New build option fipsdso
authorDr. Stephen Henson <steve@openssl.org>
Thu, 25 Jan 2007 18:47:19 +0000 (18:47 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Thu, 25 Jan 2007 18:47:19 +0000 (18:47 +0000)
CHANGES
Configure
Makefile.org
fips-1.0/fipsld
test/Makefile

diff --git a/CHANGES b/CHANGES
index 8f20c5a3fa519ecbafe3a4b96efb279a0fd60afe..f72c65f765de999eebea6da3b1e90d539cc699fe 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 0.9.7l and 0.9.7m-fips2 [xx XXX xxxx]
 
+  *) New build option fipsdso to link fipscanister.o into a DSO called 
+     libfips.so and modify build system to link against it.
+     [Steve Henson]
+
   *) New version of RSA_{sign,verify} for FIPS code. This uses pregenerated
      DigestInfo encodings and thus avoids all ASN1 library dependencies. Update
      FIPS digests to use new functions. Remove large numbers of obsolete 
index c5ba750047d5c664ea56c2c5afb0703ca03769b4..24046a1e5d6522aeee992ab4f3480bc7ec7900b0 100755 (executable)
--- a/Configure
+++ b/Configure
@@ -623,6 +623,7 @@ my $exe_ext="";
 my $install_prefix="";
 my $fipslibdir="/usr/local/ssl/lib/";
 my $nofipscanistercheck=0;
+my $fipsdso=0;
 my $fipscanisterinternal="n";
 my $baseaddr="0xFB00000";
 my $no_threads=0;
@@ -843,6 +844,27 @@ PROCESS_ARGS:
                        # The check for the option is there so scripts aren't
                        # broken
                        }
+               elsif (/^nofipscanistercheck$/)
+                       {
+                       $fips = 1;
+                       $nofipscanistercheck = 1;
+                       }
+               elsif (/^fipscanisterbuild$/)
+                       {
+                       $fips = 1;
+                       $nofipscanistercheck = 1;
+                       $fipslibdir="";
+                       $fipscanisterinternal="y";
+                       }
+               elsif (/^fipsdso$/)
+                       {
+                       $fips = 1;
+                       $nofipscanistercheck = 1;
+                       $fipslibdir="";
+                       $fipscanisterinternal="y";
+                       $fipsdso = 1;
+                       $no_shared = 0;
+                       }
                elsif (/^[-+]/)
                        {
                        if (/^-[lL](.*)$/)
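Review bot: Moving `nofipscanistercheck` and `fipscanisterbuild` to bare-word options drops the `--` spellings, which the next hunk deletes from the `/^[-+]/` branch, so an existing script that passes `--nofipscanistercheck` or `--fipscanisterbuild` no longer reaches either arm. What such an argument falls into instead is outside this hunk, but it is presumably not a FIPS setting. Accepting both spellings keeps those scripts working, e.g. `elsif (/^(?:--)?nofipscanistercheck$/)` and `elsif (/^(?:--)?fipscanisterbuild$/)`. Both arms now also set `$fips = 1`, and `fipsdso` additionally forces `$nofipscanistercheck = 1` and `$no_shared = 0`; a comment such as `# fipsdso implies fips, an internally built canister with the canister check skipped, and shared libraries` would make that implication visible. The PROCESS_ARGS loop starts and ends outside the hunk.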
@@ -873,16 +895,6 @@ PROCESS_ARGS:
                                {
                                $withargs{"zlib-lib"}=$1;
                                }
-                       elsif (/^--nofipscanistercheck$/)
-                               {
-                               $nofipscanistercheck = 1;
-                               }
-                       elsif (/^--fipscanisterbuild$/)
-                               {
-                               $nofipscanistercheck = 1;
-                               $fipslibdir="";
-                               $fipscanisterinternal="y";
-                               }
                        elsif (/^--with-fipslibdir=(.*)$/)
                                {
                                $fipslibdir="$1/";
@@ -1356,6 +1368,16 @@ while (<IN>)
        s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
        s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/;
        s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
+       if ($fipsdso)
+               {
+               s/^FIPSCANLIB=.*/FIPSCANLIB=libfips/;
+               s/^SHARED_FIPS=.*/SHARED_FIPS=libfips\$(SHLIB_EXT)/;
+               }
+       else
+               {
+               s/^FIPSCANLIB=.*/FIPSCANLIB=/;
+               s/^SHARED_FIPS=.*/SHARED_FIPS=/;
+               }
        s/^FIPSCANISTERINTERNAL=.*/FIPSCANISTERINTERNAL=$fipscanisterinternal/;
        s/^BASEADDR=.*/BASEADDR=$baseaddr/;
        s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/;
index daeab8e3c88ab8b5d8c78a70e326828a3f17d006..a36340d5849f379d498d5125d675308c5eee3245 100644 (file)
@@ -185,6 +185,7 @@ LIBZLIB=
 
 FIPSLIBDIR=/usr/local/ssl/lib/
 FIPSCANISTERINTERNAL=n
+FIPSCANLIB=
 
 # Shared library base address. Currently only used on Windows.
 #
@@ -227,6 +228,7 @@ WDIRS=  windows
 LIBS=   libcrypto.a libssl.a
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
+SHARED_FIPS=
 SHARED_LIBS=
 SHARED_LIBS_LINK_EXTS=
 SHARED_LDFLAGS=
@@ -249,7 +251,7 @@ sub_all:
        do \
        if [ -d "$$i" ]; then \
                (cd $$i && echo "making all in $$i..." && \
-               $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' FIPS_AES_ENC='${FIPS_AES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}' FIPSLIBDIR='${FIPSLIBDIR}' all ) || exit 1; \
+               $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' FIPS_AES_ENC='${FIPS_AES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}' FIPSLIBDIR='${FIPSLIBDIR}' FIPSCANLIB='${FIPSCANLIB}' all ) || exit 1; \
        else \
                $(MAKE) $$i; \
        fi; \
@@ -266,9 +268,15 @@ sub_target:
        fi; \
        done;
 
-libcrypto$(SHLIB_EXT): libcrypto.a
+libcrypto$(SHLIB_EXT): libcrypto.a $(SHARED_FIPS)
        @if [ "$(SHLIB_TARGET)" != "" ]; then \
-               $(MAKE) SHLIBDIRS=crypto build-shared; \
+               if [ "$(FIPSCANLIB)" = "libfips" ]; then \
+                       $(ARD) libcrypto.a fipscanister.o ; \
+                       $(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \
+                       $(AR) libcrypto.a fips-1.0/fipscanister.o ; \
+               else \
+                       $(MAKE) SHLIBDIRS='crypto' build-shared; \
+               fi \
        else \
                echo "There's no support for shared libraries on this platform" >&2; \
        fi
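Review bot: In the `libfips` branch of the `libcrypto$(SHLIB_EXT)` rule the three commands are joined with `;`, so a failed `build-shared` is masked by the exit status of the final `$(AR)` call and make carries on with a stale or missing shared library. Capturing the status and returning it after the archive is restored would fix that, for example ending the make line with `build-shared; rc=$$?; \` and the restore line with `$(AR) libcrypto.a fips-1.0/fipscanister.o ; [ $$rc -eq 0 ] ; \`. Unlike fipsld, which restores the archive from a `trap`, this rule puts `fipscanister.o` back only if the shell reaches the last command, so an interrupted build leaves `libcrypto.a` without it. `$(ARD)` is not defined in the visible lines, so it is worth confirming it is set for every target that can select `fipsdso`.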
@@ -280,6 +288,13 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
                echo "There's no support for shared libraries on this platform" >&2; \
        fi
 
+libfips$(SHLIB_EXT):
+       @if [ "$(SHLIB_TARGET)" != "" ]; then \
+               $(MAKE) SHLIBDIRS=fips build-shared; \
+       else \
+               echo "There's no support for shared libraries on this platform" >&2; \
+       fi
+
 clean-shared:
        @for i in $(SHLIBDIRS); do \
                if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \
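Review bot: The new `libfips$(SHLIB_EXT):` rule lists no prerequisites, so once the file exists make treats it as up to date even after the canister object is rebuilt, and `libcrypto$(SHLIB_EXT)` can then be linked with `-lfips` against a stale library. Naming the object it is built from as a prerequisite would close that gap, e.g. `libfips$(SHLIB_EXT): fips-1.0/fipscanister.o`. That path is taken from the libcrypto rule in the previous hunk and is only inferred to be the input here, since `build-shared` is outside the hunk.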
index a28c67dd97c1f924932c4fda69a23a2577bd8a51..3db6fc3fb704fde22a00a2c202807e5a0622c64e 100755 (executable)
@@ -32,6 +32,11 @@ TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)`
 
 THERE="`echo $0 | sed -e 's|[^/]*$||'`"..
 
+# FIPSCANLIB is the library containing fipscanister.o by default it is
+# libcrypto.a
+
+FIPSCANLIB=${FIPSCANLIB:-libcrypto}
+
 # FIPSLIBDIR is location of installed validated FIPS module
 # if FIPSCANISTERINTERNAL="y" link against internally generated fipscanister.o
 if [ "x$FIPSCANISTERINTERNAL" != "xy" ]; then
@@ -59,7 +64,7 @@ case "${TARGET}" in
 esac
 
 case "${TARGET}" in
-*libcrypto*|*.dll)     # must be linking a shared lib...
+*${FIPCANLIB}*|*.dll)  # must be linking a shared lib...
        # Shared lib creation can be taking place in the source
        # directory only!!!
        FINGERTYPE="${THERE}/fips-1.0/sha/fips_standalone_sha1"
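Review bot: The new case pattern reads `*${FIPCANLIB}*`, but the variable the script sets a few lines earlier is `FIPSCANLIB`; `FIPCANLIB` is never assigned in the visible lines, so the pattern expands to `**` and matches every `${TARGET}`. Every link then takes the shared-library branch, which selects `FINGERTYPE` and goes on to the fingerprint handling, and any later arm for ordinary executables (outside this hunk) becomes unreachable. The line should be `*${FIPSCANLIB}*|*.dll)  # must be linking a shared lib...`. The case statement continues past the end of the hunk.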
@@ -78,15 +83,15 @@ echo Canister: $CANISTER_O
                diff -w "${PREMAIN_C}.sha1" - || \
        { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
 
-       # Temporarily remove fipscanister.o from libcrypto.a!
+       # Temporarily remove fipscanister.o from library!
        # We are required to use the standalone copy...
-       trap    'ar r "${THERE}/libcrypto.a" "${CANISTER_O}";
-                (ranlib "${THERE}/libcrypto.a") 2>/dev/null;
+       trap    'ar r "${THERE}/$FIPSCANLIB.a" "${CANISTER_O}";
+                (ranlib "${THERE}/$FIPSCANLIB.a") 2>/dev/null;
                 sleep 1;
                 touch -c "${TARGET}"' 0
 
-       ar d "${THERE}/libcrypto.a" fipscanister.o 2>&1 > /dev/null || :
-       (ranlib "${THERE}/libcrypto.a") 2>/dev/null || :
+       ar d "${THERE}/$FIPSCANLIB.a" fipscanister.o 2>&1 > /dev/null || :
+       (ranlib "${THERE}/$FIPSCANLIB.a") 2>/dev/null || :
 
        ${CC}   "${CANISTER_O}" \
                "${PREMAIN_C}" \
index 317df837fea6ff2a6154e4816103f485827f2f8b..1eeba890eb404636502903c6a6f815bf0c723a24 100644 (file)
@@ -342,8 +342,13 @@ STANDALONE_BUILD_CMD=SHARED_LIBS="$(SHARED_LIBS)"; \
        fi; \
        if [ -z "$$SHARED_LIBS" ]; then \
                set -x; $${CC:-$(CC)} -o $$target$(EXE_EXT) $(CFLAGS) $$target.o $(PEX_LIBS) $(LIBKRB5) $(EX_LIBS) ; \
-       else    set -x; LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-               $(CC) -o $$target$(EXE_EXT) $(CFLAGS) $$target.o $(PEX_LIBS) $(LIBKRB5) $(EX_LIBS) ; \
+       else    set -x; LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH ; \
+               if [ "$(FIPSCANLIB)" = "libfips" ]; then \
+                       fipsexlib="-lfips" ; \
+               else \
+                       fipsexlib="-lcrypto" ; \
+               fi ; \
+               $(CC) -o $$target$(EXE_EXT) $(CFLAGS) $$target.o $(PEX_LIBS) $(LIBKRB5) $(EX_LIBS) -L.. $$fipsexlib ; \
        fi
 
 FIPS_BUILD_CMD=if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
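Review bot: Adding `;` after `LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH` turns what was an environment prefix on the `$(CC)` command into a plain shell assignment, so when the caller has not already exported `LD_LIBRARY_PATH` the compiler and linker no longer see `..`. Exporting it restores the old behaviour: `else    set -x; LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH ; export LD_LIBRARY_PATH ; \`. When the variable is empty the value ends in `:`, which the dynamic loader treats as the current directory; writing `..$${LD_LIBRARY_PATH:+:$$LD_LIBRARY_PATH}` avoids that empty entry. `STANDALONE_BUILD_CMD` starts outside the hunk.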