# Copyright (c) 2022, Google Inc.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
# SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

# This script runs test_fips repeatedly with different FIPS tests broken. It is
# intended to be observed to demonstrate that the various tests are working and
# thus pauses for a keystroke between tests.
#
# Runs in either device mode (on an attached Android device) or in a locally built
# BoringSSL checkout.
#
# On Android static binaries are not built using FIPS mode, so in device mode each
# test makes changes to libcrypto.so rather than the test binary, test_fips.

set -e

# Print an error to stderr and abort.
die () {
  echo "ERROR: $*" >&2
  exit 1
}

# Usage goes to stderr so that it stays visible when called from inside a
# command substitution (see inferred_mode).
usage() {
  echo "USAGE: $0 [local|device]" >&2
  exit 1
}

inferred_mode() {
  # Try and infer local or device mode based on makefiles and artifacts.
  if [ -f Android.bp -o -f external/boringssl/Android.bp ]; then
    echo device
  elif [ -f CMakeLists.txt -a -d build/crypto -a -d build/ssl ]; then
    echo local
  else
    echo "Unable to infer mode, please specify on the command line." >&2
    usage
  fi
}

MODE=
# Prefer mode from command line if present.
while [ "$1" ]; do
  case "$1" in
    local|device)
      MODE=$1
      ;;

    "32")
      # Device mode only: test the 32-bit binaries.
      TEST32BIT="true"
      ;;

    *)
      usage
      ;;
  esac
  shift
done

# Infer the mode only when none was given, so that an explicit mode still works
# in a directory where inference fails.
if [ -z "$MODE" ]; then
  MODE=$(inferred_mode)
fi

check_directory() {
  test -d "$1" || die "Directory $1 not found."
}

check_file() {
  test -f "$1" || die "File $1 not found."
}

# The broken binaries are expected to fail, so a non-zero exit status must not
# stop the script under "set -e".
run_test_locally() {
  eval "$1" || true
}

# Push the test binary and library to the device and run the binary against
# that library. Note that this clears $DEVICE_TMP on the device first.
run_test_on_device() {
  EXECFILE="$1"
  LIBRARY="$2"
  adb shell rm -rf "$DEVICE_TMP"
  adb shell mkdir -p "$DEVICE_TMP"
  adb push "$EXECFILE" "$DEVICE_TMP" > /dev/null
  EXECPATH=$(basename "$EXECFILE")
  adb push "$LIBRARY" "$DEVICE_TMP" > /dev/null
  adb shell "LD_LIBRARY_PATH=$DEVICE_TMP" "$DEVICE_TMP/$EXECPATH" || true
}

# Integrity test: break-hash.go writes a modified copy of its input to the path
# given as its second argument; running it should fail the integrity check.
device_integrity_break_test() {
  go run "$BORINGSSL/util/fipstools/break-hash.go" "$LIBCRYPTO_BIN" ./libcrypto.so
  $RUN "$TEST_FIPS_BIN" ./libcrypto.so
  rm ./libcrypto.so
}

local_integrity_break_test() {
  go run "$BORINGSSL/util/fipstools/break-hash.go" "$TEST_FIPS_BIN" ./break-bin
  chmod u+x ./break-bin
  $RUN ./break-bin
  rm ./break-bin
}

# Runtime tests are selected through the BORINGSSL_FIPS_BREAK_TEST environment
# variable rather than by modifying the binary.
local_runtime_break_test() {
  BORINGSSL_FIPS_BREAK_TEST=$1 "$RUN" "$TEST_FIPS_BREAK_BIN"
}

# TODO(prb): make break-hash and break-kat take similar arguments to save having
# separate functions for each.
# Known-answer tests (KATs): break-kat.go writes the modified binary to stdout.
device_kat_break_test() {
  KAT="$1"
  go run "$BORINGSSL/util/fipstools/break-kat.go" "$LIBCRYPTO_BREAK_BIN" "$KAT" > ./libcrypto.so
  $RUN "$TEST_FIPS_BIN" ./libcrypto.so
  rm ./libcrypto.so
}

local_kat_break_test() {
  KAT="$1"
  go run "$BORINGSSL/util/fipstools/break-kat.go" "$TEST_FIPS_BREAK_BIN" "$KAT" > ./break-bin
  chmod u+x ./break-bin
  $RUN ./break-bin
  rm ./break-bin
}

pause () {
  echo -n "Press <Enter> "
  read
}

if [ "$MODE" = "local" ]; then
  TEST_FIPS_BIN=${TEST_FIPS_BIN:-build/util/fipstools/test_fips}
  TEST_FIPS_BREAK_BIN=${TEST_FIPS_BREAK_BIN:-./test_fips_break}
  check_file "$TEST_FIPS_BIN"
  check_file "$TEST_FIPS_BREAK_BIN"

  BORINGSSL=.
  RUN=run_test_locally
  BREAK_TEST=local_break_test
  INTEGRITY_BREAK_TEST=local_integrity_break_test
  KAT_BREAK_TEST=local_kat_break_test
  RUNTIME_BREAK_TEST=local_runtime_break_test
  if [ ! -f "$TEST_FIPS_BIN" ]; then
    echo "$TEST_FIPS_BIN is missing. Run this script from the top level of a"
    echo "BoringSSL checkout and ensure that BoringSSL has been built in"
    echo "build/ with -DFIPS_BREAK_TEST=TESTS passed to CMake."
    exit 1
  fi
else # Device mode
  test "$ANDROID_BUILD_TOP" || die "'lunch aosp_arm64-eng' first"
  check_directory "$ANDROID_PRODUCT_OUT"

  if [ "$TEST32BIT" ]; then
    TEST_FIPS_BIN="$ANDROID_PRODUCT_OUT/system/bin/test_fips32"
    LIBCRYPTO_BIN="$ANDROID_PRODUCT_OUT/system/lib/libcrypto.so"
    LIBCRYPTO_BREAK_BIN="$ANDROID_PRODUCT_OUT/system/lib/libcrypto_for_testing.so"
  else
    TEST_FIPS_BIN="$ANDROID_PRODUCT_OUT/system/bin/test_fips"
    LIBCRYPTO_BIN="$ANDROID_PRODUCT_OUT/system/lib64/libcrypto.so"
    LIBCRYPTO_BREAK_BIN="$ANDROID_PRODUCT_OUT/system/lib64/libcrypto_for_testing.so"
  fi
  check_file "$TEST_FIPS_BIN"
  check_file "$LIBCRYPTO_BIN"
  check_file "$LIBCRYPTO_BREAK_BIN"

  test "$ANDROID_SERIAL" || die "ANDROID_SERIAL not set"
  DEVICE_TMP=/data/local/tmp

  BORINGSSL="$ANDROID_BUILD_TOP/external/boringssl/src"
  RUN=run_test_on_device
  INTEGRITY_BREAK_TEST=device_integrity_break_test
  KAT_BREAK_TEST=device_kat_break_test
fi


# Names of the known-answer tests that break-kat.go can break.
KATS=$(go run "$BORINGSSL/util/fipstools/break-kat.go" --list-tests)

# Baseline: the unmodified binary, for comparison with the failures below.
echo -e '\033[1mNormal output\033[0m'
$RUN "$TEST_FIPS_BIN" "$LIBCRYPTO_BIN"
pause

echo
echo -e '\033[1mIntegrity test failure\033[0m'
$INTEGRITY_BREAK_TEST
pause

for kat in $KATS; do
  echo
  echo -e "\033[1mKAT failure ${kat}\033[0m"
  $KAT_BREAK_TEST $kat
  pause
done

if [ "$MODE" = "local" ]; then
  # TODO(prb): add support for Android devices.
  # Pairwise consistency tests (PWCT) for ECDSA and RSA, and the continuous
  # random number generator test (CRNG).
  for runtime_test in ECDSA_PWCT RSA_PWCT CRNG; do
    echo
    echo -e "\033[1m${runtime_test} failure\033[0m"
    $RUNTIME_BREAK_TEST ${runtime_test}
    pause
  done
fi