mirror of
https://github.com/openssl/openssl.git
synced 2025-01-06 13:26:43 +08:00
d3ed80802d
The build file templates have code to pick up the 'fips' attribute and thereby find out what module is the FIPS without having to resort to ugly hard coding. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13032)
194 lines
7.2 KiB
Plaintext
194 lines
7.2 KiB
Plaintext
# We place all implementations in static libraries, and then let the
|
|
# provider mains pilfer what they want through symbol resolution when
|
|
# linking.
|
|
#
|
|
# The non-legacy implementations (libimplementations) must be made FIPS
|
|
# agnostic as much as possible, as well as the common building blocks
|
|
# (libcommon). The legacy implementations (liblegacy) will never be
|
|
# part of the FIPS provider.
|
|
#
|
|
# If there is anything that isn't FIPS agnostic, it should be set aside
|
|
# in its own source file, which is then included directly into other
|
|
# static libraries geared for FIPS and non-FIPS providers, and built
|
|
# separately.
|
|
#
|
|
# libcommon.a Contains common building blocks, potentially
|
|
# needed both by non-legacy and legacy code.
|
|
#
|
|
# libimplementations.a Contains all non-legacy implementations.
|
|
# liblegacy.a Contains all legacy implementations.
|
|
#
|
|
# libfips.a Contains all things needed to support
|
|
# FIPS implementations, such as code from
|
|
# crypto/ and object files that contain
|
|
# FIPS-specific code. FIPS_MODULE is defined
|
|
# for this library. The FIPS module uses
|
|
# this.
|
|
# libnonfips.a Corresponds to libfips.a, but built with
|
|
# FIPS_MODULE undefined. The default and legacy
|
|
# providers use this.
|
|
#
|
|
# This is how different provider modules should be linked:
|
|
#
|
|
# FIPS:
|
|
# -o fips.so {object files...} libimplementations.a libcommon.a libfips.a
|
|
# Non-FIPS:
|
|
# -o module.so {object files...} libimplementations.a libcommon.a libnonfips.a
|
|
#
|
|
# It is crucial that code that checks for the FIPS_MODULE macro end up in
|
|
# libfips.a and libnonfips.a, never in libcommon.a.
|
|
# It is crucial that such code is written so libfips.a and libnonfips.a doesn't
|
|
# end up depending on libimplementations.a or libcommon.a.
|
|
# It is crucial that such code is written so libcommon.a doesn't end up
|
|
# depending on libimplementations.a.
|
|
#
|
|
# Code in providers/implementations/ should be written in such a way that the
|
|
# OSSL_DISPATCH arrays (and preferably the majority of the actual code) ends
|
|
# up in either libimplementations.a or liblegacy.a.
|
|
# If need be, write an abstraction layer in separate source files and make them
|
|
# libfips.a / libnonfips.a sources.
|
|
|
|
SUBDIRS=common implementations
|
|
|
|
INCLUDE[../libcrypto]=common/include
|
|
|
|
# Libraries we're dealing with
|
|
$LIBCOMMON=libcommon.a
|
|
$LIBIMPLEMENTATIONS=libimplementations.a
|
|
$LIBLEGACY=liblegacy.a
|
|
$LIBNONFIPS=libnonfips.a
|
|
$LIBFIPS=libfips.a
|
|
|
|
# Enough of our implementations include prov/ciphercommon.h (present in
|
|
# providers/implementations/include), which includes crypto/*_platform.h
|
|
# (present in include), which in turn may include very internal header
|
|
# files in crypto/, so let's have a common include list for them all.
|
|
$COMMON_INCLUDES=../crypto ../include implementations/include common/include
|
|
|
|
INCLUDE[$LIBCOMMON]=$COMMON_INCLUDES
|
|
INCLUDE[$LIBIMPLEMENTATIONS]=.. $COMMON_INCLUDES
|
|
INCLUDE[$LIBLEGACY]=.. $COMMON_INCLUDES
|
|
INCLUDE[$LIBNONFIPS]=.. $COMMON_INCLUDES
|
|
INCLUDE[$LIBFIPS]=.. $COMMON_INCLUDES
|
|
DEFINE[$LIBFIPS]=FIPS_MODULE
|
|
|
|
# Weak dependencies to provide library order information.
|
|
# We make it weak so they aren't both used always; what is
|
|
# actually used is determined by non-weak dependencies.
|
|
DEPEND[$LIBIMPLEMENTATIONS]{weak}=$LIBFIPS $LIBNONFIPS
|
|
DEPEND[$LIBCOMMON]{weak}=$LIBFIPS
|
|
|
|
# Strong dependencies. This ensures that any time libimplementations
|
|
# is used, libcommon gets included as well.
|
|
DEPEND[$LIBIMPLEMENTATIONS]=$LIBCOMMON
|
|
DEPEND[$LIBNONFIPS]=../libcrypto
|
|
# It's tempting to make libcommon depend on ../libcrypto. However,
|
|
# since the FIPS provider module must NOT depend on ../libcrypto, we
|
|
# need to set that dependency up specifically for the final products
|
|
# that use $LIBCOMMON or anything that depends on it.
|
|
|
|
# Libraries common to all providers, must be built regardless
|
|
LIBS{noinst}=$LIBCOMMON
|
|
# Libraries that are common for all non-FIPS providers, must be built regardless
|
|
LIBS{noinst}=$LIBNONFIPS $LIBIMPLEMENTATIONS
|
|
|
|
#
|
|
# Default provider stuff
|
|
#
|
|
# Because the default provider is built in, it means that libcrypto must
|
|
# include all the object files that are needed (we do that indirectly,
|
|
# by using the appropriate libraries as source). Note that for shared
|
|
# libraries, SOURCEd libraries are considered as if the where specified
|
|
# with DEPEND.
|
|
$DEFAULTGOAL=../libcrypto
|
|
SOURCE[$DEFAULTGOAL]=$LIBIMPLEMENTATIONS $LIBNONFIPS
|
|
SOURCE[$DEFAULTGOAL]=defltprov.c
|
|
# Some legacy implementations depend on provider header files
|
|
INCLUDE[$DEFAULTGOAL]=implementations/include
|
|
|
|
LIBS=$DEFAULTGOAL
|
|
|
|
#
|
|
# Base provider stuff
|
|
#
|
|
# Because the base provider is built in, it means that libcrypto
|
|
# must include all of the object files that are needed.
|
|
$BASEGOAL=../libcrypto
|
|
SOURCE[$BASEGOAL]=$LIBIMPLEMENTATIONS $LIBNONFIPS
|
|
SOURCE[$BASEGOAL]=baseprov.c
|
|
INCLUDE[$BASEGOAL]=implementations/include
|
|
|
|
#
|
|
# FIPS provider stuff
|
|
#
|
|
# We define it this way to ensure that configdata.pm will have all the
|
|
# necessary information even if we don't build the module. This will allow
|
|
# us to make all kinds of checks on the source, based on what we specify in
|
|
# diverse build.info files. libfips.a, fips.so and their sources aren't
|
|
# built unless the proper LIBS or MODULES statement has been seen, so we
|
|
# have those and only those within a condition.
|
|
SUBDIRS=fips
|
|
$FIPSGOAL=fips
|
|
DEPEND[$FIPSGOAL]=$LIBIMPLEMENTATIONS $LIBFIPS
|
|
INCLUDE[$FIPSGOAL]=../include
|
|
DEFINE[$FIPSGOAL]=FIPS_MODULE
|
|
IF[{- defined $target{shared_defflag} -}]
|
|
SOURCE[$FIPSGOAL]=fips.ld
|
|
GENERATE[fips.ld]=../util/providers.num
|
|
ENDIF
|
|
|
|
IF[{- !$disabled{fips} -}]
|
|
# This is the trigger to actually build the FIPS module. Without these
|
|
# statements, the final build file will not have a trace of it.
|
|
MODULES{fips}=$FIPSGOAL
|
|
LIBS{noinst}=$LIBFIPS
|
|
ENDIF
|
|
|
|
#
|
|
# Legacy provider stuff
|
|
#
|
|
IF[{- !$disabled{legacy} -}]
|
|
# The legacy implementation library
|
|
LIBS{noinst}=$LIBLEGACY
|
|
DEPEND[$LIBLEGACY]=$LIBCOMMON $LIBNONFIPS
|
|
|
|
# The Legacy provider
|
|
IF[{- $disabled{module} -}]
|
|
# Become built in
|
|
# In this case, we need to do the same thing a for the default provider,
|
|
# and make the liblegacy object files end up in libcrypto. We could also
|
|
# just say that for the built-in legacy, we put the source directly in
|
|
# libcrypto instead of going via liblegacy, but that makes writing the
|
|
# implementation specific build.info files harder to write, so we don't.
|
|
$LEGACYGOAL=../libcrypto
|
|
SOURCE[$LEGACYGOAL]=$LIBLEGACY
|
|
DEFINE[$LIBLEGACY]=STATIC_LEGACY
|
|
DEFINE[$LEGACYGOAL]=STATIC_LEGACY
|
|
ELSE
|
|
# Become a module
|
|
# In this case, we can work with dependencies
|
|
$LEGACYGOAL=legacy
|
|
MODULES=$LEGACYGOAL
|
|
DEPEND[$LEGACYGOAL]=$LIBLEGACY
|
|
IF[{- defined $target{shared_defflag} -}]
|
|
SOURCE[legacy]=legacy.ld
|
|
GENERATE[legacy.ld]=../util/providers.num
|
|
ENDIF
|
|
ENDIF
|
|
|
|
# Common things that are valid no matter what form the Legacy provider
|
|
# takes.
|
|
SOURCE[$LEGACYGOAL]=legacyprov.c
|
|
INCLUDE[$LEGACYGOAL]=../include implementations/include common/include
|
|
ENDIF
|
|
|
|
#
|
|
# Null provider stuff
|
|
#
|
|
# Because the null provider is built in, it means that libcrypto must
|
|
# include all the object files that are needed.
|
|
$NULLGOAL=../libcrypto
|
|
SOURCE[$NULLGOAL]=nullprov.c prov_running.c
|
|
|
|
SOURCE[$LIBNONFIPS]=prov_running.c
|