184 lines
5.1 KiB
Bash
Executable File
184 lines
5.1 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# fips-check.sh
|
|
# This script checks the current revision of the code against the
|
|
# previous release of the FIPS code. While wolfSSL and wolfCrypt
|
|
# may be advancing, they must work correctly with the last tested
|
|
# copy of our FIPS approved code.
|
|
#
|
|
# This should check out all the approved versions. The command line
|
|
# option selects the version.
|
|
#
|
|
# $ ./fips-check [version] [keep]
|
|
#
|
|
# - version: linux (default), ios, android, windows, freertos, linux-ecc
|
|
#
|
|
# - keep: (default off) XXX-fips-test temp dir around for inspection
|
|
#
|
|
|
|
function Usage() {
|
|
echo "Usage: $0 [platform] [keep]"
|
|
echo "Where \"platform\" is one of linux (default), ios, android, windows, freertos, openrtos-3.9.2, linux-ecc"
|
|
echo "Where \"keep\" means keep (default off) XXX-fips-test temp dir around for inspection"
|
|
}
|
|
|
|
LINUX_FIPS_VERSION=v3.2.6
|
|
LINUX_FIPS_REPO=git@github.com:wolfSSL/fips.git
|
|
LINUX_CTAO_VERSION=v3.2.6
|
|
LINUX_CTAO_REPO=git@github.com:cyassl/cyassl.git
|
|
|
|
LINUX_ECC_FIPS_VERSION=v3.10.3
|
|
LINUX_ECC_FIPS_REPO=git@github.com:wolfSSL/fips.git
|
|
LINUX_ECC_CTAO_VERSION=v3.2.6
|
|
LINUX_ECC_CTAO_REPO=git@github.com:cyassl/cyassl.git
|
|
|
|
IOS_FIPS_VERSION=v3.4.8a
|
|
IOS_FIPS_REPO=git@github.com:wolfSSL/fips.git
|
|
IOS_CTAO_VERSION=v3.4.8.fips
|
|
IOS_CTAO_REPO=git@github.com:cyassl/cyassl.git
|
|
|
|
ANDROID_FIPS_VERSION=v3.5.0
|
|
ANDROID_FIPS_REPO=git@github.com:wolfSSL/fips.git
|
|
ANDROID_CTAO_VERSION=v3.5.0
|
|
ANDROID_CTAO_REPO=git@github.com:cyassl/cyassl.git
|
|
|
|
WINDOWS_FIPS_VERSION=v3.6.6
|
|
WINDOWS_FIPS_REPO=git@github.com:wolfSSL/fips.git
|
|
WINDOWS_CTAO_VERSION=v3.6.6
|
|
WINDOWS_CTAO_REPO=git@github.com:cyassl/cyassl.git
|
|
|
|
FREERTOS_FIPS_VERSION=v3.6.1-FreeRTOS
|
|
FREERTOS_FIPS_REPO=git@github.com:wolfSSL/fips.git
|
|
FREERTOS_CTAO_VERSION=v3.6.1
|
|
FREERTOS_CTAO_REPO=git@github.com:cyassl/cyassl.git
|
|
|
|
OPENRTOS_3_9_2_FIPS_VERSION=v3.9.2-OpenRTOS
|
|
OPENRTOS_3_9_2_FIPS_REPO=git@github.com:wolfSSL/fips.git
|
|
OPENRTOS_3_9_2_CTAO_VERSION=v3.6.1
|
|
OPENRTOS_3_9_2_CTAO_REPO=git@github.com:cyassl/cyassl.git
|
|
|
|
FIPS_SRCS=( fips.c fips_test.c )
|
|
WC_MODS=( aes des3 sha sha256 sha512 rsa hmac random )
|
|
TEST_DIR=XXX-fips-test
|
|
WC_INC_PATH=cyassl/ctaocrypt
|
|
WC_SRC_PATH=ctaocrypt/src
|
|
|
|
if [ "x$1" == "x" ]; then PLATFORM="linux"; else PLATFORM=$1; fi
|
|
|
|
if [ "x$2" == "xkeep" ]; then KEEP="yes"; else KEEP="no"; fi
|
|
|
|
case $PLATFORM in
|
|
ios)
|
|
FIPS_VERSION=$IOS_FIPS_VERSION
|
|
FIPS_REPO=$IOS_FIPS_REPO
|
|
CTAO_VERSION=$IOS_CTAO_VERSION
|
|
CTAO_REPO=$IOS_CTAO_REPO
|
|
;;
|
|
android)
|
|
FIPS_VERSION=$ANDROID_FIPS_VERSION
|
|
FIPS_REPO=$ANDROID_FIPS_REPO
|
|
CTAO_VERSION=$ANDROID_CTAO_VERSION
|
|
CTAO_REPO=$ANDROID_CTAO_REPO
|
|
;;
|
|
windows)
|
|
FIPS_VERSION=$WINDOWS_FIPS_VERSION
|
|
FIPS_REPO=$WINDOWS_FIPS_REPO
|
|
CTAO_VERSION=$WINDOWS_CTAO_VERSION
|
|
CTAO_REPO=$WINDOWS_CTAO_REPO
|
|
;;
|
|
freertos)
|
|
FIPS_VERSION=$FREERTOS_FIPS_VERSION
|
|
FIPS_REPO=$FREERTOS_FIPS_REPO
|
|
CTAO_VERSION=$FREERTOS_CTAO_VERSION
|
|
CTAO_REPO=$FREERTOS_CTAO_REPO
|
|
;;
|
|
openrtos-3.9.2)
|
|
FIPS_VERSION=$OPENRTOS_3_9_2_FIPS_VERSION
|
|
FIPS_REPO=$OPENRTOS_3_9_2_FIPS_REPO
|
|
CTAO_VERSION=$OPENRTOS_3_9_2_CTAO_VERSION
|
|
CTAO_REPO=$OPENRTOS_3_9_2_CTAO_REPO
|
|
FIPS_CONFLICTS=( aes hmac random sha256 )
|
|
;;
|
|
linux)
|
|
FIPS_VERSION=$LINUX_FIPS_VERSION
|
|
FIPS_REPO=$LINUX_FIPS_REPO
|
|
CTAO_VERSION=$LINUX_CTAO_VERSION
|
|
CTAO_REPO=$LINUX_CTAO_REPO
|
|
;;
|
|
linux-ecc)
|
|
FIPS_VERSION=$LINUX_ECC_FIPS_VERSION
|
|
FIPS_REPO=$LINUX_ECC_FIPS_REPO
|
|
CTAO_VERSION=$LINUX_ECC_CTAO_VERSION
|
|
CTAO_REPO=$LINUX_ECC_CTAO_REPO
|
|
;;
|
|
*)
|
|
Usage
|
|
exit 1
|
|
esac
|
|
|
|
git clone . $TEST_DIR
|
|
[ $? -ne 0 ] && echo "\n\nCouldn't duplicate current working directory.\n\n" && exit 1
|
|
|
|
pushd $TEST_DIR
|
|
|
|
# make a clone of the last FIPS release tag
|
|
git clone -b $CTAO_VERSION $CTAO_REPO old-tree
|
|
[ $? -ne 0 ] && echo "\n\nCouldn't checkout the FIPS release.\n\n" && exit 1
|
|
|
|
for MOD in ${WC_MODS[@]}
|
|
do
|
|
cp old-tree/$WC_SRC_PATH/${MOD}.c $WC_SRC_PATH
|
|
cp old-tree/$WC_INC_PATH/${MOD}.h $WC_INC_PATH
|
|
done
|
|
|
|
# The following is temporary. We are using random.c from a separate release
|
|
pushd old-tree
|
|
git checkout v3.6.0
|
|
popd
|
|
cp old-tree/$WC_SRC_PATH/random.c $WC_SRC_PATH
|
|
cp old-tree/$WC_INC_PATH/random.h $WC_INC_PATH
|
|
|
|
# clone the FIPS repository
|
|
git clone -b $FIPS_VERSION $FIPS_REPO fips
|
|
[ $? -ne 0 ] && echo "\n\nCouldn't checkout the FIPS repository.\n\n" && exit 1
|
|
|
|
for SRC in ${FIPS_SRCS[@]}
|
|
do
|
|
cp fips/$SRC $WC_SRC_PATH
|
|
done
|
|
|
|
# run the make test
|
|
./autogen.sh
|
|
./configure --enable-fips
|
|
make
|
|
[ $? -ne 0 ] && echo "\n\nMake failed. Debris left for analysis." && exit 1
|
|
|
|
NEWHASH=`./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p'`
|
|
if [ -n "$NEWHASH" ]; then
|
|
sed -i.bak "s/^\".*\";/\"${NEWHASH}\";/" $WC_SRC_PATH/fips_test.c
|
|
make clean
|
|
fi
|
|
|
|
make test
|
|
[ $? -ne 0 ] && echo "\n\nTest failed. Debris left for analysis." && exit 1
|
|
|
|
if [ ${#FIPS_CONFLICTS[@]} -ne 0 ];
|
|
then
|
|
echo "Due to the way this package is compiled by the customer duplicate"
|
|
echo "source file names are an issue, renaming:"
|
|
for FNAME in ${FIPS_CONFLICTS[@]}
|
|
do
|
|
echo "wolfcrypt/src/$FNAME.c to wolfcrypt/src/wc_$FNAME.c"
|
|
mv ./wolfcrypt/src/$FNAME.c ./wolfcrypt/src/wc_$FNAME.c
|
|
done
|
|
echo "Confirming files were renamed..."
|
|
ls -la ./wolfcrypt/src/wc_*.c
|
|
fi
|
|
|
|
# Clean up
|
|
popd
|
|
if [ "x$KEEP" == "xno" ];
|
|
then
|
|
rm -rf $TEST_DIR
|
|
fi
|