From d58d546e2d64f85ba7ac409bcb7f7ef73048672a Mon Sep 17 00:00:00 2001 From: Andy Polyakov Date: Tue, 7 Jun 2005 12:39:27 +0000 Subject: [PATCH] Initial support for DSO FIPS fingerprinting. --- fips/Makefile | 12 ++--- fips/aes/Makefile | 13 ++---- fips/des/Makefile | 13 ++---- fips/dsa/Makefile | 19 +++----- fips/fips.c | 77 +++++++++++++++++++++++++++++++-- fips/fips.h | 2 + fips/fips_err.h | 2 + fips/fipshashes.c | 8 ++-- fips/hmac/Makefile | 11 +---- fips/openssl_fips_fingerprint | 5 ++- fips/rand/Makefile | 15 ++----- fips/rsa/Makefile | 34 +++++---------- fips/sha/Makefile | 13 ++---- fips/sha/fips_standalone_sha1.c | 17 +++++++- test/Makefile | 63 +++++++++++---------------- 15 files changed, 161 insertions(+), 143 deletions(-) diff --git a/fips/Makefile b/fips/Makefile index 2ac2cd5eb7..4fe4075d96 100644 --- a/fips/Makefile +++ b/fips/Makefile @@ -21,7 +21,7 @@ AR= ar r PEX_LIBS= EX_LIBS= -CFLAGS= $(INCLUDE) $(CFLAG) +CFLAGS= $(INCLUDE) $(CFLAG) -DHMAC_EXT=\"$${HMAC_EXT:-sha1}\" LIBS= @@ -101,11 +101,7 @@ libs: done; tests: - @for i in $(FDIRS) ;\ - do \ - (cd $$i && echo "making tests in fips/$$i..." && \ - $(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' AR='${AR}' tests ); \ - done; + (cd ..; make DIRS=test) top_fips_test_suite: (cd $(TOP); $(MAKE) DIRS=fips FDIRS=. TARGET=fips_test_suite sub_target) @@ -114,8 +110,8 @@ fips_test_suite: fips_test_suite.o $(TOP)/libcrypto.a $(CC) $(CFLAGS) -o fips_test_suite fips_test_suite.o $(PEX_LIBS) $(TOP)/libcrypto.a $(EX_LIBS) TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a fips_test_suite || { rm fips_test_suite; false; } -fips_test: top top_fips_test_suite - cd testvectors && perl -p -i -e 's/COUNT=/COUNT = /' des[23]/req/*.req +fips_test: top tests + -cd testvectors && perl -p -i -e 's/COUNT=/COUNT = /' des[23]/req/*.req @for i in dsa sha aes des hmac rand rsa; \ do \ (cd $$i && echo "making fips_test in fips/$$i..." && $(MAKE) fips_test) \ diff --git a/fips/aes/Makefile b/fips/aes/Makefile index b33e0ce19e..c81cd39f06 100644 --- a/fips/aes/Makefile +++ b/fips/aes/Makefile @@ -66,18 +66,11 @@ tags: tests: -top_fips_aesavs: - (cd $(TOP); $(MAKE) DIRS=fips FDIRS=$(DIR) TARGET=fips_aesavs sub_target) - -fips_aesavs: fips_aesavs.o $(TOP)/libcrypto.a - $(CC) $(CFLAGS) -o fips_aesavs fips_aesavs.o $(PEX_LIBS) $(TOP)/libcrypto.a $(EX_LIBS) - TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a fips_aesavs - -fips_test: top top_fips_aesavs - find ../testvectors/aes/req -name '*.req' > testlist +fips_test: + -find ../testvectors/aes/req -name '*.req' > testlist -rm -rf ../testvectors/aes/rsp mkdir ../testvectors/aes/rsp - ./fips_aesavs -d testlist + if [ -s testlist ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_aesavs -d testlist; fi lint: lint -DLINT $(INCLUDES) $(SRC)>fluff diff --git a/fips/des/Makefile b/fips/des/Makefile index 7526c0af5c..2e6b9d8f39 100644 --- a/fips/des/Makefile +++ b/fips/des/Makefile @@ -64,18 +64,11 @@ tags: tests: -top_fips_desmovs: - (cd $(TOP); $(MAKE) DIRS=fips FDIRS=$(DIR) TARGET=fips_desmovs sub_target) - -fips_desmovs: fips_desmovs.o $(TOP)/libcrypto.a - $(CC) $(CFLAGS) -o fips_desmovs fips_desmovs.o $(PEX_LIBS) $(TOP)/libcrypto.a $(EX_LIBS) - TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a fips_desmovs - -fips_test: top_fips_desmovs - find ../testvectors/tdes/req -name '*.req' > testlist +fips_test: + -find ../testvectors/tdes/req -name '*.req' > testlist -rm -rf ../testvectors/tdes/rsp mkdir ../testvectors/tdes/rsp - ./fips_desmovs -d testlist + if [ -s testlist ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_desmovs -d testlist; fi lint: lint -DLINT $(INCLUDES) $(SRC)>fluff diff --git a/fips/dsa/Makefile b/fips/dsa/Makefile index c053661180..a07bea4f5f 100644 --- a/fips/dsa/Makefile +++ b/fips/dsa/Makefile @@ -18,7 +18,7 @@ AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile -TEST=fips_dsatest.c +TEST=fips_dsatest.c fips_dssvs.c APPS= LIB=$(TOP)/libcrypto.a @@ -62,23 +62,16 @@ tags: tests: -top_fips_dssvs: - (cd $(TOP); $(MAKE) DIRS=fips FDIRS=$(DIR) TARGET=fips_dssvs sub_target) - -fips_dssvs: fips_dssvs.o $(TOP)/libcrypto.a - $(CC) $(CFLAGS) -o fips_dssvs fips_dssvs.o $(PEX_LIBS) $(TOP)/libcrypto.a $(EX_LIBS) - TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a fips_dssvs - Q=../testvectors/dsa/req A=../testvectors/dsa/rsp -fips_test: top_fips_dssvs +fips_test: -rm -rf $A mkdir $A - ./fips_dssvs pqg < $Q/PQGGen.req > $A/PQGGen.rsp - ./fips_dssvs keypair < $Q/KeyPair.req > $A/KeyPair.rsp - ./fips_dssvs siggen < $Q/SigGen.req > $A/SigGen.rsp - ./fips_dssvs sigver < $Q/SigVer.req > $A/SigVer.rsp + if [ -f $(Q)/PQGGen.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_dssvs pqg < $(Q)/PQGGen.req > $(A)/PQGGen.rsp; fi + if [ -f $(Q)/KeyPair.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_dssvs keypair < $(Q)/KeyPair.req > $(A)/KeyPair.rsp; fi + if [ -f $(Q)/SigGen.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_dssvs siggen < $(Q)/SigGen.req > $(A)/SigGen.rsp; fi + if [ -f $(Q)/SigVer.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_dssvs sigver < $Q/SigVer.req > $A/SigVer.rsp; fi lint: lint -DLINT $(INCLUDES) $(SRC)>fluff diff --git a/fips/fips.c b/fips/fips.c index 234445bb70..0bdaddf82c 100644 --- a/fips/fips.c +++ b/fips/fips.c @@ -145,6 +145,73 @@ int FIPS_selftest() && FIPS_selftest_dsa(); } +#ifndef HMAC_EXT +#define HMAC_EXT "sha1" +#endif + +static char key[]="etaonrishdlcupfm"; + +#ifdef OPENSSL_PIC +int DSO_pathbyaddr(void *addr,char *path,int sz); + +static int FIPS_check_dso() + { + unsigned char buf[1024]; + char path [512]; + unsigned char mdbuf[EVP_MAX_MD_SIZE]; + FILE *f; + HMAC_CTX hmac; + int len,n; + + len = DSO_pathbyaddr(NULL,path,sizeof(path)-sizeof(HMAC_EXT)); + if (len<=0) + { + FIPSerr(FIPS_F_FIPS_CHECK_DSO,FIPS_R_NO_DSO_PATH); + return 0; + } + + f=fopen(path,"rb"); + if(!f) + { + FIPSerr(FIPS_F_FIPS_CHECK_EXE,FIPS_R_CANNOT_READ_EXE); + return 0; + } + + HMAC_Init(&hmac,key,strlen(key),EVP_sha1()); + while(!feof(f)) + { + n=fread(buf,1,sizeof buf,f); + if(ferror(f)) + { + clearerr(f); + fclose(f); + FIPSerr(FIPS_F_FIPS_CHECK_EXE,FIPS_R_CANNOT_READ_EXE); + return 0; + } + if (n) HMAC_Update(&hmac,buf,n); + } + fclose(f); + HMAC_Final(&hmac,mdbuf,&n); + HMAC_CTX_cleanup(&hmac); + + path[len-1]='.'; + strcpy(path+len,HMAC_EXT); + f=fopen(path,"rb"); + if(!f || fread(buf,1,20,f) != 20) + { + if (f) fclose(f); + FIPSerr(FIPS_F_FIPS_CHECK_EXE,FIPS_R_CANNOT_READ_EXE_DIGEST); + return 0; + } + fclose(f); + if(memcmp(buf,mdbuf,20)) + { + FIPSerr(FIPS_F_FIPS_CHECK_EXE,FIPS_R_EXE_DIGEST_DOES_NOT_MATCH); + return 0; + } + return 1; + } +#else static int FIPS_check_exe(const char *path) { unsigned char buf[1024]; @@ -152,9 +219,8 @@ static int FIPS_check_exe(const char *path) unsigned int n; unsigned char mdbuf[EVP_MAX_MD_SIZE]; FILE *f; - static char key[]="etaonrishdlcupfm"; HMAC_CTX hmac; - const char *sha1_fmt="%s.sha1"; + const char *sha1_fmt="%s."HMAC_EXT; f=fopen(path,"rb"); #ifdef __CYGWIN32__ @@ -163,7 +229,7 @@ static int FIPS_check_exe(const char *path) just in case the behavior changes in the future... */ if (!f) { - sha1_fmt="%s.exe.sha1"; + sha1_fmt="%s.exe."HMAC_EXT; BIO_snprintf(p2,sizeof p2,"%s.exe",path); f=fopen(p2,"rb"); } @@ -205,6 +271,7 @@ static int FIPS_check_exe(const char *path) } return 1; } +#endif int FIPS_mode_set(int onoff,const char *path) { @@ -232,7 +299,11 @@ int FIPS_mode_set(int onoff,const char *path) goto end; } +#ifdef OPENSSL_PIC + if(!FIPS_check_dso()) +#else if(!FIPS_check_exe(path)) +#endif { fips_selftest_fail = 1; ret = 0; diff --git a/fips/fips.h b/fips/fips.h index 3dbdc661ce..98db0ed6dc 100644 --- a/fips/fips.h +++ b/fips/fips.h @@ -110,6 +110,7 @@ void ERR_load_FIPS_strings(void); #define FIPS_F_RSA_GENERATE_KEY 113 #define FIPS_F_RSA_X931_GENERATE_KEY 119 #define FIPS_F_SSLEAY_RAND_BYTES 101 +#define FIPS_F_FIPS_CHECK_DSO 120 /* Reason codes. */ #define FIPS_R_CANNOT_READ_EXE 103 @@ -122,6 +123,7 @@ void ERR_load_FIPS_strings(void); #define FIPS_R_NON_FIPS_METHOD 100 #define FIPS_R_PAIRWISE_TEST_FAILED 107 #define FIPS_R_SELFTEST_FAILED 101 +#define FIPS_R_NO_DSO_PATH 110 #ifdef __cplusplus } diff --git a/fips/fips_err.h b/fips/fips_err.h index 59144e4c24..c40cc5fbeb 100644 --- a/fips/fips_err.h +++ b/fips/fips_err.h @@ -90,6 +90,7 @@ static ERR_STRING_DATA FIPS_str_functs[]= {ERR_FUNC(FIPS_F_RSA_GENERATE_KEY), "RSA_generate_key"}, {ERR_FUNC(FIPS_F_RSA_X931_GENERATE_KEY), "RSA_X931_generate_key"}, {ERR_FUNC(FIPS_F_SSLEAY_RAND_BYTES), "SSLEAY_RAND_BYTES"}, +{ERR_FINC(FIPS_F_FIPS_CHECK_DSO), "FIPS_check_dso"}, {0,NULL} }; @@ -105,6 +106,7 @@ static ERR_STRING_DATA FIPS_str_reasons[]= {ERR_REASON(FIPS_R_NON_FIPS_METHOD) ,"non fips method"}, {ERR_REASON(FIPS_R_PAIRWISE_TEST_FAILED) ,"pairwise test failed"}, {ERR_REASON(FIPS_R_SELFTEST_FAILED) ,"selftest failed"}, +{ERR_REASON(FIPS_R_NO_DSO_PATH) ,"DSO can't be determined"}, {0,NULL} }; diff --git a/fips/fipshashes.c b/fips/fipshashes.c index dfcbc5a877..e0dcdca2e1 100644 --- a/fips/fipshashes.c +++ b/fips/fipshashes.c @@ -1,8 +1,8 @@ const char * const FIPS_source_hashes[] = { -"HMAC-SHA1(fips.c)= 9ff14b7f6f7db99c04de226a075a358e3578c4df", +"HMAC-SHA1(fips.c)= c5116c8f381d5981d840d240f66c8303b866f5f6", "HMAC-SHA1(fips_err_wrapper.c)= d3e2be316062510312269e98f964cb87e7577898", -"HMAC-SHA1(fips.h)= 9e8d77f438eabc36273e2046aa209e6e78515103", -"HMAC-SHA1(fips_err.h)= fec567f1abe0f8d53a208b7f24b992dda2db3e4d", +"HMAC-SHA1(fips.h)= 23151c26e0c735c09b0f229a16a31235150b4ca4", +"HMAC-SHA1(fips_err.h)= b9cd3383335a4db7663dd3b7a4851e2d60998597", "HMAC-SHA1(aes/fips_aes_core.c)= b70bbbd675efe0613da0d57055310926a0104d55", "HMAC-SHA1(aes/asm/fips-ax86-elf.s)= f797b524a79196e7f59458a5b223432fcfd4a868", "HMAC-SHA1(aes/fips_aes_selftest.c)= 98b01502221e7fe529fd981222f2cbb52eb4cbe0", @@ -26,7 +26,7 @@ const char * const FIPS_source_hashes[] = { "HMAC-SHA1(rsa/fips_rsa_selftest.c)= a9dc47bd1001f795d1565111d26433c300101e06", "HMAC-SHA1(rsa/fips_rsa_x931g.c)= 1827d381bb21c53a38a7194cb1c428a2b5f1e3ab", "HMAC-SHA1(sha/fips_sha1dgst.c)= 26e529d630b5e754b4a29bd1bb697e991e7fdc04", -"HMAC-SHA1(sha/fips_standalone_sha1.c)= faae95bc36cc80f5be6a0cde02ebab0f63d4fd97", +"HMAC-SHA1(sha/fips_standalone_sha1.c)= 46a66875e68398eabca2e933958a2d865149ca1b", "HMAC-SHA1(sha/fips_sha1_selftest.c)= a08f9c1e2c0f63b9aa96b927c0333a03b020749f", "HMAC-SHA1(sha/asm/fips-sx86-elf.s)= ae66fb23ab8e1a2287e87a0a2dd30a4b9039fe63", "HMAC-SHA1(sha/fips_sha_locl.h)= 30b6d6bdbdc9db0d66dc89010c1f4fe1c7b60574", diff --git a/fips/hmac/Makefile b/fips/hmac/Makefile index 6a64289a38..2e1d92b89c 100644 --- a/fips/hmac/Makefile +++ b/fips/hmac/Makefile @@ -62,20 +62,13 @@ tags: tests: -top_fips_hmactest: - (cd $(TOP); $(MAKE) DIRS=fips FDIRS=$(DIR) TARGET=fips_hmactest sub_target) - -fips_hmactest: fips_hmactest.o $(TOP)/libcrypto.a - $(CC) $(CFLAGS) -o fips_hmactest fips_hmactest.o $(PEX_LIBS) $(TOP)/libcrypto.a $(EX_LIBS) - TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a fips_hmactest - Q=../testvectors/hmac/req A=../testvectors/hmac/rsp -fips_test: top top_fips_hmactest +fips_test: -rm -rf $(A) mkdir $(A) - ./fips_hmactest < $(Q)/HMAC.req > $(A)/HMAC.rsp + if [ -f $(Q)/HMAC.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_hmactest < $(Q)/HMAC.req > $(A)/HMAC.rsp; fi lint: lint -DLINT $(INCLUDES) $(SRC)>fluff diff --git a/fips/openssl_fips_fingerprint b/fips/openssl_fips_fingerprint index d3dfb7eb61..eb8c9c253d 100755 --- a/fips/openssl_fips_fingerprint +++ b/fips/openssl_fips_fingerprint @@ -5,6 +5,7 @@ lib=$1 exe=$2 +ext=${HMAC_EXT:-sha1} # deal with the case where we're run from within the build and OpenSSL is # not yet installed. Also, make sure LD_LIBRARY_PATH is properly set in @@ -22,9 +23,9 @@ else fi echo "Checking library fingerprint for $lib" -openssl sha1 -hmac etaonrishdlcupfm $lib | sed "s/(.*\//(/" | diff -w $lib.sha1 - || { echo "$libs fingerprint mismatch"; exit 1; } +openssl sha1 -hmac etaonrishdlcupfm $lib | sed "s/(.*\//(/" | diff -w $lib.$ext - || { echo "$libs fingerprint mismatch"; exit 1; } [ -x $exe.exe ] && exe=$exe.exe echo "Making fingerprint for $exe" -openssl sha1 -hmac etaonrishdlcupfm -binary $exe > $exe.sha1 || rm $exe.sha1 +openssl sha1 -hmac etaonrishdlcupfm -binary $exe > $exe.$ext || rm $exe.$ext diff --git a/fips/rand/Makefile b/fips/rand/Makefile index ccdc1ec517..8ac67dbae2 100644 --- a/fips/rand/Makefile +++ b/fips/rand/Makefile @@ -18,7 +18,7 @@ AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile -TEST= fips_randtest.c +TEST= fips_randtest.c fips_rngvs.c APPS= LIB=$(TOP)/libcrypto.a @@ -62,21 +62,14 @@ tags: tests: -top_fips_rngvs: - (cd $(TOP); $(MAKE) DIRS=fips FDIRS=$(DIR) TARGET=fips_rngvs sub_target) - -fips_rngvs: fips_rngvs.o $(TOP)/libcrypto.a - $(CC) $(CFLAGS) -o fips_rngvs fips_rngvs.o $(PEX_LIBS) $(TOP)/libcrypto.a $(EX_LIBS) - TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a fips_rngvs - Q=../testvectors/rng/req A=../testvectors/rng/rsp -fips_test: top_fips_rngvs +fips_test: -rm -rf $(A) mkdir $(A) - ./fips_rngvs mct < $(Q)/ANSI931_TDES2MCT.req > $(A)/ANSI931_TDES2MCT.rsp - ./fips_rngvs vst < $(Q)/ANSI931_TDES2VST.req > $(A)/ANSI931_TDES2VST.rsp + if [ -f $(Q)/ANSI931_TDES2MCT.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rngvs mct < $(Q)/ANSI931_TDES2MCT.req > $(A)/ANSI931_TDES2MCT.rsp; fi + if [ -f $(Q)/ANSI931_TDES2VST.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rngvs vst < $(Q)/ANSI931_TDES2VST.req > $(A)/ANSI931_TDES2VST.rsp; fi lint: lint -DLINT $(INCLUDES) $(SRC)>fluff diff --git a/fips/rsa/Makefile b/fips/rsa/Makefile index 7ead499740..ab236df8de 100644 --- a/fips/rsa/Makefile +++ b/fips/rsa/Makefile @@ -62,35 +62,21 @@ tags: tests: -top_fips_rsastest: - (cd $(TOP); $(MAKE) DIRS=fips FDIRS=$(DIR) TARGET=fips_rsastest sub_target) - -top_fips_rsavtest: - (cd $(TOP); $(MAKE) DIRS=fips FDIRS=$(DIR) TARGET=fips_rsavtest sub_target) - -top_fips_rsagtest: - (cd $(TOP); $(MAKE) DIRS=fips FDIRS=$(DIR) TARGET=fips_rsagtest sub_target) - -fips_rsastest: fips_rsastest.o $(TOP)/libcrypto.a - $(CC) $(CFLAGS) -o fips_rsastest fips_rsastest.o $(PEX_LIBS) $(TOP)/libcrypto.a $(EX_LIBS) - TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a fips_rsastest - -fips_rsavtest: fips_rsavtest.o $(TOP)/libcrypto.a - $(CC) $(CFLAGS) -o fips_rsavtest fips_rsavtest.o $(PEX_LIBS) $(TOP)/libcrypto.a $(EX_LIBS) - TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a fips_rsavtest - -fips_rsagtest: fips_rsagtest.o $(TOP)/libcrypto.a - $(CC) $(CFLAGS) -o fips_rsagtest fips_rsagtest.o $(PEX_LIBS) $(TOP)/libcrypto.a $(EX_LIBS) - TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a fips_rsagtest - Q=../testvectors/rsa/req A=../testvectors/rsa/rsp -fips_test: top top_fips_rsastest top_fips_rsavtest top_fips_rsagtest +fips_test: -rm -rf $(A) mkdir $(A) - ./fips_rsastest < $(Q)/SigGen15.req > $(A)/SigGen15.rsp - ./fips_rsavtest < $(Q)/SigVer15.req > $(A)/SigVer15.rsp + if [ -f $(Q)/SigGen15.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rsastest < $(Q)/SigGen15.req > $(A)/SigGen15.rsp; fi + if [ -f $(Q)/SigVer15.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rsavtest < $(Q)/SigVer15.req > $(A)/SigVer15.rsp; fi + if [ -f $(Q)/SigGenPSS.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rsastest -saltlen 0 < $(Q)/SigGenPSS.req > $(A)/SigGenPSS.rsp; fi + if [ -f $(Q)/SigVerPSS.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rsavtest -saltlen 0 < $(Q)/SigVerPSS.req > $(A)/SigVerPSS.rsp; fi + if [ -f $(Q)/SigGenRSA.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rsastest -x931 < $(Q)/SigGenRSA.req > $(A)/SigGenRSA.rsp; fi + if [ -f $(Q)/SigVerRSA.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rsavtest -x931 < $(Q)/SigVerRSA.req > $(A)/SigVerRSA.rsp; fi + if [ -f $(Q62)/SigGenPSS.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rsastest -saltlen 62 < $(Q62)/SigGenPSS.req >$(A62)/SigGenPSS.rsp; fi + if [ -f $(Q62)/SigVerPSS.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rsavtest -saltlen 62 <$(Q62)/SigVerPSS.req >$(A62)/SigVerPSS.rsp; fi + if [ -f $(Q)/KeyGenRSA.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rsagtest < $(Q)/KeyGenRSA.req > $(A)/KeyGenRSA.rsp; fi lint: lint -DLINT $(INCLUDES) $(SRC)>fluff diff --git a/fips/sha/Makefile b/fips/sha/Makefile index 711b09eb05..ef00a1bb2a 100644 --- a/fips/sha/Makefile +++ b/fips/sha/Makefile @@ -72,13 +72,6 @@ tags: tests: -top_fips_shatest: - (cd $(TOP); $(MAKE) DIRS=fips FDIRS=$(DIR) TARGET=fips_shatest sub_target) - -fips_shatest: fips_shatest.o $(TOP)/libcrypto.a - $(CC) $(CFLAGS) -o fips_shatest fips_shatest.o $(PEX_LIBS) $(TOP)/libcrypto.a $(EX_LIBS) - TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a fips_shatest - Q=../testvectors/sha/req A=../testvectors/sha/rsp @@ -98,11 +91,13 @@ VECTORS = SHA1LongMsg \ SHA512Monte \ SHA512ShortMsg -fips_test: top_fips_shatest +fips_test: -rm -rf $(A) mkdir $(A) for file in $(VECTORS); do \ - ./fips_shatest $(Q)/$$file.req $(A)/$$file.rsp; \ + if [ -f $(Q)/$$file.req ]; then \ + $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_shatest $(Q)/$$file.req $(A)/$$file.rsp; \ + fi; \ done lint: diff --git a/fips/sha/fips_standalone_sha1.c b/fips/sha/fips_standalone_sha1.c index 2ea3a41ce5..8c10c2cd83 100644 --- a/fips/sha/fips_standalone_sha1.c +++ b/fips/sha/fips_standalone_sha1.c @@ -104,7 +104,7 @@ int main(int argc,char **argv) { #ifdef OPENSSL_FIPS static char key[]="etaonrishdlcupfm"; - int n; + int n,binary=0; if(argc < 2) { @@ -112,7 +112,14 @@ int main(int argc,char **argv) exit(1); } - for(n=1 ; n < argc ; ++n) + n=1; + if (!strcmp(argv[n],"-binary")) + { + n++; + binary=1; /* emit binary fingerprint... */ + } + + for(; n < argc ; ++n) { FILE *f=fopen(argv[n],"rb"); SHA_CTX md_ctx,o_ctx; @@ -145,6 +152,12 @@ int main(int argc,char **argv) } hmac_final(md,&md_ctx,&o_ctx); + if (binary) + { + fwrite(md,20,1,stdout); + break; /* ... for single(!) file */ + } + printf("HMAC-SHA1(%s)= ",argv[n]); for(i=0 ; i < 20 ; ++i) printf("%02x",md[i]); diff --git a/test/Makefile b/test/Makefile index 3405d7e5c9..3a20a5b57d 100644 --- a/test/Makefile +++ b/test/Makefile @@ -68,6 +68,8 @@ FIPS_HMACTEST= fips_hmactest FIPS_RSAVTEST= fips_rsavtest FIPS_RSASTEST= fips_rsastest FIPS_RSAGTEST= fips_rsagtest +FIPS_DSSVS= fips_dssvs +FIPS_RNGVS= fips_rngvs TESTS= alltests @@ -78,7 +80,8 @@ EXE= $(BNTEST)$(EXE_EXT) $(ECTEST)$(EXE_EXT) $(IDEATEST)$(EXE_EXT) $(MD2TEST)$(E $(BFTEST)$(EXE_EXT) $(CASTTEST)$(EXE_EXT) $(SSLTEST)$(EXE_EXT) $(EXPTEST)$(EXE_EXT) $(DSATEST)$(EXE_EXT) $(FIPS_DSATEST)$(EXE_EXT) $(RSATEST)$(EXE_EXT) \ $(EVPTEST)$(EXE_EXT) $(FIPS_AESTEST)$(EXE_EXT) \ $(FIPS_HMACTEST)$(EXE_EXT) $(FIPS_RSAVTEST)$(EXE_EXT) \ - $(FIPS_RSASTEST)$(EXE_EXT) $(FIPS_RSAGTEST)$(EXE_EXT) + $(FIPS_RSASTEST)$(EXE_EXT) $(FIPS_RSAGTEST)$(EXE_EXT) \ + $(FIPS_DSSVS)$(EXE_EXT) $(FIPS_RNGVS)$(EXE_EXT) # $(METHTEST)$(EXE_EXT) @@ -89,7 +92,7 @@ OBJ= $(BNTEST).o $(ECTEST).o $(IDEATEST).o $(MD2TEST).o $(MD4TEST).o $(MD5TEST). $(RANDTEST).o $(FIPS_RANDTEST).o $(DHTEST).o $(ENGINETEST).o $(CASTTEST).o \ $(BFTEST).o $(SSLTEST).o $(DSATEST).o $(FIPS_DSATEST).o $(EXPTEST).o $(RSATEST).o \ $(EVPTEST).o $(FIPS_AESTEST).o $(FIPS_HMACTEST).o $(FIPS_RSAVTEST).o \ - $(FIPS_RSASTEST).o $(FIPS_RSAGTEST).o + $(FIPS_RSASTEST).o $(FIPS_RSAGTEST).o $(FIPS_DSSVS).o $(FIPS_RNGVS).o SRC= $(BNTEST).c $(ECTEST).c $(IDEATEST).c $(MD2TEST).c $(MD4TEST).c $(MD5TEST).c \ $(HMACTEST).c \ $(RC2TEST).c $(RC4TEST).c $(RC5TEST).c \ @@ -97,7 +100,7 @@ SRC= $(BNTEST).c $(ECTEST).c $(IDEATEST).c $(MD2TEST).c $(MD4TEST).c $(MD5TEST) $(RANDTEST).c $(FIPS_RANDTEST).c $(DHTEST).c $(ENGINETEST).c $(CASTTEST).c \ $(BFTEST).c $(SSLTEST).c $(DSATEST).c $(FIPS_DSATEST).c $(EXPTEST).c $(RSATEST).c \ $(EVPTEST).c $(FIPS_AESTEST).c $(FIPS_HMACTEST).c $(FIPS_RSAVTEST).c \ - $(FIPS_RSASTEST).c $(FIPS_RSAGTEST).c + $(FIPS_RSASTEST).c $(FIPS_RSAGTEST).c $(FIPS_DSSVS).c $(FIPS_RNGVS).c EXHEADER= HEADER= $(EXHEADER) @@ -328,35 +331,31 @@ BUILD_CMD=if [ "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $$target$(EXE_EXT) $(CFLAGS) $$target.o $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \ fi; -$(FIPS_AESTEST)$(EXE_EXT): $(FIPS_AESTEST).o $(DLIBCRYPTO) - @target=$(FIPS_AESTEST); $(BUILD_CMD) +FIPS_BUILD_CMD=$(BUILD_CMD) \ if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \ - TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(FIPS_AESTEST); \ + TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $$target; \ fi +$(FIPS_AESTEST)$(EXE_EXT): $(FIPS_AESTEST).o $(DLIBCRYPTO) + @target=$(FIPS_AESTEST); $(FIPS_BUILD_CMD) + $(FIPS_HMACTEST)$(EXE_EXT): $(FIPS_HMACTEST).o $(DLIBCRYPTO) - @target=$(FIPS_HMACTEST); $(BUILD_CMD) - if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \ - TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(FIPS_HMACTEST); \ - fi + @target=$(FIPS_HMACTEST); $(FIPS_BUILD_CMD) $(FIPS_RSAVTEST)$(EXE_EXT): $(FIPS_RSAVTEST).o $(DLIBCRYPTO) - @target=$(FIPS_RSAVTEST); $(BUILD_CMD) - if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \ - TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(FIPS_RSAVTEST); \ - fi + @target=$(FIPS_RSAVTEST); $(FIPS_BUILD_CMD) $(FIPS_RSASTEST)$(EXE_EXT): $(FIPS_RSASTEST).o $(DLIBCRYPTO) - @target=$(FIPS_RSASTEST); $(BUILD_CMD) - if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \ - TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(FIPS_RSASTEST); \ - fi + @target=$(FIPS_RSASTEST); $(FIPS_BUILD_CMD) $(FIPS_RSAGTEST)$(EXE_EXT): $(FIPS_RSAGTEST).o $(DLIBCRYPTO) - @target=$(FIPS_RSAGTEST); $(BUILD_CMD) - if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \ - TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(FIPS_RSAGTEST); \ - fi + @target=$(FIPS_RSAGTEST); $(FIPS_BUILD_CMD) + +$(FIPS_DSSVS)$(EXE_EXT): $(FIPS_DSSVS).o $(DLIBCRYPTO) + @target=$(FIPS_DSSVS); $(FIPS_BUILD_CMD) + +$(FIPS_RNGVS)$(EXE_EXT): $(FIPS_RNGVS).o $(DLIBCRYPTO) + @target=$(FIPS_RNGVS); $(FIPS_BUILD_CMD) $(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO) @target=$(RSATEST); $(BUILD_CMD) @@ -383,10 +382,7 @@ $(SHA1TEST)$(EXE_EXT): $(SHA1TEST).o $(DLIBCRYPTO) @target=$(SHA1TEST); $(BUILD_CMD) $(FIPS_SHATEST)$(EXE_EXT): $(FIPS_SHATEST).o $(DLIBCRYPTO) - @target=$(FIPS_SHATEST); $(BUILD_CMD) - if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \ - TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(FIPS_SHATEST); \ - fi + @target=$(FIPS_SHATEST); $(FIPS_BUILD_CMD) $(RMDTEST)$(EXE_EXT): $(RMDTEST).o $(DLIBCRYPTO) @target=$(RMDTEST); $(BUILD_CMD) @@ -422,19 +418,13 @@ $(DESTEST)$(EXE_EXT): $(DESTEST).o $(DLIBCRYPTO) @target=$(DESTEST); $(BUILD_CMD) $(FIPS_DESTEST)$(EXE_EXT): $(FIPS_DESTEST).o $(DLIBCRYPTO) - @target=$(FIPS_DESTEST); $(BUILD_CMD) - if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \ - TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(FIPS_DESTEST); \ - fi + @target=$(FIPS_DESTEST); $(FIPS_BUILD_CMD) $(RANDTEST)$(EXE_EXT): $(RANDTEST).o $(DLIBCRYPTO) @target=$(RANDTEST); $(BUILD_CMD) $(FIPS_RANDTEST)$(EXE_EXT): $(FIPS_RANDTEST).o $(DLIBCRYPTO) - @target=$(FIPS_RANDTEST); $(BUILD_CMD) - if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \ - TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(FIPS_RANDTEST); \ - fi + @target=$(FIPS_RANDTEST); $(FIPS_BUILD_CMD) $(DHTEST)$(EXE_EXT): $(DHTEST).o $(DLIBCRYPTO) @target=$(DHTEST); $(BUILD_CMD) @@ -443,10 +433,7 @@ $(DSATEST)$(EXE_EXT): $(DSATEST).o $(DLIBCRYPTO) @target=$(DSATEST); $(BUILD_CMD) $(FIPS_DSATEST)$(EXE_EXT): $(FIPS_DSATEST).o $(DLIBCRYPTO) - @target=$(FIPS_DSATEST); $(BUILD_CMD) - if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \ - TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(FIPS_DSATEST); \ - fi + @target=$(FIPS_DSATEST); $(FIPS_BUILD_CMD) $(METHTEST)$(EXE_EXT): $(METHTEST).o $(DLIBCRYPTO) @target=$(METHTEST); $(BUILD_CMD) -- 2.25.1