Update build system to make use of validated module in FIPS mode.
authorDr. Stephen Henson <steve@openssl.org>
Tue, 28 Mar 2006 12:10:37 +0000 (12:10 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Tue, 28 Mar 2006 12:10:37 +0000 (12:10 +0000)
Configure
Makefile.org
fips-1.0/Makefile
fips-1.0/fipsld

index 119d8fe04bd7882694566cd8354b9a217629b424..54b33513e807fa1e06e4bbd28b40518b6a72d49a 100755 (executable)
--- a/Configure
+++ b/Configure
@@ -621,6 +621,7 @@ my $prefix="";
 my $openssldir="";
 my $exe_ext="";
 my $install_prefix="";
+my $fipslibdir="/usr/local/ssl/lib";
 my $no_threads=0;
 my $no_shared=1;
 my $zlib=0;
@@ -871,7 +872,7 @@ PROCESS_ARGS:
                                }
                        elsif (/^--with-fipslibdir=(.*)$/)
                                {
-                               $withargs{"fipslibdir"}="$1";
+                               $fipslibdir="$1";
                                }
                        elsif (/^--with-zlib-include=(.*)$/)
                                {
@@ -976,6 +977,21 @@ chop $prefix if $prefix =~ /\/$/;
 $openssldir=$prefix . "/ssl" if $openssldir eq "";
 $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
 
+if ($fips && ! -f "$fipslibdir/fipscanister.o")
+       {
+       my $fipswinerr = "";
+       $fipswinerr = <<EOF if $IsWindows;
+ Ensure that the correct path to the FIPS module directory
+has been given to the --with-fipslibdir option.
+EOF
+       print STDERR <<EOF;
+The file fipscanister.o could not be located. Please build and install the
+FIPS module using the instructions in the user guide before compiling OpenSSL
+in FIPS mode.$fipswinerr
+EOF
+       exit 1;
+       }
+
 
 print "IsWindows=$IsWindows\n";
 
@@ -1322,7 +1338,7 @@ while (<IN>)
        s/^KRB5_INCLUDES=.*/KRB5_INCLUDES=$withargs{"krb5-include"}/;
        s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
        s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/;
-       s/^FIPSLIBDIR=.*/FIPSLIBDIR=$withargs{"fipslibdir"}/;
+       s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
        s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/;
        s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
        s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
index fd69cab293c34f617806c7bc77ad6683433891f4..2e0bb2f2ef8ea7a32a98e11e5d13a2ee1bf91d6d 100644 (file)
@@ -176,7 +176,14 @@ LIBKRB5=
 ZLIB_INCLUDE=
 LIBZLIB=
 
-FIPSLIBDIR=$(INSTALLTOP)/lib
+# This is the location of fipscanister.o and friends.
+# The FIPS module build will place it $(INSTALLTOP)/lib
+# but since $(INSTALLTOP) can only take the default value
+# when the module is built it will be in /usr/local/ssl/lib
+# $(INSTALLTOP) for this build make be different so hard
+# code the path.
+
+FIPSLIBDIR=/usr/local/ssl/lib
 
 # When we're prepared to use shared libraries in the programs we link here
 # we might set SHLIB_MARK to '$(SHARED_LIBS)'.
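Review bot: The new comment at L68-73 is garbled ("will place it $(INSTALLTOP)/lib" is missing "in", "make be different" should read "may be different") and its rationale is hard to follow, since Configure rewrites this `FIPSLIBDIR=` line from `--with-fipslibdir` anyway. A shorter comment would be clearer: `# Location of fipscanister.o, fipscanister.o.sha1 and fips_premain.c. Configure rewrites this line from --with-fipslibdir; the default is where the validated module installs itself, which need not equal this build's $(INSTALLTOP).`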
@@ -236,7 +243,7 @@ sub_all:
        do \
        if [ -d "$$i" ]; then \
                (cd $$i && echo "making all in $$i..." && \
-               $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' FIPS_AES_ENC='${FIPS_AES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
+               $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' FIPS_AES_ENC='${FIPS_AES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' FIPSLIBDIR='${FIPSLIBDIR}' all ) || exit 1; \
        else \
                $(MAKE) $$i; \
        fi; \
index 28ae5354ce89f14bc5880c76b2c0641dc6cfe64f..891a40b36a45e31281d398e14d0e7b09c1c9b25b 100644 (file)
@@ -55,7 +55,8 @@ all:
        fi
 
 check:
-       $(PERL) ../util/checkhash.pl || (rm fipscanister.o* 2>/dev/null; exit 1)
+#      $(PERL) ../util/checkhash.pl || (rm fipscanister.o* 2>/dev/null; exit 1)
+       echo FIPS module not built: no check done
 
 # Idea behind fipscanister.o is to "seize" the sequestered code between
 # known symbols for fingerprinting purposes, which would be commonly
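Review bot: The `check:` target at L94-95 now unconditionally skips `checkhash.pl` and succeeds, so the integrity check is dropped even though the `fipscanister.o` rule at L104 can still build the module in-tree, and the "not built" message is printed regardless of whether that happened. If the intent is that this tree never builds the module in FIPS mode, the in-tree rule should be disabled alongside the check; if it can still be built, the check should stay gated on that path, e.g. `@if [ -f fipscanister.o ]; then $(PERL) ../util/checkhash.pl || (rm fipscanister.o* 2>/dev/null; exit 1); else echo "FIPS module not built: no check done"; fi`. Note also that `lib:` at L121-122 now archives an object from outside the tree; the only verification of that object appears to be fipsld's fingerprint diff at link time.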
@@ -71,6 +72,7 @@ check:
 # flag and simply assume that all objects are of the same type as first
 # one in command line. So the idea is to identify gcc and deficient
 # vendor compiler drivers...
+
 fipscanister.o: fips_start.o $(LIBOBJ) $(FIPS_OBJ_LISTS) fips_end.o
        @objs="fips_start.o $(LIBOBJ)"; \
        for i in $(FIPS_OBJ_LISTS); do \
@@ -87,6 +89,7 @@ fipscanister.o: fips_start.o $(LIBOBJ) $(FIPS_OBJ_LISTS) fips_end.o
                *) set -x; $(CC) $(CFLAGS) -r -o $@ $$objs ;; \
        esac fi
        sha/fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1
+
 # If another exception is immediately required, assign approprite
 # site-specific ld command to FIPS_SITE_LD environment variable.
 
@@ -128,8 +131,8 @@ links:
        $(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PERL='${PERL}' links ); \
        done;
 
-lib:   fipscanister.o
-       $(AR) $(LIB) fipscanister.o
+lib:   $(FIPSLIBDIR)/fipscanister.o
+       $(AR) $(LIB) $(FIPSLIBDIR)/fipscanister.o
        $(RANLIB) $(LIB) || echo Never mind.
        @touch lib
 
index 5506b3094392e86c09278bffcc7ef72c6ab0250a..819f68731f0c626aad76289fb76c52e6d79ade85 100755 (executable)
@@ -10,6 +10,8 @@
 # command line syntax and $FIPSLD_CC or $CC environment variable set
 # and can even be used to compile source files.
 
+#set -x
+
 CC=${FIPSLD_CC:-${CC}}
 [ -n "${CC}" ] || { echo '$CC is not defined'; exit 1; }
 
@@ -30,6 +32,14 @@ TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)`
 
 THERE="`echo $0 | sed -e 's|[^/]*$||'`"..
 
+# Location of installed validated FIPS module
+FIPSLIBDIR=${FIPSLIBDIR:-/usr/local/ssl/lib}
+# If this is a build from a validated tarball use this instead
+# FIPSLIBDIR=${THERE}/fips-1.0
+
+[ -f "${FIPSLIBDIR}/fipscanister.o" ] ||
+       { echo "fipscanister.o not found"; exit 1; }
+
 HMAC_KEY="etaonrishdlcupfm"
 
 case "`(uname -s) 2>/dev/null`" in
@@ -50,8 +60,10 @@ case "${TARGET}" in
        # Shared lib creation can be taking place in the source
        # directory only!!!
        FINGERTYPE="${THERE}/fips-1.0/sha/fips_standalone_sha1"
-       CANISTER_O="${THERE}/fips-1.0/fipscanister.o"
-       PREMAIN_C="${THERE}/fips-1.0/fips_premain.c"
+       CANISTER_O="${FIPSLIBDIR}/fipscanister.o"
+       PREMAIN_C="${FIPSLIBDIR}/fips_premain.c"
+
+echo Canister: $CANISTER_O
 
        # verify fipscanister.o against its detached signature...
        ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
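Review bot: The unindented `echo Canister: $CANISTER_O` at L160 writes to stdout inside a case branch of the linker wrapper, which per L128-129 may also stand in for `$CC`, so every compile and link step gains a stray line of output; together with the `#set -x` added at L131 this looks like leftover debugging and should be removed (or sent to stderr behind a verbosity flag). The existence check added at L145-146 covers only `fipscanister.o`, while L157-158, L178-179 and the diff at L183 also need `fips_premain.c` and `fipscanister.o.sha1` from `${FIPSLIBDIR}`, so a missing companion file surfaces as a diff or compile error instead of a clear message; `for f in fipscanister.o fipscanister.o.sha1 fips_premain.c; do [ -f "${FIPSLIBDIR}/$f" ] || { echo "${FIPSLIBDIR}/$f not found"; exit 1; }; done` covers all three.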
@@ -96,16 +108,15 @@ case "${TARGET}" in
        # directory or off the installed binary target destination.
        if [ -x "${THERE}/fips-1.0/sha/fips_standalone_sha1" ]; then
                FINGERTYPE="${THERE}/fips-1.0/sha/fips_standalone_sha1"
-               CANISTER_O="${THERE}/fips-1.0/fipscanister.o"
-               PREMAIN_C="${THERE}/fips-1.0/fips_premain.c"
        else    # Installed tree is expected to contain
                # lib/fipscanister.o, lib/fipscanister.o.sha1 and
                # lib/fips_premain.c [not to mention bin/openssl].
                FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}"
-               CANISTER_O="${THERE}/lib/fipscanister.o"
-               PREMAIN_C="${THERE}/lib/fips_premain.c"
        fi
 
+       CANISTER_O="${FIPSLIBDIR}/fipscanister.o"
+       PREMAIN_C="${FIPSLIBDIR}/fips_premain.c"
+
        # verify fipscanister.o against its detached signature...
        ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
                diff -w "${CANISTER_O}.sha1" - || \