New build option fipsdso

2007-01-25 18:47:19 +00:00 · 2007-01-25 18:47:19 +00:00 · af10d72e10
commit af10d72e10
parent 8e664b2055
5 changed files with 72 additions and 21 deletions
--- a/4
+++ b/4
@ -4,6 +4,10 @@

 Changes between 0.9.7l and 0.9.7m-fips2 [xx XXX xxxx]

+  *) New build option fipsdso to link fipscanister.o into a DSO called 
+     libfips.so and modify build system to link against it.
+     [Steve Henson]
+
  *) New version of RSA_{sign,verify} for FIPS code. This uses pregenerated
     DigestInfo encodings and thus avoids all ASN1 library dependencies. Update
     FIPS digests to use new functions. Remove large numbers of obsolete 
--- a/42
+++ b/42
@ -623,6 +623,7 @@ my $exe_ext="";
 my $install_prefix="";
 my $fipslibdir="/usr/local/ssl/lib/";
 my $nofipscanistercheck=0;
+my $fipsdso=0;
 my $fipscanisterinternal="n";
 my $baseaddr="0xFB00000";
 my $no_threads=0;
@ -843,6 +844,27 @@ PROCESS_ARGS:
 			# The check for the option is there so scripts aren't
 			# broken
 			}
+		elsif (/^nofipscanistercheck$/)
+			{
+			$fips = 1;
+			$nofipscanistercheck = 1;
+			}
+		elsif (/^fipscanisterbuild$/)
+			{
+			$fips = 1;
+			$nofipscanistercheck = 1;
+			$fipslibdir="";
+			$fipscanisterinternal="y";
+			}
+		elsif (/^fipsdso$/)
+			{
+			$fips = 1;
+			$nofipscanistercheck = 1;
+			$fipslibdir="";
+			$fipscanisterinternal="y";
+			$fipsdso = 1;
+			$no_shared = 0;
+			}
 		elsif (/^[-+]/)
 			{
 			if (/^-[lL](.*)$/)
@ -873,16 +895,6 @@ PROCESS_ARGS:
 				{
 				$withargs{"zlib-lib"}=$1;
 				}
-			elsif (/^--nofipscanistercheck$/)
-				{
-				$nofipscanistercheck = 1;
-				}
-			elsif (/^--fipscanisterbuild$/)
-				{
-				$nofipscanistercheck = 1;
-				$fipslibdir="";
-				$fipscanisterinternal="y";
-				}
 			elsif (/^--with-fipslibdir=(.*)$/)
 				{
 				$fipslibdir="$1/";
@ -1356,6 +1368,16 @@ while (<IN>)
 	s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
 	s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/;
 	s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
+	if ($fipsdso)
+		{
+		s/^FIPSCANLIB=.*/FIPSCANLIB=libfips/;
+		s/^SHARED_FIPS=.*/SHARED_FIPS=libfips\$(SHLIB_EXT)/;
+		}
+	else
+		{
+		s/^FIPSCANLIB=.*/FIPSCANLIB=/;
+		s/^SHARED_FIPS=.*/SHARED_FIPS=/;
+		}
 	s/^FIPSCANISTERINTERNAL=.*/FIPSCANISTERINTERNAL=$fipscanisterinternal/;
 	s/^BASEADDR=.*/BASEADDR=$baseaddr/;
 	s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/;
--- a/Makefile.org
+++ b/Makefile.org
@ -185,6 +185,7 @@ LIBZLIB=

 FIPSLIBDIR=/usr/local/ssl/lib/
 FIPSCANISTERINTERNAL=n
+FIPSCANLIB=

 # Shared library base address. Currently only used on Windows.
 #
@ -227,6 +228,7 @@ WDIRS=  windows
 LIBS=   libcrypto.a libssl.a
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
+SHARED_FIPS=
 SHARED_LIBS=
 SHARED_LIBS_LINK_EXTS=
 SHARED_LDFLAGS=
@ -249,7 +251,7 @@ sub_all:
 	do \
 	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making all in $$i..." && \
-		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' FIPS_AES_ENC='${FIPS_AES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}' FIPSLIBDIR='${FIPSLIBDIR}' all ) || exit 1; \
+		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' FIPS_AES_ENC='${FIPS_AES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}' FIPSLIBDIR='${FIPSLIBDIR}' FIPSCANLIB='${FIPSCANLIB}' all ) || exit 1; \
 	else \
 		$(MAKE) $$i; \
 	fi; \
@ -266,9 +268,15 @@ sub_target:
 	fi; \
 	done;

-libcrypto$(SHLIB_EXT): libcrypto.a
+libcrypto$(SHLIB_EXT): libcrypto.a $(SHARED_FIPS)
 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
-		$(MAKE) SHLIBDIRS=crypto build-shared; \
+		if [ "$(FIPSCANLIB)" = "libfips" ]; then \
+			$(ARD) libcrypto.a fipscanister.o ; \
+			$(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \
+			$(AR) libcrypto.a fips-1.0/fipscanister.o ; \
+		else \
+			$(MAKE) SHLIBDIRS='crypto' build-shared; \
+		fi \
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
 	fi
@ -280,6 +288,13 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
 		echo "There's no support for shared libraries on this platform" >&2; \
 	fi

+libfips$(SHLIB_EXT):
+	@if [ "$(SHLIB_TARGET)" != "" ]; then \
+		$(MAKE) SHLIBDIRS=fips build-shared; \
+	else \
+		echo "There's no support for shared libraries on this platform" >&2; \
+	fi
+
 clean-shared:
 	@for i in $(SHLIBDIRS); do \
 		if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \
--- a/fips-1.0/fipsld
+++ b/fips-1.0/fipsld
@ -32,6 +32,11 @@ TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)`

 THERE="`echo $0 | sed -e 's|[^/]*$||'`"..

+# FIPSCANLIB is the library containing fipscanister.o by default it is
+# libcrypto.a
+
+FIPSCANLIB=${FIPSCANLIB:-libcrypto}
+
 # FIPSLIBDIR is location of installed validated FIPS module
 # if FIPSCANISTERINTERNAL="y" link against internally generated fipscanister.o
 if [ "x$FIPSCANISTERINTERNAL" != "xy" ]; then
@ -59,7 +64,7 @@ case "${TARGET}" in
 esac

 case "${TARGET}" in
-*libcrypto*|*.dll)	# must be linking a shared lib...
+*${FIPCANLIB}*|*.dll)	# must be linking a shared lib...
 	# Shared lib creation can be taking place in the source
 	# directory only!!!
 	FINGERTYPE="${THERE}/fips-1.0/sha/fips_standalone_sha1"
@ -78,15 +83,15 @@ echo Canister: $CANISTER_O
 		diff -w "${PREMAIN_C}.sha1" - || \
 	{ echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }

-	# Temporarily remove fipscanister.o from libcrypto.a!
+	# Temporarily remove fipscanister.o from library!
 	# We are required to use the standalone copy...
-	trap	'ar r "${THERE}/libcrypto.a" "${CANISTER_O}";
-		 (ranlib "${THERE}/libcrypto.a") 2>/dev/null;
+	trap	'ar r "${THERE}/$FIPSCANLIB.a" "${CANISTER_O}";
+		 (ranlib "${THERE}/$FIPSCANLIB.a") 2>/dev/null;
 		 sleep 1;
 		 touch -c "${TARGET}"' 0

-	ar d "${THERE}/libcrypto.a" fipscanister.o 2>&1 > /dev/null || :
-	(ranlib "${THERE}/libcrypto.a") 2>/dev/null || :
+	ar d "${THERE}/$FIPSCANLIB.a" fipscanister.o 2>&1 > /dev/null || :
+	(ranlib "${THERE}/$FIPSCANLIB.a") 2>/dev/null || :

 	${CC}	"${CANISTER_O}" \
 		"${PREMAIN_C}" \
--- a/test/Makefile
+++ b/test/Makefile
@ -342,8 +342,13 @@ STANDALONE_BUILD_CMD=SHARED_LIBS="$(SHARED_LIBS)"; \
 	fi; \
 	if [ -z "$$SHARED_LIBS" ]; then \
 		set -x; $${CC:-$(CC)} -o $$target$(EXE_EXT) $(CFLAGS) $$target.o $(PEX_LIBS) $(LIBKRB5) $(EX_LIBS) ; \
-	else	set -x; LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-		$(CC) -o $$target$(EXE_EXT) $(CFLAGS) $$target.o $(PEX_LIBS) $(LIBKRB5) $(EX_LIBS) ; \
+	else	set -x; LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH ; \
+		if [ "$(FIPSCANLIB)" = "libfips" ]; then \
+			fipsexlib="-lfips" ; \
+		else \
+			fipsexlib="-lcrypto" ; \
+		fi ; \
+		$(CC) -o $$target$(EXE_EXT) $(CFLAGS) $$target.o $(PEX_LIBS) $(LIBKRB5) $(EX_LIBS) -L.. $$fipsexlib ; \
 	fi

 FIPS_BUILD_CMD=if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \