Andy Polyakov
03e389cf04
Allow for dynamic base in Win64 FIPS module.
2011-09-14 20:48:49 +00:00
Dr. Stephen Henson
93256bf5d1
Update CMAC/HMAC selftests to use NIDs instead of function pointers.
Simplify HMAC selftest as each test currently uses the same key and
hash data.
2011-09-14 15:49:50 +00:00
Dr. Stephen Henson
15094852de
new function to lookup FIPS supported ciphers by NID
2011-09-14 13:25:48 +00:00
Dr. Stephen Henson
a11f06b2dc
More extensive DRBG health check. New function to call health check
for all DRBG combinations.
2011-09-12 18:47:39 +00:00
Dr. Stephen Henson
361d18a208
Check length of additional input in DRBG generate function.
2011-09-12 18:45:05 +00:00
Dr. Stephen Henson
de2132de93
Delete strength parameter from FIPS_drbg_generate. It isn't very useful
(strength can be queried using FIPS_drbg_get_strength ) and adds a
substantial extra overhead to health check (need to check every combination
of parameters).
2011-09-12 13:20:57 +00:00
Dr. Stephen Henson
9e56c99e1a
Check we recognise DRBG type in fips_drbgvs.c initialised DRBG_CTX if we
don't set type in FIPS_drbg_new().
2011-09-12 12:56:20 +00:00
Dr. Stephen Henson
288fe07a6e
Fix 3DES Monte Carlo test file output which previously outputted
extra bogus lines. Update fipsalgtest.pl to tolerate the old format.
2011-09-11 18:05:40 +00:00
Dr. Stephen Henson
7fdcb45745
Add support for Dual EC DRBG from SP800-90. Include updates to algorithm
tests and POST code.
2011-09-09 17:16:43 +00:00
Dr. Stephen Henson
d98360392a
Put quick DRBG selftest return after first generate operation.
2011-09-07 10:26:38 +00:00
Dr. Stephen Henson
bbb19418e6
Add error codes for DRBG KAT failures.
Add abbreviated DRBG KAT for POST which only performs a single generate
operation instead of four.
2011-09-06 20:46:27 +00:00
Dr. Stephen Henson
ea17b0feec
Check reseed interval before generating output.
2011-09-05 15:45:13 +00:00
Dr. Stephen Henson
7634137b8a
Place DRBG in error state if health check fails.
2011-09-05 15:32:32 +00:00
Dr. Stephen Henson
74c40744ca
Don't perform full DRBG health check on all DRBG types on power up, just
one shorter KAT per mechanism.
2011-09-04 22:48:06 +00:00
Dr. Stephen Henson
1567b3904c
Update dependencies.
2011-09-04 18:44:28 +00:00
Dr. Stephen Henson
06e771b580
Add header to Makefile.
2011-09-04 18:36:20 +00:00
Dr. Stephen Henson
eb9e63df61
Extension of DRBG selftests using new data.
Test PR and no PR and test initial generate before the reseed too.
Move selftest data to separate fips_drbg_selftest.h header file.
2011-09-04 18:35:33 +00:00
Dr. Stephen Henson
fa85c1dbf5
Rename some more symbols for fips module.
2011-09-02 15:10:54 +00:00
Dr. Stephen Henson
d35c284b73
Print private key component if -exout parameter is given.
2011-08-29 16:09:07 +00:00
Dr. Stephen Henson
00220f8111
Fix ecdh primitives test command line.
2011-08-29 15:35:35 +00:00
Dr. Stephen Henson
2abaa9caaf
Add support for DSA2 PQG generation of g parameter.
2011-08-27 12:30:47 +00:00
Dr. Stephen Henson
f55f5f775e
Add support for canonical generation of DSA parameter g.
Modify fips_dssvs to support appropriate file format.
2011-08-26 14:51:49 +00:00
Dr. Stephen Henson
e6133727fb
Rename sparc symbols.
2011-08-23 21:06:44 +00:00
Dr. Stephen Henson
46883b67de
Correct maximum request length. SP800-90 quotes maximum bits, not bytes.
2011-08-19 23:25:10 +00:00
Dr. Stephen Henson
c20de0386a
Fix fipsalgtest.pl to still work with old test vectors.
2011-08-18 16:06:24 +00:00
Dr. Stephen Henson
9015ee1826
Enable rsa-pss0 for non-v2 tests.
2011-08-15 14:50:00 +00:00
Dr. Stephen Henson
7f06921eca
Remove redundant assignment.
2011-08-11 13:22:04 +00:00
Dr. Stephen Henson
20f12e63ff
Add HMAC DRBG from SP800-90
2011-08-08 22:07:38 +00:00
Dr. Stephen Henson
b38fd40db4
Use "resp" for default directory name for .rsp files.
2011-08-08 18:06:40 +00:00
Dr. Stephen Henson
8d7fbd021b
Fix DSA to skip EOL test when parsing mod line.
2011-08-08 14:47:51 +00:00
Dr. Stephen Henson
49e9b97885
Initial support for tests for 2.0 module. Not complete and not all working
yet.
Allow test type to be determined by a regexp on the pathname. So tests like:
DSA/SigVer, DSA2/SigVer, ECDSA/SigVer, ECDSA2/SigVer can all be
distinguished.
2011-08-08 14:47:04 +00:00
Dr. Stephen Henson
a678580bb8
Fix warnings.
2011-07-25 21:58:11 +00:00
Dr. Stephen Henson
66b86a4fd5
More symbol renaming.
2011-07-22 14:29:27 +00:00
Andy Polyakov
167cb62537
fips_canister.c: add support for embedded ppc linux.
2011-07-22 09:42:11 +00:00
Dr. Stephen Henson
1ad2e14aaa
Rename another symbol.
2011-07-21 13:43:19 +00:00
Dr. Stephen Henson
81c2920849
Add support for ECCCDH test format.
2011-07-18 00:45:05 +00:00
Andy Polyakov
b79853c262
fips/Makefile: HP-UX-specific update.
2011-07-13 22:30:33 +00:00
Richard Levitte
b520e4b1d5
Add a tool that (semi)automatically created the API documentation
required for FIPS.
2011-07-05 15:40:58 +00:00
Dr. Stephen Henson
449f2517c6
Rename symbol.
2011-07-05 11:12:41 +00:00
Dr. Stephen Henson
01a9a7592e
Add functions to return FIPS module version.
2011-07-04 23:38:16 +00:00
Dr. Stephen Henson
fc30530402
Fix CPRNG test for Hash DRBG.
2011-06-26 12:29:26 +00:00
Dr. Stephen Henson
a96b90b66b
typo
2011-06-24 15:30:21 +00:00
Dr. Stephen Henson
d1a70cc9eb
Add stub for HMAC DRBG.
2011-06-24 14:28:34 +00:00
Dr. Stephen Henson
ce02589259
Now the FIPS capable OpenSSL is available, simplify the various FIPS test
build options.
All fipscanisterbuild builds only build fipscanister.o and include symbol
renaming.
Move all renamed symbols to fipssyms.h
Update README.FIPS
2011-06-22 12:30:18 +00:00
Dr. Stephen Henson
93dd7d3848
add symbol rename
2011-06-22 11:41:31 +00:00
Dr. Stephen Henson
279a0001b6
Add prototype for null cipher.
2011-06-21 16:14:01 +00:00
Dr. Stephen Henson
ee033faa43
typo
2011-06-20 19:58:12 +00:00
Dr. Stephen Henson
9ebc37e667
add null cipher to FIPS module
2011-06-20 19:48:44 +00:00
Dr. Stephen Henson
fdb65c836c
Don't include des.h any more: it is not needed.
2011-06-16 14:12:42 +00:00
Dr. Stephen Henson
1d55dd86dd
Allow applications to specify alternative FIPS RAND methods if they
are sure they are OK.
API to retrieve FIPS rand method.
2011-06-13 20:28:45 +00:00
Dr. Stephen Henson
b08e372bf6
Use FIPSCAPABLE for FIPS module functions used in FIPS capable OpenSSL.
2011-06-12 15:37:51 +00:00
Dr. Stephen Henson
0435dc1902
HMAC fips prototypes
2011-06-12 15:02:53 +00:00
Dr. Stephen Henson
e6e7b4e825
CMAC FIPS prototypes.
2011-06-12 14:11:57 +00:00
Dr. Stephen Henson
603bc9395c
more prototypes in fips.h
2011-06-09 15:18:55 +00:00
Dr. Stephen Henson
da9234130a
Add more prototypes.
2011-06-09 13:50:53 +00:00
Dr. Stephen Henson
4960411e1f
Add flags for DH FIPS method.
Update/fix prototypes in fips.h
2011-06-08 15:53:08 +00:00
Dr. Stephen Henson
7f0d1be3a6
Add prototypes for some FIPS EC functions.
2011-06-06 15:24:02 +00:00
Dr. Stephen Henson
644ce07ecd
Move function prototype to fips.h
2011-06-06 11:56:58 +00:00
Richard Levitte
8d515259e2
No spaces in assignments in a shell script...
2011-06-04 09:00:59 +00:00
Dr. Stephen Henson
549c4ad35b
Add "OPENSSL_FIPSCAPABLE" define for a version of OpenSSL which is
FIPS capable: i.e. FIPS module is supplied externally.
2011-06-03 16:26:58 +00:00
Dr. Stephen Henson
267229b141
Constify RSA signature buffer.
2011-06-03 12:38:18 +00:00
Dr. Stephen Henson
0cabe4e172
Move FIPS RSA function definitions to fips.h
New function to lookup digests by NID in module.
Minor optimisation: if supplied hash is NULL to FIPS RSA functions and
we are using PKCS padding get digest NID from otherwise unused saltlen
parameter instead.
2011-06-02 17:30:22 +00:00
Dr. Stephen Henson
e7ee10d3dc
Clone digest prototypes.
2011-06-01 14:18:28 +00:00
Dr. Stephen Henson
bce1af7762
Add DSA and ECDSA "clone digests" to module for compatibility with old
applications.
2011-06-01 14:07:32 +00:00
Dr. Stephen Henson
06843f826f
Fake CPU caps so fips_standalone_sha1 compiles.
Initialise update function for bad digest inits.
2011-05-31 16:22:21 +00:00
Dr. Stephen Henson
3e2e231852
Add more cipher prototypes.
2011-05-29 16:16:55 +00:00
Dr. Stephen Henson
87829ac926
Prototypes for more FIPS functions for use in FIPS capable OpenSSL.
2011-05-29 15:56:23 +00:00
Dr. Stephen Henson
c33066900c
Add FIPS_digestinit prototype for FIPS capable OpenSSL.
2011-05-28 23:02:23 +00:00
Dr. Stephen Henson
f87ff24bc4
Add prototypes for FIPS EVP implementations: for use in FIPS capable
OpenSSL.
2011-05-28 21:03:31 +00:00
Dr. Stephen Henson
9a205e5981
Rename many internal only module functions from FIPS_* to fips_*.
2011-05-27 21:11:54 +00:00
Dr. Stephen Henson
eb62cd807b
Typo.
2011-05-26 22:01:49 +00:00
Dr. Stephen Henson
64f5178d67
Use FIPSLD_LIBCRYPTO for consistency with other env variables in fipsld.
Use current directory for fips_premain_dso
2011-05-26 21:20:14 +00:00
Dr. Stephen Henson
e558c2aa3f
In fipsld use FIPSLIBCRYPTO environment variable to specify an alternative
location for libcrypto.a, support shared library builds in different
source tree.
2011-05-26 21:15:45 +00:00
Dr. Stephen Henson
ed0a35f222
Install fips_standalone_sha1 and make use of it in fipsld script.
2011-05-26 13:59:11 +00:00
Dr. Stephen Henson
ecfe2d1753
More symbol renaming.
2011-05-25 16:01:37 +00:00
Dr. Stephen Henson
73ab341130
PR: 2522
Submitted by: Henrik Grindal Bakken <henribak@cisco.com>
Don't compare past end of buffer.
2011-05-23 12:27:43 +00:00
Dr. Stephen Henson
f76b1baf86
Fix error discrepancy.
2011-05-12 14:28:09 +00:00
Andy Polyakov
f24e95b72c
fips_canister.c: pick more neutral macro name.
2011-05-11 20:17:06 +00:00
Dr. Stephen Henson
2f38b38986
Set FIPS mode for values other than 1. The only current effect
is to return a consistent value. So calling FIPS_module_mode_set(n)
for n != 0 will result in FIPS_module_mode() returning n. This
will support future expansion of more FIPS modes e.g. a Suite B mode.
2011-05-11 14:49:01 +00:00
Dr. Stephen Henson
c2fd598994
Rename FIPS_mode_set and FIPS_mode. These symbols will be defined in
the FIPS capable OpenSSL.
2011-05-11 14:43:38 +00:00
Dr. Stephen Henson
7919c07947
Typo.
2011-05-10 10:57:03 +00:00
Andy Polyakov
ab67c517ae
fips_canister.c: fix typo.
2011-05-10 10:03:23 +00:00
Andy Polyakov
31b46ebb62
fips_canister.c: initial support for cross-compiling. "Initial" refers
to the two-entry list of verified platforms in #ifndef
FIPS_REF_POINT_IS_SAFE_TO_CROSS_COMPILE pre-processor section.
2011-05-10 09:53:59 +00:00
Dr. Stephen Henson
dc7995eeb8
Initialise rc.
2011-05-09 21:21:29 +00:00
Dr. Stephen Henson
ad4784953d
Return error codes for selftest failure instead of hard assertion errors.
2011-05-06 17:38:39 +00:00
Dr. Stephen Henson
c184711124
Hide more symbols.
2011-05-05 23:10:32 +00:00
Dr. Stephen Henson
6313d628da
Remove superfluous PRNG self tests.
Print timer resolution.
2011-05-04 23:17:29 +00:00
Dr. Stephen Henson
d16765919d
Fix warning.
2011-05-04 14:34:36 +00:00
Dr. Stephen Henson
a95bbadb57
Include fipssyms.h for ARM builds to translate symbols.
Translate arm symbol to fips_*.
2011-05-04 14:16:03 +00:00
Dr. Stephen Henson
e350458a63
Remove useless setting.
2011-05-04 01:09:52 +00:00
Dr. Stephen Henson
9243a86d75
Use faster curves for ECDSA self test.
2011-05-02 12:13:04 +00:00
Dr. Stephen Henson
fc98a4377d
Use more portable clock_gettime() for fips_test_suite timing.
Output times of each subtest.
2011-05-02 11:09:38 +00:00
Dr. Stephen Henson
fd600c0037
Stop warning in VxWorks.
2011-05-01 20:55:05 +00:00
Dr. Stephen Henson
a32ad6891b
Quick hack to time POST.
2011-05-01 20:54:42 +00:00
Dr. Stephen Henson
2325315ba3
Two more symbol renames.
2011-05-01 19:07:16 +00:00
Dr. Stephen Henson
8a2024ea59
Handle multiple CPUID_OBJ correctly.
2011-05-01 19:06:39 +00:00
Dr. Stephen Henson
42c7c6764e
Rename some more symbols.
2011-05-01 17:51:40 +00:00
Dr. Stephen Henson
bd4b0137fc
For FIPS algorithm test utilities use our own version of strcasecmp and
strncasecmp to cover cases where platforms don't support them.
2011-05-01 16:18:52 +00:00
Dr. Stephen Henson
2f6efd6acb
Some changes to support VxWorks in the validated module.
2011-05-01 15:36:54 +00:00
Dr. Stephen Henson
ee872e99f7
Update symbol translation table.
2011-05-01 14:33:59 +00:00
Dr. Stephen Henson
c4d162873f
Don't assume version of rm supports -rf: use RM instead.
2011-04-28 20:52:21 +00:00
Dr. Stephen Henson
1eb8939695
Stop warnings about undefined _exit on Android.
Additional script output options to fipsalgtest.pl
2011-04-28 12:20:12 +00:00
Dr. Stephen Henson
7979626995
Recognise invalid enable/disable options.
Option to shut up bogus warnings.
2011-04-24 12:13:32 +00:00
Dr. Stephen Henson
e0d1a2f80a
Always return multiple of block length bytes from default DRBG seed
callback.
Handle case where no multiple of the block size is in the interval
[min_len, max_len].
2011-04-23 20:05:19 +00:00
Dr. Stephen Henson
cac4fb58e0
Add PRNG security strength checking.
2011-04-23 19:55:55 +00:00
Dr. Stephen Henson
74fac927b0
Return errors instead of aborting when selftest fails.
2011-04-22 11:12:56 +00:00
Dr. Stephen Henson
da9ead8db2
Add XTS test vector support to fipsalgtest.pl
2011-04-22 01:05:53 +00:00
Dr. Stephen Henson
bef5013961
Rewrite OutputValue to avoid use of buffer when printing out hex values.
Delete unused functions from fips_utl.h.
Increase xts line buffer.
2011-04-22 00:41:35 +00:00
Dr. Stephen Henson
b8b6a13a56
Add continuous RNG test to entropy source. Entropy callbacks now need
to specify a "block length".
2011-04-21 14:17:15 +00:00
Dr. Stephen Henson
7608978861
Update DRBG to use new POST scheme.
2011-04-20 18:05:05 +00:00
Dr. Stephen Henson
14264b19de
Add periodic DRBG health checks as required by SP800-90.
2011-04-20 17:06:38 +00:00
Dr. Stephen Henson
8da18ea1a5
Add partial GCM tests to fipsalgtest.pl
2011-04-20 15:06:44 +00:00
Dr. Stephen Henson
7aaa88e55c
Add partial DH and ECDH primitives only testing to fipsalgtest.pl
2011-04-20 14:33:39 +00:00
Dr. Stephen Henson
84c7a8f7dc
Warn if lines are truncated in algorithm test utilities.
Support for new test files: DRBG and CCM.
2011-04-20 13:20:31 +00:00
Dr. Stephen Henson
cb1b3aa151
Add AES CCM selftest.
2011-04-19 18:57:58 +00:00
Dr. Stephen Henson
b5dd178740
Fix EVP CCM decrypt. Add decrypt support to algorithm test program.
2011-04-18 22:48:40 +00:00
Dr. Stephen Henson
b3a45e7db5
CCM encrypt algorithm test support.
2011-04-18 16:31:11 +00:00
Dr. Stephen Henson
ca8630ba81
Remove shlib_wrap.sh as it is not needed (all algorithm tests are
statically linked to fipscanister.o). Add option to generate a shell
script to run all tests: this is useful for platforms that don't have
perl.
2011-04-17 15:39:47 +00:00
Dr. Stephen Henson
764ef43962
Remove PSS salt length detection hack from fipsalgtest.pl by allowing a regexp
search of the file to determine its type. This will be needed for other tests
later...
2011-04-16 23:54:19 +00:00
Dr. Stephen Henson
75707a324f
Add "post" option to fips_test_suite to run the POST only and exit.
2011-04-15 20:09:34 +00:00
Dr. Stephen Henson
bf8131f79f
Add XTS selftest, include in fips_test_suite.
2011-04-15 11:30:19 +00:00
Dr. Stephen Henson
06b7e5a0e4
Add algorithm driver for XTS mode. Fix several bugs in EVP XTS implementation.
2011-04-15 02:49:30 +00:00
Dr. Stephen Henson
706735aea3
Add new POST support to X9.31 PRNG.
2011-04-14 18:29:49 +00:00
Dr. Stephen Henson
8f331999f5
Report each cipher used with CMAC tests.
Only add one error to error queue if a specific test type fails.
2011-04-14 16:38:20 +00:00
Dr. Stephen Henson
9338f290d1
Revise fips_test_suite to use table of IDs for human readable strings.
Modify HMAC selftest callbacks to notify each digest type used.
2011-04-14 16:14:41 +00:00
Dr. Stephen Henson
8038511c27
Update CMAC, HMAC, GCM to use new POST system.
Fix crash if callback not set.
2011-04-14 13:10:00 +00:00
Dr. Stephen Henson
a6311f856b
Remove several of the old obsolete FIPS_corrupt_*() functions.
2011-04-14 11:30:51 +00:00
Dr. Stephen Henson
ac892b7aa6
Initial incomplete POST overhaul: add support for POST callback to
allow status of POST to be monitored and/or failures induced.
2011-04-14 11:15:10 +00:00
Dr. Stephen Henson
114c8e220b
Use consistent FIPS tarball name.
Add XTS to FIPS build.
Hide XTS symbol names.
2011-04-12 23:59:05 +00:00
Dr. Stephen Henson
4bd1e895fa
Update fips_pkey_signature_test: use fixed string if supplied tbs is
NULL. Always allocate signature buffer.
Update ECDSA selftest to use fips_pkey_signature_test. Add copyright notice
to file.
2011-04-12 17:41:53 +00:00
Dr. Stephen Henson
9b08dbe903
Complete rewrite of FIPS_selftest_dsa(). Use hardcoded 2048 bit DSA key
and SHA384. Use fips_pkey_signature_test().
2011-04-12 16:26:52 +00:00
Dr. Stephen Henson
3d607309e6
Update RSA selftest code to use a 2048 bit RSA and only a single KAT
for PSS+SHA256
2011-04-12 15:38:34 +00:00
Dr. Stephen Henson
49cb5e0b40
Fix memory leaks: uninstantiate DRBG during health checks. Cleanup md_ctx
when performing ECDSA selftest.
2011-04-12 14:28:06 +00:00
Dr. Stephen Henson
e2abfd58cc
Stop warning and fix memory leaks.
2011-04-12 13:02:56 +00:00
Dr. Stephen Henson
6223352683
Update ECDSA selftest to use hard coded private keys. Include tests for
prime and binary fields.
2011-04-12 11:49:35 +00:00
Dr. Stephen Henson
1a4d93bfb5
Update fips_premain.c fingerprint.
2011-04-12 11:48:00 +00:00
Dr. Stephen Henson
63c82f8abb
Update copyright year.
Zero ciphertext and plaintext temporary buffers.
Check FIPS_cipher() return value.
2011-04-11 21:32:51 +00:00
Dr. Stephen Henson
6909dccc32
Set length to 41 (40 hex characters + null).
2011-04-11 14:50:11 +00:00
Dr. Stephen Henson
ac319dd82b
Typo: fix duplicate call.
2011-04-10 23:32:19 +00:00
Dr. Stephen Henson
55e328f580
Add error for health check failure.
Rebuild all FIPS error codes to clean out old obsolete codes.
2011-04-09 17:46:31 +00:00
Dr. Stephen Henson
f3823ddfcf
Before initialising a live DRBG (i.e. not in test mode) run a complete health
check on a DRBG of the same type.
2011-04-09 17:27:07 +00:00
Dr. Stephen Henson
68ea88b8d1
New function to return security strength of PRNG.
2011-04-09 16:49:59 +00:00
Dr. Stephen Henson
6653c6f2e8
Update OpenSSL DRBG support code. Use date time vector as additional data.
Set FIPS RAND_METHOD at same time as OpenSSL RAND_METHOD.
2011-04-06 23:40:22 +00:00
Dr. Stephen Henson
42bd0a6b3c
Update fipssyms.h to keep all symbols in FIPS,fips namespace.
Rename drbg_cprng_test to fips_drbg_cprng_test.
Remove rand files from Makefile.fips.
2011-04-05 15:48:05 +00:00
Dr. Stephen Henson
05e24c87dd
Extensive reorganisation of PRNG handling in FIPS module: all calls
now use an internal RAND_METHOD. All dependencies to OpenSSL standard
PRNG are now removed: it is the application's responsibility to setup
the FIPS PRNG and initialise it.
Initial OpenSSL RAND_init_fips() function that will setup the DRBG
for the "FIPS capable OpenSSL".
2011-04-05 15:24:10 +00:00
Dr. Stephen Henson
cab0595c14
Rename deprecated FIPS_rand functions to FIPS_x931. These shouldn't be
used by applications directly and the X9.31 PRNG is deprecated by new
FIPS140-2 rules anyway.
2011-04-05 12:42:31 +00:00
Dr. Stephen Henson
f4bd65dae3
Set error code if additional data callback fails.
2011-04-04 17:03:35 +00:00
Dr. Stephen Henson
8776ef63c1
Change FIPS locking functions to macros so we get useful line information.
Set fips_thread_set properly.
2011-04-04 15:38:21 +00:00
Dr. Stephen Henson
ded1999702
Change RNG test to block oriented instead of request oriented, add option
to test a "stuck" DRBG.
2011-04-04 14:47:31 +00:00
Dr. Stephen Henson
7d48743b95
restore .cvsignore
2011-04-01 18:40:30 +00:00