1
0

fips-check.sh 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369
  1. #!/bin/bash
  2. # fips-check.sh
  3. # This script checks the current revision of the code against the
  4. # previous release of the FIPS code. While wolfSSL and wolfCrypt
  5. # may be advancing, they must work correctly with the last tested
  6. # copy of our FIPS approved code.
  7. #
  8. # This should check out all the approved flavors. The command line
  9. # option selects the flavor. The keep option keeps the output
  10. # directory.
  11. # These variables may be overridden on the command line.
  12. MAKE="${MAKE:-make}"
  13. GIT="${GIT:-git -c advice.detachedHead=false}"
  14. TEST_DIR="${TEST_DIR:-XXX-fips-test}"
  15. FLAVOR="${FLAVOR:-linux}"
  16. KEEP="${KEEP:-no}"
  17. MAKECHECK=${MAKECHECK:-yes}
  18. FIPS_REPO="${FIPS_REPO:-git@github.com:wolfssl/fips.git}"
  19. Usage() {
  20. cat <<usageText
  21. Usage: $0 [flavor] [keep]
  22. Flavor is one of:
  23. linuxv2 (FIPSv2, use for Win10)
  24. fipsv2-OE-ready (ready FIPSv2)
  25. solaris
  26. netbsd-selftest
  27. marvell-linux-selftest
  28. linuxv5 (current FIPS 140-3)
  29. fips-ready (ready FIPS 140-3)
  30. fips-dev (dev FIPS 140-3)
  31. wolfrand
  32. Keep (default off) retains the temp dir $TEST_DIR for inspection.
  33. Example:
  34. $0 windows keep
  35. usageText
  36. }
  37. while [ "$1" ]; do
  38. if [ "$1" = 'keep' ]; then KEEP='yes';
  39. elif [ "$1" = 'nomakecheck' ]; then MAKECHECK='no';
  40. else FLAVOR="$1"; fi
  41. shift
  42. done
  43. case "$FLAVOR" in
  44. linuxv2|fipsv2-OE-ready|solaris)
  45. FIPS_OPTION='v2'
  46. FIPS_FILES=(
  47. 'wolfcrypt/src/fips.c:WCv4-stable'
  48. 'wolfcrypt/src/fips_test.c:WCv4-stable'
  49. 'wolfcrypt/src/wolfcrypt_first.c:WCv4-stable'
  50. 'wolfcrypt/src/wolfcrypt_last.c:WCv4-stable'
  51. 'wolfssl/wolfcrypt/fips.h:WCv4-stable'
  52. )
  53. WOLFCRYPT_FILES=(
  54. 'wolfcrypt/src/aes.c:WCv4-stable'
  55. 'wolfcrypt/src/aes_asm.asm:WCv4-stable'
  56. 'wolfcrypt/src/aes_asm.S:WCv4-stable'
  57. 'wolfcrypt/src/cmac.c:WCv4-stable'
  58. 'wolfcrypt/src/des3.c:WCv4-stable'
  59. 'wolfcrypt/src/dh.c:WCv4-stable'
  60. 'wolfcrypt/src/ecc.c:WCv4-stable'
  61. 'wolfcrypt/src/hmac.c:WCv4-stable'
  62. 'wolfcrypt/src/random.c:WCv4-rng-stable'
  63. 'wolfcrypt/src/rsa.c:WCv4-stable'
  64. 'wolfcrypt/src/sha.c:WCv4-stable'
  65. 'wolfcrypt/src/sha256.c:WCv4-stable'
  66. 'wolfcrypt/src/sha3.c:WCv4-stable'
  67. 'wolfcrypt/src/sha512.c:WCv4-stable'
  68. 'wolfssl/wolfcrypt/aes.h:WCv4-stable'
  69. 'wolfssl/wolfcrypt/cmac.h:WCv4-stable'
  70. 'wolfssl/wolfcrypt/des3.h:WCv4-stable'
  71. 'wolfssl/wolfcrypt/dh.h:WCv4-stable'
  72. 'wolfssl/wolfcrypt/ecc.h:WCv4-stable'
  73. 'wolfssl/wolfcrypt/hmac.h:WCv4-stable'
  74. 'wolfssl/wolfcrypt/random.h:WCv4-rng-stable'
  75. 'wolfssl/wolfcrypt/rsa.h:WCv4-stable'
  76. 'wolfssl/wolfcrypt/sha.h:WCv4-stable'
  77. 'wolfssl/wolfcrypt/sha256.h:WCv4-stable'
  78. 'wolfssl/wolfcrypt/sha3.h:WCv4-stable'
  79. 'wolfssl/wolfcrypt/sha512.h:WCv4-stable'
  80. )
  81. if [ "$FLAVOR" = 'solaris' ]; then MAKE='gmake'; fi
  82. ;;
  83. netbsd-selftest)
  84. # non-FIPS, CAVP only but pull in selftest
  85. FIPS_OPTION='cavp-selftest'
  86. FIPS_FILES=('wolfcrypt/src/selftest.c:v3.14.2b')
  87. WOLFCRYPT_FILES=(
  88. 'wolfcrypt/src/aes.c:v3.14.2'
  89. 'wolfcrypt/src/dh.c:v3.14.2'
  90. 'wolfcrypt/src/dsa.c:v3.14.2'
  91. 'wolfcrypt/src/ecc.c:v3.14.2'
  92. 'wolfcrypt/src/hmac.c:v3.14.2'
  93. 'wolfcrypt/src/random.c:v3.14.2'
  94. 'wolfcrypt/src/rsa.c:v3.14.2'
  95. 'wolfcrypt/src/sha.c:v3.14.2'
  96. 'wolfcrypt/src/sha256.c:v3.14.2'
  97. 'wolfcrypt/src/sha512.c:v3.14.2'
  98. 'wolfssl/wolfcrypt/aes.h:v3.14.2'
  99. 'wolfssl/wolfcrypt/dh.h:v3.14.2'
  100. 'wolfssl/wolfcrypt/dsa.h:v3.14.2'
  101. 'wolfssl/wolfcrypt/ecc.h:v3.14.2'
  102. 'wolfssl/wolfcrypt/hmac.h:v3.14.2'
  103. 'wolfssl/wolfcrypt/random.h:v3.14.2'
  104. 'wolfssl/wolfcrypt/rsa.h:v3.14.2'
  105. 'wolfssl/wolfcrypt/sha.h:v3.14.2'
  106. 'wolfssl/wolfcrypt/sha256.h:v3.14.2'
  107. 'wolfssl/wolfcrypt/sha512.h:v3.14.2'
  108. )
  109. ;;
  110. marvell-linux-selftest)
  111. # non-FIPS, CAVP only but pull in selftest
  112. FIPS_OPTION='cavp-selftest-v2'
  113. FIPS_FILES=('wolfcrypt/src/selftest.c:v3.14.2b')
  114. WOLFCRYPT_FILES=(
  115. 'wolfcrypt/src/aes.c:v4.1.0-stable'
  116. 'wolfcrypt/src/dh.c:v4.1.0-stable'
  117. 'wolfcrypt/src/dsa.c:v4.1.0-stable'
  118. 'wolfcrypt/src/ecc.c:v4.1.0-stable'
  119. 'wolfcrypt/src/hmac.c:v4.1.0-stable'
  120. 'wolfcrypt/src/random.c:v4.1.0-stable'
  121. 'wolfcrypt/src/rsa.c:v4.1.0-stable'
  122. 'wolfcrypt/src/sha.c:v4.1.0-stable'
  123. 'wolfcrypt/src/sha256.c:v4.1.0-stable'
  124. 'wolfcrypt/src/sha512.c:v4.1.0-stable'
  125. 'wolfssl/wolfcrypt/aes.h:v4.1.0-stable'
  126. 'wolfssl/wolfcrypt/dh.h:v4.1.0-stable'
  127. 'wolfssl/wolfcrypt/dsa.h:v4.1.0-stable'
  128. 'wolfssl/wolfcrypt/ecc.h:v4.1.0-stable'
  129. 'wolfssl/wolfcrypt/hmac.h:v4.1.0-stable'
  130. 'wolfssl/wolfcrypt/random.h:v4.1.0-stable'
  131. 'wolfssl/wolfcrypt/rsa.h:v4.1.0-stable'
  132. 'wolfssl/wolfcrypt/sha.h:v4.1.0-stable'
  133. 'wolfssl/wolfcrypt/sha256.h:v4.1.0-stable'
  134. 'wolfssl/wolfcrypt/sha512.h:v4.1.0-stable'
  135. )
  136. ;;
  137. linuxv5)
  138. FIPS_OPTION='v5'
  139. FIPS_FILES=(
  140. 'wolfcrypt/src/fips.c:WCv5.2.0.1-RC01'
  141. 'wolfcrypt/src/fips_test.c:WCv5.0-RC12'
  142. 'wolfcrypt/src/wolfcrypt_first.c:WCv5.0-RC12'
  143. 'wolfcrypt/src/wolfcrypt_last.c:WCv5.0-RC12'
  144. 'wolfssl/wolfcrypt/fips.h:WCv5.0-RC12'
  145. )
  146. WOLFCRYPT_FILES=(
  147. 'wolfcrypt/src/aes.c:WCv5.0-RC12'
  148. 'wolfcrypt/src/aes_asm.asm:WCv5.0-RC12'
  149. 'wolfcrypt/src/aes_asm.S:WCv5.0-RC12'
  150. 'wolfcrypt/src/aes_gcm_asm.S:WCv5.0-RC12'
  151. 'wolfcrypt/src/cmac.c:WCv5.0-RC12'
  152. 'wolfcrypt/src/dh.c:WCv5.0-RC12'
  153. 'wolfcrypt/src/ecc.c:WCv5.0-RC12'
  154. 'wolfcrypt/src/hmac.c:WCv5.0-RC12'
  155. 'wolfcrypt/src/kdf.c:WCv5.0-RC12'
  156. 'wolfcrypt/src/random.c:WCv5.0-RC12'
  157. 'wolfcrypt/src/rsa.c:WCv5.0-RC12'
  158. 'wolfcrypt/src/sha.c:WCv5.0-RC12'
  159. 'wolfcrypt/src/sha256.c:WCv5.0-RC12'
  160. 'wolfcrypt/src/sha256_asm.S:WCv5.0-RC12'
  161. 'wolfcrypt/src/sha3.c:WCv5.0-RC12'
  162. 'wolfcrypt/src/sha512.c:WCv5.0-RC12'
  163. 'wolfcrypt/src/sha512_asm.S:WCv5.0-RC12'
  164. 'wolfssl/wolfcrypt/aes.h:WCv5.0-RC12'
  165. 'wolfssl/wolfcrypt/cmac.h:WCv5.0-RC12'
  166. 'wolfssl/wolfcrypt/dh.h:WCv5.0-RC12'
  167. 'wolfssl/wolfcrypt/ecc.h:WCv5.0-RC12'
  168. 'wolfssl/wolfcrypt/fips_test.h:WCv5.0-RC12'
  169. 'wolfssl/wolfcrypt/hmac.h:WCv5.0-RC12'
  170. 'wolfssl/wolfcrypt/kdf.h:WCv5.0-RC12'
  171. 'wolfssl/wolfcrypt/random.h:WCv5.0-RC12'
  172. 'wolfssl/wolfcrypt/rsa.h:WCv5.0-RC12'
  173. 'wolfssl/wolfcrypt/sha.h:WCv5.0-RC12'
  174. 'wolfssl/wolfcrypt/sha256.h:WCv5.0-RC12'
  175. 'wolfssl/wolfcrypt/sha3.h:WCv5.0-RC12'
  176. 'wolfssl/wolfcrypt/sha512.h:WCv5.0-RC12'
  177. )
  178. ;;
  179. linuxv5.2.1)
  180. FIPS_OPTION='v5'
  181. FIPS_FILES=(
  182. 'wolfcrypt/src/fips.c:v5.2.1-stable'
  183. 'wolfcrypt/src/fips_test.c:v5.2.1-stable'
  184. 'wolfcrypt/src/wolfcrypt_first.c:v5.2.1-stable'
  185. 'wolfcrypt/src/wolfcrypt_last.c:v5.2.1-stable'
  186. 'wolfssl/wolfcrypt/fips.h:v5.2.1-stable'
  187. )
  188. WOLFCRYPT_FILES=(
  189. 'wolfcrypt/src/aes.c:v5.2.1-stable'
  190. 'wolfcrypt/src/aes_asm.asm:v5.2.1-stable'
  191. 'wolfcrypt/src/aes_asm.S:v5.2.1-stable'
  192. 'wolfcrypt/src/aes_gcm_asm.S:v5.2.1-stable'
  193. 'wolfcrypt/src/cmac.c:v5.2.1-stable'
  194. 'wolfcrypt/src/dh.c:v5.2.1-stable'
  195. 'wolfcrypt/src/ecc.c:v5.2.1-stable'
  196. 'wolfcrypt/src/hmac.c:v5.2.1-stable'
  197. 'wolfcrypt/src/kdf.c:v5.2.1-stable'
  198. 'wolfcrypt/src/random.c:v5.2.1-stable'
  199. 'wolfcrypt/src/rsa.c:v5.2.1-stable'
  200. 'wolfcrypt/src/sha.c:v5.2.1-stable'
  201. 'wolfcrypt/src/sha256.c:v5.2.1-stable'
  202. 'wolfcrypt/src/sha256_asm.S:v5.2.1-stable'
  203. 'wolfcrypt/src/sha3.c:v5.2.1-stable'
  204. 'wolfcrypt/src/sha512.c:v5.2.1-stable'
  205. 'wolfcrypt/src/sha512_asm.S:v5.2.1-stable'
  206. 'wolfssl/wolfcrypt/aes.h:v5.2.1-stable'
  207. 'wolfssl/wolfcrypt/cmac.h:v5.2.1-stable'
  208. 'wolfssl/wolfcrypt/dh.h:v5.2.1-stable'
  209. 'wolfssl/wolfcrypt/ecc.h:v5.2.1-stable'
  210. 'wolfssl/wolfcrypt/fips_test.h:v5.2.1-stable'
  211. 'wolfssl/wolfcrypt/hmac.h:v5.2.1-stable'
  212. 'wolfssl/wolfcrypt/kdf.h:v5.2.1-stable'
  213. 'wolfssl/wolfcrypt/random.h:v5.2.1-stable'
  214. 'wolfssl/wolfcrypt/rsa.h:v5.2.1-stable'
  215. 'wolfssl/wolfcrypt/sha.h:v5.2.1-stable'
  216. 'wolfssl/wolfcrypt/sha256.h:v5.2.1-stable'
  217. 'wolfssl/wolfcrypt/sha3.h:v5.2.1-stable'
  218. 'wolfssl/wolfcrypt/sha512.h:v5.2.1-stable'
  219. )
  220. ;;
  221. fips-ready|fips-dev)
  222. FIPS_OPTION='ready'
  223. FIPS_FILES=(
  224. 'wolfcrypt/src/fips.c:master'
  225. 'wolfcrypt/src/fips_test.c:master'
  226. 'wolfcrypt/src/wolfcrypt_first.c:master'
  227. 'wolfcrypt/src/wolfcrypt_last.c:master'
  228. 'wolfssl/wolfcrypt/fips.h:master'
  229. )
  230. WOLFCRYPT_FILES=()
  231. if [ "$FLAVOR" = 'fips-dev' ]; then FIPS_OPTION='dev'; fi
  232. ;;
  233. wolfrand)
  234. FIPS_OPTION='rand'
  235. FIPS_FILES=(
  236. 'wolfcrypt/src/fips.c:WRv4-stable'
  237. 'wolfcrypt/src/fips_test.c:WRv4-stable'
  238. 'wolfcrypt/src/wolfcrypt_first.c:WRv4-stable'
  239. 'wolfcrypt/src/wolfcrypt_last.c:WRv4-stable'
  240. 'wolfssl/wolfcrypt/fips.h:WRv4-stable'
  241. )
  242. WOLFCRYPT_FILES=(
  243. 'wolfcrypt/src/hmac.c:WCv4-stable'
  244. 'wolfcrypt/src/random.c:WCv4-rng-stable'
  245. 'wolfcrypt/src/sha256.c:WCv4-stable'
  246. 'wolfssl/wolfcrypt/hmac.h:WCv4-stable'
  247. 'wolfssl/wolfcrypt/random.h:WCv4-rng-stable'
  248. 'wolfssl/wolfcrypt/sha256.h:WCv4-stable'
  249. )
  250. ;;
  251. *)
  252. Usage
  253. exit 1
  254. esac
  255. # checkout_files takes an array of pairs of file paths and git tags to
  256. # checkout. It will check to see if mytag exists and if not will make that
  257. # tag a branch.
  258. function checkout_files() {
  259. local name
  260. local tag
  261. for file_entry in "$@"; do
  262. name=${file_entry%%:*}
  263. tag=${file_entry#*:}
  264. if ! $GIT rev-parse -q --verify "my$tag" >/dev/null
  265. then
  266. $GIT branch --no-track "my$tag" "$tag" || exit $?
  267. fi
  268. $GIT checkout "my$tag" -- "$name" || exit $?
  269. done
  270. }
  271. # copy_fips_files takes an array of pairs of file paths and git tags to
  272. # checkout. It will check to see if mytag exists and if now will make that
  273. # tag a branch. It breaks the filepath apart into file name and path, then
  274. # copies it from the file from the fips directory to the path.
  275. function copy_fips_files() {
  276. local name
  277. local bname
  278. local dname
  279. local tag
  280. for file_entry in "$@"; do
  281. name=${file_entry%%:*}
  282. tag=${file_entry#*:}
  283. bname=$(basename "$name")
  284. dname=$(dirname "$name")
  285. if ! $GIT rev-parse -q --verify "my$tag" >/dev/null; then
  286. $GIT branch --no-track "my$tag" "$tag" || exit $?
  287. fi
  288. $GIT checkout "my$tag" -- "$bname" || exit $?
  289. cp "$bname" "../$dname"
  290. done
  291. }
  292. if ! $GIT clone . "$TEST_DIR"; then
  293. echo "fips-check: Couldn't duplicate current working directory."
  294. exit 1
  295. fi
  296. pushd "$TEST_DIR" || exit 2
  297. if ! $GIT clone "$FIPS_REPO" fips; then
  298. echo "fips-check: Couldn't check out FIPS repository."
  299. exit 1
  300. fi
  301. checkout_files "${WOLFCRYPT_FILES[@]}" || exit 3
  302. pushd fips || exit 2
  303. copy_fips_files "${FIPS_FILES[@]}" || exit 3
  304. popd || exit 2
  305. # When checking out cert 3389 ready code, NIST will no longer perform
  306. # new certifications on 140-2 modules. If we were to use the latest files from
  307. # master that would require re-cert due to changes in the module boundary.
  308. # Since OE additions can still be processed for cert3389 we will call 140-2
  309. # ready "fipsv2-OE-ready" indicating it is ready to use for an OE addition but
  310. # would not be good for a new certification effort with the latest files.
  311. if [ "$FLAVOR" = 'fipsv2-OE-ready' ] && [ -s wolfcrypt/src/fips.c ]; then
  312. cp wolfcrypt/src/fips.c wolfcrypt/src/fips.c.bak
  313. sed "s/v4.0.0-alpha/fipsv2-OE-ready/" wolfcrypt/src/fips.c.bak >wolfcrypt/src/fips.c
  314. fi
  315. # run the make test
  316. ./autogen.sh
  317. case "$FIPS_OPTION" in
  318. cavp-selftest)
  319. ./configure --enable-selftest
  320. ;;
  321. cavp-selftest-v2)
  322. ./configure --enable-selftest=v2
  323. ;;
  324. *)
  325. ./configure --enable-fips=$FIPS_OPTION
  326. ;;
  327. esac
  328. if ! $MAKE; then
  329. echo 'fips-check: Make failed. Debris left for analysis.'
  330. exit 3
  331. fi
  332. if [ -s wolfcrypt/src/fips_test.c ]; then
  333. NEWHASH=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
  334. if [ -n "$NEWHASH" ]; then
  335. cp wolfcrypt/src/fips_test.c wolfcrypt/src/fips_test.c.bak
  336. sed "s/^\".*\";/\"${NEWHASH}\";/" wolfcrypt/src/fips_test.c.bak >wolfcrypt/src/fips_test.c
  337. make clean
  338. fi
  339. fi
  340. if [ "$MAKECHECK" = "yes" ]; then
  341. if ! $MAKE check; then
  342. echo 'fips-check: Test failed. Debris left for analysis.'
  343. exit 3
  344. fi
  345. fi
  346. # Clean up
  347. popd || exit 2
  348. if [ "$KEEP" = 'no' ]; then
  349. rm -rf "$TEST_DIR"
  350. fi