Add fipscanisterbuild configuration option and update Makefile.org: doesn't compile yet
This commit is contained in:
Dr. Stephen Henson
parent
9bafd8f7b3
commit
1ab2f7f1cb
75
Configure
75
Configure
@ -647,6 +647,11 @@ my $openssldir="";
|
||||
my $exe_ext="";
|
||||
my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
|
||||
my $cross_compile_prefix="";
|
||||
my $fipslibdir="/usr/local/ssl/fips-1.0/lib/";
|
||||
my $nofipscanistercheck=0;
|
||||
my $fipsdso=0;
|
||||
my $fipscanisterinternal="n";
|
||||
my $baseaddr="0xFB00000";
|
||||
my $no_threads=0;
|
||||
my $threads=0;
|
||||
my $no_shared=0; # but "no-shared" is default
|
||||
@ -681,6 +686,7 @@ my $cmll_enc="camellia.o cmll_misc.o cmll_cbc.o";
|
||||
my $processor="";
|
||||
my $default_ranlib;
|
||||
my $perl;
|
||||
my $fips=0;
|
||||
|
||||
|
||||
# All of the following is disabled by default (RC5 was enabled before 0.9.8):
|
||||
@ -833,6 +839,26 @@ PROCESS_ARGS:
|
||||
# The check for the option is there so scripts aren't
|
||||
# broken
|
||||
}
|
||||
elsif (/^nofipscanistercheck$/)
|
||||
{
|
||||
$fips = 1;
|
||||
$nofipscanistercheck = 1;
|
||||
}
|
||||
elsif (/^fipscanisterbuild$/)
|
||||
{
|
||||
$fips = 1;
|
||||
$nofipscanistercheck = 1;
|
||||
$fipslibdir="";
|
||||
$fipscanisterinternal="y";
|
||||
}
|
||||
elsif (/^fipsdso$/)
|
||||
{
|
||||
$fips = 1;
|
||||
$nofipscanistercheck = 1;
|
||||
$fipslibdir="";
|
||||
$fipscanisterinternal="y";
|
||||
$fipsdso = 1;
|
||||
}
|
||||
elsif (/^[-+]/)
|
||||
{
|
||||
if (/^-[lL](.*)$/ or /^-Wl,/)
|
||||
@ -1398,6 +1424,15 @@ $cflags.=" -DOPENSSL_IA32_SSE2" if (!$no_sse2 && $bn_obj =~ /86/);
|
||||
|
||||
$cflags.=" -DOPENSSL_BN_ASM_MONT" if ($bn_obj =~ /-mont/);
|
||||
|
||||
if ($fips)
|
||||
{
|
||||
$openssl_other_defines.="#define OPENSSL_FIPS\n";
|
||||
if ($fipscanisterinternal eq "y")
|
||||
{
|
||||
$openssl_other_defines.="#define OPENSSL_FIPSCANISTER\n";
|
||||
}
|
||||
}
|
||||
|
||||
$cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/);
|
||||
$des_obj=$des_enc unless ($des_obj =~ /\.o$/);
|
||||
$bf_obj=$bf_enc unless ($bf_obj =~ /\.o$/);
|
||||
@ -1574,6 +1609,21 @@ while (<IN>)
|
||||
s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
|
||||
s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/;
|
||||
s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/;
|
||||
s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
|
||||
if ($fipsdso)
|
||||
{
|
||||
s/^FIPSCANLIB=.*/FIPSCANLIB=libfips/;
|
||||
s/^SHARED_FIPS=.*/SHARED_FIPS=libfips\$(SHLIB_EXT)/;
|
||||
s/^SHLIBDIRS=.*/SHLIBDIRS= crypto ssl fips/;
|
||||
}
|
||||
else
|
||||
{
|
||||
s/^FIPSCANLIB=.*/FIPSCANLIB=libcrypto/ if $fips;
|
||||
s/^SHARED_FIPS=.*/SHARED_FIPS=/;
|
||||
s/^SHLIBDIRS=.*/SHLIBDIRS= crypto ssl/;
|
||||
}
|
||||
s/^FIPSCANISTERINTERNAL=.*/FIPSCANISTERINTERNAL=$fipscanisterinternal/;
|
||||
s/^BASEADDR=.*/BASEADDR=$baseaddr/;
|
||||
s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
|
||||
s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
|
||||
s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
|
||||
@ -1884,9 +1934,16 @@ BEGIN
|
||||
BEGIN
|
||||
BLOCK "040904b0"
|
||||
BEGIN
|
||||
#if defined(FIPS)
|
||||
VALUE "Comments", "WARNING: TEST VERSION ONLY ***NOT*** FIPS 140-2 VALIDATED.\\0"
|
||||
#endif
|
||||
// Required:
|
||||
VALUE "CompanyName", "The OpenSSL Project, http://www.openssl.org/\\0"
|
||||
#if defined(FIPS)
|
||||
VALUE "FileDescription", "TEST UNVALIDATED FIPS140-2 DLL\\0"
|
||||
#else
|
||||
VALUE "FileDescription", "OpenSSL Shared Library\\0"
|
||||
#endif
|
||||
VALUE "FileVersion", "$version\\0"
|
||||
#if defined(CRYPTO)
|
||||
VALUE "InternalName", "libeay32\\0"
|
||||
@ -1894,6 +1951,9 @@ BEGIN
|
||||
#elif defined(SSL)
|
||||
VALUE "InternalName", "ssleay32\\0"
|
||||
VALUE "OriginalFilename", "ssleay32.dll\\0"
|
||||
#elif defined(FIPS)
|
||||
VALUE "InternalName", "libosslfips\\0"
|
||||
VALUE "OriginalFilename", "libosslfips.dll\\0"
|
||||
#endif
|
||||
VALUE "ProductName", "The OpenSSL Toolkit\\0"
|
||||
VALUE "ProductVersion", "$version\\0"
|
||||
@ -1936,6 +1996,21 @@ libraries on this platform, they will at least look at it and try their best
|
||||
(but please first make sure you have tried with a current version of OpenSSL).
|
||||
EOF
|
||||
|
||||
print <<\EOF if ($fipscanisterinternal eq "y");
|
||||
|
||||
WARNING: OpenSSL has been configured using unsupported option(s) to internally
|
||||
generate a fipscanister.o object module for TESTING PURPOSES ONLY; that
|
||||
compiled module is NOT FIPS 140-2 validated and CANNOT be used to replace the
|
||||
OpenSSL FIPS Object Module as identified by the CMVP
|
||||
(http://csrc.nist.gov/cryptval/) in any application requiring the use of FIPS
|
||||
140-2 validated software.
|
||||
|
||||
This is an OpenSSL 1.1.0 test version.
|
||||
|
||||
See the file README.FIPS for details of how to build a test library.
|
||||
|
||||
EOF
|
||||
|
||||
exit(0);
|
||||
|
||||
sub usage
|
||||
|
||||
115
Makefile.org
115
Makefile.org
@ -110,7 +110,33 @@ LIBKRB5=
|
||||
ZLIB_INCLUDE=
|
||||
LIBZLIB=
|
||||
|
||||
DIRS= crypto ssl engines apps test tools
|
||||
# This is the location of fipscanister.o and friends.
|
||||
# The FIPS module build will place it $(INSTALLTOP)/lib
|
||||
# but since $(INSTALLTOP) can only take the default value
|
||||
# when the module is built it will be in /usr/local/ssl/lib
|
||||
# $(INSTALLTOP) for this build make be different so hard
|
||||
# code the path.
|
||||
|
||||
FIPSLIBDIR=/usr/local/ssl/$(LIBDIR)/
|
||||
|
||||
# This is set to "y" if fipscanister.o is compiled internally as
|
||||
# opposed to coming from an external validated location.
|
||||
|
||||
FIPSCANISTERINTERNAL=n
|
||||
|
||||
# The location of the library which contains fipscanister.o
|
||||
# normally it will be libcrypto unless fipsdso is set in which
|
||||
# case it will be libfips. If not compiling in FIPS mode at all
|
||||
# this is empty making it a useful test for a FIPS compile.
|
||||
|
||||
FIPSCANLIB=
|
||||
|
||||
# Shared library base address. Currently only used on Windows.
|
||||
#
|
||||
|
||||
BASEADDR=
|
||||
|
||||
DIRS= crypto fips ssl engines apps test tools
|
||||
ENGDIRS= ccgost
|
||||
SHLIBDIRS= crypto ssl
|
||||
|
||||
@ -207,6 +233,10 @@ BUILDENV= PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
|
||||
WP_ASM_OBJ='$(WP_ASM_OBJ)' \
|
||||
MODES_ASM_OBJ='$(MODES_ASM_OBJ)' \
|
||||
PERLASM_SCHEME='$(PERLASM_SCHEME)' \
|
||||
FIPSLIBDIR='${FIPSLIBDIR}' \
|
||||
FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}" \
|
||||
FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}' \
|
||||
FIPS_EX_OBJ='${FIPS_EX_OBJ}' \
|
||||
THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
|
||||
# MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
|
||||
# which in turn eliminates ambiguities in variable treatment with -e.
|
||||
@ -238,13 +268,92 @@ BUILD_ONE_CMD=\
|
||||
reflect:
|
||||
@[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
|
||||
|
||||
|
||||
# FIXME
|
||||
|
||||
FIPS_EX_OBJ= ../crypto/aes/aes_cfb.o \
|
||||
../crypto/aes/aes_ecb.o \
|
||||
../crypto/aes/aes_ofb.o \
|
||||
../crypto/bn/bn_add.o \
|
||||
../crypto/bn/bn_blind.o \
|
||||
../crypto/bn/bn_ctx.o \
|
||||
../crypto/bn/bn_div.o \
|
||||
../crypto/bn/bn_exp2.o \
|
||||
../crypto/bn/bn_exp.o \
|
||||
../crypto/bn/bn_gcd.o \
|
||||
../crypto/bn/bn_lib.o \
|
||||
../crypto/bn/bn_mod.o \
|
||||
../crypto/bn/bn_mont.o \
|
||||
../crypto/bn/bn_mul.o \
|
||||
../crypto/bn/bn_prime.o \
|
||||
../crypto/bn/bn_rand.o \
|
||||
../crypto/bn/bn_recp.o \
|
||||
../crypto/bn/bn_shift.o \
|
||||
../crypto/bn/bn_sqr.o \
|
||||
../crypto/bn/bn_word.o \
|
||||
../crypto/bn/bn_x931p.o \
|
||||
../crypto/buffer/buf_str.o \
|
||||
../crypto/cryptlib.o \
|
||||
../crypto/des/cfb64ede.o \
|
||||
../crypto/des/cfb64enc.o \
|
||||
../crypto/des/cfb_enc.o \
|
||||
../crypto/des/ecb3_enc.o \
|
||||
../crypto/des/ofb64ede.o \
|
||||
../crypto/des/fcrypt.o \
|
||||
../crypto/des/set_key.o \
|
||||
../crypto/dh/dh_check.o \
|
||||
../crypto/dh/dh_gen.o \
|
||||
../crypto/dh/dh_key.o \
|
||||
../crypto/dsa/dsa_gen.o \
|
||||
../crypto/dsa/dsa_key.o \
|
||||
../crypto/dsa/dsa_ossl.o \
|
||||
../crypto/dsa/dsa_sign.o \
|
||||
../crypto/dsa/dsa_vrf.o \
|
||||
../crypto/evp/e_aes.o \
|
||||
../crypto/evp/e_des3.o \
|
||||
../crypto/evp/m_sha1.o \
|
||||
../crypto/hmac/hmac.o \
|
||||
../crypto/mem.o \
|
||||
../crypto/modes/cfb128.o \
|
||||
../crypto/modes/ctr128.o \
|
||||
../crypto/modes/ofb128.o \
|
||||
../crypto/rand/md_rand.o \
|
||||
../crypto/rand/rand_egd.o \
|
||||
../crypto/rand/randfile.o \
|
||||
../crypto/rand/rand_lib.o \
|
||||
../crypto/rand/rand_os2.o \
|
||||
../crypto/rand/rand_unix.o \
|
||||
../crypto/rand/rand_win.o \
|
||||
../crypto/rsa/rsa_eay.o \
|
||||
../crypto/rsa/rsa_gen.o \
|
||||
../crypto/rsa/rsa_crpt.o \
|
||||
../crypto/rsa/rsa_none.o \
|
||||
../crypto/rsa/rsa_oaep.o \
|
||||
../crypto/rsa/rsa_pk1.o \
|
||||
../crypto/rsa/rsa_pss.o \
|
||||
../crypto/rsa/rsa_ssl.o \
|
||||
../crypto/rsa/rsa_x931.o \
|
||||
../crypto/sha/sha1dgst.o \
|
||||
../crypto/sha/sha256.o \
|
||||
../crypto/sha/sha512.o \
|
||||
../crypto/uid.o
|
||||
|
||||
sub_all: build_all
|
||||
build_all: build_libs build_apps build_tests build_tools
|
||||
|
||||
build_libs: build_crypto build_ssl build_engines
|
||||
build_libs: build_crypto build_fips build_ssl build_engines
|
||||
|
||||
build_fips:
|
||||
@dir=fips; target=all; [ -z "$(FIPSCANLIB)" ] || $(BUILD_ONE_CMD)
|
||||
|
||||
build_crypto:
|
||||
@dir=crypto; target=all; $(BUILD_ONE_CMD)
|
||||
if [ -n "$(FIPSCANLIB)" ]; then \
|
||||
EXCL_OBJ='$(AES_ENC) $(BN_ASM) $(DES_ENC) $(CPUID_OBJ) $(SHA1_ASM_OBJ) $(FIPS_EX_OBJ)' ; export EXCL_OBJ ; \
|
||||
ARX='$(PERL) $${TOP}/util/arx.pl $(AR)' ; \
|
||||
else \
|
||||
ARX='${AR}' ; \
|
||||
fi ; export ARX ; \
|
||||
dir=crypto; target=all; $(BUILD_ONE_CMD)
|
||||
build_ssl:
|
||||
@dir=ssl; target=all; $(BUILD_ONE_CMD)
|
||||
build_engines:
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user