Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
OpenHarmony
Third Party Openssl
提交
086e32a6
T
Third Party Openssl
项目概览
OpenHarmony
/
Third Party Openssl
1 年多 前同步成功
通知
9
Star
18
Fork
1
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
T
Third Party Openssl
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
086e32a6
编写于
5月 19, 2011
作者:
D
Dr. Stephen Henson
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Implement FIPS_mode and FIPS_mode_set
上级
05b4fc6c
变更
15
隐藏空白更改
内联
并排
Showing
15 changed file
with
189 addition
and
8 deletion
+189
-8
CHANGES
CHANGES
+4
-0
apps/openssl.c
apps/openssl.c
+1
-4
crypto/Makefile
crypto/Makefile
+2
-2
crypto/cpt_err.c
crypto/cpt_err.c
+3
-1
crypto/crypto.h
crypto/crypto.h
+5
-0
crypto/o_fips.c
crypto/o_fips.c
+83
-0
ssl/s23_clnt.c
ssl/s23_clnt.c
+16
-0
ssl/s23_srvr.c
ssl/s23_srvr.c
+12
-0
ssl/s3_clnt.c
ssl/s3_clnt.c
+5
-0
ssl/s3_enc.c
ssl/s3_enc.c
+9
-0
ssl/s3_srvr.c
ssl/s3_srvr.c
+2
-0
ssl/ssl_ciph.c
ssl/ssl_ciph.c
+7
-0
ssl/ssl_lib.c
ssl/ssl_lib.c
+8
-0
ssl/ssltest.c
ssl/ssltest.c
+30
-1
ssl/t1_enc.c
ssl/t1_enc.c
+2
-0
未找到文件。
CHANGES
浏览文件 @
086e32a6
...
...
@@ -4,6 +4,10 @@
Changes between 1.0.1 and 1.1.0 [xx XXX xxxx]
*) Functions FIPS_mode_set() and FIPS_mode() which call the underlying
FIPS modules versions.
[Steve Henson]
*) Add TLS v1.2 client side support for client authentication. Keep cache
of handshake records longer as we don't know the hash algorithm to use
until after the certificate request message is received.
...
...
apps/openssl.c
浏览文件 @
086e32a6
...
...
@@ -315,10 +315,7 @@ int main(int Argc, char *ARGV[])
if
(
getenv
(
"OPENSSL_FIPS"
))
{
#ifdef OPENSSL_FIPS
/* For now call FIPS_module_mode_set(): will call
* FIPS_mode_set() later.
*/
if
(
!
FIPS_module_mode_set
(
1
))
{
if
(
!
FIPS_mode_set
(
1
))
{
ERR_load_crypto_strings
();
ERR_print_errors
(
BIO_new_fp
(
stderr
,
BIO_NOCLOSE
));
EXIT
(
1
);
...
...
crypto/Makefile
浏览文件 @
086e32a6
...
...
@@ -36,10 +36,10 @@ LIB= $(TOP)/libcrypto.a
SHARED_LIB
=
libcrypto
$(SHLIB_EXT)
LIBSRC
=
cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c
\
ebcdic.c uid.c o_time.c o_str.c o_dir.c thr_id.c lock.c fips_ers.c
\
o_init.c
o_init.c
o_fips.c
LIBOBJ
=
cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o
\
ebcdic.o uid.o o_time.o o_str.o o_dir.o thr_id.o lock.o fips_ers.o
\
o_init.o
$(CPUID_OBJ)
o_init.o
o_fips.o
$(CPUID_OBJ)
SRC
=
$(LIBSRC)
...
...
crypto/cpt_err.c
浏览文件 @
086e32a6
/* crypto/cpt_err.c */
/* ====================================================================
* Copyright (c) 1999-20
06
The OpenSSL Project. All rights reserved.
* Copyright (c) 1999-20
11
The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
...
...
@@ -76,6 +76,7 @@ static ERR_STRING_DATA CRYPTO_str_functs[]=
{
ERR_FUNC
(
CRYPTO_F_CRYPTO_SET_EX_DATA
),
"CRYPTO_set_ex_data"
},
{
ERR_FUNC
(
CRYPTO_F_DEF_ADD_INDEX
),
"DEF_ADD_INDEX"
},
{
ERR_FUNC
(
CRYPTO_F_DEF_GET_CLASS
),
"DEF_GET_CLASS"
},
{
ERR_FUNC
(
CRYPTO_F_FIPS_MODE_SET
),
"FIPS_mode_set"
},
{
ERR_FUNC
(
CRYPTO_F_INT_DUP_EX_DATA
),
"INT_DUP_EX_DATA"
},
{
ERR_FUNC
(
CRYPTO_F_INT_FREE_EX_DATA
),
"INT_FREE_EX_DATA"
},
{
ERR_FUNC
(
CRYPTO_F_INT_NEW_EX_DATA
),
"INT_NEW_EX_DATA"
},
...
...
@@ -84,6 +85,7 @@ static ERR_STRING_DATA CRYPTO_str_functs[]=
static
ERR_STRING_DATA
CRYPTO_str_reasons
[]
=
{
{
ERR_REASON
(
CRYPTO_R_FIPS_MODE_NOT_SUPPORTED
),
"fips mode not supported"
},
{
ERR_REASON
(
CRYPTO_R_NO_DYNLOCK_CREATE_CALLBACK
),
"no dynlock create callback"
},
{
0
,
NULL
}
};
...
...
crypto/crypto.h
浏览文件 @
086e32a6
...
...
@@ -560,6 +560,9 @@ unsigned int *OPENSSL_ia32cap_loc(void);
#define OPENSSL_ia32cap ((OPENSSL_ia32cap_loc())[0])
int
OPENSSL_isservice
(
void
);
int
FIPS_mode
(
void
);
int
FIPS_mode_set
(
int
r
);
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
...
...
@@ -575,11 +578,13 @@ void ERR_load_CRYPTO_strings(void);
#define CRYPTO_F_CRYPTO_SET_EX_DATA 102
#define CRYPTO_F_DEF_ADD_INDEX 104
#define CRYPTO_F_DEF_GET_CLASS 105
#define CRYPTO_F_FIPS_MODE_SET 109
#define CRYPTO_F_INT_DUP_EX_DATA 106
#define CRYPTO_F_INT_FREE_EX_DATA 107
#define CRYPTO_F_INT_NEW_EX_DATA 108
/* Reason codes. */
#define CRYPTO_R_FIPS_MODE_NOT_SUPPORTED 101
#define CRYPTO_R_NO_DYNLOCK_CREATE_CALLBACK 100
#ifdef __cplusplus
...
...
crypto/o_fips.c
0 → 100644
浏览文件 @
086e32a6
/* Written by Stephen henson (steve@openssl.org) for the OpenSSL
* project 2011.
*/
/* ====================================================================
* Copyright (c) 2011 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include "cryptlib.h"
#ifdef OPENSSL_FIPS
#include <openssl/fips.h>
#endif
int
FIPS_mode
(
void
)
{
#ifdef OPENSSL_FIPS
return
FIPS_module_mode
();
#else
return
0
;
#endif
}
int
FIPS_mode_set
(
int
r
)
{
#ifdef OPENSSL_FIPS
return
FIPS_module_mode_set
(
r
);
#else
if
(
r
==
0
)
return
1
;
CRYPTOerr
(
CRYPTO_F_FIPS_MODE_SET
,
CRYPTO_R_FIPS_MODE_NOT_SUPPORTED
);
return
0
;
#endif
}
ssl/s23_clnt.c
浏览文件 @
086e32a6
...
...
@@ -356,6 +356,14 @@ static int ssl23_client_hello(SSL *s)
version_major
=
TLS1_VERSION_MAJOR
;
version_minor
=
TLS1_VERSION_MINOR
;
}
#ifdef OPENSSL_FIPS
else
if
(
FIPS_mode
())
{
SSLerr
(
SSL_F_SSL23_CLIENT_HELLO
,
SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE
);
return
-
1
;
}
#endif
else
if
(
version
==
SSL3_VERSION
)
{
version_major
=
SSL3_VERSION_MAJOR
;
...
...
@@ -639,6 +647,14 @@ static int ssl23_get_server_hello(SSL *s)
if
((
p
[
2
]
==
SSL3_VERSION_MINOR
)
&&
!
(
s
->
options
&
SSL_OP_NO_SSLv3
))
{
#ifdef OPENSSL_FIPS
if
(
FIPS_mode
())
{
SSLerr
(
SSL_F_SSL23_GET_SERVER_HELLO
,
SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE
);
goto
err
;
}
#endif
s
->
version
=
SSL3_VERSION
;
s
->
method
=
SSLv3_client_method
();
}
...
...
ssl/s23_srvr.c
浏览文件 @
086e32a6
...
...
@@ -115,6 +115,9 @@
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
#ifdef OPENSSL_FIPS
#include <openssl/fips.h>
#endif
static
const
SSL_METHOD
*
ssl23_get_server_method
(
int
ver
);
int
ssl23_get_client_hello
(
SSL
*
s
);
...
...
@@ -422,6 +425,15 @@ int ssl23_get_client_hello(SSL *s)
}
}
#ifdef OPENSSL_FIPS
if
(
FIPS_mode
()
&&
(
s
->
version
<
TLS1_VERSION
))
{
SSLerr
(
SSL_F_SSL23_GET_CLIENT_HELLO
,
SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE
);
goto
err
;
}
#endif
if
(
s
->
state
==
SSL23_ST_SR_CLNT_HELLO_B
)
{
/* we have SSLv3/TLSv1 in an SSLv2 header
...
...
ssl/s3_clnt.c
浏览文件 @
086e32a6
...
...
@@ -157,6 +157,9 @@
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/md5.h>
#ifdef OPENSSL_FIPS
#include <openssl/fips.h>
#endif
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#endif
...
...
@@ -1709,6 +1712,8 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
q
=
md_buf
;
for
(
num
=
2
;
num
>
0
;
num
--
)
{
EVP_MD_CTX_set_flags
(
&
md_ctx
,
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
);
EVP_DigestInit_ex
(
&
md_ctx
,(
num
==
2
)
?
s
->
ctx
->
md5
:
s
->
ctx
->
sha1
,
NULL
);
EVP_DigestUpdate
(
&
md_ctx
,
&
(
s
->
s3
->
client_random
[
0
]),
SSL3_RANDOM_SIZE
);
...
...
ssl/s3_enc.c
浏览文件 @
086e32a6
...
...
@@ -170,6 +170,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
#endif
k
=
0
;
EVP_MD_CTX_init
(
&
m5
);
EVP_MD_CTX_set_flags
(
&
m5
,
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
);
EVP_MD_CTX_init
(
&
s1
);
for
(
i
=
0
;
(
int
)
i
<
num
;
i
+=
MD5_DIGEST_LENGTH
)
{
...
...
@@ -614,6 +615,13 @@ int ssl3_digest_cached_records(SSL *s)
{
s
->
s3
->
handshake_dgst
[
i
]
=
EVP_MD_CTX_create
();
EVP_DigestInit_ex
(
s
->
s3
->
handshake_dgst
[
i
],
md
,
NULL
);
#ifdef OPENSSL_FIPS
if
(
EVP_MD_nid
(
md
)
==
NID_md5
)
{
EVP_MD_CTX_set_flags
(
s
->
s3
->
handshake_dgst
[
i
],
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
);
}
#endif
EVP_DigestUpdate
(
s
->
s3
->
handshake_dgst
[
i
],
hdata
,
hdatalen
);
}
else
...
...
@@ -669,6 +677,7 @@ static int ssl3_handshake_mac(SSL *s, int md_nid,
return
0
;
}
EVP_MD_CTX_init
(
&
ctx
);
EVP_MD_CTX_set_flags
(
&
ctx
,
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
);
EVP_MD_CTX_copy_ex
(
&
ctx
,
d
);
n
=
EVP_MD_CTX_size
(
&
ctx
);
if
(
n
<
0
)
...
...
ssl/s3_srvr.c
浏览文件 @
086e32a6
...
...
@@ -1899,6 +1899,8 @@ int ssl3_send_server_key_exchange(SSL *s)
{
EVP_DigestInit_ex
(
&
md_ctx
,(
num
==
2
)
?
s
->
ctx
->
md5
:
s
->
ctx
->
sha1
,
NULL
);
EVP_MD_CTX_set_flags
(
&
md_ctx
,
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
);
EVP_DigestUpdate
(
&
md_ctx
,
&
(
s
->
s3
->
client_random
[
0
]),
SSL3_RANDOM_SIZE
);
EVP_DigestUpdate
(
&
md_ctx
,
&
(
s
->
s3
->
server_random
[
0
]),
SSL3_RANDOM_SIZE
);
EVP_DigestUpdate
(
&
md_ctx
,
&
(
d
[
4
]),
n
);
...
...
ssl/ssl_ciph.c
浏览文件 @
086e32a6
...
...
@@ -740,6 +740,9 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
c
=
ssl_method
->
get_cipher
(
i
);
/* drop those that use any of that is not available */
if
((
c
!=
NULL
)
&&
c
->
valid
&&
#ifdef OPENSSL_FIPS
(
!
FIPS_mode
()
||
(
c
->
algo_strength
&
SSL_FIPS
))
&&
#endif
!
(
c
->
algorithm_mkey
&
disabled_mkey
)
&&
!
(
c
->
algorithm_auth
&
disabled_auth
)
&&
!
(
c
->
algorithm_enc
&
disabled_enc
)
&&
...
...
@@ -1439,7 +1442,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
*/
for
(
curr
=
head
;
curr
!=
NULL
;
curr
=
curr
->
next
)
{
#ifdef OPENSSL_FIPS
if
(
curr
->
active
&&
(
!
FIPS_mode
()
||
curr
->
cipher
->
algo_strength
&
SSL_FIPS
))
#else
if
(
curr
->
active
)
#endif
{
sk_SSL_CIPHER_push
(
cipherstack
,
curr
->
cipher
);
#ifdef CIPHER_DEBUG
...
...
ssl/ssl_lib.c
浏览文件 @
086e32a6
...
...
@@ -1660,6 +1660,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
return
(
NULL
);
}
#ifdef OPENSSL_FIPS
if
(
FIPS_mode
()
&&
(
meth
->
version
<
TLS1_VERSION
))
{
SSLerr
(
SSL_F_SSL_CTX_NEW
,
SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE
);
return
NULL
;
}
#endif
if
(
SSL_get_ex_data_X509_STORE_CTX_idx
()
<
0
)
{
SSLerr
(
SSL_F_SSL_CTX_NEW
,
SSL_R_X509_VERIFICATION_SETUP_PROBLEMS
);
...
...
ssl/ssltest.c
浏览文件 @
086e32a6
...
...
@@ -395,6 +395,9 @@ static void sv_usage(void)
{
fprintf
(
stderr
,
"usage: ssltest [args ...]
\n
"
);
fprintf
(
stderr
,
"
\n
"
);
#ifdef OPENSSL_FIPS
fprintf
(
stderr
,
"-F - run test in FIPS mode
\n
"
);
#endif
fprintf
(
stderr
,
" -server_auth - check server certificate
\n
"
);
fprintf
(
stderr
,
" -client_auth - do client authentication
\n
"
);
fprintf
(
stderr
,
" -proxy - allow proxy certificates
\n
"
);
...
...
@@ -630,6 +633,9 @@ int main(int argc, char *argv[])
STACK_OF
(
SSL_COMP
)
*
ssl_comp_methods
=
NULL
;
#endif
int
test_cipherlist
=
0
;
#ifdef OPENSSL_FIPS
int
fips_mode
=
0
;
#endif
verbose
=
0
;
debug
=
0
;
...
...
@@ -661,7 +667,16 @@ int main(int argc, char *argv[])
while
(
argc
>=
1
)
{
if
(
strcmp
(
*
argv
,
"-server_auth"
)
==
0
)
if
(
!
strcmp
(
*
argv
,
"-F"
))
{
#ifdef OPENSSL_FIPS
fips_mode
=
1
;
#else
fprintf
(
stderr
,
"not compiled with FIPS support, so exitting without running.
\n
"
);
EXIT
(
0
);
#endif
}
else
if
(
strcmp
(
*
argv
,
"-server_auth"
)
==
0
)
server_auth
=
1
;
else
if
(
strcmp
(
*
argv
,
"-client_auth"
)
==
0
)
client_auth
=
1
;
...
...
@@ -885,6 +900,20 @@ bad:
EXIT
(
1
);
}
#ifdef OPENSSL_FIPS
if
(
fips_mode
)
{
if
(
!
FIPS_mode_set
(
1
))
{
ERR_load_crypto_strings
();
ERR_print_errors
(
BIO_new_fp
(
stderr
,
BIO_NOCLOSE
));
EXIT
(
1
);
}
else
fprintf
(
stderr
,
"*** IN FIPS MODE ***
\n
"
);
}
#endif
if
(
print_time
)
{
if
(
!
bio_pair
)
...
...
ssl/t1_enc.c
浏览文件 @
086e32a6
...
...
@@ -171,6 +171,8 @@ static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
EVP_MD_CTX_init
(
&
ctx
);
EVP_MD_CTX_init
(
&
ctx_tmp
);
EVP_MD_CTX_set_flags
(
&
ctx
,
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
);
EVP_MD_CTX_set_flags
(
&
ctx_tmp
,
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
);
mac_key
=
EVP_PKEY_new_mac_key
(
EVP_PKEY_HMAC
,
NULL
,
sec
,
sec_len
);
if
(
!
mac_key
)
goto
err
;
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录