123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474 |
- #!/bin/bash
- # fips-check.sh
- # This script checks the current revision of the code against the
- # previous release of the FIPS code. While wolfSSL and wolfCrypt
- # may be advancing, they must work correctly with the last tested
- # copy of our FIPS approved code.
- #
- # This should check out all the approved versions. The command line
- # option selects the version.
- #
- # $ ./fips-check [version] [keep]
- #
- # - version: linux (default), ios, android, windows, freertos, linux-ecc, netbsd-selftest, linuxv2, fips-ready, stm32l4-v2
- #
- # - keep: (default off) XXX-fips-test temp dir around for inspection
- #
- Usage() {
- cat <<usageText
- Usage: $0 [platform [keep]]
- Platform is one of:
- linux (default)
- ios
- android
- windows
- freertos
- openrtos-3.9.2
- linux-ecc
- netbsd-selftest
- marvell-linux-selftest
- sgx
- netos-7.6
- linuxv2 (FIPSv2, use for Win10)
- fips-ready
- stm32l4-v2 (FIPSv2, use for STM32L4)
- wolfrand
- solaris
- linuxv5-RC8 (old FIPS 140-3)
- linuxv5 (current FIPS 140-3)
- linuxv5-ready (ready FIPS 140-3)
- linuxv5-RC10
- Keep (default off) retains the XXX-fips-test temp dir for inspection.
- Example:
- $0 windows keep
- usageText
- }
- MAKE=make
- LINUX_FIPS_VERSION=v3.2.6
- LINUX_FIPS_REPO=git@github.com:wolfSSL/fips.git
- LINUX_CRYPT_VERSION=v3.2.6
- LINUX_CRYPT_REPO=git@github.com:cyassl/cyassl.git
- LINUX_ECC_FIPS_VERSION=v3.10.3
- LINUX_ECC_FIPS_REPO=git@github.com:wolfSSL/fips.git
- LINUX_ECC_CRYPT_VERSION=v3.2.6
- LINUX_ECC_CRYPT_REPO=git@github.com:cyassl/cyassl.git
- IOS_FIPS_VERSION=v3.4.8a
- IOS_FIPS_REPO=git@github.com:wolfSSL/fips.git
- IOS_CRYPT_VERSION=v3.4.8.fips
- IOS_CRYPT_REPO=git@github.com:cyassl/cyassl.git
- ANDROID_FIPS_VERSION=v3.5.0
- ANDROID_FIPS_REPO=git@github.com:wolfSSL/fips.git
- ANDROID_CRYPT_VERSION=v3.5.0
- ANDROID_CRYPT_REPO=git@github.com:cyassl/cyassl.git
- WINDOWS_FIPS_VERSION=v3.6.6
- WINDOWS_FIPS_REPO=git@github.com:wolfSSL/fips.git
- WINDOWS_CRYPT_VERSION=v3.6.6
- WINDOWS_CRYPT_REPO=git@github.com:cyassl/cyassl.git
- FREERTOS_FIPS_VERSION=v3.6.1-FreeRTOS
- FREERTOS_FIPS_REPO=git@github.com:wolfSSL/fips.git
- FREERTOS_CRYPT_VERSION=v3.6.1
- FREERTOS_CRYPT_REPO=git@github.com:cyassl/cyassl.git
- OPENRTOS_3_9_2_FIPS_VERSION=v3.9.2-OpenRTOS
- OPENRTOS_3_9_2_FIPS_REPO=git@github.com:wolfSSL/fips.git
- OPENRTOS_3_9_2_CRYPT_VERSION=v3.6.1
- OPENRTOS_3_9_2_CRYPT_REPO=git@github.com:cyassl/cyassl.git
- #NOTE: Does not include the SGX examples yet, update version once fipsv2 is
- # finished and merge conflicts can be resolved. This will be tagged as
- # v3.12.4.sgx-examples
- #SGX_FIPS_VERSION=v3.12.4.sgx-examples
- SGX_FIPS_VERSION=v3.6.6
- SGX_FIPS_REPO=git@github.com:wolfSSL/fips.git
- SGX_CRYPT_VERSION=v3.12.4
- SGX_CRYPT_REPO=git@github.com:cyassl/cyassl.git
- NETOS_7_6_FIPS_VERSION=v3.12.6
- NETOS_7_6_FIPS_REPO=git@github.com:wolfSSL/fips.git
- NETOS_7_6_CRYPT_VERSION=v3.12.4
- NETOS_7_6_CRYPT_REPO=git@github.com:cyassl/cyassl.git
- # non-FIPS, CAVP only but pull in selftest
- # will reset above variables below in platform switch
- NETBSD_FIPS_VERSION=v3.14.2b
- NETBSD_FIPS_REPO=git@github.com:wolfssl/fips.git
- NETBSD_CRYPT_VERSION=v3.14.2
- NETBSD_CRYPT_REPO=git@github.com:wolfssl/wolfssl.git
- # non-FIPS, CAVP only but pull in selftest
- # will reset above variables below in platform switch
- MARVELL_LINUX_FIPS_VERSION=v3.14.2b
- MARVELL_LINUX_FIPS_REPO=git@github.com:wolfssl/fips.git
- MARVELL_LINUX_CRYPT_VERSION=v4.1.0-stable
- MARVELL_LINUX_CRYPT_REPO=git@github.com:wolfssl/wolfssl.git
- STM32L4_V2_FIPS_VERSION=WCv4.0.1-stable
- STM32L4_V2_FIPS_REPO=git@github.com:wolfSSL/fips.git
- STM32L4_V2_CRYPT_VERSION=WCv4.0.1-stable
- FIPS_SRCS=( fips.c fips_test.c )
- WC_MODS=( aes des3 sha sha256 sha512 rsa hmac random )
- TEST_DIR=XXX-fips-test
- CRYPT_INC_PATH=cyassl/ctaocrypt
- CRYPT_SRC_PATH=ctaocrypt/src
- RNG_VERSION=v3.6.0
- FIPS_OPTION=v1
- CAVP_SELFTEST_ONLY="no"
- GIT="git -c advice.detachedHead=false"
- if [ "x$1" == "x" ]; then PLATFORM="linux"; else PLATFORM=$1; fi
- if [ "x$2" == "xkeep" ]; then KEEP="yes"; else KEEP="no"; fi
- case $PLATFORM in
- ios)
- FIPS_VERSION=$IOS_FIPS_VERSION
- FIPS_REPO=$IOS_FIPS_REPO
- CRYPT_VERSION=$IOS_CRYPT_VERSION
- CRYPT_REPO=$IOS_CRYPT_REPO
- ;;
- android)
- FIPS_VERSION=$ANDROID_FIPS_VERSION
- FIPS_REPO=$ANDROID_FIPS_REPO
- CRYPT_VERSION=$ANDROID_CRYPT_VERSION
- CRYPT_REPO=$ANDROID_CRYPT_REPO
- ;;
- windows)
- FIPS_VERSION=$WINDOWS_FIPS_VERSION
- FIPS_REPO=$WINDOWS_FIPS_REPO
- CRYPT_VERSION=$WINDOWS_CRYPT_VERSION
- CRYPT_REPO=$WINDOWS_CRYPT_REPO
- ;;
- freertos)
- FIPS_VERSION=$FREERTOS_FIPS_VERSION
- FIPS_REPO=$FREERTOS_FIPS_REPO
- CRYPT_VERSION=$FREERTOS_CRYPT_VERSION
- CRYPT_REPO=$FREERTOS_CRYPT_REPO
- ;;
- openrtos-3.9.2)
- FIPS_VERSION=$OPENRTOS_3_9_2_FIPS_VERSION
- FIPS_REPO=$OPENRTOS_3_9_2_FIPS_REPO
- CRYPT_VERSION=$OPENRTOS_3_9_2_CRYPT_VERSION
- CRYPT_REPO=$OPENRTOS_3_9_2_CRYPT_REPO
- FIPS_CONFLICTS=( aes hmac random sha256 )
- ;;
- linux)
- FIPS_VERSION=$LINUX_FIPS_VERSION
- FIPS_REPO=$LINUX_FIPS_REPO
- CRYPT_VERSION=$LINUX_CRYPT_VERSION
- CRYPT_REPO=$LINUX_CRYPT_REPO
- ;;
- linux-ecc)
- FIPS_VERSION=$LINUX_ECC_FIPS_VERSION
- FIPS_REPO=$LINUX_ECC_FIPS_REPO
- CRYPT_VERSION=$LINUX_ECC_CRYPT_VERSION
- CRYPT_REPO=$LINUX_ECC_CRYPT_REPO
- ;;
- linuxv2)
- FIPS_VERSION=WCv4-stable
- FIPS_REPO=git@github.com:wolfssl/fips.git
- CRYPT_VERSION=WCv4-stable
- CRYPT_INC_PATH=wolfssl/wolfcrypt
- CRYPT_SRC_PATH=wolfcrypt/src
- WC_MODS+=( cmac dh ecc sha3 )
- RNG_VERSION=WCv4-rng-stable
- FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c )
- FIPS_INCS=( fips.h )
- FIPS_OPTION=v2
- ;;
- netbsd-selftest)
- FIPS_VERSION=$NETBSD_FIPS_VERSION
- FIPS_REPO=$NETBSD_FIPS_REPO
- CRYPT_VERSION=$NETBSD_CRYPT_VERSION
- CRYPT_REPO=$NETBSD_CRYPT_REPO
- FIPS_SRCS=( selftest.c )
- WC_MODS=( dh ecc rsa dsa aes sha sha256 sha512 hmac random )
- CRYPT_INC_PATH=wolfssl/wolfcrypt
- CRYPT_SRC_PATH=wolfcrypt/src
- CAVP_SELFTEST_ONLY="yes"
- ;;
- marvell-linux-selftest)
- FIPS_VERSION=$MARVELL_LINUX_FIPS_VERSION
- FIPS_REPO=$MARVELL_LINUX_FIPS_REPO
- CRYPT_VERSION=$MARVELL_LINUX_CRYPT_VERSION
- CRYPT_REPO=$MARVELL_LINUX_CRYPT_REPO
- FIPS_SRCS=( selftest.c )
- WC_MODS=( dh ecc rsa dsa aes sha sha256 sha512 hmac random )
- CRYPT_INC_PATH=wolfssl/wolfcrypt
- CRYPT_SRC_PATH=wolfcrypt/src
- CAVP_SELFTEST_ONLY="yes"
- CAVP_SELFTEST_OPTION=v2
- ;;
- sgx)
- FIPS_VERSION=$SGX_FIPS_VERSION
- FIPS_REPO=$SGX_FIPS_REPO
- CRYPT_VERSION=$SGX_CRYPT_VERSION
- CRYPT_REPO=$SGX_CRYPT_REPO
- ;;
- netos-7.6)
- FIPS_VERSION=$NETOS_7_6_FIPS_VERSION
- FIPS_REPO=$NETOS_7_6_FIPS_REPO
- CRYPT_VERSION=$NETOS_7_6_CRYPT_VERSION
- CRYPT_REPO=$NETOS_7_6_CRYPT_REPO
- ;;
- fips-v3-ready)
- FIPS_REPO="git@github.com:wolfssl/fips.git"
- FIPS_VERSION="v4.1.1"
- CRYPT_INC_PATH=wolfssl/wolfcrypt
- CRYPT_SRC_PATH=wolfcrypt/src
- FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c )
- FIPS_INCS=( fips.h )
- FIPS_OPTION=v3-ready
- ;;
- fips-ready|fips-v5-ready|linuxv5-ready)
- FIPS_REPO="git@github.com:wolfSSL/fips.git"
- FIPS_VERSION="master"
- CRYPT_INC_PATH=wolfssl/wolfcrypt
- CRYPT_SRC_PATH=wolfcrypt/src
- FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c )
- FIPS_INCS=( fips.h )
- FIPS_OPTION=v5-ready
- ;;
- stm32l4-v2)
- FIPS_VERSION=$STM32L4_V2_FIPS_VERSION
- FIPS_REPO=$STM32L4_V2_FIPS_REPO
- CRYPT_VERSION=$STM32L4_V2_CRYPT_VERSION
- CRYPT_INC_PATH=wolfssl/wolfcrypt
- CRYPT_SRC_PATH=wolfcrypt/src
- # Replace the WC_MODS list for now. Do not want to copy over random.c yet.
- WC_MODS=( aes des3 sha sha256 sha512 rsa hmac )
- WC_MODS+=( cmac dh ecc )
- FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c )
- FIPS_INCS=( fips.h )
- FIPS_OPTION=v2
- ;;
- wolfrand)
- FIPS_REPO=git@github.com:wolfssl/fips.git
- FIPS_VERSION=WRv4-stable
- CRYPT_REPO=git@github.com:wolfssl/wolfssl.git
- CRYPT_VERSION=WCv4-stable
- CRYPT_INC_PATH=wolfssl/wolfcrypt
- CRYPT_SRC_PATH=wolfcrypt/src
- RNG_VERSION=WCv4-rng-stable
- WC_MODS=( hmac sha256 random )
- FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c )
- FIPS_INCS=( fips.h )
- FIPS_OPTION=rand
- ;;
- solaris)
- FIPS_VERSION=WCv4-stable
- FIPS_REPO=git@github.com:wolfssl/fips.git
- CRYPT_VERSION=WCv4-stable
- CRYPT_INC_PATH=wolfssl/wolfcrypt
- CRYPT_SRC_PATH=wolfcrypt/src
- WC_MODS+=( cmac dh ecc sha3 )
- RNG_VERSION=WCv4-rng-stable
- FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c )
- FIPS_INCS=( fips.h )
- FIPS_OPTION=v2
- MAKE=gmake
- ;;
- linuxv5-RC8)
- FIPS_REPO="git@github.com:wolfSSL/fips.git"
- FIPS_VERSION="WCv5.0-RC8"
- CRYPT_REPO="git@github.com:wolfSSL/wolfssl.git"
- CRYPT_VERSION="WCv5.0-RC8"
- CRYPT_INC_PATH="wolfssl/wolfcrypt"
- CRYPT_SRC_PATH="wolfcrypt/src"
- WC_MODS=( aes sha sha256 sha512 rsa hmac random cmac dh ecc sha3 kdf )
- RNG_VERSION="WCv5.0-RC8"
- FIPS_SRCS=( fips.c fips_test.c wolfcrypt_first.c wolfcrypt_last.c )
- FIPS_INCS=( fips.h )
- FIPS_OPTION="v5-RC8"
- COPY_DIRECT=( wolfcrypt/src/aes_asm.S wolfcrypt/src/aes_asm.asm
- wolfcrypt/src/sha256_asm.S wolfcrypt/src/sha512_asm.S )
- ;;
- linuxv5|linuxv5-RC9)
- FIPS_REPO="git@github.com:wolfSSL/fips.git"
- FIPS_VERSION="WCv5.0-RC9"
- CRYPT_REPO="git@github.com:wolfSSL/wolfssl.git"
- CRYPT_VERSION="WCv5.0-RC9"
- CRYPT_INC_PATH="wolfssl/wolfcrypt"
- CRYPT_SRC_PATH="wolfcrypt/src"
- WC_MODS=( aes sha sha256 sha512 rsa hmac random cmac dh ecc sha3 kdf )
- RNG_VERSION="WCv5.0-RC9"
- FIPS_SRCS=( fips.c fips_test.c wolfcrypt_first.c wolfcrypt_last.c )
- FIPS_INCS=( fips.h )
- FIPS_OPTION="v5-RC9"
- COPY_DIRECT=( wolfcrypt/src/aes_asm.S wolfcrypt/src/aes_asm.asm
- wolfcrypt/src/sha256_asm.S wolfcrypt/src/sha512_asm.S )
- ;;
- linuxv5-RC10)
- FIPS_REPO="git@github.com:wolfSSL/fips.git"
- FIPS_VERSION="WCv5.0-RC10"
- CRYPT_REPO="git@github.com:wolfSSL/wolfssl.git"
- CRYPT_VERSION="WCv5.0-RC10"
- CRYPT_INC_PATH="wolfssl/wolfcrypt"
- CRYPT_SRC_PATH="wolfcrypt/src"
- WC_MODS=( aes sha sha256 sha512 rsa hmac random cmac dh ecc sha3 kdf )
- RNG_VERSION="WCv5.0-RC10"
- FIPS_SRCS=( fips.c fips_test.c wolfcrypt_first.c wolfcrypt_last.c )
- FIPS_INCS=( fips.h )
- FIPS_OPTION="v5-RC10"
- COPY_DIRECT=( wolfcrypt/src/aes_asm.S wolfcrypt/src/aes_asm.asm
- wolfcrypt/src/sha256_asm.S wolfcrypt/src/sha512_asm.S )
- ;;
- *)
- Usage
- exit 1
- esac
- if ! $GIT clone . $TEST_DIR; then
- echo "fips-check: Couldn't duplicate current working directory."
- exit 1
- fi
- pushd $TEST_DIR || exit 2
- case "$FIPS_OPTION" in
- v1)
- # make a clone of the last FIPS release tag
- if ! $GIT clone --depth 1 -b $CRYPT_VERSION $CRYPT_REPO old-tree; then
- echo "fips-check: Couldn't checkout the FIPS release."
- exit 1
- fi
- for MOD in "${WC_MODS[@]}"
- do
- cp "old-tree/$CRYPT_SRC_PATH/${MOD}.c" $CRYPT_SRC_PATH
- cp "old-tree/$CRYPT_INC_PATH/${MOD}.h" $CRYPT_INC_PATH
- done
- # We are using random.c from a separate release.
- # This is forcefully overwriting any other checkout of the cyassl sources.
- # Removing this as default behavior for SGX and netos projects.
- if [ "x$CAVP_SELFTEST_ONLY" == "xno" ] && [ "x$PLATFORM" != "xsgx" ] && \
- [ "x$PLATFORM" != "xnetos-7.6" ];
- then
- pushd old-tree || exit 2
- $GIT fetch origin $RNG_VERSION || exit $?
- $GIT checkout FETCH_HEAD || exit $?
- popd || exit 2
- cp "old-tree/$CRYPT_SRC_PATH/random.c" $CRYPT_SRC_PATH
- cp "old-tree/$CRYPT_INC_PATH/random.h" $CRYPT_INC_PATH
- fi
- ;;
- v2|rand|v5-RC8|v5-RC9)
- $GIT branch --no-track "my$CRYPT_VERSION" $CRYPT_VERSION || exit $?
- # Checkout the fips versions of the wolfCrypt files from the repo.
- for MOD in "${WC_MODS[@]}"
- do
- $GIT checkout "my$CRYPT_VERSION" -- "$CRYPT_SRC_PATH/$MOD.c" "$CRYPT_INC_PATH/$MOD.h" || exit $?
- done
- for MOD in "${COPY_DIRECT[@]}"
- do
- $GIT checkout "my$CRYPT_VERSION" -- "$MOD" || exit $?
- done
- $GIT branch --no-track "myrng$RNG_VERSION" $RNG_VERSION || exit $?
- # Checkout the fips versions of the wolfCrypt files from the repo.
- $GIT checkout "myrng$RNG_VERSION" -- "$CRYPT_SRC_PATH/random.c" "$CRYPT_INC_PATH/random.h" || exit $?
- ;;
- *ready*)
- echo "Don't need to copy anything in particular for FIPS Ready."
- ;;
- *)
- echo "fips-check: Invalid FIPS option \"${FIPS_OPTION}\"."
- exit 1
- ;;
- esac
- # clone the FIPS repository
- if [ "x$FIPS_OPTION" = "xready" ]
- then
- if ! $GIT clone --depth 1 $FIPS_REPO fips; then
- echo "fips-check: Couldn't checkout the FIPS repository for FIPS Ready."
- exit 1
- fi
- else
- if ! $GIT clone --depth 1 -b $FIPS_VERSION $FIPS_REPO fips; then
- echo "fips-check: Couldn't checkout the FIPS repository."
- exit 1
- fi
- fi
- for SRC in "${FIPS_SRCS[@]}"
- do
- cp "fips/$SRC" $CRYPT_SRC_PATH
- done
- for INC in "${FIPS_INCS[@]}"
- do
- cp "fips/$INC" $CRYPT_INC_PATH
- done
- # run the make test
- ./autogen.sh
- if [ "x$CAVP_SELFTEST_ONLY" == "xyes" ];
- then
- if [ "x$CAVP_SELFTEST_OPTION" == "xv2" ]
- then
- ./configure --enable-selftest=v2
- else
- ./configure --enable-selftest
- fi
- else
- ./configure --enable-fips=$FIPS_OPTION
- fi
- if ! $MAKE; then
- echo "fips-check: Make failed. Debris left for analysis."
- exit 3
- fi
- if [ "x$CAVP_SELFTEST_ONLY" == "xno" ];
- then
- NEWHASH=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
- if [ -n "$NEWHASH" ]; then
- cp $CRYPT_SRC_PATH/fips_test.c $CRYPT_SRC_PATH/fips_test.c.bak
- sed "s/^\".*\";/\"${NEWHASH}\";/" $CRYPT_SRC_PATH/fips_test.c.bak >$CRYPT_SRC_PATH/fips_test.c
- make clean
- fi
- fi
- if ! $MAKE test; then
- echo "fips-check: Test failed. Debris left for analysis."
- exit 3
- fi
- if [ ${#FIPS_CONFLICTS[@]} -ne 0 ];
- then
- echo "Due to the way this package is compiled by the customer duplicate"
- echo "source file names are an issue, renaming:"
- for FNAME in "${FIPS_CONFLICTS[@]}"
- do
- echo "wolfcrypt/src/$FNAME.c to wolfcrypt/src/wc_$FNAME.c"
- mv "./wolfcrypt/src/$FNAME.c" "./wolfcrypt/src/wc_$FNAME.c"
- done
- echo "Confirming files were renamed..."
- ls -la ./wolfcrypt/src/wc_*.c
- fi
- # Clean up
- popd || exit 2
- if [ "x$KEEP" == "xno" ];
- then
- rm -rf $TEST_DIR
- fi
|