2 * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include <openssl/evp.h>
12 #include <openssl/params.h>
13 #include <openssl/crypto.h>
14 #include <openssl/fipskey.h>
15 #include <openssl/err.h>
17 #include "prov/providercommonerr.h"
19 * We're cheating here. Normally we don't allow RUN_ONCE usage inside the FIPS
20 * module because all such initialisation should be associated with an
21 * individual OPENSSL_CTX. That doesn't work with the self test though because
22 * it should be run once regardless of the number of OPENSSL_CTXs we have.
24 #define ALLOW_RUN_ONCE_IN_FIPS
25 #include <internal/thread_once.h>
26 #include "self_test.h"
28 #define FIPS_STATE_INIT 0
29 #define FIPS_STATE_SELFTEST 1
30 #define FIPS_STATE_RUNNING 2
31 #define FIPS_STATE_ERROR 3
33 /* The size of a temp buffer used to read in data */
34 #define INTEGRITY_BUF_SIZE (4096)
35 #define MAX_MD_SIZE 64
36 #define MAC_NAME "HMAC"
37 #define DIGEST_NAME "SHA256"
39 static int FIPS_state
= FIPS_STATE_INIT
;
40 static CRYPTO_RWLOCK
*self_test_lock
= NULL
;
41 static unsigned char fixed_key
[32] = { FIPS_KEY_ELEMENTS
};
43 static CRYPTO_ONCE fips_self_test_init
= CRYPTO_ONCE_STATIC_INIT
;
44 DEFINE_RUN_ONCE_STATIC(do_fips_self_test_init
)
47 * This lock gets freed in platform specific ways that may occur after we
48 * do mem leak checking. If we don't know how to free it for a particular
49 * platform then we just leak it deliberately. So we temporarily disable the
50 * mem leak checking while we allocate this.
52 self_test_lock
= CRYPTO_THREAD_lock_new();
53 return self_test_lock
!= NULL
;
56 #define DEP_DECLARE() \
61 * This is the Default Entry Point (DEP) code. Every platform must have a DEP.
62 * See FIPS 140-2 IG 9.10
64 * If we're run on a platform where we don't know how to define the DEP then
65 * the self-tests will never get triggered (FIPS_state never moves to
66 * FIPS_STATE_SELFTEST). This will be detected as an error when SELF_TEST_post()
67 * is called from OSSL_provider_init(), and so the fips module will be unusable
70 #if defined(_WIN32) || defined(__CYGWIN__)
72 /* pick DLL_[PROCESS|THREAD]_[ATTACH|DETACH] definitions */
75 * this has side-effect of _WIN32 getting defined, which otherwise is
76 * mutually exclusive with __CYGWIN__...
81 # define DEP_INIT_ATTRIBUTE
82 # define DEP_FINI_ATTRIBUTE
83 BOOL WINAPI
DllMain(HINSTANCE hinstDLL
, DWORD fdwReason
, LPVOID lpvReserved
);
84 BOOL WINAPI
DllMain(HINSTANCE hinstDLL
, DWORD fdwReason
, LPVOID lpvReserved
)
87 case DLL_PROCESS_ATTACH
:
90 case DLL_PROCESS_DETACH
:
98 #elif defined(__sun) || defined(_AIX)
100 DEP_DECLARE() /* must be declared before pragma */
101 # define DEP_INIT_ATTRIBUTE
102 # define DEP_FINI_ATTRIBUTE
104 # pragma fini(cleanup)
106 #elif defined(__hpux)
109 # define DEP_INIT_ATTRIBUTE
110 # define DEP_FINI_ATTRIBUTE
112 # pragma fini "cleanup"
114 #elif defined(__GNUC__)
115 # define DEP_INIT_ATTRIBUTE static __attribute__((constructor))
116 # define DEP_FINI_ATTRIBUTE static __attribute__((destructor))
119 #if defined(DEP_INIT_ATTRIBUTE) && defined(DEP_FINI_ATTRIBUTE)
120 DEP_INIT_ATTRIBUTE
void init(void)
122 FIPS_state
= FIPS_STATE_SELFTEST
;
125 DEP_FINI_ATTRIBUTE
void cleanup(void)
127 CRYPTO_THREAD_lock_free(self_test_lock
);
132 * Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
133 * the result matches the expected value.
134 * Return 1 if verified, or 0 if it fails.
136 static int verify_integrity(OSSL_CORE_BIO
*bio
, OSSL_FUNC_BIO_read_ex_fn read_ex_cb
,
137 unsigned char *expected
, size_t expected_len
,
138 OPENSSL_CTX
*libctx
, OSSL_SELF_TEST
*ev
,
139 const char *event_type
)
142 unsigned char out
[MAX_MD_SIZE
];
143 unsigned char buf
[INTEGRITY_BUF_SIZE
];
144 size_t bytes_read
= 0, out_len
= 0;
146 EVP_MAC_CTX
*ctx
= NULL
;
147 OSSL_PARAM params
[3], *p
= params
;
149 OSSL_SELF_TEST_onbegin(ev
, event_type
, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC
);
151 mac
= EVP_MAC_fetch(libctx
, MAC_NAME
, NULL
);
152 ctx
= EVP_MAC_CTX_new(mac
);
153 if (mac
== NULL
|| ctx
== NULL
)
156 *p
++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME
,
157 strlen(DIGEST_NAME
) + 1);
158 *p
++ = OSSL_PARAM_construct_octet_string("key", fixed_key
,
160 *p
= OSSL_PARAM_construct_end();
162 if (EVP_MAC_CTX_set_params(ctx
, params
) <= 0
163 || !EVP_MAC_init(ctx
))
167 status
= read_ex_cb(bio
, buf
, sizeof(buf
), &bytes_read
);
170 if (!EVP_MAC_update(ctx
, buf
, bytes_read
))
173 if (!EVP_MAC_final(ctx
, out
, &out_len
, sizeof(out
)))
176 OSSL_SELF_TEST_oncorrupt_byte(ev
, out
);
177 if (expected_len
!= out_len
178 || memcmp(expected
, out
, out_len
) != 0)
182 OSSL_SELF_TEST_onend(ev
, ret
);
183 EVP_MAC_CTX_free(ctx
);
188 /* This API is triggered either on loading of the FIPS module or on demand */
189 int SELF_TEST_post(SELF_TEST_POST_PARAMS
*st
, int on_demand_test
)
192 int kats_already_passed
= 0;
194 OSSL_CORE_BIO
*bio_module
= NULL
, *bio_indicator
= NULL
;
195 unsigned char *module_checksum
= NULL
;
196 unsigned char *indicator_checksum
= NULL
;
198 OSSL_SELF_TEST
*ev
= NULL
;
200 if (!RUN_ONCE(&fips_self_test_init
, do_fips_self_test_init
))
203 CRYPTO_THREAD_read_lock(self_test_lock
);
204 loclstate
= FIPS_state
;
205 CRYPTO_THREAD_unlock(self_test_lock
);
207 if (loclstate
== FIPS_STATE_RUNNING
) {
210 } else if (loclstate
!= FIPS_STATE_SELFTEST
) {
211 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_STATE
);
215 CRYPTO_THREAD_write_lock(self_test_lock
);
216 if (FIPS_state
== FIPS_STATE_RUNNING
) {
217 if (!on_demand_test
) {
218 CRYPTO_THREAD_unlock(self_test_lock
);
221 FIPS_state
= FIPS_STATE_SELFTEST
;
222 } else if (FIPS_state
!= FIPS_STATE_SELFTEST
) {
223 CRYPTO_THREAD_unlock(self_test_lock
);
224 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_STATE
);
228 || st
->module_checksum_data
== NULL
) {
229 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_CONFIG_DATA
);
233 ev
= OSSL_SELF_TEST_new(st
->cb
, st
->cb_arg
);
237 module_checksum
= OPENSSL_hexstr2buf(st
->module_checksum_data
,
239 if (module_checksum
== NULL
) {
240 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_CONFIG_DATA
);
243 bio_module
= (*st
->bio_new_file_cb
)(st
->module_filename
, "rb");
245 /* Always check the integrity of the fips module */
246 if (bio_module
== NULL
247 || !verify_integrity(bio_module
, st
->bio_read_ex_cb
,
248 module_checksum
, checksum_len
, st
->libctx
,
249 ev
, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY
)) {
250 ERR_raise(ERR_LIB_PROV
, PROV_R_MODULE_INTEGRITY_FAILURE
);
254 /* This will be NULL during installation - so the self test KATS will run */
255 if (st
->indicator_data
!= NULL
) {
257 * If the kats have already passed indicator is set - then check the
258 * integrity of the indicator.
260 if (st
->indicator_checksum_data
== NULL
) {
261 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_CONFIG_DATA
);
264 indicator_checksum
= OPENSSL_hexstr2buf(st
->indicator_checksum_data
,
266 if (indicator_checksum
== NULL
) {
267 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_CONFIG_DATA
);
272 (*st
->bio_new_buffer_cb
)(st
->indicator_data
,
273 strlen(st
->indicator_data
));
274 if (bio_indicator
== NULL
275 || !verify_integrity(bio_indicator
, st
->bio_read_ex_cb
,
276 indicator_checksum
, checksum_len
,
278 OSSL_SELF_TEST_TYPE_INSTALL_INTEGRITY
)) {
279 ERR_raise(ERR_LIB_PROV
, PROV_R_INDICATOR_INTEGRITY_FAILURE
);
282 kats_already_passed
= 1;
286 /* Only runs the KAT's during installation OR on_demand() */
287 if (on_demand_test
|| kats_already_passed
== 0) {
288 if (!SELF_TEST_kats(ev
, st
->libctx
)) {
289 ERR_raise(ERR_LIB_PROV
, PROV_R_SELF_TEST_KAT_FAILURE
);
295 OSSL_SELF_TEST_free(ev
);
296 OPENSSL_free(module_checksum
);
297 OPENSSL_free(indicator_checksum
);
300 (*st
->bio_free_cb
)(bio_indicator
);
301 (*st
->bio_free_cb
)(bio_module
);
303 FIPS_state
= ok
? FIPS_STATE_RUNNING
: FIPS_STATE_ERROR
;
304 CRYPTO_THREAD_unlock(self_test_lock
);