author | Dr. Stephen Henson <steve@openssl.org> | 2014-10-18 23:46:00 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2014-12-08 13:18:43 +0000 |
commit | 78c990c156ba79521e98728e9a604b4c5cc8adec (patch) | |
tree | 57debcafe0a8426fd24e659180a0812e928b0549 | |
parent | 00b4ee7664051a0dc589b1d81ba56582576a6ca4 (diff) |
Remove fipscanister from Configure, delete fips directory
Reviewed-by: Tim Hudson <tjh@openssl.org>
87 files changed, 4 insertions, 37786 deletions
@@ -703,8 +703,6 @@ my $install_prefix= "$ENV{'INSTALL_PREFIX'}"; my $cross_compile_prefix=""; my $fipslibdir="/usr/local/ssl/fips-2.0/lib/"; my $nofipscanistercheck=0; -my $fipscanisterinternal="n"; -my $fipscanisteronly = 0; my $baseaddr="0xFB00000"; my $no_threads=0; my $threads=0; @@ -761,21 +759,6 @@ my %disabled = ( # "what" => "comment" [or special keyword "experimental ); my @experimental = (); -# If ssl directory missing assume truncated FIPS tarball -if (!-d "ssl") - { - print STDERR "Auto Configuring fipsonly\n"; - $fips = 1; - $nofipscanistercheck = 1; - $fipslibdir=""; - $fipscanisterinternal="y"; - $fipscanisteronly = 2; - if (! -f "crypto/bn/bn_gf2m.c" ) - { - $disabled{ec2m} = "forced"; - } - } - # This is what $depflags will look like with the above defaults # (we need this to see if we should advise the user to run "make depend"): my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST"; @@ -925,32 +908,6 @@ PROCESS_ARGS: $fips = 1; $nofipscanistercheck = 1; } - elsif (/^fipscheck$/) - { - if ($fipscanisteronly != 2) - { - print STDERR <<"EOF"; -ERROR: FIPS not autodetected. Not running from restricted tarball?? -EOF - exit(1); - } - } - elsif (/^fipscanisteronly$/) - { - $fips = 1; - $nofipscanistercheck = 1; - $fipslibdir=""; - $fipscanisterinternal="y"; - $fipscanisteronly = 1; - } - elsif (/^fipscanisterbuild$/) - { - $fips = 1; - $nofipscanistercheck = 1; - $fipslibdir=""; - $fipscanisterinternal="y"; - $fipscanisteronly = 1; - } elsif (/^[-+]/) { if (/^--prefix=(.*)$/) 
@@ -1574,11 +1531,6 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($bn_obj =~ /-gf2m/); if ($fips) { $openssl_other_defines.="#define OPENSSL_FIPS\n"; - if ($fipscanisterinternal eq "y") - { - $openssl_other_defines.="#define OPENSSL_FIPSCANISTER\n"; - $cflags = "-DOPENSSL_FIPSCANISTER $cflags"; - } } $cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/); @@ -1619,7 +1571,6 @@ if ($aes_obj =~ /\.o$/) # aes-xts.o indicates presence of AES_xts_[en|de]crypt... $cflags.=" -DAES_XTS_ASM" if ($aes_obj =~ s/\s*aes\-xts\.o//); $aes_obj =~ s/\s*(vpaes|aesni)\-x86\.o//g if ($no_sse2); - $aes_obj =~ s/\s*(vp|bs)aes-\w*\.o//g if ($fipscanisterinternal eq "y"); $cflags.=" -DVPAES_ASM" if ($aes_obj =~ m/vpaes/); $cflags.=" -DBSAES_ASM" if ($aes_obj =~ m/bsaes/); } @@ -1690,35 +1641,12 @@ if ($strict_warnings) } } -if ($fipscanisterinternal eq "y") - { - open(IN,"<fips/fips_auth.in") || die "can't open fips_auth.in"; - open(OUT,">fips/fips_auth.h") || die "can't open fips_auth.h"; - while(<IN>) - { - s/FIPS_AUTH_KEY.*$/FIPS_AUTH_KEY $fips_auth_key/ if defined $fips_auth_key; - s/FIPS_AUTH_CRYPTO_OFFICER.*$/FIPS_AUTH_CRYPTO_OFFICER $fips_auth_officer/ if defined $fips_auth_officer; - s/FIPS_AUTH_CRYPTO_USER.*$/FIPS_AUTH_CRYPTO_USER $fips_auth_user/ if defined $fips_auth_user; - print OUT $_; - } - close IN; - close OUT; - } - -my $mforg = $fipscanisteronly ? "Makefile.fips" : "Makefile.org"; - -open(IN,"<$mforg") || die "unable to read $mforg:$!\n"; +open(IN,"<Makefile.org") || die "unable to read Makefile.org:$!\n"; unlink("$Makefile.new") || die "unable to remove old $Makefile.new:$!\n" if -e "$Makefile.new"; open(OUT,">$Makefile.new") || die "unable to create $Makefile.new:$!\n"; -print OUT "### Generated automatically from $mforg by Configure.\n\n"; +print OUT "### Generated automatically from Makefile.org by Configure.\n\n"; my $sdirs=0; -if ($fipscanisteronly) - { - $aes_obj =~ s/aesni-sha1-x86_64.o//; - $bn_obj =~ s/modexp512-x86_64.o//; - } - while (<IN>) { chomp; 
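Review bot: The added `open(IN,"<Makefile.org")` in the `-1690,35 +1641,12` hunk keeps the two-argument form of open with a bareword handle, where the mode and the file name share one string. With a literal name nothing can alter the mode on this line, so this is hardening and consistency rather than a live bug. The context line `open(OUT,">$Makefile.new")` does interpolate a variable into that string, and where `$Makefile` is set is not visible in this hunk. I would write the new line as `open(IN, '<', 'Makefile.org') || die "unable to read Makefile.org:$!\n";` and give the OUT handle the same three-argument form in a follow-up. The `while (<IN>)` loop that reads the handle continues outside the hunk.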
@@ -1797,7 +1725,6 @@ while (<IN>) s/^FIPSCANLIB=.*/FIPSCANLIB=libcrypto/ if $fips; s/^SHARED_FIPS=.*/SHARED_FIPS=/; s/^SHLIBDIRS=.*/SHLIBDIRS= crypto ssl/; - s/^FIPSCANISTERINTERNAL=.*/FIPSCANISTERINTERNAL=$fipscanisterinternal/; s/^BASEADDR=.*/BASEADDR=$baseaddr/; s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/; s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/; @@ -1821,10 +1748,6 @@ while (<IN>) s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.\$(SHLIB_MAJOR).dylib .dylib/; } s/^SHARED_LDFLAGS=.*/SHARED_LDFLAGS=$shared_ldflag/; - if ($fipscanisteronly && exists $disabled{"ec2m"}) - { - next if (/ec2_/ || /bn_gf2m/); - } print OUT $_."\n"; } close(IN); @@ -2070,9 +1993,7 @@ EOF $make_targets .= " gentests" if $symlink; (system $make_command.$make_targets) == 0 or die "make $make_targets failed" if $make_targets ne ""; - if ( $fipscanisteronly ) - {} - elsif ( $perl =~ m@^/@) { + if ( $perl =~ m@^/@) { &dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";', '^my \$prefix;$', 'my $prefix = "' . $prefix . '";'); &dofile("apps/CA.pl",$perl,'^#!/', '#!%s'); } else { @@ -2080,7 +2001,7 @@ EOF &dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";', '^my \$prefix;$', 'my $prefix = "' . $prefix . '";'); &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s'); } - if ($depflags ne $default_depflags && !$make_depend && !$fipscanisteronly) { + if ($depflags ne $default_depflags && !$make_depend) { print <<EOF; Since you've disabled or enabled at least one algorithm, you need to do 
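Review bot: In the `-2070,9 +1993,7` hunk, the branch now guarded only by `if ( $perl =~ m@^/@) {` passes `'my $dir = "' . $openssldir . '";'` and `'my $prefix = "' . $prefix . '";'` to `dofile`, which places the configured paths inside double-quoted Perl string literals without any escaping. A path containing `"`, `$`, `@` or a backslash would presumably leave `tools/c_rehash` unparsable or with an interpolated value, though `dofile` is defined outside this hunk so that should be confirmed there. These lines are unchanged context, but this commit rewrites their guard, so it is a natural place to fix the quoting. I would generate a single-quoted literal with `\` and `'` escaped, or reject such characters when `--prefix=` and `--openssldir=` are parsed. The same pattern appears in the `else` branch shown as context in the `-2080,7 +2001,7` hunk.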
@@ -2185,21 +2106,6 @@ libraries on this platform, they will at least look at it and try their best (but please first make sure you have tried with a current version of OpenSSL). EOF -print <<\EOF if ($fipscanisterinternal eq "y"); - -WARNING: OpenSSL has been configured using unsupported option(s) to internally -generate a fipscanister.o object module for TESTING PURPOSES ONLY; that -compiled module is NOT FIPS 140-2 validated and CANNOT be used to replace the -OpenSSL FIPS Object Module as identified by the CMVP -(http://csrc.nist.gov/cryptval/) in any application requiring the use of FIPS -140-2 validated software. - -This is a test OpenSSL 2.0 FIPS module. - -See the file README.FIPS for details of how to build a test library. - -EOF - exit(0); sub usage diff --git a/Makefile.fips b/Makefile.fips deleted file mode 100644 index b3811dff22..0000000000 --- a/Makefile.fips +++ /dev/null 
@@ -1,638 +0,0 @@ -## -## Makefile for OpenSSL: fipscanister.o only -## - -VERSION=fips-2.0-test -MAJOR= -MINOR= -SHLIB_VERSION_NUMBER= -SHLIB_VERSION_HISTORY= -SHLIB_MAJOR= -SHLIB_MINOR= -SHLIB_EXT= -PLATFORM=dist -OPTIONS= -CONFIGURE_ARGS= -SHLIB_TARGET= - -# HERE indicates where this Makefile lives. This can be used to indicate -# where sub-Makefiles are expected to be. Currently has very limited usage, -# and should probably not be bothered with at all. -HERE=. - -# INSTALL_PREFIX is for package builders so that they can configure -# for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/. -# Normally it is left empty. -INSTALL_PREFIX= -INSTALLTOP=/usr/local/ssl - -# Do not edit this manually. Use Configure --openssldir=DIR do change this! -OPENSSLDIR=/usr/local/ssl - -# NO_IDEA - Define to build without the IDEA algorithm -# NO_RC4 - Define to build without the RC4 algorithm -# NO_RC2 - Define to build without the RC2 algorithm -# THREADS - Define when building with threads, you will probably also need any -# system defines as well, i.e. _REENTERANT for Solaris 2.[34] -# TERMIO - Define the termio terminal subsystem, needed if sgtty is missing. -# TERMIOS - Define the termios terminal subsystem, Silicon Graphics. -# LONGCRYPT - Define to use HPUX 10.x's long password modification to crypt(3). -# DEVRANDOM - Give this the value of the 'random device' if your OS supports -# one. 32 bytes will be read from this when the random -# number generator is initalised. -# SSL_FORBID_ENULL - define if you want the server to be not able to use the -# NULL encryption ciphers. -# -# LOCK_DEBUG - turns on lots of lock debug output :-) -# REF_CHECK - turn on some xyz_free() assertions. -# REF_PRINT - prints some stuff on structure free. 
-# CRYPTO_MDEBUG - turns on my 'memory leak' detecting stuff -# MFUNC - Make all Malloc/Free/Realloc calls call -# CRYPTO_malloc/CRYPTO_free/CRYPTO_realloc which can be setup to -# call application defined callbacks via CRYPTO_set_mem_functions() -# MD5_ASM needs to be defined to use the x86 assembler for MD5 -# SHA1_ASM needs to be defined to use the x86 assembler for SHA1 -# RMD160_ASM needs to be defined to use the x86 assembler for RIPEMD160 -# Do not define B_ENDIAN or L_ENDIAN if 'unsigned long' == 8. It must -# equal 4. -# PKCS1_CHECK - pkcs1 tests. - -CC= cc -CFLAG= -O -DEPFLAG= -PEX_LIBS= -EX_LIBS= -EXE_EXT= -ARFLAGS= -AR=ar $(ARFLAGS) r -RANLIB= ranlib -NM= nm -PERL= perl -TAR= tar -TARFLAGS= --no-recursion -MAKEDEPPROG=makedepend -LIBDIR=lib - -# We let the C compiler driver to take care of .s files. This is done in -# order to be excused from maintaining a separate set of architecture -# dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC -# gcc, then the driver will automatically translate it to -xarch=v8plus -# and pass it down to assembler. -#AS=$(CC) -c -ASFLAG=$(CFLAG) - -# For x86 assembler: Set PROCESSOR to 386 if you want to support -# the 80386. -PROCESSOR= - -# CPUID module collects small commonly used assembler snippets -CPUID_OBJ= -BN_ASM= bn_asm.o -DES_ENC= des_enc.o fcrypt_b.o -AES_ENC= aes_core.o aes_cbc.o -BF_ENC= bf_enc.o -CAST_ENC= c_enc.o -RC4_ENC= rc4_enc.o -RC5_ENC= rc5_enc.o -MD5_ASM_OBJ= -SHA1_ASM_OBJ= -RMD160_ASM_OBJ= -WP_ASM_OBJ= -CMLL_ENC= -MODES_ASM_OBJ= -PERLASM_SCHEME= - -# KRB5 stuff -KRB5_INCLUDES= -LIBKRB5= - -# Zlib stuff -ZLIB_INCLUDE= -LIBZLIB= - -# This is the location of fipscanister.o and friends. -# The FIPS module build will place it $(INSTALLTOP)/lib -# but since $(INSTALLTOP) can only take the default value -# when the module is built it will be in /usr/local/ssl/lib -# $(INSTALLTOP) for this build may be different so hard -# code the path. 
- -FIPSLIBDIR=/usr/local/ssl/$(LIBDIR)/ - -# This is set to "y" if fipscanister.o is compiled internally as -# opposed to coming from an external validated location. - -FIPSCANISTERINTERNAL=n - -# This is set if we only build fipscanister.o - -FIPSCANISTERONLY=y - -# The location of the library which contains fipscanister.o -# normally it will be libcrypto unless fipsdso is set in which -# case it will be libfips. If not compiling in FIPS mode at all -# this is empty making it a useful test for a FIPS compile. - -FIPSCANLIB= - -# Shared library base address. Currently only used on Windows. -# - -BASEADDR= - -DIRS= crypto fips test -ENGDIRS= ccgost -SHLIBDIRS= crypto - -# dirs in crypto to build -SDIRS= \ - sha hmac des aes modes \ - bn ec rsa dsa ecdsa dh \ - buffer evp ecdh cmac -# keep in mind that the above list is adjusted by ./Configure -# according to no-xxx arguments... - -LINKDIRS= \ - objects sha hmac des aes modes \ - bn ec rsa dsa ecdh cmac ecdsa dh engine \ - buffer bio stack lhash rand err \ - evp asn1 ui - -# tests to perform. "alltests" is a special word indicating that all tests -# should be performed. -TESTS = alltests - -MAKEFILE= Makefile - -MANDIR=$(OPENSSLDIR)/man -MAN1=1 -MAN3=3 -MANSUFFIX= -HTMLSUFFIX=html -HTMLDIR=$(OPENSSLDIR)/html -SHELL=/bin/sh - -TOP= . -ONEDIRS=out tmp -EDIRS= times doc bugs util include certs ms shlib mt demos perl sf dep VMS -WDIRS= windows -LIBS= -SHARED_CRYPTO=libcrypto$(SHLIB_EXT) -SHARED_SSL=libssl$(SHLIB_EXT) -SHARED_LIBS= -SHARED_LIBS_LINK_EXTS= -SHARED_LDFLAGS= - -GENERAL= Makefile -BASENAME= openssl -NAME= $(BASENAME)-$(VERSION) -TARFILE= openssl-fips-2.0-test.tar -WTARFILE= $(NAME)-win.tar -EXHEADER= e_os2.h -HEADER= e_os.h - -all: Makefile build_all openssl.pc libssl.pc libcrypto.pc - -# as we stick to -e, CLEARE |