Google Git
Sign in
boringssl/boringssl.git/a8ffaf1bf2ec64cbbb17863ede06ba506b3db8b8^!/.
commit
a8ffaf1bf2ec64cbbb17863ede06ba506b3db8b8
[log]
author
Adam Langley <alangley@gmail.com>
Wed Aug 21 14:27:23 2019 -0700
committer
CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Fri Aug 23 00:20:22 2019 +0000
tree
2f9a14c55f4598de328fb7c6ad6b5d9aecc0eb5e
parent
f350351a9a9f0b11da9d5a2683884e1a1dc2c0fc [diff]
Add self-test suppression flag file for Android FIPS builds.

FIPS IG 9.11 allows for a shared library to skip running self tests if
they have already run successfully for a given module and environment.
This change has Android FIPS builds read and write a flag file in
/dev/boringssl to implement this. The flag file is named after the hash
of the module to ensure specificity.

Change-Id: I5c4e7b6244831746e61c5f78f703b0b4fb0ddd10
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/37204
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>

diff --git a/crypto/fipsmodule/bcm.c b/crypto/fipsmodule/bcm.c
index 7666222..559ade3 100644
--- a/crypto/fipsmodule/bcm.c
+++ b/crypto/fipsmodule/bcm.c

@@ -109,6 +109,8 @@
 extern const uint8_t BORINGSSL_bcm_rodata_start[];
 extern const uint8_t BORINGSSL_bcm_rodata_end[];
 #endif
+#else
+static const uint8_t BORINGSSL_bcm_text_hash[SHA512_DIGEST_LENGTH] = {0};
 #endif
 
 static void __attribute__((constructor))
@@ -161,7 +163,7 @@
   }
 #endif
 
-  if (!BORINGSSL_self_test()) {
+  if (!BORINGSSL_self_test(BORINGSSL_bcm_text_hash)) {
     goto err;
   }
 

diff --git a/crypto/fipsmodule/self_check/self_check.c b/crypto/fipsmodule/self_check/self_check.c
index 1bbefa9..3d47e69 100644
--- a/crypto/fipsmodule/self_check/self_check.c
+++ b/crypto/fipsmodule/self_check/self_check.c

@@ -35,6 +35,15 @@
 // compile this.
 #if !defined(_MSC_VER)
 
+#if defined(BORINGSSL_FIPS) && defined(OPENSSL_ANDROID)
+// FIPS builds on Android will attempt to write flag files to
+// /dev/boringssl/selftest/ named after the module hash. If the flag file
+// exists, it's assumed that self-tests have already passed and thus do not need
+// to be repeated.
+#define BORINGSSL_FIPS_SELF_TEST_FLAG_FILE
+static const char kFlagPrefix[] = "/dev/boringssl/selftest/";
+#endif
+
 static void hexdump(const uint8_t *in, size_t len) {
   for (size_t i = 0; i < len; i++) {
     fprintf(stderr, "%02x", in[i]);
@@ -227,7 +236,30 @@
   return ec_key;
 }
 
-int BORINGSSL_self_test(void) {
+int BORINGSSL_self_test(
+    const uint8_t module_sha512_hash[SHA512_DIGEST_LENGTH]) {
+#if defined(BORINGSSL_FIPS_SELF_TEST_FLAG_FILE)
+  // Test whether the flag file exists.
+  char flag_path[sizeof(kFlagPrefix) + 2*SHA512_DIGEST_LENGTH];
+  memcpy(flag_path, kFlagPrefix, sizeof(kFlagPrefix) - 1);
+  static const char kHexTable[17] = "0123456789abcdef";
+  uint8_t module_hash_sum = 0;
+  for (size_t i = 0; i < SHA512_DIGEST_LENGTH; i++) {
+    module_hash_sum |= module_sha512_hash[i];
+    flag_path[sizeof(kFlagPrefix) - 1 + 2 * i] =
+        kHexTable[module_sha512_hash[i] >> 4];
+    flag_path[sizeof(kFlagPrefix) - 1 + 2 * i + 1] =
+        kHexTable[module_sha512_hash[i] & 15];
+  }
+  flag_path[sizeof(flag_path) - 1] = 0;
+
+  const int flag_path_valid = (module_hash_sum != 0);
+  if (flag_path_valid && access(flag_path, F_OK) == 0) {
+    // Flag file found. Skip self-tests.
+    return 1;
+  }
+#endif // BORINGSSL_FIPS_SELF_TEST_FLAG_FILE
+
   static const uint8_t kAESKey[16] = "BoringCrypto Key";
   static const uint8_t kAESIV[16] = {0};
   static const uint8_t kPlaintext[64] =
@@ -577,6 +609,16 @@
 
   ret = 1;
 
+#if defined(BORINGSSL_FIPS_SELF_TEST_FLAG_FILE)
+  // Tests were successful. Write flag file if requested.
+  if (flag_path_valid) {
+    const int fd = open(flag_path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
+    if (fd >= 0) {
+      close(fd);
+    }
+  }
+#endif  // BORINGSSL_FIPS_SELF_TEST_FLAG_FILE
+
 err:
   EVP_AEAD_CTX_cleanup(&aead_ctx);
   RSA_free(rsa_key);

diff --git a/crypto/self_test.cc b/crypto/self_test.cc
index c20b5de..b0c769d 100644
--- a/crypto/self_test.cc
+++ b/crypto/self_test.cc

@@ -19,6 +19,7 @@
 
 TEST(SelfTests, KAT) {
 #if !defined(_MSC_VER)
-  EXPECT_TRUE(BORINGSSL_self_test());
+  const uint8_t zero_hash[SHA512_DIGEST_LENGTH] = {0};
+  EXPECT_TRUE(BORINGSSL_self_test(zero_hash));
 #endif
 }

diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h
index d35cf71..b9d8449 100644
--- a/include/openssl/crypto.h
+++ b/include/openssl/crypto.h

@@ -16,6 +16,7 @@
 #define OPENSSL_HEADER_CRYPTO_H
 
 #include <openssl/base.h>
+#include <openssl/sha.h>
 
 // Upstream OpenSSL defines |OPENSSL_malloc|, etc., in crypto.h rather than
 // mem.h.
@@ -58,9 +59,13 @@
 // which case it returns one.
 OPENSSL_EXPORT int FIPS_mode(void);
 
-// BORINGSSL_self_test triggers the FIPS KAT-based self tests. It returns one
-// on success and zero on error.
-OPENSSL_EXPORT int BORINGSSL_self_test(void);
+// BORINGSSL_self_test triggers the FIPS KAT-based self tests. It returns one on
+// success and zero on error. The argument is the integrity hash of the FIPS
+// module and may be used to check and write flag files to suppress duplicate
+// self-tests. If it is all zeros, no flag file will be checked nor written and
+// tests will always be run.
+OPENSSL_EXPORT int BORINGSSL_self_test(
+    const uint8_t module_sha512_hash[SHA512_DIGEST_LENGTH]);
 
 
 // Deprecated functions.