From b8b47f67d0f4a4ff2d1c81cd4a39ad43d57e9c3b Mon Sep 17 00:00:00 2001 From: Ben Laurie Date: Sat, 6 Sep 2003 13:31:40 +0000 Subject: [PATCH] Add fingerprint chain and checking. --- Makefile.org | 1 - fips/Makefile.ssl | 22 +++++++++++++--- fips/aes/Makefile.ssl | 6 ++++- fips/aes/fips_aesavs.c | 6 ++++- fips/des/Makefile.ssl | 1 + fips/des/fips_desmovs.c | 5 ++-- fips/dsa/Makefile.ssl | 1 + fips/dsa/fips_dsatest.c | 10 +++++--- fips/dsa/fips_dssvs.c | 8 ++++++ fips/fingerprint.sha1 | 6 ++--- fips/fips.c | 54 ++++++++++++++++++++++++++++++++++++++- fips/fips.h | 6 ++++- fips/fips_err.c | 4 +++ fips/fips_make_sha1 | 2 +- fips/sha1/Makefile.ssl | 1 + fips/sha1/fips_sha1test.c | 8 ++++++ 16 files changed, 123 insertions(+), 18 deletions(-) diff --git a/Makefile.org b/Makefile.org index 3c27326e5c..59bbad0d52 100644 --- a/Makefile.org +++ b/Makefile.org @@ -226,7 +226,6 @@ all: Makefile.ssl sub_all openssl.pc sigs sigs: fips/sha1/fips_standalone_sha1 libcrypto.a > libcrypto.sha1 - if [ "$(SHLIBEXT)" != "" ]; then fips/sha1/fips_standalone_sha1 libcrypto$(SHLIBEXT) >> libcrypto.sha1; fi sub_all: @for i in $(DIRS); \ diff --git a/fips/Makefile.ssl b/fips/Makefile.ssl index 16af713bc0..c8642d99c4 100644 --- a/fips/Makefile.ssl +++ b/fips/Makefile.ssl @@ -39,6 +39,7 @@ SRC= $(LIBSRC) EXHEADER=fips.h HEADER=$(EXHEADER) fips_err.c +EXE=openssl_fips_fingerprint ALL= $(GENERAL) $(SRC) $(HEADER) @@ -104,17 +105,30 @@ tests: $(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' AR='${AR}' tests ); \ done; +fips_test: + @for i in dsa sha1 aes des ; \ + do \ + (cd $$i && echo "making fips_test in fips/$$i..." && make fips_test) \ + done; + install: @for i in $(EXHEADER) ;\ do \ - (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ + (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; @for i in $(FDIRS) ;\ do \ - (cd $$i && echo "making install in fips/$$i..." && \ - $(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' install ); \ + (cd $$i && echo "making install in fips/$$i..." && \ + $(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' install ); \ done; + @for i in $(EXE) ; \ + do \ + echo "installing $$i"; \ + cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \ + chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \ + mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \ + done lint: @for i in $(FDIRS) ;\ diff --git a/fips/aes/Makefile.ssl b/fips/aes/Makefile.ssl index f5be1f72bf..2470059fa3 100644 --- a/fips/aes/Makefile.ssl +++ b/fips/aes/Makefile.ssl @@ -67,10 +67,14 @@ tags: tests: +top_fips_aesavs: + (cd ../..; $(MAKE) DIRS=fips FDIRS=$(DIR) TARGET=fips_aesavs sub_target) + fips_aesavs: fips_aesavs.o ../../libcrypto.a $(CC) $(CFLAGS) -o fips_aesavs fips_aesavs.o ../../libcrypto.a + $(TOP)/fips/openssl_fips_fingerprint ../../libcrypto.a fips_aesavs -fips_test: top fips_aesavs +fips_test: top top_fips_aesavs find ../testvectors/aes/req -name '*.req' > testlist -rm -rf ../testvectors/aes/rsp mkdir ../testvectors/aes/rsp diff --git a/fips/aes/fips_aesavs.c b/fips/aes/fips_aesavs.c index 5ccfd82fed..c4c534d0cd 100644 --- a/fips/aes/fips_aesavs.c +++ b/fips/aes/fips_aesavs.c @@ -889,7 +889,11 @@ int main(int argc, char **argv) int f_opt = 0, d_opt = 1; #ifdef FIPS - FIPS_mode_set(1); + if(!FIPS_mode_set(1,argv[0])) + { + ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE)); + exit(1); + } #endif ERR_load_crypto_strings(); if (argc > 1) diff --git a/fips/des/Makefile.ssl b/fips/des/Makefile.ssl index 3aa2f4a02b..1892389ddb 100644 --- a/fips/des/Makefile.ssl +++ b/fips/des/Makefile.ssl @@ -72,6 +72,7 @@ top_fips_desmovs: fips_desmovs: fips_desmovs.o ../../libcrypto.a $(CC) $(CFLAGS) -o fips_desmovs fips_desmovs.o ../../libcrypto.a + $(TOP)/fips/openssl_fips_fingerprint ../../libcrypto.a fips_desmovs fips_test: top_fips_desmovs find ../testvectors/des/req -name '*.req' > testlist diff --git a/fips/des/fips_desmovs.c b/fips/des/fips_desmovs.c index 93399ac65b..8bb5dc6fdd 100644 --- a/fips/des/fips_desmovs.c +++ b/fips/des/fips_desmovs.c @@ -667,9 +667,10 @@ int main(int argc, char **argv) int f_opt = 0, d_opt = 1; #ifdef FIPS - if(!FIPS_mode_set(1)) + if(!FIPS_mode_set(1,argv[0])) { - fprintf(stderr,"Failed to enter FIPS mode.\n"); + ERR_load_crypto_strings(); + ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE)); exit(1); } #endif diff --git a/fips/dsa/Makefile.ssl b/fips/dsa/Makefile.ssl index 3d68e1b619..de50533458 100644 --- a/fips/dsa/Makefile.ssl +++ b/fips/dsa/Makefile.ssl @@ -72,6 +72,7 @@ top_fips_dssvs: fips_dssvs: fips_dssvs.o ../../libcrypto.a $(CC) $(CFLAGS) -o fips_dssvs fips_dssvs.o ../../libcrypto.a + $(TOP)/fips/openssl_fips_fingerprint ../../libcrypto.a fips_dssvs Q=../testvectors/dsa/req A=../testvectors/dsa/rsp diff --git a/fips/dsa/fips_dsatest.c b/fips/dsa/fips_dsatest.c index 1107a00b69..53dc8d881a 100644 --- a/fips/dsa/fips_dsatest.c +++ b/fips/dsa/fips_dsatest.c @@ -143,12 +143,16 @@ int main(int argc, char **argv) unsigned char sig[256]; unsigned int siglen; -#ifdef FIPS - FIPS_mode_set(1); -#endif if (bio_err == NULL) bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); +#ifdef FIPS + if(!FIPS_mode_set(1,argv[0])) + { + ERR_print_errors(bio_err); + exit(1); + } +#endif CRYPTO_malloc_debug_init(); CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); diff --git a/fips/dsa/fips_dssvs.c b/fips/dsa/fips_dssvs.c index 2fba010b34..a2884a9bf7 100644 --- a/fips/dsa/fips_dssvs.c +++ b/fips/dsa/fips_dssvs.c @@ -1,5 +1,7 @@ #include #include +#include +#include #include int hex2bin(const char *in, unsigned char *out) @@ -127,6 +129,12 @@ int main(int argc,char **argv) fprintf(stderr,"%s [primes|pqg]\n",argv[0]); exit(1); } + if(!FIPS_mode_set(1,argv[0])) + { + ERR_load_crypto_strings(); + ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE)); + exit(1); + } if(!strcmp(argv[1],"primes")) primes(); else diff --git a/fips/fingerprint.sha1 b/fips/fingerprint.sha1 index f09d87a8ba..562372088c 100644 --- a/fips/fingerprint.sha1 +++ b/fips/fingerprint.sha1 @@ -1,4 +1,4 @@ -SHA1(fips.c)= 98c97fbf0e3b2a7c81572804ecc65fc8a8c9cc72 +SHA1(fips.c)= c33135b6ae585a1a953332e261984d38121727d5 SHA1(fips_err_wrapper.c)= 0cbe881739f6e7d91308e2e74b92032e69007528 -SHA1(fips.h)= b4e3fb8a1f3aa03a63094552bedaa2c58a35cb19 -SHA1(fips_err.c)= bd28a95630f6b2e7ac17bfae872c045216611b11 +SHA1(fips.h)= 58386539af75f8f622b041a43bf1880fee8642f7 +SHA1(fips_err.c)= 8d9fd3ab3e6ca5297c5714e7f6cd9834e22b4cba diff --git a/fips/fips.c b/fips/fips.c index 85514b9cd5..b0c8069c6b 100644 --- a/fips/fips.c +++ b/fips/fips.c @@ -51,6 +51,9 @@ #include #include #include +#include +#include +#include #ifdef FIPS @@ -61,7 +64,53 @@ int FIPS_selftest() && FIPS_selftest_des(); } -int FIPS_mode_set(int onoff) +static int FIPS_check_exe(const char *path) + { + BIO *bio, *md; + char buf[1024]; + char p2[PATH_MAX]; + int n; + char mdbuf[EVP_MAX_MD_SIZE]; + + bio=BIO_new_file(path,"rb"); + if(!bio) + { + FIPSerr(FIPS_F_FIPS_CHECK_EXE,FIPS_R_CANNOT_READ_EXE); + return 0; + } + md=BIO_new(BIO_f_md()); + BIO_set_md(md,EVP_sha1()); + bio=BIO_push(md,bio); + do + { + n=BIO_read(bio,buf,sizeof buf); + if(n < 0) + { + BIO_free_all(bio); + FIPSerr(FIPS_F_FIPS_CHECK_EXE,FIPS_R_CANNOT_READ_EXE); + return 0; + } + } while(n > 0); + BIO_gets(md,mdbuf,EVP_MAX_MD_SIZE); + BIO_free_all(bio); + snprintf(p2,sizeof p2,"%s.sha1",path); + bio=BIO_new_file(p2,"rb"); + if(!bio || BIO_read(bio,buf,20) != 20) + { + BIO_free(bio); + FIPSerr(FIPS_F_FIPS_CHECK_EXE,FIPS_R_CANNOT_READ_EXE_DIGEST); + return 0; + } + BIO_free(bio); + if(memcmp(buf,mdbuf,20)) + { + FIPSerr(FIPS_F_FIPS_CHECK_EXE,FIPS_R_EXE_DIGEST_DOES_NOT_MATCH); + return 0; + } + return 1; + } + +int FIPS_mode_set(int onoff,const char *path) { if(onoff) { @@ -72,6 +121,9 @@ int FIPS_mode_set(int onoff) if(FIPS_mode) FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FIPS_MODE_ALREADY_SET); + if(!FIPS_check_exe(path)) + return 0; + /* automagically seed PRNG if not already seeded */ if(!FIPS_rand_seeded()) { diff --git a/fips/fips.h b/fips/fips.h index f3ebb582ce..a93edd4976 100644 --- a/fips/fips.h +++ b/fips/fips.h @@ -55,7 +55,7 @@ extern int FIPS_mode; extern void *FIPS_rand_check; struct dsa_st; -int FIPS_mode_set(int onoff); +int FIPS_mode_set(int onoff,const char *path); int FIPS_dsa_check(struct dsa_st *dsa); int FIPS_selftest_sha1(void); int FIPS_selftest_aes(void); @@ -75,6 +75,7 @@ void ERR_load_FIPS_strings(void); /* Error codes for the FIPS functions. */ /* Function codes. */ +#define FIPS_F_FIPS_CHECK_EXE 106 #define FIPS_F_FIPS_DSA_CHECK 102 #define FIPS_F_FIPS_MODE_SET 105 #define FIPS_F_FIPS_SELFTEST_AES 104 @@ -83,6 +84,9 @@ void ERR_load_FIPS_strings(void); #define FIPS_F_SSLEAY_RAND_BYTES 101 /* Reason codes. */ +#define FIPS_R_CANNOT_READ_EXE 103 +#define FIPS_R_CANNOT_READ_EXE_DIGEST 104 +#define FIPS_R_EXE_DIGEST_DOES_NOT_MATCH 105 #define FIPS_R_FIPS_MODE_ALREADY_SET 102 #define FIPS_R_NON_FIPS_METHOD 100 #define FIPS_R_SELFTEST_FAILED 101 diff --git a/fips/fips_err.c b/fips/fips_err.c index 3d60967204..90c30320f2 100644 --- a/fips/fips_err.c +++ b/fips/fips_err.c @@ -66,6 +66,7 @@ #ifndef OPENSSL_NO_ERR static ERR_STRING_DATA FIPS_str_functs[]= { +{ERR_PACK(0,FIPS_F_FIPS_CHECK_EXE,0), "FIPS_CHECK_EXE"}, {ERR_PACK(0,FIPS_F_FIPS_DSA_CHECK,0), "FIPS_dsa_check"}, {ERR_PACK(0,FIPS_F_FIPS_MODE_SET,0), "FIPS_mode_set"}, {ERR_PACK(0,FIPS_F_FIPS_SELFTEST_AES,0), "FIPS_selftest_aes"}, @@ -77,6 +78,9 @@ static ERR_STRING_DATA FIPS_str_functs[]= static ERR_STRING_DATA FIPS_str_reasons[]= { +{FIPS_R_CANNOT_READ_EXE ,"cannot read exe"}, +{FIPS_R_CANNOT_READ_EXE_DIGEST ,"cannot read exe digest"}, +{FIPS_R_EXE_DIGEST_DOES_NOT_MATCH ,"exe digest does not match"}, {FIPS_R_FIPS_MODE_ALREADY_SET ,"fips mode already set"}, {FIPS_R_NON_FIPS_METHOD ,"non fips method"}, {FIPS_R_SELFTEST_FAILED ,"selftest failed"}, diff --git a/fips/fips_make_sha1 b/fips/fips_make_sha1 index 8d5d72fcd5..1699a956d3 100755 --- a/fips/fips_make_sha1 +++ b/fips/fips_make_sha1 @@ -3,7 +3,7 @@ S=`pwd`/fips/sha1/fips_standalone_sha1 cd fips/sha1 -$S fips_standalone_sha1.c fips_sha1dgst.c fips_sha_locl.h fips_md32_common.h > standalone.sha1 +$S fips_sha1dgst.c fips_sha1_selftest.c fips_standalone_sha1.c fips_sha_locl.h fips_md32_common.h > standalone.sha1 cd .. $S fips.c fips_err_wrapper.c fips.h fips_err.c > fingerprint.sha1 diff --git a/fips/sha1/Makefile.ssl b/fips/sha1/Makefile.ssl index a4f3ce436b..ed6f6c8420 100644 --- a/fips/sha1/Makefile.ssl +++ b/fips/sha1/Makefile.ssl @@ -80,6 +80,7 @@ top_fips_sha1test: fips_sha1test: fips_sha1test.o ../../libcrypto.a $(CC) $(CFLAGS) -o fips_sha1test fips_sha1test.o ../../libcrypto.a + $(TOP)/fips/openssl_fips_fingerprint ../../libcrypto.a fips_sha1test fips_test: top_fips_sha1test -rm -rf ../testvectors/sha1/rsp diff --git a/fips/sha1/fips_sha1test.c b/fips/sha1/fips_sha1test.c index 1724edb4c2..ca62d71272 100644 --- a/fips/sha1/fips_sha1test.c +++ b/fips/sha1/fips_sha1test.c @@ -4,6 +4,8 @@ #include #include #include +#include +#include #define MAX_TEST_BITS 103432 @@ -60,6 +62,12 @@ int main(int argc,char **argv) exit(1); } + if(!FIPS_mode_set(1,argv[0])) + { + ERR_load_crypto_strings(); + ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE)); + exit(1); + } fp=fopen(argv[1],"r"); if(!fp) { -- 2.25.1