Report FIPS module failures through wolfssl_prov_is_running() #792
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: FIPS Ready Bundle Test | |
| # START OF COMMON SECTION | |
| on: | |
| push: | |
| branches: [ 'master', 'main', 'release/**' ] | |
| pull_request: | |
| branches: [ '*' ] | |
| types: [opened, synchronize, reopened, ready_for_review] | |
| paths-ignore: | |
| - '**.md' | |
| - 'docs/**' | |
| - 'LICENSE*' | |
| - '.github/ISSUE_TEMPLATE/**' | |
| - '.github/dependabot.yml' | |
| - '.gitignore' | |
| - 'AUTHORS' | |
| - 'COPYING' | |
| - 'README*' | |
| - 'CHANGELOG*' | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| # END OF COMMON SECTION | |
| jobs: | |
| discover_versions: | |
| if: github.event_name != 'pull_request' || github.event.pull_request.draft == false | |
| uses: ./.github/workflows/_discover-versions.yml | |
| fips_ready_test: | |
| needs: discover_versions | |
| if: github.event_name != 'pull_request' || github.event.pull_request.draft == false | |
| name: FIPS Ready Bundle Test | |
| runs-on: ubuntu-22.04 | |
| timeout-minutes: 20 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| wolfssl_bundle_ref: [ '5.8.2' ] | |
| openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_latest_ref_array) }} | |
| # force_fail collapsed into sequential runs in the test step | |
| steps: | |
| - name: Checkout wolfProvider | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 1 | |
| - name: Download FIPS Ready Bundle | |
| run: | | |
| # Download FIPS ready bundle from wolfSSL website | |
| BUNDLE_URL="https://www.wolfssl.com/wolfssl-${{matrix.wolfssl_bundle_ref}}-gplv3-fips-ready.zip" | |
| wget -O wolfssl-fips-ready.zip "$BUNDLE_URL" | |
| unzip wolfssl-fips-ready.zip | |
| # Find the extracted directory (build script requires directory, not zip) | |
| BUNDLE_DIR=$(find . -maxdepth 1 -type d -name "*fips-ready*" | head -n 1) | |
| if [ -z "$BUNDLE_DIR" ]; then | |
| echo "ERROR: Could not find FIPS ready bundle directory after extraction" | |
| ls -la | |
| exit 1 | |
| fi | |
| echo "FIPS_BUNDLE_PATH=$(pwd)/$BUNDLE_DIR" >> $GITHUB_ENV | |
| echo "Found FIPS bundle directory at: $BUNDLE_DIR" | |
| - name: Build wolfProvider with FIPS Ready Bundle | |
| run: | | |
| # WOLFPROV_FORCE_FIPS_FAILURE is an internal, test-only knob (no CLI | |
| # flag) that enables HAVE_FORCE_FIPS_FAILURE for the fips_status test. | |
| WOLFPROV_FORCE_FIPS_FAILURE=1 ./scripts/build-wolfprovider.sh \ | |
| --fips-bundle="$FIPS_BUNDLE_PATH" \ | |
| --fips-check=ready --wolfssl-ver=v${{matrix.wolfssl_bundle_ref}}-stable | |
| - name: Run FIPS Command Tests | |
| run: | | |
| # Run cmd tests to verify functionality | |
| export WOLFSSL_ISFIPS=1 | |
| source scripts/env-setup | |
| # --- normal mode --- | |
| ./scripts/cmd_test/do-cmd-tests.sh | |
| # --- force-fail mode --- | |
| WOLFPROV_FORCE_FAIL=1 ./scripts/cmd_test/do-cmd-tests.sh | |
| - name: Run FIPS Status Test | |
| run: | | |
| # Exercises the FIPS-status gate in wolfssl_prov_is_running(): | |
| export WOLFSSL_ISFIPS=1 | |
| source scripts/env-setup | |
| set -o pipefail | |
| ./test/standalone/tests/fips_status/run.sh 2>&1 | tee fips-status.log | |
| # The forced-failure branch must have actually run in this FIPS build; | |
| # fail if the test silently degraded to the healthy path only. | |
| grep -q "correctly rejected after FIPS failure" fips-status.log |