1 /* Copyright (c) 2017, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/crypto.h>
16
17 #include <stdio.h>
18
19 #include <openssl/aead.h>
20 #include <openssl/aes.h>
21 #include <openssl/bn.h>
22 #include <openssl/des.h>
23 #include <openssl/ecdsa.h>
24 #include <openssl/ec_key.h>
25 #include <openssl/nid.h>
26 #include <openssl/rsa.h>
27 #include <openssl/sha.h>
28
29 #include "../../internal.h"
30 #include "../ec/internal.h"
31 #include "../rand/internal.h"
32
33
34 // MSVC wants to put a NUL byte at the end of non-char arrays and so cannot
35 // compile this.
36 #if !defined(_MSC_VER)
37
hexdump(const uint8_t * in,size_t len)38 static void hexdump(const uint8_t *in, size_t len) {
39 for (size_t i = 0; i < len; i++) {
40 fprintf(stderr, "%02x", in[i]);
41 }
42 }
43
check_test(const void * expected,const void * actual,size_t expected_len,const char * name)44 static int check_test(const void *expected, const void *actual,
45 size_t expected_len, const char *name) {
46 if (OPENSSL_memcmp(actual, expected, expected_len) != 0) {
47 fprintf(stderr, "%s failed.\nExpected: ", name);
48 hexdump(expected, expected_len);
49 fprintf(stderr, "\nCalculated: ");
50 hexdump(actual, expected_len);
51 fprintf(stderr, "\n");
52 fflush(stderr);
53 return 0;
54 }
55 return 1;
56 }
57
set_bignum(BIGNUM ** out,const uint8_t * in,size_t len)58 static int set_bignum(BIGNUM **out, const uint8_t *in, size_t len) {
59 *out = BN_bin2bn(in, len, NULL);
60 return *out != NULL;
61 }
62
self_test_rsa_key(void)63 static RSA *self_test_rsa_key(void) {
64 static const uint8_t kN[] = {
65 0xd3, 0x3a, 0x62, 0x9f, 0x07, 0x77, 0xb0, 0x18, 0xf3, 0xff, 0xfe, 0xcc,
66 0xc9, 0xa2, 0xc2, 0x3a, 0xa6, 0x1d, 0xd8, 0xf0, 0x26, 0x5b, 0x38, 0x90,
67 0x17, 0x48, 0x15, 0xce, 0x21, 0xcd, 0xd6, 0x62, 0x99, 0xe2, 0xd7, 0xda,
68 0x40, 0x80, 0x3c, 0xad, 0x18, 0xb7, 0x26, 0xe9, 0x30, 0x8a, 0x23, 0x3f,
69 0x68, 0x9a, 0x9c, 0x31, 0x34, 0x91, 0x99, 0x06, 0x11, 0x36, 0xb2, 0x9e,
70 0x3a, 0xd0, 0xbc, 0xb9, 0x93, 0x4e, 0xb8, 0x72, 0xa1, 0x9f, 0xb6, 0x8c,
71 0xd5, 0x17, 0x1f, 0x7e, 0xaa, 0x75, 0xbb, 0xdf, 0xa1, 0x70, 0x48, 0xc4,
72 0xec, 0x9a, 0x51, 0xed, 0x41, 0xc9, 0x74, 0xc0, 0x3e, 0x1e, 0x85, 0x2f,
73 0xbe, 0x34, 0xc7, 0x65, 0x34, 0x8b, 0x4d, 0x55, 0x4b, 0xe1, 0x45, 0x54,
74 0x0d, 0x75, 0x7e, 0x89, 0x4d, 0x0c, 0xf6, 0x33, 0xe5, 0xfc, 0xfb, 0x56,
75 0x1b, 0xf2, 0x39, 0x9d, 0xe0, 0xff, 0x55, 0xcf, 0x02, 0x05, 0xb9, 0x74,
76 0xd2, 0x91, 0xfc, 0x87, 0xe1, 0xbb, 0x97, 0x2a, 0xe4, 0xdd, 0x20, 0xc0,
77 0x38, 0x47, 0xc0, 0x76, 0x3f, 0xa1, 0x9b, 0x5c, 0x20, 0xff, 0xff, 0xc7,
78 0x49, 0x3b, 0x4c, 0xaf, 0x99, 0xa6, 0x3e, 0x82, 0x5c, 0x58, 0x27, 0xce,
79 0x01, 0x03, 0xc3, 0x16, 0x35, 0x20, 0xe9, 0xf0, 0x15, 0x7a, 0x41, 0xd5,
80 0x1f, 0x52, 0xea, 0xdf, 0xad, 0x4c, 0xbb, 0x0d, 0xcb, 0x04, 0x91, 0xb0,
81 0x95, 0xa8, 0xce, 0x25, 0xfd, 0xd2, 0x62, 0x47, 0x77, 0xee, 0x13, 0xf1,
82 0x48, 0x72, 0x9e, 0xd9, 0x2d, 0xe6, 0x5f, 0xa4, 0xc6, 0x9e, 0x5a, 0xb2,
83 0xc6, 0xa2, 0xf7, 0x0a, 0x16, 0x17, 0xae, 0x6b, 0x1c, 0x30, 0x7c, 0x63,
84 0x08, 0x83, 0xe7, 0x43, 0xec, 0x54, 0x5e, 0x2c, 0x08, 0x0b, 0x5e, 0x46,
85 0xa7, 0x10, 0x93, 0x43, 0x53, 0x4e, 0xe3, 0x16, 0x73, 0x55, 0xce, 0xf2,
86 0x94, 0xc0, 0xbe, 0xb3,
87 };
88 static const uint8_t kE[] = {0x01, 0x00, 0x01}; // 65537
89 static const uint8_t kD[] = {
90 0x2f, 0x2c, 0x1e, 0xd2, 0x3d, 0x2c, 0xb1, 0x9b, 0x21, 0x02, 0xce, 0xb8,
91 0x95, 0x5f, 0x4f, 0xd9, 0x21, 0x38, 0x11, 0x36, 0xb0, 0x9a, 0x36, 0xab,
92 0x97, 0x47, 0x75, 0xf7, 0x2e, 0xfd, 0x75, 0x1f, 0x58, 0x16, 0x9c, 0xf6,
93 0x14, 0xe9, 0x8e, 0xa3, 0x69, 0x9d, 0x9d, 0x86, 0xfe, 0x5c, 0x1b, 0x3b,
94 0x11, 0xf5, 0x55, 0x64, 0x77, 0xc4, 0xfc, 0x53, 0xaa, 0x8c, 0x78, 0x9f,
95 0x75, 0xab, 0x20, 0x3a, 0xa1, 0x77, 0x37, 0x22, 0x02, 0x8e, 0x54, 0x8a,
96 0x67, 0x1c, 0x5e, 0xe0, 0x3e, 0xd9, 0x44, 0x37, 0xd1, 0x29, 0xee, 0x56,
97 0x6c, 0x30, 0x9a, 0x93, 0x4d, 0xd9, 0xdb, 0xc5, 0x03, 0x1a, 0x75, 0xcc,
98 0x0f, 0xc2, 0x61, 0xb5, 0x6c, 0x62, 0x9f, 0xc6, 0xa8, 0xc7, 0x8a, 0x60,
99 0x17, 0x11, 0x62, 0x4c, 0xef, 0x74, 0x31, 0x97, 0xad, 0x89, 0x2d, 0xe8,
100 0x31, 0x1d, 0x8b, 0x58, 0x82, 0xe3, 0x03, 0x1a, 0x6b, 0xdf, 0x3f, 0x3e,
101 0xa4, 0x27, 0x19, 0xef, 0x46, 0x7a, 0x90, 0xdf, 0xa7, 0xe7, 0xc9, 0x66,
102 0xab, 0x41, 0x1d, 0x65, 0x78, 0x1c, 0x18, 0x40, 0x5c, 0xd6, 0x87, 0xb5,
103 0xea, 0x29, 0x44, 0xb3, 0xf5, 0xb3, 0xd2, 0x4f, 0xce, 0x88, 0x78, 0x49,
104 0x27, 0x4e, 0x0b, 0x30, 0x85, 0xfb, 0x73, 0xfd, 0x8b, 0x32, 0x15, 0xee,
105 0x1f, 0xc9, 0x0e, 0x89, 0xb9, 0x43, 0x2f, 0xe9, 0x60, 0x8d, 0xda, 0xae,
106 0x2b, 0x30, 0x99, 0xee, 0x88, 0x81, 0x20, 0x7b, 0x4a, 0xc3, 0x18, 0xf2,
107 0x94, 0x02, 0x79, 0x94, 0xaa, 0x65, 0xd9, 0x1b, 0x45, 0x2a, 0xac, 0x6e,
108 0x30, 0x48, 0x57, 0xea, 0xbe, 0x79, 0x7d, 0xfc, 0x67, 0xaa, 0x47, 0xc0,
109 0xf7, 0x52, 0xfd, 0x0b, 0x63, 0x4e, 0x3d, 0x2e, 0xcc, 0x36, 0xa0, 0xdb,
110 0x92, 0x0b, 0xa9, 0x1b, 0xeb, 0xc2, 0xd5, 0x08, 0xd3, 0x85, 0x87, 0xf8,
111 0x5d, 0x1a, 0xf6, 0xc1,
112 };
113 static const uint8_t kP[] = {
114 0xf7, 0x06, 0xa3, 0x98, 0x8a, 0x52, 0xf8, 0x63, 0x68, 0x27, 0x4f, 0x68,
115 0x7f, 0x34, 0xec, 0x8e, 0x5d, 0xf8, 0x30, 0x92, 0xb3, 0x62, 0x4c, 0xeb,
116 0xdb, 0x19, 0x6b, 0x09, 0xc5, 0xa3, 0xf0, 0xbb, 0xff, 0x0f, 0xc2, 0xd4,
117 0x9b, 0xc9, 0x54, 0x4f, 0xb9, 0xf9, 0xe1, 0x4c, 0xf0, 0xe3, 0x4c, 0x90,
118 0xda, 0x7a, 0x01, 0xc2, 0x9f, 0xc4, 0xc8, 0x8e, 0xb1, 0x1e, 0x93, 0x75,
119 0x75, 0xc6, 0x13, 0x25, 0xc3, 0xee, 0x3b, 0xcc, 0xb8, 0x72, 0x6c, 0x49,
120 0xb0, 0x09, 0xfb, 0xab, 0x44, 0xeb, 0x4d, 0x40, 0xf0, 0x61, 0x6b, 0xe5,
121 0xe6, 0xfe, 0x3e, 0x0a, 0x77, 0x26, 0x39, 0x76, 0x3d, 0x4c, 0x3e, 0x9b,
122 0x5b, 0xc0, 0xaf, 0xa2, 0x58, 0x76, 0xb0, 0xe9, 0xda, 0x7f, 0x0e, 0x78,
123 0xc9, 0x76, 0x49, 0x5c, 0xfa, 0xb3, 0xb0, 0x15, 0x4b, 0x41, 0xc7, 0x27,
124 0xa4, 0x75, 0x28, 0x5c, 0x30, 0x69, 0x50, 0x29,
125 };
126 static const uint8_t kQ[] = {
127 0xda, 0xe6, 0xd2, 0xbb, 0x44, 0xff, 0x4f, 0xdf, 0x57, 0xc1, 0x11, 0xa3,
128 0x51, 0xba, 0x17, 0x89, 0x4c, 0x01, 0xc0, 0x0c, 0x97, 0x34, 0x50, 0xcf,
129 0x32, 0x1e, 0xc0, 0xbd, 0x7b, 0x35, 0xb5, 0x6a, 0x26, 0xcc, 0xea, 0x4c,
130 0x8e, 0x87, 0x4a, 0x67, 0x8b, 0xd3, 0xe5, 0x4f, 0x3a, 0x60, 0x48, 0x59,
131 0x04, 0x93, 0x39, 0xd7, 0x7c, 0xfb, 0x19, 0x1a, 0x34, 0xd5, 0xe8, 0xaf,
132 0xe7, 0x22, 0x2c, 0x0d, 0xc2, 0x91, 0x69, 0xb6, 0xe9, 0x2a, 0xe9, 0x1c,
133 0x4c, 0x6e, 0x8f, 0x40, 0xf5, 0xa8, 0x3e, 0x82, 0x69, 0x69, 0xbe, 0x9f,
134 0x7d, 0x5c, 0x7f, 0x92, 0x78, 0x17, 0xa3, 0x6d, 0x41, 0x2d, 0x72, 0xed,
135 0x3f, 0x71, 0xfa, 0x97, 0xb4, 0x63, 0xe4, 0x4f, 0xd9, 0x46, 0x03, 0xfb,
136 0x00, 0xeb, 0x30, 0x70, 0xb9, 0x51, 0xd9, 0x0a, 0xd2, 0xf8, 0x50, 0xd4,
137 0xfb, 0x43, 0x84, 0xf8, 0xac, 0x58, 0xc3, 0x7b,
138 };
139 static const uint8_t kDModPMinusOne[] = {
140 0xf5, 0x50, 0x8f, 0x88, 0x7d, 0xdd, 0xb5, 0xb4, 0x2a, 0x8b, 0xd7, 0x4d,
141 0x23, 0xfe, 0xaf, 0xe9, 0x16, 0x22, 0xd2, 0x41, 0xed, 0x88, 0xf2, 0x70,
142 0xcb, 0x4d, 0xeb, 0xc1, 0x71, 0x97, 0xc4, 0x0b, 0x3e, 0x5a, 0x2d, 0x96,
143 0xab, 0xfa, 0xfd, 0x12, 0x8b, 0xd3, 0x3e, 0x4e, 0x05, 0x6f, 0x04, 0xeb,
144 0x59, 0x3c, 0x0e, 0xa1, 0x73, 0xbe, 0x9d, 0x99, 0x2f, 0x05, 0xf9, 0x54,
145 0x8d, 0x98, 0x1e, 0x0d, 0xc4, 0x0c, 0xc3, 0x30, 0x23, 0xff, 0xe5, 0xd0,
146 0x2b, 0xd5, 0x4e, 0x2b, 0xa0, 0xae, 0xb8, 0x32, 0x84, 0x45, 0x8b, 0x3c,
147 0x6d, 0xf0, 0x10, 0x36, 0x9e, 0x6a, 0xc4, 0x67, 0xca, 0xa9, 0xfc, 0x06,
148 0x96, 0xd0, 0xbc, 0xda, 0xd1, 0x55, 0x55, 0x8d, 0x77, 0x21, 0xf4, 0x82,
149 0x39, 0x37, 0x91, 0xd5, 0x97, 0x56, 0x78, 0xc8, 0x3c, 0xcb, 0x5e, 0xf6,
150 0xdc, 0x58, 0x48, 0xb3, 0x7c, 0x94, 0x29, 0x39,
151 };
152 static const uint8_t kDModQMinusOne[] = {
153 0x64, 0x65, 0xbd, 0x7d, 0x1a, 0x96, 0x26, 0xa1, 0xfe, 0xf3, 0x94, 0x0d,
154 0x5d, 0xec, 0x85, 0xe2, 0xf8, 0xb3, 0x4c, 0xcb, 0xf9, 0x85, 0x8b, 0x12,
155 0x9c, 0xa0, 0x32, 0x32, 0x35, 0x92, 0x5a, 0x94, 0x47, 0x1b, 0x70, 0xd2,
156 0x90, 0x04, 0x49, 0x01, 0xd8, 0xc5, 0xe4, 0xc4, 0x43, 0xb7, 0xe9, 0x36,
157 0xba, 0xbc, 0x73, 0xa8, 0xfb, 0xaf, 0x86, 0xc1, 0xd8, 0x3d, 0xcb, 0xac,
158 0xf1, 0xcb, 0x60, 0x7d, 0x27, 0x21, 0xde, 0x64, 0x7f, 0xe8, 0xa8, 0x65,
159 0xcc, 0x40, 0x60, 0xff, 0xa0, 0x2b, 0xfc, 0x0f, 0x80, 0x1d, 0x79, 0xca,
160 0x58, 0x8a, 0xd6, 0x0f, 0xed, 0x78, 0x9a, 0x02, 0x00, 0x04, 0xc2, 0x53,
161 0x41, 0xe8, 0x1a, 0xd0, 0xfd, 0x71, 0x5b, 0x43, 0xac, 0x19, 0x4a, 0xb6,
162 0x12, 0xa3, 0xcb, 0xe1, 0xc7, 0x7d, 0x5c, 0x98, 0x74, 0x4e, 0x63, 0x74,
163 0x6b, 0x91, 0x7a, 0x29, 0x3b, 0x92, 0xb2, 0x85,
164 };
165 static const uint8_t kQInverseModP[] = {
166 0xd0, 0xde, 0x19, 0xda, 0x1e, 0xa2, 0xd8, 0x8f, 0x1c, 0x92, 0x73, 0xb0,
167 0xc9, 0x90, 0xc7, 0xf5, 0xec, 0xc5, 0x89, 0x01, 0x05, 0x78, 0x11, 0x2d,
168 0x74, 0x34, 0x44, 0xad, 0xd5, 0xf7, 0xa4, 0xfe, 0x9f, 0x25, 0x4d, 0x0b,
169 0x92, 0xe3, 0xb8, 0x7d, 0xd3, 0xfd, 0xa5, 0xca, 0x95, 0x60, 0xa3, 0xf9,
170 0x55, 0x42, 0x14, 0xb2, 0x45, 0x51, 0x9f, 0x73, 0x88, 0x43, 0x8a, 0xd1,
171 0x65, 0x9e, 0xd1, 0xf7, 0x82, 0x2a, 0x2a, 0x8d, 0x70, 0x56, 0xe3, 0xef,
172 0xc9, 0x0e, 0x2a, 0x2c, 0x15, 0xaf, 0x7f, 0x97, 0x81, 0x66, 0xf3, 0xb5,
173 0x00, 0xa9, 0x26, 0xcc, 0x1e, 0xc2, 0x98, 0xdd, 0xd3, 0x37, 0x06, 0x79,
174 0xb3, 0x60, 0x58, 0x79, 0x99, 0x3f, 0xa3, 0x15, 0x1f, 0x31, 0xe3, 0x11,
175 0x88, 0x4c, 0x35, 0x57, 0xfa, 0x79, 0xd7, 0xd8, 0x72, 0xee, 0x73, 0x95,
176 0x89, 0x29, 0xc7, 0x05, 0x27, 0x68, 0x90, 0x15,
177 };
178
179 RSA *rsa = RSA_new();
180 if (rsa == NULL ||
181 !set_bignum(&rsa->n, kN, sizeof(kN)) ||
182 !set_bignum(&rsa->e, kE, sizeof(kE)) ||
183 !set_bignum(&rsa->d, kD, sizeof(kD)) ||
184 !set_bignum(&rsa->p, kP, sizeof(kP)) ||
185 !set_bignum(&rsa->q, kQ, sizeof(kQ)) ||
186 !set_bignum(&rsa->dmp1, kDModPMinusOne, sizeof(kDModPMinusOne)) ||
187 !set_bignum(&rsa->dmq1, kDModQMinusOne, sizeof(kDModQMinusOne)) ||
188 !set_bignum(&rsa->iqmp, kQInverseModP, sizeof(kQInverseModP))) {
189 RSA_free(rsa);
190 return NULL;
191 }
192
193 return rsa;
194 }
195
self_test_ecdsa_key(void)196 static EC_KEY *self_test_ecdsa_key(void) {
197 static const uint8_t kQx[] = {
198 0xc8, 0x15, 0x61, 0xec, 0xf2, 0xe5, 0x4e, 0xde, 0xfe, 0x66, 0x17,
199 0xdb, 0x1c, 0x7a, 0x34, 0xa7, 0x07, 0x44, 0xdd, 0xb2, 0x61, 0xf2,
200 0x69, 0xb8, 0x3d, 0xac, 0xfc, 0xd2, 0xad, 0xe5, 0xa6, 0x81,
201 };
202 static const uint8_t kQy[] = {
203 0xe0, 0xe2, 0xaf, 0xa3, 0xf9, 0xb6, 0xab, 0xe4, 0xc6, 0x98, 0xef,
204 0x64, 0x95, 0xf1, 0xbe, 0x49, 0xa3, 0x19, 0x6c, 0x50, 0x56, 0xac,
205 0xb3, 0x76, 0x3f, 0xe4, 0x50, 0x7e, 0xec, 0x59, 0x6e, 0x88,
206 };
207 static const uint8_t kD[] = {
208 0xc6, 0xc1, 0xaa, 0xda, 0x15, 0xb0, 0x76, 0x61, 0xf8, 0x14, 0x2c,
209 0x6c, 0xaf, 0x0f, 0xdb, 0x24, 0x1a, 0xff, 0x2e, 0xfe, 0x46, 0xc0,
210 0x93, 0x8b, 0x74, 0xf2, 0xbc, 0xc5, 0x30, 0x52, 0xb0, 0x77,
211 };
212
213 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
214 BIGNUM *qx = BN_bin2bn(kQx, sizeof(kQx), NULL);
215 BIGNUM *qy = BN_bin2bn(kQy, sizeof(kQy), NULL);
216 BIGNUM *d = BN_bin2bn(kD, sizeof(kD), NULL);
217 if (ec_key == NULL || qx == NULL || qy == NULL || d == NULL ||
218 !EC_KEY_set_public_key_affine_coordinates(ec_key, qx, qy) ||
219 !EC_KEY_set_private_key(ec_key, d)) {
220 EC_KEY_free(ec_key);
221 ec_key = NULL;
222 }
223
224 BN_free(qx);
225 BN_free(qy);
226 BN_free(d);
227 return ec_key;
228 }
229
BORINGSSL_self_test(void)230 int BORINGSSL_self_test(void) {
231 static const uint8_t kAESKey[16] = "BoringCrypto Key";
232 static const uint8_t kAESIV[16] = {0};
233 static const uint8_t kPlaintext[64] =
234 "BoringCryptoModule FIPS KAT Encryption and Decryption Plaintext!";
235 static const uint8_t kAESCBCCiphertext[64] = {
236 0x87, 0x2d, 0x98, 0xc2, 0xcc, 0x31, 0x5b, 0x41, 0xe0, 0xfa, 0x7b,
237 0x0a, 0x71, 0xc0, 0x42, 0xbf, 0x4f, 0x61, 0xd0, 0x0d, 0x58, 0x8c,
238 0xf7, 0x05, 0xfb, 0x94, 0x89, 0xd3, 0xbc, 0xaa, 0x1a, 0x50, 0x45,
239 0x1f, 0xc3, 0x8c, 0xb8, 0x98, 0x86, 0xa3, 0xe3, 0x6c, 0xfc, 0xad,
240 0x3a, 0xb5, 0x59, 0x27, 0x7d, 0x21, 0x07, 0xca, 0x4c, 0x1d, 0x55,
241 0x34, 0xdd, 0x5a, 0x2d, 0xc4, 0xb4, 0xf5, 0xa8,
242 #if !defined(BORINGSSL_FIPS_BREAK_AES_CBC)
243 0x35
244 #else
245 0x00
246 #endif
247 };
248 static const uint8_t kAESGCMCiphertext[80] = {
249 0x4a, 0xd8, 0xe7, 0x7d, 0x78, 0xd7, 0x7d, 0x5e, 0xb2, 0x11, 0xb6, 0xc9,
250 0xa4, 0xbc, 0xb2, 0xae, 0xbe, 0x93, 0xd1, 0xb7, 0xfe, 0x65, 0xc1, 0x82,
251 0x2a, 0xb6, 0x71, 0x5f, 0x1a, 0x7c, 0xe0, 0x1b, 0x2b, 0xe2, 0x53, 0xfa,
252 0xa0, 0x47, 0xfa, 0xd7, 0x8f, 0xb1, 0x4a, 0xc4, 0xdc, 0x89, 0xf9, 0xb4,
253 0x14, 0x4d, 0xde, 0x95, 0xea, 0x29, 0x69, 0x76, 0x81, 0xa3, 0x5c, 0x33,
254 0xd8, 0x37, 0xd8, 0xfa, 0x47, 0x19, 0x46, 0x2f, 0xf1, 0x90, 0xb7, 0x61,
255 0x8f, 0x6f, 0xdd, 0x31, 0x3f, 0x6a, 0x64,
256 #if !defined(BORINGSSL_FIPS_BREAK_AES_GCM)
257 0x0d
258 #else
259 0x00
260 #endif
261 };
262 static const DES_cblock kDESKey1 = {"BCMDESK1"};
263 static const DES_cblock kDESKey2 = {"BCMDESK2"};
264 static const DES_cblock kDESKey3 = {"BCMDESK3"};
265 static const DES_cblock kDESIV = {"BCMDESIV"};
266 static const uint8_t kDESCiphertext[64] = {
267 0xa4, 0x30, 0x7a, 0x4c, 0x1f, 0x60, 0x16, 0xd7, 0x4f, 0x41, 0xe1,
268 0xbb, 0x27, 0xc4, 0x27, 0x37, 0xd4, 0x7f, 0xb9, 0x10, 0xf8, 0xbc,
269 0xaf, 0x93, 0x91, 0xb8, 0x88, 0x24, 0xb1, 0xf6, 0xf8, 0xbd, 0x31,
270 0x96, 0x06, 0x76, 0xde, 0x32, 0xcd, 0x29, 0x29, 0xba, 0x70, 0x5f,
271 0xea, 0xc0, 0xcb, 0xde, 0xc7, 0x75, 0x90, 0xe0, 0x0f, 0x5e, 0x2c,
272 0x0d, 0x49, 0x20, 0xd5, 0x30, 0x83, 0xf8, 0x08,
273 #if !defined(BORINGSSL_FIPS_BREAK_DES)
274 0x5a
275 #else
276 0x00
277 #endif
278 };
279 static const uint8_t kPlaintextSHA1[20] = {
280 0xc6, 0xf8, 0xc9, 0x63, 0x1c, 0x14, 0x23, 0x62, 0x9b, 0xbd,
281 0x55, 0x82, 0xf4, 0xd6, 0x1d, 0xf2, 0xab, 0x7d, 0xc8,
282 #if !defined(BORINGSSL_FIPS_BREAK_SHA_1)
283 0x28
284 #else
285 0x00
286 #endif
287 };
288 static const uint8_t kPlaintextSHA256[32] = {
289 0x37, 0xbd, 0x70, 0x53, 0x72, 0xfc, 0xd4, 0x03, 0x79, 0x70, 0xfb,
290 0x06, 0x95, 0xb1, 0x2a, 0x82, 0x48, 0xe1, 0x3e, 0xf2, 0x33, 0xfb,
291 0xef, 0x29, 0x81, 0x22, 0x45, 0x40, 0x43, 0x70, 0xce,
292 #if !defined(BORINGSSL_FIPS_BREAK_SHA_256)
293 0x0f
294 #else
295 0x00
296 #endif
297 };
298 static const uint8_t kPlaintextSHA512[64] = {
299 0x08, 0x6a, 0x1c, 0x84, 0x61, 0x9d, 0x8e, 0xb3, 0xc0, 0x97, 0x4e,
300 0xa1, 0x9f, 0x9c, 0xdc, 0xaf, 0x3b, 0x5c, 0x31, 0xf0, 0xf2, 0x74,
301 0xc3, 0xbd, 0x6e, 0xd6, 0x1e, 0xb2, 0xbb, 0x34, 0x74, 0x72, 0x5c,
302 0x51, 0x29, 0x8b, 0x87, 0x3a, 0xa3, 0xf2, 0x25, 0x23, 0xd4, 0x1c,
303 0x82, 0x1b, 0xfe, 0xd3, 0xc6, 0xee, 0xb5, 0xd6, 0xaf, 0x07, 0x7b,
304 0x98, 0xca, 0xa7, 0x01, 0xf3, 0x94, 0xf3, 0x68,
305 #if !defined(BORINGSSL_FIPS_BREAK_SHA_512)
306 0x14
307 #else
308 0x00
309 #endif
310 };
311 static const uint8_t kRSASignature[256] = {
312 0x62, 0x66, 0x4b, 0xe3, 0xb1, 0xd2, 0x83, 0xf1, 0xa8, 0x56, 0x2b, 0x33,
313 0x60, 0x1e, 0xdb, 0x1e, 0x06, 0xf7, 0xa7, 0x1e, 0xa8, 0xef, 0x03, 0x4d,
314 0x0c, 0xf6, 0x83, 0x75, 0x7a, 0xf0, 0x14, 0xc7, 0xe2, 0x94, 0x3a, 0xb5,
315 0x67, 0x56, 0xa5, 0x48, 0x7f, 0x3a, 0xa5, 0xbf, 0xf7, 0x1d, 0x44, 0xa6,
316 0x34, 0xed, 0x9b, 0xd6, 0x51, 0xaa, 0x2c, 0x4e, 0xce, 0x60, 0x5f, 0xe9,
317 0x0e, 0xd5, 0xcd, 0xeb, 0x23, 0x27, 0xf8, 0xfb, 0x45, 0xe5, 0x34, 0x63,
318 0x77, 0x7f, 0x2e, 0x80, 0xcf, 0x9d, 0x2e, 0xfc, 0xe2, 0x50, 0x75, 0x29,
319 0x46, 0xf4, 0xaf, 0x91, 0xed, 0x36, 0xe1, 0x5e, 0xef, 0x66, 0xa1, 0xff,
320 0x27, 0xfc, 0x87, 0x7e, 0x60, 0x84, 0x0f, 0x54, 0x51, 0x56, 0x0f, 0x68,
321 0x99, 0xc0, 0x3f, 0xeb, 0xa5, 0xa0, 0x46, 0xb0, 0x86, 0x02, 0xb0, 0xc8,
322 0xe8, 0x46, 0x13, 0x06, 0xcd, 0xb7, 0x8a, 0xd0, 0x3b, 0x46, 0xd0, 0x14,
323 0x64, 0x53, 0x9b, 0x5b, 0x5e, 0x02, 0x45, 0xba, 0x6e, 0x7e, 0x0a, 0xb9,
324 0x9e, 0x62, 0xb7, 0xd5, 0x7a, 0x87, 0xea, 0xd3, 0x24, 0xa5, 0xef, 0xb3,
325 0xdc, 0x05, 0x9c, 0x04, 0x60, 0x4b, 0xde, 0xa8, 0x90, 0x08, 0x7b, 0x6a,
326 0x5f, 0xb4, 0x3f, 0xda, 0xc5, 0x1f, 0x6e, 0xd6, 0x15, 0xde, 0x65, 0xa4,
327 0x6e, 0x62, 0x9d, 0x8f, 0xa8, 0xbe, 0x86, 0xf6, 0x09, 0x90, 0x40, 0xa5,
328 0xf4, 0x23, 0xc5, 0xf6, 0x38, 0x86, 0x0d, 0x1c, 0xed, 0x4a, 0x0a, 0xae,
329 0xa4, 0x26, 0xc2, 0x2e, 0xd3, 0x13, 0x66, 0x61, 0xea, 0x35, 0x01, 0x0e,
330 0x13, 0xda, 0x78, 0x20, 0xae, 0x59, 0x5f, 0x9b, 0xa9, 0x6c, 0xf9, 0x1b,
331 0xdf, 0x76, 0x53, 0xc8, 0xa7, 0xf5, 0x63, 0x6d, 0xf3, 0xff, 0xfd, 0xaf,
332 0x75, 0x4b, 0xac, 0x67, 0xb1, 0x3c, 0xbf, 0x5e, 0xde, 0x73, 0x02, 0x6d,
333 0xd2, 0x0c, 0xb1,
334 #if !defined(BORINGSSL_FIPS_BREAK_RSA_SIG)
335 0x64
336 #else
337 0x00
338 #endif
339 };
340 const uint8_t kDRBGEntropy[48] =
341 "BCM Known Answer Test DBRG Initial Entropy ";
342 const uint8_t kDRBGPersonalization[18] = "BCMPersonalization";
343 const uint8_t kDRBGAD[16] = "BCM DRBG KAT AD ";
344 const uint8_t kDRBGOutput[64] = {
345 0x1d, 0x63, 0xdf, 0x05, 0x51, 0x49, 0x22, 0x46, 0xcd, 0x9b, 0xc5,
346 0xbb, 0xf1, 0x5d, 0x44, 0xae, 0x13, 0x78, 0xb1, 0xe4, 0x7c, 0xf1,
347 0x96, 0x33, 0x3d, 0x60, 0xb6, 0x29, 0xd4, 0xbb, 0x6b, 0x44, 0xf9,
348 0xef, 0xd9, 0xf4, 0xa2, 0xba, 0x48, 0xea, 0x39, 0x75, 0x59, 0x32,
349 0xf7, 0x31, 0x2c, 0x98, 0x14, 0x2b, 0x49, 0xdf, 0x02, 0xb6, 0x5d,
350 0x71, 0x09, 0x50, 0xdb, 0x23, 0xdb, 0xe5, 0x22,
351 #if !defined(BORINGSSL_FIPS_BREAK_DRBG)
352 0x95
353 #else
354 0x00
355 #endif
356 };
357 const uint8_t kDRBGEntropy2[48] =
358 "BCM Known Answer Test DBRG Reseed Entropy ";
359 const uint8_t kDRBGReseedOutput[64] = {
360 0xa4, 0x77, 0x05, 0xdb, 0x14, 0x11, 0x76, 0x71, 0x42, 0x5b, 0xd8,
361 0xd7, 0xa5, 0x4f, 0x8b, 0x39, 0xf2, 0x10, 0x4a, 0x50, 0x5b, 0xa2,
362 0xc8, 0xf0, 0xbb, 0x3e, 0xa1, 0xa5, 0x90, 0x7d, 0x54, 0xd9, 0xc6,
363 0xb0, 0x96, 0xc0, 0x2b, 0x7e, 0x9b, 0xc9, 0xa1, 0xdd, 0x78, 0x2e,
364 0xd5, 0xa8, 0x66, 0x16, 0xbd, 0x18, 0x3c, 0xf2, 0xaa, 0x7a, 0x2b,
365 0x37, 0xf9, 0xab, 0x35, 0x64, 0x15, 0x01, 0x3f, 0xc4,
366 };
367 const uint8_t kECDSASigR[32] = {
368 0x67, 0x80, 0xc5, 0xfc, 0x70, 0x27, 0x5e, 0x2c, 0x70, 0x61, 0xa0,
369 0xe7, 0x87, 0x7b, 0xb1, 0x74, 0xde, 0xad, 0xeb, 0x98, 0x87, 0x02,
370 0x7f, 0x3f, 0xa8, 0x36, 0x54, 0x15, 0x8b, 0xa7, 0xf5,
371 #if !defined(BORINGSSL_FIPS_BREAK_ECDSA_SIG)
372 0x0c,
373 #else
374 0x00,
375 #endif
376 };
377 const uint8_t kECDSASigS[32] = {
378 0xa5, 0x93, 0xe0, 0x23, 0x91, 0xe7, 0x4b, 0x8d, 0x77, 0x25, 0xa6,
379 0xba, 0x4d, 0xd9, 0x86, 0x77, 0xda, 0x7d, 0x8f, 0xef, 0xc4, 0x1a,
380 0xf0, 0xcc, 0x81, 0xe5, 0xea, 0x3f, 0xc2, 0x41, 0x7f, 0xd8,
381 };
382
383 EVP_AEAD_CTX aead_ctx;
384 EVP_AEAD_CTX_zero(&aead_ctx);
385 RSA *rsa_key = NULL;
386 EC_KEY *ec_key = NULL;
387 ECDSA_SIG *sig = NULL;
388 int ret = 0;
389
390 AES_KEY aes_key;
391 uint8_t aes_iv[16];
392 uint8_t output[256];
393
394 // AES-CBC Encryption KAT
395 memcpy(aes_iv, kAESIV, sizeof(kAESIV));
396 if (AES_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) {
397 fprintf(stderr, "AES_set_encrypt_key failed.\n");
398 goto err;
399 }
400 AES_cbc_encrypt(kPlaintext, output, sizeof(kPlaintext), &aes_key, aes_iv,
401 AES_ENCRYPT);
402 if (!check_test(kAESCBCCiphertext, output, sizeof(kAESCBCCiphertext),
403 "AES-CBC Encryption KAT")) {
404 goto err;
405 }
406
407 // AES-CBC Decryption KAT
408 memcpy(aes_iv, kAESIV, sizeof(kAESIV));
409 if (AES_set_decrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) {
410 fprintf(stderr, "AES_set_decrypt_key failed.\n");
411 goto err;
412 }
413 AES_cbc_encrypt(kAESCBCCiphertext, output, sizeof(kAESCBCCiphertext),
414 &aes_key, aes_iv, AES_DECRYPT);
415 if (!check_test(kPlaintext, output, sizeof(kPlaintext),
416 "AES-CBC Decryption KAT")) {
417 goto err;
418 }
419
420 size_t out_len;
421 uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
422 OPENSSL_memset(nonce, 0, sizeof(nonce));
423 if (!EVP_AEAD_CTX_init(&aead_ctx, EVP_aead_aes_128_gcm(), kAESKey,
424 sizeof(kAESKey), 0, NULL)) {
425 fprintf(stderr, "EVP_AEAD_CTX_init for AES-128-GCM failed.\n");
426 goto err;
427 }
428
429 // AES-GCM Encryption KAT
430 if (!EVP_AEAD_CTX_seal(&aead_ctx, output, &out_len, sizeof(output), nonce,
431 EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()),
432 kPlaintext, sizeof(kPlaintext), NULL, 0) ||
433 !check_test(kAESGCMCiphertext, output, sizeof(kAESGCMCiphertext),
434 "AES-GCM Encryption KAT")) {
435 fprintf(stderr, "EVP_AEAD_CTX_seal for AES-128-GCM failed.\n");
436 goto err;
437 }
438
439 // AES-GCM Decryption KAT
440 if (!EVP_AEAD_CTX_open(&aead_ctx, output, &out_len, sizeof(output), nonce,
441 EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()),
442 kAESGCMCiphertext, sizeof(kAESGCMCiphertext), NULL,
443 0) ||
444 !check_test(kPlaintext, output, sizeof(kPlaintext),
445 "AES-GCM Decryption KAT")) {
446 fprintf(stderr, "EVP_AEAD_CTX_open for AES-128-GCM failed.\n");
447 goto err;
448 }
449
450 DES_key_schedule des1, des2, des3;
451 DES_cblock des_iv;
452 DES_set_key(&kDESKey1, &des1);
453 DES_set_key(&kDESKey2, &des2);
454 DES_set_key(&kDESKey3, &des3);
455
456 // 3DES Encryption KAT
457 memcpy(&des_iv, &kDESIV, sizeof(des_iv));
458 DES_ede3_cbc_encrypt(kPlaintext, output, sizeof(kPlaintext), &des1, &des2,
459 &des3, &des_iv, DES_ENCRYPT);
460 if (!check_test(kDESCiphertext, output, sizeof(kDESCiphertext),
461 "3DES Encryption KAT")) {
462 goto err;
463 }
464
465 // 3DES Decryption KAT
466 memcpy(&des_iv, &kDESIV, sizeof(des_iv));
467 DES_ede3_cbc_encrypt(kDESCiphertext, output, sizeof(kDESCiphertext), &des1,
468 &des2, &des3, &des_iv, DES_DECRYPT);
469 if (!check_test(kPlaintext, output, sizeof(kPlaintext),
470 "3DES Decryption KAT")) {
471 goto err;
472 }
473
474 // SHA-1 KAT
475 SHA1(kPlaintext, sizeof(kPlaintext), output);
476 if (!check_test(kPlaintextSHA1, output, sizeof(kPlaintextSHA1),
477 "SHA-1 KAT")) {
478 goto err;
479 }
480
481 // SHA-256 KAT
482 SHA256(kPlaintext, sizeof(kPlaintext), output);
483 if (!check_test(kPlaintextSHA256, output, sizeof(kPlaintextSHA256),
484 "SHA-256 KAT")) {
485 goto err;
486 }
487
488 // SHA-512 KAT
489 SHA512(kPlaintext, sizeof(kPlaintext), output);
490 if (!check_test(kPlaintextSHA512, output, sizeof(kPlaintextSHA512),
491 "SHA-512 KAT")) {
492 goto err;
493 }
494
495 rsa_key = self_test_rsa_key();
496 if (rsa_key == NULL) {
497 fprintf(stderr, "RSA KeyGen failed\n");
498 goto err;
499 }
500
501 // RSA Sign KAT
502 unsigned sig_len;
503
504 // Disable blinding for the power-on tests because it's not needed and
505 // triggers an entropy draw.
506 rsa_key->flags |= RSA_FLAG_NO_BLINDING;
507
508 if (!RSA_sign(NID_sha256, kPlaintextSHA256, sizeof(kPlaintextSHA256), output,
509 &sig_len, rsa_key) ||
510 !check_test(kRSASignature, output, sizeof(kRSASignature),
511 "RSA Sign KAT")) {
512 fprintf(stderr, "RSA signing test failed.\n");
513 goto err;
514 }
515
516 // RSA Verify KAT
517 if (!RSA_verify(NID_sha256, kPlaintextSHA256, sizeof(kPlaintextSHA256),
518 kRSASignature, sizeof(kRSASignature), rsa_key)) {
519 fprintf(stderr, "RSA Verify KAT failed.\n");
520 goto err;
521 }
522
523 ec_key = self_test_ecdsa_key();
524 if (ec_key == NULL) {
525 fprintf(stderr, "ECDSA KeyGen failed\n");
526 goto err;
527 }
528
529 // ECDSA Sign/Verify PWCT
530
531 // The 'k' value for ECDSA is fixed to avoid an entropy draw.
532 ec_key->fixed_k = BN_new();
533 if (ec_key->fixed_k == NULL ||
534 !BN_set_word(ec_key->fixed_k, 42)) {
535 fprintf(stderr, "Out of memory\n");
536 goto err;
537 }
538
539 sig = ECDSA_do_sign(kPlaintextSHA256, sizeof(kPlaintextSHA256), ec_key);
540
541 uint8_t ecdsa_r_bytes[sizeof(kECDSASigR)];
542 uint8_t ecdsa_s_bytes[sizeof(kECDSASigS)];
543 if (sig == NULL ||
544 BN_num_bytes(sig->r) != sizeof(ecdsa_r_bytes) ||
545 !BN_bn2bin(sig->r, ecdsa_r_bytes) ||
546 BN_num_bytes(sig->s) != sizeof(ecdsa_s_bytes) ||
547 !BN_bn2bin(sig->s, ecdsa_s_bytes) ||
548 !check_test(kECDSASigR, ecdsa_r_bytes, sizeof(kECDSASigR), "ECDSA R") ||
549 !check_test(kECDSASigS, ecdsa_s_bytes, sizeof(kECDSASigS), "ECDSA S")) {
550 fprintf(stderr, "ECDSA KAT failed.\n");
551 goto err;
552 }
553
554 // DBRG KAT
555 CTR_DRBG_STATE drbg;
556 if (!CTR_DRBG_init(&drbg, kDRBGEntropy, kDRBGPersonalization,
557 sizeof(kDRBGPersonalization)) ||
558 !CTR_DRBG_generate(&drbg, output, sizeof(kDRBGOutput), kDRBGAD,
559 sizeof(kDRBGAD)) ||
560 !check_test(kDRBGOutput, output, sizeof(kDRBGOutput),
561 "DBRG Generate KAT") ||
562 !CTR_DRBG_reseed(&drbg, kDRBGEntropy2, kDRBGAD, sizeof(kDRBGAD)) ||
563 !CTR_DRBG_generate(&drbg, output, sizeof(kDRBGReseedOutput), kDRBGAD,
564 sizeof(kDRBGAD)) ||
565 !check_test(kDRBGReseedOutput, output, sizeof(kDRBGReseedOutput),
566 "DRBG Reseed KAT")) {
567 fprintf(stderr, "CTR-DRBG failed.\n");
568 goto err;
569 }
570 CTR_DRBG_clear(&drbg);
571
572 CTR_DRBG_STATE kZeroDRBG;
573 memset(&kZeroDRBG, 0, sizeof(kZeroDRBG));
574 if (!check_test(&kZeroDRBG, &drbg, sizeof(drbg), "DRBG Clear KAT")) {
575 goto err;
576 }
577
578 ret = 1;
579
580 err:
581 EVP_AEAD_CTX_cleanup(&aead_ctx);
582 RSA_free(rsa_key);
583 EC_KEY_free(ec_key);
584 ECDSA_SIG_free(sig);
585
586 return ret;
587 }
588
589 #endif // !_MSC_VER
590