From 0fd96be7f8f23700328f9c78aeb9115851b19f71 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Thu, 17 Aug 2023 08:05:27 -0700 Subject: [PATCH 1/6] FIPS Check Script with Explicit Versioning 1. Add a test OE for trying out the new methods. 2. Add a temporary way to trigger using the new methods. 3. Add a function to check out different versions of files in the repo, and only adding a new branch when needed. 4. Remove the old checkout code. --- fips-check.sh | 121 +++++++++++++++++++++++++++++++++++++------------- 1 file changed, 90 insertions(+), 31 deletions(-) diff --git a/fips-check.sh b/fips-check.sh index dd2029c83..300b09c16 100755 --- a/fips-check.sh +++ b/fips-check.sh @@ -39,7 +39,8 @@ FLAVOR="${FLAVOR:-linux}" KEEP="${KEEP:-no}" while [ "$1" ]; do - if [ "$1" = 'keep' ]; then KEEP='yes'; else FLAVOR="$1"; fi + if [ "$1" = 'new' ]; then DO_NEW_ACTION='yes'; else + if [ "$1" = 'keep' ]; then KEEP='yes'; else FLAVOR="$1"; fi; fi shift done @@ -85,6 +86,49 @@ linuxv5) FIPS_INCS=('fips.h') COPY_DIRECT=('wolfcrypt/src/aes_gcm_asm.S') ;; +linuxv5a) + FIPS_OPTION='v5' + FIPS_FILES=( + 'fips.c:WCv5.0-RC12' + 'fips_test.c:WCv5.0-RC12' + 'wolfcrypt_first.c:WCv5.0-RC12' + 'wolfcrypt_last.c:WCv5.0-RC12' + 'fips.h:WCv5.0-RC12' + ) + WC_C_FILES=( + 'wolfcrypt/src/aes.c:WCv5.0-RC12' + 'wolfcrypt/src/aes_asm.c:WCv5.0-RC12' + 'wolfcrypt/src/cmac.c:WCv5.0-RC12' + 'wolfcrypt/src/dh.c:WCv5.0-RC12' + 'wolfcrypt/src/ecc.c:WCv5.0-RC12' + 'wolfcrypt/src/hmac.c:WCv5.0-RC12' + 'wolfcrypt/src/kdf.c:WCv5.0-RC12' + 'wolfcrypt/src/random.c:WCv5.0-RC12' + 'wolfcrypt/src/rsa.c:WCv5.0-RC12' + 'wolfcrypt/src/sha.c:WCv5.0-RC12' + 'wolfcrypt/src/sha256.c:WCv5.0-RC12' + 'wolfcrypt/src/sha256_asm.c:WCv5.0-RC12' + 'wolfcrypt/src/sha3.c:WCv5.0-RC12' + 'wolfcrypt/src/sha512.c:WCv5.0-RC12' + 'wolfcrypt/src/sha512_asm.c:WCv5.0-RC12' + 'wolfcrypt/src/aes_gcm_asm.S:WCv5.0-RC12' + 'wolfssl/wolfcrypt/aes.h:WCv5.0-RC12' + 'wolfssl/wolfcrypt/aes_asm.h:WCv5.0-RC12' + 'wolfssl/wolfcrypt/cmac.h:WCv5.0-RC12' + 'wolfssl/wolfcrypt/dh.h:WCv5.0-RC12' + 'wolfssl/wolfcrypt/ecc.h:WCv5.0-RC12' + 'wolfssl/wolfcrypt/hmac.h:WCv5.0-RC12' + 'wolfssl/wolfcrypt/kdf.h:WCv5.0-RC12' + 'wolfssl/wolfcrypt/random.h:WCv5.0-RC12' + 'wolfssl/wolfcrypt/rsa.h:WCv5.0-RC12' + 'wolfssl/wolfcrypt/sha.h:WCv5.0-RC12' + 'wolfssl/wolfcrypt/sha256.h:WCv5.0-RC12' + 'wolfssl/wolfcrypt/sha256_asm.h:WCv5.0-RC12' + 'wolfssl/wolfcrypt/sha3.h:WCv5.0-RC12' + 'wolfssl/wolfcrypt/sha512.h:WCv5.0-RC12' + 'wolfssl/wolfcrypt/sha512_asm.h:WCv5.0-RC12' + ) + ;; fips-ready) FIPS_OPTION='ready' FIPS_VERSION='master' @@ -121,6 +165,50 @@ solaris) exit 1 esac +function checkout_tag() { + if ! $GIT branch --list | grep "my$1" + then + $GIT branch --no-track "my$1" "$1" || exit $? + fi +} + +function checkout_files() { + local repo_path="$1" + shift + pushd $repo_path + for file_entry in "$@" + do + local name=${file_entry%%:*} + local tag=${file_entry#*:} + checkout_tag "$tag" || exit $? + $GIT checkout "my$tag" -- "$name" || exit $? + done + popd +} + +function copy_files() { + local repo_path="$1" + shift + pushd $repo_path + for file_entry in "$@" + do + local name=${file_entry%%:*} + local tag=${file_entry#*:} + checkout_tag "$tag" || exit $? + $GIT checkout "my$tag" -- "$name" || exit $? + done + popd +} + +if [ "$DO_NEW_ACTION" = 'yes' ] +then + checkout_files '.' "${WC_C_FILES[@]}" + checkout_files './fips' "${FIPS_FILES[@]}" + exit +fi +echo "Escaped!" +exit + if ! $GIT clone . "$TEST_DIR"; then echo "fips-check: Couldn't duplicate current working directory." exit 1 @@ -139,36 +227,7 @@ case "$FIPS_OPTION" in ;; cavp-selftest*|v2|rand|v5*) - $GIT branch --no-track "my$CRYPT_VERSION" "$CRYPT_VERSION" || exit $? - # Checkout the fips versions of the wolfCrypt files from the repo. - for MOD in "${WC_MODS[@]}" - do - if [ -f "$CRYPT_SRC_PATH/$MOD.c" ]; then - $GIT checkout "my$CRYPT_VERSION" -- "$CRYPT_SRC_PATH/$MOD.c" || exit $? - fi - # aes_asm.S, sha256_asm.S sha512_asm.S - if [ -f "$CRYPT_SRC_PATH/$MOD.S" ]; then - echo "Checking out asm file: $MOD.S" - $GIT checkout "my$CRYPT_VERSION" -- "$CRYPT_SRC_PATH/$MOD.S" || exit $? - fi - # aes_asm.asm - if [ -f "$CRYPT_SRC_PATH/$MOD.asm" ]; then - echo "Checking out asm file: $MOD.asm" - $GIT checkout "my$CRYPT_VERSION" -- "$CRYPT_SRC_PATH/$MOD.asm" || exit $? - fi - if [ -f "$CRYPT_INC_PATH/$MOD.h" ]; then - $GIT checkout "my$CRYPT_VERSION" -- "$CRYPT_INC_PATH/$MOD.h" || exit $? - fi - done - - for MOD in "${COPY_DIRECT[@]}" - do - $GIT checkout "my$CRYPT_VERSION" -- "$MOD" || exit $? - done - - $GIT branch --no-track "myrng$RNG_VERSION" "$RNG_VERSION" || exit $? - # Checkout the fips versions of the wolfCrypt files from the repo. - $GIT checkout "myrng$RNG_VERSION" -- "$CRYPT_SRC_PATH/random.c" "$CRYPT_INC_PATH/random.h" || exit $? + checkout_files '.' "${WC_C_FILES[@]}" ;; *) From 98c50e05a32027272419d3c825325c4c1fc3170d Mon Sep 17 00:00:00 2001 From: John Safranek Date: Thu, 17 Aug 2023 11:29:25 -0700 Subject: [PATCH 2/6] FIPS Check Script with Explicit Versioning 1. Add an optional initialized variable for the KEEP option and default it to 'yes' temporarily. 2. Comment out all the descriptions for all the OEs except the test OE. 3. Update the copy FIPS file list format to have the file path and add the tag to use for copying as the first item. 4. Merge the branch-creation and file checkout into one function. Remove the local path changing. 5. Update and simplify the FIPS file copying function. 6. Remove the old copying code. 7. When updating the fipsv2-OE-ready version string, also check that fips.c is non-zero. 8. Use explicit paths for files. --- fips-check.sh | 258 +++++++++++++++++++++----------------------------- 1 file changed, 109 insertions(+), 149 deletions(-) diff --git a/fips-check.sh b/fips-check.sh index 300b09c16..17da502d4 100755 --- a/fips-check.sh +++ b/fips-check.sh @@ -36,66 +36,63 @@ MAKE="${MAKE:-make}" GIT="${GIT:-git -c advice.detachedHead=false}" TEST_DIR="${TEST_DIR:-XXX-fips-test}" FLAVOR="${FLAVOR:-linux}" -KEEP="${KEEP:-no}" +#KEEP="${KEEP:-no}" +KEEP="${KEEP:-yes}" +#FIPS_REPO="${FIPS_REPO:-git@github.com:wolfssl/fips.git}" while [ "$1" ]; do - if [ "$1" = 'new' ]; then DO_NEW_ACTION='yes'; else - if [ "$1" = 'keep' ]; then KEEP='yes'; else FLAVOR="$1"; fi; fi + if [ "$1" = 'keep' ]; then KEEP='yes'; else FLAVOR="$1"; fi shift done -FIPS_REPO='git@github.com:wolfssl/fips.git' -CRYPT_INC_PATH='wolfssl/wolfcrypt' -CRYPT_SRC_PATH='wolfcrypt/src' - case "$FLAVOR" in -linuxv2|fipsv2-OE-ready) - FIPS_OPTION='v2' - FIPS_VERSION='WCv4-stable' - CRYPT_VERSION='WCv4-stable' - RNG_VERSION='WCv4-rng-stable' - WC_MODS=('aes' 'aes_asm' 'cmac' 'des3' 'dh' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha3' 'sha512') - FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') - FIPS_INCS=('fips.h') - ;; -netbsd-selftest) - # non-FIPS, CAVP only but pull in selftest - FIPS_OPTION='cavp-selftest' - FIPS_VERSION='v3.14.2b' - CRYPT_VERSION='v3.14.2' - RNG_VERSION='v3.14.2' - WC_MODS=('aes' 'dh' 'dsa' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha512') - FIPS_SRCS=('selftest.c') - ;; -marvell-linux-selftest) - # non-FIPS, CAVP only but pull in selftest - FIPS_OPTION='cavp-selftest-v2' - FIPS_VERSION='v3.14.2b' - CRYPT_VERSION='v4.1.0-stable' - RNG_VERSION='v4.1.0-stable' - WC_MODS=('aes' 'dh' 'dsa' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha512') - FIPS_SRCS=('selftest.c') - ;; -linuxv5) - FIPS_OPTION='v5' - FIPS_VERSION='WCv5.0-RC12' - CRYPT_VERSION='WCv5.0-RC12' - RNG_VERSION='WCv5.0-RC12' - WC_MODS=('aes' 'aes_asm' 'cmac' 'dh' 'ecc' 'hmac' 'kdf' 'random' 'rsa' 'sha' 'sha256' 'sha256_asm' 'sha3' 'sha512' 'sha512_asm') - FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') - FIPS_INCS=('fips.h') - COPY_DIRECT=('wolfcrypt/src/aes_gcm_asm.S') - ;; +#linuxv2|fipsv2-OE-ready) +# FIPS_OPTION='v2' +# FIPS_VERSION='WCv4-stable' +# CRYPT_VERSION='WCv4-stable' +# RNG_VERSION='WCv4-rng-stable' +# WC_MODS=('aes' 'aes_asm' 'cmac' 'des3' 'dh' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha3' 'sha512') +# FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') +# FIPS_INCS=('fips.h') +# ;; +#netbsd-selftest) +# # non-FIPS, CAVP only but pull in selftest +# FIPS_OPTION='cavp-selftest' +# FIPS_VERSION='v3.14.2b' +# CRYPT_VERSION='v3.14.2' +# RNG_VERSION='v3.14.2' +# WC_MODS=('aes' 'dh' 'dsa' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha512') +# FIPS_SRCS=('selftest.c') +# ;; +#marvell-linux-selftest) +# # non-FIPS, CAVP only but pull in selftest +# FIPS_OPTION='cavp-selftest-v2' +# FIPS_VERSION='v3.14.2b' +# CRYPT_VERSION='v4.1.0-stable' +# RNG_VERSION='v4.1.0-stable' +# WC_MODS=('aes' 'dh' 'dsa' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha512') +# FIPS_SRCS=('selftest.c') +# ;; +#linuxv5) +# FIPS_OPTION='v5' +# FIPS_VERSION='WCv5.0-RC12' +# CRYPT_VERSION='WCv5.0-RC12' +# RNG_VERSION='WCv5.0-RC12' +# WC_MODS=('aes' 'aes_asm' 'cmac' 'dh' 'ecc' 'hmac' 'kdf' 'random' 'rsa' 'sha' 'sha256' 'sha256_asm' 'sha3' 'sha512' 'sha512_asm') +# FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') +# FIPS_INCS=('fips.h') +# COPY_DIRECT=('wolfcrypt/src/aes_gcm_asm.S') +# ;; linuxv5a) FIPS_OPTION='v5' - FIPS_FILES=( - 'fips.c:WCv5.0-RC12' - 'fips_test.c:WCv5.0-RC12' - 'wolfcrypt_first.c:WCv5.0-RC12' - 'wolfcrypt_last.c:WCv5.0-RC12' - 'fips.h:WCv5.0-RC12' + FIPS_FILES=('WCv5.0-RC12' + 'wolfcrypt/src/fips.c' + 'wolfcrypt/src/fips_test.c' + 'wolfcrypt/src/wolfcrypt_first.c' + 'wolfcrypt/src/wolfcrypt_last.c' + 'wolfssl/wolfcrypt/fips.h' ) - WC_C_FILES=( + WOLFCRYPT_FILES=( 'wolfcrypt/src/aes.c:WCv5.0-RC12' 'wolfcrypt/src/aes_asm.c:WCv5.0-RC12' 'wolfcrypt/src/cmac.c:WCv5.0-RC12' @@ -129,86 +126,74 @@ linuxv5a) 'wolfssl/wolfcrypt/sha512_asm.h:WCv5.0-RC12' ) ;; -fips-ready) - FIPS_OPTION='ready' - FIPS_VERSION='master' - FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') - FIPS_INCS=('fips.h') - ;; -fips-dev) - FIPS_OPTION='dev' - FIPS_VERSION='master' - FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') - FIPS_INCS=('fips.h') - ;; -wolfrand) - FIPS_OPTION='rand' - FIPS_VERSION='WRv4-stable' - CRYPT_VERSION='WCv4-stable' - RNG_VERSION='WCv4-rng-stable' - WC_MODS=('hmac' 'random' 'sha256') - FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') - FIPS_INCS=('fips.h') - ;; -solaris) - FIPS_OPTION='v2' - FIPS_VERSION='WCv4-stable' - CRYPT_VERSION='WCv4-stable' - RNG_VERSION='WCv4-rng-stable' - WC_MODS=('aes' 'aes_asm' 'cmac' 'des3' 'dh' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha3' 'sha512') - FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') - FIPS_INCS=('fips.h') - MAKE='gmake' - ;; +#fips-ready) +# FIPS_OPTION='ready' +# FIPS_VERSION='master' +# FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') +# FIPS_INCS=('fips.h') +# ;; +#fips-dev) +# FIPS_OPTION='dev' +# FIPS_VERSION='master' +# FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') +# FIPS_INCS=('fips.h') +# ;; +#wolfrand) +# FIPS_OPTION='rand' +# FIPS_VERSION='WRv4-stable' +# CRYPT_VERSION='WCv4-stable' +# RNG_VERSION='WCv4-rng-stable' +# WC_MODS=('hmac' 'random' 'sha256') +# FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') +# FIPS_INCS=('fips.h') +# ;; +#solaris) +# FIPS_OPTION='v2' +# FIPS_VERSION='WCv4-stable' +# CRYPT_VERSION='WCv4-stable' +# RNG_VERSION='WCv4-rng-stable' +# WC_MODS=('aes' 'aes_asm' 'cmac' 'des3' 'dh' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha3' 'sha512') +# FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') +# FIPS_INCS=('fips.h') +# MAKE='gmake' +# ;; *) Usage exit 1 esac -function checkout_tag() { - if ! $GIT branch --list | grep "my$1" - then - $GIT branch --no-track "my$1" "$1" || exit $? - fi -} - +# checkout_files takes an array of pairs of file paths and git tags to checkout. +# It will check to see if mytag exists and if not will make that tag a branch. function checkout_files() { - local repo_path="$1" - shift - pushd $repo_path for file_entry in "$@" do local name=${file_entry%%:*} local tag=${file_entry#*:} - checkout_tag "$tag" || exit $? + if ! $GIT branch --list | grep "my$tag" + then + $GIT branch --no-track "my$tag" "$tag" || exit $? + fi $GIT checkout "my$tag" -- "$name" || exit $? done - popd } -function copy_files() { - local repo_path="$1" +# copy_fips_files clones the FIPS repository. It takes an array of file paths, where +# it breaks apart into file name and path, then copies it from the file from the fips +# directory to the path. The first item is the name of the tag. +function copy_fips_files() { + local tag="$1" shift - pushd $repo_path - for file_entry in "$@" + if ! $GIT clone --depth 1 -b "$tag" 'git@github.com:wolfssl/fips.git' fips + then + echo "fips-check: Couldn't check out $tag from FIPS repository." + exit 1 + fi + for file_path in "$@" do - local name=${file_entry%%:*} - local tag=${file_entry#*:} - checkout_tag "$tag" || exit $? - $GIT checkout "my$tag" -- "$name" || exit $? + cp fips/"$(basename "$file_path")" "$(dirname "$file_path")" done - popd } -if [ "$DO_NEW_ACTION" = 'yes' ] -then - checkout_files '.' "${WC_C_FILES[@]}" - checkout_files './fips' "${FIPS_FILES[@]}" - exit -fi -echo "Escaped!" -exit - if ! $GIT clone . "$TEST_DIR"; then echo "fips-check: Couldn't duplicate current working directory." exit 1 @@ -227,40 +212,16 @@ case "$FIPS_OPTION" in ;; cavp-selftest*|v2|rand|v5*) - checkout_files '.' "${WC_C_FILES[@]}" + checkout_files "${WOLFCRYPT_FILES[@]}" ;; *) - echo "fips-check: Invalid FIPS option \"${FIPS_OPTION}\"." + echo "fips-check: Invalid FIPS option ${FIPS_OPTION}." exit 1 ;; esac -# clone the FIPS repository -case "$FIPS_OPTION" in -*dev) - if ! $GIT clone --depth 1 "$FIPS_REPO" fips; then - echo "fips-check: Couldn't check out the FIPS repository for fips-dev." - exit 1 - fi - ;; -*) - if ! $GIT clone --depth 1 -b "$FIPS_VERSION" "$FIPS_REPO" fips; then - echo "fips-check: Couldn't check out ${FIPS_VERSION} from repository ${FIPS_REPO}." - exit 1 - fi - ;; -esac - -for SRC in "${FIPS_SRCS[@]}" -do - cp "fips/$SRC" "$CRYPT_SRC_PATH" -done - -for INC in "${FIPS_INCS[@]}" -do - cp "fips/$INC" "$CRYPT_INC_PATH" -done +copy_fips_files "${FIPS_FILES[@]}" # When checking out cert 3389 ready code, NIST will no longer perform # new certifications on 140-2 modules. If we were to use the latest files from @@ -268,11 +229,10 @@ done # Since OE additions can still be processed for cert3389 we will call 140-2 # ready "fipsv2-OE-ready" indicating it is ready to use for an OE addition but # would not be good for a new certification effort with the latest files. -if [ "$FLAVOR" = 'fipsv2-OE-ready' ]; then - OLD_VERSION=" return \"v4.0.0-alpha\";" - OE_READY_VERSION=" return \"fipsv2-OE-ready\";" - cp "${CRYPT_SRC_PATH}/fips.c" "${CRYPT_SRC_PATH}/fips.c.bak" - sed "s/^${OLD_VERSION}/${OE_READY_VERSION}/" "${CRYPT_SRC_PATH}/fips.c.bak" >"${CRYPT_SRC_PATH}/fips.c" +if [ "$FLAVOR" = 'fipsv2-OE-ready' ] && [ -s wolfcrypt/src/fips.c ] +then + cp wolfcrypt/src/fips.c wolfcrypt/src/fips.c.bak + sed "s/^v4.0.0-alpha/fipsv2-OE-ready/" wolfcrypt/src/fips.c.bak >wolfcrypt/src/fips.c fi # run the make test @@ -296,25 +256,25 @@ then exit 3 fi -if [ -s "${CRYPT_SRC_PATH}/fips_test.c" ] +if [ -s wolfcrypt/src/fips_test.c ] then NEWHASH=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p') if [ -n "$NEWHASH" ]; then - cp "${CRYPT_SRC_PATH}/fips_test.c" "${CRYPT_SRC_PATH}/fips_test.c.bak" - sed "s/^\".*\";/\"${NEWHASH}\";/" "${CRYPT_SRC_PATH}/fips_test.c.bak" >"${CRYPT_SRC_PATH}/fips_test.c" + cp wolfcrypt/src/fips_test.c wolfcrypt/src/fips_test.c.bak + sed "s/^\".*\";/\"${NEWHASH}\";/" wolfcrypt/src/fips_test.c.bak >wolfcrypt/src/fips_test.c make clean fi fi if ! $MAKE check then - echo "fips-check: Test failed. Debris left for analysis." + echo 'fips-check: Test failed. Debris left for analysis.' exit 3 fi # Clean up popd || exit 2 -if [ "$KEEP" = "no" ]; +if [ "$KEEP" = 'no' ]; then rm -rf "$TEST_DIR" fi From 87695adc82c5f0072c04110b390cd0890157b8e8 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Thu, 17 Aug 2023 11:54:02 -0700 Subject: [PATCH 3/6] FIPS Check Script with Explicit Versioning 1. Remove the demo variable presets. Actually use them in testing. 2. FIPS_REPO can be set to a local file path to speed up testing. 3. Add files missing from the demo OE checkout. 4. Add the fips-read OE files. 5. Add the quiet option to grep. --- fips-check.sh | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/fips-check.sh b/fips-check.sh index 17da502d4..1f3f17853 100755 --- a/fips-check.sh +++ b/fips-check.sh @@ -36,9 +36,8 @@ MAKE="${MAKE:-make}" GIT="${GIT:-git -c advice.detachedHead=false}" TEST_DIR="${TEST_DIR:-XXX-fips-test}" FLAVOR="${FLAVOR:-linux}" -#KEEP="${KEEP:-no}" -KEEP="${KEEP:-yes}" -#FIPS_REPO="${FIPS_REPO:-git@github.com:wolfssl/fips.git}" +KEEP="${KEEP:-no}" +FIPS_REPO="${FIPS_REPO:-git@github.com:wolfssl/fips.git}" while [ "$1" ]; do if [ "$1" = 'keep' ]; then KEEP='yes'; else FLAVOR="$1"; fi @@ -94,7 +93,8 @@ linuxv5a) ) WOLFCRYPT_FILES=( 'wolfcrypt/src/aes.c:WCv5.0-RC12' - 'wolfcrypt/src/aes_asm.c:WCv5.0-RC12' + 'wolfcrypt/src/aes_asm.S:WCv5.0-RC12' + 'wolfcrypt/src/aes_gcm_asm.S:WCv5.0-RC12' 'wolfcrypt/src/cmac.c:WCv5.0-RC12' 'wolfcrypt/src/dh.c:WCv5.0-RC12' 'wolfcrypt/src/ecc.c:WCv5.0-RC12' @@ -104,13 +104,11 @@ linuxv5a) 'wolfcrypt/src/rsa.c:WCv5.0-RC12' 'wolfcrypt/src/sha.c:WCv5.0-RC12' 'wolfcrypt/src/sha256.c:WCv5.0-RC12' - 'wolfcrypt/src/sha256_asm.c:WCv5.0-RC12' + 'wolfcrypt/src/sha256_asm.S:WCv5.0-RC12' 'wolfcrypt/src/sha3.c:WCv5.0-RC12' 'wolfcrypt/src/sha512.c:WCv5.0-RC12' - 'wolfcrypt/src/sha512_asm.c:WCv5.0-RC12' - 'wolfcrypt/src/aes_gcm_asm.S:WCv5.0-RC12' + 'wolfcrypt/src/sha512_asm.S:WCv5.0-RC12' 'wolfssl/wolfcrypt/aes.h:WCv5.0-RC12' - 'wolfssl/wolfcrypt/aes_asm.h:WCv5.0-RC12' 'wolfssl/wolfcrypt/cmac.h:WCv5.0-RC12' 'wolfssl/wolfcrypt/dh.h:WCv5.0-RC12' 'wolfssl/wolfcrypt/ecc.h:WCv5.0-RC12' @@ -120,18 +118,20 @@ linuxv5a) 'wolfssl/wolfcrypt/rsa.h:WCv5.0-RC12' 'wolfssl/wolfcrypt/sha.h:WCv5.0-RC12' 'wolfssl/wolfcrypt/sha256.h:WCv5.0-RC12' - 'wolfssl/wolfcrypt/sha256_asm.h:WCv5.0-RC12' 'wolfssl/wolfcrypt/sha3.h:WCv5.0-RC12' 'wolfssl/wolfcrypt/sha512.h:WCv5.0-RC12' - 'wolfssl/wolfcrypt/sha512_asm.h:WCv5.0-RC12' ) ;; -#fips-ready) -# FIPS_OPTION='ready' -# FIPS_VERSION='master' -# FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') -# FIPS_INCS=('fips.h') -# ;; +fips-ready) + FIPS_OPTION='ready' + FIPS_FILES=('master' + 'wolfcrypt/src/fips.c' + 'wolfcrypt/src/fips_test.c' + 'wolfcrypt/src/wolfcrypt_first.c' + 'wolfcrypt/src/wolfcrypt_last.c' + 'wolfssl/wolfcrypt/fips.h' + ) + ;; #fips-dev) # FIPS_OPTION='dev' # FIPS_VERSION='master' @@ -169,7 +169,7 @@ function checkout_files() { do local name=${file_entry%%:*} local tag=${file_entry#*:} - if ! $GIT branch --list | grep "my$tag" + if ! $GIT branch --list | grep --quiet "my$tag" then $GIT branch --no-track "my$tag" "$tag" || exit $? fi @@ -183,7 +183,7 @@ function checkout_files() { function copy_fips_files() { local tag="$1" shift - if ! $GIT clone --depth 1 -b "$tag" 'git@github.com:wolfssl/fips.git' fips + if ! $GIT clone --depth 1 -b "$tag" "$FIPS_REPO" fips then echo "fips-check: Couldn't check out $tag from FIPS repository." exit 1 @@ -252,7 +252,7 @@ esac if ! $MAKE then - echo "fips-check: Make failed. Debris left for analysis." + echo 'fips-check: Make failed. Debris left for analysis.' exit 3 fi From 6724a3d005ab55d884d72b3a020c4ceb890a3174 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Thu, 17 Aug 2023 13:39:29 -0700 Subject: [PATCH 4/6] FIPS Check Script with Explicit Versioning 1. Remove the demo OE. 2. Update all OEs with the new file lists. 3. Merge OEs with same files and tags, and add a check for the difference to optionally update that. For example, solaris is the same file list and tags as linuxv2, but uses gmake instead of make. --- fips-check.sh | 178 ++++++++++++++++++++++++++++++++------------------ 1 file changed, 114 insertions(+), 64 deletions(-) diff --git a/fips-check.sh b/fips-check.sh index 1f3f17853..7820e637c 100755 --- a/fips-check.sh +++ b/fips-check.sh @@ -45,44 +45,99 @@ while [ "$1" ]; do done case "$FLAVOR" in -#linuxv2|fipsv2-OE-ready) -# FIPS_OPTION='v2' -# FIPS_VERSION='WCv4-stable' -# CRYPT_VERSION='WCv4-stable' -# RNG_VERSION='WCv4-rng-stable' -# WC_MODS=('aes' 'aes_asm' 'cmac' 'des3' 'dh' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha3' 'sha512') -# FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') -# FIPS_INCS=('fips.h') -# ;; -#netbsd-selftest) -# # non-FIPS, CAVP only but pull in selftest -# FIPS_OPTION='cavp-selftest' -# FIPS_VERSION='v3.14.2b' -# CRYPT_VERSION='v3.14.2' -# RNG_VERSION='v3.14.2' -# WC_MODS=('aes' 'dh' 'dsa' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha512') -# FIPS_SRCS=('selftest.c') -# ;; -#marvell-linux-selftest) -# # non-FIPS, CAVP only but pull in selftest -# FIPS_OPTION='cavp-selftest-v2' -# FIPS_VERSION='v3.14.2b' -# CRYPT_VERSION='v4.1.0-stable' -# RNG_VERSION='v4.1.0-stable' -# WC_MODS=('aes' 'dh' 'dsa' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha512') -# FIPS_SRCS=('selftest.c') -# ;; -#linuxv5) -# FIPS_OPTION='v5' -# FIPS_VERSION='WCv5.0-RC12' -# CRYPT_VERSION='WCv5.0-RC12' -# RNG_VERSION='WCv5.0-RC12' -# WC_MODS=('aes' 'aes_asm' 'cmac' 'dh' 'ecc' 'hmac' 'kdf' 'random' 'rsa' 'sha' 'sha256' 'sha256_asm' 'sha3' 'sha512' 'sha512_asm') -# FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') -# FIPS_INCS=('fips.h') -# COPY_DIRECT=('wolfcrypt/src/aes_gcm_asm.S') -# ;; -linuxv5a) +linuxv2|fipsv2-OE-ready|solaris) + FIPS_OPTION='v2' + FIPS_FILES=('WCv4-stable' + 'wolfcrypt/src/fips.c' + 'wolfcrypt/src/fips_test.c' + 'wolfcrypt/src/wolfcrypt_first.c' + 'wolfcrypt/src/wolfcrypt_last.c' + 'wolfssl/wolfcrypt/fips.h' + ) + WOLFCRYPT_FILES=( + 'wolfcrypt/src/aes.c:WCv4-stable' + 'wolfcrypt/src/aes_asm.S:WCv4-stable' + 'wolfcrypt/src/cmac.c:WCv4-stable' + 'wolfcrypt/src/des3.c:WCv4-stable' + 'wolfcrypt/src/dh.c:WCv4-stable' + 'wolfcrypt/src/ecc.c:WCv4-stable' + 'wolfcrypt/src/hmac.c:WCv4-stable' + 'wolfcrypt/src/random.c:WCv4-rng-stable' + 'wolfcrypt/src/rsa.c:WCv4-stable' + 'wolfcrypt/src/sha.c:WCv4-stable' + 'wolfcrypt/src/sha256.c:WCv4-stable' + 'wolfcrypt/src/sha3.c:WCv4-stable' + 'wolfcrypt/src/sha512.c:WCv4-stable' + 'wolfssl/wolfcrypt/aes.h:WCv4-stable' + 'wolfssl/wolfcrypt/cmac.h:WCv4-stable' + 'wolfssl/wolfcrypt/des3.h:WCv4-stable' + 'wolfssl/wolfcrypt/dh.h:WCv4-stable' + 'wolfssl/wolfcrypt/ecc.h:WCv4-stable' + 'wolfssl/wolfcrypt/hmac.h:WCv4-stable' + 'wolfssl/wolfcrypt/random.h:WCv4-rng-stable' + 'wolfssl/wolfcrypt/rsa.h:WCv4-stable' + 'wolfssl/wolfcrypt/sha.h:WCv4-stable' + 'wolfssl/wolfcrypt/sha256.h:WCv4-stable' + 'wolfssl/wolfcrypt/sha3.h:WCv4-stable' + 'wolfssl/wolfcrypt/sha512.h:WCv4-stable' + ) + if [ "$FLAVOR" = 'solaris' ]; then MAKE='gmake'; fi + ;; +netbsd-selftest) + # non-FIPS, CAVP only but pull in selftest + FIPS_OPTION='cavp-selftest' + FIPS_FILES=('v3.14.2b' 'wolfcrypt/src/selftest.c') + WOLFCRYPT_FILES=( + 'wolfcrypt/src/aes.c:v3.14.2' + 'wolfcrypt/src/dh.c:v3.14.2' + 'wolfcrypt/src/dsa.c:v3.14.2' + 'wolfcrypt/src/ecc.c:v3.14.2' + 'wolfcrypt/src/hmac.c:v3.14.2' + 'wolfcrypt/src/random.c:v3.14.2' + 'wolfcrypt/src/rsa.c:v3.14.2' + 'wolfcrypt/src/sha.c:v3.14.2' + 'wolfcrypt/src/sha256.c:v3.14.2' + 'wolfcrypt/src/sha512.c:v3.14.2' + 'wolfssl/wolfcrypt/aes.h:v3.14.2' + 'wolfssl/wolfcrypt/dh.h:v3.14.2' + 'wolfssl/wolfcrypt/dsa.h:v3.14.2' + 'wolfssl/wolfcrypt/ecc.h:v3.14.2' + 'wolfssl/wolfcrypt/hmac.h:v3.14.2' + 'wolfssl/wolfcrypt/random.h:v3.14.2' + 'wolfssl/wolfcrypt/rsa.h:v3.14.2' + 'wolfssl/wolfcrypt/sha.h:v3.14.2' + 'wolfssl/wolfcrypt/sha256.h:v3.14.2' + 'wolfssl/wolfcrypt/sha512.h:v3.14.2' + ) + ;; +marvell-linux-selftest) + # non-FIPS, CAVP only but pull in selftest + FIPS_OPTION='cavp-selftest-v2' + FIPS_FILES=('v3.14.2b' 'wolfcrypt/src/selftest.c') + WOLFCRYPT_FILES=( + 'wolfcrypt/src/aes.c:v4.1.0-stable' + 'wolfcrypt/src/dh.c:v4.1.0-stable' + 'wolfcrypt/src/dsa.c:v4.1.0-stable' + 'wolfcrypt/src/ecc.c:v4.1.0-stable' + 'wolfcrypt/src/hmac.c:v4.1.0-stable' + 'wolfcrypt/src/random.c:v4.1.0-stable' + 'wolfcrypt/src/rsa.c:v4.1.0-stable' + 'wolfcrypt/src/sha.c:v4.1.0-stable' + 'wolfcrypt/src/sha256.c:v4.1.0-stable' + 'wolfcrypt/src/sha512.c:v4.1.0-stable' + 'wolfssl/wolfcrypt/aes.h:v4.1.0-stable' + 'wolfssl/wolfcrypt/dh.h:v4.1.0-stable' + 'wolfssl/wolfcrypt/dsa.h:v4.1.0-stable' + 'wolfssl/wolfcrypt/ecc.h:v4.1.0-stable' + 'wolfssl/wolfcrypt/hmac.h:v4.1.0-stable' + 'wolfssl/wolfcrypt/random.h:v4.1.0-stable' + 'wolfssl/wolfcrypt/rsa.h:v4.1.0-stable' + 'wolfssl/wolfcrypt/sha.h:v4.1.0-stable' + 'wolfssl/wolfcrypt/sha256.h:v4.1.0-stable' + 'wolfssl/wolfcrypt/sha512.h:v4.1.0-stable' + ) + ;; +linuxv5) FIPS_OPTION='v5' FIPS_FILES=('WCv5.0-RC12' 'wolfcrypt/src/fips.c' @@ -122,7 +177,7 @@ linuxv5a) 'wolfssl/wolfcrypt/sha512.h:WCv5.0-RC12' ) ;; -fips-ready) +fips-ready|fips-dev) FIPS_OPTION='ready' FIPS_FILES=('master' 'wolfcrypt/src/fips.c' @@ -131,32 +186,27 @@ fips-ready) 'wolfcrypt/src/wolfcrypt_last.c' 'wolfssl/wolfcrypt/fips.h' ) + WOLFCRYPT_FILES=() + if [ "$FLAVOR" = 'fips-dev' ]; then FIPS_OPTION='dev'; fi + ;; +wolfrand) + FIPS_OPTION='rand' + FIPS_FILES=('WRv4-stable' + 'wolfcrypt/src/fips.c' + 'wolfcrypt/src/fips_test.c' + 'wolfcrypt/src/wolfcrypt_first.c' + 'wolfcrypt/src/wolfcrypt_last.c' + 'wolfssl/wolfcrypt/fips.h' + ) + WOLFCRYPT_FILES=( + 'wolfcrypt/src/hmac.c:WCv4-stable' + 'wolfcrypt/src/random.c:WCv4-rng-stable' + 'wolfcrypt/src/sha256.c:WCv4-stable' + 'wolfssl/wolfcrypt/hmac.h:WCv4-stable' + 'wolfssl/wolfcrypt/random.h:WCv4-rng-stable' + 'wolfssl/wolfcrypt/sha256.h:WCv4-stable' + ) ;; -#fips-dev) -# FIPS_OPTION='dev' -# FIPS_VERSION='master' -# FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') -# FIPS_INCS=('fips.h') -# ;; -#wolfrand) -# FIPS_OPTION='rand' -# FIPS_VERSION='WRv4-stable' -# CRYPT_VERSION='WCv4-stable' -# RNG_VERSION='WCv4-rng-stable' -# WC_MODS=('hmac' 'random' 'sha256') -# FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') -# FIPS_INCS=('fips.h') -# ;; -#solaris) -# FIPS_OPTION='v2' -# FIPS_VERSION='WCv4-stable' -# CRYPT_VERSION='WCv4-stable' -# RNG_VERSION='WCv4-rng-stable' -# WC_MODS=('aes' 'aes_asm' 'cmac' 'des3' 'dh' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha3' 'sha512') -# FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') -# FIPS_INCS=('fips.h') -# MAKE='gmake' -# ;; *) Usage exit 1 From 3e93c5e253830afc93113d7c53b1b59906d89212 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Thu, 17 Aug 2023 14:18:14 -0700 Subject: [PATCH 5/6] FIPS Check Script with Explicit Versioning 1. Move the command line updatable variables to the beginning of the script. 2. Reorder the OE names in the usage list. 3. Add the missing asm files. 4. Correct the regex for the fipsv2-OE-ready version name. --- fips-check.sh | 45 +++++++++++++++++++++++---------------------- 1 file changed, 23 insertions(+), 22 deletions(-) diff --git a/fips-check.sh b/fips-check.sh index 7820e637c..dc940f72d 100755 --- a/fips-check.sh +++ b/fips-check.sh @@ -9,27 +9,6 @@ # This should check out all the approved flavors. The command line # option selects the flavor. The keep option keeps the output # directory. -# -# Some variables may be overridden on the command line. - -Usage() { - cat <wolfcrypt/src/fips.c + sed "s/v4.0.0-alpha/fipsv2-OE-ready/" wolfcrypt/src/fips.c.bak >wolfcrypt/src/fips.c fi # run the make test From b9dbd86fabdc2e1214cb53177242d37b278b3eaa Mon Sep 17 00:00:00 2001 From: John Safranek Date: Fri, 18 Aug 2023 09:27:53 -0700 Subject: [PATCH 6/6] FIPS Check Script with Explicit Versioning 1. Remove the case block deciding if to checkout the wolfcrypt files or not, it is redundant. Things are set up now where we don't need it. 2. Comment reflow. Changes due to peer review: 3. Change the check for the temp mytag branches to use a git command that provides an exact match, rather than a foulable grep check. 4. Change the fips repo file checkout to work the same way as the wolfcrypt files. Each file in the copy list is tagged with its revision. --- fips-check.sh | 123 +++++++++++++++++++++++++------------------------- 1 file changed, 61 insertions(+), 62 deletions(-) diff --git a/fips-check.sh b/fips-check.sh index dc940f72d..bd4d516b8 100755 --- a/fips-check.sh +++ b/fips-check.sh @@ -46,12 +46,12 @@ done case "$FLAVOR" in linuxv2|fipsv2-OE-ready|solaris) FIPS_OPTION='v2' - FIPS_FILES=('WCv4-stable' - 'wolfcrypt/src/fips.c' - 'wolfcrypt/src/fips_test.c' - 'wolfcrypt/src/wolfcrypt_first.c' - 'wolfcrypt/src/wolfcrypt_last.c' - 'wolfssl/wolfcrypt/fips.h' + FIPS_FILES=( + 'wolfcrypt/src/fips.c:WCv4-stable' + 'wolfcrypt/src/fips_test.c:WCv4-stable' + 'wolfcrypt/src/wolfcrypt_first.c:WCv4-stable' + 'wolfcrypt/src/wolfcrypt_last.c:WCv4-stable' + 'wolfssl/wolfcrypt/fips.h:WCv4-stable' ) WOLFCRYPT_FILES=( 'wolfcrypt/src/aes.c:WCv4-stable' @@ -86,7 +86,7 @@ linuxv2|fipsv2-OE-ready|solaris) netbsd-selftest) # non-FIPS, CAVP only but pull in selftest FIPS_OPTION='cavp-selftest' - FIPS_FILES=('v3.14.2b' 'wolfcrypt/src/selftest.c') + FIPS_FILES=('wolfcrypt/src/selftest.c:v3.14.2b') WOLFCRYPT_FILES=( 'wolfcrypt/src/aes.c:v3.14.2' 'wolfcrypt/src/dh.c:v3.14.2' @@ -113,7 +113,7 @@ netbsd-selftest) marvell-linux-selftest) # non-FIPS, CAVP only but pull in selftest FIPS_OPTION='cavp-selftest-v2' - FIPS_FILES=('v3.14.2b' 'wolfcrypt/src/selftest.c') + FIPS_FILES=('wolfcrypt/src/selftest.c:v3.14.2b') WOLFCRYPT_FILES=( 'wolfcrypt/src/aes.c:v4.1.0-stable' 'wolfcrypt/src/dh.c:v4.1.0-stable' @@ -139,12 +139,12 @@ marvell-linux-selftest) ;; linuxv5) FIPS_OPTION='v5' - FIPS_FILES=('WCv5.0-RC12' - 'wolfcrypt/src/fips.c' - 'wolfcrypt/src/fips_test.c' - 'wolfcrypt/src/wolfcrypt_first.c' - 'wolfcrypt/src/wolfcrypt_last.c' - 'wolfssl/wolfcrypt/fips.h' + FIPS_FILES=( + 'wolfcrypt/src/fips.c:WCv5.0-RC12' + 'wolfcrypt/src/fips_test.c:WCv5.0-RC12' + 'wolfcrypt/src/wolfcrypt_first.c:WCv5.0-RC12' + 'wolfcrypt/src/wolfcrypt_last.c:WCv5.0-RC12' + 'wolfssl/wolfcrypt/fips.h:WCv5.0-RC12' ) WOLFCRYPT_FILES=( 'wolfcrypt/src/aes.c:WCv5.0-RC12' @@ -180,24 +180,24 @@ linuxv5) ;; fips-ready|fips-dev) FIPS_OPTION='ready' - FIPS_FILES=('master' - 'wolfcrypt/src/fips.c' - 'wolfcrypt/src/fips_test.c' - 'wolfcrypt/src/wolfcrypt_first.c' - 'wolfcrypt/src/wolfcrypt_last.c' - 'wolfssl/wolfcrypt/fips.h' + FIPS_FILES=( + 'wolfcrypt/src/fips.c:master' + 'wolfcrypt/src/fips_test.c:master' + 'wolfcrypt/src/wolfcrypt_first.c:master' + 'wolfcrypt/src/wolfcrypt_last.c:master' + 'wolfssl/wolfcrypt/fips.h:master' ) WOLFCRYPT_FILES=() if [ "$FLAVOR" = 'fips-dev' ]; then FIPS_OPTION='dev'; fi ;; wolfrand) FIPS_OPTION='rand' - FIPS_FILES=('WRv4-stable' - 'wolfcrypt/src/fips.c' - 'wolfcrypt/src/fips_test.c' - 'wolfcrypt/src/wolfcrypt_first.c' - 'wolfcrypt/src/wolfcrypt_last.c' - 'wolfssl/wolfcrypt/fips.h' + FIPS_FILES=( + 'wolfcrypt/src/fips.c:WRv4-stable' + 'wolfcrypt/src/fips_test.c:WRv4-stable' + 'wolfcrypt/src/wolfcrypt_first.c:WRv4-stable' + 'wolfcrypt/src/wolfcrypt_last.c:WRv4-stable' + 'wolfssl/wolfcrypt/fips.h:WRv4-stable' ) WOLFCRYPT_FILES=( 'wolfcrypt/src/hmac.c:WCv4-stable' @@ -213,14 +213,17 @@ wolfrand) exit 1 esac -# checkout_files takes an array of pairs of file paths and git tags to checkout. -# It will check to see if mytag exists and if not will make that tag a branch. +# checkout_files takes an array of pairs of file paths and git tags to +# checkout. It will check to see if mytag exists and if not will make that +# tag a branch. function checkout_files() { + local name + local tag for file_entry in "$@" do - local name=${file_entry%%:*} - local tag=${file_entry#*:} - if ! $GIT branch --list | grep --quiet "my$tag" + name=${file_entry%%:*} + tag=${file_entry#*:} + if ! $GIT rev-parse -q --verify "my$tag" >/dev/null then $GIT branch --no-track "my$tag" "$tag" || exit $? fi @@ -228,20 +231,27 @@ function checkout_files() { done } -# copy_fips_files clones the FIPS repository. It takes an array of file paths, where -# it breaks apart into file name and path, then copies it from the file from the fips -# directory to the path. The first item is the name of the tag. +# copy_fips_files takes an array of pairs of file paths and git tags to +# checkout. It will check to see if mytag exists and if now will make that +# tag a branch. It breaks the filepath apart into file name and path, then +# copies it from the file from the fips directory to the path. function copy_fips_files() { - local tag="$1" - shift - if ! $GIT clone --depth 1 -b "$tag" "$FIPS_REPO" fips - then - echo "fips-check: Couldn't check out $tag from FIPS repository." - exit 1 - fi - for file_path in "$@" + local name + local bname + local dname + local tag + for file_entry in "$@" do - cp fips/"$(basename "$file_path")" "$(dirname "$file_path")" + name=${file_entry%%:*} + tag=${file_entry#*:} + bname=$(basename "$name") + dname=$(dirname "$name") + if ! $GIT rev-parse -q --verify "my$tag" >/dev/null + then + $GIT branch --no-track "my$tag" "$tag" || exit $? + fi + $GIT checkout "my$tag" -- "$bname" || exit $? + cp "$bname" "../$dname" done } @@ -252,27 +262,16 @@ fi pushd "$TEST_DIR" || exit 2 -case "$FIPS_OPTION" in - -*dev) - echo "Don't need to copy in tagged wolfCrypt files for fips-dev." - ;; - -*ready) - echo "Don't need to copy in tagged wolfCrypt files for FIPS Ready." - ;; - -cavp-selftest*|v2|rand|v5*) - checkout_files "${WOLFCRYPT_FILES[@]}" - ;; - -*) - echo "fips-check: Invalid FIPS option ${FIPS_OPTION}." +if ! $GIT clone "$FIPS_REPO" fips +then + echo "fips-check: Couldn't check out FIPS repository." exit 1 - ;; -esac +fi -copy_fips_files "${FIPS_FILES[@]}" +checkout_files "${WOLFCRYPT_FILES[@]}" || exit 3 +pushd fips || exit 2 +copy_fips_files "${FIPS_FILES[@]}" || exit 3 +popd || exit 2 # When checking out cert 3389 ready code, NIST will no longer perform # new certifications on 140-2 modules. If we were to use the latest files from