]>
Commit | Line | Data |
---|---|---|
7bb82f92 | 1 | /* |
a28d06f3 | 2 | * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. |
7bb82f92 | 3 | * |
a6ed19dc | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
7bb82f92 SL |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <string.h> | |
11 | #include <openssl/evp.h> | |
12 | #include <openssl/params.h> | |
14a684bf | 13 | #include <openssl/crypto.h> |
449bdf37 | 14 | #include "internal/cryptlib.h" |
31214258 | 15 | #include <openssl/fipskey.h> |
9f7bdcf3 | 16 | #include <openssl/err.h> |
2741128e | 17 | #include <openssl/proverr.h> |
d5f9166b | 18 | #include "internal/e_os.h" |
6cf37302 P |
19 | #include "prov/providercommon.h" |
20 | ||
14a684bf MC |
21 | /* |
22 | * We're cheating here. Normally we don't allow RUN_ONCE usage inside the FIPS | |
23 | * module because all such initialisation should be associated with an | |
b4250010 DMSP |
24 | * individual OSSL_LIB_CTX. That doesn't work with the self test though because |
25 | * it should be run once regardless of the number of OSSL_LIB_CTXs we have. | |
14a684bf MC |
26 | */ |
27 | #define ALLOW_RUN_ONCE_IN_FIPS | |
449bdf37 | 28 | #include "internal/thread_once.h" |
36fc5fc6 | 29 | #include "self_test.h" |
7bb82f92 SL |
30 | |
31 | #define FIPS_STATE_INIT 0 | |
14a684bf MC |
32 | #define FIPS_STATE_SELFTEST 1 |
33 | #define FIPS_STATE_RUNNING 2 | |
7bb82f92 SL |
34 | #define FIPS_STATE_ERROR 3 |
35 | ||
5736923f P |
36 | /* |
37 | * The number of times the module will report it is in the error state | |
38 | * before going quiet. | |
39 | */ | |
40 | #define FIPS_ERROR_REPORTING_RATE_LIMIT 10 | |
41 | ||
7bb82f92 SL |
42 | /* The size of a temp buffer used to read in data */ |
43 | #define INTEGRITY_BUF_SIZE (4096) | |
44 | #define MAX_MD_SIZE 64 | |
45 | #define MAC_NAME "HMAC" | |
46 | #define DIGEST_NAME "SHA256" | |
47 | ||
35e6ea3b | 48 | static int FIPS_conditional_error_check = 1; |
14a684bf | 49 | static CRYPTO_RWLOCK *self_test_lock = NULL; |
40994605 | 50 | static CRYPTO_RWLOCK *fips_state_lock = NULL; |
31214258 | 51 | static unsigned char fixed_key[32] = { FIPS_KEY_ELEMENTS }; |
7bb82f92 | 52 | |
14a684bf MC |
53 | static CRYPTO_ONCE fips_self_test_init = CRYPTO_ONCE_STATIC_INIT; |
54 | DEFINE_RUN_ONCE_STATIC(do_fips_self_test_init) | |
55 | { | |
cc38e643 | 56 | /* |
40994605 | 57 | * These locks get freed in platform specific ways that may occur after we |
cc38e643 | 58 | * do mem leak checking. If we don't know how to free it for a particular |
40994605 | 59 | * platform then we just leak it deliberately. |
cc38e643 | 60 | */ |
14a684bf | 61 | self_test_lock = CRYPTO_THREAD_lock_new(); |
40994605 | 62 | fips_state_lock = CRYPTO_THREAD_lock_new(); |
14a684bf MC |
63 | return self_test_lock != NULL; |
64 | } | |
65 | ||
c45df330 P |
66 | /* |
67 | * Declarations for the DEP entry/exit points. | |
68 | * Ones not required or incorrect need to be undefined or redefined respectively. | |
69 | */ | |
70 | #define DEP_INITIAL_STATE FIPS_STATE_INIT | |
71 | #define DEP_INIT_ATTRIBUTE static | |
72 | #define DEP_FINI_ATTRIBUTE static | |
73 | ||
c45df330 P |
74 | static void init(void); |
75 | static void cleanup(void); | |
390b18a7 | 76 | |
14a684bf | 77 | /* |
c45df330 | 78 | * This is the Default Entry Point (DEP) code. |
14a684bf | 79 | * See FIPS 140-2 IG 9.10 |
14a684bf MC |
80 | */ |
81 | #if defined(_WIN32) || defined(__CYGWIN__) | |
82 | # ifdef __CYGWIN__ | |
83 | /* pick DLL_[PROCESS|THREAD]_[ATTACH|DETACH] definitions */ | |
84 | # include <windows.h> | |
85 | /* | |
86 | * this has side-effect of _WIN32 getting defined, which otherwise is | |
87 | * mutually exclusive with __CYGWIN__... | |
88 | */ | |
89 | # endif | |
90 | ||
91 | BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved); | |
92 | BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) | |
93 | { | |
94 | switch (fdwReason) { | |
95 | case DLL_PROCESS_ATTACH: | |
390b18a7 | 96 | init(); |
14a684bf MC |
97 | break; |
98 | case DLL_PROCESS_DETACH: | |
390b18a7 | 99 | cleanup(); |
14a684bf MC |
100 | break; |
101 | default: | |
102 | break; | |
103 | } | |
104 | return TRUE; | |
105 | } | |
69e0f8cc | 106 | #elif defined(__sun) |
390b18a7 SL |
107 | # pragma init(init) |
108 | # pragma fini(cleanup) | |
109 | ||
69e0f8cc SL |
110 | #elif defined(_AIX) |
111 | void _init(void); | |
112 | void _cleanup(void); | |
113 | # pragma init(_init) | |
114 | # pragma fini(_cleanup) | |
115 | void _init(void) | |
116 | { | |
117 | init(); | |
118 | } | |
119 | void _cleanup(void) | |
120 | { | |
121 | cleanup(); | |
122 | } | |
123 | ||
390b18a7 | 124 | #elif defined(__hpux) |
390b18a7 SL |
125 | # pragma init "init" |
126 | # pragma fini "cleanup" | |
127 | ||
14a684bf | 128 | #elif defined(__GNUC__) |
c45df330 P |
129 | # undef DEP_INIT_ATTRIBUTE |
130 | # undef DEP_FINI_ATTRIBUTE | |
390b18a7 SL |
131 | # define DEP_INIT_ATTRIBUTE static __attribute__((constructor)) |
132 | # define DEP_FINI_ATTRIBUTE static __attribute__((destructor)) | |
6b1428ac RB |
133 | |
134 | #elif defined(__TANDEM) | |
6b1428ac RB |
135 | /* Method automatically called by the NonStop OS when the DLL loads */ |
136 | void __INIT__init(void) { | |
137 | init(); | |
138 | } | |
139 | ||
140 | /* Method automatically called by the NonStop OS prior to unloading the DLL */ | |
141 | void __TERM__cleanup(void) { | |
142 | cleanup(); | |
143 | } | |
144 | ||
c45df330 P |
145 | #else |
146 | /* | |
147 | * This build does not support any kind of DEP. | |
148 | * We force the self-tests to run as part of the FIPS provider initialisation | |
149 | * rather than being triggered by the DEP. | |
150 | */ | |
151 | # undef DEP_INIT_ATTRIBUTE | |
152 | # undef DEP_FINI_ATTRIBUTE | |
153 | # undef DEP_INITIAL_STATE | |
154 | # define DEP_INITIAL_STATE FIPS_STATE_SELFTEST | |
390b18a7 | 155 | #endif |
14a684bf | 156 | |
c45df330 P |
157 | static int FIPS_state = DEP_INITIAL_STATE; |
158 | ||
159 | #if defined(DEP_INIT_ATTRIBUTE) | |
390b18a7 | 160 | DEP_INIT_ATTRIBUTE void init(void) |
14a684bf MC |
161 | { |
162 | FIPS_state = FIPS_STATE_SELFTEST; | |
163 | } | |
c45df330 | 164 | #endif |
14a684bf | 165 | |
c45df330 | 166 | #if defined(DEP_FINI_ATTRIBUTE) |
390b18a7 | 167 | DEP_FINI_ATTRIBUTE void cleanup(void) |
14a684bf MC |
168 | { |
169 | CRYPTO_THREAD_lock_free(self_test_lock); | |
40994605 | 170 | CRYPTO_THREAD_lock_free(fips_state_lock); |
14a684bf | 171 | } |
14a684bf MC |
172 | #endif |
173 | ||
7bb82f92 SL |
174 | /* |
175 | * Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify | |
176 | * the result matches the expected value. | |
177 | * Return 1 if verified, or 0 if it fails. | |
178 | */ | |
363b1e5d | 179 | static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb, |
7bb82f92 | 180 | unsigned char *expected, size_t expected_len, |
b4250010 | 181 | OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev, |
36fc5fc6 | 182 | const char *event_type) |
7bb82f92 SL |
183 | { |
184 | int ret = 0, status; | |
185 | unsigned char out[MAX_MD_SIZE]; | |
186 | unsigned char buf[INTEGRITY_BUF_SIZE]; | |
187 | size_t bytes_read = 0, out_len = 0; | |
188 | EVP_MAC *mac = NULL; | |
189 | EVP_MAC_CTX *ctx = NULL; | |
fbff75ca | 190 | OSSL_PARAM params[2], *p = params; |
7bb82f92 | 191 | |
47c239c6 | 192 | OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC); |
36fc5fc6 | 193 | |
7bb82f92 | 194 | mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); |
78ef5717 SL |
195 | if (mac == NULL) |
196 | goto err; | |
865adf97 | 197 | ctx = EVP_MAC_CTX_new(mac); |
78ef5717 | 198 | if (ctx == NULL) |
7bb82f92 SL |
199 | goto err; |
200 | ||
3262300a | 201 | *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0); |
7bb82f92 SL |
202 | *p = OSSL_PARAM_construct_end(); |
203 | ||
fbff75ca | 204 | if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params)) |
7bb82f92 SL |
205 | goto err; |
206 | ||
207 | while (1) { | |
208 | status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read); | |
209 | if (status != 1) | |
210 | break; | |
211 | if (!EVP_MAC_update(ctx, buf, bytes_read)) | |
212 | goto err; | |
213 | } | |
214 | if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out))) | |
215 | goto err; | |
216 | ||
47c239c6 | 217 | OSSL_SELF_TEST_oncorrupt_byte(ev, out); |
7bb82f92 SL |
218 | if (expected_len != out_len |
219 | || memcmp(expected, out, out_len) != 0) | |
220 | goto err; | |
221 | ret = 1; | |
222 | err: | |
47c239c6 | 223 | OSSL_SELF_TEST_onend(ev, ret); |
865adf97 | 224 | EVP_MAC_CTX_free(ctx); |
7bb82f92 SL |
225 | EVP_MAC_free(mac); |
226 | return ret; | |
227 | } | |
228 | ||
40994605 MC |
229 | static void set_fips_state(int state) |
230 | { | |
cd3f8c1b RS |
231 | if (ossl_assert(CRYPTO_THREAD_write_lock(fips_state_lock) != 0)) { |
232 | FIPS_state = state; | |
233 | CRYPTO_THREAD_unlock(fips_state_lock); | |
234 | } | |
40994605 MC |
235 | } |
236 | ||
7bb82f92 | 237 | /* This API is triggered either on loading of the FIPS module or on demand */ |
14a684bf | 238 | int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) |
7bb82f92 SL |
239 | { |
240 | int ok = 0; | |
241 | int kats_already_passed = 0; | |
7bb82f92 | 242 | long checksum_len; |
d40b42ab | 243 | OSSL_CORE_BIO *bio_module = NULL, *bio_indicator = NULL; |
7bb82f92 SL |
244 | unsigned char *module_checksum = NULL; |
245 | unsigned char *indicator_checksum = NULL; | |
14a684bf | 246 | int loclstate; |
47c239c6 | 247 | OSSL_SELF_TEST *ev = NULL; |
14a684bf MC |
248 | |
249 | if (!RUN_ONCE(&fips_self_test_init, do_fips_self_test_init)) | |
250 | return 0; | |
251 | ||
cd3f8c1b RS |
252 | if (!CRYPTO_THREAD_read_lock(fips_state_lock)) |
253 | return 0; | |
14a684bf | 254 | loclstate = FIPS_state; |
40994605 | 255 | CRYPTO_THREAD_unlock(fips_state_lock); |
7bb82f92 | 256 | |
14a684bf MC |
257 | if (loclstate == FIPS_STATE_RUNNING) { |
258 | if (!on_demand_test) | |
259 | return 1; | |
260 | } else if (loclstate != FIPS_STATE_SELFTEST) { | |
9f7bdcf3 | 261 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_STATE); |
14a684bf MC |
262 | return 0; |
263 | } | |
264 | ||
cd3f8c1b RS |
265 | if (!CRYPTO_THREAD_write_lock(self_test_lock)) |
266 | return 0; | |
267 | if (!CRYPTO_THREAD_read_lock(fips_state_lock)) { | |
268 | CRYPTO_THREAD_unlock(self_test_lock); | |
269 | return 0; | |
270 | } | |
14a684bf | 271 | if (FIPS_state == FIPS_STATE_RUNNING) { |
40994605 | 272 | CRYPTO_THREAD_unlock(fips_state_lock); |
14a684bf MC |
273 | if (!on_demand_test) { |
274 | CRYPTO_THREAD_unlock(self_test_lock); | |
275 | return 1; | |
276 | } | |
40994605 | 277 | set_fips_state(FIPS_STATE_SELFTEST); |
14a684bf | 278 | } else if (FIPS_state != FIPS_STATE_SELFTEST) { |
40994605 | 279 | CRYPTO_THREAD_unlock(fips_state_lock); |
14a684bf | 280 | CRYPTO_THREAD_unlock(self_test_lock); |
9f7bdcf3 | 281 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_STATE); |
14a684bf | 282 | return 0; |
40994605 MC |
283 | } else { |
284 | CRYPTO_THREAD_unlock(fips_state_lock); | |
14a684bf | 285 | } |
40994605 | 286 | |
7bb82f92 | 287 | if (st == NULL |
9f7bdcf3 SL |
288 | || st->module_checksum_data == NULL) { |
289 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA); | |
7bb82f92 | 290 | goto end; |
9f7bdcf3 | 291 | } |
7bb82f92 | 292 | |
47c239c6 SL |
293 | ev = OSSL_SELF_TEST_new(st->cb, st->cb_arg); |
294 | if (ev == NULL) | |
295 | goto end; | |
36fc5fc6 | 296 | |
7bb82f92 SL |
297 | module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, |
298 | &checksum_len); | |
9f7bdcf3 SL |
299 | if (module_checksum == NULL) { |
300 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA); | |
7bb82f92 | 301 | goto end; |
9f7bdcf3 | 302 | } |
7bb82f92 SL |
303 | bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb"); |
304 | ||
305 | /* Always check the integrity of the fips module */ | |
306 | if (bio_module == NULL | |
307 | || !verify_integrity(bio_module, st->bio_read_ex_cb, | |
36fc5fc6 | 308 | module_checksum, checksum_len, st->libctx, |
9f7bdcf3 SL |
309 | ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { |
310 | ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); | |
7bb82f92 | 311 | goto end; |
9f7bdcf3 | 312 | } |
7bb82f92 SL |
313 | |
314 | /* This will be NULL during installation - so the self test KATS will run */ | |
315 | if (st->indicator_data != NULL) { | |
316 | /* | |
317 | * If the kats have already passed indicator is set - then check the | |
318 | * integrity of the indicator. | |
319 | */ | |
9f7bdcf3 SL |
320 | if (st->indicator_checksum_data == NULL) { |
321 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA); | |
7bb82f92 | 322 | goto end; |
9f7bdcf3 | 323 | } |
7bb82f92 SL |
324 | indicator_checksum = OPENSSL_hexstr2buf(st->indicator_checksum_data, |
325 | &checksum_len); | |
9f7bdcf3 SL |
326 | if (indicator_checksum == NULL) { |
327 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA); | |
7bb82f92 | 328 | goto end; |
9f7bdcf3 | 329 | } |
7bb82f92 SL |
330 | |
331 | bio_indicator = | |
332 | (*st->bio_new_buffer_cb)(st->indicator_data, | |
333 | strlen(st->indicator_data)); | |
334 | if (bio_indicator == NULL | |
335 | || !verify_integrity(bio_indicator, st->bio_read_ex_cb, | |
336 | indicator_checksum, checksum_len, | |
47c239c6 | 337 | st->libctx, ev, |
9f7bdcf3 SL |
338 | OSSL_SELF_TEST_TYPE_INSTALL_INTEGRITY)) { |
339 | ERR_raise(ERR_LIB_PROV, PROV_R_INDICATOR_INTEGRITY_FAILURE); | |
7bb82f92 | 340 | goto end; |
9f7bdcf3 | 341 | } else { |
7bb82f92 | 342 | kats_already_passed = 1; |
9f7bdcf3 | 343 | } |
7bb82f92 SL |
344 | } |
345 | ||
2abffec0 SL |
346 | /* |
347 | * Only runs the KAT's during installation OR on_demand(). | |
348 | * NOTE: If the installation option 'self_test_onload' is chosen then this | |
349 | * path will always be run, since kats_already_passed will always be 0. | |
350 | */ | |
7bb82f92 | 351 | if (on_demand_test || kats_already_passed == 0) { |
9f7bdcf3 SL |
352 | if (!SELF_TEST_kats(ev, st->libctx)) { |
353 | ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE); | |
36fc5fc6 | 354 | goto end; |
9f7bdcf3 | 355 | } |
7bb82f92 SL |
356 | } |
357 | ok = 1; | |
358 | end: | |
47c239c6 | 359 | OSSL_SELF_TEST_free(ev); |
7bb82f92 SL |
360 | OPENSSL_free(module_checksum); |
361 | OPENSSL_free(indicator_checksum); | |
362 | ||
12fca1af SL |
363 | if (st != NULL) { |
364 | (*st->bio_free_cb)(bio_indicator); | |
365 | (*st->bio_free_cb)(bio_module); | |
366 | } | |
5736923f | 367 | if (ok) |
40994605 | 368 | set_fips_state(FIPS_STATE_RUNNING); |
5736923f | 369 | else |
35e6ea3b | 370 | ossl_set_error_state(OSSL_SELF_TEST_TYPE_NONE); |
14a684bf | 371 | CRYPTO_THREAD_unlock(self_test_lock); |
7bb82f92 SL |
372 | |
373 | return ok; | |
374 | } | |
04cb5ec0 | 375 | |
35e6ea3b | 376 | void SELF_TEST_disable_conditional_error_state(void) |
5736923f | 377 | { |
35e6ea3b SL |
378 | FIPS_conditional_error_check = 0; |
379 | } | |
380 | ||
381 | void ossl_set_error_state(const char *type) | |
382 | { | |
383 | int cond_test = (type != NULL && strcmp(type, OSSL_SELF_TEST_TYPE_PCT) == 0); | |
384 | ||
385 | if (!cond_test || (FIPS_conditional_error_check == 1)) { | |
40994605 | 386 | set_fips_state(FIPS_STATE_ERROR); |
35e6ea3b SL |
387 | ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE); |
388 | } else { | |
389 | ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_CONDITIONAL_ERROR); | |
390 | } | |
5736923f | 391 | } |
04cb5ec0 | 392 | |
6cf37302 | 393 | int ossl_prov_is_running(void) |
04cb5ec0 | 394 | { |
40994605 | 395 | int res; |
5736923f P |
396 | static unsigned int rate_limit = 0; |
397 | ||
40994605 MC |
398 | if (!CRYPTO_THREAD_read_lock(fips_state_lock)) |
399 | return 0; | |
400 | res = FIPS_state == FIPS_STATE_RUNNING | |
401 | || FIPS_state == FIPS_STATE_SELFTEST; | |
402 | if (FIPS_state == FIPS_STATE_ERROR) { | |
403 | CRYPTO_THREAD_unlock(fips_state_lock); | |
404 | if (!CRYPTO_THREAD_write_lock(fips_state_lock)) | |
405 | return 0; | |
5736923f P |
406 | if (rate_limit++ < FIPS_ERROR_REPORTING_RATE_LIMIT) |
407 | ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_IN_ERROR_STATE); | |
408 | } | |
40994605 | 409 | CRYPTO_THREAD_unlock(fips_state_lock); |
5736923f | 410 | return res; |
04cb5ec0 | 411 | } |