diff --git a/Configure b/Configure index fb8cceb430..cdef7f8506 100755 --- a/Configure +++ b/Configure @@ -894,6 +894,7 @@ EOF $nofipscanistercheck = 1; $fipslibdir=""; $fipscanisterinternal="y"; + $fipscanisteronly = 1; } elsif (/^fipsdso$/) { @@ -1134,11 +1135,6 @@ foreach (sort (keys %disabled)) my $exp_cflags = ""; -if ($fipscanisteronly == 2) - { - $exp_cflags .= " -DOPENSSL_FIPSSYMS"; - } - foreach (sort @experimental) { my $ALGO; @@ -1741,7 +1737,7 @@ while () s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.\$(SHLIB_MAJOR).dylib .dylib/; } s/^SHARED_LDFLAGS=.*/SHARED_LDFLAGS=$shared_ldflag/; - if ($fipscanisteronly == 2 && exists $disabled{"ec2m"}) + if ($fipscanisteronly && exists $disabled{"ec2m"}) { next if (/ec2_/ || /bn_gf2m/); } @@ -1992,7 +1988,7 @@ EOF &dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";', '^my \$prefix;$', 'my $prefix = "' . $prefix . '";'); &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s'); } - if ($depflags ne $default_depflags && !$make_depend && $fipscanisteronly != 2) { + if ($depflags ne $default_depflags && !$make_depend && !$fipscanisteronly) { print < #endif diff --git a/crypto/crypto.h b/crypto/crypto.h index 8fd2fe2ea9..64fbfe02ee 100644 --- a/crypto/crypto.h +++ b/crypto/crypto.h @@ -147,7 +147,7 @@ * non-FIPS OpenSSL. */ -#if defined(OPENSSL_FIPSCANISTER) && defined(OPENSSL_FIPSSYMS) +#if defined(OPENSSL_FIPSCANISTER) #include #endif diff --git a/fips/fips.h b/fips/fips.h index 44fd3a9dd8..3b679411f2 100644 --- a/fips/fips.h +++ b/fips/fips.h 
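Review bot: In Configure the rewritten tests `if ($fipscanisteronly && exists $disabled{"ec2m"})` and `!$fipscanisteronly` (depflags check) fire for any non-zero value, where the old code acted only on the value 2, and the first hunk now assigns 1 in the branch that sets `$fipscanisterinternal="y"`. Any other option branch that sets `$fipscanisteronly` (none is visible in these hunks) would now also drop the ec2_/bn_gf2m lines and suppress the depflags notice. A comment at the new assignment would record the intent, for example `# $fipscanisteronly is a plain boolean from here on; the value 2 is no longer special`. The depflags hunk is cut off on this page after `print <`, so the suppressed message itself cannot be checked.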
@@ -321,61 +321,6 @@ int FIPS_hmac_final(struct hmac_ctx_st *ctx,
 #endif
-/* Where necessary redirect standard OpenSSL APIs to FIPS versions */
-
-#if defined(OPENSSL_FIPSCANISTER) && defined(OPENSSL_FIPSAPI)
-
-#define CRYPTO_lock FIPS_lock
-#define CRYPTO_add_lock FIPS_add_lock
-#define CRYPTO_malloc FIPS_malloc
-#define CRYPTO_free FIPS_free
-
-#define ERR_put_error FIPS_put_error
-#define ERR_add_error_data FIPS_add_error_data
-
-#define EVP_MD_CTX_init FIPS_md_ctx_init
-#define EVP_MD_CTX_cleanup FIPS_md_ctx_cleanup
-#define EVP_MD_CTX_create FIPS_md_ctx_create
-#define EVP_MD_CTX_destroy FIPS_md_ctx_destroy
-#define EVP_DigestInit_ex(ctx, type, impl) FIPS_digestinit(ctx, type)
-#define EVP_DigestInit FIPS_digestinit
-#define EVP_DigestUpdate FIPS_digestupdate
-#define EVP_Digest(data, count, md, size, type, impl) \
- FIPS_digest(data, count, md, size, type)
-#define EVP_DigestFinal_ex FIPS_digestfinal
-#define EVP_MD_CTX_copy_ex FIPS_md_ctx_copy
-
-#define EVP_CipherInit_ex(ctx, cipher, impl, key, iv, enc) \
- FIPS_cipherinit(ctx, cipher, key, iv, enc)
-
-#define EVP_CipherInit FIPS_cipherinit
-
-#define EVP_CIPHER_CTX_init FIPS_cipher_ctx_init
-#define EVP_CIPHER_CTX_cleanup FIPS_cipher_ctx_cleanup
-#define EVP_Cipher FIPS_cipher
-#define EVP_CIPHER_CTX_ctrl FIPS_cipher_ctx_ctrl
-#define EVP_CIPHER_CTX_new FIPS_cipher_ctx_new
-#define EVP_CIPHER_CTX_free FIPS_cipher_ctx_free
-#define EVP_CIPHER_CTX_copy FIPS_cipher_ctx_copy
-#define EVP_CIPHER_CTX_set_key_length FIPS_cipher_ctx_set_key_length
-
-#define DSA_SIG_new FIPS_dsa_sig_new
-#define DSA_SIG_free FIPS_dsa_sig_free
-
-#define ECDSA_SIG_new FIPS_ecdsa_sig_new
-#define ECDSA_SIG_free FIPS_ecdsa_sig_free
-
-#define ecdsa_check fips_ecdsa_check
-#define ecdh_check fips_ecdh_check
-
-#define RAND_bytes FIPS_rand_bytes
-#define RAND_pseudo_bytes FIPS_rand_pseudo_bytes
-#define RAND_add FIPS_rand_add
-#define RAND_seed FIPS_rand_seed
-#define RAND_status FIPS_rand_status
-
-#endif
-
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
 * made after this point may be overwritten when the script is next run.
diff --git a/fips/fipssyms.h b/fips/fipssyms.h
index e49cf1b895..4b4c6ea92b 100644
--- a/fips/fipssyms.h
+++ b/fips/fipssyms.h
@@ -1,3 +1,57 @@
+
+/* Where necessary redirect standard OpenSSL APIs to FIPS versions */
+
+#define CRYPTO_lock FIPS_lock
+#define CRYPTO_add_lock FIPS_add_lock
+#define CRYPTO_malloc FIPS_malloc
+#define CRYPTO_free FIPS_free
+
+#define ERR_put_error FIPS_put_error
+#define ERR_add_error_data FIPS_add_error_data
+
+#define EVP_MD_CTX_init FIPS_md_ctx_init
+#define EVP_MD_CTX_cleanup FIPS_md_ctx_cleanup
+#define EVP_MD_CTX_create FIPS_md_ctx_create
+#define EVP_MD_CTX_destroy FIPS_md_ctx_destroy
+#define EVP_DigestInit_ex(ctx, type, impl) FIPS_digestinit(ctx, type)
+#define EVP_DigestInit FIPS_digestinit
+#define EVP_DigestUpdate FIPS_digestupdate
+#define EVP_Digest(data, count, md, size, type, impl) \
+ FIPS_digest(data, count, md, size, type)
+#define EVP_DigestFinal_ex FIPS_digestfinal
+#define EVP_MD_CTX_copy_ex FIPS_md_ctx_copy
+
+#define EVP_CipherInit_ex(ctx, cipher, impl, key, iv, enc) \
+ FIPS_cipherinit(ctx, cipher, key, iv, enc)
+
+#define EVP_CipherInit FIPS_cipherinit
+
+#define EVP_CIPHER_CTX_init FIPS_cipher_ctx_init
+#define EVP_CIPHER_CTX_cleanup FIPS_cipher_ctx_cleanup
+#define EVP_Cipher FIPS_cipher
+#define EVP_CIPHER_CTX_ctrl FIPS_cipher_ctx_ctrl
+#define EVP_CIPHER_CTX_new FIPS_cipher_ctx_new
+#define EVP_CIPHER_CTX_free FIPS_cipher_ctx_free
+#define EVP_CIPHER_CTX_copy FIPS_cipher_ctx_copy
+#define EVP_CIPHER_CTX_set_key_length FIPS_cipher_ctx_set_key_length
+
+#define DSA_SIG_new FIPS_dsa_sig_new
+#define DSA_SIG_free FIPS_dsa_sig_free
+
+#define ECDSA_SIG_new FIPS_ecdsa_sig_new
+#define ECDSA_SIG_free FIPS_ecdsa_sig_free
+
+#define ecdsa_check fips_ecdsa_check
+#define ecdh_check fips_ecdh_check
+
+#define RAND_bytes FIPS_rand_bytes
+#define RAND_pseudo_bytes FIPS_rand_pseudo_bytes
+#define RAND_add FIPS_rand_add
+#define RAND_seed FIPS_rand_seed
+#define RAND_status FIPS_rand_status
+
+/* Rename symbols so they don't clash with standard OpenSSL */
+
 #define AES_cfb128_encrypt fips_aes_cfb128_encrypt
 #define AES_cfb1_encrypt fips_aes_cfb1_encrypt
 #define AES_cfb8_encrypt fips_aes_cfb8_encrypt
diff --git a/util/fipsas.pl b/util/fipsas.pl
index cad7c08ca2..6e10d7d8d5 100644
--- a/util/fipsas.pl
+++ b/util/fipsas.pl
@@ -19,7 +19,7 @@ if ($ARGS[0] eq "norunasm")
 my $enabled = 0;
-$enabled = 1 if $ENV{CFLAG} =~ /-DOPENSSL_FIPSSYMS/;
+$enabled = 1 if $ENV{FIPSCANISTERINTERNAL} eq "y";
 if ($enabled == 0 && $runasm) {
diff --git a/util/mk1mf.pl b/util/mk1mf.pl
index 8f01f0c462..5d024b15cb 100755
--- a/util/mk1mf.pl
+++ b/util/mk1mf.pl
@@ -60,6 +60,7 @@ my %mf_import = (
 CMLL_ENC => \$mf_cm_asm,
 MODES_ASM_OBJ => \$mf_modes_asm,
 FIPSCANISTERONLY => \$mf_fipscanisteronly
+ FIPSCANISTERINTERNAL => \$mf_fipscanisterinternal
 );
 open(IN,"
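Review bot: In fips/fipssyms.h the redirect block is added without the `#if defined(OPENSSL_FIPSCANISTER) && defined(OPENSSL_FIPSAPI)` guard it carried in fips.h, so every file that includes this header gets `RAND_bytes`, `CRYPTO_malloc` and the EVP calls remapped, not only sources built with OPENSSL_FIPSAPI. The function-like forms `EVP_DigestInit_ex(ctx, type, impl)`, `EVP_Digest(...)` and `EVP_CipherInit_ex(...)` also drop the `impl` argument silently. The crypto.h hunk removes the OPENSSL_FIPSSYMS condition from its include (the header name is stripped on this page, presumably this file), which widens the reach to every OPENSSL_FIPSCANISTER build. If that is intended, say so in the block comment; otherwise wrap the redirects in `#ifdef OPENSSL_FIPSAPI` and `#endif`.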
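Review bot: In util/fipsas.pl `$ENV{FIPSCANISTERINTERNAL}` is compared with `eq` without a definedness check, and an unset or differently spelled value leaves `$enabled` at 0, which selects the `$enabled == 0 && $runasm` branch whose body lies outside the hunk. A build that does not export the variable to this script would then presumably skip the FIPS symbol handling without any message. Suggest `$enabled = 1 if defined $ENV{FIPSCANISTERINTERNAL} && $ENV{FIPSCANISTERINTERNAL} eq "y";` plus a comment naming the makefile that exports the variable.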
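Review bot: In util/mk1mf.pl the added `FIPSCANISTERINTERNAL => \$mf_fipscanisterinternal` follows `FIPSCANISTERONLY => \$mf_fipscanisteronly`, an unchanged context line with no trailing comma, so as shown the `%mf_import` list lacks a separator between the two entries and will not parse. The preceding entry needs to become `FIPSCANISTERONLY => \$mf_fipscanisteronly,`. No declaration of `$mf_fipscanisterinternal` appears in this hunk; if the script runs under `use strict` it needs a `my` next to the other `$mf_` variables. The hunk's last line is cut off on this page.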