#!/bin/bash

set -e

# BoringSSL build as described in the Security Policy for BoringCrypto module (2020-07-02):
# https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf

# This works only on Linux-x86_64.
if [[ `uname` != "Linux" || `uname -m` != "x86_64" ]]; then
  echo "ERROR: BoringSSL FIPS is currently supported only on Linux-x86_64."
  exit 1
fi

# Bazel magic.
ROOT=$$(dirname $(rootpath boringssl/BUILDING.md))/..
pushd $$ROOT

# Build tools requirements:
# - Clang compiler version 7.0.1 (https://releases.llvm.org/download.html)
# - Go programming language version 1.12.7 (https://golang.org/dl/)
# - Ninja build system version 1.9.0 (https://github.com/ninja-build/ninja/releases)

# Override $$PATH for build tools, to avoid picking up anything else.
export PATH="$$(dirname `which cmake`):/usr/bin:/bin"

# Clang 7.0.1
VERSION=7.0.1
SHA256=02ad925add5b2b934d64c3dd5cbd1b2002258059f7d962993ba7f16524c3089c
PLATFORM="x86_64-linux-gnu-ubuntu-16.04"

curl -sLO https://releases.llvm.org/"$$VERSION"/clang+llvm-"$$VERSION"-"$$PLATFORM".tar.xz \
  && echo "$$SHA256" clang+llvm-"$$VERSION"-"$$PLATFORM".tar.xz | sha256sum --check
tar xf clang+llvm-"$$VERSION"-"$$PLATFORM".tar.xz

export HOME="$$PWD"
printf "set(CMAKE_C_COMPILER \"clang\")\nset(CMAKE_CXX_COMPILER \"clang++\")\n" > $${HOME}/toolchain
export PATH="$$PWD/clang+llvm-$$VERSION-$$PLATFORM/bin:$$PATH"

if [[ `clang --version | head -1 | awk '{print $$3}'` != "$$VERSION" ]]; then
  echo "ERROR: Clang version doesn't match."
  exit 1
fi

# Go 1.12.7
VERSION=1.12.7
SHA256=66d83bfb5a9ede000e33c6579a91a29e6b101829ad41fffb5c5bb6c900e109d9
PLATFORM="linux-amd64"

curl -sLO https://dl.google.com/go/go"$$VERSION"."$$PLATFORM".tar.gz \
  && echo "$$SHA256" go"$$VERSION"."$$PLATFORM".tar.gz | sha256sum --check
tar xf go"$$VERSION"."$$PLATFORM".tar.gz

export GOPATH="$$PWD/gopath"
export GOROOT="$$PWD/go"
export PATH="$$GOPATH/bin:$$GOROOT/bin:$$PATH"

if [[ `go version | awk '{print $$3}'` != "go$$VERSION" ]]; then
  echo "ERROR: Go version doesn't match."
  exit 1
fi

# Ninja 1.9.0
VERSION=1.9.0
SHA256=1b1235f2b0b4df55ac6d80bbe681ea3639c9d2c505c7ff2159a3daf63d196305
PLATFORM="linux"

curl -sLO https://github.com/ninja-build/ninja/releases/download/v"$$VERSION"/ninja-"$$PLATFORM".zip \
  && echo "$$SHA256" ninja-"$$PLATFORM".zip | sha256sum --check
unzip -o ninja-"$$PLATFORM".zip

export PATH="$$PWD:$$PATH"

if [[ `ninja --version` != "$$VERSION" ]]; then
  echo "ERROR: Ninja version doesn't match."
  exit 1
fi

# Clean after previous build.
rm -rf boringssl/build

# Build BoringSSL.
cd boringssl
mkdir build && cd build && cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=$${HOME}/toolchain -DFIPS=1 -DCMAKE_BUILD_TYPE=Release ..
ninja
ninja run_tests

# Verify correctness of the FIPS build.
if [[ `tool/bssl isfips` != "1" ]]; then
  echo "ERROR: BoringSSL tool didn't report FIPS build."
  exit 1
fi

# Move compiled libraries to the expected destinations.
popd
mv $$ROOT/boringssl/build/crypto/libcrypto.a $(execpath crypto/libcrypto.a)
mv $$ROOT/boringssl/build/ssl/libssl.a $(execpath ssl/libssl.a)