From 65c0dd4f8a5a4683d4a6a83d8220c6ef2404b9ed Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Wed, 19 Nov 2014 12:00:04 -0800
Subject: [PATCH] Added fips-check script when running commit-tests.

---
 .gitignore | 1 +
 autogen.sh | 11 ++++++++++
 commit-tests.sh | 8 +++++++
 fips-check.sh | 56 +++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 76 insertions(+)
 create mode 100755 fips-check.sh

diff --git a/.gitignore b/.gitignore
index e40a82164..1e6909bdf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,6 +33,7 @@ cyassl-config
 cyassl.sublime*
 fips.c
 fips_test.c
+fips
 ctaocrypt/benchmark/benchmark
 ctaocrypt/test/testctaocrypt
 examples/client/client
diff --git a/autogen.sh b/autogen.sh
index 1a41d8942..9698b0e0f 100755
--- a/autogen.sh
+++ b/autogen.sh
@@ -11,6 +11,17 @@ if test -d .git; then
 ln -s -f ../../pre-commit.sh .git/hooks/pre-commit
 fi
 
+# Set HAVE_FIPS_SOURCE to 1 in your .profile if you have access to the FIPS
+# repository. (Hint: If you don't work for us, you don't. This will fail.)
+if test $HAVE_FIPS_SOURCE -a ! -d ./fips; then
+ git clone git@github.com:wolfSSL/fips.git
+ SAVEDIR=`pwd`
+ cd ./ctaocrypt/src
+ ln -sf ../../fips/fips.c
+ ln -sf ../../fips/fips_test.c
+ cd $SAVEDIR
+fi
+
 # If this is a source checkout then call autoreconf with error as well
 if test -d .git; then
 WARNINGS="all,error"
diff --git a/commit-tests.sh b/commit-tests.sh
index 066f1d0d5..44b54d873 100755
--- a/commit-tests.sh
+++ b/commit-tests.sh
@@ -31,4 +31,12 @@ make -j 8 test;
 RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "\n\nFull config make test failed" && exit 1
 
+if [ $HAVE_FIPS_SOURCE ];
+then
+ echo -e "\n\nTesting with FIPS release code...\n\n"
+ ./fips-check.sh
+ RESULT=$?
+ [ $RESULT -ne 0 ] && echo -e "\n\nFIPS build test failed" && exit 1
+fi
+
 exit 0
diff --git a/fips-check.sh b/fips-check.sh
new file mode 100755
index 000000000..282e0d86e
--- /dev/null
+++ b/fips-check.sh
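Review bot: The `git clone` of the FIPS repository in the new autogen.sh block is never checked, so when it fails (no access, no network) the two `ln -sf` lines still create dangling `fips.c`/`fips_test.c` symlinks in `ctaocrypt/src` and the failure only surfaces later as an obscure build error. The unquoted `$HAVE_FIPS_SOURCE` in `test $HAVE_FIPS_SOURCE -a ! -d ./fips` also collapses into a malformed `test` expression when the variable is unset (it most likely errors rather than evaluating to a clean false); commit-tests.sh's `[ $HAVE_FIPS_SOURCE ]` has the same quoting issue, though there it degrades to an ordinary false test. Giving `ln -sf` an explicit link path removes the `SAVEDIR`/`cd` round trip as well. The enclosing script continues outside the hunk, so whether an `exit 1` here is acceptable for autogen.sh as a whole cannot be confirmed from the hunk alone.
```shell
if test -n "$HAVE_FIPS_SOURCE" && test ! -d ./fips; then
    git clone git@github.com:wolfSSL/fips.git || exit 1
    ln -sf ../../fips/fips.c ctaocrypt/src/fips.c
    ln -sf ../../fips/fips_test.c ctaocrypt/src/fips_test.c
fi
```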
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+# fips-check.sh
+# This script checks the current revision of the code against the
+# previous release of the FIPS code. While wolfSSL and wolfCrypt
+# may be advancing, they must work correctly with the last tested
+# copy of our FIPS approved code.
+
+FIPS_VERSION=v3.2.6
+FIPS_REPO=git@github.com:wolfSSL/fips.git
+FIPS_SRCS=( fips.c fips_test.c )
+WC_MODS=( aes des3 sha sha256 sha512 rsa hmac random )
+TEST_DIR=XXX-fips-test
+WC_INC_PATH=cyassl/ctaocrypt
+WC_SRC_PATH=ctaocrypt/src
+
+git clone . $TEST_DIR
+[ $? -ne 0 ] && echo -e "\n\nCouldn't duplicate current working directory.\n\n" && exit 1
+
+pushd $TEST_DIR
+
+# make a clone of the last FIPS release tag
+git clone -b $FIPS_VERSION . old-tree
+[ $? -ne 0 ] && echo -e "\n\nCouldn't checkout the FIPS release.\n\n" && exit 1
+
+for MOD in ${WC_MODS[@]}
+do
+ cp old-tree/$WC_SRC_PATH/${MOD}.c $WC_SRC_PATH
+ cp old-tree/$WC_INC_PATH/${MOD}.h $WC_INC_PATH
+done
+
+# clone the FIPS repository
+git clone -b $FIPS_VERSION $FIPS_REPO fips
+[ $? -ne 0 ] && echo -e "\n\nCouldn't checkout the FIPS repository.\n\n" && exit 1
+
+for SRC in ${FIPS_SRCS[@]}
+do
+ cp fips/$SRC $WC_SRC_PATH
+done
+
+# run the make test
+./autogen.sh
+./configure --enable-fips
+make
+[ $? -ne 0 ] && echo -e "\n\nMake failed. Debris left for analysis." && exit 1
+
+NEWHASH=`./ctaocrypt/test/testctaocrypt | sed -n 's/hash = \(.*\)/\1/p'`
+sed -i.bak "s/^\".*\";/\"${NEWHASH}\";/" $WC_SRC_PATH/fips_test.c
+
+make test
+[ $? -ne 0 ] && echo -e "\n\nTest failed. Debris left for analysis." && exit 1
+
+# Clean up
+popd
+rm -rf $TEST_DIR
+
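Review bot: `NEWHASH` is written into `fips_test.c` without any check, so if `testctaocrypt` prints no `hash = ` line (binary missing, or it aborted for an unrelated reason) the `sed -i.bak` replaces the in-core verification string with an empty `"";` and the problem only surfaces as an opaque `make test` failure; add `[ -z "$NEWHASH" ] && echo -e "\n\nCouldn't read the in-core hash from testctaocrypt.\n\n" && exit 1` before the `sed`, and note that because the expected hash is recomputed from whatever was just built, this test can only fail on the self-tests that follow, never on the hash itself. The `s/^\".*\";/` pattern rewrites every line of `fips_test.c` that starts with a double-quoted string, so it should be anchored to the one line holding the hash if that file contains others (cannot confirm from here). On failure the script intentionally leaves `XXX-fips-test` in the working tree, but that directory contains a clone of the private FIPS repository and is not covered by the `.gitignore` hunk (which only adds `fips`), so a later `git add -A` would stage it. `pushd`, `./autogen.sh`, `./configure` and the `cp` loops are unchecked, and the loops expand `${WC_MODS[@]}`/`${FIPS_SRCS[@]}` unquoted; checking them with the script's own `[ $? -ne 0 ] && … && exit 1` idiom and quoting the arrays would keep the style consistent.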