1 /* Copyright (c) 2017, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #if !defined(_GNU_SOURCE)
16 #define _GNU_SOURCE /* needed for syscall() on Linux. */
17 #endif
18
19 #include <openssl/aead.h>
20 #include <openssl/aes.h>
21 #include <openssl/base.h>
22 #include <openssl/bn.h>
23 #include <openssl/crypto.h>
24 #include <openssl/des.h>
25 #include <openssl/ecdsa.h>
26 #include <openssl/ec_key.h>
27 #include <openssl/hmac.h>
28 #include <openssl/nid.h>
29 #include <openssl/rsa.h>
30 #include <openssl/sha.h>
31
32 #include "../internal.h"
33 #include "rand/internal.h"
34
35 #include "aes/aes.c"
36 #include "aes/key_wrap.c"
37 #include "aes/mode_wrappers.c"
38 #include "bn/add.c"
39 #include "bn/asm/x86_64-gcc.c"
40 #include "bn/bn.c"
41 #include "bn/bytes.c"
42 #include "bn/cmp.c"
43 #include "bn/ctx.c"
44 #include "bn/div.c"
45 #include "bn/exponentiation.c"
46 #include "bn/gcd.c"
47 #include "bn/generic.c"
48 #include "bn/jacobi.c"
49 #include "bn/montgomery.c"
50 #include "bn/montgomery_inv.c"
51 #include "bn/mul.c"
52 #include "bn/prime.c"
53 #include "bn/random.c"
54 #include "bn/rsaz_exp.c"
55 #include "bn/shift.c"
56 #include "bn/sqrt.c"
57 #include "cipher/aead.c"
58 #include "cipher/cipher.c"
59 #include "cipher/e_aes.c"
60 #include "cipher/e_des.c"
61 #include "des/des.c"
62 #include "digest/digest.c"
63 #include "digest/digests.c"
64 #include "ecdsa/ecdsa.c"
65 #include "ec/ec.c"
66 #include "ec/ec_key.c"
67 #include "ec/ec_montgomery.c"
68 #include "ec/oct.c"
69 #include "ec/p224-64.c"
70 #include "ec/p256-64.c"
71 #include "ec/p256-x86_64.c"
72 #include "ec/simple.c"
73 #include "ec/util-64.c"
74 #include "ec/wnaf.c"
75 #include "hmac/hmac.c"
76 #include "md4/md4.c"
77 #include "md5/md5.c"
78 #include "modes/cbc.c"
79 #include "modes/cfb.c"
80 #include "modes/ctr.c"
81 #include "modes/gcm.c"
82 #include "modes/ofb.c"
83 #include "modes/polyval.c"
84 #include "rand/ctrdrbg.c"
85 #include "rand/rand.c"
86 #include "rand/urandom.c"
87 #include "rsa/blinding.c"
88 #include "rsa/padding.c"
89 #include "rsa/rsa.c"
90 #include "rsa/rsa_impl.c"
91 #include "sha/sha1-altivec.c"
92 #include "sha/sha1.c"
93 #include "sha/sha256.c"
94 #include "sha/sha512.c"
95
96
97 #if defined(BORINGSSL_FIPS)
98
hexdump(const uint8_t * in,size_t len)99 static void hexdump(const uint8_t *in, size_t len) {
100 for (size_t i = 0; i < len; i++) {
101 printf("%02x", in[i]);
102 }
103 }
104
check_test(const void * expected,const void * actual,size_t expected_len,const char * name)105 static int check_test(const void *expected, const void *actual,
106 size_t expected_len, const char *name) {
107 if (OPENSSL_memcmp(actual, expected, expected_len) != 0) {
108 printf("%s failed.\nExpected: ", name);
109 hexdump(expected, expected_len);
110 printf("\nCalculated: ");
111 hexdump(actual, expected_len);
112 printf("\n");
113 return 0;
114 }
115 return 1;
116 }
117
set_bignum(BIGNUM ** out,const uint8_t * in,size_t len)118 static int set_bignum(BIGNUM **out, const uint8_t *in, size_t len) {
119 *out = BN_bin2bn(in, len, NULL);
120 return *out != NULL;
121 }
122
self_test_rsa_key(void)123 static RSA *self_test_rsa_key(void) {
124 static const uint8_t kN[] = {
125 0xd3, 0x3a, 0x62, 0x9f, 0x07, 0x77, 0xb0, 0x18, 0xf3, 0xff, 0xfe, 0xcc,
126 0xc9, 0xa2, 0xc2, 0x3a, 0xa6, 0x1d, 0xd8, 0xf0, 0x26, 0x5b, 0x38, 0x90,
127 0x17, 0x48, 0x15, 0xce, 0x21, 0xcd, 0xd6, 0x62, 0x99, 0xe2, 0xd7, 0xda,
128 0x40, 0x80, 0x3c, 0xad, 0x18, 0xb7, 0x26, 0xe9, 0x30, 0x8a, 0x23, 0x3f,
129 0x68, 0x9a, 0x9c, 0x31, 0x34, 0x91, 0x99, 0x06, 0x11, 0x36, 0xb2, 0x9e,
130 0x3a, 0xd0, 0xbc, 0xb9, 0x93, 0x4e, 0xb8, 0x72, 0xa1, 0x9f, 0xb6, 0x8c,
131 0xd5, 0x17, 0x1f, 0x7e, 0xaa, 0x75, 0xbb, 0xdf, 0xa1, 0x70, 0x48, 0xc4,
132 0xec, 0x9a, 0x51, 0xed, 0x41, 0xc9, 0x74, 0xc0, 0x3e, 0x1e, 0x85, 0x2f,
133 0xbe, 0x34, 0xc7, 0x65, 0x34, 0x8b, 0x4d, 0x55, 0x4b, 0xe1, 0x45, 0x54,
134 0x0d, 0x75, 0x7e, 0x89, 0x4d, 0x0c, 0xf6, 0x33, 0xe5, 0xfc, 0xfb, 0x56,
135 0x1b, 0xf2, 0x39, 0x9d, 0xe0, 0xff, 0x55, 0xcf, 0x02, 0x05, 0xb9, 0x74,
136 0xd2, 0x91, 0xfc, 0x87, 0xe1, 0xbb, 0x97, 0x2a, 0xe4, 0xdd, 0x20, 0xc0,
137 0x38, 0x47, 0xc0, 0x76, 0x3f, 0xa1, 0x9b, 0x5c, 0x20, 0xff, 0xff, 0xc7,
138 0x49, 0x3b, 0x4c, 0xaf, 0x99, 0xa6, 0x3e, 0x82, 0x5c, 0x58, 0x27, 0xce,
139 0x01, 0x03, 0xc3, 0x16, 0x35, 0x20, 0xe9, 0xf0, 0x15, 0x7a, 0x41, 0xd5,
140 0x1f, 0x52, 0xea, 0xdf, 0xad, 0x4c, 0xbb, 0x0d, 0xcb, 0x04, 0x91, 0xb0,
141 0x95, 0xa8, 0xce, 0x25, 0xfd, 0xd2, 0x62, 0x47, 0x77, 0xee, 0x13, 0xf1,
142 0x48, 0x72, 0x9e, 0xd9, 0x2d, 0xe6, 0x5f, 0xa4, 0xc6, 0x9e, 0x5a, 0xb2,
143 0xc6, 0xa2, 0xf7, 0x0a, 0x16, 0x17, 0xae, 0x6b, 0x1c, 0x30, 0x7c, 0x63,
144 0x08, 0x83, 0xe7, 0x43, 0xec, 0x54, 0x5e, 0x2c, 0x08, 0x0b, 0x5e, 0x46,
145 0xa7, 0x10, 0x93, 0x43, 0x53, 0x4e, 0xe3, 0x16, 0x73, 0x55, 0xce, 0xf2,
146 0x94, 0xc0, 0xbe, 0xb3,
147 };
148 static const uint8_t kE[] = {0x01, 0x00, 0x01}; /* 65537 */
149 static const uint8_t kD[] = {
150 0x2f, 0x2c, 0x1e, 0xd2, 0x3d, 0x2c, 0xb1, 0x9b, 0x21, 0x02, 0xce, 0xb8,
151 0x95, 0x5f, 0x4f, 0xd9, 0x21, 0x38, 0x11, 0x36, 0xb0, 0x9a, 0x36, 0xab,
152 0x97, 0x47, 0x75, 0xf7, 0x2e, 0xfd, 0x75, 0x1f, 0x58, 0x16, 0x9c, 0xf6,
153 0x14, 0xe9, 0x8e, 0xa3, 0x69, 0x9d, 0x9d, 0x86, 0xfe, 0x5c, 0x1b, 0x3b,
154 0x11, 0xf5, 0x55, 0x64, 0x77, 0xc4, 0xfc, 0x53, 0xaa, 0x8c, 0x78, 0x9f,
155 0x75, 0xab, 0x20, 0x3a, 0xa1, 0x77, 0x37, 0x22, 0x02, 0x8e, 0x54, 0x8a,
156 0x67, 0x1c, 0x5e, 0xe0, 0x3e, 0xd9, 0x44, 0x37, 0xd1, 0x29, 0xee, 0x56,
157 0x6c, 0x30, 0x9a, 0x93, 0x4d, 0xd9, 0xdb, 0xc5, 0x03, 0x1a, 0x75, 0xcc,
158 0x0f, 0xc2, 0x61, 0xb5, 0x6c, 0x62, 0x9f, 0xc6, 0xa8, 0xc7, 0x8a, 0x60,
159 0x17, 0x11, 0x62, 0x4c, 0xef, 0x74, 0x31, 0x97, 0xad, 0x89, 0x2d, 0xe8,
160 0x31, 0x1d, 0x8b, 0x58, 0x82, 0xe3, 0x03, 0x1a, 0x6b, 0xdf, 0x3f, 0x3e,
161 0xa4, 0x27, 0x19, 0xef, 0x46, 0x7a, 0x90, 0xdf, 0xa7, 0xe7, 0xc9, 0x66,
162 0xab, 0x41, 0x1d, 0x65, 0x78, 0x1c, 0x18, 0x40, 0x5c, 0xd6, 0x87, 0xb5,
163 0xea, 0x29, 0x44, 0xb3, 0xf5, 0xb3, 0xd2, 0x4f, 0xce, 0x88, 0x78, 0x49,
164 0x27, 0x4e, 0x0b, 0x30, 0x85, 0xfb, 0x73, 0xfd, 0x8b, 0x32, 0x15, 0xee,
165 0x1f, 0xc9, 0x0e, 0x89, 0xb9, 0x43, 0x2f, 0xe9, 0x60, 0x8d, 0xda, 0xae,
166 0x2b, 0x30, 0x99, 0xee, 0x88, 0x81, 0x20, 0x7b, 0x4a, 0xc3, 0x18, 0xf2,
167 0x94, 0x02, 0x79, 0x94, 0xaa, 0x65, 0xd9, 0x1b, 0x45, 0x2a, 0xac, 0x6e,
168 0x30, 0x48, 0x57, 0xea, 0xbe, 0x79, 0x7d, 0xfc, 0x67, 0xaa, 0x47, 0xc0,
169 0xf7, 0x52, 0xfd, 0x0b, 0x63, 0x4e, 0x3d, 0x2e, 0xcc, 0x36, 0xa0, 0xdb,
170 0x92, 0x0b, 0xa9, 0x1b, 0xeb, 0xc2, 0xd5, 0x08, 0xd3, 0x85, 0x87, 0xf8,
171 0x5d, 0x1a, 0xf6, 0xc1,
172 };
173 static const uint8_t kP[] = {
174 0xf7, 0x06, 0xa3, 0x98, 0x8a, 0x52, 0xf8, 0x63, 0x68, 0x27, 0x4f, 0x68,
175 0x7f, 0x34, 0xec, 0x8e, 0x5d, 0xf8, 0x30, 0x92, 0xb3, 0x62, 0x4c, 0xeb,
176 0xdb, 0x19, 0x6b, 0x09, 0xc5, 0xa3, 0xf0, 0xbb, 0xff, 0x0f, 0xc2, 0xd4,
177 0x9b, 0xc9, 0x54, 0x4f, 0xb9, 0xf9, 0xe1, 0x4c, 0xf0, 0xe3, 0x4c, 0x90,
178 0xda, 0x7a, 0x01, 0xc2, 0x9f, 0xc4, 0xc8, 0x8e, 0xb1, 0x1e, 0x93, 0x75,
179 0x75, 0xc6, 0x13, 0x25, 0xc3, 0xee, 0x3b, 0xcc, 0xb8, 0x72, 0x6c, 0x49,
180 0xb0, 0x09, 0xfb, 0xab, 0x44, 0xeb, 0x4d, 0x40, 0xf0, 0x61, 0x6b, 0xe5,
181 0xe6, 0xfe, 0x3e, 0x0a, 0x77, 0x26, 0x39, 0x76, 0x3d, 0x4c, 0x3e, 0x9b,
182 0x5b, 0xc0, 0xaf, 0xa2, 0x58, 0x76, 0xb0, 0xe9, 0xda, 0x7f, 0x0e, 0x78,
183 0xc9, 0x76, 0x49, 0x5c, 0xfa, 0xb3, 0xb0, 0x15, 0x4b, 0x41, 0xc7, 0x27,
184 0xa4, 0x75, 0x28, 0x5c, 0x30, 0x69, 0x50, 0x29,
185 };
186 static const uint8_t kQ[] = {
187 0xda, 0xe6, 0xd2, 0xbb, 0x44, 0xff, 0x4f, 0xdf, 0x57, 0xc1, 0x11, 0xa3,
188 0x51, 0xba, 0x17, 0x89, 0x4c, 0x01, 0xc0, 0x0c, 0x97, 0x34, 0x50, 0xcf,
189 0x32, 0x1e, 0xc0, 0xbd, 0x7b, 0x35, 0xb5, 0x6a, 0x26, 0xcc, 0xea, 0x4c,
190 0x8e, 0x87, 0x4a, 0x67, 0x8b, 0xd3, 0xe5, 0x4f, 0x3a, 0x60, 0x48, 0x59,
191 0x04, 0x93, 0x39, 0xd7, 0x7c, 0xfb, 0x19, 0x1a, 0x34, 0xd5, 0xe8, 0xaf,
192 0xe7, 0x22, 0x2c, 0x0d, 0xc2, 0x91, 0x69, 0xb6, 0xe9, 0x2a, 0xe9, 0x1c,
193 0x4c, 0x6e, 0x8f, 0x40, 0xf5, 0xa8, 0x3e, 0x82, 0x69, 0x69, 0xbe, 0x9f,
194 0x7d, 0x5c, 0x7f, 0x92, 0x78, 0x17, 0xa3, 0x6d, 0x41, 0x2d, 0x72, 0xed,
195 0x3f, 0x71, 0xfa, 0x97, 0xb4, 0x63, 0xe4, 0x4f, 0xd9, 0x46, 0x03, 0xfb,
196 0x00, 0xeb, 0x30, 0x70, 0xb9, 0x51, 0xd9, 0x0a, 0xd2, 0xf8, 0x50, 0xd4,
197 0xfb, 0x43, 0x84, 0xf8, 0xac, 0x58, 0xc3, 0x7b,
198 };
199 static const uint8_t kDModPMinusOne[] = {
200 0xf5, 0x50, 0x8f, 0x88, 0x7d, 0xdd, 0xb5, 0xb4, 0x2a, 0x8b, 0xd7, 0x4d,
201 0x23, 0xfe, 0xaf, 0xe9, 0x16, 0x22, 0xd2, 0x41, 0xed, 0x88, 0xf2, 0x70,
202 0xcb, 0x4d, 0xeb, 0xc1, 0x71, 0x97, 0xc4, 0x0b, 0x3e, 0x5a, 0x2d, 0x96,
203 0xab, 0xfa, 0xfd, 0x12, 0x8b, 0xd3, 0x3e, 0x4e, 0x05, 0x6f, 0x04, 0xeb,
204 0x59, 0x3c, 0x0e, 0xa1, 0x73, 0xbe, 0x9d, 0x99, 0x2f, 0x05, 0xf9, 0x54,
205 0x8d, 0x98, 0x1e, 0x0d, 0xc4, 0x0c, 0xc3, 0x30, 0x23, 0xff, 0xe5, 0xd0,
206 0x2b, 0xd5, 0x4e, 0x2b, 0xa0, 0xae, 0xb8, 0x32, 0x84, 0x45, 0x8b, 0x3c,
207 0x6d, 0xf0, 0x10, 0x36, 0x9e, 0x6a, 0xc4, 0x67, 0xca, 0xa9, 0xfc, 0x06,
208 0x96, 0xd0, 0xbc, 0xda, 0xd1, 0x55, 0x55, 0x8d, 0x77, 0x21, 0xf4, 0x82,
209 0x39, 0x37, 0x91, 0xd5, 0x97, 0x56, 0x78, 0xc8, 0x3c, 0xcb, 0x5e, 0xf6,
210 0xdc, 0x58, 0x48, 0xb3, 0x7c, 0x94, 0x29, 0x39,
211 };
212 static const uint8_t kDModQMinusOne[] = {
213 0x64, 0x65, 0xbd, 0x7d, 0x1a, 0x96, 0x26, 0xa1, 0xfe, 0xf3, 0x94, 0x0d,
214 0x5d, 0xec, 0x85, 0xe2, 0xf8, 0xb3, 0x4c, 0xcb, 0xf9, 0x85, 0x8b, 0x12,
215 0x9c, 0xa0, 0x32, 0x32, 0x35, 0x92, 0x5a, 0x94, 0x47, 0x1b, 0x70, 0xd2,
216 0x90, 0x04, 0x49, 0x01, 0xd8, 0xc5, 0xe4, 0xc4, 0x43, 0xb7, 0xe9, 0x36,
217 0xba, 0xbc, 0x73, 0xa8, 0xfb, 0xaf, 0x86, 0xc1, 0xd8, 0x3d, 0xcb, 0xac,
218 0xf1, 0xcb, 0x60, 0x7d, 0x27, 0x21, 0xde, 0x64, 0x7f, 0xe8, 0xa8, 0x65,
219 0xcc, 0x40, 0x60, 0xff, 0xa0, 0x2b, 0xfc, 0x0f, 0x80, 0x1d, 0x79, 0xca,
220 0x58, 0x8a, 0xd6, 0x0f, 0xed, 0x78, 0x9a, 0x02, 0x00, 0x04, 0xc2, 0x53,
221 0x41, 0xe8, 0x1a, 0xd0, 0xfd, 0x71, 0x5b, 0x43, 0xac, 0x19, 0x4a, 0xb6,
222 0x12, 0xa3, 0xcb, 0xe1, 0xc7, 0x7d, 0x5c, 0x98, 0x74, 0x4e, 0x63, 0x74,
223 0x6b, 0x91, 0x7a, 0x29, 0x3b, 0x92, 0xb2, 0x85,
224 };
225 static const uint8_t kQInverseModP[] = {
226 0xd0, 0xde, 0x19, 0xda, 0x1e, 0xa2, 0xd8, 0x8f, 0x1c, 0x92, 0x73, 0xb0,
227 0xc9, 0x90, 0xc7, 0xf5, 0xec, 0xc5, 0x89, 0x01, 0x05, 0x78, 0x11, 0x2d,
228 0x74, 0x34, 0x44, 0xad, 0xd5, 0xf7, 0xa4, 0xfe, 0x9f, 0x25, 0x4d, 0x0b,
229 0x92, 0xe3, 0xb8, 0x7d, 0xd3, 0xfd, 0xa5, 0xca, 0x95, 0x60, 0xa3, 0xf9,
230 0x55, 0x42, 0x14, 0xb2, 0x45, 0x51, 0x9f, 0x73, 0x88, 0x43, 0x8a, 0xd1,
231 0x65, 0x9e, 0xd1, 0xf7, 0x82, 0x2a, 0x2a, 0x8d, 0x70, 0x56, 0xe3, 0xef,
232 0xc9, 0x0e, 0x2a, 0x2c, 0x15, 0xaf, 0x7f, 0x97, 0x81, 0x66, 0xf3, 0xb5,
233 0x00, 0xa9, 0x26, 0xcc, 0x1e, 0xc2, 0x98, 0xdd, 0xd3, 0x37, 0x06, 0x79,
234 0xb3, 0x60, 0x58, 0x79, 0x99, 0x3f, 0xa3, 0x15, 0x1f, 0x31, 0xe3, 0x11,
235 0x88, 0x4c, 0x35, 0x57, 0xfa, 0x79, 0xd7, 0xd8, 0x72, 0xee, 0x73, 0x95,
236 0x89, 0x29, 0xc7, 0x05, 0x27, 0x68, 0x90, 0x15,
237 };
238
239 RSA *rsa = RSA_new();
240 if (rsa == NULL ||
241 !set_bignum(&rsa->n, kN, sizeof(kN)) ||
242 !set_bignum(&rsa->e, kE, sizeof(kE)) ||
243 !set_bignum(&rsa->d, kD, sizeof(kD)) ||
244 !set_bignum(&rsa->p, kP, sizeof(kP)) ||
245 !set_bignum(&rsa->q, kQ, sizeof(kQ)) ||
246 !set_bignum(&rsa->dmp1, kDModPMinusOne, sizeof(kDModPMinusOne)) ||
247 !set_bignum(&rsa->dmq1, kDModQMinusOne, sizeof(kDModQMinusOne)) ||
248 !set_bignum(&rsa->iqmp, kQInverseModP, sizeof(kQInverseModP))) {
249 RSA_free(rsa);
250 return NULL;
251 }
252
253 return rsa;
254 }
255
self_test_ecdsa_key(void)256 static EC_KEY *self_test_ecdsa_key(void) {
257 static const uint8_t kQx[] = {
258 0xc8, 0x15, 0x61, 0xec, 0xf2, 0xe5, 0x4e, 0xde, 0xfe, 0x66, 0x17,
259 0xdb, 0x1c, 0x7a, 0x34, 0xa7, 0x07, 0x44, 0xdd, 0xb2, 0x61, 0xf2,
260 0x69, 0xb8, 0x3d, 0xac, 0xfc, 0xd2, 0xad, 0xe5, 0xa6, 0x81,
261 };
262 static const uint8_t kQy[] = {
263 0xe0, 0xe2, 0xaf, 0xa3, 0xf9, 0xb6, 0xab, 0xe4, 0xc6, 0x98, 0xef,
264 0x64, 0x95, 0xf1, 0xbe, 0x49, 0xa3, 0x19, 0x6c, 0x50, 0x56, 0xac,
265 0xb3, 0x76, 0x3f, 0xe4, 0x50, 0x7e, 0xec, 0x59, 0x6e, 0x88,
266 };
267 static const uint8_t kD[] = {
268 0xc6, 0xc1, 0xaa, 0xda, 0x15, 0xb0, 0x76, 0x61, 0xf8, 0x14, 0x2c,
269 0x6c, 0xaf, 0x0f, 0xdb, 0x24, 0x1a, 0xff, 0x2e, 0xfe, 0x46, 0xc0,
270 0x93, 0x8b, 0x74, 0xf2, 0xbc, 0xc5, 0x30, 0x52, 0xb0, 0x77,
271 };
272
273 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
274 BIGNUM *qx = BN_bin2bn(kQx, sizeof(kQx), NULL);
275 BIGNUM *qy = BN_bin2bn(kQy, sizeof(kQy), NULL);
276 BIGNUM *d = BN_bin2bn(kD, sizeof(kD), NULL);
277 if (ec_key == NULL || qx == NULL || qy == NULL || d == NULL ||
278 !EC_KEY_set_public_key_affine_coordinates(ec_key, qx, qy) ||
279 !EC_KEY_set_private_key(ec_key, d)) {
280 EC_KEY_free(ec_key);
281 ec_key = NULL;
282 }
283
284 BN_free(qx);
285 BN_free(qy);
286 BN_free(d);
287 return ec_key;
288 }
289
290 #if !defined(OPENSSL_ASAN)
291 /* These symbols are filled in by delocate.go. They point to the start and end
292 * of the module, and the location of the integrity hash, respectively. */
293 extern const uint8_t BORINGSSL_bcm_text_start[];
294 extern const uint8_t BORINGSSL_bcm_text_end[];
295 extern const uint8_t BORINGSSL_bcm_text_hash[];
296 #endif
297
298 static void __attribute__((constructor))
BORINGSSL_bcm_power_on_self_test(void)299 BORINGSSL_bcm_power_on_self_test(void) {
300 CRYPTO_library_init();
301
302 #if !defined(OPENSSL_ASAN)
303 /* Integrity tests cannot run under ASAN because it involves reading the full
304 * .text section, which triggers the global-buffer overflow detection. */
305 const uint8_t *const start = BORINGSSL_bcm_text_start;
306 const uint8_t *const end = BORINGSSL_bcm_text_end;
307
308 static const uint8_t kHMACKey[64] = {0};
309 uint8_t result[SHA512_DIGEST_LENGTH];
310
311 unsigned result_len;
312 if (!HMAC(EVP_sha512(), kHMACKey, sizeof(kHMACKey), start, end - start,
313 result, &result_len) ||
314 result_len != sizeof(result)) {
315 goto err;
316 }
317
318 const uint8_t *expected = BORINGSSL_bcm_text_hash;
319
320 if (!check_test(expected, result, sizeof(result), "FIPS integrity test")) {
321 goto err;
322 }
323 #endif
324
325 static const uint8_t kAESKey[16] = "BoringCrypto Key";
326 static const uint8_t kAESIV[16] = {0};
327 static const uint8_t kPlaintext[64] =
328 "BoringCryptoModule FIPS KAT Encryption and Decryption Plaintext!";
329 static const uint8_t kAESCBCCiphertext[64] = {
330 0x87, 0x2d, 0x98, 0xc2, 0xcc, 0x31, 0x5b, 0x41, 0xe0, 0xfa, 0x7b,
331 0x0a, 0x71, 0xc0, 0x42, 0xbf, 0x4f, 0x61, 0xd0, 0x0d, 0x58, 0x8c,
332 0xf7, 0x05, 0xfb, 0x94, 0x89, 0xd3, 0xbc, 0xaa, 0x1a, 0x50, 0x45,
333 0x1f, 0xc3, 0x8c, 0xb8, 0x98, 0x86, 0xa3, 0xe3, 0x6c, 0xfc, 0xad,
334 0x3a, 0xb5, 0x59, 0x27, 0x7d, 0x21, 0x07, 0xca, 0x4c, 0x1d, 0x55,
335 0x34, 0xdd, 0x5a, 0x2d, 0xc4, 0xb4, 0xf5, 0xa8,
336 #if !defined(BORINGSSL_FIPS_BREAK_AES_CBC)
337 0x35
338 #else
339 0x00
340 #endif
341 };
342 static const uint8_t kAESGCMCiphertext[80] = {
343 0x4a, 0xd8, 0xe7, 0x7d, 0x78, 0xd7, 0x7d, 0x5e, 0xb2, 0x11, 0xb6, 0xc9,
344 0xa4, 0xbc, 0xb2, 0xae, 0xbe, 0x93, 0xd1, 0xb7, 0xfe, 0x65, 0xc1, 0x82,
345 0x2a, 0xb6, 0x71, 0x5f, 0x1a, 0x7c, 0xe0, 0x1b, 0x2b, 0xe2, 0x53, 0xfa,
346 0xa0, 0x47, 0xfa, 0xd7, 0x8f, 0xb1, 0x4a, 0xc4, 0xdc, 0x89, 0xf9, 0xb4,
347 0x14, 0x4d, 0xde, 0x95, 0xea, 0x29, 0x69, 0x76, 0x81, 0xa3, 0x5c, 0x33,
348 0xd8, 0x37, 0xd8, 0xfa, 0x47, 0x19, 0x46, 0x2f, 0xf1, 0x90, 0xb7, 0x61,
349 0x8f, 0x6f, 0xdd, 0x31, 0x3f, 0x6a, 0x64,
350 #if !defined(BORINGSSL_FIPS_BREAK_AES_GCM)
351 0x0d
352 #else
353 0x00
354 #endif
355 };
356 static const DES_cblock kDESKey1 = {"BCMDESK1"};
357 static const DES_cblock kDESKey2 = {"BCMDESK2"};
358 static const DES_cblock kDESKey3 = {"BCMDESK3"};
359 static const DES_cblock kDESIV = {"BCMDESIV"};
360 static const uint8_t kDESCiphertext[64] = {
361 0xa4, 0x30, 0x7a, 0x4c, 0x1f, 0x60, 0x16, 0xd7, 0x4f, 0x41, 0xe1,
362 0xbb, 0x27, 0xc4, 0x27, 0x37, 0xd4, 0x7f, 0xb9, 0x10, 0xf8, 0xbc,
363 0xaf, 0x93, 0x91, 0xb8, 0x88, 0x24, 0xb1, 0xf6, 0xf8, 0xbd, 0x31,
364 0x96, 0x06, 0x76, 0xde, 0x32, 0xcd, 0x29, 0x29, 0xba, 0x70, 0x5f,
365 0xea, 0xc0, 0xcb, 0xde, 0xc7, 0x75, 0x90, 0xe0, 0x0f, 0x5e, 0x2c,
366 0x0d, 0x49, 0x20, 0xd5, 0x30, 0x83, 0xf8, 0x08,
367 #if !defined(BORINGSSL_FIPS_BREAK_DES)
368 0x5a
369 #else
370 0x00
371 #endif
372 };
373 static const uint8_t kPlaintextSHA1[20] = {
374 0xc6, 0xf8, 0xc9, 0x63, 0x1c, 0x14, 0x23, 0x62, 0x9b, 0xbd,
375 0x55, 0x82, 0xf4, 0xd6, 0x1d, 0xf2, 0xab, 0x7d, 0xc8,
376 #if !defined(BORINGSSL_FIPS_BREAK_SHA_1)
377 0x28
378 #else
379 0x00
380 #endif
381 };
382 static const uint8_t kPlaintextSHA256[32] = {
383 0x37, 0xbd, 0x70, 0x53, 0x72, 0xfc, 0xd4, 0x03, 0x79, 0x70, 0xfb,
384 0x06, 0x95, 0xb1, 0x2a, 0x82, 0x48, 0xe1, 0x3e, 0xf2, 0x33, 0xfb,
385 0xef, 0x29, 0x81, 0x22, 0x45, 0x40, 0x43, 0x70, 0xce,
386 #if !defined(BORINGSSL_FIPS_BREAK_SHA_256)
387 0x0f
388 #else
389 0x00
390 #endif
391 };
392 static const uint8_t kPlaintextSHA512[64] = {
393 0x08, 0x6a, 0x1c, 0x84, 0x61, 0x9d, 0x8e, 0xb3, 0xc0, 0x97, 0x4e,
394 0xa1, 0x9f, 0x9c, 0xdc, 0xaf, 0x3b, 0x5c, 0x31, 0xf0, 0xf2, 0x74,
395 0xc3, 0xbd, 0x6e, 0xd6, 0x1e, 0xb2, 0xbb, 0x34, 0x74, 0x72, 0x5c,
396 0x51, 0x29, 0x8b, 0x87, 0x3a, 0xa3, 0xf2, 0x25, 0x23, 0xd4, 0x1c,
397 0x82, 0x1b, 0xfe, 0xd3, 0xc6, 0xee, 0xb5, 0xd6, 0xaf, 0x07, 0x7b,
398 0x98, 0xca, 0xa7, 0x01, 0xf3, 0x94, 0xf3, 0x68,
399 #if !defined(BORINGSSL_FIPS_BREAK_SHA_512)
400 0x14
401 #else
402 0x00
403 #endif
404 };
405 static const uint8_t kRSASignature[256] = {
406 0x62, 0x66, 0x4b, 0xe3, 0xb1, 0xd2, 0x83, 0xf1, 0xa8, 0x56, 0x2b, 0x33,
407 0x60, 0x1e, 0xdb, 0x1e, 0x06, 0xf7, 0xa7, 0x1e, 0xa8, 0xef, 0x03, 0x4d,
408 0x0c, 0xf6, 0x83, 0x75, 0x7a, 0xf0, 0x14, 0xc7, 0xe2, 0x94, 0x3a, 0xb5,
409 0x67, 0x56, 0xa5, 0x48, 0x7f, 0x3a, 0xa5, 0xbf, 0xf7, 0x1d, 0x44, 0xa6,
410 0x34, 0xed, 0x9b, 0xd6, 0x51, 0xaa, 0x2c, 0x4e, 0xce, 0x60, 0x5f, 0xe9,
411 0x0e, 0xd5, 0xcd, 0xeb, 0x23, 0x27, 0xf8, 0xfb, 0x45, 0xe5, 0x34, 0x63,
412 0x77, 0x7f, 0x2e, 0x80, 0xcf, 0x9d, 0x2e, 0xfc, 0xe2, 0x50, 0x75, 0x29,
413 0x46, 0xf4, 0xaf, 0x91, 0xed, 0x36, 0xe1, 0x5e, 0xef, 0x66, 0xa1, 0xff,
414 0x27, 0xfc, 0x87, 0x7e, 0x60, 0x84, 0x0f, 0x54, 0x51, 0x56, 0x0f, 0x68,
415 0x99, 0xc0, 0x3f, 0xeb, 0xa5, 0xa0, 0x46, 0xb0, 0x86, 0x02, 0xb0, 0xc8,
416 0xe8, 0x46, 0x13, 0x06, 0xcd, 0xb7, 0x8a, 0xd0, 0x3b, 0x46, 0xd0, 0x14,
417 0x64, 0x53, 0x9b, 0x5b, 0x5e, 0x02, 0x45, 0xba, 0x6e, 0x7e, 0x0a, 0xb9,
418 0x9e, 0x62, 0xb7, 0xd5, 0x7a, 0x87, 0xea, 0xd3, 0x24, 0xa5, 0xef, 0xb3,
419 0xdc, 0x05, 0x9c, 0x04, 0x60, 0x4b, 0xde, 0xa8, 0x90, 0x08, 0x7b, 0x6a,
420 0x5f, 0xb4, 0x3f, 0xda, 0xc5, 0x1f, 0x6e, 0xd6, 0x15, 0xde, 0x65, 0xa4,
421 0x6e, 0x62, 0x9d, 0x8f, 0xa8, 0xbe, 0x86, 0xf6, 0x09, 0x90, 0x40, 0xa5,
422 0xf4, 0x23, 0xc5, 0xf6, 0x38, 0x86, 0x0d, 0x1c, 0xed, 0x4a, 0x0a, 0xae,
423 0xa4, 0x26, 0xc2, 0x2e, 0xd3, 0x13, 0x66, 0x61, 0xea, 0x35, 0x01, 0x0e,
424 0x13, 0xda, 0x78, 0x20, 0xae, 0x59, 0x5f, 0x9b, 0xa9, 0x6c, 0xf9, 0x1b,
425 0xdf, 0x76, 0x53, 0xc8, 0xa7, 0xf5, 0x63, 0x6d, 0xf3, 0xff, 0xfd, 0xaf,
426 0x75, 0x4b, 0xac, 0x67, 0xb1, 0x3c, 0xbf, 0x5e, 0xde, 0x73, 0x02, 0x6d,
427 0xd2, 0x0c, 0xb1,
428 #if !defined(BORINGSSL_FIPS_BREAK_RSA_SIG)
429 0x64
430 #else
431 0x00
432 #endif
433 };
434 const uint8_t kDRBGEntropy[48] =
435 "BCM Known Answer Test DBRG Initial Entropy ";
436 const uint8_t kDRBGPersonalization[18] = "BCMPersonalization";
437 const uint8_t kDRBGAD[16] = "BCM DRBG KAT AD ";
438 const uint8_t kDRBGOutput[64] = {
439 0x1d, 0x63, 0xdf, 0x05, 0x51, 0x49, 0x22, 0x46, 0xcd, 0x9b, 0xc5,
440 0xbb, 0xf1, 0x5d, 0x44, 0xae, 0x13, 0x78, 0xb1, 0xe4, 0x7c, 0xf1,
441 0x96, 0x33, 0x3d, 0x60, 0xb6, 0x29, 0xd4, 0xbb, 0x6b, 0x44, 0xf9,
442 0xef, 0xd9, 0xf4, 0xa2, 0xba, 0x48, 0xea, 0x39, 0x75, 0x59, 0x32,
443 0xf7, 0x31, 0x2c, 0x98, 0x14, 0x2b, 0x49, 0xdf, 0x02, 0xb6, 0x5d,
444 0x71, 0x09, 0x50, 0xdb, 0x23, 0xdb, 0xe5, 0x22,
445 #if !defined(BORINGSSL_FIPS_BREAK_DRBG)
446 0x95
447 #else
448 0x00
449 #endif
450 };
451 const uint8_t kDRBGEntropy2[48] =
452 "BCM Known Answer Test DBRG Reseed Entropy ";
453 const uint8_t kDRBGReseedOutput[64] = {
454 0xa4, 0x77, 0x05, 0xdb, 0x14, 0x11, 0x76, 0x71, 0x42, 0x5b, 0xd8,
455 0xd7, 0xa5, 0x4f, 0x8b, 0x39, 0xf2, 0x10, 0x4a, 0x50, 0x5b, 0xa2,
456 0xc8, 0xf0, 0xbb, 0x3e, 0xa1, 0xa5, 0x90, 0x7d, 0x54, 0xd9, 0xc6,
457 0xb0, 0x96, 0xc0, 0x2b, 0x7e, 0x9b, 0xc9, 0xa1, 0xdd, 0x78, 0x2e,
458 0xd5, 0xa8, 0x66, 0x16, 0xbd, 0x18, 0x3c, 0xf2, 0xaa, 0x7a, 0x2b,
459 0x37, 0xf9, 0xab, 0x35, 0x64, 0x15, 0x01, 0x3f, 0xc4,
460 };
461 const uint8_t kECDSASigR[32] = {
462 0x67, 0x80, 0xc5, 0xfc, 0x70, 0x27, 0x5e, 0x2c, 0x70, 0x61, 0xa0,
463 0xe7, 0x87, 0x7b, 0xb1, 0x74, 0xde, 0xad, 0xeb, 0x98, 0x87, 0x02,
464 0x7f, 0x3f, 0xa8, 0x36, 0x54, 0x15, 0x8b, 0xa7, 0xf5,
465 #if !defined(BORINGSSL_FIPS_BREAK_ECDSA_SIG)
466 0x0c,
467 #else
468 0x00,
469 #endif
470 };
471 const uint8_t kECDSASigS[32] = {
472 0xa5, 0x93, 0xe0, 0x23, 0x91, 0xe7, 0x4b, 0x8d, 0x77, 0x25, 0xa6,
473 0xba, 0x4d, 0xd9, 0x86, 0x77, 0xda, 0x7d, 0x8f, 0xef, 0xc4, 0x1a,
474 0xf0, 0xcc, 0x81, 0xe5, 0xea, 0x3f, 0xc2, 0x41, 0x7f, 0xd8,
475 };
476
477 AES_KEY aes_key;
478 uint8_t aes_iv[16];
479 uint8_t output[256];
480
481 /* AES-CBC Encryption KAT */
482 memcpy(aes_iv, kAESIV, sizeof(kAESIV));
483 if (AES_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) {
484 goto err;
485 }
486 AES_cbc_encrypt(kPlaintext, output, sizeof(kPlaintext), &aes_key, aes_iv,
487 AES_ENCRYPT);
488 if (!check_test(kAESCBCCiphertext, output, sizeof(kAESCBCCiphertext),
489 "AES-CBC Encryption KAT")) {
490 goto err;
491 }
492
493 /* AES-CBC Decryption KAT */
494 memcpy(aes_iv, kAESIV, sizeof(kAESIV));
495 if (AES_set_decrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) {
496 goto err;
497 }
498 AES_cbc_encrypt(kAESCBCCiphertext, output, sizeof(kAESCBCCiphertext),
499 &aes_key, aes_iv, AES_DECRYPT);
500 if (!check_test(kPlaintext, output, sizeof(kPlaintext),
501 "AES-CBC Decryption KAT")) {
502 goto err;
503 }
504
505 size_t out_len;
506 uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
507 OPENSSL_memset(nonce, 0, sizeof(nonce));
508 EVP_AEAD_CTX aead_ctx;
509 if (!EVP_AEAD_CTX_init(&aead_ctx, EVP_aead_aes_128_gcm(), kAESKey,
510 sizeof(kAESKey), 0, NULL)) {
511 goto err;
512 }
513
514 /* AES-GCM Encryption KAT */
515 if (!EVP_AEAD_CTX_seal(&aead_ctx, output, &out_len, sizeof(output), nonce,
516 EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()),
517 kPlaintext, sizeof(kPlaintext), NULL, 0) ||
518 !check_test(kAESGCMCiphertext, output, sizeof(kAESGCMCiphertext),
519 "AES-GCM Encryption KAT")) {
520 goto err;
521 }
522
523 /* AES-GCM Decryption KAT */
524 if (!EVP_AEAD_CTX_open(&aead_ctx, output, &out_len, sizeof(output), nonce,
525 EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()),
526 kAESGCMCiphertext, sizeof(kAESGCMCiphertext), NULL,
527 0) ||
528 !check_test(kPlaintext, output, sizeof(kPlaintext),
529 "AES-GCM Decryption KAT")) {
530 goto err;
531 }
532
533 EVP_AEAD_CTX_cleanup(&aead_ctx);
534
535 DES_key_schedule des1, des2, des3;
536 DES_cblock des_iv;
537 DES_set_key(&kDESKey1, &des1);
538 DES_set_key(&kDESKey2, &des2);
539 DES_set_key(&kDESKey3, &des3);
540
541 /* 3DES Encryption KAT */
542 memcpy(&des_iv, &kDESIV, sizeof(des_iv));
543 DES_ede3_cbc_encrypt(kPlaintext, output, sizeof(kPlaintext), &des1, &des2,
544 &des3, &des_iv, DES_ENCRYPT);
545 if (!check_test(kDESCiphertext, output, sizeof(kDESCiphertext),
546 "3DES Encryption KAT")) {
547 goto err;
548 }
549
550 /* 3DES Decryption KAT */
551 memcpy(&des_iv, &kDESIV, sizeof(des_iv));
552 DES_ede3_cbc_encrypt(kDESCiphertext, output, sizeof(kDESCiphertext), &des1,
553 &des2, &des3, &des_iv, DES_DECRYPT);
554 if (!check_test(kPlaintext, output, sizeof(kPlaintext),
555 "3DES Decryption KAT")) {
556 goto err;
557 }
558
559 /* SHA-1 KAT */
560 SHA1(kPlaintext, sizeof(kPlaintext), output);
561 if (!check_test(kPlaintextSHA1, output, sizeof(kPlaintextSHA1),
562 "SHA-1 KAT")) {
563 goto err;
564 }
565
566 /* SHA-256 KAT */
567 SHA256(kPlaintext, sizeof(kPlaintext), output);
568 if (!check_test(kPlaintextSHA256, output, sizeof(kPlaintextSHA256),
569 "SHA-256 KAT")) {
570 goto err;
571 }
572
573 /* SHA-512 KAT */
574 SHA512(kPlaintext, sizeof(kPlaintext), output);
575 if (!check_test(kPlaintextSHA512, output, sizeof(kPlaintextSHA512),
576 "SHA-512 KAT")) {
577 goto err;
578 }
579
580 RSA *rsa_key = self_test_rsa_key();
581 if (rsa_key == NULL) {
582 printf("RSA KeyGen failed\n");
583 goto err;
584 }
585
586 /* RSA Sign KAT */
587 unsigned sig_len;
588
589 /* Disable blinding for the power-on tests because it's not needed and
590 * triggers an entropy draw. */
591 rsa_key->flags |= RSA_FLAG_NO_BLINDING;
592
593 if (!RSA_sign(NID_sha256, kPlaintextSHA256, sizeof(kPlaintextSHA256), output,
594 &sig_len, rsa_key) ||
595 !check_test(kRSASignature, output, sizeof(kRSASignature),
596 "RSA Sign KAT")) {
597 goto err;
598 }
599
600 /* RSA Verify KAT */
601 if (!RSA_verify(NID_sha256, kPlaintextSHA256, sizeof(kPlaintextSHA256),
602 kRSASignature, sizeof(kRSASignature), rsa_key)) {
603 printf("RSA Verify KAT failed.\n");
604 goto err;
605 }
606
607 RSA_free(rsa_key);
608
609 EC_KEY *ec_key = self_test_ecdsa_key();
610 if (ec_key == NULL) {
611 printf("ECDSA KeyGen failed\n");
612 goto err;
613 }
614
615 /* ECDSA Sign/Verify PWCT */
616
617 /* The 'k' value for ECDSA is fixed to avoid an entropy draw. */
618 ec_key->fixed_k = BN_new();
619 if (ec_key->fixed_k == NULL ||
620 !BN_set_word(ec_key->fixed_k, 42)) {
621 printf("Out of memory\n");
622 goto err;
623 }
624
625 ECDSA_SIG *sig =
626 ECDSA_do_sign(kPlaintextSHA256, sizeof(kPlaintextSHA256), ec_key);
627
628 uint8_t ecdsa_r_bytes[sizeof(kECDSASigR)];
629 uint8_t ecdsa_s_bytes[sizeof(kECDSASigS)];
630 if (sig == NULL ||
631 BN_num_bytes(sig->r) != sizeof(ecdsa_r_bytes) ||
632 !BN_bn2bin(sig->r, ecdsa_r_bytes) ||
633 BN_num_bytes(sig->s) != sizeof(ecdsa_s_bytes) ||
634 !BN_bn2bin(sig->s, ecdsa_s_bytes) ||
635 !check_test(kECDSASigR, ecdsa_r_bytes, sizeof(kECDSASigR), "ECDSA R") ||
636 !check_test(kECDSASigS, ecdsa_s_bytes, sizeof(kECDSASigS), "ECDSA S")) {
637 printf("ECDSA KAT failed.\n");
638 goto err;
639 }
640
641 ECDSA_SIG_free(sig);
642 EC_KEY_free(ec_key);
643
644 /* DBRG KAT */
645 CTR_DRBG_STATE drbg;
646 if (!CTR_DRBG_init(&drbg, kDRBGEntropy, kDRBGPersonalization,
647 sizeof(kDRBGPersonalization)) ||
648 !CTR_DRBG_generate(&drbg, output, sizeof(kDRBGOutput), kDRBGAD,
649 sizeof(kDRBGAD)) ||
650 !check_test(kDRBGOutput, output, sizeof(kDRBGOutput),
651 "DBRG Generate KAT") ||
652 !CTR_DRBG_reseed(&drbg, kDRBGEntropy2, kDRBGAD, sizeof(kDRBGAD)) ||
653 !CTR_DRBG_generate(&drbg, output, sizeof(kDRBGReseedOutput), kDRBGAD,
654 sizeof(kDRBGAD)) ||
655 !check_test(kDRBGReseedOutput, output, sizeof(kDRBGReseedOutput),
656 "DRBG Reseed KAT")) {
657 goto err;
658 }
659 CTR_DRBG_clear(&drbg);
660
661 CTR_DRBG_STATE kZeroDRBG;
662 memset(&kZeroDRBG, 0, sizeof(kZeroDRBG));
663 if (!check_test(&kZeroDRBG, &drbg, sizeof(drbg), "DRBG Clear KAT")) {
664 goto err;
665 }
666
667 return;
668
669 err:
670 BORINGSSL_FIPS_abort();
671 }
672
BORINGSSL_FIPS_abort(void)673 void BORINGSSL_FIPS_abort(void) {
674 for (;;) {
675 abort();
676 exit(1);
677 }
678 }
679 #endif /* BORINGSSL_FIPS */
680