projects / thirdparty / openssl.git / blame
| Commit | Line | Data |
|---|---|---|
| 95214b43 SL |
1 | #! /usr/bin/env perl |
| 2 | # Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. | |
| 3 | # | |
| 4 | # Licensed under the Apache License 2.0 (the "License"). You may not use | |
| 5 | # this file except in compliance with the License. You can obtain a copy | |
| 6 | # in the file LICENSE in the source distribution or at | |
| 7 | # https://www.openssl.org/source/license.html | |
| 8 | ||
| 9 | use strict; | |
| 10 | use warnings; | |
| 11 | ||
| 12 | use File::Spec; | |
| 13 | use File::Copy; | |
| 14 | use OpenSSL::Glob; | |
| 15 | use OpenSSL::Test qw/:DEFAULT srctop_dir bldtop_dir bldtop_file/; | |
| 16 | use OpenSSL::Test::Utils; | |
| 17 | ||
| 18 | BEGIN { | |
| 19 | setup("test_fipsinstall"); | |
| 20 | } | |
| 21 | use lib srctop_dir('Configurations'); | |
| 22 | use lib bldtop_dir('.'); | |
| 23 | use platform; | |
| 24 | ||
| 25 | plan skip_all => "Test only supported in a fips build" if disabled("fips"); | |
| 26 | ||
| ec4d1b8f | 27 | plan tests => 12; |
| 95214b43 SL |
28 | |
| 29 | my $infile = bldtop_file('providers', platform->dso('fips')); | |
| 30 | $ENV{OPENSSL_MODULES} = bldtop_dir("providers"); | |
| 31 | ||
| be3acd79 | 32 | # fail if no module name |
| 433deaff | 33 | ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', |
| 95214b43 SL |
34 | '-provider_name', 'fips', |
| 35 | '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00', | |
| 36 | '-section_name', 'fips_install'])), | |
| be3acd79 | 37 | "fipsinstall fail"); |
| 95214b43 | 38 | |
| be3acd79 | 39 | # fail to verify if the configuration file is missing |
| 95214b43 SL |
40 | ok(!run(app(['openssl', 'fipsinstall', '-in', 'dummy.tmp', '-module', $infile, |
| 41 | '-provider_name', 'fips', '-mac_name', 'HMAC', | |
| 42 | '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00', | |
| 43 | '-section_name', 'fips_install', '-verify'])), | |
| be3acd79 | 44 | "fipsinstall verify fail"); |
| 95214b43 SL |
45 | |
| 46 | ||
| 433deaff RS |
47 | # output a fips.cnf file containing mac data |
| 48 | ok(run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, | |
| 95214b43 SL |
49 | '-provider_name', 'fips', '-mac_name', 'HMAC', |
| 50 | '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00', | |
| 51 | '-section_name', 'fips_install'])), | |
| be3acd79 | 52 | "fipsinstall"); |
| 95214b43 | 53 | |
| 433deaff RS |
54 | # verify the fips.cnf file |
| 55 | ok(run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile, | |
| 95214b43 SL |
56 | '-provider_name', 'fips', '-mac_name', 'HMAC', |
| 57 | '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00', | |
| 58 | '-section_name', 'fips_install', '-verify'])), | |
| be3acd79 | 59 | "fipsinstall verify"); |
| 95214b43 | 60 | |
| 433deaff RS |
61 | # fail to verify the fips.cnf file if a different key is used |
| 62 | ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile, | |
| 95214b43 SL |
63 | '-provider_name', 'fips', '-mac_name', 'HMAC', |
| 64 | '-macopt', 'digest:SHA256', '-macopt', 'hexkey:01', | |
| 65 | '-section_name', 'fips_install', '-verify'])), | |
| be3acd79 | 66 | "fipsinstall verify fail bad key"); |
| 95214b43 | 67 | |
| 433deaff RS |
68 | # fail to verify the fips.cnf file if a different mac digest is used |
| 69 | ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile, | |
| 95214b43 SL |
70 | '-provider_name', 'fips', '-mac_name', 'HMAC', |
| 71 | '-macopt', 'digest:SHA512', '-macopt', 'hexkey:00', | |
| 72 | '-section_name', 'fips_install', '-verify'])), | |
| be3acd79 | 73 | "fipsinstall verify fail incorrect digest"); |
| 36fc5fc6 SL |
74 | |
| 75 | # corrupt the module hmac | |
| 433deaff | 76 | ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, |
| 36fc5fc6 SL |
77 | '-provider_name', 'fips', '-mac_name', 'HMAC', |
| 78 | '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00', | |
| 79 | '-section_name', 'fips_install', '-corrupt_desc', 'HMAC'])), | |
| 80 | "fipsinstall fails when the module integrity is corrupted"); | |
| 81 | ||
| 82 | # corrupt the first digest | |
| 433deaff | 83 | ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, |
| 36fc5fc6 SL |
84 | '-provider_name', 'fips', '-mac_name', 'HMAC', |
| 85 | '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00', | |
| 86 | '-section_name', 'fips_install', '-corrupt_desc', 'SHA1'])), | |
| 87 | "fipsinstall fails when the digest result is corrupted"); | |
| 88 | ||
| 89 | # corrupt another digest | |
| 433deaff | 90 | ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, |
| 36fc5fc6 SL |
91 | '-provider_name', 'fips', '-mac_name', 'HMAC', |
| 92 | '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00', | |
| 93 | '-section_name', 'fips_install', '-corrupt_desc', 'SHA3'])), | |
| 94 | "fipsinstall fails when the digest result is corrupted"); | |
| 980a880e SL |
95 | |
| 96 | # corrupt DRBG | |
| 433deaff | 97 | ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, |
| 980a880e SL |
98 | '-provider_name', 'fips', '-mac_name', 'HMAC', |
| 99 | '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00', | |
| 100 | '-section_name', 'fips_install', '-corrupt_desc', 'CTR'])), | |
| 101 | "fipsinstall fails when the DRBG CTR result is corrupted"); | |
| ec4d1b8f SL |
102 | |
| 103 | # corrupt a KAS test | |
| a7a7643a MC |
104 | SKIP: { |
| 105 | skip "Skipping KAS DH corruption test because of no dh in this build", 1 | |
| 106 | if disabled("dh"); | |
| 107 | ||
| 108 | ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.conf', '-module', $infile, | |
| 109 | '-provider_name', 'fips', '-mac_name', 'HMAC', | |
| 110 | '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00', | |
| 111 | '-section_name', 'fips_install', | |
| 112 | '-corrupt_desc', 'DH', | |
| 113 | '-corrupt_type', 'KAT_KA'])), | |
| 114 | "fipsinstall fails when the kas result is corrupted"); | |
| 115 | } | |
| ec4d1b8f SL |
116 | |
| 117 | # corrupt a Signature test | |
| 9be92bec MC |
118 | SKIP: { |
| 119 | skip "Skipping Signature DSA corruption test because of no dsa in this build", 1 | |
| 120 | if disabled("dsa"); | |
| 121 | ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.conf', '-module', $infile, | |
| 122 | '-provider_name', 'fips', '-mac_name', 'HMAC', | |
| 123 | '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00', | |
| 124 | '-section_name', 'fips_install', | |
| 125 | '-corrupt_desc', 'DSA', | |
| 126 | '-corrupt_type', 'KAT_Signature'])), | |
| 127 | "fipsinstall fails when the signature result is corrupted"); | |
| 128 | } |