2 * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include <openssl/evp.h>
12 #include <openssl/kdf.h>
13 #include <openssl/core_names.h>
14 #include <openssl/param_build.h>
15 #include "internal/cryptlib.h"
16 #include "internal/nelem.h"
17 #include "self_test.h"
18 #include "self_test_data.inc"
20 static int self_test_digest(const ST_KAT_DIGEST *t, OSSL_SELF_TEST *st,
24 unsigned char out[EVP_MAX_MD_SIZE];
25 unsigned int out_len = 0;
26 EVP_MD_CTX *ctx = EVP_MD_CTX_new();
27 EVP_MD *md = EVP_MD_fetch(libctx, t->algorithm, NULL);
29 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_DIGEST, t->desc);
33 || !EVP_DigestInit_ex(ctx, md, NULL)
34 || !EVP_DigestUpdate(ctx, t->pt, t->pt_len)
35 || !EVP_DigestFinal(ctx, out, &out_len))
38 /* Optional corruption */
39 OSSL_SELF_TEST_oncorrupt_byte(st, out);
41 if (out_len != t->expected_len
42 || memcmp(out, t->expected, out_len) != 0)
48 OSSL_SELF_TEST_onend(st, ok);
53 * Helper function to setup a EVP_CipherInit
54 * Used to hide the complexity of Authenticated ciphers.
56 static int cipher_init(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
57 const ST_KAT_CIPHER *t, int enc)
59 unsigned char *in_tag = NULL;
62 /* Flag required for Key wrapping */
63 EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
65 /* Use a normal cipher init */
66 return EVP_CipherInit_ex(ctx, cipher, NULL, t->key, t->iv, enc)
67 && EVP_CIPHER_CTX_set_padding(ctx, pad);
70 /* The authenticated cipher init */
72 in_tag = (unsigned char *)t->tag;
74 return EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)
75 && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, t->iv_len, NULL)
77 || EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, t->tag_len,
79 && EVP_CipherInit_ex(ctx, NULL, NULL, t->key, t->iv, enc)
80 && EVP_CIPHER_CTX_set_padding(ctx, pad)
81 && EVP_CipherUpdate(ctx, NULL, &tmp, t->aad, t->aad_len);
84 /* Test a single KAT for encrypt/decrypt */
85 static int self_test_cipher(const ST_KAT_CIPHER *t, OSSL_SELF_TEST *st,
88 int ret = 0, encrypt = 1, len, ct_len = 0, pt_len = 0;
89 EVP_CIPHER_CTX *ctx = NULL;
90 EVP_CIPHER *cipher = NULL;
91 unsigned char ct_buf[256] = { 0 };
92 unsigned char pt_buf[256] = { 0 };
94 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_CIPHER, t->base.desc);
96 ctx = EVP_CIPHER_CTX_new();
99 cipher = EVP_CIPHER_fetch(libctx, t->base.algorithm, "");
103 /* Encrypt plain text message */
104 if (!cipher_init(ctx, cipher, t, encrypt)
105 || !EVP_CipherUpdate(ctx, ct_buf, &len, t->base.pt, t->base.pt_len)
106 || !EVP_CipherFinal_ex(ctx, ct_buf + len, &ct_len))
109 OSSL_SELF_TEST_oncorrupt_byte(st, ct_buf);
111 if (ct_len != (int)t->base.expected_len
112 || memcmp(t->base.expected, ct_buf, ct_len) != 0)
115 if (t->tag != NULL) {
116 unsigned char tag[16] = { 0 };
118 if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, t->tag_len, tag)
119 || memcmp(tag, t->tag, t->tag_len) != 0)
123 if (!(cipher_init(ctx, cipher, t, !encrypt)
124 && EVP_CipherUpdate(ctx, pt_buf, &len, ct_buf, ct_len)
125 && EVP_CipherFinal_ex(ctx, pt_buf + len, &pt_len)))
129 if (pt_len != (int)t->base.pt_len
130 || memcmp(pt_buf, t->base.pt, pt_len) != 0)
135 EVP_CIPHER_free(cipher);
136 EVP_CIPHER_CTX_free(ctx);
137 OSSL_SELF_TEST_onend(st, ret);
141 static int add_params(OSSL_PARAM_BLD *bld, const ST_KAT_PARAM *params,
145 const ST_KAT_PARAM *p;
149 for (p = params; p->data != NULL; ++p)
152 case OSSL_PARAM_UNSIGNED_INTEGER: {
153 BIGNUM *bn = BN_CTX_get(ctx);
156 || (BN_bin2bn(p->data, p->data_len, bn) == NULL)
157 || !OSSL_PARAM_BLD_push_BN(bld, p->name, bn))
161 case OSSL_PARAM_UTF8_STRING: {
162 if (!OSSL_PARAM_BLD_push_utf8_string(bld, p->name, p->data, 0))
166 case OSSL_PARAM_OCTET_STRING: {
167 if (!OSSL_PARAM_BLD_push_octet_string(bld, p->name, p->data,
181 static int self_test_kdf(const ST_KAT_KDF *t, OSSL_SELF_TEST *st,
182 OSSL_LIB_CTX *libctx)
185 unsigned char out[64];
187 EVP_KDF_CTX *ctx = NULL;
188 BN_CTX *bnctx = NULL;
189 OSSL_PARAM *params = NULL;
190 OSSL_PARAM_BLD *bld = NULL;
192 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_KDF, t->desc);
194 bld = OSSL_PARAM_BLD_new();
198 kdf = EVP_KDF_fetch(libctx, t->algorithm, "");
202 ctx = EVP_KDF_CTX_new(kdf);
206 bnctx = BN_CTX_new_ex(libctx);
209 if (!add_params(bld, t->params, bnctx))
211 params = OSSL_PARAM_BLD_to_param(bld);
214 if (!EVP_KDF_CTX_set_params(ctx, params))
217 if (t->expected_len > sizeof(out))
219 if (EVP_KDF_derive(ctx, out, t->expected_len) <= 0)
222 OSSL_SELF_TEST_oncorrupt_byte(st, out);
224 if (memcmp(out, t->expected, t->expected_len) != 0)
230 EVP_KDF_CTX_free(ctx);
232 OSSL_PARAM_BLD_free_params(params);
233 OSSL_PARAM_BLD_free(bld);
234 OSSL_SELF_TEST_onend(st, ret);
238 static int self_test_drbg(const ST_KAT_DRBG *t, OSSL_SELF_TEST *st,
239 OSSL_LIB_CTX *libctx)
242 unsigned char out[256];
244 EVP_RAND_CTX *test = NULL, *drbg = NULL;
245 unsigned int strength = 256;
246 int prediction_resistance = 1; /* Causes a reseed */
247 OSSL_PARAM drbg_params[3] = {
248 OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END
251 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_DRBG, t->desc);
253 rand = EVP_RAND_fetch(libctx, "TEST-RAND", NULL);
257 test = EVP_RAND_CTX_new(rand, NULL);
262 drbg_params[0] = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH,
264 if (!EVP_RAND_set_ctx_params(test, drbg_params))
267 rand = EVP_RAND_fetch(libctx, t->algorithm, NULL);
271 drbg = EVP_RAND_CTX_new(rand, test);
276 strength = EVP_RAND_strength(drbg);
278 drbg_params[0] = OSSL_PARAM_construct_utf8_string(t->param_name,
280 /* This is only used by HMAC-DRBG but it is ignored by the others */
282 OSSL_PARAM_construct_utf8_string(OSSL_DRBG_PARAM_MAC, "HMAC", 0);
283 if (!EVP_RAND_set_ctx_params(drbg, drbg_params))
287 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY,
288 (void *)t->entropyin,
291 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_NONCE,
292 (void *)t->nonce, t->noncelen);
293 if (!EVP_RAND_set_ctx_params(test, drbg_params)
294 || !EVP_RAND_instantiate(test, strength, 0, NULL, 0))
296 if (!EVP_RAND_instantiate(drbg, strength, 0, t->persstr, t->persstrlen))
300 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY,
301 (void *)t->entropyinpr1,
303 if (!EVP_RAND_set_ctx_params(test, drbg_params))
306 if (!EVP_RAND_generate(drbg, out, t->expectedlen, strength,
307 prediction_resistance,
308 t->entropyaddin1, t->entropyaddin1len))
312 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY,
313 (void *)t->entropyinpr2,
315 if (!EVP_RAND_set_ctx_params(test, drbg_params))
319 * This calls ossl_prov_drbg_reseed() internally when
320 * prediction_resistance = 1
322 if (!EVP_RAND_generate(drbg, out, t->expectedlen, strength,
323 prediction_resistance,
324 t->entropyaddin2, t->entropyaddin2len))
327 OSSL_SELF_TEST_oncorrupt_byte(st, out);
329 if (memcmp(out, t->expected, t->expectedlen) != 0)
332 if (!EVP_RAND_uninstantiate(drbg))
335 * Check that the DRBG data has been zeroized after
336 * ossl_prov_drbg_uninstantiate.
338 if (!EVP_RAND_verify_zeroization(drbg))
343 EVP_RAND_CTX_free(drbg);
344 EVP_RAND_CTX_free(test);
345 OSSL_SELF_TEST_onend(st, ret);
349 static int self_test_ka(const ST_KAT_KAS *t,
350 OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
353 EVP_PKEY_CTX *kactx = NULL, *dctx = NULL;
354 EVP_PKEY *pkey = NULL, *peerkey = NULL;
355 OSSL_PARAM *params = NULL;
356 OSSL_PARAM *params_peer = NULL;
357 unsigned char secret[256];
359 OSSL_PARAM_BLD *bld = NULL;
360 BN_CTX *bnctx = NULL;
362 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_KA, t->desc);
364 bnctx = BN_CTX_new_ex(libctx);
368 bld = OSSL_PARAM_BLD_new();
372 if (!add_params(bld, t->key_group, bnctx)
373 || !add_params(bld, t->key_host_data, bnctx))
375 params = OSSL_PARAM_BLD_to_param(bld);
377 if (!add_params(bld, t->key_group, bnctx)
378 || !add_params(bld, t->key_peer_data, bnctx))
381 params_peer = OSSL_PARAM_BLD_to_param(bld);
382 if (params == NULL || params_peer == NULL)
385 /* Create a EVP_PKEY_CTX to load the DH keys into */
386 kactx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, "");
389 if (EVP_PKEY_key_fromdata_init(kactx) <= 0
390 || EVP_PKEY_fromdata(kactx, &pkey, params) <= 0)
392 if (EVP_PKEY_key_fromdata_init(kactx) <= 0
393 || EVP_PKEY_fromdata(kactx, &peerkey, params_peer) <= 0)
396 /* Create a EVP_PKEY_CTX to perform key derivation */
397 dctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
401 if (EVP_PKEY_derive_init(dctx) <= 0
402 || EVP_PKEY_derive_set_peer(dctx, peerkey) <= 0
403 || EVP_PKEY_derive(dctx, secret, &secret_len) <= 0)
406 OSSL_SELF_TEST_oncorrupt_byte(st, secret);
408 if (secret_len != t->expected_len
409 || memcmp(secret, t->expected, t->expected_len) != 0)
415 EVP_PKEY_free(peerkey);
416 EVP_PKEY_CTX_free(kactx);
417 EVP_PKEY_CTX_free(dctx);
418 OSSL_PARAM_BLD_free_params(params_peer);
419 OSSL_PARAM_BLD_free_params(params);
420 OSSL_PARAM_BLD_free(bld);
421 OSSL_SELF_TEST_onend(st, ret);
425 static int self_test_sign(const ST_KAT_SIGN *t,
426 OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
429 OSSL_PARAM *params = NULL, *params_sig = NULL;
430 OSSL_PARAM_BLD *bld = NULL;
431 EVP_PKEY_CTX *sctx = NULL, *kctx = NULL;
432 EVP_PKEY *pkey = NULL;
433 unsigned char sig[256];
434 BN_CTX *bnctx = NULL;
436 static const unsigned char dgst[] = {
437 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
438 0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
439 0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
442 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_SIGNATURE, t->desc);
444 bnctx = BN_CTX_new_ex(libctx);
448 bld = OSSL_PARAM_BLD_new();
452 if (!add_params(bld, t->key, bnctx))
454 params = OSSL_PARAM_BLD_to_param(bld);
456 /* Create a EVP_PKEY_CTX to load the DSA key into */
457 kctx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, "");
458 if (kctx == NULL || params == NULL)
460 if (EVP_PKEY_key_fromdata_init(kctx) <= 0
461 || EVP_PKEY_fromdata(kctx, &pkey, params) <= 0)
464 /* Create a EVP_PKEY_CTX to use for the signing operation */
465 sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
467 || EVP_PKEY_sign_init(sctx) <= 0)
470 /* set signature parameters */
471 if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST,
473 strlen(t->mdalgorithm) + 1))
475 params_sig = OSSL_PARAM_BLD_to_param(bld);
476 if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
479 if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0
480 || EVP_PKEY_verify_init(sctx) <= 0
481 || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
485 * Used by RSA, for other key types where the signature changes, we
486 * can only use the verify.
488 if (t->sig_expected != NULL
489 && (siglen != t->sig_expected_len
490 || memcmp(sig, t->sig_expected, t->sig_expected_len) != 0))
493 OSSL_SELF_TEST_oncorrupt_byte(st, sig);
494 if (EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0)
500 EVP_PKEY_CTX_free(kctx);
501 EVP_PKEY_CTX_free(sctx);
502 OSSL_PARAM_BLD_free_params(params);
503 OSSL_PARAM_BLD_free_params(params_sig);
504 OSSL_PARAM_BLD_free(bld);
505 OSSL_SELF_TEST_onend(st, ret);
510 * Test an encrypt or decrypt KAT..
512 * FIPS 140-2 IG D.9 states that separate KAT tests are needed for encrypt
515 static int self_test_asym_cipher(const ST_KAT_ASYM_CIPHER *t, OSSL_SELF_TEST *st,
516 OSSL_LIB_CTX *libctx)
519 OSSL_PARAM *keyparams = NULL, *initparams = NULL;
520 OSSL_PARAM_BLD *keybld = NULL, *initbld = NULL;
521 EVP_PKEY_CTX *encctx = NULL, *keyctx = NULL;
522 EVP_PKEY *key = NULL;
523 BN_CTX *bnctx = NULL;
524 unsigned char out[256];
525 size_t outlen = sizeof(out);
527 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_ASYM_CIPHER, t->desc);
529 bnctx = BN_CTX_new_ex(libctx);
533 /* Load a public or private key from data */
534 keybld = OSSL_PARAM_BLD_new();
536 || !add_params(keybld, t->key, bnctx))
538 keyparams = OSSL_PARAM_BLD_to_param(keybld);
539 keyctx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, NULL);
540 if (keyctx == NULL || keyparams == NULL)
542 if (EVP_PKEY_key_fromdata_init(keyctx) <= 0
543 || EVP_PKEY_fromdata(keyctx, &key, keyparams) <= 0)
546 /* Create a EVP_PKEY_CTX to use for the encrypt or decrypt operation */
547 encctx = EVP_PKEY_CTX_new_from_pkey(libctx, key, NULL);
549 || (t->encrypt && EVP_PKEY_encrypt_init(encctx) <= 0)
550 || (!t->encrypt && EVP_PKEY_decrypt_init(encctx) <= 0))
553 /* Add any additional parameters such as padding */
554 if (t->postinit != NULL) {
555 initbld = OSSL_PARAM_BLD_new();
558 if (!add_params(initbld, t->postinit, bnctx))
560 initparams = OSSL_PARAM_BLD_to_param(initbld);
561 if (initparams == NULL)
563 if (EVP_PKEY_CTX_set_params(encctx, initparams) <= 0)
568 if (EVP_PKEY_encrypt(encctx, out, &outlen,
569 t->in, t->in_len) <= 0)
572 if (EVP_PKEY_decrypt(encctx, out, &outlen,
573 t->in, t->in_len) <= 0)
577 OSSL_SELF_TEST_oncorrupt_byte(st, out);
578 if (outlen != t->expected_len
579 || memcmp(out, t->expected, t->expected_len) != 0)
586 EVP_PKEY_CTX_free(encctx);
587 EVP_PKEY_CTX_free(keyctx);
588 OSSL_PARAM_BLD_free_params(keyparams);
589 OSSL_PARAM_BLD_free(keybld);
590 OSSL_PARAM_BLD_free_params(initparams);
591 OSSL_PARAM_BLD_free(initbld);
592 OSSL_SELF_TEST_onend(st, ret);
597 * Test a data driven list of KAT's for digest algorithms.
598 * All tests are run regardless of if they fail or not.
599 * Return 0 if any test fails.
601 static int self_test_digests(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
605 for (i = 0; i < (int)OSSL_NELEM(st_kat_digest_tests); ++i) {
606 if (!self_test_digest(&st_kat_digest_tests[i], st, libctx))
612 static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
616 for (i = 0; i < (int)OSSL_NELEM(st_kat_cipher_tests); ++i) {
617 if (!self_test_cipher(&st_kat_cipher_tests[i], st, libctx))
623 static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
627 for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_cipher_tests); ++i) {
628 if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx))
634 static int self_test_kdfs(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
638 for (i = 0; i < (int)OSSL_NELEM(st_kat_kdf_tests); ++i) {
639 if (!self_test_kdf(&st_kat_kdf_tests[i], st, libctx))
645 static int self_test_drbgs(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
649 for (i = 0; i < (int)OSSL_NELEM(st_kat_drbg_tests); ++i) {
650 if (!self_test_drbg(&st_kat_drbg_tests[i], st, libctx))
656 static int self_test_kas(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
660 for (i = 0; i < (int)OSSL_NELEM(st_kat_kas_tests); ++i) {
661 if (!self_test_ka(&st_kat_kas_tests[i], st, libctx))
667 static int self_test_signatures(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
671 for (i = 0; i < (int)OSSL_NELEM(st_kat_sign_tests); ++i) {
672 if (!self_test_sign(&st_kat_sign_tests[i], st, libctx))
679 * Run the algorithm KAT's.
680 * Return 1 is successful, otherwise return 0.
681 * This runs all the tests regardless of if any fail.
683 int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
687 if (!self_test_digests(st, libctx))
689 if (!self_test_ciphers(st, libctx))
691 if (!self_test_signatures(st, libctx))
693 if (!self_test_kdfs(st, libctx))
695 if (!self_test_drbgs(st, libctx))
697 if (!self_test_kas(st, libctx))
699 if (!self_test_asym_ciphers(st, libctx))