Rebase OpenSSL FIPS stuff (todo: static, win32 and redhat)

middagj · Nov 25, 2014 · f9fac7a · f9fac7a
1 parent 3a2c375
commit f9fac7a
Show file tree

Hide file tree

Showing 33 changed files with 435 additions and 17 deletions.
diff --git a/FIPS-NOTES.md b/FIPS-NOTES.md
@@ -0,0 +1,56 @@
+# FIPS 140-2
+
+The OpenSSL crypto backend can be a FIPS 140-2 capable library,
+cf. the OpenSSL FIPS 140 documents SecurityPolicy and UserGuide.
+
+## Introduction
+
+Please read the OpenSSL FIPS 140 documents about to get
+a FIPS Capable OpenSSL library.
+
+## Hard points
+
+Reread the OpenSSL FIPS 140 documents as they are hard to apply.
+
+Note the following is for Unix/Linux.
+
+Now I suppose you have a >= 1.0.1e capable static library (a
+dynamic library is far easier but always possible and often
+dubious from a security point of view... BTW if you have built
+a FIPS Capable OpenSSL library you should not be afraid of
+extra complexity :-).
+
+Do not forget to compile OpenSSL with position indepent code
+(aka PIC) as the libsofthsm.so requires it. The FIPS module
+canister is already compiled this way.
+
+A usual issue is the C++ compiler not compiling .c files as C code.
+A simple test can show this, put in foo.c file this code:
+
+foo() { char *x = "ab"; }
+
+and compile with the C and C++ compilers with all warnings:
+the C++ compiler should raise an extra warning or error about
+the no type for foo() and/or for the char* string constant.
+
+When this raises some errors in the fispld script, you have to
+insert '-x c' and '-x none' before and after each .c file
+in the C++ commands, for instance using this wrapper:
+
+-------------------------------- cut here --------------------------------
+#!/bin/sh
+
+commands="g++"
+
+for elem in $@
+do
+ case $elem in
+   *.c) commands+=" -x c $elem -x none";;
+   *) commands+=" $elem";;
+ esac
+done
+
+exec $commands
+-------------------------------- end --------------------------------
+
+In any cases you have to set CC and CXX to fipsld.
diff --git a/m4/acx_crypto_backend.m4 b/m4/acx_crypto_backend.m4
@@ -42,6 +42,28 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[
 	fi
 	AM_CONDITIONAL([WITH_GOST], [test "x${enable_gost}" = "xyes"])
 
+	# Second check for the FIPS 140-2 mode
+
+	AC_ARG_ENABLE(fips,
+		AC_HELP_STRING([--enable-fips],
+			[Enable support for FIPS 140-2 mode (default disabled)]
+		),
+		[enable_fips="${enableval}"],
+		[enable_fips="no"]
+	)
+	AC_MSG_CHECKING(for FIPS 140-2 mode)
+	if test "x${enable_fips}" = "xyes"; then
+		AC_MSG_RESULT(yes)
+		AC_DEFINE_UNQUOTED(
+			[WITH_FIPS],
+			[],
+			[Compile with FIPS 140-2 mode]
+		)
+	else
+		AC_MSG_RESULT(no)
+	fi
+	AM_CONDITIONAL([WITH_GOST], [test "x${enable_fips}" = "xyes"])
+
 	# Then check what crypto library we want to use
 
 	AC_ARG_WITH(crypto-backend,
@@ -57,7 +79,11 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[
 	if test "x${crypto_backend}" = "xopenssl"; then
 		AC_MSG_RESULT(OpenSSL)
 
-		ACX_OPENSSL(1,0,0)
+		if test "x${enable_fips}" = "xyes"; then
+			ACX_OPENSSL(1,0,1)
+		else
+			ACX_OPENSSL(1,0,0)
+		fi
 
 		CRYPTO_INCLUDES=$OPENSSL_INCLUDES
 		CRYPTO_LIBS=$OPENSSL_LIBS
@@ -67,10 +93,17 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[
 		fi
 
 		if test "x${enable_gost}" = "xyes"; then
+			if test "x${enable_fips}" = "xyes"; then
+				AC_MSG_ERROR([GOST is not FIPS approved])
+			fi
 			ACX_OPENSSL_GOST
 		fi
 
-		ACX_OPENSSL_EVPAESWRAP
+		if test "x${enable_fips}" = "xyes"; then
+			ACX_OPENSSL_FIPS
+		else
+			ACX_OPENSSL_EVPAESWRAP
+		fi
 
 		AC_DEFINE_UNQUOTED(
 			[WITH_OPENSSL],
@@ -90,6 +123,10 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[
 			ACX_BOTAN_ECC
 		fi
 
+		if test	"x${enable_fips}" = "xyes"; then
+			AC_MSG_ERROR([Botan does not support FIPS 140-2 mode])
+		fi
+
 		if test "x${enable_gost}" = "xyes"; then
 			ACX_BOTAN_GOST
 		fi

diff --git a/m4/acx_openssl_fips.m4 b/m4/acx_openssl_fips.m4
@@ -0,0 +1,50 @@
+AC_DEFUN([ACX_OPENSSL_FIPS],[
+	AC_MSG_CHECKING(for OpenSSL FIPS capable library)
+
+	tmp_CPPFLAGS=$CPPFLAGS
+	tmp_LIBS=$LIBS
+
+	CPPFLAGS="$CPPFLAGS $CRYPTO_INCLUDES"
+	LIBS="$LIBS $CRYPTO_LIBS"
+
+	# check whether we can build an application which can
+	# "reference the OpenSSL FIPS object module"
+
+	AC_LANG_PUSH([C])
+	AC_RUN_IFELSE([
+		AC_LANG_SOURCE([[
+			#include <openssl/crypto.h>
+			int main()
+			{
+				return !FIPS_mode_set(1);
+			}
+		]])
+	],[
+		AC_MSG_RESULT([Found working FIPS_mode_set()])
+	],[
+		AC_MSG_RESULT([FIPS_mode_set(1) failed])
+		AC_MSG_ERROR([OpenSSL library is not FIPS capable])
+	],[])
+	AC_LANG_POP([C])
+
+	# build missing fips_premain_dso tool
+
+	if test "x${FIPSLD_CC}" != "x"; then
+		THERE="`echo $CC | sed -e 's|[[^/]]*$||'`"..
+		if test "x${FIPSLIBDIR}" != "x"; then
+			PREMAIN_C="${FIPSLIBDIR}/fips_premain.c"
+		elif test -f "${THERE}/fips/fips_premain.c"; then
+			PREMAIN_C="${THERE}/fips/fips_premain.c"
+		elif test -f "${THERE}/lib/fips_premain.c"; then
+			PREMAIN_C="${THERE}/lib/fips_premain.c"
+		else
+			AC_MSG_WARN([can't find fips_premain.c])
+		fi
+
+		$FIPSLD_CC $CPPFLAGS -DFINGERPRINT_PREMAIN_DSO_LOAD \
+		-o src/lib/fips_premain_dso $PREMAIN_C $LIBS
+	fi
+
+	CPPFLAGS=$tmp_CPPFLAGS
+	LIBS=$tmp_LIBS
+])
diff --git a/src/bin/keyconv/softhsm2-keyconv-ossl.cpp b/src/bin/keyconv/softhsm2-keyconv-ossl.cpp
@@ -51,6 +51,13 @@
 void crypto_init()
 {
 	OpenSSL_add_all_algorithms();
+#ifdef WITH_FIPS
+	if (!FIPS_mode_set(1))
+	{
+		fprintf(stderr, "ERROR: can't enter into FIPS mode.\n");
+		exit(0);
+	}
+#endif
 }
 
 // Final OpenSSL

diff --git a/src/bin/util/softhsm2-util-ossl.cpp b/src/bin/util/softhsm2-util-ossl.cpp
@@ -51,6 +51,16 @@ void crypto_init()
 {
 	// We do not need to do this one
 	// OpenSSL_add_all_algorithms();
+#ifdef WITH_FIPS
+	// The PKCS#11 library might be using a FIPS capable OpenSSL
+	if (FIPS_mode())
+		return;
+	if (!FIPS_mode_set(1))
+	{
+		fprintf(stderr, "ERROR: can't enter into FIPS mode.\n");
+		exit(0);
+	}
+#endif
 }
 
 // Final OpenSSL