authorslontis <shane.lontis@oracle.com>2024-08-09 12:29:04 +1000
committerslontis <shane.lontis@oracle.com>2024-08-16 10:14:24 +1000
commit4b7b40f2f79ea4d3cb205660690382b8b9e9291f (patch)
tree40c0d6cce2b48ebed3cc499a68f0639f85494829
parenta595d624c896ace0eae017ad88268fa4c686b374 (diff)
FIPS: Remove ability to bypass the FIPS self tests
This is a FIPS 140-3 requirement. It should not be done as a FIPS indicator. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25147)
-rw-r--r--providers/fips/fipsprov.c41
-rw-r--r--providers/fips/self_test.c55
-rw-r--r--providers/fips/self_test.h5
3 files changed, 21 insertions, 80 deletions
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 1d607ad462..c5d1b5b4f3 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -217,32 +217,21 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl)
* OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS and
* OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK are not self test parameters.
*/
- OSSL_PARAM core_params[33], *p = core_params;
-
- *p++ = OSSL_PARAM_construct_utf8_ptr(
- OSSL_PROV_PARAM_CORE_MODULE_FILENAME,
- (char **)&fgbl->selftest_params.module_filename,
- sizeof(fgbl->selftest_params.module_filename));
- *p++ = OSSL_PARAM_construct_utf8_ptr(
- OSSL_PROV_FIPS_PARAM_MODULE_MAC,
- (char **)&fgbl->selftest_params.module_checksum_data,
- sizeof(fgbl->selftest_params.module_checksum_data));
- *p++ = OSSL_PARAM_construct_utf8_ptr(
- OSSL_PROV_FIPS_PARAM_INSTALL_MAC,
- (char **)&fgbl->selftest_params.indicator_checksum_data,
- sizeof(fgbl->selftest_params.indicator_checksum_data));
- *p++ = OSSL_PARAM_construct_utf8_ptr(
- OSSL_PROV_FIPS_PARAM_INSTALL_STATUS,
- (char **)&fgbl->selftest_params.indicator_data,
- sizeof(fgbl->selftest_params.indicator_data));
- *p++ = OSSL_PARAM_construct_utf8_ptr(
- OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
- (char **)&fgbl->selftest_params.indicator_version,
- sizeof(fgbl->selftest_params.indicator_version));
- *p++ = OSSL_PARAM_construct_utf8_ptr(
- OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS,
- (char **)&fgbl->selftest_params.conditional_error_check,
- sizeof(fgbl->selftest_params.conditional_error_check));
+ OSSL_PARAM core_params[30], *p = core_params;
+
+/* FIPS self test params */
+#define FIPS_FEATURE_SELF_TEST(fgbl, pname, field) \
+ *p++ = OSSL_PARAM_construct_utf8_ptr(pname, \
+ (char **)&fgbl->selftest_params.field,\
+ sizeof(fgbl->selftest_params.field))
+
+ FIPS_FEATURE_SELF_TEST(fgbl, OSSL_PROV_PARAM_CORE_MODULE_FILENAME,
+ module_filename);
+ FIPS_FEATURE_SELF_TEST(fgbl, OSSL_PROV_FIPS_PARAM_MODULE_MAC,
+ module_checksum_data);
+ FIPS_FEATURE_SELF_TEST(fgbl, OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS,
+ conditional_error_check);
+#undef FIPS_FEATURE_SELF_TEST
/* FIPS features can be enabled or disabled independently */
#define FIPS_FEATURE_OPTION(fgbl, pname, field) \
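Review bot: `core_params[30]` is a hand-maintained bound on a stack array that is filled through `*p++` by `FIPS_FEATURE_SELF_TEST` and `FIPS_FEATURE_OPTION`, and nothing in the visible lines checks that the writes stay inside it. This commit had to lower the size from 33 to 30 by hand to match the three removed entries, so a later parameter added without a matching bump would write past the array. Consider a comment stating how 30 is derived (number of macro invocations plus the terminating entry) and a debug check before the terminator is written, e.g. `assert((size_t)(p - core_params) < OSSL_NELEM(core_params));`, assuming `OSSL_NELEM` is in scope in this file. The rest of `fips_get_params_from_core`, including the terminator and any existing check, is outside the hunk.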
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
index 7f92bd61a5..5de2ea744f 100644
--- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c
@@ -304,11 +304,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
int loclstate;
#if !defined(OPENSSL_NO_FIPS_POST)
int ok = 0;
- int kats_already_passed = 0;
long checksum_len;
- OSSL_CORE_BIO *bio_module = NULL, *bio_indicator = NULL;
+ OSSL_CORE_BIO *bio_module = NULL;
unsigned char *module_checksum = NULL;
- unsigned char *indicator_checksum = NULL;
OSSL_SELF_TEST *ev = NULL;
EVP_RAND *testrand = NULL;
EVP_RAND_CTX *rng;
@@ -371,48 +369,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
goto end;
}
- /* This will be NULL during installation - so the self test KATS will run */
- if (st->indicator_data != NULL) {
- /*
- * If the kats have already passed indicator is set - then check the
- * integrity of the indicator.
- */
- if (st->indicator_checksum_data == NULL) {
- ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
- goto end;
- }
- indicator_checksum = OPENSSL_hexstr2buf(st->indicator_checksum_data,
- &checksum_len);
- if (indicator_checksum == NULL) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
- goto end;
- }
-
- bio_indicator =
- (*st->bio_new_buffer_cb)(st->indicator_data,
- strlen(st->indicator_data));
- if (bio_indicator == NULL
- || !verify_integrity(bio_indicator, st->bio_read_ex_cb,
- indicator_checksum, checksum_len,
- st->libctx, ev,
- OSSL_SELF_TEST_TYPE_INSTALL_INTEGRITY)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INDICATOR_INTEGRITY_FAILURE);
- goto end;
- } else {
- kats_already_passed = 1;
- }
- }
-
- /*
- * Only runs the KAT's during installation OR on_demand().
- * NOTE: If the installation option 'self_test_onload' is chosen then this
- * path will always be run, since kats_already_passed will always be 0.
- */
- if (on_demand_test || kats_already_passed == 0) {
- if (!SELF_TEST_kats(ev, st->libctx)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
- goto end;
- }
+ if (!SELF_TEST_kats(ev, st->libctx)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
+ goto end;
}
/* Verify that the RNG has been restored properly */
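Review bot: The now-unconditional `SELF_TEST_kats()` call has no comment, whereas the removed block documented when the KATs ran; without one, a later change could reintroduce a configuration-driven skip without noticing it is disallowed. Suggest adding above the call `/* KATs run on every load: FIPS 140-3 does not permit skipping them based on config data. */`. `on_demand_test` is no longer referenced in this hunk, so the description of that parameter (outside the hunk, if one exists) should be checked against its remaining uses. A regression test that loads the provider with a config still carrying the old `OSSL_PROV_FIPS_PARAM_INSTALL_STATUS` and install MAC entries, and asserts the KATs still execute, would pin the behaviour.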
@@ -430,12 +389,10 @@ end:
EVP_RAND_free(testrand);
OSSL_SELF_TEST_free(ev);
OPENSSL_free(module_checksum);
- OPENSSL_free(indicator_checksum);
- if (st != NULL) {
- (*st->bio_free_cb)(bio_indicator);
+ if (st != NULL)
(*st->bio_free_cb)(bio_module);
- }
+
if (ok)
set_fips_state(FIPS_STATE_RUNNING);
else
diff --git a/providers/fips/self_test.h b/providers/fips/self_test.h
index ff5928eeb4..f54bc1e432 100644
--- a/providers/fips/self_test.h
+++ b/providers/fips/self_test.h
@@ -16,11 +16,6 @@ typedef struct self_test_post_params_st {
const char *module_filename; /* Module file to perform MAC on */
const char *module_checksum_data; /* Expected module MAC integrity */
- /* Used for KAT install indicator integrity check */
- const char *indicator_version; /* version - for future proofing */
- const char *indicator_data; /* data to perform MAC on */
- const char *indicator_checksum_data; /* Expected MAC integrity value */
-
/* Used for continuous tests */
const char *conditional_error_check;