1 /* Copyright (c) 2017, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #if !defined(_GNU_SOURCE)
16 #define _GNU_SOURCE // needed for syscall() on Linux.
17 #endif
18
19 #include <openssl/crypto.h>
20
21 #include <stdlib.h>
22 #if defined(BORINGSSL_FIPS)
23 #include <sys/mman.h>
24 #include <unistd.h>
25 #endif
26
27 #include <openssl/digest.h>
28 #include <openssl/hmac.h>
29 #include <openssl/sha.h>
30
31 #include "../bcm_support.h"
32 #include "../internal.h"
33 #include "bcm_interface.h"
34
35 // TODO(crbug.com/362530616): When delocate is removed, build these files as
36 // separate compilation units again.
37 #include "aes/aes.cc.inc"
38 #include "aes/aes_nohw.cc.inc"
39 #include "aes/key_wrap.cc.inc"
40 #include "aes/mode_wrappers.cc.inc"
41 #include "bn/add.cc.inc"
42 #include "bn/asm/x86_64-gcc.cc.inc"
43 #include "bn/bn.cc.inc"
44 #include "bn/bytes.cc.inc"
45 #include "bn/cmp.cc.inc"
46 #include "bn/ctx.cc.inc"
47 #include "bn/div.cc.inc"
48 #include "bn/div_extra.cc.inc"
49 #include "bn/exponentiation.cc.inc"
50 #include "bn/gcd.cc.inc"
51 #include "bn/gcd_extra.cc.inc"
52 #include "bn/generic.cc.inc"
53 #include "bn/jacobi.cc.inc"
54 #include "bn/montgomery.cc.inc"
55 #include "bn/montgomery_inv.cc.inc"
56 #include "bn/mul.cc.inc"
57 #include "bn/prime.cc.inc"
58 #include "bn/random.cc.inc"
59 #include "bn/rsaz_exp.cc.inc"
60 #include "bn/shift.cc.inc"
61 #include "bn/sqrt.cc.inc"
62 #include "cipher/aead.cc.inc"
63 #include "cipher/cipher.cc.inc"
64 #include "cipher/e_aes.cc.inc"
65 #include "cipher/e_aesccm.cc.inc"
66 #include "cmac/cmac.cc.inc"
67 #include "dh/check.cc.inc"
68 #include "dh/dh.cc.inc"
69 #include "digest/digest.cc.inc"
70 #include "digest/digests.cc.inc"
71 #include "digestsign/digestsign.cc.inc"
72 #include "ec/ec.cc.inc"
73 #include "ec/ec_key.cc.inc"
74 #include "ec/ec_montgomery.cc.inc"
75 #include "ec/felem.cc.inc"
76 #include "ec/oct.cc.inc"
77 #include "ec/p224-64.cc.inc"
78 #include "ec/p256-nistz.cc.inc"
79 #include "ec/p256.cc.inc"
80 #include "ec/scalar.cc.inc"
81 #include "ec/simple.cc.inc"
82 #include "ec/simple_mul.cc.inc"
83 #include "ec/util.cc.inc"
84 #include "ec/wnaf.cc.inc"
85 #include "ecdh/ecdh.cc.inc"
86 #include "ecdsa/ecdsa.cc.inc"
87 #include "hkdf/hkdf.cc.inc"
88 #include "hmac/hmac.cc.inc"
89 #include "modes/cbc.cc.inc"
90 #include "modes/cfb.cc.inc"
91 #include "modes/ctr.cc.inc"
92 #include "modes/gcm.cc.inc"
93 #include "modes/gcm_nohw.cc.inc"
94 #include "modes/ofb.cc.inc"
95 #include "modes/polyval.cc.inc"
96 #include "rand/ctrdrbg.cc.inc"
97 #include "rand/rand.cc.inc"
98 #include "rsa/blinding.cc.inc"
99 #include "rsa/padding.cc.inc"
100 #include "rsa/rsa.cc.inc"
101 #include "rsa/rsa_impl.cc.inc"
102 #include "self_check/fips.cc.inc"
103 #include "self_check/self_check.cc.inc"
104 #include "service_indicator/service_indicator.cc.inc"
105 #include "sha/sha1.cc.inc"
106 #include "sha/sha256.cc.inc"
107 #include "sha/sha512.cc.inc"
108 #include "tls/kdf.cc.inc"
109
110
111 #if defined(BORINGSSL_FIPS)
112
113 #if !defined(OPENSSL_ASAN)
114
115 // These symbols are filled in by delocate.go (in static builds) or a linker
116 // script (in shared builds). They point to the start and end of the module, and
117 // the location of the integrity hash, respectively.
118 extern const uint8_t BORINGSSL_bcm_text_start[];
119 extern const uint8_t BORINGSSL_bcm_text_end[];
120 extern const uint8_t BORINGSSL_bcm_text_hash[];
121 #if defined(BORINGSSL_SHARED_LIBRARY)
122 extern const uint8_t BORINGSSL_bcm_rodata_start[];
123 extern const uint8_t BORINGSSL_bcm_rodata_end[];
124 #endif
125
126 // assert_within is used to sanity check that certain symbols are within the
127 // bounds of the integrity check. It checks that start <= symbol < end and
128 // aborts otherwise.
assert_within(const void * start,const void * symbol,const void * end)129 static void assert_within(const void *start, const void *symbol,
130 const void *end) {
131 const uintptr_t start_val = (uintptr_t)start;
132 const uintptr_t symbol_val = (uintptr_t)symbol;
133 const uintptr_t end_val = (uintptr_t)end;
134
135 if (start_val <= symbol_val && symbol_val < end_val) {
136 return;
137 }
138
139 fprintf(CRYPTO_get_stderr(),
140 "FIPS module doesn't span expected symbol. Expected %p <= %p < %p\n",
141 start, symbol, end);
142 BORINGSSL_FIPS_abort();
143 }
144
145 #if defined(OPENSSL_ANDROID) && defined(OPENSSL_AARCH64)
BORINGSSL_maybe_set_module_text_permissions(int permission)146 static void BORINGSSL_maybe_set_module_text_permissions(int permission) {
147 // Android may be compiled in execute-only-memory mode, in which case the
148 // .text segment cannot be read. That conflicts with the need for a FIPS
149 // module to hash its own contents, therefore |mprotect| is used to make
150 // the module's .text readable for the duration of the hashing process. In
151 // other build configurations this is a no-op.
152 const uintptr_t page_size = getpagesize();
153 const uintptr_t page_start =
154 ((uintptr_t)BORINGSSL_bcm_text_start) & ~(page_size - 1);
155
156 if (mprotect((void *)page_start,
157 ((uintptr_t)BORINGSSL_bcm_text_end) - page_start,
158 permission) != 0) {
159 perror("BoringSSL: mprotect");
160 }
161 }
162 #else
BORINGSSL_maybe_set_module_text_permissions(int permission)163 static void BORINGSSL_maybe_set_module_text_permissions(int permission) {}
164 #endif // !ANDROID
165
166 #endif // !ASAN
167
168 static void __attribute__((constructor))
BORINGSSL_bcm_power_on_self_test(void)169 BORINGSSL_bcm_power_on_self_test(void) {
170 #if !defined(OPENSSL_ASAN)
171 // Integrity tests cannot run under ASAN because it involves reading the full
172 // .text section, which triggers the global-buffer overflow detection.
173 if (!BORINGSSL_integrity_test()) {
174 goto err;
175 }
176 #endif // OPENSSL_ASAN
177
178 if (!boringssl_self_test_startup()) {
179 goto err;
180 }
181
182 return;
183
184 err:
185 BORINGSSL_FIPS_abort();
186 }
187
188 #if !defined(OPENSSL_ASAN)
BORINGSSL_integrity_test(void)189 int BORINGSSL_integrity_test(void) {
190 const uint8_t *const start = BORINGSSL_bcm_text_start;
191 const uint8_t *const end = BORINGSSL_bcm_text_end;
192
193 assert_within(start, reinterpret_cast<const void *>(AES_encrypt), end);
194 assert_within(start, reinterpret_cast<const void *>(RSA_sign), end);
195 assert_within(start, reinterpret_cast<const void *>(BCM_rand_bytes), end);
196 assert_within(start, reinterpret_cast<const void *>(EC_GROUP_cmp), end);
197 assert_within(start, reinterpret_cast<const void *>(BCM_sha256_update), end);
198 assert_within(start, reinterpret_cast<const void *>(ecdsa_verify_fixed), end);
199 assert_within(start, reinterpret_cast<const void *>(EVP_AEAD_CTX_seal), end);
200
201 #if defined(BORINGSSL_SHARED_LIBRARY)
202 const uint8_t *const rodata_start = BORINGSSL_bcm_rodata_start;
203 const uint8_t *const rodata_end = BORINGSSL_bcm_rodata_end;
204 #else
205 // In the static build, read-only data is placed within the .text segment.
206 const uint8_t *const rodata_start = BORINGSSL_bcm_text_start;
207 const uint8_t *const rodata_end = BORINGSSL_bcm_text_end;
208 #endif
209
210 assert_within(rodata_start, kPrimes, rodata_end);
211 assert_within(rodata_start, kP256Field, rodata_end);
212 assert_within(rodata_start, kPKCS1SigPrefixes, rodata_end);
213
214 uint8_t result[SHA256_DIGEST_LENGTH];
215 const EVP_MD *const kHashFunction = EVP_sha256();
216 if (!boringssl_self_test_sha256() || !boringssl_self_test_hmac_sha256()) {
217 return 0;
218 }
219
220 static const uint8_t kHMACKey[64] = {0};
221 unsigned result_len;
222 HMAC_CTX hmac_ctx;
223 HMAC_CTX_init(&hmac_ctx);
224 if (!HMAC_Init_ex(&hmac_ctx, kHMACKey, sizeof(kHMACKey), kHashFunction,
225 NULL /* no ENGINE */)) {
226 fprintf(CRYPTO_get_stderr(), "HMAC_Init_ex failed.\n");
227 return 0;
228 }
229
230 BORINGSSL_maybe_set_module_text_permissions(PROT_READ | PROT_EXEC);
231 #if defined(BORINGSSL_SHARED_LIBRARY)
232 uint64_t length = end - start;
233 HMAC_Update(&hmac_ctx, (const uint8_t *)&length, sizeof(length));
234 HMAC_Update(&hmac_ctx, start, length);
235
236 length = rodata_end - rodata_start;
237 HMAC_Update(&hmac_ctx, (const uint8_t *)&length, sizeof(length));
238 HMAC_Update(&hmac_ctx, rodata_start, length);
239 #else
240 HMAC_Update(&hmac_ctx, start, end - start);
241 #endif
242 BORINGSSL_maybe_set_module_text_permissions(PROT_EXEC);
243
244 if (!HMAC_Final(&hmac_ctx, result, &result_len) ||
245 result_len != sizeof(result)) {
246 fprintf(CRYPTO_get_stderr(), "HMAC failed.\n");
247 return 0;
248 }
249 HMAC_CTX_cleanse(&hmac_ctx); // FIPS 140-3, AS05.10.
250
251 const uint8_t *expected = BORINGSSL_bcm_text_hash;
252
253 if (!check_test(expected, result, sizeof(result), "FIPS integrity test")) {
254 #if !defined(BORINGSSL_FIPS_BREAK_TESTS)
255 return 0;
256 #endif
257 }
258
259 OPENSSL_cleanse(result, sizeof(result)); // FIPS 140-3, AS05.10.
260 return 1;
261 }
262
FIPS_module_hash(void)263 const uint8_t *FIPS_module_hash(void) { return BORINGSSL_bcm_text_hash; }
264
265 #endif // OPENSSL_ASAN
266
BORINGSSL_FIPS_abort(void)267 void BORINGSSL_FIPS_abort(void) {
268 for (;;) {
269 abort();
270 exit(1);
271 }
272 }
273
274 #endif // BORINGSSL_FIPS
275