From: Dr. Stephen Henson <steve@openssl.org>
Date: Sat, 10 Dec 2011 13:38:34 +0000 (+0000)
Subject: Updates from fips2 branch: close streams in test utilities, use cofactor ECDH
X-Git-Tag: master-post-reformat~2048
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=4fa35e7336100df98d8e3db61f3559671bc3f3cd;p=oweals%2Fopenssl.git

Updates from fips2 branch: close streams in test utilities, use cofactor ECDH
add new key and signature generation tests to fips_test_suite.
---

diff --git a/fips/dh/fips_dhvs.c b/fips/dh/fips_dhvs.c
index 3ba1977862..0fb52f79a4 100644
--- a/fips/dh/fips_dhvs.c
+++ b/fips/dh/fips_dhvs.c
@@ -279,6 +279,10 @@ int main(int argc, char **argv)
 							rhash, rhashlen);
 			}
 		}
+	if (in && in != stdin)
+		fclose(in);
+	if (out && out != stdout)
+		fclose(out);
 	return 0;
 	parse_error:
 	fprintf(stderr, "Error Parsing request file\n");
diff --git a/fips/ecdh/fips_ecdh_selftest.c b/fips/ecdh/fips_ecdh_selftest.c
index 2b21ceaf48..0b16c57aae 100644
--- a/fips/ecdh/fips_ecdh_selftest.c
+++ b/fips/ecdh/fips_ecdh_selftest.c
@@ -166,6 +166,7 @@ int FIPS_selftest_ecdh(void)
 			rv = -1;
 			goto err;
 			}
+		EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
 
 		if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y))
 			{
@@ -194,6 +195,7 @@ int FIPS_selftest_ecdh(void)
 			rv = -1;
 			goto err;
 			}
+		EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
 
 		if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y))
 			{
diff --git a/fips/ecdh/fips_ecdhvs.c b/fips/ecdh/fips_ecdhvs.c
index a30e335e2b..a1422868b3 100644
--- a/fips/ecdh/fips_ecdhvs.c
+++ b/fips/ecdh/fips_ecdhvs.c
@@ -261,6 +261,7 @@ static void ec_output_Zhash(FILE *out, int exout, EC_GROUP *group,
 	unsigned char chash[EVP_MAX_MD_SIZE];
 	int Zlen;
 	ec = EC_KEY_new();
+	EC_KEY_set_flags(ec, EC_FLAG_COFACTOR_ECDH);
 	EC_KEY_set_group(ec, group);
 	peerkey = make_peer(group, cx, cy);
 	if (rhash == NULL)
@@ -413,6 +414,11 @@ int main(int argc, char **argv)
 			if (group)
 				EC_GROUP_free(group);
 			group = EC_GROUP_new_by_curve_name(nid);
+			if (!group)
+				{
+				fprintf(stderr, "ERROR: unsupported curve %s\n", buf + 1);
+				return 1;
+				}
 			}
 
 		if (strlen(buf) > 6 && !strncmp(buf, "[E", 2))
@@ -478,6 +484,10 @@ int main(int argc, char **argv)
 		BN_free(cy);
 	if (group)
 		EC_GROUP_free(group);
+	if (in && in != stdin)
+		fclose(in);
+	if (out && out != stdout)
+		fclose(out);
 	if (rv)
 		fprintf(stderr, "Error Parsing request file\n");
 	return rv;
diff --git a/fips/fips_test_suite.c b/fips/fips_test_suite.c
index 2d0a4bba8b..cf8f085e95 100644
--- a/fips/fips_test_suite.c
+++ b/fips/fips_test_suite.c
@@ -650,6 +650,13 @@ static size_t drbg_test_cb(DRBG_CTX *ctx, unsigned char **pout,
 	return (min_len + 0xf) & ~0xf;
 	}
 
+/* Callback which returns 0 to indicate entropy source failure */
+static size_t drbg_fail_cb(DRBG_CTX *ctx, unsigned char **pout,
+                                int entropy, size_t min_len, size_t max_len)
+	{
+	return 0;
+	}
+
 /* DRBG test: just generate lots of data and trigger health checks */
 
 static int do_drbg_test(int type, int flags)
@@ -1036,7 +1043,7 @@ static int do_fail_all(int fullpost, int fullerr)
 	size_t i;
 	RSA *rsa = NULL;
 	DSA *dsa = NULL;
-	DRBG_CTX *dctx = NULL;
+	DRBG_CTX *dctx = NULL, *defctx = NULL;
 	EC_KEY *ec = NULL;
 	BIGNUM *bn = NULL;
 	unsigned char out[10];
@@ -1133,6 +1140,9 @@ static int do_fail_all(int fullpost, int fullerr)
 	else
 		printf("\tECDSA key generation failed as expected.\n");
 
+	FIPS_ec_key_free(ec);
+	ec = NULL;
+
 	fail_id = -1;
 	fail_sub = -1;
 	fail_key = -1;
@@ -1241,6 +1251,63 @@ static int do_fail_all(int fullpost, int fullerr)
 		printf("\tX9.31 continuous PRNG failed as expected\n");
 	FIPS_x931_stick(0);
 
+	/* Leave FIPS mode to clear error */
+	FIPS_module_mode_set(0, NULL);
+	/* Enter FIPS mode successfully */
+	if (!FIPS_module_mode_set(1, FIPS_AUTH_USER_PASS))
+		{
+		printf("\tError entering FIPS mode\n");
+		st_err++;
+		}
+
+	printf("    Testing operation failure with DRBG entropy failure\n");
+
+	/* Generate DSA key for later use */
+    	if (DSA_generate_key(dsa))
+		printf("\tDSA key generated OK as expected.\n");
+	else
+		{
+		printf("\tDSA key generation FAILED!!\n");
+		st_err++;
+		}
+
+	/* Initialise default DRBG context */
+	defctx = FIPS_get_default_drbg();
+	if (!defctx)
+		return 0;
+	if (!FIPS_drbg_init(defctx, NID_sha512, 0))
+		return 0;
+	/* Set entropy failure callback */
+	FIPS_drbg_set_callbacks(defctx, drbg_fail_cb, 0, 0x10, drbg_test_cb, 0);
+	if (FIPS_drbg_instantiate(defctx, dummy_drbg_entropy, 10))
+		{
+		printf("\tDRBG entropy fail OK incorrectly!!\n");
+		st_err++;
+		}
+	else
+		printf("\tDRBG entropy fail failed as expected\n");
+
+	if (FIPS_dsa_sign(dsa, dummy_drbg_entropy, 5, EVP_sha256()))
+		{
+		printf("\tDSA signing OK incorrectly!!\n");
+		st_err++;
+		}
+	else
+		printf("\tDSA signing failed as expected\n");
+
+	ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+
+	if (!ec)
+		return 0;
+
+    	if (EC_KEY_generate_key(ec))
+		{
+		printf("\tECDSA key generated OK incorrectly!!\n");
+		st_err++;
+		}
+	else
+		printf("\tECDSA key generation failed as expected.\n");
+
 	printf("  Induced failure test completed with %d errors\n", st_err);
 	post_quiet = 0; 
 	no_err = 0;
diff --git a/fips/rand/fips_drbgvs.c b/fips/rand/fips_drbgvs.c
index bcdfa6dac3..9aae88c3e1 100644
--- a/fips/rand/fips_drbgvs.c
+++ b/fips/rand/fips_drbgvs.c
@@ -176,7 +176,7 @@ int fips_drbgvs_main(int argc,char **argv)
 int main(int argc,char **argv)
 #endif
 	{
-	FILE *in, *out;
+	FILE *in = NULL, *out = NULL;
 	DRBG_CTX *dctx = NULL;
 	TEST_ENT t;
 	int r, nid = 0;
@@ -406,6 +406,10 @@ int main(int argc,char **argv)
 			}
 
 		}
+	if (in && in != stdin)
+		fclose(in);
+	if (out && out != stdout)
+		fclose(out);
 	return 0;
 	}