fips-check.sh: add support for WOLFSSL_REPO and noautogen option; twe…

…ak git fetching to keep wolfssl and fips tags distinct, and fetch all needed tags by name to assure availability for checkout. also, hide stdout noise from pushd/popd.
wolfSSL · Dec 6, 2024 · 447d5ea · 447d5ea
1 parent aec0345
commit 447d5ea
Showing 1 changed file with 43 additions and 7 deletions.
diff --git a/fips-check.sh b/fips-check.sh
@@ -18,7 +18,9 @@ FLAVOR="${FLAVOR:-linux}"
 KEEP="${KEEP:-no}"
 MAKECHECK=${MAKECHECK:-yes}
 DOCONFIGURE=${DOCONFIGURE:-yes}
+DOAUTOGEN=${DOAUTOGEN:-yes}
 FIPS_REPO="${FIPS_REPO:-git@github.com:wolfssl/fips.git}"
+WOLFSSL_REPO="${WOLFSSL_REPO:-origin}"
 
 Usage() {
     cat <<usageText
@@ -46,6 +48,7 @@ while [ "$1" ]; do
   if [ "$1" = 'keep' ]; then KEEP='yes';
   elif [ "$1" = 'nomakecheck' ]; then MAKECHECK='no';
   elif [ "$1" = 'nodoconfigure' ]; then DOCONFIGURE='no';
+  elif [ "$1" = 'noautogen' ]; then DOCONFIGURE='no'; DOAUTOGEN='no';
   else FLAVOR="$1"; fi
   shift
 done
@@ -432,25 +435,56 @@ function copy_fips_files() {
     done
 }
 
-# Check to make sure this is not a shallow repo
-$GIT fetch --unshallow 2>/dev/null
+declare -A FIPS_TAGS_NEEDED WOLFCRYPT_TAGS_NEEDED
+for file_entry in "${WOLFCRYPT_FILES[@]}"; do
+    WOLFCRYPT_TAGS_NEEDED["${file_entry#*:}"]=1
+done
+for file_entry in "${FIPS_FILES[@]}"; do
+    FIPS_TAGS_NEEDED["${file_entry#*:}"]=1
+done
+
+echo "wolfCrypt tag$( [[ ${#WOLFCRYPT_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):"
+for tag in "${!WOLFCRYPT_TAGS_NEEDED[@]}"; do
+    if $GIT describe --exact-match --long "$tag" 2>/dev/null; then
+        continue
+    fi
+    if ! $GIT fetch --depth 1 "$WOLFSSL_REPO" tag "$tag"; then
+        echo "Can't fetch wolfCrypt tag: $tag"
+        exit 1
+    fi
+done
 
 if ! $GIT clone . "$TEST_DIR"; then
     echo "fips-check: Couldn't duplicate current working directory."
     exit 1
 fi
 
-pushd "$TEST_DIR" || exit 2
+pushd "$TEST_DIR" 1>/dev/null || exit 2
 
 if ! $GIT clone "$FIPS_REPO" fips; then
     echo "fips-check: Couldn't check out FIPS repository."
     exit 1
 fi
 
+pushd fips 1>/dev/null || exit 2
+
+echo "FIPS tag$( [[ ${#FIPS_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):"
+for tag in "${!FIPS_TAGS_NEEDED[@]}"; do
+    if $GIT describe "$tag" 2>/dev/null; then
+        continue
+    fi
+    if ! $GIT fetch --depth 1 "$FIPS_REPO" tag "$tag"; then
+        echo "Can't fetch FIPS tag: $tag"
+        exit 1
+    fi
+done
+
+popd 1>/dev/null || exit 2
+
 checkout_files "${WOLFCRYPT_FILES[@]}" || exit 3
-pushd fips || exit 2
+pushd fips 1>/dev/null || exit 2
 copy_fips_files "${FIPS_FILES[@]}" || exit 3
-popd || exit 2
+popd 1>/dev/null || exit 2
 
 # When checking out cert 3389 ready code, NIST will no longer perform
 # new certifications on 140-2 modules. If we were to use the latest files from
@@ -464,7 +498,9 @@ if [ "$FLAVOR" = 'fipsv2-OE-ready' ] && [ -s wolfcrypt/src/fips.c ]; then
 fi
 
 # run the make test
-./autogen.sh
+if [ "$DOAUTOGEN" = "yes" ]; then
+    ./autogen.sh
+fi
 
 if [ "$DOCONFIGURE" = "yes" ]; then
     case "$FIPS_OPTION" in
@@ -502,7 +538,7 @@ if [ "$DOCONFIGURE" = "yes" ]; then
 fi
 
 # Clean up
-popd || exit 2
+popd 1>/dev/null || exit 2
 if [ "$KEEP" = 'no' ]; then
     rm -rf "$TEST_DIR"
 fi