Update fipsld to use external signature for fips_premain.c . Update build system

remove redundant source file hash checks.

diff --git a/CHANGES b/CHANGES
index 176b432713e72fad9c24e2fb9c99815464f3901e..badb8d42a9a9d41c89a90f79bc11c519b0696186 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 0.9.7l and 0.9.7m  [xx XXX xxxx]
 
+  *) Remove redundant features: hash file source, editing of test vectors
+     modify fipsld to use external fips_premain.c signature.
+     [Steve Henson]
+
   *) New perl script mkfipsscr.pl to create shell scripts or batch files to
      run algorithm test programs.
      [Steve Henson]

diff --git a/fips-1.0/Makefile b/fips-1.0/Makefile
index 891a40b36a45e31281d398e14d0e7b09c1c9b25b..6f7b0212233876088230a48f14ef90c9ee7921be 100644 (file)
--- a/fips-1.0/Makefile
+++ b/fips-1.0/Makefile
@@ -18,6 +18,8 @@ PERL=         perl
 RM=             rm -f
 AR=            ar r
 
+FIPSCANLOC=    $(FIPSLIBDIR)/fipscanister.o
+
 PEX_LIBS=
 EX_LIBS=
 
@@ -51,13 +53,9 @@ top:
 
 all:
        @if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-               $(MAKE) -e subdirs check lib shared; \
+               $(MAKE) -e subdirs $(FIPSCHECK) lib shared; \
        fi
 
-check:
-#      $(PERL) ../util/checkhash.pl || (rm fipscanister.o* 2>/dev/null; exit 1)
-       echo FIPS module not built: no check done
-
 # Idea behind fipscanister.o is to "seize" the sequestered code between
 # known symbols for fingerprinting purposes, which would be commonly
 # done with ld -r start.o ... end.o. The latter however presents a minor
@@ -131,8 +129,8 @@ links:
        $(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PERL='${PERL}' links ); \
        done;
 
-lib:   $(FIPSLIBDIR)/fipscanister.o
-       $(AR) $(LIB) $(FIPSLIBDIR)/fipscanister.o
+lib:   $(FIPSCANLOC)
+       $(AR) $(LIB) $(FIPSCANLOC)
        $(RANLIB) $(LIB) || echo Never mind.
        @touch lib
 
@@ -152,7 +150,6 @@ tests:
        (cd ..; make DIRS=test)
 
 fips_test: top tests
-       -cd testvectors && perl -p -i -e 's/COUNT=/COUNT = /' des[23]/req/*.req
        @for i in dsa sha aes des hmac rand rsa; \
        do \
                (cd $$i && echo "making fips_test in fips/$$i..." && $(MAKE) fips_test) \

diff --git a/fips-1.0/fips_premain.c.sha1 b/fips-1.0/fips_premain.c.sha1
new file mode 100644 (file)
index 0000000..967ec89
--- /dev/null
+++ b/fips-1.0/fips_premain.c.sha1
@@ -0,0 +1 @@
+HMAC-SHA1(fips_premain.c)= 6a08d15c578f1258246181bf52134ae974aa5a80

diff --git a/fips-1.0/fipshashes.c b/fips-1.0/fipshashes.c
deleted file mode 100644 (file)
index b96fe2c..0000000
--- a/fips-1.0/fipshashes.c
+++ /dev/null
@@ -1,43 +0,0 @@
-const char * const FIPS_source_hashes[] = {
-"HMAC-SHA1(Makefile)= 369e2e023b73789e6af4b8fa2503a7b909c4c3f0",
-"HMAC-SHA1(fips.c)= 3a2deb3c319512952bf5547ed92116a7e0db472b",
-"HMAC-SHA1(fips_err_wrapper.c)= d3e2be316062510312269e98f964cb87e7577898",
-"HMAC-SHA1(fips.h)= 57d602d18efe0594f806fbcc64269e9440638ef4",
-"HMAC-SHA1(fips_err.h)= e0649ee1d60c8162f7eeb293f89f3b63ac85202a",
-"HMAC-SHA1(fips_locl.h)= f90a23c7f68642727012bbfd48ed58706383ad71",
-"HMAC-SHA1(fips_canister.c)= da6d0f5daf9594881fd060773a5f3e057ba302ff",
-"HMAC-SHA1(fips_premain.c)= 6a08d15c578f1258246181bf52134ae974aa5a80",
-"HMAC-SHA1(aes/fips_aes_core.c)= b70bbbd675efe0613da0d57055310926a0104d55",
-"HMAC-SHA1(aes/asm/fips-ax86-elf.s)= f797b524a79196e7f59458a5b223432fcfd4a868",
-"HMAC-SHA1(aes/fips_aes_selftest.c)= 98b01502221e7fe529fd981222f2cbb52eb4cbe0",
-"HMAC-SHA1(aes/fips_aes_locl.h)= a98eb0aa449f1d95b8064e261b2ac2b1f328685e",
-"HMAC-SHA1(des/fips_des_enc.c)= 9527f8ea81602358f1aa11348237fdb1e9eeff32",
-"HMAC-SHA1(des/asm/fips-dx86-elf.s)= 9570b03422ffbe5d3d090f91758ebfd46acd5d57",
-"HMAC-SHA1(des/fips_des_selftest.c)= 3bc574e51647c5f5ab45d1007b2cf461d67764a9",
-"HMAC-SHA1(des/fips_set_key.c)= cd1ba25d29376849523a9ddc194c3156a8a7a913",
-"HMAC-SHA1(des/fips_des_locl.h)= e008da40dc6913e374edd66a20d44e1752f00583",
-"HMAC-SHA1(dh/fips_dh_check.c)= 63347e2007e224381d4a7b6d871633889de72cf3",
-"HMAC-SHA1(dh/fips_dh_gen.c)= 93fe69b758ca9d70d70cda1c57fff4eb5c668e85",
-"HMAC-SHA1(dh/fips_dh_key.c)= 2d79eb8d59929ec129d34f53b5aded4a290a28ca",
-"HMAC-SHA1(dsa/fips_dsa_ossl.c)= 2fadb271897a775f023393aa22ddede8a76eec0d",
-"HMAC-SHA1(dsa/fips_dsa_gen.c)= 78c879484fd849312ca4828b957df3842b70efc0",
-"HMAC-SHA1(dsa/fips_dsa_selftest.c)= 7c2ba8d82feda2aadc8b769a3b6c4c25a6356e01",
-"HMAC-SHA1(rand/fips_rand.c)= 7e3964447a81cfe4e75df981827d14a5fe0c2923",
-"HMAC-SHA1(rand/fips_rand.h)= bf009ea8963e79b1e414442ede9ae7010a03160b",
-"HMAC-SHA1(rand/fips_rand_selftest.c)= 5661f383decf0708d0230409fe1564223e834a3b",
-"HMAC-SHA1(rsa/fips_rsa_eay.c)= 2512f849a220daa083f346b10effdb2ee96d4395",
-"HMAC-SHA1(rsa/fips_rsa_gen.c)= 577466931c054d99caf4ac2aefff0e35efd94024",
-"HMAC-SHA1(rsa/fips_rsa_selftest.c)= a9dc47bd1001f795d1565111d26433c300101e06",
-"HMAC-SHA1(rsa/fips_rsa_x931g.c)= 1827d381bb21c53a38a7194cb1c428a2b5f1e3ab",
-"HMAC-SHA1(sha/fips_sha1dgst.c)= 26e529d630b5e754b4a29bd1bb697e991e7fdc04",
-"HMAC-SHA1(sha/fips_standalone_sha1.c)= 46a66875e68398eabca2e933958a2d865149ca1b",
-"HMAC-SHA1(sha/fips_sha1_selftest.c)= a08f9c1e2c0f63b9aa96b927c0333a03b020749f",
-"HMAC-SHA1(sha/asm/fips-sx86-elf.s)= ae66fb23ab8e1a2287e87a0a2dd30a4b9039fe63",
-"HMAC-SHA1(sha/fips_sha_locl.h)= 30b6d6bdbdc9db0d66dc89010c1f4fe1c7b60574",
-"HMAC-SHA1(sha/fips_md32_common.h)= c34d8b7785d3194ff968cf6d3efdd2bfcaec1fad",
-"HMAC-SHA1(sha/fips_sha.h)= cbe98c211cff1684adfa3fe6e6225e92a0a25f6c",
-"HMAC-SHA1(sha/fips_sha256.c)= 97e6dee22a1fe993cc48aa8ff37af10701d7f599",
-"HMAC-SHA1(sha/fips_sha512.c)= 74e6ef26de96f774d233888b831289e69834dd79",
-"HMAC-SHA1(hmac/fips_hmac.c)= a477cec1da76c0092979c4a875b6469339bff7ef",
-"HMAC-SHA1(hmac/fips_hmac_selftest.c)= ebb32b205babf4300017de767fd6e3f1879765c9",
-};

diff --git a/fips-1.0/fipsld b/fips-1.0/fipsld
index 819f68731f0c626aad76289fb76c52e6d79ade85..9ee9da103d9a8832e59a429f6a602ea5f53477b7 100755 (executable)
--- a/fips-1.0/fipsld
+++ b/fips-1.0/fipsld
@@ -70,12 +70,17 @@ echo Canister: $CANISTER_O
                diff -w "${CANISTER_O}.sha1" - || \
        { echo "${CANISTER_O} fingerprint mismatch"; exit 1; }
 
+       # verify fipspremain.c against its detached signature...
+       ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \
+               diff -w "${PREMAIN_C}.sha1" - || \
+       { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
+
        # verify fips_premain.c against its signature embedded into
        # fipscanister.o...
-       SIG=`${FINGERTYPE} "${PREMAIN_C}" | sed -n "s/(.*\//(/;/^./p"`
-       REF=`strings "${CANISTER_O}" | grep "HMAC-SHA1(fips_premain\\.c)"`
-       [ "${SIG}" = "${REF}" ] || \
-       { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
+       #SIG=`${FINGERTYPE} "${PREMAIN_C}" | sed -n "s/(.*\//(/;/^./p"`
+       #REF=`strings "${CANISTER_O}" | grep "HMAC-SHA1(fips_premain\\.c)"`
+       #[ "${SIG}" = "${REF}" ] || \
+       #{ echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
 
        # Temporarily remove fipscanister.o from libcrypto.a!
        # We are required to use the standalone copy...