Merge pull request #665 from cisco/libacvp_1_4_0-throttle

Merge libacvp 1.4.1 into main branch

README.md

@@ -227,8 +227,8 @@ need to link to those libraries.
 Murl is not supported in windows at this time.
 
 ## Running
-1. `export LD_LIBRARY_PATH=<path to ssl lib;path to curl lib>`
-2. Modify and run `scripts/nist_setup.sh`
+1. `export LD_LIBRARY_PATH="<path to ssl lib;path to curl lib>"`
+2. Modify scripts/nist_setup.sh and run `source scripts/nist_setup.sh`
 3. `./app/acvp_app --<options>`
 
 Use `./app/acvp_app --help` for more information on available options.

app/app_aes.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, Cisco Systems, Inc.
+ * Copyright (c) 2021, Cisco Systems, Inc.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy

app/app_cli.c

@@ -15,9 +15,11 @@
 #include "safe_lib.h"
 
 #ifdef ACVP_NO_RUNTIME
-# include "app_fips_lcl.h"
+#include "app_fips_lcl.h"
 #endif
 
+#include <openssl/crypto.h>
+
 #define ANSI_COLOR_RED "\x1b[31m"
 #define ANSI_COLOR_YELLOW "\x1b[33m"
 #define ANSI_COLOR_RESET "\x1b[0m"
@@ -60,7 +62,7 @@ static void print_usage(int code) {
         printf("For any activity requiring the creation of a test session and/or the processing\n");
         printf("of test cases, acvp_app requires the specification of at least one algorithm\n");
         printf("suite. Algorithm suites are enabled or disabled at build time depending on the\n");
-        printf("capabilities of the provided cryptographic library.\n");
+        printf("capabilities of the provided cryptographic library.\n\n");
     }
     printf("Algorithm Test Suites:\n");
     printf("      --all_algs (or -a, Enable all of the suites below)\n");
@@ -181,6 +183,34 @@ static void print_usage(int code) {
     printf("        ACV_OE_COMPILER\n\n");
 }
 
+static void print_version_info(void) {
+    printf("\nACVP library version(protocol version): %s(%s)\n\n", acvp_version(), acvp_protocol_version());
+
+#ifdef ACVP_NO_RUNTIME
+    printf("        Runtime mode: no\n");
+    printf(" FIPS module version: %s\n", FIPS_module_version_text());
+#else
+    printf("        Runtime mode: yes\n");
+    if (FIPS_mode()) {
+        printf("           FIPS mode: yes\n");
+    } else {
+        printf("           FIPS mode: no\n");
+    }
+#endif
+
+#ifdef OPENSSL_VERSION_TEXT
+    printf("Compiled SSL version: %s\n", OPENSSL_VERSION_TEXT);
+#else
+    printf("Compiled SSL version: not detected\n");
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+    printf("  Linked SSL version: %s\n", SSLeay_version(SSLEAY_VERSION));
+#else
+    printf("  Linked SSL version: %s\n", OpenSSL_version(OPENSSL_VERSION));
+#endif
+}
+
 static ko_longopt_t longopts[] = {
     { "version", ko_no_argument, 301 },
     { "help", ko_optional_argument, 302 },
@@ -296,27 +326,27 @@ int ingest_cli(APP_CONFIG *cfg, int argc, char **argv) {
     default_config(cfg);
 
     while ((c = ketopt(&opt, argc, argv, 1, "vhas:u:r:p:", longopts)) >= 0) {
-        diff = 0;
+        diff = 1;
 
         switch (c) {
         case 'v':
-            printf("\nACVP library version(protocol version): %s(%s)\n", acvp_version(), acvp_protocol_version());
-            return 1;
-        case 'h':
-            print_usage(0);
-            return 1;
         case 301:
-            printf("\nACVP library version(protocol version): %s(%s)\n", acvp_version(), acvp_protocol_version());
+            print_version_info();
             return 1;
+        case 'h':
         case 302:
-            len = strnlen_s(opt.arg, JSON_FILENAME_LENGTH + 1);
-            if (len > JSON_FILENAME_LENGTH) {
-                printf("help option name too long\n");
-                return 1;
-            }
-            strncmp_s(opt.arg, len, "verbose", 7, &diff);
-            if (!diff) {
-                print_usage(ACVP_LOG_LVL_VERBOSE);
+            if (opt.arg) {
+                len = strnlen_s(opt.arg, JSON_FILENAME_LENGTH + 1);
+                if (len > JSON_FILENAME_LENGTH || len <= 0) {
+                    printf("invalid help option length\n");
+                    return 1;
+                }
+                strncmp_s(opt.arg, len, "--verbose", 9, &diff);
+                if (!diff) {
+                    print_usage(ACVP_LOG_LVL_VERBOSE);
+                } else {
+                    print_usage(0);
+                }
             } else { 
                 print_usage(0);
             }

app/app_cmac.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, Cisco Systems, Inc.
+ * Copyright (c) 2021, Cisco Systems, Inc.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy

app/app_des.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, Cisco Systems, Inc.
+ * Copyright (c) 2021, Cisco Systems, Inc.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy

app/app_drbg.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, Cisco Systems, Inc.
+ * Copyright (c) 2021, Cisco Systems, Inc.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -78,7 +78,7 @@ int app_drbg_handler(ACVP_TEST_CASE *test_case) {
 
     alg = acvp_get_drbg_alg(tc->cipher);
     if (alg == 0) {
-        printf("Invalid cipher value");
+        printf("Invalid cipher value\n");
         return 1;
     }
 
@@ -225,6 +225,24 @@ int app_drbg_handler(ACVP_TEST_CASE *test_case) {
         break;
     }
 
+    if (!tc->pred_resist_enabled && tc->reseed && !tc->entropy_input_pr_0) {
+        printf("Missing entropy input needed for reseed\n");
+        return 1;
+    }
+    if (!drbg_entropy_len || !tc->pr1_len || !tc->pr2_len ||
+        !tc->entropy || !tc->entropy_input_pr_1 || !tc->entropy_input_pr_2) {
+        printf("Insufficient entropy for testing DRBG\n");
+        return 1;
+    }
+    if (!tc->drb) {
+        printf("Invalid output buffer for DRBG test\n");
+        return 1;
+    }
+    if (!tc->perso_string) {
+        printf("Missing persoString for DRBG test\n");
+        return 1;
+    }
+
     DRBG_CTX *drbg_ctx = NULL;
     DRBG_TEST_ENT entropy_nonce;
     memzero_s(&entropy_nonce, sizeof(DRBG_TEST_ENT));

app/app_dsa.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, Cisco Systems, Inc.
+ * Copyright (c) 2021, Cisco Systems, Inc.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy

app/app_ecdsa.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, Cisco Systems, Inc.
+ * Copyright (c) 2021, Cisco Systems, Inc.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy

app/app_fips_lcl.h

@@ -3,7 +3,7 @@
  *  using libacvp.
  */
 /*****************************************************************************
-* Copyright (c) 2019, Cisco Systems, Inc.
+* Copyright (c) 2021, Cisco Systems, Inc.
 * All rights reserved.
 
 * Redistribution and use in source and binary forms, with or without modification,

app/app_hmac.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, Cisco Systems, Inc.
+ * Copyright (c) 2021, Cisco Systems, Inc.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy

app/app_kas_kdf.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, Cisco Systems, Inc.
+ * Copyright (c) 2021, Cisco Systems, Inc.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -13,6 +13,10 @@
 #include "app_lcl.h"
 #include "safe_lib.h"
 
+#ifdef ACVP_NO_RUNTIME
+#include "app_fips_lcl.h" /* All regular OpenSSL headers must come before here */
+#endif
+
 int app_kas_hkdf_handler(ACVP_TEST_CASE *test_case) {
     ACVP_KAS_HKDF_TC *stc = NULL;
     const EVP_MD *md = NULL;

app/app_kdf.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, Cisco Systems, Inc.
+ * Copyright (c) 2021, Cisco Systems, Inc.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -16,6 +16,8 @@
 
 #define TLS_MD_MASTER_SECRET_CONST              "master secret"
 #define TLS_MD_MASTER_SECRET_CONST_SIZE         13
+#define TLS_MD_EXTENDED_MASTER_SECRET_CONST     "extended master secret"
+#define TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE 22
 #define TLS_MD_KEY_EXPANSION_CONST              "key expansion"
 #define TLS_MD_KEY_EXPANSION_CONST_SIZE         13
 
@@ -82,6 +84,13 @@ int app_pbkdf_handler(ACVP_TEST_CASE *test_case) {
     return 1;
 }
 
+int app_kdf_tls12_handler(ACVP_TEST_CASE *test_case) {
+    if (!test_case) {
+        return -1;
+    }
+    return 1;
+}
+
 int app_kdf_tls13_handler(ACVP_TEST_CASE *test_case) {
     if (!test_case) {
         return -1;

app/app_lcl.h

@@ -28,7 +28,7 @@ extern "C"
 #define JSON_STRING_LENGTH 32
 #define JSON_REQUEST_LENGTH 128
 
-char value[JSON_STRING_LENGTH];
+extern char value[JSON_STRING_LENGTH];
 
 typedef struct app_config {
     ACVP_LOG_LVL level;
@@ -106,6 +106,7 @@ int app_kdf108_handler(ACVP_TEST_CASE *test_case);
 int app_kdf135_ikev1_handler(ACVP_TEST_CASE *test_case);
 int app_kdf135_x963_handler(ACVP_TEST_CASE *test_case);
 int app_pbkdf_handler(ACVP_TEST_CASE *test_case);
+int app_kdf_tls12_handler(ACVP_TEST_CASE *test_case);
 int app_kdf_tls13_handler(ACVP_TEST_CASE *test_case);
 
 void app_dsa_cleanup(void);