[thirdparty/openssl.git] / providers / fips / self_test.c

/*
 * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <string.h>
#include <openssl/evp.h>
#include <openssl/params.h>
#include <openssl/crypto.h>
#include "internal/cryptlib.h"
#include <openssl/fipskey.h>
#include <openssl/err.h>
#include <openssl/proverr.h>
#include "internal/e_os.h"
#include "prov/providercommon.h"

/*
 * We're cheating here. Normally we don't allow RUN_ONCE usage inside the FIPS
 * module because all such initialisation should be associated with an
 * individual OSSL_LIB_CTX. That doesn't work with the self test though because
 * it should be run once regardless of the number of OSSL_LIB_CTXs we have.
 */
#define ALLOW_RUN_ONCE_IN_FIPS
#include "internal/thread_once.h"
#include "self_test.h"

#define FIPS_STATE_INIT     0
#define FIPS_STATE_SELFTEST 1
#define FIPS_STATE_RUNNING  2
#define FIPS_STATE_ERROR    3

/*
 * The number of times the module will report it is in the error state
 * before going quiet.
 */
#define FIPS_ERROR_REPORTING_RATE_LIMIT     10

/* The size of a temp buffer used to read in data */
#define INTEGRITY_BUF_SIZE (4096)
#define MAX_MD_SIZE 64
#define MAC_NAME    "HMAC"
#define DIGEST_NAME "SHA256"

static int FIPS_conditional_error_check = 1;
static CRYPTO_RWLOCK *self_test_lock = NULL;
static CRYPTO_RWLOCK *fips_state_lock = NULL;
static unsigned char fixed_key[32] = { FIPS_KEY_ELEMENTS };

static CRYPTO_ONCE fips_self_test_init = CRYPTO_ONCE_STATIC_INIT;
DEFINE_RUN_ONCE_STATIC(do_fips_self_test_init)
{
    /*
     * These locks get freed in platform specific ways that may occur after we
     * do mem leak checking. If we don't know how to free it for a particular
     * platform then we just leak it deliberately.
     */
    self_test_lock = CRYPTO_THREAD_lock_new();
    fips_state_lock = CRYPTO_THREAD_lock_new();
    return self_test_lock != NULL;
}

/*
 * Declarations for the DEP entry/exit points.
 * Ones not required or incorrect need to be undefined or redefined respectively.
 */
#define DEP_INITIAL_STATE   FIPS_STATE_INIT
#define DEP_INIT_ATTRIBUTE  static
#define DEP_FINI_ATTRIBUTE  static

static void init(void);
static void cleanup(void);

/*
 * This is the Default Entry Point (DEP) code.
 * See FIPS 140-2 IG 9.10
 */
#if defined(_WIN32) || defined(__CYGWIN__)
# ifdef __CYGWIN__
/* pick DLL_[PROCESS|THREAD]_[ATTACH|DETACH] definitions */
#  include <windows.h>
/*
 * this has side-effect of _WIN32 getting defined, which otherwise is
 * mutually exclusive with __CYGWIN__...
 */
# endif

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved);
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        init();
        break;
    case DLL_PROCESS_DETACH:
        cleanup();
        break;
    default:
        break;
    }
    return TRUE;
}
#elif defined(__sun)
# pragma init(init)
# pragma fini(cleanup)

#elif defined(_AIX)
void _init(void);
void _cleanup(void);
# pragma init(_init)
# pragma fini(_cleanup)
void _init(void)
{
    init();
}
void _cleanup(void)
{
    cleanup();
}

#elif defined(__hpux)
# pragma init "init"
# pragma fini "cleanup"

#elif defined(__GNUC__)
# undef DEP_INIT_ATTRIBUTE
# undef DEP_FINI_ATTRIBUTE
# define DEP_INIT_ATTRIBUTE static __attribute__((constructor))
# define DEP_FINI_ATTRIBUTE static __attribute__((destructor))

#elif defined(__TANDEM)
/* Method automatically called by the NonStop OS when the DLL loads */
void __INIT__init(void) {
    init();
}

/* Method automatically called by the NonStop OS prior to unloading the DLL */
void __TERM__cleanup(void) {
    cleanup();
}

#else
/*
 * This build does not support any kind of DEP.
 * We force the self-tests to run as part of the FIPS provider initialisation
 * rather than being triggered by the DEP.
 */
# undef DEP_INIT_ATTRIBUTE
# undef DEP_FINI_ATTRIBUTE
# undef DEP_INITIAL_STATE
# define DEP_INITIAL_STATE  FIPS_STATE_SELFTEST
#endif

static int FIPS_state = DEP_INITIAL_STATE;

#if defined(DEP_INIT_ATTRIBUTE)
DEP_INIT_ATTRIBUTE void init(void)
{
    FIPS_state = FIPS_STATE_SELFTEST;
}
#endif

#if defined(DEP_FINI_ATTRIBUTE)
DEP_FINI_ATTRIBUTE void cleanup(void)
{
    CRYPTO_THREAD_lock_free(self_test_lock);
    CRYPTO_THREAD_lock_free(fips_state_lock);
}
#endif

/*
 * Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
 * the result matches the expected value.
 * Return 1 if verified, or 0 if it fails.
 */
static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
                            unsigned char *expected, size_t expected_len,
                            OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
                            const char *event_type)
{
    int ret = 0, status;
    unsigned char out[MAX_MD_SIZE];
    unsigned char buf[INTEGRITY_BUF_SIZE];
    size_t bytes_read = 0, out_len = 0;
    EVP_MAC *mac = NULL;
    EVP_MAC_CTX *ctx = NULL;
    OSSL_PARAM params[2], *p = params;

    OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);

    mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
    if (mac == NULL)
        goto err;
    ctx = EVP_MAC_CTX_new(mac);
    if (ctx == NULL)
        goto err;

    *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0);
    *p = OSSL_PARAM_construct_end();

    if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
        goto err;

    while (1) {
        status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
        if (status != 1)
            break;
        if (!EVP_MAC_update(ctx, buf, bytes_read))
            goto err;
    }
    if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
        goto err;

    OSSL_SELF_TEST_oncorrupt_byte(ev, out);
    if (expected_len != out_len
            || memcmp(expected, out, out_len) != 0)
        goto err;
    ret = 1;
err:
    OSSL_SELF_TEST_onend(ev, ret);
    EVP_MAC_CTX_free(ctx);
    EVP_MAC_free(mac);
    return ret;
}

static void set_fips_state(int state)
{
    if (ossl_assert(CRYPTO_THREAD_write_lock(fips_state_lock) != 0)) {
        FIPS_state = state;
        CRYPTO_THREAD_unlock(fips_state_lock);
    }
}

/* This API is triggered either on loading of the FIPS module or on demand */
int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
{
    int ok = 0;
    int kats_already_passed = 0;
    long checksum_len;
    OSSL_CORE_BIO *bio_module = NULL, *bio_indicator = NULL;
    unsigned char *module_checksum = NULL;
    unsigned char *indicator_checksum = NULL;
    int loclstate;
    OSSL_SELF_TEST *ev = NULL;

    if (!RUN_ONCE(&fips_self_test_init, do_fips_self_test_init))
        return 0;

    if (!CRYPTO_THREAD_read_lock(fips_state_lock))
        return 0;
    loclstate = FIPS_state;
    CRYPTO_THREAD_unlock(fips_state_lock);

    if (loclstate == FIPS_STATE_RUNNING) {
        if (!on_demand_test)
            return 1;
    } else if (loclstate != FIPS_STATE_SELFTEST) {
        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_STATE);
        return 0;
    }

    if (!CRYPTO_THREAD_write_lock(self_test_lock))
        return 0;
    if (!CRYPTO_THREAD_read_lock(fips_state_lock)) {
        CRYPTO_THREAD_unlock(self_test_lock);
        return 0;
    }
    if (FIPS_state == FIPS_STATE_RUNNING) {
        CRYPTO_THREAD_unlock(fips_state_lock);
        if (!on_demand_test) {
            CRYPTO_THREAD_unlock(self_test_lock);
            return 1;
        }
        set_fips_state(FIPS_STATE_SELFTEST);
    } else if (FIPS_state != FIPS_STATE_SELFTEST) {
        CRYPTO_THREAD_unlock(fips_state_lock);
        CRYPTO_THREAD_unlock(self_test_lock);
        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_STATE);
        return 0;
    } else {
        CRYPTO_THREAD_unlock(fips_state_lock);
    }

    if (st == NULL
            || st->module_checksum_data == NULL) {
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
        goto end;
    }

    ev = OSSL_SELF_TEST_new(st->cb, st->cb_arg);
    if (ev == NULL)
        goto end;

    module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
                                         &checksum_len);
    if (module_checksum == NULL) {
        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
        goto end;
    }
    bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb");

    /* Always check the integrity of the fips module */
    if (bio_module == NULL
            || !verify_integrity(bio_module, st->bio_read_ex_cb,
                                 module_checksum, checksum_len, st->libctx,
                                 ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
        ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
        goto end;
    }

    /* This will be NULL during installation - so the self test KATS will run */
    if (st->indicator_data != NULL) {
        /*
         * If the kats have already passed indicator is set - then check the
         * integrity of the indicator.
         */
        if (st->indicator_checksum_data == NULL) {
            ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
            goto end;
        }
        indicator_checksum = OPENSSL_hexstr2buf(st->indicator_checksum_data,
                                                &checksum_len);
        if (indicator_checksum == NULL) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
            goto end;
        }

        bio_indicator =
            (*st->bio_new_buffer_cb)(st->indicator_data,
                                     strlen(st->indicator_data));
        if (bio_indicator == NULL
                || !verify_integrity(bio_indicator, st->bio_read_ex_cb,
                                     indicator_checksum, checksum_len,
                                     st->libctx, ev,
                                     OSSL_SELF_TEST_TYPE_INSTALL_INTEGRITY)) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INDICATOR_INTEGRITY_FAILURE);
            goto end;
        } else {
            kats_already_passed = 1;
        }
    }

    /*
     * Only runs the KAT's during installation OR on_demand().
     * NOTE: If the installation option 'self_test_onload' is chosen then this
     * path will always be run, since kats_already_passed will always be 0.
     */
    if (on_demand_test || kats_already_passed == 0) {
        if (!SELF_TEST_kats(ev, st->libctx)) {
            ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
            goto end;
        }
    }
    ok = 1;
end:
    OSSL_SELF_TEST_free(ev);
    OPENSSL_free(module_checksum);
    OPENSSL_free(indicator_checksum);

    if (st != NULL) {
        (*st->bio_free_cb)(bio_indicator);
        (*st->bio_free_cb)(bio_module);
    }
    if (ok)
        set_fips_state(FIPS_STATE_RUNNING);
    else
        ossl_set_error_state(OSSL_SELF_TEST_TYPE_NONE);
    CRYPTO_THREAD_unlock(self_test_lock);

    return ok;
}

void SELF_TEST_disable_conditional_error_state(void)
{
    FIPS_conditional_error_check = 0;
}

void ossl_set_error_state(const char *type)
{
    int cond_test = (type != NULL && strcmp(type, OSSL_SELF_TEST_TYPE_PCT) == 0);

    if (!cond_test || (FIPS_conditional_error_check == 1)) {
        set_fips_state(FIPS_STATE_ERROR);
        ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE);
    } else {
        ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_CONDITIONAL_ERROR);
    }
}

int ossl_prov_is_running(void)
{
    int res;
    static unsigned int rate_limit = 0;

    if (!CRYPTO_THREAD_read_lock(fips_state_lock))
        return 0;
    res = FIPS_state == FIPS_STATE_RUNNING
                        || FIPS_state == FIPS_STATE_SELFTEST;
    if (FIPS_state == FIPS_STATE_ERROR) {
        CRYPTO_THREAD_unlock(fips_state_lock);
        if (!CRYPTO_THREAD_write_lock(fips_state_lock))
            return 0;
        if (rate_limit++ < FIPS_ERROR_REPORTING_RATE_LIMIT)
            ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_IN_ERROR_STATE);
    }
    CRYPTO_THREAD_unlock(fips_state_lock);
    return res;
}
Commit	Line	Data
7bb82f92	1	/*
a28d06f3	2	* Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
7bb82f92	3	*
a6ed19dc	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
7bb82f92 SL	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include <string.h>
	11	#include <openssl/evp.h>
	12	#include <openssl/params.h>
14a684bf	13	#include <openssl/crypto.h>
449bdf37	14	#include "internal/cryptlib.h"
31214258	15	#include <openssl/fipskey.h>
9f7bdcf3	16	#include <openssl/err.h>
2741128e	17	#include <openssl/proverr.h>
d5f9166b	18	#include "internal/e_os.h"
6cf37302 P	19	#include "prov/providercommon.h"
6cf37302 P	20
14a684bf MC	21	/*
	22	* We're cheating here. Normally we don't allow RUN_ONCE usage inside the FIPS
	23	* module because all such initialisation should be associated with an
b4250010 DMSP	24	* individual OSSL_LIB_CTX. That doesn't work with the self test though because
b4250010 DMSP	25	* it should be run once regardless of the number of OSSL_LIB_CTXs we have.
14a684bf MC	26	*/
14a684bf MC	27	#define ALLOW_RUN_ONCE_IN_FIPS
449bdf37	28	#include "internal/thread_once.h"
36fc5fc6	29	#include "self_test.h"
7bb82f92 SL	30
7bb82f92 SL	31	#define FIPS_STATE_INIT 0
14a684bf MC	32	#define FIPS_STATE_SELFTEST 1
14a684bf MC	33	#define FIPS_STATE_RUNNING 2
7bb82f92 SL	34	#define FIPS_STATE_ERROR 3
7bb82f92 SL	35
5736923f P	36	/*
	37	* The number of times the module will report it is in the error state
	38	* before going quiet.
	39	*/
	40	#define FIPS_ERROR_REPORTING_RATE_LIMIT 10
	41
7bb82f92 SL	42	/* The size of a temp buffer used to read in data */
	43	#define INTEGRITY_BUF_SIZE (4096)
	44	#define MAX_MD_SIZE 64
	45	#define MAC_NAME "HMAC"
	46	#define DIGEST_NAME "SHA256"
	47
35e6ea3b	48	static int FIPS_conditional_error_check = 1;
14a684bf	49	static CRYPTO_RWLOCK *self_test_lock = NULL;
40994605	50	static CRYPTO_RWLOCK *fips_state_lock = NULL;
31214258	51	static unsigned char fixed_key[32] = { FIPS_KEY_ELEMENTS };
7bb82f92	52
14a684bf MC	53	static CRYPTO_ONCE fips_self_test_init = CRYPTO_ONCE_STATIC_INIT;
	54	DEFINE_RUN_ONCE_STATIC(do_fips_self_test_init)
	55	{
cc38e643	56	/*
40994605	57	* These locks get freed in platform specific ways that may occur after we
cc38e643	58	* do mem leak checking. If we don't know how to free it for a particular
40994605	59	* platform then we just leak it deliberately.
cc38e643	60	*/
14a684bf	61	self_test_lock = CRYPTO_THREAD_lock_new();
40994605	62	fips_state_lock = CRYPTO_THREAD_lock_new();
14a684bf MC	63	return self_test_lock != NULL;
	64	}
	65
c45df330 P	66	/*
	67	* Declarations for the DEP entry/exit points.
	68	* Ones not required or incorrect need to be undefined or redefined respectively.
	69	*/
	70	#define DEP_INITIAL_STATE FIPS_STATE_INIT
	71	#define DEP_INIT_ATTRIBUTE static
	72	#define DEP_FINI_ATTRIBUTE static
	73
c45df330 P	74	static void init(void);
c45df330 P	75	static void cleanup(void);
390b18a7	76
14a684bf	77	/*
c45df330	78	* This is the Default Entry Point (DEP) code.
14a684bf	79	* See FIPS 140-2 IG 9.10
14a684bf MC	80	*/
	81	#if defined(_WIN32) \|\| defined(__CYGWIN__)
	82	# ifdef __CYGWIN__
	83	/* pick DLL_[PROCESS\|THREAD]_[ATTACH\|DETACH] definitions */
	84	# include <windows.h>
	85	/*
	86	* this has side-effect of _WIN32 getting defined, which otherwise is
	87	* mutually exclusive with __CYGWIN__...
	88	*/
	89	# endif
	90
	91	BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved);
	92	BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
	93	{
	94	switch (fdwReason) {
	95	case DLL_PROCESS_ATTACH:
390b18a7	96	init();
14a684bf MC	97	break;
14a684bf MC	98	case DLL_PROCESS_DETACH:
390b18a7	99	cleanup();
14a684bf MC	100	break;
	101	default:
	102	break;
	103	}
	104	return TRUE;
	105	}
69e0f8cc	106	#elif defined(__sun)
390b18a7 SL	107	# pragma init(init)
	108	# pragma fini(cleanup)
	109
69e0f8cc SL	110	#elif defined(_AIX)
	111	void _init(void);
	112	void _cleanup(void);
	113	# pragma init(_init)
	114	# pragma fini(_cleanup)
	115	void _init(void)
	116	{
	117	init();
	118	}
	119	void _cleanup(void)
	120	{
	121	cleanup();
	122	}
	123
390b18a7	124	#elif defined(__hpux)
390b18a7 SL	125	# pragma init "init"
	126	# pragma fini "cleanup"
	127
14a684bf	128	#elif defined(__GNUC__)
c45df330 P	129	# undef DEP_INIT_ATTRIBUTE
c45df330 P	130	# undef DEP_FINI_ATTRIBUTE
390b18a7 SL	131	# define DEP_INIT_ATTRIBUTE static __attribute__((constructor))
390b18a7 SL	132	# define DEP_FINI_ATTRIBUTE static __attribute__((destructor))
6b1428ac RB	133
6b1428ac RB	134	#elif defined(__TANDEM)
6b1428ac RB	135	/* Method automatically called by the NonStop OS when the DLL loads */
	136	void __INIT__init(void) {
	137	init();
	138	}
	139
	140	/* Method automatically called by the NonStop OS prior to unloading the DLL */
	141	void __TERM__cleanup(void) {
	142	cleanup();
	143	}
	144
c45df330 P	145	#else
	146	/*
	147	* This build does not support any kind of DEP.
	148	* We force the self-tests to run as part of the FIPS provider initialisation
	149	* rather than being triggered by the DEP.
	150	*/
	151	# undef DEP_INIT_ATTRIBUTE
	152	# undef DEP_FINI_ATTRIBUTE
	153	# undef DEP_INITIAL_STATE
	154	# define DEP_INITIAL_STATE FIPS_STATE_SELFTEST
390b18a7	155	#endif
14a684bf	156
c45df330 P	157	static int FIPS_state = DEP_INITIAL_STATE;
	158
	159	#if defined(DEP_INIT_ATTRIBUTE)
390b18a7	160	DEP_INIT_ATTRIBUTE void init(void)
14a684bf MC	161	{
	162	FIPS_state = FIPS_STATE_SELFTEST;
	163	}
c45df330	164	#endif
14a684bf	165
c45df330	166	#if defined(DEP_FINI_ATTRIBUTE)
390b18a7	167	DEP_FINI_ATTRIBUTE void cleanup(void)
14a684bf MC	168	{
14a684bf MC	169	CRYPTO_THREAD_lock_free(self_test_lock);
40994605	170	CRYPTO_THREAD_lock_free(fips_state_lock);
14a684bf	171	}
14a684bf MC	172	#endif
14a684bf MC	173
7bb82f92 SL	174	/*
	175	* Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
	176	* the result matches the expected value.
	177	* Return 1 if verified, or 0 if it fails.
	178	*/
363b1e5d	179	static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
7bb82f92	180	unsigned char *expected, size_t expected_len,
b4250010	181	OSSL_LIB_CTX libctx, OSSL_SELF_TEST ev,
36fc5fc6	182	const char *event_type)
7bb82f92 SL	183	{
	184	int ret = 0, status;
	185	unsigned char out[MAX_MD_SIZE];
	186	unsigned char buf[INTEGRITY_BUF_SIZE];
	187	size_t bytes_read = 0, out_len = 0;
	188	EVP_MAC *mac = NULL;
	189	EVP_MAC_CTX *ctx = NULL;
fbff75ca	190	OSSL_PARAM params[2], *p = params;
7bb82f92	191
47c239c6	192	OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
36fc5fc6	193
7bb82f92	194	mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
78ef5717 SL	195	if (mac == NULL)
78ef5717 SL	196	goto err;
865adf97	197	ctx = EVP_MAC_CTX_new(mac);
78ef5717	198	if (ctx == NULL)
7bb82f92 SL	199	goto err;
7bb82f92 SL	200
3262300a	201	*p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0);
7bb82f92 SL	202	*p = OSSL_PARAM_construct_end();
7bb82f92 SL	203
fbff75ca	204	if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
7bb82f92 SL	205	goto err;
	206
	207	while (1) {
	208	status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
	209	if (status != 1)
	210	break;
	211	if (!EVP_MAC_update(ctx, buf, bytes_read))
	212	goto err;
	213	}
	214	if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
	215	goto err;
	216
47c239c6	217	OSSL_SELF_TEST_oncorrupt_byte(ev, out);
7bb82f92 SL	218	if (expected_len != out_len
	219	\|\| memcmp(expected, out, out_len) != 0)
	220	goto err;
	221	ret = 1;
	222	err:
47c239c6	223	OSSL_SELF_TEST_onend(ev, ret);
865adf97	224	EVP_MAC_CTX_free(ctx);
7bb82f92 SL	225	EVP_MAC_free(mac);
	226	return ret;
	227	}
	228
40994605 MC	229	static void set_fips_state(int state)
40994605 MC	230	{
cd3f8c1b RS	231	if (ossl_assert(CRYPTO_THREAD_write_lock(fips_state_lock) != 0)) {
	232	FIPS_state = state;
	233	CRYPTO_THREAD_unlock(fips_state_lock);
	234	}
40994605 MC	235	}
40994605 MC	236
7bb82f92	237	/* This API is triggered either on loading of the FIPS module or on demand */
14a684bf	238	int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
7bb82f92 SL	239	{
	240	int ok = 0;
	241	int kats_already_passed = 0;
7bb82f92	242	long checksum_len;
d40b42ab	243	OSSL_CORE_BIO bio_module = NULL, bio_indicator = NULL;
7bb82f92 SL	244	unsigned char *module_checksum = NULL;
7bb82f92 SL	245	unsigned char *indicator_checksum = NULL;
14a684bf	246	int loclstate;
47c239c6	247	OSSL_SELF_TEST *ev = NULL;
14a684bf MC	248
	249	if (!RUN_ONCE(&fips_self_test_init, do_fips_self_test_init))
	250	return 0;
	251
cd3f8c1b RS	252	if (!CRYPTO_THREAD_read_lock(fips_state_lock))
cd3f8c1b RS	253	return 0;
14a684bf	254	loclstate = FIPS_state;
40994605	255	CRYPTO_THREAD_unlock(fips_state_lock);
7bb82f92	256
14a684bf MC	257	if (loclstate == FIPS_STATE_RUNNING) {
	258	if (!on_demand_test)
	259	return 1;
	260	} else if (loclstate != FIPS_STATE_SELFTEST) {
9f7bdcf3	261	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_STATE);
14a684bf MC	262	return 0;
	263	}
	264
cd3f8c1b RS	265	if (!CRYPTO_THREAD_write_lock(self_test_lock))
	266	return 0;
	267	if (!CRYPTO_THREAD_read_lock(fips_state_lock)) {
	268	CRYPTO_THREAD_unlock(self_test_lock);
	269	return 0;
	270	}
14a684bf	271	if (FIPS_state == FIPS_STATE_RUNNING) {
40994605	272	CRYPTO_THREAD_unlock(fips_state_lock);
14a684bf MC	273	if (!on_demand_test) {
	274	CRYPTO_THREAD_unlock(self_test_lock);
	275	return 1;
	276	}
40994605	277	set_fips_state(FIPS_STATE_SELFTEST);
14a684bf	278	} else if (FIPS_state != FIPS_STATE_SELFTEST) {
40994605	279	CRYPTO_THREAD_unlock(fips_state_lock);
14a684bf	280	CRYPTO_THREAD_unlock(self_test_lock);
9f7bdcf3	281	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_STATE);
14a684bf	282	return 0;
40994605 MC	283	} else {
40994605 MC	284	CRYPTO_THREAD_unlock(fips_state_lock);
14a684bf	285	}
40994605	286
7bb82f92	287	if (st == NULL
9f7bdcf3 SL	288	\|\| st->module_checksum_data == NULL) {
9f7bdcf3 SL	289	ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
7bb82f92	290	goto end;
9f7bdcf3	291	}
7bb82f92	292
47c239c6 SL	293	ev = OSSL_SELF_TEST_new(st->cb, st->cb_arg);
	294	if (ev == NULL)
	295	goto end;
36fc5fc6	296
7bb82f92 SL	297	module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
7bb82f92 SL	298	&checksum_len);
9f7bdcf3 SL	299	if (module_checksum == NULL) {
9f7bdcf3 SL	300	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
7bb82f92	301	goto end;
9f7bdcf3	302	}
7bb82f92 SL	303	bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb");
	304
	305	/* Always check the integrity of the fips module */
	306	if (bio_module == NULL
	307	\|\| !verify_integrity(bio_module, st->bio_read_ex_cb,
36fc5fc6	308	module_checksum, checksum_len, st->libctx,
9f7bdcf3 SL	309	ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
9f7bdcf3 SL	310	ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
7bb82f92	311	goto end;
9f7bdcf3	312	}
7bb82f92 SL	313
	314	/* This will be NULL during installation - so the self test KATS will run */
	315	if (st->indicator_data != NULL) {
	316	/*
	317	* If the kats have already passed indicator is set - then check the
	318	* integrity of the indicator.
	319	*/
9f7bdcf3 SL	320	if (st->indicator_checksum_data == NULL) {
9f7bdcf3 SL	321	ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
7bb82f92	322	goto end;
9f7bdcf3	323	}
7bb82f92 SL	324	indicator_checksum = OPENSSL_hexstr2buf(st->indicator_checksum_data,
7bb82f92 SL	325	&checksum_len);
9f7bdcf3 SL	326	if (indicator_checksum == NULL) {
9f7bdcf3 SL	327	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
7bb82f92	328	goto end;
9f7bdcf3	329	}
7bb82f92 SL	330
	331	bio_indicator =
	332	(*st->bio_new_buffer_cb)(st->indicator_data,
	333	strlen(st->indicator_data));
	334	if (bio_indicator == NULL
	335	\|\| !verify_integrity(bio_indicator, st->bio_read_ex_cb,
	336	indicator_checksum, checksum_len,
47c239c6	337	st->libctx, ev,
9f7bdcf3 SL	338	OSSL_SELF_TEST_TYPE_INSTALL_INTEGRITY)) {
9f7bdcf3 SL	339	ERR_raise(ERR_LIB_PROV, PROV_R_INDICATOR_INTEGRITY_FAILURE);
7bb82f92	340	goto end;
9f7bdcf3	341	} else {
7bb82f92	342	kats_already_passed = 1;
9f7bdcf3	343	}
7bb82f92 SL	344	}
7bb82f92 SL	345
2abffec0 SL	346	/*
	347	* Only runs the KAT's during installation OR on_demand().
	348	* NOTE: If the installation option 'self_test_onload' is chosen then this
	349	* path will always be run, since kats_already_passed will always be 0.
	350	*/
7bb82f92	351	if (on_demand_test \|\| kats_already_passed == 0) {
9f7bdcf3 SL	352	if (!SELF_TEST_kats(ev, st->libctx)) {
9f7bdcf3 SL	353	ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
36fc5fc6	354	goto end;
9f7bdcf3	355	}
7bb82f92 SL	356	}
	357	ok = 1;
	358	end:
47c239c6	359	OSSL_SELF_TEST_free(ev);
7bb82f92 SL	360	OPENSSL_free(module_checksum);
	361	OPENSSL_free(indicator_checksum);
	362
12fca1af SL	363	if (st != NULL) {
	364	(*st->bio_free_cb)(bio_indicator);
	365	(*st->bio_free_cb)(bio_module);
	366	}
5736923f	367	if (ok)
40994605	368	set_fips_state(FIPS_STATE_RUNNING);
5736923f	369	else
35e6ea3b	370	ossl_set_error_state(OSSL_SELF_TEST_TYPE_NONE);
14a684bf	371	CRYPTO_THREAD_unlock(self_test_lock);
7bb82f92 SL	372
	373	return ok;
	374	}
04cb5ec0	375
35e6ea3b	376	void SELF_TEST_disable_conditional_error_state(void)
5736923f	377	{
35e6ea3b SL	378	FIPS_conditional_error_check = 0;
	379	}
	380
	381	void ossl_set_error_state(const char *type)
	382	{
	383	int cond_test = (type != NULL && strcmp(type, OSSL_SELF_TEST_TYPE_PCT) == 0);
	384
	385	if (!cond_test \|\| (FIPS_conditional_error_check == 1)) {
40994605	386	set_fips_state(FIPS_STATE_ERROR);
35e6ea3b SL	387	ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE);
	388	} else {
	389	ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_CONDITIONAL_ERROR);
	390	}
5736923f	391	}
04cb5ec0	392
6cf37302	393	int ossl_prov_is_running(void)
04cb5ec0	394	{
40994605	395	int res;
5736923f P	396	static unsigned int rate_limit = 0;
5736923f P	397
40994605 MC	398	if (!CRYPTO_THREAD_read_lock(fips_state_lock))
	399	return 0;
	400	res = FIPS_state == FIPS_STATE_RUNNING
	401	\|\| FIPS_state == FIPS_STATE_SELFTEST;
	402	if (FIPS_state == FIPS_STATE_ERROR) {
	403	CRYPTO_THREAD_unlock(fips_state_lock);
	404	if (!CRYPTO_THREAD_write_lock(fips_state_lock))
	405	return 0;
5736923f P	406	if (rate_limit++ < FIPS_ERROR_REPORTING_RATE_LIMIT)
	407	ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_IN_ERROR_STATE);
	408	}
40994605	409	CRYPTO_THREAD_unlock(fips_state_lock);
5736923f	410	return res;
04cb5ec0	411	}