bcm.c
Go to the documentation of this file.
1 /* Copyright (c) 2017, Google Inc.
2  *
3  * Permission to use, copy, modify, and/or distribute this software for any
4  * purpose with or without fee is hereby granted, provided that the above
5  * copyright notice and this permission notice appear in all copies.
6  *
7  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14 
15 #if !defined(_GNU_SOURCE)
16 #define _GNU_SOURCE // needed for syscall() on Linux.
17 #endif
18 
19 #include <openssl/crypto.h>
20 
21 #include <stdlib.h>
22 #if defined(BORINGSSL_FIPS)
23 #include <sys/mman.h>
24 #include <unistd.h>
25 #endif
26 
27 #include <openssl/digest.h>
28 #include <openssl/hmac.h>
29 #include <openssl/sha.h>
30 
31 #include "../internal.h"
32 
33 #include "aes/aes.c"
34 #include "aes/aes_nohw.c"
35 #include "aes/key_wrap.c"
36 #include "aes/mode_wrappers.c"
37 #include "bn/add.c"
38 #include "bn/asm/x86_64-gcc.c"
39 #include "bn/bn.c"
40 #include "bn/bytes.c"
41 #include "bn/cmp.c"
42 #include "bn/ctx.c"
43 #include "bn/div.c"
44 #include "bn/div_extra.c"
45 #include "bn/exponentiation.c"
46 #include "bn/gcd.c"
47 #include "bn/gcd_extra.c"
48 #include "bn/generic.c"
49 #include "bn/jacobi.c"
50 #include "bn/montgomery.c"
51 #include "bn/montgomery_inv.c"
52 #include "bn/mul.c"
53 #include "bn/prime.c"
54 #include "bn/random.c"
55 #include "bn/rsaz_exp.c"
56 #include "bn/shift.c"
57 #include "bn/sqrt.c"
58 #include "cipher/aead.c"
59 #include "cipher/cipher.c"
60 #include "cipher/e_aes.c"
61 #include "cipher/e_des.c"
62 #include "des/des.c"
63 #include "dh/check.c"
64 #include "dh/dh.c"
65 #include "digest/digest.c"
66 #include "digest/digests.c"
67 #include "ecdh/ecdh.c"
68 #include "ecdsa/ecdsa.c"
69 #include "ec/ec.c"
70 #include "ec/ec_key.c"
71 #include "ec/ec_montgomery.c"
72 #include "ec/felem.c"
73 #include "ec/oct.c"
74 #include "ec/p224-64.c"
75 #include "ec/p256.c"
76 #include "ec/p256-x86_64.c"
77 #include "ec/scalar.c"
78 #include "ec/simple.c"
79 #include "ec/simple_mul.c"
80 #include "ec/util.c"
81 #include "ec/wnaf.c"
82 #include "hmac/hmac.c"
83 #include "md4/md4.c"
84 #include "md5/md5.c"
85 #include "modes/cbc.c"
86 #include "modes/cfb.c"
87 #include "modes/ctr.c"
88 #include "modes/gcm.c"
89 #include "modes/gcm_nohw.c"
90 #include "modes/ofb.c"
91 #include "modes/polyval.c"
92 #include "rand/ctrdrbg.c"
93 #include "rand/fork_detect.c"
94 #include "rand/rand.c"
95 #include "rand/urandom.c"
96 #include "rsa/blinding.c"
97 #include "rsa/padding.c"
98 #include "rsa/rsa.c"
99 #include "rsa/rsa_impl.c"
100 #include "self_check/fips.c"
101 #include "self_check/self_check.c"
102 #include "sha/sha1-altivec.c"
103 #include "sha/sha1.c"
104 #include "sha/sha256.c"
105 #include "sha/sha512.c"
106 #include "tls/kdf.c"
107 
108 
109 #if defined(BORINGSSL_FIPS)
110 
111 #if !defined(OPENSSL_ASAN)
112 
113 // These symbols are filled in by delocate.go (in static builds) or a linker
114 // script (in shared builds). They point to the start and end of the module, and
115 // the location of the integrity hash, respectively.
116 extern const uint8_t BORINGSSL_bcm_text_start[];
117 extern const uint8_t BORINGSSL_bcm_text_end[];
118 extern const uint8_t BORINGSSL_bcm_text_hash[];
119 #if defined(BORINGSSL_SHARED_LIBRARY)
120 extern const uint8_t BORINGSSL_bcm_rodata_start[];
121 extern const uint8_t BORINGSSL_bcm_rodata_end[];
122 #endif
123 
124 // assert_within is used to sanity check that certain symbols are within the
125 // bounds of the integrity check. It checks that start <= symbol < end and
126 // aborts otherwise.
127 static void assert_within(const void *start, const void *symbol,
128  const void *end) {
129  const uintptr_t start_val = (uintptr_t) start;
130  const uintptr_t symbol_val = (uintptr_t) symbol;
131  const uintptr_t end_val = (uintptr_t) end;
132 
133  if (start_val <= symbol_val && symbol_val < end_val) {
134  return;
135  }
136 
137  fprintf(
138  stderr,
139  "FIPS module doesn't span expected symbol. Expected %p <= %p < %p\n",
140  start, symbol, end);
141  BORINGSSL_FIPS_abort();
142 }
143 
144 #if defined(OPENSSL_ANDROID) && defined(OPENSSL_AARCH64)
145 static void BORINGSSL_maybe_set_module_text_permissions(int permission) {
146  // Android may be compiled in execute-only-memory mode, in which case the
147  // .text segment cannot be read. That conflicts with the need for a FIPS
148  // module to hash its own contents, therefore |mprotect| is used to make
149  // the module's .text readable for the duration of the hashing process. In
150  // other build configurations this is a no-op.
151  const uintptr_t page_size = getpagesize();
152  const uintptr_t page_start =
153  ((uintptr_t)BORINGSSL_bcm_text_start) & ~(page_size - 1);
154 
155  if (mprotect((void *)page_start,
156  ((uintptr_t)BORINGSSL_bcm_text_end) - page_start,
157  permission) != 0) {
158  perror("BoringSSL: mprotect");
159  }
160 }
161 #else
162 static void BORINGSSL_maybe_set_module_text_permissions(int permission) {}
163 #endif // !ANDROID
164 
165 #endif // !ASAN
166 
167 static void __attribute__((constructor))
168 BORINGSSL_bcm_power_on_self_test(void) {
169  CRYPTO_library_init();
170 
171 #if !defined(OPENSSL_ASAN)
172  // Integrity tests cannot run under ASAN because it involves reading the full
173  // .text section, which triggers the global-buffer overflow detection.
174  const uint8_t *const start = BORINGSSL_bcm_text_start;
175  const uint8_t *const end = BORINGSSL_bcm_text_end;
176 
177  assert_within(start, AES_encrypt, end);
178  assert_within(start, RSA_sign, end);
179  assert_within(start, RAND_bytes, end);
180  assert_within(start, EC_GROUP_cmp, end);
181  assert_within(start, SHA256_Update, end);
182  assert_within(start, ECDSA_do_verify, end);
183  assert_within(start, EVP_AEAD_CTX_seal, end);
184 
185 #if defined(BORINGSSL_SHARED_LIBRARY)
186  const uint8_t *const rodata_start = BORINGSSL_bcm_rodata_start;
187  const uint8_t *const rodata_end = BORINGSSL_bcm_rodata_end;
188 #else
189  // In the static build, read-only data is placed within the .text segment.
190  const uint8_t *const rodata_start = BORINGSSL_bcm_text_start;
191  const uint8_t *const rodata_end = BORINGSSL_bcm_text_end;
192 #endif
193 
194  assert_within(rodata_start, kPrimes, rodata_end);
195  assert_within(rodata_start, des_skb, rodata_end);
196  assert_within(rodata_start, kP256Params, rodata_end);
197  assert_within(rodata_start, kPKCS1SigPrefixes, rodata_end);
198 
199 #if defined(OPENSSL_AARCH64) || defined(OPENSSL_ANDROID)
200  uint8_t result[SHA256_DIGEST_LENGTH];
201  const EVP_MD *const kHashFunction = EVP_sha256();
202 #else
203  uint8_t result[SHA512_DIGEST_LENGTH];
204  const EVP_MD *const kHashFunction = EVP_sha512();
205 #endif
206 
207  static const uint8_t kHMACKey[64] = {0};
208  unsigned result_len;
209  HMAC_CTX hmac_ctx;
210  HMAC_CTX_init(&hmac_ctx);
211  if (!HMAC_Init_ex(&hmac_ctx, kHMACKey, sizeof(kHMACKey), kHashFunction,
212  NULL /* no ENGINE */)) {
213  fprintf(stderr, "HMAC_Init_ex failed.\n");
214  goto err;
215  }
216 
217  BORINGSSL_maybe_set_module_text_permissions(PROT_READ | PROT_EXEC);
218 #if defined(BORINGSSL_SHARED_LIBRARY)
219  uint64_t length = end - start;
220  HMAC_Update(&hmac_ctx, (const uint8_t *) &length, sizeof(length));
221  HMAC_Update(&hmac_ctx, start, length);
222 
223  length = rodata_end - rodata_start;
224  HMAC_Update(&hmac_ctx, (const uint8_t *) &length, sizeof(length));
225  HMAC_Update(&hmac_ctx, rodata_start, length);
226 #else
227  HMAC_Update(&hmac_ctx, start, end - start);
228 #endif
229  BORINGSSL_maybe_set_module_text_permissions(PROT_EXEC);
230 
231  if (!HMAC_Final(&hmac_ctx, result, &result_len) ||
232  result_len != sizeof(result)) {
233  fprintf(stderr, "HMAC failed.\n");
234  goto err;
235  }
236  HMAC_CTX_cleanup(&hmac_ctx);
237 
238  const uint8_t *expected = BORINGSSL_bcm_text_hash;
239 
240  if (!check_test(expected, result, sizeof(result), "FIPS integrity test")) {
241  goto err;
242  }
243 
244  if (!boringssl_fips_self_test(BORINGSSL_bcm_text_hash, sizeof(result))) {
245  goto err;
246  }
247 #else
248  if (!BORINGSSL_self_test()) {
249  goto err;
250  }
251 #endif // OPENSSL_ASAN
252 
253  return;
254 
255 err:
256  BORINGSSL_FIPS_abort();
257 }
258 
259 void BORINGSSL_FIPS_abort(void) {
260  for (;;) {
261  abort();
262  exit(1);
263  }
264 }
265 
266 #endif // BORINGSSL_FIPS
sha256.c
cmp.c
p224-64.c
digests.c
_gevent_test_main.result
result
Definition: _gevent_test_main.py:96
e_aes.c
RAND_bytes
#define RAND_bytes
Definition: boringssl_prefix_symbols.h:2060
EVP_sha512
const OPENSSL_EXPORT EVP_MD * EVP_sha512(void)
jacobi.c
padding.c
env_md_st
Definition: third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/internal.h:67
CRYPTO_library_init
#define CRYPTO_library_init
Definition: boringssl_prefix_symbols.h:1175
add.c
mode_wrappers.c
mul.c
e_des.c
error_ref_leak.err
err
Definition: error_ref_leak.py:35
kP256Params
static const uint8_t kP256Params[6 *32]
Definition: ec.c:113
simple_mul.c
oct.c
EVP_sha256
const OPENSSL_EXPORT EVP_MD * EVP_sha256(void)
uint8_t
unsigned char uint8_t
Definition: stdint-msvc2008.h:78
exponentiation.c
sqrt.c
ec.c
sha1-altivec.c
python_utils.port_server.stderr
stderr
Definition: port_server.py:51
des_skb
static const uint32_t des_skb[8][64]
Definition: des.c:64
check_test
static int check_test(const void *expected, const void *actual, size_t expected_len, const char *name)
Definition: self_check.c:71
start
static uint64_t start
Definition: benchmark-pound.c:74
aes.c
ec_montgomery.c
bn.c
prime.c
end
char * end
Definition: abseil-cpp/absl/strings/internal/str_format/float_conversion.cc:1008
HMAC_CTX_init
#define HMAC_CTX_init
Definition: boringssl_prefix_symbols.h:1788
EC_GROUP_cmp
#define EC_GROUP_cmp
Definition: boringssl_prefix_symbols.h:1319
x86_64-gcc.c
check.c
montgomery.c
sha.h
rsa_impl.c
urandom.c
kPKCS1SigPrefixes
static const struct pkcs1_sig_prefix kPKCS1SigPrefixes[]
Definition: rsa.c:418
uint64_t
unsigned __int64 uint64_t
Definition: stdint-msvc2008.h:90
EVP_AEAD_CTX_seal
#define EVP_AEAD_CTX_seal
Definition: boringssl_prefix_symbols.h:1454
ofb.c
aead.c
__attribute__
__attribute__(void) start
fork_detect.c
cbc.c
crypto.h
des.c
HMAC_Init_ex
#define HMAC_Init_ex
Definition: boringssl_prefix_symbols.h:1793
felem.c
div_extra.c
shift.c
SHA512_DIGEST_LENGTH
#define SHA512_DIGEST_LENGTH
Definition: sha.h:230
sha512.c
uintptr_t
_W64 unsigned int uintptr_t
Definition: stdint-msvc2008.h:119
ECDSA_do_verify
#define ECDSA_do_verify
Definition: boringssl_prefix_symbols.h:1310
rsa.c
util.c
key_wrap.c
kdf.c
digest.c
gcm.c
AES_encrypt
#define AES_encrypt
Definition: boringssl_prefix_symbols.h:600
p256-x86_64.c
montgomery_inv.c
kPrimes
static const int kPrimes[]
Definition: bn_test.cc:1799
generic.c
digest.h
blinding.c
HMAC_Final
#define HMAC_Final
Definition: boringssl_prefix_symbols.h:1791
dh.c
rsaz_exp.c
polyval.c
hmac_ctx_st
Definition: hmac.h:158
simple.c
SHA256_DIGEST_LENGTH
#define SHA256_DIGEST_LENGTH
Definition: sha.h:155
rand.c
p256.c
scalar.c
md4.c
ecdsa.c
sha1.c
aes_nohw.c
fips.c
gcm_nohw.c
random.c
md5.c
wnaf.c
gcd.c
HMAC_CTX_cleanup
#define HMAC_CTX_cleanup
Definition: boringssl_prefix_symbols.h:1784
RSA_sign
#define RSA_sign
Definition: boringssl_prefix_symbols.h:2136
ctrdrbg.c
cfb.c
ecdh.c
cipher.c
ec_key.c
bytes.c
BORINGSSL_self_test
#define BORINGSSL_self_test
Definition: boringssl_prefix_symbols.h:1006
ctr.c
hmac.c
length
std::size_t length
Definition: abseil-cpp/absl/time/internal/test_util.cc:57
boringssl_fips_self_test
#define boringssl_fips_self_test
Definition: boringssl_prefix_symbols.h:2920
gcd_extra.c
ctx.c
HMAC_Update
#define HMAC_Update
Definition: boringssl_prefix_symbols.h:1794
div.c
hmac.h
self_check.c
SHA256_Update
#define SHA256_Update
Definition: boringssl_prefix_symbols.h:2159

grpc
Author(s):
autogenerated on Thu Mar 13 2025 02:58:36