Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: improve fips mode coverage #4970

Closed
wants to merge 3 commits into from
Closed

ci: improve fips mode coverage #4970

wants to merge 3 commits into from

Conversation

lrstewart
Copy link
Contributor

@lrstewart lrstewart commented Dec 11, 2024

Release Summary:

Description of changes:

Improve fips mode coverage. Unit tests enable fips mode when S2N_TEST_IN_FIPS_MODE is defined: see code.

When testing an openssl version that supports fips, this change causes the unit tests to test both fips and non-fips modes. Alternatively, we could just always test fips mode. Since we also test versions of openssl that don't support fips, that arguably wouldn't lose much coverage (although the exact version tested will always be different due to fips lagging behind). I'm curious for other opinions on what testing is sufficient.

Testing:

Existing tests pass. If you examine the output of one of the openssl-1.0.2-fips builds, you can now see both normal and "+fips" versions of each unit test.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions github-actions bot added the s2n-core team label Dec 11, 2024
@lrstewart lrstewart marked this pull request as ready for review December 11, 2024 19:15
@lrstewart lrstewart requested a review from dougch as a code owner December 11, 2024 19:15
Comment on lines 567 to +568
foreach(test_case ${UNITTESTS_SRC})
foreach(fips_mode ${TEST_FIPS_MODES})
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know there's no indentation. I think it looks better than indentation. But I'm probably wrong xD

Copy link
Contributor

@jmayclin jmayclin Dec 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ehh, I'd vote for indentation. I agree that it looks ugly, but I think we need to be honest about ugly things we're doing, lol.

# FIPS mode is optional for Openssl and must be deliberately configured
if ("$ENV{S2N_LIBCRYPTO}" MATCHES "openssl" AND "$ENV{S2N_LIBCRYPTO}" MATCHES "fips")
set(TEST_FIPS_MODES true false)
message(STATUS "Building against $ENV{S2N_LIBCRYPTO}: will test FIPS modes")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice

# NAME_WE: name without extension
get_filename_component(test_case_name ${test_case} NAME_WE)

if(fips_mode)
set(test_case_name ${test_case_name}+fips)
set(target_compile_definitions(${test_case_name} PRIVATE S2N_TEST_IN_FIPS_MODE))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't figure out why this is wrapped in a set directive. Can we add a comment?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at the code, it looks like there is an ifdef in s2n_test.h, so I think this compile definition also needs to be added to the testlib.

Maybe it would be neater as a PUBLIC option on the testlib? But perhaps that's a bit too magical.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s2n_test.h actually gets compiled into the individual tests, not testlib. That's how test_count works.

Comment on lines 567 to +568
foreach(test_case ${UNITTESTS_SRC})
foreach(fips_mode ${TEST_FIPS_MODES})
Copy link
Contributor

@jmayclin jmayclin Dec 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ehh, I'd vote for indentation. I agree that it looks ugly, but I think we need to be honest about ugly things we're doing, lol.

CMakeLists.txt Show resolved Hide resolved
codebuild/spec/buildspec_sanitizer.yml Show resolved Hide resolved
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants