From fadd8b42445dfab5deac1102552bdb2d0fd03adc Mon Sep 17 00:00:00 2001
From: Adam Langley
Date: Fri, 27 Jul 2018 15:38:36 -0700
Subject: [PATCH] Add script for showing FIPS self-test failures.

Change-Id: I6e98a518ea9a29d9de7691a430fbbbd2a504c08d
Reviewed-on: https://boringssl-review.googlesource.com/30124
Reviewed-by: Adam Langley
---
util/fipstools/break-tests.sh | 53 +++++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
create mode 100644 util/fipstools/break-tests.sh

diff --git a/util/fipstools/break-tests.sh b/util/fipstools/break-tests.sh
new file mode 100644
index 00000000..5b1cd211
--- /dev/null
+++ b/util/fipstools/break-tests.sh
@@ -0,0 +1,53 @@
+# Copyright (c) 2018, Google Inc.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+# SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+# This script exists to exercise breaking each of the FIPS tests. It builds
+# BoringSSL differently for each test and that can take a long time. Thus it's
+# run twice: once, from a BoringSSL source tree, with "build" as the sole
+# argument to run the builds, and then (from the same location) with no
+# arguments to run each script.
+#
+# Run it with /bin/bash, not /bin/sh, otherwise "read" may fail.
+
+set -x
+
+TESTS="NONE ECDSA_PWCT CRNG RSA_PWCT AES_CBC AES_GCM DES SHA_1 SHA_256 SHA_512 RSA_SIG DRBG ECDSA_SIG"
+
+if [ "x$1" = "xbuild" ]; then
+ for test in $TESTS; do
+ rm -Rf build-$test
+ mkdir build-$test
+ pushd build-$test
+ cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=${HOME}/toolchain -DFIPS=1 -DFIPS_BREAK_TEST=${test} -DCMAKE_BUILD_TYPE=Release ..
+ ninja test_fips
+ popd
+ done
+
+ exit 0
+fi
+
+for test in $TESTS; do
+ pushd build-$test
+ printf "\n\n\\x1b[1m$test\\x1b[0m\n"
+ ./fipstools/test_fips
+ echo "Waiting for keypress..."
+ read
+ popd
+done
+
+pushd build-NONE
+printf "\\x1b[1mIntegrity\\x1b[0m\n"
+go run ../util/fipstools/break-hash.go ./fipstools/test_fips ./fipstools/test_fips_broken
+./fipstools/test_fips_broken
+popd
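Review bot: Nothing in the build branch checks the result of `cmake` or `ninja test_fips`, and the branch ends in an unconditional `exit 0`, so a variant that failed to configure or compile is still reported as built. In the run loop an unchecked `pushd build-$test` then leaves the shell in the source tree, and whatever `./fipstools/test_fips` prints (or fails to find) from there appears under the heading for that break. Since the script exists to show each self-test firing, I would stop at the first failure with `pushd "build-$test" || exit 1` in both loops and `ninja test_fips || exit 1` in the build loop; a blanket `set -e` would not fit, because the broken binaries are expected to exit non-zero. The run loop also discards the exit status of `./fipstools/test_fips`, so adding `echo "exit status: $?"` directly after the call would make a break that the self-test did not catch stand out without reading the whole `set -x` trace.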