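#!/usr/bin/env bash
# Bazel genrule command: build the BoringSSL FIPS module with the pinned,
# hash-verified toolchain the BoringCrypto Security Policy prescribes, run its
# tests, confirm the resulting library reports FIPS mode, and copy the static
# libraries to the two output paths Bazel passes in.
#
# Arguments:
#   $1 - destination path for libcrypto.a
#   $2 - destination path for libssl.a
# Environment:
#   Needs network access (toolchain downloads) and python3 on /usr/bin:/bin.
#   $PATH is replaced before any tool is fetched so that only the downloaded,
#   digest-checked toolchains are used for the build.
set -euo pipefail
# Cleared so the BoringSSL build does not inherit flags from the environment.
export CXXFLAGS=''
export LDFLAGS=''

# BoringSSL build as described in the Security Policy for BoringCrypto module (2022-05-06):
# https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4407.pdf

#######################################
# Print an error to stderr and abort the build.
# Arguments: $* - message (printed after an "ERROR: " prefix)
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Download a file and verify its SHA-256 digest before anything uses it.
# Arguments: $1 - URL to fetch; the file is saved under the URL's basename
#            $2 - expected SHA-256 hex digest
# Returns:   non-zero (which aborts the script under set -e) when the download
#            or the digest check fails, so a tampered or truncated archive is
#            never extracted.
#######################################
fetch_verified() {
  local url=$1
  local sha256=$2
  local file=${url##*/}
  # -f makes HTTP errors a non-zero exit instead of saving the error page
  # as the archive; -S still reports the failure despite -s.
  curl -fsSLO "$url"
  printf '%s  %s\n' "$sha256" "$file" | sha256sum --check
}

# Fail before downloading anything if Bazel did not pass both output paths.
(( $# == 2 )) || die "usage: ${0##*/} <libcrypto.a output> <libssl.a output>"

OS=$(uname)
ARCH=$(uname -m)
# This works only on Linux-x86_64 and Linux-aarch64.
if [[ "$OS" != "Linux" || ("$ARCH" != "x86_64" && "$ARCH" != "aarch64") ]]; then
  die "BoringSSL FIPS is currently supported only on Linux-x86_64 and Linux-aarch64."
fi

# Bazel magic.
# ROOT=$(dirname $(rootpath boringssl/BUILDING.md))/..
ROOT=./external/boringssl_fips
pushd "$ROOT"
# Toolchains are unpacked into the source tree root; HOME is also used for
# the generated CMake toolchain file below.
export HOME="$PWD"

# Build tools requirements (from section 11 of https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4735.pdf):
# - Clang compiler version 14.0.0 (https://releases.llvm.org/download.html)
# - Go programming language version 1.18.1 (https://golang.org/dl/)
# - Ninja build system version 1.10.2 (https://github.com/ninja-build/ninja/releases)
# - Cmake version 3.22.1 (https://cmake.org/download/)
# Override $PATH for build tools, to avoid picking up anything else.
export PATH="/usr/bin:/bin"

# Clang
VERSION=14.0.0
if [[ "$ARCH" == "x86_64" ]]; then
  PLATFORM="x86_64-linux-gnu-ubuntu-18.04"
  SHA256=61582215dafafb7b576ea30cc136be92c877ba1f1c31ddbbd372d6d65622fef5
else
  PLATFORM="aarch64-linux-gnu"
  SHA256=1792badcd44066c79148ffeb1746058422cc9d838462be07e3cb19a4b724a1ee
fi
fetch_verified "https://github.com/llvm/llvm-project/releases/download/llvmorg-$VERSION/clang+llvm-$VERSION-$PLATFORM.tar.xz" "$SHA256"
tar xf "clang+llvm-$VERSION-$PLATFORM.tar.xz" --no-same-owner
# CMake toolchain file pointing at the just-unpacked clang (resolved via PATH).
printf 'set(CMAKE_C_COMPILER "clang")\nset(CMAKE_CXX_COMPILER "clang++")\n' > "$HOME/toolchain"
export PATH="$PWD/clang+llvm-$VERSION-$PLATFORM/bin:$PATH"
if [[ "$(clang --version | head -1 | awk '{print $3}')" != "$VERSION" ]]; then
  die "Clang version doesn't match."
fi

# Go
VERSION=1.18.1
if [[ "$ARCH" == "x86_64" ]]; then
  PLATFORM="linux-amd64"
  SHA256=b3b815f47ababac13810fc6021eb73d65478e0b2db4b09d348eefad9581a2334
else
  PLATFORM="linux-arm64"
  SHA256=56a91851c97fb4697077abbca38860f735c32b38993ff79b088dac46e4735633
fi
fetch_verified "https://dl.google.com/go/go$VERSION.$PLATFORM.tar.gz" "$SHA256"
tar xf "go$VERSION.$PLATFORM.tar.gz" --no-same-owner
export GOPATH="$PWD/gopath"
export GOROOT="$PWD/go"
export PATH="$GOPATH/bin:$GOROOT/bin:$PATH"
if [[ "$(go version | awk '{print $3}')" != "go$VERSION" ]]; then
  die "Go version doesn't match."
fi

# Ninja
VERSION=1.10.2
SHA256=ce35865411f0490368a8fc383f29071de6690cbadc27704734978221f25e2bed
fetch_verified "https://github.com/ninja-build/ninja/archive/refs/tags/v$VERSION.tar.gz" "$SHA256"
tar -xvf "v$VERSION.tar.gz" --no-same-owner
cd "ninja-$VERSION"
# Ninja ships as source only; bootstrap it with the system python3.
python3 ./configure.py --bootstrap
export PATH="$PWD:$PATH"
if [[ "$(ninja --version)" != "$VERSION" ]]; then
  die "Ninja version doesn't match."
fi
cd ..

# CMake
VERSION=3.22.1
if [[ "$ARCH" == "x86_64" ]]; then
  PLATFORM="linux-x86_64"
  SHA256=73565c72355c6652e9db149249af36bcab44d9d478c5546fd926e69ad6b43640
else
  PLATFORM="linux-aarch64"
  SHA256=601443375aa1a48a1a076bda7e3cca73af88400463e166fffc3e1da3ce03540b
fi
fetch_verified "https://github.com/Kitware/CMake/releases/download/v$VERSION/cmake-$VERSION-$PLATFORM.tar.gz" "$SHA256"
tar xf "cmake-$VERSION-$PLATFORM.tar.gz" --no-same-owner
export PATH="$PWD/cmake-$VERSION-$PLATFORM/bin:$PATH"
if [[ "$(cmake --version | head -n1)" != "cmake version $VERSION" ]]; then
  die "CMake version doesn't match."
fi

# Clean after previous build.
rm -rf boringssl/build
# Build BoringSSL.
cd boringssl
# Setting -fPIC only affects the compilation of the non-module code in libcrypto.a,
# because the FIPS module itself is already built with -fPIC.
mkdir build
cd build
cmake -GNinja -DCMAKE_TOOLCHAIN_FILE="$HOME/toolchain" -DFIPS=1 -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_FLAGS="-fPIC" -DCMAKE_CXX_FLAGS="-fPIC" ..
ninja
# The `HostMatching` test contains hard-coded expired certificates and always fails due to the expiration.
# This should be removed during the next FIPS version upgrade, as the test code is fixed in later versions.
export GTEST_FILTER="-SSLTest.HostMatching"
ninja run_tests
./crypto/crypto_test
# Verify correctness of the FIPS build.
if [[ "$(tool/bssl isfips)" != "1" ]]; then
  die "BoringSSL tool didn't report FIPS build."
fi

# Move compiled libraries to the expected destinations.
# popd returns to the genrule's working directory, where $ROOT is relative to.
popd
mv -- "$ROOT/boringssl/build/crypto/libcrypto.a" "$1"
mv -- "$ROOT/boringssl/build/ssl/libssl.a" "$2"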