FIPS module checksums: add scripts and Makefile rule #8871
fae606d to adcea0f
Ping @mattcaswell, @t-j-h, @paulidale
adcea0f to e67641c
FWIW: I was able to build unifdef using Microsoft Visual Studio Professional 2019. After cloning,
you need to run the reversion.sh script (e.g. using git bash) as follows,
before building the solution
otherwise Visual Studio will complain about a missing version.h file.
e67641c to 11eba1e
11eba1e to 566ed74
I've done a major rework of this branch. Instead of magically figuring out the source files for any configuration, we only collect source files for the default and the no-asm configuration and calculate checksums over those files, period. This should be more or less done at this point. I'll watch the CIs for confirmation, then I'll make this non-WIP.
Hmmm...the "make update" CI failure in fips-sources.checksums is presumably because of changes in the master branch??
Ah! I was wondering what was going on...
614bd7b to 3a1245f
BTW, how come we have some sources from ssl/ in the FIPS module?
Rebasing wasn't enough, of course, I should have re-generated the checksums [facepalm]
3a1245f to f9b333a
Yay, check-update much happier now. Quick, approve before master changes again! 😉
Because there is now some "padding" related code which we now do provider side. Partly for the reason that it needs to be inside the FIPS boundary. However we can't entirely remove the same code from libssl, e.g. for backwards compatibility in case we are using an engine and no provider is involved.
I suppose we do not want to merge this earlier than just before the beta1 release. Otherwise we would have to update the checksums whenever we touch the fips module code, which still can commonly happen in PRs before beta1.
Is that really too much of a burden? I'd prefer to get this in as soon as possible.
I'm ambivalent. After all, it's not a bad idea to exercise this a few times before things go to stillness...
ba096fa to d7c0012
OpenSSL::Config::Query is a configuration querying tool that's meant to make it easier to query the diverse configuration data for info. That's much easier than to dig through all the parts of %unified_info.
This file will be the basis for the FIPS module checksum calculation
This adds the following scripts:
util/lang-compress.pl:
Compress source code, which language is determined by the first argument.
For the moment, we know 'perl' (perlasm source code), 'C' (C source code)
and 'S' (Assembler with C preprocessor directives).
This removes comments and empty lines, and compresses series of horizontal
spaces to one single space in the languages where that's appropriate.
util/fips-checksums.sh:
Takes source file names as arguments, pushes them through
util/lang-compress.pl and unifdef with FIPS_MODE defined, and calculates
the checksum on the result.
This is required for 'make update' and fips checksums
d7c0012 to 9613054
LGTM. I would wait with merging this at least for discussion in OTC as any two PRs touching the FIPS source files will inevitably have a merge conflict.
Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #8871)
Merged 841a438 Add OpenSSL::Config::Query and use it in configdata.pm
Perhaps one of the most august 3.0 PRs merged 🥳
This adds the following scripts:
util/lang-compress.pl:
Compress source code, which language is determined by the first argument.
For the moment, we know 'perl' (perlasm source code), 'C' (C source code)
and 'S' (Assembler with C preprocessor directives).
This removes comments and empty lines, and compresses series of horizontal
spaces to one single space in the languages where that's appropriate.
util/fips-checksums.sh:
Takes source file names as arguments, pushes them through
util/lang-compress.pl and unifdef with FIPS_MODE defined, and calculates
the checksum on the result.
Fixes #13130
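
The normalise-then-hash pipeline described in the commit message for util/lang-compress.pl and util/fips-checksums.sh, as an added Python sketch that is not the project's own scripts: it shows that comment, whitespace and non-FIPS-branch edits leave the checksum unchanged while a code change inside the boundary does not. `compress_c`, `unifdef_defined`, `fips_checksum` and the sample source are hypothetical; only C and plain `#ifdef`/`#ifndef FIPS_MODE` blocks are handled, and SHA-256 is an assumption because the page names no checksum algorithm.

```python
import hashlib
import re

# Literals match first, so comment markers inside strings survive.
_TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'|(?:[ \t]|/\*.*?\*/|//[^\n]*)+', re.S)

def compress_c(src):
    """Drop comments and empty lines, squeeze horizontal whitespace (C only)."""
    src = _TOKEN.sub(lambda m: m[0] if m[0][0] in "\"'" else " ", src)
    return "".join(ln.strip() + "\n" for ln in src.splitlines() if ln.strip())

def unifdef_defined(src, macro="FIPS_MODE"):
    """Tiny stand-in for unifdef: resolve #ifdef/#ifndef <macro> as if defined."""
    out, stack = [], []  # True/False: our macro, branch kept/dropped; None: other
    for line in src.splitlines():
        m = re.match(r"\s*#\s*(ifdef|ifndef|if|else|endif)\b\s*(\w*)", line)
        kw, arg = m.groups() if m else (None, None)
        keeping = all(s is not False for s in stack)
        if kw in ("ifdef", "ifndef") and arg == macro:
            stack.append(kw == "ifdef")
        elif kw == "else" and stack and stack[-1] is not None:
            stack[-1] = not stack[-1]
        elif kw == "endif" and stack and stack[-1] is not None:
            stack.pop()
        else:  # ordinary line, or a conditional on some other macro
            if kw in ("if", "ifdef", "ifndef"):
                stack.append(None)
            elif kw == "endif" and stack:
                stack.pop()
            if keeping:
                out.append(line)
    return "".join(ln + "\n" for ln in out)

def fips_checksum(src):
    # SHA-256 is an assumption; the page does not name the checksum algorithm.
    return hashlib.sha256(unifdef_defined(compress_c(src)).encode()).hexdigest()

# Constructed sample input, not OpenSSL source.
ORIGINAL = '''/* padding helper */
static const char tag[] = "a  /* b */";
#ifdef FIPS_MODE
static int self_test(void) { return 1; }
#else
static int self_test(void) { return 0; }
#endif
int pad_ok(const unsigned char *p, size_t n) { return n > 0 && p[n - 1] <= n; }
'''
COSMETIC = (ORIGINAL.replace("/* padding helper */", "/* padding\n * helper */\n")
            .replace("return 0;", "return -1;").replace("{ return n", "{\treturn  n"))
FUNCTIONAL = ORIGINAL.replace("<= n", "< n")
```

`fips_checksum(ORIGINAL)` equals `fips_checksum(COSMETIC)` and differs from `fips_checksum(FUNCTIONAL)`, which is the property a committed checksum file relies on to flag changes inside the FIPS boundary.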