From: Dr. Stephen Henson Date: Wed, 22 Jun 2011 12:30:18 +0000 (+0000) Subject: Now the FIPS capable OpenSSL is available simplify the various FIPS test X-Git-Tag: OpenSSL-fips-2_0-rc1~304 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=ce02589259c4eecf5479d6d5714d8caee7b5e326;p=oweals%2Fopenssl.git Now the FIPS capable OpenSSL is available simplify the various FIPS test build options. All fispcanisterbuild builds only build fipscanister.o and include symbol renaming. Move all renamed symbols to fipssyms.h Update README.FIPS --- diff --git a/Configure b/Configure index fb8cceb430..cdef7f8506 100755 --- a/Configure +++ b/Configure @@ -894,6 +894,7 @@ EOF $nofipscanistercheck = 1; $fipslibdir=""; $fipscanisterinternal="y"; + $fipscanisteronly = 1; } elsif (/^fipsdso$/) { @@ -1134,11 +1135,6 @@ foreach (sort (keys %disabled)) my $exp_cflags = ""; -if ($fipscanisteronly == 2) - { - $exp_cflags .= " -DOPENSSL_FIPSSYMS"; - } - foreach (sort @experimental) { my $ALGO; @@ -1741,7 +1737,7 @@ while () s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.\$(SHLIB_MAJOR).dylib .dylib/; } s/^SHARED_LDFLAGS=.*/SHARED_LDFLAGS=$shared_ldflag/; - if ($fipscanisteronly == 2 && exists $disabled{"ec2m"}) + if ($fipscanisteronly && exists $disabled{"ec2m"}) { next if (/ec2_/ || /bn_gf2m/); } @@ -1992,7 +1988,7 @@ EOF &dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";', '^my \$prefix;$', 'my $prefix = "' . $prefix . '";'); &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s'); } - if ($depflags ne $default_depflags && !$make_depend && $fipscanisteronly != 2) { + if ($depflags ne $default_depflags && !$make_depend && !$fipscanisteronly) { print < #endif diff --git a/crypto/crypto.h b/crypto/crypto.h index 8fd2fe2ea9..64fbfe02ee 100644 --- a/crypto/crypto.h +++ b/crypto/crypto.h 
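Review bot: In Configure, the test at -1741 now reads `if ($fipscanisteronly && exists $disabled{"ec2m"})`, so `$fipscanisteronly` has changed from a value compared against 2 to a plain boolean, and nothing in the visible hunks documents that. The hunk at -894 sets it to 1 in a branch that also sets `$fipscanisterinternal="y"`, and the test at -1992 becomes `!$fipscanisteronly`. I would add a comment where the flag is declared, for example `# true for any build that produces only fipscanister.o (symbol renaming always on)`. Any assignment of 2 that remains outside these hunks should be checked, since it would now behave exactly like 1. The text of the last Configure hunk is partly lost on this page, so this covers only the lines that are visible.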
@@ -147,7 +147,7 @@ * non-FIPS OpenSSL. */ -#if defined(OPENSSL_FIPSCANISTER) && defined(OPENSSL_FIPSSYMS) +#if defined(OPENSSL_FIPSCANISTER) #include #endif diff --git a/fips/fips.h b/fips/fips.h index 44fd3a9dd8..3b679411f2 100644 --- a/fips/fips.h +++ b/fips/fips.h 
@@ -321,61 +321,6 @@ int FIPS_hmac_final(struct hmac_ctx_st *ctx, #endif -/* Where necessary redirect standard OpenSSL APIs to FIPS versions */ - -#if defined(OPENSSL_FIPSCANISTER) && defined(OPENSSL_FIPSAPI) - -#define CRYPTO_lock FIPS_lock -#define CRYPTO_add_lock FIPS_add_lock -#define CRYPTO_malloc FIPS_malloc -#define CRYPTO_free FIPS_free - -#define ERR_put_error FIPS_put_error -#define ERR_add_error_data FIPS_add_error_data - -#define EVP_MD_CTX_init FIPS_md_ctx_init -#define EVP_MD_CTX_cleanup FIPS_md_ctx_cleanup -#define EVP_MD_CTX_create FIPS_md_ctx_create -#define EVP_MD_CTX_destroy FIPS_md_ctx_destroy -#define EVP_DigestInit_ex(ctx, type, impl) FIPS_digestinit(ctx, type) -#define EVP_DigestInit FIPS_digestinit -#define EVP_DigestUpdate FIPS_digestupdate -#define EVP_Digest(data, count, md, size, type, impl) \ - FIPS_digest(data, count, md, size, type) -#define EVP_DigestFinal_ex FIPS_digestfinal -#define EVP_MD_CTX_copy_ex FIPS_md_ctx_copy - -#define EVP_CipherInit_ex(ctx, cipher, impl, key, iv, enc) \ - FIPS_cipherinit(ctx, cipher, key, iv, enc) - -#define EVP_CipherInit FIPS_cipherinit - -#define EVP_CIPHER_CTX_init FIPS_cipher_ctx_init -#define EVP_CIPHER_CTX_cleanup FIPS_cipher_ctx_cleanup -#define EVP_Cipher FIPS_cipher -#define EVP_CIPHER_CTX_ctrl FIPS_cipher_ctx_ctrl -#define EVP_CIPHER_CTX_new FIPS_cipher_ctx_new -#define EVP_CIPHER_CTX_free FIPS_cipher_ctx_free -#define EVP_CIPHER_CTX_copy FIPS_cipher_ctx_copy -#define EVP_CIPHER_CTX_set_key_length FIPS_cipher_ctx_set_key_length - -#define DSA_SIG_new FIPS_dsa_sig_new -#define DSA_SIG_free FIPS_dsa_sig_free - -#define ECDSA_SIG_new FIPS_ecdsa_sig_new -#define ECDSA_SIG_free FIPS_ecdsa_sig_free - -#define ecdsa_check fips_ecdsa_check -#define ecdh_check fips_ecdh_check - -#define RAND_bytes FIPS_rand_bytes -#define RAND_pseudo_bytes FIPS_rand_pseudo_bytes -#define RAND_add FIPS_rand_add -#define RAND_seed FIPS_rand_seed -#define RAND_status FIPS_rand_status - -#endif - /* BEGIN ERROR CODES */ /* 
The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. diff --git a/fips/fipssyms.h b/fips/fipssyms.h index e49cf1b895..4b4c6ea92b 100644 --- a/fips/fipssyms.h +++ b/fips/fipssyms.h 
@@ -1,3 +1,57 @@
+
+/* Where necessary redirect standard OpenSSL APIs to FIPS versions */
+
+#define CRYPTO_lock FIPS_lock
+#define CRYPTO_add_lock FIPS_add_lock
+#define CRYPTO_malloc FIPS_malloc
+#define CRYPTO_free FIPS_free
+
+#define ERR_put_error FIPS_put_error
+#define ERR_add_error_data FIPS_add_error_data
+
+#define EVP_MD_CTX_init FIPS_md_ctx_init
+#define EVP_MD_CTX_cleanup FIPS_md_ctx_cleanup
+#define EVP_MD_CTX_create FIPS_md_ctx_create
+#define EVP_MD_CTX_destroy FIPS_md_ctx_destroy
+#define EVP_DigestInit_ex(ctx, type, impl) FIPS_digestinit(ctx, type)
+#define EVP_DigestInit FIPS_digestinit
+#define EVP_DigestUpdate FIPS_digestupdate
+#define EVP_Digest(data, count, md, size, type, impl) \
+ FIPS_digest(data, count, md, size, type)
+#define EVP_DigestFinal_ex FIPS_digestfinal
+#define EVP_MD_CTX_copy_ex FIPS_md_ctx_copy
+
+#define EVP_CipherInit_ex(ctx, cipher, impl, key, iv, enc) \
+ FIPS_cipherinit(ctx, cipher, key, iv, enc)
+
+#define EVP_CipherInit FIPS_cipherinit
+
+#define EVP_CIPHER_CTX_init FIPS_cipher_ctx_init
+#define EVP_CIPHER_CTX_cleanup FIPS_cipher_ctx_cleanup
+#define EVP_Cipher FIPS_cipher
+#define EVP_CIPHER_CTX_ctrl FIPS_cipher_ctx_ctrl
+#define EVP_CIPHER_CTX_new FIPS_cipher_ctx_new
+#define EVP_CIPHER_CTX_free FIPS_cipher_ctx_free
+#define EVP_CIPHER_CTX_copy FIPS_cipher_ctx_copy
+#define EVP_CIPHER_CTX_set_key_length FIPS_cipher_ctx_set_key_length
+
+#define DSA_SIG_new FIPS_dsa_sig_new
+#define DSA_SIG_free FIPS_dsa_sig_free
+
+#define ECDSA_SIG_new FIPS_ecdsa_sig_new
+#define ECDSA_SIG_free FIPS_ecdsa_sig_free
+
+#define ecdsa_check fips_ecdsa_check
+#define ecdh_check fips_ecdh_check
+
+#define RAND_bytes FIPS_rand_bytes
+#define RAND_pseudo_bytes FIPS_rand_pseudo_bytes
+#define RAND_add FIPS_rand_add
+#define RAND_seed FIPS_rand_seed
+#define RAND_status FIPS_rand_status
+
+/* Rename symbols so they don't clash with standard OpenSSL */
+
 #define AES_cfb128_encrypt fips_aes_cfb128_encrypt
 #define AES_cfb1_encrypt
fips_aes_cfb1_encrypt #define AES_cfb8_encrypt fips_aes_cfb8_encrypt diff --git a/util/fipsas.pl b/util/fipsas.pl index cad7c08ca2..6e10d7d8d5 100644 --- a/util/fipsas.pl +++ b/util/fipsas.pl @@ -19,7 +19,7 @@ if ($ARGS[0] eq "norunasm") my $enabled = 0; -$enabled = 1 if $ENV{CFLAG} =~ /-DOPENSSL_FIPSSYMS/; +$enabled = 1 if $ENV{FIPSCANISTERINTERNAL} eq "y"; if ($enabled == 0 && $runasm) { diff --git a/util/mk1mf.pl b/util/mk1mf.pl index 8f01f0c462..5d024b15cb 100755 --- a/util/mk1mf.pl +++ b/util/mk1mf.pl @@ -60,6 +60,7 @@ my %mf_import = ( CMLL_ENC => \$mf_cm_asm, MODES_ASM_OBJ => \$mf_modes_asm, FIPSCANISTERONLY => \$mf_fipscanisteronly + FIPSCANISTERINTERNAL => \$mf_fipscanisterinternal ); open(IN,"
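Review bot: The redirect macros added at the top of fips/fipssyms.h are unconditional, whereas the block removed from fips/fips.h was gated on `defined(OPENSSL_FIPSCANISTER) && defined(OPENSSL_FIPSAPI)`. Together with the crypto/crypto.h hunk, which now includes this header for every `OPENSSL_FIPSCANISTER` translation unit, any canister source that reaches crypto.h gets `RAND_bytes`, `CRYPTO_malloc` and the `EVP_*` names rewritten, whether or not it opted in through `OPENSSL_FIPSAPI`. If that is intended, say so in the header comment, for example `/* Applied to every file built with OPENSSL_FIPSCANISTER; OPENSSL_FIPSAPI is no longer required */`. The function-like forms `EVP_DigestInit_ex`, `EVP_Digest` and `EVP_CipherInit_ex` also drop their `impl` argument without evaluating it, which deserves a one-line comment next to them such as `/* the impl argument is discarded by these macros */`.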
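Review bot: In util/fipsas.pl, `$ENV{FIPSCANISTERINTERNAL} eq "y"` compares an undefined value whenever the variable is not exported to the assembler wrapper, which warns under `-w` and leaves `$enabled` at 0. The `if ($enabled == 0 && $runasm)` branch that follows continues outside the hunk, but it appears to run the assembler without the FIPS symbol handling, so a missing export would go unnoticed rather than fail the build. I would write `$enabled = 1 if defined $ENV{FIPSCANISTERINTERNAL} && $ENV{FIPSCANISTERINTERNAL} eq "y";` and add a comment naming the makefile variable that must be exported for this to take effect.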
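Review bot: In util/mk1mf.pl the new `FIPSCANISTERINTERNAL => \$mf_fipscanisterinternal` entry follows the context line `FIPSCANISTERONLY => \$mf_fipscanisteronly`, which has no trailing comma, so as shown the `%mf_import` list no longer parses. The preceding line needs to become `FIPSCANISTERONLY => \$mf_fipscanisteronly,`. No declaration of `$mf_fipscanisterinternal` is visible in this hunk, so check that one exists alongside the other `$mf_*` variables. The last line of the hunk is truncated on this page.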