1 /* ====================================================================
2 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
5 * This command is intended as a test driver for the FIPS-140 testing
6 * lab performing FIPS-140 validation. It demonstrates the use of the
7 * OpenSSL library ito perform a variety of common cryptographic
8 * functions. A power-up self test is demonstrated by deliberately
9 * pointing to an invalid executable hash
11 * Contributed by Steve Marquess.
19 #include <openssl/aes.h>
20 #include <openssl/des.h>
21 #include <openssl/hmac.h>
22 #include <openssl/err.h>
24 #include <openssl/bn.h>
25 #include <openssl/rand.h>
26 #include <openssl/sha.h>
30 int main(int argc, char *argv[])
32 printf("No FIPS support\n");
37 #include <openssl/rsa.h>
38 #include <openssl/dsa.h>
39 #include <openssl/dh.h>
41 #include <openssl/fips.h>
44 /* AES: encrypt and decrypt known plaintext, verify result matches original plaintext
46 static int FIPS_aes_test(void)
49 unsigned char pltmp[16];
50 unsigned char citmp[16];
51 unsigned char key[16] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
52 unsigned char plaintext[16] = "etaonrishdlcu";
54 EVP_CIPHER_CTX_init(&ctx);
55 if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(),NULL, key, NULL, 1) <= 0)
57 EVP_Cipher(&ctx, citmp, plaintext, 16);
58 if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(),NULL, key, NULL, 0) <= 0)
60 EVP_Cipher(&ctx, pltmp, citmp, 16);
61 if (memcmp(pltmp, plaintext, 16))
65 EVP_CIPHER_CTX_cleanup(&ctx);
69 static int FIPS_des3_test(void)
72 unsigned char pltmp[8];
73 unsigned char citmp[8];
74 unsigned char key[] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,
76 unsigned char plaintext[] = { 'e', 't', 'a', 'o', 'n', 'r', 'i', 's' };
78 EVP_CIPHER_CTX_init(&ctx);
79 if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(),NULL, key, NULL, 1) <= 0)
81 EVP_Cipher(&ctx, citmp, plaintext, 8);
82 if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(),NULL, key, NULL, 0) <= 0)
84 EVP_Cipher(&ctx, pltmp, citmp, 8);
85 if (memcmp(pltmp, plaintext, 8))
89 EVP_CIPHER_CTX_cleanup(&ctx);
94 * DSA: generate keys and sign, verify input plaintext.
96 static int FIPS_dsa_test(int bad)
100 unsigned char dgst[] = "etaonrishdlc";
101 unsigned char buf[60];
107 EVP_MD_CTX_init(&mctx);
108 dsa = FIPS_dsa_new();
111 if (!DSA_generate_parameters_ex(dsa, 1024,NULL,0,NULL,NULL,NULL))
113 if (!DSA_generate_key(dsa))
116 BN_add_word(dsa->pub_key, 1);
118 pk.type = EVP_PKEY_DSA;
121 if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL))
123 if (!EVP_SignUpdate(&mctx, dgst, sizeof(dgst) - 1))
125 if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
128 if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL))
130 if (!EVP_VerifyUpdate(&mctx, dgst, sizeof(dgst) - 1))
132 r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
134 EVP_MD_CTX_cleanup(&mctx);
143 * RSA: generate keys and sign, verify input plaintext.
145 static int FIPS_rsa_test(int bad)
148 unsigned char input_ptext[] = "etaonrishdlc";
149 unsigned char buf[256];
157 EVP_MD_CTX_init(&mctx);
158 key = FIPS_rsa_new();
162 BN_set_word(bn, 65537);
163 if (!RSA_generate_key_ex(key, 1024,bn,NULL))
167 BN_add_word(key->n, 1);
169 pk.type = EVP_PKEY_RSA;
172 if (!EVP_SignInit_ex(&mctx, EVP_sha1(), NULL))
174 if (!EVP_SignUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
176 if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
179 if (!EVP_VerifyInit_ex(&mctx, EVP_sha1(), NULL))
181 if (!EVP_VerifyUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
183 r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
185 EVP_MD_CTX_cleanup(&mctx);
193 /* SHA1: generate hash of known digest value and compare to known
194 precomputed correct hash
196 static int FIPS_sha1_test()
198 unsigned char digest[SHA_DIGEST_LENGTH] =
199 { 0x11, 0xf1, 0x9a, 0x3a, 0xec, 0x1a, 0x1e, 0x8e, 0x65, 0xd4, 0x9a, 0x38, 0x0c, 0x8b, 0x1e, 0x2c, 0xe8, 0xb3, 0xc5, 0x18 };
200 unsigned char str[] = "etaonrishd";
202 unsigned char md[SHA_DIGEST_LENGTH];
205 if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha1(), NULL)) return 0;
206 if (memcmp(md,digest,sizeof(md)))
211 /* SHA256: generate hash of known digest value and compare to known
212 precomputed correct hash
214 static int FIPS_sha256_test()
216 unsigned char digest[SHA256_DIGEST_LENGTH] =
217 {0xf5, 0x53, 0xcd, 0xb8, 0xcf, 0x1, 0xee, 0x17, 0x9b, 0x93, 0xc9, 0x68, 0xc0, 0xea, 0x40, 0x91,
218 0x6, 0xec, 0x8e, 0x11, 0x96, 0xc8, 0x5d, 0x1c, 0xaf, 0x64, 0x22, 0xe6, 0x50, 0x4f, 0x47, 0x57};
219 unsigned char str[] = "etaonrishd";
221 unsigned char md[SHA256_DIGEST_LENGTH];
224 if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha256(), NULL)) return 0;
225 if (memcmp(md,digest,sizeof(md)))
230 /* SHA512: generate hash of known digest value and compare to known
231 precomputed correct hash
233 static int FIPS_sha512_test()
235 unsigned char digest[SHA512_DIGEST_LENGTH] =
236 {0x99, 0xc9, 0xe9, 0x5b, 0x88, 0xd4, 0x78, 0x88, 0xdf, 0x88, 0x5f, 0x94, 0x71, 0x64, 0x28, 0xca,
237 0x16, 0x1f, 0x3d, 0xf4, 0x1f, 0xf3, 0x0f, 0xc5, 0x03, 0x99, 0xb2, 0xd0, 0xe7, 0x0b, 0x94, 0x4a,
238 0x45, 0xd2, 0x6c, 0x4f, 0x20, 0x06, 0xef, 0x71, 0xa9, 0x25, 0x7f, 0x24, 0xb1, 0xd9, 0x40, 0x22,
239 0x49, 0x54, 0x10, 0xc2, 0x22, 0x9d, 0x27, 0xfe, 0xbd, 0xd6, 0xd6, 0xeb, 0x2d, 0x42, 0x1d, 0xa3};
240 unsigned char str[] = "etaonrishd";
242 unsigned char md[SHA512_DIGEST_LENGTH];
245 if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha512(), NULL)) return 0;
246 if (memcmp(md,digest,sizeof(md)))
251 /* HMAC-SHA1: generate hash of known digest value and compare to known
252 precomputed correct hash
254 static int FIPS_hmac_sha1_test()
256 unsigned char key[] = "etaonrishd";
257 unsigned char iv[] = "Sample text";
258 unsigned char kaval[EVP_MAX_MD_SIZE] =
259 {0x73, 0xf7, 0xa0, 0x48, 0xf8, 0x94, 0xed, 0xdd, 0x0a, 0xea, 0xea, 0x56, 0x1b, 0x61, 0x2e, 0x70,
260 0xb2, 0xfb, 0xec, 0xc6};
262 unsigned char out[EVP_MAX_MD_SIZE];
266 if (!HMAC(EVP_sha1(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
267 if (memcmp(out,kaval,outlen))
272 /* HMAC-SHA224: generate hash of known digest value and compare to known
273 precomputed correct hash
275 static int FIPS_hmac_sha224_test()
277 unsigned char key[] = "etaonrishd";
278 unsigned char iv[] = "Sample text";
279 unsigned char kaval[EVP_MAX_MD_SIZE] =
280 {0x75, 0x58, 0xd5, 0xbd, 0x55, 0x6d, 0x87, 0x0f, 0x75, 0xff, 0xbe, 0x1c, 0xb2, 0xf0, 0x20, 0x35,
281 0xe5, 0x62, 0x49, 0xb6, 0x94, 0xb9, 0xfc, 0x65, 0x34, 0x33, 0x3a, 0x19};
283 unsigned char out[EVP_MAX_MD_SIZE];
287 if (!HMAC(EVP_sha224(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
288 if (memcmp(out,kaval,outlen))
293 /* HMAC-SHA256: generate hash of known digest value and compare to known
294 precomputed correct hash
296 static int FIPS_hmac_sha256_test()
298 unsigned char key[] = "etaonrishd";
299 unsigned char iv[] = "Sample text";
300 unsigned char kaval[EVP_MAX_MD_SIZE] =
301 {0xe9, 0x17, 0xc1, 0x7b, 0x4c, 0x6b, 0x77, 0xda, 0xd2, 0x30, 0x36, 0x02, 0xf5, 0x72, 0x33, 0x87,
302 0x9f, 0xc6, 0x6e, 0x7b, 0x7e, 0xa8, 0xea, 0xaa, 0x9f, 0xba, 0xee, 0x51, 0xff, 0xda, 0x24, 0xf4};
304 unsigned char out[EVP_MAX_MD_SIZE];
308 if (!HMAC(EVP_sha256(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
309 if (memcmp(out,kaval,outlen))
314 /* HMAC-SHA384: generate hash of known digest value and compare to known
315 precomputed correct hash
317 static int FIPS_hmac_sha384_test()
319 unsigned char key[] = "etaonrishd";
320 unsigned char iv[] = "Sample text";
321 unsigned char kaval[EVP_MAX_MD_SIZE] =
322 {0xb2, 0x9d, 0x40, 0x58, 0x32, 0xc4, 0xe3, 0x31, 0xb6, 0x63, 0x08, 0x26, 0x99, 0xef, 0x3b, 0x10,
323 0xe2, 0xdf, 0xf8, 0xff, 0xc6, 0xe1, 0x03, 0x29, 0x81, 0x2a, 0x1b, 0xac, 0xb0, 0x07, 0x39, 0x08,
324 0xf3, 0x91, 0x35, 0x11, 0x76, 0xd6, 0x4c, 0x20, 0xfb, 0x4d, 0xc3, 0xf3, 0xb8, 0x9b, 0x88, 0x1c};
326 unsigned char out[EVP_MAX_MD_SIZE];
330 if (!HMAC(EVP_sha384(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
331 if (memcmp(out,kaval,outlen))
336 /* HMAC-SHA512: generate hash of known digest value and compare to known
337 precomputed correct hash
339 static int FIPS_hmac_sha512_test()
341 unsigned char key[] = "etaonrishd";
342 unsigned char iv[] = "Sample text";
343 unsigned char kaval[EVP_MAX_MD_SIZE] =
344 {0xcd, 0x3e, 0xb9, 0x51, 0xb8, 0xbc, 0x7f, 0x9a, 0x23, 0xaf, 0xf3, 0x77, 0x59, 0x85, 0xa9, 0xe6,
345 0xf7, 0xd1, 0x51, 0x96, 0x17, 0xe0, 0x92, 0xd8, 0xa6, 0x3b, 0xc1, 0xad, 0x7e, 0x24, 0xca, 0xb1,
346 0xd7, 0x79, 0x0a, 0xa5, 0xea, 0x2c, 0x02, 0x58, 0x0b, 0xa6, 0x52, 0x6b, 0x61, 0x7f, 0xeb, 0x9c,
347 0x47, 0x86, 0x5d, 0x74, 0x2b, 0x88, 0xdf, 0xee, 0x46, 0x69, 0x96, 0x3d, 0xa6, 0xd9, 0x2a, 0x53};
349 unsigned char out[EVP_MAX_MD_SIZE];
353 if (!HMAC(EVP_sha512(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
354 if (memcmp(out,kaval,outlen))
360 /* DH: generate shared parameters
369 if (!DH_generate_parameters_ex(dh, 1024, 2, NULL))
381 unsigned char userkey[16] =
382 { 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f, 0x83, 0x02, 0xb1, 0x09, 0x68 };
386 key = FIPS_rsa_new();
390 BN_set_word(bn, 65537);
391 if (!RSA_generate_key_ex(key, 1024,bn,NULL))
395 n = BN_num_bytes(key->d);
396 printf(" Generated %d byte RSA private key\n", n);
397 printf("\tBN key before overwriting:\n");
398 do_bn_print(stdout, key->d);
399 BN_rand(key->d,n*8,-1,0);
400 printf("\tBN key after overwriting:\n");
401 do_bn_print(stdout, key->d);
403 printf("\tchar buffer key before overwriting: \n\t\t");
404 for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
406 RAND_bytes(userkey, sizeof userkey);
407 printf("\tchar buffer key after overwriting: \n\t\t");
408 for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
415 static const char * Fail(const char *msg)
422 static void test_msg(const char *msg, int result)
424 printf("%s...%s\n", msg, result ? "successful" : Fail("Failed!"));
427 int main(int argc,char **argv)
430 int do_corrupt_rsa_keygen = 0, do_corrupt_dsa_keygen = 0;
431 int bad_rsa = 0, bad_dsa = 0;
432 int do_rng_stick = 0;
435 printf("\tFIPS-mode test application\n\n");
437 /* Load entropy from external file, if any */
438 RAND_load_file(".rnd", 1024);
441 /* Corrupted KAT tests */
442 if (!strcmp(argv[1], "aes")) {
444 printf("AES encryption/decryption with corrupted KAT...\n");
445 } else if (!strcmp(argv[1], "des")) {
447 printf("DES3-ECB encryption/decryption with corrupted KAT...\n");
448 } else if (!strcmp(argv[1], "dsa")) {
450 printf("DSA key generation and signature validation with corrupted KAT...\n");
451 } else if (!strcmp(argv[1], "rsa")) {
453 printf("RSA key generation and signature validation with corrupted KAT...\n");
454 } else if (!strcmp(argv[1], "rsakey")) {
455 printf("RSA key generation and signature validation with corrupted key...\n");
458 } else if (!strcmp(argv[1], "rsakeygen")) {
459 do_corrupt_rsa_keygen = 1;
461 printf("RSA key generation and signature validation with corrupted keygen...\n");
462 } else if (!strcmp(argv[1], "dsakey")) {
463 printf("DSA key generation and signature validation with corrupted key...\n");
466 } else if (!strcmp(argv[1], "dsakeygen")) {
467 do_corrupt_dsa_keygen = 1;
469 printf("DSA key generation and signature validation with corrupted keygen...\n");
470 } else if (!strcmp(argv[1], "sha1")) {
472 printf("SHA-1 hash with corrupted KAT...\n");
473 } else if (!strcmp(argv[1], "rng")) {
475 } else if (!strcmp(argv[1], "rngstick")) {
478 printf("RNG test with stuck continuous test...\n");
480 printf("Bad argument \"%s\"\n", argv[1]);
484 if (!FIPS_mode_set(1)) {
486 printf("Power-up self test failed\n");
489 printf("Power-up self test successful\n");
494 /* Non-Approved cryptographic operation
496 printf("1. Non-Approved cryptographic operation test...\n");
497 test_msg("\ta. Included algorithm (D-H)...", dh_test());
499 /* Power-up self test
502 test_msg("2. Automatic power-up self test", FIPS_mode_set(1));
505 if (do_corrupt_dsa_keygen)
506 FIPS_corrupt_dsa_keygen();
507 if (do_corrupt_rsa_keygen)
508 FIPS_corrupt_rsa_keygen();
512 /* AES encryption/decryption
514 test_msg("3. AES encryption/decryption", FIPS_aes_test());
516 /* RSA key generation and encryption/decryption
518 test_msg("4. RSA key generation and encryption/decryption",
519 FIPS_rsa_test(bad_rsa));
521 /* DES-CBC encryption/decryption
523 test_msg("5. DES-ECB encryption/decryption", FIPS_des3_test());
525 /* DSA key generation and signature validation
527 test_msg("6. DSA key generation and signature validation",
528 FIPS_dsa_test(bad_dsa));
532 test_msg("7a. SHA-1 hash", FIPS_sha1_test());
536 test_msg("7b. SHA-256 hash", FIPS_sha256_test());
540 test_msg("7c. SHA-512 hash", FIPS_sha512_test());
544 test_msg("7d. HMAC-SHA-1 hash", FIPS_hmac_sha1_test());
548 test_msg("7e. HMAC-SHA-224 hash", FIPS_hmac_sha224_test());
552 test_msg("7f. HMAC-SHA-256 hash", FIPS_hmac_sha256_test());
556 test_msg("7g. HMAC-SHA-384 hash", FIPS_hmac_sha384_test());
560 test_msg("7h. HMAC-SHA-512 hash", FIPS_hmac_sha512_test());
562 /* Non-Approved cryptographic operation
564 printf("8. Non-Approved cryptographic operation test...\n");
565 printf("\ta. Included algorithm (D-H)...%s\n",
566 dh_test() ? "successful as expected"
567 : Fail("failed INCORRECTLY!") );
571 printf("9. Zero-ization...\n\t%s\n",
572 Zeroize() ? "successful as expected"
573 : Fail("failed INCORRECTLY!") );
575 printf("\nAll tests completed with %d errors\n", Error);
576 return Error ? 1 : 0;