test: add minimal openssl-3.0-fips test #5081
Conversation
lrstewart
force-pushed
the
openssl3fips_test
branch
4 times, most recently
from
b145415 to
87462ad
Compare
lrstewart
force-pushed
the
openssl3fips_test
branch
from
87462ad to
955690d
Compare
| * after its fork from BoringSSL. */ | ||
| * after its fork from BoringSSL. | ||
| */ |
There was a problem hiding this comment.
I'm removing a sneaky tab character here :/ I'm surprised clang-format doesn't flag tabs.
| bool s2n_libcrypto_is_openssl_fips(void); | ||
| bool s2n_libcrypto_is_awslc(); | ||
| bool s2n_libcrypto_is_awslc_fips(void); |
There was a problem hiding this comment.
These methods are just for convenience, but since we generally talk about the fips version of libcryptos like they're separate libcryptos, I think they're helpful and simplify common conditionals.
| # openssl3fips is still a work-in-progress. Not all tests pass. | ||
| - make -C build test -- ARGS="-R 's2n_build_test|s2n_fips_test'" |
There was a problem hiding this comment.
Good idea on the strategy to review this! I was worried we would need a feature branch or something.
| @@ -82,24 +83,24 @@ S2N_RESULT s2n_check_supported_libcrypto(const char *s2n_libcrypto) | |||
| { .libcrypto = "openssl-1.0.2", .is_openssl = true }, | |||
| { .libcrypto = "openssl-1.1.1", .is_openssl = true }, | |||
| { .libcrypto = "openssl-3.0", .is_openssl = true }, | |||
| { .libcrypto = "openssl-3.0-fips", .is_openssl = true, .is_opensslfips = true }, | |||
There was a problem hiding this comment.
Is is_opensslfips set to false anywhere?
There was a problem hiding this comment.
When initializing a struct this way in C, any field not specified is "0", which is false. So everywhere that doesn't set is_openssl_fips gets "false".
| -DASAN=ON \ | ||
| -DUBSAN=ON | ||
| - cmake --build ./build -- -j $(nproc) | ||
| post_build: |
There was a problem hiding this comment.
Thank you for separating build from test... we'll need to be more pedantic about this going forward...
|
My local branch was super behind main and didn't have f146f06 😅 I fixed the build test to also work for openssl-1.0.2-fips. |
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
Release Summary:
Resolved issues:
early version of #5036
Description of changes:
Before I start pushing out fixes to get s2n-tls to build with openssl-3.0-fips, we need to be able to test with openssl-3.0-fips. I would rather not push out one huge PR with all the openssl-3.0-fips changes, but that will mean that some of the tests will still be failing in initial PRs.
I think the solution here is to add a minimal openssl-3.0-fips test. Initially, I'm only enabling two unit tests, s2n_build_test and s2n_fips_test. As more functionality is updated, I will either add more tests or (more likely) switch from the "include" regex (-R) to the "exclude" regex (-E).
So this PR adds the buildspec for that test and minimally enables s2n-tls to detect openssl-3.0-fips as fips.
Testing:
I created a new Codebuild job with this buildspec. Here is a passing run: https://us-west-2.console.aws.amazon.com/codesuite/codebuild/024603541914/projects/Openssl3fipsWIP/build/Openssl3fipsWIP%3Acb296aa7-a6e7-41ef-ba17-b60d843f76c7?region=us-west-2
After this PR is merged, I will update that job to trigger on github events.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.