]>
Commit | Line | Data |
---|---|---|
7bb82f92 | 1 | /* |
33388b44 | 2 | * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. |
7bb82f92 | 3 | * |
a6ed19dc | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
7bb82f92 SL |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <string.h> | |
11 | #include <openssl/evp.h> | |
12 | #include <openssl/params.h> | |
14a684bf | 13 | #include <openssl/crypto.h> |
31214258 | 14 | #include <openssl/fipskey.h> |
9f7bdcf3 | 15 | #include <openssl/err.h> |
14a684bf | 16 | #include "e_os.h" |
9f7bdcf3 | 17 | #include "prov/providercommonerr.h" |
6cf37302 P |
18 | #include "prov/providercommon.h" |
19 | ||
14a684bf MC |
20 | /* |
21 | * We're cheating here. Normally we don't allow RUN_ONCE usage inside the FIPS | |
22 | * module because all such initialisation should be associated with an | |
23 | * individual OPENSSL_CTX. That doesn't work with the self test though because | |
24 | * it should be run once regardless of the number of OPENSSL_CTXs we have. | |
25 | */ | |
26 | #define ALLOW_RUN_ONCE_IN_FIPS | |
27 | #include <internal/thread_once.h> | |
36fc5fc6 | 28 | #include "self_test.h" |
7bb82f92 SL |
29 | |
30 | #define FIPS_STATE_INIT 0 | |
14a684bf MC |
31 | #define FIPS_STATE_SELFTEST 1 |
32 | #define FIPS_STATE_RUNNING 2 | |
7bb82f92 SL |
33 | #define FIPS_STATE_ERROR 3 |
34 | ||
5736923f P |
35 | /* |
36 | * The number of times the module will report it is in the error state | |
37 | * before going quiet. | |
38 | */ | |
39 | #define FIPS_ERROR_REPORTING_RATE_LIMIT 10 | |
40 | ||
7bb82f92 SL |
41 | /* The size of a temp buffer used to read in data */ |
42 | #define INTEGRITY_BUF_SIZE (4096) | |
43 | #define MAX_MD_SIZE 64 | |
44 | #define MAC_NAME "HMAC" | |
45 | #define DIGEST_NAME "SHA256" | |
46 | ||
35e6ea3b | 47 | static int FIPS_conditional_error_check = 1; |
7bb82f92 | 48 | static int FIPS_state = FIPS_STATE_INIT; |
14a684bf | 49 | static CRYPTO_RWLOCK *self_test_lock = NULL; |
31214258 | 50 | static unsigned char fixed_key[32] = { FIPS_KEY_ELEMENTS }; |
7bb82f92 | 51 | |
14a684bf MC |
52 | static CRYPTO_ONCE fips_self_test_init = CRYPTO_ONCE_STATIC_INIT; |
53 | DEFINE_RUN_ONCE_STATIC(do_fips_self_test_init) | |
54 | { | |
cc38e643 MC |
55 | /* |
56 | * This lock gets freed in platform specific ways that may occur after we | |
57 | * do mem leak checking. If we don't know how to free it for a particular | |
58 | * platform then we just leak it deliberately. So we temporarily disable the | |
59 | * mem leak checking while we allocate this. | |
60 | */ | |
14a684bf | 61 | self_test_lock = CRYPTO_THREAD_lock_new(); |
14a684bf MC |
62 | return self_test_lock != NULL; |
63 | } | |
64 | ||
390b18a7 SL |
65 | #define DEP_DECLARE() \ |
66 | void init(void); \ | |
67 | void cleanup(void); | |
68 | ||
14a684bf MC |
69 | /* |
70 | * This is the Default Entry Point (DEP) code. Every platform must have a DEP. | |
71 | * See FIPS 140-2 IG 9.10 | |
72 | * | |
73 | * If we're run on a platform where we don't know how to define the DEP then | |
74 | * the self-tests will never get triggered (FIPS_state never moves to | |
75 | * FIPS_STATE_SELFTEST). This will be detected as an error when SELF_TEST_post() | |
76 | * is called from OSSL_provider_init(), and so the fips module will be unusable | |
77 | * on those platforms. | |
78 | */ | |
79 | #if defined(_WIN32) || defined(__CYGWIN__) | |
80 | # ifdef __CYGWIN__ | |
81 | /* pick DLL_[PROCESS|THREAD]_[ATTACH|DETACH] definitions */ | |
82 | # include <windows.h> | |
83 | /* | |
84 | * this has side-effect of _WIN32 getting defined, which otherwise is | |
85 | * mutually exclusive with __CYGWIN__... | |
86 | */ | |
87 | # endif | |
88 | ||
390b18a7 SL |
89 | DEP_DECLARE() |
90 | # define DEP_INIT_ATTRIBUTE | |
91 | # define DEP_FINI_ATTRIBUTE | |
14a684bf MC |
92 | BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved); |
93 | BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) | |
94 | { | |
95 | switch (fdwReason) { | |
96 | case DLL_PROCESS_ATTACH: | |
390b18a7 | 97 | init(); |
14a684bf MC |
98 | break; |
99 | case DLL_PROCESS_DETACH: | |
390b18a7 | 100 | cleanup(); |
14a684bf MC |
101 | break; |
102 | default: | |
103 | break; | |
104 | } | |
105 | return TRUE; | |
106 | } | |
9a7319b0 | 107 | #elif defined(__sun) || defined(_AIX) |
390b18a7 SL |
108 | |
109 | DEP_DECLARE() /* must be declared before pragma */ | |
110 | # define DEP_INIT_ATTRIBUTE | |
111 | # define DEP_FINI_ATTRIBUTE | |
112 | # pragma init(init) | |
113 | # pragma fini(cleanup) | |
114 | ||
115 | #elif defined(__hpux) | |
116 | ||
117 | DEP_DECLARE() | |
118 | # define DEP_INIT_ATTRIBUTE | |
119 | # define DEP_FINI_ATTRIBUTE | |
120 | # pragma init "init" | |
121 | # pragma fini "cleanup" | |
122 | ||
14a684bf | 123 | #elif defined(__GNUC__) |
390b18a7 SL |
124 | # define DEP_INIT_ATTRIBUTE static __attribute__((constructor)) |
125 | # define DEP_FINI_ATTRIBUTE static __attribute__((destructor)) | |
6b1428ac RB |
126 | |
127 | #elif defined(__TANDEM) | |
128 | DEP_DECLARE() /* must be declared before calling init() or cleanup() */ | |
129 | # define DEP_INIT_ATTRIBUTE | |
130 | # define DEP_FINI_ATTRIBUTE | |
131 | ||
132 | /* Method automatically called by the NonStop OS when the DLL loads */ | |
133 | void __INIT__init(void) { | |
134 | init(); | |
135 | } | |
136 | ||
137 | /* Method automatically called by the NonStop OS prior to unloading the DLL */ | |
138 | void __TERM__cleanup(void) { | |
139 | cleanup(); | |
140 | } | |
141 | ||
390b18a7 | 142 | #endif |
14a684bf | 143 | |
390b18a7 SL |
144 | #if defined(DEP_INIT_ATTRIBUTE) && defined(DEP_FINI_ATTRIBUTE) |
145 | DEP_INIT_ATTRIBUTE void init(void) | |
14a684bf MC |
146 | { |
147 | FIPS_state = FIPS_STATE_SELFTEST; | |
148 | } | |
149 | ||
390b18a7 | 150 | DEP_FINI_ATTRIBUTE void cleanup(void) |
14a684bf MC |
151 | { |
152 | CRYPTO_THREAD_lock_free(self_test_lock); | |
153 | } | |
14a684bf MC |
154 | #endif |
155 | ||
7bb82f92 SL |
156 | /* |
157 | * Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify | |
158 | * the result matches the expected value. | |
159 | * Return 1 if verified, or 0 if it fails. | |
160 | */ | |
363b1e5d | 161 | static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb, |
7bb82f92 | 162 | unsigned char *expected, size_t expected_len, |
47c239c6 | 163 | OPENSSL_CTX *libctx, OSSL_SELF_TEST *ev, |
36fc5fc6 | 164 | const char *event_type) |
7bb82f92 SL |
165 | { |
166 | int ret = 0, status; | |
167 | unsigned char out[MAX_MD_SIZE]; | |
168 | unsigned char buf[INTEGRITY_BUF_SIZE]; | |
169 | size_t bytes_read = 0, out_len = 0; | |
170 | EVP_MAC *mac = NULL; | |
171 | EVP_MAC_CTX *ctx = NULL; | |
172 | OSSL_PARAM params[3], *p = params; | |
173 | ||
47c239c6 | 174 | OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC); |
36fc5fc6 | 175 | |
7bb82f92 | 176 | mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); |
78ef5717 SL |
177 | if (mac == NULL) |
178 | goto err; | |
865adf97 | 179 | ctx = EVP_MAC_CTX_new(mac); |
78ef5717 | 180 | if (ctx == NULL) |
7bb82f92 SL |
181 | goto err; |
182 | ||
183 | *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, | |
184 | strlen(DIGEST_NAME) + 1); | |
185 | *p++ = OSSL_PARAM_construct_octet_string("key", fixed_key, | |
186 | sizeof(fixed_key)); | |
187 | *p = OSSL_PARAM_construct_end(); | |
188 | ||
865adf97 | 189 | if (EVP_MAC_CTX_set_params(ctx, params) <= 0 |
7bb82f92 SL |
190 | || !EVP_MAC_init(ctx)) |
191 | goto err; | |
192 | ||
193 | while (1) { | |
194 | status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read); | |
195 | if (status != 1) | |
196 | break; | |
197 | if (!EVP_MAC_update(ctx, buf, bytes_read)) | |
198 | goto err; | |
199 | } | |
200 | if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out))) | |
201 | goto err; | |
202 | ||
47c239c6 | 203 | OSSL_SELF_TEST_oncorrupt_byte(ev, out); |
7bb82f92 SL |
204 | if (expected_len != out_len |
205 | || memcmp(expected, out, out_len) != 0) | |
206 | goto err; | |
207 | ret = 1; | |
208 | err: | |
47c239c6 | 209 | OSSL_SELF_TEST_onend(ev, ret); |
865adf97 | 210 | EVP_MAC_CTX_free(ctx); |
7bb82f92 SL |
211 | EVP_MAC_free(mac); |
212 | return ret; | |
213 | } | |
214 | ||
215 | /* This API is triggered either on loading of the FIPS module or on demand */ | |
14a684bf | 216 | int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) |
7bb82f92 SL |
217 | { |
218 | int ok = 0; | |
219 | int kats_already_passed = 0; | |
7bb82f92 | 220 | long checksum_len; |
d40b42ab | 221 | OSSL_CORE_BIO *bio_module = NULL, *bio_indicator = NULL; |
7bb82f92 SL |
222 | unsigned char *module_checksum = NULL; |
223 | unsigned char *indicator_checksum = NULL; | |
14a684bf | 224 | int loclstate; |
47c239c6 | 225 | OSSL_SELF_TEST *ev = NULL; |
14a684bf MC |
226 | |
227 | if (!RUN_ONCE(&fips_self_test_init, do_fips_self_test_init)) | |
228 | return 0; | |
229 | ||
230 | CRYPTO_THREAD_read_lock(self_test_lock); | |
231 | loclstate = FIPS_state; | |
232 | CRYPTO_THREAD_unlock(self_test_lock); | |
7bb82f92 | 233 | |
14a684bf MC |
234 | if (loclstate == FIPS_STATE_RUNNING) { |
235 | if (!on_demand_test) | |
236 | return 1; | |
237 | } else if (loclstate != FIPS_STATE_SELFTEST) { | |
9f7bdcf3 | 238 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_STATE); |
14a684bf MC |
239 | return 0; |
240 | } | |
241 | ||
242 | CRYPTO_THREAD_write_lock(self_test_lock); | |
243 | if (FIPS_state == FIPS_STATE_RUNNING) { | |
244 | if (!on_demand_test) { | |
245 | CRYPTO_THREAD_unlock(self_test_lock); | |
246 | return 1; | |
247 | } | |
248 | FIPS_state = FIPS_STATE_SELFTEST; | |
249 | } else if (FIPS_state != FIPS_STATE_SELFTEST) { | |
250 | CRYPTO_THREAD_unlock(self_test_lock); | |
9f7bdcf3 | 251 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_STATE); |
14a684bf MC |
252 | return 0; |
253 | } | |
7bb82f92 | 254 | if (st == NULL |
9f7bdcf3 SL |
255 | || st->module_checksum_data == NULL) { |
256 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA); | |
7bb82f92 | 257 | goto end; |
9f7bdcf3 | 258 | } |
7bb82f92 | 259 | |
47c239c6 SL |
260 | ev = OSSL_SELF_TEST_new(st->cb, st->cb_arg); |
261 | if (ev == NULL) | |
262 | goto end; | |
36fc5fc6 | 263 | |
7bb82f92 SL |
264 | module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, |
265 | &checksum_len); | |
9f7bdcf3 SL |
266 | if (module_checksum == NULL) { |
267 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA); | |
7bb82f92 | 268 | goto end; |
9f7bdcf3 | 269 | } |
7bb82f92 SL |
270 | bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb"); |
271 | ||
272 | /* Always check the integrity of the fips module */ | |
273 | if (bio_module == NULL | |
274 | || !verify_integrity(bio_module, st->bio_read_ex_cb, | |
36fc5fc6 | 275 | module_checksum, checksum_len, st->libctx, |
9f7bdcf3 SL |
276 | ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { |
277 | ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); | |
7bb82f92 | 278 | goto end; |
9f7bdcf3 | 279 | } |
7bb82f92 SL |
280 | |
281 | /* This will be NULL during installation - so the self test KATS will run */ | |
282 | if (st->indicator_data != NULL) { | |
283 | /* | |
284 | * If the kats have already passed indicator is set - then check the | |
285 | * integrity of the indicator. | |
286 | */ | |
9f7bdcf3 SL |
287 | if (st->indicator_checksum_data == NULL) { |
288 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA); | |
7bb82f92 | 289 | goto end; |
9f7bdcf3 | 290 | } |
7bb82f92 SL |
291 | indicator_checksum = OPENSSL_hexstr2buf(st->indicator_checksum_data, |
292 | &checksum_len); | |
9f7bdcf3 SL |
293 | if (indicator_checksum == NULL) { |
294 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA); | |
7bb82f92 | 295 | goto end; |
9f7bdcf3 | 296 | } |
7bb82f92 SL |
297 | |
298 | bio_indicator = | |
299 | (*st->bio_new_buffer_cb)(st->indicator_data, | |
300 | strlen(st->indicator_data)); | |
301 | if (bio_indicator == NULL | |
302 | || !verify_integrity(bio_indicator, st->bio_read_ex_cb, | |
303 | indicator_checksum, checksum_len, | |
47c239c6 | 304 | st->libctx, ev, |
9f7bdcf3 SL |
305 | OSSL_SELF_TEST_TYPE_INSTALL_INTEGRITY)) { |
306 | ERR_raise(ERR_LIB_PROV, PROV_R_INDICATOR_INTEGRITY_FAILURE); | |
7bb82f92 | 307 | goto end; |
9f7bdcf3 | 308 | } else { |
7bb82f92 | 309 | kats_already_passed = 1; |
9f7bdcf3 | 310 | } |
7bb82f92 SL |
311 | } |
312 | ||
313 | /* Only runs the KAT's during installation OR on_demand() */ | |
314 | if (on_demand_test || kats_already_passed == 0) { | |
9f7bdcf3 SL |
315 | if (!SELF_TEST_kats(ev, st->libctx)) { |
316 | ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE); | |
36fc5fc6 | 317 | goto end; |
9f7bdcf3 | 318 | } |
7bb82f92 SL |
319 | } |
320 | ok = 1; | |
321 | end: | |
47c239c6 | 322 | OSSL_SELF_TEST_free(ev); |
7bb82f92 SL |
323 | OPENSSL_free(module_checksum); |
324 | OPENSSL_free(indicator_checksum); | |
325 | ||
12fca1af SL |
326 | if (st != NULL) { |
327 | (*st->bio_free_cb)(bio_indicator); | |
328 | (*st->bio_free_cb)(bio_module); | |
329 | } | |
5736923f P |
330 | if (ok) |
331 | FIPS_state = FIPS_STATE_RUNNING; | |
332 | else | |
35e6ea3b | 333 | ossl_set_error_state(OSSL_SELF_TEST_TYPE_NONE); |
14a684bf | 334 | CRYPTO_THREAD_unlock(self_test_lock); |
7bb82f92 SL |
335 | |
336 | return ok; | |
337 | } | |
04cb5ec0 | 338 | |
35e6ea3b | 339 | void SELF_TEST_disable_conditional_error_state(void) |
5736923f | 340 | { |
35e6ea3b SL |
341 | FIPS_conditional_error_check = 0; |
342 | } | |
343 | ||
344 | void ossl_set_error_state(const char *type) | |
345 | { | |
346 | int cond_test = (type != NULL && strcmp(type, OSSL_SELF_TEST_TYPE_PCT) == 0); | |
347 | ||
348 | if (!cond_test || (FIPS_conditional_error_check == 1)) { | |
349 | FIPS_state = FIPS_STATE_ERROR; | |
350 | ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE); | |
351 | } else { | |
352 | ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_CONDITIONAL_ERROR); | |
353 | } | |
5736923f | 354 | } |
04cb5ec0 | 355 | |
6cf37302 | 356 | int ossl_prov_is_running(void) |
04cb5ec0 | 357 | { |
5736923f P |
358 | const int res = FIPS_state == FIPS_STATE_RUNNING |
359 | || FIPS_state == FIPS_STATE_SELFTEST; | |
360 | static unsigned int rate_limit = 0; | |
361 | ||
362 | if (res) { | |
363 | rate_limit = 0; | |
364 | } else if (FIPS_state == FIPS_STATE_ERROR) { | |
365 | if (rate_limit++ < FIPS_ERROR_REPORTING_RATE_LIMIT) | |
366 | ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_IN_ERROR_STATE); | |
367 | } | |
368 | return res; | |
04cb5ec0 | 369 | } |