diff options
Diffstat (limited to 'crypto/openssl/fips')
21 files changed, 167 insertions, 109 deletions
diff --git a/crypto/openssl/fips/Makefile b/crypto/openssl/fips/Makefile index e038be8..720a883 100644 --- a/crypto/openssl/fips/Makefile +++ b/crypto/openssl/fips/Makefile @@ -63,7 +63,7 @@ testapps: all: @if [ -z "$(FIPSLIBDIR)" ]; then \ $(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \ - else \ + else \ $(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \ fi @@ -109,7 +109,7 @@ fipscanister.o: fips_start.o $(LIBOBJ) $(FIPS_OBJ_LISTS) fips_end.o HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \ *) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \ esac fi - ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1 + ./fips_standalone_sha1$(EXE_EXT) fipscanister.o > fipscanister.o.sha1 # If another exception is immediately required, assign approprite # site-specific ld command to FIPS_SITE_LD environment variable. @@ -123,7 +123,11 @@ fips_premain_dso$(EXE_EXT): fips_premain.c $(FIPSLIBDIR)fipscanister.o ../libcrypto.a $(EX_LIBS) # this is executed only when linking with external fipscanister.o fips_standalone_sha1$(EXE_EXT): sha/fips_standalone_sha1.c - $(CC) $(CFLAGS) -DFIPSCANISTER_O -o $@ sha/fips_standalone_sha1.c $(FIPSLIBDIR)fipscanister.o $(EX_LIBS) + if [ -z $(HOSTCC) ] ; then \ + $(CC) $(CFLAGS) -DFIPSCANISTER_O -o $@ sha/fips_standalone_sha1.c $(FIPSLIBDIR)fipscanister.o $(EX_LIBS) ; \ + else \ + $(HOSTCC) $(HOSTCFLAGS) -o $ $@ -I../include -I../crypto sha/fips_standalone_sha1.c ../crypto/sha/sha1dgst.c ; \ + fi subdirs: @target=all; $(RECURSIVE_MAKE) @@ -188,8 +192,8 @@ install: done cp -p -f $(FIPSLIBDIR)fipscanister.o $(FIPSLIBDIR)fipscanister.o.sha1 \ $(FIPSLIBDIR)fips_premain.c $(FIPSLIBDIR)fips_premain.c.sha1 \ - $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \ - chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips* + $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/; \ + chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/fips* lint: @target=lint; $(RECURSIVE_MAKE) diff --git a/crypto/openssl/fips/aes/fips_aesavs.c b/crypto/openssl/fips/aes/fips_aesavs.c index 9ce613b..a3c8b40 100644 --- a/crypto/openssl/fips/aes/fips_aesavs.c +++ b/crypto/openssl/fips/aes/fips_aesavs.c @@ -89,7 +89,7 @@ int main(int argc, char *argv[]) /*-----------------------------------------------*/ -int AESTest(EVP_CIPHER_CTX *ctx, +static int AESTest(EVP_CIPHER_CTX *ctx, char *amode, int akeysz, unsigned char *aKey, unsigned char *iVec, int dir, /* 0 = decrypt, 1 = encrypt */ @@ -238,7 +238,7 @@ enum XCrypt {XDECRYPT, XENCRYPT}; #define gb(a,b) (((a)[(b)/8] >> (7-(b)%8))&1) #define sb(a,b,v) ((a)[(b)/8]=((a)[(b)/8]&~(1 << (7-(b)%8)))|(!!(v) << (7-(b)%8))) -int do_mct(char *amode, +static int do_mct(char *amode, int akeysz, unsigned char *aKey,unsigned char *iVec, int dir, unsigned char *text, int len, FILE *rfp) @@ -546,7 +546,7 @@ int do_mct(char *amode, # Fri Aug 30 04:07:22 PM ----------------------------*/ -int proc_file(char *rqfile, char *rspfile) +static int proc_file(char *rqfile, char *rspfile) { char afn[256], rfn[256]; FILE *afp = NULL, *rfp = NULL; @@ -767,7 +767,7 @@ int proc_file(char *rqfile, char *rspfile) err =1; break; } - if (len >= sizeof(plaintext)) + if (len >= (int)sizeof(plaintext)) { printf("Buffer overflow\n"); } diff --git a/crypto/openssl/fips/des/fips_desmovs.c b/crypto/openssl/fips/des/fips_desmovs.c index 2d3424c..f96a5ca 100644 --- a/crypto/openssl/fips/des/fips_desmovs.c +++ b/crypto/openssl/fips/des/fips_desmovs.c @@ -88,7 +88,7 @@ int main(int argc, char *argv[]) #define VERBOSE 0 -int DESTest(EVP_CIPHER_CTX *ctx, +static int DESTest(EVP_CIPHER_CTX *ctx, char *amode, int akeysz, unsigned char *aKey, unsigned char *iVec, int dir, /* 0 = decrypt, 1 = encrypt */ @@ -110,15 +110,10 @@ int DESTest(EVP_CIPHER_CTX *ctx, cipher = EVP_des_ede3_cfb64(); else if (strncasecmp(amode, "OFB", 3) == 0) cipher = EVP_des_ede3_ofb(); -#if 0 - else if(!strcasecmp(amode,"CFB1")) - { - ctx->cbits = 1; - ctx->cmode = EVP_CIPH_CFB_MODE; - } -#endif else if(!strcasecmp(amode,"CFB8")) cipher = EVP_des_ede3_cfb8(); + else if(!strcasecmp(amode,"CFB1")) + cipher = EVP_des_ede3_cfb1(); else { printf("Unknown mode: %s\n", amode); @@ -127,20 +122,22 @@ int DESTest(EVP_CIPHER_CTX *ctx, if (EVP_CipherInit_ex(ctx, cipher, NULL, aKey, iVec, dir) <= 0) return 0; + if(!strcasecmp(amode,"CFB1")) + M_EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS); EVP_Cipher(ctx, out, in, len); return 1; } - -void DebugValue(char *tag, unsigned char *val, int len) +#if 0 +static void DebugValue(char *tag, unsigned char *val, int len) { char obuf[2048]; int olen; olen = bin2hex(val, len, obuf); printf("%s = %.*s\n", tag, olen, obuf); } - -void shiftin(unsigned char *dst,unsigned char *src,int nbits) +#endif +static void shiftin(unsigned char *dst,unsigned char *src,int nbits) { int n; @@ -160,7 +157,7 @@ char *t_mode[6] = {"CBC","ECB","OFB","CFB1","CFB8","CFB64"}; enum Mode {CBC, ECB, OFB, CFB1, CFB8, CFB64}; int Sizes[6]={64,64,64,1,8,64}; -void do_mct(char *amode, +static void do_mct(char *amode, int akeysz, int numkeys, unsigned char *akey,unsigned char *ivec, int dir, unsigned char *text, int len, FILE *rfp) @@ -200,11 +197,11 @@ void do_mct(char *amode, if(imode != ECB) OutputValue("IV",ivec,8,rfp,0); OutputValue(t_tag[dir^1],text,len,rfp,imode == CFB1); - +#if 0 /* compensate for endianness */ if(imode == CFB1) text[0]<<=7; - +#endif memcpy(text0,text,8); for(j=0 ; j < 10000 ; ++j) @@ -267,7 +264,7 @@ void do_mct(char *amode, } } -int proc_file(char *rqfile, char *rspfile) +static int proc_file(char *rqfile, char *rspfile) { char afn[256], rfn[256]; FILE *afp = NULL, *rfp = NULL; @@ -535,7 +532,7 @@ int proc_file(char *rqfile, char *rspfile) err =1; break; } - if (len >= sizeof(plaintext)) + if (len >= (int)sizeof(plaintext)) { printf("Buffer overflow\n"); } diff --git a/crypto/openssl/fips/dsa/fips_dsa_key.c b/crypto/openssl/fips/dsa/fips_dsa_key.c index b5f8cfa..9f21033 100644 --- a/crypto/openssl/fips/dsa/fips_dsa_key.c +++ b/crypto/openssl/fips/dsa/fips_dsa_key.c @@ -78,7 +78,7 @@ void FIPS_corrupt_dsa_keygen(void) static int dsa_builtin_keygen(DSA *dsa); -int fips_check_dsa(DSA *dsa) +static int fips_check_dsa(DSA *dsa) { EVP_PKEY pk; unsigned char tbs[] = "DSA Pairwise Check Data"; diff --git a/crypto/openssl/fips/dsa/fips_dsa_sign.c b/crypto/openssl/fips/dsa/fips_dsa_sign.c index 32ea0b0..7a4d51d 100644 --- a/crypto/openssl/fips/dsa/fips_dsa_sign.c +++ b/crypto/openssl/fips/dsa/fips_dsa_sign.c @@ -70,6 +70,7 @@ * case of a DSA signature. */ +#if 0 int FIPS_dsa_size(DSA *r) { int ilen; @@ -83,6 +84,7 @@ int FIPS_dsa_size(DSA *r) */ return ilen * 2 + 6; } +#endif /* Tiny ASN1 encoder for DSA_SIG structure. We can assume r, s smaller than * 0x80 octets as by the DSA standards they will be less than 2^160 diff --git a/crypto/openssl/fips/dsa/fips_dsatest.c b/crypto/openssl/fips/dsa/fips_dsatest.c index c7e0f51..1aec089 100644 --- a/crypto/openssl/fips/dsa/fips_dsatest.c +++ b/crypto/openssl/fips/dsa/fips_dsatest.c @@ -69,7 +69,6 @@ #include <openssl/rand.h> #include <openssl/bio.h> #include <openssl/err.h> -#include <openssl/dsa.h> #include <openssl/bn.h> #ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> @@ -83,6 +82,7 @@ int main(int argc, char *argv[]) return(0); } #else +#include <openssl/dsa.h> #include <openssl/fips.h> #include <openssl/fips_rand.h> #include <openssl/dsa.h> diff --git a/crypto/openssl/fips/dsa/fips_dssvs.c b/crypto/openssl/fips/dsa/fips_dssvs.c index aa74e8e..45f4e1c 100644 --- a/crypto/openssl/fips/dsa/fips_dssvs.c +++ b/crypto/openssl/fips/dsa/fips_dssvs.c @@ -40,7 +40,7 @@ static void pbn(const char *name, BIGNUM *bn) return; } -void primes() +static void primes() { char buf[10240]; char lbuf[10240]; @@ -63,7 +63,7 @@ void primes() } } -void pqg() +static void pqg() { char buf[1024]; char lbuf[1024]; @@ -112,7 +112,7 @@ void pqg() } } -void pqgver() +static void pqgver() { char buf[1024]; char lbuf[1024]; @@ -131,6 +131,7 @@ void pqgver() fputs(buf,stdout); continue; } + fputs(buf, stdout); if(!strcmp(keyword,"[mod")) nmod=atoi(value); else if(!strcmp(keyword,"P")) @@ -158,12 +159,6 @@ void pqgver() fprintf(stderr, "Parse Error\n"); exit (1); } - pbn("P",p); - pbn("Q",q); - pbn("G",g); - pv("Seed",seed,20); - printf("c = %d\n",counter); - printf("H = %lx\n",h); dsa = FIPS_dsa_new(); if (!DSA_generate_parameters_ex(dsa, nmod,seed,20 ,&counter2,&h2,NULL)) { @@ -174,7 +169,7 @@ void pqgver() || (counter != counter2) || (h != h2)) printf("Result = F\n"); else - printf("Result = T\n"); + printf("Result = P\n"); BN_free(p); BN_free(q); BN_free(g); @@ -217,7 +212,7 @@ static int dss_paramcheck(int nmod, BIGNUM *p, BIGNUM *q, BIGNUM *g, return 1; } -void keyver() +static void keyver() { char buf[1024]; char lbuf[1024]; @@ -286,7 +281,7 @@ void keyver() if (!BN_mod_exp(Y2, g, X, p, ctx) || BN_cmp(Y2, Y)) printf("Result = F\n"); else - printf("Result = T\n"); + printf("Result = P\n"); } BN_free(X); BN_free(Y); @@ -304,7 +299,7 @@ void keyver() BN_free(Y2); } -void keypair() +static void keypair() { char buf[1024]; char lbuf[1024]; @@ -353,7 +348,7 @@ void keypair() } } -void siggen() +static void siggen() { char buf[1024]; char lbuf[1024]; @@ -426,7 +421,7 @@ void siggen() FIPS_dsa_free(dsa); } -void sigver() +static void sigver() { DSA *dsa=NULL; char buf[1024]; diff --git a/crypto/openssl/fips/fips_locl.h b/crypto/openssl/fips/fips_locl.h index 03fed36..b3ea289 100644 --- a/crypto/openssl/fips/fips_locl.h +++ b/crypto/openssl/fips/fips_locl.h @@ -64,6 +64,7 @@ int fips_set_owning_thread(void); void fips_set_selftest_fail(void); int fips_clear_owning_thread(void); unsigned char *fips_signature_witness(void); +int fips_check_rsa(RSA *rsa); #define FIPS_MAX_CIPHER_TEST_SIZE 16 diff --git a/crypto/openssl/fips/fips_test_suite.c b/crypto/openssl/fips/fips_test_suite.c index 78a15b7..2bc0ba9 100644 --- a/crypto/openssl/fips/fips_test_suite.c +++ b/crypto/openssl/fips/fips_test_suite.c @@ -18,9 +18,6 @@ #include <stdlib.h> #include <openssl/aes.h> #include <openssl/des.h> -#include <openssl/rsa.h> -#include <openssl/dsa.h> -#include <openssl/dh.h> #include <openssl/hmac.h> #include <openssl/err.h> @@ -37,6 +34,10 @@ int main(int argc, char *argv[]) } #else +#include <openssl/rsa.h> +#include <openssl/dsa.h> +#include <openssl/dh.h> + #include <openssl/fips.h> #include "fips_utl.h" @@ -379,7 +380,8 @@ static int Zeroize() BIGNUM *bn; unsigned char userkey[16] = { 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f, 0x83, 0x02, 0xb1, 0x09, 0x68 }; - int i, n; + size_t i; + int n; key = FIPS_rsa_new(); bn = BN_new(); @@ -410,13 +412,18 @@ static int Zeroize() } static int Error; -const char * Fail(const char *msg) +static const char * Fail(const char *msg) { do_print_errors(); Error++; return msg; } +static void test_msg(const char *msg, int result) + { + printf("%s...%s\n", msg, result ? "successful" : Fail("Failed!")); + } + int main(int argc,char **argv) { @@ -487,20 +494,14 @@ int main(int argc,char **argv) /* Non-Approved cryptographic operation */ printf("1. Non-Approved cryptographic operation test...\n"); - printf("\ta. Included algorithm (D-H)..."); - printf( dh_test() ? "successful\n" : Fail("FAILED!\n") ); + test_msg("\ta. Included algorithm (D-H)...", dh_test()); /* Power-up self test */ ERR_clear_error(); - printf("2. Automatic power-up self test..."); - if (!FIPS_mode_set(1)) - { - do_print_errors(); - printf(Fail("FAILED!\n")); + test_msg("2. Automatic power-up self test", FIPS_mode_set(1)); + if (!FIPS_mode()) exit(1); - } - printf("successful\n"); if (do_corrupt_dsa_keygen) FIPS_corrupt_dsa_keygen(); if (do_corrupt_rsa_keygen) @@ -510,76 +511,66 @@ int main(int argc,char **argv) /* AES encryption/decryption */ - printf("3. AES encryption/decryption..."); - printf( FIPS_aes_test() ? "successful\n" : Fail("FAILED!\n") ); + test_msg("3. AES encryption/decryption", FIPS_aes_test()); /* RSA key generation and encryption/decryption */ - printf("4. RSA key generation and encryption/decryption..."); - printf( FIPS_rsa_test(bad_rsa) ? "successful\n" : Fail("FAILED!\n") ); + test_msg("4. RSA key generation and encryption/decryption", + FIPS_rsa_test(bad_rsa)); /* DES-CBC encryption/decryption */ - printf("5. DES-ECB encryption/decryption..."); - printf( FIPS_des3_test() ? "successful\n" : Fail("FAILED!\n") ); + test_msg("5. DES-ECB encryption/decryption", FIPS_des3_test()); /* DSA key generation and signature validation */ - printf("6. DSA key generation and signature validation..."); - printf( FIPS_dsa_test(bad_dsa) ? "successful\n" : Fail("FAILED!\n") ); + test_msg("6. DSA key generation and signature validation", + FIPS_dsa_test(bad_dsa)); /* SHA-1 hash */ - printf("7a. SHA-1 hash..."); - printf( FIPS_sha1_test() ? "successful\n" : Fail("FAILED!\n") ); + test_msg("7a. SHA-1 hash", FIPS_sha1_test()); /* SHA-256 hash */ - printf("7b. SHA-256 hash..."); - printf( FIPS_sha256_test() ? "successful\n" : Fail("FAILED!\n") ); + test_msg("7b. SHA-256 hash", FIPS_sha256_test()); /* SHA-512 hash */ - printf("7c. SHA-512 hash..."); - printf( FIPS_sha512_test() ? "successful\n" : Fail("FAILED!\n") ); + test_msg("7c. SHA-512 hash", FIPS_sha512_test()); /* HMAC-SHA-1 hash */ - printf("7d. HMAC-SHA-1 hash..."); - printf( FIPS_hmac_sha1_test() ? "successful\n" : Fail("FAILED!\n") ); + test_msg("7d. HMAC-SHA-1 hash", FIPS_hmac_sha1_test()); /* HMAC-SHA-224 hash */ - printf("7e. HMAC-SHA-224 hash..."); - printf( FIPS_hmac_sha224_test() ? "successful\n" : Fail("FAILED!\n") ); + test_msg("7e. HMAC-SHA-224 hash", FIPS_hmac_sha224_test()); /* HMAC-SHA-256 hash */ - printf("7f. HMAC-SHA-256 hash..."); - printf( FIPS_hmac_sha256_test() ? "successful\n" : Fail("FAILED!\n") ); + test_msg("7f. HMAC-SHA-256 hash", FIPS_hmac_sha256_test()); /* HMAC-SHA-384 hash */ - printf("7g. HMAC-SHA-384 hash..."); - printf( FIPS_hmac_sha384_test() ? "successful\n" : Fail("FAILED!\n") ); + test_msg("7g. HMAC-SHA-384 hash", FIPS_hmac_sha384_test()); /* HMAC-SHA-512 hash */ - printf("7h. HMAC-SHA-512 hash..."); - printf( FIPS_hmac_sha512_test() ? "successful\n" : Fail("FAILED!\n") ); + test_msg("7h. HMAC-SHA-512 hash", FIPS_hmac_sha512_test()); /* Non-Approved cryptographic operation */ printf("8. Non-Approved cryptographic operation test...\n"); - printf("\ta. Included algorithm (D-H)..."); - printf( dh_test() ? "successful as expected\n" - : Fail("failed INCORRECTLY!\n") ); + printf("\ta. Included algorithm (D-H)...%s\n", + dh_test() ? "successful as expected" + : Fail("failed INCORRECTLY!") ); /* Zeroization */ - printf("9. Zero-ization...\n"); - printf( Zeroize() ? "\tsuccessful as expected\n" - : Fail("\tfailed INCORRECTLY!\n") ); + printf("9. Zero-ization...\n\t%s\n", + Zeroize() ? "successful as expected" + : Fail("failed INCORRECTLY!") ); printf("\nAll tests completed with %d errors\n", Error); return Error ? 1 : 0; diff --git a/crypto/openssl/fips/fips_utl.h b/crypto/openssl/fips/fips_utl.h index 02d4e44..85d9e12 100644 --- a/crypto/openssl/fips/fips_utl.h +++ b/crypto/openssl/fips/fips_utl.h @@ -47,6 +47,22 @@ * */ +void do_print_errors(void); +int hex2bin(const char *in, unsigned char *out); +unsigned char *hex2bin_m(const char *in, long *plen); +int do_hex2bn(BIGNUM **pr, const char *in); +int do_bn_print(FILE *out, BIGNUM *bn); +int do_bn_print_name(FILE *out, const char *name, BIGNUM *bn); +int parse_line(char **pkw, char **pval, char *linebuf, char *olinebuf); +BIGNUM *hex2bn(const char *in); +int bin2hex(const unsigned char *in,int len,char *out); +void pv(const char *tag,const unsigned char *val,int len); +int tidy_line(char *linebuf, char *olinebuf); +int bint2bin(const char *in, int len, unsigned char *out); +int bin2bint(const unsigned char *in,int len,char *out); +void PrintValue(char *tag, unsigned char *val, int len); +void OutputValue(char *tag, unsigned char *val, int len, FILE *rfp,int bitmode); + void do_print_errors(void) { const char *file, *data; diff --git a/crypto/openssl/fips/fipsalgtest.pl b/crypto/openssl/fips/fipsalgtest.pl index 44a5cca..851cc98 100755 --- a/crypto/openssl/fips/fipsalgtest.pl +++ b/crypto/openssl/fips/fipsalgtest.pl @@ -19,6 +19,12 @@ my @fips_dsa_test_list = ( ); +my @fips_dsa_pqgver_test_list = ( + + [ "PQGVer", "fips_dssvs pqgver" ] + +); + # RSA tests my @fips_rsa_test_list = ( @@ -304,6 +310,24 @@ my @fips_des3_test_list = ( ); +my @fips_des3_cfb1_test_list = ( + + # DES3 CFB1 tests + + [ "TCFB1invperm", "fips_desmovs -f" ], + [ "TCFB1MMT1", "fips_desmovs -f" ], + [ "TCFB1MMT2", "fips_desmovs -f" ], + [ "TCFB1MMT3", "fips_desmovs -f" ], + [ "TCFB1Monte1", "fips_desmovs -f" ], + [ "TCFB1Monte2", "fips_desmovs -f" ], + [ "TCFB1Monte3", "fips_desmovs -f" ], + [ "TCFB1permop", "fips_desmovs -f" ], + [ "TCFB1subtab", "fips_desmovs -f" ], + [ "TCFB1varkey", "fips_desmovs -f" ], + [ "TCFB1vartext", "fips_desmovs -f" ], + +); + # Verification special cases. # In most cases the output of a test is deterministic and # it can be compared to a known good result. A few involve @@ -342,6 +366,7 @@ my $list_tests = 0; my %fips_enabled = ( dsa => 1, + "dsa-pqgver" => 0, rsa => 1, "rsa-pss0" => 0, "rsa-pss62" => 1, @@ -351,7 +376,8 @@ my %fips_enabled = ( "rand-des2" => 0, aes => 1, "aes-cfb1" => 0, - des3 => 1 + des3 => 1, + "des3-cfb1" => 0 ); foreach (@ARGV) { @@ -417,6 +443,7 @@ foreach (@ARGV) { my @fips_test_list; push @fips_test_list, @fips_dsa_test_list if $fips_enabled{"dsa"}; +push @fips_test_list, @fips_dsa_pqgver_test_list if $fips_enabled{"dsa-pqgver"}; push @fips_test_list, @fips_rsa_test_list if $fips_enabled{"rsa"}; push @fips_test_list, @fips_rsa_pss0_test_list if $fips_enabled{"rsa-pss0"}; push @fips_test_list, @fips_rsa_pss62_test_list if $fips_enabled{"rsa-pss62"}; @@ -427,6 +454,7 @@ push @fips_test_list, @fips_rand_des2_test_list if $fips_enabled{"rand-des2"}; push @fips_test_list, @fips_aes_test_list if $fips_enabled{"aes"}; push @fips_test_list, @fips_aes_cfb1_test_list if $fips_enabled{"aes-cfb1"}; push @fips_test_list, @fips_des3_test_list if $fips_enabled{"des3"}; +push @fips_test_list, @fips_des3_cfb1_test_list if $fips_enabled{"des3-cfb1"}; if ($list_tests) { my ( $test, $en ); @@ -525,7 +553,7 @@ $cmd: generate run CMVP algorithm tests --dir=<dirname> Optional root for *.req file search --filter=<regexp> --onedir <dirname> Assume all components in current directory - --rspdir=<dirname> Name of subdirectories containing *.rsp files, default "resp" + --rspdir=<dirname> Name of subdirectories containing *.rsp files, default "rsp" --shwrap_prefix=<prefix> --tprefix=<prefix> --ignore-bogus Ignore duplicate or bogus files @@ -533,7 +561,16 @@ $cmd: generate run CMVP algorithm tests --quiet Shhh.... --generate Generate algorithm test output --win32 Win32 environment + --enable-<alg> Enable algorithm set <alg>. + --disable-<alg> Disable algorithm set <alg>. + Where <alg> can be one of: EOF + +while (my ($key, $value) = each %fips_enabled) + { + printf "\t\t%-20s(%s by default)\n", $key , + $value ? "enabled" : "disabled"; + } } # Sanity check to see if all necessary executables exist @@ -720,10 +757,10 @@ sub run_tests { } my $cmd = "$cmd_prefix$tprefix$tcmd "; if ( $tcmd =~ /-f$/ ) { - $cmd .= "$req $out"; + $cmd .= "\"$req\" \"$out\""; } else { - $cmd .= "<$req >$out"; + $cmd .= "<\"$req\" >\"$out\""; } print STDERR "DEBUG: running test $tname\n" if ( $debug && !$verify ); system($cmd); @@ -739,7 +776,7 @@ sub run_tests { $vout =~ s/\.rsp$/.ver/; $tcmd = $verify_special{$tname}; $cmd = "$cmd_prefix$tprefix$tcmd "; - $cmd .= "<$out >$vout"; + $cmd .= "<\"$out\" >\"$vout\""; system($cmd); if ( $? != 0 ) { print STDERR @@ -806,11 +843,11 @@ sub cmp_file { return 1; } if ( !defined($rspline) ) { - print STDERR "ERROR: $tname EOF on $rspf\n"; + print STDERR "ERROR: $tname EOF on $rsp\n"; return 0; } if ( !defined($tstline) ) { - print STDERR "ERROR: $tname EOF on $tstf\n"; + print STDERR "ERROR: $tname EOF on $tst\n"; return 0; } @@ -821,7 +858,7 @@ sub cmp_file { if ( $tstline ne $rspline ) { print STDERR "ERROR: $tname mismatch:\n"; - print STDERR "\t $tstline != $rspline\n"; + print STDERR "\t \"$tstline\" != \"$rspline\"\n"; return 0; } } @@ -842,6 +879,8 @@ sub next_line { # Translate multiple space into one s/\s+/ /g; + # Delete trailing whitespace + s/\s+$//; return $_; } return undef; diff --git a/crypto/openssl/fips/fipsld b/crypto/openssl/fips/fipsld index c71d4d9..8c26c85 100755 --- a/crypto/openssl/fips/fipsld +++ b/crypto/openssl/fips/fipsld @@ -117,7 +117,11 @@ lib*|*.dll) # must be linking a shared lib... ${_WL_PREMAIN} "$@" # generate signature... - SIG=`"${THERE}/fips/fips_premain_dso" "${TARGET}"` + if [ -z "${FIPS_SIG}" ]; then + SIG=`"${THERE}/fips/fips_premain_dso" "${TARGET}"` + else + SIG=`"${FIPS_SIG}" -dso "${TARGET}"` + fi /bin/rm -f "${TARGET}" if [ -z "${SIG}" ]; then echo "unable to collect signature"; exit 1 @@ -156,7 +160,11 @@ lib*|*.dll) # must be linking a shared lib... ${_WL_PREMAIN} "$@" # generate signature... - SIG=`"${TARGET}"` + if [ -z "${FIPS_SIG}" ]; then + SIG=`"${TARGET}"` + else + SIG=`"${FIPS_SIG}" -exe "${TARGET}"` + fi /bin/rm -f "${TARGET}" if [ -z "${SIG}" ]; then echo "unable to collect signature"; exit 1 diff --git a/crypto/openssl/fips/hmac/fips_hmac.c b/crypto/openssl/fips/hmac/fips_hmac.c index 7c49c98..69a10da 100644 --- a/crypto/openssl/fips/hmac/fips_hmac.c +++ b/crypto/openssl/fips/hmac/fips_hmac.c @@ -88,7 +88,7 @@ void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, reset=1; j=M_EVP_MD_block_size(md); - OPENSSL_assert(j <= sizeof ctx->key); + OPENSSL_assert(j <= (int)sizeof ctx->key); if (j < len) { EVP_DigestInit_ex(&ctx->md_ctx,md, impl); @@ -98,7 +98,7 @@ void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, } else { - OPENSSL_assert(len <= sizeof ctx->key); + OPENSSL_assert(len <= (int)sizeof ctx->key); memcpy(ctx->key,key,len); ctx->key_length=len; } diff --git a/crypto/openssl/fips/hmac/fips_hmac_selftest.c b/crypto/openssl/fips/hmac/fips_hmac_selftest.c index a697770..73455ff 100644 --- a/crypto/openssl/fips/hmac/fips_hmac_selftest.c +++ b/crypto/openssl/fips/hmac/fips_hmac_selftest.c @@ -111,7 +111,7 @@ static const HMAC_KAT vector[] = { int FIPS_selftest_hmac() { - int n; + size_t n; unsigned int outlen; unsigned char out[EVP_MAX_MD_SIZE]; const EVP_MD *md; diff --git a/crypto/openssl/fips/rand/fips_rand.c b/crypto/openssl/fips/rand/fips_rand.c index 58453e9..9492b15 100644 --- a/crypto/openssl/fips/rand/fips_rand.c +++ b/crypto/openssl/fips/rand/fips_rand.c @@ -114,7 +114,7 @@ void FIPS_rng_stick(void) fips_prng_fail = 1; } -void fips_rand_prng_reset(FIPS_PRNG_CTX *ctx) +static void fips_rand_prng_reset(FIPS_PRNG_CTX *ctx) { ctx->seeded = 0; ctx->keyed = 0; @@ -192,7 +192,7 @@ static int fips_set_prng_seed(FIPS_PRNG_CTX *ctx, return 1; } -int fips_set_test_mode(FIPS_PRNG_CTX *ctx) +static int fips_set_test_mode(FIPS_PRNG_CTX *ctx) { if (ctx->keyed) { diff --git a/crypto/openssl/fips/rand/fips_rngvs.c b/crypto/openssl/fips/rand/fips_rngvs.c index cb904ea..80a8017 100644 --- a/crypto/openssl/fips/rand/fips_rngvs.c +++ b/crypto/openssl/fips/rand/fips_rngvs.c @@ -31,7 +31,7 @@ int main(int argc, char **argv) #include "fips_utl.h" -void vst() +static void vst() { unsigned char *key = NULL; unsigned char *v = NULL; @@ -108,7 +108,7 @@ void vst() } } -void mct() +static void mct() { unsigned char *key = NULL; unsigned char *v = NULL; diff --git a/crypto/openssl/fips/rsa/fips_rsagtest.c b/crypto/openssl/fips/rsa/fips_rsagtest.c index 33a3d7a..657e1b6 100644 --- a/crypto/openssl/fips/rsa/fips_rsagtest.c +++ b/crypto/openssl/fips/rsa/fips_rsagtest.c @@ -63,7 +63,6 @@ #include <openssl/evp.h> #include <openssl/hmac.h> #include <openssl/err.h> -#include <openssl/rsa.h> #include <openssl/bn.h> #include <openssl/x509v3.h> @@ -77,6 +76,7 @@ int main(int argc, char *argv[]) #else +#include <openssl/rsa.h> #include "fips_utl.h" int rsa_test(FILE *out, FILE *in); diff --git a/crypto/openssl/fips/rsa/fips_rsastest.c b/crypto/openssl/fips/rsa/fips_rsastest.c index 16c174a..452084f 100644 --- a/crypto/openssl/fips/rsa/fips_rsastest.c +++ b/crypto/openssl/fips/rsa/fips_rsastest.c @@ -63,7 +63,6 @@ #include <openssl/evp.h> #include <openssl/hmac.h> #include <openssl/err.h> -#include <openssl/rsa.h> #include <openssl/bn.h> #include <openssl/x509v3.h> @@ -77,6 +76,7 @@ int main(int argc, char *argv[]) #else +#include <openssl/rsa.h> #include "fips_utl.h" static int rsa_stest(FILE *out, FILE *in, int Saltlen); diff --git a/crypto/openssl/fips/rsa/fips_rsavtest.c b/crypto/openssl/fips/rsa/fips_rsavtest.c index 6340f19..aadab27 100644 --- a/crypto/openssl/fips/rsa/fips_rsavtest.c +++ b/crypto/openssl/fips/rsa/fips_rsavtest.c @@ -65,7 +65,6 @@ #include <openssl/err.h> #include <openssl/x509v3.h> #include <openssl/bn.h> -#include <openssl/rsa.h> #ifndef OPENSSL_FIPS @@ -77,6 +76,8 @@ int main(int argc, char *argv[]) #else +#include <openssl/rsa.h> + #include "fips_utl.h" int rsa_test(FILE *out, FILE *in, int saltlen); diff --git a/crypto/openssl/fips/sha/Makefile b/crypto/openssl/fips/sha/Makefile index a661640..0f8cca9 100644 --- a/crypto/openssl/fips/sha/Makefile +++ b/crypto/openssl/fips/sha/Makefile @@ -46,8 +46,12 @@ lib: $(LIBOBJ) @echo $(LIBOBJ) > lib ../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o + if [ -z "$(HOSTCC)" ] ; then \ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \ - $(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM + $(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM ; \ + else \ + $(HOSTCC) $(HOSTCFLAGS) -o $ $@ -I../../include -I../../crypto fips_standalone_sha1.c ../../crypto/sha/sha1dgst.c ; \ + fi files: $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO diff --git a/crypto/openssl/fips/sha/fips_sha1_selftest.c b/crypto/openssl/fips/sha/fips_sha1_selftest.c index ba6a29e..4c0d463 100644 --- a/crypto/openssl/fips/sha/fips_sha1_selftest.c +++ b/crypto/openssl/fips/sha/fips_sha1_selftest.c @@ -78,7 +78,7 @@ void FIPS_corrupt_sha1() int FIPS_selftest_sha1() { - int n; + size_t n; for(n=0 ; n<sizeof(test)/sizeof(test[0]) ; ++n) { |