feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #6713 from ejohnstown/fips-check-exp-ver

Browse Source 
FIPS Check Script with Explicit Versioning
This commit is contained in:
JacobBarthelmeh
2023-08-18 11:20:23 -06:00
committed by GitHub
parent 033b0785e3 b9dbd86fab
commit 65217cbc70
1 changed files with 227 additions and 158 deletions
Download Patch File Download Diff File Expand all files Collapse all files

383
fips-check.sh
View File

@@ -9,27 +9,6 @@
# This should check out all the approved flavors. The command line # This should check out all the approved flavors. The command line
# option selects the flavor. The keep option keeps the output # option selects the flavor. The keep option keeps the output
# directory. # directory.
#
# Some variables may be overridden on the command line.
Usage() {
cat <<usageText
Usage: $0 [flavor] [keep]
Flavor is one of:
netbsd-selftest
marvell-linux-selftest
linuxv2 (FIPSv2, use for Win10)
wolfrand
solaris
linuxv5 (current FIPS 140-3)
fips-ready (ready FIPS 140-3)
fips-dev (dev FIPS 140-3)
Keep (default off) retains the XXX-fips-test temp dir for inspection.
Example:
$0 windows keep
usageText
}
# These variables may be overridden on the command line. # These variables may be overridden on the command line.
MAKE="${MAKE:-make}" MAKE="${MAKE:-make}"
@@ -37,90 +16,245 @@ GIT="${GIT:-git -c advice.detachedHead=false}"
TEST_DIR="${TEST_DIR:-XXX-fips-test}" TEST_DIR="${TEST_DIR:-XXX-fips-test}"
FLAVOR="${FLAVOR:-linux}" FLAVOR="${FLAVOR:-linux}"
KEEP="${KEEP:-no}" KEEP="${KEEP:-no}"
FIPS_REPO="${FIPS_REPO:-git@github.com:wolfssl/fips.git}"
Usage() {
cat <<usageText
Usage: $0 [flavor] [keep]
Flavor is one of:
linuxv2 (FIPSv2, use for Win10)
fipsv2-OE-ready (ready FIPSv2)
solaris
netbsd-selftest
marvell-linux-selftest
linuxv5 (current FIPS 140-3)
fips-ready (ready FIPS 140-3)
fips-dev (dev FIPS 140-3)
wolfrand
Keep (default off) retains the temp dir $TEST_DIR for inspection.
Example:
$0 windows keep
usageText
}
while [ "$1" ]; do while [ "$1" ]; do
if [ "$1" = 'keep' ]; then KEEP='yes'; else FLAVOR="$1"; fi if [ "$1" = 'keep' ]; then KEEP='yes'; else FLAVOR="$1"; fi
shift shift
done done
FIPS_REPO='git@github.com:wolfssl/fips.git'
CRYPT_INC_PATH='wolfssl/wolfcrypt'
CRYPT_SRC_PATH='wolfcrypt/src'
case "$FLAVOR" in case "$FLAVOR" in
linuxv2|fipsv2-OE-ready) linuxv2|fipsv2-OE-ready|solaris)
FIPS_OPTION='v2' FIPS_OPTION='v2'
FIPS_VERSION='WCv4-stable' FIPS_FILES=(
CRYPT_VERSION='WCv4-stable' 'wolfcrypt/src/fips.c:WCv4-stable'
RNG_VERSION='WCv4-rng-stable' 'wolfcrypt/src/fips_test.c:WCv4-stable'
WC_MODS=('aes' 'aes_asm' 'cmac' 'des3' 'dh' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha3' 'sha512') 'wolfcrypt/src/wolfcrypt_first.c:WCv4-stable'
FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') 'wolfcrypt/src/wolfcrypt_last.c:WCv4-stable'
FIPS_INCS=('fips.h') 'wolfssl/wolfcrypt/fips.h:WCv4-stable'
)
WOLFCRYPT_FILES=(
'wolfcrypt/src/aes.c:WCv4-stable'
'wolfcrypt/src/aes_asm.asm:WCv4-stable'
'wolfcrypt/src/aes_asm.S:WCv4-stable'
'wolfcrypt/src/cmac.c:WCv4-stable'
'wolfcrypt/src/des3.c:WCv4-stable'
'wolfcrypt/src/dh.c:WCv4-stable'
'wolfcrypt/src/ecc.c:WCv4-stable'
'wolfcrypt/src/hmac.c:WCv4-stable'
'wolfcrypt/src/random.c:WCv4-rng-stable'
'wolfcrypt/src/rsa.c:WCv4-stable'
'wolfcrypt/src/sha.c:WCv4-stable'
'wolfcrypt/src/sha256.c:WCv4-stable'
'wolfcrypt/src/sha3.c:WCv4-stable'
'wolfcrypt/src/sha512.c:WCv4-stable'
'wolfssl/wolfcrypt/aes.h:WCv4-stable'
'wolfssl/wolfcrypt/cmac.h:WCv4-stable'
'wolfssl/wolfcrypt/des3.h:WCv4-stable'
'wolfssl/wolfcrypt/dh.h:WCv4-stable'
'wolfssl/wolfcrypt/ecc.h:WCv4-stable'
'wolfssl/wolfcrypt/hmac.h:WCv4-stable'
'wolfssl/wolfcrypt/random.h:WCv4-rng-stable'
'wolfssl/wolfcrypt/rsa.h:WCv4-stable'
'wolfssl/wolfcrypt/sha.h:WCv4-stable'
'wolfssl/wolfcrypt/sha256.h:WCv4-stable'
'wolfssl/wolfcrypt/sha3.h:WCv4-stable'
'wolfssl/wolfcrypt/sha512.h:WCv4-stable'
)
if [ "$FLAVOR" = 'solaris' ]; then MAKE='gmake'; fi
;; ;;
netbsd-selftest) netbsd-selftest)
# non-FIPS, CAVP only but pull in selftest # non-FIPS, CAVP only but pull in selftest
FIPS_OPTION='cavp-selftest' FIPS_OPTION='cavp-selftest'
FIPS_VERSION='v3.14.2b' FIPS_FILES=('wolfcrypt/src/selftest.c:v3.14.2b')
CRYPT_VERSION='v3.14.2' WOLFCRYPT_FILES=(
RNG_VERSION='v3.14.2' 'wolfcrypt/src/aes.c:v3.14.2'
WC_MODS=('aes' 'dh' 'dsa' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha512') 'wolfcrypt/src/dh.c:v3.14.2'
FIPS_SRCS=('selftest.c') 'wolfcrypt/src/dsa.c:v3.14.2'
'wolfcrypt/src/ecc.c:v3.14.2'
'wolfcrypt/src/hmac.c:v3.14.2'
'wolfcrypt/src/random.c:v3.14.2'
'wolfcrypt/src/rsa.c:v3.14.2'
'wolfcrypt/src/sha.c:v3.14.2'
'wolfcrypt/src/sha256.c:v3.14.2'
'wolfcrypt/src/sha512.c:v3.14.2'
'wolfssl/wolfcrypt/aes.h:v3.14.2'
'wolfssl/wolfcrypt/dh.h:v3.14.2'
'wolfssl/wolfcrypt/dsa.h:v3.14.2'
'wolfssl/wolfcrypt/ecc.h:v3.14.2'
'wolfssl/wolfcrypt/hmac.h:v3.14.2'
'wolfssl/wolfcrypt/random.h:v3.14.2'
'wolfssl/wolfcrypt/rsa.h:v3.14.2'
'wolfssl/wolfcrypt/sha.h:v3.14.2'
'wolfssl/wolfcrypt/sha256.h:v3.14.2'
'wolfssl/wolfcrypt/sha512.h:v3.14.2'
)
;; ;;
marvell-linux-selftest) marvell-linux-selftest)
# non-FIPS, CAVP only but pull in selftest # non-FIPS, CAVP only but pull in selftest
FIPS_OPTION='cavp-selftest-v2' FIPS_OPTION='cavp-selftest-v2'
FIPS_VERSION='v3.14.2b' FIPS_FILES=('wolfcrypt/src/selftest.c:v3.14.2b')
CRYPT_VERSION='v4.1.0-stable' WOLFCRYPT_FILES=(
RNG_VERSION='v4.1.0-stable' 'wolfcrypt/src/aes.c:v4.1.0-stable'
WC_MODS=('aes' 'dh' 'dsa' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha512') 'wolfcrypt/src/dh.c:v4.1.0-stable'
FIPS_SRCS=('selftest.c') 'wolfcrypt/src/dsa.c:v4.1.0-stable'
'wolfcrypt/src/ecc.c:v4.1.0-stable'
'wolfcrypt/src/hmac.c:v4.1.0-stable'
'wolfcrypt/src/random.c:v4.1.0-stable'
'wolfcrypt/src/rsa.c:v4.1.0-stable'
'wolfcrypt/src/sha.c:v4.1.0-stable'
'wolfcrypt/src/sha256.c:v4.1.0-stable'
'wolfcrypt/src/sha512.c:v4.1.0-stable'
'wolfssl/wolfcrypt/aes.h:v4.1.0-stable'
'wolfssl/wolfcrypt/dh.h:v4.1.0-stable'
'wolfssl/wolfcrypt/dsa.h:v4.1.0-stable'
'wolfssl/wolfcrypt/ecc.h:v4.1.0-stable'
'wolfssl/wolfcrypt/hmac.h:v4.1.0-stable'
'wolfssl/wolfcrypt/random.h:v4.1.0-stable'
'wolfssl/wolfcrypt/rsa.h:v4.1.0-stable'
'wolfssl/wolfcrypt/sha.h:v4.1.0-stable'
'wolfssl/wolfcrypt/sha256.h:v4.1.0-stable'
'wolfssl/wolfcrypt/sha512.h:v4.1.0-stable'
)
;; ;;
linuxv5) linuxv5)
FIPS_OPTION='v5' FIPS_OPTION='v5'
FIPS_VERSION='WCv5.0-RC12' FIPS_FILES=(
CRYPT_VERSION='WCv5.0-RC12' 'wolfcrypt/src/fips.c:WCv5.0-RC12'
RNG_VERSION='WCv5.0-RC12' 'wolfcrypt/src/fips_test.c:WCv5.0-RC12'
WC_MODS=('aes' 'aes_asm' 'cmac' 'dh' 'ecc' 'hmac' 'kdf' 'random' 'rsa' 'sha' 'sha256' 'sha256_asm' 'sha3' 'sha512' 'sha512_asm') 'wolfcrypt/src/wolfcrypt_first.c:WCv5.0-RC12'
FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') 'wolfcrypt/src/wolfcrypt_last.c:WCv5.0-RC12'
FIPS_INCS=('fips.h') 'wolfssl/wolfcrypt/fips.h:WCv5.0-RC12'
COPY_DIRECT=('wolfcrypt/src/aes_gcm_asm.S') )
WOLFCRYPT_FILES=(
'wolfcrypt/src/aes.c:WCv5.0-RC12'
'wolfcrypt/src/aes_asm.asm:WCv5.0-RC12'
'wolfcrypt/src/aes_asm.S:WCv5.0-RC12'
'wolfcrypt/src/aes_gcm_asm.S:WCv5.0-RC12'
'wolfcrypt/src/cmac.c:WCv5.0-RC12'
'wolfcrypt/src/dh.c:WCv5.0-RC12'
'wolfcrypt/src/ecc.c:WCv5.0-RC12'
'wolfcrypt/src/hmac.c:WCv5.0-RC12'
'wolfcrypt/src/kdf.c:WCv5.0-RC12'
'wolfcrypt/src/random.c:WCv5.0-RC12'
'wolfcrypt/src/rsa.c:WCv5.0-RC12'
'wolfcrypt/src/sha.c:WCv5.0-RC12'
'wolfcrypt/src/sha256.c:WCv5.0-RC12'
'wolfcrypt/src/sha256_asm.S:WCv5.0-RC12'
'wolfcrypt/src/sha3.c:WCv5.0-RC12'
'wolfcrypt/src/sha512.c:WCv5.0-RC12'
'wolfcrypt/src/sha512_asm.S:WCv5.0-RC12'
'wolfssl/wolfcrypt/aes.h:WCv5.0-RC12'
'wolfssl/wolfcrypt/cmac.h:WCv5.0-RC12'
'wolfssl/wolfcrypt/dh.h:WCv5.0-RC12'
'wolfssl/wolfcrypt/ecc.h:WCv5.0-RC12'
'wolfssl/wolfcrypt/hmac.h:WCv5.0-RC12'
'wolfssl/wolfcrypt/kdf.h:WCv5.0-RC12'
'wolfssl/wolfcrypt/random.h:WCv5.0-RC12'
'wolfssl/wolfcrypt/rsa.h:WCv5.0-RC12'
'wolfssl/wolfcrypt/sha.h:WCv5.0-RC12'
'wolfssl/wolfcrypt/sha256.h:WCv5.0-RC12'
'wolfssl/wolfcrypt/sha3.h:WCv5.0-RC12'
'wolfssl/wolfcrypt/sha512.h:WCv5.0-RC12'
)
;; ;;
fips-ready) fips-ready|fips-dev)
FIPS_OPTION='ready' FIPS_OPTION='ready'
FIPS_VERSION='master' FIPS_FILES=(
FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') 'wolfcrypt/src/fips.c:master'
FIPS_INCS=('fips.h') 'wolfcrypt/src/fips_test.c:master'
;; 'wolfcrypt/src/wolfcrypt_first.c:master'
fips-dev) 'wolfcrypt/src/wolfcrypt_last.c:master'
FIPS_OPTION='dev' 'wolfssl/wolfcrypt/fips.h:master'
FIPS_VERSION='master' )
FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') WOLFCRYPT_FILES=()
FIPS_INCS=('fips.h') if [ "$FLAVOR" = 'fips-dev' ]; then FIPS_OPTION='dev'; fi
;; ;;
wolfrand) wolfrand)
FIPS_OPTION='rand' FIPS_OPTION='rand'
FIPS_VERSION='WRv4-stable' FIPS_FILES=(
CRYPT_VERSION='WCv4-stable' 'wolfcrypt/src/fips.c:WRv4-stable'
RNG_VERSION='WCv4-rng-stable' 'wolfcrypt/src/fips_test.c:WRv4-stable'
WC_MODS=('hmac' 'random' 'sha256') 'wolfcrypt/src/wolfcrypt_first.c:WRv4-stable'
FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') 'wolfcrypt/src/wolfcrypt_last.c:WRv4-stable'
FIPS_INCS=('fips.h') 'wolfssl/wolfcrypt/fips.h:WRv4-stable'
;; )
solaris) WOLFCRYPT_FILES=(
FIPS_OPTION='v2' 'wolfcrypt/src/hmac.c:WCv4-stable'
FIPS_VERSION='WCv4-stable' 'wolfcrypt/src/random.c:WCv4-rng-stable'
CRYPT_VERSION='WCv4-stable' 'wolfcrypt/src/sha256.c:WCv4-stable'
RNG_VERSION='WCv4-rng-stable' 'wolfssl/wolfcrypt/hmac.h:WCv4-stable'
WC_MODS=('aes' 'aes_asm' 'cmac' 'des3' 'dh' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha3' 'sha512') 'wolfssl/wolfcrypt/random.h:WCv4-rng-stable'
FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') 'wolfssl/wolfcrypt/sha256.h:WCv4-stable'
FIPS_INCS=('fips.h') )
MAKE='gmake'
;; ;;
*) *)
Usage Usage
exit 1 exit 1
esac esac
# checkout_files takes an array of pairs of file paths and git tags to
# checkout. It will check to see if mytag exists and if not will make that
# tag a branch.
function checkout_files() {
local name
local tag
for file_entry in "$@"
do
name=${file_entry%%:*}
tag=${file_entry#*:}
if ! $GIT rev-parse -q --verify "my$tag" >/dev/null
then
$GIT branch --no-track "my$tag" "$tag" || exit $?
fi
$GIT checkout "my$tag" -- "$name" || exit $?
done
}
# copy_fips_files takes an array of pairs of file paths and git tags to
# checkout. It will check to see if mytag exists and if now will make that
# tag a branch. It breaks the filepath apart into file name and path, then
# copies it from the file from the fips directory to the path.
function copy_fips_files() {
local name
local bname
local dname
local tag
for file_entry in "$@"
do
name=${file_entry%%:*}
tag=${file_entry#*:}
bname=$(basename "$name")
dname=$(dirname "$name")
if ! $GIT rev-parse -q --verify "my$tag" >/dev/null
then
$GIT branch --no-track "my$tag" "$tag" || exit $?
fi
$GIT checkout "my$tag" -- "$bname" || exit $?
cp "$bname" "../$dname"
done
}
if ! $GIT clone . "$TEST_DIR"; then if ! $GIT clone . "$TEST_DIR"; then
echo "fips-check: Couldn't duplicate current working directory." echo "fips-check: Couldn't duplicate current working directory."
exit 1 exit 1
@@ -128,80 +262,16 @@ fi
pushd "$TEST_DIR" || exit 2 pushd "$TEST_DIR" || exit 2
case "$FIPS_OPTION" in if ! $GIT clone "$FIPS_REPO" fips
then
*dev) echo "fips-check: Couldn't check out FIPS repository."
echo "Don't need to copy in tagged wolfCrypt files for fips-dev."
;;
*ready)
echo "Don't need to copy in tagged wolfCrypt files for FIPS Ready."
;;
cavp-selftest*|v2|rand|v5*)
$GIT branch --no-track "my$CRYPT_VERSION" "$CRYPT_VERSION" || exit $?
# Checkout the fips versions of the wolfCrypt files from the repo.
for MOD in "${WC_MODS[@]}"
do
if [ -f "$CRYPT_SRC_PATH/$MOD.c" ]; then
$GIT checkout "my$CRYPT_VERSION" -- "$CRYPT_SRC_PATH/$MOD.c" || exit $?
fi
# aes_asm.S, sha256_asm.S sha512_asm.S
if [ -f "$CRYPT_SRC_PATH/$MOD.S" ]; then
echo "Checking out asm file: $MOD.S"
$GIT checkout "my$CRYPT_VERSION" -- "$CRYPT_SRC_PATH/$MOD.S" || exit $?
fi
# aes_asm.asm
if [ -f "$CRYPT_SRC_PATH/$MOD.asm" ]; then
echo "Checking out asm file: $MOD.asm"
$GIT checkout "my$CRYPT_VERSION" -- "$CRYPT_SRC_PATH/$MOD.asm" || exit $?
fi
if [ -f "$CRYPT_INC_PATH/$MOD.h" ]; then
$GIT checkout "my$CRYPT_VERSION" -- "$CRYPT_INC_PATH/$MOD.h" || exit $?
fi
done
for MOD in "${COPY_DIRECT[@]}"
do
$GIT checkout "my$CRYPT_VERSION" -- "$MOD" || exit $?
done
$GIT branch --no-track "myrng$RNG_VERSION" "$RNG_VERSION" || exit $?
# Checkout the fips versions of the wolfCrypt files from the repo.
$GIT checkout "myrng$RNG_VERSION" -- "$CRYPT_SRC_PATH/random.c" "$CRYPT_INC_PATH/random.h" || exit $?
;;
*)
echo "fips-check: Invalid FIPS option \"${FIPS_OPTION}\"."
exit 1
;;
esac
# clone the FIPS repository
case "$FIPS_OPTION" in
*dev)
if ! $GIT clone --depth 1 "$FIPS_REPO" fips; then
echo "fips-check: Couldn't check out the FIPS repository for fips-dev."
exit 1 exit 1
fi fi
;;
*)
if ! $GIT clone --depth 1 -b "$FIPS_VERSION" "$FIPS_REPO" fips; then
echo "fips-check: Couldn't check out ${FIPS_VERSION} from repository ${FIPS_REPO}."
exit 1
fi
;;
esac
for SRC in "${FIPS_SRCS[@]}" checkout_files "${WOLFCRYPT_FILES[@]}" || exit 3
do pushd fips || exit 2
cp "fips/$SRC" "$CRYPT_SRC_PATH" copy_fips_files "${FIPS_FILES[@]}" || exit 3
done popd || exit 2
for INC in "${FIPS_INCS[@]}"
do
cp "fips/$INC" "$CRYPT_INC_PATH"
done
# When checking out cert 3389 ready code, NIST will no longer perform # When checking out cert 3389 ready code, NIST will no longer perform
# new certifications on 140-2 modules. If we were to use the latest files from # new certifications on 140-2 modules. If we were to use the latest files from
@@ -209,11 +279,10 @@ done
# Since OE additions can still be processed for cert3389 we will call 140-2 # Since OE additions can still be processed for cert3389 we will call 140-2
# ready "fipsv2-OE-ready" indicating it is ready to use for an OE addition but # ready "fipsv2-OE-ready" indicating it is ready to use for an OE addition but
# would not be good for a new certification effort with the latest files. # would not be good for a new certification effort with the latest files.
if [ "$FLAVOR" = 'fipsv2-OE-ready' ]; then if [ "$FLAVOR" = 'fipsv2-OE-ready' ] && [ -s wolfcrypt/src/fips.c ]
OLD_VERSION=" return \"v4.0.0-alpha\";" then
OE_READY_VERSION=" return \"fipsv2-OE-ready\";" cp wolfcrypt/src/fips.c wolfcrypt/src/fips.c.bak
cp "${CRYPT_SRC_PATH}/fips.c" "${CRYPT_SRC_PATH}/fips.c.bak" sed "s/v4.0.0-alpha/fipsv2-OE-ready/" wolfcrypt/src/fips.c.bak >wolfcrypt/src/fips.c
sed "s/^${OLD_VERSION}/${OE_READY_VERSION}/" "${CRYPT_SRC_PATH}/fips.c.bak" >"${CRYPT_SRC_PATH}/fips.c"
fi fi
# run the make test # run the make test
@@ -233,29 +302,29 @@ esac
if ! $MAKE if ! $MAKE
then then
echo "fips-check: Make failed. Debris left for analysis." echo 'fips-check: Make failed. Debris left for analysis.'
exit 3 exit 3
fi fi
if [ -s "${CRYPT_SRC_PATH}/fips_test.c" ] if [ -s wolfcrypt/src/fips_test.c ]
then then
NEWHASH=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p') NEWHASH=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
if [ -n "$NEWHASH" ]; then if [ -n "$NEWHASH" ]; then
cp "${CRYPT_SRC_PATH}/fips_test.c" "${CRYPT_SRC_PATH}/fips_test.c.bak" cp wolfcrypt/src/fips_test.c wolfcrypt/src/fips_test.c.bak
sed "s/^\".*\";/\"${NEWHASH}\";/" "${CRYPT_SRC_PATH}/fips_test.c.bak" >"${CRYPT_SRC_PATH}/fips_test.c" sed "s/^\".*\";/\"${NEWHASH}\";/" wolfcrypt/src/fips_test.c.bak >wolfcrypt/src/fips_test.c
make clean make clean
fi fi
fi fi
if ! $MAKE check if ! $MAKE check
then then
echo "fips-check: Test failed. Debris left for analysis." echo 'fips-check: Test failed. Debris left for analysis.'
exit 3 exit 3
fi fi
# Clean up # Clean up
popd || exit 2 popd || exit 2
if [ "$KEEP" = "no" ]; if [ "$KEEP" = 'no' ];
then then
rm -rf "$TEST_DIR" rm -rf "$TEST_DIR"
fi fi