Date: Sat, 31 Aug 2024 16:28:01 GMT From: Gordon Tetlow <gordon@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 86dd740dd73a - main - openssl: Remove fips module from base system. Message-ID: <202408311628.47VGS1UW098072@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by gordon: URL: https://cgit.FreeBSD.org/src/commit/?id=86dd740dd73aa88477ff450b2359abda1ad68534 commit 86dd740dd73aa88477ff450b2359abda1ad68534 Author: Gordon Tetlow <gordon@FreeBSD.org> AuthorDate: 2024-08-04 21:10:46 +0000 Commit: Gordon Tetlow <gordon@FreeBSD.org> CommitDate: 2024-08-31 16:24:30 +0000 openssl: Remove fips module from base system. To comply with FIPS 140 guidance, you must be using a specifically validated and approved version of the fips module. Currently, only OpenSSL 3.0.8 and 3.0.9 have been approved by NIST for FIPS 140 validation. As such, we need to stop shipping later versions of the module in the base system. MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D46223 --- ObsoleteFiles.inc | 3 + secure/lib/libcrypto/modules/Makefile | 2 +- secure/lib/libcrypto/modules/fips/Makefile | 340 ----------------------------- 3 files changed, 4 insertions(+), 341 deletions(-) diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc index 5ce960fdca82..fe1eb89f1c9c 100644 --- a/ObsoleteFiles.inc +++ b/ObsoleteFiles.inc @@ -51,6 +51,9 @@ # xargs -n1 | sort | uniq -d; # done +# 20240827: retire fips.so +OLD_LIBS+=usr/lib/ossl-modules/fips.so + # 20240824: sound examples: midi.c moved out of oss/ OLD_FILES+=share/examples/sound/oss/midi.c diff --git a/secure/lib/libcrypto/modules/Makefile b/secure/lib/libcrypto/modules/Makefile index 0e01eb3b8ef2..69a8470ff20b 100644 --- a/secure/lib/libcrypto/modules/Makefile +++ b/secure/lib/libcrypto/modules/Makefile @@ -1,4 +1,4 @@ -SUBDIR= fips legacy +SUBDIR= legacy SUBDIR_PARALLEL= .include <bsd.subdir.mk> diff --git a/secure/lib/libcrypto/modules/fips/Makefile b/secure/lib/libcrypto/modules/fips/Makefile deleted file mode 100644 index 0f4889f3ff81..000000000000 --- a/secure/lib/libcrypto/modules/fips/Makefile +++ /dev/null @@ -1,340 +0,0 @@ -SHLIB_NAME?= fips.so - -CFLAGS+= -DFIPS_MODULE - -SRCS+= fips_entry.c fipsprov.c self_test.c self_test_kats.c - -.include "../../Makefile.common" - -# crypto -SRCS+= provider_core.c provider_predefined.c \ - core_fetch.c core_algorithm.c core_namemap.c self_test_core.c - -SRCS+= cpuid.c ctype.c -.if defined(ASM_aarch64) -SRCS+= arm64cpuid.S armcap.c -ACFLAGS.arm64cpuid.S= -march=armv8-a+crypto -.elif defined(ASM_amd64) -SRCS+= x86_64cpuid.S -.elif defined(ASM_arm) -SRCS+= armv4cpuid.S armcap.c -.elif defined(ASM_i386) -SRCS+= x86cpuid.S -.elif defined(ASM_powerpc) -SRCS+= ppccpuid.S ppccap.c -.elif defined(ASM_powerpc64) -SRCS+= ppccpuid.S ppccap.c -.elif defined(ASM_powerpc64le) -SRCS+= ppccpuid.S ppccap.c -.else -SRCS+= mem_clr.c -.endif - -# crypto/aes -SRCS+= aes_cfb.c aes_ecb.c aes_ige.c aes_misc.c aes_ofb.c aes_wrap.c -.if defined(ASM_aarch64) -SRCS+= aes_cbc.c aes_core.c aesv8-armx.S vpaes-armv8.S -ACFLAGS.aesv8-armx.S= -march=armv8-a+crypto -.elif defined(ASM_amd64) -SRCS+= aes-x86_64.S aesni-mb-x86_64.S aesni-sha1-x86_64.S -SRCS+= aesni-sha256-x86_64.S aesni-x86_64.S bsaes-x86_64.S vpaes-x86_64.S -.elif defined(ASM_arm) -SRCS+= aes_cbc.c aes-armv4.S aesv8-armx.S bsaes-armv7.S -.elif defined(ASM_i386) -SRCS+= aes-586.S aesni-x86.S vpaes-x86.S -.elif defined(ASM_powerpc) -SRCS+= aes_cbc.c aes_core.c aes-ppc.S vpaes-ppc.S aesp8-ppc.S -.elif defined(ASM_powerpc64) -SRCS+= aes_cbc.c aes_core.c aes-ppc.S vpaes-ppc.S aesp8-ppc.S -.elif defined(ASM_powerpc64le) -SRCS+= aes_cbc.c aes_core.c aes-ppc.S vpaes-ppc.S aesp8-ppc.S -.else -SRCS+= aes_cbc.c aes_core.c -.endif - -# crypto/bn -SRCS+= bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c \ - bn_mod.c bn_conv.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \ - bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_sqr.c \ - bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \ - bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c -.if defined(ASM_aarch64) -SRCS+= armv8-mont.S bn_asm.c -.elif defined(ASM_amd64) -SRCS+= rsaz-avx2.S rsaz-avx512.S rsaz-x86_64.S rsaz_exp.c rsaz_exp_x2.c -SRCS+= x86_64-gcc.c x86_64-gf2m.S x86_64-mont.S x86_64-mont5.S -.elif defined(ASM_arm) -SRCS+= armv4-gf2m.S armv4-mont.S bn_asm.c -.elif defined(ASM_i386) -SRCS+= bn-586.S co-586.S x86-gf2m.S x86-mont.S -.elif defined(ASM_powerpc) -SRCS+= bn_ppc.c bn-ppc.S ppc-mont.S -.elif defined(ASM_powerpc64) -SRCS+= bn_ppc.c bn-ppc.S ppc-mont.S -.elif defined(ASM_powerpc64le) -SRCS+= bn_ppc.c bn-ppc.S ppc-mont.S -.else -SRCS+= bn_asm.c -.endif - -# crypto/buffer -SRCS+= buffer.c - -# crypto/cmac -SRCS+= cmac.c - -# crypto/des -SRCS+= set_key.c ecb3_enc.c -.if defined(ASM_i386) -SRCS+= crypt586.S des-586.S -.else -SRCS+= des_enc.c fcrypt_b.c -.endif - -# crypto/dh -SRCS+= dh_lib.c dh_key.c dh_group_params.c dh_check.c dh_backend.c dh_gen.c \ - dh_kdf.c - -# crypto/dsa -SRCS+= dsa_sign.c dsa_vrf.c dsa_lib.c dsa_ossl.c dsa_check.c \ - dsa_key.c dsa_backend.c dsa_gen.c - -# crypto/ec -SRCS+= ec_lib.c ecp_smpl.c ecp_mont.c ecp_nist.c ec_cvt.c ec_mult.c \ - ec_curve.c ec_check.c ec_key.c ec_kmeth.c ecx_key.c ec_asn1.c \ - ec2_smpl.c \ - ecp_oct.c ec2_oct.c ec_oct.c ecdh_ossl.c \ - ecdsa_ossl.c ecdsa_sign.c ecdsa_vrf.c curve25519.c \ - curve448/f_generic.c curve448/scalar.c \ - curve448/curve448_tables.c curve448/eddsa.c curve448/curve448.c \ - ec_backend.c ecx_backend.c ecdh_kdf.c curve448/arch_64/f_impl64.c \ - curve448/arch_32/f_impl32.c -SRCS+= cryptlib.c params.c params_from_text.c bsearch.c ex_data.c o_str.c \ - threads_pthread.c threads_none.c initthread.c \ - context.c sparse_array.c asn1_dsa.c packet.c param_build.c \ - param_build_set.c der_writer.c threads_lib.c params_dup.c - -.include <bsd.opts.mk> -.if ${MACHINE_ABI:Mlittle-endian} && ${MACHINE_ABI:Mlong64} -SRCS+= ecp_nistp224.c ecp_nistp256.c ecp_nistp521.c ecp_nistputil.c -.endif -.if defined(ASM_aarch64) -SRCS+= ecp_nistz256-armv8.S ecp_nistz256.c -.elif defined(ASM_amd64) -SRCS+= ecp_nistz256-x86_64.S ecp_nistz256.c x25519-x86_64.S -.elif defined(ASM_arm) -SRCS+= ecp_nistz256-armv4.S ecp_nistz256.c -.elif defined(ASM_i386) -SRCS+= ecp_nistz256-x86.S ecp_nistz256.c -.elif defined(ASM_powerpc64) -SRCS+= ecp_nistp521-ppc64.S ecp_nistz256-ppc64.S ecp_nistz256.c ecp_ppc.c x25519-ppc64.S -.elif defined(ASM_powerpc64le) -SRCS+= ecp_nistp521-ppc64.S ecp_nistz256-ppc64.S ecp_nistz256.c ecp_ppc.c x25519-ppc64.S -.endif - -# crypto/evp -SRCS+= digest.c evp_enc.c evp_lib.c evp_fetch.c evp_utils.c \ - mac_lib.c mac_meth.c keymgmt_meth.c keymgmt_lib.c kdf_lib.c kdf_meth.c \ - m_sigver.c pmeth_lib.c signature.c p_lib.c pmeth_gn.c exchange.c \ - evp_rand.c asymcipher.c kem.c dh_support.c ec_support.c pmeth_check.c - -# crypto/ffc -SRCS+= ffc_params.c ffc_params_generate.c ffc_key_generate.c \ - ffc_params_validate.c ffc_key_validate.c ffc_backend.c \ - ffc_dh.c - -# crypto/hmac -SRCS+= hmac.c - -# crypto/lhash -SRCS+= lhash.c - -# crypto/modes -SRCS+= cbc128.c ctr128.c cfb128.c ofb128.c gcm128.c ccm128.c xts128.c -SRCS+= wrap128.c -.if defined(ASM_aarch64) -SRCS+= ghashv8-armx.S aes-gcm-armv8_64.S -ACFLAGS.ghashv8-armx.S= -march=armv8-a+crypto -.elif defined(ASM_amd64) -SRCS+= aesni-gcm-x86_64.S ghash-x86_64.S -.elif defined(ASM_arm) -SRCS+= ghash-armv4.S ghashv8-armx.S -.elif defined(ASM_i386) -SRCS+= ghash-x86.S -.elif defined(ASM_powerpc) -SRCS+= ghashp8-ppc.S -.elif defined(ASM_powerpc64) -SRCS+= ghashp8-ppc.S -.elif defined(ASM_powerpc64le) -SRCS+= ghashp8-ppc.S -.endif - -# crypto/property -SRCS+= property_string.c property_parse.c property_query.c property.c defn_cache.c - -# crypto/rand -SRCS+= rand_lib.c - -# crypto/rsa -SRCS+= rsa_ossl.c rsa_gen.c rsa_lib.c rsa_sign.c rsa_pk1.c \ - rsa_none.c rsa_oaep.c rsa_chk.c rsa_pss.c rsa_x931.c rsa_crpt.c \ - rsa_sp800_56b_gen.c rsa_sp800_56b_check.c rsa_backend.c \ - rsa_mp_names.c rsa_schemes.c -SRCS+= rsa_acvp_test_params.c - -# crypto/sha -SRCS+= sha1dgst.c sha256.c sha512.c sha3.c -.if defined(ASM_aarch64) -SRCS+= keccak1600-armv8.S sha1-armv8.S sha256-armv8.S sha512-armv8.S -.elif defined(ASM_amd64) -SRCS+= keccak1600-x86_64.S sha1-mb-x86_64.S sha1-x86_64.S -SRCS+= sha256-mb-x86_64.S sha256-x86_64.S sha512-x86_64.S -.elif defined(ASM_arm) -SRCS+= keccak1600-armv4.S sha1-armv4-large.S sha256-armv4.S sha512-armv4.S -.elif defined(ASM_i386) -SRCS+= keccak1600.c sha1-586.S sha256-586.S sha512-586.S -.elif defined(ASM_powerpc) -SRCS+= keccak1600.c sha_ppc.c sha1-ppc.S sha256-ppc.S sha512-ppc.S sha256p8-ppc.S sha512p8-ppc.S -.elif defined(ASM_powerpc64) -SRCS+= keccak1600-ppc64.S sha_ppc.c sha1-ppc.S sha256-ppc.S sha512-ppc.S sha256p8-ppc.S sha512p8-ppc.S -.elif defined(ASM_powerpc64le) -SRCS+= keccak1600-ppc64.S sha_ppc.c sha1-ppc.S sha256-ppc.S sha512-ppc.S sha256p8-ppc.S sha512p8-ppc.S -.else -SRCS+= keccak1600.c -.endif - -# crypto/stack -SRCS+= stack.c - -# common -SRCS+= capabilities.c bio_prov.c digest_to_nid.c \ - securitycheck.c provider_seeding.c -SRCS+= securitycheck_fips.c - -# common/der -SRCS+= der_rsa_gen.c der_rsa_key.c -SRCS+= der_rsa_sig.c - -SRCS+= der_dsa_gen.c der_dsa_key.c -SRCS+= der_dsa_sig.c - -SRCS+= der_ec_gen.c der_ec_key.c -SRCS+= der_ec_sig.c - -SRCS+= der_ecx_gen.c der_ecx_key.c - -SRCS+= der_wrap_gen.c - -# asymciphers -SRCS+= rsa_enc.c - -# ciphers -SRCS+= ciphercommon.c ciphercommon_hw.c ciphercommon_block.c \ - ciphercommon_gcm.c ciphercommon_gcm_hw.c \ - ciphercommon_ccm.c ciphercommon_ccm_hw.c -SRCS+= cipher_aes.c cipher_aes_hw.c \ - cipher_aes_xts.c cipher_aes_xts_hw.c \ - cipher_aes_gcm.c cipher_aes_gcm_hw.c \ - cipher_aes_ccm.c cipher_aes_ccm_hw.c \ - cipher_aes_wrp.c \ - cipher_aes_cbc_hmac_sha.c \ - cipher_aes_cbc_hmac_sha256_hw.c cipher_aes_cbc_hmac_sha1_hw.c \ - cipher_cts.c -SRCS+= cipher_aes_xts_fips.c -SRCS+= cipher_tdes.c cipher_tdes_common.c cipher_tdes_hw.c - -# digests -SRCS+= digestcommon.c -SRCS+= sha2_prov.c -SRCS+= sha3_prov.c - -# exchange -SRCS+= dh_exch.c -SRCS+= ecx_exch.c -SRCS+= ecdh_exch.c -SRCS+= kdf_exch.c - -# kdfs -SRCS+= tls1_prf.c -SRCS+= hkdf.c -SRCS+= kbkdf.c -SRCS+= pbkdf2.c -SRCS+= pbkdf2_fips.c -SRCS+= sskdf.c -SRCS+= sshkdf.c -SRCS+= x942kdf.c - -# kem -SRCS+= rsa_kem.c - -# keymgmt -SRCS+= dh_kmgmt.c -SRCS+= dsa_kmgmt.c -SRCS+= ec_kmgmt.c -SRCS+= ecx_kmgmt.c -SRCS+= kdf_legacy_kmgmt.c -SRCS+= mac_legacy_kmgmt.c -SRCS+= rsa_kmgmt.c - -# macs -SRCS+= gmac_prov.c -SRCS+= hmac_prov.c -SRCS+= kmac_prov.c -SRCS+= cmac_prov.c - -# rands -SRCS+= drbg.c test_rng.c drbg_ctr.c drbg_hash.c drbg_hmac.c crngt.c - -# signature -SRCS+= dsa_sig.c -SRCS+= eddsa_sig.c ecdsa_sig.c -SRCS+= mac_legacy_sig.c -SRCS+= rsa_sig.c - -# ssl -SRCS+= record/tls_pad.c s3_cbc.c - -.include <bsd.lib.mk> - -.if defined(ASM_${MACHINE_CPUARCH}) -.PATH: ${SRCTOP}/sys/crypto/openssl/${MACHINE_CPUARCH} -.if defined(ASM_amd64) -.PATH: ${LCRYPTO_SRC}/crypto/bn/asm -.endif -.elif defined(ASM_${MACHINE_ARCH}) -.PATH: ${SRCTOP}/sys/crypto/openssl/${MACHINE_ARCH} -.endif - -.PATH: ${LCRYPTO_SRC}/crypto \ - ${LCRYPTO_SRC}/crypto/aes \ - ${LCRYPTO_SRC}/crypto/bio \ - ${LCRYPTO_SRC}/crypto/bn \ - ${LCRYPTO_SRC}/crypto/buffer \ - ${LCRYPTO_SRC}/crypto/cmac \ - ${LCRYPTO_SRC}/crypto/des \ - ${LCRYPTO_SRC}/crypto/dh \ - ${LCRYPTO_SRC}/crypto/dsa \ - ${LCRYPTO_SRC}/crypto/ec \ - ${LCRYPTO_SRC}/crypto/evp \ - ${LCRYPTO_SRC}/crypto/ffc \ - ${LCRYPTO_SRC}/crypto/hmac \ - ${LCRYPTO_SRC}/crypto/lhash \ - ${LCRYPTO_SRC}/crypto/modes \ - ${LCRYPTO_SRC}/crypto/property \ - ${LCRYPTO_SRC}/crypto/rand \ - ${LCRYPTO_SRC}/crypto/rsa \ - ${LCRYPTO_SRC}/crypto/sha \ - ${LCRYPTO_SRC}/crypto/stack \ - ${LCRYPTO_SRC}/providers/fips \ - ${LCRYPTO_SRC}/providers/common/der \ - ${LCRYPTO_SRC}/providers/implementations/asymciphers \ - ${LCRYPTO_SRC}/providers/implementations/ciphers \ - ${LCRYPTO_SRC}/providers/implementations/digests \ - ${LCRYPTO_SRC}/providers/implementations/exchange \ - ${LCRYPTO_SRC}/providers/implementations/kdfs \ - ${LCRYPTO_SRC}/providers/implementations/kem \ - ${LCRYPTO_SRC}/providers/implementations/keymgmt \ - ${LCRYPTO_SRC}/providers/implementations/macs \ - ${LCRYPTO_SRC}/providers/implementations/rands \ - ${LCRYPTO_SRC}/providers/implementations/signature \ - ${LCRYPTO_SRC}/ssl
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202408311628.47VGS1UW098072>