As for complementary fips.c modification. Goal is to ensure that
FIPS_signature does not end up in .bss segment, one guaranteed to
be zeroed upon program start-up. One would expect explicitly
initialized values to end up in .data segment, but it turned out
that values explicitly initialized with zeros can end up in .bss.
The modification does not affect program flow, because first byte
was the only one of significance [to FINGERPRINT_premain].
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 34f39b062c76fbd3082521b26edee7f53afc061d)
Special note about additional -pie flag in android-armv7. The initial
reason for adding it is that Android 5 refuses to execute non-PIE
binaries. But what about older systems and previously validated
platforms? It should be noted that flag is not used when compiling
object code, fipscanister.o in this context, only when linking
applications, *supplementary* fips_algvs used during validation
procedure.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 6db8e3bdc9ef83d83b83f3eec9722c96daa91f82)
Resolved conflicts:
test/fips_algvs.c
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 97fbb0c88c2f601f98e25e57b9f6f9679d14f3a8)
Resolved conflicts:
Configure
config
In the current code, the check isn't redundant.
And in fact the REAL check was missing.
This avoids a NULL-deref crash.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Don't try to raise SIGABRT if not defined.
Return from fips_dhvs.c main instead of calling exit.
Workaround for lack of GetSystemFileAsFileTime.
Disable optimisation for part of bn_nist.c to avoid compiler bug.
Remove /WX flag so we don't exist on warnings.
of all fips test utilities in a single binary and some minimal script
parsing for platforms lacking a suitable shell.
In order to keep changes to the build system to a minimum it #includes all
the utilities C source files (yuck).
