authorDr. Stephen Henson <steve@openssl.org>2011-10-19 22:34:53 +0000
committerDr. Stephen Henson <steve@openssl.org>2011-10-19 22:34:53 +0000
commit5e4eb9954b415fd685bfda69603bec52c5843778 (patch)
tree5a131d77836b3d292f151b236da15e3d99b60098 /fips/fips.c
parent227a822ab628267b5fd1b168a0a0bd58482b35ef (diff)
add authentication parameter to FIPS_module_mode_set
Diffstat (limited to 'fips/fips.c')
-rw-r--r--fips/fips.c52
1 files changed, 51 insertions, 1 deletions
diff --git a/fips/fips.c b/fips/fips.c
index a8f0f0374d..5cb4bfd48e 100644
--- a/fips/fips.c
+++ b/fips/fips.c
@@ -61,6 +61,7 @@
#include <string.h>
#include <limits.h>
#include "fips_locl.h"
+#include "fips_auth.h"
#ifdef OPENSSL_FIPS
@@ -70,7 +71,10 @@
#define PATH_MAX 1024
#endif
+#define atox(c) ((c)>='a'?((c)-'a'+10):((c)>='A'?(c)-'A'+10:(c)-'0'))
+
static int fips_selftest_fail = 0;
+static int fips_auth_fail = 0;
static int fips_mode = 0;
static int fips_started = 0;
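Review bot: The `atox` macro on the `#define atox(c)` line evaluates its argument up to three times and maps any character outside 0-9, a-f, A-F to an arbitrary value instead of rejecting it; the caller visible in this diff feeds it only the compile-time strings from fips_auth.h, so this is latent, but a `static int` helper that returns -1 for a non-hex digit (and is checked by fips_asc_check) would remove both the multiple-evaluation hazard and the silent garbage. The new `fips_auth_fail` flag is only ever set in this diff and never cleared, which looks like a deliberate lockout; a one-line comment next to the declaration such as `/* sticky: once set, fips_check_auth() refuses every later attempt */` would record that intent for the next reader.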
@@ -238,7 +242,46 @@ int FIPS_check_incore_fingerprint(void)
return rv;
}
-int FIPS_module_mode_set(int onoff)
+static int fips_asc_check(const unsigned char *sig, const char *asc_sig)
+ {
+ char tsig[20];
+ const char *p;
+ int i;
+ if (strlen(asc_sig) != 40)
+ return 0;
+ for (i = 0, p = asc_sig; i < 20; i++, p += 2)
+ tsig[i] = (atox(p[0]) << 4) | atox(p[1]);
+ if (memcmp(tsig, sig, 20))
+ return 0;
+ return 1;
+ }
+
+static int fips_check_auth(const char *auth)
+ {
+ unsigned char auth_hmac[20];
+ unsigned int hmac_len;
+ if (fips_auth_fail)
+ return 0;
+ if (strlen(auth) < FIPS_AUTH_MIN_LEN)
+ return 0;
+ if (!HMAC(EVP_sha1(), FIPS_AUTH_KEY, strlen(FIPS_AUTH_KEY),
+ (unsigned char *)auth, strlen(auth), auth_hmac, &hmac_len))
+ return 0;
+ if (hmac_len != sizeof(auth_hmac))
+ return 0;
+
+ if (fips_asc_check(auth_hmac, FIPS_AUTH_CRYPTO_OFFICER))
+ return 1;
+
+ if (fips_asc_check(auth_hmac, FIPS_AUTH_CRYPTO_USER))
+ return 1;
+
+ return 0;
+ }
+
+
+
+int FIPS_module_mode_set(int onoff, const char *auth)
{
int ret = 0;
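Review bot: The `memcmp(tsig, sig, 20)` in fips_asc_check compares the freshly computed HMAC of the caller-supplied password against the stored reference with an early-exit comparison, so the time taken depends on how many leading bytes match; an authentication check should use a constant-time compare such as `unsigned char d = 0;` / `for (i = 0; i < 20; i++) d |= (unsigned char)tsig[i] ^ sig[i];` / `return d == 0;`, and `tsig` is better declared `unsigned char tsig[20]` so the operands match `sig`. fips_check_auth calls `strlen(auth)` before anything else, so a NULL `auth` passed through the new FIPS_module_mode_set signature is undefined behaviour rather than a clean failure; a leading `if (auth == NULL) return 0;` makes it fail closed. The body of FIPS_module_mode_set continues past the end of this hunk.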
@@ -250,6 +293,13 @@ int FIPS_module_mode_set(int onoff)
{
fips_selftest_fail = 0;
+ if (!fips_check_auth(auth))
+ {
+ fips_auth_fail = 1;
+ fips_selftest_fail = 1;
+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_AUTHENTICATION_FAILURE);
+ return 0;
+ }
/* Don't go into FIPS mode twice, just so we can do automagic
seeding */