1 /* Copyright (c) 2017, Google Inc. 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15 #include <openssl/crypto.h> 16 17 #include <stdio.h> 18 19 #include <openssl/aead.h> 20 #include <openssl/aes.h> 21 #include <openssl/bn.h> 22 #include <openssl/des.h> 23 #include <openssl/ecdsa.h> 24 #include <openssl/ec_key.h> 25 #include <openssl/nid.h> 26 #include <openssl/rsa.h> 27 #include <openssl/sha.h> 28 29 #include "../../internal.h" 30 #include "../ec/internal.h" 31 #include "../rand/internal.h" 32 33 34 // MSVC wants to put a NUL byte at the end of non-char arrays and so cannot 35 // compile this. 36 #if !defined(_MSC_VER) 37 38 static void hexdump(const uint8_t *in, size_t len) { 39 for (size_t i = 0; i < len; i++) { 40 printf("%02x", in[i]); 41 } 42 } 43 44 static int check_test(const void *expected, const void *actual, 45 size_t expected_len, const char *name) { 46 if (OPENSSL_memcmp(actual, expected, expected_len) != 0) { 47 printf("%s failed.\nExpected: ", name); 48 hexdump(expected, expected_len); 49 printf("\nCalculated: "); 50 hexdump(actual, expected_len); 51 printf("\n"); 52 return 0; 53 } 54 return 1; 55 } 56 57 static int set_bignum(BIGNUM **out, const uint8_t *in, size_t len) { 58 *out = BN_bin2bn(in, len, NULL); 59 return *out != NULL; 60 } 61 62 static RSA *self_test_rsa_key(void) { 63 static const uint8_t kN[] = { 64 0xd3, 0x3a, 0x62, 0x9f, 0x07, 0x77, 0xb0, 0x18, 0xf3, 0xff, 0xfe, 0xcc, 65 0xc9, 0xa2, 0xc2, 0x3a, 0xa6, 0x1d, 0xd8, 0xf0, 0x26, 0x5b, 0x38, 0x90, 66 0x17, 0x48, 0x15, 0xce, 0x21, 0xcd, 0xd6, 0x62, 0x99, 0xe2, 0xd7, 0xda, 67 0x40, 0x80, 0x3c, 0xad, 0x18, 0xb7, 0x26, 0xe9, 0x30, 0x8a, 0x23, 0x3f, 68 0x68, 0x9a, 0x9c, 0x31, 0x34, 0x91, 0x99, 0x06, 0x11, 0x36, 0xb2, 0x9e, 69 0x3a, 0xd0, 0xbc, 0xb9, 0x93, 0x4e, 0xb8, 0x72, 0xa1, 0x9f, 0xb6, 0x8c, 70 0xd5, 0x17, 0x1f, 0x7e, 0xaa, 0x75, 0xbb, 0xdf, 0xa1, 0x70, 0x48, 0xc4, 71 0xec, 0x9a, 0x51, 0xed, 0x41, 0xc9, 0x74, 0xc0, 0x3e, 0x1e, 0x85, 0x2f, 72 0xbe, 0x34, 0xc7, 0x65, 0x34, 0x8b, 0x4d, 0x55, 0x4b, 0xe1, 0x45, 0x54, 73 0x0d, 0x75, 0x7e, 0x89, 0x4d, 0x0c, 0xf6, 0x33, 0xe5, 0xfc, 0xfb, 0x56, 74 0x1b, 0xf2, 0x39, 0x9d, 0xe0, 0xff, 0x55, 0xcf, 0x02, 0x05, 0xb9, 0x74, 75 0xd2, 0x91, 0xfc, 0x87, 0xe1, 0xbb, 0x97, 0x2a, 0xe4, 0xdd, 0x20, 0xc0, 76 0x38, 0x47, 0xc0, 0x76, 0x3f, 0xa1, 0x9b, 0x5c, 0x20, 0xff, 0xff, 0xc7, 77 0x49, 0x3b, 0x4c, 0xaf, 0x99, 0xa6, 0x3e, 0x82, 0x5c, 0x58, 0x27, 0xce, 78 0x01, 0x03, 0xc3, 0x16, 0x35, 0x20, 0xe9, 0xf0, 0x15, 0x7a, 0x41, 0xd5, 79 0x1f, 0x52, 0xea, 0xdf, 0xad, 0x4c, 0xbb, 0x0d, 0xcb, 0x04, 0x91, 0xb0, 80 0x95, 0xa8, 0xce, 0x25, 0xfd, 0xd2, 0x62, 0x47, 0x77, 0xee, 0x13, 0xf1, 81 0x48, 0x72, 0x9e, 0xd9, 0x2d, 0xe6, 0x5f, 0xa4, 0xc6, 0x9e, 0x5a, 0xb2, 82 0xc6, 0xa2, 0xf7, 0x0a, 0x16, 0x17, 0xae, 0x6b, 0x1c, 0x30, 0x7c, 0x63, 83 0x08, 0x83, 0xe7, 0x43, 0xec, 0x54, 0x5e, 0x2c, 0x08, 0x0b, 0x5e, 0x46, 84 0xa7, 0x10, 0x93, 0x43, 0x53, 0x4e, 0xe3, 0x16, 0x73, 0x55, 0xce, 0xf2, 85 0x94, 0xc0, 0xbe, 0xb3, 86 }; 87 static const uint8_t kE[] = {0x01, 0x00, 0x01}; // 65537 88 static const uint8_t kD[] = { 89 0x2f, 0x2c, 0x1e, 0xd2, 0x3d, 0x2c, 0xb1, 0x9b, 0x21, 0x02, 0xce, 0xb8, 90 0x95, 0x5f, 0x4f, 0xd9, 0x21, 0x38, 0x11, 0x36, 0xb0, 0x9a, 0x36, 0xab, 91 0x97, 0x47, 0x75, 0xf7, 0x2e, 0xfd, 0x75, 0x1f, 0x58, 0x16, 0x9c, 0xf6, 92 0x14, 0xe9, 0x8e, 0xa3, 0x69, 0x9d, 0x9d, 0x86, 0xfe, 0x5c, 0x1b, 0x3b, 93 0x11, 0xf5, 0x55, 0x64, 0x77, 0xc4, 0xfc, 0x53, 0xaa, 0x8c, 0x78, 0x9f, 94 0x75, 0xab, 0x20, 0x3a, 0xa1, 0x77, 0x37, 0x22, 0x02, 0x8e, 0x54, 0x8a, 95 0x67, 0x1c, 0x5e, 0xe0, 0x3e, 0xd9, 0x44, 0x37, 0xd1, 0x29, 0xee, 0x56, 96 0x6c, 0x30, 0x9a, 0x93, 0x4d, 0xd9, 0xdb, 0xc5, 0x03, 0x1a, 0x75, 0xcc, 97 0x0f, 0xc2, 0x61, 0xb5, 0x6c, 0x62, 0x9f, 0xc6, 0xa8, 0xc7, 0x8a, 0x60, 98 0x17, 0x11, 0x62, 0x4c, 0xef, 0x74, 0x31, 0x97, 0xad, 0x89, 0x2d, 0xe8, 99 0x31, 0x1d, 0x8b, 0x58, 0x82, 0xe3, 0x03, 0x1a, 0x6b, 0xdf, 0x3f, 0x3e, 100 0xa4, 0x27, 0x19, 0xef, 0x46, 0x7a, 0x90, 0xdf, 0xa7, 0xe7, 0xc9, 0x66, 101 0xab, 0x41, 0x1d, 0x65, 0x78, 0x1c, 0x18, 0x40, 0x5c, 0xd6, 0x87, 0xb5, 102 0xea, 0x29, 0x44, 0xb3, 0xf5, 0xb3, 0xd2, 0x4f, 0xce, 0x88, 0x78, 0x49, 103 0x27, 0x4e, 0x0b, 0x30, 0x85, 0xfb, 0x73, 0xfd, 0x8b, 0x32, 0x15, 0xee, 104 0x1f, 0xc9, 0x0e, 0x89, 0xb9, 0x43, 0x2f, 0xe9, 0x60, 0x8d, 0xda, 0xae, 105 0x2b, 0x30, 0x99, 0xee, 0x88, 0x81, 0x20, 0x7b, 0x4a, 0xc3, 0x18, 0xf2, 106 0x94, 0x02, 0x79, 0x94, 0xaa, 0x65, 0xd9, 0x1b, 0x45, 0x2a, 0xac, 0x6e, 107 0x30, 0x48, 0x57, 0xea, 0xbe, 0x79, 0x7d, 0xfc, 0x67, 0xaa, 0x47, 0xc0, 108 0xf7, 0x52, 0xfd, 0x0b, 0x63, 0x4e, 0x3d, 0x2e, 0xcc, 0x36, 0xa0, 0xdb, 109 0x92, 0x0b, 0xa9, 0x1b, 0xeb, 0xc2, 0xd5, 0x08, 0xd3, 0x85, 0x87, 0xf8, 110 0x5d, 0x1a, 0xf6, 0xc1, 111 }; 112 static const uint8_t kP[] = { 113 0xf7, 0x06, 0xa3, 0x98, 0x8a, 0x52, 0xf8, 0x63, 0x68, 0x27, 0x4f, 0x68, 114 0x7f, 0x34, 0xec, 0x8e, 0x5d, 0xf8, 0x30, 0x92, 0xb3, 0x62, 0x4c, 0xeb, 115 0xdb, 0x19, 0x6b, 0x09, 0xc5, 0xa3, 0xf0, 0xbb, 0xff, 0x0f, 0xc2, 0xd4, 116 0x9b, 0xc9, 0x54, 0x4f, 0xb9, 0xf9, 0xe1, 0x4c, 0xf0, 0xe3, 0x4c, 0x90, 117 0xda, 0x7a, 0x01, 0xc2, 0x9f, 0xc4, 0xc8, 0x8e, 0xb1, 0x1e, 0x93, 0x75, 118 0x75, 0xc6, 0x13, 0x25, 0xc3, 0xee, 0x3b, 0xcc, 0xb8, 0x72, 0x6c, 0x49, 119 0xb0, 0x09, 0xfb, 0xab, 0x44, 0xeb, 0x4d, 0x40, 0xf0, 0x61, 0x6b, 0xe5, 120 0xe6, 0xfe, 0x3e, 0x0a, 0x77, 0x26, 0x39, 0x76, 0x3d, 0x4c, 0x3e, 0x9b, 121 0x5b, 0xc0, 0xaf, 0xa2, 0x58, 0x76, 0xb0, 0xe9, 0xda, 0x7f, 0x0e, 0x78, 122 0xc9, 0x76, 0x49, 0x5c, 0xfa, 0xb3, 0xb0, 0x15, 0x4b, 0x41, 0xc7, 0x27, 123 0xa4, 0x75, 0x28, 0x5c, 0x30, 0x69, 0x50, 0x29, 124 }; 125 static const uint8_t kQ[] = { 126 0xda, 0xe6, 0xd2, 0xbb, 0x44, 0xff, 0x4f, 0xdf, 0x57, 0xc1, 0x11, 0xa3, 127 0x51, 0xba, 0x17, 0x89, 0x4c, 0x01, 0xc0, 0x0c, 0x97, 0x34, 0x50, 0xcf, 128 0x32, 0x1e, 0xc0, 0xbd, 0x7b, 0x35, 0xb5, 0x6a, 0x26, 0xcc, 0xea, 0x4c, 129 0x8e, 0x87, 0x4a, 0x67, 0x8b, 0xd3, 0xe5, 0x4f, 0x3a, 0x60, 0x48, 0x59, 130 0x04, 0x93, 0x39, 0xd7, 0x7c, 0xfb, 0x19, 0x1a, 0x34, 0xd5, 0xe8, 0xaf, 131 0xe7, 0x22, 0x2c, 0x0d, 0xc2, 0x91, 0x69, 0xb6, 0xe9, 0x2a, 0xe9, 0x1c, 132 0x4c, 0x6e, 0x8f, 0x40, 0xf5, 0xa8, 0x3e, 0x82, 0x69, 0x69, 0xbe, 0x9f, 133 0x7d, 0x5c, 0x7f, 0x92, 0x78, 0x17, 0xa3, 0x6d, 0x41, 0x2d, 0x72, 0xed, 134 0x3f, 0x71, 0xfa, 0x97, 0xb4, 0x63, 0xe4, 0x4f, 0xd9, 0x46, 0x03, 0xfb, 135 0x00, 0xeb, 0x30, 0x70, 0xb9, 0x51, 0xd9, 0x0a, 0xd2, 0xf8, 0x50, 0xd4, 136 0xfb, 0x43, 0x84, 0xf8, 0xac, 0x58, 0xc3, 0x7b, 137 }; 138 static const uint8_t kDModPMinusOne[] = { 139 0xf5, 0x50, 0x8f, 0x88, 0x7d, 0xdd, 0xb5, 0xb4, 0x2a, 0x8b, 0xd7, 0x4d, 140 0x23, 0xfe, 0xaf, 0xe9, 0x16, 0x22, 0xd2, 0x41, 0xed, 0x88, 0xf2, 0x70, 141 0xcb, 0x4d, 0xeb, 0xc1, 0x71, 0x97, 0xc4, 0x0b, 0x3e, 0x5a, 0x2d, 0x96, 142 0xab, 0xfa, 0xfd, 0x12, 0x8b, 0xd3, 0x3e, 0x4e, 0x05, 0x6f, 0x04, 0xeb, 143 0x59, 0x3c, 0x0e, 0xa1, 0x73, 0xbe, 0x9d, 0x99, 0x2f, 0x05, 0xf9, 0x54, 144 0x8d, 0x98, 0x1e, 0x0d, 0xc4, 0x0c, 0xc3, 0x30, 0x23, 0xff, 0xe5, 0xd0, 145 0x2b, 0xd5, 0x4e, 0x2b, 0xa0, 0xae, 0xb8, 0x32, 0x84, 0x45, 0x8b, 0x3c, 146 0x6d, 0xf0, 0x10, 0x36, 0x9e, 0x6a, 0xc4, 0x67, 0xca, 0xa9, 0xfc, 0x06, 147 0x96, 0xd0, 0xbc, 0xda, 0xd1, 0x55, 0x55, 0x8d, 0x77, 0x21, 0xf4, 0x82, 148 0x39, 0x37, 0x91, 0xd5, 0x97, 0x56, 0x78, 0xc8, 0x3c, 0xcb, 0x5e, 0xf6, 149 0xdc, 0x58, 0x48, 0xb3, 0x7c, 0x94, 0x29, 0x39, 150 }; 151 static const uint8_t kDModQMinusOne[] = { 152 0x64, 0x65, 0xbd, 0x7d, 0x1a, 0x96, 0x26, 0xa1, 0xfe, 0xf3, 0x94, 0x0d, 153 0x5d, 0xec, 0x85, 0xe2, 0xf8, 0xb3, 0x4c, 0xcb, 0xf9, 0x85, 0x8b, 0x12, 154 0x9c, 0xa0, 0x32, 0x32, 0x35, 0x92, 0x5a, 0x94, 0x47, 0x1b, 0x70, 0xd2, 155 0x90, 0x04, 0x49, 0x01, 0xd8, 0xc5, 0xe4, 0xc4, 0x43, 0xb7, 0xe9, 0x36, 156 0xba, 0xbc, 0x73, 0xa8, 0xfb, 0xaf, 0x86, 0xc1, 0xd8, 0x3d, 0xcb, 0xac, 157 0xf1, 0xcb, 0x60, 0x7d, 0x27, 0x21, 0xde, 0x64, 0x7f, 0xe8, 0xa8, 0x65, 158 0xcc, 0x40, 0x60, 0xff, 0xa0, 0x2b, 0xfc, 0x0f, 0x80, 0x1d, 0x79, 0xca, 159 0x58, 0x8a, 0xd6, 0x0f, 0xed, 0x78, 0x9a, 0x02, 0x00, 0x04, 0xc2, 0x53, 160 0x41, 0xe8, 0x1a, 0xd0, 0xfd, 0x71, 0x5b, 0x43, 0xac, 0x19, 0x4a, 0xb6, 161 0x12, 0xa3, 0xcb, 0xe1, 0xc7, 0x7d, 0x5c, 0x98, 0x74, 0x4e, 0x63, 0x74, 162 0x6b, 0x91, 0x7a, 0x29, 0x3b, 0x92, 0xb2, 0x85, 163 }; 164 static const uint8_t kQInverseModP[] = { 165 0xd0, 0xde, 0x19, 0xda, 0x1e, 0xa2, 0xd8, 0x8f, 0x1c, 0x92, 0x73, 0xb0, 166 0xc9, 0x90, 0xc7, 0xf5, 0xec, 0xc5, 0x89, 0x01, 0x05, 0x78, 0x11, 0x2d, 167 0x74, 0x34, 0x44, 0xad, 0xd5, 0xf7, 0xa4, 0xfe, 0x9f, 0x25, 0x4d, 0x0b, 168 0x92, 0xe3, 0xb8, 0x7d, 0xd3, 0xfd, 0xa5, 0xca, 0x95, 0x60, 0xa3, 0xf9, 169 0x55, 0x42, 0x14, 0xb2, 0x45, 0x51, 0x9f, 0x73, 0x88, 0x43, 0x8a, 0xd1, 170 0x65, 0x9e, 0xd1, 0xf7, 0x82, 0x2a, 0x2a, 0x8d, 0x70, 0x56, 0xe3, 0xef, 171 0xc9, 0x0e, 0x2a, 0x2c, 0x15, 0xaf, 0x7f, 0x97, 0x81, 0x66, 0xf3, 0xb5, 172 0x00, 0xa9, 0x26, 0xcc, 0x1e, 0xc2, 0x98, 0xdd, 0xd3, 0x37, 0x06, 0x79, 173 0xb3, 0x60, 0x58, 0x79, 0x99, 0x3f, 0xa3, 0x15, 0x1f, 0x31, 0xe3, 0x11, 174 0x88, 0x4c, 0x35, 0x57, 0xfa, 0x79, 0xd7, 0xd8, 0x72, 0xee, 0x73, 0x95, 175 0x89, 0x29, 0xc7, 0x05, 0x27, 0x68, 0x90, 0x15, 176 }; 177 178 RSA *rsa = RSA_new(); 179 if (rsa == NULL || 180 !set_bignum(&rsa->n, kN, sizeof(kN)) || 181 !set_bignum(&rsa->e, kE, sizeof(kE)) || 182 !set_bignum(&rsa->d, kD, sizeof(kD)) || 183 !set_bignum(&rsa->p, kP, sizeof(kP)) || 184 !set_bignum(&rsa->q, kQ, sizeof(kQ)) || 185 !set_bignum(&rsa->dmp1, kDModPMinusOne, sizeof(kDModPMinusOne)) || 186 !set_bignum(&rsa->dmq1, kDModQMinusOne, sizeof(kDModQMinusOne)) || 187 !set_bignum(&rsa->iqmp, kQInverseModP, sizeof(kQInverseModP))) { 188 RSA_free(rsa); 189 return NULL; 190 } 191 192 return rsa; 193 } 194 195 static EC_KEY *self_test_ecdsa_key(void) { 196 static const uint8_t kQx[] = { 197 0xc8, 0x15, 0x61, 0xec, 0xf2, 0xe5, 0x4e, 0xde, 0xfe, 0x66, 0x17, 198 0xdb, 0x1c, 0x7a, 0x34, 0xa7, 0x07, 0x44, 0xdd, 0xb2, 0x61, 0xf2, 199 0x69, 0xb8, 0x3d, 0xac, 0xfc, 0xd2, 0xad, 0xe5, 0xa6, 0x81, 200 }; 201 static const uint8_t kQy[] = { 202 0xe0, 0xe2, 0xaf, 0xa3, 0xf9, 0xb6, 0xab, 0xe4, 0xc6, 0x98, 0xef, 203 0x64, 0x95, 0xf1, 0xbe, 0x49, 0xa3, 0x19, 0x6c, 0x50, 0x56, 0xac, 204 0xb3, 0x76, 0x3f, 0xe4, 0x50, 0x7e, 0xec, 0x59, 0x6e, 0x88, 205 }; 206 static const uint8_t kD[] = { 207 0xc6, 0xc1, 0xaa, 0xda, 0x15, 0xb0, 0x76, 0x61, 0xf8, 0x14, 0x2c, 208 0x6c, 0xaf, 0x0f, 0xdb, 0x24, 0x1a, 0xff, 0x2e, 0xfe, 0x46, 0xc0, 209 0x93, 0x8b, 0x74, 0xf2, 0xbc, 0xc5, 0x30, 0x52, 0xb0, 0x77, 210 }; 211 212 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); 213 BIGNUM *qx = BN_bin2bn(kQx, sizeof(kQx), NULL); 214 BIGNUM *qy = BN_bin2bn(kQy, sizeof(kQy), NULL); 215 BIGNUM *d = BN_bin2bn(kD, sizeof(kD), NULL); 216 if (ec_key == NULL || qx == NULL || qy == NULL || d == NULL || 217 !EC_KEY_set_public_key_affine_coordinates(ec_key, qx, qy) || 218 !EC_KEY_set_private_key(ec_key, d)) { 219 EC_KEY_free(ec_key); 220 ec_key = NULL; 221 } 222 223 BN_free(qx); 224 BN_free(qy); 225 BN_free(d); 226 return ec_key; 227 } 228 229 int BORINGSSL_self_test(void) { 230 static const uint8_t kAESKey[16] = "BoringCrypto Key"; 231 static const uint8_t kAESIV[16] = {0}; 232 static const uint8_t kPlaintext[64] = 233 "BoringCryptoModule FIPS KAT Encryption and Decryption Plaintext!"; 234 static const uint8_t kAESCBCCiphertext[64] = { 235 0x87, 0x2d, 0x98, 0xc2, 0xcc, 0x31, 0x5b, 0x41, 0xe0, 0xfa, 0x7b, 236 0x0a, 0x71, 0xc0, 0x42, 0xbf, 0x4f, 0x61, 0xd0, 0x0d, 0x58, 0x8c, 237 0xf7, 0x05, 0xfb, 0x94, 0x89, 0xd3, 0xbc, 0xaa, 0x1a, 0x50, 0x45, 238 0x1f, 0xc3, 0x8c, 0xb8, 0x98, 0x86, 0xa3, 0xe3, 0x6c, 0xfc, 0xad, 239 0x3a, 0xb5, 0x59, 0x27, 0x7d, 0x21, 0x07, 0xca, 0x4c, 0x1d, 0x55, 240 0x34, 0xdd, 0x5a, 0x2d, 0xc4, 0xb4, 0xf5, 0xa8, 241 #if !defined(BORINGSSL_FIPS_BREAK_AES_CBC) 242 0x35 243 #else 244 0x00 245 #endif 246 }; 247 static const uint8_t kAESGCMCiphertext[80] = { 248 0x4a, 0xd8, 0xe7, 0x7d, 0x78, 0xd7, 0x7d, 0x5e, 0xb2, 0x11, 0xb6, 0xc9, 249 0xa4, 0xbc, 0xb2, 0xae, 0xbe, 0x93, 0xd1, 0xb7, 0xfe, 0x65, 0xc1, 0x82, 250 0x2a, 0xb6, 0x71, 0x5f, 0x1a, 0x7c, 0xe0, 0x1b, 0x2b, 0xe2, 0x53, 0xfa, 251 0xa0, 0x47, 0xfa, 0xd7, 0x8f, 0xb1, 0x4a, 0xc4, 0xdc, 0x89, 0xf9, 0xb4, 252 0x14, 0x4d, 0xde, 0x95, 0xea, 0x29, 0x69, 0x76, 0x81, 0xa3, 0x5c, 0x33, 253 0xd8, 0x37, 0xd8, 0xfa, 0x47, 0x19, 0x46, 0x2f, 0xf1, 0x90, 0xb7, 0x61, 254 0x8f, 0x6f, 0xdd, 0x31, 0x3f, 0x6a, 0x64, 255 #if !defined(BORINGSSL_FIPS_BREAK_AES_GCM) 256 0x0d 257 #else 258 0x00 259 #endif 260 }; 261 static const DES_cblock kDESKey1 = {"BCMDESK1"}; 262 static const DES_cblock kDESKey2 = {"BCMDESK2"}; 263 static const DES_cblock kDESKey3 = {"BCMDESK3"}; 264 static const DES_cblock kDESIV = {"BCMDESIV"}; 265 static const uint8_t kDESCiphertext[64] = { 266 0xa4, 0x30, 0x7a, 0x4c, 0x1f, 0x60, 0x16, 0xd7, 0x4f, 0x41, 0xe1, 267 0xbb, 0x27, 0xc4, 0x27, 0x37, 0xd4, 0x7f, 0xb9, 0x10, 0xf8, 0xbc, 268 0xaf, 0x93, 0x91, 0xb8, 0x88, 0x24, 0xb1, 0xf6, 0xf8, 0xbd, 0x31, 269 0x96, 0x06, 0x76, 0xde, 0x32, 0xcd, 0x29, 0x29, 0xba, 0x70, 0x5f, 270 0xea, 0xc0, 0xcb, 0xde, 0xc7, 0x75, 0x90, 0xe0, 0x0f, 0x5e, 0x2c, 271 0x0d, 0x49, 0x20, 0xd5, 0x30, 0x83, 0xf8, 0x08, 272 #if !defined(BORINGSSL_FIPS_BREAK_DES) 273 0x5a 274 #else 275 0x00 276 #endif 277 }; 278 static const uint8_t kPlaintextSHA1[20] = { 279 0xc6, 0xf8, 0xc9, 0x63, 0x1c, 0x14, 0x23, 0x62, 0x9b, 0xbd, 280 0x55, 0x82, 0xf4, 0xd6, 0x1d, 0xf2, 0xab, 0x7d, 0xc8, 281 #if !defined(BORINGSSL_FIPS_BREAK_SHA_1) 282 0x28 283 #else 284 0x00 285 #endif 286 }; 287 static const uint8_t kPlaintextSHA256[32] = { 288 0x37, 0xbd, 0x70, 0x53, 0x72, 0xfc, 0xd4, 0x03, 0x79, 0x70, 0xfb, 289 0x06, 0x95, 0xb1, 0x2a, 0x82, 0x48, 0xe1, 0x3e, 0xf2, 0x33, 0xfb, 290 0xef, 0x29, 0x81, 0x22, 0x45, 0x40, 0x43, 0x70, 0xce, 291 #if !defined(BORINGSSL_FIPS_BREAK_SHA_256) 292 0x0f 293 #else 294 0x00 295 #endif 296 }; 297 static const uint8_t kPlaintextSHA512[64] = { 298 0x08, 0x6a, 0x1c, 0x84, 0x61, 0x9d, 0x8e, 0xb3, 0xc0, 0x97, 0x4e, 299 0xa1, 0x9f, 0x9c, 0xdc, 0xaf, 0x3b, 0x5c, 0x31, 0xf0, 0xf2, 0x74, 300 0xc3, 0xbd, 0x6e, 0xd6, 0x1e, 0xb2, 0xbb, 0x34, 0x74, 0x72, 0x5c, 301 0x51, 0x29, 0x8b, 0x87, 0x3a, 0xa3, 0xf2, 0x25, 0x23, 0xd4, 0x1c, 302 0x82, 0x1b, 0xfe, 0xd3, 0xc6, 0xee, 0xb5, 0xd6, 0xaf, 0x07, 0x7b, 303 0x98, 0xca, 0xa7, 0x01, 0xf3, 0x94, 0xf3, 0x68, 304 #if !defined(BORINGSSL_FIPS_BREAK_SHA_512) 305 0x14 306 #else 307 0x00 308 #endif 309 }; 310 static const uint8_t kRSASignature[256] = { 311 0x62, 0x66, 0x4b, 0xe3, 0xb1, 0xd2, 0x83, 0xf1, 0xa8, 0x56, 0x2b, 0x33, 312 0x60, 0x1e, 0xdb, 0x1e, 0x06, 0xf7, 0xa7, 0x1e, 0xa8, 0xef, 0x03, 0x4d, 313 0x0c, 0xf6, 0x83, 0x75, 0x7a, 0xf0, 0x14, 0xc7, 0xe2, 0x94, 0x3a, 0xb5, 314 0x67, 0x56, 0xa5, 0x48, 0x7f, 0x3a, 0xa5, 0xbf, 0xf7, 0x1d, 0x44, 0xa6, 315 0x34, 0xed, 0x9b, 0xd6, 0x51, 0xaa, 0x2c, 0x4e, 0xce, 0x60, 0x5f, 0xe9, 316 0x0e, 0xd5, 0xcd, 0xeb, 0x23, 0x27, 0xf8, 0xfb, 0x45, 0xe5, 0x34, 0x63, 317 0x77, 0x7f, 0x2e, 0x80, 0xcf, 0x9d, 0x2e, 0xfc, 0xe2, 0x50, 0x75, 0x29, 318 0x46, 0xf4, 0xaf, 0x91, 0xed, 0x36, 0xe1, 0x5e, 0xef, 0x66, 0xa1, 0xff, 319 0x27, 0xfc, 0x87, 0x7e, 0x60, 0x84, 0x0f, 0x54, 0x51, 0x56, 0x0f, 0x68, 320 0x99, 0xc0, 0x3f, 0xeb, 0xa5, 0xa0, 0x46, 0xb0, 0x86, 0x02, 0xb0, 0xc8, 321 0xe8, 0x46, 0x13, 0x06, 0xcd, 0xb7, 0x8a, 0xd0, 0x3b, 0x46, 0xd0, 0x14, 322 0x64, 0x53, 0x9b, 0x5b, 0x5e, 0x02, 0x45, 0xba, 0x6e, 0x7e, 0x0a, 0xb9, 323 0x9e, 0x62, 0xb7, 0xd5, 0x7a, 0x87, 0xea, 0xd3, 0x24, 0xa5, 0xef, 0xb3, 324 0xdc, 0x05, 0x9c, 0x04, 0x60, 0x4b, 0xde, 0xa8, 0x90, 0x08, 0x7b, 0x6a, 325 0x5f, 0xb4, 0x3f, 0xda, 0xc5, 0x1f, 0x6e, 0xd6, 0x15, 0xde, 0x65, 0xa4, 326 0x6e, 0x62, 0x9d, 0x8f, 0xa8, 0xbe, 0x86, 0xf6, 0x09, 0x90, 0x40, 0xa5, 327 0xf4, 0x23, 0xc5, 0xf6, 0x38, 0x86, 0x0d, 0x1c, 0xed, 0x4a, 0x0a, 0xae, 328 0xa4, 0x26, 0xc2, 0x2e, 0xd3, 0x13, 0x66, 0x61, 0xea, 0x35, 0x01, 0x0e, 329 0x13, 0xda, 0x78, 0x20, 0xae, 0x59, 0x5f, 0x9b, 0xa9, 0x6c, 0xf9, 0x1b, 330 0xdf, 0x76, 0x53, 0xc8, 0xa7, 0xf5, 0x63, 0x6d, 0xf3, 0xff, 0xfd, 0xaf, 331 0x75, 0x4b, 0xac, 0x67, 0xb1, 0x3c, 0xbf, 0x5e, 0xde, 0x73, 0x02, 0x6d, 332 0xd2, 0x0c, 0xb1, 333 #if !defined(BORINGSSL_FIPS_BREAK_RSA_SIG) 334 0x64 335 #else 336 0x00 337 #endif 338 }; 339 const uint8_t kDRBGEntropy[48] = 340 "BCM Known Answer Test DBRG Initial Entropy "; 341 const uint8_t kDRBGPersonalization[18] = "BCMPersonalization"; 342 const uint8_t kDRBGAD[16] = "BCM DRBG KAT AD "; 343 const uint8_t kDRBGOutput[64] = { 344 0x1d, 0x63, 0xdf, 0x05, 0x51, 0x49, 0x22, 0x46, 0xcd, 0x9b, 0xc5, 345 0xbb, 0xf1, 0x5d, 0x44, 0xae, 0x13, 0x78, 0xb1, 0xe4, 0x7c, 0xf1, 346 0x96, 0x33, 0x3d, 0x60, 0xb6, 0x29, 0xd4, 0xbb, 0x6b, 0x44, 0xf9, 347 0xef, 0xd9, 0xf4, 0xa2, 0xba, 0x48, 0xea, 0x39, 0x75, 0x59, 0x32, 348 0xf7, 0x31, 0x2c, 0x98, 0x14, 0x2b, 0x49, 0xdf, 0x02, 0xb6, 0x5d, 349 0x71, 0x09, 0x50, 0xdb, 0x23, 0xdb, 0xe5, 0x22, 350 #if !defined(BORINGSSL_FIPS_BREAK_DRBG) 351 0x95 352 #else 353 0x00 354 #endif 355 }; 356 const uint8_t kDRBGEntropy2[48] = 357 "BCM Known Answer Test DBRG Reseed Entropy "; 358 const uint8_t kDRBGReseedOutput[64] = { 359 0xa4, 0x77, 0x05, 0xdb, 0x14, 0x11, 0x76, 0x71, 0x42, 0x5b, 0xd8, 360 0xd7, 0xa5, 0x4f, 0x8b, 0x39, 0xf2, 0x10, 0x4a, 0x50, 0x5b, 0xa2, 361 0xc8, 0xf0, 0xbb, 0x3e, 0xa1, 0xa5, 0x90, 0x7d, 0x54, 0xd9, 0xc6, 362 0xb0, 0x96, 0xc0, 0x2b, 0x7e, 0x9b, 0xc9, 0xa1, 0xdd, 0x78, 0x2e, 363 0xd5, 0xa8, 0x66, 0x16, 0xbd, 0x18, 0x3c, 0xf2, 0xaa, 0x7a, 0x2b, 364 0x37, 0xf9, 0xab, 0x35, 0x64, 0x15, 0x01, 0x3f, 0xc4, 365 }; 366 const uint8_t kECDSASigR[32] = { 367 0x67, 0x80, 0xc5, 0xfc, 0x70, 0x27, 0x5e, 0x2c, 0x70, 0x61, 0xa0, 368 0xe7, 0x87, 0x7b, 0xb1, 0x74, 0xde, 0xad, 0xeb, 0x98, 0x87, 0x02, 369 0x7f, 0x3f, 0xa8, 0x36, 0x54, 0x15, 0x8b, 0xa7, 0xf5, 370 #if !defined(BORINGSSL_FIPS_BREAK_ECDSA_SIG) 371 0x0c, 372 #else 373 0x00, 374 #endif 375 }; 376 const uint8_t kECDSASigS[32] = { 377 0xa5, 0x93, 0xe0, 0x23, 0x91, 0xe7, 0x4b, 0x8d, 0x77, 0x25, 0xa6, 378 0xba, 0x4d, 0xd9, 0x86, 0x77, 0xda, 0x7d, 0x8f, 0xef, 0xc4, 0x1a, 379 0xf0, 0xcc, 0x81, 0xe5, 0xea, 0x3f, 0xc2, 0x41, 0x7f, 0xd8, 380 }; 381 382 EVP_AEAD_CTX aead_ctx; 383 EVP_AEAD_CTX_zero(&aead_ctx); 384 RSA *rsa_key = NULL; 385 EC_KEY *ec_key = NULL; 386 ECDSA_SIG *sig = NULL; 387 int ret = 0; 388 389 AES_KEY aes_key; 390 uint8_t aes_iv[16]; 391 uint8_t output[256]; 392 393 // AES-CBC Encryption KAT 394 memcpy(aes_iv, kAESIV, sizeof(kAESIV)); 395 if (AES_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) { 396 goto err; 397 } 398 AES_cbc_encrypt(kPlaintext, output, sizeof(kPlaintext), &aes_key, aes_iv, 399 AES_ENCRYPT); 400 if (!check_test(kAESCBCCiphertext, output, sizeof(kAESCBCCiphertext), 401 "AES-CBC Encryption KAT")) { 402 goto err; 403 } 404 405 // AES-CBC Decryption KAT 406 memcpy(aes_iv, kAESIV, sizeof(kAESIV)); 407 if (AES_set_decrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) { 408 goto err; 409 } 410 AES_cbc_encrypt(kAESCBCCiphertext, output, sizeof(kAESCBCCiphertext), 411 &aes_key, aes_iv, AES_DECRYPT); 412 if (!check_test(kPlaintext, output, sizeof(kPlaintext), 413 "AES-CBC Decryption KAT")) { 414 goto err; 415 } 416 417 size_t out_len; 418 uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH]; 419 OPENSSL_memset(nonce, 0, sizeof(nonce)); 420 if (!EVP_AEAD_CTX_init(&aead_ctx, EVP_aead_aes_128_gcm(), kAESKey, 421 sizeof(kAESKey), 0, NULL)) { 422 goto err; 423 } 424 425 // AES-GCM Encryption KAT 426 if (!EVP_AEAD_CTX_seal(&aead_ctx, output, &out_len, sizeof(output), nonce, 427 EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()), 428 kPlaintext, sizeof(kPlaintext), NULL, 0) || 429 !check_test(kAESGCMCiphertext, output, sizeof(kAESGCMCiphertext), 430 "AES-GCM Encryption KAT")) { 431 goto err; 432 } 433 434 // AES-GCM Decryption KAT 435 if (!EVP_AEAD_CTX_open(&aead_ctx, output, &out_len, sizeof(output), nonce, 436 EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()), 437 kAESGCMCiphertext, sizeof(kAESGCMCiphertext), NULL, 438 0) || 439 !check_test(kPlaintext, output, sizeof(kPlaintext), 440 "AES-GCM Decryption KAT")) { 441 goto err; 442 } 443 444 DES_key_schedule des1, des2, des3; 445 DES_cblock des_iv; 446 DES_set_key(&kDESKey1, &des1); 447 DES_set_key(&kDESKey2, &des2); 448 DES_set_key(&kDESKey3, &des3); 449 450 // 3DES Encryption KAT 451 memcpy(&des_iv, &kDESIV, sizeof(des_iv)); 452 DES_ede3_cbc_encrypt(kPlaintext, output, sizeof(kPlaintext), &des1, &des2, 453 &des3, &des_iv, DES_ENCRYPT); 454 if (!check_test(kDESCiphertext, output, sizeof(kDESCiphertext), 455 "3DES Encryption KAT")) { 456 goto err; 457 } 458 459 // 3DES Decryption KAT 460 memcpy(&des_iv, &kDESIV, sizeof(des_iv)); 461 DES_ede3_cbc_encrypt(kDESCiphertext, output, sizeof(kDESCiphertext), &des1, 462 &des2, &des3, &des_iv, DES_DECRYPT); 463 if (!check_test(kPlaintext, output, sizeof(kPlaintext), 464 "3DES Decryption KAT")) { 465 goto err; 466 } 467 468 // SHA-1 KAT 469 SHA1(kPlaintext, sizeof(kPlaintext), output); 470 if (!check_test(kPlaintextSHA1, output, sizeof(kPlaintextSHA1), 471 "SHA-1 KAT")) { 472 goto err; 473 } 474 475 // SHA-256 KAT 476 SHA256(kPlaintext, sizeof(kPlaintext), output); 477 if (!check_test(kPlaintextSHA256, output, sizeof(kPlaintextSHA256), 478 "SHA-256 KAT")) { 479 goto err; 480 } 481 482 // SHA-512 KAT 483 SHA512(kPlaintext, sizeof(kPlaintext), output); 484 if (!check_test(kPlaintextSHA512, output, sizeof(kPlaintextSHA512), 485 "SHA-512 KAT")) { 486 goto err; 487 } 488 489 rsa_key = self_test_rsa_key(); 490 if (rsa_key == NULL) { 491 printf("RSA KeyGen failed\n"); 492 goto err; 493 } 494 495 // RSA Sign KAT 496 unsigned sig_len; 497 498 // Disable blinding for the power-on tests because it's not needed and 499 // triggers an entropy draw. 500 rsa_key->flags |= RSA_FLAG_NO_BLINDING; 501 502 if (!RSA_sign(NID_sha256, kPlaintextSHA256, sizeof(kPlaintextSHA256), output, 503 &sig_len, rsa_key) || 504 !check_test(kRSASignature, output, sizeof(kRSASignature), 505 "RSA Sign KAT")) { 506 goto err; 507 } 508 509 // RSA Verify KAT 510 if (!RSA_verify(NID_sha256, kPlaintextSHA256, sizeof(kPlaintextSHA256), 511 kRSASignature, sizeof(kRSASignature), rsa_key)) { 512 printf("RSA Verify KAT failed.\n"); 513 goto err; 514 } 515 516 ec_key = self_test_ecdsa_key(); 517 if (ec_key == NULL) { 518 printf("ECDSA KeyGen failed\n"); 519 goto err; 520 } 521 522 // ECDSA Sign/Verify PWCT 523 524 // The 'k' value for ECDSA is fixed to avoid an entropy draw. 525 ec_key->fixed_k = BN_new(); 526 if (ec_key->fixed_k == NULL || 527 !BN_set_word(ec_key->fixed_k, 42)) { 528 printf("Out of memory\n"); 529 goto err; 530 } 531 532 sig = ECDSA_do_sign(kPlaintextSHA256, sizeof(kPlaintextSHA256), ec_key); 533 534 uint8_t ecdsa_r_bytes[sizeof(kECDSASigR)]; 535 uint8_t ecdsa_s_bytes[sizeof(kECDSASigS)]; 536 if (sig == NULL || 537 BN_num_bytes(sig->r) != sizeof(ecdsa_r_bytes) || 538 !BN_bn2bin(sig->r, ecdsa_r_bytes) || 539 BN_num_bytes(sig->s) != sizeof(ecdsa_s_bytes) || 540 !BN_bn2bin(sig->s, ecdsa_s_bytes) || 541 !check_test(kECDSASigR, ecdsa_r_bytes, sizeof(kECDSASigR), "ECDSA R") || 542 !check_test(kECDSASigS, ecdsa_s_bytes, sizeof(kECDSASigS), "ECDSA S")) { 543 printf("ECDSA KAT failed.\n"); 544 goto err; 545 } 546 547 // DBRG KAT 548 CTR_DRBG_STATE drbg; 549 if (!CTR_DRBG_init(&drbg, kDRBGEntropy, kDRBGPersonalization, 550 sizeof(kDRBGPersonalization)) || 551 !CTR_DRBG_generate(&drbg, output, sizeof(kDRBGOutput), kDRBGAD, 552 sizeof(kDRBGAD)) || 553 !check_test(kDRBGOutput, output, sizeof(kDRBGOutput), 554 "DBRG Generate KAT") || 555 !CTR_DRBG_reseed(&drbg, kDRBGEntropy2, kDRBGAD, sizeof(kDRBGAD)) || 556 !CTR_DRBG_generate(&drbg, output, sizeof(kDRBGReseedOutput), kDRBGAD, 557 sizeof(kDRBGAD)) || 558 !check_test(kDRBGReseedOutput, output, sizeof(kDRBGReseedOutput), 559 "DRBG Reseed KAT")) { 560 goto err; 561 } 562 CTR_DRBG_clear(&drbg); 563 564 CTR_DRBG_STATE kZeroDRBG; 565 memset(&kZeroDRBG, 0, sizeof(kZeroDRBG)); 566 if (!check_test(&kZeroDRBG, &drbg, sizeof(drbg), "DRBG Clear KAT")) { 567 goto err; 568 } 569 570 ret = 1; 571 572 err: 573 EVP_AEAD_CTX_cleanup(&aead_ctx); 574 RSA_free(rsa_key); 575 EC_KEY_free(ec_key); 576 ECDSA_SIG_free(sig); 577 578 return ret; 579 } 580 581 #endif // !_MSC_VER 582