[thirdparty/openssl.git] / providers / fips / self_test_kats.c

/*
 * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <string.h>
#include <openssl/evp.h>
#include <openssl/kdf.h>
#include <openssl/rand_drbg.h>
#include "internal/cryptlib.h"
#include "internal/nelem.h"
#include "self_test.h"
#include "self_test_data.inc"
#include "../../crypto/rand/rand_local.h"

#define DRBG_PARAM_ENTROPY "DRBG-ENTROPY"
#define DRBG_PARAM_NONCE   "DRBG-NONCE"

static int self_test_digest(const ST_KAT_DIGEST *t, OSSL_SELF_TEST *st,
                            OPENSSL_CTX *libctx)
{
    int ok = 0;
    unsigned char out[EVP_MAX_MD_SIZE];
    unsigned int out_len = 0;
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
    EVP_MD *md = EVP_MD_fetch(libctx, t->algorithm, NULL);

    OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_DIGEST, t->desc);

    if (ctx == NULL
            || md == NULL
            || !EVP_DigestInit_ex(ctx, md, NULL)
            || !EVP_DigestUpdate(ctx, t->pt, t->pt_len)
            || !EVP_DigestFinal(ctx, out, &out_len))
        goto err;

    /* Optional corruption */
    OSSL_SELF_TEST_oncorrupt_byte(st, out);

    if (out_len != t->expected_len
            || memcmp(out, t->expected, out_len) != 0)
        goto err;
    ok = 1;
err:
    OSSL_SELF_TEST_onend(st, ok);
    EVP_MD_free(md);
    EVP_MD_CTX_free(ctx);

    return ok;
}

/*
 * Helper function to setup a EVP_CipherInit
 * Used to hide the complexity of Authenticated ciphers.
 */
static int cipher_init(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
                       const ST_KAT_CIPHER *t, int enc)
{
    unsigned char *in_tag = NULL;
    int pad = 0, tmp;

    /* Flag required for Key wrapping */
    EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
    if (t->tag == NULL) {
        /* Use a normal cipher init */
        return EVP_CipherInit_ex(ctx, cipher, NULL, t->key, t->iv, enc)
               && EVP_CIPHER_CTX_set_padding(ctx, pad);
    }

    /* The authenticated cipher init */
    if (!enc)
        in_tag = (unsigned char *)t->tag;

    return EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)
           && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, t->iv_len, NULL)
           && (in_tag == NULL
               || EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, t->tag_len,
                                      in_tag))
           && EVP_CipherInit_ex(ctx, NULL, NULL, t->key, t->iv, enc)
           && EVP_CIPHER_CTX_set_padding(ctx, pad)
           && EVP_CipherUpdate(ctx, NULL, &tmp, t->aad, t->aad_len);
}

/* Test a single KAT for encrypt/decrypt */
static int self_test_cipher(const ST_KAT_CIPHER *t, OSSL_SELF_TEST *st,
                            OPENSSL_CTX *libctx)
{
    int ret = 0, encrypt = 1, len, ct_len = 0, pt_len = 0;
    EVP_CIPHER_CTX *ctx = NULL;
    EVP_CIPHER *cipher = NULL;
    unsigned char ct_buf[256] = { 0 };
    unsigned char pt_buf[256] = { 0 };

    OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_CIPHER, t->base.desc);

    ctx = EVP_CIPHER_CTX_new();
    if (ctx == NULL)
        goto err;
    cipher = EVP_CIPHER_fetch(libctx, t->base.algorithm, "");
    if (cipher == NULL)
        goto err;

    /* Encrypt plain text message */
    if (!cipher_init(ctx, cipher, t, encrypt)
            || !EVP_CipherUpdate(ctx, ct_buf, &len, t->base.pt, t->base.pt_len)
            || !EVP_CipherFinal_ex(ctx, ct_buf + len, &ct_len))
        goto err;

    OSSL_SELF_TEST_oncorrupt_byte(st, ct_buf);
    ct_len += len;
    if (ct_len != (int)t->base.expected_len
        || memcmp(t->base.expected, ct_buf, ct_len) != 0)
        goto err;

    if (t->tag != NULL) {
        unsigned char tag[16] = { 0 };

        if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, t->tag_len, tag)
            || memcmp(tag, t->tag, t->tag_len) != 0)
            goto err;
    }

    if (!(cipher_init(ctx, cipher, t, !encrypt)
          && EVP_CipherUpdate(ctx, pt_buf, &len, ct_buf, ct_len)
          && EVP_CipherFinal_ex(ctx, pt_buf + len, &pt_len)))
        goto err;
    pt_len += len;

    if (pt_len != (int)t->base.pt_len
            || memcmp(pt_buf, t->base.pt, pt_len) != 0)
        goto err;

    ret = 1;
err:
    EVP_CIPHER_free(cipher);
    EVP_CIPHER_CTX_free(ctx);
    OSSL_SELF_TEST_onend(st, ret);
    return ret;
}

static int self_test_kdf(const ST_KAT_KDF *t, OSSL_SELF_TEST *st,
                         OPENSSL_CTX *libctx)
{
    int ret = 0;
    int i, numparams;
    unsigned char out[64];
    EVP_KDF *kdf = NULL;
    EVP_KDF_CTX *ctx = NULL;
    OSSL_PARAM params[16];
    const OSSL_PARAM *settables = NULL;

    numparams = OSSL_NELEM(params);
    OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_KDF, t->desc);

    /* Zeroize the params array to avoid mem leaks on error */
    for (i = 0; i < numparams; ++i)
        params[i] = OSSL_PARAM_construct_end();

    kdf = EVP_KDF_fetch(libctx, t->algorithm, "");
    ctx = EVP_KDF_CTX_new(kdf);
    if (ctx == NULL)
        goto err;

    settables = EVP_KDF_settable_ctx_params(kdf);
    for (i = 0; t->ctrls[i].name != NULL; ++i) {
        if (!ossl_assert(i < (numparams - 1)))
            goto err;
        if (!OSSL_PARAM_allocate_from_text(&params[i], settables,
                                           t->ctrls[i].name,
                                           t->ctrls[i].value,
                                           strlen(t->ctrls[i].value), NULL))
            goto err;
    }
    if (!EVP_KDF_CTX_set_params(ctx, params))
        goto err;

    if (t->expected_len > sizeof(out))
        goto err;
    if (EVP_KDF_derive(ctx, out, t->expected_len) <= 0)
        goto err;

    OSSL_SELF_TEST_oncorrupt_byte(st, out);

    if (memcmp(out, t->expected,  t->expected_len) != 0)
        goto err;

    ret = 1;
err:
    for (i = 0; params[i].key != NULL; ++i)
        OPENSSL_free(params[i].data);
    EVP_KDF_free(kdf);
    EVP_KDF_CTX_free(ctx);
    OSSL_SELF_TEST_onend(st, ret);
    return ret;
}

static size_t drbg_kat_entropy_cb(RAND_DRBG *drbg, unsigned char **pout,
                                  int entropy, size_t min_len, size_t max_len,
                                  int prediction_resistance)
{
    OSSL_PARAM *drbg_params = RAND_DRBG_get_callback_data(drbg);
    OSSL_PARAM *p = OSSL_PARAM_locate(drbg_params, DRBG_PARAM_ENTROPY);

    if (p == NULL || p->data_type != OSSL_PARAM_OCTET_STRING)
        return 0;
    *pout = (unsigned char *)p->data;
    return p->data_size;
}

static size_t drbg_kat_nonce_cb(RAND_DRBG *drbg, unsigned char **pout,
                                int entropy, size_t min_len, size_t max_len)
{
    OSSL_PARAM *drbg_params = RAND_DRBG_get_callback_data(drbg);
    OSSL_PARAM *p = OSSL_PARAM_locate(drbg_params, DRBG_PARAM_NONCE);

    if (p == NULL || p->data_type != OSSL_PARAM_OCTET_STRING)
        return 0;
    *pout = (unsigned char *)p->data;
    return p->data_size;
}

static int self_test_drbg(const ST_KAT_DRBG *t, OSSL_SELF_TEST *st,
                          OPENSSL_CTX *libctx)
{
    int ret = 0;
    unsigned char out[256];
    RAND_DRBG *drbg = NULL;
    unsigned int flags = 0;
    int prediction_resistance = 1; /* Causes a reseed */
    OSSL_PARAM drbg_params[3] = {
        OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END
    };
    static const unsigned char zero[sizeof(drbg->data)] = { 0 };

    OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_DRBG, t->desc);

    if (strcmp(t->desc, OSSL_SELF_TEST_DESC_DRBG_HMAC) == 0)
        flags |= RAND_DRBG_FLAG_HMAC;

    drbg = RAND_DRBG_new_ex(libctx, t->nid, flags, NULL);
    if (drbg == NULL)
        goto err;

    if (!RAND_DRBG_set_callback_data(drbg, drbg_params))
        goto err;

    if (!RAND_DRBG_set_callbacks(drbg, drbg_kat_entropy_cb, NULL,
                                 drbg_kat_nonce_cb, NULL))
        goto err;

    drbg_params[0] =
        OSSL_PARAM_construct_octet_string(DRBG_PARAM_ENTROPY,
                                          (void *)t->entropyin, t->entropyinlen);
    drbg_params[1] =
        OSSL_PARAM_construct_octet_string(DRBG_PARAM_NONCE,
                                          (void *)t->nonce, t->noncelen);

    if (!RAND_DRBG_instantiate(drbg, t->persstr, t->persstrlen))
        goto err;

    drbg_params[0] =
        OSSL_PARAM_construct_octet_string(DRBG_PARAM_ENTROPY,
                                          (void *)t->entropyinpr1,
                                          t->entropyinpr1len);

    if (!RAND_DRBG_generate(drbg, out, t->expectedlen, prediction_resistance,
                            t->entropyaddin1, t->entropyaddin1len))
        goto err;

    drbg_params[0] =
        OSSL_PARAM_construct_octet_string(DRBG_PARAM_ENTROPY,
                                         (void *)t->entropyinpr2,
                                         t->entropyinpr2len);
    /* This calls RAND_DRBG_reseed() internally when prediction_resistance = 1 */
    if (!RAND_DRBG_generate(drbg, out,  t->expectedlen, prediction_resistance,
                            t->entropyaddin2, t->entropyaddin2len))
        goto err;

    OSSL_SELF_TEST_oncorrupt_byte(st, out);

    if (memcmp(out, t->expected, t->expectedlen) != 0)
        goto err;

    if (!RAND_DRBG_uninstantiate(drbg))
        goto err;
    /*
     * Check that the DRBG data has been zeroized after RAND_DRBG_uninstantiate.
     */
    if (memcmp((unsigned char *)&drbg->data, zero, sizeof(drbg->data)) != 0)
        goto err;

    ret = 1;
err:
    RAND_DRBG_free(drbg);
    OSSL_SELF_TEST_onend(st, ret);
    return ret;
}

/*
 * Test a data driven list of KAT's for digest algorithms.
 * All tests are run regardless of if they fail or not.
 * Return 0 if any test fails.
 */
static int self_test_digests(OSSL_SELF_TEST *st, OPENSSL_CTX *libctx)
{
    int i, ret = 1;

    for (i = 0; i < (int)OSSL_NELEM(st_kat_digest_tests); ++i) {
        if (!self_test_digest(&st_kat_digest_tests[i], st, libctx))
            ret = 0;
    }
    return ret;
}

static int self_test_ciphers(OSSL_SELF_TEST *st, OPENSSL_CTX *libctx)
{
    int i, ret = 1;

    for (i = 0; i < (int)OSSL_NELEM(st_kat_cipher_tests); ++i) {
        if (!self_test_cipher(&st_kat_cipher_tests[i], st, libctx))
            ret = 0;
    }
    return ret;
}

static int self_test_kdfs(OSSL_SELF_TEST *st, OPENSSL_CTX *libctx)
{
    int i, ret = 1;

    for (i = 0; i < (int)OSSL_NELEM(st_kat_kdf_tests); ++i) {
        if (!self_test_kdf(&st_kat_kdf_tests[i], st, libctx))
            ret = 0;
    }
    return ret;
}

static int self_test_drbgs(OSSL_SELF_TEST *st, OPENSSL_CTX *libctx)
{
    int i, ret = 1;

    for (i = 0; i < (int)OSSL_NELEM(st_kat_drbg_tests); ++i) {
        if (!self_test_drbg(&st_kat_drbg_tests[i], st, libctx))
            ret = 0;
    }
    return ret;
}

/*
 * Run the algorithm KAT's.
 * Return 1 is successful, otherwise return 0.
 * This runs all the tests regardless of if any fail.
 *
 * TODO(3.0) Add self tests for KA, Sign/Verify when they become available
 */
int SELF_TEST_kats(OSSL_SELF_TEST *st, OPENSSL_CTX *libctx)
{
    int ret = 1;

    if (!self_test_digests(st, libctx))
        ret = 0;
    if (!self_test_ciphers(st, libctx))
        ret = 0;
    if (!self_test_kdfs(st, libctx))
        ret = 0;
    if (!self_test_drbgs(st, libctx))
        ret = 0;

    return ret;
}
Commit	Line	Data
36fc5fc6	1	/*
d5e66eab	2	* Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
36fc5fc6 SL	3	*
	4	* Licensed under the OpenSSL license (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include <string.h>
	11	#include <openssl/evp.h>
	12	#include <openssl/kdf.h>
980a880e	13	#include <openssl/rand_drbg.h>
d5e66eab	14	#include "internal/cryptlib.h"
36fc5fc6 SL	15	#include "internal/nelem.h"
	16	#include "self_test.h"
	17	#include "self_test_data.inc"
980a880e SL	18	#include "../../crypto/rand/rand_local.h"
	19
	20	#define DRBG_PARAM_ENTROPY "DRBG-ENTROPY"
	21	#define DRBG_PARAM_NONCE "DRBG-NONCE"
36fc5fc6	22
47c239c6	23	static int self_test_digest(const ST_KAT_DIGEST t, OSSL_SELF_TEST st,
36fc5fc6 SL	24	OPENSSL_CTX *libctx)
	25	{
	26	int ok = 0;
	27	unsigned char out[EVP_MAX_MD_SIZE];
	28	unsigned int out_len = 0;
	29	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
	30	EVP_MD *md = EVP_MD_fetch(libctx, t->algorithm, NULL);
	31
47c239c6	32	OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_DIGEST, t->desc);
36fc5fc6 SL	33
	34	if (ctx == NULL
	35	\|\| md == NULL
	36	\|\| !EVP_DigestInit_ex(ctx, md, NULL)
	37	\|\| !EVP_DigestUpdate(ctx, t->pt, t->pt_len)
	38	\|\| !EVP_DigestFinal(ctx, out, &out_len))
	39	goto err;
	40
	41	/* Optional corruption */
47c239c6	42	OSSL_SELF_TEST_oncorrupt_byte(st, out);
36fc5fc6 SL	43
	44	if (out_len != t->expected_len
	45	\|\| memcmp(out, t->expected, out_len) != 0)
	46	goto err;
	47	ok = 1;
	48	err:
47c239c6	49	OSSL_SELF_TEST_onend(st, ok);
36fc5fc6 SL	50	EVP_MD_free(md);
	51	EVP_MD_CTX_free(ctx);
	52
	53	return ok;
	54	}
	55
	56	/*
	57	* Helper function to setup a EVP_CipherInit
	58	* Used to hide the complexity of Authenticated ciphers.
	59	*/
	60	static int cipher_init(EVP_CIPHER_CTX ctx, const EVP_CIPHER cipher,
	61	const ST_KAT_CIPHER *t, int enc)
	62	{
	63	unsigned char *in_tag = NULL;
	64	int pad = 0, tmp;
	65
	66	/* Flag required for Key wrapping */
	67	EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
	68	if (t->tag == NULL) {
	69	/* Use a normal cipher init */
	70	return EVP_CipherInit_ex(ctx, cipher, NULL, t->key, t->iv, enc)
	71	&& EVP_CIPHER_CTX_set_padding(ctx, pad);
	72	}
	73
	74	/* The authenticated cipher init */
	75	if (!enc)
	76	in_tag = (unsigned char *)t->tag;
	77
	78	return EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)
	79	&& EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, t->iv_len, NULL)
	80	&& (in_tag == NULL
	81	\|\| EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, t->tag_len,
	82	in_tag))
	83	&& EVP_CipherInit_ex(ctx, NULL, NULL, t->key, t->iv, enc)
	84	&& EVP_CIPHER_CTX_set_padding(ctx, pad)
	85	&& EVP_CipherUpdate(ctx, NULL, &tmp, t->aad, t->aad_len);
	86	}
	87
	88	/* Test a single KAT for encrypt/decrypt */
47c239c6	89	static int self_test_cipher(const ST_KAT_CIPHER t, OSSL_SELF_TEST st,
36fc5fc6 SL	90	OPENSSL_CTX *libctx)
	91	{
	92	int ret = 0, encrypt = 1, len, ct_len = 0, pt_len = 0;
	93	EVP_CIPHER_CTX *ctx = NULL;
	94	EVP_CIPHER *cipher = NULL;
	95	unsigned char ct_buf[256] = { 0 };
	96	unsigned char pt_buf[256] = { 0 };
	97
47c239c6	98	OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_CIPHER, t->base.desc);
36fc5fc6 SL	99
	100	ctx = EVP_CIPHER_CTX_new();
	101	if (ctx == NULL)
980a880e	102	goto err;
36fc5fc6 SL	103	cipher = EVP_CIPHER_fetch(libctx, t->base.algorithm, "");
36fc5fc6 SL	104	if (cipher == NULL)
980a880e	105	goto err;
36fc5fc6 SL	106
	107	/* Encrypt plain text message */
	108	if (!cipher_init(ctx, cipher, t, encrypt)
	109	\|\| !EVP_CipherUpdate(ctx, ct_buf, &len, t->base.pt, t->base.pt_len)
	110	\|\| !EVP_CipherFinal_ex(ctx, ct_buf + len, &ct_len))
980a880e	111	goto err;
36fc5fc6	112
47c239c6	113	OSSL_SELF_TEST_oncorrupt_byte(st, ct_buf);
36fc5fc6 SL	114	ct_len += len;
	115	if (ct_len != (int)t->base.expected_len
	116	\|\| memcmp(t->base.expected, ct_buf, ct_len) != 0)
980a880e	117	goto err;
36fc5fc6 SL	118
	119	if (t->tag != NULL) {
	120	unsigned char tag[16] = { 0 };
	121
	122	if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, t->tag_len, tag)
	123	\|\| memcmp(tag, t->tag, t->tag_len) != 0)
980a880e	124	goto err;
36fc5fc6 SL	125	}
	126
	127	if (!(cipher_init(ctx, cipher, t, !encrypt)
	128	&& EVP_CipherUpdate(ctx, pt_buf, &len, ct_buf, ct_len)
	129	&& EVP_CipherFinal_ex(ctx, pt_buf + len, &pt_len)))
980a880e	130	goto err;
36fc5fc6 SL	131	pt_len += len;
	132
	133	if (pt_len != (int)t->base.pt_len
	134	\|\| memcmp(pt_buf, t->base.pt, pt_len) != 0)
980a880e	135	goto err;
36fc5fc6 SL	136
36fc5fc6 SL	137	ret = 1;
980a880e	138	err:
36fc5fc6 SL	139	EVP_CIPHER_free(cipher);
36fc5fc6 SL	140	EVP_CIPHER_CTX_free(ctx);
47c239c6	141	OSSL_SELF_TEST_onend(st, ret);
36fc5fc6 SL	142	return ret;
	143	}
	144
47c239c6	145	static int self_test_kdf(const ST_KAT_KDF t, OSSL_SELF_TEST st,
36fc5fc6 SL	146	OPENSSL_CTX *libctx)
	147	{
	148	int ret = 0;
d5e66eab	149	int i, numparams;
36fc5fc6 SL	150	unsigned char out[64];
	151	EVP_KDF *kdf = NULL;
	152	EVP_KDF_CTX *ctx = NULL;
	153	OSSL_PARAM params[16];
	154	const OSSL_PARAM *settables = NULL;
	155
d5e66eab	156	numparams = OSSL_NELEM(params);
47c239c6	157	OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_KDF, t->desc);
36fc5fc6	158
d5e66eab SL	159	/* Zeroize the params array to avoid mem leaks on error */
	160	for (i = 0; i < numparams; ++i)
	161	params[i] = OSSL_PARAM_construct_end();
	162
36fc5fc6 SL	163	kdf = EVP_KDF_fetch(libctx, t->algorithm, "");
	164	ctx = EVP_KDF_CTX_new(kdf);
	165	if (ctx == NULL)
980a880e	166	goto err;
36fc5fc6 SL	167
	168	settables = EVP_KDF_settable_ctx_params(kdf);
	169	for (i = 0; t->ctrls[i].name != NULL; ++i) {
d5e66eab	170	if (!ossl_assert(i < (numparams - 1)))
980a880e	171	goto err;
36fc5fc6 SL	172	if (!OSSL_PARAM_allocate_from_text(&params[i], settables,
	173	t->ctrls[i].name,
	174	t->ctrls[i].value,
2ee0dfa6	175	strlen(t->ctrls[i].value), NULL))
980a880e	176	goto err;
36fc5fc6	177	}
36fc5fc6	178	if (!EVP_KDF_CTX_set_params(ctx, params))
980a880e	179	goto err;
36fc5fc6 SL	180
36fc5fc6 SL	181	if (t->expected_len > sizeof(out))
980a880e	182	goto err;
36fc5fc6	183	if (EVP_KDF_derive(ctx, out, t->expected_len) <= 0)
980a880e	184	goto err;
36fc5fc6	185
47c239c6	186	OSSL_SELF_TEST_oncorrupt_byte(st, out);
36fc5fc6 SL	187
36fc5fc6 SL	188	if (memcmp(out, t->expected, t->expected_len) != 0)
980a880e	189	goto err;
36fc5fc6 SL	190
36fc5fc6 SL	191	ret = 1;
980a880e	192	err:
36fc5fc6 SL	193	for (i = 0; params[i].key != NULL; ++i)
	194	OPENSSL_free(params[i].data);
	195	EVP_KDF_free(kdf);
	196	EVP_KDF_CTX_free(ctx);
47c239c6	197	OSSL_SELF_TEST_onend(st, ret);
36fc5fc6 SL	198	return ret;
	199	}
	200
980a880e SL	201	static size_t drbg_kat_entropy_cb(RAND_DRBG drbg, unsigned char *pout,
	202	int entropy, size_t min_len, size_t max_len,
	203	int prediction_resistance)
	204	{
	205	OSSL_PARAM *drbg_params = RAND_DRBG_get_callback_data(drbg);
	206	OSSL_PARAM *p = OSSL_PARAM_locate(drbg_params, DRBG_PARAM_ENTROPY);
	207
	208	if (p == NULL \|\| p->data_type != OSSL_PARAM_OCTET_STRING)
	209	return 0;
	210	pout = (unsigned char )p->data;
	211	return p->data_size;
	212	}
	213
	214	static size_t drbg_kat_nonce_cb(RAND_DRBG drbg, unsigned char *pout,
	215	int entropy, size_t min_len, size_t max_len)
	216	{
	217	OSSL_PARAM *drbg_params = RAND_DRBG_get_callback_data(drbg);
	218	OSSL_PARAM *p = OSSL_PARAM_locate(drbg_params, DRBG_PARAM_NONCE);
	219
	220	if (p == NULL \|\| p->data_type != OSSL_PARAM_OCTET_STRING)
	221	return 0;
	222	pout = (unsigned char )p->data;
	223	return p->data_size;
	224	}
	225
47c239c6	226	static int self_test_drbg(const ST_KAT_DRBG t, OSSL_SELF_TEST st,
980a880e SL	227	OPENSSL_CTX *libctx)
	228	{
	229	int ret = 0;
	230	unsigned char out[256];
	231	RAND_DRBG *drbg = NULL;
	232	unsigned int flags = 0;
	233	int prediction_resistance = 1; /* Causes a reseed */
	234	OSSL_PARAM drbg_params[3] = {
	235	OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END
	236	};
e7045215	237	static const unsigned char zero[sizeof(drbg->data)] = { 0 };
980a880e	238
47c239c6	239	OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_DRBG, t->desc);
980a880e SL	240
	241	if (strcmp(t->desc, OSSL_SELF_TEST_DESC_DRBG_HMAC) == 0)
	242	flags \|= RAND_DRBG_FLAG_HMAC;
	243
	244	drbg = RAND_DRBG_new_ex(libctx, t->nid, flags, NULL);
	245	if (drbg == NULL)
	246	goto err;
	247
	248	if (!RAND_DRBG_set_callback_data(drbg, drbg_params))
	249	goto err;
	250
	251	if (!RAND_DRBG_set_callbacks(drbg, drbg_kat_entropy_cb, NULL,
	252	drbg_kat_nonce_cb, NULL))
	253	goto err;
	254
	255	drbg_params[0] =
	256	OSSL_PARAM_construct_octet_string(DRBG_PARAM_ENTROPY,
	257	(void *)t->entropyin, t->entropyinlen);
	258	drbg_params[1] =
	259	OSSL_PARAM_construct_octet_string(DRBG_PARAM_NONCE,
	260	(void *)t->nonce, t->noncelen);
	261
	262	if (!RAND_DRBG_instantiate(drbg, t->persstr, t->persstrlen))
	263	goto err;
	264
	265	drbg_params[0] =
	266	OSSL_PARAM_construct_octet_string(DRBG_PARAM_ENTROPY,
	267	(void *)t->entropyinpr1,
	268	t->entropyinpr1len);
	269
	270	if (!RAND_DRBG_generate(drbg, out, t->expectedlen, prediction_resistance,
	271	t->entropyaddin1, t->entropyaddin1len))
	272	goto err;
	273
	274	drbg_params[0] =
	275	OSSL_PARAM_construct_octet_string(DRBG_PARAM_ENTROPY,
	276	(void *)t->entropyinpr2,
	277	t->entropyinpr2len);
	278	/* This calls RAND_DRBG_reseed() internally when prediction_resistance = 1 */
	279	if (!RAND_DRBG_generate(drbg, out, t->expectedlen, prediction_resistance,
	280	t->entropyaddin2, t->entropyaddin2len))
	281	goto err;
	282
47c239c6	283	OSSL_SELF_TEST_oncorrupt_byte(st, out);
980a880e SL	284
	285	if (memcmp(out, t->expected, t->expectedlen) != 0)
	286	goto err;
	287
	288	if (!RAND_DRBG_uninstantiate(drbg))
	289	goto err;
	290	/*
e7045215	291	* Check that the DRBG data has been zeroized after RAND_DRBG_uninstantiate.
980a880e	292	*/
e7045215 DMSP	293	if (memcmp((unsigned char *)&drbg->data, zero, sizeof(drbg->data)) != 0)
	294	goto err;
	295
980a880e SL	296	ret = 1;
	297	err:
	298	RAND_DRBG_free(drbg);
47c239c6	299	OSSL_SELF_TEST_onend(st, ret);
980a880e SL	300	return ret;
	301	}
	302
36fc5fc6 SL	303	/*
	304	* Test a data driven list of KAT's for digest algorithms.
	305	* All tests are run regardless of if they fail or not.
	306	* Return 0 if any test fails.
	307	*/
47c239c6	308	static int self_test_digests(OSSL_SELF_TEST st, OPENSSL_CTX libctx)
36fc5fc6 SL	309	{
	310	int i, ret = 1;
	311
	312	for (i = 0; i < (int)OSSL_NELEM(st_kat_digest_tests); ++i) {
47c239c6	313	if (!self_test_digest(&st_kat_digest_tests[i], st, libctx))
36fc5fc6 SL	314	ret = 0;
	315	}
	316	return ret;
	317	}
	318
47c239c6	319	static int self_test_ciphers(OSSL_SELF_TEST st, OPENSSL_CTX libctx)
36fc5fc6 SL	320	{
	321	int i, ret = 1;
	322
	323	for (i = 0; i < (int)OSSL_NELEM(st_kat_cipher_tests); ++i) {
47c239c6	324	if (!self_test_cipher(&st_kat_cipher_tests[i], st, libctx))
36fc5fc6 SL	325	ret = 0;
	326	}
	327	return ret;
	328	}
	329
47c239c6	330	static int self_test_kdfs(OSSL_SELF_TEST st, OPENSSL_CTX libctx)
36fc5fc6 SL	331	{
	332	int i, ret = 1;
	333
	334	for (i = 0; i < (int)OSSL_NELEM(st_kat_kdf_tests); ++i) {
47c239c6	335	if (!self_test_kdf(&st_kat_kdf_tests[i], st, libctx))
36fc5fc6 SL	336	ret = 0;
	337	}
	338	return ret;
	339	}
	340
47c239c6	341	static int self_test_drbgs(OSSL_SELF_TEST st, OPENSSL_CTX libctx)
980a880e SL	342	{
	343	int i, ret = 1;
	344
	345	for (i = 0; i < (int)OSSL_NELEM(st_kat_drbg_tests); ++i) {
47c239c6	346	if (!self_test_drbg(&st_kat_drbg_tests[i], st, libctx))
980a880e SL	347	ret = 0;
	348	}
	349	return ret;
	350	}
	351
36fc5fc6 SL	352	/*
	353	* Run the algorithm KAT's.
	354	* Return 1 is successful, otherwise return 0.
	355	* This runs all the tests regardless of if any fail.
	356	*
980a880e	357	* TODO(3.0) Add self tests for KA, Sign/Verify when they become available
36fc5fc6	358	*/
47c239c6	359	int SELF_TEST_kats(OSSL_SELF_TEST st, OPENSSL_CTX libctx)
36fc5fc6 SL	360	{
	361	int ret = 1;
	362
47c239c6	363	if (!self_test_digests(st, libctx))
36fc5fc6	364	ret = 0;
47c239c6	365	if (!self_test_ciphers(st, libctx))
36fc5fc6	366	ret = 0;
47c239c6	367	if (!self_test_kdfs(st, libctx))
36fc5fc6	368	ret = 0;
47c239c6	369	if (!self_test_drbgs(st, libctx))
980a880e	370	ret = 0;
36fc5fc6 SL	371
	372	return ret;
	373	}