mirror of https://github.com/openssl/openssl
Now the FIPS capable OpenSSL is available simplify the various FIPS test
build options. All fispcanisterbuild builds only build fipscanister.o and include symbol renaming. Move all renamed symbols to fipssyms.h Update README.FIPS
This commit is contained in:
Dr. Stephen Henson
parent
93dd7d3848
commit
ce02589259
10
Configure
10
Configure
|
|
@ -894,6 +894,7 @@ EOF
|
|||
$nofipscanistercheck = 1;
|
||||
$fipslibdir="";
|
||||
$fipscanisterinternal="y";
|
||||
$fipscanisteronly = 1;
|
||||
}
|
||||
elsif (/^fipsdso$/)
|
||||
{
|
||||
|
|
@ -1134,11 +1135,6 @@ foreach (sort (keys %disabled))
|
|||
|
||||
my $exp_cflags = "";
|
||||
|
||||
if ($fipscanisteronly == 2)
|
||||
{
|
||||
$exp_cflags .= " -DOPENSSL_FIPSSYMS";
|
||||
}
|
||||
|
||||
foreach (sort @experimental)
|
||||
{
|
||||
my $ALGO;
|
||||
|
|
@ -1741,7 +1737,7 @@ while (<IN>)
|
|||
s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.\$(SHLIB_MAJOR).dylib .dylib/;
|
||||
}
|
||||
s/^SHARED_LDFLAGS=.*/SHARED_LDFLAGS=$shared_ldflag/;
|
||||
if ($fipscanisteronly == 2 && exists $disabled{"ec2m"})
|
||||
if ($fipscanisteronly && exists $disabled{"ec2m"})
|
||||
{
|
||||
next if (/ec2_/ || /bn_gf2m/);
|
||||
}
|
||||
|
|
@ -1992,7 +1988,7 @@ EOF
|
|||
&dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";', '^my \$prefix;$', 'my $prefix = "' . $prefix . '";');
|
||||
&dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
|
||||
}
|
||||
if ($depflags ne $default_depflags && !$make_depend && $fipscanisteronly != 2) {
|
||||
if ($depflags ne $default_depflags && !$make_depend && !$fipscanisteronly) {
|
||||
print <<EOF;
|
||||
|
||||
Since you've disabled or enabled at least one algorithm, you need to do
|
||||
|
|
|
|||
17
README.FIPS
17
README.FIPS
|
|
@ -35,23 +35,10 @@ Run test vectors:
|
|||
4. It should say "passed all tests" at the end. Report full details of any
|
||||
failures.
|
||||
|
||||
Run:
|
||||
|
||||
make clean
|
||||
|
||||
to remove any object modules from previous compile.
|
||||
|
||||
Run symbol hiding test:
|
||||
|
||||
./config fipscanisteronly -DOPENSSL_FIPSSYMS
|
||||
make
|
||||
|
||||
This time only the fips utilities should be built.
|
||||
|
||||
Examine the external symbols in fips/fipscanister.o they should all begin
|
||||
with FIPS or fips. One way to check with GNU nm is:
|
||||
|
||||
nm -g --defined-only fips/fipscanister.o | grep -v -i fips
|
||||
nm -g --defined-only fips/fipscanister.o | grep -v -i fips
|
||||
|
||||
If you get *any* output at all from this test (i.e. symbols not starting with
|
||||
fips or FIPS) please report it.
|
||||
|
|
@ -76,7 +63,7 @@ Once you've created the tarball extract into a fresh directory and do:
|
|||
make
|
||||
|
||||
You can then run the algorithm tests as above. This build automatically uses
|
||||
fipscanisteronly and -DOPENSSL_FIPSYMS and no-ec2m as appropriate.
|
||||
fipscanisterbuild and no-ec2m as appropriate.
|
||||
|
||||
FIPS capable OpenSSL test: WARNING PRELIMINARY INSTRUCTIONS, SUBJECT TO CHANGE.
|
||||
|
||||
|
|
|
|||
|
|
@ -35,7 +35,7 @@
|
|||
# endif
|
||||
# endif
|
||||
|
||||
#ifdef OPENSSL_FIPSSYMS
|
||||
#ifdef OPENSSL_FIPSCANISTERBUILD
|
||||
#include <openssl/fipssyms.h>
|
||||
#endif
|
||||
|
||||
|
|
|
|||
|
|
@ -147,7 +147,7 @@
|
|||
* non-FIPS OpenSSL.
|
||||
*/
|
||||
|
||||
#if defined(OPENSSL_FIPSCANISTER) && defined(OPENSSL_FIPSSYMS)
|
||||
#if defined(OPENSSL_FIPSCANISTER)
|
||||
#include <openssl/fipssyms.h>
|
||||
#endif
|
||||
|
||||
|
|
|
|||
55
fips/fips.h
55
fips/fips.h
|
|
@ -321,61 +321,6 @@ int FIPS_hmac_final(struct hmac_ctx_st *ctx,
|
|||
|
||||
#endif
|
||||
|
||||
/* Where necessary redirect standard OpenSSL APIs to FIPS versions */
|
||||
|
||||
#if defined(OPENSSL_FIPSCANISTER) && defined(OPENSSL_FIPSAPI)
|
||||
|
||||
#define CRYPTO_lock FIPS_lock
|
||||
#define CRYPTO_add_lock FIPS_add_lock
|
||||
#define CRYPTO_malloc FIPS_malloc
|
||||
#define CRYPTO_free FIPS_free
|
||||
|
||||
#define ERR_put_error FIPS_put_error
|
||||
#define ERR_add_error_data FIPS_add_error_data
|
||||
|
||||
#define EVP_MD_CTX_init FIPS_md_ctx_init
|
||||
#define EVP_MD_CTX_cleanup FIPS_md_ctx_cleanup
|
||||
#define EVP_MD_CTX_create FIPS_md_ctx_create
|
||||
#define EVP_MD_CTX_destroy FIPS_md_ctx_destroy
|
||||
#define EVP_DigestInit_ex(ctx, type, impl) FIPS_digestinit(ctx, type)
|
||||
#define EVP_DigestInit FIPS_digestinit
|
||||
#define EVP_DigestUpdate FIPS_digestupdate
|
||||
#define EVP_Digest(data, count, md, size, type, impl) \
|
||||
FIPS_digest(data, count, md, size, type)
|
||||
#define EVP_DigestFinal_ex FIPS_digestfinal
|
||||
#define EVP_MD_CTX_copy_ex FIPS_md_ctx_copy
|
||||
|
||||
#define EVP_CipherInit_ex(ctx, cipher, impl, key, iv, enc) \
|
||||
FIPS_cipherinit(ctx, cipher, key, iv, enc)
|
||||
|
||||
#define EVP_CipherInit FIPS_cipherinit
|
||||
|
||||
#define EVP_CIPHER_CTX_init FIPS_cipher_ctx_init
|
||||
#define EVP_CIPHER_CTX_cleanup FIPS_cipher_ctx_cleanup
|
||||
#define EVP_Cipher FIPS_cipher
|
||||
#define EVP_CIPHER_CTX_ctrl FIPS_cipher_ctx_ctrl
|
||||
#define EVP_CIPHER_CTX_new FIPS_cipher_ctx_new
|
||||
#define EVP_CIPHER_CTX_free FIPS_cipher_ctx_free
|
||||
#define EVP_CIPHER_CTX_copy FIPS_cipher_ctx_copy
|
||||
#define EVP_CIPHER_CTX_set_key_length FIPS_cipher_ctx_set_key_length
|
||||
|
||||
#define DSA_SIG_new FIPS_dsa_sig_new
|
||||
#define DSA_SIG_free FIPS_dsa_sig_free
|
||||
|
||||
#define ECDSA_SIG_new FIPS_ecdsa_sig_new
|
||||
#define ECDSA_SIG_free FIPS_ecdsa_sig_free
|
||||
|
||||
#define ecdsa_check fips_ecdsa_check
|
||||
#define ecdh_check fips_ecdh_check
|
||||
|
||||
#define RAND_bytes FIPS_rand_bytes
|
||||
#define RAND_pseudo_bytes FIPS_rand_pseudo_bytes
|
||||
#define RAND_add FIPS_rand_add
|
||||
#define RAND_seed FIPS_rand_seed
|
||||
#define RAND_status FIPS_rand_status
|
||||
|
||||
#endif
|
||||
|
||||
/* BEGIN ERROR CODES */
|
||||
/* The following lines are auto generated by the script mkerr.pl. Any changes
|
||||
* made after this point may be overwritten when the script is next run.
|
||||
|
|
|
|||
|
|
@ -1,3 +1,57 @@
|
|||
|
||||
/* Where necessary redirect standard OpenSSL APIs to FIPS versions */
|
||||
|
||||
#define CRYPTO_lock FIPS_lock
|
||||
#define CRYPTO_add_lock FIPS_add_lock
|
||||
#define CRYPTO_malloc FIPS_malloc
|
||||
#define CRYPTO_free FIPS_free
|
||||
|
||||
#define ERR_put_error FIPS_put_error
|
||||
#define ERR_add_error_data FIPS_add_error_data
|
||||
|
||||
#define EVP_MD_CTX_init FIPS_md_ctx_init
|
||||
#define EVP_MD_CTX_cleanup FIPS_md_ctx_cleanup
|
||||
#define EVP_MD_CTX_create FIPS_md_ctx_create
|
||||
#define EVP_MD_CTX_destroy FIPS_md_ctx_destroy
|
||||
#define EVP_DigestInit_ex(ctx, type, impl) FIPS_digestinit(ctx, type)
|
||||
#define EVP_DigestInit FIPS_digestinit
|
||||
#define EVP_DigestUpdate FIPS_digestupdate
|
||||
#define EVP_Digest(data, count, md, size, type, impl) \
|
||||
FIPS_digest(data, count, md, size, type)
|
||||
#define EVP_DigestFinal_ex FIPS_digestfinal
|
||||
#define EVP_MD_CTX_copy_ex FIPS_md_ctx_copy
|
||||
|
||||
#define EVP_CipherInit_ex(ctx, cipher, impl, key, iv, enc) \
|
||||
FIPS_cipherinit(ctx, cipher, key, iv, enc)
|
||||
|
||||
#define EVP_CipherInit FIPS_cipherinit
|
||||
|
||||
#define EVP_CIPHER_CTX_init FIPS_cipher_ctx_init
|
||||
#define EVP_CIPHER_CTX_cleanup FIPS_cipher_ctx_cleanup
|
||||
#define EVP_Cipher FIPS_cipher
|
||||
#define EVP_CIPHER_CTX_ctrl FIPS_cipher_ctx_ctrl
|
||||
#define EVP_CIPHER_CTX_new FIPS_cipher_ctx_new
|
||||
#define EVP_CIPHER_CTX_free FIPS_cipher_ctx_free
|
||||
#define EVP_CIPHER_CTX_copy FIPS_cipher_ctx_copy
|
||||
#define EVP_CIPHER_CTX_set_key_length FIPS_cipher_ctx_set_key_length
|
||||
|
||||
#define DSA_SIG_new FIPS_dsa_sig_new
|
||||
#define DSA_SIG_free FIPS_dsa_sig_free
|
||||
|
||||
#define ECDSA_SIG_new FIPS_ecdsa_sig_new
|
||||
#define ECDSA_SIG_free FIPS_ecdsa_sig_free
|
||||
|
||||
#define ecdsa_check fips_ecdsa_check
|
||||
#define ecdh_check fips_ecdh_check
|
||||
|
||||
#define RAND_bytes FIPS_rand_bytes
|
||||
#define RAND_pseudo_bytes FIPS_rand_pseudo_bytes
|
||||
#define RAND_add FIPS_rand_add
|
||||
#define RAND_seed FIPS_rand_seed
|
||||
#define RAND_status FIPS_rand_status
|
||||
|
||||
/* Rename symbols so they don't clash with standard OpenSSL */
|
||||
|
||||
#define AES_cfb128_encrypt fips_aes_cfb128_encrypt
|
||||
#define AES_cfb1_encrypt fips_aes_cfb1_encrypt
|
||||
#define AES_cfb8_encrypt fips_aes_cfb8_encrypt
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@ if ($ARGS[0] eq "norunasm")
|
|||
|
||||
my $enabled = 0;
|
||||
|
||||
$enabled = 1 if $ENV{CFLAG} =~ /-DOPENSSL_FIPSSYMS/;
|
||||
$enabled = 1 if $ENV{FIPSCANISTERINTERNAL} eq "y";
|
||||
|
||||
if ($enabled == 0 && $runasm)
|
||||
{
|
||||
|
|
|
|||
|
|
@ -60,6 +60,7 @@ my %mf_import = (
|
|||
CMLL_ENC => \$mf_cm_asm,
|
||||
MODES_ASM_OBJ => \$mf_modes_asm,
|
||||
FIPSCANISTERONLY => \$mf_fipscanisteronly
|
||||
FIPSCANISTERINTERNAL => \$mf_fipscanisterinternal
|
||||
);
|
||||
|
||||
open(IN,"<Makefile") || die "unable to open Makefile!\n";
|
||||
|
|
@ -75,7 +76,7 @@ close(IN);
|
|||
|
||||
$debug = 1 if $mf_platform =~ /^debug-/;
|
||||
|
||||
if ($mf_fipscanisteronly eq "y") {
|
||||
if ($mf_fipscanisterinternal eq "y") {
|
||||
$fips = 1;
|
||||
$fipscanisterbuild = 1;
|
||||
$fipscanisteronly = 1;
|
||||
|
|
@ -1196,7 +1197,7 @@ sub perlasm_compile_target
|
|||
$bname =~ s/(.*)\.[^\.]$/$1/;
|
||||
$ret ="\$(TMP_D)$o$bname.asm: $source\n";
|
||||
$ret.="\t\$(PERL) $source $asmtype \$(CFLAG) >\$\@\n";
|
||||
if ($cflags =~ /-DOPENSSL_FIPSSYMS/)
|
||||
if ($fipscanisteronly)
|
||||
{
|
||||
$ret .= "\t\$(PERL) util\\fipsas.pl . \$@ norunasm \$(CFLAG)\n";
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue