mirror of https://github.com/wolfSSL/wolfssl.git
Merge pull request #8291 from douzzer/20241213-fips-check-refactor-assoc-arrays
20241213-fips-check-refactor-assoc-arrayspull/8297/head
Kaleb Himes
GitHub
commit
fcbea85ded
161
fips-check.sh
161
fips-check.sh
|
|
@ -14,13 +14,18 @@
|
|||
MAKE="${MAKE:-make}"
|
||||
GIT="${GIT:-git -c advice.detachedHead=false}"
|
||||
TEST_DIR="${TEST_DIR:-XXX-fips-test}"
|
||||
case "$TEST_DIR" in
|
||||
/*) ;;
|
||||
*) TEST_DIR="${PWD}/${TEST_DIR}"
|
||||
;;
|
||||
esac
|
||||
FLAVOR="${FLAVOR:-linux}"
|
||||
KEEP="${KEEP:-no}"
|
||||
MAKECHECK=${MAKECHECK:-yes}
|
||||
DOCONFIGURE=${DOCONFIGURE:-yes}
|
||||
DOAUTOGEN=${DOAUTOGEN:-yes}
|
||||
FIPS_REPO="${FIPS_REPO:-git@github.com:wolfssl/fips.git}"
|
||||
WOLFSSL_REPO="${WOLFSSL_REPO:-origin}"
|
||||
WOLFSSL_REPO="${WOLFSSL_REPO:-git@github.com:wolfssl/wolfssl.git}"
|
||||
|
||||
Usage() {
|
||||
cat <<usageText
|
||||
|
|
@ -435,51 +440,139 @@ function copy_fips_files() {
|
|||
done
|
||||
}
|
||||
|
||||
declare -A FIPS_TAGS_NEEDED WOLFCRYPT_TAGS_NEEDED
|
||||
for file_entry in "${WOLFCRYPT_FILES[@]}"; do
|
||||
WOLFCRYPT_TAGS_NEEDED["${file_entry#*:}"]=1
|
||||
done
|
||||
for file_entry in "${FIPS_FILES[@]}"; do
|
||||
FIPS_TAGS_NEEDED["${file_entry#*:}"]=1
|
||||
done
|
||||
# Note, it would be cleaner to compute the tag lists using associative arrays,
|
||||
# but those were introduced in bash-4. It's more important to maintain backward
|
||||
# compatibility here.
|
||||
|
||||
echo "wolfCrypt tag$( [[ ${#WOLFCRYPT_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):"
|
||||
for tag in "${!WOLFCRYPT_TAGS_NEEDED[@]}"; do
|
||||
if $GIT describe --exact-match --long "$tag" 2>/dev/null; then
|
||||
continue
|
||||
fi
|
||||
if ! $GIT fetch --depth 1 "$WOLFSSL_REPO" tag "$tag"; then
|
||||
echo "Can't fetch wolfCrypt tag: $tag"
|
||||
declare -a WOLFCRYPT_TAGS_NEEDED_UNSORTED WOLFCRYPT_TAGS_NEEDED
|
||||
if [ ${#WOLFCRYPT_FILES[@]} -gt 0 ]; then
|
||||
for file_entry in "${WOLFCRYPT_FILES[@]}"; do
|
||||
WOLFCRYPT_TAGS_NEEDED_UNSORTED+=("${file_entry#*:}")
|
||||
done
|
||||
while IFS= read -r tag; do WOLFCRYPT_TAGS_NEEDED+=("$tag"); done < <(IFS=$'\n'; sort -u <<< "${WOLFCRYPT_TAGS_NEEDED_UNSORTED[*]}")
|
||||
if [ "${#WOLFCRYPT_TAGS_NEEDED[@]}" = "0" ]; then
|
||||
echo "Error -- missing wolfCrypt tags." 1>&2
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
if ! $GIT clone . "$TEST_DIR"; then
|
||||
echo "fips-check: Couldn't duplicate current working directory."
|
||||
declare -a FIPS_TAGS_NEEDED_UNSORTED FIPS_TAGS_NEEDED
|
||||
for file_entry in "${FIPS_FILES[@]}"; do
|
||||
FIPS_TAGS_NEEDED_UNSORTED+=("${file_entry#*:}")
|
||||
done
|
||||
while IFS= read -r tag; do FIPS_TAGS_NEEDED+=("$tag"); done < <(IFS=$'\n'; sort -u <<< "${FIPS_TAGS_NEEDED_UNSORTED[*]}")
|
||||
if [ "${#FIPS_TAGS_NEEDED[@]}" = "0" ]; then
|
||||
echo "Error -- missing FIPS tags." 1>&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ${#WOLFCRYPT_TAGS_NEEDED[@]} -gt 0 ]; then
|
||||
echo "wolfCrypt tag$( [[ ${#WOLFCRYPT_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):"
|
||||
|
||||
# Only use shallow fetch if the repo already has shallow branches, to avoid
|
||||
# tainting full repos with shallow objects.
|
||||
if [ -f .git/shallow ]; then
|
||||
shallow_args=(--depth 1)
|
||||
else
|
||||
shallow_args=()
|
||||
fi
|
||||
|
||||
for tag in "${WOLFCRYPT_TAGS_NEEDED[@]}"; do
|
||||
if $GIT describe --long --exact-match "$tag" 2>/dev/null; then
|
||||
continue
|
||||
fi
|
||||
if ! $GIT fetch "${shallow_args[@]}" "$WOLFSSL_REPO" tag "$tag"; then
|
||||
echo "Can't fetch wolfCrypt tag: $tag" 1>&2
|
||||
exit 1
|
||||
fi
|
||||
# Make sure the tag is associated:
|
||||
$GIT tag "$tag" FETCH_HEAD >/dev/null 2>&1
|
||||
done
|
||||
fi
|
||||
|
||||
if ! $GIT clone --shared . "$TEST_DIR"; then
|
||||
echo "fips-check: Couldn't clone current working directory." 1>&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# If there is a FIPS repo under the parent directory, leverage that:
|
||||
if [ -d ../fips/.git ]; then
|
||||
pushd ../fips 1>/dev/null || exit 2
|
||||
|
||||
# Only use shallow fetch if the repo already has shallow branches, to avoid
|
||||
# tainting full repos with shallow objects.
|
||||
if [ -f .git/shallow ]; then
|
||||
shallow_args=(--depth 1)
|
||||
else
|
||||
shallow_args=()
|
||||
fi
|
||||
|
||||
echo "FIPS tag$( [[ ${#FIPS_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):"
|
||||
for tag in "${FIPS_TAGS_NEEDED[@]}"; do
|
||||
if [ "$tag" = "master" ]; then
|
||||
# master is handled specially below.
|
||||
continue
|
||||
fi
|
||||
if $GIT describe --long --exact-match "$tag" 2>/dev/null; then
|
||||
continue
|
||||
fi
|
||||
if ! $GIT fetch "${shallow_args[@]}" "$FIPS_REPO" tag "$tag"; then
|
||||
echo "Can't fetch FIPS tag: $tag" 1>&2
|
||||
exit 1
|
||||
fi
|
||||
# Make sure the tag is associated:
|
||||
$GIT tag "$tag" FETCH_HEAD >/dev/null 2>&1
|
||||
done
|
||||
|
||||
# The current tooling for the FIPS tests is in the master branch and must be
|
||||
# checked out here.
|
||||
if ! $GIT clone --shared --branch master . "${TEST_DIR}/fips"; then
|
||||
echo "fips-check: Couldn't clone current working directory." 1>&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
popd 1>/dev/null || exit 2
|
||||
|
||||
# Make sure master is up-to-date:
|
||||
pushd "${TEST_DIR}/fips" 1>/dev/null || exit 2
|
||||
if ! $GIT pull "$FIPS_REPO" master; then
|
||||
echo "Can't refresh master FIPS tag" 1>&2
|
||||
exit 1
|
||||
fi
|
||||
popd 1>/dev/null || exit 2
|
||||
fi
|
||||
|
||||
pushd "$TEST_DIR" 1>/dev/null || exit 2
|
||||
|
||||
if ! $GIT clone "$FIPS_REPO" fips; then
|
||||
echo "fips-check: Couldn't check out FIPS repository."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
pushd fips 1>/dev/null || exit 2
|
||||
|
||||
echo "FIPS tag$( [[ ${#FIPS_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):"
|
||||
for tag in "${!FIPS_TAGS_NEEDED[@]}"; do
|
||||
if $GIT describe "$tag" 2>/dev/null; then
|
||||
continue
|
||||
fi
|
||||
if ! $GIT fetch --depth 1 "$FIPS_REPO" tag "$tag"; then
|
||||
echo "Can't fetch FIPS tag: $tag"
|
||||
if [ ! -d fips ]; then
|
||||
# The current tooling for the FIPS tests is in the master branch and must be
|
||||
# checked out here.
|
||||
if ! $GIT clone --depth 1 --branch master "$FIPS_REPO" fips; then
|
||||
echo "fips-check: Couldn't check out FIPS repository."
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
|
||||
popd 1>/dev/null || exit 2
|
||||
pushd fips 1>/dev/null || exit 2
|
||||
echo "FIPS tag$( [[ ${#FIPS_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):"
|
||||
for tag in "${FIPS_TAGS_NEEDED[@]}"; do
|
||||
if [ "$tag" = "master" ]; then
|
||||
# master was just cloned fresh from $FIPS_REPO above.
|
||||
continue
|
||||
fi
|
||||
if $GIT describe --long --exact-match "$tag" 2>/dev/null; then
|
||||
continue
|
||||
fi
|
||||
# The FIPS repo here is an ephemeral clone, so we can safely use shallow
|
||||
# fetch unconditionally.
|
||||
if ! $GIT fetch --depth 1 "$FIPS_REPO" tag "$tag"; then
|
||||
echo "Can't fetch FIPS tag: $tag" 1>&2
|
||||
exit 1
|
||||
fi
|
||||
# Make sure the tag is associated:
|
||||
$GIT tag "$tag" FETCH_HEAD >/dev/null 2>&1
|
||||
done
|
||||
popd 1>/dev/null || exit 2
|
||||
fi
|
||||
|
||||
checkout_files "${WOLFCRYPT_FILES[@]}" || exit 3
|
||||
pushd fips 1>/dev/null || exit 2
|
||||
|
|
|
|||
Loading…
Reference in New Issue