1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
|
#! /usr/bin/env perl
# Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
sub check_env
{
my @ret;
foreach (@_)
{
die "Environment variable $_ not defined!\n" unless exists $ENV{$_};
push @ret, $ENV{$_};
}
return @ret;
}
my ($fips_cc,$fips_cc_args, $fips_link,$fips_target, $fips_libdir, $sha1_exe)
= check_env("FIPS_CC", "FIPS_CC_ARGS", "FIPS_LINK", "FIPS_TARGET",
"FIPSLIB_D", "FIPS_SHA1_EXE");
if (exists $ENV{"PREMAIN_DSO_EXE"})
{
$fips_premain_dso = $ENV{"PREMAIN_DSO_EXE"};
}
else
{
$fips_premain_dso = "";
}
check_hash($sha1_exe, "fips_premain.c");
check_hash($sha1_exe, "fipscanister.lib");
print "Integrity check OK\n";
if (is_premain_linked(@ARGV)) {
print "$fips_cc $fips_cc_args $fips_libdir/fips_premain.c\n";
system "$fips_cc $fips_cc_args $fips_libdir/fips_premain.c";
die "First stage Compile failure" if $? != 0;
} elsif (!defined($ENV{FIPS_SIG})) {
die "no fips_premain.obj linked";
}
print "$fips_link @ARGV\n";
system "$fips_link @ARGV";
die "First stage Link failure" if $? != 0;
if (defined($ENV{FIPS_SIG})) {
print "$ENV{FIPS_SIG} $fips_target\n";
system "$ENV{FIPS_SIG} $fips_target";
die "$ENV{FIPS_SIG} $fips_target failed" if $? != 0;
exit;
}
print "$fips_premain_dso $fips_target\n";
system("$fips_premain_dso $fips_target >$fips_target.sha1");
die "Get hash failure" if $? != 0;
open my $sha1_res, '<', $fips_target.".sha1" or die "Get hash failure";
$fips_hash=<$sha1_res>;
close $sha1_res;
unlink $fips_target.".sha1";
$fips_hash =~ s|\R$||; # Better chomp
die "Get hash failure" if $? != 0;
print "$fips_cc -DHMAC_SHA1_SIG=\\\"$fips_hash\\\" $fips_cc_args $fips_libdir/fips_premain.c\n";
system "$fips_cc -DHMAC_SHA1_SIG=\\\"$fips_hash\\\" $fips_cc_args $fips_libdir/fips_premain.c";
die "Second stage Compile failure" if $? != 0;
print "$fips_link @ARGV\n";
system "$fips_link @ARGV";
die "Second stage Link failure" if $? != 0;
sub is_premain_linked
{
return 1 if (grep /fips_premain\.obj/,@_);
foreach (@_)
{
if (/^@(.*)/ && -f $1)
{
open FD,$1 or die "can't open $1";
my $ret = (grep /fips_premain\.obj/,<FD>)?1:0;
close FD;
return $ret;
}
}
return 0;
}
sub check_hash
{
my ($sha1_exe, $filename) = @_;
my ($hashfile, $hashval);
open(IN, "${fips_libdir}/${filename}.sha1") || die "Cannot open file hash file ${fips_libdir}/${filename}.sha1";
$hashfile = <IN>;
close IN;
$hashval = `$sha1_exe ${fips_libdir}/$filename`;
$hashfile =~ s|\R$||; # Better chomp
$hashval =~ s|\R$||; # Better chomp
$hashfile =~ s/^.*=\s+//;
$hashval =~ s/^.*=\s+//;
die "Invalid hash syntax in file" if (length($hashfile) != 40);
die "Invalid hash received for file" if (length($hashval) != 40);
die "***HASH VALUE MISMATCH FOR FILE $filename ***" if ($hashval ne $hashfile);
}
|
