提交
25c65429
编写于
2月 15, 2011
作者:
Dr. Stephen Henson
Add non-FIPS algorithm blocking and selftest checking.
上级
14567b14
Showing
10 changed file
with
119 addition
and
10 deletion
+119
-10
CHANGES
CHANGES
+5
-2
crypto/evp/evp.h
crypto/evp/evp.h
+1
-0
crypto/evp/evp_err.c
crypto/evp/evp_err.c
+1
-0
crypto/fips_err.h
crypto/fips_err.h
+2
-0
fips/des/fips_des_selftest.c
fips/des/fips_des_selftest.c
+0
-8
fips/dsa/fips_dsa_sign.c
fips/dsa/fips_dsa_sign.c
+2
-0
fips/fips.h
fips/fips.h
+5
-0
fips/rsa/fips_rsa_sign.c
fips/rsa/fips_rsa_sign.c
+4
-0
fips/utl/fips_enc.c
fips/utl/fips_enc.c
+54
-0
fips/utl/fips_md.c
fips/utl/fips_md.c
+45
-0
CHANGES
...
...
@@ -4,10 +4,13 @@
Changes between 1.0.1 and 1.1.0 [xx XXX xxxx]
*) Add selftest checks and algorithm block of non-fips algorithms in
FIPS mode. Remove DES2 from selftests.
[Steve Henson]
*) Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just
return internal method without any ENGINE dependencies. Add new
tiny fips sign and verify functions. Initial incomplete algorithm
test program.
tiny fips sign and verify functions.
[Steve Henson]
*) New build option no-ec2m to disable characteristic 2 code.
...
...
crypto/evp/evp.h
...
...
@@ -1319,6 +1319,7 @@ void ERR_load_EVP_strings(void);
#define EVP_R_DECODE_ERROR 114
#define EVP_R_DIFFERENT_KEY_TYPES 101
#define EVP_R_DIFFERENT_PARAMETERS 153
#define EVP_R_DISABLED_FOR_FIPS 163
#define EVP_R_ENCODE_ERROR 115
#define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119
#define EVP_R_EXPECTING_AN_RSA_KEY 127
...
...
crypto/evp/evp_err.c
...
...
@@ -162,6 +162,7 @@ static ERR_STRING_DATA EVP_str_reasons[]=
{
ERR_REASON
(
EVP_R_DECODE_ERROR
)
,
"decode error"
},
{
ERR_REASON
(
EVP_R_DIFFERENT_KEY_TYPES
)
,
"different key types"
},
{
ERR_REASON
(
EVP_R_DIFFERENT_PARAMETERS
)
,
"different parameters"
},
{
ERR_REASON
(
EVP_R_DISABLED_FOR_FIPS
)
,
"disabled for fips"
},
{
ERR_REASON
(
EVP_R_ENCODE_ERROR
)
,
"encode error"
},
{
ERR_REASON
(
EVP_R_EVP_PBE_CIPHERINIT_ERROR
),
"evp pbe cipherinit error"
},
{
ERR_REASON
(
EVP_R_EXPECTING_AN_RSA_KEY
)
,
"expecting an rsa key"
},
...
...
crypto/fips_err.h
...
...
@@ -80,6 +80,8 @@ static ERR_STRING_DATA FIPS_str_functs[]=
{
ERR_FUNC
(
FIPS_F_FIPS_CHECK_DSA
),
"FIPS_CHECK_DSA"
},
{
ERR_FUNC
(
FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT
),
"FIPS_check_incore_fingerprint"
},
{
ERR_FUNC
(
FIPS_F_FIPS_CHECK_RSA
),
"fips_check_rsa"
},
{
ERR_FUNC
(
FIPS_F_FIPS_CIPHERINIT
),
"FIPS_CIPHERINIT"
},
{
ERR_FUNC
(
FIPS_F_FIPS_DIGESTINIT
),
"FIPS_DIGESTINIT"
},
{
ERR_FUNC
(
FIPS_F_FIPS_DSA_CHECK
),
"FIPS_DSA_CHECK"
},
{
ERR_FUNC
(
FIPS_F_FIPS_MODE_SET
),
"FIPS_mode_set"
},
{
ERR_FUNC
(
FIPS_F_FIPS_PKEY_SIGNATURE_TEST
),
"fips_pkey_signature_test"
},
...
...
fips/des/fips_des_selftest.c
...
...
@@ -111,14 +111,6 @@ int FIPS_selftest_des()
int
n
,
ret
=
0
;
EVP_CIPHER_CTX
ctx
;
FIPS_cipher_ctx_init
(
&
ctx
);
/* Encrypt/decrypt with 2-key 3DES and compare to known answers */
for
(
n
=
0
;
n
<
2
;
++
n
)
{
if
(
!
fips_cipher_test
(
&
ctx
,
EVP_des_ede_ecb
(),
tests2
[
n
].
key
,
NULL
,
tests2
[
n
].
plaintext
,
tests2
[
n
].
ciphertext
,
8
))
goto
err
;
}
/* Encrypt/decrypt with 3DES and compare to known answers */
for
(
n
=
0
;
n
<
2
;
++
n
)
...
...
fips/dsa/fips_dsa_sign.c
...
...
@@ -84,6 +84,7 @@ DSA_SIG * FIPS_dsa_sign_ctx(DSA *dsa, EVP_MD_CTX *ctx)
DSA_SIG
*
FIPS_dsa_sign_digest
(
DSA
*
dsa
,
const
unsigned
char
*
dig
,
int
dlen
)
{
FIPS_selftest_check
();
return
dsa
->
meth
->
dsa_do_sign
(
dig
,
dlen
,
dsa
);
}
...
...
@@ -101,6 +102,7 @@ int FIPS_dsa_verify_ctx(DSA *dsa, EVP_MD_CTX *ctx, DSA_SIG *s)
int
FIPS_dsa_verify_digest
(
DSA
*
dsa
,
const
unsigned
char
*
dig
,
int
dlen
,
DSA_SIG
*
s
)
{
FIPS_selftest_check
();
return
dsa
->
meth
->
dsa_do_verify
(
dig
,
dlen
,
s
,
dsa
);
}
...
...
fips/fips.h
...
...
@@ -114,6 +114,9 @@ void FIPS_set_locking_callbacks(void (*func)(int mode, int type,
int
(
*
add_cb
)(
int
*
pointer
,
int
amount
,
int
type
,
const
char
*
file
,
int
line
));
#define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \
alg " previous FIPS forbidden algorithm error ignored");
/* Where necessary redirect standard OpenSSL APIs to FIPS versions */
#if defined(OPENSSL_FIPSCANISTER) && defined(OPENSSL_FIPSAPI)
...
...
@@ -179,6 +182,8 @@ void ERR_load_FIPS_strings(void);
#define FIPS_F_FIPS_CHECK_DSA 104
#define FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT 105
#define FIPS_F_FIPS_CHECK_RSA 106
#define FIPS_F_FIPS_CIPHERINIT 128
#define FIPS_F_FIPS_DIGESTINIT 127
#define FIPS_F_FIPS_DSA_CHECK 107
#define FIPS_F_FIPS_MODE_SET 108
#define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109
...
...
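Review bot: The FIPS_ERROR_IGNORED definition carries its own trailing semicolon, so a use such as `FIPS_ERROR_IGNORED("Cipher init");` expands to a statement followed by an empty statement and would break an unbraced `if`/`else` wrapped around it. Dropping the final `;` from the `#define` lets the macro behave like an ordinary expression statement. A short comment on the macro would also help: `alg` has to be a string literal because it is joined to the message by literal concatenation, and the bad_* stubs that `return 0` after it only make sense if OpenSSLDie does not return, which is not shown in this hunk.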
fips/rsa/fips_rsa_sign.c
...
...
@@ -219,6 +219,8 @@ int FIPS_rsa_sign_digest(RSA *rsa, const unsigned char *md, int md_len,
/* Largest DigestInfo: 19 (max encoding) + max MD */
unsigned
char
tmpdinfo
[
19
+
EVP_MAX_MD_SIZE
];
FIPS_selftest_check
();
md_type
=
M_EVP_MD_type
(
mhash
);
if
(
rsa_pad_mode
==
RSA_X931_PADDING
)
...
...
@@ -326,6 +328,8 @@ int FIPS_rsa_verify_digest(RSA *rsa, const unsigned char *dig, int diglen,
return
(
0
);
}
FIPS_selftest_check
();
md_type
=
M_EVP_MD_type
(
mhash
);
s
=
OPENSSL_malloc
((
unsigned
int
)
siglen
);
...
...
fips/utl/fips_enc.c
...
...
@@ -78,9 +78,53 @@ EVP_CIPHER_CTX *FIPS_cipher_ctx_new(void)
return
ctx
;
}
/* The purpose of these is to trap programs that attempt to use non FIPS
* algorithms in FIPS mode and ignore the errors.
*/
static
int
bad_init
(
EVP_CIPHER_CTX
*
ctx
,
const
unsigned
char
*
key
,
const
unsigned
char
*
iv
,
int
enc
)
{
FIPS_ERROR_IGNORED
(
"Cipher init"
);
return
0
;}
static
int
bad_do_cipher
(
EVP_CIPHER_CTX
*
ctx
,
unsigned
char
*
out
,
const
unsigned
char
*
in
,
size_t
inl
)
{
FIPS_ERROR_IGNORED
(
"Cipher update"
);
return
0
;}
/* NB: no cleanup because it is allowed after failed init */
static
int
bad_set_asn1
(
EVP_CIPHER_CTX
*
ctx
,
ASN1_TYPE
*
typ
)
{
FIPS_ERROR_IGNORED
(
"Cipher set_asn1"
);
return
0
;}
static
int
bad_get_asn1
(
EVP_CIPHER_CTX
*
ctx
,
ASN1_TYPE
*
typ
)
{
FIPS_ERROR_IGNORED
(
"Cipher get_asn1"
);
return
0
;}
static
int
bad_ctrl
(
EVP_CIPHER_CTX
*
ctx
,
int
type
,
int
arg
,
void
*
ptr
)
{
FIPS_ERROR_IGNORED
(
"Cipher ctrl"
);
return
0
;}
static
const
EVP_CIPHER
bad_cipher
=
{
0
,
0
,
0
,
0
,
0
,
bad_init
,
bad_do_cipher
,
NULL
,
0
,
bad_set_asn1
,
bad_get_asn1
,
bad_ctrl
,
NULL
};
int
FIPS_cipherinit
(
EVP_CIPHER_CTX
*
ctx
,
const
EVP_CIPHER
*
cipher
,
const
unsigned
char
*
key
,
const
unsigned
char
*
iv
,
int
enc
)
{
if
(
FIPS_selftest_failed
())
{
FIPSerr
(
FIPS_F_FIPS_CIPHERINIT
,
FIPS_R_FIPS_SELFTEST_FAILED
);
ctx
->
cipher
=
&
bad_cipher
;
return
0
;
}
if
(
enc
==
-
1
)
enc
=
ctx
->
encrypt
;
else
...
...
@@ -91,6 +135,14 @@ int FIPS_cipherinit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
}
if
(
cipher
)
{
/* Only FIPS ciphers allowed */
if
(
FIPS_mode
()
&&
!
(
cipher
->
flags
&
EVP_CIPH_FLAG_FIPS
)
&&
!
(
ctx
->
flags
&
EVP_CIPH_FLAG_NON_FIPS_ALLOW
))
{
EVPerr
(
EVP_F_FIPS_CIPHERINIT
,
EVP_R_DISABLED_FOR_FIPS
);
ctx
->
cipher
=
&
bad_cipher
;
return
0
;
}
/* Ensure a context left lying around from last time is cleared
* (the previous check attempted to avoid this if the same
* ENGINE and EVP_CIPHER could be used). */
...
...
@@ -208,6 +260,7 @@ int FIPS_cipher_ctx_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
EVPerr
(
EVP_F_FIPS_CIPHER_CTX_CTRL
,
EVP_R_NO_CIPHER_SET
);
return
0
;
}
FIPS_selftest_check
();
if
(
!
ctx
->
cipher
->
ctrl
)
{
EVPerr
(
EVP_F_FIPS_CIPHER_CTX_CTRL
,
EVP_R_CTRL_NOT_IMPLEMENTED
);
...
...
@@ -226,5 +279,6 @@ int FIPS_cipher_ctx_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
int
FIPS_cipher
(
EVP_CIPHER_CTX
*
ctx
,
unsigned
char
*
out
,
const
unsigned
char
*
in
,
unsigned
int
inl
)
{
FIPS_selftest_check
();
return
ctx
->
cipher
->
do_cipher
(
ctx
,
out
,
in
,
inl
);
}
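Review bot: Both new failure paths in FIPS_cipherinit assign `ctx->cipher = &bad_cipher` and return before the step that the following comment describes as clearing "a context left lying around from last time". bad_cipher is built with zeros in its leading slots and NULL where the "no cleanup" comment points, so on a reused context the earlier cipher's cleanup hook and context size are no longer reachable through ctx->cipher; if the context cleanup routine sizes its wipe from ctx->cipher (not visible here), key schedule data from the previous init could be freed without being cleansed. Consider releasing and wiping the old cipher state before the pointer swap, or at minimum recording the limitation next to the assignment, e.g. `/* NB: cipher_data from an earlier init is not wiped on this path */`. The initialiser of bad_cipher is positional, so a one-line comment naming the fields it fills would guard against a silent mismatch if the EVP_CIPHER layout changes. The body of FIPS_cipherinit continues outside both hunks.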
fips/utl/fips_md.c
...
...
@@ -135,9 +135,51 @@ EVP_MD_CTX *FIPS_md_ctx_create(void)
return
ctx
;
}
/* The purpose of these is to trap programs that attempt to use non FIPS
* algorithms in FIPS mode and ignore the errors.
*/
static
int
bad_init
(
EVP_MD_CTX
*
ctx
)
{
FIPS_ERROR_IGNORED
(
"Digest init"
);
return
0
;}
static
int
bad_update
(
EVP_MD_CTX
*
ctx
,
const
void
*
data
,
size_t
count
)
{
FIPS_ERROR_IGNORED
(
"Digest update"
);
return
0
;}
static
int
bad_final
(
EVP_MD_CTX
*
ctx
,
unsigned
char
*
md
)
{
FIPS_ERROR_IGNORED
(
"Digest Final"
);
return
0
;}
static
const
EVP_MD
bad_md
=
{
0
,
0
,
0
,
0
,
bad_init
,
bad_update
,
bad_final
,
NULL
,
NULL
,
NULL
,
0
,
{
0
,
0
,
0
,
0
},
};
int
FIPS_digestinit
(
EVP_MD_CTX
*
ctx
,
const
EVP_MD
*
type
)
{
M_EVP_MD_CTX_clear_flags
(
ctx
,
EVP_MD_CTX_FLAG_CLEANED
);
if
(
FIPS_selftest_failed
())
{
FIPSerr
(
FIPS_F_FIPS_DIGESTINIT
,
FIPS_R_FIPS_SELFTEST_FAILED
);
ctx
->
digest
=
&
bad_md
;
return
0
;
}
if
(
FIPS_mode
()
&&
!
(
type
->
flags
&
EVP_MD_FLAG_FIPS
)
&&
!
(
ctx
->
flags
&
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
))
{
EVPerr
(
EVP_F_FIPS_DIGESTINIT
,
EVP_R_DISABLED_FOR_FIPS
);
ctx
->
digest
=
&
bad_md
;
return
0
;
}
if
(
ctx
->
digest
!=
type
)
{
if
(
ctx
->
digest
&&
ctx
->
digest
->
ctx_size
)
...
...
@@ -162,6 +204,7 @@ int FIPS_digestinit(EVP_MD_CTX *ctx, const EVP_MD *type)
int
FIPS_digestupdate
(
EVP_MD_CTX
*
ctx
,
const
void
*
data
,
size_t
count
)
{
FIPS_selftest_check
();
return
ctx
->
update
(
ctx
,
data
,
count
);
}
...
...
@@ -170,6 +213,8 @@ int FIPS_digestfinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
{
int
ret
;
FIPS_selftest_check
();
OPENSSL_assert
(
ctx
->
digest
->
md_size
<=
EVP_MAX_MD_SIZE
);
ret
=
ctx
->
digest
->
final
(
ctx
,
md
);
if
(
size
!=
NULL
)
...
...
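Review bot: The two failure paths added to FIPS_digestinit set only `ctx->digest = &bad_md`, but FIPS_digestupdate in the same file dispatches through `ctx->update(ctx,data,count)`, not through `ctx->digest->update`. After a rejected init, bad_update is therefore not reached on the update path: the call goes to whatever ctx->update already held, which on a reused context is presumably the previous digest's update function and on a fresh one may be unset. Adding `ctx->update = bad_update;` beside each `ctx->digest = &bad_md;` would make the trap cover update as well as final. The new FIPS-mode test also reads `type->flags` with no NULL guard, unlike the cipher path which wraps its check in `if (cipher)`; whether callers may pass a NULL type is not visible here, since FIPS_digestinit continues beyond the hunk.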