From: Dr. Stephen Henson Date: Thu, 25 Jan 2007 18:47:19 +0000 (+0000) Subject: New build option fipsdso X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=af10d72e10ed519115552dbe563d6a3c484e796b;p=oweals%2Fopenssl.git New build option fipsdso --- diff --git a/CHANGES b/CHANGES index 8f20c5a3fa..f72c65f765 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,10 @@ Changes between 0.9.7l and 0.9.7m-fips2 [xx XXX xxxx] + *) New build option fipsdso to link fipscanister.o into a DSO called + libfips.so and modify build system to link against it. + [Steve Henson] + *) New version of RSA_{sign,verify} for FIPS code. This uses pregenerated DigestInfo encodings and thus avoids all ASN1 library dependencies. Update FIPS digests to use new functions. Remove large numbers of obsolete diff --git a/Configure b/Configure index c5ba750047..24046a1e5d 100755 --- a/Configure +++ b/Configure @@ -623,6 +623,7 @@ my $exe_ext=""; my $install_prefix=""; my $fipslibdir="/usr/local/ssl/lib/"; my $nofipscanistercheck=0; +my $fipsdso=0; my $fipscanisterinternal="n"; my $baseaddr="0xFB00000"; my $no_threads=0; @@ -843,6 +844,27 @@ PROCESS_ARGS: # The check for the option is there so scripts aren't # broken } + elsif (/^nofipscanistercheck$/) + { + $fips = 1; + $nofipscanistercheck = 1; + } + elsif (/^fipscanisterbuild$/) + { + $fips = 1; + $nofipscanistercheck = 1; + $fipslibdir=""; + $fipscanisterinternal="y"; + } + elsif (/^fipsdso$/) + { + $fips = 1; + $nofipscanistercheck = 1; + $fipslibdir=""; + $fipscanisterinternal="y"; + $fipsdso = 1; + $no_shared = 0; + } elsif (/^[-+]/) { if (/^-[lL](.*)$/) @@ -873,16 +895,6 @@ PROCESS_ARGS: { $withargs{"zlib-lib"}=$1; } - elsif (/^--nofipscanistercheck$/) - { - $nofipscanistercheck = 1; - } - elsif (/^--fipscanisterbuild$/) - { - $nofipscanistercheck = 1; - $fipslibdir=""; - $fipscanisterinternal="y"; - } elsif (/^--with-fipslibdir=(.*)$/) { $fipslibdir="$1/"; 
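Review bot: The dashed spellings `--nofipscanistercheck` and `--fipscanisterbuild` are removed from the `[-+]` branch in the @@ -873 hunk while only the bare-word forms are added in the @@ -843 hunk, so a build script that still passes the dashed form no longer reaches any FIPS branch. What the generic `[-+]` handling does with an unrecognised `--` argument is outside these hunks; if it forwards it as a compiler flag, the build would proceed without the canister settings the caller asked for. Keeping the dashed forms as aliases, or rejecting them with an explicit error, would make that visible. Separately, `fipsdso` sets `$no_shared = 0` during argument parsing, so the outcome may depend on whether a `no-shared` argument precedes or follows it; a comment such as `# fipsdso requires shared libraries and overrides an earlier no-shared` would document the intent.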
@@ -1356,6 +1368,16 @@ while () s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/; s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/; s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/; + if ($fipsdso) + { + s/^FIPSCANLIB=.*/FIPSCANLIB=libfips/; + s/^SHARED_FIPS=.*/SHARED_FIPS=libfips\$(SHLIB_EXT)/; + } + else + { + s/^FIPSCANLIB=.*/FIPSCANLIB=/; + s/^SHARED_FIPS=.*/SHARED_FIPS=/; + } s/^FIPSCANISTERINTERNAL=.*/FIPSCANISTERINTERNAL=$fipscanisterinternal/; s/^BASEADDR=.*/BASEADDR=$baseaddr/; s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/; diff --git a/Makefile.org b/Makefile.org index daeab8e3c8..a36340d584 100644 --- a/Makefile.org +++ b/Makefile.org @@ -185,6 +185,7 @@ LIBZLIB= FIPSLIBDIR=/usr/local/ssl/lib/ FIPSCANISTERINTERNAL=n +FIPSCANLIB= # Shared library base address. Currently only used on Windows. # @@ -227,6 +228,7 @@ WDIRS= windows LIBS= libcrypto.a libssl.a SHARED_CRYPTO=libcrypto$(SHLIB_EXT) SHARED_SSL=libssl$(SHLIB_EXT) +SHARED_FIPS= SHARED_LIBS= SHARED_LIBS_LINK_EXTS= SHARED_LDFLAGS= 
@@ -249,7 +251,7 @@ sub_all:
 do \
 if [ -d "$$i" ]; then \
 (cd $$i && echo "making all in $$i..." && \
- $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' FIPS_AES_ENC='${FIPS_AES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}' FIPSLIBDIR='${FIPSLIBDIR}' all ) || exit 1; \
+ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' FIPS_AES_ENC='${FIPS_AES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}' FIPSLIBDIR='${FIPSLIBDIR}' FIPSCANLIB='${FIPSCANLIB}' all ) || exit 1; \
 else \
 $(MAKE) $$i; \
 fi; \
@@ -266,9 +268,15 @@ sub_target: fi; \ done; -libcrypto$(SHLIB_EXT): libcrypto.a +libcrypto$(SHLIB_EXT): libcrypto.a $(SHARED_FIPS) @if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) SHLIBDIRS=crypto build-shared; \ + if [ "$(FIPSCANLIB)" = "libfips" ]; then \ + $(ARD) libcrypto.a fipscanister.o ; \ + $(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \ + $(AR) libcrypto.a fips-1.0/fipscanister.o ; \ + else \ + $(MAKE) SHLIBDIRS='crypto' build-shared; \ + fi \ else \ echo "There's no support for shared libraries on this platform" >&2; \ fi @@ -280,6 +288,13 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a echo "There's no support for shared libraries on this platform" >&2; \ fi +libfips$(SHLIB_EXT): + @if [ "$(SHLIB_TARGET)" != "" ]; then \ + $(MAKE) SHLIBDIRS=fips build-shared; \ + else \ + echo "There's no support for shared libraries on this platform" >&2; \ + fi + clean-shared: @for i in $(SHLIBDIRS); do \ if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \ diff --git a/fips-1.0/fipsld b/fips-1.0/fipsld index a28c67dd97..3db6fc3fb7 100755 --- a/fips-1.0/fipsld +++ b/fips-1.0/fipsld @@ -32,6 +32,11 @@ TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)` THERE="`echo $0 | sed -e 's|[^/]*$||'`".. +# FIPSCANLIB is the library containing fipscanister.o by default it is +# libcrypto.a + +FIPSCANLIB=${FIPSCANLIB:-libcrypto} + # FIPSLIBDIR is location of installed validated FIPS module # if FIPSCANISTERINTERNAL="y" link against internally generated fipscanister.o if [ "x$FIPSCANISTERINTERNAL" != "xy" ]; then @@ -59,7 +64,7 @@ case "${TARGET}" in esac case "${TARGET}" in -*libcrypto*|*.dll) # must be linking a shared lib... +*${FIPCANLIB}*|*.dll) # must be linking a shared lib... # Shared lib creation can be taking place in the source # directory only!!! FINGERTYPE="${THERE}/fips-1.0/sha/fips_standalone_sha1" 
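Review bot: In the `libfips` branch of the `libcrypto$(SHLIB_EXT)` recipe (Makefile.org, @@ -266) the three commands are joined with `;`, so the shell's exit status is that of the final `$(AR) libcrypto.a fips-1.0/fipscanister.o` and a failed `build-shared` is reported to make as success. Restoring the archive after a failure is reasonable, but the status should be kept, for example `$(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; rc=$$?; \` then the existing `$(AR)` line, then `exit $$rc; \`. The recipe also rewrites libcrypto.a in place while the link runs; a comment saying so would help, since anything else reading the archive during a parallel build would see it without fipscanister.o.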
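Review bot: The case pattern in fips-1.0/fipsld (@@ -59) reads `*${FIPCANLIB}*|*.dll)`, but the variable defined in the @@ -32 hunk is `FIPSCANLIB`. The misspelled name is unset, so the pattern collapses to `**` and every target, executables included, takes the shared-library branch. That branch sets `FINGERTYPE` and appears to select how the module fingerprint is produced, so the misclassification affects the integrity step rather than being cosmetic. The line should be `*${FIPSCANLIB}*|*.dll)`. The case statement continues past the end of the hunk.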
@@ -78,15 +83,15 @@ echo Canister: $CANISTER_O diff -w "${PREMAIN_C}.sha1" - || \ { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; } - # Temporarily remove fipscanister.o from libcrypto.a! + # Temporarily remove fipscanister.o from library! # We are required to use the standalone copy... - trap 'ar r "${THERE}/libcrypto.a" "${CANISTER_O}"; - (ranlib "${THERE}/libcrypto.a") 2>/dev/null; + trap 'ar r "${THERE}/$FIPSCANLIB.a" "${CANISTER_O}"; + (ranlib "${THERE}/$FIPSCANLIB.a") 2>/dev/null; sleep 1; touch -c "${TARGET}"' 0 - ar d "${THERE}/libcrypto.a" fipscanister.o 2>&1 > /dev/null || : - (ranlib "${THERE}/libcrypto.a") 2>/dev/null || : + ar d "${THERE}/$FIPSCANLIB.a" fipscanister.o 2>&1 > /dev/null || : + (ranlib "${THERE}/$FIPSCANLIB.a") 2>/dev/null || : ${CC} "${CANISTER_O}" \ "${PREMAIN_C}" \ diff --git a/test/Makefile b/test/Makefile index 317df837fe..1eeba890eb 100644 --- a/test/Makefile +++ b/test/Makefile @@ -342,8 +342,13 @@ STANDALONE_BUILD_CMD=SHARED_LIBS="$(SHARED_LIBS)"; \ fi; \ if [ -z "$$SHARED_LIBS" ]; then \ set -x; $${CC:-$(CC)} -o $$target$(EXE_EXT) $(CFLAGS) $$target.o $(PEX_LIBS) $(LIBKRB5) $(EX_LIBS) ; \ - else set -x; LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ - $(CC) -o $$target$(EXE_EXT) $(CFLAGS) $$target.o $(PEX_LIBS) $(LIBKRB5) $(EX_LIBS) ; \ + else set -x; LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH ; \ + if [ "$(FIPSCANLIB)" = "libfips" ]; then \ + fipsexlib="-lfips" ; \ + else \ + fipsexlib="-lcrypto" ; \ + fi ; \ + $(CC) -o $$target$(EXE_EXT) $(CFLAGS) $$target.o $(PEX_LIBS) $(LIBKRB5) $(EX_LIBS) -L.. $$fipsexlib ; \ fi FIPS_BUILD_CMD=if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
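Review bot: `FIPSCANLIB` comes from the environment (@@ -32 hunk) and is now interpolated into the archive path used by `ar d` and by the `ar r` in the exit trap, so whatever value the caller exports selects which archive gets rewritten. Whether `${THERE}/${FIPSCANLIB}.a` exists at this point is not visible in the hunk; if it does not, `ar d ... || :` hides that and the trap's `ar r` would create a new archive containing only the canister. A guard before the trap, such as `[ -f "${THERE}/${FIPSCANLIB}.a" ] || { echo "${FIPSCANLIB}.a not found"; exit 1; }`, would fail early instead. The redirection `2>&1 > /dev/null` on the `ar d` line still sends stderr to the terminal; `> /dev/null 2>&1` is the order that silences both, if that is the intent.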
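Review bot: In test/Makefile, adding `;` after `LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH` turns what was an environment prefix on the `$(CC)` command into a plain shell assignment, so the compiler and linker only see the new value if the caller had already exported the variable. If the prefix is still wanted, add `export LD_LIBRARY_PATH;` after the assignment, or set `fipsexlib` first and keep `LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH $(CC) ...` as one command. When the caller's `LD_LIBRARY_PATH` is empty the value becomes `..:`, and the empty trailing element makes the loader search the current directory as well; `..$${LD_LIBRARY_PATH:+:$$LD_LIBRARY_PATH}` avoids that.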