X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=fips%2Ffips_test_suite.c;h=5290cb258747306203c1f45b8757191f49a2b0ef;hb=c33066900ca7639797d8722ec9c7cc716ced5d0e;hp=6addef6386649108e5949a307fdad89a603c9ef3;hpb=011c865640fb6edd3e810326a2c331b29759e87d;p=oweals%2Fopenssl.git
diff --git a/fips/fips_test_suite.c b/fips/fips_test_suite.c
index 6addef6386..5290cb2587 100644
--- a/fips/fips_test_suite.c
+++ b/fips/fips_test_suite.c
@@ -665,74 +665,287 @@ static void test_msg(const char *msg, int result) printf("%s...%s\n", msg, result ? "successful" : Fail("Failed!")); } +/* Table of IDs for POST translating between NIDs and names */ + +typedef struct + { + int id; + const char *name; + } POST_ID; + +POST_ID id_list[] = { + {NID_sha1, "SHA1"}, + {NID_sha224, "SHA224"}, + {NID_sha256, "SHA256"}, + {NID_sha384, "SHA384"}, + {NID_sha512, "SHA512"}, + {EVP_PKEY_RSA, "RSA"}, + {EVP_PKEY_DSA, "DSA"}, + {EVP_PKEY_EC, "ECDSA"}, + {NID_aes_128_cbc, "AES-128-CBC"}, + {NID_aes_192_cbc, "AES-192-CBC"}, + {NID_aes_256_cbc, "AES-256-CBC"}, + {NID_aes_128_ctr, "AES-128-CTR"}, + {NID_aes_192_ctr, "AES-192-CTR"}, + {NID_aes_256_ctr, "AES-256-CTR"}, + {NID_aes_128_ecb, "AES-128-ECB"}, + {NID_aes_128_xts, "AES-128-XTS"}, + {NID_aes_256_xts, "AES-256-XTS"}, + {NID_des_ede3_cbc, "DES-EDE3-CBC"}, + {NID_des_ede3_ecb, "DES-EDE3-ECB"}, + {0, NULL} +}; + +static const char *lookup_id(int id) + { + POST_ID *n; + static char out[40]; + for (n = id_list; n->name; n++) + { + if (n->id == id) + return n->name; + } + sprintf(out, "ID=%d", id); + return out; + } + +static int fail_id = -1; +static int fail_sub = -1; +static int fail_key = -1; + +static int post_cb(int op, int id, int subid, void *ex) + { + const char *idstr, *exstr = ""; + char asctmp[20]; + int keytype = -1; +#ifdef FIPS_POST_TIME + static struct timespec start, end, tstart, tend; +#endif + switch(id) + { + case FIPS_TEST_INTEGRITY: + idstr = "Integrity"; + break; + + case FIPS_TEST_DIGEST: + idstr = "Digest"; + exstr = lookup_id(subid); + break; + + case FIPS_TEST_CIPHER: + exstr = lookup_id(subid); + idstr = "Cipher"; + break; + + case FIPS_TEST_SIGNATURE: + if (ex) + { + EVP_PKEY *pkey = ex; + keytype = pkey->type; + exstr = lookup_id(keytype); + } + idstr = "Signature"; + break; + + case FIPS_TEST_HMAC: + exstr = lookup_id(subid); + idstr = "HMAC"; + break; + + case FIPS_TEST_CMAC: + idstr = "CMAC"; + exstr = lookup_id(subid); + break; + + case 
FIPS_TEST_GCM: + idstr = "GCM"; + break; + + case FIPS_TEST_XTS: + idstr = "XTS"; + exstr = lookup_id(subid); + break; + + case FIPS_TEST_CCM: + idstr = "CCM"; + break; + + case FIPS_TEST_X931: + idstr = "X9.31 PRNG"; + sprintf(asctmp, "keylen=%d", subid); + exstr = asctmp; + break; + + case FIPS_TEST_DRBG: + idstr = "DRBG"; + if (*(int *)ex & DRBG_FLAG_CTR_USE_DF) + { + sprintf(asctmp, "%s DF", lookup_id(subid)); + exstr = asctmp; + } + else + exstr = lookup_id(subid); + break; + + case FIPS_TEST_PAIRWISE: + if (ex) + { + EVP_PKEY *pkey = ex; + keytype = pkey->type; + exstr = lookup_id(keytype); + } + idstr = "Pairwise Consistency"; + break; + + case FIPS_TEST_CONTINUOUS: + idstr = "Continuous PRNG"; + break; + + default: + idstr = "Unknown"; + break; + + } + + switch(op) + { + case FIPS_POST_BEGIN: +#ifdef FIPS_POST_TIME + clock_getres(CLOCK_REALTIME, &tstart); + printf("\tTimer resolution %ld s, %ld ns\n", + (long)tstart.tv_sec, (long)tstart.tv_nsec); + clock_gettime(CLOCK_REALTIME, &tstart); +#endif + printf("\tPOST started\n"); + break; + + case FIPS_POST_END: + printf("\tPOST %s\n", id ? 
"Success" : "Failed"); +#ifdef FIPS_POST_TIME + clock_gettime(CLOCK_REALTIME, &tend); + printf("\t\tTook %f seconds\n", + (double)((tend.tv_sec+tend.tv_nsec*1e-9) + - (tstart.tv_sec+tstart.tv_nsec*1e-9))); +#endif + break; + + case FIPS_POST_STARTED: + printf("\t\t%s %s test started\n", idstr, exstr); +#ifdef FIPS_POST_TIME + clock_gettime(CLOCK_REALTIME, &start); +#endif + break; + + case FIPS_POST_SUCCESS: + printf("\t\t%s %s test OK\n", idstr, exstr); +#ifdef FIPS_POST_TIME + clock_gettime(CLOCK_REALTIME, &end); + printf("\t\t\tTook %f seconds\n", + (double)((end.tv_sec+end.tv_nsec*1e-9) + - (start.tv_sec+start.tv_nsec*1e-9))); +#endif + break; + + case FIPS_POST_FAIL: + printf("\t\t%s %s test FAILED!!\n", idstr, exstr); + break; + + case FIPS_POST_CORRUPT: + if (fail_id == id + && (fail_key == -1 || fail_key == keytype) + && (fail_sub == -1 || fail_sub == subid)) + { + printf("\t\t%s %s test failure induced\n", idstr, exstr); + return 0; + } + break; + + } + return 1; + } + int main(int argc,char **argv) { - - int do_corrupt_rsa_keygen = 0, do_corrupt_dsa_keygen = 0; int bad_rsa = 0, bad_dsa = 0; int do_rng_stick = 0; + int do_drbg_stick = 0; int no_exit = 0; - fips_algtest_init_nofips(); - printf("\tFIPS-mode test application\n\n"); + FIPS_post_set_callback(post_cb); - /* Load entropy from external file, if any */ - RAND_load_file(".rnd", 1024); + printf("\tFIPS-mode test application\n\n"); if (argv[1]) { /* Corrupted KAT tests */ - if (!strcmp(argv[1], "aes")) { - FIPS_corrupt_aes(); - printf("AES encryption/decryption with corrupted KAT...\n"); + if (!strcmp(argv[1], "integrity")) { + fail_id = FIPS_TEST_INTEGRITY; + } else if (!strcmp(argv[1], "aes")) { + fail_id = FIPS_TEST_CIPHER; + fail_sub = NID_aes_128_ecb; + } else if (!strcmp(argv[1], "aes-ccm")) { + fail_id = FIPS_TEST_CCM; } else if (!strcmp(argv[1], "aes-gcm")) { - FIPS_corrupt_aes_gcm(); - printf("AES-GCM encryption/decryption with corrupted KAT...\n"); + fail_id = FIPS_TEST_GCM; + } else if 
(!strcmp(argv[1], "aes-xts")) { + fail_id = FIPS_TEST_XTS; } else if (!strcmp(argv[1], "des")) { - FIPS_corrupt_des(); - printf("DES3-ECB encryption/decryption with corrupted KAT...\n"); + fail_id = FIPS_TEST_CIPHER; + fail_sub = NID_des_ede3_ecb; } else if (!strcmp(argv[1], "dsa")) { - FIPS_corrupt_dsa(); - printf("DSA key generation and signature validation with corrupted KAT...\n"); + fail_id = FIPS_TEST_SIGNATURE; + fail_key = EVP_PKEY_DSA; } else if (!strcmp(argv[1], "ecdsa")) { - FIPS_corrupt_ecdsa(); - printf("ECDSA key generation and signature validation with corrupted KAT...\n"); + fail_id = FIPS_TEST_SIGNATURE; + fail_key = EVP_PKEY_EC; } else if (!strcmp(argv[1], "rsa")) { - FIPS_corrupt_rsa(); - printf("RSA key generation and signature validation with corrupted KAT...\n"); + fail_id = FIPS_TEST_SIGNATURE; + fail_key = EVP_PKEY_RSA; } else if (!strcmp(argv[1], "rsakey")) { printf("RSA key generation and signature validation with corrupted key...\n"); bad_rsa = 1; no_exit = 1; } else if (!strcmp(argv[1], "rsakeygen")) { - do_corrupt_rsa_keygen = 1; + fail_id = FIPS_TEST_PAIRWISE; + fail_key = EVP_PKEY_RSA; no_exit = 1; - printf("RSA key generation and signature validation with corrupted keygen...\n"); } else if (!strcmp(argv[1], "dsakey")) { printf("DSA key generation and signature validation with corrupted key...\n"); bad_dsa = 1; no_exit = 1; } else if (!strcmp(argv[1], "dsakeygen")) { - do_corrupt_dsa_keygen = 1; + fail_id = FIPS_TEST_PAIRWISE; + fail_key = EVP_PKEY_DSA; no_exit = 1; - printf("DSA key generation and signature validation with corrupted keygen...\n"); } else if (!strcmp(argv[1], "sha1")) { - FIPS_corrupt_sha1(); - printf("SHA-1 hash with corrupted KAT...\n"); + fail_id = FIPS_TEST_DIGEST; + } else if (!strcmp(argv[1], "hmac")) { + fail_id = FIPS_TEST_HMAC; + } else if (!strcmp(argv[1], "cmac")) { + fail_id = FIPS_TEST_CMAC; } else if (!strcmp(argv[1], "drbg")) { - FIPS_corrupt_drbg(); + fail_id = FIPS_TEST_DRBG; } else if 
(!strcmp(argv[1], "rng")) { - FIPS_corrupt_rng(); + fail_id = FIPS_TEST_X931; + } else if (!strcmp(argv[1], "post")) { + fail_id = -1; } else if (!strcmp(argv[1], "rngstick")) { do_rng_stick = 1; no_exit = 1; printf("RNG test with stuck continuous test...\n"); + } else if (!strcmp(argv[1], "drbgentstick")) { + do_entropy_stick(); + } else if (!strcmp(argv[1], "drbgstick")) { + do_drbg_stick = 1; + no_exit = 1; + printf("DRBG test with stuck continuous test...\n"); } else { printf("Bad argument \"%s\"\n", argv[1]); exit(1); } if (!no_exit) { - if (!FIPS_mode_set(1)) { + fips_algtest_init_nofips(); + if (!FIPS_module_mode_set(1)) { printf("Power-up self test failed\n"); exit(1); } @@ -741,6 +954,8 @@ int main(int argc,char **argv) } } + fips_algtest_init_nofips(); + /* Non-Approved cryptographic operation */ printf("1. Non-Approved cryptographic operation test...\n"); @@ -749,15 +964,13 @@ int main(int argc,char **argv) /* Power-up self test */ ERR_clear_error(); - test_msg("2. Automatic power-up self test", FIPS_mode_set(1)); - if (!FIPS_mode()) + test_msg("2. Automatic power-up self test", FIPS_module_mode_set(1)); + if (!FIPS_module_mode()) exit(1); - if (do_corrupt_dsa_keygen) - FIPS_corrupt_dsa_keygen(); - if (do_corrupt_rsa_keygen) - FIPS_corrupt_rsa_keygen(); + if (do_drbg_stick) + FIPS_drbg_stick(); if (do_rng_stick) - FIPS_rng_stick(); + FIPS_x931_stick(); /* AES encryption/decryption */
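Review bot: In `post_cb`, the `FIPS_TEST_DRBG` case dereferences `ex` unconditionally (`*(int *)ex & DRBG_FLAG_CTR_USE_DF`), while the `FIPS_TEST_SIGNATURE` and `FIPS_TEST_PAIRWISE` cases guard the same pointer with `if (ex)`. Unless the module guarantees a non-NULL flags pointer for DRBG events, which this hunk does not show, the callback would crash in the middle of the self test; I would write `if (ex && (*(int *)ex & DRBG_FLAG_CTR_USE_DF))`. The two `sprintf` calls into `char asctmp[20]` fit only by a narrow margin (`"keylen=%d"` needs up to 19 bytes for a negative 32-bit `subid`), so a bounded formatter passed `sizeof asctmp` would keep a later, longer entry in `id_list` from overrunning the stack buffer. `id_list` is never written in the visible code and could be declared `static const`. `post_cb` is complete in this hunk, but `main` continues past its end.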
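Review bot: The `FIPS_drbg_stick()` and `FIPS_x931_stick()` calls placed after the power-up self test look like deliberate fault-injection switches, but nothing at the call site says so. A one-line comment above `if (do_drbg_stick)`, for example `/* Fault injection: make the continuous PRNG tests see stuck output */`, would tell a reader that the later failures are intended. That reading is inferred from the function names and from the "stuck continuous test" messages printed for the `drbgstick` and `rngstick` arguments; the definitions are outside this diff, so the wording should be confirmed against them. `main` starts and ends outside this hunk.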