Pick up FIPS-140 certification work.

This consists of the following: 1)Move FIPS integrity and post tests to dll load time. 2) Extra data clearing of CPS, change to the prime check requirements. 3) Allow FIPS level 1. This is detected by whether or not there is a password on the database. 4) Update fipstest to handle new tests and the latest formats used by NIST. Also make running of the tests automated. bob
sailfishos-mirror · Aug 31, 2015 · 4a825ac · 4a825ac
1 parent 19626bf
commit 4a825ac
Show file tree

Hide file tree

Showing 58 changed files with 5,742 additions and 3,737 deletions.
diff --git a/cmd/bltest/blapitest.c b/cmd/bltest/blapitest.c
@@ -3610,7 +3610,7 @@ int main(int argc, char **argv)
 
     /* Do FIPS self-test */
     if (bltest.commands[cmd_FIPS].activated) {
-	CK_RV ckrv = sftk_fipsPowerUpSelfTest();
+	CK_RV ckrv = sftk_FIPSEntryOK();
 	fprintf(stdout, "CK_RV: %ld.\n", ckrv);
         PORT_Free(cipherInfo);
         if (ckrv == CKR_OK)

diff --git a/cmd/fipstest/aes.sh b/cmd/fipstest/aes.sh
@@ -1,8 +1,9 @@
 #!/bin/sh
+# 
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
+#
 #
 # A Bourne shell script for running the NIST AES Algorithm Validation Suite
 #
@@ -12,6 +13,12 @@
 # directory where the REQUEST (.req) files reside.  The script generates the
 # RESPONSE (.rsp) files in the same directory.
 
+BASEDIR=${1-.}
+TESTDIR=${BASEDIR}/AES
+COMMAND=${2-run}
+REQDIR=${TESTDIR}/req
+RSPDIR=${TESTDIR}/resp
+
 cbc_kat_requests="
 CBCGFSbox128.req
 CBCGFSbox192.req
@@ -66,33 +73,40 @@ ECBMMT192.req
 ECBMMT256.req
 "
 
-for request in $ecb_kat_requests; do
+if [ ${COMMAND} = "verify" ]; then
+    for request in $cbc_kat_requests $cbc_mct_requests $cbc_mmt_requests $ecb_kat_requests $ecb_mct_requests $ecb_mmt_requests; do
+	sh ./validate1.sh ${TESTDIR} $request
+    done
+    exit 0
+fi
+
+for request in $cbc_kat_requests; do
     response=`echo $request | sed -e "s/req/rsp/"`
     echo $request $response
-    fipstest aes kat ecb $request > $response
+    fipstest aes kat cbc ${REQDIR}/$request > ${RSPDIR}/$response
 done
-for request in $ecb_mmt_requests; do
+for request in $cbc_mct_requests; do
     response=`echo $request | sed -e "s/req/rsp/"`
     echo $request $response
-    fipstest aes mmt ecb $request > $response
+    fipstest aes mct cbc ${REQDIR}/$request > ${RSPDIR}/$response
 done
-for request in $ecb_mct_requests; do
+for request in $cbc_mmt_requests; do
     response=`echo $request | sed -e "s/req/rsp/"`
     echo $request $response
-    fipstest aes mct ecb $request > $response
+    fipstest aes mmt cbc ${REQDIR}/$request > ${RSPDIR}/$response
 done
-for request in $cbc_kat_requests; do
+for request in $ecb_kat_requests; do
     response=`echo $request | sed -e "s/req/rsp/"`
     echo $request $response
-    fipstest aes kat cbc $request > $response
+    fipstest aes kat ecb ${REQDIR}/$request > ${RSPDIR}/$response
 done
-for request in $cbc_mmt_requests; do
+for request in $ecb_mct_requests; do
     response=`echo $request | sed -e "s/req/rsp/"`
     echo $request $response
-    fipstest aes mmt cbc $request > $response
+    fipstest aes mct ecb ${REQDIR}/$request > ${RSPDIR}/$response
 done
-for request in $cbc_mct_requests; do
+for request in $ecb_mmt_requests; do
     response=`echo $request | sed -e "s/req/rsp/"`
     echo $request $response
-    fipstest aes mct cbc $request > $response
+    fipstest aes mmt ecb ${REQDIR}/$request > ${RSPDIR}/$response
 done
diff --git a/cmd/fipstest/aesgcm.sh b/cmd/fipstest/aesgcm.sh
@@ -0,0 +1,67 @@
+#!/bin/sh
+# 
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# A Bourne shell script for running the NIST AES Algorithm Validation Suite
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+
+BASEDIR=${1-.}
+TESTDIR=${BASEDIR}/AES_GCM
+COMMAND=${2-run}
+REQDIR=${TESTDIR}/req
+RSPDIR=${TESTDIR}/resp
+
+gcm_decrypt_requests="
+gcmDecrypt128.req
+gcmDecrypt192.req
+gcmDecrypt256.req
+"
+
+gcm_encrypt_extiv_requests="
+gcmEncryptExtIV128.req
+gcmEncryptExtIV192.req
+gcmEncryptExtIV256.req
+"
+gcm_encrypt_intiv_requests="
+"
+
+#gcm_encrypt_intiv_requests="
+#gcmEncryptIntIV128.req
+#gcmEncryptIntIV192.req
+#gcmEncryptIntIV256.req
+#"
+
+if [ ${COMMAND} = "verify" ]; then
+    for request in $gcm_decrypt_requests $gcm_encrypt_extiv_requests; do
+	sh ./validate1.sh ${TESTDIR} $request ' ' '-e /Reason:/d'
+    done
+    for request in $gcm_encrypt_intiv_requests; do
+	name=`basename $request .req`
+    	echo ">>>>>  $name"
+        fipstest aes gcm decrypt ${RSPDIR}/$name.rsp | grep FAIL
+    done
+    exit 0
+fi
+
+for request in $gcm_decrypt_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest aes gcm decrypt ${REQDIR}/$request > ${RSPDIR}/$response
+done
+for request in $gcm_encrypt_intiv_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest aes gcm encrypt_intiv ${REQDIR}/$request > ${RSPDIR}/$response
+done
+for request in $gcm_encrypt_extiv_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest aes gcm encrypt_extiv ${REQDIR}/$request > ${RSPDIR}/$response
+done
diff --git a/cmd/fipstest/dsa.sh b/cmd/fipstest/dsa.sh
@@ -1,8 +1,8 @@
 #!/bin/sh
+# 
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
 #
 # A Bourne shell script for running the NIST DSA Validation System
 #
@@ -11,28 +11,61 @@
 # shared libraries/DLLs are on the search path.  Then run this script in the
 # directory where the REQUEST (.req) files reside.  The script generates the
 # RESPONSE (.rsp) files in the same directory.
+BASEDIR=${1-.}
+TESTDIR=${BASEDIR}/DSA2
+COMMAND=${2-run}
+REQDIR=${TESTDIR}/req
+RSPDIR=${TESTDIR}/resp
+
+
+#
+# several of the DSA tests do use known answer tests to verify the result.
+# in those cases, feed generated tests back into the fipstest tool and
+# see if we can verify those value. NOTE: th PQGVer and SigVer tests verify
+# the dsa pqgver and dsa sigver functions, so we know they can detect errors
+# in those PQGGen and SigGen. Only the KeyPair verify is potentially circular.
+#
+if [ ${COMMAND} = "verify" ]; then
+# verify generated keys
+    name=KeyPair
+    echo ">>>>>  $name"
+    fipstest dsa keyver ${RSPDIR}/$name.rsp | grep ^Result.=.F
+# verify generated pqg values
+    name=PQGGen
+    echo ">>>>>  $name"
+    fipstest dsa pqgver ${RSPDIR}/$name.rsp | grep ^Result.=.F
+# verify PQGVer with known answer
+#    sh ./validate1.sh ${TESTDIR} PQGVer.req ' ' '-e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;'
+# verify signatures
+    name=SigGen
+    echo ">>>>>  $name"
+    fipstest dsa sigver ${RSPDIR}/$name.rsp | grep ^Result.=.F
+# verify SigVer with known answer
+    sh ./validate1.sh ${TESTDIR} SigVer.req ' ' '-e /^X.=/d -e /^Result.=.F/s;.(.*);;'
+    exit 0
+fi
 
 request=KeyPair.req
 response=`echo $request | sed -e "s/req/rsp/"`
 echo $request $response
-fipstest dsa keypair $request > $response
+fipstest dsa keypair ${REQDIR}/$request > ${RSPDIR}/$response
 
 request=PQGGen.req
 response=`echo $request | sed -e "s/req/rsp/"`
 echo $request $response
-fipstest dsa pqggen $request > $response
+fipstest dsa pqggen ${REQDIR}/$request > ${RSPDIR}/$response
 
-request=PQGVer.req
+request=PQGVer1863.req
 response=`echo $request | sed -e "s/req/rsp/"`
 echo $request $response
-fipstest dsa pqgver $request > $response
+fipstest dsa pqgver ${REQDIR}/$request > ${RSPDIR}/$response
 
 request=SigGen.req
 response=`echo $request | sed -e "s/req/rsp/"`
 echo $request $response
-fipstest dsa siggen $request > $response
+fipstest dsa siggen ${REQDIR}/$request > ${RSPDIR}/$response
 
 request=SigVer.req
 response=`echo $request | sed -e "s/req/rsp/"`
 echo $request $response
-fipstest dsa sigver $request > $response
+fipstest dsa sigver ${REQDIR}/$request > ${RSPDIR}/$response
diff --git a/cmd/fipstest/ecdsa.sh b/cmd/fipstest/ecdsa.sh
@@ -1,8 +1,8 @@
 #!/bin/sh
+# 
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
 #
 # A Bourne shell script for running the NIST ECDSA Validation System
 #
@@ -11,23 +11,50 @@
 # shared libraries/DLLs are on the search path.  Then run this script in the
 # directory where the REQUEST (.req) files reside.  The script generates the
 # RESPONSE (.rsp) files in the same directory.
+BASEDIR=${1-.}
+TESTDIR=${BASEDIR}/ECDSA2
+COMMAND=${2-run}
+REQDIR=${TESTDIR}/req
+RSPDIR=${TESTDIR}/resp
+
+#
+# several of the ECDSA tests do not use known answer tests to verify the result.
+# In those cases, feed generated tests back into the fipstest tool and
+# see if we can verify those value. NOTE:  PQGVer and SigVer tests verify
+# the dsa pqgver and dsa sigver functions, so we know they can detect errors
+# in those PQGGen and SigGen. Only the KeyPair verify is potentially circular.
+#
+if [ ${COMMAND} = "verify" ]; then
+# verify generated keys
+    name=KeyPair
+    echo ">>>>>  $name"
+    fipstest ecdsa keyver ${RSPDIR}/$name.rsp | grep ^Result.=.F
+    sh ./validate1.sh ${TESTDIR} PKV.req ' ' '-e /^X.=/d -e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;'
+# verify signatures
+    name=SigGen
+    echo ">>>>>  $name"
+    fipstest ecdsa sigver ${RSPDIR}/$name.rsp | grep ^Result.=.F
+# verify SigVer with known answer
+    sh ./validate1.sh ${TESTDIR} SigVer.req ' ' '-e /^X.=/d -e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;'
+    exit 0
+fi
 
 request=KeyPair.req
 response=`echo $request | sed -e "s/req/rsp/"`
 echo $request $response
-fipstest ecdsa keypair $request > $response
+fipstest ecdsa keypair ${REQDIR}/$request > ${RSPDIR}/$response
 
 request=PKV.req
 response=`echo $request | sed -e "s/req/rsp/"`
 echo $request $response
-fipstest ecdsa pkv $request > $response
+fipstest ecdsa pkv ${REQDIR}/$request > ${RSPDIR}/$response
 
 request=SigGen.req
 response=`echo $request | sed -e "s/req/rsp/"`
 echo $request $response
-fipstest ecdsa siggen $request > $response
+fipstest ecdsa siggen ${REQDIR}/$request > ${RSPDIR}/$response
 
 request=SigVer.req
 response=`echo $request | sed -e "s/req/rsp/"`
 echo $request $response
-fipstest ecdsa sigver $request > $response
+fipstest ecdsa sigver ${REQDIR}/$request > ${RSPDIR}/$response