authorDr. Stephen Henson <steve@openssl.org>2011-06-22 12:30:18 +0000
committerDr. Stephen Henson <steve@openssl.org>2011-06-22 12:30:18 +0000
commitce02589259c4eecf5479d6d5714d8caee7b5e326 (patch)
tree7477803fa00800e44d494f58c3f51c6aae409906
parent93dd7d3848d750f25137cd08ebde7bc06706c13d (diff)
Now the FIPS capable OpenSSL is available simplify the various FIPS test
build options. All fipscanisterbuild builds only build fipscanister.o and include symbol renaming. Move all renamed symbols to fipssyms.h. Update README.FIPS
-rwxr-xr-xConfigure10
-rw-r--r--README.FIPS17
-rw-r--r--crypto/arm_arch.h2
-rw-r--r--crypto/crypto.h2
-rw-r--r--fips/fips.h55
-rw-r--r--fips/fipssyms.h54
-rw-r--r--util/fipsas.pl2
-rwxr-xr-xutil/mk1mf.pl5
8 files changed, 65 insertions, 82 deletions
diff --git a/Configure b/Configure
index fb8cceb430..cdef7f8506 100755
--- a/Configure
+++ b/Configure
@@ -894,6 +894,7 @@ EOF
$nofipscanistercheck = 1;
$fipslibdir="";
$fipscanisterinternal="y";
+ $fipscanisteronly = 1;
}
elsif (/^fipsdso$/)
{
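Review bot: The new `$fipscanisteronly = 1;` in the fipscanisterbuild branch drops the distinction that the deleted `== 2` checks relied on, but nothing at the assignment says why the two options now share one flag; a comment such as `# fipscanisterbuild implies fipscanisteronly; the modes differ only by $fipscanisterinternal` would make the intent visible. With the value 2 gone, the checks widened later in this diff (the ec2_/bn_gf2m source skip and the suppressed dependency warning) presumably also apply to a plain fipscanisteronly configuration, if that option sets the same flag, which is worth confirming is intended. The enclosing if/elsif option chain starts and ends outside the hunk.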
@@ -1134,11 +1135,6 @@ foreach (sort (keys %disabled))
my $exp_cflags = "";
-if ($fipscanisteronly == 2)
- {
- $exp_cflags .= " -DOPENSSL_FIPSSYMS";
- }
-
foreach (sort @experimental)
{
my $ALGO;
@@ -1741,7 +1737,7 @@ while (<IN>)
s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.\$(SHLIB_MAJOR).dylib .dylib/;
}
s/^SHARED_LDFLAGS=.*/SHARED_LDFLAGS=$shared_ldflag/;
- if ($fipscanisteronly == 2 && exists $disabled{"ec2m"})
+ if ($fipscanisteronly && exists $disabled{"ec2m"})
{
next if (/ec2_/ || /bn_gf2m/);
}
@@ -1992,7 +1988,7 @@ EOF
&dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";', '^my \$prefix;$', 'my $prefix = "' . $prefix . '";');
&dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
}
- if ($depflags ne $default_depflags && !$make_depend && $fipscanisteronly != 2) {
+ if ($depflags ne $default_depflags && !$make_depend && !$fipscanisteronly) {
print <<EOF;
Since you've disabled or enabled at least one algorithm, you need to do
diff --git a/README.FIPS b/README.FIPS
index bae0a00f43..686308fcef 100644
--- a/README.FIPS
+++ b/README.FIPS
@@ -35,23 +35,10 @@ Run test vectors:
4. It should say "passed all tests" at the end. Report full details of any
failures.
-Run:
-
-make clean
-
-to remove any object modules from previous compile.
-
-Run symbol hiding test:
-
-./config fipscanisteronly -DOPENSSL_FIPSSYMS
-make
-
-This time only the fips utilities should be built.
-
Examine the external symbols in fips/fipscanister.o they should all begin
with FIPS or fips. One way to check with GNU nm is:
-nm -g --defined-only fips/fipscanister.o | grep -v -i fips
+ nm -g --defined-only fips/fipscanister.o | grep -v -i fips
If you get *any* output at all from this test (i.e. symbols not starting with
fips or FIPS) please report it.
@@ -76,7 +63,7 @@ Once you've created the tarball extract into a fresh directory and do:
make
You can then run the algorithm tests as above. This build automatically uses
-fipscanisteronly and -DOPENSSL_FIPSYMS and no-ec2m as appropriate.
+fipscanisterbuild and no-ec2m as appropriate.
FIPS capable OpenSSL test: WARNING PRELIMINARY INSTRUCTIONS, SUBJECT TO CHANGE.
diff --git a/crypto/arm_arch.h b/crypto/arm_arch.h
index db7047cc05..82401add19 100644
--- a/crypto/arm_arch.h
+++ b/crypto/arm_arch.h
@@ -35,7 +35,7 @@
# endif
# endif
-#ifdef OPENSSL_FIPSSYMS
+#ifdef OPENSSL_FIPSCANISTERBUILD
#include <openssl/fipssyms.h>
#endif
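Review bot: arm_arch.h now includes fipssyms.h under `OPENSSL_FIPSCANISTERBUILD`, while the crypto.h hunk below includes the same header under `OPENSSL_FIPSCANISTER` alone, so the two entry points to the renaming table are keyed on different macros. If every canister build defines both this is only a readability problem, but a translation unit that sees one macro and not the other would get the renames through one header path and not the other. Using the same condition in both places, e.g. `#ifdef OPENSSL_FIPSCANISTER` here, or a short comment stating why they differ, would remove the doubt.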
diff --git a/crypto/crypto.h b/crypto/crypto.h
index 8fd2fe2ea9..64fbfe02ee 100644
--- a/crypto/crypto.h
+++ b/crypto/crypto.h
@@ -147,7 +147,7 @@
* non-FIPS OpenSSL.
*/
-#if defined(OPENSSL_FIPSCANISTER) && defined(OPENSSL_FIPSSYMS)
+#if defined(OPENSSL_FIPSCANISTER)
#include <openssl/fipssyms.h>
#endif
diff --git a/fips/fips.h b/fips/fips.h
index 44fd3a9dd8..3b679411f2 100644
--- a/fips/fips.h
+++ b/fips/fips.h
@@ -321,61 +321,6 @@ int FIPS_hmac_final(struct hmac_ctx_st *ctx,
#endif
-/* Where necessary redirect standard OpenSSL APIs to FIPS versions */
-
-#if defined(OPENSSL_FIPSCANISTER) && defined(OPENSSL_FIPSAPI)
-
-#define CRYPTO_lock FIPS_lock
-#define CRYPTO_add_lock FIPS_add_lock
-#define CRYPTO_malloc FIPS_malloc
-#define CRYPTO_free FIPS_free
-
-#define ERR_put_error FIPS_put_error
-#define ERR_add_error_data FIPS_add_error_data
-
-#define EVP_MD_CTX_init FIPS_md_ctx_init
-#define EVP_MD_CTX_cleanup FIPS_md_ctx_cleanup
-#define EVP_MD_CTX_create FIPS_md_ctx_create
-#define EVP_MD_CTX_destroy FIPS_md_ctx_destroy
-#define EVP_DigestInit_ex(ctx, type, impl) FIPS_digestinit(ctx, type)
-#define EVP_DigestInit FIPS_digestinit
-#define EVP_DigestUpdate FIPS_digestupdate
-#define EVP_Digest(data, count, md, size, type, impl) \
- FIPS_digest(data, count, md, size, type)
-#define EVP_DigestFinal_ex FIPS_digestfinal
-#define EVP_MD_CTX_copy_ex FIPS_md_ctx_copy
-
-#define EVP_CipherInit_ex(ctx, cipher, impl, key, iv, enc) \
- FIPS_cipherinit(ctx, cipher, key, iv, enc)
-
-#define EVP_CipherInit FIPS_cipherinit
-
-#define EVP_CIPHER_CTX_init FIPS_cipher_ctx_init
-#define EVP_CIPHER_CTX_cleanup FIPS_cipher_ctx_cleanup
-#define EVP_Cipher FIPS_cipher
-#define EVP_CIPHER_CTX_ctrl FIPS_cipher_ctx_ctrl
-#define EVP_CIPHER_CTX_new FIPS_cipher_ctx_new
-#define EVP_CIPHER_CTX_free FIPS_cipher_ctx_free
-#define EVP_CIPHER_CTX_copy FIPS_cipher_ctx_copy
-#define EVP_CIPHER_CTX_set_key_length FIPS_cipher_ctx_set_key_length
-
-#define DSA_SIG_new FIPS_dsa_sig_new
-#define DSA_SIG_free FIPS_dsa_sig_free
-
-#define ECDSA_SIG_new FIPS_ecdsa_sig_new
-#define ECDSA_SIG_free FIPS_ecdsa_sig_free
-
-#define ecdsa_check fips_ecdsa_check
-#define ecdh_check fips_ecdh_check
-
-#define RAND_bytes FIPS_rand_bytes
-#define RAND_pseudo_bytes FIPS_rand_pseudo_bytes
-#define RAND_add FIPS_rand_add
-#define RAND_seed FIPS_rand_seed
-#define RAND_status FIPS_rand_status
-
-#endif
-
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
diff --git a/fips/fipssyms.h b/fips/fipssyms.h
index e49cf1b895..4b4c6ea92b 100644
--- a/fips/fipssyms.h
+++ b/fips/fipssyms.h
@@ -1,3 +1,57 @@
+
+/* Where necessary redirect standard OpenSSL APIs to FIPS versions */
+
+#define CRYPTO_lock FIPS_lock
+#define CRYPTO_add_lock FIPS_add_lock
+#define CRYPTO_malloc FIPS_malloc
+#define CRYPTO_free FIPS_free
+
+#define ERR_put_error FIPS_put_error
+#define ERR_add_error_data FIPS_add_error_data
+
+#define EVP_MD_CTX_init FIPS_md_ctx_init
+#define EVP_MD_CTX_cleanup FIPS_md_ctx_cleanup
+#define EVP_MD_CTX_create FIPS_md_ctx_create
+#define EVP_MD_CTX_destroy FIPS_md_ctx_destroy
+#define EVP_DigestInit_ex(ctx, type, impl) FIPS_digestinit(ctx, type)
+#define EVP_DigestInit FIPS_digestinit
+#define EVP_DigestUpdate FIPS_digestupdate
+#define EVP_Digest(data, count, md, size, type, impl) \
+ FIPS_digest(data, count, md, size, type)
+#define EVP_DigestFinal_ex FIPS_digestfinal
+#define EVP_MD_CTX_copy_ex FIPS_md_ctx_copy
+
+#define EVP_CipherInit_ex(ctx, cipher, impl, key, iv, enc) \
+ FIPS_cipherinit(ctx, cipher, key, iv, enc)
+
+#define EVP_CipherInit FIPS_cipherinit
+
+#define EVP_CIPHER_CTX_init FIPS_cipher_ctx_init
+#define EVP_CIPHER_CTX_cleanup FIPS_cipher_ctx_cleanup
+#define EVP_Cipher FIPS_cipher
+#define EVP_CIPHER_CTX_ctrl FIPS_cipher_ctx_ctrl
+#define EVP_CIPHER_CTX_new FIPS_cipher_ctx_new
+#define EVP_CIPHER_CTX_free FIPS_cipher_ctx_free
+#define EVP_CIPHER_CTX_copy FIPS_cipher_ctx_copy
+#define EVP_CIPHER_CTX_set_key_length FIPS_cipher_ctx_set_key_length
+
+#define DSA_SIG_new FIPS_dsa_sig_new
+#define DSA_SIG_free FIPS_dsa_sig_free
+
+#define ECDSA_SIG_new FIPS_ecdsa_sig_new
+#define ECDSA_SIG_free FIPS_ecdsa_sig_free
+
+#define ecdsa_check fips_ecdsa_check
+#define ecdh_check fips_ecdh_check
+
+#define RAND_bytes FIPS_rand_bytes
+#define RAND_pseudo_bytes FIPS_rand_pseudo_bytes
+#define RAND_add FIPS_rand_add
+#define RAND_seed FIPS_rand_seed
+#define RAND_status FIPS_rand_status
+
+/* Rename symbols so they don't clash with standard OpenSSL */
+
#define AES_cfb128_encrypt fips_aes_cfb128_encrypt
#define AES_cfb1_encrypt fips_aes_cfb1_encrypt
#define AES_cfb8_encrypt fips_aes_cfb8_encrypt
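Review bot: The API redirections moved here from fips.h lose the `OPENSSL_FIPSAPI` condition that guarded them there (the removed `#if defined(OPENSSL_FIPSCANISTER) && defined(OPENSSL_FIPSAPI)`), so `RAND_bytes`, `CRYPTO_malloc`, `ERR_put_error` and the rest of the first group are now rewritten in every file that includes fipssyms.h, which crypto.h does whenever `OPENSSL_FIPSCANISTER` is defined. If the wider scope is intended, a header comment saying so would help; if not, wrap the first group in `#ifdef OPENSSL_FIPSAPI` / `#endif` as before. The old file began directly with `#define` lines, so it appears to have no include guard; since both arm_arch.h and crypto.h include it, an `#ifndef`/`#define` guard around the file would avoid relying on identical-redefinition rules for the function-like macros.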
diff --git a/util/fipsas.pl b/util/fipsas.pl
index cad7c08ca2..6e10d7d8d5 100644
--- a/util/fipsas.pl
+++ b/util/fipsas.pl
@@ -19,7 +19,7 @@ if ($ARGS[0] eq "norunasm")
my $enabled = 0;
-$enabled = 1 if $ENV{CFLAG} =~ /-DOPENSSL_FIPSSYMS/;
+$enabled = 1 if $ENV{FIPSCANISTERINTERNAL} eq "y";
if ($enabled == 0 && $runasm)
{
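Review bot: `$enabled = 1 if $ENV{FIPSCANISTERINTERNAL} eq "y";` compares an environment variable that may be unset outside canister builds, so under `use warnings` every non-FIPS invocation would emit "Use of uninitialized value in string eq"; the replaced `$ENV{CFLAG}` regex had the same shape, but CFLAG is presumably always exported by the Makefile. Guard it: `$enabled = 1 if defined $ENV{FIPSCANISTERINTERNAL} && $ENV{FIPSCANISTERINTERNAL} eq "y";`. Whether the script enables warnings is not visible in the hunk.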
diff --git a/util/mk1mf.pl b/util/mk1mf.pl
index 8f01f0c462..5d024b15cb 100755
--- a/util/mk1mf.pl
+++ b/util/mk1mf.pl
@@ -60,6 +60,7 @@ my %mf_import = (
CMLL_ENC => \$mf_cm_asm,
MODES_ASM_OBJ => \$mf_modes_asm,
FIPSCANISTERONLY => \$mf_fipscanisteronly
+ FIPSCANISTERINTERNAL => \$mf_fipscanisterinternal
);
open(IN,"<Makefile") || die "unable to open Makefile!\n";
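Review bot: The context line `FIPSCANISTERONLY => \$mf_fipscanisteronly` carries no trailing comma, so the added `FIPSCANISTERINTERNAL => \$mf_fipscanisterinternal` line turns the `%mf_import` initializer into a syntax error (a bareword directly follows a term with no operator between them); the previous line needs to become `FIPSCANISTERONLY => \$mf_fipscanisteronly,`. If the file runs under strict, `$mf_fipscanisterinternal` also needs a `my` declaration next to the one for `$mf_fipscanisteronly`, which is not visible in the hunk. The `%mf_import` declaration starts above the hunk.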
@@ -75,7 +76,7 @@ close(IN);
$debug = 1 if $mf_platform =~ /^debug-/;
-if ($mf_fipscanisteronly eq "y") {
+if ($mf_fipscanisterinternal eq "y") {
$fips = 1;
$fipscanisterbuild = 1;
$fipscanisteronly = 1;
@@ -1196,7 +1197,7 @@ sub perlasm_compile_target
$bname =~ s/(.*)\.[^\.]$/$1/;
$ret ="\$(TMP_D)$o$bname.asm: $source\n";
$ret.="\t\$(PERL) $source $asmtype \$(CFLAG) >\$\@\n";
- if ($cflags =~ /-DOPENSSL_FIPSSYMS/)
+ if ($fipscanisteronly)
{
$ret .= "\t\$(PERL) util\\fipsas.pl . \$@ norunasm \$(CFLAG)\n";
}