2 * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include <openssl/evp.h>
12 #include <openssl/kdf.h>
13 #include <openssl/rand_drbg.h>
14 #include <openssl/core_names.h>
15 #include <openssl/param_build.h>
16 #include "internal/cryptlib.h"
17 #include "internal/nelem.h"
18 #include "self_test.h"
19 #include "self_test_data.inc"
20 #include "../../crypto/rand/rand_local.h"
22 #define DRBG_PARAM_ENTROPY "DRBG-ENTROPY"
23 #define DRBG_PARAM_NONCE "DRBG-NONCE"
25 static int self_test_digest(const ST_KAT_DIGEST *t, OSSL_SELF_TEST *st,
29 unsigned char out[EVP_MAX_MD_SIZE];
30 unsigned int out_len = 0;
31 EVP_MD_CTX *ctx = EVP_MD_CTX_new();
32 EVP_MD *md = EVP_MD_fetch(libctx, t->algorithm, NULL);
34 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_DIGEST, t->desc);
38 || !EVP_DigestInit_ex(ctx, md, NULL)
39 || !EVP_DigestUpdate(ctx, t->pt, t->pt_len)
40 || !EVP_DigestFinal(ctx, out, &out_len))
43 /* Optional corruption */
44 OSSL_SELF_TEST_oncorrupt_byte(st, out);
46 if (out_len != t->expected_len
47 || memcmp(out, t->expected, out_len) != 0)
53 OSSL_SELF_TEST_onend(st, ok);
58 * Helper function to setup a EVP_CipherInit
59 * Used to hide the complexity of Authenticated ciphers.
61 static int cipher_init(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
62 const ST_KAT_CIPHER *t, int enc)
64 unsigned char *in_tag = NULL;
67 /* Flag required for Key wrapping */
68 EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
70 /* Use a normal cipher init */
71 return EVP_CipherInit_ex(ctx, cipher, NULL, t->key, t->iv, enc)
72 && EVP_CIPHER_CTX_set_padding(ctx, pad);
75 /* The authenticated cipher init */
77 in_tag = (unsigned char *)t->tag;
79 return EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)
80 && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, t->iv_len, NULL)
82 || EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, t->tag_len,
84 && EVP_CipherInit_ex(ctx, NULL, NULL, t->key, t->iv, enc)
85 && EVP_CIPHER_CTX_set_padding(ctx, pad)
86 && EVP_CipherUpdate(ctx, NULL, &tmp, t->aad, t->aad_len);
89 /* Test a single KAT for encrypt/decrypt */
90 static int self_test_cipher(const ST_KAT_CIPHER *t, OSSL_SELF_TEST *st,
93 int ret = 0, encrypt = 1, len, ct_len = 0, pt_len = 0;
94 EVP_CIPHER_CTX *ctx = NULL;
95 EVP_CIPHER *cipher = NULL;
96 unsigned char ct_buf[256] = { 0 };
97 unsigned char pt_buf[256] = { 0 };
99 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_CIPHER, t->base.desc);
101 ctx = EVP_CIPHER_CTX_new();
104 cipher = EVP_CIPHER_fetch(libctx, t->base.algorithm, "");
108 /* Encrypt plain text message */
109 if (!cipher_init(ctx, cipher, t, encrypt)
110 || !EVP_CipherUpdate(ctx, ct_buf, &len, t->base.pt, t->base.pt_len)
111 || !EVP_CipherFinal_ex(ctx, ct_buf + len, &ct_len))
114 OSSL_SELF_TEST_oncorrupt_byte(st, ct_buf);
116 if (ct_len != (int)t->base.expected_len
117 || memcmp(t->base.expected, ct_buf, ct_len) != 0)
120 if (t->tag != NULL) {
121 unsigned char tag[16] = { 0 };
123 if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, t->tag_len, tag)
124 || memcmp(tag, t->tag, t->tag_len) != 0)
128 if (!(cipher_init(ctx, cipher, t, !encrypt)
129 && EVP_CipherUpdate(ctx, pt_buf, &len, ct_buf, ct_len)
130 && EVP_CipherFinal_ex(ctx, pt_buf + len, &pt_len)))
134 if (pt_len != (int)t->base.pt_len
135 || memcmp(pt_buf, t->base.pt, pt_len) != 0)
140 EVP_CIPHER_free(cipher);
141 EVP_CIPHER_CTX_free(ctx);
142 OSSL_SELF_TEST_onend(st, ret);
146 static int add_params(OSSL_PARAM_BLD *bld, const ST_KAT_PARAM *params,
150 const ST_KAT_PARAM *p;
154 for (p = params; p->data != NULL; ++p)
157 case OSSL_PARAM_UNSIGNED_INTEGER: {
158 BIGNUM *bn = BN_CTX_get(ctx);
161 || (BN_bin2bn(p->data, p->data_len, bn) == NULL)
162 || !OSSL_PARAM_BLD_push_BN(bld, p->name, bn))
166 case OSSL_PARAM_UTF8_STRING: {
167 if (!OSSL_PARAM_BLD_push_utf8_string(bld, p->name, p->data, 0))
171 case OSSL_PARAM_OCTET_STRING: {
172 if (!OSSL_PARAM_BLD_push_octet_string(bld, p->name, p->data,
186 static int self_test_kdf(const ST_KAT_KDF *t, OSSL_SELF_TEST *st,
190 unsigned char out[64];
192 EVP_KDF_CTX *ctx = NULL;
193 BN_CTX *bnctx = NULL;
194 OSSL_PARAM *params = NULL;
195 OSSL_PARAM_BLD *bld = NULL;
197 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_KDF, t->desc);
199 bld = OSSL_PARAM_BLD_new();
203 kdf = EVP_KDF_fetch(libctx, t->algorithm, "");
207 ctx = EVP_KDF_CTX_new(kdf);
211 bnctx = BN_CTX_new_ex(libctx);
214 if (!add_params(bld, t->params, bnctx))
216 params = OSSL_PARAM_BLD_to_param(bld);
219 if (!EVP_KDF_CTX_set_params(ctx, params))
222 if (t->expected_len > sizeof(out))
224 if (EVP_KDF_derive(ctx, out, t->expected_len) <= 0)
227 OSSL_SELF_TEST_oncorrupt_byte(st, out);
229 if (memcmp(out, t->expected, t->expected_len) != 0)
235 EVP_KDF_CTX_free(ctx);
237 OSSL_PARAM_BLD_free_params(params);
238 OSSL_PARAM_BLD_free(bld);
239 OSSL_SELF_TEST_onend(st, ret);
243 static size_t drbg_kat_entropy_cb(RAND_DRBG *drbg, unsigned char **pout,
244 int entropy, size_t min_len, size_t max_len,
245 int prediction_resistance)
247 OSSL_PARAM *drbg_params = RAND_DRBG_get_callback_data(drbg);
248 OSSL_PARAM *p = OSSL_PARAM_locate(drbg_params, DRBG_PARAM_ENTROPY);
250 if (p == NULL || p->data_type != OSSL_PARAM_OCTET_STRING)
252 *pout = (unsigned char *)p->data;
256 static size_t drbg_kat_nonce_cb(RAND_DRBG *drbg, unsigned char **pout,
257 int entropy, size_t min_len, size_t max_len)
259 OSSL_PARAM *drbg_params = RAND_DRBG_get_callback_data(drbg);
260 OSSL_PARAM *p = OSSL_PARAM_locate(drbg_params, DRBG_PARAM_NONCE);
262 if (p == NULL || p->data_type != OSSL_PARAM_OCTET_STRING)
264 *pout = (unsigned char *)p->data;
268 static int self_test_drbg(const ST_KAT_DRBG *t, OSSL_SELF_TEST *st,
272 unsigned char out[256];
273 RAND_DRBG *drbg = NULL;
274 unsigned int flags = 0;
275 int prediction_resistance = 1; /* Causes a reseed */
276 OSSL_PARAM drbg_params[3] = {
277 OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END
279 static const unsigned char zero[sizeof(drbg->data)] = { 0 };
281 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_DRBG, t->desc);
283 if (strcmp(t->desc, OSSL_SELF_TEST_DESC_DRBG_HMAC) == 0)
284 flags |= RAND_DRBG_FLAG_HMAC;
286 drbg = RAND_DRBG_new_ex(libctx, t->nid, flags, NULL);
290 if (!RAND_DRBG_set_callback_data(drbg, drbg_params))
293 if (!RAND_DRBG_set_callbacks(drbg, drbg_kat_entropy_cb, NULL,
294 drbg_kat_nonce_cb, NULL))
298 OSSL_PARAM_construct_octet_string(DRBG_PARAM_ENTROPY,
299 (void *)t->entropyin, t->entropyinlen);
301 OSSL_PARAM_construct_octet_string(DRBG_PARAM_NONCE,
302 (void *)t->nonce, t->noncelen);
304 if (!RAND_DRBG_instantiate(drbg, t->persstr, t->persstrlen))
308 OSSL_PARAM_construct_octet_string(DRBG_PARAM_ENTROPY,
309 (void *)t->entropyinpr1,
312 if (!RAND_DRBG_generate(drbg, out, t->expectedlen, prediction_resistance,
313 t->entropyaddin1, t->entropyaddin1len))
317 OSSL_PARAM_construct_octet_string(DRBG_PARAM_ENTROPY,
318 (void *)t->entropyinpr2,
320 /* This calls RAND_DRBG_reseed() internally when prediction_resistance = 1 */
321 if (!RAND_DRBG_generate(drbg, out, t->expectedlen, prediction_resistance,
322 t->entropyaddin2, t->entropyaddin2len))
325 OSSL_SELF_TEST_oncorrupt_byte(st, out);
327 if (memcmp(out, t->expected, t->expectedlen) != 0)
330 if (!RAND_DRBG_uninstantiate(drbg))
333 * Check that the DRBG data has been zeroized after RAND_DRBG_uninstantiate.
335 if (memcmp((unsigned char *)&drbg->data, zero, sizeof(drbg->data)) != 0)
340 RAND_DRBG_free(drbg);
341 OSSL_SELF_TEST_onend(st, ret);
347 static int self_test_ka(const ST_KAT_KAS *t,
348 OSSL_SELF_TEST *st, OPENSSL_CTX *libctx)
351 EVP_PKEY_CTX *kactx = NULL, *dctx = NULL;
352 EVP_PKEY *pkey = NULL, *peerkey = NULL;
353 OSSL_PARAM *params = NULL;
354 OSSL_PARAM *params_peer = NULL;
355 unsigned char secret[256];
357 OSSL_PARAM_BLD *bld = NULL;
358 BN_CTX *bnctx = NULL;
360 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_KA, t->desc);
362 bnctx = BN_CTX_new_ex(libctx);
366 bld = OSSL_PARAM_BLD_new();
370 if (!add_params(bld, t->key_group, bnctx)
371 || !add_params(bld, t->key_host_data, bnctx))
373 params = OSSL_PARAM_BLD_to_param(bld);
375 if (!add_params(bld, t->key_group, bnctx)
376 || !add_params(bld, t->key_peer_data, bnctx))
379 params_peer = OSSL_PARAM_BLD_to_param(bld);
380 if (params == NULL || params_peer == NULL)
383 /* Create a EVP_PKEY_CTX to load the DH keys into */
384 kactx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, "");
387 if (EVP_PKEY_key_fromdata_init(kactx) <= 0
388 || EVP_PKEY_fromdata(kactx, &pkey, params) <= 0)
390 if (EVP_PKEY_key_fromdata_init(kactx) <= 0
391 || EVP_PKEY_fromdata(kactx, &peerkey, params_peer) <= 0)
394 /* Create a EVP_PKEY_CTX to perform key derivation */
395 dctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
399 if (EVP_PKEY_derive_init(dctx) <= 0
400 || EVP_PKEY_derive_set_peer(dctx, peerkey) <= 0
401 || EVP_PKEY_derive(dctx, secret, &secret_len) <= 0)
404 OSSL_SELF_TEST_oncorrupt_byte(st, secret);
406 if (secret_len != t->expected_len
407 || memcmp(secret, t->expected, t->expected_len) != 0)
413 EVP_PKEY_free(peerkey);
414 EVP_PKEY_CTX_free(kactx);
415 EVP_PKEY_CTX_free(dctx);
416 OSSL_PARAM_BLD_free_params(params_peer);
417 OSSL_PARAM_BLD_free_params(params);
418 OSSL_PARAM_BLD_free(bld);
419 OSSL_SELF_TEST_onend(st, ret);
423 static int self_test_sign(const ST_KAT_SIGN *t,
424 OSSL_SELF_TEST *st, OPENSSL_CTX *libctx)
427 OSSL_PARAM *params = NULL, *params_sig = NULL;
428 OSSL_PARAM_BLD *bld = NULL;
429 EVP_PKEY_CTX *sctx = NULL, *kctx = NULL;
430 EVP_PKEY *pkey = NULL;
431 unsigned char sig[256];
432 BN_CTX *bnctx = NULL;
434 static const unsigned char dgst[] = {
435 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
436 0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
437 0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
440 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_SIGNATURE, t->desc);
442 bnctx = BN_CTX_new_ex(libctx);
446 bld = OSSL_PARAM_BLD_new();
450 if (!add_params(bld, t->key, bnctx))
452 params = OSSL_PARAM_BLD_to_param(bld);
454 /* Create a EVP_PKEY_CTX to load the DSA key into */
455 kctx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, "");
456 if (kctx == NULL || params == NULL)
458 if (EVP_PKEY_key_fromdata_init(kctx) <= 0
459 || EVP_PKEY_fromdata(kctx, &pkey, params) <= 0)
462 /* Create a EVP_PKEY_CTX to use for the signing operation */
463 sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
465 || EVP_PKEY_sign_init(sctx) <= 0)
468 /* set signature parameters */
469 if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST,
471 strlen(t->mdalgorithm) + 1))
473 params_sig = OSSL_PARAM_BLD_to_param(bld);
474 if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
477 if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0
478 || EVP_PKEY_verify_init(sctx) <= 0
479 || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
483 * Used by RSA, for other key types where the signature changes, we
484 * can only use the verify.
486 if (t->sig_expected != NULL
487 && (siglen != t->sig_expected_len
488 || memcmp(sig, t->sig_expected, t->sig_expected_len) != 0))
491 OSSL_SELF_TEST_oncorrupt_byte(st, sig);
492 if (EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0)
498 EVP_PKEY_CTX_free(kctx);
499 EVP_PKEY_CTX_free(sctx);
500 OSSL_PARAM_BLD_free_params(params);
501 OSSL_PARAM_BLD_free_params(params_sig);
502 OSSL_PARAM_BLD_free(bld);
503 OSSL_SELF_TEST_onend(st, ret);
508 * Test a data driven list of KAT's for digest algorithms.
509 * All tests are run regardless of if they fail or not.
510 * Return 0 if any test fails.
512 static int self_test_digests(OSSL_SELF_TEST *st, OPENSSL_CTX *libctx)
516 for (i = 0; i < (int)OSSL_NELEM(st_kat_digest_tests); ++i) {
517 if (!self_test_digest(&st_kat_digest_tests[i], st, libctx))
523 static int self_test_ciphers(OSSL_SELF_TEST *st, OPENSSL_CTX *libctx)
527 for (i = 0; i < (int)OSSL_NELEM(st_kat_cipher_tests); ++i) {
528 if (!self_test_cipher(&st_kat_cipher_tests[i], st, libctx))
534 static int self_test_kdfs(OSSL_SELF_TEST *st, OPENSSL_CTX *libctx)
538 for (i = 0; i < (int)OSSL_NELEM(st_kat_kdf_tests); ++i) {
539 if (!self_test_kdf(&st_kat_kdf_tests[i], st, libctx))
545 static int self_test_drbgs(OSSL_SELF_TEST *st, OPENSSL_CTX *libctx)
549 for (i = 0; i < (int)OSSL_NELEM(st_kat_drbg_tests); ++i) {
550 if (!self_test_drbg(&st_kat_drbg_tests[i], st, libctx))
556 static int self_test_kas(OSSL_SELF_TEST *st, OPENSSL_CTX *libctx)
560 for (i = 0; i < (int)OSSL_NELEM(st_kat_kas_tests); ++i) {
561 if (!self_test_ka(&st_kat_kas_tests[i], st, libctx))
567 static int self_test_signatures(OSSL_SELF_TEST *st, OPENSSL_CTX *libctx)
571 for (i = 0; i < (int)OSSL_NELEM(st_kat_sign_tests); ++i) {
572 if (!self_test_sign(&st_kat_sign_tests[i], st, libctx))
579 * Run the algorithm KAT's.
580 * Return 1 is successful, otherwise return 0.
581 * This runs all the tests regardless of if any fail.
583 int SELF_TEST_kats(OSSL_SELF_TEST *st, OPENSSL_CTX *libctx)
587 if (!self_test_digests(st, libctx))
589 if (!self_test_ciphers(st, libctx))
591 if (!self_test_signatures(st, libctx))
593 if (!self_test_kdfs(st, libctx))
595 if (!self_test_drbgs(st, libctx))
597 if (!self_test_kas(st, libctx))
projects / openssl.git / blob