util/checkhash.pl

   1 #!/usr/bin/env perl -w
   2
   3 my $package = caller;
   4
   5 if (!(defined $package))
   6         {
   7         my $retval = check_hashes(@ARGV);
   8         exit $retval;
   9         }
  10
  11 1;
  12
  13 sub check_hashes
  14         {
  15
  16         my @args = @_;
  17
  18         my $change_dir = "";
  19         my $check_program = "sha/fips_standalone_sha1";
  20
  21         my $verbose = 0;
  22         my $badfiles = 0;
  23         my $rebuild = 0;
  24         my $force_rewrite = 0;
  25         my $hash_file = "fipshashes.c";
  26         my $recurse = 0;
  27
  28         my @fingerprint_files;
  29
  30         while (@args)
  31                 {
  32                 my $arg = $args[0];
  33                 if ($arg eq "-chdir")
  34                         {
  35                         shift @args;
  36                         $change_dir = shift @args;
  37                         }
  38                 elsif ($arg eq "-rebuild")
  39                         {
  40                         shift @args;
  41                         $rebuild = 1;
  42                         }
  43                 elsif ($arg eq "-verbose")
  44                         {
  45                         shift @args;
  46                         $verbose = 1;
  47                         }
  48                 elsif ($arg eq "-force-rewrite")
  49                         {
  50                         shift @args;
  51                         $force_rewrite = 1;
  52                         }
  53                 elsif ($arg eq "-hash_file")
  54                         {
  55                         shift @args;
  56                         $hash_file = shift @args;
  57                         }
  58                 elsif ($arg eq "-recurse")
  59                         {
  60                         shift @args;
  61                         $recurse = 1;
  62                         }
  63                 elsif ($arg eq "-program_path")
  64                         {
  65                         shift @args;
  66                         $check_program = shift @args;
  67                         }
  68                 else
  69                         {
  70                         print STDERR "Unknown Option $arg";
  71                         return 1;
  72                         }
  73
  74                 }
  75
  76         chdir $change_dir if $change_dir ne "";
  77
  78         if ($recurse)
  79                 {
  80                 @fingerprint_files = ("fingerprint.sha1",
  81                                         <*/fingerprint.sha1>);
  82                 }
  83         else
  84                 {
  85                 push @fingerprint_files, $hash_file;
  86                 }
  87
  88         foreach $fp (@fingerprint_files)
  89                 {
  90                 if (!open(IN, "$fp"))
  91                         {
  92                         print STDERR "Can't open file $fp";
  93                         return 1;
  94                         }
  95                 print STDERR "Opening Fingerprint file $fp\n" if $verbose;
  96                 my $dir = $fp;
  97                 $dir =~ s/[^\/]*$//;
  98                 while (<IN>)
  99                         {
 100                         chomp;
 101                         if (!(($file, $hash) = /^\"HMAC-SHA1\((.*)\)\s*=\s*(\w*)\",$/))
 102                                 {
 103                                 /^\"/ || next;
 104                                 print STDERR "FATAL: Invalid syntax in file $fp\n";
 105                                 print STDERR "Line:\n$_\n";
 106                                 fatal_error();
 107                                 return 1;
 108                                 }
 109                         if (!$rebuild && length($hash) != 40)
 110                                 {
 111                                 print STDERR "FATAL: Invalid hash length in $fp for file $file\n";
 112                                 fatal_error();
 113                                 return 1;
 114                                 }
 115                         push @hashed_files, "$dir$file";
 116                         if (exists $hashes{"$dir$file"})
 117                                 {
 118                                 print STDERR "FATAL: Duplicate Hash file $dir$file\n";
 119                                 fatal_error();
 120                                 return 1;
 121                                 }
 122                         if (! -r "$dir$file")
 123                                 {
 124                                 print STDERR "FATAL: Can't access $dir$file\n";
 125                                 fatal_error();
 126                                 return 1;
 127                                 }
 128                         $hashes{"$dir$file"} = $hash;
 129                         }
 130                 close IN;
 131                 }
 132
 133         @checked_hashes = `$check_program @hashed_files`;
 134
 135         if ($? != 0)
 136                 {
 137                 print STDERR "Error running hash program $check_program\n";
 138                 fatal_error();
 139                 return 1;
 140                 }
 141
 142         if (@checked_hashes != @hashed_files)
 143                 {
 144                 print STDERR "FATAL: hash count incorrect\n";
 145                 fatal_error();
 146                 return 1;
 147                 }
 148
 149         foreach (@checked_hashes)
 150                 {
 151                 chomp;
 152                 if (!(($file, $hash) = /^HMAC-SHA1\((.*)\)\s*=\s*(\w*)$/))
 153                         {
 154                         print STDERR "FATAL: Invalid syntax in file $fp\n";
 155                         print STDERR "Line:\n$_\n";
 156                         fatal_error();
 157                         return 1;
 158                         }
 159                 if (length($hash) != 40)
 160                         {
 161                         print STDERR "FATAL: Invalid hash length for file $file\n";
 162                         fatal_error();
 163                         return 1;
 164                         }
 165                 if ($hash ne $hashes{$file})
 166                         {
 167                         if ($rebuild)
 168                                 {
 169                                 print STDERR "Updating hash on file $file\n";
 170                                 $hashes{$file} = $hash;
 171                                 }
 172                         else
 173                                 {
 174                                 print STDERR "Hash check failed for file $file\n";
 175                                 }
 176                         $badfiles++;
 177                         }
 178                 elsif ($verbose)
 179                         { print "Hash Check OK for $file\n";}
 180                 }
 181
 182
 183         if ($badfiles && !$rebuild)
 184                 {
 185                 print STDERR "FATAL: hash mismatch on $badfiles files\n";
 186                 fatal_error();
 187                 return 1;
 188                 }
 189
 190         if ($badfiles || $force_rewrite)
 191                 {
 192                 print "Updating Hash file $hash_file\n";
 193                 if (!open(OUT, ">$hash_file"))
 194                         {
 195                         print STDERR "Error rewriting $hash_file";
 196                         return 1;
 197                         }
 198                 print OUT "const char * const FIPS_source_hashes[] = {\n";
 199                 foreach (@hashed_files)
 200                         {
 201                         print OUT "\"HMAC-SHA1($_)= $hashes{$_}\",\n";
 202                         }
 203                 print OUT "};\n";
 204                 close OUT;
 205                 }
 206
 207         if (!$badfiles)
 208                 {
 209                 print "FIPS hash check successful\n";
 210                 }
 211
 212         return 0;
 213
 214         }
 215
 216
 217 sub fatal_error
 218         {
 219         print STDERR "*** Your source code does not match the FIPS validated source ***\n";
 220         }
 221
 222