# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
name: FIPS Check and ABIDIFF

# Triggered by the `pull_request` event (not `pull_request_target`), so the
# jobs below build and run PR-authored code. For PRs from forks GitHub issues
# a read-only token and withholds repository secrets on this event.
on:
  - pull_request

# Least privilege: the token may only read repository contents. Nothing in
# this workflow writes to the repository or comments on the PR.
permissions:
  contents: read

jobs:
15  compute-checksums:
16    runs-on: ubuntu-latest
17    steps:
18      - name: install unifdef
19        run: |
20            sudo apt-get update
21            sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install unifdef
22      - name: create build dirs
23        run: |
24          mkdir ./build-pristine
25          mkdir ./source-pristine
26          mkdir ./build
27          mkdir ./source
28          mkdir ./artifact
29      - uses: actions/checkout@v4
30        with:
31          repository: ${{ github.event.pull_request.base.repo.full_name }}
32          ref: ${{ github.event.pull_request.base.ref }}
33          path: source-pristine
34      - name: config pristine
35        run: ../source-pristine/config enable-fips
36        working-directory: ./build-pristine
37      - name: config pristine dump
38        run: ./configdata.pm --dump
39        working-directory: ./build-pristine
40      - name: make build_generated pristine
41        run: make -s build_generated
42        working-directory: ./build-pristine
43      - name: make fips-checksums pristine
44        run: make fips-checksums
45        working-directory: ./build-pristine
46      - uses: actions/checkout@v4
47        with:
48          path: source
49      - name: config
50        run: ../source/config enable-fips
51        working-directory: ./build
52      - name: config dump
53        run: ./configdata.pm --dump
54        working-directory: ./build
55      - name: make build_generated
56        run: make -s build_generated
57        working-directory: ./build
58      - name: make fips-checksums
59        run: make fips-checksums
60        working-directory: ./build
61      - name: update checksums
62        run: |
63          cp -a build-pristine/providers/fips.module.sources.new source/providers/fips.module.sources
64          cp -a build-pristine/providers/fips-sources.checksums.new source/providers/fips-sources.checksums
65          cp -a build-pristine/providers/fips.checksum.new source/providers/fips.checksum
66      - name: make diff-fips-checksums
67        run: make diff-fips-checksums && touch ../artifact/fips_unchanged || ( touch ../artifact/fips_changed ; echo FIPS CHANGED )
68        working-directory: ./build
69      - name: save PR number
70        run: echo ${{ github.event.number }} > ./artifact/pr_num
71      - name: save artifact
72        uses: actions/upload-artifact@v4
73        with:
74          name: fips_checksum
75          path: artifact/
77  compute-abidiff:
78    runs-on: ubuntu-latest
79    env:
80      BUILD_OPTS: -g --strict-warnings enable-ktls enable-fips enable-egd enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-sctp enable-ssl3 enable-ssl3-method enable-trace enable-zlib enable-zstd
81    steps:
82      - name: create build dirs
83        run: |
84          mkdir ./build-pristine
85          mkdir ./source-pristine
86          mkdir ./build
87          mkdir ./source
88          mkdir ./artifact
89      - name: install extra config support
90        run: sudo apt-get -y install libsctp-dev abigail-tools libzstd-dev zstd
91      - uses: actions/checkout@v4
92        with:
93          repository: ${{ github.event.pull_request.base.repo.full_name }}
94          ref: ${{ github.event.pull_request.base.ref }}
95          path: source-pristine
96      - name: config pristine
97        run: ../source-pristine/config --banner=Configured $BUILD_OPTS && perl configdata.pm --dump
98        working-directory: ./build-pristine
99      - name: make pristine
100        run: make -s -j4
101        working-directory: ./build-pristine
102      - uses: actions/checkout@v4
103        with:
104          path: source
105      - name: config
106        run: ../source/config --banner=Configured $BUILD_OPTS && perl configdata.pm --dump
107        working-directory: ./build
108      - name: make
109        run: make -s -j4
110        working-directory: ./build
111      - name: abidiff
112        run: abidiff --headers-dir1 build-pristine/include/openssl --headers-dir2 build/include/openssl --drop-private-types ./build-pristine/libcrypto.so ./build/libcrypto.so && abidiff --headers-dir1 build-pristine/include/openssl --headers-dir2 build/include/openssl --drop-private-types ./build-pristine/libssl.so ./build/libssl.so && touch ./artifact/abi_unchanged || ( touch ./artifact/abi_changed ; echo ABI CHANGED )
113      - name: save PR number
114        run: echo ${{ github.event.number }} > ./artifact/pr_num
115      - name: save artifact
116        uses: actions/upload-artifact@v4
117        with:
118          name: abidiff
119          path: artifact/