OpenSSL CVS Repository
http://cvs.openssl.org/
____________________________________________________________
________________
Server: cvs.openssl.org Name: Dr.
Stephen Henson
Root: /v/openssl/cvs Email: steve openssl.org
Module: openssl Date:
15-Aug-2007 02:36:06
Branch: OpenSSL-fips-0_9_8-stable Handle:
2007081501360203
Modified files: (Branch:
OpenSSL-fips-0_9_8-stable)
openssl/fips-1.0 fips.c fips_locl.h
fips_test_suite.c
openssl/fips-1.0/dsa fips_dsa_key.c
openssl/fips-1.0/rand fips_rand.c
openssl/fips-1.0/rsa fips_rsa_gen.c fips_rsa_sign.c
Log:
Indicate failure if any selftest fails.
Increase keysizes in fips_test_suite
Summary:
Revision Changes Path
1.1.2.5 +2 -0
openssl/fips-1.0/dsa/fips_dsa_key.c
1.1.4.9 +5 -0 openssl/fips-1.0/fips.c
1.1.4.5 +1 -0 openssl/fips-1.0/fips_locl.h
1.1.4.6 +2 -2
openssl/fips-1.0/fips_test_suite.c
1.1.4.7 +3 -0
openssl/fips-1.0/rand/fips_rand.c
1.1.4.7 +41 -2
openssl/fips-1.0/rsa/fips_rsa_gen.c
1.1.4.9 +3 -3
openssl/fips-1.0/rsa/fips_rsa_sign.c
____________________________________________________________
________________
patch -p0 <<' .'
Index: openssl/fips-1.0/dsa/fips_dsa_key.c
============================================================
================
$ cvs diff -u -r1.1.2.4 -r1.1.2.5 fips_dsa_key.c
--- openssl/fips-1.0/dsa/fips_dsa_key.c 14 Aug 2007
13:20:35 -0000 1.1.2.4
+++ openssl/fips-1.0/dsa/fips_dsa_key.c 15 Aug 2007
00:36:03 -0000 1.1.2.5
 -65,6 +65,7 
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/fips.h>
+#include "fips_locl.h"
#ifdef OPENSSL_FIPS
 -81,6 +82,7 
NULL, 0, EVP_dss1(), 0, NULL))
{
FIPSerr(FIPS_F_FIPS_CHECK_DSA,FIPS_R_PAIRWISE_TEST_FAILED)
;
+ fips_set_selftest_fail();
return 0;
}
return 1;
 .
patch -p0 <<' .'
Index: openssl/fips-1.0/fips.c
============================================================
================
$ cvs diff -u -r1.1.4.8 -r1.1.4.9 fips.c
--- openssl/fips-1.0/fips.c 14 Aug 2007 13:33:33
-0000 1.1.4.8
+++ openssl/fips-1.0/fips.c 15 Aug 2007 00:36:02
-0000 1.1.4.9
 -147,6 +147,11 
}
}
+void fips_set_selftest_fail(void)
+ {
+ fips_selftest_fail = 1;
+ }
+
int FIPS_selftest()
{
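Review bot: `fips_set_selftest_fail()` stores to `fips_selftest_fail` with no lock held, and the callers this commit adds sit on paths (the PRNG continuous test, the key-pair checks) that can presumably run on any thread. Whether the readers of the flag take a lock is outside this hunk; if they do, the setter should take the matching write lock so the store is ordered against them. The function also has no comment; something like `/* Latch the module into the self-test-failed state; called when a conditional test (pairwise, continuous PRNG) fails */` would tell a maintainer why a non-static setter exists and that nothing here clears it.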
 .
patch -p0 <<' .'
Index: openssl/fips-1.0/fips_locl.h
============================================================
================
$ cvs diff -u -r1.1.4.4 -r1.1.4.5 fips_locl.h
--- openssl/fips-1.0/fips_locl.h 1 Jul 2007 23:19:14
-0000 1.1.4.4
+++ openssl/fips-1.0/fips_locl.h 15 Aug 2007 00:36:02
-0000 1.1.4.5
 -61,6 +61,7 
void fips_set_started(void);
int fips_is_owning_thread(void);
int fips_set_owning_thread(void);
+void fips_set_selftest_fail(void);
int fips_clear_owning_thread(void);
unsigned char *fips_signature_witness(void);
 .
patch -p0 <<' .'
Index: openssl/fips-1.0/fips_test_suite.c
============================================================
================
$ cvs diff -u -r1.1.4.5 -r1.1.4.6 fips_test_suite.c
--- openssl/fips-1.0/fips_test_suite.c 10 Jul 2007
22:00:55 -0000 1.1.4.5
+++ openssl/fips-1.0/fips_test_suite.c 15 Aug 2007
00:36:02 -0000 1.1.4.6
 -100,7 +100,7 
dsa = FIPS_dsa_new();
if (!dsa)
goto end;
- if (!DSA_generate_parameters_ex(dsa,
512,NULL,0,NULL,NULL,NULL))
+ if (!DSA_generate_parameters_ex(dsa,
1024,NULL,0,NULL,NULL,NULL))
goto end;
if (!DSA_generate_key(dsa))
goto end;
 -354,7 +354,7 
dh = FIPS_dh_new();
if (!dh)
return 0;
- if (!DH_generate_parameters_ex(dh, 256, 2, NULL))
+ if (!DH_generate_parameters_ex(dh, 1024, 2, NULL))
return 0;
FIPS_dh_free(dh);
return 1;
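Review bot: In the DH check, the `return 0;` taken when `DH_generate_parameters_ex(dh, 1024, 2, NULL)` fails skips `FIPS_dh_free(dh)`, so the object allocated just above is leaked on that path. Freeing before the early return, or using a single exit label like the `goto end` seen in the DSA hunk, would fix it. The 1024 here and in the DSA hunk are bare literals; a shared named constant would keep the two test key sizes in step. The enclosing function starts outside the hunk.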
 .
patch -p0 <<' .'
Index: openssl/fips-1.0/rand/fips_rand.c
============================================================
================
$ cvs diff -u -r1.1.4.6 -r1.1.4.7 fips_rand.c
--- openssl/fips-1.0/rand/fips_rand.c 14 Aug 2007 13:17:28
-0000 1.1.4.6
+++ openssl/fips-1.0/rand/fips_rand.c 15 Aug 2007 00:36:04
-0000 1.1.4.7
 -77,6 +77,7 
#endif
#include <string.h>
#include <openssl/fips.h>
+#include "fips_locl.h"
#ifdef OPENSSL_FIPS
 -294,12 +295,14 
for (i = 0; i < AES_BLOCK_LENGTH; i++)
tmp[i] = R[i] ^ I[i];
AES_encrypt(tmp, ctx->V, &ctx->ks);
+ /* Continuouse PRNG test */
if (ctx->second)
{
if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH))
{
RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK);
ctx->error = 1;
+ fips_set_selftest_fail();
return 0;
}
}
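Review bot: The added comment reads `/* Continuouse PRNG test */`; it should be `/* Continuous PRNG test */`, and it would help to say what is compared, e.g. `/* Continuous PRNG test: fail if this block equals the previous one */`. With the new `fips_set_selftest_fail()` call, one repeated block now marks the whole module as failed in addition to setting `ctx->error`, and that wider effect is worth stating in the comment because the flag itself is not visible from this file. The enclosing function starts and ends outside the hunk.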
 .
patch -p0 <<' .'
Index: openssl/fips-1.0/rsa/fips_rsa_gen.c
============================================================
================
$ cvs diff -u -r1.1.4.6 -r1.1.4.7 fips_rsa_gen.c
--- openssl/fips-1.0/rsa/fips_rsa_gen.c 14 Aug 2007
13:20:41 -0000 1.1.4.6
+++ openssl/fips-1.0/rsa/fips_rsa_gen.c 15 Aug 2007
00:36:05 -0000 1.1.4.7
 -71,27 +71,66 
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/fips.h>
+#include "fips_locl.h"
#ifdef OPENSSL_FIPS
int fips_check_rsa(RSA *rsa)
{
const unsigned char tbs[] = "RSA Pairwise Check
Data";
+ unsigned char *ctbuf = NULL, *ptbuf = NULL;
+ int len, ret = 0;
EVP_PKEY pk;
pk.type = EVP_PKEY_RSA;
pk.pkey.rsa = rsa;
+ /* Perform pairwise consistency signature test */
if (!fips_pkey_signature_test(&pk, tbs, -1,
NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1, NULL)
|| !fips_pkey_signature_test(&pk, tbs, -1,
NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931, NULL)
|| !fips_pkey_signature_test(&pk, tbs, -1,
NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS, NULL))
+ goto err;
+ /* Now perform pairwise consistency encrypt/decrypt test
*/
+ ctbuf = OPENSSL_malloc(RSA_size(rsa));
+ if (!ctbuf)
+ goto err;
+
+ len = RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf,
rsa, RSA_PKCS1_PADDING);
+ if (len <= 0)
+ goto err;
+ /* Check ciphertext doesn't match plaintext */
+ if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs,
ctbuf, len))
+ goto err;
+ ptbuf = OPENSSL_malloc(RSA_size(rsa));
+
+ if (!ptbuf)
+ goto err;
+ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa,
RSA_PKCS1_PADDING);
+ if (len != (sizeof(tbs) - 1))
+ goto err;
+ if (memcmp(ptbuf, tbs, len))
+ goto err;
+
+ ret = 1;
+
+ if (!ptbuf)
+ goto err;
+
+ err:
+ if (ret == 0)
{
+ fips_set_selftest_fail();
FIPSerr(FIPS_F_FIPS_CHECK_RSA,FIPS_R_PAIRWISE_TEST_FAILED)
;
- return 0;
}
- return 1;
+
+ if (ctbuf)
+ OPENSSL_free(ctbuf);
+ if (ptbuf)
+ OPENSSL_free(ptbuf);
+
+ return ret;
}
static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM
*e_value, BN_GENCB *cb);
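Review bot: On the `err:` path every failure, including a failed `OPENSSL_malloc` for `ctbuf` or `ptbuf`, is reported as `FIPS_R_PAIRWISE_TEST_FAILED` and calls `fips_set_selftest_fail()`, so a transient out-of-memory condition during a key check is recorded as a module self-test failure. If failing closed like that is intended, a comment at `err:` should say so; otherwise report the allocation cases as `ERR_R_MALLOC_FAILURE` and keep the latch for genuine mismatches. The second `if (!ptbuf) goto err;` after `ret = 1;` is dead, since `ptbuf` was already checked and control falls into `err:` anyway, and should be removed. The new code calls `memcmp`, and no `<string.h>` include is visible among the includes in this hunk, so check that it is pulled in elsewhere. `fips_set_selftest_fail()` is called before `FIPSerr` here but after it in fips_dsa_key.c; one order throughout would read better.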
 .
patch -p0 <<' .'
Index: openssl/fips-1.0/rsa/fips_rsa_sign.c
============================================================
================
$ cvs diff -u -r1.1.4.8 -r1.1.4.9 fips_rsa_sign.c
--- openssl/fips-1.0/rsa/fips_rsa_sign.c 14 Aug 2007
13:20:41 -0000 1.1.4.8
+++ openssl/fips-1.0/rsa/fips_rsa_sign.c 15 Aug 2007
00:36:05 -0000 1.1.4.9
 -191,12 +191,12 
static int fips_rsa_sign(int type, const unsigned char
*x, unsigned int y,
unsigned char *sigret, unsigned int *siglen,
EVP_MD_SVCTX *sv)
{
- int i,j,ret=0;
+ int i=0,j,ret=0;
unsigned int dlen;
const unsigned char *der;
unsigned int m_len;
int pad_mode = sv->mctx->flags &
EVP_MD_CTX_FLAG_PAD_MASK;
- int rsa_pad_mode;
+ int rsa_pad_mode = 0;
RSA *rsa = sv->key;
/* Largest DigestInfo: 19 (max encoding) + max MD */
unsigned char tmpdinfo[19 + EVP_MAX_MD_SIZE];
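Review bot: Initialising `rsa_pad_mode` to 0 here, and again in the second hunk of this file, silences a possibly-uninitialised path rather than handling it: if `pad_mode` matches none of the cases that assign `rsa_pad_mode`, 0 is what reaches the RSA call. The code that assigns and uses the variable lies outside both hunks, so this is inferred. As far as I know 0 is not one of the `RSA_*_PADDING` values and would be rejected downstream, but an explicit default branch that raises an error and returns would make that deliberate. At minimum a comment such as `/* 0 is not a valid RSA padding; set below from pad_mode */` would record the intent, and the same goes for `i=0`.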
 -301,7 +301,7 
int i,ret=0;
unsigned int dlen, diglen;
int pad_mode = sv->mctx->flags &
EVP_MD_CTX_FLAG_PAD_MASK;
- int rsa_pad_mode;
+ int rsa_pad_mode = 0;
unsigned char *s;
const unsigned char *der;
unsigned char dig[EVP_MAX_MD_SIZE];
 .