1/* Copyright (c) 2017, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#if !defined(_GNU_SOURCE)
16#define _GNU_SOURCE // needed for syscall() on Linux.
17#endif
18
19#include <openssl/crypto.h>
20
21#include <stdlib.h>
22
23#include <openssl/digest.h>
24#include <openssl/hmac.h>
25#include <openssl/sha.h>
26
27#include "../internal.h"
28
29#include "aes/aes.c"
30#include "aes/key_wrap.c"
31#include "aes/mode_wrappers.c"
32#include "bn/add.c"
33#include "bn/asm/x86_64-gcc.c"
34#include "bn/bn.c"
35#include "bn/bytes.c"
36#include "bn/cmp.c"
37#include "bn/ctx.c"
38#include "bn/div.c"
39#include "bn/div_extra.c"
40#include "bn/exponentiation.c"
41#include "bn/gcd.c"
42#include "bn/gcd_extra.c"
43#include "bn/generic.c"
44#include "bn/jacobi.c"
45#include "bn/montgomery.c"
46#include "bn/montgomery_inv.c"
47#include "bn/mul.c"
48#include "bn/prime.c"
49#include "bn/random.c"
50#include "bn/rsaz_exp.c"
51#include "bn/shift.c"
52#include "bn/sqrt.c"
53#include "cipher/aead.c"
54#include "cipher/cipher.c"
55#include "cipher/e_aes.c"
56#include "cipher/e_des.c"
57#include "des/des.c"
58#include "digest/digest.c"
59#include "digest/digests.c"
60#include "ecdh/ecdh.c"
61#include "ecdsa/ecdsa.c"
62#include "ec/ec.c"
63#include "ec/ec_key.c"
64#include "ec/ec_montgomery.c"
65#include "ec/felem.c"
66#include "ec/oct.c"
67#include "ec/p224-64.c"
68#include "../../third_party/fiat/p256.c"
69#include "ec/p256-x86_64.c"
70#include "ec/scalar.c"
71#include "ec/simple.c"
72#include "ec/simple_mul.c"
73#include "ec/util.c"
74#include "ec/wnaf.c"
75#include "hmac/hmac.c"
76#include "md4/md4.c"
77#include "md5/md5.c"
78#include "modes/cbc.c"
79#include "modes/ccm.c"
80#include "modes/cfb.c"
81#include "modes/ctr.c"
82#include "modes/gcm.c"
83#include "modes/ofb.c"
84#include "modes/polyval.c"
85#include "rand/ctrdrbg.c"
86#include "rand/rand.c"
87#include "rand/urandom.c"
88#include "rsa/blinding.c"
89#include "rsa/padding.c"
90#include "rsa/rsa.c"
91#include "rsa/rsa_impl.c"
92#include "self_check/self_check.c"
93#include "sha/sha1-altivec.c"
94#include "sha/sha1.c"
95#include "sha/sha256.c"
96#include "sha/sha512.c"
97#include "tls/kdf.c"
98
99
100#if defined(BORINGSSL_FIPS)
101
102#if !defined(OPENSSL_ASAN)
103// These symbols are filled in by delocate.go (in static builds) or a linker
104// script (in shared builds). They point to the start and end of the module, and
105// the location of the integrity hash, respectively.
106extern const uint8_t BORINGSSL_bcm_text_start[];
107extern const uint8_t BORINGSSL_bcm_text_end[];
108extern const uint8_t BORINGSSL_bcm_text_hash[];
109#if defined(BORINGSSL_SHARED_LIBRARY)
110extern const uint8_t BORINGSSL_bcm_rodata_start[];
111extern const uint8_t BORINGSSL_bcm_rodata_end[];
112#endif
113#endif
114
115static void __attribute__((constructor))
116BORINGSSL_bcm_power_on_self_test(void) {
117 CRYPTO_library_init();
118
119#if !defined(OPENSSL_ASAN)
120 // Integrity tests cannot run under ASAN because it involves reading the full
121 // .text section, which triggers the global-buffer overflow detection.
122 const uint8_t *const start = BORINGSSL_bcm_text_start;
123 const uint8_t *const end = BORINGSSL_bcm_text_end;
124#if defined(BORINGSSL_SHARED_LIBRARY)
125 const uint8_t *const rodata_start = BORINGSSL_bcm_rodata_start;
126 const uint8_t *const rodata_end = BORINGSSL_bcm_rodata_end;
127#endif
128
129 static const uint8_t kHMACKey[64] = {0};
130 uint8_t result[SHA512_DIGEST_LENGTH];
131
132 unsigned result_len;
133 HMAC_CTX hmac_ctx;
134 HMAC_CTX_init(&hmac_ctx);
135 if (!HMAC_Init_ex(&hmac_ctx, kHMACKey, sizeof(kHMACKey), EVP_sha512(),
136 NULL /* no ENGINE */)) {
137 fprintf(stderr, "HMAC_Init_ex failed.\n");
138 goto err;
139 }
140#if defined(BORINGSSL_SHARED_LIBRARY)
141 uint64_t length = end - start;
142 HMAC_Update(&hmac_ctx, (const uint8_t *) &length, sizeof(length));
143 HMAC_Update(&hmac_ctx, start, length);
144
145 length = rodata_end - rodata_start;
146 HMAC_Update(&hmac_ctx, (const uint8_t *) &length, sizeof(length));
147 HMAC_Update(&hmac_ctx, rodata_start, length);
148#else
149 HMAC_Update(&hmac_ctx, start, end - start);
150#endif
151 if (!HMAC_Final(&hmac_ctx, result, &result_len) ||
152 result_len != sizeof(result)) {
153 fprintf(stderr, "HMAC failed.\n");
154 goto err;
155 }
156 HMAC_CTX_cleanup(&hmac_ctx);
157
158 const uint8_t *expected = BORINGSSL_bcm_text_hash;
159
160 if (!check_test(expected, result, sizeof(result), "FIPS integrity test")) {
161 goto err;
162 }
163#endif
164
165 if (!BORINGSSL_self_test()) {
166 goto err;
167 }
168
169 return;
170
171err:
172 BORINGSSL_FIPS_abort();
173}
174
175void BORINGSSL_FIPS_abort(void) {
176 for (;;) {
177 abort();
178 exit(1);
179 }
180}
181
182#endif // BORINGSSL_FIPS
183