fipsinstall.c@ 102797

Last change on this file since 102797 was 101211, checked in by vboxsync, 15 months ago
openssl-3.1.3: Applied and adjusted our OpenSSL changes to 3.1.2. bugref:10527
File size: 22.1 KB

Line
1	/*
2	* Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the Apache License 2.0 (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	#include <string.h>
11	#include <openssl/evp.h>
12	#include <openssl/err.h>
13	#include <openssl/provider.h>
14	#include <openssl/params.h>
15	#include <openssl/fips_names.h>
16	#include <openssl/core_names.h>
17	#include <openssl/self_test.h>
18	#include <openssl/fipskey.h>
19	#include "apps.h"
20	#include "progs.h"
21
22	#define BUFSIZE 4096
23
24	/* Configuration file values */
25	#define VERSION_KEY "version"
26	#define VERSION_VAL "1"
27	#define INSTALL_STATUS_VAL "INSTALL_SELF_TEST_KATS_RUN"
28
29	static OSSL_CALLBACK self_test_events;
30	static char *self_test_corrupt_desc = NULL;
31	static char *self_test_corrupt_type = NULL;
32	static int self_test_log = 1;
33	static int quiet = 0;
34
35	typedef enum OPTION_choice {
36	OPT_COMMON,
37	OPT_IN, OPT_OUT, OPT_MODULE, OPT_PEDANTIC,
38	OPT_PROV_NAME, OPT_SECTION_NAME, OPT_MAC_NAME, OPT_MACOPT, OPT_VERIFY,
39	OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET, OPT_CONFIG,
40	OPT_NO_CONDITIONAL_ERRORS,
41	OPT_NO_SECURITY_CHECKS,
42	OPT_TLS_PRF_EMS_CHECK,
43	OPT_DISALLOW_DRGB_TRUNC_DIGEST,
44	OPT_SELF_TEST_ONLOAD, OPT_SELF_TEST_ONINSTALL
45	} OPTION_CHOICE;
46
47	const OPTIONS fipsinstall_options[] = {
48	OPT_SECTION("General"),
49	{"help", OPT_HELP, '-', "Display this summary"},
50	{"pedantic", OPT_PEDANTIC, '-', "Set options for strict FIPS compliance"},
51	{"verify", OPT_VERIFY, '-',
52	"Verify a config file instead of generating one"},
53	{"module", OPT_MODULE, '<', "File name of the provider module"},
54	{"provider_name", OPT_PROV_NAME, 's', "FIPS provider name"},
55	{"section_name", OPT_SECTION_NAME, 's',
56	"FIPS Provider config section name (optional)"},
57	{"no_conditional_errors", OPT_NO_CONDITIONAL_ERRORS, '-',
58	"Disable the ability of the fips module to enter an error state if"
59	" any conditional self tests fail"},
60	{"no_security_checks", OPT_NO_SECURITY_CHECKS, '-',
61	"Disable the run-time FIPS security checks in the module"},
62	{"self_test_onload", OPT_SELF_TEST_ONLOAD, '-',
63	"Forces self tests to always run on module load"},
64	{"self_test_oninstall", OPT_SELF_TEST_ONINSTALL, '-',
65	"Forces self tests to run once on module installation"},
66	{"ems_check", OPT_TLS_PRF_EMS_CHECK, '-',
67	"Enable the run-time FIPS check for EMS during TLS1_PRF"},
68	{"no_drbg_truncated_digests", OPT_DISALLOW_DRGB_TRUNC_DIGEST, '-',
69	"Disallow truncated digests with Hash and HMAC DRBGs"},
70	OPT_SECTION("Input"),
71	{"in", OPT_IN, '<', "Input config file, used when verifying"},
72
73	OPT_SECTION("Output"),
74	{"out", OPT_OUT, '>', "Output config file, used when generating"},
75	{"mac_name", OPT_MAC_NAME, 's', "MAC name"},
76	{"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form."},
77	{OPT_MORE_STR, 0, 0, "See 'PARAMETER NAMES' in the EVP_MAC_ docs"},
78	{"noout", OPT_NO_LOG, '-', "Disable logging of self test events"},
79	{"corrupt_desc", OPT_CORRUPT_DESC, 's', "Corrupt a self test by description"},
80	{"corrupt_type", OPT_CORRUPT_TYPE, 's', "Corrupt a self test by type"},
81	{"config", OPT_CONFIG, '<', "The parent config to verify"},
82	{"quiet", OPT_QUIET, '-', "No messages, just exit status"},
83	{NULL}
84	};
85
86	typedef struct {
87	unsigned int self_test_onload : 1;
88	unsigned int conditional_errors : 1;
89	unsigned int security_checks : 1;
90	unsigned int tls_prf_ems_check : 1;
91	unsigned int drgb_no_trunc_dgst : 1;
92	} FIPS_OPTS;
93
94	/* Pedantic FIPS compliance */
95	static const FIPS_OPTS pedantic_opts = {
96	1, /* self_test_onload */
97	1, /* conditional_errors */
98	1, /* security_checks */
99	1, /* tls_prf_ems_check */
100	1, /* drgb_no_trunc_dgst */
101	};
102
103	/* Default FIPS settings for backward compatibility */
104	static FIPS_OPTS fips_opts = {
105	1, /* self_test_onload */
106	1, /* conditional_errors */
107	1, /* security_checks */
108	0, /* tls_prf_ems_check */
109	0, /* drgb_no_trunc_dgst */
110	};
111
112	static int check_non_pedantic_fips(int pedantic, const char *name)
113	{
114	if (pedantic) {
115	BIO_printf(bio_err, "Cannot specify -%s after -pedantic\n", name);
116	return 0;
117	}
118	return 1;
119	}
120
121	static int do_mac(EVP_MAC_CTX ctx, unsigned char tmp, BIO *in,
122	unsigned char out, size_t out_len)
123	{
124	int ret = 0;
125	int i;
126	size_t outsz = *out_len;
127
128	if (!EVP_MAC_init(ctx, NULL, 0, NULL))
129	goto err;
130	if (EVP_MAC_CTX_get_mac_size(ctx) > outsz)
131	goto end;
132	while ((i = BIO_read(in, (char *)tmp, BUFSIZE)) != 0) {
133	if (i < 0 \|\| !EVP_MAC_update(ctx, tmp, i))
134	goto err;
135	}
136	end:
137	if (!EVP_MAC_final(ctx, out, out_len, outsz))
138	goto err;
139	ret = 1;
140	err:
141	return ret;
142	}
143
144	static int load_fips_prov_and_run_self_test(const char *prov_name)
145	{
146	int ret = 0;
147	OSSL_PROVIDER *prov = NULL;
148	OSSL_PARAM params[4], *p = params;
149	char name = "", vers = "", *build = "";
150
151	prov = OSSL_PROVIDER_load(NULL, prov_name);
152	if (prov == NULL) {
153	BIO_printf(bio_err, "Failed to load FIPS module\n");
154	goto end;
155	}
156	if (!quiet) {
157	*p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_NAME,
158	&name, sizeof(name));
159	*p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_VERSION,
160	&vers, sizeof(vers));
161	*p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_BUILDINFO,
162	&build, sizeof(build));
163	*p = OSSL_PARAM_construct_end();
164	if (!OSSL_PROVIDER_get_params(prov, params)) {
165	BIO_printf(bio_err, "Failed to query FIPS module parameters\n");
166	goto end;
167	}
168	if (OSSL_PARAM_modified(params))
169	BIO_printf(bio_err, "\t%-10s\t%s\n", "name:", name);
170	if (OSSL_PARAM_modified(params + 1))
171	BIO_printf(bio_err, "\t%-10s\t%s\n", "version:", vers);
172	if (OSSL_PARAM_modified(params + 2))
173	BIO_printf(bio_err, "\t%-10s\t%s\n", "build:", build);
174	}
175	ret = 1;
176	end:
177	OSSL_PROVIDER_unload(prov);
178	return ret;
179	}
180
181	static int print_mac(BIO bio, const char label, const unsigned char *mac,
182	size_t len)
183	{
184	int ret;
185	char *hexstr = NULL;
186
187	hexstr = OPENSSL_buf2hexstr(mac, (long)len);
188	if (hexstr == NULL)
189	return 0;
190	ret = BIO_printf(bio, "%s = %s\n", label, hexstr);
191	OPENSSL_free(hexstr);
192	return ret;
193	}
194
195	static int write_config_header(BIO out, const char prov_name,
196	const char *section)
197	{
198	return BIO_printf(out, "openssl_conf = openssl_init\n\n")
199	&& BIO_printf(out, "[openssl_init]\n")
200	&& BIO_printf(out, "providers = provider_section\n\n")
201	&& BIO_printf(out, "[provider_section]\n")
202	&& BIO_printf(out, "%s = %s\n\n", prov_name, section);
203	}
204
205	/*
206	* Outputs a fips related config file that contains entries for the fips
207	* module checksum, installation indicator checksum and the options
208	* conditional_errors and security_checks.
209	*
210	* Returns 1 if the config file is written otherwise it returns 0 on error.
211	*/
212	static int write_config_fips_section(BIO out, const char section,
213	unsigned char *module_mac,
214	size_t module_mac_len,
215	const FIPS_OPTS *opts,
216	unsigned char *install_mac,
217	size_t install_mac_len)
218	{
219	int ret = 0;
220
221	if (BIO_printf(out, "[%s]\n", section) <= 0
222	\|\| BIO_printf(out, "activate = 1\n") <= 0
223	\|\| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
224	VERSION_VAL) <= 0
225	\|\| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS,
226	opts->conditional_errors ? "1" : "0") <= 0
227	\|\| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS,
228	opts->security_checks ? "1" : "0") <= 0
229	\|\| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK,
230	opts->tls_prf_ems_check ? "1" : "0") <= 0
231	\|\| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST,
232	opts->drgb_no_trunc_dgst ? "1" : "0") <= 0
233	\|\| !print_mac(out, OSSL_PROV_FIPS_PARAM_MODULE_MAC, module_mac,
234	module_mac_len))
235	goto end;
236
237	if (install_mac != NULL && install_mac_len > 0) {
238	if (!print_mac(out, OSSL_PROV_FIPS_PARAM_INSTALL_MAC, install_mac,
239	install_mac_len)
240	\|\| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_STATUS,
241	INSTALL_STATUS_VAL) <= 0)
242	goto end;
243	}
244	ret = 1;
245	end:
246	return ret;
247	}
248
249	static CONF generate_config_and_load(const char prov_name,
250	const char *section,
251	unsigned char *module_mac,
252	size_t module_mac_len,
253	const FIPS_OPTS *opts)
254	{
255	BIO *mem_bio = NULL;
256	CONF *conf = NULL;
257
258	mem_bio = BIO_new(BIO_s_mem());
259	if (mem_bio == NULL)
260	return 0;
261	if (!write_config_header(mem_bio, prov_name, section)
262	\|\| !write_config_fips_section(mem_bio, section,
263	module_mac, module_mac_len,
264	opts, NULL, 0))
265	goto end;
266
267	conf = app_load_config_bio(mem_bio, NULL);
268	if (conf == NULL)
269	goto end;
270
271	if (CONF_modules_load(conf, NULL, 0) <= 0)
272	goto end;
273	BIO_free(mem_bio);
274	return conf;
275	end:
276	NCONF_free(conf);
277	BIO_free(mem_bio);
278	return NULL;
279	}
280
281	static void free_config_and_unload(CONF *conf)
282	{
283	if (conf != NULL) {
284	NCONF_free(conf);
285	CONF_modules_unload(1);
286	}
287	}
288
289	static int verify_module_load(const char *parent_config_file)
290	{
291	return OSSL_LIB_CTX_load_config(NULL, parent_config_file);
292	}
293
294	/*
295	* Returns 1 if the config file entries match the passed in module_mac and
296	* install_mac values, otherwise it returns 0.
297	*/
298	static int verify_config(const char infile, const char section,
299	unsigned char *module_mac, size_t module_mac_len,
300	unsigned char *install_mac, size_t install_mac_len)
301	{
302	int ret = 0;
303	char *s = NULL;
304	unsigned char buf1 = NULL, buf2 = NULL;
305	long len;
306	CONF *conf = NULL;
307
308	/* read in the existing values and check they match the saved values */
309	conf = app_load_config(infile);
310	if (conf == NULL)
311	goto end;
312
313	s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_INSTALL_VERSION);
314	if (s == NULL \|\| strcmp(s, VERSION_VAL) != 0) {
315	BIO_printf(bio_err, "version not found\n");
316	goto end;
317	}
318	s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_MODULE_MAC);
319	if (s == NULL) {
320	BIO_printf(bio_err, "Module integrity MAC not found\n");
321	goto end;
322	}
323	buf1 = OPENSSL_hexstr2buf(s, &len);
324	if (buf1 == NULL
325	\|\| (size_t)len != module_mac_len
326	\|\| memcmp(module_mac, buf1, module_mac_len) != 0) {
327	BIO_printf(bio_err, "Module integrity mismatch\n");
328	goto end;
329	}
330	if (install_mac != NULL && install_mac_len > 0) {
331	s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_INSTALL_STATUS);
332	if (s == NULL \|\| strcmp(s, INSTALL_STATUS_VAL) != 0) {
333	BIO_printf(bio_err, "install status not found\n");
334	goto end;
335	}
336	s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_INSTALL_MAC);
337	if (s == NULL) {
338	BIO_printf(bio_err, "Install indicator MAC not found\n");
339	goto end;
340	}
341	buf2 = OPENSSL_hexstr2buf(s, &len);
342	if (buf2 == NULL
343	\|\| (size_t)len != install_mac_len
344	\|\| memcmp(install_mac, buf2, install_mac_len) != 0) {
345	BIO_printf(bio_err, "Install indicator status mismatch\n");
346	goto end;
347	}
348	}
349	ret = 1;
350	end:
351	OPENSSL_free(buf1);
352	OPENSSL_free(buf2);
353	NCONF_free(conf);
354	return ret;
355	}
356
357	int fipsinstall_main(int argc, char **argv)
358	{
359	int ret = 1, verify = 0, gotkey = 0, gotdigest = 0, pedantic = 0;
360	const char *section_name = "fips_sect";
361	const char *mac_name = "HMAC";
362	const char *prov_name = "fips";
363	BIO module_bio = NULL, mem_bio = NULL, *fout = NULL;
364	char in_fname = NULL, out_fname = NULL, *prog;
365	char module_fname = NULL, parent_config = NULL, *module_path = NULL;
366	const char *tail;
367	EVP_MAC_CTX ctx = NULL, ctx2 = NULL;
368	STACK_OF(OPENSSL_STRING) *opts = NULL;
369	OPTION_CHOICE o;
370	unsigned char *read_buffer = NULL;
371	unsigned char module_mac[EVP_MAX_MD_SIZE];
372	size_t module_mac_len = EVP_MAX_MD_SIZE;
373	unsigned char install_mac[EVP_MAX_MD_SIZE];
374	size_t install_mac_len = EVP_MAX_MD_SIZE;
375	EVP_MAC *mac = NULL;
376	CONF *conf = NULL;
377
378	if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)
379	goto end;
380
381	prog = opt_init(argc, argv, fipsinstall_options);
382	while ((o = opt_next()) != OPT_EOF) {
383	switch (o) {
384	case OPT_EOF:
385	case OPT_ERR:
386	opthelp:
387	BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
388	goto cleanup;
389	case OPT_HELP:
390	opt_help(fipsinstall_options);
391	ret = 0;
392	goto end;
393	case OPT_IN:
394	in_fname = opt_arg();
395	break;
396	case OPT_OUT:
397	out_fname = opt_arg();
398	break;
399	case OPT_PEDANTIC:
400	fips_opts = pedantic_opts;
401	pedantic = 1;
402	break;
403	case OPT_NO_CONDITIONAL_ERRORS:
404	if (!check_non_pedantic_fips(pedantic, "no_conditional_errors"))
405	goto end;
406	fips_opts.conditional_errors = 0;
407	break;
408	case OPT_NO_SECURITY_CHECKS:
409	if (!check_non_pedantic_fips(pedantic, "no_security_checks"))
410	goto end;
411	fips_opts.security_checks = 0;
412	break;
413	case OPT_TLS_PRF_EMS_CHECK:
414	fips_opts.tls_prf_ems_check = 1;
415	break;
416	case OPT_DISALLOW_DRGB_TRUNC_DIGEST:
417	fips_opts.drgb_no_trunc_dgst = 1;
418	break;
419	case OPT_QUIET:
420	quiet = 1;
421	/* FALLTHROUGH */
422	case OPT_NO_LOG:
423	self_test_log = 0;
424	break;
425	case OPT_CORRUPT_DESC:
426	self_test_corrupt_desc = opt_arg();
427	break;
428	case OPT_CORRUPT_TYPE:
429	self_test_corrupt_type = opt_arg();
430	break;
431	case OPT_PROV_NAME:
432	prov_name = opt_arg();
433	break;
434	case OPT_MODULE:
435	module_fname = opt_arg();
436	break;
437	case OPT_SECTION_NAME:
438	section_name = opt_arg();
439	break;
440	case OPT_MAC_NAME:
441	mac_name = opt_arg();
442	break;
443	case OPT_CONFIG:
444	parent_config = opt_arg();
445	break;
446	case OPT_MACOPT:
447	if (!sk_OPENSSL_STRING_push(opts, opt_arg()))
448	goto opthelp;
449	if (strncmp(opt_arg(), "hexkey:", 7) == 0)
450	gotkey = 1;
451	else if (strncmp(opt_arg(), "digest:", 7) == 0)
452	gotdigest = 1;
453	break;
454	case OPT_VERIFY:
455	verify = 1;
456	break;
457	case OPT_SELF_TEST_ONLOAD:
458	fips_opts.self_test_onload = 1;
459	break;
460	case OPT_SELF_TEST_ONINSTALL:
461	if (!check_non_pedantic_fips(pedantic, "self_test_oninstall"))
462	goto end;
463	fips_opts.self_test_onload = 0;
464	break;
465	}
466	}
467
468	/* No extra arguments. */
469	argc = opt_num_rest();
470	if (argc != 0 \|\| (verify && in_fname == NULL))
471	goto opthelp;
472
473	if (parent_config != NULL) {
474	/* Test that a parent config can load the module */
475	if (verify_module_load(parent_config)) {
476	ret = OSSL_PROVIDER_available(NULL, prov_name) ? 0 : 1;
477	if (!quiet) {
478	BIO_printf(bio_err, "FIPS provider is %s\n",
479	ret == 0 ? "available" : " not available");
480	}
481	}
482	goto end;
483	}
484	if (module_fname == NULL)
485	goto opthelp;
486
487	tail = opt_path_end(module_fname);
488	if (tail != NULL) {
489	module_path = OPENSSL_strdup(module_fname);
490	if (module_path == NULL)
491	goto end;
492	module_path[tail - module_fname] = '\0';
493	if (!OSSL_PROVIDER_set_default_search_path(NULL, module_path))
494	goto end;
495	}
496
497	if (self_test_log
498	\|\| self_test_corrupt_desc != NULL
499	\|\| self_test_corrupt_type != NULL)
500	OSSL_SELF_TEST_set_callback(NULL, self_test_events, NULL);
501
502	/* Use the default FIPS HMAC digest and key if not specified. */
503	if (!gotdigest && !sk_OPENSSL_STRING_push(opts, "digest:SHA256"))
504	goto end;
505	if (!gotkey && !sk_OPENSSL_STRING_push(opts, "hexkey:" FIPS_KEY_STRING))
506	goto end;
507
508	module_bio = bio_open_default(module_fname, 'r', FORMAT_BINARY);
509	if (module_bio == NULL) {
510	BIO_printf(bio_err, "Failed to open module file\n");
511	goto end;
512	}
513
514	read_buffer = app_malloc(BUFSIZE, "I/O buffer");
515	if (read_buffer == NULL)
516	goto end;
517
518	mac = EVP_MAC_fetch(app_get0_libctx(), mac_name, app_get0_propq());
519	if (mac == NULL) {
520	BIO_printf(bio_err, "Unable to get MAC of type %s\n", mac_name);
521	goto end;
522	}
523
524	ctx = EVP_MAC_CTX_new(mac);
525	if (ctx == NULL) {
526	BIO_printf(bio_err, "Unable to create MAC CTX for module check\n");
527	goto end;
528	}
529
530	if (opts != NULL) {
531	int ok = 1;
532	OSSL_PARAM *params =
533	app_params_new_from_opts(opts, EVP_MAC_settable_ctx_params(mac));
534
535	if (params == NULL)
536	goto end;
537
538	if (!EVP_MAC_CTX_set_params(ctx, params)) {
539	BIO_printf(bio_err, "MAC parameter error\n");
540	ERR_print_errors(bio_err);
541	ok = 0;
542	}
543	app_params_free(params);
544	if (!ok)
545	goto end;
546	}
547
548	ctx2 = EVP_MAC_CTX_dup(ctx);
549	if (ctx2 == NULL) {
550	BIO_printf(bio_err, "Unable to create MAC CTX for install indicator\n");
551	goto end;
552	}
553
554	if (!do_mac(ctx, read_buffer, module_bio, module_mac, &module_mac_len))
555	goto end;
556
557	if (fips_opts.self_test_onload == 0) {
558	mem_bio = BIO_new_mem_buf((const void *)INSTALL_STATUS_VAL,
559	strlen(INSTALL_STATUS_VAL));
560	if (mem_bio == NULL) {
561	BIO_printf(bio_err, "Unable to create memory BIO\n");
562	goto end;
563	}
564	if (!do_mac(ctx2, read_buffer, mem_bio, install_mac, &install_mac_len))
565	goto end;
566	} else {
567	install_mac_len = 0;
568	}
569
570	if (verify) {
571	if (!verify_config(in_fname, section_name, module_mac, module_mac_len,
572	install_mac, install_mac_len))
573	goto end;
574	if (!quiet)
575	BIO_printf(bio_err, "VERIFY PASSED\n");
576	} else {
577
578	conf = generate_config_and_load(prov_name, section_name, module_mac,
579	module_mac_len, &fips_opts);
580	if (conf == NULL)
581	goto end;
582	if (!load_fips_prov_and_run_self_test(prov_name))
583	goto end;
584
585	fout =
586	out_fname == NULL ? dup_bio_out(FORMAT_TEXT)
587	: bio_open_default(out_fname, 'w', FORMAT_TEXT);
588	if (fout == NULL) {
589	BIO_printf(bio_err, "Failed to open file\n");
590	goto end;
591	}
592	if (!write_config_fips_section(fout, section_name,
593	module_mac, module_mac_len, &fips_opts,
594	install_mac, install_mac_len))
595	goto end;
596	if (!quiet)
597	BIO_printf(bio_err, "INSTALL PASSED\n");
598	}
599
600	ret = 0;
601	end:
602	if (ret == 1) {
603	if (!quiet)
604	BIO_printf(bio_err, "%s FAILED\n", verify ? "VERIFY" : "INSTALL");
605	ERR_print_errors(bio_err);
606	}
607
608	cleanup:
609	OPENSSL_free(module_path);
610	BIO_free(fout);
611	BIO_free(mem_bio);
612	BIO_free(module_bio);
613	sk_OPENSSL_STRING_free(opts);
614	EVP_MAC_free(mac);
615	EVP_MAC_CTX_free(ctx2);
616	EVP_MAC_CTX_free(ctx);
617	OPENSSL_free(read_buffer);
618	free_config_and_unload(conf);
619	return ret;
620	}
621
622	static int self_test_events(const OSSL_PARAM params[], void *arg)
623	{
624	const OSSL_PARAM *p = NULL;
625	const char phase = NULL, type = NULL, *desc = NULL;
626	int ret = 0;
627
628	p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_PHASE);
629	if (p == NULL \|\| p->data_type != OSSL_PARAM_UTF8_STRING)
630	goto err;
631	phase = (const char *)p->data;
632
633	p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_DESC);
634	if (p == NULL \|\| p->data_type != OSSL_PARAM_UTF8_STRING)
635	goto err;
636	desc = (const char *)p->data;
637
638	p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_TYPE);
639	if (p == NULL \|\| p->data_type != OSSL_PARAM_UTF8_STRING)
640	goto err;
641	type = (const char *)p->data;
642
643	if (self_test_log) {
644	if (strcmp(phase, OSSL_SELF_TEST_PHASE_START) == 0)
645	BIO_printf(bio_err, "%s : (%s) : ", desc, type);
646	else if (strcmp(phase, OSSL_SELF_TEST_PHASE_PASS) == 0
647	\|\| strcmp(phase, OSSL_SELF_TEST_PHASE_FAIL) == 0)
648	BIO_printf(bio_err, "%s\n", phase);
649	}
650	/*
651	* The self test code will internally corrupt the KAT test result if an
652	* error is returned during the corrupt phase.
653	*/
654	if (strcmp(phase, OSSL_SELF_TEST_PHASE_CORRUPT) == 0
655	&& (self_test_corrupt_desc != NULL
656	\|\| self_test_corrupt_type != NULL)) {
657	if (self_test_corrupt_desc != NULL
658	&& strcmp(self_test_corrupt_desc, desc) != 0)
659	goto end;
660	if (self_test_corrupt_type != NULL
661	&& strcmp(self_test_corrupt_type, type) != 0)
662	goto end;
663	BIO_printf(bio_err, "%s ", phase);
664	goto err;
665	}
666	end:
667	ret = 1;
668	err:
669	return ret;
670	}

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/libs/openssl-3.1.3/apps/fipsinstall.c@ 102797

Download in other formats: