author | Ben Laurie <ben@openssl.org> | 2003-07-27 21:00:51 +0400 |
---|---|---|
committer | Ben Laurie <ben@openssl.org> | 2003-07-27 21:00:51 +0400 |
commit | 75622f1ece530cab5ee1864c8d1e3d2dec5d6913 (patch) | |
tree | 6d4c63b1c0c66f76236f4985722c5e3a548175b7 /crypto | |
parent | a052dd6532321ebb01936d1dcdb99481f741ad6a (diff) |
Unfinished FIPS stuff for review/improvement.
Diffstat (limited to 'crypto')
31 files changed, 173 insertions, 57 deletions
diff --git a/crypto/aes/Makefile.ssl b/crypto/aes/Makefile.ssl index 364d05bbfe..a39bc9065e 100644 --- a/crypto/aes/Makefile.ssl +++ b/crypto/aes/Makefile.ssl @@ -91,7 +91,8 @@ aes_cbc.o: ../../include/openssl/opensslconf.h aes_cbc.c aes_locl.h aes_cfb.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h aes_cfb.o: ../../include/openssl/opensslconf.h aes_cfb.c aes_locl.h aes_core.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h -aes_core.o: ../../include/openssl/opensslconf.h aes_core.c aes_locl.h +aes_core.o: ../../include/openssl/fips.h ../../include/openssl/opensslconf.h +aes_core.o: aes_core.c aes_locl.h aes_ctr.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h aes_ctr.o: ../../include/openssl/opensslconf.h aes_ctr.c aes_locl.h aes_ecb.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h diff --git a/crypto/aes/aes_core.c b/crypto/aes/aes_core.c index 2f41a825f8..0b925a8566 100644 --- a/crypto/aes/aes_core.c +++ b/crypto/aes/aes_core.c @@ -37,8 +37,11 @@ #include <stdlib.h> #include <openssl/aes.h> +#include <openssl/fips.h> #include "aes_locl.h" +#ifndef FIPS + /* Te0[x] = S [x].[02, 01, 01, 03]; Te1[x] = S [x].[03, 02, 01, 01]; @@ -1255,3 +1258,4 @@ void AES_decrypt(const unsigned char *in, unsigned char *out, PUTU32(out + 12, s3); } +#endif /* ndef FIPS */ diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c index 2924def2bb..8fe063ff5e 100644 --- a/crypto/cryptlib.c +++ b/crypto/cryptlib.c @@ -66,6 +66,11 @@ static double SSLeay_MSVC5_hack=0.0; /* and for VC1.5 */ #endif +#ifdef FIPS +int FIPS_mode; +void *FIPS_rand_check; +#endif /* def FIPS */ + DECLARE_STACK_OF(CRYPTO_dynlock) IMPLEMENT_STACK_OF(CRYPTO_dynlock) diff --git a/crypto/des/des.h b/crypto/des/des.h index daaf239dbe..bb3a0e299d 100644 --- a/crypto/des/des.h +++ b/crypto/des/des.h 
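Review bot: `FIPS_mode` and `FIPS_rand_check` are added to crypto/cryptlib.c as plain writable globals, and every gate elsewhere in this commit reads them directly (`if(FIPS_mode && ...)`), so any code linked into the process can clear the flag or repoint the check value without a gate noticing. Consider keeping the variables `static` and exposing them through accessor functions, so the mode can only change along one audited path. At minimum add a comment such as `/* non-zero once FIPS mode is enabled; must not be cleared afterwards */`. Whether clearing the flag is meant to be allowed is not visible in this hunk.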
@@ -128,7 +128,7 @@ OPENSSL_DECLARE_GLOBAL(int,DES_rw_mode); /* defaults to DES_PCBC_MODE */ #define DES_rw_mode OPENSSL_GLOBAL_REF(DES_rw_mode) const char *DES_options(void); -void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output, +void DES_ecb3_encrypt(const unsigned char *input, unsigned char *output, DES_key_schedule *ks1,DES_key_schedule *ks2, DES_key_schedule *ks3, int enc); DES_LONG DES_cbc_cksum(const unsigned char *input,DES_cblock *output, diff --git a/crypto/des/des_old.c b/crypto/des/des_old.c index 7e4cd7180d..88e9802aad 100644 --- a/crypto/des/des_old.c +++ b/crypto/des/des_old.c @@ -84,7 +84,7 @@ void _ossl_old_des_ecb3_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock des_key_schedule ks1,des_key_schedule ks2, des_key_schedule ks3, int enc) { - DES_ecb3_encrypt((const_DES_cblock *)input, output, + DES_ecb3_encrypt((const unsigned char *)input, (unsigned char *)output, (DES_key_schedule *)ks1, (DES_key_schedule *)ks2, (DES_key_schedule *)ks3, enc); } diff --git a/crypto/des/destest.c b/crypto/des/destest.c index 3983ac8e5f..e3e9d77f14 100644 --- a/crypto/des/destest.c +++ b/crypto/des/destest.c @@ -439,8 +439,8 @@ int main(int argc, char *argv[]) memcpy(in,plain_data[i],8); memset(out,0,8); memset(outin,0,8); - des_ecb2_encrypt(&in,&out,ks,ks2,DES_ENCRYPT); - des_ecb2_encrypt(&out,&outin,ks,ks2,DES_DECRYPT); + des_ecb2_encrypt(in,out,ks,ks2,DES_ENCRYPT); + des_ecb2_encrypt(out,outin,ks,ks2,DES_DECRYPT); if (memcmp(out,cipher_ecb2[i],8) != 0) { diff --git a/crypto/des/ecb3_enc.c b/crypto/des/ecb3_enc.c index c3437bc606..fa0c9c4d4f 100644 --- a/crypto/des/ecb3_enc.c +++ b/crypto/des/ecb3_enc.c 
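Review bot: The new prototype `DES_ecb3_encrypt(const unsigned char *input, unsigned char *output, ...)` in des.h no longer carries the block size in its parameter types, so the compiler cannot flag a caller that passes a shorter buffer. The same change is made to the definition in crypto/des/ecb3_enc.c, and the call sites in des_old.c and e_des3.c now pass plain byte pointers. Add a comment above the prototype, for example `/* input and output must each point to at least 8 bytes (one DES block) */`.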
@@ -58,15 +58,13 @@ #include "des_locl.h" -void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output, +void DES_ecb3_encrypt(const unsigned char *in, unsigned char *out, DES_key_schedule *ks1, DES_key_schedule *ks2, DES_key_schedule *ks3, int enc) { register DES_LONG l0,l1; DES_LONG ll[2]; - const unsigned char *in = &(*input)[0]; - unsigned char *out = &(*output)[0]; c2l(in,l0); c2l(in,l1); diff --git a/crypto/dsa/Makefile.ssl b/crypto/dsa/Makefile.ssl index 014d006347..045d302ce8 100644 --- a/crypto/dsa/Makefile.ssl +++ b/crypto/dsa/Makefile.ssl @@ -153,7 +153,8 @@ dsa_sign.o: ../../e_os.h ../../include/openssl/asn1.h dsa_sign.o: ../../include/openssl/bio.h ../../include/openssl/bn.h dsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h dsa_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h -dsa_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +dsa_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h +dsa_sign.o: ../../include/openssl/err.h ../../include/openssl/fips.h dsa_sign.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h dsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h dsa_sign.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h 
@@ -164,8 +165,10 @@ dsa_vrf.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h dsa_vrf.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h dsa_vrf.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h dsa_vrf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h -dsa_vrf.o: ../../include/openssl/err.h ../../include/openssl/lhash.h +dsa_vrf.o: ../../include/openssl/engine.h ../../include/openssl/err.h +dsa_vrf.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h dsa_vrf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h dsa_vrf.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h -dsa_vrf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -dsa_vrf.o: ../../include/openssl/symhacks.h ../cryptlib.h dsa_vrf.c +dsa_vrf.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h +dsa_vrf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +dsa_vrf.o: ../../include/openssl/ui.h ../cryptlib.h dsa_vrf.c diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index b9e7f3ea5c..f95ffa9fe1 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -65,6 +65,7 @@ #include <openssl/rand.h> #include <openssl/asn1.h> +#ifndef FIPS static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, @@ -346,3 +347,4 @@ static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p, { return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); } +#endif diff --git a/crypto/dsa/dsa_sign.c b/crypto/dsa/dsa_sign.c index 89205026f0..03846e539b 100644 --- a/crypto/dsa/dsa_sign.c +++ b/crypto/dsa/dsa_sign.c 
@@ -64,9 +64,17 @@ #include <openssl/dsa.h> #include <openssl/rand.h> #include <openssl/asn1.h> +#ifndef OPENSSL_NO_ENGINE +#include <openssl/engine.h> +#endif +#include <openssl/fips.h> DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { +#ifdef FIPS + if(FIPS_mode && !FIPS_dsa_check(dsa)) + return NULL; +#endif return dsa->meth->dsa_do_sign(dgst, dlen, dsa); } @@ -87,6 +95,10 @@ int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig, int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) { +#ifdef FIPS + if(FIPS_mode && !FIPS_dsa_check(dsa)) + return 0; +#endif return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp); } diff --git a/crypto/dsa/dsa_vrf.c b/crypto/dsa/dsa_vrf.c index c4aeddd056..d8728a0ebc 100644 --- a/crypto/dsa/dsa_vrf.c +++ b/crypto/dsa/dsa_vrf.c @@ -65,10 +65,18 @@ #include <openssl/rand.h> #include <openssl/asn1.h> #include <openssl/asn1_mac.h> +#ifndef OPENSSL_NO_ENGINE +#include <openssl/engine.h> +#endif +#include <openssl/fips.h> int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) { +#ifdef FIPS + if(FIPS_mode && !FIPS_dsa_check(dsa)) + return -1; +#endif return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa); } diff --git a/crypto/engine/engine.h b/crypto/engine/engine.h index 8686879e1a..84fb5a2a62 100644 --- a/crypto/engine/engine.h +++ b/crypto/engine/engine.h @@ -630,6 +630,10 @@ typedef int (*dynamic_bind_engine)(ENGINE *e, const char *id, if(!fn(e,id)) return 0; \ return 1; } +#if defined(__OpenBSD__) || defined(__FreeBSD__) +void ENGINE_setup_bsd_cryptodev(void); +#endif + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. diff --git a/crypto/err/err.h b/crypto/err/err.h index 988ef81aa0..1ba9913b64 100644 --- a/crypto/err/err.h +++ b/crypto/err/err.h 
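Review bot: When `FIPS_dsa_check(dsa)` fails, `DSA_do_sign` returns NULL without putting anything on the error queue, so the caller cannot tell a FIPS refusal from an allocation or signing failure. The same silent return is added to `DSA_sign_setup` in this file and to `DSA_do_verify` in crypto/dsa/dsa_vrf.c, whereas the gates added to md32_common.h and md_rand.c in this commit do call `FIPSerr(...)`. Raise an error before each return unless `FIPS_dsa_check` already does so; its body is not visible here.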
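Review bot: The gate added to `DSA_do_verify` in dsa_vrf.c returns -1, which is non-zero, so a caller that tests the result as a boolean would treat a FIPS refusal as a valid signature. The value matches how this function already reports errors, so the fix is documentation rather than a different return code. Add a comment on the function such as `/* returns 1 if valid, 0 if invalid, -1 on error; callers must compare with 1 */`.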
@@ -131,6 +131,7 @@ typedef struct err_state_st #define ERR_LIB_OCSP 39 #define ERR_LIB_UI 40 #define ERR_LIB_COMP 41 +#define ERR_LIB_FIPS 42 #define ERR_LIB_USER 128 @@ -159,6 +160,7 @@ typedef struct err_state_st #define OCSPerr(f,r) ERR_PUT_error(ERR_LIB_OCSP,(f),(r),__FILE__,__LINE__) #define UIerr(f,r) ERR_PUT_error(ERR_LIB_UI,(f),(r),__FILE__,__LINE__) #define COMPerr(f,r) ERR_PUT_error(ERR_LIB_COMP,(f),(r),__FILE__,__LINE__) +#define FIPSerr(f,r) ERR_PUT_error(ERR_LIB_FIPS,(f),(r),__FILE__,__LINE__) /* Borland C seems too stupid to be able to shift and do longs in * the pre-processor :-( */ diff --git a/crypto/err/err_all.c b/crypto/err/err_all.c index dc505d9d9d..c8e2dafd93 100644 --- a/crypto/err/err_all.c +++ b/crypto/err/err_all.c @@ -87,6 +87,7 @@ #endif #include <openssl/ocsp.h> #include <openssl/err.h> +#include <openssl/fips.h> void ERR_load_crypto_strings(void) { @@ -130,4 +131,7 @@ void ERR_load_crypto_strings(void) ERR_load_OCSP_strings(); ERR_load_UI_strings(); #endif +#ifdef FIPS + ERR_load_FIPS_strings(); +#endif } diff --git a/crypto/err/openssl.ec b/crypto/err/openssl.ec index 29a69dfdd4..378fbb9242 100644 --- a/crypto/err/openssl.ec +++ b/crypto/err/openssl.ec @@ -27,6 +27,7 @@ L DSO crypto/dso/dso.h crypto/dso/dso_err.c L ENGINE crypto/engine/engine.h crypto/engine/eng_err.c L OCSP crypto/ocsp/ocsp.h crypto/ocsp/ocsp_err.c L UI crypto/ui/ui.h crypto/ui/ui_err.c +L FIPS fips/fips.h fips/fips_err.c # additional header files to be scanned for function names L NONE crypto/x509/x509_vfy.h NONE diff --git a/crypto/evp/Makefile.ssl b/crypto/evp/Makefile.ssl index 3279be5bda..772afd71f5 100644 --- a/crypto/evp/Makefile.ssl +++ b/crypto/evp/Makefile.ssl 
@@ -185,13 +185,14 @@ c_all.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h c_all.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h c_all.o: ../../include/openssl/des.h ../../include/openssl/des_old.h c_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h -c_all.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -c_all.o: ../../include/openssl/evp.h ../../include/openssl/idea.h -c_all.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h -c_all.o: ../../include/openssl/md4.h ../../include/openssl/md5.h -c_all.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h -c_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h -c_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +c_all.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h +c_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h +c_all.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h +c_all.o: ../../include/openssl/md2.h ../../include/openssl/md4.h +c_all.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h +c_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +c_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +c_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h c_all.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h c_all.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h c_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h diff --git a/crypto/evp/c_all.c b/crypto/evp/c_all.c index 1b31a14e37..879d84ae79 100644 --- a/crypto/evp/c_all.c +++ b/crypto/evp/c_all.c @@ -59,6 +59,7 @@ #include <stdio.h> #include "cryptlib.h" #include <openssl/evp.h> +#include <openssl/engine.h> #if 0 #undef OpenSSL_add_all_algorithms diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index fe8bcda631..581e8f7fa2 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c 
@@ -85,16 +85,24 @@ IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY, NULL) static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc) { + const unsigned char *iv, int enc) + { + int ret; if ((ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_CFB_MODE || (ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_OFB_MODE || enc) - AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data); + ret=AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data); else - AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data); + ret=AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data); + + if(ret < 0) + { + EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED); + return 0; + } return 1; -} + } #endif diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c index 077860e7b6..95a9d68ac7 100644 --- a/crypto/evp/e_des3.c +++ b/crypto/evp/e_des3.c @@ -85,7 +85,7 @@ static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) { BLOCK_CIPHER_ecb_loop() - DES_ecb3_encrypt((DES_cblock *)(in + i), (DES_cblock *)(out + i), + DES_ecb3_encrypt(in + i,out + i, &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, ctx->encrypt); diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h index 45a25f968d..daf181ff8f 100644 --- a/crypto/evp/evp.h +++ b/crypto/evp/evp.h @@ -823,6 +823,7 @@ void ERR_load_EVP_strings(void); /* Error codes for the EVP functions. */ /* Function codes. */ +#define EVP_F_AES_INIT_KEY 129 #define EVP_F_D2I_PKEY 100 #define EVP_F_EVP_CIPHERINIT 123 #define EVP_F_EVP_CIPHER_CTX_CTRL 124 @@ -853,6 +854,7 @@ void ERR_load_EVP_strings(void); #define EVP_F_RC5_CTRL 125 /* Reason codes. */ +#define EVP_R_AES_KEY_SETUP_FAILED 140 #define EVP_R_BAD_BLOCK_LENGTH 136 #define EVP_R_BAD_DECRYPT 100 #define EVP_R_BAD_KEY_LENGTH 137 diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c index 3a23d21c21..be6d442521 100644 --- a/crypto/evp/evp_err.c +++ b/crypto/evp/evp_err.c 
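Review bot: The new check `if(ret < 0)` in `aes_init_key` only catches negative results from `AES_set_encrypt_key` and `AES_set_decrypt_key`. This commit compiles the code in crypto/aes/aes_core.c out under `#ifndef FIPS`, so in a FIPS build those functions presumably come from elsewhere and their failure convention is not visible here. If 0 is the only success value, `if(ret != 0)` would be the safer test; otherwise add a comment stating the convention the check relies on.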
@@ -1,6 +1,6 @@ /* crypto/evp/evp_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -66,6 +66,7 @@ #ifndef OPENSSL_NO_ERR static ERR_STRING_DATA EVP_str_functs[]= { +{ERR_PACK(0,EVP_F_AES_INIT_KEY,0), "AES_INIT_KEY"}, {ERR_PACK(0,EVP_F_D2I_PKEY,0), "D2I_PKEY"}, {ERR_PACK(0,EVP_F_EVP_CIPHERINIT,0), "EVP_CipherInit"}, {ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_CTRL,0), "EVP_CIPHER_CTX_ctrl"}, @@ -99,6 +100,7 @@ static ERR_STRING_DATA EVP_str_functs[]= static ERR_STRING_DATA EVP_str_reasons[]= { +{EVP_R_AES_KEY_SETUP_FAILED ,"aes key setup failed"}, {EVP_R_BAD_BLOCK_LENGTH ,"bad block length"}, {EVP_R_BAD_DECRYPT ,"bad decrypt"}, {EVP_R_BAD_KEY_LENGTH ,"bad key length"}, diff --git a/crypto/md32_common.h b/crypto/md32_common.h index 573850b122..6d65c52fcd 100644 --- a/crypto/md32_common.h +++ b/crypto/md32_common.h @@ -128,6 +128,9 @@ * <appro@fy.chalmers.se> */ +#include <openssl/fips.h> +#include <openssl/err.h> + #if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN) #error "DATA_ORDER must be defined!" #endif @@ -555,6 +558,14 @@ int HASH_FINAL (unsigned char *md, HASH_CTX *c) static const unsigned char end[4]={0x80,0x00,0x00,0x00}; const unsigned char *cp=end; +#ifdef FIPS + if(FIPS_mode) + { + FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD); + return 0; + } +#endif + /* c->num should definitly have room for at least one more byte. */ p=c->data; i=c->num>>2; diff --git a/crypto/md4/Makefile.ssl b/crypto/md4/Makefile.ssl index 4d2d7369e6..0b81e6fe36 100644 --- a/crypto/md4/Makefile.ssl +++ b/crypto/md4/Makefile.ssl 
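Review bot: The FIPS gate in `HASH_FINAL` (md32_common.h) returns 0 before anything is written to `md`, so a caller that ignores the return value goes on to use whatever was already in its digest buffer. The same pattern is added to `ssleay_rand_bytes` in crypto/rand/md_rand.c, where `buf` is left unfilled. Clear the output buffer before returning, or refuse earlier, so that an unchecked call cannot pass stale memory off as a digest or as random bytes. The Makefile hunks on this page also show sha1dgst.o and sha_dgst.o picking up fips.h through md32_common.h, so this gate may refuse SHA-1 as well unless the FIPS build replaces that file. `HASH_FINAL` continues outside the hunk.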
@@ -80,10 +80,13 @@ clean: # DO NOT DELETE THIS LINE -- make depend depends on it. -md4_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/md4.h -md4_dgst.o: ../../include/openssl/opensslconf.h -md4_dgst.o: ../../include/openssl/opensslv.h ../md32_common.h md4_dgst.c -md4_dgst.o: md4_locl.h +md4_dgst.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h +md4_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +md4_dgst.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h +md4_dgst.o: ../../include/openssl/md4.h ../../include/openssl/opensslconf.h +md4_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h +md4_dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +md4_dgst.o: ../md32_common.h md4_dgst.c md4_locl.h md4_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h md4_one.o: ../../include/openssl/md4.h ../../include/openssl/opensslconf.h md4_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h diff --git a/crypto/md5/Makefile.ssl b/crypto/md5/Makefile.ssl index 2d4df972ff..55d2cd9b0b 100644 --- a/crypto/md5/Makefile.ssl +++ b/crypto/md5/Makefile.ssl 
@@ -116,10 +116,13 @@ clean: # DO NOT DELETE THIS LINE -- make depend depends on it. -md5_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/md5.h -md5_dgst.o: ../../include/openssl/opensslconf.h -md5_dgst.o: ../../include/openssl/opensslv.h ../md32_common.h md5_dgst.c -md5_dgst.o: md5_locl.h +md5_dgst.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h +md5_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +md5_dgst.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h +md5_dgst.o: ../../include/openssl/md5.h ../../include/openssl/opensslconf.h +md5_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h +md5_dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +md5_dgst.o: ../md32_common.h md5_dgst.c md5_locl.h md5_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h md5_one.o: ../../include/openssl/md5.h ../../include/openssl/opensslconf.h md5_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h diff --git a/crypto/rand/Makefile.ssl b/crypto/rand/Makefile.ssl index b25421e3ab..a89912c3a4 100644 --- a/crypto/rand/Makefile.ssl +++ b/crypto/rand/Makefile.ssl 
@@ -88,19 +88,19 @@ md_rand.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h md_rand.o: ../../include/openssl/des.h ../../include/openssl/des_old.h md_rand.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h md_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -md_rand.o: ../../include/openssl/evp.h ../../include/openssl/idea.h -md_rand.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h -md_rand.o: ../../include/openssl/md4.h ../../include/openssl/md5.h -md_rand.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h -md_rand.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h -md_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h -md_rand.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h -md_rand.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h -md_rand.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h -md_rand.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h -md_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -md_rand.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h -md_rand.o: md_rand.c rand_lcl.h +md_rand.o: ../../include/openssl/evp.h ../../include/openssl/fips.h +md_rand.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h +md_rand.o: ../../include/openssl/md2.h ../../include/openssl/md4.h +md_rand.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h +md_rand.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +md_rand.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +md_rand.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h +md_rand.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h +md_rand.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h +md_rand.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h +md_rand.o: ../../include/openssl/sha.h ../../include/openssl/stack.h 
+md_rand.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h +md_rand.o: ../../include/openssl/ui_compat.h md_rand.c rand_lcl.h rand_egd.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h rand_egd.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h rand_egd.o: rand_egd.c @@ -114,15 +114,17 @@ rand_err.o: rand_err.c rand_lib.o: ../../e_os.h ../../include/openssl/asn1.h rand_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h rand_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h +rand_lib.o: ../../include/openssl/des.h ../../include/openssl/des_old.h rand_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h rand_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h -rand_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h +rand_lib.o: ../../include/openssl/err.h ../../include/openssl/fips.h +rand_lib.o: ../../include/openssl/fips_rand.h ../../include/openssl/lhash.h rand_lib.o: ../../include/openssl/opensslconf.h rand_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rand_lib.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h rand_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h rand_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h -rand_lib.o: ../cryptlib.h rand_lib.c +rand_lib.o: ../../include/openssl/ui_compat.h ../cryptlib.h rand_lib.c rand_os2.o: ../../e_os.h ../../include/openssl/aes.h rand_os2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h rand_os2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c index eeffc0df4c..4fdb7005d3 100644 --- a/crypto/rand/md_rand.c +++ b/crypto/rand/md_rand.c @@ -126,6 +126,7 @@ #include <openssl/crypto.h> #include <openssl/err.h> +#include <openssl/fips.h> #ifdef BN_DEBUG # define PREDICT 
@@ -332,6 +333,14 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) #endif int do_stir_pool = 0; +#ifdef FIPS + if(FIPS_mode) + { + FIPSerr(FIPS_F_SSLEAY_RAND_BYTES,FIPS_R_NON_FIPS_METHOD); + return 0; + } +#endif + #ifdef PREDICT if (rand_predictable) { diff --git a/crypto/rand/rand.h b/crypto/rand/rand.h index 606382dd21..4b998000c8 100644 --- a/crypto/rand/rand.h +++ b/crypto/rand/rand.h @@ -121,10 +121,12 @@ void ERR_load_RAND_strings(void); /* Error codes for the RAND functions. */ /* Function codes. */ +#define RAND_F_FIPS_RAND_BYTES 102 #define RAND_F_RAND_GET_RAND_METHOD 101 #define RAND_F_SSLEAY_RAND_BYTES 100 /* Reason codes. */ +#define RAND_R_NON_FIPS_METHOD 101 #define RAND_R_PRNG_NOT_SEEDED 100 #ifdef __cplusplus diff --git a/crypto/rand/rand_err.c b/crypto/rand/rand_err.c index b77267e213..774ed4df86 100644 --- a/crypto/rand/rand_err.c +++ b/crypto/rand/rand_err.c @@ -1,6 +1,6 @@ /* crypto/rand/rand_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -66,6 +66,7 @@ #ifndef OPENSSL_NO_ERR static ERR_STRING_DATA RAND_str_functs[]= { +{ERR_PACK(0,RAND_F_FIPS_RAND_BYTES,0), "FIPS_RAND_BYTES"}, {ERR_PACK(0,RAND_F_RAND_GET_RAND_METHOD,0), "RAND_get_rand_method"}, {ERR_PACK(0,RAND_F_SSLEAY_RAND_BYTES,0), "SSLEAY_RAND_BYTES"}, {0,NULL} @@ -73,6 +74,7 @@ static ERR_STRING_DATA RAND_str_functs[]= static ERR_STRING_DATA RAND_str_reasons[]= { +{RAND_R_NON_FIPS_METHOD ,"non fips method"}, {RAND_R_PRNG_NOT_SEEDED ,"PRNG not seeded"}, {0,NULL} }; diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 513e338985..9b6943e07e 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c 
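Review bot: The gate in `ssleay_rand_bytes` reports through `FIPSerr(FIPS_F_SSLEAY_RAND_BYTES,FIPS_R_NON_FIPS_METHOD)`, while this same commit adds `RAND_F_FIPS_RAND_BYTES` and `RAND_R_NON_FIPS_METHOD` to rand.h, and `RAND_get_rand_method` in rand_lib.c reports the same condition with `RANDerr`. `RAND_F_FIPS_RAND_BYTES` is not used in any hunk shown here. Pick one error library for the "non fips method" condition so that callers matching on the error code see a single value. The function continues outside the hunk.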
@@ -63,6 +63,8 @@ #ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> #endif +#include <openssl/fips.h> +#include <openssl/fips_rand.h> #ifndef OPENSSL_NO_ENGINE /* non-NULL if default_RAND_meth is ENGINE-provided */ @@ -85,6 +87,15 @@ int RAND_set_rand_method(const RAND_METHOD *meth) const RAND_METHOD *RAND_get_rand_method(void) { +#ifdef FIPS + if(FIPS_mode && default_RAND_meth != FIPS_rand_check) + { + RANDerr(RAND_F_RAND_GET_RAND_METHOD,RAND_R_NON_FIPS_METHOD); + return 0; + } +#endif + + if (!default_RAND_meth) { #ifndef OPENSSL_NO_ENGINE diff --git a/crypto/ripemd/Makefile.ssl b/crypto/ripemd/Makefile.ssl index 3583dfdcaf..67fd7f8134 100644 --- a/crypto/ripemd/Makefile.ssl +++ b/crypto/ripemd/Makefile.ssl @@ -97,9 +97,14 @@ clean: # DO NOT DELETE THIS LINE -- make depend depends on it. -rmd_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h +rmd_dgst.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h +rmd_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +rmd_dgst.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h +rmd_dgst.o: ../../include/openssl/opensslconf.h rmd_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/ripemd.h -rmd_dgst.o: ../md32_common.h rmd_dgst.c rmd_locl.h rmdconst.h +rmd_dgst.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h +rmd_dgst.o: ../../include/openssl/symhacks.h ../md32_common.h rmd_dgst.c +rmd_dgst.o: rmd_locl.h rmdconst.h rmd_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h rmd_one.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h rmd_one.o: ../../include/openssl/ripemd.h ../../include/openssl/safestack.h diff --git a/crypto/sha/Makefile.ssl b/crypto/sha/Makefile.ssl index 864645c8b5..37555715fd 100644 --- a/crypto/sha/Makefile.ssl +++ b/crypto/sha/Makefile.ssl 
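Review bot: The gate in `RAND_get_rand_method` tests `default_RAND_meth != FIPS_rand_check` before the lazy initialisation that follows, so while both pointers are still NULL the comparison is equal and the function falls through to `if (!default_RAND_meth)`, which installs a default method (that branch continues outside the hunk). Treat an unset check value as a refusal, e.g. `if(FIPS_mode && (FIPS_rand_check == NULL || default_RAND_meth != FIPS_rand_check))`. The refusal path should also use `return NULL;` rather than `return 0;`, since the function returns a pointer.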
@@ -102,12 +102,22 @@ sha1_one.o: ../../include/openssl/opensslconf.h sha1_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h sha1_one.o: ../../include/openssl/sha.h ../../include/openssl/stack.h sha1_one.o: ../../include/openssl/symhacks.h sha1_one.c -sha1dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h -sha1dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h -sha1dgst.o: ../md32_common.h sha1dgst.c sha_locl.h -sha_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h -sha_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h -sha_dgst.o: ../md32_common.h sha_dgst.c sha_locl.h +sha1dgst.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h +sha1dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +sha1dgst.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h +sha1dgst.o: ../../include/openssl/opensslconf.h +sha1dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h +sha1dgst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +sha1dgst.o: ../../include/openssl/symhacks.h ../md32_common.h sha1dgst.c +sha1dgst.o: sha_locl.h +sha_dgst.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h +sha_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +sha_dgst.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h +sha_dgst.o: ../../include/openssl/opensslconf.h +sha_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h +sha_dgst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +sha_dgst.o: ../../include/openssl/symhacks.h ../md32_common.h sha_dgst.c +sha_dgst.o: sha_locl.h sha_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h sha_one.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h sha_one.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h |