1 /* Copyright (c) 2017, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/crypto.h>
16
17 #include <stdio.h>
18 #include <stdlib.h>
19
20 #include <openssl/aead.h>
21 #include <openssl/aes.h>
22 #include <openssl/bn.h>
23 #include <openssl/des.h>
24 #include <openssl/dh.h>
25 #include <openssl/digest.h>
26 #include <openssl/ec.h>
27 #include <openssl/ecdsa.h>
28 #include <openssl/ec_key.h>
29 #include <openssl/nid.h>
30 #include <openssl/rsa.h>
31 #include <openssl/sha.h>
32
33 #include "../../internal.h"
34 #include "../ec/internal.h"
35 #include "../ecdsa/internal.h"
36 #include "../rand/internal.h"
37 #include "../tls/internal.h"
38
39
40 // MSVC wants to put a NUL byte at the end of non-char arrays and so cannot
41 // compile the real logic.
42 #if defined(_MSC_VER)
43
BORINGSSL_self_test(void)44 int BORINGSSL_self_test(void) {
45 return 0;
46 }
47
48 #else
49
50 #if defined(BORINGSSL_FIPS) && defined(OPENSSL_ANDROID)
51 // FIPS builds on Android will test for flag files, named after the module hash,
52 // in /dev/boringssl/selftest/. If such a flag file exists, it's assumed that
53 // self-tests have already passed and thus do not need to be repeated. (The
54 // integrity tests always run, however.)
55 //
56 // If self-tests complete successfully and the environment variable named in
57 // |kFlagWriteEnableEnvVar| is present, then the flag file will be created. The
58 // flag file isn't written without the environment variable being set in order
59 // to avoid SELinux violations on Android.
60 #define BORINGSSL_FIPS_SELF_TEST_FLAG_FILE
61 static const char kFlagPrefix[] = "/dev/boringssl/selftest/";
62 static const char kFlagWriteEnableEnvVar[] = "BORINGSSL_SELF_TEST_CREATE_FLAG";
63 #endif
64
hexdump(const uint8_t * in,size_t len)65 static void hexdump(const uint8_t *in, size_t len) {
66 for (size_t i = 0; i < len; i++) {
67 fprintf(stderr, "%02x", in[i]);
68 }
69 }
70
check_test(const void * expected,const void * actual,size_t expected_len,const char * name)71 static int check_test(const void *expected, const void *actual,
72 size_t expected_len, const char *name) {
73 if (OPENSSL_memcmp(actual, expected, expected_len) != 0) {
74 fprintf(stderr, "%s failed.\nExpected: ", name);
75 hexdump(expected, expected_len);
76 fprintf(stderr, "\nCalculated: ");
77 hexdump(actual, expected_len);
78 fprintf(stderr, "\n");
79 fflush(stderr);
80 return 0;
81 }
82 return 1;
83 }
84
set_bignum(BIGNUM ** out,const uint8_t * in,size_t len)85 static int set_bignum(BIGNUM **out, const uint8_t *in, size_t len) {
86 *out = BN_bin2bn(in, len, NULL);
87 return *out != NULL;
88 }
89
self_test_rsa_key(void)90 static RSA *self_test_rsa_key(void) {
91 static const uint8_t kN[] = {
92 0xd3, 0x3a, 0x62, 0x9f, 0x07, 0x77, 0xb0, 0x18, 0xf3, 0xff, 0xfe, 0xcc,
93 0xc9, 0xa2, 0xc2, 0x3a, 0xa6, 0x1d, 0xd8, 0xf0, 0x26, 0x5b, 0x38, 0x90,
94 0x17, 0x48, 0x15, 0xce, 0x21, 0xcd, 0xd6, 0x62, 0x99, 0xe2, 0xd7, 0xda,
95 0x40, 0x80, 0x3c, 0xad, 0x18, 0xb7, 0x26, 0xe9, 0x30, 0x8a, 0x23, 0x3f,
96 0x68, 0x9a, 0x9c, 0x31, 0x34, 0x91, 0x99, 0x06, 0x11, 0x36, 0xb2, 0x9e,
97 0x3a, 0xd0, 0xbc, 0xb9, 0x93, 0x4e, 0xb8, 0x72, 0xa1, 0x9f, 0xb6, 0x8c,
98 0xd5, 0x17, 0x1f, 0x7e, 0xaa, 0x75, 0xbb, 0xdf, 0xa1, 0x70, 0x48, 0xc4,
99 0xec, 0x9a, 0x51, 0xed, 0x41, 0xc9, 0x74, 0xc0, 0x3e, 0x1e, 0x85, 0x2f,
100 0xbe, 0x34, 0xc7, 0x65, 0x34, 0x8b, 0x4d, 0x55, 0x4b, 0xe1, 0x45, 0x54,
101 0x0d, 0x75, 0x7e, 0x89, 0x4d, 0x0c, 0xf6, 0x33, 0xe5, 0xfc, 0xfb, 0x56,
102 0x1b, 0xf2, 0x39, 0x9d, 0xe0, 0xff, 0x55, 0xcf, 0x02, 0x05, 0xb9, 0x74,
103 0xd2, 0x91, 0xfc, 0x87, 0xe1, 0xbb, 0x97, 0x2a, 0xe4, 0xdd, 0x20, 0xc0,
104 0x38, 0x47, 0xc0, 0x76, 0x3f, 0xa1, 0x9b, 0x5c, 0x20, 0xff, 0xff, 0xc7,
105 0x49, 0x3b, 0x4c, 0xaf, 0x99, 0xa6, 0x3e, 0x82, 0x5c, 0x58, 0x27, 0xce,
106 0x01, 0x03, 0xc3, 0x16, 0x35, 0x20, 0xe9, 0xf0, 0x15, 0x7a, 0x41, 0xd5,
107 0x1f, 0x52, 0xea, 0xdf, 0xad, 0x4c, 0xbb, 0x0d, 0xcb, 0x04, 0x91, 0xb0,
108 0x95, 0xa8, 0xce, 0x25, 0xfd, 0xd2, 0x62, 0x47, 0x77, 0xee, 0x13, 0xf1,
109 0x48, 0x72, 0x9e, 0xd9, 0x2d, 0xe6, 0x5f, 0xa4, 0xc6, 0x9e, 0x5a, 0xb2,
110 0xc6, 0xa2, 0xf7, 0x0a, 0x16, 0x17, 0xae, 0x6b, 0x1c, 0x30, 0x7c, 0x63,
111 0x08, 0x83, 0xe7, 0x43, 0xec, 0x54, 0x5e, 0x2c, 0x08, 0x0b, 0x5e, 0x46,
112 0xa7, 0x10, 0x93, 0x43, 0x53, 0x4e, 0xe3, 0x16, 0x73, 0x55, 0xce, 0xf2,
113 0x94, 0xc0, 0xbe, 0xb3,
114 };
115 static const uint8_t kE[] = {0x01, 0x00, 0x01}; // 65537
116 static const uint8_t kD[] = {
117 0x2f, 0x2c, 0x1e, 0xd2, 0x3d, 0x2c, 0xb1, 0x9b, 0x21, 0x02, 0xce, 0xb8,
118 0x95, 0x5f, 0x4f, 0xd9, 0x21, 0x38, 0x11, 0x36, 0xb0, 0x9a, 0x36, 0xab,
119 0x97, 0x47, 0x75, 0xf7, 0x2e, 0xfd, 0x75, 0x1f, 0x58, 0x16, 0x9c, 0xf6,
120 0x14, 0xe9, 0x8e, 0xa3, 0x69, 0x9d, 0x9d, 0x86, 0xfe, 0x5c, 0x1b, 0x3b,
121 0x11, 0xf5, 0x55, 0x64, 0x77, 0xc4, 0xfc, 0x53, 0xaa, 0x8c, 0x78, 0x9f,
122 0x75, 0xab, 0x20, 0x3a, 0xa1, 0x77, 0x37, 0x22, 0x02, 0x8e, 0x54, 0x8a,
123 0x67, 0x1c, 0x5e, 0xe0, 0x3e, 0xd9, 0x44, 0x37, 0xd1, 0x29, 0xee, 0x56,
124 0x6c, 0x30, 0x9a, 0x93, 0x4d, 0xd9, 0xdb, 0xc5, 0x03, 0x1a, 0x75, 0xcc,
125 0x0f, 0xc2, 0x61, 0xb5, 0x6c, 0x62, 0x9f, 0xc6, 0xa8, 0xc7, 0x8a, 0x60,
126 0x17, 0x11, 0x62, 0x4c, 0xef, 0x74, 0x31, 0x97, 0xad, 0x89, 0x2d, 0xe8,
127 0x31, 0x1d, 0x8b, 0x58, 0x82, 0xe3, 0x03, 0x1a, 0x6b, 0xdf, 0x3f, 0x3e,
128 0xa4, 0x27, 0x19, 0xef, 0x46, 0x7a, 0x90, 0xdf, 0xa7, 0xe7, 0xc9, 0x66,
129 0xab, 0x41, 0x1d, 0x65, 0x78, 0x1c, 0x18, 0x40, 0x5c, 0xd6, 0x87, 0xb5,
130 0xea, 0x29, 0x44, 0xb3, 0xf5, 0xb3, 0xd2, 0x4f, 0xce, 0x88, 0x78, 0x49,
131 0x27, 0x4e, 0x0b, 0x30, 0x85, 0xfb, 0x73, 0xfd, 0x8b, 0x32, 0x15, 0xee,
132 0x1f, 0xc9, 0x0e, 0x89, 0xb9, 0x43, 0x2f, 0xe9, 0x60, 0x8d, 0xda, 0xae,
133 0x2b, 0x30, 0x99, 0xee, 0x88, 0x81, 0x20, 0x7b, 0x4a, 0xc3, 0x18, 0xf2,
134 0x94, 0x02, 0x79, 0x94, 0xaa, 0x65, 0xd9, 0x1b, 0x45, 0x2a, 0xac, 0x6e,
135 0x30, 0x48, 0x57, 0xea, 0xbe, 0x79, 0x7d, 0xfc, 0x67, 0xaa, 0x47, 0xc0,
136 0xf7, 0x52, 0xfd, 0x0b, 0x63, 0x4e, 0x3d, 0x2e, 0xcc, 0x36, 0xa0, 0xdb,
137 0x92, 0x0b, 0xa9, 0x1b, 0xeb, 0xc2, 0xd5, 0x08, 0xd3, 0x85, 0x87, 0xf8,
138 0x5d, 0x1a, 0xf6, 0xc1,
139 };
140 static const uint8_t kP[] = {
141 0xf7, 0x06, 0xa3, 0x98, 0x8a, 0x52, 0xf8, 0x63, 0x68, 0x27, 0x4f, 0x68,
142 0x7f, 0x34, 0xec, 0x8e, 0x5d, 0xf8, 0x30, 0x92, 0xb3, 0x62, 0x4c, 0xeb,
143 0xdb, 0x19, 0x6b, 0x09, 0xc5, 0xa3, 0xf0, 0xbb, 0xff, 0x0f, 0xc2, 0xd4,
144 0x9b, 0xc9, 0x54, 0x4f, 0xb9, 0xf9, 0xe1, 0x4c, 0xf0, 0xe3, 0x4c, 0x90,
145 0xda, 0x7a, 0x01, 0xc2, 0x9f, 0xc4, 0xc8, 0x8e, 0xb1, 0x1e, 0x93, 0x75,
146 0x75, 0xc6, 0x13, 0x25, 0xc3, 0xee, 0x3b, 0xcc, 0xb8, 0x72, 0x6c, 0x49,
147 0xb0, 0x09, 0xfb, 0xab, 0x44, 0xeb, 0x4d, 0x40, 0xf0, 0x61, 0x6b, 0xe5,
148 0xe6, 0xfe, 0x3e, 0x0a, 0x77, 0x26, 0x39, 0x76, 0x3d, 0x4c, 0x3e, 0x9b,
149 0x5b, 0xc0, 0xaf, 0xa2, 0x58, 0x76, 0xb0, 0xe9, 0xda, 0x7f, 0x0e, 0x78,
150 0xc9, 0x76, 0x49, 0x5c, 0xfa, 0xb3, 0xb0, 0x15, 0x4b, 0x41, 0xc7, 0x27,
151 0xa4, 0x75, 0x28, 0x5c, 0x30, 0x69, 0x50, 0x29,
152 };
153 static const uint8_t kQ[] = {
154 0xda, 0xe6, 0xd2, 0xbb, 0x44, 0xff, 0x4f, 0xdf, 0x57, 0xc1, 0x11, 0xa3,
155 0x51, 0xba, 0x17, 0x89, 0x4c, 0x01, 0xc0, 0x0c, 0x97, 0x34, 0x50, 0xcf,
156 0x32, 0x1e, 0xc0, 0xbd, 0x7b, 0x35, 0xb5, 0x6a, 0x26, 0xcc, 0xea, 0x4c,
157 0x8e, 0x87, 0x4a, 0x67, 0x8b, 0xd3, 0xe5, 0x4f, 0x3a, 0x60, 0x48, 0x59,
158 0x04, 0x93, 0x39, 0xd7, 0x7c, 0xfb, 0x19, 0x1a, 0x34, 0xd5, 0xe8, 0xaf,
159 0xe7, 0x22, 0x2c, 0x0d, 0xc2, 0x91, 0x69, 0xb6, 0xe9, 0x2a, 0xe9, 0x1c,
160 0x4c, 0x6e, 0x8f, 0x40, 0xf5, 0xa8, 0x3e, 0x82, 0x69, 0x69, 0xbe, 0x9f,
161 0x7d, 0x5c, 0x7f, 0x92, 0x78, 0x17, 0xa3, 0x6d, 0x41, 0x2d, 0x72, 0xed,
162 0x3f, 0x71, 0xfa, 0x97, 0xb4, 0x63, 0xe4, 0x4f, 0xd9, 0x46, 0x03, 0xfb,
163 0x00, 0xeb, 0x30, 0x70, 0xb9, 0x51, 0xd9, 0x0a, 0xd2, 0xf8, 0x50, 0xd4,
164 0xfb, 0x43, 0x84, 0xf8, 0xac, 0x58, 0xc3, 0x7b,
165 };
166 static const uint8_t kDModPMinusOne[] = {
167 0xf5, 0x50, 0x8f, 0x88, 0x7d, 0xdd, 0xb5, 0xb4, 0x2a, 0x8b, 0xd7, 0x4d,
168 0x23, 0xfe, 0xaf, 0xe9, 0x16, 0x22, 0xd2, 0x41, 0xed, 0x88, 0xf2, 0x70,
169 0xcb, 0x4d, 0xeb, 0xc1, 0x71, 0x97, 0xc4, 0x0b, 0x3e, 0x5a, 0x2d, 0x96,
170 0xab, 0xfa, 0xfd, 0x12, 0x8b, 0xd3, 0x3e, 0x4e, 0x05, 0x6f, 0x04, 0xeb,
171 0x59, 0x3c, 0x0e, 0xa1, 0x73, 0xbe, 0x9d, 0x99, 0x2f, 0x05, 0xf9, 0x54,
172 0x8d, 0x98, 0x1e, 0x0d, 0xc4, 0x0c, 0xc3, 0x30, 0x23, 0xff, 0xe5, 0xd0,
173 0x2b, 0xd5, 0x4e, 0x2b, 0xa0, 0xae, 0xb8, 0x32, 0x84, 0x45, 0x8b, 0x3c,
174 0x6d, 0xf0, 0x10, 0x36, 0x9e, 0x6a, 0xc4, 0x67, 0xca, 0xa9, 0xfc, 0x06,
175 0x96, 0xd0, 0xbc, 0xda, 0xd1, 0x55, 0x55, 0x8d, 0x77, 0x21, 0xf4, 0x82,
176 0x39, 0x37, 0x91, 0xd5, 0x97, 0x56, 0x78, 0xc8, 0x3c, 0xcb, 0x5e, 0xf6,
177 0xdc, 0x58, 0x48, 0xb3, 0x7c, 0x94, 0x29, 0x39,
178 };
179 static const uint8_t kDModQMinusOne[] = {
180 0x64, 0x65, 0xbd, 0x7d, 0x1a, 0x96, 0x26, 0xa1, 0xfe, 0xf3, 0x94, 0x0d,
181 0x5d, 0xec, 0x85, 0xe2, 0xf8, 0xb3, 0x4c, 0xcb, 0xf9, 0x85, 0x8b, 0x12,
182 0x9c, 0xa0, 0x32, 0x32, 0x35, 0x92, 0x5a, 0x94, 0x47, 0x1b, 0x70, 0xd2,
183 0x90, 0x04, 0x49, 0x01, 0xd8, 0xc5, 0xe4, 0xc4, 0x43, 0xb7, 0xe9, 0x36,
184 0xba, 0xbc, 0x73, 0xa8, 0xfb, 0xaf, 0x86, 0xc1, 0xd8, 0x3d, 0xcb, 0xac,
185 0xf1, 0xcb, 0x60, 0x7d, 0x27, 0x21, 0xde, 0x64, 0x7f, 0xe8, 0xa8, 0x65,
186 0xcc, 0x40, 0x60, 0xff, 0xa0, 0x2b, 0xfc, 0x0f, 0x80, 0x1d, 0x79, 0xca,
187 0x58, 0x8a, 0xd6, 0x0f, 0xed, 0x78, 0x9a, 0x02, 0x00, 0x04, 0xc2, 0x53,
188 0x41, 0xe8, 0x1a, 0xd0, 0xfd, 0x71, 0x5b, 0x43, 0xac, 0x19, 0x4a, 0xb6,
189 0x12, 0xa3, 0xcb, 0xe1, 0xc7, 0x7d, 0x5c, 0x98, 0x74, 0x4e, 0x63, 0x74,
190 0x6b, 0x91, 0x7a, 0x29, 0x3b, 0x92, 0xb2, 0x85,
191 };
192 static const uint8_t kQInverseModP[] = {
193 0xd0, 0xde, 0x19, 0xda, 0x1e, 0xa2, 0xd8, 0x8f, 0x1c, 0x92, 0x73, 0xb0,
194 0xc9, 0x90, 0xc7, 0xf5, 0xec, 0xc5, 0x89, 0x01, 0x05, 0x78, 0x11, 0x2d,
195 0x74, 0x34, 0x44, 0xad, 0xd5, 0xf7, 0xa4, 0xfe, 0x9f, 0x25, 0x4d, 0x0b,
196 0x92, 0xe3, 0xb8, 0x7d, 0xd3, 0xfd, 0xa5, 0xca, 0x95, 0x60, 0xa3, 0xf9,
197 0x55, 0x42, 0x14, 0xb2, 0x45, 0x51, 0x9f, 0x73, 0x88, 0x43, 0x8a, 0xd1,
198 0x65, 0x9e, 0xd1, 0xf7, 0x82, 0x2a, 0x2a, 0x8d, 0x70, 0x56, 0xe3, 0xef,
199 0xc9, 0x0e, 0x2a, 0x2c, 0x15, 0xaf, 0x7f, 0x97, 0x81, 0x66, 0xf3, 0xb5,
200 0x00, 0xa9, 0x26, 0xcc, 0x1e, 0xc2, 0x98, 0xdd, 0xd3, 0x37, 0x06, 0x79,
201 0xb3, 0x60, 0x58, 0x79, 0x99, 0x3f, 0xa3, 0x15, 0x1f, 0x31, 0xe3, 0x11,
202 0x88, 0x4c, 0x35, 0x57, 0xfa, 0x79, 0xd7, 0xd8, 0x72, 0xee, 0x73, 0x95,
203 0x89, 0x29, 0xc7, 0x05, 0x27, 0x68, 0x90, 0x15,
204 };
205
206 RSA *rsa = RSA_new();
207 if (rsa == NULL ||
208 !set_bignum(&rsa->n, kN, sizeof(kN)) ||
209 !set_bignum(&rsa->e, kE, sizeof(kE)) ||
210 !set_bignum(&rsa->d, kD, sizeof(kD)) ||
211 !set_bignum(&rsa->p, kP, sizeof(kP)) ||
212 !set_bignum(&rsa->q, kQ, sizeof(kQ)) ||
213 !set_bignum(&rsa->dmp1, kDModPMinusOne, sizeof(kDModPMinusOne)) ||
214 !set_bignum(&rsa->dmq1, kDModQMinusOne, sizeof(kDModQMinusOne)) ||
215 !set_bignum(&rsa->iqmp, kQInverseModP, sizeof(kQInverseModP))) {
216 RSA_free(rsa);
217 return NULL;
218 }
219
220 return rsa;
221 }
222
self_test_ecdsa_key(void)223 static EC_KEY *self_test_ecdsa_key(void) {
224 static const uint8_t kQx[] = {
225 0xc8, 0x15, 0x61, 0xec, 0xf2, 0xe5, 0x4e, 0xde, 0xfe, 0x66, 0x17,
226 0xdb, 0x1c, 0x7a, 0x34, 0xa7, 0x07, 0x44, 0xdd, 0xb2, 0x61, 0xf2,
227 0x69, 0xb8, 0x3d, 0xac, 0xfc, 0xd2, 0xad, 0xe5, 0xa6, 0x81,
228 };
229 static const uint8_t kQy[] = {
230 0xe0, 0xe2, 0xaf, 0xa3, 0xf9, 0xb6, 0xab, 0xe4, 0xc6, 0x98, 0xef,
231 0x64, 0x95, 0xf1, 0xbe, 0x49, 0xa3, 0x19, 0x6c, 0x50, 0x56, 0xac,
232 0xb3, 0x76, 0x3f, 0xe4, 0x50, 0x7e, 0xec, 0x59, 0x6e, 0x88,
233 };
234 static const uint8_t kD[] = {
235 0xc6, 0xc1, 0xaa, 0xda, 0x15, 0xb0, 0x76, 0x61, 0xf8, 0x14, 0x2c,
236 0x6c, 0xaf, 0x0f, 0xdb, 0x24, 0x1a, 0xff, 0x2e, 0xfe, 0x46, 0xc0,
237 0x93, 0x8b, 0x74, 0xf2, 0xbc, 0xc5, 0x30, 0x52, 0xb0, 0x77,
238 };
239
240 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
241 BIGNUM *qx = BN_bin2bn(kQx, sizeof(kQx), NULL);
242 BIGNUM *qy = BN_bin2bn(kQy, sizeof(kQy), NULL);
243 BIGNUM *d = BN_bin2bn(kD, sizeof(kD), NULL);
244 if (ec_key == NULL || qx == NULL || qy == NULL || d == NULL ||
245 !EC_KEY_set_public_key_affine_coordinates(ec_key, qx, qy) ||
246 !EC_KEY_set_private_key(ec_key, d)) {
247 EC_KEY_free(ec_key);
248 ec_key = NULL;
249 }
250
251 BN_free(qx);
252 BN_free(qy);
253 BN_free(d);
254 return ec_key;
255 }
256
self_test_dh(void)257 static DH *self_test_dh(void) {
258 DH *dh = DH_get_rfc7919_2048();
259 if (!dh) {
260 return NULL;
261 }
262
263 BIGNUM *priv = BN_new();
264 if (!priv) {
265 goto err;
266 }
267
268 // kFFDHE2048PrivateKeyData is a 225-bit value. (225 because that's the
269 // minimum private key size in
270 // https://tools.ietf.org/html/rfc7919#appendix-A.1.)
271 static const BN_ULONG kFFDHE2048PrivateKeyData[] = {
272 TOBN(0x187be36b, 0xd38a4fa1),
273 TOBN(0x0a152f39, 0x6458f3b8),
274 TOBN(0x0570187e, 0xc422eeb7),
275 TOBN(0x00000001, 0x91173f2a),
276 };
277
278 bn_set_static_words(priv, kFFDHE2048PrivateKeyData,
279 OPENSSL_ARRAY_SIZE(kFFDHE2048PrivateKeyData));
280
281 if (!DH_set0_key(dh, NULL, priv)) {
282 goto err;
283 }
284 return dh;
285
286 err:
287 BN_free(priv);
288 DH_free(dh);
289 return NULL;
290 }
291
292 #if defined(OPENSSL_ANDROID)
293 static const size_t kModuleDigestSize = SHA256_DIGEST_LENGTH;
294 #else
295 static const size_t kModuleDigestSize = SHA512_DIGEST_LENGTH;
296 #endif
297
boringssl_fips_self_test(const uint8_t * module_hash,size_t module_hash_len)298 int boringssl_fips_self_test(
299 const uint8_t *module_hash, size_t module_hash_len) {
300 #if defined(BORINGSSL_FIPS_SELF_TEST_FLAG_FILE)
301 char flag_path[sizeof(kFlagPrefix) + 2*kModuleDigestSize];
302 if (module_hash_len != 0) {
303 if (module_hash_len != kModuleDigestSize) {
304 fprintf(stderr,
305 "module hash of length %zu does not match expected length %zu\n",
306 module_hash_len, kModuleDigestSize);
307 BORINGSSL_FIPS_abort();
308 }
309
310 // Test whether the flag file exists.
311 memcpy(flag_path, kFlagPrefix, sizeof(kFlagPrefix) - 1);
312 static const char kHexTable[17] = "0123456789abcdef";
313 for (size_t i = 0; i < kModuleDigestSize; i++) {
314 flag_path[sizeof(kFlagPrefix) - 1 + 2 * i] =
315 kHexTable[module_hash[i] >> 4];
316 flag_path[sizeof(kFlagPrefix) - 1 + 2 * i + 1] =
317 kHexTable[module_hash[i] & 15];
318 }
319 flag_path[sizeof(flag_path) - 1] = 0;
320
321 if (access(flag_path, F_OK) == 0) {
322 // Flag file found. Skip self-tests.
323 return 1;
324 }
325 }
326 #endif // BORINGSSL_FIPS_SELF_TEST_FLAG_FILE
327
328 static const uint8_t kAESKey[16] = "BoringCrypto Key";
329 static const uint8_t kAESIV[16] = {0};
330 static const uint8_t kPlaintext[64] =
331 "BoringCryptoModule FIPS KAT Encryption and Decryption Plaintext!";
332 static const uint8_t kAESCBCCiphertext[64] = {
333 0x87, 0x2d, 0x98, 0xc2, 0xcc, 0x31, 0x5b, 0x41, 0xe0, 0xfa, 0x7b,
334 0x0a, 0x71, 0xc0, 0x42, 0xbf, 0x4f, 0x61, 0xd0, 0x0d, 0x58, 0x8c,
335 0xf7, 0x05, 0xfb, 0x94, 0x89, 0xd3, 0xbc, 0xaa, 0x1a, 0x50, 0x45,
336 0x1f, 0xc3, 0x8c, 0xb8, 0x98, 0x86, 0xa3, 0xe3, 0x6c, 0xfc, 0xad,
337 0x3a, 0xb5, 0x59, 0x27, 0x7d, 0x21, 0x07, 0xca, 0x4c, 0x1d, 0x55,
338 0x34, 0xdd, 0x5a, 0x2d, 0xc4, 0xb4, 0xf5, 0xa8,
339 #if !defined(BORINGSSL_FIPS_BREAK_AES_CBC)
340 0x35
341 #else
342 0x00
343 #endif
344 };
345 static const uint8_t kAESGCMCiphertext[80] = {
346 0x4a, 0xd8, 0xe7, 0x7d, 0x78, 0xd7, 0x7d, 0x5e, 0xb2, 0x11, 0xb6, 0xc9,
347 0xa4, 0xbc, 0xb2, 0xae, 0xbe, 0x93, 0xd1, 0xb7, 0xfe, 0x65, 0xc1, 0x82,
348 0x2a, 0xb6, 0x71, 0x5f, 0x1a, 0x7c, 0xe0, 0x1b, 0x2b, 0xe2, 0x53, 0xfa,
349 0xa0, 0x47, 0xfa, 0xd7, 0x8f, 0xb1, 0x4a, 0xc4, 0xdc, 0x89, 0xf9, 0xb4,
350 0x14, 0x4d, 0xde, 0x95, 0xea, 0x29, 0x69, 0x76, 0x81, 0xa3, 0x5c, 0x33,
351 0xd8, 0x37, 0xd8, 0xfa, 0x47, 0x19, 0x46, 0x2f, 0xf1, 0x90, 0xb7, 0x61,
352 0x8f, 0x6f, 0xdd, 0x31, 0x3f, 0x6a, 0x64,
353 #if !defined(BORINGSSL_FIPS_BREAK_AES_GCM)
354 0x0d
355 #else
356 0x00
357 #endif
358 };
359 static const DES_cblock kDESKey1 = {"BCMDESK1"};
360 static const DES_cblock kDESKey2 = {"BCMDESK2"};
361 static const DES_cblock kDESKey3 = {"BCMDESK3"};
362 static const DES_cblock kDESIV = {"BCMDESIV"};
363 static const uint8_t kDESCiphertext[64] = {
364 0xa4, 0x30, 0x7a, 0x4c, 0x1f, 0x60, 0x16, 0xd7, 0x4f, 0x41, 0xe1,
365 0xbb, 0x27, 0xc4, 0x27, 0x37, 0xd4, 0x7f, 0xb9, 0x10, 0xf8, 0xbc,
366 0xaf, 0x93, 0x91, 0xb8, 0x88, 0x24, 0xb1, 0xf6, 0xf8, 0xbd, 0x31,
367 0x96, 0x06, 0x76, 0xde, 0x32, 0xcd, 0x29, 0x29, 0xba, 0x70, 0x5f,
368 0xea, 0xc0, 0xcb, 0xde, 0xc7, 0x75, 0x90, 0xe0, 0x0f, 0x5e, 0x2c,
369 0x0d, 0x49, 0x20, 0xd5, 0x30, 0x83, 0xf8, 0x08,
370 #if !defined(BORINGSSL_FIPS_BREAK_DES)
371 0x5a
372 #else
373 0x00
374 #endif
375 };
376 static const uint8_t kPlaintextSHA1[20] = {
377 0xc6, 0xf8, 0xc9, 0x63, 0x1c, 0x14, 0x23, 0x62, 0x9b, 0xbd,
378 0x55, 0x82, 0xf4, 0xd6, 0x1d, 0xf2, 0xab, 0x7d, 0xc8,
379 #if !defined(BORINGSSL_FIPS_BREAK_SHA_1)
380 0x28
381 #else
382 0x00
383 #endif
384 };
385 static const uint8_t kPlaintextSHA256[32] = {
386 0x37, 0xbd, 0x70, 0x53, 0x72, 0xfc, 0xd4, 0x03, 0x79, 0x70, 0xfb,
387 0x06, 0x95, 0xb1, 0x2a, 0x82, 0x48, 0xe1, 0x3e, 0xf2, 0x33, 0xfb,
388 0xef, 0x29, 0x81, 0x22, 0x45, 0x40, 0x43, 0x70, 0xce,
389 #if !defined(BORINGSSL_FIPS_BREAK_SHA_256)
390 0x0f
391 #else
392 0x00
393 #endif
394 };
395 static const uint8_t kPlaintextSHA512[64] = {
396 0x08, 0x6a, 0x1c, 0x84, 0x61, 0x9d, 0x8e, 0xb3, 0xc0, 0x97, 0x4e,
397 0xa1, 0x9f, 0x9c, 0xdc, 0xaf, 0x3b, 0x5c, 0x31, 0xf0, 0xf2, 0x74,
398 0xc3, 0xbd, 0x6e, 0xd6, 0x1e, 0xb2, 0xbb, 0x34, 0x74, 0x72, 0x5c,
399 0x51, 0x29, 0x8b, 0x87, 0x3a, 0xa3, 0xf2, 0x25, 0x23, 0xd4, 0x1c,
400 0x82, 0x1b, 0xfe, 0xd3, 0xc6, 0xee, 0xb5, 0xd6, 0xaf, 0x07, 0x7b,
401 0x98, 0xca, 0xa7, 0x01, 0xf3, 0x94, 0xf3, 0x68,
402 #if !defined(BORINGSSL_FIPS_BREAK_SHA_512)
403 0x14
404 #else
405 0x00
406 #endif
407 };
408 static const uint8_t kRSASignature[256] = {
409 0x62, 0x66, 0x4b, 0xe3, 0xb1, 0xd2, 0x83, 0xf1, 0xa8, 0x56, 0x2b, 0x33,
410 0x60, 0x1e, 0xdb, 0x1e, 0x06, 0xf7, 0xa7, 0x1e, 0xa8, 0xef, 0x03, 0x4d,
411 0x0c, 0xf6, 0x83, 0x75, 0x7a, 0xf0, 0x14, 0xc7, 0xe2, 0x94, 0x3a, 0xb5,
412 0x67, 0x56, 0xa5, 0x48, 0x7f, 0x3a, 0xa5, 0xbf, 0xf7, 0x1d, 0x44, 0xa6,
413 0x34, 0xed, 0x9b, 0xd6, 0x51, 0xaa, 0x2c, 0x4e, 0xce, 0x60, 0x5f, 0xe9,
414 0x0e, 0xd5, 0xcd, 0xeb, 0x23, 0x27, 0xf8, 0xfb, 0x45, 0xe5, 0x34, 0x63,
415 0x77, 0x7f, 0x2e, 0x80, 0xcf, 0x9d, 0x2e, 0xfc, 0xe2, 0x50, 0x75, 0x29,
416 0x46, 0xf4, 0xaf, 0x91, 0xed, 0x36, 0xe1, 0x5e, 0xef, 0x66, 0xa1, 0xff,
417 0x27, 0xfc, 0x87, 0x7e, 0x60, 0x84, 0x0f, 0x54, 0x51, 0x56, 0x0f, 0x68,
418 0x99, 0xc0, 0x3f, 0xeb, 0xa5, 0xa0, 0x46, 0xb0, 0x86, 0x02, 0xb0, 0xc8,
419 0xe8, 0x46, 0x13, 0x06, 0xcd, 0xb7, 0x8a, 0xd0, 0x3b, 0x46, 0xd0, 0x14,
420 0x64, 0x53, 0x9b, 0x5b, 0x5e, 0x02, 0x45, 0xba, 0x6e, 0x7e, 0x0a, 0xb9,
421 0x9e, 0x62, 0xb7, 0xd5, 0x7a, 0x87, 0xea, 0xd3, 0x24, 0xa5, 0xef, 0xb3,
422 0xdc, 0x05, 0x9c, 0x04, 0x60, 0x4b, 0xde, 0xa8, 0x90, 0x08, 0x7b, 0x6a,
423 0x5f, 0xb4, 0x3f, 0xda, 0xc5, 0x1f, 0x6e, 0xd6, 0x15, 0xde, 0x65, 0xa4,
424 0x6e, 0x62, 0x9d, 0x8f, 0xa8, 0xbe, 0x86, 0xf6, 0x09, 0x90, 0x40, 0xa5,
425 0xf4, 0x23, 0xc5, 0xf6, 0x38, 0x86, 0x0d, 0x1c, 0xed, 0x4a, 0x0a, 0xae,
426 0xa4, 0x26, 0xc2, 0x2e, 0xd3, 0x13, 0x66, 0x61, 0xea, 0x35, 0x01, 0x0e,
427 0x13, 0xda, 0x78, 0x20, 0xae, 0x59, 0x5f, 0x9b, 0xa9, 0x6c, 0xf9, 0x1b,
428 0xdf, 0x76, 0x53, 0xc8, 0xa7, 0xf5, 0x63, 0x6d, 0xf3, 0xff, 0xfd, 0xaf,
429 0x75, 0x4b, 0xac, 0x67, 0xb1, 0x3c, 0xbf, 0x5e, 0xde, 0x73, 0x02, 0x6d,
430 0xd2, 0x0c, 0xb1,
431 #if !defined(BORINGSSL_FIPS_BREAK_RSA_SIG)
432 0x64
433 #else
434 0x00
435 #endif
436 };
437 const uint8_t kDRBGEntropy[48] =
438 "BCM Known Answer Test DBRG Initial Entropy ";
439 const uint8_t kDRBGPersonalization[18] = "BCMPersonalization";
440 const uint8_t kDRBGAD[16] = "BCM DRBG KAT AD ";
441 const uint8_t kDRBGOutput[64] = {
442 0x1d, 0x63, 0xdf, 0x05, 0x51, 0x49, 0x22, 0x46, 0xcd, 0x9b, 0xc5,
443 0xbb, 0xf1, 0x5d, 0x44, 0xae, 0x13, 0x78, 0xb1, 0xe4, 0x7c, 0xf1,
444 0x96, 0x33, 0x3d, 0x60, 0xb6, 0x29, 0xd4, 0xbb, 0x6b, 0x44, 0xf9,
445 0xef, 0xd9, 0xf4, 0xa2, 0xba, 0x48, 0xea, 0x39, 0x75, 0x59, 0x32,
446 0xf7, 0x31, 0x2c, 0x98, 0x14, 0x2b, 0x49, 0xdf, 0x02, 0xb6, 0x5d,
447 0x71, 0x09, 0x50, 0xdb, 0x23, 0xdb, 0xe5, 0x22,
448 #if !defined(BORINGSSL_FIPS_BREAK_DRBG)
449 0x95
450 #else
451 0x00
452 #endif
453 };
454 const uint8_t kDRBGEntropy2[48] =
455 "BCM Known Answer Test DBRG Reseed Entropy ";
456 const uint8_t kDRBGReseedOutput[64] = {
457 0xa4, 0x77, 0x05, 0xdb, 0x14, 0x11, 0x76, 0x71, 0x42, 0x5b, 0xd8,
458 0xd7, 0xa5, 0x4f, 0x8b, 0x39, 0xf2, 0x10, 0x4a, 0x50, 0x5b, 0xa2,
459 0xc8, 0xf0, 0xbb, 0x3e, 0xa1, 0xa5, 0x90, 0x7d, 0x54, 0xd9, 0xc6,
460 0xb0, 0x96, 0xc0, 0x2b, 0x7e, 0x9b, 0xc9, 0xa1, 0xdd, 0x78, 0x2e,
461 0xd5, 0xa8, 0x66, 0x16, 0xbd, 0x18, 0x3c, 0xf2, 0xaa, 0x7a, 0x2b,
462 0x37, 0xf9, 0xab, 0x35, 0x64, 0x15, 0x01, 0x3f, 0xc4,
463 };
464 const uint8_t kECDSASigR[32] = {
465 0x67, 0x80, 0xc5, 0xfc, 0x70, 0x27, 0x5e, 0x2c, 0x70, 0x61, 0xa0,
466 0xe7, 0x87, 0x7b, 0xb1, 0x74, 0xde, 0xad, 0xeb, 0x98, 0x87, 0x02,
467 0x7f, 0x3f, 0xa8, 0x36, 0x54, 0x15, 0x8b, 0xa7, 0xf5,
468 #if !defined(BORINGSSL_FIPS_BREAK_ECDSA_SIG)
469 0x0c,
470 #else
471 0x00,
472 #endif
473 };
474 const uint8_t kECDSASigS[32] = {
475 0xa5, 0x93, 0xe0, 0x23, 0x91, 0xe7, 0x4b, 0x8d, 0x77, 0x25, 0xa6,
476 0xba, 0x4d, 0xd9, 0x86, 0x77, 0xda, 0x7d, 0x8f, 0xef, 0xc4, 0x1a,
477 0xf0, 0xcc, 0x81, 0xe5, 0xea, 0x3f, 0xc2, 0x41, 0x7f, 0xd8,
478 };
479 // kP256Point is SHA256("Primitive Z Computation KAT")×G within P-256.
480 const uint8_t kP256Point[65] = {
481 0x04, 0x4e, 0xc1, 0x94, 0x8c, 0x5c, 0xf4, 0x37, 0x35, 0x0d, 0xa3,
482 0xf9, 0x55, 0xf9, 0x8b, 0x26, 0x23, 0x5c, 0x43, 0xe0, 0x83, 0x51,
483 0x2b, 0x0d, 0x4b, 0x56, 0x24, 0xc3, 0xe4, 0xa5, 0xa8, 0xe2, 0xe9,
484 0x95, 0xf2, 0xc4, 0xb9, 0xb7, 0x48, 0x7d, 0x2a, 0xae, 0xc5, 0xc0,
485 0x0a, 0xcc, 0x1b, 0xd0, 0xec, 0xb8, 0xdc, 0xbe, 0x0c, 0xbe, 0x52,
486 0x79, 0x93, 0x7c, 0x0b, 0x92, 0x2b, 0x7f, 0x17, 0xa5, 0x80,
487 };
488 // kP256Scalar is SHA256("Primitive Z Computation KAT scalar").
489 const uint8_t kP256Scalar[32] = {
490 0xe7, 0x60, 0x44, 0x91, 0x26, 0x9a, 0xfb, 0x5b, 0x10, 0x2d, 0x6e,
491 0xa5, 0x2c, 0xb5, 0x9f, 0xeb, 0x70, 0xae, 0xde, 0x6c, 0xe3, 0xbf,
492 0xb3, 0xe0, 0x10, 0x54, 0x85, 0xab, 0xd8, 0x61, 0xd7, 0x7b,
493 };
494 // kP256PointResult is |kP256Scalar|×|kP256Point|.
495 const uint8_t kP256PointResult[65] = {
496 0x04, 0xf1, 0x63, 0x00, 0x88, 0xc5, 0xd5, 0xe9, 0x05, 0x52, 0xac,
497 0xb6, 0xec, 0x68, 0x76, 0xb8, 0x73, 0x7f, 0x0f, 0x72, 0x34, 0xe6,
498 0xbb, 0x30, 0x32, 0x22, 0x37, 0xb6, 0x2a, 0x80, 0xe8, 0x9e, 0x6e,
499 0x6f, 0x36, 0x02, 0xe7, 0x21, 0xd2, 0x31, 0xdb, 0x94, 0x63, 0xb7,
500 0xd8, 0x19, 0x0e, 0xc2, 0xc0, 0xa7, 0x2f, 0x15, 0x49, 0x1a, 0xa2,
501 0x7c, 0x41, 0x8f, 0xaf, 0x9c, 0x40, 0xaf, 0x2e, 0x4a,
502 #if !defined(BORINGSSL_FIPS_BREAK_Z_COMPUTATION)
503 0x0c,
504 #else
505 0x00,
506 #endif
507 };
508 const uint8_t kTLSOutput[32] = {
509 0x67, 0x85, 0xde, 0x60, 0xfc, 0x0a, 0x83, 0xe9, 0xa2, 0x2a, 0xb3,
510 0xf0, 0x27, 0x0c, 0xba, 0xf7, 0xfa, 0x82, 0x3d, 0x14, 0x77, 0x1d,
511 0x86, 0x29, 0x79, 0x39, 0x77, 0x8a, 0xd5, 0x0e, 0x9d,
512 #if !defined(BORINGSSL_FIPS_BREAK_TLS_KDF)
513 0x32,
514 #else
515 0x00,
516 #endif
517 };
518 const uint8_t kTLSSecret[32] = {
519 0xbf, 0xe4, 0xb7, 0xe0, 0x26, 0x55, 0x5f, 0x6a, 0xdf, 0x5d, 0x27,
520 0xd6, 0x89, 0x99, 0x2a, 0xd6, 0xf7, 0x65, 0x66, 0x07, 0x4b, 0x55,
521 0x5f, 0x64, 0x55, 0xcd, 0xd5, 0x77, 0xa4, 0xc7, 0x09, 0x61,
522 };
523 const char kTLSLabel[] = "FIPS self test";
524 const uint8_t kTLSSeed1[16] = {
525 0x8f, 0x0d, 0xe8, 0xb6, 0x90, 0x8f, 0xb1, 0xd2,
526 0x6d, 0x51, 0xf4, 0x79, 0x18, 0x63, 0x51, 0x65,
527 };
528 const uint8_t kTLSSeed2[16] = {
529 0x7d, 0x24, 0x1a, 0x9d, 0x3c, 0x59, 0xbf, 0x3c,
530 0x31, 0x1e, 0x2b, 0x21, 0x41, 0x8d, 0x32, 0x81,
531 };
532
533 // kFFDHE2048PublicValueData is an arbitrary public value, mod
534 // kFFDHE2048Data. (The private key happens to be 4096.)
535 static const BN_ULONG kFFDHE2048PublicValueData[] = {
536 TOBN(0x187be36b, 0xd38a4fa1), TOBN(0x0a152f39, 0x6458f3b8),
537 TOBN(0x0570187e, 0xc422eeb7), TOBN(0x18af7482, 0x91173f2a),
538 TOBN(0xe9fdac6a, 0xcff4eaaa), TOBN(0xf6afebb7, 0x6e589d6c),
539 TOBN(0xf92f8e9a, 0xb7e33fb0), TOBN(0x70acf2aa, 0x4cf36ddd),
540 TOBN(0x561ab426, 0xd07137fd), TOBN(0x5f57d037, 0x430ee91e),
541 TOBN(0xe3e768c8, 0x60d10b8a), TOBN(0xb14884d8, 0xa18af8ce),
542 TOBN(0xf8a98014, 0xa12b74e4), TOBN(0x748d407c, 0x3437b7a8),
543 TOBN(0x627588c4, 0x9875d5a7), TOBN(0xdd24a127, 0x53c8f09d),
544 TOBN(0x85a997d5, 0x0cd51aec), TOBN(0x44f0c619, 0xce348458),
545 TOBN(0x9b894b24, 0x5f6b69a1), TOBN(0xae1302f2, 0xf6d4777e),
546 TOBN(0xe6678eeb, 0x375db18e), TOBN(0x2674e1d6, 0x4fbcbdc8),
547 TOBN(0xb297a823, 0x6fa93d28), TOBN(0x6a12fb70, 0x7c8c0510),
548 TOBN(0x5c6d1aeb, 0xdb06f65b), TOBN(0xe8c2954e, 0x4c1804ca),
549 TOBN(0x06bdeac1, 0xf5500fa7), TOBN(0x6a315604, 0x189cd76b),
550 TOBN(0xbae7b0b3, 0x6e362dc0), TOBN(0xa57c73bd, 0xdc70fb82),
551 TOBN(0xfaff50d2, 0x9d573457), TOBN(0x352bd399, 0xbe84058e),
552 };
553
554 const uint8_t kDHOutput[2048 / 8] = {
555 0x2a, 0xe6, 0xd3, 0xa6, 0x13, 0x58, 0x8e, 0xce, 0x53, 0xaa, 0xf6, 0x5d,
556 0x9a, 0xae, 0x02, 0x12, 0xf5, 0x80, 0x3d, 0x06, 0x09, 0x76, 0xac, 0x57,
557 0x37, 0x9e, 0xab, 0x38, 0x62, 0x25, 0x05, 0x1d, 0xf3, 0xa9, 0x39, 0x60,
558 0xf6, 0xae, 0x90, 0xed, 0x1e, 0xad, 0x6e, 0xe9, 0xe3, 0xba, 0x27, 0xf6,
559 0xdb, 0x54, 0xdf, 0xe2, 0xbd, 0xbb, 0x7f, 0xf1, 0x81, 0xac, 0x1a, 0xfa,
560 0xdb, 0x87, 0x07, 0x98, 0x76, 0x90, 0x21, 0xf2, 0xae, 0xda, 0x0d, 0x84,
561 0x97, 0x64, 0x0b, 0xbf, 0xb8, 0x8d, 0x10, 0x46, 0xe2, 0xd5, 0xca, 0x1b,
562 0xbb, 0xe5, 0x37, 0xb2, 0x3b, 0x35, 0xd3, 0x1b, 0x65, 0xea, 0xae, 0xf2,
563 0x03, 0xe2, 0xb6, 0xde, 0x22, 0xb7, 0x86, 0x49, 0x79, 0xfe, 0xd7, 0x16,
564 0xf7, 0xdc, 0x9c, 0x59, 0xf5, 0xb7, 0x70, 0xc0, 0x53, 0x42, 0x6f, 0xb1,
565 0xd2, 0x4e, 0x00, 0x25, 0x4b, 0x2d, 0x5a, 0x9b, 0xd0, 0xe9, 0x27, 0x43,
566 0xcc, 0x00, 0x66, 0xea, 0x94, 0x7a, 0x0b, 0xb9, 0x89, 0x0c, 0x5e, 0x94,
567 0xb8, 0x3a, 0x78, 0x9c, 0x4d, 0x84, 0xe6, 0x32, 0x2c, 0x38, 0x7c, 0xf7,
568 0x43, 0x9c, 0xd8, 0xb8, 0x1c, 0xce, 0x24, 0x91, 0x20, 0x67, 0x7a, 0x54,
569 0x1f, 0x7e, 0x86, 0x7f, 0xa1, 0xc1, 0x03, 0x4e, 0x2c, 0x26, 0x71, 0xb2,
570 0x06, 0x30, 0xb3, 0x6c, 0x15, 0xcc, 0xac, 0x25, 0xe5, 0x37, 0x3f, 0x24,
571 0x8f, 0x2a, 0x89, 0x5e, 0x3d, 0x43, 0x94, 0xc9, 0x36, 0xae, 0x40, 0x00,
572 0x6a, 0x0d, 0xb0, 0x6e, 0x8b, 0x2e, 0x70, 0x57, 0xe1, 0x88, 0x53, 0xd6,
573 0x06, 0x80, 0x2a, 0x4e, 0x5a, 0xf0, 0x1e, 0xaa, 0xcb, 0xab, 0x06, 0x0e,
574 0x27, 0x0f, 0xd9, 0x88, 0xd9, 0x01, 0xe3, 0x07, 0xeb, 0xdf, 0xc3, 0x12,
575 0xe3, 0x40, 0x88, 0x7b, 0x5f, 0x59, 0x78, 0x6e, 0x26, 0x20, 0xc3, 0xdf,
576 0xc8, 0xe4, 0x5e,
577 #if !defined(BORINGSSL_FIPS_BREAK_FFC_DH)
578 0xb8,
579 #else
580 0x00,
581 #endif
582 };
583
584 EVP_AEAD_CTX aead_ctx;
585 EVP_AEAD_CTX_zero(&aead_ctx);
586 RSA *rsa_key = NULL;
587 EC_KEY *ec_key = NULL;
588 EC_GROUP *ec_group = NULL;
589 EC_POINT *ec_point_in = NULL;
590 EC_POINT *ec_point_out = NULL;
591 BIGNUM *ec_scalar = NULL;
592 ECDSA_SIG *sig = NULL;
593 int ret = 0;
594
595 AES_KEY aes_key;
596 uint8_t aes_iv[16];
597 uint8_t output[256];
598
599 // AES-CBC Encryption KAT
600 memcpy(aes_iv, kAESIV, sizeof(kAESIV));
601 if (AES_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) {
602 fprintf(stderr, "AES_set_encrypt_key failed.\n");
603 goto err;
604 }
605 AES_cbc_encrypt(kPlaintext, output, sizeof(kPlaintext), &aes_key, aes_iv,
606 AES_ENCRYPT);
607 if (!check_test(kAESCBCCiphertext, output, sizeof(kAESCBCCiphertext),
608 "AES-CBC Encryption KAT")) {
609 goto err;
610 }
611
612 // AES-CBC Decryption KAT
613 memcpy(aes_iv, kAESIV, sizeof(kAESIV));
614 if (AES_set_decrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) {
615 fprintf(stderr, "AES_set_decrypt_key failed.\n");
616 goto err;
617 }
618 AES_cbc_encrypt(kAESCBCCiphertext, output, sizeof(kAESCBCCiphertext),
619 &aes_key, aes_iv, AES_DECRYPT);
620 if (!check_test(kPlaintext, output, sizeof(kPlaintext),
621 "AES-CBC Decryption KAT")) {
622 goto err;
623 }
624
625 size_t out_len;
626 uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
627 OPENSSL_memset(nonce, 0, sizeof(nonce));
628 if (!EVP_AEAD_CTX_init(&aead_ctx, EVP_aead_aes_128_gcm(), kAESKey,
629 sizeof(kAESKey), 0, NULL)) {
630 fprintf(stderr, "EVP_AEAD_CTX_init for AES-128-GCM failed.\n");
631 goto err;
632 }
633
634 // AES-GCM Encryption KAT
635 if (!EVP_AEAD_CTX_seal(&aead_ctx, output, &out_len, sizeof(output), nonce,
636 EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()),
637 kPlaintext, sizeof(kPlaintext), NULL, 0) ||
638 !check_test(kAESGCMCiphertext, output, sizeof(kAESGCMCiphertext),
639 "AES-GCM Encryption KAT")) {
640 fprintf(stderr, "EVP_AEAD_CTX_seal for AES-128-GCM failed.\n");
641 goto err;
642 }
643
644 // AES-GCM Decryption KAT
645 if (!EVP_AEAD_CTX_open(&aead_ctx, output, &out_len, sizeof(output), nonce,
646 EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()),
647 kAESGCMCiphertext, sizeof(kAESGCMCiphertext), NULL,
648 0) ||
649 !check_test(kPlaintext, output, sizeof(kPlaintext),
650 "AES-GCM Decryption KAT")) {
651 fprintf(stderr, "EVP_AEAD_CTX_open for AES-128-GCM failed.\n");
652 goto err;
653 }
654
655 DES_key_schedule des1, des2, des3;
656 DES_cblock des_iv;
657 DES_set_key(&kDESKey1, &des1);
658 DES_set_key(&kDESKey2, &des2);
659 DES_set_key(&kDESKey3, &des3);
660
661 // 3DES Encryption KAT
662 memcpy(&des_iv, &kDESIV, sizeof(des_iv));
663 DES_ede3_cbc_encrypt(kPlaintext, output, sizeof(kPlaintext), &des1, &des2,
664 &des3, &des_iv, DES_ENCRYPT);
665 if (!check_test(kDESCiphertext, output, sizeof(kDESCiphertext),
666 "3DES Encryption KAT")) {
667 goto err;
668 }
669
670 // 3DES Decryption KAT
671 memcpy(&des_iv, &kDESIV, sizeof(des_iv));
672 DES_ede3_cbc_encrypt(kDESCiphertext, output, sizeof(kDESCiphertext), &des1,
673 &des2, &des3, &des_iv, DES_DECRYPT);
674 if (!check_test(kPlaintext, output, sizeof(kPlaintext),
675 "3DES Decryption KAT")) {
676 goto err;
677 }
678
679 // SHA-1 KAT
680 SHA1(kPlaintext, sizeof(kPlaintext), output);
681 if (!check_test(kPlaintextSHA1, output, sizeof(kPlaintextSHA1),
682 "SHA-1 KAT")) {
683 goto err;
684 }
685
686 // SHA-256 KAT
687 SHA256(kPlaintext, sizeof(kPlaintext), output);
688 if (!check_test(kPlaintextSHA256, output, sizeof(kPlaintextSHA256),
689 "SHA-256 KAT")) {
690 goto err;
691 }
692
693 // SHA-512 KAT
694 SHA512(kPlaintext, sizeof(kPlaintext), output);
695 if (!check_test(kPlaintextSHA512, output, sizeof(kPlaintextSHA512),
696 "SHA-512 KAT")) {
697 goto err;
698 }
699
700 rsa_key = self_test_rsa_key();
701 if (rsa_key == NULL) {
702 fprintf(stderr, "RSA KeyGen failed\n");
703 goto err;
704 }
705
706 // RSA Sign KAT
707 unsigned sig_len;
708
709 // Disable blinding for the power-on tests because it's not needed and
710 // triggers an entropy draw.
711 rsa_key->flags |= RSA_FLAG_NO_BLINDING;
712
713 if (!RSA_sign(NID_sha256, kPlaintextSHA256, sizeof(kPlaintextSHA256), output,
714 &sig_len, rsa_key) ||
715 !check_test(kRSASignature, output, sizeof(kRSASignature),
716 "RSA Sign KAT")) {
717 fprintf(stderr, "RSA signing test failed.\n");
718 goto err;
719 }
720
721 // RSA Verify KAT
722 if (!RSA_verify(NID_sha256, kPlaintextSHA256, sizeof(kPlaintextSHA256),
723 kRSASignature, sizeof(kRSASignature), rsa_key)) {
724 fprintf(stderr, "RSA Verify KAT failed.\n");
725 goto err;
726 }
727
728 ec_key = self_test_ecdsa_key();
729 if (ec_key == NULL) {
730 fprintf(stderr, "ECDSA KeyGen failed\n");
731 goto err;
732 }
733
734 // ECDSA Sign/Verify KAT
735
736 // The 'k' value for ECDSA is fixed to avoid an entropy draw.
737 uint8_t ecdsa_k[32] = {0};
738 ecdsa_k[31] = 42;
739
740 sig = ecdsa_sign_with_nonce_for_known_answer_test(
741 kPlaintextSHA256, sizeof(kPlaintextSHA256), ec_key, ecdsa_k,
742 sizeof(ecdsa_k));
743
744 uint8_t ecdsa_r_bytes[sizeof(kECDSASigR)];
745 uint8_t ecdsa_s_bytes[sizeof(kECDSASigS)];
746 if (sig == NULL ||
747 BN_num_bytes(sig->r) != sizeof(ecdsa_r_bytes) ||
748 !BN_bn2bin(sig->r, ecdsa_r_bytes) ||
749 BN_num_bytes(sig->s) != sizeof(ecdsa_s_bytes) ||
750 !BN_bn2bin(sig->s, ecdsa_s_bytes) ||
751 !check_test(kECDSASigR, ecdsa_r_bytes, sizeof(kECDSASigR), "ECDSA R") ||
752 !check_test(kECDSASigS, ecdsa_s_bytes, sizeof(kECDSASigS), "ECDSA S")) {
753 fprintf(stderr, "ECDSA signature KAT failed.\n");
754 goto err;
755 }
756
757 if (!ECDSA_do_verify(kPlaintextSHA256, sizeof(kPlaintextSHA256), sig,
758 ec_key)) {
759 fprintf(stderr, "ECDSA verification KAT failed.\n");
760 goto err;
761 }
762
763 // Primitive Z Computation KAT (IG 9.6).
764 ec_group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
765 if (ec_group == NULL) {
766 fprintf(stderr, "Failed to create P-256 group.\n");
767 goto err;
768 }
769 ec_point_in = EC_POINT_new(ec_group);
770 ec_point_out = EC_POINT_new(ec_group);
771 ec_scalar = BN_new();
772 uint8_t z_comp_result[65];
773 if (ec_point_in == NULL || ec_point_out == NULL || ec_scalar == NULL ||
774 !EC_POINT_oct2point(ec_group, ec_point_in, kP256Point, sizeof(kP256Point),
775 NULL) ||
776 !BN_bin2bn(kP256Scalar, sizeof(kP256Scalar), ec_scalar) ||
777 !EC_POINT_mul(ec_group, ec_point_out, NULL, ec_point_in, ec_scalar,
778 NULL) ||
779 !EC_POINT_point2oct(ec_group, ec_point_out, POINT_CONVERSION_UNCOMPRESSED,
780 z_comp_result, sizeof(z_comp_result), NULL) ||
781 !check_test(kP256PointResult, z_comp_result, sizeof(z_comp_result),
782 "Z Computation Result")) {
783 fprintf(stderr, "Z Computation KAT failed.\n");
784 goto err;
785 }
786
787 // FFC Diffie-Hellman KAT
788
789 BIGNUM *const ffdhe2048_value = BN_new();
790 DH *const dh = self_test_dh();
791 int dh_ok = 0;
792 if (ffdhe2048_value && dh) {
793 bn_set_static_words(ffdhe2048_value, kFFDHE2048PublicValueData,
794 OPENSSL_ARRAY_SIZE(kFFDHE2048PublicValueData));
795
796 uint8_t dh_out[sizeof(kDHOutput)];
797 dh_ok =
798 sizeof(dh_out) == DH_size(dh) &&
799 DH_compute_key_padded(dh_out, ffdhe2048_value, dh) == sizeof(dh_out) &&
800 check_test(kDHOutput, dh_out, sizeof(dh_out), "FFC DH");
801 }
802
803 BN_free(ffdhe2048_value);
804 DH_free(dh);
805 if (!dh_ok) {
806 fprintf(stderr, "FFDH failed.\n");
807 goto err;
808 }
809
810 // DBRG KAT
811 CTR_DRBG_STATE drbg;
812 if (!CTR_DRBG_init(&drbg, kDRBGEntropy, kDRBGPersonalization,
813 sizeof(kDRBGPersonalization)) ||
814 !CTR_DRBG_generate(&drbg, output, sizeof(kDRBGOutput), kDRBGAD,
815 sizeof(kDRBGAD)) ||
816 !check_test(kDRBGOutput, output, sizeof(kDRBGOutput),
817 "DBRG Generate KAT") ||
818 !CTR_DRBG_reseed(&drbg, kDRBGEntropy2, kDRBGAD, sizeof(kDRBGAD)) ||
819 !CTR_DRBG_generate(&drbg, output, sizeof(kDRBGReseedOutput), kDRBGAD,
820 sizeof(kDRBGAD)) ||
821 !check_test(kDRBGReseedOutput, output, sizeof(kDRBGReseedOutput),
822 "DRBG Reseed KAT")) {
823 fprintf(stderr, "CTR-DRBG failed.\n");
824 goto err;
825 }
826 CTR_DRBG_clear(&drbg);
827
828 CTR_DRBG_STATE kZeroDRBG;
829 memset(&kZeroDRBG, 0, sizeof(kZeroDRBG));
830 if (!check_test(&kZeroDRBG, &drbg, sizeof(drbg), "DRBG Clear KAT")) {
831 goto err;
832 }
833
834 // TLS KDF KAT
835 uint8_t tls_output[sizeof(kTLSOutput)];
836 if (!CRYPTO_tls1_prf(EVP_sha256(), tls_output, sizeof(tls_output), kTLSSecret,
837 sizeof(kTLSSecret), kTLSLabel, sizeof(kTLSLabel),
838 kTLSSeed1, sizeof(kTLSSeed1), kTLSSeed2,
839 sizeof(kTLSSeed2)) ||
840 !check_test(kTLSOutput, tls_output, sizeof(kTLSOutput), "TLS KDF KAT")) {
841 fprintf(stderr, "TLS KDF failed.\n");
842 goto err;
843 }
844
845 ret = 1;
846
847 #if defined(BORINGSSL_FIPS_SELF_TEST_FLAG_FILE)
848 // Tests were successful. Write flag file if requested.
849 if (module_hash_len != 0 && getenv(kFlagWriteEnableEnvVar) != NULL) {
850 const int fd = open(flag_path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
851 if (fd >= 0) {
852 close(fd);
853 }
854 }
855 #endif // BORINGSSL_FIPS_SELF_TEST_FLAG_FILE
856
857 err:
858 EVP_AEAD_CTX_cleanup(&aead_ctx);
859 RSA_free(rsa_key);
860 EC_KEY_free(ec_key);
861 EC_POINT_free(ec_point_in);
862 EC_POINT_free(ec_point_out);
863 EC_GROUP_free(ec_group);
864 BN_free(ec_scalar);
865 ECDSA_SIG_free(sig);
866
867 return ret;
868 }
869
BORINGSSL_self_test(void)870 int BORINGSSL_self_test(void) {
871 return boringssl_fips_self_test(NULL, 0);
872 }
873
874 #endif // !_MSC_VER
875