Now the FIPS capable OpenSSL is available simplify the various FIPS test

build options.

All fispcanisterbuild builds only build fipscanister.o and include symbol
renaming.

Move all renamed symbols to fipssyms.h

Update README.FIPS

diff --git a/Configure b/Configure
index fb8cceb430e52da8f0ee6762f08459b2398209c9..cdef7f8506d0f6e3b84d1ee415af83774f66fa0d 100755 (executable)
--- a/Configure
+++ b/Configure
@@ -894,6 +894,7 @@ EOF
                        $nofipscanistercheck = 1;
                        $fipslibdir="";
                        $fipscanisterinternal="y";
+                       $fipscanisteronly = 1;
                        }
                elsif (/^fipsdso$/)
                        {
@@ -1134,11 +1135,6 @@ foreach (sort (keys %disabled))
 
 my $exp_cflags = "";
 
-if ($fipscanisteronly == 2)
-       {
-       $exp_cflags .= " -DOPENSSL_FIPSSYMS";
-       }
-
 foreach (sort @experimental)
        {
        my $ALGO;
@@ -1741,7 +1737,7 @@ while (<IN>)
                s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.\$(SHLIB_MAJOR).dylib .dylib/;
                }
        s/^SHARED_LDFLAGS=.*/SHARED_LDFLAGS=$shared_ldflag/;
-       if ($fipscanisteronly == 2 && exists $disabled{"ec2m"})
+       if ($fipscanisteronly && exists $disabled{"ec2m"})
                {
                next if (/ec2_/ || /bn_gf2m/);
                }
@@ -1992,7 +1988,7 @@ EOF
            &dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";',  '^my \$prefix;$', 'my $prefix = "' . $prefix . '";');
            &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
        }
-       if ($depflags ne $default_depflags && !$make_depend && $fipscanisteronly != 2) {
+       if ($depflags ne $default_depflags && !$make_depend && !$fipscanisteronly) {
                print <<EOF;
 
 Since you've disabled or enabled at least one algorithm, you need to do

diff --git a/README.FIPS b/README.FIPS
index bae0a00f436dcf04f71e88a6f08300a8d8ace0fe..686308fcef30f07a7004b687fd41698962fa595f 100644 (file)
--- a/README.FIPS
+++ b/README.FIPS
@@ -35,23 +35,10 @@ Run test vectors:
 4. It should say "passed all tests" at the end. Report full details of any
    failures.
 
-Run:
-
-make clean
-
-to remove any object modules from previous compile.
-
-Run symbol hiding test:
-
-./config fipscanisteronly -DOPENSSL_FIPSSYMS
-make
-
-This time only the fips utilities should be built.
-
 Examine the external symbols in fips/fipscanister.o they should all begin
 with FIPS or fips. One way to check with GNU nm is:
 
-nm -g --defined-only fips/fipscanister.o | grep -v -i fips
+       nm -g --defined-only fips/fipscanister.o | grep -v -i fips
 
 If you get *any* output at all from this test (i.e. symbols not starting with
 fips or FIPS) please report it.
@@ -76,7 +63,7 @@ Once you've created the tarball extract into a fresh directory and do:
 make
 
 You can then run the algorithm tests as above. This build automatically uses
-fipscanisteronly and -DOPENSSL_FIPSYMS and no-ec2m as appropriate.
+fipscanisterbuild and no-ec2m as appropriate.
 
 FIPS capable OpenSSL test: WARNING PRELIMINARY INSTRUCTIONS, SUBJECT TO CHANGE.
 

diff --git a/crypto/arm_arch.h b/crypto/arm_arch.h
index db7047cc0534921adb2094590b3830787aebe2af..82401add1914137c412fcc51947015213ec99937 100644 (file)
--- a/crypto/arm_arch.h
+++ b/crypto/arm_arch.h
@@ -35,7 +35,7 @@
 #  endif
 # endif
 
-#ifdef OPENSSL_FIPSSYMS
+#ifdef OPENSSL_FIPSCANISTERBUILD
 #include <openssl/fipssyms.h>
 #endif
 

diff --git a/crypto/crypto.h b/crypto/crypto.h
index 8fd2fe2ea95cca828556fe75452dd745af78ee2c..64fbfe02eec05cbc0243a4ee868adf39cd431954 100644 (file)
--- a/crypto/crypto.h
+++ b/crypto/crypto.h
@@ -147,7 +147,7 @@
  * non-FIPS OpenSSL.
  */
 
-#if defined(OPENSSL_FIPSCANISTER) && defined(OPENSSL_FIPSSYMS)
+#if defined(OPENSSL_FIPSCANISTER)
 #include <openssl/fipssyms.h>
 #endif
 

diff --git a/fips/fips.h b/fips/fips.h
index 44fd3a9dd84c515dc52b6baf10075901540238a9..3b679411f252ed7270e6011f5fbce282221a9d88 100644 (file)
--- a/fips/fips.h
+++ b/fips/fips.h
@@ -321,61 +321,6 @@ int FIPS_hmac_final(struct hmac_ctx_st *ctx,
 
 #endif
 
-/* Where necessary redirect standard OpenSSL APIs to FIPS versions */
-
-#if defined(OPENSSL_FIPSCANISTER) && defined(OPENSSL_FIPSAPI)
-
-#define CRYPTO_lock FIPS_lock
-#define CRYPTO_add_lock FIPS_add_lock
-#define CRYPTO_malloc FIPS_malloc
-#define CRYPTO_free FIPS_free
-
-#define ERR_put_error FIPS_put_error
-#define ERR_add_error_data FIPS_add_error_data
-
-#define EVP_MD_CTX_init FIPS_md_ctx_init
-#define EVP_MD_CTX_cleanup FIPS_md_ctx_cleanup
-#define EVP_MD_CTX_create FIPS_md_ctx_create
-#define EVP_MD_CTX_destroy FIPS_md_ctx_destroy
-#define EVP_DigestInit_ex(ctx, type, impl) FIPS_digestinit(ctx, type)
-#define EVP_DigestInit FIPS_digestinit
-#define EVP_DigestUpdate FIPS_digestupdate
-#define EVP_Digest(data, count, md, size, type, impl) \
-                       FIPS_digest(data, count, md, size, type)
-#define EVP_DigestFinal_ex FIPS_digestfinal
-#define EVP_MD_CTX_copy_ex FIPS_md_ctx_copy
-
-#define EVP_CipherInit_ex(ctx, cipher, impl, key, iv, enc) \
-                               FIPS_cipherinit(ctx, cipher, key, iv, enc)
-
-#define EVP_CipherInit FIPS_cipherinit
-
-#define EVP_CIPHER_CTX_init FIPS_cipher_ctx_init
-#define EVP_CIPHER_CTX_cleanup FIPS_cipher_ctx_cleanup
-#define EVP_Cipher FIPS_cipher
-#define EVP_CIPHER_CTX_ctrl FIPS_cipher_ctx_ctrl
-#define EVP_CIPHER_CTX_new FIPS_cipher_ctx_new
-#define EVP_CIPHER_CTX_free FIPS_cipher_ctx_free
-#define EVP_CIPHER_CTX_copy FIPS_cipher_ctx_copy
-#define EVP_CIPHER_CTX_set_key_length FIPS_cipher_ctx_set_key_length
-
-#define DSA_SIG_new FIPS_dsa_sig_new
-#define DSA_SIG_free FIPS_dsa_sig_free
-
-#define ECDSA_SIG_new FIPS_ecdsa_sig_new
-#define ECDSA_SIG_free FIPS_ecdsa_sig_free
-
-#define ecdsa_check fips_ecdsa_check
-#define ecdh_check fips_ecdh_check
-
-#define RAND_bytes FIPS_rand_bytes
-#define RAND_pseudo_bytes FIPS_rand_pseudo_bytes
-#define RAND_add FIPS_rand_add
-#define RAND_seed FIPS_rand_seed
-#define RAND_status FIPS_rand_status
-
-#endif
-
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.

diff --git a/fips/fipssyms.h b/fips/fipssyms.h
index e49cf1b895fe72cae6111f20a845012927f831f2..4b4c6ea92b569fe7bd126033f95cc8baba022ca8 100644 (file)
--- a/fips/fipssyms.h
+++ b/fips/fipssyms.h
@@ -1,3 +1,57 @@
+
+/* Where necessary redirect standard OpenSSL APIs to FIPS versions */
+
+#define CRYPTO_lock FIPS_lock
+#define CRYPTO_add_lock FIPS_add_lock
+#define CRYPTO_malloc FIPS_malloc
+#define CRYPTO_free FIPS_free
+
+#define ERR_put_error FIPS_put_error
+#define ERR_add_error_data FIPS_add_error_data
+
+#define EVP_MD_CTX_init FIPS_md_ctx_init
+#define EVP_MD_CTX_cleanup FIPS_md_ctx_cleanup
+#define EVP_MD_CTX_create FIPS_md_ctx_create
+#define EVP_MD_CTX_destroy FIPS_md_ctx_destroy
+#define EVP_DigestInit_ex(ctx, type, impl) FIPS_digestinit(ctx, type)
+#define EVP_DigestInit FIPS_digestinit
+#define EVP_DigestUpdate FIPS_digestupdate
+#define EVP_Digest(data, count, md, size, type, impl) \
+                       FIPS_digest(data, count, md, size, type)
+#define EVP_DigestFinal_ex FIPS_digestfinal
+#define EVP_MD_CTX_copy_ex FIPS_md_ctx_copy
+
+#define EVP_CipherInit_ex(ctx, cipher, impl, key, iv, enc) \
+                               FIPS_cipherinit(ctx, cipher, key, iv, enc)
+
+#define EVP_CipherInit FIPS_cipherinit
+
+#define EVP_CIPHER_CTX_init FIPS_cipher_ctx_init
+#define EVP_CIPHER_CTX_cleanup FIPS_cipher_ctx_cleanup
+#define EVP_Cipher FIPS_cipher
+#define EVP_CIPHER_CTX_ctrl FIPS_cipher_ctx_ctrl
+#define EVP_CIPHER_CTX_new FIPS_cipher_ctx_new
+#define EVP_CIPHER_CTX_free FIPS_cipher_ctx_free
+#define EVP_CIPHER_CTX_copy FIPS_cipher_ctx_copy
+#define EVP_CIPHER_CTX_set_key_length FIPS_cipher_ctx_set_key_length
+
+#define DSA_SIG_new FIPS_dsa_sig_new
+#define DSA_SIG_free FIPS_dsa_sig_free
+
+#define ECDSA_SIG_new FIPS_ecdsa_sig_new
+#define ECDSA_SIG_free FIPS_ecdsa_sig_free
+
+#define ecdsa_check fips_ecdsa_check
+#define ecdh_check fips_ecdh_check
+
+#define RAND_bytes FIPS_rand_bytes
+#define RAND_pseudo_bytes FIPS_rand_pseudo_bytes
+#define RAND_add FIPS_rand_add
+#define RAND_seed FIPS_rand_seed
+#define RAND_status FIPS_rand_status
+
+/* Rename symbols so they don't clash with standard OpenSSL */
+
 #define AES_cfb128_encrypt fips_aes_cfb128_encrypt
 #define AES_cfb1_encrypt fips_aes_cfb1_encrypt
 #define AES_cfb8_encrypt fips_aes_cfb8_encrypt

diff --git a/util/fipsas.pl b/util/fipsas.pl
index cad7c08ca202af7ad9a9473f7ae1c11d40801e82..6e10d7d8d5c636fdc103daddb651e3ac94b14538 100644 (file)
--- a/util/fipsas.pl
+++ b/util/fipsas.pl
@@ -19,7 +19,7 @@ if ($ARGS[0] eq "norunasm")
 
 my $enabled = 0;
 
-$enabled = 1 if $ENV{CFLAG} =~ /-DOPENSSL_FIPSSYMS/;
+$enabled = 1 if $ENV{FIPSCANISTERINTERNAL} eq "y";
 
 if ($enabled == 0 && $runasm)
        {

diff --git a/util/mk1mf.pl b/util/mk1mf.pl
index 8f01f0c462fc60feb520003d79749017a8b4b10b..5d024b15cb8be8f02be31c78ba347e210f0992df 100755 (executable)
--- a/util/mk1mf.pl
+++ b/util/mk1mf.pl
@@ -60,6 +60,7 @@ my %mf_import = (
        CMLL_ENC       => \$mf_cm_asm,
        MODES_ASM_OBJ  => \$mf_modes_asm,
        FIPSCANISTERONLY  => \$mf_fipscanisteronly
+       FIPSCANISTERINTERNAL  => \$mf_fipscanisterinternal
 );
 
 open(IN,"<Makefile") || die "unable to open Makefile!\n";
@@ -75,7 +76,7 @@ close(IN);
 
 $debug = 1 if $mf_platform =~ /^debug-/;
 
-if ($mf_fipscanisteronly eq "y") {
+if ($mf_fipscanisterinternal eq "y") {
        $fips = 1;
        $fipscanisterbuild = 1;
        $fipscanisteronly = 1;
@@ -1196,7 +1197,7 @@ sub perlasm_compile_target
        $bname =~ s/(.*)\.[^\.]$/$1/;
        $ret ="\$(TMP_D)$o$bname.asm: $source\n";
        $ret.="\t\$(PERL) $source $asmtype \$(CFLAG) >\$\@\n";
-       if ($cflags =~ /-DOPENSSL_FIPSSYMS/)
+       if ($fipscanisteronly)
                {
                $ret .= "\t\$(PERL) util\\fipsas.pl . \$@ norunasm \$(CFLAG)\n";
                }