diff options
70 files changed, 6025 insertions, 74 deletions
@@ -140,6 +140,8 @@ my %table=( "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::", "debug-ben-debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::::", "debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::", +"debug-ben-fips","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DFIPS -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o", +"debug-ben-fips-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DFIPS -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o", "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", "debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", "debug-ulf", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT:::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", diff --git a/Makefile.org b/Makefile.org index e80b22a32a..61f11f4147 100644 --- a/Makefile.org +++ b/Makefile.org @@ -173,8 +173,8 @@ LIBKRB5= # we might set SHLIB_MARK to '$(SHARED_LIBS)'. SHLIB_MARK= -DIRS= crypto ssl $(SHLIB_MARK) apps test tools -SHLIBDIRS= crypto ssl +DIRS= fips crypto ssl $(SHLIB_MARK) apps test tools +SHLIBDIRS= fips crypto ssl # dirs in crypto to build SDIRS= \ @@ -202,6 +202,7 @@ ONEDIRS=out tmp EDIRS= times doc bugs util include certs ms shlib mt demos perl sf dep VMS WDIRS= windows LIBS= libcrypto.a libssl.a +SIGS= libcrypto.a.sha1 libcrypto$(SHLIBEXT).sha1 SHARED_CRYPTO=libcrypto$(SHLIB_EXT) SHARED_SSL=libssl$(SHLIB_EXT) SHARED_LIBS= @@ -219,7 +220,7 @@ HEADER= e_os.h # When we're prepared to use shared libraries in the programs we link here # we might remove 'clean-shared' from the targets to perform at this stage -all: Makefile.ssl sub_all openssl.pc +all: Makefile.ssl sub_all openssl.pc sigs sub_all: @for i in $(DIRS); \ @@ -831,6 +832,14 @@ install: all install_docs sed -e '1,/^$$/d' doc/openssl-shared.txt; \ fi; \ fi + @for i in $(SIGS) ;\ + do \ + if [ -f "$$i" ]; then \ + ( echo installing $$i; \ + cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ + mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ + fi; \ + done; cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig diff --git a/crypto/aes/Makefile.ssl b/crypto/aes/Makefile.ssl index 364d05bbfe..a39bc9065e 100644 --- a/crypto/aes/Makefile.ssl +++ b/crypto/aes/Makefile.ssl @@ -91,7 +91,8 @@ aes_cbc.o: ../../include/openssl/opensslconf.h aes_cbc.c aes_locl.h aes_cfb.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h aes_cfb.o: ../../include/openssl/opensslconf.h aes_cfb.c aes_locl.h aes_core.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h -aes_core.o: ../../include/openssl/opensslconf.h aes_core.c aes_locl.h +aes_core.o: ../../include/openssl/fips.h ../../include/openssl/opensslconf.h +aes_core.o: aes_core.c aes_locl.h aes_ctr.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h aes_ctr.o: ../../include/openssl/opensslconf.h aes_ctr.c aes_locl.h aes_ecb.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h diff --git a/crypto/aes/aes_core.c b/crypto/aes/aes_core.c index 2f41a825f8..0b925a8566 100644 --- a/crypto/aes/aes_core.c +++ b/crypto/aes/aes_core.c @@ -37,8 +37,11 @@ #include <stdlib.h> #include <openssl/aes.h> +#include <openssl/fips.h> #include "aes_locl.h" +#ifndef FIPS + /* Te0[x] = S [x].[02, 01, 01, 03]; Te1[x] = S [x].[03, 02, 01, 01]; @@ -1255,3 +1258,4 @@ void AES_decrypt(const unsigned char *in, unsigned char *out, PUTU32(out + 12, s3); } +#endif /* ndef FIPS */ diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c index 2924def2bb..8fe063ff5e 100644 --- a/crypto/cryptlib.c +++ b/crypto/cryptlib.c @@ -66,6 +66,11 @@ static double SSLeay_MSVC5_hack=0.0; /* and for VC1.5 */ #endif +#ifdef FIPS +int FIPS_mode; +void *FIPS_rand_check; +#endif /* def FIPS */ + DECLARE_STACK_OF(CRYPTO_dynlock) IMPLEMENT_STACK_OF(CRYPTO_dynlock) diff --git a/crypto/des/des.h b/crypto/des/des.h index daaf239dbe..bb3a0e299d 100644 --- a/crypto/des/des.h +++ b/crypto/des/des.h @@ -128,7 +128,7 @@ OPENSSL_DECLARE_GLOBAL(int,DES_rw_mode); /* defaults to DES_PCBC_MODE */ #define DES_rw_mode OPENSSL_GLOBAL_REF(DES_rw_mode) const char *DES_options(void); -void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output, +void DES_ecb3_encrypt(const unsigned char *input, unsigned char *output, DES_key_schedule *ks1,DES_key_schedule *ks2, DES_key_schedule *ks3, int enc); DES_LONG DES_cbc_cksum(const unsigned char *input,DES_cblock *output, diff --git a/crypto/des/des_old.c b/crypto/des/des_old.c index 7e4cd7180d..88e9802aad 100644 --- a/crypto/des/des_old.c +++ b/crypto/des/des_old.c @@ -84,7 +84,7 @@ void _ossl_old_des_ecb3_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock des_key_schedule ks1,des_key_schedule ks2, des_key_schedule ks3, int enc) { - DES_ecb3_encrypt((const_DES_cblock *)input, output, + DES_ecb3_encrypt((const unsigned char *)input, (unsigned char *)output, (DES_key_schedule *)ks1, (DES_key_schedule *)ks2, (DES_key_schedule *)ks3, enc); } diff --git a/crypto/des/destest.c b/crypto/des/destest.c index 3983ac8e5f..e3e9d77f14 100644 --- a/crypto/des/destest.c +++ b/crypto/des/destest.c @@ -439,8 +439,8 @@ int main(int argc, char *argv[]) memcpy(in,plain_data[i],8); memset(out,0,8); memset(outin,0,8); - des_ecb2_encrypt(&in,&out,ks,ks2,DES_ENCRYPT); - des_ecb2_encrypt(&out,&outin,ks,ks2,DES_DECRYPT); + des_ecb2_encrypt(in,out,ks,ks2,DES_ENCRYPT); + des_ecb2_encrypt(out,outin,ks,ks2,DES_DECRYPT); if (memcmp(out,cipher_ecb2[i],8) != 0) { diff --git a/crypto/des/ecb3_enc.c b/crypto/des/ecb3_enc.c index c3437bc606..fa0c9c4d4f 100644 --- a/crypto/des/ecb3_enc.c +++ b/crypto/des/ecb3_enc.c @@ -58,15 +58,13 @@ #include "des_locl.h" -void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output, +void DES_ecb3_encrypt(const unsigned char *in, unsigned char *out, DES_key_schedule *ks1, DES_key_schedule *ks2, DES_key_schedule *ks3, int enc) { register DES_LONG l0,l1; DES_LONG ll[2]; - const unsigned char *in = &(*input)[0]; - unsigned char *out = &(*output)[0]; c2l(in,l0); c2l(in,l1); diff --git a/crypto/dsa/Makefile.ssl b/crypto/dsa/Makefile.ssl index 014d006347..045d302ce8 100644 --- a/crypto/dsa/Makefile.ssl +++ b/crypto/dsa/Makefile.ssl @@ -153,7 +153,8 @@ dsa_sign.o: ../../e_os.h ../../include/openssl/asn1.h dsa_sign.o: ../../include/openssl/bio.h ../../include/openssl/bn.h dsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h dsa_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h -dsa_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +dsa_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h +dsa_sign.o: ../../include/openssl/err.h ../../include/openssl/fips.h dsa_sign.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h dsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h dsa_sign.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h @@ -164,8 +165,10 @@ dsa_vrf.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h dsa_vrf.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h dsa_vrf.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h dsa_vrf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h -dsa_vrf.o: ../../include/openssl/err.h ../../include/openssl/lhash.h +dsa_vrf.o: ../../include/openssl/engine.h ../../include/openssl/err.h +dsa_vrf.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h dsa_vrf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h dsa_vrf.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h -dsa_vrf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -dsa_vrf.o: ../../include/openssl/symhacks.h ../cryptlib.h dsa_vrf.c +dsa_vrf.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h +dsa_vrf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +dsa_vrf.o: ../../include/openssl/ui.h ../cryptlib.h dsa_vrf.c diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index b9e7f3ea5c..f95ffa9fe1 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -65,6 +65,7 @@ #include <openssl/rand.h> #include <openssl/asn1.h> +#ifndef FIPS static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, @@ -346,3 +347,4 @@ static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p, { return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); } +#endif diff --git a/crypto/dsa/dsa_sign.c b/crypto/dsa/dsa_sign.c index 89205026f0..03846e539b 100644 --- a/crypto/dsa/dsa_sign.c +++ b/crypto/dsa/dsa_sign.c @@ -64,9 +64,17 @@ #include <openssl/dsa.h> #include <openssl/rand.h> #include <openssl/asn1.h> +#ifndef OPENSSL_NO_ENGINE +#include <openssl/engine.h> +#endif +#include <openssl/fips.h> DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { +#ifdef FIPS + if(FIPS_mode && !FIPS_dsa_check(dsa)) + return NULL; +#endif return dsa->meth->dsa_do_sign(dgst, dlen, dsa); } @@ -87,6 +95,10 @@ int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig, int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) { +#ifdef FIPS + if(FIPS_mode && !FIPS_dsa_check(dsa)) + return 0; +#endif return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp); } diff --git a/crypto/dsa/dsa_vrf.c b/crypto/dsa/dsa_vrf.c index c4aeddd056..d8728a0ebc 100644 --- a/crypto/dsa/dsa_vrf.c +++ b/crypto/dsa/dsa_vrf.c @@ -65,10 +65,18 @@ #include <openssl/rand.h> #include <openssl/asn1.h> #include <openssl/asn1_mac.h> +#ifndef OPENSSL_NO_ENGINE +#include <openssl/engine.h> +#endif +#include <openssl/fips.h> int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) { +#ifdef FIPS + if(FIPS_mode && !FIPS_dsa_check(dsa)) + return -1; +#endif return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa); } diff --git a/crypto/engine/engine.h b/crypto/engine/engine.h index 8686879e1a..84fb5a2a62 100644 --- a/crypto/engine/engine.h +++ b/crypto/engine/engine.h @@ -630,6 +630,10 @@ typedef int (*dynamic_bind_engine)(ENGINE *e, const char *id, if(!fn(e,id)) return 0; \ return 1; } +#if defined(__OpenBSD__) || defined(__FreeBSD__) +void ENGINE_setup_bsd_cryptodev(void); +#endif + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. diff --git a/crypto/err/err.h b/crypto/err/err.h index 988ef81aa0..1ba9913b64 100644 --- a/crypto/err/err.h +++ b/crypto/err/err.h @@ -131,6 +131,7 @@ typedef struct err_state_st #define ERR_LIB_OCSP 39 #define ERR_LIB_UI 40 #define ERR_LIB_COMP 41 +#define ERR_LIB_FIPS 42 #define ERR_LIB_USER 128 @@ -159,6 +160,7 @@ typedef struct err_state_st #define OCSPerr(f,r) ERR_PUT_error(ERR_LIB_OCSP,(f),(r),__FILE__,__LINE__) #define UIerr(f,r) ERR_PUT_error(ERR_LIB_UI,(f),(r),__FILE__,__LINE__) #define COMPerr(f,r) ERR_PUT_error(ERR_LIB_COMP,(f),(r),__FILE__,__LINE__) +#define FIPSerr(f,r) ERR_PUT_error(ERR_LIB_FIPS,(f),(r),__FILE__,__LINE__) /* Borland C seems too stupid to be able to shift and do longs in * the pre-processor :-( */ diff --git a/crypto/err/err_all.c b/crypto/err/err_all.c index dc505d9d9d..c8e2dafd93 100644 --- a/crypto/err/err_all.c +++ b/crypto/err/err_all.c @@ -87,6 +87,7 @@ #endif #include <openssl/ocsp.h> #include <openssl/err.h> +#include <openssl/fips.h> void ERR_load_crypto_strings(void) { @@ -130,4 +131,7 @@ void ERR_load_crypto_strings(void) ERR_load_OCSP_strings(); ERR_load_UI_strings(); #endif +#ifdef FIPS + ERR_load_FIPS_strings(); +#endif } diff --git a/crypto/err/openssl.ec b/crypto/err/openssl.ec index 29a69dfdd4..378fbb9242 100644 --- a/crypto/err/openssl.ec +++ b/crypto/err/openssl.ec @@ -27,6 +27,7 @@ L DSO crypto/dso/dso.h crypto/dso/dso_err.c L ENGINE crypto/engine/engine.h crypto/engine/eng_err.c L OCSP crypto/ocsp/ocsp.h crypto/ocsp/ocsp_err.c L UI crypto/ui/ui.h crypto/ui/ui_err.c +L FIPS fips/fips.h fips/fips_err.c # additional header files to be scanned for function names L NONE crypto/x509/x509_vfy.h NONE diff --git a/crypto/evp/Makefile.ssl b/crypto/evp/Makefile.ssl index 3279be5bda..772afd71f5 100644 --- a/crypto/evp/Makefile.ssl +++ b/crypto/evp/Makefile.ssl @@ -185,13 +185,14 @@ c_all.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h c_all.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h c_all.o: ../../include/openssl/des.h ../../include/openssl/des_old.h c_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h -c_all.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -c_all.o: ../../include/openssl/evp.h ../../include/openssl/idea.h -c_all.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h -c_all.o: ../../include/openssl/md4.h ../../include/openssl/md5.h -c_all.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h -c_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h -c_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +c_all.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h +c_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h +c_all.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h +c_all.o: ../../include/openssl/md2.h ../../include/openssl/md4.h +c_all.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h +c_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +c_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +c_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h c_all.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h c_all.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h c_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h diff --git a/crypto/evp/c_all.c b/crypto/evp/c_all.c index 1b31a14e37..879d84ae79 100644 --- a/crypto/evp/c_all.c +++ b/crypto/evp/c_all.c @@ -59,6 +59,7 @@ #include <stdio.h> #include "cryptlib.h" #include <openssl/evp.h> +#include <openssl/engine.h> #if 0 #undef OpenSSL_add_all_algorithms diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index fe8bcda631..581e8f7fa2 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -85,16 +85,24 @@ IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY, NULL) static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc) { + const unsigned char *iv, int enc) + { + int ret; if ((ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_CFB_MODE || (ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_OFB_MODE || enc) - AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data); + ret=AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data); else - AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data); + ret=AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data); + + if(ret < 0) |