Trang chủ Khám phá Trợ giúp
Đăng nhập
OWEALs
/
openssl
mirror of git://git.openssl.org/openssl.git
2
0
Fork 0
Các tập tin Các vấn đề 1 Wiki
Tree: 8dab4de538
Branches Tags
openssl
/
test
/
recipes
/
03-test_fipsinstall.t

03-test_fipsinstall.t 5.3 KB
Lịch sử Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128 
  1. #! /usr/bin/env perl
    2. 

  2. # Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
    3. 

  3. #
    4. 

  4. # Licensed under the Apache License 2.0 (the "License").  You may not use
    5. 

  5. # this file except in compliance with the License.  You can obtain a copy
    6. 

  6. # in the file LICENSE in the source distribution or at
    7. 

  7. # https://www.openssl.org/source/license.html
    8. 

  8. 

  9. use strict;
    10. 

  10. use warnings;
    11. 

  11. 

  12. use File::Spec;
    13. 

  13. use File::Copy;
    14. 

  14. use OpenSSL::Glob;
    15. 

  15. use OpenSSL::Test qw/:DEFAULT srctop_dir bldtop_dir bldtop_file/;
    16. 

  16. use OpenSSL::Test::Utils;
    17. 

  17. 

  18. BEGIN {
    19. 

  19.     setup("test_fipsinstall");
    20. 

  20. }
    21. 

  21. use lib srctop_dir('Configurations');
    22. 

  22. use lib bldtop_dir('.');
    23. 

  23. use platform;
    24. 

  24. 

  25. plan skip_all => "Test only supported in a fips build" if disabled("fips");
    26. 

  26. 

  27. plan tests => 12;
    28. 

  28. 

  29. my $infile = bldtop_file('providers', platform->dso('fips'));
    30. 

  30. my $fipskey = $ENV{FIPSKEY} // '00';
    31. 

  31. 

  32. # fail if no module name
    33. 

  33. ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module',
    34. 

  34.              '-provider_name', 'fips',
    35. 

  35.              '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
    36. 

  36.              '-section_name', 'fips_install'])),
    37. 

  37.    "fipsinstall fail");
    38. 

  38. 

  39. # fail to verify if the configuration file is missing
    40. 

  40. ok(!run(app(['openssl', 'fipsinstall', '-in', 'dummy.tmp', '-module', $infile,
    41. 

  41.              '-provider_name', 'fips', '-mac_name', 'HMAC',
    42. 

  42.              '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
    43. 

  43.              '-section_name', 'fips_install', '-verify'])),
    44. 

  44.    "fipsinstall verify fail");
    45. 

  45. 

  46. 

  47. # output a fips.cnf file containing mac data
    48. 

  48. ok(run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
    49. 

  49.             '-provider_name', 'fips', '-mac_name', 'HMAC',
    50. 

  50.             '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
    51. 

  51.             '-section_name', 'fips_install'])),
    52. 

  52.    "fipsinstall");
    53. 

  53. 

  54. # verify the fips.cnf file
    55. 

  55. ok(run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
    56. 

  56.             '-provider_name', 'fips', '-mac_name', 'HMAC',
    57. 

  57.             '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
    58. 

  58.             '-section_name', 'fips_install', '-verify'])),
    59. 

  59.    "fipsinstall verify");
    60. 

  60. 

  61. # fail to verify the fips.cnf file if a different key is used
    62. 

  62. ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
    63. 

  63.              '-provider_name', 'fips', '-mac_name', 'HMAC',
    64. 

  64.              '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
    65. 

  65.              '-section_name', 'fips_install', '-verify'])),
    66. 

  66.    "fipsinstall verify fail bad key");
    67. 

  67. 

  68. # fail to verify the fips.cnf file if a different mac digest is used
    69. 

  69. ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
    70. 

  70.              '-provider_name', 'fips', '-mac_name', 'HMAC',
    71. 

  71.              '-macopt', 'digest:SHA512', '-macopt', "hexkey:$fipskey",
    72. 

  72.              '-section_name', 'fips_install', '-verify'])),
    73. 

  73.    "fipsinstall verify fail incorrect digest");
    74. 

  74. 

  75. # corrupt the module hmac
    76. 

  76. ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
    77. 

  77.             '-provider_name', 'fips', '-mac_name', 'HMAC',
    78. 

  78.             '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
    79. 

  79.             '-section_name', 'fips_install', '-corrupt_desc', 'HMAC'])),
    80. 

  80.    "fipsinstall fails when the module integrity is corrupted");
    81. 

  81. 

  82. # corrupt the first digest
    83. 

  83. ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
    84. 

  84.             '-provider_name', 'fips', '-mac_name', 'HMAC',
    85. 

  85.             '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
    86. 

  86.             '-section_name', 'fips_install', '-corrupt_desc', 'SHA1'])),
    87. 

  87.    "fipsinstall fails when the digest result is corrupted");
    88. 

  88. 

  89. # corrupt another digest
    90. 

  90. ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
    91. 

  91.             '-provider_name', 'fips', '-mac_name', 'HMAC',
    92. 

  92.             '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
    93. 

  93.             '-section_name', 'fips_install', '-corrupt_desc', 'SHA3'])),
    94. 

  94.    "fipsinstall fails when the digest result is corrupted");
    95. 

  95. 

  96. # corrupt DRBG
    97. 

  97. ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
    98. 

  98.             '-provider_name', 'fips', '-mac_name', 'HMAC',
    99. 

  99.             '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
    100. 

  100.             '-section_name', 'fips_install', '-corrupt_desc', 'CTR'])),
    101. 

  101.    "fipsinstall fails when the DRBG CTR result is corrupted");
    102. 

  102. 

  103. # corrupt a KAS test
    104. 

  104. SKIP: {
    105. 

  105.     skip "Skipping KAS DH corruption test because of no dh in this build", 1
    106. 

  106.         if disabled("dh");
    107. 

  107. 

  108.     ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.conf', '-module', $infile,
    109. 

  109.                 '-provider_name', 'fips', '-mac_name', 'HMAC',
    110. 

  110.                 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
    111. 

  111.                 '-section_name', 'fips_install',
    112. 

  112.                 '-corrupt_desc', 'DH',
    113. 

  113.                 '-corrupt_type', 'KAT_KA'])),
    114. 

  114.        "fipsinstall fails when the kas result is corrupted");
    115. 

  115. }
    116. 

  116. 

  117. # corrupt a Signature test
    118. 

  118. SKIP: {
    119. 

  119.     skip "Skipping Signature DSA corruption test because of no dsa in this build", 1
    120. 

  120.         if disabled("dsa");
    121. 

  121.     ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.conf', '-module', $infile,
    122. 

  122.                 '-provider_name', 'fips', '-mac_name', 'HMAC',
    123. 

  123.                 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
    124. 

  124.                 '-section_name', 'fips_install',
    125. 

  125.                 '-corrupt_desc', 'DSA',
    126. 

  126.                 '-corrupt_type', 'KAT_Signature'])),
    127. 

  127.        "fipsinstall fails when the signature result is corrupted");
    128. 

  128. }
    129.