Extract FIPS KAT tests into a function.

This change adds |BORINGSSL_self_test|, which allows applications to run
the FIPS KAT tests on demand, even in non-FIPS builds.

Change-Id: I950b30a02ab030d5e05f2d86148beb4ee1b5929c
Reviewed-on: https://boringssl-review.googlesource.com/25044
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
This commit is contained in:
Adam Langley 2018-01-22 11:07:42 -08:00 committed by CQ bot account: commit-bot@chromium.org
parent 36fcc4ca5d
commit f2e7b220c0
4 changed files with 98 additions and 48 deletions

View File

@ -260,6 +260,7 @@ add_executable(
pool/pool_test.cc pool/pool_test.cc
refcount_test.cc refcount_test.cc
rsa_extra/rsa_test.cc rsa_extra/rsa_test.cc
self_test.cc
test/file_test_gtest.cc test/file_test_gtest.cc
thread_test.cc thread_test.cc
x509/x509_test.cc x509/x509_test.cc

View File

@ -95,7 +95,9 @@
#include "tls/kdf.c" #include "tls/kdf.c"
#if defined(BORINGSSL_FIPS) // MSVC wants to put a NUL byte at the end of non-char arrays and so cannot
// compile this.
#if !defined(_MSC_VER)
static void hexdump(const uint8_t *in, size_t len) { static void hexdump(const uint8_t *in, size_t len) {
for (size_t i = 0; i < len; i++) { for (size_t i = 0; i < len; i++) {
@ -288,41 +290,7 @@ static EC_KEY *self_test_ecdsa_key(void) {
return ec_key; return ec_key;
} }
#if !defined(OPENSSL_ASAN) int BORINGSSL_self_test(void) {
// These symbols are filled in by delocate.go. They point to the start and end
// of the module, and the location of the integrity hash, respectively.
extern const uint8_t BORINGSSL_bcm_text_start[];
extern const uint8_t BORINGSSL_bcm_text_end[];
extern const uint8_t BORINGSSL_bcm_text_hash[];
#endif
static void __attribute__((constructor))
BORINGSSL_bcm_power_on_self_test(void) {
CRYPTO_library_init();
#if !defined(OPENSSL_ASAN)
// Integrity tests cannot run under ASAN because it involves reading the full
// .text section, which triggers the global-buffer overflow detection.
const uint8_t *const start = BORINGSSL_bcm_text_start;
const uint8_t *const end = BORINGSSL_bcm_text_end;
static const uint8_t kHMACKey[64] = {0};
uint8_t result[SHA512_DIGEST_LENGTH];
unsigned result_len;
if (!HMAC(EVP_sha512(), kHMACKey, sizeof(kHMACKey), start, end - start,
result, &result_len) ||
result_len != sizeof(result)) {
goto err;
}
const uint8_t *expected = BORINGSSL_bcm_text_hash;
if (!check_test(expected, result, sizeof(result), "FIPS integrity test")) {
goto err;
}
#endif
static const uint8_t kAESKey[16] = "BoringCrypto Key"; static const uint8_t kAESKey[16] = "BoringCrypto Key";
static const uint8_t kAESIV[16] = {0}; static const uint8_t kAESIV[16] = {0};
static const uint8_t kPlaintext[64] = static const uint8_t kPlaintext[64] =
@ -475,6 +443,13 @@ BORINGSSL_bcm_power_on_self_test(void) {
0xf0, 0xcc, 0x81, 0xe5, 0xea, 0x3f, 0xc2, 0x41, 0x7f, 0xd8, 0xf0, 0xcc, 0x81, 0xe5, 0xea, 0x3f, 0xc2, 0x41, 0x7f, 0xd8,
}; };
EVP_AEAD_CTX aead_ctx;
EVP_AEAD_CTX_zero(&aead_ctx);
RSA *rsa_key = NULL;
EC_KEY *ec_key = NULL;
ECDSA_SIG *sig = NULL;
int ret = 0;
AES_KEY aes_key; AES_KEY aes_key;
uint8_t aes_iv[16]; uint8_t aes_iv[16];
uint8_t output[256]; uint8_t output[256];
@ -506,7 +481,6 @@ BORINGSSL_bcm_power_on_self_test(void) {
size_t out_len; size_t out_len;
uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH]; uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
OPENSSL_memset(nonce, 0, sizeof(nonce)); OPENSSL_memset(nonce, 0, sizeof(nonce));
EVP_AEAD_CTX aead_ctx;
if (!EVP_AEAD_CTX_init(&aead_ctx, EVP_aead_aes_128_gcm(), kAESKey, if (!EVP_AEAD_CTX_init(&aead_ctx, EVP_aead_aes_128_gcm(), kAESKey,
sizeof(kAESKey), 0, NULL)) { sizeof(kAESKey), 0, NULL)) {
goto err; goto err;
@ -531,8 +505,6 @@ BORINGSSL_bcm_power_on_self_test(void) {
goto err; goto err;
} }
EVP_AEAD_CTX_cleanup(&aead_ctx);
DES_key_schedule des1, des2, des3; DES_key_schedule des1, des2, des3;
DES_cblock des_iv; DES_cblock des_iv;
DES_set_key(&kDESKey1, &des1); DES_set_key(&kDESKey1, &des1);
@ -578,7 +550,7 @@ BORINGSSL_bcm_power_on_self_test(void) {
goto err; goto err;
} }
RSA *rsa_key = self_test_rsa_key(); rsa_key = self_test_rsa_key();
if (rsa_key == NULL) { if (rsa_key == NULL) {
printf("RSA KeyGen failed\n"); printf("RSA KeyGen failed\n");
goto err; goto err;
@ -605,9 +577,7 @@ BORINGSSL_bcm_power_on_self_test(void) {
goto err; goto err;
} }
RSA_free(rsa_key); ec_key = self_test_ecdsa_key();
EC_KEY *ec_key = self_test_ecdsa_key();
if (ec_key == NULL) { if (ec_key == NULL) {
printf("ECDSA KeyGen failed\n"); printf("ECDSA KeyGen failed\n");
goto err; goto err;
@ -623,8 +593,7 @@ BORINGSSL_bcm_power_on_self_test(void) {
goto err; goto err;
} }
ECDSA_SIG *sig = sig = ECDSA_do_sign(kPlaintextSHA256, sizeof(kPlaintextSHA256), ec_key);
ECDSA_do_sign(kPlaintextSHA256, sizeof(kPlaintextSHA256), ec_key);
uint8_t ecdsa_r_bytes[sizeof(kECDSASigR)]; uint8_t ecdsa_r_bytes[sizeof(kECDSASigR)];
uint8_t ecdsa_s_bytes[sizeof(kECDSASigS)]; uint8_t ecdsa_s_bytes[sizeof(kECDSASigS)];
@ -639,9 +608,6 @@ BORINGSSL_bcm_power_on_self_test(void) {
goto err; goto err;
} }
ECDSA_SIG_free(sig);
EC_KEY_free(ec_key);
// DBRG KAT // DBRG KAT
CTR_DRBG_STATE drbg; CTR_DRBG_STATE drbg;
if (!CTR_DRBG_init(&drbg, kDRBGEntropy, kDRBGPersonalization, if (!CTR_DRBG_init(&drbg, kDRBGEntropy, kDRBGPersonalization,
@ -665,6 +631,58 @@ BORINGSSL_bcm_power_on_self_test(void) {
goto err; goto err;
} }
ret = 1;
err:
EVP_AEAD_CTX_cleanup(&aead_ctx);
RSA_free(rsa_key);
EC_KEY_free(ec_key);
ECDSA_SIG_free(sig);
return ret;
}
#if defined(BORINGSSL_FIPS)
#if !defined(OPENSSL_ASAN)
// These symbols are filled in by delocate.go. They point to the start and end
// of the module, and the location of the integrity hash, respectively.
extern const uint8_t BORINGSSL_bcm_text_start[];
extern const uint8_t BORINGSSL_bcm_text_end[];
extern const uint8_t BORINGSSL_bcm_text_hash[];
#endif
static void __attribute__((constructor))
BORINGSSL_bcm_power_on_self_test(void) {
CRYPTO_library_init();
#if !defined(OPENSSL_ASAN)
// Integrity tests cannot run under ASAN because it involves reading the full
// .text section, which triggers the global-buffer overflow detection.
const uint8_t *const start = BORINGSSL_bcm_text_start;
const uint8_t *const end = BORINGSSL_bcm_text_end;
static const uint8_t kHMACKey[64] = {0};
uint8_t result[SHA512_DIGEST_LENGTH];
unsigned result_len;
if (!HMAC(EVP_sha512(), kHMACKey, sizeof(kHMACKey), start, end - start,
result, &result_len) ||
result_len != sizeof(result)) {
goto err;
}
const uint8_t *expected = BORINGSSL_bcm_text_hash;
if (!check_test(expected, result, sizeof(result), "FIPS integrity test")) {
goto err;
}
#endif
if (!BORINGSSL_self_test()) {
goto err;
}
return; return;
err: err:
@ -677,4 +695,7 @@ void BORINGSSL_FIPS_abort(void) {
exit(1); exit(1);
} }
} }
#endif // BORINGSSL_FIPS #endif // BORINGSSL_FIPS
#endif // !_MSC_VER

24
crypto/self_test.cc Normal file
View File

@ -0,0 +1,24 @@
/* Copyright (c) 2018, Google Inc.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
#include <openssl/crypto.h>
#include <gtest/gtest.h>
TEST(SelfTests, KAT) {
#if !defined(_MSC_VER)
EXPECT_TRUE(BORINGSSL_self_test());
#endif
}

View File

@ -58,6 +58,10 @@ OPENSSL_EXPORT int CRYPTO_has_asm(void);
// which case it returns one. // which case it returns one.
OPENSSL_EXPORT int FIPS_mode(void); OPENSSL_EXPORT int FIPS_mode(void);
// BORINGSSL_self_test triggers the FIPS KAT-based self tests. It returns one
// on success and zero on error.
OPENSSL_EXPORT int BORINGSSL_self_test(void);
// Deprecated functions. // Deprecated functions.