Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

20241213-fips-check-refactor-assoc-arrays #8291

Merged
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
153 changes: 123 additions & 30 deletions fips-check.sh
Original file line number Diff line number Diff line change
Expand Up @@ -14,13 +14,18 @@
MAKE="${MAKE:-make}"
GIT="${GIT:-git -c advice.detachedHead=false}"
TEST_DIR="${TEST_DIR:-XXX-fips-test}"
case "$TEST_DIR" in
/*) ;;
*) TEST_DIR="${PWD}/${TEST_DIR}"
;;
esac
FLAVOR="${FLAVOR:-linux}"
KEEP="${KEEP:-no}"
MAKECHECK=${MAKECHECK:-yes}
DOCONFIGURE=${DOCONFIGURE:-yes}
DOAUTOGEN=${DOAUTOGEN:-yes}
FIPS_REPO="${FIPS_REPO:[email protected]:wolfssl/fips.git}"
WOLFSSL_REPO="${WOLFSSL_REPO:-origin}"
WOLFSSL_REPO="${WOLFSSL_REPO:-[email protected]:wolfssl/wolfssl.git}"

Usage() {
cat <<usageText
Expand Down Expand Up @@ -435,51 +440,139 @@ function copy_fips_files() {
done
}

declare -A FIPS_TAGS_NEEDED WOLFCRYPT_TAGS_NEEDED
for file_entry in "${WOLFCRYPT_FILES[@]}"; do
WOLFCRYPT_TAGS_NEEDED["${file_entry#*:}"]=1
done
for file_entry in "${FIPS_FILES[@]}"; do
FIPS_TAGS_NEEDED["${file_entry#*:}"]=1
done
# Note, it would be cleaner to compute the tag lists using associative arrays,
# but those were introduced in bash-4. It's more important to maintain backward
# compatibility here.

echo "wolfCrypt tag$( [[ ${#WOLFCRYPT_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):"
for tag in "${!WOLFCRYPT_TAGS_NEEDED[@]}"; do
if $GIT describe --exact-match --long "$tag" 2>/dev/null; then
continue
fi
if ! $GIT fetch --depth 1 "$WOLFSSL_REPO" tag "$tag"; then
echo "Can't fetch wolfCrypt tag: $tag"
declare -a WOLFCRYPT_TAGS_NEEDED_UNSORTED WOLFCRYPT_TAGS_NEEDED
if [ ${#WOLFCRYPT_FILES[@]} -gt 0 ]; then
for file_entry in "${WOLFCRYPT_FILES[@]}"; do
WOLFCRYPT_TAGS_NEEDED_UNSORTED+=("${file_entry#*:}")
done
while IFS= read -r tag; do WOLFCRYPT_TAGS_NEEDED+=("$tag"); done < <(IFS=$'\n'; sort -u <<< "${WOLFCRYPT_TAGS_NEEDED_UNSORTED[*]}")
if [ "${#WOLFCRYPT_TAGS_NEEDED[@]}" = "0" ]; then
echo "Error -- missing wolfCrypt tags." 1>&2
exit 1
fi
done
fi

if ! $GIT clone . "$TEST_DIR"; then
echo "fips-check: Couldn't duplicate current working directory."
declare -a FIPS_TAGS_NEEDED_UNSORTED FIPS_TAGS_NEEDED
for file_entry in "${FIPS_FILES[@]}"; do
FIPS_TAGS_NEEDED_UNSORTED+=("${file_entry#*:}")
done
while IFS= read -r tag; do FIPS_TAGS_NEEDED+=("$tag"); done < <(IFS=$'\n'; sort -u <<< "${FIPS_TAGS_NEEDED_UNSORTED[*]}")
if [ "${#FIPS_TAGS_NEEDED[@]}" = "0" ]; then
echo "Error -- missing FIPS tags." 1>&2
exit 1
fi

pushd "$TEST_DIR" 1>/dev/null || exit 2
if [ ${#WOLFCRYPT_TAGS_NEEDED[@]} -gt 0 ]; then
echo "wolfCrypt tag$( [[ ${#WOLFCRYPT_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):"

if ! $GIT clone "$FIPS_REPO" fips; then
echo "fips-check: Couldn't check out FIPS repository."
# Only use shallow fetch if the repo already has shallow branches, to avoid
# tainting full repos with shallow objects.
if [ -f .git/shallow ]; then
shallow_args=(--depth 1)
else
shallow_args=()
fi

for tag in "${WOLFCRYPT_TAGS_NEEDED[@]}"; do
if $GIT describe --long --exact-match "$tag" 2>/dev/null; then
continue
fi
if ! $GIT fetch "${shallow_args[@]}" "$WOLFSSL_REPO" tag "$tag"; then
echo "Can't fetch wolfCrypt tag: $tag" 1>&2
exit 1
fi
# Make sure the tag is associated:
$GIT tag "$tag" FETCH_HEAD >/dev/null 2>&1
done
fi

if ! $GIT clone --shared . "$TEST_DIR"; then
echo "fips-check: Couldn't clone current working directory." 1>&2
exit 1
fi

pushd fips 1>/dev/null || exit 2
# If there is a FIPS repo under the parent directory, leverage that:
if [ -d ../fips/.git ]; then
pushd ../fips 1>/dev/null || exit 2

# Only use shallow fetch if the repo already has shallow branches, to avoid
# tainting full repos with shallow objects.
if [ -f .git/shallow ]; then
shallow_args=(--depth 1)
else
shallow_args=()
fi

echo "FIPS tag$( [[ ${#FIPS_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):"
for tag in "${!FIPS_TAGS_NEEDED[@]}"; do
if $GIT describe "$tag" 2>/dev/null; then
continue
echo "FIPS tag$( [[ ${#FIPS_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):"
for tag in "${FIPS_TAGS_NEEDED[@]}"; do
if [ "$tag" = "master" ]; then
# master is handled specially below.
continue
fi
if $GIT describe --long --exact-match "$tag" 2>/dev/null; then
continue
fi
if ! $GIT fetch "${shallow_args[@]}" "$FIPS_REPO" tag "$tag"; then
echo "Can't fetch FIPS tag: $tag" 1>&2
exit 1
fi
# Make sure the tag is associated:
$GIT tag "$tag" FETCH_HEAD >/dev/null 2>&1
done

# The current tooling for the FIPS tests is in the master branch and must be
# checked out here.
if ! $GIT clone --shared --branch master . "${TEST_DIR}/fips"; then
echo "fips-check: Couldn't clone current working directory." 1>&2
exit 1
fi
if ! $GIT fetch --depth 1 "$FIPS_REPO" tag "$tag"; then
echo "Can't fetch FIPS tag: $tag"

popd 1>/dev/null || exit 2

# Make sure master is up-to-date:
pushd "${TEST_DIR}/fips" 1>/dev/null || exit 2
if ! $GIT pull "$FIPS_REPO" master; then
echo "Can't refresh master FIPS tag" 1>&2
exit 1
fi
done
popd 1>/dev/null || exit 2
fi

popd 1>/dev/null || exit 2
pushd "$TEST_DIR" 1>/dev/null || exit 2

if [ ! -d fips ]; then
# The current tooling for the FIPS tests is in the master branch and must be
# checked out here.
if ! $GIT clone --depth 1 --branch master "$FIPS_REPO" fips; then
echo "fips-check: Couldn't check out FIPS repository."
exit 1
fi

pushd fips 1>/dev/null || exit 2
echo "FIPS tag$( [[ ${#FIPS_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):"
for tag in "${FIPS_TAGS_NEEDED[@]}"; do
if [ "$tag" = "master" ]; then
# master was just cloned fresh from $FIPS_REPO above.
continue
fi
if $GIT describe --long --exact-match "$tag" 2>/dev/null; then
continue
fi
# The FIPS repo here is an ephemeral clone, so we can safely use shallow
# fetch unconditionally.
if ! $GIT fetch --depth 1 "$FIPS_REPO" tag "$tag"; then
echo "Can't fetch FIPS tag: $tag" 1>&2
exit 1
fi
# Make sure the tag is associated:
$GIT tag "$tag" FETCH_HEAD >/dev/null 2>&1
done
popd 1>/dev/null || exit 2
fi

checkout_files "${WOLFCRYPT_FILES[@]}" || exit 3
pushd fips 1>/dev/null || exit 2
Expand Down