Commit | Line | Data |
---|---|---|
ac892b7a DSH |
1 | /* ==================================================================== |
2 | * Copyright (c) 2011 The OpenSSL Project. All rights reserved. | |
3 | * | |
4 | * Redistribution and use in source and binary forms, with or without | |
5 | * modification, are permitted provided that the following conditions | |
6 | * are met: | |
7 | * | |
8 | * 1. Redistributions of source code must retain the above copyright | |
9 | * notice, this list of conditions and the following disclaimer. | |
10 | * | |
11 | * 2. Redistributions in binary form must reproduce the above copyright | |
12 | * notice, this list of conditions and the following disclaimer in | |
13 | * the documentation and/or other materials provided with the | |
14 | * distribution. | |
15 | * | |
16 | * 3. All advertising materials mentioning features or use of this | |
17 | * software must display the following acknowledgment: | |
18 | * "This product includes software developed by the OpenSSL Project | |
19 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
20 | * | |
21 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
22 | * endorse or promote products derived from this software without | |
23 | * prior written permission. For written permission, please contact | |
24 | * openssl-core@openssl.org. | |
25 | * | |
26 | * 5. Products derived from this software may not be called "OpenSSL" | |
27 | * nor may "OpenSSL" appear in their names without prior written | |
28 | * permission of the OpenSSL Project. | |
29 | * | |
30 | * 6. Redistributions of any form whatsoever must retain the following | |
31 | * acknowledgment: | |
32 | * "This product includes software developed by the OpenSSL Project | |
33 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
34 | * | |
35 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
36 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
37 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
38 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
39 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
40 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
41 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
42 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
43 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
44 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
45 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
46 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |
47 | * | |
48 | */ | |
49 | ||
50 | #define OPENSSL_FIPSAPI | |
51 | ||
52 | #include <openssl/crypto.h> | |
53 | #include <openssl/rand.h> | |
54 | #include <openssl/fips_rand.h> | |
55 | #include <openssl/err.h> | |
56 | #include <openssl/bio.h> | |
57 | #include <openssl/hmac.h> | |
58 | #include <openssl/rsa.h> | |
59 | #include <openssl/dsa.h> | |
60 | #include <openssl/ecdsa.h> | |
61 | #include <string.h> | |
62 | #include <limits.h> | |
63 | ||
64 | #ifdef OPENSSL_FIPS | |
65 | ||
66 | /* Power on self test (POST) support functions */ | |
67 | ||
68 | #include <openssl/fips.h> | |
69 | #include "fips_locl.h" | |
70 | ||
/*
 * POST notification callback.
 *
 * When non-NULL, the fips_post_* helpers in this file call it with an
 * operation code (FIPS_POST_BEGIN, FIPS_POST_STARTED, ...), a test id,
 * a sub-id and an opaque pointer. Its return value is acted on by the
 * callers in this file: returning 0 for FIPS_POST_STARTED makes the
 * generic test routines return early with success, and returning 0 for
 * FIPS_POST_CORRUPT makes them induce a failure. Whoever can install
 * this hook therefore controls which self tests actually execute.
 */
int (*fips_post_cb)(int op, int id, int subid, void *ex);

/*
 * Install the POST notification callback, or remove it by passing NULL.
 * The previous value is overwritten; nothing here synchronizes the store.
 */
void FIPS_post_set_callback(int (*post_cb)(int op, int id, int subid, void *ex))
{
    fips_post_cb = post_cb;
}
80 | ||
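/*
 * POST status: the aggregate state of the whole self-test run.
 * fips_post_status() in this file reports any positive value (OK or
 * RUNNING) as success; NOT_STARTED and FAILED are reported as failure.
 */
#define FIPS_POST_STATUS_NOT_STARTED 0
#define FIPS_POST_STATUS_OK          1
#define FIPS_POST_STATUS_RUNNING     2
/* Parenthesized so the negative value stays intact inside larger expressions. */
#define FIPS_POST_STATUS_FAILED      (-1)

/* Starts out as "not started" until fips_post_begin() runs. */
static int post_status = FIPS_POST_STATUS_NOT_STARTED;
/* Set to 1 if any test failed */
static int post_failure = 0;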
89 | ||
/*
 * Start of a complete POST run.
 *
 * Clears the failure flag and resets the status to NOT_STARTED, then
 * notifies the callback (if one is installed) with FIPS_POST_BEGIN.
 *
 * Returns 0 if the callback returned 0, in which case the status stays
 * NOT_STARTED; otherwise sets the status to RUNNING and returns 1.
 */
int fips_post_begin(void)
{
    post_failure = 0;
    post_status = FIPS_POST_STATUS_NOT_STARTED;

    if (fips_post_cb != NULL
        && fips_post_cb(FIPS_POST_BEGIN, 0, 0, NULL) == 0)
        return 0;

    post_status = FIPS_POST_STATUS_RUNNING;
    return 1;
}
102 | ||
/*
 * End of a complete POST run.
 *
 * Records the final status (FAILED if any test set the failure flag,
 * OK otherwise) and then notifies the callback, if one is installed,
 * with FIPS_POST_END. The id argument of that notification is 0 on
 * failure and 1 on success. The callback's return value is ignored.
 */
void fips_post_end(void)
{
    int passed = post_failure ? 0 : 1;

    /* The status is updated before the callback runs, as in both branches
     * of the original code. */
    post_status = passed ? FIPS_POST_STATUS_OK : FIPS_POST_STATUS_FAILED;

    if (fips_post_cb != NULL)
        fips_post_cb(FIPS_POST_END, passed, 0, NULL);
}
118 | ||
/*
 * A self test started.
 *
 * Forwards FIPS_POST_STARTED to the callback and returns its result;
 * returns 1 when no callback is installed. The generic test routines in
 * this file skip the test (and return success) when this returns 0.
 */
int fips_post_started(int id, int subid, void *ex)
{
    return fips_post_cb != NULL
        ? fips_post_cb(FIPS_POST_STARTED, id, subid, ex)
        : 1;
}
/*
 * A self test passed successfully.
 *
 * Forwards FIPS_POST_SUCCESS to the callback and returns its result;
 * returns 1 when no callback is installed.
 */
int fips_post_success(int id, int subid, void *ex)
{
    return fips_post_cb != NULL
        ? fips_post_cb(FIPS_POST_SUCCESS, id, subid, ex)
        : 1;
}
/*
 * A self test failed.
 *
 * Sets the failure flag first, so the run is marked as failed whether or
 * not a callback is installed and whatever the callback returns. Then
 * forwards FIPS_POST_FAIL to the callback and returns its result, or 1
 * when no callback is installed.
 */
int fips_post_failed(int id, int subid, void *ex)
{
    post_failure = 1;

    return fips_post_cb != NULL
        ? fips_post_cb(FIPS_POST_FAIL, id, subid, ex)
        : 1;
}
/*
 * Indicate if a self test failure should be induced.
 *
 * Forwards FIPS_POST_CORRUPT to the callback and returns its result;
 * returns 1 when no callback is installed. The test routines in this
 * file corrupt their data when this returns 0, so the default (no
 * callback) is "do not corrupt".
 */
int fips_post_corrupt(int id, int subid, void *ex)
{
    return fips_post_cb != NULL
        ? fips_post_cb(FIPS_POST_CORRUPT, id, subid, ex)
        : 1;
}
/*
 * Report the overall POST status as a boolean.
 *
 * Returns 1 for any positive status and 0 otherwise. Note that the
 * RUNNING state is positive too: while the self tests are running the
 * status reads as OK so that their own operation is not interrupted.
 * This only happens while the self tests are actually running, so it
 * does not interfere with normal operation.
 */
int fips_post_status(void)
{
    if (post_status > 0)
        return 1;
    return 0;
}
/*
 * Run all self tests.
 *
 * Every test is executed even if an earlier one failed, so each failure
 * is reported individually. Returns 1 only if all of them returned
 * non-zero, 0 otherwise.
 *
 * NOTE(review): the return value of fips_post_begin() is not checked, so
 * the tests still run when the callback returned 0 for FIPS_POST_BEGIN.
 * Confirm this is intended.
 */
int FIPS_selftest(void)
{
    int failed = 0;

    fips_post_begin();

    /* Integrity check of the module itself comes first. */
    failed |= !FIPS_check_incore_fingerprint();

    /* Random number generators. */
    failed |= !FIPS_selftest_drbg();
    failed |= !FIPS_selftest_x931();

    /* Digests and MACs. */
    failed |= !FIPS_selftest_sha1();
    failed |= !FIPS_selftest_hmac();
    failed |= !FIPS_selftest_cmac();

    /* Symmetric ciphers. */
    failed |= !FIPS_selftest_aes();
    failed |= !FIPS_selftest_aes_ccm();
    failed |= !FIPS_selftest_aes_gcm();
    failed |= !FIPS_selftest_aes_xts();
    failed |= !FIPS_selftest_des();

    /* Public key algorithms. */
    failed |= !FIPS_selftest_rsa();
    failed |= !FIPS_selftest_ecdsa();
    failed |= !FIPS_selftest_dsa();

    fips_post_end();

    return failed ? 0 : 1;
}
192 | ||
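/*
 * Generalized public key test routine. Signs and verifies the data
 * supplied in tbs using message digest "digest" and setting RSA padding
 * mode pad_mode. If the 'kat' parameter is not NULL it will additionally
 * check the signature matches it: a known answer test. The string
 * "fail_str" is used for identification purposes in case of failure.
 * If "pkey" is NULL just perform a message digest check.
 *
 * Parameters:
 *   id        test id passed on to the POST callback
 *   pkey      RSA, DSA or EC key, or NULL for a digest-only test
 *   tbs       data to sign; NULL selects a built-in 20 byte string
 *   tbslen    length of tbs; 0 means "use strlen(tbs)", so tbs must then
 *             be NUL-terminated
 *   kat       expected signature/digest, or NULL for no known answer test
 *   katlen    length of kat
 *   digest    message digest; NULL selects SHA-256
 *   pad_mode  RSA padding mode (only used for RSA keys)
 *   fail_str  label added to the error data on failure, may be NULL
 *
 * Returns 0 on failure. On success returns the result of
 * fips_post_success(). If fips_post_started() returns 0 the test is not
 * run at all and 1 is returned.
 *
 * Caveats:
 *   - In digest-only mode with kat == NULL nothing is compared: the test
 *     passes as soon as the digest operations succeed.
 *   - The known answer comparison needs a raw signature buffer, which is
 *     only produced for RSA keys and in digest-only mode. Supplying kat
 *     with a DSA or EC key is treated as a failure instead of reading an
 *     uninitialized length and a NULL buffer.
 */
int fips_pkey_signature_test(int id, EVP_PKEY *pkey,
                             const unsigned char *tbs, size_t tbslen,
                             const unsigned char *kat, size_t katlen,
                             const EVP_MD *digest, int pad_mode,
                             const char *fail_str)
{
    int subid;
    void *ex = NULL;
    int ret = 0;
    unsigned char *sig = NULL;
    /* Initialized so the KAT comparison never reads an indeterminate value. */
    unsigned int siglen = 0;
    __fips_constseg
    static const unsigned char str1[] = "12345678901234567890";
    DSA_SIG *dsig = NULL;
    ECDSA_SIG *esig = NULL;
    EVP_MD_CTX mctx;

    FIPS_md_ctx_init(&mctx);

    if (tbs == NULL)
        tbs = str1;

    /* A zero length means tbs is treated as a NUL-terminated string. */
    if (tbslen == 0)
        tbslen = strlen((const char *)tbs);

    if (digest == NULL)
        digest = EVP_sha256();

    subid = M_EVP_MD_type(digest);

    /* The callback can veto the test; that is reported as success. */
    if (!fips_post_started(id, subid, pkey))
        return 1;

    /* Only the digest-only and RSA paths write into a raw output buffer. */
    if (!pkey || pkey->type == EVP_PKEY_RSA) {
        size_t sigsize;

        if (!pkey)
            sigsize = EVP_MAX_MD_SIZE;
        else
            sigsize = RSA_size(pkey->pkey.rsa);

        sig = OPENSSL_malloc(sigsize);
        if (!sig) {
            FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, ERR_R_MALLOC_FAILURE);
            goto error;
        }
    }

    if (!FIPS_digestinit(&mctx, digest))
        goto error;
    if (!FIPS_digestupdate(&mctx, tbs, tbslen))
        goto error;

    /* Induced failure: hash one extra byte so the signed digest differs
     * from the one recomputed for verification below. */
    if (!fips_post_corrupt(id, subid, pkey)) {
        if (!FIPS_digestupdate(&mctx, tbs, 1))
            goto error;
    }

    if (pkey == NULL) {
        if (!FIPS_digestfinal(&mctx, sig, &siglen))
            goto error;
    } else if (pkey->type == EVP_PKEY_RSA) {
        if (!FIPS_rsa_sign_ctx(pkey->pkey.rsa, &mctx,
                               pad_mode, 0, NULL, sig, &siglen))
            goto error;
    } else if (pkey->type == EVP_PKEY_DSA) {
        dsig = FIPS_dsa_sign_ctx(pkey->pkey.dsa, &mctx);
        if (!dsig)
            goto error;
    } else if (pkey->type == EVP_PKEY_EC) {
        esig = FIPS_ecdsa_sign_ctx(pkey->pkey.ec, &mctx);
        if (!esig)
            goto error;
    }

    /* Known answer test. Fail closed when a KAT was requested but no raw
     * signature buffer exists (DSA/EC keys) rather than touching NULL. */
    if (kat && (sig == NULL || siglen != katlen || memcmp(kat, sig, katlen)))
        goto error;
#if 0
    {
        /* Debug code to print out self test KAT discrepancies */
        unsigned int i;
        fprintf(stderr, "%s=", fail_str);
        for (i = 0; i < siglen; i++)
            fprintf(stderr, "%02X", sig[i]);
        fprintf(stderr, "\n");
        goto error;
    }
#endif
    /* If just digest test we've finished */
    if (pkey == NULL) {
        ret = 1;
        /* Well actually success as we've set ret to 1 */
        goto error;
    }

    /* Recompute the digest over the uncorrupted data and verify. */
    if (!FIPS_digestinit(&mctx, digest))
        goto error;
    if (!FIPS_digestupdate(&mctx, tbs, tbslen))
        goto error;

    if (pkey->type == EVP_PKEY_RSA) {
        ret = FIPS_rsa_verify_ctx(pkey->pkey.rsa, &mctx,
                                  pad_mode, 0, NULL, sig, siglen);
    } else if (pkey->type == EVP_PKEY_DSA) {
        ret = FIPS_dsa_verify_ctx(pkey->pkey.dsa, &mctx, dsig);
    } else if (pkey->type == EVP_PKEY_EC) {
        ret = FIPS_ecdsa_verify_ctx(pkey->pkey.ec, &mctx, esig);
    }
    /* Any other key type leaves ret at 0 and is reported as a failure. */

error:
    if (dsig != NULL)
        FIPS_dsa_sig_free(dsig);
    if (esig != NULL)
        FIPS_ecdsa_sig_free(esig);
    if (sig)
        OPENSSL_free(sig);
    FIPS_md_ctx_cleanup(&mctx);

    /* Only an exact 1 counts as success; 0 and negative results fail. */
    if (ret != 1) {
        FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, FIPS_R_TEST_FAILURE);
        if (fail_str)
            FIPS_add_error_data(2, "Type=", fail_str);
        /* NOTE(review): ex is always NULL here, whereas the started,
         * corrupt and success notifications pass pkey. Confirm whether
         * the failure notification is meant to omit the key. */
        fips_post_failed(id, subid, ex);
        return 0;
    }
    return fips_post_success(id, subid, pkey);
}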
341 | ||
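/*
 * Generalized symmetric cipher test routine. Encrypt data, verify result
 * against known answer, decrypt and compare with original plaintext.
 *
 * Parameters:
 *   id          test id passed on to the POST callback
 *   ctx         cipher context to use for both directions
 *   cipher      cipher under test; its NID is used as the sub-id
 *   key, iv     key and IV handed to FIPS_cipherinit()
 *   plaintext   input data, len bytes
 *   ciphertext  expected encryption of plaintext, len bytes
 *   len         data length; must be within 0..FIPS_MAX_CIPHER_TEST_SIZE
 *
 * Returns 0 on failure. On success returns the result of
 * fips_post_success(). If fips_post_started() returns 0 the test is not
 * run at all and 1 is returned.
 */
int fips_cipher_test(int id, EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
                     const unsigned char *key,
                     const unsigned char *iv,
                     const unsigned char *plaintext,
                     const unsigned char *ciphertext,
                     int len)
{
    unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE];
    unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE];
    int subid = M_EVP_CIPHER_nid(cipher);
    int rv = 0;

    /* len is signed: reject negative values as well, since they would
     * turn into huge sizes when passed to memcmp() below. */
    OPENSSL_assert(len >= 0 && len <= FIPS_MAX_CIPHER_TEST_SIZE);
    memset(pltmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
    memset(citmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);

    /* The callback can veto the test; that is reported as success. */
    if (!fips_post_started(id, subid, NULL))
        return 1;

    /* Encrypt and compare against the known answer. */
    if (FIPS_cipherinit(ctx, cipher, key, iv, 1) <= 0)
        goto error;
    if (!FIPS_cipher(ctx, citmp, plaintext, len))
        goto error;
    if (memcmp(citmp, ciphertext, len))
        goto error;

    /* Induced failure: flip one bit of the ciphertext so the decrypted
     * data no longer matches the plaintext. */
    if (!fips_post_corrupt(id, subid, NULL))
        citmp[0] ^= 0x1;

    /* Decrypt and compare against the original plaintext. The result of
     * the decrypt call is checked the same way as the encrypt call above
     * instead of being ignored. */
    if (FIPS_cipherinit(ctx, cipher, key, iv, 0) <= 0)
        goto error;
    if (!FIPS_cipher(ctx, pltmp, citmp, len))
        goto error;
    if (memcmp(pltmp, plaintext, len))
        goto error;
    rv = 1;

error:
    if (rv == 0) {
        fips_post_failed(id, subid, NULL);
        return 0;
    }
    return fips_post_success(id, subid, NULL);
}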
385 | ||
386 | #endif |