CHANGES +7 −0
@@ -4,6 +4,13 @@ Changes between 1.0.1 and 1.1.0 [xx XXX xxxx] *) New algorithm test program fips_dhvs to handle DH primitives only testing. [Steve Henson] *) New function DH_compute_key_padded() to compute a DH key and pad with leading zeroes if needed: this complies with SP800-56A et al. [Steve Henson] *) Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by anything, incomplete, subject to change and largely untested at present. [Steve Henson]
fips/dh/Makefile +1 −1
@@ -18,7 +18,7 @@ AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST= TEST= fips_dhvs.c APPS= LIB=$(TOP)/libcrypto.a
fips/dh/fips_dhvs.c 0 → 100644 +223 −0
/* fips/dh/fips_dhvs.c */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ /* ==================================================================== * Copyright (c) 2011 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6.
Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== */ #define OPENSSL_FIPSAPI #include <openssl/opensslconf.h> #ifndef OPENSSL_FIPS #include <stdio.h> int main(int argc, char **argv) { printf("No FIPS DRBG support\n"); return(0); } #else #include <openssl/crypto.h> #include <openssl/bn.h> #include <openssl/dh.h> #include <openssl/fips.h> #include <openssl/err.h> #include <openssl/evp.h> #include <string.h> #include <ctype.h> #include "fips_utl.h" static const EVP_MD *parse_md(char *line) { char *p; if (line[0] != '[' || line[1] != 'F') return NULL; p = strchr(line, '-'); if (!p) return NULL; line = p + 1; p = strchr(line, ']'); if (!p) return NULL; *p = 0; p = line; while(isspace(*p)) p++; if (!strcmp(p, "SHA1")) return EVP_sha1(); else if (!strcmp(p, "SHA224")) return EVP_sha224(); else if (!strcmp(p, "SHA256")) return EVP_sha256(); else if (!strcmp(p, "SHA384")) return EVP_sha384(); else if (!strcmp(p, "SHA512")) return EVP_sha512(); else return NULL; } int main(int argc,char 
**argv) { FILE *in, *out; char buf[2048], lbuf[2048]; unsigned char *rhash, chash[EVP_MAX_MD_SIZE]; long rhashlen; DH *dh = NULL; const EVP_MD *md = NULL; BIGNUM *peerkey = NULL; char *keyword = NULL, *value = NULL; fips_set_error_print(); if (argc == 3) { in = fopen(argv[1], "r"); if (!in) { fprintf(stderr, "Error opening input file\n"); exit(1); } out = fopen(argv[2], "w"); if (!out) { fprintf(stderr, "Error opening output file\n"); exit(1); } } else if (argc == 1) { in = stdin; out = stdout; } else { fprintf(stderr,"%s (infile outfile)\n",argv[0]); exit(1); } dh = FIPS_dh_new(); while (fgets(buf, sizeof(buf), in) != NULL) { fputs(buf, out); if (strlen(buf) > 6 && !strncmp(buf, "[F", 2)) { md = parse_md(buf); if (md == NULL) goto parse_error; if (dh) FIPS_dh_free(dh); dh = FIPS_dh_new(); continue; } if (!parse_line(&keyword, &value, lbuf, buf)) continue; if (!strcmp(keyword, "P")) { if (!do_hex2bn(&dh->p, value)) goto parse_error; } else if (!strcmp(keyword, "Q")) { if (!do_hex2bn(&dh->q, value)) goto parse_error; } else if (!strcmp(keyword, "G")) { if (!do_hex2bn(&dh->g, value)) goto parse_error; } else if (!strcmp(keyword, "XephemIUT")) { if (!do_hex2bn(&dh->priv_key, value)) goto parse_error; } else if (!strcmp(keyword, "YephemIUT")) { if (!do_hex2bn(&dh->pub_key, value)) goto parse_error; } else if (!strcmp(keyword, "YephemCAVS")) { if (!do_hex2bn(&peerkey, value)) goto parse_error; } else if (!strcmp(keyword, "CAVSHashZZ")) { int Zlen; unsigned char *Z; if (!md) goto parse_error; rhash = hex2bin_m(value, &rhashlen); if (!rhash || rhashlen != M_EVP_MD_size(md)) goto parse_error; Z = OPENSSL_malloc(BN_num_bytes(dh->p)); if (!Z) exit(1); Zlen = DH_compute_key_padded(Z, peerkey, dh); OutputValue("Z", Z, Zlen, out, 0); FIPS_digest(Z, Zlen, chash, NULL, md); OutputValue("IUTHashZZ", chash, rhashlen, out, 0); fprintf(out, "Result = %s\n", memcmp(chash, rhash, rhashlen) ? 
"F" : "P"); OPENSSL_free(Z); } } return 0; parse_error: fprintf(stderr, "Error Parsing request file\n"); exit(1); } #endif
test/Makefile +7 −3
@@ -75,6 +75,7 @@ FIPS_DSATEST= fips_dsatest FIPS_DSSVS= fips_dssvs FIPS_RNGVS= fips_rngvs FIPS_DRBGVS= fips_drbgvs FIPS_DHVS= fips_dhvs FIPS_ECDSAVS= fips_ecdsavs FIPS_TEST_SUITE=fips_test_suite
@@ -96,7 +97,7 @@ FIPSEXE=$(FIPS_SHATEST)$(EXE_EXT) $(FIPS_DESTEST)$(EXE_EXT) \ $(FIPS_RSASTEST)$(EXE_EXT) $(FIPS_RSAGTEST)$(EXE_EXT) \ $(FIPS_DSSVS)$(EXE_EXT) $(FIPS_DSATEST)$(EXE_EXT) \ $(FIPS_RNGVS)$(EXE_EXT) $(FIPS_DRBGVS)$(EXE_EXT) \ $(FIPS_TEST_SUITE)$(EXE_EXT) \ $(FIPS_DHVS)$(EXE_EXT) $(FIPS_TEST_SUITE)$(EXE_EXT) \ $(FIPS_GCMTEST)$(EXE_EXT) $(FIPS_ECDSAVS)$(EXE_EXT) # $(METHTEST)$(EXE_EXT)
@@ -113,7 +114,7 @@ OBJ= $(BNTEST).o $(ECTEST).o $(ECDSATEST).o $(ECDHTEST).o $(IDEATEST).o \ $(FIPS_AESTEST).o $(FIPS_HMACTEST).o $(FIPS_RSAVTEST).o \ $(FIPS_RSASTEST).o $(FIPS_RSAGTEST).o $(FIPS_GCMTEST).o \ $(FIPS_DSSVS).o $(FIPS_DSATEST).o $(FIPS_RNGVS).o $(FIPS_DRBGVS).o \ $(FIPS_TEST_SUITE).o $(FIPS_ECDSAVS).o \ $(FIPS_TEST_SUITE).o $(FIPS_DHVS).o $(FIPS_ECDSAVS).o \ $(EVPTEST).o $(IGETEST).o $(JPAKETEST).o SRC= $(BNTEST).c $(ECTEST).c $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \ $(MD2TEST).c $(MD4TEST).c $(MD5TEST).c \
@@ -126,7 +127,7 @@ SRC= $(BNTEST).c $(ECTEST).c $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \ $(FIPS_AESTEST).c $(FIPS_HMACTEST).c $(FIPS_RSAVTEST).c \ $(FIPS_RSASTEST).c $(FIPS_RSAGTEST).c $(FIPS_GCMTEST).c \ $(FIPS_DSSVS).c $(FIPS_DSATEST).c $(FIPS_RNGVS).c $(FIPS_DRBGVS).c \ $(FIPS_TEST_SUITE).c $(FIPS_ECDSAVS).c \ $(FIPS_TEST_SUITE).c $(FIPS_DHVS).c $(FIPS_ECDSAVS).c \ $(EVPTEST).c $(IGETEST).c $(JPAKETEST).c EXHEADER=
@@ -472,6 +473,9 @@ $(FIPS_DSATEST)$(EXE_EXT): $(FIPS_DSATEST).o $(DLIBCRYPTO) $(FIPS_DSSVS)$(EXE_EXT): $(FIPS_DSSVS).o $(DLIBCRYPTO) @target=$(FIPS_DSSVS); $(FIPS_BUILD_CMD) $(FIPS_DHVS)$(EXE_EXT): $(FIPS_DHVS).o $(DLIBCRYPTO) @target=$(FIPS_DHVS); $(FIPS_BUILD_CMD) $(FIPS_ECDSAVS)$(EXE_EXT): $(FIPS_ECDSAVS).o $(DLIBCRYPTO) @target=$(FIPS_ECDSAVS); $(FIPS_BUILD_CMD)
CHANGES +7 −0
@@ -4,6 +4,13 @@ Changes between 1.0.1 and 1.1.0 [xx XXX xxxx] *) New algorithm test program fips_dhvs to handle DH primitives only testing. [Steve Henson] *) New function DH_compute_key_padded() to compute a DH key and pad with leading zeroes if needed: this complies with SP800-56A et al. [Steve Henson] *) Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by anything, incomplete, subject to change and largely untested at present. [Steve Henson]
fips/dh/Makefile +1 −1
@@ -18,7 +18,7 @@ AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST= TEST= fips_dhvs.c APPS= LIB=$(TOP)/libcrypto.a
fips/dh/fips_dhvs.c 0 → 100644 +223 −0
/* fips/dh/fips_dhvs.c */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ /* ==================================================================== * Copyright (c) 2011 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== */ #define OPENSSL_FIPSAPI #include <openssl/opensslconf.h> #ifndef OPENSSL_FIPS #include <stdio.h> int main(int argc, char **argv) { printf("No FIPS DRBG support\n"); return(0); } #else #include <openssl/crypto.h> #include <openssl/bn.h> #include <openssl/dh.h> #include <openssl/fips.h> #include <openssl/err.h> #include <openssl/evp.h> #include <string.h> #include <ctype.h> #include "fips_utl.h" static const EVP_MD *parse_md(char *line) { char *p; if (line[0] != '[' || line[1] != 'F') return NULL; p = strchr(line, '-'); if (!p) return NULL; line = p + 1; p = strchr(line, ']'); if (!p) return NULL; *p = 0; p = line; while(isspace(*p)) p++; if (!strcmp(p, "SHA1")) return EVP_sha1(); else if (!strcmp(p, "SHA224")) return EVP_sha224(); else if (!strcmp(p, "SHA256")) return EVP_sha256(); else if (!strcmp(p, "SHA384")) return EVP_sha384(); else if (!strcmp(p, "SHA512")) return EVP_sha512(); else return NULL; } int main(int argc,char **argv) { FILE *in, *out; char buf[2048], lbuf[2048]; unsigned char *rhash, chash[EVP_MAX_MD_SIZE]; long rhashlen; DH *dh = NULL; const EVP_MD *md = NULL; BIGNUM *peerkey = NULL; char *keyword = NULL, *value = NULL; fips_set_error_print(); if (argc == 3) { in = fopen(argv[1], "r"); if (!in) { fprintf(stderr, "Error opening input file\n"); exit(1); } out = fopen(argv[2], "w"); if (!out) { fprintf(stderr, "Error opening output file\n"); exit(1); } } 
else if (argc == 1) { in = stdin; out = stdout; } else { fprintf(stderr,"%s (infile outfile)\n",argv[0]); exit(1); } dh = FIPS_dh_new(); while (fgets(buf, sizeof(buf), in) != NULL) { fputs(buf, out); if (strlen(buf) > 6 && !strncmp(buf, "[F", 2)) { md = parse_md(buf); if (md == NULL) goto parse_error; if (dh) FIPS_dh_free(dh); dh = FIPS_dh_new(); continue; } if (!parse_line(&keyword, &value, lbuf, buf)) continue; if (!strcmp(keyword, "P")) { if (!do_hex2bn(&dh->p, value)) goto parse_error; } else if (!strcmp(keyword, "Q")) { if (!do_hex2bn(&dh->q, value)) goto parse_error; } else if (!strcmp(keyword, "G")) { if (!do_hex2bn(&dh->g, value)) goto parse_error; } else if (!strcmp(keyword, "XephemIUT")) { if (!do_hex2bn(&dh->priv_key, value)) goto parse_error; } else if (!strcmp(keyword, "YephemIUT")) { if (!do_hex2bn(&dh->pub_key, value)) goto parse_error; } else if (!strcmp(keyword, "YephemCAVS")) { if (!do_hex2bn(&peerkey, value)) goto parse_error; } else if (!strcmp(keyword, "CAVSHashZZ")) { int Zlen; unsigned char *Z; if (!md) goto parse_error; rhash = hex2bin_m(value, &rhashlen); if (!rhash || rhashlen != M_EVP_MD_size(md)) goto parse_error; Z = OPENSSL_malloc(BN_num_bytes(dh->p)); if (!Z) exit(1); Zlen = DH_compute_key_padded(Z, peerkey, dh); OutputValue("Z", Z, Zlen, out, 0); FIPS_digest(Z, Zlen, chash, NULL, md); OutputValue("IUTHashZZ", chash, rhashlen, out, 0); fprintf(out, "Result = %s\n", memcmp(chash, rhash, rhashlen) ? "F" : "P"); OPENSSL_free(Z); } } return 0; parse_error: fprintf(stderr, "Error Parsing request file\n"); exit(1); } #endif
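Review bot: In main()'s `CAVSHashZZ` branch the return value of `DH_compute_key_padded()` is used as a length without being checked: `Zlen` goes straight into `OutputValue("Z", Z, Zlen, out, 0)` and `FIPS_digest(Z, Zlen, chash, NULL, md)`, so if the call reports failure with a negative value (as `DH_compute_key()` does; the padded variant's body is not on this page) a malformed request file ends up driving a bogus length into the output and digest calls. The same branch dereferences `dh->p` in `BN_num_bytes(dh->p)` and passes `peerkey` on without confirming that `P` and `YephemCAVS` were actually supplied for the current vector. I would add `if (!dh->p || !peerkey) goto parse_error;` before the `OPENSSL_malloc` and `if (Zlen <= 0) { OPENSSL_free(Z); goto parse_error; }` right after the compute. Separately, `rhash` returned by `hex2bin_m()` is never released in the visible code, which looks like a per-vector leak; presumably it needs `OPENSSL_free(rhash);` next to `OPENSSL_free(Z);`, to be confirmed against fips_utl.h.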
test/Makefile +7 −3
@@ -75,6 +75,7 @@ FIPS_DSATEST= fips_dsatest FIPS_DSSVS= fips_dssvs FIPS_RNGVS= fips_rngvs FIPS_DRBGVS= fips_drbgvs FIPS_DHVS= fips_dhvs FIPS_ECDSAVS= fips_ecdsavs FIPS_TEST_SUITE=fips_test_suite
@@ -96,7 +97,7 @@ FIPSEXE=$(FIPS_SHATEST)$(EXE_EXT) $(FIPS_DESTEST)$(EXE_EXT) \ $(FIPS_RSASTEST)$(EXE_EXT) $(FIPS_RSAGTEST)$(EXE_EXT) \ $(FIPS_DSSVS)$(EXE_EXT) $(FIPS_DSATEST)$(EXE_EXT) \ $(FIPS_RNGVS)$(EXE_EXT) $(FIPS_DRBGVS)$(EXE_EXT) \ $(FIPS_TEST_SUITE)$(EXE_EXT) \ $(FIPS_DHVS)$(EXE_EXT) $(FIPS_TEST_SUITE)$(EXE_EXT) \ $(FIPS_GCMTEST)$(EXE_EXT) $(FIPS_ECDSAVS)$(EXE_EXT) # $(METHTEST)$(EXE_EXT)
@@ -113,7 +114,7 @@ OBJ= $(BNTEST).o $(ECTEST).o $(ECDSATEST).o $(ECDHTEST).o $(IDEATEST).o \ $(FIPS_AESTEST).o $(FIPS_HMACTEST).o $(FIPS_RSAVTEST).o \ $(FIPS_RSASTEST).o $(FIPS_RSAGTEST).o $(FIPS_GCMTEST).o \ $(FIPS_DSSVS).o $(FIPS_DSATEST).o $(FIPS_RNGVS).o $(FIPS_DRBGVS).o \ $(FIPS_TEST_SUITE).o $(FIPS_ECDSAVS).o \ $(FIPS_TEST_SUITE).o $(FIPS_DHVS).o $(FIPS_ECDSAVS).o \ $(EVPTEST).o $(IGETEST).o $(JPAKETEST).o SRC= $(BNTEST).c $(ECTEST).c $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \ $(MD2TEST).c $(MD4TEST).c $(MD5TEST).c \
@@ -126,7 +127,7 @@ SRC= $(BNTEST).c $(ECTEST).c $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \ $(FIPS_AESTEST).c $(FIPS_HMACTEST).c $(FIPS_RSAVTEST).c \ $(FIPS_RSASTEST).c $(FIPS_RSAGTEST).c $(FIPS_GCMTEST).c \ $(FIPS_DSSVS).c $(FIPS_DSATEST).c $(FIPS_RNGVS).c $(FIPS_DRBGVS).c \ $(FIPS_TEST_SUITE).c $(FIPS_ECDSAVS).c \ $(FIPS_TEST_SUITE).c $(FIPS_DHVS).c $(FIPS_ECDSAVS).c \ $(EVPTEST).c $(IGETEST).c $(JPAKETEST).c EXHEADER=
@@ -472,6 +473,9 @@ $(FIPS_DSATEST)$(EXE_EXT): $(FIPS_DSATEST).o $(DLIBCRYPTO) $(FIPS_DSSVS)$(EXE_EXT): $(FIPS_DSSVS).o $(DLIBCRYPTO) @target=$(FIPS_DSSVS); $(FIPS_BUILD_CMD) $(FIPS_DHVS)$(EXE_EXT): $(FIPS_DHVS).o $(DLIBCRYPTO) @target=$(FIPS_DHVS); $(FIPS_BUILD_CMD) $(FIPS_ECDSAVS)$(EXE_EXT): $(FIPS_ECDSAVS).o $(DLIBCRYPTO) @target=$(FIPS_ECDSAVS); $(FIPS_BUILD_CMD)