Add fingerprint chain and checking.

Makefile.org

@@ -226,7 +226,6 @@ all: Makefile.ssl sub_all openssl.pc sigs
 
 sigs:
 	fips/sha1/fips_standalone_sha1 libcrypto.a > libcrypto.sha1
-	if [ "$(SHLIBEXT)" != "" ]; then fips/sha1/fips_standalone_sha1 libcrypto$(SHLIBEXT) >> libcrypto.sha1; fi
 
 sub_all:
 	@for i in $(DIRS); \

fips/Makefile.ssl

@@ -39,6 +39,7 @@ SRC= $(LIBSRC)
 
 EXHEADER=fips.h
 HEADER=$(EXHEADER) fips_err.c
+EXE=openssl_fips_fingerprint
 
 ALL=    $(GENERAL) $(SRC) $(HEADER)
 
@@ -104,17 +105,30 @@ tests:
 	$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' AR='${AR}' tests ); \
 	done;
 
+fips_test:
+	@for i in dsa sha1 aes des ; \
+	do \
+		(cd $$i && echo "making fips_test in fips/$$i..." && make fips_test) \
+	done;
+
 install:
 	@for i in $(EXHEADER) ;\
 	do \
-	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+		(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+		chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
 	done;
 	@for i in $(FDIRS) ;\
 	do \
-	(cd $$i && echo "making install in fips/$$i..." && \
-	$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}'  INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' install ); \
+		(cd $$i && echo "making install in fips/$$i..." && \
+		$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}'  INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' install ); \
 	done;
+	@for i in $(EXE) ; \
+	do \
+		echo "installing $$i"; \
+		cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+		chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+		mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
+	done
 
 lint:
 	@for i in $(FDIRS) ;\

fips/aes/Makefile.ssl

@@ -67,10 +67,14 @@ tags:
 
 tests:
 
+top_fips_aesavs:
+	(cd ../..; $(MAKE) DIRS=fips FDIRS=$(DIR) TARGET=fips_aesavs sub_target)
+
 fips_aesavs: fips_aesavs.o ../../libcrypto.a
 	$(CC) $(CFLAGS) -o fips_aesavs fips_aesavs.o ../../libcrypto.a
+	$(TOP)/fips/openssl_fips_fingerprint ../../libcrypto.a fips_aesavs
 
-fips_test: top fips_aesavs
+fips_test: top top_fips_aesavs
 	find ../testvectors/aes/req -name '*.req' > testlist
 	-rm -rf ../testvectors/aes/rsp
 	mkdir ../testvectors/aes/rsp

fips/aes/fips_aesavs.c

@@ -889,7 +889,11 @@ int main(int argc, char **argv)
     int f_opt = 0, d_opt = 1;
 
 #ifdef FIPS
-    FIPS_mode_set(1);
+    if(!FIPS_mode_set(1,argv[0]))
+	{
+	ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+	exit(1);
+	}
 #endif
     ERR_load_crypto_strings();
     if (argc > 1)

fips/des/Makefile.ssl

@@ -72,6 +72,7 @@ top_fips_desmovs:
 
 fips_desmovs: fips_desmovs.o ../../libcrypto.a
 	$(CC) $(CFLAGS) -o fips_desmovs fips_desmovs.o ../../libcrypto.a
+	$(TOP)/fips/openssl_fips_fingerprint ../../libcrypto.a fips_desmovs
 
 fips_test: top_fips_desmovs
 	find ../testvectors/des/req -name '*.req' > testlist

fips/des/fips_desmovs.c

@@ -667,9 +667,10 @@ int main(int argc, char **argv)
     int f_opt = 0, d_opt = 1;
 
 #ifdef FIPS
-    if(!FIPS_mode_set(1))
+    if(!FIPS_mode_set(1,argv[0]))
 	{
-	fprintf(stderr,"Failed to enter FIPS mode.\n");
+	ERR_load_crypto_strings();
+	ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
 	exit(1);
 	}
 #endif

fips/dsa/Makefile.ssl

@@ -72,6 +72,7 @@ top_fips_dssvs:
 
 fips_dssvs: fips_dssvs.o ../../libcrypto.a
 	$(CC) $(CFLAGS) -o fips_dssvs fips_dssvs.o ../../libcrypto.a
+	$(TOP)/fips/openssl_fips_fingerprint ../../libcrypto.a fips_dssvs
 
 Q=../testvectors/dsa/req
 A=../testvectors/dsa/rsp

fips/dsa/fips_dsatest.c

@@ -143,12 +143,16 @@ int main(int argc, char **argv)
 	unsigned char sig[256];
 	unsigned int siglen;
 
-#ifdef FIPS
-	FIPS_mode_set(1);
-#endif
 	if (bio_err == NULL)
 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 
+#ifdef FIPS
+	if(!FIPS_mode_set(1,argv[0]))
+	    {
+	    ERR_print_errors(bio_err);
+	    exit(1);
+	    }
+#endif
 	CRYPTO_malloc_debug_init();
 	CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL);
 	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);

fips/dsa/fips_dssvs.c

@@ -1,5 +1,7 @@
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
+#include <openssl/fips.h>
+#include <openssl/err.h>
 #include <string.h>
 
 int hex2bin(const char *in, unsigned char *out)
@@ -127,6 +129,12 @@ int main(int argc,char **argv)
 	fprintf(stderr,"%s [primes|pqg]\n",argv[0]);
 	exit(1);
 	}
+    if(!FIPS_mode_set(1,argv[0]))
+	{
+	ERR_load_crypto_strings();
+	ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+	exit(1);
+	}
     if(!strcmp(argv[1],"primes"))
 	primes();
     else

fips/fingerprint.sha1

@@ -1,4 +1,4 @@
-SHA1(fips.c)= 98c97fbf0e3b2a7c81572804ecc65fc8a8c9cc72
+SHA1(fips.c)= c33135b6ae585a1a953332e261984d38121727d5
 SHA1(fips_err_wrapper.c)= 0cbe881739f6e7d91308e2e74b92032e69007528
-SHA1(fips.h)= b4e3fb8a1f3aa03a63094552bedaa2c58a35cb19
-SHA1(fips_err.c)= bd28a95630f6b2e7ac17bfae872c045216611b11
+SHA1(fips.h)= 58386539af75f8f622b041a43bf1880fee8642f7
+SHA1(fips_err.c)= 8d9fd3ab3e6ca5297c5714e7f6cd9834e22b4cba

fips/fips.c

@@ -51,6 +51,9 @@
 #include <openssl/rand.h>
 #include <openssl/fips_rand.h>
 #include <openssl/err.h>
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+#include <limits.h>
 
 #ifdef FIPS
 
@@ -61,7 +64,53 @@ int FIPS_selftest()
 	&& FIPS_selftest_des();
     }
 
-int FIPS_mode_set(int onoff)
+static int FIPS_check_exe(const char *path)
+    {
+    BIO *bio, *md;
+    char buf[1024];
+    char p2[PATH_MAX];
+    int n;
+    char mdbuf[EVP_MAX_MD_SIZE];
+
+    bio=BIO_new_file(path,"rb");
+    if(!bio)
+	{
+	FIPSerr(FIPS_F_FIPS_CHECK_EXE,FIPS_R_CANNOT_READ_EXE);
+	return 0;
+	}
+    md=BIO_new(BIO_f_md());
+    BIO_set_md(md,EVP_sha1());
+    bio=BIO_push(md,bio);
+    do
+	{
+	n=BIO_read(bio,buf,sizeof buf);
+	if(n < 0)
+	    {
+	    BIO_free_all(bio);
+	    FIPSerr(FIPS_F_FIPS_CHECK_EXE,FIPS_R_CANNOT_READ_EXE);
+	    return 0;
+	    }
+	} while(n > 0);
+    BIO_gets(md,mdbuf,EVP_MAX_MD_SIZE);
+    BIO_free_all(bio);
+    snprintf(p2,sizeof p2,"%s.sha1",path);
+    bio=BIO_new_file(p2,"rb");
+    if(!bio || BIO_read(bio,buf,20) != 20)
+	{
+	BIO_free(bio);
+	FIPSerr(FIPS_F_FIPS_CHECK_EXE,FIPS_R_CANNOT_READ_EXE_DIGEST);
+	return 0;
+	}
+    BIO_free(bio);
+    if(memcmp(buf,mdbuf,20))
+	{
+	FIPSerr(FIPS_F_FIPS_CHECK_EXE,FIPS_R_EXE_DIGEST_DOES_NOT_MATCH);
+	return 0;
+	}
+    return 1;
+    }
+
+int FIPS_mode_set(int onoff,const char *path)
     {
     if(onoff)
 	{
@@ -72,6 +121,9 @@ int FIPS_mode_set(int onoff)
 	if(FIPS_mode)
 	    FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FIPS_MODE_ALREADY_SET);
 
+	if(!FIPS_check_exe(path))
+	    return 0;
+
 	/* automagically seed PRNG if not already seeded */
 	if(!FIPS_rand_seeded())
 	    {

fips/fips.h

@@ -55,7 +55,7 @@ extern int FIPS_mode;
 extern void *FIPS_rand_check;
 struct dsa_st;
 
-int FIPS_mode_set(int onoff);
+int FIPS_mode_set(int onoff,const char *path);
 int FIPS_dsa_check(struct dsa_st *dsa);
 int FIPS_selftest_sha1(void);
 int FIPS_selftest_aes(void);
@@ -75,6 +75,7 @@ void ERR_load_FIPS_strings(void);
 /* Error codes for the FIPS functions. */
 
 /* Function codes. */
+#define FIPS_F_FIPS_CHECK_EXE				 106
 #define FIPS_F_FIPS_DSA_CHECK				 102
 #define FIPS_F_FIPS_MODE_SET				 105
 #define FIPS_F_FIPS_SELFTEST_AES			 104
@@ -83,6 +84,9 @@ void ERR_load_FIPS_strings(void);
 #define FIPS_F_SSLEAY_RAND_BYTES			 101
 
 /* Reason codes. */
+#define FIPS_R_CANNOT_READ_EXE				 103
+#define FIPS_R_CANNOT_READ_EXE_DIGEST			 104
+#define FIPS_R_EXE_DIGEST_DOES_NOT_MATCH		 105
 #define FIPS_R_FIPS_MODE_ALREADY_SET			 102
 #define FIPS_R_NON_FIPS_METHOD				 100
 #define FIPS_R_SELFTEST_FAILED				 101

fips/fips_err.c

@@ -66,6 +66,7 @@
 #ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA FIPS_str_functs[]=
 	{
+{ERR_PACK(0,FIPS_F_FIPS_CHECK_EXE,0),	"FIPS_CHECK_EXE"},
 {ERR_PACK(0,FIPS_F_FIPS_DSA_CHECK,0),	"FIPS_dsa_check"},
 {ERR_PACK(0,FIPS_F_FIPS_MODE_SET,0),	"FIPS_mode_set"},
 {ERR_PACK(0,FIPS_F_FIPS_SELFTEST_AES,0),	"FIPS_selftest_aes"},
@@ -77,6 +78,9 @@ static ERR_STRING_DATA FIPS_str_functs[]=
 
 static ERR_STRING_DATA FIPS_str_reasons[]=
 	{
+{FIPS_R_CANNOT_READ_EXE                  ,"cannot read exe"},
+{FIPS_R_CANNOT_READ_EXE_DIGEST           ,"cannot read exe digest"},
+{FIPS_R_EXE_DIGEST_DOES_NOT_MATCH        ,"exe digest does not match"},
 {FIPS_R_FIPS_MODE_ALREADY_SET            ,"fips mode already set"},
 {FIPS_R_NON_FIPS_METHOD                  ,"non fips method"},
 {FIPS_R_SELFTEST_FAILED                  ,"selftest failed"},

fips/fips_make_sha1

@@ -3,7 +3,7 @@
 S=`pwd`/fips/sha1/fips_standalone_sha1
 
 cd fips/sha1
-$S fips_standalone_sha1.c fips_sha1dgst.c fips_sha_locl.h fips_md32_common.h > standalone.sha1
+$S fips_sha1dgst.c fips_sha1_selftest.c fips_standalone_sha1.c fips_sha_locl.h fips_md32_common.h > standalone.sha1
 
 cd ..
 $S fips.c fips_err_wrapper.c fips.h fips_err.c > fingerprint.sha1

fips/sha1/Makefile.ssl

@@ -80,6 +80,7 @@ top_fips_sha1test:
 
 fips_sha1test: fips_sha1test.o ../../libcrypto.a
 	$(CC) $(CFLAGS) -o fips_sha1test fips_sha1test.o ../../libcrypto.a
+	$(TOP)/fips/openssl_fips_fingerprint ../../libcrypto.a fips_sha1test
 
 fips_test: top_fips_sha1test
 	-rm -rf ../testvectors/sha1/rsp

fips/sha1/fips_sha1test.c

@@ -4,6 +4,8 @@
 #include <string.h>
 #include <stdlib.h>
 #include <openssl/sha.h>
+#include <openssl/err.h>
+#include <openssl/fips.h>
 
 #define MAX_TEST_BITS 103432
 
@@ -60,6 +62,12 @@ int main(int argc,char **argv)
 	exit(1);
 	}
 
+    if(!FIPS_mode_set(1,argv[0]))
+	{
+	ERR_load_crypto_strings();
+	ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+	exit(1);
+	}
     fp=fopen(argv[1],"r");
     if(!fp)
 	{