diff options
| author | Bob Beck <bbe@google.com> | 2024-06-24 20:29:52 +0000 |
|---|---|---|
| committer | David Benjamin <davidben@google.com> | 2024-06-24 20:32:36 +0000 |
| commit | f01108e4761e1d4189cb134322c3cb01dc71ef87 (patch) | |
| tree | 6fdb7be65766f4268e2f2a3dc032d2f9b5f51076 | |
| parent | 26468aea6483135b156fb03a5693c495dbad2e0f (diff) | |
| download | boringssl-master.zip boringssl-master.tar.gz boringssl-master.tar.bz2 | |
This reverts commit 26468aea6483135b156fb03a5693c495dbad2e0f.
Change-Id: I50951239b4b79544f7e8914a6f86d2b38c098a2d
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69627
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Auto-Submit: Bob Beck <bbe@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
| -rw-r--r-- | util/fipstools/CMakeLists.txt | 12 | ||||
| -rw-r--r-- | util/fipstools/test_fips.c | 43 |
2 files changed, 23 insertions, 32 deletions
diff --git a/util/fipstools/CMakeLists.txt b/util/fipstools/CMakeLists.txt index 69e1284..87abf0a 100644 --- a/util/fipstools/CMakeLists.txt +++ b/util/fipstools/CMakeLists.txt @@ -1,6 +1,8 @@ -add_executable( - test_fips +if(FIPS) + add_executable( + test_fips - test_fips.c -) -target_link_libraries(test_fips crypto) + test_fips.c + ) + target_link_libraries(test_fips crypto) +endif() diff --git a/util/fipstools/test_fips.c b/util/fipstools/test_fips.c index 87ef89e..bb36853 100644 --- a/util/fipstools/test_fips.c +++ b/util/fipstools/test_fips.c @@ -37,9 +37,7 @@ #include "../../crypto/fipsmodule/tls/internal.h" #include "../../crypto/internal.h" -OPENSSL_MSVC_PRAGMA(warning(disable : 4295)) -#if defined(BORINGSSL_FIPS) static void hexdump(const void *a, size_t len) { const unsigned char *in = (const unsigned char *)a; for (size_t i = 0; i < len; i++) { @@ -48,7 +46,6 @@ static void hexdump(const void *a, size_t len) { printf("\n"); } -#endif int main(int argc, char **argv) { // Ensure that the output is line-buffered rather than fully buffered. When @@ -65,27 +62,17 @@ int main(int argc, char **argv) { const uint32_t module_version = FIPS_version(); if (module_version == 0) { printf("No module version set\n"); - printf("FAIL\n"); - fflush(stdout); - abort(); + goto err; } printf("Module: '%s', version: %" PRIu32 " hash:\n", FIPS_module_name(), module_version); -#if !defined(BORINGSSL_FIPS) - // |module_version| will be zero, so the non-FIPS build will never get - // this far. - printf("Non zero module version in non-FIPS build - should not happen!\n"); - printf("FAIL\n"); - fflush(stdout); - abort(); -} +#if !defined(OPENSSL_ASAN) + hexdump(FIPS_module_hash(), SHA256_DIGEST_LENGTH); #else -#if defined(OPENSSL_ASAN) printf("(not available when compiled for ASAN)"); -#else - hexdump(FIPS_module_hash(), SHA256_DIGEST_LENGTH); #endif + printf("\n"); static const uint8_t kAESKey[16] = "BoringCrypto Key"; static const uint8_t kPlaintext[64] = @@ -162,8 +149,8 @@ int main(int argc, char **argv) { printf("About to AES-GCM open "); hexdump(output, out_len); if (!EVP_AEAD_CTX_open(&aead_ctx, output, &out_len, sizeof(output), nonce, - EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()), output, - out_len, NULL, 0)) { + EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()), + output, out_len, NULL, 0)) { printf("AES-GCM decrypt failed\n"); goto err; } @@ -191,8 +178,8 @@ int main(int argc, char **argv) { memcpy(&des_iv, &kDESIV, sizeof(des_iv)); printf("About to 3DES-CBC decrypt "); hexdump(kPlaintext, sizeof(kPlaintext)); - DES_ede3_cbc_encrypt(output, output, sizeof(kPlaintext), &des1, &des2, &des3, - &des_iv, DES_DECRYPT); + DES_ede3_cbc_encrypt(output, output, sizeof(kPlaintext), &des1, + &des2, &des3, &des_iv, DES_DECRYPT); printf(" got "); hexdump(output, sizeof(kPlaintext)); @@ -294,8 +281,9 @@ int main(int argc, char **argv) { hexdump(kPlaintextSHA256, sizeof(kPlaintextSHA256)); ECDSA_SIG *sig = ECDSA_do_sign(kPlaintextSHA256, sizeof(kPlaintextSHA256), ec_key); - if (sig == NULL || !ECDSA_do_verify(kPlaintextSHA256, - sizeof(kPlaintextSHA256), sig, ec_key)) { + if (sig == NULL || + !ECDSA_do_verify(kPlaintextSHA256, sizeof(kPlaintextSHA256), sig, + ec_key)) { printf("ECDSA Sign/Verify PWCT failed.\n"); goto err; } @@ -317,7 +305,7 @@ int main(int argc, char **argv) { /* ECDSA with an invalid public key. */ ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); - static const uint8_t kNotValidX926[] = {1, 2, 3, 4, 5, 6}; + static const uint8_t kNotValidX926[] = {1,2,3,4,5,6}; if (!EC_KEY_oct2key(ec_key, kNotValidX926, sizeof(kNotValidX926), /*ctx=*/NULL)) { printf("Error while parsing invalid ECDSA public key\n"); @@ -399,8 +387,10 @@ int main(int argc, char **argv) { /* FFDH */ printf("About to compute FFDH key-agreement:\n"); DH *dh = DH_get_rfc7919_2048(); - uint8_t dh_result[2048 / 8]; - if (!dh || !DH_generate_key(dh) || sizeof(dh_result) != DH_size(dh) || + uint8_t dh_result[2048/8]; + if (!dh || + !DH_generate_key(dh) || + sizeof(dh_result) != DH_size(dh) || DH_compute_key_padded(dh_result, DH_get0_pub_key(dh), dh) != sizeof(dh_result)) { fprintf(stderr, "FFDH failed.\n"); @@ -419,4 +409,3 @@ err: fflush(stdout); abort(); } -#endif // !defined(BORINGSSL_FIPS) |