1 /* ====================================================================
2 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
5 * This command is intended as a test driver for the FIPS-140 testing
6 * lab performing FIPS-140 validation. It demonstrates the use of the
7 * OpenSSL library ito perform a variety of common cryptographic
8 * functions. A power-up self test is demonstrated by deliberately
9 * pointing to an invalid executable hash
11 * Contributed by Steve Marquess.
19 #include <openssl/aes.h>
20 #include <openssl/des.h>
21 #include <openssl/rsa.h>
22 #include <openssl/dsa.h>
23 #include <openssl/dh.h>
24 #include <openssl/hmac.h>
25 #include <openssl/err.h>
27 #include <openssl/bn.h>
28 #include <openssl/rand.h>
29 #include <openssl/sha.h>
33 int main(int argc, char *argv[])
35 printf("No FIPS support\n");
40 #include <openssl/fips.h>
43 /* AES: encrypt and decrypt known plaintext, verify result matches original plaintext
45 static int FIPS_aes_test(void)
48 unsigned char pltmp[16];
49 unsigned char citmp[16];
50 unsigned char key[16] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
51 unsigned char plaintext[16] = "etaonrishdlcu";
53 EVP_CIPHER_CTX_init(&ctx);
54 if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(),NULL, key, NULL, 1) <= 0)
56 EVP_Cipher(&ctx, citmp, plaintext, 16);
57 if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(),NULL, key, NULL, 0) <= 0)
59 EVP_Cipher(&ctx, pltmp, citmp, 16);
60 if (memcmp(pltmp, plaintext, 16))
64 EVP_CIPHER_CTX_cleanup(&ctx);
68 static int FIPS_des3_test(void)
71 unsigned char pltmp[8];
72 unsigned char citmp[8];
73 unsigned char key[] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,
75 unsigned char plaintext[] = { 'e', 't', 'a', 'o', 'n', 'r', 'i', 's' };
77 EVP_CIPHER_CTX_init(&ctx);
78 if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(),NULL, key, NULL, 1) <= 0)
80 EVP_Cipher(&ctx, citmp, plaintext, 8);
81 if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(),NULL, key, NULL, 0) <= 0)
83 EVP_Cipher(&ctx, pltmp, citmp, 8);
84 if (memcmp(pltmp, plaintext, 8))
88 EVP_CIPHER_CTX_cleanup(&ctx);
93 * DSA: generate keys and sign, verify input plaintext.
95 static int FIPS_dsa_test(int bad)
99 unsigned char dgst[] = "etaonrishdlc";
100 unsigned char buf[60];
106 EVP_MD_CTX_init(&mctx);
107 dsa = FIPS_dsa_new();
110 if (!DSA_generate_parameters_ex(dsa, 1024,NULL,0,NULL,NULL,NULL))
112 if (!DSA_generate_key(dsa))
115 BN_add_word(dsa->pub_key, 1);
117 pk.type = EVP_PKEY_DSA;
120 if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL))
122 if (!EVP_SignUpdate(&mctx, dgst, sizeof(dgst) - 1))
124 if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
127 if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL))
129 if (!EVP_VerifyUpdate(&mctx, dgst, sizeof(dgst) - 1))
131 r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
133 EVP_MD_CTX_cleanup(&mctx);
142 * RSA: generate keys and sign, verify input plaintext.
144 static int FIPS_rsa_test(int bad)
147 unsigned char input_ptext[] = "etaonrishdlc";
148 unsigned char buf[256];
156 EVP_MD_CTX_init(&mctx);
157 key = FIPS_rsa_new();
161 BN_set_word(bn, 65537);
162 if (!RSA_generate_key_ex(key, 1024,bn,NULL))
166 BN_add_word(key->n, 1);
168 pk.type = EVP_PKEY_RSA;
171 if (!EVP_SignInit_ex(&mctx, EVP_sha1(), NULL))
173 if (!EVP_SignUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
175 if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
178 if (!EVP_VerifyInit_ex(&mctx, EVP_sha1(), NULL))
180 if (!EVP_VerifyUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
182 r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
184 EVP_MD_CTX_cleanup(&mctx);
192 /* SHA1: generate hash of known digest value and compare to known
193 precomputed correct hash
195 static int FIPS_sha1_test()
197 unsigned char digest[SHA_DIGEST_LENGTH] =
198 { 0x11, 0xf1, 0x9a, 0x3a, 0xec, 0x1a, 0x1e, 0x8e, 0x65, 0xd4, 0x9a, 0x38, 0x0c, 0x8b, 0x1e, 0x2c, 0xe8, 0xb3, 0xc5, 0x18 };
199 unsigned char str[] = "etaonrishd";
201 unsigned char md[SHA_DIGEST_LENGTH];
204 if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha1(), NULL)) return 0;
205 if (memcmp(md,digest,sizeof(md)))
210 /* SHA256: generate hash of known digest value and compare to known
211 precomputed correct hash
213 static int FIPS_sha256_test()
215 unsigned char digest[SHA256_DIGEST_LENGTH] =
216 {0xf5, 0x53, 0xcd, 0xb8, 0xcf, 0x1, 0xee, 0x17, 0x9b, 0x93, 0xc9, 0x68, 0xc0, 0xea, 0x40, 0x91,
217 0x6, 0xec, 0x8e, 0x11, 0x96, 0xc8, 0x5d, 0x1c, 0xaf, 0x64, 0x22, 0xe6, 0x50, 0x4f, 0x47, 0x57};
218 unsigned char str[] = "etaonrishd";
220 unsigned char md[SHA256_DIGEST_LENGTH];
223 if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha256(), NULL)) return 0;
224 if (memcmp(md,digest,sizeof(md)))
229 /* SHA512: generate hash of known digest value and compare to known
230 precomputed correct hash
232 static int FIPS_sha512_test()
234 unsigned char digest[SHA512_DIGEST_LENGTH] =
235 {0x99, 0xc9, 0xe9, 0x5b, 0x88, 0xd4, 0x78, 0x88, 0xdf, 0x88, 0x5f, 0x94, 0x71, 0x64, 0x28, 0xca,
236 0x16, 0x1f, 0x3d, 0xf4, 0x1f, 0xf3, 0x0f, 0xc5, 0x03, 0x99, 0xb2, 0xd0, 0xe7, 0x0b, 0x94, 0x4a,
237 0x45, 0xd2, 0x6c, 0x4f, 0x20, 0x06, 0xef, 0x71, 0xa9, 0x25, 0x7f, 0x24, 0xb1, 0xd9, 0x40, 0x22,
238 0x49, 0x54, 0x10, 0xc2, 0x22, 0x9d, 0x27, 0xfe, 0xbd, 0xd6, 0xd6, 0xeb, 0x2d, 0x42, 0x1d, 0xa3};
239 unsigned char str[] = "etaonrishd";
241 unsigned char md[SHA512_DIGEST_LENGTH];
244 if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha512(), NULL)) return 0;
245 if (memcmp(md,digest,sizeof(md)))
250 /* HMAC-SHA1: generate hash of known digest value and compare to known
251 precomputed correct hash
253 static int FIPS_hmac_sha1_test()
255 unsigned char key[] = "etaonrishd";
256 unsigned char iv[] = "Sample text";
257 unsigned char kaval[EVP_MAX_MD_SIZE] =
258 {0x73, 0xf7, 0xa0, 0x48, 0xf8, 0x94, 0xed, 0xdd, 0x0a, 0xea, 0xea, 0x56, 0x1b, 0x61, 0x2e, 0x70,
259 0xb2, 0xfb, 0xec, 0xc6};
261 unsigned char out[EVP_MAX_MD_SIZE];
265 if (!HMAC(EVP_sha1(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
266 if (memcmp(out,kaval,outlen))
271 /* HMAC-SHA224: generate hash of known digest value and compare to known
272 precomputed correct hash
274 static int FIPS_hmac_sha224_test()
276 unsigned char key[] = "etaonrishd";
277 unsigned char iv[] = "Sample text";
278 unsigned char kaval[EVP_MAX_MD_SIZE] =
279 {0x75, 0x58, 0xd5, 0xbd, 0x55, 0x6d, 0x87, 0x0f, 0x75, 0xff, 0xbe, 0x1c, 0xb2, 0xf0, 0x20, 0x35,
280 0xe5, 0x62, 0x49, 0xb6, 0x94, 0xb9, 0xfc, 0x65, 0x34, 0x33, 0x3a, 0x19};
282 unsigned char out[EVP_MAX_MD_SIZE];
286 if (!HMAC(EVP_sha224(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
287 if (memcmp(out,kaval,outlen))
292 /* HMAC-SHA256: generate hash of known digest value and compare to known
293 precomputed correct hash
295 static int FIPS_hmac_sha256_test()
297 unsigned char key[] = "etaonrishd";
298 unsigned char iv[] = "Sample text";
299 unsigned char kaval[EVP_MAX_MD_SIZE] =
300 {0xe9, 0x17, 0xc1, 0x7b, 0x4c, 0x6b, 0x77, 0xda, 0xd2, 0x30, 0x36, 0x02, 0xf5, 0x72, 0x33, 0x87,
301 0x9f, 0xc6, 0x6e, 0x7b, 0x7e, 0xa8, 0xea, 0xaa, 0x9f, 0xba, 0xee, 0x51, 0xff, 0xda, 0x24, 0xf4};
303 unsigned char out[EVP_MAX_MD_SIZE];
307 if (!HMAC(EVP_sha256(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
308 if (memcmp(out,kaval,outlen))
313 /* HMAC-SHA384: generate hash of known digest value and compare to known
314 precomputed correct hash
316 static int FIPS_hmac_sha384_test()
318 unsigned char key[] = "etaonrishd";
319 unsigned char iv[] = "Sample text";
320 unsigned char kaval[EVP_MAX_MD_SIZE] =
321 {0xb2, 0x9d, 0x40, 0x58, 0x32, 0xc4, 0xe3, 0x31, 0xb6, 0x63, 0x08, 0x26, 0x99, 0xef, 0x3b, 0x10,
322 0xe2, 0xdf, 0xf8, 0xff, 0xc6, 0xe1, 0x03, 0x29, 0x81, 0x2a, 0x1b, 0xac, 0xb0, 0x07, 0x39, 0x08,
323 0xf3, 0x91, 0x35, 0x11, 0x76, 0xd6, 0x4c, 0x20, 0xfb, 0x4d, 0xc3, 0xf3, 0xb8, 0x9b, 0x88, 0x1c};
325 unsigned char out[EVP_MAX_MD_SIZE];
329 if (!HMAC(EVP_sha384(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
330 if (memcmp(out,kaval,outlen))
335 /* HMAC-SHA512: generate hash of known digest value and compare to known
336 precomputed correct hash
338 static int FIPS_hmac_sha512_test()
340 unsigned char key[] = "etaonrishd";
341 unsigned char iv[] = "Sample text";
342 unsigned char kaval[EVP_MAX_MD_SIZE] =
343 {0xcd, 0x3e, 0xb9, 0x51, 0xb8, 0xbc, 0x7f, 0x9a, 0x23, 0xaf, 0xf3, 0x77, 0x59, 0x85, 0xa9, 0xe6,
344 0xf7, 0xd1, 0x51, 0x96, 0x17, 0xe0, 0x92, 0xd8, 0xa6, 0x3b, 0xc1, 0xad, 0x7e, 0x24, 0xca, 0xb1,
345 0xd7, 0x79, 0x0a, 0xa5, 0xea, 0x2c, 0x02, 0x58, 0x0b, 0xa6, 0x52, 0x6b, 0x61, 0x7f, 0xeb, 0x9c,
346 0x47, 0x86, 0x5d, 0x74, 0x2b, 0x88, 0xdf, 0xee, 0x46, 0x69, 0x96, 0x3d, 0xa6, 0xd9, 0x2a, 0x53};
348 unsigned char out[EVP_MAX_MD_SIZE];
352 if (!HMAC(EVP_sha512(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
353 if (memcmp(out,kaval,outlen))
359 /* DH: generate shared parameters
368 if (!DH_generate_parameters_ex(dh, 1024, 2, NULL))
380 unsigned char userkey[16] =
381 { 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f, 0x83, 0x02, 0xb1, 0x09, 0x68 };
385 key = FIPS_rsa_new();
389 BN_set_word(bn, 65537);
390 if (!RSA_generate_key_ex(key, 1024,bn,NULL))
394 n = BN_num_bytes(key->d);
395 printf(" Generated %d byte RSA private key\n", n);
396 printf("\tBN key before overwriting:\n");
397 do_bn_print(stdout, key->d);
398 BN_rand(key->d,n*8,-1,0);
399 printf("\tBN key after overwriting:\n");
400 do_bn_print(stdout, key->d);
402 printf("\tchar buffer key before overwriting: \n\t\t");
403 for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
405 RAND_bytes(userkey, sizeof userkey);
406 printf("\tchar buffer key after overwriting: \n\t\t");
407 for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
414 static const char * Fail(const char *msg)
421 static void test_msg(const char *msg, int result)
423 printf("%s...%s\n", msg, result ? "successful" : Fail("Failed!"));
426 int main(int argc,char **argv)
429 int do_corrupt_rsa_keygen = 0, do_corrupt_dsa_keygen = 0;
430 int bad_rsa = 0, bad_dsa = 0;
431 int do_rng_stick = 0;
434 printf("\tFIPS-mode test application\n\n");
436 /* Load entropy from external file, if any */
437 RAND_load_file(".rnd", 1024);
440 /* Corrupted KAT tests */
441 if (!strcmp(argv[1], "aes")) {
443 printf("AES encryption/decryption with corrupted KAT...\n");
444 } else if (!strcmp(argv[1], "des")) {
446 printf("DES3-ECB encryption/decryption with corrupted KAT...\n");
447 } else if (!strcmp(argv[1], "dsa")) {
449 printf("DSA key generation and signature validation with corrupted KAT...\n");
450 } else if (!strcmp(argv[1], "rsa")) {
452 printf("RSA key generation and signature validation with corrupted KAT...\n");
453 } else if (!strcmp(argv[1], "rsakey")) {
454 printf("RSA key generation and signature validation with corrupted key...\n");
457 } else if (!strcmp(argv[1], "rsakeygen")) {
458 do_corrupt_rsa_keygen = 1;
460 printf("RSA key generation and signature validation with corrupted keygen...\n");
461 } else if (!strcmp(argv[1], "dsakey")) {
462 printf("DSA key generation and signature validation with corrupted key...\n");
465 } else if (!strcmp(argv[1], "dsakeygen")) {
466 do_corrupt_dsa_keygen = 1;
468 printf("DSA key generation and signature validation with corrupted keygen...\n");
469 } else if (!strcmp(argv[1], "sha1")) {
471 printf("SHA-1 hash with corrupted KAT...\n");
472 } else if (!strcmp(argv[1], "rng")) {
474 } else if (!strcmp(argv[1], "rngstick")) {
477 printf("RNG test with stuck continuous test...\n");
479 printf("Bad argument \"%s\"\n", argv[1]);
483 if (!FIPS_mode_set(1)) {
485 printf("Power-up self test failed\n");
488 printf("Power-up self test successful\n");
493 /* Non-Approved cryptographic operation
495 printf("1. Non-Approved cryptographic operation test...\n");
496 test_msg("\ta. Included algorithm (D-H)...", dh_test());
498 /* Power-up self test
501 test_msg("2. Automatic power-up self test", FIPS_mode_set(1));
504 if (do_corrupt_dsa_keygen)
505 FIPS_corrupt_dsa_keygen();
506 if (do_corrupt_rsa_keygen)
507 FIPS_corrupt_rsa_keygen();
511 /* AES encryption/decryption
513 test_msg("3. AES encryption/decryption", FIPS_aes_test());
515 /* RSA key generation and encryption/decryption
517 test_msg("4. RSA key generation and encryption/decryption",
518 FIPS_rsa_test(bad_rsa));
520 /* DES-CBC encryption/decryption
522 test_msg("5. DES-ECB encryption/decryption", FIPS_des3_test());
524 /* DSA key generation and signature validation
526 test_msg("6. DSA key generation and signature validation",
527 FIPS_dsa_test(bad_dsa));
531 test_msg("7a. SHA-1 hash", FIPS_sha1_test());
535 test_msg("7b. SHA-256 hash", FIPS_sha256_test());
539 test_msg("7c. SHA-512 hash", FIPS_sha512_test());
543 test_msg("7d. HMAC-SHA-1 hash", FIPS_hmac_sha1_test());
547 test_msg("7e. HMAC-SHA-224 hash", FIPS_hmac_sha224_test());
551 test_msg("7f. HMAC-SHA-256 hash", FIPS_hmac_sha256_test());
555 test_msg("7g. HMAC-SHA-384 hash", FIPS_hmac_sha384_test());
559 test_msg("7h. HMAC-SHA-512 hash", FIPS_hmac_sha512_test());
561 /* Non-Approved cryptographic operation
563 printf("8. Non-Approved cryptographic operation test...\n");
564 printf("\ta. Included algorithm (D-H)...%s\n",
565 dh_test() ? "successful as expected"
566 : Fail("failed INCORRECTLY!") );
570 printf("9. Zero-ization...\n\t%s\n",
571 Zeroize() ? "successful as expected"
572 : Fail("failed INCORRECTLY!") );
574 printf("\nAll tests completed with %d errors\n", Error);
575 return Error ? 1 : 0;