The version that was actually submitted for FIPS testing.

diff --git a/Makefile.org b/Makefile.org
index 1527ca45e23c426e7c1907b092a0ab07d3f96901..b8ea8096af5ccb3c27c53fefb283a6c7531cd4fe 100644 (file)
--- a/Makefile.org
+++ b/Makefile.org
@@ -186,7 +186,7 @@ SDIRS=  objects \
        buffer bio stack lhash rand err \
        evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5
 
-FDIRS= sha1 rand des aes dsa rsa
+FDIRS= sha1 rand des aes dsa rsa dh
 
 # tests to perform.  "alltests" is a special word indicating that all tests
 # should be performed.

diff --git a/crypto/dh/dh.h b/crypto/dh/dh.h
index 1f734dae24ea90ef77d8f34259b95f4c921639c6..05851f84294c3bc53b68793ed69f0c18aacfa80c 100644 (file)
--- a/crypto/dh/dh.h
+++ b/crypto/dh/dh.h
@@ -199,7 +199,6 @@ void ERR_load_DH_strings(void);
 
 /* Reason codes. */
 #define DH_R_BAD_GENERATOR                              101
-#define DH_R_NOT_PERMITTED_IN_FIPS_MODE                         102
 #define DH_R_NO_PRIVATE_VALUE                           100
 
 #ifdef  __cplusplus

diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index f0373f7d6878a01ba12720a4f5068c888770eaad..a7e9920efb0f0027c87e32da3c811707e0a3814b 100644 (file)
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -70,6 +70,8 @@
  * should hold.
  */
 
+#ifndef OPENSSL_FIPS
+
 int DH_check(const DH *dh, int *ret)
        {
        int ok=0;
@@ -118,3 +120,5 @@ err:
        if (q != NULL) BN_free(q);
        return(ok);
        }
+
+#endif

diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
index 17cf42d9528a7bd7c966b5f39376dbead6085153..c2715044c9122825a981eaff457a37ee042ccccf 100644 (file)
--- a/crypto/dh/dh_err.c
+++ b/crypto/dh/dh_err.c
@@ -78,7 +78,6 @@ static ERR_STRING_DATA DH_str_functs[]=
 static ERR_STRING_DATA DH_str_reasons[]=
        {
 {DH_R_BAD_GENERATOR                      ,"bad generator"},
-{DH_R_NOT_PERMITTED_IN_FIPS_MODE         ,"not permitted in fips mode"},
 {DH_R_NO_PRIVATE_VALUE                   ,"no private value"},
 {0,NULL}
        };

diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
index 38675f2688bef55b202de27c09a96172d7cf8ac4..a49b6f9adb838cc04283c173df07dd418ba39d36 100644 (file)
--- a/crypto/dh/dh_gen.c
+++ b/crypto/dh/dh_gen.c
@@ -60,7 +60,6 @@
 #include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/dh.h>
-#include <openssl/fips.h>
 
 /* We generate DH parameters as follows
  * find a prime q which is prime_len/2 bits long.
@@ -87,6 +86,9 @@
  * It's just as OK (and in some sense better) to use a generator of the
  * order-q subgroup.
  */
+
+#ifndef OPENSSL_FIPS
+
 DH *DH_generate_parameters(int prime_len, int generator,
             void (*callback)(int,int,void *), void *cb_arg)
        {
@@ -95,14 +97,6 @@ DH *DH_generate_parameters(int prime_len, int generator,
        int g,ok= -1;
        BN_CTX *ctx=NULL;
 
-#ifdef OPENSSL_FIPS
-       if(FIPS_mode)
-               {
-               DHerr(DH_F_DH_GENERATE_PARAMETERS, DH_R_NOT_PERMITTED_IN_FIPS_MODE);
-               return NULL;
-               }
-#endif
-
        ret=DH_new();
        if (ret == NULL) goto err;
        ctx=BN_CTX_new();
@@ -176,3 +170,5 @@ err:
                }
        return(ret);
        }
+
+#endif

diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 77f2f50b516668686c619798af9bb7052e055951..ff125c2296fb2158d76b05d2051729d7be91a035 100644 (file)
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -62,6 +62,8 @@
 #include <openssl/rand.h>
 #include <openssl/dh.h>
 
+#ifndef OPENSSL_FIPS
+
 static int generate_key(DH *dh);
 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
 static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
@@ -220,3 +222,5 @@ static int dh_finish(DH *dh)
                BN_MONT_CTX_free((BN_MONT_CTX *)dh->method_mont_p);
        return(1);
        }
+
+#endif

diff --git a/fips/Makefile b/fips/Makefile
index 351e1443e2b452658e31595cdeecc826e813af51..ed6817404d5ed57ee52e9cdf284148e7cfee148f 100644 (file)
--- a/fips/Makefile
+++ b/fips/Makefile
@@ -25,7 +25,7 @@ CFLAGS= $(INCLUDE) $(CFLAG)
 
 LIBS=
 
-FDIRS=sha1 rand des aes dsa rsa
+FDIRS=sha1 rand des aes dsa rsa dh
 
 GENERAL=Makefile README fips-lib.com install.com
 
@@ -180,19 +180,18 @@ fips.o: ../include/openssl/des_old.h ../include/openssl/dh.h
 fips.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
 fips.o: ../include/openssl/err.h ../include/openssl/evp.h
 fips.o: ../include/openssl/fips.h ../include/openssl/fips_rand.h
-fips.o: ../include/openssl/hmac.h ../include/openssl/idea.h
-fips.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-fips.o: ../include/openssl/md4.h ../include/openssl/md5.h
-fips.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-fips.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-fips.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-fips.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-fips.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-fips.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-fips.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-fips.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-fips.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h fips.c
-fips.o: fips_locl.h
+fips.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+fips.o: ../include/openssl/md2.h ../include/openssl/md4.h
+fips.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+fips.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+fips.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+fips.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
+fips.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+fips.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+fips.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+fips.o: ../include/openssl/sha.h ../include/openssl/stack.h
+fips.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
+fips.o: ../include/openssl/ui_compat.h fips.c fips_locl.h
 fips_err_wrapper.o: ../include/openssl/bio.h ../include/openssl/crypto.h
 fips_err_wrapper.o: ../include/openssl/e_os2.h ../include/openssl/err.h
 fips_err_wrapper.o: ../include/openssl/fips.h ../include/openssl/lhash.h

diff --git a/fips/fingerprint.sha1 b/fips/fingerprint.sha1
index 7e6d85afeab002fdf93fa89accdd30f78b7d3764..4579b741dbdbe3ec87d0679d0c1375d8c278fa55 100644 (file)
--- a/fips/fingerprint.sha1
+++ b/fips/fingerprint.sha1
@@ -1,4 +1,4 @@
 HMAC-SHA1(fips.c)= 01d0a11be4f9c2cb2b2a57ab6ec473f61b206de6
 HMAC-SHA1(fips_err_wrapper.c)= d3e2be316062510312269e98f964cb87e7577898
-HMAC-SHA1(fips.h)= 4496c0e51c18d30bdc0ce440c384886870a61c40
-HMAC-SHA1(fips_err.h)= f4203a47100a815c21cf3a97092f91a595938f7c
+HMAC-SHA1(fips.h)= e793b0a7017d57a37b89743cf59b40a30385b63f
+HMAC-SHA1(fips_err.h)= 4a73f2a88e206f1f88edfd9b26609a0eed818491

diff --git a/fips/fips.h b/fips/fips.h
index e169ebf43e713ac2c7158c16560b06da515f9f51..9ce48dce7bc83a393462fdf4bf8d043a7bf87e3e 100644 (file)
--- a/fips/fips.h
+++ b/fips/fips.h
@@ -105,6 +105,7 @@ void ERR_load_FIPS_strings(void);
 #define FIPS_F_FIPS_SELFTEST_RSA                        108
 #define FIPS_F_FIPS_SELFTEST_SHA1                       103
 #define FIPS_F_HASH_FINAL                               100
+#define FIPS_F_DH_GENERATE_PARAMETERS                   117
 #define FIPS_F_RSA_EAY_PUBLIC_ENCRYPT                   114
 #define FIPS_F_RSA_GENERATE_KEY                                 113
 #define FIPS_F_SSLEAY_RAND_BYTES                        101

diff --git a/fips/fips_err.h b/fips/fips_err.h
index e8dafa4900f7ab9c97016bfeab9f380bd2cd35fe..d643c9f55fb700b647e2a238c8f92a9b97206958 100644 (file)
--- a/fips/fips_err.h
+++ b/fips/fips_err.h
@@ -80,6 +80,7 @@ static ERR_STRING_DATA FIPS_str_functs[]=
 {ERR_PACK(0,FIPS_F_FIPS_SELFTEST_RSA,0),       "FIPS_selftest_rsa"},
 {ERR_PACK(0,FIPS_F_FIPS_SELFTEST_SHA1,0),      "FIPS_selftest_sha1"},
 {ERR_PACK(0,FIPS_F_HASH_FINAL,0),      "HASH_FINAL"},
+{ERR_PACK(0,FIPS_F_DH_GENERATE_PARAMETERS,0),  "DH_generate_parameters"},
 {ERR_PACK(0,FIPS_F_RSA_EAY_PUBLIC_ENCRYPT,0),  "RSA_EAY_PUBLIC_ENCRYPT"},
 {ERR_PACK(0,FIPS_F_RSA_GENERATE_KEY,0),        "RSA_generate_key"},
 {ERR_PACK(0,FIPS_F_SSLEAY_RAND_BYTES,0),       "SSLEAY_RAND_BYTES"},

diff --git a/fips/fips_make_sha1 b/fips/fips_make_sha1
index 3139d9f528d6d73683fe4322e26c36124239f9c7..a326ea3a0750c8b1b915b9652d4df39c2cc1e32f 100755 (executable)
--- a/fips/fips_make_sha1
+++ b/fips/fips_make_sha1
@@ -25,3 +25,6 @@ $S fips_des_enc.c asm/fips-dx86-elf.s fips_des_selftest.c fips_set_key.c fips_de
 
 cd ../rsa
 $S fips_rsa_eay.c fips_rsa_gen.c fips_rsa_selftest.c > fingerprint.sha1
+
+cd ../dh
+$S fips_dh_check.c fips_dh_gen.c fips_dh_key.c > fingerprint.sha1

diff --git a/fips/fips_test_suite.c b/fips/fips_test_suite.c
index bafa11afc589524512ead966eb7f4cc0e0a7e423..cb4386ae450e1177d5be68d52ec0a171e2250f02 100644 (file)
--- a/fips/fips_test_suite.c
+++ b/fips/fips_test_suite.c
@@ -174,9 +174,13 @@ static int dh_test()
 
     ERR_clear_error();
     dh = DH_generate_parameters(256, 2, NULL, NULL);
-    if (dh)
-        return 1;
-    return 0;
+    if (!dh)
+       {
+       ERR_load_crypto_strings();
+        ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+       return 0;
+       }
+    return 1;
     }
 
 static int Error;
@@ -226,9 +230,9 @@ int main(int argc,char **argv)
     /* Non-Approved cryptographic operation
     */
     printf("0. Non-Approved cryptographic operation test...\n");
-    printf("\ta. MD5...");
+    printf("\ta. Excluded algorithm (MD5)...");
     printf( md5_test() ? "successful\n" :  Fail("FAILED!\n") );
-    printf("\tb. D-H...");
+    printf("\tb. Included algorithm (D-H)...");
     printf( dh_test() ? "successful\n" :  Fail("FAILED!\n") );
 
     /* Power-up self test failure
@@ -290,12 +294,12 @@ int main(int argc,char **argv)
     /* Non-Approved cryptographic operation
     */
     printf("8. Non-Approved cryptographic operation test...\n");
-    printf("\ta. MD5...");
+    printf("\ta. Excluded algorithm (MD5)...");
     printf( md5_test() ? Fail("passed INCORRECTLY!\n")
            : "failed as expected\n" );
-    printf("\tb. D-H...");
-    printf( dh_test() ? Fail("passed INCORRECTLY!\n")
-           : "failed as expected\n" );
+    printf("\tb. Included algorithm (D-H)...");
+    printf( dh_test() ? "successful as expected\n"
+           : Fail("failed INCORRECTLY!\n") );
 
     printf("\nAll tests completed with %d errors\n", Error);
     return 0;

diff --git a/fips/openssl_fips_fingerprint b/fips/openssl_fips_fingerprint
index e20b38d43c3b690e95425cd801872ceca22483c0..932f3cdc4259633f6af1e9ded351440e3ca72691 100755 (executable)
--- a/fips/openssl_fips_fingerprint
+++ b/fips/openssl_fips_fingerprint
@@ -17,9 +17,8 @@ else
     LD_LIBRARY_PATH=.; export LD_LIBRARY_PATH
 fi
 
-elib=`echo $lib| sed 's/\//\\\\\//g'`
 echo "Checking library fingerprint for $lib"
-openssl sha1 -hmac etaonrishdlcupfm $lib | sed "s/$elib/libcrypto.a/" | diff ${lib%.a}.sha1 - || { echo "$libs fingerprint mismatch"; exit 1; }
+openssl sha1 -hmac etaonrishdlcupfm $lib | sed "s/(.*\//(/" | diff ${lib%.a}.sha1 - || { echo "$libs fingerprint mismatch"; exit 1; }
 
 echo "Making fingerprint for $exe"
 openssl sha1 -hmac etaonrishdlcupfm -binary $exe > $exe.sha1