Merge pull request #1394 from cconlon/selftest

Add CAVP-only Self Test for special build

.gitignore

@@ -43,6 +43,7 @@ fips.c
 fipsv2.c
 fips_test.c
 fips
+selftest.c
 src/async.c
 wolfssl/async.h
 wolfcrypt/src/async.c

autogen.sh

@@ -21,6 +21,9 @@ if test -e .git; then
   touch ./wolfcrypt/src/fipsv2.c
   touch ./wolfssl/wolfcrypt/fips.h
 
+  # touch CAVP selftest files for non-selftest distribution
+  touch ./wolfcrypt/src/selftest.c
+
   # touch async crypt files
   touch ./wolfcrypt/src/async.c
   touch ./wolfssl/wolfcrypt/async.h

configure.ac

@@ -1991,6 +1991,20 @@ fi
 AM_CONDITIONAL([BUILD_FIPS], [test "x$ENABLED_FIPS" = "xyes"])
 AM_CONDITIONAL([BUILD_FIPS_V2], [test "x$FIPS_VERSION" = "xv2"])
 
+# SELFTEST
+AC_ARG_ENABLE([selftest],
+    [AS_HELP_STRING([--enable-selftest],[Enable selftest, Will NOT work w/o CAVP selftest license (default: disabled)])],
+    [ ENABLED_SELFTEST=$enableval ],
+    [ ENABLED_SELFTEST=no ]
+    )
+
+if test "x$ENABLED_SELFTEST" == "xyes"
+then
+    AM_CFLAGS="$AM_CFLAGS -DHAVE_SELFTEST"
+fi
+
+AM_CONDITIONAL([BUILD_SELFTEST], [test "x$ENABLED_SELFTEST" = "xyes"])
+
 
 # set sha224 default
 SHA224_DEFAULT=no

fips-check.sh

@@ -18,7 +18,7 @@
 
 function Usage() {
     echo "Usage: $0 [platform] [keep]"
-    echo "Where \"platform\" is one of linux (default), ios, android, windows, freertos, openrtos-3.9.2, linux-ecc"
+    echo "Where \"platform\" is one of linux (default), ios, android, windows, freertos, openrtos-3.9.2, linux-ecc, netbsd-selftest"
     echo "Where \"keep\" means keep (default off) XXX-fips-test temp dir around for inspection"
 }
 
@@ -62,6 +62,15 @@ WC_MODS=( aes des3 sha sha256 sha512 rsa hmac random )
 TEST_DIR=XXX-fips-test
 WC_INC_PATH=cyassl/ctaocrypt
 WC_SRC_PATH=ctaocrypt/src
+CAVP_SELFTEST_ONLY="no"
+
+# non-FIPS, CAVP only but pull in selftest
+# will reset above variables below in platform switch
+NETBSD_FIPS_VERSION=v3.14.2
+NETBSD_FIPS_REPO=git@github.com:wolfssl/fips.git
+NETBSD_CTAO_VERSION=v3.14.2
+NETBSD_CTAO_REPO=git@github.com:wolfssl/wolfssl.git
+
 
 if [ "x$1" == "x" ]; then PLATFORM="linux"; else PLATFORM=$1; fi
 
@@ -111,6 +120,17 @@ linux-ecc)
   CTAO_VERSION=$LINUX_ECC_CTAO_VERSION
   CTAO_REPO=$LINUX_ECC_CTAO_REPO
   ;;
+netbsd-selftest)
+  FIPS_VERSION=$NETBSD_FIPS_VERSION
+  FIPS_REPO=$NETBSD_FIPS_REPO
+  CTAO_VERSION=$NETBSD_CTAO_VERSION
+  CTAO_REPO=$NETBSD_CTAO_REPO
+  FIPS_SRCS=( selftest.c )
+  WC_MODS=( dh ecc rsa dsa aes sha sha256 sha512 hmac random )
+  WC_INC_PATH=wolfssl/wolfcrypt
+  WC_SRC_PATH=wolfcrypt/src
+  CAVP_SELFTEST_ONLY="yes"
+  ;;
 *)
   Usage
   exit 1
@@ -132,11 +152,14 @@ do
 done
 
 # The following is temporary. We are using random.c from a separate release
-pushd old-tree
-git checkout v3.6.0
-popd
-cp old-tree/$WC_SRC_PATH/random.c $WC_SRC_PATH
-cp old-tree/$WC_INC_PATH/random.h $WC_INC_PATH
+if [ "x$CAVP_SELFTEST_ONLY" == "xno" ];
+then
+    pushd old-tree
+    git checkout v3.6.0
+    popd
+    cp old-tree/$WC_SRC_PATH/random.c $WC_SRC_PATH
+    cp old-tree/$WC_INC_PATH/random.h $WC_INC_PATH
+fi
 
 # clone the FIPS repository
 git clone -b $FIPS_VERSION $FIPS_REPO fips
@@ -149,14 +172,22 @@ done
 
 # run the make test
 ./autogen.sh
-./configure --enable-fips
+if [ "x$CAVP_SELFTEST_ONLY" == "xyes" ];
+then
+    ./configure --enable-selftest
+else
+    ./configure --enable-fips
+fi
 make
 [ $? -ne 0 ] && echo "\n\nMake failed. Debris left for analysis." && exit 1
 
-NEWHASH=`./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p'`
-if [ -n "$NEWHASH" ]; then
-    sed -i.bak "s/^\".*\";/\"${NEWHASH}\";/" $WC_SRC_PATH/fips_test.c
-    make clean
+if [ "x$CAVP_SELFTEST_ONLY" == "xno" ];
+then
+    NEWHASH=`./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p'`
+    if [ -n "$NEWHASH" ]; then
+        sed -i.bak "s/^\".*\";/\"${NEWHASH}\";/" $WC_SRC_PATH/fips_test.c
+        make clean
+    fi
 fi
 
 make test

rpm/spec.in

@@ -221,6 +221,7 @@ mkdir -p $RPM_BUILD_ROOT/
 %{_includedir}/wolfssl/wolfcrypt/random.h
 %{_includedir}/wolfssl/wolfcrypt/ripemd.h
 %{_includedir}/wolfssl/wolfcrypt/rsa.h
+%{_includedir}/wolfssl/wolfcrypt/selftest.h
 %{_includedir}/wolfssl/wolfcrypt/settings.h
 %{_includedir}/wolfssl/wolfcrypt/signature.h
 %{_includedir}/wolfssl/wolfcrypt/sha.h

src/include.am

@@ -68,6 +68,11 @@ src_libwolfssl_la_SOURCES += ctaocrypt/src/fips_test.c
 src_libwolfssl_la_SOURCES += ctaocrypt/src/wolfcrypt_last.c
 endif
 
+# CAVP self test
+if BUILD_SELFTEST
+src_libwolfssl_la_SOURCES += wolfcrypt/src/selftest.c
+endif
+
 src_libwolfssl_la_SOURCES += \
                wolfcrypt/src/hmac.c \
                wolfcrypt/src/hash.c \

wolfcrypt/src/coding.c

@@ -348,7 +348,7 @@ int Base64_Encode_NoNl(const byte* in, word32 inLen, byte* out, word32* outLen)
 
 
 #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(HAVE_FIPS) \
-                           || defined(HAVE_ECC_CDH)
+                           || defined(HAVE_ECC_CDH) || defined(HAVE_SELFTEST)
 
 static
 const byte hexDecode[] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

wolfcrypt/test/test.c

@@ -107,6 +107,9 @@
 #ifdef HAVE_FIPS
     #include <wolfssl/wolfcrypt/fips_test.h>
 #endif
+#ifdef HAVE_SELFTEST
+    #include <wolfssl/wolfcrypt/selftest.h>
+#endif
 #ifdef WOLFSSL_ASYNC_CRYPT
     #include <wolfssl/wolfcrypt/async.h>
 #endif
@@ -433,6 +436,13 @@ int wolfcrypt_test(void* args)
     (void)devId;
 #endif /* WOLFSSL_ASYNC_CRYPT */
 
+#ifdef HAVE_SELFTEST
+    if ( (ret = wolfCrypt_SelfTest()) != 0)
+        return err_sys("CAVP selftest failed!\n", ret);
+    else
+        printf("CAVP selftest passed!\n");
+#endif
+
     if ( (ret = error_test()) != 0)
         return err_sys("error    test failed!\n", ret);
     else

wolfssl/wolfcrypt/coding.h

@@ -62,7 +62,7 @@ WOLFSSL_API int Base64_Decode(const byte* in, word32 inLen, byte* out,
 #endif
 
 #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(HAVE_FIPS) \
-                           || defined(HAVE_ECC_CDH)
+                           || defined(HAVE_ECC_CDH) || defined(HAVE_SELFTEST)
     WOLFSSL_API
     int Base16_Decode(const byte* in, word32 inLen, byte* out, word32* outLen);
     WOLFSSL_API

wolfssl/wolfcrypt/include.am

@@ -95,3 +95,7 @@ nobase_include_HEADERS+= wolfssl/wolfcrypt/sp.h
 nobase_include_HEADERS+= wolfssl/wolfcrypt/sp_int.h
 endif
 
+if BUILD_SELFTEST
+nobase_include_HEADERS+= wolfssl/wolfcrypt/selftest.h
+endif
+

wolfssl/wolfcrypt/selftest.h

@@ -0,0 +1,45 @@
+/* selftest.h
+ *
+ * Copyright (C) 2006-2018 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+
+
+#ifndef WOLFCRYPT_SELF_TEST_H
+#define WOLFCRYPT_SELF_TEST_H
+
+#include <wolfssl/wolfcrypt/types.h>
+
+
+#ifdef __cplusplus
+    extern "C" {
+#endif
+
+#ifdef HAVE_SELFTEST
+    /* wolfCrypt self test, runs CAVP KATs */
+    WOLFSSL_API int wolfCrypt_SelfTest(void);
+#endif
+
+#ifdef __cplusplus
+    } /* extern "C" */
+#endif
+
+#endif /* WOLFCRYPT_SELF_TEST_H */
+
+