OWEALs
/
openssl
spogulis no git://git.openssl.org/openssl.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233
							# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# This verifies that FIPS and legacy providers built against some earlier
# released versions continue to run against the current branch.

name: Provider compatibility across versions

on: #[pull_request]
  schedule:
    - cron: '0 15 * * *'

permissions:
  contents: read

env:
  opts: enable-rc5 enable-md2 enable-ssl3 enable-weak-ssl-ciphers enable-zlib

jobs:
  fips-releases:
    strategy:
      matrix:
        release: [
          # Formally released versions should be added here.
          #     `dir' it the directory inside the tarball.
          #     `tgz' is the name of the tarball.
          #     `utl' is the download URL.
          {
            dir: openssl-3.0.0,
            tgz: openssl-3.0.0.tar.gz,
            url: "https://www.openssl.org/source/old/3.0/openssl-3.0.0.tar.gz",
          },
          {
            dir: openssl-3.0.8,
            tgz: openssl-3.0.8.tar.gz,
            url: "https://www.openssl.org/source/openssl-3.0.8.tar.gz",
          },
          {
            dir: openssl-3.0.9,
            tgz: openssl-3.0.9.tar.gz,
            url: "https://www.openssl.org/source/openssl-3.0.9.tar.gz",
          },
          {
            dir: openssl-3.1.1,
            tgz: openssl-3.1.1.tar.gz,
            url: "https://www.openssl.org/source/openssl-3.1.1.tar.gz",
          },
        ]

    runs-on: ubuntu-latest
    steps:
      - name: create download directory
        run: mkdir downloads
      - name: download release source
        run: wget --no-verbose ${{ matrix.release.url }}
        working-directory: downloads
      - name: unpack release source
        run: tar xzf downloads/${{ matrix.release.tgz }}

      - name: localegen
        run: sudo locale-gen tr_TR.UTF-8

      - name: config release
        run: |
          ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
        working-directory: ${{ matrix.release.dir }}
      - name: config dump release
        run: ./configdata.pm --dump
        working-directory: ${{ matrix.release.dir }}

      - name: make release
        run: make -s -j4
        working-directory: ${{ matrix.release.dir }}

      - name: create release artifacts
        run: |
          tar cz -H posix -f ${{ matrix.release.tgz }} ${{ matrix.release.dir }}

      - name: show module versions from release
        run: |
          ./util/wrap.pl -fips apps/openssl list -provider-path providers   \
                                                 -provider base             \
                                                 -provider default          \
                                                 -provider fips             \
                                                 -provider legacy           \
                                                 -providers
        working-directory: ${{ matrix.release.dir }}

      - uses: actions/upload-artifact@v3
        with:
          name: ${{ matrix.release.tgz }}
          path: ${{ matrix.release.tgz }}
          retention-days: 7

  development-branches:
    strategy:
      matrix:
        branch: [
          # Currently supported FIPS capable branches should be added here.
          #     `name' is the branch name used to checkout out.
          #     `dir' directory that will be used to build and test in.
          #     `tgz' is the name of the tarball use to keep the artifacts of
          #         the build.
          {
            name: openssl-3.0,
            dir: branch-3.0,
            tgz: branch-3.0.tar.gz,
          }, {
            name: openssl-3.1,
            dir: branch-3.1,
            tgz: branch-3.1.tar.gz,
          }, {
            name: master,
            dir: branch-master,
            tgz: branch-master.tar.gz,
          },
        ]

    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          path: ${{ matrix.branch.dir }}
          repository: openssl/openssl
          ref: ${{ matrix.branch.name }}
      - name: localegen
        run: sudo locale-gen tr_TR.UTF-8

      - name: config branch
        run: |
          ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
        working-directory: ${{ matrix.branch.dir }}
      - name: config dump current
        run: ./configdata.pm --dump
        working-directory: ${{ matrix.branch.dir }}

      - name: make branch
        run: make -s -j4
        working-directory: ${{ matrix.branch.dir }}

      - name: create branch artifacts
        run: |
          tar cz -H posix -f ${{ matrix.branch.tgz }} ${{ matrix.branch.dir }}

      - name: show module versions from branch
        run: |
          ./util/wrap.pl -fips apps/openssl list -provider-path providers   \
                                                 -provider base             \
                                                 -provider default          \
                                                 -provider fips             \
                                                 -provider legacy           \
                                                 -providers
        working-directory: ${{ matrix.branch.dir }}

      - name: make test
        run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
        working-directory: ${{ matrix.branch.dir }}

      - uses: actions/upload-artifact@v3
        with:
          name: ${{ matrix.branch.tgz }}
          path: ${{ matrix.branch.tgz }}
          retention-days: 7

  cross-testing:
    needs: [fips-releases, development-branches]
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # These can't be figured out earlier and included here as a variable
        # substitution.
        #
        # Note that releases are not used as a test environment for
        # later providers.  Problems in these situations ought to be
        # caught by cross branch testing before the release.
        tree_a: [ branch-master, branch-3.1, branch-3.0,
                  openssl-3.0.0, openssl-3.0.8, openssl-3.0.9, openssl-3.1.1 ]
        tree_b: [ branch-master, branch-3.1, branch-3.0  ]
    steps:
      - name: early exit checks
        id: early_exit
        run: |
          if [ "${{ matrix.tree_a }}" = "${{ matrix.tree_b }}" ];           \
          then                                                              \
            echo "Skipping because both are the same version";              \
            exit 1;                                                         \
          fi
        continue-on-error: true

      - uses: actions/download-artifact@v3
        if: steps.early_exit.outcome == 'success'
        with:
          name: ${{ matrix.tree_a }}.tar.gz
      - name: unpack first build
        if: steps.early_exit.outcome == 'success'
        run: tar xzf "${{ matrix.tree_a }}.tar.gz"

      - uses: actions/download-artifact@v3
        if: steps.early_exit.outcome == 'success'
        with:
          name: ${{ matrix.tree_b }}.tar.gz
      - name: unpack second build
        if: steps.early_exit.outcome == 'success'
        run: tar xzf "${{ matrix.tree_b }}.tar.gz"

      - name: set up cross validation of FIPS from A with tree from B
        if: steps.early_exit.outcome == 'success'
        run: |
          cp providers/fips.so ../${{ matrix.tree_b }}/providers/
          cp providers/fipsmodule.cnf ../${{ matrix.tree_b }}/providers/
        working-directory: ${{ matrix.tree_a }}

      - name: show module versions from cross validation
        if: steps.early_exit.outcome == 'success'
        run: |
          ./util/wrap.pl -fips apps/openssl list -provider-path providers   \
                                                 -provider base             \
                                                 -provider default          \
                                                 -provider fips             \
                                                 -provider legacy           \
                                                 -providers
        working-directory: ${{ matrix.tree_b }}

      - name: run cross validation tests of FIPS from A with tree from B
        if: steps.early_exit.outcome == 'success'
        run: |
          make test HARNESS_JOBS=${HARNESS_JOBS:-4}
        working-directory: ${{ matrix.tree_b }}