
#!/bin/bash
# fips-check.sh
# This script checks the current revision of the code against the
# previous release of the FIPS code. While wolfSSL and wolfCrypt
# may be advancing, they must work correctly with the last tested
# copy of our FIPS approved code.
#
# This script can check out any of the approved versions; the
# command-line option selects which one.
#
# $ ./fips-check [version] [keep]
#
# - version: linux (default), ios, android, windows, freertos, linux-ecc, netbsd-selftest, linuxv2, fips-ready, stm32l4-v2
#
# - keep: (default off) retains the XXX-fips-test temp dir for inspection
#
#######################################
# Print the command-line help for this script.
# Globals:   none
# Arguments: none
# Outputs:   usage text to stdout; $0 is the script as it was invoked,
#            so the example line shows the real path
# Returns:   0
#######################################
Usage() {
  printf '%s\n' \
    "Usage: $0 [platform [keep]]" \
    'Platform is one of:' \
    'linux (default)' \
    'ios' \
    'android' \
    'windows' \
    'freertos' \
    'openrtos-3.9.2' \
    'linux-ecc' \
    'netbsd-selftest' \
    'marvell-linux-selftest' \
    'sgx' \
    'netos-7.6' \
    'linuxv2 (FIPSv2, use for Win10)' \
    'fips-ready' \
    'stm32l4-v2 (FIPSv2, use for STM32L4)' \
    'wolfrand' \
    'solaris' \
    'Keep (default off) retains the XXX-fips-test temp dir for inspection.' \
    'Example:' \
    "$0 windows keep"
}
# ---------------------------------------------------------------------
# Per-platform release tags. Each platform has a FIPS module tag/repo
# and a wolfCrypt (cyassl/wolfssl) tag/repo that were tested together.
# The platform switch below picks one pair into FIPS_*/CRYPT_*.
# NOTE(review): these are tag names, not commit hashes; a tag can be
# moved unless it is signed, so pinning by commit would be stricter.
# ---------------------------------------------------------------------
MAKE='make'

LINUX_FIPS_VERSION='v3.2.6'
LINUX_FIPS_REPO='git@github.com:wolfSSL/fips.git'
LINUX_CRYPT_VERSION='v3.2.6'
LINUX_CRYPT_REPO='git@github.com:cyassl/cyassl.git'

LINUX_ECC_FIPS_VERSION='v3.10.3'
LINUX_ECC_FIPS_REPO='git@github.com:wolfSSL/fips.git'
LINUX_ECC_CRYPT_VERSION='v3.2.6'
LINUX_ECC_CRYPT_REPO='git@github.com:cyassl/cyassl.git'

IOS_FIPS_VERSION='v3.4.8a'
IOS_FIPS_REPO='git@github.com:wolfSSL/fips.git'
IOS_CRYPT_VERSION='v3.4.8.fips'
IOS_CRYPT_REPO='git@github.com:cyassl/cyassl.git'

ANDROID_FIPS_VERSION='v3.5.0'
ANDROID_FIPS_REPO='git@github.com:wolfSSL/fips.git'
ANDROID_CRYPT_VERSION='v3.5.0'
ANDROID_CRYPT_REPO='git@github.com:cyassl/cyassl.git'

WINDOWS_FIPS_VERSION='v3.6.6'
WINDOWS_FIPS_REPO='git@github.com:wolfSSL/fips.git'
WINDOWS_CRYPT_VERSION='v3.6.6'
WINDOWS_CRYPT_REPO='git@github.com:cyassl/cyassl.git'

FREERTOS_FIPS_VERSION='v3.6.1-FreeRTOS'
FREERTOS_FIPS_REPO='git@github.com:wolfSSL/fips.git'
FREERTOS_CRYPT_VERSION='v3.6.1'
FREERTOS_CRYPT_REPO='git@github.com:cyassl/cyassl.git'

OPENRTOS_3_9_2_FIPS_VERSION='v3.9.2-OpenRTOS'
OPENRTOS_3_9_2_FIPS_REPO='git@github.com:wolfSSL/fips.git'
OPENRTOS_3_9_2_CRYPT_VERSION='v3.6.1'
OPENRTOS_3_9_2_CRYPT_REPO='git@github.com:cyassl/cyassl.git'

# NOTE: Does not include the SGX examples yet, update version once fipsv2 is
# finished and merge conflicts can be resolved. This will be tagged as
# v3.12.4.sgx-examples
#SGX_FIPS_VERSION=v3.12.4.sgx-examples
SGX_FIPS_VERSION='v3.6.6'
SGX_FIPS_REPO='git@github.com:wolfSSL/fips.git'
SGX_CRYPT_VERSION='v3.12.4'
SGX_CRYPT_REPO='git@github.com:cyassl/cyassl.git'

NETOS_7_6_FIPS_VERSION='v3.12.6'
NETOS_7_6_FIPS_REPO='git@github.com:wolfSSL/fips.git'
NETOS_7_6_CRYPT_VERSION='v3.12.4'
NETOS_7_6_CRYPT_REPO='git@github.com:cyassl/cyassl.git'

# Non-FIPS, CAVP only, but the selftest sources are still pulled in.
# The platform switch below overrides the defaults that follow.
NETBSD_FIPS_VERSION='v3.14.2b'
NETBSD_FIPS_REPO='git@github.com:wolfssl/fips.git'
NETBSD_CRYPT_VERSION='v3.14.2'
NETBSD_CRYPT_REPO='git@github.com:wolfssl/wolfssl.git'

# Non-FIPS, CAVP only, but the selftest sources are still pulled in.
# The platform switch below overrides the defaults that follow.
MARVELL_LINUX_FIPS_VERSION='v3.14.2b'
MARVELL_LINUX_FIPS_REPO='git@github.com:wolfssl/fips.git'
MARVELL_LINUX_CRYPT_VERSION='v4.1.0-stable'
MARVELL_LINUX_CRYPT_REPO='git@github.com:wolfssl/wolfssl.git'

STM32L4_V2_FIPS_VERSION='WCv4.0.1-stable'
STM32L4_V2_FIPS_REPO='git@github.com:wolfSSL/fips.git'
STM32L4_V2_CRYPT_VERSION='WCv4.0.1-stable'

# ---------------------------------------------------------------------
# Defaults for the v1 (cyassl-era) layout. Platforms that need the
# wolfssl layout, extra modules, or a different FIPS option replace
# these in the platform switch.
# ---------------------------------------------------------------------
FIPS_SRCS=( 'fips.c' 'fips_test.c' )
WC_MODS=( 'aes' 'des3' 'sha' 'sha256' 'sha512' 'rsa' 'hmac' 'random' )
TEST_DIR='XXX-fips-test'
CRYPT_INC_PATH='cyassl/ctaocrypt'
CRYPT_SRC_PATH='ctaocrypt/src'
RNG_VERSION='v3.6.0'
FIPS_OPTION='v1'
CAVP_SELFTEST_ONLY='no'
# Command plus option; expanded unquoted on purpose so the option is
# passed as a separate word.
GIT='git -c advice.detachedHead=false'
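# Command line: argument 1 is the platform (default "linux"), argument 2
# is the literal word "keep" to retain the temp tree after the run.
PLATFORM=${1:-linux}
if [ "${2-}" = "keep" ]; then
  KEEP="yes"
else
  KEEP="no"
fi

# Select the FIPS and wolfCrypt sources for the platform. Each arm only
# overrides what differs from the defaults set above. An unknown
# platform prints the usage text and exits 1.
case "$PLATFORM" in
  ios)
    FIPS_VERSION=$IOS_FIPS_VERSION
    FIPS_REPO=$IOS_FIPS_REPO
    CRYPT_VERSION=$IOS_CRYPT_VERSION
    CRYPT_REPO=$IOS_CRYPT_REPO
    ;;
  android)
    FIPS_VERSION=$ANDROID_FIPS_VERSION
    FIPS_REPO=$ANDROID_FIPS_REPO
    CRYPT_VERSION=$ANDROID_CRYPT_VERSION
    CRYPT_REPO=$ANDROID_CRYPT_REPO
    ;;
  windows)
    FIPS_VERSION=$WINDOWS_FIPS_VERSION
    FIPS_REPO=$WINDOWS_FIPS_REPO
    CRYPT_VERSION=$WINDOWS_CRYPT_VERSION
    CRYPT_REPO=$WINDOWS_CRYPT_REPO
    ;;
  freertos)
    FIPS_VERSION=$FREERTOS_FIPS_VERSION
    FIPS_REPO=$FREERTOS_FIPS_REPO
    CRYPT_VERSION=$FREERTOS_CRYPT_VERSION
    CRYPT_REPO=$FREERTOS_CRYPT_REPO
    ;;
  openrtos-3.9.2)
    FIPS_VERSION=$OPENRTOS_3_9_2_FIPS_VERSION
    FIPS_REPO=$OPENRTOS_3_9_2_FIPS_REPO
    CRYPT_VERSION=$OPENRTOS_3_9_2_CRYPT_VERSION
    CRYPT_REPO=$OPENRTOS_3_9_2_CRYPT_REPO
    # These wolfCrypt sources get renamed with a wc_ prefix after the
    # test run (see the FIPS_CONFLICTS handling at the end).
    FIPS_CONFLICTS=( aes hmac random sha256 )
    ;;
  linux)
    FIPS_VERSION=$LINUX_FIPS_VERSION
    FIPS_REPO=$LINUX_FIPS_REPO
    CRYPT_VERSION=$LINUX_CRYPT_VERSION
    CRYPT_REPO=$LINUX_CRYPT_REPO
    ;;
  linux-ecc)
    FIPS_VERSION=$LINUX_ECC_FIPS_VERSION
    FIPS_REPO=$LINUX_ECC_FIPS_REPO
    CRYPT_VERSION=$LINUX_ECC_CRYPT_VERSION
    CRYPT_REPO=$LINUX_ECC_CRYPT_REPO
    ;;
  linuxv2)
    # v2 layout: no CRYPT_REPO, the wolfCrypt files are checked out from
    # the CRYPT_VERSION tag of this repository.
    FIPS_VERSION=WCv4-stable
    FIPS_REPO=git@github.com:wolfssl/fips.git
    CRYPT_VERSION=WCv4-stable
    CRYPT_INC_PATH=wolfssl/wolfcrypt
    CRYPT_SRC_PATH=wolfcrypt/src
    WC_MODS+=( cmac dh ecc sha3 )
    RNG_VERSION=WCv4-rng-stable
    FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c )
    FIPS_INCS=( fips.h )
    FIPS_OPTION=v2
    ;;
  netbsd-selftest)
    FIPS_VERSION=$NETBSD_FIPS_VERSION
    FIPS_REPO=$NETBSD_FIPS_REPO
    CRYPT_VERSION=$NETBSD_CRYPT_VERSION
    CRYPT_REPO=$NETBSD_CRYPT_REPO
    FIPS_SRCS=( selftest.c )
    WC_MODS=( dh ecc rsa dsa aes sha sha256 sha512 hmac random )
    CRYPT_INC_PATH=wolfssl/wolfcrypt
    CRYPT_SRC_PATH=wolfcrypt/src
    CAVP_SELFTEST_ONLY="yes"
    ;;
  marvell-linux-selftest)
    FIPS_VERSION=$MARVELL_LINUX_FIPS_VERSION
    FIPS_REPO=$MARVELL_LINUX_FIPS_REPO
    CRYPT_VERSION=$MARVELL_LINUX_CRYPT_VERSION
    CRYPT_REPO=$MARVELL_LINUX_CRYPT_REPO
    FIPS_SRCS=( selftest.c )
    WC_MODS=( dh ecc rsa dsa aes sha sha256 sha512 hmac random )
    CRYPT_INC_PATH=wolfssl/wolfcrypt
    CRYPT_SRC_PATH=wolfcrypt/src
    CAVP_SELFTEST_ONLY="yes"
    CAVP_SELFTEST_OPTION=v2
    ;;
  sgx)
    FIPS_VERSION=$SGX_FIPS_VERSION
    FIPS_REPO=$SGX_FIPS_REPO
    CRYPT_VERSION=$SGX_CRYPT_VERSION
    CRYPT_REPO=$SGX_CRYPT_REPO
    ;;
  netos-7.6)
    FIPS_VERSION=$NETOS_7_6_FIPS_VERSION
    FIPS_REPO=$NETOS_7_6_FIPS_REPO
    CRYPT_VERSION=$NETOS_7_6_CRYPT_VERSION
    CRYPT_REPO=$NETOS_7_6_CRYPT_REPO
    ;;
  fips-ready)
    # No FIPS_VERSION/CRYPT_VERSION: "ready" clones the FIPS repo at its
    # default branch and does not replace any wolfCrypt files.
    FIPS_REPO="git@github.com:wolfssl/fips.git"
    CRYPT_REPO="git@github.com:wolfssl/wolfssl.git"
    CRYPT_INC_PATH=wolfssl/wolfcrypt
    CRYPT_SRC_PATH=wolfcrypt/src
    FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c )
    FIPS_INCS=( fips.h )
    FIPS_OPTION=ready
    ;;
  stm32l4-v2)
    FIPS_VERSION=$STM32L4_V2_FIPS_VERSION
    FIPS_REPO=$STM32L4_V2_FIPS_REPO
    CRYPT_VERSION=$STM32L4_V2_CRYPT_VERSION
    CRYPT_INC_PATH=wolfssl/wolfcrypt
    CRYPT_SRC_PATH=wolfcrypt/src
    # Replace the WC_MODS list for now. Do not want to copy over random.c yet.
    WC_MODS=( aes des3 sha sha256 sha512 rsa hmac )
    WC_MODS+=( cmac dh ecc )
    FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c )
    FIPS_INCS=( fips.h )
    FIPS_OPTION=v2
    ;;
  wolfrand)
    FIPS_REPO=git@github.com:wolfssl/fips.git
    FIPS_VERSION=WRv4-stable
    CRYPT_REPO=git@github.com:wolfssl/wolfssl.git
    CRYPT_VERSION=WCv4-stable
    CRYPT_INC_PATH=wolfssl/wolfcrypt
    CRYPT_SRC_PATH=wolfcrypt/src
    RNG_VERSION=WCv4-rng-stable
    WC_MODS=( hmac sha256 random )
    FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c )
    FIPS_INCS=( fips.h )
    FIPS_OPTION=rand
    ;;
  solaris)
    FIPS_VERSION=WCv4-stable
    FIPS_REPO=git@github.com:wolfssl/fips.git
    CRYPT_VERSION=WCv4-stable
    CRYPT_INC_PATH=wolfssl/wolfcrypt
    CRYPT_SRC_PATH=wolfcrypt/src
    WC_MODS+=( cmac dh ecc sha3 )
    RNG_VERSION=WCv4-rng-stable
    FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c )
    FIPS_INCS=( fips.h )
    FIPS_OPTION=v2
    # Solaris ships a non-GNU make as "make".
    MAKE=gmake
    ;;
  *)
    Usage
    exit 1
    ;;
esac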
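# Duplicate the current working tree into TEST_DIR so nothing below
# touches the real checkout, then work inside the copy.
# $GIT is deliberately unquoted: it holds the command plus its option.
if ! $GIT clone . "$TEST_DIR"; then
  echo "fips-check: Couldn't duplicate current working directory."
  exit 1
fi
pushd "$TEST_DIR" || exit 2

# Replace the wolfCrypt sources in the copy with the versions that were
# tested with the FIPS module. Every copy and checkout is checked: a
# failure that went unnoticed would leave the current tree's file in
# place, and the build below would then validate the wrong code.
if [ "$FIPS_OPTION" = "v1" ]; then
  # make a clone of the last FIPS release tag
  if ! $GIT clone --depth 1 -b "$CRYPT_VERSION" "$CRYPT_REPO" old-tree; then
    echo "fips-check: Couldn't checkout the FIPS release."
    exit 1
  fi
  for MOD in "${WC_MODS[@]}"; do
    cp "old-tree/$CRYPT_SRC_PATH/${MOD}.c" "$CRYPT_SRC_PATH" || exit 1
    cp "old-tree/$CRYPT_INC_PATH/${MOD}.h" "$CRYPT_INC_PATH" || exit 1
  done
  # We are using random.c from a separate release.
  # This forcefully overwrites any other checkout of the cyassl sources.
  # Not done for the SGX and netos projects, nor for CAVP self-test only.
  if [ "$CAVP_SELFTEST_ONLY" = "no" ] && [ "$PLATFORM" != "sgx" ] && \
     [ "$PLATFORM" != "netos-7.6" ]; then
    pushd old-tree || exit 2
    # If the fetch fails, FETCH_HEAD is stale or missing and the
    # checkout would silently pick up something other than RNG_VERSION.
    $GIT fetch origin "$RNG_VERSION" || exit 1
    $GIT checkout FETCH_HEAD || exit 1
    popd || exit 2
    cp "old-tree/$CRYPT_SRC_PATH/random.c" "$CRYPT_SRC_PATH" || exit 1
    cp "old-tree/$CRYPT_INC_PATH/random.h" "$CRYPT_INC_PATH" || exit 1
  fi
elif [ "$FIPS_OPTION" = "v2" ] || [ "$FIPS_OPTION" = "rand" ]; then
  # The v2 sources come from tags of this repository: make a local
  # branch off each tag and check the tested files out from it.
  # (git branch is left unchecked so an already existing my* branch is
  # reused; the checkouts are the step that must not fail.)
  $GIT branch --no-track "my$CRYPT_VERSION" "$CRYPT_VERSION"
  # Checkout the fips versions of the wolfCrypt files from the repo.
  for MOD in "${WC_MODS[@]}"; do
    $GIT checkout "my$CRYPT_VERSION" -- "$CRYPT_SRC_PATH/$MOD.c" "$CRYPT_INC_PATH/$MOD.h" || exit 1
  done
  $GIT branch --no-track "my$RNG_VERSION" "$RNG_VERSION"
  # Checkout the fips versions of random.c/h from the RNG tag.
  $GIT checkout "my$RNG_VERSION" -- "$CRYPT_SRC_PATH/random.c" "$CRYPT_INC_PATH/random.h" || exit 1
elif [ "$FIPS_OPTION" = "ready" ]; then
  echo "Don't need to copy anything in particular for FIPS Ready."
else
  echo "fips-check: Invalid FIPS option."
  exit 1
fi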
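# Clone the FIPS repository. For "ready" there is no release tag to
# pin, so the repository's default branch is taken; every other option
# clones the tagged release selected above.
clone_args=( --depth 1 )
if [ "$FIPS_OPTION" != "ready" ]; then
  clone_args+=( -b "$FIPS_VERSION" )
fi
if ! $GIT clone "${clone_args[@]}" "$FIPS_REPO" fips; then
  echo "fips-check: Couldn't checkout the FIPS repository."
  exit 1
fi

# Drop the FIPS sources and headers into the wolfCrypt tree. A failed
# copy must stop the run, otherwise the build proceeds with whatever was
# already in the tree and the result says nothing about the FIPS code.
for SRC in "${FIPS_SRCS[@]}"; do
  cp "fips/$SRC" "$CRYPT_SRC_PATH" || exit 1
done
# FIPS_INCS is only set by the v2/ready/rand platforms; when it is unset
# the loop body never runs.
for INC in "${FIPS_INCS[@]}"; do
  cp "fips/$INC" "$CRYPT_INC_PATH" || exit 1
done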
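# Configure and build the test tree. autogen/configure failures used to
# be ignored and only surfaced later as an unrelated make error.
if ! ./autogen.sh; then
  echo "fips-check: autogen failed. Debris left for analysis."
  exit 3
fi
if [ "$CAVP_SELFTEST_ONLY" = "yes" ]; then
  if [ "$CAVP_SELFTEST_OPTION" = "v2" ]; then
    CONFIGURE_OPTS=( --enable-selftest=v2 )
  else
    CONFIGURE_OPTS=( --enable-selftest )
  fi
else
  CONFIGURE_OPTS=( "--enable-fips=$FIPS_OPTION" )
fi
if ! ./configure "${CONFIGURE_OPTS[@]}"; then
  echo "fips-check: Configure failed. Debris left for analysis."
  exit 3
fi
if ! $MAKE; then
  echo "fips-check: Make failed. Debris left for analysis."
  exit 3
fi

# For a FIPS build, the "hash = ..." line printed by the first
# testwolfcrypt run is written into the string in fips_test.c and the
# tree is rebuilt by the "make test" below.
if [ "$CAVP_SELFTEST_ONLY" = "no" ]; then
  NEWHASH=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
  if [ -n "$NEWHASH" ]; then
    # NEWHASH is spliced into a sed replacement and into a C string
    # literal. A value containing '/', '\', '&', '"' or a newline would
    # break the sed expression or the literal, and the redirect below
    # truncates fips_test.c before sed runs, so such values are refused.
    # NOTE(review): the hash looks like a plain hex digest; if that is
    # confirmed, `^[0-9A-Fa-f]+$` is the tighter check to use here.
    case "$NEWHASH" in
      *[/\\\&\"]*|*$'\n'*)
        echo "fips-check: Unexpected hash value from testwolfcrypt."
        exit 3
        ;;
    esac
    cp "$CRYPT_SRC_PATH/fips_test.c" "$CRYPT_SRC_PATH/fips_test.c.bak" || exit 3
    if ! sed "s/^\".*\";/\"${NEWHASH}\";/" "$CRYPT_SRC_PATH/fips_test.c.bak" >"$CRYPT_SRC_PATH/fips_test.c"; then
      echo "fips-check: Could not update fips_test.c (original kept as fips_test.c.bak)."
      exit 3
    fi
    # Use the platform's make (gmake on solaris), not a hard-coded "make".
    $MAKE clean
  fi
fi
if ! $MAKE test; then
  echo "fips-check: Test failed. Debris left for analysis."
  exit 3
fi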
  351. if [ ${#FIPS_CONFLICTS[@]} -ne 0 ];
  352. then
  353. echo "Due to the way this package is compiled by the customer duplicate"
  354. echo "source file names are an issue, renaming:"
  355. for FNAME in "${FIPS_CONFLICTS[@]}"
  356. do
  357. echo "wolfcrypt/src/$FNAME.c to wolfcrypt/src/wc_$FNAME.c"
  358. mv "./wolfcrypt/src/$FNAME.c" "./wolfcrypt/src/wc_$FNAME.c"
  359. done
  360. echo "Confirming files were renamed..."
  361. ls -la ./wolfcrypt/src/wc_*.c
  362. fi
  363. # Clean up
  364. popd || exit 2
  365. if [ "x$KEEP" == "xno" ];
  366. then
  367. rm -rf $TEST_DIR
  368. fi