OWEALs
/
openssl
mirror of git://git.openssl.org/openssl.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523
							/* ====================================================================
 * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 */

#include <openssl/rand.h>
#include <openssl/fips_rand.h>
#include <openssl/err.h>
#include <openssl/bio.h>
#include <openssl/hmac.h>
#include <openssl/rsa.h>
#include <string.h>
#include <limits.h>
#include "fips_locl.h"

#ifdef OPENSSL_FIPS

# include <openssl/fips.h>

# ifndef PATH_MAX
#  define PATH_MAX 1024
# endif

static int fips_selftest_fail;
static int fips_mode;
static const void *fips_rand_check;

static void fips_set_mode(int onoff)
{
    int owning_thread = fips_is_owning_thread();

    if (fips_is_started()) {
        if (!owning_thread)
            fips_w_lock();
        fips_mode = onoff;
        if (!owning_thread)
            fips_w_unlock();
    }
}

static void fips_set_rand_check(const void *rand_check)
{
    int owning_thread = fips_is_owning_thread();

    if (fips_is_started()) {
        if (!owning_thread)
            fips_w_lock();
        fips_rand_check = rand_check;
        if (!owning_thread)
            fips_w_unlock();
    }
}

int FIPS_mode(void)
{
    int ret = 0;
    int owning_thread = fips_is_owning_thread();

    if (fips_is_started()) {
        if (!owning_thread)
            fips_r_lock();
        ret = fips_mode;
        if (!owning_thread)
            fips_r_unlock();
    }
    return ret;
}

const void *FIPS_rand_check(void)
{
    const void *ret = 0;
    int owning_thread = fips_is_owning_thread();

    if (fips_is_started()) {
        if (!owning_thread)
            fips_r_lock();
        ret = fips_rand_check;
        if (!owning_thread)
            fips_r_unlock();
    }
    return ret;
}

int FIPS_selftest_failed(void)
{
    int ret = 0;
    if (fips_is_started()) {
        int owning_thread = fips_is_owning_thread();

        if (!owning_thread)
            fips_r_lock();
        ret = fips_selftest_fail;
        if (!owning_thread)
            fips_r_unlock();
    }
    return ret;
}

/*
 * Selftest failure fatal exit routine. This will be called during *any*
 * cryptographic operation. It has the minimum overhead possible to avoid too
 * big a performance hit.
 */

void FIPS_selftest_check(void)
{
    if (fips_selftest_fail) {
        OpenSSLDie(__FILE__, __LINE__, "FATAL FIPS SELFTEST FAILURE");
    }
}

void fips_set_selftest_fail(void)
{
    fips_selftest_fail = 1;
}

int FIPS_selftest()
{

    return FIPS_selftest_sha1()
        && FIPS_selftest_hmac()
        && FIPS_selftest_aes()
        && FIPS_selftest_des()
        && FIPS_selftest_rsa()
        && FIPS_selftest_dsa();
}

extern const void *FIPS_text_start(), *FIPS_text_end();
extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[];
unsigned char FIPS_signature[20] = { 0 };

static const char FIPS_hmac_key[] = "etaonrishdlcupfm";

unsigned int FIPS_incore_fingerprint(unsigned char *sig, unsigned int len)
{
    const unsigned char *p1 = FIPS_text_start();
    const unsigned char *p2 = FIPS_text_end();
    const unsigned char *p3 = FIPS_rodata_start;
    const unsigned char *p4 = FIPS_rodata_end;
    HMAC_CTX c;

    HMAC_CTX_init(&c);
    HMAC_Init(&c, FIPS_hmac_key, strlen(FIPS_hmac_key), EVP_sha1());

    /* detect overlapping regions */
    if (p1 <= p3 && p2 >= p3)
        p3 = p1, p4 = p2 > p4 ? p2 : p4, p1 = NULL, p2 = NULL;
    else if (p3 <= p1 && p4 >= p1)
        p3 = p3, p4 = p2 > p4 ? p2 : p4, p1 = NULL, p2 = NULL;

    if (p1)
        HMAC_Update(&c, p1, (size_t)p2 - (size_t)p1);

    if (FIPS_signature >= p3 && FIPS_signature < p4) {
        /* "punch" hole */
        HMAC_Update(&c, p3, (size_t)FIPS_signature - (size_t)p3);
        p3 = FIPS_signature + sizeof(FIPS_signature);
        if (p3 < p4)
            HMAC_Update(&c, p3, (size_t)p4 - (size_t)p3);
    } else
        HMAC_Update(&c, p3, (size_t)p4 - (size_t)p3);

    HMAC_Final(&c, sig, &len);
    HMAC_CTX_cleanup(&c);

    return len;
}

int FIPS_check_incore_fingerprint(void)
{
    unsigned char sig[EVP_MAX_MD_SIZE];
    unsigned int len;
# if defined(__sgi) && (defined(__mips) || defined(mips))
    extern int __dso_displacement[];
# else
    extern int OPENSSL_NONPIC_relocated;
# endif

    if (FIPS_text_start() == NULL) {
        FIPSerr(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT,
                FIPS_R_UNSUPPORTED_PLATFORM);
        return 0;
    }

    len = FIPS_incore_fingerprint(sig, sizeof(sig));

    if (len != sizeof(FIPS_signature) ||
        memcmp(FIPS_signature, sig, sizeof(FIPS_signature))) {
        if (FIPS_signature >= FIPS_rodata_start
            && FIPS_signature < FIPS_rodata_end)
            FIPSerr(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT,
                    FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING);
# if defined(__sgi) && (defined(__mips) || defined(mips))
        else if (__dso_displacement != NULL)
# else
        else if (OPENSSL_NONPIC_relocated)
# endif
            FIPSerr(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT,
                    FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED);
        else
            FIPSerr(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT,
                    FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
        return 0;
    }

    return 1;
}

int FIPS_mode_set(int onoff)
{
    int fips_set_owning_thread();
    int fips_clear_owning_thread();
    int ret = 0;

    fips_w_lock();
    fips_set_started();
    fips_set_owning_thread();

    if (onoff) {
        unsigned char buf[48];

        fips_selftest_fail = 0;

        /*
         * Don't go into FIPS mode twice, just so we can do automagic seeding
         */
        if (FIPS_mode()) {
            FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_FIPS_MODE_ALREADY_SET);
            fips_selftest_fail = 1;
            ret = 0;
            goto end;
        }
# ifdef OPENSSL_IA32_SSE2
        if ((OPENSSL_ia32cap & (1 << 25 | 1 << 26)) != (1 << 25 | 1 << 26)) {
            FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_UNSUPPORTED_PLATFORM);
            fips_selftest_fail = 1;
            ret = 0;
            goto end;
        }
# endif

        if (fips_signature_witness() != FIPS_signature) {
            FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_CONTRADICTING_EVIDENCE);
            fips_selftest_fail = 1;
            ret = 0;
            goto end;
        }

        if (!FIPS_check_incore_fingerprint()) {
            fips_selftest_fail = 1;
            ret = 0;
            goto end;
        }

        /* Perform RNG KAT before seeding */
        if (!FIPS_selftest_rng()) {
            fips_selftest_fail = 1;
            ret = 0;
            goto end;
        }

        /* automagically seed PRNG if not already seeded */
        if (!FIPS_rand_status()) {
            if (RAND_bytes(buf, sizeof buf) <= 0) {
                fips_selftest_fail = 1;
                ret = 0;
                goto end;
            }
            FIPS_rand_set_key(buf, 32);
            FIPS_rand_seed(buf + 32, 16);
        }

        /* now switch into FIPS mode */
        fips_set_rand_check(FIPS_rand_method());
        RAND_set_rand_method(FIPS_rand_method());
        if (FIPS_selftest())
            fips_set_mode(1);
        else {
            fips_selftest_fail = 1;
            ret = 0;
            goto end;
        }
        ret = 1;
        goto end;
    }
    fips_set_mode(0);
    fips_selftest_fail = 0;
    ret = 1;
 end:
    fips_clear_owning_thread();
    fips_w_unlock();
    return ret;
}

void fips_w_lock(void)
{
    CRYPTO_w_lock(CRYPTO_LOCK_FIPS);
}

void fips_w_unlock(void)
{
    CRYPTO_w_unlock(CRYPTO_LOCK_FIPS);
}

void fips_r_lock(void)
{
    CRYPTO_r_lock(CRYPTO_LOCK_FIPS);
}

void fips_r_unlock(void)
{
    CRYPTO_r_unlock(CRYPTO_LOCK_FIPS);
}

static int fips_started = 0;
static unsigned long fips_thread = 0;

void fips_set_started(void)
{
    fips_started = 1;
}

int fips_is_started(void)
{
    return fips_started;
}

int fips_is_owning_thread(void)
{
    int ret = 0;

    if (fips_is_started()) {
        CRYPTO_r_lock(CRYPTO_LOCK_FIPS2);
        if (fips_thread != 0 && fips_thread == CRYPTO_thread_id())
            ret = 1;
        CRYPTO_r_unlock(CRYPTO_LOCK_FIPS2);
    }
    return ret;
}

int fips_set_owning_thread(void)
{
    int ret = 0;

    if (fips_is_started()) {
        CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
        if (fips_thread == 0) {
            fips_thread = CRYPTO_thread_id();
            ret = 1;
        }
        CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
    }
    return ret;
}

int fips_clear_owning_thread(void)
{
    int ret = 0;

    if (fips_is_started()) {
        CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
        if (fips_thread == CRYPTO_thread_id()) {
            fips_thread = 0;
            ret = 1;
        }
        CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
    }
    return ret;
}

unsigned char *fips_signature_witness(void)
{
    extern unsigned char FIPS_signature[];
    return FIPS_signature;
}

/*
 * Generalized public key test routine. Signs and verifies the data supplied
 * in tbs using mesage digest md and setting option digest flags md_flags. If
 * the 'kat' parameter is not NULL it will additionally check the signature
 * matches it: a known answer test The string "fail_str" is used for
 * identification purposes in case of failure.
 */

int fips_pkey_signature_test(EVP_PKEY *pkey,
                             const unsigned char *tbs, int tbslen,
                             const unsigned char *kat, unsigned int katlen,
                             const EVP_MD *digest, unsigned int md_flags,
                             const char *fail_str)
{
    int ret = 0;
    unsigned char sigtmp[256], *sig = sigtmp;
    unsigned int siglen;
    EVP_MD_CTX mctx;
    EVP_MD_CTX_init(&mctx);

    if ((pkey->type == EVP_PKEY_RSA)
        && (RSA_size(pkey->pkey.rsa) > sizeof(sigtmp))) {
        sig = OPENSSL_malloc(RSA_size(pkey->pkey.rsa));
        if (!sig) {
            FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, ERR_R_MALLOC_FAILURE);
            return 0;
        }
    }

    if (tbslen == -1)
        tbslen = strlen((char *)tbs);

    if (md_flags)
        M_EVP_MD_CTX_set_flags(&mctx, md_flags);

    if (!EVP_SignInit_ex(&mctx, digest, NULL))
        goto error;
    if (!EVP_SignUpdate(&mctx, tbs, tbslen))
        goto error;
    if (!EVP_SignFinal(&mctx, sig, &siglen, pkey))
        goto error;

    if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen)))
        goto error;

    if (!EVP_VerifyInit_ex(&mctx, digest, NULL))
        goto error;
    if (!EVP_VerifyUpdate(&mctx, tbs, tbslen))
        goto error;
    ret = EVP_VerifyFinal(&mctx, sig, siglen, pkey);

 error:
    if (sig != sigtmp)
        OPENSSL_free(sig);
    EVP_MD_CTX_cleanup(&mctx);
    if (ret != 1) {
        FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, FIPS_R_TEST_FAILURE);
        if (fail_str)
            ERR_add_error_data(2, "Type=", fail_str);
        return 0;
    }
    return 1;
}

/*
 * Generalized symmetric cipher test routine. Encrypt data, verify result
 * against known answer, decrypt and compare with original plaintext.
 */

int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
                     const unsigned char *key,
                     const unsigned char *iv,
                     const unsigned char *plaintext,
                     const unsigned char *ciphertext, int len)
{
    unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE];
    unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE];
    OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE);
    if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0)
        return 0;
    EVP_Cipher(ctx, citmp, plaintext, len);
    if (memcmp(citmp, ciphertext, len))
        return 0;
    if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0)
        return 0;
    EVP_Cipher(ctx, pltmp, citmp, len);
    if (memcmp(pltmp, plaintext, len))
        return 0;
    return 1;
}

# if 0
/*
 * The purpose of this is to ensure the error code exists and the function
 * name is to keep the error checking script quiet
 */
void hash_final(void)
{
    FIPSerr(FIPS_F_HASH_FINAL, FIPS_R_NON_FIPS_METHOD);
}
# endif

#endif