Merge pull request #269 from aidangarske/fips-ready-ci

Initial support for fips ready CI testing

Author: ColtonWilley

.github/workflows/cmdline.yml

@@ -44,14 +44,14 @@ jobs:
             openssl-install/bin
 
           key: wolfprov-${{ matrix.wolfssl_ref }}-${{ matrix.openssl_ref }}-${{ github.sha }}
-                    # Normally we would fail on cache miss, but we rebuild below 
+          # Normally we would fail on cache miss, but we rebuild below 
           # for the DEBUG build.
           fail-on-cache-miss: false
 
       # If not yet built this version, build it now
       - name: Build wolfProvider
         # Only run the test for a cache miss. On hit, we've already run the test.
-        if: steps.wolfprov-cache-restore.cache-hit != 'true'
+        if: steps.wolfprov-cache.outputs.cache-hit != 'true'
         run: |
           ${{ matrix.debug }} OPENSSL_TAG=${{ matrix.openssl_ref }} WOLFSSL_TAG=${{ matrix.wolfssl_ref }} ./scripts/build-wolfprovider.sh
 

.github/workflows/fips-ready.yml

@@ -0,0 +1,61 @@
+name: FIPS Ready Bundle Test
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  fips_ready_test:
+    name: FIPS Ready Bundle Test
+    runs-on: ubuntu-22.04
+    timeout-minutes: 20
+    strategy:
+      matrix:
+        wolfssl_bundle_ref: [ '5.8.2' ]
+        openssl_ref: [ 'openssl-3.5.0' ]
+        force_fail: ['WOLFPROV_FORCE_FAIL=1', '']
+    steps:
+      - name: Checkout wolfProvider
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Download FIPS Ready Bundle
+        run: |
+          # Download FIPS ready bundle from wolfSSL website
+          BUNDLE_URL="https://www.wolfssl.com/wolfssl-${{matrix.wolfssl_bundle_ref}}-gplv3-fips-ready.zip"
+          
+          wget -O wolfssl-fips-ready.zip "$BUNDLE_URL"
+          unzip wolfssl-fips-ready.zip
+
+          # Find the extracted directory (build script requires directory, not zip)
+          BUNDLE_DIR=$(find . -maxdepth 1 -type d -name "*fips-ready*" | head -n 1)
+          if [ -z "$BUNDLE_DIR" ]; then
+            echo "ERROR: Could not find FIPS ready bundle directory after extraction"
+            ls -la
+            exit 1
+          fi
+
+          echo "FIPS_BUNDLE_PATH=$(pwd)/$BUNDLE_DIR" >> $GITHUB_ENV
+          echo "Found FIPS bundle directory at: $BUNDLE_DIR"
+
+      - name: Build wolfProvider with FIPS Ready Bundle
+        run: |
+          ./scripts/build-wolfprovider.sh --fips-bundle="$FIPS_BUNDLE_PATH" \
+          --fips-version=ready --wolfssl-ver=v${{matrix.wolfssl_bundle_ref}}-stable
+
+      - name: Run FIPS Command Tests
+        run: |
+          # Run cmd tests to verify functionality
+          export WOLFSSL_ISFIPS=1
+          export ${{matrix.force_fail}}
+
+          ${{ matrix.force_fail }} ./scripts/cmd_test/do-cmd-tests.sh

README.md

@@ -136,6 +136,23 @@ export LD_LIBRARY_PATH=/usr/local/ssl/lib
 make check
 ```
 
+## Building with FIPS
+
+To build and test with our prebuilt FIPS bundle, use the following command to build wolfProvider with FIPS enabled. You can refer to `.github/workflows/fips-ready.yml` for the workflow that does this.
+
+Go to our website to download the FIPS bundle. [here](https://www.wolfssl.com/download/) and select  wolfssl-5.8.2-gplv3-fips-ready.zip.
+
+or you can use wget to download the FIPS bundle like so:
+```
+wget -O wolfssl-fips-ready.zip https://www.wolfssl.com/wolfssl-5.8.2-gplv3-fips-ready.zip
+unzip wolfssl-fips-ready.zip
+```
+
+Then use the following command to build wolfProvider with FIPS enabled.
+```
+./scripts/build-wolfprovider.sh --fips-bundle="path/to/fips-bundle" --fips-version=ready --distclean
+```
+
 ## Testing
 
 ### Unit Tests
@@ -153,8 +170,6 @@ To run the command tests:
 To run the cipher suite testing:
 * `./scripts/test-wp-cs.sh`
 
-
 ## Debugging
 
 To enable wolfProvider debug logging, build with `--debug` which enables exit messages, error messages, and informational messages. If you want to filter logging a certain way or increase detail level, set `WOLFPROV_LOG_LEVEL_FILTER` and `WOLFPROV_LOG_COMPONENTS_FILTER` in `include/wolfprovider/wp_logging.h` as needed. See comments in that file for examples.
-