diff --git a/.github/workflows/fips-ready.yml b/.github/workflows/fips-ready.yml
index bda18f39..9790a54b 100644
--- a/.github/workflows/fips-ready.yml
+++ b/.github/workflows/fips-ready.yml
@@ -50,7 +50,7 @@ jobs:
 - name: Build wolfProvider with FIPS Ready Bundle
 run: |
 ./scripts/build-wolfprovider.sh --fips-bundle="$FIPS_BUNDLE_PATH" \
- --fips-version=ready --wolfssl-ver=v${{matrix.wolfssl_bundle_ref}}-stable
+ --fips-check=ready --wolfssl-ver=v${{matrix.wolfssl_bundle_ref}}-stable
 - name: Run FIPS Command Tests
 run: |
diff --git a/README.md b/README.md
index 7433fdc8..8fcce246 100644
--- a/README.md
+++ b/README.md
@@ -150,7 +150,7 @@ unzip wolfssl-fips-ready.zip
 Then use the following command to build wolfProvider with FIPS enabled.
 ```
-./scripts/build-wolfprovider.sh --fips-bundle="path/to/fips-bundle" --fips-version=ready --distclean
+./scripts/build-wolfprovider.sh --fips-bundle="path/to/fips-bundle" --fips-check=ready --distclean
 ```
 ## Testing
diff --git a/scripts/build-wolfprovider.sh b/scripts/build-wolfprovider.sh
index 9488c464..d4696e98 100755
--- a/scripts/build-wolfprovider.sh
+++ b/scripts/build-wolfprovider.sh
@@ -14,10 +14,9 @@ show_help() {
 echo " --disable-err-trace No debug trace messages from library errors in wolfSSL"
 echo " --openssl-ver=VER Which version of OpenSSL to clone"
 echo " --wolfssl-ver=VER Which version of wolfSSL to clone"
- echo " --enable-fips Build wolfProvider with a cloned FIPS bundle. Cloned FIPS bundle can be changed with --fips-check"
- echo " --fips-bundle=DIR Build wolfProvider with a directory containing a wolfSSL FIPS bundle instead of cloning from GitHub. Requires a FIPS version to be given by --fips-version"
- echo " --fips-check=TAG Choose a FIPS tag to clone. May require a version to be given by --fips-version"
- echo " --fips-version=VER Choose the wolfSSL FIPS version"
+ echo " --enable-fips Build wolfProvider with a cloned FIPS bundle. Use with --fips-check to specify tag (default: v5.2.4)"
+ echo " --fips-bundle=DIR Build wolfProvider with a directory containing a wolfSSL FIPS bundle. Use with --fips-check to specify tag"
+ echo " --fips-check=TAG Choose a FIPS tag (v5.2.1, v5.2.4, linuxv5.2.1, v6.0.0, ready, etc). Automatically determines configure option"
 echo " --debian Build a Debian package"
 echo " --debian --enable-fips Build a Debian package with FIPS support"
 echo " --quicktest Disable some tests for a faster testing suite"
@@ -30,8 +29,7 @@ show_help() {
 echo " WOLFSSL_TAG wolfSSL tag to use (e.g., v5.8.0-stable)"
 echo " WOLFSSL_ISFIPS If set to 1, clones a wolfSSL FIPS bundle from GitHub"
 echo " WOLFSSL_FIPS_BUNDLE Directory containing the wolfSSL FIPS bundle to use instead of cloning from GitHub"
- echo " WOLFSSL_FIPS_VERSION Version of wolfSSL FIPS bundle (v5, v6, ready), used as an argument for --enable-fips when configuring wolfSSL"
- echo " WOLFSSL_FIPS_CHECK_TAG Tag for wolfSSL FIPS bundle (linuxv5.2.1, v6.0.0, etc), used as an argument for fips-check.sh when cloning a wolfSSL FIPS version"
+ echo " WOLFSSL_FIPS_CHECK_TAG Tag for wolfSSL FIPS bundle (v5.2.1, v5.2.4, linuxv5.2.1, v6.0.0, ready, etc). Automatically determines configure option (default: v5.2.4)"
 echo " WOLFPROV_CLEAN If set to 1, run make clean in OpenSSL, wolfSSL, and wolfProvider"
 echo " WOLFPROV_DISTCLEAN If set to 1, remove the source and install directories of OpenSSL, wolfSSL, and wolfProvider"
 echo " WOLFPROV_DEBUG If set to 1, builds OpenSSL, wolfSSL, and wolfProvider with debug options enabled"
@@ -86,7 +84,6 @@ for arg in "$@"; do
 WOLFSSL_ISFIPS=1
 ;;
 --fips-bundle=*)
- unset WOLFSSL_FIPS_CHECK_TAG
 IFS='=' read -r trash fips_bun <<< "$arg"
 if [ -z "$fips_bun" ]; then
 echo "No directory given for --fips-bundle"
@@ -95,7 +92,6 @@ for arg in "$@"; do
 WOLFSSL_FIPS_BUNDLE="$fips_bun"
 ;;
 --fips-check=*)
- unset WOLFSSL_FIPS_BUNDLE
 IFS='=' read -r trash fips_tag <<< "$arg"
 if [ -z "$fips_tag" ]; then
 echo "No tag given for --fips-check"
@@ -103,14 +99,6 @@ for arg in "$@"; do
 fi
 WOLFSSL_FIPS_CHECK_TAG="$fips_tag"
 ;;
- --fips-version=*)
- IFS='=' read -r trash fips_ver <<< "$arg"
- if [ -z "$fips_ver" ]; then
- echo "No version given for --fips-version"
- args_wrong+="$arg, "
- fi
- WOLFSSL_FIPS_VERSION="$fips_ver"
- ;;
 --debian)
 build_debian=1
 ;;
diff --git a/scripts/utils-wolfssl.sh b/scripts/utils-wolfssl.sh
index 2fc0c687..aa7b157e 100644
--- a/scripts/utils-wolfssl.sh
+++ b/scripts/utils-wolfssl.sh
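Review bot: Dropping the `--fips-version=*` arm in the `@@ -103,14` hunk leaves callers that still pass the old flag (the pre-change CI workflow and README did) to whatever the parser's fallback arm does, and that arm is outside this hunk, so the failure mode is not visible here. A short deprecation arm keeps the rejection explicit and self-describing: `--fips-version=*) echo "--fips-version was replaced by --fips-check=TAG"; args_wrong+="$arg, " ;;`. With the two `unset` lines removed in the `@@ -86` and `@@ -95` hunks, `--fips-bundle` and `--fips-check` are now additive rather than mutually exclusive, which matches the new help text but is worth a one-line comment above the `--fips-bundle=*)` arm so the next reader does not reintroduce the unset. The `for arg` loop starts and ends outside these hunks.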
@@ -26,6 +26,7 @@ WOLFSSL_TAG=${WOLFSSL_TAG:-"v5.8.2-stable"}
 WOLFSSL_SOURCE_DIR=${SCRIPT_DIR}/../wolfssl-source
 WOLFSSL_INSTALL_DIR=${SCRIPT_DIR}/../wolfssl-install
 WOLFSSL_ISFIPS=${WOLFSSL_ISFIPS:-0}
+WOLFSSL_FIPS_VERSION=${WOLFSSL_FIPS_VERSION:-"5.2.4"}
 WOLFSSL_FIPS_CONFIG_OPTS=${WOLFSSL_CONFIG_OPTS:-'--enable-opensslcoexist '}
 WOLFSSL_FIPS_CONFIG_CFLAGS=${WOLFSSL_CONFIG_CFLAGS:-"-I${OPENSSL_INSTALL_DIR}/include -DWOLFSSL_OLD_OID_SUM -DWOLFSSL_DH_EXTRA"}
 WOLFSSL_CONFIG_OPTS=${WOLFSSL_CONFIG_OPTS:-'--enable-all-crypto --with-eccminsz=192 --with-max-ecc-bits=1024 --enable-opensslcoexist --enable-sha'}
@@ -110,7 +111,7 @@ install_wolfssl() {
 do_cleanup
 exit 1
 fi
-
+ printf "\nSkipping wolfSSL installation - libwolfssl and libwolfssl-dev packages are already installed.\n"
 # Set WOLFSSL_INSTALL_DIR to system installation directory
 WOLFSSL_INSTALL_DIR="/usr"
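Review bot: `WOLFSSL_FIPS_VERSION` is given a default of `"5.2.4"` in the `@@ -26,6` hunk, but nothing else in this commit reads it any more: install_wolfssl now derives the `--enable-fips` value from `WOLFSSL_FIPS_CHECK_TAG`, and the `--fips-version` option and its help entry were removed from build-wolfprovider.sh. If it is still consumed somewhere outside the diff, the default should use the same tag form the rest of the script expects (`v5.2.4`, with the prefix); otherwise drop the line so an undocumented variable does not suggest it still controls the build. The `printf` added in the `@@ -110,7` hunk is fine as written; install_wolfssl continues outside that hunk.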
@@ -141,38 +142,96 @@ install_wolfssl() { elif [ "$WOLFSSL_DEBUG_ASN_TEMPLATE" = "1" ] && ( [ "$WOLFSSL_ISFIPS" = "1" ] || [ -n "$WOLFSSL_FIPS_BUNDLE" ] ); then WOLFSSL_FIPS_CONFIG_CFLAGS+=" -DWOLFSSL_DEBUG_ASN_TEMPLATE" fi - if [ -n "$WOLFSSL_FIPS_BUNDLE" ]; then - if [ ! -n "$WOLFSSL_FIPS_VERSION" ]; then - printf "ERROR, must specify version if using FIPS bundle (v5, v6, ready)" + if [ -n "$WOLFSSL_FIPS_BUNDLE" ] || [ "$WOLFSSL_ISFIPS" = "1" ]; then + if [ -n "$WOLFSSL_FIPS_BUNDLE" ] && [ -z "$WOLFSSL_FIPS_CHECK_TAG" ]; then + printf "ERROR, must specify tag if using FIPS bundle (v5.2.1, v5.2.4, linuxv5.2.1, v6.0.0, ready)" do_cleanup exit 1 fi - printf "using FIPS bundle ... " - CONF_ARGS+=" --enable-fips=$WOLFSSL_FIPS_VERSION" - WOLFSSL_CONFIG_OPTS=$WOLFSSL_FIPS_CONFIG_OPTS - WOLFSSL_CONFIG_CFLAGS=$WOLFSSL_FIPS_CONFIG_CFLAGS - elif [ "$WOLFSSL_ISFIPS" = "1" ]; then - printf "with FIPS ... " - if [ -n "$WOLFSSL_FIPS_VERSION" ]; then - CONF_ARGS+=" --enable-fips=$WOLFSSL_FIPS_VERSION" + + # Determine FIPS tag - use FIPS_CHECK_TAG if provided, default to v5.2.4 + local fips_tag="${WOLFSSL_FIPS_CHECK_TAG}" + fips_tag="${fips_tag:-v5.2.4}" + + # Determine configure option from tag + local fips_configure_arg="" + case "$fips_tag" in + v5.2.*|v5.3.*|v5.4.*|v5.5.*|linuxv5.*) + fips_configure_arg="v5" + ;; + v6.*|linuxv6.*) + fips_configure_arg="v6" + ;; + *) + # For ready, v5, v6, or other tags, use as-is + fips_configure_arg="$fips_tag" + ;; + esac + + if [ -n "$WOLFSSL_FIPS_BUNDLE" ]; then + printf "using FIPS bundle ${fips_tag} ... " else - CONF_ARGS+=" --enable-fips=v5" + printf "with FIPS ${fips_tag} ... " fi + CONF_ARGS+=" --enable-fips=$fips_configure_arg" WOLFSSL_CONFIG_OPTS=$WOLFSSL_FIPS_CONFIG_OPTS WOLFSSL_CONFIG_CFLAGS=$WOLFSSL_FIPS_CONFIG_CFLAGS - if [ ! -e "XXX-fips-test" ]; then - # Sometimes the system OpenSSL is different than the one we're using. 
So for the 'git' commands, we'll just use whatever the system comes with - if [ -n "$WOLFSSL_FIPS_CHECK_TAG" ]; then - LD_LIBRARY_PATH="" ./fips-check.sh "$WOLFSSL_FIPS_CHECK_TAG" keep nomakecheck >>$LOG_FILE 2>&1 + # Only run fips-check if not using a bundle + if [ -z "$WOLFSSL_FIPS_BUNDLE" ] && [ ! -e "XXX-fips-test" ]; then + # Determine which FIPS check script to use based on tag + local fips_check_script="" + case "$fips_tag" in + v5.2.*|v5.3.*|v5.4.*|v5.5.*) + fips_check_script="fips-check-PILOT.sh" + ;; + linuxv5.*|linuxv6.*) + fips_check_script="fips-check.sh" + ;; + *) + fips_check_script="fips-check.sh" + ;; + esac + + # Copy fips-check-PILOT.sh from fips-src repo if needed + if [ "$fips_check_script" = "fips-check-PILOT.sh" ] && [ ! -f "$fips_check_script" ]; then + if command -v git >/dev/null 2>&1; then + # Try to get the script from fips-src repo + if [ -d "../fips-src" ]; then + cp ../fips-src/fips-check-PILOT.sh . 2>/dev/null || true + fi + # If we still can't find it clone it temporarily + if [ ! -f "$fips_check_script" ]; then + LD_LIBRARY_PATH="" git clone --depth=1 git@github.com:wolfSSL/fips-src.git fips-src >>$LOG_FILE 2>&1 + cp fips-src/fips-check-PILOT.sh . 2>/dev/null || true + rm -rf fips-src + fi + fi + if [ ! -f "$fips_check_script" ]; then + printf "ERROR: Could not find fips-check-PILOT.sh script\n" + rm -rf ${WOLFSSL_INSTALL_DIR} + do_cleanup + exit 1 + fi + fi + + # Sometimes the system OpenSSL is different than the one we're using. + # So for the 'git' commands, we'll just use whatever the system comes with. + if [ "$fips_check_script" = "fips-check-PILOT.sh" ]; then + # PILOT script has different usage: [flavor] [keep] + LD_LIBRARY_PATH="" ./$fips_check_script "$fips_tag" keep >$LOG_FILE 2>&1 + RET_CODE=$? 
else - LD_LIBRARY_PATH="" ./fips-check.sh linuxv5.2.1 keep nomakecheck >>$LOG_FILE 2>&1 + # Regular fips-check.sh usage: [flavor] [keep] [nomakecheck] + LD_LIBRARY_PATH="" ./$fips_check_script "$fips_tag" keep nomakecheck >$LOG_FILE 2>&1 + RET_CODE=$? fi - if [ $? != 0 ]; then - printf "ERROR checking out FIPS\n" + if [ $RET_CODE != 0 ]; then + printf "ERROR checking out FIPS (return code: $RET_CODE)\n" rm -rf ${WOLFSSL_INSTALL_DIR} do_cleanup exit 1 fi + (cd XXX-fips-test && ./autogen.sh && ./configure ${CONF_ARGS} ${WOLFSSL_CONFIG_OPTS} CFLAGS="${WOLFSSL_CONFIG_CFLAGS}" && make && ./fips-hash.sh) >>$LOG_FILE 2>&1 if [ $? != 0 ]; then printf "ERROR compiling FIPS version of wolfSSL\n" @@ -181,7 +240,10 @@ install_wolfssl() { exit 1 fi fi - cd XXX-fips-test + # Change to test directory for FIPS builds + if [ -n "$WOLFSSL_FIPS_BUNDLE" ] || [ "$WOLFSSL_ISFIPS" = "1" ]; then + cd XXX-fips-test + fi fi ./configure ${CONF_ARGS} ${WOLFSSL_CONFIG_OPTS} CFLAGS="${WOLFSSL_CONFIG_CFLAGS}" >>$LOG_FILE 2>&1 @@ -215,10 +277,20 @@ install_wolfssl() { do_cleanup exit 1 fi + printf "Done.\n" + if [ "$WOLFSSL_ISFIPS" = "1" ]; then + printf "\tTesting wolfSSL FIPS ${WOLFSSL_TAG} ... " + make test >>$LOG_FILE 2>&1 + if [ $? != 0 ]; then + printf "ERROR.\n" + rm -rf ${WOLFSSL_INSTALL_DIR} + do_cleanup + exit 1 + fi cd .. + printf "Done.\n" fi - printf "Done.\n" fi cd ..
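Review bot: Both new `./$fips_check_script` invocations redirect with `>$LOG_FILE 2>&1`, which truncates the log that every other step (including the old `fips-check.sh` line being replaced) appends to with `>>`, so after a checkout failure the earlier OpenSSL/wolfSSL output is gone. Restore the append on both lines: `LD_LIBRARY_PATH="" ./$fips_check_script "$fips_tag" keep nomakecheck >>$LOG_FILE 2>&1`. Separately, `fips_tag` and `RET_CODE` are expanded inside printf format strings (`printf "using FIPS bundle ${fips_tag} ... "`, `printf "ERROR checking out FIPS (return code: $RET_CODE)\n"`); the tag comes straight from the command line, so pass it as an argument instead, e.g. `printf 'using FIPS bundle %s ... ' "$fips_tag"`. The `git clone` of fips-src uses the `git@github.com:` SSH URL, so on a runner without a deploy key the clone fails into the log, the `cp ... || true` silences the follow-up, and the only visible message is "Could not find fips-check-PILOT.sh"; printing the clone failure before falling through would make that diagnosable. The enclosing install_wolfssl function starts and ends outside the hunk.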
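Review bot: The conditional `cd XXX-fips-test` in the `@@ -181,7` hunk is unchecked, so when `WOLFSSL_FIPS_BUNDLE` points at a tree without an `XXX-fips-test` subdirectory the script stays in the source root and the `./configure` on the following context line configures the non-FIPS tree with no error. Guard it: `cd XXX-fips-test || { printf "ERROR: XXX-fips-test not found\n"; do_cleanup; exit 1; }`. The enclosing block starts outside the hunk.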
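Review bot: In the `@@ -215,10` hunk the `cd ..` context line now sits inside the new `if [ "$WOLFSSL_ISFIPS" = "1" ]` block, so a build driven by `WOLFSSL_FIPS_BUNDLE` alone — which entered `XXX-fips-test` under the `-n "$WOLFSSL_FIPS_BUNDLE"` condition earlier in the same function — never leaves that directory, and the trailing `cd ..` lands one level too deep; the condition here should mirror the one used for entering the directory, or the `cd ..` should move after the new `fi`. If the enclosing block's own `fi` is among the context lines lost in this collapsed hunk that reading is wrong, so confirm with `bash -n scripts/utils-wolfssl.sh`. `${WOLFSSL_TAG}` is also expanded inside a printf format string; `printf '\tTesting wolfSSL FIPS %s ... ' "$WOLFSSL_TAG"` avoids that. install_wolfssl ends outside the hunk.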