openssl: Remove fips module from base system.

To comply with FIPS 140 guidance, you must be using a specifically
validated and approved version of the fips module. Currently, only
OpenSSL 3.0.8 and 3.0.9 have been approved by NIST for FIPS 140
validation. As such, we need to stop shipping later versions of the
module in the base system.

MFC after:	1 week
Differential Revision: https://reviews.freebsd.org/D46223
This commit is contained in:
Gordon Tetlow
2024-08-04 14:10:46 -07:00
parent a2f53837f0
commit 86dd740dd7
3 changed files with 4 additions and 341 deletions
+3
View File
@@ -51,6 +51,9 @@
# xargs -n1 | sort | uniq -d;
# done
# 20240827: retire fips.so
OLD_LIBS+=usr/lib/ossl-modules/fips.so
# 20240824: sound examples: midi.c moved out of oss/
OLD_FILES+=share/examples/sound/oss/midi.c
+1 -1
View File
@@ -1,4 +1,4 @@
SUBDIR= fips legacy
SUBDIR= legacy
SUBDIR_PARALLEL=
.include <bsd.subdir.mk>
-340
View File
@@ -1,340 +0,0 @@
SHLIB_NAME?= fips.so
CFLAGS+= -DFIPS_MODULE
SRCS+= fips_entry.c fipsprov.c self_test.c self_test_kats.c
.include "../../Makefile.common"
# crypto
SRCS+= provider_core.c provider_predefined.c \
core_fetch.c core_algorithm.c core_namemap.c self_test_core.c
SRCS+= cpuid.c ctype.c
.if defined(ASM_aarch64)
SRCS+= arm64cpuid.S armcap.c
ACFLAGS.arm64cpuid.S= -march=armv8-a+crypto
.elif defined(ASM_amd64)
SRCS+= x86_64cpuid.S
.elif defined(ASM_arm)
SRCS+= armv4cpuid.S armcap.c
.elif defined(ASM_i386)
SRCS+= x86cpuid.S
.elif defined(ASM_powerpc)
SRCS+= ppccpuid.S ppccap.c
.elif defined(ASM_powerpc64)
SRCS+= ppccpuid.S ppccap.c
.elif defined(ASM_powerpc64le)
SRCS+= ppccpuid.S ppccap.c
.else
SRCS+= mem_clr.c
.endif
# crypto/aes
SRCS+= aes_cfb.c aes_ecb.c aes_ige.c aes_misc.c aes_ofb.c aes_wrap.c
.if defined(ASM_aarch64)
SRCS+= aes_cbc.c aes_core.c aesv8-armx.S vpaes-armv8.S
ACFLAGS.aesv8-armx.S= -march=armv8-a+crypto
.elif defined(ASM_amd64)
SRCS+= aes-x86_64.S aesni-mb-x86_64.S aesni-sha1-x86_64.S
SRCS+= aesni-sha256-x86_64.S aesni-x86_64.S bsaes-x86_64.S vpaes-x86_64.S
.elif defined(ASM_arm)
SRCS+= aes_cbc.c aes-armv4.S aesv8-armx.S bsaes-armv7.S
.elif defined(ASM_i386)
SRCS+= aes-586.S aesni-x86.S vpaes-x86.S
.elif defined(ASM_powerpc)
SRCS+= aes_cbc.c aes_core.c aes-ppc.S vpaes-ppc.S aesp8-ppc.S
.elif defined(ASM_powerpc64)
SRCS+= aes_cbc.c aes_core.c aes-ppc.S vpaes-ppc.S aesp8-ppc.S
.elif defined(ASM_powerpc64le)
SRCS+= aes_cbc.c aes_core.c aes-ppc.S vpaes-ppc.S aesp8-ppc.S
.else
SRCS+= aes_cbc.c aes_core.c
.endif
# crypto/bn
SRCS+= bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c \
bn_mod.c bn_conv.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_sqr.c \
bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c
.if defined(ASM_aarch64)
SRCS+= armv8-mont.S bn_asm.c
.elif defined(ASM_amd64)
SRCS+= rsaz-avx2.S rsaz-avx512.S rsaz-x86_64.S rsaz_exp.c rsaz_exp_x2.c
SRCS+= x86_64-gcc.c x86_64-gf2m.S x86_64-mont.S x86_64-mont5.S
.elif defined(ASM_arm)
SRCS+= armv4-gf2m.S armv4-mont.S bn_asm.c
.elif defined(ASM_i386)
SRCS+= bn-586.S co-586.S x86-gf2m.S x86-mont.S
.elif defined(ASM_powerpc)
SRCS+= bn_ppc.c bn-ppc.S ppc-mont.S
.elif defined(ASM_powerpc64)
SRCS+= bn_ppc.c bn-ppc.S ppc-mont.S
.elif defined(ASM_powerpc64le)
SRCS+= bn_ppc.c bn-ppc.S ppc-mont.S
.else
SRCS+= bn_asm.c
.endif
# crypto/buffer
SRCS+= buffer.c
# crypto/cmac
SRCS+= cmac.c
# crypto/des
SRCS+= set_key.c ecb3_enc.c
.if defined(ASM_i386)
SRCS+= crypt586.S des-586.S
.else
SRCS+= des_enc.c fcrypt_b.c
.endif
# crypto/dh
SRCS+= dh_lib.c dh_key.c dh_group_params.c dh_check.c dh_backend.c dh_gen.c \
dh_kdf.c
# crypto/dsa
SRCS+= dsa_sign.c dsa_vrf.c dsa_lib.c dsa_ossl.c dsa_check.c \
dsa_key.c dsa_backend.c dsa_gen.c
# crypto/ec
SRCS+= ec_lib.c ecp_smpl.c ecp_mont.c ecp_nist.c ec_cvt.c ec_mult.c \
ec_curve.c ec_check.c ec_key.c ec_kmeth.c ecx_key.c ec_asn1.c \
ec2_smpl.c \
ecp_oct.c ec2_oct.c ec_oct.c ecdh_ossl.c \
ecdsa_ossl.c ecdsa_sign.c ecdsa_vrf.c curve25519.c \
curve448/f_generic.c curve448/scalar.c \
curve448/curve448_tables.c curve448/eddsa.c curve448/curve448.c \
ec_backend.c ecx_backend.c ecdh_kdf.c curve448/arch_64/f_impl64.c \
curve448/arch_32/f_impl32.c
SRCS+= cryptlib.c params.c params_from_text.c bsearch.c ex_data.c o_str.c \
threads_pthread.c threads_none.c initthread.c \
context.c sparse_array.c asn1_dsa.c packet.c param_build.c \
param_build_set.c der_writer.c threads_lib.c params_dup.c
.include <bsd.opts.mk>
.if ${MACHINE_ABI:Mlittle-endian} && ${MACHINE_ABI:Mlong64}
SRCS+= ecp_nistp224.c ecp_nistp256.c ecp_nistp521.c ecp_nistputil.c
.endif
.if defined(ASM_aarch64)
SRCS+= ecp_nistz256-armv8.S ecp_nistz256.c
.elif defined(ASM_amd64)
SRCS+= ecp_nistz256-x86_64.S ecp_nistz256.c x25519-x86_64.S
.elif defined(ASM_arm)
SRCS+= ecp_nistz256-armv4.S ecp_nistz256.c
.elif defined(ASM_i386)
SRCS+= ecp_nistz256-x86.S ecp_nistz256.c
.elif defined(ASM_powerpc64)
SRCS+= ecp_nistp521-ppc64.S ecp_nistz256-ppc64.S ecp_nistz256.c ecp_ppc.c x25519-ppc64.S
.elif defined(ASM_powerpc64le)
SRCS+= ecp_nistp521-ppc64.S ecp_nistz256-ppc64.S ecp_nistz256.c ecp_ppc.c x25519-ppc64.S
.endif
# crypto/evp
SRCS+= digest.c evp_enc.c evp_lib.c evp_fetch.c evp_utils.c \
mac_lib.c mac_meth.c keymgmt_meth.c keymgmt_lib.c kdf_lib.c kdf_meth.c \
m_sigver.c pmeth_lib.c signature.c p_lib.c pmeth_gn.c exchange.c \
evp_rand.c asymcipher.c kem.c dh_support.c ec_support.c pmeth_check.c
# crypto/ffc
SRCS+= ffc_params.c ffc_params_generate.c ffc_key_generate.c \
ffc_params_validate.c ffc_key_validate.c ffc_backend.c \
ffc_dh.c
# crypto/hmac
SRCS+= hmac.c
# crypto/lhash
SRCS+= lhash.c
# crypto/modes
SRCS+= cbc128.c ctr128.c cfb128.c ofb128.c gcm128.c ccm128.c xts128.c
SRCS+= wrap128.c
.if defined(ASM_aarch64)
SRCS+= ghashv8-armx.S aes-gcm-armv8_64.S
ACFLAGS.ghashv8-armx.S= -march=armv8-a+crypto
.elif defined(ASM_amd64)
SRCS+= aesni-gcm-x86_64.S ghash-x86_64.S
.elif defined(ASM_arm)
SRCS+= ghash-armv4.S ghashv8-armx.S
.elif defined(ASM_i386)
SRCS+= ghash-x86.S
.elif defined(ASM_powerpc)
SRCS+= ghashp8-ppc.S
.elif defined(ASM_powerpc64)
SRCS+= ghashp8-ppc.S
.elif defined(ASM_powerpc64le)
SRCS+= ghashp8-ppc.S
.endif
# crypto/property
SRCS+= property_string.c property_parse.c property_query.c property.c defn_cache.c
# crypto/rand
SRCS+= rand_lib.c
# crypto/rsa
SRCS+= rsa_ossl.c rsa_gen.c rsa_lib.c rsa_sign.c rsa_pk1.c \
rsa_none.c rsa_oaep.c rsa_chk.c rsa_pss.c rsa_x931.c rsa_crpt.c \
rsa_sp800_56b_gen.c rsa_sp800_56b_check.c rsa_backend.c \
rsa_mp_names.c rsa_schemes.c
SRCS+= rsa_acvp_test_params.c
# crypto/sha
SRCS+= sha1dgst.c sha256.c sha512.c sha3.c
.if defined(ASM_aarch64)
SRCS+= keccak1600-armv8.S sha1-armv8.S sha256-armv8.S sha512-armv8.S
.elif defined(ASM_amd64)
SRCS+= keccak1600-x86_64.S sha1-mb-x86_64.S sha1-x86_64.S
SRCS+= sha256-mb-x86_64.S sha256-x86_64.S sha512-x86_64.S
.elif defined(ASM_arm)
SRCS+= keccak1600-armv4.S sha1-armv4-large.S sha256-armv4.S sha512-armv4.S
.elif defined(ASM_i386)
SRCS+= keccak1600.c sha1-586.S sha256-586.S sha512-586.S
.elif defined(ASM_powerpc)
SRCS+= keccak1600.c sha_ppc.c sha1-ppc.S sha256-ppc.S sha512-ppc.S sha256p8-ppc.S sha512p8-ppc.S
.elif defined(ASM_powerpc64)
SRCS+= keccak1600-ppc64.S sha_ppc.c sha1-ppc.S sha256-ppc.S sha512-ppc.S sha256p8-ppc.S sha512p8-ppc.S
.elif defined(ASM_powerpc64le)
SRCS+= keccak1600-ppc64.S sha_ppc.c sha1-ppc.S sha256-ppc.S sha512-ppc.S sha256p8-ppc.S sha512p8-ppc.S
.else
SRCS+= keccak1600.c
.endif
# crypto/stack
SRCS+= stack.c
# common
SRCS+= capabilities.c bio_prov.c digest_to_nid.c \
securitycheck.c provider_seeding.c
SRCS+= securitycheck_fips.c
# common/der
SRCS+= der_rsa_gen.c der_rsa_key.c
SRCS+= der_rsa_sig.c
SRCS+= der_dsa_gen.c der_dsa_key.c
SRCS+= der_dsa_sig.c
SRCS+= der_ec_gen.c der_ec_key.c
SRCS+= der_ec_sig.c
SRCS+= der_ecx_gen.c der_ecx_key.c
SRCS+= der_wrap_gen.c
# asymciphers
SRCS+= rsa_enc.c
# ciphers
SRCS+= ciphercommon.c ciphercommon_hw.c ciphercommon_block.c \
ciphercommon_gcm.c ciphercommon_gcm_hw.c \
ciphercommon_ccm.c ciphercommon_ccm_hw.c
SRCS+= cipher_aes.c cipher_aes_hw.c \
cipher_aes_xts.c cipher_aes_xts_hw.c \
cipher_aes_gcm.c cipher_aes_gcm_hw.c \
cipher_aes_ccm.c cipher_aes_ccm_hw.c \
cipher_aes_wrp.c \
cipher_aes_cbc_hmac_sha.c \
cipher_aes_cbc_hmac_sha256_hw.c cipher_aes_cbc_hmac_sha1_hw.c \
cipher_cts.c
SRCS+= cipher_aes_xts_fips.c
SRCS+= cipher_tdes.c cipher_tdes_common.c cipher_tdes_hw.c
# digests
SRCS+= digestcommon.c
SRCS+= sha2_prov.c
SRCS+= sha3_prov.c
# exchange
SRCS+= dh_exch.c
SRCS+= ecx_exch.c
SRCS+= ecdh_exch.c
SRCS+= kdf_exch.c
# kdfs
SRCS+= tls1_prf.c
SRCS+= hkdf.c
SRCS+= kbkdf.c
SRCS+= pbkdf2.c
SRCS+= pbkdf2_fips.c
SRCS+= sskdf.c
SRCS+= sshkdf.c
SRCS+= x942kdf.c
# kem
SRCS+= rsa_kem.c
# keymgmt
SRCS+= dh_kmgmt.c
SRCS+= dsa_kmgmt.c
SRCS+= ec_kmgmt.c
SRCS+= ecx_kmgmt.c
SRCS+= kdf_legacy_kmgmt.c
SRCS+= mac_legacy_kmgmt.c
SRCS+= rsa_kmgmt.c
# macs
SRCS+= gmac_prov.c
SRCS+= hmac_prov.c
SRCS+= kmac_prov.c
SRCS+= cmac_prov.c
# rands
SRCS+= drbg.c test_rng.c drbg_ctr.c drbg_hash.c drbg_hmac.c crngt.c
# signature
SRCS+= dsa_sig.c
SRCS+= eddsa_sig.c ecdsa_sig.c
SRCS+= mac_legacy_sig.c
SRCS+= rsa_sig.c
# ssl
SRCS+= record/tls_pad.c s3_cbc.c
.include <bsd.lib.mk>
.if defined(ASM_${MACHINE_CPUARCH})
.PATH: ${SRCTOP}/sys/crypto/openssl/${MACHINE_CPUARCH}
.if defined(ASM_amd64)
.PATH: ${LCRYPTO_SRC}/crypto/bn/asm
.endif
.elif defined(ASM_${MACHINE_ARCH})
.PATH: ${SRCTOP}/sys/crypto/openssl/${MACHINE_ARCH}
.endif
.PATH: ${LCRYPTO_SRC}/crypto \
${LCRYPTO_SRC}/crypto/aes \
${LCRYPTO_SRC}/crypto/bio \
${LCRYPTO_SRC}/crypto/bn \
${LCRYPTO_SRC}/crypto/buffer \
${LCRYPTO_SRC}/crypto/cmac \
${LCRYPTO_SRC}/crypto/des \
${LCRYPTO_SRC}/crypto/dh \
${LCRYPTO_SRC}/crypto/dsa \
${LCRYPTO_SRC}/crypto/ec \
${LCRYPTO_SRC}/crypto/evp \
${LCRYPTO_SRC}/crypto/ffc \
${LCRYPTO_SRC}/crypto/hmac \
${LCRYPTO_SRC}/crypto/lhash \
${LCRYPTO_SRC}/crypto/modes \
${LCRYPTO_SRC}/crypto/property \
${LCRYPTO_SRC}/crypto/rand \
${LCRYPTO_SRC}/crypto/rsa \
${LCRYPTO_SRC}/crypto/sha \
${LCRYPTO_SRC}/crypto/stack \
${LCRYPTO_SRC}/providers/fips \
${LCRYPTO_SRC}/providers/common/der \
${LCRYPTO_SRC}/providers/implementations/asymciphers \
${LCRYPTO_SRC}/providers/implementations/ciphers \
${LCRYPTO_SRC}/providers/implementations/digests \
${LCRYPTO_SRC}/providers/implementations/exchange \
${LCRYPTO_SRC}/providers/implementations/kdfs \
${LCRYPTO_SRC}/providers/implementations/kem \
${LCRYPTO_SRC}/providers/implementations/keymgmt \
${LCRYPTO_SRC}/providers/implementations/macs \
${LCRYPTO_SRC}/providers/implementations/rands \
${LCRYPTO_SRC}/providers/implementations/signature \
${LCRYPTO_SRC}/ssl