1 # Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
3 # Licensed under the Apache License 2.0 (the "License"). You may not use
4 # this file except in compliance with the License. You can obtain a copy
5 # in the file LICENSE in the source distribution or at
6 # https://www.openssl.org/source/license.html
10 on: [pull_request, push]
12 # for some reason, this does not work:
15 # HARNESS_JOBS: "${HARNESS_JOBS:-4}"
17 # for some reason, this does not work:
29 runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
31 - name: install unifdef
34 sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install unifdef
35 - uses: actions/checkout@v4
39 run: ./config --banner=Configured --strict-warnings enable-fips && perl configdata.pm --dump
40 - name: make build_generated
41 run: make -s build_generated
45 run: git diff --exit-code
48 runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
50 - uses: actions/checkout@v4
52 run: ./config --banner=Configured --strict-warnings enable-fips && perl configdata.pm --dump
53 - name: make build_generated
54 run: make -s build_generated
64 # This checks that we use ANSI C language syntax and semantics.
65 # We are not as strict with libraries, but rather adapt to what's
66 # expected to be available in a certain version of each platform.
68 runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
70 - uses: actions/checkout@v4
72 run: CPPFLAGS=-ansi ./config --banner=Configured no-asm no-makedepend enable-buildtest-c++ enable-fips --strict-warnings -D_DEFAULT_SOURCE && perl configdata.pm --dump
77 runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
79 - uses: actions/checkout@v4
80 - name: checkout fuzz/corpora submodule
81 run: git submodule update --init --depth 1 fuzz/corpora
83 run: sudo locale-gen tr_TR.UTF-8
85 # enable-quic is on by default, but we leave it here to check we're testing the explicit enable somewhere
86 run: CC=gcc ./config --banner=Configured enable-fips enable-quic enable-unstable-qlog --strict-warnings && perl configdata.pm --dump
92 ./util/opensslwrap.sh version -c
94 run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
97 runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
99 - uses: actions/checkout@v4
100 - name: checkout fuzz/corpora submodule
101 run: git submodule update --init --depth 1 fuzz/corpora
103 run: CC=clang ./config --banner=Configured no-fips enable-unstable-qlog --strict-warnings && perl configdata.pm --dump
109 ./util/opensslwrap.sh version -c
111 run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
116 os: [freebsd-13.2, ubuntu-arm64-22.04]
117 runs-on: ${{ matrix.os }}-self-hosted
118 continue-on-error: true
120 - uses: actions/checkout@v4
122 run: ./config enable-fips enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace enable-unstable-qlog
124 run: ./configdata.pm --dump
128 run: ./util/opensslwrap.sh version -c
130 run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
133 runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
135 - uses: actions/checkout@v4
136 - name: checkout fuzz/corpora submodule
137 run: git submodule update --init --depth 1 fuzz/corpora
139 run: ./config --banner=Configured --strict-warnings no-bulk no-pic no-asm enable-unstable-qlog -DOPENSSL_NO_SECURE_MEMORY -DOPENSSL_SMALL_FOOTPRINT && perl configdata.pm --dump
141 run: make -j4 # verbose, so no -s here
145 ./util/opensslwrap.sh version -c
147 run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
150 runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
152 - uses: actions/checkout@v4
153 - name: checkout fuzz/corpora submodule
154 run: git submodule update --init --depth 1 fuzz/corpora
156 run: ./config --banner=Configured --strict-warnings no-deprecated enable-fips enable-unstable-qlog && perl configdata.pm --dump
162 ./util/opensslwrap.sh version -c
164 run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
167 runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
169 - uses: actions/checkout@v4
170 - name: checkout fuzz/corpora submodule
171 run: git submodule update --init --depth 1 fuzz/corpora
173 run: ./config --banner=Configured --strict-warnings no-shared no-fips enable-unstable-qlog && perl configdata.pm --dump
179 ./util/opensslwrap.sh version -c
181 run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
184 runs-on: macos-latest
185 if: github.server_url == 'https://github.com'
187 - uses: actions/checkout@v4
188 - name: checkout fuzz/corpora submodule
189 run: git submodule update --init --depth 1 fuzz/corpora
191 run: ./config --banner=Configured --strict-warnings no-shared no-fips enable-unstable-qlog && perl configdata.pm --dump
197 ./util/opensslwrap.sh version -c
199 run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
202 runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
204 - uses: actions/checkout@v4
205 - name: checkout fuzz/corpora submodule
206 run: git submodule update --init --depth 1 fuzz/corpora
208 run: ./config --banner=Configured --debug enable-asan enable-ubsan no-cached-fetch no-fips no-dtls no-tls1 no-tls1-method no-tls1_1 no-tls1_1-method no-async enable-unstable-qlog && perl configdata.pm --dump
214 ./util/opensslwrap.sh version -c
216 run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 TESTS="-test_fuzz* -test_ssl_* -test_sslapi -test_evp -test_cmp_http -test_verify -test_cms -test_store -test_enc -[01][0-9]"
218 address_ub_sanitizer:
219 runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
221 - uses: actions/checkout@v4
222 - name: checkout fuzz/corpora submodule
223 run: git submodule update --init --depth 1 fuzz/corpora
225 run: ./config --banner=Configured --debug enable-asan enable-ubsan enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips enable-unstable-qlog && perl configdata.pm --dump
231 ./util/opensslwrap.sh version -c
233 run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0
236 runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
238 - uses: actions/checkout@v4
239 - name: checkout fuzz/corpora submodule
240 run: git submodule update --init --depth 1 fuzz/corpora
242 run: ./config --banner=Configured --debug -DPEDANTIC -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION enable-asan enable-ubsan enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-weak-ssl-ciphers enable-ssl3 enable-ssl3-method enable-nextprotoneg enable-unstable-qlog && perl configdata.pm --dump
248 ./util/opensslwrap.sh version -c
250 run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 TESTS="test_fuzz*"
253 runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
255 - uses: actions/checkout@v4
256 - name: checkout fuzz/corpora submodule
257 run: git submodule update --init --depth 1 fuzz/corpora
259 # --debug -O1 is to produce a debug build that runs in a reasonable amount of time
260 run: CC=clang ./config --banner=Configured --debug -O1 -fsanitize=memory -DOSSL_SANITIZE_MEMORY -fno-optimize-sibling-calls enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips enable-unstable-qlog && perl configdata.pm --dump
266 ./util/opensslwrap.sh version -c
268 run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0
271 runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
273 - uses: actions/checkout@v4
274 - name: checkout fuzz/corpora submodule
275 run: git submodule update --init --depth 1 fuzz/corpora
277 run: CC=clang ./config --banner=Configured no-fips enable-unstable-qlog --strict-warnings -fsanitize=thread && perl configdata.pm --dump
283 ./util/opensslwrap.sh version -c
285 run: make V=1 TESTS="test_threads test_internal_provider test_provfetch test_provider test_pbe test_evp_kdf test_pkcs12 test_store test_evp test_quic*" test HARNESS_JOBS=${HARNESS_JOBS:-4}
287 enable_non-default_options:
288 runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
290 - uses: actions/checkout@v4
291 - name: checkout fuzz/corpora submodule
292 run: git submodule update --init --depth 1 fuzz/corpora
294 run: sudo modprobe tls
296 run: ./config --banner=Configured --strict-warnings no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-egd enable-ktls enable-fips no-threads enable-unstable-qlog && perl configdata.pm --dump
302 ./util/opensslwrap.sh version -c
304 run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
307 runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
309 - uses: actions/checkout@v4
310 - name: checkout fuzz/corpora submodule
311 run: git submodule update --init --depth 1 fuzz/corpora
313 run: sudo modprobe tls
315 run: sudo modprobe sctp
316 - name: Enable auth in sctp
317 run: sudo sysctl -w net.sctp.auth_enable=1
318 - name: install extra config support
319 run: sudo apt-get -y install libsctp-dev abigail-tools libzstd-dev zstd
321 run: ./config --banner=Configured --strict-warnings enable-ktls enable-fips enable-egd enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-sctp enable-ssl3 enable-ssl3-method enable-trace enable-zlib enable-zstd enable-unstable-qlog && perl configdata.pm --dump
327 ./util/opensslwrap.sh version -c
329 run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
332 runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
334 - uses: actions/checkout@v4
335 - name: checkout fuzz/corpora submodule
336 run: git submodule update --init --depth 1 fuzz/corpora
338 run: ./config --banner=Configured --strict-warnings no-legacy enable-fips enable-unstable-qlog && perl configdata.pm --dump
344 ./util/opensslwrap.sh version -c
346 run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
349 runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
351 - uses: actions/checkout@v4
352 - name: checkout fuzz/corpora submodule
353 run: git submodule update --init --depth 1 fuzz/corpora
355 run: ./config --banner=Configured -Werror --debug no-afalgeng no-shared enable-crypto-mdebug enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 no-fips enable-unstable-qlog && perl configdata.pm --dump
361 ./util/opensslwrap.sh version -c
363 run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
365 # out-of-source-and-install checks multiple things at the same time:
366 # - That building, testing and installing works from an out-of-source
368 # - That building, testing and installing works with a read-only source
370 out-of-readonly-source-and-install-ubuntu:
371 runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
373 - uses: actions/checkout@v4
376 - name: checkout fuzz/corpora submodule
377 run: git submodule update --init --depth 1 fuzz/corpora
378 working-directory: ./source
379 - name: make source read-only
380 run: chmod -R a-w ./source
381 - name: create build and install directories
387 ../source/config --banner=Configured enable-fips enable-quic enable-unstable-qlog enable-acvp-tests --strict-warnings --prefix=$(cd ../install; pwd)
388 perl configdata.pm --dump
389 working-directory: ./build
392 working-directory: ./build
396 ./util/opensslwrap.sh version -c
397 working-directory: ./build
399 run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
400 working-directory: ./build
403 working-directory: ./build
405 out-of-readonly-source-and-install-macos:
406 runs-on: macos-latest
407 if: github.server_url == 'https://github.com'
409 - uses: actions/checkout@v4
412 - name: checkout fuzz/corpora submodule
413 run: git submodule update --init --depth 1 fuzz/corpora
414 working-directory: ./source
415 - name: make source read-only
416 run: chmod -R a-w ./source
417 - name: create build and install directories
423 ../source/config --banner=Configured enable-fips enable-quic enable-unstable-qlog enable-acvp-tests --strict-warnings --prefix=$(cd ../install; pwd)
424 perl configdata.pm --dump
425 working-directory: ./build
428 working-directory: ./build
432 ./util/opensslwrap.sh version -c
433 working-directory: ./build
435 run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
436 working-directory: ./build
439 working-directory: ./build
442 runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
444 - uses: actions/checkout@v4
446 submodules: recursive
447 - name: package installs
450 sudo apt-get -yq install bison gettext keyutils ldap-utils libldap2-dev libkeyutils-dev python3 python3-paste python3-pyrad slapd tcsh python3-virtualenv virtualenv python3-kdcproxy
451 - name: install cpanm and Test2::V0 for gost_engine testing
452 uses: perl-actions/install-with-cpanm@v1
455 - name: setup hostname workaround
456 run: sudo hostname localhost
458 run: ./config --banner=Configured --strict-warnings --debug no-afalgeng enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 enable-external-tests no-fips && perl configdata.pm --dump
464 ./util/opensslwrap.sh version -c
465 - name: test external gost-engine
466 run: make test TESTS="test_external_gost_engine"
467 - name: test external krb5
468 run: make test TESTS="test_external_krb5"
469 - name: test external_tlsfuzzer
470 run: make test TESTS="test_external_tlsfuzzer"
471 - name: test external oqs-provider
472 run: make test TESTS="test_external_oqsprovider"
475 runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
483 - uses: actions/checkout@v4
485 submodules: recursive
486 - name: Configure OpenSSL
487 run: ./config --banner=Configured --strict-warnings --debug enable-external-tests && perl configdata.pm --dump
491 uses: actions/setup-python@v5.0.0
493 python-version: ${{ matrix.PYTHON }}
494 - uses: dtolnay/rust-toolchain@master
496 toolchain: ${{ matrix.RUST }}
500 ./util/opensslwrap.sh version -c
501 - name: test external pyca
502 run: make test TESTS="test_external_pyca" VERBOSE=1
504 external-test-cf-quiche:
505 runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
507 - uses: actions/checkout@v4
509 submodules: recursive
510 - name: Configure OpenSSL
511 run: ./config --banner=Configured --strict-warnings enable-external-tests && perl configdata.pm --dump
514 - uses: dtolnay/rust-toolchain@stable
518 ./util/opensslwrap.sh version -c
519 - name: test external Cloudflare quiche
520 run: make test TESTS="test_external_cf_quiche" VERBOSE=1