diff --git a/.gitignore b/.gitignore index a4d0f1422..f5e254412 100644 --- a/.gitignore +++ b/.gitignore @@ -43,6 +43,7 @@ fips.c fipsv2.c fips_test.c fips +selftest.c src/async.c wolfssl/async.h wolfcrypt/src/async.c diff --git a/autogen.sh b/autogen.sh index 861a90509..d9a234a88 100755 --- a/autogen.sh +++ b/autogen.sh @@ -21,6 +21,9 @@ if test -e .git; then touch ./wolfcrypt/src/fipsv2.c touch ./wolfssl/wolfcrypt/fips.h + # touch CAVP selftest files for non-selftest distribution + touch ./wolfcrypt/src/selftest.c + # touch async crypt files touch ./wolfcrypt/src/async.c touch ./wolfssl/wolfcrypt/async.h diff --git a/configure.ac b/configure.ac index f0410bb33..b2cc58389 100644 --- a/configure.ac +++ b/configure.ac @@ -1991,6 +1991,20 @@ fi AM_CONDITIONAL([BUILD_FIPS], [test "x$ENABLED_FIPS" = "xyes"]) AM_CONDITIONAL([BUILD_FIPS_V2], [test "x$FIPS_VERSION" = "xv2"]) +# SELFTEST +AC_ARG_ENABLE([selftest], + [AS_HELP_STRING([--enable-selftest],[Enable selftest, Will NOT work w/o CAVP selftest license (default: disabled)])], + [ ENABLED_SELFTEST=$enableval ], + [ ENABLED_SELFTEST=no ] + ) + +if test "x$ENABLED_SELFTEST" == "xyes" +then + AM_CFLAGS="$AM_CFLAGS -DHAVE_SELFTEST" +fi + +AM_CONDITIONAL([BUILD_SELFTEST], [test "x$ENABLED_SELFTEST" = "xyes"]) + # set sha224 default SHA224_DEFAULT=no diff --git a/fips-check.sh b/fips-check.sh index d6d88375c..ff112703a 100755 --- a/fips-check.sh +++ b/fips-check.sh @@ -18,7 +18,7 @@ function Usage() { echo "Usage: $0 [platform] [keep]" - echo "Where \"platform\" is one of linux (default), ios, android, windows, freertos, openrtos-3.9.2, linux-ecc" + echo "Where \"platform\" is one of linux (default), ios, android, windows, freertos, openrtos-3.9.2, linux-ecc, netbsd-selftest" echo "Where \"keep\" means keep (default off) XXX-fips-test temp dir around for inspection" } @@ -62,6 +62,15 @@ WC_MODS=( aes des3 sha sha256 sha512 rsa hmac random ) TEST_DIR=XXX-fips-test WC_INC_PATH=cyassl/ctaocrypt WC_SRC_PATH=ctaocrypt/src +CAVP_SELFTEST_ONLY="no" + +# non-FIPS, CAVP only but pull in selftest +# will reset above variables below in platform switch +NETBSD_FIPS_VERSION=v3.14.2 +NETBSD_FIPS_REPO=git@github.com:wolfssl/fips.git +NETBSD_CTAO_VERSION=v3.14.2 +NETBSD_CTAO_REPO=git@github.com:wolfssl/wolfssl.git + if [ "x$1" == "x" ]; then PLATFORM="linux"; else PLATFORM=$1; fi @@ -111,6 +120,17 @@ linux-ecc) CTAO_VERSION=$LINUX_ECC_CTAO_VERSION CTAO_REPO=$LINUX_ECC_CTAO_REPO ;; +netbsd-selftest) + FIPS_VERSION=$NETBSD_FIPS_VERSION + FIPS_REPO=$NETBSD_FIPS_REPO + CTAO_VERSION=$NETBSD_CTAO_VERSION + CTAO_REPO=$NETBSD_CTAO_REPO + FIPS_SRCS=( selftest.c ) + WC_MODS=( dh ecc rsa dsa aes sha sha256 sha512 hmac random ) + WC_INC_PATH=wolfssl/wolfcrypt + WC_SRC_PATH=wolfcrypt/src + CAVP_SELFTEST_ONLY="yes" + ;; *) Usage exit 1 @@ -132,11 +152,14 @@ do done # The following is temporary. We are using random.c from a separate release -pushd old-tree -git checkout v3.6.0 -popd -cp old-tree/$WC_SRC_PATH/random.c $WC_SRC_PATH -cp old-tree/$WC_INC_PATH/random.h $WC_INC_PATH +if [ "x$CAVP_SELFTEST_ONLY" == "xno" ]; +then + pushd old-tree + git checkout v3.6.0 + popd + cp old-tree/$WC_SRC_PATH/random.c $WC_SRC_PATH + cp old-tree/$WC_INC_PATH/random.h $WC_INC_PATH +fi # clone the FIPS repository git clone -b $FIPS_VERSION $FIPS_REPO fips @@ -149,14 +172,22 @@ done # run the make test ./autogen.sh -./configure --enable-fips +if [ "x$CAVP_SELFTEST_ONLY" == "xyes" ]; +then + ./configure --enable-selftest +else + ./configure --enable-fips +fi make [ $? -ne 0 ] && echo "\n\nMake failed. Debris left for analysis." && exit 1 -NEWHASH=`./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p'` -if [ -n "$NEWHASH" ]; then - sed -i.bak "s/^\".*\";/\"${NEWHASH}\";/" $WC_SRC_PATH/fips_test.c - make clean +if [ "x$CAVP_SELFTEST_ONLY" == "xno" ]; +then + NEWHASH=`./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p'` + if [ -n "$NEWHASH" ]; then + sed -i.bak "s/^\".*\";/\"${NEWHASH}\";/" $WC_SRC_PATH/fips_test.c + make clean + fi fi make test diff --git a/rpm/spec.in b/rpm/spec.in index a6cd2fa25..d21befc87 100644 --- a/rpm/spec.in +++ b/rpm/spec.in @@ -221,6 +221,7 @@ mkdir -p $RPM_BUILD_ROOT/ %{_includedir}/wolfssl/wolfcrypt/random.h %{_includedir}/wolfssl/wolfcrypt/ripemd.h %{_includedir}/wolfssl/wolfcrypt/rsa.h +%{_includedir}/wolfssl/wolfcrypt/selftest.h %{_includedir}/wolfssl/wolfcrypt/settings.h %{_includedir}/wolfssl/wolfcrypt/signature.h %{_includedir}/wolfssl/wolfcrypt/sha.h diff --git a/src/include.am b/src/include.am index 70ea200b7..89f953beb 100644 --- a/src/include.am +++ b/src/include.am @@ -68,6 +68,11 @@ src_libwolfssl_la_SOURCES += ctaocrypt/src/fips_test.c src_libwolfssl_la_SOURCES += ctaocrypt/src/wolfcrypt_last.c endif +# CAVP self test +if BUILD_SELFTEST +src_libwolfssl_la_SOURCES += wolfcrypt/src/selftest.c +endif + src_libwolfssl_la_SOURCES += \ wolfcrypt/src/hmac.c \ wolfcrypt/src/hash.c \ diff --git a/wolfcrypt/src/coding.c b/wolfcrypt/src/coding.c index 6e5f443dc..fd3cb57e1 100644 --- a/wolfcrypt/src/coding.c +++ b/wolfcrypt/src/coding.c @@ -348,7 +348,7 @@ int Base64_Encode_NoNl(const byte* in, word32 inLen, byte* out, word32* outLen) #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(HAVE_FIPS) \ - || defined(HAVE_ECC_CDH) + || defined(HAVE_ECC_CDH) || defined(HAVE_SELFTEST) static const byte hexDecode[] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index f54cbee9b..341a5826e 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -107,6 +107,9 @@ #ifdef HAVE_FIPS #include #endif +#ifdef HAVE_SELFTEST + #include +#endif #ifdef WOLFSSL_ASYNC_CRYPT #include #endif @@ -433,6 +436,13 @@ int wolfcrypt_test(void* args) (void)devId; #endif /* WOLFSSL_ASYNC_CRYPT */ +#ifdef HAVE_SELFTEST + if ( (ret = wolfCrypt_SelfTest()) != 0) + return err_sys("CAVP selftest failed!\n", ret); + else + printf("CAVP selftest passed!\n"); +#endif + if ( (ret = error_test()) != 0) return err_sys("error test failed!\n", ret); else diff --git a/wolfssl/wolfcrypt/coding.h b/wolfssl/wolfcrypt/coding.h index 1415b05c4..43bd284bc 100644 --- a/wolfssl/wolfcrypt/coding.h +++ b/wolfssl/wolfcrypt/coding.h @@ -62,7 +62,7 @@ WOLFSSL_API int Base64_Decode(const byte* in, word32 inLen, byte* out, #endif #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(HAVE_FIPS) \ - || defined(HAVE_ECC_CDH) + || defined(HAVE_ECC_CDH) || defined(HAVE_SELFTEST) WOLFSSL_API int Base16_Decode(const byte* in, word32 inLen, byte* out, word32* outLen); WOLFSSL_API diff --git a/wolfssl/wolfcrypt/include.am b/wolfssl/wolfcrypt/include.am index 3af7fa64d..c81bdd138 100644 --- a/wolfssl/wolfcrypt/include.am +++ b/wolfssl/wolfcrypt/include.am @@ -95,3 +95,7 @@ nobase_include_HEADERS+= wolfssl/wolfcrypt/sp.h nobase_include_HEADERS+= wolfssl/wolfcrypt/sp_int.h endif +if BUILD_SELFTEST +nobase_include_HEADERS+= wolfssl/wolfcrypt/selftest.h +endif + diff --git a/wolfssl/wolfcrypt/selftest.h b/wolfssl/wolfcrypt/selftest.h new file mode 100644 index 000000000..ff118c909 --- /dev/null +++ b/wolfssl/wolfcrypt/selftest.h @@ -0,0 +1,45 @@ +/* selftest.h + * + * Copyright (C) 2006-2018 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + + + +#ifndef WOLFCRYPT_SELF_TEST_H +#define WOLFCRYPT_SELF_TEST_H + +#include + + +#ifdef __cplusplus + extern "C" { +#endif + +#ifdef HAVE_SELFTEST + /* wolfCrypt self test, runs CAVP KATs */ + WOLFSSL_API int wolfCrypt_SelfTest(void); +#endif + +#ifdef __cplusplus + } /* extern "C" */ +#endif + +#endif /* WOLFCRYPT_SELF_TEST_H */ + +