Add support for SHA-XXX in RSA tests.
Make fips_check_rsa work for key lengths > 2048 bits.
int FIPS_selftest_rsa(void);
void FIPS_corrupt_dsa(void);
int FIPS_selftest_dsa(void);
+int FIPS_selftest_rng(void);
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
const char * const FIPS_source_hashes[] = {
"HMAC-SHA1(fips.c)= 23f2470208ebbc7daeae50ad7b13e7cd7e269477",
"HMAC-SHA1(fips_err_wrapper.c)= d3e2be316062510312269e98f964cb87e7577898",
-"HMAC-SHA1(fips.h)= 87423b80f7635f08fbea23897c64e999166360a2",
+"HMAC-SHA1(fips.h)= c0260653a24bb6a986e726326d404b79dfc01b62",
"HMAC-SHA1(fips_err.h)= d356c4436362dba2974f767e06c6be1c90dbfe9f",
"HMAC-SHA1(aes/fips_aes_core.c)= b70bbbd675efe0613da0d57055310926a0104d55",
"HMAC-SHA1(aes/asm/fips-ax86-elf.s)= 361df58c4838e55cf0b5fa1427c81c253e551388",
"HMAC-SHA1(rand/fips_rand.h)= bf009ea8963e79b1e414442ede9ae7010a03160b",
"HMAC-SHA1(rand/fips_rand_selftest.c)= d9c8985e08feecefafe667ad0119d444b42f807c",
"HMAC-SHA1(rsa/fips_rsa_eay.c)= 2596773a7af8f037427217b79f56858296961d66",
-"HMAC-SHA1(rsa/fips_rsa_gen.c)= 713d2e0d7a1a682b1794f1224b7afe01272ba755",
+"HMAC-SHA1(rsa/fips_rsa_gen.c)= beedbc14a7b262d36a2b829494030f3032563bac",
"HMAC-SHA1(rsa/fips_rsa_selftest.c)= dcd0970a4de2d7f0d2333d6a3efb1ae350209b57",
"HMAC-SHA1(sha1/fips_sha1dgst.c)= 26e529d630b5e754b4a29bd1bb697e991e7fdc04",
"HMAC-SHA1(sha1/fips_standalone_sha1.c)= faae95bc36cc80f5be6a0cde02ebab0f63d4fd97",
static int fips_check_rsa(RSA *rsa)
{
- int n;
- unsigned char ctext[256];
- unsigned char ptext[256];
+ int n, ret = 0;
+ unsigned char tctext[256], *ctext = tctext;
+ unsigned char tptext[256], *ptext = tptext;
/* The longest we can have with OAEP padding and a 512 bit key */
static const unsigned char original_ptext[] =
"\x01\x23\x45\x67\x89\xab\xcd\xef\x12\x34\x56\x78\x9a\xbc\xde\xf0"
"\x23\x45\x67\x89\xab\xcd";
+ if (RSA_size(rsa) > sizeof(tctext))
+ {
+ ctext = OPENSSL_malloc(RSA_size(rsa));
+ ptext = OPENSSL_malloc(RSA_size(rsa));
+ if (!ctext || !ptext)
+ {
+ ERR_print_errors_fp(OPENSSL_stderr());
+ exit(1);
+ }
+ }
+
+
/* this will fail for keys shorter than 512 bits */
n=RSA_public_encrypt(sizeof(original_ptext)-1,original_ptext,ctext,rsa,
RSA_PKCS1_OAEP_PADDING);
if(!memcmp(ctext,original_ptext,n))
{
FIPSerr(FIPS_F_FIPS_CHECK_RSA,FIPS_R_PAIRWISE_TEST_FAILED);
- return 0;
+ goto error;
}
n=RSA_private_decrypt(n,ctext,ptext,rsa,RSA_PKCS1_OAEP_PADDING);
if(n < 0)
if(n != sizeof(original_ptext)-1 || memcmp(ptext,original_ptext,n))
{
FIPSerr(FIPS_F_FIPS_CHECK_RSA,FIPS_R_PAIRWISE_TEST_FAILED);
- return 0;
+ goto error;
+ }
+
+ ret = 1;
+
+ error:
+
+ if (RSA_size(rsa) > sizeof(tctext))
+ {
+ OPENSSL_free(ctext);
+ OPENSSL_free(ptext);
}
- return 1;
+ return ret;
}
RSA *RSA_generate_key(FIPS_RSA_SIZE_T bits, unsigned long e_value,
#include <openssl/x509v3.h>
static int rsa_stest(BIO *err, BIO *out, BIO *in);
-static int rsa_printsig(BIO *err, BIO *out, RSA *pkey,
+static int rsa_printsig(BIO *err, BIO *out, RSA *rsa, const EVP_MD *dgst,
unsigned char *Msg, long Msglen);
int main(int argc, char **argv)
char *linebuf, *olinebuf, *p, *q;
char *keyword, *value;
RSA *rsa = NULL;
+ const EVP_MD *dgst = NULL;
unsigned char *Msg = NULL;
long Msglen;
int keylen = -1, current_keylen = -1;
}
else if (!strcmp(keyword, "SHAAlg"))
{
- if (strcmp(value, "SHA1"))
+ if (!strcmp(value, "SHA1"))
+ dgst = EVP_sha1();
+ else if (!strcmp(value, "SHA224"))
+ dgst = EVP_sha224();
+ else if (!strcmp(value, "SHA256"))
+ dgst = EVP_sha256();
+ else if (!strcmp(value, "SHA384"))
+ dgst = EVP_sha384();
+ else if (!strcmp(value, "SHA512"))
+ dgst = EVP_sha512();
+ else
{
BIO_printf(err,
"FATAL: unsupported algorithm \"%s\"\n",
{
if (Msg)
goto parse_error;
+ if (strlen(value) & 1)
+ *(--value) = '0';
Msg = string_to_hex(value, &Msglen);
if (!Msg)
goto parse_error;
current_keylen = keylen;
}
- if (Msg)
+ if (Msg && dgst)
{
- if (!rsa_printsig(err, out, rsa, Msg, Msglen))
+ if (!rsa_printsig(err, out, rsa, dgst, Msg, Msglen))
goto error;
OPENSSL_free(Msg);
Msg = NULL;
}
-static int rsa_printsig(BIO *err, BIO *out, RSA *rsa,
+static int rsa_printsig(BIO *err, BIO *out, RSA *rsa, const EVP_MD *dgst,
unsigned char *Msg, long Msglen)
{
int ret = 0;
EVP_MD_CTX_init(&ctx);
- if (!EVP_SignInit_ex(&ctx, EVP_sha1(), NULL))
+ if (!EVP_SignInit_ex(&ctx, dgst, NULL))
goto error;
if (!EVP_SignUpdate(&ctx, Msg, Msglen))
goto error;
static int rsa_test(BIO *err, BIO *out, BIO *in);
static int rsa_printver(BIO *err, BIO *out,
BIGNUM *n, BIGNUM *e,
+ const EVP_MD *dgst,
unsigned char *Msg, long Msglen,
unsigned char *S, long Slen);
{
char *linebuf, *olinebuf, *p, *q;
char *keyword, *value;
+ const EVP_MD *dgst = NULL;
BIGNUM *n = NULL, *e = NULL;
unsigned char *Msg = NULL, *S = NULL;
long Msglen, Slen;
}
else if (!strcmp(keyword, "SHAAlg"))
{
- if (strcmp(value, "SHA1"))
+ if (!strcmp(value, "SHA1"))
+ dgst = EVP_sha1();
+ else if (!strcmp(value, "SHA224"))
+ dgst = EVP_sha224();
+ else if (!strcmp(value, "SHA256"))
+ dgst = EVP_sha256();
+ else if (!strcmp(value, "SHA384"))
+ dgst = EVP_sha384();
+ else if (!strcmp(value, "SHA512"))
+ dgst = EVP_sha512();
+ else
{
BIO_printf(err,
"FATAL: unsupported algorithm \"%s\"\n",
{
if (Msg)
goto parse_error;
+ if (strlen(value) & 1)
+ *(--value) = '0';
Msg = string_to_hex(value, &Msglen);
if (!Msg)
goto parse_error;
{
if (S)
goto parse_error;
+ if (strlen(value) & 1)
+ *(--value) = '0';
S = string_to_hex(value, &Slen);
if (!S)
goto parse_error;
BIO_puts(out, olinebuf);
- if (n && e && Msg && S)
+ if (n && e && Msg && S && dgst)
{
- if (!rsa_printver(err, out, n, e, Msg, Msglen, S, Slen))
+ if (!rsa_printver(err, out, n, e, dgst,
+ Msg, Msglen, S, Slen))
goto error;
OPENSSL_free(Msg);
Msg = NULL;
static int rsa_printver(BIO *err, BIO *out,
BIGNUM *n, BIGNUM *e,
+ const EVP_MD *dgst,
unsigned char *Msg, long Msglen,
unsigned char *S, long Slen)
{
EVP_MD_CTX_init(&ctx);
- if (!EVP_VerifyInit_ex(&ctx, EVP_sha1(), NULL))
+ if (!EVP_VerifyInit_ex(&ctx, dgst, NULL))
goto error;
if (!EVP_VerifyUpdate(&ctx, Msg, Msglen))
goto error;
projects / oweals / openssl.git / commitdiff