Add fipscanisterbuild configuration option and update Makefile.org: doesn't compile yet

diff --git a/Configure b/Configure
index b638a0bd98430fe2e94605f71521f187e392add1..c62da8c5dda7ddd179005d3133c6dca7032f47e4 100755 (executable)
--- a/Configure
+++ b/Configure
@@ -647,6 +647,11 @@ my $openssldir="";
 my $exe_ext="";
 my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
 my $cross_compile_prefix="";
 my $exe_ext="";
 my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
 my $cross_compile_prefix="";

+my $fipslibdir="/usr/local/ssl/fips-1.0/lib/";
+my $nofipscanistercheck=0;
+my $fipsdso=0;
+my $fipscanisterinternal="n";
+my $baseaddr="0xFB00000";

 my $no_threads=0;
 my $threads=0;
 my $no_shared=0; # but "no-shared" is default
 my $no_threads=0;
 my $threads=0;
 my $no_shared=0; # but "no-shared" is default


@@ -681,6 +686,7 @@ my $cmll_enc="camellia.o cmll_misc.o cmll_cbc.o";
 my $processor="";
 my $default_ranlib;
 my $perl;
 my $processor="";
 my $default_ranlib;
 my $perl;

+my $fips=0;

 
 
 # All of the following is disabled by default (RC5 was enabled before 0.9.8):
 
 
 # All of the following is disabled by default (RC5 was enabled before 0.9.8):


@@ -833,6 +839,26 @@ PROCESS_ARGS:
                        # The check for the option is there so scripts aren't
                        # broken
                        }
                        # The check for the option is there so scripts aren't
                        # broken
                        }

+               elsif (/^nofipscanistercheck$/)
+                       {
+                       $fips = 1;
+                       $nofipscanistercheck = 1;
+                       }
+               elsif (/^fipscanisterbuild$/)
+                       {
+                       $fips = 1;
+                       $nofipscanistercheck = 1;
+                       $fipslibdir="";
+                       $fipscanisterinternal="y";
+                       }
+               elsif (/^fipsdso$/)
+                       {
+                       $fips = 1;
+                       $nofipscanistercheck = 1;
+                       $fipslibdir="";
+                       $fipscanisterinternal="y";
+                       $fipsdso = 1;
+                       }

                elsif (/^[-+]/)
                        {
                        if (/^-[lL](.*)$/ or /^-Wl,/)
                elsif (/^[-+]/)
                        {
                        if (/^-[lL](.*)$/ or /^-Wl,/)


@@ -1398,6 +1424,15 @@ $cflags.=" -DOPENSSL_IA32_SSE2" if (!$no_sse2 && $bn_obj =~ /86/);
 
 $cflags.=" -DOPENSSL_BN_ASM_MONT" if ($bn_obj =~ /-mont/);
 
 
 $cflags.=" -DOPENSSL_BN_ASM_MONT" if ($bn_obj =~ /-mont/);
 

+if ($fips)
+       {
+       $openssl_other_defines.="#define OPENSSL_FIPS\n";
+       if ($fipscanisterinternal eq "y")
+               {
+               $openssl_other_defines.="#define OPENSSL_FIPSCANISTER\n";
+               }
+       }
+

 $cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/);
 $des_obj=$des_enc      unless ($des_obj =~ /\.o$/);
 $bf_obj=$bf_enc                unless ($bf_obj =~ /\.o$/);
 $cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/);
 $des_obj=$des_enc      unless ($des_obj =~ /\.o$/);
 $bf_obj=$bf_enc                unless ($bf_obj =~ /\.o$/);


@@ -1574,6 +1609,21 @@ while (<IN>)
        s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
        s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/;
        s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/;
        s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
        s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/;
        s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/;

+       s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
+       if ($fipsdso)
+               {
+               s/^FIPSCANLIB=.*/FIPSCANLIB=libfips/;
+               s/^SHARED_FIPS=.*/SHARED_FIPS=libfips\$(SHLIB_EXT)/;
+               s/^SHLIBDIRS=.*/SHLIBDIRS= crypto ssl fips/;
+               }
+       else
+               {
+               s/^FIPSCANLIB=.*/FIPSCANLIB=libcrypto/ if $fips;
+               s/^SHARED_FIPS=.*/SHARED_FIPS=/;
+               s/^SHLIBDIRS=.*/SHLIBDIRS= crypto ssl/;
+               }
+       s/^FIPSCANISTERINTERNAL=.*/FIPSCANISTERINTERNAL=$fipscanisterinternal/;
+       s/^BASEADDR=.*/BASEADDR=$baseaddr/;

        s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
        s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
        s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
        s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
        s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
        s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);


@@ -1884,9 +1934,16 @@ BEGIN
     BEGIN
        BLOCK "040904b0"
        BEGIN
     BEGIN
        BLOCK "040904b0"
        BEGIN

+#if defined(FIPS)
+           VALUE "Comments", "WARNING: TEST VERSION ONLY ***NOT*** FIPS 140-2 VALIDATED.\\0"
+#endif

            // Required:            
            VALUE "CompanyName", "The OpenSSL Project, http://www.openssl.org/\\0"
            // Required:            
            VALUE "CompanyName", "The OpenSSL Project, http://www.openssl.org/\\0"

+#if defined(FIPS)
+           VALUE "FileDescription", "TEST UNVALIDATED FIPS140-2 DLL\\0"
+#else

            VALUE "FileDescription", "OpenSSL Shared Library\\0"
            VALUE "FileDescription", "OpenSSL Shared Library\\0"

+#endif

            VALUE "FileVersion", "$version\\0"
 #if defined(CRYPTO)
            VALUE "InternalName", "libeay32\\0"
            VALUE "FileVersion", "$version\\0"
 #if defined(CRYPTO)
            VALUE "InternalName", "libeay32\\0"


@@ -1894,6 +1951,9 @@ BEGIN
 #elif defined(SSL)
            VALUE "InternalName", "ssleay32\\0"
            VALUE "OriginalFilename", "ssleay32.dll\\0"
 #elif defined(SSL)
            VALUE "InternalName", "ssleay32\\0"
            VALUE "OriginalFilename", "ssleay32.dll\\0"

+#elif defined(FIPS)
+           VALUE "InternalName", "libosslfips\\0"
+           VALUE "OriginalFilename", "libosslfips.dll\\0"

 #endif
            VALUE "ProductName", "The OpenSSL Toolkit\\0"
            VALUE "ProductVersion", "$version\\0"
 #endif
            VALUE "ProductName", "The OpenSSL Toolkit\\0"
            VALUE "ProductVersion", "$version\\0"


@@ -1936,6 +1996,21 @@ libraries on this platform, they will at least look at it and try their best
 (but please first make sure you have tried with a current version of OpenSSL).
 EOF
 
 (but please first make sure you have tried with a current version of OpenSSL).
 EOF
 

+print <<\EOF if ($fipscanisterinternal eq "y");
+
+WARNING: OpenSSL has been configured using unsupported option(s) to internally
+generate a fipscanister.o object module for TESTING PURPOSES ONLY; that
+compiled module is NOT FIPS 140-2 validated and CANNOT be used to replace the
+OpenSSL FIPS Object Module as identified by the CMVP
+(http://csrc.nist.gov/cryptval/) in any application requiring the use of FIPS
+140-2 validated software. 
+
+This is an OpenSSL 1.1.0 test version.
+
+See the file README.FIPS for details of how to build a test library.
+
+EOF
+

 exit(0);
 
 sub usage
 exit(0);
 
 sub usage

diff --git a/Makefile.org b/Makefile.org
index 48abf3dc1204f31c93f6e3a6c531baf9ede5c448..6fd7acf8bea53492bfecc2cd431ec9f32e558eea 100644 (file)
--- a/Makefile.org
+++ b/Makefile.org
@@ -110,7 +110,33 @@ LIBKRB5=
 ZLIB_INCLUDE=
 LIBZLIB=
 
 ZLIB_INCLUDE=
 LIBZLIB=
 

-DIRS=   crypto ssl engines apps test tools
+# This is the location of fipscanister.o and friends.
+# The FIPS module build will place it $(INSTALLTOP)/lib
+# but since $(INSTALLTOP) can only take the default value
+# when the module is built it will be in /usr/local/ssl/lib
+# $(INSTALLTOP) for this build make be different so hard
+# code the path.
+
+FIPSLIBDIR=/usr/local/ssl/$(LIBDIR)/
+
+# This is set to "y" if fipscanister.o is compiled internally as
+# opposed to coming from an external validated location.
+
+FIPSCANISTERINTERNAL=n
+
+# The location of the library which contains fipscanister.o
+# normally it will be libcrypto unless fipsdso is set in which
+# case it will be libfips. If not compiling in FIPS mode at all
+# this is empty making it a useful test for a FIPS compile.
+
+FIPSCANLIB=
+
+# Shared library base address. Currently only used on Windows.
+#
+
+BASEADDR=
+
+DIRS=   crypto fips ssl engines apps test tools

 ENGDIRS= ccgost
 SHLIBDIRS= crypto ssl
 
 ENGDIRS= ccgost
 SHLIBDIRS= crypto ssl
 


@@ -207,6 +233,10 @@ BUILDENV=  PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
                WP_ASM_OBJ='$(WP_ASM_OBJ)'                      \
                MODES_ASM_OBJ='$(MODES_ASM_OBJ)'                \
                PERLASM_SCHEME='$(PERLASM_SCHEME)'              \
                WP_ASM_OBJ='$(WP_ASM_OBJ)'                      \
                MODES_ASM_OBJ='$(MODES_ASM_OBJ)'                \
                PERLASM_SCHEME='$(PERLASM_SCHEME)'              \

+               FIPSLIBDIR='${FIPSLIBDIR}'                      \
+               FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}"      \
+               FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}'  \
+               FIPS_EX_OBJ='${FIPS_EX_OBJ}'    \

                THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
 # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
 # which in turn eliminates ambiguities in variable treatment with -e.
                THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
 # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
 # which in turn eliminates ambiguities in variable treatment with -e.


@@ -238,13 +268,92 @@ BUILD_ONE_CMD=\
 reflect:
        @[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
 
 reflect:
        @[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
 

+
+# FIXME
+
+FIPS_EX_OBJ= ../crypto/aes/aes_cfb.o \
+       ../crypto/aes/aes_ecb.o \
+       ../crypto/aes/aes_ofb.o \
+       ../crypto/bn/bn_add.o \
+       ../crypto/bn/bn_blind.o \
+       ../crypto/bn/bn_ctx.o \
+       ../crypto/bn/bn_div.o \
+       ../crypto/bn/bn_exp2.o \
+       ../crypto/bn/bn_exp.o \
+       ../crypto/bn/bn_gcd.o \
+       ../crypto/bn/bn_lib.o \
+       ../crypto/bn/bn_mod.o \
+       ../crypto/bn/bn_mont.o \
+       ../crypto/bn/bn_mul.o \
+       ../crypto/bn/bn_prime.o \
+       ../crypto/bn/bn_rand.o \
+       ../crypto/bn/bn_recp.o \
+       ../crypto/bn/bn_shift.o \
+       ../crypto/bn/bn_sqr.o \
+       ../crypto/bn/bn_word.o \
+       ../crypto/bn/bn_x931p.o \
+       ../crypto/buffer/buf_str.o \
+       ../crypto/cryptlib.o \
+       ../crypto/des/cfb64ede.o \
+       ../crypto/des/cfb64enc.o \
+       ../crypto/des/cfb_enc.o \
+       ../crypto/des/ecb3_enc.o \
+       ../crypto/des/ofb64ede.o \
+       ../crypto/des/fcrypt.o \
+       ../crypto/des/set_key.o \
+       ../crypto/dh/dh_check.o \
+       ../crypto/dh/dh_gen.o \
+       ../crypto/dh/dh_key.o \
+       ../crypto/dsa/dsa_gen.o \
+       ../crypto/dsa/dsa_key.o \
+       ../crypto/dsa/dsa_ossl.o \
+       ../crypto/dsa/dsa_sign.o \
+       ../crypto/dsa/dsa_vrf.o \
+       ../crypto/evp/e_aes.o \
+       ../crypto/evp/e_des3.o \
+       ../crypto/evp/m_sha1.o \
+       ../crypto/hmac/hmac.o \
+       ../crypto/mem.o \
+       ../crypto/modes/cfb128.o \
+       ../crypto/modes/ctr128.o \
+       ../crypto/modes/ofb128.o \
+       ../crypto/rand/md_rand.o \
+       ../crypto/rand/rand_egd.o \
+       ../crypto/rand/randfile.o \
+       ../crypto/rand/rand_lib.o \
+       ../crypto/rand/rand_os2.o \
+       ../crypto/rand/rand_unix.o \
+       ../crypto/rand/rand_win.o \
+       ../crypto/rsa/rsa_eay.o \
+       ../crypto/rsa/rsa_gen.o \
+       ../crypto/rsa/rsa_crpt.o \
+       ../crypto/rsa/rsa_none.o \
+       ../crypto/rsa/rsa_oaep.o \
+       ../crypto/rsa/rsa_pk1.o \
+       ../crypto/rsa/rsa_pss.o \
+       ../crypto/rsa/rsa_ssl.o \
+       ../crypto/rsa/rsa_x931.o \
+       ../crypto/sha/sha1dgst.o \
+       ../crypto/sha/sha256.o \
+       ../crypto/sha/sha512.o \
+       ../crypto/uid.o
+

 sub_all: build_all
 build_all: build_libs build_apps build_tests build_tools
 
 sub_all: build_all
 build_all: build_libs build_apps build_tests build_tools
 

-build_libs: build_crypto build_ssl build_engines
+build_libs: build_crypto build_fips build_ssl build_engines
+
+build_fips:
+       @dir=fips; target=all; [ -z "$(FIPSCANLIB)" ] || $(BUILD_ONE_CMD)

 
 build_crypto:
 
 build_crypto:

-       @dir=crypto; target=all; $(BUILD_ONE_CMD)
+       if [ -n "$(FIPSCANLIB)" ]; then \
+               EXCL_OBJ='$(AES_ENC) $(BN_ASM) $(DES_ENC) $(CPUID_OBJ) $(SHA1_ASM_OBJ) $(FIPS_EX_OBJ)' ; export EXCL_OBJ ; \
+               ARX='$(PERL) $${TOP}/util/arx.pl $(AR)' ; \
+       else \
+               ARX='${AR}' ; \
+       fi ; export ARX ; \
+               dir=crypto; target=all; $(BUILD_ONE_CMD)

 build_ssl:
        @dir=ssl; target=all; $(BUILD_ONE_CMD)
 build_engines:
 build_ssl:
        @dir=ssl; target=all; $(BUILD_ONE_CMD)
 build_engines: