cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
if ! egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
- fi \
+ fi; \
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
fi; \
if [ -f "$$i" ]; then \
( echo installing $$i; \
cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
fi; \
done;
#include <openssl/dsa.h>
#include <openssl/rand.h>
+#ifndef OPENSSL_FIPS
int DSA_generate_key(DSA *dsa)
{
int ok=0;
return(ok);
}
#endif
+#endif
@$(PERL) $(TOP)/util/mklink.pl $(TOP)/apps $(APPS)
install:
- @for i in $(EXHEADER) ; \
- do \
- (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- done;
+# some shells don't like empty lists
+# @for i in $(EXHEADER) ; \
+# do \
+# (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+# chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+# done;
tags:
ctags $(SRC)
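Review bot: Commenting out the whole `install` recipe leaves dead code in the Makefile, and headers will silently not be installed if `EXHEADER` ever becomes non-empty again. The empty-list problem the new comment mentions can be avoided without disabling the loop by going through a shell variable, e.g. `@headerlist="$(EXHEADER)"; for i in $$headerlist ; \` with the rest of the loop unchanged. The same change is repeated in the second `install:` hunk further down the page, and this note applies there as well.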
SHA1(fips_dsa_ossl.c)= 592cd23f6e63bc08b9c960014d52aad05594f913
-SHA1(fips_dsa_gen.c)= 87e185e25c1d606922651ea264470cb93c04e6a8
+SHA1(fips_dsa_gen.c)= 418cbd83675130cf7c45f3ea669b96167a1d65aa
SHA1(fips_dsa_selftest.c)= d638e2d13912befe42e0ed6efa8a27719b6689d5
#ifdef OPENSSL_FIPS
+static int fips_check_dsa(DSA *dsa)
+ {
+ static const unsigned char str1[]="12345678901234567890";
+ unsigned char sig[256];
+ unsigned int siglen;
+
+ DSA_sign(0, str1, 20, sig, &siglen, dsa);
+ if(DSA_verify(0, str1, 20, sig, siglen, dsa) != 1)
+ {
+ FIPSerr(FIPS_F_FIPS_CHECK_DSA,FIPS_R_PAIRWISE_TEST_FAILED);
+ return 0;
+ }
+ return 1;
+ }
+
DSA *DSA_generate_parameters(int bits,
unsigned char *seed_in, int seed_len,
int *counter_ret, unsigned long *h_ret,
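Review bot: `fips_check_dsa` ignores the return value of `DSA_sign`, so when signing fails `siglen` is read uninitialized and `DSA_verify` runs over whatever happens to be in `sig`. The check should fail closed: `if(!DSA_sign(0, str1, 20, sig, &siglen, dsa) || DSA_verify(0, str1, 20, sig, siglen, dsa) != 1)`. `sig` is also a fixed 256 bytes while the signature length depends on the caller's `q`; comparing `DSA_size(dsa)` with `sizeof(sig)` before signing would rule out an overrun for unusually large parameters. A short comment above the function saying that it is the pairwise consistency test run on a freshly generated key would help the next reader.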
if (mont != NULL) BN_MONT_CTX_free(mont);
return(ok?ret:NULL);
}
+
+int DSA_generate_key(DSA *dsa)
+ {
+ int ok=0;
+ BN_CTX *ctx=NULL;
+ BIGNUM *pub_key=NULL,*priv_key=NULL;
+
+ if ((ctx=BN_CTX_new()) == NULL) goto err;
+
+ if (dsa->priv_key == NULL)
+ {
+ if ((priv_key=BN_new()) == NULL) goto err;
+ }
+ else
+ priv_key=dsa->priv_key;
+
+ do
+ if (!BN_rand_range(priv_key,dsa->q)) goto err;
+ while (BN_is_zero(priv_key));
+
+ if (dsa->pub_key == NULL)
+ {
+ if ((pub_key=BN_new()) == NULL) goto err;
+ }
+ else
+ pub_key=dsa->pub_key;
+
+ if (!BN_mod_exp(pub_key,dsa->g,priv_key,dsa->p,ctx)) goto err;
+
+ dsa->priv_key=priv_key;
+ dsa->pub_key=pub_key;
+
+ if(!fips_check_dsa(dsa))
+ goto err;
+
+ ok=1;
+
+err:
+ if ((pub_key != NULL) && (dsa->pub_key == NULL)) BN_free(pub_key);
+ if ((priv_key != NULL) && (dsa->priv_key == NULL)) BN_free(priv_key);
+ if (ctx != NULL) BN_CTX_free(ctx);
+ return(ok);
+ }
#endif
#endif
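Review bot: When `fips_check_dsa` fails in `DSA_generate_key`, the rejected key pair stays installed in `dsa`: `dsa->priv_key` and `dsa->pub_key` are assigned before the check, so the `dsa->pub_key == NULL` and `dsa->priv_key == NULL` tests at `err:` are false and nothing is released or reset. A caller that ignores the 0 return keeps a usable key that failed the pairwise test. Restoring the previous pointers on failure, as sketched below, lets the existing cleanup free newly allocated values; BIGNUMs supplied by the caller would still hold the rejected values and probably need clearing too. Separately, the private key is released with `BN_free`, where `BN_clear_free(priv_key)` would avoid leaving key material in freed memory.

```c
int DSA_generate_key(DSA *dsa)
	{
	/* … unchanged: existing locals, plus: */
	BIGNUM *old_pub=dsa->pub_key,*old_priv=dsa->priv_key;

	/* … unchanged: priv_key / pub_key generation … */

	dsa->priv_key=priv_key;
	dsa->pub_key=pub_key;

	if(!fips_check_dsa(dsa))
		{
		/* do not leave a key pair that failed the pairwise test in dsa */
		dsa->priv_key=old_priv;
		dsa->pub_key=old_pub;
		goto err;
		}

	/* … unchanged: ok=1 and err: cleanup … */
```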
SHA1(fips.c)= 3ce5c4660e56e1a1c1ef177f3536b3098bb65290
SHA1(fips_err_wrapper.c)= ad4a2ffa18743c83827de398c811eb6124ba0b27
-SHA1(fips.h)= a664b76451ff3d3674e7c79b6d56d547ffb9e5be
-SHA1(fips_err.h)= 54f9f9931fdef839dcfbf7807a1977199ad4b4f1
+SHA1(fips.h)= da5e4f1bb957eb808c818507a76c8dcaa06dcec0
+SHA1(fips_err.h)= 8a6c9283e478afae4b30c033c5f885b1d20e75c1
#define FIPS_F_DSA_DO_SIGN 111
#define FIPS_F_DSA_DO_VERIFY 112
#define FIPS_F_DSA_GENERATE_PARAMETERS 110
+#define FIPS_F_FIPS_CHECK_DSA 116
#define FIPS_F_FIPS_CHECK_EXE 106
+#define FIPS_F_FIPS_CHECK_RSA 115
#define FIPS_F_FIPS_DSA_CHECK 102
#define FIPS_F_FIPS_MODE_SET 105
#define FIPS_F_FIPS_SELFTEST_AES 104
#define FIPS_R_FIPS_MODE_ALREADY_SET 102
#define FIPS_R_FIPS_SELFTEST_FAILED 106
#define FIPS_R_NON_FIPS_METHOD 100
+#define FIPS_R_PAIRWISE_TEST_FAILED 107
#define FIPS_R_SELFTEST_FAILED 101
#ifdef __cplusplus
{ERR_PACK(0,FIPS_F_DSA_DO_SIGN,0), "DSA_do_sign"},
{ERR_PACK(0,FIPS_F_DSA_DO_VERIFY,0), "DSA_do_verify"},
{ERR_PACK(0,FIPS_F_DSA_GENERATE_PARAMETERS,0), "DSA_generate_parameters"},
+{ERR_PACK(0,FIPS_F_FIPS_CHECK_DSA,0), "FIPS_CHECK_DSA"},
{ERR_PACK(0,FIPS_F_FIPS_CHECK_EXE,0), "FIPS_CHECK_EXE"},
+{ERR_PACK(0,FIPS_F_FIPS_CHECK_RSA,0), "FIPS_CHECK_RSA"},
{ERR_PACK(0,FIPS_F_FIPS_DSA_CHECK,0), "FIPS_dsa_check"},
{ERR_PACK(0,FIPS_F_FIPS_MODE_SET,0), "FIPS_mode_set"},
{ERR_PACK(0,FIPS_F_FIPS_SELFTEST_AES,0), "FIPS_selftest_aes"},
{FIPS_R_FIPS_MODE_ALREADY_SET ,"fips mode already set"},
{FIPS_R_FIPS_SELFTEST_FAILED ,"fips selftest failed"},
{FIPS_R_NON_FIPS_METHOD ,"non fips method"},
+{FIPS_R_PAIRWISE_TEST_FAILED ,"pairwise test failed"},
{FIPS_R_SELFTEST_FAILED ,"selftest failed"},
{0,NULL}
};
@$(PERL) $(TOP)/util/mklink.pl $(TOP)/apps $(APPS)
install:
- @for i in $(EXHEADER) ; \
- do \
- (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- done;
+# some shells don't like empty lists
+# @for i in $(EXHEADER) ; \
+# do \
+# (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+# chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+# done;
tags:
ctags $(SRC)
SHA1(fips_rsa_eay.c)= eacbcc656f1f046509abb9cc0207880b58ae8b90
-SHA1(fips_rsa_gen.c)= bfc4d7204f714a354a2e652318c5e82518441427
+SHA1(fips_rsa_gen.c)= eb47b6add96f4fe2396538b8ef394d16c4b1e87f
SHA1(fips_rsa_selftest.c)= 0106c4c565833ad2c8975b7d38765038a58f037c
#ifdef OPENSSL_FIPS
+static int fips_check_rsa(RSA *rsa)
+ {
+ int n;
+ unsigned char ctext[256];
+ unsigned char ptext[256];
+ static unsigned char original_ptext[] =
+ "\x01\x23\x45\x67\x89\xab\xcd\xef\x12\x34\x56\x78\x9a\xbc\xde\xf0"
+ "\x23\x45\x67\x89\xab\xcd\xef\x12\x34\x56\x78\x9a\xbc\xde\xf0\x12"
+ "\x45\x67\x89\xab\xcd\xef\x12\x34\x56\x78\x9a\xbc\xde\xf0\x12\x34"
+ "\x67\x89\xab\xcd\xef\x12\x34\x56\x78\x9a\xbc\xde\xf0\x12\x34\x56";
+
+ n=RSA_public_encrypt(sizeof(original_ptext)-1,original_ptext,ctext,rsa,
+ RSA_NO_PADDING);
+ if(n < 0)
+ {
+ ERR_print_errors_fp(stderr);
+ exit(1);
+ }
+ if(!memcmp(ctext,original_ptext,n))
+ {
+ FIPSerr(FIPS_F_FIPS_CHECK_RSA,FIPS_R_PAIRWISE_TEST_FAILED);
+ return 0;
+ }
+ n=RSA_private_decrypt(n,ctext,ptext,rsa,RSA_NO_PADDING);
+ if(n < 0)
+ {
+ ERR_print_errors_fp(stderr);
+ exit(1);
+ }
+ if(n != sizeof(original_ptext)-1 || memcmp(ptext,original_ptext,n))
+ {
+ FIPSerr(FIPS_F_FIPS_CHECK_RSA,FIPS_R_PAIRWISE_TEST_FAILED);
+ return 0;
+ }
+
+ return 1;
+ }
+
RSA *RSA_generate_key(int bits, unsigned long e_value,
void (*callback)(int,int,void *), void *cb_arg)
{
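Review bot: `fips_check_rsa` calls `exit(1)` when `RSA_public_encrypt` or `RSA_private_decrypt` fails, which lets library code terminate the host process instead of reporting through `FIPSerr` and returning 0 like the other branches. The test is also tied to one key size: the input is a fixed 64 bytes with `RSA_NO_PADDING`, which as far as I know requires the input length to equal `RSA_size(rsa)`, so other moduli would take the `exit(1)` path. In addition, `ctext` and `ptext` are 256 bytes with no check against `RSA_size(rsa)`. The sketch below turns both failures into ordinary error returns and adds the size guard; the plaintext length would still need to follow the key size. `RSA_generate_key` begins after this function and its body is outside the hunk.

```c
static int fips_check_rsa(RSA *rsa)
	{
	/* … unchanged: locals and original_ptext … */

	if(RSA_size(rsa) > (int)sizeof(ctext))
		{
		FIPSerr(FIPS_F_FIPS_CHECK_RSA,FIPS_R_PAIRWISE_TEST_FAILED);
		return 0;
		}
	n=RSA_public_encrypt(sizeof(original_ptext)-1,original_ptext,ctext,rsa,
			     RSA_NO_PADDING);
	if(n < 0)
		{
		FIPSerr(FIPS_F_FIPS_CHECK_RSA,FIPS_R_PAIRWISE_TEST_FAILED);
		return 0;
		}
	/* … unchanged: ciphertext must differ from plaintext … */
	n=RSA_private_decrypt(n,ctext,ptext,rsa,RSA_NO_PADDING);
	if(n < 0)
		{
		FIPSerr(FIPS_F_FIPS_CHECK_RSA,FIPS_R_PAIRWISE_TEST_FAILED);
		return 0;
		}
	/* … unchanged: round-trip comparison and return 1 … */
```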
rsa->iqmp=BN_mod_inverse(NULL,rsa->q,rsa->p,ctx2);
if (rsa->iqmp == NULL) goto err;
+ if(!fips_check_rsa(rsa))
+ goto err;
+
ok=1;
err:
if (ok == -1)