1 /* ====================================================================
2 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
5 * This command is intended as a test driver for the FIPS-140 testing
6 * lab performing FIPS-140 validation. It demonstrates the use of the
7 * OpenSSL library ito perform a variety of common cryptographic
8 * functions. A power-up self test is demonstrated by deliberately
9 * pointing to an invalid executable hash
11 * Contributed by Steve Marquess.
15 #define OPENSSL_FIPSEVP
22 #include <openssl/evp.h>
23 #include <openssl/hmac.h>
24 #include <openssl/sha.h>
25 #include <openssl/err.h>
27 #include <openssl/bn.h>
28 #include <openssl/rand.h>
31 int main(int argc, char *argv[])
33 printf("No FIPS support\n");
38 #define ERR_clear_error() while(0)
40 #include <openssl/rsa.h>
41 #include <openssl/dsa.h>
42 #include <openssl/dh.h>
44 #include <openssl/fips.h>
47 /* AES: encrypt and decrypt known plaintext, verify result matches original plaintext
49 static int FIPS_aes_test(void)
52 unsigned char pltmp[16];
53 unsigned char citmp[16];
54 unsigned char key[16] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
55 unsigned char plaintext[16] = "etaonrishdlcu";
57 EVP_CIPHER_CTX_init(&ctx);
58 if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(),NULL, key, NULL, 1) <= 0)
60 EVP_Cipher(&ctx, citmp, plaintext, 16);
61 if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(),NULL, key, NULL, 0) <= 0)
63 EVP_Cipher(&ctx, pltmp, citmp, 16);
64 if (memcmp(pltmp, plaintext, 16))
68 EVP_CIPHER_CTX_cleanup(&ctx);
72 static int FIPS_des3_test(void)
75 unsigned char pltmp[8];
76 unsigned char citmp[8];
77 unsigned char key[] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,
79 unsigned char plaintext[] = { 'e', 't', 'a', 'o', 'n', 'r', 'i', 's' };
81 EVP_CIPHER_CTX_init(&ctx);
82 if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(),NULL, key, NULL, 1) <= 0)
84 EVP_Cipher(&ctx, citmp, plaintext, 8);
85 if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(),NULL, key, NULL, 0) <= 0)
87 EVP_Cipher(&ctx, pltmp, citmp, 8);
88 if (memcmp(pltmp, plaintext, 8))
92 EVP_CIPHER_CTX_cleanup(&ctx);
97 * DSA: generate keys and sign, verify input plaintext.
99 static int FIPS_dsa_test(int bad)
102 unsigned char dgst[] = "etaonrishdlc";
108 EVP_MD_CTX_init(&mctx);
109 dsa = FIPS_dsa_new();
112 if (!DSA_generate_parameters_ex(dsa, 1024,NULL,0,NULL,NULL,NULL))
114 if (!DSA_generate_key(dsa))
117 BN_add_word(dsa->pub_key, 1);
119 if (!EVP_DigestInit_ex(&mctx, EVP_sha1(), NULL))
121 if (!EVP_DigestUpdate(&mctx, dgst, sizeof(dgst) - 1))
123 sig = FIPS_dsa_sign_ctx(dsa, &mctx);
127 if (!EVP_DigestInit_ex(&mctx, EVP_sha1(), NULL))
129 if (!EVP_DigestUpdate(&mctx, dgst, sizeof(dgst) - 1))
131 r = FIPS_dsa_verify_ctx(dsa, &mctx, sig);
135 EVP_MD_CTX_cleanup(&mctx);
144 * RSA: generate keys and sign, verify input plaintext.
146 static int FIPS_rsa_test(int bad)
149 unsigned char input_ptext[] = "etaonrishdlc";
150 unsigned char buf[256];
157 EVP_MD_CTX_init(&mctx);
158 key = FIPS_rsa_new();
162 BN_set_word(bn, 65537);
163 if (!RSA_generate_key_ex(key, 1024,bn,NULL))
167 BN_add_word(key->n, 1);
169 if (!EVP_DigestInit_ex(&mctx, EVP_sha1(), NULL))
171 if (!EVP_DigestUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
173 if (!FIPS_rsa_sign_ctx(key, &mctx, RSA_PKCS1_PADDING, 0, NULL, buf, &slen))
176 if (!EVP_DigestInit_ex(&mctx, EVP_sha1(), NULL))
178 if (!EVP_DigestUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
180 r = FIPS_rsa_verify_ctx(key, &mctx, RSA_PKCS1_PADDING, 0, NULL, buf, slen);
182 EVP_MD_CTX_cleanup(&mctx);
190 /* SHA1: generate hash of known digest value and compare to known
191 precomputed correct hash
193 static int FIPS_sha1_test()
195 unsigned char digest[SHA_DIGEST_LENGTH] =
196 { 0x11, 0xf1, 0x9a, 0x3a, 0xec, 0x1a, 0x1e, 0x8e, 0x65, 0xd4, 0x9a, 0x38, 0x0c, 0x8b, 0x1e, 0x2c, 0xe8, 0xb3, 0xc5, 0x18 };
197 unsigned char str[] = "etaonrishd";
199 unsigned char md[SHA_DIGEST_LENGTH];
202 if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha1(), NULL)) return 0;
203 if (memcmp(md,digest,sizeof(md)))
208 /* SHA256: generate hash of known digest value and compare to known
209 precomputed correct hash
211 static int FIPS_sha256_test()
213 unsigned char digest[SHA256_DIGEST_LENGTH] =
214 {0xf5, 0x53, 0xcd, 0xb8, 0xcf, 0x1, 0xee, 0x17, 0x9b, 0x93, 0xc9, 0x68, 0xc0, 0xea, 0x40, 0x91,
215 0x6, 0xec, 0x8e, 0x11, 0x96, 0xc8, 0x5d, 0x1c, 0xaf, 0x64, 0x22, 0xe6, 0x50, 0x4f, 0x47, 0x57};
216 unsigned char str[] = "etaonrishd";
218 unsigned char md[SHA256_DIGEST_LENGTH];
221 if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha256(), NULL)) return 0;
222 if (memcmp(md,digest,sizeof(md)))
227 /* SHA512: generate hash of known digest value and compare to known
228 precomputed correct hash
230 static int FIPS_sha512_test()
232 unsigned char digest[SHA512_DIGEST_LENGTH] =
233 {0x99, 0xc9, 0xe9, 0x5b, 0x88, 0xd4, 0x78, 0x88, 0xdf, 0x88, 0x5f, 0x94, 0x71, 0x64, 0x28, 0xca,
234 0x16, 0x1f, 0x3d, 0xf4, 0x1f, 0xf3, 0x0f, 0xc5, 0x03, 0x99, 0xb2, 0xd0, 0xe7, 0x0b, 0x94, 0x4a,
235 0x45, 0xd2, 0x6c, 0x4f, 0x20, 0x06, 0xef, 0x71, 0xa9, 0x25, 0x7f, 0x24, 0xb1, 0xd9, 0x40, 0x22,
236 0x49, 0x54, 0x10, 0xc2, 0x22, 0x9d, 0x27, 0xfe, 0xbd, 0xd6, 0xd6, 0xeb, 0x2d, 0x42, 0x1d, 0xa3};
237 unsigned char str[] = "etaonrishd";
239 unsigned char md[SHA512_DIGEST_LENGTH];
242 if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha512(), NULL)) return 0;
243 if (memcmp(md,digest,sizeof(md)))
248 /* HMAC-SHA1: generate hash of known digest value and compare to known
249 precomputed correct hash
251 static int FIPS_hmac_sha1_test()
253 unsigned char key[] = "etaonrishd";
254 unsigned char iv[] = "Sample text";
255 unsigned char kaval[EVP_MAX_MD_SIZE] =
256 {0x73, 0xf7, 0xa0, 0x48, 0xf8, 0x94, 0xed, 0xdd, 0x0a, 0xea, 0xea, 0x56, 0x1b, 0x61, 0x2e, 0x70,
257 0xb2, 0xfb, 0xec, 0xc6};
259 unsigned char out[EVP_MAX_MD_SIZE];
263 if (!HMAC(EVP_sha1(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
264 if (memcmp(out,kaval,outlen))
269 /* HMAC-SHA224: generate hash of known digest value and compare to known
270 precomputed correct hash
272 static int FIPS_hmac_sha224_test()
274 unsigned char key[] = "etaonrishd";
275 unsigned char iv[] = "Sample text";
276 unsigned char kaval[EVP_MAX_MD_SIZE] =
277 {0x75, 0x58, 0xd5, 0xbd, 0x55, 0x6d, 0x87, 0x0f, 0x75, 0xff, 0xbe, 0x1c, 0xb2, 0xf0, 0x20, 0x35,
278 0xe5, 0x62, 0x49, 0xb6, 0x94, 0xb9, 0xfc, 0x65, 0x34, 0x33, 0x3a, 0x19};
280 unsigned char out[EVP_MAX_MD_SIZE];
284 if (!HMAC(EVP_sha224(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
285 if (memcmp(out,kaval,outlen))
290 /* HMAC-SHA256: generate hash of known digest value and compare to known
291 precomputed correct hash
293 static int FIPS_hmac_sha256_test()
295 unsigned char key[] = "etaonrishd";
296 unsigned char iv[] = "Sample text";
297 unsigned char kaval[EVP_MAX_MD_SIZE] =
298 {0xe9, 0x17, 0xc1, 0x7b, 0x4c, 0x6b, 0x77, 0xda, 0xd2, 0x30, 0x36, 0x02, 0xf5, 0x72, 0x33, 0x87,
299 0x9f, 0xc6, 0x6e, 0x7b, 0x7e, 0xa8, 0xea, 0xaa, 0x9f, 0xba, 0xee, 0x51, 0xff, 0xda, 0x24, 0xf4};
301 unsigned char out[EVP_MAX_MD_SIZE];
305 if (!HMAC(EVP_sha256(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
306 if (memcmp(out,kaval,outlen))
311 /* HMAC-SHA384: generate hash of known digest value and compare to known
312 precomputed correct hash
314 static int FIPS_hmac_sha384_test()
316 unsigned char key[] = "etaonrishd";
317 unsigned char iv[] = "Sample text";
318 unsigned char kaval[EVP_MAX_MD_SIZE] =
319 {0xb2, 0x9d, 0x40, 0x58, 0x32, 0xc4, 0xe3, 0x31, 0xb6, 0x63, 0x08, 0x26, 0x99, 0xef, 0x3b, 0x10,
320 0xe2, 0xdf, 0xf8, 0xff, 0xc6, 0xe1, 0x03, 0x29, 0x81, 0x2a, 0x1b, 0xac, 0xb0, 0x07, 0x39, 0x08,
321 0xf3, 0x91, 0x35, 0x11, 0x76, 0xd6, 0x4c, 0x20, 0xfb, 0x4d, 0xc3, 0xf3, 0xb8, 0x9b, 0x88, 0x1c};
323 unsigned char out[EVP_MAX_MD_SIZE];
327 if (!HMAC(EVP_sha384(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
328 if (memcmp(out,kaval,outlen))
333 /* HMAC-SHA512: generate hash of known digest value and compare to known
334 precomputed correct hash
336 static int FIPS_hmac_sha512_test()
338 unsigned char key[] = "etaonrishd";
339 unsigned char iv[] = "Sample text";
340 unsigned char kaval[EVP_MAX_MD_SIZE] =
341 {0xcd, 0x3e, 0xb9, 0x51, 0xb8, 0xbc, 0x7f, 0x9a, 0x23, 0xaf, 0xf3, 0x77, 0x59, 0x85, 0xa9, 0xe6,
342 0xf7, 0xd1, 0x51, 0x96, 0x17, 0xe0, 0x92, 0xd8, 0xa6, 0x3b, 0xc1, 0xad, 0x7e, 0x24, 0xca, 0xb1,
343 0xd7, 0x79, 0x0a, 0xa5, 0xea, 0x2c, 0x02, 0x58, 0x0b, 0xa6, 0x52, 0x6b, 0x61, 0x7f, 0xeb, 0x9c,
344 0x47, 0x86, 0x5d, 0x74, 0x2b, 0x88, 0xdf, 0xee, 0x46, 0x69, 0x96, 0x3d, 0xa6, 0xd9, 0x2a, 0x53};
346 unsigned char out[EVP_MAX_MD_SIZE];
350 if (!HMAC(EVP_sha512(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
351 if (memcmp(out,kaval,outlen))
357 /* DH: generate shared parameters
366 if (!DH_generate_parameters_ex(dh, 1024, 2, NULL))
378 unsigned char userkey[16] =
379 { 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f, 0x83, 0x02, 0xb1, 0x09, 0x68 };
383 key = FIPS_rsa_new();
387 BN_set_word(bn, 65537);
388 if (!RSA_generate_key_ex(key, 1024,bn,NULL))
392 n = BN_num_bytes(key->d);
393 printf(" Generated %d byte RSA private key\n", n);
394 printf("\tBN key before overwriting:\n");
395 do_bn_print(stdout, key->d);
396 BN_rand(key->d,n*8,-1,0);
397 printf("\tBN key after overwriting:\n");
398 do_bn_print(stdout, key->d);
400 printf("\tchar buffer key before overwriting: \n\t\t");
401 for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
403 RAND_bytes(userkey, sizeof userkey);
404 printf("\tchar buffer key after overwriting: \n\t\t");
405 for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
412 static const char * Fail(const char *msg)
418 static void test_msg(const char *msg, int result)
420 printf("%s...%s\n", msg, result ? "successful" : Fail("Failed!"));
423 int main(int argc,char **argv)
426 int do_corrupt_rsa_keygen = 0, do_corrupt_dsa_keygen = 0;
427 int bad_rsa = 0, bad_dsa = 0;
428 int do_rng_stick = 0;
431 fips_set_error_print();
433 printf("\tFIPS-mode test application\n\n");
435 /* Load entropy from external file, if any */
436 RAND_load_file(".rnd", 1024);
439 /* Corrupted KAT tests */
440 if (!strcmp(argv[1], "aes")) {
442 printf("AES encryption/decryption with corrupted KAT...\n");
443 } else if (!strcmp(argv[1], "des")) {
445 printf("DES3-ECB encryption/decryption with corrupted KAT...\n");
446 } else if (!strcmp(argv[1], "dsa")) {
448 printf("DSA key generation and signature validation with corrupted KAT...\n");
449 } else if (!strcmp(argv[1], "rsa")) {
451 printf("RSA key generation and signature validation with corrupted KAT...\n");
452 } else if (!strcmp(argv[1], "rsakey")) {
453 printf("RSA key generation and signature validation with corrupted key...\n");
456 } else if (!strcmp(argv[1], "rsakeygen")) {
457 do_corrupt_rsa_keygen = 1;
459 printf("RSA key generation and signature validation with corrupted keygen...\n");
460 } else if (!strcmp(argv[1], "dsakey")) {
461 printf("DSA key generation and signature validation with corrupted key...\n");
464 } else if (!strcmp(argv[1], "dsakeygen")) {
465 do_corrupt_dsa_keygen = 1;
467 printf("DSA key generation and signature validation with corrupted keygen...\n");
468 } else if (!strcmp(argv[1], "sha1")) {
470 printf("SHA-1 hash with corrupted KAT...\n");
471 } else if (!strcmp(argv[1], "rng")) {
473 } else if (!strcmp(argv[1], "rngstick")) {
476 printf("RNG test with stuck continuous test...\n");
478 printf("Bad argument \"%s\"\n", argv[1]);
482 if (!FIPS_mode_set(1)) {
483 printf("Power-up self test failed\n");
486 printf("Power-up self test successful\n");
491 /* Non-Approved cryptographic operation
493 printf("1. Non-Approved cryptographic operation test...\n");
494 test_msg("\ta. Included algorithm (D-H)...", dh_test());
496 /* Power-up self test
499 test_msg("2. Automatic power-up self test", FIPS_mode_set(1));
502 if (do_corrupt_dsa_keygen)
503 FIPS_corrupt_dsa_keygen();
504 if (do_corrupt_rsa_keygen)
505 FIPS_corrupt_rsa_keygen();
509 /* AES encryption/decryption
511 test_msg("3. AES encryption/decryption", FIPS_aes_test());
513 /* RSA key generation and encryption/decryption
515 test_msg("4. RSA key generation and encryption/decryption",
516 FIPS_rsa_test(bad_rsa));
518 /* DES-CBC encryption/decryption
520 test_msg("5. DES-ECB encryption/decryption", FIPS_des3_test());
522 /* DSA key generation and signature validation
524 test_msg("6. DSA key generation and signature validation",
525 FIPS_dsa_test(bad_dsa));
529 test_msg("7a. SHA-1 hash", FIPS_sha1_test());
533 test_msg("7b. SHA-256 hash", FIPS_sha256_test());
537 test_msg("7c. SHA-512 hash", FIPS_sha512_test());
541 test_msg("7d. HMAC-SHA-1 hash", FIPS_hmac_sha1_test());
545 test_msg("7e. HMAC-SHA-224 hash", FIPS_hmac_sha224_test());
549 test_msg("7f. HMAC-SHA-256 hash", FIPS_hmac_sha256_test());
553 test_msg("7g. HMAC-SHA-384 hash", FIPS_hmac_sha384_test());
557 test_msg("7h. HMAC-SHA-512 hash", FIPS_hmac_sha512_test());
559 /* Non-Approved cryptographic operation
561 printf("8. Non-Approved cryptographic operation test...\n");
562 printf("\ta. Included algorithm (D-H)...%s\n",
563 dh_test() ? "successful as expected"
564 : Fail("failed INCORRECTLY!") );
568 printf("9. Zero-ization...\n\t%s\n",
569 Zeroize() ? "successful as expected"
570 : Fail("failed INCORRECTLY!") );
572 printf("\nAll tests completed with %d errors\n", Error);
573 return Error ? 1 : 0;