Add a CI run to test all older providers against master
Showing
1 changed file
with
238 additions
and
0 deletions.
@@ -0,0 +1,238 @@ | ||
# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. | ||
# | ||
# Licensed under the Apache License 2.0 (the "License"). You may not use | ||
# this file except in compliance with the License. You can obtain a copy | ||
# in the file LICENSE in the source distribution or at | ||
# https://www.openssl.org/source/license.html | ||
|
||
# This verifies that FIPS and legacy providers built against some earlier | ||
# released versions continue to run against the current branch. | ||
|
||
name: Provider compatibility across versions | ||
|
||
on: [pull_request] | ||
# schedule: | ||
# - cron: '0 7 * * *' | ||
|
||
permissions: | ||
contents: read | ||
|
||
env: | ||
opts: enable-rc5 enable-md2 enable-ssl3 enable-weak-ssl-ciphers enable-zlib | ||
|
||
jobs: | ||
fips-releases: | ||
strategy: | ||
matrix: | ||
release: [ | ||
# Formally released versions should be added here. | ||
# `dir' it the directory inside the tarball. | ||
# `tgz' is the name of the tarball. | ||
# `utl' is the download URL. | ||
# `tests' allows some tests to be skipped (e.g. if there are | ||
# some expired certificates used). | ||
{ | ||
dir: openssl-3.0.0, | ||
tgz: openssl-3.0.0.tar.gz, | ||
url: "https://www.openssl.org/source/old/3.0/openssl-3.0.0.tar.gz", | ||
tests: "TESTS='-test_ct -test_ssl_new'" | ||
}, | ||
{ | ||
dir: openssl-3.0.8, | ||
tgz: openssl-3.0.8.tar.gz, | ||
url: "https://www.openssl.org/source/openssl-3.0.8.tar.gz", | ||
}, | ||
{ | ||
dir: openssl-3.1.0, | ||
tgz: openssl-3.1.0.tar.gz, | ||
url: "https://www.openssl.org/source/openssl-3.1.0.tar.gz", | ||
}, | ||
] | ||
|
||
runs-on: ubuntu-latest | ||
steps: | ||
- name: create directories | ||
run: | | ||
mkdir downloads || echo "downloads directory already created" | ||
- name: download release source | ||
run: wget --no-verbose ${{ matrix.release.url }} | ||
working-directory: downloads | ||
- name: unpack release source | ||
run: tar xzf downloads/${{ matrix.release.tgz }} | ||
|
||
- name: localegen | ||
run: sudo locale-gen tr_TR.UTF-8 | ||
|
||
- name: config release | ||
if: false | ||
run: ./config --banner=Configured enable-shared enable-fips ${{ env.opts }} | ||
working-directory: ${{ matrix.release.dir }} | ||
- name: config dump release | ||
if: false | ||
run: ./configdata.pm --dump | ||
working-directory: ${{ matrix.release.dir }} | ||
|
||
- name: make release | ||
if: false | ||
run: make -s -j4 | ||
working-directory: ${{ matrix.release.dir }} | ||
|
||
- name: create release artifacts | ||
run: tar czf ${{ matrix.release.tgz }} ${{ matrix.release.dir }} | ||
|
||
- name: show module versions from release | ||
if: false | ||
run: | | ||
./util/wrap.pl -fips apps/openssl list -provider-path providers \ | ||
-provider base \ | ||
-provider default \ | ||
-provider fips \ | ||
-provider legacy \ | ||
-providers | ||
working-directory: ${{ matrix.release.dir }} | ||
|
||
- name: make test | ||
if: false | ||
run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} ${{ matrix.release.tests }} | ||
working-directory: ${{ matrix.release.dir }} | ||
|
||
- uses: actions/upload-artifact@v3 | ||
with: | ||
name: ${{ matrix.release.tgz }} | ||
path: ${{ matrix.release.tgz }} | ||
retention-days: 7 | ||
|
||
development-branches: | ||
strategy: | ||
matrix: | ||
branch: [ | ||
# Currently supported FIPS capable branches should be added here. | ||
# `name' is the branch name used to checkout out. | ||
# `dir' directory that will be used to build and test in. | ||
# `tgz' is the name of the tarball use to keep the artifacts of | ||
# the build. | ||
{ | ||
name: openssl-3.0, | ||
dir: branch-3.0, | ||
tgz: branch-3.0.tar.gz, | ||
}, { | ||
name: openssl-3.1, | ||
dir: branch-3.1, | ||
tgz: branch-3.1.tar.gz, | ||
}, { | ||
name: master, | ||
dir: branch-master, | ||
tgz: branch-master.tar.gz, | ||
}, | ||
] | ||
|
||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v2 | ||
with: | ||
path: ${{ matrix.branch.dir }} | ||
repository: openssl/openssl | ||
ref: ${{ matrix.branch.name }} | ||
- name: localegen | ||
run: sudo locale-gen tr_TR.UTF-8 | ||
|
||
- name: config branch | ||
if: false | ||
run: | | ||
./config --banner=Configured enable-shared enable-fips ${{ env.opts }} | ||
working-directory: ${{ matrix.branch.dir }} | ||
- name: config dump current | ||
if: false | ||
run: ./configdata.pm --dump | ||
working-directory: ${{ matrix.branch.dir }} | ||
|
||
- name: make branch | ||
if: false | ||
run: make -s -j4 | ||
working-directory: ${{ matrix.branch.dir }} | ||
|
||
- name: create branch artifacts | ||
run: tar czf ${{ matrix.branch.tgz }} ${{ matrix.branch.dir }} | ||
|
||
- name: show module versions from branch | ||
if: false | ||
run: | | ||
./util/wrap.pl -fips apps/openssl list -provider-path providers \ | ||
-provider base \ | ||
-provider default \ | ||
-provider fips \ | ||
-provider legacy \ | ||
-providers | ||
working-directory: ${{ matrix.branch.dir }} | ||
|
||
- name: test current | ||
if: false | ||
run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} | ||
working-directory: ${{ matrix.branch.dir }} | ||
|
||
- uses: actions/upload-artifact@v3 | ||
with: | ||
name: ${{ matrix.branch.tgz }} | ||
path: ${{ matrix.branch.tgz }} | ||
retention-days: 7 | ||
|
||
cross-testing: | ||
needs: [fips-releases, development-branches] | ||
runs-on: ubuntu-latest | ||
strategy: | ||
matrix: | ||
# These can't be figured out earlier and included here as a variable | ||
# substitution. Thus, there need to be two copies, both identical. | ||
# Tests of something against itself are skipped (because these are | ||
# pointless) as are tests of releases against other realease (because | ||
# they cannot possibly change over time). | ||
tree_a: [ branch-master, branch-3.1, branch-3.0, | ||
openssl-3.0.0, openssl-3.0.8, openssl-3.1.0 ] | ||
tree_b: [ branch-master, branch-3.1, branch-3.0, | ||
openssl-3.0.0, openssl-3.0.8, openssl-3.1.0 ] | ||
steps: | ||
- name: Early exit to avoid testing releases against other releases and auto-comparisons | ||
id: early_exit | ||
run: | | ||
if [ echo "${{ matrix.tree_b }}" | grep "^openssl-" ) && exit 1 | ||
if [ "${{ matrix.tree_a }}" = "${{ matrix.tree_b }}"; then exit 1; fi | ||
continue-on-error: true | ||
|
||
- name: Remaining jobs | ||
if: steps.early_exit.outcome == 'success' | ||
run: echo ${{ matrix.tree_a }} ${{ matrix.tree_b }} | ||
|
||
- name: Create directory | ||
if: steps.early_exit.outcome == 'success' | ||
run: | | ||
echo "wd=${{ matrix.tree_a }}-${{ matrix.tree_b }}" >>$GITHUB_ENV | ||
mkdir ${{ env.wd }} | ||
- uses: actions/download-artifact@v3 | ||
if: steps.early_exit.outcome == 'success' | ||
with: | ||
name: ${{ matrix.tree_a }}.tar.gz | ||
path: ${{ env.wd }}/${{ matrix.tree_a }}.tar.gz | ||
- name: ls | ||
run: | | ||
ls -R | ||
echo wd: ${{ env.wd }} | ||
- name: Unpack first build | ||
if: steps.early_exit.outcome == 'success' | ||
run: tar xzf "${{ matrix.tree_a }}.tar.gz" | ||
working-directory: ${{ env.wd }} | ||
|
||
- uses: actions/download-artifact@v3 | ||
if: steps.early_exit.outcome == 'success' | ||
with: | ||
name: ${{ matrix.tree_b }}.tar.gz | ||
path: ${{ env.wd }}/${{ matrix.tree_b }}.tar.gz | ||
- name: Unpack second build | ||
if: steps.early_exit.outcome == 'success' | ||
run: tar xzf "${{ matrix.tree_b }}.tar.gz" | ||
working-directory: ${{ env.wd }} | ||
|
||
- name: Set up validation of A with tree from B" | ||
if: false | ||
run: cp ${{ matrix.tree_a }}/providers/fips{module.cnf,.so} ${{ matrix.tree_b }}/current/providers/ | ||
working-directory: ${{ env.wd }} |
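Review bot: The `download release source` step unpacks whatever `wget` returns from `matrix.release.url` without checking a digest or signature, and once the `if: false` build steps are enabled that tree is compiled and its providers become the baseline for the cross-test. Add a `sha256` key to each `release` entry and verify in `downloads` before unpacking, e.g. `echo "${{ matrix.release.sha256 }}  ${{ matrix.release.tgz }}" | sha256sum -c -`. In `development-branches`, `tar czf` archives the whole checkout including `.git`, where `actions/checkout` by default keeps the job token unless `persist-credentials: false` is set in its `with:` block, so either set that or exclude `.git` from the uploaded artifact. Separately, the `early_exit` script does not parse (`if [ echo … )` has no `then`/`fi`, and the second test lacks its closing `]`), so with `continue-on-error: true` the step's outcome would be `failure` for every combination and every step gated on `success` is skipped. Writing the two checks as `if echo "${{ matrix.tree_b }}" | grep -q "^openssl-"; then exit 1; fi` and `if [ "${{ matrix.tree_a }}" = "${{ matrix.tree_b }}" ]; then exit 1; fi` would restore the intended skip.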