providers/fipsmodule.cnf is generated using 'openssl fipsinstall' with the openssl program in the build directory. Fixes #14315 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14320)
# We place all implementations in static libraries, and then let the
|
|
# provider mains pilfer what they want through symbol resolution when
|
|
# linking.
|
|
#
|
|
# The non-legacy implementations (libimplementations) must be made FIPS
|
|
# agnostic as much as possible, as well as the common building blocks
|
|
# (libcommon). The legacy implementations (liblegacy) will never be
|
|
# part of the FIPS provider.
|
|
#
|
|
# If there is anything that isn't FIPS agnostic, it should be set aside
|
|
# in its own source file, which is then included directly into other
|
|
# static libraries geared for FIPS and non-FIPS providers, and built
|
|
# separately.
|
|
#
|
|
# libcommon.a Contains common building blocks, potentially
|
|
# needed both by non-legacy and legacy code.
|
|
#
|
|
# libimplementations.a Contains all non-legacy implementations.
|
|
# liblegacy.a Contains all legacy implementations.
|
|
#
|
|
# libfips.a Contains all things needed to support
|
|
# FIPS implementations, such as code from
|
|
# crypto/ and object files that contain
|
|
# FIPS-specific code. FIPS_MODULE is defined
|
|
# for this library. The FIPS module uses
|
|
# this.
|
|
# libnonfips.a Corresponds to libfips.a, but built with
|
|
# FIPS_MODULE undefined. The default and legacy
|
|
# providers use this.
|
|
#
|
|
# This is how different provider modules should be linked:
|
|
#
|
|
# FIPS:
|
|
# -o fips.so {object files...} libimplementations.a libcommon.a libfips.a
|
|
# Non-FIPS:
|
|
# -o module.so {object files...} libimplementations.a libcommon.a libnonfips.a
|
|
#
|
|
# It is crucial that code that checks for the FIPS_MODULE macro end up in
|
|
# libfips.a and libnonfips.a, never in libcommon.a.
|
|
# It is crucial that such code is written so libfips.a and libnonfips.a don't
# end up depending on libimplementations.a or libcommon.a.
|
|
# It is crucial that such code is written so libcommon.a doesn't end up
|
|
# depending on libimplementations.a.
|
|
#
|
|
# Code in providers/implementations/ should be written in such a way that the
|
|
# OSSL_DISPATCH arrays (and preferably the majority of the actual code) ends
|
|
# up in either libimplementations.a or liblegacy.a.
|
|
# If need be, write an abstraction layer in separate source files and make them
|
|
# libfips.a / libnonfips.a sources.
|
|
|
|
# Descend into the build.info files of the helper directories; their
# sources are what end up in the static archives described in the
# overview above.
SUBDIRS=common implementations

# libcrypto itself needs the provider-common headers: the default, base
# and null providers are compiled straight into it (see the
# "$...GOAL=../libcrypto" sections further down).
INCLUDE[../libcrypto]=common/include

# Libraries we're dealing with.  These are the archives from the overview
# above; every later statement refers to them through these variables
# rather than by file name, so a rename only has to happen here.
$LIBCOMMON=libcommon.a
$LIBIMPLEMENTATIONS=libimplementations.a
$LIBLEGACY=liblegacy.a
$LIBNONFIPS=libnonfips.a
$LIBFIPS=libfips.a
# Enough of our implementations include prov/ciphercommon.h (present in
# providers/implementations/include), which includes crypto/*_platform.h
# (present in include), which in turn may include very internal header
# files in crypto/, so let's have a common include list for them all.
$COMMON_INCLUDES=../crypto ../include implementations/include common/include

# Per-archive include paths.  '..' is the source tree root (this file
# lives in providers/).  Note that libcommon is the only archive that does
# not get '..'; its sources see only the common include list above.
INCLUDE[$LIBCOMMON]=$COMMON_INCLUDES
INCLUDE[$LIBIMPLEMENTATIONS]=.. $COMMON_INCLUDES
INCLUDE[$LIBLEGACY]=.. $COMMON_INCLUDES
INCLUDE[$LIBNONFIPS]=.. $COMMON_INCLUDES
INCLUDE[$LIBFIPS]=.. $COMMON_INCLUDES
# FIPS_MODULE is defined for libfips only; libnonfips is the same set of
# sources built without it (see the overview).  Whether a provider gets
# the FIPS or the non-FIPS behaviour is therefore decided purely by which
# of the two archives is on its link line, which is why any code that
# tests FIPS_MODULE must live in the sources of these two archives and
# never in libcommon or libimplementations.
DEFINE[$LIBFIPS]=FIPS_MODULE
# Weak dependencies to provide library order information.
# We make it weak so they aren't both used always; what is
# actually used is determined by non-weak dependencies.
# (In other words a weak dependency only orders the archives when both
# are already on the link line; it never pulls the other one in.)
DEPEND[$LIBIMPLEMENTATIONS]{weak}=$LIBFIPS $LIBNONFIPS
DEPEND[$LIBCOMMON]{weak}=$LIBFIPS

# Strong dependencies. This ensures that any time libimplementations
# is used, libcommon gets included as well.
DEPEND[$LIBIMPLEMENTATIONS]=$LIBCOMMON
# libnonfips is the one archive allowed to lean on libcrypto.  libfips
# has no such line, deliberately; see the next comment.
DEPEND[$LIBNONFIPS]=../libcrypto
# It's tempting to make libcommon depend on ../libcrypto. However,
# since the FIPS provider module must NOT depend on ../libcrypto, we
# need to set that dependency up specifically for the final products
# that use $LIBCOMMON or anything that depends on it.
# (Presumably the point is that fips.so must be self-contained, i.e.
# everything it executes is linked into the module itself.  A libcrypto
# dependency on libcommon or libfips would be inherited by fips.so
# through the dependency chain, so keep both archives free of it and add
# ../libcrypto only to the non-FIPS end products.)
# Libraries common to all providers, must be built regardless
# ({noinst} presumably means built but not installed: these archives are
# link inputs for the providers, not deliverables in their own right)
LIBS{noinst}=$LIBCOMMON
# Libraries that are common for all non-FIPS providers, must be built regardless
# (libfips is not listed here; it is only requested inside the FIPS
# condition below, so it doesn't get built when FIPS is disabled)
LIBS{noinst}=$LIBNONFIPS $LIBIMPLEMENTATIONS
#
# Default provider stuff
#
# Because the default provider is built in, it means that libcrypto must
# include all the object files that are needed (we do that indirectly,
# by using the appropriate libraries as source). Note that for shared
# libraries, SOURCEd libraries are considered as if they were specified
# with DEPEND.
$DEFAULTGOAL=../libcrypto
# Non-FIPS pairing: libimplementations with libnonfips.  libfips must
# never appear here, or libcrypto would get FIPS_MODULE-compiled code.
SOURCE[$DEFAULTGOAL]=$LIBIMPLEMENTATIONS $LIBNONFIPS
SOURCE[$DEFAULTGOAL]=defltprov.c
# Some legacy implementations depend on provider header files
INCLUDE[$DEFAULTGOAL]=implementations/include

# libcrypto is a real, installed library, hence no {noinst} here.
LIBS=$DEFAULTGOAL
#
# Base provider stuff
#
# Because the base provider is built in, it means that libcrypto
# must include all of the object files that are needed.
$BASEGOAL=../libcrypto
# Same archives as the default provider above; both goals are libcrypto,
# so this presumably just restates the same object-file set rather than
# adding a second copy.  As with the default provider, never libfips.
SOURCE[$BASEGOAL]=$LIBIMPLEMENTATIONS $LIBNONFIPS
SOURCE[$BASEGOAL]=baseprov.c
INCLUDE[$BASEGOAL]=implementations/include
#
# FIPS provider stuff
#
# We define it this way to ensure that configdata.pm will have all the
# necessary information even if we don't build the module. This will allow
# us to make all kinds of checks on the source, based on what we specify in
# diverse build.info files. libfips.a, fips.so and their sources aren't
# built unless the proper LIBS or MODULES statement has been seen, so we
# have those and only those within a condition.
SUBDIRS=fips
$FIPSGOAL=fips
# Note what is NOT on this line: ../libcrypto and libnonfips.  The module
# links libimplementations, libcommon (pulled in by libimplementations'
# strong dependency) and libfips, and nothing else, so everything it
# executes is inside fips.so.  Do not extend this list.
DEPEND[$FIPSGOAL]=$LIBIMPLEMENTATIONS $LIBFIPS
INCLUDE[$FIPSGOAL]=../include
# The module's own sources are compiled with FIPS_MODULE, matching libfips.
DEFINE[$FIPSGOAL]=FIPS_MODULE
# On targets with a shared_defflag, fips.ld is generated from
# util/providers.num; presumably a symbol export list so the .so only
# exposes the provider entry point(s) rather than every internal symbol.
IF[{- defined $target{shared_defflag} -}]
SOURCE[$FIPSGOAL]=fips.ld
GENERATE[fips.ld]=../util/providers.num
ENDIF

IF[{- !$disabled{fips} -}]
# This is the trigger to actually build the FIPS module. Without these
# statements, the final build file will not have a trace of it.
MODULES{fips}=$FIPSGOAL
LIBS{noinst}=$LIBFIPS

# For tests that try to use the FIPS module, we need to make a local fips
# module installation. We have the output go to standard output, because
# the generated commands in build templates are expected to catch that,
# and thereby keep control over the exact output file location.
#
# The config is produced by the apps/openssl built in this tree, not by
# whatever openssl the build host happens to have installed, so it always
# matches the provider code being built.  With '-module' and
# '-mac_name HMAC' the output is presumably derived from the module binary
# itself, which makes it valid only for that exact fips.so; that is why
# fipsmodule.cnf DEPENDs on $FIPSGOAL and is regenerated whenever the
# module is relinked.  Treat it strictly as a build-tree test fixture: for
# an installed module, run 'openssl fipsinstall' against the installed
# file rather than copying this one.
# $(FIPSMODULENAME) is a variable of the generated build file, not a
# build.info $VARIABLE, hence the different syntax.
DEPEND[|tests|]=fipsmodule.cnf
GENERATE[fipsmodule.cnf]=../apps/openssl fipsinstall \
-module providers/$(FIPSMODULENAME) -provider_name fips \
-mac_name HMAC -section_name fips_sect -out -
DEPEND[fipsmodule.cnf]=$FIPSGOAL
ENDIF
#
# Legacy provider stuff
#
IF[{- !$disabled{legacy} -}]
# The legacy implementation library
LIBS{noinst}=$LIBLEGACY
# liblegacy only ever pairs with libnonfips, never libfips: legacy
# algorithms are not part of the FIPS module (see the overview above).
# Through libnonfips' dependency on ../libcrypto, a legacy module also
# depends on libcrypto, unlike fips.so.
DEPEND[$LIBLEGACY]=$LIBCOMMON $LIBNONFIPS

# The Legacy provider
IF[{- $disabled{module} -}]
# Become built in
# In this case, we need to do the same thing as for the default provider,
# and make the liblegacy object files end up in libcrypto. We could also
# just say that for the built-in legacy, we put the source directly in
# libcrypto instead of going via liblegacy, but that makes writing the
# implementation specific build.info files harder to write, so we don't.
$LEGACYGOAL=../libcrypto
SOURCE[$LEGACYGOAL]=$LIBLEGACY
# STATIC_LEGACY is defined for both the archive and libcrypto, presumably
# so the sources on both sides can tell that the provider is linked in
# rather than loaded as a module.
DEFINE[$LIBLEGACY]=STATIC_LEGACY
DEFINE[$LEGACYGOAL]=STATIC_LEGACY
ELSE
# Become a module
# In this case, we can work with dependencies
$LEGACYGOAL=legacy
MODULES=$LEGACYGOAL
DEPEND[$LEGACYGOAL]=$LIBLEGACY
# Same providers.num-generated mechanism as fips.ld above.  'legacy' here
# is the literal value $LEGACYGOAL has in this branch.
IF[{- defined $target{shared_defflag} -}]
SOURCE[legacy]=legacy.ld
GENERATE[legacy.ld]=../util/providers.num
ENDIF
ENDIF

# Common things that are valid no matter what form the Legacy provider
# takes.
SOURCE[$LEGACYGOAL]=legacyprov.c
INCLUDE[$LEGACYGOAL]=../include implementations/include common/include
ENDIF
#
# Null provider stuff
#
# Because the null provider is built in, it means that libcrypto must
# include all the object files that are needed.
$NULLGOAL=../libcrypto
SOURCE[$NULLGOAL]=nullprov.c prov_running.c

# prov_running.c is listed for libnonfips as well, so provider modules
# that link libnonfips (e.g. legacy built as a module) carry their own
# copy instead of relying on libcrypto exporting it -- presumably; note
# that libcrypto receives the file both directly above and through the
# SOURCEd libnonfips archive.  NOTE(review): confirm the build system
# collapses that into a single object rather than linking it twice.
SOURCE[$LIBNONFIPS]=prov_running.c