diff options
-rw-r--r-- | crypto/fipsmodule/bcm.c | 5 | ||||
-rw-r--r-- | include/openssl/crypto.h | 3 | ||||
-rw-r--r-- | util/fipstools/inject_hash/inject_hash.go | 3 | ||||
-rw-r--r-- | util/fipstools/test_fips.c | 9 |
4 files changed, 19 insertions, 1 deletions
diff --git a/crypto/fipsmodule/bcm.c b/crypto/fipsmodule/bcm.c index 9d9227d..4b9b64f 100644 --- a/crypto/fipsmodule/bcm.c +++ b/crypto/fipsmodule/bcm.c @@ -263,6 +263,11 @@ int BORINGSSL_integrity_test(void) { OPENSSL_cleanse(result, sizeof(result)); // FIPS 140-3, AS05.10. return 1; } + +const uint8_t* FIPS_module_hash(void) { + return BORINGSSL_bcm_text_hash; +} + #endif // OPENSSL_ASAN void BORINGSSL_FIPS_abort(void) { diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h index c5c21bb..2981e68 100644 --- a/include/openssl/crypto.h +++ b/include/openssl/crypto.h @@ -178,6 +178,9 @@ OPENSSL_EXPORT int FIPS_mode_set(int on); // FIPS_module_name returns the name of the FIPS module. OPENSSL_EXPORT const char *FIPS_module_name(void); +// FIPS_module_hash returns the 32-byte hash of the FIPS module. +OPENSSL_EXPORT const uint8_t* FIPS_module_hash(void); + // FIPS_version returns the version of the FIPS module, or zero if the build // isn't exactly at a verified version. The version, expressed in base 10, will // be a date in the form yyyymmddXX where XX is often "00", but can be diff --git a/util/fipstools/inject_hash/inject_hash.go b/util/fipstools/inject_hash/inject_hash.go index 9c30836..ffae5e9 100644 --- a/util/fipstools/inject_hash/inject_hash.go +++ b/util/fipstools/inject_hash/inject_hash.go @@ -242,6 +242,9 @@ func do(outPath, oInput string, arInput string) error { return errors.New("found two occurrences of uninitialised hash value in object file") } + if _, exists := os.LookupEnv("BORINGSSL_FIPS_SHOW_HASH"); exists { + fmt.Printf("Module hash: %x\n", calculated) + } copy(objectBytes[offset:], calculated) return os.WriteFile(outPath, objectBytes, perm&0777) diff --git a/util/fipstools/test_fips.c b/util/fipstools/test_fips.c index bd0ec46..af01bfc 100644 --- a/util/fipstools/test_fips.c +++ b/util/fipstools/test_fips.c @@ -55,9 +55,16 @@ int main(int argc, char **argv) { printf("No module version set\n"); goto err; } - printf("Module: '%s', version: %" PRIu32 "\n", FIPS_module_name(), + printf("Module: '%s', version: %" PRIu32 " hash:\n", FIPS_module_name(), module_version); +#if !defined(OPENSSL_ASAN) + hexdump(FIPS_module_hash(), SHA256_DIGEST_LENGTH); +#else + printf("(not available when compiled for ASAN)"); +#endif + printf("\n"); + static const uint8_t kAESKey[16] = "BoringCrypto Key"; static const uint8_t kPlaintext[64] = "BoringCryptoModule FIPS KAT Encryption and Decryption Plaintext!"; |