From: Dr. Stephen Henson Date: Tue, 28 Mar 2006 12:10:37 +0000 (+0000) Subject: Update build system to make use of validated module in FIPS mode. X-Git-Tag: OpenSSL_0_9_7j~11 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=fcdf1d3fc713574bd7c1df3d4bb30636bd61d3c4;p=oweals%2Fopenssl.git Update build system to make use of validated module in FIPS mode. --- diff --git a/Configure b/Configure index 119d8fe04b..54b33513e8 100755 --- a/Configure +++ b/Configure @@ -621,6 +621,7 @@ my $prefix=""; my $openssldir=""; my $exe_ext=""; my $install_prefix=""; +my $fipslibdir="/usr/local/ssl/lib"; my $no_threads=0; my $no_shared=1; my $zlib=0; @@ -871,7 +872,7 @@ PROCESS_ARGS: } elsif (/^--with-fipslibdir=(.*)$/) { - $withargs{"fipslibdir"}="$1"; + $fipslibdir="$1"; } elsif (/^--with-zlib-include=(.*)$/) { @@ -976,6 +977,21 @@ chop $prefix if $prefix =~ /\/$/; $openssldir=$prefix . "/ssl" if $openssldir eq ""; $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/; +if ($fips && ! -f "$fipslibdir/fipscanister.o") + { + my $fipswinerr = ""; + $fipswinerr = <) s/^KRB5_INCLUDES=.*/KRB5_INCLUDES=$withargs{"krb5-include"}/; s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/; s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/; - s/^FIPSLIBDIR=.*/FIPSLIBDIR=$withargs{"fipslibdir"}/; + s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/; s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/; s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/; s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/; diff --git a/Makefile.org b/Makefile.org index fd69cab293..2e0bb2f2ef 100644 --- a/Makefile.org +++ b/Makefile.org 
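Review bot: The new pre-flight test at @@ -976 only checks that `$fipslibdir/fipscanister.o` exists, but fipsld in this same commit also loads `fipscanister.o.sha1` and `fips_premain.c` from that directory, so a partial or mismatched install passes Configure and only fails at final link time. Checking all three up front keeps the failure at configure time where the message is actionable: `if ($fips && grep { ! -f "$fipslibdir/$_" } qw(fipscanister.o fipscanister.o.sha1 fips_premain.c))`. The heredoc that builds `$fipswinerr` is not legible in this rendering, so its text could not be reviewed, and the hunk runs into the `FIPSLIBDIR=` substitution hunk whose header is not shown.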
@@ -176,7 +176,14 @@ LIBKRB5= ZLIB_INCLUDE= LIBZLIB= -FIPSLIBDIR=$(INSTALLTOP)/lib +# This is the location of fipscanister.o and friends. +# The FIPS module build will place it $(INSTALLTOP)/lib +# but since $(INSTALLTOP) can only take the default value +# when the module is built it will be in /usr/local/ssl/lib +# $(INSTALLTOP) for this build make be different so hard +# code the path. + +FIPSLIBDIR=/usr/local/ssl/lib # When we're prepared to use shared libraries in the programs we link here # we might set SHLIB_MARK to '$(SHARED_LIBS)'. 
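Review bot: The new comment block has two typos that make the rationale hard to follow: `# The FIPS module build will place it in $(INSTALLTOP)/lib` (missing "in") and `# $(INSTALLTOP) for this build may be different so hard` ("make" should be "may"). It would also help to state that Configure rewrites this line from `--with-fipslibdir` (the `s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/` substitution in this commit), so the hard-coded value here is only the fallback for builds that bypass Configure; otherwise a reader may edit it and expect the edit to stick.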
@@ -236,7 +243,7 @@ sub_all: do \ if [ -d "$$i" ]; then \ (cd $$i && echo "making all in $$i..." && \ - $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' FIPS_AES_ENC='${FIPS_AES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \ + $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' FIPS_AES_ENC='${FIPS_AES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' FIPSLIBDIR='${FIPSLIBDIR}' all ) || exit 1; \ else \ $(MAKE) $$i; \ fi; \ diff --git a/fips-1.0/Makefile b/fips-1.0/Makefile index 28ae5354ce..891a40b36a 100644 --- a/fips-1.0/Makefile +++ b/fips-1.0/Makefile 
@@ -55,7 +55,8 @@ all: fi check: - $(PERL) ../util/checkhash.pl || (rm fipscanister.o* 2>/dev/null; exit 1) +# $(PERL) ../util/checkhash.pl || (rm fipscanister.o* 2>/dev/null; exit 1) + echo FIPS module not built: no check done # Idea behind fipscanister.o is to "seize" the sequestered code between # known symbols for fingerprinting purposes, which would be commonly @@ -71,6 +72,7 @@ check: # flag and simply assume that all objects are of the same type as first # one in command line. So the idea is to identify gcc and deficient # vendor compiler drivers... + fipscanister.o: fips_start.o $(LIBOBJ) $(FIPS_OBJ_LISTS) fips_end.o @objs="fips_start.o $(LIBOBJ)"; \ for i in $(FIPS_OBJ_LISTS); do \ @@ -87,6 +89,7 @@ fipscanister.o: fips_start.o $(LIBOBJ) $(FIPS_OBJ_LISTS) fips_end.o *) set -x; $(CC) $(CFLAGS) -r -o $@ $$objs ;; \ esac fi sha/fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1 + # If another exception is immediately required, assign approprite # site-specific ld command to FIPS_SITE_LD environment variable. @@ -128,8 +131,8 @@ links: $(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PERL='${PERL}' links ); \ done; -lib: fipscanister.o - $(AR) $(LIB) fipscanister.o +lib: $(FIPSLIBDIR)/fipscanister.o + $(AR) $(LIB) $(FIPSLIBDIR)/fipscanister.o $(RANLIB) $(LIB) || echo Never mind. @touch lib diff --git a/fips-1.0/fipsld b/fips-1.0/fipsld index 5506b30943..819f68731f 100755 --- a/fips-1.0/fipsld +++ b/fips-1.0/fipsld 
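Review bot: The `check` target now always exits 0 after printing `FIPS module not built: no check done`, so `make check` in fips-1.0 silently stops verifying anything while still reading as a passing check, and the rewritten `lib` target archives `$(FIPSLIBDIR)/fipscanister.o` into `$(LIB)` without comparing it against its detached digest (only fipsld does that, much later). If the source-hash check is intentionally obsolete here, the commented-out `checkhash.pl` line should be deleted rather than left behind, and `check` could instead verify the installed canister it is about to use, e.g. `sha/fips_standalone_sha1 $(FIPSLIBDIR)/fipscanister.o | sed "s/(.*\//(/" | diff -w $(FIPSLIBDIR)/fipscanister.o.sha1 - || exit 1`, assuming `sha/fips_standalone_sha1` is built before `check` runs, which this hunk does not show. Note that the digest file lives next to the object it attests, so such a check detects corruption or a mismatched pair, not substitution of both files together.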
@@ -10,6 +10,8 @@ # command line syntax and $FIPSLD_CC or $CC environment variable set # and can even be used to compile source files. +#set -x + CC=${FIPSLD_CC:-${CC}} [ -n "${CC}" ] || { echo '$CC is not defined'; exit 1; } @@ -30,6 +32,14 @@ TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)` THERE="`echo $0 | sed -e 's|[^/]*$||'`".. +# Location of installed validated FIPS module +FIPSLIBDIR=${FIPSLIBDIR:-/usr/local/ssl/lib} +# If this is a build from a validated tarball use this instead +# FIPSLIBDIR=${THERE}/fips-1.0 + +[ -f "${FIPSLIBDIR}/fipscanister.o" ] || + { echo "fipscanister.o not found"; exit 1; } + HMAC_KEY="etaonrishdlcupfm" case "`(uname -s) 2>/dev/null`" in @@ -50,8 +60,10 @@ case "${TARGET}" in # Shared lib creation can be taking place in the source # directory only!!! FINGERTYPE="${THERE}/fips-1.0/sha/fips_standalone_sha1" - CANISTER_O="${THERE}/fips-1.0/fipscanister.o" - PREMAIN_C="${THERE}/fips-1.0/fips_premain.c" + CANISTER_O="${FIPSLIBDIR}/fipscanister.o" + PREMAIN_C="${FIPSLIBDIR}/fips_premain.c" + +echo Canister: $CANISTER_O # verify fipscanister.o against its detached signature... ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \ 
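Review bot: `echo Canister: $CANISTER_O` in the shared-library arm looks like leftover debugging: it is unindented relative to the surrounding case arm, writes to stdout of a tool that is invoked as the link driver, and expands `$CANISTER_O` unquoted. Either drop it or gate it and send it to stderr, e.g. `[ -n "${FIPSLD_DEBUG}" ] && echo "Canister: ${CANISTER_O}" >&2`, and likewise the new `fipscanister.o not found` message belongs on stderr (`echo "fipscanister.o not found" >&2`) since stdout of a link step may be consumed by the caller. Taking `FIPSLIBDIR` from the environment means whoever controls the build environment can point the link at a different object; the digest comparison that follows reads the `.sha1` file from that same directory, so it does not by itself prevent that, and a one-line comment stating this trust assumption next to the default would help. The case arm continues past the end of the hunk.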
@@ -96,16 +108,15 @@ case "${TARGET}" in # directory or off the installed binary target destination. if [ -x "${THERE}/fips-1.0/sha/fips_standalone_sha1" ]; then FINGERTYPE="${THERE}/fips-1.0/sha/fips_standalone_sha1" - CANISTER_O="${THERE}/fips-1.0/fipscanister.o" - PREMAIN_C="${THERE}/fips-1.0/fips_premain.c" else # Installed tree is expected to contain # lib/fipscanister.o, lib/fipscanister.o.sha1 and # lib/fips_premain.c [not to mention bin/openssl]. FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}" - CANISTER_O="${THERE}/lib/fipscanister.o" - PREMAIN_C="${THERE}/lib/fips_premain.c" fi + CANISTER_O="${FIPSLIBDIR}/fipscanister.o" + PREMAIN_C="${FIPSLIBDIR}/fips_premain.c" + # verify fipscanister.o against its detached signature... ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \ diff -w "${CANISTER_O}.sha1" - || \
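Review bot: The comment kept in the `else` arm, `# Installed tree is expected to contain lib/fipscanister.o, lib/fipscanister.o.sha1 and lib/fips_premain.c [not to mention bin/openssl]`, is now stale: after this hunk `CANISTER_O` and `PREMAIN_C` are set from `${FIPSLIBDIR}` for both arms and only `bin/openssl` is still taken from `${THERE}`. Suggest rewording it to `# Installed tree is expected to contain bin/openssl; fipscanister.o, fipscanister.o.sha1 and fips_premain.c come from ${FIPSLIBDIR}.` so the next reader does not look for the canister under `${THERE}/lib`. The `case` arm and the digest-comparison pipeline continue beyond the last line of the hunk.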