



OpenSSL: OpenSSL-fips-0_9_8-stable: openssl/ CHANGES openssl/app...
2007-04-08 12:51:01
  OpenSSL CVS Repository
  http://cvs.openssl.org/
 
____________________________________________________________
________________

  Server: cvs.openssl.org                  Name:   Dr.
Stephen Henson
  Root:   /v/openssl/cvs                   Email:  steveopenssl.org
  Module: openssl                          Date:  
08-Apr-2007 19:51:00
  Branch: OpenSSL-fips-0_9_8-stable        Handle:
2007040818505405

  Added files:              (Branch:
OpenSSL-fips-0_9_8-stable)
    openssl/crypto/evp      evp_cnf.c
  Modified files:           (Branch:
OpenSSL-fips-0_9_8-stable)
    openssl                 CHANGES
    openssl/apps            openssl.cnf
    openssl/crypto/asn1     asn_moid.c
    openssl/crypto/conf     conf_mall.c
    openssl/crypto/evp      Makefile evp.h evp_err.c

  Log:
    Add algorithm configuration module.

  Summary:
    Revision    Changes     Path
    1.1238.2.65.2.10+3  -0      openssl/CHANGES
    1.27.2.1.2.1+14 -6      openssl/apps/openssl.cnf
    1.5.4.1     +1  -1      openssl/crypto/asn1/asn_moid.c
    1.9.4.1     +2  -0      openssl/crypto/conf/conf_mall.c
    1.4.2.3.2.2 +2  -2      openssl/crypto/evp/Makefile
    1.112.2.4.2.3+8  -0      openssl/crypto/evp/evp.h
    1.1.2.1     +121 -0     openssl/crypto/evp/evp_cnf.c
    1.28.2.2.2.2+7  -1      openssl/crypto/evp/evp_err.c
 
____________________________________________________________
________________

  patch -p0 <<' .'
  Index: openssl/CHANGES
 
============================================================
================
  $ cvs diff -u -r1.1238.2.65.2.9 -r1.1238.2.65.2.10
CHANGES
  --- openssl/CHANGES	6 Apr 2007 00:30:12
-0000	1.1238.2.65.2.9
  +++ openssl/CHANGES	8 Apr 2007 17:50:54
-0000	1.1238.2.65.2.10
   -4,6 +4,9 
   
    Changes between 0.9.8e and 0.9.8f-fips  [xx XXX xxxx]
   
  +  *) Add algorithm config module. Currently just handles
setting FIPS mode.
  +     [Steve Henson]
  +
     *) Rewrite self tests and pairwise tests to use EVP.
Add more extensive
        self tests for RSA in all digests and modes.
        [Steve Henson]
   .
  patch -p0 <<' .'
  Index: openssl/apps/openssl.cnf
 
============================================================
================
  $ cvs diff -u -r1.27.2.1 -r1.27.2.1.2.1 openssl.cnf
  --- openssl/apps/openssl.cnf	16 Sep 2005 12:20:24
-0000	1.27.2.1
  +++ openssl/apps/openssl.cnf	8 Apr 2007 17:50:56
-0000	1.27.2.1.2.1
   -8,9 +8,8 
   HOME			= .
   RANDFILE		= $ENV::HOME/.rnd
   
  -# Extra OBJECT IDENTIFIER info:
  -#oid_file		= $ENV::HOME/.oid
  -oid_section		= new_oids
  +# Uncomment out to enable OpenSSL configuration see
config(3)
  +# openssl_conf = openssl_init
   
   # To use this configuration file with the
"-extfile" option of the
   # "openssl x509" utility, name here the section
containing the
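Review bot: With `openssl_conf = openssl_init` left commented out, nothing in the shipped file points at `[openssl_init]`, so the `oid_section = new_oids` line that this hunk removes from the default section (and the next hunk re-adds under `[openssl_init]`) is not reachable by default. Any tool that looks up `oid_section` in the default section would presumably stop loading `[ new_oids ]`; that should be confirmed against the apps before the sample changes. The new comment is also hard to read; I would write `# Uncomment to enable OpenSSL library configuration, see config(3)`.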
   -19,13 +18,22 
   # (Alternatively, use a configuration file that has only
   # X.509v3 extensions in its main [= default] section.)
   
  +[openssl_init]
  +# Extra OBJECT IDENTIFIER info:
  +oid_section = new_oids
  +alg_section = algs
  +
   [ new_oids ]
   
  -# We can add new OIDs in here for use by 'ca' and 'req'.
  +# We can add new OIDs in here for use by any config aware
application
   # Add a simple OID like this:
  -# testoid1=1.2.3.4
  +# shortname=Long Object Identifier Name, 1.2.3.4
   # Or use config file substitution like this:
  -# testoid2=$.5.6
  +# testoid2=OID2 LONG NAME, $.5.6, OTHER OID
  +
  +[ algs ]
  +# Algorithm configuration options. Currently just
fips_mode
  +fips_mode = no
   
  
############################################################
########
   [ ca ]
   .
  patch -p0 <<' .'
  Index: openssl/crypto/asn1/asn_moid.c
 
============================================================
================
  $ cvs diff -u -r1.5 -r1.5.4.1 asn_moid.c
  --- openssl/crypto/asn1/asn_moid.c	27 Mar 2004 13:30:14
-0000	1.5
  +++ openssl/crypto/asn1/asn_moid.c	8 Apr 2007 17:50:57
-0000	1.5.4.1
   -149,7 +149,7 
   		if (lntmp == NULL)
   			return 0;
   		memcpy(lntmp, ln, p - ln);
  -		lntmp[p - ln + 1] = 0;
  +		lntmp[p - ln] = 0;
   		oid = OBJ_nid2obj(nid);
   		oid->ln = lntmp;
   		}
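Review bot: The corrected terminator `lntmp[p - ln] = 0` is only in bounds if `lntmp` was allocated with at least `p - ln + 1` bytes, and the allocation sits above this hunk, so that should be checked. The old index wrote one byte further and left the copied long name unterminated, which makes this a memory-safety fix, yet neither the log message nor the CHANGES entry in this commit mentions it. I would give it its own CHANGES line and add a comment at the store such as `/* lntmp holds p - ln bytes of long name plus the NUL */`. The enclosing function starts and ends outside the hunk.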
   .
  patch -p0 <<' .'
  Index: openssl/crypto/conf/conf_mall.c
 
============================================================
================
  $ cvs diff -u -r1.9 -r1.9.4.1 conf_mall.c
  --- openssl/crypto/conf/conf_mall.c	30 Jan 2003 17:39:17
-0000	1.9
  +++ openssl/crypto/conf/conf_mall.c	8 Apr 2007 17:50:57
-0000	1.9.4.1
   -63,6 +63,7 
   #include <openssl/dso.h>
   #include <openssl/x509.h>
   #include <openssl/asn1.h>
  +#include <openssl/evp.h>
   #ifndef OPENSSL_NO_ENGINE
   #include <openssl/engine.h>
   #endif
   -76,5 +77,6 
   #ifndef OPENSSL_NO_ENGINE
   	ENGINE_add_conf_module();
   #endif
  +	EVP_add_alg_module();
   	}
   
   .
  patch -p0 <<' .'
  Index: openssl/crypto/evp/Makefile
 
============================================================
================
  $ cvs diff -u -r1.4.2.3.2.1 -r1.4.2.3.2.2 Makefile
  --- openssl/crypto/evp/Makefile	22 Mar 2007 00:38:10
-0000	1.4.2.3.2.1
  +++ openssl/crypto/evp/Makefile	8 Apr 2007 17:50:58
-0000	1.4.2.3.2.2
   -18,7 +18,7 
   APPS=
   
   LIB=$(TOP)/libcrypto.a
  -LIBSRC= encode.c digest.c dig_eng.c evp_enc.c evp_key.c
evp_acnf.c 
  +LIBSRC= encode.c digest.c dig_eng.c evp_enc.c evp_key.c
evp_acnf.c evp_cnf.c 
   	e_des.c e_bf.c e_idea.c e_des3.c e_camellia.c
   	e_rc4.c e_aes.c names.c 
   	e_xcbc_d.c e_rc2.c e_cast.c e_rc5.c 
   -30,7 +30,7 
   	evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c 
   	e_old.c
   
  -LIBOBJ=	encode.o digest.o dig_eng.o evp_enc.o evp_key.o
evp_acnf.o 
  +LIBOBJ=	encode.o digest.o dig_eng.o evp_enc.o evp_key.o
evp_acnf.o evp_cnf.o 
   	e_des.o e_bf.o e_idea.o e_des3.o e_camellia.o
   	e_rc4.o e_aes.o names.o 
   	e_xcbc_d.o e_rc2.o e_cast.o e_rc5.o 
   .
  patch -p0 <<' .'
  Index: openssl/crypto/evp/evp.h
 
============================================================
================
  $ cvs diff -u -r1.112.2.4.2.2 -r1.112.2.4.2.3 evp.h
  --- openssl/crypto/evp/evp.h	3 Apr 2007 21:01:27
-0000	1.112.2.4.2.2
  +++ openssl/crypto/evp/evp.h	8 Apr 2007 17:50:58
-0000	1.112.2.4.2.3
   -926,6 +926,8 
   #endif
   #endif
   
  +void EVP_add_alg_module(void);
  +
   /* BEGIN ERROR CODES */
   /* The following lines are auto generated by the script
mkerr.pl. Any changes
    * made after this point may be overwritten when the
script is next run.
   -936,6 +938,7 
   
   /* Function codes. */
   #define EVP_F_AES_INIT_KEY				 133
  +#define EVP_F_ALG_MODULE_INIT				 138
   #define EVP_F_CAMELLIA_INIT_KEY				 159
   #define EVP_F_D2I_PKEY					 100
   #define EVP_F_DSAPKEY2PKCS8				 134
   -991,14 +994,18 
   #define EVP_R_DIFFERENT_KEY_TYPES			 101
   #define EVP_R_DISABLED_FOR_FIPS				 144
   #define EVP_R_ENCODE_ERROR				 115
  +#define EVP_R_ERROR_LOADING_SECTION			 145
  +#define EVP_R_ERROR_SETTING_FIPS_MODE			 146
   #define EVP_R_EVP_PBE_CIPHERINIT_ERROR			 119
   #define EVP_R_EXPECTING_AN_RSA_KEY			 127
   #define EVP_R_EXPECTING_A_DH_KEY			 128
   #define EVP_R_EXPECTING_A_DSA_KEY			 129
   #define EVP_R_EXPECTING_A_ECDSA_KEY			 141
   #define EVP_R_EXPECTING_A_EC_KEY			 142
  +#define EVP_R_FIPS_MODE_NOT_SUPPORTED			 147
   #define EVP_R_INITIALIZATION_ERROR			 134
   #define EVP_R_INPUT_NOT_INITIALIZED			 111
  +#define EVP_R_INVALID_FIPS_MODE				 148
   #define EVP_R_INVALID_KEY_LENGTH			 130
   #define EVP_R_IV_TOO_LARGE				 102
   #define EVP_R_KEYGEN_FAILURE				 120
   -1010,6 +1017,7 
   #define EVP_R_NO_VERIFY_FUNCTION_CONFIGURED		 105
   #define EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE			 117
   #define EVP_R_PUBLIC_KEY_NOT_RSA			 106
  +#define EVP_R_UNKNOWN_OPTION				 149
   #define EVP_R_UNKNOWN_PBE_ALGORITHM			 121
   #define EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS		 135
   #define EVP_R_UNSUPPORTED_CIPHER			 107
   .
  patch -p0 <<' .'
  Index: openssl/crypto/evp/evp_cnf.c
 
============================================================
================
  $ cvs diff -u -r0 -r1.1.2.1 evp_cnf.c
  --- /dev/null	2007-04-08 19:47:23 +0200
  +++ evp_cnf.c	2007-04-08 19:50:59 +0200
   -0,0 +1,121 
  +/* evp_cnf.c */
  +/* Written by Stephen Henson (shensonbigfoot.com) for the OpenSSL
  + * project 2007.
  + */
  +/*
============================================================
========
  + * Copyright (c) 2007 The OpenSSL Project.  All rights
reserved.
  + *
  + * Redistribution and use in source and binary forms,
with or without
  + * modification, are permitted provided that the
following conditions
  + * are met:
  + *
  + * 1. Redistributions of source code must retain the
above copyright
  + *    notice, this list of conditions and the following
disclaimer. 
  + *
  + * 2. Redistributions in binary form must reproduce the
above copyright
  + *    notice, this list of conditions and the following
disclaimer in
  + *    the documentation and/or other materials provided
with the
  + *    distribution.
  + *
  + * 3. All advertising materials mentioning features or
use of this
  + *    software must display the following
acknowledgment:
  + *    "This product includes software developed by
the OpenSSL Project
  + *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)&
quot;
  + *
  + * 4. The names "OpenSSL Toolkit" and
"OpenSSL Project" must not be used to
  + *    endorse or promote products derived from this
software without
  + *    prior written permission. For written permission,
please contact
  + *    licensingOpenSSL.org.
  + *
  + * 5. Products derived from this software may not be
called "OpenSSL"
  + *    nor may "OpenSSL" appear in their names
without prior written
  + *    permission of the OpenSSL Project.
  + *
  + * 6. Redistributions of any form whatsoever must retain
the following
  + *    acknowledgment:
  + *    "This product includes software developed by
the OpenSSL Project
  + *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)&
quot;
  + *
  + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS
IS'' AND ANY
  + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE
  + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR
  + * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL
PROJECT OR
  + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL,
  + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT
  + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES;
  + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION)
  + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
IN CONTRACT,
  + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE)
  + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED
  + * OF THE POSSIBILITY OF SUCH DAMAGE.
  + *
============================================================
========
  + *
  + * This product includes cryptographic software written
by Eric Young
  + * (eaycryptsoft.com).  This product includes software
written by Tim
  + * Hudson (tjhcryptsoft.com).
  + *
  + */
  +
  +#include <stdio.h>
  +#include <ctype.h>
  +#include <openssl/crypto.h>
  +#include "cryptlib.h"
  +#include <openssl/conf.h>
  +#include <openssl/dso.h>
  +#include <openssl/x509.h>
  +#include <openssl/x509v3.h>
  +#include <openssl/fips.h>
  +
  +/* Algorithm configuration module. */
  +
  +static int alg_module_init(CONF_IMODULE *md, const CONF
*cnf)
  +	{
  +	int i;
  +	const char *oid_section;
  +	STACK_OF(CONF_VALUE) *sktmp;
  +	CONF_VALUE *oval;
  +	oid_section = CONF_imodule_get_value(md);
  +	if(!(sktmp = NCONF_get_section(cnf, oid_section)))
  +		{
  +		EVPerr(EVP_F_ALG_MODULE_INIT,
EVP_R_ERROR_LOADING_SECTION);
  +		return 0;
  +		}
  +	for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++)
  +		{
  +		oval = sk_CONF_VALUE_value(sktmp, i);
  +		if (!strcmp(oval->name, "fips_mode"))
  +			{
  +			int m;
  +			if (!X509V3_get_value_bool(oval, &m))
  +				{
  +				EVPerr(EVP_F_ALG_MODULE_INIT,
EVP_R_INVALID_FIPS_MODE);
  +				return 0;
  +				}
  +			if (m > 0)
  +				{
  +#ifdef OPENSSL_FIPS
  +				if (!FIPS_mode_set(1))
  +					{
  +					EVPerr(EVP_F_ALG_MODULE_INIT,
EVP_R_ERROR_SETTING_FIPS_MODE);
  +					return 0;
  +					}
  +#else
  +				EVPerr(EVP_F_ALG_MODULE_INIT,
EVP_R_FIPS_MODE_NOT_SUPPORTED);
  +#endif
  +				}
  +			}
  +		else
  +			{
  +			EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_UNKNOWN_OPTION);
  +			ERR_add_error_data(4, "name=",
oval->name,
  +						", value=", oval->value);
  +			}
  +				
  +		}
  +	return 1;
  +	}
  +
  +void EVP_add_alg_module(void)
  +	{
  +	CONF_module_add("alg_section",
alg_module_init, 0);
  +	}
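Review bot: In `alg_module_init`, the `#else` branch for builds without `OPENSSL_FIPS` raises `EVP_R_FIPS_MODE_NOT_SUPPORTED` but falls through to `return 1`, so a configuration that asks for `fips_mode = yes` loads successfully while the library stays in non-FIPS mode. That branch should fail closed the way the `FIPS_mode_set(1)` failure path does: add `return 0;` directly after the `EVPerr(...)` call. The unknown-option branch has the same shape, since a misspelled key is put on the error queue but the module still reports success; either return 0 there as well or add a comment saying unknown keys are deliberately tolerated. The local `oid_section` holds the value of `alg_section`, so a name such as `alg_section` would read more accurately.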
   .
  patch -p0 <<' .'
  Index: openssl/crypto/evp/evp_err.c
 
============================================================
================
  $ cvs diff -u -r1.28.2.2.2.1 -r1.28.2.2.2.2 evp_err.c
  --- openssl/crypto/evp/evp_err.c	22 Mar 2007 00:38:11
-0000	1.28.2.2.2.1
  +++ openssl/crypto/evp/evp_err.c	8 Apr 2007 17:50:59
-0000	1.28.2.2.2.2
   -1,6 +1,6 
   /* crypto/evp/evp_err.c */
   /*
============================================================
========
  - * Copyright (c) 1999-2005 The OpenSSL Project.  All
rights reserved.
  + * Copyright (c) 1999-2007 The OpenSSL Project.  All
rights reserved.
    *
    * Redistribution and use in source and binary forms,
with or without
    * modification, are permitted provided that the
following conditions
   -71,6 +71,7 
   static ERR_STRING_DATA EVP_str_functs[]=
   	{
  
{ERR_FUNC(EVP_F_AES_INIT_KEY),	"AES_INIT_KEY"},
 
+{ERR_FUNC(EVP_F_ALG_MODULE_INIT),	"ALG_MODULE_INIT&quo
t;},
  
{ERR_FUNC(EVP_F_CAMELLIA_INIT_KEY),	"CAMELLIA_INIT_KEY&
quot;},
   {ERR_FUNC(EVP_F_D2I_PKEY),	"D2I_PKEY"},
  
{ERR_FUNC(EVP_F_DSAPKEY2PKCS8),	"DSAPKEY2PKCS8"},
   -129,14 +130,18 
   {ERR_REASON(EVP_R_DIFFERENT_KEY_TYPES)   ,"different
key types"},
   {ERR_REASON(EVP_R_DISABLED_FOR_FIPS)     ,"disabled
for fips"},
   {ERR_REASON(EVP_R_ENCODE_ERROR)          ,"encode
error"},
  +{ERR_REASON(EVP_R_ERROR_LOADING_SECTION) ,"error
loading section"},
  +{ERR_REASON(EVP_R_ERROR_SETTING_FIPS_MODE),"error
setting fips mode"},
   {ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR),"evp pbe
cipherinit error"},
   {ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY)  ,"expecting
an rsa key"},
   {ERR_REASON(EVP_R_EXPECTING_A_DH_KEY)    ,"expecting
a dh key"},
   {ERR_REASON(EVP_R_EXPECTING_A_DSA_KEY)   ,"expecting
a dsa key"},
   {ERR_REASON(EVP_R_EXPECTING_A_ECDSA_KEY) ,"expecting
a ecdsa key"},
   {ERR_REASON(EVP_R_EXPECTING_A_EC_KEY)    ,"expecting
a ec key"},
  +{ERR_REASON(EVP_R_FIPS_MODE_NOT_SUPPORTED),"fips
mode not supported"},
   {ERR_REASON(EVP_R_INITIALIZATION_ERROR) 
,"initialization error"},
   {ERR_REASON(EVP_R_INPUT_NOT_INITIALIZED) ,"input not
initialized"},
  +{ERR_REASON(EVP_R_INVALID_FIPS_MODE)     ,"invalid
fips mode"},
   {ERR_REASON(EVP_R_INVALID_KEY_LENGTH)    ,"invalid
key length"},
   {ERR_REASON(EVP_R_IV_TOO_LARGE)          ,"iv too
large"},
   {ERR_REASON(EVP_R_KEYGEN_FAILURE)        ,"keygen
failure"},
   -148,6 +153,7 
   {ERR_REASON(EVP_R_NO_VERIFY_FUNCTION_CONFIGURED),"no
verify function configured"},
   {ERR_REASON(EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE),"pkcs8
unknown broken type"},
   {ERR_REASON(EVP_R_PUBLIC_KEY_NOT_RSA)    ,"public
key not rsa"},
  +{ERR_REASON(EVP_R_UNKNOWN_OPTION)        ,"unknown
option"},
   {ERR_REASON(EVP_R_UNKNOWN_PBE_ALGORITHM) ,"unknown
pbe algorithm"},
  
{ERR_REASON(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS),"unsupor
ted number of rounds"},
   {ERR_REASON(EVP_R_UNSUPPORTED_CIPHER)   
,"unsupported cipher"},
   .
____________________________________________________________
__________
OpenSSL Project                                 http://www.openssl.org
CVS Repository Commit List                    
openssl-cvsopenssl.org
Automated List Manager                          
majordomoopenssl.org
