/src/boringssl/crypto/fipsmodule/self_check/self_check.cc.inc
Line | Count | Source (jump to first uncovered line) |
1 | | // Copyright 2017 The BoringSSL Authors |
2 | | // |
3 | | // Licensed under the Apache License, Version 2.0 (the "License"); |
4 | | // you may not use this file except in compliance with the License. |
5 | | // You may obtain a copy of the License at |
6 | | // |
7 | | // https://www.apache.org/licenses/LICENSE-2.0 |
8 | | // |
9 | | // Unless required by applicable law or agreed to in writing, software |
10 | | // distributed under the License is distributed on an "AS IS" BASIS, |
11 | | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
12 | | // See the License for the specific language governing permissions and |
13 | | // limitations under the License. |
14 | | |
15 | | #include <openssl/crypto.h> |
16 | | |
17 | | #include <stdio.h> |
18 | | #include <stdlib.h> |
19 | | |
20 | | #include <openssl/aead.h> |
21 | | #include <openssl/aes.h> |
22 | | #include <openssl/bn.h> |
23 | | #include <openssl/ctrdrbg.h> |
24 | | #include <openssl/dh.h> |
25 | | #include <openssl/digest.h> |
26 | | #include <openssl/ec.h> |
27 | | #include <openssl/ec_key.h> |
28 | | #include <openssl/ecdsa.h> |
29 | | #include <openssl/hkdf.h> |
30 | | #include <openssl/hmac.h> |
31 | | #include <openssl/nid.h> |
32 | | #include <openssl/rsa.h> |
33 | | #include <openssl/sha.h> |
34 | | |
35 | | #include "../../bcm_support.h" |
36 | | #include "../../internal.h" |
37 | | #include "../delocate.h" |
38 | | #include "../dh/internal.h" |
39 | | #include "../ec/internal.h" |
40 | | #include "../ecdsa/internal.h" |
41 | | #include "../rand/internal.h" |
42 | | #include "../rsa/internal.h" |
43 | | #include "../service_indicator/internal.h" |
44 | | #include "../tls/internal.h" |
45 | | |
46 | | |
47 | 0 | static void hexdump(FILE *out, const void *in, size_t len) { |
48 | 0 | const uint8_t *in8 = reinterpret_cast<const uint8_t *>(in); |
49 | 0 | for (size_t i = 0; i < len; i++) { |
50 | 0 | fprintf(out, "%02x", in8[i]); |
51 | 0 | } |
52 | 0 | } |
53 | | |
54 | | int BORINGSSL_check_test(const void *expected, const void *actual, |
55 | 0 | size_t expected_len, const char *name) { |
56 | 0 | if (OPENSSL_memcmp(actual, expected, expected_len) != 0) { |
57 | 0 | FILE *err = CRYPTO_get_stderr(); |
58 | 0 | fprintf(err, "%s failed.\nExpected: ", name); |
59 | 0 | hexdump(err, expected, expected_len); |
60 | 0 | fprintf(err, "\nCalculated: "); |
61 | 0 | hexdump(err, actual, expected_len); |
62 | 0 | fprintf(err, "\n"); |
63 | 0 | fflush(err); |
64 | 0 | return 0; |
65 | 0 | } |
66 | 0 | return 1; |
67 | 0 | } |
68 | | |
69 | | // MSVC wants to put a NUL byte at the end of non-char arrays and so cannot |
70 | | // compile the real logic. |
71 | | #if defined(_MSC_VER) |
72 | | |
73 | | int BORINGSSL_self_test(void) { return 0; } |
74 | | |
75 | | #else |
76 | | |
77 | 0 | static int set_bignum(BIGNUM **out, const uint8_t *in, size_t len) { |
78 | 0 | *out = BN_bin2bn(in, len, NULL); |
79 | 0 | return *out != NULL; |
80 | 0 | } |
81 | | |
82 | 0 | static RSA *self_test_rsa_key(void) { |
83 | 0 | static const uint8_t kN[] = { |
84 | 0 | 0xd3, 0x3a, 0x62, 0x9f, 0x07, 0x77, 0xb0, 0x18, 0xf3, 0xff, 0xfe, 0xcc, |
85 | 0 | 0xc9, 0xa2, 0xc2, 0x3a, 0xa6, 0x1d, 0xd8, 0xf0, 0x26, 0x5b, 0x38, 0x90, |
86 | 0 | 0x17, 0x48, 0x15, 0xce, 0x21, 0xcd, 0xd6, 0x62, 0x99, 0xe2, 0xd7, 0xda, |
87 | 0 | 0x40, 0x80, 0x3c, 0xad, 0x18, 0xb7, 0x26, 0xe9, 0x30, 0x8a, 0x23, 0x3f, |
88 | 0 | 0x68, 0x9a, 0x9c, 0x31, 0x34, 0x91, 0x99, 0x06, 0x11, 0x36, 0xb2, 0x9e, |
89 | 0 | 0x3a, 0xd0, 0xbc, 0xb9, 0x93, 0x4e, 0xb8, 0x72, 0xa1, 0x9f, 0xb6, 0x8c, |
90 | 0 | 0xd5, 0x17, 0x1f, 0x7e, 0xaa, 0x75, 0xbb, 0xdf, 0xa1, 0x70, 0x48, 0xc4, |
91 | 0 | 0xec, 0x9a, 0x51, 0xed, 0x41, 0xc9, 0x74, 0xc0, 0x3e, 0x1e, 0x85, 0x2f, |
92 | 0 | 0xbe, 0x34, 0xc7, 0x65, 0x34, 0x8b, 0x4d, 0x55, 0x4b, 0xe1, 0x45, 0x54, |
93 | 0 | 0x0d, 0x75, 0x7e, 0x89, 0x4d, 0x0c, 0xf6, 0x33, 0xe5, 0xfc, 0xfb, 0x56, |
94 | 0 | 0x1b, 0xf2, 0x39, 0x9d, 0xe0, 0xff, 0x55, 0xcf, 0x02, 0x05, 0xb9, 0x74, |
95 | 0 | 0xd2, 0x91, 0xfc, 0x87, 0xe1, 0xbb, 0x97, 0x2a, 0xe4, 0xdd, 0x20, 0xc0, |
96 | 0 | 0x38, 0x47, 0xc0, 0x76, 0x3f, 0xa1, 0x9b, 0x5c, 0x20, 0xff, 0xff, 0xc7, |
97 | 0 | 0x49, 0x3b, 0x4c, 0xaf, 0x99, 0xa6, 0x3e, 0x82, 0x5c, 0x58, 0x27, 0xce, |
98 | 0 | 0x01, 0x03, 0xc3, 0x16, 0x35, 0x20, 0xe9, 0xf0, 0x15, 0x7a, 0x41, 0xd5, |
99 | 0 | 0x1f, 0x52, 0xea, 0xdf, 0xad, 0x4c, 0xbb, 0x0d, 0xcb, 0x04, 0x91, 0xb0, |
100 | 0 | 0x95, 0xa8, 0xce, 0x25, 0xfd, 0xd2, 0x62, 0x47, 0x77, 0xee, 0x13, 0xf1, |
101 | 0 | 0x48, 0x72, 0x9e, 0xd9, 0x2d, 0xe6, 0x5f, 0xa4, 0xc6, 0x9e, 0x5a, 0xb2, |
102 | 0 | 0xc6, 0xa2, 0xf7, 0x0a, 0x16, 0x17, 0xae, 0x6b, 0x1c, 0x30, 0x7c, 0x63, |
103 | 0 | 0x08, 0x83, 0xe7, 0x43, 0xec, 0x54, 0x5e, 0x2c, 0x08, 0x0b, 0x5e, 0x46, |
104 | 0 | 0xa7, 0x10, 0x93, 0x43, 0x53, 0x4e, 0xe3, 0x16, 0x73, 0x55, 0xce, 0xf2, |
105 | 0 | 0x94, 0xc0, 0xbe, 0xb3, |
106 | 0 | }; |
107 | 0 | static const uint8_t kE[] = {0x01, 0x00, 0x01}; // 65537 |
108 | 0 | static const uint8_t kD[] = { |
109 | 0 | 0x2f, 0x2c, 0x1e, 0xd2, 0x3d, 0x2c, 0xb1, 0x9b, 0x21, 0x02, 0xce, 0xb8, |
110 | 0 | 0x95, 0x5f, 0x4f, 0xd9, 0x21, 0x38, 0x11, 0x36, 0xb0, 0x9a, 0x36, 0xab, |
111 | 0 | 0x97, 0x47, 0x75, 0xf7, 0x2e, 0xfd, 0x75, 0x1f, 0x58, 0x16, 0x9c, 0xf6, |
112 | 0 | 0x14, 0xe9, 0x8e, 0xa3, 0x69, 0x9d, 0x9d, 0x86, 0xfe, 0x5c, 0x1b, 0x3b, |
113 | 0 | 0x11, 0xf5, 0x55, 0x64, 0x77, 0xc4, 0xfc, 0x53, 0xaa, 0x8c, 0x78, 0x9f, |
114 | 0 | 0x75, 0xab, 0x20, 0x3a, 0xa1, 0x77, 0x37, 0x22, 0x02, 0x8e, 0x54, 0x8a, |
115 | 0 | 0x67, 0x1c, 0x5e, 0xe0, 0x3e, 0xd9, 0x44, 0x37, 0xd1, 0x29, 0xee, 0x56, |
116 | 0 | 0x6c, 0x30, 0x9a, 0x93, 0x4d, 0xd9, 0xdb, 0xc5, 0x03, 0x1a, 0x75, 0xcc, |
117 | 0 | 0x0f, 0xc2, 0x61, 0xb5, 0x6c, 0x62, 0x9f, 0xc6, 0xa8, 0xc7, 0x8a, 0x60, |
118 | 0 | 0x17, 0x11, 0x62, 0x4c, 0xef, 0x74, 0x31, 0x97, 0xad, 0x89, 0x2d, 0xe8, |
119 | 0 | 0x31, 0x1d, 0x8b, 0x58, 0x82, 0xe3, 0x03, 0x1a, 0x6b, 0xdf, 0x3f, 0x3e, |
120 | 0 | 0xa4, 0x27, 0x19, 0xef, 0x46, 0x7a, 0x90, 0xdf, 0xa7, 0xe7, 0xc9, 0x66, |
121 | 0 | 0xab, 0x41, 0x1d, 0x65, 0x78, 0x1c, 0x18, 0x40, 0x5c, 0xd6, 0x87, 0xb5, |
122 | 0 | 0xea, 0x29, 0x44, 0xb3, 0xf5, 0xb3, 0xd2, 0x4f, 0xce, 0x88, 0x78, 0x49, |
123 | 0 | 0x27, 0x4e, 0x0b, 0x30, 0x85, 0xfb, 0x73, 0xfd, 0x8b, 0x32, 0x15, 0xee, |
124 | 0 | 0x1f, 0xc9, 0x0e, 0x89, 0xb9, 0x43, 0x2f, 0xe9, 0x60, 0x8d, 0xda, 0xae, |
125 | 0 | 0x2b, 0x30, 0x99, 0xee, 0x88, 0x81, 0x20, 0x7b, 0x4a, 0xc3, 0x18, 0xf2, |
126 | 0 | 0x94, 0x02, 0x79, 0x94, 0xaa, 0x65, 0xd9, 0x1b, 0x45, 0x2a, 0xac, 0x6e, |
127 | 0 | 0x30, 0x48, 0x57, 0xea, 0xbe, 0x79, 0x7d, 0xfc, 0x67, 0xaa, 0x47, 0xc0, |
128 | 0 | 0xf7, 0x52, 0xfd, 0x0b, 0x63, 0x4e, 0x3d, 0x2e, 0xcc, 0x36, 0xa0, 0xdb, |
129 | 0 | 0x92, 0x0b, 0xa9, 0x1b, 0xeb, 0xc2, 0xd5, 0x08, 0xd3, 0x85, 0x87, 0xf8, |
130 | 0 | 0x5d, 0x1a, 0xf6, 0xc1, |
131 | 0 | }; |
132 | 0 | static const uint8_t kP[] = { |
133 | 0 | 0xf7, 0x06, 0xa3, 0x98, 0x8a, 0x52, 0xf8, 0x63, 0x68, 0x27, 0x4f, 0x68, |
134 | 0 | 0x7f, 0x34, 0xec, 0x8e, 0x5d, 0xf8, 0x30, 0x92, 0xb3, 0x62, 0x4c, 0xeb, |
135 | 0 | 0xdb, 0x19, 0x6b, 0x09, 0xc5, 0xa3, 0xf0, 0xbb, 0xff, 0x0f, 0xc2, 0xd4, |
136 | 0 | 0x9b, 0xc9, 0x54, 0x4f, 0xb9, 0xf9, 0xe1, 0x4c, 0xf0, 0xe3, 0x4c, 0x90, |
137 | 0 | 0xda, 0x7a, 0x01, 0xc2, 0x9f, 0xc4, 0xc8, 0x8e, 0xb1, 0x1e, 0x93, 0x75, |
138 | 0 | 0x75, 0xc6, 0x13, 0x25, 0xc3, 0xee, 0x3b, 0xcc, 0xb8, 0x72, 0x6c, 0x49, |
139 | 0 | 0xb0, 0x09, 0xfb, 0xab, 0x44, 0xeb, 0x4d, 0x40, 0xf0, 0x61, 0x6b, 0xe5, |
140 | 0 | 0xe6, 0xfe, 0x3e, 0x0a, 0x77, 0x26, 0x39, 0x76, 0x3d, 0x4c, 0x3e, 0x9b, |
141 | 0 | 0x5b, 0xc0, 0xaf, 0xa2, 0x58, 0x76, 0xb0, 0xe9, 0xda, 0x7f, 0x0e, 0x78, |
142 | 0 | 0xc9, 0x76, 0x49, 0x5c, 0xfa, 0xb3, 0xb0, 0x15, 0x4b, 0x41, 0xc7, 0x27, |
143 | 0 | 0xa4, 0x75, 0x28, 0x5c, 0x30, 0x69, 0x50, 0x29, |
144 | 0 | }; |
145 | 0 | static const uint8_t kQ[] = { |
146 | 0 | 0xda, 0xe6, 0xd2, 0xbb, 0x44, 0xff, 0x4f, 0xdf, 0x57, 0xc1, 0x11, 0xa3, |
147 | 0 | 0x51, 0xba, 0x17, 0x89, 0x4c, 0x01, 0xc0, 0x0c, 0x97, 0x34, 0x50, 0xcf, |
148 | 0 | 0x32, 0x1e, 0xc0, 0xbd, 0x7b, 0x35, 0xb5, 0x6a, 0x26, 0xcc, 0xea, 0x4c, |
149 | 0 | 0x8e, 0x87, 0x4a, 0x67, 0x8b, 0xd3, 0xe5, 0x4f, 0x3a, 0x60, 0x48, 0x59, |
150 | 0 | 0x04, 0x93, 0x39, 0xd7, 0x7c, 0xfb, 0x19, 0x1a, 0x34, 0xd5, 0xe8, 0xaf, |
151 | 0 | 0xe7, 0x22, 0x2c, 0x0d, 0xc2, 0x91, 0x69, 0xb6, 0xe9, 0x2a, 0xe9, 0x1c, |
152 | 0 | 0x4c, 0x6e, 0x8f, 0x40, 0xf5, 0xa8, 0x3e, 0x82, 0x69, 0x69, 0xbe, 0x9f, |
153 | 0 | 0x7d, 0x5c, 0x7f, 0x92, 0x78, 0x17, 0xa3, 0x6d, 0x41, 0x2d, 0x72, 0xed, |
154 | 0 | 0x3f, 0x71, 0xfa, 0x97, 0xb4, 0x63, 0xe4, 0x4f, 0xd9, 0x46, 0x03, 0xfb, |
155 | 0 | 0x00, 0xeb, 0x30, 0x70, 0xb9, 0x51, 0xd9, 0x0a, 0xd2, 0xf8, 0x50, 0xd4, |
156 | 0 | 0xfb, 0x43, 0x84, 0xf8, 0xac, 0x58, 0xc3, 0x7b, |
157 | 0 | }; |
158 | 0 | static const uint8_t kDModPMinusOne[] = { |
159 | 0 | 0xf5, 0x50, 0x8f, 0x88, 0x7d, 0xdd, 0xb5, 0xb4, 0x2a, 0x8b, 0xd7, 0x4d, |
160 | 0 | 0x23, 0xfe, 0xaf, 0xe9, 0x16, 0x22, 0xd2, 0x41, 0xed, 0x88, 0xf2, 0x70, |
161 | 0 | 0xcb, 0x4d, 0xeb, 0xc1, 0x71, 0x97, 0xc4, 0x0b, 0x3e, 0x5a, 0x2d, 0x96, |
162 | 0 | 0xab, 0xfa, 0xfd, 0x12, 0x8b, 0xd3, 0x3e, 0x4e, 0x05, 0x6f, 0x04, 0xeb, |
163 | 0 | 0x59, 0x3c, 0x0e, 0xa1, 0x73, 0xbe, 0x9d, 0x99, 0x2f, 0x05, 0xf9, 0x54, |
164 | 0 | 0x8d, 0x98, 0x1e, 0x0d, 0xc4, 0x0c, 0xc3, 0x30, 0x23, 0xff, 0xe5, 0xd0, |
165 | 0 | 0x2b, 0xd5, 0x4e, 0x2b, 0xa0, 0xae, 0xb8, 0x32, 0x84, 0x45, 0x8b, 0x3c, |
166 | 0 | 0x6d, 0xf0, 0x10, 0x36, 0x9e, 0x6a, 0xc4, 0x67, 0xca, 0xa9, 0xfc, 0x06, |
167 | 0 | 0x96, 0xd0, 0xbc, 0xda, 0xd1, 0x55, 0x55, 0x8d, 0x77, 0x21, 0xf4, 0x82, |
168 | 0 | 0x39, 0x37, 0x91, 0xd5, 0x97, 0x56, 0x78, 0xc8, 0x3c, 0xcb, 0x5e, 0xf6, |
169 | 0 | 0xdc, 0x58, 0x48, 0xb3, 0x7c, 0x94, 0x29, 0x39, |
170 | 0 | }; |
171 | 0 | static const uint8_t kDModQMinusOne[] = { |
172 | 0 | 0x64, 0x65, 0xbd, 0x7d, 0x1a, 0x96, 0x26, 0xa1, 0xfe, 0xf3, 0x94, 0x0d, |
173 | 0 | 0x5d, 0xec, 0x85, 0xe2, 0xf8, 0xb3, 0x4c, 0xcb, 0xf9, 0x85, 0x8b, 0x12, |
174 | 0 | 0x9c, 0xa0, 0x32, 0x32, 0x35, 0x92, 0x5a, 0x94, 0x47, 0x1b, 0x70, 0xd2, |
175 | 0 | 0x90, 0x04, 0x49, 0x01, 0xd8, 0xc5, 0xe4, 0xc4, 0x43, 0xb7, 0xe9, 0x36, |
176 | 0 | 0xba, 0xbc, 0x73, 0xa8, 0xfb, 0xaf, 0x86, 0xc1, 0xd8, 0x3d, 0xcb, 0xac, |
177 | 0 | 0xf1, 0xcb, 0x60, 0x7d, 0x27, 0x21, 0xde, 0x64, 0x7f, 0xe8, 0xa8, 0x65, |
178 | 0 | 0xcc, 0x40, 0x60, 0xff, 0xa0, 0x2b, 0xfc, 0x0f, 0x80, 0x1d, 0x79, 0xca, |
179 | 0 | 0x58, 0x8a, 0xd6, 0x0f, 0xed, 0x78, 0x9a, 0x02, 0x00, 0x04, 0xc2, 0x53, |
180 | 0 | 0x41, 0xe8, 0x1a, 0xd0, 0xfd, 0x71, 0x5b, 0x43, 0xac, 0x19, 0x4a, 0xb6, |
181 | 0 | 0x12, 0xa3, 0xcb, 0xe1, 0xc7, 0x7d, 0x5c, 0x98, 0x74, 0x4e, 0x63, 0x74, |
182 | 0 | 0x6b, 0x91, 0x7a, 0x29, 0x3b, 0x92, 0xb2, 0x85, |
183 | 0 | }; |
184 | 0 | static const uint8_t kQInverseModP[] = { |
185 | 0 | 0xd0, 0xde, 0x19, 0xda, 0x1e, 0xa2, 0xd8, 0x8f, 0x1c, 0x92, 0x73, 0xb0, |
186 | 0 | 0xc9, 0x90, 0xc7, 0xf5, 0xec, 0xc5, 0x89, 0x01, 0x05, 0x78, 0x11, 0x2d, |
187 | 0 | 0x74, 0x34, 0x44, 0xad, 0xd5, 0xf7, 0xa4, 0xfe, 0x9f, 0x25, 0x4d, 0x0b, |
188 | 0 | 0x92, 0xe3, 0xb8, 0x7d, 0xd3, 0xfd, 0xa5, 0xca, 0x95, 0x60, 0xa3, 0xf9, |
189 | 0 | 0x55, 0x42, 0x14, 0xb2, 0x45, 0x51, 0x9f, 0x73, 0x88, 0x43, 0x8a, 0xd1, |
190 | 0 | 0x65, 0x9e, 0xd1, 0xf7, 0x82, 0x2a, 0x2a, 0x8d, 0x70, 0x56, 0xe3, 0xef, |
191 | 0 | 0xc9, 0x0e, 0x2a, 0x2c, 0x15, 0xaf, 0x7f, 0x97, 0x81, 0x66, 0xf3, 0xb5, |
192 | 0 | 0x00, 0xa9, 0x26, 0xcc, 0x1e, 0xc2, 0x98, 0xdd, 0xd3, 0x37, 0x06, 0x79, |
193 | 0 | 0xb3, 0x60, 0x58, 0x79, 0x99, 0x3f, 0xa3, 0x15, 0x1f, 0x31, 0xe3, 0x11, |
194 | 0 | 0x88, 0x4c, 0x35, 0x57, 0xfa, 0x79, 0xd7, 0xd8, 0x72, 0xee, 0x73, 0x95, |
195 | 0 | 0x89, 0x29, 0xc7, 0x05, 0x27, 0x68, 0x90, 0x15, |
196 | 0 | }; |
197 | |
|
198 | 0 | RSA *rsa = RSA_new(); |
199 | 0 | if (rsa == NULL || // |
200 | 0 | !set_bignum(&rsa->n, kN, sizeof(kN)) || |
201 | 0 | !set_bignum(&rsa->e, kE, sizeof(kE)) || |
202 | 0 | !set_bignum(&rsa->d, kD, sizeof(kD)) || |
203 | 0 | !set_bignum(&rsa->p, kP, sizeof(kP)) || |
204 | 0 | !set_bignum(&rsa->q, kQ, sizeof(kQ)) || |
205 | 0 | !set_bignum(&rsa->dmp1, kDModPMinusOne, sizeof(kDModPMinusOne)) || |
206 | 0 | !set_bignum(&rsa->dmq1, kDModQMinusOne, sizeof(kDModQMinusOne)) || |
207 | 0 | !set_bignum(&rsa->iqmp, kQInverseModP, sizeof(kQInverseModP))) { |
208 | 0 | RSA_free(rsa); |
209 | 0 | return NULL; |
210 | 0 | } |
211 | | |
212 | 0 | return rsa; |
213 | 0 | } |
214 | | |
215 | 0 | static EC_KEY *self_test_ecdsa_key(void) { |
216 | 0 | static const uint8_t kQx[] = { |
217 | 0 | 0xc8, 0x15, 0x61, 0xec, 0xf2, 0xe5, 0x4e, 0xde, 0xfe, 0x66, 0x17, |
218 | 0 | 0xdb, 0x1c, 0x7a, 0x34, 0xa7, 0x07, 0x44, 0xdd, 0xb2, 0x61, 0xf2, |
219 | 0 | 0x69, 0xb8, 0x3d, 0xac, 0xfc, 0xd2, 0xad, 0xe5, 0xa6, 0x81, |
220 | 0 | }; |
221 | 0 | static const uint8_t kQy[] = { |
222 | 0 | 0xe0, 0xe2, 0xaf, 0xa3, 0xf9, 0xb6, 0xab, 0xe4, 0xc6, 0x98, 0xef, |
223 | 0 | 0x64, 0x95, 0xf1, 0xbe, 0x49, 0xa3, 0x19, 0x6c, 0x50, 0x56, 0xac, |
224 | 0 | 0xb3, 0x76, 0x3f, 0xe4, 0x50, 0x7e, 0xec, 0x59, 0x6e, 0x88, |
225 | 0 | }; |
226 | 0 | static const uint8_t kD[] = { |
227 | 0 | 0xc6, 0xc1, 0xaa, 0xda, 0x15, 0xb0, 0x76, 0x61, 0xf8, 0x14, 0x2c, |
228 | 0 | 0x6c, 0xaf, 0x0f, 0xdb, 0x24, 0x1a, 0xff, 0x2e, 0xfe, 0x46, 0xc0, |
229 | 0 | 0x93, 0x8b, 0x74, 0xf2, 0xbc, 0xc5, 0x30, 0x52, 0xb0, 0x77, |
230 | 0 | }; |
231 | |
|
232 | 0 | EC_KEY *ec_key = EC_KEY_new(); |
233 | 0 | BIGNUM *qx = BN_bin2bn(kQx, sizeof(kQx), NULL); |
234 | 0 | BIGNUM *qy = BN_bin2bn(kQy, sizeof(kQy), NULL); |
235 | 0 | BIGNUM *d = BN_bin2bn(kD, sizeof(kD), NULL); |
236 | 0 | if (ec_key == NULL || qx == NULL || qy == NULL || d == NULL || |
237 | 0 | !EC_KEY_set_group(ec_key, EC_group_p256()) || |
238 | 0 | !EC_KEY_set_public_key_affine_coordinates(ec_key, qx, qy) || |
239 | 0 | !EC_KEY_set_private_key(ec_key, d)) { |
240 | 0 | EC_KEY_free(ec_key); |
241 | 0 | ec_key = NULL; |
242 | 0 | } |
243 | |
|
244 | 0 | BN_free(qx); |
245 | 0 | BN_free(qy); |
246 | 0 | BN_free(d); |
247 | 0 | return ec_key; |
248 | 0 | } |
249 | | |
250 | 0 | static DH *self_test_dh(void) { |
251 | 0 | DH *dh = DH_get_rfc7919_2048(); |
252 | 0 | if (!dh) { |
253 | 0 | return NULL; |
254 | 0 | } |
255 | | |
256 | 0 | BIGNUM *priv = BN_new(); |
257 | 0 | if (!priv) { |
258 | 0 | goto err; |
259 | 0 | } |
260 | | |
261 | | // kFFDHE2048PrivateKeyData is a 225-bit value. (225 because that's the |
262 | | // minimum private key size in |
263 | | // https://tools.ietf.org/html/rfc7919#appendix-A.1.) |
264 | 0 | static const BN_ULONG kFFDHE2048PrivateKeyData[] = { |
265 | 0 | TOBN(0x187be36b, 0xd38a4fa1), |
266 | 0 | TOBN(0x0a152f39, 0x6458f3b8), |
267 | 0 | TOBN(0x0570187e, 0xc422eeb7), |
268 | 0 | TOBN(0x00000001, 0x91173f2a), |
269 | 0 | }; |
270 | |
|
271 | 0 | bn_set_static_words(priv, kFFDHE2048PrivateKeyData, |
272 | 0 | OPENSSL_ARRAY_SIZE(kFFDHE2048PrivateKeyData)); |
273 | |
|
274 | 0 | if (!DH_set0_key(dh, NULL, priv)) { |
275 | 0 | goto err; |
276 | 0 | } |
277 | 0 | return dh; |
278 | | |
279 | 0 | err: |
280 | 0 | BN_free(priv); |
281 | 0 | DH_free(dh); |
282 | 0 | return NULL; |
283 | 0 | } |
284 | | |
285 | | |
286 | | // Lazy self-tests |
287 | | // |
288 | | // Self tests that are slow are deferred until the corresponding algorithm is |
289 | | // actually exercised, in FIPS mode. (In non-FIPS mode these tests are only run |
290 | | // when requested by |BORINGSSL_self_test|.) |
291 | | |
292 | 0 | static int boringssl_self_test_rsa(void) { |
293 | 0 | int ret = 0; |
294 | 0 | uint8_t output[256]; |
295 | |
|
296 | 0 | RSA *const rsa_key = self_test_rsa_key(); |
297 | 0 | if (rsa_key == NULL) { |
298 | 0 | fprintf(CRYPTO_get_stderr(), "RSA key construction failed\n"); |
299 | 0 | goto err; |
300 | 0 | } |
301 | | // Disable blinding for the power-on tests because it's not needed and |
302 | | // triggers an entropy draw. |
303 | 0 | rsa_key->flags |= RSA_FLAG_NO_BLINDING; |
304 | | |
305 | | // RSA Sign KAT |
306 | |
|
307 | 0 | static const uint8_t kRSASignDigest[32] = { |
308 | 0 | 0xd2, 0xb5, 0x6e, 0x53, 0x30, 0x6f, 0x72, 0x0d, 0x79, 0x29, 0xd8, |
309 | 0 | 0x70, 0x8b, 0xf4, 0x6f, 0x1c, 0x22, 0x30, 0x03, 0x05, 0x58, 0x2b, |
310 | 0 | 0x11, 0x5b, 0xed, 0xca, 0xc7, 0x22, 0xd8, 0xaa, 0x5a, 0xb2, |
311 | 0 | }; |
312 | 0 | static const uint8_t kRSASignSignature[256] = { |
313 | 0 | 0x64, 0xce, 0xdd, 0x91, 0x27, 0xb0, 0x4f, 0xb9, 0x14, 0xea, 0xc0, 0xb4, |
314 | 0 | 0xa2, 0x06, 0xc5, 0xd8, 0x40, 0x0f, 0x6c, 0x54, 0xac, 0xf7, 0x02, 0xde, |
315 | 0 | 0x26, 0xbb, 0xfd, 0x33, 0xe5, 0x2f, 0x4d, 0xb1, 0x53, 0xc4, 0xff, 0xd0, |
316 | 0 | 0x5f, 0xea, 0x15, 0x89, 0x83, 0x4c, 0xe3, 0x80, 0x0b, 0xe9, 0x13, 0x82, |
317 | 0 | 0x1d, 0x71, 0x92, 0x1a, 0x03, 0x60, 0x2c, 0xaf, 0xe2, 0x16, 0xc7, 0x43, |
318 | 0 | 0x3f, 0xde, 0x6b, 0x94, 0xfd, 0x6e, 0x08, 0x7b, 0x11, 0xf1, 0x34, 0x52, |
319 | 0 | 0xe5, 0xc0, 0x97, 0x66, 0x4a, 0xe0, 0x91, 0x45, 0xc8, 0xb1, 0x3d, 0x6a, |
320 | 0 | 0x54, 0xc1, 0x32, 0x0f, 0x32, 0xad, 0x25, 0x11, 0x3e, 0x49, 0xad, 0x41, |
321 | 0 | 0xce, 0x7b, 0xca, 0x95, 0x6b, 0x54, 0x5e, 0x86, 0x1b, 0xce, 0xfa, 0x2a, |
322 | 0 | 0x60, 0xe8, 0xfa, 0xbb, 0x23, 0xb2, 0x41, 0xbc, 0x7c, 0x98, 0xec, 0x73, |
323 | 0 | 0x20, 0xed, 0xb3, 0xcf, 0xab, 0x07, 0x24, 0x85, 0x6a, 0x2a, 0x61, 0x76, |
324 | 0 | 0x28, 0xf8, 0x00, 0x80, 0xeb, 0xd9, 0x3a, 0x63, 0xe2, 0x01, 0xb1, 0xee, |
325 | 0 | 0x6d, 0xe9, 0x73, 0xe9, 0xb6, 0x75, 0x2e, 0xf9, 0x81, 0xd9, 0xa8, 0x79, |
326 | 0 | 0xf6, 0x8f, 0xe3, 0x02, 0x7d, 0xf6, 0xea, 0xdc, 0x35, 0xe4, 0x62, 0x0d, |
327 | 0 | 0x91, 0xba, 0x3e, 0x7d, 0x8b, 0x82, 0xbf, 0x15, 0x74, 0x6a, 0x4e, 0x29, |
328 | 0 | 0xf8, 0x9b, 0x2c, 0x94, 0x8d, 0xa7, 0x00, 0x4d, 0x7b, 0xbf, 0x35, 0x07, |
329 | 0 | 0xeb, 0xdd, 0x10, 0xef, 0xd5, 0x2f, 0xe6, 0x98, 0x4b, 0x7e, 0x24, 0x80, |
330 | 0 | 0xe2, 0x01, 0xf2, 0x66, 0xb7, 0xd3, 0x93, 0xfe, 0x2a, 0xb3, 0x74, 0xed, |
331 | 0 | 0xec, 0x4b, 0xb1, 0x5f, 0x5f, 0xee, 0x85, 0x44, 0xa7, 0x26, 0xdf, 0xc1, |
332 | 0 | 0x2e, 0x7a, 0xf3, 0xa5, 0x8f, 0xf8, 0x64, 0xda, 0x65, 0xad, 0x91, 0xe2, |
333 | 0 | 0x90, 0x94, 0x20, 0x16, 0xb8, 0x61, 0xa5, 0x0a, 0x7d, 0xb4, 0xbf, 0xc0, |
334 | 0 | 0x10, 0xaf, 0x72, 0x67, |
335 | 0 | }; |
336 | |
|
337 | 0 | unsigned sig_len; |
338 | 0 | if (!rsa_sign_no_self_test(NID_sha256, kRSASignDigest, sizeof(kRSASignDigest), |
339 | 0 | output, &sig_len, rsa_key) || |
340 | 0 | !BORINGSSL_check_test(kRSASignSignature, output, |
341 | 0 | sizeof(kRSASignSignature), "RSA-sign KAT")) { |
342 | 0 | fprintf(CRYPTO_get_stderr(), "RSA signing test failed.\n"); |
343 | 0 | goto err; |
344 | 0 | } |
345 | | |
346 | | // RSA Verify KAT |
347 | | |
348 | 0 | static const uint8_t kRSAVerifyDigest[32] = { |
349 | 0 | 0x09, 0x65, 0x2f, 0xd8, 0xed, 0x9d, 0xc2, 0x6d, 0xbc, 0xbf, 0xf2, |
350 | 0 | 0xa7, 0xa5, 0xed, 0xe1, 0x37, 0x13, 0x78, 0x21, 0x36, 0xcf, 0x8d, |
351 | 0 | 0x22, 0x3d, 0xab, 0x93, 0xb4, 0x12, 0xa8, 0xb5, 0x15, 0x53, |
352 | 0 | }; |
353 | 0 | static const uint8_t kRSAVerifySignature[256] = { |
354 | 0 | 0xab, 0xe2, 0xcb, 0xc1, 0x3d, 0x6b, 0xd3, 0x9d, 0x48, 0xdb, 0x53, 0x34, |
355 | 0 | 0xdd, 0xbf, 0x8d, 0x07, 0x0a, 0x93, 0xbd, 0xcb, 0x10, 0x4e, 0x2c, 0xc5, |
356 | 0 | 0xd0, 0xee, 0x48, 0x6e, 0xe2, 0x95, 0xf6, 0xb3, 0x1b, 0xda, 0x12, 0x6c, |
357 | 0 | 0x41, 0x89, 0x0b, 0x98, 0xb7, 0x3e, 0x70, 0xe6, 0xb6, 0x5d, 0x82, 0xf9, |
358 | 0 | 0x5c, 0x66, 0x31, 0x21, 0x75, 0x5a, 0x90, 0x74, 0x4c, 0x8d, 0x1c, 0x21, |
359 | 0 | 0x14, 0x8a, 0x19, 0x60, 0xbe, 0x0e, 0xca, 0x44, 0x6e, 0x9f, 0xf4, 0x97, |
360 | 0 | 0xf1, 0x34, 0x5c, 0x53, 0x7e, 0xf8, 0x11, 0x9b, 0x9a, 0x43, 0x98, 0xe9, |
361 | 0 | 0x5c, 0x5c, 0x6d, 0xe2, 0xb1, 0xc9, 0x55, 0x90, 0x5c, 0x52, 0x99, 0xd8, |
362 | 0 | 0xce, 0x7a, 0x3b, 0x6a, 0xb7, 0x63, 0x80, 0xd9, 0xba, 0xbd, 0xd1, 0x5f, |
363 | 0 | 0x61, 0x02, 0x37, 0xe1, 0xf3, 0xf2, 0xaa, 0x1c, 0x1f, 0x1e, 0x77, 0x0b, |
364 | 0 | 0x62, 0xfb, 0xb5, 0x96, 0x38, 0x1b, 0x2e, 0xbd, 0xd7, 0x7e, 0xce, 0xf9, |
365 | 0 | 0xc9, 0x0d, 0x4c, 0x92, 0xf7, 0xb6, 0xb0, 0x5f, 0xed, 0x29, 0x36, 0x28, |
366 | 0 | 0x5f, 0xa9, 0x48, 0x26, 0xe6, 0x20, 0x55, 0x32, 0x2a, 0x33, 0xb6, 0xf0, |
367 | 0 | 0x4c, 0x74, 0xce, 0x69, 0xe5, 0xd8, 0xd7, 0x37, 0xfb, 0x83, 0x8b, 0x79, |
368 | 0 | 0xd2, 0xd4, 0x8e, 0x3d, 0xaf, 0x71, 0x38, 0x75, 0x31, 0x88, 0x25, 0x31, |
369 | 0 | 0xa9, 0x5a, 0xc9, 0x64, 0xd0, 0x2e, 0xa4, 0x13, 0xbf, 0x85, 0x95, 0x29, |
370 | 0 | 0x82, 0xbb, 0xc0, 0x89, 0x52, 0x7d, 0xaf, 0xf5, 0xb8, 0x45, 0xc9, 0xa0, |
371 | 0 | 0xf4, 0xd1, 0x4e, 0xf1, 0x95, 0x6d, 0x9c, 0x3a, 0xca, 0xe8, 0x82, 0xd1, |
372 | 0 | 0x2d, 0xa6, 0x6d, 0xa0, 0xf3, 0x57, 0x94, 0xf5, 0xee, 0x32, 0x23, 0x23, |
373 | 0 | 0x33, 0x51, 0x7d, 0xb9, 0x31, 0x52, 0x32, 0xa1, 0x83, 0xb9, 0x91, 0x65, |
374 | 0 | 0x4d, 0xbe, 0xa4, 0x16, 0x15, 0x34, 0x5c, 0x88, 0x53, 0x25, 0x92, 0x67, |
375 | 0 | 0x44, 0xa5, 0x39, 0x15, |
376 | 0 | }; |
377 | 0 | if (!rsa_verify_no_self_test(NID_sha256, kRSAVerifyDigest, |
378 | 0 | sizeof(kRSAVerifyDigest), kRSAVerifySignature, |
379 | 0 | sizeof(kRSAVerifySignature), rsa_key)) { |
380 | 0 | fprintf(CRYPTO_get_stderr(), "RSA-verify KAT failed.\n"); |
381 | 0 | goto err; |
382 | 0 | } |
383 | | |
384 | 0 | ret = 1; |
385 | |
|
386 | 0 | err: |
387 | 0 | RSA_free(rsa_key); |
388 | |
|
389 | 0 | return ret; |
390 | 0 | } |
391 | | |
392 | 0 | static int boringssl_self_test_ecc(void) { |
393 | 0 | int ret = 0; |
394 | 0 | EC_KEY *ec_key = NULL; |
395 | 0 | EC_POINT *ec_point_in = NULL; |
396 | 0 | EC_POINT *ec_point_out = NULL; |
397 | 0 | BIGNUM *ec_scalar = NULL; |
398 | 0 | const EC_GROUP *ec_group = NULL; |
399 | | |
400 | | // The 'k' value for ECDSA is fixed to avoid an entropy draw. |
401 | 0 | uint8_t ecdsa_k[32] = {0}; |
402 | 0 | ecdsa_k[31] = 42; |
403 | |
|
404 | 0 | ec_key = self_test_ecdsa_key(); |
405 | 0 | if (ec_key == NULL) { |
406 | 0 | fprintf(CRYPTO_get_stderr(), "ECDSA KeyGen failed\n"); |
407 | 0 | goto err; |
408 | 0 | } |
409 | | |
410 | | // ECDSA Sign/Verify KAT |
411 | | |
412 | 0 | static const uint8_t kECDSASignDigest[32] = { |
413 | 0 | 0x1e, 0x35, 0x93, 0x0b, 0xe8, 0x60, 0xd0, 0x94, 0x2c, 0xa7, 0xbb, |
414 | 0 | 0xd6, 0xf6, 0xde, 0xd8, 0x7f, 0x15, 0x7e, 0x4d, 0xe2, 0x4f, 0x81, |
415 | 0 | 0xed, 0x4b, 0x87, 0x5c, 0x0e, 0x01, 0x8e, 0x89, 0xa8, 0x1f, |
416 | 0 | }; |
417 | 0 | static const uint8_t kECDSASignSig[64] = { |
418 | 0 | 0x67, 0x80, 0xc5, 0xfc, 0x70, 0x27, 0x5e, 0x2c, 0x70, 0x61, 0xa0, |
419 | 0 | 0xe7, 0x87, 0x7b, 0xb1, 0x74, 0xde, 0xad, 0xeb, 0x98, 0x87, 0x02, |
420 | 0 | 0x7f, 0x3f, 0xa8, 0x36, 0x54, 0x15, 0x8b, 0xa7, 0xf5, 0x0c, 0x68, |
421 | 0 | 0x04, 0x73, 0x40, 0x94, 0xb2, 0xd1, 0x90, 0xac, 0x2d, 0x0c, 0xd7, |
422 | 0 | 0xa5, 0x7f, 0x2f, 0x2e, 0xb2, 0x62, 0xb0, 0x09, 0x16, 0xe1, 0xa6, |
423 | 0 | 0x70, 0xb5, 0xbb, 0x0d, 0xfd, 0x8e, 0x0c, 0x02, 0x3f, |
424 | 0 | }; |
425 | |
|
426 | 0 | uint8_t ecdsa_sign_output[64]; |
427 | 0 | size_t ecdsa_sign_output_len; |
428 | 0 | if (!ecdsa_sign_fixed_with_nonce_for_known_answer_test( |
429 | 0 | kECDSASignDigest, sizeof(kECDSASignDigest), ecdsa_sign_output, |
430 | 0 | &ecdsa_sign_output_len, sizeof(ecdsa_sign_output), ec_key, ecdsa_k, |
431 | 0 | sizeof(ecdsa_k)) || |
432 | 0 | !BORINGSSL_check_test(kECDSASignSig, ecdsa_sign_output, |
433 | 0 | sizeof(ecdsa_sign_output), |
434 | 0 | "ECDSA-sign signature")) { |
435 | 0 | fprintf(CRYPTO_get_stderr(), "ECDSA-sign KAT failed.\n"); |
436 | 0 | goto err; |
437 | 0 | } |
438 | | |
439 | 0 | static const uint8_t kECDSAVerifyDigest[32] = { |
440 | 0 | 0x78, 0x7c, 0x50, 0x5c, 0x60, 0xc9, 0xe4, 0x13, 0x6c, 0xe4, 0x48, |
441 | 0 | 0xba, 0x93, 0xff, 0x71, 0xfa, 0x9c, 0x18, 0xf4, 0x17, 0x09, 0x4f, |
442 | 0 | 0xdf, 0x5a, 0xe2, 0x75, 0xc0, 0xcc, 0xd2, 0x67, 0x97, 0xad, |
443 | 0 | }; |
444 | 0 | static const uint8_t kECDSAVerifySig[64] = { |
445 | 0 | 0x67, 0x80, 0xc5, 0xfc, 0x70, 0x27, 0x5e, 0x2c, 0x70, 0x61, 0xa0, |
446 | 0 | 0xe7, 0x87, 0x7b, 0xb1, 0x74, 0xde, 0xad, 0xeb, 0x98, 0x87, 0x02, |
447 | 0 | 0x7f, 0x3f, 0xa8, 0x36, 0x54, 0x15, 0x8b, 0xa7, 0xf5, 0x0c, 0x2d, |
448 | 0 | 0x36, 0xe5, 0x79, 0x97, 0x90, 0xbf, 0xbe, 0x21, 0x83, 0xd3, 0x3e, |
449 | 0 | 0x96, 0xf3, 0xc5, 0x1f, 0x6a, 0x23, 0x2f, 0x2a, 0x24, 0x48, 0x8c, |
450 | 0 | 0x8e, 0x5f, 0x64, 0xc3, 0x7e, 0xa2, 0xcf, 0x05, 0x29, |
451 | 0 | }; |
452 | |
|
453 | 0 | if (!ecdsa_verify_fixed_no_self_test( |
454 | 0 | kECDSAVerifyDigest, sizeof(kECDSAVerifyDigest), kECDSAVerifySig, |
455 | 0 | sizeof(kECDSAVerifySig), ec_key)) { |
456 | 0 | fprintf(CRYPTO_get_stderr(), "ECDSA-verify KAT failed.\n"); |
457 | 0 | goto err; |
458 | 0 | } |
459 | | |
460 | | // Primitive Z Computation KAT (IG 9.6). |
461 | | |
462 | | // kP256Point is SHA256("Primitive Z Computation KAT")×G within P-256. |
463 | 0 | static const uint8_t kP256Point[65] = { |
464 | 0 | 0x04, 0x4e, 0xc1, 0x94, 0x8c, 0x5c, 0xf4, 0x37, 0x35, 0x0d, 0xa3, |
465 | 0 | 0xf9, 0x55, 0xf9, 0x8b, 0x26, 0x23, 0x5c, 0x43, 0xe0, 0x83, 0x51, |
466 | 0 | 0x2b, 0x0d, 0x4b, 0x56, 0x24, 0xc3, 0xe4, 0xa5, 0xa8, 0xe2, 0xe9, |
467 | 0 | 0x95, 0xf2, 0xc4, 0xb9, 0xb7, 0x48, 0x7d, 0x2a, 0xae, 0xc5, 0xc0, |
468 | 0 | 0x0a, 0xcc, 0x1b, 0xd0, 0xec, 0xb8, 0xdc, 0xbe, 0x0c, 0xbe, 0x52, |
469 | 0 | 0x79, 0x93, 0x7c, 0x0b, 0x92, 0x2b, 0x7f, 0x17, 0xa5, 0x80, |
470 | 0 | }; |
471 | | // kP256Scalar is SHA256("Primitive Z Computation KAT scalar"). |
472 | 0 | static const uint8_t kP256Scalar[32] = { |
473 | 0 | 0xe7, 0x60, 0x44, 0x91, 0x26, 0x9a, 0xfb, 0x5b, 0x10, 0x2d, 0x6e, |
474 | 0 | 0xa5, 0x2c, 0xb5, 0x9f, 0xeb, 0x70, 0xae, 0xde, 0x6c, 0xe3, 0xbf, |
475 | 0 | 0xb3, 0xe0, 0x10, 0x54, 0x85, 0xab, 0xd8, 0x61, 0xd7, 0x7b, |
476 | 0 | }; |
477 | | // kP256PointResult is |kP256Scalar|×|kP256Point|. |
478 | 0 | static const uint8_t kP256PointResult[65] = { |
479 | 0 | 0x04, 0xf1, 0x63, 0x00, 0x88, 0xc5, 0xd5, 0xe9, 0x05, 0x52, 0xac, |
480 | 0 | 0xb6, 0xec, 0x68, 0x76, 0xb8, 0x73, 0x7f, 0x0f, 0x72, 0x34, 0xe6, |
481 | 0 | 0xbb, 0x30, 0x32, 0x22, 0x37, 0xb6, 0x2a, 0x80, 0xe8, 0x9e, 0x6e, |
482 | 0 | 0x6f, 0x36, 0x02, 0xe7, 0x21, 0xd2, 0x31, 0xdb, 0x94, 0x63, 0xb7, |
483 | 0 | 0xd8, 0x19, 0x0e, 0xc2, 0xc0, 0xa7, 0x2f, 0x15, 0x49, 0x1a, 0xa2, |
484 | 0 | 0x7c, 0x41, 0x8f, 0xaf, 0x9c, 0x40, 0xaf, 0x2e, 0x4a, 0x0c, |
485 | 0 | }; |
486 | |
|
487 | 0 | ec_group = EC_group_p256(); |
488 | 0 | ec_point_in = EC_POINT_new(ec_group); |
489 | 0 | ec_point_out = EC_POINT_new(ec_group); |
490 | 0 | ec_scalar = BN_new(); |
491 | 0 | uint8_t z_comp_result[65]; |
492 | 0 | if (ec_point_in == NULL || ec_point_out == NULL || ec_scalar == NULL || |
493 | 0 | !EC_POINT_oct2point(ec_group, ec_point_in, kP256Point, sizeof(kP256Point), |
494 | 0 | NULL) || |
495 | 0 | !BN_bin2bn(kP256Scalar, sizeof(kP256Scalar), ec_scalar) || |
496 | 0 | !ec_point_mul_no_self_test(ec_group, ec_point_out, NULL, ec_point_in, |
497 | 0 | ec_scalar, NULL) || |
498 | 0 | !EC_POINT_point2oct(ec_group, ec_point_out, POINT_CONVERSION_UNCOMPRESSED, |
499 | 0 | z_comp_result, sizeof(z_comp_result), NULL) || |
500 | 0 | !BORINGSSL_check_test(kP256PointResult, z_comp_result, |
501 | 0 | sizeof(z_comp_result), "Z Computation Result")) { |
502 | 0 | fprintf(CRYPTO_get_stderr(), "Z-computation KAT failed.\n"); |
503 | 0 | goto err; |
504 | 0 | } |
505 | | |
506 | 0 | ret = 1; |
507 | |
|
508 | 0 | err: |
509 | 0 | EC_KEY_free(ec_key); |
510 | 0 | EC_POINT_free(ec_point_in); |
511 | 0 | EC_POINT_free(ec_point_out); |
512 | 0 | BN_free(ec_scalar); |
513 | |
|
514 | 0 | return ret; |
515 | 0 | } |
516 | | |
517 | 0 | static int boringssl_self_test_ffdh(void) { |
518 | 0 | int ret = 0; |
519 | 0 | DH *dh = NULL; |
520 | 0 | BIGNUM *ffdhe2048_value = NULL; |
521 | | |
522 | | // FFC Diffie-Hellman KAT |
523 | | |
524 | | // kFFDHE2048PublicValueData is an arbitrary public value, mod |
525 | | // kFFDHE2048Data. (The private key happens to be 4096.) |
526 | 0 | static const BN_ULONG kFFDHE2048PublicValueData[] = { |
527 | 0 | TOBN(0x187be36b, 0xd38a4fa1), TOBN(0x0a152f39, 0x6458f3b8), |
528 | 0 | TOBN(0x0570187e, 0xc422eeb7), TOBN(0x18af7482, 0x91173f2a), |
529 | 0 | TOBN(0xe9fdac6a, 0xcff4eaaa), TOBN(0xf6afebb7, 0x6e589d6c), |
530 | 0 | TOBN(0xf92f8e9a, 0xb7e33fb0), TOBN(0x70acf2aa, 0x4cf36ddd), |
531 | 0 | TOBN(0x561ab426, 0xd07137fd), TOBN(0x5f57d037, 0x430ee91e), |
532 | 0 | TOBN(0xe3e768c8, 0x60d10b8a), TOBN(0xb14884d8, 0xa18af8ce), |
533 | 0 | TOBN(0xf8a98014, 0xa12b74e4), TOBN(0x748d407c, 0x3437b7a8), |
534 | 0 | TOBN(0x627588c4, 0x9875d5a7), TOBN(0xdd24a127, 0x53c8f09d), |
535 | 0 | TOBN(0x85a997d5, 0x0cd51aec), TOBN(0x44f0c619, 0xce348458), |
536 | 0 | TOBN(0x9b894b24, 0x5f6b69a1), TOBN(0xae1302f2, 0xf6d4777e), |
537 | 0 | TOBN(0xe6678eeb, 0x375db18e), TOBN(0x2674e1d6, 0x4fbcbdc8), |
538 | 0 | TOBN(0xb297a823, 0x6fa93d28), TOBN(0x6a12fb70, 0x7c8c0510), |
539 | 0 | TOBN(0x5c6d1aeb, 0xdb06f65b), TOBN(0xe8c2954e, 0x4c1804ca), |
540 | 0 | TOBN(0x06bdeac1, 0xf5500fa7), TOBN(0x6a315604, 0x189cd76b), |
541 | 0 | TOBN(0xbae7b0b3, 0x6e362dc0), TOBN(0xa57c73bd, 0xdc70fb82), |
542 | 0 | TOBN(0xfaff50d2, 0x9d573457), TOBN(0x352bd399, 0xbe84058e), |
543 | 0 | }; |
544 | 0 | static const uint8_t kDHOutput[2048 / 8] = { |
545 | 0 | 0x2a, 0xe6, 0xd3, 0xa6, 0x13, 0x58, 0x8e, 0xce, 0x53, 0xaa, 0xf6, 0x5d, |
546 | 0 | 0x9a, 0xae, 0x02, 0x12, 0xf5, 0x80, 0x3d, 0x06, 0x09, 0x76, 0xac, 0x57, |
547 | 0 | 0x37, 0x9e, 0xab, 0x38, 0x62, 0x25, 0x05, 0x1d, 0xf3, 0xa9, 0x39, 0x60, |
548 | 0 | 0xf6, 0xae, 0x90, 0xed, 0x1e, 0xad, 0x6e, 0xe9, 0xe3, 0xba, 0x27, 0xf6, |
549 | 0 | 0xdb, 0x54, 0xdf, 0xe2, 0xbd, 0xbb, 0x7f, 0xf1, 0x81, 0xac, 0x1a, 0xfa, |
550 | 0 | 0xdb, 0x87, 0x07, 0x98, 0x76, 0x90, 0x21, 0xf2, 0xae, 0xda, 0x0d, 0x84, |
551 | 0 | 0x97, 0x64, 0x0b, 0xbf, 0xb8, 0x8d, 0x10, 0x46, 0xe2, 0xd5, 0xca, 0x1b, |
552 | 0 | 0xbb, 0xe5, 0x37, 0xb2, 0x3b, 0x35, 0xd3, 0x1b, 0x65, 0xea, 0xae, 0xf2, |
553 | 0 | 0x03, 0xe2, 0xb6, 0xde, 0x22, 0xb7, 0x86, 0x49, 0x79, 0xfe, 0xd7, 0x16, |
554 | 0 | 0xf7, 0xdc, 0x9c, 0x59, 0xf5, 0xb7, 0x70, 0xc0, 0x53, 0x42, 0x6f, 0xb1, |
555 | 0 | 0xd2, 0x4e, 0x00, 0x25, 0x4b, 0x2d, 0x5a, 0x9b, 0xd0, 0xe9, 0x27, 0x43, |
556 | 0 | 0xcc, 0x00, 0x66, 0xea, 0x94, 0x7a, 0x0b, 0xb9, 0x89, 0x0c, 0x5e, 0x94, |
557 | 0 | 0xb8, 0x3a, 0x78, 0x9c, 0x4d, 0x84, 0xe6, 0x32, 0x2c, 0x38, 0x7c, 0xf7, |
558 | 0 | 0x43, 0x9c, 0xd8, 0xb8, 0x1c, 0xce, 0x24, 0x91, 0x20, 0x67, 0x7a, 0x54, |
559 | 0 | 0x1f, 0x7e, 0x86, 0x7f, 0xa1, 0xc1, 0x03, 0x4e, 0x2c, 0x26, 0x71, 0xb2, |
560 | 0 | 0x06, 0x30, 0xb3, 0x6c, 0x15, 0xcc, 0xac, 0x25, 0xe5, 0x37, 0x3f, 0x24, |
561 | 0 | 0x8f, 0x2a, 0x89, 0x5e, 0x3d, 0x43, 0x94, 0xc9, 0x36, 0xae, 0x40, 0x00, |
562 | 0 | 0x6a, 0x0d, 0xb0, 0x6e, 0x8b, 0x2e, 0x70, 0x57, 0xe1, 0x88, 0x53, 0xd6, |
563 | 0 | 0x06, 0x80, 0x2a, 0x4e, 0x5a, 0xf0, 0x1e, 0xaa, 0xcb, 0xab, 0x06, 0x0e, |
564 | 0 | 0x27, 0x0f, 0xd9, 0x88, 0xd9, 0x01, 0xe3, 0x07, 0xeb, 0xdf, 0xc3, 0x12, |
565 | 0 | 0xe3, 0x40, 0x88, 0x7b, 0x5f, 0x59, 0x78, 0x6e, 0x26, 0x20, 0xc3, 0xdf, |
566 | 0 | 0xc8, 0xe4, 0x5e, 0xb8, |
567 | 0 | }; |
568 | |
|
569 | 0 | ffdhe2048_value = BN_new(); |
570 | 0 | if (ffdhe2048_value) { |
571 | 0 | bn_set_static_words(ffdhe2048_value, kFFDHE2048PublicValueData, |
572 | 0 | OPENSSL_ARRAY_SIZE(kFFDHE2048PublicValueData)); |
573 | 0 | } |
574 | |
|
575 | 0 | dh = self_test_dh(); |
576 | 0 | uint8_t dh_out[sizeof(kDHOutput)]; |
577 | 0 | if (dh == NULL || ffdhe2048_value == NULL || sizeof(dh_out) != DH_size(dh) || |
578 | 0 | dh_compute_key_padded_no_self_test(dh_out, ffdhe2048_value, dh) != |
579 | 0 | sizeof(dh_out) || |
580 | 0 | !BORINGSSL_check_test(kDHOutput, dh_out, sizeof(dh_out), "FFC DH")) { |
581 | 0 | fprintf(CRYPTO_get_stderr(), "FFDH failed.\n"); |
582 | 0 | goto err; |
583 | 0 | } |
584 | | |
585 | 0 | ret = 1; |
586 | |
|
587 | 0 | err: |
588 | 0 | DH_free(dh); |
589 | 0 | BN_free(ffdhe2048_value); |
590 | |
|
591 | 0 | return ret; |
592 | 0 | } |
593 | | |
594 | | #if defined(BORINGSSL_FIPS) |
595 | | |
596 | | static void run_self_test_rsa(void) { |
597 | | FIPS_service_indicator_lock_state(); |
598 | | if (!boringssl_self_test_rsa()) { |
599 | | BORINGSSL_FIPS_abort(); |
600 | | } |
601 | | FIPS_service_indicator_unlock_state(); |
602 | | } |
603 | | |
604 | | DEFINE_STATIC_ONCE(g_self_test_once_rsa) |
605 | | |
606 | | void boringssl_ensure_rsa_self_test(void) { |
607 | | CRYPTO_once(g_self_test_once_rsa_bss_get(), run_self_test_rsa); |
608 | | } |
609 | | |
610 | | static void run_self_test_ecc(void) { |
611 | | FIPS_service_indicator_lock_state(); |
612 | | if (!boringssl_self_test_ecc()) { |
613 | | BORINGSSL_FIPS_abort(); |
614 | | } |
615 | | FIPS_service_indicator_unlock_state(); |
616 | | } |
617 | | |
618 | | DEFINE_STATIC_ONCE(g_self_test_once_ecc) |
619 | | |
620 | | void boringssl_ensure_ecc_self_test(void) { |
621 | | CRYPTO_once(g_self_test_once_ecc_bss_get(), run_self_test_ecc); |
622 | | } |
623 | | |
624 | | static void run_self_test_ffdh(void) { |
625 | | FIPS_service_indicator_lock_state(); |
626 | | if (!boringssl_self_test_ffdh()) { |
627 | | BORINGSSL_FIPS_abort(); |
628 | | } |
629 | | FIPS_service_indicator_unlock_state(); |
630 | | } |
631 | | |
632 | | DEFINE_STATIC_ONCE(g_self_test_once_ffdh) |
633 | | |
634 | | void boringssl_ensure_ffdh_self_test(void) { |
635 | | CRYPTO_once(g_self_test_once_ffdh_bss_get(), run_self_test_ffdh); |
636 | | } |
637 | | |
638 | | #endif // BORINGSSL_FIPS |
639 | | |
640 | | |
641 | | // Startup self tests. |
642 | | // |
643 | | // These tests are run at process start when in FIPS mode. |
644 | | |
645 | 0 | int boringssl_self_test_sha256(void) { |
646 | 0 | static const uint8_t kInput[16] = { |
647 | 0 | 0xff, 0x3b, 0x85, 0x7d, 0xa7, 0x23, 0x6a, 0x2b, |
648 | 0 | 0xaa, 0x0f, 0x39, 0x6b, 0x51, 0x52, 0x22, 0x17, |
649 | 0 | }; |
650 | 0 | static const uint8_t kPlaintextSHA256[32] = { |
651 | 0 | 0x7f, 0xe4, 0xd5, 0xf1, 0xa1, 0xe3, 0x82, 0x87, 0xd9, 0x58, 0xf5, |
652 | 0 | 0x11, 0xc7, 0x1d, 0x5e, 0x27, 0x5e, 0xcc, 0xd2, 0x66, 0xcf, 0xb9, |
653 | 0 | 0xc8, 0xc6, 0x60, 0xd8, 0x92, 0x1e, 0x57, 0xfd, 0x46, 0x75, |
654 | 0 | }; |
655 | 0 | uint8_t output[SHA256_DIGEST_LENGTH]; |
656 | | |
657 | | // SHA-256 KAT |
658 | 0 | SHA256(kInput, sizeof(kInput), output); |
659 | 0 | return BORINGSSL_check_test(kPlaintextSHA256, output, |
660 | 0 | sizeof(kPlaintextSHA256), "SHA-256 KAT"); |
661 | 0 | } |
662 | | |
663 | 0 | int boringssl_self_test_sha512(void) { |
664 | 0 | static const uint8_t kInput[16] = { |
665 | 0 | 0x21, 0x25, 0x12, 0xf8, 0xd2, 0xad, 0x83, 0x22, |
666 | 0 | 0x78, 0x1c, 0x6c, 0x4d, 0x69, 0xa9, 0xda, 0xa1, |
667 | 0 | }; |
668 | 0 | static const uint8_t kPlaintextSHA512[64] = { |
669 | 0 | 0x29, 0x3c, 0x94, 0x35, 0x4e, 0x98, 0x83, 0xe5, 0xc2, 0x78, 0x36, |
670 | 0 | 0x7a, 0xe5, 0x18, 0x90, 0xbf, 0x35, 0x41, 0x01, 0x64, 0x19, 0x8d, |
671 | 0 | 0x26, 0xeb, 0xe1, 0xf8, 0x2f, 0x04, 0x8e, 0xfa, 0x8b, 0x2b, 0xc6, |
672 | 0 | 0xb2, 0x9d, 0x5d, 0x46, 0x76, 0x5a, 0xc8, 0xb5, 0x25, 0xa3, 0xea, |
673 | 0 | 0x52, 0x84, 0x47, 0x6d, 0x6d, 0xf4, 0xc9, 0x71, 0xf3, 0x3d, 0x89, |
674 | 0 | 0x4c, 0x3b, 0x20, 0x8c, 0x5b, 0x75, 0xe8, 0xf8, 0x7c, |
675 | 0 | }; |
676 | 0 | uint8_t output[SHA512_DIGEST_LENGTH]; |
677 | | |
678 | | // SHA-512 KAT |
679 | 0 | SHA512(kInput, sizeof(kInput), output); |
680 | 0 | return BORINGSSL_check_test(kPlaintextSHA512, output, |
681 | 0 | sizeof(kPlaintextSHA512), "SHA-512 KAT"); |
682 | 0 | } |
683 | | |
684 | 0 | int boringssl_self_test_hmac_sha256(void) { |
685 | 0 | static const uint8_t kInput[16] = { |
686 | 0 | 0xda, 0xd9, 0x12, 0x93, 0xdf, 0xcf, 0x2a, 0x7c, |
687 | 0 | 0x8e, 0xcd, 0x13, 0xfe, 0x35, 0x3f, 0xa7, 0x5b, |
688 | 0 | }; |
689 | 0 | static const uint8_t kPlaintextHMACSHA256[32] = { |
690 | 0 | 0x36, 0x5f, 0x5b, 0xd5, 0xf5, 0xeb, 0xfd, 0xc7, 0x6e, 0x53, 0xa5, |
691 | 0 | 0x73, 0x6d, 0x73, 0x20, 0x13, 0xaa, 0xd3, 0xbc, 0x86, 0x4b, 0xb8, |
692 | 0 | 0x84, 0x94, 0x16, 0x46, 0x88, 0x9c, 0x48, 0xee, 0xa9, 0x0e, |
693 | 0 | }; |
694 | 0 | uint8_t output[EVP_MAX_MD_SIZE]; |
695 | |
|
696 | 0 | unsigned output_len; |
697 | 0 | HMAC(EVP_sha256(), kInput, sizeof(kInput), kInput, sizeof(kInput), output, |
698 | 0 | &output_len); |
699 | 0 | return output_len == sizeof(kPlaintextHMACSHA256) && |
700 | 0 | BORINGSSL_check_test(kPlaintextHMACSHA256, output, |
701 | 0 | sizeof(kPlaintextHMACSHA256), "HMAC-SHA-256 KAT"); |
702 | 0 | } |
703 | | |
704 | 0 | static int boringssl_self_test_fast(void) { |
705 | 0 | static const uint8_t kAESKey[16] = { |
706 | 0 | 'B', 'o', 'r', 'i', 'n', 'g', 'C', 'r', |
707 | 0 | 'y', 'p', 't', 'o', ' ', 'K', 'e', 'y', |
708 | 0 | }; |
709 | 0 | static const uint8_t kAESIV[16] = {0}; |
710 | |
|
711 | 0 | AES_KEY aes_key; |
712 | 0 | uint8_t aes_iv[16]; |
713 | 0 | uint8_t output[256]; |
714 | | |
715 | | // AES-CBC Encryption KAT |
716 | 0 | static const uint8_t kAESCBCEncPlaintext[32] = { |
717 | 0 | 0x07, 0x86, 0x09, 0xa6, 0xc5, 0xac, 0x25, 0x44, 0x69, 0x9a, 0xdf, |
718 | 0 | 0x68, 0x2f, 0xa3, 0x77, 0xf9, 0xbe, 0x8a, 0xb6, 0xae, 0xf5, 0x63, |
719 | 0 | 0xe8, 0xc5, 0x6a, 0x36, 0xb8, 0x4f, 0x55, 0x7f, 0xad, 0xd3, |
720 | 0 | }; |
721 | 0 | static const uint8_t kAESCBCEncCiphertext[sizeof(kAESCBCEncPlaintext)] = { |
722 | 0 | 0x56, 0x46, 0xc1, 0x41, 0xf4, 0x13, 0xd6, 0xff, 0x62, 0x92, 0x41, |
723 | 0 | 0x7a, 0x26, 0xc6, 0x86, 0xbd, 0x30, 0x5f, 0xb6, 0x57, 0xa7, 0xd2, |
724 | 0 | 0x50, 0x3a, 0xc5, 0x5e, 0x8e, 0x93, 0x40, 0xf2, 0x10, 0xd8, |
725 | 0 | }; |
726 | 0 | memcpy(aes_iv, kAESIV, sizeof(kAESIV)); |
727 | 0 | if (!bcm_success( |
728 | 0 | BCM_aes_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key))) { |
729 | 0 | fprintf(CRYPTO_get_stderr(), "BCM_aes_set_encrypt_key failed.\n"); |
730 | 0 | return 0; |
731 | 0 | } |
732 | 0 | AES_cbc_encrypt(kAESCBCEncPlaintext, output, sizeof(kAESCBCEncPlaintext), |
733 | 0 | &aes_key, aes_iv, AES_ENCRYPT); |
734 | 0 | if (!BORINGSSL_check_test(kAESCBCEncCiphertext, output, |
735 | 0 | sizeof(kAESCBCEncCiphertext), |
736 | 0 | "AES-CBC-encrypt KAT")) { |
737 | 0 | return 0; |
738 | 0 | } |
739 | | |
740 | | // AES-CBC Decryption KAT |
741 | 0 | static const uint8_t kAESCBCDecCiphertext[32] = { |
742 | 0 | 0x34, 0x7a, 0xa5, 0xa0, 0x24, 0xb2, 0x82, 0x57, 0xb3, 0x65, 0x10, |
743 | 0 | 0xbe, 0x58, 0x3d, 0x4f, 0x47, 0xad, 0xb7, 0xbb, 0xee, 0xdc, 0x60, |
744 | 0 | 0x05, 0xbb, 0xbd, 0x0d, 0x0a, 0x9f, 0x06, 0xbb, 0x7b, 0x10, |
745 | 0 | }; |
746 | 0 | static const uint8_t kAESCBCDecPlaintext[sizeof(kAESCBCDecCiphertext)] = { |
747 | 0 | 0x51, 0xa7, 0xa0, 0x1f, 0x6b, 0x79, 0x6c, 0xcd, 0x48, 0x03, 0xa1, |
748 | 0 | 0x41, 0xdc, 0x56, 0xa6, 0xc2, 0x16, 0xb5, 0xd1, 0xd3, 0xb7, 0x06, |
749 | 0 | 0xb2, 0x25, 0x6f, 0xa6, 0xd0, 0xd2, 0x0e, 0x6f, 0x19, 0xb5, |
750 | 0 | }; |
751 | 0 | memcpy(aes_iv, kAESIV, sizeof(kAESIV)); |
752 | 0 | if (!bcm_success( |
753 | 0 | BCM_aes_set_decrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key))) { |
754 | 0 | fprintf(CRYPTO_get_stderr(), "BCM_aes_set_decrypt_key failed.\n"); |
755 | 0 | return 0; |
756 | 0 | } |
757 | 0 | AES_cbc_encrypt(kAESCBCDecCiphertext, output, sizeof(kAESCBCDecCiphertext), |
758 | 0 | &aes_key, aes_iv, AES_DECRYPT); |
759 | 0 | if (!BORINGSSL_check_test(kAESCBCDecPlaintext, output, |
760 | 0 | sizeof(kAESCBCDecPlaintext), |
761 | 0 | "AES-CBC-decrypt KAT")) { |
762 | 0 | return 0; |
763 | 0 | } |
764 | | |
765 | 0 | size_t out_len; |
766 | 0 | uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH]; |
767 | 0 | OPENSSL_memset(nonce, 0, sizeof(nonce)); |
768 | 0 | bssl::ScopedEVP_AEAD_CTX aead_ctx; |
769 | 0 | if (!EVP_AEAD_CTX_init(aead_ctx.get(), EVP_aead_aes_128_gcm(), kAESKey, |
770 | 0 | sizeof(kAESKey), 0, NULL)) { |
771 | 0 | fprintf(CRYPTO_get_stderr(), "EVP_AEAD_CTX_init for AES-128-GCM failed.\n"); |
772 | 0 | return 0; |
773 | 0 | } |
774 | | |
775 | | // AES-GCM Encryption KAT |
776 | 0 | static const uint8_t kAESGCMEncPlaintext[32] = { |
777 | 0 | 0x8f, 0xcc, 0x40, 0x99, 0x80, 0x8e, 0x75, 0xca, 0xaf, 0xf5, 0x82, |
778 | 0 | 0x89, 0x88, 0x48, 0xa8, 0x8d, 0x80, 0x8b, 0x55, 0xab, 0x4e, 0x93, |
779 | 0 | 0x70, 0x79, 0x7d, 0x94, 0x0b, 0xe8, 0xcc, 0x1d, 0x78, 0x84, |
780 | 0 | }; |
781 | 0 | static const uint8_t kAESGCMCiphertext[sizeof(kAESGCMEncPlaintext) + 16] = { |
782 | 0 | 0x87, 0x7b, 0xd5, 0x8d, 0x96, 0x3e, 0x4b, 0xe6, 0x64, 0x94, 0x40, 0x2f, |
783 | 0 | 0x61, 0x9b, 0x7e, 0x56, 0x52, 0x7d, 0xa4, 0x5a, 0xf9, 0xa6, 0xe2, 0xdb, |
784 | 0 | 0x1c, 0x63, 0x2e, 0x97, 0x93, 0x0f, 0xfb, 0xed, 0xb5, 0x9e, 0x1c, 0x20, |
785 | 0 | 0xb2, 0xb0, 0x58, 0xda, 0x48, 0x07, 0x2d, 0xbd, 0x96, 0x0d, 0x34, 0xc6, |
786 | 0 | }; |
787 | 0 | if (!EVP_AEAD_CTX_seal(aead_ctx.get(), output, &out_len, sizeof(output), |
788 | 0 | nonce, EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()), |
789 | 0 | kAESGCMEncPlaintext, sizeof(kAESGCMEncPlaintext), NULL, |
790 | 0 | 0) || |
791 | 0 | !BORINGSSL_check_test(kAESGCMCiphertext, output, |
792 | 0 | sizeof(kAESGCMCiphertext), "AES-GCM-encrypt KAT")) { |
793 | 0 | fprintf(CRYPTO_get_stderr(), "EVP_AEAD_CTX_seal for AES-128-GCM failed.\n"); |
794 | 0 | return 0; |
795 | 0 | } |
796 | | |
797 | | // AES-GCM Decryption KAT |
798 | 0 | static const uint8_t kAESGCMDecCiphertext[48] = { |
799 | 0 | 0x35, 0xf3, 0x05, 0x8f, 0x87, 0x57, 0x60, 0xff, 0x09, 0xd3, 0x12, 0x0f, |
800 | 0 | 0x70, 0xc4, 0xbc, 0x9e, 0xd7, 0xa8, 0x68, 0x72, 0xe1, 0x34, 0x52, 0x20, |
801 | 0 | 0x21, 0x76, 0xf7, 0x37, 0x1a, 0xe0, 0x4f, 0xaa, 0xe1, 0xdd, 0x39, 0x19, |
802 | 0 | 0x20, 0xf5, 0xd1, 0x39, 0x53, 0xd8, 0x96, 0x78, 0x59, 0x94, 0x82, 0x3c, |
803 | 0 | }; |
804 | 0 | static const uint8_t kAESGCMDecPlaintext[sizeof(kAESGCMDecCiphertext) - 16] = |
805 | 0 | { |
806 | 0 | 0x3d, 0x44, 0x90, 0x9b, 0x91, 0xe7, 0x5e, 0xd3, 0xc2, 0xb2, 0xd0, |
807 | 0 | 0xa9, 0x99, 0x17, 0x6a, 0x45, 0x05, 0x5e, 0x99, 0x83, 0x56, 0x01, |
808 | 0 | 0xc0, 0x82, 0x40, 0x81, 0xd2, 0x48, 0x45, 0xf2, 0xcc, 0xc3, |
809 | 0 | }; |
810 | 0 | if (!EVP_AEAD_CTX_open(aead_ctx.get(), output, &out_len, sizeof(output), |
811 | 0 | nonce, EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()), |
812 | 0 | kAESGCMDecCiphertext, sizeof(kAESGCMDecCiphertext), |
813 | 0 | NULL, 0) || |
814 | 0 | !BORINGSSL_check_test(kAESGCMDecPlaintext, output, |
815 | 0 | sizeof(kAESGCMDecPlaintext), |
816 | 0 | "AES-GCM-decrypt KAT")) { |
817 | 0 | fprintf(CRYPTO_get_stderr(), |
818 | 0 | "AES-GCM-decrypt KAT failed because EVP_AEAD_CTX_open failed.\n"); |
819 | 0 | return 0; |
820 | 0 | } |
821 | | |
822 | | // SHA-1 KAT |
823 | 0 | static const uint8_t kSHA1Input[16] = { |
824 | 0 | 0x13, 0x2f, 0xd9, 0xba, 0xd5, 0xc1, 0x82, 0x62, |
825 | 0 | 0x63, 0xba, 0xfb, 0xb6, 0x99, 0xf7, 0x07, 0xa5, |
826 | 0 | }; |
827 | 0 | static const uint8_t kSHA1Digest[20] = { |
828 | 0 | 0x94, 0x19, 0x55, 0x93, 0x0a, 0x58, 0x29, 0x38, 0xeb, 0xf5, |
829 | 0 | 0x09, 0x11, 0x6d, 0x1a, 0xfd, 0x0f, 0x1e, 0x11, 0xe3, 0xcb, |
830 | 0 | }; |
831 | 0 | SHA1(kSHA1Input, sizeof(kSHA1Input), output); |
832 | 0 | if (!BORINGSSL_check_test(kSHA1Digest, output, sizeof(kSHA1Digest), |
833 | 0 | "SHA-1 KAT")) { |
834 | 0 | return 0; |
835 | 0 | } |
836 | | |
837 | 0 | if (!boringssl_self_test_sha256() || !boringssl_self_test_sha512() || |
838 | 0 | !boringssl_self_test_hmac_sha256()) { |
839 | 0 | return 0; |
840 | 0 | } |
841 | | |
842 | | // DBRG KAT |
843 | 0 | static const uint8_t kDRBGEntropy[48] = { |
844 | 0 | 0xc4, 0xda, 0x07, 0x40, 0xd5, 0x05, 0xf1, 0xee, 0x28, 0x0b, 0x95, 0xe5, |
845 | 0 | 0x8c, 0x49, 0x31, 0xac, 0x6d, 0xe8, 0x46, 0xa0, 0x15, 0x2f, 0xbb, 0x4a, |
846 | 0 | 0x3f, 0x17, 0x4c, 0xf4, 0x78, 0x7a, 0x4f, 0x1a, 0x40, 0xc2, 0xb5, 0x0b, |
847 | 0 | 0xab, 0xe1, 0x4a, 0xae, 0x53, 0x0b, 0xe5, 0x88, 0x6d, 0x91, 0x0a, 0x27, |
848 | 0 | }; |
849 | 0 | static const uint8_t kDRBGPersonalization[18] = { |
850 | 0 | 'B', 'C', 'M', 'P', 'e', 'r', 's', 'o', 'n', |
851 | 0 | 'a', 'l', 'i', 'z', 'a', 't', 'i', 'o', 'n'}; |
852 | 0 | static const uint8_t kDRBGAD[16] = {'B', 'C', 'M', ' ', 'D', 'R', 'B', 'G', |
853 | 0 | ' ', 'K', 'A', 'T', ' ', 'A', 'D', ' '}; |
854 | 0 | static const uint8_t kDRBGOutput[64] = { |
855 | 0 | 0x19, 0x1f, 0x2b, 0x49, 0x76, 0x85, 0xfd, 0x51, 0xb6, 0x56, 0xbc, |
856 | 0 | 0x1c, 0x7d, 0xd5, 0xdd, 0x44, 0x76, 0xa3, 0x5e, 0x17, 0x9b, 0x8e, |
857 | 0 | 0xb8, 0x98, 0x65, 0x12, 0xca, 0x35, 0x6c, 0xa0, 0x6f, 0xa0, 0x22, |
858 | 0 | 0xe4, 0xf6, 0xd8, 0x43, 0xed, 0x4e, 0x2d, 0x97, 0x39, 0x43, 0x3b, |
859 | 0 | 0x57, 0xfc, 0x23, 0x3f, 0x71, 0x0a, 0xe0, 0xed, 0xfe, 0xd5, 0xb8, |
860 | 0 | 0x67, 0x7a, 0x00, 0x39, 0xb2, 0x6e, 0xa9, 0x25, 0x97, |
861 | 0 | }; |
862 | 0 | static const uint8_t kDRBGEntropy2[48] = { |
863 | 0 | 0xc7, 0x16, 0x1c, 0xa3, 0x6c, 0x23, 0x09, 0xb7, 0x16, 0xe9, 0x85, 0x9b, |
864 | 0 | 0xb9, 0x6c, 0x6d, 0x49, 0xbd, 0xc8, 0x35, 0x21, 0x03, 0xa1, 0x8c, 0xd2, |
865 | 0 | 0x4e, 0xf4, 0x2e, 0xc9, 0x7e, 0xf4, 0x6b, 0xf4, 0x46, 0xeb, 0x1a, 0x45, |
866 | 0 | 0x76, 0xc1, 0x86, 0xe9, 0x35, 0x18, 0x03, 0x76, 0x3a, 0x79, 0x12, 0xfe, |
867 | 0 | }; |
868 | 0 | static const uint8_t kDRBGReseedOutput[64] = { |
869 | 0 | 0x00, 0xf2, 0x05, 0xaa, 0xfd, 0x11, 0x6c, 0x77, 0xbc, 0x81, 0x86, |
870 | 0 | 0x99, 0xca, 0x51, 0xcf, 0x80, 0x15, 0x9f, 0x02, 0x9e, 0x0b, 0xcd, |
871 | 0 | 0x26, 0xc8, 0x4b, 0x87, 0x8a, 0x15, 0x1a, 0xdd, 0xf2, 0xf3, 0xeb, |
872 | 0 | 0x94, 0x0b, 0x08, 0xc8, 0xc9, 0x57, 0xa4, 0x0b, 0x4b, 0x0f, 0x13, |
873 | 0 | 0xde, 0x7c, 0x0c, 0x6a, 0xac, 0x34, 0x4a, 0x9a, 0xf2, 0xd0, 0x83, |
874 | 0 | 0x02, 0x05, 0x17, 0xc9, 0x81, 0x8f, 0x2a, 0x81, 0x92, |
875 | 0 | }; |
876 | 0 | CTR_DRBG_STATE drbg; |
877 | 0 | if (!CTR_DRBG_init(&drbg, kDRBGEntropy, kDRBGPersonalization, |
878 | 0 | sizeof(kDRBGPersonalization)) || |
879 | 0 | !CTR_DRBG_generate(&drbg, output, sizeof(kDRBGOutput), kDRBGAD, |
880 | 0 | sizeof(kDRBGAD)) || |
881 | 0 | !BORINGSSL_check_test(kDRBGOutput, output, sizeof(kDRBGOutput), |
882 | 0 | "DRBG Generate KAT") || |
883 | 0 | !CTR_DRBG_reseed(&drbg, kDRBGEntropy2, kDRBGAD, sizeof(kDRBGAD)) || |
884 | 0 | !CTR_DRBG_generate(&drbg, output, sizeof(kDRBGReseedOutput), kDRBGAD, |
885 | 0 | sizeof(kDRBGAD)) || |
886 | 0 | !BORINGSSL_check_test(kDRBGReseedOutput, output, |
887 | 0 | sizeof(kDRBGReseedOutput), "DRBG-reseed KAT")) { |
888 | 0 | fprintf(CRYPTO_get_stderr(), "CTR-DRBG failed.\n"); |
889 | 0 | return 0; |
890 | 0 | } |
891 | 0 | CTR_DRBG_clear(&drbg); |
892 | |
|
893 | 0 | CTR_DRBG_STATE kZeroDRBG; |
894 | 0 | memset(&kZeroDRBG, 0, sizeof(kZeroDRBG)); |
895 | 0 | if (!BORINGSSL_check_test(&kZeroDRBG, &drbg, sizeof(drbg), |
896 | 0 | "DRBG Clear KAT")) { |
897 | 0 | return 0; |
898 | 0 | } |
899 | | |
900 | | // TLS KDF KAT |
901 | 0 | static const char kTLSLabel[] = "FIPS self test"; |
902 | 0 | static const uint8_t kTLSSeed1[16] = { |
903 | 0 | 0x8f, 0x0d, 0xe8, 0xb6, 0x90, 0x8f, 0xb1, 0xd2, |
904 | 0 | 0x6d, 0x51, 0xf4, 0x79, 0x18, 0x63, 0x51, 0x65, |
905 | 0 | }; |
906 | 0 | static const uint8_t kTLSSeed2[16] = { |
907 | 0 | 0x7d, 0x24, 0x1a, 0x9d, 0x3c, 0x59, 0xbf, 0x3c, |
908 | 0 | 0x31, 0x1e, 0x2b, 0x21, 0x41, 0x8d, 0x32, 0x81, |
909 | 0 | }; |
910 | |
|
911 | 0 | static const uint8_t kTLS10Secret[32] = { |
912 | 0 | 0xab, 0xc3, 0x65, 0x7b, 0x09, 0x4c, 0x76, 0x28, 0xa0, 0xb2, 0x82, |
913 | 0 | 0x99, 0x6f, 0xe7, 0x5a, 0x75, 0xf4, 0x98, 0x4f, 0xd9, 0x4d, 0x4e, |
914 | 0 | 0xcc, 0x2f, 0xcf, 0x53, 0xa2, 0xc4, 0x69, 0xa3, 0xf7, 0x31, |
915 | 0 | }; |
916 | 0 | static const uint8_t kTLS10Output[32] = { |
917 | 0 | 0x69, 0x7c, 0x4e, 0x2c, 0xee, 0x82, 0xb1, 0xd2, 0x8b, 0xac, 0x90, |
918 | 0 | 0x7a, 0xa1, 0x8a, 0x81, 0xfe, 0xc5, 0x58, 0x45, 0x57, 0x61, 0x2f, |
919 | 0 | 0x7a, 0x8d, 0x80, 0xfb, 0x44, 0xd8, 0x81, 0x60, 0xe5, 0xf8, |
920 | 0 | }; |
921 | 0 | uint8_t tls10_output[sizeof(kTLS10Output)]; |
922 | 0 | if (!CRYPTO_tls1_prf(EVP_md5_sha1(), tls10_output, sizeof(tls10_output), |
923 | 0 | kTLS10Secret, sizeof(kTLS10Secret), kTLSLabel, |
924 | 0 | sizeof(kTLSLabel), kTLSSeed1, sizeof(kTLSSeed1), |
925 | 0 | kTLSSeed2, sizeof(kTLSSeed2)) || |
926 | 0 | !BORINGSSL_check_test(kTLS10Output, tls10_output, sizeof(kTLS10Output), |
927 | 0 | "TLS10-KDF KAT")) { |
928 | 0 | fprintf(CRYPTO_get_stderr(), "TLS KDF failed.\n"); |
929 | 0 | return 0; |
930 | 0 | } |
931 | | |
932 | 0 | static const uint8_t kTLS12Secret[32] = { |
933 | 0 | 0xc5, 0x43, 0x8e, 0xe2, 0x6f, 0xd4, 0xac, 0xbd, 0x25, 0x9f, 0xc9, |
934 | 0 | 0x18, 0x55, 0xdc, 0x69, 0xbf, 0x88, 0x4e, 0xe2, 0x93, 0x22, 0xfc, |
935 | 0 | 0xbf, 0xd2, 0x96, 0x6a, 0x46, 0x23, 0xd4, 0x2e, 0xc7, 0x81, |
936 | 0 | }; |
937 | 0 | static const uint8_t kTLS12Output[32] = { |
938 | 0 | 0xee, 0x4a, 0xcd, 0x3f, 0xa3, 0xd3, 0x55, 0x89, 0x9e, 0x6f, 0xf1, |
939 | 0 | 0x38, 0x46, 0x9d, 0x2b, 0x33, 0xaa, 0x7f, 0xc4, 0x7f, 0x51, 0x85, |
940 | 0 | 0x8a, 0xf3, 0x13, 0x84, 0xbf, 0x53, 0x6a, 0x65, 0x37, 0x51, |
941 | 0 | }; |
942 | 0 | uint8_t tls12_output[sizeof(kTLS12Output)]; |
943 | 0 | if (!CRYPTO_tls1_prf(EVP_sha256(), tls12_output, sizeof(tls12_output), |
944 | 0 | kTLS12Secret, sizeof(kTLS12Secret), kTLSLabel, |
945 | 0 | sizeof(kTLSLabel), kTLSSeed1, sizeof(kTLSSeed1), |
946 | 0 | kTLSSeed2, sizeof(kTLSSeed2)) || |
947 | 0 | !BORINGSSL_check_test(kTLS12Output, tls12_output, sizeof(kTLS12Output), |
948 | 0 | "TLS12-KDF KAT")) { |
949 | 0 | fprintf(CRYPTO_get_stderr(), "TLS KDF failed.\n"); |
950 | 0 | return 0; |
951 | 0 | } |
952 | | |
953 | | // TLS v1.3: derives a dummy client-early-traffic secret. |
954 | 0 | static const uint8_t kTLS13Secret[32] = { |
955 | 0 | 0x02, 0x4a, 0x0d, 0x80, 0xf3, 0x57, 0xf2, 0x49, 0x9a, 0x12, 0x44, |
956 | 0 | 0xda, 0xc2, 0x6d, 0xab, 0x66, 0xfc, 0x13, 0xed, 0x85, 0xfc, 0xa7, |
957 | 0 | 0x1d, 0xac, 0xe1, 0x46, 0x21, 0x11, 0x19, 0x52, 0x58, 0x74, |
958 | 0 | }; |
959 | 0 | static const uint8_t kTLS13Salt[16] = { |
960 | 0 | 0x54, 0x61, 0x11, 0x36, 0x75, 0x91, 0xf0, 0xf8, |
961 | 0 | 0x92, 0xec, 0x70, 0xbd, 0x78, 0x2a, 0xef, 0x61, |
962 | 0 | }; |
963 | 0 | static const uint8_t kTLS13Label[] = "c e traffic"; |
964 | 0 | static const uint8_t kTLS13ClientHelloHash[32] = { |
965 | 0 | 0x1d, 0xe8, 0x67, 0xed, 0x93, 0x6a, 0x73, 0x65, 0x9b, 0x05, 0xcf, |
966 | 0 | 0x8a, 0x22, 0x77, 0xb7, 0x37, 0x29, 0xf2, 0x44, 0x94, 0x81, 0x6a, |
967 | 0 | 0x83, 0x33, 0x7f, 0x09, 0xbb, 0x6c, 0xc2, 0x6f, 0x48, 0x9c, |
968 | 0 | }; |
969 | 0 | static const uint8_t kTLS13ExpandLabelOutput[32] = { |
970 | 0 | 0x62, 0x91, 0x52, 0x90, 0x2e, 0xc9, 0xcf, 0x9c, 0x5f, 0x1e, 0x0a, |
971 | 0 | 0xb7, 0x00, 0x33, 0x42, 0x24, 0xc4, 0xe3, 0xba, 0x01, 0x40, 0x32, |
972 | 0 | 0x06, 0xab, 0x09, 0x23, 0x8a, 0xdd, 0x01, 0xa4, 0x05, 0xcd, |
973 | 0 | }; |
974 | 0 | uint8_t tls13_extract_output[32]; |
975 | 0 | size_t tls13_extract_output_len; |
976 | 0 | uint8_t tls13_expand_label_output[32]; |
977 | 0 | if (!HKDF_extract(tls13_extract_output, &tls13_extract_output_len, |
978 | 0 | EVP_sha256(), kTLS13Secret, sizeof(kTLS13Secret), |
979 | 0 | kTLS13Salt, sizeof(kTLS13Salt)) || |
980 | 0 | tls13_extract_output_len != sizeof(tls13_extract_output) || |
981 | 0 | !CRYPTO_tls13_hkdf_expand_label( |
982 | 0 | tls13_expand_label_output, sizeof(tls13_expand_label_output), |
983 | 0 | EVP_sha256(), tls13_extract_output, sizeof(tls13_extract_output), |
984 | 0 | kTLS13Label, sizeof(kTLS13Label) - 1, kTLS13ClientHelloHash, |
985 | 0 | sizeof(kTLS13ClientHelloHash)) || |
986 | 0 | !BORINGSSL_check_test(kTLS13ExpandLabelOutput, tls13_expand_label_output, |
987 | 0 | sizeof(kTLS13ExpandLabelOutput), |
988 | 0 | "CRYPTO_tls13_hkdf_expand_label")) { |
989 | 0 | fprintf(CRYPTO_get_stderr(), "TLS13-KDF failed.\n"); |
990 | 0 | return 0; |
991 | 0 | } |
992 | | |
993 | | // HKDF |
994 | 0 | static const uint8_t kHKDFSecret[32] = { |
995 | 0 | 0x68, 0x67, 0x85, 0x04, 0xb9, 0xb3, 0xad, 0xd1, 0x7d, 0x59, 0x67, |
996 | 0 | 0xa1, 0xa7, 0xbd, 0x37, 0x99, 0x3f, 0xd8, 0xa3, 0x3c, 0xe7, 0x30, |
997 | 0 | 0x30, 0x71, 0xf3, 0x9c, 0x09, 0x6d, 0x16, 0x35, 0xb3, 0xc9, |
998 | 0 | }; |
999 | 0 | static const uint8_t kHKDFSalt[32] = { |
1000 | 0 | 0x8a, 0xab, 0x18, 0xb4, 0x9b, 0x0a, 0x17, 0xf9, 0xe8, 0xe6, 0x97, |
1001 | 0 | 0x1a, 0x3d, 0xff, 0xda, 0x9b, 0x26, 0x8b, 0x3d, 0x17, 0x78, 0x0a, |
1002 | 0 | 0xb3, 0xea, 0x65, 0xdb, 0x2a, 0xc0, 0x29, 0x9c, 0xfa, 0x72, |
1003 | 0 | }; |
1004 | 0 | static const uint8_t kHKDFInfo[32] = { |
1005 | 0 | 0xe5, 0x6f, 0xf9, 0xe1, 0x18, 0x5e, 0x64, 0x8c, 0x6c, 0x8f, 0xee, |
1006 | 0 | 0xc6, 0x93, 0x5a, 0xc5, 0x14, 0x8c, 0xf3, 0xd9, 0x78, 0xd2, 0x3a, |
1007 | 0 | 0x86, 0xdd, 0x01, 0xdf, 0xb9, 0xe9, 0x5e, 0xe5, 0x1a, 0x56, |
1008 | 0 | }; |
1009 | 0 | static const uint8_t kHKDFOutput[32] = { |
1010 | 0 | 0xa6, 0x29, 0xb4, 0xd7, 0xf4, 0xc1, 0x16, 0x64, 0x71, 0x5e, 0xa4, |
1011 | 0 | 0xa8, 0xe6, 0x60, 0x8c, 0xf3, 0xc1, 0xa5, 0x03, 0xe2, 0x22, 0xf9, |
1012 | 0 | 0x89, 0xe2, 0x12, 0x18, 0xbe, 0xef, 0x16, 0x86, 0xe0, 0xec, |
1013 | 0 | }; |
1014 | 0 | uint8_t hkdf_output[sizeof(kHKDFOutput)]; |
1015 | 0 | if (!HKDF(hkdf_output, sizeof(hkdf_output), EVP_sha256(), kHKDFSecret, |
1016 | 0 | sizeof(kHKDFSecret), kHKDFSalt, sizeof(kHKDFSalt), kHKDFInfo, |
1017 | 0 | sizeof(kHKDFInfo)) || |
1018 | 0 | !BORINGSSL_check_test(kHKDFOutput, hkdf_output, sizeof(kHKDFOutput), |
1019 | 0 | "HKDF")) { |
1020 | 0 | fprintf(CRYPTO_get_stderr(), "HKDF failed.\n"); |
1021 | 0 | return 0; |
1022 | 0 | } |
1023 | | |
1024 | 0 | return 1; |
1025 | 0 | } |
1026 | | |
1027 | 0 | int BORINGSSL_self_test(void) { |
1028 | 0 | if (!boringssl_self_test_fast() || |
1029 | | // When requested to run self tests, also run some of the lazy tests. |
1030 | 0 | !boringssl_self_test_rsa() || // |
1031 | 0 | !boringssl_self_test_ecc() || // |
1032 | 0 | !boringssl_self_test_ffdh() || // |
1033 | 0 | !boringssl_self_test_mlkem() || // |
1034 | 0 | !boringssl_self_test_mldsa()) { |
1035 | 0 | return 0; |
1036 | 0 | } |
1037 | | |
1038 | 0 | return 1; |
1039 | 0 | } |
1040 | | |
1041 | 0 | int BORINGSSL_self_test_all(void) { |
1042 | 0 | if (!BORINGSSL_self_test() || |
1043 | | // When requested to run all self tests, add in the really slow tests. |
1044 | 0 | !boringssl_self_test_slhdsa()) { |
1045 | 0 | return 0; |
1046 | 0 | } |
1047 | | |
1048 | 0 | return 1; |
1049 | 0 | } |
1050 | | |
1051 | | #if defined(BORINGSSL_FIPS) |
1052 | | int boringssl_self_test_startup(void) { return boringssl_self_test_fast(); } |
1053 | | #endif |
1054 | | |
1055 | | #endif // !_MSC_VER |