Expand security boundary to match 1.1.1 module.

2 files changed, 146 insertions, 2 deletions

diff --git a/CHANGES b/CHANGES
index badb8d42a9..426aff7673 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,9 @@
 
  Changes between 0.9.7l and 0.9.7m  [xx XXX xxxx]
 
+  *) Expand security boundary to match 1.1.1 module.
+     [Steve Henson]
+
   *) Remove redundant features: hash file source, editing of test vectors
      modify fipsld to use external fips_premain.c signature.
      [Steve Henson]
diff --git a/fips-1.0/Makefile b/fips-1.0/Makefile
index 69e92eb055..917da8b5da 100644
--- a/fips-1.0/Makefile
+++ b/fips-1.0/Makefile
@@ -17,6 +17,7 @@ MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 PERL=		perl
 RM=             rm -f
 AR=		ar r
+ARD=		ar d
 
 FIPSCANLOC=	$(FIPSLIBDIR)fipscanister.o
 
@@ -72,7 +73,8 @@ all:
 # vendor compiler drivers...
 
 fipscanister.o: fips_start.o $(LIBOBJ) $(FIPS_OBJ_LISTS) fips_end.o
-	@objs="fips_start.o $(LIBOBJ)"; \
+	@FIPS_BN_ASM=`for i in $(BN_ASM) ; do echo -n "../crypto/bn/$$i " ; done`; \
+	objs="fips_start.o $(LIBOBJ) $(FIPS_EX_OBJ) $$FIPS_BN_ASM"; \
 	for i in $(FIPS_OBJ_LISTS); do \
 		dir=`dirname $$i`; script="s|^|$$dir/|;s| | $$dir/|g"; \
 		objs="$$objs `sed "$$script" $$i`"; \
@@ -129,7 +131,7 @@ links:
 	$(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PERL='${PERL}' links ); \
 	done;
 
-lib:	$(FIPSCANLOC)
+lib:	$(FIPSCANLOC) delexobj
 	$(AR) $(LIB) $(FIPSCANLOC)
 	$(RANLIB) $(LIB) || echo Never mind.
 	@touch lib
@@ -212,6 +214,145 @@ dclean:
 	$(MAKE) PERL='${PERL}' CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' dclean ); \
 	done;
 
+delexobj:
+	exdel=""; \
+	for i in $(FIPS_EX_OBJ) $(BN_ASM);\
+	do \
+	exdel="$$exdel "`basename $$i`""; \
+	done ; \
+	$(ARD) $(LIB) $$exdel
+
+FIPS_EX_OBJ= ../crypto/aes/aes_cbc.o \
+	../crypto/aes/aes_cfb.o \
+	../crypto/aes/aes_ecb.o \
+	../crypto/aes/aes_ofb.o \
+	../crypto/asn1/a_bitstr.o \
+	../crypto/asn1/a_bytes.o \
+	../crypto/asn1/a_dup.o \
+	../crypto/asn1/a_int.o \
+	../crypto/asn1/a_object.o \
+	../crypto/asn1/asn1_err.o \
+	../crypto/asn1/asn1_lib.o \
+	../crypto/asn1/a_type.o \
+	../crypto/asn1/evp_asn1.o \
+	../crypto/asn1/tasn_dec.o \
+	../crypto/asn1/tasn_enc.o \
+	../crypto/asn1/tasn_fre.o \
+	../crypto/asn1/tasn_new.o \
+	../crypto/asn1/tasn_typ.o \
+	../crypto/asn1/tasn_utl.o \
+	../crypto/asn1/t_pkey.o \
+	../crypto/asn1/x_algor.o \
+	../crypto/asn1/x_bignum.o \
+	../crypto/asn1/x_long.o \
+	../crypto/asn1/x_sig.o \
+	../crypto/bio/bio_err.o \
+	../crypto/bio/bio_lib.o \
+	../crypto/bio/b_print.o \
+	../crypto/bio/bss_file.o \
+	../crypto/bn/bn_add.o \
+	../crypto/bn/bn_blind.o \
+	../crypto/bn/bn_ctx.o \
+	../crypto/bn/bn_div.o \
+	../crypto/bn/bn_err.o \
+	../crypto/bn/bn_exp2.o \
+	../crypto/bn/bn_exp.o \
+	../crypto/bn/bn_gcd.o \
+	../crypto/bn/bn_lib.o \
+	../crypto/bn/bn_mod.o \
+	../crypto/bn/bn_mont.o \
+	../crypto/bn/bn_mul.o \
+	../crypto/bn/bn_prime.o \
+	../crypto/bn/bn_print.o \
+	../crypto/bn/bn_rand.o \
+	../crypto/bn/bn_recp.o \
+	../crypto/bn/bn_shift.o \
+	../crypto/bn/bn_sqr.o \
+	../crypto/bn/bn_word.o \
+	../crypto/bn/bn_x931p.o \
+	../crypto/buffer/buf_err.o \
+	../crypto/buffer/buffer.o \
+	../crypto/conf/conf_err.o \
+	../crypto/cpt_err.o \
+	../crypto/cryptlib.o \
+	../crypto/des/cfb64ede.o \
+	../crypto/des/cfb64enc.o \
+	../crypto/des/cfb_enc.o \
+	../crypto/des/des_enc.o \
+	../crypto/des/ecb3_enc.o \
+	../crypto/des/ecb_enc.o \
+	../crypto/des/ofb64ede.o \
+	../crypto/des/ofb64enc.o \
+	../crypto/dh/dh_err.o \
+	../crypto/dh/dh_lib.o \
+	../crypto/dsa/dsa_asn1.o \
+	../crypto/dsa/dsa_err.o \
+	../crypto/dsa/dsa_lib.o \
+	../crypto/dsa/dsa_sign.o \
+	../crypto/dsa/dsa_vrf.o \
+	../crypto/dso/dso_err.o \
+	../crypto/ec/ec_err.o \
+	../crypto/engine/eng_err.o \
+	../crypto/engine/eng_init.o \
+	../crypto/engine/eng_lib.o \
+	../crypto/engine/eng_list.o \
+	../crypto/engine/eng_table.o \
+	../crypto/engine/tb_cipher.o \
+	../crypto/engine/tb_dh.o \
+	../crypto/engine/tb_digest.o \
+	../crypto/engine/tb_dsa.o \
+	../crypto/engine/tb_rand.o \
+	../crypto/engine/tb_rsa.o \
+	../crypto/err/err_all.o \
+	../crypto/err/err.o \
+	../crypto/err/err_prn.o \
+	../crypto/evp/digest.o \
+	../crypto/evp/e_aes.o \
+	../crypto/evp/e_des3.o \
+	../crypto/evp/e_des.o \
+	../crypto/evp/evp_enc.o \
+	../crypto/evp/evp_err.o \
+	../crypto/evp/evp_lib.o \
+	../crypto/evp/m_sha1.o \
+	../crypto/evp/p_lib.o \
+	../crypto/evp/p_sign.o \
+	../crypto/evp/p_verify.o \
+	../crypto/ex_data.o \
+	../crypto/lhash/lhash.o \
+	../crypto/mem_clr.o \
+	../crypto/mem_dbg.o \
+	../crypto/mem.o \
+	../crypto/objects/obj_dat.o \
+	../crypto/objects/obj_err.o \
+	../crypto/objects/obj_lib.o \
+	../crypto/ocsp/ocsp_err.o \
+	../crypto/pem/pem_err.o \
+	../crypto/pkcs12/pk12err.o \
+	../crypto/pkcs7/pkcs7err.o \
+	../crypto/rand/md_rand.o \
+	../crypto/rand/rand_egd.o \
+	../crypto/rand/rand_err.o \
+	../crypto/rand/randfile.o \
+	../crypto/rand/rand_lib.o \
+	../crypto/rand/rand_os2.o \
+	../crypto/rand/rand_unix.o \
+	../crypto/rand/rand_win.o \
+	../crypto/rsa/rsa_err.o \
+	../crypto/rsa/rsa_lib.o \
+	../crypto/rsa/rsa_none.o \
+	../crypto/rsa/rsa_oaep.o \
+	../crypto/rsa/rsa_pk1.o \
+	../crypto/rsa/rsa_pss.o \
+	../crypto/rsa/rsa_sign.o \
+	../crypto/rsa/rsa_ssl.o \
+	../crypto/rsa/rsa_x931.o \
+	../crypto/stack/stack.o \
+	../crypto/uid.o \
+	../crypto/ui/ui_err.o \
+	../crypto/x509v3/v3err.o \
+	../crypto/x509v3/v3_hex.o \
+	../crypto/x509/x509_err.o 
+
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 fips.o: ../include/openssl/aes.h ../include/openssl/asn1.h