1 /* 2 * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <string.h> 11 #include <openssl/evp.h> 12 #include <openssl/params.h> 13 #include <openssl/crypto.h> 14 #include "internal/cryptlib.h" 15 #include <openssl/fipskey.h> 16 #include <openssl/err.h> 17 #include <openssl/proverr.h> 18 #include "e_os.h" 19 #include "prov/providercommon.h" 20 21 /* 22 * We're cheating here. Normally we don't allow RUN_ONCE usage inside the FIPS 23 * module because all such initialisation should be associated with an 24 * individual OSSL_LIB_CTX. That doesn't work with the self test though because 25 * it should be run once regardless of the number of OSSL_LIB_CTXs we have. 26 */ 27 #define ALLOW_RUN_ONCE_IN_FIPS 28 #include "internal/thread_once.h" 29 #include "self_test.h" 30 31 #define FIPS_STATE_INIT 0 32 #define FIPS_STATE_SELFTEST 1 33 #define FIPS_STATE_RUNNING 2 34 #define FIPS_STATE_ERROR 3 35 36 /* 37 * The number of times the module will report it is in the error state 38 * before going quiet. 39 */ 40 #define FIPS_ERROR_REPORTING_RATE_LIMIT 10 41 42 /* The size of a temp buffer used to read in data */ 43 #define INTEGRITY_BUF_SIZE (4096) 44 #define MAX_MD_SIZE 64 45 #define MAC_NAME "HMAC" 46 #define DIGEST_NAME "SHA256" 47 48 static int FIPS_conditional_error_check = 1; 49 static CRYPTO_RWLOCK *self_test_lock = NULL; 50 static CRYPTO_RWLOCK *fips_state_lock = NULL; 51 static unsigned char fixed_key[32] = { FIPS_KEY_ELEMENTS }; 52 53 static CRYPTO_ONCE fips_self_test_init = CRYPTO_ONCE_STATIC_INIT; 54 DEFINE_RUN_ONCE_STATIC(do_fips_self_test_init) 55 { 56 /* 57 * These locks get freed in platform specific ways that may occur after we 58 * do mem leak checking. If we don't know how to free it for a particular 59 * platform then we just leak it deliberately. 60 */ 61 self_test_lock = CRYPTO_THREAD_lock_new(); 62 fips_state_lock = CRYPTO_THREAD_lock_new(); 63 return self_test_lock != NULL; 64 } 65 66 /* 67 * Declarations for the DEP entry/exit points. 68 * Ones not required or incorrect need to be undefined or redefined respectively. 69 */ 70 #define DEP_INITIAL_STATE FIPS_STATE_INIT 71 #define DEP_INIT_ATTRIBUTE static 72 #define DEP_FINI_ATTRIBUTE static 73 74 static void init(void); 75 static void cleanup(void); 76 77 /* 78 * This is the Default Entry Point (DEP) code. 79 * See FIPS 140-2 IG 9.10 80 */ 81 #if defined(_WIN32) || defined(__CYGWIN__) 82 # ifdef __CYGWIN__ 83 /* pick DLL_[PROCESS|THREAD]_[ATTACH|DETACH] definitions */ 84 # include <windows.h> 85 /* 86 * this has side-effect of _WIN32 getting defined, which otherwise is 87 * mutually exclusive with __CYGWIN__... 88 */ 89 # endif 90 91 BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved); 92 BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) 93 { 94 switch (fdwReason) { 95 case DLL_PROCESS_ATTACH: 96 init(); 97 break; 98 case DLL_PROCESS_DETACH: 99 cleanup(); 100 break; 101 default: 102 break; 103 } 104 return TRUE; 105 } 106 107 #elif defined(__GNUC__) && !defined(_AIX) 108 # undef DEP_INIT_ATTRIBUTE 109 # undef DEP_FINI_ATTRIBUTE 110 # define DEP_INIT_ATTRIBUTE static __attribute__((constructor)) 111 # define DEP_FINI_ATTRIBUTE static __attribute__((destructor)) 112 113 #elif defined(__sun) 114 # pragma init(init) 115 # pragma fini(cleanup) 116 117 #elif defined(_AIX) && !defined(__GNUC__) 118 void _init(void); 119 void _cleanup(void); 120 # pragma init(_init) 121 # pragma fini(_cleanup) 122 void _init(void) 123 { 124 init(); 125 } 126 void _cleanup(void) 127 { 128 cleanup(); 129 } 130 131 #elif defined(__hpux) 132 # pragma init "init" 133 # pragma fini "cleanup" 134 135 #elif defined(__TANDEM) 136 /* Method automatically called by the NonStop OS when the DLL loads */ 137 void __INIT__init(void) { 138 init(); 139 } 140 141 /* Method automatically called by the NonStop OS prior to unloading the DLL */ 142 void __TERM__cleanup(void) { 143 cleanup(); 144 } 145 146 #else 147 /* 148 * This build does not support any kind of DEP. 149 * We force the self-tests to run as part of the FIPS provider initialisation 150 * rather than being triggered by the DEP. 151 */ 152 # undef DEP_INIT_ATTRIBUTE 153 # undef DEP_FINI_ATTRIBUTE 154 # undef DEP_INITIAL_STATE 155 # define DEP_INITIAL_STATE FIPS_STATE_SELFTEST 156 #endif 157 158 static int FIPS_state = DEP_INITIAL_STATE; 159 160 #if defined(DEP_INIT_ATTRIBUTE) 161 DEP_INIT_ATTRIBUTE void init(void) 162 { 163 FIPS_state = FIPS_STATE_SELFTEST; 164 } 165 #endif 166 167 #if defined(DEP_FINI_ATTRIBUTE) 168 DEP_FINI_ATTRIBUTE void cleanup(void) 169 { 170 CRYPTO_THREAD_lock_free(self_test_lock); 171 CRYPTO_THREAD_lock_free(fips_state_lock); 172 } 173 #endif 174 175 /* 176 * Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify 177 * the result matches the expected value. 178 * Return 1 if verified, or 0 if it fails. 179 */ 180 static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb, 181 unsigned char *expected, size_t expected_len, 182 OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev, 183 const char *event_type) 184 { 185 int ret = 0, status; 186 unsigned char out[MAX_MD_SIZE]; 187 unsigned char buf[INTEGRITY_BUF_SIZE]; 188 size_t bytes_read = 0, out_len = 0; 189 EVP_MAC *mac = NULL; 190 EVP_MAC_CTX *ctx = NULL; 191 OSSL_PARAM params[2], *p = params; 192 193 OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC); 194 195 mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); 196 if (mac == NULL) 197 goto err; 198 ctx = EVP_MAC_CTX_new(mac); 199 if (ctx == NULL) 200 goto err; 201 202 *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0); 203 *p = OSSL_PARAM_construct_end(); 204 205 if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params)) 206 goto err; 207 208 while (1) { 209 status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read); 210 if (status != 1) 211 break; 212 if (!EVP_MAC_update(ctx, buf, bytes_read)) 213 goto err; 214 } 215 if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out))) 216 goto err; 217 218 OSSL_SELF_TEST_oncorrupt_byte(ev, out); 219 if (expected_len != out_len 220 || memcmp(expected, out, out_len) != 0) 221 goto err; 222 ret = 1; 223 err: 224 OSSL_SELF_TEST_onend(ev, ret); 225 EVP_MAC_CTX_free(ctx); 226 EVP_MAC_free(mac); 227 return ret; 228 } 229 230 static void set_fips_state(int state) 231 { 232 if (ossl_assert(CRYPTO_THREAD_write_lock(fips_state_lock) != 0)) { 233 FIPS_state = state; 234 CRYPTO_THREAD_unlock(fips_state_lock); 235 } 236 } 237 238 /* This API is triggered either on loading of the FIPS module or on demand */ 239 int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) 240 { 241 int ok = 0; 242 int kats_already_passed = 0; 243 long checksum_len; 244 OSSL_CORE_BIO *bio_module = NULL, *bio_indicator = NULL; 245 unsigned char *module_checksum = NULL; 246 unsigned char *indicator_checksum = NULL; 247 int loclstate; 248 OSSL_SELF_TEST *ev = NULL; 249 250 if (!RUN_ONCE(&fips_self_test_init, do_fips_self_test_init)) 251 return 0; 252 253 if (!CRYPTO_THREAD_read_lock(fips_state_lock)) 254 return 0; 255 loclstate = FIPS_state; 256 CRYPTO_THREAD_unlock(fips_state_lock); 257 258 if (loclstate == FIPS_STATE_RUNNING) { 259 if (!on_demand_test) 260 return 1; 261 } else if (loclstate != FIPS_STATE_SELFTEST) { 262 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_STATE); 263 return 0; 264 } 265 266 if (!CRYPTO_THREAD_write_lock(self_test_lock)) 267 return 0; 268 if (!CRYPTO_THREAD_read_lock(fips_state_lock)) { 269 CRYPTO_THREAD_unlock(self_test_lock); 270 return 0; 271 } 272 if (FIPS_state == FIPS_STATE_RUNNING) { 273 CRYPTO_THREAD_unlock(fips_state_lock); 274 if (!on_demand_test) { 275 CRYPTO_THREAD_unlock(self_test_lock); 276 return 1; 277 } 278 set_fips_state(FIPS_STATE_SELFTEST); 279 } else if (FIPS_state != FIPS_STATE_SELFTEST) { 280 CRYPTO_THREAD_unlock(fips_state_lock); 281 CRYPTO_THREAD_unlock(self_test_lock); 282 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_STATE); 283 return 0; 284 } else { 285 CRYPTO_THREAD_unlock(fips_state_lock); 286 } 287 288 if (st == NULL 289 || st->module_checksum_data == NULL) { 290 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA); 291 goto end; 292 } 293 294 ev = OSSL_SELF_TEST_new(st->cb, st->cb_arg); 295 if (ev == NULL) 296 goto end; 297 298 module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, 299 &checksum_len); 300 if (module_checksum == NULL) { 301 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA); 302 goto end; 303 } 304 bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb"); 305 306 /* Always check the integrity of the fips module */ 307 if (bio_module == NULL 308 || !verify_integrity(bio_module, st->bio_read_ex_cb, 309 module_checksum, checksum_len, st->libctx, 310 ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { 311 ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); 312 goto end; 313 } 314 315 /* This will be NULL during installation - so the self test KATS will run */ 316 if (st->indicator_data != NULL) { 317 /* 318 * If the kats have already passed indicator is set - then check the 319 * integrity of the indicator. 320 */ 321 if (st->indicator_checksum_data == NULL) { 322 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA); 323 goto end; 324 } 325 indicator_checksum = OPENSSL_hexstr2buf(st->indicator_checksum_data, 326 &checksum_len); 327 if (indicator_checksum == NULL) { 328 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA); 329 goto end; 330 } 331 332 bio_indicator = 333 (*st->bio_new_buffer_cb)(st->indicator_data, 334 strlen(st->indicator_data)); 335 if (bio_indicator == NULL 336 || !verify_integrity(bio_indicator, st->bio_read_ex_cb, 337 indicator_checksum, checksum_len, 338 st->libctx, ev, 339 OSSL_SELF_TEST_TYPE_INSTALL_INTEGRITY)) { 340 ERR_raise(ERR_LIB_PROV, PROV_R_INDICATOR_INTEGRITY_FAILURE); 341 goto end; 342 } else { 343 kats_already_passed = 1; 344 } 345 } 346 347 /* 348 * Only runs the KAT's during installation OR on_demand(). 349 * NOTE: If the installation option 'self_test_onload' is chosen then this 350 * path will always be run, since kats_already_passed will always be 0. 351 */ 352 if (on_demand_test || kats_already_passed == 0) { 353 if (!SELF_TEST_kats(ev, st->libctx)) { 354 ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE); 355 goto end; 356 } 357 } 358 ok = 1; 359 end: 360 OSSL_SELF_TEST_free(ev); 361 OPENSSL_free(module_checksum); 362 OPENSSL_free(indicator_checksum); 363 364 if (st != NULL) { 365 (*st->bio_free_cb)(bio_indicator); 366 (*st->bio_free_cb)(bio_module); 367 } 368 if (ok) 369 set_fips_state(FIPS_STATE_RUNNING); 370 else 371 ossl_set_error_state(OSSL_SELF_TEST_TYPE_NONE); 372 CRYPTO_THREAD_unlock(self_test_lock); 373 374 return ok; 375 } 376 377 void SELF_TEST_disable_conditional_error_state(void) 378 { 379 FIPS_conditional_error_check = 0; 380 } 381 382 void ossl_set_error_state(const char *type) 383 { 384 int cond_test = (type != NULL && strcmp(type, OSSL_SELF_TEST_TYPE_PCT) == 0); 385 386 if (!cond_test || (FIPS_conditional_error_check == 1)) { 387 set_fips_state(FIPS_STATE_ERROR); 388 ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE); 389 } else { 390 ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_CONDITIONAL_ERROR); 391 } 392 } 393 394 int ossl_prov_is_running(void) 395 { 396 int res; 397 static unsigned int rate_limit = 0; 398 399 if (!CRYPTO_THREAD_read_lock(fips_state_lock)) 400 return 0; 401 res = FIPS_state == FIPS_STATE_RUNNING 402 || FIPS_state == FIPS_STATE_SELFTEST; 403 if (FIPS_state == FIPS_STATE_ERROR) { 404 CRYPTO_THREAD_unlock(fips_state_lock); 405 if (!CRYPTO_THREAD_write_lock(fips_state_lock)) 406 return 0; 407 if (rate_limit++ < FIPS_ERROR_REPORTING_RATE_LIMIT) 408 ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_IN_ERROR_STATE); 409 } 410 CRYPTO_THREAD_unlock(fips_state_lock); 411 return res; 412 } 413