Changes between 0.9.8e and 0.9.8f-fips [xx XXX xxxx]
+ *) Use standard implementations of SHAx, DES, AES under crypto/ in FIPS
+ mode to avoid having to maintain two versions. This will also make use
+ of appropriate assembly language optimizations.
+ [Steve Henson]
+
*) Check for selftest status in all crypto operations and exit with a
fatal error if selftest failed.
[Steve Henson]
$cflags.=" -DOPENSSL_BN_ASM_PART_WORDS" if ($bn_obj =~ /bn86/);
$cflags.=" -DOPENSSL_IA32_SSE2" if (!$no_sse2 && $bn_obj =~ /bn86/);
-my $fips_des_obj;
-my $fips_aes_obj;
-my $fips_sha1_obj;
if ($fips)
{
- if ($des_obj =~ /\-elf\.o$/)
- {
- $fips_des_obj='asm/fips-dx86-elf.o';
- $openssl_other_defines.="#define OPENSSL_FIPS_DES_ASM\n";
- $fips_aes_obj='asm/fips-ax86-elf.o';
- $openssl_other_defines.="#define OPENSSL_FIPS_AES_ASM\n";
- }
- else {
- $fips_des_obj=$fips_des_enc;
- $fips_aes_obj='fips_aes_core.o';
- }
- $fips_sha1_obj='asm/fips-sx86-elf.o' if ($sha1_obj =~ /\-elf\.o$/);
- $des_obj=$sha1_obj=$aes_obj="";
$openssl_other_defines.="#define OPENSSL_FIPS\n";
}
s/^EXE_EXT=.*$/EXE_EXT= $exe_ext/;
s/^CPUID_OBJ=.*$/CPUID_OBJ= $cpuid_obj/;
s/^BN_ASM=.*$/BN_ASM= $bn_obj/;
- s/^FIPS_DES_ENC=.*$/FIPS_DES_ENC= $fips_des_obj/;
- s/^FIPS_AES_ENC=.*$/FIPS_AES_ENC= $fips_aes_obj/;
s/^DES_ENC=.*$/DES_ENC= $des_obj/;
s/^AES_ASM_OBJ=.*$/AES_ASM_OBJ= $aes_obj/;
s/^BF_ENC=.*$/BF_ENC= $bf_obj/;
s/^RC5_ENC=.*$/RC5_ENC= $rc5_obj/;
s/^MD5_ASM_OBJ=.*$/MD5_ASM_OBJ= $md5_obj/;
s/^SHA1_ASM_OBJ=.*$/SHA1_ASM_OBJ= $sha1_obj/;
- s/^FIPS_SHA1_ASM_OBJ=.*$/FIPS_SHA1_ASM_OBJ= $fips_sha1_obj/;
s/^RMD160_ASM_OBJ=.*$/RMD160_ASM_OBJ= $rmd160_obj/;
s/^PROCESSOR=.*/PROCESSOR= $processor/;
s/^RANLIB=.*/RANLIB= $ranlib/;
# CPUID module collects small commonly used assembler snippets
CPUID_OBJ=
BN_ASM= bn_asm.o
-FIPS_DES_ENC= des_enc.o fcrypt_b.o
-FIPS_AES_ENC= fips_aes_core.o
DES_ENC= des_enc.o fcrypt_b.o
AES_ASM_OBJ=aes_core.o aes_cbc.o
BF_ENC= bf_enc.o
RC4_ENC= rc4_enc.o
RC5_ENC= rc5_enc.o
MD5_ASM_OBJ=
-FIPS_SHA1_ASM_OBJ=
SHA1_ASM_OBJ=
RMD160_ASM_OBJ=
SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' \
MD5_ASM_OBJ='${MD5_ASM_OBJ}' \
RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' \
- FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' \
- FIPS_DES_ENC='${FIPS_DES_ENC}' \
- FIPS_AES_ENC='${FIPS_AES_ENC}' \
FIPSLIBDIR='${FIPSLIBDIR}' FIPSCANLIB='${FIPSCANLIB}' \
FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}' \
FIPS_EX_OBJ='${FIPS_EX_OBJ}' \
reflect:
@[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
-FIPS_EX_OBJ= ../crypto/aes/aes_cbc.o \
- ../crypto/aes/aes_cfb.o \
+FIPS_EX_OBJ= ../crypto/aes/aes_cfb.o \
../crypto/aes/aes_ecb.o \
../crypto/aes/aes_ofb.o \
../crypto/bn/bn_add.o \
../crypto/des/cfb64ede.o \
../crypto/des/cfb64enc.o \
../crypto/des/cfb_enc.o \
- ../crypto/des/des_enc.o \
../crypto/des/ecb3_enc.o \
../crypto/des/ecb_enc.o \
../crypto/des/ofb64ede.o \
../crypto/des/ofb64enc.o \
- ../crypto/des/fcrypt_b.o \
../crypto/des/fcrypt.o \
+ ../crypto/des/set_key.o \
../crypto/dsa/dsa_utl.o \
../crypto/dsa/dsa_sign.o \
../crypto/dsa/dsa_vrf.o \
../crypto/rsa/rsa_pss.o \
../crypto/rsa/rsa_ssl.o \
../crypto/rsa/rsa_x931.o \
+ ../crypto/sha/sha1dgst.o \
+ ../crypto/sha/sha256.o \
+ ../crypto/sha/sha512.o \
../crypto/uid.o
sub_all: build_all
build_crypto:
if [ -n "$(FIPSCANLIB)" ]; then \
- EXCL_OBJ='$(BN_ASM) $(CPUID_OBJ) $(FIPS_EX_OBJ)' ; export EXCL_OBJ ; \
+ EXCL_OBJ='$(AES_ASM_OBJ) $(BN_ASM) $(DES_ENC) $(CPUID_OBJ) $(SHA_ASM_OBJ) $(FIPS_EX_OBJ)' ; export EXCL_OBJ ; \
ARX='$(PERL) $${TOP}/util/arx.pl $(AR)' ; \
else \
ARX='${AR}' ; \
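Review bot: The new EXCL_OBJ list on the added line names `$(SHA_ASM_OBJ)`, but every other reference on this page (the Configure substitution, the Makefile variable and the fipscanister.o loop) spells it `SHA1_ASM_OBJ`. Unless `SHA_ASM_OBJ` is defined outside the visible lines, it expands to nothing, so the SHA-1 assembler object would presumably not be excluded from the archive when FIPSCANLIB is set and a second copy of that code could end up outside the canister. Suggested line: `EXCL_OBJ='$(AES_ASM_OBJ) $(BN_ASM) $(DES_ENC) $(CPUID_OBJ) $(SHA1_ASM_OBJ) $(FIPS_EX_OBJ)' ; export EXCL_OBJ ; \`. The build_crypto recipe continues past the end of this hunk.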
#include <openssl/aes.h>
#include "aes_locl.h"
-#ifndef OPENSSL_FIPS
-
/*
Te0[x] = S [x].[02, 01, 01, 03];
Te1[x] = S [x].[03, 02, 01, 01];
int i = 0;
u32 temp;
+#ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+#endif
+
if (!userKey || !key)
return -1;
if (bits != 128 && bits != 192 && bits != 256)
}
#endif /* AES_ASM */
-
-#endif
#include "des_locl.h"
-#ifndef OPENSSL_FIPS
-
void DES_encrypt1(DES_LONG *data, DES_key_schedule *ks, int enc)
{
register DES_LONG l,r,t,u;
data[1]=r;
}
-#endif
-
#ifndef DES_DEFAULT_OPTIONS
#if !defined(OPENSSL_FIPS_DES_ASM)
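Review bot: The context line `#if !defined(OPENSSL_FIPS_DES_ASM)` still tests a macro whose only definition visible on this page, in the Configure hunk, is removed by this same commit, so as far as the diff shows the condition is now always true. If the guard existed to skip C code that an assembler module supplies, it no longer does that job and should be dropped or re-keyed on a macro that is still defined. At minimum a comment such as `/* OPENSSL_FIPS_DES_ASM is no longer set by Configure; guard kept for ... */` would tell the next reader why it remains. The block this `#if` opens lies outside the hunk.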
*/
#include "des_locl.h"
-#ifndef OPENSSL_FIPS
-
OPENSSL_IMPLEMENT_GLOBAL(int,DES_check_key); /* defaults to false */
static const unsigned char odd_parity[256]={
k = &schedule->ks->deslong[0];
in = &(*key)[0];
+#ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+#endif
+
c2l(in,c);
c2l(in,d);
}
*/
-#endif
#include <openssl/sha.h>
#include <openssl/crypto.h>
-#if !defined(OPENSSL_NO_SHA1) && !defined(OPENSSL_FIPS)
+#if !defined(OPENSSL_NO_SHA1)
unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md)
{
SHA_CTX c;
#include <openssl/opensslv.h>
-#ifndef OPENSSL_FIPS
const char SHA1_version[]="SHA1" OPENSSL_VERSION_PTEXT;
/* The implementation is in ../md32_common.h */
#include "sha_locl.h"
-#else
-
-static void *dummy=&dummy;
-
-#endif
-
#endif
#include <openssl/fips.h>
#include <openssl/opensslv.h>
-#ifndef OPENSSL_FIPS
-
const char SHA256_version[]="SHA-256" OPENSSL_VERSION_PTEXT;
int SHA224_Init (SHA256_CTX *c)
{
+#ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+#endif
c->h[0]=0xc1059ed8UL; c->h[1]=0x367cd507UL;
c->h[2]=0x3070dd17UL; c->h[3]=0xf70e5939UL;
c->h[4]=0xffc00b31UL; c->h[5]=0x68581511UL;
int SHA256_Init (SHA256_CTX *c)
{
+#ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+#endif
c->h[0]=0x6a09e667UL; c->h[1]=0xbb67ae85UL;
c->h[2]=0x3c6ef372UL; c->h[3]=0xa54ff53aUL;
c->h[4]=0x510e527fUL; c->h[5]=0x9b05688cUL;
{ sha256_block (ctx,in,num,0); }
#endif /* OPENSSL_NO_SHA256 */
-
-#endif
*/
#include <openssl/opensslconf.h>
#include <openssl/fips.h>
-#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512) && !defined(OPENSSL_FIPS)
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
/*
* IMPLEMENTATION NOTES.
*
int SHA384_Init (SHA512_CTX *c)
{
+#ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+#endif
c->h[0]=U64(0xcbbb9d5dc1059ed8);
c->h[1]=U64(0x629a292a367cd507);
c->h[2]=U64(0x9159015a3070dd17);
int SHA512_Init (SHA512_CTX *c)
{
+#ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+#endif
c->h[0]=U64(0x6a09e667f3bcc908);
c->h[1]=U64(0xbb67ae8584caa73b);
c->h[2]=U64(0x3c6ef372fe94f82b);
int HASH_INIT (SHA_CTX *c)
#endif
{
+#if defined(SHA_1) && defined(OPENSSL_FIPS)
+ FIPS_selftest_check();
+#endif
c->h0=INIT_DATA_h0;
c->h1=INIT_DATA_h1;
c->h2=INIT_DATA_h2;
# vendor compiler drivers...
fipscanister.o: fips_start.o $(LIBOBJ) $(FIPS_OBJ_LISTS) fips_end.o
- @FIPS_BN_ASM=""; for i in $(BN_ASM) ; do FIPS_BN_ASM="$$FIPS_BN_ASM ../crypto/bn/$$i" ; done; \
+ FIPS_ASM=""; for i in $(BN_ASM) ; do FIPS_ASM="$$FIPS_ASM ../crypto/bn/$$i" ; done; \
+ for i in $(AES_ASM_OBJ) ; do FIPS_ASM="$$FIPS_ASM ../crypto/aes/$$i" ; done; \
+ for i in $(DES_ENC) ; do FIPS_ASM="$$FIPS_ASM ../crypto/des/$$i" ; done; \
+ for i in $(SHA1_ASM_OBJ) ; do FIPS_ASM="$$FIPS_ASM ../crypto/sha/$$i" ; done; \
if [ -n "$(CPUID_OBJ)" ]; then \
CPUID=../crypto/$(CPUID_OBJ) ; \
else \
CPUID="" ; \
fi ; \
- objs="fips_start.o $(LIBOBJ) $(FIPS_EX_OBJ) $$CPUID $$FIPS_BN_ASM"; \
+ objs="fips_start.o $(LIBOBJ) $(FIPS_EX_OBJ) $$CPUID $$FIPS_ASM"; \
for i in $(FIPS_OBJ_LISTS); do \
dir=`dirname $$i`; script="s|^|$$dir/|;s| | $$dir/|g"; \
objs="$$objs `sed "$$script" $$i`"; \
MAKEFILE= Makefile
AR= ar r
-FIPS_AES_ENC=fips_aes_core.o
-
ASFLAGS= $(INCLUDES) $(ASFLAG)
AFLAGS= $(ASFLAGS)
APPS=
LIB=$(TOP)/libcrypto.a
-LIBSRC=fips_aes_core.c asm/fips-ax86-elf.s fips_aes_selftest.c
-LIBOBJ=$(FIPS_AES_ENC) fips_aes_selftest.o
+LIBSRC=fips_aes_selftest.c
+LIBOBJ=fips_aes_selftest.o
SRC= $(LIBSRC)
all: lib
lib: $(LIBOBJ)
- echo FIPS_AES_ENC: $(FIPS_AES_ENC)
@echo $(LIBOBJ) > lib
files:
ASFLAGS= $(INCLUDES) $(ASFLAG)
AFLAGS= $(ASFLAGS)
-FIPS_DES_ENC=fips_des_enc.o
-
CFLAGS= $(INCLUDES) $(CFLAG)
GENERAL=Makefile
APPS=
LIB=$(TOP)/libcrypto.a
-LIBSRC=fips_des_enc.c asm/fips-dx86-elf.s fips_des_selftest.c fips_set_key.c
-LIBOBJ=$(FIPS_DES_ENC) fips_des_selftest.o fips_set_key.o
+LIBSRC=fips_des_selftest.c
+LIBOBJ=fips_des_selftest.o
SRC= $(LIBSRC)
int n;
char *keyword, *value;
int nmod=0;
- unsigned char hash[20];
DSA_SIG sg, *sig = &sg;
sig->r = NULL;
}
else if(!strcmp(keyword,"Msg"))
{
-
n=hex2bin(value,msg);
pv("Msg",msg,n);
- SHA1(msg,n,hash);
}
else if(!strcmp(keyword,"Y"))
dsa->pub_key=hex2bn(value);
unsigned char md[SHA_DIGEST_LENGTH];
ERR_clear_error();
- if (!SHA1(str,sizeof(str) - 1,md)) return 0;
+ if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha1(), NULL)) return 0;
if (memcmp(md,digest,sizeof(md)))
return 0;
return 1;
EXE= fips_standalone_sha1$(EXE_EXT)
LIB=$(TOP)/libcrypto.a
-LIBSRC=fips_sha1dgst.c fips_sha1_selftest.c asm/fips-sx86-elf.s \
- fips_sha256.c fips_sha512.c
-LIBOBJ=fips_sha1dgst.o fips_sha1_selftest.o $(FIPS_SHA1_ASM_OBJ) \
- fips_sha256.o fips_sha512.o
+LIBSRC=fips_sha1_selftest.c
+LIBOBJ=fips_sha1_selftest.o
SRC= $(LIBSRC) fips_standalone_sha1.c
lib: $(LIBOBJ)
@echo $(LIBOBJ) > lib
-fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o fips_sha1dgst.o $(FIPS_SHA1_ASM_OBJ)
+fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o
+ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
$(CC) -o fips_standalone_sha1$(EXE_EXT) $(CFLAGS) \
- fips_standalone_sha1.o fips_sha1dgst.o $(FIPS_SHA1_ASM_OBJ)
+ fips_standalone_sha1.o ../crypto/sha/sha1dgst.o $$FIPS_SHA_ASM
files:
$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
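Review bot: The new link line takes the digest object from `../crypto/sha/sha1dgst.o`, while the loop directly above it builds the assembler paths as `../../crypto/sha/$$i`. Both run in the same directory, so one of the two is wrong, and the object path looks one level short. The rule header also drops sha1dgst.o and the assembler objects from the prerequisites, so make will neither build them first nor relink when they change, and the standalone SHA-1 tool could be linked against a stale or missing object. I would use `fips_standalone_sha1.o ../../crypto/sha/sha1dgst.o $$FIPS_SHA_ASM` on the link line and list `../../crypto/sha/sha1dgst.o` after `fips_standalone_sha1.o` in the rule header.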
#include <string.h>
#include <openssl/err.h>
#include <openssl/fips.h>
-#include <openssl/fips_sha.h>
+#include <openssl/evp.h>
+#include <openssl/sha.h>
#ifdef OPENSSL_FIPS
static char test[][60]=
{
unsigned char md[SHA_DIGEST_LENGTH];
- SHA1((unsigned char*)test[n],strlen(test[n]),md);
+ EVP_Digest(test[n],strlen(test[n]),md, NULL, EVP_sha1(), NULL);
if(memcmp(md,ret[n],sizeof md))
{
FIPSerr(FIPS_F_FIPS_SELFTEST_SHA,FIPS_R_SELFTEST_FAILED);
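Review bot: The return value of `EVP_Digest()` in the self-test loop is discarded, so if the digest call fails `md` is compared while still uninitialised. The other SHA1-to-EVP_Digest replacement on this page (`if (!EVP_Digest(str,...)) return 0;`) does check it. A failed digest would most likely still miss the known answer, but a self-test should fail explicitly rather than by accident of stack contents. Folding the call into the existing condition keeps the same error path: `if(!EVP_Digest(test[n],strlen(test[n]),md, NULL, EVP_sha1(), NULL) || memcmp(md,ret[n],sizeof md))`. The enclosing function starts and ends outside this hunk.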