printf("%s...%s\n", msg, result ? "successful" : Fail("Failed!"));
}
+/* Table of IDs for POST translating between NIDs and names */
+
+typedef struct
+ {
+ int id;
+ const char *name;
+ } POST_ID;
+
+POST_ID id_list[] = {
+ {NID_sha1, "SHA1"},
+ {NID_sha224, "SHA224"},
+ {NID_sha256, "SHA256"},
+ {NID_sha384, "SHA384"},
+ {NID_sha512, "SHA512"},
+ {NID_hmacWithSHA1, "HMAC-SHA1"},
+ {NID_hmacWithSHA224, "HMAC-SHA224"},
+ {NID_hmacWithSHA256, "HMAC-SHA256"},
+ {NID_hmacWithSHA384, "HMAC-SHA384"},
+ {NID_hmacWithSHA512, "HMAC-SHA512"},
+ {EVP_PKEY_RSA, "RSA"},
+ {EVP_PKEY_DSA, "DSA"},
+ {EVP_PKEY_EC, "ECDSA"},
+ {NID_aes_128_cbc, "AES-128-CBC"},
+ {NID_aes_192_cbc, "AES-192-CBC"},
+ {NID_aes_256_cbc, "AES-256-CBC"},
+ {NID_aes_128_ctr, "AES-128-CTR"},
+ {NID_aes_192_ctr, "AES-192-CTR"},
+ {NID_aes_256_ctr, "AES-256-CTR"},
+ {NID_aes_128_ecb, "AES-128-ECB"},
+ {NID_aes_128_xts, "AES-128-XTS"},
+ {NID_aes_256_xts, "AES-256-XTS"},
+ {NID_des_ede3_cbc, "DES-EDE3-CBC"},
+ {NID_des_ede3_ecb, "DES-EDE3-ECB"},
+ {0, NULL}
+};
+
+static const char *lookup_id(int id)
+ {
+ POST_ID *n;
+ static char out[40];
+ for (n = id_list; n->name; n++)
+ {
+ if (n->id == id)
+ return n->name;
+ }
+ sprintf(out, "ID=%d", id);
+ return out;
+ }
+
+static int fail_id = -1;
+static int fail_sub = -1;
+static int fail_key = -1;
+
+static int post_cb(int op, int id, int subid, void *ex)
+ {
+ const char *idstr, *exstr = "";
+ char asctmp[20];
+ int keytype = -1;
+#ifdef FIPS_POST_TIME
+ static struct timespec start, end, tstart, tend;
+#endif
+ switch(id)
+ {
+ case FIPS_TEST_INTEGRITY:
+ idstr = "Integrity";
+ break;
+
+ case FIPS_TEST_DIGEST:
+ idstr = "Digest";
+ exstr = lookup_id(subid);
+ break;
+
+ case FIPS_TEST_CIPHER:
+ exstr = lookup_id(subid);
+ idstr = "Cipher";
+ break;
+
+ case FIPS_TEST_SIGNATURE:
+ if (ex)
+ {
+ EVP_PKEY *pkey = ex;
+ keytype = pkey->type;
+ exstr = lookup_id(keytype);
+ }
+ idstr = "Signature";
+ break;
+
+ case FIPS_TEST_HMAC:
+ exstr = lookup_id(subid);
+ idstr = "HMAC";
+ break;
+
+ case FIPS_TEST_CMAC:
+ idstr = "CMAC";
+ exstr = lookup_id(subid);
+ break;
+
+ case FIPS_TEST_GCM:
+ idstr = "GCM";
+ break;
+
+ case FIPS_TEST_XTS:
+ idstr = "XTS";
+ exstr = lookup_id(subid);
+ break;
+
+ case FIPS_TEST_CCM:
+ idstr = "CCM";
+ break;
+
+ case FIPS_TEST_X931:
+ idstr = "X9.31 PRNG";
+ sprintf(asctmp, "keylen=%d", subid);
+ exstr = asctmp;
+ break;
+
+ case FIPS_TEST_DRBG:
+ idstr = "DRBG";
+ if (*(int *)ex & DRBG_FLAG_CTR_USE_DF)
+ {
+ sprintf(asctmp, "%s DF", lookup_id(subid));
+ exstr = asctmp;
+ }
+ else
+ exstr = lookup_id(subid);
+ break;
+
+ case FIPS_TEST_PAIRWISE:
+ if (ex)
+ {
+ EVP_PKEY *pkey = ex;
+ keytype = pkey->type;
+ exstr = lookup_id(keytype);
+ }
+ idstr = "Pairwise Consistency";
+ break;
+
+ case FIPS_TEST_CONTINUOUS:
+ idstr = "Continuous PRNG";
+ break;
+
+ default:
+ idstr = "Unknown";
+ break;
+
+ }
+
+ switch(op)
+ {
+ case FIPS_POST_BEGIN:
+#ifdef FIPS_POST_TIME
+ clock_getres(CLOCK_REALTIME, &tstart);
+ printf("\tTimer resolution %ld s, %ld ns\n",
+ (long)tstart.tv_sec, (long)tstart.tv_nsec);
+ clock_gettime(CLOCK_REALTIME, &tstart);
+#endif
+ printf("\tPOST started\n");
+ break;
+
+ case FIPS_POST_END:
+ printf("\tPOST %s\n", id ? "Success" : "Failed");
+#ifdef FIPS_POST_TIME
+ clock_gettime(CLOCK_REALTIME, &tend);
+ printf("\t\tTook %f seconds\n",
+ (double)((tend.tv_sec+tend.tv_nsec*1e-9)
+ - (tstart.tv_sec+tstart.tv_nsec*1e-9)));
+#endif
+ break;
+
+ case FIPS_POST_STARTED:
+ printf("\t\t%s %s test started\n", idstr, exstr);
+#ifdef FIPS_POST_TIME
+ clock_gettime(CLOCK_REALTIME, &start);
+#endif
+ break;
+
+ case FIPS_POST_SUCCESS:
+ printf("\t\t%s %s test OK\n", idstr, exstr);
+#ifdef FIPS_POST_TIME
+ clock_gettime(CLOCK_REALTIME, &end);
+ printf("\t\t\tTook %f seconds\n",
+ (double)((end.tv_sec+end.tv_nsec*1e-9)
+ - (start.tv_sec+start.tv_nsec*1e-9)));
+#endif
+ break;
+
+ case FIPS_POST_FAIL:
+ printf("\t\t%s %s test FAILED!!\n", idstr, exstr);
+ break;
+
+ case FIPS_POST_CORRUPT:
+ if (fail_id == id
+ && (fail_key == -1 || fail_key == keytype)
+ && (fail_sub == -1 || fail_sub == subid))
+ {
+ printf("\t\t%s %s test failure induced\n", idstr, exstr);
+ return 0;
+ }
+ break;
+
+ }
+ return 1;
+ }
+
int main(int argc,char **argv)
{
-
- int do_corrupt_rsa_keygen = 0, do_corrupt_dsa_keygen = 0;
int bad_rsa = 0, bad_dsa = 0;
int do_rng_stick = 0;
+ int do_drbg_stick = 0;
int no_exit = 0;
- fips_algtest_init_nofips();
- printf("\tFIPS-mode test application\n\n");
+ FIPS_post_set_callback(post_cb);
+
+ printf("\tFIPS-mode test application\n");
- /* Load entropy from external file, if any */
- RAND_load_file(".rnd", 1024);
+ printf("\t%s\n\n", FIPS_module_version_text());
if (argv[1]) {
/* Corrupted KAT tests */
- if (!strcmp(argv[1], "aes")) {
- FIPS_corrupt_aes();
- printf("AES encryption/decryption with corrupted KAT...\n");
+ if (!strcmp(argv[1], "integrity")) {
+ fail_id = FIPS_TEST_INTEGRITY;
+ } else if (!strcmp(argv[1], "aes")) {
+ fail_id = FIPS_TEST_CIPHER;
+ fail_sub = NID_aes_128_ecb;
+ } else if (!strcmp(argv[1], "aes-ccm")) {
+ fail_id = FIPS_TEST_CCM;
} else if (!strcmp(argv[1], "aes-gcm")) {
- FIPS_corrupt_aes_gcm();
- printf("AES-GCM encryption/decryption with corrupted KAT...\n");
+ fail_id = FIPS_TEST_GCM;
+ } else if (!strcmp(argv[1], "aes-xts")) {
+ fail_id = FIPS_TEST_XTS;
} else if (!strcmp(argv[1], "des")) {
- FIPS_corrupt_des();
- printf("DES3-ECB encryption/decryption with corrupted KAT...\n");
+ fail_id = FIPS_TEST_CIPHER;
+ fail_sub = NID_des_ede3_ecb;
} else if (!strcmp(argv[1], "dsa")) {
- FIPS_corrupt_dsa();
- printf("DSA key generation and signature validation with corrupted KAT...\n");
+ fail_id = FIPS_TEST_SIGNATURE;
+ fail_key = EVP_PKEY_DSA;
} else if (!strcmp(argv[1], "ecdsa")) {
- FIPS_corrupt_ecdsa();
- printf("ECDSA key generation and signature validation with corrupted KAT...\n");
+ fail_id = FIPS_TEST_SIGNATURE;
+ fail_key = EVP_PKEY_EC;
} else if (!strcmp(argv[1], "rsa")) {
- FIPS_corrupt_rsa();
- printf("RSA key generation and signature validation with corrupted KAT...\n");
+ fail_id = FIPS_TEST_SIGNATURE;
+ fail_key = EVP_PKEY_RSA;
} else if (!strcmp(argv[1], "rsakey")) {
printf("RSA key generation and signature validation with corrupted key...\n");
bad_rsa = 1;
no_exit = 1;
} else if (!strcmp(argv[1], "rsakeygen")) {
- do_corrupt_rsa_keygen = 1;
+ fail_id = FIPS_TEST_PAIRWISE;
+ fail_key = EVP_PKEY_RSA;
no_exit = 1;
- printf("RSA key generation and signature validation with corrupted keygen...\n");
} else if (!strcmp(argv[1], "dsakey")) {
printf("DSA key generation and signature validation with corrupted key...\n");
bad_dsa = 1;
no_exit = 1;
} else if (!strcmp(argv[1], "dsakeygen")) {
- do_corrupt_dsa_keygen = 1;
+ fail_id = FIPS_TEST_PAIRWISE;
+ fail_key = EVP_PKEY_DSA;
no_exit = 1;
- printf("DSA key generation and signature validation with corrupted keygen...\n");
} else if (!strcmp(argv[1], "sha1")) {
- FIPS_corrupt_sha1();
- printf("SHA-1 hash with corrupted KAT...\n");
+ fail_id = FIPS_TEST_DIGEST;
+ } else if (!strcmp(argv[1], "hmac")) {
+ fail_id = FIPS_TEST_HMAC;
+ } else if (!strcmp(argv[1], "cmac")) {
+ fail_id = FIPS_TEST_CMAC;
} else if (!strcmp(argv[1], "drbg")) {
- FIPS_corrupt_drbg();
+ fail_id = FIPS_TEST_DRBG;
} else if (!strcmp(argv[1], "rng")) {
- FIPS_corrupt_rng();
+ fail_id = FIPS_TEST_X931;
+ } else if (!strcmp(argv[1], "post")) {
+ fail_id = -1;
} else if (!strcmp(argv[1], "rngstick")) {
do_rng_stick = 1;
no_exit = 1;
printf("RNG test with stuck continuous test...\n");
+ } else if (!strcmp(argv[1], "drbgentstick")) {
+ do_entropy_stick();
+ } else if (!strcmp(argv[1], "drbgstick")) {
+ do_drbg_stick = 1;
+ no_exit = 1;
+ printf("DRBG test with stuck continuous test...\n");
} else {
printf("Bad argument \"%s\"\n", argv[1]);
exit(1);
}
if (!no_exit) {
- if (!FIPS_mode_set(1)) {
+ fips_algtest_init_nofips();
+ if (!FIPS_module_mode_set(1)) {
printf("Power-up self test failed\n");
exit(1);
}
}
}
+ fips_algtest_init_nofips();
+
/* Non-Approved cryptographic operation
*/
printf("1. Non-Approved cryptographic operation test...\n");
/* Power-up self test
*/
ERR_clear_error();
- test_msg("2. Automatic power-up self test", FIPS_mode_set(1));
- if (!FIPS_mode())
+ test_msg("2. Automatic power-up self test", FIPS_module_mode_set(1));
+ if (!FIPS_module_mode())
exit(1);
- if (do_corrupt_dsa_keygen)
- FIPS_corrupt_dsa_keygen();
- if (do_corrupt_rsa_keygen)
- FIPS_corrupt_rsa_keygen();
+ if (do_drbg_stick)
+ FIPS_drbg_stick();
if (do_rng_stick)
- FIPS_rng_stick();
+ FIPS_x931_stick();
/* AES encryption/decryption
*/
projects / openssl.git / blobdiff