diff options
Diffstat (limited to 'openssl/fips/fipsld')
| -rw-r--r-- | openssl/fips/fipsld | 170 |
1 files changed, 0 insertions, 170 deletions
diff --git a/openssl/fips/fipsld b/openssl/fips/fipsld deleted file mode 100644 index c71d4d95a..000000000 --- a/openssl/fips/fipsld +++ /dev/null @@ -1,170 +0,0 @@ -#!/bin/sh -e -# -# Copyright (c) 2005-2007 The OpenSSL Project. -# -# Depending on output file name, the script either embeds fingerprint -# into libcrypto.so or static application. "Static" refers to static -# libcrypto.a, not [necessarily] application per se. -# -# Even though this script is called fipsld, it expects C compiler -# command line syntax and $FIPSLD_CC or $CC environment variable set -# and can even be used to compile source files. - -#set -x - -CC=${FIPSLD_CC:-${CC}} -[ -n "${CC}" ] || { echo '$CC is not defined'; exit 1; } - -# Initially -c wasn't intended to be interpreted here, but it might -# make life easier for those who want to build FIPS-ified applications -# with minimal [if any] modifications to their Makefiles... -( while [ "x$1" != "x" -a "x$1" != "x-c" -a "x$1" != "x-E" ]; do shift; done; - [ $# -ge 1 ] -) && exec ${CC} "$@" - -TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)` - -# If using an auto-tooled (autoconf/automake/libtool) project, -# configure will fail when testing the compiler or even performing -# simple checks. Pass-through to compiler directly if application is -# is not being linked with libcrypto, allowing auto-tooled applications -# to utilize fipsld (e.g. CC=/usr/local/ssl/bin/fipsld FIPSLD_CC=gcc -# ./configure && make). But keep in mind[!] that if certified code -# resides in a shared library, then fipsld *may not* be used and -# end-developer should not modify application configuration and build -# procedures. This is because in-core fingerprint and associated -# procedures are already embedded into and executed in shared library -# context. -case `basename "${TARGET}"` in -libcrypto*|libfips*|*.dll) ;; -*) case "$*" in - *libcrypto.a*|*-lcrypto*|*fipscanister.o*) ;; - *) exec ${CC} "$@" ;; - esac -esac - -[ -n "${TARGET}" ] || { echo 'no -o specified'; exit 1; } - -# Turn on debugging output? -( while [ "x$1" != "x" -a "x$1" != "x-DDEBUG_FINGERPRINT_PREMAIN" ]; do shift; done; - [ $# -ge 1 ] -) && set -x - -THERE="`echo $0 | sed -e 's|[^/]*$||'`".. - -# fipscanister.o can appear in command line -CANISTER_O=`(while [ "x$1" != "x" ]; do case "$1" in *fipscanister.o) echo $1; exit;; esac; shift; done)` -if [ -z "${CANISTER_O}" ]; then - # If set, FIPSLIBDIR is location of installed validated FIPS module - if [ -n "${FIPSLIBDIR}" ]; then - CANISTER_O="${FIPSLIBDIR}/fipscanister.o" - elif [ -f "${THERE}/fips/fipscanister.o" ]; then - CANISTER_O="${THERE}/fips/fipscanister.o" - elif [ -f "${THERE}/lib/fipscanister.o" ]; then - CANISTER_O="${THERE}/lib/fipscanister.o" - fi - CANISTER_O_CMD="${CANISTER_O}" -fi -[ -f ${CANISTER_O} ] || { echo "unable to find ${CANISTER_O}"; exit 1; } - -PREMAIN_C=`dirname "${CANISTER_O}"`/fips_premain.c - -HMAC_KEY="etaonrishdlcupfm" - -case "`(uname -s) 2>/dev/null`" in -OSF1|IRIX*) _WL_PREMAIN="-Wl,-init,FINGERPRINT_premain" ;; -HP-UX) _WL_PREMAIN="-Wl,+init,FINGERPRINT_premain" ;; -AIX) _WL_PREMAIN="-Wl,-binitfini:FINGERPRINT_premain,-bnoobjreorder";; -Darwin) ( while [ "x$1" != "x" -a "x$1" != "x-dynamiclib" ]; do shift; done; - [ $# -ge 1 ] - ) && _WL_PREMAIN="-Wl,-init,_FINGERPRINT_premain" ;; -esac - -case "${TARGET}" in -[!/]*) TARGET=./${TARGET} ;; -esac - -case `basename "${TARGET}"` in -lib*|*.dll) # must be linking a shared lib... - # Shared lib creation can be taking place in the source - # directory only, but fipscanister.o can reside elsewhere... - FINGERTYPE="${THERE}/fips/fips_standalone_sha1" - - # verify fipspremain.c against its detached signature... - ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \ - diff -w "${PREMAIN_C}.sha1" - || \ - { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; } - # verify fipscanister.o against its detached signature... - ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \ - diff -w "${CANISTER_O}.sha1" - || \ - { echo "${CANISTER_O} fingerprint mismatch"; exit 1; } - - # Temporarily remove fipscanister.o from libcrypto.a! - # We are required to use the standalone copy... - if [ -f "${THERE}/libcrypto.a" ]; then - if ar d "${THERE}/libcrypto.a" fipscanister.o; then - (ranlib "${THERE}/libcrypto.a") 2>/dev/null || : - trap 'ar r "${THERE}/libcrypto.a" "${CANISTER_O}"; - (ranlib "${THERE}/libcrypto.a") 2>/dev/null || :; - sleep 1; - touch -c "${TARGET}"' 0 - fi - fi - - /bin/rm -f "${TARGET}" - ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \ - "${PREMAIN_C}" \ - ${_WL_PREMAIN} "$@" - - # generate signature... - SIG=`"${THERE}/fips/fips_premain_dso" "${TARGET}"` - /bin/rm -f "${TARGET}" - if [ -z "${SIG}" ]; then - echo "unable to collect signature"; exit 1 - fi - - # recompile with signature... - ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \ - -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \ - ${_WL_PREMAIN} "$@" - ;; - -*) # must be linking statically... - # Static linking can be taking place either in the source - # directory or off the installed binary target destination. - if [ -x "${THERE}/fips/fips_standalone_sha1" ]; then - FINGERTYPE="${THERE}/fips/fips_standalone_sha1" - else # Installed tree is expected to contain - # lib/fipscanister.o, lib/fipscanister.o.sha1 and - # lib/fips_premain.c [not to mention bin/openssl]. - FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}" - fi - - # verify fipscanister.o against its detached signature... - ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \ - diff -w "${CANISTER_O}.sha1" - || \ - { echo "${CANISTER_O} fingerprint mismatch"; exit 1; } - - # verify fips_premain.c against its detached signature... - ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \ - diff -w "${PREMAIN_C}.sha1" - || \ - { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; } - - /bin/rm -f "${TARGET}" - ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \ - "${PREMAIN_C}" \ - ${_WL_PREMAIN} "$@" - - # generate signature... - SIG=`"${TARGET}"` - /bin/rm -f "${TARGET}" - if [ -z "${SIG}" ]; then - echo "unable to collect signature"; exit 1 - fi - - # recompile with signature... - ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \ - -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \ - ${_WL_PREMAIN} "$@" - ;; -esac |