int _gnutls_fips_perform_self_checks1(void) { int ret; _gnutls_switch_lib_state(LIB_STATE_SELFTEST); /* Tests the FIPS algorithms used by nettle internally. * In our case we test AES-CBC since nettle's AES is used by * the DRBG-AES. */ /* ciphers - one test per cipher */ ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_128_CBC); if (ret < 0) { gnutls_assert(); goto error; } return 0; error: _gnutls_switch_lib_state(LIB_STATE_ERROR); _gnutls_audit_log(NULL, "FIPS140-2 self testing part1 failed\n"); return GNUTLS_E_SELF_TEST_ERROR; }
_CONSTRUCTOR static void lib_init(void) { int ret; ret = gnutls_global_init(); if (ret < 0) { fprintf(stderr, "Error in GnuTLS initialization: %s\n", gnutls_strerror(ret)); _gnutls_switch_lib_state(LIB_STATE_ERROR); } }
static void rnd_func(void *_ctx, unsigned length, uint8_t * data) { if (_gnutls_rnd(GNUTLS_RND_RANDOM, data, length) < 0) { #ifdef ENABLE_FIPS140 _gnutls_switch_lib_state(LIB_STATE_ERROR); #else abort(); #endif } }
static void lib_init(void) { int ret; const char *e; if (_gnutls_global_init_skip() != 0) return; e = secure_getenv("GNUTLS_NO_EXPLICIT_INIT"); if (e != NULL) { ret = atoi(e); if (ret == 1) return; } ret = _gnutls_global_init(1); if (ret < 0) { fprintf(stderr, "Error in GnuTLS initialization: %s\n", gnutls_strerror(ret)); _gnutls_switch_lib_state(LIB_STATE_ERROR); } }
static int _gnutls_global_init(unsigned constructor) { int ret = 0, res; int level; const char* e; if (!constructor) { GNUTLS_STATIC_MUTEX_LOCK(global_init_mutex); } _gnutls_init++; if (_gnutls_init > 1) { if (_gnutls_init == 2 && _gnutls_init_ret == 0) { /* some applications may close the urandom fd * before calling gnutls_global_init(). in that * case reopen it */ ret = _gnutls_rnd_check(); if (ret < 0) { gnutls_assert(); goto out; } } ret = _gnutls_init_ret; goto out; } _gnutls_switch_lib_state(LIB_STATE_INIT); e = secure_getenv("GNUTLS_DEBUG_LEVEL"); if (e != NULL) { level = atoi(e); gnutls_global_set_log_level(level); if (_gnutls_log_func == NULL) gnutls_global_set_log_function(default_log_func); _gnutls_debug_log("Enabled GnuTLS "VERSION" logging...\n"); } #ifdef HAVE_DCGETTEXT bindtextdomain(PACKAGE, LOCALEDIR); #endif res = gnutls_crypto_init(); if (res != 0) { gnutls_assert(); ret = GNUTLS_E_CRYPTO_INIT_FAILED; goto out; } ret = _gnutls_system_key_init(); if (ret != 0) { gnutls_assert(); } /* initialize ASN.1 parser */ if (asn1_check_version(GNUTLS_MIN_LIBTASN1_VERSION) == NULL) { gnutls_assert(); _gnutls_debug_log ("Checking for libtasn1 failed: %s < %s\n", asn1_check_version(NULL), GNUTLS_MIN_LIBTASN1_VERSION); ret = GNUTLS_E_INCOMPATIBLE_LIBTASN1_LIBRARY; goto out; } _gnutls_pkix1_asn = ASN1_TYPE_EMPTY; res = asn1_array2tree(pkix_asn1_tab, &_gnutls_pkix1_asn, NULL); if (res != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(res); goto out; } res = asn1_array2tree(gnutls_asn1_tab, &_gnutls_gnutls_asn, NULL); if (res != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(res); goto out; } /* Initialize the random generator */ ret = _gnutls_rnd_preinit(); if (ret < 0) { gnutls_assert(); goto out; } /* Initialize the default TLS extensions */ ret = _gnutls_ext_init(); if (ret < 0) { gnutls_assert(); goto out; } ret = gnutls_mutex_init(&_gnutls_file_mutex); if (ret < 0) { gnutls_assert(); goto out; } ret = gnutls_mutex_init(&_gnutls_pkcs11_mutex); if (ret < 0) { gnutls_assert(); goto out; } ret = gnutls_system_global_init(); if (ret < 0) { gnutls_assert(); goto out; } #ifndef _WIN32 ret = _gnutls_register_fork_handler(); if (ret < 0) { gnutls_assert(); goto out; } #endif #ifdef ENABLE_FIPS140 res = _gnutls_fips_mode_enabled(); /* res == 1 -> fips140-2 mode enabled * res == 2 -> only self checks performed - but no failure * res == not in fips140 mode */ if (res != 0) { _gnutls_debug_log("FIPS140-2 mode: %d\n", res); _gnutls_priority_update_fips(); /* first round of self checks, these are done on the * nettle algorithms which are used internally */ ret = _gnutls_fips_perform_self_checks1(); if (res != 2) { if (ret < 0) { gnutls_assert(); goto out; } } } #endif _gnutls_register_accel_crypto(); _gnutls_cryptodev_init(); _gnutls_load_system_priorities(); #ifdef ENABLE_FIPS140 /* These self tests are performed on the overriden algorithms * (e.g., AESNI overriden AES). They are after _gnutls_register_accel_crypto() * intentionally */ if (res != 0) { ret = _gnutls_fips_perform_self_checks2(); if (res != 2) { if (ret < 0) { gnutls_assert(); goto out; } } _gnutls_fips_mode_reset_zombie(); } #endif _gnutls_switch_lib_state(LIB_STATE_OPERATIONAL); ret = 0; out: _gnutls_init_ret = ret; if (!constructor) { GNUTLS_STATIC_MUTEX_UNLOCK(global_init_mutex); } return ret; }
/** * gnutls_global_init: * * This function performs any required precalculations, detects * the supported CPU capabilities and initializes the underlying * cryptographic backend. In order to free any resources * taken by this call you should gnutls_global_deinit() * when gnutls usage is no longer needed. * * This function increments a global counter, so that * gnutls_global_deinit() only releases resources when it has been * called as many times as gnutls_global_init(). This is useful when * GnuTLS is used by more than one library in an application. This * function can be called many times, but will only do something the * first time. * * Since GnuTLS 3.3.0 this function is only required in systems that * do not support library constructors and static linking. This * function also became thread safe. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, * otherwise a negative error code is returned. **/ int gnutls_global_init(void) { int ret = 0, res; int level; const char* e; GNUTLS_STATIC_MUTEX_LOCK(global_init_mutex); _gnutls_init++; if (_gnutls_init > 1) { ret = 0; goto out; } _gnutls_switch_lib_state(LIB_STATE_INIT); e = getenv("GNUTLS_DEBUG_LEVEL"); if (e != NULL) { level = atoi(e); gnutls_global_set_log_level(level); if (_gnutls_log_func == NULL) gnutls_global_set_log_function(default_log_func); _gnutls_debug_log("Enabled GnuTLS logging...\n"); } bindtextdomain(PACKAGE, LOCALEDIR); res = gnutls_crypto_init(); if (res != 0) { gnutls_assert(); ret = GNUTLS_E_CRYPTO_INIT_FAILED; goto out; } /* initialize ASN.1 parser */ if (asn1_check_version(GNUTLS_MIN_LIBTASN1_VERSION) == NULL) { gnutls_assert(); _gnutls_debug_log ("Checking for libtasn1 failed: %s < %s\n", asn1_check_version(NULL), GNUTLS_MIN_LIBTASN1_VERSION); ret = GNUTLS_E_INCOMPATIBLE_LIBTASN1_LIBRARY; goto out; } res = asn1_array2tree(pkix_asn1_tab, &_gnutls_pkix1_asn, NULL); if (res != ASN1_SUCCESS) { ret = _gnutls_asn2err(res); goto out; } res = asn1_array2tree(gnutls_asn1_tab, &_gnutls_gnutls_asn, NULL); if (res != ASN1_SUCCESS) { ret = _gnutls_asn2err(res); goto out; } /* Initialize the random generator */ ret = _gnutls_rnd_init(); if (ret < 0) { gnutls_assert(); goto out; } /* Initialize the default TLS extensions */ ret = _gnutls_ext_init(); if (ret < 0) { gnutls_assert(); goto out; } ret = gnutls_mutex_init(&_gnutls_file_mutex); if (ret < 0) { gnutls_assert(); goto out; } ret = gnutls_mutex_init(&_gnutls_pkcs11_mutex); if (ret < 0) { gnutls_assert(); goto out; } ret = gnutls_system_global_init(); if (ret < 0) { gnutls_assert(); goto out; } _gnutls_register_accel_crypto(); _gnutls_cryptodev_init(); #ifdef ENABLE_FIPS140 /* Perform FIPS140 checks last, so that all modules * have been loaded */ res = _gnutls_fips_mode_enabled(); /* res == 1 -> fips140-2 mode enabled * res == 2 -> only self checks performed - but no failure * res == not in fips140 mode */ if (res != 0) { _gnutls_priority_update_fips(); ret = _gnutls_fips_perform_self_checks(); if (res != 2) { if (ret < 0) { gnutls_assert(); goto out; } } } #endif _gnutls_switch_lib_state(LIB_STATE_OPERATIONAL); ret = 0; out: GNUTLS_STATIC_MUTEX_UNLOCK(global_init_mutex); return ret; }
/* we don't use additional input */ int drbg_aes_generate(struct drbg_aes_ctx *ctx, unsigned length, uint8_t * dst, unsigned add_size, const uint8_t *add) { uint8_t tmp[AES_BLOCK_SIZE]; uint8_t seed[DRBG_AES_SEED_SIZE]; unsigned left; if (ctx->seeded == 0) return 0; if (add_size > 0) { if (add_size > DRBG_AES_SEED_SIZE) return 0; memcpy(seed, add, add_size); if (add_size != DRBG_AES_SEED_SIZE) memset(&seed[add_size], 0, DRBG_AES_SEED_SIZE - add_size); drbg_aes_update(ctx, seed); } else { memset(seed, 0, DRBG_AES_SEED_SIZE); } /* Throw the first block generated. FIPS 140-2 requirement (see * the continuous random number generator test in 4.9.2) */ if (ctx->prev_block_present == 0) { INCREMENT(sizeof(ctx->v), ctx->v); aes_encrypt(&ctx->key, AES_BLOCK_SIZE, ctx->prev_block, ctx->v); ctx->prev_block_present = 1; } /* Perform the actual encryption */ for (left = length; left >= AES_BLOCK_SIZE; left -= AES_BLOCK_SIZE, dst += AES_BLOCK_SIZE) { INCREMENT(sizeof(ctx->v), ctx->v); aes_encrypt(&ctx->key, AES_BLOCK_SIZE, dst, ctx->v); /* if detected loop */ if (memcmp(dst, ctx->prev_block, AES_BLOCK_SIZE) == 0) { _gnutls_switch_lib_state(LIB_STATE_ERROR); return 0; } memcpy(ctx->prev_block, dst, AES_BLOCK_SIZE); } if (left > 0) { /* partial fill */ INCREMENT(sizeof(ctx->v), ctx->v); aes_encrypt(&ctx->key, AES_BLOCK_SIZE, tmp, ctx->v); /* if detected loop */ if (memcmp(tmp, ctx->prev_block, AES_BLOCK_SIZE) == 0) { _gnutls_switch_lib_state(LIB_STATE_ERROR); return 0; } memcpy(ctx->prev_block, tmp, AES_BLOCK_SIZE); memcpy(dst, tmp, left); } if (ctx->reseed_counter > DRBG_AES_RESEED_TIME) return 0; ctx->reseed_counter++; drbg_aes_update(ctx, seed); return 1; }
void _gnutls_lib_simulate_error(void) { _gnutls_switch_lib_state(LIB_STATE_ERROR); }
int _gnutls_fips_perform_self_checks2(void) { int ret; _gnutls_switch_lib_state(LIB_STATE_SELFTEST); /* Tests the FIPS algorithms */ /* ciphers - one test per cipher */ ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_3DES_CBC); if (ret < 0) { gnutls_assert(); goto error; } ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_GCM); if (ret < 0) { gnutls_assert(); goto error; } /* MAC (includes message digest test) */ ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA1); if (ret < 0) { gnutls_assert(); goto error; } ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA224); if (ret < 0) { gnutls_assert(); goto error; } ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA256); if (ret < 0) { gnutls_assert(); goto error; } ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA384); if (ret < 0) { gnutls_assert(); goto error; } ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA512); if (ret < 0) { gnutls_assert(); goto error; } /* PK */ ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA); if (ret < 0) { gnutls_assert(); goto error; } ret = gnutls_pk_self_test(0, GNUTLS_PK_DSA); if (ret < 0) { gnutls_assert(); goto error; } ret = gnutls_pk_self_test(0, GNUTLS_PK_EC); if (ret < 0) { gnutls_assert(); goto error; } ret = gnutls_pk_self_test(0, GNUTLS_PK_DH); if (ret < 0) { gnutls_assert(); goto error; } if (_gnutls_rnd_ops.self_test == NULL) { gnutls_assert(); goto error; } ret = _gnutls_rnd_ops.self_test(); if (ret < 0) { gnutls_assert(); goto error; } if (_skip_integrity_checks == 0) { ret = check_binary_integrity(GNUTLS_LIBRARY_NAME, "gnutls_global_init"); if (ret == 0) { gnutls_assert(); goto error; } ret = check_binary_integrity(NETTLE_LIBRARY_NAME, "nettle_aes_set_encrypt_key"); if (ret == 0) { gnutls_assert(); goto error; } ret = check_binary_integrity(HOGWEED_LIBRARY_NAME, "nettle_mpz_sizeinbase_256_u"); if (ret == 0) { gnutls_assert(); goto error; } ret = check_binary_integrity(GMP_LIBRARY_NAME, "__gmpz_init"); if (ret == 0) { gnutls_assert(); goto error; } } return 0; error: _gnutls_switch_lib_state(LIB_STATE_ERROR); _gnutls_audit_log(NULL, "FIPS140-2 self testing part 2 failed\n"); return GNUTLS_E_SELF_TEST_ERROR; }
/* Run an HMAC using the key above on the library binary data. * Returns true on success and false on error. */ static unsigned check_binary_integrity(const char* libname, const char* symbol) { int ret; unsigned prev; char mac_file[GNUTLS_PATH_MAX]; char file[GNUTLS_PATH_MAX]; uint8_t hmac[HMAC_SIZE]; uint8_t new_hmac[HMAC_SIZE]; size_t hmac_size; gnutls_datum_t data; ret = get_library_path(libname, symbol, file, sizeof(file)); if (ret < 0) { _gnutls_debug_log("Could not get path for library %s\n", libname); return 0; } _gnutls_debug_log("Loading: %s\n", file); ret = gnutls_load_file(file, &data); if (ret < 0) { _gnutls_debug_log("Could not load: %s\n", file); return gnutls_assert_val(0); } prev = _gnutls_get_lib_state(); _gnutls_switch_lib_state(LIB_STATE_OPERATIONAL); ret = gnutls_hmac_fast(HMAC_ALGO, FIPS_KEY, sizeof(FIPS_KEY)-1, data.data, data.size, new_hmac); _gnutls_switch_lib_state(prev); gnutls_free(data.data); if (ret < 0) return gnutls_assert_val(0); /* now open the .hmac file and compare */ get_hmac_file(mac_file, sizeof(mac_file), file); ret = gnutls_load_file(mac_file, &data); if (ret < 0) { get_hmac_file2(mac_file, sizeof(mac_file), file); ret = gnutls_load_file(mac_file, &data); if (ret < 0) { _gnutls_debug_log("Could not open %s for MAC testing: %s\n", mac_file, gnutls_strerror(ret)); return gnutls_assert_val(0); } } hmac_size = hex_data_size(data.size); ret = gnutls_hex_decode(&data, hmac, &hmac_size); gnutls_free(data.data); if (ret < 0) { _gnutls_debug_log("Could not convert hex data to binary for MAC testing for %s.\n", libname); return gnutls_assert_val(0); } if (hmac_size != sizeof(hmac) || memcmp(hmac, new_hmac, sizeof(hmac)) != 0) { _gnutls_debug_log("Calculated MAC for %s does not match\n", libname); return gnutls_assert_val(0); } _gnutls_debug_log("Successfully verified MAC for %s (%s)\n", mac_file, libname); return 1; }
static int pct_test(gnutls_pk_algorithm_t algo, const gnutls_pk_params_st* params) { int ret; gnutls_datum_t sig = {NULL, 0}; const char const_data[20] = "onetwothreefourfive"; gnutls_datum_t ddata, tmp = {NULL,0}; char* gen_data = NULL; if (algo == GNUTLS_PK_DSA || algo == GNUTLS_PK_EC) { unsigned hash_len; _gnutls_dsa_q_to_hash(algo, params, &hash_len); gen_data = gnutls_malloc(hash_len); gnutls_rnd(GNUTLS_RND_NONCE, gen_data, hash_len); ddata.data = (void*)gen_data; ddata.size = hash_len; } else { ddata.data = (void*)const_data; ddata.size = sizeof(const_data); } switch (algo) { case GNUTLS_PK_RSA: ret = _gnutls_pk_encrypt(algo, &sig, &ddata, params); if (ret < 0) { ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR); goto cleanup; } if (ddata.size == sig.size && memcmp(ddata.data, sig.data, sig.size) == 0) { ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR); gnutls_assert(); goto cleanup; } ret = _gnutls_pk_decrypt(algo, &tmp, &sig, params); if (ret < 0) { ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR); gnutls_assert(); goto cleanup; } if (tmp.size != ddata.size || memcmp(tmp.data, ddata.data, tmp.size) != 0) { ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR); gnutls_assert(); goto cleanup; } free(sig.data); sig.data = NULL; /* Here we don't know the purpose of the key. Check both * signing and encryption. */ case GNUTLS_PK_EC: /* we only do keys for ECDSA */ case GNUTLS_PK_DSA: ret = _gnutls_pk_sign(algo, &sig, &ddata, params); if (ret < 0) { ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR); goto cleanup; } ret = _gnutls_pk_verify(algo, &ddata, &sig, params); if (ret < 0) { ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR); gnutls_assert(); goto cleanup; } break; default: ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM); goto cleanup; } ret = 0; cleanup: if (ret == GNUTLS_E_PK_GENERATION_ERROR) { _gnutls_switch_lib_state(LIB_STATE_ERROR); } gnutls_free(gen_data); gnutls_free(sig.data); gnutls_free(tmp.data); return ret; }