feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #8291 from douzzer/20241213-fips-check-refactor-assoc-arrays

Browse Source 
20241213-fips-check-refactor-assoc-arrays
This commit is contained in:
Kaleb Himes
2024-12-17 10:23:51 -07:00
committed by GitHub
parent 22e95081cd 7c5451c742
commit fcbea85ded
1 changed files with 127 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

147
fips-check.sh
View File

@@ -14,13 +14,18 @@
MAKE="${MAKE:-make}" MAKE="${MAKE:-make}"
GIT="${GIT:-git -c advice.detachedHead=false}" GIT="${GIT:-git -c advice.detachedHead=false}"
TEST_DIR="${TEST_DIR:-XXX-fips-test}" TEST_DIR="${TEST_DIR:-XXX-fips-test}"
case "$TEST_DIR" in
/*) ;;
*) TEST_DIR="${PWD}/${TEST_DIR}"
;;
esac
FLAVOR="${FLAVOR:-linux}" FLAVOR="${FLAVOR:-linux}"
KEEP="${KEEP:-no}" KEEP="${KEEP:-no}"
MAKECHECK=${MAKECHECK:-yes} MAKECHECK=${MAKECHECK:-yes}
DOCONFIGURE=${DOCONFIGURE:-yes} DOCONFIGURE=${DOCONFIGURE:-yes}
DOAUTOGEN=${DOAUTOGEN:-yes} DOAUTOGEN=${DOAUTOGEN:-yes}
FIPS_REPO="${FIPS_REPO:-git@github.com:wolfssl/fips.git}" FIPS_REPO="${FIPS_REPO:-git@github.com:wolfssl/fips.git}"
WOLFSSL_REPO="${WOLFSSL_REPO:-origin}" WOLFSSL_REPO="${WOLFSSL_REPO:-git@github.com:wolfssl/wolfssl.git}"
Usage() { Usage() {
cat <<usageText cat <<usageText
@@ -435,51 +440,139 @@ function copy_fips_files() {
done done
} }
declare -A FIPS_TAGS_NEEDED WOLFCRYPT_TAGS_NEEDED # Note, it would be cleaner to compute the tag lists using associative arrays,
for file_entry in "${WOLFCRYPT_FILES[@]}"; do # but those were introduced in bash-4. It's more important to maintain backward
WOLFCRYPT_TAGS_NEEDED["${file_entry#*:}"]=1 # compatibility here.
done
for file_entry in "${FIPS_FILES[@]}"; do
FIPS_TAGS_NEEDED["${file_entry#*:}"]=1
done
echo "wolfCrypt tag$( [[ ${#WOLFCRYPT_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):" declare -a WOLFCRYPT_TAGS_NEEDED_UNSORTED WOLFCRYPT_TAGS_NEEDED
for tag in "${!WOLFCRYPT_TAGS_NEEDED[@]}"; do if [ ${#WOLFCRYPT_FILES[@]} -gt 0 ]; then
if $GIT describe --exact-match --long "$tag" 2>/dev/null; then for file_entry in "${WOLFCRYPT_FILES[@]}"; do
WOLFCRYPT_TAGS_NEEDED_UNSORTED+=("${file_entry#*:}")
done
while IFS= read -r tag; do WOLFCRYPT_TAGS_NEEDED+=("$tag"); done < <(IFS=$'\n'; sort -u <<< "${WOLFCRYPT_TAGS_NEEDED_UNSORTED[*]}")
if [ "${#WOLFCRYPT_TAGS_NEEDED[@]}" = "0" ]; then
echo "Error -- missing wolfCrypt tags." 1>&2
exit 1
fi
fi
declare -a FIPS_TAGS_NEEDED_UNSORTED FIPS_TAGS_NEEDED
for file_entry in "${FIPS_FILES[@]}"; do
FIPS_TAGS_NEEDED_UNSORTED+=("${file_entry#*:}")
done
while IFS= read -r tag; do FIPS_TAGS_NEEDED+=("$tag"); done < <(IFS=$'\n'; sort -u <<< "${FIPS_TAGS_NEEDED_UNSORTED[*]}")
if [ "${#FIPS_TAGS_NEEDED[@]}" = "0" ]; then
echo "Error -- missing FIPS tags." 1>&2
exit 1
fi
if [ ${#WOLFCRYPT_TAGS_NEEDED[@]} -gt 0 ]; then
echo "wolfCrypt tag$( [[ ${#WOLFCRYPT_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):"
# Only use shallow fetch if the repo already has shallow branches, to avoid
# tainting full repos with shallow objects.
if [ -f .git/shallow ]; then
shallow_args=(--depth 1)
else
shallow_args=()
fi
for tag in "${WOLFCRYPT_TAGS_NEEDED[@]}"; do
if $GIT describe --long --exact-match "$tag" 2>/dev/null; then
continue continue
fi fi
if ! $GIT fetch --depth 1 "$WOLFSSL_REPO" tag "$tag"; then if ! $GIT fetch "${shallow_args[@]}" "$WOLFSSL_REPO" tag "$tag"; then
echo "Can't fetch wolfCrypt tag: $tag" echo "Can't fetch wolfCrypt tag: $tag" 1>&2
exit 1 exit 1
fi fi
done # Make sure the tag is associated:
$GIT tag "$tag" FETCH_HEAD >/dev/null 2>&1
done
fi
if ! $GIT clone . "$TEST_DIR"; then if ! $GIT clone --shared . "$TEST_DIR"; then
echo "fips-check: Couldn't duplicate current working directory." echo "fips-check: Couldn't clone current working directory." 1>&2
exit 1 exit 1
fi fi
# If there is a FIPS repo under the parent directory, leverage that:
if [ -d ../fips/.git ]; then
pushd ../fips 1>/dev/null || exit 2
# Only use shallow fetch if the repo already has shallow branches, to avoid
# tainting full repos with shallow objects.
if [ -f .git/shallow ]; then
shallow_args=(--depth 1)
else
shallow_args=()
fi
echo "FIPS tag$( [[ ${#FIPS_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):"
for tag in "${FIPS_TAGS_NEEDED[@]}"; do
if [ "$tag" = "master" ]; then
# master is handled specially below.
continue
fi
if $GIT describe --long --exact-match "$tag" 2>/dev/null; then
continue
fi
if ! $GIT fetch "${shallow_args[@]}" "$FIPS_REPO" tag "$tag"; then
echo "Can't fetch FIPS tag: $tag" 1>&2
exit 1
fi
# Make sure the tag is associated:
$GIT tag "$tag" FETCH_HEAD >/dev/null 2>&1
done
# The current tooling for the FIPS tests is in the master branch and must be
# checked out here.
if ! $GIT clone --shared --branch master . "${TEST_DIR}/fips"; then
echo "fips-check: Couldn't clone current working directory." 1>&2
exit 1
fi
popd 1>/dev/null || exit 2
# Make sure master is up-to-date:
pushd "${TEST_DIR}/fips" 1>/dev/null || exit 2
if ! $GIT pull "$FIPS_REPO" master; then
echo "Can't refresh master FIPS tag" 1>&2
exit 1
fi
popd 1>/dev/null || exit 2
fi
pushd "$TEST_DIR" 1>/dev/null || exit 2 pushd "$TEST_DIR" 1>/dev/null || exit 2
if ! $GIT clone "$FIPS_REPO" fips; then if [ ! -d fips ]; then
# The current tooling for the FIPS tests is in the master branch and must be
# checked out here.
if ! $GIT clone --depth 1 --branch master "$FIPS_REPO" fips; then
echo "fips-check: Couldn't check out FIPS repository." echo "fips-check: Couldn't check out FIPS repository."
exit 1 exit 1
fi fi
pushd fips 1>/dev/null || exit 2 pushd fips 1>/dev/null || exit 2
echo "FIPS tag$( [[ ${#FIPS_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):"
echo "FIPS tag$( [[ ${#FIPS_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):" for tag in "${FIPS_TAGS_NEEDED[@]}"; do
for tag in "${!FIPS_TAGS_NEEDED[@]}"; do if [ "$tag" = "master" ]; then
if $GIT describe "$tag" 2>/dev/null; then # master was just cloned fresh from $FIPS_REPO above.
continue continue
fi fi
if $GIT describe --long --exact-match "$tag" 2>/dev/null; then
continue
fi
# The FIPS repo here is an ephemeral clone, so we can safely use shallow
# fetch unconditionally.
if ! $GIT fetch --depth 1 "$FIPS_REPO" tag "$tag"; then if ! $GIT fetch --depth 1 "$FIPS_REPO" tag "$tag"; then
echo "Can't fetch FIPS tag: $tag" echo "Can't fetch FIPS tag: $tag" 1>&2
exit 1 exit 1
fi fi
done # Make sure the tag is associated:
$GIT tag "$tag" FETCH_HEAD >/dev/null 2>&1
popd 1>/dev/null || exit 2 done
popd 1>/dev/null || exit 2
fi
checkout_files "${WOLFCRYPT_FILES[@]}" || exit 3 checkout_files "${WOLFCRYPT_FILES[@]}" || exit 3
pushd fips 1>/dev/null || exit 2 pushd fips 1>/dev/null || exit 2