123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197 |
- #!/bin/sh -e
- #
- # Copyright (c) 2005-2011 The OpenSSL Project.
- #
- # Depending on output file name, the script either embeds fingerprint
- # into libcrypto.so or static application. "Static" refers to static
- # libcrypto.a, not [necessarily] application per se.
- #
- # Even though this script is called fipsld, it expects C compiler
- # command line syntax and $FIPSLD_CC or $CC environment variable set
- # and can even be used to compile source files.
- #set -x
- CC=${FIPSLD_CC:-${CC}}
- [ -n "${CC}" ] || { echo '$CC is not defined'; exit 1; }
- # Initially -c wasn't intended to be interpreted here, but it might
- # make life easier for those who want to build FIPS-ified applications
- # with minimal [if any] modifications to their Makefiles...
- ( while [ "x$1" != "x" -a "x$1" != "x-c" -a "x$1" != "x-E" ]; do shift; done;
- [ $# -ge 1 ]
- ) && exec ${CC} "$@"
- TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)`
- # If using an auto-tooled (autoconf/automake/libtool) project,
- # configure will fail when testing the compiler or even performing
- # simple checks. Pass-through to compiler directly if application is
- # is not being linked with libcrypto, allowing auto-tooled applications
- # to utilize fipsld (e.g. CC=/usr/local/ssl/bin/fipsld FIPSLD_CC=gcc
- # ./configure && make). But keep in mind[!] that if certified code
- # resides in a shared library, then fipsld *may not* be used and
- # end-developer should not modify application configuration and build
- # procedures. This is because in-core fingerprint and associated
- # procedures are already embedded into and executed in shared library
- # context.
- case `basename "${TARGET}"` in
- libcrypto*|libfips*|*.dll) ;;
- *) case "$*" in
- *libcrypto.a*|*-lcrypto*|*fipscanister.o*) ;;
- *) exec ${CC} "$@" ;;
- esac
- esac
- [ -n "${TARGET}" ] || { echo 'no -o specified'; exit 1; }
- # Turn on debugging output?
- ( while [ "x$1" != "x" -a "x$1" != "x-DDEBUG_FINGERPRINT_PREMAIN" ]; do shift; done;
- [ $# -ge 1 ]
- ) && set -x
- THERE="`echo $0 | sed -e 's|[^/]*$||'`"..
- # fipscanister.o can appear in command line
- CANISTER_O=`(while [ "x$1" != "x" ]; do case "$1" in *fipscanister.o) echo $1; exit;; esac; shift; done)`
- if [ -z "${CANISTER_O}" ]; then
- # If set, FIPSLIBDIR is location of installed validated FIPS module
- if [ -n "${FIPSLIBDIR}" ]; then
- CANISTER_O="${FIPSLIBDIR}/fipscanister.o"
- elif [ -f "${THERE}/fips/fipscanister.o" ]; then
- CANISTER_O="${THERE}/fips/fipscanister.o"
- elif [ -f "${THERE}/lib/fipscanister.o" ]; then
- CANISTER_O="${THERE}/lib/fipscanister.o"
- fi
- CANISTER_O_CMD="${CANISTER_O}"
- fi
- [ -f ${CANISTER_O} ] || { echo "unable to find ${CANISTER_O}"; exit 1; }
- PREMAIN_C=`dirname "${CANISTER_O}"`/fips_premain.c
- HMAC_KEY="etaonrishdlcupfm"
- case "`(uname -s) 2>/dev/null`" in
- OSF1|IRIX*) _WL_PREMAIN="-Wl,-init,FINGERPRINT_premain" ;;
- HP-UX) _WL_PREMAIN="-Wl,+init,FINGERPRINT_premain" ;;
- AIX) _WL_PREMAIN="-Wl,-binitfini:FINGERPRINT_premain,-bnoobjreorder";;
- Darwin) ( while [ "x$1" != "x" -a "x$1" != "x-dynamiclib" ]; do shift; done;
- [ $# -ge 1 ]
- ) && _WL_PREMAIN="-Wl,-init,_FINGERPRINT_premain" ;;
- esac
- case "${TARGET}" in
- [!/]*) TARGET=./${TARGET} ;;
- esac
- case `basename "${TARGET}"` in
- lib*|*.dll) # must be linking a shared lib...
- # Shared lib creation can be taking place in the source
- # directory only, but fipscanister.o can reside elsewhere...
- if [ -x "${THERE}/fips/fips_standalone_sha1" ]; then
- FINGERTYPE="${THERE}/fips/fips_standalone_sha1"
- PREMAIN_DSO="${THERE}/fips/fips_premain_dso"
- elif [ -x "${THERE}/bin/fips_standalone_sha1" ]; then
- FINGERTYPE="${THERE}/bin/fips_standalone_sha1"
- PREMAIN_DSO="./fips_premain_dso"
- fi
- # verify fipspremain.c against its detached signature...
- ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \
- diff -w "${PREMAIN_C}.sha1" - || \
- { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
- # verify fipscanister.o against its detached signature...
- ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
- diff -w "${CANISTER_O}.sha1" - || \
- { echo "${CANISTER_O} fingerprint mismatch"; exit 1; }
- [ -z "${FIPSLD_LIBCRYPTO}" -a -f "${THERE}/libcrypto.a" ] && \
- FIPSLD_LIBCRYPTO="${THERE}/libcrypto.a"
-
- # Temporarily remove fipscanister.o from libcrypto.a!
- # We are required to use the standalone copy...
- if [ -n "${FIPSLD_LIBCRYPTO}" ]; then
- if ar d "${FIPSLD_LIBCRYPTO}" fipscanister.o; then
- (ranlib "${FIPSLD_LIBCRYPTO}") 2>/dev/null || :
- trap 'ar r "${FIPSLD_LIBCRYPTO}" "${CANISTER_O}";
- (ranlib "${FIPSLD_LIBCRYPTO}") 2>/dev/null || :;
- sleep 1;
- touch -c "${TARGET}"' 0
- fi
- fi
- /bin/rm -f "${TARGET}"
- ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
- "${PREMAIN_C}" \
- ${_WL_PREMAIN} "$@"
- if [ "x${FIPS_SIG}" != "x" ]; then
- # embed signature
- "${FIPS_SIG}" "${TARGET}"
- [ $? -ne 42 ] && exit $?
- fi
- # generate signature...
- SIG=`"${PREMAIN_DSO}" "${TARGET}"`
- /bin/rm -f "${TARGET}"
- if [ -z "${SIG}" ]; then
- echo "unable to collect signature"; exit 1
- fi
- # recompile with signature...
- ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
- -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \
- ${_WL_PREMAIN} "$@"
- ;;
- *) # must be linking statically...
- # Static linking can be taking place either in the source
- # directory or off the installed binary target destination.
- if [ -x "${THERE}/fips/fips_standalone_sha1" ]; then
- FINGERTYPE="${THERE}/fips/fips_standalone_sha1"
- elif [ -x "${THERE}/bin/fips_standalone_sha1" ]; then
- FINGERTYPE="${THERE}/bin/fips_standalone_sha1"
- else # Installed tree is expected to contain
- # lib/fipscanister.o, lib/fipscanister.o.sha1 and
- # lib/fips_premain.c [not to mention bin/openssl].
- FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}"
- fi
- # verify fipscanister.o against its detached signature...
- ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
- diff -w "${CANISTER_O}.sha1" - || \
- { echo "${CANISTER_O} fingerprint mismatch"; exit 1; }
- # verify fips_premain.c against its detached signature...
- ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \
- diff -w "${PREMAIN_C}.sha1" - || \
- { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
- /bin/rm -f "${TARGET}"
- ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
- "${PREMAIN_C}" \
- ${_WL_PREMAIN} "$@"
- if [ "x${FIPS_SIG}" != "x" ]; then
- # embed signature
- "${FIPS_SIG}" "${TARGET}"
- [ $? -ne 42 ] && exit $?
- fi
- # generate signature...
- SIG=`"${TARGET}"`
- /bin/rm -f "${TARGET}"
- if [ -z "${SIG}" ]; then
- echo "unable to collect signature"; exit 1
- fi
- # recompile with signature...
- ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
- -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \
- ${_WL_PREMAIN} "$@"
- ;;
- esac
|