d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
40498371e8
freebsd-skq/crypto/openssl/fips/fipsld
simon 0d816bbd98 Merge OpenSSL 0.9.8m into head. 
This also "reverts" some FreeBSD local changes so we should now
be back to using entirely stock OpenSSL.  The local changes were
simple $FreeBSD$ lines additions, which were required in the CVS
days, and the patch for FreeBSD-SA-09:15.ssl which has been
superseded with OpenSSL 0.9.8m's RFC5746 'TLS renegotiation
extension' support.

MFC after:	3 weeks
2010-03-13 19:22:41 +00:00

179 lines
6.0 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh -e
#
# Copyright (c) 2005-2007 The OpenSSL Project.
#
# Depending on output file name, the script either embeds fingerprint
# into libcrypto.so or static application. "Static" refers to static
# libcrypto.a, not [necessarily] application per se.
#
# Even though this script is called fipsld, it expects C compiler
# command line syntax and $FIPSLD_CC or $CC environment variable set
# and can even be used to compile source files.
#set -x
CC=${FIPSLD_CC:-${CC}}
[ -n "${CC}" ] || { echo '$CC is not defined'; exit 1; }
# Initially -c wasn't intended to be interpreted here, but it might
# make life easier for those who want to build FIPS-ified applications
# with minimal [if any] modifications to their Makefiles...
( while [ "x$1" != "x" -a "x$1" != "x-c" -a "x$1" != "x-E" ]; do shift; done;
[ $# -ge 1 ]
) && exec ${CC} "$@"
TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)`
# If using an auto-tooled (autoconf/automake/libtool) project,
# configure will fail when testing the compiler or even performing
# simple checks. Pass-through to compiler directly if application is
# is not being linked with libcrypto, allowing auto-tooled applications
# to utilize fipsld (e.g. CC=/usr/local/ssl/bin/fipsld FIPSLD_CC=gcc
# ./configure && make). But keep in mind[!] that if certified code
# resides in a shared library, then fipsld *may not* be used and
# end-developer should not modify application configuration and build
# procedures. This is because in-core fingerprint and associated
# procedures are already embedded into and executed in shared library
# context.
case `basename "${TARGET}"` in
libcrypto*|libfips*|*.dll) ;;
*) case "$*" in
*libcrypto.a*|*-lcrypto*|*fipscanister.o*) ;;
*) exec ${CC} "$@" ;;
esac
esac
[ -n "${TARGET}" ] || { echo 'no -o specified'; exit 1; }
# Turn on debugging output?
( while [ "x$1" != "x" -a "x$1" != "x-DDEBUG_FINGERPRINT_PREMAIN" ]; do shift; done;
[ $# -ge 1 ]
) && set -x
THERE="`echo $0 | sed -e 's|[^/]*$||'`"..
# fipscanister.o can appear in command line
CANISTER_O=`(while [ "x$1" != "x" ]; do case "$1" in *fipscanister.o) echo $1; exit;; esac; shift; done)`
if [ -z "${CANISTER_O}" ]; then
# If set, FIPSLIBDIR is location of installed validated FIPS module
if [ -n "${FIPSLIBDIR}" ]; then
CANISTER_O="${FIPSLIBDIR}/fipscanister.o"
elif [ -f "${THERE}/fips/fipscanister.o" ]; then
CANISTER_O="${THERE}/fips/fipscanister.o"
elif [ -f "${THERE}/lib/fipscanister.o" ]; then
CANISTER_O="${THERE}/lib/fipscanister.o"
fi
CANISTER_O_CMD="${CANISTER_O}"
fi
[ -f ${CANISTER_O} ] || { echo "unable to find ${CANISTER_O}"; exit 1; }
PREMAIN_C=`dirname "${CANISTER_O}"`/fips_premain.c
HMAC_KEY="etaonrishdlcupfm"
case "`(uname -s) 2>/dev/null`" in
OSF1|IRIX*) _WL_PREMAIN="-Wl,-init,FINGERPRINT_premain" ;;
HP-UX) _WL_PREMAIN="-Wl,+init,FINGERPRINT_premain" ;;
AIX) _WL_PREMAIN="-Wl,-binitfini:FINGERPRINT_premain,-bnoobjreorder";;
Darwin) ( while [ "x$1" != "x" -a "x$1" != "x-dynamiclib" ]; do shift; done;
[ $# -ge 1 ]
) && _WL_PREMAIN="-Wl,-init,_FINGERPRINT_premain" ;;
esac
case "${TARGET}" in
[!/]*) TARGET=./${TARGET} ;;
esac
case `basename "${TARGET}"` in
lib*|*.dll) # must be linking a shared lib...
# Shared lib creation can be taking place in the source
# directory only, but fipscanister.o can reside elsewhere...
FINGERTYPE="${THERE}/fips/fips_standalone_sha1"
# verify fipspremain.c against its detached signature...
${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \
diff -w "${PREMAIN_C}.sha1" - || \
{ echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
# verify fipscanister.o against its detached signature...
${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
diff -w "${CANISTER_O}.sha1" - || \
{ echo "${CANISTER_O} fingerprint mismatch"; exit 1; }
# Temporarily remove fipscanister.o from libcrypto.a!
# We are required to use the standalone copy...
if [ -f "${THERE}/libcrypto.a" ]; then
if ar d "${THERE}/libcrypto.a" fipscanister.o; then
(ranlib "${THERE}/libcrypto.a") 2>/dev/null || :
trap 'ar r "${THERE}/libcrypto.a" "${CANISTER_O}";
(ranlib "${THERE}/libcrypto.a") 2>/dev/null || :;
sleep 1;
touch -c "${TARGET}"' 0
fi
fi
/bin/rm -f "${TARGET}"
${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
"${PREMAIN_C}" \
${_WL_PREMAIN} "$@"
# generate signature...
if [ -z "${FIPS_SIG}" ]; then
SIG=`"${THERE}/fips/fips_premain_dso" "${TARGET}"`
else
SIG=`"${FIPS_SIG}" -dso "${TARGET}"`
fi
/bin/rm -f "${TARGET}"
if [ -z "${SIG}" ]; then
echo "unable to collect signature"; exit 1
fi
# recompile with signature...
${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
-DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \
${_WL_PREMAIN} "$@"
;;
*) # must be linking statically...
# Static linking can be taking place either in the source
# directory or off the installed binary target destination.
if [ -x "${THERE}/fips/fips_standalone_sha1" ]; then
FINGERTYPE="${THERE}/fips/fips_standalone_sha1"
else # Installed tree is expected to contain
# lib/fipscanister.o, lib/fipscanister.o.sha1 and
# lib/fips_premain.c [not to mention bin/openssl].
FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}"
fi
# verify fipscanister.o against its detached signature...
${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
diff -w "${CANISTER_O}.sha1" - || \
{ echo "${CANISTER_O} fingerprint mismatch"; exit 1; }
# verify fips_premain.c against its detached signature...
${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \
diff -w "${PREMAIN_C}.sha1" - || \
{ echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
/bin/rm -f "${TARGET}"
${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
"${PREMAIN_C}" \
${_WL_PREMAIN} "$@"
# generate signature...
if [ -z "${FIPS_SIG}" ]; then
SIG=`"${TARGET}"`
else
SIG=`"${FIPS_SIG}" -exe "${TARGET}"`
fi
/bin/rm -f "${TARGET}"
if [ -z "${SIG}" ]; then
echo "unable to collect signature"; exit 1
fi
# recompile with signature...
${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
-DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \
${_WL_PREMAIN} "$@"
;;
esac
Reference in New Issue View Git Blame Copy Permalink