
  1. #!/bin/bash
  2. # fips-check.sh
  3. # This script checks the current revision of the code against the
  4. # previous release of the FIPS code. While wolfSSL and wolfCrypt
  5. # may be advancing, they must work correctly with the last tested
  6. # copy of our FIPS approved code.
  7. #
  8. # This should check out all the approved versions. The command line
  9. # option selects the version.
  10. #
# $ ./fips-check.sh [version] [keep]
#
# - version: linux (default), ios, android, windows, freertos, linux-ecc, netbsd-selftest, linuxv2 (see Usage below for the complete list)
#
# - keep: (default off) keeps the XXX-fips-test temp dir around for inspection
  16. #
#######################################
# Print the command-line help for this script.
# Globals:   none
# Arguments: none ($0 is used as the program name)
# Outputs:   usage text on stdout, one line per platform
# Returns:   0
#######################################
Usage() {
  printf '%s\n' \
    "Usage: $0 [platform [keep]]" \
    "Platform is one of:" \
    "linux (default)" \
    "ios" \
    "android" \
    "windows" \
    "freertos" \
    "openrtos-3.9.2" \
    "linux-ecc" \
    "netbsd-selftest" \
    "sgx" \
    "netos-7.6" \
    "linuxv2 (FIPSv2, use for Win10)" \
    "Keep (default off) retains the XXX-fips-test temp dir for inspection." \
    "Example:" \
    "$0 windows keep"
}
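# Per-platform pins. For each platform: the tag and repo of the FIPS module
# sources, and the tag and repo of the wolfCrypt/cyassl sources that module
# was validated against. The platform switch below copies one set of these
# into FIPS_VERSION / FIPS_REPO / CRYPT_VERSION / CRYPT_REPO.
LINUX_FIPS_VERSION=v3.2.6
LINUX_FIPS_REPO=git@github.com:wolfSSL/fips.git
LINUX_CRYPT_VERSION=v3.2.6
LINUX_CRYPT_REPO=git@github.com:cyassl/cyassl.git

LINUX_ECC_FIPS_VERSION=v3.10.3
LINUX_ECC_FIPS_REPO=git@github.com:wolfSSL/fips.git
LINUX_ECC_CRYPT_VERSION=v3.2.6
LINUX_ECC_CRYPT_REPO=git@github.com:cyassl/cyassl.git

# linuxv2 takes its wolfCrypt files from a tag in the local clone, so it
# has no CRYPT_REPO.
LINUXV2_FIPS_VERSION=WCv4-stable
LINUXV2_FIPS_REPO=git@github.com:wolfSSL/fips.git
LINUXV2_CRYPT_VERSION=WCv4-stable

IOS_FIPS_VERSION=v3.4.8a
IOS_FIPS_REPO=git@github.com:wolfSSL/fips.git
IOS_CRYPT_VERSION=v3.4.8.fips
IOS_CRYPT_REPO=git@github.com:cyassl/cyassl.git

ANDROID_FIPS_VERSION=v3.5.0
ANDROID_FIPS_REPO=git@github.com:wolfSSL/fips.git
ANDROID_CRYPT_VERSION=v3.5.0
ANDROID_CRYPT_REPO=git@github.com:cyassl/cyassl.git

WINDOWS_FIPS_VERSION=v3.6.6
WINDOWS_FIPS_REPO=git@github.com:wolfSSL/fips.git
WINDOWS_CRYPT_VERSION=v3.6.6
WINDOWS_CRYPT_REPO=git@github.com:cyassl/cyassl.git

FREERTOS_FIPS_VERSION=v3.6.1-FreeRTOS
FREERTOS_FIPS_REPO=git@github.com:wolfSSL/fips.git
FREERTOS_CRYPT_VERSION=v3.6.1
FREERTOS_CRYPT_REPO=git@github.com:cyassl/cyassl.git

OPENRTOS_3_9_2_FIPS_VERSION=v3.9.2-OpenRTOS
OPENRTOS_3_9_2_FIPS_REPO=git@github.com:wolfSSL/fips.git
OPENRTOS_3_9_2_CRYPT_VERSION=v3.6.1
OPENRTOS_3_9_2_CRYPT_REPO=git@github.com:cyassl/cyassl.git

#NOTE: Does not include the SGX examples yet, update version once fipsv2 is
# finished and merge conflicts can be resolved. This will be tagged as
# v3.12.4.sgx-examples
#SGX_FIPS_VERSION=v3.12.4.sgx-examples
SGX_FIPS_VERSION=v3.6.6
SGX_FIPS_REPO=git@github.com:wolfSSL/fips.git
SGX_CRYPT_VERSION=v3.12.4
SGX_CRYPT_REPO=git@github.com:cyassl/cyassl.git

NETOS_7_6_FIPS_VERSION=v3.12.6
NETOS_7_6_FIPS_REPO=git@github.com:wolfSSL/fips.git
NETOS_7_6_CRYPT_VERSION=v3.12.4
NETOS_7_6_CRYPT_REPO=git@github.com:cyassl/cyassl.git

# non-FIPS, CAVP only but pull in selftest
# will reset above variables below in platform switch
NETBSD_FIPS_VERSION=v3.14.2a
NETBSD_FIPS_REPO=git@github.com:wolfssl/fips.git
NETBSD_CRYPT_VERSION=v3.14.2
NETBSD_CRYPT_REPO=git@github.com:wolfssl/wolfssl.git

# Defaults for the FIPSv1 / ctaocrypt layout; platform arms override them.
FIPS_SRCS=( fips.c fips_test.c )     # files copied from the fips clone into CRYPT_SRC_PATH
FIPS_INCS=()                         # headers copied from the fips clone into CRYPT_INC_PATH
FIPS_CONFLICTS=()                    # wolfCrypt modules renamed to wc_*.c after the build
WC_MODS=( aes des3 sha sha256 sha512 rsa hmac random )
TEST_DIR=XXX-fips-test
CRYPT_INC_PATH=cyassl/ctaocrypt
CRYPT_SRC_PATH=ctaocrypt/src
FIPS_OPTION=v1
CAVP_SELFTEST_ONLY="no"
# Deliberately a plain string: every later use is an unquoted $GIT so that
# it word-splits into the command plus its option.
GIT="git -c advice.detachedHead=false"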
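# Command line: $1 selects the platform (default: linux); $2 equal to
# "keep" retains the temp dir. Any other second argument is ignored.
PLATFORM=${1:-linux}
if [[ "${2:-}" == "keep" ]]; then KEEP="yes"; else KEEP="no"; fi

# Select the pinned versions for the chosen platform. Arms that use the
# wolfCrypt layout, a different module list, or FIPSv2 override the defaults
# set above. An unknown platform prints the usage text and exits 1.
case "$PLATFORM" in
  ios)
    FIPS_VERSION=$IOS_FIPS_VERSION
    FIPS_REPO=$IOS_FIPS_REPO
    CRYPT_VERSION=$IOS_CRYPT_VERSION
    CRYPT_REPO=$IOS_CRYPT_REPO
    ;;
  android)
    FIPS_VERSION=$ANDROID_FIPS_VERSION
    FIPS_REPO=$ANDROID_FIPS_REPO
    CRYPT_VERSION=$ANDROID_CRYPT_VERSION
    CRYPT_REPO=$ANDROID_CRYPT_REPO
    ;;
  windows)
    FIPS_VERSION=$WINDOWS_FIPS_VERSION
    FIPS_REPO=$WINDOWS_FIPS_REPO
    CRYPT_VERSION=$WINDOWS_CRYPT_VERSION
    CRYPT_REPO=$WINDOWS_CRYPT_REPO
    ;;
  freertos)
    FIPS_VERSION=$FREERTOS_FIPS_VERSION
    FIPS_REPO=$FREERTOS_FIPS_REPO
    CRYPT_VERSION=$FREERTOS_CRYPT_VERSION
    CRYPT_REPO=$FREERTOS_CRYPT_REPO
    ;;
  openrtos-3.9.2)
    FIPS_VERSION=$OPENRTOS_3_9_2_FIPS_VERSION
    FIPS_REPO=$OPENRTOS_3_9_2_FIPS_REPO
    CRYPT_VERSION=$OPENRTOS_3_9_2_CRYPT_VERSION
    CRYPT_REPO=$OPENRTOS_3_9_2_CRYPT_REPO
    # These modules clash by file name in the customer's build; they are
    # renamed to wc_*.c after the test run.
    FIPS_CONFLICTS=( aes hmac random sha256 )
    ;;
  linux)
    FIPS_VERSION=$LINUX_FIPS_VERSION
    FIPS_REPO=$LINUX_FIPS_REPO
    CRYPT_VERSION=$LINUX_CRYPT_VERSION
    CRYPT_REPO=$LINUX_CRYPT_REPO
    ;;
  linux-ecc)
    FIPS_VERSION=$LINUX_ECC_FIPS_VERSION
    FIPS_REPO=$LINUX_ECC_FIPS_REPO
    CRYPT_VERSION=$LINUX_ECC_CRYPT_VERSION
    CRYPT_REPO=$LINUX_ECC_CRYPT_REPO
    ;;
  linuxv2)
    # FIPSv2: wolfCrypt files come from a tag of the local clone, so no
    # CRYPT_REPO is needed; extra modules and module-boundary files apply.
    FIPS_VERSION=$LINUXV2_FIPS_VERSION
    FIPS_REPO=$LINUXV2_FIPS_REPO
    CRYPT_VERSION=$LINUXV2_CRYPT_VERSION
    CRYPT_INC_PATH=wolfssl/wolfcrypt
    CRYPT_SRC_PATH=wolfcrypt/src
    WC_MODS+=( cmac dh ecc )
    FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c )
    FIPS_INCS=( fips.h )
    FIPS_OPTION=v2
    ;;
  netbsd-selftest)
    # CAVP self-test only: no FIPS module, a different module list, and
    # configure runs with --enable-selftest instead of --enable-fips.
    FIPS_VERSION=$NETBSD_FIPS_VERSION
    FIPS_REPO=$NETBSD_FIPS_REPO
    CRYPT_VERSION=$NETBSD_CRYPT_VERSION
    CRYPT_REPO=$NETBSD_CRYPT_REPO
    FIPS_SRCS=( selftest.c )
    WC_MODS=( dh ecc rsa dsa aes sha sha256 sha512 hmac random )
    CRYPT_INC_PATH=wolfssl/wolfcrypt
    CRYPT_SRC_PATH=wolfcrypt/src
    CAVP_SELFTEST_ONLY="yes"
    ;;
  sgx)
    FIPS_VERSION=$SGX_FIPS_VERSION
    FIPS_REPO=$SGX_FIPS_REPO
    CRYPT_VERSION=$SGX_CRYPT_VERSION
    CRYPT_REPO=$SGX_CRYPT_REPO
    ;;
  netos-7.6)
    FIPS_VERSION=$NETOS_7_6_FIPS_VERSION
    FIPS_REPO=$NETOS_7_6_FIPS_REPO
    CRYPT_VERSION=$NETOS_7_6_CRYPT_VERSION
    CRYPT_REPO=$NETOS_7_6_CRYPT_REPO
    ;;
  *)
    Usage
    exit 1
    ;;
esac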
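# Work in a throwaway clone of the current checkout so the real working tree
# is never touched; everything below runs inside TEST_DIR. The clone fails
# (and we stop) if a TEST_DIR left behind by a previous "keep" run exists.
# shellcheck disable=SC2086  # GIT intentionally word-splits into command + options
if ! $GIT clone . "$TEST_DIR"; then
  echo "fips-check: Couldn't duplicate current working directory."
  exit 1
fi
pushd "$TEST_DIR" || exit 2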
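# Replace the current wolfCrypt modules with the validated copies. A failed
# copy or checkout is fatal: continuing would build and "pass" the test
# against sources other than the ones the module was validated with.
if [[ "$FIPS_OPTION" == "v1" ]]; then
  # FIPSv1: the validated sources live in a tagged cyassl tree.
  # make a clone of the last FIPS release tag
  # shellcheck disable=SC2086
  if ! $GIT clone -b "$CRYPT_VERSION" "$CRYPT_REPO" old-tree; then
    echo "fips-check: Couldn't checkout the FIPS release."
    exit 1
  fi
  for MOD in "${WC_MODS[@]}"; do
    cp "old-tree/$CRYPT_SRC_PATH/${MOD}.c" "$CRYPT_SRC_PATH" || exit 1
    cp "old-tree/$CRYPT_INC_PATH/${MOD}.h" "$CRYPT_INC_PATH" || exit 1
  done
  # The following is temporary. We are using random.c from a separate release
  # This is forcefully overwriting any other checkout of the cyassl sources.
  # Removing this as default behavior for SGX and netos projects.
  if [[ "$CAVP_SELFTEST_ONLY" == "no" && "$PLATFORM" != "sgx" \
        && "$PLATFORM" != "netos-7.6" ]]; then
    pushd old-tree || exit 2
    # shellcheck disable=SC2086
    $GIT checkout v3.6.0 || exit 1
    popd || exit 2
    cp "old-tree/$CRYPT_SRC_PATH/random.c" "$CRYPT_SRC_PATH" || exit 1
    cp "old-tree/$CRYPT_INC_PATH/random.h" "$CRYPT_INC_PATH" || exit 1
  fi
else
  # FIPSv2: the validated files are a tag of this repository. Branch from
  # the tag (no upstream tracking) and check out just those files.
  # shellcheck disable=SC2086
  $GIT branch --no-track "my$CRYPT_VERSION" "$CRYPT_VERSION" || exit 1
  # Checkout the fips versions of the wolfCrypt files from the repo.
  for MOD in "${WC_MODS[@]}"; do
    # shellcheck disable=SC2086
    $GIT checkout "my$CRYPT_VERSION" -- "$CRYPT_SRC_PATH/$MOD.c" "$CRYPT_INC_PATH/$MOD.h" || exit 1
  done
fi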
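# clone the FIPS repository and drop the module sources/headers into the
# wolfCrypt tree. A failed copy is fatal for the same reason as above: the
# build must contain exactly the pinned FIPS files.
# shellcheck disable=SC2086
if ! $GIT clone -b "$FIPS_VERSION" "$FIPS_REPO" fips; then
  echo "fips-check: Couldn't checkout the FIPS repository."
  exit 1
fi
for SRC in "${FIPS_SRCS[@]}"; do
  cp "fips/$SRC" "$CRYPT_SRC_PATH" || exit 1
done
# FIPS_INCS is empty for FIPSv1 platforms; the loop then does nothing.
for INC in "${FIPS_INCS[@]}"; do
  cp "fips/$INC" "$CRYPT_INC_PATH" || exit 1
done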
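# run the make test
# autogen/configure failures were previously ignored, which let a stale
# Makefile from an earlier run be built instead; treat them like a failed make.
if ! ./autogen.sh; then
  echo "fips-check: autogen.sh failed. Debris left for analysis."
  exit 3
fi
if [[ "$CAVP_SELFTEST_ONLY" == "yes" ]]; then
  ./configure --enable-selftest || exit 3
else
  ./configure --enable-fips="$FIPS_OPTION" || exit 3
fi
if ! make; then
  echo "fips-check: Make failed. Debris left for analysis."
  exit 3
fi
if [[ "$CAVP_SELFTEST_ONLY" == "no" ]]; then
  # testwolfcrypt reports the integrity hash of the freshly built module as
  # "hash = <value>". Patch that value into the string literal in
  # fips_test.c and clean so that "make test" rebuilds with it embedded.
  NEWHASH=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
  if [[ -n "$NEWHASH" ]]; then
    # The value is spliced into a sed expression and then into C source.
    # Accept only a single hex digest so that unexpected or multi-line tool
    # output cannot corrupt fips_test.c or change the sed expression.
    # (Assumes the digest is printed as plain hex — adjust if that changes.)
    if ! [[ "$NEWHASH" =~ ^[0-9A-Fa-f]+$ ]]; then
      echo "fips-check: Unexpected hash value from testwolfcrypt: $NEWHASH"
      exit 3
    fi
    sed -i.bak "s/^\".*\";/\"${NEWHASH}\";/" "$CRYPT_SRC_PATH/fips_test.c" || exit 3
    make clean
  fi
fi
if ! make test; then
  echo "fips-check: Test failed. Debris left for analysis."
  exit 3
fi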
  252. if [ ${#FIPS_CONFLICTS[@]} -ne 0 ];
  253. then
  254. echo "Due to the way this package is compiled by the customer duplicate"
  255. echo "source file names are an issue, renaming:"
  256. for FNAME in "${FIPS_CONFLICTS[@]}"
  257. do
  258. echo "wolfcrypt/src/$FNAME.c to wolfcrypt/src/wc_$FNAME.c"
  259. mv "./wolfcrypt/src/$FNAME.c" "./wolfcrypt/src/wc_$FNAME.c"
  260. done
  261. echo "Confirming files were renamed..."
  262. ls -la ./wolfcrypt/src/wc_*.c
  263. fi
  264. # Clean up
  265. popd || exit 2
  266. if [ "x$KEEP" == "xno" ];
  267. then
  268. rm -rf $TEST_DIR
  269. fi