openssl/sme8/openssl-fips-0.9.8e-use-fipscheck.patch

Do not create a fips canister but use a fipscheck equivalent method for
integrity verification of both libssl and libcrypto shared libraries.
diff -up openssl-fips-0.9.8e/apps/Makefile.use-fipscheck openssl-fips-0.9.8e/apps/Makefile
--- openssl-fips-0.9.8e/apps/Makefile.use-fipscheck     2007-08-15 15:35:29.000000000 +0200
+++ openssl-fips-0.9.8e/apps/Makefile   2009-03-26 15:16:09.000000000 +0100
@@ -152,8 +152,6 @@ $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(
        $(RM) $(EXE)
        shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
                shlib_target="$(SHLIB_TARGET)"; \
-       elif [ -n "$(FIPSCANLIB)" ]; then \
-         FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
        fi; \
        LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \
        [ "x$(FIPSCANLIB)" = "xlibfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
diff -up openssl-fips-0.9.8e/fips/fips.c.use-fipscheck openssl-fips-0.9.8e/fips/fips.c
--- openssl-fips-0.9.8e/fips/fips.c.use-fipscheck       2007-08-26 16:57:10.000000000 +0200
+++ openssl-fips-0.9.8e/fips/fips.c     2009-04-15 11:43:59.000000000 +0200
@@ -47,6 +47,8 @@
  *
  */
 
+#define _GNU_SOURCE
+
 #include <openssl/fips.h>
 #include <openssl/rand.h>
 #include <openssl/fips_rand.h>
@@ -56,6 +58,9 @@
 #include <openssl/rsa.h>
 #include <string.h>
 #include <limits.h>
+#include <dlfcn.h>
+#include <stdio.h>
+#include <stdlib.h>
 #include "fips_locl.h"
 
 #ifdef OPENSSL_FIPS
@@ -163,6 +168,7 @@ int FIPS_selftest()
        && FIPS_selftest_dsa();
     }
 
+#if 0
 extern const void         *FIPS_text_start(),  *FIPS_text_end();
 extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[];
 unsigned char              FIPS_signature [20] = { 0 };
@@ -241,6 +247,206 @@ int FIPS_check_incore_fingerprint(void)
 
     return 1;
     }
+#else
+/* we implement what libfipscheck does ourselves */
+
+static int
+get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
+{
+       Dl_info info;
+       void *dl, *sym;
+       int rv = -1;
+
+        dl = dlopen(libname, RTLD_LAZY);
+        if (dl == NULL) {
+               return -1;
+        }       
+
+       sym = dlsym(dl, symbolname);
+
+       if (sym != NULL && dladdr(sym, &info)) {
+               strncpy(path, info.dli_fname, pathlen-1);
+               path[pathlen-1] = '\0';
+               rv = 0;
+       }
+
+       dlclose(dl);    
+       
+       return rv;
+}
+
+static const char conv[] = "0123456789abcdef";
+
+static char *
+bin2hex(void *buf, size_t len)
+{
+       char *hex, *p;
+       unsigned char *src = buf;
+       
+       hex = malloc(len * 2 + 1);
+       if (hex == NULL)
+               return NULL;
+
+       p = hex;
+
+       while (len > 0) {
+               unsigned c;
+
+               c = *src;
+               src++;
+
+               *p = conv[c >> 4];
+               ++p;
+               *p = conv[c & 0x0f];
+               ++p;
+               --len;
+       }
+       *p = '\0';
+       return hex;
+}
+
+#define HMAC_PREFIX "." 
+#define HMAC_SUFFIX ".hmac" 
+#define READ_BUFFER_LENGTH 16384
+
+static char *
+make_hmac_path(const char *origpath)
+{
+       char *path, *p;
+       const char *fn;
+
+       path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
+       if(path == NULL) {
+               return NULL;
+       }
+
+       fn = strrchr(origpath, '/');
+       if (fn == NULL) {
+               fn = origpath;
+       } else {
+               ++fn;
+       }
+
+       strncpy(path, origpath, fn-origpath);
+       p = path + (fn - origpath);
+       p = stpcpy(p, HMAC_PREFIX);
+       p = stpcpy(p, fn);
+       p = stpcpy(p, HMAC_SUFFIX);
+
+       return path;
+}
+
+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
+
+static int
+compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
+{
+       FILE *f = NULL;
+       int rv = -1;
+       unsigned char rbuf[READ_BUFFER_LENGTH];
+       size_t len;
+       unsigned int hlen;
+       HMAC_CTX c;
+
+       HMAC_CTX_init(&c);
+
+       f = fopen(path, "r");
+
+       if (f == NULL) {
+               goto end;
+       }
+
+       HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
+
+       while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
+               HMAC_Update(&c, rbuf, len);
+       }
+
+       len = sizeof(rbuf);
+       /* reuse rbuf for hmac */
+       HMAC_Final(&c, rbuf, &hlen);
+
+       *buf = malloc(hlen);
+       if (*buf == NULL) {
+               goto end;
+       }
+
+       *hmaclen = hlen;
+
+       memcpy(*buf, rbuf, hlen);
+
+       rv = 0;
+end:
+       HMAC_CTX_cleanup(&c);
+
+       if (f)
+               fclose(f);
+
+       return rv;
+}
+
+static int
+FIPSCHECK_verify(const char *libname, const char *symbolname)
+{
+       char path[PATH_MAX+1];
+       int rv;
+       FILE *hf;
+       char *hmacpath, *p;
+       char *hmac = NULL;
+       size_t n;
+       
+       rv = get_library_path(libname, symbolname, path, sizeof(path));
+
+       if (rv < 0)
+               return 0;
+
+       hmacpath = make_hmac_path(path);
+
+       hf = fopen(hmacpath, "r");
+       if (hf == NULL) {
+               free(hmacpath);
+               return 0;
+       }
+
+       if (getline(&hmac, &n, hf) > 0) {
+               void *buf;
+               size_t hmaclen;
+               char *hex;
+
+               if ((p=strchr(hmac, '\n')) != NULL)
+                       *p = '\0';
+
+               if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
+                       rv = -4;
+                       goto end;
+               }
+
+               if ((hex=bin2hex(buf, hmaclen)) == NULL) {
+                       free(buf);
+                       rv = -5;
+                       goto end;
+               }
+
+               if (strcmp(hex, hmac) != 0) {
+                       rv = -1;
+               }
+               free(buf);
+               free(hex);
+       }
+
+end:
+       free(hmac);
+       free(hmacpath);
+       fclose(hf);
+
+       if (rv < 0)
+               return 0;
+
+       /* check successful */
+       return 1;       
+}
+
+#endif
 
 int FIPS_mode_set(int onoff)
     {
@@ -278,16 +484,17 @@ int FIPS_mode_set(int onoff)
            }
 #endif
 
-       if(fips_signature_witness() != FIPS_signature)
+       if(!FIPSCHECK_verify("libcrypto.so.0.9.8e","FIPS_mode_set"))
            {
-           FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_CONTRADICTING_EVIDENCE);
+           FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
            fips_selftest_fail = 1;
            ret = 0;
            goto end;
            }
 
-       if(!FIPS_check_incore_fingerprint())
+       if(!FIPSCHECK_verify("libssl.so.0.9.8e","SSL_CTX_new"))
            {
+           FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
            fips_selftest_fail = 1;
            ret = 0;
            goto end;
@@ -403,11 +610,13 @@ int fips_clear_owning_thread(void)
        return ret;
        }
 
+#if 0
 unsigned char *fips_signature_witness(void)
        {
        extern unsigned char FIPS_signature[];
        return FIPS_signature;
        }
+#endif
 
 /* Generalized public key test routine. Signs and verifies the data
  * supplied in tbs using mesage digest md and setting option digest
diff -up openssl-fips-0.9.8e/fips/fips_locl.h.use-fipscheck openssl-fips-0.9.8e/fips/fips_locl.h
--- openssl-fips-0.9.8e/fips/fips_locl.h.use-fipscheck  2007-08-15 15:35:31.000000000 +0200
+++ openssl-fips-0.9.8e/fips/fips_locl.h        2009-03-26 15:15:39.000000000 +0100
@@ -63,7 +63,9 @@ int fips_is_owning_thread(void);
 int fips_set_owning_thread(void);
 void fips_set_selftest_fail(void);
 int fips_clear_owning_thread(void);
+#if 0
 unsigned char *fips_signature_witness(void);
+#endif
 
 #define FIPS_MAX_CIPHER_TEST_SIZE      16
 
diff -up openssl-fips-0.9.8e/fips/Makefile.use-fipscheck openssl-fips-0.9.8e/fips/Makefile
--- openssl-fips-0.9.8e/fips/Makefile.use-fipscheck     2007-08-15 15:35:30.000000000 +0200
+++ openssl-fips-0.9.8e/fips/Makefile   2009-04-15 11:41:25.000000000 +0200
@@ -62,9 +62,9 @@ testapps:
 
 all:
        @if [ -z "$(FIPSLIBDIR)" ]; then \
-               $(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \
+               $(MAKE) -e subdirs lib; \
        else \
-               $(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \
+               $(MAKE) -e lib; \
        fi
 
 # Idea behind fipscanister.o is to "seize" the sequestered code between
@@ -109,7 +109,6 @@ fipscanister.o: fips_start.o $(LIBOBJ) $
                HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \
                *) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \
        esac fi
-       ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1
 
 # If another exception is immediately required, assign approprite
 # site-specific ld command to FIPS_SITE_LD environment variable.
@@ -141,8 +140,24 @@ links:
 lib:   $(LIB)
        @touch lib
 
-$(LIB):        $(FIPSLIBDIR)fipscanister.o
-       $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
+$(LIB):        $(LIBOBJ) $(FIPS_OBJ_LISTS)
+       FIPS_ASM=""; \
+       list="$(BN_ASM)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/bn/$$i" ; done; \
+       list="$(AES_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/aes/$$i" ; done; \
+       list="$(DES_ENC)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/des/$$i" ; done; \
+       list="$(SHA1_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/sha/$$i" ; done; \
+       if [ -n "$(CPUID_OBJ)" ]; then \
+               CPUID=../crypto/$(CPUID_OBJ) ; \
+       else \
+               CPUID="" ; \
+       fi ; \
+       objs="$(LIBOBJ) $(FIPS_EX_OBJ) $$CPUID $$FIPS_ASM"; \
+       for i in $(FIPS_OBJ_LISTS); do \
+               dir=`dirname $$i`; script="s|^|$$dir/|;s| | $$dir/|g"; \
+               objs="$$objs `sed "$$script" $$i`"; \
+       done; \
+       objs="$$objs" ; \
+       $(AR) $(LIB) $$objs 
        $(RANLIB) $(LIB) || echo Never mind.
 
 $(FIPSCANLIB): $(FIPSCANLOC)
@@ -154,7 +169,7 @@ $(FIPSCANLIB):      $(FIPSCANLOC)
        $(RANLIB) ../$(FIPSCANLIB).a || echo Never mind.
        @touch lib
 
-shared:        lib subdirs fips_premain_dso$(EXE_EXT)
+shared:        lib subdirs
 
 libs:
        @target=lib; $(RECURSIVE_MAKE)
@@ -178,10 +193,6 @@ install:
        chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
        done;
        @target=install; $(RECURSIVE_MAKE)
-       @cp -p -f fipscanister.o fipscanister.o.sha1 fips_premain.c \
-               fips_premain.c.sha1 \
-               $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \
-       chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips*
 
 lint:
        @target=lint; $(RECURSIVE_MAKE)
diff -up openssl-fips-0.9.8e/fips/sha/fips_standalone_sha1.c.use-fipscheck openssl-fips-0.9.8e/fips/sha/fips_standalone_sha1.c
--- openssl-fips-0.9.8e/fips/sha/fips_standalone_sha1.c.use-fipscheck   2007-08-15 15:35:46.000000000 +0200
+++ openssl-fips-0.9.8e/fips/sha/fips_standalone_sha1.c 2009-04-15 11:58:37.000000000 +0200
@@ -62,20 +62,20 @@ void OPENSSL_cleanse(void *p,size_t len)
 
 #ifdef OPENSSL_FIPS
 
-static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx,
+static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx,
                      const char *key)
     {
-    int len=strlen(key);
+    size_t len=strlen(key);
     int i;
     unsigned char keymd[HMAC_MAX_MD_CBLOCK];
     unsigned char pad[HMAC_MAX_MD_CBLOCK];
 
     if (len > SHA_CBLOCK)
        {
-       SHA1_Init(md_ctx);
-       SHA1_Update(md_ctx,key,len);
-       SHA1_Final(keymd,md_ctx);
-       len=20;
+       SHA256_Init(md_ctx);
+       SHA256_Update(md_ctx,key,len);
+       SHA256_Final(keymd,md_ctx);
+       len=SHA256_DIGEST_LENGTH;
        }
     else
        memcpy(keymd,key,len);
@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH
 
     for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
        pad[i]=0x36^keymd[i];
-    SHA1_Init(md_ctx);
-    SHA1_Update(md_ctx,pad,SHA_CBLOCK);
+    SHA256_Init(md_ctx);
+    SHA256_Update(md_ctx,pad,SHA256_CBLOCK);
 
     for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
        pad[i]=0x5c^keymd[i];
-    SHA1_Init(o_ctx);
-    SHA1_Update(o_ctx,pad,SHA_CBLOCK);
+    SHA256_Init(o_ctx);
+    SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
     }
 
-static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx)
+static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx)
     {
-    unsigned char buf[20];
+    unsigned char buf[SHA256_DIGEST_LENGTH];
 
-    SHA1_Final(buf,md_ctx);
-    SHA1_Update(o_ctx,buf,sizeof buf);
-    SHA1_Final(md,o_ctx);
+    SHA256_Final(buf,md_ctx);
+    SHA256_Update(o_ctx,buf,sizeof buf);
+    SHA256_Final(md,o_ctx);
     }
 
 #endif
@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md
 int main(int argc,char **argv)
     {
 #ifdef OPENSSL_FIPS
-    static char key[]="etaonrishdlcupfm";
+    static char key[]="orboDeJITITejsirpADONivirpUkvarP";
     int n,binary=0;
 
     if(argc < 2)
@@ -125,8 +125,8 @@ int main(int argc,char **argv)
     for(; n < argc ; ++n)
        {
        FILE *f=fopen(argv[n],"rb");
-       SHA_CTX md_ctx,o_ctx;
-       unsigned char md[20];
+       SHA256_CTX md_ctx,o_ctx;
+       unsigned char md[SHA256_DIGEST_LENGTH];
        int i;
 
        if(!f)
@@ -139,7 +139,7 @@ int main(int argc,char **argv)
        for( ; ; )
            {
            char buf[1024];
-           int l=fread(buf,1,sizeof buf,f);
+           size_t l=fread(buf,1,sizeof buf,f);
 
            if(l == 0)
                {
@@ -151,18 +151,18 @@ int main(int argc,char **argv)
                else
                    break;
                }
-           SHA1_Update(&md_ctx,buf,l);
+           SHA256_Update(&md_ctx,buf,l);
            }
        hmac_final(md,&md_ctx,&o_ctx);
 
        if (binary)
            {
-           fwrite(md,20,1,stdout);
+           fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);
            break;      /* ... for single(!) file */
            }
 
-       printf("HMAC-SHA1(%s)= ",argv[n]);
-       for(i=0 ; i < 20 ; ++i)
+/*     printf("HMAC-SHA1(%s)= ",argv[n]); */
+       for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)
            printf("%02x",md[i]);
        printf("\n");
        }
diff -up openssl-fips-0.9.8e/fips/sha/Makefile.use-fipscheck openssl-fips-0.9.8e/fips/sha/Makefile
--- openssl-fips-0.9.8e/fips/sha/Makefile.use-fipscheck 2009-03-26 15:16:04.000000000 +0100
+++ openssl-fips-0.9.8e/fips/sha/Makefile       2009-04-15 11:57:17.000000000 +0200
@@ -47,7 +47,7 @@ lib:  $(LIBOBJ)
        @echo $(LIBOBJ) > lib
 
 ../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o
-       FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
+       FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
        $(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM
 
 files:
diff -up openssl-fips-0.9.8e/Makefile.org.use-fipscheck openssl-fips-0.9.8e/Makefile.org
--- openssl-fips-0.9.8e/Makefile.org.use-fipscheck      2009-03-26 15:15:39.000000000 +0100
+++ openssl-fips-0.9.8e/Makefile.org    2009-03-26 15:15:39.000000000 +0100
@@ -355,10 +355,6 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA
                        $(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \
                        $(AR) libcrypto.a fips/fipscanister.o ; \
                else \
-                       if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
-                               FIPSLD_CC=$(CC); CC=fips/fipsld; \
-                               export CC FIPSLD_CC; \
-                       fi; \
                        $(MAKE) -e SHLIBDIRS='crypto' build-shared; \
                fi \
        else \
@@ -379,9 +375,8 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT
 fips/fipscanister.o:   build_fips
 libfips$(SHLIB_EXT):           fips/fipscanister.o
        @if [ "$(SHLIB_TARGET)" != "" ]; then \
-               FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \
                $(MAKE) -f Makefile.shared -e $(BUILDENV) \
-                       CC=$${CC} LIBNAME=fips THIS=$@ \
+                       CC=$(CC) LIBNAME=fips THIS=$@ \
                        LIBEXTRAS=fips/fipscanister.o \
                        LIBDEPS="$(EX_LIBS)" \
                        LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
@@ -467,7 +462,7 @@ openssl.pc: Makefile
            echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
            echo 'Version: '$(VERSION); \
            echo 'Requires: '; \
-           echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
+           echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)';\
            echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
 
 Makefile: Makefile.org Configure config
diff -up openssl-fips-0.9.8e/test/Makefile.use-fipscheck openssl-fips-0.9.8e/test/Makefile
--- openssl-fips-0.9.8e/test/Makefile.use-fipscheck     2007-08-26 16:57:41.000000000 +0200
+++ openssl-fips-0.9.8e/test/Makefile   2009-04-15 11:37:30.000000000 +0200
@@ -395,8 +395,7 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$
        if [ "$(FIPSCANLIB)" = "libfips" ]; then \
                LIBRARIES="-L$(TOP) -lfips"; \
        else \
-               FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
-               LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \
+               LIBRARIES="$(LIBCRYPTO)"; \
        fi; \
        $(MAKE) -f $(TOP)/Makefile.shared -e \
                CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
@@ -407,9 +406,6 @@ FIPS_CRYPTO_BUILD_CMD=shlib_target=; if 
                shlib_target="$(SHLIB_TARGET)"; \
        fi; \
        LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \
-       if [ -z "$(SHARED_LIBS)" ] ; then \
-               FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
-       fi; \
        [ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
        $(MAKE) -f $(TOP)/Makefile.shared -e \
                CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
1	wellsi	1.1	Do not create a fips canister but use a fipscheck equivalent method for
2			integrity verification of both libssl and libcrypto shared libraries.
3			diff -up openssl-fips-0.9.8e/apps/Makefile.use-fipscheck openssl-fips-0.9.8e/apps/Makefile
4			--- openssl-fips-0.9.8e/apps/Makefile.use-fipscheck 2007-08-15 15:35:29.000000000 +0200
5			+++ openssl-fips-0.9.8e/apps/Makefile 2009-03-26 15:16:09.000000000 +0100
6			@@ -152,8 +152,6 @@ $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(
7			$(RM) $(EXE)
8			shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
9			shlib_target="$(SHLIB_TARGET)"; \
10			- elif [ -n "$(FIPSCANLIB)" ]; then \
11			- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
12			fi; \
13			LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \
14			[ "x$(FIPSCANLIB)" = "xlibfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
15			diff -up openssl-fips-0.9.8e/fips/fips.c.use-fipscheck openssl-fips-0.9.8e/fips/fips.c
16			--- openssl-fips-0.9.8e/fips/fips.c.use-fipscheck 2007-08-26 16:57:10.000000000 +0200
17			+++ openssl-fips-0.9.8e/fips/fips.c 2009-04-15 11:43:59.000000000 +0200
18			@@ -47,6 +47,8 @@
19			*
20			*/
21
22			+#define _GNU_SOURCE
23			+
24			#include <openssl/fips.h>
25			#include <openssl/rand.h>
26			#include <openssl/fips_rand.h>
27			@@ -56,6 +58,9 @@
28			#include <openssl/rsa.h>
29			#include <string.h>
30			#include <limits.h>
31			+#include <dlfcn.h>
32			+#include <stdio.h>
33			+#include <stdlib.h>
34			#include "fips_locl.h"
35
36			#ifdef OPENSSL_FIPS
37			@@ -163,6 +168,7 @@ int FIPS_selftest()
38			&& FIPS_selftest_dsa();
39			}
40
41			+#if 0
42			extern const void FIPS_text_start(), FIPS_text_end();
43			extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[];
44			unsigned char FIPS_signature [20] = { 0 };
45			@@ -241,6 +247,206 @@ int FIPS_check_incore_fingerprint(void)
46
47			return 1;
48			}
49			+#else
50			+/* we implement what libfipscheck does ourselves */
51			+
52			+static int
53			+get_library_path(const char libname, const char symbolname, char *path, size_t pathlen)
54			+{
55			+ Dl_info info;
56			+ void dl, sym;
57			+ int rv = -1;
58			+
59			+ dl = dlopen(libname, RTLD_LAZY);
60			+ if (dl == NULL) {
61			+ return -1;
62			+ }
63			+
64			+ sym = dlsym(dl, symbolname);
65			+
66			+ if (sym != NULL && dladdr(sym, &info)) {
67			+ strncpy(path, info.dli_fname, pathlen-1);
68			+ path[pathlen-1] = '\0';
69			+ rv = 0;
70			+ }
71			+
72			+ dlclose(dl);
73			+
74			+ return rv;
75			+}
76			+
77			+static const char conv[] = "0123456789abcdef";
78			+
79			+static char *
80			+bin2hex(void *buf, size_t len)
81			+{
82			+ char hex, p;
83			+ unsigned char *src = buf;
84			+
85			+ hex = malloc(len * 2 + 1);
86			+ if (hex == NULL)
87			+ return NULL;
88			+
89			+ p = hex;
90			+
91			+ while (len > 0) {
92			+ unsigned c;
93			+
94			+ c = *src;
95			+ src++;
96			+
97			+ *p = conv[c >> 4];
98			+ ++p;
99			+ *p = conv[c & 0x0f];
100			+ ++p;
101			+ --len;
102			+ }
103			+ *p = '\0';
104			+ return hex;
105			+}
106			+
107			+#define HMAC_PREFIX "."
108			+#define HMAC_SUFFIX ".hmac"
109			+#define READ_BUFFER_LENGTH 16384
110			+
111			+static char *
112			+make_hmac_path(const char *origpath)
113			+{
114			+ char path, p;
115			+ const char *fn;
116			+
117			+ path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
118			+ if(path == NULL) {
119			+ return NULL;
120			+ }
121			+
122			+ fn = strrchr(origpath, '/');
123			+ if (fn == NULL) {
124			+ fn = origpath;
125			+ } else {
126			+ ++fn;
127			+ }
128			+
129			+ strncpy(path, origpath, fn-origpath);
130			+ p = path + (fn - origpath);
131			+ p = stpcpy(p, HMAC_PREFIX);
132			+ p = stpcpy(p, fn);
133			+ p = stpcpy(p, HMAC_SUFFIX);
134			+
135			+ return path;
136			+}
137			+
138			+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
139			+
140			+static int
141			+compute_file_hmac(const char path, void buf, size_t hmaclen)
142			+{
143			+ FILE *f = NULL;
144			+ int rv = -1;
145			+ unsigned char rbuf[READ_BUFFER_LENGTH];
146			+ size_t len;
147			+ unsigned int hlen;
148			+ HMAC_CTX c;
149			+
150			+ HMAC_CTX_init(&c);
151			+
152			+ f = fopen(path, "r");
153			+
154			+ if (f == NULL) {
155			+ goto end;
156			+ }
157			+
158			+ HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
159			+
160			+ while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
161			+ HMAC_Update(&c, rbuf, len);
162			+ }
163			+
164			+ len = sizeof(rbuf);
165			+ /* reuse rbuf for hmac */
166			+ HMAC_Final(&c, rbuf, &hlen);
167			+
168			+ *buf = malloc(hlen);
169			+ if (*buf == NULL) {
170			+ goto end;
171			+ }
172			+
173			+ *hmaclen = hlen;
174			+
175			+ memcpy(*buf, rbuf, hlen);
176			+
177			+ rv = 0;
178			+end:
179			+ HMAC_CTX_cleanup(&c);
180			+
181			+ if (f)
182			+ fclose(f);
183			+
184			+ return rv;
185			+}
186			+
187			+static int
188			+FIPSCHECK_verify(const char libname, const char symbolname)
189			+{
190			+ char path[PATH_MAX+1];
191			+ int rv;
192			+ FILE *hf;
193			+ char hmacpath, p;
194			+ char *hmac = NULL;
195			+ size_t n;
196			+
197			+ rv = get_library_path(libname, symbolname, path, sizeof(path));
198			+
199			+ if (rv < 0)
200			+ return 0;
201			+
202			+ hmacpath = make_hmac_path(path);
203			+
204			+ hf = fopen(hmacpath, "r");
205			+ if (hf == NULL) {
206			+ free(hmacpath);
207			+ return 0;
208			+ }
209			+
210			+ if (getline(&hmac, &n, hf) > 0) {
211			+ void *buf;
212			+ size_t hmaclen;
213			+ char *hex;
214			+
215			+ if ((p=strchr(hmac, '\n')) != NULL)
216			+ *p = '\0';
217			+
218			+ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
219			+ rv = -4;
220			+ goto end;
221			+ }
222			+
223			+ if ((hex=bin2hex(buf, hmaclen)) == NULL) {
224			+ free(buf);
225			+ rv = -5;
226			+ goto end;
227			+ }
228			+
229			+ if (strcmp(hex, hmac) != 0) {
230			+ rv = -1;
231			+ }
232			+ free(buf);
233			+ free(hex);
234			+ }
235			+
236			+end:
237			+ free(hmac);
238			+ free(hmacpath);
239			+ fclose(hf);
240			+
241			+ if (rv < 0)
242			+ return 0;
243			+
244			+ /* check successful */
245			+ return 1;
246			+}
247			+
248			+#endif
249
250			int FIPS_mode_set(int onoff)
251			{
252			@@ -278,16 +484,17 @@ int FIPS_mode_set(int onoff)
253			}
254			#endif
255
256			- if(fips_signature_witness() != FIPS_signature)
257			+ if(!FIPSCHECK_verify("libcrypto.so.0.9.8e","FIPS_mode_set"))
258			{
259			- FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_CONTRADICTING_EVIDENCE);
260			+ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
261			fips_selftest_fail = 1;
262			ret = 0;
263			goto end;
264			}
265
266			- if(!FIPS_check_incore_fingerprint())
267			+ if(!FIPSCHECK_verify("libssl.so.0.9.8e","SSL_CTX_new"))
268			{
269			+ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
270			fips_selftest_fail = 1;
271			ret = 0;
272			goto end;
273			@@ -403,11 +610,13 @@ int fips_clear_owning_thread(void)
274			return ret;
275			}
276
277			+#if 0
278			unsigned char *fips_signature_witness(void)
279			{
280			extern unsigned char FIPS_signature[];
281			return FIPS_signature;
282			}
283			+#endif
284
285			/* Generalized public key test routine. Signs and verifies the data
286			* supplied in tbs using mesage digest md and setting option digest
287			diff -up openssl-fips-0.9.8e/fips/fips_locl.h.use-fipscheck openssl-fips-0.9.8e/fips/fips_locl.h
288			--- openssl-fips-0.9.8e/fips/fips_locl.h.use-fipscheck 2007-08-15 15:35:31.000000000 +0200
289			+++ openssl-fips-0.9.8e/fips/fips_locl.h 2009-03-26 15:15:39.000000000 +0100
290			@@ -63,7 +63,9 @@ int fips_is_owning_thread(void);
291			int fips_set_owning_thread(void);
292			void fips_set_selftest_fail(void);
293			int fips_clear_owning_thread(void);
294			+#if 0
295			unsigned char *fips_signature_witness(void);
296			+#endif
297
298			#define FIPS_MAX_CIPHER_TEST_SIZE 16
299
300			diff -up openssl-fips-0.9.8e/fips/Makefile.use-fipscheck openssl-fips-0.9.8e/fips/Makefile
301			--- openssl-fips-0.9.8e/fips/Makefile.use-fipscheck 2007-08-15 15:35:30.000000000 +0200
302			+++ openssl-fips-0.9.8e/fips/Makefile 2009-04-15 11:41:25.000000000 +0200
303			@@ -62,9 +62,9 @@ testapps:
304
305			all:
306			@if [ -z "$(FIPSLIBDIR)" ]; then \
307			- $(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \
308			+ $(MAKE) -e subdirs lib; \
309			else \
310			- $(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \
311			+ $(MAKE) -e lib; \
312			fi
313
314			# Idea behind fipscanister.o is to "seize" the sequestered code between
315			@@ -109,7 +109,6 @@ fipscanister.o: fips_start.o $(LIBOBJ) $
316			HP-UX\|OSF1\|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \
317			*) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \
318			esac fi
319			- ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1
320
321			# If another exception is immediately required, assign approprite
322			# site-specific ld command to FIPS_SITE_LD environment variable.
323			@@ -141,8 +140,24 @@ links:
324			lib: $(LIB)
325			@touch lib
326
327			-$(LIB): $(FIPSLIBDIR)fipscanister.o
328			- $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
329			+$(LIB): $(LIBOBJ) $(FIPS_OBJ_LISTS)
330			+ FIPS_ASM=""; \
331			+ list="$(BN_ASM)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/bn/$$i" ; done; \
332			+ list="$(AES_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/aes/$$i" ; done; \
333			+ list="$(DES_ENC)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/des/$$i" ; done; \
334			+ list="$(SHA1_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/sha/$$i" ; done; \
335			+ if [ -n "$(CPUID_OBJ)" ]; then \
336			+ CPUID=../crypto/$(CPUID_OBJ) ; \
337			+ else \
338			+ CPUID="" ; \
339			+ fi ; \
340			+ objs="$(LIBOBJ) $(FIPS_EX_OBJ) $$CPUID $$FIPS_ASM"; \
341			+ for i in $(FIPS_OBJ_LISTS); do \
342			+ dir=`dirname $$i`; script="s\|^\|$$dir/\|;s\| \| $$dir/\|g"; \
343			+ objs="$$objs `sed "$$script" $$i`"; \
344			+ done; \
345			+ objs="$$objs" ; \
346			+ $(AR) $(LIB) $$objs
347			$(RANLIB) $(LIB) \|\| echo Never mind.
348
349			$(FIPSCANLIB): $(FIPSCANLOC)
350			@@ -154,7 +169,7 @@ $(FIPSCANLIB): $(FIPSCANLOC)
351			$(RANLIB) ../$(FIPSCANLIB).a \|\| echo Never mind.
352			@touch lib
353
354			-shared: lib subdirs fips_premain_dso$(EXE_EXT)
355			+shared: lib subdirs
356
357			libs:
358			@target=lib; $(RECURSIVE_MAKE)
359			@@ -178,10 +193,6 @@ install:
360			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
361			done;
362			@target=install; $(RECURSIVE_MAKE)
363			- @cp -p -f fipscanister.o fipscanister.o.sha1 fips_premain.c \
364			- fips_premain.c.sha1 \
365			- $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \
366			- chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips*
367
368			lint:
369			@target=lint; $(RECURSIVE_MAKE)
370			diff -up openssl-fips-0.9.8e/fips/sha/fips_standalone_sha1.c.use-fipscheck openssl-fips-0.9.8e/fips/sha/fips_standalone_sha1.c
371			--- openssl-fips-0.9.8e/fips/sha/fips_standalone_sha1.c.use-fipscheck 2007-08-15 15:35:46.000000000 +0200
372			+++ openssl-fips-0.9.8e/fips/sha/fips_standalone_sha1.c 2009-04-15 11:58:37.000000000 +0200
373			@@ -62,20 +62,20 @@ void OPENSSL_cleanse(void *p,size_t len)
374
375			#ifdef OPENSSL_FIPS
376
377			-static void hmac_init(SHA_CTX md_ctx,SHA_CTX o_ctx,
378			+static void hmac_init(SHA256_CTX md_ctx,SHA256_CTX o_ctx,
379			const char *key)
380			{
381			- int len=strlen(key);
382			+ size_t len=strlen(key);
383			int i;
384			unsigned char keymd[HMAC_MAX_MD_CBLOCK];
385			unsigned char pad[HMAC_MAX_MD_CBLOCK];
386
387			if (len > SHA_CBLOCK)
388			{
389			- SHA1_Init(md_ctx);
390			- SHA1_Update(md_ctx,key,len);
391			- SHA1_Final(keymd,md_ctx);
392			- len=20;
393			+ SHA256_Init(md_ctx);
394			+ SHA256_Update(md_ctx,key,len);
395			+ SHA256_Final(keymd,md_ctx);
396			+ len=SHA256_DIGEST_LENGTH;
397			}
398			else
399			memcpy(keymd,key,len);
400			@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH
401
402			for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
403			pad[i]=0x36^keymd[i];
404			- SHA1_Init(md_ctx);
405			- SHA1_Update(md_ctx,pad,SHA_CBLOCK);
406			+ SHA256_Init(md_ctx);
407			+ SHA256_Update(md_ctx,pad,SHA256_CBLOCK);
408
409			for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
410			pad[i]=0x5c^keymd[i];
411			- SHA1_Init(o_ctx);
412			- SHA1_Update(o_ctx,pad,SHA_CBLOCK);
413			+ SHA256_Init(o_ctx);
414			+ SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
415			}
416
417			-static void hmac_final(unsigned char md,SHA_CTX md_ctx,SHA_CTX *o_ctx)
418			+static void hmac_final(unsigned char md,SHA256_CTX md_ctx,SHA256_CTX *o_ctx)
419			{
420			- unsigned char buf[20];
421			+ unsigned char buf[SHA256_DIGEST_LENGTH];
422
423			- SHA1_Final(buf,md_ctx);
424			- SHA1_Update(o_ctx,buf,sizeof buf);
425			- SHA1_Final(md,o_ctx);
426			+ SHA256_Final(buf,md_ctx);
427			+ SHA256_Update(o_ctx,buf,sizeof buf);
428			+ SHA256_Final(md,o_ctx);
429			}
430
431			#endif
432			@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md
433			int main(int argc,char **argv)
434			{
435			#ifdef OPENSSL_FIPS
436			- static char key[]="etaonrishdlcupfm";
437			+ static char key[]="orboDeJITITejsirpADONivirpUkvarP";
438			int n,binary=0;
439
440			if(argc < 2)
441			@@ -125,8 +125,8 @@ int main(int argc,char **argv)
442			for(; n < argc ; ++n)
443			{
444			FILE *f=fopen(argv[n],"rb");
445			- SHA_CTX md_ctx,o_ctx;
446			- unsigned char md[20];
447			+ SHA256_CTX md_ctx,o_ctx;
448			+ unsigned char md[SHA256_DIGEST_LENGTH];
449			int i;
450
451			if(!f)
452			@@ -139,7 +139,7 @@ int main(int argc,char **argv)
453			for( ; ; )
454			{
455			char buf[1024];
456			- int l=fread(buf,1,sizeof buf,f);
457			+ size_t l=fread(buf,1,sizeof buf,f);
458
459			if(l == 0)
460			{
461			@@ -151,18 +151,18 @@ int main(int argc,char **argv)
462			else
463			break;
464			}
465			- SHA1_Update(&md_ctx,buf,l);
466			+ SHA256_Update(&md_ctx,buf,l);
467			}
468			hmac_final(md,&md_ctx,&o_ctx);
469
470			if (binary)
471			{
472			- fwrite(md,20,1,stdout);
473			+ fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);
474			break; /* ... for single(!) file */
475			}
476
477			- printf("HMAC-SHA1(%s)= ",argv[n]);
478			- for(i=0 ; i < 20 ; ++i)
479			+/* printf("HMAC-SHA1(%s)= ",argv[n]); */
480			+ for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)
481			printf("%02x",md[i]);
482			printf("\n");
483			}
484			diff -up openssl-fips-0.9.8e/fips/sha/Makefile.use-fipscheck openssl-fips-0.9.8e/fips/sha/Makefile
485			--- openssl-fips-0.9.8e/fips/sha/Makefile.use-fipscheck 2009-03-26 15:16:04.000000000 +0100
486			+++ openssl-fips-0.9.8e/fips/sha/Makefile 2009-04-15 11:57:17.000000000 +0200
487			@@ -47,7 +47,7 @@ lib: $(LIBOBJ)
488			@echo $(LIBOBJ) > lib
489
490			../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o
491			- FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
492			+ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
493			$(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM
494
495			files:
496			diff -up openssl-fips-0.9.8e/Makefile.org.use-fipscheck openssl-fips-0.9.8e/Makefile.org
497			--- openssl-fips-0.9.8e/Makefile.org.use-fipscheck 2009-03-26 15:15:39.000000000 +0100
498			+++ openssl-fips-0.9.8e/Makefile.org 2009-03-26 15:15:39.000000000 +0100
499			@@ -355,10 +355,6 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA
500			$(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \
501			$(AR) libcrypto.a fips/fipscanister.o ; \
502			else \
503			- if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
504			- FIPSLD_CC=$(CC); CC=fips/fipsld; \
505			- export CC FIPSLD_CC; \
506			- fi; \
507			$(MAKE) -e SHLIBDIRS='crypto' build-shared; \
508			fi \
509			else \
510			@@ -379,9 +375,8 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT
511			fips/fipscanister.o: build_fips
512			libfips$(SHLIB_EXT): fips/fipscanister.o
513			@if [ "$(SHLIB_TARGET)" != "" ]; then \
514			- FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \
515			$(MAKE) -f Makefile.shared -e $(BUILDENV) \
516			- CC=$${CC} LIBNAME=fips THIS=$@ \
517			+ CC=$(CC) LIBNAME=fips THIS=$@ \
518			LIBEXTRAS=fips/fipscanister.o \
519			LIBDEPS="$(EX_LIBS)" \
520			LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
521			@@ -467,7 +462,7 @@ openssl.pc: Makefile
522			echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
523			echo 'Version: '$(VERSION); \
524			echo 'Requires: '; \
525			- echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
526			+ echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)';\
527			echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
528
529			Makefile: Makefile.org Configure config
530			diff -up openssl-fips-0.9.8e/test/Makefile.use-fipscheck openssl-fips-0.9.8e/test/Makefile
531			--- openssl-fips-0.9.8e/test/Makefile.use-fipscheck 2007-08-26 16:57:41.000000000 +0200
532			+++ openssl-fips-0.9.8e/test/Makefile 2009-04-15 11:37:30.000000000 +0200
533			@@ -395,8 +395,7 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$
534			if [ "$(FIPSCANLIB)" = "libfips" ]; then \
535			LIBRARIES="-L$(TOP) -lfips"; \
536			else \
537			- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
538			- LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \
539			+ LIBRARIES="$(LIBCRYPTO)"; \
540			fi; \
541			$(MAKE) -f $(TOP)/Makefile.shared -e \
542			CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
543			@@ -407,9 +406,6 @@ FIPS_CRYPTO_BUILD_CMD=shlib_target=; if
544			shlib_target="$(SHLIB_TARGET)"; \
545			fi; \
546			LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \
547			- if [ -z "$(SHARED_LIBS)" ] ; then \
548			- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
549			- fi; \
550			[ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
551			$(MAKE) -f $(TOP)/Makefile.shared -e \
552			CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \