fipsfreebl.c (80019B)
1 /* 2 * PKCS #11 FIPS Power-Up Self Test. 3 * 4 * This Source Code Form is subject to the terms of the Mozilla Public 5 * License, v. 2.0. If a copy of the MPL was not distributed with this 6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 7 /* $Id: fipstest.c,v 1.31 2012/06/28 17:55:06 rrelyea%redhat.com Exp $ */ 8 9 #ifndef NSS_FIPS_DISABLED 10 #ifdef FREEBL_NO_DEPEND 11 #include "stubs.h" 12 #endif 13 14 #include "blapi.h" 15 #include "seccomon.h" /* Required for RSA. */ 16 #include "secerr.h" 17 #include "prtypes.h" 18 #include "secitem.h" 19 #include "pkcs11t.h" 20 #include "cmac.h" 21 22 #include "ec.h" /* Required for EC */ 23 24 /* 25 * different platforms have different ways of calling and initial entry point 26 * when the dll/.so is loaded. Most platforms support either a posix pragma 27 * or the GCC attribute. Some platforms suppor a pre-defined name, and some 28 * platforms have a link line way of invoking this function. 29 */ 30 31 /* The pragma */ 32 #if defined(USE_INIT_PRAGMA) 33 #pragma init(bl_startup_tests) 34 #endif 35 36 /* GCC Attribute */ 37 #if defined(__GNUC__) && !defined(NSS_NO_INIT_SUPPORT) 38 #define INIT_FUNCTION __attribute__((constructor)) 39 #else 40 #define INIT_FUNCTION 41 #endif 42 43 static void INIT_FUNCTION bl_startup_tests(void); 44 45 /* Windows pre-defined entry */ 46 #if defined(XP_WIN) && !defined(NSS_NO_INIT_SUPPORT) 47 #include <windows.h> 48 49 BOOL WINAPI 50 DllMain( 51 HINSTANCE hinstDLL, // handle to DLL module 52 DWORD fdwReason, // reason for calling function 53 LPVOID lpReserved) // reserved 54 { 55 // Perform actions based on the reason for calling. 56 switch (fdwReason) { 57 case DLL_PROCESS_ATTACH: 58 // Initialize once for each new process. 59 // Return FALSE to fail DLL load. 60 bl_startup_tests(); 61 break; 62 63 case DLL_THREAD_ATTACH: 64 // Do thread-specific initialization. 65 break; 66 67 case DLL_THREAD_DETACH: 68 // Do thread-specific cleanup. 69 break; 70 71 case DLL_PROCESS_DETACH: 72 // Perform any necessary cleanup. 73 break; 74 } 75 return TRUE; // Successful DLL_PROCESS_ATTACH. 76 } 77 #endif 78 79 /* insert other platform dependent init entry points here, or modify 80 * the linker line */ 81 82 /* FIPS preprocessor directives for RC2-ECB and RC2-CBC. */ 83 #define FIPS_RC2_KEY_LENGTH 5 /* 40-bits */ 84 #define FIPS_RC2_ENCRYPT_LENGTH 8 /* 64-bits */ 85 #define FIPS_RC2_DECRYPT_LENGTH 8 /* 64-bits */ 86 87 /* FIPS preprocessor directives for RC4. */ 88 #define FIPS_RC4_KEY_LENGTH 5 /* 40-bits */ 89 #define FIPS_RC4_ENCRYPT_LENGTH 8 /* 64-bits */ 90 #define FIPS_RC4_DECRYPT_LENGTH 8 /* 64-bits */ 91 92 /* FIPS preprocessor directives for DES-ECB and DES-CBC. */ 93 #define FIPS_DES_ENCRYPT_LENGTH 8 /* 64-bits */ 94 #define FIPS_DES_DECRYPT_LENGTH 8 /* 64-bits */ 95 96 /* FIPS preprocessor directives for DES3-CBC and DES3-ECB. */ 97 #define FIPS_DES3_ENCRYPT_LENGTH 8 /* 64-bits */ 98 #define FIPS_DES3_DECRYPT_LENGTH 8 /* 64-bits */ 99 100 /* FIPS preprocessor directives for AES-ECB and AES-CBC. */ 101 #define FIPS_AES_BLOCK_SIZE 16 /* 128-bits */ 102 #define FIPS_AES_ENCRYPT_LENGTH 16 /* 128-bits */ 103 #define FIPS_AES_DECRYPT_LENGTH 16 /* 128-bits */ 104 #define FIPS_AES_CMAC_LENGTH 16 /* 128-bits */ 105 #define FIPS_AES_128_KEY_SIZE 16 /* 128-bits */ 106 #define FIPS_AES_192_KEY_SIZE 24 /* 192-bits */ 107 #define FIPS_AES_256_KEY_SIZE 32 /* 256-bits */ 108 109 /* FIPS preprocessor directives for message digests */ 110 #define FIPS_KNOWN_HASH_MESSAGE_LENGTH 64 /* 512-bits */ 111 112 /* FIPS preprocessor directives for RSA. */ 113 #define FIPS_RSA_TYPE siBuffer 114 #define FIPS_RSA_PUBLIC_EXPONENT_LENGTH 3 /* 24-bits */ 115 #define FIPS_RSA_PRIVATE_VERSION_LENGTH 1 /* 8-bits */ 116 #define FIPS_RSA_MESSAGE_LENGTH 256 /* 2048-bits */ 117 #define FIPS_RSA_COEFFICIENT_LENGTH 128 /* 1024-bits */ 118 #define FIPS_RSA_PRIME0_LENGTH 128 /* 1024-bits */ 119 #define FIPS_RSA_PRIME1_LENGTH 128 /* 1024-bits */ 120 #define FIPS_RSA_EXPONENT0_LENGTH 128 /* 1024-bits */ 121 #define FIPS_RSA_EXPONENT1_LENGTH 128 /* 1024-bits */ 122 #define FIPS_RSA_PRIVATE_EXPONENT_LENGTH 256 /* 2048-bits */ 123 #define FIPS_RSA_ENCRYPT_LENGTH 256 /* 2048-bits */ 124 #define FIPS_RSA_DECRYPT_LENGTH 256 /* 2048-bits */ 125 #define FIPS_RSA_SIGNATURE_LENGTH 256 /* 2048-bits */ 126 #define FIPS_RSA_MODULUS_LENGTH 256 /* 2048-bits */ 127 128 /* FIPS preprocessor directives for RNG. */ 129 #define FIPS_RNG_XKEY_LENGTH 32 /* 256-bits */ 130 131 static SECStatus 132 freebl_fips_DES3_PowerUpSelfTest(void) 133 { 134 /* DES3 Known Key (56-bits). */ 135 static const PRUint8 des3_known_key[] = { "ANSI Triple-DES Key Data" }; 136 137 /* DES3-CBC Known Initialization Vector (64-bits). */ 138 static const PRUint8 des3_cbc_known_initialization_vector[] = { "Security" }; 139 140 /* DES3 Known Plaintext (64-bits). */ 141 static const PRUint8 des3_ecb_known_plaintext[] = { "Netscape" }; 142 static const PRUint8 des3_cbc_known_plaintext[] = { "Netscape" }; 143 144 /* DES3 Known Ciphertext (64-bits). */ 145 static const PRUint8 des3_ecb_known_ciphertext[] = { 146 0x55, 0x8e, 0xad, 0x3c, 0xee, 0x49, 0x69, 0xbe 147 }; 148 static const PRUint8 des3_cbc_known_ciphertext[] = { 149 0x43, 0xdc, 0x6a, 0xc1, 0xaf, 0xa6, 0x32, 0xf5 150 }; 151 152 /* DES3 variables. */ 153 PRUint8 des3_computed_ciphertext[FIPS_DES3_ENCRYPT_LENGTH]; 154 PRUint8 des3_computed_plaintext[FIPS_DES3_DECRYPT_LENGTH]; 155 DESContext *des3_context; 156 unsigned int des3_bytes_encrypted; 157 unsigned int des3_bytes_decrypted; 158 SECStatus des3_status; 159 160 /*******************************************************/ 161 /* DES3-ECB Single-Round Known Answer Encryption Test. */ 162 /*******************************************************/ 163 164 des3_context = DES_CreateContext(des3_known_key, NULL, 165 NSS_DES_EDE3, PR_TRUE); 166 167 if (des3_context == NULL) { 168 PORT_SetError(SEC_ERROR_NO_MEMORY); 169 return (SECFailure); 170 } 171 172 des3_status = DES_Encrypt(des3_context, des3_computed_ciphertext, 173 &des3_bytes_encrypted, FIPS_DES3_ENCRYPT_LENGTH, 174 des3_ecb_known_plaintext, 175 FIPS_DES3_DECRYPT_LENGTH); 176 177 DES_DestroyContext(des3_context, PR_TRUE); 178 179 if ((des3_status != SECSuccess) || 180 (des3_bytes_encrypted != FIPS_DES3_ENCRYPT_LENGTH) || 181 (PORT_Memcmp(des3_computed_ciphertext, des3_ecb_known_ciphertext, 182 FIPS_DES3_ENCRYPT_LENGTH) != 0)) { 183 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 184 return (SECFailure); 185 } 186 187 /*******************************************************/ 188 /* DES3-ECB Single-Round Known Answer Decryption Test. */ 189 /*******************************************************/ 190 191 des3_context = DES_CreateContext(des3_known_key, NULL, 192 NSS_DES_EDE3, PR_FALSE); 193 194 if (des3_context == NULL) { 195 PORT_SetError(SEC_ERROR_NO_MEMORY); 196 return (SECFailure); 197 } 198 199 des3_status = DES_Decrypt(des3_context, des3_computed_plaintext, 200 &des3_bytes_decrypted, FIPS_DES3_DECRYPT_LENGTH, 201 des3_ecb_known_ciphertext, 202 FIPS_DES3_ENCRYPT_LENGTH); 203 204 DES_DestroyContext(des3_context, PR_TRUE); 205 206 if ((des3_status != SECSuccess) || 207 (des3_bytes_decrypted != FIPS_DES3_DECRYPT_LENGTH) || 208 (PORT_Memcmp(des3_computed_plaintext, des3_ecb_known_plaintext, 209 FIPS_DES3_DECRYPT_LENGTH) != 0)) { 210 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 211 return (SECFailure); 212 } 213 214 /*******************************************************/ 215 /* DES3-CBC Single-Round Known Answer Encryption Test. */ 216 /*******************************************************/ 217 218 des3_context = DES_CreateContext(des3_known_key, 219 des3_cbc_known_initialization_vector, 220 NSS_DES_EDE3_CBC, PR_TRUE); 221 222 if (des3_context == NULL) { 223 PORT_SetError(SEC_ERROR_NO_MEMORY); 224 return (SECFailure); 225 } 226 227 des3_status = DES_Encrypt(des3_context, des3_computed_ciphertext, 228 &des3_bytes_encrypted, FIPS_DES3_ENCRYPT_LENGTH, 229 des3_cbc_known_plaintext, 230 FIPS_DES3_DECRYPT_LENGTH); 231 232 DES_DestroyContext(des3_context, PR_TRUE); 233 234 if ((des3_status != SECSuccess) || 235 (des3_bytes_encrypted != FIPS_DES3_ENCRYPT_LENGTH) || 236 (PORT_Memcmp(des3_computed_ciphertext, des3_cbc_known_ciphertext, 237 FIPS_DES3_ENCRYPT_LENGTH) != 0)) { 238 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 239 return (SECFailure); 240 } 241 242 /*******************************************************/ 243 /* DES3-CBC Single-Round Known Answer Decryption Test. */ 244 /*******************************************************/ 245 246 des3_context = DES_CreateContext(des3_known_key, 247 des3_cbc_known_initialization_vector, 248 NSS_DES_EDE3_CBC, PR_FALSE); 249 250 if (des3_context == NULL) { 251 PORT_SetError(SEC_ERROR_NO_MEMORY); 252 return (SECFailure); 253 } 254 255 des3_status = DES_Decrypt(des3_context, des3_computed_plaintext, 256 &des3_bytes_decrypted, FIPS_DES3_DECRYPT_LENGTH, 257 des3_cbc_known_ciphertext, 258 FIPS_DES3_ENCRYPT_LENGTH); 259 260 DES_DestroyContext(des3_context, PR_TRUE); 261 262 if ((des3_status != SECSuccess) || 263 (des3_bytes_decrypted != FIPS_DES3_DECRYPT_LENGTH) || 264 (PORT_Memcmp(des3_computed_plaintext, des3_cbc_known_plaintext, 265 FIPS_DES3_DECRYPT_LENGTH) != 0)) { 266 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 267 return (SECFailure); 268 } 269 270 return (SECSuccess); 271 } 272 273 /* AES self-test for 128-bit, 192-bit, or 256-bit key sizes*/ 274 static SECStatus 275 freebl_fips_AES_PowerUpSelfTest(int aes_key_size) 276 { 277 /* AES Known Key (up to 256-bits). */ 278 static const PRUint8 aes_known_key[] = { "AES-128 RIJNDAELLEADNJIR 821-SEA" }; 279 280 /* AES-CBC Known Initialization Vector (128-bits). */ 281 static const PRUint8 aes_cbc_known_initialization_vector[] = { "SecurityytiruceS" }; 282 283 /* AES Known Plaintext (128-bits). (blocksize is 128-bits) */ 284 static const PRUint8 aes_known_plaintext[] = { "NetscapeepacsteN" }; 285 286 static const PRUint8 aes_gcm_known_aad[] = { "MozillaallizoM" }; 287 288 /* AES Known Ciphertext (128-bit key). */ 289 static const PRUint8 aes_ecb128_known_ciphertext[] = { 290 0x3c, 0xa5, 0x96, 0xf3, 0x34, 0x6a, 0x96, 0xc1, 291 0x03, 0x88, 0x16, 0x7b, 0x20, 0xbf, 0x35, 0x47 292 }; 293 294 static const PRUint8 aes_cbc128_known_ciphertext[] = { 295 0xcf, 0x15, 0x1d, 0x4f, 0x96, 0xe4, 0x4f, 0x63, 296 0x15, 0x54, 0x14, 0x1d, 0x4e, 0xd8, 0xd5, 0xea 297 }; 298 299 static const PRUint8 aes_gcm128_known_ciphertext[] = { 300 0x63, 0xf4, 0x95, 0x28, 0xe6, 0x78, 0xee, 0x6e, 301 0x4f, 0xe0, 0xfc, 0x8d, 0xd7, 0xa2, 0xb1, 0xff, 302 0x0c, 0x97, 0x1b, 0x0a, 0xdd, 0x97, 0x75, 0xed, 303 0x8b, 0xde, 0xbf, 0x16, 0x5e, 0x57, 0x6b, 0x4f 304 }; 305 306 static const PRUint8 aes_cmac128_known_ciphertext[] = { 307 0x54, 0x11, 0xe2, 0x57, 0xbd, 0x2a, 0xdf, 0x9d, 308 0x1a, 0x89, 0x72, 0x80, 0x84, 0x4c, 0x7e, 0x93 309 }; 310 311 /* AES Known Ciphertext (192-bit key). */ 312 static const PRUint8 aes_ecb192_known_ciphertext[] = { 313 0xa0, 0x18, 0x62, 0xed, 0x88, 0x19, 0xcb, 0x62, 314 0x88, 0x1d, 0x4d, 0xfe, 0x84, 0x02, 0x89, 0x0e 315 }; 316 317 static const PRUint8 aes_cbc192_known_ciphertext[] = { 318 0x83, 0xf7, 0xa4, 0x76, 0xd1, 0x6f, 0x07, 0xbe, 319 0x07, 0xbc, 0x43, 0x2f, 0x6d, 0xad, 0x29, 0xe1 320 }; 321 322 static const PRUint8 aes_gcm192_known_ciphertext[] = { 323 0xc1, 0x0b, 0x92, 0x1d, 0x68, 0x21, 0xf4, 0x25, 324 0x41, 0x61, 0x20, 0x2d, 0x59, 0x7f, 0x53, 0xde, 325 0x93, 0x39, 0xab, 0x09, 0x76, 0x41, 0x57, 0x2b, 326 0x90, 0x2e, 0x44, 0xbb, 0x52, 0x03, 0xe9, 0x07 327 }; 328 329 static const PRUint8 aes_cmac192_known_ciphertext[] = { 330 0x0e, 0x07, 0x99, 0x1e, 0xf6, 0xee, 0xfa, 0x2c, 331 0x1b, 0xfc, 0xce, 0x94, 0x92, 0x2d, 0xf1, 0xab 332 }; 333 334 /* AES Known Ciphertext (256-bit key). */ 335 static const PRUint8 aes_ecb256_known_ciphertext[] = { 336 0xdb, 0xa6, 0x52, 0x01, 0x8a, 0x70, 0xae, 0x66, 337 0x3a, 0x99, 0xd8, 0x95, 0x7f, 0xfb, 0x01, 0x67 338 }; 339 340 static const PRUint8 aes_cbc256_known_ciphertext[] = { 341 0x37, 0xea, 0x07, 0x06, 0x31, 0x1c, 0x59, 0x27, 342 0xc5, 0xc5, 0x68, 0x71, 0x6e, 0x34, 0x40, 0x16 343 }; 344 345 static const PRUint8 aes_gcm256_known_ciphertext[] = { 346 0x5d, 0x9e, 0xd2, 0xa2, 0x74, 0x9c, 0xd9, 0x1c, 347 0xd1, 0xc9, 0xee, 0x5d, 0xb6, 0xf2, 0xc9, 0xb6, 348 0x79, 0x27, 0x53, 0x02, 0xa3, 0xdc, 0x22, 0xce, 349 0xf4, 0xb0, 0xc1, 0x8c, 0x86, 0x51, 0xf5, 0xa1 350 }; 351 352 static const PRUint8 aes_cmac256_known_ciphertext[] = { 353 0xc1, 0x26, 0x69, 0x32, 0x51, 0x13, 0x65, 0xac, 354 0x71, 0x23, 0xe4, 0xe7, 0xb9, 0x0c, 0x88, 0x9f 355 356 }; 357 358 const PRUint8 *aes_ecb_known_ciphertext = 359 (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_ecb128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_ecb192_known_ciphertext 360 : aes_ecb256_known_ciphertext; 361 362 const PRUint8 *aes_cbc_known_ciphertext = 363 (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_cbc128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_cbc192_known_ciphertext 364 : aes_cbc256_known_ciphertext; 365 366 const PRUint8 *aes_gcm_known_ciphertext = 367 (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_gcm128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_gcm192_known_ciphertext 368 : aes_gcm256_known_ciphertext; 369 370 const PRUint8 *aes_cmac_known_ciphertext = 371 (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_cmac128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_cmac192_known_ciphertext 372 : aes_cmac256_known_ciphertext; 373 374 /* AES variables. */ 375 PRUint8 aes_computed_ciphertext[FIPS_AES_ENCRYPT_LENGTH * 2]; 376 PRUint8 aes_computed_plaintext[FIPS_AES_DECRYPT_LENGTH * 2]; 377 AESContext *aes_context; 378 CMACContext *cmac_context; 379 unsigned int aes_bytes_encrypted; 380 unsigned int aes_bytes_decrypted; 381 CK_NSS_GCM_PARAMS gcmParams; 382 SECStatus aes_status; 383 384 /*check if aes_key_size is 128, 192, or 256 bits */ 385 if ((aes_key_size != FIPS_AES_128_KEY_SIZE) && 386 (aes_key_size != FIPS_AES_192_KEY_SIZE) && 387 (aes_key_size != FIPS_AES_256_KEY_SIZE)) { 388 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 389 return (SECFailure); 390 } 391 392 /******************************************************/ 393 /* AES-ECB Single-Round Known Answer Encryption Test: */ 394 /******************************************************/ 395 396 aes_context = AES_CreateContext(aes_known_key, NULL, NSS_AES, PR_TRUE, 397 aes_key_size, FIPS_AES_BLOCK_SIZE); 398 399 if (aes_context == NULL) { 400 PORT_SetError(SEC_ERROR_NO_MEMORY); 401 return (SECFailure); 402 } 403 404 aes_status = AES_Encrypt(aes_context, aes_computed_ciphertext, 405 &aes_bytes_encrypted, FIPS_AES_ENCRYPT_LENGTH, 406 aes_known_plaintext, 407 FIPS_AES_DECRYPT_LENGTH); 408 409 AES_DestroyContext(aes_context, PR_TRUE); 410 411 if ((aes_status != SECSuccess) || 412 (aes_bytes_encrypted != FIPS_AES_ENCRYPT_LENGTH) || 413 (PORT_Memcmp(aes_computed_ciphertext, aes_ecb_known_ciphertext, 414 FIPS_AES_ENCRYPT_LENGTH) != 0)) { 415 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 416 return (SECFailure); 417 } 418 419 /******************************************************/ 420 /* AES-ECB Single-Round Known Answer Decryption Test: */ 421 /******************************************************/ 422 423 aes_context = AES_CreateContext(aes_known_key, NULL, NSS_AES, PR_FALSE, 424 aes_key_size, FIPS_AES_BLOCK_SIZE); 425 426 if (aes_context == NULL) { 427 PORT_SetError(SEC_ERROR_NO_MEMORY); 428 return (SECFailure); 429 } 430 431 aes_status = AES_Decrypt(aes_context, aes_computed_plaintext, 432 &aes_bytes_decrypted, FIPS_AES_DECRYPT_LENGTH, 433 aes_ecb_known_ciphertext, 434 FIPS_AES_ENCRYPT_LENGTH); 435 436 AES_DestroyContext(aes_context, PR_TRUE); 437 438 if ((aes_status != SECSuccess) || 439 (aes_bytes_decrypted != FIPS_AES_DECRYPT_LENGTH) || 440 (PORT_Memcmp(aes_computed_plaintext, aes_known_plaintext, 441 FIPS_AES_DECRYPT_LENGTH) != 0)) { 442 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 443 return (SECFailure); 444 } 445 446 /******************************************************/ 447 /* AES-CBC Single-Round Known Answer Encryption Test. */ 448 /******************************************************/ 449 450 aes_context = AES_CreateContext(aes_known_key, 451 aes_cbc_known_initialization_vector, 452 NSS_AES_CBC, PR_TRUE, aes_key_size, 453 FIPS_AES_BLOCK_SIZE); 454 455 if (aes_context == NULL) { 456 PORT_SetError(SEC_ERROR_NO_MEMORY); 457 return (SECFailure); 458 } 459 460 aes_status = AES_Encrypt(aes_context, aes_computed_ciphertext, 461 &aes_bytes_encrypted, FIPS_AES_ENCRYPT_LENGTH, 462 aes_known_plaintext, 463 FIPS_AES_DECRYPT_LENGTH); 464 465 AES_DestroyContext(aes_context, PR_TRUE); 466 467 if ((aes_status != SECSuccess) || 468 (aes_bytes_encrypted != FIPS_AES_ENCRYPT_LENGTH) || 469 (PORT_Memcmp(aes_computed_ciphertext, aes_cbc_known_ciphertext, 470 FIPS_AES_ENCRYPT_LENGTH) != 0)) { 471 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 472 return (SECFailure); 473 } 474 475 /******************************************************/ 476 /* AES-CBC Single-Round Known Answer Decryption Test. */ 477 /******************************************************/ 478 479 aes_context = AES_CreateContext(aes_known_key, 480 aes_cbc_known_initialization_vector, 481 NSS_AES_CBC, PR_FALSE, aes_key_size, 482 FIPS_AES_BLOCK_SIZE); 483 484 if (aes_context == NULL) { 485 PORT_SetError(SEC_ERROR_NO_MEMORY); 486 return (SECFailure); 487 } 488 489 aes_status = AES_Decrypt(aes_context, aes_computed_plaintext, 490 &aes_bytes_decrypted, FIPS_AES_DECRYPT_LENGTH, 491 aes_cbc_known_ciphertext, 492 FIPS_AES_ENCRYPT_LENGTH); 493 494 AES_DestroyContext(aes_context, PR_TRUE); 495 496 if ((aes_status != SECSuccess) || 497 (aes_bytes_decrypted != FIPS_AES_DECRYPT_LENGTH) || 498 (PORT_Memcmp(aes_computed_plaintext, aes_known_plaintext, 499 FIPS_AES_DECRYPT_LENGTH) != 0)) { 500 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 501 return (SECFailure); 502 } 503 504 /******************************************************/ 505 /* AES-GCM Single-Round Known Answer Encryption Test. */ 506 /******************************************************/ 507 508 gcmParams.pIv = (PRUint8 *)aes_cbc_known_initialization_vector; 509 gcmParams.ulIvLen = FIPS_AES_BLOCK_SIZE; 510 gcmParams.pAAD = (PRUint8 *)aes_gcm_known_aad; 511 gcmParams.ulAADLen = sizeof(aes_gcm_known_aad); 512 gcmParams.ulTagBits = FIPS_AES_BLOCK_SIZE * 8; 513 aes_context = AES_CreateContext(aes_known_key, 514 (PRUint8 *)&gcmParams, 515 NSS_AES_GCM, PR_TRUE, aes_key_size, 516 FIPS_AES_BLOCK_SIZE); 517 518 if (aes_context == NULL) { 519 PORT_SetError(SEC_ERROR_NO_MEMORY); 520 return (SECFailure); 521 } 522 523 aes_status = AES_Encrypt(aes_context, aes_computed_ciphertext, 524 &aes_bytes_encrypted, FIPS_AES_ENCRYPT_LENGTH * 2, 525 aes_known_plaintext, 526 FIPS_AES_DECRYPT_LENGTH); 527 528 AES_DestroyContext(aes_context, PR_TRUE); 529 530 if ((aes_status != SECSuccess) || 531 (aes_bytes_encrypted != FIPS_AES_ENCRYPT_LENGTH * 2) || 532 (PORT_Memcmp(aes_computed_ciphertext, aes_gcm_known_ciphertext, 533 FIPS_AES_ENCRYPT_LENGTH * 2) != 0)) { 534 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 535 return (SECFailure); 536 } 537 538 /******************************************************/ 539 /* AES-GCM Single-Round Known Answer Decryption Test. */ 540 /******************************************************/ 541 542 aes_context = AES_CreateContext(aes_known_key, 543 (PRUint8 *)&gcmParams, 544 NSS_AES_GCM, PR_FALSE, aes_key_size, 545 FIPS_AES_BLOCK_SIZE); 546 547 if (aes_context == NULL) { 548 PORT_SetError(SEC_ERROR_NO_MEMORY); 549 return (SECFailure); 550 } 551 552 aes_status = AES_Decrypt(aes_context, aes_computed_plaintext, 553 &aes_bytes_decrypted, FIPS_AES_DECRYPT_LENGTH * 2, 554 aes_gcm_known_ciphertext, 555 FIPS_AES_ENCRYPT_LENGTH * 2); 556 557 AES_DestroyContext(aes_context, PR_TRUE); 558 559 if ((aes_status != SECSuccess) || 560 (aes_bytes_decrypted != FIPS_AES_DECRYPT_LENGTH) || 561 (PORT_Memcmp(aes_computed_plaintext, aes_known_plaintext, 562 FIPS_AES_DECRYPT_LENGTH) != 0)) { 563 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 564 return (SECFailure); 565 } 566 567 /******************************************************/ 568 /* AES-CMAC Known Answer Encryption Test. */ 569 /******************************************************/ 570 cmac_context = CMAC_Create(CMAC_AES, aes_known_key, aes_key_size); 571 572 if (cmac_context == NULL) { 573 PORT_SetError(SEC_ERROR_NO_MEMORY); 574 return (SECFailure); 575 } 576 577 aes_status = CMAC_Begin(cmac_context); 578 if (aes_status != SECSuccess) { 579 CMAC_Destroy(cmac_context, PR_TRUE); 580 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 581 return (SECFailure); 582 } 583 584 aes_status = CMAC_Update(cmac_context, aes_known_plaintext, 585 FIPS_AES_DECRYPT_LENGTH); 586 if (aes_status != SECSuccess) { 587 CMAC_Destroy(cmac_context, PR_TRUE); 588 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 589 return (SECFailure); 590 } 591 592 aes_status = CMAC_Finish(cmac_context, aes_computed_ciphertext, 593 &aes_bytes_encrypted, FIPS_AES_CMAC_LENGTH); 594 595 CMAC_Destroy(cmac_context, PR_TRUE); 596 597 if ((aes_status != SECSuccess) || 598 (aes_bytes_encrypted != FIPS_AES_CMAC_LENGTH) || 599 (PORT_Memcmp(aes_computed_ciphertext, aes_cmac_known_ciphertext, 600 FIPS_AES_CMAC_LENGTH) != 0)) { 601 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 602 return (SECFailure); 603 } 604 605 return (SECSuccess); 606 } 607 608 /* Known Hash Message (512-bits). Used for all hashes (incl. SHA-N [N>1]). */ 609 static const PRUint8 known_hash_message[] = { 610 "The test message for the MD2, MD5, and SHA-1 hashing algorithms." 611 }; 612 613 /****************************************************/ 614 /* Single Round HMAC SHA-X test */ 615 /****************************************************/ 616 static SECStatus 617 freebl_fips_HMAC(unsigned char *hmac_computed, 618 const PRUint8 *secret_key, 619 unsigned int secret_key_length, 620 const PRUint8 *message, 621 unsigned int message_length, 622 HASH_HashType hashAlg) 623 { 624 SECStatus hmac_status = SECFailure; 625 HMACContext *cx = NULL; 626 SECHashObject *hashObj = NULL; 627 unsigned int bytes_hashed = 0; 628 629 hashObj = (SECHashObject *)HASH_GetRawHashObject(hashAlg); 630 631 if (!hashObj) 632 return (SECFailure); 633 634 cx = HMAC_Create(hashObj, secret_key, 635 secret_key_length, 636 PR_TRUE); /* PR_TRUE for in FIPS mode */ 637 638 if (cx == NULL) 639 return (SECFailure); 640 641 HMAC_Begin(cx); 642 HMAC_Update(cx, message, message_length); 643 hmac_status = HMAC_Finish(cx, hmac_computed, &bytes_hashed, 644 hashObj->length); 645 646 HMAC_Destroy(cx, PR_TRUE); 647 648 return (hmac_status); 649 } 650 651 static SECStatus 652 freebl_fips_HMAC_PowerUpSelfTest(void) 653 { 654 static const PRUint8 HMAC_known_secret_key[] = { 655 "Firefox and ThunderBird are awesome!" 656 }; 657 658 static const PRUint8 HMAC_known_secret_key_length = sizeof HMAC_known_secret_key; 659 660 /* known SHA1 hmac (20 bytes) */ 661 static const PRUint8 known_SHA1_hmac[] = { 662 0xd5, 0x85, 0xf6, 0x5b, 0x39, 0xfa, 0xb9, 0x05, 663 0x3b, 0x57, 0x1d, 0x61, 0xe7, 0xb8, 0x84, 0x1e, 664 0x5d, 0x0e, 0x1e, 0x11 665 }; 666 667 /* known SHA224 hmac (28 bytes) */ 668 static const PRUint8 known_SHA224_hmac[] = { 669 0x1c, 0xc3, 0x06, 0x8e, 0xce, 0x37, 0x68, 0xfb, 670 0x1a, 0x82, 0x4a, 0xbe, 0x2b, 0x00, 0x51, 0xf8, 671 0x9d, 0xb6, 0xe0, 0x90, 0x0d, 0x00, 0xc9, 0x64, 672 0x9a, 0xb8, 0x98, 0x4e 673 }; 674 675 /* known SHA256 hmac (32 bytes) */ 676 static const PRUint8 known_SHA256_hmac[] = { 677 0x05, 0x75, 0x9a, 0x9e, 0x70, 0x5e, 0xe7, 0x44, 678 0xe2, 0x46, 0x4b, 0x92, 0x22, 0x14, 0x22, 0xe0, 679 0x1b, 0x92, 0x8a, 0x0c, 0xfe, 0xf5, 0x49, 0xe9, 680 0xa7, 0x1b, 0x56, 0x7d, 0x1d, 0x29, 0x40, 0x48 681 }; 682 683 /* known SHA384 hmac (48 bytes) */ 684 static const PRUint8 known_SHA384_hmac[] = { 685 0xcd, 0x56, 0x14, 0xec, 0x05, 0x53, 0x06, 0x2b, 686 0x7e, 0x9c, 0x8a, 0x18, 0x5e, 0xea, 0xf3, 0x91, 687 0x33, 0xfb, 0x64, 0xf6, 0xe3, 0x9f, 0x89, 0x0b, 688 0xaf, 0xbe, 0x83, 0x4d, 0x3f, 0x3c, 0x43, 0x4d, 689 0x4a, 0x0c, 0x56, 0x98, 0xf8, 0xca, 0xb4, 0xaa, 690 0x9a, 0xf4, 0x0a, 0xaf, 0x4f, 0x69, 0xca, 0x87 691 }; 692 693 /* known SHA512 hmac (64 bytes) */ 694 static const PRUint8 known_SHA512_hmac[] = { 695 0xf6, 0x0e, 0x97, 0x12, 0x00, 0x67, 0x6e, 0xb9, 696 0x0c, 0xb2, 0x63, 0xf0, 0x60, 0xac, 0x75, 0x62, 697 0x70, 0x95, 0x2a, 0x52, 0x22, 0xee, 0xdd, 0xd2, 698 0x71, 0xb1, 0xe8, 0x26, 0x33, 0xd3, 0x13, 0x27, 699 0xcb, 0xff, 0x44, 0xef, 0x87, 0x97, 0x16, 0xfb, 700 0xd3, 0x0b, 0x48, 0xbe, 0x12, 0x4e, 0xda, 0xb1, 701 0x89, 0x90, 0xfb, 0x06, 0x0c, 0xbe, 0xe5, 0xc4, 702 0xff, 0x24, 0x37, 0x3d, 0xc7, 0xe4, 0xe4, 0x37 703 }; 704 705 SECStatus hmac_status; 706 PRUint8 hmac_computed[HASH_LENGTH_MAX]; 707 708 /***************************************************/ 709 /* HMAC SHA-1 Single-Round Known Answer HMAC Test. */ 710 /***************************************************/ 711 712 hmac_status = freebl_fips_HMAC(hmac_computed, 713 HMAC_known_secret_key, 714 HMAC_known_secret_key_length, 715 known_hash_message, 716 FIPS_KNOWN_HASH_MESSAGE_LENGTH, 717 HASH_AlgSHA1); 718 719 if ((hmac_status != SECSuccess) || 720 (PORT_Memcmp(hmac_computed, known_SHA1_hmac, 721 SHA1_LENGTH) != 0)) { 722 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 723 return (SECFailure); 724 } 725 726 /***************************************************/ 727 /* HMAC SHA-224 Single-Round Known Answer Test. */ 728 /***************************************************/ 729 730 hmac_status = freebl_fips_HMAC(hmac_computed, 731 HMAC_known_secret_key, 732 HMAC_known_secret_key_length, 733 known_hash_message, 734 FIPS_KNOWN_HASH_MESSAGE_LENGTH, 735 HASH_AlgSHA224); 736 737 if ((hmac_status != SECSuccess) || 738 (PORT_Memcmp(hmac_computed, known_SHA224_hmac, 739 SHA224_LENGTH) != 0)) { 740 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 741 return (SECFailure); 742 } 743 744 /***************************************************/ 745 /* HMAC SHA-256 Single-Round Known Answer Test. */ 746 /***************************************************/ 747 748 hmac_status = freebl_fips_HMAC(hmac_computed, 749 HMAC_known_secret_key, 750 HMAC_known_secret_key_length, 751 known_hash_message, 752 FIPS_KNOWN_HASH_MESSAGE_LENGTH, 753 HASH_AlgSHA256); 754 755 if ((hmac_status != SECSuccess) || 756 (PORT_Memcmp(hmac_computed, known_SHA256_hmac, 757 SHA256_LENGTH) != 0)) { 758 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 759 return (SECFailure); 760 } 761 762 /***************************************************/ 763 /* HMAC SHA-384 Single-Round Known Answer Test. */ 764 /***************************************************/ 765 766 hmac_status = freebl_fips_HMAC(hmac_computed, 767 HMAC_known_secret_key, 768 HMAC_known_secret_key_length, 769 known_hash_message, 770 FIPS_KNOWN_HASH_MESSAGE_LENGTH, 771 HASH_AlgSHA384); 772 773 if ((hmac_status != SECSuccess) || 774 (PORT_Memcmp(hmac_computed, known_SHA384_hmac, 775 SHA384_LENGTH) != 0)) { 776 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 777 return (SECFailure); 778 } 779 780 /***************************************************/ 781 /* HMAC SHA-512 Single-Round Known Answer Test. */ 782 /***************************************************/ 783 784 hmac_status = freebl_fips_HMAC(hmac_computed, 785 HMAC_known_secret_key, 786 HMAC_known_secret_key_length, 787 known_hash_message, 788 FIPS_KNOWN_HASH_MESSAGE_LENGTH, 789 HASH_AlgSHA512); 790 791 if ((hmac_status != SECSuccess) || 792 (PORT_Memcmp(hmac_computed, known_SHA512_hmac, 793 SHA512_LENGTH) != 0)) { 794 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 795 return (SECFailure); 796 } 797 798 return (SECSuccess); 799 } 800 801 SECStatus 802 freebl_fips_TLS_PowerUpSelfTest(void) 803 { 804 static const PRUint8 TLS_known_secret_key[] = { 805 "Firefox and ThunderBird are awesome!" 806 }; 807 808 static const PRUint8 TLS_known_secret_key_length = sizeof TLS_known_secret_key; 809 810 /* known tls prf with sha1/md5 */ 811 static const PRUint8 known_TLS_PRF[] = { 812 0x87, 0x4c, 0xc0, 0xc5, 0x15, 0x14, 0x2b, 0xdc, 813 0x73, 0x48, 0x9e, 0x88, 0x9d, 0xf5, 0x83, 0x2f, 814 0x2d, 0x66, 0x1e, 0x78, 0x6c, 0x54, 0x78, 0x29, 815 0xb9, 0xa4, 0x4c, 0x90, 0x5e, 0xa2, 0xe6, 0x5c, 816 0xf1, 0x4f, 0xb5, 0x95, 0xa5, 0x54, 0xc0, 0x9f, 817 0x84, 0x47, 0xb4, 0x4c, 0xda, 0xae, 0x19, 0x29, 818 0x2b, 0x91, 0x2a, 0x81, 0x9d, 0x3a, 0x30, 0x40, 819 0xc5, 0xdf, 0xbb, 0xfa, 0xd8, 0x4c, 0xbc, 0x18 820 }; 821 822 /* known SHA256 tls mac */ 823 static const PRUint8 known_TLS_SHA256[] = { 824 0x66, 0xd6, 0x94, 0xd4, 0x0d, 0x32, 0x61, 0x38, 825 0x26, 0xf6, 0x8b, 0xfe, 0x9e, 0xac, 0xa2, 0xf5, 826 0x40, 0x52, 0x74, 0x3f, 0xbe, 0xb8, 0xca, 0x94, 827 0xc3, 0x64, 0xd6, 0x02, 0xf5, 0x88, 0x98, 0x35, 828 0x73, 0x9f, 0xce, 0xaa, 0x68, 0xe3, 0x7c, 0x93, 829 0x30, 0x21, 0x45, 0xec, 0xe9, 0x8f, 0x1c, 0x7e, 830 0xd1, 0x54, 0xf5, 0xbe, 0xff, 0xc8, 0xd7, 0x72, 831 0x7f, 0x9c, 0x0c, 0x7f, 0xa9, 0xd3, 0x4a, 0xd2 832 }; 833 834 #ifdef NSS_FULL_POST 835 /* known SHA224 tls mac */ 836 static const PRUint8 known_TLS_SHA224[] = { 837 0xd8, 0x68, 0x15, 0xff, 0xa1, 0xa2, 0x5e, 0x16, 838 0xce, 0xb1, 0xfd, 0xbd, 0xda, 0x39, 0xbc, 0xa7, 839 0x27, 0x32, 0x78, 0x94, 0x66, 0xf0, 0x84, 0xcf, 840 0x46, 0xc0, 0x22, 0x76, 0xdc, 0x6b, 0x2e, 0xed, 841 0x1d, 0x2d, 0xd2, 0x93, 0xfd, 0xae, 0xca, 0xf9, 842 0xe0, 0x4c, 0x17, 0x23, 0x22, 0x5a, 0x73, 0x93, 843 0x20, 0x0a, 0xbd, 0xa0, 0x72, 0xf8, 0x8b, 0x74, 844 0xfb, 0xf1, 0xab, 0xb7, 0xe0, 0xec, 0x34, 0xc9 845 }; 846 847 /* known SHA384 tls mac */ 848 static const PRUint8 known_TLS_SHA384[] = { 849 0xb2, 0xac, 0x06, 0x10, 0xad, 0x50, 0xd5, 0xdc, 850 0xdb, 0x01, 0xea, 0xa6, 0x2d, 0x8a, 0x34, 0xb6, 851 0xeb, 0x84, 0xbc, 0x37, 0xc9, 0x9f, 0xa1, 0x9c, 852 0xd5, 0xbd, 0x4e, 0x66, 0x16, 0x24, 0xe5, 0x3d, 853 0xce, 0x74, 0xe0, 0x30, 0x41, 0x5c, 0xdb, 0xb7, 854 0x52, 0x1d, 0x2d, 0x4d, 0x9b, 0xbe, 0x6b, 0x86, 855 0xda, 0x8a, 0xca, 0x73, 0x39, 0xb4, 0xc7, 0x8f, 856 0x03, 0xb1, 0xf9, 0x7e, 0x65, 0xae, 0x17, 0x10 857 }; 858 859 /* known SHA512 tls mac */ 860 static const PRUint8 known_TLS_SHA512[] = { 861 0x73, 0x21, 0x4f, 0x40, 0x81, 0x1e, 0x90, 0xa1, 862 0x16, 0x40, 0x1e, 0x33, 0x69, 0xc5, 0x00, 0xc7, 863 0xc4, 0x81, 0xa3, 0x4f, 0xa7, 0xcc, 0x4a, 0xeb, 864 0x1a, 0x66, 0x00, 0x82, 0x52, 0xe2, 0x2f, 0x69, 865 0x14, 0x59, 0x05, 0x7c, 0xb0, 0x32, 0xce, 0xcc, 866 0xb7, 0xc9, 0xab, 0x0f, 0x73, 0x00, 0xe5, 0x52, 867 0x9d, 0x6b, 0x0e, 0x66, 0x4b, 0xb3, 0x0b, 0x0d, 868 0x34, 0x53, 0x97, 0x13, 0x84, 0x18, 0x31, 0x7a 869 }; 870 #endif 871 872 SECStatus status; 873 PRUint8 tls_computed[HASH_LENGTH_MAX]; 874 SECItem secret; 875 SECItem seed; 876 SECItem result; 877 const char *tls_label = "fips test label"; 878 879 secret.data = (unsigned char *)TLS_known_secret_key; 880 secret.len = TLS_known_secret_key_length; 881 seed.data = (unsigned char *)known_hash_message; 882 seed.len = FIPS_KNOWN_HASH_MESSAGE_LENGTH; 883 result.data = tls_computed; 884 result.len = sizeof(tls_computed); 885 886 /***************************************************/ 887 /* TLS 1.0 PRF Known Answer Test */ 888 /***************************************************/ 889 890 status = TLS_PRF(&secret, tls_label, &seed, &result, PR_TRUE); 891 892 if ((status != SECSuccess) || 893 (result.len != HASH_LENGTH_MAX) || 894 (PORT_Memcmp(tls_computed, known_TLS_PRF, 895 HASH_LENGTH_MAX) != 0)) { 896 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 897 return (SECFailure); 898 } 899 900 /***************************************************/ 901 /* TLS 1.2 SHA-256 Known Answer Test. */ 902 /***************************************************/ 903 904 status = TLS_P_hash(HASH_AlgSHA256, &secret, tls_label, 905 &seed, &result, PR_TRUE); 906 907 if ((status != SECSuccess) || 908 (result.len != HASH_LENGTH_MAX) || 909 (PORT_Memcmp(tls_computed, known_TLS_SHA256, 910 HASH_LENGTH_MAX) != 0)) { 911 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 912 return (SECFailure); 913 } 914 915 #ifdef NSS_FULL_POST 916 /***************************************************/ 917 /* TLS 1.2 SHA-224 Known Answer Test. */ 918 /***************************************************/ 919 920 status = TLS_P_hash(HASH_AlgSHA224, &secret, tls_label, 921 &seed, &result, PR_TRUE); 922 923 if ((status != SECSuccess) || 924 (result.len != HASH_LENGTH_MAX) || 925 (PORT_Memcmp(tls_computed, known_TLS_SHA224, 926 HASH_LENGTH_MAX) != 0)) { 927 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 928 return (SECFailure); 929 } 930 931 /***************************************************/ 932 /* TLS 1.2 SHA-384 Known Answer Test. */ 933 /***************************************************/ 934 935 status = TLS_P_hash(HASH_AlgSHA384, &secret, tls_label, 936 &seed, &result, PR_TRUE); 937 938 if ((status != SECSuccess) || 939 (result.len != HASH_LENGTH_MAX) || 940 (PORT_Memcmp(tls_computed, known_TLS_SHA384, 941 HASH_LENGTH_MAX) != 0)) { 942 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 943 return (SECFailure); 944 } 945 946 /***************************************************/ 947 /* TLS 1.2 SHA-512 Known Answer Test. */ 948 /***************************************************/ 949 950 status = TLS_P_hash(HASH_AlgSHA512, &secret, tls_label, 951 &seed, &result, PR_TRUE); 952 953 if ((status != SECSuccess) || 954 (result.len != HASH_LENGTH_MAX) || 955 (PORT_Memcmp(tls_computed, known_TLS_SHA512, 956 HASH_LENGTH_MAX) != 0)) { 957 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 958 return (SECFailure); 959 } 960 #endif 961 962 return (SECSuccess); 963 } 964 965 static SECStatus 966 freebl_fips_SHA_PowerUpSelfTest(void) 967 { 968 /* SHA-1 Known Digest Message (160-bits). */ 969 static const PRUint8 sha1_known_digest[] = { 970 0x0a, 0x6d, 0x07, 0xba, 0x1e, 0xbd, 0x8a, 0x1b, 971 0x72, 0xf6, 0xc7, 0x22, 0xf1, 0x27, 0x9f, 0xf0, 972 0xe0, 0x68, 0x47, 0x7a 973 }; 974 975 /* SHA-224 Known Digest Message (224-bits). */ 976 static const PRUint8 sha224_known_digest[] = { 977 0x89, 0x5e, 0x7f, 0xfd, 0x0e, 0xd8, 0x35, 0x6f, 978 0x64, 0x6d, 0xf2, 0xde, 0x5e, 0xed, 0xa6, 0x7f, 979 0x29, 0xd1, 0x12, 0x73, 0x42, 0x84, 0x95, 0x4f, 980 0x8e, 0x08, 0xe5, 0xcb 981 }; 982 983 /* SHA-256 Known Digest Message (256-bits). */ 984 static const PRUint8 sha256_known_digest[] = { 985 0x38, 0xa9, 0xc1, 0xf0, 0x35, 0xf6, 0x5d, 0x61, 986 0x11, 0xd4, 0x0b, 0xdc, 0xce, 0x35, 0x14, 0x8d, 987 0xf2, 0xdd, 0xaf, 0xaf, 0xcf, 0xb7, 0x87, 0xe9, 988 0x96, 0xa5, 0xd2, 0x83, 0x62, 0x46, 0x56, 0x79 989 }; 990 991 /* SHA-384 Known Digest Message (384-bits). */ 992 static const PRUint8 sha384_known_digest[] = { 993 0x11, 0xfe, 0x1c, 0x00, 0x89, 0x48, 0xde, 0xb3, 994 0x99, 0xee, 0x1c, 0x18, 0xb4, 0x10, 0xfb, 0xfe, 995 0xe3, 0xa8, 0x2c, 0xf3, 0x04, 0xb0, 0x2f, 0xc8, 996 0xa3, 0xc4, 0x5e, 0xea, 0x7e, 0x60, 0x48, 0x7b, 997 0xce, 0x2c, 0x62, 0xf7, 0xbc, 0xa7, 0xe8, 0xa3, 998 0xcf, 0x24, 0xce, 0x9c, 0xe2, 0x8b, 0x09, 0x72 999 }; 1000 1001 /* SHA-512 Known Digest Message (512-bits). */ 1002 static const PRUint8 sha512_known_digest[] = { 1003 0xc8, 0xb3, 0x27, 0xf9, 0x0b, 0x24, 0xc8, 0xbf, 1004 0x4c, 0xba, 0x33, 0x54, 0xf2, 0x31, 0xbf, 0xdb, 1005 0xab, 0xfd, 0xb3, 0x15, 0xd7, 0xfa, 0x48, 0x99, 1006 0x07, 0x60, 0x0f, 0x57, 0x41, 0x1a, 0xdd, 0x28, 1007 0x12, 0x55, 0x25, 0xac, 0xba, 0x3a, 0x99, 0x12, 1008 0x2c, 0x7a, 0x8f, 0x75, 0x3a, 0xe1, 0x06, 0x6f, 1009 0x30, 0x31, 0xc9, 0x33, 0xc6, 0x1b, 0x90, 0x1a, 1010 0x6c, 0x98, 0x9a, 0x87, 0xd0, 0xb2, 0xf8, 0x07 1011 }; 1012 1013 /* SHA-X variables. */ 1014 PRUint8 sha_computed_digest[HASH_LENGTH_MAX]; 1015 SECStatus sha_status; 1016 1017 /*************************************************/ 1018 /* SHA-1 Single-Round Known Answer Hashing Test. */ 1019 /*************************************************/ 1020 1021 sha_status = SHA1_HashBuf(sha_computed_digest, known_hash_message, 1022 FIPS_KNOWN_HASH_MESSAGE_LENGTH); 1023 1024 if ((sha_status != SECSuccess) || 1025 (PORT_Memcmp(sha_computed_digest, sha1_known_digest, 1026 SHA1_LENGTH) != 0)) { 1027 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1028 return (SECFailure); 1029 } 1030 1031 /***************************************************/ 1032 /* SHA-224 Single-Round Known Answer Hashing Test. */ 1033 /***************************************************/ 1034 1035 sha_status = SHA224_HashBuf(sha_computed_digest, known_hash_message, 1036 FIPS_KNOWN_HASH_MESSAGE_LENGTH); 1037 1038 if ((sha_status != SECSuccess) || 1039 (PORT_Memcmp(sha_computed_digest, sha224_known_digest, 1040 SHA224_LENGTH) != 0)) { 1041 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1042 return (SECFailure); 1043 } 1044 1045 /***************************************************/ 1046 /* SHA-256 Single-Round Known Answer Hashing Test. */ 1047 /***************************************************/ 1048 1049 sha_status = SHA256_HashBuf(sha_computed_digest, known_hash_message, 1050 FIPS_KNOWN_HASH_MESSAGE_LENGTH); 1051 1052 if ((sha_status != SECSuccess) || 1053 (PORT_Memcmp(sha_computed_digest, sha256_known_digest, 1054 SHA256_LENGTH) != 0)) { 1055 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1056 return (SECFailure); 1057 } 1058 1059 /***************************************************/ 1060 /* SHA-384 Single-Round Known Answer Hashing Test. */ 1061 /***************************************************/ 1062 1063 sha_status = SHA384_HashBuf(sha_computed_digest, known_hash_message, 1064 FIPS_KNOWN_HASH_MESSAGE_LENGTH); 1065 1066 if ((sha_status != SECSuccess) || 1067 (PORT_Memcmp(sha_computed_digest, sha384_known_digest, 1068 SHA384_LENGTH) != 0)) { 1069 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1070 return (SECFailure); 1071 } 1072 1073 /***************************************************/ 1074 /* SHA-512 Single-Round Known Answer Hashing Test. */ 1075 /***************************************************/ 1076 1077 sha_status = SHA512_HashBuf(sha_computed_digest, known_hash_message, 1078 FIPS_KNOWN_HASH_MESSAGE_LENGTH); 1079 1080 if ((sha_status != SECSuccess) || 1081 (PORT_Memcmp(sha_computed_digest, sha512_known_digest, 1082 SHA512_LENGTH) != 0)) { 1083 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1084 return (SECFailure); 1085 } 1086 1087 return (SECSuccess); 1088 } 1089 1090 static SECStatus 1091 freebl_fips_RSA_PowerUpSelfTest(void) 1092 { 1093 /* RSA Known Modulus used in both Public/Private Key Values (2048-bits). */ 1094 static const PRUint8 rsa_modulus[FIPS_RSA_MODULUS_LENGTH] = { 1095 0xb8, 0x15, 0x00, 0x33, 0xda, 0x0c, 0x9d, 0xa5, 1096 0x14, 0x8c, 0xde, 0x1f, 0x23, 0x07, 0x54, 0xe2, 1097 0xc6, 0xb9, 0x51, 0x04, 0xc9, 0x65, 0x24, 0x6e, 1098 0x0a, 0x46, 0x34, 0x5c, 0x37, 0x86, 0x6b, 0x88, 1099 0x24, 0x27, 0xac, 0xa5, 0x02, 0x79, 0xfb, 0xed, 1100 0x75, 0xc5, 0x3f, 0x6e, 0xdf, 0x05, 0x5f, 0x0f, 1101 0x20, 0x70, 0xa0, 0x5b, 0x85, 0xdb, 0xac, 0xb9, 1102 0x5f, 0x02, 0xc2, 0x64, 0x1e, 0x84, 0x5b, 0x3e, 1103 0xad, 0xbf, 0xf6, 0x2e, 0x51, 0xd6, 0xad, 0xf7, 1104 0xa7, 0x86, 0x75, 0x86, 0xec, 0xa7, 0xe1, 0xf7, 1105 0x08, 0xbf, 0xdc, 0x56, 0xb1, 0x3b, 0xca, 0xd8, 1106 0xfc, 0x51, 0xdf, 0x9a, 0x2a, 0x37, 0x06, 0xf2, 1107 0xd1, 0x6b, 0x9a, 0x5e, 0x2a, 0xe5, 0x20, 0x57, 1108 0x35, 0x9f, 0x1f, 0x98, 0xcf, 0x40, 0xc7, 0xd6, 1109 0x98, 0xdb, 0xde, 0xf5, 0x64, 0x53, 0xf7, 0x9d, 1110 0x45, 0xf3, 0xd6, 0x78, 0xb9, 0xe3, 0xa3, 0x20, 1111 0xcd, 0x79, 0x43, 0x35, 0xef, 0xd7, 0xfb, 0xb9, 1112 0x80, 0x88, 0x27, 0x2f, 0x63, 0xa8, 0x67, 0x3d, 1113 0x4a, 0xfa, 0x06, 0xc6, 0xd2, 0x86, 0x0b, 0xa7, 1114 0x28, 0xfd, 0xe0, 0x1e, 0x93, 0x4b, 0x17, 0x2e, 1115 0xb0, 0x11, 0x6f, 0xc6, 0x2b, 0x98, 0x0f, 0x15, 1116 0xe3, 0x87, 0x16, 0x7a, 0x7c, 0x67, 0x3e, 0x12, 1117 0x2b, 0xf8, 0xbe, 0x48, 0xc1, 0x97, 0x47, 0xf4, 1118 0x1f, 0x81, 0x80, 0x12, 0x28, 0xe4, 0x7b, 0x1e, 1119 0xb7, 0x00, 0xa4, 0xde, 0xaa, 0xfb, 0x0f, 0x77, 1120 0x84, 0xa3, 0xd6, 0xb2, 0x03, 0x48, 0xdd, 0x53, 1121 0x8b, 0x46, 0x41, 0x28, 0x52, 0xc4, 0x53, 0xf0, 1122 0x1c, 0x95, 0xd9, 0x36, 0xe0, 0x0f, 0x26, 0x46, 1123 0x9c, 0x61, 0x0e, 0x80, 0xca, 0x86, 0xaf, 0x39, 1124 0x95, 0xe5, 0x60, 0x43, 0x61, 0x3e, 0x2b, 0xb4, 1125 0xe8, 0xbd, 0x8d, 0x77, 0x62, 0xf5, 0x32, 0x43, 1126 0x2f, 0x4b, 0x65, 0x82, 0x14, 0xdd, 0x29, 0x5b 1127 }; 1128 1129 /* RSA Known Public Key Values (24-bits). */ 1130 static const PRUint8 rsa_public_exponent[FIPS_RSA_PUBLIC_EXPONENT_LENGTH] = { 0x01, 0x00, 0x01 }; 1131 /* RSA Known Private Key Values (version is 8-bits), */ 1132 /* (private exponent is 2048-bits), */ 1133 /* (private prime0 is 1024-bits), */ 1134 /* (private prime1 is 1024-bits), */ 1135 /* (private prime exponent0 is 1024-bits), */ 1136 /* (private prime exponent1 is 1024-bits), */ 1137 /* and (private coefficient is 1024-bits). */ 1138 static const PRUint8 rsa_version[] = { 0x00 }; 1139 1140 static const PRUint8 rsa_private_exponent[FIPS_RSA_PRIVATE_EXPONENT_LENGTH] = { 1141 0x29, 0x08, 0x05, 0x53, 0x89, 0x76, 0xe6, 0x6c, 1142 0xb5, 0x77, 0xf0, 0xca, 0xdf, 0xf3, 0xf2, 0x67, 1143 0xda, 0x03, 0xd4, 0x9b, 0x4c, 0x88, 0xce, 0xe5, 1144 0xf8, 0x44, 0x4d, 0xc7, 0x80, 0x58, 0xe5, 0xff, 1145 0x22, 0x8f, 0xf5, 0x5b, 0x92, 0x81, 0xbe, 0x35, 1146 0xdf, 0xda, 0x67, 0x99, 0x3e, 0xfc, 0xe3, 0x83, 1147 0x6b, 0xa7, 0xaf, 0x16, 0xb7, 0x6f, 0x8f, 0xc0, 1148 0x81, 0xfd, 0x0b, 0x77, 0x65, 0x95, 0xfb, 0x00, 1149 0xad, 0x99, 0xec, 0x35, 0xc6, 0xe8, 0x23, 0x3e, 1150 0xe0, 0x88, 0x88, 0x09, 0xdb, 0x16, 0x50, 0xb7, 1151 0xcf, 0xab, 0x74, 0x61, 0x9e, 0x7f, 0xc5, 0x67, 1152 0x38, 0x56, 0xc7, 0x90, 0x85, 0x78, 0x5e, 0x84, 1153 0x21, 0x49, 0xea, 0xce, 0xb2, 0xa0, 0xff, 0xe4, 1154 0x70, 0x7f, 0x57, 0x7b, 0xa8, 0x36, 0xb8, 0x54, 1155 0x8d, 0x1d, 0xf5, 0x44, 0x9d, 0x68, 0x59, 0xf9, 1156 0x24, 0x6e, 0x85, 0x8f, 0xc3, 0x5f, 0x8a, 0x2c, 1157 0x94, 0xb7, 0xbc, 0x0e, 0xa5, 0xef, 0x93, 0x06, 1158 0x38, 0xcd, 0x07, 0x0c, 0xae, 0xb8, 0x44, 0x1a, 1159 0xd8, 0xe7, 0xf5, 0x9a, 0x1e, 0x9c, 0x18, 0xc7, 1160 0x6a, 0xc2, 0x7f, 0x28, 0x01, 0x4f, 0xb4, 0xb8, 1161 0x90, 0x97, 0x5a, 0x43, 0x38, 0xad, 0xe8, 0x95, 1162 0x68, 0x83, 0x1a, 0x1b, 0x10, 0x07, 0xe6, 0x02, 1163 0x52, 0x1f, 0xbf, 0x76, 0x6b, 0x46, 0xd6, 0xfb, 1164 0xc3, 0xbe, 0xb5, 0xac, 0x52, 0x53, 0x01, 0x1c, 1165 0xf3, 0xc5, 0xeb, 0x64, 0xf2, 0x1e, 0xc4, 0x38, 1166 0xe9, 0xaa, 0xd9, 0xc3, 0x72, 0x51, 0xa5, 0x44, 1167 0x58, 0x69, 0x0b, 0x1b, 0x98, 0x7f, 0xf2, 0x23, 1168 0xff, 0xeb, 0xf0, 0x75, 0x24, 0xcf, 0xc5, 0x1e, 1169 0xb8, 0x6a, 0xc5, 0x2f, 0x4f, 0x23, 0x50, 0x7d, 1170 0x15, 0x9d, 0x19, 0x7a, 0x0b, 0x82, 0xe0, 0x21, 1171 0x5b, 0x5f, 0x9d, 0x50, 0x2b, 0x83, 0xe4, 0x48, 1172 0xcc, 0x39, 0xe5, 0xfb, 0x13, 0x7b, 0x6f, 0x81 1173 }; 1174 1175 static const PRUint8 rsa_prime0[FIPS_RSA_PRIME0_LENGTH] = { 1176 0xe4, 0xbf, 0x21, 0x62, 0x9b, 0xa9, 0x77, 0x40, 1177 0x8d, 0x2a, 0xce, 0xa1, 0x67, 0x5a, 0x4c, 0x96, 1178 0x45, 0x98, 0x67, 0xbd, 0x75, 0x22, 0x33, 0x6f, 1179 0xe6, 0xcb, 0x77, 0xde, 0x9e, 0x97, 0x7d, 0x96, 1180 0x8c, 0x5e, 0x5d, 0x34, 0xfb, 0x27, 0xfc, 0x6d, 1181 0x74, 0xdb, 0x9d, 0x2e, 0x6d, 0xf6, 0xea, 0xfc, 1182 0xce, 0x9e, 0xda, 0xa7, 0x25, 0xa2, 0xf4, 0x58, 1183 0x6d, 0x0a, 0x3f, 0x01, 0xc2, 0xb4, 0xab, 0x38, 1184 0xc1, 0x14, 0x85, 0xb6, 0xfa, 0x94, 0xc3, 0x85, 1185 0xf9, 0x3c, 0x2e, 0x96, 0x56, 0x01, 0xe7, 0xd6, 1186 0x14, 0x71, 0x4f, 0xfb, 0x4c, 0x85, 0x52, 0xc4, 1187 0x61, 0x1e, 0xa5, 0x1e, 0x96, 0x13, 0x0d, 0x8f, 1188 0x66, 0xae, 0xa0, 0xcd, 0x7d, 0x25, 0x66, 0x19, 1189 0x15, 0xc2, 0xcf, 0xc3, 0x12, 0x3c, 0xe8, 0xa4, 1190 0x52, 0x4c, 0xcb, 0x28, 0x3c, 0xc4, 0xbf, 0x95, 1191 0x33, 0xe3, 0x81, 0xea, 0x0c, 0x6c, 0xa2, 0x05 1192 }; 1193 static const PRUint8 rsa_prime1[FIPS_RSA_PRIME1_LENGTH] = { 1194 0xce, 0x03, 0x94, 0xf4, 0xa9, 0x2c, 0x1e, 0x06, 1195 0xe7, 0x40, 0x30, 0x01, 0xf7, 0xbb, 0x68, 0x8c, 1196 0x27, 0xd2, 0x15, 0xe3, 0x28, 0x49, 0x5b, 0xa8, 1197 0xc1, 0x9a, 0x42, 0x7e, 0x31, 0xf9, 0x08, 0x34, 1198 0x81, 0xa2, 0x0f, 0x04, 0x61, 0x34, 0xe3, 0x36, 1199 0x92, 0xb1, 0x09, 0x2b, 0xe9, 0xef, 0x84, 0x88, 1200 0xbe, 0x9c, 0x98, 0x60, 0xa6, 0x60, 0x84, 0xe9, 1201 0x75, 0x6f, 0xcc, 0x81, 0xd1, 0x96, 0xef, 0xdd, 1202 0x2e, 0xca, 0xc4, 0xf5, 0x42, 0xfb, 0x13, 0x2b, 1203 0x57, 0xbf, 0x14, 0x5e, 0xc2, 0x7f, 0x77, 0x35, 1204 0x29, 0xc4, 0xe5, 0xe0, 0xf9, 0x6d, 0x15, 0x4a, 1205 0x42, 0x56, 0x1c, 0x3e, 0x0c, 0xc5, 0xce, 0x70, 1206 0x08, 0x63, 0x1e, 0x73, 0xdb, 0x7e, 0x74, 0x05, 1207 0x32, 0x01, 0xc6, 0x36, 0x32, 0x75, 0x6b, 0xed, 1208 0x9d, 0xfe, 0x7c, 0x7e, 0xa9, 0x57, 0xb4, 0xe9, 1209 0x22, 0xe4, 0xe7, 0xfe, 0x36, 0x07, 0x9b, 0xdf 1210 }; 1211 static const PRUint8 rsa_exponent0[FIPS_RSA_EXPONENT0_LENGTH] = { 1212 0x04, 0x5a, 0x3a, 0xa9, 0x64, 0xaa, 0xd9, 0xd1, 1213 0x09, 0x9e, 0x99, 0xe5, 0xea, 0x50, 0x86, 0x8a, 1214 0x89, 0x72, 0x77, 0xee, 0xdb, 0xee, 0xb5, 0xa9, 1215 0xd8, 0x6b, 0x60, 0xb1, 0x84, 0xb4, 0xff, 0x37, 1216 0xc1, 0x1d, 0xfe, 0x8a, 0x06, 0x89, 0x61, 0x3d, 1217 0x37, 0xef, 0x01, 0xd3, 0xa3, 0x56, 0x02, 0x6c, 1218 0xa3, 0x05, 0xd4, 0xc5, 0x3f, 0x6b, 0x15, 0x59, 1219 0x25, 0x61, 0xff, 0x86, 0xea, 0x0c, 0x84, 0x01, 1220 0x85, 0x72, 0xfd, 0x84, 0x58, 0xca, 0x41, 0xda, 1221 0x27, 0xbe, 0xe4, 0x68, 0x09, 0xe4, 0xe9, 0x63, 1222 0x62, 0x6a, 0x31, 0x8a, 0x67, 0x8f, 0x55, 0xde, 1223 0xd4, 0xb6, 0x3f, 0x90, 0x10, 0x6c, 0xf6, 0x62, 1224 0x17, 0x23, 0x15, 0x7e, 0x33, 0x76, 0x65, 0xb5, 1225 0xee, 0x7b, 0x11, 0x76, 0xf5, 0xbe, 0xe0, 0xf2, 1226 0x57, 0x7a, 0x8c, 0x97, 0x0c, 0x68, 0xf5, 0xf8, 1227 0x41, 0xcf, 0x7f, 0x66, 0x53, 0xac, 0x31, 0x7d 1228 }; 1229 static const PRUint8 rsa_exponent1[FIPS_RSA_EXPONENT1_LENGTH] = { 1230 0x93, 0x54, 0x14, 0x6e, 0x73, 0x9d, 0x4d, 0x4b, 1231 0xfa, 0x8c, 0xf8, 0xc8, 0x2f, 0x76, 0x22, 0xea, 1232 0x38, 0x80, 0x11, 0x8f, 0x05, 0xfc, 0x90, 0x44, 1233 0x3b, 0x50, 0x2a, 0x45, 0x3d, 0x4f, 0xaf, 0x02, 1234 0x7d, 0xc2, 0x7b, 0xa2, 0xd2, 0x31, 0x94, 0x5c, 1235 0x2e, 0xc3, 0xd4, 0x9f, 0x47, 0x09, 0x37, 0x6a, 1236 0xe3, 0x85, 0xf1, 0xa3, 0x0c, 0xd8, 0xf1, 0xb4, 1237 0x53, 0x7b, 0xc4, 0x71, 0x02, 0x86, 0x42, 0xbb, 1238 0x96, 0xff, 0x03, 0xa3, 0xb2, 0x67, 0x03, 0xea, 1239 0x77, 0x31, 0xfb, 0x4b, 0x59, 0x24, 0xf7, 0x07, 1240 0x59, 0xfb, 0xa9, 0xba, 0x1e, 0x26, 0x58, 0x97, 1241 0x66, 0xa1, 0x56, 0x49, 0x39, 0xb1, 0x2c, 0x55, 1242 0x0a, 0x6a, 0x78, 0x18, 0xba, 0xdb, 0xcf, 0xf4, 1243 0xf7, 0x32, 0x35, 0xa2, 0x04, 0xab, 0xdc, 0xa7, 1244 0x6d, 0xd9, 0xd5, 0x06, 0x6f, 0xec, 0x7d, 0x40, 1245 0x4c, 0xe8, 0x0e, 0xd0, 0xc9, 0xaa, 0xdf, 0x59 1246 }; 1247 static const PRUint8 rsa_coefficient[FIPS_RSA_COEFFICIENT_LENGTH] = { 1248 0x17, 0xd7, 0xf5, 0x0a, 0xf0, 0x68, 0x97, 0x96, 1249 0xc4, 0x29, 0x18, 0x77, 0x9a, 0x1f, 0xe3, 0xf3, 1250 0x12, 0x13, 0x0f, 0x7e, 0x7b, 0xb9, 0xc1, 0x91, 1251 0xf9, 0xc7, 0x08, 0x56, 0x5c, 0xa4, 0xbc, 0x83, 1252 0x71, 0xf9, 0x78, 0xd9, 0x2b, 0xec, 0xfe, 0x6b, 1253 0xdc, 0x2f, 0x63, 0xc9, 0xcd, 0x50, 0x14, 0x5b, 1254 0xd3, 0x6e, 0x85, 0x4d, 0x0c, 0xa2, 0x0b, 0xa0, 1255 0x09, 0xb6, 0xca, 0x34, 0x9c, 0xc2, 0xc1, 0x4a, 1256 0xb0, 0xbc, 0x45, 0x93, 0xa5, 0x7e, 0x99, 0xb5, 1257 0xbd, 0xe4, 0x69, 0x29, 0x08, 0x28, 0xd2, 0xcd, 1258 0xab, 0x24, 0x78, 0x48, 0x41, 0x26, 0x0b, 0x37, 1259 0xa3, 0x43, 0xd1, 0x95, 0x1a, 0xd6, 0xee, 0x22, 1260 0x1c, 0x00, 0x0b, 0xc2, 0xb7, 0xa4, 0xa3, 0x21, 1261 0xa9, 0xcd, 0xe4, 0x69, 0xd3, 0x45, 0x02, 0xb1, 1262 0xb7, 0x3a, 0xbf, 0x51, 0x35, 0x1b, 0x78, 0xc2, 1263 0xcf, 0x0c, 0x0d, 0x60, 0x09, 0xa9, 0x44, 0x02 1264 }; 1265 1266 /* RSA Known Plaintext Message (1024-bits). */ 1267 static const PRUint8 rsa_known_plaintext_msg[FIPS_RSA_MESSAGE_LENGTH] = { 1268 "Known plaintext message utilized" 1269 "for RSA Encryption & Decryption" 1270 "blocks SHA256, SHA384 and " 1271 "SHA512 RSA Signature KAT tests. " 1272 "Known plaintext message utilized" 1273 "for RSA Encryption & Decryption" 1274 "blocks SHA256, SHA384 and " 1275 "SHA512 RSA Signature KAT tests." 1276 }; 1277 1278 /* RSA Known Ciphertext (2048-bits). */ 1279 static const PRUint8 rsa_known_ciphertext[] = { 1280 0x04, 0x12, 0x46, 0xe3, 0x6a, 0xee, 0xde, 0xdd, 1281 0x49, 0xa1, 0xd9, 0x83, 0xf7, 0x35, 0xf9, 0x70, 1282 0x88, 0x03, 0x2d, 0x01, 0x8b, 0xd1, 0xbf, 0xdb, 1283 0xe5, 0x1c, 0x85, 0xbe, 0xb5, 0x0b, 0x48, 0x45, 1284 0x7a, 0xf0, 0xa0, 0xe3, 0xa2, 0xbb, 0x4b, 0xf6, 1285 0x27, 0xd0, 0x1b, 0x12, 0xe3, 0x77, 0x52, 0x34, 1286 0x9e, 0x8e, 0x03, 0xd2, 0xf8, 0x79, 0x6e, 0x39, 1287 0x79, 0x53, 0x3c, 0x44, 0x14, 0x94, 0xbb, 0x8d, 1288 0xaa, 0x14, 0x44, 0xa0, 0x7b, 0xa5, 0x8c, 0x93, 1289 0x5f, 0x99, 0xa4, 0xa3, 0x6e, 0x7a, 0x38, 0x40, 1290 0x78, 0xfa, 0x36, 0x91, 0x5e, 0x9a, 0x9c, 0xba, 1291 0x1e, 0xd4, 0xf9, 0xda, 0x4b, 0x0f, 0xa8, 0xa3, 1292 0x1c, 0xf3, 0x3a, 0xd1, 0xa5, 0xb4, 0x51, 0x16, 1293 0xed, 0x4b, 0xcf, 0xec, 0x93, 0x7b, 0x90, 0x21, 1294 0xbc, 0x3a, 0xf4, 0x0b, 0xd1, 0x3a, 0x2b, 0xba, 1295 0xa6, 0x7d, 0x5b, 0x53, 0xd8, 0x64, 0xf9, 0x29, 1296 0x7b, 0x7f, 0x77, 0x3e, 0x51, 0x4c, 0x9a, 0x94, 1297 0xd2, 0x4b, 0x4a, 0x8d, 0x61, 0x74, 0x97, 0xae, 1298 0x53, 0x6a, 0xf4, 0x90, 0xc2, 0x2c, 0x49, 0xe2, 1299 0xfa, 0xeb, 0x91, 0xc5, 0xe5, 0x83, 0x13, 0xc9, 1300 0x44, 0x4b, 0x95, 0x2c, 0x57, 0x70, 0x15, 0x5c, 1301 0x64, 0x8d, 0x1a, 0xfd, 0x2a, 0xc7, 0xb2, 0x9c, 1302 0x5c, 0x99, 0xd3, 0x4a, 0xfd, 0xdd, 0xf6, 0x82, 1303 0x87, 0x8c, 0x5a, 0xc4, 0xa8, 0x0d, 0x2a, 0xef, 1304 0xc3, 0xa2, 0x7e, 0x8e, 0x67, 0x9f, 0x6f, 0x63, 1305 0xdb, 0xbb, 0x1d, 0x31, 0xc4, 0xbb, 0xbc, 0x13, 1306 0x3f, 0x54, 0xc6, 0xf6, 0xc5, 0x28, 0x32, 0xab, 1307 0x96, 0x42, 0x10, 0x36, 0x40, 0x92, 0xbb, 0x57, 1308 0x55, 0x38, 0xf5, 0x43, 0x7e, 0x43, 0xc4, 0x65, 1309 0x47, 0x64, 0xaa, 0x0f, 0x4c, 0xe9, 0x49, 0x16, 1310 0xec, 0x6a, 0x50, 0xfd, 0x14, 0x49, 0xca, 0xdb, 1311 0x44, 0x54, 0xca, 0xbe, 0xa3, 0x0e, 0x5f, 0xef 1312 }; 1313 1314 static const RSAPublicKey bl_public_key = { 1315 NULL, 1316 { FIPS_RSA_TYPE, (unsigned char *)rsa_modulus, 1317 FIPS_RSA_MODULUS_LENGTH }, 1318 { FIPS_RSA_TYPE, (unsigned char *)rsa_public_exponent, 1319 FIPS_RSA_PUBLIC_EXPONENT_LENGTH } 1320 }; 1321 static const RSAPrivateKey bl_private_key = { 1322 NULL, 1323 { FIPS_RSA_TYPE, (unsigned char *)rsa_version, 1324 FIPS_RSA_PRIVATE_VERSION_LENGTH }, 1325 { FIPS_RSA_TYPE, (unsigned char *)rsa_modulus, 1326 FIPS_RSA_MODULUS_LENGTH }, 1327 { FIPS_RSA_TYPE, (unsigned char *)rsa_public_exponent, 1328 FIPS_RSA_PUBLIC_EXPONENT_LENGTH }, 1329 { FIPS_RSA_TYPE, (unsigned char *)rsa_private_exponent, 1330 FIPS_RSA_PRIVATE_EXPONENT_LENGTH }, 1331 { FIPS_RSA_TYPE, (unsigned char *)rsa_prime0, 1332 FIPS_RSA_PRIME0_LENGTH }, 1333 { FIPS_RSA_TYPE, (unsigned char *)rsa_prime1, 1334 FIPS_RSA_PRIME1_LENGTH }, 1335 { FIPS_RSA_TYPE, (unsigned char *)rsa_exponent0, 1336 FIPS_RSA_EXPONENT0_LENGTH }, 1337 { FIPS_RSA_TYPE, (unsigned char *)rsa_exponent1, 1338 FIPS_RSA_EXPONENT1_LENGTH }, 1339 { FIPS_RSA_TYPE, (unsigned char *)rsa_coefficient, 1340 FIPS_RSA_COEFFICIENT_LENGTH } 1341 }; 1342 1343 /* RSA variables. */ 1344 SECStatus rsa_status; 1345 RSAPublicKey rsa_public_key; 1346 RSAPrivateKey rsa_private_key; 1347 1348 PRUint8 rsa_computed_ciphertext[FIPS_RSA_ENCRYPT_LENGTH]; 1349 PRUint8 rsa_computed_plaintext[FIPS_RSA_DECRYPT_LENGTH]; 1350 1351 rsa_public_key = bl_public_key; 1352 rsa_private_key = bl_private_key; 1353 1354 /**************************************************/ 1355 /* RSA Single-Round Known Answer Encryption Test. */ 1356 /**************************************************/ 1357 1358 /* Perform RSA Public Key Encryption. */ 1359 rsa_status = RSA_PublicKeyOp(&rsa_public_key, 1360 rsa_computed_ciphertext, 1361 rsa_known_plaintext_msg); 1362 1363 if ((rsa_status != SECSuccess) || 1364 (PORT_Memcmp(rsa_computed_ciphertext, rsa_known_ciphertext, 1365 FIPS_RSA_ENCRYPT_LENGTH) != 0)) 1366 goto rsa_loser; 1367 1368 /**************************************************/ 1369 /* RSA Single-Round Known Answer Decryption Test. */ 1370 /**************************************************/ 1371 1372 /* Perform RSA Private Key Decryption. */ 1373 rsa_status = RSA_PrivateKeyOp(&rsa_private_key, 1374 rsa_computed_plaintext, 1375 rsa_known_ciphertext); 1376 1377 if ((rsa_status != SECSuccess) || 1378 (PORT_Memcmp(rsa_computed_plaintext, rsa_known_plaintext_msg, 1379 FIPS_RSA_DECRYPT_LENGTH) != 0)) 1380 goto rsa_loser; 1381 1382 return (SECSuccess); 1383 1384 rsa_loser: 1385 1386 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1387 return (SECFailure); 1388 } 1389 1390 static SECStatus 1391 freebl_fips_ECDSA_Test(ECParams *ecparams, 1392 const PRUint8 *knownSignature, 1393 unsigned int knownSignatureLen) 1394 { 1395 1396 /* ECDSA Known Seed info for curves nistp256 and nistk283 */ 1397 static const PRUint8 ecdsa_Known_Seed[] = { 1398 0x6a, 0x9b, 0xf6, 0xf7, 0xce, 0xed, 0x79, 0x11, 1399 0xf0, 0xc7, 0xc8, 0x9a, 0xa5, 0xd1, 0x57, 0xb1, 1400 0x7b, 0x5a, 0x3b, 0x76, 0x4e, 0x7b, 0x7c, 0xbc, 1401 0xf2, 0x76, 0x1c, 0x1c, 0x7f, 0xc5, 0x53, 0x2f 1402 }; 1403 1404 static const PRUint8 msg[] = { 1405 "Firefox and ThunderBird are awesome!" 1406 }; 1407 1408 unsigned char sha256[SHA256_LENGTH]; /* SHA-256 hash (256 bits) */ 1409 unsigned char sig[2 * MAX_ECKEY_LEN]; 1410 SECItem signature, digest; 1411 ECPrivateKey *ecdsa_private_key = NULL; 1412 ECPublicKey ecdsa_public_key; 1413 SECStatus ecdsaStatus = SECSuccess; 1414 1415 /* Generates a new EC key pair. The private key is a supplied 1416 * random value (in seed) and the public key is the result of 1417 * performing a scalar point multiplication of that value with 1418 * the curve's base point. 1419 */ 1420 ecdsaStatus = EC_NewKeyFromSeed(ecparams, &ecdsa_private_key, 1421 ecdsa_Known_Seed, 1422 sizeof(ecdsa_Known_Seed)); 1423 if (ecdsaStatus != SECSuccess) { 1424 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1425 return (SECFailure); 1426 } 1427 1428 /* construct public key from private key. */ 1429 ecdsa_public_key.ecParams = ecdsa_private_key->ecParams; 1430 ecdsa_public_key.publicValue = ecdsa_private_key->publicValue; 1431 1432 /* validate public key value */ 1433 ecdsaStatus = EC_ValidatePublicKey(&ecdsa_public_key.ecParams, 1434 &ecdsa_public_key.publicValue); 1435 if (ecdsaStatus != SECSuccess) { 1436 goto loser; 1437 } 1438 1439 /* validate public key value */ 1440 ecdsaStatus = EC_ValidatePublicKey(&ecdsa_private_key->ecParams, 1441 &ecdsa_private_key->publicValue); 1442 if (ecdsaStatus != SECSuccess) { 1443 goto loser; 1444 } 1445 1446 /***************************************************/ 1447 /* ECDSA Single-Round Known Answer Signature Test. */ 1448 /***************************************************/ 1449 1450 ecdsaStatus = SHA256_HashBuf(sha256, msg, sizeof msg); 1451 if (ecdsaStatus != SECSuccess) { 1452 goto loser; 1453 } 1454 digest.type = siBuffer; 1455 digest.data = sha256; 1456 digest.len = SHA256_LENGTH; 1457 1458 memset(sig, 0, sizeof sig); 1459 signature.type = siBuffer; 1460 signature.data = sig; 1461 signature.len = sizeof sig; 1462 1463 ecdsaStatus = ECDSA_SignDigestWithSeed(ecdsa_private_key, &signature, 1464 &digest, ecdsa_Known_Seed, sizeof ecdsa_Known_Seed); 1465 if (ecdsaStatus != SECSuccess) { 1466 goto loser; 1467 } 1468 1469 if ((signature.len != knownSignatureLen) || 1470 (PORT_Memcmp(signature.data, knownSignature, 1471 knownSignatureLen) != 0)) { 1472 ecdsaStatus = SECFailure; 1473 goto loser; 1474 } 1475 1476 /******************************************************/ 1477 /* ECDSA Single-Round Known Answer Verification Test. */ 1478 /******************************************************/ 1479 1480 /* Perform ECDSA verification process. */ 1481 ecdsaStatus = ECDSA_VerifyDigest(&ecdsa_public_key, &signature, &digest); 1482 1483 loser: 1484 /* free the memory for the private key arena*/ 1485 PORT_FreeArena(ecdsa_private_key->ecParams.arena, PR_FALSE); 1486 1487 if (ecdsaStatus != SECSuccess) { 1488 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1489 return (SECFailure); 1490 } 1491 return (SECSuccess); 1492 } 1493 1494 static SECStatus 1495 freebl_fips_ECDH_Test(ECParams *ecparams) 1496 { 1497 1498 /* ECDH Known result (reused old CAVS vector) */ 1499 static const PRUint8 ecdh_known_pub_key_1[] = { 1500 EC_POINT_FORM_UNCOMPRESSED, 1501 /* pubX */ 1502 0x16, 0x81, 0x32, 0x86, 0xc8, 0xe4, 0x3a, 0x1f, 1503 0x5d, 0xe3, 0x06, 0x22, 0x8b, 0x99, 0x14, 0x25, 1504 0xf7, 0x9c, 0x5b, 0x1e, 0x96, 0x84, 0x85, 0x3b, 1505 0x17, 0xfe, 0xf3, 0x1c, 0x0e, 0xed, 0xc4, 0xce, 1506 /* pubY */ 1507 0x7a, 0x44, 0xfe, 0xbd, 0x91, 0x71, 0x7d, 0x73, 1508 0xd9, 0x45, 0xea, 0xae, 0x66, 0x78, 0xfa, 0x6e, 1509 0x46, 0xcd, 0xfa, 0x95, 0x15, 0x47, 0x62, 0x5d, 1510 0xbb, 0x1b, 0x9f, 0xe6, 0x39, 0xfc, 0xfd, 0x47 1511 }; 1512 static const PRUint8 ecdh_known_priv_key_2[] = { 1513 0xb4, 0x2a, 0xe3, 0x69, 0x19, 0xec, 0xf0, 0x42, 1514 0x6d, 0x45, 0x8c, 0x94, 0x4a, 0x26, 0xa7, 0x5c, 1515 0xea, 0x9d, 0xd9, 0x0f, 0x59, 0xe0, 0x1a, 0x9d, 1516 0x7c, 0xb7, 0x1c, 0x04, 0x53, 0xb8, 0x98, 0x5a 1517 }; 1518 static const PRUint8 ecdh_known_hash_result[] = { 1519 0x16, 0xf3, 0x85, 0xa2, 0x41, 0xf3, 0x7f, 0xc4, 1520 0x0b, 0x56, 0x47, 0xee, 0xa7, 0x74, 0xb9, 0xdb, 1521 0xe1, 0xfa, 0x22, 0xe9, 0x04, 0xf1, 0xb6, 0x12, 1522 0x4b, 0x44, 0x8a, 0xbb, 0xbc, 0x08, 0x2b, 0xa7 1523 }; 1524 1525 SECItem ecdh_priv_2, ecdh_pub_1; 1526 SECItem ZZ = { 0, 0, 0 }; 1527 SECStatus ecdhStatus = SECSuccess; 1528 PRUint8 computed_hash_result[HASH_LENGTH_MAX]; 1529 1530 ecdh_priv_2.data = (PRUint8 *)ecdh_known_priv_key_2; 1531 ecdh_priv_2.len = sizeof(ecdh_known_priv_key_2); 1532 ecdh_pub_1.data = (PRUint8 *)ecdh_known_pub_key_1; 1533 ecdh_pub_1.len = sizeof(ecdh_known_pub_key_1); 1534 1535 /* Generates a new EC key pair. The private key is a supplied 1536 * random value (in seed) and the public key is the result of 1537 * performing a scalar point multiplication of that value with 1538 * the curve's base point. 1539 */ 1540 ecdhStatus = ECDH_Derive(&ecdh_pub_1, ecparams, &ecdh_priv_2, PR_FALSE, &ZZ); 1541 if (ecdhStatus != SECSuccess) { 1542 goto loser; 1543 } 1544 ecdhStatus = SHA256_HashBuf(computed_hash_result, ZZ.data, ZZ.len); 1545 if (ecdhStatus != SECSuccess) { 1546 goto loser; 1547 } 1548 1549 if (PORT_Memcmp(computed_hash_result, ecdh_known_hash_result, 1550 sizeof(ecdh_known_hash_result)) != 0) { 1551 ecdhStatus = SECFailure; 1552 goto loser; 1553 } 1554 1555 loser: 1556 if (ZZ.data) { 1557 SECITEM_FreeItem(&ZZ, PR_FALSE); 1558 } 1559 1560 if (ecdhStatus != SECSuccess) { 1561 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1562 return (SECFailure); 1563 } 1564 return (SECSuccess); 1565 } 1566 1567 static SECStatus 1568 freebl_fips_EC_PowerUpSelfTest() 1569 { 1570 1571 /* EC Known curve nistp256 == ECCCurve_X9_62_PRIME_256V1 params */ 1572 static const unsigned char p256_prime[] = { 1573 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 1574 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 1575 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF 1576 }; 1577 static const unsigned char p256_a[] = { 1578 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 1579 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 1580 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC 1581 }; 1582 static const unsigned char p256_b[] = { 1583 0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55, 0x76, 1584 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6, 0x3B, 0xCE, 1585 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B 1586 }; 1587 static const unsigned char p256_base[] = { 1588 0x04, 1589 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5, 0x63, 1590 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0, 0xF4, 0xA1, 1591 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96, 1592 0x4F, 0xE3, 0x42, 0xE2, 0xFE, 0x1A, 0x7F, 0x9B, 0x8E, 0xE7, 0xEB, 0x4A, 0x7C, 1593 0x0F, 0x9E, 0x16, 0x2B, 0xCE, 0x33, 0x57, 0x6B, 0x31, 0x5E, 0xCE, 0xCB, 0xB6, 1594 0x40, 0x68, 0x37, 0xBF, 0x51, 0xF5 1595 }; 1596 static const unsigned char p256_order[] = { 1597 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 1598 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84, 0xF3, 0xB9, 1599 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51 1600 }; 1601 static const unsigned char p256_encoding[] = { 1602 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 1603 }; 1604 static const ECParams ec_known_P256_Params = { 1605 NULL, 1606 ec_params_named, /* arena, type */ 1607 /* fieldID */ 1608 { 256, ec_field_plain, /* size and type */ 1609 { { siBuffer, (unsigned char *)p256_prime, sizeof(p256_prime) } }, /* u.prime */ 1610 0, 1611 0, 1612 0 }, 1613 /* curve */ 1614 { /* a = curvea b = curveb */ 1615 /* curve.a */ 1616 { siBuffer, (unsigned char *)p256_a, sizeof(p256_a) }, 1617 /* curve.b */ 1618 { siBuffer, (unsigned char *)p256_b, sizeof(p256_b) }, 1619 /* curve.seed */ 1620 { siBuffer, NULL, 0 } }, 1621 /* base = 04xy*/ 1622 { siBuffer, (unsigned char *)p256_base, sizeof(p256_base) }, 1623 /* order */ 1624 { siBuffer, (unsigned char *)p256_order, sizeof(p256_order) }, 1625 1, /* cofactor */ 1626 /* DEREncoding */ 1627 { siBuffer, (unsigned char *)p256_encoding, sizeof(p256_encoding) }, 1628 ECCurve_X9_62_PRIME_256V1, 1629 /* curveOID */ 1630 { siBuffer, (unsigned char *)(p256_encoding) + 2, sizeof(p256_encoding) - 2 }, 1631 }; 1632 1633 static const PRUint8 ecdsa_known_P256_signature[] = { 1634 0x07, 0xb1, 0xcb, 0x57, 0x20, 0xa7, 0x10, 0xd6, 1635 0x9d, 0x37, 0x4b, 0x1c, 0xdc, 0x35, 0x90, 0xff, 1636 0x1a, 0x2d, 0x98, 0x95, 0x1b, 0x2f, 0xeb, 0x7f, 1637 0xbb, 0x81, 0xca, 0xc0, 0x69, 0x75, 0xea, 0xc5, 1638 0xa7, 0xd2, 0x20, 0xdd, 0x45, 0xf9, 0x2b, 0xdd, 1639 0xda, 0x98, 0x99, 0x5b, 0x1c, 0x02, 0x3a, 0x27, 1640 0x8b, 0x7d, 0xb6, 0xed, 0x0e, 0xe0, 0xa7, 0xac, 1641 0xaa, 0x36, 0x2c, 0xfa, 0x1a, 0xdf, 0x0d, 0xe1 1642 }; 1643 1644 ECParams ecparams; 1645 1646 SECStatus rv; 1647 1648 /* ECDSA GF(p) prime field curve test */ 1649 ecparams = ec_known_P256_Params; 1650 rv = freebl_fips_ECDSA_Test(&ecparams, 1651 ecdsa_known_P256_signature, 1652 sizeof ecdsa_known_P256_signature); 1653 if (rv != SECSuccess) { 1654 return (SECFailure); 1655 } 1656 /* ECDH GF(p) prime field curve test */ 1657 rv = freebl_fips_ECDH_Test(&ecparams); 1658 if (rv != SECSuccess) { 1659 return (SECFailure); 1660 } 1661 1662 return (SECSuccess); 1663 } 1664 1665 static SECStatus 1666 freebl_fips_DH_PowerUpSelfTest(void) 1667 { 1668 /* DH Known P (2048-bits) */ 1669 static const PRUint8 dh_known_P[] = { 1670 0xc2, 0x79, 0xbb, 0x76, 0x32, 0x0d, 0x43, 0xfd, 1671 0x1b, 0x8c, 0xa2, 0x3c, 0x00, 0xdd, 0x6d, 0xef, 1672 0xf8, 0x1a, 0xd9, 0xc1, 0xa2, 0xf5, 0x73, 0x2b, 1673 0xdb, 0x1a, 0x3e, 0x84, 0x90, 0xeb, 0xe7, 0x8e, 1674 0x5f, 0x5c, 0x6b, 0xb6, 0x61, 0x89, 0xd1, 0x03, 1675 0xb0, 0x5f, 0x91, 0xe4, 0xd2, 0x82, 0x90, 0xfc, 1676 0x3c, 0x49, 0x69, 0x59, 0xc1, 0x51, 0x6a, 0x85, 1677 0x71, 0xe7, 0x5d, 0x72, 0x5a, 0x45, 0xad, 0x01, 1678 0x6f, 0x82, 0xae, 0xec, 0x91, 0x08, 0x2e, 0x7c, 1679 0x64, 0x93, 0x46, 0x1c, 0x68, 0xef, 0xc2, 0x03, 1680 0x28, 0x1d, 0x75, 0x3a, 0xeb, 0x9c, 0x46, 0xf0, 1681 0xc9, 0xdb, 0x99, 0x95, 0x13, 0x66, 0x4d, 0xd5, 1682 0x1a, 0x78, 0x92, 0x51, 0x89, 0x72, 0x28, 0x7f, 1683 0x20, 0x70, 0x41, 0x49, 0xa2, 0x86, 0xe9, 0xf9, 1684 0x78, 0x5f, 0x8d, 0x2e, 0x5d, 0xfa, 0xdb, 0x57, 1685 0xd4, 0x71, 0xdf, 0x66, 0xe3, 0x9e, 0x88, 0x70, 1686 0xa4, 0x21, 0x44, 0x6a, 0xc7, 0xae, 0x30, 0x2c, 1687 0x9c, 0x1f, 0x91, 0x57, 0xc8, 0x24, 0x34, 0x2d, 1688 0x7a, 0x4a, 0x43, 0xc2, 0x5f, 0xab, 0x64, 0x2e, 1689 0xaa, 0x28, 0x32, 0x95, 0x42, 0x7b, 0xa0, 0xcc, 1690 0xdf, 0xfd, 0x22, 0xc8, 0x56, 0x84, 0xc1, 0x62, 1691 0x15, 0xb2, 0x77, 0x86, 0x81, 0xfc, 0xa5, 0x12, 1692 0x3c, 0xca, 0x28, 0x17, 0x8f, 0x03, 0x16, 0x6e, 1693 0xb8, 0x24, 0xfa, 0x1b, 0x15, 0x02, 0xfd, 0x8b, 1694 0xb6, 0x0a, 0x1a, 0xf7, 0x47, 0x41, 0xc5, 0x2b, 1695 0x37, 0x3e, 0xa1, 0xbf, 0x68, 0xda, 0x1c, 0x55, 1696 0x44, 0xc3, 0xee, 0xa1, 0x63, 0x07, 0x11, 0x3b, 1697 0x5f, 0x00, 0x84, 0xb4, 0xc4, 0xe4, 0xa7, 0x97, 1698 0x29, 0xf8, 0xce, 0xab, 0xfc, 0x27, 0x3e, 0x34, 1699 0xe4, 0xc7, 0x81, 0x52, 0x32, 0x0e, 0x27, 0x3c, 1700 0xa6, 0x70, 0x3f, 0x4a, 0x54, 0xda, 0xdd, 0x60, 1701 0x26, 0xb3, 0x6e, 0x45, 0x26, 0x19, 0x41, 0x6f 1702 }; 1703 1704 static const PRUint8 dh_known_Y_1[] = { 1705 0xb4, 0xc7, 0x85, 0xba, 0xa6, 0x98, 0xb3, 0x77, 1706 0x41, 0x2b, 0xd9, 0x9a, 0x72, 0x90, 0xa4, 0xac, 1707 0xc4, 0xf7, 0xc2, 0x23, 0x9a, 0x68, 0xe2, 0x7d, 1708 0x3a, 0x54, 0x45, 0x91, 0xc1, 0xd7, 0x8a, 0x17, 1709 0x54, 0xd3, 0x37, 0xaa, 0x0c, 0xcd, 0x0b, 0xe2, 1710 0xf2, 0x34, 0x0f, 0x17, 0xa8, 0x07, 0x88, 0xaf, 1711 0xed, 0xc1, 0x02, 0xd4, 0xdb, 0xdc, 0x0f, 0x22, 1712 0x51, 0x23, 0x40, 0xb9, 0x65, 0x6d, 0x39, 0xf4, 1713 0xe1, 0x8b, 0x57, 0x7d, 0xb6, 0xd3, 0xf2, 0x6b, 1714 0x02, 0xa9, 0x36, 0xf0, 0x0d, 0xe3, 0xdb, 0x9a, 1715 0xbf, 0x20, 0x00, 0x4d, 0xec, 0x6f, 0x68, 0x95, 1716 0xee, 0x59, 0x4e, 0x3c, 0xb6, 0xda, 0x7b, 0x19, 1717 0x08, 0x9a, 0xef, 0x61, 0x43, 0xf5, 0xfb, 0x25, 1718 0x70, 0x19, 0xc1, 0x5f, 0x0e, 0x0f, 0x6a, 0x63, 1719 0x44, 0xe9, 0xcf, 0x33, 0xce, 0x13, 0x4f, 0x34, 1720 0x3c, 0x94, 0x40, 0x8d, 0xf2, 0x65, 0x42, 0xef, 1721 0x70, 0x54, 0xdd, 0x5f, 0xc1, 0xd7, 0x0b, 0xa6, 1722 0x06, 0xd5, 0xa6, 0x47, 0xae, 0x2c, 0x1f, 0x5a, 1723 0xa6, 0xb3, 0xc1, 0x38, 0x3a, 0x3b, 0x60, 0x94, 1724 0xa2, 0x95, 0xab, 0xb2, 0x86, 0x82, 0xc5, 0x3b, 1725 0xb8, 0x6f, 0x3e, 0x55, 0x86, 0x84, 0xe0, 0x00, 1726 0xe5, 0xef, 0xca, 0x5c, 0xec, 0x7e, 0x38, 0x0f, 1727 0x82, 0xa2, 0xb1, 0xee, 0x48, 0x1b, 0x32, 0xbb, 1728 0x5a, 0x33, 0xa5, 0x01, 0xba, 0xca, 0xa6, 0x64, 1729 0x61, 0xb6, 0xe5, 0x5c, 0x0e, 0x5f, 0x2c, 0x66, 1730 0x0d, 0x01, 0x6a, 0x20, 0x04, 0x70, 0x68, 0x82, 1731 0x93, 0x29, 0x15, 0x3b, 0x7a, 0x06, 0xb2, 0x92, 1732 0x61, 0xcd, 0x7e, 0xa4, 0xc1, 0x15, 0x64, 0x3b, 1733 0x3c, 0x51, 0x10, 0x4c, 0x87, 0xa6, 0xaf, 0x07, 1734 0xce, 0x46, 0x82, 0x75, 0xf3, 0x90, 0xf3, 0x21, 1735 0x55, 0x74, 0xc2, 0xe4, 0x96, 0x7d, 0xc3, 0xe6, 1736 0x33, 0xa5, 0xc6, 0x51, 0xef, 0xec, 0x90, 0x08 1737 }; 1738 1739 static const PRUint8 dh_known_x_2[] = { 1740 0x9e, 0x9b, 0xc3, 0x25, 0x53, 0xf9, 0xfc, 0x92, 1741 0xb6, 0xae, 0x54, 0x8e, 0x23, 0x4c, 0x94, 0xba, 1742 0x41, 0xe6, 0x29, 0x33, 0xb9, 0xdb, 0xff, 0x6d, 1743 0xa8, 0xb8, 0x48, 0x49, 0x66, 0x11, 0xa6, 0x13 1744 }; 1745 1746 static const PRUint8 dh_known_hash_result[] = { 1747 0x93, 0xa2, 0x89, 0x1c, 0x8a, 0xc3, 0x70, 0xbf, 1748 0xa7, 0xdf, 0xb6, 0xd7, 0x82, 0xfb, 0x87, 0x81, 1749 0x09, 0x47, 0xf3, 0x9f, 0x5a, 0xbf, 0x4f, 0x3f, 1750 0x8e, 0x5e, 0x06, 0xca, 0x30, 0xa7, 0xaf, 0x10 1751 }; 1752 1753 /* DH variables. */ 1754 SECStatus dhStatus; 1755 SECItem dh_prime; 1756 SECItem dh_pub_key_1; 1757 SECItem dh_priv_key_2; 1758 SECItem ZZ = { 0, 0, 0 }; 1759 PRUint8 computed_hash_result[HASH_LENGTH_MAX]; 1760 1761 dh_prime.data = (PRUint8 *)dh_known_P; 1762 dh_prime.len = sizeof(dh_known_P); 1763 dh_pub_key_1.data = (PRUint8 *)dh_known_Y_1; 1764 dh_pub_key_1.len = sizeof(dh_known_Y_1); 1765 dh_priv_key_2.data = (PRUint8 *)dh_known_x_2; 1766 dh_priv_key_2.len = sizeof(dh_known_x_2); 1767 1768 /* execute the derive */ 1769 dhStatus = DH_Derive(&dh_pub_key_1, &dh_prime, &dh_priv_key_2, &ZZ, dh_prime.len); 1770 if (dhStatus != SECSuccess) { 1771 goto loser; 1772 } 1773 1774 dhStatus = SHA256_HashBuf(computed_hash_result, ZZ.data, ZZ.len); 1775 if (dhStatus != SECSuccess) { 1776 goto loser; 1777 } 1778 1779 if (PORT_Memcmp(computed_hash_result, dh_known_hash_result, 1780 sizeof(dh_known_hash_result)) != 0) { 1781 dhStatus = SECFailure; 1782 goto loser; 1783 } 1784 1785 loser: 1786 if (ZZ.data) { 1787 SECITEM_FreeItem(&ZZ, PR_FALSE); 1788 } 1789 1790 if (dhStatus != SECSuccess) { 1791 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1792 return (SECFailure); 1793 } 1794 return (SECSuccess); 1795 } 1796 1797 static SECStatus 1798 freebl_fips_RNG_PowerUpSelfTest(void) 1799 { 1800 SECStatus rng_status = SECSuccess; 1801 1802 /*******************************************/ 1803 /* Run the SP 800-90 Health tests */ 1804 /*******************************************/ 1805 rng_status = PRNGTEST_RunHealthTests(); 1806 if (rng_status != SECSuccess) { 1807 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1808 return SECFailure; 1809 } 1810 1811 return (SECSuccess); 1812 } 1813 1814 static SECStatus 1815 freebl_fipsSoftwareIntegrityTest(const char *libname) 1816 { 1817 SECStatus rv = SECSuccess; 1818 1819 /* make sure that our check file signatures are OK */ 1820 if (!BLAPI_VerifySelf(libname)) { 1821 rv = SECFailure; 1822 } 1823 return rv; 1824 } 1825 1826 #define DO_FREEBL 1 1827 #define DO_REST 2 1828 1829 static SECStatus 1830 freebl_fipsPowerUpSelfTest(unsigned int tests) 1831 { 1832 SECStatus rv; 1833 1834 /* 1835 * stand alone freebl. Test hash, and rng 1836 */ 1837 if (tests & DO_FREEBL) { 1838 1839 /* SHA-X Power-Up SelfTest(s). */ 1840 rv = freebl_fips_SHA_PowerUpSelfTest(); 1841 1842 if (rv != SECSuccess) 1843 return rv; 1844 } 1845 1846 /* 1847 * test the rest of the algorithms not accessed through freebl 1848 * standalone */ 1849 if (tests & DO_REST) { 1850 1851 /* RNG Power-Up SelfTest(s). */ 1852 rv = freebl_fips_RNG_PowerUpSelfTest(); 1853 1854 if (rv != SECSuccess) 1855 return rv; 1856 1857 /* DES3 Power-Up SelfTest(s). */ 1858 rv = freebl_fips_DES3_PowerUpSelfTest(); 1859 1860 if (rv != SECSuccess) 1861 return rv; 1862 1863 /* AES Power-Up SelfTest(s) for 128-bit key. */ 1864 rv = freebl_fips_AES_PowerUpSelfTest(FIPS_AES_128_KEY_SIZE); 1865 1866 if (rv != SECSuccess) 1867 return rv; 1868 1869 /* AES Power-Up SelfTest(s) for 192-bit key. */ 1870 rv = freebl_fips_AES_PowerUpSelfTest(FIPS_AES_192_KEY_SIZE); 1871 1872 if (rv != SECSuccess) 1873 return rv; 1874 1875 /* AES Power-Up SelfTest(s) for 256-bit key. */ 1876 rv = freebl_fips_AES_PowerUpSelfTest(FIPS_AES_256_KEY_SIZE); 1877 1878 if (rv != SECSuccess) 1879 return rv; 1880 1881 /* HMAC SHA-X Power-Up SelfTest(s). */ 1882 rv = freebl_fips_HMAC_PowerUpSelfTest(); 1883 1884 if (rv != SECSuccess) 1885 return rv; 1886 1887 /* TLS PRF Power-Up SelfTest(s). */ 1888 rv = freebl_fips_TLS_PowerUpSelfTest(); 1889 1890 if (rv != SECSuccess) 1891 return rv; 1892 1893 /* NOTE: RSA can only be tested in full freebl. It requires access to 1894 * the locking primitives */ 1895 /* RSA Power-Up SelfTest(s). */ 1896 rv = freebl_fips_RSA_PowerUpSelfTest(); 1897 1898 if (rv != SECSuccess) 1899 return rv; 1900 1901 /* DH Power-Up SelfTest(s). */ 1902 rv = freebl_fips_DH_PowerUpSelfTest(); 1903 1904 if (rv != SECSuccess) 1905 return rv; 1906 1907 /* EC Power-Up SelfTest(s). */ 1908 rv = freebl_fips_EC_PowerUpSelfTest(); 1909 1910 if (rv != SECSuccess) 1911 return rv; 1912 } 1913 /* Passed Power-Up SelfTest(s). */ 1914 return (SECSuccess); 1915 } 1916 1917 /* 1918 * state variables. NOTE: freebl has two uses: a standalone use which 1919 * provided limitted access to the hash functions throught the NSSLOWHASH_ 1920 * interface and an joint use from softoken, using the function pointer 1921 * table. The standalone use can operation without nspr or nss-util, while 1922 * the joint use requires both to be loaded. Certain functions (like RSA) 1923 * needs locking from NSPR, for instance. 1924 * 1925 * At load time, we need to handle the two uses separately. If nspr and 1926 * nss-util are loaded, then we can run all the selftests, but if nspr and 1927 * nss-util are not loaded, then we can't run all the selftests, and we need 1928 * to prevent the softoken function pointer table from operating until the 1929 * libraries are loaded and we try to use them. 1930 */ 1931 static PRBool self_tests_freebl_ran = PR_FALSE; 1932 static PRBool self_tests_ran = PR_FALSE; 1933 static PRBool self_tests_freebl_success = PR_FALSE; 1934 static PRBool self_tests_success = PR_FALSE; 1935 1936 /* 1937 * accessors for freebl 1938 */ 1939 PRBool 1940 BL_POSTRan(PRBool freebl_only) 1941 { 1942 SECStatus rv; 1943 /* if the freebl self tests didn't run, there is something wrong with 1944 * our on load tests */ 1945 if (!self_tests_freebl_ran) { 1946 return PR_FALSE; 1947 } 1948 /* if all the self tests have run, we are good */ 1949 if (self_tests_ran) { 1950 return PR_TRUE; 1951 } 1952 /* if we only care about the freebl tests, we are good */ 1953 if (freebl_only) { 1954 return PR_TRUE; 1955 } 1956 /* run the rest of the self tests */ 1957 /* We could get there if freebl was loaded without the rest of the support 1958 * libraries, but now we want to use more than just a standalone freebl. 1959 * This requires the other libraries to be loaded. 1960 * If they are now loaded, Try to run the rest of the selftests, 1961 * otherwise fail (disabling access to these algorithms) */ 1962 self_tests_ran = PR_TRUE; 1963 BL_Init(); /* required by RSA */ 1964 RNG_RNGInit(); /* required by RSA */ 1965 rv = freebl_fipsPowerUpSelfTest(DO_REST); 1966 if (rv == SECSuccess) { 1967 self_tests_success = PR_TRUE; 1968 } 1969 return PR_TRUE; 1970 } 1971 1972 #include "blname.c" 1973 1974 /* 1975 * This function is called at dll load time, the code tha makes this 1976 * happen is platform specific on defined above. 1977 */ 1978 static void 1979 bl_startup_tests(void) 1980 { 1981 const char *libraryName; 1982 PRBool freebl_only = PR_FALSE; 1983 SECStatus rv; 1984 1985 PORT_Assert(self_tests_freebl_ran == PR_FALSE); 1986 PORT_Assert(self_tests_success == PR_FALSE); 1987 self_tests_freebl_ran = PR_TRUE; /* we are running the tests */ 1988 self_tests_success = PR_FALSE; /* force it just in case */ 1989 self_tests_freebl_success = PR_FALSE; /* force it just in case */ 1990 1991 #ifdef FREEBL_NO_DEPEND 1992 rv = FREEBL_InitStubs(); 1993 if (rv != SECSuccess) { 1994 freebl_only = PR_TRUE; 1995 } 1996 #endif 1997 1998 self_tests_freebl_ran = PR_TRUE; /* we are running the tests */ 1999 2000 if (!freebl_only) { 2001 self_tests_ran = PR_TRUE; /* we're running all the tests */ 2002 BL_Init(); /* needs to be called before RSA can be used */ 2003 RNG_RNGInit(); 2004 } 2005 2006 /* always run the post tests */ 2007 rv = freebl_fipsPowerUpSelfTest(freebl_only ? DO_FREEBL : DO_FREEBL | DO_REST); 2008 if (rv != SECSuccess) { 2009 return; 2010 } 2011 2012 libraryName = getLibName(); 2013 rv = freebl_fipsSoftwareIntegrityTest(libraryName); 2014 if (rv != SECSuccess) { 2015 return; 2016 } 2017 2018 /* posts are happy, allow the fips module to function now */ 2019 self_tests_freebl_success = PR_TRUE; /* we always test the freebl stuff */ 2020 if (!freebl_only) { 2021 self_tests_success = PR_TRUE; 2022 } 2023 } 2024 2025 /* 2026 * this is called from the freebl init entry points that controll access to 2027 * all other freebl functions. This prevents freebl from operating if our 2028 * power on selftest failed. 2029 */ 2030 SECStatus 2031 BL_FIPSEntryOK(PRBool freebl_only, PRBool rerun) 2032 { 2033 #ifdef NSS_NO_INIT_SUPPORT 2034 /* this should only be set on platforms that can't handle one of the INIT 2035 * schemes. This code allows those platforms to continue to function, 2036 * though they don't meet the strict NIST requirements. If NSS_NO_INIT_SUPPORT 2037 * is not set, and init support has not been properly enabled, freebl 2038 * will always fail because of the test below 2039 */ 2040 if (!self_tests_freebl_ran) { 2041 bl_startup_tests(); 2042 } 2043 #endif 2044 if (rerun) { 2045 /* reset the flags */ 2046 self_tests_freebl_ran = PR_FALSE; 2047 self_tests_success = PR_FALSE; 2048 self_tests_success = PR_FALSE; 2049 self_tests_freebl_success = PR_FALSE; 2050 bl_startup_tests(); 2051 } 2052 /* if the general self tests succeeded, we're done */ 2053 if (self_tests_success) { 2054 return SECSuccess; 2055 } 2056 /* standalone freebl can initialize */ 2057 if (freebl_only && self_tests_freebl_success) { 2058 return SECSuccess; 2059 } 2060 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 2061 return SECFailure; 2062 } 2063 #endif