1 /* Copyright (c) 2017, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/crypto.h>
16
17 #include <stdio.h>
18 #include <stdlib.h>
19
20 #include <openssl/aead.h>
21 #include <openssl/aes.h>
22 #include <openssl/bn.h>
23 #include <openssl/ctrdrbg.h>
24 #include <openssl/dh.h>
25 #include <openssl/digest.h>
26 #include <openssl/ec.h>
27 #include <openssl/ecdsa.h>
28 #include <openssl/ec_key.h>
29 #include <openssl/hkdf.h>
30 #include <openssl/hmac.h>
31 #include <openssl/nid.h>
32 #include <openssl/rsa.h>
33 #include <openssl/sha.h>
34
35 #include "../../internal.h"
36 #include "../dh/internal.h"
37 #include "../ec/internal.h"
38 #include "../ecdsa/internal.h"
39 #include "../rand/internal.h"
40 #include "../rsa/internal.h"
41 #include "../service_indicator/internal.h"
42 #include "../tls/internal.h"
43
44
45 // MSVC wants to put a NUL byte at the end of non-char arrays and so cannot
46 // compile the real logic.
47 #if defined(_MSC_VER)
48
BORINGSSL_self_test(void)49 int BORINGSSL_self_test(void) {
50 return 0;
51 }
52
53 #else
54
hexdump(const uint8_t * in,size_t len)55 static void hexdump(const uint8_t *in, size_t len) {
56 for (size_t i = 0; i < len; i++) {
57 fprintf(stderr, "%02x", in[i]);
58 }
59 }
60
check_test(const void * expected,const void * actual,size_t expected_len,const char * name)61 static int check_test(const void *expected, const void *actual,
62 size_t expected_len, const char *name) {
63 if (OPENSSL_memcmp(actual, expected, expected_len) != 0) {
64 fprintf(stderr, "%s failed.\nExpected: ", name);
65 hexdump(expected, expected_len);
66 fprintf(stderr, "\nCalculated: ");
67 hexdump(actual, expected_len);
68 fprintf(stderr, "\n");
69 fflush(stderr);
70 return 0;
71 }
72 return 1;
73 }
74
set_bignum(BIGNUM ** out,const uint8_t * in,size_t len)75 static int set_bignum(BIGNUM **out, const uint8_t *in, size_t len) {
76 *out = BN_bin2bn(in, len, NULL);
77 return *out != NULL;
78 }
79
serialize_ecdsa_sig(uint8_t * out,size_t out_len,const ECDSA_SIG * sig)80 static int serialize_ecdsa_sig(uint8_t *out, size_t out_len,
81 const ECDSA_SIG *sig) {
82 if ((out_len & 1) || //
83 !BN_bn2bin_padded(out, out_len / 2, sig->r) ||
84 !BN_bn2bin_padded(out + out_len / 2, out_len / 2, sig->s)) {
85 return 0;
86 }
87 return 1;
88 }
89
parse_ecdsa_sig(const uint8_t * in,size_t in_len)90 static ECDSA_SIG *parse_ecdsa_sig(const uint8_t *in, size_t in_len) {
91 ECDSA_SIG *ret = ECDSA_SIG_new();
92 if (!ret || //
93 (in_len & 1) ||
94 BN_bin2bn(in, in_len/2, ret->r) == NULL ||
95 BN_bin2bn(in + in_len/2, in_len/2, ret->s) == NULL) {
96 ECDSA_SIG_free(ret);
97 ret = NULL;
98 }
99 return ret;
100 }
101
self_test_rsa_key(void)102 static RSA *self_test_rsa_key(void) {
103 static const uint8_t kN[] = {
104 0xd3, 0x3a, 0x62, 0x9f, 0x07, 0x77, 0xb0, 0x18, 0xf3, 0xff, 0xfe, 0xcc,
105 0xc9, 0xa2, 0xc2, 0x3a, 0xa6, 0x1d, 0xd8, 0xf0, 0x26, 0x5b, 0x38, 0x90,
106 0x17, 0x48, 0x15, 0xce, 0x21, 0xcd, 0xd6, 0x62, 0x99, 0xe2, 0xd7, 0xda,
107 0x40, 0x80, 0x3c, 0xad, 0x18, 0xb7, 0x26, 0xe9, 0x30, 0x8a, 0x23, 0x3f,
108 0x68, 0x9a, 0x9c, 0x31, 0x34, 0x91, 0x99, 0x06, 0x11, 0x36, 0xb2, 0x9e,
109 0x3a, 0xd0, 0xbc, 0xb9, 0x93, 0x4e, 0xb8, 0x72, 0xa1, 0x9f, 0xb6, 0x8c,
110 0xd5, 0x17, 0x1f, 0x7e, 0xaa, 0x75, 0xbb, 0xdf, 0xa1, 0x70, 0x48, 0xc4,
111 0xec, 0x9a, 0x51, 0xed, 0x41, 0xc9, 0x74, 0xc0, 0x3e, 0x1e, 0x85, 0x2f,
112 0xbe, 0x34, 0xc7, 0x65, 0x34, 0x8b, 0x4d, 0x55, 0x4b, 0xe1, 0x45, 0x54,
113 0x0d, 0x75, 0x7e, 0x89, 0x4d, 0x0c, 0xf6, 0x33, 0xe5, 0xfc, 0xfb, 0x56,
114 0x1b, 0xf2, 0x39, 0x9d, 0xe0, 0xff, 0x55, 0xcf, 0x02, 0x05, 0xb9, 0x74,
115 0xd2, 0x91, 0xfc, 0x87, 0xe1, 0xbb, 0x97, 0x2a, 0xe4, 0xdd, 0x20, 0xc0,
116 0x38, 0x47, 0xc0, 0x76, 0x3f, 0xa1, 0x9b, 0x5c, 0x20, 0xff, 0xff, 0xc7,
117 0x49, 0x3b, 0x4c, 0xaf, 0x99, 0xa6, 0x3e, 0x82, 0x5c, 0x58, 0x27, 0xce,
118 0x01, 0x03, 0xc3, 0x16, 0x35, 0x20, 0xe9, 0xf0, 0x15, 0x7a, 0x41, 0xd5,
119 0x1f, 0x52, 0xea, 0xdf, 0xad, 0x4c, 0xbb, 0x0d, 0xcb, 0x04, 0x91, 0xb0,
120 0x95, 0xa8, 0xce, 0x25, 0xfd, 0xd2, 0x62, 0x47, 0x77, 0xee, 0x13, 0xf1,
121 0x48, 0x72, 0x9e, 0xd9, 0x2d, 0xe6, 0x5f, 0xa4, 0xc6, 0x9e, 0x5a, 0xb2,
122 0xc6, 0xa2, 0xf7, 0x0a, 0x16, 0x17, 0xae, 0x6b, 0x1c, 0x30, 0x7c, 0x63,
123 0x08, 0x83, 0xe7, 0x43, 0xec, 0x54, 0x5e, 0x2c, 0x08, 0x0b, 0x5e, 0x46,
124 0xa7, 0x10, 0x93, 0x43, 0x53, 0x4e, 0xe3, 0x16, 0x73, 0x55, 0xce, 0xf2,
125 0x94, 0xc0, 0xbe, 0xb3,
126 };
127 static const uint8_t kE[] = {0x01, 0x00, 0x01}; // 65537
128 static const uint8_t kD[] = {
129 0x2f, 0x2c, 0x1e, 0xd2, 0x3d, 0x2c, 0xb1, 0x9b, 0x21, 0x02, 0xce, 0xb8,
130 0x95, 0x5f, 0x4f, 0xd9, 0x21, 0x38, 0x11, 0x36, 0xb0, 0x9a, 0x36, 0xab,
131 0x97, 0x47, 0x75, 0xf7, 0x2e, 0xfd, 0x75, 0x1f, 0x58, 0x16, 0x9c, 0xf6,
132 0x14, 0xe9, 0x8e, 0xa3, 0x69, 0x9d, 0x9d, 0x86, 0xfe, 0x5c, 0x1b, 0x3b,
133 0x11, 0xf5, 0x55, 0x64, 0x77, 0xc4, 0xfc, 0x53, 0xaa, 0x8c, 0x78, 0x9f,
134 0x75, 0xab, 0x20, 0x3a, 0xa1, 0x77, 0x37, 0x22, 0x02, 0x8e, 0x54, 0x8a,
135 0x67, 0x1c, 0x5e, 0xe0, 0x3e, 0xd9, 0x44, 0x37, 0xd1, 0x29, 0xee, 0x56,
136 0x6c, 0x30, 0x9a, 0x93, 0x4d, 0xd9, 0xdb, 0xc5, 0x03, 0x1a, 0x75, 0xcc,
137 0x0f, 0xc2, 0x61, 0xb5, 0x6c, 0x62, 0x9f, 0xc6, 0xa8, 0xc7, 0x8a, 0x60,
138 0x17, 0x11, 0x62, 0x4c, 0xef, 0x74, 0x31, 0x97, 0xad, 0x89, 0x2d, 0xe8,
139 0x31, 0x1d, 0x8b, 0x58, 0x82, 0xe3, 0x03, 0x1a, 0x6b, 0xdf, 0x3f, 0x3e,
140 0xa4, 0x27, 0x19, 0xef, 0x46, 0x7a, 0x90, 0xdf, 0xa7, 0xe7, 0xc9, 0x66,
141 0xab, 0x41, 0x1d, 0x65, 0x78, 0x1c, 0x18, 0x40, 0x5c, 0xd6, 0x87, 0xb5,
142 0xea, 0x29, 0x44, 0xb3, 0xf5, 0xb3, 0xd2, 0x4f, 0xce, 0x88, 0x78, 0x49,
143 0x27, 0x4e, 0x0b, 0x30, 0x85, 0xfb, 0x73, 0xfd, 0x8b, 0x32, 0x15, 0xee,
144 0x1f, 0xc9, 0x0e, 0x89, 0xb9, 0x43, 0x2f, 0xe9, 0x60, 0x8d, 0xda, 0xae,
145 0x2b, 0x30, 0x99, 0xee, 0x88, 0x81, 0x20, 0x7b, 0x4a, 0xc3, 0x18, 0xf2,
146 0x94, 0x02, 0x79, 0x94, 0xaa, 0x65, 0xd9, 0x1b, 0x45, 0x2a, 0xac, 0x6e,
147 0x30, 0x48, 0x57, 0xea, 0xbe, 0x79, 0x7d, 0xfc, 0x67, 0xaa, 0x47, 0xc0,
148 0xf7, 0x52, 0xfd, 0x0b, 0x63, 0x4e, 0x3d, 0x2e, 0xcc, 0x36, 0xa0, 0xdb,
149 0x92, 0x0b, 0xa9, 0x1b, 0xeb, 0xc2, 0xd5, 0x08, 0xd3, 0x85, 0x87, 0xf8,
150 0x5d, 0x1a, 0xf6, 0xc1,
151 };
152 static const uint8_t kP[] = {
153 0xf7, 0x06, 0xa3, 0x98, 0x8a, 0x52, 0xf8, 0x63, 0x68, 0x27, 0x4f, 0x68,
154 0x7f, 0x34, 0xec, 0x8e, 0x5d, 0xf8, 0x30, 0x92, 0xb3, 0x62, 0x4c, 0xeb,
155 0xdb, 0x19, 0x6b, 0x09, 0xc5, 0xa3, 0xf0, 0xbb, 0xff, 0x0f, 0xc2, 0xd4,
156 0x9b, 0xc9, 0x54, 0x4f, 0xb9, 0xf9, 0xe1, 0x4c, 0xf0, 0xe3, 0x4c, 0x90,
157 0xda, 0x7a, 0x01, 0xc2, 0x9f, 0xc4, 0xc8, 0x8e, 0xb1, 0x1e, 0x93, 0x75,
158 0x75, 0xc6, 0x13, 0x25, 0xc3, 0xee, 0x3b, 0xcc, 0xb8, 0x72, 0x6c, 0x49,
159 0xb0, 0x09, 0xfb, 0xab, 0x44, 0xeb, 0x4d, 0x40, 0xf0, 0x61, 0x6b, 0xe5,
160 0xe6, 0xfe, 0x3e, 0x0a, 0x77, 0x26, 0x39, 0x76, 0x3d, 0x4c, 0x3e, 0x9b,
161 0x5b, 0xc0, 0xaf, 0xa2, 0x58, 0x76, 0xb0, 0xe9, 0xda, 0x7f, 0x0e, 0x78,
162 0xc9, 0x76, 0x49, 0x5c, 0xfa, 0xb3, 0xb0, 0x15, 0x4b, 0x41, 0xc7, 0x27,
163 0xa4, 0x75, 0x28, 0x5c, 0x30, 0x69, 0x50, 0x29,
164 };
165 static const uint8_t kQ[] = {
166 0xda, 0xe6, 0xd2, 0xbb, 0x44, 0xff, 0x4f, 0xdf, 0x57, 0xc1, 0x11, 0xa3,
167 0x51, 0xba, 0x17, 0x89, 0x4c, 0x01, 0xc0, 0x0c, 0x97, 0x34, 0x50, 0xcf,
168 0x32, 0x1e, 0xc0, 0xbd, 0x7b, 0x35, 0xb5, 0x6a, 0x26, 0xcc, 0xea, 0x4c,
169 0x8e, 0x87, 0x4a, 0x67, 0x8b, 0xd3, 0xe5, 0x4f, 0x3a, 0x60, 0x48, 0x59,
170 0x04, 0x93, 0x39, 0xd7, 0x7c, 0xfb, 0x19, 0x1a, 0x34, 0xd5, 0xe8, 0xaf,
171 0xe7, 0x22, 0x2c, 0x0d, 0xc2, 0x91, 0x69, 0xb6, 0xe9, 0x2a, 0xe9, 0x1c,
172 0x4c, 0x6e, 0x8f, 0x40, 0xf5, 0xa8, 0x3e, 0x82, 0x69, 0x69, 0xbe, 0x9f,
173 0x7d, 0x5c, 0x7f, 0x92, 0x78, 0x17, 0xa3, 0x6d, 0x41, 0x2d, 0x72, 0xed,
174 0x3f, 0x71, 0xfa, 0x97, 0xb4, 0x63, 0xe4, 0x4f, 0xd9, 0x46, 0x03, 0xfb,
175 0x00, 0xeb, 0x30, 0x70, 0xb9, 0x51, 0xd9, 0x0a, 0xd2, 0xf8, 0x50, 0xd4,
176 0xfb, 0x43, 0x84, 0xf8, 0xac, 0x58, 0xc3, 0x7b,
177 };
178 static const uint8_t kDModPMinusOne[] = {
179 0xf5, 0x50, 0x8f, 0x88, 0x7d, 0xdd, 0xb5, 0xb4, 0x2a, 0x8b, 0xd7, 0x4d,
180 0x23, 0xfe, 0xaf, 0xe9, 0x16, 0x22, 0xd2, 0x41, 0xed, 0x88, 0xf2, 0x70,
181 0xcb, 0x4d, 0xeb, 0xc1, 0x71, 0x97, 0xc4, 0x0b, 0x3e, 0x5a, 0x2d, 0x96,
182 0xab, 0xfa, 0xfd, 0x12, 0x8b, 0xd3, 0x3e, 0x4e, 0x05, 0x6f, 0x04, 0xeb,
183 0x59, 0x3c, 0x0e, 0xa1, 0x73, 0xbe, 0x9d, 0x99, 0x2f, 0x05, 0xf9, 0x54,
184 0x8d, 0x98, 0x1e, 0x0d, 0xc4, 0x0c, 0xc3, 0x30, 0x23, 0xff, 0xe5, 0xd0,
185 0x2b, 0xd5, 0x4e, 0x2b, 0xa0, 0xae, 0xb8, 0x32, 0x84, 0x45, 0x8b, 0x3c,
186 0x6d, 0xf0, 0x10, 0x36, 0x9e, 0x6a, 0xc4, 0x67, 0xca, 0xa9, 0xfc, 0x06,
187 0x96, 0xd0, 0xbc, 0xda, 0xd1, 0x55, 0x55, 0x8d, 0x77, 0x21, 0xf4, 0x82,
188 0x39, 0x37, 0x91, 0xd5, 0x97, 0x56, 0x78, 0xc8, 0x3c, 0xcb, 0x5e, 0xf6,
189 0xdc, 0x58, 0x48, 0xb3, 0x7c, 0x94, 0x29, 0x39,
190 };
191 static const uint8_t kDModQMinusOne[] = {
192 0x64, 0x65, 0xbd, 0x7d, 0x1a, 0x96, 0x26, 0xa1, 0xfe, 0xf3, 0x94, 0x0d,
193 0x5d, 0xec, 0x85, 0xe2, 0xf8, 0xb3, 0x4c, 0xcb, 0xf9, 0x85, 0x8b, 0x12,
194 0x9c, 0xa0, 0x32, 0x32, 0x35, 0x92, 0x5a, 0x94, 0x47, 0x1b, 0x70, 0xd2,
195 0x90, 0x04, 0x49, 0x01, 0xd8, 0xc5, 0xe4, 0xc4, 0x43, 0xb7, 0xe9, 0x36,
196 0xba, 0xbc, 0x73, 0xa8, 0xfb, 0xaf, 0x86, 0xc1, 0xd8, 0x3d, 0xcb, 0xac,
197 0xf1, 0xcb, 0x60, 0x7d, 0x27, 0x21, 0xde, 0x64, 0x7f, 0xe8, 0xa8, 0x65,
198 0xcc, 0x40, 0x60, 0xff, 0xa0, 0x2b, 0xfc, 0x0f, 0x80, 0x1d, 0x79, 0xca,
199 0x58, 0x8a, 0xd6, 0x0f, 0xed, 0x78, 0x9a, 0x02, 0x00, 0x04, 0xc2, 0x53,
200 0x41, 0xe8, 0x1a, 0xd0, 0xfd, 0x71, 0x5b, 0x43, 0xac, 0x19, 0x4a, 0xb6,
201 0x12, 0xa3, 0xcb, 0xe1, 0xc7, 0x7d, 0x5c, 0x98, 0x74, 0x4e, 0x63, 0x74,
202 0x6b, 0x91, 0x7a, 0x29, 0x3b, 0x92, 0xb2, 0x85,
203 };
204 static const uint8_t kQInverseModP[] = {
205 0xd0, 0xde, 0x19, 0xda, 0x1e, 0xa2, 0xd8, 0x8f, 0x1c, 0x92, 0x73, 0xb0,
206 0xc9, 0x90, 0xc7, 0xf5, 0xec, 0xc5, 0x89, 0x01, 0x05, 0x78, 0x11, 0x2d,
207 0x74, 0x34, 0x44, 0xad, 0xd5, 0xf7, 0xa4, 0xfe, 0x9f, 0x25, 0x4d, 0x0b,
208 0x92, 0xe3, 0xb8, 0x7d, 0xd3, 0xfd, 0xa5, 0xca, 0x95, 0x60, 0xa3, 0xf9,
209 0x55, 0x42, 0x14, 0xb2, 0x45, 0x51, 0x9f, 0x73, 0x88, 0x43, 0x8a, 0xd1,
210 0x65, 0x9e, 0xd1, 0xf7, 0x82, 0x2a, 0x2a, 0x8d, 0x70, 0x56, 0xe3, 0xef,
211 0xc9, 0x0e, 0x2a, 0x2c, 0x15, 0xaf, 0x7f, 0x97, 0x81, 0x66, 0xf3, 0xb5,
212 0x00, 0xa9, 0x26, 0xcc, 0x1e, 0xc2, 0x98, 0xdd, 0xd3, 0x37, 0x06, 0x79,
213 0xb3, 0x60, 0x58, 0x79, 0x99, 0x3f, 0xa3, 0x15, 0x1f, 0x31, 0xe3, 0x11,
214 0x88, 0x4c, 0x35, 0x57, 0xfa, 0x79, 0xd7, 0xd8, 0x72, 0xee, 0x73, 0x95,
215 0x89, 0x29, 0xc7, 0x05, 0x27, 0x68, 0x90, 0x15,
216 };
217
218 RSA *rsa = RSA_new();
219 if (rsa == NULL ||
220 !set_bignum(&rsa->n, kN, sizeof(kN)) ||
221 !set_bignum(&rsa->e, kE, sizeof(kE)) ||
222 !set_bignum(&rsa->d, kD, sizeof(kD)) ||
223 !set_bignum(&rsa->p, kP, sizeof(kP)) ||
224 !set_bignum(&rsa->q, kQ, sizeof(kQ)) ||
225 !set_bignum(&rsa->dmp1, kDModPMinusOne, sizeof(kDModPMinusOne)) ||
226 !set_bignum(&rsa->dmq1, kDModQMinusOne, sizeof(kDModQMinusOne)) ||
227 !set_bignum(&rsa->iqmp, kQInverseModP, sizeof(kQInverseModP))) {
228 RSA_free(rsa);
229 return NULL;
230 }
231
232 return rsa;
233 }
234
self_test_ecdsa_key(void)235 static EC_KEY *self_test_ecdsa_key(void) {
236 static const uint8_t kQx[] = {
237 0xc8, 0x15, 0x61, 0xec, 0xf2, 0xe5, 0x4e, 0xde, 0xfe, 0x66, 0x17,
238 0xdb, 0x1c, 0x7a, 0x34, 0xa7, 0x07, 0x44, 0xdd, 0xb2, 0x61, 0xf2,
239 0x69, 0xb8, 0x3d, 0xac, 0xfc, 0xd2, 0xad, 0xe5, 0xa6, 0x81,
240 };
241 static const uint8_t kQy[] = {
242 0xe0, 0xe2, 0xaf, 0xa3, 0xf9, 0xb6, 0xab, 0xe4, 0xc6, 0x98, 0xef,
243 0x64, 0x95, 0xf1, 0xbe, 0x49, 0xa3, 0x19, 0x6c, 0x50, 0x56, 0xac,
244 0xb3, 0x76, 0x3f, 0xe4, 0x50, 0x7e, 0xec, 0x59, 0x6e, 0x88,
245 };
246 static const uint8_t kD[] = {
247 0xc6, 0xc1, 0xaa, 0xda, 0x15, 0xb0, 0x76, 0x61, 0xf8, 0x14, 0x2c,
248 0x6c, 0xaf, 0x0f, 0xdb, 0x24, 0x1a, 0xff, 0x2e, 0xfe, 0x46, 0xc0,
249 0x93, 0x8b, 0x74, 0xf2, 0xbc, 0xc5, 0x30, 0x52, 0xb0, 0x77,
250 };
251
252 EC_KEY *ec_key = EC_KEY_new();
253 BIGNUM *qx = BN_bin2bn(kQx, sizeof(kQx), NULL);
254 BIGNUM *qy = BN_bin2bn(kQy, sizeof(kQy), NULL);
255 BIGNUM *d = BN_bin2bn(kD, sizeof(kD), NULL);
256 if (ec_key == NULL || qx == NULL || qy == NULL || d == NULL ||
257 !EC_KEY_set_group(ec_key, EC_group_p256()) ||
258 !EC_KEY_set_public_key_affine_coordinates(ec_key, qx, qy) ||
259 !EC_KEY_set_private_key(ec_key, d)) {
260 EC_KEY_free(ec_key);
261 ec_key = NULL;
262 }
263
264 BN_free(qx);
265 BN_free(qy);
266 BN_free(d);
267 return ec_key;
268 }
269
self_test_dh(void)270 static DH *self_test_dh(void) {
271 DH *dh = DH_get_rfc7919_2048();
272 if (!dh) {
273 return NULL;
274 }
275
276 BIGNUM *priv = BN_new();
277 if (!priv) {
278 goto err;
279 }
280
281 // kFFDHE2048PrivateKeyData is a 225-bit value. (225 because that's the
282 // minimum private key size in
283 // https://tools.ietf.org/html/rfc7919#appendix-A.1.)
284 static const BN_ULONG kFFDHE2048PrivateKeyData[] = {
285 TOBN(0x187be36b, 0xd38a4fa1),
286 TOBN(0x0a152f39, 0x6458f3b8),
287 TOBN(0x0570187e, 0xc422eeb7),
288 TOBN(0x00000001, 0x91173f2a),
289 };
290
291 bn_set_static_words(priv, kFFDHE2048PrivateKeyData,
292 OPENSSL_ARRAY_SIZE(kFFDHE2048PrivateKeyData));
293
294 if (!DH_set0_key(dh, NULL, priv)) {
295 goto err;
296 }
297 return dh;
298
299 err:
300 BN_free(priv);
301 DH_free(dh);
302 return NULL;
303 }
304
305
306 // Lazy self-tests
307 //
308 // Self tests that are slow are deferred until the corresponding algorithm is
309 // actually exercised, in FIPS mode. (In non-FIPS mode these tests are only run
310 // when requested by |BORINGSSL_self_test|.)
311
boringssl_self_test_rsa(void)312 static int boringssl_self_test_rsa(void) {
313 int ret = 0;
314 uint8_t output[256];
315
316 RSA *const rsa_key = self_test_rsa_key();
317 if (rsa_key == NULL) {
318 fprintf(stderr, "RSA key construction failed\n");
319 goto err;
320 }
321 // Disable blinding for the power-on tests because it's not needed and
322 // triggers an entropy draw.
323 rsa_key->flags |= RSA_FLAG_NO_BLINDING;
324
325 // RSA Sign KAT
326
327 static const uint8_t kRSASignDigest[32] = {
328 0xd2, 0xb5, 0x6e, 0x53, 0x30, 0x6f, 0x72, 0x0d, 0x79, 0x29, 0xd8,
329 0x70, 0x8b, 0xf4, 0x6f, 0x1c, 0x22, 0x30, 0x03, 0x05, 0x58, 0x2b,
330 0x11, 0x5b, 0xed, 0xca, 0xc7, 0x22, 0xd8, 0xaa, 0x5a, 0xb2,
331 };
332 static const uint8_t kRSASignSignature[256] = {
333 0x64, 0xce, 0xdd, 0x91, 0x27, 0xb0, 0x4f, 0xb9, 0x14, 0xea, 0xc0, 0xb4,
334 0xa2, 0x06, 0xc5, 0xd8, 0x40, 0x0f, 0x6c, 0x54, 0xac, 0xf7, 0x02, 0xde,
335 0x26, 0xbb, 0xfd, 0x33, 0xe5, 0x2f, 0x4d, 0xb1, 0x53, 0xc4, 0xff, 0xd0,
336 0x5f, 0xea, 0x15, 0x89, 0x83, 0x4c, 0xe3, 0x80, 0x0b, 0xe9, 0x13, 0x82,
337 0x1d, 0x71, 0x92, 0x1a, 0x03, 0x60, 0x2c, 0xaf, 0xe2, 0x16, 0xc7, 0x43,
338 0x3f, 0xde, 0x6b, 0x94, 0xfd, 0x6e, 0x08, 0x7b, 0x11, 0xf1, 0x34, 0x52,
339 0xe5, 0xc0, 0x97, 0x66, 0x4a, 0xe0, 0x91, 0x45, 0xc8, 0xb1, 0x3d, 0x6a,
340 0x54, 0xc1, 0x32, 0x0f, 0x32, 0xad, 0x25, 0x11, 0x3e, 0x49, 0xad, 0x41,
341 0xce, 0x7b, 0xca, 0x95, 0x6b, 0x54, 0x5e, 0x86, 0x1b, 0xce, 0xfa, 0x2a,
342 0x60, 0xe8, 0xfa, 0xbb, 0x23, 0xb2, 0x41, 0xbc, 0x7c, 0x98, 0xec, 0x73,
343 0x20, 0xed, 0xb3, 0xcf, 0xab, 0x07, 0x24, 0x85, 0x6a, 0x2a, 0x61, 0x76,
344 0x28, 0xf8, 0x00, 0x80, 0xeb, 0xd9, 0x3a, 0x63, 0xe2, 0x01, 0xb1, 0xee,
345 0x6d, 0xe9, 0x73, 0xe9, 0xb6, 0x75, 0x2e, 0xf9, 0x81, 0xd9, 0xa8, 0x79,
346 0xf6, 0x8f, 0xe3, 0x02, 0x7d, 0xf6, 0xea, 0xdc, 0x35, 0xe4, 0x62, 0x0d,
347 0x91, 0xba, 0x3e, 0x7d, 0x8b, 0x82, 0xbf, 0x15, 0x74, 0x6a, 0x4e, 0x29,
348 0xf8, 0x9b, 0x2c, 0x94, 0x8d, 0xa7, 0x00, 0x4d, 0x7b, 0xbf, 0x35, 0x07,
349 0xeb, 0xdd, 0x10, 0xef, 0xd5, 0x2f, 0xe6, 0x98, 0x4b, 0x7e, 0x24, 0x80,
350 0xe2, 0x01, 0xf2, 0x66, 0xb7, 0xd3, 0x93, 0xfe, 0x2a, 0xb3, 0x74, 0xed,
351 0xec, 0x4b, 0xb1, 0x5f, 0x5f, 0xee, 0x85, 0x44, 0xa7, 0x26, 0xdf, 0xc1,
352 0x2e, 0x7a, 0xf3, 0xa5, 0x8f, 0xf8, 0x64, 0xda, 0x65, 0xad, 0x91, 0xe2,
353 0x90, 0x94, 0x20, 0x16, 0xb8, 0x61, 0xa5, 0x0a, 0x7d, 0xb4, 0xbf, 0xc0,
354 0x10, 0xaf, 0x72, 0x67,
355 };
356
357 unsigned sig_len;
358 if (!rsa_sign_no_self_test(NID_sha256, kRSASignDigest, sizeof(kRSASignDigest),
359 output, &sig_len, rsa_key) ||
360 !check_test(kRSASignSignature, output, sizeof(kRSASignSignature),
361 "RSA-sign KAT")) {
362 fprintf(stderr, "RSA signing test failed.\n");
363 goto err;
364 }
365
366 // RSA Verify KAT
367
368 static const uint8_t kRSAVerifyDigest[32] = {
369 0x09, 0x65, 0x2f, 0xd8, 0xed, 0x9d, 0xc2, 0x6d, 0xbc, 0xbf, 0xf2,
370 0xa7, 0xa5, 0xed, 0xe1, 0x37, 0x13, 0x78, 0x21, 0x36, 0xcf, 0x8d,
371 0x22, 0x3d, 0xab, 0x93, 0xb4, 0x12, 0xa8, 0xb5, 0x15, 0x53,
372 };
373 static const uint8_t kRSAVerifySignature[256] = {
374 0xab, 0xe2, 0xcb, 0xc1, 0x3d, 0x6b, 0xd3, 0x9d, 0x48, 0xdb, 0x53, 0x34,
375 0xdd, 0xbf, 0x8d, 0x07, 0x0a, 0x93, 0xbd, 0xcb, 0x10, 0x4e, 0x2c, 0xc5,
376 0xd0, 0xee, 0x48, 0x6e, 0xe2, 0x95, 0xf6, 0xb3, 0x1b, 0xda, 0x12, 0x6c,
377 0x41, 0x89, 0x0b, 0x98, 0xb7, 0x3e, 0x70, 0xe6, 0xb6, 0x5d, 0x82, 0xf9,
378 0x5c, 0x66, 0x31, 0x21, 0x75, 0x5a, 0x90, 0x74, 0x4c, 0x8d, 0x1c, 0x21,
379 0x14, 0x8a, 0x19, 0x60, 0xbe, 0x0e, 0xca, 0x44, 0x6e, 0x9f, 0xf4, 0x97,
380 0xf1, 0x34, 0x5c, 0x53, 0x7e, 0xf8, 0x11, 0x9b, 0x9a, 0x43, 0x98, 0xe9,
381 0x5c, 0x5c, 0x6d, 0xe2, 0xb1, 0xc9, 0x55, 0x90, 0x5c, 0x52, 0x99, 0xd8,
382 0xce, 0x7a, 0x3b, 0x6a, 0xb7, 0x63, 0x80, 0xd9, 0xba, 0xbd, 0xd1, 0x5f,
383 0x61, 0x02, 0x37, 0xe1, 0xf3, 0xf2, 0xaa, 0x1c, 0x1f, 0x1e, 0x77, 0x0b,
384 0x62, 0xfb, 0xb5, 0x96, 0x38, 0x1b, 0x2e, 0xbd, 0xd7, 0x7e, 0xce, 0xf9,
385 0xc9, 0x0d, 0x4c, 0x92, 0xf7, 0xb6, 0xb0, 0x5f, 0xed, 0x29, 0x36, 0x28,
386 0x5f, 0xa9, 0x48, 0x26, 0xe6, 0x20, 0x55, 0x32, 0x2a, 0x33, 0xb6, 0xf0,
387 0x4c, 0x74, 0xce, 0x69, 0xe5, 0xd8, 0xd7, 0x37, 0xfb, 0x83, 0x8b, 0x79,
388 0xd2, 0xd4, 0x8e, 0x3d, 0xaf, 0x71, 0x38, 0x75, 0x31, 0x88, 0x25, 0x31,
389 0xa9, 0x5a, 0xc9, 0x64, 0xd0, 0x2e, 0xa4, 0x13, 0xbf, 0x85, 0x95, 0x29,
390 0x82, 0xbb, 0xc0, 0x89, 0x52, 0x7d, 0xaf, 0xf5, 0xb8, 0x45, 0xc9, 0xa0,
391 0xf4, 0xd1, 0x4e, 0xf1, 0x95, 0x6d, 0x9c, 0x3a, 0xca, 0xe8, 0x82, 0xd1,
392 0x2d, 0xa6, 0x6d, 0xa0, 0xf3, 0x57, 0x94, 0xf5, 0xee, 0x32, 0x23, 0x23,
393 0x33, 0x51, 0x7d, 0xb9, 0x31, 0x52, 0x32, 0xa1, 0x83, 0xb9, 0x91, 0x65,
394 0x4d, 0xbe, 0xa4, 0x16, 0x15, 0x34, 0x5c, 0x88, 0x53, 0x25, 0x92, 0x67,
395 0x44, 0xa5, 0x39, 0x15,
396 };
397 if (!rsa_verify_no_self_test(NID_sha256, kRSAVerifyDigest,
398 sizeof(kRSAVerifyDigest), kRSAVerifySignature,
399 sizeof(kRSAVerifySignature), rsa_key)) {
400 fprintf(stderr, "RSA-verify KAT failed.\n");
401 goto err;
402 }
403
404 ret = 1;
405
406 err:
407 RSA_free(rsa_key);
408
409 return ret;
410 }
411
boringssl_self_test_ecc(void)412 static int boringssl_self_test_ecc(void) {
413 int ret = 0;
414 EC_KEY *ec_key = NULL;
415 EC_POINT *ec_point_in = NULL;
416 EC_POINT *ec_point_out = NULL;
417 BIGNUM *ec_scalar = NULL;
418 ECDSA_SIG *sig = NULL;
419
420 ec_key = self_test_ecdsa_key();
421 if (ec_key == NULL) {
422 fprintf(stderr, "ECDSA KeyGen failed\n");
423 goto err;
424 }
425
426 // ECDSA Sign/Verify KAT
427
428 static const uint8_t kECDSASignDigest[32] = {
429 0x1e, 0x35, 0x93, 0x0b, 0xe8, 0x60, 0xd0, 0x94, 0x2c, 0xa7, 0xbb,
430 0xd6, 0xf6, 0xde, 0xd8, 0x7f, 0x15, 0x7e, 0x4d, 0xe2, 0x4f, 0x81,
431 0xed, 0x4b, 0x87, 0x5c, 0x0e, 0x01, 0x8e, 0x89, 0xa8, 0x1f,
432 };
433 static const uint8_t kECDSASignSig[64] = {
434 0x67, 0x80, 0xc5, 0xfc, 0x70, 0x27, 0x5e, 0x2c, 0x70, 0x61, 0xa0,
435 0xe7, 0x87, 0x7b, 0xb1, 0x74, 0xde, 0xad, 0xeb, 0x98, 0x87, 0x02,
436 0x7f, 0x3f, 0xa8, 0x36, 0x54, 0x15, 0x8b, 0xa7, 0xf5, 0x0c, 0x68,
437 0x04, 0x73, 0x40, 0x94, 0xb2, 0xd1, 0x90, 0xac, 0x2d, 0x0c, 0xd7,
438 0xa5, 0x7f, 0x2f, 0x2e, 0xb2, 0x62, 0xb0, 0x09, 0x16, 0xe1, 0xa6,
439 0x70, 0xb5, 0xbb, 0x0d, 0xfd, 0x8e, 0x0c, 0x02, 0x3f,
440 };
441
442 // The 'k' value for ECDSA is fixed to avoid an entropy draw.
443 uint8_t ecdsa_k[32] = {0};
444 ecdsa_k[31] = 42;
445
446 sig = ecdsa_sign_with_nonce_for_known_answer_test(
447 kECDSASignDigest, sizeof(kECDSASignDigest), ec_key, ecdsa_k,
448 sizeof(ecdsa_k));
449
450 uint8_t ecdsa_sign_output[64];
451 if (sig == NULL ||
452 !serialize_ecdsa_sig(ecdsa_sign_output, sizeof(ecdsa_sign_output), sig) ||
453 !check_test(kECDSASignSig, ecdsa_sign_output, sizeof(ecdsa_sign_output),
454 "ECDSA-sign signature")) {
455 fprintf(stderr, "ECDSA-sign KAT failed.\n");
456 goto err;
457 }
458
459 static const uint8_t kECDSAVerifyDigest[32] = {
460 0x78, 0x7c, 0x50, 0x5c, 0x60, 0xc9, 0xe4, 0x13, 0x6c, 0xe4, 0x48,
461 0xba, 0x93, 0xff, 0x71, 0xfa, 0x9c, 0x18, 0xf4, 0x17, 0x09, 0x4f,
462 0xdf, 0x5a, 0xe2, 0x75, 0xc0, 0xcc, 0xd2, 0x67, 0x97, 0xad,
463 };
464 static const uint8_t kECDSAVerifySig[64] = {
465 0x67, 0x80, 0xc5, 0xfc, 0x70, 0x27, 0x5e, 0x2c, 0x70, 0x61, 0xa0,
466 0xe7, 0x87, 0x7b, 0xb1, 0x74, 0xde, 0xad, 0xeb, 0x98, 0x87, 0x02,
467 0x7f, 0x3f, 0xa8, 0x36, 0x54, 0x15, 0x8b, 0xa7, 0xf5, 0x0c, 0x2d,
468 0x36, 0xe5, 0x79, 0x97, 0x90, 0xbf, 0xbe, 0x21, 0x83, 0xd3, 0x3e,
469 0x96, 0xf3, 0xc5, 0x1f, 0x6a, 0x23, 0x2f, 0x2a, 0x24, 0x48, 0x8c,
470 0x8e, 0x5f, 0x64, 0xc3, 0x7e, 0xa2, 0xcf, 0x05, 0x29,
471 };
472
473 ECDSA_SIG_free(sig);
474 sig = parse_ecdsa_sig(kECDSAVerifySig, sizeof(kECDSAVerifySig));
475 if (!sig ||
476 !ecdsa_do_verify_no_self_test(kECDSAVerifyDigest,
477 sizeof(kECDSAVerifyDigest), sig, ec_key)) {
478 fprintf(stderr, "ECDSA-verify KAT failed.\n");
479 goto err;
480 }
481
482 // Primitive Z Computation KAT (IG 9.6).
483
484 // kP256Point is SHA256("Primitive Z Computation KAT")×G within P-256.
485 static const uint8_t kP256Point[65] = {
486 0x04, 0x4e, 0xc1, 0x94, 0x8c, 0x5c, 0xf4, 0x37, 0x35, 0x0d, 0xa3,
487 0xf9, 0x55, 0xf9, 0x8b, 0x26, 0x23, 0x5c, 0x43, 0xe0, 0x83, 0x51,
488 0x2b, 0x0d, 0x4b, 0x56, 0x24, 0xc3, 0xe4, 0xa5, 0xa8, 0xe2, 0xe9,
489 0x95, 0xf2, 0xc4, 0xb9, 0xb7, 0x48, 0x7d, 0x2a, 0xae, 0xc5, 0xc0,
490 0x0a, 0xcc, 0x1b, 0xd0, 0xec, 0xb8, 0xdc, 0xbe, 0x0c, 0xbe, 0x52,
491 0x79, 0x93, 0x7c, 0x0b, 0x92, 0x2b, 0x7f, 0x17, 0xa5, 0x80,
492 };
493 // kP256Scalar is SHA256("Primitive Z Computation KAT scalar").
494 static const uint8_t kP256Scalar[32] = {
495 0xe7, 0x60, 0x44, 0x91, 0x26, 0x9a, 0xfb, 0x5b, 0x10, 0x2d, 0x6e,
496 0xa5, 0x2c, 0xb5, 0x9f, 0xeb, 0x70, 0xae, 0xde, 0x6c, 0xe3, 0xbf,
497 0xb3, 0xe0, 0x10, 0x54, 0x85, 0xab, 0xd8, 0x61, 0xd7, 0x7b,
498 };
499 // kP256PointResult is |kP256Scalar|×|kP256Point|.
500 static const uint8_t kP256PointResult[65] = {
501 0x04, 0xf1, 0x63, 0x00, 0x88, 0xc5, 0xd5, 0xe9, 0x05, 0x52, 0xac,
502 0xb6, 0xec, 0x68, 0x76, 0xb8, 0x73, 0x7f, 0x0f, 0x72, 0x34, 0xe6,
503 0xbb, 0x30, 0x32, 0x22, 0x37, 0xb6, 0x2a, 0x80, 0xe8, 0x9e, 0x6e,
504 0x6f, 0x36, 0x02, 0xe7, 0x21, 0xd2, 0x31, 0xdb, 0x94, 0x63, 0xb7,
505 0xd8, 0x19, 0x0e, 0xc2, 0xc0, 0xa7, 0x2f, 0x15, 0x49, 0x1a, 0xa2,
506 0x7c, 0x41, 0x8f, 0xaf, 0x9c, 0x40, 0xaf, 0x2e, 0x4a, 0x0c,
507 };
508
509 const EC_GROUP *ec_group = EC_group_p256();
510 ec_point_in = EC_POINT_new(ec_group);
511 ec_point_out = EC_POINT_new(ec_group);
512 ec_scalar = BN_new();
513 uint8_t z_comp_result[65];
514 if (ec_point_in == NULL || ec_point_out == NULL || ec_scalar == NULL ||
515 !EC_POINT_oct2point(ec_group, ec_point_in, kP256Point, sizeof(kP256Point),
516 NULL) ||
517 !BN_bin2bn(kP256Scalar, sizeof(kP256Scalar), ec_scalar) ||
518 !ec_point_mul_no_self_test(ec_group, ec_point_out, NULL, ec_point_in,
519 ec_scalar, NULL) ||
520 !EC_POINT_point2oct(ec_group, ec_point_out, POINT_CONVERSION_UNCOMPRESSED,
521 z_comp_result, sizeof(z_comp_result), NULL) ||
522 !check_test(kP256PointResult, z_comp_result, sizeof(z_comp_result),
523 "Z Computation Result")) {
524 fprintf(stderr, "Z-computation KAT failed.\n");
525 goto err;
526 }
527
528 ret = 1;
529
530 err:
531 EC_KEY_free(ec_key);
532 EC_POINT_free(ec_point_in);
533 EC_POINT_free(ec_point_out);
534 BN_free(ec_scalar);
535 ECDSA_SIG_free(sig);
536
537 return ret;
538 }
539
boringssl_self_test_ffdh(void)540 static int boringssl_self_test_ffdh(void) {
541 int ret = 0;
542 DH *dh = NULL;
543 BIGNUM *ffdhe2048_value = NULL;
544
545 // FFC Diffie-Hellman KAT
546
547 // kFFDHE2048PublicValueData is an arbitrary public value, mod
548 // kFFDHE2048Data. (The private key happens to be 4096.)
549 static const BN_ULONG kFFDHE2048PublicValueData[] = {
550 TOBN(0x187be36b, 0xd38a4fa1), TOBN(0x0a152f39, 0x6458f3b8),
551 TOBN(0x0570187e, 0xc422eeb7), TOBN(0x18af7482, 0x91173f2a),
552 TOBN(0xe9fdac6a, 0xcff4eaaa), TOBN(0xf6afebb7, 0x6e589d6c),
553 TOBN(0xf92f8e9a, 0xb7e33fb0), TOBN(0x70acf2aa, 0x4cf36ddd),
554 TOBN(0x561ab426, 0xd07137fd), TOBN(0x5f57d037, 0x430ee91e),
555 TOBN(0xe3e768c8, 0x60d10b8a), TOBN(0xb14884d8, 0xa18af8ce),
556 TOBN(0xf8a98014, 0xa12b74e4), TOBN(0x748d407c, 0x3437b7a8),
557 TOBN(0x627588c4, 0x9875d5a7), TOBN(0xdd24a127, 0x53c8f09d),
558 TOBN(0x85a997d5, 0x0cd51aec), TOBN(0x44f0c619, 0xce348458),
559 TOBN(0x9b894b24, 0x5f6b69a1), TOBN(0xae1302f2, 0xf6d4777e),
560 TOBN(0xe6678eeb, 0x375db18e), TOBN(0x2674e1d6, 0x4fbcbdc8),
561 TOBN(0xb297a823, 0x6fa93d28), TOBN(0x6a12fb70, 0x7c8c0510),
562 TOBN(0x5c6d1aeb, 0xdb06f65b), TOBN(0xe8c2954e, 0x4c1804ca),
563 TOBN(0x06bdeac1, 0xf5500fa7), TOBN(0x6a315604, 0x189cd76b),
564 TOBN(0xbae7b0b3, 0x6e362dc0), TOBN(0xa57c73bd, 0xdc70fb82),
565 TOBN(0xfaff50d2, 0x9d573457), TOBN(0x352bd399, 0xbe84058e),
566 };
567 static const uint8_t kDHOutput[2048 / 8] = {
568 0x2a, 0xe6, 0xd3, 0xa6, 0x13, 0x58, 0x8e, 0xce, 0x53, 0xaa, 0xf6, 0x5d,
569 0x9a, 0xae, 0x02, 0x12, 0xf5, 0x80, 0x3d, 0x06, 0x09, 0x76, 0xac, 0x57,
570 0x37, 0x9e, 0xab, 0x38, 0x62, 0x25, 0x05, 0x1d, 0xf3, 0xa9, 0x39, 0x60,
571 0xf6, 0xae, 0x90, 0xed, 0x1e, 0xad, 0x6e, 0xe9, 0xe3, 0xba, 0x27, 0xf6,
572 0xdb, 0x54, 0xdf, 0xe2, 0xbd, 0xbb, 0x7f, 0xf1, 0x81, 0xac, 0x1a, 0xfa,
573 0xdb, 0x87, 0x07, 0x98, 0x76, 0x90, 0x21, 0xf2, 0xae, 0xda, 0x0d, 0x84,
574 0x97, 0x64, 0x0b, 0xbf, 0xb8, 0x8d, 0x10, 0x46, 0xe2, 0xd5, 0xca, 0x1b,
575 0xbb, 0xe5, 0x37, 0xb2, 0x3b, 0x35, 0xd3, 0x1b, 0x65, 0xea, 0xae, 0xf2,
576 0x03, 0xe2, 0xb6, 0xde, 0x22, 0xb7, 0x86, 0x49, 0x79, 0xfe, 0xd7, 0x16,
577 0xf7, 0xdc, 0x9c, 0x59, 0xf5, 0xb7, 0x70, 0xc0, 0x53, 0x42, 0x6f, 0xb1,
578 0xd2, 0x4e, 0x00, 0x25, 0x4b, 0x2d, 0x5a, 0x9b, 0xd0, 0xe9, 0x27, 0x43,
579 0xcc, 0x00, 0x66, 0xea, 0x94, 0x7a, 0x0b, 0xb9, 0x89, 0x0c, 0x5e, 0x94,
580 0xb8, 0x3a, 0x78, 0x9c, 0x4d, 0x84, 0xe6, 0x32, 0x2c, 0x38, 0x7c, 0xf7,
581 0x43, 0x9c, 0xd8, 0xb8, 0x1c, 0xce, 0x24, 0x91, 0x20, 0x67, 0x7a, 0x54,
582 0x1f, 0x7e, 0x86, 0x7f, 0xa1, 0xc1, 0x03, 0x4e, 0x2c, 0x26, 0x71, 0xb2,
583 0x06, 0x30, 0xb3, 0x6c, 0x15, 0xcc, 0xac, 0x25, 0xe5, 0x37, 0x3f, 0x24,
584 0x8f, 0x2a, 0x89, 0x5e, 0x3d, 0x43, 0x94, 0xc9, 0x36, 0xae, 0x40, 0x00,
585 0x6a, 0x0d, 0xb0, 0x6e, 0x8b, 0x2e, 0x70, 0x57, 0xe1, 0x88, 0x53, 0xd6,
586 0x06, 0x80, 0x2a, 0x4e, 0x5a, 0xf0, 0x1e, 0xaa, 0xcb, 0xab, 0x06, 0x0e,
587 0x27, 0x0f, 0xd9, 0x88, 0xd9, 0x01, 0xe3, 0x07, 0xeb, 0xdf, 0xc3, 0x12,
588 0xe3, 0x40, 0x88, 0x7b, 0x5f, 0x59, 0x78, 0x6e, 0x26, 0x20, 0xc3, 0xdf,
589 0xc8, 0xe4, 0x5e, 0xb8,
590 };
591
592 ffdhe2048_value = BN_new();
593 if (ffdhe2048_value) {
594 bn_set_static_words(ffdhe2048_value, kFFDHE2048PublicValueData,
595 OPENSSL_ARRAY_SIZE(kFFDHE2048PublicValueData));
596 }
597
598 dh = self_test_dh();
599 uint8_t dh_out[sizeof(kDHOutput)];
600 if (dh == NULL || ffdhe2048_value == NULL || sizeof(dh_out) != DH_size(dh) ||
601 dh_compute_key_padded_no_self_test(dh_out, ffdhe2048_value, dh) !=
602 sizeof(dh_out) ||
603 !check_test(kDHOutput, dh_out, sizeof(dh_out), "FFC DH")) {
604 fprintf(stderr, "FFDH failed.\n");
605 goto err;
606 }
607
608 ret = 1;
609
610 err:
611 DH_free(dh);
612 BN_free(ffdhe2048_value);
613
614 return ret;
615 }
616
617 #if defined(BORINGSSL_FIPS)
618
run_self_test_rsa(void)619 static void run_self_test_rsa(void) {
620 FIPS_service_indicator_lock_state();
621 if (!boringssl_self_test_rsa()) {
622 BORINGSSL_FIPS_abort();
623 }
624 FIPS_service_indicator_unlock_state();
625 }
626
627 DEFINE_STATIC_ONCE(g_self_test_once_rsa);
628
boringssl_ensure_rsa_self_test(void)629 void boringssl_ensure_rsa_self_test(void) {
630 CRYPTO_once(g_self_test_once_rsa_bss_get(), run_self_test_rsa);
631 }
632
run_self_test_ecc(void)633 static void run_self_test_ecc(void) {
634 FIPS_service_indicator_lock_state();
635 if (!boringssl_self_test_ecc()) {
636 BORINGSSL_FIPS_abort();
637 }
638 FIPS_service_indicator_unlock_state();
639 }
640
641 DEFINE_STATIC_ONCE(g_self_test_once_ecc);
642
boringssl_ensure_ecc_self_test(void)643 void boringssl_ensure_ecc_self_test(void) {
644 CRYPTO_once(g_self_test_once_ecc_bss_get(), run_self_test_ecc);
645 }
646
run_self_test_ffdh(void)647 static void run_self_test_ffdh(void) {
648 FIPS_service_indicator_lock_state();
649 if (!boringssl_self_test_ffdh()) {
650 BORINGSSL_FIPS_abort();
651 }
652 FIPS_service_indicator_unlock_state();
653 }
654
655 DEFINE_STATIC_ONCE(g_self_test_once_ffdh);
656
boringssl_ensure_ffdh_self_test(void)657 void boringssl_ensure_ffdh_self_test(void) {
658 CRYPTO_once(g_self_test_once_ffdh_bss_get(), run_self_test_ffdh);
659 }
660
661 #endif // BORINGSSL_FIPS
662
663
664 // Startup self tests.
665 //
666 // These tests are run at process start when in FIPS mode.
667
boringssl_self_test_sha256(void)668 int boringssl_self_test_sha256(void) {
669 static const uint8_t kInput[16] = {
670 0xff, 0x3b, 0x85, 0x7d, 0xa7, 0x23, 0x6a, 0x2b,
671 0xaa, 0x0f, 0x39, 0x6b, 0x51, 0x52, 0x22, 0x17,
672 };
673 static const uint8_t kPlaintextSHA256[32] = {
674 0x7f, 0xe4, 0xd5, 0xf1, 0xa1, 0xe3, 0x82, 0x87, 0xd9, 0x58, 0xf5,
675 0x11, 0xc7, 0x1d, 0x5e, 0x27, 0x5e, 0xcc, 0xd2, 0x66, 0xcf, 0xb9,
676 0xc8, 0xc6, 0x60, 0xd8, 0x92, 0x1e, 0x57, 0xfd, 0x46, 0x75,
677 };
678 uint8_t output[SHA256_DIGEST_LENGTH];
679
680 // SHA-256 KAT
681 SHA256(kInput, sizeof(kInput), output);
682 return check_test(kPlaintextSHA256, output, sizeof(kPlaintextSHA256),
683 "SHA-256 KAT");
684 }
685
boringssl_self_test_sha512(void)686 int boringssl_self_test_sha512(void) {
687 static const uint8_t kInput[16] = {
688 0x21, 0x25, 0x12, 0xf8, 0xd2, 0xad, 0x83, 0x22,
689 0x78, 0x1c, 0x6c, 0x4d, 0x69, 0xa9, 0xda, 0xa1,
690 };
691 static const uint8_t kPlaintextSHA512[64] = {
692 0x29, 0x3c, 0x94, 0x35, 0x4e, 0x98, 0x83, 0xe5, 0xc2, 0x78, 0x36,
693 0x7a, 0xe5, 0x18, 0x90, 0xbf, 0x35, 0x41, 0x01, 0x64, 0x19, 0x8d,
694 0x26, 0xeb, 0xe1, 0xf8, 0x2f, 0x04, 0x8e, 0xfa, 0x8b, 0x2b, 0xc6,
695 0xb2, 0x9d, 0x5d, 0x46, 0x76, 0x5a, 0xc8, 0xb5, 0x25, 0xa3, 0xea,
696 0x52, 0x84, 0x47, 0x6d, 0x6d, 0xf4, 0xc9, 0x71, 0xf3, 0x3d, 0x89,
697 0x4c, 0x3b, 0x20, 0x8c, 0x5b, 0x75, 0xe8, 0xf8, 0x7c,
698 };
699 uint8_t output[SHA512_DIGEST_LENGTH];
700
701 // SHA-512 KAT
702 SHA512(kInput, sizeof(kInput), output);
703 return check_test(kPlaintextSHA512, output, sizeof(kPlaintextSHA512),
704 "SHA-512 KAT");
705 }
706
boringssl_self_test_hmac_sha256(void)707 int boringssl_self_test_hmac_sha256(void) {
708 static const uint8_t kInput[16] = {
709 0xda, 0xd9, 0x12, 0x93, 0xdf, 0xcf, 0x2a, 0x7c,
710 0x8e, 0xcd, 0x13, 0xfe, 0x35, 0x3f, 0xa7, 0x5b,
711 };
712 static const uint8_t kPlaintextHMACSHA256[32] = {
713 0x36, 0x5f, 0x5b, 0xd5, 0xf5, 0xeb, 0xfd, 0xc7, 0x6e, 0x53, 0xa5,
714 0x73, 0x6d, 0x73, 0x20, 0x13, 0xaa, 0xd3, 0xbc, 0x86, 0x4b, 0xb8,
715 0x84, 0x94, 0x16, 0x46, 0x88, 0x9c, 0x48, 0xee, 0xa9, 0x0e,
716 };
717 uint8_t output[EVP_MAX_MD_SIZE];
718
719 unsigned output_len;
720 HMAC(EVP_sha256(), kInput, sizeof(kInput), kInput, sizeof(kInput), output,
721 &output_len);
722 return output_len == sizeof(kPlaintextHMACSHA256) &&
723 check_test(kPlaintextHMACSHA256, output, sizeof(kPlaintextHMACSHA256),
724 "HMAC-SHA-256 KAT");
725 }
726
boringssl_self_test_fast(void)727 static int boringssl_self_test_fast(void) {
728 static const uint8_t kAESKey[16] = "BoringCrypto Key";
729 static const uint8_t kAESIV[16] = {0};
730
731 EVP_AEAD_CTX aead_ctx;
732 EVP_AEAD_CTX_zero(&aead_ctx);
733 int ret = 0;
734
735 AES_KEY aes_key;
736 uint8_t aes_iv[16];
737 uint8_t output[256];
738
739 // AES-CBC Encryption KAT
740 static const uint8_t kAESCBCEncPlaintext[32] = {
741 0x07, 0x86, 0x09, 0xa6, 0xc5, 0xac, 0x25, 0x44, 0x69, 0x9a, 0xdf,
742 0x68, 0x2f, 0xa3, 0x77, 0xf9, 0xbe, 0x8a, 0xb6, 0xae, 0xf5, 0x63,
743 0xe8, 0xc5, 0x6a, 0x36, 0xb8, 0x4f, 0x55, 0x7f, 0xad, 0xd3,
744 };
745 static const uint8_t kAESCBCEncCiphertext[sizeof(kAESCBCEncPlaintext)] = {
746 0x56, 0x46, 0xc1, 0x41, 0xf4, 0x13, 0xd6, 0xff, 0x62, 0x92, 0x41,
747 0x7a, 0x26, 0xc6, 0x86, 0xbd, 0x30, 0x5f, 0xb6, 0x57, 0xa7, 0xd2,
748 0x50, 0x3a, 0xc5, 0x5e, 0x8e, 0x93, 0x40, 0xf2, 0x10, 0xd8,
749 };
750 memcpy(aes_iv, kAESIV, sizeof(kAESIV));
751 if (AES_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) {
752 fprintf(stderr, "AES_set_encrypt_key failed.\n");
753 goto err;
754 }
755 AES_cbc_encrypt(kAESCBCEncPlaintext, output, sizeof(kAESCBCEncPlaintext),
756 &aes_key, aes_iv, AES_ENCRYPT);
757 if (!check_test(kAESCBCEncCiphertext, output, sizeof(kAESCBCEncCiphertext),
758 "AES-CBC-encrypt KAT")) {
759 goto err;
760 }
761
762 // AES-CBC Decryption KAT
763 static const uint8_t kAESCBCDecCiphertext[32] = {
764 0x34, 0x7a, 0xa5, 0xa0, 0x24, 0xb2, 0x82, 0x57, 0xb3, 0x65, 0x10,
765 0xbe, 0x58, 0x3d, 0x4f, 0x47, 0xad, 0xb7, 0xbb, 0xee, 0xdc, 0x60,
766 0x05, 0xbb, 0xbd, 0x0d, 0x0a, 0x9f, 0x06, 0xbb, 0x7b, 0x10,
767 };
768 static const uint8_t kAESCBCDecPlaintext[sizeof(kAESCBCDecCiphertext)] = {
769 0x51, 0xa7, 0xa0, 0x1f, 0x6b, 0x79, 0x6c, 0xcd, 0x48, 0x03, 0xa1,
770 0x41, 0xdc, 0x56, 0xa6, 0xc2, 0x16, 0xb5, 0xd1, 0xd3, 0xb7, 0x06,
771 0xb2, 0x25, 0x6f, 0xa6, 0xd0, 0xd2, 0x0e, 0x6f, 0x19, 0xb5,
772 };
773 memcpy(aes_iv, kAESIV, sizeof(kAESIV));
774 if (AES_set_decrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) {
775 fprintf(stderr, "AES_set_decrypt_key failed.\n");
776 goto err;
777 }
778 AES_cbc_encrypt(kAESCBCDecCiphertext, output, sizeof(kAESCBCDecCiphertext),
779 &aes_key, aes_iv, AES_DECRYPT);
780 if (!check_test(kAESCBCDecPlaintext, output, sizeof(kAESCBCDecPlaintext),
781 "AES-CBC-decrypt KAT")) {
782 goto err;
783 }
784
785 size_t out_len;
786 uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
787 OPENSSL_memset(nonce, 0, sizeof(nonce));
788 if (!EVP_AEAD_CTX_init(&aead_ctx, EVP_aead_aes_128_gcm(), kAESKey,
789 sizeof(kAESKey), 0, NULL)) {
790 fprintf(stderr, "EVP_AEAD_CTX_init for AES-128-GCM failed.\n");
791 goto err;
792 }
793
794 // AES-GCM Encryption KAT
795 static const uint8_t kAESGCMEncPlaintext[32] = {
796 0x8f, 0xcc, 0x40, 0x99, 0x80, 0x8e, 0x75, 0xca, 0xaf, 0xf5, 0x82,
797 0x89, 0x88, 0x48, 0xa8, 0x8d, 0x80, 0x8b, 0x55, 0xab, 0x4e, 0x93,
798 0x70, 0x79, 0x7d, 0x94, 0x0b, 0xe8, 0xcc, 0x1d, 0x78, 0x84,
799 };
800 static const uint8_t kAESGCMCiphertext[sizeof(kAESGCMEncPlaintext) + 16] = {
801 0x87, 0x7b, 0xd5, 0x8d, 0x96, 0x3e, 0x4b, 0xe6, 0x64, 0x94, 0x40, 0x2f,
802 0x61, 0x9b, 0x7e, 0x56, 0x52, 0x7d, 0xa4, 0x5a, 0xf9, 0xa6, 0xe2, 0xdb,
803 0x1c, 0x63, 0x2e, 0x97, 0x93, 0x0f, 0xfb, 0xed, 0xb5, 0x9e, 0x1c, 0x20,
804 0xb2, 0xb0, 0x58, 0xda, 0x48, 0x07, 0x2d, 0xbd, 0x96, 0x0d, 0x34, 0xc6,
805 };
806 if (!EVP_AEAD_CTX_seal(&aead_ctx, output, &out_len, sizeof(output), nonce,
807 EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()),
808 kAESGCMEncPlaintext, sizeof(kAESGCMEncPlaintext), NULL,
809 0) ||
810 !check_test(kAESGCMCiphertext, output, sizeof(kAESGCMCiphertext),
811 "AES-GCM-encrypt KAT")) {
812 fprintf(stderr, "EVP_AEAD_CTX_seal for AES-128-GCM failed.\n");
813 goto err;
814 }
815
816 // AES-GCM Decryption KAT
817 static const uint8_t kAESGCMDecCiphertext[48] = {
818 0x35, 0xf3, 0x05, 0x8f, 0x87, 0x57, 0x60, 0xff, 0x09, 0xd3, 0x12, 0x0f,
819 0x70, 0xc4, 0xbc, 0x9e, 0xd7, 0xa8, 0x68, 0x72, 0xe1, 0x34, 0x52, 0x20,
820 0x21, 0x76, 0xf7, 0x37, 0x1a, 0xe0, 0x4f, 0xaa, 0xe1, 0xdd, 0x39, 0x19,
821 0x20, 0xf5, 0xd1, 0x39, 0x53, 0xd8, 0x96, 0x78, 0x59, 0x94, 0x82, 0x3c,
822 };
823 static const uint8_t kAESGCMDecPlaintext[sizeof(kAESGCMDecCiphertext) - 16] =
824 {
825 0x3d, 0x44, 0x90, 0x9b, 0x91, 0xe7, 0x5e, 0xd3, 0xc2, 0xb2, 0xd0,
826 0xa9, 0x99, 0x17, 0x6a, 0x45, 0x05, 0x5e, 0x99, 0x83, 0x56, 0x01,
827 0xc0, 0x82, 0x40, 0x81, 0xd2, 0x48, 0x45, 0xf2, 0xcc, 0xc3,
828 };
829 if (!EVP_AEAD_CTX_open(&aead_ctx, output, &out_len, sizeof(output), nonce,
830 EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()),
831 kAESGCMDecCiphertext, sizeof(kAESGCMDecCiphertext),
832 NULL, 0) ||
833 !check_test(kAESGCMDecPlaintext, output, sizeof(kAESGCMDecPlaintext),
834 "AES-GCM-decrypt KAT")) {
835 fprintf(stderr,
836 "AES-GCM-decrypt KAT failed because EVP_AEAD_CTX_open failed.\n");
837 goto err;
838 }
839
840 // SHA-1 KAT
841 static const uint8_t kSHA1Input[16] = {
842 0x13, 0x2f, 0xd9, 0xba, 0xd5, 0xc1, 0x82, 0x62,
843 0x63, 0xba, 0xfb, 0xb6, 0x99, 0xf7, 0x07, 0xa5,
844 };
845 static const uint8_t kSHA1Digest[20] = {
846 0x94, 0x19, 0x55, 0x93, 0x0a, 0x58, 0x29, 0x38, 0xeb, 0xf5,
847 0x09, 0x11, 0x6d, 0x1a, 0xfd, 0x0f, 0x1e, 0x11, 0xe3, 0xcb,
848 };
849 SHA1(kSHA1Input, sizeof(kSHA1Input), output);
850 if (!check_test(kSHA1Digest, output, sizeof(kSHA1Digest),
851 "SHA-1 KAT")) {
852 goto err;
853 }
854
855 if (!boringssl_self_test_sha256() ||
856 !boringssl_self_test_sha512() ||
857 !boringssl_self_test_hmac_sha256()) {
858 goto err;
859 }
860
861 // DBRG KAT
862 static const uint8_t kDRBGEntropy[48] = {
863 0xc4, 0xda, 0x07, 0x40, 0xd5, 0x05, 0xf1, 0xee, 0x28, 0x0b, 0x95, 0xe5,
864 0x8c, 0x49, 0x31, 0xac, 0x6d, 0xe8, 0x46, 0xa0, 0x15, 0x2f, 0xbb, 0x4a,
865 0x3f, 0x17, 0x4c, 0xf4, 0x78, 0x7a, 0x4f, 0x1a, 0x40, 0xc2, 0xb5, 0x0b,
866 0xab, 0xe1, 0x4a, 0xae, 0x53, 0x0b, 0xe5, 0x88, 0x6d, 0x91, 0x0a, 0x27,
867 };
868 static const uint8_t kDRBGPersonalization[18] = "BCMPersonalization";
869 static const uint8_t kDRBGAD[16] = "BCM DRBG KAT AD ";
870 static const uint8_t kDRBGOutput[64] = {
871 0x19, 0x1f, 0x2b, 0x49, 0x76, 0x85, 0xfd, 0x51, 0xb6, 0x56, 0xbc,
872 0x1c, 0x7d, 0xd5, 0xdd, 0x44, 0x76, 0xa3, 0x5e, 0x17, 0x9b, 0x8e,
873 0xb8, 0x98, 0x65, 0x12, 0xca, 0x35, 0x6c, 0xa0, 0x6f, 0xa0, 0x22,
874 0xe4, 0xf6, 0xd8, 0x43, 0xed, 0x4e, 0x2d, 0x97, 0x39, 0x43, 0x3b,
875 0x57, 0xfc, 0x23, 0x3f, 0x71, 0x0a, 0xe0, 0xed, 0xfe, 0xd5, 0xb8,
876 0x67, 0x7a, 0x00, 0x39, 0xb2, 0x6e, 0xa9, 0x25, 0x97,
877 };
878 static const uint8_t kDRBGEntropy2[48] = {
879 0xc7, 0x16, 0x1c, 0xa3, 0x6c, 0x23, 0x09, 0xb7, 0x16, 0xe9, 0x85, 0x9b,
880 0xb9, 0x6c, 0x6d, 0x49, 0xbd, 0xc8, 0x35, 0x21, 0x03, 0xa1, 0x8c, 0xd2,
881 0x4e, 0xf4, 0x2e, 0xc9, 0x7e, 0xf4, 0x6b, 0xf4, 0x46, 0xeb, 0x1a, 0x45,
882 0x76, 0xc1, 0x86, 0xe9, 0x35, 0x18, 0x03, 0x76, 0x3a, 0x79, 0x12, 0xfe,
883 };
884 static const uint8_t kDRBGReseedOutput[64] = {
885 0x00, 0xf2, 0x05, 0xaa, 0xfd, 0x11, 0x6c, 0x77, 0xbc, 0x81, 0x86,
886 0x99, 0xca, 0x51, 0xcf, 0x80, 0x15, 0x9f, 0x02, 0x9e, 0x0b, 0xcd,
887 0x26, 0xc8, 0x4b, 0x87, 0x8a, 0x15, 0x1a, 0xdd, 0xf2, 0xf3, 0xeb,
888 0x94, 0x0b, 0x08, 0xc8, 0xc9, 0x57, 0xa4, 0x0b, 0x4b, 0x0f, 0x13,
889 0xde, 0x7c, 0x0c, 0x6a, 0xac, 0x34, 0x4a, 0x9a, 0xf2, 0xd0, 0x83,
890 0x02, 0x05, 0x17, 0xc9, 0x81, 0x8f, 0x2a, 0x81, 0x92,
891 };
892 CTR_DRBG_STATE drbg;
893 if (!CTR_DRBG_init(&drbg, kDRBGEntropy, kDRBGPersonalization,
894 sizeof(kDRBGPersonalization)) ||
895 !CTR_DRBG_generate(&drbg, output, sizeof(kDRBGOutput), kDRBGAD,
896 sizeof(kDRBGAD)) ||
897 !check_test(kDRBGOutput, output, sizeof(kDRBGOutput),
898 "DRBG Generate KAT") ||
899 !CTR_DRBG_reseed(&drbg, kDRBGEntropy2, kDRBGAD, sizeof(kDRBGAD)) ||
900 !CTR_DRBG_generate(&drbg, output, sizeof(kDRBGReseedOutput), kDRBGAD,
901 sizeof(kDRBGAD)) ||
902 !check_test(kDRBGReseedOutput, output, sizeof(kDRBGReseedOutput),
903 "DRBG-reseed KAT")) {
904 fprintf(stderr, "CTR-DRBG failed.\n");
905 goto err;
906 }
907 CTR_DRBG_clear(&drbg);
908
909 CTR_DRBG_STATE kZeroDRBG;
910 memset(&kZeroDRBG, 0, sizeof(kZeroDRBG));
911 if (!check_test(&kZeroDRBG, &drbg, sizeof(drbg), "DRBG Clear KAT")) {
912 goto err;
913 }
914
915 // TLS KDF KAT
916 static const char kTLSLabel[] = "FIPS self test";
917 static const uint8_t kTLSSeed1[16] = {
918 0x8f, 0x0d, 0xe8, 0xb6, 0x90, 0x8f, 0xb1, 0xd2,
919 0x6d, 0x51, 0xf4, 0x79, 0x18, 0x63, 0x51, 0x65,
920 };
921 static const uint8_t kTLSSeed2[16] = {
922 0x7d, 0x24, 0x1a, 0x9d, 0x3c, 0x59, 0xbf, 0x3c,
923 0x31, 0x1e, 0x2b, 0x21, 0x41, 0x8d, 0x32, 0x81,
924 };
925
926 static const uint8_t kTLS10Secret[32] = {
927 0xab, 0xc3, 0x65, 0x7b, 0x09, 0x4c, 0x76, 0x28, 0xa0, 0xb2, 0x82,
928 0x99, 0x6f, 0xe7, 0x5a, 0x75, 0xf4, 0x98, 0x4f, 0xd9, 0x4d, 0x4e,
929 0xcc, 0x2f, 0xcf, 0x53, 0xa2, 0xc4, 0x69, 0xa3, 0xf7, 0x31,
930 };
931 static const uint8_t kTLS10Output[32] = {
932 0x69, 0x7c, 0x4e, 0x2c, 0xee, 0x82, 0xb1, 0xd2, 0x8b, 0xac, 0x90,
933 0x7a, 0xa1, 0x8a, 0x81, 0xfe, 0xc5, 0x58, 0x45, 0x57, 0x61, 0x2f,
934 0x7a, 0x8d, 0x80, 0xfb, 0x44, 0xd8, 0x81, 0x60, 0xe5, 0xf8,
935 };
936 uint8_t tls10_output[sizeof(kTLS10Output)];
937 if (!CRYPTO_tls1_prf(EVP_md5_sha1(), tls10_output, sizeof(tls10_output),
938 kTLS10Secret, sizeof(kTLS10Secret), kTLSLabel,
939 sizeof(kTLSLabel), kTLSSeed1, sizeof(kTLSSeed1),
940 kTLSSeed2, sizeof(kTLSSeed2)) ||
941 !check_test(kTLS10Output, tls10_output, sizeof(kTLS10Output),
942 "TLS10-KDF KAT")) {
943 fprintf(stderr, "TLS KDF failed.\n");
944 goto err;
945 }
946
947 static const uint8_t kTLS12Secret[32] = {
948 0xc5, 0x43, 0x8e, 0xe2, 0x6f, 0xd4, 0xac, 0xbd, 0x25, 0x9f, 0xc9,
949 0x18, 0x55, 0xdc, 0x69, 0xbf, 0x88, 0x4e, 0xe2, 0x93, 0x22, 0xfc,
950 0xbf, 0xd2, 0x96, 0x6a, 0x46, 0x23, 0xd4, 0x2e, 0xc7, 0x81,
951 };
952 static const uint8_t kTLS12Output[32] = {
953 0xee, 0x4a, 0xcd, 0x3f, 0xa3, 0xd3, 0x55, 0x89, 0x9e, 0x6f, 0xf1,
954 0x38, 0x46, 0x9d, 0x2b, 0x33, 0xaa, 0x7f, 0xc4, 0x7f, 0x51, 0x85,
955 0x8a, 0xf3, 0x13, 0x84, 0xbf, 0x53, 0x6a, 0x65, 0x37, 0x51,
956 };
957 uint8_t tls12_output[sizeof(kTLS12Output)];
958 if (!CRYPTO_tls1_prf(EVP_sha256(), tls12_output, sizeof(tls12_output),
959 kTLS12Secret, sizeof(kTLS12Secret), kTLSLabel,
960 sizeof(kTLSLabel), kTLSSeed1, sizeof(kTLSSeed1),
961 kTLSSeed2, sizeof(kTLSSeed2)) ||
962 !check_test(kTLS12Output, tls12_output, sizeof(kTLS12Output),
963 "TLS12-KDF KAT")) {
964 fprintf(stderr, "TLS KDF failed.\n");
965 goto err;
966 }
967
968 // TLS v1.3: derives a dummy client-early-traffic secret.
969 static const uint8_t kTLS13Secret[32] = {
970 0x02, 0x4a, 0x0d, 0x80, 0xf3, 0x57, 0xf2, 0x49, 0x9a, 0x12, 0x44,
971 0xda, 0xc2, 0x6d, 0xab, 0x66, 0xfc, 0x13, 0xed, 0x85, 0xfc, 0xa7,
972 0x1d, 0xac, 0xe1, 0x46, 0x21, 0x11, 0x19, 0x52, 0x58, 0x74,
973 };
974 static const uint8_t kTLS13Salt[16] = {
975 0x54, 0x61, 0x11, 0x36, 0x75, 0x91, 0xf0, 0xf8,
976 0x92, 0xec, 0x70, 0xbd, 0x78, 0x2a, 0xef, 0x61,
977 };
978 static const uint8_t kTLS13Label[] = "c e traffic";
979 static const uint8_t kTLS13ClientHelloHash[32] = {
980 0x1d, 0xe8, 0x67, 0xed, 0x93, 0x6a, 0x73, 0x65, 0x9b, 0x05, 0xcf,
981 0x8a, 0x22, 0x77, 0xb7, 0x37, 0x29, 0xf2, 0x44, 0x94, 0x81, 0x6a,
982 0x83, 0x33, 0x7f, 0x09, 0xbb, 0x6c, 0xc2, 0x6f, 0x48, 0x9c,
983 };
984 static const uint8_t kTLS13ExpandLabelOutput[32] = {
985 0x62, 0x91, 0x52, 0x90, 0x2e, 0xc9, 0xcf, 0x9c, 0x5f, 0x1e, 0x0a,
986 0xb7, 0x00, 0x33, 0x42, 0x24, 0xc4, 0xe3, 0xba, 0x01, 0x40, 0x32,
987 0x06, 0xab, 0x09, 0x23, 0x8a, 0xdd, 0x01, 0xa4, 0x05, 0xcd,
988 };
989 uint8_t tls13_extract_output[32];
990 size_t tls13_extract_output_len;
991 uint8_t tls13_expand_label_output[32];
992 if (!HKDF_extract(tls13_extract_output, &tls13_extract_output_len,
993 EVP_sha256(), kTLS13Secret, sizeof(kTLS13Secret),
994 kTLS13Salt, sizeof(kTLS13Salt)) ||
995 tls13_extract_output_len != sizeof(tls13_extract_output) ||
996 !CRYPTO_tls13_hkdf_expand_label(
997 tls13_expand_label_output, sizeof(tls13_expand_label_output),
998 EVP_sha256(), tls13_extract_output, sizeof(tls13_extract_output),
999 kTLS13Label, sizeof(kTLS13Label) - 1, kTLS13ClientHelloHash,
1000 sizeof(kTLS13ClientHelloHash)) ||
1001 !check_test(kTLS13ExpandLabelOutput, tls13_expand_label_output,
1002 sizeof(kTLS13ExpandLabelOutput),
1003 "CRYPTO_tls13_hkdf_expand_label")) {
1004 fprintf(stderr, "TLS13-KDF failed.\n");
1005 goto err;
1006 }
1007
1008 // HKDF
1009 static const uint8_t kHKDFSecret[32] = {
1010 0x68, 0x67, 0x85, 0x04, 0xb9, 0xb3, 0xad, 0xd1, 0x7d, 0x59, 0x67,
1011 0xa1, 0xa7, 0xbd, 0x37, 0x99, 0x3f, 0xd8, 0xa3, 0x3c, 0xe7, 0x30,
1012 0x30, 0x71, 0xf3, 0x9c, 0x09, 0x6d, 0x16, 0x35, 0xb3, 0xc9,
1013 };
1014 static const uint8_t kHKDFSalt[32] = {
1015 0x8a, 0xab, 0x18, 0xb4, 0x9b, 0x0a, 0x17, 0xf9, 0xe8, 0xe6, 0x97,
1016 0x1a, 0x3d, 0xff, 0xda, 0x9b, 0x26, 0x8b, 0x3d, 0x17, 0x78, 0x0a,
1017 0xb3, 0xea, 0x65, 0xdb, 0x2a, 0xc0, 0x29, 0x9c, 0xfa, 0x72,
1018 };
1019 static const uint8_t kHKDFInfo[32] = {
1020 0xe5, 0x6f, 0xf9, 0xe1, 0x18, 0x5e, 0x64, 0x8c, 0x6c, 0x8f, 0xee,
1021 0xc6, 0x93, 0x5a, 0xc5, 0x14, 0x8c, 0xf3, 0xd9, 0x78, 0xd2, 0x3a,
1022 0x86, 0xdd, 0x01, 0xdf, 0xb9, 0xe9, 0x5e, 0xe5, 0x1a, 0x56,
1023 };
1024 static const uint8_t kHKDFOutput[32] = {
1025 0xa6, 0x29, 0xb4, 0xd7, 0xf4, 0xc1, 0x16, 0x64, 0x71, 0x5e, 0xa4,
1026 0xa8, 0xe6, 0x60, 0x8c, 0xf3, 0xc1, 0xa5, 0x03, 0xe2, 0x22, 0xf9,
1027 0x89, 0xe2, 0x12, 0x18, 0xbe, 0xef, 0x16, 0x86, 0xe0, 0xec,
1028 };
1029 uint8_t hkdf_output[sizeof(kHKDFOutput)];
1030 if (!HKDF(hkdf_output, sizeof(hkdf_output), EVP_sha256(), kHKDFSecret,
1031 sizeof(kHKDFSecret), kHKDFSalt, sizeof(kHKDFSalt), kHKDFInfo,
1032 sizeof(kHKDFInfo)) ||
1033 !check_test(kHKDFOutput, hkdf_output, sizeof(kHKDFOutput), "HKDF")) {
1034 fprintf(stderr, "HKDF failed.\n");
1035 goto err;
1036 }
1037
1038 ret = 1;
1039
1040 err:
1041 EVP_AEAD_CTX_cleanup(&aead_ctx);
1042
1043 return ret;
1044 }
1045
BORINGSSL_self_test(void)1046 int BORINGSSL_self_test(void) {
1047 if (!boringssl_self_test_fast() ||
1048 // When requested to run self tests, also run the lazy tests.
1049 !boringssl_self_test_rsa() ||
1050 !boringssl_self_test_ecc() ||
1051 !boringssl_self_test_ffdh()) {
1052 return 0;
1053 }
1054
1055 return 1;
1056 }
1057
1058 #if defined(BORINGSSL_FIPS)
boringssl_self_test_startup(void)1059 int boringssl_self_test_startup(void) {
1060 return boringssl_self_test_fast();
1061 }
1062 #endif
1063
1064 #endif // !_MSC_VER
1065