[openssl] master update
tmraz at fedoraproject.org
tmraz at fedoraproject.org
Fri Apr 24 11:19:54 UTC 2020
The branch master has been updated
via 713fc10f83a4d5cac4153a98374be8cac6af1771 (commit)
via 1cd2c1f857e114f176eee01c96e27a8d7a14a356 (commit)
from d38997af165324b1ec0bbc0c6694daf7f503f080 (commit)
- Log -----------------------------------------------------------------
commit 713fc10f83a4d5cac4153a98374be8cac6af1771
Author: Rich Salz <rsalz at akamai.com>
Date: Tue Apr 21 13:55:12 2020 -0400
Rename fipsinstall.cnf->fipsmodule.cnf
Introduced by rebasing
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11177)
commit 1cd2c1f857e114f176eee01c96e27a8d7a14a356
Author: Rich Salz <rsalz at akamai.com>
Date: Tue Feb 25 16:27:24 2020 -0500
Update some nits around the FIPS module
- Changed the generated FIPS signature file to be "fipsmodule.conf"
since it contains information about the FIPS module/file.
- Add -q option to fipsinstall command, to stop chatty verbose status
messages.
- Document env var OPENSSL_CONF_INCLUDE
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11177)
-----------------------------------------------------------------------
Summary of changes:
.gitignore | 7 +++----
apps/fipsinstall.c | 19 ++++++++++++++-----
doc/man1/openssl-fipsinstall.pod.in | 8 ++++++--
test/default-and-fips.cnf | 2 +-
test/fips.cnf | 2 +-
test/recipes/30-test_evp.t | 2 +-
test/recipes/30-test_evp_fetch_prov.t | 2 +-
test/recipes/80-test_ssl_new.t | 2 +-
test/recipes/80-test_ssl_old.t | 2 +-
test/recipes/90-test_sslapi.t | 2 +-
test/recipes/90-test_sslprovider.t | 2 +-
11 files changed, 31 insertions(+), 19 deletions(-)
diff --git a/.gitignore b/.gitignore
index a2ff5f1c25..856a6c71d5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -67,14 +67,13 @@ providers/common/include/prov/der_rsa.h
/test/rsa_complex
/test/confdump
/test/bio_prefix_text
-# Other generated files in test/
-/test/provider_internal_test.cnf
-/test/fipsinstall.cnf
-/providers/fipsinstall.cnf
# Certain files that get created by tests on the fly
/test-runs
/test/buildtest_*
+/test/provider_internal_test.cnf
+/test/fipsmodule.cnf
+/providers/fipsmodule.cnf
# Fuzz stuff.
# Anything without an extension is an executable on Unix, so we keep files
diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c
index 1342cc9949..157f08b11f 100644
--- a/apps/fipsinstall.c
+++ b/apps/fipsinstall.c
@@ -31,12 +31,13 @@ static OSSL_CALLBACK self_test_events;
static char *self_test_corrupt_desc = NULL;
static char *self_test_corrupt_type = NULL;
static int self_test_log = 1;
+static int quiet = 0;
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_IN, OPT_OUT, OPT_MODULE,
OPT_PROV_NAME, OPT_SECTION_NAME, OPT_MAC_NAME, OPT_MACOPT, OPT_VERIFY,
- OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE
+ OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET
} OPTION_CHOICE;
const OPTIONS fipsinstall_options[] = {
@@ -60,6 +61,7 @@ const OPTIONS fipsinstall_options[] = {
{"noout", OPT_NO_LOG, '-', "Disable logging of self test events"},
{"corrupt_desc", OPT_CORRUPT_DESC, 's', "Corrupt a self test by description"},
{"corrupt_type", OPT_CORRUPT_TYPE, 's', "Corrupt a self test by type"},
+ {"quiet", OPT_QUIET, '-', "No messages, just exit status"},
{NULL}
};
@@ -287,7 +289,7 @@ int fipsinstall_main(int argc, char **argv)
case OPT_ERR:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
- goto end;
+ goto cleanup;
case OPT_HELP:
opt_help(fipsinstall_options);
ret = 0;
@@ -298,6 +300,9 @@ opthelp:
case OPT_OUT:
out_fname = opt_arg();
break;
+ case OPT_QUIET:
+ quiet = 1;
+ /* FALLTHROUGH */
case OPT_NO_LOG:
self_test_log = 0;
break;
@@ -405,7 +410,8 @@ opthelp:
if (!verify_config(in_fname, section_name, module_mac, module_mac_len,
install_mac, install_mac_len))
goto end;
- BIO_printf(bio_out, "VERIFY PASSED\n");
+ if (!quiet)
+ BIO_printf(bio_out, "VERIFY PASSED\n");
} else {
conf = generate_config_and_load(prov_name, section_name, module_mac,
@@ -424,16 +430,19 @@ opthelp:
module_mac_len, install_mac,
install_mac_len))
goto end;
- BIO_printf(bio_out, "INSTALL PASSED\n");
+ if (!quiet)
+ BIO_printf(bio_out, "INSTALL PASSED\n");
}
ret = 0;
end:
if (ret == 1) {
- BIO_printf(bio_err, "%s FAILED\n", verify ? "VERIFY" : "INSTALL");
+ if (!quiet)
+ BIO_printf(bio_err, "%s FAILED\n", verify ? "VERIFY" : "INSTALL");
ERR_print_errors(bio_err);
}
+cleanup:
BIO_free(fout);
BIO_free(mem_bio);
BIO_free(module_bio);
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in
index 698ee3e35e..74b23341e3 100644
--- a/doc/man1/openssl-fipsinstall.pod.in
+++ b/doc/man1/openssl-fipsinstall.pod.in
@@ -18,6 +18,7 @@ B<openssl fipsinstall>
[B<-mac_name> I<macname>]
[B<-macopt> I<nm>:I<v>]
[B<-noout>]
+[B<-quiet>]
[B<-corrupt_desc> I<selftest_description>]
[B<-corrupt_type> I<selftest_type>]
@@ -114,9 +115,12 @@ C<openssl list -digest-commands>.
Disable logging of the self tests.
-=item B<-corrupt_desc> I<selftest_description>
+=item B<-quiet>
-=item B<-corrupt_type> I<selftest_type>
+Do not output pass/fail messages. Implies B<-noout>.
+
+=item B<-corrupt_desc> I<selftest_description>,
+B<-corrupt_type> I<selftest_type>
The corrupt options can be used to test failure of one or more self test(s) by
name.
diff --git a/test/default-and-fips.cnf b/test/default-and-fips.cnf
index 03f5a83183..7a4d765591 100644
--- a/test/default-and-fips.cnf
+++ b/test/default-and-fips.cnf
@@ -1,6 +1,6 @@
openssl_conf = openssl_init
-.include fipsinstall.cnf
+.include fipsmodule.cnf
[openssl_init]
providers = provider_sect
diff --git a/test/fips.cnf b/test/fips.cnf
index 32c18be671..d6c3c6be14 100644
--- a/test/fips.cnf
+++ b/test/fips.cnf
@@ -1,6 +1,6 @@
openssl_conf = openssl_init
-.include fipsinstall.cnf
+.include fipsmodule.cnf
[openssl_init]
providers = provider_sect
diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t
index 217cbd5e2a..88eb41e1c1 100644
--- a/test/recipes/30-test_evp.t
+++ b/test/recipes/30-test_evp.t
@@ -84,7 +84,7 @@ unless ($no_fips) {
$ENV{OPENSSL_CONF_INCLUDE} = bldtop_dir("providers");
ok(run(app(['openssl', 'fipsinstall',
- '-out', bldtop_file('providers', 'fipsinstall.cnf'),
+ '-out', bldtop_file('providers', 'fipsmodule.cnf'),
'-module', $infile,
'-provider_name', 'fips', '-mac_name', 'HMAC',
'-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
diff --git a/test/recipes/30-test_evp_fetch_prov.t b/test/recipes/30-test_evp_fetch_prov.t
index 6c9bfe221c..be06716b44 100644
--- a/test/recipes/30-test_evp_fetch_prov.t
+++ b/test/recipes/30-test_evp_fetch_prov.t
@@ -48,7 +48,7 @@ my @testdata = (
unless ($no_fips) {
push @setups, {
cmd => app(['openssl', 'fipsinstall',
- '-out', bldtop_file('providers', 'fipsinstall.cnf'),
+ '-out', bldtop_file('providers', 'fipsmodule.cnf'),
'-module', bldtop_file('providers', platform->dso('fips')),
'-provider_name', 'fips', '-mac_name', 'HMAC',
'-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index fc0c376c1f..8a26119f86 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -119,7 +119,7 @@ my %skip = (
unless ($no_fips) {
ok(run(app(['openssl', 'fipsinstall',
- '-out', bldtop_file('providers', 'fipsinstall.cnf'),
+ '-out', bldtop_file('providers', 'fipsmodule.cnf'),
'-module', bldtop_file('providers', platform->dso('fips')),
'-provider_name', 'fips', '-mac_name', 'HMAC',
'-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 345ec0fa67..42963c364a 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -94,7 +94,7 @@ plan tests =>
unless ($no_fips) {
ok(run(app(['openssl', 'fipsinstall',
- '-out', bldtop_file('providers', 'fipsinstall.cnf'),
+ '-out', bldtop_file('providers', 'fipsmodule.cnf'),
'-module', bldtop_file('providers', platform->dso('fips')),
'-provider_name', 'fips', '-mac_name', 'HMAC',
'-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t
index feca1c2e20..b89b783805 100644
--- a/test/recipes/90-test_sslapi.t
+++ b/test/recipes/90-test_sslapi.t
@@ -41,7 +41,7 @@ ok(run(test(["sslapitest", srctop_dir("test", "certs"),
unless ($no_fips) {
ok(run(app(['openssl', 'fipsinstall',
- '-out', bldtop_file('providers', 'fipsinstall.cnf'),
+ '-out', bldtop_file('providers', 'fipsmodule.cnf'),
'-module', bldtop_file('providers', platform->dso('fips')),
'-provider_name', 'fips', '-mac_name', 'HMAC',
'-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
diff --git a/test/recipes/90-test_sslprovider.t b/test/recipes/90-test_sslprovider.t
index 7af6c962ad..793756bc6d 100644
--- a/test/recipes/90-test_sslprovider.t
+++ b/test/recipes/90-test_sslprovider.t
@@ -31,7 +31,7 @@ SKIP: {
if disabled("fips");
ok(run(app(['openssl', 'fipsinstall',
- '-out', bldtop_file('providers', 'fipsinstall.cnf'),
+ '-out', bldtop_file('providers', 'fipsmodule.cnf'),
'-module', bldtop_file('providers', platform->dso('fips')),
'-provider_name', 'fips', '-mac_name', 'HMAC',
'-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
More information about the openssl-commits
mailing list