From b5e4469150f5df037695d0d57ef9af6ff85b4fdd Mon Sep 17 00:00:00 2001 From: Ben Laurie Date: Sat, 19 Jun 2004 13:15:35 +0000 Subject: [PATCH] The version that was actually submitted for FIPS testing. --- Makefile.org | 2 +- crypto/dh/dh.h | 1 - crypto/dh/dh_check.c | 4 ++++ crypto/dh/dh_err.c | 1 - crypto/dh/dh_gen.c | 14 +++++--------- crypto/dh/dh_key.c | 4 ++++ fips/Makefile | 27 +++++++++++++-------------- fips/fingerprint.sha1 | 4 ++-- fips/fips.h | 1 + fips/fips_err.h | 1 + fips/fips_make_sha1 | 3 +++ fips/fips_test_suite.c | 22 +++++++++++++--------- fips/openssl_fips_fingerprint | 3 +-- 13 files changed, 48 insertions(+), 39 deletions(-) diff --git a/Makefile.org b/Makefile.org index 1527ca45e2..b8ea8096af 100644 --- a/Makefile.org +++ b/Makefile.org @@ -186,7 +186,7 @@ SDIRS= objects \ buffer bio stack lhash rand err \ evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 -FDIRS= sha1 rand des aes dsa rsa +FDIRS= sha1 rand des aes dsa rsa dh # tests to perform. "alltests" is a special word indicating that all tests # should be performed. diff --git a/crypto/dh/dh.h b/crypto/dh/dh.h index 1f734dae24..05851f8429 100644 --- a/crypto/dh/dh.h +++ b/crypto/dh/dh.h @@ -199,7 +199,6 @@ void ERR_load_DH_strings(void); /* Reason codes. */ #define DH_R_BAD_GENERATOR 101 -#define DH_R_NOT_PERMITTED_IN_FIPS_MODE 102 #define DH_R_NO_PRIVATE_VALUE 100 #ifdef __cplusplus diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c index f0373f7d68..a7e9920efb 100644 --- a/crypto/dh/dh_check.c +++ b/crypto/dh/dh_check.c @@ -70,6 +70,8 @@ * should hold. */ +#ifndef OPENSSL_FIPS + int DH_check(const DH *dh, int *ret) { int ok=0; @@ -118,3 +120,5 @@ err: if (q != NULL) BN_free(q); return(ok); } + +#endif diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c index 17cf42d952..c2715044c9 100644 --- a/crypto/dh/dh_err.c +++ b/crypto/dh/dh_err.c @@ -78,7 +78,6 @@ static ERR_STRING_DATA DH_str_functs[]= static ERR_STRING_DATA DH_str_reasons[]= { {DH_R_BAD_GENERATOR ,"bad generator"}, -{DH_R_NOT_PERMITTED_IN_FIPS_MODE ,"not permitted in fips mode"}, {DH_R_NO_PRIVATE_VALUE ,"no private value"}, {0,NULL} }; diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c index 38675f2688..a49b6f9adb 100644 --- a/crypto/dh/dh_gen.c +++ b/crypto/dh/dh_gen.c @@ -60,7 +60,6 @@ #include "cryptlib.h" #include #include -#include /* We generate DH parameters as follows * find a prime q which is prime_len/2 bits long. @@ -87,6 +86,9 @@ * It's just as OK (and in some sense better) to use a generator of the * order-q subgroup. */ + +#ifndef OPENSSL_FIPS + DH *DH_generate_parameters(int prime_len, int generator, void (*callback)(int,int,void *), void *cb_arg) { @@ -95,14 +97,6 @@ DH *DH_generate_parameters(int prime_len, int generator, int g,ok= -1; BN_CTX *ctx=NULL; -#ifdef OPENSSL_FIPS - if(FIPS_mode) - { - DHerr(DH_F_DH_GENERATE_PARAMETERS, DH_R_NOT_PERMITTED_IN_FIPS_MODE); - return NULL; - } -#endif - ret=DH_new(); if (ret == NULL) goto err; ctx=BN_CTX_new(); @@ -176,3 +170,5 @@ err: } return(ret); } + +#endif diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c index 77f2f50b51..ff125c2296 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c @@ -62,6 +62,8 @@ #include #include +#ifndef OPENSSL_FIPS + static int generate_key(DH *dh); static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, @@ -220,3 +222,5 @@ static int dh_finish(DH *dh) BN_MONT_CTX_free((BN_MONT_CTX *)dh->method_mont_p); return(1); } + +#endif diff --git a/fips/Makefile b/fips/Makefile index 351e1443e2..ed6817404d 100644 --- a/fips/Makefile +++ b/fips/Makefile @@ -25,7 +25,7 @@ CFLAGS= $(INCLUDE) $(CFLAG) LIBS= -FDIRS=sha1 rand des aes dsa rsa +FDIRS=sha1 rand des aes dsa rsa dh GENERAL=Makefile README fips-lib.com install.com @@ -180,19 +180,18 @@ fips.o: ../include/openssl/des_old.h ../include/openssl/dh.h fips.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h fips.o: ../include/openssl/err.h ../include/openssl/evp.h fips.o: ../include/openssl/fips.h ../include/openssl/fips_rand.h -fips.o: ../include/openssl/hmac.h ../include/openssl/idea.h -fips.o: ../include/openssl/lhash.h ../include/openssl/md2.h -fips.o: ../include/openssl/md4.h ../include/openssl/md5.h -fips.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h -fips.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -fips.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -fips.o: ../include/openssl/rand.h ../include/openssl/rc2.h -fips.o: ../include/openssl/rc4.h ../include/openssl/rc5.h -fips.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h -fips.o: ../include/openssl/safestack.h ../include/openssl/sha.h -fips.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -fips.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h fips.c -fips.o: fips_locl.h +fips.o: ../include/openssl/hmac.h ../include/openssl/lhash.h +fips.o: ../include/openssl/md2.h ../include/openssl/md4.h +fips.o: ../include/openssl/md5.h ../include/openssl/mdc2.h +fips.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +fips.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +fips.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h +fips.o: ../include/openssl/rc2.h ../include/openssl/rc4.h +fips.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h +fips.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +fips.o: ../include/openssl/sha.h ../include/openssl/stack.h +fips.o: ../include/openssl/symhacks.h ../include/openssl/ui.h +fips.o: ../include/openssl/ui_compat.h fips.c fips_locl.h fips_err_wrapper.o: ../include/openssl/bio.h ../include/openssl/crypto.h fips_err_wrapper.o: ../include/openssl/e_os2.h ../include/openssl/err.h fips_err_wrapper.o: ../include/openssl/fips.h ../include/openssl/lhash.h diff --git a/fips/fingerprint.sha1 b/fips/fingerprint.sha1 index 7e6d85afea..4579b741db 100644 --- a/fips/fingerprint.sha1 +++ b/fips/fingerprint.sha1 @@ -1,4 +1,4 @@ HMAC-SHA1(fips.c)= 01d0a11be4f9c2cb2b2a57ab6ec473f61b206de6 HMAC-SHA1(fips_err_wrapper.c)= d3e2be316062510312269e98f964cb87e7577898 -HMAC-SHA1(fips.h)= 4496c0e51c18d30bdc0ce440c384886870a61c40 -HMAC-SHA1(fips_err.h)= f4203a47100a815c21cf3a97092f91a595938f7c +HMAC-SHA1(fips.h)= e793b0a7017d57a37b89743cf59b40a30385b63f +HMAC-SHA1(fips_err.h)= 4a73f2a88e206f1f88edfd9b26609a0eed818491 diff --git a/fips/fips.h b/fips/fips.h index e169ebf43e..9ce48dce7b 100644 --- a/fips/fips.h +++ b/fips/fips.h @@ -105,6 +105,7 @@ void ERR_load_FIPS_strings(void); #define FIPS_F_FIPS_SELFTEST_RSA 108 #define FIPS_F_FIPS_SELFTEST_SHA1 103 #define FIPS_F_HASH_FINAL 100 +#define FIPS_F_DH_GENERATE_PARAMETERS 117 #define FIPS_F_RSA_EAY_PUBLIC_ENCRYPT 114 #define FIPS_F_RSA_GENERATE_KEY 113 #define FIPS_F_SSLEAY_RAND_BYTES 101 diff --git a/fips/fips_err.h b/fips/fips_err.h index e8dafa4900..d643c9f55f 100644 --- a/fips/fips_err.h +++ b/fips/fips_err.h @@ -80,6 +80,7 @@ static ERR_STRING_DATA FIPS_str_functs[]= {ERR_PACK(0,FIPS_F_FIPS_SELFTEST_RSA,0), "FIPS_selftest_rsa"}, {ERR_PACK(0,FIPS_F_FIPS_SELFTEST_SHA1,0), "FIPS_selftest_sha1"}, {ERR_PACK(0,FIPS_F_HASH_FINAL,0), "HASH_FINAL"}, +{ERR_PACK(0,FIPS_F_DH_GENERATE_PARAMETERS,0), "DH_generate_parameters"}, {ERR_PACK(0,FIPS_F_RSA_EAY_PUBLIC_ENCRYPT,0), "RSA_EAY_PUBLIC_ENCRYPT"}, {ERR_PACK(0,FIPS_F_RSA_GENERATE_KEY,0), "RSA_generate_key"}, {ERR_PACK(0,FIPS_F_SSLEAY_RAND_BYTES,0), "SSLEAY_RAND_BYTES"}, diff --git a/fips/fips_make_sha1 b/fips/fips_make_sha1 index 3139d9f528..a326ea3a07 100755 --- a/fips/fips_make_sha1 +++ b/fips/fips_make_sha1 @@ -25,3 +25,6 @@ $S fips_des_enc.c asm/fips-dx86-elf.s fips_des_selftest.c fips_set_key.c fips_de cd ../rsa $S fips_rsa_eay.c fips_rsa_gen.c fips_rsa_selftest.c > fingerprint.sha1 + +cd ../dh +$S fips_dh_check.c fips_dh_gen.c fips_dh_key.c > fingerprint.sha1 diff --git a/fips/fips_test_suite.c b/fips/fips_test_suite.c index bafa11afc5..cb4386ae45 100644 --- a/fips/fips_test_suite.c +++ b/fips/fips_test_suite.c @@ -174,9 +174,13 @@ static int dh_test() ERR_clear_error(); dh = DH_generate_parameters(256, 2, NULL, NULL); - if (dh) - return 1; - return 0; + if (!dh) + { + ERR_load_crypto_strings(); + ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE)); + return 0; + } + return 1; } static int Error; @@ -226,9 +230,9 @@ int main(int argc,char **argv) /* Non-Approved cryptographic operation */ printf("0. Non-Approved cryptographic operation test...\n"); - printf("\ta. MD5..."); + printf("\ta. Excluded algorithm (MD5)..."); printf( md5_test() ? "successful\n" : Fail("FAILED!\n") ); - printf("\tb. D-H..."); + printf("\tb. Included algorithm (D-H)..."); printf( dh_test() ? "successful\n" : Fail("FAILED!\n") ); /* Power-up self test failure @@ -290,12 +294,12 @@ int main(int argc,char **argv) /* Non-Approved cryptographic operation */ printf("8. Non-Approved cryptographic operation test...\n"); - printf("\ta. MD5..."); + printf("\ta. Excluded algorithm (MD5)..."); printf( md5_test() ? Fail("passed INCORRECTLY!\n") : "failed as expected\n" ); - printf("\tb. D-H..."); - printf( dh_test() ? Fail("passed INCORRECTLY!\n") - : "failed as expected\n" ); + printf("\tb. Included algorithm (D-H)..."); + printf( dh_test() ? "successful as expected\n" + : Fail("failed INCORRECTLY!\n") ); printf("\nAll tests completed with %d errors\n", Error); return 0; diff --git a/fips/openssl_fips_fingerprint b/fips/openssl_fips_fingerprint index e20b38d43c..932f3cdc42 100755 --- a/fips/openssl_fips_fingerprint +++ b/fips/openssl_fips_fingerprint @@ -17,9 +17,8 @@ else LD_LIBRARY_PATH=.; export LD_LIBRARY_PATH fi -elib=`echo $lib| sed 's/\//\\\\\//g'` echo "Checking library fingerprint for $lib" -openssl sha1 -hmac etaonrishdlcupfm $lib | sed "s/$elib/libcrypto.a/" | diff ${lib%.a}.sha1 - || { echo "$libs fingerprint mismatch"; exit 1; } +openssl sha1 -hmac etaonrishdlcupfm $lib | sed "s/(.*\//(/" | diff ${lib%.a}.sha1 - || { echo "$libs fingerprint mismatch"; exit 1; } echo "Making fingerprint for $exe" openssl sha1 -hmac etaonrishdlcupfm -binary $exe > $exe.sha1