projects / thirdparty / openssl.git / blame
| Commit | Line | Data |
|---|---|---|
| 59f3477b DSH |
1 | #!/bin/sh -e |
| 2 | # | |
| 3 | # Copyright (c) 2005-2007 The OpenSSL Project. | |
| 4 | # | |
| 5 | # Depending on output file name, the script either embeds fingerprint | |
| 6 | # into libcrypto.so or static application. "Static" refers to static | |
| 7 | # libcrypto.a, not [necessarily] application per se. | |
| 8 | # | |
| 9 | # Even though this script is called fipsld, it expects C compiler | |
| 10 | # command line syntax and $FIPSLD_CC or $CC environment variable set | |
| 11 | # and can even be used to compile source files. | |
| 12 | ||
| 13 | #set -x | |
| 14 | ||
| 15 | CC=${FIPSLD_CC:-${CC}} | |
| 16 | [ -n "${CC}" ] || { echo '$CC is not defined'; exit 1; } | |
| 17 | ||
| 18 | # Initially -c wasn't intended to be interpreted here, but it might | |
| 19 | # make life easier for those who want to build FIPS-ified applications | |
| 20 | # with minimal [if any] modifications to their Makefiles... | |
| 21 | ( while [ "x$1" != "x" -a "x$1" != "x-c" -a "x$1" != "x-E" ]; do shift; done; | |
| 22 | [ $# -ge 1 ] | |
| 23 | ) && exec ${CC} "$@" | |
| 24 | ||
| 25 | TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)` | |
| 26 | ||
| 27 | # If using an auto-tooled (autoconf/automake/libtool) project, | |
| 28 | # configure will fail when testing the compiler or even performing | |
| 29 | # simple checks. Pass-through to compiler directly if application is | |
| 30 | # is not being linked with libcrypto, allowing auto-tooled applications | |
| 31 | # to utilize fipsld (e.g. CC=/usr/local/ssl/bin/fipsld FIPSLD_CC=gcc | |
| 32 | # ./configure && make). But keep in mind[!] that if certified code | |
| 33 | # resides in a shared library, then fipsld *may not* be used and | |
| 34 | # end-developer should not modify application configuration and build | |
| 35 | # procedures. This is because in-core fingerprint and associated | |
| 36 | # procedures are already embedded into and executed in shared library | |
| 37 | # context. | |
| 38 | case `basename "${TARGET}"` in | |
| 39 | libcrypto*|libfips*|*.dll) ;; | |
| 40 | *) case "$*" in | |
| 41 | *libcrypto.a*|*-lcrypto*|*fipscanister.o*) ;; | |
| 42 | *) exec ${CC} "$@" ;; | |
| 43 | esac | |
| 44 | esac | |
| 45 | ||
| 46 | [ -n "${TARGET}" ] || { echo 'no -o specified'; exit 1; } | |
| 47 | ||
| 48 | # Turn on debugging output? | |
| 49 | ( while [ "x$1" != "x" -a "x$1" != "x-DDEBUG_FINGERPRINT_PREMAIN" ]; do shift; done; | |
| 50 | [ $# -ge 1 ] | |
| 51 | ) && set -x | |
| 52 | ||
| 53 | THERE="`echo $0 | sed -e 's|[^/]*$||'`".. | |
| 54 | ||
| 55 | # fipscanister.o can appear in command line | |
| 56 | CANISTER_O=`(while [ "x$1" != "x" ]; do case "$1" in *fipscanister.o) echo $1; exit;; esac; shift; done)` | |
| 57 | if [ -z "${CANISTER_O}" ]; then | |
| 58 | # If set, FIPSLIBDIR is location of installed validated FIPS module | |
| 59 | if [ -n "${FIPSLIBDIR}" ]; then | |
| 60 | CANISTER_O="${FIPSLIBDIR}/fipscanister.o" | |
| 61 | elif [ -f "${THERE}/fips/fipscanister.o" ]; then | |
| 62 | CANISTER_O="${THERE}/fips/fipscanister.o" | |
| 63 | elif [ -f "${THERE}/lib/fipscanister.o" ]; then | |
| 64 | CANISTER_O="${THERE}/lib/fipscanister.o" | |
| 65 | fi | |
| 66 | CANISTER_O_CMD="${CANISTER_O}" | |
| 67 | fi | |
| 68 | [ -f ${CANISTER_O} ] || { echo "unable to find ${CANISTER_O}"; exit 1; } | |
| 69 | ||
| 70 | PREMAIN_C=`dirname "${CANISTER_O}"`/fips_premain.c | |
| 71 | ||
| 72 | HMAC_KEY="etaonrishdlcupfm" | |
| 73 | ||
| 74 | case "`(uname -s) 2>/dev/null`" in | |
| 75 | OSF1|IRIX*) _WL_PREMAIN="-Wl,-init,FINGERPRINT_premain" ;; | |
| 76 | HP-UX) _WL_PREMAIN="-Wl,+init,FINGERPRINT_premain" ;; | |
| 77 | AIX) _WL_PREMAIN="-Wl,-binitfini:FINGERPRINT_premain,-bnoobjreorder";; | |
| 78 | Darwin) ( while [ "x$1" != "x" -a "x$1" != "x-dynamiclib" ]; do shift; done; | |
| 79 | [ $# -ge 1 ] | |
| 80 | ) && _WL_PREMAIN="-Wl,-init,_FINGERPRINT_premain" ;; | |
| 81 | esac | |
| 82 | ||
| 83 | case "${TARGET}" in | |
| 84 | [!/]*) TARGET=./${TARGET} ;; | |
| 85 | esac | |
| 86 | ||
| 87 | case `basename "${TARGET}"` in | |
| 88 | lib*|*.dll) # must be linking a shared lib... | |
| 89 | # Shared lib creation can be taking place in the source | |
| 90 | # directory only, but fipscanister.o can reside elsewhere... | |
| 91 | FINGERTYPE="${THERE}/fips/fips_standalone_sha1" | |
| 92 | ||
| 93 | # verify fipspremain.c against its detached signature... | |
| 94 | ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \ | |
| 95 | diff -w "${PREMAIN_C}.sha1" - || \ | |
| 96 | { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; } | |
| 97 | # verify fipscanister.o against its detached signature... | |
| 98 | ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \ | |
| 99 | diff -w "${CANISTER_O}.sha1" - || \ | |
| 100 | { echo "${CANISTER_O} fingerprint mismatch"; exit 1; } | |
| 101 | ||
| 102 | # Temporarily remove fipscanister.o from libcrypto.a! | |
| 103 | # We are required to use the standalone copy... | |
| 104 | if [ -f "${THERE}/libcrypto.a" ]; then | |
| 105 | if ar d "${THERE}/libcrypto.a" fipscanister.o; then | |
| 106 | (ranlib "${THERE}/libcrypto.a") 2>/dev/null || : | |
| 107 | trap 'ar r "${THERE}/libcrypto.a" "${CANISTER_O}"; | |
| 108 | (ranlib "${THERE}/libcrypto.a") 2>/dev/null || :; | |
| 109 | sleep 1; | |
| 110 | touch -c "${TARGET}"' 0 | |
| 111 | fi | |
| 112 | fi | |
| 113 | ||
| 114 | /bin/rm -f "${TARGET}" | |
| 115 | ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \ | |
| 116 | "${PREMAIN_C}" \ | |
| 117 | ${_WL_PREMAIN} "$@" | |
| 118 | ||
| 119 | # generate signature... | |
| 8196257f DSH |
120 | if [ -z "${FIPS_SIG}" ]; then |
| 121 | SIG=`"${THERE}/fips/fips_premain_dso" "${TARGET}"` | |
| 122 | else | |
| 123 | SIG=`"${FIPS_SIG}" -dso "${TARGET}"` | |
| 124 | fi | |
| 59f3477b DSH |
125 | /bin/rm -f "${TARGET}" |
| 126 | if [ -z "${SIG}" ]; then | |
| 127 | echo "unable to collect signature"; exit 1 | |
| 128 | fi | |
| 129 | ||
| 130 | # recompile with signature... | |
| 131 | ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \ | |
| 132 | -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \ | |
| 133 | ${_WL_PREMAIN} "$@" | |
| 134 | ;; | |
| 135 | ||
| 136 | *) # must be linking statically... | |
| 137 | # Static linking can be taking place either in the source | |
| 138 | # directory or off the installed binary target destination. | |
| 139 | if [ -x "${THERE}/fips/fips_standalone_sha1" ]; then | |
| 140 | FINGERTYPE="${THERE}/fips/fips_standalone_sha1" | |
| 141 | else # Installed tree is expected to contain | |
| 142 | # lib/fipscanister.o, lib/fipscanister.o.sha1 and | |
| 143 | # lib/fips_premain.c [not to mention bin/openssl]. | |
| 144 | FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}" | |
| 145 | fi | |
| 146 | ||
| 147 | # verify fipscanister.o against its detached signature... | |
| 148 | ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \ | |
| 149 | diff -w "${CANISTER_O}.sha1" - || \ | |
| 150 | { echo "${CANISTER_O} fingerprint mismatch"; exit 1; } | |
| 151 | ||
| 152 | # verify fips_premain.c against its detached signature... | |
| 153 | ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \ | |
| 154 | diff -w "${PREMAIN_C}.sha1" - || \ | |
| 155 | { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; } | |
| 156 | ||
| 157 | /bin/rm -f "${TARGET}" | |
| 158 | ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \ | |
| 159 | "${PREMAIN_C}" \ | |
| 160 | ${_WL_PREMAIN} "$@" | |
| 161 | ||
| 162 | # generate signature... | |
| 8196257f DSH |
163 | if [ -z "${FIPS_SIG}" ]; then |
| 164 | SIG=`"${TARGET}"` | |
| 165 | else | |
| 166 | SIG=`"${FIPS_SIG}" -exe "${TARGET}"` | |
| 167 | fi | |
| 59f3477b DSH |
168 | /bin/rm -f "${TARGET}" |
| 169 | if [ -z "${SIG}" ]; then | |
| 170 | echo "unable to collect signature"; exit 1 | |
| 171 | fi | |
| 172 | ||
| 173 | # recompile with signature... | |
| 174 | ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \ | |
| 175 | -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \ | |
| 176 | ${_WL_PREMAIN} "$@" | |
| 177 | ;; | |
| 178 | esac |