|
 |
c4366c |
Do not create a fips canister but use a fipscheck equivalent method for
|
|
|
c4366c |
integrity verification of both libssl and libcrypto shared libraries.
|
|
|
c4366c |
diff -up openssl-fips-0.9.8e/apps/Makefile.use-fipscheck openssl-fips-0.9.8e/apps/Makefile
|
|
|
c4366c |
--- openssl-fips-0.9.8e/apps/Makefile.use-fipscheck 2007-08-15 15:35:29.000000000 +0200
|
|
|
c4366c |
+++ openssl-fips-0.9.8e/apps/Makefile 2009-03-26 15:16:09.000000000 +0100
|
|
|
c4366c |
@@ -152,8 +152,6 @@ $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(
|
|
|
c4366c |
$(RM) $(EXE)
|
|
|
c4366c |
shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
|
|
|
c4366c |
shlib_target="$(SHLIB_TARGET)"; \
|
|
|
c4366c |
- elif [ -n "$(FIPSCANLIB)" ]; then \
|
|
|
c4366c |
- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
|
|
|
c4366c |
fi; \
|
|
|
c4366c |
LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \
|
|
|
c4366c |
[ "x$(FIPSCANLIB)" = "xlibfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
|
|
|
c4366c |
diff -up openssl-fips-0.9.8e/fips/fips.c.use-fipscheck openssl-fips-0.9.8e/fips/fips.c
|
|
|
c4366c |
--- openssl-fips-0.9.8e/fips/fips.c.use-fipscheck 2007-08-26 16:57:10.000000000 +0200
|
|
|
c4366c |
+++ openssl-fips-0.9.8e/fips/fips.c 2009-04-15 11:43:59.000000000 +0200
|
|
|
c4366c |
@@ -47,6 +47,8 @@
|
|
|
c4366c |
*
|
|
|
c4366c |
*/
|
|
|
c4366c |
|
|
|
c4366c |
+#define _GNU_SOURCE
|
|
|
c4366c |
+
|
|
|
c4366c |
#include <openssl/fips.h>
|
|
|
c4366c |
#include <openssl/rand.h>
|
|
|
c4366c |
#include <openssl/fips_rand.h>
|
|
|
c4366c |
@@ -56,6 +58,9 @@
|
|
|
c4366c |
#include <openssl/rsa.h>
|
|
|
c4366c |
#include <string.h>
|
|
|
c4366c |
#include <limits.h>
|
|
|
c4366c |
+#include <dlfcn.h>
|
|
|
c4366c |
+#include <stdio.h>
|
|
|
c4366c |
+#include <stdlib.h>
|
|
|
c4366c |
#include "fips_locl.h"
|
|
|
c4366c |
|
|
|
c4366c |
#ifdef OPENSSL_FIPS
|
|
|
c4366c |
@@ -163,6 +168,7 @@ int FIPS_selftest()
|
|
|
c4366c |
&& FIPS_selftest_dsa();
|
|
|
c4366c |
}
|
|
|
c4366c |
|
|
|
c4366c |
+#if 0
|
|
|
c4366c |
extern const void *FIPS_text_start(), *FIPS_text_end();
|
|
|
c4366c |
extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[];
|
|
|
c4366c |
unsigned char FIPS_signature [20] = { 0 };
|
|
|
c4366c |
@@ -241,6 +247,206 @@ int FIPS_check_incore_fingerprint(void)
|
|
|
c4366c |
|
|
|
c4366c |
return 1;
|
|
|
c4366c |
}
|
|
|
c4366c |
+#else
|
|
|
c4366c |
+/* we implement what libfipscheck does ourselves */
|
|
|
c4366c |
+
|
|
|
c4366c |
+static int
|
|
|
c4366c |
+get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
|
|
|
c4366c |
+{
|
|
|
c4366c |
+ Dl_info info;
|
|
|
c4366c |
+ void *dl, *sym;
|
|
|
c4366c |
+ int rv = -1;
|
|
|
c4366c |
+
|
|
|
c4366c |
+ dl = dlopen(libname, RTLD_LAZY);
|
|
|
c4366c |
+ if (dl == NULL) {
|
|
|
c4366c |
+ return -1;
|
|
|
c4366c |
+ }
|
|
|
c4366c |
+
|
|
|
c4366c |
+ sym = dlsym(dl, symbolname);
|
|
|
c4366c |
+
|
|
|
c4366c |
+ if (sym != NULL && dladdr(sym, &info)) {
|
|
|
c4366c |
+ strncpy(path, info.dli_fname, pathlen-1);
|
|
|
c4366c |
+ path[pathlen-1] = '\0';
|
|
|
c4366c |
+ rv = 0;
|
|
|
c4366c |
+ }
|
|
|
c4366c |
+
|
|
|
c4366c |
+ dlclose(dl);
|
|
|
c4366c |
+
|
|
|
c4366c |
+ return rv;
|
|
|
c4366c |
+}
|
|
|
c4366c |
+
|
|
|
c4366c |
+static const char conv[] = "0123456789abcdef";
|
|
|
c4366c |
+
|
|
|
c4366c |
+static char *
|
|
|
c4366c |
+bin2hex(void *buf, size_t len)
|
|
|
c4366c |
+{
|
|
|
c4366c |
+ char *hex, *p;
|
|
|
c4366c |
+ unsigned char *src = buf;
|
|
|
c4366c |
+
|
|
|
c4366c |
+ hex = malloc(len * 2 + 1);
|
|
|
c4366c |
+ if (hex == NULL)
|
|
|
c4366c |
+ return NULL;
|
|
|
c4366c |
+
|
|
|
c4366c |
+ p = hex;
|
|
|
c4366c |
+
|
|
|
c4366c |
+ while (len > 0) {
|
|
|
c4366c |
+ unsigned c;
|
|
|
c4366c |
+
|
|
|
c4366c |
+ c = *src;
|
|
|
c4366c |
+ src++;
|
|
|
c4366c |
+
|
|
|
c4366c |
+ *p = conv[c >> 4];
|
|
|
c4366c |
+ ++p;
|
|
|
c4366c |
+ *p = conv[c & 0x0f];
|
|
|
c4366c |
+ ++p;
|
|
|
c4366c |
+ --len;
|
|
|
c4366c |
+ }
|
|
|
c4366c |
+ *p = '\0';
|
|
|
c4366c |
+ return hex;
|
|
|
c4366c |
+}
|
|
|
c4366c |
+
|
|
|
c4366c |
+#define HMAC_PREFIX "."
|
|
|
c4366c |
+#define HMAC_SUFFIX ".hmac"
|
|
|
c4366c |
+#define READ_BUFFER_LENGTH 16384
|
|
|
c4366c |
+
|
|
|
c4366c |
+static char *
|
|
|
c4366c |
+make_hmac_path(const char *origpath)
|
|
|
c4366c |
+{
|
|
|
c4366c |
+ char *path, *p;
|
|
|
c4366c |
+ const char *fn;
|
|
|
c4366c |
+
|
|
|
c4366c |
+ path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
|
|
|
c4366c |
+ if(path == NULL) {
|
|
|
c4366c |
+ return NULL;
|
|
|
c4366c |
+ }
|
|
|
c4366c |
+
|
|
|
c4366c |
+ fn = strrchr(origpath, '/');
|
|
|
c4366c |
+ if (fn == NULL) {
|
|
|
c4366c |
+ fn = origpath;
|
|
|
c4366c |
+ } else {
|
|
|
c4366c |
+ ++fn;
|
|
|
c4366c |
+ }
|
|
|
c4366c |
+
|
|
|
c4366c |
+ strncpy(path, origpath, fn-origpath);
|
|
|
c4366c |
+ p = path + (fn - origpath);
|
|
|
c4366c |
+ p = stpcpy(p, HMAC_PREFIX);
|
|
|
c4366c |
+ p = stpcpy(p, fn);
|
|
|
c4366c |
+ p = stpcpy(p, HMAC_SUFFIX);
|
|
|
c4366c |
+
|
|
|
c4366c |
+ return path;
|
|
|
c4366c |
+}
|
|
|
c4366c |
+
|
|
|
c4366c |
+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
|
|
|
c4366c |
+
|
|
|
c4366c |
+static int
|
|
|
c4366c |
+compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
|
|
|
c4366c |
+{
|
|
|
c4366c |
+ FILE *f = NULL;
|
|
|
c4366c |
+ int rv = -1;
|
|
|
c4366c |
+ unsigned char rbuf[READ_BUFFER_LENGTH];
|
|
|
c4366c |
+ size_t len;
|
|
|
c4366c |
+ unsigned int hlen;
|
|
|
c4366c |
+ HMAC_CTX c;
|
|
|
c4366c |
+
|
|
|
c4366c |
+ HMAC_CTX_init(&c);
|
|
|
c4366c |
+
|
|
|
c4366c |
+ f = fopen(path, "r");
|
|
|
c4366c |
+
|
|
|
c4366c |
+ if (f == NULL) {
|
|
|
c4366c |
+ goto end;
|
|
|
c4366c |
+ }
|
|
|
c4366c |
+
|
|
|
c4366c |
+ HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
|
|
|
c4366c |
+
|
|
|
c4366c |
+ while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
|
|
|
c4366c |
+ HMAC_Update(&c, rbuf, len);
|
|
|
c4366c |
+ }
|
|
|
c4366c |
+
|
|
|
c4366c |
+ len = sizeof(rbuf);
|
|
|
c4366c |
+ /* reuse rbuf for hmac */
|
|
|
c4366c |
+ HMAC_Final(&c, rbuf, &hlen);
|
|
|
c4366c |
+
|
|
|
c4366c |
+ *buf = malloc(hlen);
|
|
|
c4366c |
+ if (*buf == NULL) {
|
|
|
c4366c |
+ goto end;
|
|
|
c4366c |
+ }
|
|
|
c4366c |
+
|
|
|
c4366c |
+ *hmaclen = hlen;
|
|
|
c4366c |
+
|
|
|
c4366c |
+ memcpy(*buf, rbuf, hlen);
|
|
|
c4366c |
+
|
|
|
c4366c |
+ rv = 0;
|
|
|
c4366c |
+end:
|
|
|
c4366c |
+ HMAC_CTX_cleanup(&c);
|
|
|
c4366c |
+
|
|
|
c4366c |
+ if (f)
|
|
|
c4366c |
+ fclose(f);
|
|
|
c4366c |
+
|
|
|
c4366c |
+ return rv;
|
|
|
c4366c |
+}
|
|
|
c4366c |
+
|
|
|
c4366c |
+static int
|
|
|
c4366c |
+FIPSCHECK_verify(const char *libname, const char *symbolname)
|
|
|
c4366c |
+{
|
|
|
c4366c |
+ char path[PATH_MAX+1];
|
|
|
c4366c |
+ int rv;
|
|
|
c4366c |
+ FILE *hf;
|
|
|
c4366c |
+ char *hmacpath, *p;
|
|
|
c4366c |
+ char *hmac = NULL;
|
|
|
c4366c |
+ size_t n;
|
|
|
c4366c |
+
|
|
|
c4366c |
+ rv = get_library_path(libname, symbolname, path, sizeof(path));
|
|
|
c4366c |
+
|
|
|
c4366c |
+ if (rv < 0)
|
|
|
c4366c |
+ return 0;
|
|
|
c4366c |
+
|
|
|
c4366c |
+ hmacpath = make_hmac_path(path);
|
|
|
c4366c |
+
|
|
|
c4366c |
+ hf = fopen(hmacpath, "r");
|
|
|
c4366c |
+ if (hf == NULL) {
|
|
|
c4366c |
+ free(hmacpath);
|
|
|
c4366c |
+ return 0;
|
|
|
c4366c |
+ }
|
|
|
c4366c |
+
|
|
|
c4366c |
+ if (getline(&hmac, &n, hf) > 0) {
|
|
|
c4366c |
+ void *buf;
|
|
|
c4366c |
+ size_t hmaclen;
|
|
|
c4366c |
+ char *hex;
|
|
|
c4366c |
+
|
|
|
c4366c |
+ if ((p=strchr(hmac, '\n')) != NULL)
|
|
|
c4366c |
+ *p = '\0';
|
|
|
c4366c |
+
|
|
|
c4366c |
+ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
|
|
|
c4366c |
+ rv = -4;
|
|
|
c4366c |
+ goto end;
|
|
|
c4366c |
+ }
|
|
|
c4366c |
+
|
|
|
c4366c |
+ if ((hex=bin2hex(buf, hmaclen)) == NULL) {
|
|
|
c4366c |
+ free(buf);
|
|
|
c4366c |
+ rv = -5;
|
|
|
c4366c |
+ goto end;
|
|
|
c4366c |
+ }
|
|
|
c4366c |
+
|
|
|
c4366c |
+ if (strcmp(hex, hmac) != 0) {
|
|
|
c4366c |
+ rv = -1;
|
|
|
c4366c |
+ }
|
|
|
c4366c |
+ free(buf);
|
|
|
c4366c |
+ free(hex);
|
|
|
c4366c |
+ }
|
|
|
c4366c |
+
|
|
|
c4366c |
+end:
|
|
|
c4366c |
+ free(hmac);
|
|
|
c4366c |
+ free(hmacpath);
|
|
|
c4366c |
+ fclose(hf);
|
|
|
c4366c |
+
|
|
|
c4366c |
+ if (rv < 0)
|
|
|
c4366c |
+ return 0;
|
|
|
c4366c |
+
|
|
|
c4366c |
+ /* check successful */
|
|
|
c4366c |
+ return 1;
|
|
|
c4366c |
+}
|
|
|
c4366c |
+
|
|
|
c4366c |
+#endif
|
|
|
c4366c |
|
|
|
c4366c |
int FIPS_mode_set(int onoff)
|
|
|
c4366c |
{
|
|
|
c4366c |
@@ -278,16 +484,17 @@ int FIPS_mode_set(int onoff)
|
|
|
c4366c |
}
|
|
|
c4366c |
#endif
|
|
|
c4366c |
|
|
|
c4366c |
- if(fips_signature_witness() != FIPS_signature)
|
|
|
c4366c |
+ if(!FIPSCHECK_verify("libcrypto.so.0.9.8e","FIPS_mode_set"))
|
|
|
c4366c |
{
|
|
|
c4366c |
- FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_CONTRADICTING_EVIDENCE);
|
|
|
c4366c |
+ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
|
|
|
c4366c |
fips_selftest_fail = 1;
|
|
|
c4366c |
ret = 0;
|
|
|
c4366c |
goto end;
|
|
|
c4366c |
}
|
|
|
c4366c |
|
|
|
c4366c |
- if(!FIPS_check_incore_fingerprint())
|
|
|
c4366c |
+ if(!FIPSCHECK_verify("libssl.so.0.9.8e","SSL_CTX_new"))
|
|
|
c4366c |
{
|
|
|
c4366c |
+ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
|
|
|
c4366c |
fips_selftest_fail = 1;
|
|
|
c4366c |
ret = 0;
|
|
|
c4366c |
goto end;
|
|
|
c4366c |
@@ -403,11 +610,13 @@ int fips_clear_owning_thread(void)
|
|
|
c4366c |
return ret;
|
|
|
c4366c |
}
|
|
|
c4366c |
|
|
|
c4366c |
+#if 0
|
|
|
c4366c |
unsigned char *fips_signature_witness(void)
|
|
|
c4366c |
{
|
|
|
c4366c |
extern unsigned char FIPS_signature[];
|
|
|
c4366c |
return FIPS_signature;
|
|
|
c4366c |
}
|
|
|
c4366c |
+#endif
|
|
|
c4366c |
|
|
|
c4366c |
/* Generalized public key test routine. Signs and verifies the data
|
|
|
c4366c |
* supplied in tbs using mesage digest md and setting option digest
|
|
|
c4366c |
diff -up openssl-fips-0.9.8e/fips/fips_locl.h.use-fipscheck openssl-fips-0.9.8e/fips/fips_locl.h
|
|
|
c4366c |
--- openssl-fips-0.9.8e/fips/fips_locl.h.use-fipscheck 2007-08-15 15:35:31.000000000 +0200
|
|
|
c4366c |
+++ openssl-fips-0.9.8e/fips/fips_locl.h 2009-03-26 15:15:39.000000000 +0100
|
|
|
c4366c |
@@ -63,7 +63,9 @@ int fips_is_owning_thread(void);
|
|
|
c4366c |
int fips_set_owning_thread(void);
|
|
|
c4366c |
void fips_set_selftest_fail(void);
|
|
|
c4366c |
int fips_clear_owning_thread(void);
|
|
|
c4366c |
+#if 0
|
|
|
c4366c |
unsigned char *fips_signature_witness(void);
|
|
|
c4366c |
+#endif
|
|
|
c4366c |
|
|
|
c4366c |
#define FIPS_MAX_CIPHER_TEST_SIZE 16
|
|
|
c4366c |
|
|
|
c4366c |
diff -up openssl-fips-0.9.8e/fips/Makefile.use-fipscheck openssl-fips-0.9.8e/fips/Makefile
|
|
|
c4366c |
--- openssl-fips-0.9.8e/fips/Makefile.use-fipscheck 2007-08-15 15:35:30.000000000 +0200
|
|
|
c4366c |
+++ openssl-fips-0.9.8e/fips/Makefile 2009-04-15 11:41:25.000000000 +0200
|
|
|
c4366c |
@@ -62,9 +62,9 @@ testapps:
|
|
|
c4366c |
|
|
|
c4366c |
all:
|
|
|
c4366c |
@if [ -z "$(FIPSLIBDIR)" ]; then \
|
|
|
c4366c |
- $(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \
|
|
|
c4366c |
+ $(MAKE) -e subdirs lib; \
|
|
|
c4366c |
else \
|
|
|
c4366c |
- $(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \
|
|
|
c4366c |
+ $(MAKE) -e lib; \
|
|
|
c4366c |
fi
|
|
|
c4366c |
|
|
|
c4366c |
# Idea behind fipscanister.o is to "seize" the sequestered code between
|
|
|
c4366c |
@@ -109,7 +109,6 @@ fipscanister.o: fips_start.o $(LIBOBJ) $
|
|
|
c4366c |
HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \
|
|
|
c4366c |
*) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \
|
|
|
c4366c |
esac fi
|
|
|
c4366c |
- ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1
|
|
|
c4366c |
|
|
|
c4366c |
# If another exception is immediately required, assign approprite
|
|
|
c4366c |
# site-specific ld command to FIPS_SITE_LD environment variable.
|
|
|
c4366c |
@@ -141,8 +140,24 @@ links:
|
|
|
c4366c |
lib: $(LIB)
|
|
|
c4366c |
@touch lib
|
|
|
c4366c |
|
|
|
c4366c |
-$(LIB): $(FIPSLIBDIR)fipscanister.o
|
|
|
c4366c |
- $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
|
|
|
c4366c |
+$(LIB): $(LIBOBJ) $(FIPS_OBJ_LISTS)
|
|
|
c4366c |
+ FIPS_ASM=""; \
|
|
|
c4366c |
+ list="$(BN_ASM)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/bn/$$i" ; done; \
|
|
|
c4366c |
+ list="$(AES_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/aes/$$i" ; done; \
|
|
|
c4366c |
+ list="$(DES_ENC)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/des/$$i" ; done; \
|
|
|
c4366c |
+ list="$(SHA1_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/sha/$$i" ; done; \
|
|
|
c4366c |
+ if [ -n "$(CPUID_OBJ)" ]; then \
|
|
|
c4366c |
+ CPUID=../crypto/$(CPUID_OBJ) ; \
|
|
|
c4366c |
+ else \
|
|
|
c4366c |
+ CPUID="" ; \
|
|
|
c4366c |
+ fi ; \
|
|
|
c4366c |
+ objs="$(LIBOBJ) $(FIPS_EX_OBJ) $$CPUID $$FIPS_ASM"; \
|
|
|
c4366c |
+ for i in $(FIPS_OBJ_LISTS); do \
|
|
|
c4366c |
+ dir=`dirname $$i`; script="s|^|$$dir/|;s| | $$dir/|g"; \
|
|
|
c4366c |
+ objs="$$objs `sed "$$script" $$i`"; \
|
|
|
c4366c |
+ done; \
|
|
|
c4366c |
+ objs="$$objs" ; \
|
|
|
c4366c |
+ $(AR) $(LIB) $$objs
|
|
|
c4366c |
$(RANLIB) $(LIB) || echo Never mind.
|
|
|
c4366c |
|
|
|
c4366c |
$(FIPSCANLIB): $(FIPSCANLOC)
|
|
|
c4366c |
@@ -154,7 +169,7 @@ $(FIPSCANLIB): $(FIPSCANLOC)
|
|
|
c4366c |
$(RANLIB) ../$(FIPSCANLIB).a || echo Never mind.
|
|
|
c4366c |
@touch lib
|
|
|
c4366c |
|
|
|
c4366c |
-shared: lib subdirs fips_premain_dso$(EXE_EXT)
|
|
|
c4366c |
+shared: lib subdirs
|
|
|
c4366c |
|
|
|
c4366c |
libs:
|
|
|
c4366c |
@target=lib; $(RECURSIVE_MAKE)
|
|
|
c4366c |
@@ -178,10 +193,6 @@ install:
|
|
|
c4366c |
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
|
|
|
c4366c |
done;
|
|
|
c4366c |
@target=install; $(RECURSIVE_MAKE)
|
|
|
c4366c |
- @cp -p -f fipscanister.o fipscanister.o.sha1 fips_premain.c \
|
|
|
c4366c |
- fips_premain.c.sha1 \
|
|
|
c4366c |
- $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \
|
|
|
c4366c |
- chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips*
|
|
|
c4366c |
|
|
|
c4366c |
lint:
|
|
|
c4366c |
@target=lint; $(RECURSIVE_MAKE)
|
|
|
c4366c |
diff -up openssl-fips-0.9.8e/fips/sha/fips_standalone_sha1.c.use-fipscheck openssl-fips-0.9.8e/fips/sha/fips_standalone_sha1.c
|
|
|
c4366c |
--- openssl-fips-0.9.8e/fips/sha/fips_standalone_sha1.c.use-fipscheck 2007-08-15 15:35:46.000000000 +0200
|
|
|
c4366c |
+++ openssl-fips-0.9.8e/fips/sha/fips_standalone_sha1.c 2009-04-15 11:58:37.000000000 +0200
|
|
|
c4366c |
@@ -62,20 +62,20 @@ void OPENSSL_cleanse(void *p,size_t len)
|
|
|
c4366c |
|
|
|
c4366c |
#ifdef OPENSSL_FIPS
|
|
|
c4366c |
|
|
|
c4366c |
-static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx,
|
|
|
c4366c |
+static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx,
|
|
|
c4366c |
const char *key)
|
|
|
c4366c |
{
|
|
|
c4366c |
- int len=strlen(key);
|
|
|
c4366c |
+ size_t len=strlen(key);
|
|
|
c4366c |
int i;
|
|
|
c4366c |
unsigned char keymd[HMAC_MAX_MD_CBLOCK];
|
|
|
c4366c |
unsigned char pad[HMAC_MAX_MD_CBLOCK];
|
|
|
c4366c |
|
|
|
c4366c |
if (len > SHA_CBLOCK)
|
|
|
c4366c |
{
|
|
|
c4366c |
- SHA1_Init(md_ctx);
|
|
|
c4366c |
- SHA1_Update(md_ctx,key,len);
|
|
|
c4366c |
- SHA1_Final(keymd,md_ctx);
|
|
|
c4366c |
- len=20;
|
|
|
c4366c |
+ SHA256_Init(md_ctx);
|
|
|
c4366c |
+ SHA256_Update(md_ctx,key,len);
|
|
|
c4366c |
+ SHA256_Final(keymd,md_ctx);
|
|
|
c4366c |
+ len=SHA256_DIGEST_LENGTH;
|
|
|
c4366c |
}
|
|
|
c4366c |
else
|
|
|
c4366c |
memcpy(keymd,key,len);
|
|
|
c4366c |
@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH
|
|
|
c4366c |
|
|
|
c4366c |
for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
|
|
|
c4366c |
pad[i]=0x36^keymd[i];
|
|
|
c4366c |
- SHA1_Init(md_ctx);
|
|
|
c4366c |
- SHA1_Update(md_ctx,pad,SHA_CBLOCK);
|
|
|
c4366c |
+ SHA256_Init(md_ctx);
|
|
|
c4366c |
+ SHA256_Update(md_ctx,pad,SHA256_CBLOCK);
|
|
|
c4366c |
|
|
|
c4366c |
for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
|
|
|
c4366c |
pad[i]=0x5c^keymd[i];
|
|
|
c4366c |
- SHA1_Init(o_ctx);
|
|
|
c4366c |
- SHA1_Update(o_ctx,pad,SHA_CBLOCK);
|
|
|
c4366c |
+ SHA256_Init(o_ctx);
|
|
|
c4366c |
+ SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
|
|
|
c4366c |
}
|
|
|
c4366c |
|
|
|
c4366c |
-static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx)
|
|
|
c4366c |
+static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx)
|
|
|
c4366c |
{
|
|
|
c4366c |
- unsigned char buf[20];
|
|
|
c4366c |
+ unsigned char buf[SHA256_DIGEST_LENGTH];
|
|
|
c4366c |
|
|
|
c4366c |
- SHA1_Final(buf,md_ctx);
|
|
|
c4366c |
- SHA1_Update(o_ctx,buf,sizeof buf);
|
|
|
c4366c |
- SHA1_Final(md,o_ctx);
|
|
|
c4366c |
+ SHA256_Final(buf,md_ctx);
|
|
|
c4366c |
+ SHA256_Update(o_ctx,buf,sizeof buf);
|
|
|
c4366c |
+ SHA256_Final(md,o_ctx);
|
|
|
c4366c |
}
|
|
|
c4366c |
|
|
|
c4366c |
#endif
|
|
|
c4366c |
@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md
|
|
|
c4366c |
int main(int argc,char **argv)
|
|
|
c4366c |
{
|
|
|
c4366c |
#ifdef OPENSSL_FIPS
|
|
|
c4366c |
- static char key[]="etaonrishdlcupfm";
|
|
|
c4366c |
+ static char key[]="orboDeJITITejsirpADONivirpUkvarP";
|
|
|
c4366c |
int n,binary=0;
|
|
|
c4366c |
|
|
|
c4366c |
if(argc < 2)
|
|
|
c4366c |
@@ -125,8 +125,8 @@ int main(int argc,char **argv)
|
|
|
c4366c |
for(; n < argc ; ++n)
|
|
|
c4366c |
{
|
|
|
c4366c |
FILE *f=fopen(argv[n],"rb");
|
|
|
c4366c |
- SHA_CTX md_ctx,o_ctx;
|
|
|
c4366c |
- unsigned char md[20];
|
|
|
c4366c |
+ SHA256_CTX md_ctx,o_ctx;
|
|
|
c4366c |
+ unsigned char md[SHA256_DIGEST_LENGTH];
|
|
|
c4366c |
int i;
|
|
|
c4366c |
|
|
|
c4366c |
if(!f)
|
|
|
c4366c |
@@ -139,7 +139,7 @@ int main(int argc,char **argv)
|
|
|
c4366c |
for( ; ; )
|
|
|
c4366c |
{
|
|
|
c4366c |
char buf[1024];
|
|
|
c4366c |
- int l=fread(buf,1,sizeof buf,f);
|
|
|
c4366c |
+ size_t l=fread(buf,1,sizeof buf,f);
|
|
|
c4366c |
|
|
|
c4366c |
if(l == 0)
|
|
|
c4366c |
{
|
|
|
c4366c |
@@ -151,18 +151,18 @@ int main(int argc,char **argv)
|
|
|
c4366c |
else
|
|
|
c4366c |
break;
|
|
|
c4366c |
}
|
|
|
c4366c |
- SHA1_Update(&md_ctx,buf,l);
|
|
|
c4366c |
+ SHA256_Update(&md_ctx,buf,l);
|
|
|
c4366c |
}
|
|
|
c4366c |
hmac_final(md,&md_ctx,&o_ctx);
|
|
|
c4366c |
|
|
|
c4366c |
if (binary)
|
|
|
c4366c |
{
|
|
|
c4366c |
- fwrite(md,20,1,stdout);
|
|
|
c4366c |
+ fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);
|
|
|
c4366c |
break; /* ... for single(!) file */
|
|
|
c4366c |
}
|
|
|
c4366c |
|
|
|
c4366c |
- printf("HMAC-SHA1(%s)= ",argv[n]);
|
|
|
c4366c |
- for(i=0 ; i < 20 ; ++i)
|
|
|
c4366c |
+/* printf("HMAC-SHA1(%s)= ",argv[n]); */
|
|
|
c4366c |
+ for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)
|
|
|
c4366c |
printf("%02x",md[i]);
|
|
|
c4366c |
printf("\n");
|
|
|
c4366c |
}
|
|
|
c4366c |
diff -up openssl-fips-0.9.8e/fips/sha/Makefile.use-fipscheck openssl-fips-0.9.8e/fips/sha/Makefile
|
|
|
c4366c |
--- openssl-fips-0.9.8e/fips/sha/Makefile.use-fipscheck 2009-03-26 15:16:04.000000000 +0100
|
|
|
c4366c |
+++ openssl-fips-0.9.8e/fips/sha/Makefile 2009-04-15 11:57:17.000000000 +0200
|
|
|
c4366c |
@@ -47,7 +47,7 @@ lib: $(LIBOBJ)
|
|
|
c4366c |
@echo $(LIBOBJ) > lib
|
|
|
c4366c |
|
|
|
c4366c |
../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o
|
|
|
c4366c |
- FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
|
|
|
c4366c |
+ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
|
|
|
c4366c |
$(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM
|
|
|
c4366c |
|
|
|
c4366c |
files:
|
|
|
c4366c |
diff -up openssl-fips-0.9.8e/Makefile.org.use-fipscheck openssl-fips-0.9.8e/Makefile.org
|
|
|
c4366c |
--- openssl-fips-0.9.8e/Makefile.org.use-fipscheck 2009-03-26 15:15:39.000000000 +0100
|
|
|
c4366c |
+++ openssl-fips-0.9.8e/Makefile.org 2009-03-26 15:15:39.000000000 +0100
|
|
|
c4366c |
@@ -355,10 +355,6 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA
|
|
|
c4366c |
$(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \
|
|
|
c4366c |
$(AR) libcrypto.a fips/fipscanister.o ; \
|
|
|
c4366c |
else \
|
|
|
c4366c |
- if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
|
|
|
c4366c |
- FIPSLD_CC=$(CC); CC=fips/fipsld; \
|
|
|
c4366c |
- export CC FIPSLD_CC; \
|
|
|
c4366c |
- fi; \
|
|
|
c4366c |
$(MAKE) -e SHLIBDIRS='crypto' build-shared; \
|
|
|
c4366c |
fi \
|
|
|
c4366c |
else \
|
|
|
c4366c |
@@ -379,9 +375,8 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT
|
|
|
c4366c |
fips/fipscanister.o: build_fips
|
|
|
c4366c |
libfips$(SHLIB_EXT): fips/fipscanister.o
|
|
|
c4366c |
@if [ "$(SHLIB_TARGET)" != "" ]; then \
|
|
|
c4366c |
- FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \
|
|
|
c4366c |
$(MAKE) -f Makefile.shared -e $(BUILDENV) \
|
|
|
c4366c |
- CC=$${CC} LIBNAME=fips THIS=$@ \
|
|
|
c4366c |
+ CC=$(CC) LIBNAME=fips THIS=$@ \
|
|
|
c4366c |
LIBEXTRAS=fips/fipscanister.o \
|
|
|
c4366c |
LIBDEPS="$(EX_LIBS)" \
|
|
|
c4366c |
LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
|
|
|
c4366c |
@@ -467,7 +462,7 @@ openssl.pc: Makefile
|
|
|
c4366c |
echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
|
|
|
c4366c |
echo 'Version: '$(VERSION); \
|
|
|
c4366c |
echo 'Requires: '; \
|
|
|
c4366c |
- echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
|
|
|
c4366c |
+ echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)';\
|
|
|
c4366c |
echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
|
|
|
c4366c |
|
|
|
c4366c |
Makefile: Makefile.org Configure config
|
|
|
c4366c |
diff -up openssl-fips-0.9.8e/test/Makefile.use-fipscheck openssl-fips-0.9.8e/test/Makefile
|
|
|
c4366c |
--- openssl-fips-0.9.8e/test/Makefile.use-fipscheck 2007-08-26 16:57:41.000000000 +0200
|
|
|
c4366c |
+++ openssl-fips-0.9.8e/test/Makefile 2009-04-15 11:37:30.000000000 +0200
|
|
|
c4366c |
@@ -395,8 +395,7 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$
|
|
|
c4366c |
if [ "$(FIPSCANLIB)" = "libfips" ]; then \
|
|
|
c4366c |
LIBRARIES="-L$(TOP) -lfips"; \
|
|
|
c4366c |
else \
|
|
|
c4366c |
- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
|
|
|
c4366c |
- LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \
|
|
|
c4366c |
+ LIBRARIES="$(LIBCRYPTO)"; \
|
|
|
c4366c |
fi; \
|
|
|
c4366c |
$(MAKE) -f $(TOP)/Makefile.shared -e \
|
|
|
c4366c |
CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
|
|
|
c4366c |
@@ -407,9 +406,6 @@ FIPS_CRYPTO_BUILD_CMD=shlib_target=; if
|
|
|
c4366c |
shlib_target="$(SHLIB_TARGET)"; \
|
|
|
c4366c |
fi; \
|
|
|
c4366c |
LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \
|
|
|
c4366c |
- if [ -z "$(SHARED_LIBS)" ] ; then \
|
|
|
c4366c |
- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
|
|
|
c4366c |
- fi; \
|
|
|
c4366c |
[ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
|
|
|
c4366c |
$(MAKE) -f $(TOP)/Makefile.shared -e \
|
|
|
c4366c |
CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
|