From 3fa1a444ce3b6fbe70f501b7352153a785cdf97a Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Mon, 15 Sep 2008 22:24:39 +0000 Subject: [PATCH] Merge apps changes from FIPS branch. --- apps/apps.h | 3 +++ apps/dgst.c | 49 +++++++++++++++++++++++++++++++++++++++++------ apps/enc.c | 13 ++++++++++++- apps/genrsa.c | 15 ++++++++++++++- apps/makeapps.com | 2 +- apps/openssl.c | 32 ++++++++++++++++--------------- apps/pkcs12.c | 9 ++++++++- 7 files changed, 98 insertions(+), 25 deletions(-) diff --git a/apps/apps.h b/apps/apps.h index 0df170813a..c1ce1bc90c 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -149,9 +149,11 @@ int WIN32_rename(const char *oldname,const char *newname); #ifndef NON_MAIN CONF *config=NULL; BIO *bio_err=NULL; +int in_FIPS_mode=0; #else extern CONF *config; extern BIO *bio_err; +extern int in_FIPS_mode; #endif #else @@ -160,6 +162,7 @@ extern BIO *bio_err; extern CONF *config; extern char *default_config_file; extern BIO *bio_err; +extern int in_FIPS_mode; #endif diff --git a/apps/dgst.c b/apps/dgst.c index c5ecf93d1b..5a50cc3ef7 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -76,7 +76,7 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title, - const char *file,BIO *bmd,const char *hmac_key); + const char *file,BIO *bmd,const char *hmac_key, int non_fips_allow); int MAIN(int, char **); @@ -101,14 +101,16 @@ int MAIN(int argc, char **argv) EVP_PKEY *sigkey = NULL; unsigned char *sigbuf = NULL; int siglen = 0; + unsigned int sig_flags = 0; char *passargin = NULL, *passin = NULL; #ifndef OPENSSL_NO_ENGINE char *engine=NULL; #endif char *hmac_key=NULL; + int non_fips_allow = 0; apps_startup(); - +ERR_load_crypto_strings(); if ((buf=(unsigned char *)OPENSSL_malloc(BUFSIZE)) == NULL) { BIO_printf(bio_err,"out of memory\n"); @@ -167,6 +169,27 @@ int MAIN(int argc, char **argv) keyfile=*(++argv); do_verify = 1; } + else if (strcmp(*argv,"-x931") == 0) + sig_flags = EVP_MD_CTX_FLAG_PAD_X931; + else if (strcmp(*argv,"-pss_saltlen") == 0) + { + int saltlen; + if (--argc < 1) break; + saltlen=atoi(*(++argv)); + if (saltlen == -1) + sig_flags = EVP_MD_CTX_FLAG_PSS_MREC; + else if (saltlen == -2) + sig_flags = EVP_MD_CTX_FLAG_PSS_MDLEN; + else if (saltlen < -2 || saltlen >= 0xFFFE) + { + BIO_printf(bio_err, "Invalid PSS salt length %d\n", saltlen); + goto end; + } + else + sig_flags = saltlen; + sig_flags <<= 16; + sig_flags |= EVP_MD_CTX_FLAG_PAD_PSS; + } else if (strcmp(*argv,"-signature") == 0) { if (--argc < 1) break; @@ -190,6 +213,8 @@ int MAIN(int argc, char **argv) out_bin = 1; else if (strcmp(*argv,"-d") == 0) debug=1; + else if (strcmp(*argv,"-non-fips-allow") == 0) + non_fips_allow=1; else if (!strcmp(*argv,"-fips-fingerprint")) hmac_key = "etaonrishdlcupfm"; else if (!strcmp(*argv,"-hmac")) @@ -356,8 +381,20 @@ int MAIN(int argc, char **argv) goto end; } } - + if (non_fips_allow) + { + EVP_MD_CTX *md_ctx; + BIO_get_md_ctx(bmd,&md_ctx); + EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + } + + if (sig_flags) + { + EVP_MD_CTX *md_ctx; + BIO_get_md_ctx(bmd,&md_ctx); + EVP_MD_CTX_set_flags(md_ctx, sig_flags); + } /* we use md as a filter, reading from 'in' */ if (!BIO_set_md(bmd,md)) @@ -373,7 +410,7 @@ int MAIN(int argc, char **argv) { BIO_set_fp(in,stdin,BIO_NOCLOSE); err=do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf, - siglen,"","(stdin)",bmd,hmac_key); + siglen,"","(stdin)",bmd,hmac_key,non_fips_allow); } else { @@ -399,7 +436,7 @@ int MAIN(int argc, char **argv) else tmp=""; r=do_fp(out,buf,inp,separator,out_bin,sigkey,sigbuf, - siglen,tmp,argv[i],bmd,hmac_key); + siglen,tmp,argv[i],bmd,hmac_key,non_fips_allow); if(r) err=r; if(tofree) @@ -426,7 +463,7 @@ end: int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title, - const char *file,BIO *bmd,const char *hmac_key) + const char *file,BIO *bmd,const char *hmac_key,int non_fips_allow) { unsigned int len; int i; diff --git a/apps/enc.c b/apps/enc.c index a41ea800ac..47c6eb604d 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -127,6 +127,7 @@ int MAIN(int argc, char **argv) char *engine = NULL; #endif const EVP_MD *dgst=NULL; + int non_fips_allow = 0; apps_startup(); @@ -261,6 +262,8 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; md= *(++argv); } + else if (strcmp(*argv,"-non-fips-allow") == 0) + non_fips_allow = 1; else if ((argv[0][0] == '-') && ((c=EVP_get_cipherbyname(&(argv[0][1]))) != NULL)) { @@ -314,7 +317,10 @@ bad: if (dgst == NULL) { - dgst = EVP_md5(); + if (in_FIPS_mode) + dgst = EVP_sha1(); + else + dgst = EVP_md5(); } if (bufsize != NULL) @@ -549,6 +555,11 @@ bad: */ BIO_get_cipher_ctx(benc, &ctx); + + if (non_fips_allow) + EVP_CIPHER_CTX_set_flags(ctx, + EVP_CIPH_FLAG_NON_FIPS_ALLOW); + if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) { BIO_printf(bio_err, "Error setting cipher %s\n", diff --git a/apps/genrsa.c b/apps/genrsa.c index 1599bb7a69..fdc0d4a07d 100644 --- a/apps/genrsa.c +++ b/apps/genrsa.c @@ -95,6 +95,7 @@ int MAIN(int argc, char **argv) int ret=1; int i,num=DEFBITS; long l; + int use_x931 = 0; const EVP_CIPHER *enc=NULL; unsigned long f4=RSA_F4; char *outfile=NULL; @@ -138,6 +139,8 @@ int MAIN(int argc, char **argv) f4=3; else if (strcmp(*argv,"-F4") == 0 || strcmp(*argv,"-f4") == 0) f4=RSA_F4; + else if (strcmp(*argv,"-x931") == 0) + use_x931 = 1; #ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { @@ -266,7 +269,17 @@ bad: BIO_printf(bio_err,"Generating RSA private key, %d bit long modulus\n", num); - if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb)) + if (use_x931) + { + BIGNUM *pubexp; + pubexp = BN_new(); + if (!BN_set_word(pubexp, f4)) + goto err; + if (!RSA_X931_generate_key_ex(rsa, num, pubexp, &cb)) + goto err; + BN_free(pubexp); + } + else if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb)) goto err; app_RAND_write_file(NULL, bio_err); diff --git a/apps/makeapps.com b/apps/makeapps.com index 826ab5bec6..0580a1f401 100644 --- a/apps/makeapps.com +++ b/apps/makeapps.com @@ -142,7 +142,7 @@ $ LIB_FILES = "VERIFY;ASN1PARS;REQ;DGST;DH;DHPARAM;ENC;PASSWD;GENDH;ERRSTR;"+- "RSA;RSAUTL;DSA;DSAPARAM;EC;ECPARAM;"+- "X509;GENRSA;GENDSA;S_SERVER;S_CLIENT;SPEED;"+- "S_TIME;APPS;S_CB;S_SOCKET;APP_RAND;VERSION;SESS_ID;"+- - "CIPHERS;NSEQ;PKCS12;PKCS8;SPKAC;SMIME;CMS;RAND;ENGINE;OCSP;PRIME" + "CIPHERS;NSEQ;PKCS12;PKCS8;SPKAC;SMIME;RAND;ENGINE;OCSP;PRIME" $ TCPIP_PROGRAMS = ",," $ IF COMPILER .EQS. "VAXC" THEN - TCPIP_PROGRAMS = ",OPENSSL," diff --git a/apps/openssl.c b/apps/openssl.c index ec25f990fe..7d2b476cf0 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -147,6 +147,7 @@ char *default_config_file=NULL; #ifdef MONOLITH CONF *config=NULL; BIO *bio_err=NULL; +int in_FIPS_mode=0; #endif @@ -232,6 +233,19 @@ int main(int Argc, char *Argv[]) arg.data=NULL; arg.count=0; + in_FIPS_mode = 0; + +#ifdef OPENSSL_FIPS + if(getenv("OPENSSL_FIPS")) { + if (!FIPS_mode_set(1)) { + ERR_load_crypto_strings(); + ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE)); + EXIT(1); + } + in_FIPS_mode = 1; + } +#endif + if (bio_err == NULL) if ((bio_err=BIO_new(BIO_s_file())) != NULL) BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); @@ -273,21 +287,9 @@ int main(int Argc, char *Argv[]) i=NCONF_load(config,p,&errline); if (i == 0) { - if (ERR_GET_REASON(ERR_peek_last_error()) - == CONF_R_NO_SUCH_FILE) - { - BIO_printf(bio_err, - "WARNING: can't open config file: %s\n",p); - ERR_clear_error(); - NCONF_free(config); - config = NULL; - } - else - { - ERR_print_errors(bio_err); - NCONF_free(config); - exit(1); - } + NCONF_free(config); + config = NULL; + ERR_clear_error(); } prog=prog_init(); diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 268390ebe8..ec74769de9 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -111,7 +111,7 @@ int MAIN(int argc, char **argv) int maciter = PKCS12_DEFAULT_ITER; int twopass = 0; int keytype = 0; - int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; + int cert_pbe; int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; int ret = 1; int macver = 1; @@ -128,6 +128,13 @@ int MAIN(int argc, char **argv) apps_startup(); +#ifdef OPENSSL_FIPS + if (FIPS_mode()) + cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; + else +#endif + cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; + enc = EVP_des_ede3_cbc(); if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); -- 2.25.1