summaryrefslogtreecommitdiffstats
path: root/util/mk-fipsmodule-cnf.pl
diff options
context:
space:
mode:
authorRichard Levitte <levitte@openssl.org>2021-05-24 14:06:00 +0200
committerRichard Levitte <levitte@openssl.org>2021-05-26 15:11:01 +0200
commita2405c5f2019707d1a4306f152faa9ccda5f4cd5 (patch)
tree528689875f29e32f651bc95a07ff9153bc50b405 /util/mk-fipsmodule-cnf.pl
parentIgnore the threadstest_fips executable (diff)
downloadopenssl-a2405c5f2019707d1a4306f152faa9ccda5f4cd5.tar.xz
openssl-a2405c5f2019707d1a4306f152faa9ccda5f4cd5.zip
Rework how providers/fipsmodule.cnf is produced
First of all, we have concluded that we can calculate the integrity checksum with a simple perl script. Second, having the production of providers/fipsmodule.cnf as a dependency for run_tests wasn't quite right. What we really want is to generate it as soon as a new providers/fips.so is produced. That required a small bit of fiddling with how diverse dependencies are made. Fixes #15166 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15436)
Diffstat (limited to '')
-rw-r--r--util/mk-fipsmodule-cnf.pl44
1 files changed, 44 insertions, 0 deletions
diff --git a/util/mk-fipsmodule-cnf.pl b/util/mk-fipsmodule-cnf.pl
new file mode 100644
index 0000000000..6a86e06b8b
--- /dev/null
+++ b/util/mk-fipsmodule-cnf.pl
@@ -0,0 +1,44 @@
+#! /usr/bin/env perl
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use Getopt::Long;
+
+my $activate = 1;
+my $conditional_errors = 1;
+my $security_checks = 1;
+my $mac_key;
+my $module_name;
+my $section_name = "fips_sect";
+
+GetOptions("key=s" => \$mac_key,
+ "module=s" => \$module_name,
+ "section_name=s" => \$section_name)
+ or die "Error when getting command line arguments";
+
+my $mac_keylen = length($mac_key);
+
+use Digest::SHA qw(hmac_sha256_hex);
+my $module_size = [ stat($module_name) ]->[7];
+
+open my $fh, "<:raw", $module_name or die "Trying to open $module_name: $!";
+read $fh, my $data, $module_size or die "Trying to read $module_name: $!";
+close $fh;
+
+# Calculate HMAC-SHA256 in hex, and split it into a list of two character
+# chunks, and join the chunks with colons.
+my @module_mac
+ = ( uc(hmac_sha256_hex($data, pack("H$mac_keylen", $mac_key))) =~ m/../g );
+my $module_mac = join(':', @module_mac);
+
+print <<_____;
+[$section_name]
+activate = $activate
+conditional-errors = $conditional_errors
+security-checks = $security_checks
+module-mac = $module_mac
+_____