Automagically seed FIPS PRNG. Add OPENSSL_FIPS flag.
authorBen Laurie <ben@openssl.org>
Thu, 4 Sep 2003 10:22:13 +0000 (10:22 +0000)
committerBen Laurie <ben@openssl.org>
Thu, 4 Sep 2003 10:22:13 +0000 (10:22 +0000)
Configure
fips/Makefile.ssl
fips/fingerprint.sha1
fips/fips.c
fips/fips.h
fips/fips_err.c
fips/rand/fingerprint.sha1
fips/rand/fips_rand.c
fips/rand/fips_rand.h

index 73971cfe96fa14ed095c77bc8edb48e8f3e81a85..4a283ed48e930ae6a56f77d9dce0f7bbfaa0ab19 100755 (executable)
--- a/Configure
+++ b/Configure
@@ -10,7 +10,7 @@ use strict;
 
 # see INSTALL for instructions.
 
-my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-engine] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-engine] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [fips] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
 
 # Options:
 #
@@ -135,12 +135,11 @@ my %table=(
 # Our development configs
 "purify",      "purify gcc:-g -DPURIFY -Wall::(unknown)::-lsocket -lnsl::::",
 "debug",       "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown)::-lefence::::",
-"debug-ben",   "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
+"debug-ben",   "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
 "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
 "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
-"debug-ben-debug",     "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::::",
+"debug-ben-debug",     "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -Wall -Wshadow -Werror -pipe::(unknown)::::::",
 "debug-ben-strict",    "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
-"debug-ben-fips","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DDEBUG_SAFESTACK -DFIPS -O2 -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
 "debug-ben-fips-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DFIPS -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
 "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-bodo",  "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
@@ -805,7 +804,10 @@ PROCESS_ARGS:
                elsif (/^386$/)
                        { $processor=386; }
                elsif (/^fips$/)
-                       { $fips=1; }
+                       {
+                       $fips=1;
+                       $openssl_other_defines.="#define OPENSSL_FIPS\n";
+                       }
                elsif (/^rsaref$/)
                        {
                        # No RSAref support any more since it's not needed.
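Review bot: The `fips` branch now appends `#define OPENSSL_FIPS` to `$openssl_other_defines`, but nothing here says how that macro relates to `FIPS`, which `fips/fips.c` still tests with `#ifdef FIPS` later in this commit while `fips/fips.h` accepts either one. A build in which only one of the two is defined would presumably see the header's declarations without the matching code, or the reverse; which case can actually occur is not visible from this hunk. I would add a comment above the assignment, for example `# OPENSSL_FIPS is the macro applications test; -DFIPS on the compile line builds the FIPS code itself`, corrected to whatever the intended split is. The PROCESS_ARGS block starts and ends outside the hunk.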
index 5adbe46b61d4b35a0ee79493baf58a3a8c55596d..48b6bff5bf77cd02b76afa781044d744625eb5d9 100644 (file)
@@ -46,7 +46,6 @@ top:
        @(cd ..; $(MAKE) DIRS=$(DIR) all)
 
 all: subdirs lib check shared
-       ls -l $(LIB) $(LIBOBJ)
 
 check:
        TOP=`pwd`/$(TOP) ./fips_check_sha1 fingerprint.sha1 $(SRC) $(HEADER)
index cdee38b17ad8629a638267b442e65daf74c20c03..69f2032e1e2f824b12c4a2d87846fab575f08a3a 100644 (file)
@@ -1,4 +1,4 @@
-SHA1(fips.c)= dfb2a82fcff1ee84b7674d84a0e0bf191cb759f3
+SHA1(fips.c)= ffe435925e0c7a39ad32d0bd4a3be6b733d65aef
 SHA1(fips_err_wrapper.c)= 0cbe881739f6e7d91308e2e74b92032e69007528
-SHA1(fips.h)= 5dc66fb941513cb732c51eeca6f44018d4acd7ae
-SHA1(fips_err.c)= 672c470bf38e01ba2a1fa2d52492bc31330dd974
+SHA1(fips.h)= b4e3fb8a1f3aa03a63094552bedaa2c58a35cb19
+SHA1(fips_err.c)= bd28a95630f6b2e7ac17bfae872c045216611b11
index bd12d675913238d066763fc41a709d9f083cffdc..d052e06ec196bf835d865fede38aefbcb6ef1a16 100644 (file)
@@ -50,6 +50,7 @@
 #include <openssl/fips.h>
 #include <openssl/rand.h>
 #include <openssl/fips_rand.h>
+#include <openssl/err.h>
 
 #ifdef FIPS
 
@@ -62,13 +63,30 @@ int FIPS_selftest()
 
 int FIPS_mode_set(int onoff)
     {
-    FIPS_mode=onoff;
     if(onoff)
        {
+       char buf[24];
+
+       /* Don't go into FIPS mode twice, just so we can do automagic
+          seeding */
+       if(FIPS_mode)
+           FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FIPS_MODE_ALREADY_SET);
+
+       /* automagically seed PRNG if not already seeded */
+       if(!FIPS_rand_seeded())
+           {
+           RAND_bytes(buf,sizeof buf);
+           FIPS_set_prng_key(buf,buf+8);
+           FIPS_rand_seed(buf+16,8);
+           }
+
+       /* now switch into FIPS mode */
        FIPS_rand_check=&rand_fips_meth;
        RAND_set_rand_method(&rand_fips_meth);
+       FIPS_mode=onoff;
        return FIPS_selftest();
        }
+    FIPS_mode=onoff;
     return 1;
     }
 
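Review bot: In `FIPS_mode_set`, the new `if(FIPS_mode)` branch records FIPS_R_FIPS_MODE_ALREADY_SET but does not return, so a second call still falls through to the seeding and method-switch code that the comment says it is avoiding. The result of `RAND_bytes` is also ignored: if the default generator fails or has not been seeded, the 24 bytes used as the PRNG key and seed are whatever was left in `buf`, and FIPS mode is entered on a predictable generator with no error reported. `buf` holds key material and stays on the stack after use, and it is declared `char` where the prototypes shown in fips_rand.h take `unsigned char`. The sketch below returns 0 on both failures and wipes the buffer; `OPENSSL_cleanse` is assumed to be available in this tree.

```c
    if(onoff)
	{
	unsigned char buf[24];

	/* Refuse a second switch into FIPS mode instead of only logging it */
	if(FIPS_mode)
	    {
	    FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FIPS_MODE_ALREADY_SET);
	    return 0;
	    }

	/* automagically seed PRNG if not already seeded */
	if(!FIPS_rand_seeded())
	    {
	    /* Do not key the FIPS PRNG from a generator that failed */
	    if(RAND_bytes(buf,sizeof buf) <= 0)
		return 0;
	    FIPS_set_prng_key(buf,buf+8);
	    FIPS_rand_seed(buf+16,8);
	    OPENSSL_cleanse(buf,sizeof buf);
	    }

	/* … unchanged: install rand_fips_meth, set FIPS_mode, run FIPS_selftest … */
```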
index 179489b790078006e0e8aa3b5fbf463f1dd2deef..f3ebb582ce3143d3e4fc295264c2d42ee94641b6 100644 (file)
@@ -47,7 +47,7 @@
  *
  */
 
-#ifdef FIPS
+#if defined(FIPS) || defined(OPENSSL_FIPS)
 /* Note that these are defined in crypto/cryptlib.c so they're
  * available even without -lfips.
  */
@@ -76,12 +76,14 @@ void ERR_load_FIPS_strings(void);
 
 /* Function codes. */
 #define FIPS_F_FIPS_DSA_CHECK                           102
+#define FIPS_F_FIPS_MODE_SET                            105
 #define FIPS_F_FIPS_SELFTEST_AES                        104
 #define FIPS_F_FIPS_SELFTEST_SHA1                       103
 #define FIPS_F_HASH_FINAL                               100
 #define FIPS_F_SSLEAY_RAND_BYTES                        101
 
 /* Reason codes. */
+#define FIPS_R_FIPS_MODE_ALREADY_SET                    102
 #define FIPS_R_NON_FIPS_METHOD                          100
 #define FIPS_R_SELFTEST_FAILED                          101
 
index d9c55d37aa52310b71a3a1719071dec4c719c5c6..3d609672046fe41615148dd5846aec3bceffab24 100644 (file)
@@ -67,6 +67,7 @@
 static ERR_STRING_DATA FIPS_str_functs[]=
        {
 {ERR_PACK(0,FIPS_F_FIPS_DSA_CHECK,0),  "FIPS_dsa_check"},
+{ERR_PACK(0,FIPS_F_FIPS_MODE_SET,0),   "FIPS_mode_set"},
 {ERR_PACK(0,FIPS_F_FIPS_SELFTEST_AES,0),       "FIPS_selftest_aes"},
 {ERR_PACK(0,FIPS_F_FIPS_SELFTEST_SHA1,0),      "FIPS_selftest_sha1"},
 {ERR_PACK(0,FIPS_F_HASH_FINAL,0),      "HASH_FINAL"},
@@ -76,6 +77,7 @@ static ERR_STRING_DATA FIPS_str_functs[]=
 
 static ERR_STRING_DATA FIPS_str_reasons[]=
        {
+{FIPS_R_FIPS_MODE_ALREADY_SET            ,"fips mode already set"},
 {FIPS_R_NON_FIPS_METHOD                  ,"non fips method"},
 {FIPS_R_SELFTEST_FAILED                  ,"selftest failed"},
 {0,NULL}
index a7d86340a874ffe941afda52dd3ef4b274b9c30d..9d9549bec4459ad83f85d351f478930049aa154e 100644 (file)
@@ -1,2 +1,2 @@
-SHA1(fips_rand.c)= 3ba9ead2bec03b9a31527761472616ee26d005dc
-SHA1(fips_rand.h)= c25efc81b5fade7d0cc406be5c9a083f20671b7d
+SHA1(fips_rand.c)= c071f4d7b5221f0f804b9deef5c958fc64176959
+SHA1(fips_rand.h)= da5ee76588070c97d47c939d069d250a1476a080
index 7b333b79e1765d72304538bb00ac152f47091606..9bea881431e84b2cf93019c06bc2cfdb6086aa82 100644 (file)
@@ -73,14 +73,13 @@ static int test_mode;
 static unsigned char test_faketime[8];
 
 static void fips_rand_cleanup(void);
-static void fips_rand_seed(const void *buf, int num);
 static void fips_rand_add(const void *buf, int num, double add_entropy);
 static int fips_rand_bytes(unsigned char *buf, int num);
 static int fips_rand_status(void);
 
 RAND_METHOD rand_fips_meth=
     {
-    fips_rand_seed,
+    FIPS_rand_seed,
     fips_rand_bytes,
     fips_rand_cleanup,
     fips_rand_add,
@@ -103,6 +102,10 @@ void FIPS_test_mode(int test,const unsigned char faketime[8])
     memcpy(test_faketime,faketime,sizeof test_faketime);
     }
 
+/* NB: this returns true if _partially_ seeded */
+int FIPS_rand_seeded()
+    { return key_set || n_seed; }
+
 static void fips_gettime(unsigned char buf[8])
     {
     struct timeval tv;
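Review bot: `FIPS_rand_seeded` reports true as soon as either the key is set or any seed byte has arrived (`key_set || n_seed`), and `FIPS_mode_set` in this commit uses that answer to decide whether to skip automatic seeding. A caller that has set only the key, or supplied only part of the seed, therefore enters FIPS mode with a generator that is not fully initialised and gets no automatic top-up. Since the comment already admits the partial case, I would either make the predicate require both parts, along the lines of `{ return key_set && n_seed; }` tightened to the full seed length (not visible in this hunk), or rename it so callers do not read it as "ready". The definition should also be written `int FIPS_rand_seeded(void)` to match the prototype added to fips_rand.h.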
@@ -144,7 +147,7 @@ static void fips_rand_cleanup(void)
     n_seed=0;
     }
 
-static void fips_rand_seed(const void *buf_, int num)
+void FIPS_rand_seed(const void *buf_, int num)
     {
     const char *buf=buf_;
     int n;
@@ -186,7 +189,7 @@ static void fips_rand_seed(const void *buf_, int num)
 
 static void fips_rand_add(const void *buf, int num, double add_entropy)
     {
-    fips_rand_seed(buf,num);
+    FIPS_rand_seed(buf,num);
     }
 
 static int fips_rand_bytes(unsigned char *buf,int num)
index d5558ca73b783ae1d195f9a5cba1a9ec4431b346..aa8961fdfcbd055d1b75f70f2428bd3e1799a45f 100644 (file)
@@ -51,5 +51,8 @@
 
 void FIPS_set_prng_key(const unsigned char k1[8],const unsigned char k2[8]);
 void FIPS_test_mode(int test,const unsigned char faketime[8]);
+void FIPS_rand_seed(const void *buf, int num);
+/* NB: this returns true if _partially_ seeded */
+int FIPS_rand_seeded(void);
 
 extern RAND_METHOD rand_fips_meth;