--- /dev/null
+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+# This verifies that FIPS and legacy providers built against some earlier
+# released versions continue to run against the current branch.
+
+name: Provider compatibility across versions
+
+on: #[pull_request]
+ schedule:
+ - cron: '0 15 * * *'
+
+permissions:
+ contents: read
+
+env:
+ opts: enable-rc5 enable-md2 enable-ssl3 enable-weak-ssl-ciphers enable-zlib
+
+jobs:
+ fips-releases:
+ strategy:
+ matrix:
+ release: [
+ # Formally released versions should be added here.
+ # `dir' it the directory inside the tarball.
+ # `tgz' is the name of the tarball.
+ # `utl' is the download URL.
+ {
+ dir: openssl-3.0.0,
+ tgz: openssl-3.0.0.tar.gz,
+ url: "https://www.openssl.org/source/old/3.0/openssl-3.0.0.tar.gz",
+ },
+ {
+ dir: openssl-3.0.8,
+ tgz: openssl-3.0.8.tar.gz,
+ url: "https://www.openssl.org/source/openssl-3.0.8.tar.gz",
+ },
+ {
+ dir: openssl-3.1.0,
+ tgz: openssl-3.1.0.tar.gz,
+ url: "https://www.openssl.org/source/openssl-3.1.0.tar.gz",
+ },
+ ]
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: create download directory
+ run: mkdir downloads
+ - name: download release source
+ run: wget --no-verbose ${{ matrix.release.url }}
+ working-directory: downloads
+ - name: unpack release source
+ run: tar xzf downloads/${{ matrix.release.tgz }}
+
+ - name: localegen
+ run: sudo locale-gen tr_TR.UTF-8
+
+ - name: config release
+ run: |
+ ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
+ working-directory: ${{ matrix.release.dir }}
+ - name: config dump release
+ run: ./configdata.pm --dump
+ working-directory: ${{ matrix.release.dir }}
+
+ - name: make release
+ run: make -s -j4
+ working-directory: ${{ matrix.release.dir }}
+
+ - name: create release artifacts
+ run: |
+ tar cz -H posix -f ${{ matrix.release.tgz }} ${{ matrix.release.dir }}
+
+ - name: show module versions from release
+ run: |
+ ./util/wrap.pl -fips apps/openssl list -provider-path providers \
+ -provider base \
+ -provider default \
+ -provider fips \
+ -provider legacy \
+ -providers
+ working-directory: ${{ matrix.release.dir }}
+
+ - uses: actions/upload-artifact@v3
+ with:
+ name: ${{ matrix.release.tgz }}
+ path: ${{ matrix.release.tgz }}
+ retention-days: 7
+
+ development-branches:
+ strategy:
+ matrix:
+ branch: [
+ # Currently supported FIPS capable branches should be added here.
+ # `name' is the branch name used to checkout out.
+ # `dir' directory that will be used to build and test in.
+ # `tgz' is the name of the tarball use to keep the artifacts of
+ # the build.
+ {
+ name: openssl-3.0,
+ dir: branch-3.0,
+ tgz: branch-3.0.tar.gz,
+ }, {
+ name: openssl-3.1,
+ dir: branch-3.1,
+ tgz: branch-3.1.tar.gz,
+ }, {
+ name: master,
+ dir: branch-master,
+ tgz: branch-master.tar.gz,
+ },
+ ]
+
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ path: ${{ matrix.branch.dir }}
+ repository: openssl/openssl
+ ref: ${{ matrix.branch.name }}
+ - name: localegen
+ run: sudo locale-gen tr_TR.UTF-8
+
+ - name: config branch
+ run: |
+ ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
+ working-directory: ${{ matrix.branch.dir }}
+ - name: config dump current
+ run: ./configdata.pm --dump
+ working-directory: ${{ matrix.branch.dir }}
+
+ - name: make branch
+ run: make -s -j4
+ working-directory: ${{ matrix.branch.dir }}
+
+ - name: create branch artifacts
+ run: |
+ tar cz -H posix -f ${{ matrix.branch.tgz }} ${{ matrix.branch.dir }}
+
+ - name: show module versions from branch
+ run: |
+ ./util/wrap.pl -fips apps/openssl list -provider-path providers \
+ -provider base \
+ -provider default \
+ -provider fips \
+ -provider legacy \
+ -providers
+ working-directory: ${{ matrix.branch.dir }}
+
+ - name: make test
+ run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
+ working-directory: ${{ matrix.branch.dir }}
+
+ - uses: actions/upload-artifact@v3
+ with:
+ name: ${{ matrix.branch.tgz }}
+ path: ${{ matrix.branch.tgz }}
+ retention-days: 7
+
+ cross-testing:
+ needs: [fips-releases, development-branches]
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ # These can't be figured out earlier and included here as a variable
+ # substitution.
+ #
+ # Note that releases are not used as a test environment for
+ # later providers. Problems in these situations ought to be
+ # caught by cross branch testing before the release.
+ tree_a: [ branch-master, branch-3.1, branch-3.0,
+ openssl-3.0.0, openssl-3.0.8, openssl-3.1.0 ]
+ tree_b: [ branch-master, branch-3.1, branch-3.0 ]
+ steps:
+ - name: early exit checks
+ id: early_exit
+ run: |
+ if [ "${{ matrix.tree_a }}" = "${{ matrix.tree_b }}" ]; \
+ then \
+ echo "Skipping because both are the same version"; \
+ exit 1; \
+ fi
+ continue-on-error: true
+
+ - uses: actions/download-artifact@v3
+ if: steps.early_exit.outcome == 'success'
+ with:
+ name: ${{ matrix.tree_a }}.tar.gz
+ - name: unpack first build
+ if: steps.early_exit.outcome == 'success'
+ run: tar xzf "${{ matrix.tree_a }}.tar.gz"
+
+ - uses: actions/download-artifact@v3
+ if: steps.early_exit.outcome == 'success'
+ with:
+ name: ${{ matrix.tree_b }}.tar.gz
+ - name: unpack second build
+ if: steps.early_exit.outcome == 'success'
+ run: tar xzf "${{ matrix.tree_b }}.tar.gz"
+
+ - name: set up cross validation of FIPS from A with tree from B
+ if: steps.early_exit.outcome == 'success'
+ run: |
+ cp providers/fips.so ../${{ matrix.tree_b }}/providers/
+ cp providers/fipsmodule.cnf ../${{ matrix.tree_b }}/providers/
+ working-directory: ${{ matrix.tree_a }}
+
+ - name: show module versions from cross validation
+ if: steps.early_exit.outcome == 'success'
+ run: |
+ ./util/wrap.pl -fips apps/openssl list -provider-path providers \
+ -provider base \
+ -provider default \
+ -provider fips \
+ -provider legacy \
+ -providers
+ working-directory: ${{ matrix.tree_b }}
+
+ - name: run cross validation tests of FIPS from A with tree from B
+ if: steps.early_exit.outcome == 'success'
+ run: |
+ make test HARNESS_JOBS=${HARNESS_JOBS:-4}
+ working-directory: ${{ matrix.tree_b }}