1 /* 2 * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <string.h> 11 #include <openssl/evp.h> 12 #include <openssl/kdf.h> 13 #include <openssl/core_names.h> 14 #include <openssl/param_build.h> 15 #include <openssl/rand.h> 16 #include "crypto/ml_dsa.h" 17 #include "crypto/rand.h" 18 #include "internal/cryptlib.h" 19 #include "internal/nelem.h" 20 #include "self_test.h" 21 #include "crypto/ml_kem.h" 22 #include "self_test_data.inc" 23 24 static int set_kat_drbg(OSSL_LIB_CTX *ctx, 25 const unsigned char *entropy, size_t entropy_len, 26 const unsigned char *nonce, size_t nonce_len, 27 const unsigned char *persstr, size_t persstr_len); 28 static int reset_main_drbg(OSSL_LIB_CTX *ctx); 29 30 static int self_test_digest(const ST_KAT_DIGEST *t, OSSL_SELF_TEST *st, 31 OSSL_LIB_CTX *libctx) 32 { 33 int ok = 0; 34 unsigned char out[EVP_MAX_MD_SIZE]; 35 unsigned int out_len = 0; 36 EVP_MD_CTX *ctx = EVP_MD_CTX_new(); 37 EVP_MD *md = EVP_MD_fetch(libctx, t->algorithm, NULL); 38 39 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_DIGEST, t->desc); 40 41 if (ctx == NULL 42 || md == NULL 43 || !EVP_DigestInit_ex(ctx, md, NULL) 44 || !EVP_DigestUpdate(ctx, t->pt, t->pt_len) 45 || !EVP_DigestFinal(ctx, out, &out_len)) 46 goto err; 47 48 /* Optional corruption */ 49 OSSL_SELF_TEST_oncorrupt_byte(st, out); 50 51 if (out_len != t->expected_len 52 || memcmp(out, t->expected, out_len) != 0) 53 goto err; 54 ok = 1; 55 err: 56 EVP_MD_free(md); 57 EVP_MD_CTX_free(ctx); 58 OSSL_SELF_TEST_onend(st, ok); 59 return ok; 60 } 61 62 /* 63 * Helper function to setup a EVP_CipherInit 64 * Used to hide the complexity of Authenticated ciphers. 65 */ 66 static int cipher_init(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, 67 const ST_KAT_CIPHER *t, int enc) 68 { 69 unsigned char *in_tag = NULL; 70 int pad = 0, tmp; 71 72 /* Flag required for Key wrapping */ 73 EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW); 74 if (t->tag == NULL) { 75 /* Use a normal cipher init */ 76 return EVP_CipherInit_ex(ctx, cipher, NULL, t->key, t->iv, enc) 77 && EVP_CIPHER_CTX_set_padding(ctx, pad); 78 } 79 80 /* The authenticated cipher init */ 81 if (!enc) 82 in_tag = (unsigned char *)t->tag; 83 84 return EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc) 85 && (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, t->iv_len, NULL) > 0) 86 && (in_tag == NULL 87 || EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, t->tag_len, 88 in_tag) > 0) 89 && EVP_CipherInit_ex(ctx, NULL, NULL, t->key, t->iv, enc) 90 && EVP_CIPHER_CTX_set_padding(ctx, pad) 91 && EVP_CipherUpdate(ctx, NULL, &tmp, t->aad, t->aad_len); 92 } 93 94 /* Test a single KAT for encrypt/decrypt */ 95 static int self_test_cipher(const ST_KAT_CIPHER *t, OSSL_SELF_TEST *st, 96 OSSL_LIB_CTX *libctx) 97 { 98 int ret = 0, encrypt = 1, len = 0, ct_len = 0, pt_len = 0; 99 EVP_CIPHER_CTX *ctx = NULL; 100 EVP_CIPHER *cipher = NULL; 101 unsigned char ct_buf[256] = { 0 }; 102 unsigned char pt_buf[256] = { 0 }; 103 104 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_CIPHER, t->base.desc); 105 106 ctx = EVP_CIPHER_CTX_new(); 107 if (ctx == NULL) 108 goto err; 109 cipher = EVP_CIPHER_fetch(libctx, t->base.algorithm, NULL); 110 if (cipher == NULL) 111 goto err; 112 113 /* Encrypt plain text message */ 114 if ((t->mode & CIPHER_MODE_ENCRYPT) != 0) { 115 if (!cipher_init(ctx, cipher, t, encrypt) 116 || !EVP_CipherUpdate(ctx, ct_buf, &len, t->base.pt, 117 t->base.pt_len) 118 || !EVP_CipherFinal_ex(ctx, ct_buf + len, &ct_len)) 119 goto err; 120 121 OSSL_SELF_TEST_oncorrupt_byte(st, ct_buf); 122 ct_len += len; 123 if (ct_len != (int)t->base.expected_len 124 || memcmp(t->base.expected, ct_buf, ct_len) != 0) 125 goto err; 126 127 if (t->tag != NULL) { 128 unsigned char tag[16] = { 0 }; 129 130 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, t->tag_len, 131 tag) <= 0 132 || memcmp(tag, t->tag, t->tag_len) != 0) 133 goto err; 134 } 135 } 136 137 /* Decrypt cipher text */ 138 if ((t->mode & CIPHER_MODE_DECRYPT) != 0) { 139 if (!(cipher_init(ctx, cipher, t, !encrypt) 140 && EVP_CipherUpdate(ctx, pt_buf, &len, 141 t->base.expected, t->base.expected_len) 142 && EVP_CipherFinal_ex(ctx, pt_buf + len, &pt_len))) 143 goto err; 144 OSSL_SELF_TEST_oncorrupt_byte(st, pt_buf); 145 pt_len += len; 146 if (pt_len != (int)t->base.pt_len 147 || memcmp(pt_buf, t->base.pt, pt_len) != 0) 148 goto err; 149 } 150 151 ret = 1; 152 err: 153 EVP_CIPHER_free(cipher); 154 EVP_CIPHER_CTX_free(ctx); 155 OSSL_SELF_TEST_onend(st, ret); 156 return ret; 157 } 158 159 static int add_params(OSSL_PARAM_BLD *bld, const ST_KAT_PARAM *params, 160 BN_CTX *ctx) 161 { 162 int ret = 0; 163 const ST_KAT_PARAM *p; 164 165 if (params == NULL) 166 return 1; 167 for (p = params; p->data != NULL; ++p) { 168 switch (p->type) { 169 case OSSL_PARAM_UNSIGNED_INTEGER: { 170 BIGNUM *bn = BN_CTX_get(ctx); 171 172 if (bn == NULL 173 || (BN_bin2bn(p->data, p->data_len, bn) == NULL) 174 || !OSSL_PARAM_BLD_push_BN(bld, p->name, bn)) 175 goto err; 176 break; 177 } 178 case OSSL_PARAM_UTF8_STRING: { 179 if (!OSSL_PARAM_BLD_push_utf8_string(bld, p->name, p->data, 180 p->data_len)) 181 goto err; 182 break; 183 } 184 case OSSL_PARAM_OCTET_STRING: { 185 if (!OSSL_PARAM_BLD_push_octet_string(bld, p->name, p->data, 186 p->data_len)) 187 goto err; 188 break; 189 } 190 case OSSL_PARAM_INTEGER: { 191 if (!OSSL_PARAM_BLD_push_int(bld, p->name, *(int *)p->data)) 192 goto err; 193 break; 194 } 195 default: 196 break; 197 } 198 } 199 ret = 1; 200 err: 201 return ret; 202 } 203 204 #if defined(__GNUC__) && __GNUC__ >= 4 205 # define SENTINEL __attribute__((sentinel)) 206 #endif 207 208 #if !defined(SENTINEL) && defined(__clang_major__) && __clang_major__ > 14 209 # define SENTINEL __attribute__((sentinel)) 210 #endif 211 212 #ifndef SENTINEL 213 # define SENTINEL 214 #endif 215 216 static SENTINEL OSSL_PARAM *kat_params_to_ossl_params(OSSL_LIB_CTX *libctx, ...) 217 { 218 BN_CTX *bnc = NULL; 219 OSSL_PARAM *params = NULL; 220 OSSL_PARAM_BLD *bld = NULL; 221 const ST_KAT_PARAM *pms; 222 va_list ap; 223 224 bnc = BN_CTX_new_ex(libctx); 225 if (bnc == NULL) 226 goto err; 227 bld = OSSL_PARAM_BLD_new(); 228 if (bld == NULL) 229 goto err; 230 231 va_start(ap, libctx); 232 while ((pms = va_arg(ap, const ST_KAT_PARAM *)) != NULL) 233 if (!add_params(bld, pms, bnc)) { 234 va_end(ap); 235 goto err; 236 } 237 va_end(ap); 238 239 params = OSSL_PARAM_BLD_to_param(bld); 240 241 err: 242 OSSL_PARAM_BLD_free(bld); 243 BN_CTX_free(bnc); 244 return params; 245 } 246 247 static int self_test_kdf(const ST_KAT_KDF *t, OSSL_SELF_TEST *st, 248 OSSL_LIB_CTX *libctx) 249 { 250 int ret = 0; 251 unsigned char out[128]; 252 EVP_KDF *kdf = NULL; 253 EVP_KDF_CTX *ctx = NULL; 254 OSSL_PARAM *params = NULL; 255 256 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_KDF, t->desc); 257 258 kdf = EVP_KDF_fetch(libctx, t->algorithm, ""); 259 if (kdf == NULL) 260 goto err; 261 262 ctx = EVP_KDF_CTX_new(kdf); 263 if (ctx == NULL) 264 goto err; 265 266 params = kat_params_to_ossl_params(libctx, t->params, NULL); 267 if (params == NULL) 268 goto err; 269 270 if (t->expected_len > sizeof(out)) 271 goto err; 272 if (EVP_KDF_derive(ctx, out, t->expected_len, params) <= 0) 273 goto err; 274 275 OSSL_SELF_TEST_oncorrupt_byte(st, out); 276 277 if (memcmp(out, t->expected, t->expected_len) != 0) 278 goto err; 279 280 ret = 1; 281 err: 282 EVP_KDF_free(kdf); 283 EVP_KDF_CTX_free(ctx); 284 OSSL_PARAM_free(params); 285 OSSL_SELF_TEST_onend(st, ret); 286 return ret; 287 } 288 289 static int self_test_drbg(const ST_KAT_DRBG *t, OSSL_SELF_TEST *st, 290 OSSL_LIB_CTX *libctx) 291 { 292 int ret = 0; 293 unsigned char out[256]; 294 EVP_RAND *rand; 295 EVP_RAND_CTX *test = NULL, *drbg = NULL; 296 unsigned int strength = 256; 297 int prediction_resistance = 1; /* Causes a reseed */ 298 OSSL_PARAM drbg_params[3] = { 299 OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END 300 }; 301 302 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_DRBG, t->desc); 303 304 rand = EVP_RAND_fetch(libctx, "TEST-RAND", NULL); 305 if (rand == NULL) 306 goto err; 307 308 test = EVP_RAND_CTX_new(rand, NULL); 309 EVP_RAND_free(rand); 310 if (test == NULL) 311 goto err; 312 313 drbg_params[0] = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH, 314 &strength); 315 if (!EVP_RAND_CTX_set_params(test, drbg_params)) 316 goto err; 317 318 rand = EVP_RAND_fetch(libctx, t->algorithm, NULL); 319 if (rand == NULL) 320 goto err; 321 322 drbg = EVP_RAND_CTX_new(rand, test); 323 EVP_RAND_free(rand); 324 if (drbg == NULL) 325 goto err; 326 327 strength = EVP_RAND_get_strength(drbg); 328 329 drbg_params[0] = OSSL_PARAM_construct_utf8_string(t->param_name, 330 t->param_value, 0); 331 /* This is only used by HMAC-DRBG but it is ignored by the others */ 332 drbg_params[1] = 333 OSSL_PARAM_construct_utf8_string(OSSL_DRBG_PARAM_MAC, "HMAC", 0); 334 if (!EVP_RAND_CTX_set_params(drbg, drbg_params)) 335 goto err; 336 337 drbg_params[0] = 338 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY, 339 (void *)t->entropyin, 340 t->entropyinlen); 341 drbg_params[1] = 342 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_NONCE, 343 (void *)t->nonce, t->noncelen); 344 if (!EVP_RAND_instantiate(test, strength, 0, NULL, 0, drbg_params)) 345 goto err; 346 if (!EVP_RAND_instantiate(drbg, strength, 0, t->persstr, t->persstrlen, 347 NULL)) 348 goto err; 349 350 drbg_params[0] = 351 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY, 352 (void *)t->entropyinpr1, 353 t->entropyinpr1len); 354 if (!EVP_RAND_CTX_set_params(test, drbg_params)) 355 goto err; 356 357 if (!EVP_RAND_generate(drbg, out, t->expectedlen, strength, 358 prediction_resistance, 359 t->entropyaddin1, t->entropyaddin1len)) 360 goto err; 361 362 drbg_params[0] = 363 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY, 364 (void *)t->entropyinpr2, 365 t->entropyinpr2len); 366 if (!EVP_RAND_CTX_set_params(test, drbg_params)) 367 goto err; 368 369 /* 370 * This calls ossl_prov_drbg_reseed() internally when 371 * prediction_resistance = 1 372 */ 373 if (!EVP_RAND_generate(drbg, out, t->expectedlen, strength, 374 prediction_resistance, 375 t->entropyaddin2, t->entropyaddin2len)) 376 goto err; 377 378 OSSL_SELF_TEST_oncorrupt_byte(st, out); 379 380 if (memcmp(out, t->expected, t->expectedlen) != 0) 381 goto err; 382 383 if (!EVP_RAND_uninstantiate(drbg)) 384 goto err; 385 /* 386 * Check that the DRBG data has been zeroized after 387 * ossl_prov_drbg_uninstantiate. 388 */ 389 if (!EVP_RAND_verify_zeroization(drbg)) 390 goto err; 391 392 ret = 1; 393 err: 394 EVP_RAND_CTX_free(drbg); 395 EVP_RAND_CTX_free(test); 396 OSSL_SELF_TEST_onend(st, ret); 397 return ret; 398 } 399 400 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) 401 static int self_test_ka(const ST_KAT_KAS *t, 402 OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) 403 { 404 int ret = 0; 405 EVP_PKEY_CTX *kactx = NULL, *dctx = NULL; 406 EVP_PKEY *pkey = NULL, *peerkey = NULL; 407 OSSL_PARAM *params = NULL; 408 OSSL_PARAM *params_peer = NULL; 409 unsigned char secret[256]; 410 size_t secret_len = t->expected_len; 411 412 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_KA, t->desc); 413 414 if (secret_len > sizeof(secret)) 415 goto err; 416 417 params = kat_params_to_ossl_params(libctx, t->key_group, 418 t->key_host_data, NULL); 419 params_peer = kat_params_to_ossl_params(libctx, t->key_group, 420 t->key_peer_data, NULL); 421 if (params == NULL || params_peer == NULL) 422 goto err; 423 424 /* Create a EVP_PKEY_CTX to load the DH keys into */ 425 kactx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, ""); 426 if (kactx == NULL) 427 goto err; 428 if (EVP_PKEY_fromdata_init(kactx) <= 0 429 || EVP_PKEY_fromdata(kactx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) 430 goto err; 431 if (EVP_PKEY_fromdata_init(kactx) <= 0 432 || EVP_PKEY_fromdata(kactx, &peerkey, EVP_PKEY_KEYPAIR, params_peer) <= 0) 433 goto err; 434 435 /* Create a EVP_PKEY_CTX to perform key derivation */ 436 dctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL); 437 if (dctx == NULL) 438 goto err; 439 440 if (EVP_PKEY_derive_init(dctx) <= 0 441 || EVP_PKEY_derive_set_peer(dctx, peerkey) <= 0 442 || EVP_PKEY_derive(dctx, secret, &secret_len) <= 0) 443 goto err; 444 445 OSSL_SELF_TEST_oncorrupt_byte(st, secret); 446 447 if (secret_len != t->expected_len 448 || memcmp(secret, t->expected, t->expected_len) != 0) 449 goto err; 450 ret = 1; 451 err: 452 EVP_PKEY_free(pkey); 453 EVP_PKEY_free(peerkey); 454 EVP_PKEY_CTX_free(kactx); 455 EVP_PKEY_CTX_free(dctx); 456 OSSL_PARAM_free(params_peer); 457 OSSL_PARAM_free(params); 458 OSSL_SELF_TEST_onend(st, ret); 459 return ret; 460 } 461 #endif /* !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) */ 462 463 static int digest_signature(const uint8_t *sig, size_t sig_len, 464 uint8_t *out, size_t *out_len, 465 OSSL_LIB_CTX *lib_ctx) 466 { 467 int ret; 468 unsigned int len = 0; 469 EVP_MD_CTX *ctx = EVP_MD_CTX_new(); 470 EVP_MD *md = EVP_MD_fetch(lib_ctx, "SHA256", NULL); 471 472 ret = ctx != NULL 473 && md != NULL 474 && EVP_DigestInit_ex(ctx, md, NULL) == 1 475 && EVP_DigestUpdate(ctx, sig, sig_len) == 1 476 && EVP_DigestFinal(ctx, out, &len) == 1; 477 EVP_MD_free(md); 478 EVP_MD_CTX_free(ctx); 479 *out_len = len; 480 return ret; 481 } 482 483 static int self_test_digest_sign(const ST_KAT_SIGN *t, 484 OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) 485 { 486 int ret = 0; 487 OSSL_PARAM *paramskey = NULL, *paramsinit = NULL, *paramsverify = NULL; 488 EVP_SIGNATURE *sigalg = NULL; 489 EVP_PKEY_CTX *ctx = NULL; 490 EVP_PKEY_CTX *fromctx = NULL; 491 EVP_PKEY *pkey = NULL; 492 unsigned char sig[MAX_ML_DSA_SIG_LEN], *psig = sig; 493 size_t siglen; 494 int digested = 0; 495 const char *typ = OSSL_SELF_TEST_TYPE_KAT_SIGNATURE; 496 497 if (t->sig_expected_len > sizeof(sig)) 498 goto err; 499 500 if (t->sig_expected == NULL) 501 typ = OSSL_SELF_TEST_TYPE_PCT_SIGNATURE; 502 503 OSSL_SELF_TEST_onbegin(st, typ, t->desc); 504 505 if (t->entropy != NULL) { 506 if (!set_kat_drbg(libctx, t->entropy, t->entropy_len, 507 t->nonce, t->nonce_len, t->persstr, t->persstr_len)) 508 goto err; 509 } 510 511 paramskey = kat_params_to_ossl_params(libctx, t->key, NULL); 512 paramsinit = kat_params_to_ossl_params(libctx, t->init, NULL); 513 paramsverify = kat_params_to_ossl_params(libctx, t->verify, NULL); 514 515 fromctx = EVP_PKEY_CTX_new_from_name(libctx, t->keytype, NULL); 516 if (fromctx == NULL 517 || paramskey == NULL 518 || paramsinit == NULL 519 || paramsverify == NULL) 520 goto err; 521 if (EVP_PKEY_fromdata_init(fromctx) <= 0 522 || EVP_PKEY_fromdata(fromctx, &pkey, EVP_PKEY_KEYPAIR, paramskey) <= 0) 523 goto err; 524 525 sigalg = EVP_SIGNATURE_fetch(libctx, t->sigalgorithm, NULL); 526 if (sigalg == NULL) 527 goto err; 528 ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL); 529 if (ctx == NULL) 530 goto err; 531 532 digested = ((t->mode & SIGNATURE_MODE_DIGESTED) != 0); 533 534 if ((t->mode & SIGNATURE_MODE_VERIFY_ONLY) != 0) { 535 siglen = t->sig_expected_len; 536 memcpy(psig, t->sig_expected, siglen); 537 } else { 538 if (digested) { 539 if (EVP_PKEY_sign_init_ex2(ctx, sigalg, paramsinit) <= 0) 540 goto err; 541 } else { 542 if (EVP_PKEY_sign_message_init(ctx, sigalg, paramsinit) <= 0) 543 goto err; 544 } 545 siglen = sizeof(sig); 546 if ((t->mode & SIGNATURE_MODE_SIG_DIGESTED) != 0) { 547 if (EVP_PKEY_sign(ctx, NULL, &siglen, t->msg, t->msg_len) <= 0) 548 goto err; 549 if (siglen > sizeof(sig)) { 550 psig = OPENSSL_malloc(siglen); 551 if (psig == NULL) 552 goto err; 553 } 554 } 555 if (EVP_PKEY_sign(ctx, psig, &siglen, t->msg, t->msg_len) <= 0) 556 goto err; 557 558 if (t->sig_expected != NULL) { 559 if ((t->mode & SIGNATURE_MODE_SIG_DIGESTED) != 0) { 560 uint8_t digested_sig[EVP_MAX_MD_SIZE]; 561 size_t digested_sig_len = 0; 562 563 if (!digest_signature(psig, siglen, digested_sig, 564 &digested_sig_len, libctx) 565 || digested_sig_len != t->sig_expected_len 566 || memcmp(digested_sig, t->sig_expected, t->sig_expected_len) != 0) 567 goto err; 568 } else { 569 if (siglen != t->sig_expected_len 570 || memcmp(psig, t->sig_expected, t->sig_expected_len) != 0) 571 goto err; 572 } 573 } 574 } 575 576 if ((t->mode & SIGNATURE_MODE_SIGN_ONLY) == 0) { 577 if (digested) { 578 if (EVP_PKEY_verify_init_ex2(ctx, sigalg, paramsverify) <= 0) 579 goto err; 580 } else { 581 if (EVP_PKEY_verify_message_init(ctx, sigalg, paramsverify) <= 0) 582 goto err; 583 } 584 OSSL_SELF_TEST_oncorrupt_byte(st, psig); 585 if (EVP_PKEY_verify(ctx, psig, siglen, t->msg, t->msg_len) <= 0) 586 goto err; 587 } 588 ret = 1; 589 err: 590 if (psig != sig) 591 OPENSSL_free(psig); 592 EVP_PKEY_free(pkey); 593 EVP_PKEY_CTX_free(fromctx); 594 EVP_PKEY_CTX_free(ctx); 595 EVP_SIGNATURE_free(sigalg); 596 OSSL_PARAM_free(paramskey); 597 OSSL_PARAM_free(paramsinit); 598 OSSL_PARAM_free(paramsverify); 599 if (t->entropy != NULL) { 600 if (!reset_main_drbg(libctx)) 601 ret = 0; 602 } 603 OSSL_SELF_TEST_onend(st, ret); 604 return ret; 605 } 606 607 #if !defined(OPENSSL_NO_ML_DSA) || !defined(OPENSSL_NO_SLH_DSA) 608 /* 609 * Test that a deterministic key generation produces the correct key 610 */ 611 static int self_test_asym_keygen(const ST_KAT_ASYM_KEYGEN *t, OSSL_SELF_TEST *st, 612 OSSL_LIB_CTX *libctx) 613 { 614 int ret = 0; 615 const ST_KAT_PARAM *expected; 616 OSSL_PARAM *key_params = NULL; 617 EVP_PKEY_CTX *key_ctx = NULL; 618 EVP_PKEY *key = NULL; 619 uint8_t out[MAX_ML_DSA_PRIV_LEN]; 620 size_t out_len = 0; 621 622 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_ASYM_KEYGEN, t->desc); 623 624 key_ctx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, NULL); 625 if (key_ctx == NULL) 626 goto err; 627 if (t->keygen_params != NULL) { 628 key_params = kat_params_to_ossl_params(libctx, t->keygen_params, NULL); 629 if (key_params == NULL) 630 goto err; 631 } 632 if (EVP_PKEY_keygen_init(key_ctx) != 1 633 || EVP_PKEY_CTX_set_params(key_ctx, key_params) != 1 634 || EVP_PKEY_generate(key_ctx, &key) != 1) 635 goto err; 636 637 for (expected = t->expected_params; expected->data != NULL; ++expected) { 638 if (expected->type != OSSL_PARAM_OCTET_STRING 639 || !EVP_PKEY_get_octet_string_param(key, expected->name, 640 out, sizeof(out), &out_len)) 641 goto err; 642 OSSL_SELF_TEST_oncorrupt_byte(st, out); 643 /* Check the KAT */ 644 if (out_len != expected->data_len 645 || memcmp(out, expected->data, expected->data_len) != 0) 646 goto err; 647 } 648 ret = 1; 649 err: 650 EVP_PKEY_free(key); 651 EVP_PKEY_CTX_free(key_ctx); 652 OSSL_PARAM_free(key_params); 653 OSSL_SELF_TEST_onend(st, ret); 654 return ret; 655 } 656 #endif /* OPENSSL_NO_ML_DSA */ 657 658 #ifndef OPENSSL_NO_ML_KEM 659 /* 660 * FIPS 140-3 IG 10.3.A resolution 14 mandates a CAST for ML-KEM 661 * encapsulation. 662 */ 663 static int self_test_kem_encapsulate(const ST_KAT_KEM *t, OSSL_SELF_TEST *st, 664 OSSL_LIB_CTX *libctx, EVP_PKEY *pkey) 665 { 666 int ret = 0; 667 EVP_PKEY_CTX *ctx; 668 unsigned char *wrapped = NULL, *secret = NULL; 669 size_t wrappedlen = t->cipher_text_len, secretlen = t->secret_len; 670 OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; 671 672 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_KEM, 673 OSSL_SELF_TEST_DESC_ENCAP_KEM); 674 675 ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, ""); 676 if (ctx == NULL) 677 goto err; 678 679 *params = OSSL_PARAM_construct_octet_string(OSSL_KEM_PARAM_IKME, 680 (unsigned char *)t->entropy, 681 t->entropy_len); 682 if (EVP_PKEY_encapsulate_init(ctx, params) <= 0) 683 goto err; 684 685 /* Allocate output buffers */ 686 wrapped = OPENSSL_malloc(wrappedlen); 687 secret = OPENSSL_malloc(secretlen); 688 if (wrapped == NULL || secret == NULL) 689 goto err; 690 691 /* Encapsulate */ 692 if (EVP_PKEY_encapsulate(ctx, wrapped, &wrappedlen, secret, &secretlen) <= 0) 693 goto err; 694 695 /* Compare outputs */ 696 OSSL_SELF_TEST_oncorrupt_byte(st, wrapped); 697 if (wrappedlen != t->cipher_text_len 698 || memcmp(wrapped, t->cipher_text, t->cipher_text_len) != 0) 699 goto err; 700 701 OSSL_SELF_TEST_oncorrupt_byte(st, secret); 702 if (secretlen != t->secret_len 703 || memcmp(secret, t->secret, t->secret_len) != 0) 704 goto err; 705 706 ret = 1; 707 err: 708 OPENSSL_free(wrapped); 709 OPENSSL_free(secret); 710 EVP_PKEY_CTX_free(ctx); 711 OSSL_SELF_TEST_onend(st, ret); 712 return ret; 713 } 714 715 /* 716 * FIPS 140-3 IG 10.3.A resolution 14 mandates a CAST for ML-KEM 717 * decapsulation both for the rejection path and the normal path. 718 */ 719 static int self_test_kem_decapsulate(const ST_KAT_KEM *t, OSSL_SELF_TEST *st, 720 OSSL_LIB_CTX *libctx, EVP_PKEY *pkey, 721 int reject) 722 { 723 int ret = 0; 724 EVP_PKEY_CTX *ctx = NULL; 725 unsigned char *secret = NULL, *alloced = NULL; 726 const unsigned char *test_secret = t->secret; 727 const unsigned char *cipher_text = t->cipher_text; 728 size_t secretlen = t->secret_len; 729 730 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_KEM, 731 reject ? OSSL_SELF_TEST_DESC_DECAP_KEM_FAIL 732 : OSSL_SELF_TEST_DESC_DECAP_KEM); 733 734 if (reject) { 735 cipher_text = alloced = OPENSSL_zalloc(t->cipher_text_len); 736 if (alloced == NULL) 737 goto err; 738 test_secret = t->reject_secret; 739 } 740 741 ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, ""); 742 if (ctx == NULL) 743 goto err; 744 745 if (EVP_PKEY_decapsulate_init(ctx, NULL) <= 0) 746 goto err; 747 748 /* Allocate output buffer */ 749 secret = OPENSSL_malloc(secretlen); 750 if (secret == NULL) 751 goto err; 752 753 /* Decapsulate */ 754 if (EVP_PKEY_decapsulate(ctx, secret, &secretlen, 755 cipher_text, t->cipher_text_len) <= 0) 756 goto err; 757 758 /* Compare output */ 759 OSSL_SELF_TEST_oncorrupt_byte(st, secret); 760 if (secretlen != t->secret_len 761 || memcmp(secret, test_secret, t->secret_len) != 0) 762 goto err; 763 764 ret = 1; 765 err: 766 OPENSSL_free(alloced); 767 OPENSSL_free(secret); 768 EVP_PKEY_CTX_free(ctx); 769 OSSL_SELF_TEST_onend(st, ret); 770 return ret; 771 } 772 773 /* 774 * Test encapsulation, decapsulation for KEM. 775 * 776 * FIPS 140-3 IG 10.3.A resolution 14 mandates a CAST for: 777 * 1 ML-KEM encapsulation 778 * 2a ML-KEM decapsulation non-rejection path 779 * 2b ML-KEM decapsulation implicit rejection path 780 * 3 ML-KEM key generation 781 */ 782 static int self_test_kem(const ST_KAT_KEM *t, OSSL_SELF_TEST *st, 783 OSSL_LIB_CTX *libctx) 784 { 785 int ret = 0; 786 EVP_PKEY *pkey = NULL; 787 EVP_PKEY_CTX *ctx; 788 OSSL_PARAM *params = NULL; 789 790 ctx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, NULL); 791 if (ctx == NULL) 792 goto err; 793 params = kat_params_to_ossl_params(libctx, t->key, NULL); 794 if (params == NULL) 795 goto err; 796 797 if (EVP_PKEY_fromdata_init(ctx) <= 0 798 || EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) 799 goto err; 800 801 if (!self_test_kem_encapsulate(t, st, libctx, pkey) 802 || !self_test_kem_decapsulate(t, st, libctx, pkey, 0) 803 || !self_test_kem_decapsulate(t, st, libctx, pkey, 1)) 804 goto err; 805 806 ret = 1; 807 err: 808 EVP_PKEY_CTX_free(ctx); 809 EVP_PKEY_free(pkey); 810 OSSL_PARAM_free(params); 811 return ret; 812 } 813 #endif 814 815 /* 816 * Test a data driven list of KAT's for digest algorithms. 817 * All tests are run regardless of if they fail or not. 818 * Return 0 if any test fails. 819 */ 820 static int self_test_digests(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) 821 { 822 int i, ret = 1; 823 824 for (i = 0; i < (int)OSSL_NELEM(st_kat_digest_tests); ++i) { 825 if (!self_test_digest(&st_kat_digest_tests[i], st, libctx)) 826 ret = 0; 827 } 828 return ret; 829 } 830 831 static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) 832 { 833 int i, ret = 1; 834 835 for (i = 0; i < (int)OSSL_NELEM(st_kat_cipher_tests); ++i) { 836 if (!self_test_cipher(&st_kat_cipher_tests[i], st, libctx)) 837 ret = 0; 838 } 839 return ret; 840 } 841 842 static int self_test_kems(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) 843 { 844 int ret = 1; 845 #ifndef OPENSSL_NO_ML_KEM 846 int i; 847 848 for (i = 0; i < (int)OSSL_NELEM(st_kat_kem_tests); ++i) { 849 if (!self_test_kem(&st_kat_kem_tests[i], st, libctx)) 850 ret = 0; 851 } 852 #endif 853 return ret; 854 } 855 856 static int self_test_kdfs(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) 857 { 858 int i, ret = 1; 859 860 for (i = 0; i < (int)OSSL_NELEM(st_kat_kdf_tests); ++i) { 861 if (!self_test_kdf(&st_kat_kdf_tests[i], st, libctx)) 862 ret = 0; 863 } 864 return ret; 865 } 866 867 static int self_test_drbgs(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) 868 { 869 int i, ret = 1; 870 871 for (i = 0; i < (int)OSSL_NELEM(st_kat_drbg_tests); ++i) { 872 if (!self_test_drbg(&st_kat_drbg_tests[i], st, libctx)) 873 ret = 0; 874 } 875 return ret; 876 } 877 878 static int self_test_kas(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) 879 { 880 int ret = 1; 881 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) 882 int i; 883 884 for (i = 0; i < (int)OSSL_NELEM(st_kat_kas_tests); ++i) { 885 if (!self_test_ka(&st_kat_kas_tests[i], st, libctx)) 886 ret = 0; 887 } 888 #endif 889 890 return ret; 891 } 892 893 static int self_test_signatures(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) 894 { 895 int i, ret = 1; 896 897 for (i = 0; i < (int)OSSL_NELEM(st_kat_sign_tests); ++i) { 898 if (!self_test_digest_sign(&st_kat_sign_tests[i], st, libctx)) 899 ret = 0; 900 } 901 return ret; 902 } 903 904 /* 905 * Swap the library context DRBG for KAT testing 906 * 907 * In FIPS 140-3, the asymmetric POST must be a KAT, not a PCT. For DSA and ECDSA, 908 * the sign operation includes the random value 'k'. For a KAT to work, we 909 * have to have control of the DRBG to make sure it is in a "test" state, where 910 * its output is truly deterministic. 911 * 912 */ 913 914 /* 915 * Replacement "random" sources 916 * main_rand is used for most tests and it's set to generate mode. 917 * kat_rand is used for KATs where specific input is mandated. 918 */ 919 static EVP_RAND_CTX *kat_rand = NULL; 920 static EVP_RAND_CTX *main_rand = NULL; 921 922 static int set_kat_drbg(OSSL_LIB_CTX *ctx, 923 const unsigned char *entropy, size_t entropy_len, 924 const unsigned char *nonce, size_t nonce_len, 925 const unsigned char *persstr, size_t persstr_len) { 926 EVP_RAND *rand; 927 unsigned int strength = 256; 928 EVP_RAND_CTX *parent_rand = NULL; 929 OSSL_PARAM drbg_params[3] = { 930 OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END 931 }; 932 933 /* If not NULL, we didn't cleanup from last call: BAD */ 934 if (kat_rand != NULL) 935 return 0; 936 937 rand = EVP_RAND_fetch(ctx, "TEST-RAND", NULL); 938 if (rand == NULL) 939 return 0; 940 941 parent_rand = EVP_RAND_CTX_new(rand, NULL); 942 EVP_RAND_free(rand); 943 if (parent_rand == NULL) 944 goto err; 945 946 drbg_params[0] = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH, 947 &strength); 948 if (!EVP_RAND_CTX_set_params(parent_rand, drbg_params)) 949 goto err; 950 951 rand = EVP_RAND_fetch(ctx, "HASH-DRBG", NULL); 952 if (rand == NULL) 953 goto err; 954 955 kat_rand = EVP_RAND_CTX_new(rand, parent_rand); 956 EVP_RAND_free(rand); 957 if (kat_rand == NULL) 958 goto err; 959 960 drbg_params[0] = OSSL_PARAM_construct_utf8_string("digest", "SHA256", 0); 961 if (!EVP_RAND_CTX_set_params(kat_rand, drbg_params)) 962 goto err; 963 964 /* Instantiate the RNGs */ 965 drbg_params[0] = 966 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY, 967 (void *)entropy, entropy_len); 968 drbg_params[1] = 969 OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_NONCE, 970 (void *)nonce, nonce_len); 971 if (!EVP_RAND_instantiate(parent_rand, strength, 0, NULL, 0, drbg_params)) 972 goto err; 973 974 EVP_RAND_CTX_free(parent_rand); 975 parent_rand = NULL; 976 977 if (!EVP_RAND_instantiate(kat_rand, strength, 0, persstr, persstr_len, NULL)) 978 goto err; 979 980 /* When we set the new private generator this one is freed, so upref it */ 981 if (!EVP_RAND_CTX_up_ref(main_rand)) 982 goto err; 983 984 /* Update the library context DRBG */ 985 if (RAND_set0_private(ctx, kat_rand) > 0) { 986 /* Keeping a copy to verify zeroization */ 987 if (EVP_RAND_CTX_up_ref(kat_rand)) 988 return 1; 989 RAND_set0_private(ctx, main_rand); 990 } 991 992 err: 993 EVP_RAND_CTX_free(parent_rand); 994 EVP_RAND_CTX_free(kat_rand); 995 kat_rand = NULL; 996 return 0; 997 } 998 999 static int reset_main_drbg(OSSL_LIB_CTX *ctx) { 1000 int ret = 1; 1001 1002 if (!RAND_set0_private(ctx, main_rand)) 1003 ret = 0; 1004 if (kat_rand != NULL) { 1005 if (!EVP_RAND_uninstantiate(kat_rand) 1006 || !EVP_RAND_verify_zeroization(kat_rand)) 1007 ret = 0; 1008 EVP_RAND_CTX_free(kat_rand); 1009 kat_rand = NULL; 1010 } 1011 return ret; 1012 } 1013 1014 static int setup_main_random(OSSL_LIB_CTX *libctx) 1015 { 1016 OSSL_PARAM drbg_params[3] = { 1017 OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END 1018 }; 1019 unsigned int strength = 256, generate = 1; 1020 EVP_RAND *rand; 1021 1022 rand = EVP_RAND_fetch(libctx, "TEST-RAND", NULL); 1023 if (rand == NULL) 1024 return 0; 1025 1026 main_rand = EVP_RAND_CTX_new(rand, NULL); 1027 EVP_RAND_free(rand); 1028 if (main_rand == NULL) 1029 goto err; 1030 1031 drbg_params[0] = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_GENERATE, 1032 &generate); 1033 drbg_params[1] = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH, 1034 &strength); 1035 1036 if (!EVP_RAND_instantiate(main_rand, strength, 0, NULL, 0, drbg_params)) 1037 goto err; 1038 return 1; 1039 err: 1040 EVP_RAND_CTX_free(main_rand); 1041 return 0; 1042 } 1043 1044 static int self_test_asym_keygens(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) 1045 { 1046 #if !defined(OPENSSL_NO_ML_DSA) || !defined(OPENSSL_NO_SLH_DSA) 1047 int i, ret = 1; 1048 1049 for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_keygen_tests); ++i) { 1050 if (!self_test_asym_keygen(&st_kat_asym_keygen_tests[i], st, libctx)) 1051 ret = 0; 1052 } 1053 return ret; 1054 #else 1055 return 1; 1056 #endif /* OPENSSL_NO_ML_DSA */ 1057 } 1058 1059 /* 1060 * Run the algorithm KAT's. 1061 * Return 1 is successful, otherwise return 0. 1062 * This runs all the tests regardless of if any fail. 1063 */ 1064 int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) 1065 { 1066 EVP_RAND_CTX *saved_rand = ossl_rand_get0_private_noncreating(libctx); 1067 int ret = 1; 1068 1069 if (saved_rand != NULL && !EVP_RAND_CTX_up_ref(saved_rand)) 1070 return 0; 1071 if (!setup_main_random(libctx) 1072 || !RAND_set0_private(libctx, main_rand)) { 1073 /* Decrement saved_rand reference counter */ 1074 EVP_RAND_CTX_free(saved_rand); 1075 EVP_RAND_CTX_free(main_rand); 1076 return 0; 1077 } 1078 1079 if (!self_test_digests(st, libctx)) 1080 ret = 0; 1081 if (!self_test_ciphers(st, libctx)) 1082 ret = 0; 1083 if (!self_test_signatures(st, libctx)) 1084 ret = 0; 1085 if (!self_test_kdfs(st, libctx)) 1086 ret = 0; 1087 if (!self_test_drbgs(st, libctx)) 1088 ret = 0; 1089 if (!self_test_kas(st, libctx)) 1090 ret = 0; 1091 if (!self_test_asym_keygens(st, libctx)) 1092 ret = 0; 1093 if (!self_test_kems(st, libctx)) 1094 ret = 0; 1095 1096 RAND_set0_private(libctx, saved_rand); 1097 return ret; 1098 } 1099 1100