#!/bin/sh -e # # Copyright (c) 2005 The OpenSSL Project. # # Depending on output file name, the script either embeds fingerprint # into libcrypto.so or static application. "Static" refers to static # libcrypto.a, not [necessarily] application per se. # # Even though this script is called fipsld, it expects C compiler # command line syntax and $FIPSLD_CC or $CC environment variable set # and can even be used to compile source files. #set -x CC=${FIPSLD_CC:-${CC}} [ -n "${CC}" ] || { echo '$CC is not defined'; exit 1; } # Initially -c wasn't intended to be interpreted here, but it might # make life easier for those who want to build FIPS-ified applications # with minimal [if any] modifications to their Makefiles... ( while [ "x$1" != "x" -a "x$1" != "x-c" ]; do shift; done; [ $# -ge 1 ] ) && exec ${CC} "$@" # Turn on debugging output? ( while [ "x$1" != "x" -a "x$1" != "x-DDEBUG_FINGERPRINT_PREMAIN" ]; do shift; done; [ $# -ge 1 ] ) && set -x TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)` [ -n "${TARGET}" ] || { echo 'no -o specified'; exit 1; } THERE="`echo $0 | sed -e 's|[^/]*$||'`".. # Location of installed validated FIPS module FIPSLIBDIR=${FIPSLIBDIR:-/usr/local/ssl/lib} # If this is a build from a validated tarball use this instead # FIPSLIBDIR=${THERE}/fips-1.0 [ -f "${FIPSLIBDIR}/fipscanister.o" ] || { echo "fipscanister.o not found"; exit 1; } HMAC_KEY="etaonrishdlcupfm" case "`(uname -s) 2>/dev/null`" in OSF1|IRIX*) _WL_PREMAIN="-Wl,-init,FINGERPRINT_premain" ;; HP-UX) _WL_PREMAIN="-Wl,+init,FINGERPRINT_premain" ;; AIX) _WL_PREMAIN="-Wl,-binitfini:FINGERPRINT_premain";; Darwin) ( while [ "x$1" != "x" -a "x$1" != "x-dynamiclib" ]; do shift; done; [ $# -ge 1 ] ) && _WL_PREMAIN="-Wl,-init,_FINGERPRINT_premain" ;; esac case "${TARGET}" in [!/]*) TARGET=./${TARGET} ;; esac case "${TARGET}" in *libcrypto*|*.dll) # must be linking a shared lib... # Shared lib creation can be taking place in the source # directory only!!! FINGERTYPE="${THERE}/fips-1.0/sha/fips_standalone_sha1" CANISTER_O="${FIPSLIBDIR}/fipscanister.o" PREMAIN_C="${FIPSLIBDIR}/fips_premain.c" echo Canister: $CANISTER_O # verify fipscanister.o against its detached signature... ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \ diff -w "${CANISTER_O}.sha1" - || \ { echo "${CANISTER_O} fingerprint mismatch"; exit 1; } # verify fips_premain.c against its signature embedded into # fipscanister.o... SIG=`${FINGERTYPE} "${PREMAIN_C}" | sed -n "s/(.*\//(/;/^./p"` REF=`strings "${CANISTER_O}" | grep "HMAC-SHA1(fips_premain\\.c)"` [ "${SIG}" = "${REF}" ] || \ { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; } # Temporarily remove fipscanister.o from libcrypto.a! # We are required to use the standalone copy... trap 'ar r "${THERE}/libcrypto.a" "${CANISTER_O}"; (ranlib "${THERE}/libcrypto.a") 2>/dev/null; sleep 1; touch -c "${TARGET}"' 0 ar d "${THERE}/libcrypto.a" fipscanister.o 2>&1 > /dev/null || : (ranlib "${THERE}/libcrypto.a") 2>/dev/null || : ${CC} "${CANISTER_O}" \ "${PREMAIN_C}" \ ${_WL_PREMAIN} "$@" # generate signature... SIG=`("${THERE}/fips-1.0/fips_premain_dso" "${TARGET}" || rm "${TARGET}")` if [ -z "${SIG}" ]; then echo "unable to collect signature"; exit 1 fi # recompile with signature... ${CC} "${CANISTER_O}" \ -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \ ${_WL_PREMAIN} "$@" ;; *) # must be linking statically... # Static linking can be taking place either in the source # directory or off the installed binary target destination. if [ -x "${THERE}/fips-1.0/sha/fips_standalone_sha1" ]; then FINGERTYPE="${THERE}/fips-1.0/sha/fips_standalone_sha1" else # Installed tree is expected to contain # lib/fipscanister.o, lib/fipscanister.o.sha1 and # lib/fips_premain.c [not to mention bin/openssl]. FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}" fi CANISTER_O="${FIPSLIBDIR}/fipscanister.o" PREMAIN_C="${FIPSLIBDIR}/fips_premain.c" # verify fipscanister.o against its detached signature... ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \ diff -w "${CANISTER_O}.sha1" - || \ { echo "${CANISTER_O} fingerprint mismatch"; exit 1; } # verify fips_premain.c against its signature embedded into # fipscanister.o... SIG=`${FINGERTYPE} "${PREMAIN_C}" | sed -n "s/(.*\//(/;/^./p"` REF=`strings "${CANISTER_O}" | grep "HMAC-SHA1(fips_premain\\.c)"` [ "${SIG}" = "${REF}" ] || \ { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; } ${CC} "${CANISTER_O}" \ "${PREMAIN_C}" \ ${_WL_PREMAIN} "$@" # generate signature... SIG=`("${TARGET}" || /bin/rm "${TARGET}")` if [ -z "${SIG}" ]; then echo "unable to collect signature"; exit 1 fi # recompile with signature... ${CC} "${CANISTER_O}" \ -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \ ${_WL_PREMAIN} "$@" ;; esac