diff --git a/.github/workflows/checksums.yml b/.github/workflows/checksums.yml
new file mode 100644
index 0000000000000..9caf49c9fb26c
--- /dev/null
+++ b/.github/workflows/checksums.yml
@@ -0,0 +1,69 @@
+name: FIPS Checksums
+on: [pull_request]
+jobs:
+ apply-label:
+ runs-on: ubuntu-latest
+ steps:
+ - name: install unifdef
+ run: |
+ sudo apt-get update
+ sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install unifdef
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.base.sha }}
+ - name: create build dirs
+ run: |
+ mkdir ./build-pristine
+ mkdir ./build
+ - name: config pristine
+ run: ../config enable-fips && perl configdata.pm --dump
+ working-directory: ./build-pristine
+ - name: make build_generated pristine
+ run: make -s build_generated
+ working-directory: ./build-pristine
+ - name: make fips-checksums pristine
+ run: make fips-checksums
+ working-directory: ./build-pristine
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ clean: false
+ - name: config
+ run: ../config enable-fips && perl configdata.pm --dump
+ working-directory: ./build
+ - name: make build_generated
+ run: make -s build_generated
+ working-directory: ./build
+ - name: make fips-checksums
+ run: make fips-checksums
+ working-directory: ./build
+ - name: update checksums pristine
+ run: make update-fips-checksums
+ working-directory: ./build-pristine
+ - name: make diff-fips-checksums
+ run: make diff-fips-checksums && echo "fips_unchanged=1" >> $GITHUB_ENV || echo "fips_changed=1" >> $GITHUB_ENV
+ working-directory: ./build
+ - name: set label
+ if: ${{ env.fips_changed }}
+ uses: actions/github-script@v4
+ with:
+ github-token: ${{secrets.GITHUB_TOKEN}}
+ script: |
+ github.issues.addLabels({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ labels: ['severity: fips change']
+ })
+ - name: remove label
+ if: ${{ env.fips_unchanged }}
+ uses: actions/github-script@v4
+ with:
+ github-token: ${{secrets.GITHUB_TOKEN}}
+ script: |
+ github.issues.removeLabel({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ name: 'severity: fips change'
+ })
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index 345c197253828..9dcc0b03420f3 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -1137,8 +1137,8 @@ generate_doc_buildinfo:
 mv $(SRCDIR)/doc/build.info.new $(SRCDIR)/doc/build.info; \
 fi )
-generate_fips_sources: providers/fips.module.sources
-providers/fips.module.sources: \
+generate_fips_sources: providers/fips.module.sources.new
+providers/fips.module.sources.new: \
 $(SRCDIR)/Configure \
 {- join(" \\\n" . ' ' x 16, fill_lines(" ", $COLUMNS - 16,
@@ -1167,7 +1167,7 @@ providers/fips.module.sources: \
 crypto/sha/asm/*.pl; do \
 echo "$$x"; \
 done \
- ) | sort | uniq > providers/fips.module.sources
+ ) | sort | uniq > providers/fips.module.sources.new
 rm -rf sources-tmp
 # Set to -force to force a rebuild
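Review bot: The `set label` and `remove label` steps will fail for pull requests opened from forks, because under the `on: [pull_request]` trigger the `GITHUB_TOKEN` handed to a fork PR is read-only, while `github.issues.addLabels`/`removeLabel` need `pull-requests: write`. Switching the trigger to `pull_request_target` to obtain a writable token would not be a safe fix here, since the job checks out `github.event.pull_request.head.sha` and runs `../config` and `make` from it, i.e. it executes PR-controlled code; the usual pattern is to keep this build-and-diff job on `pull_request`, publish the result as an artifact, and apply the label from a separate `workflow_run` workflow that never checks out PR code. Independently, a `permissions:` block restricting the token to what the job actually needs, and pinning `actions/checkout` and `actions/github-script` to full commit SHAs rather than the floating `@v2`/`@v4` tags, would tighten the workflow's supply chain. Minor: `${{secrets.GITHUB_TOKEN}}` on the two `github-token:` lines lacks the inner spaces the other expressions in the file use.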
@@ -1268,29 +1268,25 @@ fips-checksums: generate_fips_sources
 @which unifdef > /dev/null || \
 ( echo >&2 "ERROR: unifdef not in your \$$PATH, FIPS checksums not calculated"; \
 false )
- ( sources=`pwd`/providers/fips.module.sources; \
+ ( sources=`pwd`/providers/fips.module.sources.new; \
 cd $(SRCDIR) \
 && cat $$sources \
 | xargs ./util/fips-checksums.sh ) \
- > providers/fips-sources.checksums \
- && sha256sum providers/fips-sources.checksums \
- > providers/fips.checksum
+ > providers/fips-sources.checksums.new \
+ && sha256sum providers/fips-sources.checksums.new \
+ > providers/fips.checksum.new
-$(SRCDIR)/providers/fips.checksum: providers/fips.checksum
- cp -p providers/fips.module.sources \
- providers/fips-sources.checksums \
- providers/fips.checksum $(SRCDIR)/providers
+$(SRCDIR)/providers/fips.checksum: providers/fips.checksum.new
+ cp -p providers/fips.module.sources.new $(SRCDIR)/providers/fips.module.sources
+ cp -p providers/fips-sources.checksums.new $(SRCDIR)/providers/fips-sources.checksums
+ cp -p providers/fips.checksum.new $(SRCDIR)/providers/fips.checksum
 update-fips-checksums: $(SRCDIR)/providers/fips.checksum
 diff-fips-checksums: fips-checksums
- @if [ "$(SRCDIR)" = "$(BLDDIR)" ]; then \
- echo >&2 "Nothing to diff as the build and the source tree is the same"; \
- false; \
- fi
- diff -u $(SRCDIR)/providers/fips.module.sources providers/fips.module.sources
- diff -u $(SRCDIR)/providers/fips-sources.checksums providers/fips-sources.checksums
- diff -u $(SRCDIR)/providers/fips.checksum providers/fips.checksum
+ diff -u $(SRCDIR)/providers/fips.module.sources providers/fips.module.sources.new
+ diff -u $(SRCDIR)/providers/fips-sources.checksums providers/fips-sources.checksums.new
+ diff -u $(SRCDIR)/providers/fips.checksum providers/fips.checksum.new
 # Release targets (note: only available on Unix) #####################
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 841c80bab7256..8c9f3eab03cc4 100644
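Review bot: `sha256sum providers/fips-sources.checksums.new > providers/fips.checksum.new` in the `fips-checksums` recipe (whose target line is just outside the hunk) records the `.new` file name in the checksum line, and the new `$(SRCDIR)/providers/fips.checksum` rule then copies that file verbatim into the source tree, so the committed checksum file will name `providers/fips-sources.checksums.new`, a path that does not exist there; the integrity reference for the FIPS sources can then no longer be checked against the file it describes (e.g. with `sha256sum -c`), and a `diff-fips-checksums` run against a checksum file recorded before this change will report a difference on the file-name column alone. Stripping the suffix when recording the name keeps the file self-consistent: `&& sha256sum providers/fips-sources.checksums.new | sed -e 's|\.new||' > providers/fips.checksum.new`. Dropping the `$(SRCDIR) = $(BLDDIR)` guard from `diff-fips-checksums` looks fine now that the generated files carry the `.new` suffix and no longer overwrite the tracked ones in an in-tree build, though it is worth checking that the `.new` files are covered by the clean targets, which this hunk does not show.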
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -668,7 +668,7 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
 if (!fips_get_params_from_core(fgbl)) {
 /* Error already raised */
- return 0;
+ goto err;
 }
 /*
 * Disable the conditional error check if it's disabled in the fips config
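Review bot: The new `goto err` hands this failure to cleanup at the `err` label, which lies outside the hunk along with the rest of `OSSL_provider_init`; it is worth confirming that the label's cleanup copes with `fgbl` in its state at this point (allocated, parameters not yet fetched) and does not release anything that is only set up later in the function. If other early `return 0` statements in the same function occur after `fgbl` is allocated, they presumably leak it the same way this one did and should be routed through the same label; the hunk does not show whether any remain.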