FIPS: error mode is set from failed self tests and produced a limited number of errors when algorithm accesses are attempted

Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12801)
2025-02-17 14:32:04 +08:00 · 2020-09-10 07:08:57 +10:00 · 2020-09-10 07:08:57 +10:00 · 5736923f12
commit 5736923f12
parent f99d3eedf7
6 changed files with 44 additions and 3 deletions
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@ -2877,6 +2877,8 @@ PROV_R_FAILED_TO_GENERATE_KEY:121:failed to generate key
 PROV_R_FAILED_TO_GET_PARAMETER:103:failed to get parameter
 PROV_R_FAILED_TO_SET_PARAMETER:104:failed to set parameter
 PROV_R_FAILED_TO_SIGN:175:failed to sign
+PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE:224:fips module entering error state
+PROV_R_FIPS_MODULE_IN_ERROR_STATE:225:fips module in error state
 PROV_R_GENERATE_ERROR:191:generate error
 PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE:165:\
 	illegal or unsupported padding mode
--- a/providers/common/include/prov/providercommon.h
+++ b/providers/common/include/prov/providercommon.h
@ -19,4 +19,8 @@ int cipher_capable_aes_cbc_hmac_sha256(void);

 OSSL_FUNC_provider_get_capabilities_fn provider_get_capabilities;

+/* Set the error state if this is a FIPS module */
+void ossl_set_error_state(void);
+
+/* Return true if the module is in a usable condition */
 int ossl_prov_is_running(void);
--- a/providers/common/include/prov/providercommonerr.h
+++ b/providers/common/include/prov/providercommonerr.h
@ -75,6 +75,8 @@ int ERR_load_PROV_strings(void);
 # define PROV_R_FAILED_TO_GET_PARAMETER                   103
 # define PROV_R_FAILED_TO_SET_PARAMETER                   104
 # define PROV_R_FAILED_TO_SIGN                            175
+# define PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE          224
+# define PROV_R_FIPS_MODULE_IN_ERROR_STATE                225
 # define PROV_R_GENERATE_ERROR                            191
 # define PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE       165
 # define PROV_R_INAVLID_UKM_LENGTH                        146
--- a/providers/common/provider_err.c
+++ b/providers/common/provider_err.c
@ -58,6 +58,10 @@ static const ERR_STRING_DATA PROV_str_reasons[] = {
    {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SET_PARAMETER),
    "failed to set parameter"},
    {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SIGN), "failed to sign"},
+    {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE),
+    "fips module entering error state"},
+    {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_IN_ERROR_STATE),
+    "fips module in error state"},
    {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_GENERATE_ERROR), "generate error"},
    {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE),
    "illegal or unsupported padding mode"},
--- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c
@ -32,6 +32,12 @@
 #define FIPS_STATE_RUNNING  2
 #define FIPS_STATE_ERROR    3

+/*
+ * The number of times the module will report it is in the error state
+ * before going quiet.
+ */
+#define FIPS_ERROR_REPORTING_RATE_LIMIT     10
+
 /* The size of a temp buffer used to read in data */
 #define INTEGRITY_BUF_SIZE (4096)
 #define MAX_MD_SIZE 64
@ -302,15 +308,32 @@ end:
        (*st->bio_free_cb)(bio_indicator);
        (*st->bio_free_cb)(bio_module);
    }
-    FIPS_state = ok ? FIPS_STATE_RUNNING : FIPS_STATE_ERROR;
+    if (ok)
+        FIPS_state = FIPS_STATE_RUNNING;
+    else
+        ossl_set_error_state();
    CRYPTO_THREAD_unlock(self_test_lock);

    return ok;
 }

+void ossl_set_error_state(void)
+{
+    FIPS_state = FIPS_STATE_ERROR;
+    ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE);
+}

 int ossl_prov_is_running(void)
 {
-    return FIPS_state == FIPS_STATE_RUNNING
-           || FIPS_state == FIPS_STATE_SELFTEST;
+    const int res = FIPS_state == FIPS_STATE_RUNNING
+                    || FIPS_state == FIPS_STATE_SELFTEST;
+    static unsigned int rate_limit = 0;
+
+    if (res) {
+        rate_limit = 0;
+    } else if (FIPS_state == FIPS_STATE_ERROR) {
+        if (rate_limit++ < FIPS_ERROR_REPORTING_RATE_LIMIT)
+            ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_IN_ERROR_STATE);
+    }
+    return res;
 }
--- a/providers/prov_running.c
+++ b/providers/prov_running.c
@ -10,6 +10,12 @@
 #include <openssl/e_os2.h>
 #include "prov/providercommon.h"

+/* By default, our providers don't have an error state */
+void ossl_set_error_state(void)
+{
+}
+
+/* By default, out providers are always in a happy state */
 int ossl_prov_is_running(void)
 {
    return 1;