author | Pauli <pauli@openssl.org> | 2023-03-22 10:42:11 +1100 |
committer | Pauli <pauli@openssl.org> | 2023-04-11 12:17:22 +1000 |
commit | 3b38f3d86923530be80e73175abfa07ad6dd2d4a (patch) | |
tree | 6d6b5c7b935be77a35399f643bc1377002834a65 /.github | |
parent | f309b3f6087db6c83126f8f227f1fc4984cf24b1 (diff) |
Add action to cross validate FIPS providers
Tests all released FIPS approved (or in progress) versions against
all development branches and each other.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20552)
Diffstat (limited to '.github')
-rw-r--r-- | .github/workflows/provider-compatibility.yml | 228 |
1 files changed, 228 insertions, 0 deletions
diff --git a/.github/workflows/provider-compatibility.yml b/.github/workflows/provider-compatibility.yml
new file mode 100644
index 0000000000..c6ed41f01e
--- /dev/null
+++ b/.github/workflows/provider-compatibility.yml
@@ -0,0 +1,228 @@
+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+# This verifies that FIPS and legacy providers built against some earlier
+# released versions continue to run against the current branch.
+
+name: Provider compatibility across versions
+
+on: #[pull_request]
+ schedule:
+ - cron: '0 15 * * *'
+
+permissions:
+ contents: read
+
+env:
+ opts: enable-rc5 enable-md2 enable-ssl3 enable-weak-ssl-ciphers enable-zlib
+
+jobs:
+ fips-releases:
+ strategy:
+ matrix:
+ release: [
+ # Formally released versions should be added here.
+ # `dir' it the directory inside the tarball.
+ # `tgz' is the name of the tarball.
+ # `utl' is the download URL.
+ {
+ dir: openssl-3.0.0,
+ tgz: openssl-3.0.0.tar.gz,
+ url: "https://www.openssl.org/source/old/3.0/openssl-3.0.0.tar.gz",
+ },
+ {
+ dir: openssl-3.0.8,
+ tgz: openssl-3.0.8.tar.gz,
+ url: "https://www.openssl.org/source/openssl-3.0.8.tar.gz",
+ },
+ {
+ dir: openssl-3.1.0,
+ tgz: openssl-3.1.0.tar.gz,
+ url: "https://www.openssl.org/source/openssl-3.1.0.tar.gz",
+ },
+ ]
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: create download directory
+ run: mkdir downloads
+ - name: download release source
+ run: wget --no-verbose ${{ matrix.release.url }}
+ working-directory: downloads
+ - name: unpack release source
+ run: tar xzf downloads/${{ matrix.release.tgz }}
+
+ - name: localegen
+ run: sudo locale-gen tr_TR.UTF-8
+
+ - name: config release
+ run: |
+ ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
+ working-directory: ${{ matrix.release.dir }}
+ - name: config dump release
+ run: ./configdata.pm --dump
+ working-directory: ${{ matrix.release.dir }}
+
+ - name: make release
+ run: make -s -j4
+ working-directory: ${{ matrix.release.dir }}
+
+ - name: create release artifacts
+ run: |
+ tar cz -H posix -f ${{ matrix.release.tgz }} ${{ matrix.release.dir }}
+
+ - name: show module versions from release
+ run: |
+ ./util/wrap.pl -fips apps/openssl list -provider-path providers \
+ -provider base \
+ -provider default \
+ -provider fips \
+ -provider legacy \
+ -providers
+ working-directory: ${{ matrix.release.dir }}
+
+ - uses: actions/upload-artifact@v3
+ with:
+ name: ${{ matrix.release.tgz }}
+ path: ${{ matrix.release.tgz }}
+ retention-days: 7
+
+ development-branches:
+ strategy:
+ matrix:
+ branch: [
+ # Currently supported FIPS capable branches should be added here.
+ # `name' is the branch name used to checkout out.
+ # `dir' directory that will be used to build and test in.
+ # `tgz' is the name of the tarball use to keep the artifacts of
+ # the build.
+ {
+ name: openssl-3.0,
+ dir: branch-3.0,
+ tgz: branch-3.0.tar.gz,
+ }, {
+ name: openssl-3.1,
+ dir: branch-3.1,
+ tgz: branch-3.1.tar.gz,
+ }, {
+ name: master,
+ dir: branch-master,
+ tgz: branch-master.tar.gz,
+ },
+ ]
+
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ path: ${{ matrix.branch.dir }}
+ repository: openssl/openssl
+ ref: ${{ matrix.branch.name }}
+ - name: localegen
+ run: sudo locale-gen tr_TR.UTF-8
+
+ - name: config branch
+ run: |
+ ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
+ working-directory: ${{ matrix.branch.dir }}
+ - name: config dump current
+ run: ./configdata.pm --dump
+ working-directory: ${{ matrix.branch.dir }}
+
+ - name: make branch
+ run: make -s -j4
+ working-directory: ${{ matrix.branch.dir }}
+
+ - name: create branch artifacts
+ run: |
+ tar cz -H posix -f ${{ matrix.branch.tgz }} ${{ matrix.branch.dir }}
+
+ - name: show module versions from branch
+ run: |
+ ./util/wrap.pl -fips apps/openssl list -provider-path providers \
+ -provider base \
+ -provider default \
+ -provider fips \
+ -provider legacy \
+ -providers
+ working-directory: ${{ matrix.branch.dir }}
+
+ - name: make test
+ run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
+ working-directory: ${{ matrix.branch.dir }}
+
+ - uses: actions/upload-artifact@v3
+ with:
+ name: ${{ matrix.branch.tgz }}
+ path: ${{ matrix.branch.tgz }}
+ retention-days: 7
+
+ cross-testing:
+ needs: [fips-releases, development-branches]
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ # These can't be figured out earlier and included here as a variable
+ # substitution.
+ #
+ # Note that releases are not used as a test environment for
+ # later providers. Problems in these situations ought to be
+ # caught by cross branch testing before the release.
+ tree_a: [ branch-master, branch-3.1, branch-3.0,
+ openssl-3.0.0, openssl-3.0.8, openssl-3.1.0 ]
+ tree_b: [ branch-master, branch-3.1, branch-3.0 ]
+ steps:
+ - name: early exit checks
+ id: early_exit
+ run: |
+ if [ "${{ matrix.tree_a }}" = "${{ matrix.tree_b }}" ]; \
+ then \
+ echo "Skipping because both are the same version"; \
+ exit 1; \
+ fi
+ continue-on-error: true
+
+ - uses: actions/download-artifact@v3
+ if: steps.early_exit.outcome == 'success'
+ with:
+ name: ${{ matrix.tree_a }}.tar.gz
+ - name: unpack first build
+ if: steps.early_exit.outcome == 'success'
+ run: tar xzf "${{ matrix.tree_a }}.tar.gz"
+
+ - uses: actions/download-artifact@v3
+ if: steps.early_exit.outcome == 'success'
+ with:
+ name: ${{ matrix.tree_b }}.tar.gz
+ - name: unpack second build
+ if: steps.early_exit.outcome == 'success'
+ run: tar xzf "${{ matrix.tree_b }}.tar.gz"
+
+ - name: set up cross validation of FIPS from A with tree from B
+ if: steps.early_exit.outcome == 'success'
+ run: |
+ cp providers/fips.so ../${{ matrix.tree_b }}/providers/
+ cp providers/fipsmodule.cnf ../${{ matrix.tree_b }}/providers/
+ working-directory: ${{ matrix.tree_a }}
+
+ - name: show module versions from cross validation
+ if: steps.early_exit.outcome == 'success'
+ run: |
+ ./util/wrap.pl -fips apps/openssl list -provider-path providers \
+ -provider base \
+ -provider default \
+ -provider fips \
+ -provider legacy \
+ -providers
+ working-directory: ${{ matrix.tree_b }}
+
+ - name: run cross validation tests of FIPS from A with tree from B
+ if: steps.early_exit.outcome == 'success'
+ run: |
+ make test HARNESS_JOBS=${HARNESS_JOBS:-4}
+ working-directory: ${{ matrix.tree_b }} |
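Review bot: The `download release source` step in `fips-releases` fetches each release tarball with plain `wget` and `config release` builds whatever arrived, with no integrity check; because that build is then uploaded as an artifact and reused by `cross-testing`, a corrupted or substituted download would surface only as a confusing test failure much later. OpenSSL publishes a `.sha256` file next to each tarball, so a `sha256:` field per `release` matrix entry (each filled in with the published digest) plus a step `run: echo "${{ matrix.release.sha256 }}  ${{ matrix.release.tgz }}" | sha256sum -c -` with `working-directory: downloads` would fail the job at the download instead. Separately, `actions/checkout@v2` is an older major than the `@v3` artifact actions used in the same file; moving it to `actions/checkout@v3`, or pinning all four action references to a commit SHA, keeps the pinning consistent. The matrix comments also carry typos worth fixing: "`dir' it the directory" should read "is the directory", "`utl'" should be "`url'", "used to checkout out" should be "used to check out", and "tarball use to keep" should be "tarball used to keep".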