From fc0e014ca3631b700a7e144fb5d08141f3cf52a3 Mon Sep 17 00:00:00 2001 From: Andy Polyakov Date: Thu, 19 May 2005 22:29:55 +0000 Subject: [PATCH] fips_check_rsa update. --- fips/fips.h | 1 + fips/fips_test_suite.c | 24 +++--------------------- fips/fipshashes.c | 4 ++-- fips/rsa/fips_rsa_gen.c | 21 +++++++++++++++------ 4 files changed, 21 insertions(+), 29 deletions(-) diff --git a/fips/fips.h b/fips/fips.h index b1621b7de9..2ed828fd73 100644 --- a/fips/fips.h +++ b/fips/fips.h @@ -119,6 +119,7 @@ void ERR_load_FIPS_strings(void); #define FIPS_R_NON_FIPS_METHOD 100 #define FIPS_R_PAIRWISE_TEST_FAILED 107 #define FIPS_R_SELFTEST_FAILED 101 +#define FIPS_R_KEY_TOO_SHORT 108 #ifdef __cplusplus } diff --git a/fips/fips_test_suite.c b/fips/fips_test_suite.c index 2532e51f42..a127e79145 100644 --- a/fips/fips_test_suite.c +++ b/fips/fips_test_suite.c @@ -261,34 +261,16 @@ int main(int argc,char **argv) /* Non-Approved cryptographic operation */ - printf("0. Non-Approved cryptographic operation test...\n"); + printf("1. Non-Approved cryptographic operation test...\n"); printf("\ta. Excluded algorithm (MD5)..."); printf( md5_test() ? "successful\n" : Fail("FAILED!\n") ); printf("\tb. Included algorithm (D-H)..."); printf( dh_test() ? "successful\n" : Fail("FAILED!\n") ); - /* Power-up self test failure - */ - printf("1. Automatic power-up self test..."); - printf( FIPS_mode_set(1,"/dev/null") ? Fail("passed INCORRECTLY!\n") : "failed as expected\n" ); - - /* Algorithm call when uninitialized failure - */ - printf("\ta. AES API failure on failed power-up self test..."); - printf( FIPS_aes_test() ? Fail("passed INCORRECTLY!\n") :"failed as expected\n" ); - printf("\tb. RSA API failure on failed power-up self test..."); - printf( FIPS_rsa_test() ? Fail("passed INCORRECTLY!\n") : "failed as expected\n" ); - printf("\tc. DES API failure on failed power-up self test..."); - printf( FIPS_des_test() ? Fail("passed INCORRECTLY!\n") : "failed as expected\n" ); - printf("\td. DSA API failure on failed power-up self test..."); - printf( FIPS_dsa_test() ? Fail("passed INCORRECTLY!\n") : "failed as expected\n" ); - printf("\te. SHA1 API failure on failed power-up self test..."); - printf( FIPS_sha1_test() ? Fail("passed INCORRECTLY!\n") : "failed as expected\n" ); - - /* Power-up self test retry + /* Power-up self test */ ERR_clear_error(); - printf("2. Automatic power-up self test retry..."); + printf("2. Automatic power-up self test..."); if (!FIPS_mode_set(1,argv[0])) { ERR_load_crypto_strings(); diff --git a/fips/fipshashes.c b/fips/fipshashes.c index e2793115eb..4b087f7f4e 100644 --- a/fips/fipshashes.c +++ b/fips/fipshashes.c @@ -1,7 +1,7 @@ const char * const FIPS_source_hashes[] = { "HMAC-SHA1(fips.c)= 7cbbda3b9e8aec46ee31797179cb72faeef80712", "HMAC-SHA1(fips_err_wrapper.c)= d3e2be316062510312269e98f964cb87e7577898", -"HMAC-SHA1(fips.h)= 8f48edb7734408c1a82cbb97106f8d823f0b7c91", +"HMAC-SHA1(fips.h)= e85fdc2fe6ad2dbf0662691e87af4b6b240da62e", "HMAC-SHA1(fips_err.h)= 0b2bd6999ee5792fec3739689cde5f352789e63a", "HMAC-SHA1(aes/fips_aes_core.c)= b70bbbd675efe0613da0d57055310926a0104d55", "HMAC-SHA1(aes/asm/fips-ax86-elf.s)= f797b524a79196e7f59458a5b223432fcfd4a868", @@ -22,7 +22,7 @@ const char * const FIPS_source_hashes[] = { "HMAC-SHA1(rand/fips_rand.h)= bf009ea8963e79b1e414442ede9ae7010a03160b", "HMAC-SHA1(rand/fips_rand_selftest.c)= d9c8985e08feecefafe667ad0119d444b42f807c", "HMAC-SHA1(rsa/fips_rsa_eay.c)= 2596773a7af8f037427217b79f56858296961d66", -"HMAC-SHA1(rsa/fips_rsa_gen.c)= beedbc14a7b262d36a2b829494030f3032563bac", +"HMAC-SHA1(rsa/fips_rsa_gen.c)= af83b857d2be13d59e7f1516e6b1a25edd6369c3", "HMAC-SHA1(rsa/fips_rsa_selftest.c)= a9dc47bd1001f795d1565111d26433c300101e06", "HMAC-SHA1(sha1/fips_sha1dgst.c)= 26e529d630b5e754b4a29bd1bb697e991e7fdc04", "HMAC-SHA1(sha1/fips_standalone_sha1.c)= faae95bc36cc80f5be6a0cde02ebab0f63d4fd97", diff --git a/fips/rsa/fips_rsa_gen.c b/fips/rsa/fips_rsa_gen.c index 71b268a1bb..433ce79745 100644 --- a/fips/rsa/fips_rsa_gen.c +++ b/fips/rsa/fips_rsa_gen.c @@ -73,10 +73,13 @@ static int fips_check_rsa(RSA *rsa) int n, ret = 0; unsigned char tctext[256], *ctext = tctext; unsigned char tptext[256], *ptext = tptext; - /* The longest we can have with OAEP padding and a 512 bit key */ + /* The longest we can have with PKCS#1 v1.5 padding and a 512 bit key, + * namely 512/8-11-1 = 52 bytes */ static const unsigned char original_ptext[] = - "\x01\x23\x45\x67\x89\xab\xcd\xef\x12\x34\x56\x78\x9a\xbc\xde\xf0" - "\x23\x45\x67\x89\xab\xcd"; + "\x01\x23\x45\x67\x89\xab\xcd\xef\x01\x23\x45\x67\x89\xab\xcd\xef" + "\x01\x23\x45\x67\x89\xab\xcd\xef\x01\x23\x45\x67\x89\xab\xcd\xef" + "\x01\x23\x45\x67\x89\xab\xcd\xef\x01\x23\x45\x67\x89\xab\xcd\xef" + "\x01\x23\x45\x67"; if (RSA_size(rsa) > sizeof(tctext)) { @@ -91,8 +94,8 @@ static int fips_check_rsa(RSA *rsa) /* this will fail for keys shorter than 512 bits */ - n=RSA_public_encrypt(sizeof(original_ptext)-1,original_ptext,ctext,rsa, - RSA_PKCS1_OAEP_PADDING); + n=RSA_private_encrypt(sizeof(original_ptext)-1,original_ptext,ctext,rsa, + RSA_PKCS1_PADDING); if(n < 0) { ERR_print_errors_fp(OPENSSL_stderr()); @@ -103,7 +106,7 @@ static int fips_check_rsa(RSA *rsa) FIPSerr(FIPS_F_FIPS_CHECK_RSA,FIPS_R_PAIRWISE_TEST_FAILED); goto error; } - n=RSA_private_decrypt(n,ctext,ptext,rsa,RSA_PKCS1_OAEP_PADDING); + n=RSA_public_decrypt(n,ctext,ptext,rsa,RSA_PKCS1_PADDING); if(n < 0) { ERR_print_errors_fp(OPENSSL_stderr()); @@ -136,6 +139,12 @@ RSA *RSA_generate_key(FIPS_RSA_SIZE_T bits, unsigned long e_value, int bitsp,bitsq,ok= -1,n=0,i; BN_CTX *ctx=NULL,*ctx2=NULL; + if (bits < 512) + { + FIPSerr(FIPS_F_RSA_GENERATE_KEY,FIPS_R_KEY_TOO_SHORT); + return NULL; + } + if(FIPS_selftest_failed()) { FIPSerr(FIPS_F_RSA_GENERATE_KEY,FIPS_R_FIPS_SELFTEST_FAILED); -- 2.25.1