Commit ce025892 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

Now the FIPS capable OpenSSL is available simplify the various FIPS test

build options.

All fipscanisterbuild builds only build fipscanister.o and include symbol
renaming.

Move all renamed symbols to fipssyms.h

Update README.FIPS
parent 93dd7d38
+3 −7
@@ -894,6 +894,7 @@ EOF
			$nofipscanistercheck = 1;
			$fipslibdir="";
			$fipscanisterinternal="y";
			$fipscanisteronly = 1;
			}
		elsif (/^fipsdso$/)
			{
@@ -1134,11 +1135,6 @@ foreach (sort (keys %disabled))

my $exp_cflags = "";

if ($fipscanisteronly == 2)
	{
	$exp_cflags .= " -DOPENSSL_FIPSSYMS";
	}

foreach (sort @experimental)
	{
	my $ALGO;
@@ -1741,7 +1737,7 @@ while (<IN>)
		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.\$(SHLIB_MAJOR).dylib .dylib/;
		}
	s/^SHARED_LDFLAGS=.*/SHARED_LDFLAGS=$shared_ldflag/;
	if ($fipscanisteronly == 2 && exists $disabled{"ec2m"})
	if ($fipscanisteronly && exists $disabled{"ec2m"})
		{
		next if (/ec2_/ || /bn_gf2m/);
		}
@@ -1992,7 +1988,7 @@ EOF
	    &dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";',  '^my \$prefix;$', 'my $prefix = "' . $prefix . '";');
	    &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
	}
	if ($depflags ne $default_depflags && !$make_depend && $fipscanisteronly != 2) {
	if ($depflags ne $default_depflags && !$make_depend && !$fipscanisteronly) {
		print <<EOF;

Since you've disabled or enabled at least one algorithm, you need to do
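Review bot: The hunk at @@ -1134 removes the only place visible in Configure that put the symbol-renaming define (`-DOPENSSL_FIPSSYMS`) into `$exp_cflags`, yet the header change in this same commit now gates `#include <openssl/fipssyms.h>` on OPENSSL_FIPSCANISTERBUILD, and nothing in these hunks adds `-DOPENSSL_FIPSCANISTERBUILD` for the `$fipscanisteronly = 1;` path at line 894. If that define is set elsewhere in Configure (outside the hunks shown), a comment at the assignment naming where would help, e.g. `# symbol renaming is keyed on OPENSSL_FIPSCANISTERBUILD; see the CFLAGS handling below`; if it is not, renaming is silently lost and only the README.FIPS `nm` check (all external symbols beginning with FIPS/fips) would catch it, so that check must remain a mandatory step. Separately, `!$fipscanisteronly` in the @@ -1992 hunk now suppresses the "run make depend" notice for every canister build, so a changed algorithm set combined with stale dependency files goes unannounced there; worth confirming that is intended for a build that feeds validation. The enclosing `elsif` at line 894 and the heredoc at the end of the last hunk continue outside the hunks.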
+2 −15
@@ -35,19 +35,6 @@ Run test vectors:
4. It should say "passed all tests" at the end. Report full details of any
   failures.

Run:

make clean

to remove any object modules from previous compile.

Run symbol hiding test:

./config fipscanisteronly -DOPENSSL_FIPSSYMS
make

This time only the fips utilities should be built.

Examine the external symbols in fips/fipscanister.o they should all begin
with FIPS or fips. One way to check with GNU nm is:

@@ -76,7 +63,7 @@ Once you've created the tarball extract into a fresh directory and do:
make

You can then run the algorithm tests as above. This build automatically uses
fipscanisteronly and -DOPENSSL_FIPSYMS and no-ec2m as appropriate.
fipscanisterbuild and no-ec2m as appropriate.

FIPS capable OpenSSL test: WARNING PRELIMINARY INSTRUCTIONS, SUBJECT TO CHANGE.

+1 −1
@@ -35,7 +35,7 @@
#  endif
# endif

#ifdef OPENSSL_FIPSSYMS
#ifdef OPENSSL_FIPSCANISTERBUILD
#include <openssl/fipssyms.h>
#endif

+1 −1
@@ -147,7 +147,7 @@
 * non-FIPS OpenSSL.
 */

#if defined(OPENSSL_FIPSCANISTER) && defined(OPENSSL_FIPSSYMS)
#if defined(OPENSSL_FIPSCANISTER)
#include <openssl/fipssyms.h>
#endif
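Review bot: This header now includes fipssyms.h whenever OPENSSL_FIPSCANISTER is defined, while the other header changed in this commit gates the same include on OPENSSL_FIPSCANISTERBUILD; with two different gates, a translation unit that defines only one of the macros sees the renamed names and another sees the plain ones, which would surface as a link failure at best or, if it links, as unrenamed symbols in fipscanister.o that the README.FIPS nm check is meant to forbid. Either gate both includes on the same macro, or add a comment here stating the intended relationship, e.g. `/* Any canister build defines OPENSSL_FIPSCANISTER; keep this gate in step with the OPENSSL_FIPSCANISTERBUILD one in fips.h */`. It is also worth noting in the comment that fipssyms.h must carry its own include guard, since both headers can be pulled into one unit; that cannot be confirmed from this hunk. The comment block ending at line 105 begins outside the hunk.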

+0 −55
@@ -321,61 +321,6 @@ int FIPS_hmac_final(struct hmac_ctx_st *ctx,

#endif

/* Where necessary redirect standard OpenSSL APIs to FIPS versions */

#if defined(OPENSSL_FIPSCANISTER) && defined(OPENSSL_FIPSAPI)

#define CRYPTO_lock FIPS_lock
#define CRYPTO_add_lock FIPS_add_lock
#define CRYPTO_malloc FIPS_malloc
#define CRYPTO_free FIPS_free

#define ERR_put_error FIPS_put_error
#define ERR_add_error_data FIPS_add_error_data

#define EVP_MD_CTX_init FIPS_md_ctx_init
#define EVP_MD_CTX_cleanup FIPS_md_ctx_cleanup
#define EVP_MD_CTX_create FIPS_md_ctx_create
#define EVP_MD_CTX_destroy FIPS_md_ctx_destroy
#define EVP_DigestInit_ex(ctx, type, impl) FIPS_digestinit(ctx, type)
#define EVP_DigestInit FIPS_digestinit
#define EVP_DigestUpdate FIPS_digestupdate
#define EVP_Digest(data, count, md, size, type, impl) \
			FIPS_digest(data, count, md, size, type)
#define EVP_DigestFinal_ex FIPS_digestfinal
#define EVP_MD_CTX_copy_ex FIPS_md_ctx_copy

#define EVP_CipherInit_ex(ctx, cipher, impl, key, iv, enc) \
				FIPS_cipherinit(ctx, cipher, key, iv, enc)

#define EVP_CipherInit FIPS_cipherinit

#define EVP_CIPHER_CTX_init FIPS_cipher_ctx_init
#define EVP_CIPHER_CTX_cleanup FIPS_cipher_ctx_cleanup
#define EVP_Cipher FIPS_cipher
#define EVP_CIPHER_CTX_ctrl FIPS_cipher_ctx_ctrl
#define EVP_CIPHER_CTX_new FIPS_cipher_ctx_new
#define EVP_CIPHER_CTX_free FIPS_cipher_ctx_free
#define EVP_CIPHER_CTX_copy FIPS_cipher_ctx_copy
#define EVP_CIPHER_CTX_set_key_length FIPS_cipher_ctx_set_key_length

#define DSA_SIG_new FIPS_dsa_sig_new
#define DSA_SIG_free FIPS_dsa_sig_free

#define ECDSA_SIG_new FIPS_ecdsa_sig_new
#define ECDSA_SIG_free FIPS_ecdsa_sig_free

#define ecdsa_check fips_ecdsa_check
#define ecdh_check fips_ecdh_check

#define RAND_bytes FIPS_rand_bytes
#define RAND_pseudo_bytes FIPS_rand_pseudo_bytes
#define RAND_add FIPS_rand_add
#define RAND_seed FIPS_rand_seed
#define RAND_status FIPS_rand_status

#endif

/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
 * made after this point may be overwritten when the script is next run.