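# Copyright 2023-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# This verifies that FIPS and legacy providers built against some earlier
# released versions continue to run against the current branch.

name: Provider compatibility across versions

# NOTE: if this is being run on pull_request, it will **not** use the pull
# request's branch. It is hardcoded to use the master branch.
#
on:  # [pull_request]
  schedule:
    - cron: '0 15 * * *'

# The job token is limited to read-only repository contents.
permissions:
  contents: read

# Build options appended to every ./config invocation below.
env:
  opts: enable-rc5 enable-md2 enable-ssl3 enable-weak-ssl-ciphers enable-zlib

# NOTE(review): every `uses:` below references an action by tag. Tags can be
# moved; pinning each action to a full commit SHA keeps the workflow on the
# code that was reviewed.
#
# The matrix values expanded inside the `run:` scripts are literals defined
# in this file. If one of them ever comes from an event payload or a
# workflow input, pass it through `env:` instead of expanding it into the
# script text.

jobs:
  # Build each released tarball and keep the built tree as an artifact.
  fips-releases:
    strategy:
      matrix:
        # Formally released versions should be added here.
        # `dir' is the directory inside the tarball.
        # `tgz' is the name of the tarball.
        # `url' is the download URL.
        release:
          - dir: openssl-3.0.0
            tgz: openssl-3.0.0.tar.gz
            url: "https://www.openssl.org/source/old/3.0/openssl-3.0.0.tar.gz"
          - dir: openssl-3.0.8
            tgz: openssl-3.0.8.tar.gz
            url: "https://www.openssl.org/source/openssl-3.0.8.tar.gz"
          - dir: openssl-3.0.9
            tgz: openssl-3.0.9.tar.gz
            url: "https://www.openssl.org/source/openssl-3.0.9.tar.gz"
          - dir: openssl-3.1.2
            tgz: openssl-3.1.2.tar.gz
            url: "https://www.openssl.org/source/openssl-3.1.2.tar.gz"

    runs-on: ubuntu-latest
    steps:
      - name: create download directory
        run: mkdir downloads
      # NOTE(review): the tarball is unpacked, configured and built without
      # any integrity check beyond TLS. Consider recording the expected
      # SHA-256 of each release in the matrix and verifying it (for example
      # with `sha256sum -c`) before the unpack step.
      - name: download release source
        run: wget --no-verbose ${{ matrix.release.url }}
        working-directory: downloads
      - name: unpack release source
        run: tar xzf downloads/${{ matrix.release.tgz }}

      - name: localegen
        run: sudo locale-gen tr_TR.UTF-8

      - name: config release
        run: |
          ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
        working-directory: ${{ matrix.release.dir }}
      - name: config dump release
        run: ./configdata.pm --dump
        working-directory: ${{ matrix.release.dir }}

      - name: make release
        run: make -s -j4
        working-directory: ${{ matrix.release.dir }}

      # The whole built tree is archived; cross-testing unpacks it later.
      - name: create release artifacts
        run: |
          tar cz -H posix -f ${{ matrix.release.tgz }} ${{ matrix.release.dir }}

      - name: show module versions from release
        run: |
          ./util/wrap.pl -fips apps/openssl list -provider-path providers \
                                                  -provider base \
                                                  -provider default \
                                                  -provider fips \
                                                  -provider legacy \
                                                  -providers
        working-directory: ${{ matrix.release.dir }}

      - uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.release.tgz }}
          path: ${{ matrix.release.tgz }}
          retention-days: 7

  # Check out, build and test each supported branch, then keep the built
  # tree as an artifact.
  development-branches:
    strategy:
      matrix:
        # Currently supported FIPS capable branches should be added here.
        # `name' is the branch name used to check out.
        # `dir' directory that will be used to build and test in.
        # `tgz' is the name of the tarball used to keep the artifacts of
        #       the build.
        branch:
          - name: openssl-3.0
            dir: branch-3.0
            tgz: branch-3.0.tar.gz
          - name: openssl-3.1
            dir: branch-3.1
            tgz: branch-3.1.tar.gz
          - name: openssl-3.2
            dir: branch-3.2
            tgz: branch-3.2.tar.gz
          - name: openssl-3.3
            dir: branch-3.3
            tgz: branch-3.3.tar.gz
          - name: master
            dir: branch-master
            tgz: branch-master.tar.gz

    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          path: ${{ matrix.branch.dir }}
          repository: openssl/openssl
          ref: ${{ matrix.branch.name }}
          # The checkout directory, .git included, is archived and uploaded
          # as an artifact further down. By default checkout leaves the job
          # token in the repository's git config; keep it out of the tree.
          persist-credentials: false
      - name: localegen
        run: sudo locale-gen tr_TR.UTF-8

      - name: config branch
        run: |
          ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
        working-directory: ${{ matrix.branch.dir }}
      - name: config dump current
        run: ./configdata.pm --dump
        working-directory: ${{ matrix.branch.dir }}

      - name: make branch
        run: make -s -j4
        working-directory: ${{ matrix.branch.dir }}

      - name: create branch artifacts
        run: |
          tar cz -H posix -f ${{ matrix.branch.tgz }} ${{ matrix.branch.dir }}

      - name: show module versions from branch
        run: |
          ./util/wrap.pl -fips apps/openssl list -provider-path providers \
                                                  -provider base \
                                                  -provider default \
                                                  -provider fips \
                                                  -provider legacy \
                                                  -providers
        working-directory: ${{ matrix.branch.dir }}

      - name: get cpu info
        run: |
          cat /proc/cpuinfo
          ./util/opensslwrap.sh version -c
        working-directory: ${{ matrix.branch.dir }}

      - name: make test
        run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
        working-directory: ${{ matrix.branch.dir }}

      - uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.branch.tgz }}
          path: ${{ matrix.branch.tgz }}
          retention-days: 7

  # Run tree B's test suite with the FIPS provider built in tree A.
  cross-testing:
    needs: [fips-releases, development-branches]
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # These can't be figured out earlier and included here as a variable
        # substitution.
        #
        # Note that releases are not used as a test environment for
        # later providers.  Problems in these situations ought to be
        # caught by cross branch testing before the release.
        tree_a: [ branch-master, branch-3.3, branch-3.2, branch-3.1, branch-3.0,
                  openssl-3.0.0, openssl-3.0.8, openssl-3.0.9, openssl-3.1.2 ]
        tree_b: [ branch-master, branch-3.3, branch-3.2, branch-3.1,
                  branch-3.0 ]
    steps:
      # When both trees are the same this step fails on purpose;
      # continue-on-error keeps the job green and every later step is
      # gated on this step's outcome.
      - name: early exit checks
        id: early_exit
        run: |
          if [ "${{ matrix.tree_a }}" = "${{ matrix.tree_b }}" ]; \
          then \
            echo "Skipping because both are the same version"; \
            exit 1; \
          fi
        continue-on-error: true

      - uses: actions/download-artifact@v4.1.8
        if: steps.early_exit.outcome == 'success'
        with:
          name: ${{ matrix.tree_a }}.tar.gz
      - name: unpack first build
        if: steps.early_exit.outcome == 'success'
        run: tar xzf "${{ matrix.tree_a }}.tar.gz"

      - uses: actions/download-artifact@v4.1.8
        if: steps.early_exit.outcome == 'success'
        with:
          name: ${{ matrix.tree_b }}.tar.gz
      - name: unpack second build
        if: steps.early_exit.outcome == 'success'
        run: tar xzf "${{ matrix.tree_b }}.tar.gz"

      # Replace tree B's FIPS module and its config with the ones from A.
      - name: set up cross validation of FIPS from A with tree from B
        if: steps.early_exit.outcome == 'success'
        run: |
          cp providers/fips.so ../${{ matrix.tree_b }}/providers/
          cp providers/fipsmodule.cnf ../${{ matrix.tree_b }}/providers/
        working-directory: ${{ matrix.tree_a }}

      - name: show module versions from cross validation
        if: steps.early_exit.outcome == 'success'
        run: |
          ./util/wrap.pl -fips apps/openssl list -provider-path providers \
                                                  -provider base \
                                                  -provider default \
                                                  -provider fips \
                                                  -provider legacy \
                                                  -providers
        working-directory: ${{ matrix.tree_b }}

      - name: get cpu info
        if: steps.early_exit.outcome == 'success'
        run: |
          cat /proc/cpuinfo
          ./util/opensslwrap.sh version -c
        working-directory: ${{ matrix.tree_b }}

      - name: run cross validation tests of FIPS from A with tree from B
        if: steps.early_exit.outcome == 'success'
        run: |
          make test HARNESS_JOBS=${HARNESS_JOBS:-4}
        working-directory: ${{ matrix.tree_b }}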