Issue:
We recently had to revert a commit after discovering it wasn't compatible with the latest release of AWS-LC-FIPS.
Description of changes:
- Add new CI check for AWS-LC-FIPS.
  - It checks out AWS-LC's `fips-2022-11-02` branch, which they cut official FIPS releases from.
    - We'll need to update this whenever they switch major development branches, but that's probably less than once per year.
  - It builds AWS-LC in FIPS mode
  - It sets the new `$AWS_TEST_FIPS` env-var
- Add special `aws_cal_library_test_init()` function, which...
  - If `$AWS_TEST_FIPS` env-var is set, call libcrypto's `FIPS_mode_set(1)`...
  - ... then call the normal `aws_cal_library_init()`
- Make sure every single test calls `aws_cal_library_test_init()`.
  - Previously, a lot of tests weren't doing any library init
Yes, it would be better if I came up with some way for us to test FIPS in aws-c-io, aws-c-http, etc. But this is what I could throw together late one Friday afternoon.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.