##### MacOS X (a.k.a. Rhapsody or Darwin) setup
"rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX_RHAPSODY::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}::",
-"darwin-ppc-cc","cc:-O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::osx_ppc32.o::::::::::dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin-ppc-cc","cc:-O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::osx_ppc32.o::::::::::dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
"debug-darwin-ppc-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DB_ENDIAN -g -Wall -O::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::osx_ppc32.o::::::::::dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
##### A/UX
my $ranlib = $fields[$idx_ranlib];
my $arflags = $fields[$idx_arflags];
+# '%' in $lflags is used to split flags to "pre-" and post-flags
+my ($prelflags,$postlflags)=split('%',$lflags);
+if (defined($postlflags)) { $lflags=$postlflags; }
+else { $lflags=$prelflags; undef $prelflags; }
+
my $no_shared_warn=0;
my $no_user_cflags=0;
s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc eq "gcc";
s/^CFLAG=.*$/CFLAG= $cflags/;
s/^DEPFLAG=.*$/DEPFLAG= $depflags/;
+ s/^PEX_LIBS=.*$/PEX_LIBS= $prelflags/;
s/^EX_LIBS=.*$/EX_LIBS= $lflags/;
s/^EXE_EXT=.*$/EXE_EXT= $exe_ext/;
s/^CPUID_OBJ=.*$/CPUID_OBJ= $cpuid_obj/;
s/^BASEADDR=.*/BASEADDR=$baseaddr/;
s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
- s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL) \$(SHARED_FIPS)/ if (!$no_shared);
+ s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_FIPS) \$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
if ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*$/)
{
my $sotmp = $1;
sub_all: build_all
build_all: build_libs build_apps build_tests build_tools
-build_libs: build_crypto build_fips build_ssl build_engines
+build_libs: build_crypto build_fips build_ssl build_shared build_engines
build_crypto:
if [ -n "$(FIPSCANLIB)" ]; then \
fi ; export ARX ; \
dir=crypto; target=all; $(BUILD_ONE_CMD)
build_fips:
- @dir=fips-1.0; target=all; $(BUILD_ONE_CMD)
+ @dir=fips-1.0; target=all; [ -z "$(FIPSCANLIB)" ] || $(BUILD_ONE_CMD)
build_ssl:
@dir=ssl; target=all; $(BUILD_ONE_CMD)
build_engines:
build_testapps:
@dir=crypto; target=testapps; $(BUILD_ONE_CMD)
+build_shared: $(SHARED_LIBS)
libcrypto$(SHLIB_EXT): libcrypto.a $(SHARED_FIPS)
@if [ "$(SHLIB_TARGET)" != "" ]; then \
if [ "$(FIPSCANLIB)" = "libfips" ]; then \
- ( dir=fips-1.0; target=all; $(BUILD_ONE_CMD) ) ; \
$(ARD) libcrypto.a fipscanister.o ; \
$(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \
$(AR) libcrypto.a fips-1.0/fipscanister.o ; \
else \
if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
FIPSLD_CC=$(CC); CC=fips-1.0/fipsld; \
- FIPSLD_NPT="y"; FIPSLD_LIBFIPS=y; \
- export CC FIPSLD_CC FIPSLD_NPT FIPSLD_LIBFIPS; \
+ export CC FIPSLD_CC; \
fi; \
$(MAKE) -e SHLIBDIRS='crypto' build-shared; \
fi \
else \
echo "There's no support for shared libraries on this platform" >&2; \
+ exit 1; \
fi
libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
@if [ "$(SHLIB_TARGET)" != "" ]; then \
- $(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \
+ shlibdeps=-lcrypto; \
+ [ "$(FIPSCANLIB)" = "libfips" ] && shlibdeps="$$shlibdeps -lfips"; \
+ $(MAKE) SHLIBDIRS=ssl SHLIBDEPS="$$shlibdeps" build-shared; \
else \
echo "There's no support for shared libraries on this platform" >&2 ; \
exit 1; \
fi
-libfips$(SHLIB_EXT): libfips.a
+fips-1.0/fipscanister.o: build_fips
+libfips$(SHLIB_EXT): fips-1.0/fipscanister.o
@if [ "$(SHLIB_TARGET)" != "" ]; then \
- if [ "$(FIPSCANLIB)" = "libfips" ]; then \
- FIPSLD_CC=$(CC); CC=fips-1.0/fipsld; FIPSLD_NPT="y"; \
- FIPSLD_LIBFIPS=y; \
- export CC FIPSLD_CC FIPSLD_NPT FIPSLD_LIBFIPS; \
- fi; \
- $(MAKE) -e SHLIBDIRS=fips build-shared; \
+ FIPSLD_CC=$(CC); CC=fips-1.0/fipsld; export CC FIPSLD_CC; \
+ $(MAKE) -f Makefile.shared -e $(BUILDENV) \
+ CC=$${CC} LIBNAME=fips THIS=$@ \
+ LIBEXTRAS=fips-1.0/fipscanister.o \
+ LIBDEPS="$(EX_LIBS)" \
+ LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
+ link_o.$(SHLIB_TARGET) || { rm -f $@; exit 1; } \
else \
echo "There's no support for shared libraries on this platform" >&2; \
+ exit 1; \
fi
libfips.a:
LIBDEPS="$${LIBDEPS:-$(LIBDEPS)}"; \
SHAREDCMD="$${SHAREDCMD:-$(CC)}"; \
SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
- nm -Pg $$SHOBJECTS | grep ' [BDT] ' | cut -f1 -d' ' > lib$(LIBNAME).exp; \
LIBPATH=`for x in $$LIBDEPS; do if echo $$x | grep '^ *-L' > /dev/null 2>&1; then echo $$x | sed -e 's/^ *-L//'; fi; done | uniq`; \
LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
$${SHAREDCMD} $${SHAREDFLAGS} \
-o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
$$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS \
- ) && $(SYMLINK_SO); \
- ( $(SET_X); rm -f lib$(LIBNAME).exp )
+ ) && $(SYMLINK_SO)
SYMLINK_SO= \
if [ -n "$$INHIBIT_SYMLINKS" ]; then :; else \
$unistd =
$thread_cflag = -D_REENTRANT
$sys_id = MACOSX
-$lflags =
+$lflags = -Wl,-search_paths_first%
$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
$cpuid_obj =
$bn_obj =
$unistd =
$thread_cflag = -D_REENTRANT
$sys_id = MACOSX
-$lflags = -Wl,-search_paths_first
+$lflags = -Wl,-search_paths_first%
$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
$cpuid_obj =
$bn_obj = osx_ppc32.o
elif [ -n "$(FIPSCANLIB)" ]; then \
FIPSLD_CC=$(CC); CC=$(TOP)/fips-1.0/fipsld; export CC FIPSLD_CC; \
fi; \
- if [ "$${shlib_target}" = "darwin-shared" ] ; then \
- LIBRARIES="$(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO)" ; \
- else \
- LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \
- fi; \
+ LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \
+ [ "x$(FIPSCANLIB)" = "xlibfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
$(MAKE) -f $(TOP)/Makefile.shared -e \
CC=$${CC} APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \
LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
top:
@(cd ..; $(MAKE) DIRS=$(DIR) all)
-all: shared
+all: lib
buildinf.h: ../Makefile
( echo "#ifndef MK1MF_BUILD"; \
@target=links; $(RECURSIVE_MAKE)
# lib: and $(LIB): are splitted to avoid end-less loop
-lib: $(LIB)
+lib: buildinf.h $(LIB) subdirs
@touch lib
$(LIB): $(LIBOBJ)
$(ARX) $(LIB) $(LIBOBJ)
@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
all:
- @if [ -n "$(FIPSCANLIB)" ]; then \
- $(MAKE) -e subdirs lib shared; \
+ @if [ -z "$(FIPSLIBDIR)" ]; then \
+ $(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \
+ else \
+ $(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \
fi
# Idea behind fipscanister.o is to "seize" the sequestered code between
objs="$$objs `sed "$$script" $$i`"; \
done; \
objs="$$objs fips_end.o" ; \
+ os="`(uname -s) 2>/dev/null`"; cflags="$(CFLAGS)"; \
+ [ "$$os" = "AIX" ] && cflags="$$cflags -Wl,-bnoobjreorder"; \
if [ -n "${FIPS_SITE_LD}" ]; then \
set -x; ${FIPS_SITE_LD} -r -o $@ $$objs; \
elif $(CC) -dumpversion >/dev/null 2>&1; then \
- set -x; $(CC) $(CFLAGS) -r -nostdlib -o $@ $$objs ; \
- else case "`(uname -s) 2>/dev/null`" in \
+ set -x; $(CC) $$cflags -r -nostdlib -o $@ $$objs ; \
+ else case "$$os" in \
HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \
- AIX) set -x; $(CC) $(CFLAGS) -Wl,-bnoobjreorder -r -o $@ $$objs ;; \
- *) set -x; $(CC) $(CFLAGS) -r -o $@ $$objs ;; \
+ *) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \
esac fi
- sha/fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1
+ ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1
# If another exception is immediately required, assign approprite
# site-specific ld command to FIPS_SITE_LD environment variable.
$(CC) $(CFLAGS) -DFIPS_END -c -o $@ fips_canister.c
fips_premain_dso$(EXE_EXT): fips_premain.c
$(CC) $(CFLAGS) -DFINGERPRINT_PREMAIN_DSO_LOAD -o $@ fips_premain.c \
- ../libcrypto.a $(EX_LIBS)
+ $(FIPSLIBDIR)fipscanister.o ../libcrypto.a $(EX_LIBS)
+# this is executed only when linking with external fipscanister.o
+fips_standalone_sha1$(EXE_EXT): sha/fips_standalone_sha1.c
+ $(CC) $(CFLAGS) -DFIPSCANISTER_O -o $@ sha/fips_standalone_sha1.c $(FIPSLIBDIR)fipscanister.o
subdirs:
@target=all; $(RECURSIVE_MAKE)
@target=links; $(RECURSIVE_MAKE)
# lib: and $(LIB): are splitted to avoid end-less loop
-lib: $(FIPSCANLIB) $(FIPSCANLOC)
+lib: $(LIB)
@touch lib
+$(LIB): $(FIPSLIBDIR)fipscanister.o
+ $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
+ $(RANLIB) $(LIB) || echo Never mind.
+
$(FIPSCANLIB): $(FIPSCANLOC)
$(AR) ../$(FIPSCANLIB).a $(FIPSCANLOC)
if [ "$(FIPSCANLIB)" = "libfips" ]; then \
@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
clean:
- rm -f fipscanister.o.sha1 fips_premain_dso$(EXE_EXT) \
+ rm -f fipscanister.o.sha1 fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT) \
*.s *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
@target=clean; $(RECURSIVE_MAKE)
#!/bin/sh -e
#
-# Copyright (c) 2005 The OpenSSL Project.
+# Copyright (c) 2005-2007 The OpenSSL Project.
#
# Depending on output file name, the script either embeds fingerprint
# into libcrypto.so or static application. "Static" refers to static
# Initially -c wasn't intended to be interpreted here, but it might
# make life easier for those who want to build FIPS-ified applications
# with minimal [if any] modifications to their Makefiles...
-( while [ "x$1" != "x" -a "x$1" != "x-c" ]; do shift; done;
+( while [ "x$1" != "x" -a "x$1" != "x-c" -a "x$1" != "x-E" ]; do shift; done;
[ $# -ge 1 ]
) && exec ${CC} "$@"
+TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)`
+
# If using an auto-tooled (autoconf/automake/libtool) project,
# configure will fail when testing the compiler or even performing
-# simple checks. Pass-thru to compiler directly if not linking
-# to libcrypto, allowing auto-tooled applications to utilize fipsld
-# (e.g. CC=/usr/local/ssl/bin/fipsld FIPSLD_CC=gcc ./configure && make )
-# If FIPSLD_NPT is set never call the pass-thru: the standalone fips commands
-# need this because they don't link to libcrypto
-[ -z "$FIPSLD_NPT" -a -z "$FIPSLD_LIBFIPS" ] && {
-case "$*" in
- *libcrypto.a*)
- ;;
- *-lcrypto*)
- ;;
- *)
- exec ${CC} $*
- ;;
+# simple checks. Pass-through to compiler directly if application is
+# is not being linked with libcrypto, allowing auto-tooled applications
+# to utilize fipsld (e.g. CC=/usr/local/ssl/bin/fipsld FIPSLD_CC=gcc
+# ./configure && make). But keep in mind[!] that if certified code
+# resides in a shared library, then fipsld *may not* be used and
+# end-developer should not modify application configuration and build
+# procedures. This is because in-core fingerprint and associated
+# procedures are already embedded into and executed in shared library
+# context.
+case `basename "${TARGET}"` in
+libcrypto*|libfips*|*.dll) ;;
+*) case "$*" in
+ *libcrypto.a*|*-lcrypto*) ;;
+ *) exec ${CC} "$@" ;;
+ esac
esac
-}
+
+[ -n "${TARGET}" ] || { echo 'no -o specified'; exit 1; }
# Turn on debugging output?
( while [ "x$1" != "x" -a "x$1" != "x-DDEBUG_FINGERPRINT_PREMAIN" ]; do shift; done;
[ $# -ge 1 ]
) && set -x
-TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)`
-[ -n "${TARGET}" ] || { echo 'no -o specified'; exit 1; }
-
THERE="`echo $0 | sed -e 's|[^/]*$||'`"..
-# FIPSCANLIB is the library containing fipscanister.o by default it is
-# libcrypto.a
-
-FIPSCANLIB=${FIPSCANLIB:-libcrypto}
-
-# FIPSLIBDIR is location of installed validated FIPS module
-# if FIPSCANISTERINTERNAL="y" link against internally generated fipscanister.o
-if [ "x$FIPSCANISTERINTERNAL" != "xy" ]; then
- FIPSLIBDIR=${FIPSLIBDIR:-/usr/local/ssl/lib}
-else
- FIPSLIBDIR=${THERE}/fips-1.0
+# If set, FIPSLIBDIR is location of installed validated FIPS module
+if [ -n "${FIPSLIBDIR}" ]; then
+ CANISTER_O="${FIPSLIBDIR}"
+elif [ -f "${THERE}/fips-1.0/fipscanister.o" ]; then
+ CANISTER_O="${THERE}/fips-1.0/fipscanister.o"
+elif [ -f "${THERE}/lib/fipscanister.o" ]; then
+ CANISTER_O="${THERE}/lib/fipscanister.o"
fi
+[ -f ${CANISTER_O} ] || { echo "unable to find ${CANISTER_O}"; exit 1; }
-[ -f "${FIPSLIBDIR}/fipscanister.o" ] ||
- { echo "fipscanister.o not found"; exit 1; }
+PREMAIN_C=`dirname "${CANISTER_O}"`/fips_premain.c
HMAC_KEY="etaonrishdlcupfm"
[!/]*) TARGET=./${TARGET} ;;
esac
-case "${TARGET}" in
-*${FIPSCANLIB}*|*.dll) # must be linking a shared lib...
- # Shared lib creation can be taking place in the source
+case `basename "${TARGET}"` in
+libfips*|*fips.dll)
+ # libfips.so creation can be taking place in the source
# directory only!!!
- FINGERTYPE="${THERE}/fips-1.0/sha/fips_standalone_sha1"
- CANISTER_O="${FIPSLIBDIR}/fipscanister.o"
- PREMAIN_C="${FIPSLIBDIR}/fips_premain.c"
-echo Canister: $CANISTER_O
+ FINGERTYPE="${THERE}/fips-1.0/fips_standalone_sha1"
+ # fipscanister.o should be specified on command line...
+ CANISTER_O=`(while [ "x$1" != "x" ]; do case "$1" in *fipscanister.o) echo $1; exit;; esac; shift; done)`
+ [ -n "$CANISTER_O" ] || { echo "fipscanister.o is not found"; exit 1; }
+ PREMAIN_C=`dirname "${CANISTER_O}"`/fips_premain.c
# verify fipspremain.c against its detached signature...
${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \
diff -w "${PREMAIN_C}.sha1" - || \
{ echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
- # Special case: if FIPSLD_LIBFIPS is asserted we are building
- # libfips shared library and fipscanister.o is already present
- # in libfips.a
- if [ -n "$FIPSLD_LIBFIPS" ] ; then
- ${CC} "${PREMAIN_C}" \
- ${_WL_PREMAIN} "$@"
- else
-
- # verify fipscanister.o against its detached signature...
- ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
- diff -w "${CANISTER_O}.sha1" - || \
- { echo "${CANISTER_O} fingerprint mismatch"; exit 1; }
-
- # Temporarily remove fipscanister.o from library!
- # We are required to use the standalone copy...
- trap 'ar r "${THERE}/$FIPSCANLIB.a" "${CANISTER_O}";
- (ranlib "${THERE}/$FIPSCANLIB.a") 2>/dev/null;
- sleep 1;
- touch -c "${TARGET}"' 0
-
- ar d "${THERE}/$FIPSCANLIB.a" fipscanister.o 2>&1 > /dev/null || :
- (ranlib "${THERE}/$FIPSCANLIB.a") 2>/dev/null || :
-
- ${CC} "${CANISTER_O}" \
- "${PREMAIN_C}" \
- ${_WL_PREMAIN} "$@"
- fi
+ # verify fipscanister.o against its detached signature...
+ ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
+ diff -w "${CANISTER_O}.sha1" - || \
+ { echo "${CANISTER_O} fingerprint mismatch"; exit 1; }
+
+ /bin/rm -f "${TARGET}"
+ ${CC} "${PREMAIN_C}" ${_WL_PREMAIN} "$@"
# generate signature...
- SIG=`("${THERE}/fips-1.0/fips_premain_dso" "${TARGET}" || rm "${TARGET}")`
+ SIG=`"${THERE}/fips-1.0/fips_premain_dso" "${TARGET}"`
+ /bin/rm -f "${TARGET}"
if [ -z "${SIG}" ]; then
echo "unable to collect signature"; exit 1
fi
- if [ -n "$FIPSLD_LIBFIPS" ] ; then
- ${CC} -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \
- ${_WL_PREMAIN} "$@"
- else
+ # recompile with signature...
+ ${CC} -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" ${_WL_PREMAIN} "$@"
+ ;;
+libcrypto*|*.dll) # must be linking a shared lib...
+ # Shared lib creation can be taking place in the source
+ # directory only, but fipscanister.o can reside elsewhere...
+ FINGERTYPE="${THERE}/fips-1.0/fips_standalone_sha1"
+
+ # verify fipspremain.c against its detached signature...
+ ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \
+ diff -w "${PREMAIN_C}.sha1" - || \
+ { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
+ # verify fipscanister.o against its detached signature...
+ ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
+ diff -w "${CANISTER_O}.sha1" - || \
+ { echo "${CANISTER_O} fingerprint mismatch"; exit 1; }
+
+ # Temporarily remove fipscanister.o from libcrypto.a!
+ # We are required to use the standalone copy...
+ trap 'ar r "${THERE}/libcrypto.a" "${CANISTER_O}";
+ (ranlib "${THERE}/libcrypto.a") 2>/dev/null;
+ sleep 1;
+ touch -c "${TARGET}"' 0
+
+ ar d "${THERE}/libcrypto.a" fipscanister.o 2>&1 > /dev/null || :
+ (ranlib "${THERE}/libcrypto.a") 2>/dev/null || :
+
+ /bin/rm -f "${TARGET}"
+ ${CC} "${CANISTER_O}" \
+ "${PREMAIN_C}" \
+ ${_WL_PREMAIN} "$@"
- # recompile with signature...
- ${CC} "${CANISTER_O}" \
- -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \
- ${_WL_PREMAIN} "$@"
+ # generate signature...
+ SIG=`"${THERE}/fips-1.0/fips_premain_dso" "${TARGET}"`
+ /bin/rm -f "${TARGET}"
+ if [ -z "${SIG}" ]; then
+ echo "unable to collect signature"; exit 1
fi
+
+ # recompile with signature...
+ ${CC} "${CANISTER_O}" \
+ -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \
+ ${_WL_PREMAIN} "$@"
;;
*) # must be linking statically...
# Static linking can be taking place either in the source
# directory or off the installed binary target destination.
- if [ -x "${THERE}/fips-1.0/sha/fips_standalone_sha1" ]; then
- FINGERTYPE="${THERE}/fips-1.0/sha/fips_standalone_sha1"
+ if [ -x "${THERE}/fips-1.0/fips_standalone_sha1" ]; then
+ FINGERTYPE="${THERE}/fips-1.0/fips_standalone_sha1"
else # Installed tree is expected to contain
# lib/fipscanister.o, lib/fipscanister.o.sha1 and
# lib/fips_premain.c [not to mention bin/openssl].
FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}"
fi
- CANISTER_O="${FIPSLIBDIR}/fipscanister.o"
- PREMAIN_C="${FIPSLIBDIR}/fips_premain.c"
-
# verify fipscanister.o against its detached signature...
${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
diff -w "${CANISTER_O}.sha1" - || \
{ echo "${CANISTER_O} fingerprint mismatch"; exit 1; }
# verify fips_premain.c against its detached signature...
-# ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \
-# diff -w "${PREMAIN_C}.sha1" - || \
-# { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
+ ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \
+ diff -w "${PREMAIN_C}.sha1" - || \
+ { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
+ /bin/rm -f "${TARGET}"
${CC} "${CANISTER_O}" \
"${PREMAIN_C}" \
${_WL_PREMAIN} "$@"
# generate signature...
- SIG=`("${TARGET}" || /bin/rm "${TARGET}")`
+ SIG=`"${TARGET}"`
+ /bin/rm -f "${TARGET}"
if [ -z "${SIG}" ]; then
echo "unable to collect signature"; exit 1
fi
top:
(cd $(TOP); $(MAKE) DIRS=fips-1.0 SDIRS=$(DIR) sub_all)
-all: fips_standalone_sha1$(EXE_EXT) lib
+all: ../fips_standalone_sha1$(EXE_EXT) lib
lib: $(LIBOBJ)
@echo $(LIBOBJ) > lib
-fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o
+../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o
FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
- $(CC) -o fips_standalone_sha1$(EXE_EXT) $(CFLAGS) \
- fips_standalone_sha1.o $$FIPS_SHA_ASM
+ $(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM
files:
$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
#include <openssl/sha.h>
#include <openssl/hmac.h>
+#ifndef FIPSCANISTER_O
int FIPS_selftest_failed() { return 0; }
void FIPS_selftest_check() {}
void OPENSSL_cleanse(void *p,size_t len) {}
+#endif
#ifdef OPENSSL_FIPS
top:
(cd ..; $(MAKE) DIRS=$(DIR) all)
-all: shared
+all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
BUILD_CMD=shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
shlib_target="$(SHLIB_TARGET)"; \
fi; \
- if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \
- LIBRARIES="$(DLIBSSL) $(DLIBCRYPTO) $(LIBKRB5)"; \
- else \
- LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \
- fi; \
+ LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \
+ [ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
$(MAKE) -f $(TOP)/Makefile.shared -e \
APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
FIPS_BUILD_CMD=shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
shlib_target="$(SHLIB_TARGET)"; \
fi; \
- if [ "$(FIPSCANLIB)" != "libfips" -o -z "$(SHARED_LIBS)" -o "$${shlib_target}" = "darwin-shared" ] ; then \
- LIBRARIES=""; \
- if [ -n "$(FIPSCANLIB)" ]; then \
- FIPSLD_CC=$(CC); CC=$(TOP)/fips-1.0/fipsld; FIPSLD_NPT="y" \
- export CC FIPSLD_CC FIPSLD_NPT ; \
- fi; \
- else \
- LIBRARIES="$(LIBFIPS)"; \
+ LIBRARIES="$(LIBCRYPTO) $(LIBKRB5)"; \
+ if [ -z "$(SHARED_LIBS)" ] ; then \
+ FIPSLD_CC=$(CC); CC=$(TOP)/fips-1.0/fipsld; export CC FIPSLD_CC; \
fi; \
+ [ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="-L$(TOP) -lfips"; \
$(MAKE) -f $(TOP)/Makefile.shared -e \
CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
FIPS_CRYPTO_BUILD_CMD=shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
shlib_target="$(SHLIB_TARGET)"; \
fi; \
- if [ -z "$(SHARED_LIBS)" -o "$${shlib_target}" = "darwin-shared" ] ; then \
- LIBRARIES="$(DLIBSSL) $(DLIBCRYPTO) $(LIBKRB5)"; \
- if [ -n "$(FIPSCANLIB)" ]; then \
- FIPSLD_CC=$(CC); CC=$(TOP)/fips-1.0/fipsld; FIPSLD_NPT="y" \
- export CC FIPSLD_CC FIPSLD_NPT ; \
- fi; \
- else \
- LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \
+ LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \
+ if [ -z "$(SHARED_LIBS)" ] ; then \
+ FIPSLD_CC=$(CC); CC=$(TOP)/fips-1.0/fipsld; export CC FIPSLD_CC; \
fi; \
+ [ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
$(MAKE) -f $(TOP)/Makefile.shared -e \
CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
projects / thirdparty / openssl.git / commitdiff
