File: fipsld

package info (click to toggle)
openssl097 0.9.7k-3.1
  • links: PTS
  • area: main
  • in suites: etch-m68k
  • size: 18,564 kB
  • ctags: 24,034
  • sloc: ansic: 178,335; asm: 19,384; perl: 17,782; makefile: 13,645; cpp: 4,379; sh: 2,687; lisp: 23
file content (147 lines) | stat: -rwxr-xr-x 4,872 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
#!/bin/sh -e
#
# Copyright (c) 2005 The OpenSSL Project.
#
# Depending on output file name, the script either embeds fingerprint
# into libcrypto.so or static application. "Static" refers to static
# libcrypto.a, not [necessarily] application per se.
#
# Even though this script is called fipsld, it expects C compiler
# command line syntax and $FIPSLD_CC or $CC environment variable set
# and can even be used to compile source files.

#set -x

CC=${FIPSLD_CC:-${CC}}
[ -n "${CC}" ] || { echo '$CC is not defined'; exit 1; }

# Initially -c wasn't intended to be interpreted here, but it might
# make life easier for those who want to build FIPS-ified applications
# with minimal [if any] modifications to their Makefiles...
(   while [ "x$1" != "x" -a "x$1" != "x-c" ]; do shift; done;
    [ $# -ge 1 ]
) && exec ${CC} "$@"

# Turn on debugging output?
(   while [ "x$1" != "x" -a "x$1" != "x-DDEBUG_FINGERPRINT_PREMAIN" ]; do shift; done;
    [ $# -ge 1 ]
) && set -x

TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)`
[ -n "${TARGET}" ] || { echo 'no -o specified'; exit 1; }

THERE="`echo $0 | sed -e 's|[^/]*$||'`"..

# Location of installed validated FIPS module
FIPSLIBDIR=${FIPSLIBDIR:-/usr/local/ssl/lib}
# If this is a build from a validated tarball use this instead
# FIPSLIBDIR=${THERE}/fips-1.0

[ -f "${FIPSLIBDIR}/fipscanister.o" ] ||
	{ echo "fipscanister.o not found"; exit 1; }

HMAC_KEY="etaonrishdlcupfm"

case "`(uname -s) 2>/dev/null`" in
OSF1|IRIX*)	_WL_PREMAIN="-Wl,-init,FINGERPRINT_premain"	;;
HP-UX)		_WL_PREMAIN="-Wl,+init,FINGERPRINT_premain"	;;
AIX)		_WL_PREMAIN="-Wl,-binitfini:FINGERPRINT_premain";;
Darwin)		(   while [ "x$1" != "x" -a "x$1" != "x-dynamiclib" ]; do shift; done;
		    [ $# -ge 1 ]
		) && _WL_PREMAIN="-Wl,-init,_FINGERPRINT_premain" ;;
esac

case "${TARGET}" in
[!/]*)	TARGET=./${TARGET} ;;
esac

case "${TARGET}" in
*libcrypto*|*.dll)	# must be linking a shared lib...
	# Shared lib creation can be taking place in the source
	# directory only!!!
	FINGERTYPE="${THERE}/fips-1.0/sha/fips_standalone_sha1"
	CANISTER_O="${FIPSLIBDIR}/fipscanister.o"
	PREMAIN_C="${FIPSLIBDIR}/fips_premain.c"

echo Canister: $CANISTER_O

	# verify fipscanister.o against its detached signature...
	${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
		diff -w "${CANISTER_O}.sha1" - || \
	{ echo "${CANISTER_O} fingerprint mismatch"; exit 1; }

	# verify fips_premain.c against its signature embedded into
	# fipscanister.o...
	SIG=`${FINGERTYPE} "${PREMAIN_C}" | sed -n "s/(.*\//(/;/^./p"`
	REF=`strings "${CANISTER_O}" | grep "HMAC-SHA1(fips_premain\\.c)"`
	[ "${SIG}" = "${REF}" ] || \
	{ echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }

	# Temporarily remove fipscanister.o from libcrypto.a!
	# We are required to use the standalone copy...
	trap	'ar r "${THERE}/libcrypto.a" "${CANISTER_O}";
		 (ranlib "${THERE}/libcrypto.a") 2>/dev/null;
		 sleep 1;
		 touch -c "${TARGET}"' 0

	ar d "${THERE}/libcrypto.a" fipscanister.o 2>&1 > /dev/null || :
	(ranlib "${THERE}/libcrypto.a") 2>/dev/null || :

	${CC}	"${CANISTER_O}" \
		"${PREMAIN_C}" \
		${_WL_PREMAIN} "$@"

	# generate signature...
	SIG=`("${THERE}/fips-1.0/fips_premain_dso" "${TARGET}" || rm "${TARGET}")`
	if [ -z "${SIG}" ]; then
	   echo "unable to collect signature"; exit 1
	fi

	# recompile with signature...
	${CC}	"${CANISTER_O}" \
		-DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \
		${_WL_PREMAIN} "$@"
	;;

*)	# must be linking statically...
	# Static linking can be taking place either in the source
	# directory or off the installed binary target destination.
	if [ -x "${THERE}/fips-1.0/sha/fips_standalone_sha1" ]; then
		FINGERTYPE="${THERE}/fips-1.0/sha/fips_standalone_sha1"
	else	# Installed tree is expected to contain
		# lib/fipscanister.o, lib/fipscanister.o.sha1 and
		# lib/fips_premain.c [not to mention bin/openssl].
		FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}"
	fi

	CANISTER_O="${FIPSLIBDIR}/fipscanister.o"
	PREMAIN_C="${FIPSLIBDIR}/fips_premain.c"

	# verify fipscanister.o against its detached signature...
	${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
		diff -w "${CANISTER_O}.sha1" - || \
	{ echo "${CANISTER_O} fingerprint mismatch"; exit 1; }

	# verify fips_premain.c against its signature embedded into
	# fipscanister.o...
	SIG=`${FINGERTYPE} "${PREMAIN_C}" | sed -n "s/(.*\//(/;/^./p"`
	REF=`strings "${CANISTER_O}" | grep "HMAC-SHA1(fips_premain\\.c)"`
	[ "${SIG}" = "${REF}" ] || \
	{ echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }

	${CC}	"${CANISTER_O}" \
		"${PREMAIN_C}" \
		${_WL_PREMAIN} "$@"

	# generate signature...
	SIG=`("${TARGET}" || /bin/rm "${TARGET}")`
	if [ -z "${SIG}" ]; then
	   echo "unable to collect signature"; exit 1
	fi

	# recompile with signature...
	${CC}	"${CANISTER_O}" \
		-DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \
		${_WL_PREMAIN} "$@"
	;;
esac