fips_check_rsa update.
authorAndy Polyakov <appro@openssl.org>
Thu, 19 May 2005 22:29:55 +0000 (22:29 +0000)
committerAndy Polyakov <appro@openssl.org>
Thu, 19 May 2005 22:29:55 +0000 (22:29 +0000)
fips/fips.h
fips/fips_test_suite.c
fips/fipshashes.c
fips/rsa/fips_rsa_gen.c

index b1621b7de96f5ff94cceca1669292bdea2b4b660..2ed828fd7349ddfd1f942cb0682857f49349998e 100644 (file)
@@ -119,6 +119,7 @@ void ERR_load_FIPS_strings(void);
 #define FIPS_R_NON_FIPS_METHOD                          100
 #define FIPS_R_PAIRWISE_TEST_FAILED                     107
 #define FIPS_R_SELFTEST_FAILED                          101
+#define FIPS_R_KEY_TOO_SHORT                            108
 
 #ifdef  __cplusplus
 }
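Review bot: `FIPS_R_KEY_TOO_SHORT` is defined here, but no matching reason string is added anywhere in this commit: `fips_err.h` is not in the changed-file list, and its HMAC entry in the `fipshashes.c` hunk is unchanged. If the reason-string table lives in that file (not visible from this page), the error raised by the new check in `RSA_generate_key` will print as a bare numeric reason instead of readable text. I would add the table entry in the same commit, along the lines of `{FIPS_R_KEY_TOO_SHORT ,"key too short"},`. The new define is also appended after `FIPS_R_SELFTEST_FAILED` while the visible codes are in alphabetical order, so regenerating the block with the error script would move it.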
index 2532e51f429a633c41f154c692aab6a35e2f2d31..a127e791453319af884a1a341f2ce057cd71c791 100644 (file)
@@ -261,34 +261,16 @@ int main(int argc,char **argv)
 
     /* Non-Approved cryptographic operation
     */
-    printf("0. Non-Approved cryptographic operation test...\n");
+    printf("1. Non-Approved cryptographic operation test...\n");
     printf("\ta. Excluded algorithm (MD5)...");
     printf( md5_test() ? "successful\n" :  Fail("FAILED!\n") );
     printf("\tb. Included algorithm (D-H)...");
     printf( dh_test() ? "successful\n" :  Fail("FAILED!\n") );
 
-    /* Power-up self test failure
-    */
-    printf("1. Automatic power-up self test...");
-    printf( FIPS_mode_set(1,"/dev/null") ? Fail("passed INCORRECTLY!\n") : "failed as expected\n" );
-
-    /* Algorithm call when uninitialized failure
-    */
-    printf("\ta. AES API failure on failed power-up self test...");
-    printf( FIPS_aes_test() ? Fail("passed INCORRECTLY!\n") :"failed as expected\n" );
-    printf("\tb. RSA API failure on failed power-up self test...");
-    printf( FIPS_rsa_test() ? Fail("passed INCORRECTLY!\n") :  "failed as expected\n" );
-    printf("\tc. DES API failure on failed power-up self test...");
-    printf( FIPS_des_test() ? Fail("passed INCORRECTLY!\n") : "failed as expected\n" );
-    printf("\td. DSA API failure on failed power-up self test...");
-    printf( FIPS_dsa_test() ? Fail("passed INCORRECTLY!\n") :  "failed as expected\n" );
-    printf("\te. SHA1 API failure on failed power-up self test...");
-    printf( FIPS_sha1_test() ? Fail("passed INCORRECTLY!\n") : "failed as expected\n" );
-
-    /* Power-up self test retry
+    /* Power-up self test
     */
     ERR_clear_error();
-    printf("2. Automatic power-up self test retry...");
+    printf("2. Automatic power-up self test...");
     if (!FIPS_mode_set(1,argv[0]))
        {
        ERR_load_crypto_strings();
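Review bot: After this hunk, nothing visible in `main` still checks the fail-closed path. The removed step verified that `FIPS_mode_set(1,"/dev/null")` is rejected and that the AES, RSA, DES, DSA and SHA1 calls refuse to run after a failed power-up test; the suite now only checks that a correct integrity path succeeds. If the negative case was dropped because a failed self-test can no longer be retried in the same process, it could run as a separate invocation so the property stays covered. A comment above the renamed step should say where the negative test now lives. The body of `main` starts and ends outside this hunk, so a replacement check may exist elsewhere.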
index e2793115eb8ffdcbcdba6d2ff972d0f84d64df13..4b087f7f4e5aa4ac9aef7297665af90501a97b27 100644 (file)
@@ -1,7 +1,7 @@
 const char * const FIPS_source_hashes[] = {
 "HMAC-SHA1(fips.c)= 7cbbda3b9e8aec46ee31797179cb72faeef80712",
 "HMAC-SHA1(fips_err_wrapper.c)= d3e2be316062510312269e98f964cb87e7577898",
-"HMAC-SHA1(fips.h)= 8f48edb7734408c1a82cbb97106f8d823f0b7c91",
+"HMAC-SHA1(fips.h)= e85fdc2fe6ad2dbf0662691e87af4b6b240da62e",
 "HMAC-SHA1(fips_err.h)= 0b2bd6999ee5792fec3739689cde5f352789e63a",
 "HMAC-SHA1(aes/fips_aes_core.c)= b70bbbd675efe0613da0d57055310926a0104d55",
 "HMAC-SHA1(aes/asm/fips-ax86-elf.s)= f797b524a79196e7f59458a5b223432fcfd4a868",
@@ -22,7 +22,7 @@ const char * const FIPS_source_hashes[] = {
 "HMAC-SHA1(rand/fips_rand.h)= bf009ea8963e79b1e414442ede9ae7010a03160b",
 "HMAC-SHA1(rand/fips_rand_selftest.c)= d9c8985e08feecefafe667ad0119d444b42f807c",
 "HMAC-SHA1(rsa/fips_rsa_eay.c)= 2596773a7af8f037427217b79f56858296961d66",
-"HMAC-SHA1(rsa/fips_rsa_gen.c)= beedbc14a7b262d36a2b829494030f3032563bac",
+"HMAC-SHA1(rsa/fips_rsa_gen.c)= af83b857d2be13d59e7f1516e6b1a25edd6369c3",
 "HMAC-SHA1(rsa/fips_rsa_selftest.c)= a9dc47bd1001f795d1565111d26433c300101e06",
 "HMAC-SHA1(sha1/fips_sha1dgst.c)= 26e529d630b5e754b4a29bd1bb697e991e7fdc04",
 "HMAC-SHA1(sha1/fips_standalone_sha1.c)= faae95bc36cc80f5be6a0cde02ebab0f63d4fd97",
index 71b268a1bbcf61e9825befb949aded4cef5a7888..433ce79745d25f295417b8366794fd83d6a6aaa3 100644 (file)
@@ -73,10 +73,13 @@ static int fips_check_rsa(RSA *rsa)
     int n, ret = 0;
     unsigned char tctext[256], *ctext = tctext;
     unsigned char tptext[256], *ptext = tptext;
-    /* The longest we can have with OAEP padding and a 512 bit key */
+    /* The longest we can have with PKCS#1 v1.5 padding and a 512 bit key,
+     * namely 512/8-11-1 = 52 bytes */
     static const unsigned char original_ptext[] =
-       "\x01\x23\x45\x67\x89\xab\xcd\xef\x12\x34\x56\x78\x9a\xbc\xde\xf0"
-       "\x23\x45\x67\x89\xab\xcd";
+       "\x01\x23\x45\x67\x89\xab\xcd\xef\x01\x23\x45\x67\x89\xab\xcd\xef"
+       "\x01\x23\x45\x67\x89\xab\xcd\xef\x01\x23\x45\x67\x89\xab\xcd\xef"
+       "\x01\x23\x45\x67\x89\xab\xcd\xef\x01\x23\x45\x67\x89\xab\xcd\xef"
+       "\x01\x23\x45\x67";
 
     if (RSA_size(rsa) > sizeof(tctext))
        {
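Review bot: The new comment's arithmetic `512/8-11-1 = 52` leaves the trailing `-1` unexplained. PKCS#1 v1.5 padding overhead is the 11 bytes, which on its own would leave 53 bytes for a 64-byte modulus. The literal really is 52 bytes (three 16-byte rows plus four, with `sizeof(original_ptext)-1` dropping the NUL), so comment and code agree, but a reader cannot tell whether the extra byte is a margin or a requirement. I would spell it out, e.g. `/* 52 bytes: 64-byte modulus, minus 11 bytes of PKCS#1 v1.5 padding, minus one byte of margin */`, or state the actual reason if it differs. `fips_check_rsa` starts and ends outside this hunk.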
@@ -91,8 +94,8 @@ static int fips_check_rsa(RSA *rsa)
        
 
     /* this will fail for keys shorter than 512 bits */
-    n=RSA_public_encrypt(sizeof(original_ptext)-1,original_ptext,ctext,rsa,
-                        RSA_PKCS1_OAEP_PADDING);
+    n=RSA_private_encrypt(sizeof(original_ptext)-1,original_ptext,ctext,rsa,
+                        RSA_PKCS1_PADDING);
     if(n < 0)
        {
        ERR_print_errors_fp(OPENSSL_stderr());
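Review bot: The pairwise test now exercises only the signature direction. `RSA_private_encrypt` here and `RSA_public_decrypt` in the following hunk, both with `RSA_PKCS1_PADDING`, replace the earlier public-encrypt/private-decrypt round trip. A newly generated key that is later used for key transport is therefore no longer run through the encryption path before it is returned; whether that matters depends on which key use the validation covers, which this page does not show. The surviving comment `/* this will fail for keys shorter than 512 bits */` should at least state the new rationale, for example `/* sign/verify pairwise check; the 52-byte payload needs a modulus of at least 512 bits */`. The rest of `fips_check_rsa` lies outside the hunk.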
@@ -103,7 +106,7 @@ static int fips_check_rsa(RSA *rsa)
        FIPSerr(FIPS_F_FIPS_CHECK_RSA,FIPS_R_PAIRWISE_TEST_FAILED);
        goto error;
        }
-    n=RSA_private_decrypt(n,ctext,ptext,rsa,RSA_PKCS1_OAEP_PADDING);
+    n=RSA_public_decrypt(n,ctext,ptext,rsa,RSA_PKCS1_PADDING);
     if(n < 0)
        {
        ERR_print_errors_fp(OPENSSL_stderr());
@@ -136,6 +139,12 @@ RSA *RSA_generate_key(FIPS_RSA_SIZE_T bits, unsigned long e_value,
        int bitsp,bitsq,ok= -1,n=0,i;
        BN_CTX *ctx=NULL,*ctx2=NULL;
 
+       if (bits < 512)
+           {
+           FIPSerr(FIPS_F_RSA_GENERATE_KEY,FIPS_R_KEY_TOO_SHORT);
+           return NULL;
+           }
+
        if(FIPS_selftest_failed())
            {
            FIPSerr(FIPS_F_RSA_GENERATE_KEY,FIPS_R_FIPS_SELFTEST_FAILED);
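Review bot: The new `bits < 512` test sits in front of the `FIPS_selftest_failed()` check, so a module whose self-test has failed answers a short-key request with `FIPS_R_KEY_TOO_SHORT` instead of `FIPS_R_FIPS_SELFTEST_FAILED`. The short-key path returns NULL, so no key is produced either way, but reporting the module-level error state first keeps callers and logs from seeing a parameter error while the module is disabled. I would move the size check below the self-test block. The literal 512 is also coupled to the 52-byte payload in `fips_check_rsa`; a comment such as `/* pairwise test payload needs a 512-bit modulus */` would keep the two in step. The body of `RSA_generate_key` continues past the end of this hunk.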