diff --git a/.github/workflows/curl.yml b/.github/workflows/curl.yml
index 1d0006d5..35e537ac 100644
--- a/.github/workflows/curl.yml
+++ b/.github/workflows/curl.yml
@@ -56,7 +56,6 @@ jobs: if: steps.wolfprov-${{ matrix.wolfssl_ref }}-cache.hit != 'true' run: | WOLFSSL_TAG=${{ matrix.wolfssl_ref }} ./scripts/build-wolfprovider.sh - make check - name: Print errors if: ${{ failure() }}
diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml
index 7eeb555c..0ecb6d72 100644
--- a/.github/workflows/nginx.yml
+++ b/.github/workflows/nginx.yml
@@ -56,7 +56,6 @@ jobs: if: steps.wolfprov-${{ matrix.wolfssl_ref }}-cache.hit != 'true' run: | WOLFSSL_TAG=${{ matrix.wolfssl_ref }} ./scripts/build-wolfprovider.sh - make check - name: Print errors if: ${{ failure() }}
diff --git a/.github/workflows/openvpn.yml b/.github/workflows/openvpn.yml
index 315b1363..848145d4 100644
--- a/.github/workflows/openvpn.yml
+++ b/.github/workflows/openvpn.yml
@@ -56,7 +56,6 @@ jobs: if: steps.wolfprov-${{ matrix.wolfssl_ref }}-cache.hit != 'true' run: | WOLFSSL_TAG=${{ matrix.wolfssl_ref }} ./scripts/build-wolfprovider.sh - make check - name: Print errors if: ${{ failure() }}
diff --git a/.github/workflows/simple.yml b/.github/workflows/simple.yml
index 931ce7b1..44324233 100644
--- a/.github/workflows/simple.yml
+++ b/.github/workflows/simple.yml
@@ -35,7 +35,6 @@ jobs: - name: Test wolfProvider run: | ${{ matrix.config }} ./scripts/build-wolfprovider.sh - make check - name: Print errors if: ${{ failure() }}
diff --git a/README.md b/README.md
index 8007eab6..b0e6fba6 100644
--- a/README.md
+++ b/README.md
@@ -50,8 +50,17 @@ wolfProvider is a library that can be used as a Provider in OpenSSL. * TLS1 PRF ## Building -The quickest method is to use the `scripts/build-wolfprovider.sh` script. It will retreive the dependencies and compile them as necessary. To use other than the default (such as different releases) you can set various environment variables prior to calling the script. An example is: - OPENSSL_TAG=openssl-3.2.0 WOLFSSL_TAG=v5.7.2-stable WOLFPROV_DEBUG=1 scripts/build-wolfprovider.sh +The quickest method is to use the `scripts/build-wolfprovider.sh` script as follows: + +``` +./scripts/build-wolfprovider.sh +``` + +It will retreive the dependencies and compile them as necessary. To use other than the default (such as different releases) you can set various environment variables prior to calling the script: + +``` +OPENSSL_TAG=openssl-3.2.0 WOLFSSL_TAG=v5.7.2-stable WOLFPROV_DEBUG=1 scripts/build-wolfprovider.sh +``` Alternatively, you can manually compile each component using the following guide.
diff --git a/scripts/build-wolfprovider.sh b/scripts/build-wolfprovider.sh
index 278a7ed2..d9478c6e 100755
--- a/scripts/build-wolfprovider.sh
+++ b/scripts/build-wolfprovider.sh
@@ -6,6 +6,23 @@ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" LOG_FILE=${SCRIPT_DIR}/build-release.log source ${SCRIPT_DIR}/utils-wolfprovider.sh +show_help() { + echo "Usage: $0" + echo "" + echo "Environment Variables:" + echo " OPENSSL_TAG OpenSSL tag to use (e.g., openssl-3.2.0)" + echo " WOLFSSL_TAG wolfSSL tag to use (e.g., v5.7.4-stable)" + echo " WOLFPROV_DEBUG If set to 1, builds OpenSSL, wolfSSL, and wolfProvider with debug options enabled" + echo " WOLFSSL_FIPS_BUNDLE Directory containing the wolfSSL FIPS bundle to use instead of cloning from GitHub" + echo " WOLFSSL_FIPS_VERSION Version of wolfSSL FIPS bundle (v5, v6, ready), used as an argument for --enable-fips when configuring wolfSSL" + echo "" +} + +if [[ "$1" == "--help" || "$1" == "-h" || "$1" == "-help" ]]; then + show_help + exit 0 +fi + echo "Using openssl: $OPENSSL_TAG, wolfssl: $WOLFSSL_TAG" init_wolfprov
diff --git a/scripts/utils-wolfprovider.sh b/scripts/utils-wolfprovider.sh
index 3abe3466..faf4e485 100755
--- a/scripts/utils-wolfprovider.sh
+++ b/scripts/utils-wolfprovider.sh
@@ -24,7 +24,7 @@ source ${SCRIPT_DIR}/utils-wolfssl.sh WOLFPROV_SOURCE_DIR=${SCRIPT_DIR}/.. WOLFPROV_INSTALL_DIR=${SCRIPT_DIR}/../wolfprov-install -if [ "$WOLFSSL_ISFIPS" -eq "1" ]; then +if [ "$WOLFSSL_ISFIPS" -eq "1" ] || [ -n "$WOLFSSL_FIPS_BUNDLE" ]; then WOLFPROV_CONFIG=${WOLFPROV_CONFIG:-"$WOLFPROV_SOURCE_DIR/provider-fips.conf"} else WOLFPROV_CONFIG=${WOLFPROV_CONFIG:-"$WOLFPROV_SOURCE_DIR/provider.conf"}
diff --git a/scripts/utils-wolfssl.sh b/scripts/utils-wolfssl.sh
index cb4a3788..f433e485 100755
--- a/scripts/utils-wolfssl.sh
+++ b/scripts/utils-wolfssl.sh
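Review bot: The help text for WOLFSSL_FIPS_BUNDLE in show_help does not say that WOLFSSL_FIPS_VERSION becomes mandatory once the bundle variable is set, which is exactly what install_wolfssl in scripts/utils-wolfssl.sh enforces with an error exit in this same commit; a reader of `--help` will hit that error without warning. Suggest `echo " WOLFSSL_FIPS_BUNDLE Directory containing the wolfSSL FIPS bundle to use instead of cloning from GitHub (requires WOLFSSL_FIPS_VERSION)"`. The new argument check also only recognises the three help spellings, so any other `$1` (a typo, or a stray option) is silently ignored and the build proceeds; an `else` branch that prints the help and exits non-zero for an unexpected argument would surface that earlier.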
@@ -33,32 +33,38 @@ WOLFPROV_DEBUG=${WOLFPROV_DEBUG:-0} # Depends on OPENSSL_INSTALL_DIR clone_wolfssl() { - if [ -d ${WOLFSSL_SOURCE_DIR} ]; then - WOLFSSL_TAG_CUR=$(cd ${WOLFSSL_SOURCE_DIR} && (git describe --tags 2>/dev/null || git branch --show-current)) - if [ "${WOLFSSL_TAG_CUR}" != "${WOLFSSL_TAG}" ]; then # force a rebuild - printf "Version inconsistency. Please fix ${WOLFSSL_SOURCE_DIR} (expected: ${WOLFSSL_TAG}, got: ${WOLFSSL_TAG_CUR})\n" - do_cleanup - exit 1 + if [ -n "$WOLFSSL_FIPS_BUNDLE" ]; then + rm -rf ${WOLFSSL_SOURCE_DIR} + mkdir ${WOLFSSL_SOURCE_DIR} + cp -pr ${WOLFSSL_FIPS_BUNDLE}/* ${WOLFSSL_SOURCE_DIR}/ + else + if [ -d ${WOLFSSL_SOURCE_DIR} ]; then + WOLFSSL_TAG_CUR=$(cd ${WOLFSSL_SOURCE_DIR} && (git describe --tags 2>/dev/null || git branch --show-current)) + if [ "${WOLFSSL_TAG_CUR}" != "${WOLFSSL_TAG}" ]; then # force a rebuild + printf "Version inconsistency. Please fix ${WOLFSSL_SOURCE_DIR} (expected: ${WOLFSSL_TAG}, got: ${WOLFSSL_TAG_CUR})\n" + do_cleanup + exit 1 + fi fi - fi - if [ ! -d ${WOLFSSL_SOURCE_DIR} ]; then - printf "\tClone wolfSSL ${WOLFSSL_TAG} ... " - if [ "$WOLFPROV_DEBUG" = "1" ]; then - git clone -b ${WOLFSSL_TAG} ${WOLFSSL_GIT} \ - ${WOLFSSL_SOURCE_DIR} >>$LOG_FILE 2>&1 - RET=$? - else - git clone --depth=1 -b ${WOLFSSL_TAG} ${WOLFSSL_GIT} \ - ${WOLFSSL_SOURCE_DIR} >>$LOG_FILE 2>&1 - RET=$? - fi - if [ $RET != 0 ]; then - printf "ERROR cloning\n" - do_cleanup - exit 1 + if [ ! -d ${WOLFSSL_SOURCE_DIR} ]; then + printf "\tClone wolfSSL ${WOLFSSL_TAG} ... " + if [ "$WOLFPROV_DEBUG" = "1" ]; then + git clone -b ${WOLFSSL_TAG} ${WOLFSSL_GIT} \ + ${WOLFSSL_SOURCE_DIR} >>$LOG_FILE 2>&1 + RET=$? + else + git clone --depth=1 -b ${WOLFSSL_TAG} ${WOLFSSL_GIT} \ + ${WOLFSSL_SOURCE_DIR} >>$LOG_FILE 2>&1 + RET=$? + fi + if [ $RET != 0 ]; then + printf "ERROR cloning\n" + do_cleanup + exit 1 + fi + printf "Done.\n" fi - printf "Done.\n" fi } 
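Review bot: The new WOLFSSL_FIPS_BUNDLE branch at the top of clone_wolfssl has none of the error handling the git-clone branch keeps: `rm -rf` wipes the existing source tree before anything confirms that `$WOLFSSL_FIPS_BUNDLE` is a directory, and the `cp` result is never checked, so a wrong path leaves an empty or partial source tree and the failure only shows up later in configure or make with a less obvious message. All three new commands also expand their variables unquoted, which breaks on paths containing spaces (the surrounding older code does the same, so fixing it here is a consistency improvement rather than a regression fix). I would validate the bundle directory up front and check the copy with the same `do_cleanup`/`exit 1` pattern the clone path uses. Nothing in this function verifies where the bundle contents came from — they are built as-is — so a one-line comment stating that the caller is responsible for obtaining the bundle from a trusted source would help the next reader.
```shell
if [ -n "$WOLFSSL_FIPS_BUNDLE" ]; then
    if [ ! -d "$WOLFSSL_FIPS_BUNDLE" ]; then
        printf "ERROR: WOLFSSL_FIPS_BUNDLE is not a directory: %s\n" "$WOLFSSL_FIPS_BUNDLE"
        do_cleanup
        exit 1
    fi
    rm -rf "${WOLFSSL_SOURCE_DIR}"
    mkdir "${WOLFSSL_SOURCE_DIR}"
    # Bundle contents are used as-is; the caller must obtain them from a trusted source.
    cp -pr "${WOLFSSL_FIPS_BUNDLE}"/* "${WOLFSSL_SOURCE_DIR}"/
    if [ $? != 0 ]; then
        printf "ERROR copying FIPS bundle\n"
        do_cleanup
        exit 1
    fi
else
    # … unchanged: existing git clone path …
fi
```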
@@ -76,7 +82,15 @@ install_wolfssl() { CONF_ARGS+=" --enable-debug --enable-debug-trace-errcodes=backtrace --enable-keylog-export" WOLFSSL_CONFIG_CFLAGS+=" -DWOLFSSL_LOGGINGENABLED_DEFAULT=1" fi - if [ "$WOLFSSL_ISFIPS" = "1" ]; then + if [ -n "$WOLFSSL_FIPS_BUNDLE" ]; then + if [ ! -n "$WOLFSSL_FIPS_VERSION" ]; then + printf "ERROR, must specify version if using FIPS bundle (v5, v6, ready)" + do_cleanup + exit 1 + fi + printf "using FIPS bundle ... " + CONF_ARGS+=" --enable-fips=$WOLFSSL_FIPS_VERSION" + elif [ "$WOLFSSL_ISFIPS" = "1" ]; then printf "with FIPS ... " CONF_ARGS+=" --enable-fips=v5" if [ ! -e "XXX-fips-test" ]; then
@@ -118,6 +132,10 @@ install_wolfssl() { fi printf "Done.\n" + if [ -n "$WOLFSSL_FIPS_BUNDLE" ]; then + ./fips-hash.sh + fi + printf "\tInstalling wolfSSL ${WOLFSSL_TAG} ... " make install >>$LOG_FILE 2>&1 if [ $? != 0 ]; then
diff --git a/test/test_rsa.c b/test/test_rsa.c
index 74b1659a..505bc42d 100644
--- a/test/test_rsa.c
+++ b/test/test_rsa.c
@@ -462,8 +462,10 @@ int test_rsa_sign_verify_x931(void *data) (void)data; +#ifndef HAVE_FIPS /* Use SHA-1 (default) for MD and MGF1 MD. */ err = test_rsa_sign_verify_pad(RSA_X931_PADDING, EVP_sha1(), NULL) == 1; +#endif #ifdef WP_HAVE_SHA256 if (err == 0) { /* Use SHA-256 for MD. */
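Review bot: `CONF_ARGS+=" --enable-fips=$WOLFSSL_FIPS_VERSION"` in the first install_wolfssl hunk forwards the variable to configure without checking it against the values the error message itself lists (v5, v6, ready), so a typo only surfaces as a configure failure buried in the log, and since CONF_ARGS is presumably word-split when handed to configure, a value containing spaces would add arbitrary extra configure options. The presence test `[ ! -n "$WOLFSSL_FIPS_VERSION" ]` is the unusual spelling of `[ -z ... ]`, and its `printf` is the only error message in the hunk without a trailing `\n`, so the next output runs onto the same line. A `case` on the allowed values covers all three points.
```shell
if [ -n "$WOLFSSL_FIPS_BUNDLE" ]; then
    case "$WOLFSSL_FIPS_VERSION" in
        v5|v6|ready) ;;
        *)
            printf "ERROR, must specify version if using FIPS bundle (v5, v6, ready)\n"
            do_cleanup
            exit 1
            ;;
    esac
    printf "using FIPS bundle ... "
    CONF_ARGS+=" --enable-fips=$WOLFSSL_FIPS_VERSION"
elif [ "$WOLFSSL_ISFIPS" = "1" ]; then
    # … unchanged: existing --enable-fips=v5 path …
```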
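Review bot: `./fips-hash.sh` in the second install_wolfssl hunk is run without checking its exit status, while `make install` two lines below does check `$?`; if the hash step fails the build continues and the installed library would presumably fail its FIPS integrity self-test at runtime instead of here, which is far harder to diagnose. Its output also goes to the terminal rather than `$LOG_FILE` like every other build step in the function. Suggest `./fips-hash.sh >>$LOG_FILE 2>&1 || { printf "ERROR updating FIPS hash\n"; do_cleanup; exit 1; }`. Depending on what fips-hash.sh does to the sources, a rebuild may be required after it runs and before `make install` — worth confirming and documenting with a comment on that line.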