3 # Copyright (c) 2005-2007 The OpenSSL Project.
5 # Depending on output file name, the script either embeds fingerprint
6 # into libcrypto.so or static application. "Static" refers to static
7 # libcrypto.a, not [necessarily] application per se.
9 # Even though this script is called fipsld, it expects C compiler
10 # command line syntax and $FIPSLD_CC or $CC environment variable set
11 # and can even be used to compile source files.
15 CC=${FIPSLD_CC:-${CC}}
16 [ -n "${CC}" ] || { echo '$CC is not defined'; exit 1; }
18 # Initially -c wasn't intended to be interpreted here, but it might
19 # make life easier for those who want to build FIPS-ified applications
20 # with minimal [if any] modifications to their Makefiles...
21 ( while [ "x$1" != "x" -a "x$1" != "x-c" -a "x$1" != "x-E" ]; do shift; done;
25 TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)`
27 # If using an auto-tooled (autoconf/automake/libtool) project,
28 # configure will fail when testing the compiler or even performing
29 # simple checks. Pass-through to compiler directly if application is
30 # is not being linked with libcrypto, allowing auto-tooled applications
31 # to utilize fipsld (e.g. CC=/usr/local/ssl/bin/fipsld FIPSLD_CC=gcc
32 # ./configure && make). But keep in mind[!] that if certified code
33 # resides in a shared library, then fipsld *may not* be used and
34 # end-developer should not modify application configuration and build
35 # procedures. This is because in-core fingerprint and associated
36 # procedures are already embedded into and executed in shared library
38 case `basename "${TARGET}"` in
39 libcrypto*|libfips*|*.dll) ;;
41 *libcrypto.a*|*-lcrypto*|*fipscanister.o*) ;;
46 [ -n "${TARGET}" ] || { echo 'no -o specified'; exit 1; }
48 # Turn on debugging output?
49 ( while [ "x$1" != "x" -a "x$1" != "x-DDEBUG_FINGERPRINT_PREMAIN" ]; do shift; done;
53 THERE="`echo $0 | sed -e 's|[^/]*$||'`"..
55 # fipscanister.o can appear in command line
56 CANISTER_O=`(while [ "x$1" != "x" ]; do case "$1" in *fipscanister.o) echo $1; exit;; esac; shift; done)`
57 if [ -z "${CANISTER_O}" ]; then
58 # If set, FIPSLIBDIR is location of installed validated FIPS module
59 if [ -n "${FIPSLIBDIR}" ]; then
60 CANISTER_O="${FIPSLIBDIR}/fipscanister.o"
61 elif [ -f "${THERE}/fips/fipscanister.o" ]; then
62 CANISTER_O="${THERE}/fips/fipscanister.o"
63 elif [ -f "${THERE}/lib/fipscanister.o" ]; then
64 CANISTER_O="${THERE}/lib/fipscanister.o"
66 CANISTER_O_CMD="${CANISTER_O}"
68 [ -f ${CANISTER_O} ] || { echo "unable to find ${CANISTER_O}"; exit 1; }
70 PREMAIN_C=`dirname "${CANISTER_O}"`/fips_premain.c
72 HMAC_KEY="etaonrishdlcupfm"
74 case "`(uname -s) 2>/dev/null`" in
75 OSF1|IRIX*) _WL_PREMAIN="-Wl,-init,FINGERPRINT_premain" ;;
76 HP-UX) _WL_PREMAIN="-Wl,+init,FINGERPRINT_premain" ;;
77 AIX) _WL_PREMAIN="-Wl,-binitfini:FINGERPRINT_premain,-bnoobjreorder";;
78 Darwin) ( while [ "x$1" != "x" -a "x$1" != "x-dynamiclib" ]; do shift; done;
80 ) && _WL_PREMAIN="-Wl,-init,_FINGERPRINT_premain" ;;
84 [!/]*) TARGET=./${TARGET} ;;
87 case `basename "${TARGET}"` in
88 lib*|*.dll) # must be linking a shared lib...
89 # Shared lib creation can be taking place in the source
90 # directory only, but fipscanister.o can reside elsewhere...
91 FINGERTYPE="${THERE}/fips/fips_standalone_sha1"
93 # verify fipspremain.c against its detached signature...
94 ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \
95 diff -w "${PREMAIN_C}.sha1" - || \
96 { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
97 # verify fipscanister.o against its detached signature...
98 ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
99 diff -w "${CANISTER_O}.sha1" - || \
100 { echo "${CANISTER_O} fingerprint mismatch"; exit 1; }
102 # Temporarily remove fipscanister.o from libcrypto.a!
103 # We are required to use the standalone copy...
104 if [ -f "${THERE}/libcrypto.a" ]; then
105 if ar d "${THERE}/libcrypto.a" fipscanister.o; then
106 (ranlib "${THERE}/libcrypto.a") 2>/dev/null || :
107 trap 'ar r "${THERE}/libcrypto.a" "${CANISTER_O}";
108 (ranlib "${THERE}/libcrypto.a") 2>/dev/null || :;
110 touch -c "${TARGET}"' 0
114 /bin/rm -f "${TARGET}"
115 ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
119 # generate signature...
120 SIG=`"${THERE}/fips/fips_premain_dso" "${TARGET}"`
121 /bin/rm -f "${TARGET}"
122 if [ -z "${SIG}" ]; then
123 echo "unable to collect signature"; exit 1
126 # recompile with signature...
127 ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
128 -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \
132 *) # must be linking statically...
133 # Static linking can be taking place either in the source
134 # directory or off the installed binary target destination.
135 if [ -x "${THERE}/fips/fips_standalone_sha1" ]; then
136 FINGERTYPE="${THERE}/fips/fips_standalone_sha1"
137 else # Installed tree is expected to contain
138 # lib/fipscanister.o, lib/fipscanister.o.sha1 and
139 # lib/fips_premain.c [not to mention bin/openssl].
140 FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}"
143 # verify fipscanister.o against its detached signature...
144 ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
145 diff -w "${CANISTER_O}.sha1" - || \
146 { echo "${CANISTER_O} fingerprint mismatch"; exit 1; }
148 # verify fips_premain.c against its detached signature...
149 ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \
150 diff -w "${PREMAIN_C}.sha1" - || \
151 { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
153 /bin/rm -f "${TARGET}"
154 ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
158 # generate signature...
160 /bin/rm -f "${TARGET}"
161 if [ -z "${SIG}" ]; then
162 echo "unable to collect signature"; exit 1
165 # recompile with signature...
166 ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
167 -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \