1572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan/* Copyright (c) 2017, Google Inc. 2572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * 3572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * Permission to use, copy, modify, and/or distribute this software for any 4572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * purpose with or without fee is hereby granted, provided that the above 5572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * copyright notice and this permission notice appear in all copies. 6572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * 7572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan 159254e681d446a8105bd66f08bae1252d4d89a139Robert Sloan#if !defined(_GNU_SOURCE) 168f860b133896bf655e4342ecefe692d52df81d48Robert Sloan#define _GNU_SOURCE // needed for syscall() on Linux. 179254e681d446a8105bd66f08bae1252d4d89a139Robert Sloan#endif 189254e681d446a8105bd66f08bae1252d4d89a139Robert Sloan 19572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include <openssl/crypto.h> 20309a31e32558286a3b92c754bd3051b962527c25Robert Sloan 21309a31e32558286a3b92c754bd3051b962527c25Robert Sloan#include <stdlib.h> 22309a31e32558286a3b92c754bd3051b962527c25Robert Sloan 23309a31e32558286a3b92c754bd3051b962527c25Robert Sloan#include <openssl/digest.h> 24572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include <openssl/hmac.h> 258ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include <openssl/sha.h> 26572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan 27572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "../internal.h" 28572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan 29572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "aes/aes.c" 30572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "aes/key_wrap.c" 31572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "aes/mode_wrappers.c" 328ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/add.c" 338ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/asm/x86_64-gcc.c" 348ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/bn.c" 358ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/bytes.c" 368ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/cmp.c" 378ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/ctx.c" 388ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/div.c" 398ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/exponentiation.c" 408ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/gcd.c" 418ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/generic.c" 428ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/jacobi.c" 438ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/montgomery.c" 448ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/montgomery_inv.c" 458ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/mul.c" 468ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/prime.c" 478ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/random.c" 488ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/rsaz_exp.c" 498ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/shift.c" 508ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "bn/sqrt.c" 518ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "cipher/aead.c" 528ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "cipher/cipher.c" 538ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "cipher/e_aes.c" 548ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "cipher/e_des.c" 558ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "des/des.c" 56572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "digest/digest.c" 57572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "digest/digests.c" 588ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "ecdsa/ecdsa.c" 598ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "ec/ec.c" 608ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "ec/ec_key.c" 618ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "ec/ec_montgomery.c" 628ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "ec/oct.c" 638ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "ec/p224-64.c" 64558181089d69085101510906bd46e51ade9e20e9Robert Sloan#include "../../third_party/fiat/p256.c" 658ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "ec/p256-x86_64.c" 668ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "ec/simple.c" 67558181089d69085101510906bd46e51ade9e20e9Robert Sloan#include "ec/util.c" 688ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "ec/wnaf.c" 69572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "hmac/hmac.c" 70572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "md4/md4.c" 71572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "md5/md5.c" 729254e681d446a8105bd66f08bae1252d4d89a139Robert Sloan#include "modes/cbc.c" 739254e681d446a8105bd66f08bae1252d4d89a139Robert Sloan#include "modes/cfb.c" 749254e681d446a8105bd66f08bae1252d4d89a139Robert Sloan#include "modes/ctr.c" 759254e681d446a8105bd66f08bae1252d4d89a139Robert Sloan#include "modes/gcm.c" 769254e681d446a8105bd66f08bae1252d4d89a139Robert Sloan#include "modes/ofb.c" 779254e681d446a8105bd66f08bae1252d4d89a139Robert Sloan#include "modes/polyval.c" 789254e681d446a8105bd66f08bae1252d4d89a139Robert Sloan#include "rand/ctrdrbg.c" 799254e681d446a8105bd66f08bae1252d4d89a139Robert Sloan#include "rand/rand.c" 809254e681d446a8105bd66f08bae1252d4d89a139Robert Sloan#include "rand/urandom.c" 818ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "rsa/blinding.c" 828ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "rsa/padding.c" 838ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "rsa/rsa.c" 848ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan#include "rsa/rsa_impl.c" 85309a31e32558286a3b92c754bd3051b962527c25Robert Sloan#include "self_check/self_check.c" 86572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "sha/sha1-altivec.c" 87572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "sha/sha1.c" 88572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "sha/sha256.c" 89572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#include "sha/sha512.c" 90978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan#include "tls/kdf.c" 91572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan 92572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan 93978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan#if defined(BORINGSSL_FIPS) 94978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan 95978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan#if !defined(OPENSSL_ASAN) 96978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan// These symbols are filled in by delocate.go. They point to the start and end 97978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan// of the module, and the location of the integrity hash, respectively. 98978112cdf099dece01f92874cc8a8025b2405a59Robert Sloanextern const uint8_t BORINGSSL_bcm_text_start[]; 99978112cdf099dece01f92874cc8a8025b2405a59Robert Sloanextern const uint8_t BORINGSSL_bcm_text_end[]; 100978112cdf099dece01f92874cc8a8025b2405a59Robert Sloanextern const uint8_t BORINGSSL_bcm_text_hash[]; 101978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan#endif 102978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan 103978112cdf099dece01f92874cc8a8025b2405a59Robert Sloanstatic void __attribute__((constructor)) 104978112cdf099dece01f92874cc8a8025b2405a59Robert SloanBORINGSSL_bcm_power_on_self_test(void) { 105978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan CRYPTO_library_init(); 106978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan 107978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan#if !defined(OPENSSL_ASAN) 108978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan // Integrity tests cannot run under ASAN because it involves reading the full 109978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan // .text section, which triggers the global-buffer overflow detection. 110978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan const uint8_t *const start = BORINGSSL_bcm_text_start; 111978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan const uint8_t *const end = BORINGSSL_bcm_text_end; 112978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan 113978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan static const uint8_t kHMACKey[64] = {0}; 114978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan uint8_t result[SHA512_DIGEST_LENGTH]; 115978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan 116978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan unsigned result_len; 117978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan if (!HMAC(EVP_sha512(), kHMACKey, sizeof(kHMACKey), start, end - start, 118978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan result, &result_len) || 119978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan result_len != sizeof(result)) { 120978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan goto err; 121978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan } 122978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan 123978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan const uint8_t *expected = BORINGSSL_bcm_text_hash; 124978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan 125978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan if (!check_test(expected, result, sizeof(result), "FIPS integrity test")) { 126978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan goto err; 127978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan } 128978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan#endif 129978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan 130978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan if (!BORINGSSL_self_test()) { 131978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan goto err; 132978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan } 133978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan 134572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan return; 135572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan 136572a4e2e687520da9e518528d7371b794b1decc0Robert Sloanerr: 1378ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan BORINGSSL_FIPS_abort(); 1388ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan} 1398ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan 1408ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloanvoid BORINGSSL_FIPS_abort(void) { 141572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan for (;;) { 142572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan abort(); 1438ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan exit(1); 144572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan } 145572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan} 146978112cdf099dece01f92874cc8a8025b2405a59Robert Sloan 1478f860b133896bf655e4342ecefe692d52df81d48Robert Sloan#endif // BORINGSSL_FIPS 148