Merge fips directory from FIPS branch.

author: Dr. Stephen Henson <steve@openssl.org> 2008-09-16 10:12:23 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2008-09-16 10:12:23 +0000
commit: 59f3477b8236fd431d2cee942b46e3034e0a7b10 (patch)
tree: 32d1bc9149c5f98e5d85bbbcc354601310f040eb /fips
parent: f947b818bf573c231c6b8a98a06902f8a0b78d08 (diff)
72 files changed, 18468 insertions, 0 deletions
diff --git a/fips/.cvsignore b/fips/.cvsignore
new file mode 100644
index 0000000000..34f2408d13
--- /dev/null
+++ b/fips/.cvsignore
@@ -0,0 +1,8 @@
+lib
+Makefile.save
+fips_test_suite
+fips_premain_dso
+fips_test_suite.sha1
+fipscanister.o.sha1
+*.flc
+semantic.cache
diff --git a/fips/Makefile b/fips/Makefile
new file mode 100644
index 0000000000..04b1fb08ae
--- /dev/null
+++ b/fips/Makefile
@@ -0,0 +1,219 @@
+#
+# OpenSSL/crypto/Makefile
+#
+
+DIR=		fips
+TOP=		..
+CC=		cc
+INCLUDE=	-I. -I$(TOP) -I../include
+# INCLUDES targets sudbirs!
+INCLUDES=	-I.. -I../.. -I../../include
+CFLAG=		-g
+MAKEDEPPROG=	makedepend
+MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
+MAKEFILE=       Makefile
+RM=             rm -f
+AR=		ar r
+ARD=		ar d
+TEST=		fips_test_suite.c
+FIPS_TVDIR=	testvectors
+FIPS_TVOK=	$$HOME/fips/tv.ok
+
+FIPSCANLOC=	$(FIPSLIBDIR)fipscanister.o
+
+RECURSIVE_MAKE=	[ -n "$(FDIRS)" ] && for i in $(FDIRS) ; do \
+		    (cd $$i && echo "making $$target in $(DIR)/$$i..." && \
+		    $(MAKE) -e TOP=../.. DIR=$$i INCLUDES='${INCLUDES}' $$target ) || exit 1; \
+		done;
+
+PEX_LIBS=
+EX_LIBS=
+ 
+CFLAGS= $(INCLUDE) $(CFLAG) -DHMAC_EXT=\"$${HMAC_EXT:-sha1}\"
+ASFLAGS= $(INCLUDE) $(ASFLAG)
+AFLAGS=$(ASFLAGS)
+
+LIBS=
+
+FDIRS=sha rand des aes dsa rsa dh hmac
+
+GENERAL=Makefile README fips-lib.com install.com
+
+LIB= $(TOP)/libcrypto.a
+SHARED_LIB= $(FIPSCANLIB)$(SHLIB_EXT)
+LIBSRC=fips.c 
+LIBOBJ=fips.o
+
+FIPS_OBJ_LISTS=sha/lib hmac/lib rand/lib des/lib aes/lib dsa/lib rsa/lib dh/lib
+
+SRC= $(LIBSRC)
+
+EXHEADER=fips.h
+HEADER=$(EXHEADER) fips_utl.h fips_locl.h
+EXE=fipsld
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	@(cd ..; $(MAKE) DIRS=$(DIR) all)
+
+testapps:
+	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
+
+all:
+	@if [ -z "$(FIPSLIBDIR)" ]; then \
+		$(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \
+	else \
+		$(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \
+	fi
+
+# Idea behind fipscanister.o is to "seize" the sequestered code between
+# known symbols for fingerprinting purposes, which would be commonly
+# done with ld -r start.o ... end.o. The latter however presents a minor
+# challenge on multi-ABI platforms. As just implied, we'd rather use ld,
+# but the trouble is that we don't generally know how ABI-selection
+# compiler flag is translated to corresponding linker flag. All compiler
+# drivers seem to recognize -r flag and pass it down to linker, but some
+# of them, including gcc, erroneously add -lc, as well as run-time
+# components, such as crt1.o and alike. Fortunately among those vendor
+# compilers which were observed to misinterpret -r flag multi-ABI ones
+# are equipped with smart linkers, which don't require any ABI-selection
+# flag and simply assume that all objects are of the same type as first
+# one in command line. So the idea is to identify gcc and deficient
+# vendor compiler drivers...
+
+fipscanister.o: fips_start.o $(LIBOBJ) $(FIPS_OBJ_LISTS) fips_end.o
+	FIPS_ASM=""; \
+	list="$(BN_ASM)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/bn/$$i" ; done; \
+	list="$(AES_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/aes/$$i" ; done; \
+	list="$(DES_ENC)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/des/$$i" ; done; \
+	list="$(SHA1_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/sha/$$i" ; done; \
+	if [ -n "$(CPUID_OBJ)" ]; then \
+		CPUID=../crypto/$(CPUID_OBJ) ; \
+	else \
+		CPUID="" ; \
+	fi ; \
+	objs="fips_start.o $(LIBOBJ) $(FIPS_EX_OBJ) $$CPUID $$FIPS_ASM"; \
+	for i in $(FIPS_OBJ_LISTS); do \
+		dir=`dirname $$i`; script="s|^|$$dir/|;s| | $$dir/|g"; \
+		objs="$$objs `sed "$$script" $$i`"; \
+	done; \
+	objs="$$objs fips_end.o" ; \
+	os="`(uname -s) 2>/dev/null`"; cflags="$(CFLAGS)"; \
+	[ "$$os" = "AIX" ] && cflags="$$cflags -Wl,-bnoobjreorder"; \
+	if [ -n "${FIPS_SITE_LD}" ]; then \
+		set -x; ${FIPS_SITE_LD} -r -o $@ $$objs; \
+	elif $(CC) -dumpversion >/dev/null 2>&1; then \
+		set -x; $(CC) $$cflags -r -nostdlib -o $@ $$objs ; \
+	else case "$$os" in \
+		HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \
+		*) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \
+	esac fi
+	./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1
+
+# If another exception is immediately required, assign approprite
+# site-specific ld command to FIPS_SITE_LD environment variable.
+
+fips_start.o: fips_canister.c
+	$(CC) $(CFLAGS) -DFIPS_START -c -o $@ fips_canister.c
+fips_end.o: fips_canister.c
+	$(CC) $(CFLAGS) -DFIPS_END -c -o $@ fips_canister.c
+fips_premain_dso$(EXE_EXT): fips_premain.c
+	$(CC) $(CFLAGS) -DFINGERPRINT_PREMAIN_DSO_LOAD -o $@ fips_premain.c \
+		$(FIPSLIBDIR)fipscanister.o ../libcrypto.a $(EX_LIBS)
+# this is executed only when linking with external fipscanister.o
+fips_standalone_sha1$(EXE_EXT):	sha/fips_standalone_sha1.c
+	$(CC) $(CFLAGS) -DFIPSCANISTER_O -o $@ sha/fips_standalone_sha1.c $(FIPSLIBDIR)fipscanister.o
+
+subdirs:
+	@target=all; $(RECURSIVE_MAKE)
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+	@target=files; $(RECURSIVE_MAKE)
+
+links:
+	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../test $(TEST)
+	@target=links; $(RECURSIVE_MAKE)
+
+# lib: and $(LIB): are splitted to avoid end-less loop
+lib:	$(LIB)
+	if [ "$(FIPSCANISTERINTERNAL)" = "n" -a -n "$(FIPSCANLOC)"]; then $(AR) ../$(FIPSCANLIB).a $(FIPSCANLOC); fi
+	@touch lib
+
+$(LIB):	$(FIPSLIBDIR)fipscanister.o
+	$(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
+	$(RANLIB) $(LIB) || echo Never mind.
+
+$(FIPSCANLIB):	$(FIPSCANLOC)
+	$(AR) ../$(FIPSCANLIB).a $(FIPSCANLOC)
+	if [ "$(FIPSCANLIB)" = "libfips" ]; then \
+		$(AR) $(LIB) $(FIPSCANLOC) ; \
+		$(RANLIB) $(LIB) || echo Never Mind. ; \
+	fi
+	$(RANLIB) ../$(FIPSCANLIB).a || echo Never mind.
+	@touch lib
+
+shared:	lib subdirs fips_premain_dso$(EXE_EXT)
+
+libs:
+	@target=lib; $(RECURSIVE_MAKE)
+
+fips_test: top
+	@target=fips_test; $(RECURSIVE_MAKE)
+
+fips_test_diff:
+	@if diff -b -B -I '^\#' -cr -X fips-nodiff.txt $(FIPS_TVDIR) $(FIPS_TVOK) ; then \
+		echo "FIPS diff OK" ; \
+	else \
+		echo "***FIPS DIFF ERROR***" ; exit 1 ; \
+	fi
+
+
+install:
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ;\
+	do \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+	@target=install; $(RECURSIVE_MAKE)
+	@cp -p -f fipscanister.o fipscanister.o.sha1 fips_premain.c \
+		fips_premain.c.sha1 \
+		$(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \
+	chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips*
+
+lint:
+	@target=lint; $(RECURSIVE_MAKE)
+
+depend:
+	@[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDE) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
+	@[ -z "$(THIS)" ] || (set -e; target=depend; $(RECURSIVE_MAKE) )
+	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
+
+clean:
+	rm -f fipscanister.o.sha1 fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT) \
+		*.s *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+	@target=clean; $(RECURSIVE_MAKE)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+	@target=dclean; $(RECURSIVE_MAKE)
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+fips.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+fips.o: ../include/openssl/crypto.h ../include/openssl/des.h
+fips.o: ../include/openssl/des_old.h ../include/openssl/e_os2.h
+fips.o: ../include/openssl/err.h ../include/openssl/evp.h
+fips.o: ../include/openssl/fips.h ../include/openssl/fips_rand.h
+fips.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+fips.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+fips.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+fips.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
+fips.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+fips.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+fips.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h fips.c
+fips.o: fips_locl.h
diff --git a/fips/aes/.cvsignore b/fips/aes/.cvsignore
new file mode 100644
index 0000000000..439e6d3eb6
--- /dev/null
+++ b/fips/aes/.cvsignore
@@ -0,0 +1,4 @@
+lib
+Makefile.save
+*.flc
+semantic.cache
diff --git a/fips/aes/Makefile b/fips/aes/Makefile
new file mode 100644
index 0000000000..dff1b97efa
--- /dev/null
+++ b/fips/aes/Makefile
@@ -0,0 +1,112 @@
+#
+# OpenSSL/fips/aes/Makefile
+#
+
+DIR=	aes
+TOP=	../..
+CC=	cc
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKEDEPPROG=	makedepend
+MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
+MAKEFILE=	Makefile
+AR=		ar r
+
+ASFLAGS= $(INCLUDES) $(ASFLAG)
+AFLAGS= $(ASFLAGS)
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=fips_aesavs.c
+TESTDATA=fips_aes_data
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=fips_aes_selftest.c
+LIBOBJ=fips_aes_selftest.o
+
+SRC= $(LIBSRC)
+
+EXHEADER=
+HEADER=
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd $(TOP); $(MAKE) DIRS=fips FDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	@echo $(LIBOBJ) > lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+
+links:
+	@$(PERL) $(TOP)/util/mklink.pl $(TOP)/include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl $(TOP)/test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl $(TOP)/test $(TESTDATA)
+	@$(PERL) $(TOP)/util/mklink.pl $(TOP)/apps $(APPS)
+
+install:
+	@headerlist="$(EXHEADER)"; for i in $$headerlist; \
+	do  \
+	  (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	  chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+fips_test:
+	-find ../testvectors/aes/req -name '*.req' > testlist
+	-rm -rf ../testvectors/aes/rsp
+	mkdir ../testvectors/aes/rsp
+	if [ -s testlist ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_aesavs -d testlist; fi
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) \
+		$(SRC) $(TEST)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff testlist
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+fips_aes_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+fips_aes_selftest.o: ../../include/openssl/crypto.h
+fips_aes_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+fips_aes_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+fips_aes_selftest.o: ../../include/openssl/lhash.h
+fips_aes_selftest.o: ../../include/openssl/obj_mac.h
+fips_aes_selftest.o: ../../include/openssl/objects.h
+fips_aes_selftest.o: ../../include/openssl/opensslconf.h
+fips_aes_selftest.o: ../../include/openssl/opensslv.h
+fips_aes_selftest.o: ../../include/openssl/ossl_typ.h
+fips_aes_selftest.o: ../../include/openssl/safestack.h
+fips_aes_selftest.o: ../../include/openssl/stack.h
+fips_aes_selftest.o: ../../include/openssl/symhacks.h fips_aes_selftest.c
+fips_aesavs.o: ../../e_os.h ../../include/openssl/aes.h
+fips_aesavs.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+fips_aesavs.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+fips_aesavs.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+fips_aesavs.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+fips_aesavs.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+fips_aesavs.o: ../../include/openssl/opensslconf.h
+fips_aesavs.o: ../../include/openssl/opensslv.h
+fips_aesavs.o: ../../include/openssl/ossl_typ.h
+fips_aesavs.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+fips_aesavs.o: ../../include/openssl/symhacks.h ../fips_utl.h fips_aesavs.c
diff --git a/fips/aes/fips_aes_selftest.c b/fips/aes/fips_aes_selftest.c
new file mode 100644
index 0000000000..441bbc18e7
--- /dev/null
+++ b/fips/aes/fips_aes_selftest.c
@@ -0,0 +1,101 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string.h>
+#include <openssl/err.h>
+#include <openssl/fips.h>
+#include <openssl/evp.h>
+
+#ifdef OPENSSL_FIPS
+static struct
+    {
+    unsigned char key[16];
+    unsigned char plaintext[16];
+    unsigned char ciphertext[16];
+    } tests[]=
+	{
+	{
+	{ 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
+	  0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F },
+	{ 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,
+	  0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF },
+	{ 0x69,0xC4,0xE0,0xD8,0x6A,0x7B,0x04,0x30,
+	  0xD8,0xCD,0xB7,0x80,0x70,0xB4,0xC5,0x5A },
+	},
+	};
+
+void FIPS_corrupt_aes()
+    {
author	Dr. Stephen Henson <steve@openssl.org>	2008-09-16 10:12:23 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2008-09-16 10:12:23 +0000
commit	59f3477b8236fd431d2cee942b46e3034e0a7b10 (patch)
tree	32d1bc9149c5f98e5d85bbbcc354601310f040eb /fips
parent	f947b818bf573c231c6b8a98a06902f8a0b78d08 (diff)