Fix new tests for FIPS, new option to build from FIPS bundle

Author: ColtonWilley

.github/workflows/fips.yml

@@ -0,0 +1,41 @@
+name: Fips simple tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  fips_make_check:
+    strategy:
+      matrix:
+        config: [
+          # Add new configs here
+          'OPENSSL_TAG=openssl-3.2.0 WOLFSSL_TAG=v5.7.4-stable WOLFSSL_ISFIPS=1',
+        ]
+    name: fips make check
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout wolfProvider
+
+      - name: Test wolfProvider
+        run: |
+          ${{ matrix.config }} ./scripts/build-wolfprovider.sh
+          make check
+
+      - name: Print errors
+        if: ${{ failure() }}
+        run: |
+          if [ -f test-suite.log ] ; then
+            cat test-suite.log
+          fi

README.md

@@ -50,8 +50,17 @@ wolfProvider is a library that can be used as a Provider in OpenSSL.
 * TLS1 PRF
 
 ## Building
-The quickest method is to use the `scripts/build-wolfprovider.sh` script. It will retreive the dependencies and compile them as necessary. To use other than the default (such as different releases) you can set various environment variables prior to calling the script. An example is:
-    OPENSSL_TAG=openssl-3.2.0 WOLFSSL_TAG=v5.7.2-stable WOLFPROV_DEBUG=1 scripts/build-wolfprovider.sh
+The quickest method is to use the `scripts/build-wolfprovider.sh` script as follows:
+
+```
+./scripts/build-wolfprovider.sh
+```
+
+It will retreive the dependencies and compile them as necessary. To use other than the default (such as different releases) you can set various environment variables prior to calling the script:
+
+```
+OPENSSL_TAG=openssl-3.2.0 WOLFSSL_TAG=v5.7.2-stable WOLFPROV_DEBUG=1 scripts/build-wolfprovider.sh
+```
 
 Alternatively, you can manually compile each component using the following guide.
 

scripts/build-wolfprovider.sh

@@ -6,6 +6,23 @@ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 LOG_FILE=${SCRIPT_DIR}/build-release.log
 source ${SCRIPT_DIR}/utils-wolfprovider.sh
 
+show_help() {
+  echo "Usage: $0"
+  echo ""
+  echo "Environment Variables:"
+  echo "  OPENSSL_TAG          OpenSSL tag to use (e.g., openssl-3.2.0)"
+  echo "  WOLFSSL_TAG          wolfSSL tag to use (e.g., v5.7.4-stable)"
+  echo "  WOLFPROV_DEBUG       If set to 1, builds OpenSSL, wolfSSL, and wolfProvider with debug options enabled"
+  echo "  WOLFSSL_FIPS_BUNDLE  Directory containing the wolfSSL FIPS bundle to use instead of cloning from GitHub"
+  echo "  WOLFSSL_FIPS_VERSION Version of wolfSSL FIPS bundle (v5, v6, ready), used as an argument for --enable-fips when configuring wolfSSL"
+  echo ""
+}
+
+if [[ "$1" == "--help" || "$1" == "-h" || "$1" == "-help" ]]; then
+  show_help
+  exit 0
+fi
+
 echo "Using openssl: $OPENSSL_TAG, wolfssl: $WOLFSSL_TAG"
 
 init_wolfprov

scripts/utils-wolfprovider.sh

@@ -24,7 +24,7 @@ source ${SCRIPT_DIR}/utils-wolfssl.sh
 
 WOLFPROV_SOURCE_DIR=${SCRIPT_DIR}/..
 WOLFPROV_INSTALL_DIR=${SCRIPT_DIR}/../wolfprov-install
-if [ "$WOLFSSL_ISFIPS" -eq "1" ]; then
+if [ "$WOLFSSL_ISFIPS" -eq "1" ] || [ -n "$WOLFSSL_FIPS_BUNDLE" ]; then
     WOLFPROV_CONFIG=${WOLFPROV_CONFIG:-"$WOLFPROV_SOURCE_DIR/provider-fips.conf"}
 else
     WOLFPROV_CONFIG=${WOLFPROV_CONFIG:-"$WOLFPROV_SOURCE_DIR/provider.conf"}

scripts/utils-wolfssl.sh

@@ -33,32 +33,38 @@ WOLFPROV_DEBUG=${WOLFPROV_DEBUG:-0}
 
 # Depends on OPENSSL_INSTALL_DIR
 clone_wolfssl() {
-    if [ -d ${WOLFSSL_SOURCE_DIR} ]; then
-        WOLFSSL_TAG_CUR=$(cd ${WOLFSSL_SOURCE_DIR} && (git describe --tags 2>/dev/null || git branch --show-current))
-        if [ "${WOLFSSL_TAG_CUR}" != "${WOLFSSL_TAG}" ]; then # force a rebuild
-            printf "Version inconsistency. Please fix ${WOLFSSL_SOURCE_DIR} (expected: ${WOLFSSL_TAG}, got: ${WOLFSSL_TAG_CUR})\n"
-            do_cleanup
-            exit 1
+    if [ -n "$WOLFSSL_FIPS_BUNDLE" ]; then
+        rm -rf ${WOLFSSL_SOURCE_DIR}
+        mkdir ${WOLFSSL_SOURCE_DIR}
+        cp -pr ${WOLFSSL_FIPS_BUNDLE}/* ${WOLFSSL_SOURCE_DIR}/
+    else
+        if [ -d ${WOLFSSL_SOURCE_DIR} ]; then
+            WOLFSSL_TAG_CUR=$(cd ${WOLFSSL_SOURCE_DIR} && (git describe --tags 2>/dev/null || git branch --show-current))
+            if [ "${WOLFSSL_TAG_CUR}" != "${WOLFSSL_TAG}" ]; then # force a rebuild
+                printf "Version inconsistency. Please fix ${WOLFSSL_SOURCE_DIR} (expected: ${WOLFSSL_TAG}, got: ${WOLFSSL_TAG_CUR})\n"
+                do_cleanup
+                exit 1
+            fi
         fi
-    fi
 
-    if [ ! -d ${WOLFSSL_SOURCE_DIR} ]; then
-        printf "\tClone wolfSSL ${WOLFSSL_TAG} ... "
-        if [ "$WOLFPROV_DEBUG" = "1" ]; then
-            git clone -b ${WOLFSSL_TAG} ${WOLFSSL_GIT} \
-                 ${WOLFSSL_SOURCE_DIR} >>$LOG_FILE 2>&1
-            RET=$?
-        else
-            git clone --depth=1 -b ${WOLFSSL_TAG} ${WOLFSSL_GIT} \
-                 ${WOLFSSL_SOURCE_DIR} >>$LOG_FILE 2>&1
-            RET=$?
-        fi
-        if [ $RET != 0 ]; then
-            printf "ERROR cloning\n"
-            do_cleanup
-            exit 1
+        if [ ! -d ${WOLFSSL_SOURCE_DIR} ]; then
+            printf "\tClone wolfSSL ${WOLFSSL_TAG} ... "
+            if [ "$WOLFPROV_DEBUG" = "1" ]; then
+                git clone -b ${WOLFSSL_TAG} ${WOLFSSL_GIT} \
+                    ${WOLFSSL_SOURCE_DIR} >>$LOG_FILE 2>&1
+                RET=$?
+            else
+                git clone --depth=1 -b ${WOLFSSL_TAG} ${WOLFSSL_GIT} \
+                    ${WOLFSSL_SOURCE_DIR} >>$LOG_FILE 2>&1
+                RET=$?
+            fi
+            if [ $RET != 0 ]; then
+                printf "ERROR cloning\n"
+                do_cleanup
+                exit 1
+            fi
+            printf "Done.\n"
         fi
-        printf "Done.\n"
     fi
 }
 
@@ -76,7 +82,15 @@ install_wolfssl() {
             CONF_ARGS+=" --enable-debug --enable-debug-trace-errcodes=backtrace --enable-keylog-export"
             WOLFSSL_CONFIG_CFLAGS+=" -DWOLFSSL_LOGGINGENABLED_DEFAULT=1"
         fi
-        if [ "$WOLFSSL_ISFIPS" = "1" ]; then
+        if [ -n "$WOLFSSL_FIPS_BUNDLE" ]; then
+            if [ ! -n "$WOLFSSL_FIPS_VERSION" ]; then
+                printf "ERROR, must specify version if using FIPS bundle (v5, v6, ready)"
+                do_cleanup
+                exit 1
+            fi
+            printf "using FIPS bundle ... "
+            CONF_ARGS+=" --enable-fips=$WOLFSSL_FIPS_VERSION"
+        elif [ "$WOLFSSL_ISFIPS" = "1" ]; then
             printf "with FIPS ... "
             CONF_ARGS+=" --enable-fips=v5"
             if [ ! -e "XXX-fips-test" ]; then
@@ -118,6 +132,10 @@ install_wolfssl() {
         fi
         printf "Done.\n"
 
+        if [ -n "$WOLFSSL_FIPS_BUNDLE" ]; then
+            ./fips-hash.sh
+        fi
+
         printf "\tInstalling wolfSSL ${WOLFSSL_TAG} ... "
         make install >>$LOG_FILE 2>&1
         if [ $? != 0 ]; then

test/test_rsa.c

@@ -462,8 +462,10 @@ int test_rsa_sign_verify_x931(void *data)
 
     (void)data;
 
+#ifndef HAVE_FIPS
     /* Use SHA-1 (default) for MD and MGF1 MD. */
     err = test_rsa_sign_verify_pad(RSA_X931_PADDING, EVP_sha1(), NULL) == 1;
+#endif
 #ifdef WP_HAVE_SHA256
     if (err == 0) {
         /* Use SHA-256 for MD. */