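# Copyright 2023-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# This verifies that FIPS and legacy providers built against some earlier
# released versions continue to run against the current branch.
#
# Job layout:
#   fips-releases        - download, build and archive each listed release.
#   development-branches - check out, build, test and archive each branch.
#   cross-testing        - copy the FIPS module built in tree A into tree B
#                          and run tree B's test suite against it.
#
# NOTE(review): the actions below are referenced by tag (v4, v4.1.8). A tag
# can be moved; pinning each `uses:` to a full commit SHA makes the
# referenced code immutable.

name: Provider compatibility across versions

# NOTE: if this is being run on pull_request, it will **not** use the pull
# request's branch. It is hardcoded to use the master branch.
#
on:  # [pull_request]
  schedule:
    - cron: '0 15 * * *'

# The job token only needs to read repository contents.
permissions:
  contents: read

env:
  # Extra Configure options passed to every build. The value is expanded
  # unquoted in the config steps on purpose, so that the shell splits it
  # into separate arguments.
  opts: enable-rc5 enable-md2 enable-ssl3 enable-weak-ssl-ciphers enable-zlib

jobs:
  # Build each formally released version with the FIPS provider enabled and
  # keep the whole build tree as an artifact for the cross-testing job.
  fips-releases:
    strategy:
      matrix:
        # Formally released versions should be added here.
        # `dir' is the directory inside the tarball.
        # `tgz' is the name of the tarball.
        # `url' is the download URL.
        release:
          - dir: openssl-3.0.0
            tgz: openssl-3.0.0.tar.gz
            url: "https://www.openssl.org/source/old/3.0/openssl-3.0.0.tar.gz"
          - dir: openssl-3.0.8
            tgz: openssl-3.0.8.tar.gz
            url: "https://www.openssl.org/source/openssl-3.0.8.tar.gz"
          - dir: openssl-3.0.9
            tgz: openssl-3.0.9.tar.gz
            url: "https://www.openssl.org/source/openssl-3.0.9.tar.gz"
          - dir: openssl-3.1.2
            tgz: openssl-3.1.2.tar.gz
            url: "https://www.openssl.org/source/openssl-3.1.2.tar.gz"

    runs-on: ubuntu-latest
    steps:
      - name: create download directory
        run: mkdir downloads
      # NOTE(review): the tarball is fetched over HTTPS but is not checked
      # against a pinned digest or a release signature before it is unpacked
      # and built. Consider adding a per-release sha256 entry to the matrix
      # and verifying it (e.g. with sha256sum -c) ahead of the unpack step.
      - name: download release source
        run: wget --no-verbose "${{ matrix.release.url }}"
        working-directory: downloads
      - name: unpack release source
        run: tar xzf "downloads/${{ matrix.release.tgz }}"

      - name: localegen
        run: sudo locale-gen tr_TR.UTF-8

      - name: config release
        run: |
          ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
        working-directory: ${{ matrix.release.dir }}
      - name: config dump release
        run: ./configdata.pm --dump
        working-directory: ${{ matrix.release.dir }}

      - name: make release
        run: make -s -j4
        working-directory: ${{ matrix.release.dir }}

      # Runs from the workspace root, so the archive overwrites the name of
      # the downloaded tarball there (the download itself is in downloads/).
      - name: create release artifacts
        run: |
          tar cz -H posix -f "${{ matrix.release.tgz }}" "${{ matrix.release.dir }}"

      - name: show module versions from release
        run: |
          ./util/wrap.pl -fips apps/openssl list -provider-path providers \
                                                 -provider base \
                                                 -provider default \
                                                 -provider fips \
                                                 -provider legacy \
                                                 -providers
        working-directory: ${{ matrix.release.dir }}

      - uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.release.tgz }}
          path: ${{ matrix.release.tgz }}
          retention-days: 7

  # Build and test each supported branch, then keep the whole build tree as
  # an artifact for the cross-testing job.
  development-branches:
    strategy:
      matrix:
        # Currently supported FIPS capable branches should be added here.
        # `name' is the branch name used to check out.
        # `dir' directory that will be used to build and test in.
        # `tgz' is the name of the tarball used to keep the artifacts of
        #       the build.
        branch:
          - name: openssl-3.0
            dir: branch-3.0
            tgz: branch-3.0.tar.gz
          - name: openssl-3.1
            dir: branch-3.1
            tgz: branch-3.1.tar.gz
          - name: openssl-3.2
            dir: branch-3.2
            tgz: branch-3.2.tar.gz
          - name: openssl-3.3
            dir: branch-3.3
            tgz: branch-3.3.tar.gz
          - name: openssl-3.4
            dir: branch-3.4
            tgz: branch-3.4.tar.gz
          - name: master
            dir: branch-master
            tgz: branch-master.tar.gz

    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          path: ${{ matrix.branch.dir }}
          repository: openssl/openssl
          ref: ${{ matrix.branch.name }}
          # Keep the job token out of .git/config: the whole checkout
          # directory, .git included, is packed into the uploaded artifact
          # by the "create branch artifacts" step below.
          persist-credentials: false
      - name: localegen
        run: sudo locale-gen tr_TR.UTF-8

      - name: config branch
        run: |
          ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
        working-directory: ${{ matrix.branch.dir }}
      - name: config dump current
        run: ./configdata.pm --dump
        working-directory: ${{ matrix.branch.dir }}

      - name: make branch
        run: make -s -j4
        working-directory: ${{ matrix.branch.dir }}

      # Runs from the workspace root and archives the complete checkout.
      - name: create branch artifacts
        run: |
          tar cz -H posix -f "${{ matrix.branch.tgz }}" "${{ matrix.branch.dir }}"

      - name: show module versions from branch
        run: |
          ./util/wrap.pl -fips apps/openssl list -provider-path providers \
                                                 -provider base \
                                                 -provider default \
                                                 -provider fips \
                                                 -provider legacy \
                                                 -providers
        working-directory: ${{ matrix.branch.dir }}

      - name: get cpu info
        run: |
          cat /proc/cpuinfo
          ./util/opensslwrap.sh version -c
        working-directory: ${{ matrix.branch.dir }}

      - name: make test
        run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
        working-directory: ${{ matrix.branch.dir }}

      - uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.branch.tgz }}
          path: ${{ matrix.branch.tgz }}
          retention-days: 7

  # For every (tree_a, tree_b) pair, run tree_b's test suite with the FIPS
  # provider and its configuration taken from tree_a.
  cross-testing:
    needs: [fips-releases, development-branches]
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # These can't be figured out earlier and included here as a variable
        # substitution.
        #
        # Note that releases are not used as a test environment for
        # later providers. Problems in these situations ought to be
        # caught by cross branch testing before the release.
        tree_a: [ branch-master, branch-3.4, branch-3.3,
                  branch-3.2, branch-3.1, branch-3.0,
                  openssl-3.0.0, openssl-3.0.8, openssl-3.0.9, openssl-3.1.2 ]
        tree_b: [ branch-master, branch-3.4, branch-3.3,
                  branch-3.2, branch-3.1, branch-3.0 ]
    steps:
      # This step fails on purpose when both trees are the same;
      # continue-on-error keeps the job green, and every later step is
      # gated on this step's outcome being 'success'.
      - name: early exit checks
        id: early_exit
        run: |
          if [ "${{ matrix.tree_a }}" = "${{ matrix.tree_b }}" ]; then
            echo "Skipping because both are the same version"
            exit 1
          fi
        continue-on-error: true

      - uses: actions/download-artifact@v4.1.8
        if: steps.early_exit.outcome == 'success'
        with:
          name: ${{ matrix.tree_a }}.tar.gz
      - name: unpack first build
        if: steps.early_exit.outcome == 'success'
        run: tar xzf "${{ matrix.tree_a }}.tar.gz"

      - uses: actions/download-artifact@v4.1.8
        if: steps.early_exit.outcome == 'success'
        with:
          name: ${{ matrix.tree_b }}.tar.gz
      - name: unpack second build
        if: steps.early_exit.outcome == 'success'
        run: tar xzf "${{ matrix.tree_b }}.tar.gz"

      # Replace tree B's FIPS module and its config with the ones built in
      # tree A; both trees sit side by side in the workspace.
      - name: set up cross validation of FIPS from A with tree from B
        if: steps.early_exit.outcome == 'success'
        run: |
          cp providers/fips.so "../${{ matrix.tree_b }}/providers/"
          cp providers/fipsmodule.cnf "../${{ matrix.tree_b }}/providers/"
        working-directory: ${{ matrix.tree_a }}

      - name: show module versions from cross validation
        if: steps.early_exit.outcome == 'success'
        run: |
          ./util/wrap.pl -fips apps/openssl list -provider-path providers \
                                                 -provider base \
                                                 -provider default \
                                                 -provider fips \
                                                 -provider legacy \
                                                 -providers
        working-directory: ${{ matrix.tree_b }}

      - name: get cpu info
        if: steps.early_exit.outcome == 'success'
        run: |
          cat /proc/cpuinfo
          ./util/opensslwrap.sh version -c
        working-directory: ${{ matrix.tree_b }}

      - name: run cross validation tests of FIPS from A with tree from B
        if: steps.early_exit.outcome == 'success'
        run: |
          make test HARNESS_JOBS=${HARNESS_JOBS:-4}
        working-directory: ${{ matrix.tree_b }}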