137 lines
4.5 KiB
Bash
Executable File
137 lines
4.5 KiB
Bash
Executable File
#!/bin/sh -e
|
|
#
|
|
# Copyright (c) 2005 The OpenSSL Project.
|
|
#
|
|
# Depending on output file name, the script either embeds fingerprint
|
|
# into libcrypto.so or static application. "Static" refers to static
|
|
# libcrypto.a, not [necessarily] application per se.
|
|
#
|
|
# Even though this script is called fipsld, it expects C compiler
|
|
# command line syntax and $FIPSLD_CC or $CC environment variable set
|
|
# and can even be used to compile source files.
|
|
|
|
CC=${FIPSLD_CC:-${CC}}
|
|
[ -n "${CC}" ] || { echo '$CC is not defined'; exit 1; }
|
|
|
|
# Initially -c wasn't intended to be interpreted here, but it might
|
|
# make life easier for those who want to build FIPS-ified applications
|
|
# with minimal [if any] modifications to their Makefiles...
|
|
( while [ "x$1" != "x" -a "x$1" != "x-c" ]; do shift; done;
|
|
[ $# -ge 1 ]
|
|
) && exec ${CC} "$@"
|
|
|
|
# Turn on debugging output?
|
|
( while [ "x$1" != "x" -a "x$1" != "x-DDEBUG_FINGERPRINT_PREMAIN" ]; do shift; done;
|
|
[ $# -ge 1 ]
|
|
) && set -x
|
|
|
|
TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)`
|
|
[ -n "${TARGET}" ] || { echo 'no -o specified'; exit 1; }
|
|
|
|
THERE="`echo $0 | sed -e 's|[^/]*$||'`"..
|
|
|
|
HMAC_KEY="etaonrishdlcupfm"
|
|
|
|
case "`(uname -s) 2>/dev/null`" in
|
|
OSF1|IRIX*) _WL_PREMAIN="-Wl,-init,FINGERPRINT_premain" ;;
|
|
HP-UX) _WL_PREMAIN="-Wl,+init,FINGERPRINT_premain" ;;
|
|
AIX) _WL_PREMAIN="-Wl,-binitfini:FINGERPRINT_premain";;
|
|
Darwin) ( while [ "x$1" != "x" -a "x$1" != "x-dynamiclib" ]; do shift; done;
|
|
[ $# -ge 1 ]
|
|
) && _WL_PREMAIN="-Wl,-init,_FINGERPRINT_premain" ;;
|
|
esac
|
|
|
|
case "${TARGET}" in
|
|
[!/]*) TARGET=./${TARGET} ;;
|
|
esac
|
|
|
|
case "${TARGET}" in
|
|
*libcrypto*|*.dll) # must be linking a shared lib...
|
|
# Shared lib creation can be taking place in the source
|
|
# directory only!!!
|
|
FINGERTYPE="${THERE}/fips/sha/fips_standalone_sha1"
|
|
CANISTER_O="${THERE}/fips/fipscanister.o"
|
|
PREMAIN_C="${THERE}/fips/fips_premain.c"
|
|
|
|
# verify fipscanister.o against its detached signature...
|
|
${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
|
|
diff -w "${CANISTER_O}.sha1" - || \
|
|
{ echo "${CANISTER_O} fingerprint mismatch"; exit 1; }
|
|
|
|
# verify fips_premain.c against its signature embedded into
|
|
# fipscanister.o...
|
|
SIG=`${FINGERTYPE} "${PREMAIN_C}" | sed -n "s/(.*\//(/;/^./p"`
|
|
REF=`strings "${CANISTER_O}" | grep "HMAC-SHA1(fips_premain\\.c)"`
|
|
[ "${SIG}" = "${REF}" ] || \
|
|
{ echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
|
|
|
|
# Temporarily remove fipscanister.o from libcrypto.a!
|
|
# We are required to use the standalone copy...
|
|
trap 'ar r "${THERE}/libcrypto.a" "${CANISTER_O}";
|
|
(ranlib "${THERE}/libcrypto.a") 2>/dev/null;
|
|
sleep 1;
|
|
touch -c "${TARGET}"' 0
|
|
|
|
ar d "${THERE}/libcrypto.a" fipscanister.o 2>&1 > /dev/null || :
|
|
(ranlib "${THERE}/libcrypto.a") 2>/dev/null || :
|
|
|
|
${CC} "${CANISTER_O}" \
|
|
"${PREMAIN_C}" \
|
|
${_WL_PREMAIN} "$@"
|
|
|
|
# generate signature...
|
|
SIG=`("${THERE}/fips/fips_premain_dso" "${TARGET}" || rm "${TARGET}")`
|
|
if [ -z "${SIG}" ]; then
|
|
echo "unable to collect signature"; exit 1
|
|
fi
|
|
|
|
# recompile with signature...
|
|
${CC} "${CANISTER_O}" \
|
|
-DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \
|
|
${_WL_PREMAIN} "$@"
|
|
;;
|
|
|
|
*) # must be linking statically...
|
|
# Static linking can be taking place either in the source
|
|
# directory or off the installed binary target destination.
|
|
if [ -x "${THERE}/fips/sha/fips_standalone_sha1" ]; then
|
|
FINGERTYPE="${THERE}/fips/sha/fips_standalone_sha1"
|
|
CANISTER_O="${THERE}/fips/fipscanister.o"
|
|
PREMAIN_C="${THERE}/fips/fips_premain.c"
|
|
else # Installed tree is expected to contain
|
|
# lib/fipscanister.o, lib/fipscanister.o.sha1 and
|
|
# lib/fips_premain.c [not to mention bin/openssl].
|
|
FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}"
|
|
CANISTER_O="${THERE}/lib/fipscanister.o"
|
|
PREMAIN_C="${THERE}/lib/fips_premain.c"
|
|
fi
|
|
|
|
# verify fipscanister.o against its detached signature...
|
|
${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
|
|
diff -w "${CANISTER_O}.sha1" - || \
|
|
{ echo "${CANISTER_O} fingerprint mismatch"; exit 1; }
|
|
|
|
# verify fips_premain.c against its signature embedded into
|
|
# fipscanister.o...
|
|
SIG=`${FINGERTYPE} "${PREMAIN_C}" | sed -n "s/(.*\//(/;/^./p"`
|
|
REF=`strings "${CANISTER_O}" | grep "HMAC-SHA1(fips_premain\\.c)"`
|
|
[ "${SIG}" = "${REF}" ] || \
|
|
{ echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
|
|
|
|
${CC} "${CANISTER_O}" \
|
|
"${PREMAIN_C}" \
|
|
${_WL_PREMAIN} "$@"
|
|
|
|
# generate signature...
|
|
SIG=`("${TARGET}" || /bin/rm "${TARGET}")`
|
|
if [ -z "${SIG}" ]; then
|
|
echo "unable to collect signature"; exit 1
|
|
fi
|
|
|
|
# recompile with signature...
|
|
${CC} "${CANISTER_O}" \
|
|
-DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \
|
|
${_WL_PREMAIN} "$@"
|
|
;;
|
|
esac
|