Add support for running pkcs11 provider in FIPS Mode #498

Merged: 6 commits, Jan 15, 2025
4 changes: 4 additions & 0 deletions .github/workflows/address-sanitizer.yml
Expand Up @@ -24,6 +24,7 @@ jobs:
steps:
- name: Checkout Repository
uses: actions/checkout@v4

- name: Install Dependencies
run: |
if [ -f /etc/fedora-release ]; then
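Review bot: this hunk, like the remaining address-sanitizer.yml, distcheck.yml and kryoptic.yml hunks, only inserts blank lines between steps and has no functional relation to the FIPS change; if these whitespace-only edits are not already isolated in one of the six commits, splitting them out keeps the FIPS commit small, reviewable and bisectable.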
Expand All @@ -42,6 +43,7 @@ jobs:
libp11-kit-dev p11-kit-modules gnutls-bin \
openssl-dbgsym libssl3t64-dbgsym
fi

- name: Setup
# The detection on debian works ok, but on Fedora, we get linker script,
# that is not compatible with LD_PRELOAD so we force the absolute path.
Expand All @@ -53,12 +55,14 @@ jobs:
CC=gcc \
meson setup builddir -Db_sanitize=address -Dpreload_libasan=/usr/lib/x86_64-linux-gnu/libasan.so.8.0.0
fi

- name: Build and Test
# note, that this intentionally does not initialize submodules as
# the tlsfuzzer test does not work under address sanitizer well
run: |
meson compile -C builddir
meson test --num-processes 1 -C builddir

- uses: actions/upload-artifact@v4
if: failure()
with:
41 changes: 37 additions & 4 deletions .github/workflows/build.yml
Expand Up @@ -14,23 +14,25 @@ jobs:
strategy:
fail-fast: false
matrix:
name: [fedora, debian, centos, ubuntu]
name: [fedora, debian, centos9, centos10, ubuntu]
compiler: [gcc, clang]
token: [softokn, softhsm]
include:
- name: fedora
container: fedora:latest
- name: debian
container: debian:sid
- name: centos
- name: centos9
container: quay.io/centos/centos:stream9
- name: centos10
container: quay.io/centos/centos:stream10
- name: ubuntu
container: ubuntu:latest
container: ${{ matrix.container }}
steps:
- name: Install Dependencies
run: |
if [ "${{ matrix.name }}" = centos ]; then
if [ "${{ matrix.name }}" = "centos9" -o "${{ matrix.name }}" = "centos10" ]; then
dnf_opts="--enablerepo=crb"
fi
if [ -f /etc/redhat-release ]; then
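Review bot: the new condition on the install step, `if [ "${{ matrix.name }}" = "centos9" -o "${{ matrix.name }}" = "centos10" ]; then`, uses the `-o` form of `[` that POSIX marks obsolescent and ShellCheck flags (SC2166), and the identical test is then repeated in two later steps of the same job. Since the matrix already carries an `include` entry per distribution, a cleaner fix is to add a field there, e.g. `crb: true` on the two CentOS entries, and test `${{ matrix.crb }}` in the shell; failing that, `case "${{ matrix.name }}" in centos*) dnf_opts="--enablerepo=crb";; esac` avoids touching every step when the next CentOS stream is added. Interpolating `${{ matrix.name }}` directly into `run:` is acceptable here only because the values are fixed in the workflow file; it should stay that way.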
Expand All @@ -56,20 +58,23 @@ jobs:
p11-kit-modules
fi
fi

- name: Check NSS version
id: nss-version-check
run: |
if [ "${{ matrix.name }}" = "centos" ]; then
if [ "${{ matrix.name }}" = "centos9" -o "${{ matrix.name }}" = "centos10" ]; then
if [ "${{ matrix.token }}" = "softokn" ]; then
NSSMINVER=`nss-config --version nss | cut -d '.' -f 2`
if [ $NSSMINVER -lt 101 ]; then
echo "skiptest=true" >> $GITHUB_OUTPUT
fi
fi
fi

- name: Checkout Repository
if : ( steps.nss-version-check.outputs.skiptest != 'true' )
uses: actions/checkout@v4

- name: Setup
if : ( steps.nss-version-check.outputs.skiptest != 'true' )
run: |
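Review bot: with centos10 now taking this branch as well, the NSS version check it guards is fragile: the backtick assignment from `nss-config --version nss | cut -d '.' -f 2` leaves `NSSMINVER` empty if `nss-config` is absent or changes its output format, and the unquoted `[ $NSSMINVER -lt 101 ]` then errors out instead of setting `skiptest`, so the job fails on a tooling problem rather than on a provider bug. Suggest `NSSMINVER=$(nss-config --version nss | cut -d. -f2)` with `if [ "${NSSMINVER:-0}" -lt 101 ]; then`, plus an `echo` of the detected version so a skipped leg is explained in the log.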
Expand All @@ -81,11 +86,13 @@ jobs:
else
CC=${{ matrix.compiler }} meson setup builddir -Denable_explicit_EC_test=true
fi

- name: Build and Test
if : ( steps.nss-version-check.outputs.skiptest != 'true' )
run: |
meson compile -C builddir
meson test --num-processes 1 -C builddir

- uses: actions/upload-artifact@v4
if: failure()
with:
Expand All @@ -95,12 +102,14 @@ jobs:
builddir/tests/tmp.${{ matrix.token }}/p11prov-debug.log
builddir/tests/tmp.${{ matrix.token }}/testvars
builddir/tests/tmp.${{ matrix.token }}/openssl.cnf

- name: Run tests with valgrind
if : ( steps.nss-version-check.outputs.skiptest != 'true' )
run: |
if [ "${{ matrix.compiler }}" = "gcc" ]; then
meson test --num-processes 1 -C builddir --setup=valgrind
fi

- uses: actions/upload-artifact@v4
if: failure()
with:
Expand All @@ -110,6 +119,26 @@ jobs:
builddir/tests/tmp.${{ matrix.token }}/p11prov-debug.log
builddir/tests/tmp.${{ matrix.token }}/testvars
builddir/tests/tmp.${{ matrix.token }}/openssl.cnf

- name: Run tests in FIPS Mode (on CentOS + gcc only)
if : ( steps.nss-version-check.outputs.skiptest != 'true' )
run: |
if [ "${{ matrix.compiler }}" = "gcc" -a \( "${{ matrix.name }}" = "centos9" -o "${{ matrix.name }}" = "centos10" \) ]; then
OPENSSL_FORCE_FIPS_MODE=1 \
meson test --num-processes 1 -C builddir
fi

- uses: actions/upload-artifact@v4
if: failure()
with:
name: Test valgrind logs ${{ matrix.name }}, ${{ matrix.compiler }}, ${{ matrix.token }}
path: |
builddir/meson-logs/
builddir/tests/tmp.${{ matrix.token }}/p11prov-debug.log
builddir/tests/tmp.${{ matrix.token }}/testvars
builddir/tests/tmp.${{ matrix.token }}/openssl.cnf


build-macos:
name: CI with software token
runs-on: ${{ matrix.os }}
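Review bot: the failure-artifact added after the FIPS step reuses the name `Test valgrind logs ${{ matrix.name }}, ${{ matrix.compiler }}, ${{ matrix.token }}`, evidently copied from the valgrind step above; actions/upload-artifact@v4 requires artifact names to be unique within a workflow run, so if both the valgrind and the FIPS test steps fail on the same matrix leg the second upload is rejected and the FIPS logs are lost. Rename it, e.g. `Test FIPS logs ${{ matrix.name }}, ${{ matrix.compiler }}, ${{ matrix.token }}`. On the FIPS step itself: the "CentOS + gcc only" gate lives inside the shell, so the step reports success on every other matrix leg even though it ran nothing; expressing it as `if: matrix.compiler == 'gcc' && startsWith(matrix.name, 'centos')` makes the skip visible, and a comment should record that `OPENSSL_FORCE_FIPS_MODE=1` is provided by the Red Hat family downstream OpenSSL patches rather than upstream OpenSSL, which is the reason for the distribution restriction (the gcc-only restriction has no stated reason). Nothing asserts that FIPS mode actually took effect, so an OpenSSL build that ignores the variable would pass identically to the non-FIPS run; add a check such as `openssl list -providers` and fail unless the fips provider is reported active before running `meson test`. The double blank line before `build-macos:` is also one more than the rest of the file uses.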
Expand All @@ -133,8 +162,10 @@ jobs:
elif [ "${{ matrix.token }}" = "softhsm" ]; then
brew install softhsm
fi

- name: Checkout Repository
uses: actions/checkout@v4

- name: Setup
run: |
git config --global --add safe.directory \
Expand All @@ -144,12 +175,14 @@ jobs:
export PATH=$(brew --prefix openssl@3)/bin:$PATH

CC=clang meson setup builddir

- name: Build and Test
run: |
export PATH=$(brew --prefix openssl@3)/bin:$PATH

meson compile -j$(sysctl -n hw.ncpu || echo 2) -C builddir
meson test --num-processes 1 -C builddir

- uses: actions/upload-artifact@v4
if: failure()
with:
4 changes: 4 additions & 0 deletions .github/workflows/distcheck.yml
Expand Up @@ -42,20 +42,24 @@ jobs:
softhsm2 opensc p11-kit libp11-kit-dev p11-kit-modules \
gnutls-bin
fi

- name: Checkout Repository
uses: actions/checkout@v4

- name: Setup
run: |
git config --global --add safe.directory \
/__w/pkcs11-provider/pkcs11-provider
git submodule update --init
meson setup builddir

- name: Distcheck
run: |
git config --global --add safe.directory \
/__w/pkcs11-provider/pkcs11-provider
git ls-files meson.build
meson dist --no-tests -C builddir

- name: RPM Build
if: ${{ matrix.name == 'fedora' }}
run: |
3 changes: 3 additions & 0 deletions .github/workflows/kryoptic.yml
Expand Up @@ -71,14 +71,17 @@ jobs:
/__w/pkcs11-provider/pkcs11-provider
git submodule update --init
meson setup builddir

- name: Build
run:
meson compile -C builddir

- name: Test
env:
KRYOPTIC: ${{ steps.kryoptic_setup.outputs.KRYOPTIC }}
run:
meson test --num-processes 1 -C builddir

- uses: actions/upload-artifact@v4
if: failure()
with: