authorRichard Levitte <levitte@openssl.org>2019-10-04 01:38:17 +0200
committerRichard Levitte <levitte@openssl.org>2019-10-10 14:12:15 +0200
commitdec95d75897125133380c7ce3c6ce58c93c06f10 (patch)
treec95ecfb434a58251f6f422d413eda49f1ac53857 /providers/common
parente805c2d6d36d6be3db8141abc98f3ce5c6fa9776 (diff)
Rework how our providers are built
We put almost everything in these internal static libraries: libcommon Block building code that can be used by all our implementations, legacy and non-legacy alike. libimplementations All non-legacy algorithm implementations and only them. All the code that ends up here is agnostic to the definitions of FIPS_MODE. liblegacy All legacy implementations. libnonfips Support code for the algorithm implementations. Built with FIPS_MODE undefined. Any code that checks that FIPS_MODE isn't defined must end up in this library. libfips Support code for the algorithm implementations. Built with FIPS_MODE defined. Any code that checks that FIPS_MODE is defined must end up in this library. The FIPS provider module is built from providers/fips/*.c and linked with libimplementations, libcommon and libfips. The Legacy provider module is built from providers/legacy/*.c and linked with liblegacy, libcommon and libcrypto. If module building is disabled, the object files from liblegacy and libcommon are added to libcrypto and the Legacy provider becomes a built-in provider. The Default provider module is built-in, so it ends up being linked with libimplementations, libcommon and libnonfips. For libcrypto in form of static library, the object files from those other libraries are simply being added to libcrypto. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10088)
Diffstat (limited to 'providers/common')
-rw-r--r--providers/common/build.info7
-rw-r--r--providers/common/ciphers/build.info23
-rw-r--r--providers/common/ciphers/cipher_aes_xts.c6
-rw-r--r--providers/common/ciphers/cipher_aes_xts.h6
-rw-r--r--providers/common/ciphers/cipher_fips.c16
-rw-r--r--providers/common/digests/build.info10
-rw-r--r--providers/common/exchange/build.info8
-rw-r--r--providers/common/kdfs/build.info16
-rw-r--r--providers/common/kdfs/pbkdf2.c12
-rw-r--r--providers/common/kdfs/pbkdf2.h14
-rw-r--r--providers/common/kdfs/pbkdf2_fips.c20
-rw-r--r--providers/common/keymgmt/build.info9
-rw-r--r--providers/common/macs/build.info12
-rw-r--r--providers/common/signature/build.info6
14 files changed, 99 insertions, 66 deletions
diff --git a/providers/common/build.info b/providers/common/build.info
index 916cc3e4ea..95c2fd107e 100644
--- a/providers/common/build.info
+++ b/providers/common/build.info
@@ -1,5 +1,6 @@
SUBDIRS=digests ciphers macs kdfs exchange keymgmt signature
-$COMMON=provider_util.c
-SOURCE[../../libcrypto]=$COMMON provider_err.c provlib.c
-SOURCE[../fips]=$COMMON
+SOURCE[../libcommon.a]=provider_err.c provlib.c
+$FIPSCOMMON=provider_util.c
+SOURCE[../libnonfips.a]=$FIPSCOMMON
+SOURCE[../libfips.a]=$FIPSCOMMON
diff --git a/providers/common/ciphers/build.info b/providers/common/ciphers/build.info
index 0969e6d378..77376cce1e 100644
--- a/providers/common/ciphers/build.info
+++ b/providers/common/ciphers/build.info
@@ -1,21 +1,26 @@
-LIBS=../../../libcrypto
+# This source is common building blockss for all ciphers in all our providers.
+SOURCE[../../libcommon.a]=\
+ cipher_common.c cipher_common_hw.c block.c \
+ cipher_gcm.c cipher_gcm_hw.c \
+ cipher_ccm.c cipher_ccm_hw.c
+
+# These are our implementations
+$GOAL=../../libimplementations.a
IF[{- !$disabled{des} -}]
$COMMON_DES=cipher_tdes.c cipher_tdes_hw.c
ENDIF
-$COMMON=cipher_common.c cipher_common_hw.c block.c \
+SOURCE[$GOAL]=\
cipher_aes.c cipher_aes_hw.c \
cipher_aes_xts.c cipher_aes_xts_hw.c \
- cipher_gcm.c cipher_gcm_hw.c \
cipher_aes_gcm.c cipher_aes_gcm_hw.c \
- cipher_ccm.c cipher_ccm_hw.c \
cipher_aes_ccm.c cipher_aes_ccm_hw.c \
cipher_aes_wrp.c \
$COMMON_DES
-
-SOURCE[../../../libcrypto]=$COMMON
-INCLUDE[../../../libcrypto]=. ../../../crypto
+# Because some default ciphers need it
+INCLUDE[$GOAL]=.
-SOURCE[../../fips]=$COMMON
-INCLUDE[../../fips]=. ../../../crypto
+# Finally, we have a few things that aren't FIPS agnostic
+SOURCE[../../libfips.a]=cipher_fips.c
+SOURCE[../../libnonfips.a]=cipher_fips.c
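Review bot: The first comment line added in this hunk has a typo, "blockss"; it should read `# This source is common building blocks for all ciphers in all our providers.` Separately, `cipher_fips.c` is listed for both libfips.a and libnonfips.a, and the closing comment could say that the two copies differ only through FIPS_MODE at compile time, e.g. `# cipher_fips.c is compiled twice, with and without FIPS_MODE`.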
diff --git a/providers/common/ciphers/cipher_aes_xts.c b/providers/common/ciphers/cipher_aes_xts.c
index fdda733d24..d0b999081e 100644
--- a/providers/common/ciphers/cipher_aes_xts.c
+++ b/providers/common/ciphers/cipher_aes_xts.c
@@ -20,12 +20,6 @@
#define AES_XTS_IV_BITS 128
#define AES_XTS_BLOCK_BITS 8
-#ifdef FIPS_MODE
-static const int allow_insecure_decrypt = 0;
-#else
-static const int allow_insecure_decrypt = 1;
-#endif /* FIPS_MODE */
-
/* forward declarations */
static OSSL_OP_cipher_encrypt_init_fn aes_xts_einit;
static OSSL_OP_cipher_decrypt_init_fn aes_xts_dinit;
diff --git a/providers/common/ciphers/cipher_aes_xts.h b/providers/common/ciphers/cipher_aes_xts.h
index 4f8a8f874f..16fb8c34cd 100644
--- a/providers/common/ciphers/cipher_aes_xts.h
+++ b/providers/common/ciphers/cipher_aes_xts.h
@@ -10,6 +10,12 @@
#include <openssl/aes.h>
#include "internal/ciphers/ciphercommon.h"
+/*
+ * Available in cipher_fips.c, and compiled with different values depending
+ * on we're in the FIPS module or not.
+ */
+extern const int allow_insecure_decrypt;
+
PROV_CIPHER_FUNC(void, xts_stream,
(const unsigned char *in, unsigned char *out, size_t len,
const AES_KEY *key1, const AES_KEY *key2,
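Review bot: `allow_insecure_decrypt` goes from a file-local `static const` to an object with external linkage and an unprefixed name, and the new comment does not say what the flag permits or which value belongs to which build. The commit message states that for a static libcrypto these objects are added to libcrypto itself, so the name lands in the namespace applications link against; a project-prefixed name would avoid collisions. The value is also now selected by which of libfips.a or libnonfips.a is linked, not by the preprocessor in the file that uses it. I would spell that out, e.g. `/* Defined in cipher_fips.c: 0 when built with FIPS_MODE (libfips.a), 1 otherwise (libnonfips.a). */`, and fix the wording to "depending on whether we're". The same naming and documentation point applies to the definition in cipher_fips.c and to `kdf_pbkdf2_default_checks` in pbkdf2.h; the `PROV_CIPHER_FUNC` declaration below continues outside the hunk.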
diff --git a/providers/common/ciphers/cipher_fips.c b/providers/common/ciphers/cipher_fips.c
new file mode 100644
index 0000000000..c99d6ed2f4
--- /dev/null
+++ b/providers/common/ciphers/cipher_fips.c
@@ -0,0 +1,16 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "cipher_aes_xts.h"
+
+#ifdef FIPS_MODE
+const int allow_insecure_decrypt = 0;
+#else
+const int allow_insecure_decrypt = 1;
+#endif /* FIPS_MODE */
diff --git a/providers/common/digests/build.info b/providers/common/digests/build.info
index fbbce36e87..2a8e8aa397 100644
--- a/providers/common/digests/build.info
+++ b/providers/common/digests/build.info
@@ -1,5 +1,7 @@
-$COMMON=sha2_prov.c sha3_prov.c digest_common.c
+# This source is common for all digests in all our providers.
+SOURCE[../../libcommon.a]=digest_common.c
-SOURCE[../../../libcrypto]=$COMMON
-SOURCE[../../fips]=$COMMON
-SOURCE[../../legacy]= digest_common.c
+# These are our implementations
+$GOAL=../../libimplementations.a
+
+SOURCE[$GOAL]=sha2_prov.c sha3_prov.c
diff --git a/providers/common/exchange/build.info b/providers/common/exchange/build.info
index c99c9d81b5..90ea0c9a02 100644
--- a/providers/common/exchange/build.info
+++ b/providers/common/exchange/build.info
@@ -1,7 +1,5 @@
-LIBS=../../../libcrypto
+$GOAL=../../libimplementations.a
+
IF[{- !$disabled{dh} -}]
- SOURCE[../../../libcrypto]=\
- dh_exch.c
+ SOURCE[$GOAL]=dh_exch.c
ENDIF
-
-
diff --git a/providers/common/kdfs/build.info b/providers/common/kdfs/build.info
index 8a723d488d..b2b354dc34 100644
--- a/providers/common/kdfs/build.info
+++ b/providers/common/kdfs/build.info
@@ -1,13 +1,5 @@
-$COMMON=tls1_prf.c hkdf.c kbkdf.c pbkdf2.c sskdf.c
+$GOAL=../../libimplementations.a
-LIBS=../../../libcrypto
-SOURCE[../../../libcrypto]=$COMMON
-INCLUDE[../../../libcrypto]=. ../../../crypto
-
-IF[{- !$disabled{fips} -}]
- MODULES=../../fips
- SOURCE[../../fips]=$COMMON
- INCLUDE[../../fips]=. ../../../crypto
-ENDIF
-
-
+SOURCE[$GOAL]=tls1_prf.c hkdf.c kbkdf.c pbkdf2.c sskdf.c
+SOURCE[../../libfips.a]=pbkdf2_fips.c
+SOURCE[../../libnonfips.a]=pbkdf2_fips.c
diff --git a/providers/common/kdfs/pbkdf2.c b/providers/common/kdfs/pbkdf2.c
index b98123b872..68aa0aa7c4 100644
--- a/providers/common/kdfs/pbkdf2.c
+++ b/providers/common/kdfs/pbkdf2.c
@@ -21,21 +21,13 @@
#include "internal/providercommonerr.h"
#include "internal/provider_algs.h"
#include "internal/provider_util.h"
+#include "pbkdf2.h"
/* Constants specified in SP800-132 */
#define KDF_PBKDF2_MIN_KEY_LEN_BITS 112
#define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF
#define KDF_PBKDF2_MIN_ITERATIONS 1000
#define KDF_PBKDF2_MIN_SALT_LEN (128 / 8)
-/*
- * For backwards compatibility reasons,
- * Extra checks are done by default in fips mode only.
- */
-#ifdef FIPS_MODE
-# define KDF_PBKDF2_DEFAULT_CHECKS 1
-#else
-# define KDF_PBKDF2_DEFAULT_CHECKS 0
-#endif /* FIPS_MODE */
static OSSL_OP_kdf_newctx_fn kdf_pbkdf2_new;
static OSSL_OP_kdf_freectx_fn kdf_pbkdf2_free;
@@ -111,7 +103,7 @@ static void kdf_pbkdf2_init(KDF_PBKDF2 *ctx)
/* This is an error, but there is no way to indicate such directly */
ossl_prov_digest_reset(&ctx->digest);
ctx->iter = PKCS5_DEFAULT_ITER;
- ctx->lower_bound_checks = KDF_PBKDF2_DEFAULT_CHECKS;
+ ctx->lower_bound_checks = kdf_pbkdf2_default_checks;
}
static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen,
diff --git a/providers/common/kdfs/pbkdf2.h b/providers/common/kdfs/pbkdf2.h
new file mode 100644
index 0000000000..c8c2e5b8a7
--- /dev/null
+++ b/providers/common/kdfs/pbkdf2.h
@@ -0,0 +1,14 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Available in pbkdfe_fips.c, and compiled with different values depending
+ * on we're in the FIPS module or not.
+ */
+extern const int kdf_pbkdf2_default_checks;
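Review bot: The comment in this new header names the defining file as `pbkdfe_fips.c`, but the file added by this commit is `pbkdf2_fips.c`. The two comment lines should read `* Available in pbkdf2_fips.c, and compiled with different values depending` and `* on whether we're in the FIPS module or not.` The header also has no include guard; repeating an `extern` declaration is harmless today, but a guard keeps it safe once anything else is added here.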
diff --git a/providers/common/kdfs/pbkdf2_fips.c b/providers/common/kdfs/pbkdf2_fips.c
new file mode 100644
index 0000000000..d33782b24c
--- /dev/null
+++ b/providers/common/kdfs/pbkdf2_fips.c
@@ -0,0 +1,20 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "pbkdf2.h"
+
+/*
+ * For backwards compatibility reasons,
+ * Extra checks are done by default in fips mode only.
+ */
+#ifdef FIPS_MODE
+const int kdf_pbkdf2_default_checks = 1;
+#else
+const int kdf_pbkdf2_default_checks = 0;
+#endif /* FIPS_MODE */
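Review bot: The comment above `kdf_pbkdf2_default_checks` says only that "extra checks" are on by default in FIPS mode, without naming them or the field they feed. The pbkdf2.c hunk shows this value initialising `ctx->lower_bound_checks`, which presumably gates the SP800-132 minimums defined there (key length, iterations, salt length). If so, the non-FIPS default of 0 leaves those minimums unenforced unless the caller opts in. I would say so here, e.g. `/* Default for lower_bound_checks (SP800-132 minimums in pbkdf2.c): 1 in the FIPS module, 0 elsewhere for backwards compatibility. */`.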
diff --git a/providers/common/keymgmt/build.info b/providers/common/keymgmt/build.info
index e66190c401..533c489077 100644
--- a/providers/common/keymgmt/build.info
+++ b/providers/common/keymgmt/build.info
@@ -1,9 +1,8 @@
-LIBS=../../../libcrypto
+$GOAL=../../libimplementations.a
+
IF[{- !$disabled{dh} -}]
- SOURCE[../../../libcrypto]=\
- dh_kmgmt.c
+ SOURCE[$GOAL]=dh_kmgmt.c
ENDIF
IF[{- !$disabled{dsa} -}]
- SOURCE[../../../libcrypto]=\
- dsa_kmgmt.c
+ SOURCE[$GOAL]=dsa_kmgmt.c
ENDIF
diff --git a/providers/common/macs/build.info b/providers/common/macs/build.info
index 832a1e76ec..1eafe70604 100644
--- a/providers/common/macs/build.info
+++ b/providers/common/macs/build.info
@@ -1,15 +1,9 @@
+$GOAL=../../libimplementations.a
+
$COMMON=gmac_prov.c hmac_prov.c kmac_prov.c
IF[{- !$disabled{cmac} -}]
$COMMON=$COMMON cmac_prov.c
ENDIF
-LIBS=../../../libcrypto
-SOURCE[../../../libcrypto]=$COMMON
-INCLUDE[../../../libcrypto]=. ../../../crypto
-
-IF[{- !$disabled{fips} -}]
- MODULES=../../fips
- SOURCE[../../fips]=$COMMON
- INCLUDE[../../fips]=. ../../../crypto
-ENDIF
+SOURCE[$GOAL]=$COMMON
diff --git a/providers/common/signature/build.info b/providers/common/signature/build.info
index 5b64229dfc..496fb7d7d8 100644
--- a/providers/common/signature/build.info
+++ b/providers/common/signature/build.info
@@ -1,7 +1,7 @@
-LIBS=../../../libcrypto
+$GOAL=../../libimplementations.a
+
IF[{- !$disabled{dsa} -}]
- SOURCE[../../../libcrypto]=\
- dsa.c
+ SOURCE[$GOAL]=dsa.c
ENDIF