diff options
author | Shane Lontis <shane.lontis@oracle.com> | 2019-08-24 10:56:34 +0200 |
---|---|---|
committer | Shane Lontis <shane.lontis@oracle.com> | 2019-08-24 10:56:34 +0200 |
commit | 95214b434fe969e9508b6b9f38d0ea931d7e6415 (patch) | |
tree | 96a0684ba1c18233a9bf12f03a8177852c343523 /apps | |
parent | Avoid overflowing FDSET when using select(2). (diff) | |
download | openssl-95214b434fe969e9508b6b9f38d0ea931d7e6415.tar.xz openssl-95214b434fe969e9508b6b9f38d0ea931d7e6415.zip |
Add app for fips installation
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9634)
Diffstat (limited to 'apps')
-rw-r--r-- | apps/apps.c | 50 | ||||
-rw-r--r-- | apps/build.info | 2 | ||||
-rw-r--r-- | apps/fipsinstall.c | 419 | ||||
-rw-r--r-- | apps/include/apps.h | 4 | ||||
-rw-r--r-- | apps/mac.c | 49 | ||||
-rw-r--r-- | apps/progs.c | 1 | ||||
-rw-r--r-- | apps/progs.h | 2 |
7 files changed, 489 insertions, 38 deletions
diff --git a/apps/apps.c b/apps/apps.c index 274a387a3d..5038817750 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -2566,3 +2566,53 @@ int opt_printf_stderr(const char *fmt, ...) va_end(ap); return ret; } + +OSSL_PARAM *app_params_new_from_opts(STACK_OF(OPENSSL_STRING) *opts, + const OSSL_PARAM *paramdefs) +{ + OSSL_PARAM *params = NULL; + size_t sz = (size_t)sk_OPENSSL_STRING_num(opts); + size_t params_n; + char *opt = "", *stmp, *vtmp = NULL; + + if (opts == NULL) + return NULL; + + params = OPENSSL_zalloc(sizeof(OSSL_PARAM) * (sz + 1)); + if (params == NULL) + return NULL; + + for (params_n = 0; params_n < sz; params_n++) { + opt = sk_OPENSSL_STRING_value(opts, (int)params_n); + if ((stmp = OPENSSL_strdup(opt)) == NULL + || (vtmp = strchr(stmp, ':')) == NULL) + goto err; + /* Replace ':' with 0 to terminate the string pointed to by stmp */ + *vtmp = 0; + /* Skip over the separator so that vmtp points to the value */ + vtmp++; + if (!OSSL_PARAM_allocate_from_text(¶ms[params_n], paramdefs, + stmp, vtmp, strlen(vtmp))) + goto err; + OPENSSL_free(stmp); + } + params[params_n] = OSSL_PARAM_construct_end(); + return params; +err: + OPENSSL_free(stmp); + BIO_printf(bio_err, "Parameter error '%s'\n", opt); + ERR_print_errors(bio_err); + app_params_free(params); + return NULL; +} + +void app_params_free(OSSL_PARAM *params) +{ + int i; + + if (params != NULL) { + for (i = 0; params[i].key != NULL; ++i) + OPENSSL_free(params[i].data); + OPENSSL_free(params); + } +} diff --git a/apps/build.info b/apps/build.info index 2a7317a4ab..ef6fa220d3 100644 --- a/apps/build.info +++ b/apps/build.info @@ -27,7 +27,7 @@ $OPENSSLSRC={- pkcs8.c pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c srp.c ts.c verify.c version.c x509.c rehash.c storeutl.c - list.c info.c); + list.c info.c fipsinstall.c); join(' ', @opensslsrc); -} # Source for libapps $LIBAPPSSRC=apps.c apps_ui.c opt.c fmt.c s_cb.c s_socket.c app_rand.c \ diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c new file mode 100644 index 0000000000..2aedcbaa6c --- /dev/null +++ b/apps/fipsinstall.c @@ -0,0 +1,419 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <string.h> +#include <openssl/evp.h> +#include <openssl/err.h> +#include <openssl/provider.h> +#include <openssl/params.h> +#include <openssl/fips_names.h> +#include "apps.h" +#include "progs.h" + +#define BUFSIZE 4096 +#define DEFAULT_MAC_NAME "HMAC" +#define DEFAULT_FIPS_SECTION "fips_check_section" + +/* Configuration file values */ +#define VERSION_KEY "version" +#define VERSION_VAL "1" +#define INSTALL_STATUS_VAL "INSTALL_SELF_TEST_KATS_RUN" + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_IN, OPT_OUT, OPT_MODULE, + OPT_PROV_NAME, OPT_SECTION_NAME, OPT_MAC_NAME, OPT_MACOPT, OPT_VERIFY +} OPTION_CHOICE; + +const OPTIONS fipsinstall_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {OPT_MORE_STR, 0, 0, "e.g: openssl fipsinstall -provider_name fips" + "-section_name fipsinstall -out fips.conf -module ./fips.so" + "-mac_name HMAC -macopt digest:SHA256 -macopt hexkey:00"}, + {"verify", OPT_VERIFY, '-', "Verification mode, i.e verify a config file " + "instead of generating one"}, + {"in", OPT_IN, '<', "Input config file, used when verifying"}, + {"out", OPT_OUT, '>', "Output config file, used when generating"}, + {"module", OPT_MODULE, '<', "File name of the provider module"}, + {"provider_name", OPT_PROV_NAME, 's', "FIPS provider name"}, + {"section_name", OPT_SECTION_NAME, 's', + "FIPS Provider config section name (optional)"}, + {"mac_name", OPT_MAC_NAME, 's', "MAC name"}, + {"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form. " + "See 'PARAMETER NAMES' in the EVP_MAC_ docs"}, + {NULL} +}; + +static int do_mac(EVP_MAC_CTX *ctx, unsigned char *tmp, BIO *in, + unsigned char *out, size_t *out_len) +{ + int ret = 0; + int i; + size_t outsz = *out_len; + + if (!EVP_MAC_init(ctx)) + goto err; + if (EVP_MAC_size(ctx) > outsz) + goto end; + while ((i = BIO_read(in, (char *)tmp, BUFSIZE)) != 0) { + if (i < 0 || !EVP_MAC_update(ctx, tmp, i)) + goto err; + } +end: + if (!EVP_MAC_final(ctx, out, out_len, outsz)) + goto err; + ret = 1; +err: + return ret; +} + +static int load_fips_prov_and_run_self_test(const char *prov_name) +{ + int ret = 0; + OSSL_PROVIDER *prov = NULL; + + prov = OSSL_PROVIDER_load(NULL, prov_name); + if (prov == NULL) { + BIO_printf(bio_err, "Failed to load FIPS module\n"); + goto end; + } + ret = 1; +end: + OSSL_PROVIDER_unload(prov); + return ret; +} + +static int print_mac(BIO *bio, const char *label, const unsigned char *mac, + size_t len) +{ + int ret; + char *hexstr = NULL; + + hexstr = OPENSSL_buf2hexstr(mac, (long)len); + if (hexstr == NULL) + return 0; + ret = BIO_printf(bio, "%s = %s\n", label, hexstr); + OPENSSL_free(hexstr); + return ret; +} + +static int write_config_header(BIO *out, const char *prov_name, + const char *section) +{ + return BIO_printf(out, "openssl_conf = openssl_init\n\n") + && BIO_printf(out, "[openssl_init]\n") + && BIO_printf(out, "providers = provider_section\n\n") + && BIO_printf(out, "[provider_section]\n") + && BIO_printf(out, "%s = %s\n\n", prov_name, section); +} + +/* + * Outputs a fips related config file that contains entries for the fips + * module checksum and the installation indicator checksum. + * + * Returns 1 if the config file is written otherwise it returns 0 on error. + */ +static int write_config_fips_section(BIO *out, const char *section, + unsigned char *module_mac, + size_t module_mac_len, + unsigned char *install_mac, + size_t install_mac_len) +{ + int ret = 0; + + if (!(BIO_printf(out, "[%s]\n", section) > 0 + && BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_VERSION, + VERSION_VAL) > 0 + && print_mac(out, OSSL_PROV_FIPS_PARAM_MODULE_MAC, module_mac, + module_mac_len))) + goto end; + + if (install_mac != NULL) { + if (!(print_mac(out, OSSL_PROV_FIPS_PARAM_INSTALL_MAC, install_mac, + install_mac_len) + && BIO_printf(out, "%s = %s\n", + OSSL_PROV_FIPS_PARAM_INSTALL_STATUS, + INSTALL_STATUS_VAL) > 0)) + goto end; + } + ret = 1; +end: + return ret; +} + +static CONF *generate_config_and_load(const char *prov_name, + const char *section, + unsigned char *module_mac, + size_t module_mac_len) +{ + BIO *mem_bio = NULL; + CONF *conf = NULL; + + mem_bio = BIO_new(BIO_s_mem()); + if (mem_bio == NULL) + return 0; + if (!write_config_header(mem_bio, prov_name, section) + || !write_config_fips_section(mem_bio, section, module_mac, + module_mac_len, NULL, 0)) + goto end; + + conf = app_load_config_bio(mem_bio, NULL); + if (conf == NULL) + goto end; + + if (!CONF_modules_load(conf, NULL, 0)) + goto end; + BIO_free(mem_bio); + return conf; +end: + NCONF_free(conf); + BIO_free(mem_bio); + return NULL; +} + +static void free_config_and_unload(CONF *conf) +{ + if (conf != NULL) { + NCONF_free(conf); + CONF_modules_unload(1); + } +} + +/* + * Returns 1 if the config file entries match the passed in module_mac and + * install_mac values, otherwise it returns 0. + */ +static int verify_config(const char *infile, const char *section, + unsigned char *module_mac, size_t module_mac_len, + unsigned char *install_mac, size_t install_mac_len) +{ + int ret = 0; + char *s = NULL; + unsigned char *buf1 = NULL, *buf2 = NULL; + long len; + CONF *conf = NULL; + + /* read in the existing values and check they match the saved values */ + conf = app_load_config(infile); + if (conf == NULL) + goto end; + + s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_INSTALL_VERSION); + if (s == NULL || strcmp(s, VERSION_VAL) != 0) { + BIO_printf(bio_err, "version not found\n"); + goto end; + } + s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_INSTALL_STATUS); + if (s == NULL || strcmp(s, INSTALL_STATUS_VAL) != 0) { + BIO_printf(bio_err, "install status not found\n"); + goto end; + } + s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_MODULE_MAC); + if (s == NULL) { + BIO_printf(bio_err, "Module integrity MAC not found\n"); + goto end; + } + buf1 = OPENSSL_hexstr2buf(s, &len); + if (buf1 == NULL + || (size_t)len != module_mac_len + || memcmp(module_mac, buf1, module_mac_len) != 0) { + BIO_printf(bio_err, "Module integrity mismatch\n"); + goto end; + } + s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_INSTALL_MAC); + if (s == NULL) { + BIO_printf(bio_err, "Install indicator MAC not found\n"); + goto end; + } + buf2 = OPENSSL_hexstr2buf(s, &len); + if (buf2 == NULL + || (size_t)len != install_mac_len + || memcmp(install_mac, buf2, install_mac_len) != 0) { + BIO_printf(bio_err, "Install indicator status mismatch\n"); + goto end; + } + ret = 1; +end: + OPENSSL_free(buf1); + OPENSSL_free(buf2); + NCONF_free(conf); + return ret; +} + +int fipsinstall_main(int argc, char **argv) +{ + int ret = 1, verify = 0; + BIO *module_bio = NULL, *mem_bio = NULL, *fout = NULL; + char *in_fname = NULL, *out_fname = NULL, *prog, *section_name = NULL; + char *prov_name = NULL, *module_fname = NULL; + static const char *mac_name = DEFAULT_MAC_NAME; + EVP_MAC_CTX *ctx = NULL, *ctx2 = NULL; + STACK_OF(OPENSSL_STRING) *opts = NULL; + OPTION_CHOICE o; + unsigned char *read_buffer = NULL; + unsigned char module_mac[EVP_MAX_MD_SIZE]; + size_t module_mac_len = EVP_MAX_MD_SIZE; + unsigned char install_mac[EVP_MAX_MD_SIZE]; + size_t install_mac_len = EVP_MAX_MD_SIZE; + EVP_MAC *mac = NULL; + CONF *conf = NULL; + + section_name = DEFAULT_FIPS_SECTION; + + prog = opt_init(argc, argv, fipsinstall_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: +opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(fipsinstall_options); + ret = 0; + goto end; + case OPT_IN: + in_fname = opt_arg(); + break; + case OPT_OUT: + out_fname = opt_arg(); + break; + case OPT_PROV_NAME: + prov_name = opt_arg(); + break; + case OPT_MODULE: + module_fname = opt_arg(); + break; + case OPT_SECTION_NAME: + section_name = opt_arg(); + break; + case OPT_MAC_NAME: + mac_name = opt_arg(); + break; + case OPT_MACOPT: + if (opts == NULL) + opts = sk_OPENSSL_STRING_new_null(); + if (opts == NULL || !sk_OPENSSL_STRING_push(opts, opt_arg())) + goto opthelp; + break; + case OPT_VERIFY: + verify = 1; + break; + } + } + argc = opt_num_rest(); + if (module_fname == NULL + || (verify && in_fname == NULL) + || (!verify && (out_fname == NULL || prov_name == NULL)) + || opts == NULL + || argc != 0) + goto opthelp; + + module_bio = bio_open_default(module_fname, 'r', FORMAT_BINARY); + if (module_bio == NULL) { + BIO_printf(bio_err, "Failed to open module file\n"); + goto end; + } + + read_buffer = app_malloc(BUFSIZE, "I/O buffer"); + if (read_buffer == NULL) + goto end; + + mac = EVP_MAC_fetch(NULL, mac_name, NULL); + if (mac == NULL) { + BIO_printf(bio_err, "Unable to get MAC of type %s\n", mac_name); + goto end; + } + + ctx = EVP_MAC_CTX_new(mac); + if (ctx == NULL) { + BIO_printf(bio_err, "Unable to create MAC CTX for module check\n"); + goto end; + } + + if (opts != NULL) { + int ok = 1; + OSSL_PARAM *params = + app_params_new_from_opts(opts, EVP_MAC_CTX_settable_params(mac)); + + if (params == NULL) + goto end; + + if (!EVP_MAC_CTX_set_params(ctx, params)) { + BIO_printf(bio_err, "MAC parameter error\n"); + ERR_print_errors(bio_err); + ok = 0; + } + app_params_free(params); + if (!ok) + goto end; + } + + ctx2 = EVP_MAC_CTX_dup(ctx); + if (ctx2 == NULL) { + BIO_printf(bio_err, "Unable to create MAC CTX for install indicator\n"); + goto end; + } + + if (!do_mac(ctx, read_buffer, module_bio, module_mac, &module_mac_len)) + goto end; + + mem_bio = BIO_new_mem_buf((const void *)INSTALL_STATUS_VAL, + strlen(INSTALL_STATUS_VAL)); + if (mem_bio == NULL) { + BIO_printf(bio_err, "Unable to create memory BIO\n"); + goto end; + } + if (!do_mac(ctx2, read_buffer, mem_bio, install_mac, &install_mac_len)) + goto end; + + if (verify) { + if (!verify_config(in_fname, section_name, module_mac, module_mac_len, + install_mac, install_mac_len)) + goto end; + BIO_printf(bio_out, "VERIFY PASSED\n"); + } else { + + conf = generate_config_and_load(prov_name, section_name, module_mac, + module_mac_len); + if (conf == NULL) + goto end; + if (!load_fips_prov_and_run_self_test(prov_name)) + goto end; + + fout = bio_open_default(out_fname, 'w', FORMAT_TEXT); + if (fout == NULL) { + BIO_printf(bio_err, "Failed to open file\n"); + goto end; + } + if (!write_config_fips_section(fout, section_name, module_mac, + module_mac_len, install_mac, + install_mac_len)) + goto end; + BIO_printf(bio_out, "INSTALL PASSED\n"); + } + + ret = 0; +end: + if (ret == 1) { + BIO_printf(bio_err, "%s FAILED\n", verify ? "VERIFY" : "INSTALL"); + ERR_print_errors(bio_err); + } + + BIO_free(fout); + BIO_free(mem_bio); + BIO_free(module_bio); + sk_OPENSSL_STRING_free(opts); + EVP_MAC_free(mac); + EVP_MAC_CTX_free(ctx2); + EVP_MAC_CTX_free(ctx); + OPENSSL_free(read_buffer); + free_config_and_unload(conf); + return ret; +} diff --git a/apps/include/apps.h b/apps/include/apps.h index a0fd3c3787..8b28d749e9 100644 --- a/apps/include/apps.h +++ b/apps/include/apps.h @@ -264,4 +264,8 @@ typedef struct verify_options_st { extern VERIFY_CB_ARGS verify_args; +OSSL_PARAM *app_params_new_from_opts(STACK_OF(OPENSSL_STRING) *opts, + const OSSL_PARAM *paramdefs); +void app_params_free(OSSL_PARAM *params); + #endif diff --git a/apps/mac.c b/apps/mac.c index 8220356e42..205d82f779 100644 --- a/apps/mac.c +++ b/apps/mac.c @@ -29,8 +29,8 @@ const OPTIONS mac_options[] = { {OPT_HELP_STR, 1, '-', "mac_name\t\t MAC algorithm (See list " "-mac-algorithms)"}, {"help", OPT_HELP, '-', "Display this summary"}, - {"macopt", OPT_MACOPT, 's', "MAC algorithm control parameters in n:v form. " - "See 'Supported Controls' in the EVP_MAC_ docs"}, + {"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form. " + "See 'PARAMETER NAMES' in the EVP_MAC_ docs"}, {"in", OPT_IN, '<', "Input file to MAC (default is stdin)"}, {"out", OPT_OUT, '>', "Output to filename rather than stdout"}, {"binary", OPT_BIN, '-', "Output in binary format (Default is hexadecimal " @@ -103,43 +103,19 @@ opthelp: goto err; if (opts != NULL) { - OSSL_PARAM *params = - OPENSSL_zalloc(sizeof(OSSL_PARAM) - * (sk_OPENSSL_STRING_num(opts) + 1)); - const OSSL_PARAM *paramdefs = EVP_MAC_CTX_settable_params(mac); - size_t params_n; int ok = 1; + OSSL_PARAM *params = + app_params_new_from_opts(opts, EVP_MAC_CTX_settable_params(mac)); - for (params_n = 0; params_n < (size_t)sk_OPENSSL_STRING_num(opts); - params_n++) { - char *opt = sk_OPENSSL_STRING_value(opts, (int)params_n); - char *stmp, *vtmp = NULL; - - if ((stmp = OPENSSL_strdup(opt)) == NULL - || (vtmp = strchr(stmp, ':')) == NULL - || (*vtmp++ = 0) /* Always zero */ - || !OSSL_PARAM_allocate_from_text(¶ms[params_n], paramdefs, - stmp, vtmp, strlen(vtmp))) { - BIO_printf(bio_err, "MAC parameter error '%s'\n", opt); - ERR_print_errors(bio_err); - ok = 0; - } - OPENSSL_free(stmp); - if (!ok) - break; - } - if (ok) { - params[params_n] = OSSL_PARAM_construct_end(); - if (!EVP_MAC_CTX_set_params(ctx, params)) { - BIO_printf(bio_err, "MAC parameter error\n"); - ERR_print_errors(bio_err); - goto err; - } - } - for (; params_n-- > 0;) { - OPENSSL_free(params[params_n].data); + if (params == NULL) + goto err; + + if (!EVP_MAC_CTX_set_params(ctx, params)) { + BIO_printf(bio_err, "MAC parameter error\n"); + ERR_print_errors(bio_err); + ok = 0; } - OPENSSL_free(params); + app_params_free(params); if (!ok) goto err; } @@ -160,7 +136,6 @@ opthelp: goto err; } - for (;;) { i = BIO_read(in, (char *)buf, BUFSIZE); if (i < 0) { diff --git a/apps/progs.c b/apps/progs.c index e7a06b9f16..879e6298bb 100644 --- a/apps/progs.c +++ b/apps/progs.c @@ -44,6 +44,7 @@ FUNCTION functions[] = { {FT_general, "engine", engine_main, engine_options}, #endif {FT_general, "errstr", errstr_main, errstr_options}, + {FT_general, "fipsinstall", fipsinstall_main, fipsinstall_options}, #ifndef OPENSSL_NO_DSA {FT_general, "gendsa", gendsa_main, gendsa_options}, #endif diff --git a/apps/progs.h b/apps/progs.h index 664c71467d..675a66ca04 100644 --- a/apps/progs.h +++ b/apps/progs.h @@ -27,6 +27,7 @@ extern int ecparam_main(int argc, char *argv[]); extern int enc_main(int argc, char *argv[]); extern int engine_main(int argc, char *argv[]); extern int errstr_main(int argc, char *argv[]); +extern int fipsinstall_main(int argc, char *argv[]); extern int gendsa_main(int argc, char *argv[]); extern int genpkey_main(int argc, char *argv[]); extern int genrsa_main(int argc, char *argv[]); @@ -79,6 +80,7 @@ extern const OPTIONS ecparam_options[]; extern const OPTIONS enc_options[]; extern const OPTIONS engine_options[]; extern const OPTIONS errstr_options[]; +extern const OPTIONS fipsinstall_options[]; extern const OPTIONS gendsa_options[]; extern const OPTIONS genpkey_options[]; extern const OPTIONS genrsa_options[]; |