From dec95d75897125133380c7ce3c6ce58c93c06f10 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Fri, 4 Oct 2019 01:38:17 +0200 Subject: [PATCH] Rework how our providers are built We put almost everything in these internal static libraries: libcommon Block building code that can be used by all our implementations, legacy and non-legacy alike. libimplementations All non-legacy algorithm implementations and only them. All the code that ends up here is agnostic to the definitions of FIPS_MODE. liblegacy All legacy implementations. libnonfips Support code for the algorithm implementations. Built with FIPS_MODE undefined. Any code that checks that FIPS_MODE isn't defined must end up in this library. libfips Support code for the algorithm implementations. Built with FIPS_MODE defined. Any code that checks that FIPS_MODE is defined must end up in this library. The FIPS provider module is built from providers/fips/*.c and linked with libimplementations, libcommon and libfips. The Legacy provider module is built from providers/legacy/*.c and linked with liblegacy, libcommon and libcrypto. If module building is disabled, the object files from liblegacy and libcommon are added to libcrypto and the Legacy provider becomes a built-in provider. The Default provider module is built-in, so it ends up being linked with libimplementations, libcommon and libnonfips. For libcrypto in form of static library, the object files from those other libraries are simply being added to libcrypto. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/10088) --- crypto/aes/build.info | 4 +- crypto/bn/build.info | 4 +- crypto/buffer/build.info | 2 +- crypto/build.info | 6 +- crypto/cmac/build.info | 2 +- crypto/des/build.info | 2 +- crypto/ec/build.info | 4 +- crypto/evp/build.info | 2 +- crypto/hmac/build.info | 2 +- crypto/lhash/build.info | 2 +- crypto/modes/build.info | 4 +- crypto/property/build.info | 2 +- crypto/rand/build.info | 2 +- crypto/sha/build.info | 4 +- crypto/stack/build.info | 2 +- providers/build.info | 146 ++++++++++++++++++++-- providers/common/build.info | 7 +- providers/common/ciphers/build.info | 23 ++-- providers/common/ciphers/cipher_aes_xts.c | 6 - providers/common/ciphers/cipher_aes_xts.h | 6 + providers/common/ciphers/cipher_fips.c | 16 +++ providers/common/digests/build.info | 10 +- providers/common/exchange/build.info | 8 +- providers/common/kdfs/build.info | 16 +-- providers/common/kdfs/pbkdf2.c | 12 +- providers/common/kdfs/pbkdf2.h | 14 +++ providers/common/kdfs/pbkdf2_fips.c | 20 +++ providers/common/keymgmt/build.info | 9 +- providers/common/macs/build.info | 12 +- providers/common/signature/build.info | 6 +- providers/default/build.info | 8 +- providers/default/ciphers/build.info | 26 ++-- providers/default/digests/build.info | 7 +- providers/default/kdfs/build.info | 5 +- providers/default/macs/build.info | 10 +- providers/fips/build.info | 1 + providers/legacy/digests/build.info | 23 ++-- 37 files changed, 288 insertions(+), 147 deletions(-) create mode 100644 providers/common/ciphers/cipher_fips.c create mode 100644 providers/common/kdfs/pbkdf2.h create mode 100644 providers/common/kdfs/pbkdf2_fips.c diff --git a/crypto/aes/build.info b/crypto/aes/build.info index aac88012b4..59c009761e 100644 --- a/crypto/aes/build.info +++ b/crypto/aes/build.info @@ -62,8 +62,8 @@ ENDIF $COMMON=aes_misc.c aes_ecb.c $AESASM SOURCE[../../libcrypto]=$COMMON aes_cfb.c aes_ofb.c aes_ige.c aes_wrap.c DEFINE[../../libcrypto]=$AESDEF -SOURCE[../../providers/fips]=$COMMON -DEFINE[../../providers/fips]=$AESDEF +SOURCE[../../providers/libfips.a]=$COMMON +DEFINE[../../providers/libfips.a]=$AESDEF GENERATE[aes-ia64.s]=asm/aes-ia64.S diff --git a/crypto/bn/build.info b/crypto/bn/build.info index 18b5950f6d..75b84d0df6 100644 --- a/crypto/bn/build.info +++ b/crypto/bn/build.info @@ -109,8 +109,8 @@ $COMMON=bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c \ bn_rsa_fips186_4.c $BNASM SOURCE[../../libcrypto]=$COMMON bn_print.c bn_err.c bn_depr.c bn_srp.c DEFINE[../../libcrypto]=$BNDEF -SOURCE[../../providers/fips]=$COMMON -DEFINE[../../providers/fips]=$BNDEF +SOURCE[../../providers/libfips.a]=$COMMON +DEFINE[../../providers/libfips.a]=$BNDEF INCLUDE[../../libcrypto]=../../crypto/include diff --git a/crypto/buffer/build.info b/crypto/buffer/build.info index 63de1a570f..6f31397be7 100644 --- a/crypto/buffer/build.info +++ b/crypto/buffer/build.info @@ -1,3 +1,3 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]=buffer.c buf_err.c -SOURCE[../../providers/fips]=buffer.c +SOURCE[../../providers/libfips.a]=buffer.c diff --git a/crypto/build.info b/crypto/build.info index 5d3b123d69..f41ecf448f 100644 --- a/crypto/build.info +++ b/crypto/build.info @@ -63,7 +63,7 @@ $CORE_COMMON=provider_core.c provider_predefined.c \ core_fetch.c core_algorithm.c core_namemap.c SOURCE[../libcrypto]=$CORE_COMMON provider_conf.c -SOURCE[../providers/fips]=$CORE_COMMON +SOURCE[../providers/libfips.a]=$CORE_COMMON # Central utilities $UTIL_COMMON=\ @@ -78,8 +78,8 @@ SOURCE[../libcrypto]=$UTIL_COMMON \ o_fopen.c getenv.c o_init.c o_fips.c init.c trace.c provider.c \ $UPLINKSRC DEFINE[../libcrypto]=$UTIL_DEFINE $UPLINKDEF -SOURCE[../providers/fips]=$UTIL_COMMON -DEFINE[../providers/fips]=$UTIL_DEFINE +SOURCE[../providers/libfips.a]=$UTIL_COMMON +DEFINE[../providers/libfips.a]=$UTIL_DEFINE DEPEND[info.o]=buildinf.h diff --git a/crypto/cmac/build.info b/crypto/cmac/build.info index f6c8bfabbc..a2f6f218c2 100644 --- a/crypto/cmac/build.info +++ b/crypto/cmac/build.info @@ -3,4 +3,4 @@ LIBS=../../libcrypto $COMMON=cmac.c SOURCE[../../libcrypto]=$COMMON cm_ameth.c -SOURCE[../../providers/fips]=$COMMON +SOURCE[../../providers/libfips.a]=$COMMON diff --git a/crypto/des/build.info b/crypto/des/build.info index 774bad754b..b1c1e624c2 100644 --- a/crypto/des/build.info +++ b/crypto/des/build.info @@ -20,7 +20,7 @@ SOURCE[../../libcrypto]=$COMMON\ ofb64ede.c ofb64enc.c ofb_enc.c \ str2key.c pcbc_enc.c qud_cksm.c rand_key.c \ fcrypt.c xcbc_enc.c cbc_cksm.c -SOURCE[../../providers/fips]=$COMMON +SOURCE[../../providers/libfips.a]=$COMMON GENERATE[des_enc-sparc.S]=asm/des_enc.m4 GENERATE[dest4-sparcv9.S]=asm/dest4-sparcv9.pl diff --git a/crypto/ec/build.info b/crypto/ec/build.info index d140b5d64b..40aef36798 100644 --- a/crypto/ec/build.info +++ b/crypto/ec/build.info @@ -57,8 +57,8 @@ $COMMON=ec_lib.c ecp_smpl.c ecp_mont.c ecp_nist.c ec_cvt.c ec_mult.c \ SOURCE[../../libcrypto]=$COMMON ec_ameth.c ec_pmeth.c ecx_meth.c ec_err.c \ ecdh_kdf.c eck_prn.c DEFINE[../../libcrypto]=$ECDEF -SOURCE[../../providers/fips]=$COMMON -DEFINE[../../providers/fips]=$ECDEF +SOURCE[../../providers/libfips.a]=$COMMON +DEFINE[../../providers/libfips.a]=$ECDEF GENERATE[ecp_nistz256-x86.s]=asm/ecp_nistz256-x86.pl diff --git a/crypto/evp/build.info b/crypto/evp/build.info index 9c71930c05..94f033bbc1 100644 --- a/crypto/evp/build.info +++ b/crypto/evp/build.info @@ -18,7 +18,7 @@ SOURCE[../../libcrypto]=$COMMON\ e_chacha20_poly1305.c \ pkey_mac.c exchange.c \ legacy_sha.c legacy_md5_sha1.c -SOURCE[../../providers/fips]=$COMMON +SOURCE[../../providers/libfips.a]=$COMMON INCLUDE[e_aes.o]=.. ../modes INCLUDE[e_aes_cbc_hmac_sha1.o]=../modes diff --git a/crypto/hmac/build.info b/crypto/hmac/build.info index 56ad67ef8f..4ed90c09f4 100644 --- a/crypto/hmac/build.info +++ b/crypto/hmac/build.info @@ -3,4 +3,4 @@ LIBS=../../libcrypto $COMMON=hmac.c SOURCE[../../libcrypto]=$COMMON hm_ameth.c -SOURCE[../../providers/fips]=$COMMON +SOURCE[../../providers/libfips.a]=$COMMON diff --git a/crypto/lhash/build.info b/crypto/lhash/build.info index 0aa12a1eb3..b3176b8358 100644 --- a/crypto/lhash/build.info +++ b/crypto/lhash/build.info @@ -1,5 +1,5 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]=\ lhash.c lh_stats.c -SOURCE[../../providers/fips]=\ +SOURCE[../../providers/libfips.a]=\ lhash.c diff --git a/crypto/modes/build.info b/crypto/modes/build.info index 8a8aead651..4ae0d8b011 100644 --- a/crypto/modes/build.info +++ b/crypto/modes/build.info @@ -54,8 +54,8 @@ SOURCE[../../libcrypto]=$COMMON \ cts128.c ocb128.c siv128.c DEFINE[../../libcrypto]=$MODESDEF -SOURCE[../../providers/fips]=$COMMON -DEFINE[../../providers/fips]=$MODESDEF +SOURCE[../../providers/libfips.a]=$COMMON +DEFINE[../../providers/libfips.a]=$MODESDEF INCLUDE[gcm128.o]=.. diff --git a/crypto/property/build.info b/crypto/property/build.info index db3c944498..bfa1f0602f 100644 --- a/crypto/property/build.info +++ b/crypto/property/build.info @@ -1,4 +1,4 @@ LIBS=../../libcrypto $COMMON=property_string.c property_parse.c property.c defn_cache.c SOURCE[../../libcrypto]=$COMMON property_err.c -SOURCE[../../providers/fips]=$COMMON +SOURCE[../../providers/libfips.a]=$COMMON diff --git a/crypto/rand/build.info b/crypto/rand/build.info index 3e0a9c7432..0925c4b2de 100644 --- a/crypto/rand/build.info +++ b/crypto/rand/build.info @@ -4,4 +4,4 @@ $COMMON=rand_lib.c rand_crng_test.c rand_win.c rand_unix.c rand_vms.c \ drbg_lib.c drbg_ctr.c rand_vxworks.c drbg_hash.c drbg_hmac.c SOURCE[../../libcrypto]=$COMMON randfile.c rand_err.c rand_egd.c -SOURCE[../../providers/fips]=$COMMON +SOURCE[../../providers/libfips.a]=$COMMON diff --git a/crypto/sha/build.info b/crypto/sha/build.info index 67d9fd4723..25c64a0e2c 100644 --- a/crypto/sha/build.info +++ b/crypto/sha/build.info @@ -76,8 +76,8 @@ ENDIF $COMMON=sha1dgst.c sha256.c sha512.c sha3.c $SHA1ASM $KECCAK1600ASM SOURCE[../../libcrypto]=$COMMON sha1_one.c DEFINE[../../libcrypto]=$SHA1DEF $KECCAK1600DEF -SOURCE[../../providers/fips]= $COMMON -DEFINE[../../providers/fips]= $SHA1DEF $KECCAK1600DEF +SOURCE[../../providers/libfips.a]= $COMMON +DEFINE[../../providers/libfips.a]= $SHA1DEF $KECCAK1600DEF GENERATE[sha1-586.s]=asm/sha1-586.pl DEPEND[sha1-586.s]=../perlasm/x86asm.pl diff --git a/crypto/stack/build.info b/crypto/stack/build.info index e4183e089c..23d83a6f11 100644 --- a/crypto/stack/build.info +++ b/crypto/stack/build.info @@ -1,3 +1,3 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]=stack.c -SOURCE[../../providers/fips]=stack.c +SOURCE[../../providers/libfips.a]=stack.c diff --git a/providers/build.info b/providers/build.info index 80b2952494..e951c6229d 100644 --- a/providers/build.info +++ b/providers/build.info @@ -1,30 +1,150 @@ +# We place all implementations in static libraries, and then let the +# provider mains pilfer what they want through symbol resolution when +# linking. +# +# The non-legacy implementations (libimplementations) must be made FIPS +# agnostic as much as possible, as well as the common building blocks +# (libcommon). The legacy implementations (liblegacy) will never be +# part of the FIPS provider. +# +# If there is anything that isn't FIPS agnostic, it should be set aside +# in its own source file, which is then included directly into other +# static libraries geared for FIPS and non-FIPS providers, and built +# separately. +# +# libcommon.a Contains common building blocks, potentially +# needed both by non-legacy and legacy code. +# +# libimplementations.a Contains all non-legacy implementations. +# liblegacy.a Contains all legacy implementaions. +# +# libfips.a Contains all things needed to support +# FIPS implementations, such as code from +# crypto/ and object files that contain +# FIPS-specific code. FIPS_MODE is defined +# for this library. The FIPS module uses +# this. +# libnonfips.a Corresponds to libfips.a, but built with +# FIPS_MODE undefined. The default and legacy +# providers use this. + SUBDIRS=common default INCLUDE[../libcrypto]=common/include +# Libraries we're dealing with +$LIBCOMMON=libcommon.a +$LIBIMPLEMENTATIONS=libimplementations.a +$LIBLEGACY=liblegacy.a +$LIBNONFIPS=libnonfips.a +$LIBFIPS=libfips.a + +# Enough of our implementations include prov/ciphercommon.h (present in +# providers/common/include), which includes crypto/ciphermode_platform.h +# (present in include), which in turn may include very internal header +# files in crypto/, so let's have a common include list for them all. +$COMMON_INCLUDES=../crypto ../include common/include + +INCLUDE[$LIBCOMMON]=$COMMON_INCLUDES +INCLUDE[$LIBIMPLEMENTATIONS]=.. $COMMON_INCLUDES default/include +INCLUDE[$LIBLEGACY]=$COMMON_INCLUDES +INCLUDE[$LIBNONFIPS]=$COMMON_INCLUDES +INCLUDE[$LIBFIPS]=.. $COMMON_INCLUDES +DEFINE[$LIBFIPS]=FIPS_MODE + +# Weak dependencies to provide library order information. +# We make it weak so they aren't both used always; what is +# actually used is determined by non-weak dependencies. +DEPEND[$LIBIMPLEMENTATIONS]{weak}=$LIBFIPS $LIBNONFIPS +DEPEND[$LIBCOMMON]{weak}=$LIBFIPS + +# Strong dependencies. This ensures that any time libimplementations +# is used, libcommon gets included as well. +DEPEND[$LIBIMPLEMENTATIONS]=$LIBCOMMON +DEPEND[$LIBNONFIPS]=../libcrypto +# It's tempting to make libcommon depend on ../libcrypto. However, +# since the FIPS provider module must NOT depend on ../libcrypto, we +# need to set that dependency up specifically for the final products +# that use $LIBCOMMON or anything that depends on it. + +# Libraries common to all providers, must be built regardless +LIBS{noinst}=$LIBCOMMON +# Libraries that are common for all non-FIPS providers, must be built regardless +LIBS{noinst}=$LIBNONFIPS $LIBIMPLEMENTATIONS + +# +# Default provider stuff +# +# Because the default provider is built in, it means that libcrypto must +# include all the object files that are needed (we do that indirectly, +# by using the appropriate libraries as source). Note that for shared +# libraries, SOURCEd libraries are considered as if the where specified +# with DEPEND. +$DEFAULTGOAL=../libcrypto +SOURCE[$DEFAULTGOAL]=$LIBIMPLEMENTATIONS $LIBNONFIPS + +LIBS=$DEFAULTGOAL + +# +# FIPS provider stuff +# +# We define it this way to ensure that configdata.pm will have all the +# necessary information even if we don't build the module. This will allow +# us to make all kinds of checks on the source, based on what we specify in +# diverse build.info files. libfips.a, fips.so and their sources aren't +# built unless the proper LIBS or MODULES statement has been seen, so we +# have those and only those within a condition. +SUBDIRS=fips +$FIPSGOAL=fips +DEPEND[$FIPSGOAL]=$LIBIMPLEMENTATIONS $LIBFIPS +INCLUDE[$FIPSGOAL]=../include +IF[{- defined $target{shared_defflag} -}] + SOURCE[$FIPSGOAL]=fips.ld + GENERATE[fips.ld]=../util/providers.num +ENDIF + IF[{- !$disabled{fips} -}] - SUBDIRS=fips - MODULES=fips - IF[{- defined $target{shared_defflag} -}] - SOURCE[fips]=fips.ld - GENERATE[fips.ld]=../util/providers.num - ENDIF - INCLUDE[fips]=.. ../include common/include - DEFINE[fips]=FIPS_MODE + # This is the trigger to actually build the FIPS module. Without these + # statements, the final build file will not have a trace of it. + MODULES=$FIPSGOAL + LIBS{noinst}=$LIBFIPS ENDIF +# +# Legacy provider stuff +# IF[{- !$disabled{legacy} -}] + # The legacy implementation library SUBDIRS=legacy + LIBS{noinst}=$LIBLEGACY + DEPEND[$LIBLEGACY]=$LIBCOMMON $LIBNONFIPS + + # The Legacy provider IF[{- $disabled{module} -}] - LIBS=../libcrypto - DEFINE[../libcrypto]=STATIC_LEGACY + # Become built in + # In this case, we need to do the same thing a for the default provider, + # and make the liblegacy object files end up in libcrypto. We could also + # just say that for the built-in legacy, we put the source directly in + # libcrypto instead of going via liblegacy, but that makes writing the + # implementation specific build.info files harder to write, so we don't. + $LEGACYGOAL=../libcrypto + SOURCE[$LEGACYGOAL]=$LIBLEGACY + DEFINE[$LIBLEGACY]=STATIC_LEGACY + DEFINE[$LEGACYGOAL]=STATIC_LEGACY ELSE - MODULES=legacy + # Become a module + # In this case, we can work with dependencies + $LEGACYGOAL=legacy + MODULES=$LEGACYGOAL + DEPEND[$LEGACYGOAL]=$LIBLEGACY IF[{- defined $target{shared_defflag} -}] SOURCE[legacy]=legacy.ld GENERATE[legacy.ld]=../util/providers.num ENDIF - DEPEND[legacy]=../libcrypto - INCLUDE[legacy]=.. ../include common/include ENDIF + + # Common things that are valid no matter what form the Legacy provider + # takes. + INCLUDE[$LEGACYGOAL]=../include common/include ENDIF + diff --git a/providers/common/build.info b/providers/common/build.info index 916cc3e4ea..95c2fd107e 100644 --- a/providers/common/build.info +++ b/providers/common/build.info @@ -1,5 +1,6 @@ SUBDIRS=digests ciphers macs kdfs exchange keymgmt signature -$COMMON=provider_util.c -SOURCE[../../libcrypto]=$COMMON provider_err.c provlib.c -SOURCE[../fips]=$COMMON +SOURCE[../libcommon.a]=provider_err.c provlib.c +$FIPSCOMMON=provider_util.c +SOURCE[../libnonfips.a]=$FIPSCOMMON +SOURCE[../libfips.a]=$FIPSCOMMON diff --git a/providers/common/ciphers/build.info b/providers/common/ciphers/build.info index 0969e6d378..77376cce1e 100644 --- a/providers/common/ciphers/build.info +++ b/providers/common/ciphers/build.info @@ -1,21 +1,26 @@ -LIBS=../../../libcrypto +# This source is common building blockss for all ciphers in all our providers. +SOURCE[../../libcommon.a]=\ + cipher_common.c cipher_common_hw.c block.c \ + cipher_gcm.c cipher_gcm_hw.c \ + cipher_ccm.c cipher_ccm_hw.c + +# These are our implementations +$GOAL=../../libimplementations.a IF[{- !$disabled{des} -}] $COMMON_DES=cipher_tdes.c cipher_tdes_hw.c ENDIF -$COMMON=cipher_common.c cipher_common_hw.c block.c \ +SOURCE[$GOAL]=\ cipher_aes.c cipher_aes_hw.c \ cipher_aes_xts.c cipher_aes_xts_hw.c \ - cipher_gcm.c cipher_gcm_hw.c \ cipher_aes_gcm.c cipher_aes_gcm_hw.c \ - cipher_ccm.c cipher_ccm_hw.c \ cipher_aes_ccm.c cipher_aes_ccm_hw.c \ cipher_aes_wrp.c \ $COMMON_DES - -SOURCE[../../../libcrypto]=$COMMON -INCLUDE[../../../libcrypto]=. ../../../crypto +# Because some default ciphers need it +INCLUDE[$GOAL]=. -SOURCE[../../fips]=$COMMON -INCLUDE[../../fips]=. ../../../crypto +# Finally, we have a few things that aren't FIPS agnostic +SOURCE[../../libfips.a]=cipher_fips.c +SOURCE[../../libnonfips.a]=cipher_fips.c diff --git a/providers/common/ciphers/cipher_aes_xts.c b/providers/common/ciphers/cipher_aes_xts.c index fdda733d24..d0b999081e 100644 --- a/providers/common/ciphers/cipher_aes_xts.c +++ b/providers/common/ciphers/cipher_aes_xts.c @@ -20,12 +20,6 @@ #define AES_XTS_IV_BITS 128 #define AES_XTS_BLOCK_BITS 8 -#ifdef FIPS_MODE -static const int allow_insecure_decrypt = 0; -#else -static const int allow_insecure_decrypt = 1; -#endif /* FIPS_MODE */ - /* forward declarations */ static OSSL_OP_cipher_encrypt_init_fn aes_xts_einit; static OSSL_OP_cipher_decrypt_init_fn aes_xts_dinit; diff --git a/providers/common/ciphers/cipher_aes_xts.h b/providers/common/ciphers/cipher_aes_xts.h index 4f8a8f874f..16fb8c34cd 100644 --- a/providers/common/ciphers/cipher_aes_xts.h +++ b/providers/common/ciphers/cipher_aes_xts.h @@ -10,6 +10,12 @@ #include #include "internal/ciphers/ciphercommon.h" +/* + * Available in cipher_fips.c, and compiled with different values depending + * on we're in the FIPS module or not. + */ +extern const int allow_insecure_decrypt; + PROV_CIPHER_FUNC(void, xts_stream, (const unsigned char *in, unsigned char *out, size_t len, const AES_KEY *key1, const AES_KEY *key2, diff --git a/providers/common/ciphers/cipher_fips.c b/providers/common/ciphers/cipher_fips.c new file mode 100644 index 0000000000..c99d6ed2f4 --- /dev/null +++ b/providers/common/ciphers/cipher_fips.c @@ -0,0 +1,16 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "cipher_aes_xts.h" + +#ifdef FIPS_MODE +const int allow_insecure_decrypt = 0; +#else +const int allow_insecure_decrypt = 1; +#endif /* FIPS_MODE */ diff --git a/providers/common/digests/build.info b/providers/common/digests/build.info index fbbce36e87..2a8e8aa397 100644 --- a/providers/common/digests/build.info +++ b/providers/common/digests/build.info @@ -1,5 +1,7 @@ -$COMMON=sha2_prov.c sha3_prov.c digest_common.c +# This source is common for all digests in all our providers. +SOURCE[../../libcommon.a]=digest_common.c -SOURCE[../../../libcrypto]=$COMMON -SOURCE[../../fips]=$COMMON -SOURCE[../../legacy]= digest_common.c +# These are our implementations +$GOAL=../../libimplementations.a + +SOURCE[$GOAL]=sha2_prov.c sha3_prov.c diff --git a/providers/common/exchange/build.info b/providers/common/exchange/build.info index c99c9d81b5..90ea0c9a02 100644 --- a/providers/common/exchange/build.info +++ b/providers/common/exchange/build.info @@ -1,7 +1,5 @@ -LIBS=../../../libcrypto +$GOAL=../../libimplementations.a + IF[{- !$disabled{dh} -}] - SOURCE[../../../libcrypto]=\ - dh_exch.c + SOURCE[$GOAL]=dh_exch.c ENDIF - - diff --git a/providers/common/kdfs/build.info b/providers/common/kdfs/build.info index 8a723d488d..b2b354dc34 100644 --- a/providers/common/kdfs/build.info +++ b/providers/common/kdfs/build.info @@ -1,13 +1,5 @@ -$COMMON=tls1_prf.c hkdf.c kbkdf.c pbkdf2.c sskdf.c +$GOAL=../../libimplementations.a -LIBS=../../../libcrypto -SOURCE[../../../libcrypto]=$COMMON -INCLUDE[../../../libcrypto]=. ../../../crypto - -IF[{- !$disabled{fips} -}] - MODULES=../../fips - SOURCE[../../fips]=$COMMON - INCLUDE[../../fips]=. ../../../crypto -ENDIF - - +SOURCE[$GOAL]=tls1_prf.c hkdf.c kbkdf.c pbkdf2.c sskdf.c +SOURCE[../../libfips.a]=pbkdf2_fips.c +SOURCE[../../libnonfips.a]=pbkdf2_fips.c diff --git a/providers/common/kdfs/pbkdf2.c b/providers/common/kdfs/pbkdf2.c index b98123b872..68aa0aa7c4 100644 --- a/providers/common/kdfs/pbkdf2.c +++ b/providers/common/kdfs/pbkdf2.c @@ -21,21 +21,13 @@ #include "internal/providercommonerr.h" #include "internal/provider_algs.h" #include "internal/provider_util.h" +#include "pbkdf2.h" /* Constants specified in SP800-132 */ #define KDF_PBKDF2_MIN_KEY_LEN_BITS 112 #define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF #define KDF_PBKDF2_MIN_ITERATIONS 1000 #define KDF_PBKDF2_MIN_SALT_LEN (128 / 8) -/* - * For backwards compatibility reasons, - * Extra checks are done by default in fips mode only. - */ -#ifdef FIPS_MODE -# define KDF_PBKDF2_DEFAULT_CHECKS 1 -#else -# define KDF_PBKDF2_DEFAULT_CHECKS 0 -#endif /* FIPS_MODE */ static OSSL_OP_kdf_newctx_fn kdf_pbkdf2_new; static OSSL_OP_kdf_freectx_fn kdf_pbkdf2_free; @@ -111,7 +103,7 @@ static void kdf_pbkdf2_init(KDF_PBKDF2 *ctx) /* This is an error, but there is no way to indicate such directly */ ossl_prov_digest_reset(&ctx->digest); ctx->iter = PKCS5_DEFAULT_ITER; - ctx->lower_bound_checks = KDF_PBKDF2_DEFAULT_CHECKS; + ctx->lower_bound_checks = kdf_pbkdf2_default_checks; } static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen, diff --git a/providers/common/kdfs/pbkdf2.h b/providers/common/kdfs/pbkdf2.h new file mode 100644 index 0000000000..c8c2e5b8a7 --- /dev/null +++ b/providers/common/kdfs/pbkdf2.h @@ -0,0 +1,14 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Available in pbkdfe_fips.c, and compiled with different values depending + * on we're in the FIPS module or not. + */ +extern const int kdf_pbkdf2_default_checks; diff --git a/providers/common/kdfs/pbkdf2_fips.c b/providers/common/kdfs/pbkdf2_fips.c new file mode 100644 index 0000000000..d33782b24c --- /dev/null +++ b/providers/common/kdfs/pbkdf2_fips.c @@ -0,0 +1,20 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "pbkdf2.h" + +/* + * For backwards compatibility reasons, + * Extra checks are done by default in fips mode only. + */ +#ifdef FIPS_MODE +const int kdf_pbkdf2_default_checks = 1; +#else +const int kdf_pbkdf2_default_checks = 0; +#endif /* FIPS_MODE */ diff --git a/providers/common/keymgmt/build.info b/providers/common/keymgmt/build.info index e66190c401..533c489077 100644 --- a/providers/common/keymgmt/build.info +++ b/providers/common/keymgmt/build.info @@ -1,9 +1,8 @@ -LIBS=../../../libcrypto +$GOAL=../../libimplementations.a + IF[{- !$disabled{dh} -}] - SOURCE[../../../libcrypto]=\ - dh_kmgmt.c + SOURCE[$GOAL]=dh_kmgmt.c ENDIF IF[{- !$disabled{dsa} -}] - SOURCE[../../../libcrypto]=\ - dsa_kmgmt.c + SOURCE[$GOAL]=dsa_kmgmt.c ENDIF diff --git a/providers/common/macs/build.info b/providers/common/macs/build.info index 832a1e76ec..1eafe70604 100644 --- a/providers/common/macs/build.info +++ b/providers/common/macs/build.info @@ -1,15 +1,9 @@ +$GOAL=../../libimplementations.a + $COMMON=gmac_prov.c hmac_prov.c kmac_prov.c IF[{- !$disabled{cmac} -}] $COMMON=$COMMON cmac_prov.c ENDIF -LIBS=../../../libcrypto -SOURCE[../../../libcrypto]=$COMMON -INCLUDE[../../../libcrypto]=. ../../../crypto - -IF[{- !$disabled{fips} -}] - MODULES=../../fips - SOURCE[../../fips]=$COMMON - INCLUDE[../../fips]=. ../../../crypto -ENDIF +SOURCE[$GOAL]=$COMMON diff --git a/providers/common/signature/build.info b/providers/common/signature/build.info index 5b64229dfc..496fb7d7d8 100644 --- a/providers/common/signature/build.info +++ b/providers/common/signature/build.info @@ -1,7 +1,7 @@ -LIBS=../../../libcrypto +$GOAL=../../libimplementations.a + IF[{- !$disabled{dsa} -}] - SOURCE[../../../libcrypto]=\ - dsa.c + SOURCE[$GOAL]=dsa.c ENDIF diff --git a/providers/default/build.info b/providers/default/build.info index ca78cce0a8..31ae507965 100644 --- a/providers/default/build.info +++ b/providers/default/build.info @@ -1,6 +1,4 @@ -SUBDIRS=digests macs ciphers SUBDIRS=digests kdfs macs ciphers -LIBS=../../libcrypto -SOURCE[../../libcrypto]=\ - defltprov.c -INCLUDE[../../libcrypto]=include +$GOAL=../../libcrypto +SOURCE[$GOAL]=defltprov.c +INCLUDE[$GOAL]=include diff --git a/providers/default/ciphers/build.info b/providers/default/ciphers/build.info index 5142357c7e..0440789573 100644 --- a/providers/default/ciphers/build.info +++ b/providers/default/ciphers/build.info @@ -1,7 +1,7 @@ -LIBS=../../../libcrypto +$GOAL=../../libimplementations.a IF[{- !$disabled{des} -}] - SOURCE[../../../libcrypto]=\ + SOURCE[$GOAL]=\ cipher_tdes_default.c cipher_tdes_default_hw.c \ cipher_tdes_wrap.c cipher_tdes_wrap_hw.c \ cipher_desx.c cipher_desx_hw.c \ @@ -9,59 +9,59 @@ IF[{- !$disabled{des} -}] ENDIF IF[{- !$disabled{aria} -}] - SOURCE[../../../libcrypto]=\ + SOURCE[$GOAL]=\ cipher_aria.c cipher_aria_hw.c \ cipher_aria_gcm.c cipher_aria_gcm_hw.c \ cipher_aria_ccm.c cipher_aria_ccm_hw.c ENDIF IF[{- !$disabled{camellia} -}] - SOURCE[../../../libcrypto]=\ + SOURCE[$GOAL]=\ cipher_camellia.c cipher_camellia_hw.c ENDIF IF[{- !$disabled{bf} -}] - SOURCE[../../../libcrypto]=\ + SOURCE[$GOAL]=\ cipher_blowfish.c cipher_blowfish_hw.c ENDIF IF[{- !$disabled{idea} -}] - SOURCE[../../../libcrypto]=\ + SOURCE[$GOAL]=\ cipher_idea.c cipher_idea_hw.c ENDIF IF[{- !$disabled{cast} -}] - SOURCE[../../../libcrypto]=\ + SOURCE[$GOAL]=\ cipher_cast5.c cipher_cast5_hw.c ENDIF IF[{- !$disabled{seed} -}] - SOURCE[../../../libcrypto]=\ + SOURCE[$GOAL]=\ cipher_seed.c cipher_seed_hw.c ENDIF IF[{- !$disabled{sm4} -}] - SOURCE[../../../libcrypto]=\ + SOURCE[$GOAL]=\ cipher_sm4.c cipher_sm4_hw.c ENDIF IF[{- !$disabled{ocb} -}] - SOURCE[../../../libcrypto]=\ + SOURCE[$GOAL]=\ cipher_aes_ocb.c cipher_aes_ocb_hw.c ENDIF IF[{- !$disabled{rc4} -}] - SOURCE[../../../libcrypto]=\ + SOURCE[$GOAL]=\ cipher_rc4.c cipher_rc4_hw.c ENDIF IF[{- !$disabled{rc5} -}] - SOURCE[../../../libcrypto]=\ + SOURCE[$GOAL]=\ cipher_rc5.c cipher_rc5_hw.c ENDIF IF[{- !$disabled{rc2} -}] - SOURCE[../../../libcrypto]=\ + SOURCE[$GOAL]=\ cipher_rc2.c cipher_rc2_hw.c ENDIF diff --git a/providers/default/digests/build.info b/providers/default/digests/build.info index 9d61229ae7..6869657ec9 100644 --- a/providers/default/digests/build.info +++ b/providers/default/digests/build.info @@ -1,15 +1,16 @@ +$GOAL=../../libimplementations.a IF[{- !$disabled{blake2} -}] - SOURCE[../../../libcrypto]=\ + SOURCE[$GOAL]=\ blake2_prov.c blake2b_prov.c blake2s_prov.c ENDIF IF[{- !$disabled{sm3} -}] - SOURCE[../../../libcrypto]=\ + SOURCE[$GOAL]=\ sm3_prov.c ENDIF IF[{- !$disabled{md5} -}] - SOURCE[../../../libcrypto]=\ + SOURCE[$GOAL]=\ md5_prov.c md5_sha1_prov.c ENDIF diff --git a/providers/default/kdfs/build.info b/providers/default/kdfs/build.info index 27047c5286..90b127d731 100644 --- a/providers/default/kdfs/build.info +++ b/providers/default/kdfs/build.info @@ -1,3 +1,2 @@ -LIBS=../../../libcrypto -SOURCE[../../../libcrypto]=scrypt.c sshkdf.c x942kdf.c -INCLUDE[../../../libcrypto]=. ../../../crypto +$GOAL=../../libimplementations.a +SOURCE[$GOAL]=scrypt.c sshkdf.c x942kdf.c diff --git a/providers/default/macs/build.info b/providers/default/macs/build.info index fa7f5e479a..821a3d467b 100644 --- a/providers/default/macs/build.info +++ b/providers/default/macs/build.info @@ -1,15 +1,13 @@ -LIBS=../../../libcrypto +$GOAL=../../libimplementations.a IF[{- !$disabled{blake2} -}] - SOURCE[../../../libcrypto]=blake2b_mac.c blake2s_mac.c + SOURCE[$GOAL]=blake2b_mac.c blake2s_mac.c ENDIF IF[{- !$disabled{siphash} -}] - SOURCE[../../../libcrypto]=siphash_prov.c + SOURCE[$GOAL]=siphash_prov.c ENDIF IF[{- !$disabled{poly1305} -}] - SOURCE[../../../libcrypto]=poly1305_prov.c + SOURCE[$GOAL]=poly1305_prov.c ENDIF - -INCLUDE[../../../libcrypto]=. ../../../crypto diff --git a/providers/fips/build.info b/providers/fips/build.info index 9b8effa85c..829d8ef3ea 100644 --- a/providers/fips/build.info +++ b/providers/fips/build.info @@ -1,2 +1,3 @@ SOURCE[../fips]=fipsprov.c selftest.c +INCLUDE[../fips]=../common/include \ No newline at end of file diff --git a/providers/legacy/digests/build.info b/providers/legacy/digests/build.info index 2c85970dde..4e1aeb6ddd 100644 --- a/providers/legacy/digests/build.info +++ b/providers/legacy/digests/build.info @@ -1,30 +1,21 @@ -IF[{- $disabled{module} -}] - $GOAL=../../../libcrypto -ELSE - $GOAL=../../legacy -ENDIF +$GOAL=../../liblegacy.a IF[{- !$disabled{md2} -}] - SOURCE[$GOAL]=\ - md2_prov.c + SOURCE[$GOAL]=md2_prov.c ENDIF IF[{- !$disabled{md4} -}] - SOURCE[$GOAL]=\ - md4_prov.c + SOURCE[$GOAL]=md4_prov.c ENDIF IF[{- !$disabled{mdc2} -}] - SOURCE[$GOAL]=\ - mdc2_prov.c + SOURCE[$GOAL]=mdc2_prov.c ENDIF IF[{- !$disabled{whirlpool} -}] - SOURCE[$GOAL]=\ - wp_prov.c + SOURCE[$GOAL]=wp_prov.c ENDIF IF[{- !$disabled{rmd160} -}] - SOURCE[$GOAL]=\ - ripemd_prov.c -ENDIF \ No newline at end of file + SOURCE[$GOAL]=ripemd_prov.c +ENDIF -- 2.25.1