1 /* ====================================================================
2 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
5 * This command is intended as a test driver for the FIPS-140 testing
6 * lab performing FIPS-140 validation. It demonstrates the use of the
7 * OpenSSL library ito perform a variety of common cryptographic
8 * functions. A power-up self test is demonstrated by deliberately
9 * pointing to an invalid executable hash
11 * Contributed by Steve Marquess.
15 #define OPENSSL_FIPSAPI
22 #include <openssl/evp.h>
23 #include <openssl/hmac.h>
24 #include <openssl/cmac.h>
25 #include <openssl/sha.h>
26 #include <openssl/err.h>
28 #include <openssl/bn.h>
29 #include <openssl/rand.h>
32 int main(int argc, char *argv[])
34 printf("No FIPS support\n");
39 #define ERR_clear_error() while(0)
41 #include <openssl/rsa.h>
42 #include <openssl/dsa.h>
43 #include <openssl/dh.h>
45 #include <openssl/fips.h>
46 #include <openssl/fips_rand.h>
49 /* AES: encrypt and decrypt known plaintext, verify result matches original plaintext
51 static int FIPS_aes_test(void)
54 unsigned char pltmp[16];
55 unsigned char citmp[16];
56 unsigned char key[16] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
57 unsigned char plaintext[16] = "etaonrishdlcu";
59 FIPS_cipher_ctx_init(&ctx);
60 if (FIPS_cipherinit(&ctx, EVP_aes_128_ecb(), key, NULL, 1) <= 0)
62 FIPS_cipher(&ctx, citmp, plaintext, 16);
63 if (FIPS_cipherinit(&ctx, EVP_aes_128_ecb(), key, NULL, 0) <= 0)
65 FIPS_cipher(&ctx, pltmp, citmp, 16);
66 if (memcmp(pltmp, plaintext, 16))
70 FIPS_cipher_ctx_cleanup(&ctx);
74 static int FIPS_aes_gcm_test(void)
77 unsigned char pltmp[16];
78 unsigned char citmp[16];
79 unsigned char tagtmp[16];
80 unsigned char key[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
81 unsigned char iv[16] = {21,22,23,24,25,26,27,28,29,30,31,32};
82 unsigned char aad[] = "Some text AAD";
83 unsigned char plaintext[16] = "etaonrishdlcu";
85 FIPS_cipher_ctx_init(&ctx);
86 if (FIPS_cipherinit(&ctx, EVP_aes_128_gcm(), key, iv, 1) <= 0)
88 FIPS_cipher(&ctx, NULL, aad, sizeof(aad));
89 FIPS_cipher(&ctx, citmp, plaintext, 16);
90 FIPS_cipher(&ctx, NULL, NULL, 0);
91 if (!FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, 16, tagtmp))
94 if (FIPS_cipherinit(&ctx, EVP_aes_128_gcm(), key, iv, 0) <= 0)
96 if (!FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, 16, tagtmp))
99 FIPS_cipher(&ctx, NULL, aad, sizeof(aad));
101 FIPS_cipher(&ctx, pltmp, citmp, 16);
103 if (FIPS_cipher(&ctx, NULL, NULL, 0) < 0)
106 if (memcmp(pltmp, plaintext, 16))
111 FIPS_cipher_ctx_cleanup(&ctx);
115 static int FIPS_des3_test(void)
118 unsigned char pltmp[8];
119 unsigned char citmp[8];
120 unsigned char key[] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,
122 unsigned char plaintext[] = { 'e', 't', 'a', 'o', 'n', 'r', 'i', 's' };
124 FIPS_cipher_ctx_init(&ctx);
125 if (FIPS_cipherinit(&ctx, EVP_des_ede3_ecb(), key, NULL, 1) <= 0)
127 FIPS_cipher(&ctx, citmp, plaintext, 8);
128 if (FIPS_cipherinit(&ctx, EVP_des_ede3_ecb(), key, NULL, 0) <= 0)
130 FIPS_cipher(&ctx, pltmp, citmp, 8);
131 if (memcmp(pltmp, plaintext, 8))
135 FIPS_cipher_ctx_cleanup(&ctx);
140 * DSA: generate keys and sign, verify input plaintext.
142 static int FIPS_dsa_test(int bad)
145 unsigned char dgst[] = "etaonrishdlc";
150 dsa = FIPS_dsa_new();
153 if (!DSA_generate_parameters_ex(dsa, 1024,NULL,0,NULL,NULL,NULL))
155 if (!DSA_generate_key(dsa))
158 BN_add_word(dsa->pub_key, 1);
160 sig = FIPS_dsa_sign(dsa, dgst, sizeof(dgst) -1, EVP_sha256());
164 r = FIPS_dsa_verify(dsa, dgst, sizeof(dgst) -1, EVP_sha256(), sig);
167 FIPS_dsa_sig_free(sig);
176 * RSA: generate keys and sign, verify input plaintext.
178 static int FIPS_rsa_test(int bad)
181 unsigned char input_ptext[] = "etaonrishdlc";
182 unsigned char buf[256];
188 key = FIPS_rsa_new();
192 BN_set_word(bn, 65537);
193 if (!RSA_generate_key_ex(key, 2048,bn,NULL))
197 BN_add_word(key->n, 1);
199 if (!FIPS_rsa_sign(key, input_ptext, sizeof(input_ptext) - 1, EVP_sha256(),
200 RSA_PKCS1_PADDING, 0, NULL, buf, &slen))
203 r = FIPS_rsa_verify(key, input_ptext, sizeof(input_ptext) - 1, EVP_sha256(),
204 RSA_PKCS1_PADDING, 0, NULL, buf, slen);
213 /* SHA1: generate hash of known digest value and compare to known
214 precomputed correct hash
216 static int FIPS_sha1_test()
218 unsigned char digest[SHA_DIGEST_LENGTH] =
219 { 0x11, 0xf1, 0x9a, 0x3a, 0xec, 0x1a, 0x1e, 0x8e, 0x65, 0xd4, 0x9a, 0x38, 0x0c, 0x8b, 0x1e, 0x2c, 0xe8, 0xb3, 0xc5, 0x18 };
220 unsigned char str[] = "etaonrishd";
222 unsigned char md[SHA_DIGEST_LENGTH];
225 if (!FIPS_digest(str,sizeof(str) - 1,md, NULL, EVP_sha1())) return 0;
226 if (memcmp(md,digest,sizeof(md)))
231 /* SHA256: generate hash of known digest value and compare to known
232 precomputed correct hash
234 static int FIPS_sha256_test()
236 unsigned char digest[SHA256_DIGEST_LENGTH] =
237 {0xf5, 0x53, 0xcd, 0xb8, 0xcf, 0x1, 0xee, 0x17, 0x9b, 0x93, 0xc9, 0x68, 0xc0, 0xea, 0x40, 0x91,
238 0x6, 0xec, 0x8e, 0x11, 0x96, 0xc8, 0x5d, 0x1c, 0xaf, 0x64, 0x22, 0xe6, 0x50, 0x4f, 0x47, 0x57};
239 unsigned char str[] = "etaonrishd";
241 unsigned char md[SHA256_DIGEST_LENGTH];
244 if (!FIPS_digest(str,sizeof(str) - 1,md, NULL, EVP_sha256())) return 0;
245 if (memcmp(md,digest,sizeof(md)))
250 /* SHA512: generate hash of known digest value and compare to known
251 precomputed correct hash
253 static int FIPS_sha512_test()
255 unsigned char digest[SHA512_DIGEST_LENGTH] =
256 {0x99, 0xc9, 0xe9, 0x5b, 0x88, 0xd4, 0x78, 0x88, 0xdf, 0x88, 0x5f, 0x94, 0x71, 0x64, 0x28, 0xca,
257 0x16, 0x1f, 0x3d, 0xf4, 0x1f, 0xf3, 0x0f, 0xc5, 0x03, 0x99, 0xb2, 0xd0, 0xe7, 0x0b, 0x94, 0x4a,
258 0x45, 0xd2, 0x6c, 0x4f, 0x20, 0x06, 0xef, 0x71, 0xa9, 0x25, 0x7f, 0x24, 0xb1, 0xd9, 0x40, 0x22,
259 0x49, 0x54, 0x10, 0xc2, 0x22, 0x9d, 0x27, 0xfe, 0xbd, 0xd6, 0xd6, 0xeb, 0x2d, 0x42, 0x1d, 0xa3};
260 unsigned char str[] = "etaonrishd";
262 unsigned char md[SHA512_DIGEST_LENGTH];
265 if (!FIPS_digest(str,sizeof(str) - 1,md, NULL, EVP_sha512())) return 0;
266 if (memcmp(md,digest,sizeof(md)))
271 /* HMAC-SHA1: generate hash of known digest value and compare to known
272 precomputed correct hash
274 static int FIPS_hmac_sha1_test()
276 unsigned char key[] = "etaonrishd";
277 unsigned char iv[] = "Sample text";
278 unsigned char kaval[EVP_MAX_MD_SIZE] =
279 {0x73, 0xf7, 0xa0, 0x48, 0xf8, 0x94, 0xed, 0xdd, 0x0a, 0xea, 0xea, 0x56, 0x1b, 0x61, 0x2e, 0x70,
280 0xb2, 0xfb, 0xec, 0xc6};
282 unsigned char out[EVP_MAX_MD_SIZE];
286 if (!HMAC(EVP_sha1(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
287 if (memcmp(out,kaval,outlen))
292 /* HMAC-SHA224: generate hash of known digest value and compare to known
293 precomputed correct hash
295 static int FIPS_hmac_sha224_test()
297 unsigned char key[] = "etaonrishd";
298 unsigned char iv[] = "Sample text";
299 unsigned char kaval[EVP_MAX_MD_SIZE] =
300 {0x75, 0x58, 0xd5, 0xbd, 0x55, 0x6d, 0x87, 0x0f, 0x75, 0xff, 0xbe, 0x1c, 0xb2, 0xf0, 0x20, 0x35,
301 0xe5, 0x62, 0x49, 0xb6, 0x94, 0xb9, 0xfc, 0x65, 0x34, 0x33, 0x3a, 0x19};
303 unsigned char out[EVP_MAX_MD_SIZE];
307 if (!HMAC(EVP_sha224(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
308 if (memcmp(out,kaval,outlen))
313 /* HMAC-SHA256: generate hash of known digest value and compare to known
314 precomputed correct hash
316 static int FIPS_hmac_sha256_test()
318 unsigned char key[] = "etaonrishd";
319 unsigned char iv[] = "Sample text";
320 unsigned char kaval[EVP_MAX_MD_SIZE] =
321 {0xe9, 0x17, 0xc1, 0x7b, 0x4c, 0x6b, 0x77, 0xda, 0xd2, 0x30, 0x36, 0x02, 0xf5, 0x72, 0x33, 0x87,
322 0x9f, 0xc6, 0x6e, 0x7b, 0x7e, 0xa8, 0xea, 0xaa, 0x9f, 0xba, 0xee, 0x51, 0xff, 0xda, 0x24, 0xf4};
324 unsigned char out[EVP_MAX_MD_SIZE];
328 if (!HMAC(EVP_sha256(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
329 if (memcmp(out,kaval,outlen))
334 /* HMAC-SHA384: generate hash of known digest value and compare to known
335 precomputed correct hash
337 static int FIPS_hmac_sha384_test()
339 unsigned char key[] = "etaonrishd";
340 unsigned char iv[] = "Sample text";
341 unsigned char kaval[EVP_MAX_MD_SIZE] =
342 {0xb2, 0x9d, 0x40, 0x58, 0x32, 0xc4, 0xe3, 0x31, 0xb6, 0x63, 0x08, 0x26, 0x99, 0xef, 0x3b, 0x10,
343 0xe2, 0xdf, 0xf8, 0xff, 0xc6, 0xe1, 0x03, 0x29, 0x81, 0x2a, 0x1b, 0xac, 0xb0, 0x07, 0x39, 0x08,
344 0xf3, 0x91, 0x35, 0x11, 0x76, 0xd6, 0x4c, 0x20, 0xfb, 0x4d, 0xc3, 0xf3, 0xb8, 0x9b, 0x88, 0x1c};
346 unsigned char out[EVP_MAX_MD_SIZE];
350 if (!HMAC(EVP_sha384(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
351 if (memcmp(out,kaval,outlen))
356 /* HMAC-SHA512: generate hash of known digest value and compare to known
357 precomputed correct hash
359 static int FIPS_hmac_sha512_test()
361 unsigned char key[] = "etaonrishd";
362 unsigned char iv[] = "Sample text";
363 unsigned char kaval[EVP_MAX_MD_SIZE] =
364 {0xcd, 0x3e, 0xb9, 0x51, 0xb8, 0xbc, 0x7f, 0x9a, 0x23, 0xaf, 0xf3, 0x77, 0x59, 0x85, 0xa9, 0xe6,
365 0xf7, 0xd1, 0x51, 0x96, 0x17, 0xe0, 0x92, 0xd8, 0xa6, 0x3b, 0xc1, 0xad, 0x7e, 0x24, 0xca, 0xb1,
366 0xd7, 0x79, 0x0a, 0xa5, 0xea, 0x2c, 0x02, 0x58, 0x0b, 0xa6, 0x52, 0x6b, 0x61, 0x7f, 0xeb, 0x9c,
367 0x47, 0x86, 0x5d, 0x74, 0x2b, 0x88, 0xdf, 0xee, 0x46, 0x69, 0x96, 0x3d, 0xa6, 0xd9, 0x2a, 0x53};
369 unsigned char out[EVP_MAX_MD_SIZE];
373 if (!HMAC(EVP_sha512(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
374 if (memcmp(out,kaval,outlen))
379 /* CMAC-AES128: generate hash of known digest value and compare to known
380 precomputed correct hash
382 static int FIPS_cmac_aes128_test()
384 unsigned char key[16] = { 0x2b,0x7e,0x15,0x16, 0x28,0xae,0xd2,0xa6,
385 0xab,0xf7,0x15,0x88, 0x09,0xcf,0x4f,0x3c, };
386 unsigned char data[] = "Sample text";
387 unsigned char kaval[EVP_MAX_MD_SIZE] =
388 { 0x16,0x83,0xfe,0xac, 0x52,0x9b,0xae,0x23,
389 0xd7,0xd5,0x66,0xf5, 0xd2,0x8d,0xbd,0x2a, };
391 unsigned char *out = NULL;
393 CMAC_CTX *ctx = CMAC_CTX_new();
400 if (!CMAC_Init(ctx,key,sizeof(key),EVP_aes_128_cbc(),NULL))
402 if (!CMAC_Update(ctx,data,sizeof(data)-1))
404 /* This should return 1. If not, there's a programming error... */
405 if (!CMAC_Final(ctx, out, &outlen))
407 out = OPENSSL_malloc(outlen);
408 if (!CMAC_Final(ctx, out, &outlen))
412 char *hexout = OPENSSL_malloc(outlen * 2 + 1);
413 bin2hex(out, outlen, hexout);
414 printf("CMAC-AES128: res = %s\n", hexout);
415 OPENSSL_free(hexout);
419 if (!memcmp(out,kaval,outlen))
429 /* CMAC-AES192: generate hash of known digest value and compare to known
430 precomputed correct hash
432 static int FIPS_cmac_aes192_test()
434 unsigned char key[] = { 0x8e,0x73,0xb0,0xf7, 0xda,0x0e,0x64,0x52,
435 0xc8,0x10,0xf3,0x2b, 0x80,0x90,0x79,0xe5,
436 0x62,0xf8,0xea,0xd2, 0x52,0x2c,0x6b,0x7b, };
437 unsigned char data[] = "Sample text";
438 unsigned char kaval[] =
439 { 0xd6,0x99,0x19,0x25, 0xe5,0x1d,0x95,0x48,
440 0xb1,0x4a,0x0b,0xf2, 0xc6,0x3c,0x47,0x1f, };
442 unsigned char *out = NULL;
444 CMAC_CTX *ctx = CMAC_CTX_new();
451 if (!CMAC_Init(ctx,key,sizeof(key),EVP_aes_192_cbc(),NULL))
453 if (!CMAC_Update(ctx,data,sizeof(data)-1))
455 /* This should return 1. If not, there's a programming error... */
456 if (!CMAC_Final(ctx, out, &outlen))
458 out = OPENSSL_malloc(outlen);
459 if (!CMAC_Final(ctx, out, &outlen))
463 char *hexout = OPENSSL_malloc(outlen * 2 + 1);
464 bin2hex(out, outlen, hexout);
465 printf("CMAC-AES192: res = %s\n", hexout);
466 OPENSSL_free(hexout);
470 if (!memcmp(out,kaval,outlen))
480 /* CMAC-AES256: generate hash of known digest value and compare to known
481 precomputed correct hash
483 static int FIPS_cmac_aes256_test()
485 unsigned char key[] = { 0x60,0x3d,0xeb,0x10, 0x15,0xca,0x71,0xbe,
486 0x2b,0x73,0xae,0xf0, 0x85,0x7d,0x77,0x81,
487 0x1f,0x35,0x2c,0x07, 0x3b,0x61,0x08,0xd7,
488 0x2d,0x98,0x10,0xa3, 0x09,0x14,0xdf,0xf4, };
489 unsigned char data[] = "Sample text";
490 unsigned char kaval[] =
491 { 0xec,0xc2,0xcf,0x63, 0xc7,0xce,0xfc,0xa4,
492 0xb0,0x86,0x37,0x5f, 0x15,0x60,0xba,0x1f, };
494 unsigned char *out = NULL;
496 CMAC_CTX *ctx = CMAC_CTX_new();
503 if (!CMAC_Init(ctx,key,sizeof(key),EVP_aes_256_cbc(),NULL))
505 if (!CMAC_Update(ctx,data,sizeof(data)-1))
507 /* This should return 1. If not, there's a programming error... */
508 if (!CMAC_Final(ctx, out, &outlen))
510 out = OPENSSL_malloc(outlen);
511 if (!CMAC_Final(ctx, out, &outlen))
515 char *hexout = OPENSSL_malloc(outlen * 2 + 1);
516 bin2hex(out, outlen, hexout);
517 printf("CMAC-AES256: res = %s\n", hexout);
518 OPENSSL_free(hexout);
522 if (!memcmp(out,kaval,outlen))
532 /* CMAC-TDEA3: generate hash of known digest value and compare to known
533 precomputed correct hash
535 static int FIPS_cmac_tdea3_test()
537 unsigned char key[] = { 0x8a,0xa8,0x3b,0xf8, 0xcb,0xda,0x10,0x62,
538 0x0b,0xc1,0xbf,0x19, 0xfb,0xb6,0xcd,0x58,
539 0xbc,0x31,0x3d,0x4a, 0x37,0x1c,0xa8,0xb5, };
540 unsigned char data[] = "Sample text";
541 unsigned char kaval[EVP_MAX_MD_SIZE] =
542 { 0xb4,0x06,0x4e,0xbf, 0x59,0x89,0xba,0x68, };
544 unsigned char *out = NULL;
546 CMAC_CTX *ctx = CMAC_CTX_new();
553 if (!CMAC_Init(ctx,key,sizeof(key),EVP_des_ede3_cbc(),NULL))
555 if (!CMAC_Update(ctx,data,sizeof(data)-1))
557 /* This should return 1. If not, there's a programming error... */
558 if (!CMAC_Final(ctx, out, &outlen))
560 out = OPENSSL_malloc(outlen);
561 if (!CMAC_Final(ctx, out, &outlen))
565 char *hexout = OPENSSL_malloc(outlen * 2 + 1);
566 bin2hex(out, outlen, hexout);
567 printf("CMAC-TDEA3: res = %s\n", hexout);
568 OPENSSL_free(hexout);
572 if (!memcmp(out,kaval,outlen))
583 /* DH: generate shared parameters
592 if (!DH_generate_parameters_ex(dh, 1024, 2, NULL))
604 unsigned char userkey[16] =
605 { 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f, 0x83, 0x02, 0xb1, 0x09, 0x68 };
609 key = FIPS_rsa_new();
613 BN_set_word(bn, 65537);
614 if (!RSA_generate_key_ex(key, 1024,bn,NULL))
618 n = BN_num_bytes(key->d);
619 printf(" Generated %d byte RSA private key\n", n);
620 printf("\tBN key before overwriting:\n");
621 do_bn_print(stdout, key->d);
622 BN_rand(key->d,n*8,-1,0);
623 printf("\tBN key after overwriting:\n");
624 do_bn_print(stdout, key->d);
626 printf("\tchar buffer key before overwriting: \n\t\t");
627 for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
629 RAND_bytes(userkey, sizeof userkey);
630 printf("\tchar buffer key after overwriting: \n\t\t");
631 for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
639 /* Dummy Entropy for DRBG tests. WARNING: THIS IS TOTALLY BOGUS
640 * HAS ZERO SECURITY AND MUST NOT BE USED IN REAL APPLICATIONS.
643 static unsigned char dummy_drbg_entropy[1024];
645 static size_t drbg_test_cb(DRBG_CTX *ctx, unsigned char **pout,
646 int entropy, size_t min_len, size_t max_len)
648 *pout = dummy_drbg_entropy;
649 /* Round up to multiple of block size */
650 return (min_len + 0xf) & ~0xf;
653 /* Callback which returns 0 to indicate entropy source failure */
654 static size_t drbg_fail_cb(DRBG_CTX *ctx, unsigned char **pout,
655 int entropy, size_t min_len, size_t max_len)
660 /* DRBG test: just generate lots of data and trigger health checks */
662 static int do_drbg_test(int type, int flags)
667 unsigned char randout[1024];
668 dctx = FIPS_drbg_new(type, flags);
671 FIPS_drbg_set_callbacks(dctx, drbg_test_cb, 0, 0x10, drbg_test_cb, 0);
672 for (i = 0; i < sizeof(dummy_drbg_entropy); i++)
674 dummy_drbg_entropy[i] = i & 0xff;
676 if (!FIPS_drbg_instantiate(dctx, dummy_drbg_entropy, 10))
678 FIPS_drbg_set_check_interval(dctx, 10);
679 for (i = 0; i < 32; i++)
681 if (!FIPS_drbg_generate(dctx, randout, sizeof(randout), 0, NULL, 0))
683 if (!FIPS_drbg_generate(dctx, randout, sizeof(randout), 0, dummy_drbg_entropy, 1))
688 FIPS_drbg_free(dctx);
697 static int do_drbg_all(void)
699 static DRBG_LIST drbg_types[] =
706 {NID_hmacWithSHA1, 0},
707 {NID_hmacWithSHA224, 0},
708 {NID_hmacWithSHA256, 0},
709 {NID_hmacWithSHA384, 0},
710 {NID_hmacWithSHA512, 0},
711 {NID_aes_128_ctr, 0},
712 {NID_aes_192_ctr, 0},
713 {NID_aes_256_ctr, 0},
714 {NID_aes_128_ctr, DRBG_FLAG_CTR_USE_DF},
715 {NID_aes_192_ctr, DRBG_FLAG_CTR_USE_DF},
716 {NID_aes_256_ctr, DRBG_FLAG_CTR_USE_DF},
717 {(NID_X9_62_prime256v1 << 16)|NID_sha1, 0},
718 {(NID_X9_62_prime256v1 << 16)|NID_sha224, 0},
719 {(NID_X9_62_prime256v1 << 16)|NID_sha256, 0},
720 {(NID_X9_62_prime256v1 << 16)|NID_sha384, 0},
721 {(NID_X9_62_prime256v1 << 16)|NID_sha512, 0},
722 {(NID_secp384r1 << 16)|NID_sha224, 0},
723 {(NID_secp384r1 << 16)|NID_sha256, 0},
724 {(NID_secp384r1 << 16)|NID_sha384, 0},
725 {(NID_secp384r1 << 16)|NID_sha512, 0},
726 {(NID_secp521r1 << 16)|NID_sha256, 0},
727 {(NID_secp521r1 << 16)|NID_sha384, 0},
728 {(NID_secp521r1 << 16)|NID_sha512, 0},
733 for (lst = drbg_types;; lst++)
737 if (!do_drbg_test(lst->type, lst->flags))
744 static const char * Fail(const char *msg)
750 static void test_msg(const char *msg, int result)
752 printf("%s...%s\n", msg, result ? "successful" : Fail("Failed!"));
755 /* Table of IDs for POST translating between NIDs and names */
763 POST_ID id_list[] = {
765 {NID_sha224, "SHA224"},
766 {NID_sha256, "SHA256"},
767 {NID_sha384, "SHA384"},
768 {NID_sha512, "SHA512"},
769 {NID_hmacWithSHA1, "HMAC-SHA1"},
770 {NID_hmacWithSHA224, "HMAC-SHA224"},
771 {NID_hmacWithSHA256, "HMAC-SHA256"},
772 {NID_hmacWithSHA384, "HMAC-SHA384"},
773 {NID_hmacWithSHA512, "HMAC-SHA512"},
774 {EVP_PKEY_RSA, "RSA"},
775 {EVP_PKEY_DSA, "DSA"},
776 {EVP_PKEY_EC, "ECDSA"},
777 {NID_aes_128_cbc, "AES-128-CBC"},
778 {NID_aes_192_cbc, "AES-192-CBC"},
779 {NID_aes_256_cbc, "AES-256-CBC"},
780 {NID_aes_128_ctr, "AES-128-CTR"},
781 {NID_aes_192_ctr, "AES-192-CTR"},
782 {NID_aes_256_ctr, "AES-256-CTR"},
783 {NID_aes_128_ecb, "AES-128-ECB"},
784 {NID_aes_128_xts, "AES-128-XTS"},
785 {NID_aes_256_xts, "AES-256-XTS"},
786 {NID_des_ede3_cbc, "DES-EDE3-CBC"},
787 {NID_des_ede3_ecb, "DES-EDE3-ECB"},
788 {NID_secp224r1, "P-224"},
789 {NID_sect233r1, "B-233"},
790 {NID_sect233k1, "K-233"},
791 {NID_X9_62_prime256v1, "P-256"},
792 {NID_secp384r1, "P-384"},
793 {NID_secp521r1, "P-521"},
797 static const char *lookup_id(int id)
801 for (n = id_list; n->name; n++)
806 sprintf(out, "ID=%d", id);
810 static int fail_id = -1;
811 static int fail_sub = -1;
812 static int fail_key = -1;
814 static int st_err, post_quiet = 0;
816 static int post_cb(int op, int id, int subid, void *ex)
818 const char *idstr, *exstr = "";
822 #ifdef FIPS_POST_TIME
823 static struct timespec start, end, tstart, tend;
827 case FIPS_TEST_INTEGRITY:
831 case FIPS_TEST_DIGEST:
833 exstr = lookup_id(subid);
836 case FIPS_TEST_CIPHER:
837 exstr = lookup_id(subid);
841 case FIPS_TEST_SIGNATURE:
845 keytype = pkey->type;
846 if (keytype == EVP_PKEY_EC)
850 grp = EC_KEY_get0_group(pkey->pkey.ec);
851 cnid = EC_GROUP_get_curve_name(grp);
852 sprintf(asctmp, "ECDSA %s", lookup_id(cnid));
856 exstr = lookup_id(keytype);
862 exstr = lookup_id(subid);
868 exstr = lookup_id(subid);
877 exstr = lookup_id(subid);
885 idstr = "X9.31 PRNG";
886 sprintf(asctmp, "keylen=%d", subid);
892 if (*(int *)ex & DRBG_FLAG_CTR_USE_DF)
894 sprintf(asctmp, "%s DF", lookup_id(subid));
897 else if (subid >> 16)
899 sprintf(asctmp, "%s %s",
900 lookup_id(subid >> 16),
901 lookup_id(subid & 0xFFFF));
905 exstr = lookup_id(subid);
908 case FIPS_TEST_PAIRWISE:
912 keytype = pkey->type;
913 exstr = lookup_id(keytype);
915 idstr = "Pairwise Consistency";
918 case FIPS_TEST_CONTINUOUS:
919 idstr = "Continuous PRNG";
924 exstr = lookup_id(subid);
934 && (fail_key == -1 || fail_key == keytype)
935 && (fail_sub == -1 || fail_sub == subid))
940 case FIPS_POST_BEGIN:
941 #ifdef FIPS_POST_TIME
942 clock_getres(CLOCK_REALTIME, &tstart);
943 printf("\tTimer resolution %ld s, %ld ns\n",
944 (long)tstart.tv_sec, (long)tstart.tv_nsec);
945 clock_gettime(CLOCK_REALTIME, &tstart);
947 printf("\tPOST started\n");
951 printf("\tPOST %s\n", id ? "Success" : "Failed");
952 #ifdef FIPS_POST_TIME
953 clock_gettime(CLOCK_REALTIME, &tend);
954 printf("\t\tTook %f seconds\n",
955 (double)((tend.tv_sec+tend.tv_nsec*1e-9)
956 - (tstart.tv_sec+tstart.tv_nsec*1e-9)));
960 case FIPS_POST_STARTED:
961 if (!post_quiet && !exp_fail)
962 printf("\t\t%s %s test started\n", idstr, exstr);
963 #ifdef FIPS_POST_TIME
964 clock_gettime(CLOCK_REALTIME, &start);
968 case FIPS_POST_SUCCESS:
971 printf("\t\t%s %s test OK but should've failed\n",
975 else if (!post_quiet)
976 printf("\t\t%s %s test OK\n", idstr, exstr);
977 #ifdef FIPS_POST_TIME
978 clock_gettime(CLOCK_REALTIME, &end);
979 printf("\t\t\tTook %f seconds\n",
980 (double)((end.tv_sec+end.tv_nsec*1e-9)
981 - (start.tv_sec+start.tv_nsec*1e-9)));
988 printf("\t\t%s %s test failed as expected\n",
993 printf("\t\t%s %s test Failed Incorrectly!!\n",
999 case FIPS_POST_CORRUPT:
1002 printf("\t\t%s %s test failure induced\n", idstr, exstr);
1011 /* Test POST induced failures */
1016 int id, subid, keyid;
1019 static fail_list flist[] =
1021 {"Integrity", FIPS_TEST_INTEGRITY, -1, -1},
1022 {"AES", FIPS_TEST_CIPHER, NID_aes_128_ecb, -1},
1023 {"DES3", FIPS_TEST_CIPHER, NID_des_ede3_ecb, -1},
1024 {"AES-GCM", FIPS_TEST_GCM, -1, -1},
1025 {"AES-CCM", FIPS_TEST_CCM, -1, -1},
1026 {"AES-XTS", FIPS_TEST_XTS, -1, -1},
1027 {"Digest", FIPS_TEST_DIGEST, -1, -1},
1028 {"HMAC", FIPS_TEST_HMAC, -1, -1},
1029 {"CMAC", FIPS_TEST_CMAC, -1, -1},
1030 {"DRBG", FIPS_TEST_DRBG, -1, -1},
1031 {"X9.31 PRNG", FIPS_TEST_X931, -1, -1},
1032 {"RSA", FIPS_TEST_SIGNATURE, -1, EVP_PKEY_RSA},
1033 {"DSA", FIPS_TEST_SIGNATURE, -1, EVP_PKEY_DSA},
1034 {"ECDSA", FIPS_TEST_SIGNATURE, -1, EVP_PKEY_EC},
1035 {"ECDH", FIPS_TEST_ECDH, -1, -1},
1039 static int do_fail_all(int fullpost, int fullerr)
1046 DRBG_CTX *dctx = NULL, *defctx = NULL;
1049 unsigned char out[10];
1054 FIPS_module_mode_set(0, NULL);
1055 for (ftmp = flist; ftmp->name; ftmp++)
1057 printf(" Testing induced failure of %s test\n", ftmp->name);
1059 fail_sub = ftmp->subid;
1060 fail_key = ftmp->keyid;
1061 rv = FIPS_module_mode_set(1, FIPS_AUTH_USER_PASS);
1064 printf("\tFIPS mode incorrectly successful!!\n");
1068 printf(" Testing induced failure of RSA keygen test\n");
1069 /* NB POST will succeed with a pairwise test failures as
1070 * it is not used during POST.
1072 fail_id = FIPS_TEST_PAIRWISE;
1073 fail_key = EVP_PKEY_RSA;
1074 /* Now enter FIPS mode successfully */
1075 if (!FIPS_module_mode_set(1, FIPS_AUTH_USER_PASS))
1077 printf("\tError entering FIPS mode\n");
1081 rsa = FIPS_rsa_new();
1085 BN_set_word(bn, 65537);
1086 if (RSA_generate_key_ex(rsa, 2048,bn,NULL))
1088 printf("\tRSA key generated OK incorrectly!!\n");
1092 printf("\tRSA key generation failed as expected.\n");
1094 /* Leave FIPS mode to clear error */
1095 FIPS_module_mode_set(0, NULL);
1097 printf(" Testing induced failure of DSA keygen test\n");
1098 fail_key = EVP_PKEY_DSA;
1099 /* Enter FIPS mode successfully */
1100 if (!FIPS_module_mode_set(1, FIPS_AUTH_USER_PASS))
1102 printf("\tError entering FIPS mode\n");
1105 dsa = FIPS_dsa_new();
1108 if (!DSA_generate_parameters_ex(dsa, 1024,NULL,0,NULL,NULL,NULL))
1110 if (DSA_generate_key(dsa))
1112 printf("\tDSA key generated OK incorrectly!!\n");
1116 printf("\tDSA key generation failed as expected.\n");
1118 /* Leave FIPS mode to clear error */
1119 FIPS_module_mode_set(0, NULL);
1120 /* Enter FIPS mode successfully */
1121 if (!FIPS_module_mode_set(1, FIPS_AUTH_USER_PASS))
1123 printf("\tError entering FIPS mode\n");
1127 printf(" Testing induced failure of ECDSA keygen test\n");
1128 fail_key = EVP_PKEY_EC;
1130 ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
1135 if (EC_KEY_generate_key(ec))
1137 printf("\tECDSA key generated OK incorrectly!!\n");
1141 printf("\tECDSA key generation failed as expected.\n");
1143 FIPS_ec_key_free(ec);
1149 /* Leave FIPS mode to clear error */
1150 FIPS_module_mode_set(0, NULL);
1151 /* Enter FIPS mode successfully */
1152 if (!FIPS_module_mode_set(1, FIPS_AUTH_USER_PASS))
1154 printf("\tError entering FIPS mode\n");
1157 /* Induce continuous PRNG failure for DRBG */
1158 printf(" Testing induced failure of DRBG CPRNG test\n");
1161 /* Initialise a DRBG context */
1162 dctx = FIPS_drbg_new(NID_sha1, 0);
1165 for (i = 0; i < sizeof(dummy_drbg_entropy); i++)
1167 dummy_drbg_entropy[i] = i & 0xff;
1169 FIPS_drbg_set_callbacks(dctx, drbg_test_cb, 0, 0x10, drbg_test_cb, 0);
1170 if (!FIPS_drbg_instantiate(dctx, dummy_drbg_entropy, 10))
1172 printf("\tDRBG instantiate error!!\n");
1175 if (FIPS_drbg_generate(dctx, out, sizeof(out), 0, NULL, 0))
1177 printf("\tDRBG continuous PRNG OK incorrectly!!\n");
1181 printf("\tDRBG continuous PRNG failed as expected\n");
1184 /* Leave FIPS mode to clear error */
1185 FIPS_module_mode_set(0, NULL);
1186 /* Enter FIPS mode successfully */
1187 if (!FIPS_module_mode_set(1, FIPS_AUTH_USER_PASS))
1189 printf("\tError entering FIPS mode\n");
1193 FIPS_drbg_free(dctx);
1195 /* Induce continuous PRNG failure for DRBG entropy source*/
1196 printf(" Testing induced failure of DRBG entropy CPRNG test\n");
1198 /* Initialise a DRBG context */
1199 dctx = FIPS_drbg_new(NID_sha1, 0);
1202 for (i = 0; i < sizeof(dummy_drbg_entropy); i++)
1204 dummy_drbg_entropy[i] = i & 0xf;
1206 FIPS_drbg_set_callbacks(dctx, drbg_test_cb, 0, 0x10, drbg_test_cb, 0);
1207 if (FIPS_drbg_instantiate(dctx, dummy_drbg_entropy, 10))
1209 printf("\tDRBG continuous PRNG entropy OK incorrectly!!\n");
1213 printf("\tDRBG continuous PRNG entropy failed as expected\n");
1214 /* Leave FIPS mode to clear error */
1215 FIPS_module_mode_set(0, NULL);
1216 /* Enter FIPS mode successfully */
1217 if (!FIPS_module_mode_set(1, FIPS_AUTH_USER_PASS))
1219 printf("\tError entering FIPS mode\n");
1222 FIPS_drbg_free(dctx);
1224 /* Leave FIPS mode to clear error */
1225 FIPS_module_mode_set(0, NULL);
1226 /* Enter FIPS mode successfully */
1227 if (!FIPS_module_mode_set(1, FIPS_AUTH_USER_PASS))
1229 printf("\tError entering FIPS mode\n");
1233 printf(" Testing induced failure of X9.31 CPRNG test\n");
1235 if (!FIPS_x931_set_key(dummy_drbg_entropy, 32))
1237 printf("\tError initialiasing X9.31 PRNG\n");
1240 if (!FIPS_x931_seed(dummy_drbg_entropy + 32, 16))
1242 printf("\tError seeding X9.31 PRNG\n");
1245 if (FIPS_x931_bytes(out, 10) > 0)
1247 printf("\tX9.31 continuous PRNG failure OK incorrectly!!\n");
1251 printf("\tX9.31 continuous PRNG failed as expected\n");
1254 /* Leave FIPS mode to clear error */
1255 FIPS_module_mode_set(0, NULL);
1256 /* Enter FIPS mode successfully */
1257 if (!FIPS_module_mode_set(1, FIPS_AUTH_USER_PASS))
1259 printf("\tError entering FIPS mode\n");
1263 printf(" Testing operation failure with DRBG entropy failure\n");
1265 /* Generate DSA key for later use */
1266 if (DSA_generate_key(dsa))
1267 printf("\tDSA key generated OK as expected.\n");
1270 printf("\tDSA key generation FAILED!!\n");
1274 /* Initialise default DRBG context */
1275 defctx = FIPS_get_default_drbg();
1278 if (!FIPS_drbg_init(defctx, NID_sha512, 0))
1280 /* Set entropy failure callback */
1281 FIPS_drbg_set_callbacks(defctx, drbg_fail_cb, 0, 0x10, drbg_test_cb, 0);
1282 if (FIPS_drbg_instantiate(defctx, dummy_drbg_entropy, 10))
1284 printf("\tDRBG entropy fail OK incorrectly!!\n");
1288 printf("\tDRBG entropy fail failed as expected\n");
1290 if (FIPS_dsa_sign(dsa, dummy_drbg_entropy, 5, EVP_sha256()))
1292 printf("\tDSA signing OK incorrectly!!\n");
1296 printf("\tDSA signing failed as expected\n");
1298 ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
1303 if (EC_KEY_generate_key(ec))
1305 printf("\tECDSA key generated OK incorrectly!!\n");
1309 printf("\tECDSA key generation failed as expected.\n");
1311 printf(" Induced failure test completed with %d errors\n", st_err);
1317 FIPS_ec_key_free(ec);
1324 int fips_test_suite_main(int argc, char **argv)
1326 int main(int argc, char **argv)
1329 char **args = argv + 1;
1330 int bad_rsa = 0, bad_dsa = 0;
1331 int do_rng_stick = 0;
1332 int do_drbg_stick = 0;
1334 int no_dh = 0, no_drbg = 0;
1335 char *pass = FIPS_AUTH_USER_PASS;
1336 int fullpost = 0, fullerr = 0;
1338 FIPS_post_set_callback(post_cb);
1340 printf("\tFIPS-mode test application\n");
1342 printf("\t%s\n\n", FIPS_module_version_text());
1345 /* Corrupted KAT tests */
1346 if (!strcmp(*args, "integrity")) {
1347 fail_id = FIPS_TEST_INTEGRITY;
1348 } else if (!strcmp(*args, "aes")) {
1349 fail_id = FIPS_TEST_CIPHER;
1350 fail_sub = NID_aes_128_ecb;
1351 } else if (!strcmp(*args, "aes-ccm")) {
1352 fail_id = FIPS_TEST_CCM;
1353 } else if (!strcmp(*args, "aes-gcm")) {
1354 fail_id = FIPS_TEST_GCM;
1355 } else if (!strcmp(*args, "aes-xts")) {
1356 fail_id = FIPS_TEST_XTS;
1357 } else if (!strcmp(*args, "des")) {
1358 fail_id = FIPS_TEST_CIPHER;
1359 fail_sub = NID_des_ede3_ecb;
1360 } else if (!strcmp(*args, "dsa")) {
1361 fail_id = FIPS_TEST_SIGNATURE;
1362 fail_key = EVP_PKEY_DSA;
1363 } else if (!strcmp(argv[1], "ecdh")) {
1364 fail_id = FIPS_TEST_ECDH;
1365 } else if (!strcmp(*args, "ecdsa")) {
1366 fail_id = FIPS_TEST_SIGNATURE;
1367 fail_key = EVP_PKEY_EC;
1368 } else if (!strcmp(*args, "rsa")) {
1369 fail_id = FIPS_TEST_SIGNATURE;
1370 fail_key = EVP_PKEY_RSA;
1371 } else if (!strcmp(*args, "rsakey")) {
1372 printf("RSA key generation and signature validation with corrupted key...\n");
1375 } else if (!strcmp(*args, "rsakeygen")) {
1376 fail_id = FIPS_TEST_PAIRWISE;
1377 fail_key = EVP_PKEY_RSA;
1379 } else if (!strcmp(*args, "dsakey")) {
1380 printf("DSA key generation and signature validation with corrupted key...\n");
1383 } else if (!strcmp(*args, "dsakeygen")) {
1384 fail_id = FIPS_TEST_PAIRWISE;
1385 fail_key = EVP_PKEY_DSA;
1387 } else if (!strcmp(*args, "sha1")) {
1388 fail_id = FIPS_TEST_DIGEST;
1389 } else if (!strcmp(*args, "hmac")) {
1390 fail_id = FIPS_TEST_HMAC;
1391 } else if (!strcmp(*args, "cmac")) {
1392 fail_id = FIPS_TEST_CMAC;
1393 } else if (!strcmp(*args, "drbg")) {
1394 fail_id = FIPS_TEST_DRBG;
1395 } else if (!strcmp(argv[1], "rng")) {
1396 fail_id = FIPS_TEST_X931;
1397 } else if (!strcmp(*args, "nodrbg")) {
1400 } else if (!strcmp(*args, "nodh")) {
1403 } else if (!strcmp(*args, "post")) {
1405 } else if (!strcmp(*args, "rngstick")) {
1408 printf("RNG test with stuck continuous test...\n");
1409 } else if (!strcmp(*args, "drbgentstick")) {
1411 } else if (!strcmp(*args, "drbgstick")) {
1414 printf("DRBG test with stuck continuous test...\n");
1415 } else if (!strcmp(*args, "user")) {
1416 pass = FIPS_AUTH_USER_PASS;
1417 } else if (!strcmp(*args, "officer")) {
1418 pass = FIPS_AUTH_OFFICER_PASS;
1419 } else if (!strcmp(*args, "badpass")) {
1420 pass = "bad invalid password";
1421 } else if (!strcmp(*args, "nopass")) {
1423 } else if (!strcmp(*args, "fullpost")) {
1426 } else if (!strcmp(*args, "fullerr")) {
1430 printf("Bad argument \"%s\"\n", *args);
1436 if ((argc != 1) && !no_exit) {
1437 fips_algtest_init_nofips();
1438 if (!FIPS_module_mode_set(1, pass)) {
1439 printf("Power-up self test failed\n");
1442 printf("Power-up self test successful\n");
1446 fips_algtest_init_nofips();
1448 /* Non-Approved cryptographic operation
1450 printf("1. Non-Approved cryptographic operation test...\n");
1452 printf("\t D-H test skipped\n");
1454 test_msg("\ta. Included algorithm (D-H)...", dh_test());
1456 /* Power-up self test
1459 test_msg("2. Automatic power-up self test", FIPS_module_mode_set(1, pass));
1460 if (!FIPS_module_mode())
1467 /* AES encryption/decryption
1469 test_msg("3a. AES encryption/decryption", FIPS_aes_test());
1470 /* AES GCM encryption/decryption
1472 test_msg("3b. AES-GCM encryption/decryption", FIPS_aes_gcm_test());
1474 /* RSA key generation and encryption/decryption
1476 test_msg("4. RSA key generation and encryption/decryption",
1477 FIPS_rsa_test(bad_rsa));
1479 /* DES-CBC encryption/decryption
1481 test_msg("5. DES-ECB encryption/decryption", FIPS_des3_test());
1483 /* DSA key generation and signature validation
1485 test_msg("6. DSA key generation and signature validation",
1486 FIPS_dsa_test(bad_dsa));
1490 test_msg("7a. SHA-1 hash", FIPS_sha1_test());
1494 test_msg("7b. SHA-256 hash", FIPS_sha256_test());
1498 test_msg("7c. SHA-512 hash", FIPS_sha512_test());
1502 test_msg("7d. HMAC-SHA-1 hash", FIPS_hmac_sha1_test());
1504 /* HMAC-SHA-224 hash
1506 test_msg("7e. HMAC-SHA-224 hash", FIPS_hmac_sha224_test());
1508 /* HMAC-SHA-256 hash
1510 test_msg("7f. HMAC-SHA-256 hash", FIPS_hmac_sha256_test());
1512 /* HMAC-SHA-384 hash
1514 test_msg("7g. HMAC-SHA-384 hash", FIPS_hmac_sha384_test());
1516 /* HMAC-SHA-512 hash
1518 test_msg("7h. HMAC-SHA-512 hash", FIPS_hmac_sha512_test());
1520 /* CMAC-AES-128 hash
1522 test_msg("8a. CMAC-AES-128 hash", FIPS_cmac_aes128_test());
1524 /* CMAC-AES-192 hash
1526 test_msg("8b. CMAC-AES-192 hash", FIPS_cmac_aes192_test());
1528 /* CMAC-AES-256 hash
1530 test_msg("8c. CMAC-AES-256 hash", FIPS_cmac_aes256_test());
1532 # if 0 /* Not a FIPS algorithm */
1535 test_msg("8d. CMAC-TDEA-2 hash", FIPS_cmac_tdea2_test());
1540 test_msg("8e. CMAC-TDEA-3 hash", FIPS_cmac_tdea3_test());
1542 /* Non-Approved cryptographic operation
1544 printf("9. Non-Approved cryptographic operation test...\n");
1545 printf("\ta. Included algorithm (D-H)...%s\n",
1547 dh_test() ? "successful as expected"
1548 : Fail("failed INCORRECTLY!") );
1552 printf("10. Zero-ization...\n\t%s\n",
1553 Zeroize() ? "successful as expected"
1554 : Fail("failed INCORRECTLY!") );
1556 printf("11. Complete DRBG health check...\n");
1557 printf("\t%s\n", FIPS_selftest_drbg_all() ? "successful as expected"
1558 : Fail("failed INCORRECTLY!") );
1560 printf("12. DRBG generation check...\n");
1562 printf("\tskipped\n");
1564 printf("\t%s\n", do_drbg_all() ? "successful as expected"
1565 : Fail("failed INCORRECTLY!") );
1567 printf("13. Induced test failure check...\n");
1568 printf("\t%s\n", do_fail_all(fullpost, fullerr) ? "successful as expected"
1569 : Fail("failed INCORRECTLY!") );
1570 printf("\nAll tests completed with %d errors\n", Error);
1571 return Error ? 1 : 0;