Update README.FIPS to reflect changes.

[oweals/openssl.git] / Configure

diff --git a/Configure b/Configure
index 6717105ecb449b65519c4c0696a0189b4604cb4a..a7662c8b65dc0c661db57ad95016a7a4b019c449 100755 (executable)
--- a/Configure
+++ b/Configure
@@ -567,7 +567,7 @@ my $prefix="";
 my $openssldir="";
 my $exe_ext="";
 my $install_prefix="";
-my $fipslibdir="/usr/local/ssl/lib/fips-1.0/";
+my $fipslibdir="/usr/local/ssl/fips-1.0/lib/";
 my $nofipscanistercheck=0;
 my $fipsdso=0;
 my $fipscanisterinternal="n";
@@ -619,6 +619,7 @@ my %disabled = ( # "what"         => "comment"
                  "rfc3779"        => "default",
                  "seed"           => "default",
                  "shared"         => "default",
+                 "tlsext"         => "default",
                  "zlib"           => "default",
                  "zlib-dynamic"   => "default"
                );
@@ -882,6 +883,10 @@ if (defined($disabled{"md5"}) || defined($disabled{"sha"})
        $disabled{"tls1"} = "forced";
        }
 
+if (defined($disabled{"tls1"}))
+       {
+       $disabled{"tlsext"} = "forced";
+       }
 
 if ($target eq "TABLE") {
        foreach $target (sort keys %table) {
@@ -1010,7 +1015,7 @@ if ($openssldir eq "" and $prefix eq "")
        {
        if ($fips)
                {
-               $openssldir="/usr/local/ssl/fips-1.0";
+               $openssldir="/usr/local/ssl/fips";
                }
        else
                {
@@ -1165,6 +1170,8 @@ if ($no_asm)
        {
        $cpuid_obj=$bn_obj=$des_obj=$aes_obj=$bf_obj=$cast_obj=$rc4_obj=$rc5_obj="";
        $sha1_obj=$md5_obj=$rmd160_obj="";
+       $cflags=~s/\-D[BL]_ENDIAN//             if ($fips);
+       $thread_cflags=~s/\-D[BL]_ENDIAN//      if ($fips);
        }
 
 if (!$no_shared)
@@ -1219,12 +1226,19 @@ if (!$IsMK1MF)
        }
 
 $cpuid_obj.=" uplink.o uplink-cof.o" if ($cflags =~ /\-DOPENSSL_USE_APPLINK/);
-# Compiler fix-ups
-if ($target =~ /icc$/)
+
+#
+# Platform fix-ups
+#
+if ($target =~ /\-icc$/)       # Intel C compiler
        {
-       my($iccver)=`$cc -V 2>&1`;
-       if ($iccver =~ /Version ([0-9]+)\./)    { $iccver=$1; }
-       else                                    { $iccver=0;  }
+       my $iccver=0;
+       if (open(FD,"$cc -V 2>&1 |"))
+               {
+               while(<FD>) { $iccver=$1 if (/Version ([0-9]+)\./); }
+               close(FD);
+               }
+
        if ($iccver>=8)
                {
                # Eliminate unnecessary dependency from libirc.a. This is
@@ -1232,6 +1246,28 @@ if ($target =~ /icc$/)
                # apps/openssl can end up in endless loop upon startup...
                $cflags.=" -Dmemcpy=__builtin_memcpy -Dmemset=__builtin_memset";
                }
+       if ($iccver>=9)
+               {
+               $cflags.=" -i-static";
+               $cflags=~s/\-no_cpprt/-no-cpprt/;
+               }
+       if ($iccver>=10)
+               {
+               $cflags=~s/\-i\-static/-static-intel/;
+               }
+       }
+
+# Unlike other OSes (like Solaris, Linux, Tru64, IRIX) BSD run-time
+# linkers (tested OpenBSD, NetBSD and FreeBSD) "demand" RPATH set on
+# .so objects. Apparently application RPATH is not global and does
+# not apply to .so linked with other .so. Problem manifests itself
+# when libssl.so fails to load libcrypto.so. One can argue that we
+# should engrave this into Makefile.shared rules or into BSD-* config
+# lines above. Meanwhile let's try to be cautious and pass -rpath to
+# linker only when --prefix is not /usr.
+if ($target =~ /^BSD\-/)
+       {
+       $shared_ldflag.=" -Wl,-rpath,\$(LIBRPATH)" if ($prefix !~ m|^/usr[/]*$|);
        }
 
 if ($sys_id ne "")