[openssl-commits] [openssl] master update
Emilia Kasper
emilia at openssl.org
Tue Feb 28 14:28:10 UTC 2017
The branch master has been updated
via 8a05d6bb264eefe224966a4c6415a173ad58861d (commit)
via b53338cbf8822dd774f9e4057307f347d2b63ff0 (commit)
via 223a90cc9a94d1f6abf04ef28dc30b03c3e5e0c1 (commit)
via e546e2cc8ca6f984cc1fb618b136bb28304927c9 (commit)
from 533b178db6aea206f07810ea20ecd43a90c51855 (commit)
- Log -----------------------------------------------------------------
commit 8a05d6bb264eefe224966a4c6415a173ad58861d
Author: Emilia Kasper <emilia at openssl.org>
Date: Tue Feb 28 14:54:07 2017 +0100
More Configure cleanup. Remove
- util/incore
- util/fipslink.pl
- the unused "baseaddr" configure switch
Reviewed-by: Stephen Henson <steve at openssl.org>
commit b53338cbf8822dd774f9e4057307f347d2b63ff0
Author: Emilia Kasper <emilia at openssl.org>
Date: Tue Feb 28 12:30:28 2017 +0100
Clean up references to FIPS
This removes the fips configure option. This option is broken as the
required FIPS code is not available.
FIPS_mode() and FIPS_mode_set() are retained for compatibility, but
FIPS_mode() always returns 0, and FIPS_mode_set() can only be used to
turn FIPS mode off.
Reviewed-by: Stephen Henson <steve at openssl.org>
commit 223a90cc9a94d1f6abf04ef28dc30b03c3e5e0c1
Author: Emilia Kasper <emilia at openssl.org>
Date: Tue Feb 28 13:25:06 2017 +0100
Remove BN_DEBUG_TRIX
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit e546e2cc8ca6f984cc1fb618b136bb28304927c9
Author: Emilia Kasper <emilia at openssl.org>
Date: Tue Feb 28 11:47:10 2017 +0100
Remove debugging leftovers in apps/opt.c
Reviewed-by: Stephen Henson <steve at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
Configure | 42 +---
apps/openssl.c | 10 -
apps/opt.c | 89 ---------
crypto/aes/asm/aes-mips.pl | 4 -
crypto/bn/asm/sparcv8plus.S | 4 -
crypto/bn/bn_lcl.h | 8 -
crypto/des/asm/des_enc.m4 | 4 -
crypto/err/err_all.c | 9 -
crypto/evp/evp_cnf.c | 8 -
crypto/o_fips.c | 12 +-
crypto/o_init.c | 19 +-
crypto/rand/md_rand.c | 4 -
crypto/rand/rand_lib.c | 5 -
crypto/sha/asm/sha1-mips.pl | 4 -
crypto/sha/asm/sha512-mips.pl | 4 -
crypto/sparccpuid.S | 4 -
doc/man5/config.pod | 13 +-
include/openssl/opensslv.h | 6 +-
ssl/record/ssl3_record.c | 7 -
ssl/s3_cbc.c | 48 -----
ssl/ssl_ciph.c | 8 +-
ssl/ssl_lib.c | 5 -
ssl/ssl_locl.h | 4 -
ssl/statem/statem_lib.c | 4 +-
test/ssltest_old.c | 19 --
util/fipslink.pl | 115 -----------
util/incore | 454 ------------------------------------------
27 files changed, 12 insertions(+), 901 deletions(-)
delete mode 100644 util/fipslink.pl
delete mode 100755 util/incore
diff --git a/Configure b/Configure
index 4404963..86f68c7 100755
--- a/Configure
+++ b/Configure
@@ -302,12 +302,8 @@ $config{openssldir}="";
$config{processor}="";
$config{libdir}="";
$config{cross_compile_prefix}="";
-$config{fipslibdir}="/usr/local/ssl/fips-2.0/lib/";
-my $nofipscanistercheck=0;
-$config{baseaddr}="0xFB00000";
my $auto_threads=1; # enable threads automatically? true by default
my $default_ranlib;
-$config{fips}=0;
# Top level directories to build
$config{dirs} = [ "crypto", "ssl", "engines", "apps", "test", "util", "tools", "fuzz" ];
@@ -685,7 +681,7 @@ while (@argvcopy)
{ $config{processor}=386; }
elsif (/^fips$/)
{
- $config{fips}=1;
+ die "FIPS mode not supported\n";
}
elsif (/^rsaref$/)
{
@@ -695,8 +691,7 @@ while (@argvcopy)
}
elsif (/^nofipscanistercheck$/)
{
- $config{fips} = 1;
- $nofipscanistercheck = 1;
+ die "FIPS mode not supported\n";
}
elsif (/^[-+]/)
{
@@ -734,14 +729,6 @@ while (@argvcopy)
{
$withargs{fuzzer_include}=$1;
}
- elsif (/^--with-fipslibdir=(.*)$/)
- {
- $config{fipslibdir}="$1/";
- }
- elsif (/^--with-baseaddr=(.*)$/)
- {
- $config{baseaddr}="$1";
- }
elsif (/^--cross-compile-prefix=(.*)$/)
{
$config{cross_compile_prefix}=$1;
@@ -821,15 +808,6 @@ if ($libs =~ /(^|\s)-Wl,-rpath,/
"***** any of asan, msan or ubsan\n";
}
-if ($config{fips})
- {
- delete $disabled{"shared"} if ($disabled{"shared"} =~ /^default/);
- }
-else
- {
- @{$config{dirs}} = grep !/^fips$/, @{$config{dirs}};
- }
-
my @tocheckfor = (keys %disabled);
while (@tocheckfor) {
my %new_tocheckfor = ();
@@ -1058,15 +1036,6 @@ if (!$disabled{dso} && $target{dso_scheme} ne "")
$config{ex_libs}="$libs$config{ex_libs}" if ($libs ne "");
-if ($disabled{asm})
- {
- if ($config{fips})
- {
- @{$config{defines}} = grep !/^[BL]_ENDIAN$/, @{$config{defines}};
- @{$target{defines}} = grep !/^[BL]_ENDIAN$/, @{$target{defines}};
- }
- }
-
# If threads aren't disabled, check how possible they are
unless ($disabled{threads}) {
if ($auto_threads) {
@@ -1107,8 +1076,7 @@ if (defined($disabled{"deprecated"})) {
if ($target{shared_target} eq "")
{
$no_shared_warn = 1
- if ((!$disabled{shared} || !$disabled{"dynamic-engine"})
- && !$config{fips});
+ if (!$disabled{shared} || !$disabled{"dynamic-engine"});
$disabled{shared} = "no-shared-target";
$disabled{pic} = $disabled{shared} = $disabled{"dynamic-engine"} =
"no-shared-target";
@@ -1172,10 +1140,6 @@ unless ($disabled{asm}) {
push @{$config{defines}}, "OPENSSL_BN_ASM_MONT5" if ($target{bn_asm_src} =~ /-mont5/);
push @{$config{defines}}, "OPENSSL_BN_ASM_GF2m" if ($target{bn_asm_src} =~ /-gf2m/);
- if ($config{fips}) {
- push @{$config{openssl_other_defines}}, "OPENSSL_FIPS";
- }
-
if ($target{sha1_asm_src}) {
push @{$config{defines}}, "SHA1_ASM" if ($target{sha1_asm_src} =~ /sx86/ || $target{sha1_asm_src} =~ /sha1/);
push @{$config{defines}}, "SHA256_ASM" if ($target{sha1_asm_src} =~ /sha256/);
diff --git a/apps/openssl.c b/apps/openssl.c
index bb776eb..e42ee1e 100644
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -21,9 +21,6 @@
# include <openssl/engine.h>
#endif
#include <openssl/err.h>
-#ifdef OPENSSL_FIPS
-# include <openssl/fips.h>
-#endif
#define USE_SOCKETS /* needed for the _O_BINARY defs in the MS world */
#include "s_apps.h"
/* Needed to get the other O_xxx flags. */
@@ -143,15 +140,8 @@ int main(int argc, char *argv[])
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
if (getenv("OPENSSL_FIPS")) {
-#ifdef OPENSSL_FIPS
- if (!FIPS_mode_set(1)) {
- ERR_print_errors(bio_err);
- return 1;
- }
-#else
BIO_printf(bio_err, "FIPS mode not supported.\n");
return 1;
-#endif
}
if (!apps_startup())
diff --git a/apps/opt.c b/apps/opt.c
index f72ac64..499a0b5 100644
--- a/apps/opt.c
+++ b/apps/opt.c
@@ -6,8 +6,6 @@
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
-
-/* #define COMPILE_STANDALONE_TEST_DRIVER */
#include "apps.h"
#include <string.h>
#if !defined(OPENSSL_SYS_MSDOS)
@@ -888,90 +886,3 @@ void opt_help(const OPTIONS *list)
BIO_printf(bio_err, "%s %s\n", start, help);
}
}
-
-#ifdef COMPILE_STANDALONE_TEST_DRIVER
-# include <sys/stat.h>
-
-typedef enum OPTION_choice {
- OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
- OPT_IN, OPT_INFORM, OPT_OUT, OPT_COUNT, OPT_U, OPT_FLAG,
- OPT_STR, OPT_NOTUSED
-} OPTION_CHOICE;
-
-static OPTIONS options[] = {
- {OPT_HELP_STR, 1, '-', "Usage: %s flags\n"},
- {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
- {"help", OPT_HELP, '-', "Display this summary"},
- {"in", OPT_IN, '<', "input file"},
- {OPT_MORE_STR, 1, '-', "more detail about input"},
- {"inform", OPT_INFORM, 'f', "input file format; defaults to pem"},
- {"out", OPT_OUT, '>', "output file"},
- {"count", OPT_COUNT, 'p', "a counter greater than zero"},
- {"u", OPT_U, 'u', "an unsigned number"},
- {"flag", OPT_FLAG, 0, "just some flag"},
- {"str", OPT_STR, 's', "the magic word"},
- {"areallyverylongoption", OPT_HELP, '-', "long way for help"},
- {NULL}
-};
-
-BIO *bio_err;
-
-int app_isdir(const char *name)
-{
- struct stat sb;
-
- return name != NULL && stat(name, &sb) >= 0 && S_ISDIR(sb.st_mode);
-}
-
-int main(int ac, char **av)
-{
- OPTION_CHOICE o;
- char **rest;
- char *prog;
-
- bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
- prog = opt_init(ac, av, options);
- while ((o = opt_next()) != OPT_EOF) {
- switch (c) {
- case OPT_NOTUSED:
- case OPT_EOF:
- case OPT_ERR:
- printf("%s: Usage error; try -help.\n", prog);
- return 1;
- case OPT_HELP:
- opt_help(options);
- return 0;
- case OPT_IN:
- printf("in %s\n", opt_arg());
- break;
- case OPT_INFORM:
- printf("inform %s\n", opt_arg());
- break;
- case OPT_OUT:
- printf("out %s\n", opt_arg());
- break;
- case OPT_COUNT:
- printf("count %s\n", opt_arg());
- break;
- case OPT_U:
- printf("u %s\n", opt_arg());
- break;
- case OPT_FLAG:
- printf("flag\n");
- break;
- case OPT_STR:
- printf("str %s\n", opt_arg());
- break;
- }
- }
- argc = opt_num_rest();
- argv = opt_rest();
-
- printf("args = %d\n", argc);
- if (argc)
- while (*argv)
- printf(" %s\n", *argv++);
- return 0;
-}
-#endif
diff --git a/crypto/aes/asm/aes-mips.pl b/crypto/aes/asm/aes-mips.pl
index 0eb1474..ba3e454 100644
--- a/crypto/aes/asm/aes-mips.pl
+++ b/crypto/aes/asm/aes-mips.pl
@@ -105,10 +105,6 @@ $code.=<<___;
#include "mips_arch.h"
.text
-#ifdef OPENSSL_FIPSCANISTER
-# include <openssl/fipssyms.h>
-#endif
-
#if !defined(__mips_eabi) && (!defined(__vxworks) || defined(__pic__))
.option pic2
#endif
diff --git a/crypto/bn/asm/sparcv8plus.S b/crypto/bn/asm/sparcv8plus.S
index 714a136..f3c611a 100644
--- a/crypto/bn/asm/sparcv8plus.S
+++ b/crypto/bn/asm/sparcv8plus.S
@@ -144,10 +144,6 @@
* }
*/
-#ifdef OPENSSL_FIPSCANISTER
-#include <openssl/fipssyms.h>
-#endif
-
#if defined(__SUNPRO_C) && defined(__sparcv9)
/* They've said -xarch=v9 at command line */
.register %g2,#scratch
diff --git a/crypto/bn/bn_lcl.h b/crypto/bn/bn_lcl.h
index 5fb3814..eba8dd9 100644
--- a/crypto/bn/bn_lcl.h
+++ b/crypto/bn/bn_lcl.h
@@ -147,11 +147,6 @@ extern "C" {
# ifdef BN_DEBUG
# ifdef BN_DEBUG_RAND
-/* To avoid "make update" cvs wars due to BN_DEBUG, use some tricks */
-# ifndef RAND_bytes
-int RAND_bytes(unsigned char *buf, int num);
-# define BN_DEBUG_TRIX
-# endif
# define bn_pollute(a) \
do { \
const BIGNUM *_bnum1 = (a); \
@@ -167,9 +162,6 @@ int RAND_bytes(unsigned char *buf, int num);
sizeof(*_not_const) * (_bnum1->dmax - _bnum1->top)); \
} \
} while(0)
-# ifdef BN_DEBUG_TRIX
-# undef RAND_bytes
-# endif
# else
# define bn_pollute(a)
# endif
diff --git a/crypto/des/asm/des_enc.m4 b/crypto/des/asm/des_enc.m4
index 2d794d3..c1f6391 100644
--- a/crypto/des/asm/des_enc.m4
+++ b/crypto/des/asm/des_enc.m4
@@ -31,10 +31,6 @@
#include <openssl/opensslconf.h>
-#ifdef OPENSSL_FIPSCANISTER
-#include <openssl/fipssyms.h>
-#endif
-
#if defined(__SUNPRO_C) && defined(__sparcv9)
# define ABI64 /* They've said -xarch=v9 at command line */
#elif defined(__GNUC__) && defined(__arch64__)
diff --git a/crypto/err/err_all.c b/crypto/err/err_all.c
index 3b1304f..6cc8c8f 100644
--- a/crypto/err/err_all.c
+++ b/crypto/err/err_all.c
@@ -31,9 +31,6 @@
#include <openssl/ui.h>
#include <openssl/ocsp.h>
#include <openssl/err.h>
-#ifdef OPENSSL_FIPS
-# include <openssl/fips.h>
-#endif
#include <openssl/ts.h>
#include <openssl/cms.h>
#include <openssl/ct.h>
@@ -43,9 +40,6 @@
int err_load_crypto_strings_int(void)
{
if (
-#ifdef OPENSSL_FIPS
- FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata) == 0 ||
-#endif
#ifndef OPENSSL_NO_ERR
ERR_load_ERR_strings() == 0 || /* include error strings for SYSerr */
ERR_load_BN_strings() == 0 ||
@@ -91,9 +85,6 @@ int err_load_crypto_strings_int(void)
#ifndef OPENSSL_NO_UI
ERR_load_UI_strings() == 0 ||
#endif
-# ifdef OPENSSL_FIPS
- ERR_load_FIPS_strings() == 0 ||
-# endif
# ifndef OPENSSL_NO_CMS
ERR_load_CMS_strings() == 0 ||
# endif
diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
index 71d13b8..d0d61b2 100644
--- a/crypto/evp/evp_cnf.c
+++ b/crypto/evp/evp_cnf.c
@@ -38,16 +38,8 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf)
return 0;
}
if (m > 0) {
-#ifdef OPENSSL_FIPS
- if (!FIPS_mode() && !FIPS_mode_set(1)) {
- EVPerr(EVP_F_ALG_MODULE_INIT,
- EVP_R_ERROR_SETTING_FIPS_MODE);
- return 0;
- }
-#else
EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_FIPS_MODE_NOT_SUPPORTED);
return 0;
-#endif
}
} else {
EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_UNKNOWN_OPTION);
diff --git a/crypto/o_fips.c b/crypto/o_fips.c
index bf6db65..050ea9c 100644
--- a/crypto/o_fips.c
+++ b/crypto/o_fips.c
@@ -8,27 +8,17 @@
*/
#include "internal/cryptlib.h"
-#ifdef OPENSSL_FIPS
-# include <openssl/fips.h>
-#endif
int FIPS_mode(void)
{
-#ifdef OPENSSL_FIPS
- return FIPS_module_mode();
-#else
+ /* This version of the library does not support FIPS mode. */
return 0;
-#endif
}
int FIPS_mode_set(int r)
{
-#ifdef OPENSSL_FIPS
- return FIPS_module_mode_set(r);
-#else
if (r == 0)
return 1;
CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED);
return 0;
-#endif
}
diff --git a/crypto/o_init.c b/crypto/o_init.c
index 2e0c126..5eb7654 100644
--- a/crypto/o_init.c
+++ b/crypto/o_init.c
@@ -9,26 +9,13 @@
#include <e_os.h>
#include <openssl/err.h>
-#ifdef OPENSSL_FIPS
-# include <openssl/fips.h>
-# include <openssl/rand.h>
-#endif
/*
- * Perform any essential OpenSSL initialization operations. Currently only
- * sets FIPS callbacks
+ * Perform any essential OpenSSL initialization operations. Currently does
+ * nothing.
*/
void OPENSSL_init(void)
{
- static int done = 0;
- if (done)
- return;
- done = 1;
-#ifdef OPENSSL_FIPS
- FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock);
- FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata);
- FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free);
- RAND_init_fips();
-#endif
+ return;
}
diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c
index 78da14a..8cbfae1 100644
--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@@ -29,10 +29,6 @@
#include <internal/thread_once.h>
-#ifdef OPENSSL_FIPS
-# include <openssl/fips.h>
-#endif
-
#if defined(BN_DEBUG) || defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
# define PREDICT
#endif
diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
index 2387126..fc47dc9 100644
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@@ -15,11 +15,6 @@
#include <openssl/engine.h>
-#ifdef OPENSSL_FIPS
-# include <openssl/fips.h>
-# include <openssl/fips_rand.h>
-#endif
-
#ifndef OPENSSL_NO_ENGINE
/* non-NULL if default_RAND_meth is ENGINE-provided */
static ENGINE *funct_ref = NULL;
diff --git a/crypto/sha/asm/sha1-mips.pl b/crypto/sha/asm/sha1-mips.pl
index d9911c8..ab29240 100644
--- a/crypto/sha/asm/sha1-mips.pl
+++ b/crypto/sha/asm/sha1-mips.pl
@@ -342,10 +342,6 @@ $SAVED_REGS_MASK = ($flavour =~ /nubi/i) ? "0xc0fff008" : "0xc0ff0000";
$code=<<___;
#include "mips_arch.h"
-#ifdef OPENSSL_FIPSCANISTER
-# include <openssl/fipssyms.h>
-#endif
-
.text
.set noat
diff --git a/crypto/sha/asm/sha512-mips.pl b/crypto/sha/asm/sha512-mips.pl
index 5464543..e6fd268 100644
--- a/crypto/sha/asm/sha512-mips.pl
+++ b/crypto/sha/asm/sha512-mips.pl
@@ -304,10 +304,6 @@ $SAVED_REGS_MASK = ($flavour =~ /nubi/i) ? "0xc0fff008" : "0xc0ff0000";
$code.=<<___;
#include "mips_arch.h"
-#ifdef OPENSSL_FIPSCANISTER
-# include <openssl/fipssyms.h>
-#endif
-
.text
.set noat
#if !defined(__mips_eabi) && (!defined(__vxworks) || defined(__pic__))
diff --git a/crypto/sparccpuid.S b/crypto/sparccpuid.S
index c6ca224..95acd2f 100644
--- a/crypto/sparccpuid.S
+++ b/crypto/sparccpuid.S
@@ -5,10 +5,6 @@
! in the file LICENSE in the source distribution or at
! https://www.openssl.org/source/license.html
-#ifdef OPENSSL_FIPSCANISTER
-#include <openssl/fipssyms.h>
-#endif
-
#if defined(__SUNPRO_C) && defined(__sparcv9)
# define ABI64 /* They've said -xarch=v9 at command line */
#elif defined(__GNUC__) && defined(__arch64__)
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index 9df0ecb..24ebafb 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -193,17 +193,8 @@ This modules has the name B<alg_section> which points to a section containing
algorithm commands.
Currently the only algorithm command supported is B<fips_mode> whose
-value should be a boolean string such as B<on> or B<off>. If the value is
-B<on> this attempt to enter FIPS mode. If the call fails or the library is
-not FIPS capable then an error occurs.
-
-For example:
-
- alg_section = evp_settings
-
- [evp_settings]
-
- fips_mode = on
+value can only be the boolean string B<off>. If B<fips_mode> is set to B<on>,
+an error occurs as this library version is not FIPS capable.
=head2 SSL Configuration Module
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index df6e045..c6e15a5 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -40,11 +40,7 @@ extern "C" {
* major minor fix final patch/beta)
*/
# define OPENSSL_VERSION_NUMBER 0x10101000L
-# ifdef OPENSSL_FIPS
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-fips-dev xx XXX xxxx"
-# else
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-dev xx XXX xxxx"
-# endif
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-dev xx XXX xxxx"
/*-
* The macros below are to be used for shared library (.so, .dll, ...)
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index df7d012..84f54cb 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -1119,13 +1119,6 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
EVP_MD_CTX_free(hmac);
return 0;
}
- if (!send && !SSL_READ_ETM(ssl) && FIPS_mode())
- if (!tls_fips_digest_extra(ssl->enc_read_ctx,
- mac_ctx, rec->input,
- rec->length, rec->orig_len)) {
- EVP_MD_CTX_free(hmac);
- return 0;
- }
}
EVP_MD_CTX_free(hmac);
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index 3a75745..186ab17 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -89,8 +89,6 @@ static void tls1_sha512_final_raw(void *ctx, unsigned char *md_out)
*/
char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
{
- if (FIPS_mode())
- return 0;
switch (EVP_MD_CTX_type(ctx)) {
case NID_md5:
case NID_sha1:
@@ -483,49 +481,3 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
EVP_MD_CTX_free(md_ctx);
return 0;
}
-
-/*
- * Due to the need to use EVP in FIPS mode we can't reimplement digests but
- * we can ensure the number of blocks processed is equal for all cases by
- * digesting additional data.
- */
-
-int tls_fips_digest_extra(const EVP_CIPHER_CTX *cipher_ctx,
- EVP_MD_CTX *mac_ctx, const unsigned char *data,
- size_t data_len, size_t orig_len)
-{
- size_t block_size, digest_pad, blocks_data, blocks_orig;
- if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE)
- return 1;
- block_size = EVP_MD_CTX_block_size(mac_ctx);
- /*-
- * We are in FIPS mode if we get this far so we know we have only SHA*
- * digests and TLS to deal with.
- * Minimum digest padding length is 17 for SHA384/SHA512 and 9
- * otherwise.
- * Additional header is 13 bytes. To get the number of digest blocks
- * processed round up the amount of data plus padding to the nearest
- * block length. Block length is 128 for SHA384/SHA512 and 64 otherwise.
- * So we have:
- * blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size
- * equivalently:
- * blocks = (payload_len + digest_pad + 12)/block_size + 1
- * HMAC adds a constant overhead.
- * We're ultimately only interested in differences so this becomes
- * blocks = (payload_len + 29)/128
- * for SHA384/SHA512 and
- * blocks = (payload_len + 21)/64
- * otherwise.
- */
- digest_pad = block_size == 64 ? 21 : 29;
- blocks_orig = (orig_len + digest_pad) / block_size;
- blocks_data = (data_len + digest_pad) / block_size;
- /*
- * MAC enough blocks to make up the difference between the original and
- * actual lengths plus one extra block to ensure this is never a no op.
- * The "data" pointer should always have enough space to perform this
- * operation as it is large enough for a maximum length TLS buffer.
- */
- return EVP_DigestSignUpdate(mac_ctx, data,
- (blocks_orig - blocks_data + 1) * block_size);
-}
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index e64e3da..0b60deb 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -577,9 +577,6 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
s->ssl_version < TLS1_VERSION)
return 1;
- if (FIPS_mode())
- return 1;
-
if (c->algorithm_enc == SSL_RC4 &&
c->algorithm_mac == SSL_MD5 &&
(evp = EVP_get_cipherbyname("RC4-HMAC-MD5")))
@@ -687,8 +684,6 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
/* drop those that use any of that is not available */
if (c == NULL || !c->valid)
continue;
- if (FIPS_mode() && (c->algo_strength & SSL_FIPS))
- continue;
if ((c->algorithm_mkey & disabled_mkey) ||
(c->algorithm_auth & disabled_auth) ||
(c->algorithm_enc & disabled_enc) ||
@@ -1495,8 +1490,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK
* to the resulting precedence to the STACK_OF(SSL_CIPHER).
*/
for (curr = head; curr != NULL; curr = curr->next) {
- if (curr->active
- && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) {
+ if (curr->active) {
if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
OPENSSL_free(co_list);
sk_SSL_CIPHER_free(cipherstack);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 9382c2e..39254f1 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2504,11 +2504,6 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL))
return NULL;
- if (FIPS_mode() && (meth->version < TLS1_VERSION)) {
- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE);
- return NULL;
- }
-
if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
goto err;
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index ac8c826..565fa36 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2358,10 +2358,6 @@ __owur int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
const unsigned char *mac_secret,
size_t mac_secret_length, char is_sslv3);
-__owur int tls_fips_digest_extra(const EVP_CIPHER_CTX *cipher_ctx,
- EVP_MD_CTX *mac_ctx, const unsigned char *data,
- size_t data_len, size_t orig_len);
-
__owur int srp_generate_server_master_secret(SSL *s);
__owur int srp_generate_client_master_secret(SSL *s);
__owur int srp_verify_server_param(SSL *s, int *al);
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index c871c00..ed1ecce 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1321,8 +1321,6 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
return SSL_R_UNSUPPORTED_PROTOCOL;
if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
- else if ((method->flags & SSL_METHOD_NO_FIPS) != 0 && FIPS_mode())
- return SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE;
return 0;
}
@@ -1680,7 +1678,7 @@ int ssl_choose_client_version(SSL *s, int version)
* Work out what version we should be using for the initial ClientHello if the
* version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
* options, the MinProtocol and MaxProtocol configuration commands, any Suite B
- * or FIPS_mode() constraints and any floor imposed by the security level here,
+ * constraints and any floor imposed by the security level here,
* so we don't advertise the wrong protocol version to only reject the outcome later.
*
* Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
diff --git a/test/ssltest_old.c b/test/ssltest_old.c
index 1bfa983..649215d 100644
--- a/test/ssltest_old.c
+++ b/test/ssltest_old.c
@@ -699,9 +699,6 @@ static void sv_usage(void)
{
fprintf(stderr, "usage: ssltest [args ...]\n");
fprintf(stderr, "\n");
-#ifdef OPENSSL_FIPS
- fprintf(stderr, "-F - run test in FIPS mode\n");
-#endif
fprintf(stderr, " -server_auth - check server certificate\n");
fprintf(stderr, " -client_auth - do client authentication\n");
fprintf(stderr, " -v - more output\n");
@@ -989,9 +986,6 @@ int main(int argc, char *argv[])
COMP_METHOD *cm = NULL;
STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
#endif
-#ifdef OPENSSL_FIPS
- int fips_mode = 0;
-#endif
int no_protocol;
int min_version = 0, max_version = 0;
#ifndef OPENSSL_NO_CT
@@ -1060,13 +1054,9 @@ int main(int argc, char *argv[])
while (argc >= 1) {
if (strcmp(*argv, "-F") == 0) {
-#ifdef OPENSSL_FIPS
- fips_mode = 1;
-#else
fprintf(stderr,
"not compiled with FIPS support, so exiting without running.\n");
EXIT(0);
-#endif
} else if (strcmp(*argv, "-server_auth") == 0)
server_auth = 1;
else if (strcmp(*argv, "-client_auth") == 0)
@@ -1383,15 +1373,6 @@ int main(int argc, char *argv[])
"to avoid protocol mismatch.\n");
EXIT(1);
}
-#ifdef OPENSSL_FIPS
- if (fips_mode) {
- if (!FIPS_mode_set(1)) {
- ERR_print_errors(bio_err);
- EXIT(1);
- } else
- fprintf(stderr, "*** IN FIPS MODE ***\n");
- }
-#endif
if (print_time) {
if (bio_type != BIO_PAIR) {
diff --git a/util/fipslink.pl b/util/fipslink.pl
deleted file mode 100644
index bb685bf..0000000
--- a/util/fipslink.pl
+++ /dev/null
@@ -1,115 +0,0 @@
-#! /usr/bin/env perl
-# Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the OpenSSL license (the "License"). You may not use
-# this file except in compliance with the License. You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-sub check_env
- {
- my @ret;
- foreach (@_)
- {
- die "Environment variable $_ not defined!\n" unless exists $ENV{$_};
- push @ret, $ENV{$_};
- }
- return @ret;
- }
-
-
-my ($fips_cc,$fips_cc_args, $fips_link,$fips_target, $fips_libdir, $sha1_exe)
- = check_env("FIPS_CC", "FIPS_CC_ARGS", "FIPS_LINK", "FIPS_TARGET",
- "FIPSLIB_D", "FIPS_SHA1_EXE");
-
-
-
-if (exists $ENV{"PREMAIN_DSO_EXE"})
- {
- $fips_premain_dso = $ENV{"PREMAIN_DSO_EXE"};
- }
- else
- {
- $fips_premain_dso = "";
- }
-
-check_hash($sha1_exe, "fips_premain.c");
-check_hash($sha1_exe, "fipscanister.lib");
-
-
-print "Integrity check OK\n";
-
-if (is_premain_linked(@ARGV)) {
- print "$fips_cc $fips_cc_args $fips_libdir/fips_premain.c\n";
- system "$fips_cc $fips_cc_args $fips_libdir/fips_premain.c";
- die "First stage Compile failure" if $? != 0;
-} elsif (!defined($ENV{FIPS_SIG})) {
- die "no fips_premain.obj linked";
-}
-
-print "$fips_link @ARGV\n";
-system "$fips_link @ARGV";
-die "First stage Link failure" if $? != 0;
-
-if (defined($ENV{FIPS_SIG})) {
- print "$ENV{FIPS_SIG} $fips_target\n";
- system "$ENV{FIPS_SIG} $fips_target";
- die "$ENV{FIPS_SIG} $fips_target failed" if $? != 0;
- exit;
-}
-
-print "$fips_premain_dso $fips_target\n";
-system("$fips_premain_dso $fips_target >$fips_target.sha1");
-die "Get hash failure" if $? != 0;
-open my $sha1_res, '<', $fips_target.".sha1" or die "Get hash failure";
-$fips_hash=<$sha1_res>;
-close $sha1_res;
-unlink $fips_target.".sha1";
-$fips_hash =~ s|\R$||; # Better chomp
-die "Get hash failure" if $? != 0;
-
-
-print "$fips_cc -DHMAC_SHA1_SIG=\\\"$fips_hash\\\" $fips_cc_args $fips_libdir/fips_premain.c\n";
-system "$fips_cc -DHMAC_SHA1_SIG=\\\"$fips_hash\\\" $fips_cc_args $fips_libdir/fips_premain.c";
-die "Second stage Compile failure" if $? != 0;
-
-
-print "$fips_link @ARGV\n";
-system "$fips_link @ARGV";
-die "Second stage Link failure" if $? != 0;
-
-sub is_premain_linked
- {
- return 1 if (grep /fips_premain\.obj/, at _);
- foreach (@_)
- {
- if (/^@(.*)/ && -f $1)
- {
- open FD,$1 or die "can't open $1";
- my $ret = (grep /fips_premain\.obj/,<FD>)?1:0;
- close FD;
- return $ret;
- }
- }
- return 0;
- }
-
-sub check_hash
- {
- my ($sha1_exe, $filename) = @_;
- my ($hashfile, $hashval);
-
- open(IN, "${fips_libdir}/${filename}.sha1") || die "Cannot open file hash file ${fips_libdir}/${filename}.sha1";
- $hashfile = <IN>;
- close IN;
- $hashval = `$sha1_exe ${fips_libdir}/$filename`;
- $hashfile =~ s|\R$||; # Better chomp
- $hashval =~ s|\R$||; # Better chomp
- $hashfile =~ s/^.*=\s+//;
- $hashval =~ s/^.*=\s+//;
- die "Invalid hash syntax in file" if (length($hashfile) != 40);
- die "Invalid hash received for file" if (length($hashval) != 40);
- die "***HASH VALUE MISMATCH FOR FILE $filename ***" if ($hashval ne $hashfile);
- }
-
-
diff --git a/util/incore b/util/incore
deleted file mode 100755
index 26fcf95..0000000
--- a/util/incore
+++ /dev/null
@@ -1,454 +0,0 @@
-#! /usr/bin/env perl
-# Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the OpenSSL license (the "License"). You may not use
-# this file except in compliance with the License. You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-# The script embeds fingerprint into ELF executable object, either
-# application binary or shared library.
-
-######################################################################
-#
-# ELF symbol table parser by <appro at openssl.org>. The table entries
-# are extended with offset within executable file...
-#
-{ package ELF;
- use FileHandle;
-
- sub dup { my %copy=map {$_} @_; return \%copy; }
-
- sub Load {
- my $class = shift;
- my $self = {};
- my $FD = FileHandle->new(); # autoclose
-
- bless $self,$class;
-
- sysopen($FD,shift,0) or die "$!";
- binmode($FD);
-
- #################################################
- # read and parse elf_ehdr.e_ident...
- #
- read($FD,my $elf,16) or die "$!";
-
- my %e_ident;
- @e_ident{magic,class,data,version,osabi,abiver,pad}=
- unpack("a4C*",$elf);
-
- $!=42; # signal fipsld to revert to two-step link
- die "not ELF file" if ($e_ident{magic} ne chr(0177)."ELF");
-
- my $elf_bits = $e_ident{class}*32; # 32 or 64
- my $big_endian = $e_ident{data}-1; # 0 or 1
-
- if ($elf_bits==64) {
- if (!(((1<<31)<<1) && $big_endian==(unpack("L",pack("N",1))==1))) {
- die "ELF64 is supported only natively";
- }
- }
-
- #################################################
- # read and parse remainder of elf_ehdr...
- #
- read($FD,my $elfhdr,64) or die "$!";
-
- my %elf_ehdr;
- @elf_ehdr{e_type,e_machine,e_version,
- e_entry,e_phoff,e_shoff,e_flags,e_ehsize,
- e_phentsize,e_phnum,e_shentsize,e_shnum,e_shstrndx} =
- $elf_bits==32 ?
- unpack($big_endian?"nnN5n6":"vvV5v6",$elfhdr)
- : unpack("SSLQ3LS6",$elfhdr);
-
- # put aside e_machine in case one has to treat specific
- # platforms differently, see EM_ constants in elf.h for
- # assortment...
- $self->{e_machine} = $elf_ehdr{e_machine};
-
- #################################################
- # read and parse elf_shdr table...
- #
- my ($i,$sz,$symtab_idx,$blob,$strings);
-
- seek($FD,$elf_ehdr{e_shoff},0) or die "$!";
- read($FD,$blob,$elf_ehdr{e_shentsize}*$elf_ehdr{e_shnum}) or die "$!";
-
- my @sections;
- my $elf_shdr_struct=($elf_bits==32?($big_endian?"N10":"V10"):"L2Q4L2Q2");
- for ($sz=$elf_ehdr{e_shentsize},$i=0;$i<length($blob);$i+=$sz) {
- my %elf_shdr;
-
- @elf_shdr{sh_name,sh_type,sh_flags,
- sh_addr,sh_offset,sh_size,
- sh_link,sh_info,sh_addalign,sh_entsize} =
- unpack($elf_shdr_struct,substr($blob,$i,$sz));
-
- push(@sections,dup(%elf_shdr));
-
- # note SHT_SYMTAB or SHT_DYNSYM for future reference
- if ($elf_shdr{sh_type}==2 || $elf_shdr{sh_type}==11) {
- $symtab_idx = $#sections;
- }
- }
-
- # read strings table and map section names...
- seek($FD, at sections[$elf_ehdr{e_shstrndx}]->{sh_offset},0) or die "$!";
- read($FD,$strings, at sections[$elf_ehdr{e_shstrndx}]->{sh_size}) or die "$!";
- for (@sections) {
- $_->{sh_name}=(split(chr(0),substr($strings,$_->{sh_name},64)))[0];
- }
-
- #################################################
- # read symbol strings table...
- #
- $i=@sections[$symtab_idx]->{sh_link};
- seek($FD, at sections[$i]->{sh_offset},0) or die "$!";
- read($FD,$strings, at sections[$i]->{sh_size}) or die "$!";
-
- #################################################
- # read and parse elf_sym table...
- #
- seek($FD, at sections[$symtab_idx]->{sh_offset},0) or die "$!";
- read($FD,my $blob, at sections[$symtab_idx]->{sh_size}) or die "$!";
-
- for ($sz=@sections[$symtab_idx]->{sh_entsize},$i=0;$i<length($blob);$i+=$sz) {
- my %elf_sym;
-
- if ($elf_bits==32) {
- @elf_sym{st_name,st_value,st_size,st_info,st_other,st_shndx} =
- unpack($big_endian?"N3CCn":"V3CCv",substr($blob,$i,$sz));
- } else {
- @elf_sym{st_name,st_info,st_other,st_shndx,st_value,st_size} =
- unpack("LCCSQQ",substr($blob,$i,$sz));
- }
-
- my $st_type = $elf_sym{st_info}&0xf;
- my $st_bind = $elf_sym{st_info}>>4;
- my $st_secn = $elf_sym{st_shndx};
- my $name;
- # (STT_OBJECT || STT_FUNC)
- if ($st_bind<3 && ($st_type==1 || $st_type==2)
- && $st_secn <= $#sections # sane st_shndx
- && @sections[$st_secn]->{sh_type} # not SHN_UNDEF
- && ($name=(split(chr(0),substr($strings,$elf_sym{st_name},128)))[0])
- ) {
- # synthesize st_offset, ...
- $elf_sym{st_offset} = $elf_sym{st_value}
- - @sections[$st_secn]->{sh_addr}
- + @sections[$st_secn]->{sh_offset};
- $elf_sym{st_name} = $name;
- $elf_sym{st_section} = @sections[$st_secn]->{sh_name};
- # ... and add to lookup table
- $self->{symbols}{$name} = dup(%elf_sym);
- }
- }
-
- return $self;
- }
-
- sub Lookup {
- my $self = shift;
- my $name = shift;
- return $self->{symbols}{$name};
- }
-
- sub Traverse {
- my $self = shift;
- my $code = shift;
-
- if (ref($code) eq 'CODE') {
- for (keys(%{$self->{symbols}})) { &$code($self->{symbols}{$_}); }
- }
- }
-}
-
-######################################################################
-#
-# SHA1 and HMAC in Perl by <appro at openssl.org>.
-#
-{ package SHA1;
- use integer;
-
- {
- ################################### SHA1 block code generator
- my @V = ('$A','$B','$C','$D','$E');
- my $i;
-
- sub XUpdate {
- my $ret;
- $ret="(\$T=\$W[($i-16)%16]^\$W[($i-14)%16]^\$W[($i-8)%16]^\$W[($i-3)%16],\n\t";
- if ((1<<31)<<1) {
- $ret.=" \$W[$i%16]=((\$T<<1)|(\$T>>31))&0xffffffff)\n\t ";
- } else {
- $ret.=" \$W[$i%16]=(\$T<<1)|((\$T>>31)&1))\n\t ";
- }
- }
- sub tail {
- my ($a,$b,$c,$d,$e)=@V;
- my $ret;
- if ((1<<31)<<1) {
- $ret.="(($a<<5)|($a>>27));\n\t";
- $ret.="$b=($b<<30)|($b>>2); $e&=0xffffffff; #$b&=0xffffffff;\n\t";
- } else {
- $ret.="(($a<<5)|($a>>27)&0x1f);\n\t";
- $ret.="$b=($b<<30)|($b>>2)&0x3fffffff;\n\t";
- }
- $ret;
- }
- sub BODY_00_15 {
- my ($a,$b,$c,$d,$e)=@V;
- "$e+=\$W[$i]+0x5a827999+((($c^$d)&$b)^$d)+".tail();
- }
- sub BODY_16_19 {
- my ($a,$b,$c,$d,$e)=@V;
- "$e+=".XUpdate()."+0x5a827999+((($c^$d)&$b)^$d)+".tail();
- }
- sub BODY_20_39 {
- my ($a,$b,$c,$d,$e)=@V;
- "$e+=".XUpdate()."+0x6ed9eba1+($b^$c^$d)+".tail();
- }
- sub BODY_40_59 {
- my ($a,$b,$c,$d,$e)=@V;
- "$e+=".XUpdate()."+0x8f1bbcdc+(($b&$c)|(($b|$c)&$d))+".tail();
- }
- sub BODY_60_79 {
- my ($a,$b,$c,$d,$e)=@V;
- "$e+=".XUpdate()."+0xca62c1d6+($b^$c^$d)+".tail();
- }
-
- my $sha1_impl =
- 'sub block {
- my $self = @_[0];
- my @W = unpack("N16", at _[1]);
- my ($A,$B,$C,$D,$E,$T) = @{$self->{H}};
- ';
-
- $sha1_impl.='
- $A &= 0xffffffff;
- $B &= 0xffffffff;
- ' if ((1<<31)<<1);
-
- for($i=0;$i<16;$i++){ $sha1_impl.=BODY_00_15(); unshift(@V,pop(@V)); }
- for(;$i<20;$i++) { $sha1_impl.=BODY_16_19(); unshift(@V,pop(@V)); }
- for(;$i<40;$i++) { $sha1_impl.=BODY_20_39(); unshift(@V,pop(@V)); }
- for(;$i<60;$i++) { $sha1_impl.=BODY_40_59(); unshift(@V,pop(@V)); }
- for(;$i<80;$i++) { $sha1_impl.=BODY_60_79(); unshift(@V,pop(@V)); }
-
- $sha1_impl.='
- $self->{H}[0]+=$A; $self->{H}[1]+=$B; $self->{H}[2]+=$C;
- $self->{H}[3]+=$D; $self->{H}[4]+=$E; }';
-
- #print $sha1_impl,"\n";
- eval($sha1_impl); # generate code
- }
-
- sub Init {
- my $class = shift; # multiple instances...
- my $self = {};
-
- bless $self,$class;
- $self->{H} = [0x67452301,0xefcdab89,0x98badcfe,0x10325476,0xc3d2e1f0];
- $self->{N} = 0;
- return $self;
- }
-
- sub Update {
- my $self = shift;
- my $msg;
-
- foreach $msg (@_) {
- my $len = length($msg);
- my $num = length($self->{buf});
- my $off = 0;
-
- $self->{N} += $len;
-
- if (($num+$len)<64)
- { $self->{buf} .= $msg; next; }
- elsif ($num)
- { $self->{buf} .= substr($msg,0,($off=64-$num));
- $self->block($self->{buf});
- }
-
- while(($off+64) <= $len)
- { $self->block(substr($msg,$off,64));
- $off += 64;
- }
-
- $self->{buf} = substr($msg,$off);
- }
- return $self;
- }
-
- sub Final {
- my $self = shift;
- my $num = length($self->{buf});
-
- $self->{buf} .= chr(0x80); $num++;
- if ($num>56)
- { $self->{buf} .= chr(0)x(64-$num);
- $self->block($self->{buf});
- $self->{buf}=undef;
- $num=0;
- }
- $self->{buf} .= chr(0)x(56-$num);
- $self->{buf} .= pack("N2",($self->{N}>>29)&0x7,$self->{N}<<3);
- $self->block($self->{buf});
-
- return pack("N*",@{$self->{H}});
- }
-
- sub Selftest {
- my $hash;
-
- $hash=SHA1->Init()->Update('abc')->Final();
- die "SHA1 test#1" if (unpack("H*",$hash) ne 'a9993e364706816aba3e25717850c26c9cd0d89d');
-
- $hash=SHA1->Init()->Update('abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq')->Final();
- die "SHA1 test#2" if (unpack("H*",$hash) ne '84983e441c3bd26ebaae4aa1f95129e5e54670f1');
-
- #$hash=SHA1->Init()->Update('a'x1000000)->Final();
- #die "SHA1 test#3" if (unpack("H*",$hash) ne '34aa973cd4c4daa4f61eeb2bdbad27316534016f');
- }
-}
-
-{ package HMAC;
-
- sub Init {
- my $class = shift;
- my $key = shift;
- my $self = {};
-
- bless $self,$class;
-
- if (length($key)>64) {
- $key = SHA1->Init()->Update($key)->Final();
- }
- $key .= chr(0x00)x(64-length($key));
-
- my @ikey = map($_^=0x36,unpack("C*",$key));
- ($self->{hash} = SHA1->Init())->Update(pack("C*", at ikey));
- $self->{okey} = pack("C*",map($_^=0x36^0x5c, at ikey));
-
- return $self;
- }
-
- sub Update {
- my $self = shift;
- $self->{hash}->Update(@_);
- return $self;
- }
-
- sub Final {
- my $self = shift;
- my $ihash = $self->{hash}->Final();
- return SHA1->Init()->Update($self->{okey},$ihash)->Final();
- }
-
- sub Selftest {
- my $hmac;
-
- $hmac = HMAC->Init('0123456789:;<=>?@ABC')->Update('Sample #2')->Final();
- die "HMAC test" if (unpack("H*",$hmac) ne '0922d3405faa3d194f82a45830737d5cc6c75d24');
- }
-}
-
-######################################################################
-#
-# main()
-#
-my $legacy_mode;
-
-if ($ARGV<0 || ($#ARGV>0 && !($legacy_mode=(@ARGV[0] =~ /^\-(dso|exe)$/)))) {
- print STDERR "usage: $0 [-dso|-exe] elfbinary\n";
- exit(1);
-}
-
-$exe = ELF->Load(@ARGV[$#ARGV]);
-
-$FIPS_text_start = $exe->Lookup("FIPS_text_start") or die;
-$FIPS_text_end = $exe->Lookup("FIPS_text_end") or die;
-$FIPS_rodata_start = $exe->Lookup("FIPS_rodata_start") or die;
-$FIPS_rodata_end = $exe->Lookup("FIPS_rodata_end") or die;
-$FIPS_signature = $exe->Lookup("FIPS_signature") or die;
-
-# new cross-compile support
-$FIPS_text_startX = $exe->Lookup("FIPS_text_startX");
-$FIPS_text_endX = $exe->Lookup("FIPS_text_endX");
-
-if (!$legacy_mode) {
- if (!$FIPS_text_startX || !$FIPS_text_endX) {
- print STDERR "@ARGV[$#ARGV] is not cross-compiler aware.\n";
- exit(42); # signal fipsld to revert to two-step link
- }
-
- $FINGERPRINT_ascii_value
- = $exe->Lookup("FINGERPRINT_ascii_value");
-
-}
-if ($FIPS_text_startX && $FIPS_text_endX) {
- $FIPS_text_start = $FIPS_text_startX;
- $FIPS_text_end = $FIPS_text_endX;
-}
-
-sysopen(FD, at ARGV[$#ARGV],$legacy_mode?0:2) or die "$!"; # 2 is read/write
-binmode(FD);
-
-sub HMAC_Update {
- my ($hmac,$off,$len) = @_;
- my $blob;
-
- seek(FD,$off,0) or die "$!";
- read(FD,$blob,$len) or die "$!";
- $$hmac->Update($blob);
-}
-
-# fips/fips.c:FIPS_incore_fingerprint's Perl twin
-#
-sub FIPS_incore_fingerprint {
- my $p1 = $FIPS_text_start->{st_offset};
- my $p2 = $FIPS_text_end->{st_offset};
- my $p3 = $FIPS_rodata_start->{st_offset};
- my $p4 = $FIPS_rodata_end->{st_offset};
- my $sig = $FIPS_signature->{st_offset};
- my $ctx = HMAC->Init("etaonrishdlcupfm");
-
- # detect overlapping regions
- if ($p1<=$p3 && $p2>=$p3) {
- $p3 = $p1; $p4 = $p2>$p4?$p2:$p4; $p1 = 0; $p2 = 0;
- } elsif ($p3<=$p1 && $p4>=$p1) {
- $p3 = $p3; $p4 = $p2>$p4?$p2:$p4; $p1 = 0; $p2 = 0;
- }
-
- if ($p1) {
- HMAC_Update (\$ctx,$p1,$p2-$p1);
- }
-
- if ($sig>=$p3 && $sig<$p4) {
- # "punch" hole
- HMAC_Update(\$ctx,$p3,$sig-$p3);
- $p3 = $sig+20;
- HMAC_Update(\$ctx,$p3,$p4-$p3);
- } else {
- HMAC_Update(\$ctx,$p3,$p4-$p3);
- }
-
- return $ctx->Final();
-}
-
-$fingerprint = FIPS_incore_fingerprint();
-
-if ($legacy_mode) {
- print unpack("H*",$fingerprint);
-} elsif (defined($FINGERPRINT_ascii_value)) {
- seek(FD,$FINGERPRINT_ascii_value->{st_offset},0) or die "$!";
- print FD unpack("H*",$fingerprint) or die "$!";
-} else {
- seek(FD,$FIPS_signature->{st_offset},0) or die "$!";
- print FD $fingerprint or die "$!";
-}
-
-close (FD);
More information about the openssl-commits
mailing list