diff options
author | Richard Levitte <levitte@openssl.org> | 2021-05-24 14:06:00 +0200 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2021-05-26 15:11:01 +0200 |
commit | a2405c5f2019707d1a4306f152faa9ccda5f4cd5 (patch) | |
tree | 528689875f29e32f651bc95a07ff9153bc50b405 /util/mk-fipsmodule-cnf.pl | |
parent | Ignore the threadstest_fips executable (diff) | |
download | openssl-a2405c5f2019707d1a4306f152faa9ccda5f4cd5.tar.xz openssl-a2405c5f2019707d1a4306f152faa9ccda5f4cd5.zip |
Rework how providers/fipsmodule.cnf is produced
First of all, we have concluded that we can calculate the integrity
checksum with a simple perl script.
Second, having the production of providers/fipsmodule.cnf as a
dependency for run_tests wasn't quite right. What we really want is
to generate it as soon as a new providers/fips.so is produced. That
required a small bit of fiddling with how diverse dependencies are
made.
Fixes #15166
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15436)
Diffstat (limited to '')
-rw-r--r-- | util/mk-fipsmodule-cnf.pl | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/util/mk-fipsmodule-cnf.pl b/util/mk-fipsmodule-cnf.pl new file mode 100644 index 0000000000..6a86e06b8b --- /dev/null +++ b/util/mk-fipsmodule-cnf.pl @@ -0,0 +1,44 @@ +#! /usr/bin/env perl +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use Getopt::Long; + +my $activate = 1; +my $conditional_errors = 1; +my $security_checks = 1; +my $mac_key; +my $module_name; +my $section_name = "fips_sect"; + +GetOptions("key=s" => \$mac_key, + "module=s" => \$module_name, + "section_name=s" => \$section_name) + or die "Error when getting command line arguments"; + +my $mac_keylen = length($mac_key); + +use Digest::SHA qw(hmac_sha256_hex); +my $module_size = [ stat($module_name) ]->[7]; + +open my $fh, "<:raw", $module_name or die "Trying to open $module_name: $!"; +read $fh, my $data, $module_size or die "Trying to read $module_name: $!"; +close $fh; + +# Calculate HMAC-SHA256 in hex, and split it into a list of two character +# chunks, and join the chunks with colons. +my @module_mac + = ( uc(hmac_sha256_hex($data, pack("H$mac_keylen", $mac_key))) =~ m/../g ); +my $module_mac = join(':', @module_mac); + +print <<_____; +[$section_name] +activate = $activate +conditional-errors = $conditional_errors +security-checks = $security_checks +module-mac = $module_mac +_____ |