fipsld 6.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178
  1. #!/bin/sh -e
  2. #
  3. # Copyright (c) 2005-2007 The OpenSSL Project.
  4. #
  5. # Depending on output file name, the script either embeds fingerprint
  6. # into libcrypto.so or static application. "Static" refers to static
  7. # libcrypto.a, not [necessarily] application per se.
  8. #
  9. # Even though this script is called fipsld, it expects C compiler
  10. # command line syntax and $FIPSLD_CC or $CC environment variable set
  11. # and can even be used to compile source files.
  12. #set -x
  13. CC=${FIPSLD_CC:-${CC}}
  14. [ -n "${CC}" ] || { echo '$CC is not defined'; exit 1; }
  15. # Initially -c wasn't intended to be interpreted here, but it might
  16. # make life easier for those who want to build FIPS-ified applications
  17. # with minimal [if any] modifications to their Makefiles...
  18. ( while [ "x$1" != "x" -a "x$1" != "x-c" -a "x$1" != "x-E" ]; do shift; done;
  19. [ $# -ge 1 ]
  20. ) && exec ${CC} "$@"
  21. TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)`
  22. # If using an auto-tooled (autoconf/automake/libtool) project,
  23. # configure will fail when testing the compiler or even performing
  24. # simple checks. Pass-through to compiler directly if application is
  25. # is not being linked with libcrypto, allowing auto-tooled applications
  26. # to utilize fipsld (e.g. CC=/usr/local/ssl/bin/fipsld FIPSLD_CC=gcc
  27. # ./configure && make). But keep in mind[!] that if certified code
  28. # resides in a shared library, then fipsld *may not* be used and
  29. # end-developer should not modify application configuration and build
  30. # procedures. This is because in-core fingerprint and associated
  31. # procedures are already embedded into and executed in shared library
  32. # context.
  33. case `basename "${TARGET}"` in
  34. libcrypto*|libfips*|*.dll) ;;
  35. *) case "$*" in
  36. *libcrypto.a*|*-lcrypto*|*fipscanister.o*) ;;
  37. *) exec ${CC} "$@" ;;
  38. esac
  39. esac
  40. [ -n "${TARGET}" ] || { echo 'no -o specified'; exit 1; }
  41. # Turn on debugging output?
  42. ( while [ "x$1" != "x" -a "x$1" != "x-DDEBUG_FINGERPRINT_PREMAIN" ]; do shift; done;
  43. [ $# -ge 1 ]
  44. ) && set -x
  45. THERE="`echo $0 | sed -e 's|[^/]*$||'`"..
  46. # fipscanister.o can appear in command line
  47. CANISTER_O=`(while [ "x$1" != "x" ]; do case "$1" in *fipscanister.o) echo $1; exit;; esac; shift; done)`
  48. if [ -z "${CANISTER_O}" ]; then
  49. # If set, FIPSLIBDIR is location of installed validated FIPS module
  50. if [ -n "${FIPSLIBDIR}" ]; then
  51. CANISTER_O="${FIPSLIBDIR}/fipscanister.o"
  52. elif [ -f "${THERE}/fips/fipscanister.o" ]; then
  53. CANISTER_O="${THERE}/fips/fipscanister.o"
  54. elif [ -f "${THERE}/lib/fipscanister.o" ]; then
  55. CANISTER_O="${THERE}/lib/fipscanister.o"
  56. fi
  57. CANISTER_O_CMD="${CANISTER_O}"
  58. fi
  59. [ -f ${CANISTER_O} ] || { echo "unable to find ${CANISTER_O}"; exit 1; }
  60. PREMAIN_C=`dirname "${CANISTER_O}"`/fips_premain.c
  61. HMAC_KEY="etaonrishdlcupfm"
  62. case "`(uname -s) 2>/dev/null`" in
  63. OSF1|IRIX*) _WL_PREMAIN="-Wl,-init,FINGERPRINT_premain" ;;
  64. HP-UX) _WL_PREMAIN="-Wl,+init,FINGERPRINT_premain" ;;
  65. AIX) _WL_PREMAIN="-Wl,-binitfini:FINGERPRINT_premain,-bnoobjreorder";;
  66. Darwin) ( while [ "x$1" != "x" -a "x$1" != "x-dynamiclib" ]; do shift; done;
  67. [ $# -ge 1 ]
  68. ) && _WL_PREMAIN="-Wl,-init,_FINGERPRINT_premain" ;;
  69. esac
  70. case "${TARGET}" in
  71. [!/]*) TARGET=./${TARGET} ;;
  72. esac
  73. case `basename "${TARGET}"` in
  74. lib*|*.dll) # must be linking a shared lib...
  75. # Shared lib creation can be taking place in the source
  76. # directory only, but fipscanister.o can reside elsewhere...
  77. FINGERTYPE="${THERE}/fips/fips_standalone_sha1"
  78. # verify fipspremain.c against its detached signature...
  79. ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \
  80. diff -w "${PREMAIN_C}.sha1" - || \
  81. { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
  82. # verify fipscanister.o against its detached signature...
  83. ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
  84. diff -w "${CANISTER_O}.sha1" - || \
  85. { echo "${CANISTER_O} fingerprint mismatch"; exit 1; }
  86. # Temporarily remove fipscanister.o from libcrypto.a!
  87. # We are required to use the standalone copy...
  88. if [ -f "${THERE}/libcrypto.a" ]; then
  89. if ar d "${THERE}/libcrypto.a" fipscanister.o; then
  90. (ranlib "${THERE}/libcrypto.a") 2>/dev/null || :
  91. trap 'ar r "${THERE}/libcrypto.a" "${CANISTER_O}";
  92. (ranlib "${THERE}/libcrypto.a") 2>/dev/null || :;
  93. sleep 1;
  94. touch -c "${TARGET}"' 0
  95. fi
  96. fi
  97. /bin/rm -f "${TARGET}"
  98. ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
  99. "${PREMAIN_C}" \
  100. ${_WL_PREMAIN} "$@"
  101. # generate signature...
  102. if [ -z "${FIPS_SIG}" ]; then
  103. SIG=`"${THERE}/fips/fips_premain_dso" "${TARGET}"`
  104. else
  105. SIG=`"${FIPS_SIG}" -dso "${TARGET}"`
  106. fi
  107. /bin/rm -f "${TARGET}"
  108. if [ -z "${SIG}" ]; then
  109. echo "unable to collect signature"; exit 1
  110. fi
  111. # recompile with signature...
  112. ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
  113. -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \
  114. ${_WL_PREMAIN} "$@"
  115. ;;
  116. *) # must be linking statically...
  117. # Static linking can be taking place either in the source
  118. # directory or off the installed binary target destination.
  119. if [ -x "${THERE}/fips/fips_standalone_sha1" ]; then
  120. FINGERTYPE="${THERE}/fips/fips_standalone_sha1"
  121. else # Installed tree is expected to contain
  122. # lib/fipscanister.o, lib/fipscanister.o.sha1 and
  123. # lib/fips_premain.c [not to mention bin/openssl].
  124. FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}"
  125. fi
  126. # verify fipscanister.o against its detached signature...
  127. ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
  128. diff -w "${CANISTER_O}.sha1" - || \
  129. { echo "${CANISTER_O} fingerprint mismatch"; exit 1; }
  130. # verify fips_premain.c against its detached signature...
  131. ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \
  132. diff -w "${PREMAIN_C}.sha1" - || \
  133. { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
  134. /bin/rm -f "${TARGET}"
  135. ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
  136. "${PREMAIN_C}" \
  137. ${_WL_PREMAIN} "$@"
  138. # generate signature...
  139. if [ -z "${FIPS_SIG}" ]; then
  140. SIG=`"${TARGET}"`
  141. else
  142. SIG=`"${FIPS_SIG}" -exe "${TARGET}"`
  143. fi
  144. /bin/rm -f "${TARGET}"
  145. if [ -z "${SIG}" ]; then
  146. echo "unable to collect signature"; exit 1
  147. fi
  148. # recompile with signature...
  149. ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
  150. -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \
  151. ${_WL_PREMAIN} "$@"
  152. ;;
  153. esac