1 /* ====================================================================
2 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
5 * This command is intended as a test driver for the FIPS-140 testing
6 * lab performing FIPS-140 validation. It demonstrates the use of the
7 * OpenSSL library ito perform a variety of common cryptographic
8 * functions. A power-up self test is demonstrated by deliberately
9 * pointing to an invalid executable hash
11 * Contributed by Steve Marquess.
15 #define OPENSSL_FIPSAPI
22 #include <openssl/evp.h>
23 #include <openssl/hmac.h>
24 #include <openssl/cmac.h>
25 #include <openssl/sha.h>
26 #include <openssl/err.h>
28 #include <openssl/bn.h>
29 #include <openssl/rand.h>
32 int main(int argc, char *argv[])
34 printf("No FIPS support\n");
39 #define ERR_clear_error() while(0)
41 #include <openssl/rsa.h>
42 #include <openssl/dsa.h>
43 #include <openssl/dh.h>
45 #include <openssl/fips.h>
46 #include <openssl/fips_rand.h>
49 /* AES: encrypt and decrypt known plaintext, verify result matches original plaintext
51 static int FIPS_aes_test(void)
54 unsigned char pltmp[16];
55 unsigned char citmp[16];
56 unsigned char key[16] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
57 unsigned char plaintext[16] = "etaonrishdlcu";
59 FIPS_cipher_ctx_init(&ctx);
60 if (FIPS_cipherinit(&ctx, EVP_aes_128_ecb(), key, NULL, 1) <= 0)
62 FIPS_cipher(&ctx, citmp, plaintext, 16);
63 if (FIPS_cipherinit(&ctx, EVP_aes_128_ecb(), key, NULL, 0) <= 0)
65 FIPS_cipher(&ctx, pltmp, citmp, 16);
66 if (memcmp(pltmp, plaintext, 16))
70 FIPS_cipher_ctx_cleanup(&ctx);
74 static int FIPS_aes_gcm_test(void)
77 unsigned char pltmp[16];
78 unsigned char citmp[16];
79 unsigned char tagtmp[16];
80 unsigned char key[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
81 unsigned char iv[16] = {21,22,23,24,25,26,27,28,29,30,31,32};
82 unsigned char aad[] = "Some text AAD";
83 unsigned char plaintext[16] = "etaonrishdlcu";
85 FIPS_cipher_ctx_init(&ctx);
86 if (FIPS_cipherinit(&ctx, EVP_aes_128_gcm(), key, iv, 1) <= 0)
88 FIPS_cipher(&ctx, NULL, aad, sizeof(aad));
89 FIPS_cipher(&ctx, citmp, plaintext, 16);
90 FIPS_cipher(&ctx, NULL, NULL, 0);
91 if (!FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, 16, tagtmp))
94 if (FIPS_cipherinit(&ctx, EVP_aes_128_gcm(), key, iv, 0) <= 0)
96 if (!FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, 16, tagtmp))
99 FIPS_cipher(&ctx, NULL, aad, sizeof(aad));
101 FIPS_cipher(&ctx, pltmp, citmp, 16);
103 if (FIPS_cipher(&ctx, NULL, NULL, 0) < 0)
106 if (memcmp(pltmp, plaintext, 16))
111 FIPS_cipher_ctx_cleanup(&ctx);
115 static int FIPS_des3_test(void)
118 unsigned char pltmp[8];
119 unsigned char citmp[8];
120 unsigned char key[] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,
122 unsigned char plaintext[] = { 'e', 't', 'a', 'o', 'n', 'r', 'i', 's' };
124 FIPS_cipher_ctx_init(&ctx);
125 if (FIPS_cipherinit(&ctx, EVP_des_ede3_ecb(), key, NULL, 1) <= 0)
127 FIPS_cipher(&ctx, citmp, plaintext, 8);
128 if (FIPS_cipherinit(&ctx, EVP_des_ede3_ecb(), key, NULL, 0) <= 0)
130 FIPS_cipher(&ctx, pltmp, citmp, 8);
131 if (memcmp(pltmp, plaintext, 8))
135 FIPS_cipher_ctx_cleanup(&ctx);
140 * DSA: generate keys and sign, verify input plaintext.
142 static int FIPS_dsa_test(int bad)
145 unsigned char dgst[] = "etaonrishdlc";
150 dsa = FIPS_dsa_new();
153 if (!DSA_generate_parameters_ex(dsa, 1024,NULL,0,NULL,NULL,NULL))
155 if (!DSA_generate_key(dsa))
158 BN_add_word(dsa->pub_key, 1);
160 sig = FIPS_dsa_sign(dsa, dgst, sizeof(dgst) -1, EVP_sha256());
164 r = FIPS_dsa_verify(dsa, dgst, sizeof(dgst) -1, EVP_sha256(), sig);
167 FIPS_dsa_sig_free(sig);
176 * RSA: generate keys and sign, verify input plaintext.
178 static int FIPS_rsa_test(int bad)
181 unsigned char input_ptext[] = "etaonrishdlc";
182 unsigned char buf[256];
188 key = FIPS_rsa_new();
192 BN_set_word(bn, 65537);
193 if (!RSA_generate_key_ex(key, 2048,bn,NULL))
197 BN_add_word(key->n, 1);
199 if (!FIPS_rsa_sign(key, input_ptext, sizeof(input_ptext) - 1, EVP_sha256(),
200 RSA_PKCS1_PADDING, 0, NULL, buf, &slen))
203 r = FIPS_rsa_verify(key, input_ptext, sizeof(input_ptext) - 1, EVP_sha256(),
204 RSA_PKCS1_PADDING, 0, NULL, buf, slen);
213 /* SHA1: generate hash of known digest value and compare to known
214 precomputed correct hash
216 static int FIPS_sha1_test()
218 unsigned char digest[SHA_DIGEST_LENGTH] =
219 { 0x11, 0xf1, 0x9a, 0x3a, 0xec, 0x1a, 0x1e, 0x8e, 0x65, 0xd4, 0x9a, 0x38, 0x0c, 0x8b, 0x1e, 0x2c, 0xe8, 0xb3, 0xc5, 0x18 };
220 unsigned char str[] = "etaonrishd";
222 unsigned char md[SHA_DIGEST_LENGTH];
225 if (!FIPS_digest(str,sizeof(str) - 1,md, NULL, EVP_sha1())) return 0;
226 if (memcmp(md,digest,sizeof(md)))
231 /* SHA256: generate hash of known digest value and compare to known
232 precomputed correct hash
234 static int FIPS_sha256_test()
236 unsigned char digest[SHA256_DIGEST_LENGTH] =
237 {0xf5, 0x53, 0xcd, 0xb8, 0xcf, 0x1, 0xee, 0x17, 0x9b, 0x93, 0xc9, 0x68, 0xc0, 0xea, 0x40, 0x91,
238 0x6, 0xec, 0x8e, 0x11, 0x96, 0xc8, 0x5d, 0x1c, 0xaf, 0x64, 0x22, 0xe6, 0x50, 0x4f, 0x47, 0x57};
239 unsigned char str[] = "etaonrishd";
241 unsigned char md[SHA256_DIGEST_LENGTH];
244 if (!FIPS_digest(str,sizeof(str) - 1,md, NULL, EVP_sha256())) return 0;
245 if (memcmp(md,digest,sizeof(md)))
250 /* SHA512: generate hash of known digest value and compare to known
251 precomputed correct hash
253 static int FIPS_sha512_test()
255 unsigned char digest[SHA512_DIGEST_LENGTH] =
256 {0x99, 0xc9, 0xe9, 0x5b, 0x88, 0xd4, 0x78, 0x88, 0xdf, 0x88, 0x5f, 0x94, 0x71, 0x64, 0x28, 0xca,
257 0x16, 0x1f, 0x3d, 0xf4, 0x1f, 0xf3, 0x0f, 0xc5, 0x03, 0x99, 0xb2, 0xd0, 0xe7, 0x0b, 0x94, 0x4a,
258 0x45, 0xd2, 0x6c, 0x4f, 0x20, 0x06, 0xef, 0x71, 0xa9, 0x25, 0x7f, 0x24, 0xb1, 0xd9, 0x40, 0x22,
259 0x49, 0x54, 0x10, 0xc2, 0x22, 0x9d, 0x27, 0xfe, 0xbd, 0xd6, 0xd6, 0xeb, 0x2d, 0x42, 0x1d, 0xa3};
260 unsigned char str[] = "etaonrishd";
262 unsigned char md[SHA512_DIGEST_LENGTH];
265 if (!FIPS_digest(str,sizeof(str) - 1,md, NULL, EVP_sha512())) return 0;
266 if (memcmp(md,digest,sizeof(md)))
271 /* HMAC-SHA1: generate hash of known digest value and compare to known
272 precomputed correct hash
274 static int FIPS_hmac_sha1_test()
276 unsigned char key[] = "etaonrishd";
277 unsigned char iv[] = "Sample text";
278 unsigned char kaval[EVP_MAX_MD_SIZE] =
279 {0x73, 0xf7, 0xa0, 0x48, 0xf8, 0x94, 0xed, 0xdd, 0x0a, 0xea, 0xea, 0x56, 0x1b, 0x61, 0x2e, 0x70,
280 0xb2, 0xfb, 0xec, 0xc6};
282 unsigned char out[EVP_MAX_MD_SIZE];
286 if (!HMAC(EVP_sha1(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
287 if (memcmp(out,kaval,outlen))
292 /* HMAC-SHA224: generate hash of known digest value and compare to known
293 precomputed correct hash
295 static int FIPS_hmac_sha224_test()
297 unsigned char key[] = "etaonrishd";
298 unsigned char iv[] = "Sample text";
299 unsigned char kaval[EVP_MAX_MD_SIZE] =
300 {0x75, 0x58, 0xd5, 0xbd, 0x55, 0x6d, 0x87, 0x0f, 0x75, 0xff, 0xbe, 0x1c, 0xb2, 0xf0, 0x20, 0x35,
301 0xe5, 0x62, 0x49, 0xb6, 0x94, 0xb9, 0xfc, 0x65, 0x34, 0x33, 0x3a, 0x19};
303 unsigned char out[EVP_MAX_MD_SIZE];
307 if (!HMAC(EVP_sha224(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
308 if (memcmp(out,kaval,outlen))
313 /* HMAC-SHA256: generate hash of known digest value and compare to known
314 precomputed correct hash
316 static int FIPS_hmac_sha256_test()
318 unsigned char key[] = "etaonrishd";
319 unsigned char iv[] = "Sample text";
320 unsigned char kaval[EVP_MAX_MD_SIZE] =
321 {0xe9, 0x17, 0xc1, 0x7b, 0x4c, 0x6b, 0x77, 0xda, 0xd2, 0x30, 0x36, 0x02, 0xf5, 0x72, 0x33, 0x87,
322 0x9f, 0xc6, 0x6e, 0x7b, 0x7e, 0xa8, 0xea, 0xaa, 0x9f, 0xba, 0xee, 0x51, 0xff, 0xda, 0x24, 0xf4};
324 unsigned char out[EVP_MAX_MD_SIZE];
328 if (!HMAC(EVP_sha256(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
329 if (memcmp(out,kaval,outlen))
334 /* HMAC-SHA384: generate hash of known digest value and compare to known
335 precomputed correct hash
337 static int FIPS_hmac_sha384_test()
339 unsigned char key[] = "etaonrishd";
340 unsigned char iv[] = "Sample text";
341 unsigned char kaval[EVP_MAX_MD_SIZE] =
342 {0xb2, 0x9d, 0x40, 0x58, 0x32, 0xc4, 0xe3, 0x31, 0xb6, 0x63, 0x08, 0x26, 0x99, 0xef, 0x3b, 0x10,
343 0xe2, 0xdf, 0xf8, 0xff, 0xc6, 0xe1, 0x03, 0x29, 0x81, 0x2a, 0x1b, 0xac, 0xb0, 0x07, 0x39, 0x08,
344 0xf3, 0x91, 0x35, 0x11, 0x76, 0xd6, 0x4c, 0x20, 0xfb, 0x4d, 0xc3, 0xf3, 0xb8, 0x9b, 0x88, 0x1c};
346 unsigned char out[EVP_MAX_MD_SIZE];
350 if (!HMAC(EVP_sha384(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
351 if (memcmp(out,kaval,outlen))
356 /* HMAC-SHA512: generate hash of known digest value and compare to known
357 precomputed correct hash
359 static int FIPS_hmac_sha512_test()
361 unsigned char key[] = "etaonrishd";
362 unsigned char iv[] = "Sample text";
363 unsigned char kaval[EVP_MAX_MD_SIZE] =
364 {0xcd, 0x3e, 0xb9, 0x51, 0xb8, 0xbc, 0x7f, 0x9a, 0x23, 0xaf, 0xf3, 0x77, 0x59, 0x85, 0xa9, 0xe6,
365 0xf7, 0xd1, 0x51, 0x96, 0x17, 0xe0, 0x92, 0xd8, 0xa6, 0x3b, 0xc1, 0xad, 0x7e, 0x24, 0xca, 0xb1,
366 0xd7, 0x79, 0x0a, 0xa5, 0xea, 0x2c, 0x02, 0x58, 0x0b, 0xa6, 0x52, 0x6b, 0x61, 0x7f, 0xeb, 0x9c,
367 0x47, 0x86, 0x5d, 0x74, 0x2b, 0x88, 0xdf, 0xee, 0x46, 0x69, 0x96, 0x3d, 0xa6, 0xd9, 0x2a, 0x53};
369 unsigned char out[EVP_MAX_MD_SIZE];
373 if (!HMAC(EVP_sha512(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
374 if (memcmp(out,kaval,outlen))
379 /* CMAC-AES128: generate hash of known digest value and compare to known
380 precomputed correct hash
382 static int FIPS_cmac_aes128_test()
384 unsigned char key[16] = { 0x2b,0x7e,0x15,0x16, 0x28,0xae,0xd2,0xa6,
385 0xab,0xf7,0x15,0x88, 0x09,0xcf,0x4f,0x3c, };
386 unsigned char data[] = "Sample text";
387 unsigned char kaval[EVP_MAX_MD_SIZE] =
388 { 0x16,0x83,0xfe,0xac, 0x52,0x9b,0xae,0x23,
389 0xd7,0xd5,0x66,0xf5, 0xd2,0x8d,0xbd,0x2a, };
391 unsigned char *out = NULL;
393 CMAC_CTX *ctx = CMAC_CTX_new();
400 if (!CMAC_Init(ctx,key,sizeof(key),EVP_aes_128_cbc(),NULL))
402 if (!CMAC_Update(ctx,data,sizeof(data)-1))
404 /* This should return 1. If not, there's a programming error... */
405 if (!CMAC_Final(ctx, out, &outlen))
407 out = OPENSSL_malloc(outlen);
408 if (!CMAC_Final(ctx, out, &outlen))
412 char *hexout = OPENSSL_malloc(outlen * 2 + 1);
413 bin2hex(out, outlen, hexout);
414 printf("CMAC-AES128: res = %s\n", hexout);
415 OPENSSL_free(hexout);
419 if (!memcmp(out,kaval,outlen))
429 /* CMAC-AES192: generate hash of known digest value and compare to known
430 precomputed correct hash
432 static int FIPS_cmac_aes192_test()
434 unsigned char key[] = { 0x8e,0x73,0xb0,0xf7, 0xda,0x0e,0x64,0x52,
435 0xc8,0x10,0xf3,0x2b, 0x80,0x90,0x79,0xe5,
436 0x62,0xf8,0xea,0xd2, 0x52,0x2c,0x6b,0x7b, };
437 unsigned char data[] = "Sample text";
438 unsigned char kaval[] =
439 { 0xd6,0x99,0x19,0x25, 0xe5,0x1d,0x95,0x48,
440 0xb1,0x4a,0x0b,0xf2, 0xc6,0x3c,0x47,0x1f, };
442 unsigned char *out = NULL;
444 CMAC_CTX *ctx = CMAC_CTX_new();
451 if (!CMAC_Init(ctx,key,sizeof(key),EVP_aes_192_cbc(),NULL))
453 if (!CMAC_Update(ctx,data,sizeof(data)-1))
455 /* This should return 1. If not, there's a programming error... */
456 if (!CMAC_Final(ctx, out, &outlen))
458 out = OPENSSL_malloc(outlen);
459 if (!CMAC_Final(ctx, out, &outlen))
463 char *hexout = OPENSSL_malloc(outlen * 2 + 1);
464 bin2hex(out, outlen, hexout);
465 printf("CMAC-AES192: res = %s\n", hexout);
466 OPENSSL_free(hexout);
470 if (!memcmp(out,kaval,outlen))
480 /* CMAC-AES256: generate hash of known digest value and compare to known
481 precomputed correct hash
483 static int FIPS_cmac_aes256_test()
485 unsigned char key[] = { 0x60,0x3d,0xeb,0x10, 0x15,0xca,0x71,0xbe,
486 0x2b,0x73,0xae,0xf0, 0x85,0x7d,0x77,0x81,
487 0x1f,0x35,0x2c,0x07, 0x3b,0x61,0x08,0xd7,
488 0x2d,0x98,0x10,0xa3, 0x09,0x14,0xdf,0xf4, };
489 unsigned char data[] = "Sample text";
490 unsigned char kaval[] =
491 { 0xec,0xc2,0xcf,0x63, 0xc7,0xce,0xfc,0xa4,
492 0xb0,0x86,0x37,0x5f, 0x15,0x60,0xba,0x1f, };
494 unsigned char *out = NULL;
496 CMAC_CTX *ctx = CMAC_CTX_new();
503 if (!CMAC_Init(ctx,key,sizeof(key),EVP_aes_256_cbc(),NULL))
505 if (!CMAC_Update(ctx,data,sizeof(data)-1))
507 /* This should return 1. If not, there's a programming error... */
508 if (!CMAC_Final(ctx, out, &outlen))
510 out = OPENSSL_malloc(outlen);
511 if (!CMAC_Final(ctx, out, &outlen))
515 char *hexout = OPENSSL_malloc(outlen * 2 + 1);
516 bin2hex(out, outlen, hexout);
517 printf("CMAC-AES256: res = %s\n", hexout);
518 OPENSSL_free(hexout);
522 if (!memcmp(out,kaval,outlen))
532 /* CMAC-TDEA3: generate hash of known digest value and compare to known
533 precomputed correct hash
535 static int FIPS_cmac_tdea3_test()
537 unsigned char key[] = { 0x8a,0xa8,0x3b,0xf8, 0xcb,0xda,0x10,0x62,
538 0x0b,0xc1,0xbf,0x19, 0xfb,0xb6,0xcd,0x58,
539 0xbc,0x31,0x3d,0x4a, 0x37,0x1c,0xa8,0xb5, };
540 unsigned char data[] = "Sample text";
541 unsigned char kaval[EVP_MAX_MD_SIZE] =
542 { 0xb4,0x06,0x4e,0xbf, 0x59,0x89,0xba,0x68, };
544 unsigned char *out = NULL;
546 CMAC_CTX *ctx = CMAC_CTX_new();
553 if (!CMAC_Init(ctx,key,sizeof(key),EVP_des_ede3_cbc(),NULL))
555 if (!CMAC_Update(ctx,data,sizeof(data)-1))
557 /* This should return 1. If not, there's a programming error... */
558 if (!CMAC_Final(ctx, out, &outlen))
560 out = OPENSSL_malloc(outlen);
561 if (!CMAC_Final(ctx, out, &outlen))
565 char *hexout = OPENSSL_malloc(outlen * 2 + 1);
566 bin2hex(out, outlen, hexout);
567 printf("CMAC-TDEA3: res = %s\n", hexout);
568 OPENSSL_free(hexout);
572 if (!memcmp(out,kaval,outlen))
583 /* DH: generate shared parameters
592 if (!DH_generate_parameters_ex(dh, 1024, 2, NULL))
604 unsigned char userkey[16] =
605 { 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f, 0x83, 0x02, 0xb1, 0x09, 0x68 };
609 key = FIPS_rsa_new();
613 BN_set_word(bn, 65537);
614 if (!RSA_generate_key_ex(key, 1024,bn,NULL))
618 n = BN_num_bytes(key->d);
619 printf(" Generated %d byte RSA private key\n", n);
620 printf("\tBN key before overwriting:\n");
621 do_bn_print(stdout, key->d);
622 BN_rand(key->d,n*8,-1,0);
623 printf("\tBN key after overwriting:\n");
624 do_bn_print(stdout, key->d);
626 printf("\tchar buffer key before overwriting: \n\t\t");
627 for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
629 RAND_bytes(userkey, sizeof userkey);
630 printf("\tchar buffer key after overwriting: \n\t\t");
631 for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
639 /* Dummy Entropy for DRBG tests. WARNING: THIS IS TOTALLY BOGUS
640 * HAS ZERO SECURITY AND MUST NOT BE USED IN REAL APPLICATIONS.
643 static unsigned char dummy_drbg_entropy[1024];
645 static size_t drbg_test_cb(DRBG_CTX *ctx, unsigned char **pout,
646 int entropy, size_t min_len, size_t max_len)
648 *pout = dummy_drbg_entropy;
649 /* Round up to multiple of block size */
650 return (min_len + 0xf) & ~0xf;
653 /* DRBG test: just generate lots of data and trigger health checks */
655 static int do_drbg_test(int type, int flags)
660 unsigned char randout[1024];
661 dctx = FIPS_drbg_new(type, flags);
664 FIPS_drbg_set_callbacks(dctx, drbg_test_cb, 0, 0x10, drbg_test_cb, 0);
665 for (i = 0; i < sizeof(dummy_drbg_entropy); i++)
667 dummy_drbg_entropy[i] = i & 0xff;
669 if (!FIPS_drbg_instantiate(dctx, dummy_drbg_entropy, 10))
671 FIPS_drbg_set_check_interval(dctx, 10);
672 for (i = 0; i < 32; i++)
674 if (!FIPS_drbg_generate(dctx, randout, sizeof(randout), 0, NULL, 0))
676 if (!FIPS_drbg_generate(dctx, randout, sizeof(randout), 0, dummy_drbg_entropy, 1))
681 FIPS_drbg_free(dctx);
690 static int do_drbg_all(void)
692 static DRBG_LIST drbg_types[] =
699 {NID_hmacWithSHA1, 0},
700 {NID_hmacWithSHA224, 0},
701 {NID_hmacWithSHA256, 0},
702 {NID_hmacWithSHA384, 0},
703 {NID_hmacWithSHA512, 0},
704 {NID_aes_128_ctr, 0},
705 {NID_aes_192_ctr, 0},
706 {NID_aes_256_ctr, 0},
707 {NID_aes_128_ctr, DRBG_FLAG_CTR_USE_DF},
708 {NID_aes_192_ctr, DRBG_FLAG_CTR_USE_DF},
709 {NID_aes_256_ctr, DRBG_FLAG_CTR_USE_DF},
710 {(NID_X9_62_prime256v1 << 16)|NID_sha1, 0},
711 {(NID_X9_62_prime256v1 << 16)|NID_sha224, 0},
712 {(NID_X9_62_prime256v1 << 16)|NID_sha256, 0},
713 {(NID_X9_62_prime256v1 << 16)|NID_sha384, 0},
714 {(NID_X9_62_prime256v1 << 16)|NID_sha512, 0},
715 {(NID_secp384r1 << 16)|NID_sha224, 0},
716 {(NID_secp384r1 << 16)|NID_sha256, 0},
717 {(NID_secp384r1 << 16)|NID_sha384, 0},
718 {(NID_secp384r1 << 16)|NID_sha512, 0},
719 {(NID_secp521r1 << 16)|NID_sha256, 0},
720 {(NID_secp521r1 << 16)|NID_sha384, 0},
721 {(NID_secp521r1 << 16)|NID_sha512, 0},
726 for (lst = drbg_types;; lst++)
730 if (!do_drbg_test(lst->type, lst->flags))
737 static const char * Fail(const char *msg)
743 static void test_msg(const char *msg, int result)
745 printf("%s...%s\n", msg, result ? "successful" : Fail("Failed!"));
748 /* Table of IDs for POST translating between NIDs and names */
756 POST_ID id_list[] = {
758 {NID_sha224, "SHA224"},
759 {NID_sha256, "SHA256"},
760 {NID_sha384, "SHA384"},
761 {NID_sha512, "SHA512"},
762 {NID_hmacWithSHA1, "HMAC-SHA1"},
763 {NID_hmacWithSHA224, "HMAC-SHA224"},
764 {NID_hmacWithSHA256, "HMAC-SHA256"},
765 {NID_hmacWithSHA384, "HMAC-SHA384"},
766 {NID_hmacWithSHA512, "HMAC-SHA512"},
767 {EVP_PKEY_RSA, "RSA"},
768 {EVP_PKEY_DSA, "DSA"},
769 {EVP_PKEY_EC, "ECDSA"},
770 {NID_aes_128_cbc, "AES-128-CBC"},
771 {NID_aes_192_cbc, "AES-192-CBC"},
772 {NID_aes_256_cbc, "AES-256-CBC"},
773 {NID_aes_128_ctr, "AES-128-CTR"},
774 {NID_aes_192_ctr, "AES-192-CTR"},
775 {NID_aes_256_ctr, "AES-256-CTR"},
776 {NID_aes_128_ecb, "AES-128-ECB"},
777 {NID_aes_128_xts, "AES-128-XTS"},
778 {NID_aes_256_xts, "AES-256-XTS"},
779 {NID_des_ede3_cbc, "DES-EDE3-CBC"},
780 {NID_des_ede3_ecb, "DES-EDE3-ECB"},
781 {NID_secp224r1, "P-224"},
782 {NID_sect233r1, "B-233"},
783 {NID_sect233k1, "K-233"},
784 {NID_X9_62_prime256v1, "P-256"},
785 {NID_secp384r1, "P-384"},
786 {NID_secp521r1, "P-521"},
790 static const char *lookup_id(int id)
794 for (n = id_list; n->name; n++)
799 sprintf(out, "ID=%d", id);
803 static int fail_id = -1;
804 static int fail_sub = -1;
805 static int fail_key = -1;
807 static int post_cb(int op, int id, int subid, void *ex)
809 const char *idstr, *exstr = "";
812 #ifdef FIPS_POST_TIME
813 static struct timespec start, end, tstart, tend;
817 case FIPS_TEST_INTEGRITY:
821 case FIPS_TEST_DIGEST:
823 exstr = lookup_id(subid);
826 case FIPS_TEST_CIPHER:
827 exstr = lookup_id(subid);
831 case FIPS_TEST_SIGNATURE:
835 keytype = pkey->type;
836 if (keytype == EVP_PKEY_EC)
840 grp = EC_KEY_get0_group(pkey->pkey.ec);
841 cnid = EC_GROUP_get_curve_name(grp);
842 sprintf(asctmp, "ECDSA %s", lookup_id(cnid));
846 exstr = lookup_id(keytype);
852 exstr = lookup_id(subid);
858 exstr = lookup_id(subid);
867 exstr = lookup_id(subid);
875 idstr = "X9.31 PRNG";
876 sprintf(asctmp, "keylen=%d", subid);
882 if (*(int *)ex & DRBG_FLAG_CTR_USE_DF)
884 sprintf(asctmp, "%s DF", lookup_id(subid));
887 else if (subid >> 16)
889 sprintf(asctmp, "%s %s",
890 lookup_id(subid >> 16),
891 lookup_id(subid & 0xFFFF));
895 exstr = lookup_id(subid);
898 case FIPS_TEST_PAIRWISE:
902 keytype = pkey->type;
903 exstr = lookup_id(keytype);
905 idstr = "Pairwise Consistency";
908 case FIPS_TEST_CONTINUOUS:
909 idstr = "Continuous PRNG";
914 exstr = lookup_id(subid);
925 case FIPS_POST_BEGIN:
926 #ifdef FIPS_POST_TIME
927 clock_getres(CLOCK_REALTIME, &tstart);
928 printf("\tTimer resolution %ld s, %ld ns\n",
929 (long)tstart.tv_sec, (long)tstart.tv_nsec);
930 clock_gettime(CLOCK_REALTIME, &tstart);
932 printf("\tPOST started\n");
936 printf("\tPOST %s\n", id ? "Success" : "Failed");
937 #ifdef FIPS_POST_TIME
938 clock_gettime(CLOCK_REALTIME, &tend);
939 printf("\t\tTook %f seconds\n",
940 (double)((tend.tv_sec+tend.tv_nsec*1e-9)
941 - (tstart.tv_sec+tstart.tv_nsec*1e-9)));
945 case FIPS_POST_STARTED:
946 printf("\t\t%s %s test started\n", idstr, exstr);
947 #ifdef FIPS_POST_TIME
948 clock_gettime(CLOCK_REALTIME, &start);
952 case FIPS_POST_SUCCESS:
953 printf("\t\t%s %s test OK\n", idstr, exstr);
954 #ifdef FIPS_POST_TIME
955 clock_gettime(CLOCK_REALTIME, &end);
956 printf("\t\t\tTook %f seconds\n",
957 (double)((end.tv_sec+end.tv_nsec*1e-9)
958 - (start.tv_sec+start.tv_nsec*1e-9)));
963 printf("\t\t%s %s test FAILED!!\n", idstr, exstr);
966 case FIPS_POST_CORRUPT:
968 && (fail_key == -1 || fail_key == keytype)
969 && (fail_sub == -1 || fail_sub == subid))
971 printf("\t\t%s %s test failure induced\n", idstr, exstr);
981 int fips_test_suite_main(int argc, char **argv)
983 int main(int argc, char **argv)
986 int bad_rsa = 0, bad_dsa = 0;
987 int do_rng_stick = 0;
988 int do_drbg_stick = 0;
991 char *pass = FIPS_AUTH_USER_PASS;
993 FIPS_post_set_callback(post_cb);
995 printf("\tFIPS-mode test application\n");
997 printf("\t%s\n\n", FIPS_module_version_text());
1000 /* Corrupted KAT tests */
1001 if (!strcmp(argv[1], "integrity")) {
1002 fail_id = FIPS_TEST_INTEGRITY;
1003 } else if (!strcmp(argv[1], "aes")) {
1004 fail_id = FIPS_TEST_CIPHER;
1005 fail_sub = NID_aes_128_ecb;
1006 } else if (!strcmp(argv[1], "aes-ccm")) {
1007 fail_id = FIPS_TEST_CCM;
1008 } else if (!strcmp(argv[1], "aes-gcm")) {
1009 fail_id = FIPS_TEST_GCM;
1010 } else if (!strcmp(argv[1], "aes-xts")) {
1011 fail_id = FIPS_TEST_XTS;
1012 } else if (!strcmp(argv[1], "des")) {
1013 fail_id = FIPS_TEST_CIPHER;
1014 fail_sub = NID_des_ede3_ecb;
1015 } else if (!strcmp(argv[1], "dsa")) {
1016 fail_id = FIPS_TEST_SIGNATURE;
1017 fail_key = EVP_PKEY_DSA;
1018 } else if (!strcmp(argv[1], "ecdh")) {
1019 fail_id = FIPS_TEST_ECDH;
1020 } else if (!strcmp(argv[1], "ecdsa")) {
1021 fail_id = FIPS_TEST_SIGNATURE;
1022 fail_key = EVP_PKEY_EC;
1023 } else if (!strcmp(argv[1], "rsa")) {
1024 fail_id = FIPS_TEST_SIGNATURE;
1025 fail_key = EVP_PKEY_RSA;
1026 } else if (!strcmp(argv[1], "rsakey")) {
1027 printf("RSA key generation and signature validation with corrupted key...\n");
1030 } else if (!strcmp(argv[1], "rsakeygen")) {
1031 fail_id = FIPS_TEST_PAIRWISE;
1032 fail_key = EVP_PKEY_RSA;
1034 } else if (!strcmp(argv[1], "dsakey")) {
1035 printf("DSA key generation and signature validation with corrupted key...\n");
1038 } else if (!strcmp(argv[1], "dsakeygen")) {
1039 fail_id = FIPS_TEST_PAIRWISE;
1040 fail_key = EVP_PKEY_DSA;
1042 } else if (!strcmp(argv[1], "sha1")) {
1043 fail_id = FIPS_TEST_DIGEST;
1044 } else if (!strcmp(argv[1], "hmac")) {
1045 fail_id = FIPS_TEST_HMAC;
1046 } else if (!strcmp(argv[1], "cmac")) {
1047 fail_id = FIPS_TEST_CMAC;
1048 } else if (!strcmp(argv[1], "drbg")) {
1049 fail_id = FIPS_TEST_DRBG;
1050 } else if (!strcmp(argv[1], "rng")) {
1051 fail_id = FIPS_TEST_X931;
1052 } else if (!strcmp(argv[1], "nodh")) {
1055 } else if (!strcmp(argv[1], "post")) {
1057 } else if (!strcmp(argv[1], "rngstick")) {
1060 printf("RNG test with stuck continuous test...\n");
1061 } else if (!strcmp(argv[1], "drbgentstick")) {
1063 } else if (!strcmp(argv[1], "drbgstick")) {
1066 printf("DRBG test with stuck continuous test...\n");
1067 } else if (!strcmp(argv[1], "user")) {
1068 pass = FIPS_AUTH_USER_PASS;
1069 } else if (!strcmp(argv[1], "officer")) {
1070 pass = FIPS_AUTH_OFFICER_PASS;
1071 } else if (!strcmp(argv[1], "badpass")) {
1072 pass = "bad invalid password";
1073 } else if (!strcmp(argv[1], "nopass")) {
1076 printf("Bad argument \"%s\"\n", argv[1]);
1080 fips_algtest_init_nofips();
1081 if (!FIPS_module_mode_set(1, pass)) {
1082 printf("Power-up self test failed\n");
1085 printf("Power-up self test successful\n");
1090 fips_algtest_init_nofips();
1092 /* Non-Approved cryptographic operation
1094 printf("1. Non-Approved cryptographic operation test...\n");
1096 printf("\t D-H test skipped\n");
1098 test_msg("\ta. Included algorithm (D-H)...", dh_test());
1100 /* Power-up self test
1103 test_msg("2. Automatic power-up self test", FIPS_module_mode_set(1, pass));
1104 if (!FIPS_module_mode())
1111 /* AES encryption/decryption
1113 test_msg("3a. AES encryption/decryption", FIPS_aes_test());
1114 /* AES GCM encryption/decryption
1116 test_msg("3b. AES-GCM encryption/decryption", FIPS_aes_gcm_test());
1118 /* RSA key generation and encryption/decryption
1120 test_msg("4. RSA key generation and encryption/decryption",
1121 FIPS_rsa_test(bad_rsa));
1123 /* DES-CBC encryption/decryption
1125 test_msg("5. DES-ECB encryption/decryption", FIPS_des3_test());
1127 /* DSA key generation and signature validation
1129 test_msg("6. DSA key generation and signature validation",
1130 FIPS_dsa_test(bad_dsa));
1134 test_msg("7a. SHA-1 hash", FIPS_sha1_test());
1138 test_msg("7b. SHA-256 hash", FIPS_sha256_test());
1142 test_msg("7c. SHA-512 hash", FIPS_sha512_test());
1146 test_msg("7d. HMAC-SHA-1 hash", FIPS_hmac_sha1_test());
1148 /* HMAC-SHA-224 hash
1150 test_msg("7e. HMAC-SHA-224 hash", FIPS_hmac_sha224_test());
1152 /* HMAC-SHA-256 hash
1154 test_msg("7f. HMAC-SHA-256 hash", FIPS_hmac_sha256_test());
1156 /* HMAC-SHA-384 hash
1158 test_msg("7g. HMAC-SHA-384 hash", FIPS_hmac_sha384_test());
1160 /* HMAC-SHA-512 hash
1162 test_msg("7h. HMAC-SHA-512 hash", FIPS_hmac_sha512_test());
1164 /* CMAC-AES-128 hash
1166 test_msg("8a. CMAC-AES-128 hash", FIPS_cmac_aes128_test());
1168 /* CMAC-AES-192 hash
1170 test_msg("8b. CMAC-AES-192 hash", FIPS_cmac_aes192_test());
1172 /* CMAC-AES-256 hash
1174 test_msg("8c. CMAC-AES-256 hash", FIPS_cmac_aes256_test());
1176 # if 0 /* Not a FIPS algorithm */
1179 test_msg("8d. CMAC-TDEA-2 hash", FIPS_cmac_tdea2_test());
1184 test_msg("8e. CMAC-TDEA-3 hash", FIPS_cmac_tdea3_test());
1186 /* Non-Approved cryptographic operation
1188 printf("9. Non-Approved cryptographic operation test...\n");
1189 printf("\ta. Included algorithm (D-H)...%s\n",
1191 dh_test() ? "successful as expected"
1192 : Fail("failed INCORRECTLY!") );
1196 printf("10. Zero-ization...\n\t%s\n",
1197 Zeroize() ? "successful as expected"
1198 : Fail("failed INCORRECTLY!") );
1200 printf("11. Complete DRBG health check...\n");
1201 printf("\t%s\n", FIPS_selftest_drbg_all() ? "successful as expected"
1202 : Fail("failed INCORRECTLY!") );
1204 printf("12. DRBG generation check...\n");
1205 printf("\t%s\n", do_drbg_all() ? "successful as expected"
1206 : Fail("failed INCORRECTLY!") );
1208 printf("\nAll tests completed with %d errors\n", Error);
1209 return Error ? 1 : 0;