FIPS related updates for Windows build. Only build fipscanister.o from the

GMAKE target. Use precompiled fipscanister.o from other targets. Update fipslink.pl script to check fipscanister.o and fips_premain.c hashes.
2006-01-26 17:34:57 +00:00 · 2006-01-26 17:34:57 +00:00 · f6bbb5b67d
commit f6bbb5b67d
parent c9f4204ae8
4 changed files with 95 additions and 34 deletions
--- a/util/fipslink.pl
+++ b/util/fipslink.pl
@ -12,8 +12,9 @@ sub check_env
 	}


-my ($fips_cc,$fips_cc_args, $fips_link,$fips_target)
-	 = check_env("FIPS_CC", "FIPS_CC_ARGS", "FIPS_LINK", "FIPS_TARGET");
+my ($fips_cc,$fips_cc_args, $fips_link,$fips_target, $fips_libdir)
+	 = check_env("FIPS_CC", "FIPS_CC_ARGS", "FIPS_LINK", "FIPS_TARGET",
+	 	"FIPS_LIBDIR");



@ -26,9 +27,14 @@ if (exists $ENV{"FIPS_PREMAIN_DSO"})
 	$fips_premain_dso = "";
 	}

+check_hash("fips_premain.c");
+check_hash("fipscanister.o");

-print "$fips_cc $fips_cc_args\n";
-system "$fips_cc $fips_cc_args";
+
+print "Integrity check OK\n";
+
+print "$fips_cc $fips_cc_args $fips_libdir/fips_premain.c\n";
+system "$fips_cc $fips_cc_args $fips_libdir/fips_premain.c";
 die "First stage Compile failure" if $? != 0;

 print "$fips_link @ARGV\n";
@ -42,8 +48,8 @@ chomp $fips_hash;
 die "Get hash failure" if $? != 0;


-print "$fips_cc -DHMAC_SHA1_SIG=\\\"$fips_hash\\\" $fips_cc_args\n";
-system "$fips_cc -DHMAC_SHA1_SIG=\\\"$fips_hash\\\" $fips_cc_args";
+print "$fips_cc -DHMAC_SHA1_SIG=\\\"$fips_hash\\\" $fips_cc_args $fips_libdir/fips_premain.c\n";
+system "$fips_cc -DHMAC_SHA1_SIG=\\\"$fips_hash\\\" $fips_cc_args $fips_libdir/fips_premain.c";
 die "Second stage Compile failure" if $? != 0;


@ -51,3 +57,22 @@ print "$fips_link @ARGV\n";
 system "$fips_link @ARGV";
 die "Second stage Link failure" if $? != 0;

+sub check_hash
+	{
+	my ($filename) = @_;
+	my ($hashfile, $hashval);
+
+	open(IN, "${fips_libdir}/${filename}.sha1") || die "Cannot open file hash file ${fips_libdir}/${filename}.sha1";
+	$hashfile = <IN>;
+	close IN;
+	$hashval = `${fips_libdir}/fips_standalone_sha1.exe ${fips_libdir}/$filename`;
+	chomp $hashfile;
+	chomp $hashval;
+	$hashfile =~ s/^.*=\s+//;
+	$hashval =~ s/^.*=\s+//;
+	die "Invalid hash syntax in file" if (length($hashfile) != 40);
+	die "Invalid hash received for file" if (length($hashval) != 40);
+	die "***HASH VALUE MISMATCH FOR FILE $filename ***" if ($hashval ne $hashfile); 
+	}
+
+
--- a/util/mk1mf.pl
+++ b/util/mk1mf.pl
@ -13,6 +13,9 @@ $banner="\t\@echo Building OpenSSL";
 local $zlib_opt = 0;	# 0 = no zlib, 1 = static, 2 = dynamic
 local $zlib_lib = "";

+my $fips_canister_path = "";
+my $fipslibdir = "fipslib";
+
 open(IN,"<Makefile") || die "unable to open Makefile!\n";
 while(<IN>) {
    $ssl_version=$1 if (/^VERSION=(.*)$/);
@ -111,6 +114,8 @@ $tmp_def="tmp";
 $mkdir="-mkdir";
 $mkcanister="ld -r -o";

+$ex_build_targets = "";
+
 ($ssl,$crypto)=("ssl","crypto");
 $ranlib="echo ranlib";

@ -301,8 +306,11 @@ for (;;)
 				$uc =~ s/^lib(.*)\.a/$1/;
 				$uc =~ tr/a-z/A-Z/;
 				}
-			$lib_nam{$uc}=$uc;
-			$lib_obj{$uc}.=$libobj." ";
+			if (($uc ne "FIPS") || $fips_canister_build)
+				{
+				$lib_nam{$uc}=$uc;
+				$lib_obj{$uc}.=$libobj." ";
+				}
 			}
 		last if ($val eq "FINISHED");
 		$lib="";
@ -348,6 +356,13 @@ for (;;)
 	}
 close(IN);

+if ($fips_canister_path eq "")
+	{
+	$fips_canister_path = "\$(FIPSLIB_D)${o}fipscanister.o";
+	}
+
+	$ex_build_targets .= "\$(FIPSLIB_D)${o}\$(E_PREMAIN_DSO)$exep" if ($fips_canister_build);
+
 $defs= <<"EOF";
 # This makefile has been automatically generated from the OpenSSL distribution.
 # This single makefile will build the complete OpenSSL distribution and
@ -428,6 +443,10 @@ TMP_D=$tmp_dir
 INC_D=$inc_dir
 INCO_D=$inc_dir${o}openssl

+# Directory containing FIPS module
+
+FIPSLIB_D=$fipslibdir
+
 CP=$cp
 RM=$rm
 RANLIB=$ranlib
@ -463,7 +482,7 @@ INCL_D=\$(TMP_D)

 O_SSL=     \$(LIB_D)$o$plib\$(SSL)$shlibp
 O_CRYPTO=  \$(LIB_D)$o$plib\$(CRYPTO)$shlibp
-O_FIPSCANISTER= \$(LIB_D)${o}fipscanister$obj
+O_FIPSCANISTER= $fips_canister_path
 SO_SSL=    $plib\$(SSL)$so_shlibp
 SO_CRYPTO= $plib\$(CRYPTO)$so_shlibp
 L_SSL=     \$(LIB_D)$o$plib\$(SSL)$libp
@ -485,7 +504,7 @@ LIBS_DEP=\$(O_CRYPTO) \$(O_SSL)
 EOF

 $rules=<<"EOF";
-all: banner \$(TMP_D) \$(BIN_D) \$(TEST_D) \$(LIB_D) \$(INCO_D) headers lib exe
+all: banner \$(TMP_D) \$(BIN_D) \$(TEST_D) \$(LIB_D) \$(INCO_D) \$(FIPSLIB_D) headers lib exe $ex_build_targets

 banner:
 $banner
@ -508,6 +527,9 @@ $banner
 \$(INC_D):
 	\$(MKDIR) \$(INC_D)

+\$(FIPSLIB_D):
+	\$(MKDIR) \$(FIPSLIB_D)
+
 headers: \$(HEADER) \$(EXHEADER)
 	@

@ -597,21 +619,19 @@ $rules.=&do_compile_rule("\$(OBJ_D)",$e_exe,'-DMONOLITH $(APP_CFLAGS)');

 # Special case rules for fips_start and fips_end fips_premain_dso

-if ($fips)
+if ($fips && $fips_canister_build)
 	{
 	$rules.=&cc_compile_target("\$(OBJ_D)${o}fips_start$obj",
 		"fips${o}fips_canister.c", "-DFIPS_START \$(SHLIB_CFLAGS)");
 	$rules.=&cc_compile_target("\$(OBJ_D)${o}fips_end$obj",
 		"fips${o}fips_canister.c", "\$(SHLIB_CFLAGS)");
+	$rules.=&cc_compile_target("\$(OBJ_D)${o}fips_standalone_sha1$obj",
+		"fips${o}sha${o}fips_standalone_sha1.c", "\$(SHLIB_CFLAGS)");
 	$rules.=&cc_compile_target("\$(OBJ_D)${o}\$(E_PREMAIN_DSO)$obj",
 		"fips${o}fips_premain.c",
 		"-DFINGERPRINT_PREMAIN_DSO_LOAD \$(SHLIB_CFLAGS)");
-	$rules.=&cc_compile_target("\$(OBJ_D)${o}fips_standalone_sha1$obj",
-		"fips${o}sha${o}fips_standalone_sha1.c", "\$(SHLIB_CFLAGS)");
 	}

-
-
 foreach (values %lib_nam)
 	{
 	$lib_obj=$lib_obj{$_};
@ -696,12 +716,13 @@ if ($fips)
 		{
 		$rules.= &do_lib_rule("\$(CRYPTOOBJ) \$(O_FIPSCANISTER)",
 			"\$(O_CRYPTO)",$crypto,$shlib, "\$(SO_CRYPTO)",
-			"0xFB00000", "\$(BIN_D)$o\$(E_PREMAIN_DSO)$exep",
+			"0xFB00000", "\$(FIPSLIB_D)$o\$(E_PREMAIN_DSO)$exep",
 					"fips${o}fips_premain.c");
 		}
 	else
 		{
 		$rules.= &do_lib_rule("\$(CRYPTOOBJ) \$(O_FIPSCANISTER)",
+#		$rules.= &do_lib_rule("\$(CRYPTOOBJ)",
 			"\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)", "");
 		}
 	}
@ -712,12 +733,16 @@ if ($fips)
 	}


+if ($fips && $fips_canister_build)
+	{
+	$rules.= &do_rlink_rule("\$(O_FIPSCANISTER)", "\$(OBJ_D)${o}fips_start$obj \$(FIPSOBJ) \$(OBJ_D)${o}fips_end$obj", "\$(FIPSLIB_D)${o}fips_standalone_sha1$exep", "") if $fips_canister_build;
+	$rules.=&do_link_rule("\$(FIPSLIB_D)${o}\$(E_PREMAIN_DSO)$exep","\$(OBJ_D)${o}\$(E_PREMAIN_DSO)$obj \$(O_CRYPTO)","","\$(EX_LIBS)", 1);
+	}
+	
+	$rules.=&do_link_rule("\$(FIPSLIB_D)${o}fips_standalone_sha1$exep","\$(OBJ_D)${o}fips_standalone_sha1$obj \$(OBJ_D)${o}fips_sha1dgst$obj","","", 1);
+
 if ($fips)
 	{
-	$rules.= &do_rlink_rule("\$(O_FIPSCANISTER)", "\$(OBJ_D)${o}fips_start$obj \$(FIPSOBJ) \$(OBJ_D)${o}fips_end$obj", "\$(BIN_D)${o}fips_standalone_sha1$exep");
-	$rules.=&do_link_rule("\$(BIN_D)$o\$(E_PREMAIN_DSO)$exep","\$(OBJ_D)${o}\$(E_PREMAIN_DSO)$obj \$(CRYPTOOBJ) \$(O_FIPCANISTER)","","\$(EX_LIBS) \$(O_FIPSCANISTER)");
-	$rules.=&do_link_rule("\$(BIN_D)${o}fips_standalone_sha1$exep","\$(OBJ_D)${o}fips_standalone_sha1$obj \$(OBJ_D)${o}fips_sha1dgst$obj","","", 1);
-
 	$rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)",0,"\$(BIN_D)$o\$(E_EXE)$exep");
 	}
 else
--- a/util/pl/VC-32-GMAKE.pl
+++ b/util/pl/VC-32-GMAKE.pl
@ -14,6 +14,8 @@ $rm='rm';

 $zlib_lib="zlib1.lib";

+$fips_canister_build = 1 if $fips; 
+
 # C compiler stuff
 $cc='cl';
 $cflags=' -MD -W3 -WX -G5 -Ox -O2 -Ob2 -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32';
@ -21,9 +23,9 @@ $cflags.=' -D_CRT_SECURE_NO_DEPRECATE';	# shut up VC8
 $lflags="-nologo -subsystem:console -machine:I386 -opt:ref";
 $mlflags='';

-$out_def="out32";
-$tmp_def="tmp32";
-$inc_def="inc32";
+$out_def="gmout32";
+$tmp_def="gmtmp32";
+$inc_def="gminc32";

 if ($debug)
 	{
@ -98,8 +100,8 @@ if ($shlib)
 	$mlflags.=" $lflags -dll";
 #	$cflags =~ s| -MD| -MT|;
 	$lib_cflag=" -D_WINDLL";
-	$out_def="out32dll";
-	$tmp_def="tmp32dll";
+	$out_def="gmout32dll";
+	$tmp_def="gmtmp32dll";
 	}

 $cflags.=" -Fd$out_def";
@ -137,12 +139,13 @@ sub do_lib_rule
 		$ex.=" $zlib_lib" if $zlib_opt == 1 && $target =~ /O_CRYPTO/;
 		if (defined $fips_get_sig)
 			{
-			$ret.="$target: $objs $fips_get_sig\n";
+			$ret.="$target: \$(O_FIPSCANISTER) $objs $fips_get_sig\n";
 			$ret.="\tFIPS_LINK=\$(LINK) ";
 			$ret.="FIPS_CC=\$(CC) ";
-			$ret.="FIPS_CC_ARGS=\"-Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c \$(SRC_D)${o}fips${o}fips_premain.c\" ";
+			$ret.="FIPS_CC_ARGS=\"-Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c\" ";
 			$ret.="FIPS_PREMAIN_DSO=$fips_get_sig ";
 			$ret.="FIPS_TARGET=$target ";
+			$ret.="FIPS_LIBDIR=\$(FIPSLIB_D) ";
 			$ret.="\$(FIPSLINK) \$(MLFLAGS) $base_arg $efile$target ";
 			$ret.="-def:ms/${Name}.def \$(SHLIB_EX_OBJ) $objs ";
 			$ret.="\$(OBJ_D)${o}fips_premain.obj $ex\n\n";
@ -163,24 +166,27 @@ sub do_link_rule
 	local($ret,$_);
 	$file =~ s/\//$o/g if $o ne '/';
 	$n=&bname($targer);
-	$ret.="$target: $files $dep_libs\n";
 	if ($standalone)
 		{
+		$ret.="$target: $files $dep_libs\n";
 		$ret.="\t\$(LINK) \$(LFLAGS) $efile$target ";
 		$ret.="$files $libs\n\n";
 		}
 	elsif ($fips && !$shlib)
 		{
+		$ret.="$target: \$(O_FIPSCANISTER) $files $dep_libs\n";
 		$ret.="\tFIPS_LINK=\$(LINK) ";
 		$ret.="FIPS_CC=\$(CC) ";
-		$ret.="FIPS_CC_ARGS=\"-Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c \$(SRC_D)${o}fips${o}fips_premain.c\" ";
+		$ret.="FIPS_CC_ARGS=\"-Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c\" ";
 		$ret.="FIPS_PREMAIN_DSO= ";
 		$ret.="FIPS_TARGET=$target ";
+		$ret.="FIPS_LIBDIR=\$(FIPSLIB_D) ";
 		$ret.=" \$(FIPSLINK) \$(LFLAGS) $efile$target ";
 		$ret.="\$(APP_EX_OBJ) $files \$(OBJ_D)${o}fips_premain.obj $libs\n\n";
 		}
 	else
 		{
+		$ret.="$target: $files $dep_libs\n";
 		$ret.="\t\$(LINK) \$(LFLAGS) $efile$target ";
 		$ret.="\$(APP_EX_OBJ) $files $libs\n\n";
 		}
@ -190,14 +196,17 @@ sub do_link_rule

 sub do_rlink_rule
 	{
-	local($target,$files,$check_hash)=@_;
+	local($target,$files,$check_hash, $deps)=@_;
 	local($ret,$_);

 	$file =~ s/\//$o/g if $o ne '/';
 	$n=&bname($targer);
-	$ret.="$target: $check_hash $files $dep_libs\n";
+	$ret.="$target: $check_hash $files $deps\n";
 	$ret.="\t\$(PERL) util${o}checkhash.pl -chdir fips -program_path ..$o$check_hash\n";
-	$ret.="\t\$(MKCANISTER) $target $files\n\n";
+	$ret.="\t\$(MKCANISTER) $target $files\n";
+	$ret.="\t$check_hash $target > $target.sha1\n";
+	$ret.="\t\$(CP) fips${o}fips_premain.c \$(FIPSLIB_D)\n";
+	$ret.="\t$check_hash \$(FIPSLIB_D)${o}fips_premain.c > \$(FIPSLIB_D)${o}fips_premain.c.sha1\n\n";
 	return($ret);
 	}

--- a/util/pl/VC-32.pl
+++ b/util/pl/VC-32.pl
@ -137,9 +137,10 @@ sub do_lib_rule
 			$ret.="$target: $objs $fips_get_sig\n";
 			$ret.="\tSET FIPS_LINK=\$(LINK)\n";
 			$ret.="\tSET FIPS_CC=\$(CC)\n";
-			$ret.="\tSET FIPS_CC_ARGS=/Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c \$(SRC_D)${o}fips${o}fips_premain.c\n";
+			$ret.="\tSET FIPS_CC_ARGS=/Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c\n";
 			$ret.="\tSET FIPS_PREMAIN_DSO=$fips_get_sig\n";
 			$ret.="\tSET FIPS_TARGET=$target\n";
+			$ret.="\tSET FIPS_LIBDIR=\$(FIPSLIB_D)\n";
 			$ret.="\t\$(FIPSLINK) \$(MLFLAGS) $base_arg $efile$target ";
 			$ret.="/def:ms/${Name}.def @<<\n  \$(SHLIB_EX_OBJ) $objs ";
 			$ret.="\$(OBJ_D)${o}fips_premain.obj $ex\n<<\n";
@ -170,9 +171,10 @@ sub do_link_rule
 		{
 		$ret.="\tSET FIPS_LINK=\$(LINK)\n";
 		$ret.="\tSET FIPS_CC=\$(CC)\n";
-		$ret.="\tSET FIPS_CC_ARGS=/Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c \$(SRC_D)${o}fips${o}fips_premain.c\n";
+		$ret.="\tSET FIPS_CC_ARGS=/Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c\n";
 		$ret.="\tSET FIPS_PREMAIN_DSO=\n";
 		$ret.="\tSET FIPS_TARGET=$target\n";
+		$ret.="\tSET FIPS_LIBDIR=\$(FIPSLIB_D)\n";
 		$ret.="  \$(FIPSLINK) \$(LFLAGS) $efile$target @<<\n";
 		$ret.="  \$(APP_EX_OBJ) $files \$(OBJ_D)${o}fips_premain.obj $libs\n<<\n";
 		}