PROV: Relegate most of the FIPS provider code to libfips.a
authorRichard Levitte <levitte@openssl.org>
Wed, 19 May 2021 16:51:07 +0000 (18:51 +0200)
committerRichard Levitte <levitte@openssl.org>
Fri, 21 May 2021 10:08:31 +0000 (12:08 +0200)
provider/fips/fipsprov.c contains a number of symbols that get used by
anything that's included in libfips.a, at least on Unix.
Unfortunately, there are platforms that do not support resolving
symbols to things that are already included in the end product (module
in this case) being built; they only support resolving symbols with
what comes next in the linking process.

The offending symbols in this case are FIPS_security_check_enabled,
c_thread_start and ossl_fips_intern_provider_init.

We resolve this by placing providers/fips/fipsprov.c in libfips.a along
with everything else there.  That takes care of the offending symbols.
What remains is to ensure that there is an entry point in an object
file used directly when linking the module, providers/fips/fips_entry.c.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15370)

providers/fips/build.info
providers/fips/fips_entry.c [new file with mode: 0644]
providers/fips/fipsprov.c

index 8d3c5e20499012c48a1eead5740f4ac8f027a6b0..2bfc58501e941b429d1dd9ae153c5f0e5f2d1b69 100644 (file)
@@ -1,2 +1,6 @@
-SOURCE[../fips]=fipsprov.c self_test.c self_test_kats.c
-INCLUDE[../fips]=../implementations/include ../common/include ../..
+# We include the provider implementation into ../libfips.a, so that all
+# platforms can resolve symbols in other members of that library.
+SOURCE[../libfips.a]=fipsprov.c self_test.c self_test_kats.c
+
+# It is necessary to have an explicit entry point
+SOURCE[../fips]=fips_entry.c
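Review bot: The comment `# It is necessary to have an explicit entry point` states the requirement but not the reason, which a later maintainer needs before touching these two SOURCE lines. Members of a static library are only pulled into a link to satisfy an undefined reference, so once fipsprov.c lives in libfips.a the module needs one directly linked object that both defines `OSSL_provider_init` and references the implementation in the library. I would spell that out, e.g. `# fips_entry.c is linked directly into the module; it defines OSSL_provider_init and, by calling into fipsprov.c, pulls the provider implementation out of libfips.a`. The hunk also drops `INCLUDE[../fips]=...` with no replacement for `../libfips.a`, so the moved sources presumably rely on include paths declared for that library elsewhere, which is not visible here.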
diff --git a/providers/fips/fips_entry.c b/providers/fips/fips_entry.c
new file mode 100644 (file)
index 0000000..c2c8d5d
--- /dev/null
@@ -0,0 +1,19 @@
+/*
+ * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/core.h>
+
+OSSL_provider_init_fn OSSL_provider_init_int;
+int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
+                       const OSSL_DISPATCH *in,
+                       const OSSL_DISPATCH **out,
+                       void **provctx)
+{
+    return OSSL_provider_init_int(handle, in, out, provctx);
+}
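Review bot: `OSSL_provider_init_fn OSSL_provider_init_int;` is declared by hand in this file and again in fipsprov.c, so nothing but convention keeps the two declarations in agreement. Only the fipsprov.c copy sits inside the VMS `#pragma names uppercase,truncated` block, so the call here appears to rely on this file's default name mode producing the same symbol. The new file also carries no comment saying why the trampoline exists. I would add something like `/* Defined in fipsprov.c (libfips.a); see the VMS name-case note there. */` above the declaration. Alternatively, the declaration could move to a shared internal header that both files include.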
index c28995fc44ee723c82258ccd4cd12a36ca6b71c1..580eea574f09c2b4820a05fd03ca21a262753959 100644 (file)
@@ -518,10 +518,26 @@ static const OSSL_DISPATCH intern_dispatch_table[] = {
     { 0, NULL }
 };
 
-int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
-                       const OSSL_DISPATCH *in,
-                       const OSSL_DISPATCH **out,
-                       void **provctx)
+/*
+ * On VMS, the provider init function name is expected to be uppercase,
+ * see the pragmas in <openssl/core.h>.  Let's do the same with this
+ * internal name.  This is how symbol names are treated by default
+ * by the compiler if nothing else is said, but since this is part
+ * of libfips, and we build our libraries with mixed case symbol names,
+ * we must switch back to this default explicitly here.
+ */
+#ifdef __VMS
+# pragma names save
+# pragma names uppercase,truncated
+#endif
+OSSL_provider_init_fn OSSL_provider_init_int;
+#ifdef __VMS
+# pragma names restore
+#endif
+int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle,
+                           const OSSL_DISPATCH *in,
+                           const OSSL_DISPATCH **out,
+                           void **provctx)
 {
     FIPS_GLOBAL *fgbl;
     OSSL_LIB_CTX *libctx = NULL;
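Review bot: Renaming the definition to `OSSL_provider_init_int` leaves a second initialisation symbol with external linkage in libfips.a, and nothing in this hunk shows whether the built module keeps it out of its exported symbols. The exported surface of the FIPS module is presumably meant to be the single `OSSL_provider_init` entry point, so it is worth confirming that the module's export control (not visible here) does not expose the internal name as well. Adding a sentence to the new comment would record that intent, e.g. `Not part of the module's public interface; called only from fips_entry.c.` The function body continues past the end of the hunk, so only the renamed signature is reviewed here.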