Enforce minimum key sizes in FIPS mode.
[oweals/openssl.git] / fips-1.0 / fipsld
1 #!/bin/sh -e
2 #
3 # Copyright (c) 2005-2007 The OpenSSL Project.
4 #
5 # Depending on output file name, the script either embeds fingerprint
6 # into libcrypto.so or static application. "Static" refers to static
7 # libcrypto.a, not [necessarily] application per se.
8 #
9 # Even though this script is called fipsld, it expects C compiler
10 # command line syntax and $FIPSLD_CC or $CC environment variable set
11 # and can even be used to compile source files.
12
13 #set -x
14
15 CC=${FIPSLD_CC:-${CC}}
16 [ -n "${CC}" ] || { echo '$CC is not defined'; exit 1; }
17
18 # Initially -c wasn't intended to be interpreted here, but it might
19 # make life easier for those who want to build FIPS-ified applications
20 # with minimal [if any] modifications to their Makefiles...
21 (   while [ "x$1" != "x" -a "x$1" != "x-c" -a "x$1" != "x-E" ]; do shift; done;
22     [ $# -ge 1 ]
23 ) && exec ${CC} "$@"
24
25 TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)`
26
27 # If using an auto-tooled (autoconf/automake/libtool) project,
28 # configure will fail when testing the compiler or even performing
29 # simple checks. Pass-through to compiler directly if application is
30 # is not being linked with libcrypto, allowing auto-tooled applications
31 # to utilize fipsld (e.g. CC=/usr/local/ssl/bin/fipsld FIPSLD_CC=gcc
32 # ./configure && make). But keep in mind[!] that if certified code
33 # resides in a shared library, then fipsld *may not* be used and
34 # end-developer should not modify application configuration and build
35 # procedures. This is because in-core fingerprint and associated
36 # procedures are already embedded into and executed in shared library
37 # context.
38 case `basename "${TARGET}"` in
39 libcrypto*|libfips*|*.dll)              ;;
40 *)      case "$*" in
41         *libcrypto.a*|*-lcrypto*)       ;;
42         *)      exec ${CC} "$@"         ;;
43         esac
44 esac
45
46 [ -n "${TARGET}" ] || { echo 'no -o specified'; exit 1; }
47
48 # Turn on debugging output?
49 (   while [ "x$1" != "x" -a "x$1" != "x-DDEBUG_FINGERPRINT_PREMAIN" ]; do shift; done;
50     [ $# -ge 1 ]
51 ) && set -x
52
53 THERE="`echo $0 | sed -e 's|[^/]*$||'`"..
54
55 # If set, FIPSLIBDIR is location of installed validated FIPS module
56 if [ -n "${FIPSLIBDIR}" ]; then
57         CANISTER_O="${FIPSLIBDIR}/fipscanister.o"
58 elif [ -f "${THERE}/fips-1.0/fipscanister.o" ]; then
59         CANISTER_O="${THERE}/fips-1.0/fipscanister.o"
60 elif [ -f "${THERE}/lib/fipscanister.o" ]; then
61         CANISTER_O="${THERE}/lib/fipscanister.o"
62 fi
63 [ -f ${CANISTER_O} ] || { echo "unable to find ${CANISTER_O}"; exit 1; }
64
65 PREMAIN_C=`dirname "${CANISTER_O}"`/fips_premain.c
66
67 HMAC_KEY="etaonrishdlcupfm"
68
69 case "`(uname -s) 2>/dev/null`" in
70 OSF1|IRIX*)     _WL_PREMAIN="-Wl,-init,FINGERPRINT_premain"     ;;
71 HP-UX)          _WL_PREMAIN="-Wl,+init,FINGERPRINT_premain"     ;;
72 AIX)            _WL_PREMAIN="-Wl,-binitfini:FINGERPRINT_premain,-bnoobjreorder";;
73 Darwin)         (   while [ "x$1" != "x" -a "x$1" != "x-dynamiclib" ]; do shift; done;
74                     [ $# -ge 1 ]
75                 ) && _WL_PREMAIN="-Wl,-init,_FINGERPRINT_premain" ;;
76 esac
77
78 case "${TARGET}" in
79 [!/]*)  TARGET=./${TARGET} ;;
80 esac
81
82 case `basename "${TARGET}"` in
83 libfips*|*fips.dll)
84         # libfips.so creation can be taking place in the source
85         # directory only!!!
86         FINGERTYPE="${THERE}/fips-1.0/fips_standalone_sha1"
87         # fipscanister.o should be specified on command line...
88         CANISTER_O=`(while [ "x$1" != "x" ]; do case "$1" in *fipscanister.o) echo $1; exit;; esac; shift; done)`
89         [ -n "$CANISTER_O" ] || { echo "fipscanister.o is not found"; exit 1; }
90         PREMAIN_C=`dirname "${CANISTER_O}"`/fips_premain.c
91
92         # verify fipspremain.c against its detached signature...
93         ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \
94                 diff -w "${PREMAIN_C}.sha1" - || \
95         { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
96         # verify fipscanister.o against its detached signature...
97         ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
98                 diff -w "${CANISTER_O}.sha1" - || \
99         { echo "${CANISTER_O} fingerprint mismatch"; exit 1; }
100
101         /bin/rm -f "${TARGET}"
102         ${CC} "${PREMAIN_C}" ${_WL_PREMAIN} "$@"
103
104         # generate signature...
105         SIG=`"${THERE}/fips-1.0/fips_premain_dso" "${TARGET}"`
106         /bin/rm -f "${TARGET}"
107         if [ -z "${SIG}" ]; then
108            echo "unable to collect signature"; exit 1
109         fi
110
111         # recompile with signature...
112         ${CC} -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" ${_WL_PREMAIN} "$@"
113         ;;
114 libcrypto*|*.dll)       # must be linking a shared lib...
115         # Shared lib creation can be taking place in the source
116         # directory only, but fipscanister.o can reside elsewhere...
117         FINGERTYPE="${THERE}/fips-1.0/fips_standalone_sha1"
118
119         # verify fipspremain.c against its detached signature...
120         ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \
121                 diff -w "${PREMAIN_C}.sha1" - || \
122         { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
123         # verify fipscanister.o against its detached signature...
124         ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
125                 diff -w "${CANISTER_O}.sha1" - || \
126         { echo "${CANISTER_O} fingerprint mismatch"; exit 1; }
127
128         # Temporarily remove fipscanister.o from libcrypto.a!
129         # We are required to use the standalone copy...
130         trap    'ar r "${THERE}/libcrypto.a" "${CANISTER_O}";
131                  (ranlib "${THERE}/libcrypto.a") 2>/dev/null;
132                  sleep 1;
133                  touch -c "${TARGET}"' 0
134
135         ar d "${THERE}/libcrypto.a" fipscanister.o 2>&1 > /dev/null || :
136         (ranlib "${THERE}/libcrypto.a") 2>/dev/null || :
137
138         /bin/rm -f "${TARGET}"
139         ${CC}   "${CANISTER_O}" \
140                 "${PREMAIN_C}" \
141                 ${_WL_PREMAIN} "$@"
142
143         # generate signature...
144         SIG=`"${THERE}/fips-1.0/fips_premain_dso" "${TARGET}"`
145         /bin/rm -f "${TARGET}"
146         if [ -z "${SIG}" ]; then
147            echo "unable to collect signature"; exit 1
148         fi
149
150         # recompile with signature...
151         ${CC}   "${CANISTER_O}" \
152                 -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \
153                 ${_WL_PREMAIN} "$@"
154         ;;
155
156 *)      # must be linking statically...
157         # Static linking can be taking place either in the source
158         # directory or off the installed binary target destination.
159         if [ -x "${THERE}/fips-1.0/fips_standalone_sha1" ]; then
160                 FINGERTYPE="${THERE}/fips-1.0/fips_standalone_sha1"
161         else    # Installed tree is expected to contain
162                 # lib/fipscanister.o, lib/fipscanister.o.sha1 and
163                 # lib/fips_premain.c [not to mention bin/openssl].
164                 FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}"
165         fi
166
167         # verify fipscanister.o against its detached signature...
168         ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
169                 diff -w "${CANISTER_O}.sha1" - || \
170         { echo "${CANISTER_O} fingerprint mismatch"; exit 1; }
171
172         # verify fips_premain.c against its detached signature...
173         ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \
174                 diff -w "${PREMAIN_C}.sha1" - || \
175         { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
176
177         /bin/rm -f "${TARGET}"
178         ${CC}   "${CANISTER_O}" \
179                 "${PREMAIN_C}" \
180                 ${_WL_PREMAIN} "$@"
181
182         # generate signature...
183         SIG=`"${TARGET}"`
184         /bin/rm -f "${TARGET}"
185         if [ -z "${SIG}" ]; then
186            echo "unable to collect signature"; exit 1
187         fi
188
189         # recompile with signature...
190         ${CC}   "${CANISTER_O}" \
191                 -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \
192                 ${_WL_PREMAIN} "$@"
193         ;;
194 esac