77# copy of our FIPS approved code.
88#
99# This should check out all the approved flavors. The command line
10- # option selects the flavor.
11- #
12- # $ ./fips-check [flavor] [keep]
13- #
14- # - flavor: linux (default), ios, android, windows, freertos, linux-ecc, netbsd-selftest, linuxv2, fipsv2-OE-ready, stm32l4-v2, linuxv5, fips-ready, fips-dev
15- #
16- # - keep: (default off) XXX-fips-test temp dir around for inspection
10+ # option selects the flavor. The keep option keeps the output
11+ # directory.
1712#
13+ # Some variables may be overridden on the command line.
1814
1915Usage () {
2016 cat << usageText
21- Usage: $0 flavor [keep]
17+ Usage: $0 [ flavor] [keep]
2218Flavor is one of:
2319 netbsd-selftest
2420 marvell-linux-selftest
2521 linuxv2 (FIPSv2, use for Win10)
26- stm32l4-v2 (FIPSv2, use for STM32L4)
2722 wolfrand
2823 solaris
2924 linuxv5 (current FIPS 140-3)
@@ -36,152 +31,91 @@ Example:
3631usageText
3732}
3833
39- MAKE=' make'
40-
41- # non-FIPS, CAVP only but pull in selftest
42- # will reset above variables below in flavor switch
43- NETBSD_FIPS_VERSION=v3.14.2b
44- NETBSD_FIPS_REPO=git@github.com:wolfssl/fips.git
45- NETBSD_CRYPT_VERSION=v3.14.2
46- NETBSD_CRYPT_REPO=git@github.com:wolfssl/wolfssl.git
47-
48- # non-FIPS, CAVP only but pull in selftest
49- # will reset above variables below in flavor switch
50- MARVELL_LINUX_FIPS_VERSION=v3.14.2b
51- MARVELL_LINUX_FIPS_REPO=git@github.com:wolfssl/fips.git
52- MARVELL_LINUX_CRYPT_VERSION=v4.1.0-stable
53- MARVELL_LINUX_CRYPT_REPO=git@github.com:wolfssl/wolfssl.git
54-
55- STM32L4_V2_FIPS_VERSION=WCv4.0.1-stable
56- STM32L4_V2_FIPS_REPO=git@github.com:wolfSSL/fips.git
57- STM32L4_V2_CRYPT_VERSION=WCv4.0.1-stable
34+ # These variables may be overridden on the command line.
35+ MAKE=" ${MAKE:- make} "
36+ GIT=" ${GIT:- git -c advice.detachedHead=false} "
37+ TEST_DIR=" ${TEST_DIR:- XXX-fips-test} "
38+ FLAVOR=" ${FLAVOR:- linux} "
39+ KEEP=" ${KEEP:- no} "
5840
59- FIPS_SRCS=( fips.c fips_test.c )
60- WC_MODS=( aes des3 sha sha256 sha512 rsa hmac random aes_asm )
61- TEST_DIR=XXX-fips-test
62- CRYPT_INC_PATH=undef
63- CRYPT_SRC_PATH=undef
64- RNG_VERSION=v3.6.0
65- FIPS_OPTION=undef
66- CAVP_SELFTEST_ONLY=" no"
67- GIT=" git -c advice.detachedHead=false"
68-
69- if [ " $1 " == " " ]; then FLAVOR=" undef" ; else FLAVOR=" $1 " ; fi
41+ while [ " $1 " ]; do
42+ if [ " $1 " = ' keep' ]; then KEEP=' yes' ; else FLAVOR=" $1 " ; fi
43+ shift
44+ done
7045
71- if [ " $2 " == " keep" ]; then KEEP=" yes" ; else KEEP=" no" ; fi
46+ FIPS_REPO=' git@github.com:wolfssl/fips.git'
47+ CRYPT_INC_PATH=' wolfssl/wolfcrypt'
48+ CRYPT_SRC_PATH=' wolfcrypt/src'
7249
7350case " $FLAVOR " in
74- linuxv2 | fipsv2-OE-ready)
75- FIPS_VERSION=WCv4-stable
76- FIPS_REPO=git@github.com:wolfssl/fips.git
77- CRYPT_VERSION=WCv4-stable
78- CRYPT_INC_PATH=wolfssl/wolfcrypt
79- CRYPT_SRC_PATH=wolfcrypt/src
80- WC_MODS+=( cmac dh ecc sha3 )
81- RNG_VERSION=WCv4-rng-stable
82- FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c )
83- FIPS_INCS=( fips.h )
84- FIPS_OPTION=v2
51+ linuxv2|fipsv2-OE-ready)
52+ FIPS_OPTION=' v2'
53+ FIPS_VERSION=' WCv4-stable'
54+ CRYPT_VERSION=' WCv4-stable'
55+ RNG_VERSION=' WCv4-rng-stable'
56+ WC_MODS=(' aes' ' aes_asm' ' cmac' ' des3' ' dh' ' ecc' ' hmac' ' random' ' rsa' ' sha' ' sha256' ' sha3' ' sha512' )
57+ FIPS_SRCS=(' fips.c' ' fips_test.c' ' wolfcrypt_first.c' ' wolfcrypt_last.c' )
58+ FIPS_INCS=(' fips.h' )
8559 ;;
8660netbsd-selftest)
87- FIPS_VERSION=$NETBSD_FIPS_VERSION
88- FIPS_REPO=$NETBSD_FIPS_REPO
89- CRYPT_VERSION=$NETBSD_CRYPT_VERSION
90- CRYPT_REPO=$NETBSD_CRYPT_REPO
91- FIPS_SRCS=( selftest.c )
92- WC_MODS=( dh ecc rsa dsa aes sha sha256 sha512 hmac random )
93- CRYPT_INC_PATH=wolfssl/wolfcrypt
94- CRYPT_SRC_PATH=wolfcrypt/src
95- CAVP_SELFTEST_ONLY=" yes"
96- FIPS_OPTION=" v1"
61+ # non-FIPS, CAVP only but pull in selftest
62+ FIPS_OPTION=' cavp-selftest'
63+ FIPS_VERSION=' v3.14.2b'
64+ CRYPT_VERSION=' v3.14.2'
65+ RNG_VERSION=' v3.14.2'
66+ WC_MODS=(' aes' ' dh' ' dsa' ' ecc' ' hmac' ' random' ' rsa' ' sha' ' sha256' ' sha512' )
67+ FIPS_SRCS=(' selftest.c' )
9768 ;;
9869marvell-linux-selftest)
99- FIPS_VERSION=$MARVELL_LINUX_FIPS_VERSION
100- FIPS_REPO=$MARVELL_LINUX_FIPS_REPO
101- CRYPT_VERSION=$MARVELL_LINUX_CRYPT_VERSION
102- CRYPT_REPO=$MARVELL_LINUX_CRYPT_REPO
103- FIPS_SRCS=( selftest.c )
104- WC_MODS=( dh ecc rsa dsa aes sha sha256 sha512 hmac random )
105- CRYPT_INC_PATH=wolfssl/wolfcrypt
106- CRYPT_SRC_PATH=wolfcrypt/src
107- CAVP_SELFTEST_ONLY=" yes"
108- CAVP_SELFTEST_OPTION=v2
109- FIPS_OPTION=" v1"
70+ # non-FIPS, CAVP only but pull in selftest
71+ FIPS_OPTION=' cavp-selftest-v2'
72+ FIPS_VERSION=' v3.14.2b'
73+ CRYPT_VERSION=' v4.1.0-stable'
74+ RNG_VERSION=' v4.1.0-stable'
75+ WC_MODS=(' aes' ' dh' ' dsa' ' ecc' ' hmac' ' random' ' rsa' ' sha' ' sha256' ' sha512' )
76+ FIPS_SRCS=(' selftest.c' )
11077 ;;
11178linuxv5)
112- FIPS_REPO=" git@github.com:wolfSSL/fips.git"
113- FIPS_VERSION=" WCv5.0-RC12"
114- CRYPT_REPO=" git@github.com:wolfSSL/wolfssl.git"
115- CRYPT_VERSION=" WCv5.0-RC12"
116- CRYPT_INC_PATH=" wolfssl/wolfcrypt"
117- CRYPT_SRC_PATH=" wolfcrypt/src"
118- WC_MODS=( aes sha sha256 sha512 rsa hmac random cmac dh ecc sha3 kdf
119- aes_asm sha256_asm sha512_asm )
120- RNG_VERSION=" WCv5.0-RC12"
121- FIPS_SRCS=( fips.c fips_test.c wolfcrypt_first.c wolfcrypt_last.c )
122- FIPS_INCS=( fips.h )
123- FIPS_OPTION=" v5"
124- COPY_DIRECT=( wolfcrypt/src/aes_gcm_asm.S )
79+ FIPS_OPTION=' v5'
80+ FIPS_VERSION=' WCv5.0-RC12'
81+ CRYPT_VERSION=' WCv5.0-RC12'
82+ RNG_VERSION=' WCv5.0-RC12'
83+ WC_MODS=(' aes' ' aes_asm' ' cmac' ' dh' ' ecc' ' hmac' ' kdf' ' random' ' rsa' ' sha' ' sha256' ' sha256_asm' ' sha3' ' sha512' ' sha512_asm' )
84+ FIPS_SRCS=(' fips.c' ' fips_test.c' ' wolfcrypt_first.c' ' wolfcrypt_last.c' )
85+ FIPS_INCS=(' fips.h' )
86+ COPY_DIRECT=(' wolfcrypt/src/aes_gcm_asm.S' )
12587 ;;
12688fips-ready)
127- FIPS_REPO=" git@github.com:wolfSSL/fips.git"
128- FIPS_VERSION=" master"
129- CRYPT_INC_PATH=wolfssl/wolfcrypt
130- CRYPT_SRC_PATH=wolfcrypt/src
131- FIPS_SRCS=( fips.c fips_test.c wolfcrypt_first.c wolfcrypt_last.c )
132- FIPS_INCS=( fips.h )
133- FIPS_OPTION=ready
89+ FIPS_OPTION=' ready'
90+ FIPS_VERSION=' master'
91+ FIPS_SRCS=(' fips.c' ' fips_test.c' ' wolfcrypt_first.c' ' wolfcrypt_last.c' )
92+ FIPS_INCS=(' fips.h' )
13493 ;;
13594fips-dev)
136- FIPS_REPO=" git@github.com:wolfSSL/fips.git"
137- FIPS_VERSION=" master"
138- CRYPT_INC_PATH=wolfssl/wolfcrypt
139- CRYPT_SRC_PATH=wolfcrypt/src
140- FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c )
141- FIPS_INCS=( fips.h )
142- FIPS_OPTION=dev
143- ;;
144-
145- stm32l4-v2)
146- FIPS_VERSION=$STM32L4_V2_FIPS_VERSION
147- FIPS_REPO=$STM32L4_V2_FIPS_REPO
148- CRYPT_VERSION=$STM32L4_V2_CRYPT_VERSION
149- CRYPT_INC_PATH=wolfssl/wolfcrypt
150- CRYPT_SRC_PATH=wolfcrypt/src
151- # Replace the WC_MODS list for now. Do not want to copy over random.c yet.
152- WC_MODS=( aes des3 sha sha256 sha512 rsa hmac )
153- WC_MODS+=( cmac dh ecc )
154- FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c )
155- FIPS_INCS=( fips.h )
156- FIPS_OPTION=v2
95+ FIPS_OPTION=' dev'
96+ FIPS_VERSION=' master'
97+ FIPS_SRCS=(' fips.c' ' fips_test.c' ' wolfcrypt_first.c' ' wolfcrypt_last.c' )
98+ FIPS_INCS=(' fips.h' )
15799 ;;
158100wolfrand)
159- FIPS_REPO=git@github.com:wolfssl/fips.git
160- FIPS_VERSION=WRv4-stable
161- CRYPT_REPO=git@github.com:wolfssl/wolfssl.git
162- CRYPT_VERSION=WCv4-stable
163- CRYPT_INC_PATH=wolfssl/wolfcrypt
164- CRYPT_SRC_PATH=wolfcrypt/src
165- RNG_VERSION=WCv4-rng-stable
166- WC_MODS=( hmac sha256 random )
167- FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c )
168- FIPS_INCS=( fips.h )
169- FIPS_OPTION=rand
101+ FIPS_OPTION=' rand'
102+ FIPS_VERSION=' WRv4-stable'
103+ CRYPT_VERSION=' WCv4-stable'
104+ RNG_VERSION=' WCv4-rng-stable'
105+ WC_MODS=(' hmac' ' random' ' sha256' )
106+ FIPS_SRCS=(' fips.c' ' fips_test.c' ' wolfcrypt_first.c' ' wolfcrypt_last.c' )
107+ FIPS_INCS=(' fips.h' )
170108 ;;
171109solaris)
172- FIPS_VERSION=WCv4-stable
173- FIPS_REPO=git@github.com:wolfssl/fips.git
174- CRYPT_VERSION=WCv4-stable
175- CRYPT_INC_PATH=wolfssl/wolfcrypt
176- CRYPT_SRC_PATH=wolfcrypt/src
177- WC_MODS+=( cmac dh ecc sha3 )
178- RNG_VERSION=WCv4-rng-stable
179- FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c )
180- FIPS_INCS=( fips.h )
181- FIPS_OPTION=v2
182- MAKE=gmake
110+ FIPS_OPTION=' v2'
111+ FIPS_VERSION=' WCv4-stable'
112+ CRYPT_VERSION=' WCv4-stable'
113+ RNG_VERSION=' WCv4-rng-stable'
114+ WC_MODS=(' aes' ' aes_asm' ' cmac' ' des3' ' dh' ' ecc' ' hmac' ' random' ' rsa' ' sha' ' sha256' ' sha3' ' sha512' )
115+ FIPS_SRCS=(' fips.c' ' fips_test.c' ' wolfcrypt_first.c' ' wolfcrypt_last.c' )
116+ FIPS_INCS=(' fips.h' )
117+ MAKE=' gmake'
183118 ;;
184-
185119* )
186120 Usage
187121 exit 1
@@ -203,35 +137,8 @@ case "$FIPS_OPTION" in
203137* ready)
204138 echo " Don't need to copy in tagged wolfCrypt files for FIPS Ready."
205139 ;;
206- v1)
207- # make a clone of the last FIPS release tag
208- if ! $GIT clone --depth 1 -b " $CRYPT_VERSION " " $CRYPT_REPO " old-tree; then
209- echo " fips-check: Couldn't checkout the FIPS release."
210- exit 1
211- fi
212-
213- for MOD in " ${WC_MODS[@]} "
214- do
215- cp " old-tree/$CRYPT_SRC_PATH /${MOD} .c" " $CRYPT_SRC_PATH "
216- cp " old-tree/$CRYPT_INC_PATH /${MOD} .h" " $CRYPT_INC_PATH "
217- done
218-
219- # We are using random.c from a separate release.
220- # This is forcefully overwriting any other checkout of the cyassl sources.
221- # Removing this as default behavior for SGX and netos projects.
222- if [ " $CAVP_SELFTEST_ONLY " == " no" ] && [ " $FLAVOR " != " sgx" ] && \
223- [ " $FLAVOR " != " netos-7.6" ];
224- then
225- pushd old-tree || exit 2
226- $GIT fetch origin " $RNG_VERSION " || exit $?
227- $GIT checkout FETCH_HEAD || exit $?
228- popd || exit 2
229- cp " old-tree/$CRYPT_SRC_PATH /random.c" " $CRYPT_SRC_PATH "
230- cp " old-tree/$CRYPT_INC_PATH /random.h" " $CRYPT_INC_PATH "
231- fi
232- ;;
233140
234- v2|rand|v5* )
141+ cavp-selftest * | v2|rand|v5* )
235142 $GIT branch --no-track " my$CRYPT_VERSION " " $CRYPT_VERSION " || exit $?
236143 # Checkout the fips versions of the wolfCrypt files from the repo.
237144 for MOD in " ${WC_MODS[@]} "
@@ -272,18 +179,18 @@ esac
272179
273180# clone the FIPS repository
274181case " $FIPS_OPTION " in
275- * dev)
276- if ! $GIT clone --depth 1 " $FIPS_REPO " fips; then
277- echo " fips-check: Couldn't check out the FIPS repository for fips-dev."
278- exit 1
279- fi
280- ;;
281- * )
282- if ! $GIT clone --depth 1 -b " $FIPS_VERSION " " $FIPS_REPO " fips; then
283- echo " fips-check: Couldn't check out ${FIPS_VERSION} from repository ${FIPS_REPO} ."
284- exit 1
285- fi
286- ;;
182+ * dev)
183+ if ! $GIT clone --depth 1 " $FIPS_REPO " fips; then
184+ echo " fips-check: Couldn't check out the FIPS repository for fips-dev."
185+ exit 1
186+ fi
187+ ;;
188+ * )
189+ if ! $GIT clone --depth 1 -b " $FIPS_VERSION " " $FIPS_REPO " fips; then
190+ echo " fips-check: Couldn't check out ${FIPS_VERSION} from repository ${FIPS_REPO} ."
191+ exit 1
192+ fi
193+ ;;
287194esac
288195
289196for SRC in " ${FIPS_SRCS[@]} "
302209# Since OE additions can still be processed for cert3389 we will call 140-2
303210# ready "fipsv2-OE-ready" indicating it is ready to use for an OE addition but
304211# would not be good for a new certification effort with the latest files.
305- if [ " $FLAVOR " = " fipsv2-OE-ready" ]; then
212+ if [ " $FLAVOR " = ' fipsv2-OE-ready' ]; then
306213 OLD_VERSION=" return \" v4.0.0-alpha\" ;"
307214 OE_READY_VERSION=" return \" fipsv2-OE-ready\" ;"
308215 cp " ${CRYPT_SRC_PATH} /fips.c" " ${CRYPT_SRC_PATH} /fips.c.bak"
311218
312219# run the make test
313220./autogen.sh
314- if [ " $CAVP_SELFTEST_ONLY " == " yes " ] ;
315- then
316- if [ " $CAVP_SELFTEST_OPTION " == " v2 " ]
317- then
318- ./configure --enable-selftest=v2
319- else
320- ./configure --enable-selftest
321- fi
322- else
221+
222+ case " $FIPS_OPTION " in
223+ cavp-selftest)
224+ ./configure --enable-selftest
225+ ;;
226+ cavp-selftest-v2)
227+ ./configure --enable-selftest=v2
228+ ;;
229+ * )
323230 ./configure --enable-fips=$FIPS_OPTION
324- fi
325- if ! $MAKE ; then
231+ ;;
232+ esac
233+
234+ if ! $MAKE
235+ then
326236 echo " fips-check: Make failed. Debris left for analysis."
327237 exit 3
328238fi
329239
330- if [ " $CAVP_SELFTEST_ONLY " == " no " ] ;
240+ if [ -s " ${CRYPT_SRC_PATH} /fips_test.c " ]
331241then
332242 NEWHASH=$( ./wolfcrypt/test/testwolfcrypt | sed -n ' s/hash = \(.*\)/\1/p' )
333243 if [ -n " $NEWHASH " ]; then
@@ -337,27 +247,15 @@ then
337247 fi
338248fi
339249
340- if ! $MAKE test ; then
250+ if ! $MAKE check
251+ then
341252 echo " fips-check: Test failed. Debris left for analysis."
342253 exit 3
343254fi
344255
345- if [ ${# FIPS_CONFLICTS[@]} -ne 0 ];
346- then
347- echo " Due to the way this package is compiled by the customer duplicate"
348- echo " source file names are an issue, renaming:"
349- for FNAME in " ${FIPS_CONFLICTS[@]} "
350- do
351- echo " wolfcrypt/src/$FNAME .c to wolfcrypt/src/wc_$FNAME .c"
352- mv " ./wolfcrypt/src/$FNAME .c" " ./wolfcrypt/src/wc_$FNAME .c"
353- done
354- echo " Confirming files were renamed..."
355- ls -la ./wolfcrypt/src/wc_* .c
356- fi
357-
358256# Clean up
359257popd || exit 2
360- if [ " $KEEP " == " no" ];
258+ if [ " $KEEP " = " no" ];
361259then
362260 rm -rf " $TEST_DIR "
363261fi
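Review bot: The new `TEST_DIR` override flows unchanged into the cleanup `rm -rf "$TEST_DIR"` at the end of the script, so an inherited or mistyped value naming an existing directory would be deleted after a run with keep off. The step that creates the directory is outside the visible hunks and may already refuse an existing path; if it does not, reject a pre-existing `TEST_DIR` before cloning and make the cleanup `rm -rf -- "${TEST_DIR:?}"`. The same block takes `GIT` and `MAKE` from the environment and expands them unquoted as commands, and `NEWHASH` is read from the output of that build, so a comment such as `# GIT and MAKE are word-split on purpose; set them only from a trusted environment` would document the trust assumption. Separately, the `solaris` arm still assigns `MAKE='gmake'`, which silently discards a caller's `MAKE` override; `MAKE="${MAKE_OVERRIDE:-gmake}"` or setting it only when the caller gave none would keep the documented behaviour consistent.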