wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-02 12:14:38 +02:00
Code Issues Packages Projects Releases Wiki Activity

FIPS Check Script with Explicit Versioning

Browse Source 
1. Add an optional initialized variable for the KEEP option and default
   it to 'yes' temporarily.
2. Comment out all the descriptions for all the OEs except the test OE.
3. Update the copy FIPS file list format to have the file path and add
   the tag to use for copying as the first item.
4. Merge the branch-creation and file checkout into one function. Remove
   the local path changing.
5. Update and simplify the FIPS file copying function.
6. Remove the old copying code.
7. When updating the fipsv2-OE-ready version string, also check that
   fips.c is non-zero.
8. Use explicit paths for files.
This commit is contained in:
John Safranek
2023-08-17 11:29:25 -07:00
parent 0fd96be7f8
commit 98c50e05a3
1 changed files with 109 additions and 149 deletions
Download Patch File Download Diff File Expand all files Collapse all files

258
fips-check.sh
View File

@@ -36,66 +36,63 @@ MAKE="${MAKE:-make}"
GIT="${GIT:-git -c advice.detachedHead=false}" GIT="${GIT:-git -c advice.detachedHead=false}"
TEST_DIR="${TEST_DIR:-XXX-fips-test}" TEST_DIR="${TEST_DIR:-XXX-fips-test}"
FLAVOR="${FLAVOR:-linux}" FLAVOR="${FLAVOR:-linux}"
KEEP="${KEEP:-no}" #KEEP="${KEEP:-no}"
KEEP="${KEEP:-yes}"
#FIPS_REPO="${FIPS_REPO:-git@github.com:wolfssl/fips.git}"
while [ "$1" ]; do while [ "$1" ]; do
if [ "$1" = 'new' ]; then DO_NEW_ACTION='yes'; else if [ "$1" = 'keep' ]; then KEEP='yes'; else FLAVOR="$1"; fi
if [ "$1" = 'keep' ]; then KEEP='yes'; else FLAVOR="$1"; fi; fi
shift shift
done done
FIPS_REPO='git@github.com:wolfssl/fips.git'
CRYPT_INC_PATH='wolfssl/wolfcrypt'
CRYPT_SRC_PATH='wolfcrypt/src'
case "$FLAVOR" in case "$FLAVOR" in
linuxv2|fipsv2-OE-ready) #linuxv2|fipsv2-OE-ready)
FIPS_OPTION='v2' # FIPS_OPTION='v2'
FIPS_VERSION='WCv4-stable' # FIPS_VERSION='WCv4-stable'
CRYPT_VERSION='WCv4-stable' # CRYPT_VERSION='WCv4-stable'
RNG_VERSION='WCv4-rng-stable' # RNG_VERSION='WCv4-rng-stable'
WC_MODS=('aes' 'aes_asm' 'cmac' 'des3' 'dh' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha3' 'sha512') # WC_MODS=('aes' 'aes_asm' 'cmac' 'des3' 'dh' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha3' 'sha512')
FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') # FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c')
FIPS_INCS=('fips.h') # FIPS_INCS=('fips.h')
;; # ;;
netbsd-selftest) #netbsd-selftest)
# non-FIPS, CAVP only but pull in selftest # # non-FIPS, CAVP only but pull in selftest
FIPS_OPTION='cavp-selftest' # FIPS_OPTION='cavp-selftest'
FIPS_VERSION='v3.14.2b' # FIPS_VERSION='v3.14.2b'
CRYPT_VERSION='v3.14.2' # CRYPT_VERSION='v3.14.2'
RNG_VERSION='v3.14.2' # RNG_VERSION='v3.14.2'
WC_MODS=('aes' 'dh' 'dsa' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha512') # WC_MODS=('aes' 'dh' 'dsa' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha512')
FIPS_SRCS=('selftest.c') # FIPS_SRCS=('selftest.c')
;; # ;;
marvell-linux-selftest) #marvell-linux-selftest)
# non-FIPS, CAVP only but pull in selftest # # non-FIPS, CAVP only but pull in selftest
FIPS_OPTION='cavp-selftest-v2' # FIPS_OPTION='cavp-selftest-v2'
FIPS_VERSION='v3.14.2b' # FIPS_VERSION='v3.14.2b'
CRYPT_VERSION='v4.1.0-stable' # CRYPT_VERSION='v4.1.0-stable'
RNG_VERSION='v4.1.0-stable' # RNG_VERSION='v4.1.0-stable'
WC_MODS=('aes' 'dh' 'dsa' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha512') # WC_MODS=('aes' 'dh' 'dsa' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha512')
FIPS_SRCS=('selftest.c') # FIPS_SRCS=('selftest.c')
;; # ;;
linuxv5) #linuxv5)
FIPS_OPTION='v5' # FIPS_OPTION='v5'
FIPS_VERSION='WCv5.0-RC12' # FIPS_VERSION='WCv5.0-RC12'
CRYPT_VERSION='WCv5.0-RC12' # CRYPT_VERSION='WCv5.0-RC12'
RNG_VERSION='WCv5.0-RC12' # RNG_VERSION='WCv5.0-RC12'
WC_MODS=('aes' 'aes_asm' 'cmac' 'dh' 'ecc' 'hmac' 'kdf' 'random' 'rsa' 'sha' 'sha256' 'sha256_asm' 'sha3' 'sha512' 'sha512_asm') # WC_MODS=('aes' 'aes_asm' 'cmac' 'dh' 'ecc' 'hmac' 'kdf' 'random' 'rsa' 'sha' 'sha256' 'sha256_asm' 'sha3' 'sha512' 'sha512_asm')
FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') # FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c')
FIPS_INCS=('fips.h') # FIPS_INCS=('fips.h')
COPY_DIRECT=('wolfcrypt/src/aes_gcm_asm.S') # COPY_DIRECT=('wolfcrypt/src/aes_gcm_asm.S')
;; # ;;
linuxv5a) linuxv5a)
FIPS_OPTION='v5' FIPS_OPTION='v5'
FIPS_FILES=( FIPS_FILES=('WCv5.0-RC12'
'fips.c:WCv5.0-RC12' 'wolfcrypt/src/fips.c'
'fips_test.c:WCv5.0-RC12' 'wolfcrypt/src/fips_test.c'
'wolfcrypt_first.c:WCv5.0-RC12' 'wolfcrypt/src/wolfcrypt_first.c'
'wolfcrypt_last.c:WCv5.0-RC12' 'wolfcrypt/src/wolfcrypt_last.c'
'fips.h:WCv5.0-RC12' 'wolfssl/wolfcrypt/fips.h'
) )
WC_C_FILES=( WOLFCRYPT_FILES=(
'wolfcrypt/src/aes.c:WCv5.0-RC12' 'wolfcrypt/src/aes.c:WCv5.0-RC12'
'wolfcrypt/src/aes_asm.c:WCv5.0-RC12' 'wolfcrypt/src/aes_asm.c:WCv5.0-RC12'
'wolfcrypt/src/cmac.c:WCv5.0-RC12' 'wolfcrypt/src/cmac.c:WCv5.0-RC12'
@@ -129,86 +126,74 @@ linuxv5a)
'wolfssl/wolfcrypt/sha512_asm.h:WCv5.0-RC12' 'wolfssl/wolfcrypt/sha512_asm.h:WCv5.0-RC12'
) )
;; ;;
fips-ready) #fips-ready)
FIPS_OPTION='ready' # FIPS_OPTION='ready'
FIPS_VERSION='master' # FIPS_VERSION='master'
FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') # FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c')
FIPS_INCS=('fips.h') # FIPS_INCS=('fips.h')
;; # ;;
fips-dev) #fips-dev)
FIPS_OPTION='dev' # FIPS_OPTION='dev'
FIPS_VERSION='master' # FIPS_VERSION='master'
FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') # FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c')
FIPS_INCS=('fips.h') # FIPS_INCS=('fips.h')
;; # ;;
wolfrand) #wolfrand)
FIPS_OPTION='rand' # FIPS_OPTION='rand'
FIPS_VERSION='WRv4-stable' # FIPS_VERSION='WRv4-stable'
CRYPT_VERSION='WCv4-stable' # CRYPT_VERSION='WCv4-stable'
RNG_VERSION='WCv4-rng-stable' # RNG_VERSION='WCv4-rng-stable'
WC_MODS=('hmac' 'random' 'sha256') # WC_MODS=('hmac' 'random' 'sha256')
FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') # FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c')
FIPS_INCS=('fips.h') # FIPS_INCS=('fips.h')
;; # ;;
solaris) #solaris)
FIPS_OPTION='v2' # FIPS_OPTION='v2'
FIPS_VERSION='WCv4-stable' # FIPS_VERSION='WCv4-stable'
CRYPT_VERSION='WCv4-stable' # CRYPT_VERSION='WCv4-stable'
RNG_VERSION='WCv4-rng-stable' # RNG_VERSION='WCv4-rng-stable'
WC_MODS=('aes' 'aes_asm' 'cmac' 'des3' 'dh' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha3' 'sha512') # WC_MODS=('aes' 'aes_asm' 'cmac' 'des3' 'dh' 'ecc' 'hmac' 'random' 'rsa' 'sha' 'sha256' 'sha3' 'sha512')
FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c') # FIPS_SRCS=('fips.c' 'fips_test.c' 'wolfcrypt_first.c' 'wolfcrypt_last.c')
FIPS_INCS=('fips.h') # FIPS_INCS=('fips.h')
MAKE='gmake' # MAKE='gmake'
;; # ;;
*) *)
Usage Usage
exit 1 exit 1
esac esac
function checkout_tag() { # checkout_files takes an array of pairs of file paths and git tags to checkout.
if ! $GIT branch --list | grep "my$1" # It will check to see if mytag exists and if not will make that tag a branch.
then
$GIT branch --no-track "my$1" "$1" || exit $?
fi
}
function checkout_files() { function checkout_files() {
local repo_path="$1"
shift
pushd $repo_path
for file_entry in "$@" for file_entry in "$@"
do do
local name=${file_entry%%:*} local name=${file_entry%%:*}
local tag=${file_entry#*:} local tag=${file_entry#*:}
checkout_tag "$tag" || exit $? if ! $GIT branch --list | grep "my$tag"
then
$GIT branch --no-track "my$tag" "$tag" || exit $?
fi
$GIT checkout "my$tag" -- "$name" || exit $? $GIT checkout "my$tag" -- "$name" || exit $?
done done
popd
} }
function copy_files() { # copy_fips_files clones the FIPS repository. It takes an array of file paths, where
local repo_path="$1" # it breaks apart into file name and path, then copies it from the file from the fips
# directory to the path. The first item is the name of the tag.
function copy_fips_files() {
local tag="$1"
shift shift
pushd $repo_path if ! $GIT clone --depth 1 -b "$tag" 'git@github.com:wolfssl/fips.git' fips
for file_entry in "$@" then
echo "fips-check: Couldn't check out $tag from FIPS repository."
exit 1
fi
for file_path in "$@"
do do
local name=${file_entry%%:*} cp fips/"$(basename "$file_path")" "$(dirname "$file_path")"
local tag=${file_entry#*:}
checkout_tag "$tag" || exit $?
$GIT checkout "my$tag" -- "$name" || exit $?
done done
popd
} }
if [ "$DO_NEW_ACTION" = 'yes' ]
then
checkout_files '.' "${WC_C_FILES[@]}"
checkout_files './fips' "${FIPS_FILES[@]}"
exit
fi
echo "Escaped!"
exit
if ! $GIT clone . "$TEST_DIR"; then if ! $GIT clone . "$TEST_DIR"; then
echo "fips-check: Couldn't duplicate current working directory." echo "fips-check: Couldn't duplicate current working directory."
exit 1 exit 1
@@ -227,40 +212,16 @@ case "$FIPS_OPTION" in
;; ;;
cavp-selftest*|v2|rand|v5*) cavp-selftest*|v2|rand|v5*)
checkout_files '.' "${WC_C_FILES[@]}" checkout_files "${WOLFCRYPT_FILES[@]}"
;; ;;
*) *)
echo "fips-check: Invalid FIPS option \"${FIPS_OPTION}\"." echo "fips-check: Invalid FIPS option ${FIPS_OPTION}."
exit 1 exit 1
;; ;;
esac esac
# clone the FIPS repository copy_fips_files "${FIPS_FILES[@]}"
case "$FIPS_OPTION" in
*dev)
if ! $GIT clone --depth 1 "$FIPS_REPO" fips; then
echo "fips-check: Couldn't check out the FIPS repository for fips-dev."
exit 1
fi
;;
*)
if ! $GIT clone --depth 1 -b "$FIPS_VERSION" "$FIPS_REPO" fips; then
echo "fips-check: Couldn't check out ${FIPS_VERSION} from repository ${FIPS_REPO}."
exit 1
fi
;;
esac
for SRC in "${FIPS_SRCS[@]}"
do
cp "fips/$SRC" "$CRYPT_SRC_PATH"
done
for INC in "${FIPS_INCS[@]}"
do
cp "fips/$INC" "$CRYPT_INC_PATH"
done
# When checking out cert 3389 ready code, NIST will no longer perform # When checking out cert 3389 ready code, NIST will no longer perform
# new certifications on 140-2 modules. If we were to use the latest files from # new certifications on 140-2 modules. If we were to use the latest files from
@@ -268,11 +229,10 @@ done
# Since OE additions can still be processed for cert3389 we will call 140-2 # Since OE additions can still be processed for cert3389 we will call 140-2
# ready "fipsv2-OE-ready" indicating it is ready to use for an OE addition but # ready "fipsv2-OE-ready" indicating it is ready to use for an OE addition but
# would not be good for a new certification effort with the latest files. # would not be good for a new certification effort with the latest files.
if [ "$FLAVOR" = 'fipsv2-OE-ready' ]; then if [ "$FLAVOR" = 'fipsv2-OE-ready' ] && [ -s wolfcrypt/src/fips.c ]
OLD_VERSION=" return \"v4.0.0-alpha\";" then
OE_READY_VERSION=" return \"fipsv2-OE-ready\";" cp wolfcrypt/src/fips.c wolfcrypt/src/fips.c.bak
cp "${CRYPT_SRC_PATH}/fips.c" "${CRYPT_SRC_PATH}/fips.c.bak" sed "s/^v4.0.0-alpha/fipsv2-OE-ready/" wolfcrypt/src/fips.c.bak >wolfcrypt/src/fips.c
sed "s/^${OLD_VERSION}/${OE_READY_VERSION}/" "${CRYPT_SRC_PATH}/fips.c.bak" >"${CRYPT_SRC_PATH}/fips.c"
fi fi
# run the make test # run the make test
@@ -296,25 +256,25 @@ then
exit 3 exit 3
fi fi
if [ -s "${CRYPT_SRC_PATH}/fips_test.c" ] if [ -s wolfcrypt/src/fips_test.c ]
then then
NEWHASH=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p') NEWHASH=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
if [ -n "$NEWHASH" ]; then if [ -n "$NEWHASH" ]; then
cp "${CRYPT_SRC_PATH}/fips_test.c" "${CRYPT_SRC_PATH}/fips_test.c.bak" cp wolfcrypt/src/fips_test.c wolfcrypt/src/fips_test.c.bak
sed "s/^\".*\";/\"${NEWHASH}\";/" "${CRYPT_SRC_PATH}/fips_test.c.bak" >"${CRYPT_SRC_PATH}/fips_test.c" sed "s/^\".*\";/\"${NEWHASH}\";/" wolfcrypt/src/fips_test.c.bak >wolfcrypt/src/fips_test.c
make clean make clean
fi fi
fi fi
if ! $MAKE check if ! $MAKE check
then then
echo "fips-check: Test failed. Debris left for analysis." echo 'fips-check: Test failed. Debris left for analysis.'
exit 3 exit 3
fi fi
# Clean up # Clean up
popd || exit 2 popd || exit 2
if [ "$KEEP" = "no" ]; if [ "$KEEP" = 'no' ];
then then
rm -rf "$TEST_DIR" rm -rf "$TEST_DIR"
fi fi