sigs:
fips/sha1/fips_standalone_sha1 libcrypto.a > libcrypto.sha1
- if [ "$(SHLIBEXT)" != "" ]; then fips/sha1/fips_standalone_sha1 libcrypto$(SHLIBEXT) >> libcrypto.sha1; fi
sub_all:
@for i in $(DIRS); \
EXHEADER=fips.h
HEADER=$(EXHEADER) fips_err.c
+EXE=openssl_fips_fingerprint
ALL= $(GENERAL) $(SRC) $(HEADER)
$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' AR='${AR}' tests ); \
done;
+fips_test:
+ @for i in dsa sha1 aes des ; \
+ do \
+ (cd $$i && echo "making fips_test in fips/$$i..." && make fips_test) \
+ done;
+
install:
@for i in $(EXHEADER) ;\
do \
- (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
done;
@for i in $(FDIRS) ;\
do \
- (cd $$i && echo "making install in fips/$$i..." && \
- $(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' install ); \
+ (cd $$i && echo "making install in fips/$$i..." && \
+ $(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' install ); \
done;
+ @for i in $(EXE) ; \
+ do \
+ echo "installing $$i"; \
+ cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
+ done
lint:
@for i in $(FDIRS) ;\
tests:
+top_fips_aesavs:
+ (cd ../..; $(MAKE) DIRS=fips FDIRS=$(DIR) TARGET=fips_aesavs sub_target)
+
fips_aesavs: fips_aesavs.o ../../libcrypto.a
$(CC) $(CFLAGS) -o fips_aesavs fips_aesavs.o ../../libcrypto.a
+ $(TOP)/fips/openssl_fips_fingerprint ../../libcrypto.a fips_aesavs
-fips_test: top fips_aesavs
+fips_test: top top_fips_aesavs
find ../testvectors/aes/req -name '*.req' > testlist
-rm -rf ../testvectors/aes/rsp
mkdir ../testvectors/aes/rsp
int f_opt = 0, d_opt = 1;
#ifdef FIPS
- FIPS_mode_set(1);
+ if(!FIPS_mode_set(1,argv[0]))
+ {
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ exit(1);
+ }
#endif
ERR_load_crypto_strings();
if (argc > 1)
fips_desmovs: fips_desmovs.o ../../libcrypto.a
$(CC) $(CFLAGS) -o fips_desmovs fips_desmovs.o ../../libcrypto.a
+ $(TOP)/fips/openssl_fips_fingerprint ../../libcrypto.a fips_desmovs
fips_test: top_fips_desmovs
find ../testvectors/des/req -name '*.req' > testlist
int f_opt = 0, d_opt = 1;
#ifdef FIPS
- if(!FIPS_mode_set(1))
+ if(!FIPS_mode_set(1,argv[0]))
{
- fprintf(stderr,"Failed to enter FIPS mode.\n");
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
exit(1);
}
#endif
fips_dssvs: fips_dssvs.o ../../libcrypto.a
$(CC) $(CFLAGS) -o fips_dssvs fips_dssvs.o ../../libcrypto.a
+ $(TOP)/fips/openssl_fips_fingerprint ../../libcrypto.a fips_dssvs
Q=../testvectors/dsa/req
A=../testvectors/dsa/rsp
unsigned char sig[256];
unsigned int siglen;
-#ifdef FIPS
- FIPS_mode_set(1);
-#endif
if (bio_err == NULL)
bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
+#ifdef FIPS
+ if(!FIPS_mode_set(1,argv[0]))
+ {
+ ERR_print_errors(bio_err);
+ exit(1);
+ }
+#endif
CRYPTO_malloc_debug_init();
CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
#include <openssl/bn.h>
#include <openssl/dsa.h>
+#include <openssl/fips.h>
+#include <openssl/err.h>
#include <string.h>
int hex2bin(const char *in, unsigned char *out)
fprintf(stderr,"%s [primes|pqg]\n",argv[0]);
exit(1);
}
+ if(!FIPS_mode_set(1,argv[0]))
+ {
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ exit(1);
+ }
if(!strcmp(argv[1],"primes"))
primes();
else
-SHA1(fips.c)= 98c97fbf0e3b2a7c81572804ecc65fc8a8c9cc72
+SHA1(fips.c)= c33135b6ae585a1a953332e261984d38121727d5
SHA1(fips_err_wrapper.c)= 0cbe881739f6e7d91308e2e74b92032e69007528
-SHA1(fips.h)= b4e3fb8a1f3aa03a63094552bedaa2c58a35cb19
-SHA1(fips_err.c)= bd28a95630f6b2e7ac17bfae872c045216611b11
+SHA1(fips.h)= 58386539af75f8f622b041a43bf1880fee8642f7
+SHA1(fips_err.c)= 8d9fd3ab3e6ca5297c5714e7f6cd9834e22b4cba
#include <openssl/rand.h>
#include <openssl/fips_rand.h>
#include <openssl/err.h>
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+#include <limits.h>
#ifdef FIPS
&& FIPS_selftest_des();
}
-int FIPS_mode_set(int onoff)
+static int FIPS_check_exe(const char *path)
+ {
+ BIO *bio, *md;
+ char buf[1024];
+ char p2[PATH_MAX];
+ int n;
+ char mdbuf[EVP_MAX_MD_SIZE];
+
+ bio=BIO_new_file(path,"rb");
+ if(!bio)
+ {
+ FIPSerr(FIPS_F_FIPS_CHECK_EXE,FIPS_R_CANNOT_READ_EXE);
+ return 0;
+ }
+ md=BIO_new(BIO_f_md());
+ BIO_set_md(md,EVP_sha1());
+ bio=BIO_push(md,bio);
+ do
+ {
+ n=BIO_read(bio,buf,sizeof buf);
+ if(n < 0)
+ {
+ BIO_free_all(bio);
+ FIPSerr(FIPS_F_FIPS_CHECK_EXE,FIPS_R_CANNOT_READ_EXE);
+ return 0;
+ }
+ } while(n > 0);
+ BIO_gets(md,mdbuf,EVP_MAX_MD_SIZE);
+ BIO_free_all(bio);
+ snprintf(p2,sizeof p2,"%s.sha1",path);
+ bio=BIO_new_file(p2,"rb");
+ if(!bio || BIO_read(bio,buf,20) != 20)
+ {
+ BIO_free(bio);
+ FIPSerr(FIPS_F_FIPS_CHECK_EXE,FIPS_R_CANNOT_READ_EXE_DIGEST);
+ return 0;
+ }
+ BIO_free(bio);
+ if(memcmp(buf,mdbuf,20))
+ {
+ FIPSerr(FIPS_F_FIPS_CHECK_EXE,FIPS_R_EXE_DIGEST_DOES_NOT_MATCH);
+ return 0;
+ }
+ return 1;
+ }
+
+int FIPS_mode_set(int onoff,const char *path)
{
if(onoff)
{
if(FIPS_mode)
FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FIPS_MODE_ALREADY_SET);
+ if(!FIPS_check_exe(path))
+ return 0;
+
/* automagically seed PRNG if not already seeded */
if(!FIPS_rand_seeded())
{
extern void *FIPS_rand_check;
struct dsa_st;
-int FIPS_mode_set(int onoff);
+int FIPS_mode_set(int onoff,const char *path);
int FIPS_dsa_check(struct dsa_st *dsa);
int FIPS_selftest_sha1(void);
int FIPS_selftest_aes(void);
/* Error codes for the FIPS functions. */
/* Function codes. */
+#define FIPS_F_FIPS_CHECK_EXE 106
#define FIPS_F_FIPS_DSA_CHECK 102
#define FIPS_F_FIPS_MODE_SET 105
#define FIPS_F_FIPS_SELFTEST_AES 104
#define FIPS_F_SSLEAY_RAND_BYTES 101
/* Reason codes. */
+#define FIPS_R_CANNOT_READ_EXE 103
+#define FIPS_R_CANNOT_READ_EXE_DIGEST 104
+#define FIPS_R_EXE_DIGEST_DOES_NOT_MATCH 105
#define FIPS_R_FIPS_MODE_ALREADY_SET 102
#define FIPS_R_NON_FIPS_METHOD 100
#define FIPS_R_SELFTEST_FAILED 101
#ifndef OPENSSL_NO_ERR
static ERR_STRING_DATA FIPS_str_functs[]=
{
+{ERR_PACK(0,FIPS_F_FIPS_CHECK_EXE,0), "FIPS_CHECK_EXE"},
{ERR_PACK(0,FIPS_F_FIPS_DSA_CHECK,0), "FIPS_dsa_check"},
{ERR_PACK(0,FIPS_F_FIPS_MODE_SET,0), "FIPS_mode_set"},
{ERR_PACK(0,FIPS_F_FIPS_SELFTEST_AES,0), "FIPS_selftest_aes"},
static ERR_STRING_DATA FIPS_str_reasons[]=
{
+{FIPS_R_CANNOT_READ_EXE ,"cannot read exe"},
+{FIPS_R_CANNOT_READ_EXE_DIGEST ,"cannot read exe digest"},
+{FIPS_R_EXE_DIGEST_DOES_NOT_MATCH ,"exe digest does not match"},
{FIPS_R_FIPS_MODE_ALREADY_SET ,"fips mode already set"},
{FIPS_R_NON_FIPS_METHOD ,"non fips method"},
{FIPS_R_SELFTEST_FAILED ,"selftest failed"},
S=`pwd`/fips/sha1/fips_standalone_sha1
cd fips/sha1
-$S fips_standalone_sha1.c fips_sha1dgst.c fips_sha_locl.h fips_md32_common.h > standalone.sha1
+$S fips_sha1dgst.c fips_sha1_selftest.c fips_standalone_sha1.c fips_sha_locl.h fips_md32_common.h > standalone.sha1
cd ..
$S fips.c fips_err_wrapper.c fips.h fips_err.c > fingerprint.sha1
fips_sha1test: fips_sha1test.o ../../libcrypto.a
$(CC) $(CFLAGS) -o fips_sha1test fips_sha1test.o ../../libcrypto.a
+ $(TOP)/fips/openssl_fips_fingerprint ../../libcrypto.a fips_sha1test
fips_test: top_fips_sha1test
-rm -rf ../testvectors/sha1/rsp
#include <string.h>
#include <stdlib.h>
#include <openssl/sha.h>
+#include <openssl/err.h>
+#include <openssl/fips.h>
#define MAX_TEST_BITS 103432
exit(1);
}
+ if(!FIPS_mode_set(1,argv[0]))
+ {
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ exit(1);
+ }
fp=fopen(argv[1],"r");
if(!fp)
{
projects / oweals / openssl.git / commitdiff