1 /* ====================================================================
2 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
5 * This command is intended as a test driver for the FIPS-140 testing
6 * lab performing FIPS-140 validation. It demonstrates the use of the
7 * OpenSSL library ito perform a variety of common cryptographic
8 * functions. A power-up self test is demonstrated by deliberately
9 * pointing to an invalid executable hash
11 * Contributed by Steve Marquess.
15 #define OPENSSL_FIPSAPI
22 #include <openssl/evp.h>
23 #include <openssl/hmac.h>
24 #include <openssl/cmac.h>
25 #include <openssl/sha.h>
26 #include <openssl/err.h>
28 #include <openssl/bn.h>
29 #include <openssl/rand.h>
32 int main(int argc, char *argv[])
34 printf("No FIPS support\n");
39 #define ERR_clear_error() while(0)
41 #include <openssl/rsa.h>
42 #include <openssl/dsa.h>
43 #include <openssl/dh.h>
45 #include <openssl/fips.h>
46 #include <openssl/fips_rand.h>
49 /* AES: encrypt and decrypt known plaintext, verify result matches original plaintext
51 static int FIPS_aes_test(void)
54 unsigned char pltmp[16];
55 unsigned char citmp[16];
56 unsigned char key[16] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
57 unsigned char plaintext[16] = "etaonrishdlcu";
59 FIPS_cipher_ctx_init(&ctx);
60 if (FIPS_cipherinit(&ctx, EVP_aes_128_ecb(), key, NULL, 1) <= 0)
62 FIPS_cipher(&ctx, citmp, plaintext, 16);
63 if (FIPS_cipherinit(&ctx, EVP_aes_128_ecb(), key, NULL, 0) <= 0)
65 FIPS_cipher(&ctx, pltmp, citmp, 16);
66 if (memcmp(pltmp, plaintext, 16))
70 FIPS_cipher_ctx_cleanup(&ctx);
74 static int FIPS_aes_gcm_test(void)
77 unsigned char pltmp[16];
78 unsigned char citmp[16];
79 unsigned char tagtmp[16];
80 unsigned char key[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
81 unsigned char iv[16] = {21,22,23,24,25,26,27,28,29,30,31,32};
82 unsigned char aad[] = "Some text AAD";
83 unsigned char plaintext[16] = "etaonrishdlcu";
85 FIPS_cipher_ctx_init(&ctx);
86 if (FIPS_cipherinit(&ctx, EVP_aes_128_gcm(), key, iv, 1) <= 0)
88 FIPS_cipher(&ctx, NULL, aad, sizeof(aad));
89 FIPS_cipher(&ctx, citmp, plaintext, 16);
90 FIPS_cipher(&ctx, NULL, NULL, 0);
91 if (!FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, 16, tagtmp))
94 if (FIPS_cipherinit(&ctx, EVP_aes_128_gcm(), key, iv, 0) <= 0)
96 if (!FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, 16, tagtmp))
99 FIPS_cipher(&ctx, NULL, aad, sizeof(aad));
101 FIPS_cipher(&ctx, pltmp, citmp, 16);
103 if (FIPS_cipher(&ctx, NULL, NULL, 0) < 0)
106 if (memcmp(pltmp, plaintext, 16))
111 FIPS_cipher_ctx_cleanup(&ctx);
115 static int FIPS_des3_test(void)
118 unsigned char pltmp[8];
119 unsigned char citmp[8];
120 unsigned char key[] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,
122 unsigned char plaintext[] = { 'e', 't', 'a', 'o', 'n', 'r', 'i', 's' };
124 FIPS_cipher_ctx_init(&ctx);
125 if (FIPS_cipherinit(&ctx, EVP_des_ede3_ecb(), key, NULL, 1) <= 0)
127 FIPS_cipher(&ctx, citmp, plaintext, 8);
128 if (FIPS_cipherinit(&ctx, EVP_des_ede3_ecb(), key, NULL, 0) <= 0)
130 FIPS_cipher(&ctx, pltmp, citmp, 8);
131 if (memcmp(pltmp, plaintext, 8))
135 FIPS_cipher_ctx_cleanup(&ctx);
140 * DSA: generate keys and sign, verify input plaintext.
142 static int FIPS_dsa_test(int bad)
145 unsigned char dgst[] = "etaonrishdlc";
150 dsa = FIPS_dsa_new();
153 if (!DSA_generate_parameters_ex(dsa, 1024,NULL,0,NULL,NULL,NULL))
155 if (!DSA_generate_key(dsa))
158 BN_add_word(dsa->pub_key, 1);
160 sig = FIPS_dsa_sign(dsa, dgst, sizeof(dgst) -1, EVP_sha256());
164 r = FIPS_dsa_verify(dsa, dgst, sizeof(dgst) -1, EVP_sha256(), sig);
167 FIPS_dsa_sig_free(sig);
176 * RSA: generate keys and sign, verify input plaintext.
178 static int FIPS_rsa_test(int bad)
181 unsigned char input_ptext[] = "etaonrishdlc";
182 unsigned char buf[256];
188 key = FIPS_rsa_new();
192 BN_set_word(bn, 65537);
193 if (!RSA_generate_key_ex(key, 2048,bn,NULL))
197 BN_add_word(key->n, 1);
199 if (!FIPS_rsa_sign(key, input_ptext, sizeof(input_ptext) - 1, EVP_sha256(),
200 RSA_PKCS1_PADDING, 0, NULL, buf, &slen))
203 r = FIPS_rsa_verify(key, input_ptext, sizeof(input_ptext) - 1, EVP_sha256(),
204 RSA_PKCS1_PADDING, 0, NULL, buf, slen);
213 /* SHA1: generate hash of known digest value and compare to known
214 precomputed correct hash
216 static int FIPS_sha1_test()
218 unsigned char digest[SHA_DIGEST_LENGTH] =
219 { 0x11, 0xf1, 0x9a, 0x3a, 0xec, 0x1a, 0x1e, 0x8e, 0x65, 0xd4, 0x9a, 0x38, 0x0c, 0x8b, 0x1e, 0x2c, 0xe8, 0xb3, 0xc5, 0x18 };
220 unsigned char str[] = "etaonrishd";
222 unsigned char md[SHA_DIGEST_LENGTH];
225 if (!FIPS_digest(str,sizeof(str) - 1,md, NULL, EVP_sha1())) return 0;
226 if (memcmp(md,digest,sizeof(md)))
231 /* SHA256: generate hash of known digest value and compare to known
232 precomputed correct hash
234 static int FIPS_sha256_test()
236 unsigned char digest[SHA256_DIGEST_LENGTH] =
237 {0xf5, 0x53, 0xcd, 0xb8, 0xcf, 0x1, 0xee, 0x17, 0x9b, 0x93, 0xc9, 0x68, 0xc0, 0xea, 0x40, 0x91,
238 0x6, 0xec, 0x8e, 0x11, 0x96, 0xc8, 0x5d, 0x1c, 0xaf, 0x64, 0x22, 0xe6, 0x50, 0x4f, 0x47, 0x57};
239 unsigned char str[] = "etaonrishd";
241 unsigned char md[SHA256_DIGEST_LENGTH];
244 if (!FIPS_digest(str,sizeof(str) - 1,md, NULL, EVP_sha256())) return 0;
245 if (memcmp(md,digest,sizeof(md)))
250 /* SHA512: generate hash of known digest value and compare to known
251 precomputed correct hash
253 static int FIPS_sha512_test()
255 unsigned char digest[SHA512_DIGEST_LENGTH] =
256 {0x99, 0xc9, 0xe9, 0x5b, 0x88, 0xd4, 0x78, 0x88, 0xdf, 0x88, 0x5f, 0x94, 0x71, 0x64, 0x28, 0xca,
257 0x16, 0x1f, 0x3d, 0xf4, 0x1f, 0xf3, 0x0f, 0xc5, 0x03, 0x99, 0xb2, 0xd0, 0xe7, 0x0b, 0x94, 0x4a,
258 0x45, 0xd2, 0x6c, 0x4f, 0x20, 0x06, 0xef, 0x71, 0xa9, 0x25, 0x7f, 0x24, 0xb1, 0xd9, 0x40, 0x22,
259 0x49, 0x54, 0x10, 0xc2, 0x22, 0x9d, 0x27, 0xfe, 0xbd, 0xd6, 0xd6, 0xeb, 0x2d, 0x42, 0x1d, 0xa3};
260 unsigned char str[] = "etaonrishd";
262 unsigned char md[SHA512_DIGEST_LENGTH];
265 if (!FIPS_digest(str,sizeof(str) - 1,md, NULL, EVP_sha512())) return 0;
266 if (memcmp(md,digest,sizeof(md)))
271 /* HMAC-SHA1: generate hash of known digest value and compare to known
272 precomputed correct hash
274 static int FIPS_hmac_sha1_test()
276 unsigned char key[] = "etaonrishd";
277 unsigned char iv[] = "Sample text";
278 unsigned char kaval[EVP_MAX_MD_SIZE] =
279 {0x73, 0xf7, 0xa0, 0x48, 0xf8, 0x94, 0xed, 0xdd, 0x0a, 0xea, 0xea, 0x56, 0x1b, 0x61, 0x2e, 0x70,
280 0xb2, 0xfb, 0xec, 0xc6};
282 unsigned char out[EVP_MAX_MD_SIZE];
286 if (!HMAC(EVP_sha1(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
287 if (memcmp(out,kaval,outlen))
292 /* HMAC-SHA224: generate hash of known digest value and compare to known
293 precomputed correct hash
295 static int FIPS_hmac_sha224_test()
297 unsigned char key[] = "etaonrishd";
298 unsigned char iv[] = "Sample text";
299 unsigned char kaval[EVP_MAX_MD_SIZE] =
300 {0x75, 0x58, 0xd5, 0xbd, 0x55, 0x6d, 0x87, 0x0f, 0x75, 0xff, 0xbe, 0x1c, 0xb2, 0xf0, 0x20, 0x35,
301 0xe5, 0x62, 0x49, 0xb6, 0x94, 0xb9, 0xfc, 0x65, 0x34, 0x33, 0x3a, 0x19};
303 unsigned char out[EVP_MAX_MD_SIZE];
307 if (!HMAC(EVP_sha224(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
308 if (memcmp(out,kaval,outlen))
313 /* HMAC-SHA256: generate hash of known digest value and compare to known
314 precomputed correct hash
316 static int FIPS_hmac_sha256_test()
318 unsigned char key[] = "etaonrishd";
319 unsigned char iv[] = "Sample text";
320 unsigned char kaval[EVP_MAX_MD_SIZE] =
321 {0xe9, 0x17, 0xc1, 0x7b, 0x4c, 0x6b, 0x77, 0xda, 0xd2, 0x30, 0x36, 0x02, 0xf5, 0x72, 0x33, 0x87,
322 0x9f, 0xc6, 0x6e, 0x7b, 0x7e, 0xa8, 0xea, 0xaa, 0x9f, 0xba, 0xee, 0x51, 0xff, 0xda, 0x24, 0xf4};
324 unsigned char out[EVP_MAX_MD_SIZE];
328 if (!HMAC(EVP_sha256(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
329 if (memcmp(out,kaval,outlen))
334 /* HMAC-SHA384: generate hash of known digest value and compare to known
335 precomputed correct hash
337 static int FIPS_hmac_sha384_test()
339 unsigned char key[] = "etaonrishd";
340 unsigned char iv[] = "Sample text";
341 unsigned char kaval[EVP_MAX_MD_SIZE] =
342 {0xb2, 0x9d, 0x40, 0x58, 0x32, 0xc4, 0xe3, 0x31, 0xb6, 0x63, 0x08, 0x26, 0x99, 0xef, 0x3b, 0x10,
343 0xe2, 0xdf, 0xf8, 0xff, 0xc6, 0xe1, 0x03, 0x29, 0x81, 0x2a, 0x1b, 0xac, 0xb0, 0x07, 0x39, 0x08,
344 0xf3, 0x91, 0x35, 0x11, 0x76, 0xd6, 0x4c, 0x20, 0xfb, 0x4d, 0xc3, 0xf3, 0xb8, 0x9b, 0x88, 0x1c};
346 unsigned char out[EVP_MAX_MD_SIZE];
350 if (!HMAC(EVP_sha384(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
351 if (memcmp(out,kaval,outlen))
356 /* HMAC-SHA512: generate hash of known digest value and compare to known
357 precomputed correct hash
359 static int FIPS_hmac_sha512_test()
361 unsigned char key[] = "etaonrishd";
362 unsigned char iv[] = "Sample text";
363 unsigned char kaval[EVP_MAX_MD_SIZE] =
364 {0xcd, 0x3e, 0xb9, 0x51, 0xb8, 0xbc, 0x7f, 0x9a, 0x23, 0xaf, 0xf3, 0x77, 0x59, 0x85, 0xa9, 0xe6,
365 0xf7, 0xd1, 0x51, 0x96, 0x17, 0xe0, 0x92, 0xd8, 0xa6, 0x3b, 0xc1, 0xad, 0x7e, 0x24, 0xca, 0xb1,
366 0xd7, 0x79, 0x0a, 0xa5, 0xea, 0x2c, 0x02, 0x58, 0x0b, 0xa6, 0x52, 0x6b, 0x61, 0x7f, 0xeb, 0x9c,
367 0x47, 0x86, 0x5d, 0x74, 0x2b, 0x88, 0xdf, 0xee, 0x46, 0x69, 0x96, 0x3d, 0xa6, 0xd9, 0x2a, 0x53};
369 unsigned char out[EVP_MAX_MD_SIZE];
373 if (!HMAC(EVP_sha512(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
374 if (memcmp(out,kaval,outlen))
379 /* CMAC-AES128: generate hash of known digest value and compare to known
380 precomputed correct hash
382 static int FIPS_cmac_aes128_test()
384 unsigned char key[16] = { 0x2b,0x7e,0x15,0x16, 0x28,0xae,0xd2,0xa6,
385 0xab,0xf7,0x15,0x88, 0x09,0xcf,0x4f,0x3c, };
386 unsigned char data[] = "Sample text";
387 unsigned char kaval[EVP_MAX_MD_SIZE] =
388 { 0x16,0x83,0xfe,0xac, 0x52,0x9b,0xae,0x23,
389 0xd7,0xd5,0x66,0xf5, 0xd2,0x8d,0xbd,0x2a, };
391 unsigned char *out = NULL;
393 CMAC_CTX *ctx = CMAC_CTX_new();
400 if (!CMAC_Init(ctx,key,sizeof(key),EVP_aes_128_cbc(),NULL))
402 if (!CMAC_Update(ctx,data,sizeof(data)-1))
404 /* This should return 1. If not, there's a programming error... */
405 if (!CMAC_Final(ctx, out, &outlen))
407 out = OPENSSL_malloc(outlen);
408 if (!CMAC_Final(ctx, out, &outlen))
412 char *hexout = OPENSSL_malloc(outlen * 2 + 1);
413 bin2hex(out, outlen, hexout);
414 printf("CMAC-AES128: res = %s\n", hexout);
415 OPENSSL_free(hexout);
419 if (!memcmp(out,kaval,outlen))
429 /* CMAC-AES192: generate hash of known digest value and compare to known
430 precomputed correct hash
432 static int FIPS_cmac_aes192_test()
434 unsigned char key[] = { 0x8e,0x73,0xb0,0xf7, 0xda,0x0e,0x64,0x52,
435 0xc8,0x10,0xf3,0x2b, 0x80,0x90,0x79,0xe5,
436 0x62,0xf8,0xea,0xd2, 0x52,0x2c,0x6b,0x7b, };
437 unsigned char data[] = "Sample text";
438 unsigned char kaval[] =
439 { 0xd6,0x99,0x19,0x25, 0xe5,0x1d,0x95,0x48,
440 0xb1,0x4a,0x0b,0xf2, 0xc6,0x3c,0x47,0x1f, };
442 unsigned char *out = NULL;
444 CMAC_CTX *ctx = CMAC_CTX_new();
451 if (!CMAC_Init(ctx,key,sizeof(key),EVP_aes_192_cbc(),NULL))
453 if (!CMAC_Update(ctx,data,sizeof(data)-1))
455 /* This should return 1. If not, there's a programming error... */
456 if (!CMAC_Final(ctx, out, &outlen))
458 out = OPENSSL_malloc(outlen);
459 if (!CMAC_Final(ctx, out, &outlen))
463 char *hexout = OPENSSL_malloc(outlen * 2 + 1);
464 bin2hex(out, outlen, hexout);
465 printf("CMAC-AES192: res = %s\n", hexout);
466 OPENSSL_free(hexout);
470 if (!memcmp(out,kaval,outlen))
480 /* CMAC-AES256: generate hash of known digest value and compare to known
481 precomputed correct hash
483 static int FIPS_cmac_aes256_test()
485 unsigned char key[] = { 0x60,0x3d,0xeb,0x10, 0x15,0xca,0x71,0xbe,
486 0x2b,0x73,0xae,0xf0, 0x85,0x7d,0x77,0x81,
487 0x1f,0x35,0x2c,0x07, 0x3b,0x61,0x08,0xd7,
488 0x2d,0x98,0x10,0xa3, 0x09,0x14,0xdf,0xf4, };
489 unsigned char data[] = "Sample text";
490 unsigned char kaval[] =
491 { 0xec,0xc2,0xcf,0x63, 0xc7,0xce,0xfc,0xa4,
492 0xb0,0x86,0x37,0x5f, 0x15,0x60,0xba,0x1f, };
494 unsigned char *out = NULL;
496 CMAC_CTX *ctx = CMAC_CTX_new();
503 if (!CMAC_Init(ctx,key,sizeof(key),EVP_aes_256_cbc(),NULL))
505 if (!CMAC_Update(ctx,data,sizeof(data)-1))
507 /* This should return 1. If not, there's a programming error... */
508 if (!CMAC_Final(ctx, out, &outlen))
510 out = OPENSSL_malloc(outlen);
511 if (!CMAC_Final(ctx, out, &outlen))
515 char *hexout = OPENSSL_malloc(outlen * 2 + 1);
516 bin2hex(out, outlen, hexout);
517 printf("CMAC-AES256: res = %s\n", hexout);
518 OPENSSL_free(hexout);
522 if (!memcmp(out,kaval,outlen))
532 /* CMAC-TDEA3: generate hash of known digest value and compare to known
533 precomputed correct hash
535 static int FIPS_cmac_tdea3_test()
537 unsigned char key[] = { 0x8a,0xa8,0x3b,0xf8, 0xcb,0xda,0x10,0x62,
538 0x0b,0xc1,0xbf,0x19, 0xfb,0xb6,0xcd,0x58,
539 0xbc,0x31,0x3d,0x4a, 0x37,0x1c,0xa8,0xb5, };
540 unsigned char data[] = "Sample text";
541 unsigned char kaval[EVP_MAX_MD_SIZE] =
542 { 0xb4,0x06,0x4e,0xbf, 0x59,0x89,0xba,0x68, };
544 unsigned char *out = NULL;
546 CMAC_CTX *ctx = CMAC_CTX_new();
553 if (!CMAC_Init(ctx,key,sizeof(key),EVP_des_ede3_cbc(),NULL))
555 if (!CMAC_Update(ctx,data,sizeof(data)-1))
557 /* This should return 1. If not, there's a programming error... */
558 if (!CMAC_Final(ctx, out, &outlen))
560 out = OPENSSL_malloc(outlen);
561 if (!CMAC_Final(ctx, out, &outlen))
565 char *hexout = OPENSSL_malloc(outlen * 2 + 1);
566 bin2hex(out, outlen, hexout);
567 printf("CMAC-TDEA3: res = %s\n", hexout);
568 OPENSSL_free(hexout);
572 if (!memcmp(out,kaval,outlen))
583 /* DH: generate shared parameters
592 if (!DH_generate_parameters_ex(dh, 1024, 2, NULL))
604 unsigned char userkey[16] =
605 { 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f, 0x83, 0x02, 0xb1, 0x09, 0x68 };
609 key = FIPS_rsa_new();
613 BN_set_word(bn, 65537);
614 if (!RSA_generate_key_ex(key, 1024,bn,NULL))
618 n = BN_num_bytes(key->d);
619 printf(" Generated %d byte RSA private key\n", n);
620 printf("\tBN key before overwriting:\n");
621 do_bn_print(stdout, key->d);
622 BN_rand(key->d,n*8,-1,0);
623 printf("\tBN key after overwriting:\n");
624 do_bn_print(stdout, key->d);
626 printf("\tchar buffer key before overwriting: \n\t\t");
627 for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
629 RAND_bytes(userkey, sizeof userkey);
630 printf("\tchar buffer key after overwriting: \n\t\t");
631 for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
639 /* Dummy Entropy for DRBG tests. WARNING: THIS IS TOTALLY BOGUS
640 * HAS ZERO SECURITY AND MUST NOT BE USED IN REAL APPLICATIONS.
643 static unsigned char dummy_drbg_entropy[1024];
645 static size_t drbg_test_cb(DRBG_CTX *ctx, unsigned char **pout,
646 int entropy, size_t min_len, size_t max_len)
648 *pout = dummy_drbg_entropy;
649 /* Round up to multiple of block size */
650 return (min_len + 0xf) & ~0xf;
653 /* DRBG test: just generate lots of data and trigger health checks */
655 static int do_drbg_test(int type, int flags)
660 unsigned char randout[1024];
661 dctx = FIPS_drbg_new(type, flags);
664 FIPS_drbg_set_callbacks(dctx, drbg_test_cb, 0, 0x10, drbg_test_cb, 0);
665 for (i = 0; i < sizeof(dummy_drbg_entropy); i++)
667 dummy_drbg_entropy[i] = i & 0xff;
669 if (!FIPS_drbg_instantiate(dctx, dummy_drbg_entropy, 10))
671 FIPS_drbg_set_check_interval(dctx, 10);
672 for (i = 0; i < 32; i++)
674 if (!FIPS_drbg_generate(dctx, randout, sizeof(randout), 0, NULL, 0))
676 if (!FIPS_drbg_generate(dctx, randout, sizeof(randout), 0, dummy_drbg_entropy, 1))
681 FIPS_drbg_free(dctx);
690 static int do_drbg_all(void)
692 static DRBG_LIST drbg_types[] =
699 {NID_hmacWithSHA1, 0},
700 {NID_hmacWithSHA224, 0},
701 {NID_hmacWithSHA256, 0},
702 {NID_hmacWithSHA384, 0},
703 {NID_hmacWithSHA512, 0},
704 {NID_aes_128_ctr, 0},
705 {NID_aes_192_ctr, 0},
706 {NID_aes_256_ctr, 0},
707 {NID_aes_128_ctr, DRBG_FLAG_CTR_USE_DF},
708 {NID_aes_192_ctr, DRBG_FLAG_CTR_USE_DF},
709 {NID_aes_256_ctr, DRBG_FLAG_CTR_USE_DF},
710 {(NID_X9_62_prime256v1 << 16)|NID_sha1, 0},
711 {(NID_X9_62_prime256v1 << 16)|NID_sha224, 0},
712 {(NID_X9_62_prime256v1 << 16)|NID_sha256, 0},
713 {(NID_X9_62_prime256v1 << 16)|NID_sha384, 0},
714 {(NID_X9_62_prime256v1 << 16)|NID_sha512, 0},
715 {(NID_secp384r1 << 16)|NID_sha224, 0},
716 {(NID_secp384r1 << 16)|NID_sha256, 0},
717 {(NID_secp384r1 << 16)|NID_sha384, 0},
718 {(NID_secp384r1 << 16)|NID_sha512, 0},
719 {(NID_secp521r1 << 16)|NID_sha256, 0},
720 {(NID_secp521r1 << 16)|NID_sha384, 0},
721 {(NID_secp521r1 << 16)|NID_sha512, 0},
726 for (lst = drbg_types;; lst++)
730 if (!do_drbg_test(lst->type, lst->flags))
737 static const char * Fail(const char *msg)
743 static void test_msg(const char *msg, int result)
745 printf("%s...%s\n", msg, result ? "successful" : Fail("Failed!"));
748 /* Table of IDs for POST translating between NIDs and names */
756 POST_ID id_list[] = {
758 {NID_sha224, "SHA224"},
759 {NID_sha256, "SHA256"},
760 {NID_sha384, "SHA384"},
761 {NID_sha512, "SHA512"},
762 {NID_hmacWithSHA1, "HMAC-SHA1"},
763 {NID_hmacWithSHA224, "HMAC-SHA224"},
764 {NID_hmacWithSHA256, "HMAC-SHA256"},
765 {NID_hmacWithSHA384, "HMAC-SHA384"},
766 {NID_hmacWithSHA512, "HMAC-SHA512"},
767 {EVP_PKEY_RSA, "RSA"},
768 {EVP_PKEY_DSA, "DSA"},
769 {EVP_PKEY_EC, "ECDSA"},
770 {NID_aes_128_cbc, "AES-128-CBC"},
771 {NID_aes_192_cbc, "AES-192-CBC"},
772 {NID_aes_256_cbc, "AES-256-CBC"},
773 {NID_aes_128_ctr, "AES-128-CTR"},
774 {NID_aes_192_ctr, "AES-192-CTR"},
775 {NID_aes_256_ctr, "AES-256-CTR"},
776 {NID_aes_128_ecb, "AES-128-ECB"},
777 {NID_aes_128_xts, "AES-128-XTS"},
778 {NID_aes_256_xts, "AES-256-XTS"},
779 {NID_des_ede3_cbc, "DES-EDE3-CBC"},
780 {NID_des_ede3_ecb, "DES-EDE3-ECB"},
781 {NID_secp224r1, "P-224"},
782 {NID_sect233r1, "B-233"},
783 {NID_sect233k1, "K-233"},
784 {NID_X9_62_prime256v1, "P-256"},
785 {NID_secp384r1, "P-384"},
786 {NID_secp521r1, "P-521"},
790 static const char *lookup_id(int id)
794 for (n = id_list; n->name; n++)
799 sprintf(out, "ID=%d", id);
803 static int fail_id = -1;
804 static int fail_sub = -1;
805 static int fail_key = -1;
807 static int st_err, post_quiet = 0;
809 static int post_cb(int op, int id, int subid, void *ex)
811 const char *idstr, *exstr = "";
815 #ifdef FIPS_POST_TIME
816 static struct timespec start, end, tstart, tend;
820 case FIPS_TEST_INTEGRITY:
824 case FIPS_TEST_DIGEST:
826 exstr = lookup_id(subid);
829 case FIPS_TEST_CIPHER:
830 exstr = lookup_id(subid);
834 case FIPS_TEST_SIGNATURE:
838 keytype = pkey->type;
839 if (keytype == EVP_PKEY_EC)
843 grp = EC_KEY_get0_group(pkey->pkey.ec);
844 cnid = EC_GROUP_get_curve_name(grp);
845 sprintf(asctmp, "ECDSA %s", lookup_id(cnid));
849 exstr = lookup_id(keytype);
855 exstr = lookup_id(subid);
861 exstr = lookup_id(subid);
870 exstr = lookup_id(subid);
878 idstr = "X9.31 PRNG";
879 sprintf(asctmp, "keylen=%d", subid);
885 if (*(int *)ex & DRBG_FLAG_CTR_USE_DF)
887 sprintf(asctmp, "%s DF", lookup_id(subid));
890 else if (subid >> 16)
892 sprintf(asctmp, "%s %s",
893 lookup_id(subid >> 16),
894 lookup_id(subid & 0xFFFF));
898 exstr = lookup_id(subid);
901 case FIPS_TEST_PAIRWISE:
905 keytype = pkey->type;
906 exstr = lookup_id(keytype);
908 idstr = "Pairwise Consistency";
911 case FIPS_TEST_CONTINUOUS:
912 idstr = "Continuous PRNG";
917 exstr = lookup_id(subid);
927 && (fail_key == -1 || fail_key == keytype)
928 && (fail_sub == -1 || fail_sub == subid))
933 case FIPS_POST_BEGIN:
934 #ifdef FIPS_POST_TIME
935 clock_getres(CLOCK_REALTIME, &tstart);
936 printf("\tTimer resolution %ld s, %ld ns\n",
937 (long)tstart.tv_sec, (long)tstart.tv_nsec);
938 clock_gettime(CLOCK_REALTIME, &tstart);
940 printf("\tPOST started\n");
944 printf("\tPOST %s\n", id ? "Success" : "Failed");
945 #ifdef FIPS_POST_TIME
946 clock_gettime(CLOCK_REALTIME, &tend);
947 printf("\t\tTook %f seconds\n",
948 (double)((tend.tv_sec+tend.tv_nsec*1e-9)
949 - (tstart.tv_sec+tstart.tv_nsec*1e-9)));
953 case FIPS_POST_STARTED:
954 if (!post_quiet && !exp_fail)
955 printf("\t\t%s %s test started\n", idstr, exstr);
956 #ifdef FIPS_POST_TIME
957 clock_gettime(CLOCK_REALTIME, &start);
961 case FIPS_POST_SUCCESS:
964 printf("\t\t%s %s test OK but should've failed\n",
968 else if (!post_quiet)
969 printf("\t\t%s %s test OK\n", idstr, exstr);
970 #ifdef FIPS_POST_TIME
971 clock_gettime(CLOCK_REALTIME, &end);
972 printf("\t\t\tTook %f seconds\n",
973 (double)((end.tv_sec+end.tv_nsec*1e-9)
974 - (start.tv_sec+start.tv_nsec*1e-9)));
981 printf("\t\t%s %s test failed as expected\n",
986 printf("\t\t%s %s test Failed Incorrectly!!\n",
992 case FIPS_POST_CORRUPT:
995 printf("\t\t%s %s test failure induced\n", idstr, exstr);
1004 /* Test POST induced failures */
1009 int id, subid, keyid;
1012 static fail_list flist[] =
1014 {"Integrity", FIPS_TEST_INTEGRITY, -1, -1},
1015 {"AES", FIPS_TEST_CIPHER, NID_aes_128_ecb, -1},
1016 {"DES3", FIPS_TEST_CIPHER, NID_des_ede3_ecb, -1},
1017 {"AES-GCM", FIPS_TEST_GCM, -1, -1},
1018 {"AES-CCM", FIPS_TEST_CCM, -1, -1},
1019 {"AES-XTS", FIPS_TEST_XTS, -1, -1},
1020 {"Digest", FIPS_TEST_DIGEST, -1, -1},
1021 {"HMAC", FIPS_TEST_HMAC, -1, -1},
1022 {"CMAC", FIPS_TEST_CMAC, -1, -1},
1023 {"DRBG", FIPS_TEST_DRBG, -1, -1},
1024 {"X9.31 PRNG", FIPS_TEST_X931, -1, -1},
1025 {"RSA", FIPS_TEST_SIGNATURE, -1, EVP_PKEY_RSA},
1026 {"DSA", FIPS_TEST_SIGNATURE, -1, EVP_PKEY_DSA},
1027 {"ECDSA", FIPS_TEST_SIGNATURE, -1, EVP_PKEY_EC},
1028 {"ECDH", FIPS_TEST_ECDH, -1, -1},
1032 static int do_fail_all(int fullpost, int fullerr)
1039 DRBG_CTX *dctx = NULL;
1042 unsigned char out[10];
1047 FIPS_module_mode_set(0, NULL);
1048 for (ftmp = flist; ftmp->name; ftmp++)
1050 printf(" Testing induced failure of %s test\n", ftmp->name);
1052 fail_sub = ftmp->subid;
1053 fail_key = ftmp->keyid;
1054 rv = FIPS_module_mode_set(1, FIPS_AUTH_USER_PASS);
1057 printf("\tFIPS mode incorrectly successful!!\n");
1061 printf(" Testing induced failure of RSA keygen test\n");
1062 /* NB POST will succeed with a pairwise test failures as
1063 * it is not used during POST.
1065 fail_id = FIPS_TEST_PAIRWISE;
1066 fail_key = EVP_PKEY_RSA;
1067 /* Now enter FIPS mode successfully */
1068 if (!FIPS_module_mode_set(1, FIPS_AUTH_USER_PASS))
1070 printf("\tError entering FIPS mode\n");
1074 rsa = FIPS_rsa_new();
1078 BN_set_word(bn, 65537);
1079 if (RSA_generate_key_ex(rsa, 2048,bn,NULL))
1081 printf("\tRSA key generated OK incorrectly!!\n");
1085 printf("\tRSA key generation failed as expected.\n");
1087 /* Leave FIPS mode to clear error */
1088 FIPS_module_mode_set(0, NULL);
1090 printf(" Testing induced failure of DSA keygen test\n");
1091 fail_key = EVP_PKEY_DSA;
1092 /* Enter FIPS mode successfully */
1093 if (!FIPS_module_mode_set(1, FIPS_AUTH_USER_PASS))
1095 printf("\tError entering FIPS mode\n");
1098 dsa = FIPS_dsa_new();
1101 if (!DSA_generate_parameters_ex(dsa, 1024,NULL,0,NULL,NULL,NULL))
1103 if (DSA_generate_key(dsa))
1105 printf("\tDSA key generated OK incorrectly!!\n");
1109 printf("\tDSA key generation failed as expected.\n");
1111 /* Leave FIPS mode to clear error */
1112 FIPS_module_mode_set(0, NULL);
1113 /* Enter FIPS mode successfully */
1114 if (!FIPS_module_mode_set(1, FIPS_AUTH_USER_PASS))
1116 printf("\tError entering FIPS mode\n");
1120 printf(" Testing induced failure of ECDSA keygen test\n");
1121 fail_key = EVP_PKEY_EC;
1123 ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
1128 if (EC_KEY_generate_key(ec))
1130 printf("\tECDSA key generated OK incorrectly!!\n");
1134 printf("\tECDSA key generation failed as expected.\n");
1139 /* Leave FIPS mode to clear error */
1140 FIPS_module_mode_set(0, NULL);
1141 /* Enter FIPS mode successfully */
1142 if (!FIPS_module_mode_set(1, FIPS_AUTH_USER_PASS))
1144 printf("\tError entering FIPS mode\n");
1147 /* Induce continuous PRNG failure for DRBG */
1148 printf(" Testing induced failure of DRBG CPRNG test\n");
1151 /* Initialise a DRBG context */
1152 dctx = FIPS_drbg_new(NID_sha1, 0);
1155 for (i = 0; i < sizeof(dummy_drbg_entropy); i++)
1157 dummy_drbg_entropy[i] = i & 0xff;
1159 FIPS_drbg_set_callbacks(dctx, drbg_test_cb, 0, 0x10, drbg_test_cb, 0);
1160 if (!FIPS_drbg_instantiate(dctx, dummy_drbg_entropy, 10))
1162 printf("\tDRBG instantiate error!!\n");
1165 if (FIPS_drbg_generate(dctx, out, sizeof(out), 0, NULL, 0))
1167 printf("\tDRBG continuous PRNG OK incorrectly!!\n");
1171 printf("\tDRBG continuous PRNG failed as expected\n");
1174 /* Leave FIPS mode to clear error */
1175 FIPS_module_mode_set(0, NULL);
1176 /* Enter FIPS mode successfully */
1177 if (!FIPS_module_mode_set(1, FIPS_AUTH_USER_PASS))
1179 printf("\tError entering FIPS mode\n");
1183 FIPS_drbg_free(dctx);
1185 /* Induce continuous PRNG failure for DRBG entropy source*/
1186 printf(" Testing induced failure of DRBG entropy CPRNG test\n");
1188 /* Initialise a DRBG context */
1189 dctx = FIPS_drbg_new(NID_sha1, 0);
1192 for (i = 0; i < sizeof(dummy_drbg_entropy); i++)
1194 dummy_drbg_entropy[i] = i & 0xf;
1196 FIPS_drbg_set_callbacks(dctx, drbg_test_cb, 0, 0x10, drbg_test_cb, 0);
1197 if (FIPS_drbg_instantiate(dctx, dummy_drbg_entropy, 10))
1199 printf("\tDRBG continuous PRNG entropy OK incorrectly!!\n");
1203 printf("\tDRBG continuous PRNG entropy failed as expected\n");
1204 /* Leave FIPS mode to clear error */
1205 FIPS_module_mode_set(0, NULL);
1206 /* Enter FIPS mode successfully */
1207 if (!FIPS_module_mode_set(1, FIPS_AUTH_USER_PASS))
1209 printf("\tError entering FIPS mode\n");
1212 FIPS_drbg_free(dctx);
1214 /* Leave FIPS mode to clear error */
1215 FIPS_module_mode_set(0, NULL);
1216 /* Enter FIPS mode successfully */
1217 if (!FIPS_module_mode_set(1, FIPS_AUTH_USER_PASS))
1219 printf("\tError entering FIPS mode\n");
1223 printf(" Testing induced failure of X9.31 CPRNG test\n");
1225 if (!FIPS_x931_set_key(dummy_drbg_entropy, 32))
1227 printf("\tError initialiasing X9.31 PRNG\n");
1230 if (!FIPS_x931_seed(dummy_drbg_entropy + 32, 16))
1232 printf("\tError seeding X9.31 PRNG\n");
1235 if (FIPS_x931_bytes(out, 10) > 0)
1237 printf("\tX9.31 continuous PRNG failure OK incorrectly!!\n");
1241 printf("\tX9.31 continuous PRNG failed as expected\n");
1244 printf(" Induced failure test completed with %d errors\n", st_err);
1250 FIPS_ec_key_free(ec);
1257 int fips_test_suite_main(int argc, char **argv)
1259 int main(int argc, char **argv)
1262 char **args = argv + 1;
1263 int bad_rsa = 0, bad_dsa = 0;
1264 int do_rng_stick = 0;
1265 int do_drbg_stick = 0;
1267 int no_dh = 0, no_drbg = 0;
1268 char *pass = FIPS_AUTH_USER_PASS;
1269 int fullpost = 0, fullerr = 0;
1271 FIPS_post_set_callback(post_cb);
1273 printf("\tFIPS-mode test application\n");
1275 printf("\t%s\n\n", FIPS_module_version_text());
1278 /* Corrupted KAT tests */
1279 if (!strcmp(*args, "integrity")) {
1280 fail_id = FIPS_TEST_INTEGRITY;
1281 } else if (!strcmp(*args, "aes")) {
1282 fail_id = FIPS_TEST_CIPHER;
1283 fail_sub = NID_aes_128_ecb;
1284 } else if (!strcmp(*args, "aes-ccm")) {
1285 fail_id = FIPS_TEST_CCM;
1286 } else if (!strcmp(*args, "aes-gcm")) {
1287 fail_id = FIPS_TEST_GCM;
1288 } else if (!strcmp(*args, "aes-xts")) {
1289 fail_id = FIPS_TEST_XTS;
1290 } else if (!strcmp(*args, "des")) {
1291 fail_id = FIPS_TEST_CIPHER;
1292 fail_sub = NID_des_ede3_ecb;
1293 } else if (!strcmp(*args, "dsa")) {
1294 fail_id = FIPS_TEST_SIGNATURE;
1295 fail_key = EVP_PKEY_DSA;
1296 } else if (!strcmp(argv[1], "ecdh")) {
1297 fail_id = FIPS_TEST_ECDH;
1298 } else if (!strcmp(*args, "ecdsa")) {
1299 fail_id = FIPS_TEST_SIGNATURE;
1300 fail_key = EVP_PKEY_EC;
1301 } else if (!strcmp(*args, "rsa")) {
1302 fail_id = FIPS_TEST_SIGNATURE;
1303 fail_key = EVP_PKEY_RSA;
1304 } else if (!strcmp(*args, "rsakey")) {
1305 printf("RSA key generation and signature validation with corrupted key...\n");
1308 } else if (!strcmp(*args, "rsakeygen")) {
1309 fail_id = FIPS_TEST_PAIRWISE;
1310 fail_key = EVP_PKEY_RSA;
1312 } else if (!strcmp(*args, "dsakey")) {
1313 printf("DSA key generation and signature validation with corrupted key...\n");
1316 } else if (!strcmp(*args, "dsakeygen")) {
1317 fail_id = FIPS_TEST_PAIRWISE;
1318 fail_key = EVP_PKEY_DSA;
1320 } else if (!strcmp(*args, "sha1")) {
1321 fail_id = FIPS_TEST_DIGEST;
1322 } else if (!strcmp(*args, "hmac")) {
1323 fail_id = FIPS_TEST_HMAC;
1324 } else if (!strcmp(*args, "cmac")) {
1325 fail_id = FIPS_TEST_CMAC;
1326 } else if (!strcmp(*args, "drbg")) {
1327 fail_id = FIPS_TEST_DRBG;
1328 } else if (!strcmp(argv[1], "rng")) {
1329 fail_id = FIPS_TEST_X931;
1330 } else if (!strcmp(*args, "nodrbg")) {
1333 } else if (!strcmp(*args, "nodh")) {
1336 } else if (!strcmp(*args, "post")) {
1338 } else if (!strcmp(*args, "rngstick")) {
1341 printf("RNG test with stuck continuous test...\n");
1342 } else if (!strcmp(*args, "drbgentstick")) {
1344 } else if (!strcmp(*args, "drbgstick")) {
1347 printf("DRBG test with stuck continuous test...\n");
1348 } else if (!strcmp(*args, "user")) {
1349 pass = FIPS_AUTH_USER_PASS;
1350 } else if (!strcmp(*args, "officer")) {
1351 pass = FIPS_AUTH_OFFICER_PASS;
1352 } else if (!strcmp(*args, "badpass")) {
1353 pass = "bad invalid password";
1354 } else if (!strcmp(*args, "nopass")) {
1356 } else if (!strcmp(*args, "fullpost")) {
1359 } else if (!strcmp(*args, "fullerr")) {
1363 printf("Bad argument \"%s\"\n", *args);
1369 if ((argc != 1) && !no_exit) {
1370 fips_algtest_init_nofips();
1371 if (!FIPS_module_mode_set(1, pass)) {
1372 printf("Power-up self test failed\n");
1375 printf("Power-up self test successful\n");
1379 fips_algtest_init_nofips();
1381 /* Non-Approved cryptographic operation
1383 printf("1. Non-Approved cryptographic operation test...\n");
1385 printf("\t D-H test skipped\n");
1387 test_msg("\ta. Included algorithm (D-H)...", dh_test());
1389 /* Power-up self test
1392 test_msg("2. Automatic power-up self test", FIPS_module_mode_set(1, pass));
1393 if (!FIPS_module_mode())
1400 /* AES encryption/decryption
1402 test_msg("3a. AES encryption/decryption", FIPS_aes_test());
1403 /* AES GCM encryption/decryption
1405 test_msg("3b. AES-GCM encryption/decryption", FIPS_aes_gcm_test());
1407 /* RSA key generation and encryption/decryption
1409 test_msg("4. RSA key generation and encryption/decryption",
1410 FIPS_rsa_test(bad_rsa));
1412 /* DES-CBC encryption/decryption
1414 test_msg("5. DES-ECB encryption/decryption", FIPS_des3_test());
1416 /* DSA key generation and signature validation
1418 test_msg("6. DSA key generation and signature validation",
1419 FIPS_dsa_test(bad_dsa));
1423 test_msg("7a. SHA-1 hash", FIPS_sha1_test());
1427 test_msg("7b. SHA-256 hash", FIPS_sha256_test());
1431 test_msg("7c. SHA-512 hash", FIPS_sha512_test());
1435 test_msg("7d. HMAC-SHA-1 hash", FIPS_hmac_sha1_test());
1437 /* HMAC-SHA-224 hash
1439 test_msg("7e. HMAC-SHA-224 hash", FIPS_hmac_sha224_test());
1441 /* HMAC-SHA-256 hash
1443 test_msg("7f. HMAC-SHA-256 hash", FIPS_hmac_sha256_test());
1445 /* HMAC-SHA-384 hash
1447 test_msg("7g. HMAC-SHA-384 hash", FIPS_hmac_sha384_test());
1449 /* HMAC-SHA-512 hash
1451 test_msg("7h. HMAC-SHA-512 hash", FIPS_hmac_sha512_test());
1453 /* CMAC-AES-128 hash
1455 test_msg("8a. CMAC-AES-128 hash", FIPS_cmac_aes128_test());
1457 /* CMAC-AES-192 hash
1459 test_msg("8b. CMAC-AES-192 hash", FIPS_cmac_aes192_test());
1461 /* CMAC-AES-256 hash
1463 test_msg("8c. CMAC-AES-256 hash", FIPS_cmac_aes256_test());
1465 # if 0 /* Not a FIPS algorithm */
1468 test_msg("8d. CMAC-TDEA-2 hash", FIPS_cmac_tdea2_test());
1473 test_msg("8e. CMAC-TDEA-3 hash", FIPS_cmac_tdea3_test());
1475 /* Non-Approved cryptographic operation
1477 printf("9. Non-Approved cryptographic operation test...\n");
1478 printf("\ta. Included algorithm (D-H)...%s\n",
1480 dh_test() ? "successful as expected"
1481 : Fail("failed INCORRECTLY!") );
1485 printf("10. Zero-ization...\n\t%s\n",
1486 Zeroize() ? "successful as expected"
1487 : Fail("failed INCORRECTLY!") );
1489 printf("11. Complete DRBG health check...\n");
1490 printf("\t%s\n", FIPS_selftest_drbg_all() ? "successful as expected"
1491 : Fail("failed INCORRECTLY!") );
1493 printf("12. DRBG generation check...\n");
1495 printf("\tskipped\n");
1497 printf("\t%s\n", do_drbg_all() ? "successful as expected"
1498 : Fail("failed INCORRECTLY!") );
1500 printf("13. Induced test failure check...\n");
1501 printf("\t%s\n", do_fail_all(fullpost, fullerr) ? "successful as expected"
1502 : Fail("failed INCORRECTLY!") );
1503 printf("\nAll tests completed with %d errors\n", Error);
1504 return Error ? 1 : 0;