1 files changed, 362 insertions, 44 deletions
diff --git a/src/lib/libcrypto/util/mk1mf.pl b/src/lib/libcrypto/util/mk1mf.pl
index 1ac5fd3a50..f2b92b2b25 100644
--- a/src/lib/libcrypto/util/mk1mf.pl
+++ b/src/lib/libcrypto/util/mk1mf.pl
@@ -15,6 +15,18 @@ my $engines = "";
 local $zlib_opt = 0;    # 0 = no zlib, 1 = static, 2 = dynamic
 local $zlib_lib = "";
+local $fips_canister_path = "";
+my $fips_premain_dso_exe_path = "";
+my $fips_premain_c_path = "";
+my $fips_sha1_exe_path = "";
+local $fipscanisterbuild = 0;
+local $fipsdso = 0;
+my $fipslibdir = "";
+my $baseaddr = "";
+my $ex_l_libs = "";
 open(IN,"<Makefile") || die "unable to open Makefile!\n";
 while(<IN>) {
@@ -221,6 +233,8 @@ $cflags.=" -DOPENSSL_NO_SSL2" if $no_ssl2;
 $cflags.=" -DOPENSSL_NO_SSL3" if $no_ssl3;
 $cflags.=" -DOPENSSL_NO_TLSEXT" if $no_tlsext;
 $cflags.=" -DOPENSSL_NO_CMS" if $no_cms;
+$cflags.=" -DOPENSSL_NO_JPAKE" if $no_jpake;
+$cflags.=" -DOPENSSL_NO_CAPIENG" if $no_capieng;
 $cflags.=" -DOPENSSL_NO_ERR"  if $no_err;
 $cflags.=" -DOPENSSL_NO_KRB5" if $no_krb5;
 $cflags.=" -DOPENSSL_NO_EC"   if $no_ec;
@@ -228,7 +242,7 @@ $cflags.=" -DOPENSSL_NO_ECDSA" if $no_ecdsa;
 $cflags.=" -DOPENSSL_NO_ECDH" if $no_ecdh;
 $cflags.=" -DOPENSSL_NO_ENGINE"   if $no_engine;
 $cflags.=" -DOPENSSL_NO_HW"   if $no_hw;
+$cflags.=" -DOPENSSL_FIPS"    if $fips;
 $cflags.= " -DZLIB" if $zlib_opt;
 $cflags.= " -DZLIB_SHARED" if $zlib_opt == 2;
@@ -250,9 +264,9 @@ else
 $ex_libs="$l_flags$ex_libs" if ($l_flags ne "");
 %shlib_ex_cflags=("SSL" => " -DOPENSSL_BUILD_SHLIBSSL",
-                  "CRYPTO" => " -DOPENSSL_BUILD_SHLIBCRYPTO");
+                  "CRYPTO" => " -DOPENSSL_BUILD_SHLIBCRYPTO",
+                  "FIPS" => " -DOPENSSL_BUILD_SHLIBCRYPTO");
 if ($msdos)
        {
@@ -280,11 +294,21 @@ for (;;)
                {
                if ($lib ne "")
                        {
-                        $uc=$lib;
+                        if ($fips && $dir =~ /^fips/)
-                        $uc =~ s/^lib(.*)\.a/$1/;
+                                {
-                        $uc =~ tr/a-z/A-Z/;
+                                $uc = "FIPS";
-                        $lib_nam{$uc}=$uc;
+                                }
-                        $lib_obj{$uc}.=$libobj." ";
+                        else
+                                {
+                                $uc=$lib;
+                                $uc =~ s/^lib(.*)\.a/$1/;
+                                $uc =~ tr/a-z/A-Z/;
+                                }
+                        if (($uc ne "FIPS") || $fipscanisterbuild)
+                                {
+                                $lib_nam{$uc}=$uc;
+                                $lib_obj{$uc}.=$libobj." ";
+                                }
                        }
                last if ($val eq "FINISHED");
                $lib="";
@@ -327,11 +351,130 @@ for (;;)
        if ($key eq "LIBNAMES" && $dir eq "engines" && $no_static_engine)
                { $engines.=$val }
+        if ($key eq "FIPS_EX_OBJ")
+                { 
+                $fips_ex_obj=&var_add("crypto",$val,0);
+                }
+        if ($key eq "FIPSLIBDIR")
+                {
+                $fipslibdir=$val;
+                $fipslibdir =~ s/\/$//;
+                $fipslibdir =~ s/\//$o/g;
+                }
+        if ($key eq "BASEADDR")
+                { $baseaddr=$val;}
        if (!($_=<IN>))
                { $_="RELATIVE_DIRECTORY=FINISHED\n"; }
        }
 close(IN);
+if ($fips)
+        {
+         
+        foreach (split " ", $fips_ex_obj)
+                {
+                $fips_exclude_obj{$1} = 1 if (/\/([^\/]*)$/);
+                }
+        $fips_exclude_obj{"cpu_win32"} = 1;
+        $fips_exclude_obj{"bn_asm"} = 1;
+        $fips_exclude_obj{"des_enc"} = 1;
+        $fips_exclude_obj{"fcrypt_b"} = 1;
+        $fips_exclude_obj{"aes_core"} = 1;
+        $fips_exclude_obj{"aes_cbc"} = 1;
+        my @ltmp = split " ", $lib_obj{"CRYPTO"};
+        $lib_obj{"CRYPTO"} = "";
+        foreach(@ltmp)
+                {
+                if (/\/([^\/]*)$/ && exists $fips_exclude_obj{$1})
+                        {
+                        if ($fipscanisterbuild)
+                                {
+                                $lib_obj{"FIPS"} .= "$_ ";
+                                }
+                        }
+                else
+                        {
+                        $lib_obj{"CRYPTO"} .= "$_ ";
+                        }
+                }
+        }
+if ($fipscanisterbuild)
+        {
+        $fips_canister_path = "\$(LIB_D)${o}fipscanister.lib" if $fips_canister_path eq "";
+        $fips_premain_c_path = "\$(LIB_D)${o}fips_premain.c";
+        }
+else
+        {
+        if ($fips_canister_path eq "")
+                {
+                $fips_canister_path = "\$(FIPSLIB_D)${o}fipscanister.lib";
+                }
+        if ($fips_premain_c_path eq "")
+                {
+                $fips_premain_c_path = "\$(FIPSLIB_D)${o}fips_premain.c";
+                }
+        }
+if ($fips)
+        {
+        if ($fips_sha1_exe_path eq "")
+                {
+                $fips_sha1_exe_path =
+                        "\$(BIN_D)${o}fips_standalone_sha1$exep";
+                }
+        }
+        else
+        {
+        $fips_sha1_exe_path = "";
+        }
+if ($fips_premain_dso_exe_path eq "")
+        {
+        $fips_premain_dso_exe_path = "\$(BIN_D)${o}fips_premain_dso$exep";
+        }
+#       $ex_build_targets .= "\$(BIN_D)${o}\$(E_PREMAIN_DSO)$exep" if ($fips);
+#$ex_l_libs .= " \$(L_FIPS)" if $fipsdso;
+if ($fips)
+        {
+        if (!$shlib)
+                {
+                $ex_build_targets .= " \$(LIB_D)$o$crypto_compat \$(PREMAIN_DSO_EXE)";
+                $ex_l_libs .= " \$(O_FIPSCANISTER)";
+                $ex_libs_dep .= " \$(O_FIPSCANISTER)" if $fipscanisterbuild;
+                }
+        if ($fipscanisterbuild)
+                {
+                $fipslibdir = "\$(LIB_D)";
+                }
+        else
+                {
+                if ($fipslibdir eq "")
+                        {
+                        open (IN, "util/fipslib_path.txt") || fipslib_error();
+                        $fipslibdir = <IN>;
+                        chomp $fipslibdir;
+                        close IN;
+                        }
+                fips_check_files($fipslibdir,
+                                "fipscanister.lib", "fipscanister.lib.sha1",
+                                "fips_premain.c", "fips_premain.c.sha1");
+                }
+        }
 if ($shlib)
        {
        $extra_install= <<"EOF";
@@ -397,6 +540,7 @@ SRC_D=$src_dir
 LINK=$link
 LFLAGS=$lflags
 RSC=$rsc
+FIPSLINK=\$(PERL) util${o}fipslink.pl
 AES_ASM_OBJ=$aes_asm_obj
 AES_ASM_SRC=$aes_asm_src
@@ -440,6 +584,17 @@ MKLIB=$bin_dir$mklib
 MLFLAGS=$mlflags
 ASM=$bin_dir$asm
+# FIPS validated module and support file locations
+E_PREMAIN_DSO=fips_premain_dso
+FIPSLIB_D=$fipslibdir
+BASEADDR=$baseaddr
+FIPS_PREMAIN_SRC=$fips_premain_c_path
+O_FIPSCANISTER=$fips_canister_path
+FIPS_SHA1_EXE=$fips_sha1_exe_path
+PREMAIN_DSO_EXE=$fips_premain_dso_exe_path
 ######################################################
 # You should not need to touch anything below this point
 ######################################################
@@ -447,6 +602,7 @@ ASM=$bin_dir$asm
 E_EXE=openssl
 SSL=$ssl
 CRYPTO=$crypto
+LIBFIPS=libosslfips
 # BIN_D  - Binary output directory
 # TEST_D - Binary test file output directory
@@ -467,12 +623,14 @@ INCL_D=\$(TMP_D)
 O_SSL=     \$(LIB_D)$o$plib\$(SSL)$shlibp
 O_CRYPTO=  \$(LIB_D)$o$plib\$(CRYPTO)$shlibp
+O_FIPS=    \$(LIB_D)$o$plib\$(LIBFIPS)$shlibp
 SO_SSL=    $plib\$(SSL)$so_shlibp
 SO_CRYPTO= $plib\$(CRYPTO)$so_shlibp
 L_SSL=     \$(LIB_D)$o$plib\$(SSL)$libp
 L_CRYPTO=  \$(LIB_D)$o$plib\$(CRYPTO)$libp
+L_FIPS=    \$(LIB_D)$o$plib\$(LIBFIPS)$libp
-L_LIBS= \$(L_SSL) \$(L_CRYPTO)
+L_LIBS= \$(L_SSL) \$(L_CRYPTO) $ex_l_libs
 ######################################################
 # Don't touch anything below this point
@@ -482,13 +640,13 @@ INC=-I\$(INC_D) -I\$(INCL_D)
 APP_CFLAGS=\$(INC) \$(CFLAG) \$(APP_CFLAG)
 LIB_CFLAGS=\$(INC) \$(CFLAG) \$(LIB_CFLAG)
 SHLIB_CFLAGS=\$(INC) \$(CFLAG) \$(LIB_CFLAG) \$(SHLIB_CFLAG)
-LIBS_DEP=\$(O_CRYPTO) \$(O_SSL)
+LIBS_DEP=\$(O_CRYPTO) \$(O_SSL) $ex_libs_dep
 #############################################
 EOF
 $rules=<<"EOF";
-all: banner \$(TMP_D) \$(BIN_D) \$(TEST_D) \$(LIB_D) \$(INCO_D) headers lib exe
+all: banner \$(TMP_D) \$(BIN_D) \$(TEST_D) \$(LIB_D) \$(INCO_D) headers \$(FIPS_SHA1_EXE) lib exe $ex_build_targets
 banner:
 $banner
@@ -603,6 +761,26 @@ $rules.=&do_compile_rule("\$(OBJ_D)",$test,"\$(APP_CFLAGS)");
 $defs.=&do_defs("E_OBJ",$e_exe,"\$(OBJ_D)",$obj);
 $rules.=&do_compile_rule("\$(OBJ_D)",$e_exe,'-DMONOLITH $(APP_CFLAGS)');
+# Special case rules for fips_start and fips_end fips_premain_dso
+if ($fips)
+        {
+        if ($fipscanisterbuild)
+                {
+                $rules.=&cc_compile_target("\$(OBJ_D)${o}fips_start$obj",
+                        "fips${o}fips_canister.c",
+                        "-DFIPS_START \$(SHLIB_CFLAGS)");
+                $rules.=&cc_compile_target("\$(OBJ_D)${o}fips_end$obj",
+                        "fips${o}fips_canister.c", "\$(SHLIB_CFLAGS)");
+                }
+        $rules.=&cc_compile_target("\$(OBJ_D)${o}fips_standalone_sha1$obj",
+                "fips${o}sha${o}fips_standalone_sha1.c",
+                "\$(SHLIB_CFLAGS)");
+        $rules.=&cc_compile_target("\$(OBJ_D)${o}\$(E_PREMAIN_DSO)$obj",
+                "fips${o}fips_premain.c",
+                "-DFINGERPRINT_PREMAIN_DSO_LOAD \$(SHLIB_CFLAGS)");
+        }
 foreach (values %lib_nam)
        {
        $lib_obj=$lib_obj{$_};
@@ -613,27 +791,41 @@ foreach (values %lib_nam)
                $rules.="\$(O_SSL):\n\n"; 
                next;
                }
-        if (($aes_asm_obj ne "") && ($_ eq "CRYPTO"))
-                {
+        if ((!$fips && ($_ eq "CRYPTO")) || ($fips && ($_ eq "FIPS")))
-                $lib_obj =~ s/\s(\S*\/aes_core\S*)/ \$(AES_ASM_OBJ)/;
-                $lib_obj =~ s/\s\S*\/aes_cbc\S*//;
-                $rules.=&do_asm_rule($aes_asm_obj,$aes_asm_src);
-                }
-        if (($bn_asm_obj ne "") && ($_ eq "CRYPTO"))
-                {
-                $lib_obj =~ s/\s\S*\/bn_asm\S*/ \$(BN_ASM_OBJ)/;
-                $rules.=&do_asm_rule($bn_asm_obj,$bn_asm_src);
-                }
-        if (($bnco_asm_obj ne "") && ($_ eq "CRYPTO"))
-                {
-                $lib_obj .= "\$(BNCO_ASM_OBJ)";
-                $rules.=&do_asm_rule($bnco_asm_obj,$bnco_asm_src);
-                }
-        if (($des_enc_obj ne "") && ($_ eq "CRYPTO"))
                {
-                $lib_obj =~ s/\s\S*des_enc\S*/ \$(DES_ENC_OBJ)/;
+                if ($cpuid_asm_obj ne "")
-                $lib_obj =~ s/\s\S*\/fcrypt_b\S*\s*/ /;
+                        {
-                $rules.=&do_asm_rule($des_enc_obj,$des_enc_src);
+                        $lib_obj =~ s/(\S*\/cryptlib\S*)/$1 \$(CPUID_ASM_OBJ)/;
+                        $rules.=&do_asm_rule($cpuid_asm_obj,$cpuid_asm_src);
+                        }
+                if ($aes_asm_obj ne "")
+                        {
+                        $lib_obj =~ s/\s(\S*\/aes_core\S*)/ \$(AES_ASM_OBJ)/;
+                        $lib_obj =~ s/\s\S*\/aes_cbc\S*//;
+                        $rules.=&do_asm_rule($aes_asm_obj,$aes_asm_src);
+                        }
+                if ($sha1_asm_obj ne "")
+                        {
+                        $lib_obj =~ s/\s(\S*\/sha1dgst\S*)/ $1 \$(SHA1_ASM_OBJ)/;
+                        $rules.=&do_asm_rule($sha1_asm_obj,$sha1_asm_src);
+                        }
+                if ($bn_asm_obj ne "")
+                        {
+                        $lib_obj =~ s/\s\S*\/bn_asm\S*/ \$(BN_ASM_OBJ)/;
+                        $rules.=&do_asm_rule($bn_asm_obj,$bn_asm_src);
+                        }
+                if ($bnco_asm_obj ne "")
+                        {
+                        $lib_obj .= "\$(BNCO_ASM_OBJ)";
+                        $rules.=&do_asm_rule($bnco_asm_obj,$bnco_asm_src);
+                        }
+                if ($des_enc_obj ne "")
+                        {
+                        $lib_obj =~ s/\s\S*des_enc\S*/ \$(DES_ENC_OBJ)/;
+                        $lib_obj =~ s/\s\S*\/fcrypt_b\S*\s*/ /;
+                        $rules.=&do_asm_rule($des_enc_obj,$des_enc_src);
+                        }
                }
        if (($bf_enc_obj ne "") && ($_ eq "CRYPTO"))
                {
@@ -660,21 +852,11 @@ foreach (values %lib_nam)
                $lib_obj =~ s/\s(\S*\/md5_dgst\S*)/ $1 \$(MD5_ASM_OBJ)/;
                $rules.=&do_asm_rule($md5_asm_obj,$md5_asm_src);
                }
-        if (($sha1_asm_obj ne "") && ($_ eq "CRYPTO"))
-                {
-                $lib_obj =~ s/\s(\S*\/sha1dgst\S*)/ $1 \$(SHA1_ASM_OBJ)/;
-                $rules.=&do_asm_rule($sha1_asm_obj,$sha1_asm_src);
-                }
        if (($rmd160_asm_obj ne "") && ($_ eq "CRYPTO"))
                {
                $lib_obj =~ s/\s(\S*\/rmd_dgst\S*)/ $1 \$(RMD160_ASM_OBJ)/;
                $rules.=&do_asm_rule($rmd160_asm_obj,$rmd160_asm_src);
                }
-        if (($cpuid_asm_obj ne "") && ($_ eq "CRYPTO"))
-                {
-                $lib_obj =~ s/\s(\S*\/cversion\S*)/ $1 \$(CPUID_ASM_OBJ)/;
-                $rules.=&do_asm_rule($cpuid_asm_obj,$cpuid_asm_src);
-                }
        $defs.=&do_defs(${_}."OBJ",$lib_obj,"\$(OBJ_D)",$obj);
        $lib=($slib)?" \$(SHLIB_CFLAGS)".$shlib_ex_cflags{$_}:" \$(LIB_CFLAGS)";
        $rules.=&do_compile_rule("\$(OBJ_D)",$lib_obj{$_},$lib);
@@ -689,15 +871,43 @@ if (($platform eq "VC-WIN32") || ($platform eq "VC-NT")) {
 \$(OBJ_D)\\\$(SSL).res: ms\\version32.rc
        \$(RSC) /fo"\$(OBJ_D)\\\$(SSL).res" /d SSL ms\\version32.rc
+\$(OBJ_D)\\\$(LIBFIPS).res: ms\\version32.rc
+        \$(RSC) /fo"\$(OBJ_D)\\\$(LIBFIPS).res" /d FIPS ms\\version32.rc
 EOF
 }
 $defs.=&do_defs("T_EXE",$test,"\$(TEST_D)",$exep);
 foreach (split(/\s+/,$test))
        {
+        my $t_libs;
        $t=&bname($_);
+        my $ltype;
+        # Check to see if test program is FIPS
+        if ($fips && /fips/)
+                {
+                # If fipsdso link to libosslfips.dll 
+                # otherwise perform static link to 
+                # $(O_FIPSCANISTER)
+                if ($fipsdso)
+                        {
+                        $t_libs = "\$(L_FIPS)";
+                        $ltype = 0;
+                        }
+                else
+                        {
+                        $t_libs = "\$(O_FIPSCANISTER)";
+                        $ltype = 2;
+                        }
+                }
+        else
+                {
+                $t_libs = "\$(L_LIBS)";
+                $ltype = 0;
+                }
        $tt="\$(OBJ_D)${o}$t${obj}";
-        $rules.=&do_link_rule("\$(TEST_D)$o$t$exep",$tt,"\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");
+        $rules.=&do_link_rule("\$(TEST_D)$o$t$exep",$tt,"\$(LIBS_DEP)","$t_libs \$(EX_LIBS)", $ltype);
        }
 $defs.=&do_defs("E_SHLIB",$engines,"\$(ENG_D)",$shlibp);
@@ -711,9 +921,69 @@ foreach (split(/\s+/,$engines))
 $rules.= &do_lib_rule("\$(SSLOBJ)","\$(O_SSL)",$ssl,$shlib,"\$(SO_SSL)");
-$rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)");
-$rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");
+if ($fips)
+        {
+        if ($shlib)
+                {
+                if ($fipsdso)
+                        {
+                        $rules.= &do_lib_rule("\$(CRYPTOOBJ)",
+                                        "\$(O_CRYPTO)", "$crypto",
+                                        $shlib, "", "");
+                        $rules.= &do_lib_rule(
+                                "\$(O_FIPSCANISTER)",
+                                "\$(O_FIPS)", "\$(LIBFIPS)",
+                                $shlib, "\$(SO_CRYPTO)", "\$(BASEADDR)");
+                        $rules.= &do_sdef_rule();
+                        }
+                else
+                        {
+                        $rules.= &do_lib_rule(
+                                "\$(CRYPTOOBJ) \$(O_FIPSCANISTER)",
+                                "\$(O_CRYPTO)", "$crypto",
+                                $shlib, "\$(SO_CRYPTO)", "\$(BASEADDR)");
+                        }
+                }
+        else
+                {
+                $rules.= &do_lib_rule("\$(CRYPTOOBJ)",
+                        "\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)", "");
+                $rules.= &do_lib_rule("\$(CRYPTOOBJ) \$(FIPSOBJ)",
+                        "\$(LIB_D)$o$crypto_compat",$crypto,$shlib,"\$(SO_CRYPTO)", "");
+                }
+        }
+        else
+        {
+        $rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,
+                                                        "\$(SO_CRYPTO)");
+        }
+if ($fips)
+        {
+        if ($fipscanisterbuild)
+                {
+                $rules.= &do_rlink_rule("\$(O_FIPSCANISTER)",
+                                        "\$(OBJ_D)${o}fips_start$obj",
+                                        "\$(FIPSOBJ)",
+                                        "\$(OBJ_D)${o}fips_end$obj",
+                                        "\$(FIPS_SHA1_EXE)", "");
+                $rules.=&do_link_rule("\$(FIPS_SHA1_EXE)",
+                                        "\$(OBJ_D)${o}fips_standalone_sha1$obj \$(OBJ_D)${o}sha1dgst$obj \$(SHA1_ASM_OBJ)",
+                                        "","\$(EX_LIBS)", 1);
+                }
+        else
+                {
+                $rules.=&do_link_rule("\$(FIPS_SHA1_EXE)",
+                                        "\$(OBJ_D)${o}fips_standalone_sha1$obj \$(O_FIPSCANISTER)",
+                                        "","", 1);
+                }
+        $rules.=&do_link_rule("\$(PREMAIN_DSO_EXE)","\$(OBJ_D)${o}\$(E_PREMAIN_DSO)$obj \$(CRYPTOOBJ) \$(O_FIPSCANISTER)","","\$(EX_LIBS)", 1);
+        
+        }
+$rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)", ($fips && !$shlib) ? 2 : 0);
 print $defs;
@@ -751,6 +1021,8 @@ sub var_add
        return("") if $no_dh   && $dir =~ /\/dh/;
        return("") if $no_ec   && $dir =~ /\/ec/;
        return("") if $no_cms  && $dir =~ /\/cms/;
+        return("") if $no_jpake  && $dir =~ /\/jpake/;
+        return("") if !$fips   && $dir =~ /^fips/;
        if ($no_des && $dir =~ /\/des/)
                {
                if ($val =~ /read_pwd/)
@@ -1010,6 +1282,7 @@ sub read_options
                "no-hmac" => \$no_hmac,
                "no-asm" => \$no_asm,
                "nasm" => \$nasm,
+                "ml64" => \$ml64,
                "nw-nasm" => \$nw_nasm,
                "nw-mwasm" => \$nw_mwasm,
                "gaswin" => \$gaswin,
@@ -1017,6 +1290,8 @@ sub read_options
                "no-ssl3" => \$no_ssl3,
                "no-tlsext" => \$no_tlsext,
                "no-cms" => \$no_cms,
+                "no-jpake" => \$no_jpake,
+                "no-capieng" => \$no_capieng,
                "no-err" => \$no_err,
                "no-sock" => \$no_sock,
                "no-krb5" => \$no_krb5,
@@ -1043,6 +1318,9 @@ sub read_options
                "no-shared" => 0,
                "no-zlib" => 0,
                "no-zlib-dynamic" => 0,
+                "fips" => \$fips,
+                "fipscanisterbuild" => [\$fips, \$fipscanisterbuild],
+                "fipsdso" => [\$fips, \$fipscanisterbuild, \$fipsdso],
                );
        if (exists $valid_options{$_})
@@ -1084,6 +1362,18 @@ sub read_options
                        {return 1;}
                return 0;
                }
+        # experimental-xxx is mostly like enable-xxx, but opensslconf.v
+        # will still set OPENSSL_NO_xxx unless we set OPENSSL_EXPERIMENTAL_xxx.
+        # (No need to fail if we don't know the algorithm -- this is for adventurous users only.)
+        elsif (/^experimental-/)
+                {
+                my $algo, $ALGO;
+                ($algo = $_) =~ s/^experimental-//;
+                ($ALGO = $algo) =~ tr/[a-z]/[A-Z]/;
+                $xcflags="-DOPENSSL_EXPERIMENTAL_$ALGO $xcflags";
+                
+                }
        elsif (/^--with-krb5-flavor=(.*)$/)
                {
                my $krb5_flavor = $1;
@@ -1107,3 +1397,31 @@ sub read_options
        else { return(0); }
        return(1);
        }
+sub fipslib_error
+        {
+        print STDERR "***FIPS module directory sanity check failed***\n";
+        print STDERR "FIPS module build failed, or was deleted\n";
+        print STDERR "Please rebuild FIPS module.\n"; 
+        exit 1;
+        }
+sub fips_check_files
+        {
+        my $dir = shift @_;
+        my $ret = 1;
+        if (!-d $dir)
+                {
+                print STDERR "FIPS module directory $dir does not exist\n";
+                fipslib_error();
+                }
+        foreach (@_)
+                {
+                if (!-f "$dir${o}$_")
+                        {
+                        print STDERR "FIPS module file $_ does not exist!\n";
+                        $ret = 0;
+                        }
+                }
+        fipslib_error() if ($ret == 0);
+        }

diff --git a/src/lib/libcrypto/util/mk1mf.pl b/src/lib/libcrypto/util/mk1mf.pl index 1ac5fd3a50..f2b92b2b25 100644 --- a/src/lib/libcrypto/util/mk1mf.pl +++ b/src/lib/libcrypto/util/mk1mf.pl
@@ -15,6 +15,18 @@ my $engines = "";
15	local $zlib_opt = 0; # 0 = no zlib, 1 = static, 2 = dynamic	15	local $zlib_opt = 0; # 0 = no zlib, 1 = static, 2 = dynamic
16	local $zlib_lib = "";	16	local $zlib_lib = "";
17		17
		18	local $fips_canister_path = "";
		19	my $fips_premain_dso_exe_path = "";
		20	my $fips_premain_c_path = "";
		21	my $fips_sha1_exe_path = "";
		22
		23	local $fipscanisterbuild = 0;
		24	local $fipsdso = 0;
		25
		26	my $fipslibdir = "";
		27	my $baseaddr = "";
		28
		29	my $ex_l_libs = "";
18		30
19	open(IN,"<Makefile") \|\| die "unable to open Makefile!\n";	31	open(IN,"<Makefile") \|\| die "unable to open Makefile!\n";
20	while(<IN>) {	32	while(<IN>) {
@@ -221,6 +233,8 @@ $cflags.=" -DOPENSSL_NO_SSL2" if $no_ssl2;
221	$cflags.=" -DOPENSSL_NO_SSL3" if $no_ssl3;	233	$cflags.=" -DOPENSSL_NO_SSL3" if $no_ssl3;
222	$cflags.=" -DOPENSSL_NO_TLSEXT" if $no_tlsext;	234	$cflags.=" -DOPENSSL_NO_TLSEXT" if $no_tlsext;
223	$cflags.=" -DOPENSSL_NO_CMS" if $no_cms;	235	$cflags.=" -DOPENSSL_NO_CMS" if $no_cms;
		236	$cflags.=" -DOPENSSL_NO_JPAKE" if $no_jpake;
		237	$cflags.=" -DOPENSSL_NO_CAPIENG" if $no_capieng;
224	$cflags.=" -DOPENSSL_NO_ERR" if $no_err;	238	$cflags.=" -DOPENSSL_NO_ERR" if $no_err;
225	$cflags.=" -DOPENSSL_NO_KRB5" if $no_krb5;	239	$cflags.=" -DOPENSSL_NO_KRB5" if $no_krb5;
226	$cflags.=" -DOPENSSL_NO_EC" if $no_ec;	240	$cflags.=" -DOPENSSL_NO_EC" if $no_ec;
@@ -228,7 +242,7 @@ $cflags.=" -DOPENSSL_NO_ECDSA" if $no_ecdsa;
228	$cflags.=" -DOPENSSL_NO_ECDH" if $no_ecdh;	242	$cflags.=" -DOPENSSL_NO_ECDH" if $no_ecdh;
229	$cflags.=" -DOPENSSL_NO_ENGINE" if $no_engine;	243	$cflags.=" -DOPENSSL_NO_ENGINE" if $no_engine;
230	$cflags.=" -DOPENSSL_NO_HW" if $no_hw;	244	$cflags.=" -DOPENSSL_NO_HW" if $no_hw;
231		245	$cflags.=" -DOPENSSL_FIPS" if $fips;
232	$cflags.= " -DZLIB" if $zlib_opt;	246	$cflags.= " -DZLIB" if $zlib_opt;
233	$cflags.= " -DZLIB_SHARED" if $zlib_opt == 2;	247	$cflags.= " -DZLIB_SHARED" if $zlib_opt == 2;
234		248
@@ -250,9 +264,9 @@ else
250		264
251	$ex_libs="$l_flags$ex_libs" if ($l_flags ne "");	265	$ex_libs="$l_flags$ex_libs" if ($l_flags ne "");
252		266
253
254	%shlib_ex_cflags=("SSL" => " -DOPENSSL_BUILD_SHLIBSSL",	267	%shlib_ex_cflags=("SSL" => " -DOPENSSL_BUILD_SHLIBSSL",
255	"CRYPTO" => " -DOPENSSL_BUILD_SHLIBCRYPTO");	268	"CRYPTO" => " -DOPENSSL_BUILD_SHLIBCRYPTO",
		269	"FIPS" => " -DOPENSSL_BUILD_SHLIBCRYPTO");
256		270
257	if ($msdos)	271	if ($msdos)
258	{	272	{
@@ -280,11 +294,21 @@ for (;;)
280	{	294	{
281	if ($lib ne "")	295	if ($lib ne "")
282	{	296	{
283	$uc=$lib;	297	if ($fips && $dir =~ /^fips/)
284	$uc =~ s/^lib(.*)\.a/$1/;	298	{
285	$uc =~ tr/a-z/A-Z/;	299	$uc = "FIPS";
286	$lib_nam{$uc}=$uc;	300	}
287	$lib_obj{$uc}.=$libobj." ";	301	else
		302	{
		303	$uc=$lib;
		304	$uc =~ s/^lib(.*)\.a/$1/;
		305	$uc =~ tr/a-z/A-Z/;
		306	}
		307	if (($uc ne "FIPS") \|\| $fipscanisterbuild)
		308	{
		309	$lib_nam{$uc}=$uc;
		310	$lib_obj{$uc}.=$libobj." ";
		311	}
288	}	312	}
289	last if ($val eq "FINISHED");	313	last if ($val eq "FINISHED");
290	$lib="";	314	$lib="";
@@ -327,11 +351,130 @@ for (;;)
327	if ($key eq "LIBNAMES" && $dir eq "engines" && $no_static_engine)	351	if ($key eq "LIBNAMES" && $dir eq "engines" && $no_static_engine)
328	{ $engines.=$val }	352	{ $engines.=$val }
329		353
		354	if ($key eq "FIPS_EX_OBJ")
		355	{
		356	$fips_ex_obj=&var_add("crypto",$val,0);
		357	}
		358
		359	if ($key eq "FIPSLIBDIR")
		360	{
		361	$fipslibdir=$val;
		362	$fipslibdir =~ s/\/$//;
		363	$fipslibdir =~ s/\//$o/g;
		364	}
		365
		366	if ($key eq "BASEADDR")
		367	{ $baseaddr=$val;}
		368
330	if (!($_=<IN>))	369	if (!($_=<IN>))
331	{ $_="RELATIVE_DIRECTORY=FINISHED\n"; }	370	{ $_="RELATIVE_DIRECTORY=FINISHED\n"; }
332	}	371	}
333	close(IN);	372	close(IN);
334		373
		374	if ($fips)
		375	{
		376
		377	foreach (split " ", $fips_ex_obj)
		378	{
		379	$fips_exclude_obj{$1} = 1 if (/\/([^\/]*)$/);
		380	}
		381
		382	$fips_exclude_obj{"cpu_win32"} = 1;
		383	$fips_exclude_obj{"bn_asm"} = 1;
		384	$fips_exclude_obj{"des_enc"} = 1;
		385	$fips_exclude_obj{"fcrypt_b"} = 1;
		386	$fips_exclude_obj{"aes_core"} = 1;
		387	$fips_exclude_obj{"aes_cbc"} = 1;
		388
		389	my @ltmp = split " ", $lib_obj{"CRYPTO"};
		390
		391
		392	$lib_obj{"CRYPTO"} = "";
		393
		394	foreach(@ltmp)
		395	{
		396	if (/\/([^\/]*)$/ && exists $fips_exclude_obj{$1})
		397	{
		398	if ($fipscanisterbuild)
		399	{
		400	$lib_obj{"FIPS"} .= "$_ ";
		401	}
		402	}
		403	else
		404	{
		405	$lib_obj{"CRYPTO"} .= "$_ ";
		406	}
		407	}
		408
		409	}
		410
		411	if ($fipscanisterbuild)
		412	{
		413	$fips_canister_path = "\$(LIB_D)${o}fipscanister.lib" if $fips_canister_path eq "";
		414	$fips_premain_c_path = "\$(LIB_D)${o}fips_premain.c";
		415	}
		416	else
		417	{
		418	if ($fips_canister_path eq "")
		419	{
		420	$fips_canister_path = "\$(FIPSLIB_D)${o}fipscanister.lib";
		421	}
		422
		423	if ($fips_premain_c_path eq "")
		424	{
		425	$fips_premain_c_path = "\$(FIPSLIB_D)${o}fips_premain.c";
		426	}
		427	}
		428
		429	if ($fips)
		430	{
		431	if ($fips_sha1_exe_path eq "")
		432	{
		433	$fips_sha1_exe_path =
		434	"\$(BIN_D)${o}fips_standalone_sha1$exep";
		435	}
		436	}
		437	else
		438	{
		439	$fips_sha1_exe_path = "";
		440	}
		441
		442	if ($fips_premain_dso_exe_path eq "")
		443	{
		444	$fips_premain_dso_exe_path = "\$(BIN_D)${o}fips_premain_dso$exep";
		445	}
		446
		447	# $ex_build_targets .= "\$(BIN_D)${o}\$(E_PREMAIN_DSO)$exep" if ($fips);
		448
		449	#$ex_l_libs .= " \$(L_FIPS)" if $fipsdso;
		450
		451	if ($fips)
		452	{
		453	if (!$shlib)
		454	{
		455	$ex_build_targets .= " \$(LIB_D)$o$crypto_compat \$(PREMAIN_DSO_EXE)";
		456	$ex_l_libs .= " \$(O_FIPSCANISTER)";
		457	$ex_libs_dep .= " \$(O_FIPSCANISTER)" if $fipscanisterbuild;
		458	}
		459	if ($fipscanisterbuild)
		460	{
		461	$fipslibdir = "\$(LIB_D)";
		462	}
		463	else
		464	{
		465	if ($fipslibdir eq "")
		466	{
		467	open (IN, "util/fipslib_path.txt") \|\| fipslib_error();
		468	$fipslibdir = <IN>;
		469	chomp $fipslibdir;
		470	close IN;
		471	}
		472	fips_check_files($fipslibdir,
		473	"fipscanister.lib", "fipscanister.lib.sha1",
		474	"fips_premain.c", "fips_premain.c.sha1");
		475	}
		476	}
		477
335	if ($shlib)	478	if ($shlib)
336	{	479	{
337	$extra_install= <<"EOF";	480	$extra_install= <<"EOF";
@@ -397,6 +540,7 @@ SRC_D=$src_dir
397	LINK=$link	540	LINK=$link
398	LFLAGS=$lflags	541	LFLAGS=$lflags
399	RSC=$rsc	542	RSC=$rsc
		543	FIPSLINK=\$(PERL) util${o}fipslink.pl
400		544
401	AES_ASM_OBJ=$aes_asm_obj	545	AES_ASM_OBJ=$aes_asm_obj
402	AES_ASM_SRC=$aes_asm_src	546	AES_ASM_SRC=$aes_asm_src
@@ -440,6 +584,17 @@ MKLIB=$bin_dir$mklib
440	MLFLAGS=$mlflags	584	MLFLAGS=$mlflags
441	ASM=$bin_dir$asm	585	ASM=$bin_dir$asm
442		586
		587	# FIPS validated module and support file locations
		588
		589	E_PREMAIN_DSO=fips_premain_dso
		590
		591	FIPSLIB_D=$fipslibdir
		592	BASEADDR=$baseaddr
		593	FIPS_PREMAIN_SRC=$fips_premain_c_path
		594	O_FIPSCANISTER=$fips_canister_path
		595	FIPS_SHA1_EXE=$fips_sha1_exe_path
		596	PREMAIN_DSO_EXE=$fips_premain_dso_exe_path
		597
443	######################################################	598	######################################################
444	# You should not need to touch anything below this point	599	# You should not need to touch anything below this point
445	######################################################	600	######################################################
@@ -447,6 +602,7 @@ ASM=$bin_dir$asm
447	E_EXE=openssl	602	E_EXE=openssl
448	SSL=$ssl	603	SSL=$ssl
449	CRYPTO=$crypto	604	CRYPTO=$crypto
		605	LIBFIPS=libosslfips
450		606
451	# BIN_D - Binary output directory	607	# BIN_D - Binary output directory
452	# TEST_D - Binary test file output directory	608	# TEST_D - Binary test file output directory
@@ -467,12 +623,14 @@ INCL_D=\$(TMP_D)
467		623
468	O_SSL= \$(LIB_D)$o$plib\$(SSL)$shlibp	624	O_SSL= \$(LIB_D)$o$plib\$(SSL)$shlibp
469	O_CRYPTO= \$(LIB_D)$o$plib\$(CRYPTO)$shlibp	625	O_CRYPTO= \$(LIB_D)$o$plib\$(CRYPTO)$shlibp
		626	O_FIPS= \$(LIB_D)$o$plib\$(LIBFIPS)$shlibp
470	SO_SSL= $plib\$(SSL)$so_shlibp	627	SO_SSL= $plib\$(SSL)$so_shlibp
471	SO_CRYPTO= $plib\$(CRYPTO)$so_shlibp	628	SO_CRYPTO= $plib\$(CRYPTO)$so_shlibp
472	L_SSL= \$(LIB_D)$o$plib\$(SSL)$libp	629	L_SSL= \$(LIB_D)$o$plib\$(SSL)$libp
473	L_CRYPTO= \$(LIB_D)$o$plib\$(CRYPTO)$libp	630	L_CRYPTO= \$(LIB_D)$o$plib\$(CRYPTO)$libp
		631	L_FIPS= \$(LIB_D)$o$plib\$(LIBFIPS)$libp
474		632
475	L_LIBS= \$(L_SSL) \$(L_CRYPTO)	633	L_LIBS= \$(L_SSL) \$(L_CRYPTO) $ex_l_libs
476		634
477	######################################################	635	######################################################
478	# Don't touch anything below this point	636	# Don't touch anything below this point
@@ -482,13 +640,13 @@ INC=-I\$(INC_D) -I\$(INCL_D)
482	APP_CFLAGS=\$(INC) \$(CFLAG) \$(APP_CFLAG)	640	APP_CFLAGS=\$(INC) \$(CFLAG) \$(APP_CFLAG)
483	LIB_CFLAGS=\$(INC) \$(CFLAG) \$(LIB_CFLAG)	641	LIB_CFLAGS=\$(INC) \$(CFLAG) \$(LIB_CFLAG)
484	SHLIB_CFLAGS=\$(INC) \$(CFLAG) \$(LIB_CFLAG) \$(SHLIB_CFLAG)	642	SHLIB_CFLAGS=\$(INC) \$(CFLAG) \$(LIB_CFLAG) \$(SHLIB_CFLAG)
485	LIBS_DEP=\$(O_CRYPTO) \$(O_SSL)	643	LIBS_DEP=\$(O_CRYPTO) \$(O_SSL) $ex_libs_dep
486		644
487	#############################################	645	#############################################
488	EOF	646	EOF
489		647
490	$rules=<<"EOF";	648	$rules=<<"EOF";
491	all: banner \$(TMP_D) \$(BIN_D) \$(TEST_D) \$(LIB_D) \$(INCO_D) headers lib exe	649	all: banner \$(TMP_D) \$(BIN_D) \$(TEST_D) \$(LIB_D) \$(INCO_D) headers \$(FIPS_SHA1_EXE) lib exe $ex_build_targets
492		650
493	banner:	651	banner:
494	$banner	652	$banner
@@ -603,6 +761,26 @@ $rules.=&do_compile_rule("\$(OBJ_D)",$test,"\$(APP_CFLAGS)");
603	$defs.=&do_defs("E_OBJ",$e_exe,"\$(OBJ_D)",$obj);	761	$defs.=&do_defs("E_OBJ",$e_exe,"\$(OBJ_D)",$obj);
604	$rules.=&do_compile_rule("\$(OBJ_D)",$e_exe,'-DMONOLITH $(APP_CFLAGS)');	762	$rules.=&do_compile_rule("\$(OBJ_D)",$e_exe,'-DMONOLITH $(APP_CFLAGS)');
605		763
		764	# Special case rules for fips_start and fips_end fips_premain_dso
		765
		766	if ($fips)
		767	{
		768	if ($fipscanisterbuild)
		769	{
		770	$rules.=&cc_compile_target("\$(OBJ_D)${o}fips_start$obj",
		771	"fips${o}fips_canister.c",
		772	"-DFIPS_START \$(SHLIB_CFLAGS)");
		773	$rules.=&cc_compile_target("\$(OBJ_D)${o}fips_end$obj",
		774	"fips${o}fips_canister.c", "\$(SHLIB_CFLAGS)");
		775	}
		776	$rules.=&cc_compile_target("\$(OBJ_D)${o}fips_standalone_sha1$obj",
		777	"fips${o}sha${o}fips_standalone_sha1.c",
		778	"\$(SHLIB_CFLAGS)");
		779	$rules.=&cc_compile_target("\$(OBJ_D)${o}\$(E_PREMAIN_DSO)$obj",
		780	"fips${o}fips_premain.c",
		781	"-DFINGERPRINT_PREMAIN_DSO_LOAD \$(SHLIB_CFLAGS)");
		782	}
		783
606	foreach (values %lib_nam)	784	foreach (values %lib_nam)
607	{	785	{
608	$lib_obj=$lib_obj{$_};	786	$lib_obj=$lib_obj{$_};
@@ -613,27 +791,41 @@ foreach (values %lib_nam)
613	$rules.="\$(O_SSL):\n\n";	791	$rules.="\$(O_SSL):\n\n";
614	next;	792	next;
615	}	793	}
616	if (($aes_asm_obj ne "") && ($_ eq "CRYPTO"))	794
617	{	795	if ((!$fips && ($_ eq "CRYPTO")) \|\| ($fips && ($_ eq "FIPS")))
618	$lib_obj =~ s/\s(\S\/aes_core\S)/ \$(AES_ASM_OBJ)/;
619	$lib_obj =~ s/\s\S\/aes_cbc\S//;
620	$rules.=&do_asm_rule($aes_asm_obj,$aes_asm_src);
621	}
622	if (($bn_asm_obj ne "") && ($_ eq "CRYPTO"))
623	{
624	$lib_obj =~ s/\s\S\/bn_asm\S/ \$(BN_ASM_OBJ)/;
625	$rules.=&do_asm_rule($bn_asm_obj,$bn_asm_src);
626	}
627	if (($bnco_asm_obj ne "") && ($_ eq "CRYPTO"))
628	{
629	$lib_obj .= "\$(BNCO_ASM_OBJ)";
630	$rules.=&do_asm_rule($bnco_asm_obj,$bnco_asm_src);
631	}
632	if (($des_enc_obj ne "") && ($_ eq "CRYPTO"))
633	{	796	{
634	$lib_obj =~ s/\s\Sdes_enc\S/ \$(DES_ENC_OBJ)/;	797	if ($cpuid_asm_obj ne "")
635	$lib_obj =~ s/\s\S\/fcrypt_b\S\s*/ /;	798	{
636	$rules.=&do_asm_rule($des_enc_obj,$des_enc_src);	799	$lib_obj =~ s/(\S\/cryptlib\S)/$1 \$(CPUID_ASM_OBJ)/;
		800	$rules.=&do_asm_rule($cpuid_asm_obj,$cpuid_asm_src);
		801	}
		802	if ($aes_asm_obj ne "")
		803	{
		804	$lib_obj =~ s/\s(\S\/aes_core\S)/ \$(AES_ASM_OBJ)/;
		805	$lib_obj =~ s/\s\S\/aes_cbc\S//;
		806	$rules.=&do_asm_rule($aes_asm_obj,$aes_asm_src);
		807	}
		808	if ($sha1_asm_obj ne "")
		809	{
		810	$lib_obj =~ s/\s(\S\/sha1dgst\S)/ $1 \$(SHA1_ASM_OBJ)/;
		811	$rules.=&do_asm_rule($sha1_asm_obj,$sha1_asm_src);
		812	}
		813	if ($bn_asm_obj ne "")
		814	{
		815	$lib_obj =~ s/\s\S\/bn_asm\S/ \$(BN_ASM_OBJ)/;
		816	$rules.=&do_asm_rule($bn_asm_obj,$bn_asm_src);
		817	}
		818	if ($bnco_asm_obj ne "")
		819	{
		820	$lib_obj .= "\$(BNCO_ASM_OBJ)";
		821	$rules.=&do_asm_rule($bnco_asm_obj,$bnco_asm_src);
		822	}
		823	if ($des_enc_obj ne "")
		824	{
		825	$lib_obj =~ s/\s\Sdes_enc\S/ \$(DES_ENC_OBJ)/;
		826	$lib_obj =~ s/\s\S\/fcrypt_b\S\s*/ /;
		827	$rules.=&do_asm_rule($des_enc_obj,$des_enc_src);
		828	}
637	}	829	}
638	if (($bf_enc_obj ne "") && ($_ eq "CRYPTO"))	830	if (($bf_enc_obj ne "") && ($_ eq "CRYPTO"))
639	{	831	{
@@ -660,21 +852,11 @@ foreach (values %lib_nam)
660	$lib_obj =~ s/\s(\S\/md5_dgst\S)/ $1 \$(MD5_ASM_OBJ)/;	852	$lib_obj =~ s/\s(\S\/md5_dgst\S)/ $1 \$(MD5_ASM_OBJ)/;
661	$rules.=&do_asm_rule($md5_asm_obj,$md5_asm_src);	853	$rules.=&do_asm_rule($md5_asm_obj,$md5_asm_src);
662	}	854	}
663	if (($sha1_asm_obj ne "") && ($_ eq "CRYPTO"))
664	{
665	$lib_obj =~ s/\s(\S\/sha1dgst\S)/ $1 \$(SHA1_ASM_OBJ)/;
666	$rules.=&do_asm_rule($sha1_asm_obj,$sha1_asm_src);
667	}
668	if (($rmd160_asm_obj ne "") && ($_ eq "CRYPTO"))	855	if (($rmd160_asm_obj ne "") && ($_ eq "CRYPTO"))
669	{	856	{
670	$lib_obj =~ s/\s(\S\/rmd_dgst\S)/ $1 \$(RMD160_ASM_OBJ)/;	857	$lib_obj =~ s/\s(\S\/rmd_dgst\S)/ $1 \$(RMD160_ASM_OBJ)/;
671	$rules.=&do_asm_rule($rmd160_asm_obj,$rmd160_asm_src);	858	$rules.=&do_asm_rule($rmd160_asm_obj,$rmd160_asm_src);
672	}	859	}
673	if (($cpuid_asm_obj ne "") && ($_ eq "CRYPTO"))
674	{
675	$lib_obj =~ s/\s(\S\/cversion\S)/ $1 \$(CPUID_ASM_OBJ)/;
676	$rules.=&do_asm_rule($cpuid_asm_obj,$cpuid_asm_src);
677	}
678	$defs.=&do_defs(${_}."OBJ",$lib_obj,"\$(OBJ_D)",$obj);	860	$defs.=&do_defs(${_}."OBJ",$lib_obj,"\$(OBJ_D)",$obj);
679	$lib=($slib)?" \$(SHLIB_CFLAGS)".$shlib_ex_cflags{$_}:" \$(LIB_CFLAGS)";	861	$lib=($slib)?" \$(SHLIB_CFLAGS)".$shlib_ex_cflags{$_}:" \$(LIB_CFLAGS)";
680	$rules.=&do_compile_rule("\$(OBJ_D)",$lib_obj{$_},$lib);	862	$rules.=&do_compile_rule("\$(OBJ_D)",$lib_obj{$_},$lib);
@@ -689,15 +871,43 @@ if (($platform eq "VC-WIN32") \|\| ($platform eq "VC-NT")) {
689	\$(OBJ_D)\\\$(SSL).res: ms\\version32.rc	871	\$(OBJ_D)\\\$(SSL).res: ms\\version32.rc
690	\$(RSC) /fo"\$(OBJ_D)\\\$(SSL).res" /d SSL ms\\version32.rc	872	\$(RSC) /fo"\$(OBJ_D)\\\$(SSL).res" /d SSL ms\\version32.rc
691		873
		874	\$(OBJ_D)\\\$(LIBFIPS).res: ms\\version32.rc
		875	\$(RSC) /fo"\$(OBJ_D)\\\$(LIBFIPS).res" /d FIPS ms\\version32.rc
		876
692	EOF	877	EOF
693	}	878	}
694		879
695	$defs.=&do_defs("T_EXE",$test,"\$(TEST_D)",$exep);	880	$defs.=&do_defs("T_EXE",$test,"\$(TEST_D)",$exep);
696	foreach (split(/\s+/,$test))	881	foreach (split(/\s+/,$test))
697	{	882	{
		883	my $t_libs;
698	$t=&bname($_);	884	$t=&bname($_);
		885	my $ltype;
		886	# Check to see if test program is FIPS
		887	if ($fips && /fips/)
		888	{
		889	# If fipsdso link to libosslfips.dll
		890	# otherwise perform static link to
		891	# $(O_FIPSCANISTER)
		892	if ($fipsdso)
		893	{
		894	$t_libs = "\$(L_FIPS)";
		895	$ltype = 0;
		896	}
		897	else
		898	{
		899	$t_libs = "\$(O_FIPSCANISTER)";
		900	$ltype = 2;
		901	}
		902	}
		903	else
		904	{
		905	$t_libs = "\$(L_LIBS)";
		906	$ltype = 0;
		907	}
		908
699	$tt="\$(OBJ_D)${o}$t${obj}";	909	$tt="\$(OBJ_D)${o}$t${obj}";
700	$rules.=&do_link_rule("\$(TEST_D)$o$t$exep",$tt,"\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");	910	$rules.=&do_link_rule("\$(TEST_D)$o$t$exep",$tt,"\$(LIBS_DEP)","$t_libs \$(EX_LIBS)", $ltype);
701	}	911	}
702		912
703	$defs.=&do_defs("E_SHLIB",$engines,"\$(ENG_D)",$shlibp);	913	$defs.=&do_defs("E_SHLIB",$engines,"\$(ENG_D)",$shlibp);
@@ -711,9 +921,69 @@ foreach (split(/\s+/,$engines))
711		921
712		922
713	$rules.= &do_lib_rule("\$(SSLOBJ)","\$(O_SSL)",$ssl,$shlib,"\$(SO_SSL)");	923	$rules.= &do_lib_rule("\$(SSLOBJ)","\$(O_SSL)",$ssl,$shlib,"\$(SO_SSL)");
714	$rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)");
715		924
716	$rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");	925	if ($fips)
		926	{
		927	if ($shlib)
		928	{
		929	if ($fipsdso)
		930	{
		931	$rules.= &do_lib_rule("\$(CRYPTOOBJ)",
		932	"\$(O_CRYPTO)", "$crypto",
		933	$shlib, "", "");
		934	$rules.= &do_lib_rule(
		935	"\$(O_FIPSCANISTER)",
		936	"\$(O_FIPS)", "\$(LIBFIPS)",
		937	$shlib, "\$(SO_CRYPTO)", "\$(BASEADDR)");
		938	$rules.= &do_sdef_rule();
		939	}
		940	else
		941	{
		942	$rules.= &do_lib_rule(
		943	"\$(CRYPTOOBJ) \$(O_FIPSCANISTER)",
		944	"\$(O_CRYPTO)", "$crypto",
		945	$shlib, "\$(SO_CRYPTO)", "\$(BASEADDR)");
		946	}
		947	}
		948	else
		949	{
		950	$rules.= &do_lib_rule("\$(CRYPTOOBJ)",
		951	"\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)", "");
		952	$rules.= &do_lib_rule("\$(CRYPTOOBJ) \$(FIPSOBJ)",
		953	"\$(LIB_D)$o$crypto_compat",$crypto,$shlib,"\$(SO_CRYPTO)", "");
		954	}
		955	}
		956	else
		957	{
		958	$rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,
		959	"\$(SO_CRYPTO)");
		960	}
		961
		962	if ($fips)
		963	{
		964	if ($fipscanisterbuild)
		965	{
		966	$rules.= &do_rlink_rule("\$(O_FIPSCANISTER)",
		967	"\$(OBJ_D)${o}fips_start$obj",
		968	"\$(FIPSOBJ)",
		969	"\$(OBJ_D)${o}fips_end$obj",
		970	"\$(FIPS_SHA1_EXE)", "");
		971	$rules.=&do_link_rule("\$(FIPS_SHA1_EXE)",
		972	"\$(OBJ_D)${o}fips_standalone_sha1$obj \$(OBJ_D)${o}sha1dgst$obj \$(SHA1_ASM_OBJ)",
		973	"","\$(EX_LIBS)", 1);
		974	}
		975	else
		976	{
		977	$rules.=&do_link_rule("\$(FIPS_SHA1_EXE)",
		978	"\$(OBJ_D)${o}fips_standalone_sha1$obj \$(O_FIPSCANISTER)",
		979	"","", 1);
		980
		981	}
		982	$rules.=&do_link_rule("\$(PREMAIN_DSO_EXE)","\$(OBJ_D)${o}\$(E_PREMAIN_DSO)$obj \$(CRYPTOOBJ) \$(O_FIPSCANISTER)","","\$(EX_LIBS)", 1);
		983
		984	}
		985
		986	$rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)", ($fips && !$shlib) ? 2 : 0);
717		987
718	print $defs;	988	print $defs;
719		989
@@ -751,6 +1021,8 @@ sub var_add
751	return("") if $no_dh && $dir =~ /\/dh/;	1021	return("") if $no_dh && $dir =~ /\/dh/;
752	return("") if $no_ec && $dir =~ /\/ec/;	1022	return("") if $no_ec && $dir =~ /\/ec/;
753	return("") if $no_cms && $dir =~ /\/cms/;	1023	return("") if $no_cms && $dir =~ /\/cms/;
		1024	return("") if $no_jpake && $dir =~ /\/jpake/;
		1025	return("") if !$fips && $dir =~ /^fips/;
754	if ($no_des && $dir =~ /\/des/)	1026	if ($no_des && $dir =~ /\/des/)
755	{	1027	{
756	if ($val =~ /read_pwd/)	1028	if ($val =~ /read_pwd/)
@@ -1010,6 +1282,7 @@ sub read_options
1010	"no-hmac" => \$no_hmac,	1282	"no-hmac" => \$no_hmac,
1011	"no-asm" => \$no_asm,	1283	"no-asm" => \$no_asm,
1012	"nasm" => \$nasm,	1284	"nasm" => \$nasm,
		1285	"ml64" => \$ml64,
1013	"nw-nasm" => \$nw_nasm,	1286	"nw-nasm" => \$nw_nasm,
1014	"nw-mwasm" => \$nw_mwasm,	1287	"nw-mwasm" => \$nw_mwasm,
1015	"gaswin" => \$gaswin,	1288	"gaswin" => \$gaswin,
@@ -1017,6 +1290,8 @@ sub read_options
1017	"no-ssl3" => \$no_ssl3,	1290	"no-ssl3" => \$no_ssl3,
1018	"no-tlsext" => \$no_tlsext,	1291	"no-tlsext" => \$no_tlsext,
1019	"no-cms" => \$no_cms,	1292	"no-cms" => \$no_cms,
		1293	"no-jpake" => \$no_jpake,
		1294	"no-capieng" => \$no_capieng,
1020	"no-err" => \$no_err,	1295	"no-err" => \$no_err,
1021	"no-sock" => \$no_sock,	1296	"no-sock" => \$no_sock,
1022	"no-krb5" => \$no_krb5,	1297	"no-krb5" => \$no_krb5,
@@ -1043,6 +1318,9 @@ sub read_options
1043	"no-shared" => 0,	1318	"no-shared" => 0,
1044	"no-zlib" => 0,	1319	"no-zlib" => 0,
1045	"no-zlib-dynamic" => 0,	1320	"no-zlib-dynamic" => 0,
		1321	"fips" => \$fips,
		1322	"fipscanisterbuild" => [\$fips, \$fipscanisterbuild],
		1323	"fipsdso" => [\$fips, \$fipscanisterbuild, \$fipsdso],
1046	);	1324	);
1047		1325
1048	if (exists $valid_options{$_})	1326	if (exists $valid_options{$_})
@@ -1084,6 +1362,18 @@ sub read_options
1084	{return 1;}	1362	{return 1;}
1085	return 0;	1363	return 0;
1086	}	1364	}
		1365	# experimental-xxx is mostly like enable-xxx, but opensslconf.v
		1366	# will still set OPENSSL_NO_xxx unless we set OPENSSL_EXPERIMENTAL_xxx.
		1367	# (No need to fail if we don't know the algorithm -- this is for adventurous users only.)
		1368	elsif (/^experimental-/)
		1369	{
		1370	my $algo, $ALGO;
		1371	($algo = $_) =~ s/^experimental-//;
		1372	($ALGO = $algo) =~ tr/[a-z]/[A-Z]/;
		1373
		1374	$xcflags="-DOPENSSL_EXPERIMENTAL_$ALGO $xcflags";
		1375
		1376	}
1087	elsif (/^--with-krb5-flavor=(.*)$/)	1377	elsif (/^--with-krb5-flavor=(.*)$/)
1088	{	1378	{
1089	my $krb5_flavor = $1;	1379	my $krb5_flavor = $1;
@@ -1107,3 +1397,31 @@ sub read_options
1107	else { return(0); }	1397	else { return(0); }
1108	return(1);	1398	return(1);
1109	}	1399	}
		1400
		1401	sub fipslib_error
		1402	{
		1403	print STDERR "*FIPS module directory sanity check failed*\n";
		1404	print STDERR "FIPS module build failed, or was deleted\n";
		1405	print STDERR "Please rebuild FIPS module.\n";
		1406	exit 1;
		1407	}
		1408
		1409	sub fips_check_files
		1410	{
		1411	my $dir = shift @_;
		1412	my $ret = 1;
		1413	if (!-d $dir)
		1414	{
		1415	print STDERR "FIPS module directory $dir does not exist\n";
		1416	fipslib_error();
		1417	}
		1418	foreach (@_)
		1419	{
		1420	if (!-f "$dir${o}$_")
		1421	{
		1422	print STDERR "FIPS module file $_ does not exist!\n";
		1423	$ret = 0;
		1424	}
		1425	}
		1426	fipslib_error() if ($ret == 0);
		1427	}