Make reservations in FIPS code for upcoming size_t-fication of OpenSSL API.

And couple of bug-fixes in fips/rand code [return without lock release and
incorrect return value in fips_rand_bytes].

diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index 72c7c3344d3f74ebeb832ef1065363665ed5a623..fcbf0f3ccd00b19c0481b2985ee83bf7234c11c0 100644 (file)
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -26,7 +26,11 @@
  *  major minor fix final patch/beta)
  */
 #define OPENSSL_VERSION_NUMBER 0x00907050L
+#ifdef OPENSSL_FIPS
+#define OPENSSL_VERSION_TEXT   "OpenSSL 0.9.7e-fips-dev XX xxx XXXX"
+#else
 #define OPENSSL_VERSION_TEXT   "OpenSSL 0.9.7e-dev XX xxx XXXX"
+#endif
 #define OPENSSL_VERSION_PTEXT  " part of " OPENSSL_VERSION_TEXT
 
 

diff --git a/crypto/rand/rand.h b/crypto/rand/rand.h
index f8a369794aef03c6c53e803a050ccab748a5315f..cb30eed1cdfbf43ed7fae5f6967dc188a85ecf87 100644 (file)
--- a/crypto/rand/rand.h
+++ b/crypto/rand/rand.h
@@ -71,6 +71,10 @@
 extern "C" {
 #endif
 
+#if defined(OPENSSL_FIPS)
+#define FIPS_RAND_SIZE_T int
+#endif
+
 typedef struct rand_meth_st
        {
        void (*seed)(const void *buf, int num);

diff --git a/crypto/sha/sha.h b/crypto/sha/sha.h
index 3fd54a10cc7ca6f418def5f99de804bf28ca402e..a26ed5ddc1c06e06c7d635fa4dea80099b261fa5 100644 (file)
--- a/crypto/sha/sha.h
+++ b/crypto/sha/sha.h
@@ -69,6 +69,10 @@ extern "C" {
 #error SHA is disabled.
 #endif
 
+#if defined(OPENSSL_FIPS)
+#define FIPS_SHA_SIZE_T unsigned long
+#endif
+
 /*
  * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  * ! SHA_LONG has to be at least 32 bits wide. If it's wider, then !

diff --git a/fips/rand/fingerprint.sha1 b/fips/rand/fingerprint.sha1
index 11421113e08f1bfce07ec17afa5485489c5bc72a..f6482327792c1a2a900fac3fc1a39694e5fd9083 100644 (file)
--- a/fips/rand/fingerprint.sha1
+++ b/fips/rand/fingerprint.sha1
@@ -1,2 +1,2 @@
-HMAC-SHA1(fips_rand.c)= 58be68c405269c9a4c35ee19642c4da982374769
-HMAC-SHA1(fips_rand.h)= 889afc9a526fe59138326134950b733627a7e9cf
+HMAC-SHA1(fips_rand.c)= 9371bac9e8929fe26327383f6e7fb11f06671565
+HMAC-SHA1(fips_rand.h)= 0567b1fe9b0efe034a537f335659b0b681809791

diff --git a/fips/rand/fips_rand.c b/fips/rand/fips_rand.c
index 2ff197ebb07754d4f25988b15d2e82e9fde18d81..15c270b4464826def79ccc637d39a4c8641ca2e8 100644 (file)
--- a/fips/rand/fips_rand.c
+++ b/fips/rand/fips_rand.c
@@ -75,8 +75,8 @@
 #define SEED_SIZE      8
 
 static unsigned char seed[SEED_SIZE];
-static int n_seed;
-static int o_seed;
+static FIPS_RAND_SIZE_T n_seed;
+static FIPS_RAND_SIZE_T o_seed;
 static DES_cblock key1;
 static DES_cblock key2;
 static DES_key_schedule ks1,ks2;
@@ -90,8 +90,8 @@ static int key_pid;
 #endif
 
 static void fips_rand_cleanup(void);
-static void fips_rand_add(const void *buf, int num, double add_entropy);
-static int fips_rand_bytes(unsigned char *buf, int num);
+static void fips_rand_add(const void *buf, FIPS_RAND_SIZE_T num, double add_entropy);
+static int fips_rand_bytes(unsigned char *buf, FIPS_RAND_SIZE_T num);
 static int fips_rand_status(void);
 
 static RAND_METHOD rand_fips_meth=
@@ -195,10 +195,10 @@ static void fips_rand_cleanup(void)
     n_seed=0;
     }
 
-void FIPS_rand_seed(const void *buf_, int num)
+void FIPS_rand_seed(const void *buf_, FIPS_RAND_SIZE_T num)
     {
     const char *buf=buf_;
-    int n;
+    FIPS_RAND_SIZE_T n;
     static int init;
 
     /* If the key hasn't been set, we can't seed! */
@@ -219,7 +219,7 @@ void FIPS_rand_seed(const void *buf_, int num)
      */
     for(n=0 ; n < num ; )
        {
-       int t=num-n;
+       FIPS_RAND_SIZE_T t=num-n;
 
        if(o_seed+t > sizeof seed)
            t=sizeof seed-o_seed;
@@ -239,14 +239,14 @@ void FIPS_rand_seed(const void *buf_, int num)
     CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
     }
 
-static void fips_rand_add(const void *buf, int num, double add_entropy)
+static void fips_rand_add(const void *buf, FIPS_RAND_SIZE_T num, double add_entropy)
     {
     FIPS_rand_seed(buf,num);
     }
 
-static int fips_rand_bytes(unsigned char *buf,int num)
+static int fips_rand_bytes(unsigned char *buf,FIPS_RAND_SIZE_T num)
     {
-    int n;
+    FIPS_RAND_SIZE_T n;
     unsigned char timeseed[8];
     unsigned char intermediate[SEED_SIZE];
     unsigned char output[SEED_SIZE];
@@ -261,6 +261,18 @@ static int fips_rand_bytes(unsigned char *buf,int num)
        return 0;
        }
 
+#ifdef FIPS_RAND_MAX_SIZE_T
+    if (num > FIPS_RAND_MAX_SIZE_T)
+       {
+#ifdef RAND_R_PRNG_ASKING_FOR_TOO_MUCH
+       RANDerr(RAND_F_FIPS_RAND_BYTES,RAND_R_PRNG_ASKING_FOR_TOO_MUCH);
+       return 0;
+#else
+       return -1; /* signal "not supported" condition */
+#endif
+       }
+#endif
+
 #ifndef GETPID_IS_MEANINGLESS
     pid=getpid();
     if(pid != seed_pid)
@@ -283,7 +295,7 @@ static int fips_rand_bytes(unsigned char *buf,int num)
     for(n=0 ; n < num ; )
        {
        unsigned char t[SEED_SIZE];
-       int l;
+       FIPS_RAND_SIZE_T l;
        
        /* now generate a full 64 bits of "randomness" */
        for(l=0 ; l < sizeof t ; ++l)
@@ -296,6 +308,7 @@ static int fips_rand_bytes(unsigned char *buf,int num)
        if(second && !memcmp(output,previous,sizeof previous))
            {
            RANDerr(RAND_F_FIPS_RAND_BYTES,RAND_R_PRNG_STUCK);
+           CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
            return 0;
            }
        memcpy(previous,output,sizeof previous);
@@ -308,7 +321,7 @@ static int fips_rand_bytes(unsigned char *buf,int num)
 
     CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 
-    return num;
+    return 1;
     }
 
 static int fips_rand_status(void)

diff --git a/fips/rand/fips_rand.h b/fips/rand/fips_rand.h
index d50eaa8a5098c32851526c10054bb75295694532..1286b63ab29845399299c316158fb8e629139274 100644 (file)
--- a/fips/rand/fips_rand.h
+++ b/fips/rand/fips_rand.h
@@ -60,7 +60,7 @@ extern "C" {
 
 void FIPS_set_prng_key(const unsigned char k1[8],const unsigned char k2[8]);
 void FIPS_test_mode(int test,const unsigned char faketime[8]);
-void FIPS_rand_seed(const void *buf, int num);
+void FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num);
 /* NB: this returns true if _partially_ seeded */
 int FIPS_rand_seeded(void);
 

diff --git a/fips/rand/fips_randtest.c b/fips/rand/fips_randtest.c
index ff9c91cd36a425522846343fa7b114478b16a769..98fe83ca4a4a56b6f9b48da0665735291cd6d15a 100644 (file)
--- a/fips/rand/fips_randtest.c
+++ b/fips/rand/fips_randtest.c
@@ -191,14 +191,14 @@ static void run_test(const PRNGtest *t)
     FIPS_test_mode(1,t->time);
     RAND_seed(t->seed,sizeof t->seed);
 
-    if(RAND_bytes(buf,8) != 8)
+    if(RAND_bytes(buf,8) <= 0)
        {
        ERR_print_errors_fp(stderr);
        exit(2);
        }
     compare(buf,t->block1,8);
     for(n=0 ; n < 99 ; ++n)
-       if(RAND_bytes(buf,8) != 8)
+       if(RAND_bytes(buf,8) <= 0)
            {
            ERR_print_errors_fp(stderr);
            exit(2);

diff --git a/fips/sha1/fingerprint.sha1 b/fips/sha1/fingerprint.sha1
index 7e6d05e8e926df6a74e66d94e864e1756889c8ce..9b57f9d9945e19c992f9b2f612d6f11627776ecd 100644 (file)
--- a/fips/sha1/fingerprint.sha1
+++ b/fips/sha1/fingerprint.sha1
@@ -1,5 +1,5 @@
 HMAC-SHA1(fips_sha1dgst.c)= 10575600a9540eb15188a7d3b0b031e60aedbc18
 HMAC-SHA1(fips_sha1_selftest.c)= 98910a0c85eff1688bd7adb23e738dc75b39546e
 HMAC-SHA1(asm/sx86-elf.s)= 6286cba0ea3b071e67ab5c1e607d1387de6a871d
-HMAC-SHA1(fips_sha_locl.h)= 199ceca9016ba5514997ce1fcd22be7d4f66e9b5
-HMAC-SHA1(fips_md32_common.h)= 5bd82fd4f27c9c9f5164dafbb617272fa5c96521
+HMAC-SHA1(fips_sha_locl.h)= b793c80946d1029a630844393e294b27f61b1485
+HMAC-SHA1(fips_md32_common.h)= cd86b0f4a9a22552dce8db3ae5f2614e54a61f15

diff --git a/fips/sha1/fips_md32_common.h b/fips/sha1/fips_md32_common.h
index cf8d31f351afbb725228e363fa0236eadc58d8e3..e714475dc6cc785c8d9f19800cf1e7d45f641ed2 100644 (file)
--- a/fips/sha1/fips_md32_common.h
+++ b/fips/sha1/fips_md32_common.h
@@ -179,7 +179,7 @@
  */
 #undef ROTATE
 #ifndef PEDANTIC
-# if 0 /* defined(_MSC_VER) */
+# if defined(_MSC_VER) || defined(__ICC)
 #  define ROTATE(a,n)  _lrotl(a,n)
 # elif defined(__MWERKS__)
 #  if defined(__POWERPC__)
@@ -410,11 +410,11 @@
  * Time for some action:-)
  */
 
-int HASH_UPDATE (HASH_CTX *c, const void *data_, unsigned long len)
+int HASH_UPDATE (HASH_CTX *c, const void *data_, FIPS_SHA_SIZE_T len)
        {
        const unsigned char *data=data_;
        register HASH_LONG * p;
-       register unsigned long l;
+       register HASH_LONG l;
        int sw,sc,ew,ec;
 
        if(FIPS_selftest_fail)
@@ -422,7 +422,7 @@ int HASH_UPDATE (HASH_CTX *c, const void *data_, unsigned long len)
 
        if (len==0) return 1;
 
-       l=(c->Nl+(len<<3))&0xffffffffL;
+       l=(c->Nl+(((HASH_LONG)len)<<3))&0xffffffffUL;
        /* 95-05-24 eay Fixed a bug with the overflow handling, thanks to
         * Wei Dai <weidai@eskimo.com> for pointing it out. */
        if (l < c->Nl) /* overflow */
@@ -487,7 +487,7 @@ int HASH_UPDATE (HASH_CTX *c, const void *data_, unsigned long len)
                if ((((unsigned long)data)%4) == 0)
                        {
                        /* data is properly aligned so that we can cast it: */
-                       HASH_BLOCK_DATA_ORDER_ALIGNED (c,(HASH_LONG *)data,sw);
+                       HASH_BLOCK_DATA_ORDER_ALIGNED (c,(const HASH_LONG *)data,sw);
                        sw*=HASH_CBLOCK;
                        data+=sw;
                        len-=sw;
@@ -535,7 +535,7 @@ void HASH_TRANSFORM (HASH_CTX *c, const unsigned char *data)
 #if defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
        if ((((unsigned long)data)%4) == 0)
                /* data is properly aligned so that we can cast it: */
-               HASH_BLOCK_DATA_ORDER_ALIGNED (c,(HASH_LONG *)data,1);
+               HASH_BLOCK_DATA_ORDER_ALIGNED (c,(const HASH_LONG *)data,1);
        else
 #if !defined(HASH_BLOCK_DATA_ORDER)
                {

diff --git a/fips/sha1/fips_sha_locl.h b/fips/sha1/fips_sha_locl.h
index 61d41465019328c8a9a4b3fd73f6800d83efe978..5008aa79b978100337b5f7359b80683ae924ec8f 100644 (file)
--- a/fips/sha1/fips_sha_locl.h
+++ b/fips/sha1/fips_sha_locl.h
@@ -93,8 +93,8 @@
 # define HASH_BLOCK_DATA_ORDER         sha_block_data_order
 # define Xupdate(a,ix,ia,ib,ic,id)     (ix=(a)=(ia^ib^ic^id))
 
-  void sha_block_host_order (SHA_CTX *c, const void *p,int num);
-  void sha_block_data_order (SHA_CTX *c, const void *p,int num);
+  void sha_block_host_order (SHA_CTX *c, const void *p,FIPS_SHA_SIZE_T num);
+  void sha_block_data_order (SHA_CTX *c, const void *p,FIPS_SHA_SIZE_T num);
 
 #elif defined(SHA_1)
 
@@ -124,8 +124,8 @@
 #   define HASH_BLOCK_DATA_ORDER_ALIGNED       sha1_block_asm_data_order
 #  endif
 # endif
-  void sha1_block_host_order (SHA_CTX *c, const void *p,int num);
-  void sha1_block_data_order (SHA_CTX *c, const void *p,int num);
+  void sha1_block_host_order (SHA_CTX *c, const void *p,FIPS_SHA_SIZE_T num);
+  void sha1_block_data_order (SHA_CTX *c, const void *p,FIPS_SHA_SIZE_T num);
 
 #else
 # error "Either SHA_0 or SHA_1 must be defined."
@@ -222,7 +222,7 @@ int HASH_INIT (SHA_CTX *c)
 #endif
 
 #ifndef DONT_IMPLEMENT_BLOCK_HOST_ORDER
-void HASH_BLOCK_HOST_ORDER (SHA_CTX *c, const void *d, int num)
+void HASH_BLOCK_HOST_ORDER (SHA_CTX *c, const void *d, FIPS_SHA_SIZE_T num)
        {
        const SHA_LONG *W=d;
        register unsigned MD32_REG_T A,B,C,D,E,T;
@@ -350,7 +350,7 @@ void HASH_BLOCK_HOST_ORDER (SHA_CTX *c, const void *d, int num)
 #endif
 
 #ifndef DONT_IMPLEMENT_BLOCK_DATA_ORDER
-void HASH_BLOCK_DATA_ORDER (SHA_CTX *c, const void *p, int num)
+void HASH_BLOCK_DATA_ORDER (SHA_CTX *c, const void *p, FIPS_SHA_SIZE_T num)
        {
        const unsigned char *data=p;
        register unsigned MD32_REG_T A,B,C,D,E,T,l;

diff --git a/fips/sha1/standalone.sha1 b/fips/sha1/standalone.sha1
index 3ce81512609836f1797314831cae0e152a138f4d..d11f6424f20e72fd2f964b01ddde70f42e4f7845 100644 (file)
--- a/fips/sha1/standalone.sha1
+++ b/fips/sha1/standalone.sha1
@@ -2,5 +2,5 @@ HMAC-SHA1(fips_sha1dgst.c)= 10575600a9540eb15188a7d3b0b031e60aedbc18
 HMAC-SHA1(fips_sha1_selftest.c)= 98910a0c85eff1688bd7adb23e738dc75b39546e
 HMAC-SHA1(asm/sx86-elf.s)= 6286cba0ea3b071e67ab5c1e607d1387de6a871d
 HMAC-SHA1(fips_standalone_sha1.c)= c17f83ccfe601558b33b6df27d2d82887b8c9dc2
-HMAC-SHA1(fips_sha_locl.h)= 199ceca9016ba5514997ce1fcd22be7d4f66e9b5
-HMAC-SHA1(fips_md32_common.h)= 5bd82fd4f27c9c9f5164dafbb617272fa5c96521
+HMAC-SHA1(fips_sha_locl.h)= b793c80946d1029a630844393e294b27f61b1485
+HMAC-SHA1(fips_md32_common.h)= cd86b0f4a9a22552dce8db3ae5f2614e54a61f15