FIPS: error mode is set from failed self tests and produced a limited number of error...
authorPauli <paul.dale@oracle.com>
Wed, 9 Sep 2020 21:08:57 +0000 (07:08 +1000)
committerPauli <paul.dale@oracle.com>
Sat, 12 Sep 2020 06:46:51 +0000 (16:46 +1000)
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)

crypto/err/openssl.txt
providers/common/include/prov/providercommon.h
providers/common/include/prov/providercommonerr.h
providers/common/provider_err.c
providers/fips/self_test.c
providers/prov_running.c

index d0ba9c47be57460366e314cd575662dff78e06cd..6c2e81efb9b45e65a29928f69885bf99efd4f3c0 100644 (file)
@@ -2877,6 +2877,8 @@ PROV_R_FAILED_TO_GENERATE_KEY:121:failed to generate key
 PROV_R_FAILED_TO_GET_PARAMETER:103:failed to get parameter
 PROV_R_FAILED_TO_SET_PARAMETER:104:failed to set parameter
 PROV_R_FAILED_TO_SIGN:175:failed to sign
+PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE:224:fips module entering error state
+PROV_R_FIPS_MODULE_IN_ERROR_STATE:225:fips module in error state
 PROV_R_GENERATE_ERROR:191:generate error
 PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE:165:\
        illegal or unsupported padding mode
index f6d27dababd58dfecc62acc220ba495f5483f551..280d2d2072c60113440ba1c1fcb9d176a8e066a8 100644 (file)
@@ -19,4 +19,8 @@ int cipher_capable_aes_cbc_hmac_sha256(void);
 
 OSSL_FUNC_provider_get_capabilities_fn provider_get_capabilities;
 
+/* Set the error state if this is a FIPS module */
+void ossl_set_error_state(void);
+
+/* Return true if the module is in a usable condition */
 int ossl_prov_is_running(void);
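Review bot: The comment on the new ossl_set_error_state() declaration does not say that, in the FIPS implementation this commit adds, the call also pushes PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE onto the error queue, so a caller that has already raised its own reason for the failed test ends up with two entries. Suggest `/* Set the error state if this is a FIPS module; the FIPS build also raises PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE */`. It would also help callers to state here that the only effect they can rely on afterwards is ossl_prov_is_running() returning 0, since that is all this commit shows of the error state.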
index 68bcfb482848141c6c69b434026ee6c7240b3973..d4d3c7e8e8e3f0bfcef1a61d0002a9be35969eda 100644 (file)
@@ -75,6 +75,8 @@ int ERR_load_PROV_strings(void);
 # define PROV_R_FAILED_TO_GET_PARAMETER                   103
 # define PROV_R_FAILED_TO_SET_PARAMETER                   104
 # define PROV_R_FAILED_TO_SIGN                            175
+# define PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE          224
+# define PROV_R_FIPS_MODULE_IN_ERROR_STATE                225
 # define PROV_R_GENERATE_ERROR                            191
 # define PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE       165
 # define PROV_R_INAVLID_UKM_LENGTH                        146
index 75f24f88d7c7f5b73e6ab0af2edfd9e1bf458b30..329bb279ebb7c6c6a2f20df94260fed970e91920 100644 (file)
@@ -58,6 +58,10 @@ static const ERR_STRING_DATA PROV_str_reasons[] = {
     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SET_PARAMETER),
     "failed to set parameter"},
     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SIGN), "failed to sign"},
+    {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE),
+    "fips module entering error state"},
+    {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_IN_ERROR_STATE),
+    "fips module in error state"},
     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_GENERATE_ERROR), "generate error"},
     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE),
     "illegal or unsupported padding mode"},
index 8a70bdee7cf3d0d52e2fbef28961807866374de5..b0df0863e265fa0f6308ce5abbafa725378469f9 100644 (file)
 #define FIPS_STATE_RUNNING  2
 #define FIPS_STATE_ERROR    3
 
+/*
+ * The number of times the module will report it is in the error state
+ * before going quiet.
+ */
+#define FIPS_ERROR_REPORTING_RATE_LIMIT     10
+
 /* The size of a temp buffer used to read in data */
 #define INTEGRITY_BUF_SIZE (4096)
 #define MAX_MD_SIZE 64
@@ -302,15 +308,32 @@ end:
         (*st->bio_free_cb)(bio_indicator);
         (*st->bio_free_cb)(bio_module);
     }
-    FIPS_state = ok ? FIPS_STATE_RUNNING : FIPS_STATE_ERROR;
+    if (ok)
+        FIPS_state = FIPS_STATE_RUNNING;
+    else
+        ossl_set_error_state();
     CRYPTO_THREAD_unlock(self_test_lock);
 
     return ok;
 }
 
+void ossl_set_error_state(void)
+{
+    FIPS_state = FIPS_STATE_ERROR;
+    ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE);
+}
 
 int ossl_prov_is_running(void)
 {
-    return FIPS_state == FIPS_STATE_RUNNING
-           || FIPS_state == FIPS_STATE_SELFTEST;
+    const int res = FIPS_state == FIPS_STATE_RUNNING
+                    || FIPS_state == FIPS_STATE_SELFTEST;
+    static unsigned int rate_limit = 0;
+
+    if (res) {
+        rate_limit = 0;
+    } else if (FIPS_state == FIPS_STATE_ERROR) {
+        if (rate_limit++ < FIPS_ERROR_REPORTING_RATE_LIMIT)
+            ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_IN_ERROR_STATE);
+    }
+    return res;
 }
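Review bot: `rate_limit++` in ossl_prov_is_running() keeps incrementing after the limit is reached, so the unsigned counter wraps after UINT_MAX calls and the "fips module in error state" reports resume for another FIPS_ERROR_REPORTING_RATE_LIMIT calls; it is also an unsynchronised read-modify-write on a static from what is presumably a multi-threaded hot path, so the limit is only approximate under concurrent callers. Capping the counter removes the wrap: `if (rate_limit < FIPS_ERROR_REPORTING_RATE_LIMIT) { rate_limit++; ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_IN_ERROR_STATE); }`. If the racy count is deliberate to keep a lock off this path, a comment such as `/* Unsynchronised on purpose: the report limit is approximate under concurrent callers */` would stop the next reader from adding one. Separately, the new ossl_set_error_state() writes FIPS_state without self_test_lock; in this hunk it is only called while the lock is held (the unlock follows on the next line), but the declaration now exported from providercommon.h invites calls from contexts that do not hold it, which is worth noting on the function.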
index a65e4978d07b42a31c31484550f8f18348a6435a..7e62dedf4d475961cddf081fd5f4974c3a27d7dd 100644 (file)
 #include <openssl/e_os2.h>
 #include "prov/providercommon.h"
 
+/* By default, our providers don't have an error state */
+void ossl_set_error_state(void)
+{
+}
+
+/* By default, out providers are always in a happy state */
 int ossl_prov_is_running(void)
 {
     return 1;