FIPS Check Script with Explicit Versioning

1. Remove the case block deciding whether or not to check out the wolfcrypt
   files; it is redundant. Things are now set up so that we don't need it.
2. Comment reflow.
Changes due to peer review:
3. Change the check for the temp mytag branches to use a git command
   that provides an exact match, rather than a foulable grep check.
4. Change the fips repo file checkout to work the same way as the
   wolfcrypt files. Each file in the copy list is tagged with its
   revision.
This commit is contained in:
John Safranek
2023-08-18 09:27:53 -07:00
parent 3e93c5e253
commit b9dbd86fab


@ -46,12 +46,12 @@ done
case "$FLAVOR" in case "$FLAVOR" in
linuxv2|fipsv2-OE-ready|solaris) linuxv2|fipsv2-OE-ready|solaris)
FIPS_OPTION='v2' FIPS_OPTION='v2'
FIPS_FILES=('WCv4-stable' FIPS_FILES=(
'wolfcrypt/src/fips.c' 'wolfcrypt/src/fips.c:WCv4-stable'
'wolfcrypt/src/fips_test.c' 'wolfcrypt/src/fips_test.c:WCv4-stable'
'wolfcrypt/src/wolfcrypt_first.c' 'wolfcrypt/src/wolfcrypt_first.c:WCv4-stable'
'wolfcrypt/src/wolfcrypt_last.c' 'wolfcrypt/src/wolfcrypt_last.c:WCv4-stable'
'wolfssl/wolfcrypt/fips.h' 'wolfssl/wolfcrypt/fips.h:WCv4-stable'
) )
WOLFCRYPT_FILES=( WOLFCRYPT_FILES=(
'wolfcrypt/src/aes.c:WCv4-stable' 'wolfcrypt/src/aes.c:WCv4-stable'
@ -86,7 +86,7 @@ linuxv2|fipsv2-OE-ready|solaris)
netbsd-selftest) netbsd-selftest)
# non-FIPS, CAVP only but pull in selftest # non-FIPS, CAVP only but pull in selftest
FIPS_OPTION='cavp-selftest' FIPS_OPTION='cavp-selftest'
FIPS_FILES=('v3.14.2b' 'wolfcrypt/src/selftest.c') FIPS_FILES=('wolfcrypt/src/selftest.c:v3.14.2b')
WOLFCRYPT_FILES=( WOLFCRYPT_FILES=(
'wolfcrypt/src/aes.c:v3.14.2' 'wolfcrypt/src/aes.c:v3.14.2'
'wolfcrypt/src/dh.c:v3.14.2' 'wolfcrypt/src/dh.c:v3.14.2'
@ -113,7 +113,7 @@ netbsd-selftest)
marvell-linux-selftest) marvell-linux-selftest)
# non-FIPS, CAVP only but pull in selftest # non-FIPS, CAVP only but pull in selftest
FIPS_OPTION='cavp-selftest-v2' FIPS_OPTION='cavp-selftest-v2'
FIPS_FILES=('v3.14.2b' 'wolfcrypt/src/selftest.c') FIPS_FILES=('wolfcrypt/src/selftest.c:v3.14.2b')
WOLFCRYPT_FILES=( WOLFCRYPT_FILES=(
'wolfcrypt/src/aes.c:v4.1.0-stable' 'wolfcrypt/src/aes.c:v4.1.0-stable'
'wolfcrypt/src/dh.c:v4.1.0-stable' 'wolfcrypt/src/dh.c:v4.1.0-stable'
@ -139,12 +139,12 @@ marvell-linux-selftest)
;; ;;
linuxv5) linuxv5)
FIPS_OPTION='v5' FIPS_OPTION='v5'
FIPS_FILES=('WCv5.0-RC12' FIPS_FILES=(
'wolfcrypt/src/fips.c' 'wolfcrypt/src/fips.c:WCv5.0-RC12'
'wolfcrypt/src/fips_test.c' 'wolfcrypt/src/fips_test.c:WCv5.0-RC12'
'wolfcrypt/src/wolfcrypt_first.c' 'wolfcrypt/src/wolfcrypt_first.c:WCv5.0-RC12'
'wolfcrypt/src/wolfcrypt_last.c' 'wolfcrypt/src/wolfcrypt_last.c:WCv5.0-RC12'
'wolfssl/wolfcrypt/fips.h' 'wolfssl/wolfcrypt/fips.h:WCv5.0-RC12'
) )
WOLFCRYPT_FILES=( WOLFCRYPT_FILES=(
'wolfcrypt/src/aes.c:WCv5.0-RC12' 'wolfcrypt/src/aes.c:WCv5.0-RC12'
@ -180,24 +180,24 @@ linuxv5)
;; ;;
fips-ready|fips-dev) fips-ready|fips-dev)
FIPS_OPTION='ready' FIPS_OPTION='ready'
FIPS_FILES=('master' FIPS_FILES=(
'wolfcrypt/src/fips.c' 'wolfcrypt/src/fips.c:master'
'wolfcrypt/src/fips_test.c' 'wolfcrypt/src/fips_test.c:master'
'wolfcrypt/src/wolfcrypt_first.c' 'wolfcrypt/src/wolfcrypt_first.c:master'
'wolfcrypt/src/wolfcrypt_last.c' 'wolfcrypt/src/wolfcrypt_last.c:master'
'wolfssl/wolfcrypt/fips.h' 'wolfssl/wolfcrypt/fips.h:master'
) )
WOLFCRYPT_FILES=() WOLFCRYPT_FILES=()
if [ "$FLAVOR" = 'fips-dev' ]; then FIPS_OPTION='dev'; fi if [ "$FLAVOR" = 'fips-dev' ]; then FIPS_OPTION='dev'; fi
;; ;;
wolfrand) wolfrand)
FIPS_OPTION='rand' FIPS_OPTION='rand'
FIPS_FILES=('WRv4-stable' FIPS_FILES=(
'wolfcrypt/src/fips.c' 'wolfcrypt/src/fips.c:WRv4-stable'
'wolfcrypt/src/fips_test.c' 'wolfcrypt/src/fips_test.c:WRv4-stable'
'wolfcrypt/src/wolfcrypt_first.c' 'wolfcrypt/src/wolfcrypt_first.c:WRv4-stable'
'wolfcrypt/src/wolfcrypt_last.c' 'wolfcrypt/src/wolfcrypt_last.c:WRv4-stable'
'wolfssl/wolfcrypt/fips.h' 'wolfssl/wolfcrypt/fips.h:WRv4-stable'
) )
WOLFCRYPT_FILES=( WOLFCRYPT_FILES=(
'wolfcrypt/src/hmac.c:WCv4-stable' 'wolfcrypt/src/hmac.c:WCv4-stable'
@ -213,14 +213,17 @@ wolfrand)
exit 1 exit 1
esac esac
# checkout_files takes an array of pairs of file paths and git tags to checkout. # checkout_files takes an array of pairs of file paths and git tags to
# It will check to see if mytag exists and if not will make that tag a branch. # checkout. It will check to see if mytag exists and if not will make that
# tag a branch.
function checkout_files() { function checkout_files() {
local name
local tag
for file_entry in "$@" for file_entry in "$@"
do do
local name=${file_entry%%:*} name=${file_entry%%:*}
local tag=${file_entry#*:} tag=${file_entry#*:}
if ! $GIT branch --list | grep --quiet "my$tag" if ! $GIT rev-parse -q --verify "my$tag" >/dev/null
then then
$GIT branch --no-track "my$tag" "$tag" || exit $? $GIT branch --no-track "my$tag" "$tag" || exit $?
fi fi
@ -228,20 +231,27 @@ function checkout_files() {
done done
} }
# copy_fips_files clones the FIPS repository. It takes an array of file paths, where # copy_fips_files takes an array of pairs of file paths and git tags to
# it breaks apart into file name and path, then copies it from the file from the fips # checkout. It will check to see if mytag exists and if now will make that
# directory to the path. The first item is the name of the tag. # tag a branch. It breaks the filepath apart into file name and path, then
# copies it from the file from the fips directory to the path.
function copy_fips_files() { function copy_fips_files() {
local tag="$1" local name
shift local bname
if ! $GIT clone --depth 1 -b "$tag" "$FIPS_REPO" fips local dname
then local tag
echo "fips-check: Couldn't check out $tag from FIPS repository." for file_entry in "$@"
exit 1
fi
for file_path in "$@"
do do
cp fips/"$(basename "$file_path")" "$(dirname "$file_path")" name=${file_entry%%:*}
tag=${file_entry#*:}
bname=$(basename "$name")
dname=$(dirname "$name")
if ! $GIT rev-parse -q --verify "my$tag" >/dev/null
then
$GIT branch --no-track "my$tag" "$tag" || exit $?
fi
$GIT checkout "my$tag" -- "$bname" || exit $?
cp "$bname" "../$dname"
done done
} }
@ -252,27 +262,16 @@ fi
pushd "$TEST_DIR" || exit 2 pushd "$TEST_DIR" || exit 2
case "$FIPS_OPTION" in if ! $GIT clone "$FIPS_REPO" fips
then
*dev) echo "fips-check: Couldn't check out FIPS repository."
echo "Don't need to copy in tagged wolfCrypt files for fips-dev."
;;
*ready)
echo "Don't need to copy in tagged wolfCrypt files for FIPS Ready."
;;
cavp-selftest*|v2|rand|v5*)
checkout_files "${WOLFCRYPT_FILES[@]}"
;;
*)
echo "fips-check: Invalid FIPS option ${FIPS_OPTION}."
exit 1 exit 1
;; fi
esac
copy_fips_files "${FIPS_FILES[@]}" checkout_files "${WOLFCRYPT_FILES[@]}" || exit 3
pushd fips || exit 2
copy_fips_files "${FIPS_FILES[@]}" || exit 3
popd || exit 2
# When checking out cert 3389 ready code, NIST will no longer perform # When checking out cert 3389 ready code, NIST will no longer perform
# new certifications on 140-2 modules. If we were to use the latest files from # new certifications on 140-2 modules. If we were to use the latest files from