#!/bin/bash
# fips-check.sh
# This script checks the current revision of the code against the
# previous release of the FIPS code. While wolfSSL and wolfCrypt
# may be advancing, they must work correctly with the last tested
# copy of our FIPS approved code.
#
# This should check out all the approved versions. The command line
# option selects the version.
#
# $ ./fips-check.sh [platform]
#
# - platform: linux (default), ios, android, windows, freertos, openrtos-3.9.2
#
#######################################
# Print the invocation syntax and the accepted platform names.
# Globals:   none
# Arguments: none (uses $0 for the script name)
# Outputs:   two usage lines on stdout
# Returns:   0
#######################################
function Usage() {
  local script_name=$0
  printf 'Usage: %s [platform]\n' "$script_name"
  printf '%s\n' 'Where "platform" is one of linux (default), ios, android, windows, freertos, openrtos-3.9.2'
}
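# Per-platform pins: the tag of the approved FIPS module sources and the tag
# of the cyassl/ctaocrypt release they were last tested against. These are
# the trust anchors of the whole check, so they are marked readonly.
# NOTE(review): the "[email protected]" remote prefixes look like an extraction
# artifact of an SSH-style git URL — confirm against the upstream script.
readonly LINUX_FIPS_VERSION=v3.2.6
readonly LINUX_FIPS_REPO='[email protected]:wolfSSL/fips.git'
readonly LINUX_CTAO_VERSION=v3.2.6
readonly LINUX_CTAO_REPO='[email protected]:cyassl/cyassl.git'
readonly IOS_FIPS_VERSION=v3.4.8a
readonly IOS_FIPS_REPO='[email protected]:wolfSSL/fips.git'
readonly IOS_CTAO_VERSION=v3.4.8.fips
readonly IOS_CTAO_REPO='[email protected]:cyassl/cyassl.git'
readonly ANDROID_FIPS_VERSION=v3.5.0
readonly ANDROID_FIPS_REPO='[email protected]:wolfSSL/fips.git'
readonly ANDROID_CTAO_VERSION=v3.5.0
readonly ANDROID_CTAO_REPO='[email protected]:cyassl/cyassl.git'
readonly WINDOWS_FIPS_VERSION=v3.6.6
readonly WINDOWS_FIPS_REPO='[email protected]:wolfSSL/fips.git'
readonly WINDOWS_CTAO_VERSION=v3.6.6
readonly WINDOWS_CTAO_REPO='[email protected]:cyassl/cyassl.git'
readonly FREERTOS_FIPS_VERSION=v3.6.1-FreeRTOS
readonly FREERTOS_FIPS_REPO='[email protected]:wolfSSL/fips.git'
readonly FREERTOS_CTAO_VERSION=v3.6.1
readonly FREERTOS_CTAO_REPO='[email protected]:cyassl/cyassl.git'
readonly OPENRTOS_3_9_2_FIPS_VERSION=v3.9.2-OpenRTOS
readonly OPENRTOS_3_9_2_FIPS_REPO='[email protected]:wolfSSL/fips.git'
readonly OPENRTOS_3_9_2_CTAO_VERSION=v3.6.1
readonly OPENRTOS_3_9_2_CTAO_REPO='[email protected]:cyassl/cyassl.git'

# Files copied from the FIPS repository into the wolfCrypt source tree.
readonly FIPS_SRCS=( fips.c fips_test.c )
# wolfCrypt modules whose .c/.h are replaced by the last FIPS-tested release.
readonly WC_MODS=( aes des3 sha sha256 sha512 rsa hmac random )
# Scratch clone of the working tree; removed at the end of the run.
readonly TEST_DIR=XXX-fips-test
readonly WC_INC_PATH=cyassl/ctaocrypt
readonly WC_SRC_PATH=ctaocrypt/src
# Sources to rename after the test run; only some platforms populate this.
# Initialised explicitly so the later length check never sees an unset name.
FIPS_CONFLICTS=()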
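# Pick the pinned FIPS/ctaocrypt tags and remotes for the requested platform.
# An empty or missing argument selects linux; anything unknown prints usage
# and exits non-zero so a typo never silently tests the wrong pins.
PLATFORM=${1:-linux}
case "$PLATFORM" in
  ios)
    FIPS_VERSION=$IOS_FIPS_VERSION
    FIPS_REPO=$IOS_FIPS_REPO
    CTAO_VERSION=$IOS_CTAO_VERSION
    CTAO_REPO=$IOS_CTAO_REPO
    ;;
  android)
    FIPS_VERSION=$ANDROID_FIPS_VERSION
    FIPS_REPO=$ANDROID_FIPS_REPO
    CTAO_VERSION=$ANDROID_CTAO_VERSION
    CTAO_REPO=$ANDROID_CTAO_REPO
    ;;
  windows)
    FIPS_VERSION=$WINDOWS_FIPS_VERSION
    FIPS_REPO=$WINDOWS_FIPS_REPO
    CTAO_VERSION=$WINDOWS_CTAO_VERSION
    CTAO_REPO=$WINDOWS_CTAO_REPO
    ;;
  freertos)
    FIPS_VERSION=$FREERTOS_FIPS_VERSION
    FIPS_REPO=$FREERTOS_FIPS_REPO
    CTAO_VERSION=$FREERTOS_CTAO_VERSION
    CTAO_REPO=$FREERTOS_CTAO_REPO
    ;;
  openrtos-3.9.2)
    FIPS_VERSION=$OPENRTOS_3_9_2_FIPS_VERSION
    FIPS_REPO=$OPENRTOS_3_9_2_FIPS_REPO
    CTAO_VERSION=$OPENRTOS_3_9_2_CTAO_VERSION
    CTAO_REPO=$OPENRTOS_3_9_2_CTAO_REPO
    # wolfCrypt sources that clash by basename in this platform's build and
    # are renamed with a wc_ prefix after the test run.
    FIPS_CONFLICTS=( aes hmac random sha256 )
    ;;
  linux)
    FIPS_VERSION=$LINUX_FIPS_VERSION
    FIPS_REPO=$LINUX_FIPS_REPO
    CTAO_VERSION=$LINUX_CTAO_VERSION
    CTAO_REPO=$LINUX_CTAO_REPO
    ;;
  *)
    Usage
    exit 1
    ;;
esac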
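# Work in a scratch clone of the current tree so nothing below touches the
# real checkout. The original echo passed "\n" literally (bash echo does not
# interpret escapes), so diagnostics now go through printf, to stderr.
if ! git clone . "$TEST_DIR"; then
  printf '\n\n%s\n\n' "Couldn't duplicate current working directory." >&2
  exit 1
fi
# Every later path is relative to the scratch tree; bail if we cannot enter it.
pushd "$TEST_DIR" || exit 1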
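# Clone the cyassl/ctaocrypt release the FIPS module was last tested with
# and overlay its wolfCrypt module sources and headers onto the scratch tree.
if ! git clone -b "$CTAO_VERSION" "$CTAO_REPO" old-tree; then
  printf '\n\n%s\n\n' "Couldn't checkout the FIPS release." >&2
  exit 1
fi
# A failed copy would leave the current (untested) module in place and the
# run would then validate the wrong code, so each copy is checked.
for MOD in "${WC_MODS[@]}"; do
  cp -- "old-tree/$WC_SRC_PATH/${MOD}.c" "$WC_SRC_PATH" || exit 1
  cp -- "old-tree/$WC_INC_PATH/${MOD}.h" "$WC_INC_PATH" || exit 1
done
# Temporary: random.c/random.h are taken from the separate v3.6.0 release
# rather than from $CTAO_VERSION. The checkout is checked so a missing tag
# cannot silently leave the $CTAO_VERSION copy in place.
pushd old-tree || exit 1
git checkout v3.6.0 || exit 1
popd
cp -- "old-tree/$WC_SRC_PATH/random.c" "$WC_SRC_PATH" || exit 1
cp -- "old-tree/$WC_INC_PATH/random.h" "$WC_INC_PATH" || exit 1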
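# Clone the approved FIPS module sources at the pinned tag and drop them into
# the wolfCrypt source tree.
# NOTE(review): -b pins a tag name, not a commit; if the tag were moved the
# run would test different module sources without any indication here —
# consider recording or verifying the checked-out commit.
if ! git clone -b "$FIPS_VERSION" "$FIPS_REPO" fips; then
  printf '\n\n%s\n\n' "Couldn't checkout the FIPS repository." >&2
  exit 1
fi
for SRC in "${FIPS_SRCS[@]}"; do
  cp -- "fips/$SRC" "$WC_SRC_PATH" || exit 1
done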
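# Build with FIPS enabled. autogen/configure failures used to fall through to
# a confusing make error; they now stop the run at the real cause.
./autogen.sh || exit 1
./configure --enable-fips || exit 1
if ! make; then
  printf '\n\n%s\n' "Make failed. Debris left for analysis." >&2
  exit 1
fi
# testwolfcrypt is expected to print a "hash = <value>" line; that value is
# written into the quoted string fips_test.c embeds, then the tree is cleaned
# so the test run below is built against the updated value.
NEWHASH=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
if [ -n "$NEWHASH" ]; then
  # NEWHASH is interpolated into the sed replacement; presumably a hex
  # digest, so no '/' or '&' is expected — TODO confirm if the output format
  # of testwolfcrypt changes.
  sed -i.bak "s/^\".*\";/\"${NEWHASH}\";/" "$WC_SRC_PATH/fips_test.c" || exit 1
  make clean
fi
if ! make test; then
  printf '\n\n%s\n' "Test failed. Debris left for analysis." >&2
  exit 1
fi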
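# Platforms whose build cannot cope with duplicate basenames populate
# FIPS_CONFLICTS above; rename those wolfCrypt sources with a wc_ prefix.
# NOTE(review): the scratch tree, renamed files included, is removed right
# below, so the rename is only observable when an earlier step left debris
# or the cleanup is skipped — confirm that is the intent.
if [ "${#FIPS_CONFLICTS[@]}" -ne 0 ]; then
  echo "Due to the way this package is compiled by the customer duplicate"
  echo "source file names are an issue, renaming:"
  for FNAME in "${FIPS_CONFLICTS[@]}"; do
    echo "wolfcrypt/src/$FNAME.c to wolfcrypt/src/wc_$FNAME.c"
    mv -- "./wolfcrypt/src/$FNAME.c" "./wolfcrypt/src/wc_$FNAME.c" || exit 1
  done
  echo "Confirming files were renamed..."
  ls -la ./wolfcrypt/src/wc_*.c
fi
# Clean up: leave the scratch tree and delete it. "${TEST_DIR:?}" aborts
# instead of running rm -rf against an empty path.
popd
rm -rf -- "${TEST_DIR:?}"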