Changes between 1.0.1 and 1.1.0 [xx XXX xxxx]
+ *) Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
+ sign or verify all in one operation.
+ [Steve Henson]
+
*) Add fips_algvs: a multicall fips utility incorporaing all the algorithm
test programs and fips_test_suite. Includes functionality to parse
the minimal script output of fipsalgest.pl directly.
+ [Steve Henson]
*) Add authorisation parameter to FIPS_module_mode_set().
[Steve Henson]
int FIPS_dsa_verify_digest(DSA *dsa,
const unsigned char *dig, int dlen, DSA_SIG *s);
int FIPS_dsa_verify_ctx(DSA *dsa, EVP_MD_CTX *ctx, DSA_SIG *s);
+int FIPS_dsa_verify(DSA *dsa, const unsigned char *msg, size_t msglen,
+ const EVP_MD *mhash, DSA_SIG *s);
+DSA_SIG * FIPS_dsa_sign(DSA *dsa, const unsigned char *msg, size_t msglen,
+ const EVP_MD *mhash);
+
#endif
DSA * DSA_new(void);
int FIPS_ecdsa_verify_digest(EC_KEY *key,
const unsigned char *dig, int dlen, ECDSA_SIG *s);
int FIPS_ecdsa_verify_ctx(EC_KEY *key, EVP_MD_CTX *ctx, ECDSA_SIG *s);
+int FIPS_ecdsa_verify(EC_KEY *key, const unsigned char *msg, size_t msglen,
+ const EVP_MD *mhash, ECDSA_SIG *s);
+ECDSA_SIG * FIPS_ecdsa_sign(EC_KEY *key,
+ const unsigned char *msg, size_t msglen,
+ const EVP_MD *mhash);
#endif
return dsa->meth->dsa_do_verify(dig,dlen,s,dsa);
}
+int FIPS_dsa_verify(DSA *dsa, const unsigned char *msg, size_t msglen,
+ const EVP_MD *mhash, DSA_SIG *s)
+ {
+ int ret=-1;
+ unsigned char dig[EVP_MAX_MD_SIZE];
+ unsigned int dlen;
+ FIPS_digest(msg, msglen, dig, &dlen, mhash);
+ ret=FIPS_dsa_verify_digest(dsa, dig, dlen, s);
+ OPENSSL_cleanse(dig, dlen);
+ return ret;
+ }
+
+DSA_SIG * FIPS_dsa_sign(DSA *dsa, const unsigned char *msg, size_t msglen,
+ const EVP_MD *mhash)
+ {
+ DSA_SIG *s;
+ unsigned char dig[EVP_MAX_MD_SIZE];
+ unsigned int dlen;
+ FIPS_digest(msg, msglen, dig, &dlen, mhash);
+ s = FIPS_dsa_sign_digest(dsa, dig, dlen);
+ OPENSSL_cleanse(dig, dlen);
+ return s;
+ }
+
#endif
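Review bot: The return value of `FIPS_digest()` is ignored in both `FIPS_dsa_verify` and `FIPS_dsa_sign`, whereas the caller code this commit removes checked `FIPS_digestinit`/`FIPS_digestupdate` before signing or verifying. Assuming `FIPS_digest()` reports failure through its return value, a failed hash (for example an unusable `mhash`) would leave `dig` and `dlen` unset, so the digest routine and `OPENSSL_cleanse(dig, dlen)` would both run on indeterminate stack contents and length. Suggest `if (!FIPS_digest(msg, msglen, dig, &dlen, mhash)) return -1;` in the verify path and `return NULL;` in the sign path, and cleansing `sizeof(dig)` rather than `dlen`. The same unchecked call appears in the added `FIPS_ecdsa_sign`/`FIPS_ecdsa_verify` and `FIPS_rsa_sign`/`FIPS_rsa_verify`.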
unsigned char buf[256];
unsigned long h;
BN_GENCB cb;
- EVP_MD_CTX mctx;
BN_GENCB_set(&cb, dsa_cb, stderr);
- FIPS_md_ctx_init(&mctx);
fips_algtest_init();
}
DSA_generate_key(dsa);
- if (!FIPS_digestinit(&mctx, EVP_sha1()))
- goto end;
- if (!FIPS_digestupdate(&mctx, str1, 20))
- goto end;
- sig = FIPS_dsa_sign_ctx(dsa, &mctx);
+ sig = FIPS_dsa_sign(dsa, str1, 20, EVP_sha1());
if (!sig)
goto end;
- if (!FIPS_digestinit(&mctx, EVP_sha1()))
- goto end;
- if (!FIPS_digestupdate(&mctx, str1, 20))
- goto end;
- if (FIPS_dsa_verify_ctx(dsa, &mctx, sig) != 1)
+ if (FIPS_dsa_verify(dsa, str1, 20, EVP_sha1(), sig) != 1)
goto end;
ret = 1;
if (sig)
FIPS_dsa_sig_free(sig);
if (dsa != NULL) FIPS_dsa_free(dsa);
- FIPS_md_ctx_cleanup(&mctx);
#if 0
CRYPTO_mem_leaks(bio_err);
#endif
{
unsigned char msg[1024];
int n;
- EVP_MD_CTX mctx;
DSA_SIG *sig;
- FIPS_md_ctx_init(&mctx);
n=hex2bin(value,msg);
exit(1);
do_bn_print_name(out, "Y",dsa->pub_key);
- FIPS_digestinit(&mctx, md);
- FIPS_digestupdate(&mctx, msg, n);
- sig = FIPS_dsa_sign_ctx(dsa, &mctx);
+ sig = FIPS_dsa_sign(dsa, msg, n, md);
do_bn_print_name(out, "R",sig->r);
do_bn_print_name(out, "S",sig->s);
fputs(RESP_EOL, out);
FIPS_dsa_sig_free(sig);
- FIPS_md_ctx_cleanup(&mctx);
}
}
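Review bot: The pointer returned by `FIPS_dsa_sign(dsa, msg, n, md)` is dereferenced as `sig->r` on the very next line with no NULL check, so a hashing or signing failure would crash the test tool rather than report an error. The DSA self-test changed in this same commit does guard the call with `if (!sig) goto end;`. Suggest adding `if (!sig) exit(1);` directly after the call, matching the `exit(1);` error path already used in this function. The enclosing function starts and ends outside the visible lines.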
if (dsa)
sig->r=hex2bn(value);
else if(!strcmp(keyword,"S"))
{
- EVP_MD_CTX mctx;
int r;
- FIPS_md_ctx_init(&mctx);
sig->s=hex2bn(value);
- FIPS_digestinit(&mctx, md);
- FIPS_digestupdate(&mctx, msg, n);
no_err = 1;
- r = FIPS_dsa_verify_ctx(dsa, &mctx, sig);
+ r = FIPS_dsa_verify(dsa, msg, n, md, sig);
no_err = 0;
- FIPS_md_ctx_cleanup(&mctx);
if (sig->s)
{
BN_free(sig->s);
return ret;
}
+int FIPS_ecdsa_verify(EC_KEY *key, const unsigned char *msg, size_t msglen,
+ const EVP_MD *mhash, ECDSA_SIG *s)
+ {
+ int ret=-1;
+ unsigned char dig[EVP_MAX_MD_SIZE];
+ unsigned int dlen;
+ FIPS_digest(msg, msglen, dig, &dlen, mhash);
+ ret=FIPS_ecdsa_verify_digest(key, dig, dlen, s);
+ OPENSSL_cleanse(dig, dlen);
+ return ret;
+ }
+
+ECDSA_SIG * FIPS_ecdsa_sign(EC_KEY *key,
+ const unsigned char *msg, size_t msglen,
+ const EVP_MD *mhash)
+ {
+ ECDSA_SIG *s;
+ unsigned char dig[EVP_MAX_MD_SIZE];
+ unsigned int dlen;
+ FIPS_digest(msg, msglen, dig, &dlen, mhash);
+ s = FIPS_dsa_sign_digest(key, dig, dlen);
+ OPENSSL_cleanse(dig, dlen);
+ return s;
+ }
+
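Review bot: `FIPS_ecdsa_sign` calls `FIPS_dsa_sign_digest(key, dig, dlen)`, which passes an `EC_KEY *` to the DSA signing routine and assigns its result to an `ECDSA_SIG *`; this looks like a copy-paste slip from the DSA version. The verify function just above correctly uses `FIPS_ecdsa_verify_digest`, so the sign path should presumably read `s = FIPS_ecdsa_sign_digest(key, dig, dlen);`. If the build only warns on the incompatible pointer types, the EC key would be interpreted as a DSA structure at run time, which is a type-confusion hazard in a signing path. The FIPS self-tests touched by this commit exercise only the DSA and RSA one-shot functions, so they would not catch it.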
EC_KEY *key = NULL;
ECDSA_SIG *sig = NULL;
const EVP_MD *digest = NULL;
- EVP_MD_CTX mctx;
- EVP_MD_CTX_init(&mctx);
Qx = BN_new();
Qy = BN_new();
while(fgets(buf, sizeof buf, in) != NULL)
return 0;
}
- FIPS_digestinit(&mctx, digest);
- FIPS_digestupdate(&mctx, msg, mlen);
- sig = FIPS_ecdsa_sign_ctx(key, &mctx);
+ sig = FIPS_ecdsa_sign(key, msg, mlen, digest);
if (!sig)
{
}
BN_free(Qx);
BN_free(Qy);
- FIPS_md_ctx_cleanup(&mctx);
return 1;
}
EC_KEY *key = NULL;
ECDSA_SIG sg, *sig = &sg;
const EVP_MD *digest = NULL;
- EVP_MD_CTX mctx;
- EVP_MD_CTX_init(&mctx);
sig->r = NULL;
sig->s = NULL;
while(fgets(buf, sizeof buf, in) != NULL)
return 0;
}
- FIPS_digestinit(&mctx, digest);
- FIPS_digestupdate(&mctx, msg, mlen);
no_err = 1;
- rv = FIPS_ecdsa_verify_ctx(key, &mctx, sig);
+ rv = FIPS_ecdsa_verify(key, msg, mlen, digest, sig);
EC_KEY_free(key);
if (msg)
OPENSSL_free(msg);
BN_free(Qx);
if (Qy)
BN_free(Qy);
- EVP_MD_CTX_cleanup(&mctx);
return 1;
}
#ifdef FIPS_ALGVS
const struct env_md_st *mgf1Hash,
const unsigned char *sigbuf, unsigned int siglen);
+int FIPS_rsa_sign(struct rsa_st *rsa, const unsigned char *msg, int msglen,
+ const struct env_md_st *mhash, int rsa_pad_mode,
+ int saltlen, const struct env_md_st *mgf1Hash,
+ unsigned char *sigret, unsigned int *siglen);
+
+int FIPS_rsa_verify(struct rsa_st *rsa, const unsigned char *msg, int msglen,
+ const struct env_md_st *mhash, int rsa_pad_mode,
+ int saltlen, const struct env_md_st *mgf1Hash,
+ const unsigned char *sigbuf, unsigned int siglen);
+
#ifdef OPENSSL_FIPSCAPABLE
int FIPS_digestinit(EVP_MD_CTX *ctx, const EVP_MD *type);
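Review bot: The new RSA prototypes take `int msglen`, while the DSA and ECDSA one-shot functions added in the same commit take `size_t msglen`, and the updated callers pass `sizeof(input_ptext) - 1`, which is a `size_t`. A length above `INT_MAX` would be silently narrowed at the call, so the bytes actually hashed and signed would no longer match the caller's buffer length. Suggest using `size_t msglen` in both declarations, e.g. `int FIPS_rsa_sign(struct rsa_st *rsa, const unsigned char *msg, size_t msglen,`, with the definitions changed to match.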
DSA *dsa = NULL;
unsigned char dgst[] = "etaonrishdlc";
int r = 0;
- EVP_MD_CTX mctx;
DSA_SIG *sig = NULL;
ERR_clear_error();
- FIPS_md_ctx_init(&mctx);
dsa = FIPS_dsa_new();
if (!dsa)
goto end;
if (bad)
BN_add_word(dsa->pub_key, 1);
- if (!FIPS_digestinit(&mctx, EVP_sha256()))
- goto end;
- if (!FIPS_digestupdate(&mctx, dgst, sizeof(dgst) - 1))
- goto end;
- sig = FIPS_dsa_sign_ctx(dsa, &mctx);
+ sig = FIPS_dsa_sign(dsa, dgst, sizeof(dgst) -1, EVP_sha256());
if (!sig)
goto end;
- if (!FIPS_digestinit(&mctx, EVP_sha256()))
- goto end;
- if (!FIPS_digestupdate(&mctx, dgst, sizeof(dgst) - 1))
- goto end;
- r = FIPS_dsa_verify_ctx(dsa, &mctx, sig);
+ r = FIPS_dsa_verify(dsa, dgst, sizeof(dgst) -1, EVP_sha256(), sig);
end:
if (sig)
FIPS_dsa_sig_free(sig);
- FIPS_md_ctx_cleanup(&mctx);
if (dsa)
FIPS_dsa_free(dsa);
if (r != 1)
unsigned char buf[256];
unsigned int slen;
BIGNUM *bn;
- EVP_MD_CTX mctx;
int r = 0;
ERR_clear_error();
- FIPS_md_ctx_init(&mctx);
key = FIPS_rsa_new();
bn = BN_new();
if (!key || !bn)
if (bad)
BN_add_word(key->n, 1);
- if (!FIPS_digestinit(&mctx, EVP_sha256()))
- goto end;
- if (!FIPS_digestupdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
- goto end;
- if (!FIPS_rsa_sign_ctx(key, &mctx, RSA_PKCS1_PADDING, 0, NULL, buf, &slen))
+ if (!FIPS_rsa_sign(key, input_ptext, sizeof(input_ptext) - 1, EVP_sha256(),
+ RSA_PKCS1_PADDING, 0, NULL, buf, &slen))
goto end;
- if (!FIPS_digestinit(&mctx, EVP_sha256()))
- goto end;
- if (!FIPS_digestupdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
- goto end;
- r = FIPS_rsa_verify_ctx(key, &mctx, RSA_PKCS1_PADDING, 0, NULL, buf, slen);
+ r = FIPS_rsa_verify(key, input_ptext, sizeof(input_ptext) - 1, EVP_sha256(),
+ RSA_PKCS1_PADDING, 0, NULL, buf, slen);
end:
- FIPS_md_ctx_cleanup(&mctx);
if (key)
FIPS_rsa_free(key);
if (r != 1)
return(ret);
}
+int FIPS_rsa_sign(RSA *rsa, const unsigned char *msg, int msglen,
+ const EVP_MD *mhash, int rsa_pad_mode, int saltlen,
+ const EVP_MD *mgf1Hash,
+ unsigned char *sigret, unsigned int *siglen)
+ {
+ unsigned int md_len, rv;
+ unsigned char md[EVP_MAX_MD_SIZE];
+ FIPS_digest(msg, msglen, md, &md_len, mhash);
+ rv = FIPS_rsa_sign_digest(rsa, md, md_len, mhash, rsa_pad_mode,
+ saltlen, mgf1Hash, sigret, siglen);
+ OPENSSL_cleanse(md, md_len);
+ return rv;
+ }
+
+
+int FIPS_rsa_verify(RSA *rsa, const unsigned char *msg, int msglen,
+ const EVP_MD *mhash, int rsa_pad_mode, int saltlen,
+ const EVP_MD *mgf1Hash,
+ const unsigned char *sigbuf, unsigned int siglen)
+ {
+ unsigned int md_len, rv;
+ unsigned char md[EVP_MAX_MD_SIZE];
+ FIPS_digest(msg, msglen, md, &md_len, mhash);
+ rv = FIPS_rsa_verify_digest(rsa, md, md_len, mhash, rsa_pad_mode,
+ saltlen, mgf1Hash, sigbuf, siglen);
+ OPENSSL_cleanse(md, md_len);
+ return rv;
+ }
+
#endif
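Review bot: In `FIPS_rsa_sign` and `FIPS_rsa_verify` the status is stored in `unsigned int rv` although both functions return `int`, and the RSA test code updated in this commit checks `r < 0` on the verify result. Any negative status from `FIPS_rsa_verify_digest` therefore reaches the caller only through an implementation-defined unsigned-to-int conversion. Declaring the two variables separately, `unsigned int md_len;` and `int rv;`, keeps the error value intact and avoids sign-conversion warnings.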
unsigned char *sigbuf = NULL;
int i, siglen, pad_mode;
/* EVP_PKEY structure */
- EVP_MD_CTX ctx;
siglen = RSA_size(rsa);
sigbuf = OPENSSL_malloc(siglen);
if (!sigbuf)
goto error;
- FIPS_md_ctx_init(&ctx);
-
if (Saltlen >= 0)
pad_mode = RSA_PKCS1_PSS_PADDING;
else if (Saltlen == -2)
else
pad_mode = RSA_PKCS1_PADDING;
- if (!FIPS_digestinit(&ctx, dgst))
- goto error;
- if (!FIPS_digestupdate(&ctx, Msg, Msglen))
- goto error;
- if (!FIPS_rsa_sign_ctx(rsa, &ctx, pad_mode, Saltlen, NULL,
+ if (!FIPS_rsa_sign(rsa, Msg, Msglen, dgst, pad_mode, Saltlen, NULL,
sigbuf, (unsigned int *)&siglen))
goto error;
- FIPS_md_ctx_cleanup(&ctx);
-
fputs("S = ", out);
for (i = 0; i < siglen; i++)
int ret = 0, r, pad_mode;
/* Setup RSA and EVP_PKEY structures */
RSA *rsa_pubkey = NULL;
- EVP_MD_CTX ctx;
unsigned char *buf = NULL;
rsa_pubkey = FIPS_rsa_new();
if (!rsa_pubkey)
if (!rsa_pubkey->n || !rsa_pubkey->e)
goto error;
- FIPS_md_ctx_init(&ctx);
-
if (Saltlen >= 0)
pad_mode = RSA_PKCS1_PSS_PADDING;
else if (Saltlen == -2)
else
pad_mode = RSA_PKCS1_PADDING;
- if (!FIPS_digestinit(&ctx, dgst))
- goto error;
- if (!FIPS_digestupdate(&ctx, Msg, Msglen))
- goto error;
-
no_err = 1;
- r = FIPS_rsa_verify_ctx(rsa_pubkey, &ctx,
+ r = FIPS_rsa_verify(rsa_pubkey, Msg, Msglen, dgst,
pad_mode, Saltlen, NULL, S, Slen);
no_err = 0;
-
- FIPS_md_ctx_cleanup(&ctx);
-
if (r < 0)
goto error;