aboutsummaryrefslogtreecommitdiffstats
path: root/fips
diff options
context:
space:
mode:
Diffstat (limited to 'fips')
-rw-r--r--fips/Makefile14
-rw-r--r--fips/aes/fips_aesavs.c8
-rw-r--r--fips/des/fips_desmovs.c31
-rw-r--r--fips/dsa/fips_dsa_key.c2
-rw-r--r--fips/dsa/fips_dsa_sign.c2
-rw-r--r--fips/dsa/fips_dsatest.c2
-rw-r--r--fips/dsa/fips_dssvs.c25
-rw-r--r--fips/fips_locl.h1
-rw-r--r--fips/fips_test_suite.c79
-rw-r--r--fips/fips_utl.h16
-rwxr-xr-xfips/fipsalgtest.pl55
-rwxr-xr-xfips/fipsld12
-rw-r--r--fips/hmac/fips_hmac.c4
-rw-r--r--fips/hmac/fips_hmac_selftest.c2
-rw-r--r--fips/rand/fips_rand.c4
-rw-r--r--fips/rand/fips_rngvs.c4
-rw-r--r--fips/rsa/fips_rsagtest.c2
-rw-r--r--fips/rsa/fips_rsastest.c2
-rw-r--r--fips/rsa/fips_rsavtest.c3
-rw-r--r--fips/sha/Makefile6
-rw-r--r--fips/sha/fips_sha1_selftest.c2
21 files changed, 167 insertions, 109 deletions
diff --git a/fips/Makefile b/fips/Makefile
index e038be8f13f7..720a883a6949 100644
--- a/fips/Makefile
+++ b/fips/Makefile
@@ -63,7 +63,7 @@ testapps:
all:
@if [ -z "$(FIPSLIBDIR)" ]; then \
$(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \
- else \
+ else \
$(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \
fi
@@ -109,7 +109,7 @@ fipscanister.o: fips_start.o $(LIBOBJ) $(FIPS_OBJ_LISTS) fips_end.o
HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \
*) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \
esac fi
- ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1
+ ./fips_standalone_sha1$(EXE_EXT) fipscanister.o > fipscanister.o.sha1
# If another exception is immediately required, assign approprite
# site-specific ld command to FIPS_SITE_LD environment variable.
@@ -123,7 +123,11 @@ fips_premain_dso$(EXE_EXT): fips_premain.c
$(FIPSLIBDIR)fipscanister.o ../libcrypto.a $(EX_LIBS)
# this is executed only when linking with external fipscanister.o
fips_standalone_sha1$(EXE_EXT): sha/fips_standalone_sha1.c
- $(CC) $(CFLAGS) -DFIPSCANISTER_O -o $@ sha/fips_standalone_sha1.c $(FIPSLIBDIR)fipscanister.o $(EX_LIBS)
+ if [ -z $(HOSTCC) ] ; then \
+ $(CC) $(CFLAGS) -DFIPSCANISTER_O -o $@ sha/fips_standalone_sha1.c $(FIPSLIBDIR)fipscanister.o $(EX_LIBS) ; \
+ else \
+ $(HOSTCC) $(HOSTCFLAGS) -o $ $@ -I../include -I../crypto sha/fips_standalone_sha1.c ../crypto/sha/sha1dgst.c ; \
+ fi
subdirs:
@target=all; $(RECURSIVE_MAKE)
@@ -188,8 +192,8 @@ install:
done
cp -p -f $(FIPSLIBDIR)fipscanister.o $(FIPSLIBDIR)fipscanister.o.sha1 \
$(FIPSLIBDIR)fips_premain.c $(FIPSLIBDIR)fips_premain.c.sha1 \
- $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \
- chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips*
+ $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/; \
+ chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/fips*
lint:
@target=lint; $(RECURSIVE_MAKE)
diff --git a/fips/aes/fips_aesavs.c b/fips/aes/fips_aesavs.c
index 9ce613b96dff..a3c8b400afe0 100644
--- a/fips/aes/fips_aesavs.c
+++ b/fips/aes/fips_aesavs.c
@@ -89,7 +89,7 @@ int main(int argc, char *argv[])
/*-----------------------------------------------*/
-int AESTest(EVP_CIPHER_CTX *ctx,
+static int AESTest(EVP_CIPHER_CTX *ctx,
char *amode, int akeysz, unsigned char *aKey,
unsigned char *iVec,
int dir, /* 0 = decrypt, 1 = encrypt */
@@ -238,7 +238,7 @@ enum XCrypt {XDECRYPT, XENCRYPT};
#define gb(a,b) (((a)[(b)/8] >> (7-(b)%8))&1)
#define sb(a,b,v) ((a)[(b)/8]=((a)[(b)/8]&~(1 << (7-(b)%8)))|(!!(v) << (7-(b)%8)))
-int do_mct(char *amode,
+static int do_mct(char *amode,
int akeysz, unsigned char *aKey,unsigned char *iVec,
int dir, unsigned char *text, int len,
FILE *rfp)
@@ -546,7 +546,7 @@ int do_mct(char *amode,
# Fri Aug 30 04:07:22 PM
----------------------------*/
-int proc_file(char *rqfile, char *rspfile)
+static int proc_file(char *rqfile, char *rspfile)
{
char afn[256], rfn[256];
FILE *afp = NULL, *rfp = NULL;
@@ -767,7 +767,7 @@ int proc_file(char *rqfile, char *rspfile)
err =1;
break;
}
- if (len >= sizeof(plaintext))
+ if (len >= (int)sizeof(plaintext))
{
printf("Buffer overflow\n");
}
diff --git a/fips/des/fips_desmovs.c b/fips/des/fips_desmovs.c
index 2d3424cf9f82..f96a5cabd478 100644
--- a/fips/des/fips_desmovs.c
+++ b/fips/des/fips_desmovs.c
@@ -88,7 +88,7 @@ int main(int argc, char *argv[])
#define VERBOSE 0
-int DESTest(EVP_CIPHER_CTX *ctx,
+static int DESTest(EVP_CIPHER_CTX *ctx,
char *amode, int akeysz, unsigned char *aKey,
unsigned char *iVec,
int dir, /* 0 = decrypt, 1 = encrypt */
@@ -110,15 +110,10 @@ int DESTest(EVP_CIPHER_CTX *ctx,
cipher = EVP_des_ede3_cfb64();
else if (strncasecmp(amode, "OFB", 3) == 0)
cipher = EVP_des_ede3_ofb();
-#if 0
- else if(!strcasecmp(amode,"CFB1"))
- {
- ctx->cbits = 1;
- ctx->cmode = EVP_CIPH_CFB_MODE;
- }
-#endif
else if(!strcasecmp(amode,"CFB8"))
cipher = EVP_des_ede3_cfb8();
+ else if(!strcasecmp(amode,"CFB1"))
+ cipher = EVP_des_ede3_cfb1();
else
{
printf("Unknown mode: %s\n", amode);
@@ -127,20 +122,22 @@ int DESTest(EVP_CIPHER_CTX *ctx,
if (EVP_CipherInit_ex(ctx, cipher, NULL, aKey, iVec, dir) <= 0)
return 0;
+ if(!strcasecmp(amode,"CFB1"))
+ M_EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS);
EVP_Cipher(ctx, out, in, len);
return 1;
}
-
-void DebugValue(char *tag, unsigned char *val, int len)
+#if 0
+static void DebugValue(char *tag, unsigned char *val, int len)
{
char obuf[2048];
int olen;
olen = bin2hex(val, len, obuf);
printf("%s = %.*s\n", tag, olen, obuf);
}
-
-void shiftin(unsigned char *dst,unsigned char *src,int nbits)
+#endif
+static void shiftin(unsigned char *dst,unsigned char *src,int nbits)
{
int n;
@@ -160,7 +157,7 @@ char *t_mode[6] = {"CBC","ECB","OFB","CFB1","CFB8","CFB64"};
enum Mode {CBC, ECB, OFB, CFB1, CFB8, CFB64};
int Sizes[6]={64,64,64,1,8,64};
-void do_mct(char *amode,
+static void do_mct(char *amode,
int akeysz, int numkeys, unsigned char *akey,unsigned char *ivec,
int dir, unsigned char *text, int len,
FILE *rfp)
@@ -200,11 +197,11 @@ void do_mct(char *amode,
if(imode != ECB)
OutputValue("IV",ivec,8,rfp,0);
OutputValue(t_tag[dir^1],text,len,rfp,imode == CFB1);
-
+#if 0
/* compensate for endianness */
if(imode == CFB1)
text[0]<<=7;
-
+#endif
memcpy(text0,text,8);
for(j=0 ; j < 10000 ; ++j)
@@ -267,7 +264,7 @@ void do_mct(char *amode,
}
}
-int proc_file(char *rqfile, char *rspfile)
+static int proc_file(char *rqfile, char *rspfile)
{
char afn[256], rfn[256];
FILE *afp = NULL, *rfp = NULL;
@@ -535,7 +532,7 @@ int proc_file(char *rqfile, char *rspfile)
err =1;
break;
}
- if (len >= sizeof(plaintext))
+ if (len >= (int)sizeof(plaintext))
{
printf("Buffer overflow\n");
}
diff --git a/fips/dsa/fips_dsa_key.c b/fips/dsa/fips_dsa_key.c
index b5f8cfa1d0a8..9f21033b2146 100644
--- a/fips/dsa/fips_dsa_key.c
+++ b/fips/dsa/fips_dsa_key.c
@@ -78,7 +78,7 @@ void FIPS_corrupt_dsa_keygen(void)
static int dsa_builtin_keygen(DSA *dsa);
-int fips_check_dsa(DSA *dsa)
+static int fips_check_dsa(DSA *dsa)
{
EVP_PKEY pk;
unsigned char tbs[] = "DSA Pairwise Check Data";
diff --git a/fips/dsa/fips_dsa_sign.c b/fips/dsa/fips_dsa_sign.c
index 32ea0b0feaf1..7a4d51d7345e 100644
--- a/fips/dsa/fips_dsa_sign.c
+++ b/fips/dsa/fips_dsa_sign.c
@@ -70,6 +70,7 @@
* case of a DSA signature.
*/
+#if 0
int FIPS_dsa_size(DSA *r)
{
int ilen;
@@ -83,6 +84,7 @@ int FIPS_dsa_size(DSA *r)
*/
return ilen * 2 + 6;
}
+#endif
/* Tiny ASN1 encoder for DSA_SIG structure. We can assume r, s smaller than
* 0x80 octets as by the DSA standards they will be less than 2^160
diff --git a/fips/dsa/fips_dsatest.c b/fips/dsa/fips_dsatest.c
index c7e0f5164f2b..1aec089ae144 100644
--- a/fips/dsa/fips_dsatest.c
+++ b/fips/dsa/fips_dsatest.c
@@ -69,7 +69,6 @@
#include <openssl/rand.h>
#include <openssl/bio.h>
#include <openssl/err.h>
-#include <openssl/dsa.h>
#include <openssl/bn.h>
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
@@ -83,6 +82,7 @@ int main(int argc, char *argv[])
return(0);
}
#else
+#include <openssl/dsa.h>
#include <openssl/fips.h>
#include <openssl/fips_rand.h>
#include <openssl/dsa.h>
diff --git a/fips/dsa/fips_dssvs.c b/fips/dsa/fips_dssvs.c
index aa74e8e636f6..45f4e1ce47de 100644
--- a/fips/dsa/fips_dssvs.c
+++ b/fips/dsa/fips_dssvs.c
@@ -40,7 +40,7 @@ static void pbn(const char *name, BIGNUM *bn)
return;
}
-void primes()
+static void primes()
{
char buf[10240];
char lbuf[10240];
@@ -63,7 +63,7 @@ void primes()
}
}
-void pqg()
+static void pqg()
{
char buf[1024];
char lbuf[1024];
@@ -112,7 +112,7 @@ void pqg()
}
}
-void pqgver()
+static void pqgver()
{
char buf[1024];
char lbuf[1024];
@@ -131,6 +131,7 @@ void pqgver()
fputs(buf,stdout);
continue;
}
+ fputs(buf, stdout);
if(!strcmp(keyword,"[mod"))
nmod=atoi(value);
else if(!strcmp(keyword,"P"))
@@ -158,12 +159,6 @@ void pqgver()
fprintf(stderr, "Parse Error\n");
exit (1);
}
- pbn("P",p);
- pbn("Q",q);
- pbn("G",g);
- pv("Seed",seed,20);
- printf("c = %d\n",counter);
- printf("H = %lx\n",h);
dsa = FIPS_dsa_new();
if (!DSA_generate_parameters_ex(dsa, nmod,seed,20 ,&counter2,&h2,NULL))
{
@@ -174,7 +169,7 @@ void pqgver()
|| (counter != counter2) || (h != h2))
printf("Result = F\n");
else
- printf("Result = T\n");
+ printf("Result = P\n");
BN_free(p);
BN_free(q);
BN_free(g);
@@ -217,7 +212,7 @@ static int dss_paramcheck(int nmod, BIGNUM *p, BIGNUM *q, BIGNUM *g,
return 1;
}
-void keyver()
+static void keyver()
{
char buf[1024];
char lbuf[1024];
@@ -286,7 +281,7 @@ void keyver()
if (!BN_mod_exp(Y2, g, X, p, ctx) || BN_cmp(Y2, Y))
printf("Result = F\n");
else
- printf("Result = T\n");
+ printf("Result = P\n");
}
BN_free(X);
BN_free(Y);
@@ -304,7 +299,7 @@ void keyver()
BN_free(Y2);
}
-void keypair()
+static void keypair()
{
char buf[1024];
char lbuf[1024];
@@ -353,7 +348,7 @@ void keypair()
}
}
-void siggen()
+static void siggen()
{
char buf[1024];
char lbuf[1024];
@@ -426,7 +421,7 @@ void siggen()
FIPS_dsa_free(dsa);
}
-void sigver()
+static void sigver()
{
DSA *dsa=NULL;
char buf[1024];
diff --git a/fips/fips_locl.h b/fips/fips_locl.h
index 03fed36e3cfd..b3ea289ccd9c 100644
--- a/fips/fips_locl.h
+++ b/fips/fips_locl.h
@@ -64,6 +64,7 @@ int fips_set_owning_thread(void);
void fips_set_selftest_fail(void);
int fips_clear_owning_thread(void);
unsigned char *fips_signature_witness(void);
+int fips_check_rsa(RSA *rsa);
#define FIPS_MAX_CIPHER_TEST_SIZE 16
diff --git a/fips/fips_test_suite.c b/fips/fips_test_suite.c
index 78a15b7758f5..2bc0ba9080fb 100644
--- a/fips/fips_test_suite.c
+++ b/fips/fips_test_suite.c
@@ -18,9 +18,6 @@
#include <stdlib.h>
#include <openssl/aes.h>
#include <openssl/des.h>
-#include <openssl/rsa.h>
-#include <openssl/dsa.h>
-#include <openssl/dh.h>
#include <openssl/hmac.h>
#include <openssl/err.h>
@@ -37,6 +34,10 @@ int main(int argc, char *argv[])
}
#else
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/dh.h>
+
#include <openssl/fips.h>
#include "fips_utl.h"
@@ -379,7 +380,8 @@ static int Zeroize()
BIGNUM *bn;
unsigned char userkey[16] =
{ 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f, 0x83, 0x02, 0xb1, 0x09, 0x68 };
- int i, n;
+ size_t i;
+ int n;
key = FIPS_rsa_new();
bn = BN_new();
@@ -410,13 +412,18 @@ static int Zeroize()
}
static int Error;
-const char * Fail(const char *msg)
+static const char * Fail(const char *msg)
{
do_print_errors();
Error++;
return msg;
}
+static void test_msg(const char *msg, int result)
+ {
+ printf("%s...%s\n", msg, result ? "successful" : Fail("Failed!"));
+ }
+
int main(int argc,char **argv)
{
@@ -487,20 +494,14 @@ int main(int argc,char **argv)
/* Non-Approved cryptographic operation
*/
printf("1. Non-Approved cryptographic operation test...\n");
- printf("\ta. Included algorithm (D-H)...");
- printf( dh_test() ? "successful\n" : Fail("FAILED!\n") );
+ test_msg("\ta. Included algorithm (D-H)...", dh_test());
/* Power-up self test
*/
ERR_clear_error();
- printf("2. Automatic power-up self test...");
- if (!FIPS_mode_set(1))
- {
- do_print_errors();
- printf(Fail("FAILED!\n"));
+ test_msg("2. Automatic power-up self test", FIPS_mode_set(1));
+ if (!FIPS_mode())
exit(1);
- }
- printf("successful\n");
if (do_corrupt_dsa_keygen)
FIPS_corrupt_dsa_keygen();
if (do_corrupt_rsa_keygen)
@@ -510,76 +511,66 @@ int main(int argc,char **argv)
/* AES encryption/decryption
*/
- printf("3. AES encryption/decryption...");
- printf( FIPS_aes_test() ? "successful\n" : Fail("FAILED!\n") );
+ test_msg("3. AES encryption/decryption", FIPS_aes_test());
/* RSA key generation and encryption/decryption
*/
- printf("4. RSA key generation and encryption/decryption...");
- printf( FIPS_rsa_test(bad_rsa) ? "successful\n" : Fail("FAILED!\n") );
+ test_msg("4. RSA key generation and encryption/decryption",
+ FIPS_rsa_test(bad_rsa));
/* DES-CBC encryption/decryption
*/
- printf("5. DES-ECB encryption/decryption...");
- printf( FIPS_des3_test() ? "successful\n" : Fail("FAILED!\n") );
+ test_msg("5. DES-ECB encryption/decryption", FIPS_des3_test());
/* DSA key generation and signature validation
*/
- printf("6. DSA key generation and signature validation...");
- printf( FIPS_dsa_test(bad_dsa) ? "successful\n" : Fail("FAILED!\n") );
+ test_msg("6. DSA key generation and signature validation",
+ FIPS_dsa_test(bad_dsa));
/* SHA-1 hash
*/
- printf("7a. SHA-1 hash...");
- printf( FIPS_sha1_test() ? "successful\n" : Fail("FAILED!\n") );
+ test_msg("7a. SHA-1 hash", FIPS_sha1_test());
/* SHA-256 hash
*/
- printf("7b. SHA-256 hash...");
- printf( FIPS_sha256_test() ? "successful\n" : Fail("FAILED!\n") );
+ test_msg("7b. SHA-256 hash", FIPS_sha256_test());
/* SHA-512 hash
*/
- printf("7c. SHA-512 hash...");
- printf( FIPS_sha512_test() ? "successful\n" : Fail("FAILED!\n") );
+ test_msg("7c. SHA-512 hash", FIPS_sha512_test());
/* HMAC-SHA-1 hash
*/
- printf("7d. HMAC-SHA-1 hash...");
- printf( FIPS_hmac_sha1_test() ? "successful\n" : Fail("FAILED!\n") );
+ test_msg("7d. HMAC-SHA-1 hash", FIPS_hmac_sha1_test());
/* HMAC-SHA-224 hash
*/
- printf("7e. HMAC-SHA-224 hash...");
- printf( FIPS_hmac_sha224_test() ? "successful\n" : Fail("FAILED!\n") );
+ test_msg("7e. HMAC-SHA-224 hash", FIPS_hmac_sha224_test());
/* HMAC-SHA-256 hash
*/
- printf("7f. HMAC-SHA-256 hash...");
- printf( FIPS_hmac_sha256_test() ? "successful\n" : Fail("FAILED!\n") );
+ test_msg("7f. HMAC-SHA-256 hash", FIPS_hmac_sha256_test());
/* HMAC-SHA-384 hash
*/
- printf("7g. HMAC-SHA-384 hash...");
- printf( FIPS_hmac_sha384_test() ? "successful\n" : Fail("FAILED!\n") );
+ test_msg("7g. HMAC-SHA-384 hash", FIPS_hmac_sha384_test());
/* HMAC-SHA-512 hash
*/
- printf("7h. HMAC-SHA-512 hash...");
- printf( FIPS_hmac_sha512_test() ? "successful\n" : Fail("FAILED!\n") );
+ test_msg("7h. HMAC-SHA-512 hash", FIPS_hmac_sha512_test());
/* Non-Approved cryptographic operation
*/
printf("8. Non-Approved cryptographic operation test...\n");
- printf("\ta. Included algorithm (D-H)...");
- printf( dh_test() ? "successful as expected\n"
- : Fail("failed INCORRECTLY!\n") );
+ printf("\ta. Included algorithm (D-H)...%s\n",
+ dh_test() ? "successful as expected"
+ : Fail("failed INCORRECTLY!") );
/* Zeroization
*/
- printf("9. Zero-ization...\n");
- printf( Zeroize() ? "\tsuccessful as expected\n"
- : Fail("\tfailed INCORRECTLY!\n") );
+ printf("9. Zero-ization...\n\t%s\n",
+ Zeroize() ? "successful as expected"
+ : Fail("failed INCORRECTLY!") );
printf("\nAll tests completed with %d errors\n", Error);
return Error ? 1 : 0;
diff --git a/fips/fips_utl.h b/fips/fips_utl.h
index 02d4e44c82f4..85d9e12781fc 100644
--- a/fips/fips_utl.h
+++ b/fips/fips_utl.h
@@ -47,6 +47,22 @@
*
*/
+void do_print_errors(void);
+int hex2bin(const char *in, unsigned char *out);
+unsigned char *hex2bin_m(const char *in, long *plen);
+int do_hex2bn(BIGNUM **pr, const char *in);
+int do_bn_print(FILE *out, BIGNUM *bn);
+int do_bn_print_name(FILE *out, const char *name, BIGNUM *bn);
+int parse_line(char **pkw, char **pval, char *linebuf, char *olinebuf);
+BIGNUM *hex2bn(const char *in);
+int bin2hex(const unsigned char *in,int len,char *out);
+void pv(const char *tag,const unsigned char *val,int len);
+int tidy_line(char *linebuf, char *olinebuf);
+int bint2bin(const char *in, int len, unsigned char *out);
+int bin2bint(const unsigned char *in,int len,char *out);
+void PrintValue(char *tag, unsigned char *val, int len);
+void OutputValue(char *tag, unsigned char *val, int len, FILE *rfp,int bitmode);
+
void do_print_errors(void)
{
const char *file, *data;
diff --git a/fips/fipsalgtest.pl b/fips/fipsalgtest.pl
index 44a5ccac7ad0..851cc98dd9f1 100755
--- a/fips/fipsalgtest.pl
+++ b/fips/fipsalgtest.pl
@@ -19,6 +19,12 @@ my @fips_dsa_test_list = (
);
+my @fips_dsa_pqgver_test_list = (
+
+ [ "PQGVer", "fips_dssvs pqgver" ]
+
+);
+
# RSA tests
my @fips_rsa_test_list = (
@@ -304,6 +310,24 @@ my @fips_des3_test_list = (
);
+my @fips_des3_cfb1_test_list = (
+
+ # DES3 CFB1 tests
+
+ [ "TCFB1invperm", "fips_desmovs -f" ],
+ [ "TCFB1MMT1", "fips_desmovs -f" ],
+ [ "TCFB1MMT2", "fips_desmovs -f" ],
+ [ "TCFB1MMT3", "fips_desmovs -f" ],
+ [ "TCFB1Monte1", "fips_desmovs -f" ],
+ [ "TCFB1Monte2", "fips_desmovs -f" ],
+ [ "TCFB1Monte3", "fips_desmovs -f" ],
+ [ "TCFB1permop", "fips_desmovs -f" ],
+ [ "TCFB1subtab", "fips_desmovs -f" ],
+ [ "TCFB1varkey", "fips_desmovs -f" ],
+ [ "TCFB1vartext", "fips_desmovs -f" ],
+
+);
+
# Verification special cases.
# In most cases the output of a test is deterministic and
# it can be compared to a known good result. A few involve
@@ -342,6 +366,7 @@ my $list_tests = 0;
my %fips_enabled = (
dsa => 1,
+ "dsa-pqgver" => 0,
rsa => 1,
"rsa-pss0" => 0,
"rsa-pss62" => 1,
@@ -351,7 +376,8 @@ my %fips_enabled = (
"rand-des2" => 0,
aes => 1,
"aes-cfb1" => 0,
- des3 => 1
+ des3 => 1,
+ "des3-cfb1" => 0
);
foreach (@ARGV) {
@@ -417,6 +443,7 @@ foreach (@ARGV) {
my @fips_test_list;
push @fips_test_list, @fips_dsa_test_list if $fips_enabled{"dsa"};
+push @fips_test_list, @fips_dsa_pqgver_test_list if $fips_enabled{"dsa-pqgver"};
push @fips_test_list, @fips_rsa_test_list if $fips_enabled{"rsa"};
push @fips_test_list, @fips_rsa_pss0_test_list if $fips_enabled{"rsa-pss0"};
push @fips_test_list, @fips_rsa_pss62_test_list if $fips_enabled{"rsa-pss62"};
@@ -427,6 +454,7 @@ push @fips_test_list, @fips_rand_des2_test_list if $fips_enabled{"rand-des2"};
push @fips_test_list, @fips_aes_test_list if $fips_enabled{"aes"};
push @fips_test_list, @fips_aes_cfb1_test_list if $fips_enabled{"aes-cfb1"};
push @fips_test_list, @fips_des3_test_list if $fips_enabled{"des3"};
+push @fips_test_list, @fips_des3_cfb1_test_list if $fips_enabled{"des3-cfb1"};
if ($list_tests) {
my ( $test, $en );
@@ -525,7 +553,7 @@ $cmd: generate run CMVP algorithm tests
--dir=<dirname> Optional root for *.req file search
--filter=<regexp>
--onedir <dirname> Assume all components in current directory
- --rspdir=<dirname> Name of subdirectories containing *.rsp files, default "resp"
+ --rspdir=<dirname> Name of subdirectories containing *.rsp files, default "rsp"
--shwrap_prefix=<prefix>
--tprefix=<prefix>
--ignore-bogus Ignore duplicate or bogus files
@@ -533,7 +561,16 @@ $cmd: generate run CMVP algorithm tests
--quiet Shhh....
--generate Generate algorithm test output
--win32 Win32 environment
+ --enable-<alg> Enable algorithm set <alg>.
+ --disable-<alg> Disable algorithm set <alg>.
+ Where <alg> can be one of:
EOF
+
+while (my ($key, $value) = each %fips_enabled)
+ {
+ printf "\t\t%-20s(%s by default)\n", $key ,
+ $value ? "enabled" : "disabled";
+ }
}
# Sanity check to see if all necessary executables exist
@@ -720,10 +757,10 @@ sub run_tests {
}
my $cmd = "$cmd_prefix$tprefix$tcmd ";
if ( $tcmd =~ /-f$/ ) {
- $cmd .= "$req $out";
+ $cmd .= "\"$req\" \"$out\"";
}
else {
- $cmd .= "<$req >$out";
+ $cmd .= "<\"$req\" >\"$out\"";
}
print STDERR "DEBUG: running test $tname\n" if ( $debug && !$verify );
system($cmd);
@@ -739,7 +776,7 @@ sub run_tests {
$vout =~ s/\.rsp$/.ver/;
$tcmd = $verify_special{$tname};
$cmd = "$cmd_prefix$tprefix$tcmd ";
- $cmd .= "<$out >$vout";
+ $cmd .= "<\"$out\" >\"$vout\"";
system($cmd);
if ( $? != 0 ) {
print STDERR
@@ -806,11 +843,11 @@ sub cmp_file {
return 1;
}
if ( !defined($rspline) ) {
- print STDERR "ERROR: $tname EOF on $rspf\n";
+ print STDERR "ERROR: $tname EOF on $rsp\n";
return 0;
}
if ( !defined($tstline) ) {
- print STDERR "ERROR: $tname EOF on $tstf\n";
+ print STDERR "ERROR: $tname EOF on $tst\n";
return 0;
}
@@ -821,7 +858,7 @@ sub cmp_file {
if ( $tstline ne $rspline ) {
print STDERR "ERROR: $tname mismatch:\n";
- print STDERR "\t $tstline != $rspline\n";
+ print STDERR "\t \"$tstline\" != \"$rspline\"\n";
return 0;
}
}
@@ -842,6 +879,8 @@ sub next_line {
# Translate multiple space into one
s/\s+/ /g;
+ # Delete trailing whitespace
+ s/\s+$//;
return $_;
}
return undef;
diff --git a/fips/fipsld b/fips/fipsld
index c71d4d95a5fb..8c26c8596dec 100755
--- a/fips/fipsld
+++ b/fips/fipsld
@@ -117,7 +117,11 @@ lib*|*.dll) # must be linking a shared lib...
${_WL_PREMAIN} "$@"
# generate signature...
- SIG=`"${THERE}/fips/fips_premain_dso" "${TARGET}"`
+ if [ -z "${FIPS_SIG}" ]; then
+ SIG=`"${THERE}/fips/fips_premain_dso" "${TARGET}"`
+ else
+ SIG=`"${FIPS_SIG}" -dso "${TARGET}"`
+ fi
/bin/rm -f "${TARGET}"
if [ -z "${SIG}" ]; then
echo "unable to collect signature"; exit 1
@@ -156,7 +160,11 @@ lib*|*.dll) # must be linking a shared lib...
${_WL_PREMAIN} "$@"
# generate signature...
- SIG=`"${TARGET}"`
+ if [ -z "${FIPS_SIG}" ]; then
+ SIG=`"${TARGET}"`
+ else
+ SIG=`"${FIPS_SIG}" -exe "${TARGET}"`
+ fi
/bin/rm -f "${TARGET}"
if [ -z "${SIG}" ]; then
echo "unable to collect signature"; exit 1
diff --git a/fips/hmac/fips_hmac.c b/fips/hmac/fips_hmac.c
index 7c49c9882ad1..69a10da84338 100644
--- a/fips/hmac/fips_hmac.c
+++ b/fips/hmac/fips_hmac.c
@@ -88,7 +88,7 @@ void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
reset=1;
j=M_EVP_MD_block_size(md);
- OPENSSL_assert(j <= sizeof ctx->key);
+ OPENSSL_assert(j <= (int)sizeof ctx->key);
if (j < len)
{
EVP_DigestInit_ex(&ctx->md_ctx,md, impl);
@@ -98,7 +98,7 @@ void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
}
else
{
- OPENSSL_assert(len <= sizeof ctx->key);
+ OPENSSL_assert(len <= (int)sizeof ctx->key);
memcpy(ctx->key,key,len);
ctx->key_length=len;
}
diff --git a/fips/hmac/fips_hmac_selftest.c b/fips/hmac/fips_hmac_selftest.c
index a697770732f7..73455ffee2ed 100644
--- a/fips/hmac/fips_hmac_selftest.c
+++ b/fips/hmac/fips_hmac_selftest.c
@@ -111,7 +111,7 @@ static const HMAC_KAT vector[] = {
int FIPS_selftest_hmac()
{
- int n;
+ size_t n;
unsigned int outlen;
unsigned char out[EVP_MAX_MD_SIZE];
const EVP_MD *md;
diff --git a/fips/rand/fips_rand.c b/fips/rand/fips_rand.c
index 58453e996db3..9492b157c15c 100644
--- a/fips/rand/fips_rand.c
+++ b/fips/rand/fips_rand.c
@@ -114,7 +114,7 @@ void FIPS_rng_stick(void)
fips_prng_fail = 1;
}
-void fips_rand_prng_reset(FIPS_PRNG_CTX *ctx)
+static void fips_rand_prng_reset(FIPS_PRNG_CTX *ctx)
{
ctx->seeded = 0;
ctx->keyed = 0;
@@ -192,7 +192,7 @@ static int fips_set_prng_seed(FIPS_PRNG_CTX *ctx,
return 1;
}
-int fips_set_test_mode(FIPS_PRNG_CTX *ctx)
+static int fips_set_test_mode(FIPS_PRNG_CTX *ctx)
{
if (ctx->keyed)
{
diff --git a/fips/rand/fips_rngvs.c b/fips/rand/fips_rngvs.c
index cb904eaf0ba4..80a80170f83d 100644
--- a/fips/rand/fips_rngvs.c
+++ b/fips/rand/fips_rngvs.c
@@ -31,7 +31,7 @@ int main(int argc, char **argv)
#include "fips_utl.h"
-void vst()
+static void vst()
{
unsigned char *key = NULL;
unsigned char *v = NULL;
@@ -108,7 +108,7 @@ void vst()
}
}
-void mct()
+static void mct()
{
unsigned char *key = NULL;
unsigned char *v = NULL;
diff --git a/fips/rsa/fips_rsagtest.c b/fips/rsa/fips_rsagtest.c
index 33a3d7a48cd4..657e1b697555 100644
--- a/fips/rsa/fips_rsagtest.c
+++ b/fips/rsa/fips_rsagtest.c
@@ -63,7 +63,6 @@
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/err.h>
-#include <openssl/rsa.h>
#include <openssl/bn.h>
#include <openssl/x509v3.h>
@@ -77,6 +76,7 @@ int main(int argc, char *argv[])
#else
+#include <openssl/rsa.h>
#include "fips_utl.h"
int rsa_test(FILE *out, FILE *in);
diff --git a/fips/rsa/fips_rsastest.c b/fips/rsa/fips_rsastest.c
index 16c174a2f81d..452084ff9fca 100644
--- a/fips/rsa/fips_rsastest.c
+++ b/fips/rsa/fips_rsastest.c
@@ -63,7 +63,6 @@
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/err.h>
-#include <openssl/rsa.h>
#include <openssl/bn.h>
#include <openssl/x509v3.h>
@@ -77,6 +76,7 @@ int main(int argc, char *argv[])
#else
+#include <openssl/rsa.h>
#include "fips_utl.h"
static int rsa_stest(FILE *out, FILE *in, int Saltlen);
diff --git a/fips/rsa/fips_rsavtest.c b/fips/rsa/fips_rsavtest.c
index 6340f190a3f9..aadab275363b 100644
--- a/fips/rsa/fips_rsavtest.c
+++ b/fips/rsa/fips_rsavtest.c
@@ -65,7 +65,6 @@
#include <openssl/err.h>
#include <openssl/x509v3.h>
#include <openssl/bn.h>
-#include <openssl/rsa.h>
#ifndef OPENSSL_FIPS
@@ -77,6 +76,8 @@ int main(int argc, char *argv[])
#else
+#include <openssl/rsa.h>
+
#include "fips_utl.h"
int rsa_test(FILE *out, FILE *in, int saltlen);
diff --git a/fips/sha/Makefile b/fips/sha/Makefile
index a661640bc6a7..0f8cca975aec 100644
--- a/fips/sha/Makefile
+++ b/fips/sha/Makefile
@@ -46,8 +46,12 @@ lib: $(LIBOBJ)
@echo $(LIBOBJ) > lib
../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o
+ if [ -z "$(HOSTCC)" ] ; then \
FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
- $(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM
+ $(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM ; \
+ else \
+ $(HOSTCC) $(HOSTCFLAGS) -o $ $@ -I../../include -I../../crypto fips_standalone_sha1.c ../../crypto/sha/sha1dgst.c ; \
+ fi
files:
$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
diff --git a/fips/sha/fips_sha1_selftest.c b/fips/sha/fips_sha1_selftest.c
index ba6a29ed94ec..4c0d463e6fbb 100644
--- a/fips/sha/fips_sha1_selftest.c
+++ b/fips/sha/fips_sha1_selftest.c
@@ -78,7 +78,7 @@ void FIPS_corrupt_sha1()
int FIPS_selftest_sha1()
{
- int n;
+ size_t n;
for(n=0 ; n<sizeof(test)/sizeof(test[0]) ; ++n)
{