Perl script that checks or rebuilds FIPS hash files. This works on

both Unix and Windows.

Merge all FIPS hash files into a single hash file fips/fips.sha1

2 files changed, 210 insertions, 0 deletions

diff --git a/fips/fipshashes.sha1 b/fips/fipshashes.sha1
new file mode 100644
index 0000000000..8c43b003aa
--- /dev/null
+++ b/fips/fipshashes.sha1
@@ -0,0 +1,29 @@
+HMAC-SHA1(fips.c)= 4eef19c535c1f3deacdf93eb806479ea3b374115
+HMAC-SHA1(fips_err_wrapper.c)= d3e2be316062510312269e98f964cb87e7577898
+HMAC-SHA1(fips.h)= 9a7c66b93923f83dc0a9c4acd03506059ddafe5f
+HMAC-SHA1(fips_err.h)= 03468e3b593f7528fd934e49bf052c23cc98d301
+HMAC-SHA1(aes/fips_aes_core.c)= b70bbbd675efe0613da0d57055310926a0104d55
+HMAC-SHA1(aes/fips_aes_selftest.c)= 98b01502221e7fe529fd981222f2cbb52eb4cbe0
+HMAC-SHA1(aes/fips_aes_locl.h)= a98eb0aa449f1d95b8064e261b2ac2b1f328685e
+HMAC-SHA1(des/fips_des_enc.c)= 9527f8ea81602358f1aa11348237fdb1e9eeff32
+HMAC-SHA1(des/asm/fips-dx86-elf.s)= 2f85e8e86806c92ee4c12cf5354e19eccf6ed47d
+HMAC-SHA1(des/fips_des_selftest.c)= 3bc574e51647c5f5ab45d1007b2cf461d67764a9
+HMAC-SHA1(des/fips_set_key.c)= 2858450d3d9c8d4ab8edea683baa54fa34f3a605
+HMAC-SHA1(des/fips_des_locl.h)= 7053848e884df47f06de9f2248380b92e58ef4e5
+HMAC-SHA1(dh/fips_dh_check.c)= 63347e2007e224381d4a7b6d871633889de72cf3
+HMAC-SHA1(dh/fips_dh_gen.c)= 93fe69b758ca9d70d70cda1c57fff4eb5c668e85
+HMAC-SHA1(dh/fips_dh_key.c)= 7bf23b329a776953bbe7c30ebd7f9faf5249ddbe
+HMAC-SHA1(dsa/fips_dsa_ossl.c)= d5f718695397fe56d6bb46f7c410794cb895e206
+HMAC-SHA1(dsa/fips_dsa_gen.c)= c252db14699f3ff641db052311da7d7521569c53
+HMAC-SHA1(dsa/fips_dsa_selftest.c)= 4bfc5d3a6b977527b053f3a03d0760a822a26135
+HMAC-SHA1(rand/fips_rand.c)= 5dc4aa11c0377a049bee01d427e5b0bc3dd9f10f
+HMAC-SHA1(rand/fips_rand.h)= 0567b1fe9b0efe034a537f335659b0b681809791
+HMAC-SHA1(rsa/fips_rsa_eay.c)= eabab59a2f11f3da4c21e1144efe1684f5e8f1ec
+HMAC-SHA1(rsa/fips_rsa_gen.c)= 4bbc0afcade1ac53f469aaa89f84c413678254bf
+HMAC-SHA1(rsa/fips_rsa_selftest.c)= 70553a5212e86f65b068564946d39b738a201e22
+HMAC-SHA1(sha1/fips_sha1dgst.c)= 10575600a9540eb15188a7d3b0b031e60aedbc18
+HMAC-SHA1(sha1/fips_standalone_sha1.c)= 93203c569097189b47a0085bc9fc55193867d4ce
+HMAC-SHA1(sha1/fips_sha1_selftest.c)= 98910a0c85eff1688bd7adb23e738dc75b39546e
+HMAC-SHA1(sha1/asm/sx86-elf.s)= ae66fb23ab8e1a2287e87a0a2dd30a4b9039fe63
+HMAC-SHA1(sha1/fips_sha_locl.h)= c1b4c82eec5f0ee119658456690f3ea9d77ed1c5
+HMAC-SHA1(sha1/fips_md32_common.h)= 08a057a7b94acf5df4301ea6c894ce14082e1ec4
diff --git a/util/checkhash.pl b/util/checkhash.pl
new file mode 100644
index 0000000000..c7c8a6dd63
--- /dev/null
+++ b/util/checkhash.pl
@@ -0,0 +1,181 @@
+#!/usr/local/bin/perl -w
+
+my $change_dir = "";
+my $check_program = "sha1/fips_standalone_sha1";
+
+my $verbose = 0;
+my $badfiles = 0;
+my $rebuild = 0;
+my $force_rewrite = 0;
+my $hash_file = "fipshashes.sha1";
+my $recurse = 0;
+
+my @fingerprint_files;
+
+while (@ARGV)
+	{
+	my $arg = $ARGV[0];
+	if ($arg eq "-chdir")
+		{
+		shift @ARGV;
+		$change_dir = shift @ARGV;
+		}
+	elsif ($arg eq "-rebuild")
+		{
+		shift @ARGV;
+		$rebuild = 1;
+		}
+	elsif ($arg eq "-verbose")
+		{
+		shift @ARGV;
+		$verbose = 1;
+		}
+	elsif ($arg eq "-force-rewrite")
+		{
+		shift @ARGV;
+		$force_rewrite = 1;
+		}
+	elsif ($arg eq "-hash_file")
+		{
+		shift @ARGV;
+		$hash_file = shift @ARGV;
+		}
+	elsif ($arg eq "-recurse")
+		{
+		shift @ARGV;
+		$recurse = 1;
+		}
+	elsif ($arg eq "-program_path")
+		{
+		shift @ARGV;
+		$check_program = shift @ARGV;
+		}
+	else
+		{
+		die "Unknown Option $arg";
+		}
+
+	}
+
+chdir $change_dir if $change_dir ne "";
+
+if ($recurse)
+	{
+	@fingerprint_files = ("fingerprint.sha1",
+				<*/fingerprint.sha1>);
+	}
+else
+	{
+	push @fingerprint_files, $hash_file;
+	}
+
+foreach $fp (@fingerprint_files)
+	{
+	open(IN, "$fp") || die "Can't open file $fp";
+	print STDERR "Opening Fingerprint file $fp\n" if $verbose;
+	my $dir = $fp;
+	$dir =~ s/[^\/]*$//;
+	while (<IN>)
+		{
+		chomp;
+		if (!(($file, $hash) = /^HMAC-SHA1\((.*)\)\s*=\s*(\w*)$/))
+			{
+			print STDERR "FATAL: Invalid syntax in file $fp\n";
+			print STDERR "Line:\n$_\n";
+			fatal_error();
+			}
+		if (!$rebuild && length($hash) != 40)
+			{
+			print STDERR "FATAL: Invalid hash length in $fp for file $file\n";
+			fatal_error();
+			}
+		push @hashed_files, "$dir$file";
+		if (exists $hashes{"$dir$file"})
+			{
+			print STDERR "FATAL: Duplicate Hash file $dir$file\n";
+			fatal_error();
+			}
+		if (! -r "$dir$file")
+			{
+			print STDERR "FATAL: Can't access $dir$file\n";
+			fatal_error();
+			}
+		$hashes{"$dir$file"} = $hash;
+		}
+	close IN;
+	}
+
+@checked_hashes = `$check_program @hashed_files`;
+
+if ($? != 0)
+	{
+	print STDERR "Error running hash program $check_program\n";
+	fatal_error();
+	}
+
+if (@checked_hashes != @hashed_files)
+	{
+	print STDERR "FATAL: hash count incorrect\n";
+	fatal_error();
+	}
+
+foreach (@checked_hashes)
+	{
+	chomp;
+	if (!(($file, $hash) = /^HMAC-SHA1\((.*)\)\s*=\s*(\w*)$/))
+		{
+		print STDERR "FATAL: Invalid syntax in file $fp\n";
+		print STDERR "Line:\n$_\n";
+		fatal_error();
+		}
+	if (length($hash) != 40)
+		{
+		print STDERR "FATAL: Invalid hash length for file $file\n";
+		fatal_error();
+		}
+	if ($hash ne $hashes{$file})
+		{
+		if ($rebuild)
+			{
+			print STDERR "Updating hash on file $file\n";
+			$hashes{$file} = $hash;
+			}
+		else
+			{
+			print STDERR "Hash check failed for file $file\n";
+			}
+		$badfiles++;
+		}
+	elsif ($verbose)
+		{ print "Hash Check OK for $file\n";}
+	}
+	
+
+if ($badfiles && !$rebuild)
+	{
+	print STDERR "FATAL: hash mismatch on $badfiles files\n";
+	fatal_error();
+	}
+
+if ($badfiles || $force_rewrite)
+	{
+	print "Updating Hash file $hash_file\n";
+	open OUT, ">$hash_file" || die "Error rewriting $hash_file";
+	foreach (@hashed_files)
+		{
+		print OUT "HMAC-SHA1($_)= $hashes{$_}\n";
+		}
+	close OUT;
+	}
+
+if (!$badfiles)
+	{
+	print "FIPS hash check successful\n";
+	}
+
+
+sub fatal_error
+	{
+	print STDERR "*** Your source code does not match the FIPS validated source ***\n";
+	exit 1;
+	}