diff --git a/.github/workflows/build_quic_interop_container.yml b/.github/workflows/build_quic_interop_container.yml deleted file mode 100644 index ae92bcbadbf02..0000000000000 --- a/.github/workflows/build_quic_interop_container.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: "Build openssl interop container from master" - -on: - schedule: - - cron: '20 0 * * *' - workflow_dispatch: - -jobs: - update_quay_container: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: "log in to quay.io" - run: | - docker login -u openssl-ci+machine -p ${{ secrets.QUAY_IO_PASSWORD }} quay.io - - name: "Build container" - run: | - cd test/quic-openssl-docker/ - docker build -t quay.io/openssl-ci/openssl-quic-interop:latest . - - name: "Push to quay" - run: | - docker push quay.io/openssl-ci/openssl-quic-interop:latest - diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 60c56d7c763be..a22a7a81d8a85 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -25,55 +25,15 @@ env: OSSL_RUN_CI_TESTS: 1 jobs: - check_update: - runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} - steps: - - name: install unifdef - run: | - sudo apt-get update - sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install unifdef - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: config - run: ./config --banner=Configured --strict-warnings enable-fips && perl configdata.pm --dump - - name: make build_generated - run: make -s build_generated - - name: make update - run: make update - - name: git diff - run: git diff --exit-code - - check_docs: - runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} + set_global_job_id: + runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - name: config - run: ./config --banner=Configured --strict-warnings enable-fips && perl configdata.pm --dump - - name: make build_generated - run: make -s build_generated - - name: make doc-nits - run: make doc-nits - - name: make help - run: make help - - name: make md-nits + - name: capture job id run: | - sudo gem install mdl - make md-nits - - # This checks that we use ANSI C language syntax and semantics. - # We are not as strict with libraries, but rather adapt to what's - # expected to be available in a certain version of each platform. 
- check-ansi: - runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} - steps: - - uses: actions/checkout@v4 - - name: config - run: CPPFLAGS='-ansi -D_XOPEN_SOURCE=1 -D_POSIX_C_SOURCE=200809L' ./config --banner=Configured no-asm no-secure-memory no-makedepend enable-buildtest-c++ enable-fips --strict-warnings && perl configdata.pm --dump - - name: make - run: make -s -j4 + echo "GLOBAL_JOB_ID=${{ github.job }}" >> $GITHUB_ENV basic_gcc: + needs: set_global_job_id runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 
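Review bot: The value written by `echo "GLOBAL_JOB_ID=${{ github.job }}" >> $GITHUB_ENV` in the new `set_global_job_id` job never reaches `basic_gcc`, because `GITHUB_ENV` only affects later steps of the job that writes it, and `needs:` orders jobs without sharing their environment. `github.job` is also the job's key from the workflow file, so it is the same string on every run rather than a unique identifier. Artifacts are already scoped to a workflow run, so the job can be dropped and a fixed artifact name used; if a computed value really is needed, declare it under `outputs:` on the producing job and read it as `${{ needs.set_global_job_id.outputs.<name> }}`. The hunk also removes `check_update`, `check_docs` and `check-ansi`, so the commit description should say where those checks run now if that is intended. The body of `basic_gcc` continues past the end of this hunk.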
@@ -89,563 +49,35 @@ jobs: run: CC=gcc ./config --banner=Configured enable-demos enable-h3demo enable-fips enable-quic --strict-warnings && perl configdata.pm --dump - name: make run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: .github/workflows/make-test - - name: check fipsvendor - run: | - util/wrap.pl -fips apps/openssl list -providers | grep 'name: CI FIPS Provider for OpenSSL$' - - name: save artifacts - uses: actions/upload-artifact@v3 + - name: upload build tree + uses: actions/upload-artifact@v2 with: - name: "ci@basic-gcc" - path: artifacts.tar.gz + name: $GLOBAL_JOB_ID-basic-gcc-build + path: . + retention-days: 1 - basic_clang: - runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: CC=clang ./config --banner=Configured enable-demos enable-h3demo no-fips --strict-warnings && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: .github/workflows/make-test - - name: save artifacts - uses: actions/upload-artifact@v3 - with: - name: "ci@basic-clang" - path: artifacts.tar.gz - - self-hosted: - if: github.repository == 'openssl/openssl' - strategy: - matrix: - os: [freebsd-13.2, ubuntu-arm64-22.04] - runs-on: ${{ matrix.os }}-self-hosted - continue-on-error: true - steps: - - uses: actions/checkout@v4 - - name: config - run: ./config enable-demos enable-fips enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace - - name: config dump - run: ./configdata.pm --dump - - name: make - run: make -j4 - - name: get cpu info - run: ./util/opensslwrap.sh version -c - - name: make test - run: .github/workflows/make-test - 
- name: save artifacts - uses: actions/upload-artifact@v3 - with: - name: "ci@self-hosted-${{ matrix.os }}" - path: artifacts.tar.gz - - minimal: - runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: ./config --banner=Configured --strict-warnings enable-demos enable-h3demo no-bulk no-pic no-asm -DOPENSSL_NO_SECURE_MEMORY -DOPENSSL_SMALL_FOOTPRINT && perl configdata.pm --dump - - name: make - run: make -j4 # verbose, so no -s here - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: .github/workflows/make-test - - name: save artifacts - uses: actions/upload-artifact@v3 - with: - name: "ci@minimal" - path: artifacts.tar.gz - - no-deprecated: - runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: ./config --banner=Configured --strict-warnings enable-demos enable-h3demo no-deprecated enable-fips && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: .github/workflows/make-test - - name: save artifacts - uses: actions/upload-artifact@v3 + basic_gcc_tests: + needs: basic_gcc + - name: download build tree + uses: actions/download-artifact@v4 with: - name: "ci@no-deprecated" - path: artifacts.tar.gz - - no-shared-ubuntu: - runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - 
- name: config - run: ./config --banner=Configured --strict-warnings enable-demos enable-h3demo no-shared no-fips && perl configdata.pm --dump - - name: make - run: make -s -j4 + name: $GLOBAL_JOB_ID-basic-gcc-build + path: . - name: get cpu info run: | cat /proc/cpuinfo ./util/opensslwrap.sh version -c - name: make test run: .github/workflows/make-test - - name: save artifacts - uses: actions/upload-artifact@v3 - with: - name: "ci@no-shared-ubuntu" - path: artifacts.tar.gz - - no-shared-macos: - strategy: - fail-fast: false - matrix: - os: [macos-13, macos-14] - if: github.server_url == 'https://github.com' - runs-on: ${{ matrix.os }} - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: ./config --banner=Configured --strict-warnings enable-demos enable-h3demo no-shared no-fips && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - sysctl machdep.cpu - ./util/opensslwrap.sh version -c - - name: make test - run: .github/workflows/make-test - - name: save artifacts - uses: actions/upload-artifact@v3 - with: - name: "ci@no-shared-${{ matrix.os }}" - path: artifacts.tar.gz - - non-caching: - runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: Adjust ASLR for sanitizer - run: | - sudo cat /proc/sys/vm/mmap_rnd_bits - sudo sysctl -w vm.mmap_rnd_bits=28 - - name: config - run: ./config --banner=Configured --debug enable-demos enable-h3demo enable-asan enable-ubsan no-cached-fetch no-fips no-dtls no-tls1 no-tls1-method no-tls1_1 no-tls1_1-method no-async && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - 
run: .github/workflows/make-test OPENSSL_TEST_RAND_ORDER=0 TESTS="-test_fuzz* -test_ssl_* -test_sslapi -test_evp -test_cmp_http -test_verify -test_cms -test_store -test_enc -[01][0-9]" - - name: save artifacts - uses: actions/upload-artifact@v3 - with: - name: "ci@non-caching" - path: artifacts.tar.gz - - address_ub_sanitizer: - runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: Adjust ASLR for sanitizer - run: | - sudo cat /proc/sys/vm/mmap_rnd_bits - sudo sysctl -w vm.mmap_rnd_bits=28 - - name: config - run: ./config --banner=Configured --debug enable-demos enable-h3demo enable-asan enable-ubsan enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: .github/workflows/make-test OPENSSL_TEST_RAND_ORDER=0 - - name: save artifacts - uses: actions/upload-artifact@v3 - with: - name: "ci@address_ub_sanitizer" - path: artifacts.tar.gz - - fuzz_tests: - runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: Adjust ASLR for sanitizer - run: | - sudo cat /proc/sys/vm/mmap_rnd_bits - sudo sysctl -w vm.mmap_rnd_bits=28 - - name: config - run: ./config --banner=Configured --debug -DPEDANTIC -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION enable-asan enable-ubsan enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-weak-ssl-ciphers enable-ssl3 enable-ssl3-method enable-nextprotoneg && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - 
./util/opensslwrap.sh version -c - - name: make test - run: .github/workflows/make-test OPENSSL_TEST_RAND_ORDER=0 TESTS="test_fuzz*" - - name: save artifacts - uses: actions/upload-artifact@v3 - with: - name: "ci@fuzz_tests" - path: artifacts.tar.gz - if-no-files-found: ignore - - memory_sanitizer: - runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: Adjust ASLR for sanitizer - run: | - sudo cat /proc/sys/vm/mmap_rnd_bits - sudo sysctl -w vm.mmap_rnd_bits=28 - - name: config - # --debug -O1 is to produce a debug build that runs in a reasonable amount of time - run: CC=clang ./config --banner=Configured --debug -O1 -fsanitize=memory -DOSSL_SANITIZE_MEMORY -fno-optimize-sibling-calls enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: .github/workflows/make-test OPENSSL_TEST_RAND_ORDER=0 - - name: save artifacts - uses: actions/upload-artifact@v3 - with: - name: "ci@memory_sanitizer" - path: artifacts.tar.gz - - threads_sanitizer: - runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: Adjust ASLR for sanitizer - run: | - sudo cat /proc/sys/vm/mmap_rnd_bits - sudo sysctl -w vm.mmap_rnd_bits=28 - - name: config - run: CC=clang ./config --banner=Configured no-fips --strict-warnings -fsanitize=thread && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: 
.github/workflows/make-test V=1 TESTS="test_threads test_internal_provider test_provfetch test_provider test_pbe test_evp_kdf test_pkcs12 test_store test_evp test_quic*" - - name: save artifacts - uses: actions/upload-artifact@v3 - with: - name: "ci@threads_sanitizer" - path: artifacts.tar.gz - - enable_non-default_options: - runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: modprobe tls - run: sudo modprobe tls - - name: config - run: ./config --banner=Configured --strict-warnings enable-demos enable-h3demo no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-egd enable-ktls enable-fips no-threads && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: .github/workflows/make-test - - name: save artifacts - uses: actions/upload-artifact@v3 - with: - name: "ci@enable_non-default_options" - path: artifacts.tar.gz - - full_featured: - runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: modprobe tls - run: sudo modprobe tls - - name: Enable sctp - run: sudo modprobe sctp - - name: Enable auth in sctp - run: sudo sysctl -w net.sctp.auth_enable=1 - - name: install extra config support - run: sudo apt-get -y install libsctp-dev abigail-tools libzstd-dev zstd - - name: config - run: ./config --banner=Configured --strict-warnings enable-demos enable-h3demo enable-ktls enable-fips enable-egd enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-sctp enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-trace 
enable-zlib enable-zstd && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: .github/workflows/make-test - - name: save artifacts - uses: actions/upload-artifact@v3 - with: - name: "ci@full_featured" - path: artifacts.tar.gz - - no-legacy: - runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: ./config --banner=Configured --strict-warnings enable-demos enable-h3demo no-legacy enable-fips && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: .github/workflows/make-test - - name: save artifacts - uses: actions/upload-artifact@v3 - with: - name: "ci@no-legacy" - path: artifacts.tar.gz - - legacy: - runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: ./config --banner=Configured -Werror --debug no-afalgeng enable-demos enable-h3demo no-shared enable-crypto-mdebug enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 no-fips && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info + - name: check fipsvendor run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: .github/workflows/make-test + util/wrap.pl -fips apps/openssl list -providers | grep 'name: CI FIPS Provider for OpenSSL$' - name: save artifacts uses: actions/upload-artifact@v3 with: - name: "ci@legacy" + name: 
"ci@basic-gcc" path: artifacts.tar.gz - - # out-of-source-and-install checks multiple things at the same time: - # - That building, testing and installing works from an out-of-source - # build tree - # - That building, testing and installing works with a read-only source - # tree - out-of-readonly-source-and-install-ubuntu: - runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} - steps: - - uses: actions/checkout@v4 - with: - path: ./source - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - working-directory: ./source - - name: make source read-only - run: chmod -R a-w ./source - - name: create build and install directories - run: | - mkdir ./build - mkdir ./install - - name: config - run: | - ../source/config --banner=Configured enable-demos enable-h3demo enable-fips enable-quic enable-acvp-tests --strict-warnings --prefix=$(cd ../install; pwd) - perl configdata.pm --dump - working-directory: ./build - - name: make - run: make -s -j4 - working-directory: ./build - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - working-directory: ./build - - name: make test - run: ../source/.github/workflows/make-test - working-directory: ./build - - name: save artifacts - uses: actions/upload-artifact@v3 - with: - name: "ci@out-of-readonly-source-and-install-ubuntu" - path: build/artifacts.tar.gz - - name: make install - run: make install - working-directory: ./build - - out-of-readonly-source-and-install-macos: - strategy: - fail-fast: false - matrix: - os: [macos-13, macos-14] - runs-on: ${{ matrix.os }} - if: github.server_url == 'https://github.com' - steps: - - uses: actions/checkout@v4 - with: - path: ./source - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - working-directory: ./source - - name: make source read-only - run: chmod -R a-w ./source - - name: create build and install 
directories - run: | - mkdir ./build - mkdir ./install - - name: config - run: | - ../source/config --banner=Configured enable-fips enable-demos enable-h3demo enable-quic enable-acvp-tests --strict-warnings --prefix=$(cd ../install; pwd) - perl configdata.pm --dump - working-directory: ./build - - name: make - run: make -s -j4 - working-directory: ./build - - name: get cpu info - run: | - sysctl machdep.cpu - ./util/opensslwrap.sh version -c - working-directory: ./build - - name: make test - run: ../source/.github/workflows/make-test - working-directory: ./build - - name: save artifacts - uses: actions/upload-artifact@v3 - with: - name: "ci@out-of-readonly-source-and-install-${{ matrix.os }}" - path: build/artifacts.tar.gz - - name: make install - run: make install - working-directory: ./build - - external-tests: - runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} - steps: - - uses: actions/checkout@v4 - with: - submodules: recursive - - name: package installs - run: | - sudo apt-get update - sudo apt-get -yq install bison gettext keyutils ldap-utils libldap2-dev libkeyutils-dev python3 python3-paste python3-pyrad slapd tcsh python3-virtualenv virtualenv python3-kdcproxy gdb - - name: install cpanm and Test2::V0 for gost_engine testing - uses: perl-actions/install-with-cpanm@stable - with: - install: Test2::V0 - - name: setup hostname workaround - run: sudo hostname localhost - - name: config - run: ./config --banner=Configured --strict-warnings --debug no-afalgeng enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 enable-external-tests no-fips && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: test external gost-engine - run: make test TESTS="test_external_gost_engine" - - name: test external krb5 - run: make test 
TESTS="test_external_krb5" - - name: test external_tlsfuzzer - run: make test TESTS="test_external_tlsfuzzer" - - name: test external oqs-provider - run: make test TESTS="test_external_oqsprovider" - - name: test ability to produce debuginfo files - run: | - make debuginfo - gdb < <(echo -e "file ./libcrypto.so.3\nquit") > ./results - grep -q "Reading symbols from.*libcrypto\.so\.3\.debug" results - - external-test-pyca: - runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} - strategy: - matrix: - RUST: - - 1.51.0 - PYTHON: - - 3.9 - steps: - - uses: actions/checkout@v4 - with: - submodules: recursive - - name: Configure OpenSSL - run: ./config --banner=Configured --strict-warnings --debug enable-external-tests && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: Setup Python - uses: actions/setup-python@v5.2.0 - with: - python-version: ${{ matrix.PYTHON }} - - uses: dtolnay/rust-toolchain@master + - name: delete build artifacts + uses: geekyeggo/delete-artifact@v5 with: - toolchain: ${{ matrix.RUST }} - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: test external pyca - run: make test TESTS="test_external_pyca" VERBOSE=1 - - external-test-cf-quiche: - runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} - steps: - - uses: actions/checkout@v4 - with: - submodules: recursive - - name: Configure OpenSSL - run: ./config --banner=Configured --strict-warnings enable-external-tests && perl configdata.pm --dump - - name: make - run: make -s -j4 - - uses: dtolnay/rust-toolchain@stable - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: test external Cloudflare quiche - run: make test TESTS="test_external_cf_quiche" VERBOSE=1 + name: $GLOBAL_JOB_ID-basic-gcc-build 
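Review bot: The added `upload build tree` step publishes `path: .`, which is the whole checkout including `.git`, and `actions/checkout@v4` by default leaves the job token in `.git/config`, so credential material can end up in a downloadable artifact. The checkout step is outside this hunk, so confirm it sets `persist-credentials: false`, or narrow `path:` to the build outputs the test job needs. The artifact name `$GLOBAL_JOB_ID-basic-gcc-build` is never expanded, because `with:` inputs evaluate only `${{ … }}` expressions and shell variables are not substituted there; a fixed `name: basic-gcc-build` would do. `actions/upload-artifact@v2` is deprecated and its artifacts cannot be fetched by `actions/download-artifact@v4`, so both steps should be on `@v4`. `basic_gcc_tests` as added has no `runs-on:` or `steps:` key, and `geekyeggo/delete-artifact@v5` is a third-party action referenced by a mutable tag that would be safer pinned to a reviewed full commit SHA.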
diff --git a/.github/workflows/compiler-zoo.yml b/.github/workflows/compiler-zoo.yml
deleted file mode 100644
index 4b500b12f7799..0000000000000
--- a/.github/workflows/compiler-zoo.yml
+++ /dev/null
@@ -1,139 +0,0 @@ -# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. -# -# Licensed under the Apache License 2.0 (the "License"). You may not use -# this file except in compliance with the License. You can obtain a copy -# in the file LICENSE in the source distribution or at -# https://www.openssl.org/source/license.html - -name: Compiler Zoo CI - -on: [push] - -permissions: - contents: read - -jobs: - compiler: - strategy: - fail-fast: false - matrix: - zoo: [ - { - cc: gcc-7, - distro: ubuntu-20.04 - }, { - cc: gcc-8, - distro: ubuntu-20.04 - }, { - cc: gcc-9, - distro: ubuntu-20.04 - }, { - cc: gcc-10, - distro: ubuntu-20.04 - }, { - cc: gcc-11, - distro: ubuntu-22.04 - }, { - cc: gcc-12, - distro: ubuntu-22.04 - }, { - cc: gcc-13, - distro: ubuntu-22.04, - gcc-ppa-name: ubuntu-toolchain-r/test - }, { - cc: clang-6.0, - distro: ubuntu-20.04 - }, { - cc: clang-7, - distro: ubuntu-20.04 - }, { - cc: clang-8, - distro: ubuntu-20.04 - }, { - cc: clang-9, - distro: ubuntu-20.04 - }, { - cc: clang-10, - distro: ubuntu-20.04 - }, { - cc: clang-11, - distro: ubuntu-20.04 - }, { - cc: clang-12, - distro: ubuntu-20.04 - }, { - cc: clang-13, - distro: ubuntu-22.04 - }, { - cc: clang-14, - distro: ubuntu-22.04 - }, { - cc: clang-15, - distro: ubuntu-22.04, - llvm-ppa-name: jammy - }, { - cc: clang-16, - distro: ubuntu-22.04, - llvm-ppa-name: jammy - }, { - cc: clang-17, - distro: ubuntu-22.04, - llvm-ppa-name: jammy - } - ] - # We set per-compiler now to allow testing with both older and newer sets - # Often, the full range of oldest->newest compilers we want aren't available - # in a single version of Ubuntu. 
- runs-on: ${{ matrix.zoo.distro }} - steps: - - name: install packages - run: | - gcc_ppa_name="${{ matrix.zoo.gcc-ppa-name }}" - llvm_ppa_name="${{ matrix.zoo.llvm-ppa-name }}" - - # In the Matrix above: - # - we set gcc-ppc-name if the GCC version isn't part of the Ubuntu version we're using (see https://launchpad.net/~ubuntu-toolchain-r/+archive/ubuntu/test). - # - we set llvm-ppa-name if an LLVM version isn't part of the Ubuntu version we're using (see https://apt.llvm.org/). - # This is especially needed because even new Ubuntu LTSes aren't available - # until a while after release on Github Actions. - if [[ -n ${gcc_ppa_name} ]] ; then - sudo add-apt-repository ppa:ubuntu-toolchain-r/test - sudo apt-get update - elif [[ -n ${llvm_ppa_name} ]] ; then - wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key |\ - gpg --dearmor |\ - sudo tee /usr/share/keyrings/llvm-snapshot.gpg.key > /dev/null - - clang_version="${{ matrix.zoo.cc }}" - clang_version="${clang_version/clang-}" - - echo "deb [signed-by=/usr/share/keyrings/llvm-snapshot.gpg.key] http://apt.llvm.org/${{ matrix.zoo.llvm-ppa-name }}/ llvm-toolchain-${{ matrix.zoo.llvm-ppa-name }}-${clang_version} main" \ - | sudo tee /etc/apt/sources.list.d/llvm.list - echo "deb-src [signed-by=/usr/share/keyrings/llvm-snapshot.gpg.key] http://apt.llvm.org/${{ matrix.zoo.llvm-ppa-name }}/ llvm-toolchain-${{ matrix.zoo.llvm-ppa-name }}-${clang_version} main" \ - | sudo tee -a /etc/apt/sources.list.d/llvm.list - - cat /etc/apt/sources.list.d/llvm.list - fi - - sudo apt-get update - sudo apt-get -y install ${{ matrix.zoo.cc }} - - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - - name: config - run: | - CC=${{ matrix.zoo.cc }} ./config --banner=Configured no-shared \ - -Wall -Werror enable-fips --strict-warnings - - - name: config dump - run: ./configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat 
/proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml deleted file mode 100644 index 328a7573de0b5..0000000000000 --- a/.github/workflows/coveralls.yml +++ /dev/null 
@@ -1,90 +0,0 @@ -# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved. -# -# Licensed under the Apache License 2.0 (the "License"). You may not use -# this file except in compliance with the License. You can obtain a copy -# in the file LICENSE in the source distribution or at -# https://www.openssl.org/source/license.html - -name: Coverage - -# Run once a day -on: - schedule: - - cron: '49 0 * * *' - -permissions: - contents: read - -jobs: - coverage: - permissions: - checks: write # for coverallsapp/github-action to create new checks - contents: read # for actions/checkout to fetch code - strategy: - fail-fast: false - matrix: - branches: [ - { - branch: openssl-3.3, - extra_config: no-afalgeng enable-fips enable-tfo - }, { - branch: openssl-3.2, - extra_config: no-afalgeng enable-fips enable-tfo - }, { - branch: openssl-3.1, - extra_config: no-afalgeng enable-fips - }, { - branch: openssl-3.0, - extra_config: no-afalgeng enable-fips - }, { - branch: master, - extra_config: no-afalgeng enable-fips enable-tfo - } - ] - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - submodules: recursive - ref: ${{ matrix.branches.branch }} - - name: cache commit id - run: | - echo "githubid=`/usr/bin/git log -1 --format='%H'`" >>$GITHUB_ENV - - name: package installs - run: | - sudo apt-get update - sudo apt-get -yq install lcov - sudo apt-get -yq install bison gettext keyutils ldap-utils libldap2-dev libkeyutils-dev python3 python3-paste python3-pyrad slapd tcsh python3-virtualenv virtualenv python3-kdcproxy - - name: install Test2::V0 for gost_engine testing - uses: perl-actions/install-with-cpanm@stable - with: - install: Test2::V0 - - name: setup hostname workaround - run: sudo hostname localhost - - name: config - run: CC=gcc ./config --debug --coverage ${{ matrix.branches.extra_config }} no-asm enable-rc5 enable-md2 enable-ssl3 enable-nextprotoneg enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 
enable-buildtest-c++ enable-ssl-trace enable-trace - - name: config dump - run: ./configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: make test TESTS='-test_external_krb5' - - name: generate coverage info - run: lcov -d . -c - --exclude "${PWD}/test/*" - --exclude "${PWD}/test/helpers/*" - --exclude "${PWD}/test/testutil/*" - --exclude "${PWD}/fuzz/*" - --exclude "/usr/include/*" - -o ./lcov.info - - name: Coveralls upload - uses: coverallsapp/github-action@v2.3.0 - with: - github-token: ${{ secrets.github_token }} - git-branch: ${{ matrix.branches.branch }} - git-commit: ${{ env.githubid }} - path-to-lcov: ./lcov.info diff --git a/.github/workflows/cross-compiles.yml b/.github/workflows/cross-compiles.yml deleted file mode 100644 index 0d0384c8e50f2..0000000000000 --- a/.github/workflows/cross-compiles.yml +++ /dev/null 
@@ -1,226 +0,0 @@ -# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved. -# -# Licensed under the Apache License 2.0 (the "License"). You may not use -# this file except in compliance with the License. You can obtain a copy -# in the file LICENSE in the source distribution or at -# https://www.openssl.org/source/license.html - -name: Cross Compile - -on: [pull_request, push] - -permissions: - contents: read - -jobs: - cross-compilation: - strategy: - fail-fast: false - matrix: - # The platform matrix specifies: - # arch: the architecture to build for, this defines the tool-chain - # prefix {arch}- and the Debian compiler package gcc-{arch} - # name. - # libs: the Debian package for the necessary link/runtime libraries. - # target: the OpenSSL configuration target to use, this is passed - # directly to the config command line. - # fips: set to "no" to disable building FIPS, leave unset to - # build the FIPS provider. - # tests: omit this to run all the tests using QEMU, set it to "none" - # to never run the tests, otherwise its value is passed to - # the "make test" command to allow selective disabling of - # tests. - # qemucpu: optional; string that describes CPU properties. - # The string will be used to set the QEMU_CPU variable. - # opensslcapsname: optional; string that describes the postfix of the - # OpenSSL environment variable that defines CPU - # capabilities. E.g. "foo" will result in an - # environment variable with the name OPENSSL_foo. - # opensslcaps: optional; if opensslcapsname (see above) is set, then - # this string will be used as content for the OpenSSL - # capabilities variable. - # ppa: Launchpad PPA repository to download packages from. 
- platform: [ - { - arch: i386-pc-msdosdjgpp, - libs: libc-djgpp-dev libwatt-djgpp-dev djgpp-utils, - target: no-threads 386 DJGPP, - tests: none, - ppa: jwt27/djgpp-toolchain - }, { - arch: aarch64-linux-gnu, - libs: libc6-dev-arm64-cross, - target: linux-aarch64 - }, { - arch: alpha-linux-gnu, - libs: libc6.1-dev-alpha-cross, - target: linux-alpha-gcc - }, { - arch: arm-linux-gnueabi, - libs: libc6-dev-armel-cross, - target: linux-armv4, - tests: -test_includes -test_store -test_x509_store - }, { - arch: arm-linux-gnueabihf, - libs: libc6-dev-armhf-cross, - target: linux-armv4, - tests: -test_includes -test_store -test_x509_store - }, { - # gcc hppa seems to have some potential compiler issues - # with -O2 on this platform, reduce optimization to -01 - arch: hppa-linux-gnu, - libs: libc6-dev-hppa-cross, - target: -static -O1 linux-generic32, - fips: no, - tests: -test_includes -test_store -test_x509_store - }, { - arch: m68k-linux-gnu, - libs: libc6-dev-m68k-cross, - target: -static -m68040 linux-latomic -Wno-stringop-overflow, - fips: no, - tests: -test_includes -test_store -test_x509_store - }, { - arch: mips-linux-gnu, - libs: libc6-dev-mips-cross, - target: -static linux-mips32, - fips: no, - tests: -test_includes -test_store -test_x509_store - }, { - arch: mips64-linux-gnuabi64, - libs: libc6-dev-mips64-cross, - target: -static linux64-mips64, - fips: no - }, { - arch: mipsel-linux-gnu, - libs: libc6-dev-mipsel-cross, - target: linux-mips32, - tests: -test_includes -test_store -test_x509_store - }, { - arch: powerpc64le-linux-gnu, - libs: libc6-dev-ppc64el-cross, - # The default compiler for this platform on Ubuntu 20.04 seems - # buggy and causes test failures. Dropping the optimisation level - # resolves it. 
- target: -O2 linux-ppc64le - }, { - arch: riscv64-linux-gnu, - libs: libc6-dev-riscv64-cross, - target: linux64-riscv64 - }, { - arch: s390x-linux-gnu, - libs: libc6-dev-s390x-cross, - target: linux64-s390x -Wno-stringop-overflow - }, { - arch: sh4-linux-gnu, - libs: libc6-dev-sh4-cross, - target: no-async linux-latomic, - tests: -test_includes -test_store -test_x509_store - }, - - # These build with shared libraries but they crash when run - # They mirror static builds above in order to cover more of the - # code base. - { - arch: hppa-linux-gnu, - libs: libc6-dev-hppa-cross, - target: linux-generic32, - tests: none - }, { - arch: m68k-linux-gnu, - libs: libc6-dev-m68k-cross, - target: -mcfv4e -mxgot linux-latomic -Wno-stringop-overflow no-quic, - tests: none - }, { - arch: mips-linux-gnu, - libs: libc6-dev-mips-cross, - target: linux-mips32, - tests: none - }, { - arch: mips64-linux-gnuabi64, - libs: libc6-dev-mips64-cross, - target: linux64-mips64, - tests: none - }, - - # This build doesn't execute either with or without shared libraries. 
- { - arch: sparc64-linux-gnu, - libs: libc6-dev-sparc64-cross, - target: linux64-sparcv9, - tests: none - } - ] - runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} - steps: - - name: install package repository - if: matrix.platform.ppa != '' - run: | - sudo add-apt-repository ppa:${{ matrix.platform.ppa }} - - name: install packages - run: | - sudo apt-get update - sudo apt-get -yq --force-yes install \ - gcc-${{ matrix.platform.arch }} \ - ${{ matrix.platform.libs }} - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - - name: config with FIPS - if: matrix.platform.fips != 'no' - run: | - ./config --banner=Configured --strict-warnings enable-fips \ - --cross-compile-prefix=${{ matrix.platform.arch }}- \ - ${{ matrix.platform.target }} - - name: config without FIPS - if: matrix.platform.fips == 'no' - run: | - ./config --banner=Configured --strict-warnings \ - --cross-compile-prefix=${{ matrix.platform.arch }}- \ - ${{ matrix.platform.target }} - - name: config dump - run: ./configdata.pm --dump - - - name: make - run: make -s -j4 - - - name: install qemu - if: matrix.platform.tests != 'none' - run: sudo apt-get -yq --force-yes install qemu-user - - - name: Set QEMU environment - if: matrix.platform.qemucpu != '' - run: echo "QEMU_CPU=${{ matrix.platform.qemucpu }}" >> $GITHUB_ENV - - - name: Set OpenSSL caps environment - if: matrix.platform.opensslcapsname != '' - run: echo "OPENSSL_${{ matrix.platform.opensslcapsname }}=\ - ${{ matrix.platform.opensslcaps }}" >> $GITHUB_ENV - - - name: get cpu info - run: cat /proc/cpuinfo - - - name: make all tests - if: github.event_name == 'push' && matrix.platform.tests == '' - run: | - .github/workflows/make-test \ - TESTS="-test_afalg" \ - QEMU_LD_PREFIX=/usr/${{ matrix.platform.arch }} - - name: make some tests - if: github.event_name == 'push' && matrix.platform.tests != 'none' && 
matrix.platform.tests != '' - run: | - .github/workflows/make-test \ - TESTS="${{ matrix.platform.tests }} -test_afalg" \ - QEMU_LD_PREFIX=/usr/${{ matrix.platform.arch }} - - name: make evp tests - if: github.event_name == 'pull_request' && matrix.platform.tests != 'none' - run: | - .github/workflows/make-test \ - TESTS="test_evp*" \ - QEMU_LD_PREFIX=/usr/${{ matrix.platform.arch }} - - name: save artifacts - uses: actions/upload-artifact@v3 - with: - name: "cross-compiles@${{ matrix.platform.arch }}" - path: artifacts.tar.gz - if-no-files-found: ignore
diff --git a/.github/workflows/deploy-docs-openssl-org.yml b/.github/workflows/deploy-docs-openssl-org.yml
deleted file mode 100644
index 7b8e6838a7ead..0000000000000
--- a/.github/workflows/deploy-docs-openssl-org.yml
+++ /dev/null
@@ -1,23 +0,0 @@ -name: "Trigger docs.openssl.org deployment" - -on: - push: - branches: - - "openssl-3.[0-9]+" - - "master" - paths: - - "doc/man*/**" - -jobs: - trigger: - runs-on: ubuntu-latest - steps: - - name: "Trigger deployment workflow" - run: | - gh workflow run -f branch=${{ github.ref_name }} deploy-site.yaml - sleep 3 - RUN_ID=$(gh run list -w deploy-site.yaml -L 1 --json databaseId -q ".[0].databaseId") - gh run watch ${RUN_ID} --exit-status - env: - GH_REPO: "openssl/openssl-docs" - GH_TOKEN: ${{ secrets.OPENSSL_MACHINE_TOKEN }}
diff --git a/.github/workflows/fips-checksums.yml b/.github/workflows/fips-checksums.yml
deleted file mode 100644
index 1ea3195fc7527..0000000000000
--- a/.github/workflows/fips-checksums.yml
+++ /dev/null
@@ -1,119 +0,0 @@ -# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved. -# -# Licensed under the Apache License 2.0 (the "License"). You may not use -# this file except in compliance with the License. You can obtain a copy -# in the file LICENSE in the source distribution or at -# https://www.openssl.org/source/license.html - -name: FIPS Check and ABIDIFF -on: [pull_request] - -permissions: - contents: read - -jobs: - compute-checksums: - runs-on: ubuntu-latest - steps: - - name: install unifdef - run: | - sudo apt-get update - sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install unifdef - - name: create build dirs - run: | - mkdir ./build-pristine - mkdir ./source-pristine - mkdir ./build - mkdir ./source - mkdir ./artifact - - uses: actions/checkout@v4 - with: - repository: ${{ github.event.pull_request.base.repo.full_name }} - ref: ${{ github.event.pull_request.base.ref }} - path: source-pristine - - name: config pristine - run: ../source-pristine/config enable-fips - working-directory: ./build-pristine - - name: config pristine dump - run: ./configdata.pm --dump - working-directory: ./build-pristine - - name: make build_generated pristine - run: make -s build_generated - working-directory: ./build-pristine - - name: make fips-checksums pristine - run: make fips-checksums - working-directory: ./build-pristine - - uses: actions/checkout@v4 - with: - path: source - - name: config - run: ../source/config enable-fips - working-directory: ./build - - name: config dump - run: ./configdata.pm --dump - working-directory: ./build - - name: make build_generated - run: make -s build_generated - working-directory: ./build - - name: make fips-checksums - run: make fips-checksums - working-directory: ./build - - name: update checksums - run: | - cp -a build-pristine/providers/fips.module.sources.new source/providers/fips.module.sources - cp -a build-pristine/providers/fips-sources.checksums.new 
source/providers/fips-sources.checksums - cp -a build-pristine/providers/fips.checksum.new source/providers/fips.checksum - - name: make diff-fips-checksums - run: make diff-fips-checksums && touch ../artifact/fips_unchanged || ( touch ../artifact/fips_changed ; echo FIPS CHANGED ) - working-directory: ./build - - name: save PR number - run: echo ${{ github.event.number }} > ./artifact/pr_num - - name: save artifact - uses: actions/upload-artifact@v3 - with: - name: fips_checksum - path: artifact/ - - compute-abidiff: - runs-on: ubuntu-latest - env: - BUILD_OPTS: -g --strict-warnings enable-ktls enable-fips enable-egd enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-sctp enable-ssl3 enable-ssl3-method enable-trace enable-zlib enable-zstd - steps: - - name: create build dirs - run: | - mkdir ./build-pristine - mkdir ./source-pristine - mkdir ./build - mkdir ./source - mkdir ./artifact - - name: install extra config support - run: sudo apt-get -y install libsctp-dev abigail-tools libzstd-dev zstd - - uses: actions/checkout@v4 - with: - repository: ${{ github.event.pull_request.base.repo.full_name }} - ref: ${{ github.event.pull_request.base.ref }} - path: source-pristine - - name: config pristine - run: ../source-pristine/config --banner=Configured $BUILD_OPTS && perl configdata.pm --dump - working-directory: ./build-pristine - - name: make pristine - run: make -s -j4 - working-directory: ./build-pristine - - uses: actions/checkout@v4 - with: - path: source - - name: config - run: ../source/config --banner=Configured $BUILD_OPTS && perl configdata.pm --dump - working-directory: ./build - - name: make - run: make -s -j4 - working-directory: ./build - - name: abidiff - run: abidiff --headers-dir1 build-pristine/include/openssl --headers-dir2 build/include/openssl --drop-private-types ./build-pristine/libcrypto.so ./build/libcrypto.so && abidiff --headers-dir1 build-pristine/include/openssl --headers-dir2 build/include/openssl --drop-private-types 
./build-pristine/libssl.so ./build/libssl.so && touch ./artifact/abi_unchanged || ( touch ./artifact/abi_changed ; echo ABI CHANGED ) - - name: save PR number - run: echo ${{ github.event.number }} > ./artifact/pr_num - - name: save artifact - uses: actions/upload-artifact@v3 - with: - name: abidiff - path: artifact/
diff --git a/.github/workflows/fips-label.yml b/.github/workflows/fips-label.yml
deleted file mode 100644
index 50dc087bb012a..0000000000000
--- a/.github/workflows/fips-label.yml
+++ /dev/null
@@ -1,141 +0,0 @@ -# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. -# -# Licensed under the Apache License 2.0 (the "License"). You may not use -# this file except in compliance with the License. You can obtain a copy -# in the file LICENSE in the source distribution or at -# https://www.openssl.org/source/license.html - -name: FIPS and ABI Changed Label -on: - workflow_run: - workflows: ["FIPS Check and ABIDIFF"] - types: - - completed - -permissions: - contents: read - -jobs: - apply-label: - permissions: - actions: read - pull-requests: write - runs-on: ubuntu-latest - if: ${{ github.event.workflow_run.event == 'pull_request' }} - steps: - - name: 'Download fipscheck artifact' - if: ${{ github.event.workflow_run.conclusion == 'success' }} - uses: actions/github-script@v7 - with: - script: | - var artifacts = await github.rest.actions.listWorkflowRunArtifacts({ - owner: context.repo.owner, - repo: context.repo.repo, - run_id: ${{github.event.workflow_run.id }}, - }); - var matchArtifact = artifacts.data.artifacts.filter((artifact) => { - return artifact.name == "fips_checksum" - })[0]; - var download = await github.rest.actions.downloadArtifact({ - owner: context.repo.owner, - repo: context.repo.repo, - artifact_id: matchArtifact.id, - archive_format: 'zip', - }); - var fs = require('fs'); - fs.writeFileSync('${{github.workspace}}/artifact.zip', Buffer.from(download.data)); - - run: unzip artifact.zip - if: ${{ github.event.workflow_run.conclusion == 'success' }} - - name: 'Check artifact and apply' - if: ${{ github.event.workflow_run.conclusion == 'success' }} - uses: actions/github-script@v7 - with: - github-token: ${{secrets.GITHUB_TOKEN}} - script: | - var fs = require('fs'); - var pr_num = Number(fs.readFileSync('./pr_num')); - if ( fs.existsSync('./fips_changed') ) { - github.rest.issues.addLabels({ - issue_number: pr_num, - owner: context.repo.owner, - repo: context.repo.repo, - labels: ['severity: fips change'] - }); - } else if ( 
fs.existsSync('./fips_unchanged') ) { - var labels = await github.rest.issues.listLabelsOnIssue({ - issue_number: pr_num, - owner: context.repo.owner, - repo: context.repo.repo - }); - - for ( var label in labels.data ) { - if (labels.data[label].name == 'severity: fips change') { - github.rest.issues.removeLabel({ - issue_number: pr_num, - owner: context.repo.owner, - repo: context.repo.repo, - name: 'severity: fips change' - }); - } - } - } - - name: 'Cleanup artifact' - if: ${{ github.event.workflow_run.conclusion == 'success' }} - run: rm artifact.zip pr_num - - - name: 'Download abidiff artifact' - if: ${{ github.event.workflow_run.conclusion == 'success' }} - uses: actions/github-script@v7 - with: - script: | - var artifacts = await github.rest.actions.listWorkflowRunArtifacts({ - owner: context.repo.owner, - repo: context.repo.repo, - run_id: ${{github.event.workflow_run.id }}, - }); - var matchArtifact = artifacts.data.artifacts.filter((artifact) => { - return artifact.name == "abidiff" - })[0]; - var download = await github.rest.actions.downloadArtifact({ - owner: context.repo.owner, - repo: context.repo.repo, - artifact_id: matchArtifact.id, - archive_format: 'zip', - }); - var fs = require('fs'); - fs.writeFileSync('${{github.workspace}}/artifact.zip', Buffer.from(download.data)); - - run: unzip artifact.zip - if: ${{ github.event.workflow_run.conclusion == 'success' }} - - name: 'Check artifact and apply' - if: ${{ github.event.workflow_run.conclusion == 'success' }} - uses: actions/github-script@v7 - with: - github-token: ${{secrets.GITHUB_TOKEN}} - script: | - var fs = require('fs'); - var pr_num = Number(fs.readFileSync('./pr_num')); - if ( fs.existsSync('./abi_changed') ) { - github.rest.issues.addLabels({ - issue_number: pr_num, - owner: context.repo.owner, - repo: context.repo.repo, - labels: ['severity: ABI change'] - }); - } else if ( fs.existsSync('./abi_unchanged') ) { - var labels = await github.rest.issues.listLabelsOnIssue({ - issue_number: 
pr_num, - owner: context.repo.owner, - repo: context.repo.repo - }); - - for ( var label in labels.data ) { - if (labels.data[label].name == 'severity: ABI change') { - github.rest.issues.removeLabel({ - issue_number: pr_num, - owner: context.repo.owner, - repo: context.repo.repo, - name: 'severity: fips change' - }); - } - } - }
diff --git a/.github/workflows/fuzz-checker.yml b/.github/workflows/fuzz-checker.yml
deleted file mode 100644
index 8c8dfe80b32ae..0000000000000
--- a/.github/workflows/fuzz-checker.yml
+++ /dev/null
@@ -1,79 +0,0 @@ -# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved. -# -# Licensed under the Apache License 2.0 (the "License"). You may not use -# this file except in compliance with the License. You can obtain a copy -# in the file LICENSE in the source distribution or at -# https://www.openssl.org/source/license.html - -name: Fuzz-checker CI - -on: [push] - -permissions: - contents: read - -jobs: - fuzz-checker: - strategy: - fail-fast: false - matrix: - fuzzy: [ - { - name: AFL, - config: enable-fuzz-afl no-module, - install: afl++-clang, - cc: afl-clang-fast - }, { - name: libFuzzer, - config: enable-fuzz-libfuzzer enable-asan enable-ubsan, - libs: --with-fuzzer-lib=/usr/lib/llvm-12/lib/libFuzzer.a --with-fuzzer-include=/usr/include/clang/12/include/fuzzer, - install: libfuzzer-12-dev, - cc: clang-12, - linker: clang++-12, - tests: -test_memleak - }, { - name: libFuzzer+, - config: enable-fuzz-libfuzzer enable-asan enable-ubsan -fsanitize-coverage=trace-cmp -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION, - libs: --with-fuzzer-lib=/usr/lib/llvm-12/lib/libFuzzer.a --with-fuzzer-include=/usr/include/clang/12/include/fuzzer, - extra: enable-fips enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment enable-tls1_3 enable-weak-ssl-ciphers enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-nextprotoneg, - install: libfuzzer-12-dev, - cc: clang-12, - linker: clang++-12, - tests: -test_memleak - } - ] - runs-on: ubuntu-latest - steps: - - name: install packages - run: | - sudo apt-get update - sudo apt-get -yq --force-yes install ${{ matrix.fuzzy.install }} - - name: Adjust ASLR for sanitizer - run: | - sudo cat /proc/sys/vm/mmap_rnd_bits - sudo sysctl -w vm.mmap_rnd_bits=28 - - uses: actions/checkout@v4 - - - name: config - run: | - CC=${{ matrix.fuzzy.cc }} ./config --banner=Configured no-shared \ - ${{ matrix.fuzzy.config }} ${{ matrix.fuzzy.libs }} ${{ matrix.fuzzy.extra }} - - - name: config dump - run: ./configdata.pm --dump - - name: make 
with explicit linker - if: matrix.fuzzy.linker != '' - run: LDCMD=${{ matrix.fuzzy.linker }} make -s -j4 - - name: make sans explicit linker - if: matrix.fuzzy.linker == '' - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test restricted - if: matrix.fuzzy.tests != '' - run: AFL_MAP_SIZE=300000 make test HARNESS_JOBS=${HARNESS_JOBS:-4} TESTS="${{ matrix.fuzzy.tests }}" - - name: make test all - if: matrix.fuzzy.tests == '' - run: AFL_MAP_SIZE=300000 make test HARNESS_JOBS=${HARNESS_JOBS:-4}
diff --git a/.github/workflows/interop-tests.yml b/.github/workflows/interop-tests.yml
deleted file mode 100644
index 20339b55445c2..0000000000000
--- a/.github/workflows/interop-tests.yml
+++ /dev/null
@@ -1,53 +0,0 @@ -# Notes: -# /__w/openssl is the path that github bind-mounts into the container so the ci -# filesystem for this job can be reached. Please note that any changes made to -# this job involving file system paths should be made prefixed with, or relative -# to that directory -name: Interoperability tests with GnuTLS and NSS -on: - schedule: - - cron: '0 6 * * *' -jobs: - test: - runs-on: ubuntu-22.04 - container: - image: docker.io/fedora:39 - options: --sysctl net.ipv6.conf.lo.disable_ipv6=0 - timeout-minutes: 90 - strategy: - fail-fast: false - matrix: - COMPONENT: [gnutls, nss] - env: - COMPONENT: ${{ matrix.COMPONENT }} - steps: - - uses: actions/checkout@v4 - - name: Display environment - run: export - - name : Install needed tools - run: | - dnf -y install perl gcc rpmdevtools dnf-utils make tmt-all beakerlib \ - fips-mode-setup crypto-policies-scripts - - name: install interop tests - run: | - cd ${GITHUB_WORKSPACE} - git clone --branch=openssl-v0.1 --depth=1 https://gitlab.com/redhat-crypto/tests/interop.git - - name: build openssl as an rpm - run: | - mkdir -p /build/SPECS && cd /build && echo -e "%_topdir /build\n%_lto_cflags %{nil}" >~/.rpmmacros && rpmdev-setuptree - cd /build && cp ${GITHUB_WORKSPACE}/interop/openssl/openssl.spec SPECS/ && \ - cd SPECS/ && source ${GITHUB_WORKSPACE}/VERSION.dat && \ - sed -i "s/^Version: .*\$/Version: $MAJOR.$MINOR.$PATCH/" openssl.spec && \ - sed -i 's/^Release: .*$/Release: dev/' openssl.spec - yum-builddep -y /build/SPECS/openssl.spec # just for sure nothing is missing - mkdir -p /build/SOURCES - tar --transform "s/^__w\/openssl\/openssl/openssl-$MAJOR.$MINOR.$PATCH/" -czf /build/SOURCES/openssl-$MAJOR.$MINOR.$PATCH.tar.gz /__w/openssl/openssl/ - rpmbuild -bb /build/SPECS/openssl.spec - dnf install -y /build/RPMS/x86_64/openssl-* - cp ${GITHUB_WORKSPACE}/interop/openssl/openssl.cnf /etc/pki/tls/openssl.cnf - - name: Run interop tests - run: | - cd interop - tmt run -av plans -n interop tests -f "tag: 
interop-openssl & tag: interop-$COMPONENT" provision -h local execute -h tmt --interactive - openssl version - echo "Finished - important to prevent unwanted output truncating"
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
deleted file mode 100644
index 1214641901e80..0000000000000
--- a/.github/workflows/main.yml
+++ /dev/null
@@ -1,33 +0,0 @@ -# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved. -# -# Licensed under the Apache License 2.0 (the "License"). You may not use -# this file except in compliance with the License. You can obtain a copy -# in the file LICENSE in the source distribution or at -# https://www.openssl.org/source/license.html - -name: CIFuzz -on: [pull_request, push] -permissions: - contents: read - -jobs: - Fuzzing: - runs-on: ubuntu-latest - steps: - - name: Build Fuzzers - uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master - with: - oss-fuzz-project-name: 'openssl' - dry-run: false - - name: Run Fuzzers - uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master - with: - oss-fuzz-project-name: 'openssl' - fuzz-seconds: 600 - dry-run: false - - name: Upload Crash - uses: actions/upload-artifact@v3 - if: failure() - with: - name: artifacts - path: ./out/artifacts
diff --git a/.github/workflows/os-zoo.yml b/.github/workflows/os-zoo.yml
deleted file mode 100644
index 222ac52ab819c..0000000000000
--- a/.github/workflows/os-zoo.yml
+++ /dev/null
@@ -1,190 +0,0 @@ -# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved. -# -# Licensed under the Apache License 2.0 (the "License"). You may not use -# this file except in compliance with the License. You can obtain a copy -# in the file LICENSE in the source distribution or at -# https://www.openssl.org/source/license.html - -name: OS Zoo CI - -on: - schedule: - - cron: '0 5 * * *' - -permissions: - contents: read - -jobs: - alpine: - strategy: - fail-fast: false - matrix: - tag: [edge, latest] - cc: [gcc, clang] - branch: [openssl-3.0, openssl-3.1, master] - runs-on: ubuntu-latest - container: - image: docker.io/library/alpine:${{ matrix.tag }} - env: - # See https://www.openwall.com/lists/musl/2022/02/16/14 - # for the reason why -Wno-sign-compare is needed with clang - # -Wno-stringop-overflow is needed to silence a bogus - # warning on new fortify-headers with gcc - EXTRA_CFLAGS: ${{ matrix.cc == 'clang' && '-Wno-sign-compare' || matrix.tag == 'edge' && '-Wno-stringop-overflow' || '' }} - CC: ${{ matrix.cc }} - steps: - - name: install packages - run: apk --no-cache add build-base perl linux-headers ${{ matrix.cc }} - - uses: actions/checkout@v4 - with: - ref: ${{ matrix.branch }} - - name: config - run: | - ./config --banner=Configured no-shared -Wall -Werror enable-fips --strict-warnings \ - ${EXTRA_CFLAGS} - - name: config dump - run: ./configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - - linux: - strategy: - fail-fast: false - matrix: - branch: [openssl-3.0, openssl-3.1, master] - zoo: - - image: docker.io/library/debian:10 - install: apt-get update && apt-get install -y gcc make perl - - image: docker.io/library/debian:11 - install: apt-get update && apt-get install -y gcc make perl - - image: docker.io/library/debian:12 - install: apt-get update && apt-get install -y gcc make 
perl - - image: docker.io/library/ubuntu:20.04 - install: apt-get update && apt-get install -y gcc make perl - - image: docker.io/library/ubuntu:22.04 - install: apt-get update && apt-get install -y gcc make perl - - image: docker.io/library/fedora:38 - install: dnf install -y gcc make perl-core - - image: docker.io/library/fedora:39 - install: dnf install -y gcc make perl-core - - image: docker.io/library/centos:8 - install: | - sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-* && \ - sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-* && \ - dnf install -y gcc make perl-core - - image: docker.io/library/rockylinux:8 - install: dnf install -y gcc make perl-core - - image: docker.io/library/rockylinux:9 - install: dnf install -y gcc make perl-core - runs-on: ubuntu-latest - container: ${{ matrix.zoo.image }} - steps: - - uses: actions/checkout@v4 - with: - ref: ${{ matrix.branch }} - - name: install packages - run: ${{ matrix.zoo.install }} - - name: config - run: ./config - - name: config dump - run: ./configdata.pm --dump - - name: make - run: make -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - - macos: - strategy: - fail-fast: false - matrix: - branch: [openssl-3.0, openssl-3.1, master] - os: [macos-12, macos-13, macos-14] - runs-on: ${{ matrix.os }} - steps: - - uses: actions/checkout@v4 - with: - ref: ${{ matrix.branch }} - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: ./config --banner=Configured -Wall -Werror --strict-warnings enable-fips - - name: config dump - run: ./configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - sysctl machdep.cpu - ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - - windows: - strategy: - 
fail-fast: false - matrix: - branch: [openssl-3.0, openssl-3.1, master] - os: [windows-2019, windows-2022] - runs-on: ${{ matrix.os }} - steps: - - uses: actions/checkout@v4 - with: - ref: ${{ matrix.branch }} - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - uses: ilammy/msvc-dev-cmd@v1 - - uses: ilammy/setup-nasm@v1 - - name: prepare the build directory - run: mkdir _build - - name: config - working-directory: _build - run: perl ..\Configure --banner=Configured no-makedepend enable-fips - - name: config dump - working-directory: _build - run: ./configdata.pm --dump - - name: build - working-directory: _build - run: nmake /S - - name: download coreinfo - uses: suisei-cn/actions-download-file@v1.6.0 - with: - url: "https://download.sysinternals.com/files/Coreinfo.zip" - target: _build/coreinfo/ - - name: get cpu info - working-directory: _build - run: | - 7z.exe x coreinfo/Coreinfo.zip - ./Coreinfo64.exe -accepteula -f - apps/openssl.exe version -c - - name: test - working-directory: _build - run: nmake test VERBOSE_FAILURE=yes HARNESS_JOBS=4 - - self-hosted: - strategy: - matrix: - os: [freebsd-13.2, ubuntu-arm64-22.04] - runs-on: ${{ matrix.os }}-self-hosted - continue-on-error: true - steps: - - uses: actions/checkout@v4 - - name: config - run: ./config enable-fips enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace - - name: config dump - run: ./configdata.pm --dump - - name: make - run: make -j4 - - name: get cpu info - run: ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
diff --git a/.github/workflows/prov-compat-label.yml b/.github/workflows/prov-compat-label.yml
deleted file mode 100644
index d3e011f1f3225..0000000000000
--- a/.github/workflows/prov-compat-label.yml
+++ /dev/null
@@ -1,272 +0,0 @@ -# Copyright 2023-2024 The OpenSSL Project Authors. All Rights Reserved. -# -# Licensed under the Apache License 2.0 (the "License"). You may not use -# this file except in compliance with the License. You can obtain a copy -# in the file LICENSE in the source distribution or at -# https://www.openssl.org/source/license.html - -# This verifies that FIPS and legacy providers built against some earlier -# released versions continue to run against the current branch. - -name: Provider compatibility for PRs - -on: [pull_request] - -permissions: - contents: read - -env: - opts: enable-rc5 enable-md2 enable-ssl3 enable-weak-ssl-ciphers enable-zlib - -jobs: - fips-releases: - if: ${{ contains(github.event.pull_request.labels.*.name,'extended tests') }} - strategy: - matrix: - release: [ - # Formally released versions should be added here. - # `dir' it the directory inside the tarball. - # `tgz' is the name of the tarball. - # `url' is the download URL. - { - dir: openssl-3.0.0, - tgz: openssl-3.0.0.tar.gz, - url: "https://www.openssl.org/source/old/3.0/openssl-3.0.0.tar.gz", - }, - { - dir: openssl-3.0.8, - tgz: openssl-3.0.8.tar.gz, - url: "https://www.openssl.org/source/openssl-3.0.8.tar.gz", - }, - { - dir: openssl-3.0.9, - tgz: openssl-3.0.9.tar.gz, - url: "https://www.openssl.org/source/openssl-3.0.9.tar.gz", - }, - { - dir: openssl-3.1.2, - tgz: openssl-3.1.2.tar.gz, - url: "https://www.openssl.org/source/openssl-3.1.2.tar.gz", - }, - ] - - runs-on: ubuntu-latest - steps: - - name: create download directory - run: mkdir downloads - - name: download release source - run: wget --no-verbose ${{ matrix.release.url }} - working-directory: downloads - - name: unpack release source - run: tar xzf downloads/${{ matrix.release.tgz }} - - - name: localegen - run: sudo locale-gen tr_TR.UTF-8 - - - name: config release - run: | - ./config --banner=Configured enable-shared enable-fips ${{ env.opts }} - working-directory: ${{ matrix.release.dir }} - - name: 
config dump release - run: ./configdata.pm --dump - working-directory: ${{ matrix.release.dir }} - - - name: make release - run: make -s -j4 - working-directory: ${{ matrix.release.dir }} - - - name: create release artifacts - run: | - tar cz -H posix -f ${{ matrix.release.tgz }} ${{ matrix.release.dir }} - - - name: show module versions from release - run: | - ./util/wrap.pl -fips apps/openssl list -provider-path providers \ - -provider base \ - -provider default \ - -provider fips \ - -provider legacy \ - -providers - working-directory: ${{ matrix.release.dir }} - - - uses: actions/upload-artifact@v4 - with: - name: ${{ matrix.release.tgz }} - path: ${{ matrix.release.tgz }} - retention-days: 7 - - development-branches: - if: ${{ contains(github.event.pull_request.labels.*.name,'extended tests') }} - strategy: - matrix: - branch: [ - # Currently supported FIPS capable branches should be added here. - # `name' is the branch name used to checkout out. - # `dir' directory that will be used to build and test in. - # `tgz' is the name of the tarball use to keep the artifacts of - # the build. 
- { - name: '', - dir: PR, - tgz: PR.tar.gz, - }, { - name: openssl-3.0, - dir: branch-3.0, - tgz: branch-3.0.tar.gz, - }, { - name: openssl-3.1, - dir: branch-3.1, - tgz: branch-3.1.tar.gz, - }, { - name: openssl-3.2, - dir: branch-3.2, - tgz: branch-3.2.tar.gz, - }, { - name: openssl-3.3, - dir: branch-3.3, - tgz: branch-3.3.tar.gz, - }, { - name: openssl-3.4, - dir: branch-3.4, - tgz: branch-3.4.tar.gz, - }, { - name: master, - dir: branch-master, - tgz: branch-master.tar.gz, - }, - ] - - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - path: ${{ matrix.branch.dir }} - repository: openssl/openssl - ref: ${{ matrix.branch.name }} - - name: localegen - run: sudo locale-gen tr_TR.UTF-8 - - - name: config branch - run: | - ./config --banner=Configured enable-shared enable-fips ${{ env.opts }} - working-directory: ${{ matrix.branch.dir }} - - name: config dump current - run: ./configdata.pm --dump - working-directory: ${{ matrix.branch.dir }} - - - name: make branch - run: make -s -j4 - working-directory: ${{ matrix.branch.dir }} - - - name: create branch artifacts - run: | - tar cz -H posix -f ${{ matrix.branch.tgz }} ${{ matrix.branch.dir }} - - - name: show module versions from branch - run: | - ./util/wrap.pl -fips apps/openssl list -provider-path providers \ - -provider base \ - -provider default \ - -provider fips \ - -provider legacy \ - -providers - working-directory: ${{ matrix.branch.dir }} - - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - working-directory: ${{ matrix.branch.dir }} - - - uses: actions/upload-artifact@v4 - with: - name: ${{ matrix.branch.tgz }} - path: ${{ matrix.branch.tgz }} - retention-days: 7 - - cross-testing: - if: ${{ contains(github.event.pull_request.labels.*.name,'extended tests') }} - needs: [fips-releases, development-branches] - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - # These can't be figured out earlier and included here as a variable - # 
substitution. - # - # Note that releases are not used as a test environment for - # later providers. Problems in these situations ought to be - # caught by cross branch testing before the release. - tree_a: [ branch-3.4, branch-3.3, branch-3.2, branch-3.1, branch-3.0, - openssl-3.0.0, openssl-3.0.8, openssl-3.0.9, openssl-3.1.2 ] - tree_b: [ PR ] - include: - - tree_a: PR - tree_b: branch-master - - tree_a: PR - tree_b: branch-3.4 - - tree_a: PR - tree_b: branch-3.3 - - tree_a: PR - tree_b: branch-3.2 - - tree_a: PR - tree_b: branch-3.1 - - tree_a: PR - tree_b: branch-3.0 - steps: - - name: early exit checks - id: early_exit - run: | - if [ "${{ matrix.tree_a }}" = "${{ matrix.tree_b }}" ]; \ - then \ - echo "Skipping because both are the same version"; \ - exit 1; \ - fi - continue-on-error: true - - - uses: actions/download-artifact@v4.1.8 - if: steps.early_exit.outcome == 'success' - with: - name: ${{ matrix.tree_a }}.tar.gz - - name: unpack first build - if: steps.early_exit.outcome == 'success' - run: tar xzf "${{ matrix.tree_a }}.tar.gz" - - - uses: actions/download-artifact@v4.1.8 - if: steps.early_exit.outcome == 'success' - with: - name: ${{ matrix.tree_b }}.tar.gz - - name: unpack second build - if: steps.early_exit.outcome == 'success' - run: tar xzf "${{ matrix.tree_b }}.tar.gz" - - - name: set up cross validation of FIPS from A with tree from B - if: steps.early_exit.outcome == 'success' - run: | - cp providers/fips.so ../${{ matrix.tree_b }}/providers/ - cp providers/fipsmodule.cnf ../${{ matrix.tree_b }}/providers/ - working-directory: ${{ matrix.tree_a }} - - - name: show module versions from cross validation - if: steps.early_exit.outcome == 'success' - run: | - ./util/wrap.pl -fips apps/openssl list -provider-path providers \ - -provider base \ - -provider default \ - -provider fips \ - -provider legacy \ - -providers - working-directory: ${{ matrix.tree_b }} - - - name: get cpu info - if: steps.early_exit.outcome == 'success' - run: | - cat 
/proc/cpuinfo - ./util/opensslwrap.sh version -c - working-directory: ${{ matrix.tree_b }} - - - name: run cross validation tests of FIPS from A with tree from B - if: steps.early_exit.outcome == 'success' - run: | - make test HARNESS_JOBS=${HARNESS_JOBS:-4} - working-directory: ${{ matrix.tree_b }} diff --git a/.github/workflows/provider-compatibility.yml b/.github/workflows/provider-compatibility.yml deleted file mode 100644 index 164da763da24f..0000000000000 --- a/.github/workflows/provider-compatibility.yml +++ /dev/null 
@@ -1,263 +0,0 @@
-# Copyright 2023-2024 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License"). You may not use
-# this file except in compliance with the License. You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-# This verifies that FIPS and legacy providers built against some earlier
-# released versions continue to run against the current branch.
-
-name: Provider compatibility across versions
-
-# NOTE: if this is being run on pull_request, it will **not** use the pull
-# request's branch. It is hardcoded to use the master branch.
-#
-on: #[pull_request]
- schedule:
- - cron: '0 15 * * *'
-
-permissions:
- contents: read
-
-env:
- opts: enable-rc5 enable-md2 enable-ssl3 enable-weak-ssl-ciphers enable-zlib
-
-jobs:
- fips-releases:
- strategy:
- matrix:
- release: [
- # Formally released versions should be added here.
- # `dir' it the directory inside the tarball.
- # `tgz' is the name of the tarball.
- # `url' is the download URL.
- {
- dir: openssl-3.0.0,
- tgz: openssl-3.0.0.tar.gz,
- url: "https://www.openssl.org/source/old/3.0/openssl-3.0.0.tar.gz",
- },
- {
- dir: openssl-3.0.8,
- tgz: openssl-3.0.8.tar.gz,
- url: "https://www.openssl.org/source/openssl-3.0.8.tar.gz",
- },
- {
- dir: openssl-3.0.9,
- tgz: openssl-3.0.9.tar.gz,
- url: "https://www.openssl.org/source/openssl-3.0.9.tar.gz",
- },
- {
- dir: openssl-3.1.2,
- tgz: openssl-3.1.2.tar.gz,
- url: "https://www.openssl.org/source/openssl-3.1.2.tar.gz",
- },
- ]
-
- runs-on: ubuntu-latest
- steps:
- - name: create download directory
- run: mkdir downloads
- - name: download release source
- run: wget --no-verbose ${{ matrix.release.url }}
- working-directory: downloads
- - name: unpack release source
- run: tar xzf downloads/${{ matrix.release.tgz }}
-
- - name: localegen
- run: sudo locale-gen tr_TR.UTF-8
-
- - name: config release
- run: |
- ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
- working-directory: ${{ matrix.release.dir }}
- - name: config dump release
- run: ./configdata.pm --dump
- working-directory: ${{ matrix.release.dir }}
-
- - name: make release
- run: make -s -j4
- working-directory: ${{ matrix.release.dir }}
-
- - name: create release artifacts
- run: |
- tar cz -H posix -f ${{ matrix.release.tgz }} ${{ matrix.release.dir }}
-
- - name: show module versions from release
- run: |
- ./util/wrap.pl -fips apps/openssl list -provider-path providers \
- -provider base \
- -provider default \
- -provider fips \
- -provider legacy \
- -providers
- working-directory: ${{ matrix.release.dir }}
-
- - uses: actions/upload-artifact@v4
- with:
- name: ${{ matrix.release.tgz }}
- path: ${{ matrix.release.tgz }}
- retention-days: 7
-
- development-branches:
- strategy:
- matrix:
- branch: [
- # Currently supported FIPS capable branches should be added here.
- # `name' is the branch name used to checkout out.
- # `dir' directory that will be used to build and test in.
- # `tgz' is the name of the tarball use to keep the artifacts of - # the build. - { - name: openssl-3.0, - dir: branch-3.0, - tgz: branch-3.0.tar.gz, - }, { - name: openssl-3.1, - dir: branch-3.1, - tgz: branch-3.1.tar.gz, - }, { - name: openssl-3.2, - dir: branch-3.2, - tgz: branch-3.2.tar.gz, - }, { - name: openssl-3.3, - dir: branch-3.3, - tgz: branch-3.3.tar.gz, - }, { - name: openssl-3.4, - dir: branch-3.4, - tgz: branch-3.4.tar.gz, - }, { - name: master, - dir: branch-master, - tgz: branch-master.tar.gz, - }, - ] - - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - path: ${{ matrix.branch.dir }} - repository: openssl/openssl - ref: ${{ matrix.branch.name }} - - name: localegen - run: sudo locale-gen tr_TR.UTF-8 - - - name: config branch - run: | - ./config --banner=Configured enable-shared enable-fips ${{ env.opts }} - working-directory: ${{ matrix.branch.dir }} - - name: config dump current - run: ./configdata.pm --dump - working-directory: ${{ matrix.branch.dir }} - - - name: make branch - run: make -s -j4 - working-directory: ${{ matrix.branch.dir }} - - - name: create branch artifacts - run: | - tar cz -H posix -f ${{ matrix.branch.tgz }} ${{ matrix.branch.dir }} - - - name: show module versions from branch - run: | - ./util/wrap.pl -fips apps/openssl list -provider-path providers \ - -provider base \ - -provider default \ - -provider fips \ - -provider legacy \ - -providers - working-directory: ${{ matrix.branch.dir }} - - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - working-directory: ${{ matrix.branch.dir }} - - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - working-directory: ${{ matrix.branch.dir }} - - - uses: actions/upload-artifact@v4 - with: - name: ${{ matrix.branch.tgz }} - path: ${{ matrix.branch.tgz }} - retention-days: 7 - - cross-testing: - needs: [fips-releases, development-branches] - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - # 
These can't be figured out earlier and included here as a variable - # substitution. - # - # Note that releases are not used as a test environment for - # later providers. Problems in these situations ought to be - # caught by cross branch testing before the release. - tree_a: [ branch-master, branch-3.4, branch-3.3, - branch-3.2, branch-3.1, branch-3.0, - openssl-3.0.0, openssl-3.0.8, openssl-3.0.9, openssl-3.1.2 ] - tree_b: [ branch-master, branch-3.4, branch-3.3, - branch-3.2, branch-3.1, branch-3.0 ] - steps: - - name: early exit checks - id: early_exit - run: | - if [ "${{ matrix.tree_a }}" = "${{ matrix.tree_b }}" ]; \ - then \ - echo "Skipping because both are the same version"; \ - exit 1; \ - fi - continue-on-error: true - - - uses: actions/download-artifact@v4.1.8 - if: steps.early_exit.outcome == 'success' - with: - name: ${{ matrix.tree_a }}.tar.gz - - name: unpack first build - if: steps.early_exit.outcome == 'success' - run: tar xzf "${{ matrix.tree_a }}.tar.gz" - - - uses: actions/download-artifact@v4.1.8 - if: steps.early_exit.outcome == 'success' - with: - name: ${{ matrix.tree_b }}.tar.gz - - name: unpack second build - if: steps.early_exit.outcome == 'success' - run: tar xzf "${{ matrix.tree_b }}.tar.gz" - - - name: set up cross validation of FIPS from A with tree from B - if: steps.early_exit.outcome == 'success' - run: | - cp providers/fips.so ../${{ matrix.tree_b }}/providers/ - cp providers/fipsmodule.cnf ../${{ matrix.tree_b }}/providers/ - working-directory: ${{ matrix.tree_a }} - - - name: show module versions from cross validation - if: steps.early_exit.outcome == 'success' - run: | - ./util/wrap.pl -fips apps/openssl list -provider-path providers \ - -provider base \ - -provider default \ - -provider fips \ - -provider legacy \ - -providers - working-directory: ${{ matrix.tree_b }} - - - name: get cpu info - if: steps.early_exit.outcome == 'success' - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - working-directory: ${{ 
matrix.tree_b }} - - - name: run cross validation tests of FIPS from A with tree from B - if: steps.early_exit.outcome == 'success' - run: | - make test HARNESS_JOBS=${HARNESS_JOBS:-4} - working-directory: ${{ matrix.tree_b }} diff --git a/.github/workflows/run-checker-ci.yml b/.github/workflows/run-checker-ci.yml deleted file mode 100644 index 04a3fc20801ff..0000000000000 --- a/.github/workflows/run-checker-ci.yml +++ /dev/null @@ -1,63 +0,0 @@ -# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved. -# -# Licensed under the Apache License 2.0 (the "License"). You may not use -# this file except in compliance with the License. You can obtain a copy -# in the file LICENSE in the source distribution or at -# https://www.openssl.org/source/license.html - -# Jobs run per pull request submission -name: Run-checker CI -on: [pull_request, push] -permissions: - contents: read - -env: - OSSL_RUN_CI_TESTS: 1 - -jobs: - run-checker: - strategy: - fail-fast: false - matrix: - opt: [ - no-cmp, - no-cms, - no-dgram, - no-dh, - no-dtls, - no-ec, - no-ecx, - no-http, - no-legacy, - no-sock, - enable-ssl-trace, - no-stdio, - no-threads, - no-thread-pool, - no-default-thread-pool, - no-tls, - no-tls1_2, - no-tls1_3, - enable-trace enable-fips, - no-ui, - no-quic - ] - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: CC=clang ./config --banner=Configured --strict-warnings ${{ matrix.opt }} - - name: config dump - run: ./configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - if [ -x apps/openssl ] ; then ./util/opensslwrap.sh version -c ; fi - - name: Check platform symbol usage - run: ./util/checkplatformsyms.pl ./util/platform_symbols/unix-symbols.txt ./libcrypto.so ./libssl.so - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} 
diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml
deleted file mode 100644
index f4af3eb9a8a7a..0000000000000
--- a/.github/workflows/run-checker-daily.yml
+++ /dev/null
@@ -1,372 +0,0 @@ -# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved. -# -# Licensed under the Apache License 2.0 (the "License"). You may not use -# this file except in compliance with the License. You can obtain a copy -# in the file LICENSE in the source distribution or at -# https://www.openssl.org/source/license.html - -name: Run-checker daily -# Jobs run daily - -on: - schedule: - - cron: '0 6 * * *' -permissions: - contents: read - -jobs: - run-checker: - strategy: - fail-fast: false - matrix: - opt: [ - 386, - no-afalgeng, - no-apps, - no-aria, - no-asan, - no-asm, - no-async, - no-atexit, - no-autoalginit, - no-autoerrinit, - no-autoload-config, - no-bf, - no-blake2, - no-buildtest-c++, - no-bulk, - no-cached-fetch, - no-camellia, - no-capieng, - no-cast, - no-chacha, - no-cmac, - no-comp, - enable-crypto-mdebug, - no-crypto-mdebug, - enable-crypto-mdebug-backtrace, - no-crypto-mdebug-backtrace, - no-deprecated, - no-des, - no-devcryptoeng, - no-docs, - no-dsa, - no-dtls1, - no-dtls1_2, - no-dtls1_2-method, - no-dtls1-method, - no-ecdh, - no-ecdsa, - enable-ec_nistp_64_gcc_128, - no-ec_nistp_64_gcc_128, - enable-egd, - no-egd, - no-engine, - no-external-tests, - enable-fips, - enable-fips enable-acvp-tests, - enable-fips no-tls1_3, - no-fuzz-afl, - no-fuzz-libfuzzer, - no-gost, - enable-heartbeats, - no-heartbeats, - no-hw, - no-hw-padlock, - no-idea, - no-makedepend, - enable-md2, - no-md2, - no-md4, - no-mdc2, - no-msan, - no-multiblock, - no-nextprotoneg, - no-ocb, - no-padlockeng, - no-pic, - no-poly1305, - no-posix-io, - no-psk, - no-rc2, - no-rc4, - enable-rc5, - no-rc5, - no-rdrand, - no-rfc3779, - no-ripemd, - no-rmd160, - no-scrypt, - no-secure-memory, - no-seed, - no-shared, - no-siphash, - no-siv, - no-sm2, - no-sm2-precomp, - no-sm3, - no-sm4, - no-sock, - no-sse2, - no-ssl, - no-ssl3, - no-ssl3-method, - no-ssl-trace, - no-static-engine no-shared, - no-tests, - enable-tfo, - no-tls1, - no-tls1_1, - no-tls1_1-method, - 
no-tls1_2-method, - no-tls1-method, - no-trace, - no-ubsan, - no-ui-console, - no-unit-test, - enable-unit-test, - no-uplink, - no-weak-ssl-ciphers, - no-whirlpool, - no-zlib, - enable-zlib-dynamic, - no-zlib-dynamic, - -DOPENSSL_NO_BUILTIN_OVERFLOW_CHECKING, - -DSSL3_ALIGN_PAYLOAD=4 - ] - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: CC=clang ./config --banner=Configured --strict-warnings ${{ matrix.opt }} - - name: config dump - run: ./configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - if [ -x apps/openssl ] ; then ./util/opensslwrap.sh version -c ; fi - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - - run-checker-sctp: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: Install Dependencies for sctp option - run: | - sudo apt-get update - sudo apt-get -yq install lksctp-tools libsctp-dev - - - name: Check SCTP and enable auth - id: sctp_auth - continue-on-error: true - run: | - checksctp - sudo sysctl -w net.sctp.auth_enable=1 - - - name: config - if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success' - run: CC=clang ./config --banner=Configured --strict-warnings enable-sctp - - - name: config dump - if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success' - run: ./configdata.pm --dump - - - name: make - if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success' - run: make -s -j4 - - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - - name: make test - if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success' - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - - jitter: - runs-on: 
ubuntu-latest - steps: - - name: checkout openssl - uses: actions/checkout@v4 - - name: checkout jitter - uses: actions/checkout@v4 - with: - repository: smuellerDD/jitterentropy-library - ref: v3.5.0 - path: jitter - - name: build jitter - run: make -C jitter/ - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: ./config --with-rand-seed=none enable-jitter --with-jitter-include=jitter/ --with-jitter-lib=jitter/ -DOPENSSL_DEFAULT_SEED_SRC=JITTER && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - - enable_brotli_dynamic: - runs-on: ubuntu-latest - steps: - - name: install brotli - run: | - sudo apt-get update - sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install brotli libbrotli1 libbrotli-dev - - name: checkout openssl - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: ./config enable-comp enable-brotli enable-brotli-dynamic && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - - enable_zstd_dynamic: - runs-on: ubuntu-latest - steps: - - name: install zstd - run: | - sudo apt-get update - sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install zstd libzstd1 libzstd-dev - - name: checkout openssl - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: ./config enable-comp enable-zstd enable-zstd-dynamic && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo 
- ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - - enable_brotli_and_zstd_dynamic: - runs-on: ubuntu-latest - steps: - - name: install brotli and zstd - run: | - sudo apt-get update - sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install brotli libbrotli1 libbrotli-dev - sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install zstd libzstd1 libzstd-dev - - name: checkout openssl - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: ./config enable-comp enable-brotli enable-brotli-dynamic enable-zstd enable-zstd-dynamic && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - - enable_brotli_and_asan_ubsan: - runs-on: ubuntu-latest - steps: - - name: install brotli - run: | - sudo apt-get update - sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install brotli libbrotli1 libbrotli-dev - - name: checkout openssl - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: Adjust ASLR for sanitizer - run: | - sudo cat /proc/sys/vm/mmap_rnd_bits - sudo sysctl -w vm.mmap_rnd_bits=28 - - name: config - run: ./config --banner=Configured --debug enable-asan enable-ubsan enable-comp enable-brotli -DPEDANTIC && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 - - enable_zstd_and_asan_ubsan: - runs-on: ubuntu-latest - steps: - - name: install zstd - run: | - sudo apt-get update - sudo apt-get -yq --no-install-suggests 
--no-install-recommends --force-yes install zstd libzstd1 libzstd-dev - - name: checkout openssl - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: Adjust ASLR for sanitizer - run: | - sudo cat /proc/sys/vm/mmap_rnd_bits - sudo sysctl -w vm.mmap_rnd_bits=28 - - name: config - run: ./config --banner=Configured --debug enable-asan enable-ubsan enable-comp enable-zstd -DPEDANTIC && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 - - enable_tfo: - strategy: - matrix: - os: [ ubuntu-latest, macos-13, macos-14 ] - runs-on: ${{matrix.os}} - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: CC=gcc ./config --banner=Configured enable-tfo --strict-warnings && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - - enable_buildtest: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: ./config --banner=Configured no-asm no-makedepend enable-buildtest-c++ enable-fips --strict-warnings -D_DEFAULT_SOURCE && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} diff --git a/.github/workflows/run-checker-merge.yml b/.github/workflows/run-checker-merge.yml deleted file mode 100644 index 98dcde18b97b9..0000000000000 
--- a/.github/workflows/run-checker-merge.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License"). You may not use
-# this file except in compliance with the License. You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-name: Run-checker merge
-# Jobs run per merge to master
-
-on: [push]
-permissions:
- contents: read
-
-jobs:
- run-checker:
- strategy:
- fail-fast: false
- matrix:
- opt: [
- enable-asan enable-ubsan no-shared no-asm -DOPENSSL_SMALL_FOOTPRINT,
- no-ct,
- no-dso,
- no-dynamic-engine,
- no-ec2m,
- no-engine no-shared,
- no-err,
- no-filenames,
- enable-ubsan no-asm -DOPENSSL_SMALL_FOOTPRINT -fno-sanitize=alignment,
- no-module,
- no-ocsp,
- no-pinshared,
- no-srp,
- no-srtp,
- no-ts,
- no-integrity-only-ciphers,
- enable-weak-ssl-ciphers,
- enable-zlib,
- enable-pie,
- ]
- runs-on: ubuntu-latest
- steps:
- - name: Adjust ASLR for sanitizer
- run: |
- sudo cat /proc/sys/vm/mmap_rnd_bits
- sudo sysctl -w vm.mmap_rnd_bits=28
- - uses: actions/checkout@v4
- - name: checkout fuzz/corpora submodule
- run: git submodule update --init --depth 1 fuzz/corpora
- - name: config
- run: CC=clang ./config --banner=Configured --strict-warnings ${{ matrix.opt }}
- - name: config dump
- run: ./configdata.pm --dump
- - name: make
- run: make -s -j4
- - name: get cpu info
- run: |
- cat /proc/cpuinfo
- if [ -x apps/openssl ] ; then ./util/opensslwrap.sh version -c ; fi
- - name: make test
- run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
diff --git a/.github/workflows/run_quic_interop.yml b/.github/workflows/run_quic_interop.yml
deleted file mode 100644
index d39e6fc9b8390..0000000000000
--- a/.github/workflows/run_quic_interop.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-name: "Run openssl quic interop testing"
-
-on:
- workflow_run:
- workflows: ["Build openssl interop container from master"]
- types: [completed]
- workflow_dispatch:
-
-jobs:
- run_quic_interop:
- strategy:
- matrix:
- tests: [http3, transfer, handshake, retry, chacha20, resumption]
- servers: [quic-go, ngtcp2, mvfst, quiche, nginx, msquic, haproxy]
- fail-fast: false
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- with:
- repository: 'quic-interop/quic-interop-runner'
- fetch-depth: 0
- - name: Install dependencies
- run: |
- pip install -r requirements.txt
- sudo add-apt-repository ppa:wireshark-dev/stable
- sudo apt-get update
- sudo apt-get install -y tshark
- - name: Patch implementations file
- run: |
- jq '.openssl = { image: "quay.io/openssl-ci/openssl-quic-interop"
- , url: "https://github.com/openssl/openssl"
- , role: "client"
- }' ./implementations.json > ./implementations.tmp
- mv ./implementations.tmp implementations.json
- - name: "run interop"
- run: |
- python3 ./run.py -c openssl -t ${{ matrix.tests }} -s ${{ matrix.servers }} --log-dir ./logs -d
-
-
diff --git a/.github/workflows/static-analysis-on-prem.yml b/.github/workflows/static-analysis-on-prem.yml
deleted file mode 100644
index 4c920fcad4b51..0000000000000
--- a/.github/workflows/static-analysis-on-prem.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License"). You may not use
-# this file except in compliance with the License. You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-name: Static Analysis On Prem
-
-on:
- schedule:
- - cron: '20 0 * * *'
- workflow_dispatch:
-
-permissions:
- contents: read
-
-jobs:
- coverity-analysis:
- runs-on: ubuntu-latest
- container: quay.io/openssl-ci/coverity-analysis:2024.3.1
- steps:
- - name: Put license
- run: echo ${{ secrets.COVERITY_LICENSE }} | base64 -d > /opt/coverity-analysis/bin/license.dat
- - name: Put auth key file
- run: |
- echo ${{ secrets.COVERITY_AUTH_KEY }} | base64 -d > /auth_key_file.txt
- chmod 0600 /auth_key_file.txt
- - uses: actions/checkout@v4
- - name: Config
- run: CC=gcc ./config --banner=Configured --debug enable-fips enable-rc5 enable-md2 enable-ssl3 enable-nextprotoneg enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 no-shared enable-buildtest-c++ enable-external-tests -DPEDANTIC
- - name: Config dump
- run: ./configdata.pm --dump
- - name: Make
- run: cov-build --dir cov-int make -s -j4
- - name: Analyze
- run: cov-analyze --dir cov-int --strip-path $(pwd)
- - name: Commit defects
- run: cov-commit-defects --url https://coverity.openssl.org:443 --stream OpenSSL --dir cov-int --auth-key-file /auth_key_file.txt
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
deleted file mode 100644
index 05330f02d8313..0000000000000
--- a/.github/workflows/static-analysis.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License"). You may not use
-# this file except in compliance with the License. You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-name: Static Analysis
-
-#Run once a day
-on:
- schedule:
- - cron: '20 0 * * *'
-
-permissions:
- contents: read
-
-jobs:
- coverity:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- - name: tool download
- run: |
- wget https://scan.coverity.com/download/linux64 \
- --post-data "token=${{ secrets.COVERITY_TOKEN }}&project=openssl%2Fopenssl" \
- --progress=dot:giga -O coverity_tool.tgz
- - name: config
- run: CC=gcc ./config --banner=Configured --debug enable-fips enable-rc5 enable-md2 enable-ssl3 enable-nextprotoneg enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 no-shared enable-buildtest-c++ enable-external-tests -DPEDANTIC
- - name: config dump
- run: ./configdata.pm --dump
- - name: tool install
- run: tar xzf coverity_tool.tgz
- - name: make
- run: ./cov-analysis*/bin/cov-build --dir cov-int make -s -j4
- - name: archive
- run: tar czvf openssl.tgz cov-int
- - name: Coverity upload
- run: |
- curl --form token="${{ secrets.COVERITY_TOKEN }}" \
- --form email=openssl-commits@openssl.org \
- --form file=@openssl.tgz \
- --form version="`date -u -I` `git rev-parse --short HEAD`" \
- --form description="analysis of `git branch --show-current`" \
- https://scan.coverity.com/builds?project=openssl%2Fopenssl
diff --git a/.github/workflows/style-checks.yml b/.github/workflows/style-checks.yml
deleted file mode 100644
index 69c9ca6c8ef62..0000000000000
--- a/.github/workflows/style-checks.yml
+++ /dev/null
@@ -1,52 +0,0 @@ -# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved. -# -# Licensed under the Apache License 2.0 (the "License"). You may not use -# this file except in compliance with the License. You can obtain a copy -# in the file LICENSE in the source distribution or at -# https://www.openssl.org/source/license.html - -name: Coding style validation - -on: [pull_request] - -env: - PR_NUMBER: ${{ github.event.number }} - GH_TOKEN: ${{ github.token }} - -permissions: - contents: read - -jobs: - check-style: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - path: openssl - - name: check style for each commit - working-directory: openssl - shell: bash - run: | - ERRORS_FOUND=0 - git fetch origin $GITHUB_BASE_REF:$GITHUB_BASE_REF - REFSTART=$(git rev-parse $GITHUB_BASE_REF) - REFEND=$(git rev-parse HEAD) - echo "Checking from $REFSTART to $REFEND" - echo "::group::Style report for commits $REFSTART..$REFEND" - set +e - ./util/check-format-commit.sh $REFSTART..$REFEND - if [ $? -ne 0 ] - then - ERRORS_FOUND=1 - fi - set -e - echo "::endgroup::" - SKIP_TEST=$(gh pr view $PR_NUMBER --json labels --jq '.labels[] | select(.name == "style: waived") | .name') - if [ -z "$SKIP_TEST" ] - then - exit $ERRORS_FOUND - else - echo "PR $PR_NUMBER is marked with style: waived, waiving style check errors" - exit 0 - fi diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml deleted file mode 100644 index ee42fc13a2379..0000000000000 --- a/.github/workflows/windows.yml +++ /dev/null 
@@ -1,202 +0,0 @@ -# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved. -# -# Licensed under the Apache License 2.0 (the "License"). You may not use -# this file except in compliance with the License. You can obtain a copy -# in the file LICENSE in the source distribution or at -# https://www.openssl.org/source/license.html - -name: Windows GitHub CI - -on: [pull_request, push] - -permissions: - contents: read - -jobs: - shared: - # Run a job for each of the specified target architectures: - strategy: - matrix: - platform: - - arch: win64 - os: windows-2019 - config: enable-fips - - arch: win64 - os: windows-2022 - config: enable-fips no-thread-pool no-quic - - arch: win32 - os: windows-2022 - config: --strict-warnings no-fips - runs-on: ${{ github.server_url == 'https://github.com' && matrix.platform.os || format('{0}-self-hosted', matrix.platform.os) }} - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - uses: ilammy/msvc-dev-cmd@v1 - with: - arch: ${{ matrix.platform.arch }} - - uses: ilammy/setup-nasm@v1 - with: - platform: ${{ matrix.platform.arch }} - - name: prepare the build directory - run: mkdir _build - - name: config - working-directory: _build - run: | - perl ..\Configure --banner=Configured no-makedepend -DOSSL_WINCTX=openssl ${{ matrix.platform.config }} - perl configdata.pm --dump - - name: build - working-directory: _build - run: nmake /S - - name: download coreinfo - uses: suisei-cn/actions-download-file@v1.6.0 - with: - url: "https://download.sysinternals.com/files/Coreinfo.zip" - target: _build/coreinfo/ - - name: Gather openssl version info - working-directory: _build - run: | - apps/openssl.exe version -v - apps/openssl.exe version -v | %{($_ -split '\s+')[1]} - apps/openssl.exe version -v | %{($_ -split '\s+')[1] -replace '([0-9]+\.[0-9]+)(\..*)','$1'} - echo "OSSL_VERSION=$(apps/openssl.exe version -v | %{($_ -split '\s+')[1] 
-replace '([0-9]+\.[0-9]+)(\..*)','$1'})" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf8 -Append - - name: Set registry keys - working-directory: _build - run: | - echo ${Env:OSSL_VERSION} - reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v OPENSSLDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32 - reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v ENGINESDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32 - reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v MODULESDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32 - reg.exe query HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v OPENSSLDIR /reg:32 - - name: get cpu info - working-directory: _build - continue-on-error: true - run: | - 7z.exe x coreinfo/Coreinfo.zip - ./Coreinfo64.exe -accepteula -f - ./apps/openssl.exe version -c - - name: Check platform symbol usage - working-directory: _build - run: perl ../util/checkplatformsyms.pl ../util/platform_symbols/windows-symbols.txt libcrypto-3-x64.dll ./libssl-3-x64.dll - - name: test - working-directory: _build - run: nmake test VERBOSE_FAILURE=yes TESTS=-test_fuzz* HARNESS_JOBS=4 - - name: install - # Run on 64 bit only as 32 bit is slow enough already - if: ${{ matrix.platform.arch == 'win64' }} - run: | - mkdir _dest - nmake install DESTDIR=_dest - working-directory: _build - plain: - strategy: - matrix: - os: -# Reducing CI footprint - windows-2019 - - windows-2022 - runs-on: ${{ github.server_url == 'https://github.com' && matrix.os || format('{0}-self-hosted', matrix.os) }} - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - uses: ilammy/msvc-dev-cmd@v1 - - name: prepare the build directory - run: mkdir _build - - name: config - working-directory: _build - run: | - perl ..\Configure --banner=Configured enable-demos no-makedepend no-shared no-fips enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers 
enable-trace enable-crypto-mdebug -DOSSL_WINCTX=openssl VC-WIN64A-masm - perl configdata.pm --dump - - name: build - working-directory: _build - run: nmake /S - - name: download coreinfo - uses: suisei-cn/actions-download-file@v1.6.0 - with: - url: "https://download.sysinternals.com/files/Coreinfo.zip" - target: _build/coreinfo/ - - name: get cpu info - working-directory: _build - continue-on-error: true - run: | - 7z.exe x coreinfo/Coreinfo.zip - ./Coreinfo64.exe -accepteula -f - ./apps/openssl.exe version -c - - name: test - working-directory: _build - run: nmake test VERBOSE_FAILURE=yes HARNESS_JOBS=4 - minimal: - strategy: - matrix: - os: - - windows-2019 -# Reducing CI footprint - windows-2022 - runs-on: ${{ github.server_url == 'https://github.com' && matrix.os || format('{0}-self-hosted', matrix.os) }} - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - uses: ilammy/msvc-dev-cmd@v1 - - name: prepare the build directory - run: mkdir _build - - name: config - working-directory: _build - run: | - perl ..\Configure --banner=Configured enable-demos no-makedepend no-bulk no-deprecated no-fips no-asm no-threads -DOPENSSL_SMALL_FOOTPRINT -DOSSL_WINCTX=openssl - perl configdata.pm --dump - - name: build - working-directory: _build - run: nmake # verbose, so no /S here - - name: download coreinfo - uses: suisei-cn/actions-download-file@v1.6.0 - with: - url: "https://download.sysinternals.com/files/Coreinfo.zip" - target: _build/coreinfo/ - - name: get cpu info - working-directory: _build - continue-on-error: true - run: | - 7z.exe x coreinfo/Coreinfo.zip - ./Coreinfo64.exe -accepteula -f - ./apps/openssl.exe version -c - - name: test - working-directory: _build - run: nmake test VERBOSE_FAILURE=yes TESTS=-test_fuzz* HARNESS_JOBS=4 - cygwin: - # Run a job for each of the specified target architectures: - strategy: - matrix: - os: - - windows-2019 -# really worth while running, 
too? cygwin should mask this -# - windows-2022 - platform: - - arch: win64 - config: -DCMAKE_C_COMPILER=gcc --strict-warnings enable-demos no-fips -# are we really learning sth new from win32? So let's save some CO2 for now disabling this -# - arch: win32 -# config: -DCMAKE_C_COMPILER=gcc --strict-warnings no-fips - runs-on: ${{ github.server_url == 'https://github.com' && matrix.os || format('{0}-self-hosted', matrix.os) }} - env: - CYGWIN_NOWINPATH: 1 - SHELLOPTS: igncr -# Don't overwhelm github CI VMs: - MAKE_PARAMS: -j 4 - steps: -# Checkout before cygwin can mess with PATH... - - uses: actions/checkout@v4 - - uses: cygwin/cygwin-install-action@master - with: - packages: perl git make gcc-core - - name: Check repo - run: cygcheck -V - - name: Full cygcheck status - run: cygcheck -s -v -r -h -# Activate this if checkout action fails: -# - name: Clone repo -# run: bash -c "pwd && git clone --branch ${{ github.ref_name }} --depth 1 https://github.com/${{ github.repository }}.git" - - name: Full build - run: bash -c "gcc --version && ./config ${{ matrix.platform.config }} && make $MAKE_PARAMS" -# Disable testing for now. TBD: Need local cygwin installation to debug . -# - name: Run openssl tests -# run: bash -c "cd openssl && make V=1 test" diff --git a/.github/workflows/windows_comp.yml b/.github/workflows/windows_comp.yml deleted file mode 100644 index 34c5c3208b1ae..0000000000000 --- a/.github/workflows/windows_comp.yml +++ /dev/null 
@@ -1,137 +0,0 @@ -# Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved. -# -# Licensed under the Apache License 2.0 (the "License"). You may not use -# this file except in compliance with the License. You can obtain a copy -# in the file LICENSE in the source distribution or at -# https://www.openssl.org/source/license.html - -name: Windows Compression GitHub CI - -on: - pull_request: - paths: - - 'crypto/comp/*.c' - - '.github/workflows/windows_comp.yml' - push: - paths: - - '**.c' - -permissions: - contents: read - -jobs: - zstd: - runs-on: windows-latest - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - uses: ilammy/msvc-dev-cmd@v1 - - uses: ilammy/setup-nasm@v1 - - name: prepare the build directory - run: mkdir _build - - name: Get zstd - working-directory: _build - run: | - vcpkg install zstd:x64-windows - - name: config - working-directory: _build - run: | - perl ..\Configure enable-comp enable-zstd --with-zstd-include=C:\vcpkg\packages\zstd_x64-windows\include --with-zstd-lib=C:\vcpkg\packages\zstd_x64-windows\lib\zstd.lib no-makedepend -DOSSL_WINCTX=openssl VC-WIN64A - perl configdata.pm --dump - - name: build - working-directory: _build - run: nmake - - name: Gather openssl version info - working-directory: _build - run: | - $env:Path+=";C:\vcpkg\packages\zstd_x64-windows\bin" - apps/openssl.exe version -v - apps/openssl.exe version -v | %{($_ -split '\s+')[1]} - apps/openssl.exe version -v | %{($_ -split '\s+')[1] -replace '([0-9]+\.[0-9]+)(\..*)','$1'} - echo "OSSL_VERSION=$(apps/openssl.exe version -v | %{($_ -split '\s+')[1] -replace '([0-9]+\.[0-9]+)(\..*)','$1'})" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf8 -Append - - name: Set registry keys - working-directory: _build - run: | - echo ${Env:OSSL_VERSION} - reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v OPENSSLDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32 - 
reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v ENGINESDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32 - reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v MODULESDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32 - reg.exe query HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v OPENSSLDIR /reg:32 - - name: download coreinfo - uses: suisei-cn/actions-download-file@v1.6.0 - with: - url: "https://download.sysinternals.com/files/Coreinfo.zip" - target: _build/coreinfo/ - - name: get cpu info - working-directory: _build - continue-on-error: true - run: | - $env:Path+=";C:\vcpkg\packages\zstd_x64-windows\bin" - 7z.exe x coreinfo/Coreinfo.zip - ./Coreinfo64.exe -accepteula -f - ./apps/openssl.exe version -c - - name: Check platform symbol usage - run: | - perl ./util/checkplatformsyms.pl ./util/platform_symbols/windows-symbols.txt libcrypto-3-x64.dll ./libssl-3-x64.dll - - name: test - working-directory: _build - run: | - $env:Path+=";C:\vcpkg\packages\zstd_x64-windows\bin" - nmake test VERBOSE_FAILURE=yes TESTS="-test_fuzz* -test_fipsload" HARNESS_JOBS=4 - brotli: - runs-on: windows-latest - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - uses: ilammy/msvc-dev-cmd@v1 - - uses: ilammy/setup-nasm@v1 - - name: prepare the build directory - run: mkdir _build - - name: Get brotli - working-directory: _build - run: | - vcpkg install brotli:x64-windows - - name: config - working-directory: _build - run: | - perl ..\Configure enable-comp enable-brotli --with-brotli-include=C:\vcpkg\packages\brotli_x64-windows\include --with-brotli-lib=C:\vcpkg\packages\brotli_x64-windows\lib no-makedepend -DOSSL_WINCTX=openssl VC-WIN64A - perl configdata.pm --dump - - name: build - working-directory: _build - run: nmake - - name: Gather openssl version info - working-directory: _build - run: | - $env:Path+=";C:\vcpkg\packages\brotli_x64-windows\bin" - apps/openssl.exe 
version -v - apps/openssl.exe version -v | %{($_ -split '\s+')[1]} - apps/openssl.exe version -v | %{($_ -split '\s+')[1] -replace '([0-9]+\.[0-9]+)(\..*)','$1'} - echo "OSSL_VERSION=$(apps/openssl.exe version -v | %{($_ -split '\s+')[1] -replace '([0-9]+\.[0-9]+)(\..*)','$1'})" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf8 -Append - - name: Set registry keys - working-directory: _build - run: | - echo ${Env:OSSL_VERSION} - reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v OPENSSLDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32 - reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v ENGINESDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32 - reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v MODULESDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32 - reg.exe query HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v OPENSSLDIR /reg:32 - - name: download coreinfo - uses: suisei-cn/actions-download-file@v1.6.0 - with: - url: "https://download.sysinternals.com/files/Coreinfo.zip" - target: _build/coreinfo/ - - name: get cpu info - working-directory: _build - continue-on-error: true - run: | - $env:Path+=";C:\vcpkg\packages\brotli_x64-windows\bin" - 7z.exe x coreinfo/Coreinfo.zip - ./Coreinfo64.exe -accepteula -f - ./apps/openssl.exe version -c - - name: test - working-directory: _build - run: | - $env:Path+=";C:\vcpkg\packages\brotli_x64-windows\bin" - nmake test VERBOSE_FAILURE=yes TESTS="-test_fuzz* -test_fipsload" HARNESS_JOBS=4 diff --git a/INSTALL.md b/INSTALL.md index 63ca4e37a5dc3..48e4cc58e73de 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -1,6 +1,9 @@ Build and Install ================= + +ADDING STUFF + This document describes installation on all supported operating systems: the Unix/Linux family (including macOS), OpenVMS, and Windows.