The version that was actually submitted for FIPS testing.

Makefile.org

@@ -186,7 +186,7 @@ SDIRS=  objects \
 	buffer bio stack lhash rand err \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5
 
-FDIRS=	sha1 rand des aes dsa rsa
+FDIRS=	sha1 rand des aes dsa rsa dh
 
 # tests to perform.  "alltests" is a special word indicating that all tests
 # should be performed.

crypto/dh/dh.h

@@ -199,7 +199,6 @@ void ERR_load_DH_strings(void);
 
 /* Reason codes. */
 #define DH_R_BAD_GENERATOR				 101
-#define DH_R_NOT_PERMITTED_IN_FIPS_MODE			 102
 #define DH_R_NO_PRIVATE_VALUE				 100
 
 #ifdef  __cplusplus

crypto/dh/dh_check.c

@@ -70,6 +70,8 @@
  * should hold.
  */
 
+#ifndef OPENSSL_FIPS
+
 int DH_check(const DH *dh, int *ret)
 	{
 	int ok=0;
@@ -118,3 +120,5 @@ err:
 	if (q != NULL) BN_free(q);
 	return(ok);
 	}
+
+#endif

crypto/dh/dh_err.c

@@ -78,7 +78,6 @@ static ERR_STRING_DATA DH_str_functs[]=
 static ERR_STRING_DATA DH_str_reasons[]=
 	{
 {DH_R_BAD_GENERATOR                      ,"bad generator"},
-{DH_R_NOT_PERMITTED_IN_FIPS_MODE         ,"not permitted in fips mode"},
 {DH_R_NO_PRIVATE_VALUE                   ,"no private value"},
 {0,NULL}
 	};

crypto/dh/dh_gen.c

@@ -60,7 +60,6 @@
 #include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/dh.h>
-#include <openssl/fips.h>
 
 /* We generate DH parameters as follows
  * find a prime q which is prime_len/2 bits long.
@@ -87,6 +86,9 @@
  * It's just as OK (and in some sense better) to use a generator of the
  * order-q subgroup.
  */
+
+#ifndef OPENSSL_FIPS
+
 DH *DH_generate_parameters(int prime_len, int generator,
 	     void (*callback)(int,int,void *), void *cb_arg)
 	{
@@ -95,14 +97,6 @@ DH *DH_generate_parameters(int prime_len, int generator,
 	int g,ok= -1;
 	BN_CTX *ctx=NULL;
 
-#ifdef OPENSSL_FIPS
-	if(FIPS_mode)
-		{
-		DHerr(DH_F_DH_GENERATE_PARAMETERS, DH_R_NOT_PERMITTED_IN_FIPS_MODE);
-		return NULL;
-		}
-#endif
-
 	ret=DH_new();
 	if (ret == NULL) goto err;
 	ctx=BN_CTX_new();
@@ -176,3 +170,5 @@ err:
 		}
 	return(ret);
 	}
+
+#endif

crypto/dh/dh_key.c

@@ -62,6 +62,8 @@
 #include <openssl/rand.h>
 #include <openssl/dh.h>
 
+#ifndef OPENSSL_FIPS
+
 static int generate_key(DH *dh);
 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
 static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
@@ -220,3 +222,5 @@ static int dh_finish(DH *dh)
 		BN_MONT_CTX_free((BN_MONT_CTX *)dh->method_mont_p);
 	return(1);
 	}
+
+#endif

fips/Makefile

@@ -25,7 +25,7 @@ CFLAGS= $(INCLUDE) $(CFLAG)
 
 LIBS=
 
-FDIRS=sha1 rand des aes dsa rsa
+FDIRS=sha1 rand des aes dsa rsa dh
 
 GENERAL=Makefile README fips-lib.com install.com
 
@@ -180,19 +180,18 @@ fips.o: ../include/openssl/des_old.h ../include/openssl/dh.h
 fips.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
 fips.o: ../include/openssl/err.h ../include/openssl/evp.h
 fips.o: ../include/openssl/fips.h ../include/openssl/fips_rand.h
-fips.o: ../include/openssl/hmac.h ../include/openssl/idea.h
-fips.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-fips.o: ../include/openssl/md4.h ../include/openssl/md5.h
-fips.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-fips.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-fips.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-fips.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-fips.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-fips.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-fips.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-fips.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-fips.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h fips.c
-fips.o: fips_locl.h
+fips.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+fips.o: ../include/openssl/md2.h ../include/openssl/md4.h
+fips.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+fips.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+fips.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+fips.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
+fips.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+fips.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+fips.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+fips.o: ../include/openssl/sha.h ../include/openssl/stack.h
+fips.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
+fips.o: ../include/openssl/ui_compat.h fips.c fips_locl.h
 fips_err_wrapper.o: ../include/openssl/bio.h ../include/openssl/crypto.h
 fips_err_wrapper.o: ../include/openssl/e_os2.h ../include/openssl/err.h
 fips_err_wrapper.o: ../include/openssl/fips.h ../include/openssl/lhash.h

fips/fingerprint.sha1

@@ -1,4 +1,4 @@
 HMAC-SHA1(fips.c)= 01d0a11be4f9c2cb2b2a57ab6ec473f61b206de6
 HMAC-SHA1(fips_err_wrapper.c)= d3e2be316062510312269e98f964cb87e7577898
-HMAC-SHA1(fips.h)= 4496c0e51c18d30bdc0ce440c384886870a61c40
-HMAC-SHA1(fips_err.h)= f4203a47100a815c21cf3a97092f91a595938f7c
+HMAC-SHA1(fips.h)= e793b0a7017d57a37b89743cf59b40a30385b63f
+HMAC-SHA1(fips_err.h)= 4a73f2a88e206f1f88edfd9b26609a0eed818491

fips/fips.h

@@ -105,6 +105,7 @@ void ERR_load_FIPS_strings(void);
 #define FIPS_F_FIPS_SELFTEST_RSA			 108
 #define FIPS_F_FIPS_SELFTEST_SHA1			 103
 #define FIPS_F_HASH_FINAL				 100
+#define FIPS_F_DH_GENERATE_PARAMETERS			 117
 #define FIPS_F_RSA_EAY_PUBLIC_ENCRYPT			 114
 #define FIPS_F_RSA_GENERATE_KEY				 113
 #define FIPS_F_SSLEAY_RAND_BYTES			 101

fips/fips_err.h

@@ -80,6 +80,7 @@ static ERR_STRING_DATA FIPS_str_functs[]=
 {ERR_PACK(0,FIPS_F_FIPS_SELFTEST_RSA,0),	"FIPS_selftest_rsa"},
 {ERR_PACK(0,FIPS_F_FIPS_SELFTEST_SHA1,0),	"FIPS_selftest_sha1"},
 {ERR_PACK(0,FIPS_F_HASH_FINAL,0),	"HASH_FINAL"},
+{ERR_PACK(0,FIPS_F_DH_GENERATE_PARAMETERS,0),	"DH_generate_parameters"},
 {ERR_PACK(0,FIPS_F_RSA_EAY_PUBLIC_ENCRYPT,0),	"RSA_EAY_PUBLIC_ENCRYPT"},
 {ERR_PACK(0,FIPS_F_RSA_GENERATE_KEY,0),	"RSA_generate_key"},
 {ERR_PACK(0,FIPS_F_SSLEAY_RAND_BYTES,0),	"SSLEAY_RAND_BYTES"},

fips/fips_make_sha1

@@ -25,3 +25,6 @@ $S fips_des_enc.c asm/fips-dx86-elf.s fips_des_selftest.c fips_set_key.c fips_de
 
 cd ../rsa
 $S fips_rsa_eay.c fips_rsa_gen.c fips_rsa_selftest.c > fingerprint.sha1
+
+cd ../dh
+$S fips_dh_check.c fips_dh_gen.c fips_dh_key.c > fingerprint.sha1

fips/fips_test_suite.c

@@ -174,9 +174,13 @@ static int dh_test()
 
     ERR_clear_error();
     dh = DH_generate_parameters(256, 2, NULL, NULL);
-    if (dh)
-        return 1;
-    return 0;
+    if (!dh)
+	{
+	ERR_load_crypto_strings();
+        ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+	return 0;
+	}
+    return 1;
     }
 
 static int Error;
@@ -226,9 +230,9 @@ int main(int argc,char **argv)
     /* Non-Approved cryptographic operation
     */
     printf("0. Non-Approved cryptographic operation test...\n");
-    printf("\ta. MD5...");
+    printf("\ta. Excluded algorithm (MD5)...");
     printf( md5_test() ? "successful\n" :  Fail("FAILED!\n") );
-    printf("\tb. D-H...");
+    printf("\tb. Included algorithm (D-H)...");
     printf( dh_test() ? "successful\n" :  Fail("FAILED!\n") );
 
     /* Power-up self test failure
@@ -290,12 +294,12 @@ int main(int argc,char **argv)
     /* Non-Approved cryptographic operation
     */
     printf("8. Non-Approved cryptographic operation test...\n");
-    printf("\ta. MD5...");
+    printf("\ta. Excluded algorithm (MD5)...");
     printf( md5_test() ? Fail("passed INCORRECTLY!\n")
 	    : "failed as expected\n" );
-    printf("\tb. D-H...");
-    printf( dh_test() ? Fail("passed INCORRECTLY!\n")
-	    : "failed as expected\n" );
+    printf("\tb. Included algorithm (D-H)...");
+    printf( dh_test() ? "successful as expected\n"
+	    : Fail("failed INCORRECTLY!\n") );
 
     printf("\nAll tests completed with %d errors\n", Error);
     return 0;

fips/openssl_fips_fingerprint

@@ -17,9 +17,8 @@ else
     LD_LIBRARY_PATH=.; export LD_LIBRARY_PATH
 fi
 
-elib=`echo $lib| sed 's/\//\\\\\//g'`
 echo "Checking library fingerprint for $lib"
-openssl sha1 -hmac etaonrishdlcupfm $lib | sed "s/$elib/libcrypto.a/" | diff ${lib%.a}.sha1 - || { echo "$libs fingerprint mismatch"; exit 1; }
+openssl sha1 -hmac etaonrishdlcupfm $lib | sed "s/(.*\//(/" | diff ${lib%.a}.sha1 - || { echo "$libs fingerprint mismatch"; exit 1; }
 
 echo "Making fingerprint for $exe"
 openssl sha1 -hmac etaonrishdlcupfm -binary $exe > $exe.sha1