Loading CHANGES +44 −1 Original line number Diff line number Diff line Loading @@ -2,7 +2,50 @@ OpenSSL CHANGES _______________ Changes between 0.9.8e and 0.9.8f [xx XXX xxxx] Changes between 0.9.8e and 0.9.8f-fips [xx XXX xxxx] *) Move error library so that all lhash dependencies are in a separate file. Include a simplified ERR_get_state() function for stand alone FIPS applications. Include a initialization function OPENSSL_init() to set all callbacks, automatically call OPENSSL_init() once when a cipher or digest is added. This should mean that almost all applications set the callbacks automatically. Exceptional cases can call OPENSSL_init() manually like this: #ifdef OPENSSL_HAVE_INIT OPENSSL_init(); #endif before starting any threads. [Steve Henson] *) Collect common functions into header file "fips_utl.h". [Steve Henson] *) Only enable dynamic lock functionality in CRYPTO_lock() when it is really needed. Move some lock functionality into new file dyn_lck.c . This further reduces FIPS dependencies allowing the complete removal of STACK and OBJ_bsearch(). [Steve Henson] *) Reduce FIPS test program dependencies by providing stand alone versions of some existing functions in libcrypto. Avoid use of BIOs by converting to system stdio. Move some functions in FIPS files: e.g. all use of BIO_printf(). [Steve Henson] *) Modify build of libcrypto in FIPS mode by using a perl script "arx.pl" which calls the archiver specifically excluding any FIPS dependencies in libcrypto. [Steve Henson] *) Port OpenSSL 0.9.7 FIPS code to 0.9.8. Convert to new Makefile form. Update Configure. Convert and update FIPS source files. Update libcrypto, libssl and apps with additional functionality from 0.9.7 FIPS code. Update Windows build system. [Steve Henson] Changes between 0.9.8e and 0.9.8f [23 Feb 2007] *) In the SSL/TLS server implementation, be strict about session ID context matching (which matters if an application uses a single Loading Configure +91 −2 Original line number Diff line number Diff line Loading @@ -6,7 +6,9 @@ eval 'exec perl -S $0 ${1+"$@"}' ## require 5.000; use strict; eval 'use strict;'; print STDERR "Warning: perl module strict not found.\n" if ($@); # see INSTALL for instructions. Loading Loading @@ -562,6 +564,11 @@ my $prefix=""; my $openssldir=""; my $exe_ext=""; my $install_prefix=""; my $fipslibdir="/usr/local/ssl/lib/"; my $nofipscanistercheck=0; my $fipsdso=0; my $fipscanisterinternal="n"; my $baseaddr="0xFB00000"; my $no_threads=0; my $threads=0; my $no_shared=0; # but "no-shared" is default Loading @@ -584,6 +591,7 @@ my $rc2 ="crypto/rc2/rc2.h"; my $bf ="crypto/bf/bf_locl.h"; my $bn_asm ="bn_asm.o"; my $des_enc="des_enc.o fcrypt_b.o"; my $fips_des_enc="fips_des_enc.o"; my $aes_enc="aes_core.o aes_cbc.o"; my $bf_enc ="bf_enc.o"; my $cast_enc="c_enc.o"; Loading @@ -595,6 +603,7 @@ my $rmd160_obj=""; my $processor=""; my $default_ranlib; my $perl; my $fips=0; # All of the following is disabled by default (RC5 was enabled before 0.9.8): Loading Loading @@ -718,12 +727,36 @@ PROCESS_ARGS: } elsif (/^386$/) { $processor=386; } elsif (/^fips$/) { $fips=1; } elsif (/^rsaref$/) { # No RSAref support any more since it's not needed. # The check for the option is there so scripts aren't # broken } elsif (/^nofipscanistercheck$/) { $fips = 1; $nofipscanistercheck = 1; } elsif (/^fipscanisterbuild$/) { $fips = 1; $nofipscanistercheck = 1; $fipslibdir=""; $fipscanisterinternal="y"; } elsif (/^fipsdso$/) { $fips = 1; $nofipscanistercheck = 1; $fipslibdir=""; $fipscanisterinternal="y"; $fipsdso = 1; } elsif (/^[-+]/) { if (/^-[lL](.*)$/) Loading Loading @@ -922,6 +955,8 @@ my $IsMK1MF=scalar grep /^$target$/,@MK1MF_Builds; $IsMK1MF=1 if ($target eq "mingw" && $^O ne "cygwin" && !is_msys()); $no_shared = 0 if ($fipsdso && !$IsMK1MF); $exe_ext=".exe" if ($target eq "Cygwin" || $target eq "DJGPP" || $target eq "mingw"); $exe_ext=".pm" if ($target =~ /vos/); $openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq ""); Loading Loading @@ -1187,6 +1222,27 @@ $bn_obj = $bn_asm unless $bn_obj ne ""; $cflags.=" -DOPENSSL_BN_ASM_PART_WORDS" if ($bn_obj =~ /bn86/); $cflags.=" -DOPENSSL_IA32_SSE2" if (!$no_sse2 && $bn_obj =~ /bn86/); my $fips_des_obj; my $fips_aes_obj; my $fips_sha1_obj; if ($fips) { if ($des_obj =~ /\-elf\.o$/) { $fips_des_obj='asm/fips-dx86-elf.o'; $openssl_other_defines.="#define OPENSSL_FIPS_DES_ASM\n"; $fips_aes_obj='asm/fips-ax86-elf.o'; $openssl_other_defines.="#define OPENSSL_FIPS_AES_ASM\n"; } else { $fips_des_obj=$fips_des_enc; $fips_aes_obj='fips_aes_core.o'; } $fips_sha1_obj='asm/fips-sx86-elf.o' if ($sha1_obj =~ /\-elf\.o$/); $des_obj=$sha1_obj=$aes_obj=""; $openssl_other_defines.="#define OPENSSL_FIPS\n"; } $des_obj=$des_enc unless ($des_obj =~ /\.o$/); $bf_obj=$bf_enc unless ($bf_obj =~ /\.o$/); $cast_obj=$cast_enc unless ($cast_obj =~ /\.o$/); Loading Loading @@ -1297,6 +1353,8 @@ while (<IN>) s/^EXE_EXT=.*$/EXE_EXT= $exe_ext/; s/^CPUID_OBJ=.*$/CPUID_OBJ= $cpuid_obj/; s/^BN_ASM=.*$/BN_ASM= $bn_obj/; s/^FIPS_DES_ENC=.*$/FIPS_DES_ENC= $fips_des_obj/; s/^FIPS_AES_ENC=.*$/FIPS_AES_ENC= $fips_aes_obj/; s/^DES_ENC=.*$/DES_ENC= $des_obj/; s/^AES_ASM_OBJ=.*$/AES_ASM_OBJ= $aes_obj/; s/^BF_ENC=.*$/BF_ENC= $bf_obj/; Loading @@ -1305,6 +1363,7 @@ while (<IN>) s/^RC5_ENC=.*$/RC5_ENC= $rc5_obj/; s/^MD5_ASM_OBJ=.*$/MD5_ASM_OBJ= $md5_obj/; s/^SHA1_ASM_OBJ=.*$/SHA1_ASM_OBJ= $sha1_obj/; s/^FIPS_SHA1_ASM_OBJ=.*$/FIPS_SHA1_ASM_OBJ= $fips_sha1_obj/; s/^RMD160_ASM_OBJ=.*$/RMD160_ASM_OBJ= $rmd160_obj/; s/^PROCESSOR=.*/PROCESSOR= $processor/; s/^RANLIB=.*/RANLIB= $ranlib/; Loading @@ -1314,9 +1373,24 @@ while (<IN>) s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/; s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/; s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/; s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/; if ($fipsdso) { s/^FIPSCANLIB=.*/FIPSCANLIB=libfips/; s/^SHARED_FIPS=.*/SHARED_FIPS=libfips\$(SHLIB_EXT)/; s/^SHLIBDIRS=.*/SHLIBDIRS= crypto ssl fips/; } else { s/^FIPSCANLIB=.*/FIPSCANLIB=libcrypto/ if $fips; s/^SHARED_FIPS=.*/SHARED_FIPS=/; s/^SHLIBDIRS=.*/SHLIBDIRS= crypto ssl/; } s/^FIPSCANISTERINTERNAL=.*/FIPSCANISTERINTERNAL=$fipscanisterinternal/; s/^BASEADDR=.*/BASEADDR=$baseaddr/; s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/; s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/; s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared); s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL) \$(SHARED_FIPS)/ if (!$no_shared); if ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*$/) { my $sotmp = $1; Loading Loading @@ -1663,6 +1737,21 @@ libraries on this platform, they will at least look at it and try their best (but please first make sure you have tried with a current version of OpenSSL). EOF print <<\EOF if ($fipscanisterinternal eq "y"); WARNING: OpenSSL has been configured using unsupported option(s) to internally generate a fipscanister.o object module for TESTING PURPOSES ONLY; that compiled module is NOT FIPS 140-2 validated and CANNOT be used to replace the OpenSSL FIPS Object Module as identified by the CMVP (http://csrc.nist.gov/cryptval/) in any application requiring the use of FIPS 140-2 validated software. This is a OpenSSL 0.9.8-fips test version. See the file README.FIPS for details of how to build a test library. EOF exit(0); sub usage Loading Makefile.org +136 −10 Original line number Diff line number Diff line Loading @@ -65,6 +65,7 @@ EX_LIBS= EXE_EXT= ARFLAGS= AR=ar $(ARFLAGS) r ARD=ar $(ARFLAGS) d RANLIB= ranlib PERL= perl TAR= tar Loading @@ -86,6 +87,8 @@ PROCESSOR= # CPUID module collects small commonly used assembler snippets CPUID_OBJ= BN_ASM= bn_asm.o FIPS_DES_ENC= des_enc.o fcrypt_b.o FIPS_AES_ENC= fips_aes_core.o DES_ENC= des_enc.o fcrypt_b.o AES_ASM_OBJ=aes_core.o aes_cbc.o BF_ENC= bf_enc.o Loading @@ -93,6 +96,7 @@ CAST_ENC= c_enc.o RC4_ENC= rc4_enc.o RC5_ENC= rc5_enc.o MD5_ASM_OBJ= FIPS_SHA1_ASM_OBJ= SHA1_ASM_OBJ= RMD160_ASM_OBJ= Loading @@ -104,8 +108,34 @@ LIBKRB5= ZLIB_INCLUDE= LIBZLIB= DIRS= crypto ssl engines apps test tools SHLIBDIRS= crypto ssl # This is the location of fipscanister.o and friends. # The FIPS module build will place it $(INSTALLTOP)/lib # but since $(INSTALLTOP) can only take the default value # when the module is built it will be in /usr/local/ssl/lib # $(INSTALLTOP) for this build make be different so hard # code the path. FIPSLIBDIR=/usr/local/ssl/lib/ # This is set to "y" if fipscanister.o is compiled internally as # opposed to coming from an external validated location. FIPSCANISTERINTERNAL=n # The location of the library which contains fipscanister.o # normally it will be libcrypto unless fipsdso is set in which # case it will be libfips. If not compiling in FIPS mode at all # this is empty making it a useful test for a FIPS compile. FIPSCANLIB= # Shared library base address. Currently only used on Windows. # BASEADDR= DIRS= crypto fips-1.0 ssl engines apps test tools SHLIBDIRS= crypto ssl fips # dirs in crypto to build SDIRS= \ Loading Loading @@ -138,13 +168,14 @@ WDIRS= windows LIBS= libcrypto.a libssl.a SHARED_CRYPTO=libcrypto$(SHLIB_EXT) SHARED_SSL=libssl$(SHLIB_EXT) SHARED_FIPS= SHARED_LIBS= SHARED_LIBS_LINK_EXTS= SHARED_LDFLAGS= GENERAL= Makefile BASENAME= openssl NAME= $(BASENAME)-$(VERSION) NAME= $(BASENAME)-fips-$(VERSION) TARFILE= $(NAME).tar WTARFILE= $(NAME)-win.tar EXHEADER= e_os2.h Loading Loading @@ -191,6 +222,12 @@ BUILDENV= PLATFORM='${PLATFORM}' PROCESSOR='${PROCESSOR}' \ SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' \ MD5_ASM_OBJ='${MD5_ASM_OBJ}' \ RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' \ FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' \ FIPS_DES_ENC='${FIPS_DES_ENC}' \ FIPS_AES_ENC='${FIPS_AES_ENC}' \ FIPSLIBDIR='${FIPSLIBDIR}' FIPSCANLIB='${FIPSCANLIB}' \ FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}' \ FIPS_EX_OBJ='${FIPS_EX_OBJ}' \ THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES= # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors, # which in turn eliminates ambiguities in variable treatment with -e. Loading Loading @@ -222,13 +259,81 @@ BUILD_ONE_CMD=\ reflect: @[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV) FIPS_EX_OBJ= ../crypto/aes/aes_cbc.o \ ../crypto/aes/aes_cfb.o \ ../crypto/aes/aes_ecb.o \ ../crypto/aes/aes_ofb.o \ ../crypto/bn/bn_add.o \ ../crypto/bn/bn_blind.o \ ../crypto/bn/bn_ctx.o \ ../crypto/bn/bn_div.o \ ../crypto/bn/bn_exp2.o \ ../crypto/bn/bn_exp.o \ ../crypto/bn/bn_gcd.o \ ../crypto/bn/bn_lib.o \ ../crypto/bn/bn_mod.o \ ../crypto/bn/bn_mont.o \ ../crypto/bn/bn_mul.o \ ../crypto/bn/bn_prime.o \ ../crypto/bn/bn_rand.o \ ../crypto/bn/bn_recp.o \ ../crypto/bn/bn_shift.o \ ../crypto/bn/bn_sqr.o \ ../crypto/bn/bn_word.o \ ../crypto/bn/bn_x931p.o \ ../crypto/buffer/buf_str.o \ ../crypto/cryptlib.o \ ../crypto/des/cfb64ede.o \ ../crypto/des/cfb64enc.o \ ../crypto/des/cfb_enc.o \ ../crypto/des/des_enc.o \ ../crypto/des/ecb3_enc.o \ ../crypto/des/ecb_enc.o \ ../crypto/des/ofb64ede.o \ ../crypto/des/ofb64enc.o \ ../crypto/des/fcrypt_b.o \ ../crypto/des/fcrypt.o \ ../crypto/dsa/dsa_utl.o \ ../crypto/dsa/dsa_sign.o \ ../crypto/dsa/dsa_vrf.o \ ../crypto/err/err.o \ ../crypto/evp/digest.o \ ../crypto/evp/m_sha1.o \ ../crypto/evp/p_sign.o \ ../crypto/evp/p_verify.o \ ../crypto/mem_clr.o \ ../crypto/mem.o \ ../crypto/rand/md_rand.o \ ../crypto/rand/rand_egd.o \ ../crypto/rand/randfile.o \ ../crypto/rand/rand_lib.o \ ../crypto/rand/rand_os2.o \ ../crypto/rand/rand_unix.o \ ../crypto/rand/rand_win.o \ ../crypto/rsa/rsa_lib.o \ ../crypto/rsa/rsa_none.o \ ../crypto/rsa/rsa_oaep.o \ ../crypto/rsa/rsa_pk1.o \ ../crypto/rsa/rsa_pss.o \ ../crypto/rsa/rsa_ssl.o \ ../crypto/rsa/rsa_x931.o \ ../crypto/uid.o sub_all: build_all build_all: build_libs build_apps build_tests build_tools build_libs: build_crypto build_ssl build_engines build_libs: build_crypto build_fips build_ssl build_engines build_crypto: @dir=crypto; target=all; $(BUILD_ONE_CMD) if [ -n "$(FIPSCANLIB)" ]; then \ EXCL_OBJ='$(BN_ASM) $(CPUID_OBJ) $(FIPS_EX_OBJ)' ; export EXCL_OBJ ; \ ARX='$(PERL) $${TOP}/util/arx.pl $(AR)' ; \ else \ ARX='${AR}' ; \ fi ; export ARX ; \ dir=crypto; target=all; $(BUILD_ONE_CMD) build_fips: @dir=fips-1.0; target=all; $(BUILD_ONE_CMD) build_ssl: @dir=ssl; target=all; $(BUILD_ONE_CMD) build_engines: Loading @@ -244,12 +349,18 @@ all_testapps: build_libs build_testapps build_testapps: @dir=crypto; target=testapps; $(BUILD_ONE_CMD) libcrypto$(SHLIB_EXT): libcrypto.a libcrypto$(SHLIB_EXT): libcrypto.a $(SHARED_FIPS) @if [ "$(SHLIB_TARGET)" != "" ]; then \ $(MAKE) SHLIBDIRS=crypto build-shared; \ if [ "$(FIPSCANLIB)" = "libfips" ]; then \ ( dir=fips-1.0; target=all; $(BUILD_ONE_CMD) ) ; \ $(ARD) libcrypto.a fipscanister.o ; \ $(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \ $(AR) libcrypto.a fips-1.0/fipscanister.o ; \ else \ $(MAKE) SHLIBDIRS='crypto' build-shared; \ fi \ else \ echo "There's no support for shared libraries on this platform" >&2; \ exit 1; \ fi libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a Loading @@ -260,6 +371,21 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a exit 1; \ fi libfips$(SHLIB_EXT): libfips.a @if [ "$(SHLIB_TARGET)" != "" ]; then \ if [ "$(FIPSCANLIB)" = "libfips" ]; then \ FIPSLD_CC=$(CC); CC=fips-1.0/fipsld; FIPSLD_NPT="y"; \ FIPSLD_LIBFIPS=y; \ export CC FIPSLD_CC FIPSLD_NPT FIPSLD_LIBFIPS; \ fi; \ $(MAKE) -e SHLIBDIRS=fips build-shared; \ else \ echo "There's no support for shared libraries on this platform" >&2; \ fi libfips.a: dir=fips-1.0; target=all; $(BUILD_ONE_CMD) clean-shared: @set -e; for i in $(SHLIBDIRS); do \ if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \ Loading Loading @@ -451,7 +577,7 @@ tar: $(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \ tardy --user_number=0 --user_name=openssl \ --group_number=0 --group_name=openssl \ --prefix=openssl-$(VERSION) - |\ --prefix=openssl-fips-$(VERSION) - |\ gzip --best >../$(TARFILE).gz; \ rm -f ../$(TARFILE).list; \ ls -l ../$(TARFILE).gz Loading Makefile.shared +3 −1 Original line number Diff line number Diff line Loading @@ -144,7 +144,9 @@ LINK_SO_A_UNPACKED= \ SHOBJECTS=$$UNPACKDIR/*.o; \ $(LINK_SO) && rm -rf $$UNPACKDIR DETECT_GNU_LD=(${CC} -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null # NB: force pass-through in case we are calling through fipsld. DETECT_GNU_LD=(FIPSLD_NPT="" FIPSLD_LIBFIPS="" ${CC} -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null DO_GNU_SO=$(CALC_VERSIONS); \ SHLIB=lib$(LIBNAME).so; \ Loading README +7 −1 Original line number Diff line number Diff line OpenSSL 0.9.8f-dev OpenSSL 0.9.8f-fips-dev test version Copyright (c) 1998-2007 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. WARNING ------- This version of OpenSSL is an initial port of the FIPS 140-2 code to OpenSSL 0.9.8. See the file README.FIPS for brief usage details. DESCRIPTION ----------- Loading Loading
CHANGES +44 −1 Original line number Diff line number Diff line Loading @@ -2,7 +2,50 @@ OpenSSL CHANGES _______________ Changes between 0.9.8e and 0.9.8f [xx XXX xxxx] Changes between 0.9.8e and 0.9.8f-fips [xx XXX xxxx] *) Move error library so that all lhash dependencies are in a separate file. Include a simplified ERR_get_state() function for stand alone FIPS applications. Include a initialization function OPENSSL_init() to set all callbacks, automatically call OPENSSL_init() once when a cipher or digest is added. This should mean that almost all applications set the callbacks automatically. Exceptional cases can call OPENSSL_init() manually like this: #ifdef OPENSSL_HAVE_INIT OPENSSL_init(); #endif before starting any threads. [Steve Henson] *) Collect common functions into header file "fips_utl.h". [Steve Henson] *) Only enable dynamic lock functionality in CRYPTO_lock() when it is really needed. Move some lock functionality into new file dyn_lck.c . This further reduces FIPS dependencies allowing the complete removal of STACK and OBJ_bsearch(). [Steve Henson] *) Reduce FIPS test program dependencies by providing stand alone versions of some existing functions in libcrypto. Avoid use of BIOs by converting to system stdio. Move some functions in FIPS files: e.g. all use of BIO_printf(). [Steve Henson] *) Modify build of libcrypto in FIPS mode by using a perl script "arx.pl" which calls the archiver specifically excluding any FIPS dependencies in libcrypto. [Steve Henson] *) Port OpenSSL 0.9.7 FIPS code to 0.9.8. Convert to new Makefile form. Update Configure. Convert and update FIPS source files. Update libcrypto, libssl and apps with additional functionality from 0.9.7 FIPS code. Update Windows build system. [Steve Henson] Changes between 0.9.8e and 0.9.8f [23 Feb 2007] *) In the SSL/TLS server implementation, be strict about session ID context matching (which matters if an application uses a single Loading
Configure +91 −2 Original line number Diff line number Diff line Loading @@ -6,7 +6,9 @@ eval 'exec perl -S $0 ${1+"$@"}' ## require 5.000; use strict; eval 'use strict;'; print STDERR "Warning: perl module strict not found.\n" if ($@); # see INSTALL for instructions. Loading Loading @@ -562,6 +564,11 @@ my $prefix=""; my $openssldir=""; my $exe_ext=""; my $install_prefix=""; my $fipslibdir="/usr/local/ssl/lib/"; my $nofipscanistercheck=0; my $fipsdso=0; my $fipscanisterinternal="n"; my $baseaddr="0xFB00000"; my $no_threads=0; my $threads=0; my $no_shared=0; # but "no-shared" is default Loading @@ -584,6 +591,7 @@ my $rc2 ="crypto/rc2/rc2.h"; my $bf ="crypto/bf/bf_locl.h"; my $bn_asm ="bn_asm.o"; my $des_enc="des_enc.o fcrypt_b.o"; my $fips_des_enc="fips_des_enc.o"; my $aes_enc="aes_core.o aes_cbc.o"; my $bf_enc ="bf_enc.o"; my $cast_enc="c_enc.o"; Loading @@ -595,6 +603,7 @@ my $rmd160_obj=""; my $processor=""; my $default_ranlib; my $perl; my $fips=0; # All of the following is disabled by default (RC5 was enabled before 0.9.8): Loading Loading @@ -718,12 +727,36 @@ PROCESS_ARGS: } elsif (/^386$/) { $processor=386; } elsif (/^fips$/) { $fips=1; } elsif (/^rsaref$/) { # No RSAref support any more since it's not needed. # The check for the option is there so scripts aren't # broken } elsif (/^nofipscanistercheck$/) { $fips = 1; $nofipscanistercheck = 1; } elsif (/^fipscanisterbuild$/) { $fips = 1; $nofipscanistercheck = 1; $fipslibdir=""; $fipscanisterinternal="y"; } elsif (/^fipsdso$/) { $fips = 1; $nofipscanistercheck = 1; $fipslibdir=""; $fipscanisterinternal="y"; $fipsdso = 1; } elsif (/^[-+]/) { if (/^-[lL](.*)$/) Loading Loading @@ -922,6 +955,8 @@ my $IsMK1MF=scalar grep /^$target$/,@MK1MF_Builds; $IsMK1MF=1 if ($target eq "mingw" && $^O ne "cygwin" && !is_msys()); $no_shared = 0 if ($fipsdso && !$IsMK1MF); $exe_ext=".exe" if ($target eq "Cygwin" || $target eq "DJGPP" || $target eq "mingw"); $exe_ext=".pm" if ($target =~ /vos/); $openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq ""); Loading Loading @@ -1187,6 +1222,27 @@ $bn_obj = $bn_asm unless $bn_obj ne ""; $cflags.=" -DOPENSSL_BN_ASM_PART_WORDS" if ($bn_obj =~ /bn86/); $cflags.=" -DOPENSSL_IA32_SSE2" if (!$no_sse2 && $bn_obj =~ /bn86/); my $fips_des_obj; my $fips_aes_obj; my $fips_sha1_obj; if ($fips) { if ($des_obj =~ /\-elf\.o$/) { $fips_des_obj='asm/fips-dx86-elf.o'; $openssl_other_defines.="#define OPENSSL_FIPS_DES_ASM\n"; $fips_aes_obj='asm/fips-ax86-elf.o'; $openssl_other_defines.="#define OPENSSL_FIPS_AES_ASM\n"; } else { $fips_des_obj=$fips_des_enc; $fips_aes_obj='fips_aes_core.o'; } $fips_sha1_obj='asm/fips-sx86-elf.o' if ($sha1_obj =~ /\-elf\.o$/); $des_obj=$sha1_obj=$aes_obj=""; $openssl_other_defines.="#define OPENSSL_FIPS\n"; } $des_obj=$des_enc unless ($des_obj =~ /\.o$/); $bf_obj=$bf_enc unless ($bf_obj =~ /\.o$/); $cast_obj=$cast_enc unless ($cast_obj =~ /\.o$/); Loading Loading @@ -1297,6 +1353,8 @@ while (<IN>) s/^EXE_EXT=.*$/EXE_EXT= $exe_ext/; s/^CPUID_OBJ=.*$/CPUID_OBJ= $cpuid_obj/; s/^BN_ASM=.*$/BN_ASM= $bn_obj/; s/^FIPS_DES_ENC=.*$/FIPS_DES_ENC= $fips_des_obj/; s/^FIPS_AES_ENC=.*$/FIPS_AES_ENC= $fips_aes_obj/; s/^DES_ENC=.*$/DES_ENC= $des_obj/; s/^AES_ASM_OBJ=.*$/AES_ASM_OBJ= $aes_obj/; s/^BF_ENC=.*$/BF_ENC= $bf_obj/; Loading @@ -1305,6 +1363,7 @@ while (<IN>) s/^RC5_ENC=.*$/RC5_ENC= $rc5_obj/; s/^MD5_ASM_OBJ=.*$/MD5_ASM_OBJ= $md5_obj/; s/^SHA1_ASM_OBJ=.*$/SHA1_ASM_OBJ= $sha1_obj/; s/^FIPS_SHA1_ASM_OBJ=.*$/FIPS_SHA1_ASM_OBJ= $fips_sha1_obj/; s/^RMD160_ASM_OBJ=.*$/RMD160_ASM_OBJ= $rmd160_obj/; s/^PROCESSOR=.*/PROCESSOR= $processor/; s/^RANLIB=.*/RANLIB= $ranlib/; Loading @@ -1314,9 +1373,24 @@ while (<IN>) s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/; s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/; s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/; s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/; if ($fipsdso) { s/^FIPSCANLIB=.*/FIPSCANLIB=libfips/; s/^SHARED_FIPS=.*/SHARED_FIPS=libfips\$(SHLIB_EXT)/; s/^SHLIBDIRS=.*/SHLIBDIRS= crypto ssl fips/; } else { s/^FIPSCANLIB=.*/FIPSCANLIB=libcrypto/ if $fips; s/^SHARED_FIPS=.*/SHARED_FIPS=/; s/^SHLIBDIRS=.*/SHLIBDIRS= crypto ssl/; } s/^FIPSCANISTERINTERNAL=.*/FIPSCANISTERINTERNAL=$fipscanisterinternal/; s/^BASEADDR=.*/BASEADDR=$baseaddr/; s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/; s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/; s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared); s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL) \$(SHARED_FIPS)/ if (!$no_shared); if ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*$/) { my $sotmp = $1; Loading Loading @@ -1663,6 +1737,21 @@ libraries on this platform, they will at least look at it and try their best (but please first make sure you have tried with a current version of OpenSSL). EOF print <<\EOF if ($fipscanisterinternal eq "y"); WARNING: OpenSSL has been configured using unsupported option(s) to internally generate a fipscanister.o object module for TESTING PURPOSES ONLY; that compiled module is NOT FIPS 140-2 validated and CANNOT be used to replace the OpenSSL FIPS Object Module as identified by the CMVP (http://csrc.nist.gov/cryptval/) in any application requiring the use of FIPS 140-2 validated software. This is a OpenSSL 0.9.8-fips test version. See the file README.FIPS for details of how to build a test library. EOF exit(0); sub usage Loading
Makefile.org +136 −10 Original line number Diff line number Diff line Loading @@ -65,6 +65,7 @@ EX_LIBS= EXE_EXT= ARFLAGS= AR=ar $(ARFLAGS) r ARD=ar $(ARFLAGS) d RANLIB= ranlib PERL= perl TAR= tar Loading @@ -86,6 +87,8 @@ PROCESSOR= # CPUID module collects small commonly used assembler snippets CPUID_OBJ= BN_ASM= bn_asm.o FIPS_DES_ENC= des_enc.o fcrypt_b.o FIPS_AES_ENC= fips_aes_core.o DES_ENC= des_enc.o fcrypt_b.o AES_ASM_OBJ=aes_core.o aes_cbc.o BF_ENC= bf_enc.o Loading @@ -93,6 +96,7 @@ CAST_ENC= c_enc.o RC4_ENC= rc4_enc.o RC5_ENC= rc5_enc.o MD5_ASM_OBJ= FIPS_SHA1_ASM_OBJ= SHA1_ASM_OBJ= RMD160_ASM_OBJ= Loading @@ -104,8 +108,34 @@ LIBKRB5= ZLIB_INCLUDE= LIBZLIB= DIRS= crypto ssl engines apps test tools SHLIBDIRS= crypto ssl # This is the location of fipscanister.o and friends. # The FIPS module build will place it $(INSTALLTOP)/lib # but since $(INSTALLTOP) can only take the default value # when the module is built it will be in /usr/local/ssl/lib # $(INSTALLTOP) for this build make be different so hard # code the path. FIPSLIBDIR=/usr/local/ssl/lib/ # This is set to "y" if fipscanister.o is compiled internally as # opposed to coming from an external validated location. FIPSCANISTERINTERNAL=n # The location of the library which contains fipscanister.o # normally it will be libcrypto unless fipsdso is set in which # case it will be libfips. If not compiling in FIPS mode at all # this is empty making it a useful test for a FIPS compile. FIPSCANLIB= # Shared library base address. Currently only used on Windows. # BASEADDR= DIRS= crypto fips-1.0 ssl engines apps test tools SHLIBDIRS= crypto ssl fips # dirs in crypto to build SDIRS= \ Loading Loading @@ -138,13 +168,14 @@ WDIRS= windows LIBS= libcrypto.a libssl.a SHARED_CRYPTO=libcrypto$(SHLIB_EXT) SHARED_SSL=libssl$(SHLIB_EXT) SHARED_FIPS= SHARED_LIBS= SHARED_LIBS_LINK_EXTS= SHARED_LDFLAGS= GENERAL= Makefile BASENAME= openssl NAME= $(BASENAME)-$(VERSION) NAME= $(BASENAME)-fips-$(VERSION) TARFILE= $(NAME).tar WTARFILE= $(NAME)-win.tar EXHEADER= e_os2.h Loading Loading @@ -191,6 +222,12 @@ BUILDENV= PLATFORM='${PLATFORM}' PROCESSOR='${PROCESSOR}' \ SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' \ MD5_ASM_OBJ='${MD5_ASM_OBJ}' \ RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' \ FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' \ FIPS_DES_ENC='${FIPS_DES_ENC}' \ FIPS_AES_ENC='${FIPS_AES_ENC}' \ FIPSLIBDIR='${FIPSLIBDIR}' FIPSCANLIB='${FIPSCANLIB}' \ FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}' \ FIPS_EX_OBJ='${FIPS_EX_OBJ}' \ THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES= # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors, # which in turn eliminates ambiguities in variable treatment with -e. Loading Loading @@ -222,13 +259,81 @@ BUILD_ONE_CMD=\ reflect: @[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV) FIPS_EX_OBJ= ../crypto/aes/aes_cbc.o \ ../crypto/aes/aes_cfb.o \ ../crypto/aes/aes_ecb.o \ ../crypto/aes/aes_ofb.o \ ../crypto/bn/bn_add.o \ ../crypto/bn/bn_blind.o \ ../crypto/bn/bn_ctx.o \ ../crypto/bn/bn_div.o \ ../crypto/bn/bn_exp2.o \ ../crypto/bn/bn_exp.o \ ../crypto/bn/bn_gcd.o \ ../crypto/bn/bn_lib.o \ ../crypto/bn/bn_mod.o \ ../crypto/bn/bn_mont.o \ ../crypto/bn/bn_mul.o \ ../crypto/bn/bn_prime.o \ ../crypto/bn/bn_rand.o \ ../crypto/bn/bn_recp.o \ ../crypto/bn/bn_shift.o \ ../crypto/bn/bn_sqr.o \ ../crypto/bn/bn_word.o \ ../crypto/bn/bn_x931p.o \ ../crypto/buffer/buf_str.o \ ../crypto/cryptlib.o \ ../crypto/des/cfb64ede.o \ ../crypto/des/cfb64enc.o \ ../crypto/des/cfb_enc.o \ ../crypto/des/des_enc.o \ ../crypto/des/ecb3_enc.o \ ../crypto/des/ecb_enc.o \ ../crypto/des/ofb64ede.o \ ../crypto/des/ofb64enc.o \ ../crypto/des/fcrypt_b.o \ ../crypto/des/fcrypt.o \ ../crypto/dsa/dsa_utl.o \ ../crypto/dsa/dsa_sign.o \ ../crypto/dsa/dsa_vrf.o \ ../crypto/err/err.o \ ../crypto/evp/digest.o \ ../crypto/evp/m_sha1.o \ ../crypto/evp/p_sign.o \ ../crypto/evp/p_verify.o \ ../crypto/mem_clr.o \ ../crypto/mem.o \ ../crypto/rand/md_rand.o \ ../crypto/rand/rand_egd.o \ ../crypto/rand/randfile.o \ ../crypto/rand/rand_lib.o \ ../crypto/rand/rand_os2.o \ ../crypto/rand/rand_unix.o \ ../crypto/rand/rand_win.o \ ../crypto/rsa/rsa_lib.o \ ../crypto/rsa/rsa_none.o \ ../crypto/rsa/rsa_oaep.o \ ../crypto/rsa/rsa_pk1.o \ ../crypto/rsa/rsa_pss.o \ ../crypto/rsa/rsa_ssl.o \ ../crypto/rsa/rsa_x931.o \ ../crypto/uid.o sub_all: build_all build_all: build_libs build_apps build_tests build_tools build_libs: build_crypto build_ssl build_engines build_libs: build_crypto build_fips build_ssl build_engines build_crypto: @dir=crypto; target=all; $(BUILD_ONE_CMD) if [ -n "$(FIPSCANLIB)" ]; then \ EXCL_OBJ='$(BN_ASM) $(CPUID_OBJ) $(FIPS_EX_OBJ)' ; export EXCL_OBJ ; \ ARX='$(PERL) $${TOP}/util/arx.pl $(AR)' ; \ else \ ARX='${AR}' ; \ fi ; export ARX ; \ dir=crypto; target=all; $(BUILD_ONE_CMD) build_fips: @dir=fips-1.0; target=all; $(BUILD_ONE_CMD) build_ssl: @dir=ssl; target=all; $(BUILD_ONE_CMD) build_engines: Loading @@ -244,12 +349,18 @@ all_testapps: build_libs build_testapps build_testapps: @dir=crypto; target=testapps; $(BUILD_ONE_CMD) libcrypto$(SHLIB_EXT): libcrypto.a libcrypto$(SHLIB_EXT): libcrypto.a $(SHARED_FIPS) @if [ "$(SHLIB_TARGET)" != "" ]; then \ $(MAKE) SHLIBDIRS=crypto build-shared; \ if [ "$(FIPSCANLIB)" = "libfips" ]; then \ ( dir=fips-1.0; target=all; $(BUILD_ONE_CMD) ) ; \ $(ARD) libcrypto.a fipscanister.o ; \ $(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \ $(AR) libcrypto.a fips-1.0/fipscanister.o ; \ else \ $(MAKE) SHLIBDIRS='crypto' build-shared; \ fi \ else \ echo "There's no support for shared libraries on this platform" >&2; \ exit 1; \ fi libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a Loading @@ -260,6 +371,21 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a exit 1; \ fi libfips$(SHLIB_EXT): libfips.a @if [ "$(SHLIB_TARGET)" != "" ]; then \ if [ "$(FIPSCANLIB)" = "libfips" ]; then \ FIPSLD_CC=$(CC); CC=fips-1.0/fipsld; FIPSLD_NPT="y"; \ FIPSLD_LIBFIPS=y; \ export CC FIPSLD_CC FIPSLD_NPT FIPSLD_LIBFIPS; \ fi; \ $(MAKE) -e SHLIBDIRS=fips build-shared; \ else \ echo "There's no support for shared libraries on this platform" >&2; \ fi libfips.a: dir=fips-1.0; target=all; $(BUILD_ONE_CMD) clean-shared: @set -e; for i in $(SHLIBDIRS); do \ if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \ Loading Loading @@ -451,7 +577,7 @@ tar: $(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \ tardy --user_number=0 --user_name=openssl \ --group_number=0 --group_name=openssl \ --prefix=openssl-$(VERSION) - |\ --prefix=openssl-fips-$(VERSION) - |\ gzip --best >../$(TARFILE).gz; \ rm -f ../$(TARFILE).list; \ ls -l ../$(TARFILE).gz Loading
Makefile.shared +3 −1 Original line number Diff line number Diff line Loading @@ -144,7 +144,9 @@ LINK_SO_A_UNPACKED= \ SHOBJECTS=$$UNPACKDIR/*.o; \ $(LINK_SO) && rm -rf $$UNPACKDIR DETECT_GNU_LD=(${CC} -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null # NB: force pass-through in case we are calling through fipsld. DETECT_GNU_LD=(FIPSLD_NPT="" FIPSLD_LIBFIPS="" ${CC} -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null DO_GNU_SO=$(CALC_VERSIONS); \ SHLIB=lib$(LIBNAME).so; \ Loading
README +7 −1 Original line number Diff line number Diff line OpenSSL 0.9.8f-dev OpenSSL 0.9.8f-fips-dev test version Copyright (c) 1998-2007 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. WARNING ------- This version of OpenSSL is an initial port of the FIPS 140-2 code to OpenSSL 0.9.8. See the file README.FIPS for brief usage details. DESCRIPTION ----------- Loading
