diff --git a/CMakeLists.txt b/CMakeLists.txt
index b5444450..670e836b 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -37,7 +37,6 @@ find_package(Threads REQUIRED)
 set(BUILD_CLASSPATH "" CACHE STRING "Classpath to JARs to be included at build time")
 set(TEST_CLASSPATH "" CACHE STRING "Classpath to be included at test build and test execution time")
 set(SIGNED_JAR "" CACHE STRING "Path to a pre-signed JAR file, to be used instead of compiling the java source")
-set(DIEHARDER_EXECUTABLE "dieharder" CACHE STRING "Path to the dieharder executable")
 set(ENABLE_NATIVE_TEST_HOOKS NO CACHE BOOL "Enable debugging hooks in the RNG. Disable for production use.")
 set(TEST_DATA_DIR ${PROJECT_SOURCE_DIR}/test-data/ CACHE STRING "Path to directory containing test data")
 set(ORIG_SRCROOT ${PROJECT_SOURCE_DIR} CACHE STRING "Path to root of original package")
@@ -803,65 +802,6 @@ add_custom_target(check-integration set_target_properties(check-integration PROPERTIES EXCLUDE_FROM_ALL 1) -if (CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64") - -add_custom_target(run-dieharder-libcrypto-rng - COMMAND ${TEST_JAVA_EXECUTABLE} -cp $:$:${TEST_CLASSPATH} - ${EXTERNAL_LIB_PROPERTY} - ${REGISTER_RNG_PROPERTY} - com.amazon.corretto.crypto.provider.test.SecureRandomGenerator 'LibCryptoRng' 8192 1 | - ${DIEHARDER_EXECUTABLE} -a -g 200 -Y 1 -k 2 | - tee dieharder-results-libcrypto-rng.txt - - DEPENDS accp-jar tests-jar) - -add_custom_target(run-dieharder-libcrypto-rng-tail - COMMAND ${TEST_JAVA_EXECUTABLE} -cp $:$:${TEST_CLASSPATH} - ${EXTERNAL_LIB_PROPERTY} - ${REGISTER_RNG_PROPERTY} - com.amazon.corretto.crypto.provider.test.SecureRandomGenerator 'LibCryptoRng' 31 1 | - ${DIEHARDER_EXECUTABLE} -d 15 -g 200 -Y 1 -k 2 | - tee dieharder-results-libcrypto-rng-tail.txt - - DEPENDS accp-jar tests-jar) - -add_custom_target(run-dieharder-libcrypto-rng-threads - COMMAND ${TEST_JAVA_EXECUTABLE} -cp $:$:${TEST_CLASSPATH} - ${EXTERNAL_LIB_PROPERTY} - ${REGISTER_RNG_PROPERTY} - com.amazon.corretto.crypto.provider.test.SecureRandomGenerator 'LibCryptoRng' 128 4 | - ${DIEHARDER_EXECUTABLE} -a -g 200 -Y 1 -k 2 | - tee dieharder-results-libcrypto-rng-threads.txt - - DEPENDS accp-jar tests-jar) - -add_custom_target(run-dieharder-libcrypto-rng-threads-tail - COMMAND ${TEST_JAVA_EXECUTABLE} -cp $:$:${TEST_CLASSPATH} - ${EXTERNAL_LIB_PROPERTY} - ${REGISTER_RNG_PROPERTY} - com.amazon.corretto.crypto.provider.test.SecureRandomGenerator 'LibCryptoRng' 31 4 | - ${DIEHARDER_EXECUTABLE} -d 15 -g 200 -Y 1 -k 2 | - tee dieharder-results-libcrypto-rng-threads-tail.txt - - DEPENDS accp-jar tests-jar) - - add_custom_target(check-dieharder - COMMAND ! grep -l FAIL dieharder-results-libcrypto-rng.txt - COMMAND grep PASSED dieharder-results-libcrypto-rng.txt - COMMAND ! 
grep -l FAIL dieharder-results-libcrypto-rng-tail.txt - COMMAND grep PASSED dieharder-results-libcrypto-rng-tail.txt - - DEPENDS run-dieharder-libcrypto-rng run-dieharder-libcrypto-rng-tail) - -add_custom_target(check-dieharder-threads - COMMAND ! grep -l FAIL dieharder-results-libcrypto-rng-threads.txt - COMMAND grep PASSED dieharder-results-libcrypto-rng-threads.txt - COMMAND ! grep -l FAIL dieharder-results-libcrypto-rng-threads-tail.txt - COMMAND grep PASSED dieharder-results-libcrypto-rng-threads-tail.txt - - DEPENDS run-dieharder-libcrypto-rng-threads run-dieharder-libcrypto-rng-threads-tail) -endif() # End of Dieharder targets - # Add a target to assert that the libaccp shared object's rpath meets 2 conditions: # 1. rpath contains only a single entry # 2. that entry is set to $ORIGIN on linux or @loader_path on mac diff --git a/Dockerfile.dev b/Dockerfile.dev index 4829fd93..b97bd43d 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev @@ -26,7 +26,6 @@ RUN echo 'export JAVA_HOME=/usr/lib/jvm/java-11-amazon-corretto/' >> /home/.bash # required dependencies for building/testing RUN apt-get install -y build-essential \ cmake \ - dieharder \ lcov \ python3-pip diff --git a/README.md b/README.md index 421c862a..d6463871 100644 --- a/README.md +++ b/README.md 
@@ -7,18 +7,11 @@ As of 2.0.0, algorithms exposed by ACCP are primarily backed by [AWS-LC](https:/ [Security issue notifications](./CONTRIBUTING.md#security-issue-notifications) ## Build Status -Please be aware that both "Overkill" and "Dieharder" tests are known to be flakey. -Both of these tests are flakey because they include entropy generation tests -(specificaly, the [Dieharder tests](http://webhome.phy.duke.edu/~rgb/General/dieharder.php)). -Entropy tests are unavoidably flakey because there is always a possibility that a high-quality -random number generator will output data which looks non-random. -(For example, even a fair coin will come up heads ten times in a row about one in a thousand trials.) | Build Name | `main` branch | | ---------- |---------------| | Linux x86_64 | ![](https://codebuild.us-west-2.amazonaws.com/badges?uuid=eyJlbmNyeXB0ZWREYXRhIjoiRW4zZUhmeHlJbHRVQnNBZGZEbVJUa0pOK0J0MmtnNVB2dVZZSWhLbUtaNWYxNG96WWg4emN1SjJKL3VSUk9obFl0MnBtajBxejlVWDFiR3ppZGd3U1lrPSIsIml2UGFyYW1ldGVyU3BlYyI6IkFsUkpiMDRkRjZQb1U3Ly8iLCJtYXRlcmlhbFNldFNlcmlhbCI6MX0%3D&branch=main) | | Linux aarch64 | ![](https://codebuild.us-west-2.amazonaws.com/badges?uuid=eyJlbmNyeXB0ZWREYXRhIjoiMEVNSXhZYmdEOWFrcE1HdE9nQmdwVlZFZXRYVnloc05TMXhoZ0tTVUQ1ZlMzeWRrZTArSUxUdzY2RVJRbUtXak5zU2ZCamJBS3JxUEFxZFJ2ZVNkcGVNPSIsIml2UGFyYW1ldGVyU3BlYyI6Ii80UEZpYWc2RjJZLzZDQ0wiLCJtYXRlcmlhbFNldFNlcmlhbCI6MX0%3D&branch=main) | -| Overkill/Dieharder | ![](https://codebuild.us-west-2.amazonaws.com/badges?uuid=eyJlbmNyeXB0ZWREYXRhIjoiRU14ZXM3ZkE4TGduVGV6dkxxWitxbkk3Ump2TnF3elkvYVRzcnkwQ3l4czl1OGRkc3NWblQ2Q0hxQkM2OWJ4VGdmL0x0Y01WYVVkWTdKYXNvbUpvS01VPSIsIml2UGFyYW1ldGVyU3BlYyI6Ilk3Y1NzbGNEZXZXY05CN2IiLCJtYXRlcmlhbFNldFNlcmlhbCI6MX0%3D&branch=main) | ## Supported Algorithms MessageDigest algorithms: 
@@ -197,7 +190,6 @@ Building this provider requires a 64 bit Linux or MacOS build system with the fo * C++ build chain * [lcov](http://ltp.sourceforge.net/coverage/lcov.php) for coverage metrics * [gcovr](https://gcovr.com/en/stable/) for reporting coverage metrics in CodeBuild -* [dieharder](http://webhome.phy.duke.edu/~rgb/General/dieharder.php) for entropy tests 1. Download the repository via `git clone --recurse-submodules` 2. Run `./gradlew release` @@ -223,9 +215,6 @@ When changing between FIPS and non-FIPS builds, be sure to do a full `clean` of * test_extra_checks: Run unit tests with extra (slow) cryptographic checks enabled * test_integration: Run integration tests * test_integration_extra_checks: Run integration tests with extra (slow) cryptographic checks enabled -* dieharder: Run entropy tests -* dieharder_threads: Run entropy threads specifically checking for leaking state across threads (very slow) -* dieharder_all: Run all dieharder checks (both dieharder and dieharder_threads) * coverage: Run target `test` and collect both Java and C++ coverage metrics (saved in `build/reports`) * release: **Default target** depends on build, test, and coverage * overkill: Run **all** tests (no coverage) diff --git a/build.gradle b/build.gradle index a2d2cd67..9a462254 100644 --- a/build.gradle +++ b/build.gradle @@ -443,22 +443,6 @@ task test_integration_extra_checks(type: Exec) { commandLine 'make', 'check-integration-extra-checks' } -task dieharder(type: Exec) { - dependsOn executeCmake - workingDir "${buildDir}/cmake" - commandLine 'make', 'check-dieharder' -} - -task dieharder_threads(type: Exec) { - dependsOn executeCmake - workingDir "${buildDir}/cmake" - commandLine 'make', 'check-dieharder-threads' -} - -task dieharder_all { - dependsOn dieharder, dieharder_threads -} - task coverage_clean(type: Delete) { delete fileTree("${buildDir}/cmake-coverage") { include '**/*.gcda' 
@@ -565,7 +549,7 @@ task release { } task overkill { - dependsOn test, test_extra_checks, test_integration, test_integration_extra_checks, dieharder_all + dependsOn test, test_extra_checks, test_integration, test_integration_extra_checks } task fakePublish { diff --git a/tests/ci/README.md b/tests/ci/README.md index c29e7f20..48bc2d75 100644 --- a/tests/ci/README.md +++ b/tests/ci/README.md @@ -52,13 +52,12 @@ CodeBuild|gcc 7|corretto 17|aarch|Ubuntu 20.04|FIPS/non-FIPS (macOS CI dimension is currently disabled, go to the Actions tab in the main repo to enable it when its ready.) -### Dieharder & Overkill tests +### Overkill tests Runs tests for: * test_extra_checks * test_integration_extra_checks -* dieharder_threads CI Tool|C Compiler|Java Compiler|CPU platform|OS|Dimensions ------------ | -------------| -------------| -------------|-------------|------------- CodeBuild|gcc 7|corretto 11|x86-64|Ubuntu 20.04|both FIPS/non-FIPS -CodeBuild|gcc 7|corretto 11|aarch|Ubuntu 20.04|both FIPS/non-FIPS, no dieharder +CodeBuild|gcc 7|corretto 11|aarch|Ubuntu 20.04|both FIPS/non-FIPS diff --git a/tests/ci/cdk/app.py b/tests/ci/cdk/app.py index 9fa66ab1..fd1f3011 100644 --- a/tests/ci/cdk/app.py +++ b/tests/ci/cdk/app.py @@ -33,8 +33,6 @@ ACCPGitHubCIStack(app, "accp-ci-pr-integration-linux-x86", LINUX_ECR_REPO, x86_build_spec_file, env=env) arm_build_spec_file = "./cdk/codebuild/pr_integration_linux_arm_omnibus.yaml" ACCPGitHubCIStack(app, "accp-ci-pr-integration-linux-arm", LINUX_ECR_REPO, arm_build_spec_file, env=env) -extra_build_spec_file = "./cdk/codebuild/dieharder_overkill_omnibus.yaml" -ACCPGitHubCIStack(app, "accp-ci-overkill-dieharder", LINUX_ECR_REPO, extra_build_spec_file, env=env) # TODO: Renable the code below when ACCP adds support for Windows. # Issue: https://github.com/corretto/amazon-corretto-crypto-provider/issues/48 
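Review bot: With `dieharder_all` dropped from the new `dependsOn` line, `overkill` no longer runs any check on RNG output, and nothing in the visible diff replaces the `dieharder_threads` run that the README described as checking for state leaking across threads. A short comment above the task would record that, e.g. `// dieharder entropy tests were removed; this target does not check RNG output quality`. The same commit deletes `tests/ci/run_accp_overkill.sh` and the `accp-ci-overkill-dieharder` stack in `tests/ci/cdk/app.py`, so this task appears to have no remaining CI caller, while the new side of `tests/ci/README.md` still documents an "Overkill tests" CodeBuild dimension. The `run_accp_overkill.yml` and `run_accp_overkill_fips.yml` buildspecs are not removed in the lines shown and presumably still invoke the deleted script; they should be removed or repointed in this change.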
diff --git a/tests/ci/cdk/cdk/codebuild/dieharder_overkill_omnibus.yaml b/tests/ci/cdk/cdk/codebuild/dieharder_overkill_omnibus.yaml
deleted file mode 100644
index 8bc062fd..00000000
--- a/tests/ci/cdk/cdk/codebuild/dieharder_overkill_omnibus.yaml
+++ /dev/null
@@ -1,65 +0,0 @@ -# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -# SPDX-License-Identifier: Apache-2.0 - -version: 0.2 - -# Doc for batch https://docs.aws.amazon.com/codebuild/latest/userguide/batch-build-buildspec.html#build-spec.batch.build-list -batch: - build-list: - - identifier: ubuntu2004_gcc7x_corretto_dieharder_x86 - buildspec: ./tests/ci/codebuild/run_accp_dieharder.yml - env: - type: LINUX_CONTAINER - privileged-mode: false - compute-type: BUILD_GENERAL1_LARGE - image: ECR_REPO_PLACEHOLDER:ubuntu-20.04_gcc-7x_corretto_x86_latest - - - identifier: ubuntu2004_gcc7x_corretto_overkill_x86 - buildspec: ./tests/ci/codebuild/run_accp_overkill.yml - env: - type: LINUX_CONTAINER - privileged-mode: false - compute-type: BUILD_GENERAL1_LARGE - image: ECR_REPO_PLACEHOLDER:ubuntu-20.04_gcc-7x_corretto_x86_latest - - # Dieharder tests are not supported on ARM for now. - # - identifier: ubuntu2004_gcc7x_corretto_dieharder_arm - # buildspec: ./tests/ci/codebuild/run_accp_dieharder.yml - # env: - # type: ARM_CONTAINER - # privileged-mode: false - # compute-type: BUILD_GENERAL1_LARGE - # image: ECR_REPO_PLACEHOLDER:ubuntu-20.04_gcc-7x_corretto_arm_latest - - - identifier: ubuntu2004_gcc7x_corretto_overkill_arm - buildspec: ./tests/ci/codebuild/run_accp_overkill.yml - env: - type: ARM_CONTAINER - privileged-mode: false - compute-type: BUILD_GENERAL1_LARGE - image: ECR_REPO_PLACEHOLDER:ubuntu-20.04_gcc-7x_corretto_arm_latest - - # ACCP FIPS dimensions. 
- - identifier: ubuntu2004_gcc7x_corretto_dieharder_x86_fips - buildspec: ./tests/ci/codebuild/run_accp_dieharder_fips.yml - env: - type: LINUX_CONTAINER - privileged-mode: false - compute-type: BUILD_GENERAL1_LARGE - image: ECR_REPO_PLACEHOLDER:ubuntu-20.04_gcc-7x_corretto_x86_latest - - - identifier: ubuntu2004_gcc7x_corretto_overkill_x86_fips - buildspec: ./tests/ci/codebuild/run_accp_overkill_fips.yml - env: - type: LINUX_CONTAINER - privileged-mode: false - compute-type: BUILD_GENERAL1_LARGE - image: ECR_REPO_PLACEHOLDER:ubuntu-20.04_gcc-7x_corretto_x86_latest - - - identifier: ubuntu2004_gcc7x_corretto_overkill_arm_fips - buildspec: ./tests/ci/codebuild/run_accp_overkill_fips.yml - env: - type: ARM_CONTAINER - privileged-mode: false - compute-type: BUILD_GENERAL1_LARGE - image: ECR_REPO_PLACEHOLDER:ubuntu-20.04_gcc-7x_corretto_arm_latest diff --git a/tests/ci/codebuild/release/al2_aarch64_test.yml b/tests/ci/codebuild/release/al2_aarch64_test.yml deleted file mode 100644 index b56cb8ac..00000000 --- a/tests/ci/codebuild/release/al2_aarch64_test.yml +++ /dev/null 
@@ -1,54 +0,0 @@ -# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -# SPDX-License-Identifier: Apache-2.0 - -version: 0.2 - -env: - variables: - GO_TAG: go1.18.3 -phases: - # TODO: Everything in the install section should be moved into a prebuilt image - install: - runtime-versions: - java: corretto11 - commands: - - yum -y update - - yum -y group install 'Development Tools' - - yum -y install cmake3 - - yum -y install gsl-devel wget - - mkdir go_tmp - - cd go_tmp - - wget https://dl.google.com/go/$GO_TAG.linux-arm64.tar.gz - - tar -xvf $GO_TAG.linux-arm64.tar.gz - - mv go ../go_root - - cd .. - build: - commands: - # TODO: Move this to the docker image also - - export GOROOT=$(pwd)/go_root - - export GO111MODULE=on - - export PATH=$GOROOT/bin:$PATH - # TODO: Can we move the recursive pull logic upstream? - - git submodule update --init --recursive - - pwd - - ls - # TODO: Do we want to reintroduce dieharder for some configurations? - - ./gradlew -DFIPS=${FIPS} -DstagingProperties=true test test_extra_checks test_integration test_integration_extra_checks - - ./gradlew -DFIPS=${FIPS} -DTEST_JAVA_HOME=$JAVA_8_HOME -DTEST_JAVA_MAJOR_VERSION=8 -DstagingProperties=true minimal_clean test test_extra_checks test_integration test_integration_extra_checks -artifacts: - files: - - 'lib/**/*' - discard-paths: no - base-directory: 'build' - name: $(date --iso-8601=s) -reports: - unit-tests: - files: - - 'build/reports/unit-tests/**' - discard-paths: yes - file-format: JunitXml - integration-tests: - files: - - 'build/reports/integration-tests/**' - discard-paths: yes - file-format: JunitXml diff --git a/tests/ci/codebuild/release/al2_x64_test.yml b/tests/ci/codebuild/release/al2_x64_test.yml deleted file mode 100644 index 805d0603..00000000 --- a/tests/ci/codebuild/release/al2_x64_test.yml +++ /dev/null 
@@ -1,56 +0,0 @@ -# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -# SPDX-License-Identifier: Apache-2.0 - -version: 0.2 - -env: - variables: - GO_TAG: go1.18.3 -phases: - # TODO: Everything in the install section should be moved into a prebuilt image - install: - runtime-versions: - java: corretto11 - commands: - - yum -y update - - yum -y group install 'Development Tools' - - curl -L -O https://downloads.sourceforge.net/ltp/lcov-1.14-1.noarch.rpm - - yum -y install cmake3 - - yum -y install gsl-devel wget - - mkdir go_tmp - - cd go_tmp - - wget https://dl.google.com/go/$GO_TAG.linux-amd64.tar.gz - - tar -xvf $GO_TAG.linux-amd64.tar.gz - - mv go ../go_root - - cd .. - build: - commands: - # TODO: Move this to the docker image also - - export GOROOT=$(pwd)/go_root - - export GO111MODULE=on - - export PATH=$GOROOT/bin:$PATH - # TODO: Can we move the recursive pull logic upstream? - - git submodule update --init --recursive - - pwd - - find ${CODEBUILD_SRC_DIR_Stage_FIPS} -follow - - find ${CODEBUILD_SRC_DIR_Stage} -follow - # TODO: Do we want to reintroduce dieharder for some configurations? - - ./gradlew -DFIPS=${FIPS} -DTEST_JAVA_HOME=$JAVA_8_HOME -DTEST_JAVA_MAJOR_VERSION=8 -DstagingProperties=true test test_extra_checks test_integration test_integration_extra_checks - - ./gradlew -DFIPS=${FIPS} -DstagingProperties=true minimal_clean test test_extra_checks test_integration test_integration_extra_checks -artifacts: - files: - - 'lib/**/*' - discard-paths: no - base-directory: 'build' - name: $(date --iso-8601=s) -reports: - unit-tests: - files: - - 'build/reports/unit-tests/**' - discard-paths: yes - file-format: JunitXml - integration-tests: - files: - - 'build/reports/integration-tests/**' - discard-paths: yes - file-format: JunitXml diff --git a/tests/ci/codebuild/release/linux_aarch64_build.yml b/tests/ci/codebuild/release/linux_aarch64_build.yml deleted file mode 100644 index 3d6b3af7..00000000 
--- a/tests/ci/codebuild/release/linux_aarch64_build.yml +++ /dev/null @@ -1,54 +0,0 @@ -# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -# SPDX-License-Identifier: Apache-2.0 - -version: 0.2 - -env: - variables: - GO_TAG: go1.18.3 -phases: - # TODO: Everything in the install section should be moved into a prebuilt image - install: - runtime-versions: - java: corretto11 - commands: - - yum -y update - - yum -y group install 'Development Tools' - - curl -L -O https://downloads.sourceforge.net/ltp/lcov-1.14-1.noarch.rpm - - yum -y install cmake3 - - yum -y install gsl-devel wget - - mkdir go_tmp - - cd go_tmp - - wget https://dl.google.com/go/$GO_TAG.linux-arm64.tar.gz - - tar -xf $GO_TAG.linux-arm64.tar.gz - - mv go ../go_root - - cd .. - build: - commands: - # TODO: Move this to the docker image also - - export GOROOT=$(pwd)/go_root - - export GO111MODULE=on - - export PATH=$GOROOT/bin:$PATH - # TODO: Can we move the recursive pull logic upstream? - - git submodule update --init --recursive - - pwd - - ls - # Todo: Readd coverage for slower build but higher test coverage - - ./gradlew -DFIPS=${FIPS} build src_jar javadoc test test_integration -artifacts: - files: - - 'lib/**/*' - discard-paths: no - base-directory: 'build' - name: $(date --iso-8601=s) -reports: - unit-tests: - files: - - 'build/reports/unit-tests/**' - discard-paths: yes - file-format: JunitXml - integration-tests: - files: - - 'build/reports/integration-tests/**' - discard-paths: yes - file-format: JunitXml diff --git a/tests/ci/codebuild/release/linux_x64_build.yml b/tests/ci/codebuild/release/linux_x64_build.yml deleted file mode 100644 index 453905f7..00000000 --- a/tests/ci/codebuild/release/linux_x64_build.yml +++ /dev/null 
@@ -1,54 +0,0 @@ -# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -# SPDX-License-Identifier: Apache-2.0 - -version: 0.2 - -env: - variables: - GO_TAG: go1.18.3 -phases: - # TODO: Everything in the install section should be moved into a prebuilt image - install: - runtime-versions: - java: corretto11 - commands: - - yum -y update - - yum -y group install 'Development Tools' - - curl -L -O https://downloads.sourceforge.net/ltp/lcov-1.14-1.noarch.rpm - - yum -y install cmake3 - - yum -y install gsl-devel wget - - mkdir go_tmp - - cd go_tmp - - wget https://dl.google.com/go/$GO_TAG.linux-amd64.tar.gz - - tar -xf $GO_TAG.linux-amd64.tar.gz - - mv go ../go_root - - cd .. - build: - commands: - # TODO: Move this to the docker image also - - export GOROOT=$(pwd)/go_root - - export GO111MODULE=on - - export PATH=$GOROOT/bin:$PATH - # TODO: Can we move the recursive pull logic upstream? - - git submodule update --init --recursive - - pwd - - ls - # Todo: Readd coverage for slower build but higher test coverage - - ./gradlew -DFIPS=${FIPS} build src_jar javadoc test test_integration -artifacts: - files: - - 'lib/**/*' - discard-paths: no - base-directory: 'build' - name: $(date --iso-8601=s) -reports: - unit-tests: - files: - - 'build/reports/unit-tests/**' - discard-paths: yes - file-format: JunitXml - integration-tests: - files: - - 'build/reports/integration-tests/**' - discard-paths: yes - file-format: JunitXml diff --git a/tests/ci/codebuild/release/release.yml b/tests/ci/codebuild/release/release.yml deleted file mode 100644 index a82df9ed..00000000 --- a/tests/ci/codebuild/release/release.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -# SPDX-License-Identifier: Apache-2.0 - -version: 0.2 - -env: - variables: - GO_TAG: go1.18.3 -phases: - # TODO: Everything in the install section should be moved into a prebuilt image - install: - runtime-versions: - java: corretto11 - commands: - - yum -y update - - yum -y group install 'Development Tools' - - curl -L -O https://downloads.sourceforge.net/ltp/lcov-1.14-1.noarch.rpm - - yum -y install cmake3 - - yum -y install gsl-devel wget - - mkdir go_tmp - - cd go_tmp - - wget https://dl.google.com/go/$GO_TAG.linux-amd64.tar.gz - - tar -xf $GO_TAG.linux-amd64.tar.gz - - mv go ../go_root - - cd .. - build: - commands: - # TODO: Move this to the docker image also - - export GOROOT=$(pwd)/go_root - - export GO111MODULE=on - - export PATH=$GOROOT/bin:$PATH - # TODO: Can we move the recursive pull logic upstream? - - git submodule update --init --recursive - - pwd - - ls - # TODO: Uncomment next line to actually release - # - ./gradlew -DFIPS=${FIPS} -DstagingProperties=true releaseSonatypeStagingRepository - # This next no-op task is just a place holder so that we can execute this file safely without releasing - - ./gradlew -DFIPS=${FIPS} -DstagingProperties=true tasks diff --git a/tests/ci/codebuild/release/stage.yml b/tests/ci/codebuild/release/stage.yml deleted file mode 100644 index cd200f74..00000000 --- a/tests/ci/codebuild/release/stage.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -# SPDX-License-Identifier: Apache-2.0 - -version: 0.2 - -env: - variables: - GO_TAG: go1.18.3 -phases: - # TODO: Everything in the install section should be moved into a prebuilt image - install: - runtime-versions: - java: corretto11 - python: 3.9 - commands: - build: - commands: - # TODO: Sign jars here - # TODO: Uncomment the following lines once configured - - pip install awscli aws-encryption-sdk-cli - # Debugging only - - aws sts get-caller-identity - # Retrieve encrypted configuration from S3 - - aws s3 cp s3://${CONFIG_PREFIX}/${JKS_FILENAME}.enc $HOME/${JKS_FILENAME}.enc - - aws s3 cp s3://${CONFIG_PREFIX}/${GPG_FILENAME}.enc $HOME/${GPG_FILENAME}.enc - - aws s3 cp s3://${CONFIG_PREFIX}/${PROPERTIES_FILENAME}.enc $HOME/${PROPERTIES_FILENAME}.enc - # Decrypt configuration - - mkdir -p $HOME/.gradle - - aws-encryption-cli --decrypt -S --wrapping-keys key=${KMS_ARN} --commitment-policy require-encrypt-allow-decrypt -i $HOME/${JKS_FILENAME}.enc -o $HOME/.gradle/${JKS_FILENAME} --encryption-context filename=${JKS_FILENAME} - - aws-encryption-cli --decrypt -S --wrapping-keys key=${KMS_ARN} --commitment-policy require-encrypt-allow-decrypt -i $HOME/${GPG_FILENAME}.enc -o $HOME/${GPG_FILENAME} --encryption-context filename=${GPG_FILENAME} - - aws-encryption-cli --decrypt -S --wrapping-keys key=${KMS_ARN} --commitment-policy require-encrypt-allow-decrypt -i $HOME/${PROPERTIES_FILENAME}.enc -o $HOME/.gradle/gradle.properties --encryption-context filename=${PROPERTIES_FILENAME} - - tar -xzvpf $HOME/${GPG_FILENAME} - # Next two lines are for debugging only. They can be removed but are helpful. - - ./gradlew --info -DFIPS=${FIPS} fakePublish - - find build/fake_maven/ - - ./gradlew --info -DFIPS=${FIPS} fakePublish publishToSonatype closeSonatypeStagingRepository -artifacts: - files: - - 'fake_maven/**/*' - base-directory: 'build' - discard-paths: no - name: $(date --iso-8601=s) 
diff --git a/tests/ci/codebuild/run_accp_dieharder.yml b/tests/ci/codebuild/run_accp_dieharder.yml
deleted file mode 100644
index 4120176e..00000000
--- a/tests/ci/codebuild/run_accp_dieharder.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-# SPDX-License-Identifier: Apache-2.0
-
-version: 0.2
-
-phases:
- build:
- commands:
- - ./tests/ci/run_accp_dieharder.sh
diff --git a/tests/ci/codebuild/run_accp_dieharder_fips.yml b/tests/ci/codebuild/run_accp_dieharder_fips.yml
deleted file mode 100644
index d02dbfe8..00000000
--- a/tests/ci/codebuild/run_accp_dieharder_fips.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-# SPDX-License-Identifier: Apache-2.0
-
-version: 0.2
-
-phases:
- build:
- commands:
- - ./tests/ci/run_accp_dieharder.sh --fips
diff --git a/tests/ci/docker_images/linux-arm/ubuntu-20.04_accp_base/Dockerfile b/tests/ci/docker_images/linux-arm/ubuntu-20.04_accp_base/Dockerfile
index a7ec0b0d..d49aebfa 100644
--- a/tests/ci/docker_images/linux-arm/ubuntu-20.04_accp_base/Dockerfile
+++ b/tests/ci/docker_images/linux-arm/ubuntu-20.04_accp_base/Dockerfile
@@ -14,7 +14,6 @@ RUN apt-get install -y curl
 RUN apt-get install -y gnupg
 RUN apt-get install -y build-essential
 RUN apt-get install -y cmake
-RUN apt-get install -y dieharder
 RUN apt-get install -y lcov
 RUN apt-get install -y wget
 RUN apt-get install -y clang-format
diff --git a/tests/ci/docker_images/linux-x86/ubuntu-20.04_accp_base/Dockerfile b/tests/ci/docker_images/linux-x86/ubuntu-20.04_accp_base/Dockerfile
index c3129f80..297496e0 100644
--- a/tests/ci/docker_images/linux-x86/ubuntu-20.04_accp_base/Dockerfile
+++ b/tests/ci/docker_images/linux-x86/ubuntu-20.04_accp_base/Dockerfile
@@ -14,7 +14,6 @@ RUN apt-get install -y curl
 RUN apt-get install -y gnupg
 RUN apt-get install -y build-essential
 RUN apt-get install -y cmake
-RUN apt-get install -y dieharder
 RUN apt-get install -y lcov
 RUN apt-get install -y wget
 RUN apt-get install -y clang-format
diff --git a/tests/ci/run_accp_dieharder.sh b/tests/ci/run_accp_dieharder.sh
deleted file mode 100755
index 08afd426..00000000
--- a/tests/ci/run_accp_dieharder.sh
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/bash
-set -exo pipefail
-# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-# SPDX-License-Identifier: Apache-2.0
-
-# Testing non-FIPS is the default.
-testing_fips=false
-while [[ $# -gt 0 ]]; do
- case ${1} in
- --fips)
- testing_fips=true
- ;;
- *)
- echo "${1} is not supported."
- exit 1
- ;;
- esac
- # Check next option -- key/value.
- shift
-done
-
-echo "Testing ACCP dieharder tests."
-./gradlew -DFIPS=$testing_fips dieharder
diff --git a/tests/ci/run_accp_overkill.sh b/tests/ci/run_accp_overkill.sh
deleted file mode 100755
index 2c760d88..00000000
--- a/tests/ci/run_accp_overkill.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/bash
-set -exo pipefail
-# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-# SPDX-License-Identifier: Apache-2.0
-
-# Testing non-FIPS is the default.
-testing_fips=false
-while [[ $# -gt 0 ]]; do
- case ${1} in
- --fips)
- testing_fips=true
- ;;
- *)
- echo "${1} is not supported."
- exit 1
- ;;
- esac
- # Check next option -- key/value.
- shift
-done
-
-echo "Testing ACCP overkill tests."
-
-# dieharder_threads are not supported on ARM for now.
-if [[ ("$(uname -p)" == 'aarch64'*) || ("$(uname -p)" == 'arm'*) ]]; then
- ./gradlew -DFIPS=$testing_fips test_extra_checks test_integration_extra_checks
-else
- ./gradlew -DFIPS=$testing_fips test_extra_checks test_integration_extra_checks dieharder_threads
-fi
diff --git a/tst/com/amazon/corretto/crypto/provider/test/SecureRandomGenerator.java b/tst/com/amazon/corretto/crypto/provider/test/SecureRandomGenerator.java
deleted file mode 100644
index 0939db47..00000000
--- a/tst/com/amazon/corretto/crypto/provider/test/SecureRandomGenerator.java
+++ /dev/null
@@ -1,133 +0,0 @@ -// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 -package com.amazon.corretto.crypto.provider.test; - -import com.amazon.corretto.crypto.provider.AmazonCorrettoCryptoProvider; -import java.io.IOException; -import java.security.GeneralSecurityException; -import java.security.Provider; -import java.security.Provider.Service; -import java.security.SecureRandom; -import java.security.Security; -import java.util.concurrent.ArrayBlockingQueue; -import java.util.concurrent.CountDownLatch; -import java.util.function.Consumer; -import java.util.function.Function; - -@SuppressWarnings("overloads") -public class SecureRandomGenerator { - public static void main(final String[] args) throws GeneralSecurityException, IOException { - AmazonCorrettoCryptoProvider.install(); - if (args.length < 3) { - printUsage(); - return; - } - boolean useSeed = false; - if (args.length > 3) { - if ("--seed".equals(args[3])) { - System.err.println("Using generateSeed()"); - useSeed = true; - } else { - printUsage(); - return; - } - } - final String algorithm = args[0]; - final int chunkSize = Integer.parseInt(args[1]); - final int threads = Integer.parseInt(args[2]); - - final ArrayBlockingQueue queue = new ArrayBlockingQueue<>(threads * 4); - final ThrowingSupplier coreGetRandom; - - final SecureRandom rnd = SecureRandom.getInstance(algorithm); - if (useSeed) { - coreGetRandom = () -> rnd.generateSeed(chunkSize); - } else { - coreGetRandom = convert((Consumer) rnd::nextBytes, chunkSize); - } - - final ThrowingSupplier getRandom; - if (threads == 1) { - getRandom = coreGetRandom; - } else { - CountDownLatch latch = new CountDownLatch(threads); - for (int t = 0; t < threads; t++) { - SupplierThread st = new SupplierThread(coreGetRandom, queue, latch); - st.setDaemon(true); - st.setName("SecureRandom-" + t); - st.start(); - } - getRandom = queue::take; - } - - while (!System.out.checkError()) { - try { - 
System.out.write(getRandom.get()); - } catch (final InterruptedException ex) { - // Ignore this - } - } - } - - private static void printUsage() { - System.out.println("CMD [--seed]"); - System.out.println(); - System.out.println("Algorithms:"); - for (final Provider p : Security.getProviders()) { - for (final Service s : p.getServices()) { - if (s.getType().equals("SecureRandom")) { - System.out.println(s.getAlgorithm()); - } - } - } - } - - private static ThrowingSupplier convert(Function delegate, int size) { - return () -> { - final byte[] buffer = new byte[size]; - if (!delegate.apply(buffer)) { - throw new RuntimeException("Call to delegate failed"); - } - return buffer; - }; - } - - private static ThrowingSupplier convert(Consumer delegate, final int size) { - return () -> { - final byte[] buffer = new byte[size]; - delegate.accept(buffer); - return buffer; - }; - } - - @FunctionalInterface - private interface ThrowingSupplier { - byte[] get() throws InterruptedException; - } - - private static final class SupplierThread extends Thread { - private final ThrowingSupplier supplier; - private final CountDownLatch latch; - private final ArrayBlockingQueue queue; - - public SupplierThread( - ThrowingSupplier supplier, ArrayBlockingQueue queue, CountDownLatch latch) { - this.supplier = supplier; - this.queue = queue; - this.latch = latch; - } - - @Override - public void run() { - try { - latch.countDown(); - latch.await(); - while (true) { - queue.put(supplier.get()); - } - } catch (InterruptedException e) { - throw new RuntimeException(e); - } - } - } -}