Final(?) version of test suite.

fips/fips_test_suite.c

@@ -21,9 +21,9 @@
 #include <openssl/rsa.h>
 #include <openssl/dsa.h>
 #include <openssl/sha.h>
+#include <openssl/md5.h>
 #include <openssl/err.h>
 #include <openssl/fips.h>
-#include <openssl/md5.h>
 
 #ifndef OPENSSL_FIPS
 int main(int argc, char *argv[])
@@ -44,15 +44,16 @@ static int FIPS_aes_test()
     AES_KEY key;
     AES_KEY dkey;
 
+    ERR_clear_error();
     if (AES_set_encrypt_key( userkey, 128, &key ))
 	return 0;
     AES_encrypt( plaintext, ciphertext, &key);
-    AES_set_decrypt_key( userkey, 128, &dkey );
+    if (AES_set_decrypt_key( userkey, 128, &dkey ))
+        return 0;
     AES_decrypt( ciphertext, buf, &dkey);
     if (memcmp(buf, plaintext, sizeof(buf)))
         return 0;
     return 1;
-
     }
 
 /* DES: encrypt and decrypt known plaintext, verify result matches original plaintext
@@ -66,8 +67,9 @@ static int FIPS_des_test()
     DES_cblock ciphertext;
     DES_cblock buf;
 
-    if(DES_set_key(&userkey, &key))
-	return 0;
+    ERR_clear_error();
+    if (DES_set_key(&userkey, &key))
+        return 0;
     DES_ecb_encrypt( &plaintext, &ciphertext, &key, 1);
     DES_ecb_encrypt( &ciphertext, &buf, &key, 0);
     if (memcmp(buf, plaintext, sizeof(buf)))
@@ -85,10 +87,11 @@ static int FIPS_dsa_test()
     unsigned char sig[256];
     unsigned int siglen;
 
+    ERR_clear_error();
     dsa = DSA_generate_parameters(512,NULL,0,NULL,NULL,NULL,NULL);
     if (!dsa)
 	return 0;
-    if(!DSA_generate_key(dsa))
+    if (!DSA_generate_key(dsa))
 	return 0;
     if ( DSA_sign(0,dgst,strlen(dgst),sig,&siglen,dsa) != 1 )
 	return 0;
@@ -109,6 +112,7 @@ static int FIPS_rsa_test()
     unsigned char ptext[256];
     int n;
 
+    ERR_clear_error();
     key = RSA_generate_key(1024,65537,NULL,NULL);
     if (!key)
 	return 0;
@@ -125,7 +129,8 @@ static int FIPS_rsa_test()
     return 1;
     }
 
-/* SHA1: generate hash of known digest value and compate to known precomputed correct hash
+/* SHA1: generate hash of known digest value and compare to known
+   precomputed correct hash
 */
 static int FIPS_sha1_test()
     {
@@ -135,15 +140,16 @@ static int FIPS_sha1_test()
 
     unsigned char md[SHA_DIGEST_LENGTH];
 
+    ERR_clear_error();
     if (!SHA1(str,strlen(str),md)) return 0;
     if (memcmp(md,digest,sizeof(md)))
         return 0;
     return 1;
     }
 
-/* MD5: generate hash of known digest value and compate to known
-   precomputed correct hash */
-
+/* MD5: generate hash of known digest value and compare to known
+   precomputed correct hash
+*/
 static int md5_test()
     {
     unsigned char digest[MD5_DIGEST_LENGTH] =
@@ -152,6 +158,7 @@ static int md5_test()
 
     unsigned char md[MD5_DIGEST_LENGTH];
 
+    ERR_clear_error();
     if (!MD5(str,strlen(str),md))
 	return 0;
     if (memcmp(md,digest,sizeof(md)))
@@ -159,6 +166,18 @@ static int md5_test()
     return 1;
     }
 
+/* DH: generate shared parameters
+*/
+static int dh_test()
+    {
+    DH *dh;
+
+    dh = DH_generate_parameters(256, 2, NULL, NULL);
+    if (dh)
+        return 0;
+    return 1;
+    }
+
 static int Error;
 const char * Fail(const char *msg)
     {
@@ -171,10 +190,45 @@ int main(int argc,char **argv)
 
     printf("\tFIPS-mode test application\n\n");
 
+    if (argv[1]) {
+        /* Corrupted KAT tests */
+        if (!strcmp(argv[1], "aes")) {
+            FIPS_corrupt_aes();
+            printf("3. AES encryption/decryption with corrupted KAT...\n");
+        } else if (!strcmp(argv[1], "des")) {
+            FIPS_corrupt_des();
+            printf("5. DES-ECB encryption/decryption with corrupted KAT...\n");
+        } else if (!strcmp(argv[1], "dsa")) {
+            FIPS_corrupt_dsa();
+            printf("6. DSA key generation and signature validation with corrupted KAT...\n");
+        } else if (!strcmp(argv[1], "rsa")) {
+            FIPS_corrupt_rsa();
+            printf("4. RSA key generation and encryption/decryption with corrupted KAT...\n");
+        } else if (!strcmp(argv[1], "sha1")) {
+            FIPS_corrupt_sha1();
+            printf("7. SHA-1 hash with corrupted KAT...\n");
+        } else {
+            printf("Bad argument \"%s\"\n", argv[1]);
+            exit(1);
+        }
+        if (!FIPS_mode_set(1,argv[0]))
+   	    {
+	    ERR_load_crypto_strings();
+	    ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+            printf("Power-up self test failed\n");
+	    exit(1);
+	}
+        printf("Power-up self test successful\n");
+        exit(0);
+    }
+
     /* Non-Approved cryptographic operation
-     */
-    printf("0. Non-Approved cryptographic operation...");
+    */
+    printf("0. Non-Approved cryptographic operation test...\n");
+    printf("\ta. MD5...");
     printf( md5_test() ? "successful\n" :  Fail("FAILED!\n") );
+    printf("\tb. D-H...");
+    printf( dh_test() ? "successful\n" :  Fail("FAILED!\n") );
 
     /* Power-up self test failure
     */
@@ -196,8 +250,9 @@ int main(int argc,char **argv)
 
     /* Power-up self test retry
     */
+    ERR_clear_error();
     printf("2. Automatic power-up self test retry...");
-    if(!FIPS_mode_set(1,argv[0]))
+    if (!FIPS_mode_set(1,argv[0]))
 	{
 	ERR_load_crypto_strings();
 	ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
@@ -233,9 +288,13 @@ int main(int argc,char **argv)
 
     /* Non-Approved cryptographic operation
     */
-    printf("8. Non-Approved cryptographic operation...");
+    printf("8. Non-Approved cryptographic operation test...\n");
+    printf("\ta. MD5...");
     printf( md5_test() ? Fail("passed INCORRECTLY!\n")
 	    : "failed as expected\n" );
+    printf("\tb. D-H...");
+    printf( dh_test() ? Fail("passed INCORRECTLY!\n")
+	    : "failed as expected\n" );
 
     printf("\nAll tests completed with %d errors\n", Error);
     return 0;