#!/bin/sh -e # # Copyright (c) 2005 The OpenSSL Project. # # Depending on output file name, the script either embeds fingerprint # into libcrypto.so or static application. "Static" refers to static # libcrypto.a, not [necessarily] application per se. # # Even though this script is called fipsld, it expects C compiler # command line syntax and $FIPSLD_CC or $CC environment variable set # and can even be used to compile source files. #set -x CC=${FIPSLD_CC:-${CC}} [ -n "${CC}" ] || { echo '$CC is not defined'; exit 1; } # Initially -c wasn't intended to be interpreted here, but it might # make life easier for those who want to build FIPS-ified applications # with minimal [if any] modifications to their Makefiles... ( while [ "x$1" != "x" -a "x$1" != "x-c" ]; do shift; done; [ $# -ge 1 ] ) && exec ${CC} "$@" # If using an auto-tooled (autoconf/automake/libtool) project, # configure will fail when testing the compiler or even performing # simple checks. Pass-thru to compiler directly if not linking # to libcrypto, allowing auto-tooled applications to utilize fipsld # (e.g. CC=/usr/local/ssl/bin/fipsld FIPSLD_CC=gcc ./configure && make ) # If FIPSLD_NPT is set never call the pass-thru: the standalone fips commands # need this because they don't link to libcrypto [ -z "$FIPSLD_NPT" -a -z "$FIPSLD_LIBFIPS" ] && { case "$*" in *libcrypto.a*) ;; *-lcrypto*) ;; *) exec ${CC} $* ;; esac } # Turn on debugging output? ( while [ "x$1" != "x" -a "x$1" != "x-DDEBUG_FINGERPRINT_PREMAIN" ]; do shift; done; [ $# -ge 1 ] ) && set -x TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)` [ -n "${TARGET}" ] || { echo 'no -o specified'; exit 1; } THERE="`echo $0 | sed -e 's|[^/]*$||'`".. # FIPSCANLIB is the library containing fipscanister.o by default it is # libcrypto.a FIPSCANLIB=${FIPSCANLIB:-libcrypto} # FIPSLIBDIR is location of installed validated FIPS module # if FIPSCANISTERINTERNAL="y" link against internally generated fipscanister.o if [ "x$FIPSCANISTERINTERNAL" != "xy" ]; then FIPSLIBDIR=${FIPSLIBDIR:-/usr/local/ssl/lib} else FIPSLIBDIR=${THERE}/fips-1.0 fi [ -f "${FIPSLIBDIR}/fipscanister.o" ] || { echo "fipscanister.o not found"; exit 1; } HMAC_KEY="etaonrishdlcupfm" case "`(uname -s) 2>/dev/null`" in OSF1|IRIX*) _WL_PREMAIN="-Wl,-init,FINGERPRINT_premain" ;; HP-UX) _WL_PREMAIN="-Wl,+init,FINGERPRINT_premain" ;; AIX) _WL_PREMAIN="-Wl,-binitfini:FINGERPRINT_premain,-bnoobjreorder";; Darwin) ( while [ "x$1" != "x" -a "x$1" != "x-dynamiclib" ]; do shift; done; [ $# -ge 1 ] ) && _WL_PREMAIN="-Wl,-init,_FINGERPRINT_premain" ;; esac case "${TARGET}" in [!/]*) TARGET=./${TARGET} ;; esac case "${TARGET}" in *${FIPSCANLIB}*|*.dll) # must be linking a shared lib... # Shared lib creation can be taking place in the source # directory only!!! FINGERTYPE="${THERE}/fips-1.0/sha/fips_standalone_sha1" CANISTER_O="${FIPSLIBDIR}/fipscanister.o" PREMAIN_C="${FIPSLIBDIR}/fips_premain.c" echo Canister: $CANISTER_O # verify fipspremain.c against its detached signature... ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \ diff -w "${PREMAIN_C}.sha1" - || \ { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; } # Special case: if FIPSLD_LIBFIPS is asserted we are building # libfips shared library and fipscanister.o is already present # in libfips.a if [ -n "$FIPSLD_LIBFIPS" ] ; then ${CC} "${PREMAIN_C}" \ ${_WL_PREMAIN} "$@" else # verify fipscanister.o against its detached signature... ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \ diff -w "${CANISTER_O}.sha1" - || \ { echo "${CANISTER_O} fingerprint mismatch"; exit 1; } # Temporarily remove fipscanister.o from library! # We are required to use the standalone copy... trap 'ar r "${THERE}/$FIPSCANLIB.a" "${CANISTER_O}"; (ranlib "${THERE}/$FIPSCANLIB.a") 2>/dev/null; sleep 1; touch -c "${TARGET}"' 0 ar d "${THERE}/$FIPSCANLIB.a" fipscanister.o 2>&1 > /dev/null || : (ranlib "${THERE}/$FIPSCANLIB.a") 2>/dev/null || : ${CC} "${CANISTER_O}" \ "${PREMAIN_C}" \ ${_WL_PREMAIN} "$@" fi # generate signature... SIG=`("${THERE}/fips-1.0/fips_premain_dso" "${TARGET}" || rm "${TARGET}")` if [ -z "${SIG}" ]; then echo "unable to collect signature"; exit 1 fi if [ -n "$FIPSLD_LIBFIPS" ] ; then ${CC} -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \ ${_WL_PREMAIN} "$@" else # recompile with signature... ${CC} "${CANISTER_O}" \ -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \ ${_WL_PREMAIN} "$@" fi ;; *) # must be linking statically... # Static linking can be taking place either in the source # directory or off the installed binary target destination. if [ -x "${THERE}/fips-1.0/sha/fips_standalone_sha1" ]; then FINGERTYPE="${THERE}/fips-1.0/sha/fips_standalone_sha1" else # Installed tree is expected to contain # lib/fipscanister.o, lib/fipscanister.o.sha1 and # lib/fips_premain.c [not to mention bin/openssl]. FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}" fi CANISTER_O="${FIPSLIBDIR}/fipscanister.o" PREMAIN_C="${FIPSLIBDIR}/fips_premain.c" # verify fipscanister.o against its detached signature... ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \ diff -w "${CANISTER_O}.sha1" - || \ { echo "${CANISTER_O} fingerprint mismatch"; exit 1; } # verify fips_premain.c against its detached signature... # ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \ # diff -w "${PREMAIN_C}.sha1" - || \ # { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; } ${CC} "${CANISTER_O}" \ "${PREMAIN_C}" \ ${_WL_PREMAIN} "$@" # generate signature... SIG=`("${TARGET}" || /bin/rm "${TARGET}")` if [ -z "${SIG}" ]; then echo "unable to collect signature"; exit 1 fi # recompile with signature... ${CC} "${CANISTER_O}" \ -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \ ${_WL_PREMAIN} "$@" ;; esac