1 /*
2 * PKCS #11 FIPS Power-Up Self Test.
3 *
4 * This Source Code Form is subject to the terms of the Mozilla Public
5 * License, v. 2.0. If a copy of the MPL was not distributed with this
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7
8 #ifndef NSS_FIPS_DISABLED
9 #include "seccomon.h"
10 #include "blapi.h"
11 #include "softoken.h"
12 #include "lowkeyi.h"
13 #include "secoid.h"
14 #include "secerr.h"
15 #include "pkcs11i.h"
16 #include "lowpbe.h"
17
18 /*
19 * different platforms have different ways of calling and initial entry point
20 * when the dll/.so is loaded. Most platforms support either a posix pragma
21 * or the GCC attribute. Some platforms suppor a pre-defined name, and some
22 * platforms have a link line way of invoking this function.
23 */
24
25 /* The pragma */
26 #if defined(USE_INIT_PRAGMA)
27 #pragma init(sftk_startup_tests)
28 #endif
29
30 /* GCC Attribute */
31 #if defined(__GNUC__) && !defined(NSS_NO_INIT_SUPPORT)
32 #define INIT_FUNCTION __attribute__((constructor))
33 #else
34 #define INIT_FUNCTION
35 #endif
36
37 static void INIT_FUNCTION sftk_startup_tests(void);
38
39 /* Windows pre-defined entry */
40 #if defined(XP_WIN) && !defined(NSS_NO_INIT_SUPPORT)
41 #include <windows.h>
42
DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpReserved)43 BOOL WINAPI DllMain(
44 HINSTANCE hinstDLL, // handle to DLL module
45 DWORD fdwReason, // reason for calling function
46 LPVOID lpReserved) // reserved
47 {
48 // Perform actions based on the reason for calling.
49 switch (fdwReason) {
50 case DLL_PROCESS_ATTACH:
51 // Initialize once for each new process.
52 // Return FALSE to fail DLL load.
53 sftk_startup_tests();
54 break;
55
56 case DLL_THREAD_ATTACH:
57 // Do thread-specific initialization.
58 break;
59
60 case DLL_THREAD_DETACH:
61 // Do thread-specific cleanup.
62 break;
63
64 case DLL_PROCESS_DETACH:
65 // Perform any necessary cleanup.
66 break;
67 }
68 return TRUE; // Successful DLL_PROCESS_ATTACH.
69 }
70 #endif
71
72 /* FIPS preprocessor directives for RSA. */
73 #define FIPS_RSA_TYPE siBuffer
74 #define FIPS_RSA_PUBLIC_EXPONENT_LENGTH 3 /* 24-bits */
75 #define FIPS_RSA_PRIVATE_VERSION_LENGTH 1 /* 8-bits */
76 #define FIPS_RSA_MESSAGE_LENGTH 256 /* 2048-bits */
77 #define FIPS_RSA_COEFFICIENT_LENGTH 128 /* 1024-bits */
78 #define FIPS_RSA_PRIME0_LENGTH 128 /* 1024-bits */
79 #define FIPS_RSA_PRIME1_LENGTH 128 /* 1024-bits */
80 #define FIPS_RSA_EXPONENT0_LENGTH 128 /* 1024-bits */
81 #define FIPS_RSA_EXPONENT1_LENGTH 128 /* 1024-bits */
82 #define FIPS_RSA_PRIVATE_EXPONENT_LENGTH 256 /* 2048-bits */
83 #define FIPS_RSA_ENCRYPT_LENGTH 256 /* 2048-bits */
84 #define FIPS_RSA_DECRYPT_LENGTH 256 /* 2048-bits */
85 #define FIPS_RSA_SIGNATURE_LENGTH 256 /* 2048-bits */
86 #define FIPS_RSA_MODULUS_LENGTH 256 /* 2048-bits */
87
88 /*
89 * Test the softoken RSA_HashSign and RSH_HashCheckSign.
90 */
91 static SECStatus
sftk_fips_RSA_PowerUpSigSelfTest(HASH_HashType shaAlg,NSSLOWKEYPublicKey * rsa_public_key,NSSLOWKEYPrivateKey * rsa_private_key,const unsigned char * rsa_known_msg,const unsigned int rsa_kmsg_length,const unsigned char * rsa_known_signature)92 sftk_fips_RSA_PowerUpSigSelfTest(HASH_HashType shaAlg,
93 NSSLOWKEYPublicKey *rsa_public_key,
94 NSSLOWKEYPrivateKey *rsa_private_key,
95 const unsigned char *rsa_known_msg,
96 const unsigned int rsa_kmsg_length,
97 const unsigned char *rsa_known_signature)
98 {
99 SECOidTag shaOid; /* SHA OID */
100 unsigned char sha[HASH_LENGTH_MAX]; /* SHA digest */
101 unsigned int shaLength = 0; /* length of SHA */
102 unsigned int rsa_bytes_signed;
103 unsigned char rsa_computed_signature[FIPS_RSA_SIGNATURE_LENGTH];
104 SECStatus rv;
105
106 if (shaAlg == HASH_AlgSHA1) {
107 if (SHA1_HashBuf(sha, rsa_known_msg, rsa_kmsg_length) != SECSuccess) {
108 goto loser;
109 }
110 shaLength = SHA1_LENGTH;
111 shaOid = SEC_OID_SHA1;
112 } else if (shaAlg == HASH_AlgSHA256) {
113 if (SHA256_HashBuf(sha, rsa_known_msg, rsa_kmsg_length) != SECSuccess) {
114 goto loser;
115 }
116 shaLength = SHA256_LENGTH;
117 shaOid = SEC_OID_SHA256;
118 } else if (shaAlg == HASH_AlgSHA384) {
119 if (SHA384_HashBuf(sha, rsa_known_msg, rsa_kmsg_length) != SECSuccess) {
120 goto loser;
121 }
122 shaLength = SHA384_LENGTH;
123 shaOid = SEC_OID_SHA384;
124 } else if (shaAlg == HASH_AlgSHA512) {
125 if (SHA512_HashBuf(sha, rsa_known_msg, rsa_kmsg_length) != SECSuccess) {
126 goto loser;
127 }
128 shaLength = SHA512_LENGTH;
129 shaOid = SEC_OID_SHA512;
130 } else {
131 goto loser;
132 }
133
134 /*************************************************/
135 /* RSA Single-Round Known Answer Signature Test. */
136 /*************************************************/
137
138 /* Perform RSA signature with the RSA private key. */
139 rv = RSA_HashSign(shaOid,
140 rsa_private_key,
141 rsa_computed_signature,
142 &rsa_bytes_signed,
143 FIPS_RSA_SIGNATURE_LENGTH,
144 sha,
145 shaLength);
146
147 if ((rv != SECSuccess) ||
148 (rsa_bytes_signed != FIPS_RSA_SIGNATURE_LENGTH) ||
149 (PORT_Memcmp(rsa_computed_signature, rsa_known_signature,
150 FIPS_RSA_SIGNATURE_LENGTH) != 0)) {
151 goto loser;
152 }
153
154 /****************************************************/
155 /* RSA Single-Round Known Answer Verification Test. */
156 /****************************************************/
157
158 /* Perform RSA verification with the RSA public key. */
159 rv = RSA_HashCheckSign(shaOid,
160 rsa_public_key,
161 rsa_computed_signature,
162 rsa_bytes_signed,
163 sha,
164 shaLength);
165
166 if (rv != SECSuccess) {
167 goto loser;
168 }
169 return (SECSuccess);
170
171 loser:
172
173 return (SECFailure);
174 }
175
176 static SECStatus
sftk_fips_RSA_PowerUpSelfTest(void)177 sftk_fips_RSA_PowerUpSelfTest(void)
178 {
179 /* RSA Known Modulus used in both Public/Private Key Values (2048-bits). */
180 static const PRUint8 rsa_modulus[FIPS_RSA_MODULUS_LENGTH] = {
181 0xb8, 0x15, 0x00, 0x33, 0xda, 0x0c, 0x9d, 0xa5,
182 0x14, 0x8c, 0xde, 0x1f, 0x23, 0x07, 0x54, 0xe2,
183 0xc6, 0xb9, 0x51, 0x04, 0xc9, 0x65, 0x24, 0x6e,
184 0x0a, 0x46, 0x34, 0x5c, 0x37, 0x86, 0x6b, 0x88,
185 0x24, 0x27, 0xac, 0xa5, 0x02, 0x79, 0xfb, 0xed,
186 0x75, 0xc5, 0x3f, 0x6e, 0xdf, 0x05, 0x5f, 0x0f,
187 0x20, 0x70, 0xa0, 0x5b, 0x85, 0xdb, 0xac, 0xb9,
188 0x5f, 0x02, 0xc2, 0x64, 0x1e, 0x84, 0x5b, 0x3e,
189 0xad, 0xbf, 0xf6, 0x2e, 0x51, 0xd6, 0xad, 0xf7,
190 0xa7, 0x86, 0x75, 0x86, 0xec, 0xa7, 0xe1, 0xf7,
191 0x08, 0xbf, 0xdc, 0x56, 0xb1, 0x3b, 0xca, 0xd8,
192 0xfc, 0x51, 0xdf, 0x9a, 0x2a, 0x37, 0x06, 0xf2,
193 0xd1, 0x6b, 0x9a, 0x5e, 0x2a, 0xe5, 0x20, 0x57,
194 0x35, 0x9f, 0x1f, 0x98, 0xcf, 0x40, 0xc7, 0xd6,
195 0x98, 0xdb, 0xde, 0xf5, 0x64, 0x53, 0xf7, 0x9d,
196 0x45, 0xf3, 0xd6, 0x78, 0xb9, 0xe3, 0xa3, 0x20,
197 0xcd, 0x79, 0x43, 0x35, 0xef, 0xd7, 0xfb, 0xb9,
198 0x80, 0x88, 0x27, 0x2f, 0x63, 0xa8, 0x67, 0x3d,
199 0x4a, 0xfa, 0x06, 0xc6, 0xd2, 0x86, 0x0b, 0xa7,
200 0x28, 0xfd, 0xe0, 0x1e, 0x93, 0x4b, 0x17, 0x2e,
201 0xb0, 0x11, 0x6f, 0xc6, 0x2b, 0x98, 0x0f, 0x15,
202 0xe3, 0x87, 0x16, 0x7a, 0x7c, 0x67, 0x3e, 0x12,
203 0x2b, 0xf8, 0xbe, 0x48, 0xc1, 0x97, 0x47, 0xf4,
204 0x1f, 0x81, 0x80, 0x12, 0x28, 0xe4, 0x7b, 0x1e,
205 0xb7, 0x00, 0xa4, 0xde, 0xaa, 0xfb, 0x0f, 0x77,
206 0x84, 0xa3, 0xd6, 0xb2, 0x03, 0x48, 0xdd, 0x53,
207 0x8b, 0x46, 0x41, 0x28, 0x52, 0xc4, 0x53, 0xf0,
208 0x1c, 0x95, 0xd9, 0x36, 0xe0, 0x0f, 0x26, 0x46,
209 0x9c, 0x61, 0x0e, 0x80, 0xca, 0x86, 0xaf, 0x39,
210 0x95, 0xe5, 0x60, 0x43, 0x61, 0x3e, 0x2b, 0xb4,
211 0xe8, 0xbd, 0x8d, 0x77, 0x62, 0xf5, 0x32, 0x43,
212 0x2f, 0x4b, 0x65, 0x82, 0x14, 0xdd, 0x29, 0x5b
213 };
214
215 /* RSA Known Public Key Values (24-bits). */
216 static const PRUint8 rsa_public_exponent[FIPS_RSA_PUBLIC_EXPONENT_LENGTH] = { 0x01, 0x00, 0x01 };
217 /* RSA Known Private Key Values (version is 8-bits), */
218 /* (private exponent is 2048-bits), */
219 /* (private prime0 is 1024-bits), */
220 /* (private prime1 is 1024-bits), */
221 /* (private prime exponent0 is 1024-bits), */
222 /* (private prime exponent1 is 1024-bits), */
223 /* and (private coefficient is 1024-bits). */
224 static const PRUint8 rsa_version[] = { 0x00 };
225
226 static const PRUint8 rsa_private_exponent[FIPS_RSA_PRIVATE_EXPONENT_LENGTH] = {
227 0x29, 0x08, 0x05, 0x53, 0x89, 0x76, 0xe6, 0x6c,
228 0xb5, 0x77, 0xf0, 0xca, 0xdf, 0xf3, 0xf2, 0x67,
229 0xda, 0x03, 0xd4, 0x9b, 0x4c, 0x88, 0xce, 0xe5,
230 0xf8, 0x44, 0x4d, 0xc7, 0x80, 0x58, 0xe5, 0xff,
231 0x22, 0x8f, 0xf5, 0x5b, 0x92, 0x81, 0xbe, 0x35,
232 0xdf, 0xda, 0x67, 0x99, 0x3e, 0xfc, 0xe3, 0x83,
233 0x6b, 0xa7, 0xaf, 0x16, 0xb7, 0x6f, 0x8f, 0xc0,
234 0x81, 0xfd, 0x0b, 0x77, 0x65, 0x95, 0xfb, 0x00,
235 0xad, 0x99, 0xec, 0x35, 0xc6, 0xe8, 0x23, 0x3e,
236 0xe0, 0x88, 0x88, 0x09, 0xdb, 0x16, 0x50, 0xb7,
237 0xcf, 0xab, 0x74, 0x61, 0x9e, 0x7f, 0xc5, 0x67,
238 0x38, 0x56, 0xc7, 0x90, 0x85, 0x78, 0x5e, 0x84,
239 0x21, 0x49, 0xea, 0xce, 0xb2, 0xa0, 0xff, 0xe4,
240 0x70, 0x7f, 0x57, 0x7b, 0xa8, 0x36, 0xb8, 0x54,
241 0x8d, 0x1d, 0xf5, 0x44, 0x9d, 0x68, 0x59, 0xf9,
242 0x24, 0x6e, 0x85, 0x8f, 0xc3, 0x5f, 0x8a, 0x2c,
243 0x94, 0xb7, 0xbc, 0x0e, 0xa5, 0xef, 0x93, 0x06,
244 0x38, 0xcd, 0x07, 0x0c, 0xae, 0xb8, 0x44, 0x1a,
245 0xd8, 0xe7, 0xf5, 0x9a, 0x1e, 0x9c, 0x18, 0xc7,
246 0x6a, 0xc2, 0x7f, 0x28, 0x01, 0x4f, 0xb4, 0xb8,
247 0x90, 0x97, 0x5a, 0x43, 0x38, 0xad, 0xe8, 0x95,
248 0x68, 0x83, 0x1a, 0x1b, 0x10, 0x07, 0xe6, 0x02,
249 0x52, 0x1f, 0xbf, 0x76, 0x6b, 0x46, 0xd6, 0xfb,
250 0xc3, 0xbe, 0xb5, 0xac, 0x52, 0x53, 0x01, 0x1c,
251 0xf3, 0xc5, 0xeb, 0x64, 0xf2, 0x1e, 0xc4, 0x38,
252 0xe9, 0xaa, 0xd9, 0xc3, 0x72, 0x51, 0xa5, 0x44,
253 0x58, 0x69, 0x0b, 0x1b, 0x98, 0x7f, 0xf2, 0x23,
254 0xff, 0xeb, 0xf0, 0x75, 0x24, 0xcf, 0xc5, 0x1e,
255 0xb8, 0x6a, 0xc5, 0x2f, 0x4f, 0x23, 0x50, 0x7d,
256 0x15, 0x9d, 0x19, 0x7a, 0x0b, 0x82, 0xe0, 0x21,
257 0x5b, 0x5f, 0x9d, 0x50, 0x2b, 0x83, 0xe4, 0x48,
258 0xcc, 0x39, 0xe5, 0xfb, 0x13, 0x7b, 0x6f, 0x81
259 };
260
261 static const PRUint8 rsa_prime0[FIPS_RSA_PRIME0_LENGTH] = {
262 0xe4, 0xbf, 0x21, 0x62, 0x9b, 0xa9, 0x77, 0x40,
263 0x8d, 0x2a, 0xce, 0xa1, 0x67, 0x5a, 0x4c, 0x96,
264 0x45, 0x98, 0x67, 0xbd, 0x75, 0x22, 0x33, 0x6f,
265 0xe6, 0xcb, 0x77, 0xde, 0x9e, 0x97, 0x7d, 0x96,
266 0x8c, 0x5e, 0x5d, 0x34, 0xfb, 0x27, 0xfc, 0x6d,
267 0x74, 0xdb, 0x9d, 0x2e, 0x6d, 0xf6, 0xea, 0xfc,
268 0xce, 0x9e, 0xda, 0xa7, 0x25, 0xa2, 0xf4, 0x58,
269 0x6d, 0x0a, 0x3f, 0x01, 0xc2, 0xb4, 0xab, 0x38,
270 0xc1, 0x14, 0x85, 0xb6, 0xfa, 0x94, 0xc3, 0x85,
271 0xf9, 0x3c, 0x2e, 0x96, 0x56, 0x01, 0xe7, 0xd6,
272 0x14, 0x71, 0x4f, 0xfb, 0x4c, 0x85, 0x52, 0xc4,
273 0x61, 0x1e, 0xa5, 0x1e, 0x96, 0x13, 0x0d, 0x8f,
274 0x66, 0xae, 0xa0, 0xcd, 0x7d, 0x25, 0x66, 0x19,
275 0x15, 0xc2, 0xcf, 0xc3, 0x12, 0x3c, 0xe8, 0xa4,
276 0x52, 0x4c, 0xcb, 0x28, 0x3c, 0xc4, 0xbf, 0x95,
277 0x33, 0xe3, 0x81, 0xea, 0x0c, 0x6c, 0xa2, 0x05
278 };
279 static const PRUint8 rsa_prime1[FIPS_RSA_PRIME1_LENGTH] = {
280 0xce, 0x03, 0x94, 0xf4, 0xa9, 0x2c, 0x1e, 0x06,
281 0xe7, 0x40, 0x30, 0x01, 0xf7, 0xbb, 0x68, 0x8c,
282 0x27, 0xd2, 0x15, 0xe3, 0x28, 0x49, 0x5b, 0xa8,
283 0xc1, 0x9a, 0x42, 0x7e, 0x31, 0xf9, 0x08, 0x34,
284 0x81, 0xa2, 0x0f, 0x04, 0x61, 0x34, 0xe3, 0x36,
285 0x92, 0xb1, 0x09, 0x2b, 0xe9, 0xef, 0x84, 0x88,
286 0xbe, 0x9c, 0x98, 0x60, 0xa6, 0x60, 0x84, 0xe9,
287 0x75, 0x6f, 0xcc, 0x81, 0xd1, 0x96, 0xef, 0xdd,
288 0x2e, 0xca, 0xc4, 0xf5, 0x42, 0xfb, 0x13, 0x2b,
289 0x57, 0xbf, 0x14, 0x5e, 0xc2, 0x7f, 0x77, 0x35,
290 0x29, 0xc4, 0xe5, 0xe0, 0xf9, 0x6d, 0x15, 0x4a,
291 0x42, 0x56, 0x1c, 0x3e, 0x0c, 0xc5, 0xce, 0x70,
292 0x08, 0x63, 0x1e, 0x73, 0xdb, 0x7e, 0x74, 0x05,
293 0x32, 0x01, 0xc6, 0x36, 0x32, 0x75, 0x6b, 0xed,
294 0x9d, 0xfe, 0x7c, 0x7e, 0xa9, 0x57, 0xb4, 0xe9,
295 0x22, 0xe4, 0xe7, 0xfe, 0x36, 0x07, 0x9b, 0xdf
296 };
297 static const PRUint8 rsa_exponent0[FIPS_RSA_EXPONENT0_LENGTH] = {
298 0x04, 0x5a, 0x3a, 0xa9, 0x64, 0xaa, 0xd9, 0xd1,
299 0x09, 0x9e, 0x99, 0xe5, 0xea, 0x50, 0x86, 0x8a,
300 0x89, 0x72, 0x77, 0xee, 0xdb, 0xee, 0xb5, 0xa9,
301 0xd8, 0x6b, 0x60, 0xb1, 0x84, 0xb4, 0xff, 0x37,
302 0xc1, 0x1d, 0xfe, 0x8a, 0x06, 0x89, 0x61, 0x3d,
303 0x37, 0xef, 0x01, 0xd3, 0xa3, 0x56, 0x02, 0x6c,
304 0xa3, 0x05, 0xd4, 0xc5, 0x3f, 0x6b, 0x15, 0x59,
305 0x25, 0x61, 0xff, 0x86, 0xea, 0x0c, 0x84, 0x01,
306 0x85, 0x72, 0xfd, 0x84, 0x58, 0xca, 0x41, 0xda,
307 0x27, 0xbe, 0xe4, 0x68, 0x09, 0xe4, 0xe9, 0x63,
308 0x62, 0x6a, 0x31, 0x8a, 0x67, 0x8f, 0x55, 0xde,
309 0xd4, 0xb6, 0x3f, 0x90, 0x10, 0x6c, 0xf6, 0x62,
310 0x17, 0x23, 0x15, 0x7e, 0x33, 0x76, 0x65, 0xb5,
311 0xee, 0x7b, 0x11, 0x76, 0xf5, 0xbe, 0xe0, 0xf2,
312 0x57, 0x7a, 0x8c, 0x97, 0x0c, 0x68, 0xf5, 0xf8,
313 0x41, 0xcf, 0x7f, 0x66, 0x53, 0xac, 0x31, 0x7d
314 };
315 static const PRUint8 rsa_exponent1[FIPS_RSA_EXPONENT1_LENGTH] = {
316 0x93, 0x54, 0x14, 0x6e, 0x73, 0x9d, 0x4d, 0x4b,
317 0xfa, 0x8c, 0xf8, 0xc8, 0x2f, 0x76, 0x22, 0xea,
318 0x38, 0x80, 0x11, 0x8f, 0x05, 0xfc, 0x90, 0x44,
319 0x3b, 0x50, 0x2a, 0x45, 0x3d, 0x4f, 0xaf, 0x02,
320 0x7d, 0xc2, 0x7b, 0xa2, 0xd2, 0x31, 0x94, 0x5c,
321 0x2e, 0xc3, 0xd4, 0x9f, 0x47, 0x09, 0x37, 0x6a,
322 0xe3, 0x85, 0xf1, 0xa3, 0x0c, 0xd8, 0xf1, 0xb4,
323 0x53, 0x7b, 0xc4, 0x71, 0x02, 0x86, 0x42, 0xbb,
324 0x96, 0xff, 0x03, 0xa3, 0xb2, 0x67, 0x03, 0xea,
325 0x77, 0x31, 0xfb, 0x4b, 0x59, 0x24, 0xf7, 0x07,
326 0x59, 0xfb, 0xa9, 0xba, 0x1e, 0x26, 0x58, 0x97,
327 0x66, 0xa1, 0x56, 0x49, 0x39, 0xb1, 0x2c, 0x55,
328 0x0a, 0x6a, 0x78, 0x18, 0xba, 0xdb, 0xcf, 0xf4,
329 0xf7, 0x32, 0x35, 0xa2, 0x04, 0xab, 0xdc, 0xa7,
330 0x6d, 0xd9, 0xd5, 0x06, 0x6f, 0xec, 0x7d, 0x40,
331 0x4c, 0xe8, 0x0e, 0xd0, 0xc9, 0xaa, 0xdf, 0x59
332 };
333 static const PRUint8 rsa_coefficient[FIPS_RSA_COEFFICIENT_LENGTH] = {
334 0x17, 0xd7, 0xf5, 0x0a, 0xf0, 0x68, 0x97, 0x96,
335 0xc4, 0x29, 0x18, 0x77, 0x9a, 0x1f, 0xe3, 0xf3,
336 0x12, 0x13, 0x0f, 0x7e, 0x7b, 0xb9, 0xc1, 0x91,
337 0xf9, 0xc7, 0x08, 0x56, 0x5c, 0xa4, 0xbc, 0x83,
338 0x71, 0xf9, 0x78, 0xd9, 0x2b, 0xec, 0xfe, 0x6b,
339 0xdc, 0x2f, 0x63, 0xc9, 0xcd, 0x50, 0x14, 0x5b,
340 0xd3, 0x6e, 0x85, 0x4d, 0x0c, 0xa2, 0x0b, 0xa0,
341 0x09, 0xb6, 0xca, 0x34, 0x9c, 0xc2, 0xc1, 0x4a,
342 0xb0, 0xbc, 0x45, 0x93, 0xa5, 0x7e, 0x99, 0xb5,
343 0xbd, 0xe4, 0x69, 0x29, 0x08, 0x28, 0xd2, 0xcd,
344 0xab, 0x24, 0x78, 0x48, 0x41, 0x26, 0x0b, 0x37,
345 0xa3, 0x43, 0xd1, 0x95, 0x1a, 0xd6, 0xee, 0x22,
346 0x1c, 0x00, 0x0b, 0xc2, 0xb7, 0xa4, 0xa3, 0x21,
347 0xa9, 0xcd, 0xe4, 0x69, 0xd3, 0x45, 0x02, 0xb1,
348 0xb7, 0x3a, 0xbf, 0x51, 0x35, 0x1b, 0x78, 0xc2,
349 0xcf, 0x0c, 0x0d, 0x60, 0x09, 0xa9, 0x44, 0x02
350 };
351
352 /* RSA Known Plaintext Message (1024-bits). */
353 static const PRUint8 rsa_known_plaintext_msg[FIPS_RSA_MESSAGE_LENGTH] = {
354 "Known plaintext message utilized"
355 "for RSA Encryption & Decryption"
356 "blocks SHA256, SHA384 and "
357 "SHA512 RSA Signature KAT tests. "
358 "Known plaintext message utilized"
359 "for RSA Encryption & Decryption"
360 "blocks SHA256, SHA384 and "
361 "SHA512 RSA Signature KAT tests."
362 };
363
364 /* RSA Known Signed Hash (2048-bits). */
365 static const PRUint8 rsa_known_sha256_signature[] = {
366 0x8c, 0x2d, 0x2e, 0xfb, 0x37, 0xb5, 0x6f, 0x38,
367 0x9f, 0x06, 0x5a, 0xf3, 0x8c, 0xa0, 0xd0, 0x7a,
368 0xde, 0xcf, 0xf9, 0x14, 0x95, 0x59, 0xd3, 0x5f,
369 0x51, 0x5d, 0x5d, 0xad, 0xd8, 0x71, 0x33, 0x50,
370 0x1d, 0x03, 0x3b, 0x3a, 0x32, 0x00, 0xb4, 0xde,
371 0x7f, 0xe4, 0xb1, 0xe5, 0x6b, 0x83, 0xf4, 0x80,
372 0x10, 0x3b, 0xb8, 0x8a, 0xdb, 0xe8, 0x0a, 0x42,
373 0x9e, 0x8d, 0xd7, 0xbe, 0xed, 0xde, 0x5a, 0x3d,
374 0xc6, 0xdb, 0xfe, 0x49, 0x6a, 0xe9, 0x1e, 0x75,
375 0x66, 0xf1, 0x3f, 0x9e, 0x3f, 0xff, 0x05, 0x65,
376 0xde, 0xca, 0x62, 0x62, 0xf3, 0xec, 0x53, 0x09,
377 0xa0, 0x37, 0xd5, 0x66, 0x62, 0x72, 0x14, 0xb6,
378 0x51, 0x32, 0x67, 0x50, 0xc1, 0xe1, 0x2f, 0x9e,
379 0x98, 0x4e, 0x53, 0x96, 0x55, 0x4b, 0xc4, 0x92,
380 0xc3, 0xb4, 0x80, 0xf0, 0x35, 0xc9, 0x00, 0x4b,
381 0x5c, 0x85, 0x92, 0xb1, 0xe8, 0x6e, 0xa5, 0x51,
382 0x38, 0x9f, 0xc9, 0x11, 0xb6, 0x14, 0xdf, 0x34,
383 0x64, 0x40, 0x82, 0x82, 0xde, 0x16, 0x69, 0x93,
384 0x89, 0x4e, 0x5c, 0x32, 0xf2, 0x0a, 0x4e, 0x9e,
385 0xbd, 0x63, 0x99, 0x4f, 0xf3, 0x15, 0x90, 0xc2,
386 0xfe, 0x6f, 0xb7, 0xf4, 0xad, 0xd4, 0x8e, 0x0b,
387 0xd2, 0xf5, 0x22, 0xd2, 0x71, 0x65, 0x13, 0xf7,
388 0x82, 0x7b, 0x75, 0xb6, 0xc1, 0xb4, 0x45, 0xbd,
389 0x8f, 0x95, 0xcf, 0x5b, 0x95, 0x32, 0xef, 0x18,
390 0x5f, 0xd3, 0xdf, 0x7e, 0x22, 0xdd, 0x25, 0xeb,
391 0xe1, 0xbf, 0x3b, 0x9a, 0x55, 0x75, 0x4f, 0x3c,
392 0x38, 0x67, 0x57, 0x04, 0x04, 0x57, 0x27, 0xf6,
393 0x34, 0x0e, 0x57, 0x8a, 0x7c, 0xff, 0x7d, 0xca,
394 0x8c, 0x06, 0xf8, 0x9d, 0xdb, 0xe4, 0xd8, 0x19,
395 0xdd, 0x4d, 0xfd, 0x8f, 0xa0, 0x06, 0x53, 0xe8,
396 0x33, 0x00, 0x70, 0x3f, 0x6b, 0xc3, 0xbd, 0x9a,
397 0x78, 0xb5, 0xa9, 0xef, 0x6d, 0xda, 0x67, 0x92
398 };
399
400 /* RSA Known Signed Hash (2048-bits). */
401 static const PRUint8 rsa_known_sha384_signature[] = {
402 0x20, 0x2d, 0x21, 0x3a, 0xaa, 0x1e, 0x05, 0x15,
403 0x5c, 0xca, 0x84, 0x86, 0xc0, 0x15, 0x81, 0xdf,
404 0xd4, 0x06, 0x9f, 0xe0, 0xc1, 0xed, 0xef, 0x0f,
405 0xfe, 0xb3, 0xc3, 0xbb, 0x28, 0xa5, 0x56, 0xbf,
406 0xe3, 0x11, 0x5c, 0xc2, 0xc0, 0x0b, 0xfa, 0xfa,
407 0x3d, 0xd3, 0x06, 0x20, 0xe2, 0xc9, 0xe4, 0x66,
408 0x28, 0xb7, 0xc0, 0x3b, 0x3c, 0x96, 0xc6, 0x49,
409 0x3b, 0xcf, 0x86, 0x49, 0x31, 0xaf, 0x5b, 0xa3,
410 0xec, 0x63, 0x10, 0xdf, 0xda, 0x2f, 0x68, 0xac,
411 0x7b, 0x3a, 0x49, 0xfa, 0xe6, 0x0d, 0xfe, 0x37,
412 0x17, 0x56, 0x8e, 0x5c, 0x48, 0x97, 0x43, 0xf7,
413 0xa0, 0xbc, 0xe3, 0x4b, 0x42, 0xde, 0x58, 0x1d,
414 0xd9, 0x5d, 0xb3, 0x08, 0x35, 0xbd, 0xa4, 0xe1,
415 0x80, 0xc3, 0x64, 0xab, 0x21, 0x97, 0xad, 0xfb,
416 0x71, 0xee, 0xa3, 0x3d, 0x9c, 0xaa, 0xfa, 0x16,
417 0x60, 0x46, 0x32, 0xda, 0x44, 0x2e, 0x10, 0x92,
418 0x20, 0xd8, 0x98, 0x80, 0x84, 0x75, 0x5b, 0x70,
419 0x91, 0x00, 0x33, 0x19, 0x69, 0xc9, 0x2a, 0xec,
420 0x3d, 0xe5, 0x5f, 0x0f, 0x9a, 0xa7, 0x97, 0x1f,
421 0x79, 0xc3, 0x1d, 0x65, 0x74, 0x62, 0xc5, 0xa1,
422 0x23, 0x65, 0x4b, 0x84, 0xa1, 0x03, 0x98, 0xf3,
423 0xf1, 0x02, 0x24, 0xca, 0xe5, 0xd4, 0xc8, 0xa2,
424 0x30, 0xad, 0x72, 0x7d, 0x29, 0x60, 0x1a, 0x8e,
425 0x6f, 0x23, 0xa4, 0xda, 0x68, 0xa4, 0x45, 0x9c,
426 0x39, 0x70, 0x44, 0x18, 0x4b, 0x73, 0xfe, 0xf8,
427 0x33, 0x53, 0x1d, 0x7e, 0x93, 0x93, 0xac, 0xc7,
428 0x1e, 0x6e, 0x6b, 0xfd, 0x9e, 0xba, 0xa6, 0x71,
429 0x70, 0x47, 0x6a, 0xd6, 0x82, 0x32, 0xa2, 0x6e,
430 0x20, 0x72, 0xb0, 0xba, 0xec, 0x91, 0xbb, 0x6b,
431 0xcc, 0x84, 0x0a, 0x33, 0x2b, 0x8a, 0x8d, 0xeb,
432 0x71, 0xcd, 0xca, 0x67, 0x1b, 0xad, 0x10, 0xd4,
433 0xce, 0x4f, 0xc0, 0x29, 0xec, 0xfa, 0xed, 0xfa
434 };
435
436 /* RSA Known Signed Hash (2048-bits). */
437 static const PRUint8 rsa_known_sha512_signature[] = {
438 0x35, 0x0e, 0x74, 0x9d, 0xeb, 0xc7, 0x67, 0x31,
439 0x9f, 0xff, 0x0b, 0xbb, 0x5e, 0x66, 0xb4, 0x2f,
440 0xbf, 0x72, 0x60, 0x4f, 0xe9, 0xbd, 0xec, 0xc8,
441 0x17, 0x79, 0x5f, 0x39, 0x83, 0xb4, 0x54, 0x2e,
442 0x01, 0xb9, 0xd3, 0x20, 0x47, 0xcb, 0xd4, 0x42,
443 0xf2, 0x6e, 0x36, 0xc1, 0x97, 0xad, 0xef, 0x8e,
444 0xe6, 0x51, 0xee, 0x5e, 0x9e, 0x88, 0xb4, 0x9d,
445 0xda, 0x3e, 0x77, 0x4b, 0xe8, 0xae, 0x48, 0x53,
446 0x2c, 0xc4, 0xd3, 0x25, 0x6b, 0x23, 0xb7, 0x54,
447 0x3c, 0x95, 0x8f, 0xfb, 0x6f, 0x6d, 0xc5, 0x56,
448 0x39, 0x69, 0x28, 0x0e, 0x74, 0x9b, 0x31, 0xe8,
449 0x76, 0x77, 0x2b, 0xc1, 0x44, 0x89, 0x81, 0x93,
450 0xfc, 0xf6, 0xec, 0x5f, 0x8f, 0x89, 0xfc, 0x1d,
451 0xa4, 0x53, 0x58, 0x8c, 0xe9, 0xc0, 0xc0, 0x26,
452 0xe6, 0xdf, 0x6d, 0x27, 0xb1, 0x8e, 0x3e, 0xb6,
453 0x47, 0xe1, 0x02, 0x96, 0xc2, 0x5f, 0x7f, 0x3d,
454 0xc5, 0x6c, 0x2f, 0xea, 0xaa, 0x5e, 0x39, 0xfc,
455 0x77, 0xca, 0x00, 0x02, 0x5c, 0x64, 0x7c, 0xce,
456 0x7d, 0x63, 0x82, 0x05, 0xed, 0xf7, 0x5b, 0x55,
457 0x58, 0xc0, 0xeb, 0x76, 0xd7, 0x95, 0x55, 0x37,
458 0x85, 0x7d, 0x17, 0xad, 0xd2, 0x11, 0xfd, 0x97,
459 0x48, 0xb5, 0xc2, 0x5e, 0xc7, 0x62, 0xc0, 0xe0,
460 0x68, 0xa8, 0x61, 0x14, 0x41, 0xca, 0x25, 0x3a,
461 0xec, 0x48, 0x54, 0x22, 0x83, 0x2b, 0x69, 0x54,
462 0xfd, 0xc8, 0x99, 0x9a, 0xee, 0x37, 0x03, 0xa3,
463 0x8f, 0x0f, 0x32, 0xb0, 0xaa, 0x74, 0x39, 0x04,
464 0x7c, 0xd9, 0xc2, 0x8f, 0xbe, 0xf2, 0xc4, 0xbe,
465 0xdd, 0x7a, 0x7a, 0x7f, 0x72, 0xd3, 0x80, 0x59,
466 0x18, 0xa0, 0xa1, 0x2d, 0x6f, 0xa3, 0xa9, 0x48,
467 0xed, 0x20, 0xa6, 0xea, 0xaa, 0x10, 0x83, 0x98,
468 0x0c, 0x13, 0x69, 0x6e, 0xcd, 0x31, 0x6b, 0xd0,
469 0x66, 0xa6, 0x5e, 0x30, 0x0c, 0x82, 0xd5, 0x81
470 };
471
472 static const RSAPublicKey bl_public_key = {
473 NULL,
474 { FIPS_RSA_TYPE, (unsigned char *)rsa_modulus,
475 FIPS_RSA_MODULUS_LENGTH },
476 { FIPS_RSA_TYPE, (unsigned char *)rsa_public_exponent,
477 FIPS_RSA_PUBLIC_EXPONENT_LENGTH }
478 };
479 static const RSAPrivateKey bl_private_key = {
480 NULL,
481 { FIPS_RSA_TYPE, (unsigned char *)rsa_version,
482 FIPS_RSA_PRIVATE_VERSION_LENGTH },
483 { FIPS_RSA_TYPE, (unsigned char *)rsa_modulus,
484 FIPS_RSA_MODULUS_LENGTH },
485 { FIPS_RSA_TYPE, (unsigned char *)rsa_public_exponent,
486 FIPS_RSA_PUBLIC_EXPONENT_LENGTH },
487 { FIPS_RSA_TYPE, (unsigned char *)rsa_private_exponent,
488 FIPS_RSA_PRIVATE_EXPONENT_LENGTH },
489 { FIPS_RSA_TYPE, (unsigned char *)rsa_prime0,
490 FIPS_RSA_PRIME0_LENGTH },
491 { FIPS_RSA_TYPE, (unsigned char *)rsa_prime1,
492 FIPS_RSA_PRIME1_LENGTH },
493 { FIPS_RSA_TYPE, (unsigned char *)rsa_exponent0,
494 FIPS_RSA_EXPONENT0_LENGTH },
495 { FIPS_RSA_TYPE, (unsigned char *)rsa_exponent1,
496 FIPS_RSA_EXPONENT1_LENGTH },
497 { FIPS_RSA_TYPE, (unsigned char *)rsa_coefficient,
498 FIPS_RSA_COEFFICIENT_LENGTH }
499 };
500
501 /* RSA variables. */
502 #ifdef CREATE_TEMP_ARENAS
503 PLArenaPool *rsa_public_arena;
504 PLArenaPool *rsa_private_arena;
505 #endif
506 NSSLOWKEYPublicKey *rsa_public_key;
507 NSSLOWKEYPrivateKey *rsa_private_key;
508 SECStatus rsa_status;
509
510 NSSLOWKEYPublicKey low_public_key = { NULL, NSSLOWKEYRSAKey };
511 NSSLOWKEYPrivateKey low_private_key = { NULL, NSSLOWKEYRSAKey };
512
513 /****************************************/
514 /* Compose RSA Public/Private Key Pair. */
515 /****************************************/
516
517 low_public_key.u.rsa = bl_public_key;
518 low_private_key.u.rsa = bl_private_key;
519
520 rsa_public_key = &low_public_key;
521 rsa_private_key = &low_private_key;
522
523 #ifdef CREATE_TEMP_ARENAS
524 /* Create some space for the RSA public key. */
525 rsa_public_arena = PORT_NewArena(NSS_SOFTOKEN_DEFAULT_CHUNKSIZE);
526
527 if (rsa_public_arena == NULL) {
528 PORT_SetError(SEC_ERROR_NO_MEMORY);
529 return (SECFailure);
530 }
531
532 /* Create some space for the RSA private key. */
533 rsa_private_arena = PORT_NewArena(NSS_SOFTOKEN_DEFAULT_CHUNKSIZE);
534
535 if (rsa_private_arena == NULL) {
536 PORT_FreeArena(rsa_public_arena, PR_TRUE);
537 PORT_SetError(SEC_ERROR_NO_MEMORY);
538 return (SECFailure);
539 }
540
541 rsa_public_key->arena = rsa_public_arena;
542 rsa_private_key->arena = rsa_private_arena;
543 #endif
544
545 /**************************************************/
546 /* RSA Hash tests */
547 /**************************************************/
548
549 rsa_status = sftk_fips_RSA_PowerUpSigSelfTest(HASH_AlgSHA256,
550 rsa_public_key, rsa_private_key,
551 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
552 rsa_known_sha256_signature);
553 if (rsa_status != SECSuccess)
554 goto rsa_loser;
555
556 rsa_status = sftk_fips_RSA_PowerUpSigSelfTest(HASH_AlgSHA384,
557 rsa_public_key, rsa_private_key,
558 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
559 rsa_known_sha384_signature);
560 if (rsa_status != SECSuccess)
561 goto rsa_loser;
562
563 rsa_status = sftk_fips_RSA_PowerUpSigSelfTest(HASH_AlgSHA512,
564 rsa_public_key, rsa_private_key,
565 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
566 rsa_known_sha512_signature);
567 if (rsa_status != SECSuccess)
568 goto rsa_loser;
569
570 /* Dispose of all RSA key material. */
571 nsslowkey_DestroyPublicKey(rsa_public_key);
572 nsslowkey_DestroyPrivateKey(rsa_private_key);
573
574 return (SECSuccess);
575
576 rsa_loser:
577
578 nsslowkey_DestroyPublicKey(rsa_public_key);
579 nsslowkey_DestroyPrivateKey(rsa_private_key);
580
581 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
582 return (SECFailure);
583 }
584
585 static SECStatus
sftk_fips_HKDF_PowerUpSelfTest(void)586 sftk_fips_HKDF_PowerUpSelfTest(void)
587 {
588 SECStatus status;
589 static const unsigned char base_key[] = {
590 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
591 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
592 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
593 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
594 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
595 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
596 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
597 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f
598 };
599 static const unsigned char known_hkdf_sha256_key[] = {
600 0xdd, 0xdb, 0xeb, 0xe5, 0x6d, 0xd2, 0x96, 0xa4,
601 0x07, 0xc5, 0x7d, 0xda, 0x31, 0x56, 0x8d, 0xa5,
602 0x41, 0x3e, 0x90, 0xd4, 0xe6, 0x98, 0xeb, 0xf8,
603 0x5a, 0x49, 0x7f, 0x38, 0xef, 0x01, 0x8a, 0xe5,
604 0xda, 0x36, 0xe5, 0xcf, 0x21, 0xe3, 0x9f, 0xc3,
605 0x32, 0xb3, 0x1e, 0xf6, 0xc5, 0x10, 0x4c, 0x86,
606 0x53, 0x5e, 0x6f, 0xe0, 0x63, 0x6e, 0x43, 0x33,
607 0x61, 0x35, 0xf4, 0x17, 0x10, 0x77, 0x75, 0x2a
608 };
609 /* current NIST IG's say we only need to test one instance
610 * of kdfs, keep these others around in case the guidance
611 * changes */
612 #ifdef NSS_FULL_POST
613 static const unsigned char known_hkdf_sha384_key[] = {
614 0x35, 0x64, 0xc4, 0xa1, 0xcc, 0xc1, 0xdc, 0xe4,
615 0xe2, 0xca, 0x51, 0xae, 0xe8, 0x92, 0x88, 0x30,
616 0x8b, 0xb0, 0x2b, 0xac, 0x00, 0x15, 0xac, 0x15,
617 0x97, 0xc9, 0xf4, 0x6b, 0xf6, 0x3f, 0x97, 0xea,
618 0x48, 0x55, 0x38, 0x25, 0x06, 0x5d, 0x91, 0x64,
619 0xbd, 0x09, 0xf3, 0x44, 0xbc, 0x82, 0xbe, 0xdb,
620 0x5c, 0xd7, 0xf2, 0x24, 0xa5, 0x55, 0x8d, 0xa9,
621 0xa8, 0x85, 0xde, 0x8c, 0x33, 0xe0, 0x4d, 0xc3
622 };
623 static const unsigned char known_hkdf_sha512_key[] = {
624 0x63, 0x4e, 0xbc, 0x42, 0xb3, 0x56, 0x74, 0x7d,
625 0x1b, 0x55, 0xf0, 0x34, 0x54, 0xcb, 0x6d, 0x58,
626 0x39, 0x96, 0x10, 0xda, 0x03, 0x20, 0x8f, 0x77,
627 0x0d, 0xb4, 0xf7, 0xf6, 0x67, 0x0d, 0x5b, 0x6b,
628 0xd0, 0x30, 0xc4, 0xdd, 0x67, 0x61, 0x5d, 0x9a,
629 0xf5, 0x18, 0x6e, 0x1b, 0x60, 0x97, 0xc2, 0x4d,
630 0x23, 0x43, 0x69, 0xe6, 0x3b, 0xa5, 0xdf, 0xe9,
631 0x7c, 0xf1, 0x87, 0x48, 0x6f, 0xb9, 0xd3, 0x02
632 };
633 #endif
634 unsigned char outBytes[64] = { 0 };
635
636 CK_HKDF_PARAMS hkdf_params;
637
638 hkdf_params.bExpand = CK_TRUE;
639 hkdf_params.bExtract = CK_TRUE;
640 hkdf_params.ulSaltType = CKF_HKDF_SALT_DATA;
641 hkdf_params.pSalt = (CK_BYTE_PTR)base_key;
642 hkdf_params.ulSaltLen = sizeof(base_key);
643 hkdf_params.pInfo = (CK_BYTE_PTR)base_key;
644 hkdf_params.ulInfoLen = sizeof(base_key);
645
646 /**************************************************/
647 /* HKDF tests */
648 /**************************************************/
649
650 hkdf_params.prfHashMechanism = CKM_SHA256_HMAC;
651 status = sftk_HKDF(&hkdf_params, CK_INVALID_HANDLE, NULL,
652 base_key, 32, NULL, outBytes, sizeof(outBytes),
653 PR_TRUE, PR_TRUE);
654 if ((status != SECSuccess) ||
655 PORT_Memcmp(outBytes, known_hkdf_sha256_key, sizeof(outBytes)) != 0) {
656 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
657 return (SECFailure);
658 }
659
660 #ifdef NSS_FULL_POST
661 hkdf_params.prfHashMechanism = CKM_SHA384_HMAC;
662 status = sftk_HKDF(&hkdf_params, CK_INVALID_HANDLE, NULL,
663 base_key, 48, NULL, outBytes, sizeof(outBytes),
664 PR_TRUE, PR_TRUE);
665 if ((status != SECSuccess) ||
666 PORT_Memcmp(outBytes, known_hkdf_sha384_key, sizeof(outBytes)) != 0) {
667 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
668 return (SECFailure);
669 }
670
671 hkdf_params.prfHashMechanism = CKM_SHA512_HMAC;
672 status = sftk_HKDF(&hkdf_params, CK_INVALID_HANDLE, NULL,
673 base_key, 64, NULL, outBytes, sizeof(outBytes),
674 PR_TRUE, PR_TRUE);
675 if ((status != SECSuccess) ||
676 PORT_Memcmp(outBytes, known_hkdf_sha512_key, sizeof(outBytes)) != 0) {
677 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
678 return (SECFailure);
679 }
680 #endif
681
682 return (SECSuccess);
683 }
684
685 static PRBool sftk_self_tests_ran = PR_FALSE;
686 static PRBool sftk_self_tests_success = PR_FALSE;
687
688 /*
689 * This function is called at dll load time, the code tha makes this
690 * happen is platform specific on defined above.
691 */
692 static void
sftk_startup_tests(void)693 sftk_startup_tests(void)
694 {
695 SECStatus rv;
696 const char *libraryName = SOFTOKEN_LIB_NAME;
697
698 PORT_Assert(!sftk_self_tests_ran);
699 PORT_Assert(!sftk_self_tests_success);
700 sftk_self_tests_ran = PR_TRUE;
701 sftk_self_tests_success = PR_FALSE; /* just in case */
702
703 /* need to initiallize the oid library before the RSA tests */
704 rv = SECOID_Init();
705 if (rv != SECSuccess) {
706 return;
707 }
708 /* make sure freebl is initialized, or our RSA check
709 * may fail. This is normally done at freebl load time, but it's
710 * possible we may have shut freebl down without unloading it. */
711 rv = BL_Init();
712 if (rv != SECSuccess) {
713 return;
714 }
715
716 rv = RNG_RNGInit();
717 if (rv != SECSuccess) {
718 return;
719 }
720 /* check the RSA combined functions in softoken */
721 rv = sftk_fips_RSA_PowerUpSelfTest();
722 if (rv != SECSuccess) {
723 return;
724 }
725 if (!BLAPI_SHVerify(libraryName,
726 (PRFuncPtr)&sftk_fips_RSA_PowerUpSelfTest)) {
727 /* something is wrong with the library, fail without enabling
728 * the token */
729 return;
730 }
731 rv = sftk_fips_IKE_PowerUpSelfTests();
732 if (rv != SECSuccess) {
733 return;
734 }
735
736 rv = sftk_fips_SP800_108_PowerUpSelfTests();
737 if (rv != SECSuccess) {
738 return;
739 }
740
741 rv = sftk_fips_HKDF_PowerUpSelfTest();
742 if (rv != SECSuccess) {
743 return;
744 }
745
746 rv = sftk_fips_pbkdf_PowerUpSelfTests();
747 if (rv != SECSuccess) {
748 return;
749 }
750
751 sftk_self_tests_success = PR_TRUE;
752 }
753
754 /*
755 * this is called from nsc_Common_Initizialize entry points that gates access
756 * to * all other pkcs11 functions. This prevents softoken operation if our
757 * power on selftest failed.
758 */
759 CK_RV
sftk_FIPSEntryOK()760 sftk_FIPSEntryOK()
761 {
762 #ifdef NSS_NO_INIT_SUPPORT
763 /* this should only be set on platforms that can't handle one of the INIT
764 * schemes. This code allows those platforms to continue to function,
765 * though they don't meet the strict NIST requirements. If NSS_NO_INIT_SUPPORT
766 * is not set, and init support has not been properly enabled, softken
767 * will always fail because of the test below
768 */
769 if (!sftk_self_tests_ran) {
770 sftk_startup_tests();
771 }
772 #endif
773 if (!sftk_self_tests_success) {
774 return CKR_DEVICE_ERROR;
775 }
776 return CKR_OK;
777 }
778 #else
779 #include "pkcs11t.h"
780 CK_RV
sftk_FIPSEntryOK()781 sftk_FIPSEntryOK()
782 {
783 return CKR_DEVICE_ERROR;
784 }
785 #endif /* NSS_FIPS_DISABLED */
786