diff options
82 files changed, 17434 insertions, 44 deletions
diff --git a/Makefile.org b/Makefile.org index a918d6b7e1..d77a3e8762 100644 --- a/Makefile.org +++ b/Makefile.org @@ -131,7 +131,7 @@ FIPSCANLIB= BASEADDR= -DIRS= crypto fips-1.0 ssl engines apps test tools +DIRS= crypto fips ssl engines apps test tools SHLIBDIRS= crypto ssl fips # dirs in crypto to build @@ -330,7 +330,7 @@ build_crypto: fi ; export ARX ; \ dir=crypto; target=all; $(BUILD_ONE_CMD) build_fips: - @dir=fips-1.0; target=all; [ -z "$(FIPSCANLIB)" ] || $(BUILD_ONE_CMD) + @dir=fips; target=all; [ -z "$(FIPSCANLIB)" ] || $(BUILD_ONE_CMD) build_ssl: @dir=ssl; target=all; $(BUILD_ONE_CMD) build_engines: @@ -352,10 +352,10 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHARED_FIPS) if [ "$(FIPSCANLIB)" = "libfips" ]; then \ $(ARD) libcrypto.a fipscanister.o ; \ $(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \ - $(AR) libcrypto.a fips-1.0/fipscanister.o ; \ + $(AR) libcrypto.a fips/fipscanister.o ; \ else \ if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \ - FIPSLD_CC=$(CC); CC=fips-1.0/fipsld; \ + FIPSLD_CC=$(CC); CC=fips/fipsld; \ export CC FIPSLD_CC; \ fi; \ $(MAKE) -e SHLIBDIRS='crypto' build-shared; \ @@ -375,13 +375,13 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a exit 1; \ fi -fips-1.0/fipscanister.o: build_fips -libfips$(SHLIB_EXT): fips-1.0/fipscanister.o +fips/fipscanister.o: build_fips +libfips$(SHLIB_EXT): fips/fipscanister.o @if [ "$(SHLIB_TARGET)" != "" ]; then \ - FIPSLD_CC=$(CC); CC=fips-1.0/fipsld; export CC FIPSLD_CC; \ + FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \ $(MAKE) -f Makefile.shared -e $(BUILDENV) \ CC=$${CC} LIBNAME=fips THIS=$@ \ - LIBEXTRAS=fips-1.0/fipscanister.o \ + LIBEXTRAS=fips/fipscanister.o \ LIBDEPS="$(EX_LIBS)" \ LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \ link_o.$(SHLIB_TARGET) || { rm -f $@; exit 1; } \ @@ -391,7 +391,7 @@ libfips$(SHLIB_EXT): fips-1.0/fipscanister.o fi libfips.a: - dir=fips-1.0; target=all; $(BUILD_ONE_CMD) + dir=fips; target=all; $(BUILD_ONE_CMD) clean-shared: @set -e; for i in $(SHLIBDIRS); do \ diff --git a/apps/Makefile b/apps/Makefile index 66ad4a364e..e00e7a6cc5 100644 --- a/apps/Makefile +++ b/apps/Makefile @@ -153,7 +153,7 @@ $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL) shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ shlib_target="$(SHLIB_TARGET)"; \ elif [ -n "$(FIPSCANLIB)" ]; then \ - FIPSLD_CC=$(CC); CC=$(TOP)/fips-1.0/fipsld; export CC FIPSLD_CC; \ + FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ fi; \ LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \ [ "x$(FIPSCANLIB)" = "xlibfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \ diff --git a/crypto/err/openssl.ec b/crypto/err/openssl.ec index 3f19c15c5c..d3deb47e33 100644 --- a/crypto/err/openssl.ec +++ b/crypto/err/openssl.ec @@ -31,7 +31,7 @@ L COMP crypto/comp/comp.h crypto/comp/comp_err.c L ECDSA crypto/ecdsa/ecdsa.h crypto/ecdsa/ecs_err.c L ECDH crypto/ecdh/ecdh.h crypto/ecdh/ech_err.c L STORE crypto/store/store.h crypto/store/str_err.c -L FIPS fips-1.0/fips.h crypto/fips_err.h +L FIPS fips/fips.h crypto/fips_err.h # additional header files to be scanned for function names L NONE crypto/x509/x509_vfy.h NONE diff --git a/fips/.cvsignore b/fips/.cvsignore new file mode 100644 index 0000000000..34f2408d13 --- /dev/null +++ b/fips/.cvsignore @@ -0,0 +1,8 @@ +lib +Makefile.save +fips_test_suite +fips_premain_dso +fips_test_suite.sha1 +fipscanister.o.sha1 +*.flc +semantic.cache diff --git a/fips/Makefile b/fips/Makefile new file mode 100644 index 0000000000..314a627462 --- /dev/null +++ b/fips/Makefile @@ -0,0 +1,218 @@ +# +# OpenSSL/crypto/Makefile +# + +DIR= fips +TOP= .. +CC= cc +INCLUDE= -I. -I$(TOP) -I../include +# INCLUDES targets sudbirs! +INCLUDES= -I.. -I../.. -I../../include +CFLAG= -g +MAKEDEPPROG= makedepend +MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) +MAKEFILE= Makefile +RM= rm -f +AR= ar r +ARD= ar d +TEST= fips_test_suite.c +FIPS_TVDIR= testvectors +FIPS_TVOK= $$HOME/fips/tv.ok + +FIPSCANLOC= $(FIPSLIBDIR)fipscanister.o + +RECURSIVE_MAKE= [ -n "$(FDIRS)" ] && for i in $(FDIRS) ; do \ + (cd $$i && echo "making $$target in $(DIR)/$$i..." && \ + $(MAKE) -e TOP=../.. DIR=$$i INCLUDES='${INCLUDES}' $$target ) || exit 1; \ + done; + +PEX_LIBS= +EX_LIBS= + +CFLAGS= $(INCLUDE) $(CFLAG) -DHMAC_EXT=\"$${HMAC_EXT:-sha1}\" +ASFLAGS= $(INCLUDE) $(ASFLAG) +AFLAGS=$(ASFLAGS) + +LIBS= + +FDIRS=sha rand des aes dsa rsa dh hmac + +GENERAL=Makefile README fips-lib.com install.com + +LIB= $(TOP)/libcrypto.a +SHARED_LIB= $(FIPSCANLIB)$(SHLIB_EXT) +LIBSRC=fips.c +LIBOBJ=fips.o + +FIPS_OBJ_LISTS=sha/lib hmac/lib rand/lib des/lib aes/lib dsa/lib rsa/lib dh/lib + +SRC= $(LIBSRC) + +EXHEADER=fips.h +HEADER=$(EXHEADER) fips_utl.h fips_locl.h +EXE=fipsld + +ALL= $(GENERAL) $(SRC) $(HEADER) + +top: + @(cd ..; $(MAKE) DIRS=$(DIR) all) + +testapps: + @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi + +all: + @if [ -z "$(FIPSLIBDIR)" ]; then \ + $(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \ + else \ + $(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \ + fi + +# Idea behind fipscanister.o is to "seize" the sequestered code between +# known symbols for fingerprinting purposes, which would be commonly +# done with ld -r start.o ... end.o. The latter however presents a minor +# challenge on multi-ABI platforms. As just implied, we'd rather use ld, +# but the trouble is that we don't generally know how ABI-selection +# compiler flag is translated to corresponding linker flag. All compiler +# drivers seem to recognize -r flag and pass it down to linker, but some +# of them, including gcc, erroneously add -lc, as well as run-time +# components, such as crt1.o and alike. Fortunately among those vendor +# compilers which were observed to misinterpret -r flag multi-ABI ones +# are equipped with smart linkers, which don't require any ABI-selection +# flag and simply assume that all objects are of the same type as first +# one in command line. So the idea is to identify gcc and deficient +# vendor compiler drivers... + +fipscanister.o: fips_start.o $(LIBOBJ) $(FIPS_OBJ_LISTS) fips_end.o + FIPS_ASM=""; \ + list="$(BN_ASM)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/bn/$$i" ; done; \ + list="$(AES_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/aes/$$i" ; done; \ + list="$(DES_ENC)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/des/$$i" ; done; \ + list="$(SHA1_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/sha/$$i" ; done; \ + if [ -n "$(CPUID_OBJ)" ]; then \ + CPUID=../crypto/$(CPUID_OBJ) ; \ + else \ + CPUID="" ; \ + fi ; \ + objs="fips_start.o $(LIBOBJ) $(FIPS_EX_OBJ) $$CPUID $$FIPS_ASM"; \ + for i in $(FIPS_OBJ_LISTS); do \ + dir=`dirname $$i`; script="s|^|$$dir/|;s| | $$dir/|g"; \ + objs="$$objs `sed "$$script" $$i`"; \ + done; \ + objs="$$objs fips_end.o" ; \ + os="`(uname -s) 2>/dev/null`"; cflags="$(CFLAGS)"; \ + [ "$$os" = "AIX" ] && cflags="$$cflags -Wl,-bnoobjreorder"; \ + if [ -n "${FIPS_SITE_LD}" ]; then \ + set -x; ${FIPS_SITE_LD} -r -o $@ $$objs; \ + elif $(CC) -dumpversion >/dev/null 2>&1; then \ + set -x; $(CC) $$cflags -r -nostdlib -o $@ $$objs ; \ + else case "$$os" in \ + HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \ + *) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \ + esac fi + ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1 + +# If another exception is immediately required, assign approprite +# site-specific ld command to FIPS_SITE_LD environment variable. + +fips_start.o: fips_canister.c + $(CC) $(CFLAGS) -DFIPS_START -c -o $@ fips_canister.c +fips_end.o: fips_canister.c + $(CC) $(CFLAGS) -DFIPS_END -c -o $@ fips_canister.c +fips_premain_dso$(EXE_EXT): fips_premain.c + $(CC) $(CFLAGS) -DFINGERPRINT_PREMAIN_DSO_LOAD -o $@ fips_premain.c \ + $(FIPSLIBDIR)fipscanister.o ../libcrypto.a $(EX_LIBS) +# this is executed only when linking with external fipscanister.o +fips_standalone_sha1$(EXE_EXT): sha/fips_standalone_sha1.c + $(CC) $(CFLAGS) -DFIPSCANISTER_O -o $@ sha/fips_standalone_sha1.c $(FIPSLIBDIR)fipscanister.o + +subdirs: + @target=all; $(RECURSIVE_MAKE) + +files: + $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO + @target=files; $(RECURSIVE_MAKE) + +links: + @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER) + @$(PERL) $(TOP)/util/mklink.pl ../test $(TEST) + @target=links; $(RECURSIVE_MAKE) + +# lib: and $(LIB): are splitted to avoid end-less loop +lib: $(LIB) + @touch lib + +$(LIB): $(FIPSLIBDIR)fipscanister.o + $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o + $(RANLIB) $(LIB) || echo Never mind. + +$(FIPSCANLIB): $(FIPSCANLOC) + $(AR) ../$(FIPSCANLIB).a $(FIPSCANLOC) + if [ "$(FIPSCANLIB)" = "libfips" ]; then \ + $(AR) $(LIB) $(FIPSCANLOC) ; \ + $(RANLIB) $(LIB) || echo Never Mind. ; \ + fi + $(RANLIB) ../$(FIPSCANLIB).a || echo Never mind. + @touch lib + +shared: lib subdirs fips_premain_dso$(EXE_EXT) + +libs: + @target=lib; $(RECURSIVE_MAKE) + +fips_test: top + @target=fips_test; $(RECURSIVE_MAKE) + +fips_test_diff: + @if diff -b -B -I '^\#' -cr -X fips-nodiff.txt $(FIPS_TVDIR) $(FIPS_TVOK) ; then \ + echo "FIPS diff OK" ; \ + else \ + echo "***FIPS DIFF ERROR***" ; exit 1 ; \ + fi + + +install: + @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile... + @headerlist="$(EXHEADER)"; for i in $$headerlist ;\ + do \ + (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ + done; + @target=install; $(RECURSIVE_MAKE) + @cp -p -f fipscanister.o fipscanister.o.sha1 fips_premain.c \ + fips_premain.c.sha1 \ + $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \ + chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips* + +lint: + @target=lint; $(RECURSIVE_MAKE) + +depend: + @[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDE) $(DEPFLAG) -- $(PROGS) $(LIBSRC) + @[ -z "$(THIS)" ] || (set -e; target=depend; $(RECURSIVE_MAKE) ) + @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi + +clean: + rm -f fipscanister.o.sha1 fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT) \ + *.s *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff + @target=clean; $(RECURSIVE_MAKE) + +dclean: + $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new + mv -f Makefile.new $(MAKEFILE) + @target=dclean; $(RECURSIVE_MAKE) + +# DO NOT DELETE THIS LINE -- make depend depends on it. + +fips.o: ../include/openssl/asn1.h ../include/openssl/bio.h +fips.o: ../include/openssl/crypto.h ../include/openssl/des.h +fips.o: ../include/openssl/des_old.h ../include/openssl/e_os2.h +fips.o: ../include/openssl/err.h ../include/openssl/evp.h +fips.o: ../include/openssl/fips.h ../include/openssl/fips_rand.h +fips.o: ../include/openssl/hmac.h ../include/openssl/lhash.h +fips.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +fips.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +fips.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h +fips.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +fips.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +fips.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h fips.c +fips.o: fips_locl.h diff --git a/fips/aes/.cvsignore b/fips/aes/.cvsignore new file mode 100644 index 0000000000..439e6d3eb6 --- /dev/null +++ b/fips/aes/.cvsignore @@ -0,0 +1,4 @@ +lib +Makefile.save +*.flc +semantic.cache diff --git a/fips/aes/Makefile b/fips/aes/Makefile new file mode 100644 index 0000000000..dff1b97efa --- /dev/null +++ b/fips/aes/Makefile @@ -0,0 +1,112 @@ +# +# OpenSSL/fips/aes/Makefile +# + +DIR= aes +TOP= ../.. +CC= cc +INCLUDES= +CFLAG=-g +INSTALL_PREFIX= +OPENSSLDIR= /usr/local/ssl +INSTALLTOP=/usr/local/ssl +MAKEDEPPROG= makedepend +MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) +MAKEFILE= Makefile +AR= ar r + +ASFLAGS= $(INCLUDES) $(ASFLAG) +AFLAGS= $(ASFLAGS) + +CFLAGS= $(INCLUDES) $(CFLAG) + +GENERAL=Makefile +TEST=fips_aesavs.c +TESTDATA=fips_aes_data +APPS= + +LIB=$(TOP)/libcrypto.a +LIBSRC=fips_aes_selftest.c +LIBOBJ=fips_aes_selftest.o + +SRC= $(LIBSRC) + +EXHEADER= +HEADER= + +ALL= $(GENERAL) $(SRC) $(HEADER) + +top: + (cd $(TOP); $(MAKE) DIRS=fips FDIRS=$(DIR) sub_all) + +all: lib + +lib: $(LIBOBJ) + @echo $(LIBOBJ) > lib + +files: + $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO + +links: + @$(PERL) $(TOP)/util/mklink.pl $(TOP)/include/openssl $(EXHEADER) + @$(PERL) $(TOP)/util/mklink.pl $(TOP)/test $(TEST) + @$(PERL) $(TOP)/util/mklink.pl $(TOP)/test $(TESTDATA) + @$(PERL) $(TOP)/util/mklink.pl $(TOP)/apps $(APPS) + +install: + @headerlist="$(EXHEADER)"; for i in $$headerlist; \ + do \ + (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ + done + +tags: + ctags $(SRC) + +tests: + +fips_test: + -find ../testvectors/aes/req -name '*.req' > testlist + -rm -rf ../testvectors/aes/rsp + mkdir ../testvectors/aes/rsp + if [ -s testlist ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_aesavs -d testlist; fi + +lint: + lint -DLINT $(INCLUDES) $(SRC)>fluff + +depend: + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) \ + $(SRC) $(TEST) + +dclean: + $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new + mv -f Makefile.new $(MAKEFILE) + +clean: + rm -f *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff testlist +# DO NOT DELETE THIS LINE -- make depend depends on it. + +fips_aes_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h +fips_aes_selftest.o: ../../include/openssl/crypto.h +fips_aes_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +fips_aes_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h +fips_aes_selftest.o: ../../include/openssl/lhash.h +fips_aes_selftest.o: ../../include/openssl/obj_mac.h +fips_aes_selftest.o: ../../include/openssl/objects.h +fips_aes_selftest.o: ../../include/openssl/opensslconf.h +fips_aes_selftest.o: ../../include/openssl/opensslv.h +fips_aes_selftest.o: ../../include/openssl/ossl_typ.h +fips_aes_selftest.o: ../../include/openssl/safestack.h +fips_aes_selftest.o: ../../include/openssl/stack.h +fips_aes_selftest.o: ../../include/openssl/symhacks.h fips_aes_selftest.c +fips_aesavs.o: ../../e_os.h ../../include/openssl/aes.h +fips_aesavs.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h +fips_aesavs.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +fips_aesavs.o: ../../include/openssl/err.h ../../include/openssl/evp.h +fips_aesavs.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h +fips_aesavs.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +fips_aesavs.o: ../../include/openssl/opensslconf.h +fips_aesavs.o: ../../include/openssl/opensslv.h +fips_aesavs.o: ../../include/openssl/ossl_typ.h +fips_aesavs.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h +fips_aesavs.o: ../../include/openssl/symhacks.h ../fips_utl.h fips_aesavs.c diff --git a/fips/aes/fips_aes_selftest.c b/fips/aes/fips_aes_selftest.c new file mode 100644 index 0000000000..441bbc18e7 --- /dev/null +++ b/fips/aes/fips_aes_selftest.c @@ -0,0 +1,101 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above |