1 /* ====================================================================
2 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
5 * This command is intended as a test driver for the FIPS-140 testing
6 * lab performing FIPS-140 validation. It demonstrates the use of the
7 * OpenSSL library ito perform a variety of common cryptographic
8 * functions. A power-up self test is demonstrated by deliberately
9 * pointing to an invalid executable hash
11 * Contributed by Steve Marquess.
19 #include <openssl/aes.h>
20 #include <openssl/des.h>
21 #include <openssl/hmac.h>
22 #include <openssl/err.h>
24 #include <openssl/bn.h>
25 #include <openssl/rand.h>
26 #include <openssl/sha.h>
29 int main(int argc, char *argv[])
31 printf("No FIPS support\n");
36 # include <openssl/rsa.h>
37 # include <openssl/dsa.h>
38 # include <openssl/dh.h>
40 # include <openssl/fips.h>
41 # include "fips_utl.h"
44 * AES: encrypt and decrypt known plaintext, verify result matches original
47 static int FIPS_aes_test(void)
50 unsigned char pltmp[16];
51 unsigned char citmp[16];
52 unsigned char key[16] =
53 { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
54 unsigned char plaintext[16] = "etaonrishdlcu";
56 EVP_CIPHER_CTX_init(&ctx);
57 if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(), NULL, key, NULL, 1) <= 0)
59 EVP_Cipher(&ctx, citmp, plaintext, 16);
60 if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(), NULL, key, NULL, 0) <= 0)
62 EVP_Cipher(&ctx, pltmp, citmp, 16);
63 if (memcmp(pltmp, plaintext, 16))
67 EVP_CIPHER_CTX_cleanup(&ctx);
71 static int FIPS_des3_test(void)
74 unsigned char pltmp[8];
75 unsigned char citmp[8];
77 { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18,
78 19, 20, 21, 22, 23, 24
80 unsigned char plaintext[] = { 'e', 't', 'a', 'o', 'n', 'r', 'i', 's' };
82 EVP_CIPHER_CTX_init(&ctx);
83 if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(), NULL, key, NULL, 1) <= 0)
85 EVP_Cipher(&ctx, citmp, plaintext, 8);
86 if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(), NULL, key, NULL, 0) <= 0)
88 EVP_Cipher(&ctx, pltmp, citmp, 8);
89 if (memcmp(pltmp, plaintext, 8))
93 EVP_CIPHER_CTX_cleanup(&ctx);
98 * DSA: generate keys and sign, verify input plaintext.
100 static int FIPS_dsa_test(int bad)
104 unsigned char dgst[] = "etaonrishdlc";
105 unsigned char buf[60];
111 EVP_MD_CTX_init(&mctx);
112 dsa = FIPS_dsa_new();
115 if (!DSA_generate_parameters_ex(dsa, 1024, NULL, 0, NULL, NULL, NULL))
117 if (!DSA_generate_key(dsa))
120 BN_add_word(dsa->pub_key, 1);
122 pk.type = EVP_PKEY_DSA;
125 if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL))
127 if (!EVP_SignUpdate(&mctx, dgst, sizeof(dgst) - 1))
129 if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
132 if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL))
134 if (!EVP_VerifyUpdate(&mctx, dgst, sizeof(dgst) - 1))
136 r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
138 EVP_MD_CTX_cleanup(&mctx);
147 * RSA: generate keys and sign, verify input plaintext.
149 static int FIPS_rsa_test(int bad)
152 unsigned char input_ptext[] = "etaonrishdlc";
153 unsigned char buf[256];
161 EVP_MD_CTX_init(&mctx);
162 key = FIPS_rsa_new();
166 BN_set_word(bn, 65537);
167 if (!RSA_generate_key_ex(key, 1024, bn, NULL))
171 BN_add_word(key->n, 1);
173 pk.type = EVP_PKEY_RSA;
176 if (!EVP_SignInit_ex(&mctx, EVP_sha1(), NULL))
178 if (!EVP_SignUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
180 if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
183 if (!EVP_VerifyInit_ex(&mctx, EVP_sha1(), NULL))
185 if (!EVP_VerifyUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
187 r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
189 EVP_MD_CTX_cleanup(&mctx);
198 * SHA1: generate hash of known digest value and compare to known precomputed
201 static int FIPS_sha1_test()
203 unsigned char digest[SHA_DIGEST_LENGTH] =
204 { 0x11, 0xf1, 0x9a, 0x3a, 0xec, 0x1a, 0x1e, 0x8e, 0x65, 0xd4, 0x9a,
205 0x38, 0x0c, 0x8b, 0x1e, 0x2c, 0xe8, 0xb3, 0xc5, 0x18
207 unsigned char str[] = "etaonrishd";
209 unsigned char md[SHA_DIGEST_LENGTH];
212 if (!EVP_Digest(str, sizeof(str) - 1, md, NULL, EVP_sha1(), NULL))
214 if (memcmp(md, digest, sizeof(md)))
220 * SHA256: generate hash of known digest value and compare to known
221 * precomputed correct hash
223 static int FIPS_sha256_test()
225 unsigned char digest[SHA256_DIGEST_LENGTH] =
226 { 0xf5, 0x53, 0xcd, 0xb8, 0xcf, 0x1, 0xee, 0x17, 0x9b, 0x93, 0xc9,
227 0x68, 0xc0, 0xea, 0x40, 0x91,
228 0x6, 0xec, 0x8e, 0x11, 0x96, 0xc8, 0x5d, 0x1c, 0xaf, 0x64, 0x22, 0xe6,
229 0x50, 0x4f, 0x47, 0x57
231 unsigned char str[] = "etaonrishd";
233 unsigned char md[SHA256_DIGEST_LENGTH];
236 if (!EVP_Digest(str, sizeof(str) - 1, md, NULL, EVP_sha256(), NULL))
238 if (memcmp(md, digest, sizeof(md)))
244 * SHA512: generate hash of known digest value and compare to known
245 * precomputed correct hash
247 static int FIPS_sha512_test()
249 unsigned char digest[SHA512_DIGEST_LENGTH] =
250 { 0x99, 0xc9, 0xe9, 0x5b, 0x88, 0xd4, 0x78, 0x88, 0xdf, 0x88, 0x5f,
251 0x94, 0x71, 0x64, 0x28, 0xca,
252 0x16, 0x1f, 0x3d, 0xf4, 0x1f, 0xf3, 0x0f, 0xc5, 0x03, 0x99, 0xb2,
253 0xd0, 0xe7, 0x0b, 0x94, 0x4a,
254 0x45, 0xd2, 0x6c, 0x4f, 0x20, 0x06, 0xef, 0x71, 0xa9, 0x25, 0x7f,
255 0x24, 0xb1, 0xd9, 0x40, 0x22,
256 0x49, 0x54, 0x10, 0xc2, 0x22, 0x9d, 0x27, 0xfe, 0xbd, 0xd6, 0xd6,
257 0xeb, 0x2d, 0x42, 0x1d, 0xa3
259 unsigned char str[] = "etaonrishd";
261 unsigned char md[SHA512_DIGEST_LENGTH];
264 if (!EVP_Digest(str, sizeof(str) - 1, md, NULL, EVP_sha512(), NULL))
266 if (memcmp(md, digest, sizeof(md)))
272 * HMAC-SHA1: generate hash of known digest value and compare to known
273 * precomputed correct hash
275 static int FIPS_hmac_sha1_test()
277 unsigned char key[] = "etaonrishd";
278 unsigned char iv[] = "Sample text";
279 unsigned char kaval[EVP_MAX_MD_SIZE] =
280 { 0x73, 0xf7, 0xa0, 0x48, 0xf8, 0x94, 0xed, 0xdd, 0x0a, 0xea, 0xea,
281 0x56, 0x1b, 0x61, 0x2e, 0x70,
282 0xb2, 0xfb, 0xec, 0xc6
285 unsigned char out[EVP_MAX_MD_SIZE];
290 (EVP_sha1(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out, &outlen))
292 if (memcmp(out, kaval, outlen))
298 * HMAC-SHA224: generate hash of known digest value and compare to known
299 * precomputed correct hash
301 static int FIPS_hmac_sha224_test()
303 unsigned char key[] = "etaonrishd";
304 unsigned char iv[] = "Sample text";
305 unsigned char kaval[EVP_MAX_MD_SIZE] =
306 { 0x75, 0x58, 0xd5, 0xbd, 0x55, 0x6d, 0x87, 0x0f, 0x75, 0xff, 0xbe,
307 0x1c, 0xb2, 0xf0, 0x20, 0x35,
308 0xe5, 0x62, 0x49, 0xb6, 0x94, 0xb9, 0xfc, 0x65, 0x34, 0x33, 0x3a, 0x19
311 unsigned char out[EVP_MAX_MD_SIZE];
316 (EVP_sha224(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out,
319 if (memcmp(out, kaval, outlen))
325 * HMAC-SHA256: generate hash of known digest value and compare to known
326 * precomputed correct hash
328 static int FIPS_hmac_sha256_test()
330 unsigned char key[] = "etaonrishd";
331 unsigned char iv[] = "Sample text";
332 unsigned char kaval[EVP_MAX_MD_SIZE] =
333 { 0xe9, 0x17, 0xc1, 0x7b, 0x4c, 0x6b, 0x77, 0xda, 0xd2, 0x30, 0x36,
334 0x02, 0xf5, 0x72, 0x33, 0x87,
335 0x9f, 0xc6, 0x6e, 0x7b, 0x7e, 0xa8, 0xea, 0xaa, 0x9f, 0xba, 0xee,
336 0x51, 0xff, 0xda, 0x24, 0xf4
339 unsigned char out[EVP_MAX_MD_SIZE];
344 (EVP_sha256(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out,
347 if (memcmp(out, kaval, outlen))
353 * HMAC-SHA384: generate hash of known digest value and compare to known
354 * precomputed correct hash
356 static int FIPS_hmac_sha384_test()
358 unsigned char key[] = "etaonrishd";
359 unsigned char iv[] = "Sample text";
360 unsigned char kaval[EVP_MAX_MD_SIZE] =
361 { 0xb2, 0x9d, 0x40, 0x58, 0x32, 0xc4, 0xe3, 0x31, 0xb6, 0x63, 0x08,
362 0x26, 0x99, 0xef, 0x3b, 0x10,
363 0xe2, 0xdf, 0xf8, 0xff, 0xc6, 0xe1, 0x03, 0x29, 0x81, 0x2a, 0x1b,
364 0xac, 0xb0, 0x07, 0x39, 0x08,
365 0xf3, 0x91, 0x35, 0x11, 0x76, 0xd6, 0x4c, 0x20, 0xfb, 0x4d, 0xc3,
366 0xf3, 0xb8, 0x9b, 0x88, 0x1c
369 unsigned char out[EVP_MAX_MD_SIZE];
374 (EVP_sha384(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out,
377 if (memcmp(out, kaval, outlen))
383 * HMAC-SHA512: generate hash of known digest value and compare to known
384 * precomputed correct hash
386 static int FIPS_hmac_sha512_test()
388 unsigned char key[] = "etaonrishd";
389 unsigned char iv[] = "Sample text";
390 unsigned char kaval[EVP_MAX_MD_SIZE] =
391 { 0xcd, 0x3e, 0xb9, 0x51, 0xb8, 0xbc, 0x7f, 0x9a, 0x23, 0xaf, 0xf3,
392 0x77, 0x59, 0x85, 0xa9, 0xe6,
393 0xf7, 0xd1, 0x51, 0x96, 0x17, 0xe0, 0x92, 0xd8, 0xa6, 0x3b, 0xc1,
394 0xad, 0x7e, 0x24, 0xca, 0xb1,
395 0xd7, 0x79, 0x0a, 0xa5, 0xea, 0x2c, 0x02, 0x58, 0x0b, 0xa6, 0x52,
396 0x6b, 0x61, 0x7f, 0xeb, 0x9c,
397 0x47, 0x86, 0x5d, 0x74, 0x2b, 0x88, 0xdf, 0xee, 0x46, 0x69, 0x96,
398 0x3d, 0xa6, 0xd9, 0x2a, 0x53
401 unsigned char out[EVP_MAX_MD_SIZE];
406 (EVP_sha512(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out,
409 if (memcmp(out, kaval, outlen))
415 * DH: generate shared parameters
424 if (!DH_generate_parameters_ex(dh, 1024, 2, NULL))
437 unsigned char userkey[16] =
438 { 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f,
439 0x83, 0x02, 0xb1, 0x09, 0x68
444 key = FIPS_rsa_new();
448 BN_set_word(bn, 65537);
449 if (!RSA_generate_key_ex(key, 1024, bn, NULL))
453 n = BN_num_bytes(key->d);
454 printf(" Generated %d byte RSA private key\n", n);
455 printf("\tBN key before overwriting:\n");
456 do_bn_print(stdout, key->d);
457 BN_rand(key->d, n * 8, -1, 0);
458 printf("\tBN key after overwriting:\n");
459 do_bn_print(stdout, key->d);
461 printf("\tchar buffer key before overwriting: \n\t\t");
462 for (i = 0; i < sizeof(userkey); i++)
463 printf("%02x", userkey[i]);
465 RAND_bytes(userkey, sizeof userkey);
466 printf("\tchar buffer key after overwriting: \n\t\t");
467 for (i = 0; i < sizeof(userkey); i++)
468 printf("%02x", userkey[i]);
475 static const char *Fail(const char *msg)
482 static void test_msg(const char *msg, int result)
484 printf("%s...%s\n", msg, result ? "successful" : Fail("Failed!"));
487 int main(int argc, char **argv)
490 int do_corrupt_rsa_keygen = 0, do_corrupt_dsa_keygen = 0;
491 int bad_rsa = 0, bad_dsa = 0;
492 int do_rng_stick = 0;
495 printf("\tFIPS-mode test application\n\n");
497 /* Load entropy from external file, if any */
498 RAND_load_file(".rnd", 1024);
501 /* Corrupted KAT tests */
502 if (!strcmp(argv[1], "aes")) {
504 printf("AES encryption/decryption with corrupted KAT...\n");
505 } else if (!strcmp(argv[1], "des")) {
507 printf("DES3-ECB encryption/decryption with corrupted KAT...\n");
508 } else if (!strcmp(argv[1], "dsa")) {
511 ("DSA key generation and signature validation with corrupted KAT...\n");
512 } else if (!strcmp(argv[1], "rsa")) {
515 ("RSA key generation and signature validation with corrupted KAT...\n");
516 } else if (!strcmp(argv[1], "rsakey")) {
518 ("RSA key generation and signature validation with corrupted key...\n");
521 } else if (!strcmp(argv[1], "rsakeygen")) {
522 do_corrupt_rsa_keygen = 1;
525 ("RSA key generation and signature validation with corrupted keygen...\n");
526 } else if (!strcmp(argv[1], "dsakey")) {
528 ("DSA key generation and signature validation with corrupted key...\n");
531 } else if (!strcmp(argv[1], "dsakeygen")) {
532 do_corrupt_dsa_keygen = 1;
535 ("DSA key generation and signature validation with corrupted keygen...\n");
536 } else if (!strcmp(argv[1], "sha1")) {
538 printf("SHA-1 hash with corrupted KAT...\n");
539 } else if (!strcmp(argv[1], "rng")) {
541 } else if (!strcmp(argv[1], "rngstick")) {
544 printf("RNG test with stuck continuous test...\n");
546 printf("Bad argument \"%s\"\n", argv[1]);
550 if (!FIPS_mode_set(1)) {
552 printf("Power-up self test failed\n");
555 printf("Power-up self test successful\n");
561 * Non-Approved cryptographic operation
563 printf("1. Non-Approved cryptographic operation test...\n");
564 test_msg("\ta. Included algorithm (D-H)...", dh_test());
570 test_msg("2. Automatic power-up self test", FIPS_mode_set(1));
573 if (do_corrupt_dsa_keygen)
574 FIPS_corrupt_dsa_keygen();
575 if (do_corrupt_rsa_keygen)
576 FIPS_corrupt_rsa_keygen();
581 * AES encryption/decryption
583 test_msg("3. AES encryption/decryption", FIPS_aes_test());
586 * RSA key generation and encryption/decryption
588 test_msg("4. RSA key generation and encryption/decryption",
589 FIPS_rsa_test(bad_rsa));
592 * DES-CBC encryption/decryption
594 test_msg("5. DES-ECB encryption/decryption", FIPS_des3_test());
597 * DSA key generation and signature validation
599 test_msg("6. DSA key generation and signature validation",
600 FIPS_dsa_test(bad_dsa));
605 test_msg("7a. SHA-1 hash", FIPS_sha1_test());
610 test_msg("7b. SHA-256 hash", FIPS_sha256_test());
615 test_msg("7c. SHA-512 hash", FIPS_sha512_test());
620 test_msg("7d. HMAC-SHA-1 hash", FIPS_hmac_sha1_test());
625 test_msg("7e. HMAC-SHA-224 hash", FIPS_hmac_sha224_test());
630 test_msg("7f. HMAC-SHA-256 hash", FIPS_hmac_sha256_test());
635 test_msg("7g. HMAC-SHA-384 hash", FIPS_hmac_sha384_test());
640 test_msg("7h. HMAC-SHA-512 hash", FIPS_hmac_sha512_test());
643 * Non-Approved cryptographic operation
645 printf("8. Non-Approved cryptographic operation test...\n");
646 printf("\ta. Included algorithm (D-H)...%s\n",
647 dh_test()? "successful as expected" : Fail("failed INCORRECTLY!"));
652 printf("9. Zero-ization...\n\t%s\n",
653 Zeroize()? "successful as expected" : Fail("failed INCORRECTLY!"));
655 printf("\nAll tests completed with %d errors\n", Error);
656 return Error ? 1 : 0;