From 1f1790d15b40f0a9300c81f5f16e8707054cc1d7 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 23 Jan 2007 17:51:08 +0000 Subject: [PATCH] To reduce FIPS dependencies don't load error strings and avoid use of ASN1 versions of DSA signature functions. --- fips-1.0/dsa/fips_dsa_gen.c | 15 +++++++++++---- fips-1.0/dsa/fips_dsa_ossl.c | 2 +- fips-1.0/dsa/fips_dsa_selftest.c | 18 ++++++++++++++---- fips-1.0/dsa/fips_dsatest.c | 19 +++++++++++++------ fips-1.0/dsa/fips_dssvs.c | 6 ++++-- fips-1.0/fips.c | 1 - fips-1.0/fips_test_suite.c | 16 +++++++++------- fips-1.0/hmac/fips_hmactest.c | 2 -- fips-1.0/rand/fips_randtest.c | 1 - fips-1.0/rand/fips_rngvs.c | 1 - fips-1.0/rsa/fips_rsagtest.c | 1 - fips-1.0/rsa/fips_rsastest.c | 16 +++++----------- fips-1.0/rsa/fips_rsavtest.c | 14 +++++--------- fips-1.0/sha/fips_shatest.c | 2 -- 14 files changed, 62 insertions(+), 52 deletions(-) diff --git a/fips-1.0/dsa/fips_dsa_gen.c b/fips-1.0/dsa/fips_dsa_gen.c index 8ed1de0195..cb5eae2ced 100644 --- a/fips-1.0/dsa/fips_dsa_gen.c +++ b/fips-1.0/dsa/fips_dsa_gen.c @@ -93,11 +93,18 @@ static int fips_check_dsa(DSA *dsa) { static const unsigned char str1[]="12345678901234567890"; - unsigned char sig[256]; - unsigned int siglen; + int r = 0; + DSA_SIG *sig; - DSA_sign(0, str1, 20, sig, &siglen, dsa); - if(DSA_verify(0, str1, 20, sig, siglen, dsa) != 1) + sig = DSA_do_sign(str1, 20, dsa); + + if (sig) + { + r = DSA_do_verify(str1, 20, sig, dsa); + DSA_SIG_free(sig); + } + + if(r != 1) { FIPSerr(FIPS_F_FIPS_CHECK_DSA,FIPS_R_PAIRWISE_TEST_FAILED); return 0; diff --git a/fips-1.0/dsa/fips_dsa_ossl.c b/fips-1.0/dsa/fips_dsa_ossl.c index f8f3a39343..ea1cba2902 100644 --- a/fips-1.0/dsa/fips_dsa_ossl.c +++ b/fips-1.0/dsa/fips_dsa_ossl.c @@ -164,7 +164,7 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, FIPS_DSA_SIZE_T dlen, DSA BN_sub(s,s,dsa->q); if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err; - ret=DSA_SIG_new(); + ret= DSA_SIG_new(); if (ret == NULL) goto err; ret->r = r; ret->s = s; diff --git a/fips-1.0/dsa/fips_dsa_selftest.c b/fips-1.0/dsa/fips_dsa_selftest.c index 795fda9587..91dcfc7326 100644 --- a/fips-1.0/dsa/fips_dsa_selftest.c +++ b/fips-1.0/dsa/fips_dsa_selftest.c @@ -112,8 +112,8 @@ int FIPS_selftest_dsa() int counter,i,j; unsigned char buf[256]; unsigned long h; - unsigned char sig[256]; - unsigned int siglen; + + DSA_SIG *sig = NULL; dsa=DSA_generate_parameters(512,seed,20,&counter,&h,NULL,NULL); @@ -156,8 +156,18 @@ int FIPS_selftest_dsa() return 0; } DSA_generate_key(dsa); - DSA_sign(0, str1, 20, sig, &siglen, dsa); - if(DSA_verify(0, str1, 20, sig, siglen, dsa) != 1) + sig = DSA_do_sign(str1, 20, dsa); + + if (sig) + { + i = DSA_do_verify(str1, 20, sig, dsa); + DSA_SIG_free(sig); + OPENSSL_free(sig); + } + else + i = 0; + + if (i != 1) { FIPSerr(FIPS_F_FIPS_SELFTEST_DSA,FIPS_R_SELFTEST_FAILED); return 0; diff --git a/fips-1.0/dsa/fips_dsatest.c b/fips-1.0/dsa/fips_dsatest.c index 5970b201e9..f4cc37b19a 100644 --- a/fips-1.0/dsa/fips_dsatest.c +++ b/fips-1.0/dsa/fips_dsatest.c @@ -140,8 +140,7 @@ int main(int argc, char **argv) int counter,ret=0,i,j; unsigned char buf[256]; unsigned long h; - unsigned char sig[256]; - unsigned int siglen; + DSA_SIG *sig = NULL; if (bio_err == NULL) bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); @@ -157,7 +156,6 @@ int main(int argc, char **argv) CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); - ERR_load_crypto_strings(); FIPS_set_prng_key(rnd_key1,rnd_key2); RAND_seed(rnd_seed, sizeof rnd_seed); @@ -174,7 +172,7 @@ int main(int argc, char **argv) BIO_printf(bio_err,"\ncounter=%d h=%d\n",counter,h); if (dsa == NULL) goto end; - DSA_print(bio_err,dsa,0); + /*DSA_print(bio_err,dsa,0);*/ if (counter != 105) { BIO_printf(bio_err,"counter should be 105\n"); @@ -210,8 +208,17 @@ int main(int argc, char **argv) goto end; } DSA_generate_key(dsa); - DSA_sign(0, str1, 20, sig, &siglen, dsa); - if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1) + + sig = DSA_do_sign(str1, 20, dsa); + + if (sig) + { + i = DSA_do_verify(str1, 20, sig, dsa); + DSA_SIG_free(sig); + } + else + i = 0; + if (i == 1) ret=1; end: if (!ret) diff --git a/fips-1.0/dsa/fips_dssvs.c b/fips-1.0/dsa/fips_dssvs.c index fe4e54f287..f234906ebd 100644 --- a/fips-1.0/dsa/fips_dssvs.c +++ b/fips-1.0/dsa/fips_dssvs.c @@ -301,7 +301,10 @@ void sigver() char *keyword, *value; int nmod=0; unsigned char hash[20]; - DSA_SIG *sig=DSA_SIG_new(); + DSA_SIG sg, *sig = &sg; + + sig->r = NULL; + sig->s = NULL; while(fgets(buf,sizeof buf,stdin) != NULL) { @@ -367,7 +370,6 @@ int main(int argc,char **argv) } if(!FIPS_mode_set(1)) { - ERR_load_crypto_strings(); ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE)); exit(1); } diff --git a/fips-1.0/fips.c b/fips-1.0/fips.c index bb833bfa2c..d2d35be528 100644 --- a/fips-1.0/fips.c +++ b/fips-1.0/fips.c @@ -135,7 +135,6 @@ int FIPS_selftest_failed(void) int FIPS_selftest() { - ERR_load_crypto_strings(); return FIPS_selftest_sha1() && FIPS_selftest_hmac() diff --git a/fips-1.0/fips_test_suite.c b/fips-1.0/fips_test_suite.c index 53bf1ab5b6..bd02133b6e 100644 --- a/fips-1.0/fips_test_suite.c +++ b/fips-1.0/fips_test_suite.c @@ -85,8 +85,8 @@ static int FIPS_dsa_test() { DSA *dsa = NULL; unsigned char dgst[] = "etaonrishdlc"; - unsigned char sig[256]; - unsigned int siglen; + DSA_SIG *sig = NULL; + int r = 0; ERR_clear_error(); dsa = DSA_generate_parameters(512,NULL,0,NULL,NULL,NULL,NULL); @@ -94,9 +94,13 @@ static int FIPS_dsa_test() return 0; if (!DSA_generate_key(dsa)) return 0; - if ( DSA_sign(0,dgst,sizeof(dgst) - 1,sig,&siglen,dsa) != 1 ) - return 0; - if ( DSA_verify(0,dgst,sizeof(dgst) - 1,sig,siglen,dsa) != 1 ) + sig = DSA_do_sign(dgst,sizeof(dgst) - 1,dsa); + if (sig) + { + r = DSA_do_verify(dgst,sizeof(dgst) - 1,sig,dsa); + DSA_SIG_free(sig); + } + if (r != 1) return 0; DSA_free(dsa); return 1; @@ -380,7 +384,6 @@ int main(int argc,char **argv) } if (!FIPS_mode_set(1)) { - ERR_load_crypto_strings(); ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE)); printf("Power-up self test failed\n"); exit(1); @@ -401,7 +404,6 @@ int main(int argc,char **argv) printf("2. Automatic power-up self test..."); if (!FIPS_mode_set(1)) { - ERR_load_crypto_strings(); ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE)); printf(Fail("FAILED!\n")); exit(1); diff --git a/fips-1.0/hmac/fips_hmactest.c b/fips-1.0/hmac/fips_hmactest.c index e26e33ee3f..267db73b6a 100644 --- a/fips-1.0/hmac/fips_hmactest.c +++ b/fips-1.0/hmac/fips_hmactest.c @@ -86,8 +86,6 @@ int main(int argc, char **argv) int ret = 1; - ERR_load_crypto_strings(); - err = BIO_new_fp(stderr, BIO_NOCLOSE); if (!err) diff --git a/fips-1.0/rand/fips_randtest.c b/fips-1.0/rand/fips_randtest.c index 6165944e56..f7e4d83634 100644 --- a/fips-1.0/rand/fips_randtest.c +++ b/fips-1.0/rand/fips_randtest.c @@ -217,7 +217,6 @@ int main() /*double d; */ long d; - ERR_load_crypto_strings(); RAND_set_rand_method(FIPS_rand_method()); run_test(&t1); diff --git a/fips-1.0/rand/fips_rngvs.c b/fips-1.0/rand/fips_rngvs.c index fdb38a5c82..0a56b828f2 100644 --- a/fips-1.0/rand/fips_rngvs.c +++ b/fips-1.0/rand/fips_rngvs.c @@ -254,7 +254,6 @@ int main(int argc,char **argv) } if(!FIPS_mode_set(1)) { - ERR_load_crypto_strings(); ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE)); exit(1); } diff --git a/fips-1.0/rsa/fips_rsagtest.c b/fips-1.0/rsa/fips_rsagtest.c index fdeb05c98b..3567b8c30f 100644 --- a/fips-1.0/rsa/fips_rsagtest.c +++ b/fips-1.0/rsa/fips_rsagtest.c @@ -93,7 +93,6 @@ int main(int argc, char **argv) BIO *in = NULL, *out = NULL, *err = NULL; int ret = 1; - ERR_load_crypto_strings(); err = BIO_new_fp(stderr, BIO_NOCLOSE); diff --git a/fips-1.0/rsa/fips_rsastest.c b/fips-1.0/rsa/fips_rsastest.c index c002065b11..9152311bda 100644 --- a/fips-1.0/rsa/fips_rsastest.c +++ b/fips-1.0/rsa/fips_rsastest.c @@ -84,7 +84,6 @@ int main(int argc, char **argv) BIO *in = NULL, *out = NULL, *err = NULL; int ret = 1, Saltlen = -1; - ERR_load_crypto_strings(); err = BIO_new_fp(stderr, BIO_NOCLOSE); @@ -326,15 +325,12 @@ static int rsa_printsig(BIO *err, BIO *out, RSA *rsa, const EVP_MD *dgst, unsigned char *sigbuf = NULL; int i, siglen; /* EVP_PKEY structure */ - EVP_PKEY *key = NULL; + EVP_PKEY pk; EVP_MD_CTX ctx; - key = EVP_PKEY_new(); - if (!key) - goto error; - if (!EVP_PKEY_set1_RSA(key, rsa)) - goto error; + pk.type = EVP_PKEY_RSA; + pk.pkey.rsa = rsa; - siglen = EVP_PKEY_size(key); + siglen = RSA_size(rsa); sigbuf = OPENSSL_malloc(siglen); if (!sigbuf) goto error; @@ -378,7 +374,7 @@ static int rsa_printsig(BIO *err, BIO *out, RSA *rsa, const EVP_MD *dgst, goto error; if (!EVP_SignUpdate(&ctx, Msg, Msglen)) goto error; - if (!EVP_SignFinal(&ctx, sigbuf, (unsigned int *)&siglen, key)) + if (!EVP_SignFinal(&ctx, sigbuf, (unsigned int *)&siglen, &pk)) goto error; } @@ -394,8 +390,6 @@ static int rsa_printsig(BIO *err, BIO *out, RSA *rsa, const EVP_MD *dgst, ret = 1; error: - if (key) - EVP_PKEY_free(key); return ret; } diff --git a/fips-1.0/rsa/fips_rsavtest.c b/fips-1.0/rsa/fips_rsavtest.c index 8be7e989d7..f75aaabf03 100644 --- a/fips-1.0/rsa/fips_rsavtest.c +++ b/fips-1.0/rsa/fips_rsavtest.c @@ -88,7 +88,6 @@ int main(int argc, char **argv) int ret = 1; int Saltlen = -1; - ERR_load_crypto_strings(); err = BIO_new_fp(stderr, BIO_NOCLOSE); @@ -330,19 +329,18 @@ static int rsa_printver(BIO *err, BIO *out, int ret = 0, r; /* Setup RSA and EVP_PKEY structures */ RSA *rsa_pubkey = NULL; - EVP_PKEY *pubkey = NULL; + EVP_PKEY pk; EVP_MD_CTX ctx; unsigned char *buf = NULL; rsa_pubkey = RSA_new(); - pubkey = EVP_PKEY_new(); - if (!rsa_pubkey || !pubkey) + if (!rsa_pubkey) goto error; rsa_pubkey->n = BN_dup(n); rsa_pubkey->e = BN_dup(e); if (!rsa_pubkey->n || !rsa_pubkey->e) goto error; - if (!EVP_PKEY_set1_RSA(pubkey, rsa_pubkey)) - goto error; + pk.type = EVP_PKEY_RSA; + pk.pkey.rsa = rsa_pubkey; EVP_MD_CTX_init(&ctx); @@ -395,7 +393,7 @@ static int rsa_printver(BIO *err, BIO *out, if (!EVP_VerifyUpdate(&ctx, Msg, Msglen)) goto error; - r = EVP_VerifyFinal(&ctx, S, Slen, pubkey); + r = EVP_VerifyFinal(&ctx, S, Slen, &pk); } @@ -415,8 +413,6 @@ static int rsa_printver(BIO *err, BIO *out, error: if (rsa_pubkey) RSA_free(rsa_pubkey); - if (pubkey) - EVP_PKEY_free(pubkey); if (buf) OPENSSL_free(buf); diff --git a/fips-1.0/sha/fips_shatest.c b/fips-1.0/sha/fips_shatest.c index 314a4b0da7..9ef0fa9e43 100644 --- a/fips-1.0/sha/fips_shatest.c +++ b/fips-1.0/sha/fips_shatest.c @@ -86,8 +86,6 @@ int main(int argc, char **argv) int ret = 1; - ERR_load_crypto_strings(); - err = BIO_new_fp(stderr, BIO_NOCLOSE); if (!err) -- 2.25.1