Add FIPS version selection support (#294)

aidangarske · Test User · web-flow · commit 0fd5c04c1bc5 · 2025-10-02T09:34:33.000-07:00
* Add FIPS version selection support

* Fix spelling from codespell

* remove FIPS_VERSION and simply use tag and detect configure

* Add fix for CI and make tets

---------

Co-authored-by: Test User &lt;test@example.com&gt;
diff --git a/.github/workflows/fips-ready.yml b/.github/workflows/fips-ready.yml
@@ -50,7 +50,7 @@ jobs:
       - name: Build wolfProvider with FIPS Ready Bundle
         run: |
           ./scripts/build-wolfprovider.sh --fips-bundle="$FIPS_BUNDLE_PATH" \
-          --fips-version=ready --wolfssl-ver=v${{matrix.wolfssl_bundle_ref}}-stable
+          --fips-check=ready --wolfssl-ver=v${{matrix.wolfssl_bundle_ref}}-stable
 
       - name: Run FIPS Command Tests
         run: |
diff --git a/README.md b/README.md
@@ -150,7 +150,7 @@ unzip wolfssl-fips-ready.zip
 
 Then use the following command to build wolfProvider with FIPS enabled.
 ```
-./scripts/build-wolfprovider.sh --fips-bundle="path/to/fips-bundle" --fips-version=ready --distclean
+./scripts/build-wolfprovider.sh --fips-bundle="path/to/fips-bundle" --fips-check=ready --distclean
 ```
 
 ## Testing
diff --git a/scripts/build-wolfprovider.sh b/scripts/build-wolfprovider.sh
@@ -14,10 +14,9 @@ show_help() {
   echo "  --disable-err-trace        No debug trace messages from library errors in wolfSSL"
   echo "  --openssl-ver=VER          Which version of OpenSSL to clone"
   echo "  --wolfssl-ver=VER          Which version of wolfSSL to clone"
-  echo "  --enable-fips              Build wolfProvider with a cloned FIPS bundle. Cloned FIPS bundle can be changed with --fips-check"
-  echo "  --fips-bundle=DIR          Build wolfProvider with a directory containing a wolfSSL FIPS bundle instead of cloning from GitHub. Requires a FIPS version to be given by --fips-version"
-  echo "  --fips-check=TAG           Choose a FIPS tag to clone. May require a version to be given by --fips-version"
-  echo "  --fips-version=VER         Choose the wolfSSL FIPS version"
+  echo "  --enable-fips              Build wolfProvider with a cloned FIPS bundle. Use with --fips-check to specify tag (default: v5.2.4)"
+  echo "  --fips-bundle=DIR          Build wolfProvider with a directory containing a wolfSSL FIPS bundle. Use with --fips-check to specify tag"
+  echo "  --fips-check=TAG           Choose a FIPS tag (v5.2.1, v5.2.4, linuxv5.2.1, v6.0.0, ready, etc). Automatically determines configure option"
   echo "  --debian                   Build a Debian package"
   echo "  --debian --enable-fips     Build a Debian package with FIPS support"
   echo "  --quicktest                Disable some tests for a faster testing suite"
@@ -30,8 +29,7 @@ show_help() {
   echo "  WOLFSSL_TAG                wolfSSL tag to use (e.g., v5.8.0-stable)"
   echo "  WOLFSSL_ISFIPS             If set to 1, clones a wolfSSL FIPS bundle from GitHub"
   echo "  WOLFSSL_FIPS_BUNDLE        Directory containing the wolfSSL FIPS bundle to use instead of cloning from GitHub"
-  echo "  WOLFSSL_FIPS_VERSION       Version of wolfSSL FIPS bundle (v5, v6, ready), used as an argument for --enable-fips when configuring wolfSSL"
-  echo "  WOLFSSL_FIPS_CHECK_TAG     Tag for wolfSSL FIPS bundle (linuxv5.2.1, v6.0.0, etc), used as an argument for fips-check.sh when cloning a wolfSSL FIPS version"
+  echo "  WOLFSSL_FIPS_CHECK_TAG     Tag for wolfSSL FIPS bundle (v5.2.1, v5.2.4, linuxv5.2.1, v6.0.0, ready, etc). Automatically determines configure option (default: v5.2.4)"
   echo "  WOLFPROV_CLEAN             If set to 1, run make clean in OpenSSL, wolfSSL, and wolfProvider"
   echo "  WOLFPROV_DISTCLEAN         If set to 1, remove the source and install directories of OpenSSL, wolfSSL, and wolfProvider"
   echo "  WOLFPROV_DEBUG             If set to 1, builds OpenSSL, wolfSSL, and wolfProvider with debug options enabled"
@@ -86,7 +84,6 @@ for arg in "$@"; do
             WOLFSSL_ISFIPS=1
             ;;
         --fips-bundle=*)
-            unset WOLFSSL_FIPS_CHECK_TAG
             IFS='=' read -r trash fips_bun <<< "$arg"
             if [ -z "$fips_bun" ]; then
                 echo "No directory given for --fips-bundle"
@@ -95,22 +92,13 @@ for arg in "$@"; do
             WOLFSSL_FIPS_BUNDLE="$fips_bun"
             ;;
         --fips-check=*)
-            unset WOLFSSL_FIPS_BUNDLE
             IFS='=' read -r trash fips_tag <<< "$arg"
             if [ -z "$fips_tag" ]; then
                 echo "No tag given for --fips-check"
                 args_wrong+="$arg, "
             fi
             WOLFSSL_FIPS_CHECK_TAG="$fips_tag"
             ;;
-        --fips-version=*)
-            IFS='=' read -r trash fips_ver <<< "$arg"
-            if [ -z "$fips_ver" ]; then
-                echo "No version given for --fips-version"
-                args_wrong+="$arg, "
-            fi
-            WOLFSSL_FIPS_VERSION="$fips_ver"
-            ;;
         --debian)
             build_debian=1
             ;;
diff --git a/scripts/utils-wolfssl.sh b/scripts/utils-wolfssl.sh
@@ -26,6 +26,7 @@ WOLFSSL_TAG=${WOLFSSL_TAG:-"v5.8.2-stable"}
 WOLFSSL_SOURCE_DIR=${SCRIPT_DIR}/../wolfssl-source
 WOLFSSL_INSTALL_DIR=${SCRIPT_DIR}/../wolfssl-install
 WOLFSSL_ISFIPS=${WOLFSSL_ISFIPS:-0}
+WOLFSSL_FIPS_VERSION=${WOLFSSL_FIPS_VERSION:-"5.2.4"}
 WOLFSSL_FIPS_CONFIG_OPTS=${WOLFSSL_CONFIG_OPTS:-'--enable-opensslcoexist '}
 WOLFSSL_FIPS_CONFIG_CFLAGS=${WOLFSSL_CONFIG_CFLAGS:-"-I${OPENSSL_INSTALL_DIR}/include -DWOLFSSL_OLD_OID_SUM -DWOLFSSL_DH_EXTRA"}
 WOLFSSL_CONFIG_OPTS=${WOLFSSL_CONFIG_OPTS:-'--enable-all-crypto --with-eccminsz=192 --with-max-ecc-bits=1024 --enable-opensslcoexist --enable-sha'}
@@ -110,7 +111,7 @@ install_wolfssl() {
                 do_cleanup
                 exit 1
             fi
-            
+
             printf "\nSkipping wolfSSL installation - libwolfssl and libwolfssl-dev packages are already installed.\n"
             # Set WOLFSSL_INSTALL_DIR to system installation directory
             WOLFSSL_INSTALL_DIR="/usr"
@@ -141,38 +142,96 @@ install_wolfssl() {
         elif [ "$WOLFSSL_DEBUG_ASN_TEMPLATE" = "1" ] && ( [ "$WOLFSSL_ISFIPS" = "1" ] || [ -n "$WOLFSSL_FIPS_BUNDLE" ] ); then
             WOLFSSL_FIPS_CONFIG_CFLAGS+=" -DWOLFSSL_DEBUG_ASN_TEMPLATE"
         fi
-        if [ -n "$WOLFSSL_FIPS_BUNDLE" ]; then
-            if [ ! -n "$WOLFSSL_FIPS_VERSION" ]; then
-                printf "ERROR, must specify version if using FIPS bundle (v5, v6, ready)"
+        if [ -n "$WOLFSSL_FIPS_BUNDLE" ] || [ "$WOLFSSL_ISFIPS" = "1" ]; then
+            if [ -n "$WOLFSSL_FIPS_BUNDLE" ] && [ -z "$WOLFSSL_FIPS_CHECK_TAG" ]; then
+                printf "ERROR, must specify tag if using FIPS bundle (v5.2.1, v5.2.4, linuxv5.2.1, v6.0.0, ready)"
                 do_cleanup
                 exit 1
             fi
-            printf "using FIPS bundle ... "
-            CONF_ARGS+=" --enable-fips=$WOLFSSL_FIPS_VERSION"
-            WOLFSSL_CONFIG_OPTS=$WOLFSSL_FIPS_CONFIG_OPTS
-            WOLFSSL_CONFIG_CFLAGS=$WOLFSSL_FIPS_CONFIG_CFLAGS
-        elif [ "$WOLFSSL_ISFIPS" = "1" ]; then
-            printf "with FIPS ... "
-            if [ -n "$WOLFSSL_FIPS_VERSION" ]; then
-                CONF_ARGS+=" --enable-fips=$WOLFSSL_FIPS_VERSION"
+
+            # Determine FIPS tag - use FIPS_CHECK_TAG if provided, default to v5.2.4
+            local fips_tag="${WOLFSSL_FIPS_CHECK_TAG}"
+            fips_tag="${fips_tag:-v5.2.4}"
+
+            # Determine configure option from tag
+            local fips_configure_arg=""
+            case "$fips_tag" in
+                v5.2.*|v5.3.*|v5.4.*|v5.5.*|linuxv5.*)
+                    fips_configure_arg="v5"
+                    ;;
+                v6.*|linuxv6.*)
+                    fips_configure_arg="v6"
+                    ;;
+                *)
+                    # For ready, v5, v6, or other tags, use as-is
+                    fips_configure_arg="$fips_tag"
+                    ;;
+            esac
+
+            if [ -n "$WOLFSSL_FIPS_BUNDLE" ]; then
+                printf "using FIPS bundle ${fips_tag} ... "
             else
-                CONF_ARGS+=" --enable-fips=v5"
+                printf "with FIPS ${fips_tag} ... "
             fi
+            CONF_ARGS+=" --enable-fips=$fips_configure_arg"
             WOLFSSL_CONFIG_OPTS=$WOLFSSL_FIPS_CONFIG_OPTS
             WOLFSSL_CONFIG_CFLAGS=$WOLFSSL_FIPS_CONFIG_CFLAGS
-            if [ ! -e "XXX-fips-test" ]; then
-                # Sometimes the system OpenSSL is different than the one we're using. So for the 'git' commands, we'll just use whatever the system comes with
-                if [ -n "$WOLFSSL_FIPS_CHECK_TAG" ]; then
-                    LD_LIBRARY_PATH="" ./fips-check.sh "$WOLFSSL_FIPS_CHECK_TAG" keep nomakecheck >>$LOG_FILE 2>&1
+            # Only run fips-check if not using a bundle
+            if [ -z "$WOLFSSL_FIPS_BUNDLE" ] && [ ! -e "XXX-fips-test" ]; then
+                # Determine which FIPS check script to use based on tag
+                local fips_check_script=""
+                case "$fips_tag" in
+                    v5.2.*|v5.3.*|v5.4.*|v5.5.*)
+                        fips_check_script="fips-check-PILOT.sh"
+                        ;;
+                    linuxv5.*|linuxv6.*)
+                        fips_check_script="fips-check.sh"
+                        ;;
+                    *)
+                        fips_check_script="fips-check.sh"
+                        ;;
+                esac
+
+                # Copy fips-check-PILOT.sh from fips-src repo if needed
+                if [ "$fips_check_script" = "fips-check-PILOT.sh" ] && [ ! -f "$fips_check_script" ]; then
+                    if command -v git >/dev/null 2>&1; then
+                        # Try to get the script from fips-src repo
+                        if [ -d "../fips-src" ]; then
+                            cp ../fips-src/fips-check-PILOT.sh . 2>/dev/null || true
+                        fi
+                        # If we still can't find it clone it temporarily
+                        if [ ! -f "$fips_check_script" ]; then
+                            LD_LIBRARY_PATH="" git clone --depth=1 git@github.com:wolfSSL/fips-src.git fips-src >>$LOG_FILE 2>&1
+                            cp fips-src/fips-check-PILOT.sh . 2>/dev/null || true
+                            rm -rf fips-src
+                        fi
+                    fi
+                    if [ ! -f "$fips_check_script" ]; then
+                        printf "ERROR: Could not find fips-check-PILOT.sh script\n"
+                        rm -rf ${WOLFSSL_INSTALL_DIR}
+                        do_cleanup
+                        exit 1
+                    fi
+                fi
+
+                # Sometimes the system OpenSSL is different than the one we're using.
+                # So for the 'git' commands, we'll just use whatever the system comes with.
+                if [ "$fips_check_script" = "fips-check-PILOT.sh" ]; then
+                    # PILOT script has different usage: [flavor] [keep]
+                    LD_LIBRARY_PATH="" ./$fips_check_script "$fips_tag" keep >$LOG_FILE 2>&1
+                    RET_CODE=$?
                 else
-                    LD_LIBRARY_PATH="" ./fips-check.sh linuxv5.2.1 keep nomakecheck >>$LOG_FILE 2>&1
+                    # Regular fips-check.sh usage: [flavor] [keep] [nomakecheck]
+                    LD_LIBRARY_PATH="" ./$fips_check_script "$fips_tag" keep nomakecheck >$LOG_FILE 2>&1
+                    RET_CODE=$?
                 fi
-                if [ $? != 0 ]; then
-                    printf "ERROR checking out FIPS\n"
+                if [ $RET_CODE != 0 ]; then
+                    printf "ERROR checking out FIPS (return code: $RET_CODE)\n"
                     rm -rf ${WOLFSSL_INSTALL_DIR}
                     do_cleanup
                     exit 1
                 fi
+
                 (cd XXX-fips-test && ./autogen.sh && ./configure ${CONF_ARGS} ${WOLFSSL_CONFIG_OPTS} CFLAGS="${WOLFSSL_CONFIG_CFLAGS}" && make && ./fips-hash.sh) >>$LOG_FILE 2>&1
                 if [ $? != 0 ]; then
                     printf "ERROR compiling FIPS version of wolfSSL\n"
@@ -181,7 +240,10 @@ install_wolfssl() {
                     exit 1
                 fi
             fi
-            cd XXX-fips-test
+            # Change to test directory for FIPS builds
+            if [ -n "$WOLFSSL_FIPS_BUNDLE" ] || [ "$WOLFSSL_ISFIPS" = "1" ]; then
+                cd XXX-fips-test
+            fi
         fi
 
         ./configure ${CONF_ARGS} ${WOLFSSL_CONFIG_OPTS} CFLAGS="${WOLFSSL_CONFIG_CFLAGS}" >>$LOG_FILE 2>&1
@@ -215,10 +277,20 @@ install_wolfssl() {
             do_cleanup
             exit 1
         fi
+        printf "Done.\n"
+
         if [ "$WOLFSSL_ISFIPS" = "1" ]; then
+            printf "\tTesting wolfSSL FIPS ${WOLFSSL_TAG} ... "
+            make test >>$LOG_FILE 2>&1
+            if [ $? != 0 ]; then
+                printf "ERROR.\n"
+                rm -rf ${WOLFSSL_INSTALL_DIR}
+                do_cleanup
+                exit 1
+            fi
             cd ..
+            printf "Done.\n"
         fi
-        printf "Done.\n"
     fi
 
     cd ..
