PROV: Relegate most of the FIPS provider code to libfips.a

provider/fips/fipsprov.c contains a number of symbols that get used by anything that's included in libfips.a, at least on Unix. Unfortunately, there are platforms that do not support resolving symbols to things that are already included in the end product (module in this case) being built; they only support resolving symbols with what comes next in the linking process. The offending symbols in this case are FIPS_security_check_enabled, c_thread_start and ossl_fips_intern_provider_init. We resolve this by placing provider/fips/fipsprov.c in libfips.a along with everything else there. That takes care of the offending symbols. What remains is to ensure that there is an entry point in an object file used directly when linking the module, providers/fips/fips_entry.c Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15370)
2 years ago · b938544969
parent d2f82495a2
commit b938544969
3 changed files with 45 additions and 6 deletions
--- a/providers/fips/build.info
+++ b/providers/fips/build.info
@ -1,2 +1,6 @@
-SOURCE[../fips]=fipsprov.c self_test.c self_test_kats.c
-INCLUDE[../fips]=../implementations/include ../common/include ../..
+# We include the provider implementation into ../libfips.a, so that all
+# platforms can resolve symbols in other members of that library.
+SOURCE[../libfips.a]=fipsprov.c self_test.c self_test_kats.c
+
+# It is necessary to have an explicit entry point
+SOURCE[../fips]=fips_entry.c
--- a/providers/fips/fips_entry.c
+++ b/providers/fips/fips_entry.c
@ -0,0 +1,19 @@
+/*
+ * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/core.h>
+
+OSSL_provider_init_fn OSSL_provider_init_int;
+int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
+                       const OSSL_DISPATCH *in,
+                       const OSSL_DISPATCH **out,
+                       void **provctx)
+{
+    return OSSL_provider_init_int(handle, in, out, provctx);
+}
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@ -518,10 +518,26 @@ static const OSSL_DISPATCH intern_dispatch_table[] = {
    { 0, NULL }
 };

-int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
-                       const OSSL_DISPATCH *in,
-                       const OSSL_DISPATCH **out,
-                       void **provctx)
+/*
+ * On VMS, the provider init function name is expected to be uppercase,
+ * see the pragmas in <openssl/core.h>.  Let's do the same with this
+ * internal name.  This is how symbol names are treated by default
+ * by the compiler if nothing else is said, but since this is part
+ * of libfips, and we build our libraries with mixed case symbol names,
+ * we must switch back to this default explicitly here.
+ */
+#ifdef __VMS
+# pragma names save
+# pragma names uppercase,truncated
+#endif
+OSSL_provider_init_fn OSSL_provider_init_int;
+#ifdef __VMS
+# pragma names restore
+#endif
+int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle,
+                           const OSSL_DISPATCH *in,
+                           const OSSL_DISPATCH **out,
+                           void **provctx)
 {
    FIPS_GLOBAL *fgbl;
    OSSL_LIB_CTX *libctx = NULL;