author | Shane Lontis <shane.lontis@oracle.com> | 2020-07-21 16:30:02 +1000 |
---|---|---|
committer | Shane Lontis <shane.lontis@oracle.com> | 2020-07-21 16:30:02 +1000 |
commit | 9f7bdcf37f9541f7a1e4dc62ebdf97e8d8ccd307 (patch) | |
tree | 5e68472ae3a8d05c6294c1169b513c0434329a57 /apps/fipsinstall.c | |
parent | 823a113574451ea2e050bee7ce35861948ad55ca (diff) |
Add ERR_raise() errors to fips OSSL_provider_init and self tests.
As ERR_raise() is set up at this point, returning a range of negative values for errors is not required.
This will need to be revisited if the code ever moves to running from the DEP.
Added a -config option to the fips install so that it can test if a fips module is loadable from configuration.
(The -verify option only uses the generated config, whereas -config uses the normal way of including the generated data via another config file).
Added more failure tests for the raised errors.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12346)
Diffstat (limited to 'apps/fipsinstall.c')
-rw-r--r-- | apps/fipsinstall.c | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c index c8687bec8f..bd1cd68477 100644 --- a/apps/fipsinstall.c +++ b/apps/fipsinstall.c @@ -38,7 +38,7 @@ typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_IN, OPT_OUT, OPT_MODULE, OPT_PROV_NAME, OPT_SECTION_NAME, OPT_MAC_NAME, OPT_MACOPT, OPT_VERIFY, - OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET + OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET, OPT_CONFIG } OPTION_CHOICE; const OPTIONS fipsinstall_options[] = { @@ -62,6 +62,7 @@ const OPTIONS fipsinstall_options[] = { {"noout", OPT_NO_LOG, '-', "Disable logging of self test events"}, {"corrupt_desc", OPT_CORRUPT_DESC, 's', "Corrupt a self test by description"}, {"corrupt_type", OPT_CORRUPT_TYPE, 's', "Corrupt a self test by type"}, + {"config", OPT_CONFIG, '<', "The parent config to verify"}, {"quiet", OPT_QUIET, '-', "No messages, just exit status"}, {NULL} }; @@ -202,6 +203,11 @@ static void free_config_and_unload(CONF *conf) } } +static int verify_module_load(const char *parent_config_file) +{ + return OPENSSL_CTX_load_config(NULL, parent_config_file); +} + /* * Returns 1 if the config file entries match the passed in module_mac and * install_mac values, otherwise it returns 0. @@ -271,7 +277,7 @@ int fipsinstall_main(int argc, char **argv) const char *prov_name = "fips"; BIO *module_bio = NULL, *mem_bio = NULL, *fout = NULL; char *in_fname = NULL, *out_fname = NULL, *prog; - char *module_fname = NULL; + char *module_fname = NULL, *parent_config = NULL; EVP_MAC_CTX *ctx = NULL, *ctx2 = NULL; STACK_OF(OPENSSL_STRING) *opts = NULL; OPTION_CHOICE o; @@ -328,6 +334,9 @@ opthelp: case OPT_MAC_NAME: mac_name = opt_arg(); break; + case OPT_CONFIG: + parent_config = opt_arg(); + break; case OPT_MACOPT: if (!sk_OPENSSL_STRING_push(opts, opt_arg())) goto opthelp; 
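Review bot: verify_module_load() in the third hunk is added without a comment stating its contract, and the choice of NULL as the library context is the part a reader needs explained, since the availability check that follows also queries the default context. As a pass-through of OPENSSL_CTX_load_config() it presumably returns 1 when the parent config (and whatever provider activation it requests) loads and 0 otherwise, with the reason left on the error queue rather than reported here. Suggest `/* Load the parent config into the default libctx; returns 1 on success, 0 on failure (details stay on the error queue). */` above the definition.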
@@ -342,6 +351,17 @@ opthelp:
         }
     }
     argc = opt_num_rest();
+
+    if (parent_config != NULL) {
+        /* Test that a parent config can load the module */
+        if (verify_module_load(parent_config)) {
+            ret = OSSL_PROVIDER_available(NULL, prov_name) ? 0 : 1;
+            if (!quiet)
+                BIO_printf(bio_out, "FIPS provider is %s\n",
+                           ret == 0 ? "available" : " not available");
+        }
+        goto end;
+    }
     if (module_fname == NULL || (verify && in_fname == NULL) || (!verify && out_fname == NULL) |
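Review bot: The failure string on the added BIO_printf line has a leading space, `" not available"`, so the message prints as "FIPS provider is  not available" with two spaces; `ret == 0 ? "available" : "not available"` fixes it. Separately, when verify_module_load() returns 0 the new branch goes straight to `goto end` without saying why the parent config failed to load, so the ERR_raise() diagnostics this commit adds to the provider are only visible if the `end:` label (outside the hunk) dumps the error queue; if it does not, an `else if (!quiet) ERR_print_errors(bio_err);` before `goto end` would surface them. On that failure path ret keeps whatever value it was initialised to earlier in fipsinstall_main, which is not visible here. fipsinstall_main continues past the hunk.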