| /* ==================================================================== |
| * Copyright (c) 2003 The OpenSSL Project. All rights reserved. |
| * |
| * Redistribution and use in source and binary forms, with or without |
| * modification, are permitted provided that the following conditions |
| * are met: |
| * |
| * 1. Redistributions of source code must retain the above copyright |
| * notice, this list of conditions and the following disclaimer. |
| * |
| * 2. Redistributions in binary form must reproduce the above copyright |
| * notice, this list of conditions and the following disclaimer in |
| * the documentation and/or other materials provided with the |
| * distribution. |
| * |
| * 3. All advertising materials mentioning features or use of this |
| * software must display the following acknowledgment: |
| * "This product includes software developed by the OpenSSL Project |
| * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
| * |
| * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
| * endorse or promote products derived from this software without |
| * prior written permission. For written permission, please contact |
| * openssl-core@openssl.org. |
| * |
| * 5. Products derived from this software may not be called "OpenSSL" |
| * nor may "OpenSSL" appear in their names without prior written |
| * permission of the OpenSSL Project. |
| * |
| * 6. Redistributions of any form whatsoever must retain the following |
| * acknowledgment: |
| * "This product includes software developed by the OpenSSL Project |
| * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
| * |
| * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
| * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
| * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
| * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
| * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
| * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
| * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
| * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
| * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
| * OF THE POSSIBILITY OF SUCH DAMAGE. |
| * |
| */ |
| |
| |
| #include <openssl/rand.h> |
| #include <openssl/fips_rand.h> |
| #include <openssl/err.h> |
| #include <openssl/bio.h> |
| #include <openssl/hmac.h> |
| #include <openssl/rsa.h> |
| #include <string.h> |
| #include <limits.h> |
| #include "fips_locl.h" |
| |
| #ifdef OPENSSL_FIPS |
| |
| #include <openssl/fips.h> |
| |
| #ifndef PATH_MAX |
| #define PATH_MAX 1024 |
| #endif |
| |
| static int fips_selftest_fail; |
| static int fips_mode; |
| static const void *fips_rand_check; |
| |
| static void fips_set_mode(int onoff) |
| { |
| int owning_thread = fips_is_owning_thread(); |
| |
| if (fips_is_started()) |
| { |
| if (!owning_thread) fips_w_lock(); |
| fips_mode = onoff; |
| if (!owning_thread) fips_w_unlock(); |
| } |
| } |
| |
| static void fips_set_rand_check(const void *rand_check) |
| { |
| int owning_thread = fips_is_owning_thread(); |
| |
| if (fips_is_started()) |
| { |
| if (!owning_thread) fips_w_lock(); |
| fips_rand_check = rand_check; |
| if (!owning_thread) fips_w_unlock(); |
| } |
| } |
| |
| int FIPS_mode(void) |
| { |
| int ret = 0; |
| int owning_thread = fips_is_owning_thread(); |
| |
| if (fips_is_started()) |
| { |
| if (!owning_thread) fips_r_lock(); |
| ret = fips_mode; |
| if (!owning_thread) fips_r_unlock(); |
| } |
| return ret; |
| } |
| |
| const void *FIPS_rand_check(void) |
| { |
| const void *ret = 0; |
| int owning_thread = fips_is_owning_thread(); |
| |
| if (fips_is_started()) |
| { |
| if (!owning_thread) fips_r_lock(); |
| ret = fips_rand_check; |
| if (!owning_thread) fips_r_unlock(); |
| } |
| return ret; |
| } |
| |
| int FIPS_selftest_failed(void) |
| { |
| int ret = 0; |
| if (fips_is_started()) |
| { |
| int owning_thread = fips_is_owning_thread(); |
| |
| if (!owning_thread) fips_r_lock(); |
| ret = fips_selftest_fail; |
| if (!owning_thread) fips_r_unlock(); |
| } |
| return ret; |
| } |
| |
| /* Selftest failure fatal exit routine. This will be called |
| * during *any* cryptographic operation. It has the minimum |
| * overhead possible to avoid too big a performance hit. |
| */ |
| |
| void FIPS_selftest_check(void) |
| { |
| if (fips_selftest_fail) |
| { |
| OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE"); |
| } |
| } |
| |
| void fips_set_selftest_fail(void) |
| { |
| fips_selftest_fail = 1; |
| } |
| |
| int FIPS_selftest() |
| { |
| |
| return FIPS_selftest_sha1() |
| && FIPS_selftest_hmac() |
| && FIPS_selftest_aes() |
| && FIPS_selftest_des() |
| && FIPS_selftest_rsa() |
| && FIPS_selftest_dsa(); |
| } |
| |
| extern const void *FIPS_text_start(), *FIPS_text_end(); |
| extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[]; |
| unsigned char FIPS_signature [20] = { 0 }; |
| static const char FIPS_hmac_key[]="etaonrishdlcupfm"; |
| |
| unsigned int FIPS_incore_fingerprint(unsigned char *sig,unsigned int len) |
| { |
| const unsigned char *p1 = FIPS_text_start(); |
| const unsigned char *p2 = FIPS_text_end(); |
| const unsigned char *p3 = FIPS_rodata_start; |
| const unsigned char *p4 = FIPS_rodata_end; |
| HMAC_CTX c; |
| |
| HMAC_CTX_init(&c); |
| HMAC_Init(&c,FIPS_hmac_key,strlen(FIPS_hmac_key),EVP_sha1()); |
| |
| /* detect overlapping regions */ |
| if (p1<=p3 && p2>=p3) |
| p3=p1, p4=p2>p4?p2:p4, p1=NULL, p2=NULL; |
| else if (p3<=p1 && p4>=p1) |
| p3=p3, p4=p2>p4?p2:p4, p1=NULL, p2=NULL; |
| |
| if (p1) |
| HMAC_Update(&c,p1,(size_t)p2-(size_t)p1); |
| |
| if (FIPS_signature>=p3 && FIPS_signature<p4) |
| { |
| /* "punch" hole */ |
| HMAC_Update(&c,p3,(size_t)FIPS_signature-(size_t)p3); |
| p3 = FIPS_signature+sizeof(FIPS_signature); |
| if (p3<p4) |
| HMAC_Update(&c,p3,(size_t)p4-(size_t)p3); |
| } |
| else |
| HMAC_Update(&c,p3,(size_t)p4-(size_t)p3); |
| |
| HMAC_Final(&c,sig,&len); |
| HMAC_CTX_cleanup(&c); |
| |
| return len; |
| } |
| |
| int FIPS_check_incore_fingerprint(void) |
| { |
| unsigned char sig[EVP_MAX_MD_SIZE]; |
| unsigned int len; |
| #if defined(__sgi) && (defined(__mips) || defined(mips)) |
| extern int __dso_displacement[]; |
| #else |
| extern int OPENSSL_NONPIC_relocated; |
| #endif |
| |
| if (FIPS_text_start()==NULL) |
| { |
| FIPSerr(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT,FIPS_R_UNSUPPORTED_PLATFORM); |
| return 0; |
| } |
| |
| len=FIPS_incore_fingerprint (sig,sizeof(sig)); |
| |
| if (len!=sizeof(FIPS_signature) || |
| memcmp(FIPS_signature,sig,sizeof(FIPS_signature))) |
| { |
| if (FIPS_signature>=FIPS_rodata_start && FIPS_signature<FIPS_rodata_end) |
| FIPSerr(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT,FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING); |
| #if defined(__sgi) && (defined(__mips) || defined(mips)) |
| else if (__dso_displacement!=NULL) |
| #else |
| else if (OPENSSL_NONPIC_relocated) |
| #endif |
| FIPSerr(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT,FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED); |
| else |
| FIPSerr(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); |
| return 0; |
| } |
| |
| return 1; |
| } |
| |
| int FIPS_mode_set(int onoff) |
| { |
| int fips_set_owning_thread(); |
| int fips_clear_owning_thread(); |
| int ret = 0; |
| |
| fips_w_lock(); |
| fips_set_started(); |
| fips_set_owning_thread(); |
| |
| if(onoff) |
| { |
| unsigned char buf[48]; |
| |
| fips_selftest_fail = 0; |
| |
| /* Don't go into FIPS mode twice, just so we can do automagic |
| seeding */ |
| if(FIPS_mode()) |
| { |
| FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FIPS_MODE_ALREADY_SET); |
| fips_selftest_fail = 1; |
| ret = 0; |
| goto end; |
| } |
| |
| #ifdef OPENSSL_IA32_SSE2 |
| if ((OPENSSL_ia32cap & (1<<25|1<<26)) != (1<<25|1<<26)) |
| { |
| FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_UNSUPPORTED_PLATFORM); |
| fips_selftest_fail = 1; |
| ret = 0; |
| goto end; |
| } |
| #endif |
| |
| if(fips_signature_witness() != FIPS_signature) |
| { |
| FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_CONTRADICTING_EVIDENCE); |
| fips_selftest_fail = 1; |
| ret = 0; |
| goto end; |
| } |
| |
| if(!FIPS_check_incore_fingerprint()) |
| { |
| fips_selftest_fail = 1; |
| ret = 0; |
| goto end; |
| } |
| |
| /* Perform RNG KAT before seeding */ |
| if (!FIPS_selftest_rng()) |
| { |
| fips_selftest_fail = 1; |
| ret = 0; |
| goto end; |
| } |
| |
| /* automagically seed PRNG if not already seeded */ |
| if(!FIPS_rand_status()) |
| { |
| if(RAND_bytes(buf,sizeof buf) <= 0) |
| { |
| fips_selftest_fail = 1; |
| ret = 0; |
| goto end; |
| } |
| FIPS_rand_set_key(buf,32); |
| FIPS_rand_seed(buf+32,16); |
| } |
| |
| /* now switch into FIPS mode */ |
| fips_set_rand_check(FIPS_rand_method()); |
| RAND_set_rand_method(FIPS_rand_method()); |
| if(FIPS_selftest()) |
| fips_set_mode(1); |
| else |
| { |
| fips_selftest_fail = 1; |
| ret = 0; |
| goto end; |
| } |
| ret = 1; |
| goto end; |
| } |
| fips_set_mode(0); |
| fips_selftest_fail = 0; |
| ret = 1; |
| end: |
| fips_clear_owning_thread(); |
| fips_w_unlock(); |
| return ret; |
| } |
| |
| void fips_w_lock(void) { CRYPTO_w_lock(CRYPTO_LOCK_FIPS); } |
| void fips_w_unlock(void) { CRYPTO_w_unlock(CRYPTO_LOCK_FIPS); } |
| void fips_r_lock(void) { CRYPTO_r_lock(CRYPTO_LOCK_FIPS); } |
| void fips_r_unlock(void) { CRYPTO_r_unlock(CRYPTO_LOCK_FIPS); } |
| |
| static int fips_started = 0; |
| static unsigned long fips_thread = 0; |
| |
| void fips_set_started(void) |
| { |
| fips_started = 1; |
| } |
| |
| int fips_is_started(void) |
| { |
| return fips_started; |
| } |
| |
| int fips_is_owning_thread(void) |
| { |
| int ret = 0; |
| |
| if (fips_is_started()) |
| { |
| CRYPTO_r_lock(CRYPTO_LOCK_FIPS2); |
| if (fips_thread != 0 && fips_thread == CRYPTO_thread_id()) |
| ret = 1; |
| CRYPTO_r_unlock(CRYPTO_LOCK_FIPS2); |
| } |
| return ret; |
| } |
| |
| int fips_set_owning_thread(void) |
| { |
| int ret = 0; |
| |
| if (fips_is_started()) |
| { |
| CRYPTO_w_lock(CRYPTO_LOCK_FIPS2); |
| if (fips_thread == 0) |
| { |
| fips_thread = CRYPTO_thread_id(); |
| ret = 1; |
| } |
| CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2); |
| } |
| return ret; |
| } |
| |
| int fips_clear_owning_thread(void) |
| { |
| int ret = 0; |
| |
| if (fips_is_started()) |
| { |
| CRYPTO_w_lock(CRYPTO_LOCK_FIPS2); |
| if (fips_thread == CRYPTO_thread_id()) |
| { |
| fips_thread = 0; |
| ret = 1; |
| } |
| CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2); |
| } |
| return ret; |
| } |
| |
| unsigned char *fips_signature_witness(void) |
| { |
| extern unsigned char FIPS_signature[]; |
| return FIPS_signature; |
| } |
| |
| /* Generalized public key test routine. Signs and verifies the data |
| * supplied in tbs using mesage digest md and setting option digest |
| * flags md_flags. If the 'kat' parameter is not NULL it will |
| * additionally check the signature matches it: a known answer test |
| * The string "fail_str" is used for identification purposes in case |
| * of failure. |
| */ |
| |
| int fips_pkey_signature_test(EVP_PKEY *pkey, |
| const unsigned char *tbs, int tbslen, |
| const unsigned char *kat, unsigned int katlen, |
| const EVP_MD *digest, unsigned int md_flags, |
| const char *fail_str) |
| { |
| int ret = 0; |
| unsigned char sigtmp[256], *sig = sigtmp; |
| unsigned int siglen; |
| EVP_MD_CTX mctx; |
| EVP_MD_CTX_init(&mctx); |
| |
| if ((pkey->type == EVP_PKEY_RSA) |
| && (RSA_size(pkey->pkey.rsa) > sizeof(sigtmp))) |
| { |
| sig = OPENSSL_malloc(RSA_size(pkey->pkey.rsa)); |
| if (!sig) |
| { |
| FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST,ERR_R_MALLOC_FAILURE); |
| return 0; |
| } |
| } |
| |
| if (tbslen == -1) |
| tbslen = strlen((char *)tbs); |
| |
| if (md_flags) |
| M_EVP_MD_CTX_set_flags(&mctx, md_flags); |
| |
| if (!EVP_SignInit_ex(&mctx, digest, NULL)) |
| goto error; |
| if (!EVP_SignUpdate(&mctx, tbs, tbslen)) |
| goto error; |
| if (!EVP_SignFinal(&mctx, sig, &siglen, pkey)) |
| goto error; |
| |
| if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen))) |
| goto error; |
| |
| if (!EVP_VerifyInit_ex(&mctx, digest, NULL)) |
| goto error; |
| if (!EVP_VerifyUpdate(&mctx, tbs, tbslen)) |
| goto error; |
| ret = EVP_VerifyFinal(&mctx, sig, siglen, pkey); |
| |
| error: |
| if (sig != sigtmp) |
| OPENSSL_free(sig); |
| EVP_MD_CTX_cleanup(&mctx); |
| if (ret != 1) |
| { |
| FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST,FIPS_R_TEST_FAILURE); |
| if (fail_str) |
| ERR_add_error_data(2, "Type=", fail_str); |
| return 0; |
| } |
| return 1; |
| } |
| |
| /* Generalized symmetric cipher test routine. Encrypt data, verify result |
| * against known answer, decrypt and compare with original plaintext. |
| */ |
| |
| int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, |
| const unsigned char *key, |
| const unsigned char *iv, |
| const unsigned char *plaintext, |
| const unsigned char *ciphertext, |
| int len) |
| { |
| unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE]; |
| unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE]; |
| OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE); |
| if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0) |
| return 0; |
| EVP_Cipher(ctx, citmp, plaintext, len); |
| if (memcmp(citmp, ciphertext, len)) |
| return 0; |
| if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0) |
| return 0; |
| EVP_Cipher(ctx, pltmp, citmp, len); |
| if (memcmp(pltmp, plaintext, len)) |
| return 0; |
| return 1; |
| } |
| |
| #if 0 |
| /* The purpose of this is to ensure the error code exists and the function |
| * name is to keep the error checking script quiet |
| */ |
| void hash_final(void) |
| { |
| FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD); |
| } |
| #endif |
| |
| |
| #endif |