root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

fipsinstall: add -pedantic option 

This adds a -pedantic option to fipsinstall that adjusts the various
settings to ensure strict FIPS compliance rather than backwards
compatibility.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20752)

(cherry picked from commit bc2a4225a4)
This commit is contained in:
Pauli 2023-04-17 15:31:29 +10:00
parent 182e7d0798
commit c31dfcd455
1 changed files with 64 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

103
apps/fipsinstall.c
View File

@ -34,7 +34,7 @@ static int quiet = 0;
typedef enum OPTION_choice { typedef enum OPTION_choice {
OPT_COMMON, OPT_COMMON,
OPT_IN, OPT_OUT, OPT_MODULE, OPT_IN, OPT_OUT, OPT_MODULE, OPT_PEDANTIC,
OPT_PROV_NAME, OPT_SECTION_NAME, OPT_MAC_NAME, OPT_MACOPT, OPT_VERIFY, OPT_PROV_NAME, OPT_SECTION_NAME, OPT_MAC_NAME, OPT_MACOPT, OPT_VERIFY,
OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET, OPT_CONFIG, OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET, OPT_CONFIG,
OPT_NO_CONDITIONAL_ERRORS, OPT_NO_CONDITIONAL_ERRORS,
@ -47,6 +47,7 @@ typedef enum OPTION_choice {
const OPTIONS fipsinstall_options[] = { const OPTIONS fipsinstall_options[] = {
OPT_SECTION("General"), OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"}, {"help", OPT_HELP, '-', "Display this summary"},
{"pedantic", OPT_PEDANTIC, '-', "Set options for strict FIPS compliance"},
{"verify", OPT_VERIFY, '-', {"verify", OPT_VERIFY, '-',
"Verify a config file instead of generating one"}, "Verify a config file instead of generating one"},
{"module", OPT_MODULE, '<', "File name of the provider module"}, {"module", OPT_MODULE, '<', "File name of the provider module"},
@ -82,6 +83,41 @@ const OPTIONS fipsinstall_options[] = {
{NULL} {NULL}
}; };
typedef struct {
unsigned int self_test_onload : 1;
unsigned int conditional_errors : 1;
unsigned int security_checks : 1;
unsigned int tls_prf_ems_check : 1;
unsigned int drgb_no_trunc_dgst : 1;
} FIPS_OPTS;
/* Pedantic FIPS compliance */
static const FIPS_OPTS pedantic_opts = {
1, /* self_test_onload */
1, /* conditional_errors */
1, /* security_checks */
1, /* tls_prf_ems_check */
1, /* drgb_no_trunc_dgst */
};
/* Default FIPS settings for backward compatibility */
static FIPS_OPTS fips_opts = {
1, /* self_test_onload */
1, /* conditional_errors */
1, /* security_checks */
0, /* tls_prf_ems_check */
0, /* drgb_no_trunc_dgst */
};
static int check_non_pedantic_fips(int pedantic, const char *name)
{
if (pedantic) {
BIO_printf(bio_err, "Cannot specify -%s after -pedantic\n", name);
return 0;
}
return 1;
}
static int do_mac(EVP_MAC_CTX *ctx, unsigned char *tmp, BIO *in, static int do_mac(EVP_MAC_CTX *ctx, unsigned char *tmp, BIO *in,
unsigned char *out, size_t *out_len) unsigned char *out, size_t *out_len)
{ {
@ -176,10 +212,7 @@ static int write_config_header(BIO *out, const char *prov_name,
static int write_config_fips_section(BIO *out, const char *section, static int write_config_fips_section(BIO *out, const char *section,
unsigned char *module_mac, unsigned char *module_mac,
size_t module_mac_len, size_t module_mac_len,
int conditional_errors, const FIPS_OPTS *opts,
int security_checks,
int ems_check,
int drgb_no_trunc_dgst,
unsigned char *install_mac, unsigned char *install_mac,
size_t install_mac_len) size_t install_mac_len)
{ {
@ -190,13 +223,13 @@ static int write_config_fips_section(BIO *out, const char *section,
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_VERSION, || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
VERSION_VAL) <= 0 VERSION_VAL) <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS, || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS,
conditional_errors ? "1" : "0") <= 0 opts->conditional_errors ? "1" : "0") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS, || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS,
security_checks ? "1" : "0") <= 0 opts->security_checks ? "1" : "0") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK, || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK,
ems_check ? "1" : "0") <= 0 opts->tls_prf_ems_check ? "1" : "0") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST, || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST,
drgb_no_trunc_dgst ? "1" : "0") <= 0 opts->drgb_no_trunc_dgst ? "1" : "0") <= 0
|| !print_mac(out, OSSL_PROV_FIPS_PARAM_MODULE_MAC, module_mac, || !print_mac(out, OSSL_PROV_FIPS_PARAM_MODULE_MAC, module_mac,
module_mac_len)) module_mac_len))
goto end; goto end;
@ -217,10 +250,7 @@ static CONF *generate_config_and_load(const char *prov_name,
const char *section, const char *section,
unsigned char *module_mac, unsigned char *module_mac,
size_t module_mac_len, size_t module_mac_len,
int conditional_errors, const FIPS_OPTS *opts)
int security_checks,
int ems_check,
int drgb_no_trunc_dgst)
{ {
BIO *mem_bio = NULL; BIO *mem_bio = NULL;
CONF *conf = NULL; CONF *conf = NULL;
@ -231,11 +261,7 @@ static CONF *generate_config_and_load(const char *prov_name,
if (!write_config_header(mem_bio, prov_name, section) if (!write_config_header(mem_bio, prov_name, section)
|| !write_config_fips_section(mem_bio, section, || !write_config_fips_section(mem_bio, section,
module_mac, module_mac_len, module_mac, module_mac_len,
conditional_errors, opts, NULL, 0))
security_checks,
ems_check,
drgb_no_trunc_dgst,
NULL, 0))
goto end; goto end;
conf = app_load_config_bio(mem_bio, NULL); conf = app_load_config_bio(mem_bio, NULL);
@ -330,10 +356,7 @@ end:
int fipsinstall_main(int argc, char **argv) int fipsinstall_main(int argc, char **argv)
{ {
int ret = 1, verify = 0, gotkey = 0, gotdigest = 0, self_test_onload = 1; int ret = 1, verify = 0, gotkey = 0, gotdigest = 0, pedantic = 0;
int enable_conditional_errors = 1, enable_security_checks = 1;
int enable_tls_prf_ems_check = 0; /* This is off by default */
int enable_drgb_no_trunc_dgst = 0; /* This is off by default */
const char *section_name = "fips_sect"; const char *section_name = "fips_sect";
const char *mac_name = "HMAC"; const char *mac_name = "HMAC";
const char *prov_name = "fips"; const char *prov_name = "fips";
@ -373,17 +396,25 @@ opthelp:
case OPT_OUT: case OPT_OUT:
out_fname = opt_arg(); out_fname = opt_arg();
break; break;
case OPT_PEDANTIC:
fips_opts = pedantic_opts;
pedantic = 1;
break;
case OPT_NO_CONDITIONAL_ERRORS: case OPT_NO_CONDITIONAL_ERRORS:
enable_conditional_errors = 0; if (!check_non_pedantic_fips(pedantic, "no_conditional_errors"))
goto end;
fips_opts.conditional_errors = 0;
break; break;
case OPT_NO_SECURITY_CHECKS: case OPT_NO_SECURITY_CHECKS:
enable_security_checks = 0; if (!check_non_pedantic_fips(pedantic, "no_security_checks"))
goto end;
fips_opts.security_checks = 0;
break; break;
case OPT_TLS_PRF_EMS_CHECK: case OPT_TLS_PRF_EMS_CHECK:
enable_tls_prf_ems_check = 1; fips_opts.tls_prf_ems_check = 1;
break; break;
case OPT_DISALLOW_DRGB_TRUNC_DIGEST: case OPT_DISALLOW_DRGB_TRUNC_DIGEST:
enable_drgb_no_trunc_dgst = 1; fips_opts.drgb_no_trunc_dgst = 1;
break; break;
case OPT_QUIET: case OPT_QUIET:
quiet = 1; quiet = 1;
@ -424,10 +455,12 @@ opthelp:
verify = 1; verify = 1;
break; break;
case OPT_SELF_TEST_ONLOAD: case OPT_SELF_TEST_ONLOAD:
self_test_onload = 1; fips_opts.self_test_onload = 1;
break; break;
case OPT_SELF_TEST_ONINSTALL: case OPT_SELF_TEST_ONINSTALL:
self_test_onload = 0; if (!check_non_pedantic_fips(pedantic, "self_test_oninstall"))
goto end;
fips_opts.self_test_onload = 0;
break; break;
} }
} }
@ -521,7 +554,7 @@ opthelp:
if (!do_mac(ctx, read_buffer, module_bio, module_mac, &module_mac_len)) if (!do_mac(ctx, read_buffer, module_bio, module_mac, &module_mac_len))
goto end; goto end;
if (self_test_onload == 0) { if (fips_opts.self_test_onload == 0) {
mem_bio = BIO_new_mem_buf((const void *)INSTALL_STATUS_VAL, mem_bio = BIO_new_mem_buf((const void *)INSTALL_STATUS_VAL,
strlen(INSTALL_STATUS_VAL)); strlen(INSTALL_STATUS_VAL));
if (mem_bio == NULL) { if (mem_bio == NULL) {
@ -543,11 +576,7 @@ opthelp:
} else { } else {
conf = generate_config_and_load(prov_name, section_name, module_mac, conf = generate_config_and_load(prov_name, section_name, module_mac,
module_mac_len, module_mac_len, &fips_opts);
enable_conditional_errors,
enable_security_checks,
enable_tls_prf_ems_check,
enable_drgb_no_trunc_dgst);
if (conf == NULL) if (conf == NULL)
goto end; goto end;
if (!load_fips_prov_and_run_self_test(prov_name)) if (!load_fips_prov_and_run_self_test(prov_name))
@ -561,11 +590,7 @@ opthelp:
goto end; goto end;
} }
if (!write_config_fips_section(fout, section_name, if (!write_config_fips_section(fout, section_name,
module_mac, module_mac_len, module_mac, module_mac_len, &fips_opts,
enable_conditional_errors,
enable_security_checks,
enable_tls_prf_ems_check,
enable_drgb_no_trunc_dgst,
install_mac, install_mac_len)) install_mac, install_mac_len))
goto end; goto end;
if (!quiet) if (!quiet)