Acasă Explorează Ajutor
Autentificare
OWEALs
/
openssl
oglindă de git://git.openssl.org/openssl.git
2
0
Bifurcare 0
Fisiere Probleme 1 Wiki
Arbore: 08557cf22c
Ramuri Etichete
openssl
/
fips
/
fipsld

fipsld 6.0 KB
Istoric Crud

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178 
  1. #!/bin/sh -e
    2. 

  2. #
    3. 

  3. # Copyright (c) 2005-2007 The OpenSSL Project.
    4. 

  4. #
    5. 

  5. # Depending on output file name, the script either embeds fingerprint
    6. 

  6. # into libcrypto.so or static application. "Static" refers to static
    7. 

  7. # libcrypto.a, not [necessarily] application per se.
    8. 

  8. #
    9. 

  9. # Even though this script is called fipsld, it expects C compiler
    10. 

  10. # command line syntax and $FIPSLD_CC or $CC environment variable set
    11. 

  11. # and can even be used to compile source files.
    12. 

  12. 

  13. #set -x
    14. 

  14. 

  15. CC=${FIPSLD_CC:-${CC}}
    16. 

  16. [ -n "${CC}" ] || { echo '$CC is not defined'; exit 1; }
    17. 

  17. 

  18. # Initially -c wasn't intended to be interpreted here, but it might
    19. 

  19. # make life easier for those who want to build FIPS-ified applications
    20. 

  20. # with minimal [if any] modifications to their Makefiles...
    21. 

  21. (   while [ "x$1" != "x" -a "x$1" != "x-c" -a "x$1" != "x-E" ]; do shift; done;
    22. 

  22.     [ $# -ge 1 ]
    23. 

  23. ) && exec ${CC} "$@"
    24. 

  24. 

  25. TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)`
    26. 

  26. 

  27. # If using an auto-tooled (autoconf/automake/libtool) project,
    28. 

  28. # configure will fail when testing the compiler or even performing
    29. 

  29. # simple checks. Pass-through to compiler directly if application is
    30. 

  30. # is not being linked with libcrypto, allowing auto-tooled applications
    31. 

  31. # to utilize fipsld (e.g. CC=/usr/local/ssl/bin/fipsld FIPSLD_CC=gcc
    32. 

  32. # ./configure && make). But keep in mind[!] that if certified code
    33. 

  33. # resides in a shared library, then fipsld *may not* be used and
    34. 

  34. # end-developer should not modify application configuration and build
    35. 

  35. # procedures. This is because in-core fingerprint and associated
    36. 

  36. # procedures are already embedded into and executed in shared library
    37. 

  37. # context.
    38. 

  38. case `basename "${TARGET}"` in
    39. 

  39. libcrypto*|libfips*|*.dll)		;;
    40. 

  40. *)	case "$*" in
    41. 

  41. 	*libcrypto.a*|*-lcrypto*|*fipscanister.o*)	;;
    42. 

  42. 	*)	exec ${CC} "$@"		;;
    43. 

  43. 	esac
    44. 

  44. esac
    45. 

  45. 

  46. [ -n "${TARGET}" ] || { echo 'no -o specified'; exit 1; }
    47. 

  47. 

  48. # Turn on debugging output?
    49. 

  49. (   while [ "x$1" != "x" -a "x$1" != "x-DDEBUG_FINGERPRINT_PREMAIN" ]; do shift; done;
    50. 

  50.     [ $# -ge 1 ]
    51. 

  51. ) && set -x
    52. 

  52. 

  53. THERE="`echo $0 | sed -e 's|[^/]*$||'`"..
    54. 

  54. 

  55. # fipscanister.o can appear in command line
    56. 

  56. CANISTER_O=`(while [ "x$1" != "x" ]; do case "$1" in *fipscanister.o) echo $1; exit;; esac; shift; done)`
    57. 

  57. if [ -z "${CANISTER_O}" ]; then
    58. 

  58. 	# If set, FIPSLIBDIR is location of installed validated FIPS module
    59. 

  59. 	if [ -n "${FIPSLIBDIR}" ]; then
    60. 

  60. 		CANISTER_O="${FIPSLIBDIR}/fipscanister.o"
    61. 

  61. 	elif [ -f "${THERE}/fips/fipscanister.o" ]; then
    62. 

  62. 		CANISTER_O="${THERE}/fips/fipscanister.o"
    63. 

  63. 	elif [ -f "${THERE}/lib/fipscanister.o" ]; then
    64. 

  64. 		CANISTER_O="${THERE}/lib/fipscanister.o"
    65. 

  65. 	fi
    66. 

  66. 	CANISTER_O_CMD="${CANISTER_O}"
    67. 

  67. fi
    68. 

  68. [ -f ${CANISTER_O} ] || { echo "unable to find ${CANISTER_O}"; exit 1; }
    69. 

  69. 

  70. PREMAIN_C=`dirname "${CANISTER_O}"`/fips_premain.c
    71. 

  71. 

  72. HMAC_KEY="etaonrishdlcupfm"
    73. 

  73. 

  74. case "`(uname -s) 2>/dev/null`" in
    75. 

  75. OSF1|IRIX*)	_WL_PREMAIN="-Wl,-init,FINGERPRINT_premain"	;;
    76. 

  76. HP-UX)		_WL_PREMAIN="-Wl,+init,FINGERPRINT_premain"	;;
    77. 

  77. AIX)		_WL_PREMAIN="-Wl,-binitfini:FINGERPRINT_premain,-bnoobjreorder";;
    78. 

  78. Darwin)		(   while [ "x$1" != "x" -a "x$1" != "x-dynamiclib" ]; do shift; done;
    79. 

  79. 		    [ $# -ge 1 ]
    80. 

  80. 		) && _WL_PREMAIN="-Wl,-init,_FINGERPRINT_premain" ;;
    81. 

  81. esac
    82. 

  82. 

  83. case "${TARGET}" in
    84. 

  84. [!/]*)	TARGET=./${TARGET} ;;
    85. 

  85. esac
    86. 

  86. 

  87. case `basename "${TARGET}"` in
    88. 

  88. lib*|*.dll)	# must be linking a shared lib...
    89. 

  89. 	# Shared lib creation can be taking place in the source
    90. 

  90. 	# directory only, but fipscanister.o can reside elsewhere...
    91. 

  91. 	FINGERTYPE="${THERE}/fips/fips_standalone_sha1"
    92. 

  92. 

  93. 	# verify fipspremain.c against its detached signature...
    94. 

  94. 	${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \
    95. 

  95. 		diff -w "${PREMAIN_C}.sha1" - || \
    96. 

  96. 	{ echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
    97. 

  97. 	# verify fipscanister.o against its detached signature...
    98. 

  98. 	${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
    99. 

  99. 		diff -w "${CANISTER_O}.sha1" - || \
    100. 

  100. 	{ echo "${CANISTER_O} fingerprint mismatch"; exit 1; }
    101. 

  101. 

  102. 	# Temporarily remove fipscanister.o from libcrypto.a!
    103. 

  103. 	# We are required to use the standalone copy...
    104. 

  104. 	if [ -f "${THERE}/libcrypto.a" ]; then
    105. 

  105. 	    if ar d "${THERE}/libcrypto.a" fipscanister.o; then
    106. 

  106. 		(ranlib "${THERE}/libcrypto.a") 2>/dev/null || :
    107. 

  107. 		trap	'ar r "${THERE}/libcrypto.a" "${CANISTER_O}";
    108. 

  108. 			 (ranlib "${THERE}/libcrypto.a") 2>/dev/null || :;
    109. 

  109. 			 sleep 1;
    110. 

  110. 			 touch -c "${TARGET}"' 0
    111. 

  111. 	    fi
    112. 

  112. 	fi
    113. 

  113. 

  114. 	/bin/rm -f "${TARGET}"
    115. 

  115. 	${CC}	${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
    116. 

  116. 		"${PREMAIN_C}" \
    117. 

  117. 		${_WL_PREMAIN} "$@"
    118. 

  118. 

  119. 	# generate signature...
    120. 

  120. 	if [ -z "${FIPS_SIG}" ]; then
    121. 

  121. 		SIG=`"${THERE}/fips/fips_premain_dso" "${TARGET}"`
    122. 

  122. 	else
    123. 

  123. 		SIG=`"${FIPS_SIG}" -dso "${TARGET}"`
    124. 

  124. 	fi
    125. 

  125. 	/bin/rm -f "${TARGET}"
    126. 

  126. 	if [ -z "${SIG}" ]; then
    127. 

  127. 	   echo "unable to collect signature"; exit 1
    128. 

  128. 	fi
    129. 

  129. 

  130. 	# recompile with signature...
    131. 

  131. 	${CC}	${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
    132. 

  132. 		-DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \
    133. 

  133. 		${_WL_PREMAIN} "$@"
    134. 

  134. 	;;
    135. 

  135. 

  136. *)	# must be linking statically...
    137. 

  137. 	# Static linking can be taking place either in the source
    138. 

  138. 	# directory or off the installed binary target destination.
    139. 

  139. 	if [ -x "${THERE}/fips/fips_standalone_sha1" ]; then
    140. 

  140. 		FINGERTYPE="${THERE}/fips/fips_standalone_sha1"
    141. 

  141. 	else	# Installed tree is expected to contain
    142. 

  142. 		# lib/fipscanister.o, lib/fipscanister.o.sha1 and
    143. 

  143. 		# lib/fips_premain.c [not to mention bin/openssl].
    144. 

  144. 		FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}"
    145. 

  145. 	fi
    146. 

  146. 

  147. 	# verify fipscanister.o against its detached signature...
    148. 

  148. 	${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
    149. 

  149. 		diff -w "${CANISTER_O}.sha1" - || \
    150. 

  150. 	{ echo "${CANISTER_O} fingerprint mismatch"; exit 1; }
    151. 

  151. 

  152. 	# verify fips_premain.c against its detached signature...
    153. 

  153. 	${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \
    154. 

  154. 		diff -w "${PREMAIN_C}.sha1" - || \
    155. 

  155. 	{ echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
    156. 

  156. 

  157. 	/bin/rm -f "${TARGET}"
    158. 

  158. 	${CC}	${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
    159. 

  159. 		"${PREMAIN_C}" \
    160. 

  160. 		${_WL_PREMAIN} "$@"
    161. 

  161. 

  162. 	# generate signature...
    163. 

  163. 	if [ -z "${FIPS_SIG}" ]; then
    164. 

  164. 		SIG=`"${TARGET}"`
    165. 

  165. 	else
    166. 

  166. 		SIG=`"${FIPS_SIG}" -exe "${TARGET}"`
    167. 

  167. 	fi
    168. 

  168. 	/bin/rm -f "${TARGET}"
    169. 

  169. 	if [ -z "${SIG}" ]; then
    170. 

  170. 	   echo "unable to collect signature"; exit 1
    171. 

  171. 	fi
    172. 

  172. 

  173. 	# recompile with signature...
    174. 

  174. 	${CC}	${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
    175. 

  175. 		-DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \
    176. 

  176. 		${_WL_PREMAIN} "$@"
    177. 

  177. 	;;
    178. 

  178. esac
    179.