1# Copyright 2023-2024 The OpenSSL Project Authors. All Rights Reserved.
2#
3# Licensed under the Apache License 2.0 (the "License").  You may not use
4# this file except in compliance with the License.  You can obtain a copy
5# in the file LICENSE in the source distribution or at
6# https://www.openssl.org/source/license.html
7
8# This verifies that FIPS and legacy providers built against some earlier
9# released versions continue to run against the current branch.
10
name: Provider compatibility across versions

# Running this on pull requests is pointless: every job below builds the tips
# of the branches in the main repository, never the PR branch.  Apply the
# `extended tests` label to a PR to get provider compatibility checks there.
on:
  schedule:
    - cron: '10 02 * * *'   # once a day, 02:10 UTC
  workflow_dispatch:

# Read-only token: no step in this workflow pushes, comments or writes back.
permissions:
  contents: read

env:
  # Extra configure options shared by every build below.  The weak/legacy
  # algorithms are presumably switched on so the legacy provider is built
  # with its full algorithm set -- confirm against the provider tests.
  opts: enable-rc5 enable-md2 enable-ssl3 enable-weak-ssl-ciphers enable-zlib
28
29jobs:
30  fips-releases:
31    strategy:
32      matrix:
33        release: [
34          # Formally released versions should be added here.
35          #     `dir' it the directory inside the tarball.
36          #     `tgz' is the name of the tarball.
37          #     `url' is the download URL.
38          {
39            dir: openssl-3.0.0,
40            tgz: openssl-3.0.0.tar.gz,
41            url: "https://www.openssl.org/source/old/3.0/openssl-3.0.0.tar.gz",
42          },
43          {
44            dir: openssl-3.0.8,
45            tgz: openssl-3.0.8.tar.gz,
46            url: "https://www.openssl.org/source/openssl-3.0.8.tar.gz",
47          },
48          {
49            dir: openssl-3.0.9,
50            tgz: openssl-3.0.9.tar.gz,
51            url: "https://www.openssl.org/source/openssl-3.0.9.tar.gz",
52          },
53          {
54            dir: openssl-3.1.2,
55            tgz: openssl-3.1.2.tar.gz,
56            url: "https://www.openssl.org/source/openssl-3.1.2.tar.gz",
57          },
58        ]
59
60    runs-on: ubuntu-latest
61    steps:
62      - name: create download directory
63        run: mkdir downloads
64      - name: download release source
65        run: wget --no-verbose ${{ matrix.release.url }}
66        working-directory: downloads
67      - name: unpack release source
68        run: tar xzf downloads/${{ matrix.release.tgz }}
69
70      - name: localegen
71        run: sudo locale-gen tr_TR.UTF-8
72
73      - name: config release
74        run: |
75          ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
76        working-directory: ${{ matrix.release.dir }}
77      - name: config dump release
78        run: ./configdata.pm --dump
79        working-directory: ${{ matrix.release.dir }}
80
81      - name: make release
82        run: make -s -j4
83        working-directory: ${{ matrix.release.dir }}
84
85      - name: create release artifacts
86        run: |
87          tar cz -H posix -f ${{ matrix.release.tgz }} ${{ matrix.release.dir }}
88
89      - name: show module versions from release
90        run: |
91          ./util/wrap.pl -fips apps/openssl list -provider-path providers   \
92                                                 -provider base             \
93                                                 -provider default          \
94                                                 -provider fips             \
95                                                 -provider legacy           \
96                                                 -providers
97        working-directory: ${{ matrix.release.dir }}
98
99      - uses: actions/upload-artifact@v4
100        with:
101          name: ${{ matrix.release.tgz }}
102          path: ${{ matrix.release.tgz }}
103          retention-days: 7
104
105  development-branches:
106    strategy:
107      matrix:
108        branch: [
109          # Currently supported FIPS capable branches should be added here.
110          #     `name' is the branch name used to checkout out.
111          #     `dir' directory that will be used to build and test in.
112          #     `tgz' is the name of the tarball use to keep the artifacts of
113          #         the build.
114          {
115            name: openssl-3.0,
116            dir: branch-3.0,
117            tgz: branch-3.0.tar.gz,
118          }, {
119            name: openssl-3.1,
120            dir: branch-3.1,
121            tgz: branch-3.1.tar.gz,
122          }, {
123            name: openssl-3.2,
124            dir: branch-3.2,
125            tgz: branch-3.2.tar.gz,
126          }, {
127            name: openssl-3.3,
128            dir: branch-3.3,
129            tgz: branch-3.3.tar.gz,
130          }, {
131            name: openssl-3.4,
132            dir: branch-3.4,
133            tgz: branch-3.4.tar.gz,
134          }, {
135            name: master,
136            dir: branch-master,
137            tgz: branch-master.tar.gz,
138          },
139        ]
140
141    runs-on: ubuntu-latest
142    steps:
143      - uses: actions/checkout@v4
144        with:
145          path: ${{ matrix.branch.dir }}
146          repository: openssl/openssl
147          ref: ${{ matrix.branch.name }}
148      - name: localegen
149        run: sudo locale-gen tr_TR.UTF-8
150
151      - name: config branch
152        run: |
153          ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
154        working-directory: ${{ matrix.branch.dir }}
155      - name: config dump current
156        run: ./configdata.pm --dump
157        working-directory: ${{ matrix.branch.dir }}
158
159      - name: make branch
160        run: make -s -j4
161        working-directory: ${{ matrix.branch.dir }}
162
163      - name: create branch artifacts
164        run: |
165          tar cz -H posix -f ${{ matrix.branch.tgz }} ${{ matrix.branch.dir }}
166
167      - name: show module versions from branch
168        run: |
169          ./util/wrap.pl -fips apps/openssl list -provider-path providers   \
170                                                 -provider base             \
171                                                 -provider default          \
172                                                 -provider fips             \
173                                                 -provider legacy           \
174                                                 -providers
175        working-directory: ${{ matrix.branch.dir }}
176
177      - name: get cpu info
178        run: |
179          cat /proc/cpuinfo
180          ./util/opensslwrap.sh version -c
181        working-directory: ${{ matrix.branch.dir }}
182
183      - name: make test
184        run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
185        working-directory: ${{ matrix.branch.dir }}
186
187      - uses: actions/upload-artifact@v4
188        with:
189          name: ${{ matrix.branch.tgz }}
190          path: ${{ matrix.branch.tgz }}
191          retention-days: 7
192
193  cross-testing:
194    needs: [fips-releases, development-branches]
195    runs-on: ubuntu-latest
196    strategy:
197      fail-fast: false
198      matrix:
199        # These can't be figured out earlier and included here as a variable
200        # substitution.
201        #
202        # Note that releases are not used as a test environment for
203        # later providers.  Problems in these situations ought to be
204        # caught by cross branch testing before the release.
205        tree_a: [ branch-master, branch-3.4, branch-3.3,
206                  branch-3.2, branch-3.1, branch-3.0,
207                  openssl-3.0.0, openssl-3.0.8, openssl-3.0.9, openssl-3.1.2 ]
208        tree_b: [ branch-master, branch-3.4, branch-3.3,
209                  branch-3.2, branch-3.1, branch-3.0  ]
210    steps:
211      - name: early exit checks
212        id: early_exit
213        run: |
214          if [ "${{ matrix.tree_a }}" = "${{ matrix.tree_b }}" ];           \
215          then                                                              \
216            echo "Skipping because both are the same version";              \
217            exit 1;                                                         \
218          fi
219        continue-on-error: true
220
221      - uses: actions/download-artifact@v4.1.8
222        if: steps.early_exit.outcome == 'success'
223        with:
224          name: ${{ matrix.tree_a }}.tar.gz
225      - name: unpack first build
226        if: steps.early_exit.outcome == 'success'
227        run: tar xzf "${{ matrix.tree_a }}.tar.gz"
228
229      - uses: actions/download-artifact@v4.1.8
230        if: steps.early_exit.outcome == 'success'
231        with:
232          name: ${{ matrix.tree_b }}.tar.gz
233      - name: unpack second build
234        if: steps.early_exit.outcome == 'success'
235        run: tar xzf "${{ matrix.tree_b }}.tar.gz"
236
237      - name: set up cross validation of FIPS from A with tree from B
238        if: steps.early_exit.outcome == 'success'
239        run: |
240          cp providers/fips.so ../${{ matrix.tree_b }}/providers/
241          cp providers/fipsmodule.cnf ../${{ matrix.tree_b }}/providers/
242        working-directory: ${{ matrix.tree_a }}
243
244      - name: show module versions from cross validation
245        if: steps.early_exit.outcome == 'success'
246        run: |
247          ./util/wrap.pl -fips apps/openssl list -provider-path providers   \
248                                                 -provider base             \
249                                                 -provider default          \
250                                                 -provider fips             \
251                                                 -provider legacy           \
252                                                 -providers
253        working-directory: ${{ matrix.tree_b }}
254
255      - name: get cpu info
256        if: steps.early_exit.outcome == 'success'
257        run: |
258          cat /proc/cpuinfo
259          ./util/opensslwrap.sh version -c
260        working-directory: ${{ matrix.tree_b }}
261
262      - name: run cross validation tests of FIPS from A with tree from B
263        if: steps.early_exit.outcome == 'success'
264        run: |
265          make test HARNESS_JOBS=${HARNESS_JOBS:-4}
266        working-directory: ${{ matrix.tree_b }}
267