1/* Copyright 2017 The BoringSSL Authors 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15#include <openssl/crypto.h> 16 17#include <stdio.h> 18#include <stdlib.h> 19 20#include <openssl/aead.h> 21#include <openssl/aes.h> 22#include <openssl/bn.h> 23#include <openssl/ctrdrbg.h> 24#include <openssl/dh.h> 25#include <openssl/digest.h> 26#include <openssl/ec.h> 27#include <openssl/ec_key.h> 28#include <openssl/ecdsa.h> 29#include <openssl/hkdf.h> 30#include <openssl/hmac.h> 31#include <openssl/nid.h> 32#include <openssl/rsa.h> 33#include <openssl/sha.h> 34 35#include "../../bcm_support.h" 36#include "../../internal.h" 37#include "../delocate.h" 38#include "../dh/internal.h" 39#include "../ec/internal.h" 40#include "../ecdsa/internal.h" 41#include "../rand/internal.h" 42#include "../rsa/internal.h" 43#include "../service_indicator/internal.h" 44#include "../tls/internal.h" 45 46 47static void hexdump(FILE *out, const void *in, size_t len) { 48 const uint8_t *in8 = reinterpret_cast<const uint8_t *>(in); 49 for (size_t i = 0; i < len; i++) { 50 fprintf(out, "%02x", in8[i]); 51 } 52} 53 54int BORINGSSL_check_test(const void *expected, const void *actual, 55 size_t expected_len, const char *name) { 56 if (OPENSSL_memcmp(actual, expected, expected_len) != 0) { 57 FILE *err = CRYPTO_get_stderr(); 58 fprintf(err, "%s failed.\nExpected: ", name); 59 hexdump(err, expected, expected_len); 60 fprintf(err, "\nCalculated: "); 61 hexdump(err, actual, expected_len); 62 fprintf(err, "\n"); 63 fflush(err); 64 return 0; 65 } 66 return 1; 67} 68 69// MSVC wants to put a NUL byte at the end of non-char arrays and so cannot 70// compile the real logic. 71#if defined(_MSC_VER) 72 73int BORINGSSL_self_test(void) { return 0; } 74 75#else 76 77static int set_bignum(BIGNUM **out, const uint8_t *in, size_t len) { 78 *out = BN_bin2bn(in, len, NULL); 79 return *out != NULL; 80} 81 82static RSA *self_test_rsa_key(void) { 83 static const uint8_t kN[] = { 84 0xd3, 0x3a, 0x62, 0x9f, 0x07, 0x77, 0xb0, 0x18, 0xf3, 0xff, 0xfe, 0xcc, 85 0xc9, 0xa2, 0xc2, 0x3a, 0xa6, 0x1d, 0xd8, 0xf0, 0x26, 0x5b, 0x38, 0x90, 86 0x17, 0x48, 0x15, 0xce, 0x21, 0xcd, 0xd6, 0x62, 0x99, 0xe2, 0xd7, 0xda, 87 0x40, 0x80, 0x3c, 0xad, 0x18, 0xb7, 0x26, 0xe9, 0x30, 0x8a, 0x23, 0x3f, 88 0x68, 0x9a, 0x9c, 0x31, 0x34, 0x91, 0x99, 0x06, 0x11, 0x36, 0xb2, 0x9e, 89 0x3a, 0xd0, 0xbc, 0xb9, 0x93, 0x4e, 0xb8, 0x72, 0xa1, 0x9f, 0xb6, 0x8c, 90 0xd5, 0x17, 0x1f, 0x7e, 0xaa, 0x75, 0xbb, 0xdf, 0xa1, 0x70, 0x48, 0xc4, 91 0xec, 0x9a, 0x51, 0xed, 0x41, 0xc9, 0x74, 0xc0, 0x3e, 0x1e, 0x85, 0x2f, 92 0xbe, 0x34, 0xc7, 0x65, 0x34, 0x8b, 0x4d, 0x55, 0x4b, 0xe1, 0x45, 0x54, 93 0x0d, 0x75, 0x7e, 0x89, 0x4d, 0x0c, 0xf6, 0x33, 0xe5, 0xfc, 0xfb, 0x56, 94 0x1b, 0xf2, 0x39, 0x9d, 0xe0, 0xff, 0x55, 0xcf, 0x02, 0x05, 0xb9, 0x74, 95 0xd2, 0x91, 0xfc, 0x87, 0xe1, 0xbb, 0x97, 0x2a, 0xe4, 0xdd, 0x20, 0xc0, 96 0x38, 0x47, 0xc0, 0x76, 0x3f, 0xa1, 0x9b, 0x5c, 0x20, 0xff, 0xff, 0xc7, 97 0x49, 0x3b, 0x4c, 0xaf, 0x99, 0xa6, 0x3e, 0x82, 0x5c, 0x58, 0x27, 0xce, 98 0x01, 0x03, 0xc3, 0x16, 0x35, 0x20, 0xe9, 0xf0, 0x15, 0x7a, 0x41, 0xd5, 99 0x1f, 0x52, 0xea, 0xdf, 0xad, 0x4c, 0xbb, 0x0d, 0xcb, 0x04, 0x91, 0xb0, 100 0x95, 0xa8, 0xce, 0x25, 0xfd, 0xd2, 0x62, 0x47, 0x77, 0xee, 0x13, 0xf1, 101 0x48, 0x72, 0x9e, 0xd9, 0x2d, 0xe6, 0x5f, 0xa4, 0xc6, 0x9e, 0x5a, 0xb2, 102 0xc6, 0xa2, 0xf7, 0x0a, 0x16, 0x17, 0xae, 0x6b, 0x1c, 0x30, 0x7c, 0x63, 103 0x08, 0x83, 0xe7, 0x43, 0xec, 0x54, 0x5e, 0x2c, 0x08, 0x0b, 0x5e, 0x46, 104 0xa7, 0x10, 0x93, 0x43, 0x53, 0x4e, 0xe3, 0x16, 0x73, 0x55, 0xce, 0xf2, 105 0x94, 0xc0, 0xbe, 0xb3, 106 }; 107 static const uint8_t kE[] = {0x01, 0x00, 0x01}; // 65537 108 static const uint8_t kD[] = { 109 0x2f, 0x2c, 0x1e, 0xd2, 0x3d, 0x2c, 0xb1, 0x9b, 0x21, 0x02, 0xce, 0xb8, 110 0x95, 0x5f, 0x4f, 0xd9, 0x21, 0x38, 0x11, 0x36, 0xb0, 0x9a, 0x36, 0xab, 111 0x97, 0x47, 0x75, 0xf7, 0x2e, 0xfd, 0x75, 0x1f, 0x58, 0x16, 0x9c, 0xf6, 112 0x14, 0xe9, 0x8e, 0xa3, 0x69, 0x9d, 0x9d, 0x86, 0xfe, 0x5c, 0x1b, 0x3b, 113 0x11, 0xf5, 0x55, 0x64, 0x77, 0xc4, 0xfc, 0x53, 0xaa, 0x8c, 0x78, 0x9f, 114 0x75, 0xab, 0x20, 0x3a, 0xa1, 0x77, 0x37, 0x22, 0x02, 0x8e, 0x54, 0x8a, 115 0x67, 0x1c, 0x5e, 0xe0, 0x3e, 0xd9, 0x44, 0x37, 0xd1, 0x29, 0xee, 0x56, 116 0x6c, 0x30, 0x9a, 0x93, 0x4d, 0xd9, 0xdb, 0xc5, 0x03, 0x1a, 0x75, 0xcc, 117 0x0f, 0xc2, 0x61, 0xb5, 0x6c, 0x62, 0x9f, 0xc6, 0xa8, 0xc7, 0x8a, 0x60, 118 0x17, 0x11, 0x62, 0x4c, 0xef, 0x74, 0x31, 0x97, 0xad, 0x89, 0x2d, 0xe8, 119 0x31, 0x1d, 0x8b, 0x58, 0x82, 0xe3, 0x03, 0x1a, 0x6b, 0xdf, 0x3f, 0x3e, 120 0xa4, 0x27, 0x19, 0xef, 0x46, 0x7a, 0x90, 0xdf, 0xa7, 0xe7, 0xc9, 0x66, 121 0xab, 0x41, 0x1d, 0x65, 0x78, 0x1c, 0x18, 0x40, 0x5c, 0xd6, 0x87, 0xb5, 122 0xea, 0x29, 0x44, 0xb3, 0xf5, 0xb3, 0xd2, 0x4f, 0xce, 0x88, 0x78, 0x49, 123 0x27, 0x4e, 0x0b, 0x30, 0x85, 0xfb, 0x73, 0xfd, 0x8b, 0x32, 0x15, 0xee, 124 0x1f, 0xc9, 0x0e, 0x89, 0xb9, 0x43, 0x2f, 0xe9, 0x60, 0x8d, 0xda, 0xae, 125 0x2b, 0x30, 0x99, 0xee, 0x88, 0x81, 0x20, 0x7b, 0x4a, 0xc3, 0x18, 0xf2, 126 0x94, 0x02, 0x79, 0x94, 0xaa, 0x65, 0xd9, 0x1b, 0x45, 0x2a, 0xac, 0x6e, 127 0x30, 0x48, 0x57, 0xea, 0xbe, 0x79, 0x7d, 0xfc, 0x67, 0xaa, 0x47, 0xc0, 128 0xf7, 0x52, 0xfd, 0x0b, 0x63, 0x4e, 0x3d, 0x2e, 0xcc, 0x36, 0xa0, 0xdb, 129 0x92, 0x0b, 0xa9, 0x1b, 0xeb, 0xc2, 0xd5, 0x08, 0xd3, 0x85, 0x87, 0xf8, 130 0x5d, 0x1a, 0xf6, 0xc1, 131 }; 132 static const uint8_t kP[] = { 133 0xf7, 0x06, 0xa3, 0x98, 0x8a, 0x52, 0xf8, 0x63, 0x68, 0x27, 0x4f, 0x68, 134 0x7f, 0x34, 0xec, 0x8e, 0x5d, 0xf8, 0x30, 0x92, 0xb3, 0x62, 0x4c, 0xeb, 135 0xdb, 0x19, 0x6b, 0x09, 0xc5, 0xa3, 0xf0, 0xbb, 0xff, 0x0f, 0xc2, 0xd4, 136 0x9b, 0xc9, 0x54, 0x4f, 0xb9, 0xf9, 0xe1, 0x4c, 0xf0, 0xe3, 0x4c, 0x90, 137 0xda, 0x7a, 0x01, 0xc2, 0x9f, 0xc4, 0xc8, 0x8e, 0xb1, 0x1e, 0x93, 0x75, 138 0x75, 0xc6, 0x13, 0x25, 0xc3, 0xee, 0x3b, 0xcc, 0xb8, 0x72, 0x6c, 0x49, 139 0xb0, 0x09, 0xfb, 0xab, 0x44, 0xeb, 0x4d, 0x40, 0xf0, 0x61, 0x6b, 0xe5, 140 0xe6, 0xfe, 0x3e, 0x0a, 0x77, 0x26, 0x39, 0x76, 0x3d, 0x4c, 0x3e, 0x9b, 141 0x5b, 0xc0, 0xaf, 0xa2, 0x58, 0x76, 0xb0, 0xe9, 0xda, 0x7f, 0x0e, 0x78, 142 0xc9, 0x76, 0x49, 0x5c, 0xfa, 0xb3, 0xb0, 0x15, 0x4b, 0x41, 0xc7, 0x27, 143 0xa4, 0x75, 0x28, 0x5c, 0x30, 0x69, 0x50, 0x29, 144 }; 145 static const uint8_t kQ[] = { 146 0xda, 0xe6, 0xd2, 0xbb, 0x44, 0xff, 0x4f, 0xdf, 0x57, 0xc1, 0x11, 0xa3, 147 0x51, 0xba, 0x17, 0x89, 0x4c, 0x01, 0xc0, 0x0c, 0x97, 0x34, 0x50, 0xcf, 148 0x32, 0x1e, 0xc0, 0xbd, 0x7b, 0x35, 0xb5, 0x6a, 0x26, 0xcc, 0xea, 0x4c, 149 0x8e, 0x87, 0x4a, 0x67, 0x8b, 0xd3, 0xe5, 0x4f, 0x3a, 0x60, 0x48, 0x59, 150 0x04, 0x93, 0x39, 0xd7, 0x7c, 0xfb, 0x19, 0x1a, 0x34, 0xd5, 0xe8, 0xaf, 151 0xe7, 0x22, 0x2c, 0x0d, 0xc2, 0x91, 0x69, 0xb6, 0xe9, 0x2a, 0xe9, 0x1c, 152 0x4c, 0x6e, 0x8f, 0x40, 0xf5, 0xa8, 0x3e, 0x82, 0x69, 0x69, 0xbe, 0x9f, 153 0x7d, 0x5c, 0x7f, 0x92, 0x78, 0x17, 0xa3, 0x6d, 0x41, 0x2d, 0x72, 0xed, 154 0x3f, 0x71, 0xfa, 0x97, 0xb4, 0x63, 0xe4, 0x4f, 0xd9, 0x46, 0x03, 0xfb, 155 0x00, 0xeb, 0x30, 0x70, 0xb9, 0x51, 0xd9, 0x0a, 0xd2, 0xf8, 0x50, 0xd4, 156 0xfb, 0x43, 0x84, 0xf8, 0xac, 0x58, 0xc3, 0x7b, 157 }; 158 static const uint8_t kDModPMinusOne[] = { 159 0xf5, 0x50, 0x8f, 0x88, 0x7d, 0xdd, 0xb5, 0xb4, 0x2a, 0x8b, 0xd7, 0x4d, 160 0x23, 0xfe, 0xaf, 0xe9, 0x16, 0x22, 0xd2, 0x41, 0xed, 0x88, 0xf2, 0x70, 161 0xcb, 0x4d, 0xeb, 0xc1, 0x71, 0x97, 0xc4, 0x0b, 0x3e, 0x5a, 0x2d, 0x96, 162 0xab, 0xfa, 0xfd, 0x12, 0x8b, 0xd3, 0x3e, 0x4e, 0x05, 0x6f, 0x04, 0xeb, 163 0x59, 0x3c, 0x0e, 0xa1, 0x73, 0xbe, 0x9d, 0x99, 0x2f, 0x05, 0xf9, 0x54, 164 0x8d, 0x98, 0x1e, 0x0d, 0xc4, 0x0c, 0xc3, 0x30, 0x23, 0xff, 0xe5, 0xd0, 165 0x2b, 0xd5, 0x4e, 0x2b, 0xa0, 0xae, 0xb8, 0x32, 0x84, 0x45, 0x8b, 0x3c, 166 0x6d, 0xf0, 0x10, 0x36, 0x9e, 0x6a, 0xc4, 0x67, 0xca, 0xa9, 0xfc, 0x06, 167 0x96, 0xd0, 0xbc, 0xda, 0xd1, 0x55, 0x55, 0x8d, 0x77, 0x21, 0xf4, 0x82, 168 0x39, 0x37, 0x91, 0xd5, 0x97, 0x56, 0x78, 0xc8, 0x3c, 0xcb, 0x5e, 0xf6, 169 0xdc, 0x58, 0x48, 0xb3, 0x7c, 0x94, 0x29, 0x39, 170 }; 171 static const uint8_t kDModQMinusOne[] = { 172 0x64, 0x65, 0xbd, 0x7d, 0x1a, 0x96, 0x26, 0xa1, 0xfe, 0xf3, 0x94, 0x0d, 173 0x5d, 0xec, 0x85, 0xe2, 0xf8, 0xb3, 0x4c, 0xcb, 0xf9, 0x85, 0x8b, 0x12, 174 0x9c, 0xa0, 0x32, 0x32, 0x35, 0x92, 0x5a, 0x94, 0x47, 0x1b, 0x70, 0xd2, 175 0x90, 0x04, 0x49, 0x01, 0xd8, 0xc5, 0xe4, 0xc4, 0x43, 0xb7, 0xe9, 0x36, 176 0xba, 0xbc, 0x73, 0xa8, 0xfb, 0xaf, 0x86, 0xc1, 0xd8, 0x3d, 0xcb, 0xac, 177 0xf1, 0xcb, 0x60, 0x7d, 0x27, 0x21, 0xde, 0x64, 0x7f, 0xe8, 0xa8, 0x65, 178 0xcc, 0x40, 0x60, 0xff, 0xa0, 0x2b, 0xfc, 0x0f, 0x80, 0x1d, 0x79, 0xca, 179 0x58, 0x8a, 0xd6, 0x0f, 0xed, 0x78, 0x9a, 0x02, 0x00, 0x04, 0xc2, 0x53, 180 0x41, 0xe8, 0x1a, 0xd0, 0xfd, 0x71, 0x5b, 0x43, 0xac, 0x19, 0x4a, 0xb6, 181 0x12, 0xa3, 0xcb, 0xe1, 0xc7, 0x7d, 0x5c, 0x98, 0x74, 0x4e, 0x63, 0x74, 182 0x6b, 0x91, 0x7a, 0x29, 0x3b, 0x92, 0xb2, 0x85, 183 }; 184 static const uint8_t kQInverseModP[] = { 185 0xd0, 0xde, 0x19, 0xda, 0x1e, 0xa2, 0xd8, 0x8f, 0x1c, 0x92, 0x73, 0xb0, 186 0xc9, 0x90, 0xc7, 0xf5, 0xec, 0xc5, 0x89, 0x01, 0x05, 0x78, 0x11, 0x2d, 187 0x74, 0x34, 0x44, 0xad, 0xd5, 0xf7, 0xa4, 0xfe, 0x9f, 0x25, 0x4d, 0x0b, 188 0x92, 0xe3, 0xb8, 0x7d, 0xd3, 0xfd, 0xa5, 0xca, 0x95, 0x60, 0xa3, 0xf9, 189 0x55, 0x42, 0x14, 0xb2, 0x45, 0x51, 0x9f, 0x73, 0x88, 0x43, 0x8a, 0xd1, 190 0x65, 0x9e, 0xd1, 0xf7, 0x82, 0x2a, 0x2a, 0x8d, 0x70, 0x56, 0xe3, 0xef, 191 0xc9, 0x0e, 0x2a, 0x2c, 0x15, 0xaf, 0x7f, 0x97, 0x81, 0x66, 0xf3, 0xb5, 192 0x00, 0xa9, 0x26, 0xcc, 0x1e, 0xc2, 0x98, 0xdd, 0xd3, 0x37, 0x06, 0x79, 193 0xb3, 0x60, 0x58, 0x79, 0x99, 0x3f, 0xa3, 0x15, 0x1f, 0x31, 0xe3, 0x11, 194 0x88, 0x4c, 0x35, 0x57, 0xfa, 0x79, 0xd7, 0xd8, 0x72, 0xee, 0x73, 0x95, 195 0x89, 0x29, 0xc7, 0x05, 0x27, 0x68, 0x90, 0x15, 196 }; 197 198 RSA *rsa = RSA_new(); 199 if (rsa == NULL || // 200 !set_bignum(&rsa->n, kN, sizeof(kN)) || 201 !set_bignum(&rsa->e, kE, sizeof(kE)) || 202 !set_bignum(&rsa->d, kD, sizeof(kD)) || 203 !set_bignum(&rsa->p, kP, sizeof(kP)) || 204 !set_bignum(&rsa->q, kQ, sizeof(kQ)) || 205 !set_bignum(&rsa->dmp1, kDModPMinusOne, sizeof(kDModPMinusOne)) || 206 !set_bignum(&rsa->dmq1, kDModQMinusOne, sizeof(kDModQMinusOne)) || 207 !set_bignum(&rsa->iqmp, kQInverseModP, sizeof(kQInverseModP))) { 208 RSA_free(rsa); 209 return NULL; 210 } 211 212 return rsa; 213} 214 215static EC_KEY *self_test_ecdsa_key(void) { 216 static const uint8_t kQx[] = { 217 0xc8, 0x15, 0x61, 0xec, 0xf2, 0xe5, 0x4e, 0xde, 0xfe, 0x66, 0x17, 218 0xdb, 0x1c, 0x7a, 0x34, 0xa7, 0x07, 0x44, 0xdd, 0xb2, 0x61, 0xf2, 219 0x69, 0xb8, 0x3d, 0xac, 0xfc, 0xd2, 0xad, 0xe5, 0xa6, 0x81, 220 }; 221 static const uint8_t kQy[] = { 222 0xe0, 0xe2, 0xaf, 0xa3, 0xf9, 0xb6, 0xab, 0xe4, 0xc6, 0x98, 0xef, 223 0x64, 0x95, 0xf1, 0xbe, 0x49, 0xa3, 0x19, 0x6c, 0x50, 0x56, 0xac, 224 0xb3, 0x76, 0x3f, 0xe4, 0x50, 0x7e, 0xec, 0x59, 0x6e, 0x88, 225 }; 226 static const uint8_t kD[] = { 227 0xc6, 0xc1, 0xaa, 0xda, 0x15, 0xb0, 0x76, 0x61, 0xf8, 0x14, 0x2c, 228 0x6c, 0xaf, 0x0f, 0xdb, 0x24, 0x1a, 0xff, 0x2e, 0xfe, 0x46, 0xc0, 229 0x93, 0x8b, 0x74, 0xf2, 0xbc, 0xc5, 0x30, 0x52, 0xb0, 0x77, 230 }; 231 232 EC_KEY *ec_key = EC_KEY_new(); 233 BIGNUM *qx = BN_bin2bn(kQx, sizeof(kQx), NULL); 234 BIGNUM *qy = BN_bin2bn(kQy, sizeof(kQy), NULL); 235 BIGNUM *d = BN_bin2bn(kD, sizeof(kD), NULL); 236 if (ec_key == NULL || qx == NULL || qy == NULL || d == NULL || 237 !EC_KEY_set_group(ec_key, EC_group_p256()) || 238 !EC_KEY_set_public_key_affine_coordinates(ec_key, qx, qy) || 239 !EC_KEY_set_private_key(ec_key, d)) { 240 EC_KEY_free(ec_key); 241 ec_key = NULL; 242 } 243 244 BN_free(qx); 245 BN_free(qy); 246 BN_free(d); 247 return ec_key; 248} 249 250static DH *self_test_dh(void) { 251 DH *dh = DH_get_rfc7919_2048(); 252 if (!dh) { 253 return NULL; 254 } 255 256 BIGNUM *priv = BN_new(); 257 if (!priv) { 258 goto err; 259 } 260 261 // kFFDHE2048PrivateKeyData is a 225-bit value. (225 because that's the 262 // minimum private key size in 263 // https://tools.ietf.org/html/rfc7919#appendix-A.1.) 264 static const BN_ULONG kFFDHE2048PrivateKeyData[] = { 265 TOBN(0x187be36b, 0xd38a4fa1), 266 TOBN(0x0a152f39, 0x6458f3b8), 267 TOBN(0x0570187e, 0xc422eeb7), 268 TOBN(0x00000001, 0x91173f2a), 269 }; 270 271 bn_set_static_words(priv, kFFDHE2048PrivateKeyData, 272 OPENSSL_ARRAY_SIZE(kFFDHE2048PrivateKeyData)); 273 274 if (!DH_set0_key(dh, NULL, priv)) { 275 goto err; 276 } 277 return dh; 278 279err: 280 BN_free(priv); 281 DH_free(dh); 282 return NULL; 283} 284 285 286// Lazy self-tests 287// 288// Self tests that are slow are deferred until the corresponding algorithm is 289// actually exercised, in FIPS mode. (In non-FIPS mode these tests are only run 290// when requested by |BORINGSSL_self_test|.) 291 292static int boringssl_self_test_rsa(void) { 293 int ret = 0; 294 uint8_t output[256]; 295 296 RSA *const rsa_key = self_test_rsa_key(); 297 if (rsa_key == NULL) { 298 fprintf(CRYPTO_get_stderr(), "RSA key construction failed\n"); 299 goto err; 300 } 301 // Disable blinding for the power-on tests because it's not needed and 302 // triggers an entropy draw. 303 rsa_key->flags |= RSA_FLAG_NO_BLINDING; 304 305 // RSA Sign KAT 306 307 static const uint8_t kRSASignDigest[32] = { 308 0xd2, 0xb5, 0x6e, 0x53, 0x30, 0x6f, 0x72, 0x0d, 0x79, 0x29, 0xd8, 309 0x70, 0x8b, 0xf4, 0x6f, 0x1c, 0x22, 0x30, 0x03, 0x05, 0x58, 0x2b, 310 0x11, 0x5b, 0xed, 0xca, 0xc7, 0x22, 0xd8, 0xaa, 0x5a, 0xb2, 311 }; 312 static const uint8_t kRSASignSignature[256] = { 313 0x64, 0xce, 0xdd, 0x91, 0x27, 0xb0, 0x4f, 0xb9, 0x14, 0xea, 0xc0, 0xb4, 314 0xa2, 0x06, 0xc5, 0xd8, 0x40, 0x0f, 0x6c, 0x54, 0xac, 0xf7, 0x02, 0xde, 315 0x26, 0xbb, 0xfd, 0x33, 0xe5, 0x2f, 0x4d, 0xb1, 0x53, 0xc4, 0xff, 0xd0, 316 0x5f, 0xea, 0x15, 0x89, 0x83, 0x4c, 0xe3, 0x80, 0x0b, 0xe9, 0x13, 0x82, 317 0x1d, 0x71, 0x92, 0x1a, 0x03, 0x60, 0x2c, 0xaf, 0xe2, 0x16, 0xc7, 0x43, 318 0x3f, 0xde, 0x6b, 0x94, 0xfd, 0x6e, 0x08, 0x7b, 0x11, 0xf1, 0x34, 0x52, 319 0xe5, 0xc0, 0x97, 0x66, 0x4a, 0xe0, 0x91, 0x45, 0xc8, 0xb1, 0x3d, 0x6a, 320 0x54, 0xc1, 0x32, 0x0f, 0x32, 0xad, 0x25, 0x11, 0x3e, 0x49, 0xad, 0x41, 321 0xce, 0x7b, 0xca, 0x95, 0x6b, 0x54, 0x5e, 0x86, 0x1b, 0xce, 0xfa, 0x2a, 322 0x60, 0xe8, 0xfa, 0xbb, 0x23, 0xb2, 0x41, 0xbc, 0x7c, 0x98, 0xec, 0x73, 323 0x20, 0xed, 0xb3, 0xcf, 0xab, 0x07, 0x24, 0x85, 0x6a, 0x2a, 0x61, 0x76, 324 0x28, 0xf8, 0x00, 0x80, 0xeb, 0xd9, 0x3a, 0x63, 0xe2, 0x01, 0xb1, 0xee, 325 0x6d, 0xe9, 0x73, 0xe9, 0xb6, 0x75, 0x2e, 0xf9, 0x81, 0xd9, 0xa8, 0x79, 326 0xf6, 0x8f, 0xe3, 0x02, 0x7d, 0xf6, 0xea, 0xdc, 0x35, 0xe4, 0x62, 0x0d, 327 0x91, 0xba, 0x3e, 0x7d, 0x8b, 0x82, 0xbf, 0x15, 0x74, 0x6a, 0x4e, 0x29, 328 0xf8, 0x9b, 0x2c, 0x94, 0x8d, 0xa7, 0x00, 0x4d, 0x7b, 0xbf, 0x35, 0x07, 329 0xeb, 0xdd, 0x10, 0xef, 0xd5, 0x2f, 0xe6, 0x98, 0x4b, 0x7e, 0x24, 0x80, 330 0xe2, 0x01, 0xf2, 0x66, 0xb7, 0xd3, 0x93, 0xfe, 0x2a, 0xb3, 0x74, 0xed, 331 0xec, 0x4b, 0xb1, 0x5f, 0x5f, 0xee, 0x85, 0x44, 0xa7, 0x26, 0xdf, 0xc1, 332 0x2e, 0x7a, 0xf3, 0xa5, 0x8f, 0xf8, 0x64, 0xda, 0x65, 0xad, 0x91, 0xe2, 333 0x90, 0x94, 0x20, 0x16, 0xb8, 0x61, 0xa5, 0x0a, 0x7d, 0xb4, 0xbf, 0xc0, 334 0x10, 0xaf, 0x72, 0x67, 335 }; 336 337 unsigned sig_len; 338 if (!rsa_sign_no_self_test(NID_sha256, kRSASignDigest, sizeof(kRSASignDigest), 339 output, &sig_len, rsa_key) || 340 !BORINGSSL_check_test(kRSASignSignature, output, 341 sizeof(kRSASignSignature), "RSA-sign KAT")) { 342 fprintf(CRYPTO_get_stderr(), "RSA signing test failed.\n"); 343 goto err; 344 } 345 346 // RSA Verify KAT 347 348 static const uint8_t kRSAVerifyDigest[32] = { 349 0x09, 0x65, 0x2f, 0xd8, 0xed, 0x9d, 0xc2, 0x6d, 0xbc, 0xbf, 0xf2, 350 0xa7, 0xa5, 0xed, 0xe1, 0x37, 0x13, 0x78, 0x21, 0x36, 0xcf, 0x8d, 351 0x22, 0x3d, 0xab, 0x93, 0xb4, 0x12, 0xa8, 0xb5, 0x15, 0x53, 352 }; 353 static const uint8_t kRSAVerifySignature[256] = { 354 0xab, 0xe2, 0xcb, 0xc1, 0x3d, 0x6b, 0xd3, 0x9d, 0x48, 0xdb, 0x53, 0x34, 355 0xdd, 0xbf, 0x8d, 0x07, 0x0a, 0x93, 0xbd, 0xcb, 0x10, 0x4e, 0x2c, 0xc5, 356 0xd0, 0xee, 0x48, 0x6e, 0xe2, 0x95, 0xf6, 0xb3, 0x1b, 0xda, 0x12, 0x6c, 357 0x41, 0x89, 0x0b, 0x98, 0xb7, 0x3e, 0x70, 0xe6, 0xb6, 0x5d, 0x82, 0xf9, 358 0x5c, 0x66, 0x31, 0x21, 0x75, 0x5a, 0x90, 0x74, 0x4c, 0x8d, 0x1c, 0x21, 359 0x14, 0x8a, 0x19, 0x60, 0xbe, 0x0e, 0xca, 0x44, 0x6e, 0x9f, 0xf4, 0x97, 360 0xf1, 0x34, 0x5c, 0x53, 0x7e, 0xf8, 0x11, 0x9b, 0x9a, 0x43, 0x98, 0xe9, 361 0x5c, 0x5c, 0x6d, 0xe2, 0xb1, 0xc9, 0x55, 0x90, 0x5c, 0x52, 0x99, 0xd8, 362 0xce, 0x7a, 0x3b, 0x6a, 0xb7, 0x63, 0x80, 0xd9, 0xba, 0xbd, 0xd1, 0x5f, 363 0x61, 0x02, 0x37, 0xe1, 0xf3, 0xf2, 0xaa, 0x1c, 0x1f, 0x1e, 0x77, 0x0b, 364 0x62, 0xfb, 0xb5, 0x96, 0x38, 0x1b, 0x2e, 0xbd, 0xd7, 0x7e, 0xce, 0xf9, 365 0xc9, 0x0d, 0x4c, 0x92, 0xf7, 0xb6, 0xb0, 0x5f, 0xed, 0x29, 0x36, 0x28, 366 0x5f, 0xa9, 0x48, 0x26, 0xe6, 0x20, 0x55, 0x32, 0x2a, 0x33, 0xb6, 0xf0, 367 0x4c, 0x74, 0xce, 0x69, 0xe5, 0xd8, 0xd7, 0x37, 0xfb, 0x83, 0x8b, 0x79, 368 0xd2, 0xd4, 0x8e, 0x3d, 0xaf, 0x71, 0x38, 0x75, 0x31, 0x88, 0x25, 0x31, 369 0xa9, 0x5a, 0xc9, 0x64, 0xd0, 0x2e, 0xa4, 0x13, 0xbf, 0x85, 0x95, 0x29, 370 0x82, 0xbb, 0xc0, 0x89, 0x52, 0x7d, 0xaf, 0xf5, 0xb8, 0x45, 0xc9, 0xa0, 371 0xf4, 0xd1, 0x4e, 0xf1, 0x95, 0x6d, 0x9c, 0x3a, 0xca, 0xe8, 0x82, 0xd1, 372 0x2d, 0xa6, 0x6d, 0xa0, 0xf3, 0x57, 0x94, 0xf5, 0xee, 0x32, 0x23, 0x23, 373 0x33, 0x51, 0x7d, 0xb9, 0x31, 0x52, 0x32, 0xa1, 0x83, 0xb9, 0x91, 0x65, 374 0x4d, 0xbe, 0xa4, 0x16, 0x15, 0x34, 0x5c, 0x88, 0x53, 0x25, 0x92, 0x67, 375 0x44, 0xa5, 0x39, 0x15, 376 }; 377 if (!rsa_verify_no_self_test(NID_sha256, kRSAVerifyDigest, 378 sizeof(kRSAVerifyDigest), kRSAVerifySignature, 379 sizeof(kRSAVerifySignature), rsa_key)) { 380 fprintf(CRYPTO_get_stderr(), "RSA-verify KAT failed.\n"); 381 goto err; 382 } 383 384 ret = 1; 385 386err: 387 RSA_free(rsa_key); 388 389 return ret; 390} 391 392static int boringssl_self_test_ecc(void) { 393 int ret = 0; 394 EC_KEY *ec_key = NULL; 395 EC_POINT *ec_point_in = NULL; 396 EC_POINT *ec_point_out = NULL; 397 BIGNUM *ec_scalar = NULL; 398 const EC_GROUP *ec_group = NULL; 399 400 // The 'k' value for ECDSA is fixed to avoid an entropy draw. 401 uint8_t ecdsa_k[32] = {0}; 402 ecdsa_k[31] = 42; 403 404 ec_key = self_test_ecdsa_key(); 405 if (ec_key == NULL) { 406 fprintf(CRYPTO_get_stderr(), "ECDSA KeyGen failed\n"); 407 goto err; 408 } 409 410 // ECDSA Sign/Verify KAT 411 412 static const uint8_t kECDSASignDigest[32] = { 413 0x1e, 0x35, 0x93, 0x0b, 0xe8, 0x60, 0xd0, 0x94, 0x2c, 0xa7, 0xbb, 414 0xd6, 0xf6, 0xde, 0xd8, 0x7f, 0x15, 0x7e, 0x4d, 0xe2, 0x4f, 0x81, 415 0xed, 0x4b, 0x87, 0x5c, 0x0e, 0x01, 0x8e, 0x89, 0xa8, 0x1f, 416 }; 417 static const uint8_t kECDSASignSig[64] = { 418 0x67, 0x80, 0xc5, 0xfc, 0x70, 0x27, 0x5e, 0x2c, 0x70, 0x61, 0xa0, 419 0xe7, 0x87, 0x7b, 0xb1, 0x74, 0xde, 0xad, 0xeb, 0x98, 0x87, 0x02, 420 0x7f, 0x3f, 0xa8, 0x36, 0x54, 0x15, 0x8b, 0xa7, 0xf5, 0x0c, 0x68, 421 0x04, 0x73, 0x40, 0x94, 0xb2, 0xd1, 0x90, 0xac, 0x2d, 0x0c, 0xd7, 422 0xa5, 0x7f, 0x2f, 0x2e, 0xb2, 0x62, 0xb0, 0x09, 0x16, 0xe1, 0xa6, 423 0x70, 0xb5, 0xbb, 0x0d, 0xfd, 0x8e, 0x0c, 0x02, 0x3f, 424 }; 425 426 uint8_t ecdsa_sign_output[64]; 427 size_t ecdsa_sign_output_len; 428 if (!ecdsa_sign_fixed_with_nonce_for_known_answer_test( 429 kECDSASignDigest, sizeof(kECDSASignDigest), ecdsa_sign_output, 430 &ecdsa_sign_output_len, sizeof(ecdsa_sign_output), ec_key, ecdsa_k, 431 sizeof(ecdsa_k)) || 432 !BORINGSSL_check_test(kECDSASignSig, ecdsa_sign_output, 433 sizeof(ecdsa_sign_output), 434 "ECDSA-sign signature")) { 435 fprintf(CRYPTO_get_stderr(), "ECDSA-sign KAT failed.\n"); 436 goto err; 437 } 438 439 static const uint8_t kECDSAVerifyDigest[32] = { 440 0x78, 0x7c, 0x50, 0x5c, 0x60, 0xc9, 0xe4, 0x13, 0x6c, 0xe4, 0x48, 441 0xba, 0x93, 0xff, 0x71, 0xfa, 0x9c, 0x18, 0xf4, 0x17, 0x09, 0x4f, 442 0xdf, 0x5a, 0xe2, 0x75, 0xc0, 0xcc, 0xd2, 0x67, 0x97, 0xad, 443 }; 444 static const uint8_t kECDSAVerifySig[64] = { 445 0x67, 0x80, 0xc5, 0xfc, 0x70, 0x27, 0x5e, 0x2c, 0x70, 0x61, 0xa0, 446 0xe7, 0x87, 0x7b, 0xb1, 0x74, 0xde, 0xad, 0xeb, 0x98, 0x87, 0x02, 447 0x7f, 0x3f, 0xa8, 0x36, 0x54, 0x15, 0x8b, 0xa7, 0xf5, 0x0c, 0x2d, 448 0x36, 0xe5, 0x79, 0x97, 0x90, 0xbf, 0xbe, 0x21, 0x83, 0xd3, 0x3e, 449 0x96, 0xf3, 0xc5, 0x1f, 0x6a, 0x23, 0x2f, 0x2a, 0x24, 0x48, 0x8c, 450 0x8e, 0x5f, 0x64, 0xc3, 0x7e, 0xa2, 0xcf, 0x05, 0x29, 451 }; 452 453 if (!ecdsa_verify_fixed_no_self_test( 454 kECDSAVerifyDigest, sizeof(kECDSAVerifyDigest), kECDSAVerifySig, 455 sizeof(kECDSAVerifySig), ec_key)) { 456 fprintf(CRYPTO_get_stderr(), "ECDSA-verify KAT failed.\n"); 457 goto err; 458 } 459 460 // Primitive Z Computation KAT (IG 9.6). 461 462 // kP256Point is SHA256("Primitive Z Computation KAT")×G within P-256. 463 static const uint8_t kP256Point[65] = { 464 0x04, 0x4e, 0xc1, 0x94, 0x8c, 0x5c, 0xf4, 0x37, 0x35, 0x0d, 0xa3, 465 0xf9, 0x55, 0xf9, 0x8b, 0x26, 0x23, 0x5c, 0x43, 0xe0, 0x83, 0x51, 466 0x2b, 0x0d, 0x4b, 0x56, 0x24, 0xc3, 0xe4, 0xa5, 0xa8, 0xe2, 0xe9, 467 0x95, 0xf2, 0xc4, 0xb9, 0xb7, 0x48, 0x7d, 0x2a, 0xae, 0xc5, 0xc0, 468 0x0a, 0xcc, 0x1b, 0xd0, 0xec, 0xb8, 0xdc, 0xbe, 0x0c, 0xbe, 0x52, 469 0x79, 0x93, 0x7c, 0x0b, 0x92, 0x2b, 0x7f, 0x17, 0xa5, 0x80, 470 }; 471 // kP256Scalar is SHA256("Primitive Z Computation KAT scalar"). 472 static const uint8_t kP256Scalar[32] = { 473 0xe7, 0x60, 0x44, 0x91, 0x26, 0x9a, 0xfb, 0x5b, 0x10, 0x2d, 0x6e, 474 0xa5, 0x2c, 0xb5, 0x9f, 0xeb, 0x70, 0xae, 0xde, 0x6c, 0xe3, 0xbf, 475 0xb3, 0xe0, 0x10, 0x54, 0x85, 0xab, 0xd8, 0x61, 0xd7, 0x7b, 476 }; 477 // kP256PointResult is |kP256Scalar|×|kP256Point|. 478 static const uint8_t kP256PointResult[65] = { 479 0x04, 0xf1, 0x63, 0x00, 0x88, 0xc5, 0xd5, 0xe9, 0x05, 0x52, 0xac, 480 0xb6, 0xec, 0x68, 0x76, 0xb8, 0x73, 0x7f, 0x0f, 0x72, 0x34, 0xe6, 481 0xbb, 0x30, 0x32, 0x22, 0x37, 0xb6, 0x2a, 0x80, 0xe8, 0x9e, 0x6e, 482 0x6f, 0x36, 0x02, 0xe7, 0x21, 0xd2, 0x31, 0xdb, 0x94, 0x63, 0xb7, 483 0xd8, 0x19, 0x0e, 0xc2, 0xc0, 0xa7, 0x2f, 0x15, 0x49, 0x1a, 0xa2, 484 0x7c, 0x41, 0x8f, 0xaf, 0x9c, 0x40, 0xaf, 0x2e, 0x4a, 0x0c, 485 }; 486 487 ec_group = EC_group_p256(); 488 ec_point_in = EC_POINT_new(ec_group); 489 ec_point_out = EC_POINT_new(ec_group); 490 ec_scalar = BN_new(); 491 uint8_t z_comp_result[65]; 492 if (ec_point_in == NULL || ec_point_out == NULL || ec_scalar == NULL || 493 !EC_POINT_oct2point(ec_group, ec_point_in, kP256Point, sizeof(kP256Point), 494 NULL) || 495 !BN_bin2bn(kP256Scalar, sizeof(kP256Scalar), ec_scalar) || 496 !ec_point_mul_no_self_test(ec_group, ec_point_out, NULL, ec_point_in, 497 ec_scalar, NULL) || 498 !EC_POINT_point2oct(ec_group, ec_point_out, POINT_CONVERSION_UNCOMPRESSED, 499 z_comp_result, sizeof(z_comp_result), NULL) || 500 !BORINGSSL_check_test(kP256PointResult, z_comp_result, 501 sizeof(z_comp_result), "Z Computation Result")) { 502 fprintf(CRYPTO_get_stderr(), "Z-computation KAT failed.\n"); 503 goto err; 504 } 505 506 ret = 1; 507 508err: 509 EC_KEY_free(ec_key); 510 EC_POINT_free(ec_point_in); 511 EC_POINT_free(ec_point_out); 512 BN_free(ec_scalar); 513 514 return ret; 515} 516 517static int boringssl_self_test_ffdh(void) { 518 int ret = 0; 519 DH *dh = NULL; 520 BIGNUM *ffdhe2048_value = NULL; 521 522 // FFC Diffie-Hellman KAT 523 524 // kFFDHE2048PublicValueData is an arbitrary public value, mod 525 // kFFDHE2048Data. (The private key happens to be 4096.) 526 static const BN_ULONG kFFDHE2048PublicValueData[] = { 527 TOBN(0x187be36b, 0xd38a4fa1), TOBN(0x0a152f39, 0x6458f3b8), 528 TOBN(0x0570187e, 0xc422eeb7), TOBN(0x18af7482, 0x91173f2a), 529 TOBN(0xe9fdac6a, 0xcff4eaaa), TOBN(0xf6afebb7, 0x6e589d6c), 530 TOBN(0xf92f8e9a, 0xb7e33fb0), TOBN(0x70acf2aa, 0x4cf36ddd), 531 TOBN(0x561ab426, 0xd07137fd), TOBN(0x5f57d037, 0x430ee91e), 532 TOBN(0xe3e768c8, 0x60d10b8a), TOBN(0xb14884d8, 0xa18af8ce), 533 TOBN(0xf8a98014, 0xa12b74e4), TOBN(0x748d407c, 0x3437b7a8), 534 TOBN(0x627588c4, 0x9875d5a7), TOBN(0xdd24a127, 0x53c8f09d), 535 TOBN(0x85a997d5, 0x0cd51aec), TOBN(0x44f0c619, 0xce348458), 536 TOBN(0x9b894b24, 0x5f6b69a1), TOBN(0xae1302f2, 0xf6d4777e), 537 TOBN(0xe6678eeb, 0x375db18e), TOBN(0x2674e1d6, 0x4fbcbdc8), 538 TOBN(0xb297a823, 0x6fa93d28), TOBN(0x6a12fb70, 0x7c8c0510), 539 TOBN(0x5c6d1aeb, 0xdb06f65b), TOBN(0xe8c2954e, 0x4c1804ca), 540 TOBN(0x06bdeac1, 0xf5500fa7), TOBN(0x6a315604, 0x189cd76b), 541 TOBN(0xbae7b0b3, 0x6e362dc0), TOBN(0xa57c73bd, 0xdc70fb82), 542 TOBN(0xfaff50d2, 0x9d573457), TOBN(0x352bd399, 0xbe84058e), 543 }; 544 static const uint8_t kDHOutput[2048 / 8] = { 545 0x2a, 0xe6, 0xd3, 0xa6, 0x13, 0x58, 0x8e, 0xce, 0x53, 0xaa, 0xf6, 0x5d, 546 0x9a, 0xae, 0x02, 0x12, 0xf5, 0x80, 0x3d, 0x06, 0x09, 0x76, 0xac, 0x57, 547 0x37, 0x9e, 0xab, 0x38, 0x62, 0x25, 0x05, 0x1d, 0xf3, 0xa9, 0x39, 0x60, 548 0xf6, 0xae, 0x90, 0xed, 0x1e, 0xad, 0x6e, 0xe9, 0xe3, 0xba, 0x27, 0xf6, 549 0xdb, 0x54, 0xdf, 0xe2, 0xbd, 0xbb, 0x7f, 0xf1, 0x81, 0xac, 0x1a, 0xfa, 550 0xdb, 0x87, 0x07, 0x98, 0x76, 0x90, 0x21, 0xf2, 0xae, 0xda, 0x0d, 0x84, 551 0x97, 0x64, 0x0b, 0xbf, 0xb8, 0x8d, 0x10, 0x46, 0xe2, 0xd5, 0xca, 0x1b, 552 0xbb, 0xe5, 0x37, 0xb2, 0x3b, 0x35, 0xd3, 0x1b, 0x65, 0xea, 0xae, 0xf2, 553 0x03, 0xe2, 0xb6, 0xde, 0x22, 0xb7, 0x86, 0x49, 0x79, 0xfe, 0xd7, 0x16, 554 0xf7, 0xdc, 0x9c, 0x59, 0xf5, 0xb7, 0x70, 0xc0, 0x53, 0x42, 0x6f, 0xb1, 555 0xd2, 0x4e, 0x00, 0x25, 0x4b, 0x2d, 0x5a, 0x9b, 0xd0, 0xe9, 0x27, 0x43, 556 0xcc, 0x00, 0x66, 0xea, 0x94, 0x7a, 0x0b, 0xb9, 0x89, 0x0c, 0x5e, 0x94, 557 0xb8, 0x3a, 0x78, 0x9c, 0x4d, 0x84, 0xe6, 0x32, 0x2c, 0x38, 0x7c, 0xf7, 558 0x43, 0x9c, 0xd8, 0xb8, 0x1c, 0xce, 0x24, 0x91, 0x20, 0x67, 0x7a, 0x54, 559 0x1f, 0x7e, 0x86, 0x7f, 0xa1, 0xc1, 0x03, 0x4e, 0x2c, 0x26, 0x71, 0xb2, 560 0x06, 0x30, 0xb3, 0x6c, 0x15, 0xcc, 0xac, 0x25, 0xe5, 0x37, 0x3f, 0x24, 561 0x8f, 0x2a, 0x89, 0x5e, 0x3d, 0x43, 0x94, 0xc9, 0x36, 0xae, 0x40, 0x00, 562 0x6a, 0x0d, 0xb0, 0x6e, 0x8b, 0x2e, 0x70, 0x57, 0xe1, 0x88, 0x53, 0xd6, 563 0x06, 0x80, 0x2a, 0x4e, 0x5a, 0xf0, 0x1e, 0xaa, 0xcb, 0xab, 0x06, 0x0e, 564 0x27, 0x0f, 0xd9, 0x88, 0xd9, 0x01, 0xe3, 0x07, 0xeb, 0xdf, 0xc3, 0x12, 565 0xe3, 0x40, 0x88, 0x7b, 0x5f, 0x59, 0x78, 0x6e, 0x26, 0x20, 0xc3, 0xdf, 566 0xc8, 0xe4, 0x5e, 0xb8, 567 }; 568 569 ffdhe2048_value = BN_new(); 570 if (ffdhe2048_value) { 571 bn_set_static_words(ffdhe2048_value, kFFDHE2048PublicValueData, 572 OPENSSL_ARRAY_SIZE(kFFDHE2048PublicValueData)); 573 } 574 575 dh = self_test_dh(); 576 uint8_t dh_out[sizeof(kDHOutput)]; 577 if (dh == NULL || ffdhe2048_value == NULL || sizeof(dh_out) != DH_size(dh) || 578 dh_compute_key_padded_no_self_test(dh_out, ffdhe2048_value, dh) != 579 sizeof(dh_out) || 580 !BORINGSSL_check_test(kDHOutput, dh_out, sizeof(dh_out), "FFC DH")) { 581 fprintf(CRYPTO_get_stderr(), "FFDH failed.\n"); 582 goto err; 583 } 584 585 ret = 1; 586 587err: 588 DH_free(dh); 589 BN_free(ffdhe2048_value); 590 591 return ret; 592} 593 594#if defined(BORINGSSL_FIPS) 595 596static void run_self_test_rsa(void) { 597 FIPS_service_indicator_lock_state(); 598 if (!boringssl_self_test_rsa()) { 599 BORINGSSL_FIPS_abort(); 600 } 601 FIPS_service_indicator_unlock_state(); 602} 603 604DEFINE_STATIC_ONCE(g_self_test_once_rsa) 605 606void boringssl_ensure_rsa_self_test(void) { 607 CRYPTO_once(g_self_test_once_rsa_bss_get(), run_self_test_rsa); 608} 609 610static void run_self_test_ecc(void) { 611 FIPS_service_indicator_lock_state(); 612 if (!boringssl_self_test_ecc()) { 613 BORINGSSL_FIPS_abort(); 614 } 615 FIPS_service_indicator_unlock_state(); 616} 617 618DEFINE_STATIC_ONCE(g_self_test_once_ecc) 619 620void boringssl_ensure_ecc_self_test(void) { 621 CRYPTO_once(g_self_test_once_ecc_bss_get(), run_self_test_ecc); 622} 623 624static void run_self_test_ffdh(void) { 625 FIPS_service_indicator_lock_state(); 626 if (!boringssl_self_test_ffdh()) { 627 BORINGSSL_FIPS_abort(); 628 } 629 FIPS_service_indicator_unlock_state(); 630} 631 632DEFINE_STATIC_ONCE(g_self_test_once_ffdh) 633 634void boringssl_ensure_ffdh_self_test(void) { 635 CRYPTO_once(g_self_test_once_ffdh_bss_get(), run_self_test_ffdh); 636} 637 638#endif // BORINGSSL_FIPS 639 640 641// Startup self tests. 642// 643// These tests are run at process start when in FIPS mode. 644 645int boringssl_self_test_sha256(void) { 646 static const uint8_t kInput[16] = { 647 0xff, 0x3b, 0x85, 0x7d, 0xa7, 0x23, 0x6a, 0x2b, 648 0xaa, 0x0f, 0x39, 0x6b, 0x51, 0x52, 0x22, 0x17, 649 }; 650 static const uint8_t kPlaintextSHA256[32] = { 651 0x7f, 0xe4, 0xd5, 0xf1, 0xa1, 0xe3, 0x82, 0x87, 0xd9, 0x58, 0xf5, 652 0x11, 0xc7, 0x1d, 0x5e, 0x27, 0x5e, 0xcc, 0xd2, 0x66, 0xcf, 0xb9, 653 0xc8, 0xc6, 0x60, 0xd8, 0x92, 0x1e, 0x57, 0xfd, 0x46, 0x75, 654 }; 655 uint8_t output[SHA256_DIGEST_LENGTH]; 656 657 // SHA-256 KAT 658 SHA256(kInput, sizeof(kInput), output); 659 return BORINGSSL_check_test(kPlaintextSHA256, output, 660 sizeof(kPlaintextSHA256), "SHA-256 KAT"); 661} 662 663int boringssl_self_test_sha512(void) { 664 static const uint8_t kInput[16] = { 665 0x21, 0x25, 0x12, 0xf8, 0xd2, 0xad, 0x83, 0x22, 666 0x78, 0x1c, 0x6c, 0x4d, 0x69, 0xa9, 0xda, 0xa1, 667 }; 668 static const uint8_t kPlaintextSHA512[64] = { 669 0x29, 0x3c, 0x94, 0x35, 0x4e, 0x98, 0x83, 0xe5, 0xc2, 0x78, 0x36, 670 0x7a, 0xe5, 0x18, 0x90, 0xbf, 0x35, 0x41, 0x01, 0x64, 0x19, 0x8d, 671 0x26, 0xeb, 0xe1, 0xf8, 0x2f, 0x04, 0x8e, 0xfa, 0x8b, 0x2b, 0xc6, 672 0xb2, 0x9d, 0x5d, 0x46, 0x76, 0x5a, 0xc8, 0xb5, 0x25, 0xa3, 0xea, 673 0x52, 0x84, 0x47, 0x6d, 0x6d, 0xf4, 0xc9, 0x71, 0xf3, 0x3d, 0x89, 674 0x4c, 0x3b, 0x20, 0x8c, 0x5b, 0x75, 0xe8, 0xf8, 0x7c, 675 }; 676 uint8_t output[SHA512_DIGEST_LENGTH]; 677 678 // SHA-512 KAT 679 SHA512(kInput, sizeof(kInput), output); 680 return BORINGSSL_check_test(kPlaintextSHA512, output, 681 sizeof(kPlaintextSHA512), "SHA-512 KAT"); 682} 683 684int boringssl_self_test_hmac_sha256(void) { 685 static const uint8_t kInput[16] = { 686 0xda, 0xd9, 0x12, 0x93, 0xdf, 0xcf, 0x2a, 0x7c, 687 0x8e, 0xcd, 0x13, 0xfe, 0x35, 0x3f, 0xa7, 0x5b, 688 }; 689 static const uint8_t kPlaintextHMACSHA256[32] = { 690 0x36, 0x5f, 0x5b, 0xd5, 0xf5, 0xeb, 0xfd, 0xc7, 0x6e, 0x53, 0xa5, 691 0x73, 0x6d, 0x73, 0x20, 0x13, 0xaa, 0xd3, 0xbc, 0x86, 0x4b, 0xb8, 692 0x84, 0x94, 0x16, 0x46, 0x88, 0x9c, 0x48, 0xee, 0xa9, 0x0e, 693 }; 694 uint8_t output[EVP_MAX_MD_SIZE]; 695 696 unsigned output_len; 697 HMAC(EVP_sha256(), kInput, sizeof(kInput), kInput, sizeof(kInput), output, 698 &output_len); 699 return output_len == sizeof(kPlaintextHMACSHA256) && 700 BORINGSSL_check_test(kPlaintextHMACSHA256, output, 701 sizeof(kPlaintextHMACSHA256), "HMAC-SHA-256 KAT"); 702} 703 704static int boringssl_self_test_fast(void) { 705 static const uint8_t kAESKey[16] = { 706 'B', 'o', 'r', 'i', 'n', 'g', 'C', 'r', 707 'y', 'p', 't', 'o', ' ', 'K', 'e', 'y', 708 }; 709 static const uint8_t kAESIV[16] = {0}; 710 711 EVP_AEAD_CTX aead_ctx; 712 EVP_AEAD_CTX_zero(&aead_ctx); 713 int ret = 0; 714 715 AES_KEY aes_key; 716 uint8_t aes_iv[16]; 717 uint8_t output[256]; 718 719 // AES-CBC Encryption KAT 720 static const uint8_t kAESCBCEncPlaintext[32] = { 721 0x07, 0x86, 0x09, 0xa6, 0xc5, 0xac, 0x25, 0x44, 0x69, 0x9a, 0xdf, 722 0x68, 0x2f, 0xa3, 0x77, 0xf9, 0xbe, 0x8a, 0xb6, 0xae, 0xf5, 0x63, 723 0xe8, 0xc5, 0x6a, 0x36, 0xb8, 0x4f, 0x55, 0x7f, 0xad, 0xd3, 724 }; 725 static const uint8_t kAESCBCEncCiphertext[sizeof(kAESCBCEncPlaintext)] = { 726 0x56, 0x46, 0xc1, 0x41, 0xf4, 0x13, 0xd6, 0xff, 0x62, 0x92, 0x41, 727 0x7a, 0x26, 0xc6, 0x86, 0xbd, 0x30, 0x5f, 0xb6, 0x57, 0xa7, 0xd2, 728 0x50, 0x3a, 0xc5, 0x5e, 0x8e, 0x93, 0x40, 0xf2, 0x10, 0xd8, 729 }; 730 memcpy(aes_iv, kAESIV, sizeof(kAESIV)); 731 if (AES_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) { 732 fprintf(CRYPTO_get_stderr(), "AES_set_encrypt_key failed.\n"); 733 goto err; 734 } 735 AES_cbc_encrypt(kAESCBCEncPlaintext, output, sizeof(kAESCBCEncPlaintext), 736 &aes_key, aes_iv, AES_ENCRYPT); 737 if (!BORINGSSL_check_test(kAESCBCEncCiphertext, output, 738 sizeof(kAESCBCEncCiphertext), 739 "AES-CBC-encrypt KAT")) { 740 goto err; 741 } 742 743 // AES-CBC Decryption KAT 744 static const uint8_t kAESCBCDecCiphertext[32] = { 745 0x34, 0x7a, 0xa5, 0xa0, 0x24, 0xb2, 0x82, 0x57, 0xb3, 0x65, 0x10, 746 0xbe, 0x58, 0x3d, 0x4f, 0x47, 0xad, 0xb7, 0xbb, 0xee, 0xdc, 0x60, 747 0x05, 0xbb, 0xbd, 0x0d, 0x0a, 0x9f, 0x06, 0xbb, 0x7b, 0x10, 748 }; 749 static const uint8_t kAESCBCDecPlaintext[sizeof(kAESCBCDecCiphertext)] = { 750 0x51, 0xa7, 0xa0, 0x1f, 0x6b, 0x79, 0x6c, 0xcd, 0x48, 0x03, 0xa1, 751 0x41, 0xdc, 0x56, 0xa6, 0xc2, 0x16, 0xb5, 0xd1, 0xd3, 0xb7, 0x06, 752 0xb2, 0x25, 0x6f, 0xa6, 0xd0, 0xd2, 0x0e, 0x6f, 0x19, 0xb5, 753 }; 754 memcpy(aes_iv, kAESIV, sizeof(kAESIV)); 755 if (AES_set_decrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) { 756 fprintf(CRYPTO_get_stderr(), "AES_set_decrypt_key failed.\n"); 757 goto err; 758 } 759 AES_cbc_encrypt(kAESCBCDecCiphertext, output, sizeof(kAESCBCDecCiphertext), 760 &aes_key, aes_iv, AES_DECRYPT); 761 if (!BORINGSSL_check_test(kAESCBCDecPlaintext, output, 762 sizeof(kAESCBCDecPlaintext), 763 "AES-CBC-decrypt KAT")) { 764 goto err; 765 } 766 767 size_t out_len; 768 uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH]; 769 OPENSSL_memset(nonce, 0, sizeof(nonce)); 770 if (!EVP_AEAD_CTX_init(&aead_ctx, EVP_aead_aes_128_gcm(), kAESKey, 771 sizeof(kAESKey), 0, NULL)) { 772 fprintf(CRYPTO_get_stderr(), "EVP_AEAD_CTX_init for AES-128-GCM failed.\n"); 773 goto err; 774 } 775 776 // AES-GCM Encryption KAT 777 static const uint8_t kAESGCMEncPlaintext[32] = { 778 0x8f, 0xcc, 0x40, 0x99, 0x80, 0x8e, 0x75, 0xca, 0xaf, 0xf5, 0x82, 779 0x89, 0x88, 0x48, 0xa8, 0x8d, 0x80, 0x8b, 0x55, 0xab, 0x4e, 0x93, 780 0x70, 0x79, 0x7d, 0x94, 0x0b, 0xe8, 0xcc, 0x1d, 0x78, 0x84, 781 }; 782 static const uint8_t kAESGCMCiphertext[sizeof(kAESGCMEncPlaintext) + 16] = { 783 0x87, 0x7b, 0xd5, 0x8d, 0x96, 0x3e, 0x4b, 0xe6, 0x64, 0x94, 0x40, 0x2f, 784 0x61, 0x9b, 0x7e, 0x56, 0x52, 0x7d, 0xa4, 0x5a, 0xf9, 0xa6, 0xe2, 0xdb, 785 0x1c, 0x63, 0x2e, 0x97, 0x93, 0x0f, 0xfb, 0xed, 0xb5, 0x9e, 0x1c, 0x20, 786 0xb2, 0xb0, 0x58, 0xda, 0x48, 0x07, 0x2d, 0xbd, 0x96, 0x0d, 0x34, 0xc6, 787 }; 788 if (!EVP_AEAD_CTX_seal(&aead_ctx, output, &out_len, sizeof(output), nonce, 789 EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()), 790 kAESGCMEncPlaintext, sizeof(kAESGCMEncPlaintext), NULL, 791 0) || 792 !BORINGSSL_check_test(kAESGCMCiphertext, output, 793 sizeof(kAESGCMCiphertext), "AES-GCM-encrypt KAT")) { 794 fprintf(CRYPTO_get_stderr(), "EVP_AEAD_CTX_seal for AES-128-GCM failed.\n"); 795 goto err; 796 } 797 798 // AES-GCM Decryption KAT 799 static const uint8_t kAESGCMDecCiphertext[48] = { 800 0x35, 0xf3, 0x05, 0x8f, 0x87, 0x57, 0x60, 0xff, 0x09, 0xd3, 0x12, 0x0f, 801 0x70, 0xc4, 0xbc, 0x9e, 0xd7, 0xa8, 0x68, 0x72, 0xe1, 0x34, 0x52, 0x20, 802 0x21, 0x76, 0xf7, 0x37, 0x1a, 0xe0, 0x4f, 0xaa, 0xe1, 0xdd, 0x39, 0x19, 803 0x20, 0xf5, 0xd1, 0x39, 0x53, 0xd8, 0x96, 0x78, 0x59, 0x94, 0x82, 0x3c, 804 }; 805 static const uint8_t kAESGCMDecPlaintext[sizeof(kAESGCMDecCiphertext) - 16] = 806 { 807 0x3d, 0x44, 0x90, 0x9b, 0x91, 0xe7, 0x5e, 0xd3, 0xc2, 0xb2, 0xd0, 808 0xa9, 0x99, 0x17, 0x6a, 0x45, 0x05, 0x5e, 0x99, 0x83, 0x56, 0x01, 809 0xc0, 0x82, 0x40, 0x81, 0xd2, 0x48, 0x45, 0xf2, 0xcc, 0xc3, 810 }; 811 if (!EVP_AEAD_CTX_open(&aead_ctx, output, &out_len, sizeof(output), nonce, 812 EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()), 813 kAESGCMDecCiphertext, sizeof(kAESGCMDecCiphertext), 814 NULL, 0) || 815 !BORINGSSL_check_test(kAESGCMDecPlaintext, output, 816 sizeof(kAESGCMDecPlaintext), 817 "AES-GCM-decrypt KAT")) { 818 fprintf(CRYPTO_get_stderr(), 819 "AES-GCM-decrypt KAT failed because EVP_AEAD_CTX_open failed.\n"); 820 goto err; 821 } 822 823 // SHA-1 KAT 824 static const uint8_t kSHA1Input[16] = { 825 0x13, 0x2f, 0xd9, 0xba, 0xd5, 0xc1, 0x82, 0x62, 826 0x63, 0xba, 0xfb, 0xb6, 0x99, 0xf7, 0x07, 0xa5, 827 }; 828 static const uint8_t kSHA1Digest[20] = { 829 0x94, 0x19, 0x55, 0x93, 0x0a, 0x58, 0x29, 0x38, 0xeb, 0xf5, 830 0x09, 0x11, 0x6d, 0x1a, 0xfd, 0x0f, 0x1e, 0x11, 0xe3, 0xcb, 831 }; 832 SHA1(kSHA1Input, sizeof(kSHA1Input), output); 833 if (!BORINGSSL_check_test(kSHA1Digest, output, sizeof(kSHA1Digest), 834 "SHA-1 KAT")) { 835 goto err; 836 } 837 838 if (!boringssl_self_test_sha256() || !boringssl_self_test_sha512() || 839 !boringssl_self_test_hmac_sha256()) { 840 goto err; 841 } 842 843 // DBRG KAT 844 static const uint8_t kDRBGEntropy[48] = { 845 0xc4, 0xda, 0x07, 0x40, 0xd5, 0x05, 0xf1, 0xee, 0x28, 0x0b, 0x95, 0xe5, 846 0x8c, 0x49, 0x31, 0xac, 0x6d, 0xe8, 0x46, 0xa0, 0x15, 0x2f, 0xbb, 0x4a, 847 0x3f, 0x17, 0x4c, 0xf4, 0x78, 0x7a, 0x4f, 0x1a, 0x40, 0xc2, 0xb5, 0x0b, 848 0xab, 0xe1, 0x4a, 0xae, 0x53, 0x0b, 0xe5, 0x88, 0x6d, 0x91, 0x0a, 0x27, 849 }; 850 static const uint8_t kDRBGPersonalization[18] = { 851 'B', 'C', 'M', 'P', 'e', 'r', 's', 'o', 'n', 852 'a', 'l', 'i', 'z', 'a', 't', 'i', 'o', 'n'}; 853 static const uint8_t kDRBGAD[16] = {'B', 'C', 'M', ' ', 'D', 'R', 'B', 'G', 854 ' ', 'K', 'A', 'T', ' ', 'A', 'D', ' '}; 855 static const uint8_t kDRBGOutput[64] = { 856 0x19, 0x1f, 0x2b, 0x49, 0x76, 0x85, 0xfd, 0x51, 0xb6, 0x56, 0xbc, 857 0x1c, 0x7d, 0xd5, 0xdd, 0x44, 0x76, 0xa3, 0x5e, 0x17, 0x9b, 0x8e, 858 0xb8, 0x98, 0x65, 0x12, 0xca, 0x35, 0x6c, 0xa0, 0x6f, 0xa0, 0x22, 859 0xe4, 0xf6, 0xd8, 0x43, 0xed, 0x4e, 0x2d, 0x97, 0x39, 0x43, 0x3b, 860 0x57, 0xfc, 0x23, 0x3f, 0x71, 0x0a, 0xe0, 0xed, 0xfe, 0xd5, 0xb8, 861 0x67, 0x7a, 0x00, 0x39, 0xb2, 0x6e, 0xa9, 0x25, 0x97, 862 }; 863 static const uint8_t kDRBGEntropy2[48] = { 864 0xc7, 0x16, 0x1c, 0xa3, 0x6c, 0x23, 0x09, 0xb7, 0x16, 0xe9, 0x85, 0x9b, 865 0xb9, 0x6c, 0x6d, 0x49, 0xbd, 0xc8, 0x35, 0x21, 0x03, 0xa1, 0x8c, 0xd2, 866 0x4e, 0xf4, 0x2e, 0xc9, 0x7e, 0xf4, 0x6b, 0xf4, 0x46, 0xeb, 0x1a, 0x45, 867 0x76, 0xc1, 0x86, 0xe9, 0x35, 0x18, 0x03, 0x76, 0x3a, 0x79, 0x12, 0xfe, 868 }; 869 static const uint8_t kDRBGReseedOutput[64] = { 870 0x00, 0xf2, 0x05, 0xaa, 0xfd, 0x11, 0x6c, 0x77, 0xbc, 0x81, 0x86, 871 0x99, 0xca, 0x51, 0xcf, 0x80, 0x15, 0x9f, 0x02, 0x9e, 0x0b, 0xcd, 872 0x26, 0xc8, 0x4b, 0x87, 0x8a, 0x15, 0x1a, 0xdd, 0xf2, 0xf3, 0xeb, 873 0x94, 0x0b, 0x08, 0xc8, 0xc9, 0x57, 0xa4, 0x0b, 0x4b, 0x0f, 0x13, 874 0xde, 0x7c, 0x0c, 0x6a, 0xac, 0x34, 0x4a, 0x9a, 0xf2, 0xd0, 0x83, 875 0x02, 0x05, 0x17, 0xc9, 0x81, 0x8f, 0x2a, 0x81, 0x92, 876 }; 877 CTR_DRBG_STATE drbg; 878 if (!CTR_DRBG_init(&drbg, kDRBGEntropy, kDRBGPersonalization, 879 sizeof(kDRBGPersonalization)) || 880 !CTR_DRBG_generate(&drbg, output, sizeof(kDRBGOutput), kDRBGAD, 881 sizeof(kDRBGAD)) || 882 !BORINGSSL_check_test(kDRBGOutput, output, sizeof(kDRBGOutput), 883 "DRBG Generate KAT") || 884 !CTR_DRBG_reseed(&drbg, kDRBGEntropy2, kDRBGAD, sizeof(kDRBGAD)) || 885 !CTR_DRBG_generate(&drbg, output, sizeof(kDRBGReseedOutput), kDRBGAD, 886 sizeof(kDRBGAD)) || 887 !BORINGSSL_check_test(kDRBGReseedOutput, output, 888 sizeof(kDRBGReseedOutput), "DRBG-reseed KAT")) { 889 fprintf(CRYPTO_get_stderr(), "CTR-DRBG failed.\n"); 890 goto err; 891 } 892 CTR_DRBG_clear(&drbg); 893 894 CTR_DRBG_STATE kZeroDRBG; 895 memset(&kZeroDRBG, 0, sizeof(kZeroDRBG)); 896 if (!BORINGSSL_check_test(&kZeroDRBG, &drbg, sizeof(drbg), 897 "DRBG Clear KAT")) { 898 goto err; 899 } 900 901 // TLS KDF KAT 902 static const char kTLSLabel[] = "FIPS self test"; 903 static const uint8_t kTLSSeed1[16] = { 904 0x8f, 0x0d, 0xe8, 0xb6, 0x90, 0x8f, 0xb1, 0xd2, 905 0x6d, 0x51, 0xf4, 0x79, 0x18, 0x63, 0x51, 0x65, 906 }; 907 static const uint8_t kTLSSeed2[16] = { 908 0x7d, 0x24, 0x1a, 0x9d, 0x3c, 0x59, 0xbf, 0x3c, 909 0x31, 0x1e, 0x2b, 0x21, 0x41, 0x8d, 0x32, 0x81, 910 }; 911 912 static const uint8_t kTLS10Secret[32] = { 913 0xab, 0xc3, 0x65, 0x7b, 0x09, 0x4c, 0x76, 0x28, 0xa0, 0xb2, 0x82, 914 0x99, 0x6f, 0xe7, 0x5a, 0x75, 0xf4, 0x98, 0x4f, 0xd9, 0x4d, 0x4e, 915 0xcc, 0x2f, 0xcf, 0x53, 0xa2, 0xc4, 0x69, 0xa3, 0xf7, 0x31, 916 }; 917 static const uint8_t kTLS10Output[32] = { 918 0x69, 0x7c, 0x4e, 0x2c, 0xee, 0x82, 0xb1, 0xd2, 0x8b, 0xac, 0x90, 919 0x7a, 0xa1, 0x8a, 0x81, 0xfe, 0xc5, 0x58, 0x45, 0x57, 0x61, 0x2f, 920 0x7a, 0x8d, 0x80, 0xfb, 0x44, 0xd8, 0x81, 0x60, 0xe5, 0xf8, 921 }; 922 uint8_t tls10_output[sizeof(kTLS10Output)]; 923 if (!CRYPTO_tls1_prf(EVP_md5_sha1(), tls10_output, sizeof(tls10_output), 924 kTLS10Secret, sizeof(kTLS10Secret), kTLSLabel, 925 sizeof(kTLSLabel), kTLSSeed1, sizeof(kTLSSeed1), 926 kTLSSeed2, sizeof(kTLSSeed2)) || 927 !BORINGSSL_check_test(kTLS10Output, tls10_output, sizeof(kTLS10Output), 928 "TLS10-KDF KAT")) { 929 fprintf(CRYPTO_get_stderr(), "TLS KDF failed.\n"); 930 goto err; 931 } 932 933 static const uint8_t kTLS12Secret[32] = { 934 0xc5, 0x43, 0x8e, 0xe2, 0x6f, 0xd4, 0xac, 0xbd, 0x25, 0x9f, 0xc9, 935 0x18, 0x55, 0xdc, 0x69, 0xbf, 0x88, 0x4e, 0xe2, 0x93, 0x22, 0xfc, 936 0xbf, 0xd2, 0x96, 0x6a, 0x46, 0x23, 0xd4, 0x2e, 0xc7, 0x81, 937 }; 938 static const uint8_t kTLS12Output[32] = { 939 0xee, 0x4a, 0xcd, 0x3f, 0xa3, 0xd3, 0x55, 0x89, 0x9e, 0x6f, 0xf1, 940 0x38, 0x46, 0x9d, 0x2b, 0x33, 0xaa, 0x7f, 0xc4, 0x7f, 0x51, 0x85, 941 0x8a, 0xf3, 0x13, 0x84, 0xbf, 0x53, 0x6a, 0x65, 0x37, 0x51, 942 }; 943 uint8_t tls12_output[sizeof(kTLS12Output)]; 944 if (!CRYPTO_tls1_prf(EVP_sha256(), tls12_output, sizeof(tls12_output), 945 kTLS12Secret, sizeof(kTLS12Secret), kTLSLabel, 946 sizeof(kTLSLabel), kTLSSeed1, sizeof(kTLSSeed1), 947 kTLSSeed2, sizeof(kTLSSeed2)) || 948 !BORINGSSL_check_test(kTLS12Output, tls12_output, sizeof(kTLS12Output), 949 "TLS12-KDF KAT")) { 950 fprintf(CRYPTO_get_stderr(), "TLS KDF failed.\n"); 951 goto err; 952 } 953 954 // TLS v1.3: derives a dummy client-early-traffic secret. 955 static const uint8_t kTLS13Secret[32] = { 956 0x02, 0x4a, 0x0d, 0x80, 0xf3, 0x57, 0xf2, 0x49, 0x9a, 0x12, 0x44, 957 0xda, 0xc2, 0x6d, 0xab, 0x66, 0xfc, 0x13, 0xed, 0x85, 0xfc, 0xa7, 958 0x1d, 0xac, 0xe1, 0x46, 0x21, 0x11, 0x19, 0x52, 0x58, 0x74, 959 }; 960 static const uint8_t kTLS13Salt[16] = { 961 0x54, 0x61, 0x11, 0x36, 0x75, 0x91, 0xf0, 0xf8, 962 0x92, 0xec, 0x70, 0xbd, 0x78, 0x2a, 0xef, 0x61, 963 }; 964 static const uint8_t kTLS13Label[] = "c e traffic"; 965 static const uint8_t kTLS13ClientHelloHash[32] = { 966 0x1d, 0xe8, 0x67, 0xed, 0x93, 0x6a, 0x73, 0x65, 0x9b, 0x05, 0xcf, 967 0x8a, 0x22, 0x77, 0xb7, 0x37, 0x29, 0xf2, 0x44, 0x94, 0x81, 0x6a, 968 0x83, 0x33, 0x7f, 0x09, 0xbb, 0x6c, 0xc2, 0x6f, 0x48, 0x9c, 969 }; 970 static const uint8_t kTLS13ExpandLabelOutput[32] = { 971 0x62, 0x91, 0x52, 0x90, 0x2e, 0xc9, 0xcf, 0x9c, 0x5f, 0x1e, 0x0a, 972 0xb7, 0x00, 0x33, 0x42, 0x24, 0xc4, 0xe3, 0xba, 0x01, 0x40, 0x32, 973 0x06, 0xab, 0x09, 0x23, 0x8a, 0xdd, 0x01, 0xa4, 0x05, 0xcd, 974 }; 975 uint8_t tls13_extract_output[32]; 976 size_t tls13_extract_output_len; 977 uint8_t tls13_expand_label_output[32]; 978 if (!HKDF_extract(tls13_extract_output, &tls13_extract_output_len, 979 EVP_sha256(), kTLS13Secret, sizeof(kTLS13Secret), 980 kTLS13Salt, sizeof(kTLS13Salt)) || 981 tls13_extract_output_len != sizeof(tls13_extract_output) || 982 !CRYPTO_tls13_hkdf_expand_label( 983 tls13_expand_label_output, sizeof(tls13_expand_label_output), 984 EVP_sha256(), tls13_extract_output, sizeof(tls13_extract_output), 985 kTLS13Label, sizeof(kTLS13Label) - 1, kTLS13ClientHelloHash, 986 sizeof(kTLS13ClientHelloHash)) || 987 !BORINGSSL_check_test(kTLS13ExpandLabelOutput, tls13_expand_label_output, 988 sizeof(kTLS13ExpandLabelOutput), 989 "CRYPTO_tls13_hkdf_expand_label")) { 990 fprintf(CRYPTO_get_stderr(), "TLS13-KDF failed.\n"); 991 goto err; 992 } 993 994 // HKDF 995 static const uint8_t kHKDFSecret[32] = { 996 0x68, 0x67, 0x85, 0x04, 0xb9, 0xb3, 0xad, 0xd1, 0x7d, 0x59, 0x67, 997 0xa1, 0xa7, 0xbd, 0x37, 0x99, 0x3f, 0xd8, 0xa3, 0x3c, 0xe7, 0x30, 998 0x30, 0x71, 0xf3, 0x9c, 0x09, 0x6d, 0x16, 0x35, 0xb3, 0xc9, 999 }; 1000 static const uint8_t kHKDFSalt[32] = { 1001 0x8a, 0xab, 0x18, 0xb4, 0x9b, 0x0a, 0x17, 0xf9, 0xe8, 0xe6, 0x97, 1002 0x1a, 0x3d, 0xff, 0xda, 0x9b, 0x26, 0x8b, 0x3d, 0x17, 0x78, 0x0a, 1003 0xb3, 0xea, 0x65, 0xdb, 0x2a, 0xc0, 0x29, 0x9c, 0xfa, 0x72, 1004 }; 1005 static const uint8_t kHKDFInfo[32] = { 1006 0xe5, 0x6f, 0xf9, 0xe1, 0x18, 0x5e, 0x64, 0x8c, 0x6c, 0x8f, 0xee, 1007 0xc6, 0x93, 0x5a, 0xc5, 0x14, 0x8c, 0xf3, 0xd9, 0x78, 0xd2, 0x3a, 1008 0x86, 0xdd, 0x01, 0xdf, 0xb9, 0xe9, 0x5e, 0xe5, 0x1a, 0x56, 1009 }; 1010 static const uint8_t kHKDFOutput[32] = { 1011 0xa6, 0x29, 0xb4, 0xd7, 0xf4, 0xc1, 0x16, 0x64, 0x71, 0x5e, 0xa4, 1012 0xa8, 0xe6, 0x60, 0x8c, 0xf3, 0xc1, 0xa5, 0x03, 0xe2, 0x22, 0xf9, 1013 0x89, 0xe2, 0x12, 0x18, 0xbe, 0xef, 0x16, 0x86, 0xe0, 0xec, 1014 }; 1015 uint8_t hkdf_output[sizeof(kHKDFOutput)]; 1016 if (!HKDF(hkdf_output, sizeof(hkdf_output), EVP_sha256(), kHKDFSecret, 1017 sizeof(kHKDFSecret), kHKDFSalt, sizeof(kHKDFSalt), kHKDFInfo, 1018 sizeof(kHKDFInfo)) || 1019 !BORINGSSL_check_test(kHKDFOutput, hkdf_output, sizeof(kHKDFOutput), 1020 "HKDF")) { 1021 fprintf(CRYPTO_get_stderr(), "HKDF failed.\n"); 1022 goto err; 1023 } 1024 1025 ret = 1; 1026 1027err: 1028 EVP_AEAD_CTX_cleanup(&aead_ctx); 1029 1030 return ret; 1031} 1032 1033int BORINGSSL_self_test(void) { 1034 if (!boringssl_self_test_fast() || 1035 // When requested to run self tests, also run the lazy tests. 1036 !boringssl_self_test_rsa() || // 1037 !boringssl_self_test_ecc() || // 1038 !boringssl_self_test_ffdh() || // 1039 !boringssl_self_test_mlkem() || // 1040 !boringssl_self_test_mldsa() || // 1041 !boringssl_self_test_slhdsa()) { 1042 return 0; 1043 } 1044 1045 return 1; 1046} 1047 1048#if defined(BORINGSSL_FIPS) 1049int boringssl_self_test_startup(void) { return boringssl_self_test_fast(); } 1050#endif 1051 1052#endif // !_MSC_VER 1053