OpenSSL: OpenSSL-fips2-0_9_7-stable: openssl/ CHANGES openssl/cr...

Thread: OpenSSL: OpenSSL-fips2-0_9_7-stable: openssl/ CHANGES openssl/cr...

Search this list only Search all lists
OpenSSL: OpenSSL-fips2-0_9_7-stable: openssl/ CHANGES openssl/cr...
	2007-01-24 07:00:15

OpenSSL CVS Repository http://cvs.openssl.org/ ____________________________________________________________________________ Server: cvs.openssl.org Name: Dr. Stephen Henson Root: /v/openssl/cvs Email: steveopenssl.org Module: openssl Date: 24-Jan-2007 14:00:15 Branch: OpenSSL-fips2-0_9_7-stable Handle: 2007012413001104 Added files: (Branch: OpenSSL-fips2-0_9_7-stable) openssl/fips-1.0/rsa fips_rsa_sign.c Modified files: (Branch: OpenSSL-fips2-0_9_7-stable) openssl CHANGES openssl/crypto/evp m_sha1.c openssl/crypto/rsa rsa.h openssl/fips-1.0 Makefile openssl/fips-1.0/rsa Makefile Log: Remove ASN1 library (and other) dependencies from fipscanister.o Summary: Revision Changes Path 1.977.2.189.2.2+5 -1 openssl/CHANGES 1.8.2.2.2.1 +11 -4 openssl/crypto/evp/m_sha1.c 1.36.2.21.2.1+7 -0 openssl/crypto/rsa/rsa.h 1.1.2.15.2.1+1 -54 openssl/fips-1.0/Makefile 1.1.2.2.2.1 +4 -2 openssl/fips-1.0/rsa/Makefile 1.1.2.1 +231 -0 openssl/fips-1.0/rsa/fips_rsa_sign.c ____________________________________________________________________________ patch -p0 <<' .' Index: openssl/CHANGES ============================================================================ $ cvs diff -u -r1.977.2.189.2.1 -r1.977.2.189.2.2 CHANGES --- openssl/CHANGES 24 Jan 2007 12:42:18 -0000 1.977.2.189.2.1 +++ openssl/CHANGES 24 Jan 2007 13:00:11 -0000 1.977.2.189.2.2 -4,7 +4,11 Changes between 0.9.7l and 0.9.7m-fips2 [xx XXX xxxx] - ) + ) New version of RSA_{sign,verify} for FIPS code. This uses pregenerated + DigestInfo encodings and thus avoids all ASN1 library dependencies. Update + FIPS digests to use new functions. Remove large numbers of obsolete + dependencies from fipscanister.o + [Steve Henson] Changes between 0.9.7l and 0.9.7m [xx XXX xxxx] . patch -p0 <<' .' Index: openssl/crypto/evp/m_sha1.c ============================================================================ $ cvs diff -u -r1.8.2.2 -r1.8.2.2.2.1 m_sha1.c --- openssl/crypto/evp/m_sha1.c 7 May 2005 17:21:28 -0000 1.8.2.2 +++ openssl/crypto/evp/m_sha1.c 24 Jan 2007 13:00:13 -0000 1.8.2.2.2.1 -63,6 +63,9 #include #include +#define EVP_PKEY_RSA_fips_method FIPS_rsa_sign,FIPS_rsa_verify, + {EVP_PKEY_RSA,EVP_PKEY_RSA2,0,0} + static int init(EVP_MD_CTX ctx) { return SHA1_Init(ctx->md_data); } -90,7 +93,11 final, NULL, NULL, +#ifdef OPENSSL_FIPS + EVP_PKEY_RSA_fips_method, +#else EVP_PKEY_RSA_method, +#endif SHA_CBLOCK, sizeof(EVP_MD )+sizeof(SHA_CTX), }; -131,7 +138,7 final256, NULL, NULL, - EVP_PKEY_RSA_method, + EVP_PKEY_RSA_fips_method, SHA256_CBLOCK, sizeof(EVP_MD )+sizeof(SHA256_CTX), }; -150,7 +157,7 final256, NULL, NULL, - EVP_PKEY_RSA_method, + EVP_PKEY_RSA_fips_method, SHA256_CBLOCK, sizeof(EVP_MD )+sizeof(SHA256_CTX), }; -184,7 +191,7 final512, NULL, NULL, - EVP_PKEY_RSA_method, + EVP_PKEY_RSA_fips_method, SHA512_CBLOCK, sizeof(EVP_MD )+sizeof(SHA512_CTX), }; -203,7 +210,7 final512, NULL, NULL, - EVP_PKEY_RSA_method, + EVP_PKEY_RSA_fips_method, SHA512_CBLOCK, sizeof(EVP_MD )+sizeof(SHA512_CTX), }; . patch -p0 <<' .' Index: openssl/crypto/rsa/rsa.h ============================================================================ $ cvs diff -u -r1.36.2.21 -r1.36.2.21.2.1 rsa.h --- openssl/crypto/rsa/rsa.h 28 Sep 2006 11:53:50 -0000 1.36.2.21 +++ openssl/crypto/rsa/rsa.h 24 Jan 2007 13:00:14 -0000 1.36.2.21.2.1 -276,6 +276,13 int RSA_verify(int type, const unsigned char m, unsigned int m_length, unsigned char sigbuf, unsigned int siglen, RSA rsa); +#ifdef OPENSSL_FIPS +int FIPS_rsa_sign(int type, const unsigned char m, unsigned int m_length, + unsigned char sigret, unsigned int siglen, RSA rsa); +int FIPS_rsa_verify(int type, const unsigned char m, unsigned int m_length, + unsigned char sigbuf, unsigned int siglen, RSA rsa); +#endif + /* The following 2 function sign and verify a ASN1_OCTET_STRING * object inside PKCS#1 padded RSA encryption / int RSA_sign_ASN1_OCTET_STRING(int type, . patch -p0 <<' .' Index: openssl/fips-1.0/Makefile ============================================================================ $ cvs diff -u -r1.1.2.15 -r1.1.2.15.2.1 Makefile --- openssl/fips-1.0/Makefile 18 Jan 2007 13:29:15 -0000 1.1.2.15 +++ openssl/fips-1.0/Makefile 24 Jan 2007 13:00:14 -0000 1.1.2.15.2.1 -226,27 +226,6 ../crypto/aes/aes_cfb.o ../crypto/aes/aes_ecb.o ../crypto/aes/aes_ofb.o - ../crypto/asn1/a_bitstr.o - ../crypto/asn1/a_bytes.o - ../crypto/asn1/a_dup.o - ../crypto/asn1/a_int.o - ../crypto/asn1/a_object.o - ../crypto/asn1/asn1_err.o - ../crypto/asn1/asn1_lib.o - ../crypto/asn1/a_type.o - ../crypto/asn1/evp_asn1.o - ../crypto/asn1/tasn_dec.o - ../crypto/asn1/tasn_enc.o - ../crypto/asn1/tasn_fre.o - ../crypto/asn1/tasn_new.o - ../crypto/asn1/tasn_typ.o - ../crypto/asn1/tasn_utl.o - ../crypto/asn1/t_pkey.o - ../crypto/asn1/x_algor.o - ../crypto/asn1/x_bignum.o - ../crypto/asn1/x_long.o - ../crypto/asn1/x_sig.o - ../crypto/bio/bio_err.o ../crypto/bio/bio_lib.o ../crypto/bio/b_print.o ../crypto/bio/bss_file.o -254,7 +233,6 ../crypto/bn/bn_blind.o ../crypto/bn/bn_ctx.o ../crypto/bn/bn_div.o - ../crypto/bn/bn_err.o ../crypto/bn/bn_exp2.o ../crypto/bn/bn_exp.o ../crypto/bn/bn_gcd.o -270,10 +248,7 ../crypto/bn/bn_sqr.o ../crypto/bn/bn_word.o ../crypto/bn/bn_x931p.o - ../crypto/buffer/buf_err.o ../crypto/buffer/buffer.o - ../crypto/conf/conf_err.o - ../crypto/cpt_err.o ../crypto/cryptlib.o ../crypto/des/cfb64ede.o ../crypto/des/cfb64enc.o -283,38 +258,23 ../crypto/des/ecb_enc.o ../crypto/des/ofb64ede.o ../crypto/des/ofb64enc.o - ../crypto/dh/dh_err.o ../crypto/dh/dh_lib.o - ../crypto/dsa/dsa_asn1.o - ../crypto/dsa/dsa_err.o ../crypto/dsa/dsa_lib.o ../crypto/dsa/dsa_sign.o ../crypto/dsa/dsa_vrf.o - ../crypto/dso/dso_err.o - ../crypto/ec/ec_err.o - ../crypto/engine/eng_err.o ../crypto/engine/eng_init.o ../crypto/engine/eng_lib.o ../crypto/engine/eng_list.o ../crypto/engine/eng_table.o - ../crypto/engine/tb_cipher.o ../crypto/engine/tb_dh.o ../crypto/engine/tb_digest.o ../crypto/engine/tb_dsa.o ../crypto/engine/tb_rand.o ../crypto/engine/tb_rsa.o - ../crypto/err/err_all.o ../crypto/err/err.o ../crypto/err/err_prn.o ../crypto/evp/digest.o - ../crypto/evp/e_aes.o - ../crypto/evp/e_des3.o - ../crypto/evp/e_des.o - ../crypto/evp/evp_enc.o - ../crypto/evp/evp_err.o - ../crypto/evp/evp_lib.o ../crypto/evp/m_sha1.o - ../crypto/evp/p_lib.o ../crypto/evp/p_sign.o ../crypto/evp/p_verify.o ../crypto/ex_data.o -322,36 +282,23 ../crypto/mem_clr.o ../crypto/mem_dbg.o ../crypto/mem.o - ../crypto/objects/obj_dat.o - ../crypto/objects/obj_err.o - ../crypto/objects/obj_lib.o - ../crypto/ocsp/ocsp_err.o - ../crypto/pem/pem_err.o - ../crypto/pkcs12/pk12err.o - ../crypto/pkcs7/pkcs7err.o ../crypto/rand/md_rand.o ../crypto/rand/rand_egd.o - ../crypto/rand/rand_err.o ../crypto/rand/randfile.o ../crypto/rand/rand_lib.o ../crypto/rand/rand_os2.o ../crypto/rand/rand_unix.o ../crypto/rand/rand_win.o - ../crypto/rsa/rsa_err.o ../crypto/rsa/rsa_lib.o ../crypto/rsa/rsa_none.o ../crypto/rsa/rsa_oaep.o ../crypto/rsa/rsa_pk1.o ../crypto/rsa/rsa_pss.o - ../crypto/rsa/rsa_sign.o ../crypto/rsa/rsa_ssl.o ../crypto/rsa/rsa_x931.o ../crypto/stack/stack.o ../crypto/uid.o - ../crypto/ui/ui_err.o - ../crypto/x509v3/v3err.o - ../crypto/x509v3/v3_hex.o - ../crypto/x509/x509_err.o + ../crypto/x509v3/v3_hex.o # DO NOT DELETE THIS LINE -- make depend depends on it. . patch -p0 <<' .' Index: openssl/fips-1.0/rsa/Makefile ============================================================================ $ cvs diff -u -r1.1.2.2 -r1.1.2.2.2.1 Makefile --- openssl/fips-1.0/rsa/Makefile 4 Feb 2006 01:50:40 -0000 1.1.2.2 +++ openssl/fips-1.0/rsa/Makefile 24 Jan 2007 13:00:15 -0000 1.1.2.2.2.1 -22,8 +22,10 APPS= LIB=$(TOP)/libcrypto.a -LIBSRC=fips_rsa_eay.c fips_rsa_gen.c fips_rsa_selftest.c fips_rsa_x931g.c -LIBOBJ=fips_rsa_eay.o fips_rsa_gen.o fips_rsa_selftest.o fips_rsa_x931g.o +LIBSRC=fips_rsa_eay.c fips_rsa_gen.c fips_rsa_selftest.c fips_rsa_x931g.c + fips_rsa_sign.c +LIBOBJ=fips_rsa_eay.o fips_rsa_gen.o fips_rsa_selftest.o fips_rsa_x931g.o + fips_rsa_sign.o SRC= $(LIBSRC) . patch -p0 <<' .' Index: openssl/fips-1.0/rsa/fips_rsa_sign.c ============================================================================ $ cvs diff -u -r0 -r1.1.2.1 fips_rsa_sign.c --- /dev/null 2007-01-24 14:00:13 +0100 +++ fips_rsa_sign.c 2007-01-24 14:00:15 +0100 -0,0 +1,231 +/ fips_rsa_sign.c / +/ Written by Dr Stephen N Henson (shensonbigfoot.com) for the OpenSSL + * project 2007. + / +/ ==================================================================== + * Copyright (c) 2007 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensingOpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eaycryptsoft.com). This product includes software written by Tim + * Hudson (tjhcryptsoft.com). + * + / + +#include +#include +#include +#include + +/ FIPS versions of RSA_sign() and RSA_verify(). + * These will only have to deal with SHA* signatures and by including + * pregenerated encodings all ASN1 dependencies can be avoided + / + +static const unsigned char sha1_bin[] = { + 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, + 0x00, 0x04, 0x14 +}; + +static const unsigned char sha224_bin[] = { + 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c +}; + +static const unsigned char sha256_bin[] = { + 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 +}; + +static const unsigned char sha384_bin[] = { + 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30 +}; + +static const unsigned char sha512_bin[] = { + 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40 +}; + + +static const unsigned char fips_digestinfo_encoding(int nid, unsigned int len) + { + switch (nid) + { + + case NID_sha1: + len = sizeof(sha1_bin); + return sha1_bin; + + case NID_sha224: + len = sizeof(sha224_bin); + return sha224_bin; + + case NID_sha256: + len = sizeof(sha256_bin); + return sha256_bin; + + case NID_sha384: + len = sizeof(sha384_bin); + return sha384_bin; + + case NID_sha512: + len = sizeof(sha512_bin); + return sha512_bin; + + default: + return NULL; + + } + } + +int FIPS_rsa_sign(int type, const unsigned char m, unsigned int m_len, + unsigned char sigret, unsigned int siglen, RSA rsa) + { + int i,j,ret=1; + unsigned int dlen; + const unsigned char der; + / Largest DigestInfo: 19 (max encoding) + max MD / + unsigned char tmpdinfo[19 + EVP_MAX_MD_SIZE]; + if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) + { + return rsa->meth->rsa_sign(type, m, m_len, + sigret, siglen, rsa); + } + + if(m_len > EVP_MAX_MD_SIZE) + { + RSAerr(RSA_F_RSA_SIGN,RSA_R_INVALID_MESSAGE_LENGTH); + return 0; + } + + der = fips_digestinfo_encoding(type, &dlen); + + if (!der) + { + RSAerr(RSA_F_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE); + return(0); + } + memcpy(tmpdinfo, der, dlen); + memcpy(tmpdinfo + dlen, m, m_len); + + i = dlen + m_len; + + j=RSA_size(rsa); + if (i > (j-RSA_PKCS1_PADDING_SIZE)) + { + RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); + return(0); + } + j=RSA_private_encrypt(i,tmpdinfo,sigret,rsa,RSA_PKCS1_PADDING); + if (j <= 0) + ret=0; + else + siglen=j; + + OPENSSL_cleanse(tmpdinfo,i); + return(ret); + } + +int FIPS_rsa_verify(int dtype, const unsigned char m, unsigned int m_len, + unsigned char sigbuf, unsigned int siglen, RSA rsa) + { + int i,ret=0; + unsigned int dlen; + unsigned char s; + const unsigned char der; + + if (siglen != (unsigned int)RSA_size(rsa)) + { + RSAerr(RSA_F_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH); + return(0); + } + + if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) + { + return rsa->meth->rsa_verify(dtype, m, m_len, + sigbuf, siglen, rsa); + } + + s= OPENSSL_malloc((unsigned int)siglen); + if (s == NULL) + { + RSAerr(RSA_F_RSA_VERIFY,ERR_R_MALLOC_FAILURE); + goto err; + } + + i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING); + + if (i <= 0) goto err; + + der = fips_digestinfo_encoding(dtype, &dlen); + + if (!der) + { + RSAerr(RSA_F_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE); + return(0); + } + + / Compare, DigestInfo length, DigestInfo header and finally + * digest value itself + */ + if ((i != (dlen + m_len)) \|\| memcmp(der, s, dlen) + \|\| memcmp(s + dlen, m, m_len)) + { + RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE); + goto err; + } + else + ret = 1; +err: + if (s != NULL) + { + OPENSSL_cleanse(s, siglen); + OPENSSL_free(s); + } + return(ret); + } . ______________________________________________________________________ OpenSSL Project http://www.openssl.org CVS Repository Commit List openssl-cvsopenssl.org Automated List Manager majordomoopenssl.org

[1]

about | contact Other archives ( Real Estate discussion Medical topics )