From 1ab2f7f1cb6c9fa2747c39e60b5fe7e8ba15acef Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Wed, 26 Jan 2011 12:31:30 +0000
Subject: [PATCH] Add fipscanisterbuild configuration option and update Makefile.org: doesn't compile yet

---
 Configure | 75 +++++++++++++++++++++++++++++++++
 Makefile.org | 115 +++++++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 187 insertions(+), 3 deletions(-)

diff --git a/Configure b/Configure
index b638a0bd98..c62da8c5dd 100755
--- a/Configure
+++ b/Configure
@@ -647,6 +647,11 @@ my $openssldir="";
 my $exe_ext="";
 my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
 my $cross_compile_prefix="";
+my $fipslibdir="/usr/local/ssl/fips-1.0/lib/";
+my $nofipscanistercheck=0;
+my $fipsdso=0;
+my $fipscanisterinternal="n";
+my $baseaddr="0xFB00000";
 my $no_threads=0;
 my $threads=0;
 my $no_shared=0; # but "no-shared" is default
@@ -681,6 +686,7 @@ my $cmll_enc="camellia.o cmll_misc.o cmll_cbc.o";
 my $processor="";
 my $default_ranlib;
 my $perl;
+my $fips=0;
 
 # All of the following is disabled by default (RC5 was enabled before 0.9.8):
 
@@ -833,6 +839,26 @@ PROCESS_ARGS:
 # The check for the option is there so scripts aren't
 # broken
 }
+ elsif (/^nofipscanistercheck$/)
+ {
+ $fips = 1;
+ $nofipscanistercheck = 1;
+ }
+ elsif (/^fipscanisterbuild$/)
+ {
+ $fips = 1;
+ $nofipscanistercheck = 1;
+ $fipslibdir="";
+ $fipscanisterinternal="y";
+ }
+ elsif (/^fipsdso$/)
+ {
+ $fips = 1;
+ $nofipscanistercheck = 1;
+ $fipslibdir="";
+ $fipscanisterinternal="y";
+ $fipsdso = 1;
+ }
 elsif (/^[-+]/)
 {
 if (/^-[lL](.*)$/ or /^-Wl,/)
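Review bot: `$nofipscanistercheck` is set to 1 in all three new option branches, but nothing in this patch reads it: the later defines block tests only `$fips` and `$fipscanisterinternal`, and the Makefile substitution loop propagates `FIPSLIBDIR` and `FIPSCANISTERINTERNAL` but has no counterpart for the check flag, so the "skip the canister check" intent is not yet wired through to the build unless it is consumed elsewhere in Configure outside these hunks. `nofipscanistercheck` on its own also keeps the hard-coded external `$fipslibdir` and turns on `OPENSSL_FIPS` while disabling whatever verification the name refers to, so a library built that way must not be taken for a validated one; it deserves the same notice as the `fipscanisterinternal` warning printed later in this file. The three branches repeat `$fips = 1; $nofipscanistercheck = 1;`, so a comment on the first one saying what distinguishes them would help, e.g. `# nofipscanistercheck: use the external fipscanister.o in $fipslibdir as-is; fipscanisterbuild/fipsdso: build an unvalidated canister in-tree (fipsdso as its own shared object)`. The `usage` text is outside this hunk and the new options are not added to it anywhere in this patch.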
@@ -1398,6 +1424,15 @@ $cflags.=" -DOPENSSL_IA32_SSE2" if (!$no_sse2 && $bn_obj =~ /86/);
 
 $cflags.=" -DOPENSSL_BN_ASM_MONT" if ($bn_obj =~ /-mont/);
 
+if ($fips)
+ {
+ $openssl_other_defines.="#define OPENSSL_FIPS\n";
+ if ($fipscanisterinternal eq "y")
+ {
+ $openssl_other_defines.="#define OPENSSL_FIPSCANISTER\n";
+ }
+ }
+
 $cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/);
 $des_obj=$des_enc unless ($des_obj =~ /\.o$/);
 $bf_obj=$bf_enc unless ($bf_obj =~ /\.o$/);
@@ -1574,6 +1609,21 @@ while ()
 s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
 s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/;
 s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/;
+ s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
+ if ($fipsdso)
+ {
+ s/^FIPSCANLIB=.*/FIPSCANLIB=libfips/;
+ s/^SHARED_FIPS=.*/SHARED_FIPS=libfips\$(SHLIB_EXT)/;
+ s/^SHLIBDIRS=.*/SHLIBDIRS= crypto ssl fips/;
+ }
+ else
+ {
+ s/^FIPSCANLIB=.*/FIPSCANLIB=libcrypto/ if $fips;
+ s/^SHARED_FIPS=.*/SHARED_FIPS=/;
+ s/^SHLIBDIRS=.*/SHLIBDIRS= crypto ssl/;
+ }
+ s/^FIPSCANISTERINTERNAL=.*/FIPSCANISTERINTERNAL=$fipscanisterinternal/;
+ s/^BASEADDR=.*/BASEADDR=$baseaddr/;
 s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
 s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
 s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
@@ -1884,9 +1934,16 @@ BEGIN
 BEGIN
 BLOCK "040904b0"
 BEGIN
+#if defined(FIPS)
+ VALUE "Comments", "WARNING: TEST VERSION ONLY ***NOT*** FIPS 140-2 VALIDATED.\\0"
+#endif
 // Required:
 VALUE "CompanyName", "The OpenSSL Project, http://www.openssl.org/\\0"
+#if defined(FIPS)
+ VALUE "FileDescription", "TEST UNVALIDATED FIPS140-2 DLL\\0"
+#else
 VALUE "FileDescription", "OpenSSL Shared Library\\0"
+#endif
 VALUE "FileVersion", "$version\\0"
 #if defined(CRYPTO)
 VALUE "InternalName", "libeay32\\0"
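Review bot: In the `@@ -1574` hunk the two `s/^SHARED_FIPS=.*/.../` substitutions have no line to rewrite: the Makefile.org half of this commit adds `FIPSLIBDIR=`, `FIPSCANISTERINTERNAL=`, `FIPSCANLIB=` and `BASEADDR=` but no `SHARED_FIPS=`, and a `s///` against a line that is absent silently does nothing, so a `fipsdso` configure would produce a Makefile without `SHARED_FIPS` unless that line already exists in Makefile.org outside the hunks shown. Add `SHARED_FIPS=` beside `FIPSCANLIB=` in Makefile.org (and consider passing it in `BUILDENV`, which does not carry it either). The `else` branch also rewrites `SHLIBDIRS` to `crypto ssl` unconditionally, a no-op today that will silently undo any later change to the Makefile.org default; keeping only `s/^SHLIBDIRS=.*/SHLIBDIRS= crypto ssl fips/ if $fipsdso;` avoids Configure owning a value it does not need to. The enclosing `while` loop starts and ends outside this hunk.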
@@ -1894,6 +1951,9 @@ BEGIN
 #elif defined(SSL)
 VALUE "InternalName", "ssleay32\\0"
 VALUE "OriginalFilename", "ssleay32.dll\\0"
+#elif defined(FIPS)
+ VALUE "InternalName", "libosslfips\\0"
+ VALUE "OriginalFilename", "libosslfips.dll\\0"
 #endif
 VALUE "ProductName", "The OpenSSL Toolkit\\0"
 VALUE "ProductVersion", "$version\\0"
@@ -1936,6 +1996,21 @@ libraries on this platform, they will at least look at it and try their best
 (but please first make sure you have tried with a current version of OpenSSL).
 EOF
 
+print <<\EOF if ($fipscanisterinternal eq "y");
+
+WARNING: OpenSSL has been configured using unsupported option(s) to internally
+generate a fipscanister.o object module for TESTING PURPOSES ONLY; that
+compiled module is NOT FIPS 140-2 validated and CANNOT be used to replace the
+OpenSSL FIPS Object Module as identified by the CMVP
+(http://csrc.nist.gov/cryptval/) in any application requiring the use of FIPS
+140-2 validated software.
+
+This is an OpenSSL 1.1.0 test version.
+
+See the file README.FIPS for details of how to build a test library.
+
+EOF
+
 exit(0);
 
 sub usage
diff --git a/Makefile.org b/Makefile.org
index 48abf3dc12..6fd7acf8be 100644
--- a/Makefile.org
+++ b/Makefile.org
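Review bot: The new warning in the `@@ -1936` hunk is printed only when `$fipscanisterinternal eq "y"`, so a `nofipscanistercheck` configure, which also sets `$fips` and defines `OPENSSL_FIPS` while skipping the canister check, finishes with no notice at all that the result cannot be treated as a validated build; consider `print <<\EOF if ($fipscanisterinternal eq "y" || $nofipscanistercheck);` or a second, shorter message for that case. The version in `This is an OpenSSL 1.1.0 test version.` is hard-coded inside a non-interpolating `<<\EOF` heredoc and will go stale on the next release; if `$version` is in scope here as it is in the .rc template earlier in this file, switching to `<<"EOF"` and writing `This is an OpenSSL $version test version.` keeps the two in step (the body contains no other `$` or `@` that would interpolate).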
@@ -110,7 +110,33 @@ LIBKRB5=
 ZLIB_INCLUDE=
 LIBZLIB=
 
-DIRS= crypto ssl engines apps test tools
+# This is the location of fipscanister.o and friends.
+# The FIPS module build will place it $(INSTALLTOP)/lib
+# but since $(INSTALLTOP) can only take the default value
+# when the module is built it will be in /usr/local/ssl/lib
+# $(INSTALLTOP) for this build make be different so hard
+# code the path.
+
+FIPSLIBDIR=/usr/local/ssl/$(LIBDIR)/
+
+# This is set to "y" if fipscanister.o is compiled internally as
+# opposed to coming from an external validated location.
+
+FIPSCANISTERINTERNAL=n
+
+# The location of the library which contains fipscanister.o
+# normally it will be libcrypto unless fipsdso is set in which
+# case it will be libfips. If not compiling in FIPS mode at all
+# this is empty making it a useful test for a FIPS compile.
+
+FIPSCANLIB=
+
+# Shared library base address. Currently only used on Windows.
+#
+
+BASEADDR=
+
+DIRS= crypto fips ssl engines apps test tools
 ENGDIRS= ccgost
 SHLIBDIRS= crypto ssl
 
@@ -207,6 +233,10 @@ BUILDENV= PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
 WP_ASM_OBJ='$(WP_ASM_OBJ)' \
 MODES_ASM_OBJ='$(MODES_ASM_OBJ)' \
 PERLASM_SCHEME='$(PERLASM_SCHEME)' \
+ FIPSLIBDIR='${FIPSLIBDIR}' \
+ FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}" \
+ FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}' \
+ FIPS_EX_OBJ='${FIPS_EX_OBJ}' \
 THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
 # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
 # which in turn eliminates ambiguities in variable treatment with -e.
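Review bot: The `FIPSLIBDIR` default and its comment disagree with each other and with Configure: the comment says the module lands in `/usr/local/ssl/lib`, the assignment says `/usr/local/ssl/$(LIBDIR)/`, and Configure in this same commit unconditionally rewrites the line to `/usr/local/ssl/fips-1.0/lib/` (or to empty for the in-tree builds), so whatever is written here never survives a `Configure` run. Pick one path, have the comment say that Configure overrides it, and fix the typo `make be different` → `may be different`. The `BASEADDR` comment ends in a dangling `#` line that says nothing; either drop it or note that Configure fills the value in (`0xFB00000` in this patch) and that it is only used for the Windows build.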
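Review bot: `FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}"` lets a variable in the caller's environment override the configured value for every sub-make, while the other three new entries use single quotes and the `build_crypto` rule in this commit tests the make variable `$(FIPSCANLIB)` directly, so a stray `FIPSCANLIB` in the environment could switch sub-makes into (or out of) the FIPS link path without `build_crypto` noticing. If the override is intentional, mirroring `THIS=$${THIS:-$@}` on the next line, a comment saying why it is needed, e.g. `# FIPSCANLIB may be pre-set by a sub-make; honour the inherited value`, would stop a later reader from "fixing" it; otherwise write `FIPSCANLIB='${FIPSCANLIB}' \` like its neighbours. The `BUILDENV` definition starts before this hunk.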
@@ -238,13 +268,92 @@ BUILD_ONE_CMD=\
 reflect:
 @[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
 
+
+# FIXME
+
+FIPS_EX_OBJ= ../crypto/aes/aes_cfb.o \
+ ../crypto/aes/aes_ecb.o \
+ ../crypto/aes/aes_ofb.o \
+ ../crypto/bn/bn_add.o \
+ ../crypto/bn/bn_blind.o \
+ ../crypto/bn/bn_ctx.o \
+ ../crypto/bn/bn_div.o \
+ ../crypto/bn/bn_exp2.o \
+ ../crypto/bn/bn_exp.o \
+ ../crypto/bn/bn_gcd.o \
+ ../crypto/bn/bn_lib.o \
+ ../crypto/bn/bn_mod.o \
+ ../crypto/bn/bn_mont.o \
+ ../crypto/bn/bn_mul.o \
+ ../crypto/bn/bn_prime.o \
+ ../crypto/bn/bn_rand.o \
+ ../crypto/bn/bn_recp.o \
+ ../crypto/bn/bn_shift.o \
+ ../crypto/bn/bn_sqr.o \
+ ../crypto/bn/bn_word.o \
+ ../crypto/bn/bn_x931p.o \
+ ../crypto/buffer/buf_str.o \
+ ../crypto/cryptlib.o \
+ ../crypto/des/cfb64ede.o \
+ ../crypto/des/cfb64enc.o \
+ ../crypto/des/cfb_enc.o \
+ ../crypto/des/ecb3_enc.o \
+ ../crypto/des/ofb64ede.o \
+ ../crypto/des/fcrypt.o \
+ ../crypto/des/set_key.o \
+ ../crypto/dh/dh_check.o \
+ ../crypto/dh/dh_gen.o \
+ ../crypto/dh/dh_key.o \
+ ../crypto/dsa/dsa_gen.o \
+ ../crypto/dsa/dsa_key.o \
+ ../crypto/dsa/dsa_ossl.o \
+ ../crypto/dsa/dsa_sign.o \
+ ../crypto/dsa/dsa_vrf.o \
+ ../crypto/evp/e_aes.o \
+ ../crypto/evp/e_des3.o \
+ ../crypto/evp/m_sha1.o \
+ ../crypto/hmac/hmac.o \
+ ../crypto/mem.o \
+ ../crypto/modes/cfb128.o \
+ ../crypto/modes/ctr128.o \
+ ../crypto/modes/ofb128.o \
+ ../crypto/rand/md_rand.o \
+ ../crypto/rand/rand_egd.o \
+ ../crypto/rand/randfile.o \
+ ../crypto/rand/rand_lib.o \
+ ../crypto/rand/rand_os2.o \
+ ../crypto/rand/rand_unix.o \
+ ../crypto/rand/rand_win.o \
+ ../crypto/rsa/rsa_eay.o \
+ ../crypto/rsa/rsa_gen.o \
+ ../crypto/rsa/rsa_crpt.o \
+ ../crypto/rsa/rsa_none.o \
+ ../crypto/rsa/rsa_oaep.o \
+ ../crypto/rsa/rsa_pk1.o \
+ ../crypto/rsa/rsa_pss.o \
+ ../crypto/rsa/rsa_ssl.o \
+ ../crypto/rsa/rsa_x931.o \
+ ../crypto/sha/sha1dgst.o \
+ ../crypto/sha/sha256.o \
+ ../crypto/sha/sha512.o \
+ ../crypto/uid.o
+
 sub_all: build_all
 build_all: build_libs build_apps build_tests build_tools
 
-build_libs: build_crypto build_ssl build_engines
+build_libs: build_crypto build_fips build_ssl build_engines
+
+build_fips:
+ @dir=fips; target=all; [ -z "$(FIPSCANLIB)" ] || $(BUILD_ONE_CMD)
 
 build_crypto:
- @dir=crypto; target=all; $(BUILD_ONE_CMD)
+ if [ -n "$(FIPSCANLIB)" ]; then \
+ EXCL_OBJ='$(AES_ENC) $(BN_ASM) $(DES_ENC) $(CPUID_OBJ) $(SHA1_ASM_OBJ) $(FIPS_EX_OBJ)' ; export EXCL_OBJ ; \
+ ARX='$(PERL) $${TOP}/util/arx.pl $(AR)' ; \
+ else \
+ ARX='${AR}' ; \
+ fi ; export ARX ; \
+ dir=crypto; target=all; $(BUILD_ONE_CMD)
 build_ssl:
 @dir=ssl; target=all; $(BUILD_ONE_CMD)
 build_engines:
-- 
2.25.1
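Review bot: `FIPS_EX_OBJ` is a hand-maintained list of 66 objects that has to match exactly what the in-tree fipscanister.o provides, yet the only comment on it is a bare `# FIXME`; an object listed here but absent from the canister leaves libcrypto without its symbols, one missing here gets archived twice, and neither mistake surfaces before link time. Replace the marker with a comment that states the contract and the plan, e.g. `# Objects left out of libcrypto when FIPSCANLIB is set, because fipscanister.o already provides them; must stay in sync with the fips/ object list (FIXME: derive it from there instead of duplicating it).` The rewritten `build_crypto` recipe also drops the leading `@` that the removed line and the neighbouring `build_fips`/`build_ssl` recipes carry, so the whole `if`/`export` preamble is now echoed on every build; `@if [ -n "$(FIPSCANLIB)" ]; then \` keeps the output consistent. The `ARX` string defers `$${TOP}` to the sub-make's shell, which only works if `TOP` is exported through `BUILDENV`; that definition is outside this hunk and worth checking.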