From: Ben Laurie Date: Fri, 5 Mar 2004 08:28:01 +0000 (+0000) Subject: Add pairwise tests, fix makefiles. X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=09773532ed93cbe8f9f3047fdd6088d7adf1c524;p=oweals%2Fopenssl.git Add pairwise tests, fix makefiles. --- diff --git a/Makefile.org b/Makefile.org index 19b5c243ba..f2e31a5794 100644 --- a/Makefile.org +++ b/Makefile.org @@ -817,7 +817,7 @@ install: all install_docs cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ if ! egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \ $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ - fi \ + fi; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ fi; \ @@ -859,6 +859,7 @@ install: all install_docs if [ -f "$$i" ]; then \ ( echo installing $$i; \ cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ fi; \ done; diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c index ef87c3e637..30607ca579 100644 --- a/crypto/dsa/dsa_key.c +++ b/crypto/dsa/dsa_key.c @@ -64,6 +64,7 @@ #include #include +#ifndef OPENSSL_FIPS int DSA_generate_key(DSA *dsa) { int ok=0; @@ -103,3 +104,4 @@ err: return(ok); } #endif +#endif diff --git a/fips/dsa/Makefile.ssl b/fips/dsa/Makefile.ssl index d7d4f9d58b..eb94ad8e74 100644 --- a/fips/dsa/Makefile.ssl +++ b/fips/dsa/Makefile.ssl @@ -56,11 +56,12 @@ links: @$(PERL) $(TOP)/util/mklink.pl $(TOP)/apps $(APPS) install: - @for i in $(EXHEADER) ; \ - do \ - (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ - done; +# some shells don't like empty lists +# @for i in $(EXHEADER) ; \ +# do \ +# (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ +# chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ +# done; tags: ctags $(SRC) diff --git a/fips/dsa/fingerprint.sha1 b/fips/dsa/fingerprint.sha1 index 4784cd542f..9a4d3fe900 100644 --- a/fips/dsa/fingerprint.sha1 +++ b/fips/dsa/fingerprint.sha1 @@ -1,3 +1,3 @@ SHA1(fips_dsa_ossl.c)= 592cd23f6e63bc08b9c960014d52aad05594f913 -SHA1(fips_dsa_gen.c)= 87e185e25c1d606922651ea264470cb93c04e6a8 +SHA1(fips_dsa_gen.c)= 418cbd83675130cf7c45f3ea669b96167a1d65aa SHA1(fips_dsa_selftest.c)= d638e2d13912befe42e0ed6efa8a27719b6689d5 diff --git a/fips/dsa/fips_dsa_gen.c b/fips/dsa/fips_dsa_gen.c index b326bb5b4d..9524a4e21b 100644 --- a/fips/dsa/fips_dsa_gen.c +++ b/fips/dsa/fips_dsa_gen.c @@ -88,6 +88,21 @@ #ifdef OPENSSL_FIPS +static int fips_check_dsa(DSA *dsa) + { + static const unsigned char str1[]="12345678901234567890"; + unsigned char sig[256]; + unsigned int siglen; + + DSA_sign(0, str1, 20, sig, &siglen, dsa); + if(DSA_verify(0, str1, 20, sig, siglen, dsa) != 1) + { + FIPSerr(FIPS_F_FIPS_CHECK_DSA,FIPS_R_PAIRWISE_TEST_FAILED); + return 0; + } + return 1; + } + DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len, int *counter_ret, unsigned long *h_ret, @@ -310,6 +325,49 @@ err: if (mont != NULL) BN_MONT_CTX_free(mont); return(ok?ret:NULL); } + +int DSA_generate_key(DSA *dsa) + { + int ok=0; + BN_CTX *ctx=NULL; + BIGNUM *pub_key=NULL,*priv_key=NULL; + + if ((ctx=BN_CTX_new()) == NULL) goto err; + + if (dsa->priv_key == NULL) + { + if ((priv_key=BN_new()) == NULL) goto err; + } + else + priv_key=dsa->priv_key; + + do + if (!BN_rand_range(priv_key,dsa->q)) goto err; + while (BN_is_zero(priv_key)); + + if (dsa->pub_key == NULL) + { + if ((pub_key=BN_new()) == NULL) goto err; + } + else + pub_key=dsa->pub_key; + + if (!BN_mod_exp(pub_key,dsa->g,priv_key,dsa->p,ctx)) goto err; + + dsa->priv_key=priv_key; + dsa->pub_key=pub_key; + + if(!fips_check_dsa(dsa)) + goto err; + + ok=1; + +err: + if ((pub_key != NULL) && (dsa->pub_key == NULL)) BN_free(pub_key); + if ((priv_key != NULL) && (dsa->priv_key == NULL)) BN_free(priv_key); + if (ctx != NULL) BN_CTX_free(ctx); + return(ok); + } #endif #endif diff --git a/fips/fingerprint.sha1 b/fips/fingerprint.sha1 index b282604234..94d96b7ca1 100644 --- a/fips/fingerprint.sha1 +++ b/fips/fingerprint.sha1 @@ -1,4 +1,4 @@ SHA1(fips.c)= 3ce5c4660e56e1a1c1ef177f3536b3098bb65290 SHA1(fips_err_wrapper.c)= ad4a2ffa18743c83827de398c811eb6124ba0b27 -SHA1(fips.h)= a664b76451ff3d3674e7c79b6d56d547ffb9e5be -SHA1(fips_err.h)= 54f9f9931fdef839dcfbf7807a1977199ad4b4f1 +SHA1(fips.h)= da5e4f1bb957eb808c818507a76c8dcaa06dcec0 +SHA1(fips_err.h)= 8a6c9283e478afae4b30c033c5f885b1d20e75c1 diff --git a/fips/fips.h b/fips/fips.h index a9adfc1506..6abf8f5e67 100644 --- a/fips/fips.h +++ b/fips/fips.h @@ -83,7 +83,9 @@ void ERR_load_FIPS_strings(void); #define FIPS_F_DSA_DO_SIGN 111 #define FIPS_F_DSA_DO_VERIFY 112 #define FIPS_F_DSA_GENERATE_PARAMETERS 110 +#define FIPS_F_FIPS_CHECK_DSA 116 #define FIPS_F_FIPS_CHECK_EXE 106 +#define FIPS_F_FIPS_CHECK_RSA 115 #define FIPS_F_FIPS_DSA_CHECK 102 #define FIPS_F_FIPS_MODE_SET 105 #define FIPS_F_FIPS_SELFTEST_AES 104 @@ -103,6 +105,7 @@ void ERR_load_FIPS_strings(void); #define FIPS_R_FIPS_MODE_ALREADY_SET 102 #define FIPS_R_FIPS_SELFTEST_FAILED 106 #define FIPS_R_NON_FIPS_METHOD 100 +#define FIPS_R_PAIRWISE_TEST_FAILED 107 #define FIPS_R_SELFTEST_FAILED 101 #ifdef __cplusplus diff --git a/fips/fips_err.h b/fips/fips_err.h index c5c683b368..e8dafa4900 100644 --- a/fips/fips_err.h +++ b/fips/fips_err.h @@ -69,7 +69,9 @@ static ERR_STRING_DATA FIPS_str_functs[]= {ERR_PACK(0,FIPS_F_DSA_DO_SIGN,0), "DSA_do_sign"}, {ERR_PACK(0,FIPS_F_DSA_DO_VERIFY,0), "DSA_do_verify"}, {ERR_PACK(0,FIPS_F_DSA_GENERATE_PARAMETERS,0), "DSA_generate_parameters"}, +{ERR_PACK(0,FIPS_F_FIPS_CHECK_DSA,0), "FIPS_CHECK_DSA"}, {ERR_PACK(0,FIPS_F_FIPS_CHECK_EXE,0), "FIPS_CHECK_EXE"}, +{ERR_PACK(0,FIPS_F_FIPS_CHECK_RSA,0), "FIPS_CHECK_RSA"}, {ERR_PACK(0,FIPS_F_FIPS_DSA_CHECK,0), "FIPS_dsa_check"}, {ERR_PACK(0,FIPS_F_FIPS_MODE_SET,0), "FIPS_mode_set"}, {ERR_PACK(0,FIPS_F_FIPS_SELFTEST_AES,0), "FIPS_selftest_aes"}, @@ -92,6 +94,7 @@ static ERR_STRING_DATA FIPS_str_reasons[]= {FIPS_R_FIPS_MODE_ALREADY_SET ,"fips mode already set"}, {FIPS_R_FIPS_SELFTEST_FAILED ,"fips selftest failed"}, {FIPS_R_NON_FIPS_METHOD ,"non fips method"}, +{FIPS_R_PAIRWISE_TEST_FAILED ,"pairwise test failed"}, {FIPS_R_SELFTEST_FAILED ,"selftest failed"}, {0,NULL} }; diff --git a/fips/rsa/Makefile.ssl b/fips/rsa/Makefile.ssl index 383bc2510a..8306397507 100644 --- a/fips/rsa/Makefile.ssl +++ b/fips/rsa/Makefile.ssl @@ -56,11 +56,12 @@ links: @$(PERL) $(TOP)/util/mklink.pl $(TOP)/apps $(APPS) install: - @for i in $(EXHEADER) ; \ - do \ - (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ - done; +# some shells don't like empty lists +# @for i in $(EXHEADER) ; \ +# do \ +# (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ +# chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ +# done; tags: ctags $(SRC) diff --git a/fips/rsa/fingerprint.sha1 b/fips/rsa/fingerprint.sha1 index e03de116ba..14caeb1d23 100644 --- a/fips/rsa/fingerprint.sha1 +++ b/fips/rsa/fingerprint.sha1 @@ -1,3 +1,3 @@ SHA1(fips_rsa_eay.c)= eacbcc656f1f046509abb9cc0207880b58ae8b90 -SHA1(fips_rsa_gen.c)= bfc4d7204f714a354a2e652318c5e82518441427 +SHA1(fips_rsa_gen.c)= eb47b6add96f4fe2396538b8ef394d16c4b1e87f SHA1(fips_rsa_selftest.c)= 0106c4c565833ad2c8975b7d38765038a58f037c diff --git a/fips/rsa/fips_rsa_gen.c b/fips/rsa/fips_rsa_gen.c index 06ffbd3769..dd0b04c5c2 100644 --- a/fips/rsa/fips_rsa_gen.c +++ b/fips/rsa/fips_rsa_gen.c @@ -65,6 +65,44 @@ #ifdef OPENSSL_FIPS +static int fips_check_rsa(RSA *rsa) + { + int n; + unsigned char ctext[256]; + unsigned char ptext[256]; + static unsigned char original_ptext[] = + "\x01\x23\x45\x67\x89\xab\xcd\xef\x12\x34\x56\x78\x9a\xbc\xde\xf0" + "\x23\x45\x67\x89\xab\xcd\xef\x12\x34\x56\x78\x9a\xbc\xde\xf0\x12" + "\x45\x67\x89\xab\xcd\xef\x12\x34\x56\x78\x9a\xbc\xde\xf0\x12\x34" + "\x67\x89\xab\xcd\xef\x12\x34\x56\x78\x9a\xbc\xde\xf0\x12\x34\x56"; + + n=RSA_public_encrypt(sizeof(original_ptext)-1,original_ptext,ctext,rsa, + RSA_NO_PADDING); + if(n < 0) + { + ERR_print_errors_fp(stderr); + exit(1); + } + if(!memcmp(ctext,original_ptext,n)) + { + FIPSerr(FIPS_F_FIPS_CHECK_RSA,FIPS_R_PAIRWISE_TEST_FAILED); + return 0; + } + n=RSA_private_decrypt(n,ctext,ptext,rsa,RSA_NO_PADDING); + if(n < 0) + { + ERR_print_errors_fp(stderr); + exit(1); + } + if(n != sizeof(original_ptext)-1 || memcmp(ptext,original_ptext,n)) + { + FIPSerr(FIPS_F_FIPS_CHECK_RSA,FIPS_R_PAIRWISE_TEST_FAILED); + return 0; + } + + return 1; + } + RSA *RSA_generate_key(int bits, unsigned long e_value, void (*callback)(int,int,void *), void *cb_arg) { @@ -184,6 +222,9 @@ RSA *RSA_generate_key(int bits, unsigned long e_value, rsa->iqmp=BN_mod_inverse(NULL,rsa->q,rsa->p,ctx2); if (rsa->iqmp == NULL) goto err; + if(!fips_check_rsa(rsa)) + goto err; + ok=1; err: if (ok == -1)