1 /* Copyright (c) 2017, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/crypto.h>
16
17 #include <stdio.h>
18 #include <stdlib.h>
19
20 #include <openssl/aead.h>
21 #include <openssl/aes.h>
22 #include <openssl/bn.h>
23 #include <openssl/des.h>
24 #include <openssl/dh.h>
25 #include <openssl/digest.h>
26 #include <openssl/ec.h>
27 #include <openssl/ecdsa.h>
28 #include <openssl/ec_key.h>
29 #include <openssl/nid.h>
30 #include <openssl/rsa.h>
31 #include <openssl/sha.h>
32
33 #include "../../internal.h"
34 #include "../ec/internal.h"
35 #include "../rand/internal.h"
36 #include "../tls/internal.h"
37
38
39 // MSVC wants to put a NUL byte at the end of non-char arrays and so cannot
40 // compile this.
41 #if !defined(_MSC_VER)
42
43 #if defined(BORINGSSL_FIPS) && defined(OPENSSL_ANDROID)
44 // FIPS builds on Android will test for flag files, named after the module hash,
45 // in /dev/boringssl/selftest/. If such a flag file exists, it's assumed that
46 // self-tests have already passed and thus do not need to be repeated. (The
47 // integrity tests always run, however.)
48 //
49 // If self-tests complete successfully and the environment variable named in
50 // |kFlagWriteEnableEnvVar| is present, then the flag file will be created. The
51 // flag file isn't written without the environment variable being set in order
52 // to avoid SELinux violations on Android.
53 #define BORINGSSL_FIPS_SELF_TEST_FLAG_FILE
54 static const char kFlagPrefix[] = "/dev/boringssl/selftest/";
55 static const char kFlagWriteEnableEnvVar[] = "BORINGSSL_SELF_TEST_CREATE_FLAG";
56 #endif
57
hexdump(const uint8_t * in,size_t len)58 static void hexdump(const uint8_t *in, size_t len) {
59 for (size_t i = 0; i < len; i++) {
60 fprintf(stderr, "%02x", in[i]);
61 }
62 }
63
check_test(const void * expected,const void * actual,size_t expected_len,const char * name)64 static int check_test(const void *expected, const void *actual,
65 size_t expected_len, const char *name) {
66 if (OPENSSL_memcmp(actual, expected, expected_len) != 0) {
67 fprintf(stderr, "%s failed.\nExpected: ", name);
68 hexdump(expected, expected_len);
69 fprintf(stderr, "\nCalculated: ");
70 hexdump(actual, expected_len);
71 fprintf(stderr, "\n");
72 fflush(stderr);
73 return 0;
74 }
75 return 1;
76 }
77
set_bignum(BIGNUM ** out,const uint8_t * in,size_t len)78 static int set_bignum(BIGNUM **out, const uint8_t *in, size_t len) {
79 *out = BN_bin2bn(in, len, NULL);
80 return *out != NULL;
81 }
82
self_test_rsa_key(void)83 static RSA *self_test_rsa_key(void) {
84 static const uint8_t kN[] = {
85 0xd3, 0x3a, 0x62, 0x9f, 0x07, 0x77, 0xb0, 0x18, 0xf3, 0xff, 0xfe, 0xcc,
86 0xc9, 0xa2, 0xc2, 0x3a, 0xa6, 0x1d, 0xd8, 0xf0, 0x26, 0x5b, 0x38, 0x90,
87 0x17, 0x48, 0x15, 0xce, 0x21, 0xcd, 0xd6, 0x62, 0x99, 0xe2, 0xd7, 0xda,
88 0x40, 0x80, 0x3c, 0xad, 0x18, 0xb7, 0x26, 0xe9, 0x30, 0x8a, 0x23, 0x3f,
89 0x68, 0x9a, 0x9c, 0x31, 0x34, 0x91, 0x99, 0x06, 0x11, 0x36, 0xb2, 0x9e,
90 0x3a, 0xd0, 0xbc, 0xb9, 0x93, 0x4e, 0xb8, 0x72, 0xa1, 0x9f, 0xb6, 0x8c,
91 0xd5, 0x17, 0x1f, 0x7e, 0xaa, 0x75, 0xbb, 0xdf, 0xa1, 0x70, 0x48, 0xc4,
92 0xec, 0x9a, 0x51, 0xed, 0x41, 0xc9, 0x74, 0xc0, 0x3e, 0x1e, 0x85, 0x2f,
93 0xbe, 0x34, 0xc7, 0x65, 0x34, 0x8b, 0x4d, 0x55, 0x4b, 0xe1, 0x45, 0x54,
94 0x0d, 0x75, 0x7e, 0x89, 0x4d, 0x0c, 0xf6, 0x33, 0xe5, 0xfc, 0xfb, 0x56,
95 0x1b, 0xf2, 0x39, 0x9d, 0xe0, 0xff, 0x55, 0xcf, 0x02, 0x05, 0xb9, 0x74,
96 0xd2, 0x91, 0xfc, 0x87, 0xe1, 0xbb, 0x97, 0x2a, 0xe4, 0xdd, 0x20, 0xc0,
97 0x38, 0x47, 0xc0, 0x76, 0x3f, 0xa1, 0x9b, 0x5c, 0x20, 0xff, 0xff, 0xc7,
98 0x49, 0x3b, 0x4c, 0xaf, 0x99, 0xa6, 0x3e, 0x82, 0x5c, 0x58, 0x27, 0xce,
99 0x01, 0x03, 0xc3, 0x16, 0x35, 0x20, 0xe9, 0xf0, 0x15, 0x7a, 0x41, 0xd5,
100 0x1f, 0x52, 0xea, 0xdf, 0xad, 0x4c, 0xbb, 0x0d, 0xcb, 0x04, 0x91, 0xb0,
101 0x95, 0xa8, 0xce, 0x25, 0xfd, 0xd2, 0x62, 0x47, 0x77, 0xee, 0x13, 0xf1,
102 0x48, 0x72, 0x9e, 0xd9, 0x2d, 0xe6, 0x5f, 0xa4, 0xc6, 0x9e, 0x5a, 0xb2,
103 0xc6, 0xa2, 0xf7, 0x0a, 0x16, 0x17, 0xae, 0x6b, 0x1c, 0x30, 0x7c, 0x63,
104 0x08, 0x83, 0xe7, 0x43, 0xec, 0x54, 0x5e, 0x2c, 0x08, 0x0b, 0x5e, 0x46,
105 0xa7, 0x10, 0x93, 0x43, 0x53, 0x4e, 0xe3, 0x16, 0x73, 0x55, 0xce, 0xf2,
106 0x94, 0xc0, 0xbe, 0xb3,
107 };
108 static const uint8_t kE[] = {0x01, 0x00, 0x01}; // 65537
109 static const uint8_t kD[] = {
110 0x2f, 0x2c, 0x1e, 0xd2, 0x3d, 0x2c, 0xb1, 0x9b, 0x21, 0x02, 0xce, 0xb8,
111 0x95, 0x5f, 0x4f, 0xd9, 0x21, 0x38, 0x11, 0x36, 0xb0, 0x9a, 0x36, 0xab,
112 0x97, 0x47, 0x75, 0xf7, 0x2e, 0xfd, 0x75, 0x1f, 0x58, 0x16, 0x9c, 0xf6,
113 0x14, 0xe9, 0x8e, 0xa3, 0x69, 0x9d, 0x9d, 0x86, 0xfe, 0x5c, 0x1b, 0x3b,
114 0x11, 0xf5, 0x55, 0x64, 0x77, 0xc4, 0xfc, 0x53, 0xaa, 0x8c, 0x78, 0x9f,
115 0x75, 0xab, 0x20, 0x3a, 0xa1, 0x77, 0x37, 0x22, 0x02, 0x8e, 0x54, 0x8a,
116 0x67, 0x1c, 0x5e, 0xe0, 0x3e, 0xd9, 0x44, 0x37, 0xd1, 0x29, 0xee, 0x56,
117 0x6c, 0x30, 0x9a, 0x93, 0x4d, 0xd9, 0xdb, 0xc5, 0x03, 0x1a, 0x75, 0xcc,
118 0x0f, 0xc2, 0x61, 0xb5, 0x6c, 0x62, 0x9f, 0xc6, 0xa8, 0xc7, 0x8a, 0x60,
119 0x17, 0x11, 0x62, 0x4c, 0xef, 0x74, 0x31, 0x97, 0xad, 0x89, 0x2d, 0xe8,
120 0x31, 0x1d, 0x8b, 0x58, 0x82, 0xe3, 0x03, 0x1a, 0x6b, 0xdf, 0x3f, 0x3e,
121 0xa4, 0x27, 0x19, 0xef, 0x46, 0x7a, 0x90, 0xdf, 0xa7, 0xe7, 0xc9, 0x66,
122 0xab, 0x41, 0x1d, 0x65, 0x78, 0x1c, 0x18, 0x40, 0x5c, 0xd6, 0x87, 0xb5,
123 0xea, 0x29, 0x44, 0xb3, 0xf5, 0xb3, 0xd2, 0x4f, 0xce, 0x88, 0x78, 0x49,
124 0x27, 0x4e, 0x0b, 0x30, 0x85, 0xfb, 0x73, 0xfd, 0x8b, 0x32, 0x15, 0xee,
125 0x1f, 0xc9, 0x0e, 0x89, 0xb9, 0x43, 0x2f, 0xe9, 0x60, 0x8d, 0xda, 0xae,
126 0x2b, 0x30, 0x99, 0xee, 0x88, 0x81, 0x20, 0x7b, 0x4a, 0xc3, 0x18, 0xf2,
127 0x94, 0x02, 0x79, 0x94, 0xaa, 0x65, 0xd9, 0x1b, 0x45, 0x2a, 0xac, 0x6e,
128 0x30, 0x48, 0x57, 0xea, 0xbe, 0x79, 0x7d, 0xfc, 0x67, 0xaa, 0x47, 0xc0,
129 0xf7, 0x52, 0xfd, 0x0b, 0x63, 0x4e, 0x3d, 0x2e, 0xcc, 0x36, 0xa0, 0xdb,
130 0x92, 0x0b, 0xa9, 0x1b, 0xeb, 0xc2, 0xd5, 0x08, 0xd3, 0x85, 0x87, 0xf8,
131 0x5d, 0x1a, 0xf6, 0xc1,
132 };
133 static const uint8_t kP[] = {
134 0xf7, 0x06, 0xa3, 0x98, 0x8a, 0x52, 0xf8, 0x63, 0x68, 0x27, 0x4f, 0x68,
135 0x7f, 0x34, 0xec, 0x8e, 0x5d, 0xf8, 0x30, 0x92, 0xb3, 0x62, 0x4c, 0xeb,
136 0xdb, 0x19, 0x6b, 0x09, 0xc5, 0xa3, 0xf0, 0xbb, 0xff, 0x0f, 0xc2, 0xd4,
137 0x9b, 0xc9, 0x54, 0x4f, 0xb9, 0xf9, 0xe1, 0x4c, 0xf0, 0xe3, 0x4c, 0x90,
138 0xda, 0x7a, 0x01, 0xc2, 0x9f, 0xc4, 0xc8, 0x8e, 0xb1, 0x1e, 0x93, 0x75,
139 0x75, 0xc6, 0x13, 0x25, 0xc3, 0xee, 0x3b, 0xcc, 0xb8, 0x72, 0x6c, 0x49,
140 0xb0, 0x09, 0xfb, 0xab, 0x44, 0xeb, 0x4d, 0x40, 0xf0, 0x61, 0x6b, 0xe5,
141 0xe6, 0xfe, 0x3e, 0x0a, 0x77, 0x26, 0x39, 0x76, 0x3d, 0x4c, 0x3e, 0x9b,
142 0x5b, 0xc0, 0xaf, 0xa2, 0x58, 0x76, 0xb0, 0xe9, 0xda, 0x7f, 0x0e, 0x78,
143 0xc9, 0x76, 0x49, 0x5c, 0xfa, 0xb3, 0xb0, 0x15, 0x4b, 0x41, 0xc7, 0x27,
144 0xa4, 0x75, 0x28, 0x5c, 0x30, 0x69, 0x50, 0x29,
145 };
146 static const uint8_t kQ[] = {
147 0xda, 0xe6, 0xd2, 0xbb, 0x44, 0xff, 0x4f, 0xdf, 0x57, 0xc1, 0x11, 0xa3,
148 0x51, 0xba, 0x17, 0x89, 0x4c, 0x01, 0xc0, 0x0c, 0x97, 0x34, 0x50, 0xcf,
149 0x32, 0x1e, 0xc0, 0xbd, 0x7b, 0x35, 0xb5, 0x6a, 0x26, 0xcc, 0xea, 0x4c,
150 0x8e, 0x87, 0x4a, 0x67, 0x8b, 0xd3, 0xe5, 0x4f, 0x3a, 0x60, 0x48, 0x59,
151 0x04, 0x93, 0x39, 0xd7, 0x7c, 0xfb, 0x19, 0x1a, 0x34, 0xd5, 0xe8, 0xaf,
152 0xe7, 0x22, 0x2c, 0x0d, 0xc2, 0x91, 0x69, 0xb6, 0xe9, 0x2a, 0xe9, 0x1c,
153 0x4c, 0x6e, 0x8f, 0x40, 0xf5, 0xa8, 0x3e, 0x82, 0x69, 0x69, 0xbe, 0x9f,
154 0x7d, 0x5c, 0x7f, 0x92, 0x78, 0x17, 0xa3, 0x6d, 0x41, 0x2d, 0x72, 0xed,
155 0x3f, 0x71, 0xfa, 0x97, 0xb4, 0x63, 0xe4, 0x4f, 0xd9, 0x46, 0x03, 0xfb,
156 0x00, 0xeb, 0x30, 0x70, 0xb9, 0x51, 0xd9, 0x0a, 0xd2, 0xf8, 0x50, 0xd4,
157 0xfb, 0x43, 0x84, 0xf8, 0xac, 0x58, 0xc3, 0x7b,
158 };
159 static const uint8_t kDModPMinusOne[] = {
160 0xf5, 0x50, 0x8f, 0x88, 0x7d, 0xdd, 0xb5, 0xb4, 0x2a, 0x8b, 0xd7, 0x4d,
161 0x23, 0xfe, 0xaf, 0xe9, 0x16, 0x22, 0xd2, 0x41, 0xed, 0x88, 0xf2, 0x70,
162 0xcb, 0x4d, 0xeb, 0xc1, 0x71, 0x97, 0xc4, 0x0b, 0x3e, 0x5a, 0x2d, 0x96,
163 0xab, 0xfa, 0xfd, 0x12, 0x8b, 0xd3, 0x3e, 0x4e, 0x05, 0x6f, 0x04, 0xeb,
164 0x59, 0x3c, 0x0e, 0xa1, 0x73, 0xbe, 0x9d, 0x99, 0x2f, 0x05, 0xf9, 0x54,
165 0x8d, 0x98, 0x1e, 0x0d, 0xc4, 0x0c, 0xc3, 0x30, 0x23, 0xff, 0xe5, 0xd0,
166 0x2b, 0xd5, 0x4e, 0x2b, 0xa0, 0xae, 0xb8, 0x32, 0x84, 0x45, 0x8b, 0x3c,
167 0x6d, 0xf0, 0x10, 0x36, 0x9e, 0x6a, 0xc4, 0x67, 0xca, 0xa9, 0xfc, 0x06,
168 0x96, 0xd0, 0xbc, 0xda, 0xd1, 0x55, 0x55, 0x8d, 0x77, 0x21, 0xf4, 0x82,
169 0x39, 0x37, 0x91, 0xd5, 0x97, 0x56, 0x78, 0xc8, 0x3c, 0xcb, 0x5e, 0xf6,
170 0xdc, 0x58, 0x48, 0xb3, 0x7c, 0x94, 0x29, 0x39,
171 };
172 static const uint8_t kDModQMinusOne[] = {
173 0x64, 0x65, 0xbd, 0x7d, 0x1a, 0x96, 0x26, 0xa1, 0xfe, 0xf3, 0x94, 0x0d,
174 0x5d, 0xec, 0x85, 0xe2, 0xf8, 0xb3, 0x4c, 0xcb, 0xf9, 0x85, 0x8b, 0x12,
175 0x9c, 0xa0, 0x32, 0x32, 0x35, 0x92, 0x5a, 0x94, 0x47, 0x1b, 0x70, 0xd2,
176 0x90, 0x04, 0x49, 0x01, 0xd8, 0xc5, 0xe4, 0xc4, 0x43, 0xb7, 0xe9, 0x36,
177 0xba, 0xbc, 0x73, 0xa8, 0xfb, 0xaf, 0x86, 0xc1, 0xd8, 0x3d, 0xcb, 0xac,
178 0xf1, 0xcb, 0x60, 0x7d, 0x27, 0x21, 0xde, 0x64, 0x7f, 0xe8, 0xa8, 0x65,
179 0xcc, 0x40, 0x60, 0xff, 0xa0, 0x2b, 0xfc, 0x0f, 0x80, 0x1d, 0x79, 0xca,
180 0x58, 0x8a, 0xd6, 0x0f, 0xed, 0x78, 0x9a, 0x02, 0x00, 0x04, 0xc2, 0x53,
181 0x41, 0xe8, 0x1a, 0xd0, 0xfd, 0x71, 0x5b, 0x43, 0xac, 0x19, 0x4a, 0xb6,
182 0x12, 0xa3, 0xcb, 0xe1, 0xc7, 0x7d, 0x5c, 0x98, 0x74, 0x4e, 0x63, 0x74,
183 0x6b, 0x91, 0x7a, 0x29, 0x3b, 0x92, 0xb2, 0x85,
184 };
185 static const uint8_t kQInverseModP[] = {
186 0xd0, 0xde, 0x19, 0xda, 0x1e, 0xa2, 0xd8, 0x8f, 0x1c, 0x92, 0x73, 0xb0,
187 0xc9, 0x90, 0xc7, 0xf5, 0xec, 0xc5, 0x89, 0x01, 0x05, 0x78, 0x11, 0x2d,
188 0x74, 0x34, 0x44, 0xad, 0xd5, 0xf7, 0xa4, 0xfe, 0x9f, 0x25, 0x4d, 0x0b,
189 0x92, 0xe3, 0xb8, 0x7d, 0xd3, 0xfd, 0xa5, 0xca, 0x95, 0x60, 0xa3, 0xf9,
190 0x55, 0x42, 0x14, 0xb2, 0x45, 0x51, 0x9f, 0x73, 0x88, 0x43, 0x8a, 0xd1,
191 0x65, 0x9e, 0xd1, 0xf7, 0x82, 0x2a, 0x2a, 0x8d, 0x70, 0x56, 0xe3, 0xef,
192 0xc9, 0x0e, 0x2a, 0x2c, 0x15, 0xaf, 0x7f, 0x97, 0x81, 0x66, 0xf3, 0xb5,
193 0x00, 0xa9, 0x26, 0xcc, 0x1e, 0xc2, 0x98, 0xdd, 0xd3, 0x37, 0x06, 0x79,
194 0xb3, 0x60, 0x58, 0x79, 0x99, 0x3f, 0xa3, 0x15, 0x1f, 0x31, 0xe3, 0x11,
195 0x88, 0x4c, 0x35, 0x57, 0xfa, 0x79, 0xd7, 0xd8, 0x72, 0xee, 0x73, 0x95,
196 0x89, 0x29, 0xc7, 0x05, 0x27, 0x68, 0x90, 0x15,
197 };
198
199 RSA *rsa = RSA_new();
200 if (rsa == NULL ||
201 !set_bignum(&rsa->n, kN, sizeof(kN)) ||
202 !set_bignum(&rsa->e, kE, sizeof(kE)) ||
203 !set_bignum(&rsa->d, kD, sizeof(kD)) ||
204 !set_bignum(&rsa->p, kP, sizeof(kP)) ||
205 !set_bignum(&rsa->q, kQ, sizeof(kQ)) ||
206 !set_bignum(&rsa->dmp1, kDModPMinusOne, sizeof(kDModPMinusOne)) ||
207 !set_bignum(&rsa->dmq1, kDModQMinusOne, sizeof(kDModQMinusOne)) ||
208 !set_bignum(&rsa->iqmp, kQInverseModP, sizeof(kQInverseModP))) {
209 RSA_free(rsa);
210 return NULL;
211 }
212
213 return rsa;
214 }
215
self_test_ecdsa_key(void)216 static EC_KEY *self_test_ecdsa_key(void) {
217 static const uint8_t kQx[] = {
218 0xc8, 0x15, 0x61, 0xec, 0xf2, 0xe5, 0x4e, 0xde, 0xfe, 0x66, 0x17,
219 0xdb, 0x1c, 0x7a, 0x34, 0xa7, 0x07, 0x44, 0xdd, 0xb2, 0x61, 0xf2,
220 0x69, 0xb8, 0x3d, 0xac, 0xfc, 0xd2, 0xad, 0xe5, 0xa6, 0x81,
221 };
222 static const uint8_t kQy[] = {
223 0xe0, 0xe2, 0xaf, 0xa3, 0xf9, 0xb6, 0xab, 0xe4, 0xc6, 0x98, 0xef,
224 0x64, 0x95, 0xf1, 0xbe, 0x49, 0xa3, 0x19, 0x6c, 0x50, 0x56, 0xac,
225 0xb3, 0x76, 0x3f, 0xe4, 0x50, 0x7e, 0xec, 0x59, 0x6e, 0x88,
226 };
227 static const uint8_t kD[] = {
228 0xc6, 0xc1, 0xaa, 0xda, 0x15, 0xb0, 0x76, 0x61, 0xf8, 0x14, 0x2c,
229 0x6c, 0xaf, 0x0f, 0xdb, 0x24, 0x1a, 0xff, 0x2e, 0xfe, 0x46, 0xc0,
230 0x93, 0x8b, 0x74, 0xf2, 0xbc, 0xc5, 0x30, 0x52, 0xb0, 0x77,
231 };
232
233 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
234 BIGNUM *qx = BN_bin2bn(kQx, sizeof(kQx), NULL);
235 BIGNUM *qy = BN_bin2bn(kQy, sizeof(kQy), NULL);
236 BIGNUM *d = BN_bin2bn(kD, sizeof(kD), NULL);
237 if (ec_key == NULL || qx == NULL || qy == NULL || d == NULL ||
238 !EC_KEY_set_public_key_affine_coordinates(ec_key, qx, qy) ||
239 !EC_KEY_set_private_key(ec_key, d)) {
240 EC_KEY_free(ec_key);
241 ec_key = NULL;
242 }
243
244 BN_free(qx);
245 BN_free(qy);
246 BN_free(d);
247 return ec_key;
248 }
249
self_test_dh(void)250 static DH *self_test_dh(void) {
251 DH *dh = DH_get_rfc7919_2048();
252 if (!dh) {
253 return NULL;
254 }
255
256 BIGNUM *priv = BN_new();
257 if (!priv) {
258 goto err;
259 }
260
261 // kFFDHE2048PrivateKeyData is a 225-bit value. (225 because that's the
262 // minimum private key size in
263 // https://tools.ietf.org/html/rfc7919#appendix-A.1.)
264 static const BN_ULONG kFFDHE2048PrivateKeyData[] = {
265 TOBN(0x187be36b, 0xd38a4fa1),
266 TOBN(0x0a152f39, 0x6458f3b8),
267 TOBN(0x0570187e, 0xc422eeb7),
268 TOBN(0x00000001, 0x91173f2a),
269 };
270
271 bn_set_static_words(priv, kFFDHE2048PrivateKeyData,
272 OPENSSL_ARRAY_SIZE(kFFDHE2048PrivateKeyData));
273
274 if (!DH_set0_key(dh, NULL, priv)) {
275 goto err;
276 }
277 return dh;
278
279 err:
280 BN_free(priv);
281 DH_free(dh);
282 return NULL;
283 }
284
285 #if defined(OPENSSL_ANDROID)
286 static const size_t kModuleDigestSize = SHA256_DIGEST_LENGTH;
287 #else
288 static const size_t kModuleDigestSize = SHA512_DIGEST_LENGTH;
289 #endif
290
boringssl_fips_self_test(const uint8_t * module_hash,size_t module_hash_len)291 int boringssl_fips_self_test(
292 const uint8_t *module_hash, size_t module_hash_len) {
293 #if defined(BORINGSSL_FIPS_SELF_TEST_FLAG_FILE)
294 char flag_path[sizeof(kFlagPrefix) + 2*kModuleDigestSize];
295 if (module_hash_len != 0) {
296 if (module_hash_len != kModuleDigestSize) {
297 fprintf(stderr,
298 "module hash of length %zu does not match expected length %zu\n",
299 module_hash_len, kModuleDigestSize);
300 BORINGSSL_FIPS_abort();
301 }
302
303 // Test whether the flag file exists.
304 memcpy(flag_path, kFlagPrefix, sizeof(kFlagPrefix) - 1);
305 static const char kHexTable[17] = "0123456789abcdef";
306 for (size_t i = 0; i < kModuleDigestSize; i++) {
307 flag_path[sizeof(kFlagPrefix) - 1 + 2 * i] =
308 kHexTable[module_hash[i] >> 4];
309 flag_path[sizeof(kFlagPrefix) - 1 + 2 * i + 1] =
310 kHexTable[module_hash[i] & 15];
311 }
312 flag_path[sizeof(flag_path) - 1] = 0;
313
314 if (access(flag_path, F_OK) == 0) {
315 // Flag file found. Skip self-tests.
316 return 1;
317 }
318 }
319 #endif // BORINGSSL_FIPS_SELF_TEST_FLAG_FILE
320
321 static const uint8_t kAESKey[16] = "BoringCrypto Key";
322 static const uint8_t kAESIV[16] = {0};
323 static const uint8_t kPlaintext[64] =
324 "BoringCryptoModule FIPS KAT Encryption and Decryption Plaintext!";
325 static const uint8_t kAESCBCCiphertext[64] = {
326 0x87, 0x2d, 0x98, 0xc2, 0xcc, 0x31, 0x5b, 0x41, 0xe0, 0xfa, 0x7b,
327 0x0a, 0x71, 0xc0, 0x42, 0xbf, 0x4f, 0x61, 0xd0, 0x0d, 0x58, 0x8c,
328 0xf7, 0x05, 0xfb, 0x94, 0x89, 0xd3, 0xbc, 0xaa, 0x1a, 0x50, 0x45,
329 0x1f, 0xc3, 0x8c, 0xb8, 0x98, 0x86, 0xa3, 0xe3, 0x6c, 0xfc, 0xad,
330 0x3a, 0xb5, 0x59, 0x27, 0x7d, 0x21, 0x07, 0xca, 0x4c, 0x1d, 0x55,
331 0x34, 0xdd, 0x5a, 0x2d, 0xc4, 0xb4, 0xf5, 0xa8,
332 #if !defined(BORINGSSL_FIPS_BREAK_AES_CBC)
333 0x35
334 #else
335 0x00
336 #endif
337 };
338 static const uint8_t kAESGCMCiphertext[80] = {
339 0x4a, 0xd8, 0xe7, 0x7d, 0x78, 0xd7, 0x7d, 0x5e, 0xb2, 0x11, 0xb6, 0xc9,
340 0xa4, 0xbc, 0xb2, 0xae, 0xbe, 0x93, 0xd1, 0xb7, 0xfe, 0x65, 0xc1, 0x82,
341 0x2a, 0xb6, 0x71, 0x5f, 0x1a, 0x7c, 0xe0, 0x1b, 0x2b, 0xe2, 0x53, 0xfa,
342 0xa0, 0x47, 0xfa, 0xd7, 0x8f, 0xb1, 0x4a, 0xc4, 0xdc, 0x89, 0xf9, 0xb4,
343 0x14, 0x4d, 0xde, 0x95, 0xea, 0x29, 0x69, 0x76, 0x81, 0xa3, 0x5c, 0x33,
344 0xd8, 0x37, 0xd8, 0xfa, 0x47, 0x19, 0x46, 0x2f, 0xf1, 0x90, 0xb7, 0x61,
345 0x8f, 0x6f, 0xdd, 0x31, 0x3f, 0x6a, 0x64,
346 #if !defined(BORINGSSL_FIPS_BREAK_AES_GCM)
347 0x0d
348 #else
349 0x00
350 #endif
351 };
352 static const DES_cblock kDESKey1 = {"BCMDESK1"};
353 static const DES_cblock kDESKey2 = {"BCMDESK2"};
354 static const DES_cblock kDESKey3 = {"BCMDESK3"};
355 static const DES_cblock kDESIV = {"BCMDESIV"};
356 static const uint8_t kDESCiphertext[64] = {
357 0xa4, 0x30, 0x7a, 0x4c, 0x1f, 0x60, 0x16, 0xd7, 0x4f, 0x41, 0xe1,
358 0xbb, 0x27, 0xc4, 0x27, 0x37, 0xd4, 0x7f, 0xb9, 0x10, 0xf8, 0xbc,
359 0xaf, 0x93, 0x91, 0xb8, 0x88, 0x24, 0xb1, 0xf6, 0xf8, 0xbd, 0x31,
360 0x96, 0x06, 0x76, 0xde, 0x32, 0xcd, 0x29, 0x29, 0xba, 0x70, 0x5f,
361 0xea, 0xc0, 0xcb, 0xde, 0xc7, 0x75, 0x90, 0xe0, 0x0f, 0x5e, 0x2c,
362 0x0d, 0x49, 0x20, 0xd5, 0x30, 0x83, 0xf8, 0x08,
363 #if !defined(BORINGSSL_FIPS_BREAK_DES)
364 0x5a
365 #else
366 0x00
367 #endif
368 };
369 static const uint8_t kPlaintextSHA1[20] = {
370 0xc6, 0xf8, 0xc9, 0x63, 0x1c, 0x14, 0x23, 0x62, 0x9b, 0xbd,
371 0x55, 0x82, 0xf4, 0xd6, 0x1d, 0xf2, 0xab, 0x7d, 0xc8,
372 #if !defined(BORINGSSL_FIPS_BREAK_SHA_1)
373 0x28
374 #else
375 0x00
376 #endif
377 };
378 static const uint8_t kPlaintextSHA256[32] = {
379 0x37, 0xbd, 0x70, 0x53, 0x72, 0xfc, 0xd4, 0x03, 0x79, 0x70, 0xfb,
380 0x06, 0x95, 0xb1, 0x2a, 0x82, 0x48, 0xe1, 0x3e, 0xf2, 0x33, 0xfb,
381 0xef, 0x29, 0x81, 0x22, 0x45, 0x40, 0x43, 0x70, 0xce,
382 #if !defined(BORINGSSL_FIPS_BREAK_SHA_256)
383 0x0f
384 #else
385 0x00
386 #endif
387 };
388 static const uint8_t kPlaintextSHA512[64] = {
389 0x08, 0x6a, 0x1c, 0x84, 0x61, 0x9d, 0x8e, 0xb3, 0xc0, 0x97, 0x4e,
390 0xa1, 0x9f, 0x9c, 0xdc, 0xaf, 0x3b, 0x5c, 0x31, 0xf0, 0xf2, 0x74,
391 0xc3, 0xbd, 0x6e, 0xd6, 0x1e, 0xb2, 0xbb, 0x34, 0x74, 0x72, 0x5c,
392 0x51, 0x29, 0x8b, 0x87, 0x3a, 0xa3, 0xf2, 0x25, 0x23, 0xd4, 0x1c,
393 0x82, 0x1b, 0xfe, 0xd3, 0xc6, 0xee, 0xb5, 0xd6, 0xaf, 0x07, 0x7b,
394 0x98, 0xca, 0xa7, 0x01, 0xf3, 0x94, 0xf3, 0x68,
395 #if !defined(BORINGSSL_FIPS_BREAK_SHA_512)
396 0x14
397 #else
398 0x00
399 #endif
400 };
401 static const uint8_t kRSASignature[256] = {
402 0x62, 0x66, 0x4b, 0xe3, 0xb1, 0xd2, 0x83, 0xf1, 0xa8, 0x56, 0x2b, 0x33,
403 0x60, 0x1e, 0xdb, 0x1e, 0x06, 0xf7, 0xa7, 0x1e, 0xa8, 0xef, 0x03, 0x4d,
404 0x0c, 0xf6, 0x83, 0x75, 0x7a, 0xf0, 0x14, 0xc7, 0xe2, 0x94, 0x3a, 0xb5,
405 0x67, 0x56, 0xa5, 0x48, 0x7f, 0x3a, 0xa5, 0xbf, 0xf7, 0x1d, 0x44, 0xa6,
406 0x34, 0xed, 0x9b, 0xd6, 0x51, 0xaa, 0x2c, 0x4e, 0xce, 0x60, 0x5f, 0xe9,
407 0x0e, 0xd5, 0xcd, 0xeb, 0x23, 0x27, 0xf8, 0xfb, 0x45, 0xe5, 0x34, 0x63,
408 0x77, 0x7f, 0x2e, 0x80, 0xcf, 0x9d, 0x2e, 0xfc, 0xe2, 0x50, 0x75, 0x29,
409 0x46, 0xf4, 0xaf, 0x91, 0xed, 0x36, 0xe1, 0x5e, 0xef, 0x66, 0xa1, 0xff,
410 0x27, 0xfc, 0x87, 0x7e, 0x60, 0x84, 0x0f, 0x54, 0x51, 0x56, 0x0f, 0x68,
411 0x99, 0xc0, 0x3f, 0xeb, 0xa5, 0xa0, 0x46, 0xb0, 0x86, 0x02, 0xb0, 0xc8,
412 0xe8, 0x46, 0x13, 0x06, 0xcd, 0xb7, 0x8a, 0xd0, 0x3b, 0x46, 0xd0, 0x14,
413 0x64, 0x53, 0x9b, 0x5b, 0x5e, 0x02, 0x45, 0xba, 0x6e, 0x7e, 0x0a, 0xb9,
414 0x9e, 0x62, 0xb7, 0xd5, 0x7a, 0x87, 0xea, 0xd3, 0x24, 0xa5, 0xef, 0xb3,
415 0xdc, 0x05, 0x9c, 0x04, 0x60, 0x4b, 0xde, 0xa8, 0x90, 0x08, 0x7b, 0x6a,
416 0x5f, 0xb4, 0x3f, 0xda, 0xc5, 0x1f, 0x6e, 0xd6, 0x15, 0xde, 0x65, 0xa4,
417 0x6e, 0x62, 0x9d, 0x8f, 0xa8, 0xbe, 0x86, 0xf6, 0x09, 0x90, 0x40, 0xa5,
418 0xf4, 0x23, 0xc5, 0xf6, 0x38, 0x86, 0x0d, 0x1c, 0xed, 0x4a, 0x0a, 0xae,
419 0xa4, 0x26, 0xc2, 0x2e, 0xd3, 0x13, 0x66, 0x61, 0xea, 0x35, 0x01, 0x0e,
420 0x13, 0xda, 0x78, 0x20, 0xae, 0x59, 0x5f, 0x9b, 0xa9, 0x6c, 0xf9, 0x1b,
421 0xdf, 0x76, 0x53, 0xc8, 0xa7, 0xf5, 0x63, 0x6d, 0xf3, 0xff, 0xfd, 0xaf,
422 0x75, 0x4b, 0xac, 0x67, 0xb1, 0x3c, 0xbf, 0x5e, 0xde, 0x73, 0x02, 0x6d,
423 0xd2, 0x0c, 0xb1,
424 #if !defined(BORINGSSL_FIPS_BREAK_RSA_SIG)
425 0x64
426 #else
427 0x00
428 #endif
429 };
430 const uint8_t kDRBGEntropy[48] =
431 "BCM Known Answer Test DBRG Initial Entropy ";
432 const uint8_t kDRBGPersonalization[18] = "BCMPersonalization";
433 const uint8_t kDRBGAD[16] = "BCM DRBG KAT AD ";
434 const uint8_t kDRBGOutput[64] = {
435 0x1d, 0x63, 0xdf, 0x05, 0x51, 0x49, 0x22, 0x46, 0xcd, 0x9b, 0xc5,
436 0xbb, 0xf1, 0x5d, 0x44, 0xae, 0x13, 0x78, 0xb1, 0xe4, 0x7c, 0xf1,
437 0x96, 0x33, 0x3d, 0x60, 0xb6, 0x29, 0xd4, 0xbb, 0x6b, 0x44, 0xf9,
438 0xef, 0xd9, 0xf4, 0xa2, 0xba, 0x48, 0xea, 0x39, 0x75, 0x59, 0x32,
439 0xf7, 0x31, 0x2c, 0x98, 0x14, 0x2b, 0x49, 0xdf, 0x02, 0xb6, 0x5d,
440 0x71, 0x09, 0x50, 0xdb, 0x23, 0xdb, 0xe5, 0x22,
441 #if !defined(BORINGSSL_FIPS_BREAK_DRBG)
442 0x95
443 #else
444 0x00
445 #endif
446 };
447 const uint8_t kDRBGEntropy2[48] =
448 "BCM Known Answer Test DBRG Reseed Entropy ";
449 const uint8_t kDRBGReseedOutput[64] = {
450 0xa4, 0x77, 0x05, 0xdb, 0x14, 0x11, 0x76, 0x71, 0x42, 0x5b, 0xd8,
451 0xd7, 0xa5, 0x4f, 0x8b, 0x39, 0xf2, 0x10, 0x4a, 0x50, 0x5b, 0xa2,
452 0xc8, 0xf0, 0xbb, 0x3e, 0xa1, 0xa5, 0x90, 0x7d, 0x54, 0xd9, 0xc6,
453 0xb0, 0x96, 0xc0, 0x2b, 0x7e, 0x9b, 0xc9, 0xa1, 0xdd, 0x78, 0x2e,
454 0xd5, 0xa8, 0x66, 0x16, 0xbd, 0x18, 0x3c, 0xf2, 0xaa, 0x7a, 0x2b,
455 0x37, 0xf9, 0xab, 0x35, 0x64, 0x15, 0x01, 0x3f, 0xc4,
456 };
457 const uint8_t kECDSASigR[32] = {
458 0x67, 0x80, 0xc5, 0xfc, 0x70, 0x27, 0x5e, 0x2c, 0x70, 0x61, 0xa0,
459 0xe7, 0x87, 0x7b, 0xb1, 0x74, 0xde, 0xad, 0xeb, 0x98, 0x87, 0x02,
460 0x7f, 0x3f, 0xa8, 0x36, 0x54, 0x15, 0x8b, 0xa7, 0xf5,
461 #if !defined(BORINGSSL_FIPS_BREAK_ECDSA_SIG)
462 0x0c,
463 #else
464 0x00,
465 #endif
466 };
467 const uint8_t kECDSASigS[32] = {
468 0xa5, 0x93, 0xe0, 0x23, 0x91, 0xe7, 0x4b, 0x8d, 0x77, 0x25, 0xa6,
469 0xba, 0x4d, 0xd9, 0x86, 0x77, 0xda, 0x7d, 0x8f, 0xef, 0xc4, 0x1a,
470 0xf0, 0xcc, 0x81, 0xe5, 0xea, 0x3f, 0xc2, 0x41, 0x7f, 0xd8,
471 };
472 // kP256Point is SHA256("Primitive Z Computation KAT")×G within P-256.
473 const uint8_t kP256Point[65] = {
474 0x04, 0x4e, 0xc1, 0x94, 0x8c, 0x5c, 0xf4, 0x37, 0x35, 0x0d, 0xa3,
475 0xf9, 0x55, 0xf9, 0x8b, 0x26, 0x23, 0x5c, 0x43, 0xe0, 0x83, 0x51,
476 0x2b, 0x0d, 0x4b, 0x56, 0x24, 0xc3, 0xe4, 0xa5, 0xa8, 0xe2, 0xe9,
477 0x95, 0xf2, 0xc4, 0xb9, 0xb7, 0x48, 0x7d, 0x2a, 0xae, 0xc5, 0xc0,
478 0x0a, 0xcc, 0x1b, 0xd0, 0xec, 0xb8, 0xdc, 0xbe, 0x0c, 0xbe, 0x52,
479 0x79, 0x93, 0x7c, 0x0b, 0x92, 0x2b, 0x7f, 0x17, 0xa5, 0x80,
480 };
481 // kP256Scalar is SHA256("Primitive Z Computation KAT scalar").
482 const uint8_t kP256Scalar[32] = {
483 0xe7, 0x60, 0x44, 0x91, 0x26, 0x9a, 0xfb, 0x5b, 0x10, 0x2d, 0x6e,
484 0xa5, 0x2c, 0xb5, 0x9f, 0xeb, 0x70, 0xae, 0xde, 0x6c, 0xe3, 0xbf,
485 0xb3, 0xe0, 0x10, 0x54, 0x85, 0xab, 0xd8, 0x61, 0xd7, 0x7b,
486 };
487 // kP256PointResult is |kP256Scalar|×|kP256Point|.
488 const uint8_t kP256PointResult[65] = {
489 0x04, 0xf1, 0x63, 0x00, 0x88, 0xc5, 0xd5, 0xe9, 0x05, 0x52, 0xac,
490 0xb6, 0xec, 0x68, 0x76, 0xb8, 0x73, 0x7f, 0x0f, 0x72, 0x34, 0xe6,
491 0xbb, 0x30, 0x32, 0x22, 0x37, 0xb6, 0x2a, 0x80, 0xe8, 0x9e, 0x6e,
492 0x6f, 0x36, 0x02, 0xe7, 0x21, 0xd2, 0x31, 0xdb, 0x94, 0x63, 0xb7,
493 0xd8, 0x19, 0x0e, 0xc2, 0xc0, 0xa7, 0x2f, 0x15, 0x49, 0x1a, 0xa2,
494 0x7c, 0x41, 0x8f, 0xaf, 0x9c, 0x40, 0xaf, 0x2e, 0x4a,
495 #if !defined(BORINGSSL_FIPS_BREAK_Z_COMPUTATION)
496 0x0c,
497 #else
498 0x00,
499 #endif
500 };
501 const uint8_t kTLSOutput[32] = {
502 0x67, 0x85, 0xde, 0x60, 0xfc, 0x0a, 0x83, 0xe9, 0xa2, 0x2a, 0xb3,
503 0xf0, 0x27, 0x0c, 0xba, 0xf7, 0xfa, 0x82, 0x3d, 0x14, 0x77, 0x1d,
504 0x86, 0x29, 0x79, 0x39, 0x77, 0x8a, 0xd5, 0x0e, 0x9d,
505 #if !defined(BORINGSSL_FIPS_BREAK_TLS_KDF)
506 0x32,
507 #else
508 0x00,
509 #endif
510 };
511 const uint8_t kTLSSecret[32] = {
512 0xbf, 0xe4, 0xb7, 0xe0, 0x26, 0x55, 0x5f, 0x6a, 0xdf, 0x5d, 0x27,
513 0xd6, 0x89, 0x99, 0x2a, 0xd6, 0xf7, 0x65, 0x66, 0x07, 0x4b, 0x55,
514 0x5f, 0x64, 0x55, 0xcd, 0xd5, 0x77, 0xa4, 0xc7, 0x09, 0x61,
515 };
516 const char kTLSLabel[] = "FIPS self test";
517 const uint8_t kTLSSeed1[16] = {
518 0x8f, 0x0d, 0xe8, 0xb6, 0x90, 0x8f, 0xb1, 0xd2,
519 0x6d, 0x51, 0xf4, 0x79, 0x18, 0x63, 0x51, 0x65,
520 };
521 const uint8_t kTLSSeed2[16] = {
522 0x7d, 0x24, 0x1a, 0x9d, 0x3c, 0x59, 0xbf, 0x3c,
523 0x31, 0x1e, 0x2b, 0x21, 0x41, 0x8d, 0x32, 0x81,
524 };
525
526 // kFFDHE2048PublicValueData is an arbitrary public value, mod
527 // kFFDHE2048Data. (The private key happens to be 4096.)
528 static const BN_ULONG kFFDHE2048PublicValueData[] = {
529 TOBN(0x187be36b, 0xd38a4fa1), TOBN(0x0a152f39, 0x6458f3b8),
530 TOBN(0x0570187e, 0xc422eeb7), TOBN(0x18af7482, 0x91173f2a),
531 TOBN(0xe9fdac6a, 0xcff4eaaa), TOBN(0xf6afebb7, 0x6e589d6c),
532 TOBN(0xf92f8e9a, 0xb7e33fb0), TOBN(0x70acf2aa, 0x4cf36ddd),
533 TOBN(0x561ab426, 0xd07137fd), TOBN(0x5f57d037, 0x430ee91e),
534 TOBN(0xe3e768c8, 0x60d10b8a), TOBN(0xb14884d8, 0xa18af8ce),
535 TOBN(0xf8a98014, 0xa12b74e4), TOBN(0x748d407c, 0x3437b7a8),
536 TOBN(0x627588c4, 0x9875d5a7), TOBN(0xdd24a127, 0x53c8f09d),
537 TOBN(0x85a997d5, 0x0cd51aec), TOBN(0x44f0c619, 0xce348458),
538 TOBN(0x9b894b24, 0x5f6b69a1), TOBN(0xae1302f2, 0xf6d4777e),
539 TOBN(0xe6678eeb, 0x375db18e), TOBN(0x2674e1d6, 0x4fbcbdc8),
540 TOBN(0xb297a823, 0x6fa93d28), TOBN(0x6a12fb70, 0x7c8c0510),
541 TOBN(0x5c6d1aeb, 0xdb06f65b), TOBN(0xe8c2954e, 0x4c1804ca),
542 TOBN(0x06bdeac1, 0xf5500fa7), TOBN(0x6a315604, 0x189cd76b),
543 TOBN(0xbae7b0b3, 0x6e362dc0), TOBN(0xa57c73bd, 0xdc70fb82),
544 TOBN(0xfaff50d2, 0x9d573457), TOBN(0x352bd399, 0xbe84058e),
545 };
546
547 const uint8_t kDHOutput[2048 / 8] = {
548 0x2a, 0xe6, 0xd3, 0xa6, 0x13, 0x58, 0x8e, 0xce, 0x53, 0xaa, 0xf6, 0x5d,
549 0x9a, 0xae, 0x02, 0x12, 0xf5, 0x80, 0x3d, 0x06, 0x09, 0x76, 0xac, 0x57,
550 0x37, 0x9e, 0xab, 0x38, 0x62, 0x25, 0x05, 0x1d, 0xf3, 0xa9, 0x39, 0x60,
551 0xf6, 0xae, 0x90, 0xed, 0x1e, 0xad, 0x6e, 0xe9, 0xe3, 0xba, 0x27, 0xf6,
552 0xdb, 0x54, 0xdf, 0xe2, 0xbd, 0xbb, 0x7f, 0xf1, 0x81, 0xac, 0x1a, 0xfa,
553 0xdb, 0x87, 0x07, 0x98, 0x76, 0x90, 0x21, 0xf2, 0xae, 0xda, 0x0d, 0x84,
554 0x97, 0x64, 0x0b, 0xbf, 0xb8, 0x8d, 0x10, 0x46, 0xe2, 0xd5, 0xca, 0x1b,
555 0xbb, 0xe5, 0x37, 0xb2, 0x3b, 0x35, 0xd3, 0x1b, 0x65, 0xea, 0xae, 0xf2,
556 0x03, 0xe2, 0xb6, 0xde, 0x22, 0xb7, 0x86, 0x49, 0x79, 0xfe, 0xd7, 0x16,
557 0xf7, 0xdc, 0x9c, 0x59, 0xf5, 0xb7, 0x70, 0xc0, 0x53, 0x42, 0x6f, 0xb1,
558 0xd2, 0x4e, 0x00, 0x25, 0x4b, 0x2d, 0x5a, 0x9b, 0xd0, 0xe9, 0x27, 0x43,
559 0xcc, 0x00, 0x66, 0xea, 0x94, 0x7a, 0x0b, 0xb9, 0x89, 0x0c, 0x5e, 0x94,
560 0xb8, 0x3a, 0x78, 0x9c, 0x4d, 0x84, 0xe6, 0x32, 0x2c, 0x38, 0x7c, 0xf7,
561 0x43, 0x9c, 0xd8, 0xb8, 0x1c, 0xce, 0x24, 0x91, 0x20, 0x67, 0x7a, 0x54,
562 0x1f, 0x7e, 0x86, 0x7f, 0xa1, 0xc1, 0x03, 0x4e, 0x2c, 0x26, 0x71, 0xb2,
563 0x06, 0x30, 0xb3, 0x6c, 0x15, 0xcc, 0xac, 0x25, 0xe5, 0x37, 0x3f, 0x24,
564 0x8f, 0x2a, 0x89, 0x5e, 0x3d, 0x43, 0x94, 0xc9, 0x36, 0xae, 0x40, 0x00,
565 0x6a, 0x0d, 0xb0, 0x6e, 0x8b, 0x2e, 0x70, 0x57, 0xe1, 0x88, 0x53, 0xd6,
566 0x06, 0x80, 0x2a, 0x4e, 0x5a, 0xf0, 0x1e, 0xaa, 0xcb, 0xab, 0x06, 0x0e,
567 0x27, 0x0f, 0xd9, 0x88, 0xd9, 0x01, 0xe3, 0x07, 0xeb, 0xdf, 0xc3, 0x12,
568 0xe3, 0x40, 0x88, 0x7b, 0x5f, 0x59, 0x78, 0x6e, 0x26, 0x20, 0xc3, 0xdf,
569 0xc8, 0xe4, 0x5e,
570 #if !defined(BORINGSSL_FIPS_BREAK_FFC_DH)
571 0xb8,
572 #else
573 0x00,
574 #endif
575 };
576
577 EVP_AEAD_CTX aead_ctx;
578 EVP_AEAD_CTX_zero(&aead_ctx);
579 RSA *rsa_key = NULL;
580 EC_KEY *ec_key = NULL;
581 EC_GROUP *ec_group = NULL;
582 EC_POINT *ec_point_in = NULL;
583 EC_POINT *ec_point_out = NULL;
584 BIGNUM *ec_scalar = NULL;
585 ECDSA_SIG *sig = NULL;
586 int ret = 0;
587
588 AES_KEY aes_key;
589 uint8_t aes_iv[16];
590 uint8_t output[256];
591
592 // AES-CBC Encryption KAT
593 memcpy(aes_iv, kAESIV, sizeof(kAESIV));
594 if (AES_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) {
595 fprintf(stderr, "AES_set_encrypt_key failed.\n");
596 goto err;
597 }
598 AES_cbc_encrypt(kPlaintext, output, sizeof(kPlaintext), &aes_key, aes_iv,
599 AES_ENCRYPT);
600 if (!check_test(kAESCBCCiphertext, output, sizeof(kAESCBCCiphertext),
601 "AES-CBC Encryption KAT")) {
602 goto err;
603 }
604
605 // AES-CBC Decryption KAT
606 memcpy(aes_iv, kAESIV, sizeof(kAESIV));
607 if (AES_set_decrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) {
608 fprintf(stderr, "AES_set_decrypt_key failed.\n");
609 goto err;
610 }
611 AES_cbc_encrypt(kAESCBCCiphertext, output, sizeof(kAESCBCCiphertext),
612 &aes_key, aes_iv, AES_DECRYPT);
613 if (!check_test(kPlaintext, output, sizeof(kPlaintext),
614 "AES-CBC Decryption KAT")) {
615 goto err;
616 }
617
618 size_t out_len;
619 uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
620 OPENSSL_memset(nonce, 0, sizeof(nonce));
621 if (!EVP_AEAD_CTX_init(&aead_ctx, EVP_aead_aes_128_gcm(), kAESKey,
622 sizeof(kAESKey), 0, NULL)) {
623 fprintf(stderr, "EVP_AEAD_CTX_init for AES-128-GCM failed.\n");
624 goto err;
625 }
626
627 // AES-GCM Encryption KAT
628 if (!EVP_AEAD_CTX_seal(&aead_ctx, output, &out_len, sizeof(output), nonce,
629 EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()),
630 kPlaintext, sizeof(kPlaintext), NULL, 0) ||
631 !check_test(kAESGCMCiphertext, output, sizeof(kAESGCMCiphertext),
632 "AES-GCM Encryption KAT")) {
633 fprintf(stderr, "EVP_AEAD_CTX_seal for AES-128-GCM failed.\n");
634 goto err;
635 }
636
637 // AES-GCM Decryption KAT
638 if (!EVP_AEAD_CTX_open(&aead_ctx, output, &out_len, sizeof(output), nonce,
639 EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()),
640 kAESGCMCiphertext, sizeof(kAESGCMCiphertext), NULL,
641 0) ||
642 !check_test(kPlaintext, output, sizeof(kPlaintext),
643 "AES-GCM Decryption KAT")) {
644 fprintf(stderr, "EVP_AEAD_CTX_open for AES-128-GCM failed.\n");
645 goto err;
646 }
647
648 DES_key_schedule des1, des2, des3;
649 DES_cblock des_iv;
650 DES_set_key(&kDESKey1, &des1);
651 DES_set_key(&kDESKey2, &des2);
652 DES_set_key(&kDESKey3, &des3);
653
654 // 3DES Encryption KAT
655 memcpy(&des_iv, &kDESIV, sizeof(des_iv));
656 DES_ede3_cbc_encrypt(kPlaintext, output, sizeof(kPlaintext), &des1, &des2,
657 &des3, &des_iv, DES_ENCRYPT);
658 if (!check_test(kDESCiphertext, output, sizeof(kDESCiphertext),
659 "3DES Encryption KAT")) {
660 goto err;
661 }
662
663 // 3DES Decryption KAT
664 memcpy(&des_iv, &kDESIV, sizeof(des_iv));
665 DES_ede3_cbc_encrypt(kDESCiphertext, output, sizeof(kDESCiphertext), &des1,
666 &des2, &des3, &des_iv, DES_DECRYPT);
667 if (!check_test(kPlaintext, output, sizeof(kPlaintext),
668 "3DES Decryption KAT")) {
669 goto err;
670 }
671
672 // SHA-1 KAT
673 SHA1(kPlaintext, sizeof(kPlaintext), output);
674 if (!check_test(kPlaintextSHA1, output, sizeof(kPlaintextSHA1),
675 "SHA-1 KAT")) {
676 goto err;
677 }
678
679 // SHA-256 KAT
680 SHA256(kPlaintext, sizeof(kPlaintext), output);
681 if (!check_test(kPlaintextSHA256, output, sizeof(kPlaintextSHA256),
682 "SHA-256 KAT")) {
683 goto err;
684 }
685
686 // SHA-512 KAT
687 SHA512(kPlaintext, sizeof(kPlaintext), output);
688 if (!check_test(kPlaintextSHA512, output, sizeof(kPlaintextSHA512),
689 "SHA-512 KAT")) {
690 goto err;
691 }
692
693 rsa_key = self_test_rsa_key();
694 if (rsa_key == NULL) {
695 fprintf(stderr, "RSA KeyGen failed\n");
696 goto err;
697 }
698
699 // RSA Sign KAT
700 unsigned sig_len;
701
702 // Disable blinding for the power-on tests because it's not needed and
703 // triggers an entropy draw.
704 rsa_key->flags |= RSA_FLAG_NO_BLINDING;
705
706 if (!RSA_sign(NID_sha256, kPlaintextSHA256, sizeof(kPlaintextSHA256), output,
707 &sig_len, rsa_key) ||
708 !check_test(kRSASignature, output, sizeof(kRSASignature),
709 "RSA Sign KAT")) {
710 fprintf(stderr, "RSA signing test failed.\n");
711 goto err;
712 }
713
714 // RSA Verify KAT
715 if (!RSA_verify(NID_sha256, kPlaintextSHA256, sizeof(kPlaintextSHA256),
716 kRSASignature, sizeof(kRSASignature), rsa_key)) {
717 fprintf(stderr, "RSA Verify KAT failed.\n");
718 goto err;
719 }
720
721 ec_key = self_test_ecdsa_key();
722 if (ec_key == NULL) {
723 fprintf(stderr, "ECDSA KeyGen failed\n");
724 goto err;
725 }
726
727 // ECDSA Sign/Verify KAT
728
729 // The 'k' value for ECDSA is fixed to avoid an entropy draw.
730 ec_key->fixed_k = BN_new();
731 if (ec_key->fixed_k == NULL ||
732 !BN_set_word(ec_key->fixed_k, 42)) {
733 fprintf(stderr, "Out of memory\n");
734 goto err;
735 }
736
737 sig = ECDSA_do_sign(kPlaintextSHA256, sizeof(kPlaintextSHA256), ec_key);
738
739 uint8_t ecdsa_r_bytes[sizeof(kECDSASigR)];
740 uint8_t ecdsa_s_bytes[sizeof(kECDSASigS)];
741 if (sig == NULL ||
742 BN_num_bytes(sig->r) != sizeof(ecdsa_r_bytes) ||
743 !BN_bn2bin(sig->r, ecdsa_r_bytes) ||
744 BN_num_bytes(sig->s) != sizeof(ecdsa_s_bytes) ||
745 !BN_bn2bin(sig->s, ecdsa_s_bytes) ||
746 !check_test(kECDSASigR, ecdsa_r_bytes, sizeof(kECDSASigR), "ECDSA R") ||
747 !check_test(kECDSASigS, ecdsa_s_bytes, sizeof(kECDSASigS), "ECDSA S")) {
748 fprintf(stderr, "ECDSA signature KAT failed.\n");
749 goto err;
750 }
751
752 if (!ECDSA_do_verify(kPlaintextSHA256, sizeof(kPlaintextSHA256), sig,
753 ec_key)) {
754 fprintf(stderr, "ECDSA verification KAT failed.\n");
755 goto err;
756 }
757
758 // Primitive Z Computation KAT (IG 9.6).
759 ec_group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
760 if (ec_group == NULL) {
761 fprintf(stderr, "Failed to create P-256 group.\n");
762 goto err;
763 }
764 ec_point_in = EC_POINT_new(ec_group);
765 ec_point_out = EC_POINT_new(ec_group);
766 ec_scalar = BN_new();
767 uint8_t z_comp_result[65];
768 if (ec_point_in == NULL || ec_point_out == NULL || ec_scalar == NULL ||
769 !EC_POINT_oct2point(ec_group, ec_point_in, kP256Point, sizeof(kP256Point),
770 NULL) ||
771 !BN_bin2bn(kP256Scalar, sizeof(kP256Scalar), ec_scalar) ||
772 !EC_POINT_mul(ec_group, ec_point_out, NULL, ec_point_in, ec_scalar,
773 NULL) ||
774 !EC_POINT_point2oct(ec_group, ec_point_out, POINT_CONVERSION_UNCOMPRESSED,
775 z_comp_result, sizeof(z_comp_result), NULL) ||
776 !check_test(kP256PointResult, z_comp_result, sizeof(z_comp_result),
777 "Z Computation Result")) {
778 fprintf(stderr, "Z Computation KAT failed.\n");
779 goto err;
780 }
781
782 // FFC Diffie-Hellman KAT
783
784 BIGNUM *const ffdhe2048_value = BN_new();
785 DH *const dh = self_test_dh();
786 int dh_ok = 0;
787 if (ffdhe2048_value && dh) {
788 bn_set_static_words(ffdhe2048_value, kFFDHE2048PublicValueData,
789 OPENSSL_ARRAY_SIZE(kFFDHE2048PublicValueData));
790
791 uint8_t dh_out[sizeof(kDHOutput)];
792 dh_ok =
793 sizeof(dh_out) == DH_size(dh) &&
794 DH_compute_key_padded(dh_out, ffdhe2048_value, dh) == sizeof(dh_out) &&
795 check_test(kDHOutput, dh_out, sizeof(dh_out), "FFC DH");
796 }
797
798 BN_free(ffdhe2048_value);
799 DH_free(dh);
800 if (!dh_ok) {
801 fprintf(stderr, "FFDH failed.\n");
802 goto err;
803 }
804
805 // DBRG KAT
806 CTR_DRBG_STATE drbg;
807 if (!CTR_DRBG_init(&drbg, kDRBGEntropy, kDRBGPersonalization,
808 sizeof(kDRBGPersonalization)) ||
809 !CTR_DRBG_generate(&drbg, output, sizeof(kDRBGOutput), kDRBGAD,
810 sizeof(kDRBGAD)) ||
811 !check_test(kDRBGOutput, output, sizeof(kDRBGOutput),
812 "DBRG Generate KAT") ||
813 !CTR_DRBG_reseed(&drbg, kDRBGEntropy2, kDRBGAD, sizeof(kDRBGAD)) ||
814 !CTR_DRBG_generate(&drbg, output, sizeof(kDRBGReseedOutput), kDRBGAD,
815 sizeof(kDRBGAD)) ||
816 !check_test(kDRBGReseedOutput, output, sizeof(kDRBGReseedOutput),
817 "DRBG Reseed KAT")) {
818 fprintf(stderr, "CTR-DRBG failed.\n");
819 goto err;
820 }
821 CTR_DRBG_clear(&drbg);
822
823 CTR_DRBG_STATE kZeroDRBG;
824 memset(&kZeroDRBG, 0, sizeof(kZeroDRBG));
825 if (!check_test(&kZeroDRBG, &drbg, sizeof(drbg), "DRBG Clear KAT")) {
826 goto err;
827 }
828
829 // TLS KDF KAT
830 uint8_t tls_output[sizeof(kTLSOutput)];
831 if (!CRYPTO_tls1_prf(EVP_sha256(), tls_output, sizeof(tls_output), kTLSSecret,
832 sizeof(kTLSSecret), kTLSLabel, sizeof(kTLSLabel),
833 kTLSSeed1, sizeof(kTLSSeed1), kTLSSeed2,
834 sizeof(kTLSSeed2)) ||
835 !check_test(kTLSOutput, tls_output, sizeof(kTLSOutput), "TLS KDF KAT")) {
836 fprintf(stderr, "TLS KDF failed.\n");
837 goto err;
838 }
839
840 ret = 1;
841
842 #if defined(BORINGSSL_FIPS_SELF_TEST_FLAG_FILE)
843 // Tests were successful. Write flag file if requested.
844 if (module_hash_len != 0 && getenv(kFlagWriteEnableEnvVar) != NULL) {
845 const int fd = open(flag_path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
846 if (fd >= 0) {
847 close(fd);
848 }
849 }
850 #endif // BORINGSSL_FIPS_SELF_TEST_FLAG_FILE
851
852 err:
853 EVP_AEAD_CTX_cleanup(&aead_ctx);
854 RSA_free(rsa_key);
855 EC_KEY_free(ec_key);
856 EC_POINT_free(ec_point_in);
857 EC_POINT_free(ec_point_out);
858 EC_GROUP_free(ec_group);
859 BN_free(ec_scalar);
860 ECDSA_SIG_free(sig);
861
862 return ret;
863 }
864
BORINGSSL_self_test(void)865 int BORINGSSL_self_test(void) {
866 return boringssl_fips_self_test(NULL, 0);
867 }
868
869 #endif // !_MSC_VER
870