Add FIPS shared mode. This change adds a FIPS integrity check using shared libraries. Unlike with the static case, a shared build can take advantage of the linker resolving relocations and thus doesn't need delocation. It does mean that both .text and .rodata sections need to be handled, however, so the hashing format is slightly different. inject-hash.go is updated to be able to rewrite shared libraries to inject the correct hash value. Change-Id: I9a71910cd6df3a85e4efac896b0913e65b5f875b Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/36024 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>

commit: d72e47fddbbb2938ff3eb737bb4491647fac8bac [log] [tgz]
author: Adam Langley <alangley@gmail.com> Thu May 09 16:39:49 2019 -0700
committer: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Thu May 30 19:03:16 2019 +0000
tree: ca3b7794c2b202dded142234ffb7608b146fbb85
parent: 9b896cf148e692fca46d7f34d0e45d1c58764db3 [diff] [blame]
diff --git a/include/openssl/cpu.h b/include/openssl/cpu.h
index ad5fc94..eb36a57 100644
--- a/include/openssl/cpu.h
+++ b/include/openssl/cpu.h

@@ -93,7 +93,7 @@
 // bits in XCR0, so it is not necessary to check those.
 extern uint32_t OPENSSL_ia32cap_P[4];
 
-#if defined(BORINGSSL_FIPS)
+#if defined(BORINGSSL_FIPS) && !defined(BORINGSSL_SHARED_LIBRARY)
 const uint32_t *OPENSSL_ia32cap_get(void);
 #else
 OPENSSL_INLINE const uint32_t *OPENSSL_ia32cap_get(void) {
commit	d72e47fddbbb2938ff3eb737bb4491647fac8bac	[log] [tgz]
author	Adam Langley <alangley@gmail.com>	Thu May 09 16:39:49 2019 -0700
committer	CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>	Thu May 30 19:03:16 2019 +0000
tree	ca3b7794c2b202dded142234ffb7608b146fbb85
parent	9b896cf148e692fca46d7f34d0e45d1c58764db3 [diff] [blame]