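#! /usr/bin/env perl
# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# Emit the FIPS provider configuration section on STDOUT.
#
# The module file named by --module is read in full, its HMAC-SHA256 under
# the key given by --key is computed, and the colon-separated upper-case hex
# MAC is written out as "module-mac" together with the module options below.
#
# Options:
#   --key=HEX             HMAC key as a hex string (required, even length)
#   --module=PATH         path to the FIPS provider module (required)
#   --section_name=NAME   name of the emitted section (default: fips_sect)

use strict;
use warnings;

use Getopt::Long;
use Digest::SHA qw(hmac_sha256_hex);

# Module options for pedantic FIPS mode
# self_test_onload happens if install_mac isn't included, don't add it below
my $conditional_errors = 1;
my $security_checks = 1;
my $ems_check = 1;
my $no_short_mac = 1;
my $drbg_no_trunc_dgst = 1;
my $digest_check = 1;
my $dsa_sign_disabled = 1;
my $tdes_encrypt_disabled = 1;
my $pkcs15_pad_disable = 1;
my $rsa_pss_saltlen_check = 1;
my $rsa_sign_x931_pad_disabled = 1;
my $kdf_key_check = 1;
my $pbkdf2_lower_bound_check = 1;
my $ec_cofactor_check = 1;
my $mac_key_check = 1;

my $activate = 1;
my $version = 1;
my $mac_key;
my $module_name;
my $section_name = "fips_sect";

GetOptions("key=s"              => \$mac_key,
           "module=s"           => \$module_name,
           "section_name=s"     => \$section_name)
    or die "Error when getting command line arguments";

# Both inputs come from the command line; fail loudly on anything that would
# otherwise produce a wrong MAC without any visible error.
die "--key is required" unless defined $mac_key;
# pack('H*') silently treats non-hex characters as zero nibbles and zero-fills
# an odd trailing nibble, so a malformed key would yield a MAC under a key
# nobody intended.  Insist on a whole number of hex bytes.
die "--key must be a non-empty, even-length hex string"
    unless $mac_key =~ m/\A(?:[0-9A-Fa-f]{2})+\z/;
die "--module is required" unless defined $module_name;

# Slurp the whole module in binary mode; relying on stat() for the size and a
# single read() would silently MAC a truncated buffer on a short read.
open my $fh, '<:raw', $module_name
    or die "Trying to open $module_name: $!";
my $data = do { local $/; <$fh> };
die "Trying to read $module_name: $!" unless defined $data;
close $fh or die "Trying to close $module_name: $!";
die "Trying to read $module_name: file is empty" unless length $data;

# Calculate HMAC-SHA256 in hex, and split it into a list of two character
# chunks, and join the chunks with colons.
my $mac_hex = uc hmac_sha256_hex($data, pack('H*', $mac_key));
my $module_mac = join(':', $mac_hex =~ m/../g);

print <<_____;
[$section_name]
activate = $activate
install-version = $version
conditional-errors = $conditional_errors
security-checks = $security_checks
module-mac = $module_mac
tls1-prf-ems-check = $ems_check
no-short-mac = $no_short_mac
drbg-no-trunc-md = $drbg_no_trunc_dgst
signature-digest-check = $digest_check
dsa-sign-disabled = $dsa_sign_disabled
hkdf-digest-check = $digest_check
tls13-kdf-digest-check = $digest_check
tls1-prf-digest-check = $digest_check
sshkdf-digest-check = $digest_check
sskdf-digest-check = $digest_check
x963kdf-digest-check = $digest_check
tdes-encrypt-disabled = $tdes_encrypt_disabled
rsa-pkcs15-pad-disabled = $pkcs15_pad_disable
rsa-pss-saltlen-check = $rsa_pss_saltlen_check
rsa-sign-x931-pad-disabled = $rsa_sign_x931_pad_disabled
hkdf-key-check = $kdf_key_check
kbkdf-key-check = $kdf_key_check
tls13-kdf-key-check = $kdf_key_check
tls1-prf-key-check = $kdf_key_check
sshkdf-key-check = $kdf_key_check
sskdf-key-check = $kdf_key_check
x963kdf-key-check = $kdf_key_check
x942kdf-key-check = $kdf_key_check
pbkdf2-lower-bound-check = $pbkdf2_lower_bound_check
ecdh-cofactor-check = $ec_cofactor_check
hmac-key-check = $mac_key_check
kmac-key-check = $mac_key_check
_____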