Automagically seed FIPS PRNG. Add OPENSSL_FIPS flag.
This commit is contained in:
Ben Laurie
parent
4ef3352608
commit
4ccac96346
12
Configure
12
Configure
@ -10,7 +10,7 @@ use strict;
|
||||
|
||||
# see INSTALL for instructions.
|
||||
|
||||
my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-engine] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
|
||||
my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-engine] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [fips] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
|
||||
|
||||
# Options:
|
||||
#
|
||||
@ -135,12 +135,11 @@ my %table=(
|
||||
# Our development configs
|
||||
"purify", "purify gcc:-g -DPURIFY -Wall::(unknown)::-lsocket -lnsl::::",
|
||||
"debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown)::-lefence::::",
|
||||
"debug-ben", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
|
||||
"debug-ben", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
|
||||
"debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
|
||||
"debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
|
||||
"debug-ben-debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::::",
|
||||
"debug-ben-debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -Wall -Wshadow -Werror -pipe::(unknown)::::::",
|
||||
"debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
|
||||
"debug-ben-fips","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DDEBUG_SAFESTACK -DFIPS -O2 -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
|
||||
"debug-ben-fips-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DFIPS -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
|
||||
"debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
|
||||
"debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
|
||||
@ -805,7 +804,10 @@ PROCESS_ARGS:
|
||||
elsif (/^386$/)
|
||||
{ $processor=386; }
|
||||
elsif (/^fips$/)
|
||||
{ $fips=1; }
|
||||
{
|
||||
$fips=1;
|
||||
$openssl_other_defines.="#define OPENSSL_FIPS\n";
|
||||
}
|
||||
elsif (/^rsaref$/)
|
||||
{
|
||||
# No RSAref support any more since it's not needed.
|
||||
|
||||
@ -46,7 +46,6 @@ top:
|
||||
@(cd ..; $(MAKE) DIRS=$(DIR) all)
|
||||
|
||||
all: subdirs lib check shared
|
||||
ls -l $(LIB) $(LIBOBJ)
|
||||
|
||||
check:
|
||||
TOP=`pwd`/$(TOP) ./fips_check_sha1 fingerprint.sha1 $(SRC) $(HEADER)
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
SHA1(fips.c)= dfb2a82fcff1ee84b7674d84a0e0bf191cb759f3
|
||||
SHA1(fips.c)= ffe435925e0c7a39ad32d0bd4a3be6b733d65aef
|
||||
SHA1(fips_err_wrapper.c)= 0cbe881739f6e7d91308e2e74b92032e69007528
|
||||
SHA1(fips.h)= 5dc66fb941513cb732c51eeca6f44018d4acd7ae
|
||||
SHA1(fips_err.c)= 672c470bf38e01ba2a1fa2d52492bc31330dd974
|
||||
SHA1(fips.h)= b4e3fb8a1f3aa03a63094552bedaa2c58a35cb19
|
||||
SHA1(fips_err.c)= bd28a95630f6b2e7ac17bfae872c045216611b11
|
||||
|
||||
20
fips/fips.c
20
fips/fips.c
@ -50,6 +50,7 @@
|
||||
#include <openssl/fips.h>
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/fips_rand.h>
|
||||
#include <openssl/err.h>
|
||||
|
||||
#ifdef FIPS
|
||||
|
||||
@ -62,13 +63,30 @@ int FIPS_selftest()
|
||||
|
||||
int FIPS_mode_set(int onoff)
|
||||
{
|
||||
FIPS_mode=onoff;
|
||||
if(onoff)
|
||||
{
|
||||
char buf[24];
|
||||
|
||||
/* Don't go into FIPS mode twice, just so we can do automagic
|
||||
seeding */
|
||||
if(FIPS_mode)
|
||||
FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FIPS_MODE_ALREADY_SET);
|
||||
|
||||
/* automagically seed PRNG if not already seeded */
|
||||
if(!FIPS_rand_seeded())
|
||||
{
|
||||
RAND_bytes(buf,sizeof buf);
|
||||
FIPS_set_prng_key(buf,buf+8);
|
||||
FIPS_rand_seed(buf+16,8);
|
||||
}
|
||||
|
||||
/* now switch into FIPS mode */
|
||||
FIPS_rand_check=&rand_fips_meth;
|
||||
RAND_set_rand_method(&rand_fips_meth);
|
||||
FIPS_mode=onoff;
|
||||
return FIPS_selftest();
|
||||
}
|
||||
FIPS_mode=onoff;
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
@ -47,7 +47,7 @@
|
||||
*
|
||||
*/
|
||||
|
||||
#ifdef FIPS
|
||||
#if defined(FIPS) || defined(OPENSSL_FIPS)
|
||||
/* Note that these are defined in crypto/cryptlib.c so they're
|
||||
* available even without -lfips.
|
||||
*/
|
||||
@ -76,12 +76,14 @@ void ERR_load_FIPS_strings(void);
|
||||
|
||||
/* Function codes. */
|
||||
#define FIPS_F_FIPS_DSA_CHECK 102
|
||||
#define FIPS_F_FIPS_MODE_SET 105
|
||||
#define FIPS_F_FIPS_SELFTEST_AES 104
|
||||
#define FIPS_F_FIPS_SELFTEST_SHA1 103
|
||||
#define FIPS_F_HASH_FINAL 100
|
||||
#define FIPS_F_SSLEAY_RAND_BYTES 101
|
||||
|
||||
/* Reason codes. */
|
||||
#define FIPS_R_FIPS_MODE_ALREADY_SET 102
|
||||
#define FIPS_R_NON_FIPS_METHOD 100
|
||||
#define FIPS_R_SELFTEST_FAILED 101
|
||||
|
||||
|
||||
@ -67,6 +67,7 @@
|
||||
static ERR_STRING_DATA FIPS_str_functs[]=
|
||||
{
|
||||
{ERR_PACK(0,FIPS_F_FIPS_DSA_CHECK,0), "FIPS_dsa_check"},
|
||||
{ERR_PACK(0,FIPS_F_FIPS_MODE_SET,0), "FIPS_mode_set"},
|
||||
{ERR_PACK(0,FIPS_F_FIPS_SELFTEST_AES,0), "FIPS_selftest_aes"},
|
||||
{ERR_PACK(0,FIPS_F_FIPS_SELFTEST_SHA1,0), "FIPS_selftest_sha1"},
|
||||
{ERR_PACK(0,FIPS_F_HASH_FINAL,0), "HASH_FINAL"},
|
||||
@ -76,6 +77,7 @@ static ERR_STRING_DATA FIPS_str_functs[]=
|
||||
|
||||
static ERR_STRING_DATA FIPS_str_reasons[]=
|
||||
{
|
||||
{FIPS_R_FIPS_MODE_ALREADY_SET ,"fips mode already set"},
|
||||
{FIPS_R_NON_FIPS_METHOD ,"non fips method"},
|
||||
{FIPS_R_SELFTEST_FAILED ,"selftest failed"},
|
||||
{0,NULL}
|
||||
|
||||
@ -1,2 +1,2 @@
|
||||
SHA1(fips_rand.c)= 3ba9ead2bec03b9a31527761472616ee26d005dc
|
||||
SHA1(fips_rand.h)= c25efc81b5fade7d0cc406be5c9a083f20671b7d
|
||||
SHA1(fips_rand.c)= c071f4d7b5221f0f804b9deef5c958fc64176959
|
||||
SHA1(fips_rand.h)= da5ee76588070c97d47c939d069d250a1476a080
|
||||
|
||||
@ -73,14 +73,13 @@ static int test_mode;
|
||||
static unsigned char test_faketime[8];
|
||||
|
||||
static void fips_rand_cleanup(void);
|
||||
static void fips_rand_seed(const void *buf, int num);
|
||||
static void fips_rand_add(const void *buf, int num, double add_entropy);
|
||||
static int fips_rand_bytes(unsigned char *buf, int num);
|
||||
static int fips_rand_status(void);
|
||||
|
||||
RAND_METHOD rand_fips_meth=
|
||||
{
|
||||
fips_rand_seed,
|
||||
FIPS_rand_seed,
|
||||
fips_rand_bytes,
|
||||
fips_rand_cleanup,
|
||||
fips_rand_add,
|
||||
@ -103,6 +102,10 @@ void FIPS_test_mode(int test,const unsigned char faketime[8])
|
||||
memcpy(test_faketime,faketime,sizeof test_faketime);
|
||||
}
|
||||
|
||||
/* NB: this returns true if _partially_ seeded */
|
||||
int FIPS_rand_seeded()
|
||||
{ return key_set || n_seed; }
|
||||
|
||||
static void fips_gettime(unsigned char buf[8])
|
||||
{
|
||||
struct timeval tv;
|
||||
@ -144,7 +147,7 @@ static void fips_rand_cleanup(void)
|
||||
n_seed=0;
|
||||
}
|
||||
|
||||
static void fips_rand_seed(const void *buf_, int num)
|
||||
void FIPS_rand_seed(const void *buf_, int num)
|
||||
{
|
||||
const char *buf=buf_;
|
||||
int n;
|
||||
@ -186,7 +189,7 @@ static void fips_rand_seed(const void *buf_, int num)
|
||||
|
||||
static void fips_rand_add(const void *buf, int num, double add_entropy)
|
||||
{
|
||||
fips_rand_seed(buf,num);
|
||||
FIPS_rand_seed(buf,num);
|
||||
}
|
||||
|
||||
static int fips_rand_bytes(unsigned char *buf,int num)
|
||||
|
||||
@ -51,5 +51,8 @@
|
||||
|
||||
void FIPS_set_prng_key(const unsigned char k1[8],const unsigned char k2[8]);
|
||||
void FIPS_test_mode(int test,const unsigned char faketime[8]);
|
||||
void FIPS_rand_seed(const void *buf, int num);
|
||||
/* NB: this returns true if _partially_ seeded */
|
||||
int FIPS_rand_seeded(void);
|
||||
|
||||
extern RAND_METHOD rand_fips_meth;
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user