1#!/bin/sh -e 2# 3# Copyright (c) 2005-2007 The OpenSSL Project. 4# 5# Depending on output file name, the script either embeds fingerprint 6# into libcrypto.so or static application. "Static" refers to static 7# libcrypto.a, not [necessarily] application per se. 8# 9# Even though this script is called fipsld, it expects C compiler 10# command line syntax and $FIPSLD_CC or $CC environment variable set 11# and can even be used to compile source files. 12 13#set -x 14 15CC=${FIPSLD_CC:-${CC}} 16[ -n "${CC}" ] || { echo '$CC is not defined'; exit 1; } 17 18# Initially -c wasn't intended to be interpreted here, but it might 19# make life easier for those who want to build FIPS-ified applications 20# with minimal [if any] modifications to their Makefiles... 21( while [ "x$1" != "x" -a "x$1" != "x-c" -a "x$1" != "x-E" ]; do shift; done; 22 [ $# -ge 1 ] 23) && exec ${CC} "$@" 24 25TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)` 26 27# If using an auto-tooled (autoconf/automake/libtool) project, 28# configure will fail when testing the compiler or even performing 29# simple checks. Pass-through to compiler directly if application is 30# is not being linked with libcrypto, allowing auto-tooled applications 31# to utilize fipsld (e.g. CC=/usr/local/ssl/bin/fipsld FIPSLD_CC=gcc 32# ./configure && make). But keep in mind[!] that if certified code 33# resides in a shared library, then fipsld *may not* be used and 34# end-developer should not modify application configuration and build 35# procedures. This is because in-core fingerprint and associated 36# procedures are already embedded into and executed in shared library 37# context. 38case `basename "${TARGET}"` in 39libcrypto*|libfips*|*.dll) ;; 40*) case "$*" in 41 *libcrypto.a*|*-lcrypto*|*fipscanister.o*) ;; 42 *) exec ${CC} "$@" ;; 43 esac 44esac 45 46[ -n "${TARGET}" ] || { echo 'no -o specified'; exit 1; } 47 48# Turn on debugging output? 49( while [ "x$1" != "x" -a "x$1" != "x-DDEBUG_FINGERPRINT_PREMAIN" ]; do shift; done; 50 [ $# -ge 1 ] 51) && set -x 52 53THERE="`echo $0 | sed -e 's|[^/]*$||'`".. 54 55# fipscanister.o can appear in command line 56CANISTER_O=`(while [ "x$1" != "x" ]; do case "$1" in *fipscanister.o) echo $1; exit;; esac; shift; done)` 57if [ -z "${CANISTER_O}" ]; then 58 # If set, FIPSLIBDIR is location of installed validated FIPS module 59 if [ -n "${FIPSLIBDIR}" ]; then 60 CANISTER_O="${FIPSLIBDIR}/fipscanister.o" 61 elif [ -f "${THERE}/fips/fipscanister.o" ]; then 62 CANISTER_O="${THERE}/fips/fipscanister.o" 63 elif [ -f "${THERE}/lib/fipscanister.o" ]; then 64 CANISTER_O="${THERE}/lib/fipscanister.o" 65 fi 66 CANISTER_O_CMD="${CANISTER_O}" 67fi 68[ -f ${CANISTER_O} ] || { echo "unable to find ${CANISTER_O}"; exit 1; } 69 70PREMAIN_C=`dirname "${CANISTER_O}"`/fips_premain.c 71 72HMAC_KEY="etaonrishdlcupfm" 73 74case "`(uname -s) 2>/dev/null`" in 75OSF1|IRIX*) _WL_PREMAIN="-Wl,-init,FINGERPRINT_premain" ;; 76HP-UX) _WL_PREMAIN="-Wl,+init,FINGERPRINT_premain" ;; 77AIX) _WL_PREMAIN="-Wl,-binitfini:FINGERPRINT_premain,-bnoobjreorder";; 78Darwin) ( while [ "x$1" != "x" -a "x$1" != "x-dynamiclib" ]; do shift; done; 79 [ $# -ge 1 ] 80 ) && _WL_PREMAIN="-Wl,-init,_FINGERPRINT_premain" ;; 81esac 82 83case "${TARGET}" in 84[!/]*) TARGET=./${TARGET} ;; 85esac 86 87case `basename "${TARGET}"` in 88lib*|*.dll) # must be linking a shared lib... 89 # Shared lib creation can be taking place in the source 90 # directory only, but fipscanister.o can reside elsewhere... 91 FINGERTYPE="${THERE}/fips/fips_standalone_sha1" 92 93 # verify fipspremain.c against its detached signature... 94 ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \ 95 diff -w "${PREMAIN_C}.sha1" - || \ 96 { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; } 97 # verify fipscanister.o against its detached signature... 98 ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \ 99 diff -w "${CANISTER_O}.sha1" - || \ 100 { echo "${CANISTER_O} fingerprint mismatch"; exit 1; } 101 102 # Temporarily remove fipscanister.o from libcrypto.a! 103 # We are required to use the standalone copy... 104 if [ -f "${THERE}/libcrypto.a" ]; then 105 if ar d "${THERE}/libcrypto.a" fipscanister.o; then 106 (ranlib "${THERE}/libcrypto.a") 2>/dev/null || : 107 trap 'ar r "${THERE}/libcrypto.a" "${CANISTER_O}"; 108 (ranlib "${THERE}/libcrypto.a") 2>/dev/null || :; 109 sleep 1; 110 touch -c "${TARGET}"' 0 111 fi 112 fi 113 114 /bin/rm -f "${TARGET}" 115 ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \ 116 "${PREMAIN_C}" \ 117 ${_WL_PREMAIN} "$@" 118 119 # generate signature... 120 if [ -z "${FIPS_SIG}" ]; then 121 SIG=`"${THERE}/fips/fips_premain_dso" "${TARGET}"` 122 else 123 SIG=`"${FIPS_SIG}" -dso "${TARGET}"` 124 fi 125 /bin/rm -f "${TARGET}" 126 if [ -z "${SIG}" ]; then 127 echo "unable to collect signature"; exit 1 128 fi 129 130 # recompile with signature... 131 ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \ 132 -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \ 133 ${_WL_PREMAIN} "$@" 134 ;; 135 136*) # must be linking statically... 137 # Static linking can be taking place either in the source 138 # directory or off the installed binary target destination. 139 if [ -x "${THERE}/fips/fips_standalone_sha1" ]; then 140 FINGERTYPE="${THERE}/fips/fips_standalone_sha1" 141 else # Installed tree is expected to contain 142 # lib/fipscanister.o, lib/fipscanister.o.sha1 and 143 # lib/fips_premain.c [not to mention bin/openssl]. 144 FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}" 145 fi 146 147 # verify fipscanister.o against its detached signature... 148 ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \ 149 diff -w "${CANISTER_O}.sha1" - || \ 150 { echo "${CANISTER_O} fingerprint mismatch"; exit 1; } 151 152 # verify fips_premain.c against its detached signature... 153 ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \ 154 diff -w "${PREMAIN_C}.sha1" - || \ 155 { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; } 156 157 /bin/rm -f "${TARGET}" 158 ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \ 159 "${PREMAIN_C}" \ 160 ${_WL_PREMAIN} "$@" 161 162 # generate signature... 163 if [ -z "${FIPS_SIG}" ]; then 164 SIG=`"${TARGET}"` 165 else 166 SIG=`"${FIPS_SIG}" -exe "${TARGET}"` 167 fi 168 /bin/rm -f "${TARGET}" 169 if [ -z "${SIG}" ]; then 170 echo "unable to collect signature"; exit 1 171 fi 172 173 # recompile with signature... 174 ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \ 175 -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \ 176 ${_WL_PREMAIN} "$@" 177 ;; 178esac 179