Updated FIPS140 initialization and added a self test for it.
1 #include <config.h>
2 #include <stdint.h>
3 #include <stdio.h>
4 #include <string.h>
5 #include <utils.h>
6 #include <stdlib.h>
7 #include <gnutls/gnutls.h>
8 #include <gnutls/crypto.h>
9 #include <gnutls/abstract.h>
10 #include <gnutls/x509.h>
11 #include <gnutls/fips140.h>
12
/* Library-internal hook that moves gnutls into the FIPS140 error state.
 * It is prototyped here by hand; presumably it is not part of any public
 * header (leading underscore), so the test depends on the symbol being
 * reachable from the library build under test — NOTE(review): confirm. */
void _gnutls_fips140_simulate_error(void);
14
15 /* This checks the FIPS140 support.
16  */
17
/* Log callback handed to gnutls_global_set_log_function(): emits one
 * library log record on stderr, prefixed with its numeric level. */
static void tls_log_func(int level, const char *str)
{
	fprintf(stderr, "<%d>| ", level);
	fputs(str, stderr);
}
22
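/* Key and IV material for the cipher/HMAC probes.  Static storage is
 * zero-initialised, so the operational phase runs with an all-zero key and
 * IV; that is acceptable here because only init success/failure is
 * checked, never the cipher output.  key16 doubles as the output buffer of
 * the gnutls_rnd() probe.  Declared unsigned char so that the pointer
 * matches gnutls_datum_t's `unsigned char *data` member without an
 * incompatible-pointer-type warning. */
static unsigned char key16[16];
static unsigned char iv16[16];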
25
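#ifdef ENABLE_FIPS140
/* Phase 1: with the library operating normally in FIPS140 mode, every
 * public entry point exercised here must succeed.  Each handle is released
 * again so the error-state phase starts from a clean slate.
 *
 * Relies on fail() from utils.h terminating the process (as the original
 * code did): after a failed init the handle is never deinitialised. */
static void check_operational(const gnutls_datum_t *key,
			      const gnutls_datum_t *iv)
{
	int ret;
	gnutls_cipher_hd_t ch;
	gnutls_hmac_hd_t mh;
	gnutls_session_t session;
	gnutls_pubkey_t pubkey;
	gnutls_x509_privkey_t xprivkey;
	gnutls_privkey_t privkey;

	/* crypto.h functionality */
	ret = gnutls_cipher_init(&ch, GNUTLS_CIPHER_AES_128_CBC, key, iv);
	if (ret < 0) {
		fail("gnutls_cipher_init failed\n");
	}
	gnutls_cipher_deinit(ch);

	ret = gnutls_hmac_init(&mh, GNUTLS_MAC_SHA1, key->data, key->size);
	if (ret < 0) {
		fail("gnutls_hmac_init failed\n");
	}
	gnutls_hmac_deinit(mh, NULL);

	ret = gnutls_rnd(GNUTLS_RND_NONCE, key16, sizeof(key16));
	if (ret < 0) {
		fail("gnutls_rnd failed\n");
	}

	/* abstract.h / x509.h key objects */
	ret = gnutls_pubkey_init(&pubkey);
	if (ret < 0) {
		fail("gnutls_pubkey_init failed\n");
	}
	gnutls_pubkey_deinit(pubkey);

	ret = gnutls_privkey_init(&privkey);
	if (ret < 0) {
		fail("gnutls_privkey_init failed\n");
	}
	gnutls_privkey_deinit(privkey);

	ret = gnutls_x509_privkey_init(&xprivkey);
	if (ret < 0) {
		/* message names the function actually called (was a
		 * copy-paste of the gnutls_privkey_init message) */
		fail("gnutls_x509_privkey_init failed\n");
	}
	gnutls_x509_privkey_deinit(xprivkey);

	/* TLS session object */
	ret = gnutls_init(&session, 0);
	if (ret < 0) {
		fail("gnutls_init failed\n");
	}
	gnutls_deinit(session);
}

/* Phase 2: after the library has been put into the FIPS140 error state,
 * every one of the same entry points must be refused (negative return).
 * A non-negative return is the security failure this test exists to
 * catch; the handle returned in that case is deliberately not released
 * because fail() ends the process. */
static void check_error_state(const gnutls_datum_t *key,
			      const gnutls_datum_t *iv)
{
	int ret;
	gnutls_cipher_hd_t ch;
	gnutls_hmac_hd_t mh;
	gnutls_session_t session;
	gnutls_pubkey_t pubkey;
	gnutls_x509_privkey_t xprivkey;
	gnutls_privkey_t privkey;

	/* crypto.h functionality */
	ret = gnutls_cipher_init(&ch, GNUTLS_CIPHER_AES_128_CBC, key, iv);
	if (ret >= 0) {
		fail("gnutls_cipher_init succeeded when in FIPS140 error state\n");
	}

	ret = gnutls_hmac_init(&mh, GNUTLS_MAC_SHA1, key->data, key->size);
	if (ret >= 0) {
		fail("gnutls_hmac_init succeeded when in FIPS140 error state\n");
	}

	ret = gnutls_rnd(GNUTLS_RND_NONCE, key16, sizeof(key16));
	if (ret >= 0) {
		fail("gnutls_rnd succeeded when in FIPS140 error state\n");
	}

	ret = gnutls_pubkey_init(&pubkey);
	if (ret >= 0) {
		fail("gnutls_pubkey_init succeeded when in FIPS140 error state\n");
	}

	ret = gnutls_privkey_init(&privkey);
	if (ret >= 0) {
		fail("gnutls_privkey_init succeeded when in FIPS140 error state\n");
	}

	ret = gnutls_x509_privkey_init(&xprivkey);
	if (ret >= 0) {
		fail("gnutls_x509_privkey_init succeeded when in FIPS140 error state\n");
	}

	ret = gnutls_init(&session, 0);
	if (ret >= 0) {
		fail("gnutls_init succeeded when in FIPS140 error state\n");
	}
}
#endif

/* Test entry point (called by the harness from utils.h).
 *
 * Verifies FIPS140 behaviour in two phases: first that the library is in
 * FIPS140 mode and the crypto, key and session APIs are usable, then that
 * all of them are refused once the library is forced into the FIPS140
 * error state.  doit() is void, so it reports failure through fail() /
 * exit() rather than a return value (the original returned 0/1 from a
 * void function, which is not valid C). */
void doit(void)
{
#ifdef ENABLE_FIPS140
	int ret;
	gnutls_datum_t key = { key16, sizeof(key16) };
	gnutls_datum_t iv = { iv16, sizeof(iv16) };

	fprintf(stderr, "Please note that you need to assure the library's integrity prior to running this test\n");

	gnutls_global_set_log_function(tls_log_func);
	if (debug)
		gnutls_global_set_log_level(4711);

	/* The error-state checks are only meaningful in FIPS140 mode, so
	 * refuse to run at all outside it. */
	ret = gnutls_fips140_mode_enabled();
	if (ret == 0) {
		fail("We are not in FIPS140 mode\n");
	}

	ret = global_init();
	if (ret < 0) {
		fail("Cannot initialize library\n");
	}

	check_operational(&key, &iv);

	/* Force the FIPS140 error state and verify the same entry points
	 * are now rejected. */
	_gnutls_fips140_simulate_error();
	check_error_state(&key, &iv);

	gnutls_global_deinit();
#else
	/* Fail: this test must not be run on a build without FIPS140
	 * support. */
	exit(1);
#endif
}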