root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Add single call public key sign and verify functions.

This commit is contained in:
Dr. Stephen Henson 2011-11-05 01:32:52 +00:00
parent b7de76b74d
commit 485ef852ac
13 changed files with 117 additions and 85 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGES
View File

@ -4,9 +4,14 @@
Changes between 1.0.1 and 1.1.0 [xx XXX xxxx] Changes between 1.0.1 and 1.1.0 [xx XXX xxxx]
*) Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
sign or verify all in one operation.
[Steve Henson]
*) Add fips_algvs: a multicall fips utility incorporaing all the algorithm *) Add fips_algvs: a multicall fips utility incorporaing all the algorithm
test programs and fips_test_suite. Includes functionality to parse test programs and fips_test_suite. Includes functionality to parse
the minimal script output of fipsalgest.pl directly. the minimal script output of fipsalgest.pl directly.
[Steve Henson]
*) Add authorisation parameter to FIPS_module_mode_set(). *) Add authorisation parameter to FIPS_module_mode_set().
[Steve Henson] [Steve Henson]

5
crypto/dsa/dsa.h
View File

@ -215,6 +215,11 @@ DSA_SIG * FIPS_dsa_sign_ctx(DSA *dsa, EVP_MD_CTX *ctx);
int FIPS_dsa_verify_digest(DSA *dsa, int FIPS_dsa_verify_digest(DSA *dsa,
const unsigned char *dig, int dlen, DSA_SIG *s); const unsigned char *dig, int dlen, DSA_SIG *s);
int FIPS_dsa_verify_ctx(DSA *dsa, EVP_MD_CTX *ctx, DSA_SIG *s); int FIPS_dsa_verify_ctx(DSA *dsa, EVP_MD_CTX *ctx, DSA_SIG *s);
int FIPS_dsa_verify(DSA *dsa, const unsigned char *msg, size_t msglen,
const EVP_MD *mhash, DSA_SIG *s);
DSA_SIG * FIPS_dsa_sign(DSA *dsa, const unsigned char *msg, size_t msglen,
const EVP_MD *mhash);
#endif #endif
DSA * DSA_new(void); DSA * DSA_new(void);

5
crypto/ecdsa/ecdsa.h
View File

@ -236,6 +236,11 @@ ECDSA_SIG * FIPS_ecdsa_sign_ctx(EC_KEY *key, EVP_MD_CTX *ctx);
int FIPS_ecdsa_verify_digest(EC_KEY *key, int FIPS_ecdsa_verify_digest(EC_KEY *key,
const unsigned char *dig, int dlen, ECDSA_SIG *s); const unsigned char *dig, int dlen, ECDSA_SIG *s);
int FIPS_ecdsa_verify_ctx(EC_KEY *key, EVP_MD_CTX *ctx, ECDSA_SIG *s); int FIPS_ecdsa_verify_ctx(EC_KEY *key, EVP_MD_CTX *ctx, ECDSA_SIG *s);
int FIPS_ecdsa_verify(EC_KEY *key, const unsigned char *msg, size_t msglen,
const EVP_MD *mhash, ECDSA_SIG *s);
ECDSA_SIG * FIPS_ecdsa_sign(EC_KEY *key,
const unsigned char *msg, size_t msglen,
const EVP_MD *mhash);
#endif #endif

24
fips/dsa/fips_dsa_sign.c
View File

@ -114,4 +114,28 @@ int FIPS_dsa_verify_digest(DSA *dsa,
return dsa->meth->dsa_do_verify(dig,dlen,s,dsa); return dsa->meth->dsa_do_verify(dig,dlen,s,dsa);
} }
int FIPS_dsa_verify(DSA *dsa, const unsigned char *msg, size_t msglen,
const EVP_MD *mhash, DSA_SIG *s)
{
int ret=-1;
unsigned char dig[EVP_MAX_MD_SIZE];
unsigned int dlen;
FIPS_digest(msg, msglen, dig, &dlen, mhash);
ret=FIPS_dsa_verify_digest(dsa, dig, dlen, s);
OPENSSL_cleanse(dig, dlen);
return ret;
}
DSA_SIG * FIPS_dsa_sign(DSA *dsa, const unsigned char *msg, size_t msglen,
const EVP_MD *mhash)
{
DSA_SIG *s;
unsigned char dig[EVP_MAX_MD_SIZE];
unsigned int dlen;
FIPS_digest(msg, msglen, dig, &dlen, mhash);
s = FIPS_dsa_sign_digest(dsa, dig, dlen);
OPENSSL_cleanse(dig, dlen);
return s;
}
#endif #endif

15
fips/dsa/fips_dsatest.c
View File

@ -154,9 +154,7 @@ int main(int argc, char **argv)
unsigned char buf[256]; unsigned char buf[256];
unsigned long h; unsigned long h;
BN_GENCB cb; BN_GENCB cb;
EVP_MD_CTX mctx;
BN_GENCB_set(&cb, dsa_cb, stderr); BN_GENCB_set(&cb, dsa_cb, stderr);
FIPS_md_ctx_init(&mctx);
fips_algtest_init(); fips_algtest_init();
@ -210,19 +208,11 @@ int main(int argc, char **argv)
} }
DSA_generate_key(dsa); DSA_generate_key(dsa);
if (!FIPS_digestinit(&mctx, EVP_sha1())) sig = FIPS_dsa_sign(dsa, str1, 20, EVP_sha1());
goto end;
if (!FIPS_digestupdate(&mctx, str1, 20))
goto end;
sig = FIPS_dsa_sign_ctx(dsa, &mctx);
if (!sig) if (!sig)
goto end; goto end;
if (!FIPS_digestinit(&mctx, EVP_sha1())) if (FIPS_dsa_verify(dsa, str1, 20, EVP_sha1(), sig) != 1)
goto end;
if (!FIPS_digestupdate(&mctx, str1, 20))
goto end;
if (FIPS_dsa_verify_ctx(dsa, &mctx, sig) != 1)
goto end; goto end;
ret = 1; ret = 1;
@ -231,7 +221,6 @@ end:
if (sig) if (sig)
FIPS_dsa_sig_free(sig); FIPS_dsa_sig_free(sig);
if (dsa != NULL) FIPS_dsa_free(dsa); if (dsa != NULL) FIPS_dsa_free(dsa);
FIPS_md_ctx_cleanup(&mctx);
#if 0 #if 0
CRYPTO_mem_leaks(bio_err); CRYPTO_mem_leaks(bio_err);
#endif #endif

14
fips/dsa/fips_dssvs.c
View File

@ -632,9 +632,7 @@ static void siggen(FILE *in, FILE *out)
{ {
unsigned char msg[1024]; unsigned char msg[1024];
int n; int n;
EVP_MD_CTX mctx;
DSA_SIG *sig; DSA_SIG *sig;
FIPS_md_ctx_init(&mctx);
n=hex2bin(value,msg); n=hex2bin(value,msg);
@ -642,15 +640,12 @@ static void siggen(FILE *in, FILE *out)
exit(1); exit(1);
do_bn_print_name(out, "Y",dsa->pub_key); do_bn_print_name(out, "Y",dsa->pub_key);
FIPS_digestinit(&mctx, md); sig = FIPS_dsa_sign(dsa, msg, n, md);
FIPS_digestupdate(&mctx, msg, n);
sig = FIPS_dsa_sign_ctx(dsa, &mctx);
do_bn_print_name(out, "R",sig->r); do_bn_print_name(out, "R",sig->r);
do_bn_print_name(out, "S",sig->s); do_bn_print_name(out, "S",sig->s);
fputs(RESP_EOL, out); fputs(RESP_EOL, out);
FIPS_dsa_sig_free(sig); FIPS_dsa_sig_free(sig);
FIPS_md_ctx_cleanup(&mctx);
} }
} }
if (dsa) if (dsa)
@ -705,17 +700,12 @@ static void sigver(FILE *in, FILE *out)
sig->r=hex2bn(value); sig->r=hex2bn(value);
else if(!strcmp(keyword,"S")) else if(!strcmp(keyword,"S"))
{ {
EVP_MD_CTX mctx;
int r; int r;
FIPS_md_ctx_init(&mctx);
sig->s=hex2bn(value); sig->s=hex2bn(value);
FIPS_digestinit(&mctx, md);
FIPS_digestupdate(&mctx, msg, n);
no_err = 1; no_err = 1;
r = FIPS_dsa_verify_ctx(dsa, &mctx, sig); r = FIPS_dsa_verify(dsa, msg, n, md, sig);
no_err = 0; no_err = 0;
FIPS_md_ctx_cleanup(&mctx);
if (sig->s) if (sig->s)
{ {
BN_free(sig->s); BN_free(sig->s);

25
fips/ecdsa/fips_ecdsa_sign.c
View File

@ -87,3 +87,28 @@ int FIPS_ecdsa_verify_ctx(EC_KEY *key, EVP_MD_CTX *ctx, ECDSA_SIG *s)
return ret; return ret;
} }
int FIPS_ecdsa_verify(EC_KEY *key, const unsigned char *msg, size_t msglen,
const EVP_MD *mhash, ECDSA_SIG *s)
{
int ret=-1;
unsigned char dig[EVP_MAX_MD_SIZE];
unsigned int dlen;
FIPS_digest(msg, msglen, dig, &dlen, mhash);
ret=FIPS_ecdsa_verify_digest(key, dig, dlen, s);
OPENSSL_cleanse(dig, dlen);
return ret;
}
ECDSA_SIG * FIPS_ecdsa_sign(EC_KEY *key,
const unsigned char *msg, size_t msglen,
const EVP_MD *mhash)
{
ECDSA_SIG *s;
unsigned char dig[EVP_MAX_MD_SIZE];
unsigned int dlen;
FIPS_digest(msg, msglen, dig, &dlen, mhash);
s = FIPS_dsa_sign_digest(key, dig, dlen);
OPENSSL_cleanse(dig, dlen);
return s;
}

14
fips/ecdsa/fips_ecdsavs.c
View File

@ -308,8 +308,6 @@ static int SigGen(FILE *in, FILE *out)
EC_KEY *key = NULL; EC_KEY *key = NULL;
ECDSA_SIG *sig = NULL; ECDSA_SIG *sig = NULL;
const EVP_MD *digest = NULL; const EVP_MD *digest = NULL;
EVP_MD_CTX mctx;
EVP_MD_CTX_init(&mctx);
Qx = BN_new(); Qx = BN_new();
Qy = BN_new(); Qy = BN_new();
while(fgets(buf, sizeof buf, in) != NULL) while(fgets(buf, sizeof buf, in) != NULL)
@ -345,9 +343,7 @@ static int SigGen(FILE *in, FILE *out)
return 0; return 0;
} }
FIPS_digestinit(&mctx, digest); sig = FIPS_ecdsa_sign(key, msg, mlen, digest);
FIPS_digestupdate(&mctx, msg, mlen);
sig = FIPS_ecdsa_sign_ctx(key, &mctx);
if (!sig) if (!sig)
{ {
@ -369,7 +365,6 @@ static int SigGen(FILE *in, FILE *out)
} }
BN_free(Qx); BN_free(Qx);
BN_free(Qy); BN_free(Qy);
FIPS_md_ctx_cleanup(&mctx);
return 1; return 1;
} }
@ -384,8 +379,6 @@ static int SigVer(FILE *in, FILE *out)
EC_KEY *key = NULL; EC_KEY *key = NULL;
ECDSA_SIG sg, *sig = &sg; ECDSA_SIG sg, *sig = &sg;
const EVP_MD *digest = NULL; const EVP_MD *digest = NULL;
EVP_MD_CTX mctx;
EVP_MD_CTX_init(&mctx);
sig->r = NULL; sig->r = NULL;
sig->s = NULL; sig->s = NULL;
while(fgets(buf, sizeof buf, in) != NULL) while(fgets(buf, sizeof buf, in) != NULL)
@ -450,10 +443,8 @@ static int SigVer(FILE *in, FILE *out)
return 0; return 0;
} }
FIPS_digestinit(&mctx, digest);
FIPS_digestupdate(&mctx, msg, mlen);
no_err = 1; no_err = 1;
rv = FIPS_ecdsa_verify_ctx(key, &mctx, sig); rv = FIPS_ecdsa_verify(key, msg, mlen, digest, sig);
EC_KEY_free(key); EC_KEY_free(key);
if (msg) if (msg)
OPENSSL_free(msg); OPENSSL_free(msg);
@ -471,7 +462,6 @@ static int SigVer(FILE *in, FILE *out)
BN_free(Qx); BN_free(Qx);
if (Qy) if (Qy)
BN_free(Qy); BN_free(Qy);
EVP_MD_CTX_cleanup(&mctx);
return 1; return 1;
} }
#ifdef FIPS_ALGVS #ifdef FIPS_ALGVS

10
fips/fips.h
View File

@ -224,6 +224,16 @@ int FIPS_rsa_verify_digest(struct rsa_st *rsa,
const struct env_md_st *mgf1Hash, const struct env_md_st *mgf1Hash,
const unsigned char *sigbuf, unsigned int siglen); const unsigned char *sigbuf, unsigned int siglen);
int FIPS_rsa_sign(struct rsa_st *rsa, const unsigned char *msg, int msglen,
const struct env_md_st *mhash, int rsa_pad_mode,
int saltlen, const struct env_md_st *mgf1Hash,
unsigned char *sigret, unsigned int *siglen);
int FIPS_rsa_verify(struct rsa_st *rsa, const unsigned char *msg, int msglen,
const struct env_md_st *mhash, int rsa_pad_mode,
int saltlen, const struct env_md_st *mgf1Hash,
const unsigned char *sigbuf, unsigned int siglen);
#ifdef OPENSSL_FIPSCAPABLE #ifdef OPENSSL_FIPSCAPABLE
int FIPS_digestinit(EVP_MD_CTX *ctx, const EVP_MD *type); int FIPS_digestinit(EVP_MD_CTX *ctx, const EVP_MD *type);

32
fips/fips_test_suite.c
View File

@ -144,11 +144,9 @@ static int FIPS_dsa_test(int bad)
DSA *dsa = NULL; DSA *dsa = NULL;
unsigned char dgst[] = "etaonrishdlc"; unsigned char dgst[] = "etaonrishdlc";
int r = 0; int r = 0;
EVP_MD_CTX mctx;
DSA_SIG *sig = NULL; DSA_SIG *sig = NULL;
ERR_clear_error(); ERR_clear_error();
FIPS_md_ctx_init(&mctx);
dsa = FIPS_dsa_new(); dsa = FIPS_dsa_new();
if (!dsa) if (!dsa)
goto end; goto end;
@ -159,23 +157,14 @@ static int FIPS_dsa_test(int bad)
if (bad) if (bad)
BN_add_word(dsa->pub_key, 1); BN_add_word(dsa->pub_key, 1);
if (!FIPS_digestinit(&mctx, EVP_sha256())) sig = FIPS_dsa_sign(dsa, dgst, sizeof(dgst) -1, EVP_sha256());
goto end;
if (!FIPS_digestupdate(&mctx, dgst, sizeof(dgst) - 1))
goto end;
sig = FIPS_dsa_sign_ctx(dsa, &mctx);
if (!sig) if (!sig)
goto end; goto end;
if (!FIPS_digestinit(&mctx, EVP_sha256())) r = FIPS_dsa_verify(dsa, dgst, sizeof(dgst) -1, EVP_sha256(), sig);
goto end;
if (!FIPS_digestupdate(&mctx, dgst, sizeof(dgst) - 1))
goto end;
r = FIPS_dsa_verify_ctx(dsa, &mctx, sig);
end: end:
if (sig) if (sig)
FIPS_dsa_sig_free(sig); FIPS_dsa_sig_free(sig);
FIPS_md_ctx_cleanup(&mctx);
if (dsa) if (dsa)
FIPS_dsa_free(dsa); FIPS_dsa_free(dsa);
if (r != 1) if (r != 1)
@ -193,11 +182,9 @@ static int FIPS_rsa_test(int bad)
unsigned char buf[256]; unsigned char buf[256];
unsigned int slen; unsigned int slen;
BIGNUM *bn; BIGNUM *bn;
EVP_MD_CTX mctx;
int r = 0; int r = 0;
ERR_clear_error(); ERR_clear_error();
FIPS_md_ctx_init(&mctx);
key = FIPS_rsa_new(); key = FIPS_rsa_new();
bn = BN_new(); bn = BN_new();
if (!key || !bn) if (!key || !bn)
@ -209,20 +196,13 @@ static int FIPS_rsa_test(int bad)
if (bad) if (bad)
BN_add_word(key->n, 1); BN_add_word(key->n, 1);
if (!FIPS_digestinit(&mctx, EVP_sha256())) if (!FIPS_rsa_sign(key, input_ptext, sizeof(input_ptext) - 1, EVP_sha256(),
goto end; RSA_PKCS1_PADDING, 0, NULL, buf, &slen))
if (!FIPS_digestupdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
goto end;
if (!FIPS_rsa_sign_ctx(key, &mctx, RSA_PKCS1_PADDING, 0, NULL, buf, &slen))
goto end; goto end;
if (!FIPS_digestinit(&mctx, EVP_sha256())) r = FIPS_rsa_verify(key, input_ptext, sizeof(input_ptext) - 1, EVP_sha256(),
goto end; RSA_PKCS1_PADDING, 0, NULL, buf, slen);
if (!FIPS_digestupdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
goto end;
r = FIPS_rsa_verify_ctx(key, &mctx, RSA_PKCS1_PADDING, 0, NULL, buf, slen);
end: end:
FIPS_md_ctx_cleanup(&mctx);
if (key) if (key)
FIPS_rsa_free(key); FIPS_rsa_free(key);
if (r != 1) if (r != 1)

29
fips/rsa/fips_rsa_sign.c
View File

@ -442,4 +442,33 @@ err:
return(ret); return(ret);
} }
int FIPS_rsa_sign(RSA *rsa, const unsigned char *msg, int msglen,
const EVP_MD *mhash, int rsa_pad_mode, int saltlen,
const EVP_MD *mgf1Hash,
unsigned char *sigret, unsigned int *siglen)
{
unsigned int md_len, rv;
unsigned char md[EVP_MAX_MD_SIZE];
FIPS_digest(msg, msglen, md, &md_len, mhash);
rv = FIPS_rsa_sign_digest(rsa, md, md_len, mhash, rsa_pad_mode,
saltlen, mgf1Hash, sigret, siglen);
OPENSSL_cleanse(md, md_len);
return rv;
}
int FIPS_rsa_verify(RSA *rsa, const unsigned char *msg, int msglen,
const EVP_MD *mhash, int rsa_pad_mode, int saltlen,
const EVP_MD *mgf1Hash,
const unsigned char *sigbuf, unsigned int siglen)
{
unsigned int md_len, rv;
unsigned char md[EVP_MAX_MD_SIZE];
FIPS_digest(msg, msglen, md, &md_len, mhash);
rv = FIPS_rsa_verify_digest(rsa, md, md_len, mhash, rsa_pad_mode,
saltlen, mgf1Hash, sigbuf, siglen);
OPENSSL_cleanse(md, md_len);
return rv;
}
#endif #endif

11
fips/rsa/fips_rsastest.c
View File

@ -325,15 +325,12 @@ static int rsa_printsig(FILE *out, RSA *rsa, const EVP_MD *dgst,
unsigned char *sigbuf = NULL; unsigned char *sigbuf = NULL;
int i, siglen, pad_mode; int i, siglen, pad_mode;
/* EVP_PKEY structure */ /* EVP_PKEY structure */
EVP_MD_CTX ctx;
siglen = RSA_size(rsa); siglen = RSA_size(rsa);
sigbuf = OPENSSL_malloc(siglen); sigbuf = OPENSSL_malloc(siglen);
if (!sigbuf) if (!sigbuf)
goto error; goto error;
FIPS_md_ctx_init(&ctx);
if (Saltlen >= 0) if (Saltlen >= 0)
pad_mode = RSA_PKCS1_PSS_PADDING; pad_mode = RSA_PKCS1_PSS_PADDING;
else if (Saltlen == -2) else if (Saltlen == -2)
@ -341,16 +338,10 @@ static int rsa_printsig(FILE *out, RSA *rsa, const EVP_MD *dgst,
else else
pad_mode = RSA_PKCS1_PADDING; pad_mode = RSA_PKCS1_PADDING;
if (!FIPS_digestinit(&ctx, dgst)) if (!FIPS_rsa_sign(rsa, Msg, Msglen, dgst, pad_mode, Saltlen, NULL,
goto error;
if (!FIPS_digestupdate(&ctx, Msg, Msglen))
goto error;
if (!FIPS_rsa_sign_ctx(rsa, &ctx, pad_mode, Saltlen, NULL,
sigbuf, (unsigned int *)&siglen)) sigbuf, (unsigned int *)&siglen))
goto error; goto error;
FIPS_md_ctx_cleanup(&ctx);
fputs("S = ", out); fputs("S = ", out);
for (i = 0; i < siglen; i++) for (i = 0; i < siglen; i++)

13
fips/rsa/fips_rsavtest.c
View File

@ -323,7 +323,6 @@ static int rsa_printver(FILE *out,
int ret = 0, r, pad_mode; int ret = 0, r, pad_mode;
/* Setup RSA and EVP_PKEY structures */ /* Setup RSA and EVP_PKEY structures */
RSA *rsa_pubkey = NULL; RSA *rsa_pubkey = NULL;
EVP_MD_CTX ctx;
unsigned char *buf = NULL; unsigned char *buf = NULL;
rsa_pubkey = FIPS_rsa_new(); rsa_pubkey = FIPS_rsa_new();
if (!rsa_pubkey) if (!rsa_pubkey)
@ -333,8 +332,6 @@ static int rsa_printver(FILE *out,
if (!rsa_pubkey->n || !rsa_pubkey->e) if (!rsa_pubkey->n || !rsa_pubkey->e)
goto error; goto error;
FIPS_md_ctx_init(&ctx);
if (Saltlen >= 0) if (Saltlen >= 0)
pad_mode = RSA_PKCS1_PSS_PADDING; pad_mode = RSA_PKCS1_PSS_PADDING;
else if (Saltlen == -2) else if (Saltlen == -2)
@ -342,19 +339,11 @@ static int rsa_printver(FILE *out,
else else
pad_mode = RSA_PKCS1_PADDING; pad_mode = RSA_PKCS1_PADDING;
if (!FIPS_digestinit(&ctx, dgst))
goto error;
if (!FIPS_digestupdate(&ctx, Msg, Msglen))
goto error;
no_err = 1; no_err = 1;
r = FIPS_rsa_verify_ctx(rsa_pubkey, &ctx, r = FIPS_rsa_verify(rsa_pubkey, Msg, Msglen, dgst,
pad_mode, Saltlen, NULL, S, Slen); pad_mode, Saltlen, NULL, S, Slen);
no_err = 0; no_err = 0;
FIPS_md_ctx_cleanup(&ctx);
if (r < 0) if (r < 0)
goto error; goto error;