FIPS Revalidation (acceptance fixes)

1. Update the fips-check script to pull the FIPSv2 code from the main repositories.
2. Script cleanup.
3. Disable the api.test check of wc_ecc_mulmod() when WOLFSSL_VALIDATE_ECC_IMPORT is enabled.
John Safranek
2018-06-08 10:36:28 -07:00
parent 391d1953fa
commit df6fe0b07c
2 changed files with 65 additions and 53 deletions


@ -16,25 +16,26 @@
# - keep: (default off) XXX-fips-test temp dir around for inspection # - keep: (default off) XXX-fips-test temp dir around for inspection
# #
function Usage() { Usage() {
printf '\n%s\n' "Usage: $0 [platform] [keep]" cat <<usageText
printf '%s\n\n' "Where \"platform\" is one of:" Usage: $0 [platform [keep]]
printf '\t%s\n' "linux (default)" Platform is one of:
printf '\t%s\n' "ios" linux (default)
printf '\t%s\n' "android" ios
printf '\t%s\n' "windows" android
printf '\t%s\n' "freertos" windows
printf '\t%s\n' "openrtos-3.9.2" freertos
printf '\t%s\n' "linux-ecc" openrtos-3.9.2
printf '\t%s\n' "netbsd-selftest" linux-ecc
printf '\t%s\n' "sgx" netbsd-selftest
printf '\t%s\n' "netos-7.6" sgx
printf '\t%s\n' "linuxv2" netos-7.6
printf '\n%s\n\n' "Where \"keep\" means keep (default off) XXX-fips-test temp dir around for inspection" linuxv2
printf '%s\n' "EXAMPLE:" Keep (default off) retains the XXX-fips-test temp dir for inspection.
printf '%s\n' "---------------------------------"
printf '%s\n' "./fips-check.sh windows keep" Example:
printf '%s\n\n' "---------------------------------" $0 windows keep
usageText
} }
LINUX_FIPS_VERSION=v3.2.6 LINUX_FIPS_VERSION=v3.2.6
@ -47,9 +48,9 @@ LINUX_ECC_FIPS_REPO=git@github.com:wolfSSL/fips.git
LINUX_ECC_CRYPT_VERSION=v3.2.6 LINUX_ECC_CRYPT_VERSION=v3.2.6
LINUX_ECC_CRYPT_REPO=git@github.com:cyassl/cyassl.git LINUX_ECC_CRYPT_REPO=git@github.com:cyassl/cyassl.git
LINUXV2_FIPS_VERSION=fipsv2 LINUXV2_FIPS_VERSION=WCv4-stable
LINUXV2_FIPS_REPO=git@github.com:ejohnstown/fips.git LINUXV2_FIPS_REPO=git@github.com:wolfSSL/fips.git
LINUXV2_CRYPT_VERSION=fipsv2 LINUXV2_CRYPT_VERSION=WCv4-stable
IOS_FIPS_VERSION=v3.4.8a IOS_FIPS_VERSION=v3.4.8a
IOS_FIPS_REPO=git@github.com:wolfSSL/fips.git IOS_FIPS_REPO=git@github.com:wolfSSL/fips.git
@ -104,6 +105,7 @@ CRYPT_INC_PATH=cyassl/ctaocrypt
CRYPT_SRC_PATH=ctaocrypt/src CRYPT_SRC_PATH=ctaocrypt/src
FIPS_OPTION=v1 FIPS_OPTION=v1
CAVP_SELFTEST_ONLY="no" CAVP_SELFTEST_ONLY="no"
GIT="git -c advice.detachedHead=false"
if [ "x$1" == "x" ]; then PLATFORM="linux"; else PLATFORM=$1; fi if [ "x$1" == "x" ]; then PLATFORM="linux"; else PLATFORM=$1; fi
@ -192,21 +194,25 @@ netos-7.6)
exit 1 exit 1
esac esac
git clone . $TEST_DIR if ! $GIT clone . $TEST_DIR; then
[ $? -ne 0 ] && echo "\n\nCouldn't duplicate current working directory.\n\n" && exit 1 echo "fips-check: Couldn't duplicate current working directory."
exit 1
fi
pushd $TEST_DIR pushd $TEST_DIR || exit 2
if [ "x$FIPS_OPTION" == "xv1" ]; if [ "x$FIPS_OPTION" == "xv1" ];
then then
# make a clone of the last FIPS release tag # make a clone of the last FIPS release tag
git clone -b $CRYPT_VERSION $CRYPT_REPO old-tree if ! $GIT clone -b $CRYPT_VERSION $CRYPT_REPO old-tree; then
[ $? -ne 0 ] && echo "\n\nCouldn't checkout the FIPS release.\n\n" && exit 1 echo "fips-check: Couldn't checkout the FIPS release."
exit 1
fi
for MOD in ${WC_MODS[@]} for MOD in "${WC_MODS[@]}"
do do
cp old-tree/$CRYPT_SRC_PATH/${MOD}.c $CRYPT_SRC_PATH cp "old-tree/$CRYPT_SRC_PATH/${MOD}.c" $CRYPT_SRC_PATH
cp old-tree/$CRYPT_INC_PATH/${MOD}.h $CRYPT_INC_PATH cp "old-tree/$CRYPT_INC_PATH/${MOD}.h" $CRYPT_INC_PATH
done done
# The following is temporary. We are using random.c from a separate release # The following is temporary. We are using random.c from a separate release
@ -215,33 +221,35 @@ then
if [ "x$CAVP_SELFTEST_ONLY" == "xno" ] && [ "x$PLATFORM" != "xsgx" ] && \ if [ "x$CAVP_SELFTEST_ONLY" == "xno" ] && [ "x$PLATFORM" != "xsgx" ] && \
[ "x$PLATFORM" != "xnetos-7.6" ]; [ "x$PLATFORM" != "xnetos-7.6" ];
then then
pushd old-tree pushd old-tree || exit 2
git checkout v3.6.0 $GIT checkout v3.6.0
popd popd || exit 2
cp old-tree/$CRYPT_SRC_PATH/random.c $CRYPT_SRC_PATH cp "old-tree/$CRYPT_SRC_PATH/random.c" $CRYPT_SRC_PATH
cp old-tree/$CRYPT_INC_PATH/random.h $CRYPT_INC_PATH cp "old-tree/$CRYPT_INC_PATH/random.h" $CRYPT_INC_PATH
fi fi
else else
git branch --track $CRYPT_VERSION origin/$CRYPT_VERSION $GIT branch --no-track "my$CRYPT_VERSION" $CRYPT_VERSION
# Checkout the fips versions of the wolfCrypt files from the repo. # Checkout the fips versions of the wolfCrypt files from the repo.
for MOD in ${WC_MODS[@]} for MOD in "${WC_MODS[@]}"
do do
git checkout $CRYPT_VERSION -- $CRYPT_SRC_PATH/$MOD.c $CRYPT_INC_PATH/$MOD.h $GIT checkout "my$CRYPT_VERSION" -- "$CRYPT_SRC_PATH/$MOD.c" "$CRYPT_INC_PATH/$MOD.h"
done done
fi fi
# clone the FIPS repository # clone the FIPS repository
git clone -b $FIPS_VERSION $FIPS_REPO fips if ! $GIT clone -b $FIPS_VERSION $FIPS_REPO fips; then
[ $? -ne 0 ] && echo "\n\nCouldn't checkout the FIPS repository.\n\n" && exit 1 echo "fips-check: Couldn't checkout the FIPS repository."
exit 1
fi
for SRC in ${FIPS_SRCS[@]} for SRC in "${FIPS_SRCS[@]}"
do do
cp fips/$SRC $CRYPT_SRC_PATH cp "fips/$SRC" $CRYPT_SRC_PATH
done done
for INC in ${FIPS_INCS[@]} for INC in "${FIPS_INCS[@]}"
do do
cp fips/$INC $CRYPT_INC_PATH cp "fips/$INC" $CRYPT_INC_PATH
done done
# run the make test # run the make test
@ -252,36 +260,40 @@ then
else else
./configure --enable-fips=$FIPS_OPTION ./configure --enable-fips=$FIPS_OPTION
fi fi
make if ! make; then
[ $? -ne 0 ] && echo "\n\nMake failed. Debris left for analysis." && exit 1 echo "fips-check: Make failed. Debris left for analysis."
exit 3
fi
if [ "x$CAVP_SELFTEST_ONLY" == "xno" ]; if [ "x$CAVP_SELFTEST_ONLY" == "xno" ];
then then
NEWHASH=`./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p'` NEWHASH=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
if [ -n "$NEWHASH" ]; then if [ -n "$NEWHASH" ]; then
sed -i.bak "s/^\".*\";/\"${NEWHASH}\";/" $CRYPT_SRC_PATH/fips_test.c sed -i.bak "s/^\".*\";/\"${NEWHASH}\";/" $CRYPT_SRC_PATH/fips_test.c
make clean make clean
fi fi
fi fi
make test if ! make test; then
[ $? -ne 0 ] && echo "\n\nTest failed. Debris left for analysis." && exit 1 echo "fips-check: Test failed. Debris left for analysis."
exit 3
fi
if [ ${#FIPS_CONFLICTS[@]} -ne 0 ]; if [ ${#FIPS_CONFLICTS[@]} -ne 0 ];
then then
echo "Due to the way this package is compiled by the customer duplicate" echo "Due to the way this package is compiled by the customer duplicate"
echo "source file names are an issue, renaming:" echo "source file names are an issue, renaming:"
for FNAME in ${FIPS_CONFLICTS[@]} for FNAME in "${FIPS_CONFLICTS[@]}"
do do
echo "wolfcrypt/src/$FNAME.c to wolfcrypt/src/wc_$FNAME.c" echo "wolfcrypt/src/$FNAME.c to wolfcrypt/src/wc_$FNAME.c"
mv ./wolfcrypt/src/$FNAME.c ./wolfcrypt/src/wc_$FNAME.c mv "./wolfcrypt/src/$FNAME.c" "./wolfcrypt/src/wc_$FNAME.c"
done done
echo "Confirming files were renamed..." echo "Confirming files were renamed..."
ls -la ./wolfcrypt/src/wc_*.c ls -la ./wolfcrypt/src/wc_*.c
fi fi
# Clean up # Clean up
popd popd || exit 2
if [ "x$KEEP" == "xno" ]; if [ "x$KEEP" == "xno" ];
then then
rm -rf $TEST_DIR rm -rf $TEST_DIR
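Review bot: `$GIT checkout v3.6.0` in the v1 arm, and `$GIT branch --no-track "my$CRYPT_VERSION" $CRYPT_VERSION` plus the per-module `$GIT checkout "my$CRYPT_VERSION" -- …` in the else arm, still run unchecked, although this commit adds failure handling to every clone and make. If one of them fails, the script carries on and copies whatever random.c or module files are in the tree. The `NEWHASH` step then rewrites the hash in fips_test.c, so the run may report a passing check for sources that are not the intended FIPS revision. Give them the same treatment as the clones, for example `if ! $GIT checkout v3.6.0; then echo "fips-check: Couldn't checkout v3.6.0."; exit 1; fi`, and append `|| exit 1` to the branch and checkout lines in the else arm. The `cp` destinations (`$CRYPT_SRC_PATH`, `$CRYPT_INC_PATH`) and `$TEST_DIR` are also left unquoted while the sources beside them were quoted.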


@ -14025,7 +14025,7 @@ static int test_wc_ecc_mulmod (void)
{ {
int ret = 0; int ret = 0;
#if defined(HAVE_ECC) #if defined(HAVE_ECC) && !defined(WOLFSSL_VALIDATE_ECC_IMPORT)
ecc_key key1, key2, key3; ecc_key key1, key2, key3;
WC_RNG rng; WC_RNG rng;
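Review bot: The widened guard `#if defined(HAVE_ECC) && !defined(WOLFSSL_VALIDATE_ECC_IMPORT)` carries no comment saying why the test cannot run with import validation enabled, and the commit message does not say either. Since `ret` is initialised to 0 before the guard, the function presumably returns success without exercising wc_ecc_mulmod() in that configuration (the body continues outside the hunk), so the FIPS build loses this coverage silently. I would add a comment above the guard stating the reason, e.g. `/* skipped with WOLFSSL_VALIDATE_ECC_IMPORT: <reason the test's key import fails validation> */`, and have the skipped case print a skip message if the rest of the file has a convention for that.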