1
0

fips-check.sh 18 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505
  1. #!/usr/bin/env bash
  2. # fips-check.sh
  3. # This script checks the current revision of the code against the
  4. # previous release of the FIPS code. While wolfSSL and wolfCrypt
  5. # may be advancing, they must work correctly with the last tested
  6. # copy of our FIPS approved code.
  7. #
  8. # This should check out all the approved flavors. The command line
  9. # option selects the flavor. The keep option keeps the output
  10. # directory.
  11. # These variables may be overridden on the command line.
  12. MAKE="${MAKE:-make}"
  13. GIT="${GIT:-git -c advice.detachedHead=false}"
  14. TEST_DIR="${TEST_DIR:-XXX-fips-test}"
  15. FLAVOR="${FLAVOR:-linux}"
  16. KEEP="${KEEP:-no}"
  17. MAKECHECK=${MAKECHECK:-yes}
  18. DOCONFIGURE=${DOCONFIGURE:-yes}
  19. FIPS_REPO="${FIPS_REPO:-git@github.com:wolfssl/fips.git}"
  20. Usage() {
  21. cat <<usageText
  22. Usage: $0 [flavor] [keep]
  23. Flavor is one of:
  24. linuxv2 (FIPSv2, use for Win10)
  25. fipsv2-OE-ready (ready FIPSv2)
  26. solaris
  27. netbsd-selftest
  28. marvell-linux-selftest
  29. linuxv5 (current FIPS 140-3)
  30. fips-ready (ready FIPS 140-3)
  31. fips-dev (dev FIPS 140-3)
  32. wolfrand
  33. wolfentropy
  34. v6.0.0
  35. Keep (default off) retains the temp dir $TEST_DIR for inspection.
  36. Example:
  37. $0 windows keep
  38. usageText
  39. }
  40. while [ "$1" ]; do
  41. if [ "$1" = 'keep' ]; then KEEP='yes';
  42. elif [ "$1" = 'nomakecheck' ]; then MAKECHECK='no';
  43. elif [ "$1" = 'nodoconfigure' ]; then DOCONFIGURE='no';
  44. else FLAVOR="$1"; fi
  45. shift
  46. done
  47. case "$FLAVOR" in
  48. linuxv2|fipsv2-OE-ready|solaris)
  49. FIPS_OPTION='v2'
  50. FIPS_FILES=(
  51. 'wolfcrypt/src/fips.c:WCv4-stable'
  52. 'wolfcrypt/src/fips_test.c:WCv4-stable'
  53. 'wolfcrypt/src/wolfcrypt_first.c:WCv4-stable'
  54. 'wolfcrypt/src/wolfcrypt_last.c:WCv4-stable'
  55. 'wolfssl/wolfcrypt/fips.h:WCv4-stable'
  56. )
  57. WOLFCRYPT_FILES=(
  58. 'wolfcrypt/src/aes.c:WCv4-stable'
  59. 'wolfcrypt/src/aes_asm.asm:WCv4-stable'
  60. 'wolfcrypt/src/aes_asm.S:WCv4-stable'
  61. 'wolfcrypt/src/cmac.c:WCv4-stable'
  62. 'wolfcrypt/src/des3.c:WCv4-stable'
  63. 'wolfcrypt/src/dh.c:WCv4-stable'
  64. 'wolfcrypt/src/ecc.c:WCv4-stable'
  65. 'wolfcrypt/src/hmac.c:WCv4-stable'
  66. 'wolfcrypt/src/random.c:WCv4-rng-stable'
  67. 'wolfcrypt/src/rsa.c:WCv4-stable'
  68. 'wolfcrypt/src/sha.c:WCv4-stable'
  69. 'wolfcrypt/src/sha256.c:WCv4-stable'
  70. 'wolfcrypt/src/sha3.c:WCv4-stable'
  71. 'wolfcrypt/src/sha512.c:WCv4-stable'
  72. 'wolfssl/wolfcrypt/aes.h:WCv4-stable'
  73. 'wolfssl/wolfcrypt/cmac.h:WCv4-stable'
  74. 'wolfssl/wolfcrypt/des3.h:WCv4-stable'
  75. 'wolfssl/wolfcrypt/dh.h:WCv4-stable'
  76. 'wolfssl/wolfcrypt/ecc.h:WCv4-stable'
  77. 'wolfssl/wolfcrypt/hmac.h:WCv4-stable'
  78. 'wolfssl/wolfcrypt/random.h:WCv4-rng-stable'
  79. 'wolfssl/wolfcrypt/rsa.h:WCv4-stable'
  80. 'wolfssl/wolfcrypt/sha.h:WCv4-stable'
  81. 'wolfssl/wolfcrypt/sha256.h:WCv4-stable'
  82. 'wolfssl/wolfcrypt/sha3.h:WCv4-stable'
  83. 'wolfssl/wolfcrypt/sha512.h:WCv4-stable'
  84. )
  85. if [ "$FLAVOR" = 'solaris' ]; then MAKE='gmake'; fi
  86. ;;
  87. netbsd-selftest)
  88. # non-FIPS, CAVP only but pull in selftest
  89. FIPS_OPTION='cavp-selftest'
  90. FIPS_FILES=('wolfcrypt/src/selftest.c:v3.14.2b')
  91. WOLFCRYPT_FILES=(
  92. 'wolfcrypt/src/aes.c:v3.14.2'
  93. 'wolfcrypt/src/dh.c:v3.14.2'
  94. 'wolfcrypt/src/dsa.c:v3.14.2'
  95. 'wolfcrypt/src/ecc.c:v3.14.2'
  96. 'wolfcrypt/src/hmac.c:v3.14.2'
  97. 'wolfcrypt/src/random.c:v3.14.2'
  98. 'wolfcrypt/src/rsa.c:v3.14.2'
  99. 'wolfcrypt/src/sha.c:v3.14.2'
  100. 'wolfcrypt/src/sha256.c:v3.14.2'
  101. 'wolfcrypt/src/sha512.c:v3.14.2'
  102. 'wolfssl/wolfcrypt/aes.h:v3.14.2'
  103. 'wolfssl/wolfcrypt/dh.h:v3.14.2'
  104. 'wolfssl/wolfcrypt/dsa.h:v3.14.2'
  105. 'wolfssl/wolfcrypt/ecc.h:v3.14.2'
  106. 'wolfssl/wolfcrypt/hmac.h:v3.14.2'
  107. 'wolfssl/wolfcrypt/random.h:v3.14.2'
  108. 'wolfssl/wolfcrypt/rsa.h:v3.14.2'
  109. 'wolfssl/wolfcrypt/sha.h:v3.14.2'
  110. 'wolfssl/wolfcrypt/sha256.h:v3.14.2'
  111. 'wolfssl/wolfcrypt/sha512.h:v3.14.2'
  112. )
  113. ;;
  114. marvell-linux-selftest)
  115. # non-FIPS, CAVP only but pull in selftest
  116. FIPS_OPTION='cavp-selftest-v2'
  117. FIPS_FILES=('wolfcrypt/src/selftest.c:v3.14.2b')
  118. WOLFCRYPT_FILES=(
  119. 'wolfcrypt/src/aes.c:v4.1.0-stable'
  120. 'wolfcrypt/src/dh.c:v4.1.0-stable'
  121. 'wolfcrypt/src/dsa.c:v4.1.0-stable'
  122. 'wolfcrypt/src/ecc.c:v4.1.0-stable'
  123. 'wolfcrypt/src/hmac.c:v4.1.0-stable'
  124. 'wolfcrypt/src/random.c:v4.1.0-stable'
  125. 'wolfcrypt/src/rsa.c:v4.1.0-stable'
  126. 'wolfcrypt/src/sha.c:v4.1.0-stable'
  127. 'wolfcrypt/src/sha256.c:v4.1.0-stable'
  128. 'wolfcrypt/src/sha512.c:v4.1.0-stable'
  129. 'wolfssl/wolfcrypt/aes.h:v4.1.0-stable'
  130. 'wolfssl/wolfcrypt/dh.h:v4.1.0-stable'
  131. 'wolfssl/wolfcrypt/dsa.h:v4.1.0-stable'
  132. 'wolfssl/wolfcrypt/ecc.h:v4.1.0-stable'
  133. 'wolfssl/wolfcrypt/hmac.h:v4.1.0-stable'
  134. 'wolfssl/wolfcrypt/random.h:v4.1.0-stable'
  135. 'wolfssl/wolfcrypt/rsa.h:v4.1.0-stable'
  136. 'wolfssl/wolfcrypt/sha.h:v4.1.0-stable'
  137. 'wolfssl/wolfcrypt/sha256.h:v4.1.0-stable'
  138. 'wolfssl/wolfcrypt/sha512.h:v4.1.0-stable'
  139. )
  140. ;;
  141. linuxv5)
  142. FIPS_OPTION='v5'
  143. FIPS_FILES=(
  144. 'wolfcrypt/src/fips.c:WCv5.2.0.1-RC01'
  145. 'wolfcrypt/src/fips_test.c:WCv5.0-RC12'
  146. 'wolfcrypt/src/wolfcrypt_first.c:WCv5.0-RC12'
  147. 'wolfcrypt/src/wolfcrypt_last.c:WCv5.0-RC12'
  148. 'wolfssl/wolfcrypt/fips.h:WCv5.0-RC12'
  149. )
  150. WOLFCRYPT_FILES=(
  151. 'wolfcrypt/src/aes.c:WCv5.0-RC12'
  152. 'wolfcrypt/src/aes_asm.asm:WCv5.0-RC12'
  153. 'wolfcrypt/src/aes_asm.S:WCv5.0-RC12'
  154. 'wolfcrypt/src/aes_gcm_asm.S:WCv5.0-RC12'
  155. 'wolfcrypt/src/cmac.c:WCv5.0-RC12'
  156. 'wolfcrypt/src/dh.c:WCv5.0-RC12'
  157. 'wolfcrypt/src/ecc.c:WCv5.0-RC12'
  158. 'wolfcrypt/src/hmac.c:WCv5.0-RC12'
  159. 'wolfcrypt/src/kdf.c:WCv5.0-RC12'
  160. 'wolfcrypt/src/random.c:WCv5.0-RC12'
  161. 'wolfcrypt/src/rsa.c:WCv5.0-RC12'
  162. 'wolfcrypt/src/sha.c:WCv5.0-RC12'
  163. 'wolfcrypt/src/sha256.c:WCv5.0-RC12'
  164. 'wolfcrypt/src/sha256_asm.S:WCv5.0-RC12'
  165. 'wolfcrypt/src/sha3.c:WCv5.0-RC12'
  166. 'wolfcrypt/src/sha512.c:WCv5.0-RC12'
  167. 'wolfcrypt/src/sha512_asm.S:WCv5.0-RC12'
  168. 'wolfssl/wolfcrypt/aes.h:WCv5.0-RC12'
  169. 'wolfssl/wolfcrypt/cmac.h:WCv5.0-RC12'
  170. 'wolfssl/wolfcrypt/dh.h:WCv5.0-RC12'
  171. 'wolfssl/wolfcrypt/ecc.h:WCv5.0-RC12'
  172. 'wolfssl/wolfcrypt/fips_test.h:WCv5.0-RC12'
  173. 'wolfssl/wolfcrypt/hmac.h:WCv5.0-RC12'
  174. 'wolfssl/wolfcrypt/kdf.h:WCv5.0-RC12'
  175. 'wolfssl/wolfcrypt/random.h:WCv5.0-RC12'
  176. 'wolfssl/wolfcrypt/rsa.h:WCv5.0-RC12'
  177. 'wolfssl/wolfcrypt/sha.h:WCv5.0-RC12'
  178. 'wolfssl/wolfcrypt/sha256.h:WCv5.0-RC12'
  179. 'wolfssl/wolfcrypt/sha3.h:WCv5.0-RC12'
  180. 'wolfssl/wolfcrypt/sha512.h:WCv5.0-RC12'
  181. )
  182. ;;
  183. linuxv5.2.1)
  184. FIPS_OPTION='v5'
  185. FIPS_FILES=(
  186. 'wolfcrypt/src/fips.c:v5.2.1-stable'
  187. 'wolfcrypt/src/fips_test.c:v5.2.1-stable'
  188. 'wolfcrypt/src/wolfcrypt_first.c:v5.2.1-stable'
  189. 'wolfcrypt/src/wolfcrypt_last.c:v5.2.1-stable'
  190. 'wolfssl/wolfcrypt/fips.h:v5.2.1-stable-OS_Seed-HdrOnly'
  191. )
  192. WOLFCRYPT_FILES=(
  193. 'wolfcrypt/src/aes.c:v5.2.1-stable'
  194. 'wolfcrypt/src/aes_asm.asm:v5.2.1-stable'
  195. 'wolfcrypt/src/aes_asm.S:v5.2.1-stable'
  196. 'wolfcrypt/src/aes_gcm_asm.S:v5.2.1-stable'
  197. 'wolfcrypt/src/cmac.c:v5.2.1-stable'
  198. 'wolfcrypt/src/dh.c:v5.2.1-stable'
  199. 'wolfcrypt/src/ecc.c:v5.2.1-stable'
  200. 'wolfcrypt/src/hmac.c:v5.2.1-stable'
  201. 'wolfcrypt/src/kdf.c:v5.2.1-stable'
  202. 'wolfcrypt/src/random.c:v5.2.1-stable'
  203. 'wolfcrypt/src/rsa.c:v5.2.1-stable'
  204. 'wolfcrypt/src/sha.c:v5.2.1-stable'
  205. 'wolfcrypt/src/sha256.c:v5.2.1-stable'
  206. 'wolfcrypt/src/sha256_asm.S:v5.2.1-stable'
  207. 'wolfcrypt/src/sha3.c:v5.2.1-stable'
  208. 'wolfcrypt/src/sha512.c:v5.2.1-stable'
  209. 'wolfcrypt/src/sha512_asm.S:v5.2.1-stable'
  210. 'wolfssl/wolfcrypt/aes.h:v5.2.1-stable'
  211. 'wolfssl/wolfcrypt/cmac.h:v5.2.1-stable'
  212. 'wolfssl/wolfcrypt/dh.h:v5.2.1-stable'
  213. 'wolfssl/wolfcrypt/ecc.h:v5.2.1-stable'
  214. 'wolfssl/wolfcrypt/fips_test.h:v5.2.1-stable'
  215. 'wolfssl/wolfcrypt/hmac.h:v5.2.1-stable'
  216. 'wolfssl/wolfcrypt/kdf.h:v5.2.1-stable'
  217. 'wolfssl/wolfcrypt/random.h:v5.2.1-stable-OS_Seed-HdrOnly'
  218. 'wolfssl/wolfcrypt/rsa.h:v5.2.1-stable'
  219. 'wolfssl/wolfcrypt/sha.h:v5.2.1-stable'
  220. 'wolfssl/wolfcrypt/sha256.h:v5.2.1-stable'
  221. 'wolfssl/wolfcrypt/sha3.h:v5.2.1-stable'
  222. 'wolfssl/wolfcrypt/sha512.h:v5.2.1-stable'
  223. )
  224. ;;
  225. v6.0.0)
  226. WOLF_REPO_TAG='WCv6.0.0-RC1'
  227. FIPS_REPO_TAG='WCv6.0.0-RC1'
  228. ASM_PICKUPS_TAG='WCv6.0.0-RC2'
  229. FIPS_OPTION='v6'
  230. FIPS_FILES=(
  231. "wolfcrypt/src/fips.c:${FIPS_REPO_TAG}"
  232. "wolfcrypt/src/fips_test.c:${FIPS_REPO_TAG}"
  233. "wolfcrypt/src/wolfcrypt_first.c:${FIPS_REPO_TAG}"
  234. "wolfcrypt/src/wolfcrypt_last.c:${FIPS_REPO_TAG}"
  235. "wolfssl/wolfcrypt/fips.h:${FIPS_REPO_TAG}"
  236. )
  237. WOLFCRYPT_FILES=(
  238. "wolfcrypt/src/aes_asm.asm:${WOLF_REPO_TAG}"
  239. "wolfcrypt/src/aes_asm.S:${WOLF_REPO_TAG}"
  240. "wolfcrypt/src/aes_gcm_asm.S:${WOLF_REPO_TAG}"
  241. "wolfcrypt/src/aes_gcm_x86_asm.S:${WOLF_REPO_TAG}"
  242. "wolfcrypt/src/aes_xts_asm.S:${WOLF_REPO_TAG}"
  243. "wolfcrypt/src/aes.c:${WOLF_REPO_TAG}"
  244. "wolfcrypt/src/port/arm/armv8-32-aes-asm_c.c:${ASM_PICKUPS_TAG}"
  245. "wolfcrypt/src/port/arm/armv8-32-aes-asm.S:${WOLF_REPO_TAG}"
  246. "wolfcrypt/src/port/arm/armv8-32-curve25519_c.c:${ASM_PICKUPS_TAG}"
  247. "wolfcrypt/src/port/arm/armv8-32-curve25519.S:${WOLF_REPO_TAG}"
  248. "wolfcrypt/src/port/arm/armv8-32-sha256-asm_c.c:${ASM_PICKUPS_TAG}"
  249. "wolfcrypt/src/port/arm/armv8-32-sha256-asm.S:${WOLF_REPO_TAG}"
  250. "wolfcrypt/src/port/arm/armv8-32-sha512-asm_c.c:${ASM_PICKUPS_TAG}"
  251. "wolfcrypt/src/port/arm/armv8-32-sha512-asm.S:${WOLF_REPO_TAG}"
  252. "wolfcrypt/src/port/arm/armv8-aes.c:${ASM_PICKUPS_TAG}"
  253. "wolfcrypt/src/port/arm/armv8-curve25519_c.c:${ASM_PICKUPS_TAG}"
  254. "wolfcrypt/src/port/arm/armv8-curve25519.S:${WOLF_REPO_TAG}"
  255. "wolfcrypt/src/port/arm/armv8-sha256.c:${WOLF_REPO_TAG}"
  256. "wolfcrypt/src/port/arm/armv8-sha3-asm_c.c:${ASM_PICKUPS_TAG}"
  257. "wolfcrypt/src/port/arm/armv8-sha3-asm.S:${ASM_PICKUPS_TAG}"
  258. "wolfcrypt/src/port/arm/armv8-sha512-asm_c.c:${ASM_PICKUPS_TAG}"
  259. "wolfcrypt/src/port/arm/armv8-sha512-asm.S:${WOLF_REPO_TAG}"
  260. "wolfcrypt/src/port/arm/armv8-sha512.c:${WOLF_REPO_TAG}"
  261. "wolfcrypt/src/cmac.c:${WOLF_REPO_TAG}"
  262. "wolfcrypt/src/curve25519.c:${WOLF_REPO_TAG}"
  263. "wolfcrypt/src/curve448.c:${WOLF_REPO_TAG}"
  264. "wolfcrypt/src/dh.c:${WOLF_REPO_TAG}"
  265. "wolfcrypt/src/ecc.c:${WOLF_REPO_TAG}"
  266. "wolfcrypt/src/ed25519.c:${WOLF_REPO_TAG}"
  267. "wolfcrypt/src/ed448.c:${WOLF_REPO_TAG}"
  268. "wolfcrypt/src/hmac.c:${WOLF_REPO_TAG}"
  269. "wolfcrypt/src/kdf.c:${WOLF_REPO_TAG}"
  270. "wolfcrypt/src/pwdbased.c:${WOLF_REPO_TAG}"
  271. "wolfcrypt/src/random.c:${WOLF_REPO_TAG}"
  272. "wolfcrypt/src/rsa.c:${WOLF_REPO_TAG}"
  273. "wolfcrypt/src/sha.c:${WOLF_REPO_TAG}"
  274. "wolfcrypt/src/sha256_asm.S:${WOLF_REPO_TAG}"
  275. "wolfcrypt/src/sha256.c:${WOLF_REPO_TAG}"
  276. "wolfcrypt/src/sha3.c:${WOLF_REPO_TAG}"
  277. "wolfcrypt/src/sha3_asm.S:${WOLF_REPO_TAG}"
  278. "wolfcrypt/src/sha512_asm.S:${WOLF_REPO_TAG}"
  279. "wolfcrypt/src/sha512.c:${WOLF_REPO_TAG}"
  280. "wolfcrypt/src/sp_arm32.c:${ASM_PICKUPS_TAG}"
  281. "wolfcrypt/src/sp_arm64.c:${ASM_PICKUPS_TAG}"
  282. "wolfcrypt/src/sp_armthumb.c:${ASM_PICKUPS_TAG}"
  283. "wolfcrypt/src/sp_c32.c:${ASM_PICKUPS_TAG}"
  284. "wolfcrypt/src/sp_c64.c:${ASM_PICKUPS_TAG}"
  285. "wolfcrypt/src/sp_cortexm.c:${ASM_PICKUPS_TAG}"
  286. "wolfcrypt/src/sp_x86_64_asm.asm:${WOLF_REPO_TAG}"
  287. "wolfcrypt/src/sp_x86_64_asm.S:${WOLF_REPO_TAG}"
  288. "wolfcrypt/src/sp_x86_64.c:${ASM_PICKUPS_TAG}"
  289. "wolfcrypt/src/port/arm/thumb2-aes-asm_c.c:${WOLF_REPO_TAG}"
  290. "wolfcrypt/src/port/arm/thumb2-aes-asm.S:${WOLF_REPO_TAG}"
  291. "wolfcrypt/src/port/arm/thumb2-curve25519_c.c:${WOLF_REPO_TAG}"
  292. "wolfcrypt/src/port/arm/thumb2-curve25519.S:${WOLF_REPO_TAG}"
  293. "wolfcrypt/src/port/arm/thumb2-sha256-asm_c.c:${WOLF_REPO_TAG}"
  294. "wolfcrypt/src/port/arm/thumb2-sha256-asm.S:${WOLF_REPO_TAG}"
  295. "wolfcrypt/src/port/arm/thumb2-sha512-asm_c.c:${WOLF_REPO_TAG}"
  296. "wolfcrypt/src/port/arm/thumb2-sha512-asm.S:${WOLF_REPO_TAG}"
  297. "wolfssl/wolfcrypt/aes.h:${WOLF_REPO_TAG}"
  298. "wolfssl/wolfcrypt/cmac.h:${WOLF_REPO_TAG}"
  299. "wolfssl/wolfcrypt/curve25519.h:${WOLF_REPO_TAG}"
  300. "wolfssl/wolfcrypt/curve448.h:${WOLF_REPO_TAG}"
  301. "wolfssl/wolfcrypt/dh.h:${WOLF_REPO_TAG}"
  302. "wolfssl/wolfcrypt/ecc.h:${WOLF_REPO_TAG}"
  303. "wolfssl/wolfcrypt/ed25519.h:${WOLF_REPO_TAG}"
  304. "wolfssl/wolfcrypt/ed448.h:${WOLF_REPO_TAG}"
  305. "wolfssl/wolfcrypt/fips_test.h:${WOLF_REPO_TAG}"
  306. "wolfssl/wolfcrypt/hmac.h:${WOLF_REPO_TAG}"
  307. "wolfssl/wolfcrypt/kdf.h:${WOLF_REPO_TAG}"
  308. "wolfssl/wolfcrypt/pwdbased.h:${WOLF_REPO_TAG}"
  309. "wolfssl/wolfcrypt/random.h:${WOLF_REPO_TAG}"
  310. "wolfssl/wolfcrypt/rsa.h:${WOLF_REPO_TAG}"
  311. "wolfssl/wolfcrypt/sha.h:${WOLF_REPO_TAG}"
  312. "wolfssl/wolfcrypt/sha256.h:${WOLF_REPO_TAG}"
  313. "wolfssl/wolfcrypt/sha3.h:${WOLF_REPO_TAG}"
  314. "wolfssl/wolfcrypt/sha512.h:${WOLF_REPO_TAG}"
  315. )
  316. ;;
  317. fips-ready|fips-dev)
  318. FIPS_OPTION='ready'
  319. FIPS_FILES=(
  320. 'wolfcrypt/src/fips.c:master'
  321. 'wolfcrypt/src/fips_test.c:master'
  322. 'wolfcrypt/src/wolfcrypt_first.c:master'
  323. 'wolfcrypt/src/wolfcrypt_last.c:master'
  324. 'wolfssl/wolfcrypt/fips.h:master'
  325. )
  326. WOLFCRYPT_FILES=()
  327. if [ "$FLAVOR" = 'fips-dev' ]; then FIPS_OPTION='dev'; fi
  328. ;;
  329. wolfrand)
  330. FIPS_OPTION='rand'
  331. FIPS_FILES=(
  332. 'wolfcrypt/src/fips.c:WRv4-stable'
  333. 'wolfcrypt/src/fips_test.c:WRv4-stable'
  334. 'wolfcrypt/src/wolfcrypt_first.c:WRv4-stable'
  335. 'wolfcrypt/src/wolfcrypt_last.c:WRv4-stable'
  336. 'wolfssl/wolfcrypt/fips.h:WRv4-stable'
  337. )
  338. WOLFCRYPT_FILES=(
  339. 'wolfcrypt/src/hmac.c:WCv4-stable'
  340. 'wolfcrypt/src/random.c:WCv4-rng-stable'
  341. 'wolfcrypt/src/sha256.c:WCv4-stable'
  342. 'wolfssl/wolfcrypt/hmac.h:WCv4-stable'
  343. 'wolfssl/wolfcrypt/random.h:WCv4-rng-stable'
  344. 'wolfssl/wolfcrypt/sha256.h:WCv4-stable'
  345. )
  346. ;;
  347. wolfentropy)
  348. FIPS_OPTION='v6'
  349. FIPS_FILES=(
  350. 'wolfcrypt/src/fips.c:wolfEntropy1'
  351. 'wolfcrypt/src/fips_test.c:wolfEntropy1'
  352. 'wolfcrypt/src/wolfcrypt_first.c:wolfEntropy1'
  353. 'wolfcrypt/src/wolfcrypt_last.c:wolfEntropy1'
  354. 'wolfssl/wolfcrypt/fips.h:wolfEntropy1'
  355. )
  356. WOLFCRYPT_FILES=(
  357. 'wolfcrypt/src/aes.c:wolfEntropy1'
  358. 'wolfcrypt/src/aes_asm.asm:wolfEntropy1'
  359. 'wolfcrypt/src/aes_asm.S:wolfEntropy1'
  360. 'wolfcrypt/src/aes_gcm_asm.S:wolfEntropy1'
  361. 'wolfcrypt/src/ecc.c:wolfEntropy1'
  362. 'wolfcrypt/src/hmac.c:wolfEntropy1'
  363. 'wolfcrypt/src/kdf.c:wolfEntropy1'
  364. 'wolfcrypt/src/random.c:wolfEntropy1'
  365. 'wolfcrypt/src/sha256.c:wolfEntropy1'
  366. 'wolfcrypt/src/sha256_asm.S:wolfEntropy1'
  367. 'wolfcrypt/src/sha3.c:wolfEntropy1'
  368. 'wolfcrypt/src/sha512.c:wolfEntropy1'
  369. 'wolfcrypt/src/sha512_asm.S:wolfEntropy1'
  370. 'wolfssl/wolfcrypt/aes.h:wolfEntropy1'
  371. 'wolfssl/wolfcrypt/ecc.h:wolfEntropy1'
  372. 'wolfssl/wolfcrypt/fips_test.h:wolfEntropy1'
  373. 'wolfssl/wolfcrypt/hmac.h:wolfEntropy1'
  374. 'wolfssl/wolfcrypt/kdf.h:wolfEntropy1'
  375. 'wolfssl/wolfcrypt/random.h:wolfEntropy1'
  376. 'wolfssl/wolfcrypt/sha256.h:wolfEntropy1'
  377. 'wolfssl/wolfcrypt/sha3.h:wolfEntropy1'
  378. 'wolfssl/wolfcrypt/sha512.h:wolfEntropy1'
  379. )
  380. ;;
  381. *)
  382. Usage
  383. exit 1
  384. esac
  385. # checkout_files takes an array of pairs of file paths and git tags to
  386. # checkout. It will check to see if mytag exists and if not will make that
  387. # tag a branch.
  388. function checkout_files() {
  389. local name
  390. local tag
  391. for file_entry in "$@"; do
  392. name=${file_entry%%:*}
  393. tag=${file_entry#*:}
  394. if ! $GIT rev-parse -q --verify "my$tag" >/dev/null
  395. then
  396. $GIT branch --no-track "my$tag" "$tag" || exit $?
  397. fi
  398. $GIT checkout "my$tag" -- "$name" || exit $?
  399. done
  400. }
  401. # copy_fips_files takes an array of pairs of file paths and git tags to
  402. # checkout. It will check to see if mytag exists and if now will make that
  403. # tag a branch. It breaks the filepath apart into file name and path, then
  404. # copies it from the file from the fips directory to the path.
  405. function copy_fips_files() {
  406. local name
  407. local bname
  408. local dname
  409. local tag
  410. for file_entry in "$@"; do
  411. name=${file_entry%%:*}
  412. tag=${file_entry#*:}
  413. bname=$(basename "$name")
  414. dname=$(dirname "$name")
  415. if ! $GIT rev-parse -q --verify "my$tag" >/dev/null; then
  416. $GIT branch --no-track "my$tag" "$tag" || exit $?
  417. fi
  418. $GIT checkout "my$tag" -- "$bname" || exit $?
  419. cp "$bname" "../$dname"
  420. done
  421. }
  422. # Check to make sure this is not a shallow repo
  423. $GIT fetch --unshallow 2>/dev/null
  424. if ! $GIT clone . "$TEST_DIR"; then
  425. echo "fips-check: Couldn't duplicate current working directory."
  426. exit 1
  427. fi
  428. pushd "$TEST_DIR" || exit 2
  429. if ! $GIT clone "$FIPS_REPO" fips; then
  430. echo "fips-check: Couldn't check out FIPS repository."
  431. exit 1
  432. fi
  433. checkout_files "${WOLFCRYPT_FILES[@]}" || exit 3
  434. pushd fips || exit 2
  435. copy_fips_files "${FIPS_FILES[@]}" || exit 3
  436. popd || exit 2
  437. # When checking out cert 3389 ready code, NIST will no longer perform
  438. # new certifications on 140-2 modules. If we were to use the latest files from
  439. # master that would require re-cert due to changes in the module boundary.
  440. # Since OE additions can still be processed for cert3389 we will call 140-2
  441. # ready "fipsv2-OE-ready" indicating it is ready to use for an OE addition but
  442. # would not be good for a new certification effort with the latest files.
  443. if [ "$FLAVOR" = 'fipsv2-OE-ready' ] && [ -s wolfcrypt/src/fips.c ]; then
  444. cp wolfcrypt/src/fips.c wolfcrypt/src/fips.c.bak
  445. sed "s/v4.0.0-alpha/fipsv2-OE-ready/" wolfcrypt/src/fips.c.bak >wolfcrypt/src/fips.c
  446. fi
  447. # run the make test
  448. ./autogen.sh
  449. if [ "$DOCONFIGURE" = "yes" ]; then
  450. case "$FIPS_OPTION" in
  451. cavp-selftest)
  452. ./configure --enable-selftest
  453. ;;
  454. cavp-selftest-v2)
  455. ./configure --enable-selftest=v2
  456. ;;
  457. *)
  458. ./configure --enable-fips=$FIPS_OPTION
  459. ;;
  460. esac
  461. if ! $MAKE; then
  462. echo 'fips-check: Make failed. Debris left for analysis.'
  463. exit 3
  464. fi
  465. if [ -s wolfcrypt/src/fips_test.c ]; then
  466. NEWHASH=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
  467. if [ -n "$NEWHASH" ]; then
  468. cp wolfcrypt/src/fips_test.c wolfcrypt/src/fips_test.c.bak
  469. sed "s/^\".*\";/\"${NEWHASH}\";/" wolfcrypt/src/fips_test.c.bak >wolfcrypt/src/fips_test.c
  470. make clean
  471. fi
  472. fi
  473. if [ "$MAKECHECK" = "yes" ]; then
  474. if ! $MAKE check; then
  475. echo 'fips-check: Test failed. Debris left for analysis.'
  476. exit 3
  477. fi
  478. fi
  479. fi
  480. # Clean up
  481. popd || exit 2
  482. if [ "$KEEP" = 'no' ]; then
  483. rm -rf "$TEST_DIR"
  484. fi