aboutsummaryrefslogtreecommitdiff
path: root/openssl/fips/fipsld
diff options
context:
space:
mode:
Diffstat (limited to 'openssl/fips/fipsld')
-rw-r--r--openssl/fips/fipsld170
1 files changed, 170 insertions, 0 deletions
diff --git a/openssl/fips/fipsld b/openssl/fips/fipsld
new file mode 100644
index 000000000..c71d4d95a
--- /dev/null
+++ b/openssl/fips/fipsld
@@ -0,0 +1,170 @@
+#!/bin/sh -e
+#
+# Copyright (c) 2005-2007 The OpenSSL Project.
+#
+# Depending on output file name, the script either embeds fingerprint
+# into libcrypto.so or static application. "Static" refers to static
+# libcrypto.a, not [necessarily] application per se.
+#
+# Even though this script is called fipsld, it expects C compiler
+# command line syntax and $FIPSLD_CC or $CC environment variable set
+# and can even be used to compile source files.
+
+#set -x
+
+CC=${FIPSLD_CC:-${CC}}
+[ -n "${CC}" ] || { echo '$CC is not defined'; exit 1; }
+
+# Initially -c wasn't intended to be interpreted here, but it might
+# make life easier for those who want to build FIPS-ified applications
+# with minimal [if any] modifications to their Makefiles...
+( while [ "x$1" != "x" -a "x$1" != "x-c" -a "x$1" != "x-E" ]; do shift; done;
+ [ $# -ge 1 ]
+) && exec ${CC} "$@"
+
+TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)`
+
+# If using an auto-tooled (autoconf/automake/libtool) project,
+# configure will fail when testing the compiler or even performing
+# simple checks. Pass-through to compiler directly if application is
+# is not being linked with libcrypto, allowing auto-tooled applications
+# to utilize fipsld (e.g. CC=/usr/local/ssl/bin/fipsld FIPSLD_CC=gcc
+# ./configure && make). But keep in mind[!] that if certified code
+# resides in a shared library, then fipsld *may not* be used and
+# end-developer should not modify application configuration and build
+# procedures. This is because in-core fingerprint and associated
+# procedures are already embedded into and executed in shared library
+# context.
+case `basename "${TARGET}"` in
+libcrypto*|libfips*|*.dll) ;;
+*) case "$*" in
+ *libcrypto.a*|*-lcrypto*|*fipscanister.o*) ;;
+ *) exec ${CC} "$@" ;;
+ esac
+esac
+
+[ -n "${TARGET}" ] || { echo 'no -o specified'; exit 1; }
+
+# Turn on debugging output?
+( while [ "x$1" != "x" -a "x$1" != "x-DDEBUG_FINGERPRINT_PREMAIN" ]; do shift; done;
+ [ $# -ge 1 ]
+) && set -x
+
+THERE="`echo $0 | sed -e 's|[^/]*$||'`"..
+
+# fipscanister.o can appear in command line
+CANISTER_O=`(while [ "x$1" != "x" ]; do case "$1" in *fipscanister.o) echo $1; exit;; esac; shift; done)`
+if [ -z "${CANISTER_O}" ]; then
+ # If set, FIPSLIBDIR is location of installed validated FIPS module
+ if [ -n "${FIPSLIBDIR}" ]; then
+ CANISTER_O="${FIPSLIBDIR}/fipscanister.o"
+ elif [ -f "${THERE}/fips/fipscanister.o" ]; then
+ CANISTER_O="${THERE}/fips/fipscanister.o"
+ elif [ -f "${THERE}/lib/fipscanister.o" ]; then
+ CANISTER_O="${THERE}/lib/fipscanister.o"
+ fi
+ CANISTER_O_CMD="${CANISTER_O}"
+fi
+[ -f ${CANISTER_O} ] || { echo "unable to find ${CANISTER_O}"; exit 1; }
+
+PREMAIN_C=`dirname "${CANISTER_O}"`/fips_premain.c
+
+HMAC_KEY="etaonrishdlcupfm"
+
+case "`(uname -s) 2>/dev/null`" in
+OSF1|IRIX*) _WL_PREMAIN="-Wl,-init,FINGERPRINT_premain" ;;
+HP-UX) _WL_PREMAIN="-Wl,+init,FINGERPRINT_premain" ;;
+AIX) _WL_PREMAIN="-Wl,-binitfini:FINGERPRINT_premain,-bnoobjreorder";;
+Darwin) ( while [ "x$1" != "x" -a "x$1" != "x-dynamiclib" ]; do shift; done;
+ [ $# -ge 1 ]
+ ) && _WL_PREMAIN="-Wl,-init,_FINGERPRINT_premain" ;;
+esac
+
+case "${TARGET}" in
+[!/]*) TARGET=./${TARGET} ;;
+esac
+
+case `basename "${TARGET}"` in
+lib*|*.dll) # must be linking a shared lib...
+ # Shared lib creation can be taking place in the source
+ # directory only, but fipscanister.o can reside elsewhere...
+ FINGERTYPE="${THERE}/fips/fips_standalone_sha1"
+
+ # verify fipspremain.c against its detached signature...
+ ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \
+ diff -w "${PREMAIN_C}.sha1" - || \
+ { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
+ # verify fipscanister.o against its detached signature...
+ ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
+ diff -w "${CANISTER_O}.sha1" - || \
+ { echo "${CANISTER_O} fingerprint mismatch"; exit 1; }
+
+ # Temporarily remove fipscanister.o from libcrypto.a!
+ # We are required to use the standalone copy...
+ if [ -f "${THERE}/libcrypto.a" ]; then
+ if ar d "${THERE}/libcrypto.a" fipscanister.o; then
+ (ranlib "${THERE}/libcrypto.a") 2>/dev/null || :
+ trap 'ar r "${THERE}/libcrypto.a" "${CANISTER_O}";
+ (ranlib "${THERE}/libcrypto.a") 2>/dev/null || :;
+ sleep 1;
+ touch -c "${TARGET}"' 0
+ fi
+ fi
+
+ /bin/rm -f "${TARGET}"
+ ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
+ "${PREMAIN_C}" \
+ ${_WL_PREMAIN} "$@"
+
+ # generate signature...
+ SIG=`"${THERE}/fips/fips_premain_dso" "${TARGET}"`
+ /bin/rm -f "${TARGET}"
+ if [ -z "${SIG}" ]; then
+ echo "unable to collect signature"; exit 1
+ fi
+
+ # recompile with signature...
+ ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
+ -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \
+ ${_WL_PREMAIN} "$@"
+ ;;
+
+*) # must be linking statically...
+ # Static linking can be taking place either in the source
+ # directory or off the installed binary target destination.
+ if [ -x "${THERE}/fips/fips_standalone_sha1" ]; then
+ FINGERTYPE="${THERE}/fips/fips_standalone_sha1"
+ else # Installed tree is expected to contain
+ # lib/fipscanister.o, lib/fipscanister.o.sha1 and
+ # lib/fips_premain.c [not to mention bin/openssl].
+ FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}"
+ fi
+
+ # verify fipscanister.o against its detached signature...
+ ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
+ diff -w "${CANISTER_O}.sha1" - || \
+ { echo "${CANISTER_O} fingerprint mismatch"; exit 1; }
+
+ # verify fips_premain.c against its detached signature...
+ ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \
+ diff -w "${PREMAIN_C}.sha1" - || \
+ { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
+
+ /bin/rm -f "${TARGET}"
+ ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
+ "${PREMAIN_C}" \
+ ${_WL_PREMAIN} "$@"
+
+ # generate signature...
+ SIG=`"${TARGET}"`
+ /bin/rm -f "${TARGET}"
+ if [ -z "${SIG}" ]; then
+ echo "unable to collect signature"; exit 1
+ fi
+
+ # recompile with signature...
+ ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
+ -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \
+ ${_WL_PREMAIN} "$@"
+ ;;
+esac