1 /* Copyright (c) 2017, Google Inc.
2  *
3  * Permission to use, copy, modify, and/or distribute this software for any
4  * purpose with or without fee is hereby granted, provided that the above
5  * copyright notice and this permission notice appear in all copies.
6  *
7  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14 
15 #include <openssl/crypto.h>
16 
17 #include <stdio.h>
18 
19 #include <openssl/aead.h>
20 #include <openssl/aes.h>
21 #include <openssl/bn.h>
22 #include <openssl/des.h>
23 #include <openssl/ecdsa.h>
24 #include <openssl/ec_key.h>
25 #include <openssl/nid.h>
26 #include <openssl/rsa.h>
27 #include <openssl/sha.h>
28 
29 #include "../../internal.h"
30 #include "../ec/internal.h"
31 #include "../rand/internal.h"
32 
33 
34 // MSVC wants to put a NUL byte at the end of non-char arrays and so cannot
35 // compile this.
36 #if !defined(_MSC_VER)
37 
hexdump(const uint8_t * in,size_t len)38 static void hexdump(const uint8_t *in, size_t len) {
39   for (size_t i = 0; i < len; i++) {
40     fprintf(stderr, "%02x", in[i]);
41   }
42 }
43 
check_test(const void * expected,const void * actual,size_t expected_len,const char * name)44 static int check_test(const void *expected, const void *actual,
45                       size_t expected_len, const char *name) {
46   if (OPENSSL_memcmp(actual, expected, expected_len) != 0) {
47     fprintf(stderr, "%s failed.\nExpected: ", name);
48     hexdump(expected, expected_len);
49     fprintf(stderr, "\nCalculated: ");
50     hexdump(actual, expected_len);
51     fprintf(stderr, "\n");
52     fflush(stderr);
53     return 0;
54   }
55   return 1;
56 }
57 
set_bignum(BIGNUM ** out,const uint8_t * in,size_t len)58 static int set_bignum(BIGNUM **out, const uint8_t *in, size_t len) {
59   *out = BN_bin2bn(in, len, NULL);
60   return *out != NULL;
61 }
62 
self_test_rsa_key(void)63 static RSA *self_test_rsa_key(void) {
64   static const uint8_t kN[] = {
65       0xd3, 0x3a, 0x62, 0x9f, 0x07, 0x77, 0xb0, 0x18, 0xf3, 0xff, 0xfe, 0xcc,
66       0xc9, 0xa2, 0xc2, 0x3a, 0xa6, 0x1d, 0xd8, 0xf0, 0x26, 0x5b, 0x38, 0x90,
67       0x17, 0x48, 0x15, 0xce, 0x21, 0xcd, 0xd6, 0x62, 0x99, 0xe2, 0xd7, 0xda,
68       0x40, 0x80, 0x3c, 0xad, 0x18, 0xb7, 0x26, 0xe9, 0x30, 0x8a, 0x23, 0x3f,
69       0x68, 0x9a, 0x9c, 0x31, 0x34, 0x91, 0x99, 0x06, 0x11, 0x36, 0xb2, 0x9e,
70       0x3a, 0xd0, 0xbc, 0xb9, 0x93, 0x4e, 0xb8, 0x72, 0xa1, 0x9f, 0xb6, 0x8c,
71       0xd5, 0x17, 0x1f, 0x7e, 0xaa, 0x75, 0xbb, 0xdf, 0xa1, 0x70, 0x48, 0xc4,
72       0xec, 0x9a, 0x51, 0xed, 0x41, 0xc9, 0x74, 0xc0, 0x3e, 0x1e, 0x85, 0x2f,
73       0xbe, 0x34, 0xc7, 0x65, 0x34, 0x8b, 0x4d, 0x55, 0x4b, 0xe1, 0x45, 0x54,
74       0x0d, 0x75, 0x7e, 0x89, 0x4d, 0x0c, 0xf6, 0x33, 0xe5, 0xfc, 0xfb, 0x56,
75       0x1b, 0xf2, 0x39, 0x9d, 0xe0, 0xff, 0x55, 0xcf, 0x02, 0x05, 0xb9, 0x74,
76       0xd2, 0x91, 0xfc, 0x87, 0xe1, 0xbb, 0x97, 0x2a, 0xe4, 0xdd, 0x20, 0xc0,
77       0x38, 0x47, 0xc0, 0x76, 0x3f, 0xa1, 0x9b, 0x5c, 0x20, 0xff, 0xff, 0xc7,
78       0x49, 0x3b, 0x4c, 0xaf, 0x99, 0xa6, 0x3e, 0x82, 0x5c, 0x58, 0x27, 0xce,
79       0x01, 0x03, 0xc3, 0x16, 0x35, 0x20, 0xe9, 0xf0, 0x15, 0x7a, 0x41, 0xd5,
80       0x1f, 0x52, 0xea, 0xdf, 0xad, 0x4c, 0xbb, 0x0d, 0xcb, 0x04, 0x91, 0xb0,
81       0x95, 0xa8, 0xce, 0x25, 0xfd, 0xd2, 0x62, 0x47, 0x77, 0xee, 0x13, 0xf1,
82       0x48, 0x72, 0x9e, 0xd9, 0x2d, 0xe6, 0x5f, 0xa4, 0xc6, 0x9e, 0x5a, 0xb2,
83       0xc6, 0xa2, 0xf7, 0x0a, 0x16, 0x17, 0xae, 0x6b, 0x1c, 0x30, 0x7c, 0x63,
84       0x08, 0x83, 0xe7, 0x43, 0xec, 0x54, 0x5e, 0x2c, 0x08, 0x0b, 0x5e, 0x46,
85       0xa7, 0x10, 0x93, 0x43, 0x53, 0x4e, 0xe3, 0x16, 0x73, 0x55, 0xce, 0xf2,
86       0x94, 0xc0, 0xbe, 0xb3,
87   };
88   static const uint8_t kE[] = {0x01, 0x00, 0x01};  // 65537
89   static const uint8_t kD[] = {
90       0x2f, 0x2c, 0x1e, 0xd2, 0x3d, 0x2c, 0xb1, 0x9b, 0x21, 0x02, 0xce, 0xb8,
91       0x95, 0x5f, 0x4f, 0xd9, 0x21, 0x38, 0x11, 0x36, 0xb0, 0x9a, 0x36, 0xab,
92       0x97, 0x47, 0x75, 0xf7, 0x2e, 0xfd, 0x75, 0x1f, 0x58, 0x16, 0x9c, 0xf6,
93       0x14, 0xe9, 0x8e, 0xa3, 0x69, 0x9d, 0x9d, 0x86, 0xfe, 0x5c, 0x1b, 0x3b,
94       0x11, 0xf5, 0x55, 0x64, 0x77, 0xc4, 0xfc, 0x53, 0xaa, 0x8c, 0x78, 0x9f,
95       0x75, 0xab, 0x20, 0x3a, 0xa1, 0x77, 0x37, 0x22, 0x02, 0x8e, 0x54, 0x8a,
96       0x67, 0x1c, 0x5e, 0xe0, 0x3e, 0xd9, 0x44, 0x37, 0xd1, 0x29, 0xee, 0x56,
97       0x6c, 0x30, 0x9a, 0x93, 0x4d, 0xd9, 0xdb, 0xc5, 0x03, 0x1a, 0x75, 0xcc,
98       0x0f, 0xc2, 0x61, 0xb5, 0x6c, 0x62, 0x9f, 0xc6, 0xa8, 0xc7, 0x8a, 0x60,
99       0x17, 0x11, 0x62, 0x4c, 0xef, 0x74, 0x31, 0x97, 0xad, 0x89, 0x2d, 0xe8,
100       0x31, 0x1d, 0x8b, 0x58, 0x82, 0xe3, 0x03, 0x1a, 0x6b, 0xdf, 0x3f, 0x3e,
101       0xa4, 0x27, 0x19, 0xef, 0x46, 0x7a, 0x90, 0xdf, 0xa7, 0xe7, 0xc9, 0x66,
102       0xab, 0x41, 0x1d, 0x65, 0x78, 0x1c, 0x18, 0x40, 0x5c, 0xd6, 0x87, 0xb5,
103       0xea, 0x29, 0x44, 0xb3, 0xf5, 0xb3, 0xd2, 0x4f, 0xce, 0x88, 0x78, 0x49,
104       0x27, 0x4e, 0x0b, 0x30, 0x85, 0xfb, 0x73, 0xfd, 0x8b, 0x32, 0x15, 0xee,
105       0x1f, 0xc9, 0x0e, 0x89, 0xb9, 0x43, 0x2f, 0xe9, 0x60, 0x8d, 0xda, 0xae,
106       0x2b, 0x30, 0x99, 0xee, 0x88, 0x81, 0x20, 0x7b, 0x4a, 0xc3, 0x18, 0xf2,
107       0x94, 0x02, 0x79, 0x94, 0xaa, 0x65, 0xd9, 0x1b, 0x45, 0x2a, 0xac, 0x6e,
108       0x30, 0x48, 0x57, 0xea, 0xbe, 0x79, 0x7d, 0xfc, 0x67, 0xaa, 0x47, 0xc0,
109       0xf7, 0x52, 0xfd, 0x0b, 0x63, 0x4e, 0x3d, 0x2e, 0xcc, 0x36, 0xa0, 0xdb,
110       0x92, 0x0b, 0xa9, 0x1b, 0xeb, 0xc2, 0xd5, 0x08, 0xd3, 0x85, 0x87, 0xf8,
111       0x5d, 0x1a, 0xf6, 0xc1,
112   };
113   static const uint8_t kP[] = {
114       0xf7, 0x06, 0xa3, 0x98, 0x8a, 0x52, 0xf8, 0x63, 0x68, 0x27, 0x4f, 0x68,
115       0x7f, 0x34, 0xec, 0x8e, 0x5d, 0xf8, 0x30, 0x92, 0xb3, 0x62, 0x4c, 0xeb,
116       0xdb, 0x19, 0x6b, 0x09, 0xc5, 0xa3, 0xf0, 0xbb, 0xff, 0x0f, 0xc2, 0xd4,
117       0x9b, 0xc9, 0x54, 0x4f, 0xb9, 0xf9, 0xe1, 0x4c, 0xf0, 0xe3, 0x4c, 0x90,
118       0xda, 0x7a, 0x01, 0xc2, 0x9f, 0xc4, 0xc8, 0x8e, 0xb1, 0x1e, 0x93, 0x75,
119       0x75, 0xc6, 0x13, 0x25, 0xc3, 0xee, 0x3b, 0xcc, 0xb8, 0x72, 0x6c, 0x49,
120       0xb0, 0x09, 0xfb, 0xab, 0x44, 0xeb, 0x4d, 0x40, 0xf0, 0x61, 0x6b, 0xe5,
121       0xe6, 0xfe, 0x3e, 0x0a, 0x77, 0x26, 0x39, 0x76, 0x3d, 0x4c, 0x3e, 0x9b,
122       0x5b, 0xc0, 0xaf, 0xa2, 0x58, 0x76, 0xb0, 0xe9, 0xda, 0x7f, 0x0e, 0x78,
123       0xc9, 0x76, 0x49, 0x5c, 0xfa, 0xb3, 0xb0, 0x15, 0x4b, 0x41, 0xc7, 0x27,
124       0xa4, 0x75, 0x28, 0x5c, 0x30, 0x69, 0x50, 0x29,
125   };
126   static const uint8_t kQ[] = {
127       0xda, 0xe6, 0xd2, 0xbb, 0x44, 0xff, 0x4f, 0xdf, 0x57, 0xc1, 0x11, 0xa3,
128       0x51, 0xba, 0x17, 0x89, 0x4c, 0x01, 0xc0, 0x0c, 0x97, 0x34, 0x50, 0xcf,
129       0x32, 0x1e, 0xc0, 0xbd, 0x7b, 0x35, 0xb5, 0x6a, 0x26, 0xcc, 0xea, 0x4c,
130       0x8e, 0x87, 0x4a, 0x67, 0x8b, 0xd3, 0xe5, 0x4f, 0x3a, 0x60, 0x48, 0x59,
131       0x04, 0x93, 0x39, 0xd7, 0x7c, 0xfb, 0x19, 0x1a, 0x34, 0xd5, 0xe8, 0xaf,
132       0xe7, 0x22, 0x2c, 0x0d, 0xc2, 0x91, 0x69, 0xb6, 0xe9, 0x2a, 0xe9, 0x1c,
133       0x4c, 0x6e, 0x8f, 0x40, 0xf5, 0xa8, 0x3e, 0x82, 0x69, 0x69, 0xbe, 0x9f,
134       0x7d, 0x5c, 0x7f, 0x92, 0x78, 0x17, 0xa3, 0x6d, 0x41, 0x2d, 0x72, 0xed,
135       0x3f, 0x71, 0xfa, 0x97, 0xb4, 0x63, 0xe4, 0x4f, 0xd9, 0x46, 0x03, 0xfb,
136       0x00, 0xeb, 0x30, 0x70, 0xb9, 0x51, 0xd9, 0x0a, 0xd2, 0xf8, 0x50, 0xd4,
137       0xfb, 0x43, 0x84, 0xf8, 0xac, 0x58, 0xc3, 0x7b,
138   };
139   static const uint8_t kDModPMinusOne[] = {
140       0xf5, 0x50, 0x8f, 0x88, 0x7d, 0xdd, 0xb5, 0xb4, 0x2a, 0x8b, 0xd7, 0x4d,
141       0x23, 0xfe, 0xaf, 0xe9, 0x16, 0x22, 0xd2, 0x41, 0xed, 0x88, 0xf2, 0x70,
142       0xcb, 0x4d, 0xeb, 0xc1, 0x71, 0x97, 0xc4, 0x0b, 0x3e, 0x5a, 0x2d, 0x96,
143       0xab, 0xfa, 0xfd, 0x12, 0x8b, 0xd3, 0x3e, 0x4e, 0x05, 0x6f, 0x04, 0xeb,
144       0x59, 0x3c, 0x0e, 0xa1, 0x73, 0xbe, 0x9d, 0x99, 0x2f, 0x05, 0xf9, 0x54,
145       0x8d, 0x98, 0x1e, 0x0d, 0xc4, 0x0c, 0xc3, 0x30, 0x23, 0xff, 0xe5, 0xd0,
146       0x2b, 0xd5, 0x4e, 0x2b, 0xa0, 0xae, 0xb8, 0x32, 0x84, 0x45, 0x8b, 0x3c,
147       0x6d, 0xf0, 0x10, 0x36, 0x9e, 0x6a, 0xc4, 0x67, 0xca, 0xa9, 0xfc, 0x06,
148       0x96, 0xd0, 0xbc, 0xda, 0xd1, 0x55, 0x55, 0x8d, 0x77, 0x21, 0xf4, 0x82,
149       0x39, 0x37, 0x91, 0xd5, 0x97, 0x56, 0x78, 0xc8, 0x3c, 0xcb, 0x5e, 0xf6,
150       0xdc, 0x58, 0x48, 0xb3, 0x7c, 0x94, 0x29, 0x39,
151   };
152   static const uint8_t kDModQMinusOne[] = {
153       0x64, 0x65, 0xbd, 0x7d, 0x1a, 0x96, 0x26, 0xa1, 0xfe, 0xf3, 0x94, 0x0d,
154       0x5d, 0xec, 0x85, 0xe2, 0xf8, 0xb3, 0x4c, 0xcb, 0xf9, 0x85, 0x8b, 0x12,
155       0x9c, 0xa0, 0x32, 0x32, 0x35, 0x92, 0x5a, 0x94, 0x47, 0x1b, 0x70, 0xd2,
156       0x90, 0x04, 0x49, 0x01, 0xd8, 0xc5, 0xe4, 0xc4, 0x43, 0xb7, 0xe9, 0x36,
157       0xba, 0xbc, 0x73, 0xa8, 0xfb, 0xaf, 0x86, 0xc1, 0xd8, 0x3d, 0xcb, 0xac,
158       0xf1, 0xcb, 0x60, 0x7d, 0x27, 0x21, 0xde, 0x64, 0x7f, 0xe8, 0xa8, 0x65,
159       0xcc, 0x40, 0x60, 0xff, 0xa0, 0x2b, 0xfc, 0x0f, 0x80, 0x1d, 0x79, 0xca,
160       0x58, 0x8a, 0xd6, 0x0f, 0xed, 0x78, 0x9a, 0x02, 0x00, 0x04, 0xc2, 0x53,
161       0x41, 0xe8, 0x1a, 0xd0, 0xfd, 0x71, 0x5b, 0x43, 0xac, 0x19, 0x4a, 0xb6,
162       0x12, 0xa3, 0xcb, 0xe1, 0xc7, 0x7d, 0x5c, 0x98, 0x74, 0x4e, 0x63, 0x74,
163       0x6b, 0x91, 0x7a, 0x29, 0x3b, 0x92, 0xb2, 0x85,
164   };
165   static const uint8_t kQInverseModP[] = {
166       0xd0, 0xde, 0x19, 0xda, 0x1e, 0xa2, 0xd8, 0x8f, 0x1c, 0x92, 0x73, 0xb0,
167       0xc9, 0x90, 0xc7, 0xf5, 0xec, 0xc5, 0x89, 0x01, 0x05, 0x78, 0x11, 0x2d,
168       0x74, 0x34, 0x44, 0xad, 0xd5, 0xf7, 0xa4, 0xfe, 0x9f, 0x25, 0x4d, 0x0b,
169       0x92, 0xe3, 0xb8, 0x7d, 0xd3, 0xfd, 0xa5, 0xca, 0x95, 0x60, 0xa3, 0xf9,
170       0x55, 0x42, 0x14, 0xb2, 0x45, 0x51, 0x9f, 0x73, 0x88, 0x43, 0x8a, 0xd1,
171       0x65, 0x9e, 0xd1, 0xf7, 0x82, 0x2a, 0x2a, 0x8d, 0x70, 0x56, 0xe3, 0xef,
172       0xc9, 0x0e, 0x2a, 0x2c, 0x15, 0xaf, 0x7f, 0x97, 0x81, 0x66, 0xf3, 0xb5,
173       0x00, 0xa9, 0x26, 0xcc, 0x1e, 0xc2, 0x98, 0xdd, 0xd3, 0x37, 0x06, 0x79,
174       0xb3, 0x60, 0x58, 0x79, 0x99, 0x3f, 0xa3, 0x15, 0x1f, 0x31, 0xe3, 0x11,
175       0x88, 0x4c, 0x35, 0x57, 0xfa, 0x79, 0xd7, 0xd8, 0x72, 0xee, 0x73, 0x95,
176       0x89, 0x29, 0xc7, 0x05, 0x27, 0x68, 0x90, 0x15,
177   };
178 
179   RSA *rsa = RSA_new();
180   if (rsa == NULL ||
181       !set_bignum(&rsa->n, kN, sizeof(kN)) ||
182       !set_bignum(&rsa->e, kE, sizeof(kE)) ||
183       !set_bignum(&rsa->d, kD, sizeof(kD)) ||
184       !set_bignum(&rsa->p, kP, sizeof(kP)) ||
185       !set_bignum(&rsa->q, kQ, sizeof(kQ)) ||
186       !set_bignum(&rsa->dmp1, kDModPMinusOne, sizeof(kDModPMinusOne)) ||
187       !set_bignum(&rsa->dmq1, kDModQMinusOne, sizeof(kDModQMinusOne)) ||
188       !set_bignum(&rsa->iqmp, kQInverseModP, sizeof(kQInverseModP))) {
189     RSA_free(rsa);
190     return NULL;
191   }
192 
193   return rsa;
194 }
195 
self_test_ecdsa_key(void)196 static EC_KEY *self_test_ecdsa_key(void) {
197   static const uint8_t kQx[] = {
198       0xc8, 0x15, 0x61, 0xec, 0xf2, 0xe5, 0x4e, 0xde, 0xfe, 0x66, 0x17,
199       0xdb, 0x1c, 0x7a, 0x34, 0xa7, 0x07, 0x44, 0xdd, 0xb2, 0x61, 0xf2,
200       0x69, 0xb8, 0x3d, 0xac, 0xfc, 0xd2, 0xad, 0xe5, 0xa6, 0x81,
201   };
202   static const uint8_t kQy[] = {
203       0xe0, 0xe2, 0xaf, 0xa3, 0xf9, 0xb6, 0xab, 0xe4, 0xc6, 0x98, 0xef,
204       0x64, 0x95, 0xf1, 0xbe, 0x49, 0xa3, 0x19, 0x6c, 0x50, 0x56, 0xac,
205       0xb3, 0x76, 0x3f, 0xe4, 0x50, 0x7e, 0xec, 0x59, 0x6e, 0x88,
206   };
207   static const uint8_t kD[] = {
208       0xc6, 0xc1, 0xaa, 0xda, 0x15, 0xb0, 0x76, 0x61, 0xf8, 0x14, 0x2c,
209       0x6c, 0xaf, 0x0f, 0xdb, 0x24, 0x1a, 0xff, 0x2e, 0xfe, 0x46, 0xc0,
210       0x93, 0x8b, 0x74, 0xf2, 0xbc, 0xc5, 0x30, 0x52, 0xb0, 0x77,
211   };
212 
213   EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
214   BIGNUM *qx = BN_bin2bn(kQx, sizeof(kQx), NULL);
215   BIGNUM *qy = BN_bin2bn(kQy, sizeof(kQy), NULL);
216   BIGNUM *d = BN_bin2bn(kD, sizeof(kD), NULL);
217   if (ec_key == NULL || qx == NULL || qy == NULL || d == NULL ||
218       !EC_KEY_set_public_key_affine_coordinates(ec_key, qx, qy) ||
219       !EC_KEY_set_private_key(ec_key, d)) {
220     EC_KEY_free(ec_key);
221     ec_key = NULL;
222   }
223 
224   BN_free(qx);
225   BN_free(qy);
226   BN_free(d);
227   return ec_key;
228 }
229 
BORINGSSL_self_test(void)230 int BORINGSSL_self_test(void) {
231   static const uint8_t kAESKey[16] = "BoringCrypto Key";
232   static const uint8_t kAESIV[16] = {0};
233   static const uint8_t kPlaintext[64] =
234       "BoringCryptoModule FIPS KAT Encryption and Decryption Plaintext!";
235   static const uint8_t kAESCBCCiphertext[64] = {
236       0x87, 0x2d, 0x98, 0xc2, 0xcc, 0x31, 0x5b, 0x41, 0xe0, 0xfa, 0x7b,
237       0x0a, 0x71, 0xc0, 0x42, 0xbf, 0x4f, 0x61, 0xd0, 0x0d, 0x58, 0x8c,
238       0xf7, 0x05, 0xfb, 0x94, 0x89, 0xd3, 0xbc, 0xaa, 0x1a, 0x50, 0x45,
239       0x1f, 0xc3, 0x8c, 0xb8, 0x98, 0x86, 0xa3, 0xe3, 0x6c, 0xfc, 0xad,
240       0x3a, 0xb5, 0x59, 0x27, 0x7d, 0x21, 0x07, 0xca, 0x4c, 0x1d, 0x55,
241       0x34, 0xdd, 0x5a, 0x2d, 0xc4, 0xb4, 0xf5, 0xa8,
242 #if !defined(BORINGSSL_FIPS_BREAK_AES_CBC)
243       0x35
244 #else
245       0x00
246 #endif
247   };
248   static const uint8_t kAESGCMCiphertext[80] = {
249       0x4a, 0xd8, 0xe7, 0x7d, 0x78, 0xd7, 0x7d, 0x5e, 0xb2, 0x11, 0xb6, 0xc9,
250       0xa4, 0xbc, 0xb2, 0xae, 0xbe, 0x93, 0xd1, 0xb7, 0xfe, 0x65, 0xc1, 0x82,
251       0x2a, 0xb6, 0x71, 0x5f, 0x1a, 0x7c, 0xe0, 0x1b, 0x2b, 0xe2, 0x53, 0xfa,
252       0xa0, 0x47, 0xfa, 0xd7, 0x8f, 0xb1, 0x4a, 0xc4, 0xdc, 0x89, 0xf9, 0xb4,
253       0x14, 0x4d, 0xde, 0x95, 0xea, 0x29, 0x69, 0x76, 0x81, 0xa3, 0x5c, 0x33,
254       0xd8, 0x37, 0xd8, 0xfa, 0x47, 0x19, 0x46, 0x2f, 0xf1, 0x90, 0xb7, 0x61,
255       0x8f, 0x6f, 0xdd, 0x31, 0x3f, 0x6a, 0x64,
256 #if !defined(BORINGSSL_FIPS_BREAK_AES_GCM)
257       0x0d
258 #else
259       0x00
260 #endif
261   };
262   static const DES_cblock kDESKey1 = {"BCMDESK1"};
263   static const DES_cblock kDESKey2 = {"BCMDESK2"};
264   static const DES_cblock kDESKey3 = {"BCMDESK3"};
265   static const DES_cblock kDESIV = {"BCMDESIV"};
266   static const uint8_t kDESCiphertext[64] = {
267       0xa4, 0x30, 0x7a, 0x4c, 0x1f, 0x60, 0x16, 0xd7, 0x4f, 0x41, 0xe1,
268       0xbb, 0x27, 0xc4, 0x27, 0x37, 0xd4, 0x7f, 0xb9, 0x10, 0xf8, 0xbc,
269       0xaf, 0x93, 0x91, 0xb8, 0x88, 0x24, 0xb1, 0xf6, 0xf8, 0xbd, 0x31,
270       0x96, 0x06, 0x76, 0xde, 0x32, 0xcd, 0x29, 0x29, 0xba, 0x70, 0x5f,
271       0xea, 0xc0, 0xcb, 0xde, 0xc7, 0x75, 0x90, 0xe0, 0x0f, 0x5e, 0x2c,
272       0x0d, 0x49, 0x20, 0xd5, 0x30, 0x83, 0xf8, 0x08,
273 #if !defined(BORINGSSL_FIPS_BREAK_DES)
274       0x5a
275 #else
276       0x00
277 #endif
278   };
279   static const uint8_t kPlaintextSHA1[20] = {
280       0xc6, 0xf8, 0xc9, 0x63, 0x1c, 0x14, 0x23, 0x62, 0x9b, 0xbd,
281       0x55, 0x82, 0xf4, 0xd6, 0x1d, 0xf2, 0xab, 0x7d, 0xc8,
282 #if !defined(BORINGSSL_FIPS_BREAK_SHA_1)
283       0x28
284 #else
285       0x00
286 #endif
287   };
288   static const uint8_t kPlaintextSHA256[32] = {
289       0x37, 0xbd, 0x70, 0x53, 0x72, 0xfc, 0xd4, 0x03, 0x79, 0x70, 0xfb,
290       0x06, 0x95, 0xb1, 0x2a, 0x82, 0x48, 0xe1, 0x3e, 0xf2, 0x33, 0xfb,
291       0xef, 0x29, 0x81, 0x22, 0x45, 0x40, 0x43, 0x70, 0xce,
292 #if !defined(BORINGSSL_FIPS_BREAK_SHA_256)
293       0x0f
294 #else
295       0x00
296 #endif
297   };
298   static const uint8_t kPlaintextSHA512[64] = {
299       0x08, 0x6a, 0x1c, 0x84, 0x61, 0x9d, 0x8e, 0xb3, 0xc0, 0x97, 0x4e,
300       0xa1, 0x9f, 0x9c, 0xdc, 0xaf, 0x3b, 0x5c, 0x31, 0xf0, 0xf2, 0x74,
301       0xc3, 0xbd, 0x6e, 0xd6, 0x1e, 0xb2, 0xbb, 0x34, 0x74, 0x72, 0x5c,
302       0x51, 0x29, 0x8b, 0x87, 0x3a, 0xa3, 0xf2, 0x25, 0x23, 0xd4, 0x1c,
303       0x82, 0x1b, 0xfe, 0xd3, 0xc6, 0xee, 0xb5, 0xd6, 0xaf, 0x07, 0x7b,
304       0x98, 0xca, 0xa7, 0x01, 0xf3, 0x94, 0xf3, 0x68,
305 #if !defined(BORINGSSL_FIPS_BREAK_SHA_512)
306       0x14
307 #else
308       0x00
309 #endif
310   };
311   static const uint8_t kRSASignature[256] = {
312       0x62, 0x66, 0x4b, 0xe3, 0xb1, 0xd2, 0x83, 0xf1, 0xa8, 0x56, 0x2b, 0x33,
313       0x60, 0x1e, 0xdb, 0x1e, 0x06, 0xf7, 0xa7, 0x1e, 0xa8, 0xef, 0x03, 0x4d,
314       0x0c, 0xf6, 0x83, 0x75, 0x7a, 0xf0, 0x14, 0xc7, 0xe2, 0x94, 0x3a, 0xb5,
315       0x67, 0x56, 0xa5, 0x48, 0x7f, 0x3a, 0xa5, 0xbf, 0xf7, 0x1d, 0x44, 0xa6,
316       0x34, 0xed, 0x9b, 0xd6, 0x51, 0xaa, 0x2c, 0x4e, 0xce, 0x60, 0x5f, 0xe9,
317       0x0e, 0xd5, 0xcd, 0xeb, 0x23, 0x27, 0xf8, 0xfb, 0x45, 0xe5, 0x34, 0x63,
318       0x77, 0x7f, 0x2e, 0x80, 0xcf, 0x9d, 0x2e, 0xfc, 0xe2, 0x50, 0x75, 0x29,
319       0x46, 0xf4, 0xaf, 0x91, 0xed, 0x36, 0xe1, 0x5e, 0xef, 0x66, 0xa1, 0xff,
320       0x27, 0xfc, 0x87, 0x7e, 0x60, 0x84, 0x0f, 0x54, 0x51, 0x56, 0x0f, 0x68,
321       0x99, 0xc0, 0x3f, 0xeb, 0xa5, 0xa0, 0x46, 0xb0, 0x86, 0x02, 0xb0, 0xc8,
322       0xe8, 0x46, 0x13, 0x06, 0xcd, 0xb7, 0x8a, 0xd0, 0x3b, 0x46, 0xd0, 0x14,
323       0x64, 0x53, 0x9b, 0x5b, 0x5e, 0x02, 0x45, 0xba, 0x6e, 0x7e, 0x0a, 0xb9,
324       0x9e, 0x62, 0xb7, 0xd5, 0x7a, 0x87, 0xea, 0xd3, 0x24, 0xa5, 0xef, 0xb3,
325       0xdc, 0x05, 0x9c, 0x04, 0x60, 0x4b, 0xde, 0xa8, 0x90, 0x08, 0x7b, 0x6a,
326       0x5f, 0xb4, 0x3f, 0xda, 0xc5, 0x1f, 0x6e, 0xd6, 0x15, 0xde, 0x65, 0xa4,
327       0x6e, 0x62, 0x9d, 0x8f, 0xa8, 0xbe, 0x86, 0xf6, 0x09, 0x90, 0x40, 0xa5,
328       0xf4, 0x23, 0xc5, 0xf6, 0x38, 0x86, 0x0d, 0x1c, 0xed, 0x4a, 0x0a, 0xae,
329       0xa4, 0x26, 0xc2, 0x2e, 0xd3, 0x13, 0x66, 0x61, 0xea, 0x35, 0x01, 0x0e,
330       0x13, 0xda, 0x78, 0x20, 0xae, 0x59, 0x5f, 0x9b, 0xa9, 0x6c, 0xf9, 0x1b,
331       0xdf, 0x76, 0x53, 0xc8, 0xa7, 0xf5, 0x63, 0x6d, 0xf3, 0xff, 0xfd, 0xaf,
332       0x75, 0x4b, 0xac, 0x67, 0xb1, 0x3c, 0xbf, 0x5e, 0xde, 0x73, 0x02, 0x6d,
333       0xd2, 0x0c, 0xb1,
334 #if !defined(BORINGSSL_FIPS_BREAK_RSA_SIG)
335       0x64
336 #else
337       0x00
338 #endif
339   };
340   const uint8_t kDRBGEntropy[48] =
341       "BCM Known Answer Test DBRG Initial Entropy      ";
342   const uint8_t kDRBGPersonalization[18] = "BCMPersonalization";
343   const uint8_t kDRBGAD[16] = "BCM DRBG KAT AD ";
344   const uint8_t kDRBGOutput[64] = {
345       0x1d, 0x63, 0xdf, 0x05, 0x51, 0x49, 0x22, 0x46, 0xcd, 0x9b, 0xc5,
346       0xbb, 0xf1, 0x5d, 0x44, 0xae, 0x13, 0x78, 0xb1, 0xe4, 0x7c, 0xf1,
347       0x96, 0x33, 0x3d, 0x60, 0xb6, 0x29, 0xd4, 0xbb, 0x6b, 0x44, 0xf9,
348       0xef, 0xd9, 0xf4, 0xa2, 0xba, 0x48, 0xea, 0x39, 0x75, 0x59, 0x32,
349       0xf7, 0x31, 0x2c, 0x98, 0x14, 0x2b, 0x49, 0xdf, 0x02, 0xb6, 0x5d,
350       0x71, 0x09, 0x50, 0xdb, 0x23, 0xdb, 0xe5, 0x22,
351 #if !defined(BORINGSSL_FIPS_BREAK_DRBG)
352       0x95
353 #else
354       0x00
355 #endif
356   };
357   const uint8_t kDRBGEntropy2[48] =
358       "BCM Known Answer Test DBRG Reseed Entropy       ";
359   const uint8_t kDRBGReseedOutput[64] = {
360       0xa4, 0x77, 0x05, 0xdb, 0x14, 0x11, 0x76, 0x71, 0x42, 0x5b, 0xd8,
361       0xd7, 0xa5, 0x4f, 0x8b, 0x39, 0xf2, 0x10, 0x4a, 0x50, 0x5b, 0xa2,
362       0xc8, 0xf0, 0xbb, 0x3e, 0xa1, 0xa5, 0x90, 0x7d, 0x54, 0xd9, 0xc6,
363       0xb0, 0x96, 0xc0, 0x2b, 0x7e, 0x9b, 0xc9, 0xa1, 0xdd, 0x78, 0x2e,
364       0xd5, 0xa8, 0x66, 0x16, 0xbd, 0x18, 0x3c, 0xf2, 0xaa, 0x7a, 0x2b,
365       0x37, 0xf9, 0xab, 0x35, 0x64, 0x15, 0x01, 0x3f, 0xc4,
366   };
367   const uint8_t kECDSASigR[32] = {
368       0x67, 0x80, 0xc5, 0xfc, 0x70, 0x27, 0x5e, 0x2c, 0x70, 0x61, 0xa0,
369       0xe7, 0x87, 0x7b, 0xb1, 0x74, 0xde, 0xad, 0xeb, 0x98, 0x87, 0x02,
370       0x7f, 0x3f, 0xa8, 0x36, 0x54, 0x15, 0x8b, 0xa7, 0xf5,
371 #if !defined(BORINGSSL_FIPS_BREAK_ECDSA_SIG)
372       0x0c,
373 #else
374       0x00,
375 #endif
376   };
377   const uint8_t kECDSASigS[32] = {
378       0xa5, 0x93, 0xe0, 0x23, 0x91, 0xe7, 0x4b, 0x8d, 0x77, 0x25, 0xa6,
379       0xba, 0x4d, 0xd9, 0x86, 0x77, 0xda, 0x7d, 0x8f, 0xef, 0xc4, 0x1a,
380       0xf0, 0xcc, 0x81, 0xe5, 0xea, 0x3f, 0xc2, 0x41, 0x7f, 0xd8,
381   };
382 
383   EVP_AEAD_CTX aead_ctx;
384   EVP_AEAD_CTX_zero(&aead_ctx);
385   RSA *rsa_key = NULL;
386   EC_KEY *ec_key = NULL;
387   ECDSA_SIG *sig = NULL;
388   int ret = 0;
389 
390   AES_KEY aes_key;
391   uint8_t aes_iv[16];
392   uint8_t output[256];
393 
394   // AES-CBC Encryption KAT
395   memcpy(aes_iv, kAESIV, sizeof(kAESIV));
396   if (AES_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) {
397     fprintf(stderr, "AES_set_encrypt_key failed.\n");
398     goto err;
399   }
400   AES_cbc_encrypt(kPlaintext, output, sizeof(kPlaintext), &aes_key, aes_iv,
401                   AES_ENCRYPT);
402   if (!check_test(kAESCBCCiphertext, output, sizeof(kAESCBCCiphertext),
403                   "AES-CBC Encryption KAT")) {
404     goto err;
405   }
406 
407   // AES-CBC Decryption KAT
408   memcpy(aes_iv, kAESIV, sizeof(kAESIV));
409   if (AES_set_decrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) {
410     fprintf(stderr, "AES_set_decrypt_key failed.\n");
411     goto err;
412   }
413   AES_cbc_encrypt(kAESCBCCiphertext, output, sizeof(kAESCBCCiphertext),
414                   &aes_key, aes_iv, AES_DECRYPT);
415   if (!check_test(kPlaintext, output, sizeof(kPlaintext),
416                   "AES-CBC Decryption KAT")) {
417     goto err;
418   }
419 
420   size_t out_len;
421   uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
422   OPENSSL_memset(nonce, 0, sizeof(nonce));
423   if (!EVP_AEAD_CTX_init(&aead_ctx, EVP_aead_aes_128_gcm(), kAESKey,
424                          sizeof(kAESKey), 0, NULL)) {
425     fprintf(stderr, "EVP_AEAD_CTX_init for AES-128-GCM failed.\n");
426     goto err;
427   }
428 
429   // AES-GCM Encryption KAT
430   if (!EVP_AEAD_CTX_seal(&aead_ctx, output, &out_len, sizeof(output), nonce,
431                          EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()),
432                          kPlaintext, sizeof(kPlaintext), NULL, 0) ||
433       !check_test(kAESGCMCiphertext, output, sizeof(kAESGCMCiphertext),
434                   "AES-GCM Encryption KAT")) {
435     fprintf(stderr, "EVP_AEAD_CTX_seal for AES-128-GCM failed.\n");
436     goto err;
437   }
438 
439   // AES-GCM Decryption KAT
440   if (!EVP_AEAD_CTX_open(&aead_ctx, output, &out_len, sizeof(output), nonce,
441                          EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()),
442                          kAESGCMCiphertext, sizeof(kAESGCMCiphertext), NULL,
443                          0) ||
444       !check_test(kPlaintext, output, sizeof(kPlaintext),
445                   "AES-GCM Decryption KAT")) {
446     fprintf(stderr, "EVP_AEAD_CTX_open for AES-128-GCM failed.\n");
447     goto err;
448   }
449 
450   DES_key_schedule des1, des2, des3;
451   DES_cblock des_iv;
452   DES_set_key(&kDESKey1, &des1);
453   DES_set_key(&kDESKey2, &des2);
454   DES_set_key(&kDESKey3, &des3);
455 
456   // 3DES Encryption KAT
457   memcpy(&des_iv, &kDESIV, sizeof(des_iv));
458   DES_ede3_cbc_encrypt(kPlaintext, output, sizeof(kPlaintext), &des1, &des2,
459                        &des3, &des_iv, DES_ENCRYPT);
460   if (!check_test(kDESCiphertext, output, sizeof(kDESCiphertext),
461                   "3DES Encryption KAT")) {
462     goto err;
463   }
464 
465   // 3DES Decryption KAT
466   memcpy(&des_iv, &kDESIV, sizeof(des_iv));
467   DES_ede3_cbc_encrypt(kDESCiphertext, output, sizeof(kDESCiphertext), &des1,
468                        &des2, &des3, &des_iv, DES_DECRYPT);
469   if (!check_test(kPlaintext, output, sizeof(kPlaintext),
470                   "3DES Decryption KAT")) {
471     goto err;
472   }
473 
474   // SHA-1 KAT
475   SHA1(kPlaintext, sizeof(kPlaintext), output);
476   if (!check_test(kPlaintextSHA1, output, sizeof(kPlaintextSHA1),
477                   "SHA-1 KAT")) {
478     goto err;
479   }
480 
481   // SHA-256 KAT
482   SHA256(kPlaintext, sizeof(kPlaintext), output);
483   if (!check_test(kPlaintextSHA256, output, sizeof(kPlaintextSHA256),
484                   "SHA-256 KAT")) {
485     goto err;
486   }
487 
488   // SHA-512 KAT
489   SHA512(kPlaintext, sizeof(kPlaintext), output);
490   if (!check_test(kPlaintextSHA512, output, sizeof(kPlaintextSHA512),
491                   "SHA-512 KAT")) {
492     goto err;
493   }
494 
495   rsa_key = self_test_rsa_key();
496   if (rsa_key == NULL) {
497     fprintf(stderr, "RSA KeyGen failed\n");
498     goto err;
499   }
500 
501   // RSA Sign KAT
502   unsigned sig_len;
503 
504   // Disable blinding for the power-on tests because it's not needed and
505   // triggers an entropy draw.
506   rsa_key->flags |= RSA_FLAG_NO_BLINDING;
507 
508   if (!RSA_sign(NID_sha256, kPlaintextSHA256, sizeof(kPlaintextSHA256), output,
509                 &sig_len, rsa_key) ||
510       !check_test(kRSASignature, output, sizeof(kRSASignature),
511                   "RSA Sign KAT")) {
512     fprintf(stderr, "RSA signing test failed.\n");
513     goto err;
514   }
515 
516   // RSA Verify KAT
517   if (!RSA_verify(NID_sha256, kPlaintextSHA256, sizeof(kPlaintextSHA256),
518                   kRSASignature, sizeof(kRSASignature), rsa_key)) {
519     fprintf(stderr, "RSA Verify KAT failed.\n");
520     goto err;
521   }
522 
523   ec_key = self_test_ecdsa_key();
524   if (ec_key == NULL) {
525     fprintf(stderr, "ECDSA KeyGen failed\n");
526     goto err;
527   }
528 
529   // ECDSA Sign/Verify PWCT
530 
531   // The 'k' value for ECDSA is fixed to avoid an entropy draw.
532   ec_key->fixed_k = BN_new();
533   if (ec_key->fixed_k == NULL ||
534       !BN_set_word(ec_key->fixed_k, 42)) {
535     fprintf(stderr, "Out of memory\n");
536     goto err;
537   }
538 
539   sig = ECDSA_do_sign(kPlaintextSHA256, sizeof(kPlaintextSHA256), ec_key);
540 
541   uint8_t ecdsa_r_bytes[sizeof(kECDSASigR)];
542   uint8_t ecdsa_s_bytes[sizeof(kECDSASigS)];
543   if (sig == NULL ||
544       BN_num_bytes(sig->r) != sizeof(ecdsa_r_bytes) ||
545       !BN_bn2bin(sig->r, ecdsa_r_bytes) ||
546       BN_num_bytes(sig->s) != sizeof(ecdsa_s_bytes) ||
547       !BN_bn2bin(sig->s, ecdsa_s_bytes) ||
548       !check_test(kECDSASigR, ecdsa_r_bytes, sizeof(kECDSASigR), "ECDSA R") ||
549       !check_test(kECDSASigS, ecdsa_s_bytes, sizeof(kECDSASigS), "ECDSA S")) {
550     fprintf(stderr, "ECDSA KAT failed.\n");
551     goto err;
552   }
553 
554   // DBRG KAT
555   CTR_DRBG_STATE drbg;
556   if (!CTR_DRBG_init(&drbg, kDRBGEntropy, kDRBGPersonalization,
557                      sizeof(kDRBGPersonalization)) ||
558       !CTR_DRBG_generate(&drbg, output, sizeof(kDRBGOutput), kDRBGAD,
559                          sizeof(kDRBGAD)) ||
560       !check_test(kDRBGOutput, output, sizeof(kDRBGOutput),
561                   "DBRG Generate KAT") ||
562       !CTR_DRBG_reseed(&drbg, kDRBGEntropy2, kDRBGAD, sizeof(kDRBGAD)) ||
563       !CTR_DRBG_generate(&drbg, output, sizeof(kDRBGReseedOutput), kDRBGAD,
564                          sizeof(kDRBGAD)) ||
565       !check_test(kDRBGReseedOutput, output, sizeof(kDRBGReseedOutput),
566                   "DRBG Reseed KAT")) {
567     fprintf(stderr, "CTR-DRBG failed.\n");
568     goto err;
569   }
570   CTR_DRBG_clear(&drbg);
571 
572   CTR_DRBG_STATE kZeroDRBG;
573   memset(&kZeroDRBG, 0, sizeof(kZeroDRBG));
574   if (!check_test(&kZeroDRBG, &drbg, sizeof(drbg), "DRBG Clear KAT")) {
575     goto err;
576   }
577 
578   ret = 1;
579 
580 err:
581   EVP_AEAD_CTX_cleanup(&aead_ctx);
582   RSA_free(rsa_key);
583   EC_KEY_free(ec_key);
584   ECDSA_SIG_free(sig);
585 
586   return ret;
587 }
588 
589 #endif  // !_MSC_VER
590