2 * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include <openssl/evp.h>
12 #include <openssl/kdf.h>
13 #include <openssl/core_names.h>
14 #include <openssl/param_build.h>
15 #include "internal/cryptlib.h"
16 #include "internal/nelem.h"
17 #include "self_test.h"
18 #include "self_test_data.inc"
20 static int self_test_digest(const ST_KAT_DIGEST *t, OSSL_SELF_TEST *st,
24 unsigned char out[EVP_MAX_MD_SIZE];
25 unsigned int out_len = 0;
26 EVP_MD_CTX *ctx = EVP_MD_CTX_new();
27 EVP_MD *md = EVP_MD_fetch(libctx, t->algorithm, NULL);
29 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_DIGEST, t->desc);
33 || !EVP_DigestInit_ex(ctx, md, NULL)
34 || !EVP_DigestUpdate(ctx, t->pt, t->pt_len)
35 || !EVP_DigestFinal(ctx, out, &out_len))
38 /* Optional corruption */
39 OSSL_SELF_TEST_oncorrupt_byte(st, out);
41 if (out_len != t->expected_len
42 || memcmp(out, t->expected, out_len) != 0)
48 OSSL_SELF_TEST_onend(st, ok);
53 * Helper function to setup a EVP_CipherInit
54 * Used to hide the complexity of Authenticated ciphers.
56 static int cipher_init(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
57 const ST_KAT_CIPHER *t, int enc)
59 unsigned char *in_tag = NULL;
62 /* Flag required for Key wrapping */
63 EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
65 /* Use a normal cipher init */
66 return EVP_CipherInit_ex(ctx, cipher, NULL, t->key, t->iv, enc)
67 && EVP_CIPHER_CTX_set_padding(ctx, pad);
70 /* The authenticated cipher init */
72 in_tag = (unsigned char *)t->tag;
74 return EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)
75 && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, t->iv_len, NULL)
77 || EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, t->tag_len,
79 && EVP_CipherInit_ex(ctx, NULL, NULL, t->key, t->iv, enc)
80 && EVP_CIPHER_CTX_set_padding(ctx, pad)
81 && EVP_CipherUpdate(ctx, NULL, &tmp, t->aad, t->aad_len);
84 /* Test a single KAT for encrypt/decrypt */
85 static int self_test_cipher(const ST_KAT_CIPHER *t, OSSL_SELF_TEST *st,
88 int ret = 0, encrypt = 1, len = 0, ct_len = 0, pt_len = 0;
89 EVP_CIPHER_CTX *ctx = NULL;
90 EVP_CIPHER *cipher = NULL;
91 unsigned char ct_buf[256] = { 0 };
92 unsigned char pt_buf[256] = { 0 };
94 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_CIPHER, t->base.desc);
96 ctx = EVP_CIPHER_CTX_new();
99 cipher = EVP_CIPHER_fetch(libctx, t->base.algorithm, NULL);
103 /* Encrypt plain text message */
104 if ((t->mode & CIPHER_MODE_ENCRYPT) != 0) {
105 if (!cipher_init(ctx, cipher, t, encrypt)
106 || !EVP_CipherUpdate(ctx, ct_buf, &len, t->base.pt,
108 || !EVP_CipherFinal_ex(ctx, ct_buf + len, &ct_len))
111 OSSL_SELF_TEST_oncorrupt_byte(st, ct_buf);
113 if (ct_len != (int)t->base.expected_len
114 || memcmp(t->base.expected, ct_buf, ct_len) != 0)
117 if (t->tag != NULL) {
118 unsigned char tag[16] = { 0 };
120 if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, t->tag_len,
122 || memcmp(tag, t->tag, t->tag_len) != 0)
127 /* Decrypt cipher text */
128 if ((t->mode & CIPHER_MODE_DECRYPT) != 0) {
129 if (!(cipher_init(ctx, cipher, t, !encrypt)
130 && EVP_CipherUpdate(ctx, pt_buf, &len,
131 t->base.expected, t->base.expected_len)
132 && EVP_CipherFinal_ex(ctx, pt_buf + len, &pt_len)))
134 OSSL_SELF_TEST_oncorrupt_byte(st, pt_buf);
136 if (pt_len != (int)t->base.pt_len
137 || memcmp(pt_buf, t->base.pt, pt_len) != 0)
143 EVP_CIPHER_free(cipher);
144 EVP_CIPHER_CTX_free(ctx);
145 OSSL_SELF_TEST_onend(st, ret);
149 static int add_params(OSSL_PARAM_BLD *bld, const ST_KAT_PARAM *params,
153 const ST_KAT_PARAM *p;
157 for (p = params; p->data != NULL; ++p)
160 case OSSL_PARAM_UNSIGNED_INTEGER: {
161 BIGNUM *bn = BN_CTX_get(ctx);
164 || (BN_bin2bn(p->data, p->data_len, bn) == NULL)
165 || !OSSL_PARAM_BLD_push_BN(bld, p->name, bn))
169 case OSSL_PARAM_UTF8_STRING: {
170 if (!OSSL_PARAM_BLD_push_utf8_string(bld, p->name, p->data,
175 case OSSL_PARAM_OCTET_STRING: {
176 if (!OSSL_PARAM_BLD_push_octet_string(bld, p->name, p->data,
181 case OSSL_PARAM_INTEGER: {
182 if (!OSSL_PARAM_BLD_push_int(bld, p->name, *(int *)p->data))
195 static int self_test_kdf(const ST_KAT_KDF *t, OSSL_SELF_TEST *st,
196 OSSL_LIB_CTX *libctx)
199 unsigned char out[128];
201 EVP_KDF_CTX *ctx = NULL;
202 BN_CTX *bnctx = NULL;
203 OSSL_PARAM *params = NULL;
204 OSSL_PARAM_BLD *bld = NULL;
206 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_KDF, t->desc);
208 bld = OSSL_PARAM_BLD_new();
212 kdf = EVP_KDF_fetch(libctx, t->algorithm, "");
216 ctx = EVP_KDF_CTX_new(kdf);
220 bnctx = BN_CTX_new_ex(libctx);
223 if (!add_params(bld, t->params, bnctx))
225 params = OSSL_PARAM_BLD_to_param(bld);
229 if (t->expected_len > sizeof(out))
231 if (EVP_KDF_derive(ctx, out, t->expected_len, params) <= 0)
234 OSSL_SELF_TEST_oncorrupt_byte(st, out);
236 if (memcmp(out, t->expected, t->expected_len) != 0)
242 EVP_KDF_CTX_free(ctx);
244 OSSL_PARAM_free(params);
245 OSSL_PARAM_BLD_free(bld);
246 OSSL_SELF_TEST_onend(st, ret);
250 static int self_test_drbg(const ST_KAT_DRBG *t, OSSL_SELF_TEST *st,
251 OSSL_LIB_CTX *libctx)
254 unsigned char out[256];
256 EVP_RAND_CTX *test = NULL, *drbg = NULL;
257 unsigned int strength = 256;
258 int prediction_resistance = 1; /* Causes a reseed */
259 OSSL_PARAM drbg_params[3] = {
260 OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END
263 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_DRBG, t->desc);
265 rand = EVP_RAND_fetch(libctx, "TEST-RAND", NULL);
269 test = EVP_RAND_CTX_new(rand, NULL);
274 drbg_params[0] = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH,
276 if (!EVP_RAND_CTX_set_params(test, drbg_params))
279 rand = EVP_RAND_fetch(libctx, t->algorithm, NULL);
283 drbg = EVP_RAND_CTX_new(rand, test);
288 strength = EVP_RAND_strength(drbg);
290 drbg_params[0] = OSSL_PARAM_construct_utf8_string(t->param_name,
292 /* This is only used by HMAC-DRBG but it is ignored by the others */
294 OSSL_PARAM_construct_utf8_string(OSSL_DRBG_PARAM_MAC, "HMAC", 0);
295 if (!EVP_RAND_CTX_set_params(drbg, drbg_params))
299 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY,
300 (void *)t->entropyin,
303 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_NONCE,
304 (void *)t->nonce, t->noncelen);
305 if (!EVP_RAND_instantiate(test, strength, 0, NULL, 0, drbg_params))
307 if (!EVP_RAND_instantiate(drbg, strength, 0, t->persstr, t->persstrlen,
312 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY,
313 (void *)t->entropyinpr1,
315 if (!EVP_RAND_CTX_set_params(test, drbg_params))
318 if (!EVP_RAND_generate(drbg, out, t->expectedlen, strength,
319 prediction_resistance,
320 t->entropyaddin1, t->entropyaddin1len))
324 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY,
325 (void *)t->entropyinpr2,
327 if (!EVP_RAND_CTX_set_params(test, drbg_params))
331 * This calls ossl_prov_drbg_reseed() internally when
332 * prediction_resistance = 1
334 if (!EVP_RAND_generate(drbg, out, t->expectedlen, strength,
335 prediction_resistance,
336 t->entropyaddin2, t->entropyaddin2len))
339 OSSL_SELF_TEST_oncorrupt_byte(st, out);
341 if (memcmp(out, t->expected, t->expectedlen) != 0)
344 if (!EVP_RAND_uninstantiate(drbg))
347 * Check that the DRBG data has been zeroized after
348 * ossl_prov_drbg_uninstantiate.
350 if (!EVP_RAND_verify_zeroization(drbg))
355 EVP_RAND_CTX_free(drbg);
356 EVP_RAND_CTX_free(test);
357 OSSL_SELF_TEST_onend(st, ret);
361 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
362 static int self_test_ka(const ST_KAT_KAS *t,
363 OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
366 EVP_PKEY_CTX *kactx = NULL, *dctx = NULL;
367 EVP_PKEY *pkey = NULL, *peerkey = NULL;
368 OSSL_PARAM *params = NULL;
369 OSSL_PARAM *params_peer = NULL;
370 unsigned char secret[256];
371 size_t secret_len = sizeof(secret);
372 OSSL_PARAM_BLD *bld = NULL;
373 BN_CTX *bnctx = NULL;
375 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_KA, t->desc);
377 bnctx = BN_CTX_new_ex(libctx);
381 bld = OSSL_PARAM_BLD_new();
385 if (!add_params(bld, t->key_group, bnctx)
386 || !add_params(bld, t->key_host_data, bnctx))
388 params = OSSL_PARAM_BLD_to_param(bld);
390 if (!add_params(bld, t->key_group, bnctx)
391 || !add_params(bld, t->key_peer_data, bnctx))
394 params_peer = OSSL_PARAM_BLD_to_param(bld);
395 if (params == NULL || params_peer == NULL)
398 /* Create a EVP_PKEY_CTX to load the DH keys into */
399 kactx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, "");
402 if (EVP_PKEY_fromdata_init(kactx) <= 0
403 || EVP_PKEY_fromdata(kactx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
405 if (EVP_PKEY_fromdata_init(kactx) <= 0
406 || EVP_PKEY_fromdata(kactx, &peerkey, EVP_PKEY_KEYPAIR, params_peer) <= 0)
409 /* Create a EVP_PKEY_CTX to perform key derivation */
410 dctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
414 if (EVP_PKEY_derive_init(dctx) <= 0
415 || EVP_PKEY_derive_set_peer(dctx, peerkey) <= 0
416 || EVP_PKEY_derive(dctx, secret, &secret_len) <= 0)
419 OSSL_SELF_TEST_oncorrupt_byte(st, secret);
421 if (secret_len != t->expected_len
422 || memcmp(secret, t->expected, t->expected_len) != 0)
428 EVP_PKEY_free(peerkey);
429 EVP_PKEY_CTX_free(kactx);
430 EVP_PKEY_CTX_free(dctx);
431 OSSL_PARAM_free(params_peer);
432 OSSL_PARAM_free(params);
433 OSSL_PARAM_BLD_free(bld);
434 OSSL_SELF_TEST_onend(st, ret);
437 #endif /* !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) */
439 static int self_test_sign(const ST_KAT_SIGN *t,
440 OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
443 OSSL_PARAM *params = NULL, *params_sig = NULL;
444 OSSL_PARAM_BLD *bld = NULL;
445 EVP_PKEY_CTX *sctx = NULL, *kctx = NULL;
446 EVP_PKEY *pkey = NULL;
447 unsigned char sig[256];
448 BN_CTX *bnctx = NULL;
450 static const unsigned char dgst[] = {
451 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
452 0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
453 0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
456 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_SIGNATURE, t->desc);
458 bnctx = BN_CTX_new_ex(libctx);
462 bld = OSSL_PARAM_BLD_new();
466 if (!add_params(bld, t->key, bnctx))
468 params = OSSL_PARAM_BLD_to_param(bld);
470 /* Create a EVP_PKEY_CTX to load the DSA key into */
471 kctx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, "");
472 if (kctx == NULL || params == NULL)
474 if (EVP_PKEY_fromdata_init(kctx) <= 0
475 || EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
478 /* Create a EVP_PKEY_CTX to use for the signing operation */
479 sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
481 || EVP_PKEY_sign_init(sctx) <= 0)
484 /* set signature parameters */
485 if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST,
487 strlen(t->mdalgorithm) + 1))
489 params_sig = OSSL_PARAM_BLD_to_param(bld);
490 if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
493 if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0
494 || EVP_PKEY_verify_init(sctx) <= 0
495 || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
499 * Used by RSA, for other key types where the signature changes, we
500 * can only use the verify.
502 if (t->sig_expected != NULL
503 && (siglen != t->sig_expected_len
504 || memcmp(sig, t->sig_expected, t->sig_expected_len) != 0))
507 OSSL_SELF_TEST_oncorrupt_byte(st, sig);
508 if (EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0)
514 EVP_PKEY_CTX_free(kctx);
515 EVP_PKEY_CTX_free(sctx);
516 OSSL_PARAM_free(params);
517 OSSL_PARAM_free(params_sig);
518 OSSL_PARAM_BLD_free(bld);
519 OSSL_SELF_TEST_onend(st, ret);
524 * Test an encrypt or decrypt KAT..
526 * FIPS 140-2 IG D.9 states that separate KAT tests are needed for encrypt
529 static int self_test_asym_cipher(const ST_KAT_ASYM_CIPHER *t, OSSL_SELF_TEST *st,
530 OSSL_LIB_CTX *libctx)
533 OSSL_PARAM *keyparams = NULL, *initparams = NULL;
534 OSSL_PARAM_BLD *keybld = NULL, *initbld = NULL;
535 EVP_PKEY_CTX *encctx = NULL, *keyctx = NULL;
536 EVP_PKEY *key = NULL;
537 BN_CTX *bnctx = NULL;
538 unsigned char out[256];
539 size_t outlen = sizeof(out);
541 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_ASYM_CIPHER, t->desc);
543 bnctx = BN_CTX_new_ex(libctx);
547 /* Load a public or private key from data */
548 keybld = OSSL_PARAM_BLD_new();
550 || !add_params(keybld, t->key, bnctx))
552 keyparams = OSSL_PARAM_BLD_to_param(keybld);
553 keyctx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, NULL);
554 if (keyctx == NULL || keyparams == NULL)
556 if (EVP_PKEY_fromdata_init(keyctx) <= 0
557 || EVP_PKEY_fromdata(keyctx, &key, EVP_PKEY_KEYPAIR, keyparams) <= 0)
560 /* Create a EVP_PKEY_CTX to use for the encrypt or decrypt operation */
561 encctx = EVP_PKEY_CTX_new_from_pkey(libctx, key, NULL);
563 || (t->encrypt && EVP_PKEY_encrypt_init(encctx) <= 0)
564 || (!t->encrypt && EVP_PKEY_decrypt_init(encctx) <= 0))
567 /* Add any additional parameters such as padding */
568 if (t->postinit != NULL) {
569 initbld = OSSL_PARAM_BLD_new();
572 if (!add_params(initbld, t->postinit, bnctx))
574 initparams = OSSL_PARAM_BLD_to_param(initbld);
575 if (initparams == NULL)
577 if (EVP_PKEY_CTX_set_params(encctx, initparams) <= 0)
582 if (EVP_PKEY_encrypt(encctx, out, &outlen,
583 t->in, t->in_len) <= 0)
586 if (EVP_PKEY_decrypt(encctx, out, &outlen,
587 t->in, t->in_len) <= 0)
591 OSSL_SELF_TEST_oncorrupt_byte(st, out);
592 if (outlen != t->expected_len
593 || memcmp(out, t->expected, t->expected_len) != 0)
600 EVP_PKEY_CTX_free(encctx);
601 EVP_PKEY_CTX_free(keyctx);
602 OSSL_PARAM_free(keyparams);
603 OSSL_PARAM_BLD_free(keybld);
604 OSSL_PARAM_free(initparams);
605 OSSL_PARAM_BLD_free(initbld);
606 OSSL_SELF_TEST_onend(st, ret);
611 * Test a data driven list of KAT's for digest algorithms.
612 * All tests are run regardless of if they fail or not.
613 * Return 0 if any test fails.
615 static int self_test_digests(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
619 for (i = 0; i < (int)OSSL_NELEM(st_kat_digest_tests); ++i) {
620 if (!self_test_digest(&st_kat_digest_tests[i], st, libctx))
626 static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
630 for (i = 0; i < (int)OSSL_NELEM(st_kat_cipher_tests); ++i) {
631 if (!self_test_cipher(&st_kat_cipher_tests[i], st, libctx))
637 static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
641 for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_cipher_tests); ++i) {
642 if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx))
648 static int self_test_kdfs(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
652 for (i = 0; i < (int)OSSL_NELEM(st_kat_kdf_tests); ++i) {
653 if (!self_test_kdf(&st_kat_kdf_tests[i], st, libctx))
659 static int self_test_drbgs(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
663 for (i = 0; i < (int)OSSL_NELEM(st_kat_drbg_tests); ++i) {
664 if (!self_test_drbg(&st_kat_drbg_tests[i], st, libctx))
670 static int self_test_kas(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
673 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
676 for (i = 0; i < (int)OSSL_NELEM(st_kat_kas_tests); ++i) {
677 if (!self_test_ka(&st_kat_kas_tests[i], st, libctx))
685 static int self_test_signatures(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
689 for (i = 0; i < (int)OSSL_NELEM(st_kat_sign_tests); ++i) {
690 if (!self_test_sign(&st_kat_sign_tests[i], st, libctx))
697 * Run the algorithm KAT's.
698 * Return 1 is successful, otherwise return 0.
699 * This runs all the tests regardless of if any fail.
701 int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
705 if (!self_test_digests(st, libctx))
707 if (!self_test_ciphers(st, libctx))
709 if (!self_test_signatures(st, libctx))
711 if (!self_test_kdfs(st, libctx))
713 if (!self_test_drbgs(st, libctx))
715 if (!self_test_kas(st, libctx))
717 if (!self_test_asym_ciphers(st, libctx))