diff --git a/fips-check.sh b/fips-check.sh index 7d0e588998..1e12de3afd 100755 --- a/fips-check.sh +++ b/fips-check.sh @@ -14,13 +14,18 @@ MAKE="${MAKE:-make}" GIT="${GIT:-git -c advice.detachedHead=false}" TEST_DIR="${TEST_DIR:-XXX-fips-test}" +case "$TEST_DIR" in + /*) ;; + *) TEST_DIR="${PWD}/${TEST_DIR}" + ;; +esac FLAVOR="${FLAVOR:-linux}" KEEP="${KEEP:-no}" MAKECHECK=${MAKECHECK:-yes} DOCONFIGURE=${DOCONFIGURE:-yes} DOAUTOGEN=${DOAUTOGEN:-yes} FIPS_REPO="${FIPS_REPO:-git@github.com:wolfssl/fips.git}" -WOLFSSL_REPO="${WOLFSSL_REPO:-origin}" +WOLFSSL_REPO="${WOLFSSL_REPO:-git@github.com:wolfssl/wolfssl.git}" Usage() { cat </dev/null; then - continue - fi - if ! $GIT fetch --depth 1 "$WOLFSSL_REPO" tag "$tag"; then - echo "Can't fetch wolfCrypt tag: $tag" +declare -a WOLFCRYPT_TAGS_NEEDED_UNSORTED WOLFCRYPT_TAGS_NEEDED +if [ ${#WOLFCRYPT_FILES[@]} -gt 0 ]; then + for file_entry in "${WOLFCRYPT_FILES[@]}"; do + WOLFCRYPT_TAGS_NEEDED_UNSORTED+=("${file_entry#*:}") + done + while IFS= read -r tag; do WOLFCRYPT_TAGS_NEEDED+=("$tag"); done < <(IFS=$'\n'; sort -u <<< "${WOLFCRYPT_TAGS_NEEDED_UNSORTED[*]}") + if [ "${#WOLFCRYPT_TAGS_NEEDED[@]}" = "0" ]; then + echo "Error -- missing wolfCrypt tags." 1>&2 exit 1 fi -done +fi -if ! $GIT clone . "$TEST_DIR"; then - echo "fips-check: Couldn't duplicate current working directory." +declare -a FIPS_TAGS_NEEDED_UNSORTED FIPS_TAGS_NEEDED +for file_entry in "${FIPS_FILES[@]}"; do + FIPS_TAGS_NEEDED_UNSORTED+=("${file_entry#*:}") +done +while IFS= read -r tag; do FIPS_TAGS_NEEDED+=("$tag"); done < <(IFS=$'\n'; sort -u <<< "${FIPS_TAGS_NEEDED_UNSORTED[*]}") +if [ "${#FIPS_TAGS_NEEDED[@]}" = "0" ]; then + echo "Error -- missing FIPS tags." 1>&2 exit 1 fi -pushd "$TEST_DIR" 1>/dev/null || exit 2 +if [ ${#WOLFCRYPT_TAGS_NEEDED[@]} -gt 0 ]; then + echo "wolfCrypt tag$( [[ ${#WOLFCRYPT_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):" + + # Only use shallow fetch if the repo already has shallow branches, to avoid + # tainting full repos with shallow objects. + if [ -f .git/shallow ]; then + shallow_args=(--depth 1) + else + shallow_args=() + fi + + for tag in "${WOLFCRYPT_TAGS_NEEDED[@]}"; do + if $GIT describe --long --exact-match "$tag" 2>/dev/null; then + continue + fi + if ! $GIT fetch "${shallow_args[@]}" "$WOLFSSL_REPO" tag "$tag"; then + echo "Can't fetch wolfCrypt tag: $tag" 1>&2 + exit 1 + fi + done +fi -if ! $GIT clone "$FIPS_REPO" fips; then - echo "fips-check: Couldn't check out FIPS repository." +if ! $GIT clone --shared . "$TEST_DIR"; then + echo "fips-check: Couldn't clone current working directory." 1>&2 exit 1 fi -pushd fips 1>/dev/null || exit 2 +# If there is a FIPS repo under the parent directory, leverage that: +if [ -d ../fips/.git ]; then + pushd ../fips 1>/dev/null || exit 2 -echo "FIPS tag$( [[ ${#FIPS_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):" -for tag in "${!FIPS_TAGS_NEEDED[@]}"; do - if $GIT describe "$tag" 2>/dev/null; then - continue + # Only use shallow fetch if the repo already has shallow branches, to avoid + # tainting full repos with shallow objects. + if [ -f .git/shallow ]; then + shallow_args=(--depth 1) + else + shallow_args=() fi - if ! $GIT fetch --depth 1 "$FIPS_REPO" tag "$tag"; then - echo "Can't fetch FIPS tag: $tag" + + echo "FIPS tag$( [[ ${#FIPS_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):" + for tag in "${FIPS_TAGS_NEEDED[@]}"; do + # This may be a branch (master), not a tag, so we can't use + # --exact-match here. + if $GIT describe --long "$tag" 2>/dev/null; then + continue + fi + # Similarly, we can't limit the fetch to a "tag" here. + if ! $GIT fetch "${shallow_args[@]}" "$FIPS_REPO" "$tag"; then + echo "Can't fetch FIPS tag: $tag" 1>&2 + exit 1 + fi + done + + if ! $GIT clone --shared --no-checkout . "${TEST_DIR}/fips"; then + echo "fips-check: Couldn't clone current working directory." 1>&2 exit 1 fi -done -popd 1>/dev/null || exit 2 + FIPS_TAGS_CACHED_LOCALLY=y + + popd 1>/dev/null || exit 2 +fi + +pushd "$TEST_DIR" 1>/dev/null || exit 2 + +if [ ! -d fips ]; then + if ! $GIT clone --depth 1 --branch "${FIPS_TAGS_NEEDED[0]}" "$FIPS_REPO" fips; then + echo "fips-check: Couldn't check out FIPS repository." + exit 1 + fi +fi + +if [ "$FIPS_TAGS_CACHED_LOCALLY" != "y" ]; then + pushd fips 1>/dev/null || exit 2 + echo "FIPS tag$( [[ ${#FIPS_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):" + for tag in "${FIPS_TAGS_NEEDED[@]}"; do + if $GIT describe --long "$tag" 2>/dev/null; then + continue + fi + # The FIPS repo here is an ephemeral clone, so we can safely use shallow + # fetch unconditionally. + if ! $GIT fetch --depth 1 "$FIPS_REPO" tag "$tag"; then + echo "Can't fetch FIPS tag: $tag" 1>&2 + exit 1 + fi + done + popd 1>/dev/null || exit 2 +fi checkout_files "${WOLFCRYPT_FILES[@]}" || exit 3 pushd fips 1>/dev/null || exit 2