1 /* ====================================================================
2 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
5 * This command is intended as a test driver for the FIPS-140 testing
6 * lab performing FIPS-140 validation. It demonstrates the use of the
7 * OpenSSL library ito perform a variety of common cryptographic
8 * functions. A power-up self test is demonstrated by deliberately
9 * pointing to an invalid executable hash
11 * Contributed by Steve Marquess.
15 #define OPENSSL_FIPSAPI
22 #include <openssl/evp.h>
23 #include <openssl/hmac.h>
24 #include <openssl/sha.h>
25 #include <openssl/err.h>
27 #include <openssl/bn.h>
28 #include <openssl/rand.h>
31 int main(int argc, char *argv[])
33 printf("No FIPS support\n");
38 #define ERR_clear_error() while(0)
40 #include <openssl/rsa.h>
41 #include <openssl/dsa.h>
42 #include <openssl/dh.h>
44 #include <openssl/fips.h>
47 /* AES: encrypt and decrypt known plaintext, verify result matches original plaintext
49 static int FIPS_aes_test(void)
52 unsigned char pltmp[16];
53 unsigned char citmp[16];
54 unsigned char key[16] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
55 unsigned char plaintext[16] = "etaonrishdlcu";
57 FIPS_cipher_ctx_init(&ctx);
58 if (FIPS_cipherinit(&ctx, EVP_aes_128_ecb(), key, NULL, 1) <= 0)
60 FIPS_cipher(&ctx, citmp, plaintext, 16);
61 if (FIPS_cipherinit(&ctx, EVP_aes_128_ecb(), key, NULL, 0) <= 0)
63 FIPS_cipher(&ctx, pltmp, citmp, 16);
64 if (memcmp(pltmp, plaintext, 16))
68 FIPS_cipher_ctx_cleanup(&ctx);
72 static int FIPS_aes_gcm_test(void)
75 unsigned char pltmp[16];
76 unsigned char citmp[16];
77 unsigned char tagtmp[16];
78 unsigned char key[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
79 unsigned char iv[16] = {21,22,23,24,25,26,27,28,29,30,31,32};
80 unsigned char aad[] = "Some text AAD";
81 unsigned char plaintext[16] = "etaonrishdlcu";
83 FIPS_cipher_ctx_init(&ctx);
84 if (FIPS_cipherinit(&ctx, EVP_aes_128_gcm(), key, iv, 1) <= 0)
86 FIPS_cipher(&ctx, NULL, aad, sizeof(aad));
87 FIPS_cipher(&ctx, citmp, plaintext, 16);
88 FIPS_cipher(&ctx, NULL, NULL, 0);
89 if (!FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, 16, tagtmp))
92 if (FIPS_cipherinit(&ctx, EVP_aes_128_gcm(), key, iv, 0) <= 0)
94 if (!FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, 16, tagtmp))
97 FIPS_cipher(&ctx, NULL, aad, sizeof(aad));
99 FIPS_cipher(&ctx, pltmp, citmp, 16);
101 if (FIPS_cipher(&ctx, NULL, NULL, 0) < 0)
104 if (memcmp(pltmp, plaintext, 16))
109 FIPS_cipher_ctx_cleanup(&ctx);
113 static int FIPS_des3_test(void)
116 unsigned char pltmp[8];
117 unsigned char citmp[8];
118 unsigned char key[] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,
120 unsigned char plaintext[] = { 'e', 't', 'a', 'o', 'n', 'r', 'i', 's' };
122 FIPS_cipher_ctx_init(&ctx);
123 if (FIPS_cipherinit(&ctx, EVP_des_ede3_ecb(), key, NULL, 1) <= 0)
125 FIPS_cipher(&ctx, citmp, plaintext, 8);
126 if (FIPS_cipherinit(&ctx, EVP_des_ede3_ecb(), key, NULL, 0) <= 0)
128 FIPS_cipher(&ctx, pltmp, citmp, 8);
129 if (memcmp(pltmp, plaintext, 8))
133 FIPS_cipher_ctx_cleanup(&ctx);
138 * DSA: generate keys and sign, verify input plaintext.
140 static int FIPS_dsa_test(int bad)
143 unsigned char dgst[] = "etaonrishdlc";
149 FIPS_md_ctx_init(&mctx);
150 dsa = FIPS_dsa_new();
153 if (!DSA_generate_parameters_ex(dsa, 1024,NULL,0,NULL,NULL,NULL))
155 if (!DSA_generate_key(dsa))
158 BN_add_word(dsa->pub_key, 1);
160 if (!FIPS_digestinit(&mctx, EVP_sha256()))
162 if (!FIPS_digestupdate(&mctx, dgst, sizeof(dgst) - 1))
164 sig = FIPS_dsa_sign_ctx(dsa, &mctx);
168 if (!FIPS_digestinit(&mctx, EVP_sha256()))
170 if (!FIPS_digestupdate(&mctx, dgst, sizeof(dgst) - 1))
172 r = FIPS_dsa_verify_ctx(dsa, &mctx, sig);
175 FIPS_dsa_sig_free(sig);
176 FIPS_md_ctx_cleanup(&mctx);
185 * RSA: generate keys and sign, verify input plaintext.
187 static int FIPS_rsa_test(int bad)
190 unsigned char input_ptext[] = "etaonrishdlc";
191 unsigned char buf[256];
198 FIPS_md_ctx_init(&mctx);
199 key = FIPS_rsa_new();
203 BN_set_word(bn, 65537);
204 if (!RSA_generate_key_ex(key, 2048,bn,NULL))
208 BN_add_word(key->n, 1);
210 if (!FIPS_digestinit(&mctx, EVP_sha256()))
212 if (!FIPS_digestupdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
214 if (!FIPS_rsa_sign_ctx(key, &mctx, RSA_PKCS1_PADDING, 0, NULL, buf, &slen))
217 if (!FIPS_digestinit(&mctx, EVP_sha256()))
219 if (!FIPS_digestupdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
221 r = FIPS_rsa_verify_ctx(key, &mctx, RSA_PKCS1_PADDING, 0, NULL, buf, slen);
223 FIPS_md_ctx_cleanup(&mctx);
231 /* SHA1: generate hash of known digest value and compare to known
232 precomputed correct hash
234 static int FIPS_sha1_test()
236 unsigned char digest[SHA_DIGEST_LENGTH] =
237 { 0x11, 0xf1, 0x9a, 0x3a, 0xec, 0x1a, 0x1e, 0x8e, 0x65, 0xd4, 0x9a, 0x38, 0x0c, 0x8b, 0x1e, 0x2c, 0xe8, 0xb3, 0xc5, 0x18 };
238 unsigned char str[] = "etaonrishd";
240 unsigned char md[SHA_DIGEST_LENGTH];
243 if (!FIPS_digest(str,sizeof(str) - 1,md, NULL, EVP_sha1())) return 0;
244 if (memcmp(md,digest,sizeof(md)))
249 /* SHA256: generate hash of known digest value and compare to known
250 precomputed correct hash
252 static int FIPS_sha256_test()
254 unsigned char digest[SHA256_DIGEST_LENGTH] =
255 {0xf5, 0x53, 0xcd, 0xb8, 0xcf, 0x1, 0xee, 0x17, 0x9b, 0x93, 0xc9, 0x68, 0xc0, 0xea, 0x40, 0x91,
256 0x6, 0xec, 0x8e, 0x11, 0x96, 0xc8, 0x5d, 0x1c, 0xaf, 0x64, 0x22, 0xe6, 0x50, 0x4f, 0x47, 0x57};
257 unsigned char str[] = "etaonrishd";
259 unsigned char md[SHA256_DIGEST_LENGTH];
262 if (!FIPS_digest(str,sizeof(str) - 1,md, NULL, EVP_sha256())) return 0;
263 if (memcmp(md,digest,sizeof(md)))
268 /* SHA512: generate hash of known digest value and compare to known
269 precomputed correct hash
271 static int FIPS_sha512_test()
273 unsigned char digest[SHA512_DIGEST_LENGTH] =
274 {0x99, 0xc9, 0xe9, 0x5b, 0x88, 0xd4, 0x78, 0x88, 0xdf, 0x88, 0x5f, 0x94, 0x71, 0x64, 0x28, 0xca,
275 0x16, 0x1f, 0x3d, 0xf4, 0x1f, 0xf3, 0x0f, 0xc5, 0x03, 0x99, 0xb2, 0xd0, 0xe7, 0x0b, 0x94, 0x4a,
276 0x45, 0xd2, 0x6c, 0x4f, 0x20, 0x06, 0xef, 0x71, 0xa9, 0x25, 0x7f, 0x24, 0xb1, 0xd9, 0x40, 0x22,
277 0x49, 0x54, 0x10, 0xc2, 0x22, 0x9d, 0x27, 0xfe, 0xbd, 0xd6, 0xd6, 0xeb, 0x2d, 0x42, 0x1d, 0xa3};
278 unsigned char str[] = "etaonrishd";
280 unsigned char md[SHA512_DIGEST_LENGTH];
283 if (!FIPS_digest(str,sizeof(str) - 1,md, NULL, EVP_sha512())) return 0;
284 if (memcmp(md,digest,sizeof(md)))
289 /* HMAC-SHA1: generate hash of known digest value and compare to known
290 precomputed correct hash
292 static int FIPS_hmac_sha1_test()
294 unsigned char key[] = "etaonrishd";
295 unsigned char iv[] = "Sample text";
296 unsigned char kaval[EVP_MAX_MD_SIZE] =
297 {0x73, 0xf7, 0xa0, 0x48, 0xf8, 0x94, 0xed, 0xdd, 0x0a, 0xea, 0xea, 0x56, 0x1b, 0x61, 0x2e, 0x70,
298 0xb2, 0xfb, 0xec, 0xc6};
300 unsigned char out[EVP_MAX_MD_SIZE];
304 if (!HMAC(EVP_sha1(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
305 if (memcmp(out,kaval,outlen))
310 /* HMAC-SHA224: generate hash of known digest value and compare to known
311 precomputed correct hash
313 static int FIPS_hmac_sha224_test()
315 unsigned char key[] = "etaonrishd";
316 unsigned char iv[] = "Sample text";
317 unsigned char kaval[EVP_MAX_MD_SIZE] =
318 {0x75, 0x58, 0xd5, 0xbd, 0x55, 0x6d, 0x87, 0x0f, 0x75, 0xff, 0xbe, 0x1c, 0xb2, 0xf0, 0x20, 0x35,
319 0xe5, 0x62, 0x49, 0xb6, 0x94, 0xb9, 0xfc, 0x65, 0x34, 0x33, 0x3a, 0x19};
321 unsigned char out[EVP_MAX_MD_SIZE];
325 if (!HMAC(EVP_sha224(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
326 if (memcmp(out,kaval,outlen))
331 /* HMAC-SHA256: generate hash of known digest value and compare to known
332 precomputed correct hash
334 static int FIPS_hmac_sha256_test()
336 unsigned char key[] = "etaonrishd";
337 unsigned char iv[] = "Sample text";
338 unsigned char kaval[EVP_MAX_MD_SIZE] =
339 {0xe9, 0x17, 0xc1, 0x7b, 0x4c, 0x6b, 0x77, 0xda, 0xd2, 0x30, 0x36, 0x02, 0xf5, 0x72, 0x33, 0x87,
340 0x9f, 0xc6, 0x6e, 0x7b, 0x7e, 0xa8, 0xea, 0xaa, 0x9f, 0xba, 0xee, 0x51, 0xff, 0xda, 0x24, 0xf4};
342 unsigned char out[EVP_MAX_MD_SIZE];
346 if (!HMAC(EVP_sha256(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
347 if (memcmp(out,kaval,outlen))
352 /* HMAC-SHA384: generate hash of known digest value and compare to known
353 precomputed correct hash
355 static int FIPS_hmac_sha384_test()
357 unsigned char key[] = "etaonrishd";
358 unsigned char iv[] = "Sample text";
359 unsigned char kaval[EVP_MAX_MD_SIZE] =
360 {0xb2, 0x9d, 0x40, 0x58, 0x32, 0xc4, 0xe3, 0x31, 0xb6, 0x63, 0x08, 0x26, 0x99, 0xef, 0x3b, 0x10,
361 0xe2, 0xdf, 0xf8, 0xff, 0xc6, 0xe1, 0x03, 0x29, 0x81, 0x2a, 0x1b, 0xac, 0xb0, 0x07, 0x39, 0x08,
362 0xf3, 0x91, 0x35, 0x11, 0x76, 0xd6, 0x4c, 0x20, 0xfb, 0x4d, 0xc3, 0xf3, 0xb8, 0x9b, 0x88, 0x1c};
364 unsigned char out[EVP_MAX_MD_SIZE];
368 if (!HMAC(EVP_sha384(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
369 if (memcmp(out,kaval,outlen))
374 /* HMAC-SHA512: generate hash of known digest value and compare to known
375 precomputed correct hash
377 static int FIPS_hmac_sha512_test()
379 unsigned char key[] = "etaonrishd";
380 unsigned char iv[] = "Sample text";
381 unsigned char kaval[EVP_MAX_MD_SIZE] =
382 {0xcd, 0x3e, 0xb9, 0x51, 0xb8, 0xbc, 0x7f, 0x9a, 0x23, 0xaf, 0xf3, 0x77, 0x59, 0x85, 0xa9, 0xe6,
383 0xf7, 0xd1, 0x51, 0x96, 0x17, 0xe0, 0x92, 0xd8, 0xa6, 0x3b, 0xc1, 0xad, 0x7e, 0x24, 0xca, 0xb1,
384 0xd7, 0x79, 0x0a, 0xa5, 0xea, 0x2c, 0x02, 0x58, 0x0b, 0xa6, 0x52, 0x6b, 0x61, 0x7f, 0xeb, 0x9c,
385 0x47, 0x86, 0x5d, 0x74, 0x2b, 0x88, 0xdf, 0xee, 0x46, 0x69, 0x96, 0x3d, 0xa6, 0xd9, 0x2a, 0x53};
387 unsigned char out[EVP_MAX_MD_SIZE];
391 if (!HMAC(EVP_sha512(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
392 if (memcmp(out,kaval,outlen))
398 /* DH: generate shared parameters
407 if (!DH_generate_parameters_ex(dh, 1024, 2, NULL))
419 unsigned char userkey[16] =
420 { 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f, 0x83, 0x02, 0xb1, 0x09, 0x68 };
424 key = FIPS_rsa_new();
428 BN_set_word(bn, 65537);
429 if (!RSA_generate_key_ex(key, 1024,bn,NULL))
433 n = BN_num_bytes(key->d);
434 printf(" Generated %d byte RSA private key\n", n);
435 printf("\tBN key before overwriting:\n");
436 do_bn_print(stdout, key->d);
437 BN_rand(key->d,n*8,-1,0);
438 printf("\tBN key after overwriting:\n");
439 do_bn_print(stdout, key->d);
441 printf("\tchar buffer key before overwriting: \n\t\t");
442 for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
444 RAND_bytes(userkey, sizeof userkey);
445 printf("\tchar buffer key after overwriting: \n\t\t");
446 for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
453 static const char * Fail(const char *msg)
459 static void test_msg(const char *msg, int result)
461 printf("%s...%s\n", msg, result ? "successful" : Fail("Failed!"));
464 int main(int argc,char **argv)
467 int do_corrupt_rsa_keygen = 0, do_corrupt_dsa_keygen = 0;
468 int bad_rsa = 0, bad_dsa = 0;
469 int do_rng_stick = 0;
472 fips_set_error_print();
474 printf("\tFIPS-mode test application\n\n");
476 /* Load entropy from external file, if any */
477 RAND_load_file(".rnd", 1024);
480 /* Corrupted KAT tests */
481 if (!strcmp(argv[1], "aes")) {
483 printf("AES encryption/decryption with corrupted KAT...\n");
484 } else if (!strcmp(argv[1], "aes-gcm")) {
485 FIPS_corrupt_aes_gcm();
486 printf("AES-GCM encryption/decryption with corrupted KAT...\n");
487 } else if (!strcmp(argv[1], "des")) {
489 printf("DES3-ECB encryption/decryption with corrupted KAT...\n");
490 } else if (!strcmp(argv[1], "dsa")) {
492 printf("DSA key generation and signature validation with corrupted KAT...\n");
493 } else if (!strcmp(argv[1], "ecdsa")) {
494 FIPS_corrupt_ecdsa();
495 printf("ECDSA key generation and signature validation with corrupted KAT...\n");
496 } else if (!strcmp(argv[1], "rsa")) {
498 printf("RSA key generation and signature validation with corrupted KAT...\n");
499 } else if (!strcmp(argv[1], "rsakey")) {
500 printf("RSA key generation and signature validation with corrupted key...\n");
503 } else if (!strcmp(argv[1], "rsakeygen")) {
504 do_corrupt_rsa_keygen = 1;
506 printf("RSA key generation and signature validation with corrupted keygen...\n");
507 } else if (!strcmp(argv[1], "dsakey")) {
508 printf("DSA key generation and signature validation with corrupted key...\n");
511 } else if (!strcmp(argv[1], "dsakeygen")) {
512 do_corrupt_dsa_keygen = 1;
514 printf("DSA key generation and signature validation with corrupted keygen...\n");
515 } else if (!strcmp(argv[1], "sha1")) {
517 printf("SHA-1 hash with corrupted KAT...\n");
518 } else if (!strcmp(argv[1], "drbg")) {
520 } else if (!strcmp(argv[1], "rng")) {
522 } else if (!strcmp(argv[1], "rngstick")) {
525 printf("RNG test with stuck continuous test...\n");
527 printf("Bad argument \"%s\"\n", argv[1]);
531 if (!FIPS_mode_set(1)) {
532 printf("Power-up self test failed\n");
535 printf("Power-up self test successful\n");
540 /* Non-Approved cryptographic operation
542 printf("1. Non-Approved cryptographic operation test...\n");
543 test_msg("\ta. Included algorithm (D-H)...", dh_test());
545 /* Power-up self test
548 test_msg("2. Automatic power-up self test", FIPS_mode_set(1));
551 if (do_corrupt_dsa_keygen)
552 FIPS_corrupt_dsa_keygen();
553 if (do_corrupt_rsa_keygen)
554 FIPS_corrupt_rsa_keygen();
558 /* AES encryption/decryption
560 test_msg("3a. AES encryption/decryption", FIPS_aes_test());
561 /* AES GCM encryption/decryption
563 test_msg("3b. AES-GCM encryption/decryption", FIPS_aes_gcm_test());
565 /* RSA key generation and encryption/decryption
567 test_msg("4. RSA key generation and encryption/decryption",
568 FIPS_rsa_test(bad_rsa));
570 /* DES-CBC encryption/decryption
572 test_msg("5. DES-ECB encryption/decryption", FIPS_des3_test());
574 /* DSA key generation and signature validation
576 test_msg("6. DSA key generation and signature validation",
577 FIPS_dsa_test(bad_dsa));
581 test_msg("7a. SHA-1 hash", FIPS_sha1_test());
585 test_msg("7b. SHA-256 hash", FIPS_sha256_test());
589 test_msg("7c. SHA-512 hash", FIPS_sha512_test());
593 test_msg("7d. HMAC-SHA-1 hash", FIPS_hmac_sha1_test());
597 test_msg("7e. HMAC-SHA-224 hash", FIPS_hmac_sha224_test());
601 test_msg("7f. HMAC-SHA-256 hash", FIPS_hmac_sha256_test());
605 test_msg("7g. HMAC-SHA-384 hash", FIPS_hmac_sha384_test());
609 test_msg("7h. HMAC-SHA-512 hash", FIPS_hmac_sha512_test());
611 /* Non-Approved cryptographic operation
613 printf("8. Non-Approved cryptographic operation test...\n");
614 printf("\ta. Included algorithm (D-H)...%s\n",
615 dh_test() ? "successful as expected"
616 : Fail("failed INCORRECTLY!") );
620 printf("9. Zero-ization...\n\t%s\n",
621 Zeroize() ? "successful as expected"
622 : Fail("failed INCORRECTLY!") );
624 printf("\nAll tests completed with %d errors\n", Error);
625 return Error ? 1 : 0;