Initial incomplete POST overhaul: add support for POST callback to
allow status of POST to be monitored and/or failures induced.
diff --git a/fips/fips_test_suite.c b/fips/fips_test_suite.c
index 2cfd5ef..e71ab11 100644
--- a/fips/fips_test_suite.c
+++ b/fips/fips_test_suite.c
@@ -665,6 +665,165 @@
printf("%s...%s\n", msg, result ? "successful" : Fail("Failed!"));
}
+static const char *post_get_sig(int id)
+ {
+ switch (id)
+ {
+ case EVP_PKEY_RSA:
+ return " (RSA)";
+
+ case EVP_PKEY_DSA:
+ return " (DSA)";
+
+ case EVP_PKEY_EC:
+ return " (ECDSA)";
+
+ default:
+ return " (UNKNOWN)";
+
+ }
+ }
+
+static const char *post_get_cipher(int id)
+ {
+ static char out[128];
+ switch(id)
+ {
+
+ case NID_aes_128_ecb:
+ return " (AES-128-ECB)";
+
+ case NID_des_ede3_ecb:
+ return " (DES-EDE3-ECB)";
+
+ default:
+ sprintf(out, " (NID=%d)", id);
+ return out;
+
+ }
+ }
+
+static int fail_id = -1;
+static int fail_sub = -1;
+static int fail_key = -1;
+
+static int post_cb(int op, int id, int subid, void *ex)
+ {
+ const char *idstr, *exstr = "";
+ int keytype = -1;
+ switch(id)
+ {
+ case FIPS_TEST_INTEGRITY:
+ idstr = "Integrity";
+ break;
+
+ case FIPS_TEST_DIGEST:
+ idstr = "Digest";
+ if (subid == NID_sha1)
+ exstr = " (SHA1)";
+ break;
+
+ case FIPS_TEST_CIPHER:
+ exstr = post_get_cipher(subid);
+ idstr = "Cipher";
+ break;
+
+ case FIPS_TEST_SIGNATURE:
+ if (ex)
+ {
+ EVP_PKEY *pkey = ex;
+ keytype = pkey->type;
+ exstr = post_get_sig(keytype);
+ }
+ idstr = "Signature";
+ break;
+
+ case FIPS_TEST_HMAC:
+ idstr = "HMAC";
+ break;
+
+ case FIPS_TEST_CMAC:
+ idstr = "HMAC";
+ break;
+
+ case FIPS_TEST_GCM:
+ idstr = "HMAC";
+ break;
+
+ case FIPS_TEST_CCM:
+ idstr = "HMAC";
+ break;
+
+ case FIPS_TEST_XTS:
+ idstr = "HMAC";
+ break;
+
+ case FIPS_TEST_X931:
+ idstr = "X9.31 PRNG";
+ break;
+
+ case FIPS_TEST_DRBG:
+ idstr = "DRBG";
+ break;
+
+ case FIPS_TEST_PAIRWISE:
+ if (ex)
+ {
+ EVP_PKEY *pkey = ex;
+ keytype = pkey->type;
+ exstr = post_get_sig(keytype);
+ }
+ idstr = "Pairwise Consistency";
+ break;
+
+ case FIPS_TEST_CONTINUOUS:
+ idstr = "Continuous PRNG";
+ break;
+
+ default:
+ idstr = "Unknown";
+ break;
+
+ }
+
+ switch(op)
+ {
+ case FIPS_POST_BEGIN:
+ printf("\tPOST started\n");
+ break;
+
+ case FIPS_POST_END:
+ printf("\tPOST %s\n", id ? "Success" : "Failed");
+ break;
+
+ case FIPS_POST_STARTED:
+ printf("\t\t%s%s test started\n", idstr, exstr);
+ break;
+
+ case FIPS_POST_SUCCESS:
+ printf("\t\t%s%s test OK\n", idstr, exstr);
+ break;
+
+ case FIPS_POST_FAIL:
+ printf("\t\t%s%s test FAILED!!\n", idstr, exstr);
+ break;
+
+ case FIPS_POST_CORRUPT:
+ if (fail_id == id
+ && (fail_key == -1 || fail_key == keytype)
+ && (fail_sub == -1 || fail_sub == subid))
+ {
+ printf("\t\t%s%s test failure induced\n", idstr, exstr);
+ return 0;
+ }
+ break;
+
+ }
+ return 1;
+ }
+
+
+
int main(int argc,char **argv)
{
@@ -676,47 +835,51 @@
fips_algtest_init_nofips();
+ FIPS_post_set_callback(post_cb);
+
printf("\tFIPS-mode test application\n\n");
if (argv[1]) {
/* Corrupted KAT tests */
- if (!strcmp(argv[1], "aes")) {
- FIPS_corrupt_aes();
- printf("AES encryption/decryption with corrupted KAT...\n");
+ if (!strcmp(argv[1], "integrity")) {
+ fail_id = FIPS_TEST_INTEGRITY;
+ } else if (!strcmp(argv[1], "aes")) {
+ fail_id = FIPS_TEST_CIPHER;
+ fail_sub = NID_aes_128_ecb;
} else if (!strcmp(argv[1], "aes-gcm")) {
FIPS_corrupt_aes_gcm();
printf("AES-GCM encryption/decryption with corrupted KAT...\n");
} else if (!strcmp(argv[1], "des")) {
- FIPS_corrupt_des();
- printf("DES3-ECB encryption/decryption with corrupted KAT...\n");
+ fail_id = FIPS_TEST_CIPHER;
+ fail_sub = NID_des_ede3_ecb;
} else if (!strcmp(argv[1], "dsa")) {
- FIPS_corrupt_dsa();
- printf("DSA key generation and signature validation with corrupted KAT...\n");
+ fail_id = FIPS_TEST_SIGNATURE;
+ fail_key = EVP_PKEY_DSA;
} else if (!strcmp(argv[1], "ecdsa")) {
- FIPS_corrupt_ecdsa();
- printf("ECDSA key generation and signature validation with corrupted KAT...\n");
+ fail_id = FIPS_TEST_SIGNATURE;
+ fail_key = EVP_PKEY_EC;
} else if (!strcmp(argv[1], "rsa")) {
- FIPS_corrupt_rsa();
- printf("RSA key generation and signature validation with corrupted KAT...\n");
+ fail_id = FIPS_TEST_SIGNATURE;
+ fail_key = EVP_PKEY_RSA;
} else if (!strcmp(argv[1], "rsakey")) {
printf("RSA key generation and signature validation with corrupted key...\n");
bad_rsa = 1;
no_exit = 1;
} else if (!strcmp(argv[1], "rsakeygen")) {
- do_corrupt_rsa_keygen = 1;
+ fail_id = FIPS_TEST_PAIRWISE;
+ fail_key = EVP_PKEY_RSA;
no_exit = 1;
- printf("RSA key generation and signature validation with corrupted keygen...\n");
} else if (!strcmp(argv[1], "dsakey")) {
printf("DSA key generation and signature validation with corrupted key...\n");
bad_dsa = 1;
no_exit = 1;
} else if (!strcmp(argv[1], "dsakeygen")) {
- do_corrupt_dsa_keygen = 1;
+ fail_id = FIPS_TEST_PAIRWISE;
+ fail_key = EVP_PKEY_DSA;
no_exit = 1;
- printf("DSA key generation and signature validation with corrupted keygen...\n");
} else if (!strcmp(argv[1], "sha1")) {
- FIPS_corrupt_sha1();
- printf("SHA-1 hash with corrupted KAT...\n");
+ fail_id = FIPS_TEST_DIGEST;
+ fail_sub = NID_sha1;
} else if (!strcmp(argv[1], "drbg")) {
FIPS_corrupt_drbg();
} else if (!strcmp(argv[1], "rng")) {
