]>
Commit | Line | Data |
---|---|---|
59f3477b DSH |
1 | #!/bin/sh -e |
2 | # | |
3 | # Copyright (c) 2005-2007 The OpenSSL Project. | |
4 | # | |
5 | # Depending on output file name, the script either embeds fingerprint | |
6 | # into libcrypto.so or static application. "Static" refers to static | |
7 | # libcrypto.a, not [necessarily] application per se. | |
8 | # | |
9 | # Even though this script is called fipsld, it expects C compiler | |
10 | # command line syntax and $FIPSLD_CC or $CC environment variable set | |
11 | # and can even be used to compile source files. | |
12 | ||
13 | #set -x | |
14 | ||
15 | CC=${FIPSLD_CC:-${CC}} | |
16 | [ -n "${CC}" ] || { echo '$CC is not defined'; exit 1; } | |
17 | ||
18 | # Initially -c wasn't intended to be interpreted here, but it might | |
19 | # make life easier for those who want to build FIPS-ified applications | |
20 | # with minimal [if any] modifications to their Makefiles... | |
21 | ( while [ "x$1" != "x" -a "x$1" != "x-c" -a "x$1" != "x-E" ]; do shift; done; | |
22 | [ $# -ge 1 ] | |
23 | ) && exec ${CC} "$@" | |
24 | ||
25 | TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)` | |
26 | ||
27 | # If using an auto-tooled (autoconf/automake/libtool) project, | |
28 | # configure will fail when testing the compiler or even performing | |
29 | # simple checks. Pass-through to compiler directly if application is | |
30 | # is not being linked with libcrypto, allowing auto-tooled applications | |
31 | # to utilize fipsld (e.g. CC=/usr/local/ssl/bin/fipsld FIPSLD_CC=gcc | |
32 | # ./configure && make). But keep in mind[!] that if certified code | |
33 | # resides in a shared library, then fipsld *may not* be used and | |
34 | # end-developer should not modify application configuration and build | |
35 | # procedures. This is because in-core fingerprint and associated | |
36 | # procedures are already embedded into and executed in shared library | |
37 | # context. | |
38 | case `basename "${TARGET}"` in | |
39 | libcrypto*|libfips*|*.dll) ;; | |
40 | *) case "$*" in | |
41 | *libcrypto.a*|*-lcrypto*|*fipscanister.o*) ;; | |
42 | *) exec ${CC} "$@" ;; | |
43 | esac | |
44 | esac | |
45 | ||
46 | [ -n "${TARGET}" ] || { echo 'no -o specified'; exit 1; } | |
47 | ||
48 | # Turn on debugging output? | |
49 | ( while [ "x$1" != "x" -a "x$1" != "x-DDEBUG_FINGERPRINT_PREMAIN" ]; do shift; done; | |
50 | [ $# -ge 1 ] | |
51 | ) && set -x | |
52 | ||
53 | THERE="`echo $0 | sed -e 's|[^/]*$||'`".. | |
54 | ||
55 | # fipscanister.o can appear in command line | |
56 | CANISTER_O=`(while [ "x$1" != "x" ]; do case "$1" in *fipscanister.o) echo $1; exit;; esac; shift; done)` | |
57 | if [ -z "${CANISTER_O}" ]; then | |
58 | # If set, FIPSLIBDIR is location of installed validated FIPS module | |
59 | if [ -n "${FIPSLIBDIR}" ]; then | |
60 | CANISTER_O="${FIPSLIBDIR}/fipscanister.o" | |
61 | elif [ -f "${THERE}/fips/fipscanister.o" ]; then | |
62 | CANISTER_O="${THERE}/fips/fipscanister.o" | |
63 | elif [ -f "${THERE}/lib/fipscanister.o" ]; then | |
64 | CANISTER_O="${THERE}/lib/fipscanister.o" | |
65 | fi | |
66 | CANISTER_O_CMD="${CANISTER_O}" | |
67 | fi | |
68 | [ -f ${CANISTER_O} ] || { echo "unable to find ${CANISTER_O}"; exit 1; } | |
69 | ||
70 | PREMAIN_C=`dirname "${CANISTER_O}"`/fips_premain.c | |
71 | ||
72 | HMAC_KEY="etaonrishdlcupfm" | |
73 | ||
74 | case "`(uname -s) 2>/dev/null`" in | |
75 | OSF1|IRIX*) _WL_PREMAIN="-Wl,-init,FINGERPRINT_premain" ;; | |
76 | HP-UX) _WL_PREMAIN="-Wl,+init,FINGERPRINT_premain" ;; | |
77 | AIX) _WL_PREMAIN="-Wl,-binitfini:FINGERPRINT_premain,-bnoobjreorder";; | |
78 | Darwin) ( while [ "x$1" != "x" -a "x$1" != "x-dynamiclib" ]; do shift; done; | |
79 | [ $# -ge 1 ] | |
80 | ) && _WL_PREMAIN="-Wl,-init,_FINGERPRINT_premain" ;; | |
81 | esac | |
82 | ||
83 | case "${TARGET}" in | |
84 | [!/]*) TARGET=./${TARGET} ;; | |
85 | esac | |
86 | ||
87 | case `basename "${TARGET}"` in | |
88 | lib*|*.dll) # must be linking a shared lib... | |
89 | # Shared lib creation can be taking place in the source | |
90 | # directory only, but fipscanister.o can reside elsewhere... | |
91 | FINGERTYPE="${THERE}/fips/fips_standalone_sha1" | |
92 | ||
93 | # verify fipspremain.c against its detached signature... | |
94 | ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \ | |
95 | diff -w "${PREMAIN_C}.sha1" - || \ | |
96 | { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; } | |
97 | # verify fipscanister.o against its detached signature... | |
98 | ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \ | |
99 | diff -w "${CANISTER_O}.sha1" - || \ | |
100 | { echo "${CANISTER_O} fingerprint mismatch"; exit 1; } | |
101 | ||
102 | # Temporarily remove fipscanister.o from libcrypto.a! | |
103 | # We are required to use the standalone copy... | |
104 | if [ -f "${THERE}/libcrypto.a" ]; then | |
105 | if ar d "${THERE}/libcrypto.a" fipscanister.o; then | |
106 | (ranlib "${THERE}/libcrypto.a") 2>/dev/null || : | |
107 | trap 'ar r "${THERE}/libcrypto.a" "${CANISTER_O}"; | |
108 | (ranlib "${THERE}/libcrypto.a") 2>/dev/null || :; | |
109 | sleep 1; | |
110 | touch -c "${TARGET}"' 0 | |
111 | fi | |
112 | fi | |
113 | ||
114 | /bin/rm -f "${TARGET}" | |
115 | ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \ | |
116 | "${PREMAIN_C}" \ | |
117 | ${_WL_PREMAIN} "$@" | |
118 | ||
119 | # generate signature... | |
8196257f DSH |
120 | if [ -z "${FIPS_SIG}" ]; then |
121 | SIG=`"${THERE}/fips/fips_premain_dso" "${TARGET}"` | |
122 | else | |
123 | SIG=`"${FIPS_SIG}" -dso "${TARGET}"` | |
124 | fi | |
59f3477b DSH |
125 | /bin/rm -f "${TARGET}" |
126 | if [ -z "${SIG}" ]; then | |
127 | echo "unable to collect signature"; exit 1 | |
128 | fi | |
129 | ||
130 | # recompile with signature... | |
131 | ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \ | |
132 | -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \ | |
133 | ${_WL_PREMAIN} "$@" | |
134 | ;; | |
135 | ||
136 | *) # must be linking statically... | |
137 | # Static linking can be taking place either in the source | |
138 | # directory or off the installed binary target destination. | |
139 | if [ -x "${THERE}/fips/fips_standalone_sha1" ]; then | |
140 | FINGERTYPE="${THERE}/fips/fips_standalone_sha1" | |
141 | else # Installed tree is expected to contain | |
142 | # lib/fipscanister.o, lib/fipscanister.o.sha1 and | |
143 | # lib/fips_premain.c [not to mention bin/openssl]. | |
144 | FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}" | |
145 | fi | |
146 | ||
147 | # verify fipscanister.o against its detached signature... | |
148 | ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \ | |
149 | diff -w "${CANISTER_O}.sha1" - || \ | |
150 | { echo "${CANISTER_O} fingerprint mismatch"; exit 1; } | |
151 | ||
152 | # verify fips_premain.c against its detached signature... | |
153 | ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \ | |
154 | diff -w "${PREMAIN_C}.sha1" - || \ | |
155 | { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; } | |
156 | ||
157 | /bin/rm -f "${TARGET}" | |
158 | ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \ | |
159 | "${PREMAIN_C}" \ | |
160 | ${_WL_PREMAIN} "$@" | |
161 | ||
162 | # generate signature... | |
8196257f DSH |
163 | if [ -z "${FIPS_SIG}" ]; then |
164 | SIG=`"${TARGET}"` | |
165 | else | |
166 | SIG=`"${FIPS_SIG}" -exe "${TARGET}"` | |
167 | fi | |
59f3477b DSH |
168 | /bin/rm -f "${TARGET}" |
169 | if [ -z "${SIG}" ]; then | |
170 | echo "unable to collect signature"; exit 1 | |
171 | fi | |
172 | ||
173 | # recompile with signature... | |
174 | ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \ | |
175 | -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \ | |
176 | ${_WL_PREMAIN} "$@" | |
177 | ;; | |
178 | esac |