| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249 |
- # Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
- #
- # Licensed under the Apache License 2.0 (the "License"). You may not use
- # this file except in compliance with the License. You can obtain a copy
- # in the file LICENSE in the source distribution or at
- # https://www.openssl.org/source/license.html
- # This verifies that FIPS and legacy providers built against some earlier
- # released versions continue to run against the current branch.
- name: Provider compatibility across versions
- # NOTE: if this is being run on pull_request, it will **not** use the pull
- # request's branch. It is hardcoded to use the master branch.
- #
- on: #[pull_request]
- schedule:
- - cron: '0 15 * * *'
- permissions:
- contents: read
- env:
- opts: enable-rc5 enable-md2 enable-ssl3 enable-weak-ssl-ciphers enable-zlib
- jobs:
- fips-releases:
- strategy:
- matrix:
- release: [
- # Formally released versions should be added here.
- # `dir' it the directory inside the tarball.
- # `tgz' is the name of the tarball.
- # `url' is the download URL.
- {
- dir: openssl-3.0.0,
- tgz: openssl-3.0.0.tar.gz,
- url: "https://www.openssl.org/source/old/3.0/openssl-3.0.0.tar.gz",
- },
- {
- dir: openssl-3.0.8,
- tgz: openssl-3.0.8.tar.gz,
- url: "https://www.openssl.org/source/openssl-3.0.8.tar.gz",
- },
- {
- dir: openssl-3.0.9,
- tgz: openssl-3.0.9.tar.gz,
- url: "https://www.openssl.org/source/openssl-3.0.9.tar.gz",
- },
- {
- dir: openssl-3.1.2,
- tgz: openssl-3.1.2.tar.gz,
- url: "https://www.openssl.org/source/openssl-3.1.2.tar.gz",
- },
- ]
- runs-on: ubuntu-latest
- steps:
- - name: create download directory
- run: mkdir downloads
- - name: download release source
- run: wget --no-verbose ${{ matrix.release.url }}
- working-directory: downloads
- - name: unpack release source
- run: tar xzf downloads/${{ matrix.release.tgz }}
- - name: localegen
- run: sudo locale-gen tr_TR.UTF-8
- - name: config release
- run: |
- ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
- working-directory: ${{ matrix.release.dir }}
- - name: config dump release
- run: ./configdata.pm --dump
- working-directory: ${{ matrix.release.dir }}
- - name: make release
- run: make -s -j4
- working-directory: ${{ matrix.release.dir }}
- - name: create release artifacts
- run: |
- tar cz -H posix -f ${{ matrix.release.tgz }} ${{ matrix.release.dir }}
- - name: show module versions from release
- run: |
- ./util/wrap.pl -fips apps/openssl list -provider-path providers \
- -provider base \
- -provider default \
- -provider fips \
- -provider legacy \
- -providers
- working-directory: ${{ matrix.release.dir }}
- - uses: actions/upload-artifact@v3
- with:
- name: ${{ matrix.release.tgz }}
- path: ${{ matrix.release.tgz }}
- retention-days: 7
- development-branches:
- strategy:
- matrix:
- branch: [
- # Currently supported FIPS capable branches should be added here.
- # `name' is the branch name used to checkout out.
- # `dir' directory that will be used to build and test in.
- # `tgz' is the name of the tarball use to keep the artifacts of
- # the build.
- {
- name: openssl-3.0,
- dir: branch-3.0,
- tgz: branch-3.0.tar.gz,
- }, {
- name: openssl-3.1,
- dir: branch-3.1,
- tgz: branch-3.1.tar.gz,
- }, {
- name: master,
- dir: branch-master,
- tgz: branch-master.tar.gz,
- },
- ]
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- with:
- path: ${{ matrix.branch.dir }}
- repository: openssl/openssl
- ref: ${{ matrix.branch.name }}
- - name: localegen
- run: sudo locale-gen tr_TR.UTF-8
- - name: config branch
- run: |
- ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
- working-directory: ${{ matrix.branch.dir }}
- - name: config dump current
- run: ./configdata.pm --dump
- working-directory: ${{ matrix.branch.dir }}
- - name: make branch
- run: make -s -j4
- working-directory: ${{ matrix.branch.dir }}
- - name: create branch artifacts
- run: |
- tar cz -H posix -f ${{ matrix.branch.tgz }} ${{ matrix.branch.dir }}
- - name: show module versions from branch
- run: |
- ./util/wrap.pl -fips apps/openssl list -provider-path providers \
- -provider base \
- -provider default \
- -provider fips \
- -provider legacy \
- -providers
- working-directory: ${{ matrix.branch.dir }}
- - name: get cpu info
- run: |
- cat /proc/cpuinfo
- ./util/opensslwrap.sh version -c
- working-directory: ${{ matrix.branch.dir }}
- - name: make test
- run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
- working-directory: ${{ matrix.branch.dir }}
- - uses: actions/upload-artifact@v3
- with:
- name: ${{ matrix.branch.tgz }}
- path: ${{ matrix.branch.tgz }}
- retention-days: 7
- cross-testing:
- needs: [fips-releases, development-branches]
- runs-on: ubuntu-latest
- strategy:
- fail-fast: false
- matrix:
- # These can't be figured out earlier and included here as a variable
- # substitution.
- #
- # Note that releases are not used as a test environment for
- # later providers. Problems in these situations ought to be
- # caught by cross branch testing before the release.
- tree_a: [ branch-master, branch-3.1, branch-3.0,
- openssl-3.0.0, openssl-3.0.8, openssl-3.0.9, openssl-3.1.2 ]
- tree_b: [ branch-master, branch-3.1, branch-3.0 ]
- steps:
- - name: early exit checks
- id: early_exit
- run: |
- if [ "${{ matrix.tree_a }}" = "${{ matrix.tree_b }}" ]; \
- then \
- echo "Skipping because both are the same version"; \
- exit 1; \
- fi
- continue-on-error: true
- - uses: actions/download-artifact@v3
- if: steps.early_exit.outcome == 'success'
- with:
- name: ${{ matrix.tree_a }}.tar.gz
- - name: unpack first build
- if: steps.early_exit.outcome == 'success'
- run: tar xzf "${{ matrix.tree_a }}.tar.gz"
- - uses: actions/download-artifact@v3
- if: steps.early_exit.outcome == 'success'
- with:
- name: ${{ matrix.tree_b }}.tar.gz
- - name: unpack second build
- if: steps.early_exit.outcome == 'success'
- run: tar xzf "${{ matrix.tree_b }}.tar.gz"
- - name: set up cross validation of FIPS from A with tree from B
- if: steps.early_exit.outcome == 'success'
- run: |
- cp providers/fips.so ../${{ matrix.tree_b }}/providers/
- cp providers/fipsmodule.cnf ../${{ matrix.tree_b }}/providers/
- working-directory: ${{ matrix.tree_a }}
- - name: show module versions from cross validation
- if: steps.early_exit.outcome == 'success'
- run: |
- ./util/wrap.pl -fips apps/openssl list -provider-path providers \
- -provider base \
- -provider default \
- -provider fips \
- -provider legacy \
- -providers
- working-directory: ${{ matrix.tree_b }}
- - name: get cpu info
- if: steps.early_exit.outcome == 'success'
- run: |
- cat /proc/cpuinfo
- ./util/opensslwrap.sh version -c
- working-directory: ${{ matrix.tree_b }}
- - name: run cross validation tests of FIPS from A with tree from B
- if: steps.early_exit.outcome == 'success'
- run: |
- make test HARNESS_JOBS=${HARNESS_JOBS:-4}
- working-directory: ${{ matrix.tree_b }}
|
