1 /* Copyright 2014 The BoringSSL Authors
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <stdint.h>
16 #include <stdio.h>
17 #include <string.h>
18
19 #include <memory>
20 #include <vector>
21
22 #include <gtest/gtest.h>
23
24 #include <openssl/asn1.h>
25 #include <openssl/bytestring.h>
26 #include <openssl/crypto.h>
27 #include <openssl/digest.h>
28 #include <openssl/err.h>
29 #include <openssl/md4.h>
30 #include <openssl/md5.h>
31 #include <openssl/nid.h>
32 #include <openssl/obj.h>
33 #include <openssl/sha.h>
34
35 #include "../internal.h"
36 #include "../test/test_util.h"
37
38
39 namespace {
40
41 struct MD {
42 // name is the name of the digest.
43 const char *name;
44 // md_func is the digest to test.
45 const EVP_MD *(*func)(void);
46 // one_shot_func is the convenience one-shot version of the
47 // digest.
48 uint8_t *(*one_shot_func)(const uint8_t *, size_t, uint8_t *);
49 };
50
51 static const MD md4 = {"MD4", &EVP_md4, nullptr};
52 static const MD md5 = {"MD5", &EVP_md5, &MD5};
53 static const MD sha1 = {"SHA1", &EVP_sha1, &SHA1};
54 static const MD sha224 = {"SHA224", &EVP_sha224, &SHA224};
55 static const MD sha256 = {"SHA256", &EVP_sha256, &SHA256};
56 static const MD sha384 = {"SHA384", &EVP_sha384, &SHA384};
57 static const MD sha512 = {"SHA512", &EVP_sha512, &SHA512};
58 static const MD sha512_256 = {"SHA512-256", &EVP_sha512_256, &SHA512_256};
59 static const MD md5_sha1 = {"MD5-SHA1", &EVP_md5_sha1, nullptr};
60 static const MD blake2b256 = {"BLAKE2b-256", &EVP_blake2b256, nullptr};
61
62 struct DigestTestVector {
63 // md is the digest to test.
64 const MD &md;
65 // input is a NUL-terminated string to hash.
66 const char *input;
67 // repeat is the number of times to repeat input.
68 size_t repeat;
69 // expected_hex is the expected digest in hexadecimal.
70 const char *expected_hex;
71 };
72
73 static const DigestTestVector kTestVectors[] = {
74 // MD4 tests, from RFC 1320. (crypto/md4 does not provide a
75 // one-shot MD4 function.)
76 {md4, "", 1, "31d6cfe0d16ae931b73c59d7e0c089c0"},
77 {md4, "a", 1, "bde52cb31de33e46245e05fbdbd6fb24"},
78 {md4, "abc", 1, "a448017aaf21d8525fc10ae87aa6729d"},
79 {md4, "message digest", 1, "d9130a8164549fe818874806e1c7014b"},
80 {md4, "abcdefghijklmnopqrstuvwxyz", 1, "d79e1c308aa5bbcdeea8ed63df412da9"},
81 {md4, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", 1,
82 "043f8582f241db351ce627e153e7f0e4"},
83 {md4, "1234567890", 8, "e33b4ddc9c38f2199c3e7b164fcc0536"},
84
85 // MD5 tests, from RFC 1321.
86 {md5, "", 1, "d41d8cd98f00b204e9800998ecf8427e"},
87 {md5, "a", 1, "0cc175b9c0f1b6a831c399e269772661"},
88 {md5, "abc", 1, "900150983cd24fb0d6963f7d28e17f72"},
89 {md5, "message digest", 1, "f96b697d7cb7938d525a2f31aaf161d0"},
90 {md5, "abcdefghijklmnopqrstuvwxyz", 1, "c3fcd3d76192e4007dfb496cca67e13b"},
91 {md5, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", 1,
92 "d174ab98d277d9f5a5611c2c9f419d9f"},
93 {md5, "1234567890", 8, "57edf4a22be3c955ac49da2e2107b67a"},
94
95 // SHA-1 tests, from RFC 3174.
96 {sha1, "abc", 1, "a9993e364706816aba3e25717850c26c9cd0d89d"},
97 {sha1, "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 1,
98 "84983e441c3bd26ebaae4aa1f95129e5e54670f1"},
99 {sha1, "a", 1000000, "34aa973cd4c4daa4f61eeb2bdbad27316534016f"},
100 {sha1, "0123456701234567012345670123456701234567012345670123456701234567",
101 10, "dea356a2cddd90c7a7ecedc5ebb563934f460452"},
102
103 // SHA-224 tests, from RFC 3874.
104 {sha224, "abc", 1,
105 "23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7"},
106 {sha224, "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 1,
107 "75388b16512776cc5dba5da1fd890150b0c6455cb4f58b1952522525"},
108 {sha224, "a", 1000000,
109 "20794655980c91d8bbb4c1ea97618a4bf03f42581948b2ee4ee7ad67"},
110
111 // SHA-256 tests, from NIST.
112 {sha256, "abc", 1,
113 "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"},
114 {sha256, "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 1,
115 "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1"},
116
117 // SHA-384 tests, from NIST.
118 {sha384, "abc", 1,
119 "cb00753f45a35e8bb5a03d699ac65007272c32ab0eded1631a8b605a43ff5bed"
120 "8086072ba1e7cc2358baeca134c825a7"},
121 {sha384,
122 "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
123 "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
124 1,
125 "09330c33f71147e83d192fc782cd1b4753111b173b3b05d22fa08086e3b0f712"
126 "fcc7c71a557e2db966c3e9fa91746039"},
127
128 // SHA-512 tests, from NIST.
129 {sha512, "abc", 1,
130 "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
131 "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"},
132 {sha512,
133 "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
134 "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
135 1,
136 "8e959b75dae313da8cf4f72814fc143f8f7779c6eb9f7fa17299aeadb6889018"
137 "501d289e4900f7e4331b99dec4b5433ac7d329eeb6dd26545e96e55b874be909"},
138
139 // SHA-512-256 tests, from
140 // https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/examples/sha512_256.pdf
141 {sha512_256, "abc", 1,
142 "53048e2681941ef99b2e29b76b4c7dabe4c2d0c634fc6d46e0e2f13107e7af23"},
143 {sha512_256,
144 "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopj"
145 "klmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
146 1, "3928e184fb8690f840da3988121d31be65cb9d3ef83ee6146feac861e19b563a"},
147
148 // MD5-SHA1 tests.
149 {md5_sha1, "abc", 1,
150 "900150983cd24fb0d6963f7d28e17f72a9993e364706816aba3e25717850c26c9cd0d89"
151 "d"},
152
153 // BLAKE2b-256 tests.
154 {blake2b256, "abc", 1,
155 "bddd813c634239723171ef3fee98579b94964e3bb1cb3e427262c8c068d52319"},
156 };
157
CompareDigest(const DigestTestVector * test,const uint8_t * digest,size_t digest_len)158 static void CompareDigest(const DigestTestVector *test, const uint8_t *digest,
159 size_t digest_len) {
160 EXPECT_EQ(test->expected_hex,
161 EncodeHex(bssl::MakeConstSpan(digest, digest_len)));
162 }
163
TestDigest(const DigestTestVector * test)164 static void TestDigest(const DigestTestVector *test) {
165 bssl::ScopedEVP_MD_CTX ctx;
166
167 // Test the input provided.
168 ASSERT_TRUE(EVP_DigestInit_ex(ctx.get(), test->md.func(), nullptr));
169 for (size_t i = 0; i < test->repeat; i++) {
170 ASSERT_TRUE(EVP_DigestUpdate(ctx.get(), test->input, strlen(test->input)));
171 }
172 auto digest = std::make_unique<uint8_t[]>(EVP_MD_size(test->md.func()));
173 unsigned digest_len;
174 ASSERT_TRUE(EVP_DigestFinal_ex(ctx.get(), digest.get(), &digest_len));
175 CompareDigest(test, digest.get(), digest_len);
176
177 // Test the input one character at a time.
178 ASSERT_TRUE(EVP_DigestInit_ex(ctx.get(), test->md.func(), nullptr));
179 ASSERT_TRUE(EVP_DigestUpdate(ctx.get(), nullptr, 0));
180 for (size_t i = 0; i < test->repeat; i++) {
181 for (const char *p = test->input; *p; p++) {
182 ASSERT_TRUE(EVP_DigestUpdate(ctx.get(), p, 1));
183 }
184 }
185 ASSERT_TRUE(EVP_DigestFinal_ex(ctx.get(), digest.get(), &digest_len));
186 EXPECT_EQ(EVP_MD_size(test->md.func()), digest_len);
187 CompareDigest(test, digest.get(), digest_len);
188
189 // Test with unaligned input.
190 ASSERT_TRUE(EVP_DigestInit_ex(ctx.get(), test->md.func(), nullptr));
191 std::vector<char> unaligned(strlen(test->input) + 1);
192 char *ptr = unaligned.data();
193 if ((reinterpret_cast<uintptr_t>(ptr) & 1) == 0) {
194 ptr++;
195 }
196 OPENSSL_memcpy(ptr, test->input, strlen(test->input));
197 for (size_t i = 0; i < test->repeat; i++) {
198 ASSERT_TRUE(EVP_DigestUpdate(ctx.get(), ptr, strlen(test->input)));
199 }
200 ASSERT_TRUE(EVP_DigestFinal_ex(ctx.get(), digest.get(), &digest_len));
201 CompareDigest(test, digest.get(), digest_len);
202
203 // Make a copy of the digest in the initial state.
204 ASSERT_TRUE(EVP_DigestInit_ex(ctx.get(), test->md.func(), nullptr));
205 bssl::ScopedEVP_MD_CTX copy;
206 ASSERT_TRUE(EVP_MD_CTX_copy_ex(copy.get(), ctx.get()));
207 for (size_t i = 0; i < test->repeat; i++) {
208 ASSERT_TRUE(EVP_DigestUpdate(copy.get(), test->input, strlen(test->input)));
209 }
210 ASSERT_TRUE(EVP_DigestFinal_ex(copy.get(), digest.get(), &digest_len));
211 CompareDigest(test, digest.get(), digest_len);
212
213 // Make a copy of the digest with half the input provided.
214 size_t half = strlen(test->input) / 2;
215 ASSERT_TRUE(EVP_DigestUpdate(ctx.get(), test->input, half));
216 ASSERT_TRUE(EVP_MD_CTX_copy_ex(copy.get(), ctx.get()));
217 ASSERT_TRUE(EVP_DigestUpdate(copy.get(), test->input + half,
218 strlen(test->input) - half));
219 for (size_t i = 1; i < test->repeat; i++) {
220 ASSERT_TRUE(EVP_DigestUpdate(copy.get(), test->input, strlen(test->input)));
221 }
222 ASSERT_TRUE(EVP_DigestFinal_ex(copy.get(), digest.get(), &digest_len));
223 CompareDigest(test, digest.get(), digest_len);
224
225 // Move the digest from the initial state.
226 ASSERT_TRUE(EVP_DigestInit_ex(ctx.get(), test->md.func(), nullptr));
227 copy = std::move(ctx);
228 for (size_t i = 0; i < test->repeat; i++) {
229 ASSERT_TRUE(EVP_DigestUpdate(copy.get(), test->input, strlen(test->input)));
230 }
231 ASSERT_TRUE(EVP_DigestFinal_ex(copy.get(), digest.get(), &digest_len));
232 CompareDigest(test, digest.get(), digest_len);
233
234 // Move the digest with half the input provided.
235 ASSERT_TRUE(EVP_DigestInit_ex(ctx.get(), test->md.func(), nullptr));
236 ASSERT_TRUE(EVP_DigestUpdate(ctx.get(), test->input, half));
237 copy = std::move(ctx);
238 ASSERT_TRUE(EVP_DigestUpdate(copy.get(), test->input + half,
239 strlen(test->input) - half));
240 for (size_t i = 1; i < test->repeat; i++) {
241 ASSERT_TRUE(EVP_DigestUpdate(copy.get(), test->input, strlen(test->input)));
242 }
243 ASSERT_TRUE(EVP_DigestFinal_ex(copy.get(), digest.get(), &digest_len));
244 CompareDigest(test, digest.get(), digest_len);
245
246 // Test the one-shot function.
247 if (test->md.one_shot_func && test->repeat == 1) {
248 uint8_t *out = test->md.one_shot_func((const uint8_t *)test->input,
249 strlen(test->input), digest.get());
250 // One-shot functions return their supplied buffers.
251 EXPECT_EQ(digest.get(), out);
252 CompareDigest(test, digest.get(), EVP_MD_size(test->md.func()));
253 }
254 }
255
TEST(DigestTest,TestVectors)256 TEST(DigestTest, TestVectors) {
257 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kTestVectors); i++) {
258 SCOPED_TRACE(i);
259 TestDigest(&kTestVectors[i]);
260 }
261 }
262
TEST(DigestTest,Getters)263 TEST(DigestTest, Getters) {
264 EXPECT_EQ(EVP_sha512(), EVP_get_digestbyname("RSA-SHA512"));
265 EXPECT_EQ(EVP_sha512(), EVP_get_digestbyname("sha512WithRSAEncryption"));
266 EXPECT_EQ(nullptr, EVP_get_digestbyname("nonsense"));
267 EXPECT_EQ(EVP_sha512(), EVP_get_digestbyname("SHA512"));
268 EXPECT_EQ(EVP_sha512(), EVP_get_digestbyname("sha512"));
269
270 EXPECT_EQ(EVP_sha512(), EVP_get_digestbynid(NID_sha512));
271 EXPECT_EQ(nullptr, EVP_get_digestbynid(NID_sha512WithRSAEncryption));
272 EXPECT_EQ(nullptr, EVP_get_digestbynid(NID_undef));
273
274 bssl::UniquePtr<ASN1_OBJECT> obj(OBJ_txt2obj("1.3.14.3.2.26", 0));
275 ASSERT_TRUE(obj);
276 EXPECT_EQ(EVP_sha1(), EVP_get_digestbyobj(obj.get()));
277 EXPECT_EQ(EVP_md5_sha1(), EVP_get_digestbyobj(OBJ_nid2obj(NID_md5_sha1)));
278 EXPECT_EQ(EVP_sha1(), EVP_get_digestbyobj(OBJ_nid2obj(NID_sha1)));
279 }
280
TEST(DigestTest,ASN1)281 TEST(DigestTest, ASN1) {
282 bssl::ScopedCBB cbb;
283 ASSERT_TRUE(CBB_init(cbb.get(), 0));
284 EXPECT_FALSE(EVP_marshal_digest_algorithm(cbb.get(), EVP_md5_sha1()));
285
286 static const uint8_t kSHA256[] = {0x30, 0x0d, 0x06, 0x09, 0x60,
287 0x86, 0x48, 0x01, 0x65, 0x03,
288 0x04, 0x02, 0x01, 0x05, 0x00};
289 static const uint8_t kSHA256NoParam[] = {0x30, 0x0b, 0x06, 0x09, 0x60,
290 0x86, 0x48, 0x01, 0x65, 0x03,
291 0x04, 0x02, 0x01};
292 static const uint8_t kSHA256GarbageParam[] = {
293 0x30, 0x0e, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
294 0x65, 0x03, 0x04, 0x02, 0x01, 0x02, 0x01, 0x2a};
295
296 // Serialize SHA-256.
297 cbb.Reset();
298 ASSERT_TRUE(CBB_init(cbb.get(), 0));
299 ASSERT_TRUE(EVP_marshal_digest_algorithm(cbb.get(), EVP_sha256()));
300 uint8_t *der;
301 size_t der_len;
302 ASSERT_TRUE(CBB_finish(cbb.get(), &der, &der_len));
303 bssl::UniquePtr<uint8_t> free_der(der);
304 EXPECT_EQ(Bytes(kSHA256), Bytes(der, der_len));
305
306 // Parse SHA-256.
307 CBS cbs;
308 CBS_init(&cbs, kSHA256, sizeof(kSHA256));
309 EXPECT_EQ(EVP_sha256(), EVP_parse_digest_algorithm(&cbs));
310 EXPECT_EQ(0u, CBS_len(&cbs));
311
312 // Missing parameters are tolerated for compatibility.
313 CBS_init(&cbs, kSHA256NoParam, sizeof(kSHA256NoParam));
314 EXPECT_EQ(EVP_sha256(), EVP_parse_digest_algorithm(&cbs));
315 EXPECT_EQ(0u, CBS_len(&cbs));
316
317 // Garbage parameters are not.
318 CBS_init(&cbs, kSHA256GarbageParam, sizeof(kSHA256GarbageParam));
319 EXPECT_FALSE(EVP_parse_digest_algorithm(&cbs));
320 }
321
TEST(DigestTest,TransformBlocks)322 TEST(DigestTest, TransformBlocks) {
323 uint8_t blocks[SHA256_CBLOCK * 10];
324 for (size_t i = 0; i < sizeof(blocks); i++) {
325 blocks[i] = i * 3;
326 }
327
328 SHA256_CTX ctx1;
329 SHA256_Init(&ctx1);
330 SHA256_Update(&ctx1, blocks, sizeof(blocks));
331
332 SHA256_CTX ctx2;
333 SHA256_Init(&ctx2);
334 SHA256_TransformBlocks(ctx2.h, blocks, sizeof(blocks) / SHA256_CBLOCK);
335
336 EXPECT_TRUE(0 == OPENSSL_memcmp(ctx1.h, ctx2.h, sizeof(ctx1.h)));
337 }
338
339 } // namespace
340