Dr. Stephen Henson
e2abfd58cc
Stop warning and fix memory leaks.
2011-04-12 13:02:56 +00:00
Dr. Stephen Henson
6223352683
Update ECDSA selftest to use hard coded private keys. Include tests for
...
prime and binary fields.
2011-04-12 11:49:35 +00:00
Dr. Stephen Henson
1a4d93bfb5
Update fips_premain.c fingerprint.
2011-04-12 11:48:00 +00:00
Dr. Stephen Henson
63c82f8abb
Update copyright year.
...
Zero ciphertext and plaintext temporary buffers.
Check FIPS_cipher() return value.
2011-04-11 21:32:51 +00:00
Dr. Stephen Henson
6909dccc32
Set length to 41 (40 hex characters + null).
2011-04-11 14:50:11 +00:00
Dr. Stephen Henson
ac319dd82b
Typo: fix duplicate call.
2011-04-10 23:32:19 +00:00
Dr. Stephen Henson
55e328f580
Add error for health check failure.
...
Rebuild all FIPS error codes to clean out old obsolete codes.
2011-04-09 17:46:31 +00:00
Dr. Stephen Henson
f3823ddfcf
Before initalising a live DRBG (i.e. not in test mode) run a complete health
...
check on a DRBG of the same type.
2011-04-09 17:27:07 +00:00
Dr. Stephen Henson
68ea88b8d1
New function to return security strength of PRNG.
2011-04-09 16:49:59 +00:00
Dr. Stephen Henson
6653c6f2e8
Update OpenSSL DRBG support code. Use date time vector as additional data.
...
Set FIPS RAND_METHOD at same time as OpenSSL RAND_METHOD.
2011-04-06 23:40:22 +00:00
Dr. Stephen Henson
42bd0a6b3c
Update fipssyms.h to keep all symbols in FIPS,fips namespace.
...
Rename drbg_cprng_test to fips_drbg_cprng_test.
Remove rand files from Makefile.fips.
2011-04-05 15:48:05 +00:00
Dr. Stephen Henson
05e24c87dd
Extensive reorganisation of PRNG handling in FIPS module: all calls
...
now use an internal RAND_METHOD. All dependencies to OpenSSL standard
PRNG are now removed: it is the applications resposibility to setup
the FIPS PRNG and initalise it.
Initial OpenSSL RAND_init_fips() function that will setup the DRBG
for the "FIPS capable OpenSSL".
2011-04-05 15:24:10 +00:00
Dr. Stephen Henson
cab0595c14
Rename deprecated FIPS_rand functions to FIPS_x931. These shouldn't be
...
used by applications directly and the X9.31 PRNG is deprecated by new
FIPS140-2 rules anyway.
2011-04-05 12:42:31 +00:00
Dr. Stephen Henson
f4bd65dae3
Set error code is additional data callback fails.
2011-04-04 17:03:35 +00:00
Dr. Stephen Henson
8776ef63c1
Change FIPS locking functions to macros so we get useful line information.
...
Set fips_thread_set properly.
2011-04-04 15:38:21 +00:00
Dr. Stephen Henson
ded1999702
Change RNG test to block oriented instead of request oriented, add option
...
to test a "stuck" DRBG.
2011-04-04 14:47:31 +00:00
Dr. Stephen Henson
7d48743b95
restore .cvsignore
2011-04-01 18:40:30 +00:00
Dr. Stephen Henson
b26f324824
delete lib file
2011-04-01 18:40:05 +00:00
Dr. Stephen Henson
02eb92abad
temporarily update .cvsignore
2011-04-01 18:38:51 +00:00
Dr. Stephen Henson
e5cadaf8db
Only zeroise sensitive parts of DRBG context, so the type and flags
...
are undisturbed.
Allow setting of "rand" callbacks for DRBG.
2011-04-01 17:49:45 +00:00
Dr. Stephen Henson
8cf88778ea
Allow FIPS malloc callback setting. Automatically set some callbacks
...
in OPENSSL_init().
2011-04-01 16:23:16 +00:00
Dr. Stephen Henson
011c865640
Initial switch to DRBG base PRNG in FIPS mode. Include bogus seeding for
...
test applications.
2011-04-01 14:46:07 +00:00
Dr. Stephen Henson
212a08080c
Unused, untested, provisional RAND interface for DRBG.
2011-03-31 18:06:07 +00:00
Dr. Stephen Henson
e06de4dd35
Remove redundant definitions. Give error code if DRBG sefltest fails.
2011-03-31 17:23:12 +00:00
Dr. Stephen Henson
52b6ee8245
Reorganise DRBG API so the entropy and nonce callbacks can return a
...
pointer to a buffer instead of copying to a fixed length buffer. This
removes the entropy and nonce length restrictions.
2011-03-31 17:15:54 +00:00
Dr. Stephen Henson
bb61a6c80d
fix warnings
2011-03-31 17:12:49 +00:00
Dr. Stephen Henson
5198009885
Add .cvsignore
2011-03-25 16:37:30 +00:00
Dr. Stephen Henson
cd22dfbf01
Have all algorithm test programs call fips_algtest_init() at startup:
...
this will perform all standalone operations such as setting error
callbacks, entering FIPS mode etc.
2011-03-25 16:36:46 +00:00
Dr. Stephen Henson
d4178c8fb1
Disable cmac tests by default so the old algorithm test vectors work.
2011-03-25 16:34:20 +00:00
Dr. Stephen Henson
dad7851485
Allow setting of get_entropy and get_nonce callbacks outside test mode.
...
Test mode is now set when a DRBG context is initialised.
2011-03-25 14:38:37 +00:00
Dr. Stephen Henson
9db6974f77
Add .cvsignore
2011-03-25 14:26:23 +00:00
Dr. Stephen Henson
8e5dbc23df
Remove unused function.
2011-03-25 14:24:23 +00:00
Dr. Stephen Henson
bd7e6bd44b
Fix compiler warnings.
2011-03-25 12:36:02 +00:00
Richard Levitte
e775bbc464
* fips/cmac/fips_cmac_selftest.c: Because the examples in SP_800-38B
...
aren't trustworthy (see examples 13 and 14, they have the same mac,
as do examples 17 and 18), use examples from official test vectors
instead.
2011-03-25 09:24:02 +00:00
Richard Levitte
d8ba2a42e9
* fips/fipsalgtest.pl: Test the testvectors for all the CMAC ciphers
...
we support.
2011-03-25 08:48:26 +00:00
Richard Levitte
af267e4315
* fips/cmac/fips_cmactest.c: Some say TDEA, others say TDES. Support
...
both names.
2011-03-25 08:44:37 +00:00
Richard Levitte
d15467d582
* fips/cmac/fips_cmactest.c: Changed to accept all the ciphers we
...
support (Two Key TDEA is not supported), to handle really big
messages (some of the test vectors have messages 65536 bytes long),
and to handle cases where there are several keys (Three Key TDEA)
2011-03-25 08:40:33 +00:00
Richard Levitte
c6dbe90895
make update
2011-03-24 22:59:02 +00:00
Richard Levitte
37942b93af
Implement FIPS CMAC.
...
* fips/fips_test_suite.c, fips/fipsalgtest.pl, test/Makefile: Hook in
test cases and build test program.
2011-03-24 22:57:52 +00:00
Richard Levitte
399aa6b5ff
Implement FIPS CMAC.
...
* fips/cmac/*: Implement the basis for FIPS CMAC, using FIPS HMAC as
an example.
* crypto/cmac/cmac.c: Enable the FIPS API. Change to use M_EVP macros
where possible.
* crypto/evp/evp.h: (some of the macros get added with this change)
* fips/fips.h, fips/utl/fips_enc.c: Add a few needed functions and use
macros to have cmac.c use these functions.
* Makefile.org, fips/Makefile, fips/fips.c: Hook it in.
2011-03-24 22:55:02 +00:00
Dr. Stephen Henson
beb895083c
Free DRBG context in self tests.
2011-03-21 14:40:57 +00:00
Dr. Stephen Henson
5904882eaa
Typo.
2011-03-18 18:17:55 +00:00
Dr. Stephen Henson
1e803100de
Implement continuous RNG test for SP800-90 DRBGs.
2011-03-17 18:53:33 +00:00
Dr. Stephen Henson
96ec46f7c0
Implement health checks needed by SP800-90.
...
Fix warnings.
Instantiate DRBGs at maximum strength.
2011-03-17 16:55:24 +00:00
Dr. Stephen Henson
fbbabb646c
Add extensive DRBG selftest data and option to corrupt it in fips_test_suite.
2011-03-16 15:52:12 +00:00
Dr. Stephen Henson
1b76fac5ae
Check requested security strength in DRBG. Add function to retrieve the
...
security strength.
2011-03-11 17:42:11 +00:00
Dr. Stephen Henson
1acc24a8ba
Make no-ec2m work again.
2011-03-10 01:00:30 +00:00
Dr. Stephen Henson
f52e552a93
Add a few more symbol renames.
2011-03-09 23:53:41 +00:00
Dr. Stephen Henson
8857b380e2
Add ECDH to validated module.
2011-03-09 23:44:06 +00:00
Dr. Stephen Henson
a6de7133bb
Enter FIPS mode in fips_dhvs. Support file I/O in fips_ecdsavs.
2011-03-09 14:55:10 +00:00
Dr. Stephen Henson
0fa714a4f0
Update fips_dhvs to handle functional test by generating keys.
2011-03-09 14:39:54 +00:00
Dr. Stephen Henson
0392f94fbc
Typo.
2011-03-08 21:29:07 +00:00
Dr. Stephen Henson
11e80de3ee
New initial DH algorithm test driver.
2011-03-08 19:10:17 +00:00
Dr. Stephen Henson
a1e7883edb
Add meaningful error codes to DRBG.
2011-03-08 14:16:30 +00:00
Dr. Stephen Henson
dd0d2df562
Add file I/O to fips_drbgvs program.
2011-03-08 13:51:34 +00:00
Dr. Stephen Henson
ce57f0d5c2
Support I/O with files in new fips_gcmtest program.
2011-03-08 13:42:21 +00:00
Dr. Stephen Henson
c34a652e1e
Remove redirection from fipsalgtest.pl script.
2011-03-08 13:29:46 +00:00
Dr. Stephen Henson
12b77cbec3
Remove need for redirection on RNG and DSS algorithm test programs: some
...
platforms don't support it.
2011-03-08 13:27:29 +00:00
Dr. Stephen Henson
e45c6c4e25
Uninstantiate and free functions for DRBG.
2011-03-07 16:51:17 +00:00
Dr. Stephen Henson
ff4a19a471
Fix couple of bugs in CTR DRBG implementation.
2011-03-06 13:10:37 +00:00
Dr. Stephen Henson
868f12988c
Updates to DRBG: fix bugs in infrastructure. Add initial experimental
...
algorithm test generator.
2011-03-06 12:35:09 +00:00
Dr. Stephen Henson
591cbfae3c
Initial, provisional, subject to wholesale change, untested, probably
...
not working, incomplete and unused SP800-90 DRBGs for CTR and Hash modes.
Did I say this was untested?
2011-03-04 18:00:21 +00:00
Dr. Stephen Henson
949c6f8ccf
Stop warnings.
2011-02-23 16:06:33 +00:00
Dr. Stephen Henson
30ff3278ae
Add DllMain to fips symbols: will need to call this in FIPS capable OpenSSL.
2011-02-23 15:16:12 +00:00
Dr. Stephen Henson
071eb6b592
Add new symbols to fipssyms.h
2011-02-23 15:04:06 +00:00
Dr. Stephen Henson
b7056b6414
Update dependencies.
2011-02-21 17:51:59 +00:00
Dr. Stephen Henson
37eae9909a
Remove unnecessary dependencies.
2011-02-21 17:35:53 +00:00
Dr. Stephen Henson
3deb010dc0
x509v3.h header file not needed in fips algorithm test utilities.
2011-02-21 16:36:47 +00:00
Dr. Stephen Henson
947ff113d2
add ECDSA POST
2011-02-18 17:25:00 +00:00
Dr. Stephen Henson
acf254f86e
AES GCM selftests.
2011-02-18 17:09:33 +00:00
Dr. Stephen Henson
d47691ecfe
Correct fipssyms.h for more assembly language symbols.
2011-02-17 17:45:09 +00:00
Dr. Stephen Henson
01ad8195aa
Remove debugging command.
...
Reorder fipssyms.h to include assembly language symbols at the end.
2011-02-17 15:33:32 +00:00
Dr. Stephen Henson
017bc57bf9
Experimental FIPS symbol renaming.
...
Fixups under fips/ to make symbol renaming work.
2011-02-16 14:49:50 +00:00
Dr. Stephen Henson
0fbf8f447b
Add pairwise consistency test to EC.
2011-02-15 16:58:28 +00:00
Dr. Stephen Henson
c81f8f59be
Use SHA-256 in fips_test_suite.
2011-02-15 16:58:06 +00:00
Dr. Stephen Henson
225a9e296b
Update pairwise consistency checks to use SHA-256.
2011-02-15 16:18:18 +00:00
Dr. Stephen Henson
25c6542944
Add non-FIPS algorithm blocking and selftest checking.
2011-02-15 16:03:47 +00:00
Dr. Stephen Henson
fe082202c0
Ignore final '\n' when checking if hex line length is odd.
2011-02-15 15:56:13 +00:00
Dr. Stephen Henson
fbc164ec2f
Add support for SigGen and KeyPair tests.
2011-02-15 14:16:57 +00:00
Dr. Stephen Henson
943a0ceed0
Update ECDSA test program to handle ECDSA2 format files.
...
Correctly handle hex strings with an odd number of digits.
2011-02-14 19:42:49 +00:00
Dr. Stephen Henson
5d2f1538a0
Add .cvsignore.
2011-02-14 17:28:28 +00:00
Dr. Stephen Henson
fe26d066ff
Add ECDSA functionality to fips module. Initial very incomplete version
...
of algorithm test program.
2011-02-14 17:14:55 +00:00
Dr. Stephen Henson
c876a4b7b1
Include support for an add_lock callback to tiny FIPS locking API.
2011-02-14 17:05:42 +00:00
Dr. Stephen Henson
e990b4f838
Remove dependency of dsa_sign.o and dsa_vrf.o: new functions FIPS_dsa_sig_new
...
and FIPS_dsa_sig_free, reimplment DSA_SIG_new and DSA_SIG_free from ASN1
library.
2011-02-13 18:45:41 +00:00
Dr. Stephen Henson
e47af46cd8
Change FIPS source and utilities to use the "FIPS_" names directly
...
instead of using regular OpenSSL API names.
2011-02-12 18:25:18 +00:00
Dr. Stephen Henson
30b56225cc
New "fispcanisteronly" build option: only build fipscanister.o and
...
associated utilities. This functionality will be used by the validated
tarball.
2011-02-11 19:02:34 +00:00
Dr. Stephen Henson
a4113c52b2
Disable FIPS restrictions when doing GCM testing.
2011-02-10 01:46:25 +00:00
Dr. Stephen Henson
b3d8022edd
Add GCM IV generator. Add some FIPS restrictions to GCM. Update fips_gcmtest.
2011-02-09 16:21:43 +00:00
Dr. Stephen Henson
f4bfe97fc9
Equally experimental encrypt side for fips_gcmtest. Currently this uses IVs
...
in the request file need to update it to generate IVs once we have an IV
generator in place.
2011-02-08 19:25:24 +00:00
Dr. Stephen Henson
9afe95099d
Set values to NULL after freeing them.
2011-02-08 18:25:57 +00:00
Dr. Stephen Henson
9dd346c90d
Experimental incomplete AES GCM algorithm test program.
2011-02-08 18:15:59 +00:00
Dr. Stephen Henson
f4001a0d19
Link GCM into FIPS module. Check return value in EVP gcm.
2011-02-08 15:10:42 +00:00
Dr. Stephen Henson
634b66186a
Typo.
2011-02-07 14:36:55 +00:00
Dr. Stephen Henson
7e95116064
Remove unneeded functions, make some functions and variables static.
2011-02-04 17:56:57 +00:00
Dr. Stephen Henson
14ae26f2e4
Transfer error redirection to fips.h, add OPENSSL_FIPSAPI to source files
...
that use it.
2011-02-03 17:00:24 +00:00
Dr. Stephen Henson
c2a459315a
Use single X931 key generation source file for FIPS and non-FIPS builds.
2011-02-03 12:47:56 +00:00
Bodo Möller
2440d8b1db
Fix error codes.
2011-02-03 10:03:23 +00:00
Dr. Stephen Henson
ee9884654b
Cope with new DSA2 file format where some p/q only tests are made.
2011-02-02 17:48:03 +00:00
Dr. Stephen Henson
a5b196a22c
Add sign/verify digest API to handle an explicit digest instead of finalising
...
a context.
2011-02-02 14:21:33 +00:00
Dr. Stephen Henson
b6104f9ad8
Remove DSA parameter generation from DSA selftest. It is unnecessary and
...
can be very slow on embedded platforms. Hard code DSA parameters instead.
2011-02-02 14:20:45 +00:00
Dr. Stephen Henson
96d5997f5b
Don't try to set pmd if it is NULL.
2011-02-01 19:15:12 +00:00
Dr. Stephen Henson
92eb4c551d
Add DSA2 support to final algorithm tests: keypair and keyver.
2011-02-01 18:53:48 +00:00
Dr. Stephen Henson
89f63d06f8
Support more DSA2 tests.
2011-02-01 17:54:23 +00:00
Dr. Stephen Henson
2ecc150530
Tolerate mixed case and leading zeroes when comparing.
2011-02-01 17:15:53 +00:00
Dr. Stephen Henson
7f64c26588
Since FIPS 186-3 specifies we use the leftmost bits of the digest
...
we shouldn't reject digest lengths larger than SHA256: the FIPS
algorithm tests include SHA384 and SHA512 tests.
2011-02-01 12:52:01 +00:00
Dr. Stephen Henson
3dd9b31dc4
Provisional, experimental support for DSA2 parameter generation algorithm.
...
Not properly integrated or tested yet.
2011-01-31 19:44:09 +00:00
Dr. Stephen Henson
7edfe67456
Move all FIPSAPI renames into fips.h header file, include early in
...
crypto.h if needed.
Modify source tree to handle change.
2011-01-27 19:10:56 +00:00
Dr. Stephen Henson
d8ad2e6112
add .cvsignore
2011-01-27 18:11:36 +00:00
Dr. Stephen Henson
1097bde192
add FIPS API malloc/free
2011-01-27 18:09:05 +00:00
Dr. Stephen Henson
7cc684f4f7
Redirect FIPS memory allocation to FIPS_malloc() routine, remove
...
OpenSSL malloc dependencies.
2011-01-27 17:23:43 +00:00
Dr. Stephen Henson
e36d6b8f79
add fips_dsatest.c file
2011-01-27 16:52:49 +00:00
Dr. Stephen Henson
aa87945f47
Update source files to handle new FIPS_lock() location. Add FIPS_lock()
...
definition. Remove stale function references from fips.h
2011-01-27 15:57:31 +00:00
Dr. Stephen Henson
7c8ced94c3
Change OPENSSL_FIPSEVP to OPENSSL_FIPSAPI as it doesn't just refer
...
to EVP any more.
Move locking #define into fips.h.
Set FIPS locking callbacks at same time as OpenSSL locking callbacks.
2011-01-27 15:22:26 +00:00
Dr. Stephen Henson
6ff9c48811
New FIPS_lock() function for minimal FIPS locking API: to avoid dependencies
...
on OpenSSL locking code. Use API in some internal FIPS files.
Remove redundant ENGINE defines from fips.h
2011-01-27 14:29:48 +00:00
Dr. Stephen Henson
c11845a4ab
add fips_premain.c.sha1
2011-01-26 01:15:54 +00:00
Dr. Stephen Henson
ec3657f81f
add fips_sha1_selftest.c
2011-01-26 01:11:12 +00:00
Dr. Stephen Henson
d69c6653ef
add fips/sha files
2011-01-26 01:09:52 +00:00
Dr. Stephen Henson
aaff7a0464
add fips/aes/Makefile
2011-01-26 01:05:48 +00:00
Dr. Stephen Henson
1d44454d6d
add fips/des/Makefile
2011-01-26 01:04:53 +00:00
Dr. Stephen Henson
5d3bfb9066
add fips/Makefile
2011-01-26 01:03:54 +00:00
Dr. Stephen Henson
aeb8996c38
add some missing fips files
2011-01-26 00:58:09 +00:00
Dr. Stephen Henson
2b4b28dc32
And so it begins... again.
...
Initial FIPS 140-2 code ported to HEAD. Doesn't even compile yet, may have
missing files, extraneous files and other nastiness.
In other words: it's experimental ATM, OK?
2011-01-26 00:56:19 +00:00