2 * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include <openssl/evp.h>
12 #include <openssl/kdf.h>
13 #include <openssl/core_names.h>
14 #include <openssl/param_build.h>
15 #include "internal/cryptlib.h"
16 #include "internal/nelem.h"
17 #include "self_test.h"
18 #include "self_test_data.inc"
20 static int self_test_digest(const ST_KAT_DIGEST *t, OSSL_SELF_TEST *st,
24 unsigned char out[EVP_MAX_MD_SIZE];
25 unsigned int out_len = 0;
26 EVP_MD_CTX *ctx = EVP_MD_CTX_new();
27 EVP_MD *md = EVP_MD_fetch(libctx, t->algorithm, NULL);
29 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_DIGEST, t->desc);
33 || !EVP_DigestInit_ex(ctx, md, NULL)
34 || !EVP_DigestUpdate(ctx, t->pt, t->pt_len)
35 || !EVP_DigestFinal(ctx, out, &out_len))
38 /* Optional corruption */
39 OSSL_SELF_TEST_oncorrupt_byte(st, out);
41 if (out_len != t->expected_len
42 || memcmp(out, t->expected, out_len) != 0)
48 OSSL_SELF_TEST_onend(st, ok);
53 * Helper function to setup a EVP_CipherInit
54 * Used to hide the complexity of Authenticated ciphers.
56 static int cipher_init(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
57 const ST_KAT_CIPHER *t, int enc)
59 unsigned char *in_tag = NULL;
62 /* Flag required for Key wrapping */
63 EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
65 /* Use a normal cipher init */
66 return EVP_CipherInit_ex(ctx, cipher, NULL, t->key, t->iv, enc)
67 && EVP_CIPHER_CTX_set_padding(ctx, pad);
70 /* The authenticated cipher init */
72 in_tag = (unsigned char *)t->tag;
74 return EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)
75 && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, t->iv_len, NULL)
77 || EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, t->tag_len,
79 && EVP_CipherInit_ex(ctx, NULL, NULL, t->key, t->iv, enc)
80 && EVP_CIPHER_CTX_set_padding(ctx, pad)
81 && EVP_CipherUpdate(ctx, NULL, &tmp, t->aad, t->aad_len);
84 /* Test a single KAT for encrypt/decrypt */
85 static int self_test_cipher(const ST_KAT_CIPHER *t, OSSL_SELF_TEST *st,
88 int ret = 0, encrypt = 1, len, ct_len = 0, pt_len = 0;
89 EVP_CIPHER_CTX *ctx = NULL;
90 EVP_CIPHER *cipher = NULL;
91 unsigned char ct_buf[256] = { 0 };
92 unsigned char pt_buf[256] = { 0 };
94 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_CIPHER, t->base.desc);
96 ctx = EVP_CIPHER_CTX_new();
99 cipher = EVP_CIPHER_fetch(libctx, t->base.algorithm, "");
103 /* Encrypt plain text message */
104 if (!cipher_init(ctx, cipher, t, encrypt)
105 || !EVP_CipherUpdate(ctx, ct_buf, &len, t->base.pt, t->base.pt_len)
106 || !EVP_CipherFinal_ex(ctx, ct_buf + len, &ct_len))
109 OSSL_SELF_TEST_oncorrupt_byte(st, ct_buf);
111 if (ct_len != (int)t->base.expected_len
112 || memcmp(t->base.expected, ct_buf, ct_len) != 0)
115 if (t->tag != NULL) {
116 unsigned char tag[16] = { 0 };
118 if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, t->tag_len, tag)
119 || memcmp(tag, t->tag, t->tag_len) != 0)
123 if (!(cipher_init(ctx, cipher, t, !encrypt)
124 && EVP_CipherUpdate(ctx, pt_buf, &len, ct_buf, ct_len)
125 && EVP_CipherFinal_ex(ctx, pt_buf + len, &pt_len)))
129 if (pt_len != (int)t->base.pt_len
130 || memcmp(pt_buf, t->base.pt, pt_len) != 0)
135 EVP_CIPHER_free(cipher);
136 EVP_CIPHER_CTX_free(ctx);
137 OSSL_SELF_TEST_onend(st, ret);
141 static int add_params(OSSL_PARAM_BLD *bld, const ST_KAT_PARAM *params,
145 const ST_KAT_PARAM *p;
149 for (p = params; p->data != NULL; ++p)
152 case OSSL_PARAM_UNSIGNED_INTEGER: {
153 BIGNUM *bn = BN_CTX_get(ctx);
156 || (BN_bin2bn(p->data, p->data_len, bn) == NULL)
157 || !OSSL_PARAM_BLD_push_BN(bld, p->name, bn))
161 case OSSL_PARAM_UTF8_STRING: {
162 if (!OSSL_PARAM_BLD_push_utf8_string(bld, p->name, p->data,
167 case OSSL_PARAM_OCTET_STRING: {
168 if (!OSSL_PARAM_BLD_push_octet_string(bld, p->name, p->data,
173 case OSSL_PARAM_INTEGER: {
174 if (!OSSL_PARAM_BLD_push_int(bld, p->name, *(int *)p->data))
187 static int self_test_kdf(const ST_KAT_KDF *t, OSSL_SELF_TEST *st,
188 OSSL_LIB_CTX *libctx)
191 unsigned char out[128];
193 EVP_KDF_CTX *ctx = NULL;
194 BN_CTX *bnctx = NULL;
195 OSSL_PARAM *params = NULL;
196 OSSL_PARAM_BLD *bld = NULL;
198 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_KDF, t->desc);
200 bld = OSSL_PARAM_BLD_new();
204 kdf = EVP_KDF_fetch(libctx, t->algorithm, "");
208 ctx = EVP_KDF_CTX_new(kdf);
212 bnctx = BN_CTX_new_ex(libctx);
215 if (!add_params(bld, t->params, bnctx))
217 params = OSSL_PARAM_BLD_to_param(bld);
220 if (!EVP_KDF_CTX_set_params(ctx, params))
223 if (t->expected_len > sizeof(out))
225 if (EVP_KDF_derive(ctx, out, t->expected_len) <= 0)
228 OSSL_SELF_TEST_oncorrupt_byte(st, out);
230 if (memcmp(out, t->expected, t->expected_len) != 0)
236 EVP_KDF_CTX_free(ctx);
238 OSSL_PARAM_BLD_free_params(params);
239 OSSL_PARAM_BLD_free(bld);
240 OSSL_SELF_TEST_onend(st, ret);
244 static int self_test_drbg(const ST_KAT_DRBG *t, OSSL_SELF_TEST *st,
245 OSSL_LIB_CTX *libctx)
248 unsigned char out[256];
250 EVP_RAND_CTX *test = NULL, *drbg = NULL;
251 unsigned int strength = 256;
252 int prediction_resistance = 1; /* Causes a reseed */
253 OSSL_PARAM drbg_params[3] = {
254 OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END
257 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_DRBG, t->desc);
259 rand = EVP_RAND_fetch(libctx, "TEST-RAND", NULL);
263 test = EVP_RAND_CTX_new(rand, NULL);
268 drbg_params[0] = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH,
270 if (!EVP_RAND_set_ctx_params(test, drbg_params))
273 rand = EVP_RAND_fetch(libctx, t->algorithm, NULL);
277 drbg = EVP_RAND_CTX_new(rand, test);
282 strength = EVP_RAND_strength(drbg);
284 drbg_params[0] = OSSL_PARAM_construct_utf8_string(t->param_name,
286 /* This is only used by HMAC-DRBG but it is ignored by the others */
288 OSSL_PARAM_construct_utf8_string(OSSL_DRBG_PARAM_MAC, "HMAC", 0);
289 if (!EVP_RAND_set_ctx_params(drbg, drbg_params))
293 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY,
294 (void *)t->entropyin,
297 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_NONCE,
298 (void *)t->nonce, t->noncelen);
299 if (!EVP_RAND_set_ctx_params(test, drbg_params)
300 || !EVP_RAND_instantiate(test, strength, 0, NULL, 0))
302 if (!EVP_RAND_instantiate(drbg, strength, 0, t->persstr, t->persstrlen))
306 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY,
307 (void *)t->entropyinpr1,
309 if (!EVP_RAND_set_ctx_params(test, drbg_params))
312 if (!EVP_RAND_generate(drbg, out, t->expectedlen, strength,
313 prediction_resistance,
314 t->entropyaddin1, t->entropyaddin1len))
318 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY,
319 (void *)t->entropyinpr2,
321 if (!EVP_RAND_set_ctx_params(test, drbg_params))
325 * This calls ossl_prov_drbg_reseed() internally when
326 * prediction_resistance = 1
328 if (!EVP_RAND_generate(drbg, out, t->expectedlen, strength,
329 prediction_resistance,
330 t->entropyaddin2, t->entropyaddin2len))
333 OSSL_SELF_TEST_oncorrupt_byte(st, out);
335 if (memcmp(out, t->expected, t->expectedlen) != 0)
338 if (!EVP_RAND_uninstantiate(drbg))
341 * Check that the DRBG data has been zeroized after
342 * ossl_prov_drbg_uninstantiate.
344 if (!EVP_RAND_verify_zeroization(drbg))
349 EVP_RAND_CTX_free(drbg);
350 EVP_RAND_CTX_free(test);
351 OSSL_SELF_TEST_onend(st, ret);
355 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
356 static int self_test_ka(const ST_KAT_KAS *t,
357 OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
360 EVP_PKEY_CTX *kactx = NULL, *dctx = NULL;
361 EVP_PKEY *pkey = NULL, *peerkey = NULL;
362 OSSL_PARAM *params = NULL;
363 OSSL_PARAM *params_peer = NULL;
364 unsigned char secret[256];
365 size_t secret_len = sizeof(secret);
366 OSSL_PARAM_BLD *bld = NULL;
367 BN_CTX *bnctx = NULL;
369 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_KA, t->desc);
371 bnctx = BN_CTX_new_ex(libctx);
375 bld = OSSL_PARAM_BLD_new();
379 if (!add_params(bld, t->key_group, bnctx)
380 || !add_params(bld, t->key_host_data, bnctx))
382 params = OSSL_PARAM_BLD_to_param(bld);
384 if (!add_params(bld, t->key_group, bnctx)
385 || !add_params(bld, t->key_peer_data, bnctx))
388 params_peer = OSSL_PARAM_BLD_to_param(bld);
389 if (params == NULL || params_peer == NULL)
392 /* Create a EVP_PKEY_CTX to load the DH keys into */
393 kactx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, "");
396 if (EVP_PKEY_fromdata_init(kactx) <= 0
397 || EVP_PKEY_fromdata(kactx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
399 if (EVP_PKEY_fromdata_init(kactx) <= 0
400 || EVP_PKEY_fromdata(kactx, &peerkey, EVP_PKEY_KEYPAIR, params_peer) <= 0)
403 /* Create a EVP_PKEY_CTX to perform key derivation */
404 dctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
408 if (EVP_PKEY_derive_init(dctx) <= 0
409 || EVP_PKEY_derive_set_peer(dctx, peerkey) <= 0
410 || EVP_PKEY_derive(dctx, secret, &secret_len) <= 0)
413 OSSL_SELF_TEST_oncorrupt_byte(st, secret);
415 if (secret_len != t->expected_len
416 || memcmp(secret, t->expected, t->expected_len) != 0)
422 EVP_PKEY_free(peerkey);
423 EVP_PKEY_CTX_free(kactx);
424 EVP_PKEY_CTX_free(dctx);
425 OSSL_PARAM_BLD_free_params(params_peer);
426 OSSL_PARAM_BLD_free_params(params);
427 OSSL_PARAM_BLD_free(bld);
428 OSSL_SELF_TEST_onend(st, ret);
431 #endif /* !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) */
433 static int self_test_sign(const ST_KAT_SIGN *t,
434 OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
437 OSSL_PARAM *params = NULL, *params_sig = NULL;
438 OSSL_PARAM_BLD *bld = NULL;
439 EVP_PKEY_CTX *sctx = NULL, *kctx = NULL;
440 EVP_PKEY *pkey = NULL;
441 unsigned char sig[256];
442 BN_CTX *bnctx = NULL;
444 static const unsigned char dgst[] = {
445 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
446 0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
447 0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
450 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_SIGNATURE, t->desc);
452 bnctx = BN_CTX_new_ex(libctx);
456 bld = OSSL_PARAM_BLD_new();
460 if (!add_params(bld, t->key, bnctx))
462 params = OSSL_PARAM_BLD_to_param(bld);
464 /* Create a EVP_PKEY_CTX to load the DSA key into */
465 kctx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, "");
466 if (kctx == NULL || params == NULL)
468 if (EVP_PKEY_fromdata_init(kctx) <= 0
469 || EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
472 /* Create a EVP_PKEY_CTX to use for the signing operation */
473 sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
475 || EVP_PKEY_sign_init(sctx) <= 0)
478 /* set signature parameters */
479 if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST,
481 strlen(t->mdalgorithm) + 1))
483 params_sig = OSSL_PARAM_BLD_to_param(bld);
484 if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
487 if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0
488 || EVP_PKEY_verify_init(sctx) <= 0
489 || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
493 * Used by RSA, for other key types where the signature changes, we
494 * can only use the verify.
496 if (t->sig_expected != NULL
497 && (siglen != t->sig_expected_len
498 || memcmp(sig, t->sig_expected, t->sig_expected_len) != 0))
501 OSSL_SELF_TEST_oncorrupt_byte(st, sig);
502 if (EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0)
508 EVP_PKEY_CTX_free(kctx);
509 EVP_PKEY_CTX_free(sctx);
510 OSSL_PARAM_BLD_free_params(params);
511 OSSL_PARAM_BLD_free_params(params_sig);
512 OSSL_PARAM_BLD_free(bld);
513 OSSL_SELF_TEST_onend(st, ret);
518 * Test an encrypt or decrypt KAT..
520 * FIPS 140-2 IG D.9 states that separate KAT tests are needed for encrypt
523 static int self_test_asym_cipher(const ST_KAT_ASYM_CIPHER *t, OSSL_SELF_TEST *st,
524 OSSL_LIB_CTX *libctx)
527 OSSL_PARAM *keyparams = NULL, *initparams = NULL;
528 OSSL_PARAM_BLD *keybld = NULL, *initbld = NULL;
529 EVP_PKEY_CTX *encctx = NULL, *keyctx = NULL;
530 EVP_PKEY *key = NULL;
531 BN_CTX *bnctx = NULL;
532 unsigned char out[256];
533 size_t outlen = sizeof(out);
535 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_ASYM_CIPHER, t->desc);
537 bnctx = BN_CTX_new_ex(libctx);
541 /* Load a public or private key from data */
542 keybld = OSSL_PARAM_BLD_new();
544 || !add_params(keybld, t->key, bnctx))
546 keyparams = OSSL_PARAM_BLD_to_param(keybld);
547 keyctx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, NULL);
548 if (keyctx == NULL || keyparams == NULL)
550 if (EVP_PKEY_fromdata_init(keyctx) <= 0
551 || EVP_PKEY_fromdata(keyctx, &key, EVP_PKEY_KEYPAIR, keyparams) <= 0)
554 /* Create a EVP_PKEY_CTX to use for the encrypt or decrypt operation */
555 encctx = EVP_PKEY_CTX_new_from_pkey(libctx, key, NULL);
557 || (t->encrypt && EVP_PKEY_encrypt_init(encctx) <= 0)
558 || (!t->encrypt && EVP_PKEY_decrypt_init(encctx) <= 0))
561 /* Add any additional parameters such as padding */
562 if (t->postinit != NULL) {
563 initbld = OSSL_PARAM_BLD_new();
566 if (!add_params(initbld, t->postinit, bnctx))
568 initparams = OSSL_PARAM_BLD_to_param(initbld);
569 if (initparams == NULL)
571 if (EVP_PKEY_CTX_set_params(encctx, initparams) <= 0)
576 if (EVP_PKEY_encrypt(encctx, out, &outlen,
577 t->in, t->in_len) <= 0)
580 if (EVP_PKEY_decrypt(encctx, out, &outlen,
581 t->in, t->in_len) <= 0)
585 OSSL_SELF_TEST_oncorrupt_byte(st, out);
586 if (outlen != t->expected_len
587 || memcmp(out, t->expected, t->expected_len) != 0)
594 EVP_PKEY_CTX_free(encctx);
595 EVP_PKEY_CTX_free(keyctx);
596 OSSL_PARAM_BLD_free_params(keyparams);
597 OSSL_PARAM_BLD_free(keybld);
598 OSSL_PARAM_BLD_free_params(initparams);
599 OSSL_PARAM_BLD_free(initbld);
600 OSSL_SELF_TEST_onend(st, ret);
605 * Test a data driven list of KAT's for digest algorithms.
606 * All tests are run regardless of if they fail or not.
607 * Return 0 if any test fails.
609 static int self_test_digests(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
613 for (i = 0; i < (int)OSSL_NELEM(st_kat_digest_tests); ++i) {
614 if (!self_test_digest(&st_kat_digest_tests[i], st, libctx))
620 static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
624 for (i = 0; i < (int)OSSL_NELEM(st_kat_cipher_tests); ++i) {
625 if (!self_test_cipher(&st_kat_cipher_tests[i], st, libctx))
631 static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
635 for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_cipher_tests); ++i) {
636 if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx))
642 static int self_test_kdfs(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
646 for (i = 0; i < (int)OSSL_NELEM(st_kat_kdf_tests); ++i) {
647 if (!self_test_kdf(&st_kat_kdf_tests[i], st, libctx))
653 static int self_test_drbgs(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
657 for (i = 0; i < (int)OSSL_NELEM(st_kat_drbg_tests); ++i) {
658 if (!self_test_drbg(&st_kat_drbg_tests[i], st, libctx))
664 static int self_test_kas(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
667 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
670 for (i = 0; i < (int)OSSL_NELEM(st_kat_kas_tests); ++i) {
671 if (!self_test_ka(&st_kat_kas_tests[i], st, libctx))
679 static int self_test_signatures(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
683 for (i = 0; i < (int)OSSL_NELEM(st_kat_sign_tests); ++i) {
684 if (!self_test_sign(&st_kat_sign_tests[i], st, libctx))
691 * Run the algorithm KAT's.
692 * Return 1 is successful, otherwise return 0.
693 * This runs all the tests regardless of if any fail.
695 int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
699 if (!self_test_digests(st, libctx))
701 if (!self_test_ciphers(st, libctx))
703 if (!self_test_signatures(st, libctx))
705 if (!self_test_kdfs(st, libctx))
707 if (!self_test_drbgs(st, libctx))
709 if (!self_test_kas(st, libctx))
711 if (!self_test_asym_ciphers(st, libctx))