buffer bio stack lhash rand err \
evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5
-FDIRS= sha1 rand des aes dsa rsa
+FDIRS= sha1 rand des aes dsa rsa dh
# tests to perform. "alltests" is a special word indicating that all tests
# should be performed.
/* Reason codes. */
#define DH_R_BAD_GENERATOR 101
-#define DH_R_NOT_PERMITTED_IN_FIPS_MODE 102
#define DH_R_NO_PRIVATE_VALUE 100
#ifdef __cplusplus
* should hold.
*/
+#ifndef OPENSSL_FIPS
+
int DH_check(const DH *dh, int *ret)
{
int ok=0;
if (q != NULL) BN_free(q);
return(ok);
}
+
+#endif
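Review bot: The `#ifndef OPENSSL_FIPS` / `#endif` pair added around DH_check has no comment saying where the function comes from when OPENSSL_FIPS is defined, so in a FIPS build this file compiles to nothing with no pointer to the replacement. The same bare guard is added around DH_generate_parameters and around the key-generation code later in this commit. The fingerprint-script change lists `fips_dh_check.c`, `fips_dh_gen.c` and `fips_dh_key.c`, so the replacements presumably live in the FIPS dh directory. I would state that at the guard, e.g. `#ifndef OPENSSL_FIPS /* FIPS builds use fips_dh_check.c instead */`, and close with `#endif /* !OPENSSL_FIPS */`. The body of DH_check lies between the two hunks and is not visible here.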
static ERR_STRING_DATA DH_str_reasons[]=
{
{DH_R_BAD_GENERATOR ,"bad generator"},
-{DH_R_NOT_PERMITTED_IN_FIPS_MODE ,"not permitted in fips mode"},
{DH_R_NO_PRIVATE_VALUE ,"no private value"},
{0,NULL}
};
#include "cryptlib.h"
#include <openssl/bn.h>
#include <openssl/dh.h>
-#include <openssl/fips.h>
/* We generate DH parameters as follows
* find a prime q which is prime_len/2 bits long.
* It's just as OK (and in some sense better) to use a generator of the
* order-q subgroup.
*/
+
+#ifndef OPENSSL_FIPS
+
DH *DH_generate_parameters(int prime_len, int generator,
void (*callback)(int,int,void *), void *cb_arg)
{
int g,ok= -1;
BN_CTX *ctx=NULL;
-#ifdef OPENSSL_FIPS
- if(FIPS_mode)
- {
- DHerr(DH_F_DH_GENERATE_PARAMETERS, DH_R_NOT_PERMITTED_IN_FIPS_MODE);
- return NULL;
- }
-#endif
-
ret=DH_new();
if (ret == NULL) goto err;
ctx=BN_CTX_new();
}
return(ret);
}
+
+#endif
#include <openssl/rand.h>
#include <openssl/dh.h>
+#ifndef OPENSSL_FIPS
+
static int generate_key(DH *dh);
static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
BN_MONT_CTX_free((BN_MONT_CTX *)dh->method_mont_p);
return(1);
}
+
+#endif
LIBS=
-FDIRS=sha1 rand des aes dsa rsa
+FDIRS=sha1 rand des aes dsa rsa dh
GENERAL=Makefile README fips-lib.com install.com
fips.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
fips.o: ../include/openssl/err.h ../include/openssl/evp.h
fips.o: ../include/openssl/fips.h ../include/openssl/fips_rand.h
-fips.o: ../include/openssl/hmac.h ../include/openssl/idea.h
-fips.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-fips.o: ../include/openssl/md4.h ../include/openssl/md5.h
-fips.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-fips.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-fips.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-fips.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-fips.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-fips.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-fips.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-fips.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-fips.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h fips.c
-fips.o: fips_locl.h
+fips.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+fips.o: ../include/openssl/md2.h ../include/openssl/md4.h
+fips.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+fips.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+fips.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+fips.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
+fips.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+fips.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+fips.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+fips.o: ../include/openssl/sha.h ../include/openssl/stack.h
+fips.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
+fips.o: ../include/openssl/ui_compat.h fips.c fips_locl.h
fips_err_wrapper.o: ../include/openssl/bio.h ../include/openssl/crypto.h
fips_err_wrapper.o: ../include/openssl/e_os2.h ../include/openssl/err.h
fips_err_wrapper.o: ../include/openssl/fips.h ../include/openssl/lhash.h
HMAC-SHA1(fips.c)= 01d0a11be4f9c2cb2b2a57ab6ec473f61b206de6
HMAC-SHA1(fips_err_wrapper.c)= d3e2be316062510312269e98f964cb87e7577898
-HMAC-SHA1(fips.h)= 4496c0e51c18d30bdc0ce440c384886870a61c40
-HMAC-SHA1(fips_err.h)= f4203a47100a815c21cf3a97092f91a595938f7c
+HMAC-SHA1(fips.h)= e793b0a7017d57a37b89743cf59b40a30385b63f
+HMAC-SHA1(fips_err.h)= 4a73f2a88e206f1f88edfd9b26609a0eed818491
#define FIPS_F_FIPS_SELFTEST_RSA 108
#define FIPS_F_FIPS_SELFTEST_SHA1 103
#define FIPS_F_HASH_FINAL 100
+#define FIPS_F_DH_GENERATE_PARAMETERS 117
#define FIPS_F_RSA_EAY_PUBLIC_ENCRYPT 114
#define FIPS_F_RSA_GENERATE_KEY 113
#define FIPS_F_SSLEAY_RAND_BYTES 101
{ERR_PACK(0,FIPS_F_FIPS_SELFTEST_RSA,0), "FIPS_selftest_rsa"},
{ERR_PACK(0,FIPS_F_FIPS_SELFTEST_SHA1,0), "FIPS_selftest_sha1"},
{ERR_PACK(0,FIPS_F_HASH_FINAL,0), "HASH_FINAL"},
+{ERR_PACK(0,FIPS_F_DH_GENERATE_PARAMETERS,0), "DH_generate_parameters"},
{ERR_PACK(0,FIPS_F_RSA_EAY_PUBLIC_ENCRYPT,0), "RSA_EAY_PUBLIC_ENCRYPT"},
{ERR_PACK(0,FIPS_F_RSA_GENERATE_KEY,0), "RSA_generate_key"},
{ERR_PACK(0,FIPS_F_SSLEAY_RAND_BYTES,0), "SSLEAY_RAND_BYTES"},
cd ../rsa
$S fips_rsa_eay.c fips_rsa_gen.c fips_rsa_selftest.c > fingerprint.sha1
+
+cd ../dh
+$S fips_dh_check.c fips_dh_gen.c fips_dh_key.c > fingerprint.sha1
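Review bot: The added `cd ../dh` is not checked, so if the directory is missing the following `$S ... > fingerprint.sha1` runs in the previous directory and overwrites the RSA fingerprint file. These files are the integrity baseline for the module sources, so I would stop on failure with `cd ../dh || exit 1`. The `cd ../rsa` context line follows the same unchecked pattern, and the script starts outside this hunk.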
ERR_clear_error();
dh = DH_generate_parameters(256, 2, NULL, NULL);
- if (dh)
- return 1;
- return 0;
+ if (!dh)
+ {
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ return 0;
+ }
+ return 1;
}
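Review bot: The new failure branch passes `BIO_new_fp(stderr,BIO_NOCLOSE)` straight into `ERR_print_errors`, so the BIO is never freed and a NULL return from BIO_new_fp is not checked. `ERR_print_errors_fp(stderr);` prints the same queue without the allocation. On the success path the `dh` returned by DH_generate_parameters is not released before `return 1;` in the visible lines; adding `DH_free(dh);` there would fix that. The start of dh_test is outside the hunk.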
static int Error;
/* Non-Approved cryptographic operation
*/
printf("0. Non-Approved cryptographic operation test...\n");
- printf("\ta. MD5...");
+ printf("\ta. Excluded algorithm (MD5)...");
printf( md5_test() ? "successful\n" : Fail("FAILED!\n") );
- printf("\tb. D-H...");
+ printf("\tb. Included algorithm (D-H)...");
printf( dh_test() ? "successful\n" : Fail("FAILED!\n") );
/* Power-up self test failure
/* Non-Approved cryptographic operation
*/
printf("8. Non-Approved cryptographic operation test...\n");
- printf("\ta. MD5...");
+ printf("\ta. Excluded algorithm (MD5)...");
printf( md5_test() ? Fail("passed INCORRECTLY!\n")
: "failed as expected\n" );
- printf("\tb. D-H...");
- printf( dh_test() ? Fail("passed INCORRECTLY!\n")
- : "failed as expected\n" );
+ printf("\tb. Included algorithm (D-H)...");
+ printf( dh_test() ? "successful as expected\n"
+ : Fail("failed INCORRECTLY!\n") );
printf("\nAll tests completed with %d errors\n", Error);
return 0;
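Review bot: Section 8 is still headed "Non-Approved cryptographic operation test" in both the comment and the first printf, but item b now expects D-H to succeed in FIPS mode, so one heading covers two opposite pass criteria. A comment above the block would make that explicit, e.g. `/* MD5 is excluded and must fail in FIPS mode; D-H is included and must still work */`. Note also that the positive check only establishes that `dh_test()` returned non-zero; as far as these lines show, nothing confirms the generated parameters are valid. The enclosing function starts outside the hunk.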
LD_LIBRARY_PATH=.; export LD_LIBRARY_PATH
fi
-elib=`echo $lib| sed 's/\//\\\\\//g'`
echo "Checking library fingerprint for $lib"
-openssl sha1 -hmac etaonrishdlcupfm $lib | sed "s/$elib/libcrypto.a/" | diff ${lib%.a}.sha1 - || { echo "$libs fingerprint mismatch"; exit 1; }
+openssl sha1 -hmac etaonrishdlcupfm $lib | sed "s/(.*\//(/" | diff ${lib%.a}.sha1 - || { echo "$libs fingerprint mismatch"; exit 1; }
echo "Making fingerprint for $exe"
openssl sha1 -hmac etaonrishdlcupfm -binary $exe > $exe.sha1
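Review bot: The failure message on the changed fingerprint-check line prints `$libs`, which is not set anywhere in the visible lines, so a mismatch would be reported without the library name; it should read `echo "$lib fingerprint mismatch"`. On the same line `$lib` and `${lib%.a}.sha1` are unquoted, so a path containing spaces would split the arguments to `openssl` and `diff`; quoting both, `"$lib"` and `"${lib%.a}.sha1"`, avoids that. The new `sed "s/(.*\//(/"` reduces the path inside the parentheses to its last component, so the comparison now depends on the stored `.sha1` file having been generated against the bare file name. The script starts outside this hunk.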