More FIPS tests

scripts/test-sanity.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+# This script provides simple sanity checks to make sure the provider is working
+
+SET_PRE=$( set )
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+LOG_FILE=${SCRIPT_DIR}/test-sanity.log
+rm -f ${LOG_FILE}
+source ${SCRIPT_DIR}/utils-wolfprovider.sh
+
+echo "Using openssl: $OPENSSL_TAG, wolfssl: $WOLFSSL_TAG"
+
+function doTestCmd() {
+    CMD=$*
+    echo ">>>>>> Running $CMD"
+    eval $CMD
+    RET=$?
+    if [ $RET -ne 0 ]; then
+        echo "Failed $CMD: $RET"
+        exit 1
+    fi
+    echo "<<<<<<"
+}
+
+function runSpotCheck() {
+    doTestCmd init_wolfprov
+
+    SET_POST=$( set )
+    echo "New variables set:"
+    diff <(echo "$SET_PRE") <(echo "$SET_POST") | grep "="
+
+    doTestCmd "${OPENSSL_INSTALL_DIR}/bin/openssl list -providers --verbose | grep 'Providers:' -A 10"
+
+    if [ $(${OPENSSL_INSTALL_DIR}/bin/openssl list -providers --verbose | grep libwolfprov | wc -l) = 0 ]; then
+        echo "Not using wolfProvider for some reason"
+        exit 2
+    fi
+
+    if [ $(${OPENSSL_INSTALL_DIR}/bin/openssl list -providers --verbose | grep OpenSSL | wc -l) -ne 0 ]; then
+        echo "OpenSSL provider is also enabled"
+        exit 2
+    fi
+
+    doTestCmd "${OPENSSL_INSTALL_DIR}/bin/openssl s_client -CApath /etc/ssl/certs -connect github.com:443 </dev/null"
+    doTestCmd "curl https://github.com/wolfSSL/wolfProvider -o test.html"
+
+    doTestCmd "${OPENSSL_INSTALL_DIR}/bin/openssl s_client -CApath /etc/ssl/certs -connect tls.support:443 </dev/null"
+    doTestCmd "curl https://tls.support -vv --tlsv1.3 --tls-max 1.3 -o test.html"
+}
+
+runSpotCheck
+
+exit $?

scripts/utils-wolfssl.sh

@@ -80,9 +80,11 @@ install_wolfssl() {
         CONF_ARGS="-prefix=${WOLFSSL_INSTALL_DIR}"
 
         if [ "$WOLFPROV_DEBUG" = "1" ]; then
-            CONF_ARGS+=" --enable-debug"
+            CONF_ARGS+=" --enable-debug --enable-debug-trace-errcodes=backtrace --enable-keylog-export"
+            WOLFSSL_CONFIG_CFLAGS+=" -DWOLFSSL_LOGGINGENABLED_DEFAULT=1"
         fi
         if [ "$WOLFSSL_ISFIPS" = "1" ]; then
+            printf "with FIPS ... "
             CONF_ARGS+=" --enable-fips=ready"
             if [ ! -e "XXX-fips-test" ]; then
                 ./fips-check.sh keep nomakecheck fips-ready >>$LOG_FILE 2>&1

src/wp_aes_aead.c

@@ -603,6 +603,7 @@ static int wp_aead_set_param_tls1_iv_rand(wp_AeadCtx* ctx,
 #else
     (void)ctx;
     (void)params;
+    WOLFPROV_LEAVE(WP_LOG_CIPHER, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
     return 1;
 #endif
 }

src/wp_aes_stream.c

@@ -450,6 +450,7 @@ static int wp_aes_stream_final(wp_AesStreamCtx* ctx, unsigned char *out,
     (void)out;
     (void)outSize;
     *outLen = 0;
+    WOLFPROV_LEAVE(WP_LOG_CIPHER, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
     return 1;
 }
 

src/wp_dh_kmgmt.c

@@ -276,6 +276,7 @@ int wp_dh_up_ref(wp_Dh* dh)
     return ok;
 #else
     dh->refCnt++;
+    WOLFPROV_LEAVE(WP_LOG_KE, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
     return 1;
 #endif
 }

src/wp_drbg.c

@@ -166,6 +166,7 @@ static int wp_drbg_uninstantiate(wp_DrbgCtx* ctx)
     OPENSSL_clear_free(ctx->rng, sizeof(*ctx->rng));
 #endif
     ctx->rng = NULL;
+    WOLFPROV_LEAVE(WP_LOG_RNG, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
     return 1;
 }
 
@@ -331,6 +332,7 @@ static int wp_drbg_unlock(wp_DrbgCtx* ctx)
        wc_UnLockMutex(ctx->mutex);
     }
 #endif
+    WOLFPROV_LEAVE(WP_LOG_RNG, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
     return 1;
 }
 
@@ -419,6 +421,7 @@ static int wp_drbg_set_ctx_params(wp_DrbgCtx* ctx, const OSSL_PARAM params[])
 {
     (void)ctx;
     (void)params;
+    WOLFPROV_LEAVE(WP_LOG_RNG, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
     return 1;
 }
 
@@ -431,6 +434,7 @@ static int wp_drbg_set_ctx_params(wp_DrbgCtx* ctx, const OSSL_PARAM params[])
 static int wp_drbg_verify_zeroization(wp_DrbgCtx* ctx)
 {
     (void)ctx;
+    WOLFPROV_LEAVE(WP_LOG_RNG, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
     return 1;
 }
 

src/wp_ecc_kmgmt.c

@@ -256,6 +256,7 @@ int wp_ecc_up_ref(wp_Ecc* ecc)
     return ok;
 #else
     ecc->refCnt++;
+    WOLFPROV_LEAVE(WP_LOG_PK, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
     return 1;
 #endif
 }
@@ -800,6 +801,14 @@ static int wp_ecc_get_params(wp_Ecc* ecc, OSSL_PARAM params[])
         }
     }
 
+    if (ok) {
+        /* Always assume not decoded from explicit params for now */
+        p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS);
+        if ((p != NULL) && !OSSL_PARAM_set_int(p, 0)) {
+            ok = 0;
+        }
+    }
+
     WOLFPROV_LEAVE(WP_LOG_PK, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok);
     return ok;
 }
@@ -1869,11 +1878,13 @@ static int wp_ecc_decode_params(wp_Ecc* ecc, unsigned char* data, word32 len)
         ok = 0;
     }
     if (ok && (data[0] != 0x06)) {
+        WOLFPROV_MSG(WP_LOG_PK, "Invalid data");
         ok = 0;
     }
     if (ok) {
         oidLen = data[1];
         if ((oidLen >= 0x80) || (oidLen + 2 > len)) {
+            WOLFPROV_MSG(WP_LOG_PK, "OID out of bounds");
             ok = 0;
         }
     }
@@ -1884,17 +1895,20 @@ static int wp_ecc_decode_params(wp_Ecc* ecc, unsigned char* data, word32 len)
         ecc->curveId = wp_ecc_get_curve_id_from_oid(data + 2, oidLen);
     #endif
         if (ecc->curveId == ECC_CURVE_INVALID) {
+            WOLFPROV_MSG(WP_LOG_PK, "Invalid curve");
             ok = 0;
         }
     }
 
     if (ok) {
         rc = wc_ecc_set_curve(&ecc->key, 0, ecc->curveId);
         if (rc != 0) {
+            WOLFPROV_MSG(WP_LOG_PK, "Can't set curve: %d",rc);
             ok = 0;
         }
     }
     if (ok && (!wp_ecc_set_bits(ecc))) {
+        WOLFPROV_MSG(WP_LOG_PK, "Can't set bits");
         ok = 0;
     }
 
@@ -2108,6 +2122,7 @@ static int wp_ecc_encode_params_size(const wp_Ecc *ecc, size_t* keyLen)
     /* ASN.1 type, len and data. */
     *keyLen = ecc->key.dp->oidSz + 2;
 
+    WOLFPROV_LEAVE(WP_LOG_PK, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
     return 1;
 }
 
@@ -2130,6 +2145,7 @@ static int wp_ecc_encode_params(const wp_Ecc *ecc, unsigned char* keyData,
 
     *keyLen = ecc->key.dp->oidSz + 2;
 
+    WOLFPROV_LEAVE(WP_LOG_PK, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
     return 1;
 }
 

src/wp_ecx_kmgmt.c

@@ -224,6 +224,7 @@ int wp_ecx_up_ref(wp_Ecx* ecx)
     return ok;
 #else
     ecx->refCnt++;
+    WOLFPROV_LEAVE(WP_LOG_PK, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
     return 1;
 #endif
 }

src/wp_file_store.c

@@ -480,6 +480,7 @@ static int wp_file_eof(wp_FileCtx* ctx)
 static int wp_file_close(wp_FileCtx* ctx)
 {
     wp_filectx_free(ctx);
+    WOLFPROV_LEAVE(WP_LOG_PROVIDER, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
     return 1;
 }
 

src/wp_kdf_kmgmt.c

@@ -71,6 +71,7 @@ int wp_kdf_up_ref(wp_Kdf* kdf)
     return ok;
 #else
     kdf->refCnt++;
+    WOLFPROV_LEAVE(WP_LOG_KDF, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
     return 1;
 #endif
 }
@@ -151,6 +152,7 @@ static int wp_kdf_has(const wp_Kdf* kdf, int selection)
 {
     (void)kdf;
     (void)selection;
+    WOLFPROV_LEAVE(WP_LOG_KDF, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
     return 1;
 }
 

src/wp_mac_kmgmt.c

@@ -108,6 +108,7 @@ int wp_mac_up_ref(wp_Mac* mac)
     return ok;
 #else
     mac->refCnt++;
+    WOLFPROV_LEAVE(WP_LOG_MAC, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
     return 1;
 #endif
 }
@@ -435,6 +436,7 @@ static int wp_mac_export_priv_key(wp_Mac* mac, OSSL_PARAM* params, int* pIdx,
     }
 
     *pIdx = i;
+    WOLFPROV_LEAVE(WP_LOG_MAC, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
     return 1;
 }
 

src/wp_rsa_kmgmt.c

@@ -199,6 +199,7 @@ int wp_rsa_up_ref(wp_Rsa* rsa)
     return ok;
 #else
     rsa->refCnt++;
+    WOLFPROV_LEAVE(WP_LOG_PK, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
     return 1;
 #endif
 }
@@ -468,6 +469,7 @@ static int wp_rsa_pss_params_set_pss_defaults(wp_RsaPssParams* pss)
     pss->saltLen = 20;
     pss->derTrailer = 1; /* Default: RFC8017 A.2.3 */
 
+    WOLFPROV_LEAVE(WP_LOG_PK, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
     return 1;
 }
 
@@ -1085,6 +1087,7 @@ static int wp_rsa_pss_params_export(wp_RsaPssParams* pss, OSSL_PARAM* params,
         &pss->saltLen);
 
     *idx = i;
+    WOLFPROV_LEAVE(WP_LOG_PK, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
     return 1;
 }
 

src/wp_wolfprov.c

@@ -33,6 +33,8 @@
 #include "wolfprovider/wp_wolfprov.h"
 #include "wolfprovider/alg_funcs.h"
 
+#include "wolfssl/wolfcrypt/logging.h"
+
 const char* wolfprovider_id = "libwolfprov";
 
 /* Core function that gets the table of parameters. */
@@ -73,6 +75,7 @@ static const OSSL_PARAM* wolfprov_gettable_params(void* provCtx)
 int wolfssl_prov_is_running(void)
 {
     /* Always running. */
+    WOLFPROV_LEAVE(WP_LOG_PROVIDER, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
     return 1;
 }
 
@@ -172,6 +175,7 @@ static int bio_core_new(BIO *bio)
 {
     BIO_set_init(bio, 1);
 
+    WOLFPROV_LEAVE(WP_LOG_PROVIDER, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
     return 1;
 }
 
@@ -180,6 +184,7 @@ static int bio_core_free(BIO *bio)
     BIO_set_init(bio, 0);
     wolfssl_prov_bio_free(BIO_get_data(bio));
 
+    WOLFPROV_LEAVE(WP_LOG_PROVIDER, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
     return 1;
 }
 
@@ -909,6 +914,7 @@ static int wp_dummy_decode(WOLFPROV_CTX* ctx, OSSL_CORE_BIO* cBio,
     (void)pwCb;
     (void)pwCbArg;
 
+    WOLFPROV_LEAVE(WP_LOG_PROVIDER, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
     return 1;
 }
 /**
@@ -1133,6 +1139,11 @@ int wolfssl_provider_init(const OSSL_CORE_HANDLE* handle,
     int ok = 1;
     OSSL_FUNC_core_get_libctx_fn* c_get_libctx = NULL;
 
+#ifdef WOLFPROV_DEBUG
+    ok = (wolfProv_Debugging_ON() == 0) && (wolfSSL_Debugging_ON() == 0);
+    wolfSSL_SetLoggingPrefix("wolfSSL");
+#endif
+
     for (; in->function_id != 0; in++) {
         switch (in->function_id) {
             case OSSL_FUNC_CORE_GETTABLE_PARAMS: