self_test_kats.c 26 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885
  1. /*
  2. * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <string.h>
  10. #include <openssl/evp.h>
  11. #include <openssl/kdf.h>
  12. #include <openssl/core_names.h>
  13. #include <openssl/param_build.h>
  14. #include <openssl/rand.h>
  15. #include "crypto/rand.h"
  16. #include "internal/cryptlib.h"
  17. #include "internal/nelem.h"
  18. #include "self_test.h"
  19. #include "self_test_data.inc"
  20. static int set_kat_drbg(OSSL_LIB_CTX *ctx,
  21. const unsigned char *entropy, size_t entropy_len,
  22. const unsigned char *nonce, size_t nonce_len,
  23. const unsigned char *persstr, size_t persstr_len);
  24. static int reset_main_drbg(OSSL_LIB_CTX *ctx);
  25. static int self_test_digest(const ST_KAT_DIGEST *t, OSSL_SELF_TEST *st,
  26. OSSL_LIB_CTX *libctx)
  27. {
  28. int ok = 0;
  29. unsigned char out[EVP_MAX_MD_SIZE];
  30. unsigned int out_len = 0;
  31. EVP_MD_CTX *ctx = EVP_MD_CTX_new();
  32. EVP_MD *md = EVP_MD_fetch(libctx, t->algorithm, NULL);
  33. OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_DIGEST, t->desc);
  34. if (ctx == NULL
  35. || md == NULL
  36. || !EVP_DigestInit_ex(ctx, md, NULL)
  37. || !EVP_DigestUpdate(ctx, t->pt, t->pt_len)
  38. || !EVP_DigestFinal(ctx, out, &out_len))
  39. goto err;
  40. /* Optional corruption */
  41. OSSL_SELF_TEST_oncorrupt_byte(st, out);
  42. if (out_len != t->expected_len
  43. || memcmp(out, t->expected, out_len) != 0)
  44. goto err;
  45. ok = 1;
  46. err:
  47. EVP_MD_free(md);
  48. EVP_MD_CTX_free(ctx);
  49. OSSL_SELF_TEST_onend(st, ok);
  50. return ok;
  51. }
  52. /*
  53. * Helper function to setup a EVP_CipherInit
  54. * Used to hide the complexity of Authenticated ciphers.
  55. */
  56. static int cipher_init(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
  57. const ST_KAT_CIPHER *t, int enc)
  58. {
  59. unsigned char *in_tag = NULL;
  60. int pad = 0, tmp;
  61. /* Flag required for Key wrapping */
  62. EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
  63. if (t->tag == NULL) {
  64. /* Use a normal cipher init */
  65. return EVP_CipherInit_ex(ctx, cipher, NULL, t->key, t->iv, enc)
  66. && EVP_CIPHER_CTX_set_padding(ctx, pad);
  67. }
  68. /* The authenticated cipher init */
  69. if (!enc)
  70. in_tag = (unsigned char *)t->tag;
  71. return EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)
  72. && (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, t->iv_len, NULL) > 0)
  73. && (in_tag == NULL
  74. || EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, t->tag_len,
  75. in_tag) > 0)
  76. && EVP_CipherInit_ex(ctx, NULL, NULL, t->key, t->iv, enc)
  77. && EVP_CIPHER_CTX_set_padding(ctx, pad)
  78. && EVP_CipherUpdate(ctx, NULL, &tmp, t->aad, t->aad_len);
  79. }
  80. /* Test a single KAT for encrypt/decrypt */
  81. static int self_test_cipher(const ST_KAT_CIPHER *t, OSSL_SELF_TEST *st,
  82. OSSL_LIB_CTX *libctx)
  83. {
  84. int ret = 0, encrypt = 1, len = 0, ct_len = 0, pt_len = 0;
  85. EVP_CIPHER_CTX *ctx = NULL;
  86. EVP_CIPHER *cipher = NULL;
  87. unsigned char ct_buf[256] = { 0 };
  88. unsigned char pt_buf[256] = { 0 };
  89. OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_CIPHER, t->base.desc);
  90. ctx = EVP_CIPHER_CTX_new();
  91. if (ctx == NULL)
  92. goto err;
  93. cipher = EVP_CIPHER_fetch(libctx, t->base.algorithm, NULL);
  94. if (cipher == NULL)
  95. goto err;
  96. /* Encrypt plain text message */
  97. if ((t->mode & CIPHER_MODE_ENCRYPT) != 0) {
  98. if (!cipher_init(ctx, cipher, t, encrypt)
  99. || !EVP_CipherUpdate(ctx, ct_buf, &len, t->base.pt,
  100. t->base.pt_len)
  101. || !EVP_CipherFinal_ex(ctx, ct_buf + len, &ct_len))
  102. goto err;
  103. OSSL_SELF_TEST_oncorrupt_byte(st, ct_buf);
  104. ct_len += len;
  105. if (ct_len != (int)t->base.expected_len
  106. || memcmp(t->base.expected, ct_buf, ct_len) != 0)
  107. goto err;
  108. if (t->tag != NULL) {
  109. unsigned char tag[16] = { 0 };
  110. if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, t->tag_len,
  111. tag) <= 0
  112. || memcmp(tag, t->tag, t->tag_len) != 0)
  113. goto err;
  114. }
  115. }
  116. /* Decrypt cipher text */
  117. if ((t->mode & CIPHER_MODE_DECRYPT) != 0) {
  118. if (!(cipher_init(ctx, cipher, t, !encrypt)
  119. && EVP_CipherUpdate(ctx, pt_buf, &len,
  120. t->base.expected, t->base.expected_len)
  121. && EVP_CipherFinal_ex(ctx, pt_buf + len, &pt_len)))
  122. goto err;
  123. OSSL_SELF_TEST_oncorrupt_byte(st, pt_buf);
  124. pt_len += len;
  125. if (pt_len != (int)t->base.pt_len
  126. || memcmp(pt_buf, t->base.pt, pt_len) != 0)
  127. goto err;
  128. }
  129. ret = 1;
  130. err:
  131. EVP_CIPHER_free(cipher);
  132. EVP_CIPHER_CTX_free(ctx);
  133. OSSL_SELF_TEST_onend(st, ret);
  134. return ret;
  135. }
  136. static int add_params(OSSL_PARAM_BLD *bld, const ST_KAT_PARAM *params,
  137. BN_CTX *ctx)
  138. {
  139. int ret = 0;
  140. const ST_KAT_PARAM *p;
  141. if (params == NULL)
  142. return 1;
  143. for (p = params; p->data != NULL; ++p)
  144. {
  145. switch (p->type) {
  146. case OSSL_PARAM_UNSIGNED_INTEGER: {
  147. BIGNUM *bn = BN_CTX_get(ctx);
  148. if (bn == NULL
  149. || (BN_bin2bn(p->data, p->data_len, bn) == NULL)
  150. || !OSSL_PARAM_BLD_push_BN(bld, p->name, bn))
  151. goto err;
  152. break;
  153. }
  154. case OSSL_PARAM_UTF8_STRING: {
  155. if (!OSSL_PARAM_BLD_push_utf8_string(bld, p->name, p->data,
  156. p->data_len))
  157. goto err;
  158. break;
  159. }
  160. case OSSL_PARAM_OCTET_STRING: {
  161. if (!OSSL_PARAM_BLD_push_octet_string(bld, p->name, p->data,
  162. p->data_len))
  163. goto err;
  164. break;
  165. }
  166. case OSSL_PARAM_INTEGER: {
  167. if (!OSSL_PARAM_BLD_push_int(bld, p->name, *(int *)p->data))
  168. goto err;
  169. break;
  170. }
  171. default:
  172. break;
  173. }
  174. }
  175. ret = 1;
  176. err:
  177. return ret;
  178. }
  179. static int self_test_kdf(const ST_KAT_KDF *t, OSSL_SELF_TEST *st,
  180. OSSL_LIB_CTX *libctx)
  181. {
  182. int ret = 0;
  183. unsigned char out[128];
  184. EVP_KDF *kdf = NULL;
  185. EVP_KDF_CTX *ctx = NULL;
  186. BN_CTX *bnctx = NULL;
  187. OSSL_PARAM *params = NULL;
  188. OSSL_PARAM_BLD *bld = NULL;
  189. OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_KDF, t->desc);
  190. bld = OSSL_PARAM_BLD_new();
  191. if (bld == NULL)
  192. goto err;
  193. kdf = EVP_KDF_fetch(libctx, t->algorithm, "");
  194. if (kdf == NULL)
  195. goto err;
  196. ctx = EVP_KDF_CTX_new(kdf);
  197. if (ctx == NULL)
  198. goto err;
  199. bnctx = BN_CTX_new_ex(libctx);
  200. if (bnctx == NULL)
  201. goto err;
  202. if (!add_params(bld, t->params, bnctx))
  203. goto err;
  204. params = OSSL_PARAM_BLD_to_param(bld);
  205. if (params == NULL)
  206. goto err;
  207. if (t->expected_len > sizeof(out))
  208. goto err;
  209. if (EVP_KDF_derive(ctx, out, t->expected_len, params) <= 0)
  210. goto err;
  211. OSSL_SELF_TEST_oncorrupt_byte(st, out);
  212. if (memcmp(out, t->expected, t->expected_len) != 0)
  213. goto err;
  214. ret = 1;
  215. err:
  216. EVP_KDF_free(kdf);
  217. EVP_KDF_CTX_free(ctx);
  218. BN_CTX_free(bnctx);
  219. OSSL_PARAM_free(params);
  220. OSSL_PARAM_BLD_free(bld);
  221. OSSL_SELF_TEST_onend(st, ret);
  222. return ret;
  223. }
  224. static int self_test_drbg(const ST_KAT_DRBG *t, OSSL_SELF_TEST *st,
  225. OSSL_LIB_CTX *libctx)
  226. {
  227. int ret = 0;
  228. unsigned char out[256];
  229. EVP_RAND *rand;
  230. EVP_RAND_CTX *test = NULL, *drbg = NULL;
  231. unsigned int strength = 256;
  232. int prediction_resistance = 1; /* Causes a reseed */
  233. OSSL_PARAM drbg_params[3] = {
  234. OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END
  235. };
  236. OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_DRBG, t->desc);
  237. rand = EVP_RAND_fetch(libctx, "TEST-RAND", NULL);
  238. if (rand == NULL)
  239. goto err;
  240. test = EVP_RAND_CTX_new(rand, NULL);
  241. EVP_RAND_free(rand);
  242. if (test == NULL)
  243. goto err;
  244. drbg_params[0] = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH,
  245. &strength);
  246. if (!EVP_RAND_CTX_set_params(test, drbg_params))
  247. goto err;
  248. rand = EVP_RAND_fetch(libctx, t->algorithm, NULL);
  249. if (rand == NULL)
  250. goto err;
  251. drbg = EVP_RAND_CTX_new(rand, test);
  252. EVP_RAND_free(rand);
  253. if (drbg == NULL)
  254. goto err;
  255. strength = EVP_RAND_get_strength(drbg);
  256. drbg_params[0] = OSSL_PARAM_construct_utf8_string(t->param_name,
  257. t->param_value, 0);
  258. /* This is only used by HMAC-DRBG but it is ignored by the others */
  259. drbg_params[1] =
  260. OSSL_PARAM_construct_utf8_string(OSSL_DRBG_PARAM_MAC, "HMAC", 0);
  261. if (!EVP_RAND_CTX_set_params(drbg, drbg_params))
  262. goto err;
  263. drbg_params[0] =
  264. OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY,
  265. (void *)t->entropyin,
  266. t->entropyinlen);
  267. drbg_params[1] =
  268. OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_NONCE,
  269. (void *)t->nonce, t->noncelen);
  270. if (!EVP_RAND_instantiate(test, strength, 0, NULL, 0, drbg_params))
  271. goto err;
  272. if (!EVP_RAND_instantiate(drbg, strength, 0, t->persstr, t->persstrlen,
  273. NULL))
  274. goto err;
  275. drbg_params[0] =
  276. OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY,
  277. (void *)t->entropyinpr1,
  278. t->entropyinpr1len);
  279. if (!EVP_RAND_CTX_set_params(test, drbg_params))
  280. goto err;
  281. if (!EVP_RAND_generate(drbg, out, t->expectedlen, strength,
  282. prediction_resistance,
  283. t->entropyaddin1, t->entropyaddin1len))
  284. goto err;
  285. drbg_params[0] =
  286. OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY,
  287. (void *)t->entropyinpr2,
  288. t->entropyinpr2len);
  289. if (!EVP_RAND_CTX_set_params(test, drbg_params))
  290. goto err;
  291. /*
  292. * This calls ossl_prov_drbg_reseed() internally when
  293. * prediction_resistance = 1
  294. */
  295. if (!EVP_RAND_generate(drbg, out, t->expectedlen, strength,
  296. prediction_resistance,
  297. t->entropyaddin2, t->entropyaddin2len))
  298. goto err;
  299. OSSL_SELF_TEST_oncorrupt_byte(st, out);
  300. if (memcmp(out, t->expected, t->expectedlen) != 0)
  301. goto err;
  302. if (!EVP_RAND_uninstantiate(drbg))
  303. goto err;
  304. /*
  305. * Check that the DRBG data has been zeroized after
  306. * ossl_prov_drbg_uninstantiate.
  307. */
  308. if (!EVP_RAND_verify_zeroization(drbg))
  309. goto err;
  310. ret = 1;
  311. err:
  312. EVP_RAND_CTX_free(drbg);
  313. EVP_RAND_CTX_free(test);
  314. OSSL_SELF_TEST_onend(st, ret);
  315. return ret;
  316. }
  317. #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
  318. static int self_test_ka(const ST_KAT_KAS *t,
  319. OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
  320. {
  321. int ret = 0;
  322. EVP_PKEY_CTX *kactx = NULL, *dctx = NULL;
  323. EVP_PKEY *pkey = NULL, *peerkey = NULL;
  324. OSSL_PARAM *params = NULL;
  325. OSSL_PARAM *params_peer = NULL;
  326. unsigned char secret[256];
  327. size_t secret_len = sizeof(secret);
  328. OSSL_PARAM_BLD *bld = NULL;
  329. BN_CTX *bnctx = NULL;
  330. OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_KA, t->desc);
  331. bnctx = BN_CTX_new_ex(libctx);
  332. if (bnctx == NULL)
  333. goto err;
  334. bld = OSSL_PARAM_BLD_new();
  335. if (bld == NULL)
  336. goto err;
  337. if (!add_params(bld, t->key_group, bnctx)
  338. || !add_params(bld, t->key_host_data, bnctx))
  339. goto err;
  340. params = OSSL_PARAM_BLD_to_param(bld);
  341. if (!add_params(bld, t->key_group, bnctx)
  342. || !add_params(bld, t->key_peer_data, bnctx))
  343. goto err;
  344. params_peer = OSSL_PARAM_BLD_to_param(bld);
  345. if (params == NULL || params_peer == NULL)
  346. goto err;
  347. /* Create a EVP_PKEY_CTX to load the DH keys into */
  348. kactx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, "");
  349. if (kactx == NULL)
  350. goto err;
  351. if (EVP_PKEY_fromdata_init(kactx) <= 0
  352. || EVP_PKEY_fromdata(kactx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
  353. goto err;
  354. if (EVP_PKEY_fromdata_init(kactx) <= 0
  355. || EVP_PKEY_fromdata(kactx, &peerkey, EVP_PKEY_KEYPAIR, params_peer) <= 0)
  356. goto err;
  357. /* Create a EVP_PKEY_CTX to perform key derivation */
  358. dctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
  359. if (dctx == NULL)
  360. goto err;
  361. if (EVP_PKEY_derive_init(dctx) <= 0
  362. || EVP_PKEY_derive_set_peer(dctx, peerkey) <= 0
  363. || EVP_PKEY_derive(dctx, secret, &secret_len) <= 0)
  364. goto err;
  365. OSSL_SELF_TEST_oncorrupt_byte(st, secret);
  366. if (secret_len != t->expected_len
  367. || memcmp(secret, t->expected, t->expected_len) != 0)
  368. goto err;
  369. ret = 1;
  370. err:
  371. BN_CTX_free(bnctx);
  372. EVP_PKEY_free(pkey);
  373. EVP_PKEY_free(peerkey);
  374. EVP_PKEY_CTX_free(kactx);
  375. EVP_PKEY_CTX_free(dctx);
  376. OSSL_PARAM_free(params_peer);
  377. OSSL_PARAM_free(params);
  378. OSSL_PARAM_BLD_free(bld);
  379. OSSL_SELF_TEST_onend(st, ret);
  380. return ret;
  381. }
  382. #endif /* !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) */
  383. static int self_test_sign(const ST_KAT_SIGN *t,
  384. OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
  385. {
  386. int ret = 0;
  387. OSSL_PARAM *params = NULL, *params_sig = NULL;
  388. OSSL_PARAM_BLD *bld = NULL;
  389. EVP_PKEY_CTX *sctx = NULL, *kctx = NULL;
  390. EVP_PKEY *pkey = NULL;
  391. unsigned char sig[256];
  392. BN_CTX *bnctx = NULL;
  393. size_t siglen = sizeof(sig);
  394. static const unsigned char dgst[] = {
  395. 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
  396. 0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
  397. 0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
  398. };
  399. const char *typ = OSSL_SELF_TEST_TYPE_KAT_SIGNATURE;
  400. if (t->sig_expected == NULL)
  401. typ = OSSL_SELF_TEST_TYPE_PCT_SIGNATURE;
  402. OSSL_SELF_TEST_onbegin(st, typ, t->desc);
  403. bnctx = BN_CTX_new_ex(libctx);
  404. if (bnctx == NULL)
  405. goto err;
  406. bld = OSSL_PARAM_BLD_new();
  407. if (bld == NULL)
  408. goto err;
  409. if (!add_params(bld, t->key, bnctx))
  410. goto err;
  411. params = OSSL_PARAM_BLD_to_param(bld);
  412. /* Create a EVP_PKEY_CTX to load the DSA key into */
  413. kctx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, "");
  414. if (kctx == NULL || params == NULL)
  415. goto err;
  416. if (EVP_PKEY_fromdata_init(kctx) <= 0
  417. || EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
  418. goto err;
  419. /* Create a EVP_PKEY_CTX to use for the signing operation */
  420. sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
  421. if (sctx == NULL
  422. || EVP_PKEY_sign_init(sctx) <= 0)
  423. goto err;
  424. /* set signature parameters */
  425. if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST,
  426. t->mdalgorithm,
  427. strlen(t->mdalgorithm) + 1))
  428. goto err;
  429. params_sig = OSSL_PARAM_BLD_to_param(bld);
  430. if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
  431. goto err;
  432. if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0
  433. || EVP_PKEY_verify_init(sctx) <= 0
  434. || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
  435. goto err;
  436. if (t->sig_expected != NULL
  437. && (siglen != t->sig_expected_len
  438. || memcmp(sig, t->sig_expected, t->sig_expected_len) != 0))
  439. goto err;
  440. OSSL_SELF_TEST_oncorrupt_byte(st, sig);
  441. if (EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0)
  442. goto err;
  443. ret = 1;
  444. err:
  445. BN_CTX_free(bnctx);
  446. EVP_PKEY_free(pkey);
  447. EVP_PKEY_CTX_free(kctx);
  448. EVP_PKEY_CTX_free(sctx);
  449. OSSL_PARAM_free(params);
  450. OSSL_PARAM_free(params_sig);
  451. OSSL_PARAM_BLD_free(bld);
  452. OSSL_SELF_TEST_onend(st, ret);
  453. return ret;
  454. }
  455. /*
  456. * Test an encrypt or decrypt KAT..
  457. *
  458. * FIPS 140-2 IG D.9 states that separate KAT tests are needed for encrypt
  459. * and decrypt..
  460. */
  461. static int self_test_asym_cipher(const ST_KAT_ASYM_CIPHER *t, OSSL_SELF_TEST *st,
  462. OSSL_LIB_CTX *libctx)
  463. {
  464. int ret = 0;
  465. OSSL_PARAM *keyparams = NULL, *initparams = NULL;
  466. OSSL_PARAM_BLD *keybld = NULL, *initbld = NULL;
  467. EVP_PKEY_CTX *encctx = NULL, *keyctx = NULL;
  468. EVP_PKEY *key = NULL;
  469. BN_CTX *bnctx = NULL;
  470. unsigned char out[256];
  471. size_t outlen = sizeof(out);
  472. OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_ASYM_CIPHER, t->desc);
  473. bnctx = BN_CTX_new_ex(libctx);
  474. if (bnctx == NULL)
  475. goto err;
  476. /* Load a public or private key from data */
  477. keybld = OSSL_PARAM_BLD_new();
  478. if (keybld == NULL
  479. || !add_params(keybld, t->key, bnctx))
  480. goto err;
  481. keyparams = OSSL_PARAM_BLD_to_param(keybld);
  482. keyctx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, NULL);
  483. if (keyctx == NULL || keyparams == NULL)
  484. goto err;
  485. if (EVP_PKEY_fromdata_init(keyctx) <= 0
  486. || EVP_PKEY_fromdata(keyctx, &key, EVP_PKEY_KEYPAIR, keyparams) <= 0)
  487. goto err;
  488. /* Create a EVP_PKEY_CTX to use for the encrypt or decrypt operation */
  489. encctx = EVP_PKEY_CTX_new_from_pkey(libctx, key, NULL);
  490. if (encctx == NULL
  491. || (t->encrypt && EVP_PKEY_encrypt_init(encctx) <= 0)
  492. || (!t->encrypt && EVP_PKEY_decrypt_init(encctx) <= 0))
  493. goto err;
  494. /* Add any additional parameters such as padding */
  495. if (t->postinit != NULL) {
  496. initbld = OSSL_PARAM_BLD_new();
  497. if (initbld == NULL)
  498. goto err;
  499. if (!add_params(initbld, t->postinit, bnctx))
  500. goto err;
  501. initparams = OSSL_PARAM_BLD_to_param(initbld);
  502. if (initparams == NULL)
  503. goto err;
  504. if (EVP_PKEY_CTX_set_params(encctx, initparams) <= 0)
  505. goto err;
  506. }
  507. if (t->encrypt) {
  508. if (EVP_PKEY_encrypt(encctx, out, &outlen,
  509. t->in, t->in_len) <= 0)
  510. goto err;
  511. } else {
  512. if (EVP_PKEY_decrypt(encctx, out, &outlen,
  513. t->in, t->in_len) <= 0)
  514. goto err;
  515. }
  516. /* Check the KAT */
  517. OSSL_SELF_TEST_oncorrupt_byte(st, out);
  518. if (outlen != t->expected_len
  519. || memcmp(out, t->expected, t->expected_len) != 0)
  520. goto err;
  521. ret = 1;
  522. err:
  523. BN_CTX_free(bnctx);
  524. EVP_PKEY_free(key);
  525. EVP_PKEY_CTX_free(encctx);
  526. EVP_PKEY_CTX_free(keyctx);
  527. OSSL_PARAM_free(keyparams);
  528. OSSL_PARAM_BLD_free(keybld);
  529. OSSL_PARAM_free(initparams);
  530. OSSL_PARAM_BLD_free(initbld);
  531. OSSL_SELF_TEST_onend(st, ret);
  532. return ret;
  533. }
  534. /*
  535. * Test a data driven list of KAT's for digest algorithms.
  536. * All tests are run regardless of if they fail or not.
  537. * Return 0 if any test fails.
  538. */
  539. static int self_test_digests(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
  540. {
  541. int i, ret = 1;
  542. for (i = 0; i < (int)OSSL_NELEM(st_kat_digest_tests); ++i) {
  543. if (!self_test_digest(&st_kat_digest_tests[i], st, libctx))
  544. ret = 0;
  545. }
  546. return ret;
  547. }
  548. static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
  549. {
  550. int i, ret = 1;
  551. for (i = 0; i < (int)OSSL_NELEM(st_kat_cipher_tests); ++i) {
  552. if (!self_test_cipher(&st_kat_cipher_tests[i], st, libctx))
  553. ret = 0;
  554. }
  555. return ret;
  556. }
  557. static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
  558. {
  559. int i, ret = 1;
  560. for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_cipher_tests); ++i) {
  561. if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx))
  562. ret = 0;
  563. }
  564. return ret;
  565. }
  566. static int self_test_kdfs(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
  567. {
  568. int i, ret = 1;
  569. for (i = 0; i < (int)OSSL_NELEM(st_kat_kdf_tests); ++i) {
  570. if (!self_test_kdf(&st_kat_kdf_tests[i], st, libctx))
  571. ret = 0;
  572. }
  573. return ret;
  574. }
  575. static int self_test_drbgs(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
  576. {
  577. int i, ret = 1;
  578. for (i = 0; i < (int)OSSL_NELEM(st_kat_drbg_tests); ++i) {
  579. if (!self_test_drbg(&st_kat_drbg_tests[i], st, libctx))
  580. ret = 0;
  581. }
  582. return ret;
  583. }
  584. static int self_test_kas(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
  585. {
  586. int ret = 1;
  587. #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
  588. int i;
  589. for (i = 0; i < (int)OSSL_NELEM(st_kat_kas_tests); ++i) {
  590. if (!self_test_ka(&st_kat_kas_tests[i], st, libctx))
  591. ret = 0;
  592. }
  593. #endif
  594. return ret;
  595. }
  596. static int self_test_signatures(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
  597. {
  598. int i, ret = 1;
  599. const ST_KAT_SIGN *t;
  600. for (i = 0; ret && i < (int)OSSL_NELEM(st_kat_sign_tests); ++i) {
  601. t = st_kat_sign_tests + i;
  602. if (!set_kat_drbg(libctx, t->entropy, t->entropy_len,
  603. t->nonce, t->nonce_len, t->persstr, t->persstr_len))
  604. return 0;
  605. if (!self_test_sign(t, st, libctx))
  606. ret = 0;
  607. if (!reset_main_drbg(libctx))
  608. ret = 0;
  609. }
  610. return ret;
  611. }
  612. /*
  613. * Swap the library context DRBG for KAT testing
  614. *
  615. * In FIPS 140-3, the asymmetric POST must be a KAT, not a PCT. For DSA and ECDSA,
  616. * the sign operation includes the random value 'k'. For a KAT to work, we
  617. * have to have control of the DRBG to make sure it is in a "test" state, where
  618. * its output is truly deterministic.
  619. *
  620. */
  621. /*
  622. * Replacement "random" sources
  623. * main_rand is used for most tests and it's set to generate mode.
  624. * kat_rand is used for KATs where specific input is mandated.
  625. */
  626. static EVP_RAND_CTX *kat_rand = NULL;
  627. static EVP_RAND_CTX *main_rand = NULL;
  628. static int set_kat_drbg(OSSL_LIB_CTX *ctx,
  629. const unsigned char *entropy, size_t entropy_len,
  630. const unsigned char *nonce, size_t nonce_len,
  631. const unsigned char *persstr, size_t persstr_len) {
  632. EVP_RAND *rand;
  633. unsigned int strength = 256;
  634. EVP_RAND_CTX *parent_rand = NULL;
  635. OSSL_PARAM drbg_params[3] = {
  636. OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END
  637. };
  638. /* If not NULL, we didn't cleanup from last call: BAD */
  639. if (kat_rand != NULL)
  640. return 0;
  641. rand = EVP_RAND_fetch(ctx, "TEST-RAND", NULL);
  642. if (rand == NULL)
  643. return 0;
  644. parent_rand = EVP_RAND_CTX_new(rand, NULL);
  645. EVP_RAND_free(rand);
  646. if (parent_rand == NULL)
  647. goto err;
  648. drbg_params[0] = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH,
  649. &strength);
  650. if (!EVP_RAND_CTX_set_params(parent_rand, drbg_params))
  651. goto err;
  652. rand = EVP_RAND_fetch(ctx, "HASH-DRBG", NULL);
  653. if (rand == NULL)
  654. goto err;
  655. kat_rand = EVP_RAND_CTX_new(rand, parent_rand);
  656. EVP_RAND_free(rand);
  657. if (kat_rand == NULL)
  658. goto err;
  659. drbg_params[0] = OSSL_PARAM_construct_utf8_string("digest", "SHA256", 0);
  660. if (!EVP_RAND_CTX_set_params(kat_rand, drbg_params))
  661. goto err;
  662. /* Instantiate the RNGs */
  663. drbg_params[0] =
  664. OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY,
  665. (void *)entropy, entropy_len);
  666. drbg_params[1] =
  667. OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_NONCE,
  668. (void *)nonce, nonce_len);
  669. if (!EVP_RAND_instantiate(parent_rand, strength, 0, NULL, 0, drbg_params))
  670. goto err;
  671. EVP_RAND_CTX_free(parent_rand);
  672. parent_rand = NULL;
  673. if (!EVP_RAND_instantiate(kat_rand, strength, 0, persstr, persstr_len, NULL))
  674. goto err;
  675. /* When we set the new private generator this one is freed, so upref it */
  676. if (!EVP_RAND_CTX_up_ref(main_rand))
  677. goto err;
  678. /* Update the library context DRBG */
  679. if (RAND_set0_private(ctx, kat_rand) > 0) {
  680. /* Keeping a copy to verify zeroization */
  681. if (EVP_RAND_CTX_up_ref(kat_rand))
  682. return 1;
  683. RAND_set0_private(ctx, main_rand);
  684. }
  685. err:
  686. EVP_RAND_CTX_free(parent_rand);
  687. EVP_RAND_CTX_free(kat_rand);
  688. kat_rand = NULL;
  689. return 0;
  690. }
  691. static int reset_main_drbg(OSSL_LIB_CTX *ctx) {
  692. int ret = 1;
  693. if (!RAND_set0_private(ctx, main_rand))
  694. ret = 0;
  695. if (kat_rand != NULL) {
  696. if (!EVP_RAND_uninstantiate(kat_rand)
  697. || !EVP_RAND_verify_zeroization(kat_rand))
  698. ret = 0;
  699. EVP_RAND_CTX_free(kat_rand);
  700. kat_rand = NULL;
  701. }
  702. return ret;
  703. }
  704. static int setup_main_random(OSSL_LIB_CTX *libctx)
  705. {
  706. OSSL_PARAM drbg_params[3] = {
  707. OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END
  708. };
  709. unsigned int strength = 256, generate = 1;
  710. EVP_RAND *rand;
  711. rand = EVP_RAND_fetch(libctx, "TEST-RAND", NULL);
  712. if (rand == NULL)
  713. return 0;
  714. main_rand = EVP_RAND_CTX_new(rand, NULL);
  715. EVP_RAND_free(rand);
  716. if (main_rand == NULL)
  717. goto err;
  718. drbg_params[0] = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_GENERATE,
  719. &generate);
  720. drbg_params[1] = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH,
  721. &strength);
  722. if (!EVP_RAND_instantiate(main_rand, strength, 0, NULL, 0, drbg_params))
  723. goto err;
  724. return 1;
  725. err:
  726. EVP_RAND_CTX_free(main_rand);
  727. return 0;
  728. }
  729. /*
  730. * Run the algorithm KAT's.
  731. * Return 1 is successful, otherwise return 0.
  732. * This runs all the tests regardless of if any fail.
  733. */
  734. int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
  735. {
  736. EVP_RAND_CTX *saved_rand = ossl_rand_get0_private_noncreating(libctx);
  737. int ret = 1;
  738. if (!setup_main_random(libctx)
  739. || !RAND_set0_private(libctx, main_rand)) {
  740. EVP_RAND_CTX_free(main_rand);
  741. return 0;
  742. }
  743. if (!self_test_digests(st, libctx))
  744. ret = 0;
  745. if (!self_test_ciphers(st, libctx))
  746. ret = 0;
  747. if (!self_test_signatures(st, libctx))
  748. ret = 0;
  749. if (!self_test_kdfs(st, libctx))
  750. ret = 0;
  751. if (!self_test_drbgs(st, libctx))
  752. ret = 0;
  753. if (!self_test_kas(st, libctx))
  754. ret = 0;
  755. if (!self_test_asym_ciphers(st, libctx))
  756. ret = 0;
  757. RAND_set0_private(libctx, saved_rand);
  758. return ret;
  759. }