Commit fcdf1d3f authored by Dr. Stephen Henson

Update build system to make use of validated module in FIPS mode.

parent e0fe7abe
+18 −2
@@ -621,6 +621,7 @@ my $prefix="";
my $openssldir="";
my $exe_ext="";
my $install_prefix="";
my $fipslibdir="/usr/local/ssl/lib";
my $no_threads=0;
my $no_shared=1;
my $zlib=0;
@@ -871,7 +872,7 @@ PROCESS_ARGS:
				}
			elsif (/^--with-fipslibdir=(.*)$/)
				{
				$withargs{"fipslibdir"}="$1";
				$fipslibdir="$1";
				}
			elsif (/^--with-zlib-include=(.*)$/)
				{
@@ -976,6 +977,21 @@ chop $prefix if $prefix =~ /\/$/;
$openssldir=$prefix . "/ssl" if $openssldir eq "";
$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;

if ($fips && ! -f "$fipslibdir/fipscanister.o")
	{
	my $fipswinerr = "";
	$fipswinerr = <<EOF if $IsWindows;
 Ensure that the correct path to the FIPS module directory
has been given to the --with-fipslibdir option.
EOF
	print STDERR <<EOF;
The file fipscanister.o could not be located. Please build and install the
FIPS module using the instructions in the user guide before compiling OpenSSL
in FIPS mode.$fipswinerr
EOF
	exit 1;
	}


print "IsWindows=$IsWindows\n";

@@ -1322,7 +1338,7 @@ while (<IN>)
	s/^KRB5_INCLUDES=.*/KRB5_INCLUDES=$withargs{"krb5-include"}/;
	s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
	s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/;
	s/^FIPSLIBDIR=.*/FIPSLIBDIR=$withargs{"fipslibdir"}/;
	s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
	s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/;
	s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
	s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
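Review bot: The `--with-fipslibdir` value is stored verbatim from `$1` without being made absolute, unlike `$openssldir` two lines above the new `-f` check, and the same string is then written into the Makefile as `FIPSLIBDIR=$fipslibdir` and handed to every sub-directory make as `FIPSLIBDIR='${FIPSLIBDIR}'`, where fips-1.0/Makefile uses it as `$(FIPSLIBDIR)/fipscanister.o` after a `cd $$i`. A relative path therefore passes the check in Configure (run from the top directory) and only fails later in a subdirectory with a confusing missing-prerequisite error. Rejecting it at the same spot, reusing the anchor pattern already used for `$openssldir`, keeps the failure early and explicit: `die "--with-fipslibdir must be an absolute path\n" if $fips && $fipslibdir !~ /(^\/|^[a-zA-Z]:[\\\/])/;`. The default `/usr/local/ssl/lib` is now repeated in Configure, Makefile.org and fipsld, so a comment next to `my $fipslibdir` such as `# default must match FIPSLIBDIR in Makefile.org and fipsld` would help keep the three copies from drifting.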
+9 −2
@@ -176,7 +176,14 @@ LIBKRB5=
ZLIB_INCLUDE=
LIBZLIB=

FIPSLIBDIR=$(INSTALLTOP)/lib
# This is the location of fipscanister.o and friends.
# The FIPS module build will place it $(INSTALLTOP)/lib
# but since $(INSTALLTOP) can only take the default value
# when the module is built it will be in /usr/local/ssl/lib
# $(INSTALLTOP) for this build make be different so hard
# code the path.

FIPSLIBDIR=/usr/local/ssl/lib

# When we're prepared to use shared libraries in the programs we link here
# we might set SHLIB_MARK to '$(SHARED_LIBS)'.
@@ -236,7 +243,7 @@ sub_all:
	do \
	if [ -d "$$i" ]; then \
		(cd $$i && echo "making all in $$i..." && \
		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' FIPS_AES_ENC='${FIPS_AES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' FIPS_AES_ENC='${FIPS_AES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' FIPSLIBDIR='${FIPSLIBDIR}' all ) || exit 1; \
	else \
		$(MAKE) $$i; \
	fi; \
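Review bot: The new comment block above `FIPSLIBDIR=/usr/local/ssl/lib` has a typo ("make be different") and does not say that Configure rewrites this line (`s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/`), so a reader may think the hard-coded path is authoritative rather than a fallback for an un-Configured Makefile.org. Suggest ending the block with `# $(INSTALLTOP) for this build may be different, so hard-code` and `# the path; Configure replaces this line from --with-fipslibdir.` The `sub_all` recipe correctly forwards `FIPSLIBDIR='${FIPSLIBDIR}'` to each subdirectory, which is what makes the new `$(FIPSLIBDIR)/fipscanister.o` prerequisite in fips-1.0/Makefile resolvable.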
+6 −3
@@ -55,7 +55,8 @@ all:
	fi

check:
	$(PERL) ../util/checkhash.pl || (rm fipscanister.o* 2>/dev/null; exit 1)
#	$(PERL) ../util/checkhash.pl || (rm fipscanister.o* 2>/dev/null; exit 1)
	echo FIPS module not built: no check done

# Idea behind fipscanister.o is to "seize" the sequestered code between
# known symbols for fingerprinting purposes, which would be commonly
@@ -71,6 +72,7 @@ check:
# flag and simply assume that all objects are of the same type as first
# one in command line. So the idea is to identify gcc and deficient
# vendor compiler drivers...

fipscanister.o: fips_start.o $(LIBOBJ) $(FIPS_OBJ_LISTS) fips_end.o
	@objs="fips_start.o $(LIBOBJ)"; \
	for i in $(FIPS_OBJ_LISTS); do \
@@ -87,6 +89,7 @@ fipscanister.o: fips_start.o $(LIBOBJ) $(FIPS_OBJ_LISTS) fips_end.o
		*) set -x; $(CC) $(CFLAGS) -r -o $@ $$objs ;; \
	esac fi
	sha/fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1

# If another exception is immediately required, assign approprite
# site-specific ld command to FIPS_SITE_LD environment variable.

@@ -128,8 +131,8 @@ links:
	$(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PERL='${PERL}' links ); \
	done;

lib:	fipscanister.o
	$(AR) $(LIB) fipscanister.o
lib:	$(FIPSLIBDIR)/fipscanister.o
	$(AR) $(LIB) $(FIPSLIBDIR)/fipscanister.o
	$(RANLIB) $(LIB) || echo Never mind.
	@touch lib

+17 −6
@@ -10,6 +10,8 @@
# command line syntax and $FIPSLD_CC or $CC environment variable set
# and can even be used to compile source files.

#set -x

CC=${FIPSLD_CC:-${CC}}
[ -n "${CC}" ] || { echo '$CC is not defined'; exit 1; }

@@ -30,6 +32,14 @@ TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)`

THERE="`echo $0 | sed -e 's|[^/]*$||'`"..

# Location of installed validated FIPS module
FIPSLIBDIR=${FIPSLIBDIR:-/usr/local/ssl/lib}
# If this is a build from a validated tarball use this instead
# FIPSLIBDIR=${THERE}/fips-1.0

[ -f "${FIPSLIBDIR}/fipscanister.o" ] ||
	{ echo "fipscanister.o not found"; exit 1; }

HMAC_KEY="etaonrishdlcupfm"

case "`(uname -s) 2>/dev/null`" in
@@ -50,8 +60,10 @@ case "${TARGET}" in
	# Shared lib creation can be taking place in the source
	# directory only!!!
	FINGERTYPE="${THERE}/fips-1.0/sha/fips_standalone_sha1"
	CANISTER_O="${THERE}/fips-1.0/fipscanister.o"
	PREMAIN_C="${THERE}/fips-1.0/fips_premain.c"
	CANISTER_O="${FIPSLIBDIR}/fipscanister.o"
	PREMAIN_C="${FIPSLIBDIR}/fips_premain.c"

echo Canister: $CANISTER_O

	# verify fipscanister.o against its detached signature...
	${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
@@ -96,16 +108,15 @@ case "${TARGET}" in
	# directory or off the installed binary target destination.
	if [ -x "${THERE}/fips-1.0/sha/fips_standalone_sha1" ]; then
		FINGERTYPE="${THERE}/fips-1.0/sha/fips_standalone_sha1"
		CANISTER_O="${THERE}/fips-1.0/fipscanister.o"
		PREMAIN_C="${THERE}/fips-1.0/fips_premain.c"
	else	# Installed tree is expected to contain
		# lib/fipscanister.o, lib/fipscanister.o.sha1 and
		# lib/fips_premain.c [not to mention bin/openssl].
		FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}"
		CANISTER_O="${THERE}/lib/fipscanister.o"
		PREMAIN_C="${THERE}/lib/fips_premain.c"
	fi

	CANISTER_O="${FIPSLIBDIR}/fipscanister.o"
	PREMAIN_C="${FIPSLIBDIR}/fips_premain.c"

	# verify fipscanister.o against its detached signature...
	${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
		diff -w "${CANISTER_O}.sha1" - || \
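Review bot: The new guard only tests `${FIPSLIBDIR}/fipscanister.o`, but both link paths below also read `${FIPSLIBDIR}/fips_premain.c` and `${CANISTER_O}.sha1` from the same directory, so an incomplete install passes the guard and fails later in the `diff` step with a less obvious error; extend it to all three files: `for f in fipscanister.o fipscanister.o.sha1 fips_premain.c; do [ -f "${FIPSLIBDIR}/$f" ] || { echo "${FIPSLIBDIR}/$f not found"; exit 1; }; done`. In the second `case` arm the comment "Installed tree is expected to contain lib/fipscanister.o ... lib/fips_premain.c" is now stale, because `CANISTER_O` and `PREMAIN_C` are assigned unconditionally after the `fi` and only `FINGERTYPE` still depends on the branch; reword it to say the branch selects the fingerprint tool while the module itself always comes from `${FIPSLIBDIR}`. `echo Canister: $CANISTER_O` in the first arm is unindented and unquoted and reads like leftover debugging output; either drop it or send it to stderr so it does not pollute a caller that captures stdout. Since `FIPSLIBDIR` is taken from the environment with a fallback, and the `.sha1` it is checked against lives alongside it, the verification confirms the canister matches its own signature file rather than that it is the validated module; that is presumably the intended trust model but is worth stating in the comment above `FIPSLIBDIR=`.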