2 * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include <openssl/evp.h>
12 #include <openssl/kdf.h>
13 #include <openssl/core_names.h>
14 #include <openssl/param_build.h>
15 #include "internal/cryptlib.h"
16 #include "internal/nelem.h"
17 #include "self_test.h"
18 #include "self_test_data.inc"
20 static int self_test_digest(const ST_KAT_DIGEST
*t
, OSSL_SELF_TEST
*st
,
24 unsigned char out
[EVP_MAX_MD_SIZE
];
25 unsigned int out_len
= 0;
26 EVP_MD_CTX
*ctx
= EVP_MD_CTX_new();
27 EVP_MD
*md
= EVP_MD_fetch(libctx
, t
->algorithm
, NULL
);
29 OSSL_SELF_TEST_onbegin(st
, OSSL_SELF_TEST_TYPE_KAT_DIGEST
, t
->desc
);
33 || !EVP_DigestInit_ex(ctx
, md
, NULL
)
34 || !EVP_DigestUpdate(ctx
, t
->pt
, t
->pt_len
)
35 || !EVP_DigestFinal(ctx
, out
, &out_len
))
38 /* Optional corruption */
39 OSSL_SELF_TEST_oncorrupt_byte(st
, out
);
41 if (out_len
!= t
->expected_len
42 || memcmp(out
, t
->expected
, out_len
) != 0)
48 OSSL_SELF_TEST_onend(st
, ok
);
53 * Helper function to setup a EVP_CipherInit
54 * Used to hide the complexity of Authenticated ciphers.
56 static int cipher_init(EVP_CIPHER_CTX
*ctx
, const EVP_CIPHER
*cipher
,
57 const ST_KAT_CIPHER
*t
, int enc
)
59 unsigned char *in_tag
= NULL
;
62 /* Flag required for Key wrapping */
63 EVP_CIPHER_CTX_set_flags(ctx
, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW
);
65 /* Use a normal cipher init */
66 return EVP_CipherInit_ex(ctx
, cipher
, NULL
, t
->key
, t
->iv
, enc
)
67 && EVP_CIPHER_CTX_set_padding(ctx
, pad
);
70 /* The authenticated cipher init */
72 in_tag
= (unsigned char *)t
->tag
;
74 return EVP_CipherInit_ex(ctx
, cipher
, NULL
, NULL
, NULL
, enc
)
75 && EVP_CIPHER_CTX_ctrl(ctx
, EVP_CTRL_AEAD_SET_IVLEN
, t
->iv_len
, NULL
)
77 || EVP_CIPHER_CTX_ctrl(ctx
, EVP_CTRL_AEAD_SET_TAG
, t
->tag_len
,
79 && EVP_CipherInit_ex(ctx
, NULL
, NULL
, t
->key
, t
->iv
, enc
)
80 && EVP_CIPHER_CTX_set_padding(ctx
, pad
)
81 && EVP_CipherUpdate(ctx
, NULL
, &tmp
, t
->aad
, t
->aad_len
);
84 /* Test a single KAT for encrypt/decrypt */
85 static int self_test_cipher(const ST_KAT_CIPHER
*t
, OSSL_SELF_TEST
*st
,
88 int ret
= 0, encrypt
= 1, len
, ct_len
= 0, pt_len
= 0;
89 EVP_CIPHER_CTX
*ctx
= NULL
;
90 EVP_CIPHER
*cipher
= NULL
;
91 unsigned char ct_buf
[256] = { 0 };
92 unsigned char pt_buf
[256] = { 0 };
94 OSSL_SELF_TEST_onbegin(st
, OSSL_SELF_TEST_TYPE_KAT_CIPHER
, t
->base
.desc
);
96 ctx
= EVP_CIPHER_CTX_new();
99 cipher
= EVP_CIPHER_fetch(libctx
, t
->base
.algorithm
, "");
103 /* Encrypt plain text message */
104 if (!cipher_init(ctx
, cipher
, t
, encrypt
)
105 || !EVP_CipherUpdate(ctx
, ct_buf
, &len
, t
->base
.pt
, t
->base
.pt_len
)
106 || !EVP_CipherFinal_ex(ctx
, ct_buf
+ len
, &ct_len
))
109 OSSL_SELF_TEST_oncorrupt_byte(st
, ct_buf
);
111 if (ct_len
!= (int)t
->base
.expected_len
112 || memcmp(t
->base
.expected
, ct_buf
, ct_len
) != 0)
115 if (t
->tag
!= NULL
) {
116 unsigned char tag
[16] = { 0 };
118 if (!EVP_CIPHER_CTX_ctrl(ctx
, EVP_CTRL_AEAD_GET_TAG
, t
->tag_len
, tag
)
119 || memcmp(tag
, t
->tag
, t
->tag_len
) != 0)
123 if (!(cipher_init(ctx
, cipher
, t
, !encrypt
)
124 && EVP_CipherUpdate(ctx
, pt_buf
, &len
, ct_buf
, ct_len
)
125 && EVP_CipherFinal_ex(ctx
, pt_buf
+ len
, &pt_len
)))
129 if (pt_len
!= (int)t
->base
.pt_len
130 || memcmp(pt_buf
, t
->base
.pt
, pt_len
) != 0)
135 EVP_CIPHER_free(cipher
);
136 EVP_CIPHER_CTX_free(ctx
);
137 OSSL_SELF_TEST_onend(st
, ret
);
141 static int add_params(OSSL_PARAM_BLD
*bld
, const ST_KAT_PARAM
*params
,
145 const ST_KAT_PARAM
*p
;
149 for (p
= params
; p
->data
!= NULL
; ++p
)
152 case OSSL_PARAM_UNSIGNED_INTEGER
: {
153 BIGNUM
*bn
= BN_CTX_get(ctx
);
156 || (BN_bin2bn(p
->data
, p
->data_len
, bn
) == NULL
)
157 || !OSSL_PARAM_BLD_push_BN(bld
, p
->name
, bn
))
161 case OSSL_PARAM_UTF8_STRING
: {
162 if (!OSSL_PARAM_BLD_push_utf8_string(bld
, p
->name
, p
->data
, 0))
166 case OSSL_PARAM_OCTET_STRING
: {
167 if (!OSSL_PARAM_BLD_push_octet_string(bld
, p
->name
, p
->data
,
181 static int self_test_kdf(const ST_KAT_KDF
*t
, OSSL_SELF_TEST
*st
,
185 unsigned char out
[64];
187 EVP_KDF_CTX
*ctx
= NULL
;
188 BN_CTX
*bnctx
= NULL
;
189 OSSL_PARAM
*params
= NULL
;
190 OSSL_PARAM_BLD
*bld
= NULL
;
192 OSSL_SELF_TEST_onbegin(st
, OSSL_SELF_TEST_TYPE_KAT_KDF
, t
->desc
);
194 bld
= OSSL_PARAM_BLD_new();
198 kdf
= EVP_KDF_fetch(libctx
, t
->algorithm
, "");
202 ctx
= EVP_KDF_CTX_new(kdf
);
206 bnctx
= BN_CTX_new_ex(libctx
);
209 if (!add_params(bld
, t
->params
, bnctx
))
211 params
= OSSL_PARAM_BLD_to_param(bld
);
214 if (!EVP_KDF_CTX_set_params(ctx
, params
))
217 if (t
->expected_len
> sizeof(out
))
219 if (EVP_KDF_derive(ctx
, out
, t
->expected_len
) <= 0)
222 OSSL_SELF_TEST_oncorrupt_byte(st
, out
);
224 if (memcmp(out
, t
->expected
, t
->expected_len
) != 0)
230 EVP_KDF_CTX_free(ctx
);
232 OSSL_PARAM_BLD_free_params(params
);
233 OSSL_PARAM_BLD_free(bld
);
234 OSSL_SELF_TEST_onend(st
, ret
);
238 static int self_test_drbg(const ST_KAT_DRBG
*t
, OSSL_SELF_TEST
*st
,
242 unsigned char out
[256];
244 EVP_RAND_CTX
*test
= NULL
, *drbg
= NULL
;
245 unsigned int strength
= 256;
246 int prediction_resistance
= 1; /* Causes a reseed */
247 OSSL_PARAM drbg_params
[3] = {
248 OSSL_PARAM_END
, OSSL_PARAM_END
, OSSL_PARAM_END
251 OSSL_SELF_TEST_onbegin(st
, OSSL_SELF_TEST_TYPE_DRBG
, t
->desc
);
253 rand
= EVP_RAND_fetch(libctx
, "TEST-RAND", NULL
);
257 test
= EVP_RAND_CTX_new(rand
, NULL
);
262 drbg_params
[0] = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH
,
264 if (!EVP_RAND_set_ctx_params(test
, drbg_params
))
267 rand
= EVP_RAND_fetch(libctx
, t
->algorithm
, NULL
);
271 drbg
= EVP_RAND_CTX_new(rand
, test
);
276 strength
= EVP_RAND_strength(drbg
);
278 drbg_params
[0] = OSSL_PARAM_construct_utf8_string(t
->param_name
,
280 /* This is only used by HMAC-DRBG but it is ignored by the others */
282 OSSL_PARAM_construct_utf8_string(OSSL_DRBG_PARAM_MAC
, "HMAC", 0);
283 if (!EVP_RAND_set_ctx_params(drbg
, drbg_params
))
287 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY
,
288 (void *)t
->entropyin
,
291 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_NONCE
,
292 (void *)t
->nonce
, t
->noncelen
);
293 if (!EVP_RAND_set_ctx_params(test
, drbg_params
)
294 || !EVP_RAND_instantiate(test
, strength
, 0, NULL
, 0))
296 if (!EVP_RAND_instantiate(drbg
, strength
, 0, t
->persstr
, t
->persstrlen
))
300 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY
,
301 (void *)t
->entropyinpr1
,
303 if (!EVP_RAND_set_ctx_params(test
, drbg_params
))
306 if (!EVP_RAND_generate(drbg
, out
, t
->expectedlen
, strength
,
307 prediction_resistance
,
308 t
->entropyaddin1
, t
->entropyaddin1len
))
312 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY
,
313 (void *)t
->entropyinpr2
,
315 if (!EVP_RAND_set_ctx_params(test
, drbg_params
))
318 /* This calls RAND_DRBG_reseed() internally when prediction_resistance = 1 */
319 if (!EVP_RAND_generate(drbg
, out
, t
->expectedlen
, strength
,
320 prediction_resistance
,
321 t
->entropyaddin2
, t
->entropyaddin2len
))
324 OSSL_SELF_TEST_oncorrupt_byte(st
, out
);
326 if (memcmp(out
, t
->expected
, t
->expectedlen
) != 0)
329 if (!EVP_RAND_uninstantiate(drbg
))
332 * Check that the DRBG data has been zeroized after RAND_DRBG_uninstantiate.
334 if (!EVP_RAND_verify_zeroization(drbg
))
339 EVP_RAND_CTX_free(drbg
);
340 EVP_RAND_CTX_free(test
);
341 OSSL_SELF_TEST_onend(st
, ret
);
347 static int self_test_ka(const ST_KAT_KAS
*t
,
348 OSSL_SELF_TEST
*st
, OPENSSL_CTX
*libctx
)
351 EVP_PKEY_CTX
*kactx
= NULL
, *dctx
= NULL
;
352 EVP_PKEY
*pkey
= NULL
, *peerkey
= NULL
;
353 OSSL_PARAM
*params
= NULL
;
354 OSSL_PARAM
*params_peer
= NULL
;
355 unsigned char secret
[256];
357 OSSL_PARAM_BLD
*bld
= NULL
;
358 BN_CTX
*bnctx
= NULL
;
360 OSSL_SELF_TEST_onbegin(st
, OSSL_SELF_TEST_TYPE_KAT_KA
, t
->desc
);
362 bnctx
= BN_CTX_new_ex(libctx
);
366 bld
= OSSL_PARAM_BLD_new();
370 if (!add_params(bld
, t
->key_group
, bnctx
)
371 || !add_params(bld
, t
->key_host_data
, bnctx
))
373 params
= OSSL_PARAM_BLD_to_param(bld
);
375 if (!add_params(bld
, t
->key_group
, bnctx
)
376 || !add_params(bld
, t
->key_peer_data
, bnctx
))
379 params_peer
= OSSL_PARAM_BLD_to_param(bld
);
380 if (params
== NULL
|| params_peer
== NULL
)
383 /* Create a EVP_PKEY_CTX to load the DH keys into */
384 kactx
= EVP_PKEY_CTX_new_from_name(libctx
, t
->algorithm
, "");
387 if (EVP_PKEY_key_fromdata_init(kactx
) <= 0
388 || EVP_PKEY_fromdata(kactx
, &pkey
, params
) <= 0)
390 if (EVP_PKEY_key_fromdata_init(kactx
) <= 0
391 || EVP_PKEY_fromdata(kactx
, &peerkey
, params_peer
) <= 0)
394 /* Create a EVP_PKEY_CTX to perform key derivation */
395 dctx
= EVP_PKEY_CTX_new_from_pkey(libctx
, pkey
, NULL
);
399 if (EVP_PKEY_derive_init(dctx
) <= 0
400 || EVP_PKEY_derive_set_peer(dctx
, peerkey
) <= 0
401 || EVP_PKEY_derive(dctx
, secret
, &secret_len
) <= 0)
404 OSSL_SELF_TEST_oncorrupt_byte(st
, secret
);
406 if (secret_len
!= t
->expected_len
407 || memcmp(secret
, t
->expected
, t
->expected_len
) != 0)
413 EVP_PKEY_free(peerkey
);
414 EVP_PKEY_CTX_free(kactx
);
415 EVP_PKEY_CTX_free(dctx
);
416 OSSL_PARAM_BLD_free_params(params_peer
);
417 OSSL_PARAM_BLD_free_params(params
);
418 OSSL_PARAM_BLD_free(bld
);
419 OSSL_SELF_TEST_onend(st
, ret
);
423 static int self_test_sign(const ST_KAT_SIGN
*t
,
424 OSSL_SELF_TEST
*st
, OPENSSL_CTX
*libctx
)
427 OSSL_PARAM
*params
= NULL
, *params_sig
= NULL
;
428 OSSL_PARAM_BLD
*bld
= NULL
;
429 EVP_PKEY_CTX
*sctx
= NULL
, *kctx
= NULL
;
430 EVP_PKEY
*pkey
= NULL
;
431 unsigned char sig
[256];
432 BN_CTX
*bnctx
= NULL
;
434 static const unsigned char dgst
[] = {
435 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
436 0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
437 0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
440 OSSL_SELF_TEST_onbegin(st
, OSSL_SELF_TEST_TYPE_KAT_SIGNATURE
, t
->desc
);
442 bnctx
= BN_CTX_new_ex(libctx
);
446 bld
= OSSL_PARAM_BLD_new();
450 if (!add_params(bld
, t
->key
, bnctx
))
452 params
= OSSL_PARAM_BLD_to_param(bld
);
454 /* Create a EVP_PKEY_CTX to load the DSA key into */
455 kctx
= EVP_PKEY_CTX_new_from_name(libctx
, t
->algorithm
, "");
456 if (kctx
== NULL
|| params
== NULL
)
458 if (EVP_PKEY_key_fromdata_init(kctx
) <= 0
459 || EVP_PKEY_fromdata(kctx
, &pkey
, params
) <= 0)
462 /* Create a EVP_PKEY_CTX to use for the signing operation */
463 sctx
= EVP_PKEY_CTX_new_from_pkey(libctx
, pkey
, NULL
);
465 || EVP_PKEY_sign_init(sctx
) <= 0)
468 /* set signature parameters */
469 if (!OSSL_PARAM_BLD_push_utf8_string(bld
, OSSL_SIGNATURE_PARAM_DIGEST
,
471 strlen(t
->mdalgorithm
) + 1))
473 params_sig
= OSSL_PARAM_BLD_to_param(bld
);
474 if (EVP_PKEY_CTX_set_params(sctx
, params_sig
) <= 0)
477 if (EVP_PKEY_sign(sctx
, sig
, &siglen
, dgst
, sizeof(dgst
)) <= 0
478 || EVP_PKEY_verify_init(sctx
) <= 0
479 || EVP_PKEY_CTX_set_params(sctx
, params_sig
) <= 0)
483 * Used by RSA, for other key types where the signature changes, we
484 * can only use the verify.
486 if (t
->sig_expected
!= NULL
487 && (siglen
!= t
->sig_expected_len
488 || memcmp(sig
, t
->sig_expected
, t
->sig_expected_len
) != 0))
491 OSSL_SELF_TEST_oncorrupt_byte(st
, sig
);
492 if (EVP_PKEY_verify(sctx
, sig
, siglen
, dgst
, sizeof(dgst
)) <= 0)
498 EVP_PKEY_CTX_free(kctx
);
499 EVP_PKEY_CTX_free(sctx
);
500 OSSL_PARAM_BLD_free_params(params
);
501 OSSL_PARAM_BLD_free_params(params_sig
);
502 OSSL_PARAM_BLD_free(bld
);
503 OSSL_SELF_TEST_onend(st
, ret
);
508 * Test a data driven list of KAT's for digest algorithms.
509 * All tests are run regardless of if they fail or not.
510 * Return 0 if any test fails.
512 static int self_test_digests(OSSL_SELF_TEST
*st
, OPENSSL_CTX
*libctx
)
516 for (i
= 0; i
< (int)OSSL_NELEM(st_kat_digest_tests
); ++i
) {
517 if (!self_test_digest(&st_kat_digest_tests
[i
], st
, libctx
))
523 static int self_test_ciphers(OSSL_SELF_TEST
*st
, OPENSSL_CTX
*libctx
)
527 for (i
= 0; i
< (int)OSSL_NELEM(st_kat_cipher_tests
); ++i
) {
528 if (!self_test_cipher(&st_kat_cipher_tests
[i
], st
, libctx
))
534 static int self_test_kdfs(OSSL_SELF_TEST
*st
, OPENSSL_CTX
*libctx
)
538 for (i
= 0; i
< (int)OSSL_NELEM(st_kat_kdf_tests
); ++i
) {
539 if (!self_test_kdf(&st_kat_kdf_tests
[i
], st
, libctx
))
545 static int self_test_drbgs(OSSL_SELF_TEST
*st
, OPENSSL_CTX
*libctx
)
549 for (i
= 0; i
< (int)OSSL_NELEM(st_kat_drbg_tests
); ++i
) {
550 if (!self_test_drbg(&st_kat_drbg_tests
[i
], st
, libctx
))
556 static int self_test_kas(OSSL_SELF_TEST
*st
, OPENSSL_CTX
*libctx
)
560 for (i
= 0; i
< (int)OSSL_NELEM(st_kat_kas_tests
); ++i
) {
561 if (!self_test_ka(&st_kat_kas_tests
[i
], st
, libctx
))
567 static int self_test_signatures(OSSL_SELF_TEST
*st
, OPENSSL_CTX
*libctx
)
571 for (i
= 0; i
< (int)OSSL_NELEM(st_kat_sign_tests
); ++i
) {
572 if (!self_test_sign(&st_kat_sign_tests
[i
], st
, libctx
))
579 * Run the algorithm KAT's.
580 * Return 1 is successful, otherwise return 0.
581 * This runs all the tests regardless of if any fail.
583 int SELF_TEST_kats(OSSL_SELF_TEST
*st
, OPENSSL_CTX
*libctx
)
587 if (!self_test_digests(st
, libctx
))
589 if (!self_test_ciphers(st
, libctx
))
591 if (!self_test_signatures(st
, libctx
))
593 if (!self_test_kdfs(st
, libctx
))
595 if (!self_test_drbgs(st
, libctx
))
597 if (!self_test_kas(st
, libctx
))