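# Copyright 2023-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# This verifies that FIPS and legacy providers built against some earlier
# released versions continue to run against the current branch.
#
# Three jobs, all gated on the PR carrying the 'extended tests' label:
#   fips-releases         builds each listed release tarball
#   development-branches  builds the PR and each listed branch
#   cross-testing         copies the FIPS provider from one build into
#                         another and runs that tree's test suite

name: Provider compatibility for PRs

# Keep this on `pull_request` (not `pull_request_target`): the jobs below
# configure, build and run code taken from the pull request.
on: [pull_request]

# The job token only needs to read the repository.
permissions:
  contents: read

env:
  opts: enable-rc5 enable-md2 enable-ssl3 enable-weak-ssl-ciphers enable-zlib

# NOTE(review): the actions below are referenced by tag (`@v4`, `@v4.1.8`).
# Pinning each one to a full commit SHA would make the referenced code
# immutable.

jobs:
  fips-releases:
    if: ${{ contains(github.event.pull_request.labels.*.name,'extended tests') }}
    strategy:
      matrix:
        # Formally released versions should be added here.
        # `dir' is the directory inside the tarball.
        # `tgz' is the name of the tarball.
        # `url' is the download URL.
        release:
          - dir: openssl-3.0.0
            tgz: openssl-3.0.0.tar.gz
            url: "https://www.openssl.org/source/old/3.0/openssl-3.0.0.tar.gz"
          - dir: openssl-3.0.8
            tgz: openssl-3.0.8.tar.gz
            url: "https://www.openssl.org/source/openssl-3.0.8.tar.gz"
          - dir: openssl-3.0.9
            tgz: openssl-3.0.9.tar.gz
            url: "https://www.openssl.org/source/openssl-3.0.9.tar.gz"
          - dir: openssl-3.1.2
            tgz: openssl-3.1.2.tar.gz
            url: "https://www.openssl.org/source/openssl-3.1.2.tar.gz"

    runs-on: ubuntu-latest
    steps:
      - name: create download directory
        run: mkdir downloads
      # NOTE(review): the tarball is fetched over HTTPS only; nothing here
      # compares it with a known digest or signature before it is unpacked
      # and built. Consider adding a per-release SHA-256 to the matrix and
      # checking it before the unpack step.
      - name: download release source
        run: wget --no-verbose ${{ matrix.release.url }}
        working-directory: downloads
      - name: unpack release source
        run: tar xzf downloads/${{ matrix.release.tgz }}

      - name: localegen
        run: sudo locale-gen tr_TR.UTF-8

      - name: config release
        run: |
          ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
        working-directory: ${{ matrix.release.dir }}
      - name: config dump release
        run: ./configdata.pm --dump
        working-directory: ${{ matrix.release.dir }}

      - name: make release
        run: make -s -j4
        working-directory: ${{ matrix.release.dir }}

      # Re-pack the built tree under the same name as the downloaded
      # tarball; cross-testing fetches it as `<dir>.tar.gz`.
      - name: create release artifacts
        run: |
          tar cz -H posix -f ${{ matrix.release.tgz }} ${{ matrix.release.dir }}

      - name: show module versions from release
        run: |
          ./util/wrap.pl -fips apps/openssl list -provider-path providers \
                                                 -provider base \
                                                 -provider default \
                                                 -provider fips \
                                                 -provider legacy \
                                                 -providers
        working-directory: ${{ matrix.release.dir }}

      - uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.release.tgz }}
          path: ${{ matrix.release.tgz }}
          retention-days: 7

  development-branches:
    if: ${{ contains(github.event.pull_request.labels.*.name,'extended tests') }}
    strategy:
      matrix:
        # Currently supported FIPS capable branches should be added here.
        # `name' is the branch name used to check out.
        # `dir' directory that will be used to build and test in.
        # `tgz' is the name of the tarball used to keep the artifacts of
        #       the build.
        branch:
          # Empty `name' leaves `ref' unset, so actions/checkout picks its
          # default ref for the triggering event (presumably the PR itself).
          - name: ''
            dir: PR
            tgz: PR.tar.gz
          - name: openssl-3.0
            dir: branch-3.0
            tgz: branch-3.0.tar.gz
          - name: openssl-3.1
            dir: branch-3.1
            tgz: branch-3.1.tar.gz
          - name: openssl-3.2
            dir: branch-3.2
            tgz: branch-3.2.tar.gz
          - name: openssl-3.3
            dir: branch-3.3
            tgz: branch-3.3.tar.gz
          - name: master
            dir: branch-master
            tgz: branch-master.tar.gz

    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          path: ${{ matrix.branch.dir }}
          repository: openssl/openssl
          ref: ${{ matrix.branch.name }}
          # The whole checkout directory, `.git` included, is tarred and
          # uploaded as an artifact below, and PR code is built and run in
          # it. Do not leave the job token in `.git/config`.
          persist-credentials: false
      - name: localegen
        run: sudo locale-gen tr_TR.UTF-8

      - name: config branch
        run: |
          ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
        working-directory: ${{ matrix.branch.dir }}
      - name: config dump current
        run: ./configdata.pm --dump
        working-directory: ${{ matrix.branch.dir }}

      - name: make branch
        run: make -s -j4
        working-directory: ${{ matrix.branch.dir }}

      - name: create branch artifacts
        run: |
          tar cz -H posix -f ${{ matrix.branch.tgz }} ${{ matrix.branch.dir }}

      - name: show module versions from branch
        run: |
          ./util/wrap.pl -fips apps/openssl list -provider-path providers \
                                                 -provider base \
                                                 -provider default \
                                                 -provider fips \
                                                 -provider legacy \
                                                 -providers
        working-directory: ${{ matrix.branch.dir }}

      - name: get cpu info
        run: |
          cat /proc/cpuinfo
          ./util/opensslwrap.sh version -c
        working-directory: ${{ matrix.branch.dir }}

      - uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.branch.tgz }}
          path: ${{ matrix.branch.tgz }}
          retention-days: 7

  cross-testing:
    if: ${{ contains(github.event.pull_request.labels.*.name,'extended tests') }}
    needs: [fips-releases, development-branches]
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # These can't be figured out earlier and included here as a variable
        # substitution.
        #
        # Note that releases are not used as a test environment for
        # later providers.  Problems in these situations ought to be
        # caught by cross branch testing before the release.
        tree_a:
          - branch-3.3
          - branch-3.2
          - branch-3.1
          - branch-3.0
          - openssl-3.0.0
          - openssl-3.0.8
          - openssl-3.0.9
          - openssl-3.1.2
        tree_b:
          - PR
        include:
          - tree_a: PR
            tree_b: branch-master
          - tree_a: PR
            tree_b: branch-3.3
          - tree_a: PR
            tree_b: branch-3.2
          - tree_a: PR
            tree_b: branch-3.1
          - tree_a: PR
            tree_b: branch-3.0
    steps:
      # Fails on purpose when both trees are the same. `continue-on-error`
      # keeps the job going, and every later step is skipped because it is
      # gated on this step's `outcome` being 'success'.
      - name: early exit checks
        id: early_exit
        run: |
          if [ "${{ matrix.tree_a }}" = "${{ matrix.tree_b }}" ]; \
          then \
            echo "Skipping because both are the same version"; \
            exit 1; \
          fi
        continue-on-error: true

      - uses: actions/download-artifact@v4.1.8
        if: steps.early_exit.outcome == 'success'
        with:
          name: ${{ matrix.tree_a }}.tar.gz
      - name: unpack first build
        if: steps.early_exit.outcome == 'success'
        run: tar xzf "${{ matrix.tree_a }}.tar.gz"

      - uses: actions/download-artifact@v4.1.8
        if: steps.early_exit.outcome == 'success'
        with:
          name: ${{ matrix.tree_b }}.tar.gz
      - name: unpack second build
        if: steps.early_exit.outcome == 'success'
        run: tar xzf "${{ matrix.tree_b }}.tar.gz"

      # Replace tree B's FIPS module and its config with the ones built in
      # tree A, so the steps below run B with A's provider.
      - name: set up cross validation of FIPS from A with tree from B
        if: steps.early_exit.outcome == 'success'
        run: |
          cp providers/fips.so ../${{ matrix.tree_b }}/providers/
          cp providers/fipsmodule.cnf ../${{ matrix.tree_b }}/providers/
        working-directory: ${{ matrix.tree_a }}

      - name: show module versions from cross validation
        if: steps.early_exit.outcome == 'success'
        run: |
          ./util/wrap.pl -fips apps/openssl list -provider-path providers \
                                                 -provider base \
                                                 -provider default \
                                                 -provider fips \
                                                 -provider legacy \
                                                 -providers
        working-directory: ${{ matrix.tree_b }}

      - name: get cpu info
        if: steps.early_exit.outcome == 'success'
        run: |
          cat /proc/cpuinfo
          ./util/opensslwrap.sh version -c
        working-directory: ${{ matrix.tree_b }}

      - name: run cross validation tests of FIPS from A with tree from B
        if: steps.early_exit.outcome == 'success'
        run: |
          make test HARNESS_JOBS=${HARNESS_JOBS:-4}
        working-directory: ${{ matrix.tree_b }}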