-rwxr-xr-x | Configure | 10 | ||||
-rw-r--r-- | README.FIPS | 17 | ||||
-rw-r--r-- | crypto/arm_arch.h | 2 | ||||
-rw-r--r-- | crypto/crypto.h | 2 | ||||
-rw-r--r-- | fips/fips.h | 55 | ||||
-rw-r--r-- | fips/fipssyms.h | 54 | ||||
-rw-r--r-- | util/fipsas.pl | 2 | ||||
-rwxr-xr-x | util/mk1mf.pl | 5 |
8 files changed, 65 insertions, 82 deletions
@@ -894,6 +894,7 @@ EOF $nofipscanistercheck = 1; $fipslibdir=""; $fipscanisterinternal="y"; + $fipscanisteronly = 1; } elsif (/^fipsdso$/) { @@ -1134,11 +1135,6 @@ foreach (sort (keys %disabled)) my $exp_cflags = ""; -if ($fipscanisteronly == 2) - { - $exp_cflags .= " -DOPENSSL_FIPSSYMS"; - } - foreach (sort @experimental) { my $ALGO; @@ -1741,7 +1737,7 @@ while (<IN>) s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.\$(SHLIB_MAJOR).dylib .dylib/; } s/^SHARED_LDFLAGS=.*/SHARED_LDFLAGS=$shared_ldflag/; - if ($fipscanisteronly == 2 && exists $disabled{"ec2m"}) + if ($fipscanisteronly && exists $disabled{"ec2m"}) { next if (/ec2_/ || /bn_gf2m/); } @@ -1992,7 +1988,7 @@ EOF &dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";', '^my \$prefix;$', 'my $prefix = "' . $prefix . '";'); &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s'); } - if ($depflags ne $default_depflags && !$make_depend && $fipscanisteronly != 2) { + if ($depflags ne $default_depflags && !$make_depend && !$fipscanisteronly) { print <<EOF; Since you've disabled or enabled at least one algorithm, you need to do diff --git a/README.FIPS b/README.FIPS index bae0a00f43..686308fcef 100644 --- a/README.FIPS +++ b/README.FIPS @@ -35,23 +35,10 @@ Run test vectors: 4. It should say "passed all tests" at the end. Report full details of any failures. -Run: - -make clean - -to remove any object modules from previous compile. - -Run symbol hiding test: - -./config fipscanisteronly -DOPENSSL_FIPSSYMS -make - -This time only the fips utilities should be built. - Examine the external symbols in fips/fipscanister.o they should all begin with FIPS or fips. One way to check with GNU nm is: -nm -g --defined-only fips/fipscanister.o | grep -v -i fips + nm -g --defined-only fips/fipscanister.o | grep -v -i fips If you get *any* output at all from this test (i.e. symbols not starting with fips or FIPS) please report it. 
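Review bot: In Configure, the hunks at -1741 and -1992 replace `$fipscanisteronly == 2` with a plain truth test, so any configuration that sets `$fipscanisteronly` to a non-zero value now skips the `ec2_`/`bn_gf2m` Makefile lines when ec2m is disabled and suppresses the "make depend" reminder. The first hunk sets the variable to 1 in the branch that also sets `$fipscanisterinternal="y"`; whether other options still set it is outside these hunks, so it is worth confirming the wider match is intended. A comment at the new assignment would record the meaning now that the value 2 (which used to add `-DOPENSSL_FIPSSYMS`) is gone, for example `# non-zero: canister-only build, symbol renaming implied`.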
@@ -76,7 +63,7 @@ Once you've created the tarball extract into a fresh directory and do: make You can then run the algorithm tests as above. This build automatically uses -fipscanisteronly and -DOPENSSL_FIPSYMS and no-ec2m as appropriate. +fipscanisterbuild and no-ec2m as appropriate. FIPS capable OpenSSL test: WARNING PRELIMINARY INSTRUCTIONS, SUBJECT TO CHANGE. diff --git a/crypto/arm_arch.h b/crypto/arm_arch.h index db7047cc05..82401add19 100644 --- a/crypto/arm_arch.h +++ b/crypto/arm_arch.h @@ -35,7 +35,7 @@ # endif # endif -#ifdef OPENSSL_FIPSSYMS +#ifdef OPENSSL_FIPSCANISTERBUILD #include <openssl/fipssyms.h> #endif diff --git a/crypto/crypto.h b/crypto/crypto.h index 8fd2fe2ea9..64fbfe02ee 100644 --- a/crypto/crypto.h +++ b/crypto/crypto.h @@ -147,7 +147,7 @@ * non-FIPS OpenSSL. */ -#if defined(OPENSSL_FIPSCANISTER) && defined(OPENSSL_FIPSSYMS) +#if defined(OPENSSL_FIPSCANISTER) #include <openssl/fipssyms.h> #endif diff --git a/fips/fips.h b/fips/fips.h index 44fd3a9dd8..3b679411f2 100644 --- a/fips/fips.h +++ b/fips/fips.h 
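Review bot: In crypto/arm_arch.h the include of `<openssl/fipssyms.h>` is now guarded by `OPENSSL_FIPSCANISTERBUILD`, while the matching change in crypto/crypto.h tests `OPENSSL_FIPSCANISTER`, and no hunk in this commit adds a `-DOPENSSL_FIPSCANISTERBUILD` to replace the `-DOPENSSL_FIPSSYMS` that Configure stops emitting. If that macro is not defined elsewhere in the build, the ARM sources would skip the rename header and keep their standard symbol names, which is what the `nm -g --defined-only fips/fipscanister.o | grep -v -i fips` check in README.FIPS is meant to catch. Using the same guard as crypto.h, `#ifdef OPENSSL_FIPSCANISTER`, would keep the two headers consistent.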
@@ -321,61 +321,6 @@ int FIPS_hmac_final(struct hmac_ctx_st *ctx, #endif -/* Where necessary redirect standard OpenSSL APIs to FIPS versions */ - -#if defined(OPENSSL_FIPSCANISTER) && defined(OPENSSL_FIPSAPI) - -#define CRYPTO_lock FIPS_lock -#define CRYPTO_add_lock FIPS_add_lock -#define CRYPTO_malloc FIPS_malloc -#define CRYPTO_free FIPS_free - -#define ERR_put_error FIPS_put_error -#define ERR_add_error_data FIPS_add_error_data - -#define EVP_MD_CTX_init FIPS_md_ctx_init -#define EVP_MD_CTX_cleanup FIPS_md_ctx_cleanup -#define EVP_MD_CTX_create FIPS_md_ctx_create -#define EVP_MD_CTX_destroy FIPS_md_ctx_destroy -#define EVP_DigestInit_ex(ctx, type, impl) FIPS_digestinit(ctx, type) -#define EVP_DigestInit FIPS_digestinit -#define EVP_DigestUpdate FIPS_digestupdate -#define EVP_Digest(data, count, md, size, type, impl) \ - FIPS_digest(data, count, md, size, type) -#define EVP_DigestFinal_ex FIPS_digestfinal -#define EVP_MD_CTX_copy_ex FIPS_md_ctx_copy - -#define EVP_CipherInit_ex(ctx, cipher, impl, key, iv, enc) \ - FIPS_cipherinit(ctx, cipher, key, iv, enc) - -#define EVP_CipherInit FIPS_cipherinit - -#define EVP_CIPHER_CTX_init FIPS_cipher_ctx_init -#define EVP_CIPHER_CTX_cleanup FIPS_cipher_ctx_cleanup -#define EVP_Cipher FIPS_cipher -#define EVP_CIPHER_CTX_ctrl FIPS_cipher_ctx_ctrl -#define EVP_CIPHER_CTX_new FIPS_cipher_ctx_new -#define EVP_CIPHER_CTX_free FIPS_cipher_ctx_free -#define EVP_CIPHER_CTX_copy FIPS_cipher_ctx_copy -#define EVP_CIPHER_CTX_set_key_length FIPS_cipher_ctx_set_key_length - -#define DSA_SIG_new FIPS_dsa_sig_new -#define DSA_SIG_free FIPS_dsa_sig_free - -#define ECDSA_SIG_new FIPS_ecdsa_sig_new -#define ECDSA_SIG_free FIPS_ecdsa_sig_free - -#define ecdsa_check fips_ecdsa_check -#define ecdh_check fips_ecdh_check - -#define RAND_bytes FIPS_rand_bytes -#define RAND_pseudo_bytes FIPS_rand_pseudo_bytes -#define RAND_add FIPS_rand_add -#define RAND_seed FIPS_rand_seed -#define RAND_status FIPS_rand_status - -#endif - /* BEGIN ERROR CODES */ /* 
The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. diff --git a/fips/fipssyms.h b/fips/fipssyms.h index e49cf1b895..4b4c6ea92b 100644 --- a/fips/fipssyms.h +++ b/fips/fipssyms.h 
@@ -1,3 +1,57 @@ + +/* Where necessary redirect standard OpenSSL APIs to FIPS versions */ + +#define CRYPTO_lock FIPS_lock +#define CRYPTO_add_lock FIPS_add_lock +#define CRYPTO_malloc FIPS_malloc +#define CRYPTO_free FIPS_free + +#define ERR_put_error FIPS_put_error +#define ERR_add_error_data FIPS_add_error_data + +#define EVP_MD_CTX_init FIPS_md_ctx_init +#define EVP_MD_CTX_cleanup FIPS_md_ctx_cleanup +#define EVP_MD_CTX_create FIPS_md_ctx_create +#define EVP_MD_CTX_destroy FIPS_md_ctx_destroy +#define EVP_DigestInit_ex(ctx, type, impl) FIPS_digestinit(ctx, type) +#define EVP_DigestInit FIPS_digestinit +#define EVP_DigestUpdate FIPS_digestupdate +#define EVP_Digest(data, count, md, size, type, impl) \ + FIPS_digest(data, count, md, size, type) +#define EVP_DigestFinal_ex FIPS_digestfinal +#define EVP_MD_CTX_copy_ex FIPS_md_ctx_copy + +#define EVP_CipherInit_ex(ctx, cipher, impl, key, iv, enc) \ + FIPS_cipherinit(ctx, cipher, key, iv, enc) + +#define EVP_CipherInit FIPS_cipherinit + +#define EVP_CIPHER_CTX_init FIPS_cipher_ctx_init +#define EVP_CIPHER_CTX_cleanup FIPS_cipher_ctx_cleanup +#define EVP_Cipher FIPS_cipher +#define EVP_CIPHER_CTX_ctrl FIPS_cipher_ctx_ctrl +#define EVP_CIPHER_CTX_new FIPS_cipher_ctx_new +#define EVP_CIPHER_CTX_free FIPS_cipher_ctx_free +#define EVP_CIPHER_CTX_copy FIPS_cipher_ctx_copy +#define EVP_CIPHER_CTX_set_key_length FIPS_cipher_ctx_set_key_length + +#define DSA_SIG_new FIPS_dsa_sig_new +#define DSA_SIG_free FIPS_dsa_sig_free + +#define ECDSA_SIG_new FIPS_ecdsa_sig_new +#define ECDSA_SIG_free FIPS_ecdsa_sig_free + +#define ecdsa_check fips_ecdsa_check +#define ecdh_check fips_ecdh_check + +#define RAND_bytes FIPS_rand_bytes +#define RAND_pseudo_bytes FIPS_rand_pseudo_bytes +#define RAND_add FIPS_rand_add +#define RAND_seed FIPS_rand_seed +#define RAND_status FIPS_rand_status + +/* Rename symbols so they don't clash with standard OpenSSL */ + #define AES_cfb128_encrypt fips_aes_cfb128_encrypt #define AES_cfb1_encrypt 
fips_aes_cfb1_encrypt #define AES_cfb8_encrypt fips_aes_cfb8_encrypt diff --git a/util/fipsas.pl b/util/fipsas.pl index cad7c08ca2..6e10d7d8d5 100644 --- a/util/fipsas.pl +++ b/util/fipsas.pl @@ -19,7 +19,7 @@ if ($ARGS[0] eq "norunasm") my $enabled = 0; -$enabled = 1 if $ENV{CFLAG} =~ /-DOPENSSL_FIPSSYMS/; +$enabled = 1 if $ENV{FIPSCANISTERINTERNAL} eq "y"; if ($enabled == 0 && $runasm) { diff --git a/util/mk1mf.pl b/util/mk1mf.pl index 8f01f0c462..5d024b15cb 100755 --- a/util/mk1mf.pl +++ b/util/mk1mf.pl @@ -60,6 +60,7 @@ my %mf_import = ( CMLL_ENC => \$mf_cm_asm, MODES_ASM_OBJ => \$mf_modes_asm, FIPSCANISTERONLY => \$mf_fipscanisteronly + FIPSCANISTERINTERNAL => \$mf_fipscanisterinternal ); open(IN,"<Makefile") || die "unable to open Makefile!\n"; @@ -75,7 +76,7 @@ close(IN); $debug = 1 if $mf_platform =~ /^debug-/; -if ($mf_fipscanisteronly eq "y") { +if ($mf_fipscanisterinternal eq "y") { $fips = 1; $fipscanisterbuild = 1; $fipscanisteronly = 1; @@ -1196,7 +1197,7 @@ sub perlasm_compile_target $bname =~ s/(.*)\.[^\.]$/$1/; $ret ="\$(TMP_D)$o$bname.asm: $source\n"; $ret.="\t\$(PERL) $source $asmtype \$(CFLAG) >\$\@\n"; - if ($cflags =~ /-DOPENSSL_FIPSSYMS/) + if ($fipscanisteronly) { $ret .= "\t\$(PERL) util\\fipsas.pl . \$@ norunasm \$(CFLAG)\n"; } |
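Review bot: The API redirect block added at the top of fips/fipssyms.h has lost the `defined(OPENSSL_FIPSAPI)` condition it carried in fips/fips.h, and crypto/crypto.h now includes this header whenever `OPENSSL_FIPSCANISTER` is defined, so the redirects apply to every file that includes it. That covers `RAND_bytes` and `CRYPTO_malloc` as well as the function-like macros `EVP_DigestInit_ex`, `EVP_Digest` and `EVP_CipherInit_ex`, which silently discard their `impl` argument. Extending the block comment would make this visible to the next reader, for example `/* Applied to every file in the canister build; the _ex macros drop the impl argument */`.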
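Review bot: In util/fipsas.pl, `$enabled` now depends on the environment variable `FIPSCANISTERINTERNAL` instead of the `CFLAG` string, so a build that does not export that variable leaves `$enabled` at 0 with no diagnostic and falls into the `$enabled == 0` branch, whose body is outside the hunk. The rule generated in util/mk1mf.pl (last hunk) still passes only `$(CFLAG)` on the command line, and whether the generated makefile exports `FIPSCANISTERINTERNAL` is not visible here. Testing definedness first, `$enabled = 1 if defined $ENV{FIPSCANISTERINTERNAL} && $ENV{FIPSCANISTERINTERNAL} eq "y";`, avoids comparing an undefined value. A warning when the variable is absent would also make a mis-exported build fail loudly rather than leave assembler symbols unrenamed.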
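Review bot: In util/mk1mf.pl the new `FIPSCANISTERINTERNAL` entry of `%mf_import` follows `FIPSCANISTERONLY => \$mf_fipscanisteronly`, which has no trailing comma, so the list is a Perl syntax error and the script will not compile. The preceding line needs the separator: `FIPSCANISTERONLY => \$mf_fipscanisteronly,`. The hash initialiser begins above the hunk.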