-SUBDIRS=common default
+# We place all implementations in static libraries, and then let the
+# provider mains pilfer what they want through symbol resolution when
+# linking.
+#
+# The non-legacy implementations (libimplementations) must be made FIPS
+# agnostic as much as possible, as well as the common building blocks
+# (libcommon). The legacy implementations (liblegacy) will never be
+# part of the FIPS provider.
+#
+# If there is anything that isn't FIPS agnostic, it should be set aside
+# in its own source file, which is then included directly into other
+# static libraries geared for FIPS and non-FIPS providers, and built
+# separately.
+#
+# libcommon.a Contains common building blocks, potentially
+# needed both by non-legacy and legacy code.
+#
+# libimplementations.a Contains all non-legacy implementations.
+# liblegacy.a Contains all legacy implementations.
+#
+# libfips.a Contains all things needed to support
+# FIPS implementations, such as code from
+# crypto/ and object files that contain
+# FIPS-specific code. FIPS_MODULE is defined
+# for this library. The FIPS module uses
+# this.
+# libnonfips.a Corresponds to libfips.a, but built with
+# FIPS_MODULE undefined. The default and legacy
+# providers use this.
+#
+# This is how different provider modules should be linked:
+#
+# FIPS:
+# -o fips.so {object files...} libimplementations.a libcommon.a libfips.a
+# Non-FIPS:
+# -o module.so {object files...} libimplementations.a libcommon.a libnonfips.a
+#
+# It is crucial that code that checks for the FIPS_MODULE macro end up in
+# libfips.a and libnonfips.a, never in libcommon.a.
+# It is crucial that such code is written so libfips.a and libnonfips.a doesn't
+# end up depending on libimplementations.a or libcommon.a.
+# It is crucial that such code is written so libcommon.a doesn't end up
+# depending on libimplementations.a.
+#
+# Code in providers/implementations/ should be written in such a way that the
+# OSSL_DISPATCH arrays (and preferably the majority of the actual code) ends
+# up in either libimplementations.a or liblegacy.a.
+# If need be, write an abstraction layer in separate source files and make them
+# libfips.a / libnonfips.a sources.
+
+SUBDIRS=common implementations
+
+INCLUDE[../libcrypto]=common/include
+
+# Libraries we're dealing with
+$LIBCOMMON=libcommon.a
+$LIBIMPLEMENTATIONS=libimplementations.a
+$LIBLEGACY=liblegacy.a
+$LIBNONFIPS=libnonfips.a
+$LIBFIPS=libfips.a
+
+# Enough of our implementations include prov/ciphercommon.h (present in
+# providers/implementations/include), which includes crypto/*_platform.h
+# (present in include), which in turn may include very internal header
+# files in crypto/, so let's have a common include list for them all.
+$COMMON_INCLUDES=../crypto ../include implementations/include common/include
+
+INCLUDE[$LIBCOMMON]=$COMMON_INCLUDES
+INCLUDE[$LIBIMPLEMENTATIONS]=.. $COMMON_INCLUDES
+INCLUDE[$LIBLEGACY]=.. $COMMON_INCLUDES
+INCLUDE[$LIBNONFIPS]=.. $COMMON_INCLUDES
+INCLUDE[$LIBFIPS]=.. $COMMON_INCLUDES
+DEFINE[$LIBFIPS]=FIPS_MODULE
+
+# Weak dependencies to provide library order information.
+# We make it weak so they aren't both used always; what is
+# actually used is determined by non-weak dependencies.
+DEPEND[$LIBIMPLEMENTATIONS]{weak}=$LIBFIPS $LIBNONFIPS
+DEPEND[$LIBCOMMON]{weak}=$LIBFIPS
+
+# Strong dependencies. This ensures that any time libimplementations
+# is used, libcommon gets included as well.
+DEPEND[$LIBIMPLEMENTATIONS]=$LIBCOMMON
+DEPEND[$LIBNONFIPS]=../libcrypto
+# It's tempting to make libcommon depend on ../libcrypto. However,
+# since the FIPS provider module must NOT depend on ../libcrypto, we
+# need to set that dependency up specifically for the final products
+# that use $LIBCOMMON or anything that depends on it.
+
+# Libraries common to all providers, must be built regardless
+LIBS{noinst}=$LIBCOMMON
+# Libraries that are common for all non-FIPS providers, must be built regardless
+LIBS{noinst}=$LIBNONFIPS $LIBIMPLEMENTATIONS
+
+#
+# Default provider stuff
+#
+# Because the default provider is built in, it means that libcrypto must
+# include all the object files that are needed (we do that indirectly,
+# by using the appropriate libraries as source). Note that for shared
+# libraries, SOURCEd libraries are considered as if the where specified
+# with DEPEND.
+$DEFAULTGOAL=../libcrypto
+SOURCE[$DEFAULTGOAL]=$LIBIMPLEMENTATIONS $LIBNONFIPS
+SOURCE[$DEFAULTGOAL]=defltprov.c
+# Some legacy implementations depend on provider header files
+INCLUDE[$DEFAULTGOAL]=implementations/include
+
+LIBS=$DEFAULTGOAL
+
+#
+# Base provider stuff
+#
+# Because the base provider is built in, it means that libcrypto
+# must include all of the object files that are needed.
+$BASEGOAL=../libcrypto
+SOURCE[$BASEGOAL]=$LIBIMPLEMENTATIONS $LIBNONFIPS
+SOURCE[$BASEGOAL]=baseprov.c
+INCLUDE[$BASEGOAL]=implementations/include
+
+#
+# FIPS provider stuff
+#
+# We define it this way to ensure that configdata.pm will have all the
+# necessary information even if we don't build the module. This will allow
+# us to make all kinds of checks on the source, based on what we specify in
+# diverse build.info files. libfips.a, fips.so and their sources aren't
+# built unless the proper LIBS or MODULES statement has been seen, so we
+# have those and only those within a condition.
+SUBDIRS=fips
+$FIPSGOAL=fips
+DEPEND[$FIPSGOAL]=$LIBIMPLEMENTATIONS $LIBFIPS
+INCLUDE[$FIPSGOAL]=../include
+DEFINE[$FIPSGOAL]=FIPS_MODULE
+IF[{- defined $target{shared_defflag} -}]
+ SOURCE[$FIPSGOAL]=fips.ld
+ GENERATE[fips.ld]=../util/providers.num
+ENDIF
IF[{- !$disabled{fips} -}]
- SUBDIRS=fips
- MODULES=fips
- IF[{- defined $target{shared_defflag} -}]
- SOURCE[fips]=fips.ld
- GENERATE[fips.ld]=../util/providers.num
- ENDIF
- INCLUDE[fips]=.. ../include ../crypto/include
- DEFINE[fips]=FIPS_MODE
+ # This is the trigger to actually build the FIPS module. Without these
+ # statements, the final build file will not have a trace of it.
+ MODULES=$FIPSGOAL
+ LIBS{noinst}=$LIBFIPS
ENDIF
+#
+# Legacy provider stuff
+#
IF[{- !$disabled{legacy} -}]
- SUBDIRS=legacy
- MODULES=legacy
- IF[{- defined $target{shared_defflag} -}]
- SOURCE[legacy]=legacy.ld
- GENERATE[legacy.ld]=../util/providers.num
+ # The legacy implementation library
+ LIBS{noinst}=$LIBLEGACY
+ DEPEND[$LIBLEGACY]=$LIBCOMMON $LIBNONFIPS
+
+ # The Legacy provider
+ IF[{- $disabled{module} -}]
+ # Become built in
+ # In this case, we need to do the same thing a for the default provider,
+ # and make the liblegacy object files end up in libcrypto. We could also
+ # just say that for the built-in legacy, we put the source directly in
+ # libcrypto instead of going via liblegacy, but that makes writing the
+ # implementation specific build.info files harder to write, so we don't.
+ $LEGACYGOAL=../libcrypto
+ SOURCE[$LEGACYGOAL]=$LIBLEGACY
+ DEFINE[$LIBLEGACY]=STATIC_LEGACY
+ DEFINE[$LEGACYGOAL]=STATIC_LEGACY
+ ELSE
+ # Become a module
+ # In this case, we can work with dependencies
+ $LEGACYGOAL=legacy
+ MODULES=$LEGACYGOAL
+ DEPEND[$LEGACYGOAL]=$LIBLEGACY
+ IF[{- defined $target{shared_defflag} -}]
+ SOURCE[legacy]=legacy.ld
+ GENERATE[legacy.ld]=../util/providers.num
+ ENDIF
ENDIF
- INCLUDE[legacy]=.. ../include ../crypto/include
- DEPEND[legacy]=../libcrypto
+
+ # Common things that are valid no matter what form the Legacy provider
+ # takes.
+ SOURCE[$LEGACYGOAL]=legacyprov.c
+ INCLUDE[$LEGACYGOAL]=../include implementations/include common/include
ENDIF
+
+#
+# Null provider stuff
+#
+# Because the null provider is built in, it means that libcrypto must
+# include all the object files that are needed.
+$NULLGOAL=../libcrypto
+SOURCE[$NULLGOAL]=nullprov.c prov_running.c
+
+SOURCE[$LIBNONFIPS]=prov_running.c
projects / openssl.git / blobdiff