From 9cbc890cd927d178e9a10190791c2d575f81ceb7 Mon Sep 17 00:00:00 2001 From: Colton Willey Date: Wed, 12 Mar 2025 13:47:26 -0700 Subject: [PATCH 1/3] Fix new tests for FIPS, new option to build from FIPS bundle --- .github/workflows/fips.yml | 41 ++++++++++++++++++++++ README.md | 13 +++++-- scripts/build-wolfprovider.sh | 17 +++++++++ scripts/utils-wolfprovider.sh | 2 +- scripts/utils-wolfssl.sh | 66 ++++++++++++++++++++++------------- test/test_rsa.c | 2 ++ 6 files changed, 114 insertions(+), 27 deletions(-) create mode 100644 .github/workflows/fips.yml diff --git a/.github/workflows/fips.yml b/.github/workflows/fips.yml new file mode 100644 index 00000000..5128ec36 --- /dev/null +++ b/.github/workflows/fips.yml @@ -0,0 +1,41 @@ +name: Fips simple tests + +# START OF COMMON SECTION +on: + push: + branches: [ 'master', 'main', 'release/**' ] + pull_request: + branches: [ '*' ] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true +# END OF COMMON SECTION + +jobs: + fips_make_check: + strategy: + matrix: + config: [ + # Add new configs here + 'OPENSSL_TAG=openssl-3.2.0 WOLFSSL_TAG=v5.7.4-stable WOLFSSL_ISFIPS=1', + ] + name: fips make check + runs-on: ubuntu-latest + # This should be a safe limit for the tests to run. + timeout-minutes: 10 + steps: + - uses: actions/checkout@v4 + name: Checkout wolfProvider + + - name: Test wolfProvider + run: | + ${{ matrix.config }} ./scripts/build-wolfprovider.sh + make check + + - name: Print errors + if: ${{ failure() }} + run: | + if [ -f test-suite.log ] ; then + cat test-suite.log + fi diff --git a/README.md b/README.md index 8007eab6..b0e6fba6 100644 --- a/README.md +++ b/README.md 
@@ -50,8 +50,17 @@ wolfProvider is a library that can be used as a Provider in OpenSSL. * TLS1 PRF ## Building -The quickest method is to use the `scripts/build-wolfprovider.sh` script. It will retreive the dependencies and compile them as necessary. To use other than the default (such as different releases) you can set various environment variables prior to calling the script. An example is: - OPENSSL_TAG=openssl-3.2.0 WOLFSSL_TAG=v5.7.2-stable WOLFPROV_DEBUG=1 scripts/build-wolfprovider.sh +The quickest method is to use the `scripts/build-wolfprovider.sh` script as follows: + +``` +./scripts/build-wolfprovider.sh +``` + +It will retreive the dependencies and compile them as necessary. To use other than the default (such as different releases) you can set various environment variables prior to calling the script: + +``` +OPENSSL_TAG=openssl-3.2.0 WOLFSSL_TAG=v5.7.2-stable WOLFPROV_DEBUG=1 scripts/build-wolfprovider.sh +``` Alternatively, you can manually compile each component using the following guide. diff --git a/scripts/build-wolfprovider.sh b/scripts/build-wolfprovider.sh index 278a7ed2..d9478c6e 100755 --- a/scripts/build-wolfprovider.sh +++ b/scripts/build-wolfprovider.sh 
@@ -6,6 +6,23 @@ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" LOG_FILE=${SCRIPT_DIR}/build-release.log source ${SCRIPT_DIR}/utils-wolfprovider.sh +show_help() { + echo "Usage: $0" + echo "" + echo "Environment Variables:" + echo " OPENSSL_TAG OpenSSL tag to use (e.g., openssl-3.2.0)" + echo " WOLFSSL_TAG wolfSSL tag to use (e.g., v5.7.4-stable)" + echo " WOLFPROV_DEBUG If set to 1, builds OpenSSL, wolfSSL, and wolfProvider with debug options enabled" + echo " WOLFSSL_FIPS_BUNDLE Directory containing the wolfSSL FIPS bundle to use instead of cloning from GitHub" + echo " WOLFSSL_FIPS_VERSION Version of wolfSSL FIPS bundle (v5, v6, ready), used as an argument for --enable-fips when configuring wolfSSL" + echo "" +} + +if [[ "$1" == "--help" || "$1" == "-h" || "$1" == "-help" ]]; then + show_help + exit 0 +fi + echo "Using openssl: $OPENSSL_TAG, wolfssl: $WOLFSSL_TAG" init_wolfprov diff --git a/scripts/utils-wolfprovider.sh b/scripts/utils-wolfprovider.sh index 3abe3466..faf4e485 100755 --- a/scripts/utils-wolfprovider.sh +++ b/scripts/utils-wolfprovider.sh @@ -24,7 +24,7 @@ source ${SCRIPT_DIR}/utils-wolfssl.sh WOLFPROV_SOURCE_DIR=${SCRIPT_DIR}/.. WOLFPROV_INSTALL_DIR=${SCRIPT_DIR}/../wolfprov-install -if [ "$WOLFSSL_ISFIPS" -eq "1" ]; then +if [ "$WOLFSSL_ISFIPS" -eq "1" ] || [ -n "$WOLFSSL_FIPS_BUNDLE" ]; then WOLFPROV_CONFIG=${WOLFPROV_CONFIG:-"$WOLFPROV_SOURCE_DIR/provider-fips.conf"} else WOLFPROV_CONFIG=${WOLFPROV_CONFIG:-"$WOLFPROV_SOURCE_DIR/provider.conf"} diff --git a/scripts/utils-wolfssl.sh b/scripts/utils-wolfssl.sh index cb4a3788..f433e485 100755 --- a/scripts/utils-wolfssl.sh +++ b/scripts/utils-wolfssl.sh 
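Review bot: The new show_help() documents WOLFSSL_FIPS_BUNDLE and WOLFSSL_FIPS_VERSION but omits WOLFSSL_ISFIPS, which is the variable utils-wolfprovider.sh and the fips.yml matrix in this same patch use to select the FIPS build and provider-fips.conf. Add a line alongside the others, e.g. `echo "  WOLFSSL_ISFIPS         If set to 1, builds wolfSSL with --enable-fips=v5 and uses provider-fips.conf"`. It is also worth stating that setting WOLFSSL_FIPS_BUNDLE on its own selects provider-fips.conf, since that is what the utils-wolfprovider.sh change in this patch does and nothing in the help says so. The single-dash `-help` spelling is unusual; `--help` and `-h` are enough unless existing callers already rely on it.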
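Review bot: The changed condition keeps the numeric test `[ "$WOLFSSL_ISFIPS" -eq "1" ]`, which prints `integer expression expected` to stderr whenever WOLFSSL_ISFIPS is unset — now the common case, because WOLFSSL_FIPS_BUNDLE alone can select the FIPS config — before falling through to the new `||` branch. utils-wolfssl.sh in this same series uses the string form `[ "$WOLFSSL_ISFIPS" = "1" ]`; using it here too removes the noise and keeps the two scripts consistent: `if [ "$WOLFSSL_ISFIPS" = "1" ] || [ -n "$WOLFSSL_FIPS_BUNDLE" ]; then`.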
@@ -33,32 +33,38 @@ WOLFPROV_DEBUG=${WOLFPROV_DEBUG:-0} # Depends on OPENSSL_INSTALL_DIR clone_wolfssl() { - if [ -d ${WOLFSSL_SOURCE_DIR} ]; then - WOLFSSL_TAG_CUR=$(cd ${WOLFSSL_SOURCE_DIR} && (git describe --tags 2>/dev/null || git branch --show-current)) - if [ "${WOLFSSL_TAG_CUR}" != "${WOLFSSL_TAG}" ]; then # force a rebuild - printf "Version inconsistency. Please fix ${WOLFSSL_SOURCE_DIR} (expected: ${WOLFSSL_TAG}, got: ${WOLFSSL_TAG_CUR})\n" - do_cleanup - exit 1 + if [ -n "$WOLFSSL_FIPS_BUNDLE" ]; then + rm -rf ${WOLFSSL_SOURCE_DIR} + mkdir ${WOLFSSL_SOURCE_DIR} + cp -pr ${WOLFSSL_FIPS_BUNDLE}/* ${WOLFSSL_SOURCE_DIR}/ + else + if [ -d ${WOLFSSL_SOURCE_DIR} ]; then + WOLFSSL_TAG_CUR=$(cd ${WOLFSSL_SOURCE_DIR} && (git describe --tags 2>/dev/null || git branch --show-current)) + if [ "${WOLFSSL_TAG_CUR}" != "${WOLFSSL_TAG}" ]; then # force a rebuild + printf "Version inconsistency. Please fix ${WOLFSSL_SOURCE_DIR} (expected: ${WOLFSSL_TAG}, got: ${WOLFSSL_TAG_CUR})\n" + do_cleanup + exit 1 + fi fi - fi - if [ ! -d ${WOLFSSL_SOURCE_DIR} ]; then - printf "\tClone wolfSSL ${WOLFSSL_TAG} ... " - if [ "$WOLFPROV_DEBUG" = "1" ]; then - git clone -b ${WOLFSSL_TAG} ${WOLFSSL_GIT} \ - ${WOLFSSL_SOURCE_DIR} >>$LOG_FILE 2>&1 - RET=$? - else - git clone --depth=1 -b ${WOLFSSL_TAG} ${WOLFSSL_GIT} \ - ${WOLFSSL_SOURCE_DIR} >>$LOG_FILE 2>&1 - RET=$? - fi - if [ $RET != 0 ]; then - printf "ERROR cloning\n" - do_cleanup - exit 1 + if [ ! -d ${WOLFSSL_SOURCE_DIR} ]; then + printf "\tClone wolfSSL ${WOLFSSL_TAG} ... " + if [ "$WOLFPROV_DEBUG" = "1" ]; then + git clone -b ${WOLFSSL_TAG} ${WOLFSSL_GIT} \ + ${WOLFSSL_SOURCE_DIR} >>$LOG_FILE 2>&1 + RET=$? + else + git clone --depth=1 -b ${WOLFSSL_TAG} ${WOLFSSL_GIT} \ + ${WOLFSSL_SOURCE_DIR} >>$LOG_FILE 2>&1 + RET=$? + fi + if [ $RET != 0 ]; then + printf "ERROR cloning\n" + do_cleanup + exit 1 + fi + printf "Done.\n" fi - printf "Done.\n" fi } 
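Review bot: The new WOLFSSL_FIPS_BUNDLE branch deletes and recreates WOLFSSL_SOURCE_DIR and then copies `${WOLFSSL_FIPS_BUNDLE}/*` without checking that the bundle path is a directory or that cp succeeded, so a mistyped or missing bundle path leaves an empty source tree and the failure only surfaces later in configure with a far less useful message; the git path just below it does check its exit status and calls do_cleanup, so the two branches are asymmetric. Checking the directory up front and testing the cp result restores that symmetry. Leaving `rm -rf ${WOLFSSL_SOURCE_DIR}` unquoted matches the rest of the file, but this one line is worth quoting given what it removes.
```shell
    if [ -n "$WOLFSSL_FIPS_BUNDLE" ]; then
        if [ ! -d "$WOLFSSL_FIPS_BUNDLE" ]; then
            printf "ERROR, WOLFSSL_FIPS_BUNDLE is not a directory: %s\n" "$WOLFSSL_FIPS_BUNDLE"
            do_cleanup
            exit 1
        fi
        rm -rf "${WOLFSSL_SOURCE_DIR}"
        mkdir "${WOLFSSL_SOURCE_DIR}"
        if ! cp -pr "${WOLFSSL_FIPS_BUNDLE}"/* "${WOLFSSL_SOURCE_DIR}"/ >>$LOG_FILE 2>&1; then
            printf "ERROR copying FIPS bundle\n"
            do_cleanup
            exit 1
        fi
    else
        # … unchanged: existing git clone path …
```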
@@ -76,7 +82,15 @@ install_wolfssl() { CONF_ARGS+=" --enable-debug --enable-debug-trace-errcodes=backtrace --enable-keylog-export" WOLFSSL_CONFIG_CFLAGS+=" -DWOLFSSL_LOGGINGENABLED_DEFAULT=1" fi - if [ "$WOLFSSL_ISFIPS" = "1" ]; then + if [ -n "$WOLFSSL_FIPS_BUNDLE" ]; then + if [ ! -n "$WOLFSSL_FIPS_VERSION" ]; then + printf "ERROR, must specify version if using FIPS bundle (v5, v6, ready)" + do_cleanup + exit 1 + fi + printf "using FIPS bundle ... " + CONF_ARGS+=" --enable-fips=$WOLFSSL_FIPS_VERSION" + elif [ "$WOLFSSL_ISFIPS" = "1" ]; then printf "with FIPS ... " CONF_ARGS+=" --enable-fips=v5" if [ ! -e "XXX-fips-test" ]; then @@ -118,6 +132,10 @@ install_wolfssl() { fi printf "Done.\n" + if [ -n "$WOLFSSL_FIPS_BUNDLE" ]; then + ./fips-hash.sh + fi + printf "\tInstalling wolfSSL ${WOLFSSL_TAG} ... " make install >>$LOG_FILE 2>&1 if [ $? != 0 ]; then diff --git a/test/test_rsa.c b/test/test_rsa.c index 74b1659a..505bc42d 100644 --- a/test/test_rsa.c +++ b/test/test_rsa.c @@ -462,8 +462,10 @@ int test_rsa_sign_verify_x931(void *data) (void)data; +#ifndef HAVE_FIPS /* Use SHA-1 (default) for MD and MGF1 MD. */ err = test_rsa_sign_verify_pad(RSA_X931_PADDING, EVP_sha1(), NULL) == 1; +#endif #ifdef WP_HAVE_SHA256 if (err == 0) { /* Use SHA-256 for MD. */ From 3e096118fecdc9ad69a4191d81f094cd43537308 Mon Sep 17 00:00:00 2001 From: Colton Willey Date: Wed, 12 Mar 2025 13:57:56 -0700 Subject: [PATCH 2/3] Only run fips tests if wolfssl is repo owner --- .github/workflows/fips.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/fips.yml b/.github/workflows/fips.yml index 5128ec36..6f870998 100644 --- a/.github/workflows/fips.yml +++ b/.github/workflows/fips.yml @@ -21,6 +21,7 @@ jobs: 'OPENSSL_TAG=openssl-3.2.0 WOLFSSL_TAG=v5.7.4-stable WOLFSSL_ISFIPS=1', ] name: fips make check + if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 10 
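Review bot: `if [ ! -n "$WOLFSSL_FIPS_VERSION" ]` is an awkward way to say "is empty", and the error printf has no trailing newline, so whatever is printed next runs onto the same line; the idiomatic form is `if [ -z "$WOLFSSL_FIPS_VERSION" ]; then` with `printf "ERROR, must specify version if using FIPS bundle (v5, v6, ready)\n"`. The value is then spliced into `--enable-fips=$WOLFSSL_FIPS_VERSION` unvalidated; since the help text in build-wolfprovider.sh names exactly v5, v6 and ready, a `case` accepting only those three here would turn a typo into an immediate error rather than a configure-time one. install_wolfssl continues outside this hunk.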
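Review bot: `./fips-hash.sh` is run without checking its exit status, unlike the other build steps in install_wolfssl, which test `$?` and call do_cleanup, so a failure here goes unnoticed and `make install` proceeds regardless. Guard it the same way: `./fips-hash.sh >>$LOG_FILE 2>&1 || { printf "ERROR running fips-hash.sh\n"; do_cleanup; exit 1; }`. It also runs after the build has finished and immediately before `make install`; if the script updates the in-core hash in the source tree rather than patching the built library, the library needs to be rebuilt before install or the installed object carries the stale hash — confirm against the bundle's script. install_wolfssl starts and ends outside this hunk.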
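Review bot: With HAVE_FIPS defined the SHA-1 X9.31 call is compiled out, so the `if (err == 0)` guard on the SHA-256 case that follows now reads `err` without this function having assigned it; whether that is safe depends on the initialiser at err's declaration, which is above the hunk — `int err = 0;` makes the remaining cases run as intended, while a non-zero or missing initialiser makes the FIPS build silently skip them. Either confirm the declaration or make the intent explicit with `#else` / `err = 0;` before the `#endif`, so the FIPS path does not depend on a line that is out of sight. test_rsa_sign_verify_x931 begins and ends outside the hunk.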
From 50f78a57d0340035f1c66a377ec98f0c6d7eb568 Mon Sep 17 00:00:00 2001 From: Colton Willey Date: Wed, 12 Mar 2025 14:11:50 -0700 Subject: [PATCH 3/3] Remove FIPS workflow, remove extra make check --- .github/workflows/curl.yml | 1 - .github/workflows/fips.yml | 42 ----------------------------------- .github/workflows/nginx.yml | 1 - .github/workflows/openvpn.yml | 1 - .github/workflows/simple.yml | 1 - 5 files changed, 46 deletions(-) delete mode 100644 .github/workflows/fips.yml diff --git a/.github/workflows/curl.yml b/.github/workflows/curl.yml index 1d0006d5..35e537ac 100644 --- a/.github/workflows/curl.yml +++ b/.github/workflows/curl.yml @@ -56,7 +56,6 @@ jobs: if: steps.wolfprov-${{ matrix.wolfssl_ref }}-cache.hit != 'true' run: | WOLFSSL_TAG=${{ matrix.wolfssl_ref }} ./scripts/build-wolfprovider.sh - make check - name: Print errors if: ${{ failure() }} diff --git a/.github/workflows/fips.yml b/.github/workflows/fips.yml deleted file mode 100644 index 6f870998..00000000 --- a/.github/workflows/fips.yml +++ /dev/null @@ -1,42 +0,0 @@ -name: Fips simple tests - -# START OF COMMON SECTION -on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true -# END OF COMMON SECTION - -jobs: - fips_make_check: - strategy: - matrix: - config: [ - # Add new configs here - 'OPENSSL_TAG=openssl-3.2.0 WOLFSSL_TAG=v5.7.4-stable WOLFSSL_ISFIPS=1', - ] - name: fips make check - if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-latest - # This should be a safe limit for the tests to run. - timeout-minutes: 10 - steps: - - uses: actions/checkout@v4 - name: Checkout wolfProvider - - - name: Test wolfProvider - run: | - ${{ matrix.config }} ./scripts/build-wolfprovider.sh - make check - - - name: Print errors - if: ${{ failure() }} - run: | - if [ -f test-suite.log ] ; then - cat test-suite.log - fi 
diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml index 7eeb555c..0ecb6d72 100644 --- a/.github/workflows/nginx.yml +++ b/.github/workflows/nginx.yml @@ -56,7 +56,6 @@ jobs: if: steps.wolfprov-${{ matrix.wolfssl_ref }}-cache.hit != 'true' run: | WOLFSSL_TAG=${{ matrix.wolfssl_ref }} ./scripts/build-wolfprovider.sh - make check - name: Print errors if: ${{ failure() }} diff --git a/.github/workflows/openvpn.yml b/.github/workflows/openvpn.yml index 315b1363..848145d4 100644 --- a/.github/workflows/openvpn.yml +++ b/.github/workflows/openvpn.yml @@ -56,7 +56,6 @@ jobs: if: steps.wolfprov-${{ matrix.wolfssl_ref }}-cache.hit != 'true' run: | WOLFSSL_TAG=${{ matrix.wolfssl_ref }} ./scripts/build-wolfprovider.sh - make check - name: Print errors if: ${{ failure() }} diff --git a/.github/workflows/simple.yml b/.github/workflows/simple.yml index 931ce7b1..44324233 100644 --- a/.github/workflows/simple.yml +++ b/.github/workflows/simple.yml @@ -35,7 +35,6 @@ jobs: - name: Test wolfProvider run: | ${{ matrix.config }} ./scripts/build-wolfprovider.sh - make check - name: Print errors if: ${{ failure() }}