Re-enable FIPS security checks #1675
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: | |
| pull_request: | |
| branches: ["main"] | |
| push: | |
| branches: ["main"] | |
| env: | |
| OPENSSL_FIPS_BRANCH: kryoptic_ossl40 | |
| OPENSSL_STATIC_BRANCH: master | |
| jobs: | |
| build: | |
| name: Build | |
| runs-on: ubuntu-22.04 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| name: [standard, i686, minimal, pqc, no_sha1] | |
| linking: [dynamic, static, fips] | |
| build: [debug, release] | |
| db: [sqlitedb, nssdb] | |
| exclude: | |
| - name: no_sha1 # nssdb doesn't work with no_sha1 | |
| db: nssdb | |
| - name: minimal | |
| linking: fips | |
| - name: pqc # only works with openssl 3.5.0 so exclude dynamic | |
| linking: dynamic | |
| - name: pqc # already part of normal fips tests | |
| linking: fips | |
| - name: no_sha1 # already tested in fips and dynamic build | |
| linking: static | |
| - name: no_sha1 | |
| linking: fips | |
| container: quay.io/fedora/fedora:latest | |
| steps: | |
| - name: Get Date for DNF cache entry | |
| id: get-date | |
| run: | | |
| echo "date=$(/bin/date -u "+%Y%V")" >> $GITHUB_OUTPUT | |
| shell: bash | |
| - name: Restore DNF cache | |
| uses: actions/cache/restore@v4 | |
| with: | |
| path: | | |
| /var/cache/libdnf5 | |
| key: ${{ runner.os }}-dnf-${{ steps.get-date.outputs.date }} | |
| - name: Install Dependencies | |
| run: | | |
| dnf -y install git cargo clang-devel openssl openssl-devel \ | |
| 'perl(FindBin)' 'perl(lib)' 'perl(File::Compare)' \ | |
| 'perl(File::Copy)' 'perl(bigint)' 'perl(Time::HiRes)' \ | |
| 'perl(IPC::Cmd)' 'perl(Pod::Html)' 'perl(Digest::SHA)' \ | |
| 'perl(Module::Load::Conditional)' 'perl(File::Temp)' \ | |
| 'perl(Test::Harness)' 'perl(Test::More)' 'perl(Math::BigInt)' \ | |
| 'perl(Time::Piece)' zlib-devel sed sqlite-devel | |
| if [ "${{ matrix.name }}" = "i686" ]; then | |
| dnf -y install rust-std-static.i686 openssl-devel.i686 \ | |
| sqlite-devel.i686 | |
| if [ "${{ matrix.linking }}" != "dynamic" ]; then | |
| dnf -y install libatomic.i686 | |
| fi | |
| fi | |
| - name: Checkout Repository | |
| uses: actions/checkout@v6 | |
| - name: Setup OpenSSL (fips) | |
| if: ${{ matrix.linking == 'fips' }} | |
| id: ossl-setup-fips | |
| run: | | |
| git config --global --add safe.directory /__w/kryoptic | |
| cd .. | |
| git clone https://github.com/simo5/openssl.git \ | |
| --single-branch --branch $OPENSSL_FIPS_BRANCH openssl | |
| cd openssl | |
| echo "KRYOPTIC_OPENSSL_SOURCES=$PWD" >> "$GITHUB_ENV" | |
| OS=${{ runner.os }} | |
| if [ "${{ matrix.name }}" = "i686" ]; then | |
| OS="${OS}-i686" | |
| fi | |
| echo "cacheid=${OS}-ossl-$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT" | |
| - name: Setup OpenSSL (static) | |
| if: ${{ matrix.linking == 'static' }} | |
| id: ossl-setup-static | |
| run: | | |
| git config --global --add safe.directory /__w/kryoptic | |
| cd .. | |
| git clone https://github.com/openssl/openssl.git \ | |
| --single-branch --branch $OPENSSL_STATIC_BRANCH openssl | |
| cd openssl | |
| echo "KRYOPTIC_OPENSSL_SOURCES=$PWD" >> "$GITHUB_ENV" | |
| OS=${{ runner.os }} | |
| if [ "${{ matrix.name }}" = "i686" ]; then | |
| OS="${OS}-i686" | |
| fi | |
| echo "cacheid=${OS}-ossl-$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT" | |
| - name: Restore OpenSSL build (fips) | |
| if: ${{ matrix.linking == 'fips' }} | |
| uses: actions/cache/restore@v4 | |
| id: cache-fips | |
| with: | |
| path: ${{ env.KRYOPTIC_OPENSSL_SOURCES }} | |
| key: ${{ steps.ossl-setup-fips.outputs.cacheid }} | |
| - name: Restore OpenSSL build (static) | |
| if: ${{ matrix.linking == 'static' }} | |
| uses: actions/cache/restore@v4 | |
| id: cache-static | |
| with: | |
| path: ${{ env.KRYOPTIC_OPENSSL_SOURCES }} | |
| key: ${{ steps.ossl-setup-static.outputs.cacheid }} | |
| - name: Generate lock file | |
| run: cargo generate-lockfile | |
| - name: Cache Rust dependencies | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ~/.cargo/bin/ | |
| ~/.cargo/registry/index/ | |
| ~/.cargo/registry/cache/ | |
| ~/.cargo/git/db/ | |
| target/ | |
| key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} | |
| - name: Build & test | |
| run: | | |
| export KRYOPTIC_TESTS_DEFAULT_DB="${{ matrix.db }}" | |
| FEATURES="${{ matrix.db }}" | |
| OPTS="--no-default-features" | |
| FEATURE_SET="standard" | |
| export CC=clang | |
| TEST_PKCS11_MODULE="${PWD}/target" | |
| if [ "${{ matrix.name }}" = "i686" ]; then | |
| # pkg-config expects a sysroot dir when cross-compiling; we have | |
| # the i686 development files in the same paths because this is an | |
| # x86_64 build machine | |
| export PKG_CONFIG_SYSROOT_DIR=/ | |
| OPTS="${OPTS} --target i686-unknown-linux-gnu" | |
| TEST_PKCS11_MODULE="${TEST_PKCS11_MODULE}/i686-unknown-linux-gnu" | |
| elif [ "${{ matrix.name }}" = "minimal" ]; then | |
| FEATURE_SET="minimal" | |
| elif [ "${{ matrix.name }}" = "pqc" ]; then | |
| FEATURES="${FEATURES},pqc,slow" | |
| elif [ "${{ matrix.name }}" = "no_sha1" ]; then | |
| FEATURES="${FEATURES},no_sha1" | |
| fi | |
| if [ "${{ matrix.linking }}" = "dynamic" ]; then | |
| FEATURES="${FEATURES},${FEATURE_SET},dynamic" | |
| elif [ "${{ matrix.linking }}" = "static" ]; then | |
| FEATURES="${FEATURES},${FEATURE_SET},ossl400" | |
| elif [ "${{ matrix.linking }}" = "fips" ]; then | |
| FEATURES="${FEATURES},fips" | |
| fi | |
| if [ "${{ matrix.build }}" = "release" ]; then | |
| OPTS="${OPTS} --release" | |
| TEST_PKCS11_MODULE="${TEST_PKCS11_MODULE}/release" | |
| else | |
| TEST_PKCS11_MODULE="${TEST_PKCS11_MODULE}/debug" | |
| fi | |
| TEST_PKCS11_MODULE="${TEST_PKCS11_MODULE}/libkryoptic_pkcs11.so" | |
| # create a bogus configuration file to make sure it is not used during tests | |
| mkdir -p ~/.config/kryoptic/ | |
| cp testdata/test.conf ~/.config/kryoptic/token.conf | |
| #BUILD | |
| cargo build -vv $OPTS --features "$FEATURES" | |
| # cargo test does not build libkryoptic_pkcs11.so and we need to make | |
| # it fips compatible in any case | |
| if [ "${{ matrix.linking }}" = "fips" ]; then | |
| ./misc/hmacify.sh "${TEST_PKCS11_MODULE}" | |
| fi | |
| export TEST_PKCS11_MODULE | |
| #TEST | |
| cargo test -vv $OPTS --features "$FEATURES" | |
| - uses: actions/upload-artifact@v4 | |
| if: failure() | |
| with: | |
| name: Build logs ${{ matrix.name }}-${{ matrix.linking }}-${{ matrix.build }}-${{ matrix.db }} | |
| path: | | |
| target/debug/build/*/output | |
| - name: Show Build configs and logs on error | |
| if: failure() | |
| run: | | |
| cd ../openssl | |
| perl configdata.pm --dump | |
| - if: ${{ matrix.linking == 'fips' && steps.cache-fips.outputs.cache-hit != 'true' }} | |
| name: Cache OpenSSL FIPS build | |
| uses: actions/cache/save@v4 | |
| with: | |
| path: ${{ env.KRYOPTIC_OPENSSL_SOURCES }} | |
| key: ${{ steps.ossl-setup-fips.outputs.cacheid }} | |
| - if: ${{ matrix.linking == 'static' && steps.cache-static.outputs.cache-hit != 'true' }} | |
| name: Cache OpenSSL STATIC build | |
| uses: actions/cache/save@v4 | |
| with: | |
| path: ${{ env.KRYOPTIC_OPENSSL_SOURCES }} | |
| key: ${{ steps.ossl-setup-static.outputs.cacheid }} | |
| - if: ${{ matrix.name == 'i686' && steps.cache-static.outputs.cache-hit != 'true' }} | |
| name: Store DNF cache -- the i686 has the most dependencies | |
| uses: actions/cache/save@v4 | |
| with: | |
| path: | | |
| /var/cache/libdnf5 | |
| key: ${{ runner.os }}-dnf-${{ steps.get-date.outputs.date }} |