1 /*
2 * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <string.h>
11 #include <openssl/evp.h>
12 #include <openssl/params.h>
13 #include <openssl/crypto.h>
14 #include "internal/cryptlib.h"
15 #include <openssl/fipskey.h>
16 #include <openssl/err.h>
17 #include <openssl/proverr.h>
18 #include "e_os.h"
19 #include "internal/tsan_assist.h"
20 #include "prov/providercommon.h"
21
22 /*
23 * We're cheating here. Normally we don't allow RUN_ONCE usage inside the FIPS
24 * module because all such initialisation should be associated with an
25 * individual OSSL_LIB_CTX. That doesn't work with the self test though because
26 * it should be run once regardless of the number of OSSL_LIB_CTXs we have.
27 */
28 #define ALLOW_RUN_ONCE_IN_FIPS
29 #include "internal/thread_once.h"
30 #include "self_test.h"
31
32 #define FIPS_STATE_INIT 0
33 #define FIPS_STATE_SELFTEST 1
34 #define FIPS_STATE_RUNNING 2
35 #define FIPS_STATE_ERROR 3
36
37 /*
38 * The number of times the module will report it is in the error state
39 * before going quiet.
40 */
41 #define FIPS_ERROR_REPORTING_RATE_LIMIT 10
42
43 /* The size of a temp buffer used to read in data */
44 #define INTEGRITY_BUF_SIZE (4096)
45 #define MAX_MD_SIZE 64
46 #define MAC_NAME "HMAC"
47 #define DIGEST_NAME "SHA256"
48
49 static int FIPS_conditional_error_check = 1;
50 static CRYPTO_RWLOCK *self_test_lock = NULL;
51 static unsigned char fixed_key[32] = { FIPS_KEY_ELEMENTS };
52
53 static CRYPTO_ONCE fips_self_test_init = CRYPTO_ONCE_STATIC_INIT;
DEFINE_RUN_ONCE_STATIC(do_fips_self_test_init)54 DEFINE_RUN_ONCE_STATIC(do_fips_self_test_init)
55 {
56 /*
57 * These locks get freed in platform specific ways that may occur after we
58 * do mem leak checking. If we don't know how to free it for a particular
59 * platform then we just leak it deliberately.
60 */
61 self_test_lock = CRYPTO_THREAD_lock_new();
62 return self_test_lock != NULL;
63 }
64
65 /*
66 * Declarations for the DEP entry/exit points.
67 * Ones not required or incorrect need to be undefined or redefined respectively.
68 */
69 #define DEP_INITIAL_STATE FIPS_STATE_INIT
70 #define DEP_INIT_ATTRIBUTE static
71 #define DEP_FINI_ATTRIBUTE static
72
73 static void init(void);
74 static void cleanup(void);
75
76 /*
77 * This is the Default Entry Point (DEP) code.
78 * See FIPS 140-2 IG 9.10
79 */
80 #if defined(_WIN32) || defined(__CYGWIN__)
81 # ifdef __CYGWIN__
82 /* pick DLL_[PROCESS|THREAD]_[ATTACH|DETACH] definitions */
83 # include <windows.h>
84 /*
85 * this has side-effect of _WIN32 getting defined, which otherwise is
86 * mutually exclusive with __CYGWIN__...
87 */
88 # endif
89
90 BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved);
DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpvReserved)91 BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
92 {
93 switch (fdwReason) {
94 case DLL_PROCESS_ATTACH:
95 init();
96 break;
97 case DLL_PROCESS_DETACH:
98 cleanup();
99 break;
100 default:
101 break;
102 }
103 return TRUE;
104 }
105
106 #elif defined(__GNUC__) && !defined(_AIX)
107 # undef DEP_INIT_ATTRIBUTE
108 # undef DEP_FINI_ATTRIBUTE
109 # define DEP_INIT_ATTRIBUTE static __attribute__((constructor))
110 # define DEP_FINI_ATTRIBUTE static __attribute__((destructor))
111
112 #elif defined(__sun)
113 # pragma init(init)
114 # pragma fini(cleanup)
115
116 #elif defined(_AIX) && !defined(__GNUC__)
117 void _init(void);
118 void _cleanup(void);
119 # pragma init(_init)
120 # pragma fini(_cleanup)
_init(void)121 void _init(void)
122 {
123 init();
124 }
_cleanup(void)125 void _cleanup(void)
126 {
127 cleanup();
128 }
129
130 #elif defined(__hpux)
131 # pragma init "init"
132 # pragma fini "cleanup"
133
134 #elif defined(__TANDEM)
135 /* Method automatically called by the NonStop OS when the DLL loads */
__INIT__init(void)136 void __INIT__init(void) {
137 init();
138 }
139
140 /* Method automatically called by the NonStop OS prior to unloading the DLL */
__TERM__cleanup(void)141 void __TERM__cleanup(void) {
142 cleanup();
143 }
144
145 #else
146 /*
147 * This build does not support any kind of DEP.
148 * We force the self-tests to run as part of the FIPS provider initialisation
149 * rather than being triggered by the DEP.
150 */
151 # undef DEP_INIT_ATTRIBUTE
152 # undef DEP_FINI_ATTRIBUTE
153 # undef DEP_INITIAL_STATE
154 # define DEP_INITIAL_STATE FIPS_STATE_SELFTEST
155 #endif
156
157 static TSAN_QUALIFIER int FIPS_state = DEP_INITIAL_STATE;
158
159 #if defined(DEP_INIT_ATTRIBUTE)
init(void)160 DEP_INIT_ATTRIBUTE void init(void)
161 {
162 tsan_store(&FIPS_state, FIPS_STATE_SELFTEST);
163 }
164 #endif
165
166 #if defined(DEP_FINI_ATTRIBUTE)
cleanup(void)167 DEP_FINI_ATTRIBUTE void cleanup(void)
168 {
169 CRYPTO_THREAD_lock_free(self_test_lock);
170 }
171 #endif
172
173 /*
174 * Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
175 * the result matches the expected value.
176 * Return 1 if verified, or 0 if it fails.
177 */
verify_integrity(OSSL_CORE_BIO * bio,OSSL_FUNC_BIO_read_ex_fn read_ex_cb,unsigned char * expected,size_t expected_len,OSSL_LIB_CTX * libctx,OSSL_SELF_TEST * ev,const char * event_type)178 static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
179 unsigned char *expected, size_t expected_len,
180 OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
181 const char *event_type)
182 {
183 int ret = 0, status;
184 unsigned char out[MAX_MD_SIZE];
185 unsigned char buf[INTEGRITY_BUF_SIZE];
186 size_t bytes_read = 0, out_len = 0;
187 EVP_MAC *mac = NULL;
188 EVP_MAC_CTX *ctx = NULL;
189 OSSL_PARAM params[2], *p = params;
190
191 OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
192
193 mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
194 if (mac == NULL)
195 goto err;
196 ctx = EVP_MAC_CTX_new(mac);
197 if (ctx == NULL)
198 goto err;
199
200 *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0);
201 *p = OSSL_PARAM_construct_end();
202
203 if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
204 goto err;
205
206 while (1) {
207 status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
208 if (status != 1)
209 break;
210 if (!EVP_MAC_update(ctx, buf, bytes_read))
211 goto err;
212 }
213 if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
214 goto err;
215
216 OSSL_SELF_TEST_oncorrupt_byte(ev, out);
217 if (expected_len != out_len
218 || memcmp(expected, out, out_len) != 0)
219 goto err;
220 ret = 1;
221 err:
222 OSSL_SELF_TEST_onend(ev, ret);
223 EVP_MAC_CTX_free(ctx);
224 EVP_MAC_free(mac);
225 return ret;
226 }
227
set_fips_state(int state)228 static void set_fips_state(int state)
229 {
230 tsan_store(&FIPS_state, state);
231 }
232
233 /* This API is triggered either on loading of the FIPS module or on demand */
SELF_TEST_post(SELF_TEST_POST_PARAMS * st,int on_demand_test)234 int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
235 {
236 int ok = 0;
237 int kats_already_passed = 0;
238 long checksum_len;
239 OSSL_CORE_BIO *bio_module = NULL, *bio_indicator = NULL;
240 unsigned char *module_checksum = NULL;
241 unsigned char *indicator_checksum = NULL;
242 int loclstate;
243 OSSL_SELF_TEST *ev = NULL;
244
245 if (!RUN_ONCE(&fips_self_test_init, do_fips_self_test_init))
246 return 0;
247
248 loclstate = tsan_load(&FIPS_state);
249
250 if (loclstate == FIPS_STATE_RUNNING) {
251 if (!on_demand_test)
252 return 1;
253 } else if (loclstate != FIPS_STATE_SELFTEST) {
254 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_STATE);
255 return 0;
256 }
257
258 if (!CRYPTO_THREAD_write_lock(self_test_lock))
259 return 0;
260 loclstate = tsan_load(&FIPS_state);
261 if (loclstate == FIPS_STATE_RUNNING) {
262 if (!on_demand_test) {
263 CRYPTO_THREAD_unlock(self_test_lock);
264 return 1;
265 }
266 set_fips_state(FIPS_STATE_SELFTEST);
267 } else if (loclstate != FIPS_STATE_SELFTEST) {
268 CRYPTO_THREAD_unlock(self_test_lock);
269 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_STATE);
270 return 0;
271 }
272
273 if (st == NULL
274 || st->module_checksum_data == NULL) {
275 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
276 goto end;
277 }
278
279 ev = OSSL_SELF_TEST_new(st->cb, st->cb_arg);
280 if (ev == NULL)
281 goto end;
282
283 module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
284 &checksum_len);
285 if (module_checksum == NULL) {
286 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
287 goto end;
288 }
289 bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb");
290
291 /* Always check the integrity of the fips module */
292 if (bio_module == NULL
293 || !verify_integrity(bio_module, st->bio_read_ex_cb,
294 module_checksum, checksum_len, st->libctx,
295 ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
296 ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
297 goto end;
298 }
299
300 /* This will be NULL during installation - so the self test KATS will run */
301 if (st->indicator_data != NULL) {
302 /*
303 * If the kats have already passed indicator is set - then check the
304 * integrity of the indicator.
305 */
306 if (st->indicator_checksum_data == NULL) {
307 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
308 goto end;
309 }
310 indicator_checksum = OPENSSL_hexstr2buf(st->indicator_checksum_data,
311 &checksum_len);
312 if (indicator_checksum == NULL) {
313 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
314 goto end;
315 }
316
317 bio_indicator =
318 (*st->bio_new_buffer_cb)(st->indicator_data,
319 strlen(st->indicator_data));
320 if (bio_indicator == NULL
321 || !verify_integrity(bio_indicator, st->bio_read_ex_cb,
322 indicator_checksum, checksum_len,
323 st->libctx, ev,
324 OSSL_SELF_TEST_TYPE_INSTALL_INTEGRITY)) {
325 ERR_raise(ERR_LIB_PROV, PROV_R_INDICATOR_INTEGRITY_FAILURE);
326 goto end;
327 } else {
328 kats_already_passed = 1;
329 }
330 }
331
332 /*
333 * Only runs the KAT's during installation OR on_demand().
334 * NOTE: If the installation option 'self_test_onload' is chosen then this
335 * path will always be run, since kats_already_passed will always be 0.
336 */
337 if (on_demand_test || kats_already_passed == 0) {
338 if (!SELF_TEST_kats(ev, st->libctx)) {
339 ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
340 goto end;
341 }
342 }
343 ok = 1;
344 end:
345 OSSL_SELF_TEST_free(ev);
346 OPENSSL_free(module_checksum);
347 OPENSSL_free(indicator_checksum);
348
349 if (st != NULL) {
350 (*st->bio_free_cb)(bio_indicator);
351 (*st->bio_free_cb)(bio_module);
352 }
353 if (ok)
354 set_fips_state(FIPS_STATE_RUNNING);
355 else
356 ossl_set_error_state(OSSL_SELF_TEST_TYPE_NONE);
357 CRYPTO_THREAD_unlock(self_test_lock);
358
359 return ok;
360 }
361
SELF_TEST_disable_conditional_error_state(void)362 void SELF_TEST_disable_conditional_error_state(void)
363 {
364 FIPS_conditional_error_check = 0;
365 }
366
ossl_set_error_state(const char * type)367 void ossl_set_error_state(const char *type)
368 {
369 int cond_test = (type != NULL && strcmp(type, OSSL_SELF_TEST_TYPE_PCT) == 0);
370
371 if (!cond_test || (FIPS_conditional_error_check == 1)) {
372 set_fips_state(FIPS_STATE_ERROR);
373 ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE);
374 } else {
375 ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_CONDITIONAL_ERROR);
376 }
377 }
378
ossl_prov_is_running(void)379 int ossl_prov_is_running(void)
380 {
381 int res, loclstate;
382 static TSAN_QUALIFIER unsigned int rate_limit = 0;
383
384 loclstate = tsan_load(&FIPS_state);
385 res = loclstate == FIPS_STATE_RUNNING || loclstate == FIPS_STATE_SELFTEST;
386 if (loclstate == FIPS_STATE_ERROR)
387 if (tsan_counter(&rate_limit) < FIPS_ERROR_REPORTING_RATE_LIMIT)
388 ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_IN_ERROR_STATE);
389 return res;
390 }
391