[openssl] master update
Richard Levitte
levitte at openssl.org
Wed May 26 13:11:57 UTC 2021
The branch master has been updated
via 7c499c7da93561fd620338cc4f8691c1dbc9ee36 (commit)
via f5657ce8e664cbb1e3314f54385b9a4d653e6bae (commit)
via 6dd07a9328950ff8bf3f95ad35caf3a4e1e33a15 (commit)
via a2405c5f2019707d1a4306f152faa9ccda5f4cd5 (commit)
from bfd6b619b6ccba8aee6b1d9ea1af21f0e03567dc (commit)
- Log -----------------------------------------------------------------
commit 7c499c7da93561fd620338cc4f8691c1dbc9ee36
Author: Richard Levitte <levitte at openssl.org>
Date: Mon May 24 14:25:28 2021 +0200
TEST: Add test specific fipsmodule.cnf, and use it
We add the concept of preparation recipes, which are performed
unconditionally. They are all expected to match the pattern
test/recipes/00-prep_*.t.
We add one such preparation recipe, test/recipes/00-prep_fipsmodule_cnf.t,
which helps us generate a test specific fipsmodule.cnf, to be used by
all other tests.
Fixes #15166
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15436)
commit f5657ce8e664cbb1e3314f54385b9a4d653e6bae
Author: Richard Levitte <levitte at openssl.org>
Date: Mon May 24 14:24:32 2021 +0200
Build file templates: rework FIPS module installation
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15436)
commit 6dd07a9328950ff8bf3f95ad35caf3a4e1e33a15
Author: Richard Levitte <levitte at openssl.org>
Date: Mon May 24 14:19:38 2021 +0200
Build file templates: rework how general dependencies are computed
For some types of targets, we pretty much know what kinds of files all
the dependencies are. For some, however, we can't assume anything,
and are faced with dependencies in platform agnostic form. We need to
find those in diverse places in %unified_info, and deduce from there
how they should be converted to a platform specific form.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15436)
commit a2405c5f2019707d1a4306f152faa9ccda5f4cd5
Author: Richard Levitte <levitte at openssl.org>
Date: Mon May 24 14:06:00 2021 +0200
Rework how providers/fipsmodule.cnf is produced
First of all, we have concluded that we can calculate the integrity
checksum with a simple perl script.
Second, having the production of providers/fipsmodule.cnf as a
dependency for run_tests wasn't quite right. What we really want is
to generate it as soon as a new providers/fips.so is produced. That
required a small bit of fiddling with how diverse dependencies are
made.
Fixes #15166
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15436)
-----------------------------------------------------------------------
Summary of changes:
Configurations/descrip.mms.tmpl | 99 +++++++++++---------
Configurations/unix-Makefile.tmpl | 97 ++++++++++----------
Configurations/windows-makefile.tmpl | 101 +++++++++++----------
providers/build.info | 15 +--
...t_fipsmodule_cnf.t => 00-prep_fipsmodule_cnf.t} | 19 ++--
test/recipes/01-test_fipsmodule_cnf.t | 2 +-
test/recipes/90-test_threads.t | 2 +-
test/run_tests.pl | 11 ++-
util/mk-fipsmodule-cnf.pl | 44 +++++++++
9 files changed, 225 insertions(+), 165 deletions(-)
copy test/recipes/{01-test_fipsmodule_cnf.t => 00-prep_fipsmodule_cnf.t} (66%)
create mode 100644 util/mk-fipsmodule-cnf.pl
diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl
index 4188e29020..3430f7258d 100644
--- a/Configurations/descrip.mms.tmpl
+++ b/Configurations/descrip.mms.tmpl
@@ -62,7 +62,12 @@
@{$unified_info{modules}};
our @install_modules =
grep { !$unified_info{attributes}->{modules}->{$_}->{noinst}
- && !$unified_info{attributes}->{modules}->{$_}->{engine} }
+ && !$unified_info{attributes}->{modules}->{$_}->{engine}
+ && !$unified_info{attributes}->{modules}->{$_}->{fips} }
+ @{$unified_info{modules}};
+ our @install_fipsmodules =
+ grep { !$unified_info{attributes}->{modules}->{$_}->{noinst}
+ && $unified_info{attributes}->{modules}->{$_}->{fips} }
@{$unified_info{modules}};
our @install_programs =
grep { !$unified_info{attributes}->{programs}->{$_}->{noinst} }
@@ -269,15 +274,23 @@ SHLIB_TARGET={- $target{shared_target} -}
LIBS={- join(", ", map { "-\n\t".$_.".OLB" } @libs) -}
SHLIBS={- join(", ", map { "-\n\t".$_.".EXE" } @shlibs) -}
-FIPSMODULENAME={- # We do some extra checking here, as there should be only one
- use File::Basename;
- my @fipsmodules =
- grep { !$unified_info{attributes}->{modules}->{$_}->{noinst}
- && $unified_info{attributes}->{modules}->{$_}->{fips} }
- @{$unified_info{modules}};
- die "More that one FIPS module" if scalar @fipsmodules > 1;
+MODULES={- join(", ", map { "-\n\t".$_.".EXE" }
+ # Drop all modules that are dependencies, they will
+ # be processed through their dependents
+ grep { my $x = $_;
+ !grep { grep { $_ eq $x } @$_ }
+ values %{$unified_info{depends}} }
+ @{$unified_info{modules}}) -}
+FIPSMODULE={- # We do some extra checking here, as there should be only one
+ use File::Basename;
+ our @fipsmodules =
+ grep { !$unified_info{attributes}->{modules}->{$_}->{noinst}
+ && $unified_info{attributes}->{modules}->{$_}->{fips} }
+ @{$unified_info{modules}};
+ die "More that one FIPS module" if scalar @fipsmodules > 1;
+ join(" ", map { platform->dso($_) } @fipsmodules) -}
+FIPSMODULENAME={- die "More that one FIPS module" if scalar @fipsmodules > 1;
join(", ", map { basename(platform->dso($_)) } @fipsmodules) -}
-MODULES={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{modules}}) -}
PROGRAMS={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{programs}}) -}
SCRIPTS={- join(", ", map { "-\n\t".$_ } @{$unified_info{scripts}}) -}
{- output_off() if $disabled{makedepend}; "" -}
@@ -307,6 +320,8 @@ INSTALL_LIBS={- join(", ", map { "-\n\t".$_.".OLB" } @install_libs) -}
INSTALL_SHLIBS={- join(", ", map { "-\n\t".$_.".EXE" } @install_shlibs) -}
INSTALL_ENGINES={- join(", ", map { "-\n\t".$_.".EXE" } @install_engines) -}
INSTALL_MODULES={- join(", ", map { "-\n\t".$_.".EXE" } @install_modules) -}
+INSTALL_FIPSMODULE={- join(", ", map { "-\n\t".$_.".EXE" } @install_fipsmodules) -}
+INSTALL_FIPSMODULECONF=[.providers]fipsmodule.cnf
INSTALL_PROGRAMS={- join(", ", map { "-\n\t".$_.".EXE" } @install_programs) -}
BIN_SCRIPTS={- join(", ", @install_bin_scripts) -}
MISC_SCRIPTS={- join(", ", @install_misc_scripts) -}
@@ -549,17 +564,20 @@ install_docs : install_html_docs
uninstall_docs : uninstall_html_docs
-install_fips : install_sw
+{- output_off() if $disabled{fips}; "" -}
+install_fips : install_sw $(INSTALL_FIPSMODULECONF)
+ @ WRITE SYS$OUTPUT "*** Installing FIPS module"
+ COPY/PROT=W:RE $(INSTALL_FIPSMODULES) -
+ ossl_installroot:[MODULES{- $sover_dirname.$target{pointer_size} -}.'arch']$(FIPSMODULENAME)
@ WRITE SYS$OUTPUT "*** Installing FIPS module configuration"
- @ WRITE SYS$OUTPUT "fipsinstall $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).cnf"
- openssl fipsinstall -
- -module ossl_installroot:[MODULES{- $sover_dirname.$target{pointer_size} -}.'arch']$(FIPSMODULENAME) -
- -out ossl_installroot:[MODULES{- $sover_dirname.$target{pointer_size} -}.'arch']$(FIPSMODULENAME).cnf -
- -macopt "hexkey:$(FIPSKEY)"
+ COPY/PROT=W:RE $(INSTALL_FIPSMODULESCONF) OSSL_DATAROOT:[000000]
uninstall_fips : uninstall_sw
@ WRITE SYS$OUTPUT "*** Uninstalling FIPS module configuration"
- DELETE ossl_installroot:[MODULES{- $sover_dirname.$target{pointer_size} -}.'arch']$(FIPSMODULENAME).cnf;*
+ DELETE OSSL_DATAROOT:[000000]fipsmodule.cnf;*
+ @ WRITE SYS$OUTPUT "*** Uninstalling FIPS module"
+ DELETE ossl_installroot:[MODULES{- $sover_dirname.$target{pointer_size} -}.'arch']$(FIPSMODULENAME);*
+{- output_on() if $disabled{fips}; "" -}
install_ssldirs : check_INSTALLTOP
- CREATE/DIR/PROT=(S:RWED,O:RWE,G:RE,W:RE) OSSL_DATAROOT:[000000]
@@ -754,6 +772,17 @@ reconfigure reconf :
use File::Spec::Functions qw/abs2rel rel2abs catfile catdir/;
use File::Spec::Unix;
+ # Helper function to convert dependencies in platform agnostic form to
+ # dependencies in platform form.
+ sub compute_platform_depends {
+ map { my $x = $_;
+
+ grep { $x eq $_ } @{$unified_info{programs}} and platform->bin($x)
+ or grep { $x eq $_ } @{$unified_info{modules}} and platform->dso($x)
+ or grep { $x eq $_ } @{$unified_info{libraries}} and platform->lib($x)
+ or platform->convertext($x); } @_;
+ }
+
# Helper function to figure out dependencies on libraries
# It takes a list of library names and outputs a list of dependencies
sub compute_lib_depends {
@@ -844,7 +873,7 @@ EOF
sub generatetarget {
my %args = @_;
- my $deps = join(" ", @{$args{deps}});
+ my $deps = join(" ", compute_platform_depends(@{$args{deps}}));
return <<"EOF";
$args{target} : $deps
EOF
@@ -856,7 +885,9 @@ EOF
my $gen_args = join('', map { " $_" }
@{$args{generator}}[1..$#{$args{generator}}]);
my $gen_incs = join("", map { ' "-I'.$_.'"' } @{$args{generator_incs}});
- my $deps = join(", -\n\t\t", @{$args{generator_deps}}, @{$args{deps}});
+ my $deps = join(", -\n\t\t",
+ compute_platform_depends(@{$args{generator_deps}},
+ @{$args{deps}}));
if ($args{src} =~ /\.html$/) {
#
@@ -949,38 +980,22 @@ EOF
my $dofile = abs2rel(rel2abs(catfile($config{sourcedir},
"util", "dofile.pl")),
rel2abs($config{builddir}));
- my @modules = ( 'configdata.pm',
- grep { $_ =~ m|\.pm$| } @{$args{deps}} );
- my %moduleincs = map { '"-I'.dirname($_).'"' => 1 } @modules;
- $deps = join(' ', $deps, @modules);
- @modules = map { '"-M'.basename($_, '.pm').'"' } @modules;
- my $modules = join(' ', '', sort keys %moduleincs, @modules);
+ my @perlmodules = ( 'configdata.pm',
+ grep { $_ =~ m|\.pm$| } @{$args{deps}} );
+ my %perlmoduleincs = map { '"-I'.dirname($_).'"' => 1 } @perlmodules;
+ $deps = join(' ', $deps, compute_platform_depends(@perlmodules));
+ @perlmodules = map { '"-M'.basename($_, '.pm').'"' } @perlmodules;
+ my $perlmodules = join(' ', '', sort keys %perlmoduleincs, @perlmodules);
return <<"EOF";
$args{src} : $gen0 $deps
- \$(PERL)$modules $dofile "-o$target{build_file}" $gen0$gen_args > \$\@
+ \$(PERL)$perlmodules $dofile "-o$target{build_file}" $gen0$gen_args > \$\@
EOF
} elsif (grep { $_ eq $gen0 } @{$unified_info{programs}}) {
#
# Generic generator using OpenSSL programs
#
- # Redo $deps, because programs aren't expected to have deps of their
- # own. This is a little more tricky, though, because running programs
- # may have dependencies on all sorts of files, so we search through
- # our database of programs and modules to see if our dependencies
- # are one of those.
- $deps = join(' ', map { my $x = $_;
- if (grep { $x eq $_ }
- @{$unified_info{programs}}) {
- platform->bin($x);
- } elsif (grep { $x eq $_ }
- @{$unified_info{modules}}) {
- platform->dso($x);
- } else {
- $x;
- }
- } @{$args{deps}});
- # Also redo $gen0, to ensure that we have the proper extension
+ # Redo $gen0, to ensure that we have the proper extension
$gen0 = platform->bin($gen0);
return <<"EOF";
$args{src} : $gen0 $deps
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index 5a5d44ce15..78db83a377 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -90,14 +90,21 @@ SHLIB_INFO={- join(" \\\n" . ' ' x 11,
MODULES={- join(" \\\n" . ' ' x 8,
fill_lines(" ", $COLUMNS - 8,
map { platform->dso($_) }
+ # Drop all modules that are dependencies, they will
+ # be processed through their dependents
+ grep { my $x = $_;
+ !grep { grep { $_ eq $x } @$_ }
+ values %{$unified_info{depends}} }
@{$unified_info{modules}})) -}
-FIPSMODULENAME={- # We do some extra checking here, as there should be only one
- use File::Basename;
- my @fipsmodules =
- grep { !$unified_info{attributes}->{modules}->{$_}->{noinst}
- && $unified_info{attributes}->{modules}->{$_}->{fips} }
- @{$unified_info{modules}};
- die "More that one FIPS module" if scalar @fipsmodules > 1;
+FIPSMODULE={- # We do some extra checking here, as there should be only one
+ use File::Basename;
+ our @fipsmodules =
+ grep { !$unified_info{attributes}->{modules}->{$_}->{noinst}
+ && $unified_info{attributes}->{modules}->{$_}->{fips} }
+ @{$unified_info{modules}};
+ die "More that one FIPS module" if scalar @fipsmodules > 1;
+ join(" ", map { platform->dso($_) } @fipsmodules) -}
+FIPSMODULENAME={- die "More that one FIPS module" if scalar @fipsmodules > 1;
join(" ", map { basename(platform->dso($_)) } @fipsmodules) -}
PROGRAMS={- join(" \\\n" . ' ' x 9,
@@ -166,23 +173,24 @@ INSTALL_ENGINES={-
&& $unified_info{attributes}->{modules}->{$_}->{engine} }
@{$unified_info{modules}}))
-}
-INSTALL_FIPS={-
+INSTALL_MODULES={-
join(" \\\n" . ' ' x 16,
fill_lines(" ", $COLUMNS - 16,
map { platform->dso($_) }
grep { !$unified_info{attributes}->{modules}->{$_}->{noinst}
- && $unified_info{attributes}->{modules}->{$_}->{fips} }
+ && !$unified_info{attributes}->{modules}->{$_}->{engine}
+ && !$unified_info{attributes}->{modules}->{$_}->{fips} }
@{$unified_info{modules}}))
-}
-INSTALL_MODULES={-
+INSTALL_FIPSMODULE={-
join(" \\\n" . ' ' x 16,
fill_lines(" ", $COLUMNS - 16,
map { platform->dso($_) }
grep { !$unified_info{attributes}->{modules}->{$_}->{noinst}
- && !$unified_info{attributes}->{modules}->{$_}->{engine}
- && !$unified_info{attributes}->{modules}->{$_}->{fips} }
+ && $unified_info{attributes}->{modules}->{$_}->{fips} }
@{$unified_info{modules}}))
-}
+INSTALL_FIPSMODULECONF=providers/fipsmodule.cnf
INSTALL_PROGRAMS={-
join(" \\\n" . ' ' x 16,
fill_lines(" ", $COLUMNS - 16, map { platform->bin($_) }
@@ -614,18 +622,18 @@ uninstall_docs: uninstall_man_docs uninstall_html_docs
$(RM) -r $(DESTDIR)$(DOCDIR)
{- output_off() if $disabled{fips}; "" -}
-install_fips: build_sw providers/fipsmodule.cnf
+install_fips: build_sw $(INSTALL_FIPSMODULECONF)
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MODULESDIR)
@$(ECHO) "*** Installing FIPS module"
- @$(ECHO) "install $(INSTALL_FIPS) -> $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)"
- @cp "$(INSTALL_FIPS)" $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new
+ @$(ECHO) "install $(INSTALL_FIPSMODULE) -> $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)"
+ @cp "$(INSTALL_FIPSMODULE)" $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new
@chmod 755 $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new
@mv -f $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new \
$(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)
@$(ECHO) "*** Installing FIPS module configuration"
- @$(ECHO) "install providers/fipsmodule.cnf -> $(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf"
- @cp providers/fipsmodule.cnf $(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf
+ @$(ECHO) "install $(INSTALL_FIPSMODULECONF) -> $(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf"
+ @cp $(INSTALL_FIPSMODULECONF) $(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf
uninstall_fips:
@$(ECHO) "*** Uninstalling FIPS module configuration"
@@ -1450,6 +1458,17 @@ reconfigure reconf:
use File::Basename;
use File::Spec::Functions qw/:DEFAULT abs2rel rel2abs/;
+ # Helper function to convert dependencies in platform agnostic form to
+ # dependencies in platform form.
+ sub compute_platform_depends {
+ map { my $x = $_;
+
+ grep { $x eq $_ } @{$unified_info{programs}} and platform->bin($x)
+ or grep { $x eq $_ } @{$unified_info{modules}} and platform->dso($x)
+ or grep { $x eq $_ } @{$unified_info{libraries}} and platform->lib($x)
+ or platform->convertext($x); } @_;
+ }
+
# Helper function to figure out dependencies on libraries
# It takes a list of library names and outputs a list of dependencies
sub compute_lib_depends {
@@ -1464,7 +1483,7 @@ reconfigure reconf:
sub generatetarget {
my %args = @_;
- my $deps = join(" ", @{$args{deps}});
+ my $deps = join(" ", compute_platform_depends(@{$args{deps}}));
return <<"EOF";
$args{target}: $deps
EOF
@@ -1478,7 +1497,8 @@ EOF
my $gen_incs = join("", map { " -I".$_ } @{$args{generator_incs}});
my $incs = join("", map { " -I".$_ } @{$args{incs}});
my $defs = join("", map { " -D".$_ } @{$args{defs}});
- my $deps = join(" ", @{$args{generator_deps}}, @{$args{deps}});
+ my $deps = join(" ", compute_platform_depends(@{$args{generator_deps}},
+ @{$args{deps}}));
if ($args{src} =~ /\.html$/) {
#
@@ -1555,38 +1575,22 @@ EOF
my $dofile = abs2rel(rel2abs(catfile($config{sourcedir},
"util", "dofile.pl")),
rel2abs($config{builddir}));
- my @modules = ( 'configdata.pm',
- grep { $_ =~ m|\.pm$| } @{$args{deps}} );
- my %moduleincs = map { '"-I'.dirname($_).'"' => 1 } @modules;
- $deps = join(' ', $deps, @modules);
- @modules = map { "-M".basename($_, '.pm') } @modules;
- my $modules = join(' ', '', sort keys %moduleincs, @modules);
+ my @perlmodules = ( 'configdata.pm',
+ grep { $_ =~ m|\.pm$| } @{$args{deps}} );
+ my %perlmoduleincs = map { '"-I'.dirname($_).'"' => 1 } @perlmodules;
+ $deps = join(' ', $deps, compute_platform_depends(@perlmodules));
+ @perlmodules = map { "-M".basename($_, '.pm') } @perlmodules;
+ my $perlmodules = join(' ', '', sort keys %perlmoduleincs, @perlmodules);
return <<"EOF";
$args{src}: $gen0 $deps
- \$(PERL)$modules "$dofile" "-o$target{build_file}" $gen0$gen_args > \$@
+ \$(PERL)$perlmodules "$dofile" "-o$target{build_file}" $gen0$gen_args > \$@
EOF
} elsif (grep { $_ eq $gen0 } @{$unified_info{programs}}) {
#
# Generic generator using OpenSSL programs
#
- # Redo $deps, because programs aren't expected to have deps of their
- # own. This is a little more tricky, though, because running programs
- # may have dependencies on all sorts of files, so we search through
- # our database of programs and modules to see if our dependencies
- # are one of those.
- $deps = join(' ', map { my $x = $_;
- if (grep { $x eq $_ }
- @{$unified_info{programs}}) {
- platform->bin($x);
- } elsif (grep { $x eq $_ }
- @{$unified_info{modules}}) {
- platform->dso($x);
- } else {
- $x;
- }
- } @{$args{deps}});
- # Also redo $gen0, to ensure that we have the proper extension where
+ # Redo $gen0, to ensure that we have the proper extension where
# necessary.
$gen0 = platform->bin($gen0);
# Use $(PERL) to execute wrap.pl directly to avoid calling env
@@ -1933,11 +1937,8 @@ EOF
sub generatedir {
my %args = @_;
my $dir = $args{dir};
- my @deps = map { platform->convertext($_) } @{$args{deps}};
+ my @deps = compute_platform_depends(@{$args{deps}});
my @comments = ();
- my %extinfo = ( dso => platform->dsoext(),
- lib => platform->libext(),
- bin => platform->binext() );
# We already have a 'test' target, and the top directory is just plain
# silly
@@ -1952,7 +1953,7 @@ EOF
if ($type ne "lib") {
foreach my $prod (@{$unified_info{dirinfo}->{$dir}->{products}->{$type}}) {
if (dirname($prod) eq $dir) {
- push @deps, $prod.$extinfo{$type};
+ push @deps, compute_platform_depends($prod);
} else {
push @comments, "# No support to produce $type ".join(", ", @{$unified_info{dirinfo}->{$dir}->{products}->{$type}});
}
diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl
index b36592d383..af8a81c8b2 100644
--- a/Configurations/windows-makefile.tmpl
+++ b/Configurations/windows-makefile.tmpl
@@ -49,17 +49,25 @@ SHLIB_VERSION_NUMBER={- $config{shlib_version} -}
LIBS={- join(" ", map { ( platform->sharedlib_import($_), platform->staticlib($_) ) } @{$unified_info{libraries}}) -}
SHLIBS={- join(" ", map { platform->sharedlib($_) // () } @{$unified_info{libraries}}) -}
SHLIBPDBS={- join(" ", map { platform->sharedlibpdb($_) // () } @{$unified_info{libraries}}) -}
-MODULES={- our @MODULES = map { platform->dso($_) } @{$unified_info{modules}};
+MODULES={- our @MODULES = map { platform->dso($_) }
+ # Drop all modules that are dependencies, they will
+ # be processed through their dependents
+ grep { my $x = $_;
+ !grep { grep { $_ eq $x } @$_ }
+ values %{$unified_info{depends}} }
+ @{$unified_info{modules}};
join(" ", @MODULES) -}
MODULEPDBS={- join(" ", map { platform->dsopdb($_) } @{$unified_info{modules}}) -}
-FIPSMODULENAME={- # We do some extra checking here, as there should be only one
- use File::Basename;
- my @fipsmodules =
- grep { !$unified_info{attributes}->{modules}->{$_}->{noinst}
- && $unified_info{attributes}->{modules}->{$_}->{fips} }
- @{$unified_info{modules}};
- die "More that one FIPS module" if scalar @fipsmodules > 1;
- join(" ", map { basename(platform->dso($_)) } @fipsmodules) -}
+FIPSMODULE={- # We do some extra checking here, as there should be only one
+ use File::Basename;
+ our @fipsmodules =
+ grep { !$unified_info{attributes}->{modules}->{$_}->{noinst}
+ && $unified_info{attributes}->{modules}->{$_}->{fips} }
+ @{$unified_info{modules}};
+ die "More that one FIPS module" if scalar @fipsmodules > 1;
+ join(" ", map { basename(platform->dso($_)) } @fipsmodules) -}
+FIPSMODULENAME={- die "More that one FIPS module" if scalar @fipsmodules > 1;
+ join(", ", map { basename(platform->dso($_)) } @fipsmodules) -}
PROGRAMS={- our @PROGRAMS = map { platform->bin($_) } @{$unified_info{programs}}; join(" ", @PROGRAMS) -}
PROGRAMPDBS={- join(" ", map { $_.".pdb" } @{$unified_info{programs}}) -}
SCRIPTS={- our @SCRIPTS = @{$unified_info{scripts}}; join(" ", @SCRIPTS) -}
@@ -104,12 +112,6 @@ INSTALL_ENGINEPDBS={-
&& $unified_info{attributes}->{modules}->{$_}->{engine} }
@{$unified_info{modules}})
-}
-INSTALL_FIPS={-
- join(" ", map { quotify1(platform->dso($_)) }
- grep { !$unified_info{attributes}->{modules}->{$_}->{noinst}
- && $unified_info{attributes}->{modules}->{$_}->{fips} }
- @{$unified_info{modules}})
--}
INSTALL_MODULES={-
join(" ", map { quotify1(platform->dso($_)) }
grep { !$unified_info{attributes}->{modules}->{$_}->{noinst}
@@ -123,6 +125,13 @@ INSTALL_MODULEPDBS={-
&& !$unified_info{attributes}->{modules}->{$_}->{engine} }
@{$unified_info{modules}})
-}
+INSTALL_FIPSMODULE={-
+ join(" ", map { quotify1(platform->dso($_)) }
+ grep { !$unified_info{attributes}->{modules}->{$_}->{noinst}
+ && $unified_info{attributes}->{modules}->{$_}->{fips} }
+ @{$unified_info{modules}})
+-}
+INSTALL_FIPSMODULECONF=providers\fipsmodule.cnf
INSTALL_PROGRAMS={-
join(" ", map { quotify1(platform->bin($_)) }
grep { !$unified_info{attributes}->{programs}->{$_}->{noinst} }
@@ -491,13 +500,13 @@ install_fips: build_sw providers\fipsmodule.cnf
# @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(PERL) $(SRCDIR)\util\mkdir-p.pl $(MODULESDIR)
@$(ECHO) "*** Installing FIPS module"
- @$(ECHO) "install $(INSTALL_FIPS) -> $(MODULESDIR)\$(FIPSMODULENAME)"
- @copy "$(INSTALL_FIPS)" $(MODULESDIR)\$(FIPSMODULENAME).new
+ @$(ECHO) "install $(INSTALL_FIPSMODULE) -> $(MODULESDIR)\$(FIPSMODULENAME)"
+ @copy "$(INSTALL_FIPSMODULE)" $(MODULESDIR)\$(FIPSMODULENAME).new
@move /Y $(MODULESDIR)\$(FIPSMODULENAME).new \
$(MODULESDIR)\$(FIPSMODULENAME)
@$(ECHO) "*** Installing FIPS module configuration"
- @$(ECHO) "install providers\fipsmodule.cnf -> $(OPENSSLDIR)\fipsmodule.cnf"
- @copy providers\fipsmodule.cnf "$(OPENSSLDIR)\fipsmodule.cnf"
+ @$(ECHO) "install $(INSTALL_FIPSMODULECONF) -> $(OPENSSLDIR)\fipsmodule.cnf"
+ @copy $(INSTALL_FIPSMODULECONF) "$(OPENSSLDIR)\fipsmodule.cnf"
uninstall_fips:
@$(ECHO) "*** Uninstalling FIPS module configuration"
@@ -661,6 +670,17 @@ reconfigure reconf:
use File::Basename;
use File::Spec::Functions qw/:DEFAULT abs2rel rel2abs file_name_is_absolute/;
+ # Helper function to convert dependencies in platform agnostic form to
+ # dependencies in platform form.
+ sub compute_platform_depends {
+ map { my $x = $_;
+
+ grep { $x eq $_ } @{$unified_info{programs}} and platform->bin($x)
+ or grep { $x eq $_ } @{$unified_info{modules}} and platform->dso($x)
+ or grep { $x eq $_ } @{$unified_info{libraries}} and platform->lib($x)
+ or platform->convertext($x); } @_;
+ }
+
# Helper function to figure out dependencies on libraries
# It takes a list of library names and outputs a list of dependencies
sub compute_lib_depends {
@@ -672,7 +692,7 @@ reconfigure reconf:
sub generatetarget {
my %args = @_;
- my $deps = join(" ", @{$args{deps}});
+ my $deps = join(" ", compute_platform_depends(@{$args{deps}}));
return <<"EOF";
$args{target}: $deps
EOF
@@ -690,11 +710,10 @@ EOF
my $gen_incs = join("", map { " -I\"$_\"" } @{$args{generator_incs}});
my $incs = join("", map { " -I\"$_\"" } @{$args{incs}});
my $defs = join("", map { " -D".$_ } @{$args{defs}});
- my $deps = @{$args{deps}} ?
- join(' ',
- map { file_name_is_absolute($_) || ($_ =~ m|^../|) ? "\"$_\"" : $_ }
- (@{$args{generator_deps}}, @{$args{deps}}))
- : '';
+ my $deps = join(' ',
+ map { file_name_is_absolute($_) || ($_ =~ m|^../|) ? "\"$_\"" : $_ }
+ compute_platform_depends(@{$args{generator_deps}},
+ @{$args{deps}}));
if ($args{src} =~ /\.html$/) {
#
@@ -773,38 +792,22 @@ EOF
my $dofile = abs2rel(rel2abs(catfile($config{sourcedir},
"util", "dofile.pl")),
rel2abs($config{builddir}));
- my @modules = ( 'configdata.pm',
- grep { $_ =~ m|\.pm$| } @{$args{deps}} );
- my %moduleincs = map { '"-I'.dirname($_).'"' => 1 } @modules;
- $deps = join(' ', $deps, @modules);
- @modules = map { "-M".basename($_, '.pm') } @modules;
- my $modules = join(' ', '', sort keys %moduleincs, @modules);
+ my @perlmodules = ( 'configdata.pm',
+ grep { $_ =~ m|\.pm$| } @{$args{deps}} );
+ my %perlmoduleincs = map { '"-I'.dirname($_).'"' => 1 } @perlmodules;
+ $deps = join(' ', $deps, compute_platform_depends(@perlmodules));
+ @perlmodules = map { "-M".basename($_, '.pm') } @perlmodules;
+ my $perlmodules = join(' ', '', sort keys %perlmoduleincs, @perlmodules);
return <<"EOF";
$args{src}: "$gen0" $deps
- "\$(PERL)"$modules "$dofile" "-o$target{build_file}" "$gen0"$gen_args > \$@
+ "\$(PERL)"$perlmodules "$dofile" "-o$target{build_file}" "$gen0"$gen_args > \$@
EOF
} elsif (grep { $_ eq $gen0 } @{$unified_info{programs}}) {
#
# Generic generator using OpenSSL programs
#
- # Redo $deps, because programs aren't expected to have deps of their
- # own. This is a little more tricky, though, because running programs
- # may have dependencies on all sorts of files, so we search through
- # our database of programs and modules to see if our dependencies
- # are one of those.
- $deps = join(' ', map { my $x = $_;
- if (grep { $x eq $_ }
- @{$unified_info{programs}}) {
- platform->bin($x);
- } elsif (grep { $x eq $_ }
- @{$unified_info{modules}}) {
- platform->dso($x);
- } else {
- $x;
- }
- } @{$args{deps}});
- # Also redo $gen0, to ensure that we have the proper extension.
+ # Redo $gen0, to ensure that we have the proper extension.
$gen0 = platform->bin($gen0);
return <<"EOF";
$args{src}: $gen0 $deps "\$(BLDDIR)\\util\\wrap.pl"
diff --git a/providers/build.info b/providers/build.info
index e9ec4cf646..3f55f3aa44 100644
--- a/providers/build.info
+++ b/providers/build.info
@@ -114,17 +114,10 @@ IF[{- !$disabled{fips} -}]
GENERATE[fips.ld]=../util/providers.num
ENDIF
- # For tests that try to use the FIPS module, we need to make a local fips
- # module installation. We have the output go to standard output, because
- # the generated commands in build templates are expected to catch that,
- # and thereby keep control over the exact output file location.
- IF[{- !$disabled{tests} -}]
- DEPEND[|run_tests|]=fipsmodule.cnf
- GENERATE[fipsmodule.cnf]=../apps/openssl fipsinstall \
- -module providers/$(FIPSMODULENAME) -provider_name fips \
- -mac_name HMAC -section_name fips_sect
- DEPEND[fipsmodule.cnf]=$FIPSGOAL
- ENDIF
+ DEPEND[|build_modules_nodep|]=fipsmodule.cnf
+ GENERATE[fipsmodule.cnf]=../util/mk-fipsmodule-cnf.pl \
+ -module $(FIPSMODULE) -section_name fips_sect -key $(FIPSKEY)
+ DEPEND[fipsmodule.cnf]=$FIPSGOAL
ENDIF
#
diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t
similarity index 66%
copy from test/recipes/01-test_fipsmodule_cnf.t
copy to test/recipes/00-prep_fipsmodule_cnf.t
index 16a89faa58..8d53e8a40f 100644
--- a/test/recipes/01-test_fipsmodule_cnf.t
+++ b/test/recipes/00-prep_fipsmodule_cnf.t
@@ -6,9 +6,6 @@
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
-# This is a sanity checker to see that the fipsmodule.cnf that's been
-# generated for testing is valid.
-
use strict;
use warnings;
@@ -16,7 +13,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_dir bldtop_dir bldtop_file srctop_file data
use OpenSSL::Test::Utils;
BEGIN {
- setup("test_fipsmodule");
+ setup("prep_fipsmodule");
}
use lib srctop_dir('Configurations');
@@ -24,14 +21,16 @@ use lib bldtop_dir('.');
use platform;
my $no_check = disabled("fips");
-plan skip_all => "Test only supported in a fips build"
+plan skip_all => "FIPS module config file only supported in a fips build"
if $no_check;
-plan tests => 1;
my $fipsmodule = bldtop_file('providers', platform->dso('fips'));
-my $fipsmoduleconf = bldtop_file('providers', 'fipsmodule.cnf');
+my $fipsmoduleconf = bldtop_file('test', 'fipsmodule.cnf');
+
+plan tests => 1;
-# verify the $fipsconf file
+# Create the $fipsmoduleconf file
ok(run(app(['openssl', 'fipsinstall',
- '-in', $fipsmoduleconf, '-module', $fipsmodule, '-verify'])),
- "fipsinstall verify");
+ '-module', $fipsmodule, '-provider_name', 'fips',
+ '-section_name', 'fips_sect', '-out', $fipsmoduleconf])),
+ "fips install");
diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t
index 16a89faa58..ce594817d5 100644
--- a/test/recipes/01-test_fipsmodule_cnf.t
+++ b/test/recipes/01-test_fipsmodule_cnf.t
@@ -29,7 +29,7 @@ plan skip_all => "Test only supported in a fips build"
plan tests => 1;
my $fipsmodule = bldtop_file('providers', platform->dso('fips'));
-my $fipsmoduleconf = bldtop_file('providers', 'fipsmodule.cnf');
+my $fipsmoduleconf = bldtop_file('test', 'fipsmodule.cnf');
# verify the $fipsconf file
ok(run(app(['openssl', 'fipsinstall',
diff --git a/test/recipes/90-test_threads.t b/test/recipes/90-test_threads.t
index 651fa805d5..d373fcbd16 100644
--- a/test/recipes/90-test_threads.t
+++ b/test/recipes/90-test_threads.t
@@ -38,7 +38,7 @@ if ($no_fips) {
# status is required.
open CFGBASE, '<', $config_path;
-open CFGINC, '<', bldtop_file('/providers/fipsmodule.cnf');
+open CFGINC, '<', bldtop_file('/test/fipsmodule.cnf');
open CFGOUT, '>', 'thread.cnf';
while (<CFGBASE>) {
diff --git a/test/run_tests.pl b/test/run_tests.pl
index 3d72a218bf..9f34ab9e7e 100644
--- a/test/run_tests.pl
+++ b/test/run_tests.pl
@@ -34,7 +34,7 @@ my $libdir = rel2abs(catdir($srctop, "util", "perl"));
my $jobs = $ENV{HARNESS_JOBS} // 1;
$ENV{OPENSSL_CONF} = rel2abs(catdir($srctop, "apps", "openssl.cnf"));
-$ENV{OPENSSL_CONF_INCLUDE} = rel2abs(catdir($bldtop, "providers"));
+$ENV{OPENSSL_CONF_INCLUDE} = rel2abs(catdir($bldtop, "test"));
$ENV{OPENSSL_MODULES} = rel2abs(catdir($bldtop, "providers"));
$ENV{OPENSSL_ENGINES} = rel2abs(catdir($bldtop, "engines"));
$ENV{CTLOG_FILE} = rel2abs(catdir($srctop, "test", "ct", "log_list.cnf"));
@@ -134,10 +134,15 @@ foreach my $arg (@ARGV ? @ARGV : ('alltests')) {
sub find_matching_tests {
my ($glob) = @_;
+ # prep recipes are mandatory
+ my @recipes = glob(catfile($recipesdir,"00-prep_*.t"));
+
if ($glob =~ m|^[\d\[\]\?\-]+$|) {
- return glob(catfile($recipesdir,"$glob-*.t"));
+ push @recipes, glob(catfile($recipesdir,"$glob-*.t"));
+ } else {
+ push @recipes, glob(catfile($recipesdir,"*-$glob.t"));
}
- return glob(catfile($recipesdir,"*-$glob.t"));
+ return @recipes;
}
# The following is quite a bit of hackery to adapt to both TAP::Harness
diff --git a/util/mk-fipsmodule-cnf.pl b/util/mk-fipsmodule-cnf.pl
new file mode 100644
index 0000000000..6a86e06b8b
--- /dev/null
+++ b/util/mk-fipsmodule-cnf.pl
@@ -0,0 +1,44 @@
+#! /usr/bin/env perl
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use Getopt::Long;
+
+my $activate = 1;
+my $conditional_errors = 1;
+my $security_checks = 1;
+my $mac_key;
+my $module_name;
+my $section_name = "fips_sect";
+
+GetOptions("key=s" => \$mac_key,
+ "module=s" => \$module_name,
+ "section_name=s" => \$section_name)
+ or die "Error when getting command line arguments";
+
+my $mac_keylen = length($mac_key);
+
+use Digest::SHA qw(hmac_sha256_hex);
+my $module_size = [ stat($module_name) ]->[7];
+
+open my $fh, "<:raw", $module_name or die "Trying to open $module_name: $!";
+read $fh, my $data, $module_size or die "Trying to read $module_name: $!";
+close $fh;
+
+# Calculate HMAC-SHA256 in hex, and split it into a list of two character
+# chunks, and join the chunks with colons.
+my @module_mac
+ = ( uc(hmac_sha256_hex($data, pack("H$mac_keylen", $mac_key))) =~ m/../g );
+my $module_mac = join(':', @module_mac);
+
+print <<_____;
+[$section_name]
+activate = $activate
+conditional-errors = $conditional_errors
+security-checks = $security_checks
+module-mac = $module_mac
+_____
More information about the openssl-commits
mailing list