
Commit b9dbd86

committed
FIPS Check Script with Explicit Versioning
1. Remove the case block deciding whether or not to check out the wolfcrypt files; it is redundant, as the current setup no longer needs it. 2. Comment reflow. Changes due to peer review: 3. Change the check for the temp mytag branches to use a git command that provides an exact match, rather than a grep check that can be fooled by partial matches. 4. Change the fips repo file checkout to work the same way as the wolfcrypt files: each file in the copy list is tagged with its revision.
1 parent 3e93c5e commit b9dbd86

1 file changed

Lines changed: 61 additions & 62 deletions

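--- a/fips-check.sh
+++ b/fips-check.sh
@@ -46,12 +46,12 @@ done
 case "$FLAVOR" in
 linuxv2|fipsv2-OE-ready|solaris)
 FIPS_OPTION='v2'
-FIPS_FILES=('WCv4-stable'
-'wolfcrypt/src/fips.c'
-'wolfcrypt/src/fips_test.c'
-'wolfcrypt/src/wolfcrypt_first.c'
-'wolfcrypt/src/wolfcrypt_last.c'
-'wolfssl/wolfcrypt/fips.h'
+FIPS_FILES=(
+'wolfcrypt/src/fips.c:WCv4-stable'
+'wolfcrypt/src/fips_test.c:WCv4-stable'
+'wolfcrypt/src/wolfcrypt_first.c:WCv4-stable'
+'wolfcrypt/src/wolfcrypt_last.c:WCv4-stable'
+'wolfssl/wolfcrypt/fips.h:WCv4-stable'
 )
 WOLFCRYPT_FILES=(
 'wolfcrypt/src/aes.c:WCv4-stable'
@@ -86,7 +86,7 @@ linuxv2|fipsv2-OE-ready|solaris)
 netbsd-selftest)
 # non-FIPS, CAVP only but pull in selftest
 FIPS_OPTION='cavp-selftest'
-FIPS_FILES=('v3.14.2b' 'wolfcrypt/src/selftest.c')
+FIPS_FILES=('wolfcrypt/src/selftest.c:v3.14.2b')
 WOLFCRYPT_FILES=(
 'wolfcrypt/src/aes.c:v3.14.2'
 'wolfcrypt/src/dh.c:v3.14.2'
@@ -113,7 +113,7 @@ netbsd-selftest)
 marvell-linux-selftest)
 # non-FIPS, CAVP only but pull in selftest
 FIPS_OPTION='cavp-selftest-v2'
-FIPS_FILES=('v3.14.2b' 'wolfcrypt/src/selftest.c')
+FIPS_FILES=('wolfcrypt/src/selftest.c:v3.14.2b')
 WOLFCRYPT_FILES=(
 'wolfcrypt/src/aes.c:v4.1.0-stable'
 'wolfcrypt/src/dh.c:v4.1.0-stable'
@@ -139,12 +139,12 @@ marvell-linux-selftest)
 ;;
 linuxv5)
 FIPS_OPTION='v5'
-FIPS_FILES=('WCv5.0-RC12'
-'wolfcrypt/src/fips.c'
-'wolfcrypt/src/fips_test.c'
-'wolfcrypt/src/wolfcrypt_first.c'
-'wolfcrypt/src/wolfcrypt_last.c'
-'wolfssl/wolfcrypt/fips.h'
+FIPS_FILES=(
+'wolfcrypt/src/fips.c:WCv5.0-RC12'
+'wolfcrypt/src/fips_test.c:WCv5.0-RC12'
+'wolfcrypt/src/wolfcrypt_first.c:WCv5.0-RC12'
+'wolfcrypt/src/wolfcrypt_last.c:WCv5.0-RC12'
+'wolfssl/wolfcrypt/fips.h:WCv5.0-RC12'
 )
 WOLFCRYPT_FILES=(
 'wolfcrypt/src/aes.c:WCv5.0-RC12'
@@ -180,24 +180,24 @@ linuxv5)
 ;;
 fips-ready|fips-dev)
 FIPS_OPTION='ready'
-FIPS_FILES=('master'
-'wolfcrypt/src/fips.c'
-'wolfcrypt/src/fips_test.c'
-'wolfcrypt/src/wolfcrypt_first.c'
-'wolfcrypt/src/wolfcrypt_last.c'
-'wolfssl/wolfcrypt/fips.h'
+FIPS_FILES=(
+'wolfcrypt/src/fips.c:master'
+'wolfcrypt/src/fips_test.c:master'
+'wolfcrypt/src/wolfcrypt_first.c:master'
+'wolfcrypt/src/wolfcrypt_last.c:master'
+'wolfssl/wolfcrypt/fips.h:master'
 )
 WOLFCRYPT_FILES=()
 if [ "$FLAVOR" = 'fips-dev' ]; then FIPS_OPTION='dev'; fi
 ;;
 wolfrand)
 FIPS_OPTION='rand'
-FIPS_FILES=('WRv4-stable'
-'wolfcrypt/src/fips.c'
-'wolfcrypt/src/fips_test.c'
-'wolfcrypt/src/wolfcrypt_first.c'
-'wolfcrypt/src/wolfcrypt_last.c'
-'wolfssl/wolfcrypt/fips.h'
+FIPS_FILES=(
+'wolfcrypt/src/fips.c:WRv4-stable'
+'wolfcrypt/src/fips_test.c:WRv4-stable'
+'wolfcrypt/src/wolfcrypt_first.c:WRv4-stable'
+'wolfcrypt/src/wolfcrypt_last.c:WRv4-stable'
+'wolfssl/wolfcrypt/fips.h:WRv4-stable'
 )
 WOLFCRYPT_FILES=(
 'wolfcrypt/src/hmac.c:WCv4-stable'
@@ -213,35 +213,45 @@ wolfrand)
 exit 1
 esac
 
-# checkout_files takes an array of pairs of file paths and git tags to checkout.
-# It will check to see if mytag exists and if not will make that tag a branch.
+# checkout_files takes an array of pairs of file paths and git tags to
+# checkout. It will check to see if mytag exists and if not will make that
+# tag a branch.
 function checkout_files() {
+local name
+local tag
 for file_entry in "$@"
 do
-local name=${file_entry%%:*}
-local tag=${file_entry#*:}
-if ! $GIT branch --list | grep --quiet "my$tag"
+name=${file_entry%%:*}
+tag=${file_entry#*:}
+if ! $GIT rev-parse -q --verify "my$tag" >/dev/null
 then
 $GIT branch --no-track "my$tag" "$tag" || exit $?
 fi
 $GIT checkout "my$tag" -- "$name" || exit $?
 done
 }
 
-# copy_fips_files clones the FIPS repository. It takes an array of file paths, where
-# it breaks apart into file name and path, then copies it from the file from the fips
-# directory to the path. The first item is the name of the tag.
+# copy_fips_files takes an array of pairs of file paths and git tags to
+# checkout. It will check to see if mytag exists and if now will make that
+# tag a branch. It breaks the filepath apart into file name and path, then
+# copies it from the file from the fips directory to the path.
 function copy_fips_files() {
-local tag="$1"
-shift
-if ! $GIT clone --depth 1 -b "$tag" "$FIPS_REPO" fips
-then
-echo "fips-check: Couldn't check out $tag from FIPS repository."
-exit 1
-fi
-for file_path in "$@"
+local name
+local bname
+local dname
+local tag
+for file_entry in "$@"
 do
-cp fips/"$(basename "$file_path")" "$(dirname "$file_path")"
+name=${file_entry%%:*}
+tag=${file_entry#*:}
+bname=$(basename "$name")
+dname=$(dirname "$name")
+if ! $GIT rev-parse -q --verify "my$tag" >/dev/null
+then
+$GIT branch --no-track "my$tag" "$tag" || exit $?
+fi
+$GIT checkout "my$tag" -- "$bname" || exit $?
+cp "$bname" "../$dname"
 done
 }
 
@@ -252,27 +262,16 @@ fi
 
 pushd "$TEST_DIR" || exit 2
 
-case "$FIPS_OPTION" in
-
-*dev)
-echo "Don't need to copy in tagged wolfCrypt files for fips-dev."
-;;
-
-*ready)
-echo "Don't need to copy in tagged wolfCrypt files for FIPS Ready."
-;;
-
-cavp-selftest*|v2|rand|v5*)
-checkout_files "${WOLFCRYPT_FILES[@]}"
-;;
-
-*)
-echo "fips-check: Invalid FIPS option ${FIPS_OPTION}."
+if ! $GIT clone "$FIPS_REPO" fips
+then
+echo "fips-check: Couldn't check out FIPS repository."
 exit 1
-;;
-esac
+fi
 
-copy_fips_files "${FIPS_FILES[@]}"
+checkout_files "${WOLFCRYPT_FILES[@]}" || exit 3
+pushd fips || exit 2
+copy_fips_files "${FIPS_FILES[@]}" || exit 3
+popd || exit 2
 
 # When checking out cert 3389 ready code, NIST will no longer perform
 # new certifications on 140-2 modules. If we were to use the latest files from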
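Review bot: In the `@@ -213,35 +213,45 @@` hunk, the new `cp "$bname" "../$dname"` at the end of the copy_fips_files loop is the only command in the function without a status check, so a failed copy of any file but the last is lost: the caller's `copy_fips_files "${FIPS_FILES[@]}" || exit 3` only sees the status of the final iteration, and the build would proceed with a FIPS source file silently missing or stale. Give it the same treatment as the git calls on the lines above it, `cp -- "$bname" "../$dname" || exit $?`. The new comment above copy_fips_files also reads "if now will make that tag a branch" where the checkout_files comment it was copied from says "if not". Minor style point: `file_entry` is still an undeclared loop variable in both functions even though `name`, `tag`, `bname` and `dname` were moved to `local` declarations; `local file_entry` alongside them would keep the two functions from leaking it into the script's scope.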
