From c7438470e20b868c5976534b4f5700908e3cc321 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner <douzzer@wolfssl.com>
Date: Thu, 5 Dec 2024 14:39:53 -0600
Subject: [PATCH] fips-check.sh: add support for WOLFSSL_REPO and noautogen
 option; tweak git fetching to keep wolfssl and fips tags separate, fetch into
 the clones to avoid tag conflicts, and fetch all needed tags by name to
 assure availability for checkout.  also, hide stdout noise from pushd/popd.

---
 fips-check.sh | 50 +++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 43 insertions(+), 7 deletions(-)

diff --git a/fips-check.sh b/fips-check.sh
index 215a5fc6ae..db457b6b0d 100755
--- a/fips-check.sh
+++ b/fips-check.sh
@@ -18,7 +18,9 @@ FLAVOR="${FLAVOR:-linux}"
 KEEP="${KEEP:-no}"
 MAKECHECK=${MAKECHECK:-yes}
 DOCONFIGURE=${DOCONFIGURE:-yes}
+DOAUTOGEN=${DOAUTOGEN:-yes}
 FIPS_REPO="${FIPS_REPO:-git@github.com:wolfssl/fips.git}"
+WOLFSSL_REPO="${WOLFSSL_REPO:-origin}"
 
 Usage() {
     cat <<usageText
@@ -46,6 +48,7 @@ while [ "$1" ]; do
   if [ "$1" = 'keep' ]; then KEEP='yes';
   elif [ "$1" = 'nomakecheck' ]; then MAKECHECK='no';
   elif [ "$1" = 'nodoconfigure' ]; then DOCONFIGURE='no';
+  elif [ "$1" = 'noautogen' ]; then DOCONFIGURE='no'; DOAUTOGEN='no';
   else FLAVOR="$1"; fi
   shift
 done
@@ -432,25 +435,56 @@ function copy_fips_files() {
     done
 }
 
-# Check to make sure this is not a shallow repo
-$GIT fetch --unshallow 2>/dev/null
+declare -A FIPS_TAGS_NEEDED WOLFCRYPT_TAGS_NEEDED
+for file_entry in "${WOLFCRYPT_FILES[@]}"; do
+    WOLFCRYPT_TAGS_NEEDED["${file_entry#*:}"]=1
+done
+for file_entry in "${FIPS_FILES[@]}"; do
+    FIPS_TAGS_NEEDED["${file_entry#*:}"]=1
+done
 
 if ! $GIT clone . "$TEST_DIR"; then
     echo "fips-check: Couldn't duplicate current working directory."
     exit 1
 fi
 
-pushd "$TEST_DIR" || exit 2
+pushd "$TEST_DIR" 1>/dev/null || exit 2
 
 if ! $GIT clone "$FIPS_REPO" fips; then
     echo "fips-check: Couldn't check out FIPS repository."
     exit 1
 fi
 
+pushd fips 1>/dev/null || exit 2
+
+echo "Fetching FIPS tag$( [[ ${#FIPS_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):"
+for tag in "${!FIPS_TAGS_NEEDED[@]}"; do
+    if $GIT describe "$tag" 2>/dev/null; then
+	continue
+    fi
+    if ! $GIT fetch --depth 1 "$FIPS_REPO" tag "$tag"; then
+        echo "Can't fetch FIPS tag: $tag"
+        exit 1
+    fi
+done
+
+popd 1>/dev/null || exit 2
+
+echo "Fetching wolfCrypt tag$( [[ ${#WOLFCRYPT_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):"
+for tag in "${!WOLFCRYPT_TAGS_NEEDED[@]}"; do
+    if $GIT describe "$tag" 2>/dev/null; then
+	continue
+    fi
+    if ! $GIT fetch --depth 1 "$WOLFSSL_REPO" tag "$tag"; then
+        echo "Can't fetch wolfCrypt tag: $tag"
+        exit 1
+    fi
+done
+
 checkout_files "${WOLFCRYPT_FILES[@]}" || exit 3
-pushd fips || exit 2
+pushd fips 1>/dev/null || exit 2
 copy_fips_files "${FIPS_FILES[@]}" || exit 3
-popd || exit 2
+popd 1>/dev/null || exit 2
 
 # When checking out cert 3389 ready code, NIST will no longer perform
 # new certifications on 140-2 modules. If we were to use the latest files from
@@ -464,7 +498,9 @@ if [ "$FLAVOR" = 'fipsv2-OE-ready' ] && [ -s wolfcrypt/src/fips.c ]; then
 fi
 
 # run the make test
-./autogen.sh
+if [ "$DOAUTOGEN" = "yes" ]; then
+    ./autogen.sh
+fi
 
 if [ "$DOCONFIGURE" = "yes" ]; then
     case "$FIPS_OPTION" in
@@ -502,7 +538,7 @@ if [ "$DOCONFIGURE" = "yes" ]; then
 fi
 
 # Clean up
-popd || exit 2
+popd 1>/dev/null || exit 2
 if [ "$KEEP" = 'no' ]; then
     rm -rf "$TEST_DIR"
 fi