X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=fips%2Ffipsalgtest.pl;h=30cd9c0ebde6a789ce599d698b5ed6d91942c01c;hp=56992cd577f665e57e4b2357c5a1c31a05f5fb7e;hb=da2a5a79efd785ec5e93cd2b5d1662a7f5b72abf;hpb=764ef43962327c7252fd12d309bbf1cd86b95545 diff --git a/fips/fipsalgtest.pl b/fips/fipsalgtest.pl index 56992cd577..30cd9c0ebd 100644 --- a/fips/fipsalgtest.pl +++ b/fips/fipsalgtest.pl @@ -1,5 +1,5 @@ #!/usr/bin/perl -w -# Perl utility to run or verify FIPS 140-2 CMVP algorithm tests based on the +# Perl utility to run or verify FIPS 140-2 CAVP algorithm tests based on the # pathnames of input algorithm test files actually present (the unqualified # file names are consistent but the pathnames are not). # @@ -12,16 +12,48 @@ my @fips_dsa_test_list = ( "DSA", - [ "PQGGen", "fips_dssvs pqg" ], - [ "KeyPair", "fips_dssvs keypair" ], - [ "SigGen", "fips_dssvs siggen" ], - [ "SigVer", "fips_dssvs sigver" ] + [ "PQGGen", "fips_dssvs pqg", "path:[^C]DSA/.*PQGGen" ], + [ "KeyPair", "fips_dssvs keypair", "path:[^C]DSA/.*KeyPair" ], + [ "SigGen", "fips_dssvs siggen", "path:[^C]DSA/.*SigGen" ], + [ "SigVer", "fips_dssvs sigver", "path:[^C]DSA/.*SigVer" ] ); my @fips_dsa_pqgver_test_list = ( - [ "PQGVer", "fips_dssvs pqgver" ] + [ "PQGVer", "fips_dssvs pqgver", "path:[^C]DSA/.*PQGVer" ] + +); + +# DSA2 tests +my @fips_dsa2_test_list = ( + + "DSA2", + + [ "PQGGen", "fips_dssvs pqg", "path:[^C]DSA2/.*PQGGen" ], + [ "KeyPair", "fips_dssvs keypair", "path:[^C]DSA2/.*KeyPair" ], + [ "SigGen", "fips_dssvs siggen", "path:[^C]DSA2/.*SigGen" ], + [ "SigVer", "fips_dssvs sigver", "path:[^C]DSA2/.*SigVer" ], + [ "PQGVer", "fips_dssvs pqgver", "path:[^C]DSA2/.*PQGVer" ] + +); + +# ECDSA and ECDSA2 tests +my @fips_ecdsa_test_list = ( + + "ECDSA", + + [ "KeyPair", "fips_ecdsavs KeyPair", "path:/ECDSA/.*KeyPair" ], + [ "PKV", "fips_ecdsavs PKV", "path:/ECDSA/.*PKV" ], + [ "SigGen", "fips_ecdsavs SigGen", "path:/ECDSA/.*SigGen" ], + [ "SigVer", "fips_ecdsavs SigVer", "path:/ECDSA/.*SigVer" ], + + "ECDSA2", + + [ "KeyPair", "fips_ecdsavs KeyPair", "path:/ECDSA2/.*KeyPair" ], + [ "PKV", "fips_ecdsavs PKV", "path:/ECDSA2/.*PKV" ], + [ "SigGen", "fips_ecdsavs SigGen", "path:/ECDSA2/.*SigGen" ], + [ "SigVer", "fips_ecdsavs SigVer", "path:/ECDSA2/.*SigVer" ], ); @@ -49,9 +81,9 @@ my @fips_rsa_test_list = ( my @fips_rsa_pss0_test_list = ( [ "SigGenPSS(0)", "fips_rsastest -saltlen 0", - '^\s*#\s*salt\s+len:\s+0\s*$' ], + 'file:^\s*#\s*salt\s+len:\s+0\s*$' ], [ "SigVerPSS(0)", "fips_rsavtest -saltlen 0", - '^\s*#\s*salt\s+len:\s+0\s*$' ], + 'file:^\s*#\s*salt\s+len:\s+0\s*$' ], ); @@ -59,9 +91,9 @@ my @fips_rsa_pss0_test_list = ( my @fips_rsa_pss62_test_list = ( [ "SigGenPSS(62)", "fips_rsastest -saltlen 62", - '^\s*#\s*salt\s+len:\s+62\s*$' ], + 'file:^\s*#\s*salt\s+len:\s+62\s*$' ], [ "SigVerPSS(62)", "fips_rsavtest -saltlen 62", - '^\s*#\s*salt\s+len:\s+62\s*$' ], + 'file:^\s*#\s*salt\s+len:\s+62\s*$' ], ); # SHA tests @@ -266,6 +298,55 @@ my @fips_aes_cfb1_test_list = ( ); +my @fips_aes_ccm_test_list = ( + + # AES CCM tests + + "AES CCM", + + [ "DVPT128", "fips_gcmtest -ccm" ], + [ "DVPT192", "fips_gcmtest -ccm" ], + [ "DVPT256", "fips_gcmtest -ccm" ], + [ "VADT128", "fips_gcmtest -ccm" ], + [ "VADT192", "fips_gcmtest -ccm" ], + [ "VADT256", "fips_gcmtest -ccm" ], + [ "VNT128", "fips_gcmtest -ccm" ], + [ "VNT192", "fips_gcmtest -ccm" ], + [ "VNT256", "fips_gcmtest -ccm" ], + [ "VPT128", "fips_gcmtest -ccm" ], + [ "VPT192", "fips_gcmtest -ccm" ], + [ "VPT256", "fips_gcmtest -ccm" ], + [ "VTT128", "fips_gcmtest -ccm" ], + [ "VTT192", "fips_gcmtest -ccm" ], + [ "VTT256", "fips_gcmtest -ccm" ] + +); + +my @fips_aes_gcm_test_list = ( + + # AES GCM tests + + "AES GCM", + + [ "gcmDecrypt128", "fips_gcmtest -decrypt" ], + [ "gcmDecrypt192", "fips_gcmtest -decrypt" ], + [ "gcmDecrypt256", "fips_gcmtest -decrypt" ], + [ "gcmEncryptIntIV128", "fips_gcmtest -encrypt" ], + [ "gcmEncryptIntIV192", "fips_gcmtest -encrypt" ], + [ "gcmEncryptIntIV256", "fips_gcmtest -encrypt" ], + +); + +my @fips_aes_xts_test_list = ( + # AES XTS tests + + "AES XTS", + + [ "XTSGenAES128", "fips_gcmtest -xts" ], + [ "XTSGenAES256", "fips_gcmtest -xts" ], + +); + # Triple DES tests my @fips_des3_test_list = ( @@ -348,6 +429,39 @@ my @fips_des3_cfb1_test_list = ( ); +my @fips_drbg_test_list = ( + + # SP800-90 DRBG tests + "SP800-90 DRBG", + [ "CTR_DRBG", "fips_drbgvs" ], + [ "Dual_EC_DRBG", "fips_drbgvs" ], + [ "Hash_DRBG", "fips_drbgvs" ], + [ "HMAC_DRBG", "fips_drbgvs" ] + +); + +my @fips_dh_test_list = ( + + # DH + "DH Ephemeral Primitives Only", + [ "KASValidityTest_FFCEphem_NOKC_ZZOnly_init", "fips_dhvs dhver" ], + [ "KASValidityTest_FFCEphem_NOKC_ZZOnly_resp", "fips_dhvs dhver" ], + +); + +my @fips_ecdh_test_list = ( + + # ECDH + "ECDH Ephemeral Primitives Only", + [ "KAS_ECC_CDH_PrimitiveTest", "fips_ecdhvs ecdhgen" ], +# [ "KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_init", +# "fips_ecdhvs ecdhver" ], +# [ "KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_resp", +# "fips_ecdhvs ecdhver" ], + +); + + # Verification special cases. # In most cases the output of a test is deterministic and # it can be compared to a known good result. A few involve @@ -359,13 +473,21 @@ my @fips_des3_cfb1_test_list = ( # my %verify_special = ( - "PQGGen" => "fips_dssvs pqgver", - "KeyPair" => "fips_dssvs keyver", - "SigGen" => "fips_dssvs sigver", - "SigGen15" => "fips_rsavtest", - "SigGenRSA" => "fips_rsavtest -x931", - "SigGenPSS(0)" => "fips_rsavtest -saltlen 0", - "SigGenPSS(62)" => "fips_rsavtest -saltlen 62", + "DSA:PQGGen" => "fips_dssvs pqgver", + "DSA:KeyPair" => "fips_dssvs keyver", + "DSA:SigGen" => "fips_dssvs sigver", + "DSA2:PQGGen" => "fips_dssvs pqgver", + "DSA2:KeyPair" => "fips_dssvs keyver", + "DSA2:SigGen" => "fips_dssvs sigver", + "ECDSA:KeyPair" => "fips_ecdsavs PKV", + "ECDSA:SigGen" => "fips_ecdsavs SigVer", + "ECDSA2:KeyPair" => "fips_ecdsavs PKV", + "ECDSA2:SigGen" => "fips_ecdsavs SigVer", + "RSA:SigGen15" => "fips_rsavtest", + "RSA:SigGenRSA" => "fips_rsavtest -x931", + "RSA:SigGenPSS(0)" => "fips_rsavtest -saltlen 0", + "RSA:SigGenPSS(62)" => "fips_rsavtest -saltlen 62", + "ECDH Ephemeral Primitives Only:KAS_ECC_CDH_PrimitiveTest" => "skip" ); my $win32 = $^O =~ m/mswin/i; @@ -373,32 +495,47 @@ my $onedir = 0; my $filter = ""; my $tvdir; my $tprefix; -my $shwrap_prefix; my $debug = 0; my $quiet = 0; my $notest = 0; my $verify = 1; -my $rspdir = "rsp"; +my $rspdir = "resp"; my $ignore_missing = 0; my $ignore_bogus = 0; my $bufout = ''; my $list_tests = 0; +my $minimal_script = 0; +my $outfile = ''; +my $no_warn_missing = 0; +my $no_warn_bogus = 0; +my $rmcmd = "rm -rf"; +my $mkcmd = "mkdir"; +my $cmpall = 0; my %fips_enabled = ( - dsa => 1, - "dsa-pqgver" => 0, - rsa => 1, - "rsa-pss0" => 0, + "dsa" => 1, + "dsa2" => 2, + "dsa-pqgver" => 2, + "ecdsa" => 2, + "rsa" => 1, + "rsa-pss0" => 2, "rsa-pss62" => 1, - sha => 1, - hmac => 1, - cmac => 0, + "sha" => 1, + "hmac" => 1, + "cmac" => 2, "rand-aes" => 1, "rand-des2" => 0, - aes => 1, - "aes-cfb1" => 0, - des3 => 1, - "des3-cfb1" => 0 + "aes" => 1, + "aes-cfb1" => 2, + "des3" => 1, + "des3-cfb1" => 2, + "drbg" => 2, + "aes-ccm" => 2, + "aes-xts" => 2, + "aes-gcm" => 2, + "dh" => 0, + "ecdh" => 2, + "v2" => 1, ); foreach (@ARGV) { @@ -411,15 +548,32 @@ foreach (@ARGV) { elsif ( $_ eq "--debug" ) { $debug = 1; } + elsif ( $_ eq "--quiet-missing" ) { + $ignore_missing = 1; + $no_warn_missing = 1; + } elsif ( $_ eq "--ignore-missing" ) { $ignore_missing = 1; } + elsif ( $_ eq "--quiet-bogus" ) { + $ignore_bogus = 1; + $no_warn_bogus = 1; + } elsif ( $_ eq "--ignore-bogus" ) { $ignore_bogus = 1; } - elsif ( $_ eq "--generate" ) { + elsif ( $_ eq "--minimal-script" ) { + $minimal_script = 1; + } + elsif (/--generate-script=(.*)$/) { + $outfile = $1; + $verify = 0; + } elsif ( $_ eq "--generate" ) { $verify = 0; } + elsif ( $_ eq "--compare-all" ) { + $cmpall = 1; + } elsif ( $_ eq "--notest" ) { $notest = 1; } @@ -435,12 +589,15 @@ foreach (@ARGV) { elsif (/--tprefix=(.*)$/) { $tprefix = $1; } - elsif (/--shwrap_prefix=(.*)$/) { - $shwrap_prefix = $1; + elsif (/^--disable-all$/) { + foreach (keys %fips_enabled) { + $fips_enabled{$_} = 0; + } } elsif (/^--(enable|disable)-(.*)$/) { if ( !exists $fips_enabled{$2} ) { print STDERR "Unknown test $2\n"; + exit(1); } if ( $1 eq "enable" ) { $fips_enabled{$2} = 1; @@ -452,6 +609,15 @@ foreach (@ARGV) { elsif (/--filter=(.*)$/) { $filter = $1; } + elsif (/--rm=(.*)$/) { + $rmcmd = $1; + } + elsif (/--script-tprefix=(.*)$/) { + $stprefix = $1; + } + elsif (/--mkdir=(.*)$/) { + $mkcmd = $1; + } elsif (/^--list-tests$/) { $list_tests = 1; } @@ -463,8 +629,17 @@ foreach (@ARGV) { my @fips_test_list; + +if (!$fips_enabled{"v2"}) { + foreach (keys %fips_enabled) { + $fips_enabled{$_} = 0 if $fips_enabled{$_} == 2; + } +} + push @fips_test_list, @fips_dsa_test_list if $fips_enabled{"dsa"}; push @fips_test_list, @fips_dsa_pqgver_test_list if $fips_enabled{"dsa-pqgver"}; +push @fips_test_list, @fips_dsa2_test_list if $fips_enabled{"dsa2"}; +push @fips_test_list, @fips_ecdsa_test_list if $fips_enabled{"ecdsa"}; push @fips_test_list, @fips_rsa_test_list if $fips_enabled{"rsa"}; push @fips_test_list, @fips_rsa_pss0_test_list if $fips_enabled{"rsa-pss0"}; push @fips_test_list, @fips_rsa_pss62_test_list if $fips_enabled{"rsa-pss62"}; @@ -477,6 +652,12 @@ push @fips_test_list, @fips_aes_test_list if $fips_enabled{"aes"}; push @fips_test_list, @fips_aes_cfb1_test_list if $fips_enabled{"aes-cfb1"}; push @fips_test_list, @fips_des3_test_list if $fips_enabled{"des3"}; push @fips_test_list, @fips_des3_cfb1_test_list if $fips_enabled{"des3-cfb1"}; +push @fips_test_list, @fips_drbg_test_list if $fips_enabled{"drbg"}; +push @fips_test_list, @fips_aes_ccm_test_list if $fips_enabled{"aes-ccm"}; +push @fips_test_list, @fips_aes_gcm_test_list if $fips_enabled{"aes-gcm"}; +push @fips_test_list, @fips_aes_xts_test_list if $fips_enabled{"aes-xts"}; +push @fips_test_list, @fips_dh_test_list if $fips_enabled{"dh"}; +push @fips_test_list, @fips_ecdh_test_list if $fips_enabled{"ecdh"}; if ($list_tests) { my ( $test, $en ); @@ -491,11 +672,9 @@ if ($list_tests) { foreach (@fips_test_list) { next unless ref($_); - my $nm = $_->[0]; - $_->[3] = ""; - $_->[4] = ""; - print STDERR "Duplicate test $nm\n" if exists $fips_tests{$nm}; - $fips_tests{$nm} = $_; + my $nm = $$_[0]; + $$_[3] = ""; + $$_[4] = ""; } $tvdir = "." unless defined $tvdir; @@ -513,17 +692,13 @@ if ($win32) { else { if ($onedir) { $tprefix = "./" unless defined $tprefix; - $shwrap_prefix = "./" unless defined $shwrap_prefix; } else { $tprefix = "../test/" unless defined $tprefix; - $shwrap_prefix = "../util/" unless defined $shwrap_prefix; } } -sanity_check_exe( $win32, $tprefix, $shwrap_prefix ); - -my $cmd_prefix = $win32 ? "" : "${shwrap_prefix}shlib_wrap.sh "; +sanity_check_exe( $win32, $tprefix) if $outfile eq ""; find_files( $filter, $tvdir ); @@ -533,8 +708,8 @@ my ( $runerr, $cmperr, $cmpok, $scheckrunerr, $scheckerr, $scheckok, $skipcnt ) = ( 0, 0, 0, 0, 0, 0, 0 ); exit(0) if $notest; - -run_tests( $verify, $win32, $tprefix, $filter, $tvdir ); +print "Outputting commands to $outfile\n" if $outfile ne ""; +run_tests( $verify, $win32, $tprefix, $filter, $tvdir, $outfile ); if ($verify) { print "ALGORITHM TEST VERIFY SUMMARY REPORT:\n"; @@ -553,7 +728,7 @@ if ($verify) { print "***ALL TESTS SUCCESSFUL***\n"; } } -else { +elsif ($outfile eq "") { print "ALGORITHM TEST SUMMARY REPORT:\n"; print "Tests skipped due to missing files: $skipcnt\n"; print "Algorithm test program execution failures: $runerr\n"; @@ -570,38 +745,46 @@ else { sub Help { ( my $cmd ) = ( $0 =~ m#([^/]+)$# ); print < Optional root for *.req file search - --filter= - --onedir Assume all components in current directory - --rspdir= Name of subdirectories containing *.rsp files, default "rsp" - --shwrap_prefix= - --tprefix= - --ignore-bogus Ignore duplicate or bogus files - --ignore-missing Ignore missing test files - --quiet Shhh.... - --generate Generate algorithm test output - --win32 Win32 environment - --enable- Enable algorithm set . - --disable- Disable algorithm set . +$cmd: generate run CAVP algorithm tests + --debug Enable debug output + --dir= Optional root for *.req file search + --filter= Regex for input files of interest + --onedir Assume all components in current directory + --rspdir= Name of subdirectories containing *.rsp files, default "resp" + --tprefix= Pathname prefix for directory containing test programs + --ignore-bogus Ignore duplicate or bogus files + --ignore-missing Ignore missing test files + --quiet Shhh.... + --quiet-bogus Skip unrecognized file warnings + --quiet-missing Skip missing request file warnings + --generate Generate algorithm test output + --generate-script= Generate script to call algorithm programs + --minimal-script Simplest possible output for --generate-script + --win32 Win32 environment + --compare-all Verify unconditionally for all tests + --list-tests Show individual tests + --mkdir= Specify "mkdir" command + --notest Exit before running tests + --rm= Specify "rm" command + --script-tprefix Pathname prefix for --generate-script output + --enable- Enable algorithm set . + --disable- Disable algorithm set . Where can be one of: EOF while (my ($key, $value) = each %fips_enabled) { printf "\t\t%-20s(%s by default)\n", $key , - $value ? "enabled" : "disabled"; + $value == 1 ? "enabled" : "disabled"; } } # Sanity check to see if all necessary executables exist sub sanity_check_exe { - my ( $win32, $tprefix, $shwrap_prefix ) = @_; + my ( $win32, $tprefix, ) = @_; my %exe_list; my $bad = 0; - $exe_list{ $shwrap_prefix . "shlib_wrap.sh" } = 1 unless $win32; foreach (@fips_test_list) { next unless ref($_); my $cmd = $_->[1]; @@ -638,8 +821,8 @@ sub find_files { if ( -f "$_" ) { if (/\/([^\/]*)\.rsp$/) { $tref = find_test($1, $_); - $testname = $$tref[0]; if ( defined $tref ) { + $testname = $$tref[0]; if ( $$tref[4] eq "" ) { $$tref[4] = $_; } @@ -650,15 +833,15 @@ sub find_files { } } else { - print STDERR "WARNING: bogus file $_\n"; + print STDERR "WARNING: bogus file $_\n" unless $no_warn_bogus; $nbogus++; } } next unless /$filter.*\.req$/i; if (/\/([^\/]*)\.req$/) { $tref = find_test($1, $_); - $testname = $$tref[0]; if ( defined $tref ) { + $testname = $$tref[0]; if ( $$tref[3] eq "" ) { $$tref[3] = $_; } @@ -670,7 +853,7 @@ sub find_files { } elsif ( !/SHAmix\.req$/ ) { - print STDERR "WARNING: unrecognized filename $_\n"; + print STDERR "WARNING: unrecognized filename $_\n" unless $no_warn_bogus; $nbogus++; } } @@ -690,9 +873,21 @@ sub find_test { my ( $test, $path ) = @_; foreach $tref (@fips_test_list) { next unless ref($tref); - my ( $tst, $cmd, $regexp, $req, $resp ) = @$tref; + my ( $tst, $cmd, $excmd, $req, $resp ) = @$tref; + my $regexp; $tst =~ s/\(.*$//; - if ($tst eq $test) { + $test =~ s/_186-2//; + if (defined $excmd) { + if ($excmd =~ /^path:(.*)$/) { + my $fmatch = $1; + return $tref if ($path =~ /$fmatch/); + next; + } + elsif ($excmd =~ /^file:(.*)$/) { + $regexp = $1; + } + } + if ($test eq $tst) { return $tref if (!defined $regexp); my $found = 0; my $line; @@ -718,7 +913,7 @@ sub sanity_check_files { #print STDERR "FILES $tst, $cmd, $req, $resp\n"; if ( $req eq "" ) { - print STDERR "WARNING: missing request file for $tst\n"; + print STDERR "WARNING: missing request file for $tst\n" unless $no_warn_missing; $bad = 1; next; } @@ -745,12 +940,55 @@ sub sanity_check_files { } sub run_tests { - my ( $verify, $win32, $tprefix, $filter, $tvdir ) = @_; + my ( $verify, $win32, $tprefix, $filter, $tvdir, $outfile ) = @_; my ( $tname, $tref ); my $bad = 0; + my $lastdir = ""; + $stprefix = $tprefix unless defined $stprefix; + if ($outfile ne "") { + open OUT, ">$outfile" || die "Can't open $outfile"; + } + if ($outfile ne "" && !$minimal_script) { + if ($win32) { + print OUT <<\END; +@echo off +rem Test vector run script +rem Auto generated by fipsalgtest.pl script +rem Do not edit + +echo Running Algorithm Tests + +END + } else { + print OUT <