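#!/bin/bash
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
################################################################################


# This script builds BoringSSL as described in the security policy
# https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf
#
# Every build tool and the BoringSSL source archive are pinned to an exact
# version and checked against a hard-coded SHA-256 digest before anything is
# unpacked or executed, so a tampered or truncated download aborts the build.
# Everything is downloaded into, and built inside, the current directory.

# -e: stop at the first failing step; -u: an unset variable is an error;
# pipefail: a failure in any stage of a pipeline fails the pipeline.
set -euo pipefail

if [[ "$(uname)" != "Linux" ]]; then
  echo "ERROR: BoringSSL only supports FIPS mode in Linux." >&2
  exit 1
fi

#######################################
# Downloads a file into the current directory and verifies its digest.
# Arguments: $1 - HTTPS URL; the local file name is its last path segment
#            $2 - expected SHA-256 digest (hex)
# Returns:   non-zero (aborting the script under set -e) if the download
#            fails or the digest does not match.
#######################################
fetch_verified() {
  local url=$1
  local sha256=$2
  local file=${url##*/}

  # --fail turns an HTTP error into a curl failure instead of saving the error
  # page; --proto/--proto-redir keep the transfer on HTTPS even across the
  # redirects that -L follows.
  curl --fail --proto '=https' --proto-redir '=https' -OLsS "${url}"

  # "<digest>  <file>" (two spaces) is the checksum-line format sha256sum
  # itself prints, so --check parses it unambiguously.
  printf '%s  %s\n' "${sha256}" "${file}" | sha256sum --check
}

# Install required build tools
#
# Clang 7.0.1
CLANG_PLATFORM="x86_64-linux-gnu-ubuntu-16.04"
CLANG_SHA256SUM=02ad925add5b2b934d64c3dd5cbd1b2002258059f7d962993ba7f16524c3089c
CLANG_DIR="clang+llvm-7.0.1-${CLANG_PLATFORM}"
fetch_verified "https://releases.llvm.org/7.0.1/${CLANG_DIR}.tar.xz" "${CLANG_SHA256SUM}"

# Unpack only after the digest check above has passed.
tar -xf "${CLANG_DIR}.tar.xz"
rm -- "${CLANG_DIR}.tar.xz"

# NOTE(review): HOME is redirected to the working directory, presumably so the
# tools' per-user caches stay inside the build tree; confirm before changing.
export HOME="${PWD}"

# CMake toolchain file: names the compilers as plain "clang"/"clang++", so
# they resolve through PATH, which is why the pinned Clang's bin directory is
# prepended to PATH right below.
printf '%s\n' \
  'set(CMAKE_C_COMPILER "clang")' \
  'set(CMAKE_CXX_COMPILER "clang++")' > "${HOME}/toolchain"
export PATH="${PWD}/${CLANG_DIR}/bin:${PATH}"


# Go 1.12.7
GO_PLATFORM="linux-amd64"
GO_SHA256SUM="66d83bfb5a9ede000e33c6579a91a29e6b101829ad41fffb5c5bb6c900e109d9"
GO_ARCHIVE="go1.12.7.${GO_PLATFORM}.tar.gz"
fetch_verified "https://dl.google.com/go/${GO_ARCHIVE}" "${GO_SHA256SUM}"
tar -xf "${GO_ARCHIVE}"
rm -- "${GO_ARCHIVE}"

export PATH="${PWD}/go/bin:${PATH}"

# Ninja 1.9.0
NINJA_SHA256SUM="1b1235f2b0b4df55ac6d80bbe681ea3639c9d2c505c7ff2159a3daf63d196305"
fetch_verified \
  "https://github.com/ninja-build/ninja/releases/download/v1.9.0/ninja-linux.zip" \
  "${NINJA_SHA256SUM}"

unzip ninja-linux.zip
rm ninja-linux.zip

# The ninja binary is unpacked straight into the working directory.
export PATH="${PWD}:${PATH}"



# Download BoringSSL and verify
BORINGSSL_SHA256SUM="3b5fdf23274d4179c2077b5e8fa625d9debd7a390aac1d165b7e47234f648bb8"
BORINGSSL_ARCHIVE="boringssl-ae223d6138807a13006342edfeef32e813246b39.tar.xz"

# Download archive and verify checksum
fetch_verified \
  "https://commondatastorage.googleapis.com/chromium-boringssl-fips/${BORINGSSL_ARCHIVE}" \
  "${BORINGSSL_SHA256SUM}"

tar -xf "${BORINGSSL_ARCHIVE}"
rm -- "${BORINGSSL_ARCHIVE}"

# Build BoringSSL
(
  cd boringssl
  # Separate statements rather than an `a && b && c` chain: set -e ignores a
  # failure in every command of an && list except the last, so a failed mkdir
  # or cd would otherwise be skipped over silently.
  mkdir build
  cd build
  cmake -GNinja -DCMAKE_TOOLCHAIN_FILE="${HOME}/toolchain" -DFIPS=1 \
    -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=1 ..
  ninja
  ninja run_tests

  # Final gate: the freshly built tool must itself report FIPS mode.
  if [[ "$(tool/bssl isfips)" != "1" ]]; then
    echo "ERROR: BoringSSL FIPS build check failed." >&2
    exit 1
  fi
)

# Cleanup build tools
rm -rf -- "${CLANG_DIR}"
rm -rf go
rm ninja
rm toolchain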