fips_test_suite.c 27 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043
  1. /* ====================================================================
  2. * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
  3. *
  4. *
  5. * This command is intended as a test driver for the FIPS-140 testing
  6. * lab performing FIPS-140 validation. It demonstrates the use of the
  7. * OpenSSL library ito perform a variety of common cryptographic
  8. * functions. A power-up self test is demonstrated by deliberately
  9. * pointing to an invalid executable hash
  10. *
  11. * Contributed by Steve Marquess.
  12. *
  13. */
  14. #define OPENSSL_FIPSAPI
  15. #include <stdio.h>
  16. #include <assert.h>
  17. #include <ctype.h>
  18. #include <string.h>
  19. #include <stdlib.h>
  20. #include <openssl/evp.h>
  21. #include <openssl/hmac.h>
  22. #include <openssl/cmac.h>
  23. #include <openssl/sha.h>
  24. #include <openssl/err.h>
  25. #include <openssl/bn.h>
  26. #include <openssl/rand.h>
  27. #ifndef OPENSSL_FIPS
  28. int main(int argc, char *argv[])
  29. {
  30. printf("No FIPS support\n");
  31. return(0);
  32. }
  33. #else
  34. #define ERR_clear_error() while(0)
  35. #include <openssl/rsa.h>
  36. #include <openssl/dsa.h>
  37. #include <openssl/dh.h>
  38. #include <openssl/fips.h>
  39. #include "fips_utl.h"
  40. /* AES: encrypt and decrypt known plaintext, verify result matches original plaintext
  41. */
  42. static int FIPS_aes_test(void)
  43. {
  44. int ret = 0;
  45. unsigned char pltmp[16];
  46. unsigned char citmp[16];
  47. unsigned char key[16] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
  48. unsigned char plaintext[16] = "etaonrishdlcu";
  49. EVP_CIPHER_CTX ctx;
  50. FIPS_cipher_ctx_init(&ctx);
  51. if (FIPS_cipherinit(&ctx, EVP_aes_128_ecb(), key, NULL, 1) <= 0)
  52. goto err;
  53. FIPS_cipher(&ctx, citmp, plaintext, 16);
  54. if (FIPS_cipherinit(&ctx, EVP_aes_128_ecb(), key, NULL, 0) <= 0)
  55. goto err;
  56. FIPS_cipher(&ctx, pltmp, citmp, 16);
  57. if (memcmp(pltmp, plaintext, 16))
  58. goto err;
  59. ret = 1;
  60. err:
  61. FIPS_cipher_ctx_cleanup(&ctx);
  62. return ret;
  63. }
  64. static int FIPS_aes_gcm_test(void)
  65. {
  66. int ret = 0;
  67. unsigned char pltmp[16];
  68. unsigned char citmp[16];
  69. unsigned char tagtmp[16];
  70. unsigned char key[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
  71. unsigned char iv[16] = {21,22,23,24,25,26,27,28,29,30,31,32};
  72. unsigned char aad[] = "Some text AAD";
  73. unsigned char plaintext[16] = "etaonrishdlcu";
  74. EVP_CIPHER_CTX ctx;
  75. FIPS_cipher_ctx_init(&ctx);
  76. if (FIPS_cipherinit(&ctx, EVP_aes_128_gcm(), key, iv, 1) <= 0)
  77. goto err;
  78. FIPS_cipher(&ctx, NULL, aad, sizeof(aad));
  79. FIPS_cipher(&ctx, citmp, plaintext, 16);
  80. FIPS_cipher(&ctx, NULL, NULL, 0);
  81. if (!FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, 16, tagtmp))
  82. goto err;
  83. if (FIPS_cipherinit(&ctx, EVP_aes_128_gcm(), key, iv, 0) <= 0)
  84. goto err;
  85. if (!FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, 16, tagtmp))
  86. goto err;
  87. FIPS_cipher(&ctx, NULL, aad, sizeof(aad));
  88. FIPS_cipher(&ctx, pltmp, citmp, 16);
  89. if (FIPS_cipher(&ctx, NULL, NULL, 0) < 0)
  90. goto err;
  91. if (memcmp(pltmp, plaintext, 16))
  92. goto err;
  93. ret = 1;
  94. err:
  95. FIPS_cipher_ctx_cleanup(&ctx);
  96. return ret;
  97. }
  98. static int FIPS_des3_test(void)
  99. {
  100. int ret = 0;
  101. unsigned char pltmp[8];
  102. unsigned char citmp[8];
  103. unsigned char key[] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,
  104. 19,20,21,22,23,24};
  105. unsigned char plaintext[] = { 'e', 't', 'a', 'o', 'n', 'r', 'i', 's' };
  106. EVP_CIPHER_CTX ctx;
  107. FIPS_cipher_ctx_init(&ctx);
  108. if (FIPS_cipherinit(&ctx, EVP_des_ede3_ecb(), key, NULL, 1) <= 0)
  109. goto err;
  110. FIPS_cipher(&ctx, citmp, plaintext, 8);
  111. if (FIPS_cipherinit(&ctx, EVP_des_ede3_ecb(), key, NULL, 0) <= 0)
  112. goto err;
  113. FIPS_cipher(&ctx, pltmp, citmp, 8);
  114. if (memcmp(pltmp, plaintext, 8))
  115. goto err;
  116. ret = 1;
  117. err:
  118. FIPS_cipher_ctx_cleanup(&ctx);
  119. return ret;
  120. }
  121. /*
  122. * DSA: generate keys and sign, verify input plaintext.
  123. */
  124. static int FIPS_dsa_test(int bad)
  125. {
  126. DSA *dsa = NULL;
  127. unsigned char dgst[] = "etaonrishdlc";
  128. int r = 0;
  129. EVP_MD_CTX mctx;
  130. DSA_SIG *sig = NULL;
  131. ERR_clear_error();
  132. FIPS_md_ctx_init(&mctx);
  133. dsa = FIPS_dsa_new();
  134. if (!dsa)
  135. goto end;
  136. if (!DSA_generate_parameters_ex(dsa, 1024,NULL,0,NULL,NULL,NULL))
  137. goto end;
  138. if (!DSA_generate_key(dsa))
  139. goto end;
  140. if (bad)
  141. BN_add_word(dsa->pub_key, 1);
  142. if (!FIPS_digestinit(&mctx, EVP_sha256()))
  143. goto end;
  144. if (!FIPS_digestupdate(&mctx, dgst, sizeof(dgst) - 1))
  145. goto end;
  146. sig = FIPS_dsa_sign_ctx(dsa, &mctx);
  147. if (!sig)
  148. goto end;
  149. if (!FIPS_digestinit(&mctx, EVP_sha256()))
  150. goto end;
  151. if (!FIPS_digestupdate(&mctx, dgst, sizeof(dgst) - 1))
  152. goto end;
  153. r = FIPS_dsa_verify_ctx(dsa, &mctx, sig);
  154. end:
  155. if (sig)
  156. FIPS_dsa_sig_free(sig);
  157. FIPS_md_ctx_cleanup(&mctx);
  158. if (dsa)
  159. FIPS_dsa_free(dsa);
  160. if (r != 1)
  161. return 0;
  162. return 1;
  163. }
  164. /*
  165. * RSA: generate keys and sign, verify input plaintext.
  166. */
  167. static int FIPS_rsa_test(int bad)
  168. {
  169. RSA *key;
  170. unsigned char input_ptext[] = "etaonrishdlc";
  171. unsigned char buf[256];
  172. unsigned int slen;
  173. BIGNUM *bn;
  174. EVP_MD_CTX mctx;
  175. int r = 0;
  176. ERR_clear_error();
  177. FIPS_md_ctx_init(&mctx);
  178. key = FIPS_rsa_new();
  179. bn = BN_new();
  180. if (!key || !bn)
  181. return 0;
  182. BN_set_word(bn, 65537);
  183. if (!RSA_generate_key_ex(key, 2048,bn,NULL))
  184. return 0;
  185. BN_free(bn);
  186. if (bad)
  187. BN_add_word(key->n, 1);
  188. if (!FIPS_digestinit(&mctx, EVP_sha256()))
  189. goto end;
  190. if (!FIPS_digestupdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
  191. goto end;
  192. if (!FIPS_rsa_sign_ctx(key, &mctx, RSA_PKCS1_PADDING, 0, NULL, buf, &slen))
  193. goto end;
  194. if (!FIPS_digestinit(&mctx, EVP_sha256()))
  195. goto end;
  196. if (!FIPS_digestupdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
  197. goto end;
  198. r = FIPS_rsa_verify_ctx(key, &mctx, RSA_PKCS1_PADDING, 0, NULL, buf, slen);
  199. end:
  200. FIPS_md_ctx_cleanup(&mctx);
  201. if (key)
  202. FIPS_rsa_free(key);
  203. if (r != 1)
  204. return 0;
  205. return 1;
  206. }
  207. /* SHA1: generate hash of known digest value and compare to known
  208. precomputed correct hash
  209. */
  210. static int FIPS_sha1_test()
  211. {
  212. unsigned char digest[SHA_DIGEST_LENGTH] =
  213. { 0x11, 0xf1, 0x9a, 0x3a, 0xec, 0x1a, 0x1e, 0x8e, 0x65, 0xd4, 0x9a, 0x38, 0x0c, 0x8b, 0x1e, 0x2c, 0xe8, 0xb3, 0xc5, 0x18 };
  214. unsigned char str[] = "etaonrishd";
  215. unsigned char md[SHA_DIGEST_LENGTH];
  216. ERR_clear_error();
  217. if (!FIPS_digest(str,sizeof(str) - 1,md, NULL, EVP_sha1())) return 0;
  218. if (memcmp(md,digest,sizeof(md)))
  219. return 0;
  220. return 1;
  221. }
  222. /* SHA256: generate hash of known digest value and compare to known
  223. precomputed correct hash
  224. */
  225. static int FIPS_sha256_test()
  226. {
  227. unsigned char digest[SHA256_DIGEST_LENGTH] =
  228. {0xf5, 0x53, 0xcd, 0xb8, 0xcf, 0x1, 0xee, 0x17, 0x9b, 0x93, 0xc9, 0x68, 0xc0, 0xea, 0x40, 0x91,
  229. 0x6, 0xec, 0x8e, 0x11, 0x96, 0xc8, 0x5d, 0x1c, 0xaf, 0x64, 0x22, 0xe6, 0x50, 0x4f, 0x47, 0x57};
  230. unsigned char str[] = "etaonrishd";
  231. unsigned char md[SHA256_DIGEST_LENGTH];
  232. ERR_clear_error();
  233. if (!FIPS_digest(str,sizeof(str) - 1,md, NULL, EVP_sha256())) return 0;
  234. if (memcmp(md,digest,sizeof(md)))
  235. return 0;
  236. return 1;
  237. }
  238. /* SHA512: generate hash of known digest value and compare to known
  239. precomputed correct hash
  240. */
  241. static int FIPS_sha512_test()
  242. {
  243. unsigned char digest[SHA512_DIGEST_LENGTH] =
  244. {0x99, 0xc9, 0xe9, 0x5b, 0x88, 0xd4, 0x78, 0x88, 0xdf, 0x88, 0x5f, 0x94, 0x71, 0x64, 0x28, 0xca,
  245. 0x16, 0x1f, 0x3d, 0xf4, 0x1f, 0xf3, 0x0f, 0xc5, 0x03, 0x99, 0xb2, 0xd0, 0xe7, 0x0b, 0x94, 0x4a,
  246. 0x45, 0xd2, 0x6c, 0x4f, 0x20, 0x06, 0xef, 0x71, 0xa9, 0x25, 0x7f, 0x24, 0xb1, 0xd9, 0x40, 0x22,
  247. 0x49, 0x54, 0x10, 0xc2, 0x22, 0x9d, 0x27, 0xfe, 0xbd, 0xd6, 0xd6, 0xeb, 0x2d, 0x42, 0x1d, 0xa3};
  248. unsigned char str[] = "etaonrishd";
  249. unsigned char md[SHA512_DIGEST_LENGTH];
  250. ERR_clear_error();
  251. if (!FIPS_digest(str,sizeof(str) - 1,md, NULL, EVP_sha512())) return 0;
  252. if (memcmp(md,digest,sizeof(md)))
  253. return 0;
  254. return 1;
  255. }
  256. /* HMAC-SHA1: generate hash of known digest value and compare to known
  257. precomputed correct hash
  258. */
  259. static int FIPS_hmac_sha1_test()
  260. {
  261. unsigned char key[] = "etaonrishd";
  262. unsigned char iv[] = "Sample text";
  263. unsigned char kaval[EVP_MAX_MD_SIZE] =
  264. {0x73, 0xf7, 0xa0, 0x48, 0xf8, 0x94, 0xed, 0xdd, 0x0a, 0xea, 0xea, 0x56, 0x1b, 0x61, 0x2e, 0x70,
  265. 0xb2, 0xfb, 0xec, 0xc6};
  266. unsigned char out[EVP_MAX_MD_SIZE];
  267. unsigned int outlen;
  268. ERR_clear_error();
  269. if (!HMAC(EVP_sha1(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
  270. if (memcmp(out,kaval,outlen))
  271. return 0;
  272. return 1;
  273. }
  274. /* HMAC-SHA224: generate hash of known digest value and compare to known
  275. precomputed correct hash
  276. */
  277. static int FIPS_hmac_sha224_test()
  278. {
  279. unsigned char key[] = "etaonrishd";
  280. unsigned char iv[] = "Sample text";
  281. unsigned char kaval[EVP_MAX_MD_SIZE] =
  282. {0x75, 0x58, 0xd5, 0xbd, 0x55, 0x6d, 0x87, 0x0f, 0x75, 0xff, 0xbe, 0x1c, 0xb2, 0xf0, 0x20, 0x35,
  283. 0xe5, 0x62, 0x49, 0xb6, 0x94, 0xb9, 0xfc, 0x65, 0x34, 0x33, 0x3a, 0x19};
  284. unsigned char out[EVP_MAX_MD_SIZE];
  285. unsigned int outlen;
  286. ERR_clear_error();
  287. if (!HMAC(EVP_sha224(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
  288. if (memcmp(out,kaval,outlen))
  289. return 0;
  290. return 1;
  291. }
  292. /* HMAC-SHA256: generate hash of known digest value and compare to known
  293. precomputed correct hash
  294. */
  295. static int FIPS_hmac_sha256_test()
  296. {
  297. unsigned char key[] = "etaonrishd";
  298. unsigned char iv[] = "Sample text";
  299. unsigned char kaval[EVP_MAX_MD_SIZE] =
  300. {0xe9, 0x17, 0xc1, 0x7b, 0x4c, 0x6b, 0x77, 0xda, 0xd2, 0x30, 0x36, 0x02, 0xf5, 0x72, 0x33, 0x87,
  301. 0x9f, 0xc6, 0x6e, 0x7b, 0x7e, 0xa8, 0xea, 0xaa, 0x9f, 0xba, 0xee, 0x51, 0xff, 0xda, 0x24, 0xf4};
  302. unsigned char out[EVP_MAX_MD_SIZE];
  303. unsigned int outlen;
  304. ERR_clear_error();
  305. if (!HMAC(EVP_sha256(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
  306. if (memcmp(out,kaval,outlen))
  307. return 0;
  308. return 1;
  309. }
  310. /* HMAC-SHA384: generate hash of known digest value and compare to known
  311. precomputed correct hash
  312. */
  313. static int FIPS_hmac_sha384_test()
  314. {
  315. unsigned char key[] = "etaonrishd";
  316. unsigned char iv[] = "Sample text";
  317. unsigned char kaval[EVP_MAX_MD_SIZE] =
  318. {0xb2, 0x9d, 0x40, 0x58, 0x32, 0xc4, 0xe3, 0x31, 0xb6, 0x63, 0x08, 0x26, 0x99, 0xef, 0x3b, 0x10,
  319. 0xe2, 0xdf, 0xf8, 0xff, 0xc6, 0xe1, 0x03, 0x29, 0x81, 0x2a, 0x1b, 0xac, 0xb0, 0x07, 0x39, 0x08,
  320. 0xf3, 0x91, 0x35, 0x11, 0x76, 0xd6, 0x4c, 0x20, 0xfb, 0x4d, 0xc3, 0xf3, 0xb8, 0x9b, 0x88, 0x1c};
  321. unsigned char out[EVP_MAX_MD_SIZE];
  322. unsigned int outlen;
  323. ERR_clear_error();
  324. if (!HMAC(EVP_sha384(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
  325. if (memcmp(out,kaval,outlen))
  326. return 0;
  327. return 1;
  328. }
  329. /* HMAC-SHA512: generate hash of known digest value and compare to known
  330. precomputed correct hash
  331. */
  332. static int FIPS_hmac_sha512_test()
  333. {
  334. unsigned char key[] = "etaonrishd";
  335. unsigned char iv[] = "Sample text";
  336. unsigned char kaval[EVP_MAX_MD_SIZE] =
  337. {0xcd, 0x3e, 0xb9, 0x51, 0xb8, 0xbc, 0x7f, 0x9a, 0x23, 0xaf, 0xf3, 0x77, 0x59, 0x85, 0xa9, 0xe6,
  338. 0xf7, 0xd1, 0x51, 0x96, 0x17, 0xe0, 0x92, 0xd8, 0xa6, 0x3b, 0xc1, 0xad, 0x7e, 0x24, 0xca, 0xb1,
  339. 0xd7, 0x79, 0x0a, 0xa5, 0xea, 0x2c, 0x02, 0x58, 0x0b, 0xa6, 0x52, 0x6b, 0x61, 0x7f, 0xeb, 0x9c,
  340. 0x47, 0x86, 0x5d, 0x74, 0x2b, 0x88, 0xdf, 0xee, 0x46, 0x69, 0x96, 0x3d, 0xa6, 0xd9, 0x2a, 0x53};
  341. unsigned char out[EVP_MAX_MD_SIZE];
  342. unsigned int outlen;
  343. ERR_clear_error();
  344. if (!HMAC(EVP_sha512(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
  345. if (memcmp(out,kaval,outlen))
  346. return 0;
  347. return 1;
  348. }
  349. /* CMAC-AES128: generate hash of known digest value and compare to known
  350. precomputed correct hash
  351. */
  352. static int FIPS_cmac_aes128_test()
  353. {
  354. unsigned char key[16] = { 0x2b,0x7e,0x15,0x16, 0x28,0xae,0xd2,0xa6,
  355. 0xab,0xf7,0x15,0x88, 0x09,0xcf,0x4f,0x3c, };
  356. unsigned char data[] = "Sample text";
  357. unsigned char kaval[EVP_MAX_MD_SIZE] =
  358. { 0x16,0x83,0xfe,0xac, 0x52,0x9b,0xae,0x23,
  359. 0xd7,0xd5,0x66,0xf5, 0xd2,0x8d,0xbd,0x2a, };
  360. unsigned char *out = NULL;
  361. size_t outlen;
  362. CMAC_CTX *ctx = CMAC_CTX_new();
  363. int r = 0;
  364. ERR_clear_error();
  365. if (!ctx)
  366. goto end;
  367. if (!CMAC_Init(ctx,key,sizeof(key),EVP_aes_128_cbc(),NULL))
  368. goto end;
  369. if (!CMAC_Update(ctx,data,sizeof(data)-1))
  370. goto end;
  371. /* This should return 1. If not, there's a programming error... */
  372. if (!CMAC_Final(ctx, out, &outlen))
  373. goto end;
  374. out = OPENSSL_malloc(outlen);
  375. if (!CMAC_Final(ctx, out, &outlen))
  376. goto end;
  377. #if 0
  378. {
  379. char *hexout = OPENSSL_malloc(outlen * 2 + 1);
  380. bin2hex(out, outlen, hexout);
  381. printf("CMAC-AES128: res = %s\n", hexout);
  382. OPENSSL_free(hexout);
  383. }
  384. r = 1;
  385. #else
  386. if (!memcmp(out,kaval,outlen))
  387. r = 1;
  388. #endif
  389. end:
  390. CMAC_CTX_free(ctx);
  391. if (out)
  392. OPENSSL_free(out);
  393. return r;
  394. }
  395. /* CMAC-AES192: generate hash of known digest value and compare to known
  396. precomputed correct hash
  397. */
  398. static int FIPS_cmac_aes192_test()
  399. {
  400. unsigned char key[] = { 0x8e,0x73,0xb0,0xf7, 0xda,0x0e,0x64,0x52,
  401. 0xc8,0x10,0xf3,0x2b, 0x80,0x90,0x79,0xe5,
  402. 0x62,0xf8,0xea,0xd2, 0x52,0x2c,0x6b,0x7b, };
  403. unsigned char data[] = "Sample text";
  404. unsigned char kaval[] =
  405. { 0xd6,0x99,0x19,0x25, 0xe5,0x1d,0x95,0x48,
  406. 0xb1,0x4a,0x0b,0xf2, 0xc6,0x3c,0x47,0x1f, };
  407. unsigned char *out = NULL;
  408. size_t outlen;
  409. CMAC_CTX *ctx = CMAC_CTX_new();
  410. int r = 0;
  411. ERR_clear_error();
  412. if (!ctx)
  413. goto end;
  414. if (!CMAC_Init(ctx,key,sizeof(key),EVP_aes_192_cbc(),NULL))
  415. goto end;
  416. if (!CMAC_Update(ctx,data,sizeof(data)-1))
  417. goto end;
  418. /* This should return 1. If not, there's a programming error... */
  419. if (!CMAC_Final(ctx, out, &outlen))
  420. goto end;
  421. out = OPENSSL_malloc(outlen);
  422. if (!CMAC_Final(ctx, out, &outlen))
  423. goto end;
  424. #if 0
  425. {
  426. char *hexout = OPENSSL_malloc(outlen * 2 + 1);
  427. bin2hex(out, outlen, hexout);
  428. printf("CMAC-AES192: res = %s\n", hexout);
  429. OPENSSL_free(hexout);
  430. }
  431. r = 1;
  432. #else
  433. if (!memcmp(out,kaval,outlen))
  434. r = 1;
  435. #endif
  436. end:
  437. CMAC_CTX_free(ctx);
  438. if (out)
  439. OPENSSL_free(out);
  440. return r;
  441. }
  442. /* CMAC-AES256: generate hash of known digest value and compare to known
  443. precomputed correct hash
  444. */
  445. static int FIPS_cmac_aes256_test()
  446. {
  447. unsigned char key[] = { 0x60,0x3d,0xeb,0x10, 0x15,0xca,0x71,0xbe,
  448. 0x2b,0x73,0xae,0xf0, 0x85,0x7d,0x77,0x81,
  449. 0x1f,0x35,0x2c,0x07, 0x3b,0x61,0x08,0xd7,
  450. 0x2d,0x98,0x10,0xa3, 0x09,0x14,0xdf,0xf4, };
  451. unsigned char data[] = "Sample text";
  452. unsigned char kaval[] =
  453. { 0xec,0xc2,0xcf,0x63, 0xc7,0xce,0xfc,0xa4,
  454. 0xb0,0x86,0x37,0x5f, 0x15,0x60,0xba,0x1f, };
  455. unsigned char *out = NULL;
  456. size_t outlen;
  457. CMAC_CTX *ctx = CMAC_CTX_new();
  458. int r = 0;
  459. ERR_clear_error();
  460. if (!ctx)
  461. goto end;
  462. if (!CMAC_Init(ctx,key,sizeof(key),EVP_aes_256_cbc(),NULL))
  463. goto end;
  464. if (!CMAC_Update(ctx,data,sizeof(data)-1))
  465. goto end;
  466. /* This should return 1. If not, there's a programming error... */
  467. if (!CMAC_Final(ctx, out, &outlen))
  468. goto end;
  469. out = OPENSSL_malloc(outlen);
  470. if (!CMAC_Final(ctx, out, &outlen))
  471. goto end;
  472. #if 0
  473. {
  474. char *hexout = OPENSSL_malloc(outlen * 2 + 1);
  475. bin2hex(out, outlen, hexout);
  476. printf("CMAC-AES256: res = %s\n", hexout);
  477. OPENSSL_free(hexout);
  478. }
  479. r = 1;
  480. #else
  481. if (!memcmp(out,kaval,outlen))
  482. r = 1;
  483. #endif
  484. end:
  485. CMAC_CTX_free(ctx);
  486. if (out)
  487. OPENSSL_free(out);
  488. return r;
  489. }
  490. /* CMAC-TDEA3: generate hash of known digest value and compare to known
  491. precomputed correct hash
  492. */
  493. static int FIPS_cmac_tdea3_test()
  494. {
  495. unsigned char key[] = { 0x8a,0xa8,0x3b,0xf8, 0xcb,0xda,0x10,0x62,
  496. 0x0b,0xc1,0xbf,0x19, 0xfb,0xb6,0xcd,0x58,
  497. 0xbc,0x31,0x3d,0x4a, 0x37,0x1c,0xa8,0xb5, };
  498. unsigned char data[] = "Sample text";
  499. unsigned char kaval[EVP_MAX_MD_SIZE] =
  500. { 0xb4,0x06,0x4e,0xbf, 0x59,0x89,0xba,0x68, };
  501. unsigned char *out = NULL;
  502. size_t outlen;
  503. CMAC_CTX *ctx = CMAC_CTX_new();
  504. int r = 0;
  505. ERR_clear_error();
  506. if (!ctx)
  507. goto end;
  508. if (!CMAC_Init(ctx,key,sizeof(key),EVP_des_ede3_cbc(),NULL))
  509. goto end;
  510. if (!CMAC_Update(ctx,data,sizeof(data)-1))
  511. goto end;
  512. /* This should return 1. If not, there's a programming error... */
  513. if (!CMAC_Final(ctx, out, &outlen))
  514. goto end;
  515. out = OPENSSL_malloc(outlen);
  516. if (!CMAC_Final(ctx, out, &outlen))
  517. goto end;
  518. #if 0
  519. {
  520. char *hexout = OPENSSL_malloc(outlen * 2 + 1);
  521. bin2hex(out, outlen, hexout);
  522. printf("CMAC-TDEA3: res = %s\n", hexout);
  523. OPENSSL_free(hexout);
  524. }
  525. r = 1;
  526. #else
  527. if (!memcmp(out,kaval,outlen))
  528. r = 1;
  529. #endif
  530. end:
  531. CMAC_CTX_free(ctx);
  532. if (out)
  533. OPENSSL_free(out);
  534. return r;
  535. }
  536. /* DH: generate shared parameters
  537. */
  538. static int dh_test()
  539. {
  540. DH *dh;
  541. ERR_clear_error();
  542. dh = FIPS_dh_new();
  543. if (!dh)
  544. return 0;
  545. if (!DH_generate_parameters_ex(dh, 1024, 2, NULL))
  546. return 0;
  547. FIPS_dh_free(dh);
  548. return 1;
  549. }
  550. /* Zeroize
  551. */
  552. static int Zeroize()
  553. {
  554. RSA *key;
  555. BIGNUM *bn;
  556. unsigned char userkey[16] =
  557. { 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f, 0x83, 0x02, 0xb1, 0x09, 0x68 };
  558. size_t i;
  559. int n;
  560. key = FIPS_rsa_new();
  561. bn = BN_new();
  562. if (!key || !bn)
  563. return 0;
  564. BN_set_word(bn, 65537);
  565. if (!RSA_generate_key_ex(key, 1024,bn,NULL))
  566. return 0;
  567. BN_free(bn);
  568. n = BN_num_bytes(key->d);
  569. printf(" Generated %d byte RSA private key\n", n);
  570. printf("\tBN key before overwriting:\n");
  571. do_bn_print(stdout, key->d);
  572. BN_rand(key->d,n*8,-1,0);
  573. printf("\tBN key after overwriting:\n");
  574. do_bn_print(stdout, key->d);
  575. printf("\tchar buffer key before overwriting: \n\t\t");
  576. for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
  577. printf("\n");
  578. RAND_bytes(userkey, sizeof userkey);
  579. printf("\tchar buffer key after overwriting: \n\t\t");
  580. for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
  581. printf("\n");
  582. return 1;
  583. }
  584. static int Error;
  585. static const char * Fail(const char *msg)
  586. {
  587. Error++;
  588. return msg;
  589. }
  590. static void test_msg(const char *msg, int result)
  591. {
  592. printf("%s...%s\n", msg, result ? "successful" : Fail("Failed!"));
  593. }
  594. /* Table of IDs for POST translating between NIDs and names */
  595. typedef struct
  596. {
  597. int id;
  598. const char *name;
  599. } POST_ID;
  600. POST_ID id_list[] = {
  601. {NID_sha1, "SHA1"},
  602. {NID_sha224, "SHA224"},
  603. {NID_sha256, "SHA256"},
  604. {NID_sha384, "SHA384"},
  605. {NID_sha512, "SHA512"},
  606. {EVP_PKEY_RSA, "RSA"},
  607. {EVP_PKEY_DSA, "DSA"},
  608. {EVP_PKEY_EC, "ECDSA"},
  609. {NID_aes_128_cbc, "AES-128-CBC"},
  610. {NID_aes_192_cbc, "AES-192-CBC"},
  611. {NID_aes_256_cbc, "AES-256-CBC"},
  612. {NID_aes_128_ctr, "AES-128-CTR"},
  613. {NID_aes_192_ctr, "AES-192-CTR"},
  614. {NID_aes_256_ctr, "AES-256-CTR"},
  615. {NID_aes_128_ecb, "AES-128-ECB"},
  616. {NID_aes_128_xts, "AES-128-XTS"},
  617. {NID_aes_256_xts, "AES-256-XTS"},
  618. {NID_des_ede3_cbc, "DES-EDE3-CBC"},
  619. {NID_des_ede3_ecb, "DES-EDE3-ECB"},
  620. {0, NULL}
  621. };
  622. static const char *lookup_id(int id)
  623. {
  624. POST_ID *n;
  625. static char out[40];
  626. for (n = id_list; n->name; n++)
  627. {
  628. if (n->id == id)
  629. return n->name;
  630. }
  631. sprintf(out, "ID=%d", id);
  632. return out;
  633. }
  634. static int fail_id = -1;
  635. static int fail_sub = -1;
  636. static int fail_key = -1;
  637. static int post_cb(int op, int id, int subid, void *ex)
  638. {
  639. const char *idstr, *exstr = "";
  640. char asctmp[20];
  641. int keytype = -1;
  642. switch(id)
  643. {
  644. case FIPS_TEST_INTEGRITY:
  645. idstr = "Integrity";
  646. break;
  647. case FIPS_TEST_DIGEST:
  648. idstr = "Digest";
  649. exstr = lookup_id(subid);
  650. break;
  651. case FIPS_TEST_CIPHER:
  652. exstr = lookup_id(subid);
  653. idstr = "Cipher";
  654. break;
  655. case FIPS_TEST_SIGNATURE:
  656. if (ex)
  657. {
  658. EVP_PKEY *pkey = ex;
  659. keytype = pkey->type;
  660. exstr = lookup_id(keytype);
  661. }
  662. idstr = "Signature";
  663. break;
  664. case FIPS_TEST_HMAC:
  665. exstr = lookup_id(subid);
  666. idstr = "HMAC";
  667. break;
  668. case FIPS_TEST_CMAC:
  669. idstr = "CMAC";
  670. exstr = lookup_id(subid);
  671. break;
  672. case FIPS_TEST_GCM:
  673. idstr = "GCM";
  674. break;
  675. case FIPS_TEST_XTS:
  676. idstr = "XTS";
  677. exstr = lookup_id(subid);
  678. break;
  679. case FIPS_TEST_CCM:
  680. idstr = "CCM";
  681. break;
  682. case FIPS_TEST_X931:
  683. idstr = "X9.31 PRNG";
  684. sprintf(asctmp, "keylen=%d", subid);
  685. exstr = asctmp;
  686. break;
  687. case FIPS_TEST_DRBG:
  688. idstr = "DRBG";
  689. if (*(int *)ex & DRBG_FLAG_CTR_USE_DF)
  690. {
  691. sprintf(asctmp, "%s DF", lookup_id(subid));
  692. exstr = asctmp;
  693. }
  694. else
  695. exstr = lookup_id(subid);
  696. break;
  697. case FIPS_TEST_PAIRWISE:
  698. if (ex)
  699. {
  700. EVP_PKEY *pkey = ex;
  701. keytype = pkey->type;
  702. exstr = lookup_id(keytype);
  703. }
  704. idstr = "Pairwise Consistency";
  705. break;
  706. case FIPS_TEST_CONTINUOUS:
  707. idstr = "Continuous PRNG";
  708. break;
  709. default:
  710. idstr = "Unknown";
  711. break;
  712. }
  713. switch(op)
  714. {
  715. case FIPS_POST_BEGIN:
  716. printf("\tPOST started\n");
  717. break;
  718. case FIPS_POST_END:
  719. printf("\tPOST %s\n", id ? "Success" : "Failed");
  720. break;
  721. case FIPS_POST_STARTED:
  722. printf("\t\t%s %s test started\n", idstr, exstr);
  723. break;
  724. case FIPS_POST_SUCCESS:
  725. printf("\t\t%s %s test OK\n", idstr, exstr);
  726. break;
  727. case FIPS_POST_FAIL:
  728. printf("\t\t%s %s test FAILED!!\n", idstr, exstr);
  729. break;
  730. case FIPS_POST_CORRUPT:
  731. if (fail_id == id
  732. && (fail_key == -1 || fail_key == keytype)
  733. && (fail_sub == -1 || fail_sub == subid))
  734. {
  735. printf("\t\t%s %s test failure induced\n", idstr, exstr);
  736. return 0;
  737. }
  738. break;
  739. }
  740. return 1;
  741. }
  742. int main(int argc,char **argv)
  743. {
  744. int bad_rsa = 0, bad_dsa = 0;
  745. int do_rng_stick = 0;
  746. int do_drbg_stick = 0;
  747. int no_exit = 0;
  748. FIPS_post_set_callback(post_cb);
  749. printf("\tFIPS-mode test application\n\n");
  750. if (argv[1]) {
  751. /* Corrupted KAT tests */
  752. if (!strcmp(argv[1], "integrity")) {
  753. fail_id = FIPS_TEST_INTEGRITY;
  754. } else if (!strcmp(argv[1], "aes")) {
  755. fail_id = FIPS_TEST_CIPHER;
  756. fail_sub = NID_aes_128_ecb;
  757. } else if (!strcmp(argv[1], "aes-ccm")) {
  758. fail_id = FIPS_TEST_CCM;
  759. } else if (!strcmp(argv[1], "aes-gcm")) {
  760. fail_id = FIPS_TEST_GCM;
  761. } else if (!strcmp(argv[1], "aes-xts")) {
  762. fail_id = FIPS_TEST_XTS;
  763. } else if (!strcmp(argv[1], "des")) {
  764. fail_id = FIPS_TEST_CIPHER;
  765. fail_sub = NID_des_ede3_ecb;
  766. } else if (!strcmp(argv[1], "dsa")) {
  767. fail_id = FIPS_TEST_SIGNATURE;
  768. fail_key = EVP_PKEY_DSA;
  769. } else if (!strcmp(argv[1], "ecdsa")) {
  770. fail_id = FIPS_TEST_SIGNATURE;
  771. fail_key = EVP_PKEY_EC;
  772. } else if (!strcmp(argv[1], "rsa")) {
  773. fail_id = FIPS_TEST_SIGNATURE;
  774. fail_key = EVP_PKEY_RSA;
  775. } else if (!strcmp(argv[1], "rsakey")) {
  776. printf("RSA key generation and signature validation with corrupted key...\n");
  777. bad_rsa = 1;
  778. no_exit = 1;
  779. } else if (!strcmp(argv[1], "rsakeygen")) {
  780. fail_id = FIPS_TEST_PAIRWISE;
  781. fail_key = EVP_PKEY_RSA;
  782. no_exit = 1;
  783. } else if (!strcmp(argv[1], "dsakey")) {
  784. printf("DSA key generation and signature validation with corrupted key...\n");
  785. bad_dsa = 1;
  786. no_exit = 1;
  787. } else if (!strcmp(argv[1], "dsakeygen")) {
  788. fail_id = FIPS_TEST_PAIRWISE;
  789. fail_key = EVP_PKEY_DSA;
  790. no_exit = 1;
  791. } else if (!strcmp(argv[1], "sha1")) {
  792. fail_id = FIPS_TEST_DIGEST;
  793. } else if (!strcmp(argv[1], "hmac")) {
  794. fail_id = FIPS_TEST_HMAC;
  795. } else if (!strcmp(argv[1], "cmac")) {
  796. fail_id = FIPS_TEST_CMAC;
  797. } else if (!strcmp(argv[1], "drbg")) {
  798. fail_id = FIPS_TEST_DRBG;
  799. } else if (!strcmp(argv[1], "rng")) {
  800. fail_id = FIPS_TEST_X931;
  801. } else if (!strcmp(argv[1], "post")) {
  802. fail_id = -1;
  803. } else if (!strcmp(argv[1], "rngstick")) {
  804. do_rng_stick = 1;
  805. no_exit = 1;
  806. printf("RNG test with stuck continuous test...\n");
  807. } else if (!strcmp(argv[1], "drbgentstick")) {
  808. do_entropy_stick();
  809. } else if (!strcmp(argv[1], "drbgstick")) {
  810. do_drbg_stick = 1;
  811. no_exit = 1;
  812. printf("DRBG test with stuck continuous test...\n");
  813. } else {
  814. printf("Bad argument \"%s\"\n", argv[1]);
  815. exit(1);
  816. }
  817. if (!no_exit) {
  818. fips_algtest_init_nofips();
  819. if (!FIPS_mode_set(1)) {
  820. printf("Power-up self test failed\n");
  821. exit(1);
  822. }
  823. printf("Power-up self test successful\n");
  824. exit(0);
  825. }
  826. }
  827. fips_algtest_init_nofips();
  828. /* Non-Approved cryptographic operation
  829. */
  830. printf("1. Non-Approved cryptographic operation test...\n");
  831. test_msg("\ta. Included algorithm (D-H)...", dh_test());
  832. /* Power-up self test
  833. */
  834. ERR_clear_error();
  835. test_msg("2. Automatic power-up self test", FIPS_mode_set(1));
  836. if (!FIPS_mode())
  837. exit(1);
  838. if (do_drbg_stick)
  839. FIPS_drbg_stick();
  840. if (do_rng_stick)
  841. FIPS_x931_stick();
  842. /* AES encryption/decryption
  843. */
  844. test_msg("3a. AES encryption/decryption", FIPS_aes_test());
  845. /* AES GCM encryption/decryption
  846. */
  847. test_msg("3b. AES-GCM encryption/decryption", FIPS_aes_gcm_test());
  848. /* RSA key generation and encryption/decryption
  849. */
  850. test_msg("4. RSA key generation and encryption/decryption",
  851. FIPS_rsa_test(bad_rsa));
  852. /* DES-CBC encryption/decryption
  853. */
  854. test_msg("5. DES-ECB encryption/decryption", FIPS_des3_test());
  855. /* DSA key generation and signature validation
  856. */
  857. test_msg("6. DSA key generation and signature validation",
  858. FIPS_dsa_test(bad_dsa));
  859. /* SHA-1 hash
  860. */
  861. test_msg("7a. SHA-1 hash", FIPS_sha1_test());
  862. /* SHA-256 hash
  863. */
  864. test_msg("7b. SHA-256 hash", FIPS_sha256_test());
  865. /* SHA-512 hash
  866. */
  867. test_msg("7c. SHA-512 hash", FIPS_sha512_test());
  868. /* HMAC-SHA-1 hash
  869. */
  870. test_msg("7d. HMAC-SHA-1 hash", FIPS_hmac_sha1_test());
  871. /* HMAC-SHA-224 hash
  872. */
  873. test_msg("7e. HMAC-SHA-224 hash", FIPS_hmac_sha224_test());
  874. /* HMAC-SHA-256 hash
  875. */
  876. test_msg("7f. HMAC-SHA-256 hash", FIPS_hmac_sha256_test());
  877. /* HMAC-SHA-384 hash
  878. */
  879. test_msg("7g. HMAC-SHA-384 hash", FIPS_hmac_sha384_test());
  880. /* HMAC-SHA-512 hash
  881. */
  882. test_msg("7h. HMAC-SHA-512 hash", FIPS_hmac_sha512_test());
  883. /* CMAC-AES-128 hash
  884. */
  885. test_msg("8a. CMAC-AES-128 hash", FIPS_cmac_aes128_test());
  886. /* CMAC-AES-192 hash
  887. */
  888. test_msg("8b. CMAC-AES-192 hash", FIPS_cmac_aes192_test());
  889. /* CMAC-AES-256 hash
  890. */
  891. test_msg("8c. CMAC-AES-256 hash", FIPS_cmac_aes256_test());
  892. # if 0 /* Not a FIPS algorithm */
  893. /* CMAC-TDEA-2 hash
  894. */
  895. test_msg("8d. CMAC-TDEA-2 hash", FIPS_cmac_tdea2_test());
  896. #endif
  897. /* CMAC-TDEA-3 hash
  898. */
  899. test_msg("8e. CMAC-TDEA-3 hash", FIPS_cmac_tdea3_test());
  900. /* Non-Approved cryptographic operation
  901. */
  902. printf("9. Non-Approved cryptographic operation test...\n");
  903. printf("\ta. Included algorithm (D-H)...%s\n",
  904. dh_test() ? "successful as expected"
  905. : Fail("failed INCORRECTLY!") );
  906. /* Zeroization
  907. */
  908. printf("10. Zero-ization...\n\t%s\n",
  909. Zeroize() ? "successful as expected"
  910. : Fail("failed INCORRECTLY!") );
  911. printf("\nAll tests completed with %d errors\n", Error);
  912. return Error ? 1 : 0;
  913. }
  914. #endif