From: Dr. Stephen Henson <steve@openssl.org>
Date: Thu, 25 Jan 2007 18:47:19 +0000 (+0000)
Subject: New build option fipsdso
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=af10d72e10ed519115552dbe563d6a3c484e796b;p=oweals%2Fopenssl.git

New build option fipsdso
---

diff --git a/CHANGES b/CHANGES
index 8f20c5a3fa..f72c65f765 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 0.9.7l and 0.9.7m-fips2 [xx XXX xxxx]
 
+  *) New build option fipsdso to link fipscanister.o into a DSO called 
+     libfips.so and modify build system to link against it.
+     [Steve Henson]
+
   *) New version of RSA_{sign,verify} for FIPS code. This uses pregenerated
      DigestInfo encodings and thus avoids all ASN1 library dependencies. Update
      FIPS digests to use new functions. Remove large numbers of obsolete 
diff --git a/Configure b/Configure
index c5ba750047..24046a1e5d 100755
--- a/Configure
+++ b/Configure
@@ -623,6 +623,7 @@ my $exe_ext="";
 my $install_prefix="";
 my $fipslibdir="/usr/local/ssl/lib/";
 my $nofipscanistercheck=0;
+my $fipsdso=0;
 my $fipscanisterinternal="n";
 my $baseaddr="0xFB00000";
 my $no_threads=0;
@@ -843,6 +844,27 @@ PROCESS_ARGS:
 			# The check for the option is there so scripts aren't
 			# broken
 			}
+		elsif (/^nofipscanistercheck$/)
+			{
+			$fips = 1;
+			$nofipscanistercheck = 1;
+			}
+		elsif (/^fipscanisterbuild$/)
+			{
+			$fips = 1;
+			$nofipscanistercheck = 1;
+			$fipslibdir="";
+			$fipscanisterinternal="y";
+			}
+		elsif (/^fipsdso$/)
+			{
+			$fips = 1;
+			$nofipscanistercheck = 1;
+			$fipslibdir="";
+			$fipscanisterinternal="y";
+			$fipsdso = 1;
+			$no_shared = 0;
+			}
 		elsif (/^[-+]/)
 			{
 			if (/^-[lL](.*)$/)
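Review bot: The new `fipsdso` branch sets `$nofipscanistercheck = 1` and clears `$fipslibdir` as a side effect, so choosing the DSO build presumably also skips the canister check and uses the in-tree fipscanister.o, and nothing in the branch says so. A comment such as `# fipsdso implies fipscanisterbuild: canister check is skipped, in-tree fipscanister.o is used` would make that explicit for anyone who relies on the check. The branch also forces `$no_shared = 0`, which looks order-dependent. Whether a `no-shared` argument given after `fipsdso` would win cannot be seen from this hunk; if it can, the combination should be rejected rather than resolved by position. The argument loop continues outside the hunk.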
@@ -873,16 +895,6 @@ PROCESS_ARGS:
 				{
 				$withargs{"zlib-lib"}=$1;
 				}
-			elsif (/^--nofipscanistercheck$/)
-				{
-				$nofipscanistercheck = 1;
-				}
-			elsif (/^--fipscanisterbuild$/)
-				{
-				$nofipscanistercheck = 1;
-				$fipslibdir="";
-				$fipscanisterinternal="y";
-				}
 			elsif (/^--with-fipslibdir=(.*)$/)
 				{
 				$fipslibdir="$1/";
@@ -1356,6 +1368,16 @@ while (<IN>)
 	s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
 	s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/;
 	s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
+	if ($fipsdso)
+		{
+		s/^FIPSCANLIB=.*/FIPSCANLIB=libfips/;
+		s/^SHARED_FIPS=.*/SHARED_FIPS=libfips\$(SHLIB_EXT)/;
+		}
+	else
+		{
+		s/^FIPSCANLIB=.*/FIPSCANLIB=/;
+		s/^SHARED_FIPS=.*/SHARED_FIPS=/;
+		}
 	s/^FIPSCANISTERINTERNAL=.*/FIPSCANISTERINTERNAL=$fipscanisterinternal/;
 	s/^BASEADDR=.*/BASEADDR=$baseaddr/;
 	s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/;
diff --git a/Makefile.org b/Makefile.org
index daeab8e3c8..a36340d584 100644
--- a/Makefile.org
+++ b/Makefile.org
@@ -185,6 +185,7 @@ LIBZLIB=
 
 FIPSLIBDIR=/usr/local/ssl/lib/
 FIPSCANISTERINTERNAL=n
+FIPSCANLIB=
 
 # Shared library base address. Currently only used on Windows.
 #
@@ -227,6 +228,7 @@ WDIRS=  windows
 LIBS=   libcrypto.a libssl.a
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
+SHARED_FIPS=
 SHARED_LIBS=
 SHARED_LIBS_LINK_EXTS=
 SHARED_LDFLAGS=
@@ -249,7 +251,7 @@ sub_all:
 	do \
 	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making all in $$i..." && \
-		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' FIPS_AES_ENC='${FIPS_AES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}' FIPSLIBDIR='${FIPSLIBDIR}' all ) || exit 1; \
+		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' FIPS_AES_ENC='${FIPS_AES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}' FIPSLIBDIR='${FIPSLIBDIR}' FIPSCANLIB='${FIPSCANLIB}' all ) || exit 1; \
 	else \
 		$(MAKE) $$i; \
 	fi; \
@@ -266,9 +268,15 @@ sub_target:
 	fi; \
 	done;
 
-libcrypto$(SHLIB_EXT): libcrypto.a
+libcrypto$(SHLIB_EXT): libcrypto.a $(SHARED_FIPS)
 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
-		$(MAKE) SHLIBDIRS=crypto build-shared; \
+		if [ "$(FIPSCANLIB)" = "libfips" ]; then \
+			$(ARD) libcrypto.a fipscanister.o ; \
+			$(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \
+			$(AR) libcrypto.a fips-1.0/fipscanister.o ; \
+		else \
+			$(MAKE) SHLIBDIRS='crypto' build-shared; \
+		fi \
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
 	fi
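Review bot: In the `libfips` branch the exit status of `$(MAKE) ... build-shared` is discarded, because the commands are joined with `;` and the last one to run is `$(AR) libcrypto.a fips-1.0/fipscanister.o`. A failed shared-library link would be reported as success as long as the archive restore works. Keeping the restore unconditional is right, but the status should be carried across it: `$(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; rc=$$?; \` followed by `$(AR) libcrypto.a fips-1.0/fipscanister.o ; exit $$rc; \`. An interrupt between `$(ARD)` and `$(AR)` also leaves libcrypto.a without fipscanister.o, which deserves a comment since the static archive is a build product in its own right.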
@@ -280,6 +288,13 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
 		echo "There's no support for shared libraries on this platform" >&2; \
 	fi
 
+libfips$(SHLIB_EXT):
+	@if [ "$(SHLIB_TARGET)" != "" ]; then \
+		$(MAKE) SHLIBDIRS=fips build-shared; \
+	else \
+		echo "There's no support for shared libraries on this platform" >&2; \
+	fi
+
 clean-shared:
 	@for i in $(SHLIBDIRS); do \
 		if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \
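Review bot: The new `libfips$(SHLIB_EXT):` rule has no prerequisites, so once the file exists make never considers it out of date, and a rebuilt canister would leave the previous DSO in place. The sibling rules list their archives (`libcrypto$(SHLIB_EXT): libcrypto.a $(SHARED_FIPS)`). This rule should name whatever `SHLIBDIRS=fips build-shared` links from, presumably `libfips$(SHLIB_EXT): libfips.a`, though the rule for that archive is not visible in this diff. The `clean-shared` recipe that follows continues outside the hunk.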
diff --git a/fips-1.0/fipsld b/fips-1.0/fipsld
index a28c67dd97..3db6fc3fb7 100755
--- a/fips-1.0/fipsld
+++ b/fips-1.0/fipsld
@@ -32,6 +32,11 @@ TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)`
 
 THERE="`echo $0 | sed -e 's|[^/]*$||'`"..
 
+# FIPSCANLIB is the library containing fipscanister.o by default it is
+# libcrypto.a
+
+FIPSCANLIB=${FIPSCANLIB:-libcrypto}
+
 # FIPSLIBDIR is location of installed validated FIPS module
 # if FIPSCANISTERINTERNAL="y" link against internally generated fipscanister.o
 if [ "x$FIPSCANISTERINTERNAL" != "xy" ]; then
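Review bot: `FIPSCANLIB` is taken from the environment with only a default applied, and later hunks use it to build the archive path passed to `ar d` and `ar r`, with errors from `ar d` swallowed by `|| :`. A mistyped or unexpected value would go unnoticed until the exit trap runs `ar r` on an archive of that name. Configure only ever writes `libfips` or an empty value, so a check right after the default would catch this: `case "$FIPSCANLIB" in libcrypto|libfips) ;; *) echo "unexpected FIPSCANLIB: $FIPSCANLIB" >&2; exit 1;; esac`. The added comment would also read better with a break between its two clauses: `# FIPSCANLIB is the library containing fipscanister.o; by default it is libcrypto.a`.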
@@ -59,7 +64,7 @@ case "${TARGET}" in
 esac
 
 case "${TARGET}" in
-*libcrypto*|*.dll)	# must be linking a shared lib...
+*${FIPCANLIB}*|*.dll)	# must be linking a shared lib...
 	# Shared lib creation can be taking place in the source
 	# directory only!!!
 	FINGERTYPE="${THERE}/fips-1.0/sha/fips_standalone_sha1"
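Review bot: The new case pattern is misspelled: `${FIPCANLIB}` is missing the `S`, so it is not the `FIPSCANLIB` that the earlier hunk sets. Unless the environment happens to define a variable of that name, it expands to nothing and the pattern becomes `**`, which matches every `${TARGET}`. Every link would then take the shared-library path, including the archive manipulation further down. The line should read `*${FIPSCANLIB}*|*.dll)`. The case arm continues outside the hunk.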
@@ -78,15 +83,15 @@ echo Canister: $CANISTER_O
 		diff -w "${PREMAIN_C}.sha1" - || \
 	{ echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
 
-	# Temporarily remove fipscanister.o from libcrypto.a!
+	# Temporarily remove fipscanister.o from library!
 	# We are required to use the standalone copy...
-	trap	'ar r "${THERE}/libcrypto.a" "${CANISTER_O}";
-		 (ranlib "${THERE}/libcrypto.a") 2>/dev/null;
+	trap	'ar r "${THERE}/$FIPSCANLIB.a" "${CANISTER_O}";
+		 (ranlib "${THERE}/$FIPSCANLIB.a") 2>/dev/null;
 		 sleep 1;
 		 touch -c "${TARGET}"' 0
 
-	ar d "${THERE}/libcrypto.a" fipscanister.o 2>&1 > /dev/null || :
-	(ranlib "${THERE}/libcrypto.a") 2>/dev/null || :
+	ar d "${THERE}/$FIPSCANLIB.a" fipscanister.o 2>&1 > /dev/null || :
+	(ranlib "${THERE}/$FIPSCANLIB.a") 2>/dev/null || :
 
 	${CC}	"${CANISTER_O}" \
 		"${PREMAIN_C}" \
diff --git a/test/Makefile b/test/Makefile
index 317df837fe..1eeba890eb 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -342,8 +342,13 @@ STANDALONE_BUILD_CMD=SHARED_LIBS="$(SHARED_LIBS)"; \
 	fi; \
 	if [ -z "$$SHARED_LIBS" ]; then \
 		set -x; $${CC:-$(CC)} -o $$target$(EXE_EXT) $(CFLAGS) $$target.o $(PEX_LIBS) $(LIBKRB5) $(EX_LIBS) ; \
-	else	set -x; LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-		$(CC) -o $$target$(EXE_EXT) $(CFLAGS) $$target.o $(PEX_LIBS) $(LIBKRB5) $(EX_LIBS) ; \
+	else	set -x; LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH ; \
+		if [ "$(FIPSCANLIB)" = "libfips" ]; then \
+			fipsexlib="-lfips" ; \
+		else \
+			fipsexlib="-lcrypto" ; \
+		fi ; \
+		$(CC) -o $$target$(EXE_EXT) $(CFLAGS) $$target.o $(PEX_LIBS) $(LIBKRB5) $(EX_LIBS) -L.. $$fipsexlib ; \
 	fi
 
 FIPS_BUILD_CMD=if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
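Review bot: The `;` added after `LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH` changes what the assignment does. It was an environment prefix on the `$(CC)` command and is now a plain shell assignment, which reaches the compiler only if the caller had already exported `LD_LIBRARY_PATH`. If the link step is meant to see it, add `export LD_LIBRARY_PATH ;` after the assignment. Separately, `-L.. $$fipsexlib` is now appended for every shared build, so the non-DSO case gains a `-lcrypto`; a short comment saying that is intended would help. STANDALONE_BUILD_CMD starts above the hunk.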