2 * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include <openssl/evp.h>
12 #include <openssl/kdf.h>
13 #include <openssl/core_names.h>
14 #include <openssl/param_build.h>
15 #include "internal/cryptlib.h"
16 #include "internal/nelem.h"
17 #include "self_test.h"
18 #include "self_test_data.inc"
20 static int self_test_digest(const ST_KAT_DIGEST *t, OSSL_SELF_TEST *st,
24 unsigned char out[EVP_MAX_MD_SIZE];
25 unsigned int out_len = 0;
26 EVP_MD_CTX *ctx = EVP_MD_CTX_new();
27 EVP_MD *md = EVP_MD_fetch(libctx, t->algorithm, NULL);
29 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_DIGEST, t->desc);
33 || !EVP_DigestInit_ex(ctx, md, NULL)
34 || !EVP_DigestUpdate(ctx, t->pt, t->pt_len)
35 || !EVP_DigestFinal(ctx, out, &out_len))
38 /* Optional corruption */
39 OSSL_SELF_TEST_oncorrupt_byte(st, out);
41 if (out_len != t->expected_len
42 || memcmp(out, t->expected, out_len) != 0)
48 OSSL_SELF_TEST_onend(st, ok);
53 * Helper function to setup a EVP_CipherInit
54 * Used to hide the complexity of Authenticated ciphers.
56 static int cipher_init(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
57 const ST_KAT_CIPHER *t, int enc)
59 unsigned char *in_tag = NULL;
62 /* Flag required for Key wrapping */
63 EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
65 /* Use a normal cipher init */
66 return EVP_CipherInit_ex(ctx, cipher, NULL, t->key, t->iv, enc)
67 && EVP_CIPHER_CTX_set_padding(ctx, pad);
70 /* The authenticated cipher init */
72 in_tag = (unsigned char *)t->tag;
74 return EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)
75 && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, t->iv_len, NULL)
77 || EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, t->tag_len,
79 && EVP_CipherInit_ex(ctx, NULL, NULL, t->key, t->iv, enc)
80 && EVP_CIPHER_CTX_set_padding(ctx, pad)
81 && EVP_CipherUpdate(ctx, NULL, &tmp, t->aad, t->aad_len);
84 /* Test a single KAT for encrypt/decrypt */
85 static int self_test_cipher(const ST_KAT_CIPHER *t, OSSL_SELF_TEST *st,
88 int ret = 0, encrypt = 1, len, ct_len = 0, pt_len = 0;
89 EVP_CIPHER_CTX *ctx = NULL;
90 EVP_CIPHER *cipher = NULL;
91 unsigned char ct_buf[256] = { 0 };
92 unsigned char pt_buf[256] = { 0 };
94 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_CIPHER, t->base.desc);
96 ctx = EVP_CIPHER_CTX_new();
99 cipher = EVP_CIPHER_fetch(libctx, t->base.algorithm, "");
103 /* Encrypt plain text message */
104 if (!cipher_init(ctx, cipher, t, encrypt)
105 || !EVP_CipherUpdate(ctx, ct_buf, &len, t->base.pt, t->base.pt_len)
106 || !EVP_CipherFinal_ex(ctx, ct_buf + len, &ct_len))
109 OSSL_SELF_TEST_oncorrupt_byte(st, ct_buf);
111 if (ct_len != (int)t->base.expected_len
112 || memcmp(t->base.expected, ct_buf, ct_len) != 0)
115 if (t->tag != NULL) {
116 unsigned char tag[16] = { 0 };
118 if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, t->tag_len, tag)
119 || memcmp(tag, t->tag, t->tag_len) != 0)
123 if (!(cipher_init(ctx, cipher, t, !encrypt)
124 && EVP_CipherUpdate(ctx, pt_buf, &len, ct_buf, ct_len)
125 && EVP_CipherFinal_ex(ctx, pt_buf + len, &pt_len)))
129 if (pt_len != (int)t->base.pt_len
130 || memcmp(pt_buf, t->base.pt, pt_len) != 0)
135 EVP_CIPHER_free(cipher);
136 EVP_CIPHER_CTX_free(ctx);
137 OSSL_SELF_TEST_onend(st, ret);
141 static int add_params(OSSL_PARAM_BLD *bld, const ST_KAT_PARAM *params,
145 const ST_KAT_PARAM *p;
149 for (p = params; p->data != NULL; ++p)
152 case OSSL_PARAM_UNSIGNED_INTEGER: {
153 BIGNUM *bn = BN_CTX_get(ctx);
156 || (BN_bin2bn(p->data, p->data_len, bn) == NULL)
157 || !OSSL_PARAM_BLD_push_BN(bld, p->name, bn))
161 case OSSL_PARAM_UTF8_STRING: {
162 if (!OSSL_PARAM_BLD_push_utf8_string(bld, p->name, p->data, 0))
166 case OSSL_PARAM_OCTET_STRING: {
167 if (!OSSL_PARAM_BLD_push_octet_string(bld, p->name, p->data,
172 case OSSL_PARAM_INTEGER: {
173 if (!OSSL_PARAM_BLD_push_int(bld, p->name, *(int *)p->data))
186 static int self_test_kdf(const ST_KAT_KDF *t, OSSL_SELF_TEST *st,
187 OSSL_LIB_CTX *libctx)
190 unsigned char out[128];
192 EVP_KDF_CTX *ctx = NULL;
193 BN_CTX *bnctx = NULL;
194 OSSL_PARAM *params = NULL;
195 OSSL_PARAM_BLD *bld = NULL;
197 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_KDF, t->desc);
199 bld = OSSL_PARAM_BLD_new();
203 kdf = EVP_KDF_fetch(libctx, t->algorithm, "");
207 ctx = EVP_KDF_CTX_new(kdf);
211 bnctx = BN_CTX_new_ex(libctx);
214 if (!add_params(bld, t->params, bnctx))
216 params = OSSL_PARAM_BLD_to_param(bld);
219 if (!EVP_KDF_CTX_set_params(ctx, params))
222 if (t->expected_len > sizeof(out))
224 if (EVP_KDF_derive(ctx, out, t->expected_len) <= 0)
227 OSSL_SELF_TEST_oncorrupt_byte(st, out);
229 if (memcmp(out, t->expected, t->expected_len) != 0)
235 EVP_KDF_CTX_free(ctx);
237 OSSL_PARAM_BLD_free_params(params);
238 OSSL_PARAM_BLD_free(bld);
239 OSSL_SELF_TEST_onend(st, ret);
243 static int self_test_drbg(const ST_KAT_DRBG *t, OSSL_SELF_TEST *st,
244 OSSL_LIB_CTX *libctx)
247 unsigned char out[256];
249 EVP_RAND_CTX *test = NULL, *drbg = NULL;
250 unsigned int strength = 256;
251 int prediction_resistance = 1; /* Causes a reseed */
252 OSSL_PARAM drbg_params[3] = {
253 OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END
256 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_DRBG, t->desc);
258 rand = EVP_RAND_fetch(libctx, "TEST-RAND", NULL);
262 test = EVP_RAND_CTX_new(rand, NULL);
267 drbg_params[0] = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH,
269 if (!EVP_RAND_set_ctx_params(test, drbg_params))
272 rand = EVP_RAND_fetch(libctx, t->algorithm, NULL);
276 drbg = EVP_RAND_CTX_new(rand, test);
281 strength = EVP_RAND_strength(drbg);
283 drbg_params[0] = OSSL_PARAM_construct_utf8_string(t->param_name,
285 /* This is only used by HMAC-DRBG but it is ignored by the others */
287 OSSL_PARAM_construct_utf8_string(OSSL_DRBG_PARAM_MAC, "HMAC", 0);
288 if (!EVP_RAND_set_ctx_params(drbg, drbg_params))
292 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY,
293 (void *)t->entropyin,
296 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_NONCE,
297 (void *)t->nonce, t->noncelen);
298 if (!EVP_RAND_set_ctx_params(test, drbg_params)
299 || !EVP_RAND_instantiate(test, strength, 0, NULL, 0))
301 if (!EVP_RAND_instantiate(drbg, strength, 0, t->persstr, t->persstrlen))
305 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY,
306 (void *)t->entropyinpr1,
308 if (!EVP_RAND_set_ctx_params(test, drbg_params))
311 if (!EVP_RAND_generate(drbg, out, t->expectedlen, strength,
312 prediction_resistance,
313 t->entropyaddin1, t->entropyaddin1len))
317 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY,
318 (void *)t->entropyinpr2,
320 if (!EVP_RAND_set_ctx_params(test, drbg_params))
324 * This calls ossl_prov_drbg_reseed() internally when
325 * prediction_resistance = 1
327 if (!EVP_RAND_generate(drbg, out, t->expectedlen, strength,
328 prediction_resistance,
329 t->entropyaddin2, t->entropyaddin2len))
332 OSSL_SELF_TEST_oncorrupt_byte(st, out);
334 if (memcmp(out, t->expected, t->expectedlen) != 0)
337 if (!EVP_RAND_uninstantiate(drbg))
340 * Check that the DRBG data has been zeroized after
341 * ossl_prov_drbg_uninstantiate.
343 if (!EVP_RAND_verify_zeroization(drbg))
348 EVP_RAND_CTX_free(drbg);
349 EVP_RAND_CTX_free(test);
350 OSSL_SELF_TEST_onend(st, ret);
354 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
355 static int self_test_ka(const ST_KAT_KAS *t,
356 OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
359 EVP_PKEY_CTX *kactx = NULL, *dctx = NULL;
360 EVP_PKEY *pkey = NULL, *peerkey = NULL;
361 OSSL_PARAM *params = NULL;
362 OSSL_PARAM *params_peer = NULL;
363 unsigned char secret[256];
364 size_t secret_len = sizeof(secret);
365 OSSL_PARAM_BLD *bld = NULL;
366 BN_CTX *bnctx = NULL;
368 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_KA, t->desc);
370 bnctx = BN_CTX_new_ex(libctx);
374 bld = OSSL_PARAM_BLD_new();
378 if (!add_params(bld, t->key_group, bnctx)
379 || !add_params(bld, t->key_host_data, bnctx))
381 params = OSSL_PARAM_BLD_to_param(bld);
383 if (!add_params(bld, t->key_group, bnctx)
384 || !add_params(bld, t->key_peer_data, bnctx))
387 params_peer = OSSL_PARAM_BLD_to_param(bld);
388 if (params == NULL || params_peer == NULL)
391 /* Create a EVP_PKEY_CTX to load the DH keys into */
392 kactx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, "");
395 if (EVP_PKEY_fromdata_init(kactx) <= 0
396 || EVP_PKEY_fromdata(kactx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
398 if (EVP_PKEY_fromdata_init(kactx) <= 0
399 || EVP_PKEY_fromdata(kactx, &peerkey, EVP_PKEY_KEYPAIR, params_peer) <= 0)
402 /* Create a EVP_PKEY_CTX to perform key derivation */
403 dctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
407 if (EVP_PKEY_derive_init(dctx) <= 0
408 || EVP_PKEY_derive_set_peer(dctx, peerkey) <= 0
409 || EVP_PKEY_derive(dctx, secret, &secret_len) <= 0)
412 OSSL_SELF_TEST_oncorrupt_byte(st, secret);
414 if (secret_len != t->expected_len
415 || memcmp(secret, t->expected, t->expected_len) != 0)
421 EVP_PKEY_free(peerkey);
422 EVP_PKEY_CTX_free(kactx);
423 EVP_PKEY_CTX_free(dctx);
424 OSSL_PARAM_BLD_free_params(params_peer);
425 OSSL_PARAM_BLD_free_params(params);
426 OSSL_PARAM_BLD_free(bld);
427 OSSL_SELF_TEST_onend(st, ret);
430 #endif /* !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) */
432 static int self_test_sign(const ST_KAT_SIGN *t,
433 OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
436 OSSL_PARAM *params = NULL, *params_sig = NULL;
437 OSSL_PARAM_BLD *bld = NULL;
438 EVP_PKEY_CTX *sctx = NULL, *kctx = NULL;
439 EVP_PKEY *pkey = NULL;
440 unsigned char sig[256];
441 BN_CTX *bnctx = NULL;
443 static const unsigned char dgst[] = {
444 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
445 0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
446 0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
449 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_SIGNATURE, t->desc);
451 bnctx = BN_CTX_new_ex(libctx);
455 bld = OSSL_PARAM_BLD_new();
459 if (!add_params(bld, t->key, bnctx))
461 params = OSSL_PARAM_BLD_to_param(bld);
463 /* Create a EVP_PKEY_CTX to load the DSA key into */
464 kctx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, "");
465 if (kctx == NULL || params == NULL)
467 if (EVP_PKEY_fromdata_init(kctx) <= 0
468 || EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
471 /* Create a EVP_PKEY_CTX to use for the signing operation */
472 sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
474 || EVP_PKEY_sign_init(sctx) <= 0)
477 /* set signature parameters */
478 if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST,
480 strlen(t->mdalgorithm) + 1))
482 params_sig = OSSL_PARAM_BLD_to_param(bld);
483 if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
486 if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0
487 || EVP_PKEY_verify_init(sctx) <= 0
488 || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
492 * Used by RSA, for other key types where the signature changes, we
493 * can only use the verify.
495 if (t->sig_expected != NULL
496 && (siglen != t->sig_expected_len
497 || memcmp(sig, t->sig_expected, t->sig_expected_len) != 0))
500 OSSL_SELF_TEST_oncorrupt_byte(st, sig);
501 if (EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0)
507 EVP_PKEY_CTX_free(kctx);
508 EVP_PKEY_CTX_free(sctx);
509 OSSL_PARAM_BLD_free_params(params);
510 OSSL_PARAM_BLD_free_params(params_sig);
511 OSSL_PARAM_BLD_free(bld);
512 OSSL_SELF_TEST_onend(st, ret);
517 * Test an encrypt or decrypt KAT..
519 * FIPS 140-2 IG D.9 states that separate KAT tests are needed for encrypt
522 static int self_test_asym_cipher(const ST_KAT_ASYM_CIPHER *t, OSSL_SELF_TEST *st,
523 OSSL_LIB_CTX *libctx)
526 OSSL_PARAM *keyparams = NULL, *initparams = NULL;
527 OSSL_PARAM_BLD *keybld = NULL, *initbld = NULL;
528 EVP_PKEY_CTX *encctx = NULL, *keyctx = NULL;
529 EVP_PKEY *key = NULL;
530 BN_CTX *bnctx = NULL;
531 unsigned char out[256];
532 size_t outlen = sizeof(out);
534 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_ASYM_CIPHER, t->desc);
536 bnctx = BN_CTX_new_ex(libctx);
540 /* Load a public or private key from data */
541 keybld = OSSL_PARAM_BLD_new();
543 || !add_params(keybld, t->key, bnctx))
545 keyparams = OSSL_PARAM_BLD_to_param(keybld);
546 keyctx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, NULL);
547 if (keyctx == NULL || keyparams == NULL)
549 if (EVP_PKEY_fromdata_init(keyctx) <= 0
550 || EVP_PKEY_fromdata(keyctx, &key, EVP_PKEY_KEYPAIR, keyparams) <= 0)
553 /* Create a EVP_PKEY_CTX to use for the encrypt or decrypt operation */
554 encctx = EVP_PKEY_CTX_new_from_pkey(libctx, key, NULL);
556 || (t->encrypt && EVP_PKEY_encrypt_init(encctx) <= 0)
557 || (!t->encrypt && EVP_PKEY_decrypt_init(encctx) <= 0))
560 /* Add any additional parameters such as padding */
561 if (t->postinit != NULL) {
562 initbld = OSSL_PARAM_BLD_new();
565 if (!add_params(initbld, t->postinit, bnctx))
567 initparams = OSSL_PARAM_BLD_to_param(initbld);
568 if (initparams == NULL)
570 if (EVP_PKEY_CTX_set_params(encctx, initparams) <= 0)
575 if (EVP_PKEY_encrypt(encctx, out, &outlen,
576 t->in, t->in_len) <= 0)
579 if (EVP_PKEY_decrypt(encctx, out, &outlen,
580 t->in, t->in_len) <= 0)
584 OSSL_SELF_TEST_oncorrupt_byte(st, out);
585 if (outlen != t->expected_len
586 || memcmp(out, t->expected, t->expected_len) != 0)
593 EVP_PKEY_CTX_free(encctx);
594 EVP_PKEY_CTX_free(keyctx);
595 OSSL_PARAM_BLD_free_params(keyparams);
596 OSSL_PARAM_BLD_free(keybld);
597 OSSL_PARAM_BLD_free_params(initparams);
598 OSSL_PARAM_BLD_free(initbld);
599 OSSL_SELF_TEST_onend(st, ret);
604 * Test a data driven list of KAT's for digest algorithms.
605 * All tests are run regardless of if they fail or not.
606 * Return 0 if any test fails.
608 static int self_test_digests(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
612 for (i = 0; i < (int)OSSL_NELEM(st_kat_digest_tests); ++i) {
613 if (!self_test_digest(&st_kat_digest_tests[i], st, libctx))
619 static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
623 for (i = 0; i < (int)OSSL_NELEM(st_kat_cipher_tests); ++i) {
624 if (!self_test_cipher(&st_kat_cipher_tests[i], st, libctx))
630 static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
634 for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_cipher_tests); ++i) {
635 if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx))
641 static int self_test_kdfs(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
645 for (i = 0; i < (int)OSSL_NELEM(st_kat_kdf_tests); ++i) {
646 if (!self_test_kdf(&st_kat_kdf_tests[i], st, libctx))
652 static int self_test_drbgs(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
656 for (i = 0; i < (int)OSSL_NELEM(st_kat_drbg_tests); ++i) {
657 if (!self_test_drbg(&st_kat_drbg_tests[i], st, libctx))
663 static int self_test_kas(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
666 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
669 for (i = 0; i < (int)OSSL_NELEM(st_kat_kas_tests); ++i) {
670 if (!self_test_ka(&st_kat_kas_tests[i], st, libctx))
678 static int self_test_signatures(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
682 for (i = 0; i < (int)OSSL_NELEM(st_kat_sign_tests); ++i) {
683 if (!self_test_sign(&st_kat_sign_tests[i], st, libctx))
690 * Run the algorithm KAT's.
691 * Return 1 is successful, otherwise return 0.
692 * This runs all the tests regardless of if any fail.
694 int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
698 if (!self_test_digests(st, libctx))
700 if (!self_test_ciphers(st, libctx))
702 if (!self_test_signatures(st, libctx))
704 if (!self_test_kdfs(st, libctx))
706 if (!self_test_drbgs(st, libctx))
708 if (!self_test_kas(st, libctx))
710 if (!self_test_asym_ciphers(st, libctx))