From 8f0d89092e2567d0a562fa89dcbdff0c40353b86 Mon Sep 17 00:00:00 2001 From: Andy Polyakov Date: Wed, 1 Aug 2007 11:33:17 +0000 Subject: [PATCH] Jumbo framework update. --- Configure | 12 +- Makefile.org | 31 +++-- Makefile.shared | 4 +- TABLE | 4 +- apps/Makefile | 7 +- crypto/Makefile | 4 +- fips-1.0/Makefile | 30 +++-- fips-1.0/fipsld | 181 +++++++++++++++------------- fips-1.0/sha/Makefile | 7 +- fips-1.0/sha/fips_standalone_sha1.c | 2 + ssl/Makefile | 2 +- test/Makefile | 31 ++--- 12 files changed, 166 insertions(+), 149 deletions(-) diff --git a/Configure b/Configure index 5e4a0f069c..b928c6dd36 100755 --- a/Configure +++ b/Configure 
@@ -503,8 +503,8 @@ my %table=( ##### MacOS X (a.k.a. Rhapsody or Darwin) setup "rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX_RHAPSODY::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}::", -"darwin-ppc-cc","cc:-O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::osx_ppc32.o::::::::::dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", -"darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", +"darwin-ppc-cc","cc:-O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::osx_ppc32.o::::::::::dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", +"darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", "debug-darwin-ppc-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DB_ENDIAN -g -Wall -O::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::osx_ppc32.o::::::::::dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", ##### A/UX @@ -1028,6 +1028,11 @@ my $shared_extension = $fields[$idx_shared_extension]; my $ranlib = $fields[$idx_ranlib]; my $arflags = $fields[$idx_arflags]; +# '%' in $lflags is used to split flags to "pre-" and post-flags +my ($prelflags,$postlflags)=split('%',$lflags); +if (defined($postlflags)) { $lflags=$postlflags; } +else { $lflags=$prelflags; undef $prelflags; } + my $no_shared_warn=0; my $no_user_cflags=0; 
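Review bot: In the second Configure hunk, `split('%',$lflags)` is called without a limit, so Perl discards trailing empty fields. For the darwin entries changed in the first hunk, whose flags end in `%` (`-Wl,-search_paths_first%`), `$postlflags` therefore comes back undefined, and the else branch copies the flag into `$lflags` and undefines `$prelflags`. The flag then ends up in EX_LIBS rather than PEX_LIBS, which looks like the opposite of what the trailing `%` is meant to express. Passing a limit keeps the empty post-field: `my ($prelflags,$postlflags)=split('%',$lflags,2);`. The `PEX_LIBS` substitution added in the following hunk also interpolates `$prelflags` when it may be undef, so `$prelflags="";` in place of `undef $prelflags;` would be safer.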
@@ -1361,6 +1366,7 @@ while () s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc eq "gcc"; s/^CFLAG=.*$/CFLAG= $cflags/; s/^DEPFLAG=.*$/DEPFLAG= $depflags/; + s/^PEX_LIBS=.*$/PEX_LIBS= $prelflags/; s/^EX_LIBS=.*$/EX_LIBS= $lflags/; s/^EXE_EXT=.*$/EXE_EXT= $exe_ext/; s/^CPUID_OBJ=.*$/CPUID_OBJ= $cpuid_obj/; @@ -1399,7 +1405,7 @@ while () s/^BASEADDR=.*/BASEADDR=$baseaddr/; s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/; s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/; - s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL) \$(SHARED_FIPS)/ if (!$no_shared); + s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_FIPS) \$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared); if ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*$/) { my $sotmp = $1; diff --git a/Makefile.org b/Makefile.org index 363cd02280..a918d6b7e1 100644 --- a/Makefile.org +++ b/Makefile.org @@ -319,7 +319,7 @@ FIPS_EX_OBJ= ../crypto/aes/aes_cfb.o \ sub_all: build_all build_all: build_libs build_apps build_tests build_tools -build_libs: build_crypto build_fips build_ssl build_engines +build_libs: build_crypto build_fips build_ssl build_shared build_engines build_crypto: if [ -n "$(FIPSCANLIB)" ]; then \ @@ -330,7 +330,7 @@ build_crypto: fi ; export ARX ; \ dir=crypto; target=all; $(BUILD_ONE_CMD) build_fips: - @dir=fips-1.0; target=all; $(BUILD_ONE_CMD) + @dir=fips-1.0; target=all; [ -z "$(FIPSCANLIB)" ] || $(BUILD_ONE_CMD) build_ssl: @dir=ssl; target=all; $(BUILD_ONE_CMD) build_engines: 
@@ -346,43 +346,48 @@ all_testapps: build_libs build_testapps build_testapps: @dir=crypto; target=testapps; $(BUILD_ONE_CMD) +build_shared: $(SHARED_LIBS) libcrypto$(SHLIB_EXT): libcrypto.a $(SHARED_FIPS) @if [ "$(SHLIB_TARGET)" != "" ]; then \ if [ "$(FIPSCANLIB)" = "libfips" ]; then \ - ( dir=fips-1.0; target=all; $(BUILD_ONE_CMD) ) ; \ $(ARD) libcrypto.a fipscanister.o ; \ $(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \ $(AR) libcrypto.a fips-1.0/fipscanister.o ; \ else \ if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \ FIPSLD_CC=$(CC); CC=fips-1.0/fipsld; \ - FIPSLD_NPT="y"; FIPSLD_LIBFIPS=y; \ - export CC FIPSLD_CC FIPSLD_NPT FIPSLD_LIBFIPS; \ + export CC FIPSLD_CC; \ fi; \ $(MAKE) -e SHLIBDIRS='crypto' build-shared; \ fi \ else \ echo "There's no support for shared libraries on this platform" >&2; \ + exit 1; \ fi libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a @if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \ + shlibdeps=-lcrypto; \ + [ "$(FIPSCANLIB)" = "libfips" ] && shlibdeps="$$shlibdeps -lfips"; \ + $(MAKE) SHLIBDIRS=ssl SHLIBDEPS="$$shlibdeps" build-shared; \ else \ echo "There's no support for shared libraries on this platform" >&2 ; \ exit 1; \ fi -libfips$(SHLIB_EXT): libfips.a +fips-1.0/fipscanister.o: build_fips +libfips$(SHLIB_EXT): fips-1.0/fipscanister.o @if [ "$(SHLIB_TARGET)" != "" ]; then \ - if [ "$(FIPSCANLIB)" = "libfips" ]; then \ - FIPSLD_CC=$(CC); CC=fips-1.0/fipsld; FIPSLD_NPT="y"; \ - FIPSLD_LIBFIPS=y; \ - export CC FIPSLD_CC FIPSLD_NPT FIPSLD_LIBFIPS; \ - fi; \ - $(MAKE) -e SHLIBDIRS=fips build-shared; \ + FIPSLD_CC=$(CC); CC=fips-1.0/fipsld; export CC FIPSLD_CC; \ + $(MAKE) -f Makefile.shared -e $(BUILDENV) \ + CC=$${CC} LIBNAME=fips THIS=$@ \ + LIBEXTRAS=fips-1.0/fipscanister.o \ + LIBDEPS="$(EX_LIBS)" \ + LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \ + link_o.$(SHLIB_TARGET) || { rm -f $@; exit 1; } \ else \ echo "There's no support for shared libraries on this 
platform" >&2; \ + exit 1; \ fi libfips.a: diff --git a/Makefile.shared b/Makefile.shared index cb189a434c..681cc193bf 100644 --- a/Makefile.shared +++ b/Makefile.shared @@ -101,15 +101,13 @@ LINK_SO= \ LIBDEPS="$${LIBDEPS:-$(LIBDEPS)}"; \ SHAREDCMD="$${SHAREDCMD:-$(CC)}"; \ SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \ - nm -Pg $$SHOBJECTS | grep ' [BDT] ' | cut -f1 -d' ' > lib$(LIBNAME).exp; \ LIBPATH=`for x in $$LIBDEPS; do if echo $$x | grep '^ *-L' > /dev/null 2>&1; then echo $$x | sed -e 's/^ *-L//'; fi; done | uniq`; \ LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \ LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \ $${SHAREDCMD} $${SHAREDFLAGS} \ -o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \ $$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS \ - ) && $(SYMLINK_SO); \ - ( $(SET_X); rm -f lib$(LIBNAME).exp ) + ) && $(SYMLINK_SO) SYMLINK_SO= \ if [ -n "$$INHIBIT_SYMLINKS" ]; then :; else \ diff --git a/TABLE b/TABLE index 9e74aab9bf..d6b6eeb8cc 100644 --- a/TABLE +++ b/TABLE @@ -951,7 +951,7 @@ $cflags = -O3 -fomit-frame-pointer -fno-common $unistd = $thread_cflag = -D_REENTRANT $sys_id = MACOSX -$lflags = +$lflags = -Wl,-search_paths_first% $bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR $cpuid_obj = $bn_obj = @@ -978,7 +978,7 @@ $cflags = -O3 -DB_ENDIAN $unistd = $thread_cflag = -D_REENTRANT $sys_id = MACOSX -$lflags = -Wl,-search_paths_first +$lflags = -Wl,-search_paths_first% $bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR $cpuid_obj = $bn_obj = osx_ppc32.o diff --git a/apps/Makefile b/apps/Makefile index b7db1840e6..66ad4a364e 100644 --- a/apps/Makefile +++ b/apps/Makefile 
@@ -155,11 +155,8 @@ $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL) elif [ -n "$(FIPSCANLIB)" ]; then \ FIPSLD_CC=$(CC); CC=$(TOP)/fips-1.0/fipsld; export CC FIPSLD_CC; \ fi; \ - if [ "$${shlib_target}" = "darwin-shared" ] ; then \ - LIBRARIES="$(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO)" ; \ - else \ - LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \ - fi; \ + LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \ + [ "x$(FIPSCANLIB)" = "xlibfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \ $(MAKE) -f $(TOP)/Makefile.shared -e \ CC=$${CC} APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \ LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ diff --git a/crypto/Makefile b/crypto/Makefile index 8bbec3054f..63204f55cf 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -47,7 +47,7 @@ ALL= $(GENERAL) $(SRC) $(HEADER) top: @(cd ..; $(MAKE) DIRS=$(DIR) all) -all: shared +all: lib buildinf.h: ../Makefile ( echo "#ifndef MK1MF_BUILD"; \ @@ -95,7 +95,7 @@ links: @target=links; $(RECURSIVE_MAKE) # lib: and $(LIB): are splitted to avoid end-less loop -lib: $(LIB) +lib: buildinf.h $(LIB) subdirs @touch lib $(LIB): $(LIBOBJ) $(ARX) $(LIB) $(LIBOBJ) diff --git a/fips-1.0/Makefile b/fips-1.0/Makefile index b5d89875d8..c36ce82a1c 100644 --- a/fips-1.0/Makefile +++ b/fips-1.0/Makefile @@ -61,8 +61,10 @@ testapps: @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi all: - @if [ -n "$(FIPSCANLIB)" ]; then \ - $(MAKE) -e subdirs lib shared; \ + @if [ -z "$(FIPSLIBDIR)" ]; then \ + $(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \ + else \ + $(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \ fi # Idea behind fipscanister.o is to "seize" the sequestered code between 
@@ -97,16 +99,17 @@ fipscanister.o: fips_start.o $(LIBOBJ) $(FIPS_OBJ_LISTS) fips_end.o objs="$$objs `sed "$$script" $$i`"; \ done; \ objs="$$objs fips_end.o" ; \ + os="`(uname -s) 2>/dev/null`"; cflags="$(CFLAGS)"; \ + [ "$$os" = "AIX" ] && cflags="$$cflags -Wl,-bnoobjreorder"; \ if [ -n "${FIPS_SITE_LD}" ]; then \ set -x; ${FIPS_SITE_LD} -r -o $@ $$objs; \ elif $(CC) -dumpversion >/dev/null 2>&1; then \ - set -x; $(CC) $(CFLAGS) -r -nostdlib -o $@ $$objs ; \ - else case "`(uname -s) 2>/dev/null`" in \ + set -x; $(CC) $$cflags -r -nostdlib -o $@ $$objs ; \ + else case "$$os" in \ HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \ - AIX) set -x; $(CC) $(CFLAGS) -Wl,-bnoobjreorder -r -o $@ $$objs ;; \ - *) set -x; $(CC) $(CFLAGS) -r -o $@ $$objs ;; \ + *) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \ esac fi - sha/fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1 + ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1 # If another exception is immediately required, assign approprite # site-specific ld command to FIPS_SITE_LD environment variable. @@ -117,7 +120,10 @@ fips_end.o: fips_canister.c $(CC) $(CFLAGS) -DFIPS_END -c -o $@ fips_canister.c fips_premain_dso$(EXE_EXT): fips_premain.c $(CC) $(CFLAGS) -DFINGERPRINT_PREMAIN_DSO_LOAD -o $@ fips_premain.c \ - ../libcrypto.a $(EX_LIBS) + $(FIPSLIBDIR)fipscanister.o ../libcrypto.a $(EX_LIBS) +# this is executed only when linking with external fipscanister.o +fips_standalone_sha1$(EXE_EXT): sha/fips_standalone_sha1.c + $(CC) $(CFLAGS) -DFIPSCANISTER_O -o $@ sha/fips_standalone_sha1.c $(FIPSLIBDIR)fipscanister.o subdirs: @target=all; $(RECURSIVE_MAKE) 
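Review bot: The digest line `./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1` now expects the tool in this directory, but the fipscanister.o rule named in the hunk header does not list it as a prerequisite. The tool is produced by sha/Makefile as `../fips_standalone_sha1`, so the ordering depends on `subdirs` having finished first. If the tool is missing or fails, the redirection still leaves an empty fipscanister.o.sha1 next to a fresh fipscanister.o, and a later make run would consider the canister up to date without regenerating the fingerprint. Removing the partial outputs on failure keeps the detached fingerprint consistent with the object: `./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1 || { rm -f fipscanister.o.sha1 $@; exit 1; }`. The recipe begins before this hunk.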
@@ -132,9 +138,13 @@ links: @target=links; $(RECURSIVE_MAKE) # lib: and $(LIB): are splitted to avoid end-less loop -lib: $(FIPSCANLIB) $(FIPSCANLOC) +lib: $(LIB) @touch lib +$(LIB): $(FIPSLIBDIR)fipscanister.o + $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o + $(RANLIB) $(LIB) || echo Never mind. + $(FIPSCANLIB): $(FIPSCANLOC) $(AR) ../$(FIPSCANLIB).a $(FIPSCANLOC) if [ "$(FIPSCANLIB)" = "libfips" ]; then \ @@ -182,7 +192,7 @@ depend: @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi clean: - rm -f fipscanister.o.sha1 fips_premain_dso$(EXE_EXT) \ + rm -f fipscanister.o.sha1 fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT) \ *.s *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff @target=clean; $(RECURSIVE_MAKE) diff --git a/fips-1.0/fipsld b/fips-1.0/fipsld index 863e3b3dcf..dbc2ab100b 100755 --- a/fips-1.0/fipsld +++ b/fips-1.0/fipsld @@ -1,6 +1,6 @@ #!/bin/sh -e # -# Copyright (c) 2005 The OpenSSL Project. +# Copyright (c) 2005-2007 The OpenSSL Project. # # Depending on output file name, the script either embeds fingerprint # into libcrypto.so or static application. "Static" refers to static 
@@ -18,54 +18,51 @@ CC=${FIPSLD_CC:-${CC}} # Initially -c wasn't intended to be interpreted here, but it might # make life easier for those who want to build FIPS-ified applications # with minimal [if any] modifications to their Makefiles... -( while [ "x$1" != "x" -a "x$1" != "x-c" ]; do shift; done; +( while [ "x$1" != "x" -a "x$1" != "x-c" -a "x$1" != "x-E" ]; do shift; done; [ $# -ge 1 ] ) && exec ${CC} "$@" +TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)` + # If using an auto-tooled (autoconf/automake/libtool) project, # configure will fail when testing the compiler or even performing -# simple checks. Pass-thru to compiler directly if not linking -# to libcrypto, allowing auto-tooled applications to utilize fipsld -# (e.g. CC=/usr/local/ssl/bin/fipsld FIPSLD_CC=gcc ./configure && make ) -# If FIPSLD_NPT is set never call the pass-thru: the standalone fips commands -# need this because they don't link to libcrypto -[ -z "$FIPSLD_NPT" -a -z "$FIPSLD_LIBFIPS" ] && { -case "$*" in - *libcrypto.a*) - ;; - *-lcrypto*) - ;; - *) - exec ${CC} $* - ;; +# simple checks. Pass-through to compiler directly if application is +# is not being linked with libcrypto, allowing auto-tooled applications +# to utilize fipsld (e.g. CC=/usr/local/ssl/bin/fipsld FIPSLD_CC=gcc +# ./configure && make). But keep in mind[!] that if certified code +# resides in a shared library, then fipsld *may not* be used and +# end-developer should not modify application configuration and build +# procedures. This is because in-core fingerprint and associated +# procedures are already embedded into and executed in shared library +# context. +case `basename "${TARGET}"` in +libcrypto*|libfips*|*.dll) ;; +*) case "$*" in + *libcrypto.a*|*-lcrypto*) ;; + *) exec ${CC} "$@" ;; + esac esac -} + +[ -n "${TARGET}" ] || { echo 'no -o specified'; exit 1; } # Turn on debugging output? 
( while [ "x$1" != "x" -a "x$1" != "x-DDEBUG_FINGERPRINT_PREMAIN" ]; do shift; done; [ $# -ge 1 ] ) && set -x -TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)` -[ -n "${TARGET}" ] || { echo 'no -o specified'; exit 1; } - THERE="`echo $0 | sed -e 's|[^/]*$||'`".. -# FIPSCANLIB is the library containing fipscanister.o by default it is -# libcrypto.a - -FIPSCANLIB=${FIPSCANLIB:-libcrypto} - -# FIPSLIBDIR is location of installed validated FIPS module -# if FIPSCANISTERINTERNAL="y" link against internally generated fipscanister.o -if [ "x$FIPSCANISTERINTERNAL" != "xy" ]; then - FIPSLIBDIR=${FIPSLIBDIR:-/usr/local/ssl/lib} -else - FIPSLIBDIR=${THERE}/fips-1.0 +# If set, FIPSLIBDIR is location of installed validated FIPS module +if [ -n "${FIPSLIBDIR}" ]; then + CANISTER_O="${FIPSLIBDIR}" +elif [ -f "${THERE}/fips-1.0/fipscanister.o" ]; then + CANISTER_O="${THERE}/fips-1.0/fipscanister.o" +elif [ -f "${THERE}/lib/fipscanister.o" ]; then + CANISTER_O="${THERE}/lib/fipscanister.o" fi +[ -f ${CANISTER_O} ] || { echo "unable to find ${CANISTER_O}"; exit 1; } -[ -f "${FIPSLIBDIR}/fipscanister.o" ] || - { echo "fipscanister.o not found"; exit 1; } +PREMAIN_C=`dirname "${CANISTER_O}"`/fips_premain.c HMAC_KEY="etaonrishdlcupfm" 
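Review bot: When FIPSLIBDIR is set, `CANISTER_O="${FIPSLIBDIR}"` assigns the directory rather than the object file, so the `-f` test that follows cannot succeed on it; `CANISTER_O="${FIPSLIBDIR}/fipscanister.o"` looks like what was intended. The existence check `[ -f ${CANISTER_O} ]` is also unquoted: if none of the three branches assigns CANISTER_O, the test collapses to `[ -f ]`, which evaluates true, and the script carries on with an empty canister path and PREMAIN_C resolving to `./fips_premain.c` in the current directory. Since these two paths decide which files get fingerprint-checked and linked, the missing-canister case should stop here: `[ -f "${CANISTER_O}" ] || { echo "unable to find fipscanister.o"; exit 1; }`.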
@@ -82,95 +79,109 @@ case "${TARGET}" in [!/]*) TARGET=./${TARGET} ;; esac -case "${TARGET}" in -*${FIPSCANLIB}*|*.dll) # must be linking a shared lib... - # Shared lib creation can be taking place in the source +case `basename "${TARGET}"` in +libfips*|*fips.dll) + # libfips.so creation can be taking place in the source # directory only!!! - FINGERTYPE="${THERE}/fips-1.0/sha/fips_standalone_sha1" - CANISTER_O="${FIPSLIBDIR}/fipscanister.o" - PREMAIN_C="${FIPSLIBDIR}/fips_premain.c" -echo Canister: $CANISTER_O + FINGERTYPE="${THERE}/fips-1.0/fips_standalone_sha1" + # fipscanister.o should be specified on command line... + CANISTER_O=`(while [ "x$1" != "x" ]; do case "$1" in *fipscanister.o) echo $1; exit;; esac; shift; done)` + [ -n "$CANISTER_O" ] || { echo "fipscanister.o is not found"; exit 1; } + PREMAIN_C=`dirname "${CANISTER_O}"`/fips_premain.c # verify fipspremain.c against its detached signature... ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \ diff -w "${PREMAIN_C}.sha1" - || \ { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; } - # Special case: if FIPSLD_LIBFIPS is asserted we are building - # libfips shared library and fipscanister.o is already present - # in libfips.a - if [ -n "$FIPSLD_LIBFIPS" ] ; then - ${CC} "${PREMAIN_C}" \ - ${_WL_PREMAIN} "$@" - else - - # verify fipscanister.o against its detached signature... - ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \ - diff -w "${CANISTER_O}.sha1" - || \ - { echo "${CANISTER_O} fingerprint mismatch"; exit 1; } - - # Temporarily remove fipscanister.o from library! - # We are required to use the standalone copy... 
- trap 'ar r "${THERE}/$FIPSCANLIB.a" "${CANISTER_O}"; - (ranlib "${THERE}/$FIPSCANLIB.a") 2>/dev/null; - sleep 1; - touch -c "${TARGET}"' 0 - - ar d "${THERE}/$FIPSCANLIB.a" fipscanister.o 2>&1 > /dev/null || : - (ranlib "${THERE}/$FIPSCANLIB.a") 2>/dev/null || : - - ${CC} "${CANISTER_O}" \ - "${PREMAIN_C}" \ - ${_WL_PREMAIN} "$@" - fi + # verify fipscanister.o against its detached signature... + ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \ + diff -w "${CANISTER_O}.sha1" - || \ + { echo "${CANISTER_O} fingerprint mismatch"; exit 1; } + + /bin/rm -f "${TARGET}" + ${CC} "${PREMAIN_C}" ${_WL_PREMAIN} "$@" # generate signature... - SIG=`("${THERE}/fips-1.0/fips_premain_dso" "${TARGET}" || rm "${TARGET}")` + SIG=`"${THERE}/fips-1.0/fips_premain_dso" "${TARGET}"` + /bin/rm -f "${TARGET}" if [ -z "${SIG}" ]; then echo "unable to collect signature"; exit 1 fi - if [ -n "$FIPSLD_LIBFIPS" ] ; then - ${CC} -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \ - ${_WL_PREMAIN} "$@" - else + # recompile with signature... + ${CC} -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" ${_WL_PREMAIN} "$@" + ;; +libcrypto*|*.dll) # must be linking a shared lib... + # Shared lib creation can be taking place in the source + # directory only, but fipscanister.o can reside elsewhere... + FINGERTYPE="${THERE}/fips-1.0/fips_standalone_sha1" + + # verify fipspremain.c against its detached signature... + ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \ + diff -w "${PREMAIN_C}.sha1" - || \ + { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; } + # verify fipscanister.o against its detached signature... + ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \ + diff -w "${CANISTER_O}.sha1" - || \ + { echo "${CANISTER_O} fingerprint mismatch"; exit 1; } + + # Temporarily remove fipscanister.o from libcrypto.a! + # We are required to use the standalone copy... 
+ trap 'ar r "${THERE}/libcrypto.a" "${CANISTER_O}"; + (ranlib "${THERE}/libcrypto.a") 2>/dev/null; + sleep 1; + touch -c "${TARGET}"' 0 + + ar d "${THERE}/libcrypto.a" fipscanister.o 2>&1 > /dev/null || : + (ranlib "${THERE}/libcrypto.a") 2>/dev/null || : + + /bin/rm -f "${TARGET}" + ${CC} "${CANISTER_O}" \ + "${PREMAIN_C}" \ + ${_WL_PREMAIN} "$@" - # recompile with signature... - ${CC} "${CANISTER_O}" \ - -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \ - ${_WL_PREMAIN} "$@" + # generate signature... + SIG=`"${THERE}/fips-1.0/fips_premain_dso" "${TARGET}"` + /bin/rm -f "${TARGET}" + if [ -z "${SIG}" ]; then + echo "unable to collect signature"; exit 1 fi + + # recompile with signature... + ${CC} "${CANISTER_O}" \ + -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \ + ${_WL_PREMAIN} "$@" ;; *) # must be linking statically... # Static linking can be taking place either in the source # directory or off the installed binary target destination. - if [ -x "${THERE}/fips-1.0/sha/fips_standalone_sha1" ]; then - FINGERTYPE="${THERE}/fips-1.0/sha/fips_standalone_sha1" + if [ -x "${THERE}/fips-1.0/fips_standalone_sha1" ]; then + FINGERTYPE="${THERE}/fips-1.0/fips_standalone_sha1" else # Installed tree is expected to contain # lib/fipscanister.o, lib/fipscanister.o.sha1 and # lib/fips_premain.c [not to mention bin/openssl]. FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}" fi - CANISTER_O="${FIPSLIBDIR}/fipscanister.o" - PREMAIN_C="${FIPSLIBDIR}/fips_premain.c" - # verify fipscanister.o against its detached signature... ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \ diff -w "${CANISTER_O}.sha1" - || \ { echo "${CANISTER_O} fingerprint mismatch"; exit 1; } # verify fips_premain.c against its detached signature... 
-# ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \ -# diff -w "${PREMAIN_C}.sha1" - || \ -# { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; } + ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \ + diff -w "${PREMAIN_C}.sha1" - || \ + { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; } + /bin/rm -f "${TARGET}" ${CC} "${CANISTER_O}" \ "${PREMAIN_C}" \ ${_WL_PREMAIN} "$@" # generate signature... - SIG=`("${TARGET}" || /bin/rm "${TARGET}")` + SIG=`"${TARGET}"` + /bin/rm -f "${TARGET}" if [ -z "${SIG}" ]; then echo "unable to collect signature"; exit 1 fi diff --git a/fips-1.0/sha/Makefile b/fips-1.0/sha/Makefile index 83daa4ebfc..cf3c1c3258 100644 --- a/fips-1.0/sha/Makefile +++ b/fips-1.0/sha/Makefile @@ -41,15 +41,14 @@ ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd $(TOP); $(MAKE) DIRS=fips-1.0 SDIRS=$(DIR) sub_all) -all: fips_standalone_sha1$(EXE_EXT) lib +all: ../fips_standalone_sha1$(EXE_EXT) lib lib: $(LIBOBJ) @echo $(LIBOBJ) > lib -fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o +../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \ - $(CC) -o fips_standalone_sha1$(EXE_EXT) $(CFLAGS) \ - fips_standalone_sha1.o $$FIPS_SHA_ASM + $(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM files: $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO diff --git a/fips-1.0/sha/fips_standalone_sha1.c b/fips-1.0/sha/fips_standalone_sha1.c index f18eaf0c90..058b71a20f 100644 --- a/fips-1.0/sha/fips_standalone_sha1.c +++ b/fips-1.0/sha/fips_standalone_sha1.c @@ -54,9 +54,11 @@ #include #include +#ifndef FIPSCANISTER_O int FIPS_selftest_failed() { return 0; } void FIPS_selftest_check() {} void OPENSSL_cleanse(void *p,size_t len) {} +#endif #ifdef OPENSSL_FIPS diff --git a/ssl/Makefile b/ssl/Makefile index 5b355483cf..2c149691c1 100644 --- a/ssl/Makefile +++ b/ssl/Makefile 
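Review bot: The three new `SIG=` assignments in this fipsld hunk (two calling `fips_premain_dso` on `"${TARGET}"`, one running `"${TARGET}"` itself in the static branch) no longer have the `|| rm` fallback, and the script's shebang is `#!/bin/sh -e`. A non-zero exit from the command substitution therefore ends the script at the assignment, before the `/bin/rm -f "${TARGET}"` on the next line runs. That would leave the first-pass link, which has no embedded signature, sitting at the output path. Letting the assignment survive a failure allows the cleanup and the existing empty-SIG check to run: ``SIG=`"${TARGET}"` || :`` (and likewise for the two `fips_premain_dso` calls). The case statement continues past the end of the hunk.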
@@ -53,7 +53,7 @@ ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ..; $(MAKE) DIRS=$(DIR) all) -all: shared +all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) diff --git a/test/Makefile b/test/Makefile index 2338406d30..9bb7a1b2ba 100644 --- a/test/Makefile +++ b/test/Makefile @@ -354,11 +354,8 @@ $(DLIBCRYPTO): BUILD_CMD=shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ shlib_target="$(SHLIB_TARGET)"; \ fi; \ - if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ - LIBRARIES="$(DLIBSSL) $(DLIBCRYPTO) $(LIBKRB5)"; \ - else \ - LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \ - fi; \ + LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \ + [ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \ $(MAKE) -f $(TOP)/Makefile.shared -e \ APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \ LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ @@ -397,15 +394,11 @@ $(SHA512TEST)$(EXE_EXT): $(SHA512TEST).o $(DLIBCRYPTO) FIPS_BUILD_CMD=shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ shlib_target="$(SHLIB_TARGET)"; \ fi; \ - if [ "$(FIPSCANLIB)" != "libfips" -o -z "$(SHARED_LIBS)" -o "$${shlib_target}" = "darwin-shared" ] ; then \ - LIBRARIES=""; \ - if [ -n "$(FIPSCANLIB)" ]; then \ - FIPSLD_CC=$(CC); CC=$(TOP)/fips-1.0/fipsld; FIPSLD_NPT="y" \ - export CC FIPSLD_CC FIPSLD_NPT ; \ - fi; \ - else \ - LIBRARIES="$(LIBFIPS)"; \ + LIBRARIES="$(LIBCRYPTO) $(LIBKRB5)"; \ + if [ -z "$(SHARED_LIBS)" ] ; then \ + FIPSLD_CC=$(CC); CC=$(TOP)/fips-1.0/fipsld; export CC FIPSLD_CC; \ fi; \ + [ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="-L$(TOP) -lfips"; \ $(MAKE) -f $(TOP)/Makefile.shared -e \ CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \ LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ 
@@ -414,15 +407,11 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ FIPS_CRYPTO_BUILD_CMD=shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ shlib_target="$(SHLIB_TARGET)"; \ fi; \ - if [ -z "$(SHARED_LIBS)" -o "$${shlib_target}" = "darwin-shared" ] ; then \ - LIBRARIES="$(DLIBSSL) $(DLIBCRYPTO) $(LIBKRB5)"; \ - if [ -n "$(FIPSCANLIB)" ]; then \ - FIPSLD_CC=$(CC); CC=$(TOP)/fips-1.0/fipsld; FIPSLD_NPT="y" \ - export CC FIPSLD_CC FIPSLD_NPT ; \ - fi; \ - else \ - LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \ + LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \ + if [ -z "$(SHARED_LIBS)" ] ; then \ + FIPSLD_CC=$(CC); CC=$(TOP)/fips-1.0/fipsld; export CC FIPSLD_CC; \ fi; \ + [ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \ $(MAKE) -f $(TOP)/Makefile.shared -e \ CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \ LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ -- 2.25.1