1572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan/* Copyright (c) 2017, Google Inc.
2572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan *
3572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * Permission to use, copy, modify, and/or distribute this software for any
4572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * purpose with or without fee is hereby granted, provided that the above
5572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * copyright notice and this permission notice appear in all copies.
6572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan *
7572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan
159254e681d446a8105bd66f08bae1252d4d89a139Robert Sloan#if !defined(_GNU_SOURCE)
168f860b133896bf655e4342ecefe692d52df81d48Robert Sloan#define _GNU_SOURCE  // needed for syscall() on Linux.
179254e681d446a8105bd66f08bae1252d4d89a139Robert Sloan#endif
189254e681d446a8105bd66f08bae1252d4d89a139Robert Sloan
19572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include <openssl/crypto.h>
20309a31e32558286a3b92c754bd3051b962527c25Robert Sloan
21309a31e32558286a3b92c754bd3051b962527c25Robert Sloan#include <stdlib.h>
22309a31e32558286a3b92c754bd3051b962527c25Robert Sloan
23309a31e32558286a3b92c754bd3051b962527c25Robert Sloan#include <openssl/digest.h>
24572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include <openssl/hmac.h>
258ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include <openssl/sha.h>
26572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan
27572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "../internal.h"
28572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan
29572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "aes/aes.c"
30572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "aes/key_wrap.c"
31572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "aes/mode_wrappers.c"
328ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/add.c"
338ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/asm/x86_64-gcc.c"
348ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/bn.c"
358ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/bytes.c"
368ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/cmp.c"
378ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/ctx.c"
388ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/div.c"
398ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/exponentiation.c"
408ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/gcd.c"
418ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/generic.c"
428ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/jacobi.c"
438ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/montgomery.c"
448ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/montgomery_inv.c"
458ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/mul.c"
468ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/prime.c"
478ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/random.c"
488ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/rsaz_exp.c"
498ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/shift.c"
508ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/sqrt.c"
518ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "cipher/aead.c"
528ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "cipher/cipher.c"
538ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "cipher/e_aes.c"
548ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "cipher/e_des.c"
558ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "des/des.c"
56572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "digest/digest.c"
57572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "digest/digests.c"
588ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "ecdsa/ecdsa.c"
598ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "ec/ec.c"
608ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "ec/ec_key.c"
618ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "ec/ec_montgomery.c"
628ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "ec/oct.c"
638ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "ec/p224-64.c"
64558181089d69085101510906bd46e51ade9e20e9Robert Sloan#include "../../third_party/fiat/p256.c"
658ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "ec/p256-x86_64.c"
668ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "ec/simple.c"
67558181089d69085101510906bd46e51ade9e20e9Robert Sloan#include "ec/util.c"
688ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "ec/wnaf.c"
69572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "hmac/hmac.c"
70572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "md4/md4.c"
71572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "md5/md5.c"
729254e681d446a8105bd66f08bae1252d4d89a139Robert Sloan#include "modes/cbc.c"
739254e681d446a8105bd66f08bae1252d4d89a139Robert Sloan#include "modes/cfb.c"
749254e681d446a8105bd66f08bae1252d4d89a139Robert Sloan#include "modes/ctr.c"
759254e681d446a8105bd66f08bae1252d4d89a139Robert Sloan#include "modes/gcm.c"
769254e681d446a8105bd66f08bae1252d4d89a139Robert Sloan#include "modes/ofb.c"
779254e681d446a8105bd66f08bae1252d4d89a139Robert Sloan#include "modes/polyval.c"
789254e681d446a8105bd66f08bae1252d4d89a139Robert Sloan#include "rand/ctrdrbg.c"
799254e681d446a8105bd66f08bae1252d4d89a139Robert Sloan#include "rand/rand.c"
809254e681d446a8105bd66f08bae1252d4d89a139Robert Sloan#include "rand/urandom.c"
818ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "rsa/blinding.c"
828ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "rsa/padding.c"
838ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "rsa/rsa.c"
848ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "rsa/rsa_impl.c"
85309a31e32558286a3b92c754bd3051b962527c25Robert Sloan#include "self_check/self_check.c"
86572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "sha/sha1-altivec.c"
87572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "sha/sha1.c"
88572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "sha/sha256.c"
89572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "sha/sha512.c"
90978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan#include "tls/kdf.c"
91572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan
92572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan
93978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan#if defined(BORINGSSL_FIPS)
94978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan
95978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan#if !defined(OPENSSL_ASAN)
96978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan// These symbols are filled in by delocate.go. They point to the start and end
97978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan// of the module, and the location of the integrity hash, respectively.
98978112cdf099dece01f92874cc8a8025b2405a59Robert Sloanextern const uint8_t BORINGSSL_bcm_text_start[];
99978112cdf099dece01f92874cc8a8025b2405a59Robert Sloanextern const uint8_t BORINGSSL_bcm_text_end[];
100978112cdf099dece01f92874cc8a8025b2405a59Robert Sloanextern const uint8_t BORINGSSL_bcm_text_hash[];
101978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan#endif
102978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan
103978112cdf099dece01f92874cc8a8025b2405a59Robert Sloanstatic void __attribute__((constructor))
104978112cdf099dece01f92874cc8a8025b2405a59Robert SloanBORINGSSL_bcm_power_on_self_test(void) {
105978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan  CRYPTO_library_init();
106978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan
107978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan#if !defined(OPENSSL_ASAN)
108978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan  // Integrity tests cannot run under ASAN because it involves reading the full
109978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan  // .text section, which triggers the global-buffer overflow detection.
110978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan  const uint8_t *const start = BORINGSSL_bcm_text_start;
111978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan  const uint8_t *const end = BORINGSSL_bcm_text_end;
112978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan
113978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan  static const uint8_t kHMACKey[64] = {0};
114978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan  uint8_t result[SHA512_DIGEST_LENGTH];
115978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan
116978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan  unsigned result_len;
117978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan  if (!HMAC(EVP_sha512(), kHMACKey, sizeof(kHMACKey), start, end - start,
118978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan            result, &result_len) ||
119978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan      result_len != sizeof(result)) {
120978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan    goto err;
121978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan  }
122978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan
123978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan  const uint8_t *expected = BORINGSSL_bcm_text_hash;
124978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan
125978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan  if (!check_test(expected, result, sizeof(result), "FIPS integrity test")) {
126978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan    goto err;
127978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan  }
128978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan#endif
129978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan
130978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan  if (!BORINGSSL_self_test()) {
131978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan    goto err;
132978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan  }
133978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan
134572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan  return;
135572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan
136572a4e2e687520da9e518528d7371b794b1decc0Robert Sloanerr:
1378ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan  BORINGSSL_FIPS_abort();
1388ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan}
1398ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan
1408ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloanvoid BORINGSSL_FIPS_abort(void) {
141572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan  for (;;) {
142572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan    abort();
1438ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan    exit(1);
144572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan  }
145572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan}
146978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan
1478f860b133896bf655e4342ecefe692d52df81d48Robert Sloan#endif  // BORINGSSL_FIPS
148