# Copyright 2023-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# This workflow verifies that FIPS and legacy providers built against some
# earlier released versions continue to run against the current branch.

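name: Provider compatibility for PRs

# Every job below is gated on the PR carrying the 'extended tests' label,
# so an unlabelled PR runs nothing from this workflow.
on: [pull_request]

# The workflow only reads the repository; artifacts move between jobs via
# upload/download-artifact, which needs no additional token scope.
permissions:
  contents: read

env:
  # Configure options shared by every build, so both sides of a cross test
  # are built with the same feature set.
  opts: enable-rc5 enable-md2 enable-ssl3 enable-weak-ssl-ciphers enable-zlib

# NOTE(review): the actions below are referenced by mutable tags
# (checkout@v4, upload-artifact@v4, download-artifact@v4.1.8).  Pinning each
# to a full commit SHA would make the workflow's own dependencies immutable.
jobs:
  # Build the FIPS provider from formally released tarballs and keep each
  # built tree as an artifact for the cross-testing job.
  fips-releases:
    if: ${{ contains(github.event.pull_request.labels.*.name,'extended tests') }}
    strategy:
      matrix:
        # Formally released versions should be added here.
        #     `dir' is the directory inside the tarball.
        #     `tgz' is the name of the tarball.  It must be `<dir>.tar.gz',
        #         because cross-testing derives the artifact name from the
        #         tree name.
        #     `url' is the download URL.
        release:
          - dir: openssl-3.0.0
            tgz: openssl-3.0.0.tar.gz
            url: "https://www.openssl.org/source/old/3.0/openssl-3.0.0.tar.gz"
          - dir: openssl-3.0.8
            tgz: openssl-3.0.8.tar.gz
            url: "https://www.openssl.org/source/openssl-3.0.8.tar.gz"
          - dir: openssl-3.0.9
            tgz: openssl-3.0.9.tar.gz
            url: "https://www.openssl.org/source/openssl-3.0.9.tar.gz"
          - dir: openssl-3.1.2
            tgz: openssl-3.1.2.tar.gz
            url: "https://www.openssl.org/source/openssl-3.1.2.tar.gz"

    runs-on: ubuntu-latest
    steps:
      - name: create download directory
        run: mkdir downloads

      # The release source is trusted on the strength of TLS to the download
      # host alone: the published .sha256/.asc files are not checked, so a
      # compromised host could serve a modified tarball.  --https-only at
      # least refuses a redirect that would drop the fetch to plain HTTP.
      # TODO: verify the download against a digest pinned in the matrix entry.
      - name: download release source
        run: wget --no-verbose --https-only ${{ matrix.release.url }}
        working-directory: downloads
      - name: unpack release source
        run: tar xzf downloads/${{ matrix.release.tgz }}

      # tr_TR is generated for the locale-sensitive tests (presumably the
      # Turkish dotless-i case-mapping checks; confirm against the test suite).
      - name: localegen
        run: sudo locale-gen tr_TR.UTF-8

      - name: config release
        run: |
          ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
        working-directory: ${{ matrix.release.dir }}
      - name: config dump release
        run: ./configdata.pm --dump
        working-directory: ${{ matrix.release.dir }}

      - name: make release
        run: make -s -j4
        working-directory: ${{ matrix.release.dir }}

      # The whole built tree is archived; cross-testing copies
      # providers/fips.so and providers/fipsmodule.cnf out of it.
      - name: create release artifacts
        run: |
          tar cz -H posix -f ${{ matrix.release.tgz }} ${{ matrix.release.dir }}

      - name: show module versions from release
        run: |
          ./util/wrap.pl -fips apps/openssl list -provider-path providers   \
                                                 -provider base             \
                                                 -provider default          \
                                                 -provider fips             \
                                                 -provider legacy           \
                                                 -providers
        working-directory: ${{ matrix.release.dir }}

      - uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.release.tgz }}
          path: ${{ matrix.release.tgz }}
          retention-days: 7

  # Build the currently supported branches, and the PR itself, from git and
  # keep each built tree as an artifact for the cross-testing job.
  development-branches:
    if: ${{ contains(github.event.pull_request.labels.*.name,'extended tests') }}
    strategy:
      matrix:
        # Currently supported FIPS capable branches should be added here.
        #     `name' is the branch name to check out.  The empty name leaves
        #         actions/checkout on the ref that triggered the run, i.e.
        #         the PR under test.
        #     `dir' is the directory that will be used to build and test in.
        #     `tgz' is the name of the tarball used to keep the artifacts of
        #         the build.  It must be `<dir>.tar.gz', because cross-testing
        #         derives the artifact name from the tree name.
        branch:
          - name: ''
            dir: PR
            tgz: PR.tar.gz
          - name: openssl-3.0
            dir: branch-3.0
            tgz: branch-3.0.tar.gz
          - name: openssl-3.1
            dir: branch-3.1
            tgz: branch-3.1.tar.gz
          - name: openssl-3.2
            dir: branch-3.2
            tgz: branch-3.2.tar.gz
          - name: openssl-3.3
            dir: branch-3.3
            tgz: branch-3.3.tar.gz
          - name: openssl-3.4
            dir: branch-3.4
            tgz: branch-3.4.tar.gz
          - name: master
            dir: branch-master
            tgz: branch-master.tar.gz

    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          path: ${{ matrix.branch.dir }}
          repository: openssl/openssl
          ref: ${{ matrix.branch.name }}

      # tr_TR is generated for the locale-sensitive tests (presumably the
      # Turkish dotless-i case-mapping checks; confirm against the test suite).
      - name: localegen
        run: sudo locale-gen tr_TR.UTF-8

      - name: config branch
        run: |
          ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
        working-directory: ${{ matrix.branch.dir }}
      - name: config dump current
        run: ./configdata.pm --dump
        working-directory: ${{ matrix.branch.dir }}

      - name: make branch
        run: make -s -j4
        working-directory: ${{ matrix.branch.dir }}

      # The whole built tree is archived; cross-testing either takes
      # providers/fips.so and providers/fipsmodule.cnf from it or runs its
      # test suite.
      - name: create branch artifacts
        run: |
          tar cz -H posix -f ${{ matrix.branch.tgz }} ${{ matrix.branch.dir }}

      - name: show module versions from branch
        run: |
          ./util/wrap.pl -fips apps/openssl list -provider-path providers   \
                                                 -provider base             \
                                                 -provider default          \
                                                 -provider fips             \
                                                 -provider legacy           \
                                                 -providers
        working-directory: ${{ matrix.branch.dir }}

      - name: get cpu info
        run: |
          cat /proc/cpuinfo
          ./util/opensslwrap.sh version -c
        working-directory: ${{ matrix.branch.dir }}

      - uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.branch.tgz }}
          path: ${{ matrix.branch.tgz }}
          retention-days: 7

  # Load the FIPS provider built from tree A into the tree built from B and
  # run B's test suite against it.
  cross-testing:
    if: ${{ contains(github.event.pull_request.labels.*.name,'extended tests') }}
    needs: [fips-releases, development-branches]
    runs-on: ubuntu-latest
    strategy:
      # Keep going when one pairing fails, so every A/B combination reports.
      fail-fast: false
      matrix:
        # These can't be figured out earlier and included here as a variable
        # substitution.
        #
        # Note that releases are not used as a test environment for
        # later providers.  Problems in these situations ought to be
        # caught by cross branch testing before the release.
        tree_a:
          - branch-3.4
          - branch-3.3
          - branch-3.2
          - branch-3.1
          - branch-3.0
          - openssl-3.0.0
          - openssl-3.0.8
          - openssl-3.0.9
          - openssl-3.1.2
        tree_b:
          - PR
        include:
          - tree_a: PR
            tree_b: branch-master
          - tree_a: PR
            tree_b: branch-3.4
          - tree_a: PR
            tree_b: branch-3.3
          - tree_a: PR
            tree_b: branch-3.2
          - tree_a: PR
            tree_b: branch-3.1
          - tree_a: PR
            tree_b: branch-3.0
    steps:
      # No matrix entry above pairs a tree with itself; the guard keeps that
      # true if the lists are edited.  The decision is published as a step
      # output rather than as a failed step, so a skipped pairing shows as
      # skipped instead of as a failure masked by continue-on-error.
      - name: early exit checks
        id: early_exit
        run: |
          if [ "${{ matrix.tree_a }}" = "${{ matrix.tree_b }}" ]; then
            echo "Skipping because both are the same version"
            echo "skip=true" >> "$GITHUB_OUTPUT"
          fi

      - uses: actions/download-artifact@v4.1.8
        if: steps.early_exit.outputs.skip != 'true'
        with:
          name: ${{ matrix.tree_a }}.tar.gz
      - name: unpack first build
        if: steps.early_exit.outputs.skip != 'true'
        run: tar xzf "${{ matrix.tree_a }}.tar.gz"

      - uses: actions/download-artifact@v4.1.8
        if: steps.early_exit.outputs.skip != 'true'
        with:
          name: ${{ matrix.tree_b }}.tar.gz
      - name: unpack second build
        if: steps.early_exit.outputs.skip != 'true'
        run: tar xzf "${{ matrix.tree_b }}.tar.gz"

      # Only the FIPS module and its configuration are taken from A; B keeps
      # its own libcrypto, default/legacy providers and test suite.
      - name: set up cross validation of FIPS from A with tree from B
        if: steps.early_exit.outputs.skip != 'true'
        run: |
          cp providers/fips.so ../${{ matrix.tree_b }}/providers/
          cp providers/fipsmodule.cnf ../${{ matrix.tree_b }}/providers/
        working-directory: ${{ matrix.tree_a }}

      - name: show module versions from cross validation
        if: steps.early_exit.outputs.skip != 'true'
        run: |
          ./util/wrap.pl -fips apps/openssl list -provider-path providers   \
                                                 -provider base             \
                                                 -provider default          \
                                                 -provider fips             \
                                                 -provider legacy           \
                                                 -providers
        working-directory: ${{ matrix.tree_b }}

      - name: get cpu info
        if: steps.early_exit.outputs.skip != 'true'
        run: |
          cat /proc/cpuinfo
          ./util/opensslwrap.sh version -c
        working-directory: ${{ matrix.tree_b }}

      - name: run cross validation tests of FIPS from A with tree from B
        if: steps.early_exit.outputs.skip != 'true'
        run: |
          make test HARNESS_JOBS=${HARNESS_JOBS:-4}
        working-directory: ${{ matrix.tree_b }}
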