VirtualBox

source: vbox/trunk/src/libs/openssl-3.1.0/test/recipes/03-test_fipsinstall.t@ 99507

最後變更 在這個檔案從99507是 99366,由 vboxsync 提交於 2 年 前

openssl-3.1.0: Applied and adjusted our OpenSSL changes to 3.0.7. bugref:10418
檔案大小: 14.7 KB
 
1#! /usr/bin/env perl
2# Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
3#
4# Licensed under the Apache License 2.0 (the "License"). You may not use
5# this file except in compliance with the License. You can obtain a copy
6# in the file LICENSE in the source distribution or at
7# https://www.openssl.org/source/license.html
8
9use strict;
10use warnings;
11
12use File::Spec::Functions qw(:DEFAULT abs2rel);
13use File::Copy;
14use OpenSSL::Glob;
15use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file/;
16use OpenSSL::Test::Utils;
17
18BEGIN {
19 setup("test_fipsinstall");
20}
21use lib srctop_dir('Configurations');
22use lib bldtop_dir('.');
23use platform;
24
25plan skip_all => "Test only supported in a fips build" if disabled("fips");
26
27plan tests => 31;
28
29my $infile = bldtop_file('providers', platform->dso('fips'));
30my $fipskey = $ENV{FIPSKEY} // config('FIPSKEY') // '00';
31my $provconf = srctop_file("test", "fips-and-base.cnf");
32
33# Read in a text $infile and replace the regular expression in $srch with the
34# value in $repl and output to a new file $outfile.
35sub replace_line_file_internal {
36
37 my ($infile, $srch, $repl, $outfile) = @_;
38 my $msg;
39
40 open(my $in, "<", $infile) or return 0;
41 read($in, $msg, 1024);
42 close $in;
43
44 $msg =~ s/$srch/$repl/;
45
46 open(my $fh, ">", $outfile) or return 0;
47 print $fh $msg;
48 close $fh;
49 return 1;
50}
51
52# Read in the text input file 'fips.cnf'
53# and replace a single Key = Value line with a new value in $value.
54# OR remove the Key = Value line if the passed in $value is empty.
55# and then output a new file $outfile.
56# $key is the Key to find
57sub replace_line_file {
58 my ($key, $value, $outfile) = @_;
59
60 my $srch = qr/$key\s*=\s*\S*\n/;
61 my $rep;
62 if ($value eq "") {
63 $rep = "";
64 } else {
65 $rep = "$key = $value\n";
66 }
67 return replace_line_file_internal('fips.cnf', $srch, $rep, $outfile);
68}
69
70# Read in the text input file 'test/fips.cnf'
71# and replace the .cnf file used in
72# .include fipsmodule.cnf with a new value in $value.
73# and then output a new file $outfile.
74# $key is the Key to find
75sub replace_parent_line_file {
76 my ($value, $outfile) = @_;
77 my $srch = qr/fipsmodule.cnf/;
78 my $rep = "$value";
79 return replace_line_file_internal(srctop_file("test", 'fips.cnf'),
80 $srch, $rep, $outfile);
81}
82
83# fail if no module name
84ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module',
85 '-provider_name', 'fips',
86 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
87 '-section_name', 'fips_sect'])),
88 "fipsinstall fail");
89
90# fail to verify if the configuration file is missing
91ok(!run(app(['openssl', 'fipsinstall', '-in', 'dummy.tmp', '-module', $infile,
92 '-provider_name', 'fips', '-mac_name', 'HMAC',
93 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
94 '-section_name', 'fips_sect', '-verify'])),
95 "fipsinstall verify fail");
96
97
98# output a fips.cnf file containing mac data
99ok(run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
100 '-provider_name', 'fips', '-mac_name', 'HMAC',
101 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
102 '-section_name', 'fips_sect'])),
103 "fipsinstall");
104
105# verify the fips.cnf file
106ok(run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
107 '-provider_name', 'fips', '-mac_name', 'HMAC',
108 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
109 '-section_name', 'fips_sect', '-verify'])),
110 "fipsinstall verify");
111
112ok(replace_line_file('module-mac', '', 'fips_no_module_mac.cnf')
113 && !run(app(['openssl', 'fipsinstall',
114 '-in', 'fips_no_module_mac.cnf',
115 '-module', $infile,
116 '-provider_name', 'fips', '-mac_name', 'HMAC',
117 '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
118 '-section_name', 'fips_sect', '-verify'])),
119 "fipsinstall verify fail no module mac");
120
121ok(replace_line_file('install-mac', '', 'fips_no_install_mac.cnf')
122 && !run(app(['openssl', 'fipsinstall',
123 '-in', 'fips_no_install_mac.cnf',
124 '-module', $infile,
125 '-provider_name', 'fips', '-mac_name', 'HMAC',
126 '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
127 '-section_name', 'fips_sect', '-verify'])),
128 "fipsinstall verify fail no install indicator mac");
129
130ok(replace_line_file('module-mac', '00:00:00:00:00:00',
131 'fips_bad_module_mac.cnf')
132 && !run(app(['openssl', 'fipsinstall',
133 '-in', 'fips_bad_module_mac.cnf',
134 '-module', $infile,
135 '-provider_name', 'fips', '-mac_name', 'HMAC',
136 '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
137 '-section_name', 'fips_sect', '-verify'])),
138 "fipsinstall verify fail if invalid module integrity value");
139
140ok(replace_line_file('install-mac', '00:00:00:00:00:00',
141 'fips_bad_install_mac.cnf')
142 && !run(app(['openssl', 'fipsinstall',
143 '-in', 'fips_bad_install_mac.cnf',
144 '-module', $infile,
145 '-provider_name', 'fips', '-mac_name', 'HMAC',
146 '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
147 '-section_name', 'fips_sect', '-verify'])),
148 "fipsinstall verify fail if invalid install indicator integrity value");
149
150ok(replace_line_file('install-status', 'INCORRECT_STATUS_STRING',
151 'fips_bad_indicator.cnf')
152 && !run(app(['openssl', 'fipsinstall',
153 '-in', 'fips_bad_indicator.cnf',
154 '-module', $infile,
155 '-provider_name', 'fips', '-mac_name', 'HMAC',
156 '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
157 '-section_name', 'fips_sect', '-verify'])),
158 "fipsinstall verify fail if invalid install indicator status");
159
160# fail to verify the fips.cnf file if a different key is used
161ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
162 '-provider_name', 'fips', '-mac_name', 'HMAC',
163 '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
164 '-section_name', 'fips_sect', '-verify'])),
165 "fipsinstall verify fail bad key");
166
167# fail to verify the fips.cnf file if a different mac digest is used
168ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
169 '-provider_name', 'fips', '-mac_name', 'HMAC',
170 '-macopt', 'digest:SHA512', '-macopt', "hexkey:$fipskey",
171 '-section_name', 'fips_sect', '-verify'])),
172 "fipsinstall verify fail incorrect digest");
173
174# corrupt the module hmac
175ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
176 '-provider_name', 'fips', '-mac_name', 'HMAC',
177 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
178 '-section_name', 'fips_sect', '-corrupt_desc', 'HMAC'])),
179 "fipsinstall fails when the module integrity is corrupted");
180
181# corrupt the first digest
182ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
183 '-provider_name', 'fips', '-mac_name', 'HMAC',
184 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
185 '-section_name', 'fips_sect', '-corrupt_desc', 'SHA1'])),
186 "fipsinstall fails when the digest result is corrupted");
187
188# corrupt another digest
189ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
190 '-provider_name', 'fips', '-mac_name', 'HMAC',
191 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
192 '-section_name', 'fips_sect', '-corrupt_desc', 'SHA3'])),
193 "fipsinstall fails when the digest result is corrupted");
194
195# corrupt cipher encrypt test
196ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
197 '-provider_name', 'fips', '-mac_name', 'HMAC',
198 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
199 '-section_name', 'fips_sect', '-corrupt_desc', 'AES_GCM'])),
200 "fipsinstall fails when the AES_GCM result is corrupted");
201
202# corrupt cipher decrypt test
203ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
204 '-provider_name', 'fips', '-mac_name', 'HMAC',
205 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
206 '-section_name', 'fips_sect', '-corrupt_desc', 'AES_ECB_Decrypt'])),
207 "fipsinstall fails when the AES_ECB result is corrupted");
208
209# corrupt DRBG
210ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
211 '-provider_name', 'fips', '-mac_name', 'HMAC',
212 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
213 '-section_name', 'fips_sect', '-corrupt_desc', 'CTR'])),
214 "fipsinstall fails when the DRBG CTR result is corrupted");
215
216# corrupt a KAS test
217SKIP: {
218 skip "Skipping KAS DH corruption test because of no dh in this build", 1
219 if disabled("dh");
220
221 ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
222 '-provider_name', 'fips', '-mac_name', 'HMAC',
223 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
224 '-section_name', 'fips_sect',
225 '-corrupt_desc', 'DH',
226 '-corrupt_type', 'KAT_KA'])),
227 "fipsinstall fails when the kas result is corrupted");
228}
229
230# corrupt a Signature test - 140-3 requires a known answer test
231SKIP: {
232 skip "Skipping Signature DSA corruption test because of no dsa in this build", 1
233 if disabled("dsa");
234
235 run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
236 capture => 1, statusvar => \my $exit);
237 skip "FIPS provider version is too old for KAT DSA signature test", 1
238 if !$exit;
239 ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
240 '-provider_name', 'fips', '-mac_name', 'HMAC',
241 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
242 '-section_name', 'fips_sect', '-self_test_oninstall',
243 '-corrupt_desc', 'DSA',
244 '-corrupt_type', 'KAT_Signature'])),
245 "fipsinstall fails when the signature result is corrupted");
246}
247
248# corrupt a Signature test - 140-2 allows a pairwise consistency test
249SKIP: {
250 skip "Skipping Signature DSA corruption test because of no dsa in this build", 1
251 if disabled("dsa");
252
253 run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]),
254 capture => 1, statusvar => \my $exit);
255 skip "FIPS provider version is too new for PCT DSA signature test", 1
256 if !$exit;
257 ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
258 '-provider_name', 'fips', '-mac_name', 'HMAC',
259 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
260 '-section_name', 'fips_sect',
261 '-corrupt_desc', 'DSA',
262 '-corrupt_type', 'PCT_Signature'])),
263 "fipsinstall fails when the signature result is corrupted");
264}
265
266# corrupt an Asymmetric cipher test
267SKIP: {
268 skip "Skipping Asymmetric RSA corruption test because of no rsa in this build", 1
269 if disabled("rsa");
270 ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
271 '-corrupt_desc', 'RSA_Encrypt',
272 '-corrupt_type', 'KAT_AsymmetricCipher'])),
273 "fipsinstall fails when the asymmetric cipher result is corrupted");
274}
275
276# 'local' ensures that this change is only done in this file.
277local $ENV{OPENSSL_CONF_INCLUDE} = abs2rel(curdir());
278
279ok(replace_parent_line_file('fips.cnf', 'fips_parent.cnf')
280 && run(app(['openssl', 'fipsinstall', '-config', 'fips_parent.cnf'])),
281 "verify fips provider loads from a configuration file");
282
283ok(replace_parent_line_file('fips_no_module_mac.cnf',
284 'fips_parent_no_module_mac.cnf')
285 && !run(app(['openssl', 'fipsinstall',
286 '-config', 'fips_parent_no_module_mac.cnf'])),
287 "verify load config fail no module mac");
288
289SKIP: {
290 run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]),
291 capture => 1, statusvar => \my $exit);
292 skip "FIPS provider version doesn't support self test indicator", 3
293 if !$exit;
294
295 ok(replace_parent_line_file('fips_no_install_mac.cnf',
296 'fips_parent_no_install_mac.cnf')
297 && !run(app(['openssl', 'fipsinstall',
298 '-config', 'fips_parent_no_install_mac.cnf'])),
299 "verify load config fail no install mac");
300
301 ok(replace_parent_line_file('fips_bad_indicator.cnf',
302 'fips_parent_bad_indicator.cnf')
303 && !run(app(['openssl', 'fipsinstall',
304 '-config', 'fips_parent_bad_indicator.cnf'])),
305 "verify load config fail bad indicator");
306
307
308 ok(replace_parent_line_file('fips_bad_install_mac.cnf',
309 'fips_parent_bad_install_mac.cnf')
310 && !run(app(['openssl', 'fipsinstall',
311 '-config', 'fips_parent_bad_install_mac.cnf'])),
312 "verify load config fail bad install mac");
313}
314
315ok(replace_parent_line_file('fips_bad_module_mac.cnf',
316 'fips_parent_bad_module_mac.cnf')
317 && !run(app(['openssl', 'fipsinstall',
318 '-config', 'fips_parent_bad_module_mac.cnf'])),
319 "verify load config fail bad module mac");
320
321SKIP: {
322 run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]),
323 capture => 1, statusvar => \my $exit);
324 skip "FIPS provider version doesn't support self test indicator", 3
325 if !$exit;
326
327 my $stconf = "fipsmodule_selftest.cnf";
328
329 ok(run(app(['openssl', 'fipsinstall', '-out', $stconf,
330 '-module', $infile, '-self_test_onload'])),
331 "fipsinstall config saved without self test indicator");
332
333 ok(!run(app(['openssl', 'fipsinstall', '-in', $stconf,
334 '-module', $infile, '-verify'])),
335 "fipsinstall config verify fails without self test indicator");
336
337 ok(run(app(['openssl', 'fipsinstall', '-in', $stconf,
338 '-module', $infile, '-self_test_onload', '-verify'])),
339 "fipsinstall config verify passes when self test indicator is not present");
340}
341
342SKIP: {
343 run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
344 capture => 1, statusvar => \my $exit);
345 skip "FIPS provider version can run self tests on install", 1
346 if !$exit;
347 ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
348 '-provider_name', 'fips', '-mac_name', 'HMAC',
349 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
350 '-section_name', 'fips_sect', '-self_test_oninstall',
351 '-ems_check'])),
352 "fipsinstall fails when attempting to run self tests on install");
353}
注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette