From: Dr. Stephen Henson
Date: Mon, 2 Jul 2007 11:22:50 +0000 (+0000)
Subject: Check selftest status in all crypto operations and abort with
X-Git-Tag: FIPS_098_TEST_1~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ffc35e73b49cc2069ad879b0d065810f031d5570;p=thirdparty%2Fopenssl.git

Check selftest status in all crypto operations and abort with
a fatal error on failure.
---
diff --git a/CHANGES b/CHANGES
index 5cb29ca5fd7..37af6c570e1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@ Changes between 0.9.8e and 0.9.8f-fips [xx XXX xxxx] + *) Check for selftest status in all crypto operations and exit with a + fatal error if selftest failed. + [Steve Henson] + *) New flag in EVP_CIPHER: EVP_CIPH_FLAG_DEFAULT_ASN1. This will automatically use EVP_CIPHER_{get,set}_asn1_iv and avoid the need for any ASN1 dependencies in FIPS library. Move AES and 3DES
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index 9c1a8adf0cd..89eda8fd106 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -120,6 +120,9 @@
 void EVP_MD_CTX_init(EVP_MD_CTX *ctx)
 {
+#ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+#endif
 memset(ctx,'\0',sizeof *ctx);
 }
diff --git a/crypto/evp/enc_min.c b/crypto/evp/enc_min.c
index dac5ca73d2e..d1b14fafc5c 100644
--- a/crypto/evp/enc_min.c
+++ b/crypto/evp/enc_min.c
@@ -68,6 +68,9 @@
 void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
 {
+#ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+#endif
 memset(ctx,0,sizeof(EVP_CIPHER_CTX));
 /* ctx->cipher=NULL; */
 }
diff --git a/fips-1.0/dh/fips_dh_key.c b/fips-1.0/dh/fips_dh_key.c
index b6798076f73..7f5854f4761 100644
--- a/fips-1.0/dh/fips_dh_key.c
+++ b/fips-1.0/dh/fips_dh_key.c
@@ -64,6 +64,7 @@
 #endif
 #ifndef OPENSSL_NO_DH
 #include
+#include
 #ifdef OPENSSL_FIPS
@@ -241,6 +242,7 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
 static int dh_init(DH *dh)
 {
+ FIPS_selftest_check();
 dh->flags |= DH_FLAG_CACHE_MONT_P;
 return(1);
 }
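Review bot: In crypto/evp/digest.c the `FIPS_selftest_check()` guard sits only in `EVP_MD_CTX_init()`, so as far as this diff shows a digest context that was initialised before the self-test state went bad, or one that is reused without another init call, is never re-checked; `EVP_CIPHER_CTX_init()` in crypto/evp/enc_min.c has the same shape. The commit title promises a check in all crypto operations, so the update/final paths either need the same guard or the limitation should be documented. `FIPS_selftest_check()` is not defined in this diff, so whether it is a no-op when FIPS mode is off cannot be confirmed here, and that matters because every OPENSSL_FIPS build now calls it on each context init. I would add above the call `/* FIPS: fatal error if the self-tests have failed; checked at context init only */`.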
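Review bot: `dh_init()` in fips-1.0/dh/fips_dh_key.c runs `FIPS_selftest_check()` only from the method's init hook, so a DH object set up before a self-test failure would, as far as these hunks show, still be usable afterwards; `dsa_init()` in fips-1.0/dsa/fips_dsa_ossl.c and `RSA_eay_init()` in fips-1.0/rsa/fips_rsa_eay.c repeat the pattern. If every operation is meant to be blocked, the per-operation callbacks of these methods (outside the hunks) need the call as well. Unlike the EVP hunks the call here has no `#ifdef OPENSSL_FIPS` around it; the first fips_dh_key.c hunk shows such a guard opening right after the new include, so it presumably covers `dh_init()`, but that should be confirmed for the DSA and RSA files. Each hook returns int yet the failure path is an abort according to the commit message, which deserves a one-line comment such as `/* aborts on failed FIPS self-test; does not return an error */`.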
diff --git a/fips-1.0/dsa/fips_dsa_ossl.c b/fips-1.0/dsa/fips_dsa_ossl.c
index c00a9c4c897..fb3893afc38 100644
--- a/fips-1.0/dsa/fips_dsa_ossl.c
+++ b/fips-1.0/dsa/fips_dsa_ossl.c
@@ -377,6 +377,7 @@ static int dsa_do_verify(const unsigned char *dgst, FIPS_DSA_SIZE_T dgst_len, DS
 static int dsa_init(DSA *dsa)
 {
+ FIPS_selftest_check();
 dsa->flags|=DSA_FLAG_CACHE_MONT_P;
 return(1);
 }
diff --git a/fips-1.0/rsa/fips_rsa_eay.c b/fips-1.0/rsa/fips_rsa_eay.c
index 45b3bd1b1a2..69170b16b3b 100644
--- a/fips-1.0/rsa/fips_rsa_eay.c
+++ b/fips-1.0/rsa/fips_rsa_eay.c
@@ -891,6 +891,7 @@ err:
 static int RSA_eay_init(RSA *rsa)
 {
+ FIPS_selftest_check();
 rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
 return(1);
 }