Test sysgenid permissions

justsmth · Jun 19, 2024 · ca3b67d · ca3b67d
1 parent aac575a
commit ca3b67d
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 13 deletions.
diff --git a/crypto/fipsmodule/rand/snapsafe_detect.c b/crypto/fipsmodule/rand/snapsafe_detect.c
@@ -140,8 +140,7 @@ const char* CRYPTO_get_sysgenid_path(void) {
 
 #if defined(AWSLC_SNAPSAFE_TESTING)
 int HAZMAT_init_sysgenid_file(void) {
-  const char* sgc_file_path = AWSLC_SYSGENID_PATH;
-  int fd_sgn = open(sgc_file_path, O_CREAT | O_RDWR | O_APPEND, S_IRUSR | S_IWUSR);
+  int fd_sgn = open(CRYPTO_get_sysgenid_path(), O_CREAT | O_RDWR, S_IRWXU | S_IRGRP | S_IROTH);
   if (fd_sgn == -1) {
     return 0;
   }

diff --git a/crypto/fipsmodule/rand/snapsafe_detect_test.cc b/crypto/fipsmodule/rand/snapsafe_detect_test.cc
@@ -24,8 +24,8 @@ static int init_sgn_file(void** addr, size_t* pgsize) {
   *addr = nullptr;
   *pgsize = 0;
 
-  const char *sgc_file_path = AWSLC_SYSGENID_PATH;
-  const int fd_sgn = open(sgc_file_path, O_CREAT | O_RDWR | O_APPEND, S_IRUSR | S_IWUSR);
+  // This file should've been created during test initialization
+  const int fd_sgn = open(CRYPTO_get_sysgenid_path(), O_RDWR | O_APPEND);
   if (fd_sgn == -1) {
     return 0;
   }
@@ -59,7 +59,6 @@ static int init_sgn_file(void** addr, size_t* pgsize) {
   return 1;
 }
 
-
 static int init_sgn_test(sgn_test_s* sgn_test);
 static int init_sgn_test(sgn_test_s* sgn_test) {
   return init_sgn_file(&sgn_test->addr, &sgn_test->pgsize);
@@ -78,17 +77,15 @@ TEST(SnapsafeGenerationTest, SysGenIDretrievalTesting) {
   sgn_test_s sgn_test;
   ASSERT_TRUE(init_sgn_test(&sgn_test));
 
-  if(1 != set_sgn(&sgn_test, 0)) {
-    FAIL();
-  }
+  ASSERT_TRUE(set_sgn(&sgn_test, 0));
 
   EXPECT_EQ(1, CRYPTO_get_snapsafe_supported());
   EXPECT_EQ(1, CRYPTO_get_snapsafe_active());
 
   uint32_t current_snapsafe_gen_num = 0;
   ASSERT_TRUE(set_sgn(&sgn_test, 7));
   ASSERT_TRUE(CRYPTO_get_snapsafe_generation(&current_snapsafe_gen_num));
-  ASSERT_EQ((unsigned int)7, current_snapsafe_gen_num);
+  ASSERT_EQ((uint32_t) 7, current_snapsafe_gen_num);
 
   uint32_t test_sysgenid_values[NUMBER_OF_TEST_VALUES] = {
     0x03, // 2^0 + 2
@@ -110,14 +107,14 @@ TEST(SnapsafeGenerationTest, SysGenIDretrievalTesting) {
 TEST(SnapsafeGenerationTest, SysGenIDretrievalLinux) {
   uint32_t current_snapsafe_gen_num = 0xffffffff;
   ASSERT_TRUE(CRYPTO_get_snapsafe_generation(&current_snapsafe_gen_num));
-  if(CRYPTO_get_snapsafe_supported()) {
+  if (CRYPTO_get_snapsafe_supported()) {
     ASSERT_TRUE(CRYPTO_get_snapsafe_active());
     // If we're on a system where the SysGenId is available, we won't
     // know what sgn value to expect, but we assume it's not 0xffffffff
     ASSERT_NE(0xffffffff, current_snapsafe_gen_num);
   } else {
     ASSERT_FALSE(CRYPTO_get_snapsafe_active());
-    ASSERT_EQ((unsigned int)0, current_snapsafe_gen_num);
+    ASSERT_EQ((uint32_t) 0, current_snapsafe_gen_num);
   }
 }
 #else
@@ -126,6 +123,6 @@ TEST(SnapsafeGenerationTest, SysGenIDretrievalNonLinux) {
   ASSERT_FALSE(CRYPTO_get_snapsafe_active());
   uint32_t current_snapsafe_gen_num = 0xffffffff;
   ASSERT_TRUE(CRYPTO_get_snapsafe_generation(&current_snapsafe_gen_num));
-  ASSERT_EQ((unsigned int)0, current_snapsafe_gen_num);
+  ASSERT_EQ((uint32_t) 0, current_snapsafe_gen_num);
 }
 #endif // defined(OPENSSL_LINUX)
diff --git a/crypto/rsa_extra/rsa_test.cc b/crypto/rsa_extra/rsa_test.cc
@@ -1660,7 +1660,7 @@ TEST(RSATest, Threads) {
 // also disable on FreeBSD. See https://crbug.com/boringssl/603.
 #if defined(OPENSSL_TSAN) || \
     (defined(OPENSSL_X86_64) && !defined(OPENSSL_FREEBSD))
-TEST(RSATest, DISABLED_BlindingCacheConcurrency) {
+TEST(RSATest, BlindingCacheConcurrency) {
   bssl::UniquePtr<RSA> rsa(
       RSA_private_key_from_bytes(kKey1, sizeof(kKey1) - 1));
   ASSERT_TRUE(rsa);

diff --git a/ssl/test/bssl_shim.cc b/ssl/test/bssl_shim.cc
@@ -1422,6 +1422,12 @@ int main(int argc, char **argv) {
   // Anything following this line will be considered an error.
   StderrDelimiter delimiter;
 
+#if defined(AWSLC_SNAPSAFE_TESTING)
+  if (1 != HAZMAT_init_sysgenid_file()) {
+    abort();
+  }
+#endif
+
 #if defined(OPENSSL_WINDOWS)
   // Initialize Winsock.
   WORD wsa_version = MAKEWORD(2, 2);

diff --git a/ssl/test/handshaker.cc b/ssl/test/handshaker.cc
@@ -27,6 +27,7 @@
 #include "handshake_util.h"
 #include "test_config.h"
 #include "test_state.h"
+#include "../crypto/internal.h"
 
 using namespace bssl;
 
@@ -228,6 +229,12 @@ int SignalError() {
 
 int main(int argc, char **argv) {
   TestConfig initial_config, resume_config, retry_config;
+#if defined(AWSLC_SNAPSAFE_TESTING)
+  if (1 != HAZMAT_init_sysgenid_file()) {
+    abort();
+  }
+#endif
+
   if (!ParseConfig(argc - 1, argv + 1, /*is_shim=*/false, &initial_config,
                    &resume_config, &retry_config)) {
     return SignalError();

diff --git a/util/fipstools/acvp/modulewrapper/main.cc b/util/fipstools/acvp/modulewrapper/main.cc
@@ -28,6 +28,15 @@
 
 
 int main(int argc, char **argv) {
+
+#if defined(AWSLC_SNAPSAFE_TESTING)
+  // When snapsafe testing is enabled, the sysgenid file must be created prior
+  // to running the test.
+  if (1 != HAZMAT_init_sysgenid_file()) {
+    abort();
+  }
+#endif
+
   if (argc == 2 && strcmp(argv[1], "--version") == 0) {
     printf("Built for architecture: ");