diff options
Diffstat (limited to 'openssl/fips/fipsld')
| -rw-r--r-- | openssl/fips/fipsld | 170 |
1 files changed, 170 insertions, 0 deletions
diff --git a/openssl/fips/fipsld b/openssl/fips/fipsld new file mode 100644 index 000000000..c71d4d95a --- /dev/null +++ b/openssl/fips/fipsld @@ -0,0 +1,170 @@ +#!/bin/sh -e +# +# Copyright (c) 2005-2007 The OpenSSL Project. +# +# Depending on output file name, the script either embeds fingerprint +# into libcrypto.so or static application. "Static" refers to static +# libcrypto.a, not [necessarily] application per se. +# +# Even though this script is called fipsld, it expects C compiler +# command line syntax and $FIPSLD_CC or $CC environment variable set +# and can even be used to compile source files. + +#set -x + +CC=${FIPSLD_CC:-${CC}} +[ -n "${CC}" ] || { echo '$CC is not defined'; exit 1; } + +# Initially -c wasn't intended to be interpreted here, but it might +# make life easier for those who want to build FIPS-ified applications +# with minimal [if any] modifications to their Makefiles... +( while [ "x$1" != "x" -a "x$1" != "x-c" -a "x$1" != "x-E" ]; do shift; done; + [ $# -ge 1 ] +) && exec ${CC} "$@" + +TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)` + +# If using an auto-tooled (autoconf/automake/libtool) project, +# configure will fail when testing the compiler or even performing +# simple checks. Pass-through to compiler directly if application is +# is not being linked with libcrypto, allowing auto-tooled applications +# to utilize fipsld (e.g. CC=/usr/local/ssl/bin/fipsld FIPSLD_CC=gcc +# ./configure && make). But keep in mind[!] that if certified code +# resides in a shared library, then fipsld *may not* be used and +# end-developer should not modify application configuration and build +# procedures. This is because in-core fingerprint and associated +# procedures are already embedded into and executed in shared library +# context. +case `basename "${TARGET}"` in +libcrypto*|libfips*|*.dll) ;; +*) case "$*" in + *libcrypto.a*|*-lcrypto*|*fipscanister.o*) ;; + *) exec ${CC} "$@" ;; + esac +esac + +[ -n "${TARGET}" ] || { echo 'no -o specified'; exit 1; } + +# Turn on debugging output? +( while [ "x$1" != "x" -a "x$1" != "x-DDEBUG_FINGERPRINT_PREMAIN" ]; do shift; done; + [ $# -ge 1 ] +) && set -x + +THERE="`echo $0 | sed -e 's|[^/]*$||'`".. + +# fipscanister.o can appear in command line +CANISTER_O=`(while [ "x$1" != "x" ]; do case "$1" in *fipscanister.o) echo $1; exit;; esac; shift; done)` +if [ -z "${CANISTER_O}" ]; then + # If set, FIPSLIBDIR is location of installed validated FIPS module + if [ -n "${FIPSLIBDIR}" ]; then + CANISTER_O="${FIPSLIBDIR}/fipscanister.o" + elif [ -f "${THERE}/fips/fipscanister.o" ]; then + CANISTER_O="${THERE}/fips/fipscanister.o" + elif [ -f "${THERE}/lib/fipscanister.o" ]; then + CANISTER_O="${THERE}/lib/fipscanister.o" + fi + CANISTER_O_CMD="${CANISTER_O}" +fi +[ -f ${CANISTER_O} ] || { echo "unable to find ${CANISTER_O}"; exit 1; } + +PREMAIN_C=`dirname "${CANISTER_O}"`/fips_premain.c + +HMAC_KEY="etaonrishdlcupfm" + +case "`(uname -s) 2>/dev/null`" in +OSF1|IRIX*) _WL_PREMAIN="-Wl,-init,FINGERPRINT_premain" ;; +HP-UX) _WL_PREMAIN="-Wl,+init,FINGERPRINT_premain" ;; +AIX) _WL_PREMAIN="-Wl,-binitfini:FINGERPRINT_premain,-bnoobjreorder";; +Darwin) ( while [ "x$1" != "x" -a "x$1" != "x-dynamiclib" ]; do shift; done; + [ $# -ge 1 ] + ) && _WL_PREMAIN="-Wl,-init,_FINGERPRINT_premain" ;; +esac + +case "${TARGET}" in +[!/]*) TARGET=./${TARGET} ;; +esac + +case `basename "${TARGET}"` in +lib*|*.dll) # must be linking a shared lib... + # Shared lib creation can be taking place in the source + # directory only, but fipscanister.o can reside elsewhere... + FINGERTYPE="${THERE}/fips/fips_standalone_sha1" + + # verify fipspremain.c against its detached signature... + ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \ + diff -w "${PREMAIN_C}.sha1" - || \ + { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; } + # verify fipscanister.o against its detached signature... + ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \ + diff -w "${CANISTER_O}.sha1" - || \ + { echo "${CANISTER_O} fingerprint mismatch"; exit 1; } + + # Temporarily remove fipscanister.o from libcrypto.a! + # We are required to use the standalone copy... + if [ -f "${THERE}/libcrypto.a" ]; then + if ar d "${THERE}/libcrypto.a" fipscanister.o; then + (ranlib "${THERE}/libcrypto.a") 2>/dev/null || : + trap 'ar r "${THERE}/libcrypto.a" "${CANISTER_O}"; + (ranlib "${THERE}/libcrypto.a") 2>/dev/null || :; + sleep 1; + touch -c "${TARGET}"' 0 + fi + fi + + /bin/rm -f "${TARGET}" + ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \ + "${PREMAIN_C}" \ + ${_WL_PREMAIN} "$@" + + # generate signature... + SIG=`"${THERE}/fips/fips_premain_dso" "${TARGET}"` + /bin/rm -f "${TARGET}" + if [ -z "${SIG}" ]; then + echo "unable to collect signature"; exit 1 + fi + + # recompile with signature... + ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \ + -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \ + ${_WL_PREMAIN} "$@" + ;; + +*) # must be linking statically... + # Static linking can be taking place either in the source + # directory or off the installed binary target destination. + if [ -x "${THERE}/fips/fips_standalone_sha1" ]; then + FINGERTYPE="${THERE}/fips/fips_standalone_sha1" + else # Installed tree is expected to contain + # lib/fipscanister.o, lib/fipscanister.o.sha1 and + # lib/fips_premain.c [not to mention bin/openssl]. + FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}" + fi + + # verify fipscanister.o against its detached signature... + ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \ + diff -w "${CANISTER_O}.sha1" - || \ + { echo "${CANISTER_O} fingerprint mismatch"; exit 1; } + + # verify fips_premain.c against its detached signature... + ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \ + diff -w "${PREMAIN_C}.sha1" - || \ + { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; } + + /bin/rm -f "${TARGET}" + ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \ + "${PREMAIN_C}" \ + ${_WL_PREMAIN} "$@" + + # generate signature... + SIG=`"${TARGET}"` + /bin/rm -f "${TARGET}" + if [ -z "${SIG}" ]; then + echo "unable to collect signature"; exit 1 + fi + + # recompile with signature... + ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \ + -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \ + ${_WL_PREMAIN} "$@" + ;; +esac |