author | Shane Lontis <shane.lontis@oracle.com> | 2020-09-05 05:08:27 +0200 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2020-09-18 15:20:50 +0200 |
commit | 991a6bb58182d4d2077a68eb813c897b7de73462 (patch) | |
tree | 738fc724534be090323181dc445cf19e442b827c /providers/fips | |
parent | Add 'fips-securitychecks' option and plumb this into the actual fips checks (diff) | |
download | openssl-991a6bb58182d4d2077a68eb813c897b7de73462.tar.xz openssl-991a6bb58182d4d2077a68eb813c897b7de73462.zip |
Add option to fipsinstall to disable fips security checks at run time.
Changes merged from a patch by @richsalz.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12745)
Diffstat (limited to 'providers/fips')
-rw-r--r-- | providers/fips/fipsprov.c | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 4290a87e6e..aec262654e 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -37,6 +37,7 @@ static OSSL_FUNC_provider_query_operation_fn fips_query;
 #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL)
 extern OSSL_FUNC_core_thread_start_fn *c_thread_start;
+int FIPS_security_check_enabled(void);
 /*
 * TODO(3.0): Should these be stored in the provider side provctx? Could they
@@ -46,6 +47,8 @@ extern OSSL_FUNC_core_thread_start_fn *c_thread_start;
 */
 static SELF_TEST_POST_PARAMS selftest_params;
+static int fips_security_checks = 1;
+static const char *fips_security_check_option = "1";
 /* Functions provided by the core */
 static OSSL_FUNC_core_gettable_params_fn *c_gettable_params;
@@ -100,6 +103,7 @@ static const OSSL_PARAM fips_param_types[] = {
 OSSL_PARAM_DEFN(OSSL_PROV_PARAM_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0),
 OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0),
 OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0),
+ OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SECURITY_CHECKS, OSSL_PARAM_INTEGER, NULL, 0),
 OSSL_PARAM_END
 };
@@ -108,6 +112,7 @@ static const OSSL_PARAM fips_param_types[] = {
 * NOTE: inside core_get_params() these will be loaded from config items
 * stored inside prov->parameters (except for
 * OSSL_PROV_PARAM_CORE_MODULE_FILENAME).
+ * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS is not a self test parameter.
 */
 static OSSL_PARAM core_params[] =
 {
@@ -129,6 +134,9 @@ static OSSL_PARAM core_params[] =
 OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS,
 selftest_params.conditional_error_check,
 sizeof(selftest_params.conditional_error_check)),
+ OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS,
+ fips_security_check_option,
+ sizeof(fips_security_check_option)),
 OSSL_PARAM_END
 };
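Review bot: In the last hunk, `sizeof(fips_security_check_option)` is the width of a `const char *` (the variable is declared as a pointer in the second hunk), not the length of the string it points at, so the size argument handed to OSSL_PARAM_utf8_ptr is a pointer size rather than a buffer bound. This mirrors the existing OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS entry, so presumably the core ignores that size for UTF8_PTR params, but a reader can easily take it for a bound; a short comment on the new entry would settle it, e.g. `/* UTF8_PTR: size is sizeof the pointer, matching CONDITIONAL_ERRORS above, not a string bound */`. The two new file-scope globals in the second hunk also sit under the TODO(3.0) comment asking whether such state belongs in the provctx; a one-line comment noting that fips_security_checks is module-wide state read back through FIPS_security_check_enabled() would help the next maintainer.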
@@ -153,6 +161,9 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
 p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
 if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
 return 0;
+ p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_SECURITY_CHECKS);
+ if (p != NULL && !OSSL_PARAM_set_int(p, fips_security_checks))
+ return 0;
 return 1;
 }
@@ -653,6 +664,11 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
 && strcmp(selftest_params.conditional_error_check, "0") == 0)
 SELF_TEST_disable_conditional_error_state();
+ /* Disable the security check if is disabled in the fips config file*/
+ if (fips_security_check_option != NULL
+ && strcmp(fips_security_check_option, "0") == 0)
+ fips_security_checks = 0;
+
 /* Create a context. */
 if ((*provctx = PROV_CTX_new()) == NULL
 || (libctx = OPENSSL_CTX_new()) == NULL) {
@@ -858,3 +874,8 @@ int BIO_snprintf(char *buf, size_t n, const char *format, ...)
 va_end(args);
 return ret;
 }
+
+int FIPS_security_check_enabled(void)
+{
+ return fips_security_checks;
+}
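Review bot: The comment added in the OSSL_provider_init hunk, `/* Disable the security check if is disabled in the fips config file*/`, has a dropped word and no space before the closing `*/`, and it does not state what the condition below actually requires: only the exact string "0" disables the checks, while a NULL pointer or any other value leaves them enabled, which is the fail-safe direction. Suggest `/* Disable the security checks only if the fips config file sets the option to exactly "0"; NULL or any other value keeps them enabled. */`. The new FIPS_security_check_enabled() in the final hunk has no header comment either; a line such as `/* 1 unless the fips config disabled the security checks during OSSL_provider_init() */` would tie the accessor to where its value is set, as far as this diff shows. OSSL_provider_init's body begins and ends outside the hunk.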