Redirect DSA operations to FIPS module in FIPS mode.

author Dr. Stephen Henson <steve@openssl.org>

Thu, 9 Jun 2011 13:54:09 +0000 (13:54 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Thu, 9 Jun 2011 13:54:09 +0000 (13:54 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Thu, 9 Jun 2011 13:54:09 +0000 (13:54 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Thu, 9 Jun 2011 13:54:09 +0000 (13:54 +0000)
diff --git a/CHANGES b/CHANGES

index 386ca462761f2dfeaf403e1d5d95f33aac3ede49..647836b89bb6109f3e7a806303c71c184e1d371a 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,9 @@
  
   Changes between 1.0.0d and 1.0.1  [xx XXX xxxx]
  
+  *) Redirect DSA and DH operations to FIPS module in FIPS mode.
+     [Steve Henson]
+
    *) Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use
       FIPS EC methods unconditionally for now.
       [Steve Henson]
diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h

index 3d362d140aba93acf8a7e8204a9aec5387179e62..6a21b2cce238e215a97e088eaffdda9cc7a6d136 100644 (file)
--- a/crypto/dsa/dsa.h
+++ b/crypto/dsa/dsa.h
@@ -97,6 +97,21 @@
                                                * be used for all exponents.
                                                */
  
+/* If this flag is set the DSA method is FIPS compliant and can be used
+ * in FIPS mode. This is set in the validated module method. If an
+ * application sets this flag in its own methods it is its reposibility
+ * to ensure the result is compliant.
+ */
+
+#define DSA_FLAG_FIPS_METHOD                   0x0400
+
+/* If this flag is set the operations normally disabled in FIPS mode are
+ * permitted it is then the applications responsibility to ensure that the
+ * usage is compliant.
+ */
+
+#define DSA_FLAG_NON_FIPS_ALLOW                        0x0400
+
  #ifdef  __cplusplus
  extern "C" {
  #endif
@@ -272,6 +287,7 @@ void ERR_load_DSA_strings(void);
  #define DSA_F_DSAPARAMS_PRINT_FP                        101
  #define DSA_F_DSA_DO_SIGN                               112
  #define DSA_F_DSA_DO_VERIFY                             113
+#define DSA_F_DSA_GENERATE_PARAMETERS_EX                123
  #define DSA_F_DSA_NEW_METHOD                            103
  #define DSA_F_DSA_PARAM_DECODE                          119
  #define DSA_F_DSA_PRINT_FP                              105
@@ -299,6 +315,7 @@ void ERR_load_DSA_strings(void);
  #define DSA_R_MISSING_PARAMETERS                        101
  #define DSA_R_MODULUS_TOO_LARGE                                 103
  #define DSA_R_NEED_NEW_SETUP_VALUES                     110
+#define DSA_R_NON_FIPS_DSA_METHOD                       111
  #define DSA_R_NO_PARAMETERS_SET                                 107
  #define DSA_R_PARAMETER_ENCODING_ERROR                  105
  
diff --git a/crypto/dsa/dsa_err.c b/crypto/dsa/dsa_err.c

index 2981eabeafc3eac5dd379f0e7ade28ca34511306..bada41fcce4793e473a5cc9eb14ef3c3aff1ad03 100644 (file)
--- a/crypto/dsa/dsa_err.c
+++ b/crypto/dsa/dsa_err.c
@@ -1,6 +1,6 @@
  /* crypto/dsa/dsa_err.c */
  /* ====================================================================
- * Copyright (c) 1999-2006 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
@@ -76,6 +76,7 @@ static ERR_STRING_DATA DSA_str_functs[]=
  {ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP),   "DSAparams_print_fp"},
  {ERR_FUNC(DSA_F_DSA_DO_SIGN),  "DSA_do_sign"},
  {ERR_FUNC(DSA_F_DSA_DO_VERIFY),        "DSA_do_verify"},
+{ERR_FUNC(DSA_F_DSA_GENERATE_PARAMETERS_EX),   "DSA_generate_parameters_ex"},
  {ERR_FUNC(DSA_F_DSA_NEW_METHOD),       "DSA_new_method"},
  {ERR_FUNC(DSA_F_DSA_PARAM_DECODE),     "DSA_PARAM_DECODE"},
  {ERR_FUNC(DSA_F_DSA_PRINT_FP), "DSA_print_fp"},
@@ -106,6 +107,7 @@ static ERR_STRING_DATA DSA_str_reasons[]=
  {ERR_REASON(DSA_R_MISSING_PARAMETERS)    ,"missing parameters"},
  {ERR_REASON(DSA_R_MODULUS_TOO_LARGE)     ,"modulus too large"},
  {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES) ,"need new setup values"},
+{ERR_REASON(DSA_R_NON_FIPS_DSA_METHOD)   ,"non fips dsa method"},
  {ERR_REASON(DSA_R_NO_PARAMETERS_SET)     ,"no parameters set"},
  {ERR_REASON(DSA_R_PARAMETER_ENCODING_ERROR),"parameter encoding error"},
  {0,NULL}
diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c

index e6a545201614609706a1cdd604ad9735a709659d..cc73a23724fe15f796597d55aef8b9b7d1ed7da7 100644 (file)
--- a/crypto/dsa/dsa_gen.c
+++ b/crypto/dsa/dsa_gen.c
@@ -81,13 +81,32 @@
  #include <openssl/sha.h>
  #include "dsa_locl.h"
  
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
  int DSA_generate_parameters_ex(DSA *ret, int bits,
                 const unsigned char *seed_in, int seed_len,
                 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
         {
+       if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD)
+                       && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW))
+               {
+               DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD);
+               return 0;
+               }
+
         if(ret->meth->dsa_paramgen)
                 return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
                                 counter_ret, h_ret, cb);
+#ifdef OPENSSL_FIPS
+       else if (FIPS_mode())
+               {
+               return FIPS_dsa_generate_parameters_ex(ret, bits, 
+                                                       seed_in, seed_len,
+                                                       counter_ret, h_ret, cb);
+               }
+#endif
         else
                 {
                 const EVP_MD *evpmd;
diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c

index e9b75902dbc25e21ab9565855c33ccdadbc1a272..f7960901a01fc171d085a7deb610a392ecd7a431 100644 (file)
--- a/crypto/dsa/dsa_lib.c
+++ b/crypto/dsa/dsa_lib.c
@@ -70,6 +70,10 @@
  #include <openssl/dh.h>
  #endif
  
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
  const char DSA_version[]="DSA" OPENSSL_VERSION_PTEXT;
  
  static const DSA_METHOD *default_DSA_method = NULL;
@@ -82,7 +86,14 @@ void DSA_set_default_method(const DSA_METHOD *meth)
  const DSA_METHOD *DSA_get_default_method(void)
         {
         if(!default_DSA_method)
-               default_DSA_method = DSA_OpenSSL();
+               {
+#ifdef OPENSSL_FIPS
+               if (FIPS_mode())
+                       default_DSA_method = FIPS_dsa_openssl();
+               else
+#endif
+                       default_DSA_method = DSA_OpenSSL();
+               }
         return default_DSA_method;
         }
  
@@ -163,7 +174,7 @@ DSA *DSA_new_method(ENGINE *engine)
         ret->method_mont_p=NULL;
  
         ret->references=1;
-       ret->flags=ret->meth->flags;
+       ret->flags=ret->meth->flags & ~DSA_FLAG_NON_FIPS_ALLOW;
         CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data);
         if ((ret->meth->init != NULL) && !ret->meth->init(ret))
                 {
diff --git a/crypto/dsa/dsa_sign.c b/crypto/dsa/dsa_sign.c

index e02365a8b133248f0e9a2cb7c0c555841bc7bb3e..c3cc3642cea83199249a1253624dd6b2a9343938 100644 (file)
--- a/crypto/dsa/dsa_sign.c
+++ b/crypto/dsa/dsa_sign.c
@@ -65,11 +65,27 @@
  
  DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
         {
+#ifdef OPENSSL_FIPS
+       if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
+                       && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
+               {
+               DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_NON_FIPS_DSA_METHOD);
+               return NULL;
+               }
+#endif
         return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
         }
  
  int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
         {
+#ifdef OPENSSL_FIPS
+       if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
+                       && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
+               {
+               DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_NON_FIPS_DSA_METHOD);
+               return 0;
+               }
+#endif
         return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
         }
  
diff --git a/crypto/dsa/dsa_vrf.c b/crypto/dsa/dsa_vrf.c

index 286ed28cfa5bcab46f75daf437e55d4246fc32d6..674cb5fa5f5b9839932402ece6a47ded96b622ab 100644 (file)
--- a/crypto/dsa/dsa_vrf.c
+++ b/crypto/dsa/dsa_vrf.c
@@ -64,5 +64,13 @@
  int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
                   DSA *dsa)
         {
+#ifdef OPENSSL_FIPS
+       if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
+                       && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
+               {
+               DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_NON_FIPS_DSA_METHOD);
+               return -1;
+               }
+#endif
         return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
         }
author	Dr. Stephen Henson <steve@openssl.org>
	Thu, 9 Jun 2011 13:54:09 +0000 (13:54 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Thu, 9 Jun 2011 13:54:09 +0000 (13:54 +0000)
CHANGES		patch \| blob \| history
crypto/dsa/dsa.h		patch \| blob \| history
crypto/dsa/dsa_err.c		patch \| blob \| history
crypto/dsa/dsa_gen.c		patch \| blob \| history
crypto/dsa/dsa_lib.c		patch \| blob \| history
crypto/dsa/dsa_sign.c		patch \| blob \| history
crypto/dsa/dsa_vrf.c		patch \| blob \| history