/src/nss-nspr/nss/lib/freebl/fipsfreebl.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * PKCS #11 FIPS Power-Up Self Test. |
3 | | * |
4 | | * This Source Code Form is subject to the terms of the Mozilla Public |
5 | | * License, v. 2.0. If a copy of the MPL was not distributed with this |
6 | | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
7 | | /* $Id: fipstest.c,v 1.31 2012/06/28 17:55:06 rrelyea%redhat.com Exp $ */ |
8 | | |
9 | | #ifndef NSS_FIPS_DISABLED |
10 | | #ifdef FREEBL_NO_DEPEND |
11 | | #include "stubs.h" |
12 | | #endif |
13 | | |
14 | | #include "blapi.h" |
15 | | #include "seccomon.h" /* Required for RSA. */ |
16 | | #include "secerr.h" |
17 | | #include "prtypes.h" |
18 | | #include "secitem.h" |
19 | | #include "pkcs11t.h" |
20 | | #include "cmac.h" |
21 | | |
22 | | #include "ec.h" /* Required for EC */ |
23 | | |
24 | | /* |
25 | | * different platforms have different ways of calling and initial entry point |
26 | | * when the dll/.so is loaded. Most platforms support either a posix pragma |
27 | | * or the GCC attribute. Some platforms suppor a pre-defined name, and some |
28 | | * platforms have a link line way of invoking this function. |
29 | | */ |
30 | | |
31 | | /* The pragma */ |
32 | | #if defined(USE_INIT_PRAGMA) |
33 | | #pragma init(bl_startup_tests) |
34 | | #endif |
35 | | |
36 | | /* GCC Attribute */ |
37 | | #if defined(__GNUC__) && !defined(NSS_NO_INIT_SUPPORT) |
38 | | #define INIT_FUNCTION __attribute__((constructor)) |
39 | | #else |
40 | | #define INIT_FUNCTION |
41 | | #endif |
42 | | |
43 | | static void INIT_FUNCTION bl_startup_tests(void); |
44 | | |
45 | | /* Windows pre-defined entry */ |
46 | | #if defined(XP_WIN) && !defined(NSS_NO_INIT_SUPPORT) |
47 | | #include <windows.h> |
48 | | |
49 | | BOOL WINAPI |
50 | | DllMain( |
51 | | HINSTANCE hinstDLL, // handle to DLL module |
52 | | DWORD fdwReason, // reason for calling function |
53 | | LPVOID lpReserved) // reserved |
54 | | { |
55 | | // Perform actions based on the reason for calling. |
56 | | switch (fdwReason) { |
57 | | case DLL_PROCESS_ATTACH: |
58 | | // Initialize once for each new process. |
59 | | // Return FALSE to fail DLL load. |
60 | | bl_startup_tests(); |
61 | | break; |
62 | | |
63 | | case DLL_THREAD_ATTACH: |
64 | | // Do thread-specific initialization. |
65 | | break; |
66 | | |
67 | | case DLL_THREAD_DETACH: |
68 | | // Do thread-specific cleanup. |
69 | | break; |
70 | | |
71 | | case DLL_PROCESS_DETACH: |
72 | | // Perform any necessary cleanup. |
73 | | break; |
74 | | } |
75 | | return TRUE; // Successful DLL_PROCESS_ATTACH. |
76 | | } |
77 | | #endif |
78 | | |
79 | | /* insert other platform dependent init entry points here, or modify |
80 | | * the linker line */ |
81 | | |
82 | | /* FIPS preprocessor directives for RC2-ECB and RC2-CBC. */ |
83 | | #define FIPS_RC2_KEY_LENGTH 5 /* 40-bits */ |
84 | | #define FIPS_RC2_ENCRYPT_LENGTH 8 /* 64-bits */ |
85 | | #define FIPS_RC2_DECRYPT_LENGTH 8 /* 64-bits */ |
86 | | |
87 | | /* FIPS preprocessor directives for RC4. */ |
88 | | #define FIPS_RC4_KEY_LENGTH 5 /* 40-bits */ |
89 | | #define FIPS_RC4_ENCRYPT_LENGTH 8 /* 64-bits */ |
90 | | #define FIPS_RC4_DECRYPT_LENGTH 8 /* 64-bits */ |
91 | | |
92 | | /* FIPS preprocessor directives for DES-ECB and DES-CBC. */ |
93 | | #define FIPS_DES_ENCRYPT_LENGTH 8 /* 64-bits */ |
94 | | #define FIPS_DES_DECRYPT_LENGTH 8 /* 64-bits */ |
95 | | |
96 | | /* FIPS preprocessor directives for DES3-CBC and DES3-ECB. */ |
97 | 0 | #define FIPS_DES3_ENCRYPT_LENGTH 8 /* 64-bits */ |
98 | 0 | #define FIPS_DES3_DECRYPT_LENGTH 8 /* 64-bits */ |
99 | | |
100 | | /* FIPS preprocessor directives for AES-ECB and AES-CBC. */ |
101 | 0 | #define FIPS_AES_BLOCK_SIZE 16 /* 128-bits */ |
102 | 0 | #define FIPS_AES_ENCRYPT_LENGTH 16 /* 128-bits */ |
103 | 0 | #define FIPS_AES_DECRYPT_LENGTH 16 /* 128-bits */ |
104 | 0 | #define FIPS_AES_CMAC_LENGTH 16 /* 128-bits */ |
105 | 0 | #define FIPS_AES_128_KEY_SIZE 16 /* 128-bits */ |
106 | 0 | #define FIPS_AES_192_KEY_SIZE 24 /* 192-bits */ |
107 | 0 | #define FIPS_AES_256_KEY_SIZE 32 /* 256-bits */ |
108 | | |
109 | | /* FIPS preprocessor directives for message digests */ |
110 | 10 | #define FIPS_KNOWN_HASH_MESSAGE_LENGTH 64 /* 512-bits */ |
111 | | |
112 | | /* FIPS preprocessor directives for RSA. */ |
113 | 0 | #define FIPS_RSA_TYPE siBuffer |
114 | 0 | #define FIPS_RSA_PUBLIC_EXPONENT_LENGTH 3 /* 24-bits */ |
115 | 0 | #define FIPS_RSA_PRIVATE_VERSION_LENGTH 1 /* 8-bits */ |
116 | | #define FIPS_RSA_MESSAGE_LENGTH 256 /* 2048-bits */ |
117 | 0 | #define FIPS_RSA_COEFFICIENT_LENGTH 128 /* 1024-bits */ |
118 | 0 | #define FIPS_RSA_PRIME0_LENGTH 128 /* 1024-bits */ |
119 | 0 | #define FIPS_RSA_PRIME1_LENGTH 128 /* 1024-bits */ |
120 | 0 | #define FIPS_RSA_EXPONENT0_LENGTH 128 /* 1024-bits */ |
121 | 0 | #define FIPS_RSA_EXPONENT1_LENGTH 128 /* 1024-bits */ |
122 | 0 | #define FIPS_RSA_PRIVATE_EXPONENT_LENGTH 256 /* 2048-bits */ |
123 | 0 | #define FIPS_RSA_ENCRYPT_LENGTH 256 /* 2048-bits */ |
124 | 0 | #define FIPS_RSA_DECRYPT_LENGTH 256 /* 2048-bits */ |
125 | | #define FIPS_RSA_SIGNATURE_LENGTH 256 /* 2048-bits */ |
126 | 0 | #define FIPS_RSA_MODULUS_LENGTH 256 /* 2048-bits */ |
127 | | |
128 | | /* FIPS preprocessor directives for RNG. */ |
129 | | #define FIPS_RNG_XKEY_LENGTH 32 /* 256-bits */ |
130 | | |
131 | | static SECStatus |
132 | | freebl_fips_DES3_PowerUpSelfTest(void) |
133 | 0 | { |
134 | | /* DES3 Known Key (56-bits). */ |
135 | 0 | static const PRUint8 des3_known_key[] = { "ANSI Triple-DES Key Data" }; |
136 | | |
137 | | /* DES3-CBC Known Initialization Vector (64-bits). */ |
138 | 0 | static const PRUint8 des3_cbc_known_initialization_vector[] = { "Security" }; |
139 | | |
140 | | /* DES3 Known Plaintext (64-bits). */ |
141 | 0 | static const PRUint8 des3_ecb_known_plaintext[] = { "Netscape" }; |
142 | 0 | static const PRUint8 des3_cbc_known_plaintext[] = { "Netscape" }; |
143 | | |
144 | | /* DES3 Known Ciphertext (64-bits). */ |
145 | 0 | static const PRUint8 des3_ecb_known_ciphertext[] = { |
146 | 0 | 0x55, 0x8e, 0xad, 0x3c, 0xee, 0x49, 0x69, 0xbe |
147 | 0 | }; |
148 | 0 | static const PRUint8 des3_cbc_known_ciphertext[] = { |
149 | 0 | 0x43, 0xdc, 0x6a, 0xc1, 0xaf, 0xa6, 0x32, 0xf5 |
150 | 0 | }; |
151 | | |
152 | | /* DES3 variables. */ |
153 | 0 | PRUint8 des3_computed_ciphertext[FIPS_DES3_ENCRYPT_LENGTH]; |
154 | 0 | PRUint8 des3_computed_plaintext[FIPS_DES3_DECRYPT_LENGTH]; |
155 | 0 | DESContext *des3_context; |
156 | 0 | unsigned int des3_bytes_encrypted; |
157 | 0 | unsigned int des3_bytes_decrypted; |
158 | 0 | SECStatus des3_status; |
159 | | |
160 | | /*******************************************************/ |
161 | | /* DES3-ECB Single-Round Known Answer Encryption Test. */ |
162 | | /*******************************************************/ |
163 | |
|
164 | 0 | des3_context = DES_CreateContext(des3_known_key, NULL, |
165 | 0 | NSS_DES_EDE3, PR_TRUE); |
166 | |
|
167 | 0 | if (des3_context == NULL) { |
168 | 0 | PORT_SetError(SEC_ERROR_NO_MEMORY); |
169 | 0 | return (SECFailure); |
170 | 0 | } |
171 | | |
172 | 0 | des3_status = DES_Encrypt(des3_context, des3_computed_ciphertext, |
173 | 0 | &des3_bytes_encrypted, FIPS_DES3_ENCRYPT_LENGTH, |
174 | 0 | des3_ecb_known_plaintext, |
175 | 0 | FIPS_DES3_DECRYPT_LENGTH); |
176 | |
|
177 | 0 | DES_DestroyContext(des3_context, PR_TRUE); |
178 | |
|
179 | 0 | if ((des3_status != SECSuccess) || |
180 | 0 | (des3_bytes_encrypted != FIPS_DES3_ENCRYPT_LENGTH) || |
181 | 0 | (PORT_Memcmp(des3_computed_ciphertext, des3_ecb_known_ciphertext, |
182 | 0 | FIPS_DES3_ENCRYPT_LENGTH) != 0)) { |
183 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
184 | 0 | return (SECFailure); |
185 | 0 | } |
186 | | |
187 | | /*******************************************************/ |
188 | | /* DES3-ECB Single-Round Known Answer Decryption Test. */ |
189 | | /*******************************************************/ |
190 | | |
191 | 0 | des3_context = DES_CreateContext(des3_known_key, NULL, |
192 | 0 | NSS_DES_EDE3, PR_FALSE); |
193 | |
|
194 | 0 | if (des3_context == NULL) { |
195 | 0 | PORT_SetError(SEC_ERROR_NO_MEMORY); |
196 | 0 | return (SECFailure); |
197 | 0 | } |
198 | | |
199 | 0 | des3_status = DES_Decrypt(des3_context, des3_computed_plaintext, |
200 | 0 | &des3_bytes_decrypted, FIPS_DES3_DECRYPT_LENGTH, |
201 | 0 | des3_ecb_known_ciphertext, |
202 | 0 | FIPS_DES3_ENCRYPT_LENGTH); |
203 | |
|
204 | 0 | DES_DestroyContext(des3_context, PR_TRUE); |
205 | |
|
206 | 0 | if ((des3_status != SECSuccess) || |
207 | 0 | (des3_bytes_decrypted != FIPS_DES3_DECRYPT_LENGTH) || |
208 | 0 | (PORT_Memcmp(des3_computed_plaintext, des3_ecb_known_plaintext, |
209 | 0 | FIPS_DES3_DECRYPT_LENGTH) != 0)) { |
210 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
211 | 0 | return (SECFailure); |
212 | 0 | } |
213 | | |
214 | | /*******************************************************/ |
215 | | /* DES3-CBC Single-Round Known Answer Encryption Test. */ |
216 | | /*******************************************************/ |
217 | | |
218 | 0 | des3_context = DES_CreateContext(des3_known_key, |
219 | 0 | des3_cbc_known_initialization_vector, |
220 | 0 | NSS_DES_EDE3_CBC, PR_TRUE); |
221 | |
|
222 | 0 | if (des3_context == NULL) { |
223 | 0 | PORT_SetError(SEC_ERROR_NO_MEMORY); |
224 | 0 | return (SECFailure); |
225 | 0 | } |
226 | | |
227 | 0 | des3_status = DES_Encrypt(des3_context, des3_computed_ciphertext, |
228 | 0 | &des3_bytes_encrypted, FIPS_DES3_ENCRYPT_LENGTH, |
229 | 0 | des3_cbc_known_plaintext, |
230 | 0 | FIPS_DES3_DECRYPT_LENGTH); |
231 | |
|
232 | 0 | DES_DestroyContext(des3_context, PR_TRUE); |
233 | |
|
234 | 0 | if ((des3_status != SECSuccess) || |
235 | 0 | (des3_bytes_encrypted != FIPS_DES3_ENCRYPT_LENGTH) || |
236 | 0 | (PORT_Memcmp(des3_computed_ciphertext, des3_cbc_known_ciphertext, |
237 | 0 | FIPS_DES3_ENCRYPT_LENGTH) != 0)) { |
238 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
239 | 0 | return (SECFailure); |
240 | 0 | } |
241 | | |
242 | | /*******************************************************/ |
243 | | /* DES3-CBC Single-Round Known Answer Decryption Test. */ |
244 | | /*******************************************************/ |
245 | | |
246 | 0 | des3_context = DES_CreateContext(des3_known_key, |
247 | 0 | des3_cbc_known_initialization_vector, |
248 | 0 | NSS_DES_EDE3_CBC, PR_FALSE); |
249 | |
|
250 | 0 | if (des3_context == NULL) { |
251 | 0 | PORT_SetError(SEC_ERROR_NO_MEMORY); |
252 | 0 | return (SECFailure); |
253 | 0 | } |
254 | | |
255 | 0 | des3_status = DES_Decrypt(des3_context, des3_computed_plaintext, |
256 | 0 | &des3_bytes_decrypted, FIPS_DES3_DECRYPT_LENGTH, |
257 | 0 | des3_cbc_known_ciphertext, |
258 | 0 | FIPS_DES3_ENCRYPT_LENGTH); |
259 | |
|
260 | 0 | DES_DestroyContext(des3_context, PR_TRUE); |
261 | |
|
262 | 0 | if ((des3_status != SECSuccess) || |
263 | 0 | (des3_bytes_decrypted != FIPS_DES3_DECRYPT_LENGTH) || |
264 | 0 | (PORT_Memcmp(des3_computed_plaintext, des3_cbc_known_plaintext, |
265 | 0 | FIPS_DES3_DECRYPT_LENGTH) != 0)) { |
266 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
267 | 0 | return (SECFailure); |
268 | 0 | } |
269 | | |
270 | 0 | return (SECSuccess); |
271 | 0 | } |
272 | | |
273 | | /* AES self-test for 128-bit, 192-bit, or 256-bit key sizes*/ |
274 | | static SECStatus |
275 | | freebl_fips_AES_PowerUpSelfTest(int aes_key_size) |
276 | 0 | { |
277 | | /* AES Known Key (up to 256-bits). */ |
278 | 0 | static const PRUint8 aes_known_key[] = { "AES-128 RIJNDAELLEADNJIR 821-SEA" }; |
279 | | |
280 | | /* AES-CBC Known Initialization Vector (128-bits). */ |
281 | 0 | static const PRUint8 aes_cbc_known_initialization_vector[] = { "SecurityytiruceS" }; |
282 | | |
283 | | /* AES Known Plaintext (128-bits). (blocksize is 128-bits) */ |
284 | 0 | static const PRUint8 aes_known_plaintext[] = { "NetscapeepacsteN" }; |
285 | |
|
286 | 0 | static const PRUint8 aes_gcm_known_aad[] = { "MozillaallizoM" }; |
287 | | |
288 | | /* AES Known Ciphertext (128-bit key). */ |
289 | 0 | static const PRUint8 aes_ecb128_known_ciphertext[] = { |
290 | 0 | 0x3c, 0xa5, 0x96, 0xf3, 0x34, 0x6a, 0x96, 0xc1, |
291 | 0 | 0x03, 0x88, 0x16, 0x7b, 0x20, 0xbf, 0x35, 0x47 |
292 | 0 | }; |
293 | |
|
294 | 0 | static const PRUint8 aes_cbc128_known_ciphertext[] = { |
295 | 0 | 0xcf, 0x15, 0x1d, 0x4f, 0x96, 0xe4, 0x4f, 0x63, |
296 | 0 | 0x15, 0x54, 0x14, 0x1d, 0x4e, 0xd8, 0xd5, 0xea |
297 | 0 | }; |
298 | |
|
299 | 0 | static const PRUint8 aes_gcm128_known_ciphertext[] = { |
300 | 0 | 0x63, 0xf4, 0x95, 0x28, 0xe6, 0x78, 0xee, 0x6e, |
301 | 0 | 0x4f, 0xe0, 0xfc, 0x8d, 0xd7, 0xa2, 0xb1, 0xff, |
302 | 0 | 0x0c, 0x97, 0x1b, 0x0a, 0xdd, 0x97, 0x75, 0xed, |
303 | 0 | 0x8b, 0xde, 0xbf, 0x16, 0x5e, 0x57, 0x6b, 0x4f |
304 | 0 | }; |
305 | |
|
306 | 0 | static const PRUint8 aes_cmac128_known_ciphertext[] = { |
307 | 0 | 0x54, 0x11, 0xe2, 0x57, 0xbd, 0x2a, 0xdf, 0x9d, |
308 | 0 | 0x1a, 0x89, 0x72, 0x80, 0x84, 0x4c, 0x7e, 0x93 |
309 | 0 | }; |
310 | | |
311 | | /* AES Known Ciphertext (192-bit key). */ |
312 | 0 | static const PRUint8 aes_ecb192_known_ciphertext[] = { |
313 | 0 | 0xa0, 0x18, 0x62, 0xed, 0x88, 0x19, 0xcb, 0x62, |
314 | 0 | 0x88, 0x1d, 0x4d, 0xfe, 0x84, 0x02, 0x89, 0x0e |
315 | 0 | }; |
316 | |
|
317 | 0 | static const PRUint8 aes_cbc192_known_ciphertext[] = { |
318 | 0 | 0x83, 0xf7, 0xa4, 0x76, 0xd1, 0x6f, 0x07, 0xbe, |
319 | 0 | 0x07, 0xbc, 0x43, 0x2f, 0x6d, 0xad, 0x29, 0xe1 |
320 | 0 | }; |
321 | |
|
322 | 0 | static const PRUint8 aes_gcm192_known_ciphertext[] = { |
323 | 0 | 0xc1, 0x0b, 0x92, 0x1d, 0x68, 0x21, 0xf4, 0x25, |
324 | 0 | 0x41, 0x61, 0x20, 0x2d, 0x59, 0x7f, 0x53, 0xde, |
325 | 0 | 0x93, 0x39, 0xab, 0x09, 0x76, 0x41, 0x57, 0x2b, |
326 | 0 | 0x90, 0x2e, 0x44, 0xbb, 0x52, 0x03, 0xe9, 0x07 |
327 | 0 | }; |
328 | |
|
329 | 0 | static const PRUint8 aes_cmac192_known_ciphertext[] = { |
330 | 0 | 0x0e, 0x07, 0x99, 0x1e, 0xf6, 0xee, 0xfa, 0x2c, |
331 | 0 | 0x1b, 0xfc, 0xce, 0x94, 0x92, 0x2d, 0xf1, 0xab |
332 | 0 | }; |
333 | | |
334 | | /* AES Known Ciphertext (256-bit key). */ |
335 | 0 | static const PRUint8 aes_ecb256_known_ciphertext[] = { |
336 | 0 | 0xdb, 0xa6, 0x52, 0x01, 0x8a, 0x70, 0xae, 0x66, |
337 | 0 | 0x3a, 0x99, 0xd8, 0x95, 0x7f, 0xfb, 0x01, 0x67 |
338 | 0 | }; |
339 | |
|
340 | 0 | static const PRUint8 aes_cbc256_known_ciphertext[] = { |
341 | 0 | 0x37, 0xea, 0x07, 0x06, 0x31, 0x1c, 0x59, 0x27, |
342 | 0 | 0xc5, 0xc5, 0x68, 0x71, 0x6e, 0x34, 0x40, 0x16 |
343 | 0 | }; |
344 | |
|
345 | 0 | static const PRUint8 aes_gcm256_known_ciphertext[] = { |
346 | 0 | 0x5d, 0x9e, 0xd2, 0xa2, 0x74, 0x9c, 0xd9, 0x1c, |
347 | 0 | 0xd1, 0xc9, 0xee, 0x5d, 0xb6, 0xf2, 0xc9, 0xb6, |
348 | 0 | 0x79, 0x27, 0x53, 0x02, 0xa3, 0xdc, 0x22, 0xce, |
349 | 0 | 0xf4, 0xb0, 0xc1, 0x8c, 0x86, 0x51, 0xf5, 0xa1 |
350 | 0 | }; |
351 | |
|
352 | 0 | static const PRUint8 aes_cmac256_known_ciphertext[] = { |
353 | 0 | 0xc1, 0x26, 0x69, 0x32, 0x51, 0x13, 0x65, 0xac, |
354 | 0 | 0x71, 0x23, 0xe4, 0xe7, 0xb9, 0x0c, 0x88, 0x9f |
355 | |
|
356 | 0 | }; |
357 | |
|
358 | 0 | const PRUint8 *aes_ecb_known_ciphertext = |
359 | 0 | (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_ecb128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_ecb192_known_ciphertext |
360 | 0 | : aes_ecb256_known_ciphertext; |
361 | |
|
362 | 0 | const PRUint8 *aes_cbc_known_ciphertext = |
363 | 0 | (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_cbc128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_cbc192_known_ciphertext |
364 | 0 | : aes_cbc256_known_ciphertext; |
365 | |
|
366 | 0 | const PRUint8 *aes_gcm_known_ciphertext = |
367 | 0 | (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_gcm128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_gcm192_known_ciphertext |
368 | 0 | : aes_gcm256_known_ciphertext; |
369 | |
|
370 | 0 | const PRUint8 *aes_cmac_known_ciphertext = |
371 | 0 | (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_cmac128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_cmac192_known_ciphertext |
372 | 0 | : aes_cmac256_known_ciphertext; |
373 | | |
374 | | /* AES variables. */ |
375 | 0 | PRUint8 aes_computed_ciphertext[FIPS_AES_ENCRYPT_LENGTH * 2]; |
376 | 0 | PRUint8 aes_computed_plaintext[FIPS_AES_DECRYPT_LENGTH * 2]; |
377 | 0 | AESContext *aes_context; |
378 | 0 | CMACContext *cmac_context; |
379 | 0 | unsigned int aes_bytes_encrypted; |
380 | 0 | unsigned int aes_bytes_decrypted; |
381 | 0 | CK_NSS_GCM_PARAMS gcmParams; |
382 | 0 | SECStatus aes_status; |
383 | | |
384 | | /*check if aes_key_size is 128, 192, or 256 bits */ |
385 | 0 | if ((aes_key_size != FIPS_AES_128_KEY_SIZE) && |
386 | 0 | (aes_key_size != FIPS_AES_192_KEY_SIZE) && |
387 | 0 | (aes_key_size != FIPS_AES_256_KEY_SIZE)) { |
388 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
389 | 0 | return (SECFailure); |
390 | 0 | } |
391 | | |
392 | | /******************************************************/ |
393 | | /* AES-ECB Single-Round Known Answer Encryption Test: */ |
394 | | /******************************************************/ |
395 | | |
396 | 0 | aes_context = AES_CreateContext(aes_known_key, NULL, NSS_AES, PR_TRUE, |
397 | 0 | aes_key_size, FIPS_AES_BLOCK_SIZE); |
398 | |
|
399 | 0 | if (aes_context == NULL) { |
400 | 0 | PORT_SetError(SEC_ERROR_NO_MEMORY); |
401 | 0 | return (SECFailure); |
402 | 0 | } |
403 | | |
404 | 0 | aes_status = AES_Encrypt(aes_context, aes_computed_ciphertext, |
405 | 0 | &aes_bytes_encrypted, FIPS_AES_ENCRYPT_LENGTH, |
406 | 0 | aes_known_plaintext, |
407 | 0 | FIPS_AES_DECRYPT_LENGTH); |
408 | |
|
409 | 0 | AES_DestroyContext(aes_context, PR_TRUE); |
410 | |
|
411 | 0 | if ((aes_status != SECSuccess) || |
412 | 0 | (aes_bytes_encrypted != FIPS_AES_ENCRYPT_LENGTH) || |
413 | 0 | (PORT_Memcmp(aes_computed_ciphertext, aes_ecb_known_ciphertext, |
414 | 0 | FIPS_AES_ENCRYPT_LENGTH) != 0)) { |
415 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
416 | 0 | return (SECFailure); |
417 | 0 | } |
418 | | |
419 | | /******************************************************/ |
420 | | /* AES-ECB Single-Round Known Answer Decryption Test: */ |
421 | | /******************************************************/ |
422 | | |
423 | 0 | aes_context = AES_CreateContext(aes_known_key, NULL, NSS_AES, PR_FALSE, |
424 | 0 | aes_key_size, FIPS_AES_BLOCK_SIZE); |
425 | |
|
426 | 0 | if (aes_context == NULL) { |
427 | 0 | PORT_SetError(SEC_ERROR_NO_MEMORY); |
428 | 0 | return (SECFailure); |
429 | 0 | } |
430 | | |
431 | 0 | aes_status = AES_Decrypt(aes_context, aes_computed_plaintext, |
432 | 0 | &aes_bytes_decrypted, FIPS_AES_DECRYPT_LENGTH, |
433 | 0 | aes_ecb_known_ciphertext, |
434 | 0 | FIPS_AES_ENCRYPT_LENGTH); |
435 | |
|
436 | 0 | AES_DestroyContext(aes_context, PR_TRUE); |
437 | |
|
438 | 0 | if ((aes_status != SECSuccess) || |
439 | 0 | (aes_bytes_decrypted != FIPS_AES_DECRYPT_LENGTH) || |
440 | 0 | (PORT_Memcmp(aes_computed_plaintext, aes_known_plaintext, |
441 | 0 | FIPS_AES_DECRYPT_LENGTH) != 0)) { |
442 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
443 | 0 | return (SECFailure); |
444 | 0 | } |
445 | | |
446 | | /******************************************************/ |
447 | | /* AES-CBC Single-Round Known Answer Encryption Test. */ |
448 | | /******************************************************/ |
449 | | |
450 | 0 | aes_context = AES_CreateContext(aes_known_key, |
451 | 0 | aes_cbc_known_initialization_vector, |
452 | 0 | NSS_AES_CBC, PR_TRUE, aes_key_size, |
453 | 0 | FIPS_AES_BLOCK_SIZE); |
454 | |
|
455 | 0 | if (aes_context == NULL) { |
456 | 0 | PORT_SetError(SEC_ERROR_NO_MEMORY); |
457 | 0 | return (SECFailure); |
458 | 0 | } |
459 | | |
460 | 0 | aes_status = AES_Encrypt(aes_context, aes_computed_ciphertext, |
461 | 0 | &aes_bytes_encrypted, FIPS_AES_ENCRYPT_LENGTH, |
462 | 0 | aes_known_plaintext, |
463 | 0 | FIPS_AES_DECRYPT_LENGTH); |
464 | |
|
465 | 0 | AES_DestroyContext(aes_context, PR_TRUE); |
466 | |
|
467 | 0 | if ((aes_status != SECSuccess) || |
468 | 0 | (aes_bytes_encrypted != FIPS_AES_ENCRYPT_LENGTH) || |
469 | 0 | (PORT_Memcmp(aes_computed_ciphertext, aes_cbc_known_ciphertext, |
470 | 0 | FIPS_AES_ENCRYPT_LENGTH) != 0)) { |
471 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
472 | 0 | return (SECFailure); |
473 | 0 | } |
474 | | |
475 | | /******************************************************/ |
476 | | /* AES-CBC Single-Round Known Answer Decryption Test. */ |
477 | | /******************************************************/ |
478 | | |
479 | 0 | aes_context = AES_CreateContext(aes_known_key, |
480 | 0 | aes_cbc_known_initialization_vector, |
481 | 0 | NSS_AES_CBC, PR_FALSE, aes_key_size, |
482 | 0 | FIPS_AES_BLOCK_SIZE); |
483 | |
|
484 | 0 | if (aes_context == NULL) { |
485 | 0 | PORT_SetError(SEC_ERROR_NO_MEMORY); |
486 | 0 | return (SECFailure); |
487 | 0 | } |
488 | | |
489 | 0 | aes_status = AES_Decrypt(aes_context, aes_computed_plaintext, |
490 | 0 | &aes_bytes_decrypted, FIPS_AES_DECRYPT_LENGTH, |
491 | 0 | aes_cbc_known_ciphertext, |
492 | 0 | FIPS_AES_ENCRYPT_LENGTH); |
493 | |
|
494 | 0 | AES_DestroyContext(aes_context, PR_TRUE); |
495 | |
|
496 | 0 | if ((aes_status != SECSuccess) || |
497 | 0 | (aes_bytes_decrypted != FIPS_AES_DECRYPT_LENGTH) || |
498 | 0 | (PORT_Memcmp(aes_computed_plaintext, aes_known_plaintext, |
499 | 0 | FIPS_AES_DECRYPT_LENGTH) != 0)) { |
500 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
501 | 0 | return (SECFailure); |
502 | 0 | } |
503 | | |
504 | | /******************************************************/ |
505 | | /* AES-GCM Single-Round Known Answer Encryption Test. */ |
506 | | /******************************************************/ |
507 | | |
508 | 0 | gcmParams.pIv = (PRUint8 *)aes_cbc_known_initialization_vector; |
509 | 0 | gcmParams.ulIvLen = FIPS_AES_BLOCK_SIZE; |
510 | 0 | gcmParams.pAAD = (PRUint8 *)aes_gcm_known_aad; |
511 | 0 | gcmParams.ulAADLen = sizeof(aes_gcm_known_aad); |
512 | 0 | gcmParams.ulTagBits = FIPS_AES_BLOCK_SIZE * 8; |
513 | 0 | aes_context = AES_CreateContext(aes_known_key, |
514 | 0 | (PRUint8 *)&gcmParams, |
515 | 0 | NSS_AES_GCM, PR_TRUE, aes_key_size, |
516 | 0 | FIPS_AES_BLOCK_SIZE); |
517 | |
|
518 | 0 | if (aes_context == NULL) { |
519 | 0 | PORT_SetError(SEC_ERROR_NO_MEMORY); |
520 | 0 | return (SECFailure); |
521 | 0 | } |
522 | | |
523 | 0 | aes_status = AES_Encrypt(aes_context, aes_computed_ciphertext, |
524 | 0 | &aes_bytes_encrypted, FIPS_AES_ENCRYPT_LENGTH * 2, |
525 | 0 | aes_known_plaintext, |
526 | 0 | FIPS_AES_DECRYPT_LENGTH); |
527 | |
|
528 | 0 | AES_DestroyContext(aes_context, PR_TRUE); |
529 | |
|
530 | 0 | if ((aes_status != SECSuccess) || |
531 | 0 | (aes_bytes_encrypted != FIPS_AES_ENCRYPT_LENGTH * 2) || |
532 | 0 | (PORT_Memcmp(aes_computed_ciphertext, aes_gcm_known_ciphertext, |
533 | 0 | FIPS_AES_ENCRYPT_LENGTH * 2) != 0)) { |
534 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
535 | 0 | return (SECFailure); |
536 | 0 | } |
537 | | |
538 | | /******************************************************/ |
539 | | /* AES-GCM Single-Round Known Answer Decryption Test. */ |
540 | | /******************************************************/ |
541 | | |
542 | 0 | aes_context = AES_CreateContext(aes_known_key, |
543 | 0 | (PRUint8 *)&gcmParams, |
544 | 0 | NSS_AES_GCM, PR_FALSE, aes_key_size, |
545 | 0 | FIPS_AES_BLOCK_SIZE); |
546 | |
|
547 | 0 | if (aes_context == NULL) { |
548 | 0 | PORT_SetError(SEC_ERROR_NO_MEMORY); |
549 | 0 | return (SECFailure); |
550 | 0 | } |
551 | | |
552 | 0 | aes_status = AES_Decrypt(aes_context, aes_computed_plaintext, |
553 | 0 | &aes_bytes_decrypted, FIPS_AES_DECRYPT_LENGTH * 2, |
554 | 0 | aes_gcm_known_ciphertext, |
555 | 0 | FIPS_AES_ENCRYPT_LENGTH * 2); |
556 | |
|
557 | 0 | AES_DestroyContext(aes_context, PR_TRUE); |
558 | |
|
559 | 0 | if ((aes_status != SECSuccess) || |
560 | 0 | (aes_bytes_decrypted != FIPS_AES_DECRYPT_LENGTH) || |
561 | 0 | (PORT_Memcmp(aes_computed_plaintext, aes_known_plaintext, |
562 | 0 | FIPS_AES_DECRYPT_LENGTH) != 0)) { |
563 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
564 | 0 | return (SECFailure); |
565 | 0 | } |
566 | | |
567 | | /******************************************************/ |
568 | | /* AES-CMAC Known Answer Encryption Test. */ |
569 | | /******************************************************/ |
570 | 0 | cmac_context = CMAC_Create(CMAC_AES, aes_known_key, aes_key_size); |
571 | |
|
572 | 0 | if (cmac_context == NULL) { |
573 | 0 | PORT_SetError(SEC_ERROR_NO_MEMORY); |
574 | 0 | return (SECFailure); |
575 | 0 | } |
576 | | |
577 | 0 | aes_status = CMAC_Begin(cmac_context); |
578 | 0 | if (aes_status != SECSuccess) { |
579 | 0 | CMAC_Destroy(cmac_context, PR_TRUE); |
580 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
581 | 0 | return (SECFailure); |
582 | 0 | } |
583 | | |
584 | 0 | aes_status = CMAC_Update(cmac_context, aes_known_plaintext, |
585 | 0 | FIPS_AES_DECRYPT_LENGTH); |
586 | 0 | if (aes_status != SECSuccess) { |
587 | 0 | CMAC_Destroy(cmac_context, PR_TRUE); |
588 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
589 | 0 | return (SECFailure); |
590 | 0 | } |
591 | | |
592 | 0 | aes_status = CMAC_Finish(cmac_context, aes_computed_ciphertext, |
593 | 0 | &aes_bytes_encrypted, FIPS_AES_CMAC_LENGTH); |
594 | |
|
595 | 0 | CMAC_Destroy(cmac_context, PR_TRUE); |
596 | |
|
597 | 0 | if ((aes_status != SECSuccess) || |
598 | 0 | (aes_bytes_encrypted != FIPS_AES_CMAC_LENGTH) || |
599 | 0 | (PORT_Memcmp(aes_computed_ciphertext, aes_cmac_known_ciphertext, |
600 | 0 | FIPS_AES_CMAC_LENGTH) != 0)) { |
601 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
602 | 0 | return (SECFailure); |
603 | 0 | } |
604 | | |
605 | 0 | return (SECSuccess); |
606 | 0 | } |
607 | | |
608 | | /* Known Hash Message (512-bits). Used for all hashes (incl. SHA-N [N>1]). */ |
609 | | static const PRUint8 known_hash_message[] = { |
610 | | "The test message for the MD2, MD5, and SHA-1 hashing algorithms." |
611 | | }; |
612 | | |
613 | | /****************************************************/ |
614 | | /* Single Round HMAC SHA-X test */ |
615 | | /****************************************************/ |
616 | | static SECStatus |
617 | | freebl_fips_HMAC(unsigned char *hmac_computed, |
618 | | const PRUint8 *secret_key, |
619 | | unsigned int secret_key_length, |
620 | | const PRUint8 *message, |
621 | | unsigned int message_length, |
622 | | HASH_HashType hashAlg) |
623 | 0 | { |
624 | 0 | SECStatus hmac_status = SECFailure; |
625 | 0 | HMACContext *cx = NULL; |
626 | 0 | SECHashObject *hashObj = NULL; |
627 | 0 | unsigned int bytes_hashed = 0; |
628 | |
|
629 | 0 | hashObj = (SECHashObject *)HASH_GetRawHashObject(hashAlg); |
630 | |
|
631 | 0 | if (!hashObj) |
632 | 0 | return (SECFailure); |
633 | | |
634 | 0 | cx = HMAC_Create(hashObj, secret_key, |
635 | 0 | secret_key_length, |
636 | 0 | PR_TRUE); /* PR_TRUE for in FIPS mode */ |
637 | |
|
638 | 0 | if (cx == NULL) |
639 | 0 | return (SECFailure); |
640 | | |
641 | 0 | HMAC_Begin(cx); |
642 | 0 | HMAC_Update(cx, message, message_length); |
643 | 0 | hmac_status = HMAC_Finish(cx, hmac_computed, &bytes_hashed, |
644 | 0 | hashObj->length); |
645 | |
|
646 | 0 | HMAC_Destroy(cx, PR_TRUE); |
647 | |
|
648 | 0 | return (hmac_status); |
649 | 0 | } |
650 | | |
651 | | static SECStatus |
652 | | freebl_fips_HMAC_PowerUpSelfTest(void) |
653 | 0 | { |
654 | 0 | static const PRUint8 HMAC_known_secret_key[] = { |
655 | 0 | "Firefox and ThunderBird are awesome!" |
656 | 0 | }; |
657 | |
|
658 | 0 | static const PRUint8 HMAC_known_secret_key_length = sizeof HMAC_known_secret_key; |
659 | | |
660 | | /* known SHA1 hmac (20 bytes) */ |
661 | 0 | static const PRUint8 known_SHA1_hmac[] = { |
662 | 0 | 0xd5, 0x85, 0xf6, 0x5b, 0x39, 0xfa, 0xb9, 0x05, |
663 | 0 | 0x3b, 0x57, 0x1d, 0x61, 0xe7, 0xb8, 0x84, 0x1e, |
664 | 0 | 0x5d, 0x0e, 0x1e, 0x11 |
665 | 0 | }; |
666 | | |
667 | | /* known SHA224 hmac (28 bytes) */ |
668 | 0 | static const PRUint8 known_SHA224_hmac[] = { |
669 | 0 | 0x1c, 0xc3, 0x06, 0x8e, 0xce, 0x37, 0x68, 0xfb, |
670 | 0 | 0x1a, 0x82, 0x4a, 0xbe, 0x2b, 0x00, 0x51, 0xf8, |
671 | 0 | 0x9d, 0xb6, 0xe0, 0x90, 0x0d, 0x00, 0xc9, 0x64, |
672 | 0 | 0x9a, 0xb8, 0x98, 0x4e |
673 | 0 | }; |
674 | | |
675 | | /* known SHA256 hmac (32 bytes) */ |
676 | 0 | static const PRUint8 known_SHA256_hmac[] = { |
677 | 0 | 0x05, 0x75, 0x9a, 0x9e, 0x70, 0x5e, 0xe7, 0x44, |
678 | 0 | 0xe2, 0x46, 0x4b, 0x92, 0x22, 0x14, 0x22, 0xe0, |
679 | 0 | 0x1b, 0x92, 0x8a, 0x0c, 0xfe, 0xf5, 0x49, 0xe9, |
680 | 0 | 0xa7, 0x1b, 0x56, 0x7d, 0x1d, 0x29, 0x40, 0x48 |
681 | 0 | }; |
682 | | |
683 | | /* known SHA384 hmac (48 bytes) */ |
684 | 0 | static const PRUint8 known_SHA384_hmac[] = { |
685 | 0 | 0xcd, 0x56, 0x14, 0xec, 0x05, 0x53, 0x06, 0x2b, |
686 | 0 | 0x7e, 0x9c, 0x8a, 0x18, 0x5e, 0xea, 0xf3, 0x91, |
687 | 0 | 0x33, 0xfb, 0x64, 0xf6, 0xe3, 0x9f, 0x89, 0x0b, |
688 | 0 | 0xaf, 0xbe, 0x83, 0x4d, 0x3f, 0x3c, 0x43, 0x4d, |
689 | 0 | 0x4a, 0x0c, 0x56, 0x98, 0xf8, 0xca, 0xb4, 0xaa, |
690 | 0 | 0x9a, 0xf4, 0x0a, 0xaf, 0x4f, 0x69, 0xca, 0x87 |
691 | 0 | }; |
692 | | |
693 | | /* known SHA512 hmac (64 bytes) */ |
694 | 0 | static const PRUint8 known_SHA512_hmac[] = { |
695 | 0 | 0xf6, 0x0e, 0x97, 0x12, 0x00, 0x67, 0x6e, 0xb9, |
696 | 0 | 0x0c, 0xb2, 0x63, 0xf0, 0x60, 0xac, 0x75, 0x62, |
697 | 0 | 0x70, 0x95, 0x2a, 0x52, 0x22, 0xee, 0xdd, 0xd2, |
698 | 0 | 0x71, 0xb1, 0xe8, 0x26, 0x33, 0xd3, 0x13, 0x27, |
699 | 0 | 0xcb, 0xff, 0x44, 0xef, 0x87, 0x97, 0x16, 0xfb, |
700 | 0 | 0xd3, 0x0b, 0x48, 0xbe, 0x12, 0x4e, 0xda, 0xb1, |
701 | 0 | 0x89, 0x90, 0xfb, 0x06, 0x0c, 0xbe, 0xe5, 0xc4, |
702 | 0 | 0xff, 0x24, 0x37, 0x3d, 0xc7, 0xe4, 0xe4, 0x37 |
703 | 0 | }; |
704 | |
|
705 | 0 | SECStatus hmac_status; |
706 | 0 | PRUint8 hmac_computed[HASH_LENGTH_MAX]; |
707 | | |
708 | | /***************************************************/ |
709 | | /* HMAC SHA-1 Single-Round Known Answer HMAC Test. */ |
710 | | /***************************************************/ |
711 | |
|
712 | 0 | hmac_status = freebl_fips_HMAC(hmac_computed, |
713 | 0 | HMAC_known_secret_key, |
714 | 0 | HMAC_known_secret_key_length, |
715 | 0 | known_hash_message, |
716 | 0 | FIPS_KNOWN_HASH_MESSAGE_LENGTH, |
717 | 0 | HASH_AlgSHA1); |
718 | |
|
719 | 0 | if ((hmac_status != SECSuccess) || |
720 | 0 | (PORT_Memcmp(hmac_computed, known_SHA1_hmac, |
721 | 0 | SHA1_LENGTH) != 0)) { |
722 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
723 | 0 | return (SECFailure); |
724 | 0 | } |
725 | | |
726 | | /***************************************************/ |
727 | | /* HMAC SHA-224 Single-Round Known Answer Test. */ |
728 | | /***************************************************/ |
729 | | |
730 | 0 | hmac_status = freebl_fips_HMAC(hmac_computed, |
731 | 0 | HMAC_known_secret_key, |
732 | 0 | HMAC_known_secret_key_length, |
733 | 0 | known_hash_message, |
734 | 0 | FIPS_KNOWN_HASH_MESSAGE_LENGTH, |
735 | 0 | HASH_AlgSHA224); |
736 | |
|
737 | 0 | if ((hmac_status != SECSuccess) || |
738 | 0 | (PORT_Memcmp(hmac_computed, known_SHA224_hmac, |
739 | 0 | SHA224_LENGTH) != 0)) { |
740 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
741 | 0 | return (SECFailure); |
742 | 0 | } |
743 | | |
744 | | /***************************************************/ |
745 | | /* HMAC SHA-256 Single-Round Known Answer Test. */ |
746 | | /***************************************************/ |
747 | | |
748 | 0 | hmac_status = freebl_fips_HMAC(hmac_computed, |
749 | 0 | HMAC_known_secret_key, |
750 | 0 | HMAC_known_secret_key_length, |
751 | 0 | known_hash_message, |
752 | 0 | FIPS_KNOWN_HASH_MESSAGE_LENGTH, |
753 | 0 | HASH_AlgSHA256); |
754 | |
|
755 | 0 | if ((hmac_status != SECSuccess) || |
756 | 0 | (PORT_Memcmp(hmac_computed, known_SHA256_hmac, |
757 | 0 | SHA256_LENGTH) != 0)) { |
758 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
759 | 0 | return (SECFailure); |
760 | 0 | } |
761 | | |
762 | | /***************************************************/ |
763 | | /* HMAC SHA-384 Single-Round Known Answer Test. */ |
764 | | /***************************************************/ |
765 | | |
766 | 0 | hmac_status = freebl_fips_HMAC(hmac_computed, |
767 | 0 | HMAC_known_secret_key, |
768 | 0 | HMAC_known_secret_key_length, |
769 | 0 | known_hash_message, |
770 | 0 | FIPS_KNOWN_HASH_MESSAGE_LENGTH, |
771 | 0 | HASH_AlgSHA384); |
772 | |
|
773 | 0 | if ((hmac_status != SECSuccess) || |
774 | 0 | (PORT_Memcmp(hmac_computed, known_SHA384_hmac, |
775 | 0 | SHA384_LENGTH) != 0)) { |
776 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
777 | 0 | return (SECFailure); |
778 | 0 | } |
779 | | |
780 | | /***************************************************/ |
781 | | /* HMAC SHA-512 Single-Round Known Answer Test. */ |
782 | | /***************************************************/ |
783 | | |
784 | 0 | hmac_status = freebl_fips_HMAC(hmac_computed, |
785 | 0 | HMAC_known_secret_key, |
786 | 0 | HMAC_known_secret_key_length, |
787 | 0 | known_hash_message, |
788 | 0 | FIPS_KNOWN_HASH_MESSAGE_LENGTH, |
789 | 0 | HASH_AlgSHA512); |
790 | |
|
791 | 0 | if ((hmac_status != SECSuccess) || |
792 | 0 | (PORT_Memcmp(hmac_computed, known_SHA512_hmac, |
793 | 0 | SHA512_LENGTH) != 0)) { |
794 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
795 | 0 | return (SECFailure); |
796 | 0 | } |
797 | | |
798 | 0 | return (SECSuccess); |
799 | 0 | } |
800 | | |
801 | | SECStatus |
802 | | freebl_fips_TLS_PowerUpSelfTest(void) |
803 | 0 | { |
804 | 0 | static const PRUint8 TLS_known_secret_key[] = { |
805 | 0 | "Firefox and ThunderBird are awesome!" |
806 | 0 | }; |
807 | |
|
808 | 0 | static const PRUint8 TLS_known_secret_key_length = sizeof TLS_known_secret_key; |
809 | | |
810 | | /* known tls prf with sha1/md5 */ |
811 | 0 | static const PRUint8 known_TLS_PRF[] = { |
812 | 0 | 0x87, 0x4c, 0xc0, 0xc5, 0x15, 0x14, 0x2b, 0xdc, |
813 | 0 | 0x73, 0x48, 0x9e, 0x88, 0x9d, 0xf5, 0x83, 0x2f, |
814 | 0 | 0x2d, 0x66, 0x1e, 0x78, 0x6c, 0x54, 0x78, 0x29, |
815 | 0 | 0xb9, 0xa4, 0x4c, 0x90, 0x5e, 0xa2, 0xe6, 0x5c, |
816 | 0 | 0xf1, 0x4f, 0xb5, 0x95, 0xa5, 0x54, 0xc0, 0x9f, |
817 | 0 | 0x84, 0x47, 0xb4, 0x4c, 0xda, 0xae, 0x19, 0x29, |
818 | 0 | 0x2b, 0x91, 0x2a, 0x81, 0x9d, 0x3a, 0x30, 0x40, |
819 | 0 | 0xc5, 0xdf, 0xbb, 0xfa, 0xd8, 0x4c, 0xbc, 0x18 |
820 | 0 | }; |
821 | | |
822 | | /* known SHA256 tls mac */ |
823 | 0 | static const PRUint8 known_TLS_SHA256[] = { |
824 | 0 | 0x66, 0xd6, 0x94, 0xd4, 0x0d, 0x32, 0x61, 0x38, |
825 | 0 | 0x26, 0xf6, 0x8b, 0xfe, 0x9e, 0xac, 0xa2, 0xf5, |
826 | 0 | 0x40, 0x52, 0x74, 0x3f, 0xbe, 0xb8, 0xca, 0x94, |
827 | 0 | 0xc3, 0x64, 0xd6, 0x02, 0xf5, 0x88, 0x98, 0x35, |
828 | 0 | 0x73, 0x9f, 0xce, 0xaa, 0x68, 0xe3, 0x7c, 0x93, |
829 | 0 | 0x30, 0x21, 0x45, 0xec, 0xe9, 0x8f, 0x1c, 0x7e, |
830 | 0 | 0xd1, 0x54, 0xf5, 0xbe, 0xff, 0xc8, 0xd7, 0x72, |
831 | 0 | 0x7f, 0x9c, 0x0c, 0x7f, 0xa9, 0xd3, 0x4a, 0xd2 |
832 | 0 | }; |
833 | |
|
834 | | #ifdef NSS_FULL_POST |
835 | | /* known SHA224 tls mac */ |
836 | | static const PRUint8 known_TLS_SHA224[] = { |
837 | | 0xd8, 0x68, 0x15, 0xff, 0xa1, 0xa2, 0x5e, 0x16, |
838 | | 0xce, 0xb1, 0xfd, 0xbd, 0xda, 0x39, 0xbc, 0xa7, |
839 | | 0x27, 0x32, 0x78, 0x94, 0x66, 0xf0, 0x84, 0xcf, |
840 | | 0x46, 0xc0, 0x22, 0x76, 0xdc, 0x6b, 0x2e, 0xed, |
841 | | 0x1d, 0x2d, 0xd2, 0x93, 0xfd, 0xae, 0xca, 0xf9, |
842 | | 0xe0, 0x4c, 0x17, 0x23, 0x22, 0x5a, 0x73, 0x93, |
843 | | 0x20, 0x0a, 0xbd, 0xa0, 0x72, 0xf8, 0x8b, 0x74, |
844 | | 0xfb, 0xf1, 0xab, 0xb7, 0xe0, 0xec, 0x34, 0xc9 |
845 | | }; |
846 | | |
847 | | /* known SHA384 tls mac */ |
848 | | static const PRUint8 known_TLS_SHA384[] = { |
849 | | 0xb2, 0xac, 0x06, 0x10, 0xad, 0x50, 0xd5, 0xdc, |
850 | | 0xdb, 0x01, 0xea, 0xa6, 0x2d, 0x8a, 0x34, 0xb6, |
851 | | 0xeb, 0x84, 0xbc, 0x37, 0xc9, 0x9f, 0xa1, 0x9c, |
852 | | 0xd5, 0xbd, 0x4e, 0x66, 0x16, 0x24, 0xe5, 0x3d, |
853 | | 0xce, 0x74, 0xe0, 0x30, 0x41, 0x5c, 0xdb, 0xb7, |
854 | | 0x52, 0x1d, 0x2d, 0x4d, 0x9b, 0xbe, 0x6b, 0x86, |
855 | | 0xda, 0x8a, 0xca, 0x73, 0x39, 0xb4, 0xc7, 0x8f, |
856 | | 0x03, 0xb1, 0xf9, 0x7e, 0x65, 0xae, 0x17, 0x10 |
857 | | }; |
858 | | |
859 | | /* known SHA512 tls mac */ |
860 | | static const PRUint8 known_TLS_SHA512[] = { |
861 | | 0x73, 0x21, 0x4f, 0x40, 0x81, 0x1e, 0x90, 0xa1, |
862 | | 0x16, 0x40, 0x1e, 0x33, 0x69, 0xc5, 0x00, 0xc7, |
863 | | 0xc4, 0x81, 0xa3, 0x4f, 0xa7, 0xcc, 0x4a, 0xeb, |
864 | | 0x1a, 0x66, 0x00, 0x82, 0x52, 0xe2, 0x2f, 0x69, |
865 | | 0x14, 0x59, 0x05, 0x7c, 0xb0, 0x32, 0xce, 0xcc, |
866 | | 0xb7, 0xc9, 0xab, 0x0f, 0x73, 0x00, 0xe5, 0x52, |
867 | | 0x9d, 0x6b, 0x0e, 0x66, 0x4b, 0xb3, 0x0b, 0x0d, |
868 | | 0x34, 0x53, 0x97, 0x13, 0x84, 0x18, 0x31, 0x7a |
869 | | }; |
870 | | #endif |
871 | |
|
872 | 0 | SECStatus status; |
873 | 0 | PRUint8 tls_computed[HASH_LENGTH_MAX]; |
874 | 0 | SECItem secret; |
875 | 0 | SECItem seed; |
876 | 0 | SECItem result; |
877 | 0 | const char *tls_label = "fips test label"; |
878 | |
|
879 | 0 | secret.data = (unsigned char *)TLS_known_secret_key; |
880 | 0 | secret.len = TLS_known_secret_key_length; |
881 | 0 | seed.data = (unsigned char *)known_hash_message; |
882 | 0 | seed.len = FIPS_KNOWN_HASH_MESSAGE_LENGTH; |
883 | 0 | result.data = tls_computed; |
884 | 0 | result.len = sizeof(tls_computed); |
885 | | |
886 | | /***************************************************/ |
887 | | /* TLS 1.0 PRF Known Answer Test */ |
888 | | /***************************************************/ |
889 | |
|
890 | 0 | status = TLS_PRF(&secret, tls_label, &seed, &result, PR_TRUE); |
891 | |
|
892 | 0 | if ((status != SECSuccess) || |
893 | 0 | (result.len != HASH_LENGTH_MAX) || |
894 | 0 | (PORT_Memcmp(tls_computed, known_TLS_PRF, |
895 | 0 | HASH_LENGTH_MAX) != 0)) { |
896 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
897 | 0 | return (SECFailure); |
898 | 0 | } |
899 | | |
900 | | /***************************************************/ |
901 | | /* TLS 1.2 SHA-256 Known Answer Test. */ |
902 | | /***************************************************/ |
903 | | |
904 | 0 | status = TLS_P_hash(HASH_AlgSHA256, &secret, tls_label, |
905 | 0 | &seed, &result, PR_TRUE); |
906 | |
|
907 | 0 | if ((status != SECSuccess) || |
908 | 0 | (result.len != HASH_LENGTH_MAX) || |
909 | 0 | (PORT_Memcmp(tls_computed, known_TLS_SHA256, |
910 | 0 | HASH_LENGTH_MAX) != 0)) { |
911 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
912 | 0 | return (SECFailure); |
913 | 0 | } |
914 | | |
915 | | #ifdef NSS_FULL_POST |
916 | | /***************************************************/ |
917 | | /* TLS 1.2 SHA-224 Known Answer Test. */ |
918 | | /***************************************************/ |
919 | | |
920 | | status = TLS_P_hash(HASH_AlgSHA224, &secret, tls_label, |
921 | | &seed, &result, PR_TRUE); |
922 | | |
923 | | if ((status != SECSuccess) || |
924 | | (result.len != HASH_LENGTH_MAX) || |
925 | | (PORT_Memcmp(tls_computed, known_TLS_SHA224, |
926 | | HASH_LENGTH_MAX) != 0)) { |
927 | | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
928 | | return (SECFailure); |
929 | | } |
930 | | |
931 | | /***************************************************/ |
932 | | /* TLS 1.2 SHA-384 Known Answer Test. */ |
933 | | /***************************************************/ |
934 | | |
935 | | status = TLS_P_hash(HASH_AlgSHA384, &secret, tls_label, |
936 | | &seed, &result, PR_TRUE); |
937 | | |
938 | | if ((status != SECSuccess) || |
939 | | (result.len != HASH_LENGTH_MAX) || |
940 | | (PORT_Memcmp(tls_computed, known_TLS_SHA384, |
941 | | HASH_LENGTH_MAX) != 0)) { |
942 | | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
943 | | return (SECFailure); |
944 | | } |
945 | | |
946 | | /***************************************************/ |
947 | | /* TLS 1.2 SHA-512 Known Answer Test. */ |
948 | | /***************************************************/ |
949 | | |
950 | | status = TLS_P_hash(HASH_AlgSHA512, &secret, tls_label, |
951 | | &seed, &result, PR_TRUE); |
952 | | |
953 | | if ((status != SECSuccess) || |
954 | | (result.len != HASH_LENGTH_MAX) || |
955 | | (PORT_Memcmp(tls_computed, known_TLS_SHA512, |
956 | | HASH_LENGTH_MAX) != 0)) { |
957 | | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
958 | | return (SECFailure); |
959 | | } |
960 | | #endif |
961 | | |
962 | 0 | return (SECSuccess); |
963 | 0 | } |
964 | | |
965 | | static SECStatus |
966 | | freebl_fips_SHA_PowerUpSelfTest(void) |
967 | 2 | { |
968 | | /* SHA-1 Known Digest Message (160-bits). */ |
969 | 2 | static const PRUint8 sha1_known_digest[] = { |
970 | 2 | 0x0a, 0x6d, 0x07, 0xba, 0x1e, 0xbd, 0x8a, 0x1b, |
971 | 2 | 0x72, 0xf6, 0xc7, 0x22, 0xf1, 0x27, 0x9f, 0xf0, |
972 | 2 | 0xe0, 0x68, 0x47, 0x7a |
973 | 2 | }; |
974 | | |
975 | | /* SHA-224 Known Digest Message (224-bits). */ |
976 | 2 | static const PRUint8 sha224_known_digest[] = { |
977 | 2 | 0x89, 0x5e, 0x7f, 0xfd, 0x0e, 0xd8, 0x35, 0x6f, |
978 | 2 | 0x64, 0x6d, 0xf2, 0xde, 0x5e, 0xed, 0xa6, 0x7f, |
979 | 2 | 0x29, 0xd1, 0x12, 0x73, 0x42, 0x84, 0x95, 0x4f, |
980 | 2 | 0x8e, 0x08, 0xe5, 0xcb |
981 | 2 | }; |
982 | | |
983 | | /* SHA-256 Known Digest Message (256-bits). */ |
984 | 2 | static const PRUint8 sha256_known_digest[] = { |
985 | 2 | 0x38, 0xa9, 0xc1, 0xf0, 0x35, 0xf6, 0x5d, 0x61, |
986 | 2 | 0x11, 0xd4, 0x0b, 0xdc, 0xce, 0x35, 0x14, 0x8d, |
987 | 2 | 0xf2, 0xdd, 0xaf, 0xaf, 0xcf, 0xb7, 0x87, 0xe9, |
988 | 2 | 0x96, 0xa5, 0xd2, 0x83, 0x62, 0x46, 0x56, 0x79 |
989 | 2 | }; |
990 | | |
991 | | /* SHA-384 Known Digest Message (384-bits). */ |
992 | 2 | static const PRUint8 sha384_known_digest[] = { |
993 | 2 | 0x11, 0xfe, 0x1c, 0x00, 0x89, 0x48, 0xde, 0xb3, |
994 | 2 | 0x99, 0xee, 0x1c, 0x18, 0xb4, 0x10, 0xfb, 0xfe, |
995 | 2 | 0xe3, 0xa8, 0x2c, 0xf3, 0x04, 0xb0, 0x2f, 0xc8, |
996 | 2 | 0xa3, 0xc4, 0x5e, 0xea, 0x7e, 0x60, 0x48, 0x7b, |
997 | 2 | 0xce, 0x2c, 0x62, 0xf7, 0xbc, 0xa7, 0xe8, 0xa3, |
998 | 2 | 0xcf, 0x24, 0xce, 0x9c, 0xe2, 0x8b, 0x09, 0x72 |
999 | 2 | }; |
1000 | | |
1001 | | /* SHA-512 Known Digest Message (512-bits). */ |
1002 | 2 | static const PRUint8 sha512_known_digest[] = { |
1003 | 2 | 0xc8, 0xb3, 0x27, 0xf9, 0x0b, 0x24, 0xc8, 0xbf, |
1004 | 2 | 0x4c, 0xba, 0x33, 0x54, 0xf2, 0x31, 0xbf, 0xdb, |
1005 | 2 | 0xab, 0xfd, 0xb3, 0x15, 0xd7, 0xfa, 0x48, 0x99, |
1006 | 2 | 0x07, 0x60, 0x0f, 0x57, 0x41, 0x1a, 0xdd, 0x28, |
1007 | 2 | 0x12, 0x55, 0x25, 0xac, 0xba, 0x3a, 0x99, 0x12, |
1008 | 2 | 0x2c, 0x7a, 0x8f, 0x75, 0x3a, 0xe1, 0x06, 0x6f, |
1009 | 2 | 0x30, 0x31, 0xc9, 0x33, 0xc6, 0x1b, 0x90, 0x1a, |
1010 | 2 | 0x6c, 0x98, 0x9a, 0x87, 0xd0, 0xb2, 0xf8, 0x07 |
1011 | 2 | }; |
1012 | | |
1013 | | /* SHA-X variables. */ |
1014 | 2 | PRUint8 sha_computed_digest[HASH_LENGTH_MAX]; |
1015 | 2 | SECStatus sha_status; |
1016 | | |
1017 | | /*************************************************/ |
1018 | | /* SHA-1 Single-Round Known Answer Hashing Test. */ |
1019 | | /*************************************************/ |
1020 | | |
1021 | 2 | sha_status = SHA1_HashBuf(sha_computed_digest, known_hash_message, |
1022 | 2 | FIPS_KNOWN_HASH_MESSAGE_LENGTH); |
1023 | | |
1024 | 2 | if ((sha_status != SECSuccess) || |
1025 | 2 | (PORT_Memcmp(sha_computed_digest, sha1_known_digest, |
1026 | 2 | SHA1_LENGTH) != 0)) { |
1027 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
1028 | 0 | return (SECFailure); |
1029 | 0 | } |
1030 | | |
1031 | | /***************************************************/ |
1032 | | /* SHA-224 Single-Round Known Answer Hashing Test. */ |
1033 | | /***************************************************/ |
1034 | | |
1035 | 2 | sha_status = SHA224_HashBuf(sha_computed_digest, known_hash_message, |
1036 | 2 | FIPS_KNOWN_HASH_MESSAGE_LENGTH); |
1037 | | |
1038 | 2 | if ((sha_status != SECSuccess) || |
1039 | 2 | (PORT_Memcmp(sha_computed_digest, sha224_known_digest, |
1040 | 2 | SHA224_LENGTH) != 0)) { |
1041 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
1042 | 0 | return (SECFailure); |
1043 | 0 | } |
1044 | | |
1045 | | /***************************************************/ |
1046 | | /* SHA-256 Single-Round Known Answer Hashing Test. */ |
1047 | | /***************************************************/ |
1048 | | |
1049 | 2 | sha_status = SHA256_HashBuf(sha_computed_digest, known_hash_message, |
1050 | 2 | FIPS_KNOWN_HASH_MESSAGE_LENGTH); |
1051 | | |
1052 | 2 | if ((sha_status != SECSuccess) || |
1053 | 2 | (PORT_Memcmp(sha_computed_digest, sha256_known_digest, |
1054 | 2 | SHA256_LENGTH) != 0)) { |
1055 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
1056 | 0 | return (SECFailure); |
1057 | 0 | } |
1058 | | |
1059 | | /***************************************************/ |
1060 | | /* SHA-384 Single-Round Known Answer Hashing Test. */ |
1061 | | /***************************************************/ |
1062 | | |
1063 | 2 | sha_status = SHA384_HashBuf(sha_computed_digest, known_hash_message, |
1064 | 2 | FIPS_KNOWN_HASH_MESSAGE_LENGTH); |
1065 | | |
1066 | 2 | if ((sha_status != SECSuccess) || |
1067 | 2 | (PORT_Memcmp(sha_computed_digest, sha384_known_digest, |
1068 | 2 | SHA384_LENGTH) != 0)) { |
1069 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
1070 | 0 | return (SECFailure); |
1071 | 0 | } |
1072 | | |
1073 | | /***************************************************/ |
1074 | | /* SHA-512 Single-Round Known Answer Hashing Test. */ |
1075 | | /***************************************************/ |
1076 | | |
1077 | 2 | sha_status = SHA512_HashBuf(sha_computed_digest, known_hash_message, |
1078 | 2 | FIPS_KNOWN_HASH_MESSAGE_LENGTH); |
1079 | | |
1080 | 2 | if ((sha_status != SECSuccess) || |
1081 | 2 | (PORT_Memcmp(sha_computed_digest, sha512_known_digest, |
1082 | 2 | SHA512_LENGTH) != 0)) { |
1083 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
1084 | 0 | return (SECFailure); |
1085 | 0 | } |
1086 | | |
1087 | 2 | return (SECSuccess); |
1088 | 2 | } |
1089 | | |
1090 | | static SECStatus |
1091 | | freebl_fips_RSA_PowerUpSelfTest(void) |
1092 | 0 | { |
1093 | | /* RSA Known Modulus used in both Public/Private Key Values (2048-bits). */ |
1094 | 0 | static const PRUint8 rsa_modulus[FIPS_RSA_MODULUS_LENGTH] = { |
1095 | 0 | 0xb8, 0x15, 0x00, 0x33, 0xda, 0x0c, 0x9d, 0xa5, |
1096 | 0 | 0x14, 0x8c, 0xde, 0x1f, 0x23, 0x07, 0x54, 0xe2, |
1097 | 0 | 0xc6, 0xb9, 0x51, 0x04, 0xc9, 0x65, 0x24, 0x6e, |
1098 | 0 | 0x0a, 0x46, 0x34, 0x5c, 0x37, 0x86, 0x6b, 0x88, |
1099 | 0 | 0x24, 0x27, 0xac, 0xa5, 0x02, 0x79, 0xfb, 0xed, |
1100 | 0 | 0x75, 0xc5, 0x3f, 0x6e, 0xdf, 0x05, 0x5f, 0x0f, |
1101 | 0 | 0x20, 0x70, 0xa0, 0x5b, 0x85, 0xdb, 0xac, 0xb9, |
1102 | 0 | 0x5f, 0x02, 0xc2, 0x64, 0x1e, 0x84, 0x5b, 0x3e, |
1103 | 0 | 0xad, 0xbf, 0xf6, 0x2e, 0x51, 0xd6, 0xad, 0xf7, |
1104 | 0 | 0xa7, 0x86, 0x75, 0x86, 0xec, 0xa7, 0xe1, 0xf7, |
1105 | 0 | 0x08, 0xbf, 0xdc, 0x56, 0xb1, 0x3b, 0xca, 0xd8, |
1106 | 0 | 0xfc, 0x51, 0xdf, 0x9a, 0x2a, 0x37, 0x06, 0xf2, |
1107 | 0 | 0xd1, 0x6b, 0x9a, 0x5e, 0x2a, 0xe5, 0x20, 0x57, |
1108 | 0 | 0x35, 0x9f, 0x1f, 0x98, 0xcf, 0x40, 0xc7, 0xd6, |
1109 | 0 | 0x98, 0xdb, 0xde, 0xf5, 0x64, 0x53, 0xf7, 0x9d, |
1110 | 0 | 0x45, 0xf3, 0xd6, 0x78, 0xb9, 0xe3, 0xa3, 0x20, |
1111 | 0 | 0xcd, 0x79, 0x43, 0x35, 0xef, 0xd7, 0xfb, 0xb9, |
1112 | 0 | 0x80, 0x88, 0x27, 0x2f, 0x63, 0xa8, 0x67, 0x3d, |
1113 | 0 | 0x4a, 0xfa, 0x06, 0xc6, 0xd2, 0x86, 0x0b, 0xa7, |
1114 | 0 | 0x28, 0xfd, 0xe0, 0x1e, 0x93, 0x4b, 0x17, 0x2e, |
1115 | 0 | 0xb0, 0x11, 0x6f, 0xc6, 0x2b, 0x98, 0x0f, 0x15, |
1116 | 0 | 0xe3, 0x87, 0x16, 0x7a, 0x7c, 0x67, 0x3e, 0x12, |
1117 | 0 | 0x2b, 0xf8, 0xbe, 0x48, 0xc1, 0x97, 0x47, 0xf4, |
1118 | 0 | 0x1f, 0x81, 0x80, 0x12, 0x28, 0xe4, 0x7b, 0x1e, |
1119 | 0 | 0xb7, 0x00, 0xa4, 0xde, 0xaa, 0xfb, 0x0f, 0x77, |
1120 | 0 | 0x84, 0xa3, 0xd6, 0xb2, 0x03, 0x48, 0xdd, 0x53, |
1121 | 0 | 0x8b, 0x46, 0x41, 0x28, 0x52, 0xc4, 0x53, 0xf0, |
1122 | 0 | 0x1c, 0x95, 0xd9, 0x36, 0xe0, 0x0f, 0x26, 0x46, |
1123 | 0 | 0x9c, 0x61, 0x0e, 0x80, 0xca, 0x86, 0xaf, 0x39, |
1124 | 0 | 0x95, 0xe5, 0x60, 0x43, 0x61, 0x3e, 0x2b, 0xb4, |
1125 | 0 | 0xe8, 0xbd, 0x8d, 0x77, 0x62, 0xf5, 0x32, 0x43, |
1126 | 0 | 0x2f, 0x4b, 0x65, 0x82, 0x14, 0xdd, 0x29, 0x5b |
1127 | 0 | }; |
1128 | | |
1129 | | /* RSA Known Public Key Values (24-bits). */ |
1130 | 0 | static const PRUint8 rsa_public_exponent[FIPS_RSA_PUBLIC_EXPONENT_LENGTH] = { 0x01, 0x00, 0x01 }; |
1131 | | /* RSA Known Private Key Values (version is 8-bits), */ |
1132 | | /* (private exponent is 2048-bits), */ |
1133 | | /* (private prime0 is 1024-bits), */ |
1134 | | /* (private prime1 is 1024-bits), */ |
1135 | | /* (private prime exponent0 is 1024-bits), */ |
1136 | | /* (private prime exponent1 is 1024-bits), */ |
1137 | | /* and (private coefficient is 1024-bits). */ |
1138 | 0 | static const PRUint8 rsa_version[] = { 0x00 }; |
1139 | |
|
1140 | 0 | static const PRUint8 rsa_private_exponent[FIPS_RSA_PRIVATE_EXPONENT_LENGTH] = { |
1141 | 0 | 0x29, 0x08, 0x05, 0x53, 0x89, 0x76, 0xe6, 0x6c, |
1142 | 0 | 0xb5, 0x77, 0xf0, 0xca, 0xdf, 0xf3, 0xf2, 0x67, |
1143 | 0 | 0xda, 0x03, 0xd4, 0x9b, 0x4c, 0x88, 0xce, 0xe5, |
1144 | 0 | 0xf8, 0x44, 0x4d, 0xc7, 0x80, 0x58, 0xe5, 0xff, |
1145 | 0 | 0x22, 0x8f, 0xf5, 0x5b, 0x92, 0x81, 0xbe, 0x35, |
1146 | 0 | 0xdf, 0xda, 0x67, 0x99, 0x3e, 0xfc, 0xe3, 0x83, |
1147 | 0 | 0x6b, 0xa7, 0xaf, 0x16, 0xb7, 0x6f, 0x8f, 0xc0, |
1148 | 0 | 0x81, 0xfd, 0x0b, 0x77, 0x65, 0x95, 0xfb, 0x00, |
1149 | 0 | 0xad, 0x99, 0xec, 0x35, 0xc6, 0xe8, 0x23, 0x3e, |
1150 | 0 | 0xe0, 0x88, 0x88, 0x09, 0xdb, 0x16, 0x50, 0xb7, |
1151 | 0 | 0xcf, 0xab, 0x74, 0x61, 0x9e, 0x7f, 0xc5, 0x67, |
1152 | 0 | 0x38, 0x56, 0xc7, 0x90, 0x85, 0x78, 0x5e, 0x84, |
1153 | 0 | 0x21, 0x49, 0xea, 0xce, 0xb2, 0xa0, 0xff, 0xe4, |
1154 | 0 | 0x70, 0x7f, 0x57, 0x7b, 0xa8, 0x36, 0xb8, 0x54, |
1155 | 0 | 0x8d, 0x1d, 0xf5, 0x44, 0x9d, 0x68, 0x59, 0xf9, |
1156 | 0 | 0x24, 0x6e, 0x85, 0x8f, 0xc3, 0x5f, 0x8a, 0x2c, |
1157 | 0 | 0x94, 0xb7, 0xbc, 0x0e, 0xa5, 0xef, 0x93, 0x06, |
1158 | 0 | 0x38, 0xcd, 0x07, 0x0c, 0xae, 0xb8, 0x44, 0x1a, |
1159 | 0 | 0xd8, 0xe7, 0xf5, 0x9a, 0x1e, 0x9c, 0x18, 0xc7, |
1160 | 0 | 0x6a, 0xc2, 0x7f, 0x28, 0x01, 0x4f, 0xb4, 0xb8, |
1161 | 0 | 0x90, 0x97, 0x5a, 0x43, 0x38, 0xad, 0xe8, 0x95, |
1162 | 0 | 0x68, 0x83, 0x1a, 0x1b, 0x10, 0x07, 0xe6, 0x02, |
1163 | 0 | 0x52, 0x1f, 0xbf, 0x76, 0x6b, 0x46, 0xd6, 0xfb, |
1164 | 0 | 0xc3, 0xbe, 0xb5, 0xac, 0x52, 0x53, 0x01, 0x1c, |
1165 | 0 | 0xf3, 0xc5, 0xeb, 0x64, 0xf2, 0x1e, 0xc4, 0x38, |
1166 | 0 | 0xe9, 0xaa, 0xd9, 0xc3, 0x72, 0x51, 0xa5, 0x44, |
1167 | 0 | 0x58, 0x69, 0x0b, 0x1b, 0x98, 0x7f, 0xf2, 0x23, |
1168 | 0 | 0xff, 0xeb, 0xf0, 0x75, 0x24, 0xcf, 0xc5, 0x1e, |
1169 | 0 | 0xb8, 0x6a, 0xc5, 0x2f, 0x4f, 0x23, 0x50, 0x7d, |
1170 | 0 | 0x15, 0x9d, 0x19, 0x7a, 0x0b, 0x82, 0xe0, 0x21, |
1171 | 0 | 0x5b, 0x5f, 0x9d, 0x50, 0x2b, 0x83, 0xe4, 0x48, |
1172 | 0 | 0xcc, 0x39, 0xe5, 0xfb, 0x13, 0x7b, 0x6f, 0x81 |
1173 | 0 | }; |
1174 | |
|
1175 | 0 | static const PRUint8 rsa_prime0[FIPS_RSA_PRIME0_LENGTH] = { |
1176 | 0 | 0xe4, 0xbf, 0x21, 0x62, 0x9b, 0xa9, 0x77, 0x40, |
1177 | 0 | 0x8d, 0x2a, 0xce, 0xa1, 0x67, 0x5a, 0x4c, 0x96, |
1178 | 0 | 0x45, 0x98, 0x67, 0xbd, 0x75, 0x22, 0x33, 0x6f, |
1179 | 0 | 0xe6, 0xcb, 0x77, 0xde, 0x9e, 0x97, 0x7d, 0x96, |
1180 | 0 | 0x8c, 0x5e, 0x5d, 0x34, 0xfb, 0x27, 0xfc, 0x6d, |
1181 | 0 | 0x74, 0xdb, 0x9d, 0x2e, 0x6d, 0xf6, 0xea, 0xfc, |
1182 | 0 | 0xce, 0x9e, 0xda, 0xa7, 0x25, 0xa2, 0xf4, 0x58, |
1183 | 0 | 0x6d, 0x0a, 0x3f, 0x01, 0xc2, 0xb4, 0xab, 0x38, |
1184 | 0 | 0xc1, 0x14, 0x85, 0xb6, 0xfa, 0x94, 0xc3, 0x85, |
1185 | 0 | 0xf9, 0x3c, 0x2e, 0x96, 0x56, 0x01, 0xe7, 0xd6, |
1186 | 0 | 0x14, 0x71, 0x4f, 0xfb, 0x4c, 0x85, 0x52, 0xc4, |
1187 | 0 | 0x61, 0x1e, 0xa5, 0x1e, 0x96, 0x13, 0x0d, 0x8f, |
1188 | 0 | 0x66, 0xae, 0xa0, 0xcd, 0x7d, 0x25, 0x66, 0x19, |
1189 | 0 | 0x15, 0xc2, 0xcf, 0xc3, 0x12, 0x3c, 0xe8, 0xa4, |
1190 | 0 | 0x52, 0x4c, 0xcb, 0x28, 0x3c, 0xc4, 0xbf, 0x95, |
1191 | 0 | 0x33, 0xe3, 0x81, 0xea, 0x0c, 0x6c, 0xa2, 0x05 |
1192 | 0 | }; |
1193 | 0 | static const PRUint8 rsa_prime1[FIPS_RSA_PRIME1_LENGTH] = { |
1194 | 0 | 0xce, 0x03, 0x94, 0xf4, 0xa9, 0x2c, 0x1e, 0x06, |
1195 | 0 | 0xe7, 0x40, 0x30, 0x01, 0xf7, 0xbb, 0x68, 0x8c, |
1196 | 0 | 0x27, 0xd2, 0x15, 0xe3, 0x28, 0x49, 0x5b, 0xa8, |
1197 | 0 | 0xc1, 0x9a, 0x42, 0x7e, 0x31, 0xf9, 0x08, 0x34, |
1198 | 0 | 0x81, 0xa2, 0x0f, 0x04, 0x61, 0x34, 0xe3, 0x36, |
1199 | 0 | 0x92, 0xb1, 0x09, 0x2b, 0xe9, 0xef, 0x84, 0x88, |
1200 | 0 | 0xbe, 0x9c, 0x98, 0x60, 0xa6, 0x60, 0x84, 0xe9, |
1201 | 0 | 0x75, 0x6f, 0xcc, 0x81, 0xd1, 0x96, 0xef, 0xdd, |
1202 | 0 | 0x2e, 0xca, 0xc4, 0xf5, 0x42, 0xfb, 0x13, 0x2b, |
1203 | 0 | 0x57, 0xbf, 0x14, 0x5e, 0xc2, 0x7f, 0x77, 0x35, |
1204 | 0 | 0x29, 0xc4, 0xe5, 0xe0, 0xf9, 0x6d, 0x15, 0x4a, |
1205 | 0 | 0x42, 0x56, 0x1c, 0x3e, 0x0c, 0xc5, 0xce, 0x70, |
1206 | 0 | 0x08, 0x63, 0x1e, 0x73, 0xdb, 0x7e, 0x74, 0x05, |
1207 | 0 | 0x32, 0x01, 0xc6, 0x36, 0x32, 0x75, 0x6b, 0xed, |
1208 | 0 | 0x9d, 0xfe, 0x7c, 0x7e, 0xa9, 0x57, 0xb4, 0xe9, |
1209 | 0 | 0x22, 0xe4, 0xe7, 0xfe, 0x36, 0x07, 0x9b, 0xdf |
1210 | 0 | }; |
1211 | 0 | static const PRUint8 rsa_exponent0[FIPS_RSA_EXPONENT0_LENGTH] = { |
1212 | 0 | 0x04, 0x5a, 0x3a, 0xa9, 0x64, 0xaa, 0xd9, 0xd1, |
1213 | 0 | 0x09, 0x9e, 0x99, 0xe5, 0xea, 0x50, 0x86, 0x8a, |
1214 | 0 | 0x89, 0x72, 0x77, 0xee, 0xdb, 0xee, 0xb5, 0xa9, |
1215 | 0 | 0xd8, 0x6b, 0x60, 0xb1, 0x84, 0xb4, 0xff, 0x37, |
1216 | 0 | 0xc1, 0x1d, 0xfe, 0x8a, 0x06, 0x89, 0x61, 0x3d, |
1217 | 0 | 0x37, 0xef, 0x01, 0xd3, 0xa3, 0x56, 0x02, 0x6c, |
1218 | 0 | 0xa3, 0x05, 0xd4, 0xc5, 0x3f, 0x6b, 0x15, 0x59, |
1219 | 0 | 0x25, 0x61, 0xff, 0x86, 0xea, 0x0c, 0x84, 0x01, |
1220 | 0 | 0x85, 0x72, 0xfd, 0x84, 0x58, 0xca, 0x41, 0xda, |
1221 | 0 | 0x27, 0xbe, 0xe4, 0x68, 0x09, 0xe4, 0xe9, 0x63, |
1222 | 0 | 0x62, 0x6a, 0x31, 0x8a, 0x67, 0x8f, 0x55, 0xde, |
1223 | 0 | 0xd4, 0xb6, 0x3f, 0x90, 0x10, 0x6c, 0xf6, 0x62, |
1224 | 0 | 0x17, 0x23, 0x15, 0x7e, 0x33, 0x76, 0x65, 0xb5, |
1225 | 0 | 0xee, 0x7b, 0x11, 0x76, 0xf5, 0xbe, 0xe0, 0xf2, |
1226 | 0 | 0x57, 0x7a, 0x8c, 0x97, 0x0c, 0x68, 0xf5, 0xf8, |
1227 | 0 | 0x41, 0xcf, 0x7f, 0x66, 0x53, 0xac, 0x31, 0x7d |
1228 | 0 | }; |
1229 | 0 | static const PRUint8 rsa_exponent1[FIPS_RSA_EXPONENT1_LENGTH] = { |
1230 | 0 | 0x93, 0x54, 0x14, 0x6e, 0x73, 0x9d, 0x4d, 0x4b, |
1231 | 0 | 0xfa, 0x8c, 0xf8, 0xc8, 0x2f, 0x76, 0x22, 0xea, |
1232 | 0 | 0x38, 0x80, 0x11, 0x8f, 0x05, 0xfc, 0x90, 0x44, |
1233 | 0 | 0x3b, 0x50, 0x2a, 0x45, 0x3d, 0x4f, 0xaf, 0x02, |
1234 | 0 | 0x7d, 0xc2, 0x7b, 0xa2, 0xd2, 0x31, 0x94, 0x5c, |
1235 | 0 | 0x2e, 0xc3, 0xd4, 0x9f, 0x47, 0x09, 0x37, 0x6a, |
1236 | 0 | 0xe3, 0x85, 0xf1, 0xa3, 0x0c, 0xd8, 0xf1, 0xb4, |
1237 | 0 | 0x53, 0x7b, 0xc4, 0x71, 0x02, 0x86, 0x42, 0xbb, |
1238 | 0 | 0x96, 0xff, 0x03, 0xa3, 0xb2, 0x67, 0x03, 0xea, |
1239 | 0 | 0x77, 0x31, 0xfb, 0x4b, 0x59, 0x24, 0xf7, 0x07, |
1240 | 0 | 0x59, 0xfb, 0xa9, 0xba, 0x1e, 0x26, 0x58, 0x97, |
1241 | 0 | 0x66, 0xa1, 0x56, 0x49, 0x39, 0xb1, 0x2c, 0x55, |
1242 | 0 | 0x0a, 0x6a, 0x78, 0x18, 0xba, 0xdb, 0xcf, 0xf4, |
1243 | 0 | 0xf7, 0x32, 0x35, 0xa2, 0x04, 0xab, 0xdc, 0xa7, |
1244 | 0 | 0x6d, 0xd9, 0xd5, 0x06, 0x6f, 0xec, 0x7d, 0x40, |
1245 | 0 | 0x4c, 0xe8, 0x0e, 0xd0, 0xc9, 0xaa, 0xdf, 0x59 |
1246 | 0 | }; |
1247 | 0 | static const PRUint8 rsa_coefficient[FIPS_RSA_COEFFICIENT_LENGTH] = { |
1248 | 0 | 0x17, 0xd7, 0xf5, 0x0a, 0xf0, 0x68, 0x97, 0x96, |
1249 | 0 | 0xc4, 0x29, 0x18, 0x77, 0x9a, 0x1f, 0xe3, 0xf3, |
1250 | 0 | 0x12, 0x13, 0x0f, 0x7e, 0x7b, 0xb9, 0xc1, 0x91, |
1251 | 0 | 0xf9, 0xc7, 0x08, 0x56, 0x5c, 0xa4, 0xbc, 0x83, |
1252 | 0 | 0x71, 0xf9, 0x78, 0xd9, 0x2b, 0xec, 0xfe, 0x6b, |
1253 | 0 | 0xdc, 0x2f, 0x63, 0xc9, 0xcd, 0x50, 0x14, 0x5b, |
1254 | 0 | 0xd3, 0x6e, 0x85, 0x4d, 0x0c, 0xa2, 0x0b, 0xa0, |
1255 | 0 | 0x09, 0xb6, 0xca, 0x34, 0x9c, 0xc2, 0xc1, 0x4a, |
1256 | 0 | 0xb0, 0xbc, 0x45, 0x93, 0xa5, 0x7e, 0x99, 0xb5, |
1257 | 0 | 0xbd, 0xe4, 0x69, 0x29, 0x08, 0x28, 0xd2, 0xcd, |
1258 | 0 | 0xab, 0x24, 0x78, 0x48, 0x41, 0x26, 0x0b, 0x37, |
1259 | 0 | 0xa3, 0x43, 0xd1, 0x95, 0x1a, 0xd6, 0xee, 0x22, |
1260 | 0 | 0x1c, 0x00, 0x0b, 0xc2, 0xb7, 0xa4, 0xa3, 0x21, |
1261 | 0 | 0xa9, 0xcd, 0xe4, 0x69, 0xd3, 0x45, 0x02, 0xb1, |
1262 | 0 | 0xb7, 0x3a, 0xbf, 0x51, 0x35, 0x1b, 0x78, 0xc2, |
1263 | 0 | 0xcf, 0x0c, 0x0d, 0x60, 0x09, 0xa9, 0x44, 0x02 |
1264 | 0 | }; |
1265 | | |
1266 | | /* RSA Known Plaintext Message (1024-bits). */ |
1267 | 0 | static const PRUint8 rsa_known_plaintext_msg[FIPS_RSA_MESSAGE_LENGTH] = { |
1268 | 0 | "Known plaintext message utilized" |
1269 | 0 | "for RSA Encryption & Decryption" |
1270 | 0 | "blocks SHA256, SHA384 and " |
1271 | 0 | "SHA512 RSA Signature KAT tests. " |
1272 | 0 | "Known plaintext message utilized" |
1273 | 0 | "for RSA Encryption & Decryption" |
1274 | 0 | "blocks SHA256, SHA384 and " |
1275 | 0 | "SHA512 RSA Signature KAT tests." |
1276 | 0 | }; |
1277 | | |
1278 | | /* RSA Known Ciphertext (2048-bits). */ |
1279 | 0 | static const PRUint8 rsa_known_ciphertext[] = { |
1280 | 0 | 0x04, 0x12, 0x46, 0xe3, 0x6a, 0xee, 0xde, 0xdd, |
1281 | 0 | 0x49, 0xa1, 0xd9, 0x83, 0xf7, 0x35, 0xf9, 0x70, |
1282 | 0 | 0x88, 0x03, 0x2d, 0x01, 0x8b, 0xd1, 0xbf, 0xdb, |
1283 | 0 | 0xe5, 0x1c, 0x85, 0xbe, 0xb5, 0x0b, 0x48, 0x45, |
1284 | 0 | 0x7a, 0xf0, 0xa0, 0xe3, 0xa2, 0xbb, 0x4b, 0xf6, |
1285 | 0 | 0x27, 0xd0, 0x1b, 0x12, 0xe3, 0x77, 0x52, 0x34, |
1286 | 0 | 0x9e, 0x8e, 0x03, 0xd2, 0xf8, 0x79, 0x6e, 0x39, |
1287 | 0 | 0x79, 0x53, 0x3c, 0x44, 0x14, 0x94, 0xbb, 0x8d, |
1288 | 0 | 0xaa, 0x14, 0x44, 0xa0, 0x7b, 0xa5, 0x8c, 0x93, |
1289 | 0 | 0x5f, 0x99, 0xa4, 0xa3, 0x6e, 0x7a, 0x38, 0x40, |
1290 | 0 | 0x78, 0xfa, 0x36, 0x91, 0x5e, 0x9a, 0x9c, 0xba, |
1291 | 0 | 0x1e, 0xd4, 0xf9, 0xda, 0x4b, 0x0f, 0xa8, 0xa3, |
1292 | 0 | 0x1c, 0xf3, 0x3a, 0xd1, 0xa5, 0xb4, 0x51, 0x16, |
1293 | 0 | 0xed, 0x4b, 0xcf, 0xec, 0x93, 0x7b, 0x90, 0x21, |
1294 | 0 | 0xbc, 0x3a, 0xf4, 0x0b, 0xd1, 0x3a, 0x2b, 0xba, |
1295 | 0 | 0xa6, 0x7d, 0x5b, 0x53, 0xd8, 0x64, 0xf9, 0x29, |
1296 | 0 | 0x7b, 0x7f, 0x77, 0x3e, 0x51, 0x4c, 0x9a, 0x94, |
1297 | 0 | 0xd2, 0x4b, 0x4a, 0x8d, 0x61, 0x74, 0x97, 0xae, |
1298 | 0 | 0x53, 0x6a, 0xf4, 0x90, 0xc2, 0x2c, 0x49, 0xe2, |
1299 | 0 | 0xfa, 0xeb, 0x91, 0xc5, 0xe5, 0x83, 0x13, 0xc9, |
1300 | 0 | 0x44, 0x4b, 0x95, 0x2c, 0x57, 0x70, 0x15, 0x5c, |
1301 | 0 | 0x64, 0x8d, 0x1a, 0xfd, 0x2a, 0xc7, 0xb2, 0x9c, |
1302 | 0 | 0x5c, 0x99, 0xd3, 0x4a, 0xfd, 0xdd, 0xf6, 0x82, |
1303 | 0 | 0x87, 0x8c, 0x5a, 0xc4, 0xa8, 0x0d, 0x2a, 0xef, |
1304 | 0 | 0xc3, 0xa2, 0x7e, 0x8e, 0x67, 0x9f, 0x6f, 0x63, |
1305 | 0 | 0xdb, 0xbb, 0x1d, 0x31, 0xc4, 0xbb, 0xbc, 0x13, |
1306 | 0 | 0x3f, 0x54, 0xc6, 0xf6, 0xc5, 0x28, 0x32, 0xab, |
1307 | 0 | 0x96, 0x42, 0x10, 0x36, 0x40, 0x92, 0xbb, 0x57, |
1308 | 0 | 0x55, 0x38, 0xf5, 0x43, 0x7e, 0x43, 0xc4, 0x65, |
1309 | 0 | 0x47, 0x64, 0xaa, 0x0f, 0x4c, 0xe9, 0x49, 0x16, |
1310 | 0 | 0xec, 0x6a, 0x50, 0xfd, 0x14, 0x49, 0xca, 0xdb, |
1311 | 0 | 0x44, 0x54, 0xca, 0xbe, 0xa3, 0x0e, 0x5f, 0xef |
1312 | 0 | }; |
1313 | |
|
1314 | 0 | static const RSAPublicKey bl_public_key = { |
1315 | 0 | NULL, |
1316 | 0 | { FIPS_RSA_TYPE, (unsigned char *)rsa_modulus, |
1317 | 0 | FIPS_RSA_MODULUS_LENGTH }, |
1318 | 0 | { FIPS_RSA_TYPE, (unsigned char *)rsa_public_exponent, |
1319 | 0 | FIPS_RSA_PUBLIC_EXPONENT_LENGTH } |
1320 | 0 | }; |
1321 | 0 | static const RSAPrivateKey bl_private_key = { |
1322 | 0 | NULL, |
1323 | 0 | { FIPS_RSA_TYPE, (unsigned char *)rsa_version, |
1324 | 0 | FIPS_RSA_PRIVATE_VERSION_LENGTH }, |
1325 | 0 | { FIPS_RSA_TYPE, (unsigned char *)rsa_modulus, |
1326 | 0 | FIPS_RSA_MODULUS_LENGTH }, |
1327 | 0 | { FIPS_RSA_TYPE, (unsigned char *)rsa_public_exponent, |
1328 | 0 | FIPS_RSA_PUBLIC_EXPONENT_LENGTH }, |
1329 | 0 | { FIPS_RSA_TYPE, (unsigned char *)rsa_private_exponent, |
1330 | 0 | FIPS_RSA_PRIVATE_EXPONENT_LENGTH }, |
1331 | 0 | { FIPS_RSA_TYPE, (unsigned char *)rsa_prime0, |
1332 | 0 | FIPS_RSA_PRIME0_LENGTH }, |
1333 | 0 | { FIPS_RSA_TYPE, (unsigned char *)rsa_prime1, |
1334 | 0 | FIPS_RSA_PRIME1_LENGTH }, |
1335 | 0 | { FIPS_RSA_TYPE, (unsigned char *)rsa_exponent0, |
1336 | 0 | FIPS_RSA_EXPONENT0_LENGTH }, |
1337 | 0 | { FIPS_RSA_TYPE, (unsigned char *)rsa_exponent1, |
1338 | 0 | FIPS_RSA_EXPONENT1_LENGTH }, |
1339 | 0 | { FIPS_RSA_TYPE, (unsigned char *)rsa_coefficient, |
1340 | 0 | FIPS_RSA_COEFFICIENT_LENGTH } |
1341 | 0 | }; |
1342 | | |
1343 | | /* RSA variables. */ |
1344 | 0 | SECStatus rsa_status; |
1345 | 0 | RSAPublicKey rsa_public_key; |
1346 | 0 | RSAPrivateKey rsa_private_key; |
1347 | |
|
1348 | 0 | PRUint8 rsa_computed_ciphertext[FIPS_RSA_ENCRYPT_LENGTH]; |
1349 | 0 | PRUint8 rsa_computed_plaintext[FIPS_RSA_DECRYPT_LENGTH]; |
1350 | |
|
1351 | 0 | rsa_public_key = bl_public_key; |
1352 | 0 | rsa_private_key = bl_private_key; |
1353 | | |
1354 | | /**************************************************/ |
1355 | | /* RSA Single-Round Known Answer Encryption Test. */ |
1356 | | /**************************************************/ |
1357 | | |
1358 | | /* Perform RSA Public Key Encryption. */ |
1359 | 0 | rsa_status = RSA_PublicKeyOp(&rsa_public_key, |
1360 | 0 | rsa_computed_ciphertext, |
1361 | 0 | rsa_known_plaintext_msg); |
1362 | |
|
1363 | 0 | if ((rsa_status != SECSuccess) || |
1364 | 0 | (PORT_Memcmp(rsa_computed_ciphertext, rsa_known_ciphertext, |
1365 | 0 | FIPS_RSA_ENCRYPT_LENGTH) != 0)) |
1366 | 0 | goto rsa_loser; |
1367 | | |
1368 | | /**************************************************/ |
1369 | | /* RSA Single-Round Known Answer Decryption Test. */ |
1370 | | /**************************************************/ |
1371 | | |
1372 | | /* Perform RSA Private Key Decryption. */ |
1373 | 0 | rsa_status = RSA_PrivateKeyOp(&rsa_private_key, |
1374 | 0 | rsa_computed_plaintext, |
1375 | 0 | rsa_known_ciphertext); |
1376 | |
|
1377 | 0 | if ((rsa_status != SECSuccess) || |
1378 | 0 | (PORT_Memcmp(rsa_computed_plaintext, rsa_known_plaintext_msg, |
1379 | 0 | FIPS_RSA_DECRYPT_LENGTH) != 0)) |
1380 | 0 | goto rsa_loser; |
1381 | | |
1382 | 0 | return (SECSuccess); |
1383 | | |
1384 | 0 | rsa_loser: |
1385 | |
|
1386 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
1387 | 0 | return (SECFailure); |
1388 | 0 | } |
1389 | | |
1390 | | static SECStatus |
1391 | | freebl_fips_ECDSA_Test(ECParams *ecparams, |
1392 | | const PRUint8 *knownSignature, |
1393 | | unsigned int knownSignatureLen) |
1394 | 0 | { |
1395 | | |
1396 | | /* ECDSA Known Seed info for curves nistp256 and nistk283 */ |
1397 | 0 | static const PRUint8 ecdsa_Known_Seed[] = { |
1398 | 0 | 0x6a, 0x9b, 0xf6, 0xf7, 0xce, 0xed, 0x79, 0x11, |
1399 | 0 | 0xf0, 0xc7, 0xc8, 0x9a, 0xa5, 0xd1, 0x57, 0xb1, |
1400 | 0 | 0x7b, 0x5a, 0x3b, 0x76, 0x4e, 0x7b, 0x7c, 0xbc, |
1401 | 0 | 0xf2, 0x76, 0x1c, 0x1c, 0x7f, 0xc5, 0x53, 0x2f |
1402 | 0 | }; |
1403 | |
|
1404 | 0 | static const PRUint8 msg[] = { |
1405 | 0 | "Firefox and ThunderBird are awesome!" |
1406 | 0 | }; |
1407 | |
|
1408 | 0 | unsigned char sha256[SHA256_LENGTH]; /* SHA-256 hash (256 bits) */ |
1409 | 0 | unsigned char sig[2 * MAX_ECKEY_LEN]; |
1410 | 0 | SECItem signature, digest; |
1411 | 0 | ECPrivateKey *ecdsa_private_key = NULL; |
1412 | 0 | ECPublicKey ecdsa_public_key; |
1413 | 0 | SECStatus ecdsaStatus = SECSuccess; |
1414 | | |
1415 | | /* Generates a new EC key pair. The private key is a supplied |
1416 | | * random value (in seed) and the public key is the result of |
1417 | | * performing a scalar point multiplication of that value with |
1418 | | * the curve's base point. |
1419 | | */ |
1420 | 0 | ecdsaStatus = EC_NewKeyFromSeed(ecparams, &ecdsa_private_key, |
1421 | 0 | ecdsa_Known_Seed, |
1422 | 0 | sizeof(ecdsa_Known_Seed)); |
1423 | 0 | if (ecdsaStatus != SECSuccess) { |
1424 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
1425 | 0 | return (SECFailure); |
1426 | 0 | } |
1427 | | |
1428 | | /* construct public key from private key. */ |
1429 | 0 | ecdsa_public_key.ecParams = ecdsa_private_key->ecParams; |
1430 | 0 | ecdsa_public_key.publicValue = ecdsa_private_key->publicValue; |
1431 | | |
1432 | | /* validate public key value */ |
1433 | 0 | ecdsaStatus = EC_ValidatePublicKey(&ecdsa_public_key.ecParams, |
1434 | 0 | &ecdsa_public_key.publicValue); |
1435 | 0 | if (ecdsaStatus != SECSuccess) { |
1436 | 0 | goto loser; |
1437 | 0 | } |
1438 | | |
1439 | | /* validate public key value */ |
1440 | 0 | ecdsaStatus = EC_ValidatePublicKey(&ecdsa_private_key->ecParams, |
1441 | 0 | &ecdsa_private_key->publicValue); |
1442 | 0 | if (ecdsaStatus != SECSuccess) { |
1443 | 0 | goto loser; |
1444 | 0 | } |
1445 | | |
1446 | | /***************************************************/ |
1447 | | /* ECDSA Single-Round Known Answer Signature Test. */ |
1448 | | /***************************************************/ |
1449 | | |
1450 | 0 | ecdsaStatus = SHA256_HashBuf(sha256, msg, sizeof msg); |
1451 | 0 | if (ecdsaStatus != SECSuccess) { |
1452 | 0 | goto loser; |
1453 | 0 | } |
1454 | 0 | digest.type = siBuffer; |
1455 | 0 | digest.data = sha256; |
1456 | 0 | digest.len = SHA256_LENGTH; |
1457 | |
|
1458 | 0 | memset(sig, 0, sizeof sig); |
1459 | 0 | signature.type = siBuffer; |
1460 | 0 | signature.data = sig; |
1461 | 0 | signature.len = sizeof sig; |
1462 | |
|
1463 | 0 | ecdsaStatus = ECDSA_SignDigestWithSeed(ecdsa_private_key, &signature, |
1464 | 0 | &digest, ecdsa_Known_Seed, sizeof ecdsa_Known_Seed); |
1465 | 0 | if (ecdsaStatus != SECSuccess) { |
1466 | 0 | goto loser; |
1467 | 0 | } |
1468 | | |
1469 | 0 | if ((signature.len != knownSignatureLen) || |
1470 | 0 | (PORT_Memcmp(signature.data, knownSignature, |
1471 | 0 | knownSignatureLen) != 0)) { |
1472 | 0 | ecdsaStatus = SECFailure; |
1473 | 0 | goto loser; |
1474 | 0 | } |
1475 | | |
1476 | | /******************************************************/ |
1477 | | /* ECDSA Single-Round Known Answer Verification Test. */ |
1478 | | /******************************************************/ |
1479 | | |
1480 | | /* Perform ECDSA verification process. */ |
1481 | 0 | ecdsaStatus = ECDSA_VerifyDigest(&ecdsa_public_key, &signature, &digest); |
1482 | |
|
1483 | 0 | loser: |
1484 | | /* free the memory for the private key arena*/ |
1485 | 0 | PORT_FreeArena(ecdsa_private_key->ecParams.arena, PR_FALSE); |
1486 | |
|
1487 | 0 | if (ecdsaStatus != SECSuccess) { |
1488 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
1489 | 0 | return (SECFailure); |
1490 | 0 | } |
1491 | 0 | return (SECSuccess); |
1492 | 0 | } |
1493 | | |
1494 | | static SECStatus |
1495 | | freebl_fips_ECDH_Test(ECParams *ecparams) |
1496 | 0 | { |
1497 | | |
1498 | | /* ECDH Known result (reused old CAVS vector) */ |
1499 | 0 | static const PRUint8 ecdh_known_pub_key_1[] = { |
1500 | 0 | EC_POINT_FORM_UNCOMPRESSED, |
1501 | | /* pubX */ |
1502 | 0 | 0x16, 0x81, 0x32, 0x86, 0xc8, 0xe4, 0x3a, 0x1f, |
1503 | 0 | 0x5d, 0xe3, 0x06, 0x22, 0x8b, 0x99, 0x14, 0x25, |
1504 | 0 | 0xf7, 0x9c, 0x5b, 0x1e, 0x96, 0x84, 0x85, 0x3b, |
1505 | 0 | 0x17, 0xfe, 0xf3, 0x1c, 0x0e, 0xed, 0xc4, 0xce, |
1506 | | /* pubY */ |
1507 | 0 | 0x7a, 0x44, 0xfe, 0xbd, 0x91, 0x71, 0x7d, 0x73, |
1508 | 0 | 0xd9, 0x45, 0xea, 0xae, 0x66, 0x78, 0xfa, 0x6e, |
1509 | 0 | 0x46, 0xcd, 0xfa, 0x95, 0x15, 0x47, 0x62, 0x5d, |
1510 | 0 | 0xbb, 0x1b, 0x9f, 0xe6, 0x39, 0xfc, 0xfd, 0x47 |
1511 | 0 | }; |
1512 | 0 | static const PRUint8 ecdh_known_priv_key_2[] = { |
1513 | 0 | 0xb4, 0x2a, 0xe3, 0x69, 0x19, 0xec, 0xf0, 0x42, |
1514 | 0 | 0x6d, 0x45, 0x8c, 0x94, 0x4a, 0x26, 0xa7, 0x5c, |
1515 | 0 | 0xea, 0x9d, 0xd9, 0x0f, 0x59, 0xe0, 0x1a, 0x9d, |
1516 | 0 | 0x7c, 0xb7, 0x1c, 0x04, 0x53, 0xb8, 0x98, 0x5a |
1517 | 0 | }; |
1518 | 0 | static const PRUint8 ecdh_known_hash_result[] = { |
1519 | 0 | 0x16, 0xf3, 0x85, 0xa2, 0x41, 0xf3, 0x7f, 0xc4, |
1520 | 0 | 0x0b, 0x56, 0x47, 0xee, 0xa7, 0x74, 0xb9, 0xdb, |
1521 | 0 | 0xe1, 0xfa, 0x22, 0xe9, 0x04, 0xf1, 0xb6, 0x12, |
1522 | 0 | 0x4b, 0x44, 0x8a, 0xbb, 0xbc, 0x08, 0x2b, 0xa7 |
1523 | 0 | }; |
1524 | |
|
1525 | 0 | SECItem ecdh_priv_2, ecdh_pub_1; |
1526 | 0 | SECItem ZZ = { 0, 0, 0 }; |
1527 | 0 | SECStatus ecdhStatus = SECSuccess; |
1528 | 0 | PRUint8 computed_hash_result[HASH_LENGTH_MAX]; |
1529 | |
|
1530 | 0 | ecdh_priv_2.data = (PRUint8 *)ecdh_known_priv_key_2; |
1531 | 0 | ecdh_priv_2.len = sizeof(ecdh_known_priv_key_2); |
1532 | 0 | ecdh_pub_1.data = (PRUint8 *)ecdh_known_pub_key_1; |
1533 | 0 | ecdh_pub_1.len = sizeof(ecdh_known_pub_key_1); |
1534 | | |
1535 | | /* Generates a new EC key pair. The private key is a supplied |
1536 | | * random value (in seed) and the public key is the result of |
1537 | | * performing a scalar point multiplication of that value with |
1538 | | * the curve's base point. |
1539 | | */ |
1540 | 0 | ecdhStatus = ECDH_Derive(&ecdh_pub_1, ecparams, &ecdh_priv_2, PR_FALSE, &ZZ); |
1541 | 0 | if (ecdhStatus != SECSuccess) { |
1542 | 0 | goto loser; |
1543 | 0 | } |
1544 | 0 | ecdhStatus = SHA256_HashBuf(computed_hash_result, ZZ.data, ZZ.len); |
1545 | 0 | if (ecdhStatus != SECSuccess) { |
1546 | 0 | goto loser; |
1547 | 0 | } |
1548 | | |
1549 | 0 | if (PORT_Memcmp(computed_hash_result, ecdh_known_hash_result, |
1550 | 0 | sizeof(ecdh_known_hash_result)) != 0) { |
1551 | 0 | ecdhStatus = SECFailure; |
1552 | 0 | goto loser; |
1553 | 0 | } |
1554 | | |
1555 | 0 | loser: |
1556 | 0 | if (ZZ.data) { |
1557 | 0 | SECITEM_FreeItem(&ZZ, PR_FALSE); |
1558 | 0 | } |
1559 | |
|
1560 | 0 | if (ecdhStatus != SECSuccess) { |
1561 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
1562 | 0 | return (SECFailure); |
1563 | 0 | } |
1564 | 0 | return (SECSuccess); |
1565 | 0 | } |
1566 | | |
1567 | | static SECStatus |
1568 | | freebl_fips_EC_PowerUpSelfTest() |
1569 | 0 | { |
1570 | | |
1571 | | /* EC Known curve nistp256 == ECCCurve_X9_62_PRIME_256V1 params */ |
1572 | 0 | static const unsigned char p256_prime[] = { |
1573 | 0 | 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, |
1574 | 0 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
1575 | 0 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF |
1576 | 0 | }; |
1577 | 0 | static const unsigned char p256_a[] = { |
1578 | 0 | 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, |
1579 | 0 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
1580 | 0 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC |
1581 | 0 | }; |
1582 | 0 | static const unsigned char p256_b[] = { |
1583 | 0 | 0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55, 0x76, |
1584 | 0 | 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6, 0x3B, 0xCE, |
1585 | 0 | 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B |
1586 | 0 | }; |
1587 | 0 | static const unsigned char p256_base[] = { |
1588 | 0 | 0x04, |
1589 | 0 | 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5, 0x63, |
1590 | 0 | 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0, 0xF4, 0xA1, |
1591 | 0 | 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96, |
1592 | 0 | 0x4F, 0xE3, 0x42, 0xE2, 0xFE, 0x1A, 0x7F, 0x9B, 0x8E, 0xE7, 0xEB, 0x4A, 0x7C, |
1593 | 0 | 0x0F, 0x9E, 0x16, 0x2B, 0xCE, 0x33, 0x57, 0x6B, 0x31, 0x5E, 0xCE, 0xCB, 0xB6, |
1594 | 0 | 0x40, 0x68, 0x37, 0xBF, 0x51, 0xF5 |
1595 | 0 | }; |
1596 | 0 | static const unsigned char p256_order[] = { |
1597 | 0 | 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
1598 | 0 | 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84, 0xF3, 0xB9, |
1599 | 0 | 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51 |
1600 | 0 | }; |
1601 | 0 | static const unsigned char p256_encoding[] = { |
1602 | 0 | 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 |
1603 | 0 | }; |
1604 | 0 | static const ECParams ec_known_P256_Params = { |
1605 | 0 | NULL, |
1606 | 0 | ec_params_named, /* arena, type */ |
1607 | | /* fieldID */ |
1608 | 0 | { 256, ec_field_plain, /* size and type */ |
1609 | 0 | { { siBuffer, (unsigned char *)p256_prime, sizeof(p256_prime) } }, /* u.prime */ |
1610 | 0 | 0, |
1611 | 0 | 0, |
1612 | 0 | 0 }, |
1613 | | /* curve */ |
1614 | 0 | { /* a = curvea b = curveb */ |
1615 | | /* curve.a */ |
1616 | 0 | { siBuffer, (unsigned char *)p256_a, sizeof(p256_a) }, |
1617 | | /* curve.b */ |
1618 | 0 | { siBuffer, (unsigned char *)p256_b, sizeof(p256_b) }, |
1619 | | /* curve.seed */ |
1620 | 0 | { siBuffer, NULL, 0 } }, |
1621 | | /* base = 04xy*/ |
1622 | 0 | { siBuffer, (unsigned char *)p256_base, sizeof(p256_base) }, |
1623 | | /* order */ |
1624 | 0 | { siBuffer, (unsigned char *)p256_order, sizeof(p256_order) }, |
1625 | 0 | 1, /* cofactor */ |
1626 | | /* DEREncoding */ |
1627 | 0 | { siBuffer, (unsigned char *)p256_encoding, sizeof(p256_encoding) }, |
1628 | 0 | ECCurve_X9_62_PRIME_256V1, |
1629 | | /* curveOID */ |
1630 | 0 | { siBuffer, (unsigned char *)(p256_encoding) + 2, sizeof(p256_encoding) - 2 }, |
1631 | 0 | }; |
1632 | |
|
1633 | 0 | static const PRUint8 ecdsa_known_P256_signature[] = { |
1634 | 0 | 0x07, 0xb1, 0xcb, 0x57, 0x20, 0xa7, 0x10, 0xd6, |
1635 | 0 | 0x9d, 0x37, 0x4b, 0x1c, 0xdc, 0x35, 0x90, 0xff, |
1636 | 0 | 0x1a, 0x2d, 0x98, 0x95, 0x1b, 0x2f, 0xeb, 0x7f, |
1637 | 0 | 0xbb, 0x81, 0xca, 0xc0, 0x69, 0x75, 0xea, 0xc5, |
1638 | 0 | 0xa7, 0xd2, 0x20, 0xdd, 0x45, 0xf9, 0x2b, 0xdd, |
1639 | 0 | 0xda, 0x98, 0x99, 0x5b, 0x1c, 0x02, 0x3a, 0x27, |
1640 | 0 | 0x8b, 0x7d, 0xb6, 0xed, 0x0e, 0xe0, 0xa7, 0xac, |
1641 | 0 | 0xaa, 0x36, 0x2c, 0xfa, 0x1a, 0xdf, 0x0d, 0xe1 |
1642 | 0 | }; |
1643 | |
|
1644 | 0 | ECParams ecparams; |
1645 | |
|
1646 | 0 | SECStatus rv; |
1647 | | |
1648 | | /* ECDSA GF(p) prime field curve test */ |
1649 | 0 | ecparams = ec_known_P256_Params; |
1650 | 0 | rv = freebl_fips_ECDSA_Test(&ecparams, |
1651 | 0 | ecdsa_known_P256_signature, |
1652 | 0 | sizeof ecdsa_known_P256_signature); |
1653 | 0 | if (rv != SECSuccess) { |
1654 | 0 | return (SECFailure); |
1655 | 0 | } |
1656 | | /* ECDH GF(p) prime field curve test */ |
1657 | 0 | rv = freebl_fips_ECDH_Test(&ecparams); |
1658 | 0 | if (rv != SECSuccess) { |
1659 | 0 | return (SECFailure); |
1660 | 0 | } |
1661 | | |
1662 | 0 | return (SECSuccess); |
1663 | 0 | } |
1664 | | |
1665 | | static SECStatus |
1666 | | freebl_fips_DH_PowerUpSelfTest(void) |
1667 | 0 | { |
1668 | | /* DH Known P (2048-bits) */ |
1669 | 0 | static const PRUint8 dh_known_P[] = { |
1670 | 0 | 0xc2, 0x79, 0xbb, 0x76, 0x32, 0x0d, 0x43, 0xfd, |
1671 | 0 | 0x1b, 0x8c, 0xa2, 0x3c, 0x00, 0xdd, 0x6d, 0xef, |
1672 | 0 | 0xf8, 0x1a, 0xd9, 0xc1, 0xa2, 0xf5, 0x73, 0x2b, |
1673 | 0 | 0xdb, 0x1a, 0x3e, 0x84, 0x90, 0xeb, 0xe7, 0x8e, |
1674 | 0 | 0x5f, 0x5c, 0x6b, 0xb6, 0x61, 0x89, 0xd1, 0x03, |
1675 | 0 | 0xb0, 0x5f, 0x91, 0xe4, 0xd2, 0x82, 0x90, 0xfc, |
1676 | 0 | 0x3c, 0x49, 0x69, 0x59, 0xc1, 0x51, 0x6a, 0x85, |
1677 | 0 | 0x71, 0xe7, 0x5d, 0x72, 0x5a, 0x45, 0xad, 0x01, |
1678 | 0 | 0x6f, 0x82, 0xae, 0xec, 0x91, 0x08, 0x2e, 0x7c, |
1679 | 0 | 0x64, 0x93, 0x46, 0x1c, 0x68, 0xef, 0xc2, 0x03, |
1680 | 0 | 0x28, 0x1d, 0x75, 0x3a, 0xeb, 0x9c, 0x46, 0xf0, |
1681 | 0 | 0xc9, 0xdb, 0x99, 0x95, 0x13, 0x66, 0x4d, 0xd5, |
1682 | 0 | 0x1a, 0x78, 0x92, 0x51, 0x89, 0x72, 0x28, 0x7f, |
1683 | 0 | 0x20, 0x70, 0x41, 0x49, 0xa2, 0x86, 0xe9, 0xf9, |
1684 | 0 | 0x78, 0x5f, 0x8d, 0x2e, 0x5d, 0xfa, 0xdb, 0x57, |
1685 | 0 | 0xd4, 0x71, 0xdf, 0x66, 0xe3, 0x9e, 0x88, 0x70, |
1686 | 0 | 0xa4, 0x21, 0x44, 0x6a, 0xc7, 0xae, 0x30, 0x2c, |
1687 | 0 | 0x9c, 0x1f, 0x91, 0x57, 0xc8, 0x24, 0x34, 0x2d, |
1688 | 0 | 0x7a, 0x4a, 0x43, 0xc2, 0x5f, 0xab, 0x64, 0x2e, |
1689 | 0 | 0xaa, 0x28, 0x32, 0x95, 0x42, 0x7b, 0xa0, 0xcc, |
1690 | 0 | 0xdf, 0xfd, 0x22, 0xc8, 0x56, 0x84, 0xc1, 0x62, |
1691 | 0 | 0x15, 0xb2, 0x77, 0x86, 0x81, 0xfc, 0xa5, 0x12, |
1692 | 0 | 0x3c, 0xca, 0x28, 0x17, 0x8f, 0x03, 0x16, 0x6e, |
1693 | 0 | 0xb8, 0x24, 0xfa, 0x1b, 0x15, 0x02, 0xfd, 0x8b, |
1694 | 0 | 0xb6, 0x0a, 0x1a, 0xf7, 0x47, 0x41, 0xc5, 0x2b, |
1695 | 0 | 0x37, 0x3e, 0xa1, 0xbf, 0x68, 0xda, 0x1c, 0x55, |
1696 | 0 | 0x44, 0xc3, 0xee, 0xa1, 0x63, 0x07, 0x11, 0x3b, |
1697 | 0 | 0x5f, 0x00, 0x84, 0xb4, 0xc4, 0xe4, 0xa7, 0x97, |
1698 | 0 | 0x29, 0xf8, 0xce, 0xab, 0xfc, 0x27, 0x3e, 0x34, |
1699 | 0 | 0xe4, 0xc7, 0x81, 0x52, 0x32, 0x0e, 0x27, 0x3c, |
1700 | 0 | 0xa6, 0x70, 0x3f, 0x4a, 0x54, 0xda, 0xdd, 0x60, |
1701 | 0 | 0x26, 0xb3, 0x6e, 0x45, 0x26, 0x19, 0x41, 0x6f |
1702 | 0 | }; |
1703 | |
|
1704 | 0 | static const PRUint8 dh_known_Y_1[] = { |
1705 | 0 | 0xb4, 0xc7, 0x85, 0xba, 0xa6, 0x98, 0xb3, 0x77, |
1706 | 0 | 0x41, 0x2b, 0xd9, 0x9a, 0x72, 0x90, 0xa4, 0xac, |
1707 | 0 | 0xc4, 0xf7, 0xc2, 0x23, 0x9a, 0x68, 0xe2, 0x7d, |
1708 | 0 | 0x3a, 0x54, 0x45, 0x91, 0xc1, 0xd7, 0x8a, 0x17, |
1709 | 0 | 0x54, 0xd3, 0x37, 0xaa, 0x0c, 0xcd, 0x0b, 0xe2, |
1710 | 0 | 0xf2, 0x34, 0x0f, 0x17, 0xa8, 0x07, 0x88, 0xaf, |
1711 | 0 | 0xed, 0xc1, 0x02, 0xd4, 0xdb, 0xdc, 0x0f, 0x22, |
1712 | 0 | 0x51, 0x23, 0x40, 0xb9, 0x65, 0x6d, 0x39, 0xf4, |
1713 | 0 | 0xe1, 0x8b, 0x57, 0x7d, 0xb6, 0xd3, 0xf2, 0x6b, |
1714 | 0 | 0x02, 0xa9, 0x36, 0xf0, 0x0d, 0xe3, 0xdb, 0x9a, |
1715 | 0 | 0xbf, 0x20, 0x00, 0x4d, 0xec, 0x6f, 0x68, 0x95, |
1716 | 0 | 0xee, 0x59, 0x4e, 0x3c, 0xb6, 0xda, 0x7b, 0x19, |
1717 | 0 | 0x08, 0x9a, 0xef, 0x61, 0x43, 0xf5, 0xfb, 0x25, |
1718 | 0 | 0x70, 0x19, 0xc1, 0x5f, 0x0e, 0x0f, 0x6a, 0x63, |
1719 | 0 | 0x44, 0xe9, 0xcf, 0x33, 0xce, 0x13, 0x4f, 0x34, |
1720 | 0 | 0x3c, 0x94, 0x40, 0x8d, 0xf2, 0x65, 0x42, 0xef, |
1721 | 0 | 0x70, 0x54, 0xdd, 0x5f, 0xc1, 0xd7, 0x0b, 0xa6, |
1722 | 0 | 0x06, 0xd5, 0xa6, 0x47, 0xae, 0x2c, 0x1f, 0x5a, |
1723 | 0 | 0xa6, 0xb3, 0xc1, 0x38, 0x3a, 0x3b, 0x60, 0x94, |
1724 | 0 | 0xa2, 0x95, 0xab, 0xb2, 0x86, 0x82, 0xc5, 0x3b, |
1725 | 0 | 0xb8, 0x6f, 0x3e, 0x55, 0x86, 0x84, 0xe0, 0x00, |
1726 | 0 | 0xe5, 0xef, 0xca, 0x5c, 0xec, 0x7e, 0x38, 0x0f, |
1727 | 0 | 0x82, 0xa2, 0xb1, 0xee, 0x48, 0x1b, 0x32, 0xbb, |
1728 | 0 | 0x5a, 0x33, 0xa5, 0x01, 0xba, 0xca, 0xa6, 0x64, |
1729 | 0 | 0x61, 0xb6, 0xe5, 0x5c, 0x0e, 0x5f, 0x2c, 0x66, |
1730 | 0 | 0x0d, 0x01, 0x6a, 0x20, 0x04, 0x70, 0x68, 0x82, |
1731 | 0 | 0x93, 0x29, 0x15, 0x3b, 0x7a, 0x06, 0xb2, 0x92, |
1732 | 0 | 0x61, 0xcd, 0x7e, 0xa4, 0xc1, 0x15, 0x64, 0x3b, |
1733 | 0 | 0x3c, 0x51, 0x10, 0x4c, 0x87, 0xa6, 0xaf, 0x07, |
1734 | 0 | 0xce, 0x46, 0x82, 0x75, 0xf3, 0x90, 0xf3, 0x21, |
1735 | 0 | 0x55, 0x74, 0xc2, 0xe4, 0x96, 0x7d, 0xc3, 0xe6, |
1736 | 0 | 0x33, 0xa5, 0xc6, 0x51, 0xef, 0xec, 0x90, 0x08 |
1737 | 0 | }; |
1738 | |
|
1739 | 0 | static const PRUint8 dh_known_x_2[] = { |
1740 | 0 | 0x9e, 0x9b, 0xc3, 0x25, 0x53, 0xf9, 0xfc, 0x92, |
1741 | 0 | 0xb6, 0xae, 0x54, 0x8e, 0x23, 0x4c, 0x94, 0xba, |
1742 | 0 | 0x41, 0xe6, 0x29, 0x33, 0xb9, 0xdb, 0xff, 0x6d, |
1743 | 0 | 0xa8, 0xb8, 0x48, 0x49, 0x66, 0x11, 0xa6, 0x13 |
1744 | 0 | }; |
1745 | |
|
1746 | 0 | static const PRUint8 dh_known_hash_result[] = { |
1747 | 0 | 0x93, 0xa2, 0x89, 0x1c, 0x8a, 0xc3, 0x70, 0xbf, |
1748 | 0 | 0xa7, 0xdf, 0xb6, 0xd7, 0x82, 0xfb, 0x87, 0x81, |
1749 | 0 | 0x09, 0x47, 0xf3, 0x9f, 0x5a, 0xbf, 0x4f, 0x3f, |
1750 | 0 | 0x8e, 0x5e, 0x06, 0xca, 0x30, 0xa7, 0xaf, 0x10 |
1751 | 0 | }; |
1752 | | |
1753 | | /* DH variables. */ |
1754 | 0 | SECStatus dhStatus; |
1755 | 0 | SECItem dh_prime; |
1756 | 0 | SECItem dh_pub_key_1; |
1757 | 0 | SECItem dh_priv_key_2; |
1758 | 0 | SECItem ZZ = { 0, 0, 0 }; |
1759 | 0 | PRUint8 computed_hash_result[HASH_LENGTH_MAX]; |
1760 | |
|
1761 | 0 | dh_prime.data = (PRUint8 *)dh_known_P; |
1762 | 0 | dh_prime.len = sizeof(dh_known_P); |
1763 | 0 | dh_pub_key_1.data = (PRUint8 *)dh_known_Y_1; |
1764 | 0 | dh_pub_key_1.len = sizeof(dh_known_Y_1); |
1765 | 0 | dh_priv_key_2.data = (PRUint8 *)dh_known_x_2; |
1766 | 0 | dh_priv_key_2.len = sizeof(dh_known_x_2); |
1767 | | |
1768 | | /* execute the derive */ |
1769 | 0 | dhStatus = DH_Derive(&dh_pub_key_1, &dh_prime, &dh_priv_key_2, &ZZ, dh_prime.len); |
1770 | 0 | if (dhStatus != SECSuccess) { |
1771 | 0 | goto loser; |
1772 | 0 | } |
1773 | | |
1774 | 0 | dhStatus = SHA256_HashBuf(computed_hash_result, ZZ.data, ZZ.len); |
1775 | 0 | if (dhStatus != SECSuccess) { |
1776 | 0 | goto loser; |
1777 | 0 | } |
1778 | | |
1779 | 0 | if (PORT_Memcmp(computed_hash_result, dh_known_hash_result, |
1780 | 0 | sizeof(dh_known_hash_result)) != 0) { |
1781 | 0 | dhStatus = SECFailure; |
1782 | 0 | goto loser; |
1783 | 0 | } |
1784 | | |
1785 | 0 | loser: |
1786 | 0 | if (ZZ.data) { |
1787 | 0 | SECITEM_FreeItem(&ZZ, PR_FALSE); |
1788 | 0 | } |
1789 | |
|
1790 | 0 | if (dhStatus != SECSuccess) { |
1791 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
1792 | 0 | return (SECFailure); |
1793 | 0 | } |
1794 | 0 | return (SECSuccess); |
1795 | 0 | } |
1796 | | |
1797 | | static SECStatus |
1798 | | freebl_fips_RNG_PowerUpSelfTest(void) |
1799 | 2 | { |
1800 | 2 | SECStatus rng_status = SECSuccess; |
1801 | | |
1802 | | /*******************************************/ |
1803 | | /* Run the SP 800-90 Health tests */ |
1804 | | /*******************************************/ |
1805 | 2 | rng_status = PRNGTEST_RunHealthTests(); |
1806 | 2 | if (rng_status != SECSuccess) { |
1807 | 2 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
1808 | 2 | return SECFailure; |
1809 | 2 | } |
1810 | | |
1811 | 0 | return (SECSuccess); |
1812 | 2 | } |
1813 | | |
1814 | | static SECStatus |
1815 | | freebl_fipsSoftwareIntegrityTest(const char *libname) |
1816 | 0 | { |
1817 | 0 | SECStatus rv = SECSuccess; |
1818 | | |
1819 | | /* make sure that our check file signatures are OK */ |
1820 | 0 | if (!BLAPI_VerifySelf(libname)) { |
1821 | 0 | rv = SECFailure; |
1822 | 0 | } |
1823 | 0 | return rv; |
1824 | 0 | } |
1825 | | |
1826 | 4 | #define DO_FREEBL 1 |
1827 | 6 | #define DO_REST 2 |
1828 | | |
1829 | | static SECStatus |
1830 | | freebl_fipsPowerUpSelfTest(unsigned int tests) |
1831 | 2 | { |
1832 | 2 | SECStatus rv; |
1833 | | |
1834 | | /* |
1835 | | * stand alone freebl. Test hash, and rng |
1836 | | */ |
1837 | 2 | if (tests & DO_FREEBL) { |
1838 | | |
1839 | | /* SHA-X Power-Up SelfTest(s). */ |
1840 | 2 | rv = freebl_fips_SHA_PowerUpSelfTest(); |
1841 | | |
1842 | 2 | if (rv != SECSuccess) |
1843 | 0 | return rv; |
1844 | 2 | } |
1845 | | |
1846 | | /* |
1847 | | * test the rest of the algorithms not accessed through freebl |
1848 | | * standalone */ |
1849 | 2 | if (tests & DO_REST) { |
1850 | | |
1851 | | /* RNG Power-Up SelfTest(s). */ |
1852 | 2 | rv = freebl_fips_RNG_PowerUpSelfTest(); |
1853 | | |
1854 | 2 | if (rv != SECSuccess) |
1855 | 2 | return rv; |
1856 | | |
1857 | | /* DES3 Power-Up SelfTest(s). */ |
1858 | 0 | rv = freebl_fips_DES3_PowerUpSelfTest(); |
1859 | |
|
1860 | 0 | if (rv != SECSuccess) |
1861 | 0 | return rv; |
1862 | | |
1863 | | /* AES Power-Up SelfTest(s) for 128-bit key. */ |
1864 | 0 | rv = freebl_fips_AES_PowerUpSelfTest(FIPS_AES_128_KEY_SIZE); |
1865 | |
|
1866 | 0 | if (rv != SECSuccess) |
1867 | 0 | return rv; |
1868 | | |
1869 | | /* AES Power-Up SelfTest(s) for 192-bit key. */ |
1870 | 0 | rv = freebl_fips_AES_PowerUpSelfTest(FIPS_AES_192_KEY_SIZE); |
1871 | |
|
1872 | 0 | if (rv != SECSuccess) |
1873 | 0 | return rv; |
1874 | | |
1875 | | /* AES Power-Up SelfTest(s) for 256-bit key. */ |
1876 | 0 | rv = freebl_fips_AES_PowerUpSelfTest(FIPS_AES_256_KEY_SIZE); |
1877 | |
|
1878 | 0 | if (rv != SECSuccess) |
1879 | 0 | return rv; |
1880 | | |
1881 | | /* HMAC SHA-X Power-Up SelfTest(s). */ |
1882 | 0 | rv = freebl_fips_HMAC_PowerUpSelfTest(); |
1883 | |
|
1884 | 0 | if (rv != SECSuccess) |
1885 | 0 | return rv; |
1886 | | |
1887 | | /* TLS PRF Power-Up SelfTest(s). */ |
1888 | 0 | rv = freebl_fips_TLS_PowerUpSelfTest(); |
1889 | |
|
1890 | 0 | if (rv != SECSuccess) |
1891 | 0 | return rv; |
1892 | | |
1893 | | /* NOTE: RSA can only be tested in full freebl. It requires access to |
1894 | | * the locking primitives */ |
1895 | | /* RSA Power-Up SelfTest(s). */ |
1896 | 0 | rv = freebl_fips_RSA_PowerUpSelfTest(); |
1897 | |
|
1898 | 0 | if (rv != SECSuccess) |
1899 | 0 | return rv; |
1900 | | |
1901 | | /* DH Power-Up SelfTest(s). */ |
1902 | 0 | rv = freebl_fips_DH_PowerUpSelfTest(); |
1903 | |
|
1904 | 0 | if (rv != SECSuccess) |
1905 | 0 | return rv; |
1906 | | |
1907 | | /* EC Power-Up SelfTest(s). */ |
1908 | 0 | rv = freebl_fips_EC_PowerUpSelfTest(); |
1909 | |
|
1910 | 0 | if (rv != SECSuccess) |
1911 | 0 | return rv; |
1912 | 0 | } |
1913 | | /* Passed Power-Up SelfTest(s). */ |
1914 | 0 | return (SECSuccess); |
1915 | 2 | } |
1916 | | |
1917 | | /* |
1918 | | * state variables. NOTE: freebl has two uses: a standalone use which |
1919 | | * provided limitted access to the hash functions throught the NSSLOWHASH_ |
1920 | | * interface and an joint use from softoken, using the function pointer |
1921 | | * table. The standalone use can operation without nspr or nss-util, while |
1922 | | * the joint use requires both to be loaded. Certain functions (like RSA) |
1923 | | * needs locking from NSPR, for instance. |
1924 | | * |
1925 | | * At load time, we need to handle the two uses separately. If nspr and |
1926 | | * nss-util are loaded, then we can run all the selftests, but if nspr and |
1927 | | * nss-util are not loaded, then we can't run all the selftests, and we need |
1928 | | * to prevent the softoken function pointer table from operating until the |
1929 | | * libraries are loaded and we try to use them. |
1930 | | */ |
1931 | | static PRBool self_tests_freebl_ran = PR_FALSE; |
1932 | | static PRBool self_tests_ran = PR_FALSE; |
1933 | | static PRBool self_tests_freebl_success = PR_FALSE; |
1934 | | static PRBool self_tests_success = PR_FALSE; |
1935 | | |
1936 | | /* |
1937 | | * accessors for freebl |
1938 | | */ |
1939 | | PRBool |
1940 | | BL_POSTRan(PRBool freebl_only) |
1941 | 0 | { |
1942 | 0 | SECStatus rv; |
1943 | | /* if the freebl self tests didn't run, there is something wrong with |
1944 | | * our on load tests */ |
1945 | 0 | if (!self_tests_freebl_ran) { |
1946 | 0 | return PR_FALSE; |
1947 | 0 | } |
1948 | | /* if all the self tests have run, we are good */ |
1949 | 0 | if (self_tests_ran) { |
1950 | 0 | return PR_TRUE; |
1951 | 0 | } |
1952 | | /* if we only care about the freebl tests, we are good */ |
1953 | 0 | if (freebl_only) { |
1954 | 0 | return PR_TRUE; |
1955 | 0 | } |
1956 | | /* run the rest of the self tests */ |
1957 | | /* We could get there if freebl was loaded without the rest of the support |
1958 | | * libraries, but now we want to use more than just a standalone freebl. |
1959 | | * This requires the other libraries to be loaded. |
1960 | | * If they are now loaded, Try to run the rest of the selftests, |
1961 | | * otherwise fail (disabling access to these algorithms) */ |
1962 | 0 | self_tests_ran = PR_TRUE; |
1963 | 0 | BL_Init(); /* required by RSA */ |
1964 | 0 | RNG_RNGInit(); /* required by RSA */ |
1965 | 0 | rv = freebl_fipsPowerUpSelfTest(DO_REST); |
1966 | 0 | if (rv == SECSuccess) { |
1967 | 0 | self_tests_success = PR_TRUE; |
1968 | 0 | } |
1969 | 0 | return PR_TRUE; |
1970 | 0 | } |
1971 | | |
1972 | | #include "blname.c" |
1973 | | |
1974 | | /* |
1975 | | * This function is called at dll load time, the code tha makes this |
1976 | | * happen is platform specific on defined above. |
1977 | | */ |
1978 | | static void |
1979 | | bl_startup_tests(void) |
1980 | 2 | { |
1981 | 2 | const char *libraryName; |
1982 | 2 | PRBool freebl_only = PR_FALSE; |
1983 | 2 | SECStatus rv; |
1984 | | |
1985 | 2 | PORT_Assert(self_tests_freebl_ran == PR_FALSE); |
1986 | 2 | PORT_Assert(self_tests_success == PR_FALSE); |
1987 | 2 | self_tests_freebl_ran = PR_TRUE; /* we are running the tests */ |
1988 | 2 | self_tests_success = PR_FALSE; /* force it just in case */ |
1989 | 2 | self_tests_freebl_success = PR_FALSE; /* force it just in case */ |
1990 | | |
1991 | | #ifdef FREEBL_NO_DEPEND |
1992 | | rv = FREEBL_InitStubs(); |
1993 | | if (rv != SECSuccess) { |
1994 | | freebl_only = PR_TRUE; |
1995 | | } |
1996 | | #endif |
1997 | | |
1998 | 2 | self_tests_freebl_ran = PR_TRUE; /* we are running the tests */ |
1999 | | |
2000 | 2 | if (!freebl_only) { |
2001 | 2 | self_tests_ran = PR_TRUE; /* we're running all the tests */ |
2002 | 2 | BL_Init(); /* needs to be called before RSA can be used */ |
2003 | 2 | RNG_RNGInit(); |
2004 | 2 | } |
2005 | | |
2006 | | /* always run the post tests */ |
2007 | 2 | rv = freebl_fipsPowerUpSelfTest(freebl_only ? DO_FREEBL : DO_FREEBL | DO_REST); |
2008 | 2 | if (rv != SECSuccess) { |
2009 | 2 | return; |
2010 | 2 | } |
2011 | | |
2012 | 0 | libraryName = getLibName(); |
2013 | 0 | rv = freebl_fipsSoftwareIntegrityTest(libraryName); |
2014 | 0 | if (rv != SECSuccess) { |
2015 | 0 | return; |
2016 | 0 | } |
2017 | | |
2018 | | /* posts are happy, allow the fips module to function now */ |
2019 | 0 | self_tests_freebl_success = PR_TRUE; /* we always test the freebl stuff */ |
2020 | 0 | if (!freebl_only) { |
2021 | 0 | self_tests_success = PR_TRUE; |
2022 | 0 | } |
2023 | 0 | } |
2024 | | |
2025 | | /* |
2026 | | * this is called from the freebl init entry points that controll access to |
2027 | | * all other freebl functions. This prevents freebl from operating if our |
2028 | | * power on selftest failed. |
2029 | | */ |
2030 | | SECStatus |
2031 | | BL_FIPSEntryOK(PRBool freebl_only, PRBool rerun) |
2032 | 2 | { |
2033 | | #ifdef NSS_NO_INIT_SUPPORT |
2034 | | /* this should only be set on platforms that can't handle one of the INIT |
2035 | | * schemes. This code allows those platforms to continue to function, |
2036 | | * though they don't meet the strict NIST requirements. If NSS_NO_INIT_SUPPORT |
2037 | | * is not set, and init support has not been properly enabled, freebl |
2038 | | * will always fail because of the test below |
2039 | | */ |
2040 | | if (!self_tests_freebl_ran) { |
2041 | | bl_startup_tests(); |
2042 | | } |
2043 | | #endif |
2044 | 2 | if (rerun) { |
2045 | | /* reset the flags */ |
2046 | 0 | self_tests_freebl_ran = PR_FALSE; |
2047 | 0 | self_tests_success = PR_FALSE; |
2048 | 0 | self_tests_success = PR_FALSE; |
2049 | 0 | self_tests_freebl_success = PR_FALSE; |
2050 | 0 | bl_startup_tests(); |
2051 | 0 | } |
2052 | | /* if the general self tests succeeded, we're done */ |
2053 | 2 | if (self_tests_success) { |
2054 | 0 | return SECSuccess; |
2055 | 0 | } |
2056 | | /* standalone freebl can initialize */ |
2057 | 2 | if (freebl_only && self_tests_freebl_success) { |
2058 | 0 | return SECSuccess; |
2059 | 0 | } |
2060 | 2 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
2061 | 2 | return SECFailure; |
2062 | 2 | } |
2063 | | #endif |