author | slontis <shane.lontis@oracle.com> | 2024-08-09 12:29:04 +1000 |
committer | slontis <shane.lontis@oracle.com> | 2024-08-16 10:14:24 +1000 |
commit | 4b7b40f2f79ea4d3cb205660690382b8b9e9291f (patch) | |
tree | 40c0d6cce2b48ebed3cc499a68f0639f85494829 | |
parent | a595d624c896ace0eae017ad88268fa4c686b374 (diff) |
FIPS: Remove ability to bypass the FIPS self tests
This is a FIPS 140-3 requirement.
It should not be done as a FIPS indicator.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25147)
-rw-r--r-- | providers/fips/fipsprov.c | 41 | ||||
-rw-r--r-- | providers/fips/self_test.c | 55 | ||||
-rw-r--r-- | providers/fips/self_test.h | 5 |
3 files changed, 21 insertions, 80 deletions
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 1d607ad462..c5d1b5b4f3 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -217,32 +217,21 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl)
 * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS and
 * OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK are not self test parameters.
 */
- OSSL_PARAM core_params[33], *p = core_params;
-
- *p++ = OSSL_PARAM_construct_utf8_ptr(
- OSSL_PROV_PARAM_CORE_MODULE_FILENAME,
- (char **)&fgbl->selftest_params.module_filename,
- sizeof(fgbl->selftest_params.module_filename));
- *p++ = OSSL_PARAM_construct_utf8_ptr(
- OSSL_PROV_FIPS_PARAM_MODULE_MAC,
- (char **)&fgbl->selftest_params.module_checksum_data,
- sizeof(fgbl->selftest_params.module_checksum_data));
- *p++ = OSSL_PARAM_construct_utf8_ptr(
- OSSL_PROV_FIPS_PARAM_INSTALL_MAC,
- (char **)&fgbl->selftest_params.indicator_checksum_data,
- sizeof(fgbl->selftest_params.indicator_checksum_data));
- *p++ = OSSL_PARAM_construct_utf8_ptr(
- OSSL_PROV_FIPS_PARAM_INSTALL_STATUS,
- (char **)&fgbl->selftest_params.indicator_data,
- sizeof(fgbl->selftest_params.indicator_data));
- *p++ = OSSL_PARAM_construct_utf8_ptr(
- OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
- (char **)&fgbl->selftest_params.indicator_version,
- sizeof(fgbl->selftest_params.indicator_version));
- *p++ = OSSL_PARAM_construct_utf8_ptr(
- OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS,
- (char **)&fgbl->selftest_params.conditional_error_check,
- sizeof(fgbl->selftest_params.conditional_error_check));
+ OSSL_PARAM core_params[30], *p = core_params;
+
+/* FIPS self test params */
+#define FIPS_FEATURE_SELF_TEST(fgbl, pname, field) \
+ *p++ = OSSL_PARAM_construct_utf8_ptr(pname, \
+ (char **)&fgbl->selftest_params.field,\
+ sizeof(fgbl->selftest_params.field))
+
+ FIPS_FEATURE_SELF_TEST(fgbl, OSSL_PROV_PARAM_CORE_MODULE_FILENAME,
+ module_filename);
+ FIPS_FEATURE_SELF_TEST(fgbl, OSSL_PROV_FIPS_PARAM_MODULE_MAC,
+ module_checksum_data);
+ FIPS_FEATURE_SELF_TEST(fgbl, OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS,
+ conditional_error_check);
+#undef FIPS_FEATURE_SELF_TEST
 /* FIPS features can be enabled or disabled independently */
 #define FIPS_FEATURE_OPTION(fgbl, pname, field) \
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
index 7f92bd61a5..5de2ea744f 100644
--- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c
@@ -304,11 +304,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
 int loclstate;
 #if !defined(OPENSSL_NO_FIPS_POST)
 int ok = 0;
- int kats_already_passed = 0;
 long checksum_len;
- OSSL_CORE_BIO *bio_module = NULL, *bio_indicator = NULL;
+ OSSL_CORE_BIO *bio_module = NULL;
 unsigned char *module_checksum = NULL;
- unsigned char *indicator_checksum = NULL;
 OSSL_SELF_TEST *ev = NULL;
 EVP_RAND *testrand = NULL;
 EVP_RAND_CTX *rng;
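Review bot: The bound in `OSSL_PARAM core_params[30]` is still kept in step with the number of `*p++` writes by hand, and the new `FIPS_FEATURE_SELF_TEST` macro makes that count harder to see at a glance because each entry is now one call while the size stays a bare number; an entry added later without bumping the 30 would write past the stack array before the end marker. A one-line comment at the declaration would pin the invariant: `/* 3 self-test params + the FIPS_FEATURE_OPTION entries + end marker; keep [30] in sync */`. Minor style point: the macro takes `fgbl` as an argument yet reaches `p` from the enclosing scope and uses `fgbl` unparenthesized, and since the function parameter is the only thing ever passed, the argument is redundant. Since OSSL_PROV_FIPS_PARAM_INSTALL_MAC, OSSL_PROV_FIPS_PARAM_INSTALL_STATUS and OSSL_PROV_FIPS_PARAM_INSTALL_VERSION are no longer requested from the core, a configuration that still carries those entries is presumably accepted with them unread rather than rejected; that is worth stating in the comment so nobody expects the provider to validate them. The rest of fips_get_params_from_core, including the end marker, is outside the hunk.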
@@ -371,48 +369,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
 goto end;
 }
- /* This will be NULL during installation - so the self test KATS will run */
- if (st->indicator_data != NULL) {
- /*
- * If the kats have already passed indicator is set - then check the
- * integrity of the indicator.
- */
- if (st->indicator_checksum_data == NULL) {
- ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
- goto end;
- }
- indicator_checksum = OPENSSL_hexstr2buf(st->indicator_checksum_data,
- &checksum_len);
- if (indicator_checksum == NULL) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
- goto end;
- }
-
- bio_indicator =
- (*st->bio_new_buffer_cb)(st->indicator_data,
- strlen(st->indicator_data));
- if (bio_indicator == NULL
- || !verify_integrity(bio_indicator, st->bio_read_ex_cb,
- indicator_checksum, checksum_len,
- st->libctx, ev,
- OSSL_SELF_TEST_TYPE_INSTALL_INTEGRITY)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INDICATOR_INTEGRITY_FAILURE);
- goto end;
- } else {
- kats_already_passed = 1;
- }
- }
-
- /*
- * Only runs the KAT's during installation OR on_demand().
- * NOTE: If the installation option 'self_test_onload' is chosen then this
- * path will always be run, since kats_already_passed will always be 0.
- */
- if (on_demand_test || kats_already_passed == 0) {
- if (!SELF_TEST_kats(ev, st->libctx)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
- goto end;
- }
+ if (!SELF_TEST_kats(ev, st->libctx)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
+ goto end;
 }
 /* Verify that the RNG has been restored properly */
@@ -430,12 +389,10 @@ end:
 EVP_RAND_free(testrand);
 OSSL_SELF_TEST_free(ev);
 OPENSSL_free(module_checksum);
- OPENSSL_free(indicator_checksum);
- if (st != NULL) {
- (*st->bio_free_cb)(bio_indicator);
+ if (st != NULL)
 (*st->bio_free_cb)(bio_module);
- }
+
 if (ok)
 set_fips_state(FIPS_STATE_RUNNING);
 else
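Review bot: The now-unconditional `SELF_TEST_kats` call carries no comment saying why there is no longer an install-indicator shortcut, while the removed block was the only place that documented the old flow; `/* FIPS 140-3: the KATs run on every POST, there is no install-indicator bypass */` above the `if` would keep that context for readers who remember the previous behaviour. With `kats_already_passed` gone, `on_demand_test` is not consulted anywhere in this hunk, so it is worth confirming that the parameter is still read earlier in SELF_TEST_post (outside the hunk) rather than being left unused in the signature. In the @@ -430 hunk the de-braced `if (st != NULL)` followed by a single statement matches the file's style and needs no change. SELF_TEST_post starts and ends outside both hunks.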
diff --git a/providers/fips/self_test.h b/providers/fips/self_test.h
index ff5928eeb4..f54bc1e432 100644
--- a/providers/fips/self_test.h
+++ b/providers/fips/self_test.h
@@ -16,11 +16,6 @@ typedef struct self_test_post_params_st {
 const char *module_filename; /* Module file to perform MAC on */
 const char *module_checksum_data; /* Expected module MAC integrity */
- /* Used for KAT install indicator integrity check */
- const char *indicator_version; /* version - for future proofing */
- const char *indicator_data; /* data to perform MAC on */
- const char *indicator_checksum_data; /* Expected MAC integrity value */
-
 /* Used for continuous tests */
 const char *conditional_error_check; |