# Copyright 2023-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# This verifies that FIPS and legacy providers built against some earlier
# released versions continue to run against the current branch.

---
name: Provider compatibility across versions

# NOTE: a pull_request trigger (not currently enabled) would **not** build
#       the pull request's branch: the checkout in the jobs below is
#       hard-coded to the openssl/openssl branches listed in the matrix.
on:
  schedule:
    - cron: "0 15 * * *"

# The workflow only reads the repository and uploads run artifacts.
permissions:
  contents: read

# Configure options shared by every build in this workflow.
env:
  opts: >-
    enable-rc5
    enable-md2
    enable-ssl3
    enable-weak-ssl-ciphers
    enable-zlib

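jobs:
  # Build each formally released version with the FIPS provider enabled and
  # keep the built tree as an artifact for the cross-testing job.
  fips-releases:
    strategy:
      matrix:
        # Formally released versions should be added here.
        #     `dir' is the directory inside the tarball.
        #     `tgz' is the name of the tarball.
        #     `url' is the download URL.
        # NOTE(review): the download step verifies nothing beyond TLS; a
        #     pinned SHA-256 per entry, checked right after the download,
        #     would catch a tampered or mismatched upstream tarball.  No
        #     digests are recorded in this file, so none are invented here.
        release:
          - dir: openssl-3.0.0
            tgz: openssl-3.0.0.tar.gz
            url: "https://www.openssl.org/source/old/3.0/openssl-3.0.0.tar.gz"
          - dir: openssl-3.0.8
            tgz: openssl-3.0.8.tar.gz
            url: "https://www.openssl.org/source/openssl-3.0.8.tar.gz"
          - dir: openssl-3.0.9
            tgz: openssl-3.0.9.tar.gz
            url: "https://www.openssl.org/source/openssl-3.0.9.tar.gz"
          - dir: openssl-3.1.2
            tgz: openssl-3.1.2.tar.gz
            url: "https://www.openssl.org/source/openssl-3.1.2.tar.gz"

    runs-on: ubuntu-latest
    steps:
      - name: create download directory
        run: mkdir downloads
      - name: download release source
        # --https-only refuses any redirect that would downgrade the fetch to
        # plain HTTP; the URL itself is a fixed matrix value, not run input.
        run: wget --no-verbose --https-only ${{ matrix.release.url }}
        working-directory: downloads
      - name: unpack release source
        run: tar xzf downloads/${{ matrix.release.tgz }}

      # Same locale set-up as the branch jobs, which run the test suite.
      - name: localegen
        run: sudo locale-gen tr_TR.UTF-8

      - name: config release
        run: |
          ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
        working-directory: ${{ matrix.release.dir }}
      - name: config dump release
        run: ./configdata.pm --dump
        working-directory: ${{ matrix.release.dir }}

      - name: make release
        run: make -s -j4
        working-directory: ${{ matrix.release.dir }}

      # The whole built tree is archived; cross-testing unpacks it as-is.
      - name: create release artifacts
        run: |
          tar cz -H posix -f ${{ matrix.release.tgz }} ${{ matrix.release.dir }}

      - name: show module versions from release
        run: |
          ./util/wrap.pl -fips apps/openssl list -provider-path providers \
            -provider base -provider default -provider fips -provider legacy \
            -providers
        working-directory: ${{ matrix.release.dir }}

      # Must stay on v4: the cross-testing job fetches these artifacts with
      # actions/download-artifact@v4, which cannot read artifacts produced by
      # upload-artifact@v3.  (Actions here are pinned by major tag only; a
      # commit-SHA pin would be the stricter supply-chain choice.)
      - uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.release.tgz }}
          path: ${{ matrix.release.tgz }}
          retention-days: 7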

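  # Build and test each supported FIPS-capable branch, keeping the built tree
  # as an artifact for the cross-testing job.
  development-branches:
    strategy:
      matrix:
        # Currently supported FIPS capable branches should be added here.
        #     `name' is the branch name to check out.
        #     `dir' is the directory that will be used to build and test in.
        #     `tgz' is the name of the tarball used to keep the artifacts of
        #         the build.
        branch:
          - name: openssl-3.0
            dir: branch-3.0
            tgz: branch-3.0.tar.gz
          - name: openssl-3.1
            dir: branch-3.1
            tgz: branch-3.1.tar.gz
          - name: master
            dir: branch-master
            tgz: branch-master.tar.gz

    runs-on: ubuntu-latest
    steps:
      # The repository is hard-coded, so this always builds openssl/openssl's
      # branches, never a pull request's head.
      - uses: actions/checkout@v4
        with:
          path: ${{ matrix.branch.dir }}
          repository: openssl/openssl
          ref: ${{ matrix.branch.name }}
          # The checked-out directory is tarred and uploaded as an artifact
          # below, so the token checkout would otherwise leave in .git/config
          # would travel inside that artifact.  Nothing after this step needs
          # authenticated git, so do not persist it.
          persist-credentials: false
      - name: localegen
        run: sudo locale-gen tr_TR.UTF-8

      - name: config branch
        run: |
          ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
        working-directory: ${{ matrix.branch.dir }}
      - name: config dump current
        run: ./configdata.pm --dump
        working-directory: ${{ matrix.branch.dir }}

      - name: make branch
        run: make -s -j4
        working-directory: ${{ matrix.branch.dir }}

      # The whole built tree is archived; cross-testing unpacks it as-is.
      - name: create branch artifacts
        run: |
          tar cz -H posix -f ${{ matrix.branch.tgz }} ${{ matrix.branch.dir }}

      - name: show module versions from branch
        run: |
          ./util/wrap.pl -fips apps/openssl list -provider-path providers \
            -provider base -provider default -provider fips -provider legacy \
            -providers
        working-directory: ${{ matrix.branch.dir }}

      - name: get cpu info
        run: |
          cat /proc/cpuinfo
          ./util/opensslwrap.sh version -c
        working-directory: ${{ matrix.branch.dir }}

      - name: make test
        run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
        working-directory: ${{ matrix.branch.dir }}

      # Must stay on v4: the cross-testing job fetches these artifacts with
      # actions/download-artifact@v4, which cannot read artifacts produced by
      # upload-artifact@v3.  (Actions here are pinned by major tag only; a
      # commit-SHA pin would be the stricter supply-chain choice.)
      - uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.branch.tgz }}
          path: ${{ matrix.branch.tgz }}
          retention-days: 7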

  # Take the FIPS module built in tree_a and run tree_b's test suite with it.
  cross-testing:
    needs:
      - fips-releases
      - development-branches
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # These can't be figured out earlier and included here as a variable
        # substitution.
        #
        # Note that releases are not used as a test environment for later
        # providers.  Problems in these situations ought to be caught by
        # cross branch testing before the release.
        tree_a:
          - branch-master
          - branch-3.1
          - branch-3.0
          - openssl-3.0.0
          - openssl-3.0.8
          - openssl-3.0.9
          - openssl-3.1.2
        tree_b:
          - branch-master
          - branch-3.1
          - branch-3.0
    steps:
      # A tree paired with its own provider is not a cross test.  This step
      # fails (tolerated through continue-on-error) and every later step keys
      # on its outcome, so the whole combination is skipped.
      - name: early exit checks
        id: early_exit
        run: |
          if [ "${{ matrix.tree_a }}" = "${{ matrix.tree_b }}" ]; then
            echo "Skipping because both are the same version"
            exit 1
          fi
        continue-on-error: true

      - uses: actions/download-artifact@v4
        if: ${{ steps.early_exit.outcome == 'success' }}
        with:
          name: ${{ matrix.tree_a }}.tar.gz
      - name: unpack first build
        if: ${{ steps.early_exit.outcome == 'success' }}
        run: tar xzf "${{ matrix.tree_a }}.tar.gz"

      - uses: actions/download-artifact@v4
        if: ${{ steps.early_exit.outcome == 'success' }}
        with:
          name: ${{ matrix.tree_b }}.tar.gz
      - name: unpack second build
        if: ${{ steps.early_exit.outcome == 'success' }}
        run: tar xzf "${{ matrix.tree_b }}.tar.gz"

      # Copy A's FIPS module and its configuration over B's own build of them.
      - name: set up cross validation of FIPS from A with tree from B
        if: ${{ steps.early_exit.outcome == 'success' }}
        run: |
          cp providers/fips.so ../${{ matrix.tree_b }}/providers/
          cp providers/fipsmodule.cnf ../${{ matrix.tree_b }}/providers/
        working-directory: ${{ matrix.tree_a }}

      - name: show module versions from cross validation
        if: ${{ steps.early_exit.outcome == 'success' }}
        run: |
          ./util/wrap.pl -fips apps/openssl list -provider-path providers \
            -provider base -provider default -provider fips -provider legacy \
            -providers
        working-directory: ${{ matrix.tree_b }}

      - name: get cpu info
        if: ${{ steps.early_exit.outcome == 'success' }}
        run: |
          cat /proc/cpuinfo
          ./util/opensslwrap.sh version -c
        working-directory: ${{ matrix.tree_b }}

      - name: run cross validation tests of FIPS from A with tree from B
        if: ${{ steps.early_exit.outcome == 'success' }}
        run: |
          make test HARNESS_JOBS=${HARNESS_JOBS:-4}
        working-directory: ${{ matrix.tree_b }}