diff --git a/.github/workflows/provider-compatibility.yml b/.github/workflows/provider-compatibility.yml
new file mode 100644
index 00000000000000..1903de1fbba837
--- /dev/null
+++ b/.github/workflows/provider-compatibility.yml
@@ -0,0 +1,238 @@
+# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+# This verifies that FIPS and legacy providers built against some earlier
+# released versions continue to run against the current branch.
+
+name: Provider compatibility across versions
+
+on: [pull_request]
+# schedule:
+# - cron: '0 7 * * *'
+
+permissions:
+ contents: read
+
+env:
+ opts: enable-rc5 enable-md2 enable-ssl3 enable-weak-ssl-ciphers enable-zlib
+
+jobs:
+ fips-releases:
+ strategy:
+ matrix:
+ release: [
+ # Formally released versions should be added here.
+ # `dir' it the directory inside the tarball.
+ # `tgz' is the name of the tarball.
+ # `utl' is the download URL.
+ # `tests' allows some tests to be skipped (e.g. if there are
+ # some expired certificates used).
+ {
+ dir: openssl-3.0.0,
+ tgz: openssl-3.0.0.tar.gz,
+ url: "https://www.openssl.org/source/old/3.0/openssl-3.0.0.tar.gz",
+ tests: "TESTS='-test_ct -test_ssl_new'"
+ },
+ {
+ dir: openssl-3.0.8,
+ tgz: openssl-3.0.8.tar.gz,
+ url: "https://www.openssl.org/source/openssl-3.0.8.tar.gz",
+ },
+ {
+ dir: openssl-3.1.0,
+ tgz: openssl-3.1.0.tar.gz,
+ url: "https://www.openssl.org/source/openssl-3.1.0.tar.gz",
+ },
+ ]
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: create directories
+ run: |
+ mkdir downloads || echo "downloads directory already created"
+ - name: download release source
+ run: wget --no-verbose ${{ matrix.release.url }}
+ working-directory: downloads
+ - name: unpack release source
+ run: tar xzf downloads/${{ matrix.release.tgz }}
+
+ - name: localegen
+ run: sudo locale-gen tr_TR.UTF-8
+
+ - name: config release
+ if: false
+ run: ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
+ working-directory: ${{ matrix.release.dir }}
+ - name: config dump release
+ if: false
+ run: ./configdata.pm --dump
+ working-directory: ${{ matrix.release.dir }}
+
+ - name: make release
+ if: false
+ run: make -s -j4
+ working-directory: ${{ matrix.release.dir }}
+
+ - name: create release artifacts
+ run: tar czf ${{ matrix.release.tgz }} ${{ matrix.release.dir }}
+
+ - name: show module versions from release
+ if: false
+ run: |
+ ./util/wrap.pl -fips apps/openssl list -provider-path providers \
+ -provider base \
+ -provider default \
+ -provider fips \
+ -provider legacy \
+ -providers
+ working-directory: ${{ matrix.release.dir }}
+
+ - name: make test
+ if: false
+ run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} ${{ matrix.release.tests }}
+ working-directory: ${{ matrix.release.dir }}
+
+ - uses: actions/upload-artifact@v3
+ with:
+ name: ${{ matrix.release.tgz }}
+ path: ${{ matrix.release.tgz }}
+ retention-days: 7
+
+ development-branches:
+ strategy:
+ matrix:
+ branch: [
+ # Currently supported FIPS capable branches should be added
here.
+ # `name' is the branch name used to checkout out.
+ # `dir' directory that will be used to build and test in.
+ # `tgz' is the name of the tarball use to keep the artifacts of
+ # the build.
+ {
+ name: openssl-3.0,
+ dir: branch-3.0,
+ tgz: branch-3.0.tar.gz,
+ }, {
+ name: openssl-3.1,
+ dir: branch-3.1,
+ tgz: branch-3.1.tar.gz,
+ }, {
+ name: master,
+ dir: branch-master,
+ tgz: branch-master.tar.gz,
+ },
+ ]
+
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ path: ${{ matrix.branch.dir }}
+ repository: openssl/openssl
+ ref: ${{ matrix.branch.name }}
+ - name: localegen
+ run: sudo locale-gen tr_TR.UTF-8
+
+ - name: config branch
+ if: false
+ run: |
+ ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
+ working-directory: ${{ matrix.branch.dir }}
+ - name: config dump current
+ if: false
+ run: ./configdata.pm --dump
+ working-directory: ${{ matrix.branch.dir }}
+
+ - name: make branch
+ if: false
+ run: make -s -j4
+ working-directory: ${{ matrix.branch.dir }}
+
+ - name: create branch artifacts
+ run: tar czf ${{ matrix.branch.tgz }} ${{ matrix.branch.dir }}
+
+ - name: show module versions from branch
+ if: false
+ run: |
+ ./util/wrap.pl -fips apps/openssl list -provider-path providers \
+ -provider base \
+ -provider default \
+ -provider fips \
+ -provider legacy \
+ -providers
+ working-directory: ${{ matrix.branch.dir }}
+
+ - name: test current
+ if: false
+ run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
+ working-directory: ${{ matrix.branch.dir }}
+
+ - uses: actions/upload-artifact@v3
+ with:
+ name: ${{ matrix.branch.tgz }}
+ path: ${{ matrix.branch.tgz }}
+ retention-days: 7
+
+ cross-testing:
+ needs: [fips-releases, development-branches]
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ # These can't be figured out earlier and included here as a variable
+ # substitution. Thus, there need to be two copies, both identical.
+ # Tests of something against itself are skipped (because these are
+ # pointless) as are tests of releases against other realease (because
+ # they cannot possibly change over time).
+ tree_a: [ branch-master, branch-3.1, branch-3.0,
+ openssl-3.0.0, openssl-3.0.8, openssl-3.1.0 ]
+ tree_b: [ branch-master, branch-3.1, branch-3.0,
+ openssl-3.0.0, openssl-3.0.8, openssl-3.1.0 ]
+ steps:
+ - name: Early exit to avoid testing releases against other releases and auto-comparisons
+ id: early_exit
+ run: |
+ if [ echo "${{ matrix.tree_b }}" | grep "^openssl-" ) && exit 1
+ if [ "${{ matrix.tree_a }}" = "${{ matrix.tree_b }}"; then exit 1; fi
+ continue-on-error: true
+
+ - name: Remaining jobs
+ if: steps.early_exit.outcome == 'success'
+ run: echo ${{ matrix.tree_a }} ${{ matrix.tree_b }}
+
+ - name: Create directory
+ if: steps.early_exit.outcome == 'success'
+ run: |
+ echo "wd=${{ matrix.tree_a }}-${{ matrix.tree_b }}" >>$GITHUB_ENV
+ mkdir ${{ env.wd }}
+
+ - uses: actions/download-artifact@v3
+ if: steps.early_exit.outcome == 'success'
+ with:
+ name: ${{ matrix.tree_a }}.tar.gz
+ path: ${{ env.wd }}/${{ matrix.tree_a }}.tar.gz
+ - name: ls
+ run: |
+ ls -R
+ echo wd: ${{ env.wd }}
+ - name: Unpack first build
+ if: steps.early_exit.outcome == 'success'
+ run: tar xzf "${{ matrix.tree_a }}.tar.gz"
+ working-directory: ${{ env.wd }}
+
+ - uses: actions/download-artifact@v3
+ if: steps.early_exit.outcome == 'success'
+ with:
+ name: ${{ matrix.tree_b }}.tar.gz
+ path: ${{ env.wd }}/${{ matrix.tree_b }}.tar.gz
+ - name: Unpack second build
+ if: steps.early_exit.outcome == 'success'
+ run: tar xzf "${{ matrix.tree_b }}.tar.gz"
+ working-directory: ${{ env.wd }}
+
+ - name: Set up validation of A with tree from B"
+ if: false
+ run: cp ${{ matrix.tree_a }}/providers/fips{module.cnf,.so} ${{ matrix.tree_b }}/current/providers/
+ working-directory: ${{ env.wd }}
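Review bot: The `download release source` step fetches `${{ matrix.release.url }}` with a bare `wget` and the tarball goes straight into the build whose `fips.so` is later copied into another tree, so the release source is trusted on TLS alone with no integrity check; add a `sha256` field to each matrix entry and verify before unpacking, e.g. `echo "${{ matrix.release.sha256 }}  ${{ matrix.release.tgz }}" | sha256sum -c -` (the `.sha256`/`.asc` files OpenSSL publishes alongside each release would serve the same purpose). The `early_exit` script is also not valid shell — `if [ echo "${{ matrix.tree_b }}" | grep "^openssl-" ) && exit 1` mixes `[` with `)` and the second test lacks its closing `]` — so the step should fail to parse every time, and since it is `continue-on-error: true` with every later step gated on `steps.early_exit.outcome == 'success'`, the cross-testing job looks like it will silently skip all its work rather than test anything. The intended checks read `if echo "${{ matrix.tree_b }}" | grep -q '^openssl-'; then exit 1; fi` and `if [ "${{ matrix.tree_a }}" = "${{ matrix.tree_b }}" ]; then exit 1; fi`. In the `Create directory` step, `mkdir ${{ env.wd }}` runs in the same step that writes `wd` to `$GITHUB_ENV`, and environment additions only become visible to subsequent steps, so that expansion is presumably empty; `mkdir "${{ matrix.tree_a }}-${{ matrix.tree_b }}"` avoids the dependency. Finally, `actions/checkout@v2`, `actions/upload-artifact@v3` and `actions/download-artifact@v3` are referenced by floating major tags; pinning them to full commit SHAs keeps a re-tagged action from changing what this workflow executes.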