Commit graph

45 commits

Author SHA1 Message Date
Dr. Stephen Henson
f76b1baf86 Fix error discrepancy. 2011-05-12 14:28:09 +00:00
Dr. Stephen Henson
c2fd598994 Rename FIPS_mode_set and FIPS_mode. Theses symbols will be defined in
the FIPS capable OpenSSL.
2011-05-11 14:43:38 +00:00
Dr. Stephen Henson
ad4784953d Return error codes for selftest failure instead of hard assertion errors. 2011-05-06 17:38:39 +00:00
Dr. Stephen Henson
cac4fb58e0 Add PRNG security strength checking. 2011-04-23 19:55:55 +00:00
Dr. Stephen Henson
74fac927b0 Return errors instead of aborting when selftest fails. 2011-04-22 11:12:56 +00:00
Dr. Stephen Henson
b8b6a13a56 Add continuous RNG test to entropy source. Entropy callbacks now need
to specify a "block length".
2011-04-21 14:17:15 +00:00
Dr. Stephen Henson
14264b19de Add periodic DRBG health checks as required by SP800-90. 2011-04-20 17:06:38 +00:00
Dr. Stephen Henson
cb1b3aa151 Add AES CCM selftest. 2011-04-19 18:57:58 +00:00
Dr. Stephen Henson
bf8131f79f Add XTS selftest, include in fips_test_suite. 2011-04-15 11:30:19 +00:00
Dr. Stephen Henson
706735aea3 Add new POST support to X9.31 PRNG. 2011-04-14 18:29:49 +00:00
Dr. Stephen Henson
8038511c27 Update CMAC, HMAC, GCM to use new POST system.
Fix crash if callback not set.
2011-04-14 13:10:00 +00:00
Dr. Stephen Henson
a6311f856b Remove several of the old obsolete FIPS_corrupt_*() functions. 2011-04-14 11:30:51 +00:00
Dr. Stephen Henson
ac892b7aa6 Initial incomplete POST overhaul: add support for POST callback to
allow status of POST to be monitored and/or failures induced.
2011-04-14 11:15:10 +00:00
Dr. Stephen Henson
4bd1e895fa Update fips_pkey_signature_test: use fixed string if supplies tbs is
NULL. Always allocate signature buffer.

Update ECDSA selftest to use fips_pkey_signature_test. Add copyright notice
to file.
2011-04-12 17:41:53 +00:00
Dr. Stephen Henson
49cb5e0b40 Fix memory leaks: uninstantiate DRBG during health checks. Cleanup md_ctx
when performing ECDSA selftest.
2011-04-12 14:28:06 +00:00
Dr. Stephen Henson
55e328f580 Add error for health check failure.
Rebuild all FIPS error codes to clean out old obsolete codes.
2011-04-09 17:46:31 +00:00
Dr. Stephen Henson
6653c6f2e8 Update OpenSSL DRBG support code. Use date time vector as additional data.
Set FIPS RAND_METHOD at same time as OpenSSL RAND_METHOD.
2011-04-06 23:40:22 +00:00
Dr. Stephen Henson
05e24c87dd Extensive reorganisation of PRNG handling in FIPS module: all calls
now use an internal RAND_METHOD. All dependencies to OpenSSL standard
PRNG are now removed: it is the applications resposibility to setup
the FIPS PRNG and initalise it.

Initial OpenSSL RAND_init_fips() function that will setup the DRBG
for the "FIPS capable OpenSSL".
2011-04-05 15:24:10 +00:00
Dr. Stephen Henson
cab0595c14 Rename deprecated FIPS_rand functions to FIPS_x931. These shouldn't be
used by applications directly and the X9.31 PRNG is deprecated by new
FIPS140-2 rules anyway.
2011-04-05 12:42:31 +00:00
Dr. Stephen Henson
f4bd65dae3 Set error code is additional data callback fails. 2011-04-04 17:03:35 +00:00
Dr. Stephen Henson
ded1999702 Change RNG test to block oriented instead of request oriented, add option
to test a "stuck" DRBG.
2011-04-04 14:47:31 +00:00
Dr. Stephen Henson
8cf88778ea Allow FIPS malloc callback setting. Automatically set some callbacks
in OPENSSL_init().
2011-04-01 16:23:16 +00:00
Dr. Stephen Henson
e06de4dd35 Remove redundant definitions. Give error code if DRBG sefltest fails. 2011-03-31 17:23:12 +00:00
Richard Levitte
399aa6b5ff Implement FIPS CMAC.
* fips/cmac/*: Implement the basis for FIPS CMAC, using FIPS HMAC as
  an example.
* crypto/cmac/cmac.c: Enable the FIPS API.  Change to use M_EVP macros
  where possible.
* crypto/evp/evp.h: (some of the macros get added with this change)
* fips/fips.h, fips/utl/fips_enc.c: Add a few needed functions and use
  macros to have cmac.c use these functions.
* Makefile.org, fips/Makefile, fips/fips.c: Hook it in.
2011-03-24 22:55:02 +00:00
Dr. Stephen Henson
1e803100de Implement continuous RNG test for SP800-90 DRBGs. 2011-03-17 18:53:33 +00:00
Dr. Stephen Henson
96ec46f7c0 Implement health checks needed by SP800-90.
Fix warnings.

Instantiate DRBGs at maximum strength.
2011-03-17 16:55:24 +00:00
Dr. Stephen Henson
fbbabb646c Add extensive DRBG selftest data and option to corrupt it in fips_test_suite. 2011-03-16 15:52:12 +00:00
Dr. Stephen Henson
1b76fac5ae Check requested security strength in DRBG. Add function to retrieve the
security strength.
2011-03-11 17:42:11 +00:00
Dr. Stephen Henson
8857b380e2 Add ECDH to validated module. 2011-03-09 23:44:06 +00:00
Dr. Stephen Henson
a1e7883edb Add meaningful error codes to DRBG. 2011-03-08 14:16:30 +00:00
Dr. Stephen Henson
947ff113d2 add ECDSA POST 2011-02-18 17:25:00 +00:00
Dr. Stephen Henson
acf254f86e AES GCM selftests. 2011-02-18 17:09:33 +00:00
Dr. Stephen Henson
0fbf8f447b Add pairwise consistency test to EC. 2011-02-15 16:58:28 +00:00
Dr. Stephen Henson
25c6542944 Add non-FIPS algorithm blocking and selftest checking. 2011-02-15 16:03:47 +00:00
Dr. Stephen Henson
fe26d066ff Add ECDSA functionality to fips module. Initial very incomplete version
of algorithm test program.
2011-02-14 17:14:55 +00:00
Dr. Stephen Henson
c876a4b7b1 Include support for an add_lock callback to tiny FIPS locking API. 2011-02-14 17:05:42 +00:00
Dr. Stephen Henson
e990b4f838 Remove dependency of dsa_sign.o and dsa_vrf.o: new functions FIPS_dsa_sig_new
and FIPS_dsa_sig_free, reimplment DSA_SIG_new and DSA_SIG_free from ASN1
library.
2011-02-13 18:45:41 +00:00
Dr. Stephen Henson
14ae26f2e4 Transfer error redirection to fips.h, add OPENSSL_FIPSAPI to source files
that use it.
2011-02-03 17:00:24 +00:00
Dr. Stephen Henson
3dd9b31dc4 Provisional, experimental support for DSA2 parameter generation algorithm.
Not properly integrated or tested yet.
2011-01-31 19:44:09 +00:00
Dr. Stephen Henson
7edfe67456 Move all FIPSAPI renames into fips.h header file, include early in
crypto.h if needed.

Modify source tree to handle change.
2011-01-27 19:10:56 +00:00
Dr. Stephen Henson
7cc684f4f7 Redirect FIPS memory allocation to FIPS_malloc() routine, remove
OpenSSL malloc dependencies.
2011-01-27 17:23:43 +00:00
Dr. Stephen Henson
aa87945f47 Update source files to handle new FIPS_lock() location. Add FIPS_lock()
definition. Remove stale function references from fips.h
2011-01-27 15:57:31 +00:00
Dr. Stephen Henson
7c8ced94c3 Change OPENSSL_FIPSEVP to OPENSSL_FIPSAPI as it doesn't just refer
to EVP any more.

Move locking #define into fips.h.

Set FIPS locking callbacks at same time as OpenSSL locking callbacks.
2011-01-27 15:22:26 +00:00
Dr. Stephen Henson
6ff9c48811 New FIPS_lock() function for minimal FIPS locking API: to avoid dependencies
on OpenSSL locking code. Use API in some internal FIPS files.

Remove redundant ENGINE defines from fips.h
2011-01-27 14:29:48 +00:00
Dr. Stephen Henson
2b4b28dc32 And so it begins... again.
Initial FIPS 140-2 code ported to HEAD. Doesn't even compile yet, may have
missing files, extraneous files and other nastiness.

In other words: it's experimental ATM, OK?
2011-01-26 00:56:19 +00:00