openssl/sme8/openssl-fips-0.9.8e-use-fipscheck.patch

Do not create a fips canister but use a fipscheck equivalent method for
integrity verification of both libssl and libcrypto shared libraries.
diff -up openssl-fips-0.9.8e/apps/Makefile.use-fipscheck openssl-fips-0.9.8e/apps/Makefile
--- openssl-fips-0.9.8e/apps/Makefile.use-fipscheck     2007-08-15 15:35:29.000000000 +0200
+++ openssl-fips-0.9.8e/apps/Makefile   2009-03-26 15:16:09.000000000 +0100
@@ -152,8 +152,6 @@ $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(
        $(RM) $(EXE)
        shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
                shlib_target="$(SHLIB_TARGET)"; \
-       elif [ -n "$(FIPSCANLIB)" ]; then \
-         FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
        fi; \
        LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \
        [ "x$(FIPSCANLIB)" = "xlibfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
diff -up openssl-fips-0.9.8e/fips/fips.c.use-fipscheck openssl-fips-0.9.8e/fips/fips.c
--- openssl-fips-0.9.8e/fips/fips.c.use-fipscheck       2007-08-26 16:57:10.000000000 +0200
+++ openssl-fips-0.9.8e/fips/fips.c     2009-04-15 11:43:59.000000000 +0200
@@ -47,6 +47,8 @@
  *
  */
 
+#define _GNU_SOURCE
+
 #include <openssl/fips.h>
 #include <openssl/rand.h>
 #include <openssl/fips_rand.h>
@@ -56,6 +58,9 @@
 #include <openssl/rsa.h>
 #include <string.h>
 #include <limits.h>
+#include <dlfcn.h>
+#include <stdio.h>
+#include <stdlib.h>
 #include "fips_locl.h"
 
 #ifdef OPENSSL_FIPS
@@ -163,6 +168,7 @@ int FIPS_selftest()
        && FIPS_selftest_dsa();
     }
 
+#if 0
 extern const void         *FIPS_text_start(),  *FIPS_text_end();
 extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[];
 unsigned char              FIPS_signature [20] = { 0 };
@@ -241,6 +247,206 @@ int FIPS_check_incore_fingerprint(void)
 
     return 1;
     }
+#else
+/* we implement what libfipscheck does ourselves */
+
+static int
+get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
+{
+       Dl_info info;
+       void *dl, *sym;
+       int rv = -1;
+
+        dl = dlopen(libname, RTLD_LAZY);
+        if (dl == NULL) {
+               return -1;
+        }       
+
+       sym = dlsym(dl, symbolname);
+
+       if (sym != NULL && dladdr(sym, &info)) {
+               strncpy(path, info.dli_fname, pathlen-1);
+               path[pathlen-1] = '\0';
+               rv = 0;
+       }
+
+       dlclose(dl);    
+       
+       return rv;
+}
+
+static const char conv[] = "0123456789abcdef";
+
+static char *
+bin2hex(void *buf, size_t len)
+{
+       char *hex, *p;
+       unsigned char *src = buf;
+       
+       hex = malloc(len * 2 + 1);
+       if (hex == NULL)
+               return NULL;
+
+       p = hex;
+
+       while (len > 0) {
+               unsigned c;
+
+               c = *src;
+               src++;
+
+               *p = conv[c >> 4];
+               ++p;
+               *p = conv[c & 0x0f];
+               ++p;
+               --len;
+       }
+       *p = '\0';
+       return hex;
+}
+
+#define HMAC_PREFIX "." 
+#define HMAC_SUFFIX ".hmac" 
+#define READ_BUFFER_LENGTH 16384
+
+static char *
+make_hmac_path(const char *origpath)
+{
+       char *path, *p;
+       const char *fn;
+
+       path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
+       if(path == NULL) {
+               return NULL;
+       }
+
+       fn = strrchr(origpath, '/');
+       if (fn == NULL) {
+               fn = origpath;
+       } else {
+               ++fn;
+       }
+
+       strncpy(path, origpath, fn-origpath);
+       p = path + (fn - origpath);
+       p = stpcpy(p, HMAC_PREFIX);
+       p = stpcpy(p, fn);
+       p = stpcpy(p, HMAC_SUFFIX);
+
+       return path;
+}
+
+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
+
+static int
+compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
+{
+       FILE *f = NULL;
+       int rv = -1;
+       unsigned char rbuf[READ_BUFFER_LENGTH];
+       size_t len;
+       unsigned int hlen;
+       HMAC_CTX c;
+
+       HMAC_CTX_init(&c);
+
+       f = fopen(path, "r");
+
+       if (f == NULL) {
+               goto end;
+       }
+
+       HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
+
+       while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
+               HMAC_Update(&c, rbuf, len);
+       }
+
+       len = sizeof(rbuf);
+       /* reuse rbuf for hmac */
+       HMAC_Final(&c, rbuf, &hlen);
+
+       *buf = malloc(hlen);
+       if (*buf == NULL) {
+               goto end;
+       }
+
+       *hmaclen = hlen;
+
+       memcpy(*buf, rbuf, hlen);
+
+       rv = 0;
+end:
+       HMAC_CTX_cleanup(&c);
+
+       if (f)
+               fclose(f);
+
+       return rv;
+}
+
+static int
+FIPSCHECK_verify(const char *libname, const char *symbolname)
+{
+       char path[PATH_MAX+1];
+       int rv;
+       FILE *hf;
+       char *hmacpath, *p;
+       char *hmac = NULL;
+       size_t n;
+       
+       rv = get_library_path(libname, symbolname, path, sizeof(path));
+
+       if (rv < 0)
+               return 0;
+
+       hmacpath = make_hmac_path(path);
+
+       hf = fopen(hmacpath, "r");
+       if (hf == NULL) {
+               free(hmacpath);
+               return 0;
+       }
+
+       if (getline(&hmac, &n, hf) > 0) {
+               void *buf;
+               size_t hmaclen;
+               char *hex;
+
+               if ((p=strchr(hmac, '\n')) != NULL)
+                       *p = '\0';
+
+               if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
+                       rv = -4;
+                       goto end;
+               }
+
+               if ((hex=bin2hex(buf, hmaclen)) == NULL) {
+                       free(buf);
+                       rv = -5;
+                       goto end;
+               }
+
+               if (strcmp(hex, hmac) != 0) {
+                       rv = -1;
+               }
+               free(buf);
+               free(hex);
+       }
+
+end:
+       free(hmac);
+       free(hmacpath);
+       fclose(hf);
+
+       if (rv < 0)
+               return 0;
+
+       /* check successful */
+       return 1;       
+}
+
+#endif
 
 int FIPS_mode_set(int onoff)
     {
@@ -278,16 +484,17 @@ int FIPS_mode_set(int onoff)
            }
 #endif
 
-       if(fips_signature_witness() != FIPS_signature)
+       if(!FIPSCHECK_verify("libcrypto.so.0.9.8e","FIPS_mode_set"))
            {
-           FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_CONTRADICTING_EVIDENCE);
+           FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
            fips_selftest_fail = 1;
            ret = 0;
            goto end;
            }
 
-       if(!FIPS_check_incore_fingerprint())
+       if(!FIPSCHECK_verify("libssl.so.0.9.8e","SSL_CTX_new"))
            {
+           FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
            fips_selftest_fail = 1;
            ret = 0;
            goto end;
@@ -403,11 +610,13 @@ int fips_clear_owning_thread(void)
        return ret;
        }
 
+#if 0
 unsigned char *fips_signature_witness(void)
        {
        extern unsigned char FIPS_signature[];
        return FIPS_signature;
        }
+#endif
 
 /* Generalized public key test routine. Signs and verifies the data
  * supplied in tbs using mesage digest md and setting option digest
diff -up openssl-fips-0.9.8e/fips/fips_locl.h.use-fipscheck openssl-fips-0.9.8e/fips/fips_locl.h
--- openssl-fips-0.9.8e/fips/fips_locl.h.use-fipscheck  2007-08-15 15:35:31.000000000 +0200
+++ openssl-fips-0.9.8e/fips/fips_locl.h        2009-03-26 15:15:39.000000000 +0100
@@ -63,7 +63,9 @@ int fips_is_owning_thread(void);
 int fips_set_owning_thread(void);
 void fips_set_selftest_fail(void);
 int fips_clear_owning_thread(void);
+#if 0
 unsigned char *fips_signature_witness(void);
+#endif
 
 #define FIPS_MAX_CIPHER_TEST_SIZE      16
 
diff -up openssl-fips-0.9.8e/fips/Makefile.use-fipscheck openssl-fips-0.9.8e/fips/Makefile
--- openssl-fips-0.9.8e/fips/Makefile.use-fipscheck     2007-08-15 15:35:30.000000000 +0200
+++ openssl-fips-0.9.8e/fips/Makefile   2009-04-15 11:41:25.000000000 +0200
@@ -62,9 +62,9 @@ testapps:
 
 all:
        @if [ -z "$(FIPSLIBDIR)" ]; then \
-               $(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \
+               $(MAKE) -e subdirs lib; \
        else \
-               $(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \
+               $(MAKE) -e lib; \
        fi
 
 # Idea behind fipscanister.o is to "seize" the sequestered code between
@@ -109,7 +109,6 @@ fipscanister.o: fips_start.o $(LIBOBJ) $
                HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \
                *) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \
        esac fi
-       ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1
 
 # If another exception is immediately required, assign approprite
 # site-specific ld command to FIPS_SITE_LD environment variable.
@@ -141,8 +140,24 @@ links:
 lib:   $(LIB)
        @touch lib
 
-$(LIB):        $(FIPSLIBDIR)fipscanister.o
-       $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
+$(LIB):        $(LIBOBJ) $(FIPS_OBJ_LISTS)
+       FIPS_ASM=""; \
+       list="$(BN_ASM)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/bn/$$i" ; done; \
+       list="$(AES_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/aes/$$i" ; done; \
+       list="$(DES_ENC)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/des/$$i" ; done; \
+       list="$(SHA1_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/sha/$$i" ; done; \
+       if [ -n "$(CPUID_OBJ)" ]; then \
+               CPUID=../crypto/$(CPUID_OBJ) ; \
+       else \
+               CPUID="" ; \
+       fi ; \
+       objs="$(LIBOBJ) $(FIPS_EX_OBJ) $$CPUID $$FIPS_ASM"; \
+       for i in $(FIPS_OBJ_LISTS); do \
+               dir=`dirname $$i`; script="s|^|$$dir/|;s| | $$dir/|g"; \
+               objs="$$objs `sed "$$script" $$i`"; \
+       done; \
+       objs="$$objs" ; \
+       $(AR) $(LIB) $$objs 
        $(RANLIB) $(LIB) || echo Never mind.
 
 $(FIPSCANLIB): $(FIPSCANLOC)
@@ -154,7 +169,7 @@ $(FIPSCANLIB):      $(FIPSCANLOC)
        $(RANLIB) ../$(FIPSCANLIB).a || echo Never mind.
        @touch lib
 
-shared:        lib subdirs fips_premain_dso$(EXE_EXT)
+shared:        lib subdirs
 
 libs:
        @target=lib; $(RECURSIVE_MAKE)
@@ -178,10 +193,6 @@ install:
        chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
        done;
        @target=install; $(RECURSIVE_MAKE)
-       @cp -p -f fipscanister.o fipscanister.o.sha1 fips_premain.c \
-               fips_premain.c.sha1 \
-               $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \
-       chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips*
 
 lint:
        @target=lint; $(RECURSIVE_MAKE)
diff -up openssl-fips-0.9.8e/fips/sha/fips_standalone_sha1.c.use-fipscheck openssl-fips-0.9.8e/fips/sha/fips_standalone_sha1.c
--- openssl-fips-0.9.8e/fips/sha/fips_standalone_sha1.c.use-fipscheck   2007-08-15 15:35:46.000000000 +0200
+++ openssl-fips-0.9.8e/fips/sha/fips_standalone_sha1.c 2009-04-15 11:58:37.000000000 +0200
@@ -62,20 +62,20 @@ void OPENSSL_cleanse(void *p,size_t len)
 
 #ifdef OPENSSL_FIPS
 
-static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx,
+static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx,
                      const char *key)
     {
-    int len=strlen(key);
+    size_t len=strlen(key);
     int i;
     unsigned char keymd[HMAC_MAX_MD_CBLOCK];
     unsigned char pad[HMAC_MAX_MD_CBLOCK];
 
     if (len > SHA_CBLOCK)
        {
-       SHA1_Init(md_ctx);
-       SHA1_Update(md_ctx,key,len);
-       SHA1_Final(keymd,md_ctx);
-       len=20;
+       SHA256_Init(md_ctx);
+       SHA256_Update(md_ctx,key,len);
+       SHA256_Final(keymd,md_ctx);
+       len=SHA256_DIGEST_LENGTH;
        }
     else
        memcpy(keymd,key,len);
@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH
 
     for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
        pad[i]=0x36^keymd[i];
-    SHA1_Init(md_ctx);
-    SHA1_Update(md_ctx,pad,SHA_CBLOCK);
+    SHA256_Init(md_ctx);
+    SHA256_Update(md_ctx,pad,SHA256_CBLOCK);
 
     for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
        pad[i]=0x5c^keymd[i];
-    SHA1_Init(o_ctx);
-    SHA1_Update(o_ctx,pad,SHA_CBLOCK);
+    SHA256_Init(o_ctx);
+    SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
     }
 
-static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx)
+static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx)
     {
-    unsigned char buf[20];
+    unsigned char buf[SHA256_DIGEST_LENGTH];
 
-    SHA1_Final(buf,md_ctx);
-    SHA1_Update(o_ctx,buf,sizeof buf);
-    SHA1_Final(md,o_ctx);
+    SHA256_Final(buf,md_ctx);
+    SHA256_Update(o_ctx,buf,sizeof buf);
+    SHA256_Final(md,o_ctx);
     }
 
 #endif
@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md
 int main(int argc,char **argv)
     {
 #ifdef OPENSSL_FIPS
-    static char key[]="etaonrishdlcupfm";
+    static char key[]="orboDeJITITejsirpADONivirpUkvarP";
     int n,binary=0;
 
     if(argc < 2)
@@ -125,8 +125,8 @@ int main(int argc,char **argv)
     for(; n < argc ; ++n)
        {
        FILE *f=fopen(argv[n],"rb");
-       SHA_CTX md_ctx,o_ctx;
-       unsigned char md[20];
+       SHA256_CTX md_ctx,o_ctx;
+       unsigned char md[SHA256_DIGEST_LENGTH];
        int i;
 
        if(!f)
@@ -139,7 +139,7 @@ int main(int argc,char **argv)
        for( ; ; )
            {
            char buf[1024];
-           int l=fread(buf,1,sizeof buf,f);
+           size_t l=fread(buf,1,sizeof buf,f);
 
            if(l == 0)
                {
@@ -151,18 +151,18 @@ int main(int argc,char **argv)
                else
                    break;
                }
-           SHA1_Update(&md_ctx,buf,l);
+           SHA256_Update(&md_ctx,buf,l);
            }
        hmac_final(md,&md_ctx,&o_ctx);
 
        if (binary)
            {
-           fwrite(md,20,1,stdout);
+           fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);
            break;      /* ... for single(!) file */
            }
 
-       printf("HMAC-SHA1(%s)= ",argv[n]);
-       for(i=0 ; i < 20 ; ++i)
+/*     printf("HMAC-SHA1(%s)= ",argv[n]); */
+       for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)
            printf("%02x",md[i]);
        printf("\n");
        }
diff -up openssl-fips-0.9.8e/fips/sha/Makefile.use-fipscheck openssl-fips-0.9.8e/fips/sha/Makefile
--- openssl-fips-0.9.8e/fips/sha/Makefile.use-fipscheck 2009-03-26 15:16:04.000000000 +0100
+++ openssl-fips-0.9.8e/fips/sha/Makefile       2009-04-15 11:57:17.000000000 +0200
@@ -47,7 +47,7 @@ lib:  $(LIBOBJ)
        @echo $(LIBOBJ) > lib
 
 ../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o
-       FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
+       FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
        $(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM
 
 files:
diff -up openssl-fips-0.9.8e/Makefile.org.use-fipscheck openssl-fips-0.9.8e/Makefile.org
--- openssl-fips-0.9.8e/Makefile.org.use-fipscheck      2009-03-26 15:15:39.000000000 +0100
+++ openssl-fips-0.9.8e/Makefile.org    2009-03-26 15:15:39.000000000 +0100
@@ -355,10 +355,6 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA
                        $(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \
                        $(AR) libcrypto.a fips/fipscanister.o ; \
                else \
-                       if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
-                               FIPSLD_CC=$(CC); CC=fips/fipsld; \
-                               export CC FIPSLD_CC; \
-                       fi; \
                        $(MAKE) -e SHLIBDIRS='crypto' build-shared; \
                fi \
        else \
@@ -379,9 +375,8 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT
 fips/fipscanister.o:   build_fips
 libfips$(SHLIB_EXT):           fips/fipscanister.o
        @if [ "$(SHLIB_TARGET)" != "" ]; then \
-               FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \
                $(MAKE) -f Makefile.shared -e $(BUILDENV) \
-                       CC=$${CC} LIBNAME=fips THIS=$@ \
+                       CC=$(CC) LIBNAME=fips THIS=$@ \
                        LIBEXTRAS=fips/fipscanister.o \
                        LIBDEPS="$(EX_LIBS)" \
                        LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
@@ -467,7 +462,7 @@ openssl.pc: Makefile
            echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
            echo 'Version: '$(VERSION); \
            echo 'Requires: '; \
-           echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
+           echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)';\
            echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
 
 Makefile: Makefile.org Configure config
diff -up openssl-fips-0.9.8e/test/Makefile.use-fipscheck openssl-fips-0.9.8e/test/Makefile
--- openssl-fips-0.9.8e/test/Makefile.use-fipscheck     2007-08-26 16:57:41.000000000 +0200
+++ openssl-fips-0.9.8e/test/Makefile   2009-04-15 11:37:30.000000000 +0200
@@ -395,8 +395,7 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$
        if [ "$(FIPSCANLIB)" = "libfips" ]; then \
                LIBRARIES="-L$(TOP) -lfips"; \
        else \
-               FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
-               LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \
+               LIBRARIES="$(LIBCRYPTO)"; \
        fi; \
        $(MAKE) -f $(TOP)/Makefile.shared -e \
                CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
@@ -407,9 +406,6 @@ FIPS_CRYPTO_BUILD_CMD=shlib_target=; if 
                shlib_target="$(SHLIB_TARGET)"; \
        fi; \
        LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \
-       if [ -z "$(SHARED_LIBS)" ] ; then \
-               FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
-       fi; \
        [ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
        $(MAKE) -f $(TOP)/Makefile.shared -e \
                CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
1	Do not create a fips canister but use a fipscheck equivalent method for
2	integrity verification of both libssl and libcrypto shared libraries.
3	diff -up openssl-fips-0.9.8e/apps/Makefile.use-fipscheck openssl-fips-0.9.8e/apps/Makefile
4	--- openssl-fips-0.9.8e/apps/Makefile.use-fipscheck 2007-08-15 15:35:29.000000000 +0200
5	+++ openssl-fips-0.9.8e/apps/Makefile 2009-03-26 15:16:09.000000000 +0100
6	@@ -152,8 +152,6 @@ $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(
7	$(RM) $(EXE)
8	shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
9	shlib_target="$(SHLIB_TARGET)"; \
10	- elif [ -n "$(FIPSCANLIB)" ]; then \
11	- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
12	fi; \
13	LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \
14	[ "x$(FIPSCANLIB)" = "xlibfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
15	diff -up openssl-fips-0.9.8e/fips/fips.c.use-fipscheck openssl-fips-0.9.8e/fips/fips.c
16	--- openssl-fips-0.9.8e/fips/fips.c.use-fipscheck 2007-08-26 16:57:10.000000000 +0200
17	+++ openssl-fips-0.9.8e/fips/fips.c 2009-04-15 11:43:59.000000000 +0200
18	@@ -47,6 +47,8 @@
19	*
20	*/
21
22	+#define _GNU_SOURCE
23	+
24	#include <openssl/fips.h>
25	#include <openssl/rand.h>
26	#include <openssl/fips_rand.h>
27	@@ -56,6 +58,9 @@
28	#include <openssl/rsa.h>
29	#include <string.h>
30	#include <limits.h>
31	+#include <dlfcn.h>
32	+#include <stdio.h>
33	+#include <stdlib.h>
34	#include "fips_locl.h"
35
36	#ifdef OPENSSL_FIPS
37	@@ -163,6 +168,7 @@ int FIPS_selftest()
38	&& FIPS_selftest_dsa();
39	}
40
41	+#if 0
42	extern const void FIPS_text_start(), FIPS_text_end();
43	extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[];
44	unsigned char FIPS_signature [20] = { 0 };
45	@@ -241,6 +247,206 @@ int FIPS_check_incore_fingerprint(void)
46
47	return 1;
48	}
49	+#else
50	+/* we implement what libfipscheck does ourselves */
51	+
52	+static int
53	+get_library_path(const char libname, const char symbolname, char *path, size_t pathlen)
54	+{
55	+ Dl_info info;
56	+ void dl, sym;
57	+ int rv = -1;
58	+
59	+ dl = dlopen(libname, RTLD_LAZY);
60	+ if (dl == NULL) {
61	+ return -1;
62	+ }
63	+
64	+ sym = dlsym(dl, symbolname);
65	+
66	+ if (sym != NULL && dladdr(sym, &info)) {
67	+ strncpy(path, info.dli_fname, pathlen-1);
68	+ path[pathlen-1] = '\0';
69	+ rv = 0;
70	+ }
71	+
72	+ dlclose(dl);
73	+
74	+ return rv;
75	+}
76	+
77	+static const char conv[] = "0123456789abcdef";
78	+
79	+static char *
80	+bin2hex(void *buf, size_t len)
81	+{
82	+ char hex, p;
83	+ unsigned char *src = buf;
84	+
85	+ hex = malloc(len * 2 + 1);
86	+ if (hex == NULL)
87	+ return NULL;
88	+
89	+ p = hex;
90	+
91	+ while (len > 0) {
92	+ unsigned c;
93	+
94	+ c = *src;
95	+ src++;
96	+
97	+ *p = conv[c >> 4];
98	+ ++p;
99	+ *p = conv[c & 0x0f];
100	+ ++p;
101	+ --len;
102	+ }
103	+ *p = '\0';
104	+ return hex;
105	+}
106	+
107	+#define HMAC_PREFIX "."
108	+#define HMAC_SUFFIX ".hmac"
109	+#define READ_BUFFER_LENGTH 16384
110	+
111	+static char *
112	+make_hmac_path(const char *origpath)
113	+{
114	+ char path, p;
115	+ const char *fn;
116	+
117	+ path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
118	+ if(path == NULL) {
119	+ return NULL;
120	+ }
121	+
122	+ fn = strrchr(origpath, '/');
123	+ if (fn == NULL) {
124	+ fn = origpath;
125	+ } else {
126	+ ++fn;
127	+ }
128	+
129	+ strncpy(path, origpath, fn-origpath);
130	+ p = path + (fn - origpath);
131	+ p = stpcpy(p, HMAC_PREFIX);
132	+ p = stpcpy(p, fn);
133	+ p = stpcpy(p, HMAC_SUFFIX);
134	+
135	+ return path;
136	+}
137	+
138	+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
139	+
140	+static int
141	+compute_file_hmac(const char path, void buf, size_t hmaclen)
142	+{
143	+ FILE *f = NULL;
144	+ int rv = -1;
145	+ unsigned char rbuf[READ_BUFFER_LENGTH];
146	+ size_t len;
147	+ unsigned int hlen;
148	+ HMAC_CTX c;
149	+
150	+ HMAC_CTX_init(&c);
151	+
152	+ f = fopen(path, "r");
153	+
154	+ if (f == NULL) {
155	+ goto end;
156	+ }
157	+
158	+ HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
159	+
160	+ while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
161	+ HMAC_Update(&c, rbuf, len);
162	+ }
163	+
164	+ len = sizeof(rbuf);
165	+ /* reuse rbuf for hmac */
166	+ HMAC_Final(&c, rbuf, &hlen);
167	+
168	+ *buf = malloc(hlen);
169	+ if (*buf == NULL) {
170	+ goto end;
171	+ }
172	+
173	+ *hmaclen = hlen;
174	+
175	+ memcpy(*buf, rbuf, hlen);
176	+
177	+ rv = 0;
178	+end:
179	+ HMAC_CTX_cleanup(&c);
180	+
181	+ if (f)
182	+ fclose(f);
183	+
184	+ return rv;
185	+}
186	+
187	+static int
188	+FIPSCHECK_verify(const char libname, const char symbolname)
189	+{
190	+ char path[PATH_MAX+1];
191	+ int rv;
192	+ FILE *hf;
193	+ char hmacpath, p;
194	+ char *hmac = NULL;
195	+ size_t n;
196	+
197	+ rv = get_library_path(libname, symbolname, path, sizeof(path));
198	+
199	+ if (rv < 0)
200	+ return 0;
201	+
202	+ hmacpath = make_hmac_path(path);
203	+
204	+ hf = fopen(hmacpath, "r");
205	+ if (hf == NULL) {
206	+ free(hmacpath);
207	+ return 0;
208	+ }
209	+
210	+ if (getline(&hmac, &n, hf) > 0) {
211	+ void *buf;
212	+ size_t hmaclen;
213	+ char *hex;
214	+
215	+ if ((p=strchr(hmac, '\n')) != NULL)
216	+ *p = '\0';
217	+
218	+ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
219	+ rv = -4;
220	+ goto end;
221	+ }
222	+
223	+ if ((hex=bin2hex(buf, hmaclen)) == NULL) {
224	+ free(buf);
225	+ rv = -5;
226	+ goto end;
227	+ }
228	+
229	+ if (strcmp(hex, hmac) != 0) {
230	+ rv = -1;
231	+ }
232	+ free(buf);
233	+ free(hex);
234	+ }
235	+
236	+end:
237	+ free(hmac);
238	+ free(hmacpath);
239	+ fclose(hf);
240	+
241	+ if (rv < 0)
242	+ return 0;
243	+
244	+ /* check successful */
245	+ return 1;
246	+}
247	+
248	+#endif
249
250	int FIPS_mode_set(int onoff)
251	{
252	@@ -278,16 +484,17 @@ int FIPS_mode_set(int onoff)
253	}
254	#endif
255
256	- if(fips_signature_witness() != FIPS_signature)
257	+ if(!FIPSCHECK_verify("libcrypto.so.0.9.8e","FIPS_mode_set"))
258	{
259	- FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_CONTRADICTING_EVIDENCE);
260	+ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
261	fips_selftest_fail = 1;
262	ret = 0;
263	goto end;
264	}
265
266	- if(!FIPS_check_incore_fingerprint())
267	+ if(!FIPSCHECK_verify("libssl.so.0.9.8e","SSL_CTX_new"))
268	{
269	+ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
270	fips_selftest_fail = 1;
271	ret = 0;
272	goto end;
273	@@ -403,11 +610,13 @@ int fips_clear_owning_thread(void)
274	return ret;
275	}
276
277	+#if 0
278	unsigned char *fips_signature_witness(void)
279	{
280	extern unsigned char FIPS_signature[];
281	return FIPS_signature;
282	}
283	+#endif
284
285	/* Generalized public key test routine. Signs and verifies the data
286	* supplied in tbs using mesage digest md and setting option digest
287	diff -up openssl-fips-0.9.8e/fips/fips_locl.h.use-fipscheck openssl-fips-0.9.8e/fips/fips_locl.h
288	--- openssl-fips-0.9.8e/fips/fips_locl.h.use-fipscheck 2007-08-15 15:35:31.000000000 +0200
289	+++ openssl-fips-0.9.8e/fips/fips_locl.h 2009-03-26 15:15:39.000000000 +0100
290	@@ -63,7 +63,9 @@ int fips_is_owning_thread(void);
291	int fips_set_owning_thread(void);
292	void fips_set_selftest_fail(void);
293	int fips_clear_owning_thread(void);
294	+#if 0
295	unsigned char *fips_signature_witness(void);
296	+#endif
297
298	#define FIPS_MAX_CIPHER_TEST_SIZE 16
299
300	diff -up openssl-fips-0.9.8e/fips/Makefile.use-fipscheck openssl-fips-0.9.8e/fips/Makefile
301	--- openssl-fips-0.9.8e/fips/Makefile.use-fipscheck 2007-08-15 15:35:30.000000000 +0200
302	+++ openssl-fips-0.9.8e/fips/Makefile 2009-04-15 11:41:25.000000000 +0200
303	@@ -62,9 +62,9 @@ testapps:
304
305	all:
306	@if [ -z "$(FIPSLIBDIR)" ]; then \
307	- $(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \
308	+ $(MAKE) -e subdirs lib; \
309	else \
310	- $(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \
311	+ $(MAKE) -e lib; \
312	fi
313
314	# Idea behind fipscanister.o is to "seize" the sequestered code between
315	@@ -109,7 +109,6 @@ fipscanister.o: fips_start.o $(LIBOBJ) $
316	HP-UX\|OSF1\|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \
317	*) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \
318	esac fi
319	- ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1
320
321	# If another exception is immediately required, assign approprite
322	# site-specific ld command to FIPS_SITE_LD environment variable.
323	@@ -141,8 +140,24 @@ links:
324	lib: $(LIB)
325	@touch lib
326
327	-$(LIB): $(FIPSLIBDIR)fipscanister.o
328	- $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
329	+$(LIB): $(LIBOBJ) $(FIPS_OBJ_LISTS)
330	+ FIPS_ASM=""; \
331	+ list="$(BN_ASM)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/bn/$$i" ; done; \
332	+ list="$(AES_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/aes/$$i" ; done; \
333	+ list="$(DES_ENC)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/des/$$i" ; done; \
334	+ list="$(SHA1_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/sha/$$i" ; done; \
335	+ if [ -n "$(CPUID_OBJ)" ]; then \
336	+ CPUID=../crypto/$(CPUID_OBJ) ; \
337	+ else \
338	+ CPUID="" ; \
339	+ fi ; \
340	+ objs="$(LIBOBJ) $(FIPS_EX_OBJ) $$CPUID $$FIPS_ASM"; \
341	+ for i in $(FIPS_OBJ_LISTS); do \
342	+ dir=`dirname $$i`; script="s\|^\|$$dir/\|;s\| \| $$dir/\|g"; \
343	+ objs="$$objs `sed "$$script" $$i`"; \
344	+ done; \
345	+ objs="$$objs" ; \
346	+ $(AR) $(LIB) $$objs
347	$(RANLIB) $(LIB) \|\| echo Never mind.
348
349	$(FIPSCANLIB): $(FIPSCANLOC)
350	@@ -154,7 +169,7 @@ $(FIPSCANLIB): $(FIPSCANLOC)
351	$(RANLIB) ../$(FIPSCANLIB).a \|\| echo Never mind.
352	@touch lib
353
354	-shared: lib subdirs fips_premain_dso$(EXE_EXT)
355	+shared: lib subdirs
356
357	libs:
358	@target=lib; $(RECURSIVE_MAKE)
359	@@ -178,10 +193,6 @@ install:
360	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
361	done;
362	@target=install; $(RECURSIVE_MAKE)
363	- @cp -p -f fipscanister.o fipscanister.o.sha1 fips_premain.c \
364	- fips_premain.c.sha1 \
365	- $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \
366	- chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips*
367
368	lint:
369	@target=lint; $(RECURSIVE_MAKE)
370	diff -up openssl-fips-0.9.8e/fips/sha/fips_standalone_sha1.c.use-fipscheck openssl-fips-0.9.8e/fips/sha/fips_standalone_sha1.c
371	--- openssl-fips-0.9.8e/fips/sha/fips_standalone_sha1.c.use-fipscheck 2007-08-15 15:35:46.000000000 +0200
372	+++ openssl-fips-0.9.8e/fips/sha/fips_standalone_sha1.c 2009-04-15 11:58:37.000000000 +0200
373	@@ -62,20 +62,20 @@ void OPENSSL_cleanse(void *p,size_t len)
374
375	#ifdef OPENSSL_FIPS
376
377	-static void hmac_init(SHA_CTX md_ctx,SHA_CTX o_ctx,
378	+static void hmac_init(SHA256_CTX md_ctx,SHA256_CTX o_ctx,
379	const char *key)
380	{
381	- int len=strlen(key);
382	+ size_t len=strlen(key);
383	int i;
384	unsigned char keymd[HMAC_MAX_MD_CBLOCK];
385	unsigned char pad[HMAC_MAX_MD_CBLOCK];
386
387	if (len > SHA_CBLOCK)
388	{
389	- SHA1_Init(md_ctx);
390	- SHA1_Update(md_ctx,key,len);
391	- SHA1_Final(keymd,md_ctx);
392	- len=20;
393	+ SHA256_Init(md_ctx);
394	+ SHA256_Update(md_ctx,key,len);
395	+ SHA256_Final(keymd,md_ctx);
396	+ len=SHA256_DIGEST_LENGTH;
397	}
398	else
399	memcpy(keymd,key,len);
400	@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH
401
402	for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
403	pad[i]=0x36^keymd[i];
404	- SHA1_Init(md_ctx);
405	- SHA1_Update(md_ctx,pad,SHA_CBLOCK);
406	+ SHA256_Init(md_ctx);
407	+ SHA256_Update(md_ctx,pad,SHA256_CBLOCK);
408
409	for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
410	pad[i]=0x5c^keymd[i];
411	- SHA1_Init(o_ctx);
412	- SHA1_Update(o_ctx,pad,SHA_CBLOCK);
413	+ SHA256_Init(o_ctx);
414	+ SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
415	}
416
417	-static void hmac_final(unsigned char md,SHA_CTX md_ctx,SHA_CTX *o_ctx)
418	+static void hmac_final(unsigned char md,SHA256_CTX md_ctx,SHA256_CTX *o_ctx)
419	{
420	- unsigned char buf[20];
421	+ unsigned char buf[SHA256_DIGEST_LENGTH];
422
423	- SHA1_Final(buf,md_ctx);
424	- SHA1_Update(o_ctx,buf,sizeof buf);
425	- SHA1_Final(md,o_ctx);
426	+ SHA256_Final(buf,md_ctx);
427	+ SHA256_Update(o_ctx,buf,sizeof buf);
428	+ SHA256_Final(md,o_ctx);
429	}
430
431	#endif
432	@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md
433	int main(int argc,char **argv)
434	{
435	#ifdef OPENSSL_FIPS
436	- static char key[]="etaonrishdlcupfm";
437	+ static char key[]="orboDeJITITejsirpADONivirpUkvarP";
438	int n,binary=0;
439
440	if(argc < 2)
441	@@ -125,8 +125,8 @@ int main(int argc,char **argv)
442	for(; n < argc ; ++n)
443	{
444	FILE *f=fopen(argv[n],"rb");
445	- SHA_CTX md_ctx,o_ctx;
446	- unsigned char md[20];
447	+ SHA256_CTX md_ctx,o_ctx;
448	+ unsigned char md[SHA256_DIGEST_LENGTH];
449	int i;
450
451	if(!f)
452	@@ -139,7 +139,7 @@ int main(int argc,char **argv)
453	for( ; ; )
454	{
455	char buf[1024];
456	- int l=fread(buf,1,sizeof buf,f);
457	+ size_t l=fread(buf,1,sizeof buf,f);
458
459	if(l == 0)
460	{
461	@@ -151,18 +151,18 @@ int main(int argc,char **argv)
462	else
463	break;
464	}
465	- SHA1_Update(&md_ctx,buf,l);
466	+ SHA256_Update(&md_ctx,buf,l);
467	}
468	hmac_final(md,&md_ctx,&o_ctx);
469
470	if (binary)
471	{
472	- fwrite(md,20,1,stdout);
473	+ fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);
474	break; /* ... for single(!) file */
475	}
476
477	- printf("HMAC-SHA1(%s)= ",argv[n]);
478	- for(i=0 ; i < 20 ; ++i)
479	+/* printf("HMAC-SHA1(%s)= ",argv[n]); */
480	+ for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)
481	printf("%02x",md[i]);
482	printf("\n");
483	}
484	diff -up openssl-fips-0.9.8e/fips/sha/Makefile.use-fipscheck openssl-fips-0.9.8e/fips/sha/Makefile
485	--- openssl-fips-0.9.8e/fips/sha/Makefile.use-fipscheck 2009-03-26 15:16:04.000000000 +0100
486	+++ openssl-fips-0.9.8e/fips/sha/Makefile 2009-04-15 11:57:17.000000000 +0200
487	@@ -47,7 +47,7 @@ lib: $(LIBOBJ)
488	@echo $(LIBOBJ) > lib
489
490	../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o
491	- FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
492	+ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
493	$(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM
494
495	files:
496	diff -up openssl-fips-0.9.8e/Makefile.org.use-fipscheck openssl-fips-0.9.8e/Makefile.org
497	--- openssl-fips-0.9.8e/Makefile.org.use-fipscheck 2009-03-26 15:15:39.000000000 +0100
498	+++ openssl-fips-0.9.8e/Makefile.org 2009-03-26 15:15:39.000000000 +0100
499	@@ -355,10 +355,6 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA
500	$(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \
501	$(AR) libcrypto.a fips/fipscanister.o ; \
502	else \
503	- if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
504	- FIPSLD_CC=$(CC); CC=fips/fipsld; \
505	- export CC FIPSLD_CC; \
506	- fi; \
507	$(MAKE) -e SHLIBDIRS='crypto' build-shared; \
508	fi \
509	else \
510	@@ -379,9 +375,8 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT
511	fips/fipscanister.o: build_fips
512	libfips$(SHLIB_EXT): fips/fipscanister.o
513	@if [ "$(SHLIB_TARGET)" != "" ]; then \
514	- FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \
515	$(MAKE) -f Makefile.shared -e $(BUILDENV) \
516	- CC=$${CC} LIBNAME=fips THIS=$@ \
517	+ CC=$(CC) LIBNAME=fips THIS=$@ \
518	LIBEXTRAS=fips/fipscanister.o \
519	LIBDEPS="$(EX_LIBS)" \
520	LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
521	@@ -467,7 +462,7 @@ openssl.pc: Makefile
522	echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
523	echo 'Version: '$(VERSION); \
524	echo 'Requires: '; \
525	- echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
526	+ echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)';\
527	echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
528
529	Makefile: Makefile.org Configure config
530	diff -up openssl-fips-0.9.8e/test/Makefile.use-fipscheck openssl-fips-0.9.8e/test/Makefile
531	--- openssl-fips-0.9.8e/test/Makefile.use-fipscheck 2007-08-26 16:57:41.000000000 +0200
532	+++ openssl-fips-0.9.8e/test/Makefile 2009-04-15 11:37:30.000000000 +0200
533	@@ -395,8 +395,7 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$
534	if [ "$(FIPSCANLIB)" = "libfips" ]; then \
535	LIBRARIES="-L$(TOP) -lfips"; \
536	else \
537	- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
538	- LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \
539	+ LIBRARIES="$(LIBCRYPTO)"; \
540	fi; \
541	$(MAKE) -f $(TOP)/Makefile.shared -e \
542	CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
543	@@ -407,9 +406,6 @@ FIPS_CRYPTO_BUILD_CMD=shlib_target=; if
544	shlib_target="$(SHLIB_TARGET)"; \
545	fi; \
546	LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \
547	- if [ -z "$(SHARED_LIBS)" ] ; then \
548	- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
549	- fi; \
550	[ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
551	$(MAKE) -f $(TOP)/Makefile.shared -e \
552	CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \