fips/fipsld - third_party/openssl - Git at Google

 #!/bin/sh -e
 #
 # Copyright (c) 2005-2011 The OpenSSL Project.
 #
 # Depending on output file name, the script either embeds fingerprint
 # into libcrypto.so or static application. "Static" refers to static
 # libcrypto.a, not [necessarily] application per se.
 #
 # Even though this script is called fipsld, it expects C compiler
 # command line syntax and $FIPSLD_CC or $CC environment variable set
 # and can even be used to compile source files.

 #set -x

 CC=${FIPSLD_CC:-${CC}}
 [ -n "${CC}" ] || { echo '$CC is not defined'; exit 1; }

 # Initially -c wasn't intended to be interpreted here, but it might
 # make life easier for those who want to build FIPS-ified applications
 # with minimal [if any] modifications to their Makefiles...
 (   while [ "x$1" != "x" -a "x$1" != "x-c" -a "x$1" != "x-E" ]; do shift; done;
     [ $# -ge 1 ]
 ) && exec ${CC} "$@"

 TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)`

 # If using an auto-tooled (autoconf/automake/libtool) project,
 # configure will fail when testing the compiler or even performing
 # simple checks. Pass-through to compiler directly if application is
 # is not being linked with libcrypto, allowing auto-tooled applications
 # to utilize fipsld (e.g. CC=/usr/local/ssl/bin/fipsld FIPSLD_CC=gcc
 # ./configure && make). But keep in mind[!] that if certified code
 # resides in a shared library, then fipsld *may not* be used and
 # end-developer should not modify application configuration and build
 # procedures. This is because in-core fingerprint and associated
 # procedures are already embedded into and executed in shared library
 # context.
 case `basename "${TARGET}"` in
 libcrypto*|libfips*|*.dll)		;;
 *)	case "$*" in
 	*libcrypto.a*|*-lcrypto*|*fipscanister.o*)	;;
 	*)	exec ${CC} "$@"		;;
 	esac
 esac

 [ -n "${TARGET}" ] || { echo 'no -o specified'; exit 1; }

 # Turn on debugging output?
 (   while [ "x$1" != "x" -a "x$1" != "x-DDEBUG_FINGERPRINT_PREMAIN" ]; do shift; done;
     [ $# -ge 1 ]
 ) && set -x

 THERE="`echo $0 | sed -e 's|[^/]*$||'`"..

 # fipscanister.o can appear in command line
 CANISTER_O=`(while [ "x$1" != "x" ]; do case "$1" in *fipscanister.o) echo $1; exit;; esac; shift; done)`
 if [ -z "${CANISTER_O}" ]; then
 	# If set, FIPSLIBDIR is location of installed validated FIPS module
 	if [ -n "${FIPSLIBDIR}" ]; then
 		CANISTER_O="${FIPSLIBDIR}/fipscanister.o"
 	elif [ -f "${THERE}/fips/fipscanister.o" ]; then
 		CANISTER_O="${THERE}/fips/fipscanister.o"
 	elif [ -f "${THERE}/lib/fipscanister.o" ]; then
 		CANISTER_O="${THERE}/lib/fipscanister.o"
 	fi
 	CANISTER_O_CMD="${CANISTER_O}"
 fi
 [ -f ${CANISTER_O} ] || { echo "unable to find ${CANISTER_O}"; exit 1; }

 PREMAIN_C=`dirname "${CANISTER_O}"`/fips_premain.c

 HMAC_KEY="etaonrishdlcupfm"

 case "${CROSS_COMPILE:-`(uname -s) 2>/dev/null`}" in
 OSF1|IRIX*)	_WL_PREMAIN="-Wl,-init,FINGERPRINT_premain"	;;
 HP-UX)		_WL_PREMAIN="-Wl,+init,FINGERPRINT_premain"	;;
 AIX)		_WL_PREMAIN="-Wl,-binitfini:FINGERPRINT_premain,-bnoobjreorder";;
 Darwin)		(   while [ "x$1" != "x" -a "x$1" != "x-dynamiclib" ]; do shift; done;
 		    [ $# -ge 1 ]
 		) && _WL_PREMAIN="-Wl,-init,_FINGERPRINT_premain" ;;
 esac

 case "${TARGET}" in
 [!/]*)	TARGET=./${TARGET} ;;
 esac

 case `basename "${TARGET}"` in
 lib*|*.dll)	# must be linking a shared lib...
 	# Shared lib creation can be taking place in the source
 	# directory only, but fipscanister.o can reside elsewhere...

 	if [ -x "${THERE}/fips/fips_standalone_sha1" ]; then
 		FINGERTYPE="${THERE}/fips/fips_standalone_sha1"
 		PREMAIN_DSO="${THERE}/fips/fips_premain_dso"
 	elif [ -x "${THERE}/bin/fips_standalone_sha1" ]; then
 		FINGERTYPE="${THERE}/bin/fips_standalone_sha1"
 		PREMAIN_DSO="./fips_premain_dso"
 	fi

 	# verify fipspremain.c against its detached signature...
 	${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \
 		diff -w "${PREMAIN_C}.sha1" - || \
 	{ echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
 	# verify fipscanister.o against its detached signature...
 	${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
 		diff -w "${CANISTER_O}.sha1" - || \
 	{ echo "${CANISTER_O} fingerprint mismatch"; exit 1; }

 	[ -z "${FIPSLD_LIBCRYPTO}" -a -f "${THERE}/libcrypto.a" ] && \
 		FIPSLD_LIBCRYPTO="${THERE}/libcrypto.a"


 	# Temporarily remove fipscanister.o from libcrypto.a!
 	# We are required to use the standalone copy...
 	if [ -n  "${FIPSLD_LIBCRYPTO}" ]; then
 	    if ${CROSS_COMPILE}ar d "${FIPSLD_LIBCRYPTO}" fipscanister.o; then
 		(${CROSS_COMPILE}ranlib "${FIPSLD_LIBCRYPTO}") 2>/dev/null || :
 		trap	'${CROSS_COMPILE}ar r "${FIPSLD_LIBCRYPTO}" "${CANISTER_O}";
 			 (${CROSS_COMPILE}ranlib "${FIPSLD_LIBCRYPTO}") 2>/dev/null || :;
 			 sleep 1;
 			 touch -c "${TARGET}"' 0
 	    fi
 	fi

 	/bin/rm -f "${TARGET}"
 	${CC}	${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
 		"${PREMAIN_C}" \
 		${_WL_PREMAIN} "$@"

 	if [ "x${FIPS_SIG}" != "x" ]; then
 		# embed signature
 		"${FIPS_SIG}" "${TARGET}"
 		[ $? -ne 42 ] && exit $?
 	fi

 	# generate signature...
 	SIG=`"${PREMAIN_DSO}" "${TARGET}"`

 	/bin/rm -f "${TARGET}"
 	if [ -z "${SIG}" ]; then
 	   echo "unable to collect signature"; exit 1
 	fi

 	# recompile with signature...
 	${CC}	${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
 		-DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \
 		${_WL_PREMAIN} "$@"
 	;;

 *)	# must be linking statically...
 	# Static linking can be taking place either in the source
 	# directory or off the installed binary target destination.
 	if [ -x "${THERE}/fips/fips_standalone_sha1" ]; then
 		FINGERTYPE="${THERE}/fips/fips_standalone_sha1"
 	elif [ -x "${THERE}/bin/fips_standalone_sha1" ]; then
 		FINGERTYPE="${THERE}/bin/fips_standalone_sha1"
 	else	# Installed tree is expected to contain
 		# lib/fipscanister.o, lib/fipscanister.o.sha1 and
 		# lib/fips_premain.c [not to mention bin/openssl].
 		FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}"
 	fi

 	# verify fipscanister.o against its detached signature...
 	${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
 		diff -w "${CANISTER_O}.sha1" - || \
 	{ echo "${CANISTER_O} fingerprint mismatch"; exit 1; }

 	# verify fips_premain.c against its detached signature...
 	${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \
 		diff -w "${PREMAIN_C}.sha1" - || \
 	{ echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }

 	/bin/rm -f "${TARGET}"
 	${CC}	${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
 		"${PREMAIN_C}" \
 		${_WL_PREMAIN} "$@"

 	if [ "x${FIPS_SIG}" != "x" ]; then
 		# embed signature
 		"${FIPS_SIG}" "${TARGET}"
 		[ $? -ne 42 ] && exit $?
 	fi

 	# generate signature...
 	SIG=`"${TARGET}"`

 	/bin/rm -f "${TARGET}"
 	if [ -z "${SIG}" ]; then
 	   echo "unable to collect signature"; exit 1
 	fi

 	# recompile with signature...
 	${CC}	${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
 		-DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \
 		${_WL_PREMAIN} "$@"
 	;;
 esac
	#!/bin/sh -e
	#
	# Copyright (c) 2005-2011 The OpenSSL Project.
	#
	# Depending on output file name, the script either embeds fingerprint
	# into libcrypto.so or static application. "Static" refers to static
	# libcrypto.a, not [necessarily] application per se.
	#
	# Even though this script is called fipsld, it expects C compiler
	# command line syntax and $FIPSLD_CC or $CC environment variable set
	# and can even be used to compile source files.

	#set -x

	CC=${FIPSLD_CC:-${CC}}
	[ -n "${CC}" ] \|\| { echo '$CC is not defined'; exit 1; }

	# Initially -c wasn't intended to be interpreted here, but it might
	# make life easier for those who want to build FIPS-ified applications
	# with minimal [if any] modifications to their Makefiles...
	( while [ "x$1" != "x" -a "x$1" != "x-c" -a "x$1" != "x-E" ]; do shift; done;
	[ $# -ge 1 ]
	) && exec ${CC} "$@"

	TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)`

	# If using an auto-tooled (autoconf/automake/libtool) project,
	# configure will fail when testing the compiler or even performing
	# simple checks. Pass-through to compiler directly if application is
	# is not being linked with libcrypto, allowing auto-tooled applications
	# to utilize fipsld (e.g. CC=/usr/local/ssl/bin/fipsld FIPSLD_CC=gcc
	# ./configure && make). But keep in mind[!] that if certified code
	# resides in a shared library, then fipsld may not be used and
	# end-developer should not modify application configuration and build
	# procedures. This is because in-core fingerprint and associated
	# procedures are already embedded into and executed in shared library
	# context.
	case `basename "${TARGET}"` in
	libcrypto\|libfips\|*.dll) ;;
	) case "$" in
	libcrypto.a\|-lcrypto\|fipscanister.o) ;;
	*) exec ${CC} "$@" ;;
	esac
	esac

	[ -n "${TARGET}" ] \|\| { echo 'no -o specified'; exit 1; }

	# Turn on debugging output?
	( while [ "x$1" != "x" -a "x$1" != "x-DDEBUG_FINGERPRINT_PREMAIN" ]; do shift; done;
	[ $# -ge 1 ]
	) && set -x

	THERE="`echo $0 \| sed -e 's\|[^/]*$\|\|'`"..

	# fipscanister.o can appear in command line
	CANISTER_O=`(while [ "x$1" != "x" ]; do case "$1" in *fipscanister.o) echo $1; exit;; esac; shift; done)`
	if [ -z "${CANISTER_O}" ]; then
	# If set, FIPSLIBDIR is location of installed validated FIPS module
	if [ -n "${FIPSLIBDIR}" ]; then
	CANISTER_O="${FIPSLIBDIR}/fipscanister.o"
	elif [ -f "${THERE}/fips/fipscanister.o" ]; then
	CANISTER_O="${THERE}/fips/fipscanister.o"
	elif [ -f "${THERE}/lib/fipscanister.o" ]; then
	CANISTER_O="${THERE}/lib/fipscanister.o"
	fi
	CANISTER_O_CMD="${CANISTER_O}"
	fi
	[ -f ${CANISTER_O} ] \|\| { echo "unable to find ${CANISTER_O}"; exit 1; }

	PREMAIN_C=`dirname "${CANISTER_O}"`/fips_premain.c

	HMAC_KEY="etaonrishdlcupfm"

	case "${CROSS_COMPILE:-`(uname -s) 2>/dev/null`}" in
	OSF1\|IRIX*) _WL_PREMAIN="-Wl,-init,FINGERPRINT_premain" ;;
	HP-UX) _WL_PREMAIN="-Wl,+init,FINGERPRINT_premain" ;;
	AIX) _WL_PREMAIN="-Wl,-binitfini:FINGERPRINT_premain,-bnoobjreorder";;
	Darwin) ( while [ "x$1" != "x" -a "x$1" != "x-dynamiclib" ]; do shift; done;
	[ $# -ge 1 ]
	) && _WL_PREMAIN="-Wl,-init,_FINGERPRINT_premain" ;;
	esac

	case "${TARGET}" in
	[!/]*) TARGET=./${TARGET} ;;
	esac

	case `basename "${TARGET}"` in
	lib\|.dll) # must be linking a shared lib...
	# Shared lib creation can be taking place in the source
	# directory only, but fipscanister.o can reside elsewhere...

	if [ -x "${THERE}/fips/fips_standalone_sha1" ]; then
	FINGERTYPE="${THERE}/fips/fips_standalone_sha1"
	PREMAIN_DSO="${THERE}/fips/fips_premain_dso"
	elif [ -x "${THERE}/bin/fips_standalone_sha1" ]; then
	FINGERTYPE="${THERE}/bin/fips_standalone_sha1"
	PREMAIN_DSO="./fips_premain_dso"
	fi

	# verify fipspremain.c against its detached signature...
	${FINGERTYPE} "${PREMAIN_C}" \| sed "s/(.*\//(/" \| \
	diff -w "${PREMAIN_C}.sha1" - \|\| \
	{ echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
	# verify fipscanister.o against its detached signature...
	${FINGERTYPE} "${CANISTER_O}" \| sed "s/(.*\//(/" \| \
	diff -w "${CANISTER_O}.sha1" - \|\| \
	{ echo "${CANISTER_O} fingerprint mismatch"; exit 1; }

	[ -z "${FIPSLD_LIBCRYPTO}" -a -f "${THERE}/libcrypto.a" ] && \
	FIPSLD_LIBCRYPTO="${THERE}/libcrypto.a"


	# Temporarily remove fipscanister.o from libcrypto.a!
	# We are required to use the standalone copy...
	if [ -n "${FIPSLD_LIBCRYPTO}" ]; then
	if ${CROSS_COMPILE}ar d "${FIPSLD_LIBCRYPTO}" fipscanister.o; then
	(${CROSS_COMPILE}ranlib "${FIPSLD_LIBCRYPTO}") 2>/dev/null \|\| :
	trap '${CROSS_COMPILE}ar r "${FIPSLD_LIBCRYPTO}" "${CANISTER_O}";
	(${CROSS_COMPILE}ranlib "${FIPSLD_LIBCRYPTO}") 2>/dev/null \|\| :;
	sleep 1;
	touch -c "${TARGET}"' 0
	fi
	fi

	/bin/rm -f "${TARGET}"
	${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
	"${PREMAIN_C}" \
	${_WL_PREMAIN} "$@"

	if [ "x${FIPS_SIG}" != "x" ]; then
	# embed signature
	"${FIPS_SIG}" "${TARGET}"
	[ $? -ne 42 ] && exit $?
	fi

	# generate signature...
	SIG=`"${PREMAIN_DSO}" "${TARGET}"`

	/bin/rm -f "${TARGET}"
	if [ -z "${SIG}" ]; then
	echo "unable to collect signature"; exit 1
	fi

	# recompile with signature...
	${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
	-DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \
	${_WL_PREMAIN} "$@"
	;;

	*) # must be linking statically...
	# Static linking can be taking place either in the source
	# directory or off the installed binary target destination.
	if [ -x "${THERE}/fips/fips_standalone_sha1" ]; then
	FINGERTYPE="${THERE}/fips/fips_standalone_sha1"
	elif [ -x "${THERE}/bin/fips_standalone_sha1" ]; then
	FINGERTYPE="${THERE}/bin/fips_standalone_sha1"
	else # Installed tree is expected to contain
	# lib/fipscanister.o, lib/fipscanister.o.sha1 and
	# lib/fips_premain.c [not to mention bin/openssl].
	FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}"
	fi

	# verify fipscanister.o against its detached signature...
	${FINGERTYPE} "${CANISTER_O}" \| sed "s/(.*\//(/" \| \
	diff -w "${CANISTER_O}.sha1" - \|\| \
	{ echo "${CANISTER_O} fingerprint mismatch"; exit 1; }

	# verify fips_premain.c against its detached signature...
	${FINGERTYPE} "${PREMAIN_C}" \| sed "s/(.*\//(/" \| \
	diff -w "${PREMAIN_C}.sha1" - \|\| \
	{ echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }

	/bin/rm -f "${TARGET}"
	${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
	"${PREMAIN_C}" \
	${_WL_PREMAIN} "$@"

	if [ "x${FIPS_SIG}" != "x" ]; then
	# embed signature
	"${FIPS_SIG}" "${TARGET}"
	[ $? -ne 42 ] && exit $?
	fi

	# generate signature...
	SIG=`"${TARGET}"`

	/bin/rm -f "${TARGET}"
	if [ -z "${SIG}" ]; then
	echo "unable to collect signature"; exit 1
	fi

	# recompile with signature...
	${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
	-DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \
	${_WL_PREMAIN} "$@"
	;;
	esac