1 /* Copyright (c) 2017, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/crypto.h>
16
17 #include <stdio.h>
18 #include <stdlib.h>
19
20 #include <openssl/aead.h>
21 #include <openssl/aes.h>
22 #include <openssl/bn.h>
23 #include <openssl/des.h>
24 #include <openssl/ecdsa.h>
25 #include <openssl/ec_key.h>
26 #include <openssl/nid.h>
27 #include <openssl/rsa.h>
28 #include <openssl/sha.h>
29
30 #include "../../internal.h"
31 #include "../ec/internal.h"
32 #include "../rand/internal.h"
33
34
35 // MSVC wants to put a NUL byte at the end of non-char arrays and so cannot
36 // compile this.
37 #if !defined(_MSC_VER)
38
39 #if defined(BORINGSSL_FIPS) && defined(OPENSSL_ANDROID)
40 // FIPS builds on Android will test for flag files, named after the module hash,
41 // in /dev/boringssl/selftest/. If such a flag file exists, it's assumed that
42 // self-tests have already passed and thus do not need to be repeated. (The
43 // integrity tests always run, however.)
44 //
45 // If self-tests complete successfully and the environment variable named in
46 // |kFlagWriteEnableEnvVar| is present, then the flag file will be created. The
47 // flag file isn't written without the environment variable being set in order
48 // to avoid SELinux violations on Android.
49 #define BORINGSSL_FIPS_SELF_TEST_FLAG_FILE
50 static const char kFlagPrefix[] = "/dev/boringssl/selftest/";
51 static const char kFlagWriteEnableEnvVar[] = "BORINGSSL_SELF_TEST_CREATE_FLAG";
52 #endif
53
hexdump(const uint8_t * in,size_t len)54 static void hexdump(const uint8_t *in, size_t len) {
55 for (size_t i = 0; i < len; i++) {
56 fprintf(stderr, "%02x", in[i]);
57 }
58 }
59
check_test(const void * expected,const void * actual,size_t expected_len,const char * name)60 static int check_test(const void *expected, const void *actual,
61 size_t expected_len, const char *name) {
62 if (OPENSSL_memcmp(actual, expected, expected_len) != 0) {
63 fprintf(stderr, "%s failed.\nExpected: ", name);
64 hexdump(expected, expected_len);
65 fprintf(stderr, "\nCalculated: ");
66 hexdump(actual, expected_len);
67 fprintf(stderr, "\n");
68 fflush(stderr);
69 return 0;
70 }
71 return 1;
72 }
73
set_bignum(BIGNUM ** out,const uint8_t * in,size_t len)74 static int set_bignum(BIGNUM **out, const uint8_t *in, size_t len) {
75 *out = BN_bin2bn(in, len, NULL);
76 return *out != NULL;
77 }
78
self_test_rsa_key(void)79 static RSA *self_test_rsa_key(void) {
80 static const uint8_t kN[] = {
81 0xd3, 0x3a, 0x62, 0x9f, 0x07, 0x77, 0xb0, 0x18, 0xf3, 0xff, 0xfe, 0xcc,
82 0xc9, 0xa2, 0xc2, 0x3a, 0xa6, 0x1d, 0xd8, 0xf0, 0x26, 0x5b, 0x38, 0x90,
83 0x17, 0x48, 0x15, 0xce, 0x21, 0xcd, 0xd6, 0x62, 0x99, 0xe2, 0xd7, 0xda,
84 0x40, 0x80, 0x3c, 0xad, 0x18, 0xb7, 0x26, 0xe9, 0x30, 0x8a, 0x23, 0x3f,
85 0x68, 0x9a, 0x9c, 0x31, 0x34, 0x91, 0x99, 0x06, 0x11, 0x36, 0xb2, 0x9e,
86 0x3a, 0xd0, 0xbc, 0xb9, 0x93, 0x4e, 0xb8, 0x72, 0xa1, 0x9f, 0xb6, 0x8c,
87 0xd5, 0x17, 0x1f, 0x7e, 0xaa, 0x75, 0xbb, 0xdf, 0xa1, 0x70, 0x48, 0xc4,
88 0xec, 0x9a, 0x51, 0xed, 0x41, 0xc9, 0x74, 0xc0, 0x3e, 0x1e, 0x85, 0x2f,
89 0xbe, 0x34, 0xc7, 0x65, 0x34, 0x8b, 0x4d, 0x55, 0x4b, 0xe1, 0x45, 0x54,
90 0x0d, 0x75, 0x7e, 0x89, 0x4d, 0x0c, 0xf6, 0x33, 0xe5, 0xfc, 0xfb, 0x56,
91 0x1b, 0xf2, 0x39, 0x9d, 0xe0, 0xff, 0x55, 0xcf, 0x02, 0x05, 0xb9, 0x74,
92 0xd2, 0x91, 0xfc, 0x87, 0xe1, 0xbb, 0x97, 0x2a, 0xe4, 0xdd, 0x20, 0xc0,
93 0x38, 0x47, 0xc0, 0x76, 0x3f, 0xa1, 0x9b, 0x5c, 0x20, 0xff, 0xff, 0xc7,
94 0x49, 0x3b, 0x4c, 0xaf, 0x99, 0xa6, 0x3e, 0x82, 0x5c, 0x58, 0x27, 0xce,
95 0x01, 0x03, 0xc3, 0x16, 0x35, 0x20, 0xe9, 0xf0, 0x15, 0x7a, 0x41, 0xd5,
96 0x1f, 0x52, 0xea, 0xdf, 0xad, 0x4c, 0xbb, 0x0d, 0xcb, 0x04, 0x91, 0xb0,
97 0x95, 0xa8, 0xce, 0x25, 0xfd, 0xd2, 0x62, 0x47, 0x77, 0xee, 0x13, 0xf1,
98 0x48, 0x72, 0x9e, 0xd9, 0x2d, 0xe6, 0x5f, 0xa4, 0xc6, 0x9e, 0x5a, 0xb2,
99 0xc6, 0xa2, 0xf7, 0x0a, 0x16, 0x17, 0xae, 0x6b, 0x1c, 0x30, 0x7c, 0x63,
100 0x08, 0x83, 0xe7, 0x43, 0xec, 0x54, 0x5e, 0x2c, 0x08, 0x0b, 0x5e, 0x46,
101 0xa7, 0x10, 0x93, 0x43, 0x53, 0x4e, 0xe3, 0x16, 0x73, 0x55, 0xce, 0xf2,
102 0x94, 0xc0, 0xbe, 0xb3,
103 };
104 static const uint8_t kE[] = {0x01, 0x00, 0x01}; // 65537
105 static const uint8_t kD[] = {
106 0x2f, 0x2c, 0x1e, 0xd2, 0x3d, 0x2c, 0xb1, 0x9b, 0x21, 0x02, 0xce, 0xb8,
107 0x95, 0x5f, 0x4f, 0xd9, 0x21, 0x38, 0x11, 0x36, 0xb0, 0x9a, 0x36, 0xab,
108 0x97, 0x47, 0x75, 0xf7, 0x2e, 0xfd, 0x75, 0x1f, 0x58, 0x16, 0x9c, 0xf6,
109 0x14, 0xe9, 0x8e, 0xa3, 0x69, 0x9d, 0x9d, 0x86, 0xfe, 0x5c, 0x1b, 0x3b,
110 0x11, 0xf5, 0x55, 0x64, 0x77, 0xc4, 0xfc, 0x53, 0xaa, 0x8c, 0x78, 0x9f,
111 0x75, 0xab, 0x20, 0x3a, 0xa1, 0x77, 0x37, 0x22, 0x02, 0x8e, 0x54, 0x8a,
112 0x67, 0x1c, 0x5e, 0xe0, 0x3e, 0xd9, 0x44, 0x37, 0xd1, 0x29, 0xee, 0x56,
113 0x6c, 0x30, 0x9a, 0x93, 0x4d, 0xd9, 0xdb, 0xc5, 0x03, 0x1a, 0x75, 0xcc,
114 0x0f, 0xc2, 0x61, 0xb5, 0x6c, 0x62, 0x9f, 0xc6, 0xa8, 0xc7, 0x8a, 0x60,
115 0x17, 0x11, 0x62, 0x4c, 0xef, 0x74, 0x31, 0x97, 0xad, 0x89, 0x2d, 0xe8,
116 0x31, 0x1d, 0x8b, 0x58, 0x82, 0xe3, 0x03, 0x1a, 0x6b, 0xdf, 0x3f, 0x3e,
117 0xa4, 0x27, 0x19, 0xef, 0x46, 0x7a, 0x90, 0xdf, 0xa7, 0xe7, 0xc9, 0x66,
118 0xab, 0x41, 0x1d, 0x65, 0x78, 0x1c, 0x18, 0x40, 0x5c, 0xd6, 0x87, 0xb5,
119 0xea, 0x29, 0x44, 0xb3, 0xf5, 0xb3, 0xd2, 0x4f, 0xce, 0x88, 0x78, 0x49,
120 0x27, 0x4e, 0x0b, 0x30, 0x85, 0xfb, 0x73, 0xfd, 0x8b, 0x32, 0x15, 0xee,
121 0x1f, 0xc9, 0x0e, 0x89, 0xb9, 0x43, 0x2f, 0xe9, 0x60, 0x8d, 0xda, 0xae,
122 0x2b, 0x30, 0x99, 0xee, 0x88, 0x81, 0x20, 0x7b, 0x4a, 0xc3, 0x18, 0xf2,
123 0x94, 0x02, 0x79, 0x94, 0xaa, 0x65, 0xd9, 0x1b, 0x45, 0x2a, 0xac, 0x6e,
124 0x30, 0x48, 0x57, 0xea, 0xbe, 0x79, 0x7d, 0xfc, 0x67, 0xaa, 0x47, 0xc0,
125 0xf7, 0x52, 0xfd, 0x0b, 0x63, 0x4e, 0x3d, 0x2e, 0xcc, 0x36, 0xa0, 0xdb,
126 0x92, 0x0b, 0xa9, 0x1b, 0xeb, 0xc2, 0xd5, 0x08, 0xd3, 0x85, 0x87, 0xf8,
127 0x5d, 0x1a, 0xf6, 0xc1,
128 };
129 static const uint8_t kP[] = {
130 0xf7, 0x06, 0xa3, 0x98, 0x8a, 0x52, 0xf8, 0x63, 0x68, 0x27, 0x4f, 0x68,
131 0x7f, 0x34, 0xec, 0x8e, 0x5d, 0xf8, 0x30, 0x92, 0xb3, 0x62, 0x4c, 0xeb,
132 0xdb, 0x19, 0x6b, 0x09, 0xc5, 0xa3, 0xf0, 0xbb, 0xff, 0x0f, 0xc2, 0xd4,
133 0x9b, 0xc9, 0x54, 0x4f, 0xb9, 0xf9, 0xe1, 0x4c, 0xf0, 0xe3, 0x4c, 0x90,
134 0xda, 0x7a, 0x01, 0xc2, 0x9f, 0xc4, 0xc8, 0x8e, 0xb1, 0x1e, 0x93, 0x75,
135 0x75, 0xc6, 0x13, 0x25, 0xc3, 0xee, 0x3b, 0xcc, 0xb8, 0x72, 0x6c, 0x49,
136 0xb0, 0x09, 0xfb, 0xab, 0x44, 0xeb, 0x4d, 0x40, 0xf0, 0x61, 0x6b, 0xe5,
137 0xe6, 0xfe, 0x3e, 0x0a, 0x77, 0x26, 0x39, 0x76, 0x3d, 0x4c, 0x3e, 0x9b,
138 0x5b, 0xc0, 0xaf, 0xa2, 0x58, 0x76, 0xb0, 0xe9, 0xda, 0x7f, 0x0e, 0x78,
139 0xc9, 0x76, 0x49, 0x5c, 0xfa, 0xb3, 0xb0, 0x15, 0x4b, 0x41, 0xc7, 0x27,
140 0xa4, 0x75, 0x28, 0x5c, 0x30, 0x69, 0x50, 0x29,
141 };
142 static const uint8_t kQ[] = {
143 0xda, 0xe6, 0xd2, 0xbb, 0x44, 0xff, 0x4f, 0xdf, 0x57, 0xc1, 0x11, 0xa3,
144 0x51, 0xba, 0x17, 0x89, 0x4c, 0x01, 0xc0, 0x0c, 0x97, 0x34, 0x50, 0xcf,
145 0x32, 0x1e, 0xc0, 0xbd, 0x7b, 0x35, 0xb5, 0x6a, 0x26, 0xcc, 0xea, 0x4c,
146 0x8e, 0x87, 0x4a, 0x67, 0x8b, 0xd3, 0xe5, 0x4f, 0x3a, 0x60, 0x48, 0x59,
147 0x04, 0x93, 0x39, 0xd7, 0x7c, 0xfb, 0x19, 0x1a, 0x34, 0xd5, 0xe8, 0xaf,
148 0xe7, 0x22, 0x2c, 0x0d, 0xc2, 0x91, 0x69, 0xb6, 0xe9, 0x2a, 0xe9, 0x1c,
149 0x4c, 0x6e, 0x8f, 0x40, 0xf5, 0xa8, 0x3e, 0x82, 0x69, 0x69, 0xbe, 0x9f,
150 0x7d, 0x5c, 0x7f, 0x92, 0x78, 0x17, 0xa3, 0x6d, 0x41, 0x2d, 0x72, 0xed,
151 0x3f, 0x71, 0xfa, 0x97, 0xb4, 0x63, 0xe4, 0x4f, 0xd9, 0x46, 0x03, 0xfb,
152 0x00, 0xeb, 0x30, 0x70, 0xb9, 0x51, 0xd9, 0x0a, 0xd2, 0xf8, 0x50, 0xd4,
153 0xfb, 0x43, 0x84, 0xf8, 0xac, 0x58, 0xc3, 0x7b,
154 };
155 static const uint8_t kDModPMinusOne[] = {
156 0xf5, 0x50, 0x8f, 0x88, 0x7d, 0xdd, 0xb5, 0xb4, 0x2a, 0x8b, 0xd7, 0x4d,
157 0x23, 0xfe, 0xaf, 0xe9, 0x16, 0x22, 0xd2, 0x41, 0xed, 0x88, 0xf2, 0x70,
158 0xcb, 0x4d, 0xeb, 0xc1, 0x71, 0x97, 0xc4, 0x0b, 0x3e, 0x5a, 0x2d, 0x96,
159 0xab, 0xfa, 0xfd, 0x12, 0x8b, 0xd3, 0x3e, 0x4e, 0x05, 0x6f, 0x04, 0xeb,
160 0x59, 0x3c, 0x0e, 0xa1, 0x73, 0xbe, 0x9d, 0x99, 0x2f, 0x05, 0xf9, 0x54,
161 0x8d, 0x98, 0x1e, 0x0d, 0xc4, 0x0c, 0xc3, 0x30, 0x23, 0xff, 0xe5, 0xd0,
162 0x2b, 0xd5, 0x4e, 0x2b, 0xa0, 0xae, 0xb8, 0x32, 0x84, 0x45, 0x8b, 0x3c,
163 0x6d, 0xf0, 0x10, 0x36, 0x9e, 0x6a, 0xc4, 0x67, 0xca, 0xa9, 0xfc, 0x06,
164 0x96, 0xd0, 0xbc, 0xda, 0xd1, 0x55, 0x55, 0x8d, 0x77, 0x21, 0xf4, 0x82,
165 0x39, 0x37, 0x91, 0xd5, 0x97, 0x56, 0x78, 0xc8, 0x3c, 0xcb, 0x5e, 0xf6,
166 0xdc, 0x58, 0x48, 0xb3, 0x7c, 0x94, 0x29, 0x39,
167 };
168 static const uint8_t kDModQMinusOne[] = {
169 0x64, 0x65, 0xbd, 0x7d, 0x1a, 0x96, 0x26, 0xa1, 0xfe, 0xf3, 0x94, 0x0d,
170 0x5d, 0xec, 0x85, 0xe2, 0xf8, 0xb3, 0x4c, 0xcb, 0xf9, 0x85, 0x8b, 0x12,
171 0x9c, 0xa0, 0x32, 0x32, 0x35, 0x92, 0x5a, 0x94, 0x47, 0x1b, 0x70, 0xd2,
172 0x90, 0x04, 0x49, 0x01, 0xd8, 0xc5, 0xe4, 0xc4, 0x43, 0xb7, 0xe9, 0x36,
173 0xba, 0xbc, 0x73, 0xa8, 0xfb, 0xaf, 0x86, 0xc1, 0xd8, 0x3d, 0xcb, 0xac,
174 0xf1, 0xcb, 0x60, 0x7d, 0x27, 0x21, 0xde, 0x64, 0x7f, 0xe8, 0xa8, 0x65,
175 0xcc, 0x40, 0x60, 0xff, 0xa0, 0x2b, 0xfc, 0x0f, 0x80, 0x1d, 0x79, 0xca,
176 0x58, 0x8a, 0xd6, 0x0f, 0xed, 0x78, 0x9a, 0x02, 0x00, 0x04, 0xc2, 0x53,
177 0x41, 0xe8, 0x1a, 0xd0, 0xfd, 0x71, 0x5b, 0x43, 0xac, 0x19, 0x4a, 0xb6,
178 0x12, 0xa3, 0xcb, 0xe1, 0xc7, 0x7d, 0x5c, 0x98, 0x74, 0x4e, 0x63, 0x74,
179 0x6b, 0x91, 0x7a, 0x29, 0x3b, 0x92, 0xb2, 0x85,
180 };
181 static const uint8_t kQInverseModP[] = {
182 0xd0, 0xde, 0x19, 0xda, 0x1e, 0xa2, 0xd8, 0x8f, 0x1c, 0x92, 0x73, 0xb0,
183 0xc9, 0x90, 0xc7, 0xf5, 0xec, 0xc5, 0x89, 0x01, 0x05, 0x78, 0x11, 0x2d,
184 0x74, 0x34, 0x44, 0xad, 0xd5, 0xf7, 0xa4, 0xfe, 0x9f, 0x25, 0x4d, 0x0b,
185 0x92, 0xe3, 0xb8, 0x7d, 0xd3, 0xfd, 0xa5, 0xca, 0x95, 0x60, 0xa3, 0xf9,
186 0x55, 0x42, 0x14, 0xb2, 0x45, 0x51, 0x9f, 0x73, 0x88, 0x43, 0x8a, 0xd1,
187 0x65, 0x9e, 0xd1, 0xf7, 0x82, 0x2a, 0x2a, 0x8d, 0x70, 0x56, 0xe3, 0xef,
188 0xc9, 0x0e, 0x2a, 0x2c, 0x15, 0xaf, 0x7f, 0x97, 0x81, 0x66, 0xf3, 0xb5,
189 0x00, 0xa9, 0x26, 0xcc, 0x1e, 0xc2, 0x98, 0xdd, 0xd3, 0x37, 0x06, 0x79,
190 0xb3, 0x60, 0x58, 0x79, 0x99, 0x3f, 0xa3, 0x15, 0x1f, 0x31, 0xe3, 0x11,
191 0x88, 0x4c, 0x35, 0x57, 0xfa, 0x79, 0xd7, 0xd8, 0x72, 0xee, 0x73, 0x95,
192 0x89, 0x29, 0xc7, 0x05, 0x27, 0x68, 0x90, 0x15,
193 };
194
195 RSA *rsa = RSA_new();
196 if (rsa == NULL ||
197 !set_bignum(&rsa->n, kN, sizeof(kN)) ||
198 !set_bignum(&rsa->e, kE, sizeof(kE)) ||
199 !set_bignum(&rsa->d, kD, sizeof(kD)) ||
200 !set_bignum(&rsa->p, kP, sizeof(kP)) ||
201 !set_bignum(&rsa->q, kQ, sizeof(kQ)) ||
202 !set_bignum(&rsa->dmp1, kDModPMinusOne, sizeof(kDModPMinusOne)) ||
203 !set_bignum(&rsa->dmq1, kDModQMinusOne, sizeof(kDModQMinusOne)) ||
204 !set_bignum(&rsa->iqmp, kQInverseModP, sizeof(kQInverseModP))) {
205 RSA_free(rsa);
206 return NULL;
207 }
208
209 return rsa;
210 }
211
self_test_ecdsa_key(void)212 static EC_KEY *self_test_ecdsa_key(void) {
213 static const uint8_t kQx[] = {
214 0xc8, 0x15, 0x61, 0xec, 0xf2, 0xe5, 0x4e, 0xde, 0xfe, 0x66, 0x17,
215 0xdb, 0x1c, 0x7a, 0x34, 0xa7, 0x07, 0x44, 0xdd, 0xb2, 0x61, 0xf2,
216 0x69, 0xb8, 0x3d, 0xac, 0xfc, 0xd2, 0xad, 0xe5, 0xa6, 0x81,
217 };
218 static const uint8_t kQy[] = {
219 0xe0, 0xe2, 0xaf, 0xa3, 0xf9, 0xb6, 0xab, 0xe4, 0xc6, 0x98, 0xef,
220 0x64, 0x95, 0xf1, 0xbe, 0x49, 0xa3, 0x19, 0x6c, 0x50, 0x56, 0xac,
221 0xb3, 0x76, 0x3f, 0xe4, 0x50, 0x7e, 0xec, 0x59, 0x6e, 0x88,
222 };
223 static const uint8_t kD[] = {
224 0xc6, 0xc1, 0xaa, 0xda, 0x15, 0xb0, 0x76, 0x61, 0xf8, 0x14, 0x2c,
225 0x6c, 0xaf, 0x0f, 0xdb, 0x24, 0x1a, 0xff, 0x2e, 0xfe, 0x46, 0xc0,
226 0x93, 0x8b, 0x74, 0xf2, 0xbc, 0xc5, 0x30, 0x52, 0xb0, 0x77,
227 };
228
229 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
230 BIGNUM *qx = BN_bin2bn(kQx, sizeof(kQx), NULL);
231 BIGNUM *qy = BN_bin2bn(kQy, sizeof(kQy), NULL);
232 BIGNUM *d = BN_bin2bn(kD, sizeof(kD), NULL);
233 if (ec_key == NULL || qx == NULL || qy == NULL || d == NULL ||
234 !EC_KEY_set_public_key_affine_coordinates(ec_key, qx, qy) ||
235 !EC_KEY_set_private_key(ec_key, d)) {
236 EC_KEY_free(ec_key);
237 ec_key = NULL;
238 }
239
240 BN_free(qx);
241 BN_free(qy);
242 BN_free(d);
243 return ec_key;
244 }
245
246 #if defined(OPENSSL_ANDROID)
247 static const size_t kModuleDigestSize = SHA256_DIGEST_LENGTH;
248 #else
249 static const size_t kModuleDigestSize = SHA512_DIGEST_LENGTH;
250 #endif
251
boringssl_fips_self_test(const uint8_t * module_hash,size_t module_hash_len)252 int boringssl_fips_self_test(
253 const uint8_t *module_hash, size_t module_hash_len) {
254 #if defined(BORINGSSL_FIPS_SELF_TEST_FLAG_FILE)
255 char flag_path[sizeof(kFlagPrefix) + 2*kModuleDigestSize];
256 if (module_hash_len != 0) {
257 if (module_hash_len != kModuleDigestSize) {
258 fprintf(stderr,
259 "module hash of length %zu does not match expected length %zu\n",
260 module_hash_len, kModuleDigestSize);
261 BORINGSSL_FIPS_abort();
262 }
263
264 // Test whether the flag file exists.
265 memcpy(flag_path, kFlagPrefix, sizeof(kFlagPrefix) - 1);
266 static const char kHexTable[17] = "0123456789abcdef";
267 for (size_t i = 0; i < kModuleDigestSize; i++) {
268 flag_path[sizeof(kFlagPrefix) - 1 + 2 * i] =
269 kHexTable[module_hash[i] >> 4];
270 flag_path[sizeof(kFlagPrefix) - 1 + 2 * i + 1] =
271 kHexTable[module_hash[i] & 15];
272 }
273 flag_path[sizeof(flag_path) - 1] = 0;
274
275 if (access(flag_path, F_OK) == 0) {
276 // Flag file found. Skip self-tests.
277 return 1;
278 }
279 }
280 #endif // BORINGSSL_FIPS_SELF_TEST_FLAG_FILE
281
282 static const uint8_t kAESKey[16] = "BoringCrypto Key";
283 static const uint8_t kAESIV[16] = {0};
284 static const uint8_t kPlaintext[64] =
285 "BoringCryptoModule FIPS KAT Encryption and Decryption Plaintext!";
286 static const uint8_t kAESCBCCiphertext[64] = {
287 0x87, 0x2d, 0x98, 0xc2, 0xcc, 0x31, 0x5b, 0x41, 0xe0, 0xfa, 0x7b,
288 0x0a, 0x71, 0xc0, 0x42, 0xbf, 0x4f, 0x61, 0xd0, 0x0d, 0x58, 0x8c,
289 0xf7, 0x05, 0xfb, 0x94, 0x89, 0xd3, 0xbc, 0xaa, 0x1a, 0x50, 0x45,
290 0x1f, 0xc3, 0x8c, 0xb8, 0x98, 0x86, 0xa3, 0xe3, 0x6c, 0xfc, 0xad,
291 0x3a, 0xb5, 0x59, 0x27, 0x7d, 0x21, 0x07, 0xca, 0x4c, 0x1d, 0x55,
292 0x34, 0xdd, 0x5a, 0x2d, 0xc4, 0xb4, 0xf5, 0xa8,
293 #if !defined(BORINGSSL_FIPS_BREAK_AES_CBC)
294 0x35
295 #else
296 0x00
297 #endif
298 };
299 static const uint8_t kAESGCMCiphertext[80] = {
300 0x4a, 0xd8, 0xe7, 0x7d, 0x78, 0xd7, 0x7d, 0x5e, 0xb2, 0x11, 0xb6, 0xc9,
301 0xa4, 0xbc, 0xb2, 0xae, 0xbe, 0x93, 0xd1, 0xb7, 0xfe, 0x65, 0xc1, 0x82,
302 0x2a, 0xb6, 0x71, 0x5f, 0x1a, 0x7c, 0xe0, 0x1b, 0x2b, 0xe2, 0x53, 0xfa,
303 0xa0, 0x47, 0xfa, 0xd7, 0x8f, 0xb1, 0x4a, 0xc4, 0xdc, 0x89, 0xf9, 0xb4,
304 0x14, 0x4d, 0xde, 0x95, 0xea, 0x29, 0x69, 0x76, 0x81, 0xa3, 0x5c, 0x33,
305 0xd8, 0x37, 0xd8, 0xfa, 0x47, 0x19, 0x46, 0x2f, 0xf1, 0x90, 0xb7, 0x61,
306 0x8f, 0x6f, 0xdd, 0x31, 0x3f, 0x6a, 0x64,
307 #if !defined(BORINGSSL_FIPS_BREAK_AES_GCM)
308 0x0d
309 #else
310 0x00
311 #endif
312 };
313 static const DES_cblock kDESKey1 = {"BCMDESK1"};
314 static const DES_cblock kDESKey2 = {"BCMDESK2"};
315 static const DES_cblock kDESKey3 = {"BCMDESK3"};
316 static const DES_cblock kDESIV = {"BCMDESIV"};
317 static const uint8_t kDESCiphertext[64] = {
318 0xa4, 0x30, 0x7a, 0x4c, 0x1f, 0x60, 0x16, 0xd7, 0x4f, 0x41, 0xe1,
319 0xbb, 0x27, 0xc4, 0x27, 0x37, 0xd4, 0x7f, 0xb9, 0x10, 0xf8, 0xbc,
320 0xaf, 0x93, 0x91, 0xb8, 0x88, 0x24, 0xb1, 0xf6, 0xf8, 0xbd, 0x31,
321 0x96, 0x06, 0x76, 0xde, 0x32, 0xcd, 0x29, 0x29, 0xba, 0x70, 0x5f,
322 0xea, 0xc0, 0xcb, 0xde, 0xc7, 0x75, 0x90, 0xe0, 0x0f, 0x5e, 0x2c,
323 0x0d, 0x49, 0x20, 0xd5, 0x30, 0x83, 0xf8, 0x08,
324 #if !defined(BORINGSSL_FIPS_BREAK_DES)
325 0x5a
326 #else
327 0x00
328 #endif
329 };
330 static const uint8_t kPlaintextSHA1[20] = {
331 0xc6, 0xf8, 0xc9, 0x63, 0x1c, 0x14, 0x23, 0x62, 0x9b, 0xbd,
332 0x55, 0x82, 0xf4, 0xd6, 0x1d, 0xf2, 0xab, 0x7d, 0xc8,
333 #if !defined(BORINGSSL_FIPS_BREAK_SHA_1)
334 0x28
335 #else
336 0x00
337 #endif
338 };
339 static const uint8_t kPlaintextSHA256[32] = {
340 0x37, 0xbd, 0x70, 0x53, 0x72, 0xfc, 0xd4, 0x03, 0x79, 0x70, 0xfb,
341 0x06, 0x95, 0xb1, 0x2a, 0x82, 0x48, 0xe1, 0x3e, 0xf2, 0x33, 0xfb,
342 0xef, 0x29, 0x81, 0x22, 0x45, 0x40, 0x43, 0x70, 0xce,
343 #if !defined(BORINGSSL_FIPS_BREAK_SHA_256)
344 0x0f
345 #else
346 0x00
347 #endif
348 };
349 static const uint8_t kPlaintextSHA512[64] = {
350 0x08, 0x6a, 0x1c, 0x84, 0x61, 0x9d, 0x8e, 0xb3, 0xc0, 0x97, 0x4e,
351 0xa1, 0x9f, 0x9c, 0xdc, 0xaf, 0x3b, 0x5c, 0x31, 0xf0, 0xf2, 0x74,
352 0xc3, 0xbd, 0x6e, 0xd6, 0x1e, 0xb2, 0xbb, 0x34, 0x74, 0x72, 0x5c,
353 0x51, 0x29, 0x8b, 0x87, 0x3a, 0xa3, 0xf2, 0x25, 0x23, 0xd4, 0x1c,
354 0x82, 0x1b, 0xfe, 0xd3, 0xc6, 0xee, 0xb5, 0xd6, 0xaf, 0x07, 0x7b,
355 0x98, 0xca, 0xa7, 0x01, 0xf3, 0x94, 0xf3, 0x68,
356 #if !defined(BORINGSSL_FIPS_BREAK_SHA_512)
357 0x14
358 #else
359 0x00
360 #endif
361 };
362 static const uint8_t kRSASignature[256] = {
363 0x62, 0x66, 0x4b, 0xe3, 0xb1, 0xd2, 0x83, 0xf1, 0xa8, 0x56, 0x2b, 0x33,
364 0x60, 0x1e, 0xdb, 0x1e, 0x06, 0xf7, 0xa7, 0x1e, 0xa8, 0xef, 0x03, 0x4d,
365 0x0c, 0xf6, 0x83, 0x75, 0x7a, 0xf0, 0x14, 0xc7, 0xe2, 0x94, 0x3a, 0xb5,
366 0x67, 0x56, 0xa5, 0x48, 0x7f, 0x3a, 0xa5, 0xbf, 0xf7, 0x1d, 0x44, 0xa6,
367 0x34, 0xed, 0x9b, 0xd6, 0x51, 0xaa, 0x2c, 0x4e, 0xce, 0x60, 0x5f, 0xe9,
368 0x0e, 0xd5, 0xcd, 0xeb, 0x23, 0x27, 0xf8, 0xfb, 0x45, 0xe5, 0x34, 0x63,
369 0x77, 0x7f, 0x2e, 0x80, 0xcf, 0x9d, 0x2e, 0xfc, 0xe2, 0x50, 0x75, 0x29,
370 0x46, 0xf4, 0xaf, 0x91, 0xed, 0x36, 0xe1, 0x5e, 0xef, 0x66, 0xa1, 0xff,
371 0x27, 0xfc, 0x87, 0x7e, 0x60, 0x84, 0x0f, 0x54, 0x51, 0x56, 0x0f, 0x68,
372 0x99, 0xc0, 0x3f, 0xeb, 0xa5, 0xa0, 0x46, 0xb0, 0x86, 0x02, 0xb0, 0xc8,
373 0xe8, 0x46, 0x13, 0x06, 0xcd, 0xb7, 0x8a, 0xd0, 0x3b, 0x46, 0xd0, 0x14,
374 0x64, 0x53, 0x9b, 0x5b, 0x5e, 0x02, 0x45, 0xba, 0x6e, 0x7e, 0x0a, 0xb9,
375 0x9e, 0x62, 0xb7, 0xd5, 0x7a, 0x87, 0xea, 0xd3, 0x24, 0xa5, 0xef, 0xb3,
376 0xdc, 0x05, 0x9c, 0x04, 0x60, 0x4b, 0xde, 0xa8, 0x90, 0x08, 0x7b, 0x6a,
377 0x5f, 0xb4, 0x3f, 0xda, 0xc5, 0x1f, 0x6e, 0xd6, 0x15, 0xde, 0x65, 0xa4,
378 0x6e, 0x62, 0x9d, 0x8f, 0xa8, 0xbe, 0x86, 0xf6, 0x09, 0x90, 0x40, 0xa5,
379 0xf4, 0x23, 0xc5, 0xf6, 0x38, 0x86, 0x0d, 0x1c, 0xed, 0x4a, 0x0a, 0xae,
380 0xa4, 0x26, 0xc2, 0x2e, 0xd3, 0x13, 0x66, 0x61, 0xea, 0x35, 0x01, 0x0e,
381 0x13, 0xda, 0x78, 0x20, 0xae, 0x59, 0x5f, 0x9b, 0xa9, 0x6c, 0xf9, 0x1b,
382 0xdf, 0x76, 0x53, 0xc8, 0xa7, 0xf5, 0x63, 0x6d, 0xf3, 0xff, 0xfd, 0xaf,
383 0x75, 0x4b, 0xac, 0x67, 0xb1, 0x3c, 0xbf, 0x5e, 0xde, 0x73, 0x02, 0x6d,
384 0xd2, 0x0c, 0xb1,
385 #if !defined(BORINGSSL_FIPS_BREAK_RSA_SIG)
386 0x64
387 #else
388 0x00
389 #endif
390 };
391 const uint8_t kDRBGEntropy[48] =
392 "BCM Known Answer Test DBRG Initial Entropy ";
393 const uint8_t kDRBGPersonalization[18] = "BCMPersonalization";
394 const uint8_t kDRBGAD[16] = "BCM DRBG KAT AD ";
395 const uint8_t kDRBGOutput[64] = {
396 0x1d, 0x63, 0xdf, 0x05, 0x51, 0x49, 0x22, 0x46, 0xcd, 0x9b, 0xc5,
397 0xbb, 0xf1, 0x5d, 0x44, 0xae, 0x13, 0x78, 0xb1, 0xe4, 0x7c, 0xf1,
398 0x96, 0x33, 0x3d, 0x60, 0xb6, 0x29, 0xd4, 0xbb, 0x6b, 0x44, 0xf9,
399 0xef, 0xd9, 0xf4, 0xa2, 0xba, 0x48, 0xea, 0x39, 0x75, 0x59, 0x32,
400 0xf7, 0x31, 0x2c, 0x98, 0x14, 0x2b, 0x49, 0xdf, 0x02, 0xb6, 0x5d,
401 0x71, 0x09, 0x50, 0xdb, 0x23, 0xdb, 0xe5, 0x22,
402 #if !defined(BORINGSSL_FIPS_BREAK_DRBG)
403 0x95
404 #else
405 0x00
406 #endif
407 };
408 const uint8_t kDRBGEntropy2[48] =
409 "BCM Known Answer Test DBRG Reseed Entropy ";
410 const uint8_t kDRBGReseedOutput[64] = {
411 0xa4, 0x77, 0x05, 0xdb, 0x14, 0x11, 0x76, 0x71, 0x42, 0x5b, 0xd8,
412 0xd7, 0xa5, 0x4f, 0x8b, 0x39, 0xf2, 0x10, 0x4a, 0x50, 0x5b, 0xa2,
413 0xc8, 0xf0, 0xbb, 0x3e, 0xa1, 0xa5, 0x90, 0x7d, 0x54, 0xd9, 0xc6,
414 0xb0, 0x96, 0xc0, 0x2b, 0x7e, 0x9b, 0xc9, 0xa1, 0xdd, 0x78, 0x2e,
415 0xd5, 0xa8, 0x66, 0x16, 0xbd, 0x18, 0x3c, 0xf2, 0xaa, 0x7a, 0x2b,
416 0x37, 0xf9, 0xab, 0x35, 0x64, 0x15, 0x01, 0x3f, 0xc4,
417 };
418 const uint8_t kECDSASigR[32] = {
419 0x67, 0x80, 0xc5, 0xfc, 0x70, 0x27, 0x5e, 0x2c, 0x70, 0x61, 0xa0,
420 0xe7, 0x87, 0x7b, 0xb1, 0x74, 0xde, 0xad, 0xeb, 0x98, 0x87, 0x02,
421 0x7f, 0x3f, 0xa8, 0x36, 0x54, 0x15, 0x8b, 0xa7, 0xf5,
422 #if !defined(BORINGSSL_FIPS_BREAK_ECDSA_SIG)
423 0x0c,
424 #else
425 0x00,
426 #endif
427 };
428 const uint8_t kECDSASigS[32] = {
429 0xa5, 0x93, 0xe0, 0x23, 0x91, 0xe7, 0x4b, 0x8d, 0x77, 0x25, 0xa6,
430 0xba, 0x4d, 0xd9, 0x86, 0x77, 0xda, 0x7d, 0x8f, 0xef, 0xc4, 0x1a,
431 0xf0, 0xcc, 0x81, 0xe5, 0xea, 0x3f, 0xc2, 0x41, 0x7f, 0xd8,
432 };
433
434 EVP_AEAD_CTX aead_ctx;
435 EVP_AEAD_CTX_zero(&aead_ctx);
436 RSA *rsa_key = NULL;
437 EC_KEY *ec_key = NULL;
438 ECDSA_SIG *sig = NULL;
439 int ret = 0;
440
441 AES_KEY aes_key;
442 uint8_t aes_iv[16];
443 uint8_t output[256];
444
445 // AES-CBC Encryption KAT
446 memcpy(aes_iv, kAESIV, sizeof(kAESIV));
447 if (AES_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) {
448 fprintf(stderr, "AES_set_encrypt_key failed.\n");
449 goto err;
450 }
451 AES_cbc_encrypt(kPlaintext, output, sizeof(kPlaintext), &aes_key, aes_iv,
452 AES_ENCRYPT);
453 if (!check_test(kAESCBCCiphertext, output, sizeof(kAESCBCCiphertext),
454 "AES-CBC Encryption KAT")) {
455 goto err;
456 }
457
458 // AES-CBC Decryption KAT
459 memcpy(aes_iv, kAESIV, sizeof(kAESIV));
460 if (AES_set_decrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) {
461 fprintf(stderr, "AES_set_decrypt_key failed.\n");
462 goto err;
463 }
464 AES_cbc_encrypt(kAESCBCCiphertext, output, sizeof(kAESCBCCiphertext),
465 &aes_key, aes_iv, AES_DECRYPT);
466 if (!check_test(kPlaintext, output, sizeof(kPlaintext),
467 "AES-CBC Decryption KAT")) {
468 goto err;
469 }
470
471 size_t out_len;
472 uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
473 OPENSSL_memset(nonce, 0, sizeof(nonce));
474 if (!EVP_AEAD_CTX_init(&aead_ctx, EVP_aead_aes_128_gcm(), kAESKey,
475 sizeof(kAESKey), 0, NULL)) {
476 fprintf(stderr, "EVP_AEAD_CTX_init for AES-128-GCM failed.\n");
477 goto err;
478 }
479
480 // AES-GCM Encryption KAT
481 if (!EVP_AEAD_CTX_seal(&aead_ctx, output, &out_len, sizeof(output), nonce,
482 EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()),
483 kPlaintext, sizeof(kPlaintext), NULL, 0) ||
484 !check_test(kAESGCMCiphertext, output, sizeof(kAESGCMCiphertext),
485 "AES-GCM Encryption KAT")) {
486 fprintf(stderr, "EVP_AEAD_CTX_seal for AES-128-GCM failed.\n");
487 goto err;
488 }
489
490 // AES-GCM Decryption KAT
491 if (!EVP_AEAD_CTX_open(&aead_ctx, output, &out_len, sizeof(output), nonce,
492 EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()),
493 kAESGCMCiphertext, sizeof(kAESGCMCiphertext), NULL,
494 0) ||
495 !check_test(kPlaintext, output, sizeof(kPlaintext),
496 "AES-GCM Decryption KAT")) {
497 fprintf(stderr, "EVP_AEAD_CTX_open for AES-128-GCM failed.\n");
498 goto err;
499 }
500
501 DES_key_schedule des1, des2, des3;
502 DES_cblock des_iv;
503 DES_set_key(&kDESKey1, &des1);
504 DES_set_key(&kDESKey2, &des2);
505 DES_set_key(&kDESKey3, &des3);
506
507 // 3DES Encryption KAT
508 memcpy(&des_iv, &kDESIV, sizeof(des_iv));
509 DES_ede3_cbc_encrypt(kPlaintext, output, sizeof(kPlaintext), &des1, &des2,
510 &des3, &des_iv, DES_ENCRYPT);
511 if (!check_test(kDESCiphertext, output, sizeof(kDESCiphertext),
512 "3DES Encryption KAT")) {
513 goto err;
514 }
515
516 // 3DES Decryption KAT
517 memcpy(&des_iv, &kDESIV, sizeof(des_iv));
518 DES_ede3_cbc_encrypt(kDESCiphertext, output, sizeof(kDESCiphertext), &des1,
519 &des2, &des3, &des_iv, DES_DECRYPT);
520 if (!check_test(kPlaintext, output, sizeof(kPlaintext),
521 "3DES Decryption KAT")) {
522 goto err;
523 }
524
525 // SHA-1 KAT
526 SHA1(kPlaintext, sizeof(kPlaintext), output);
527 if (!check_test(kPlaintextSHA1, output, sizeof(kPlaintextSHA1),
528 "SHA-1 KAT")) {
529 goto err;
530 }
531
532 // SHA-256 KAT
533 SHA256(kPlaintext, sizeof(kPlaintext), output);
534 if (!check_test(kPlaintextSHA256, output, sizeof(kPlaintextSHA256),
535 "SHA-256 KAT")) {
536 goto err;
537 }
538
539 // SHA-512 KAT
540 SHA512(kPlaintext, sizeof(kPlaintext), output);
541 if (!check_test(kPlaintextSHA512, output, sizeof(kPlaintextSHA512),
542 "SHA-512 KAT")) {
543 goto err;
544 }
545
546 rsa_key = self_test_rsa_key();
547 if (rsa_key == NULL) {
548 fprintf(stderr, "RSA KeyGen failed\n");
549 goto err;
550 }
551
552 // RSA Sign KAT
553 unsigned sig_len;
554
555 // Disable blinding for the power-on tests because it's not needed and
556 // triggers an entropy draw.
557 rsa_key->flags |= RSA_FLAG_NO_BLINDING;
558
559 if (!RSA_sign(NID_sha256, kPlaintextSHA256, sizeof(kPlaintextSHA256), output,
560 &sig_len, rsa_key) ||
561 !check_test(kRSASignature, output, sizeof(kRSASignature),
562 "RSA Sign KAT")) {
563 fprintf(stderr, "RSA signing test failed.\n");
564 goto err;
565 }
566
567 // RSA Verify KAT
568 if (!RSA_verify(NID_sha256, kPlaintextSHA256, sizeof(kPlaintextSHA256),
569 kRSASignature, sizeof(kRSASignature), rsa_key)) {
570 fprintf(stderr, "RSA Verify KAT failed.\n");
571 goto err;
572 }
573
574 ec_key = self_test_ecdsa_key();
575 if (ec_key == NULL) {
576 fprintf(stderr, "ECDSA KeyGen failed\n");
577 goto err;
578 }
579
580 // ECDSA Sign/Verify PWCT
581
582 // The 'k' value for ECDSA is fixed to avoid an entropy draw.
583 ec_key->fixed_k = BN_new();
584 if (ec_key->fixed_k == NULL ||
585 !BN_set_word(ec_key->fixed_k, 42)) {
586 fprintf(stderr, "Out of memory\n");
587 goto err;
588 }
589
590 sig = ECDSA_do_sign(kPlaintextSHA256, sizeof(kPlaintextSHA256), ec_key);
591
592 uint8_t ecdsa_r_bytes[sizeof(kECDSASigR)];
593 uint8_t ecdsa_s_bytes[sizeof(kECDSASigS)];
594 if (sig == NULL ||
595 BN_num_bytes(sig->r) != sizeof(ecdsa_r_bytes) ||
596 !BN_bn2bin(sig->r, ecdsa_r_bytes) ||
597 BN_num_bytes(sig->s) != sizeof(ecdsa_s_bytes) ||
598 !BN_bn2bin(sig->s, ecdsa_s_bytes) ||
599 !check_test(kECDSASigR, ecdsa_r_bytes, sizeof(kECDSASigR), "ECDSA R") ||
600 !check_test(kECDSASigS, ecdsa_s_bytes, sizeof(kECDSASigS), "ECDSA S")) {
601 fprintf(stderr, "ECDSA KAT failed.\n");
602 goto err;
603 }
604
605 // DBRG KAT
606 CTR_DRBG_STATE drbg;
607 if (!CTR_DRBG_init(&drbg, kDRBGEntropy, kDRBGPersonalization,
608 sizeof(kDRBGPersonalization)) ||
609 !CTR_DRBG_generate(&drbg, output, sizeof(kDRBGOutput), kDRBGAD,
610 sizeof(kDRBGAD)) ||
611 !check_test(kDRBGOutput, output, sizeof(kDRBGOutput),
612 "DBRG Generate KAT") ||
613 !CTR_DRBG_reseed(&drbg, kDRBGEntropy2, kDRBGAD, sizeof(kDRBGAD)) ||
614 !CTR_DRBG_generate(&drbg, output, sizeof(kDRBGReseedOutput), kDRBGAD,
615 sizeof(kDRBGAD)) ||
616 !check_test(kDRBGReseedOutput, output, sizeof(kDRBGReseedOutput),
617 "DRBG Reseed KAT")) {
618 fprintf(stderr, "CTR-DRBG failed.\n");
619 goto err;
620 }
621 CTR_DRBG_clear(&drbg);
622
623 CTR_DRBG_STATE kZeroDRBG;
624 memset(&kZeroDRBG, 0, sizeof(kZeroDRBG));
625 if (!check_test(&kZeroDRBG, &drbg, sizeof(drbg), "DRBG Clear KAT")) {
626 goto err;
627 }
628
629 ret = 1;
630
631 #if defined(BORINGSSL_FIPS_SELF_TEST_FLAG_FILE)
632 // Tests were successful. Write flag file if requested.
633 if (module_hash_len != 0 && getenv(kFlagWriteEnableEnvVar) != NULL) {
634 const int fd = open(flag_path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
635 if (fd >= 0) {
636 close(fd);
637 }
638 }
639 #endif // BORINGSSL_FIPS_SELF_TEST_FLAG_FILE
640
641 err:
642 EVP_AEAD_CTX_cleanup(&aead_ctx);
643 RSA_free(rsa_key);
644 EC_KEY_free(ec_key);
645 ECDSA_SIG_free(sig);
646
647 return ret;
648 }
649
BORINGSSL_self_test(void)650 int BORINGSSL_self_test(void) {
651 return boringssl_fips_self_test(NULL, 0);
652 }
653
654 #endif // !_MSC_VER
655