[openssl] master update

tmraz at fedoraproject.org tmraz at fedoraproject.org
Fri Apr 24 11:19:54 UTC 2020


The branch master has been updated
       via  713fc10f83a4d5cac4153a98374be8cac6af1771 (commit)
       via  1cd2c1f857e114f176eee01c96e27a8d7a14a356 (commit)
      from  d38997af165324b1ec0bbc0c6694daf7f503f080 (commit)


- Log -----------------------------------------------------------------
commit 713fc10f83a4d5cac4153a98374be8cac6af1771
Author: Rich Salz <rsalz at akamai.com>
Date:   Tue Apr 21 13:55:12 2020 -0400

    Rename fipsinstall.cnf->fipsmodule.cnf
    
    Introduced by rebasing
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/11177)

commit 1cd2c1f857e114f176eee01c96e27a8d7a14a356
Author: Rich Salz <rsalz at akamai.com>
Date:   Tue Feb 25 16:27:24 2020 -0500

    Update some nits around the FIPS module
    
    - Changed the generated FIPS signature file to be "fipsmodule.conf"
    since it contains information about the FIPS module/file.
    - Add -q option to fipsinstall command, to stop chatty verbose status
    messages.
    - Document env var OPENSSL_CONF_INCLUDE
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/11177)

-----------------------------------------------------------------------

Summary of changes:
 .gitignore                            |  7 +++----
 apps/fipsinstall.c                    | 19 ++++++++++++++-----
 doc/man1/openssl-fipsinstall.pod.in   |  8 ++++++--
 test/default-and-fips.cnf             |  2 +-
 test/fips.cnf                         |  2 +-
 test/recipes/30-test_evp.t            |  2 +-
 test/recipes/30-test_evp_fetch_prov.t |  2 +-
 test/recipes/80-test_ssl_new.t        |  2 +-
 test/recipes/80-test_ssl_old.t        |  2 +-
 test/recipes/90-test_sslapi.t         |  2 +-
 test/recipes/90-test_sslprovider.t    |  2 +-
 11 files changed, 31 insertions(+), 19 deletions(-)

diff --git a/.gitignore b/.gitignore
index a2ff5f1c25..856a6c71d5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -67,14 +67,13 @@ providers/common/include/prov/der_rsa.h
 /test/rsa_complex
 /test/confdump
 /test/bio_prefix_text
-# Other generated files in test/
-/test/provider_internal_test.cnf
-/test/fipsinstall.cnf
-/providers/fipsinstall.cnf
 
 # Certain files that get created by tests on the fly
 /test-runs
 /test/buildtest_*
+/test/provider_internal_test.cnf
+/test/fipsmodule.cnf
+/providers/fipsmodule.cnf
 
 # Fuzz stuff.
 # Anything without an extension is an executable on Unix, so we keep files
diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c
index 1342cc9949..157f08b11f 100644
--- a/apps/fipsinstall.c
+++ b/apps/fipsinstall.c
@@ -31,12 +31,13 @@ static OSSL_CALLBACK self_test_events;
 static char *self_test_corrupt_desc = NULL;
 static char *self_test_corrupt_type = NULL;
 static int self_test_log = 1;
+static int quiet = 0;
 
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
     OPT_IN, OPT_OUT, OPT_MODULE,
     OPT_PROV_NAME, OPT_SECTION_NAME, OPT_MAC_NAME, OPT_MACOPT, OPT_VERIFY,
-    OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE
+    OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET
 } OPTION_CHOICE;
 
 const OPTIONS fipsinstall_options[] = {
@@ -60,6 +61,7 @@ const OPTIONS fipsinstall_options[] = {
     {"noout", OPT_NO_LOG, '-', "Disable logging of self test events"},
     {"corrupt_desc", OPT_CORRUPT_DESC, 's', "Corrupt a self test by description"},
     {"corrupt_type", OPT_CORRUPT_TYPE, 's', "Corrupt a self test by type"},
+    {"quiet", OPT_QUIET, '-', "No messages, just exit status"},
     {NULL}
 };
 
@@ -287,7 +289,7 @@ int fipsinstall_main(int argc, char **argv)
         case OPT_ERR:
 opthelp:
             BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
-            goto end;
+            goto cleanup;
         case OPT_HELP:
             opt_help(fipsinstall_options);
             ret = 0;
@@ -298,6 +300,9 @@ opthelp:
         case OPT_OUT:
             out_fname = opt_arg();
             break;
+        case OPT_QUIET:
+            quiet = 1;
+            /* FALLTHROUGH */
         case OPT_NO_LOG:
             self_test_log = 0;
             break;
@@ -405,7 +410,8 @@ opthelp:
         if (!verify_config(in_fname, section_name, module_mac, module_mac_len,
                            install_mac, install_mac_len))
             goto end;
-        BIO_printf(bio_out, "VERIFY PASSED\n");
+        if (!quiet)
+            BIO_printf(bio_out, "VERIFY PASSED\n");
     } else {
 
         conf = generate_config_and_load(prov_name, section_name, module_mac,
@@ -424,16 +430,19 @@ opthelp:
                                        module_mac_len, install_mac,
                                        install_mac_len))
             goto end;
-        BIO_printf(bio_out, "INSTALL PASSED\n");
+        if (!quiet)
+            BIO_printf(bio_out, "INSTALL PASSED\n");
     }
 
     ret = 0;
 end:
     if (ret == 1) {
-        BIO_printf(bio_err, "%s FAILED\n", verify ? "VERIFY" : "INSTALL");
+        if (!quiet)
+            BIO_printf(bio_err, "%s FAILED\n", verify ? "VERIFY" : "INSTALL");
         ERR_print_errors(bio_err);
     }
 
+cleanup:
     BIO_free(fout);
     BIO_free(mem_bio);
     BIO_free(module_bio);
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in
index 698ee3e35e..74b23341e3 100644
--- a/doc/man1/openssl-fipsinstall.pod.in
+++ b/doc/man1/openssl-fipsinstall.pod.in
@@ -18,6 +18,7 @@ B<openssl fipsinstall>
 [B<-mac_name> I<macname>]
 [B<-macopt> I<nm>:I<v>]
 [B<-noout>]
+[B<-quiet>]
 [B<-corrupt_desc> I<selftest_description>]
 [B<-corrupt_type> I<selftest_type>]
 
@@ -114,9 +115,12 @@ C<openssl list -digest-commands>.
 
 Disable logging of the self tests.
 
-=item B<-corrupt_desc> I<selftest_description>
+=item B<-quiet>
 
-=item B<-corrupt_type> I<selftest_type>
+Do not output pass/fail messages. Implies B<-noout>.
+
+=item B<-corrupt_desc> I<selftest_description>,
+B<-corrupt_type> I<selftest_type>
 
 The corrupt options can be used to test failure of one or more self test(s) by
 name.
diff --git a/test/default-and-fips.cnf b/test/default-and-fips.cnf
index 03f5a83183..7a4d765591 100644
--- a/test/default-and-fips.cnf
+++ b/test/default-and-fips.cnf
@@ -1,6 +1,6 @@
 openssl_conf = openssl_init
 
-.include fipsinstall.cnf
+.include fipsmodule.cnf
 
 [openssl_init]
 providers = provider_sect
diff --git a/test/fips.cnf b/test/fips.cnf
index 32c18be671..d6c3c6be14 100644
--- a/test/fips.cnf
+++ b/test/fips.cnf
@@ -1,6 +1,6 @@
 openssl_conf = openssl_init
 
-.include fipsinstall.cnf
+.include fipsmodule.cnf
 
 [openssl_init]
 providers = provider_sect
diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t
index 217cbd5e2a..88eb41e1c1 100644
--- a/test/recipes/30-test_evp.t
+++ b/test/recipes/30-test_evp.t
@@ -84,7 +84,7 @@ unless ($no_fips) {
     $ENV{OPENSSL_CONF_INCLUDE} = bldtop_dir("providers");
 
     ok(run(app(['openssl', 'fipsinstall',
-                '-out', bldtop_file('providers', 'fipsinstall.cnf'),
+                '-out', bldtop_file('providers', 'fipsmodule.cnf'),
                 '-module', $infile,
                 '-provider_name', 'fips', '-mac_name', 'HMAC',
                 '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
diff --git a/test/recipes/30-test_evp_fetch_prov.t b/test/recipes/30-test_evp_fetch_prov.t
index 6c9bfe221c..be06716b44 100644
--- a/test/recipes/30-test_evp_fetch_prov.t
+++ b/test/recipes/30-test_evp_fetch_prov.t
@@ -48,7 +48,7 @@ my @testdata = (
 unless ($no_fips) {
     push @setups, {
         cmd     => app(['openssl', 'fipsinstall',
-                        '-out', bldtop_file('providers', 'fipsinstall.cnf'),
+                        '-out', bldtop_file('providers', 'fipsmodule.cnf'),
                         '-module', bldtop_file('providers', platform->dso('fips')),
                         '-provider_name', 'fips', '-mac_name', 'HMAC',
                         '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index fc0c376c1f..8a26119f86 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -119,7 +119,7 @@ my %skip = (
 
 unless ($no_fips) {
     ok(run(app(['openssl', 'fipsinstall',
-                '-out', bldtop_file('providers', 'fipsinstall.cnf'),
+                '-out', bldtop_file('providers', 'fipsmodule.cnf'),
                 '-module', bldtop_file('providers', platform->dso('fips')),
                 '-provider_name', 'fips', '-mac_name', 'HMAC',
                 '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 345ec0fa67..42963c364a 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -94,7 +94,7 @@ plan tests =>
 
 unless ($no_fips) {
     ok(run(app(['openssl', 'fipsinstall',
-                '-out', bldtop_file('providers', 'fipsinstall.cnf'),
+                '-out', bldtop_file('providers', 'fipsmodule.cnf'),
                 '-module', bldtop_file('providers', platform->dso('fips')),
                 '-provider_name', 'fips', '-mac_name', 'HMAC',
                 '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t
index feca1c2e20..b89b783805 100644
--- a/test/recipes/90-test_sslapi.t
+++ b/test/recipes/90-test_sslapi.t
@@ -41,7 +41,7 @@ ok(run(test(["sslapitest", srctop_dir("test", "certs"),
 
 unless ($no_fips) {
     ok(run(app(['openssl', 'fipsinstall',
-                '-out', bldtop_file('providers', 'fipsinstall.cnf'),
+                '-out', bldtop_file('providers', 'fipsmodule.cnf'),
                 '-module', bldtop_file('providers', platform->dso('fips')),
                 '-provider_name', 'fips', '-mac_name', 'HMAC',
                 '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
diff --git a/test/recipes/90-test_sslprovider.t b/test/recipes/90-test_sslprovider.t
index 7af6c962ad..793756bc6d 100644
--- a/test/recipes/90-test_sslprovider.t
+++ b/test/recipes/90-test_sslprovider.t
@@ -31,7 +31,7 @@ SKIP: {
         if disabled("fips");
 
     ok(run(app(['openssl', 'fipsinstall',
-                '-out', bldtop_file('providers', 'fipsinstall.cnf'),
+                '-out', bldtop_file('providers', 'fipsmodule.cnf'),
                 '-module', bldtop_file('providers', platform->dso('fips')),
                 '-provider_name', 'fips', '-mac_name', 'HMAC',
                 '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',


More information about the openssl-commits mailing list