Test sysgenid permissions

aws · Jun 19, 2024 · e34505c · e34505c
1 parent aac575a
commit e34505c
Show file tree

Hide file tree

Showing 9 changed files with 39 additions and 17 deletions.
diff --git a/crypto/fipsmodule/rand/rand.c b/crypto/fipsmodule/rand/rand.c
@@ -553,7 +553,8 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
   }
 
   OPENSSL_cleanse(additional_data, 32);
-
+#if !defined(AWSLC_SNAPSAFE_TESTING)
+  // SysGenId tests might be running parallel to this, causing changes to sgn.
   if (1 == CRYPTO_get_snapsafe_generation(&snapsafe_generation)) {
     if (snapsafe_generation != state->snapsafe_generation) {
       // Unexpected change to snapsafe generation.
@@ -565,6 +566,8 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
       abort();
     }
   }
+#endif
+
 #if defined(BORINGSSL_FIPS)
   CRYPTO_STATIC_MUTEX_unlock_read(state_clear_all_lock_bss_get());
 #endif

diff --git a/crypto/fipsmodule/rand/snapsafe_detect.c b/crypto/fipsmodule/rand/snapsafe_detect.c
@@ -140,8 +140,7 @@ const char* CRYPTO_get_sysgenid_path(void) {
 
 #if defined(AWSLC_SNAPSAFE_TESTING)
 int HAZMAT_init_sysgenid_file(void) {
-  const char* sgc_file_path = AWSLC_SYSGENID_PATH;
-  int fd_sgn = open(sgc_file_path, O_CREAT | O_RDWR | O_APPEND, S_IRUSR | S_IWUSR);
+  int fd_sgn = open(CRYPTO_get_sysgenid_path(), O_CREAT | O_RDWR, S_IRWXU | S_IRGRP | S_IROTH);
   if (fd_sgn == -1) {
     return 0;
   }
@@ -162,7 +161,7 @@ int HAZMAT_init_sysgenid_file(void) {
     close(fd_sgn);
     return 0;
   }
-  memset(buffer, 0, my_pgsize);
+  OPENSSL_cleanse(buffer, my_pgsize);
   if(0 >= write(fd_sgn, &buffer, my_pgsize)) {
     close(fd_sgn);
     free(buffer);

diff --git a/crypto/fipsmodule/rand/snapsafe_detect_test.cc b/crypto/fipsmodule/rand/snapsafe_detect_test.cc
@@ -24,8 +24,8 @@ static int init_sgn_file(void** addr, size_t* pgsize) {
   *addr = nullptr;
   *pgsize = 0;
 
-  const char *sgc_file_path = AWSLC_SYSGENID_PATH;
-  const int fd_sgn = open(sgc_file_path, O_CREAT | O_RDWR | O_APPEND, S_IRUSR | S_IWUSR);
+  // This file should've been created during test initialization
+  const int fd_sgn = open(CRYPTO_get_sysgenid_path(), O_RDWR | O_APPEND);
   if (fd_sgn == -1) {
     return 0;
   }
@@ -59,7 +59,6 @@ static int init_sgn_file(void** addr, size_t* pgsize) {
   return 1;
 }
 
-
 static int init_sgn_test(sgn_test_s* sgn_test);
 static int init_sgn_test(sgn_test_s* sgn_test) {
   return init_sgn_file(&sgn_test->addr, &sgn_test->pgsize);
@@ -78,17 +77,15 @@ TEST(SnapsafeGenerationTest, SysGenIDretrievalTesting) {
   sgn_test_s sgn_test;
   ASSERT_TRUE(init_sgn_test(&sgn_test));
 
-  if(1 != set_sgn(&sgn_test, 0)) {
-    FAIL();
-  }
+  ASSERT_TRUE(set_sgn(&sgn_test, 0));
 
   EXPECT_EQ(1, CRYPTO_get_snapsafe_supported());
   EXPECT_EQ(1, CRYPTO_get_snapsafe_active());
 
   uint32_t current_snapsafe_gen_num = 0;
   ASSERT_TRUE(set_sgn(&sgn_test, 7));
   ASSERT_TRUE(CRYPTO_get_snapsafe_generation(&current_snapsafe_gen_num));
-  ASSERT_EQ((unsigned int)7, current_snapsafe_gen_num);
+  ASSERT_EQ((uint32_t) 7, current_snapsafe_gen_num);
 
   uint32_t test_sysgenid_values[NUMBER_OF_TEST_VALUES] = {
     0x03, // 2^0 + 2
@@ -110,14 +107,14 @@ TEST(SnapsafeGenerationTest, SysGenIDretrievalTesting) {
 TEST(SnapsafeGenerationTest, SysGenIDretrievalLinux) {
   uint32_t current_snapsafe_gen_num = 0xffffffff;
   ASSERT_TRUE(CRYPTO_get_snapsafe_generation(&current_snapsafe_gen_num));
-  if(CRYPTO_get_snapsafe_supported()) {
+  if (CRYPTO_get_snapsafe_supported()) {
     ASSERT_TRUE(CRYPTO_get_snapsafe_active());
     // If we're on a system where the SysGenId is available, we won't
     // know what sgn value to expect, but we assume it's not 0xffffffff
     ASSERT_NE(0xffffffff, current_snapsafe_gen_num);
   } else {
     ASSERT_FALSE(CRYPTO_get_snapsafe_active());
-    ASSERT_EQ((unsigned int)0, current_snapsafe_gen_num);
+    ASSERT_EQ((uint32_t) 0, current_snapsafe_gen_num);
   }
 }
 #else
@@ -126,6 +123,6 @@ TEST(SnapsafeGenerationTest, SysGenIDretrievalNonLinux) {
   ASSERT_FALSE(CRYPTO_get_snapsafe_active());
   uint32_t current_snapsafe_gen_num = 0xffffffff;
   ASSERT_TRUE(CRYPTO_get_snapsafe_generation(&current_snapsafe_gen_num));
-  ASSERT_EQ((unsigned int)0, current_snapsafe_gen_num);
+  ASSERT_EQ((uint32_t) 0, current_snapsafe_gen_num);
 }
 #endif // defined(OPENSSL_LINUX)
diff --git a/crypto/test/gtest_main.cc b/crypto/test/gtest_main.cc
@@ -25,15 +25,14 @@
 
 
 int main(int argc, char **argv) {
-  testing::InitGoogleTest(&argc, argv);
-  bssl::SetupGoogleTest();
-
 #if defined(AWSLC_SNAPSAFE_TESTING)
   if (1 != HAZMAT_init_sysgenid_file()) {
     abort();
   }
 #endif
 
+  testing::InitGoogleTest(&argc, argv);
+  bssl::SetupGoogleTest();
   bool unwind_tests = true;
   for (int i = 1; i < argc; i++) {
 #if !defined(OPENSSL_WINDOWS)

diff --git a/ssl/test/bssl_shim.cc b/ssl/test/bssl_shim.cc
@@ -1418,6 +1418,12 @@ class StderrDelimiter {
 };
 
 int main(int argc, char **argv) {
+#if defined(AWSLC_SNAPSAFE_TESTING)
+  if (1 != HAZMAT_init_sysgenid_file()) {
+    abort();
+  }
+#endif
+
   // To distinguish ASan's output from ours, add a trailing message to stderr.
   // Anything following this line will be considered an error.
   StderrDelimiter delimiter;

diff --git a/ssl/test/handshaker.cc b/ssl/test/handshaker.cc
@@ -27,6 +27,7 @@
 #include "handshake_util.h"
 #include "test_config.h"
 #include "test_state.h"
+#include "../crypto/internal.h"
 
 using namespace bssl;
 
@@ -227,6 +228,12 @@ int SignalError() {
 }  // namespace
 
 int main(int argc, char **argv) {
+#if defined(AWSLC_SNAPSAFE_TESTING)
+  if (1 != HAZMAT_init_sysgenid_file()) {
+    abort();
+  }
+#endif
+
   TestConfig initial_config, resume_config, retry_config;
   if (!ParseConfig(argc - 1, argv + 1, /*is_shim=*/false, &initial_config,
                    &resume_config, &retry_config)) {

diff --git a/tests/ci/run_fips_tests.sh b/tests/ci/run_fips_tests.sh
@@ -56,6 +56,7 @@ if static_linux_supported || static_openbsd_supported; then
 
   echo "Testing AWS-LC static library in FIPS Debug with SysGenId."
   TEST_SYSGENID_PATH=$(mktemp)
+  dd if=/dev/zero of="${TEST_SYSGENID_PATH}" bs=1 count=4096
   fips_build_and_test -DTEST_SYSGENID_PATH="${TEST_SYSGENID_PATH}"
 fi
 

diff --git a/tests/ci/run_posix_tests.sh b/tests/ci/run_posix_tests.sh
@@ -29,6 +29,7 @@ build_and_test -DBUILD_SHARED_LIBS=1 -DCMAKE_BUILD_TYPE=Release
 
 echo "Testing building with a SysGenId."
 TEST_SYSGENID_PATH=$(mktemp)
+dd if=/dev/zero of="${TEST_SYSGENID_PATH}" bs=1 count=4096
 build_and_test -DTEST_SYSGENID_PATH="${TEST_SYSGENID_PATH}"
 
 if [[ "${AWSLC_C99_TEST}" == "1" ]]; then

diff --git a/util/fipstools/acvp/modulewrapper/main.cc b/util/fipstools/acvp/modulewrapper/main.cc
@@ -28,6 +28,15 @@
 
 
 int main(int argc, char **argv) {
+
+#if defined(AWSLC_SNAPSAFE_TESTING)
+  // When snapsafe testing is enabled, the sysgenid file must be created prior
+  // to running the test.
+  if (1 != HAZMAT_init_sysgenid_file()) {
+    abort();
+  }
+#endif
+
   if (argc == 2 && strcmp(argv[1], "--version") == 0) {
     printf("Built for architecture: ");