feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

changes to the script fips-check.sh

Browse Source
This commit is contained in:
John Safranek
2023-08-03 13:16:08 -07:00
parent 7f0cfcb27d
commit 4e07ebf279
1 changed files with 113 additions and 137 deletions
Download Patch File Download Diff File Expand all files Collapse all files

250
fips-check.sh
View File

@ -18,7 +18,7 @@
Usage() { Usage() {
cat <<usageText cat <<usageText
Usage: $0 flavor [keep] Usage: $0 [flavor] [keep]
Flavor is one of: Flavor is one of:
netbsd-selftest netbsd-selftest
marvell-linux-selftest marvell-linux-selftest
@ -36,152 +36,127 @@ Example:
usageText usageText
} }
MAKE='make' # These variables may be overridden on the command line.
MAKE="${MAKE:-make}"
GIT="${GIT:-git -c advice.detachedHead=false}"
TEST_DIR="${TEST_DIR:-XXX-fips-test}"
FLAVOR="${FLAVOR:-linux}"
KEEP="${KEEP:-no}"
# non-FIPS, CAVP only but pull in selftest while [ "x$1" != 'x' ]; do
# will reset above variables below in flavor switch if [ "x$1" = 'xkeep' ]; then KEEP='yes'; else FLAVOR="$1"; fi
NETBSD_FIPS_VERSION=v3.14.2b shift
NETBSD_FIPS_REPO=git@github.com:wolfssl/fips.git done
NETBSD_CRYPT_VERSION=v3.14.2
NETBSD_CRYPT_REPO=git@github.com:wolfssl/wolfssl.git
# non-FIPS, CAVP only but pull in selftest
# will reset above variables below in flavor switch
MARVELL_LINUX_FIPS_VERSION=v3.14.2b
MARVELL_LINUX_FIPS_REPO=git@github.com:wolfssl/fips.git
MARVELL_LINUX_CRYPT_VERSION=v4.1.0-stable
MARVELL_LINUX_CRYPT_REPO=git@github.com:wolfssl/wolfssl.git
STM32L4_V2_FIPS_VERSION=WCv4.0.1-stable
STM32L4_V2_FIPS_REPO=git@github.com:wolfSSL/fips.git
STM32L4_V2_CRYPT_VERSION=WCv4.0.1-stable
FIPS_SRCS=( fips.c fips_test.c )
WC_MODS=( aes des3 sha sha256 sha512 rsa hmac random aes_asm )
TEST_DIR=XXX-fips-test
CRYPT_INC_PATH=undef
CRYPT_SRC_PATH=undef
RNG_VERSION=v3.6.0
FIPS_OPTION=undef
CAVP_SELFTEST_ONLY="no"
GIT="git -c advice.detachedHead=false"
if [ "$1" == "" ]; then FLAVOR="undef"; else FLAVOR="$1"; fi
if [ "$2" == "keep" ]; then KEEP="yes"; else KEEP="no"; fi
case "$FLAVOR" in case "$FLAVOR" in
linuxv2 | fipsv2-OE-ready) linuxv2 | fipsv2-OE-ready)
FIPS_VERSION=WCv4-stable FIPS_VERSION='WCv4-stable'
FIPS_REPO=git@github.com:wolfssl/fips.git FIPS_REPO='git@github.com:wolfssl/fips.git'
CRYPT_VERSION=WCv4-stable CRYPT_VERSION='WCv4-stable'
CRYPT_INC_PATH=wolfssl/wolfcrypt CRYPT_INC_PATH='wolfssl/wolfcrypt'
CRYPT_SRC_PATH=wolfcrypt/src CRYPT_SRC_PATH='wolfcrypt/src'
WC_MODS+=( cmac dh ecc sha3 ) WC_MODS=('aes' 'aes_asm' 'cmac' 'des3' 'dh' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha3' 'sha512')
RNG_VERSION=WCv4-rng-stable RNG_VERSION='WCv4-rng-stable'
FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c ) FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c')
FIPS_INCS=( fips.h ) FIPS_INCS=('fips.h')
FIPS_OPTION=v2 FIPS_OPTION='v2'
;; ;;
netbsd-selftest) netbsd-selftest)
FIPS_VERSION=$NETBSD_FIPS_VERSION # non-FIPS, CAVP only but pull in selftest
FIPS_REPO=$NETBSD_FIPS_REPO FIPS_VERSION='v3.14.2b'
CRYPT_VERSION=$NETBSD_CRYPT_VERSION FIPS_REPO='git@github.com:wolfssl/fips.git'
CRYPT_REPO=$NETBSD_CRYPT_REPO CRYPT_VERSION='v3.14.2'
FIPS_SRCS=( selftest.c ) CRYPT_REPO='git@github.com:wolfssl/wolfssl.git'
WC_MODS=( dh ecc rsa dsa aes sha sha256 sha512 hmac random ) FIPS_SRCS=('selftest.c')
CRYPT_INC_PATH=wolfssl/wolfcrypt WC_MODS=('aes' 'dh' 'dsa' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha512')
CRYPT_SRC_PATH=wolfcrypt/src CRYPT_INC_PATH='wolfssl/wolfcrypt'
CAVP_SELFTEST_ONLY="yes" CRYPT_SRC_PATH='wolfcrypt/src'
FIPS_OPTION="v1" CAVP_SELFTEST_ONLY='yes'
FIPS_OPTION='v1'
;; ;;
marvell-linux-selftest) marvell-linux-selftest)
FIPS_VERSION=$MARVELL_LINUX_FIPS_VERSION # non-FIPS, CAVP only but pull in selftest
FIPS_REPO=$MARVELL_LINUX_FIPS_REPO FIPS_VERSION='v3.14.2b'
CRYPT_VERSION=$MARVELL_LINUX_CRYPT_VERSION FIPS_REPO='git@github.com:wolfssl/fips.git'
CRYPT_REPO=$MARVELL_LINUX_CRYPT_REPO CRYPT_VERSION='v4.1.0-stable'
FIPS_SRCS=( selftest.c ) CRYPT_REPO='git@github.com:wolfssl/wolfssl.git'
WC_MODS=( dh ecc rsa dsa aes sha sha256 sha512 hmac random ) FIPS_SRCS=('selftest.c')
CRYPT_INC_PATH=wolfssl/wolfcrypt CRYPT_INC_PATH='wolfssl/wolfcrypt'
CRYPT_SRC_PATH=wolfcrypt/src CRYPT_SRC_PATH='wolfcrypt/src'
CAVP_SELFTEST_ONLY="yes" WC_MODS=('aes' 'dh' 'dsa' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha512')
CAVP_SELFTEST_OPTION=v2 CAVP_SELFTEST_ONLY='yes'
FIPS_OPTION="v1" CAVP_SELFTEST_OPTION='v2'
FIPS_OPTION='v1'
;; ;;
linuxv5) linuxv5)
FIPS_REPO="git@github.com:wolfSSL/fips.git" FIPS_REPO='git@github.com:wolfSSL/fips.git'
FIPS_VERSION="WCv5.0-RC12" FIPS_VERSION='WCv5.0-RC12'
CRYPT_REPO="git@github.com:wolfSSL/wolfssl.git" CRYPT_REPO='git@github.com:wolfSSL/wolfssl.git'
CRYPT_VERSION="WCv5.0-RC12" CRYPT_VERSION='WCv5.0-RC12'
CRYPT_INC_PATH="wolfssl/wolfcrypt" CRYPT_INC_PATH='wolfssl/wolfcrypt'
CRYPT_SRC_PATH="wolfcrypt/src" CRYPT_SRC_PATH='wolfcrypt/src'
WC_MODS=( aes sha sha256 sha512 rsa hmac random cmac dh ecc sha3 kdf WC_MODS=('aes' 'aes_asm' 'cmac' 'dh' 'ecc' 'hmac' 'kdf' 'random' 'rsa' 'sha' 'sha256' 'sha256_asm' 'sha3' 'sha512' 'sha512_asm')
aes_asm sha256_asm sha512_asm ) RNG_VERSION='WCv5.0-RC12'
RNG_VERSION="WCv5.0-RC12" FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c')
FIPS_SRCS=( fips.c fips_test.c wolfcrypt_first.c wolfcrypt_last.c ) FIPS_INCS=('fips.h')
FIPS_INCS=( fips.h ) FIPS_OPTION='v5'
FIPS_OPTION="v5" COPY_DIRECT=('wolfcrypt/src/aes_gcm_asm.S')
COPY_DIRECT=( wolfcrypt/src/aes_gcm_asm.S )
;; ;;
fips-ready) fips-ready)
FIPS_REPO="git@github.com:wolfSSL/fips.git" FIPS_REPO='git@github.com:wolfSSL/fips.git'
FIPS_VERSION="master" FIPS_VERSION='master'
CRYPT_INC_PATH=wolfssl/wolfcrypt CRYPT_INC_PATH='wolfssl/wolfcrypt'
CRYPT_SRC_PATH=wolfcrypt/src CRYPT_SRC_PATH='wolfcrypt/src'
FIPS_SRCS=( fips.c fips_test.c wolfcrypt_first.c wolfcrypt_last.c ) FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c')
FIPS_INCS=( fips.h ) FIPS_INCS=('fips.h')
FIPS_OPTION=ready FIPS_OPTION='ready'
;; ;;
fips-dev) fips-dev)
FIPS_REPO="git@github.com:wolfSSL/fips.git" FIPS_REPO='git@github.com:wolfSSL/fips.git'
FIPS_VERSION="master" FIPS_VERSION='master'
CRYPT_INC_PATH=wolfssl/wolfcrypt CRYPT_INC_PATH='wolfssl/wolfcrypt'
CRYPT_SRC_PATH=wolfcrypt/src CRYPT_SRC_PATH='wolfcrypt/src'
FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c ) FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c')
FIPS_INCS=( fips.h ) FIPS_INCS=('fips.h')
FIPS_OPTION=dev FIPS_OPTION='dev'
;; ;;
stm32l4-v2) stm32l4-v2)
FIPS_VERSION=$STM32L4_V2_FIPS_VERSION FIPS_VERSION='WCv4.0.1-stable'
FIPS_REPO=$STM32L4_V2_FIPS_REPO FIPS_REPO='git@github.com:wolfSSL/fips.git'
CRYPT_VERSION=$STM32L4_V2_CRYPT_VERSION CRYPT_VERSION='WCv4.0.1-stable'
CRYPT_INC_PATH=wolfssl/wolfcrypt CRYPT_INC_PATH='wolfssl/wolfcrypt'
CRYPT_SRC_PATH=wolfcrypt/src CRYPT_SRC_PATH='wolfcrypt/src'
# Replace the WC_MODS list for now. Do not want to copy over random.c yet. WC_MODS=('aes' 'cmac' 'des3' 'dh' 'ecc' 'hmac' 'rsa' 'sha' 'sha256' 'sha512')
WC_MODS=( aes des3 sha sha256 sha512 rsa hmac ) FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c')
WC_MODS+=( cmac dh ecc ) FIPS_INCS=('fips.h')
FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c ) FIPS_OPTION='v2'
FIPS_INCS=( fips.h )
FIPS_OPTION=v2
;; ;;
wolfrand) wolfrand)
FIPS_REPO=git@github.com:wolfssl/fips.git FIPS_REPO='git@github.com:wolfssl/fips.git'
FIPS_VERSION=WRv4-stable FIPS_VERSION='WRv4-stable'
CRYPT_REPO=git@github.com:wolfssl/wolfssl.git CRYPT_REPO='git@github.com:wolfssl/wolfssl.git'
CRYPT_VERSION=WCv4-stable CRYPT_VERSION='WCv4-stable'
CRYPT_INC_PATH=wolfssl/wolfcrypt CRYPT_INC_PATH='wolfssl/wolfcrypt'
CRYPT_SRC_PATH=wolfcrypt/src CRYPT_SRC_PATH='wolfcrypt/src'
RNG_VERSION=WCv4-rng-stable WC_MODS=('hmac' 'random' 'sha256')
WC_MODS=( hmac sha256 random ) RNG_VERSION='WCv4-rng-stable'
FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c ) FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c')
FIPS_INCS=( fips.h ) FIPS_INCS=('fips.h')
FIPS_OPTION=rand FIPS_OPTION='rand'
;; ;;
solaris) solaris)
FIPS_VERSION=WCv4-stable FIPS_VERSION='WCv4-stable'
FIPS_REPO=git@github.com:wolfssl/fips.git FIPS_REPO='git@github.com:wolfssl/fips.git'
CRYPT_VERSION=WCv4-stable CRYPT_VERSION='WCv4-stable'
CRYPT_INC_PATH=wolfssl/wolfcrypt CRYPT_INC_PATH='wolfssl/wolfcrypt'
CRYPT_SRC_PATH=wolfcrypt/src CRYPT_SRC_PATH='wolfcrypt/src'
WC_MODS+=( cmac dh ecc sha3 ) WC_MODS=('aes' 'aes_asm' 'cmac' 'des3' 'dh' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha3' 'sha512')
RNG_VERSION=WCv4-rng-stable RNG_VERSION='WCv4-rng-stable'
FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c ) FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c')
FIPS_INCS=( fips.h ) FIPS_INCS=('fips.h')
FIPS_OPTION=v2 FIPS_OPTION='v2'
MAKE=gmake MAKE='gmake'
;; ;;
*) *)
Usage Usage
exit 1 exit 1
@ -219,7 +194,7 @@ v1)
# We are using random.c from a separate release. # We are using random.c from a separate release.
# This is forcefully overwriting any other checkout of the cyassl sources. # This is forcefully overwriting any other checkout of the cyassl sources.
# Removing this as default behavior for SGX and netos projects. # Removing this as default behavior for SGX and netos projects.
if [ "$CAVP_SELFTEST_ONLY" == "no" ] && [ "$FLAVOR" != "sgx" ] && \ if [ "x$CAVP_SELFTEST_ONLY" != "xyes" ] && [ "$FLAVOR" != 'sgx' ] && \
[ "$FLAVOR" != "netos-7.6" ]; [ "$FLAVOR" != "netos-7.6" ];
then then
pushd old-tree || exit 2 pushd old-tree || exit 2
@ -302,7 +277,7 @@ done
# Since OE additions can still be processed for cert3389 we will call 140-2 # Since OE additions can still be processed for cert3389 we will call 140-2
# ready "fipsv2-OE-ready" indicating it is ready to use for an OE addition but # ready "fipsv2-OE-ready" indicating it is ready to use for an OE addition but
# would not be good for a new certification effort with the latest files. # would not be good for a new certification effort with the latest files.
if [ "$FLAVOR" = "fipsv2-OE-ready" ]; then if [ "$FLAVOR" = 'fipsv2-OE-ready' ]; then
OLD_VERSION=" return \"v4.0.0-alpha\";" OLD_VERSION=" return \"v4.0.0-alpha\";"
OE_READY_VERSION=" return \"fipsv2-OE-ready\";" OE_READY_VERSION=" return \"fipsv2-OE-ready\";"
cp "${CRYPT_SRC_PATH}/fips.c" "${CRYPT_SRC_PATH}/fips.c.bak" cp "${CRYPT_SRC_PATH}/fips.c" "${CRYPT_SRC_PATH}/fips.c.bak"
@ -311,23 +286,24 @@ fi
# run the make test # run the make test
./autogen.sh ./autogen.sh
if [ "$CAVP_SELFTEST_ONLY" == "yes" ]; if [ "x$CAVP_SELFTEST_ONLY" = 'xyes' ];
then then
if [ "$CAVP_SELFTEST_OPTION" == "v2" ] if [ "x$CAVP_SELFTEST_OPTION" = "xv2" ]
then then
./configure --enable-selftest=v2 ./configure --enable-selftest=v2
else else
./configure --enable-selftest ./configure --enable-selftest
fi fi
else else
./configure --enable-fips=$FIPS_OPTION ./configure --enable-fips=$FIPS_OPTION
fi fi
if ! $MAKE; then if ! $MAKE; then
echo "fips-check: Make failed. Debris left for analysis." echo "fips-check: Make failed. Debris left for analysis."
exit 3 exit 3
fi fi
if [ "$CAVP_SELFTEST_ONLY" == "no" ]; if [ "x$CAVP_SELFTEST_ONLY" != 'xyes' ];
then then
NEWHASH=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p') NEWHASH=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
if [ -n "$NEWHASH" ]; then if [ -n "$NEWHASH" ]; then
@ -357,7 +333,7 @@ fi
# Clean up # Clean up
popd || exit 2 popd || exit 2
if [ "$KEEP" == "no" ]; if [ "$KEEP" = "no" ];
then then
rm -rf "$TEST_DIR" rm -rf "$TEST_DIR"
fi fi