From 2bcfff8509b9a054ce84d768c96f6fd4ca7b9d6f Mon Sep 17 00:00:00 2001
From: Pauli
Date: Tue, 1 Jul 2025 08:43:54 +1000
Subject: [PATCH] ci: enable LMS in a number of different builds
Reviewed-by: Viktor Dukhovni
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/27885)
---
 .github/workflows/ci.yml | 24 +++++++++----------
 .github/workflows/coveralls.yml | 2 +-
 .github/workflows/cross-compiles.yml | 4 ++--
 .github/workflows/fuzz-checker.yml | 2 +-
 .github/workflows/provider-compatibility.yml | 2 +-
 .github/workflows/run-checker-daily.yml | 1 +
 .github/workflows/static-analysis-on-prem.yml | 2 +-
 .github/workflows/static-analysis.yml | 2 +-
 .github/workflows/windows.yml | 6 ++---
 9 files changed, 23 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 04b2fed5218..4eb1fd13d01 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -69,7 +69,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - name: config
- run: CPPFLAGS='-std=c99 -D_XOPEN_SOURCE=1 -D_POSIX_C_SOURCE=200809L' ./config --strict-warnings --banner=Configured enable-sslkeylog no-asm no-secure-memory no-makedepend enable-buildtest-c++ enable-fips && perl configdata.pm --dump
+ run: CPPFLAGS='-std=c99 -D_XOPEN_SOURCE=1 -D_POSIX_C_SOURCE=200809L' ./config --strict-warnings --banner=Configured enable-sslkeylog no-asm no-secure-memory no-makedepend enable-buildtest-c++ enable-fips enable-lms && perl configdata.pm --dump
 - name: make
 run: make -s -j4
@@ -86,7 +86,7 @@ jobs:
 run: echo "FIPS_VENDOR=CI" >> VERSION.dat
 - name: config
 # enable-quic is on by default, but we leave it here to check we're testing the explicit enable somewhere
- run: CC=gcc ./config --strict-warnings --banner=Configured enable-demos enable-h3demo enable-sslkeylog enable-fips enable-quic && perl configdata.pm --dump
+ run: CC=gcc ./config --strict-warnings --banner=Configured enable-demos enable-h3demo enable-sslkeylog enable-fips enable-quic enable-lms && perl configdata.pm --dump
 - name: make
 run: make -s -j4
 - name: get cpu info
@@ -133,7 +133,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - name: config
- run: ./config --strict-warnings enable-demos enable-fips enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace
+ run: ./config --strict-warnings enable-demos enable-fips enable-lms enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace
 - name: config dump
 run: ./configdata.pm --dump
 - name: make
@@ -163,7 +163,7 @@ jobs:
 shutdown_vm: false
 run: |
 sudo pkg install -y gcc perl5
- ./config --strict-warnings enable-fips enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace
+ ./config --strict-warnings enable-fips enable-lms enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace
 - name: config dump
 uses: cross-platform-actions/action@v0.26.0
 with:
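Review bot: The comment kept above the new `run:` line in the -86 hunk explains why `enable-quic` is spelled out even though it is on by default, but the `enable-lms` token appended on that same line gets no equivalent explanation, and the commit message only says LMS is being "enabled". If `lms` is off by default, a short note such as `# enable-lms is off by default; turn it on here so the LMS code is covered by CI` would tell a reader that these builds now compile code that was previously untested; if it is on by default, the option is redundant in every ci.yml hunk except the no-bulk one, which is equally worth stating. The same question applies to every other `enable-lms` addition in this patch (ci.yml hunks -69 through -595, coveralls.yml, cross-compiles.yml, fuzz-checker.yml, the static-analysis workflows and windows.yml), so one note in the commit message or at the first occurrence would suffice. The job definitions these steps belong to start and end outside the hunks.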
@@ -200,7 +200,7 @@ jobs:
 - name: checkout fuzz/corpora submodule
 run: git submodule update --init --depth 1 fuzz/corpora
 - name: config
- run: ./config --strict-warnings --banner=Configured enable-demos enable-h3demo no-bulk no-pic no-asm -DOPENSSL_NO_SECURE_MEMORY -DOPENSSL_SMALL_FOOTPRINT && perl configdata.pm --dump
+ run: ./config --strict-warnings --banner=Configured enable-demos enable-h3demo no-bulk no-pic no-asm no-lms -DOPENSSL_NO_SECURE_MEMORY -DOPENSSL_SMALL_FOOTPRINT && perl configdata.pm --dump
 - name: make
 run: make -j4 # verbose, so no -s here
 - name: get cpu info
@@ -327,7 +327,7 @@ jobs:
 sudo cat /proc/sys/vm/mmap_rnd_bits
 sudo sysctl -w vm.mmap_rnd_bits=28
 - name: config
- run: ./config --strict-warnings --banner=Configured --debug enable-demos enable-h3demo enable-asan enable-ubsan enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips && perl configdata.pm --dump
+ run: ./config --strict-warnings --banner=Configured --debug enable-demos enable-h3demo enable-asan enable-ubsan enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips enable-lms && perl configdata.pm --dump
 - name: make
 run: make -s -j4
 - name: get cpu info
@@ -383,7 +383,7 @@ jobs:
 sudo sysctl -w vm.mmap_rnd_bits=28
 - name: config
 # --debug -O1 is to produce a debug build that runs in a reasonable amount of time
- run: CC=clang ./config --strict-warnings --banner=Configured --debug no-shared -O1 -fsanitize=memory -DOSSL_SANITIZE_MEMORY -fno-optimize-sibling-calls enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips no-slh-dsa && perl configdata.pm --dump
+ run: CC=clang ./config --strict-warnings --banner=Configured --debug no-shared -O1 -fsanitize=memory -DOSSL_SANITIZE_MEMORY -fno-optimize-sibling-calls enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips enable-lms no-slh-dsa && perl configdata.pm --dump
 - name: make
 run: make -s -j4
 - name: get cpu info
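Review bot: The new `run:` line in the -200 hunk is the only place in the whole patch that sets `no-lms` instead of `enable-lms`, and nothing records that this is deliberate, so a later sweep that "finishes enabling LMS everywhere" could easily flip it. Presumably the intent is to keep the minimal no-bulk build exercising the LMS-disabled code paths alongside `no-pic`/`no-asm`; a comment above the step in the same style as the existing `# enable-quic is on by default ...` note earlier in the file would pin that down, e.g. `# no-lms: keep this minimal build covering the LMS-disabled configuration`. The step list this belongs to starts and ends outside the hunk.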
@@ -435,7 +435,7 @@ jobs:
 - name: modprobe tls
 run: sudo modprobe tls
 - name: config
- run: ./config --strict-warnings --banner=Configured enable-demos enable-h3demo no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-egd enable-ktls enable-fips no-threads && perl configdata.pm --dump
+ run: ./config --strict-warnings --banner=Configured enable-demos enable-h3demo no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-egd enable-ktls enable-fips enable-lms no-threads && perl configdata.pm --dump
 - name: make
 run: make -s -j4
 - name: get cpu info
@@ -466,7 +466,7 @@ jobs:
 - name: install extra config support
 run: sudo apt-get -y install libsctp-dev abigail-tools libzstd-dev zstd
 - name: config
- run: ./config --strict-warnings --banner=Configured enable-demos enable-h3demo enable-ktls enable-fips enable-egd enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-sctp enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-trace enable-zlib enable-zstd && perl configdata.pm --dump
+ run: ./config --strict-warnings --banner=Configured enable-demos enable-h3demo enable-ktls enable-fips enable-lms enable-egd enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-sctp enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-trace enable-zlib enable-zstd && perl configdata.pm --dump
 - name: make
 run: make -s -j4
 - name: get cpu info
@@ -489,7 +489,7 @@ jobs:
 - name: checkout fuzz/corpora submodule
 run: git submodule update --init --depth 1 fuzz/corpora
 - name: config
- run: ./config --strict-warnings --banner=Configured enable-demos enable-h3demo no-legacy enable-fips && perl configdata.pm --dump
+ run: ./config --strict-warnings --banner=Configured enable-demos enable-h3demo no-legacy enable-fips enable-lms && perl configdata.pm --dump
 - name: make
 run: make -s -j4
 - name: get cpu info
@@ -550,7 +550,7 @@ jobs:
 mkdir ./install
 - name: config
 run: |
- ../source/config --banner=Configured enable-demos enable-h3demo enable-fips enable-quic enable-acvp-tests --strict-warnings --prefix=$(cd ../install; pwd)
+ ../source/config --banner=Configured enable-demos enable-h3demo enable-fips enable-lms enable-quic enable-acvp-tests --strict-warnings --prefix=$(cd ../install; pwd)
 perl configdata.pm --dump
 working-directory: ./build
 - name: make
@@ -595,7 +595,7 @@ jobs:
 mkdir ./install
 - name: config
 run: |
- ../source/config --banner=Configured enable-fips enable-demos enable-h3demo enable-quic enable-acvp-tests --strict-warnings --prefix=$(cd ../install; pwd)
+ ../source/config --banner=Configured enable-fips enable-lms enable-demos enable-h3demo enable-quic enable-acvp-tests --strict-warnings --prefix=$(cd ../install; pwd)
 perl configdata.pm --dump
 working-directory: ./build
 - name: make
diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml
index c3a1069a224..9dc41080abb 100644
--- a/.github/workflows/coveralls.yml
+++ b/.github/workflows/coveralls.yml
@@ -99,7 +99,7 @@ jobs:
 - name: setup hostname workaround
 run: sudo hostname localhost
 - name: config
- run: CC=gcc ./config --debug --coverage ${{ matrix.branches.extra_config }} no-asm enable-rc5 enable-md2 enable-ssl3 enable-nextprotoneg enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 enable-buildtest-c++ enable-ssl-trace enable-trace
+ run: CC=gcc ./config --debug --coverage ${{ matrix.branches.extra_config }} no-asm enable-lms enable-rc5 enable-md2 enable-ssl3 enable-nextprotoneg enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 enable-buildtest-c++ enable-ssl-trace enable-trace
 - name: config dump
 run: ./configdata.pm --dump
 - name: make
diff --git a/.github/workflows/cross-compiles.yml b/.github/workflows/cross-compiles.yml
index 928dd30734f..c6b758ec931 100644
--- a/.github/workflows/cross-compiles.yml
+++ b/.github/workflows/cross-compiles.yml
@@ -175,13 +175,13 @@ jobs:
 - name: config with FIPS
 if: matrix.platform.fips != 'no'
 run: |
- ./config --banner=Configured --strict-warnings enable-fips \
+ ./config --banner=Configured --strict-warnings enable-fips enable-lms \
 --cross-compile-prefix=${{ matrix.platform.arch }}- \
 ${{ matrix.platform.target }}
 - name: config without FIPS
 if: matrix.platform.fips == 'no'
 run: |
- ./config --banner=Configured --strict-warnings \
+ ./config --banner=Configured --strict-warnings enable-lms \
 --cross-compile-prefix=${{ matrix.platform.arch }}- \
 ${{ matrix.platform.target }}
 - name: config dump
diff --git a/.github/workflows/fuzz-checker.yml b/.github/workflows/fuzz-checker.yml
index a280b410e5d..b7e3cf51eed 100644
--- a/.github/workflows/fuzz-checker.yml
+++ b/.github/workflows/fuzz-checker.yml
@@ -35,7 +35,7 @@ jobs:
 name: libFuzzer+,
 config: enable-fuzz-libfuzzer enable-asan enable-ubsan -fno-sanitize=function -fsanitize-coverage=trace-cmp -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION,
 libs: --with-fuzzer-lib=/usr/lib/llvm-18/lib/libFuzzer.a --with-fuzzer-include=/usr/include/clang/18/include/fuzzer,
- extra: enable-fips enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment enable-tls1_3 enable-weak-ssl-ciphers enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-nextprotoneg,
+ extra: enable-fips enable-lms enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment enable-tls1_3 enable-weak-ssl-ciphers enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-nextprotoneg,
 install: libfuzzer-18-dev,
 cc: clang-18,
 linker: clang++-18,
diff --git a/.github/workflows/provider-compatibility.yml b/.github/workflows/provider-compatibility.yml
index 76ef9e1cff7..b035ac4233f 100644
--- a/.github/workflows/provider-compatibility.yml
+++ b/.github/workflows/provider-compatibility.yml
@@ -24,7 +24,7 @@ permissions:
 contents: read
 env:
- opts: enable-rc5 enable-md2 enable-ssl3 enable-weak-ssl-ciphers enable-zlib
+ opts: enable-lms enable-rc5 enable-md2 enable-ssl3 enable-weak-ssl-ciphers enable-zlib
 jobs:
 fips-releases:
diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml
index 02bc7c69628..8a2bf087138 100644
--- a/.github/workflows/run-checker-daily.yml
+++ b/.github/workflows/run-checker-daily.yml
@@ -76,6 +76,7 @@ jobs:
 no-hw,
 no-hw-padlock,
 no-idea,
+ enable-lms,
 no-makedepend,
 enable-md2,
 no-md4,
diff --git a/.github/workflows/static-analysis-on-prem.yml b/.github/workflows/static-analysis-on-prem.yml
index 735af6581a7..bb6a48c2d15 100644
--- a/.github/workflows/static-analysis-on-prem.yml
+++ b/.github/workflows/static-analysis-on-prem.yml
@@ -29,7 +29,7 @@ jobs:
 chmod 0600 /auth_key_file.txt
 - uses: actions/checkout@v4
 - name: Config
- run: CC=gcc ./config --strict-warnings --banner=Configured --debug enable-fips enable-rc5 enable-md2 enable-ssl3 enable-nextprotoneg enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 no-shared enable-buildtest-c++ enable-external-tests -DPEDANTIC
+ run: CC=gcc ./config --strict-warnings --banner=Configured --debug enable-lms enable-fips enable-rc5 enable-md2 enable-ssl3 enable-nextprotoneg enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 no-shared enable-buildtest-c++ enable-external-tests -DPEDANTIC
 - name: Config dump
 run: ./configdata.pm --dump
 - name: Make
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index 7acae4ddff0..2d679f04cc2 100644
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
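Review bot: The new `opts:` value in the provider-compatibility.yml hunk is a workflow-level `env` entry, so `enable-lms` now reaches every Configure invocation that expands `${{ env.opts }}`, not only the build of the development branch; if the `fips-releases` job that begins right below the change also feeds it to the Configure of older release tarballs, any release that predates the `lms` option would reject it as an unsupported option and that job would fail. Worth confirming which jobs consume `opts` before relying on this; if older releases do, the LMS flag belongs in a branch-specific variable (or in the development-branch step itself) rather than in the shared `env` block. The `env` block and the jobs that read it lie outside the hunk.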
@@ -28,7 +28,7 @@ jobs:
 --post-data "token=${{ secrets.COVERITY_TOKEN }}&project=openssl%2Fopenssl" \
 --progress=dot:giga -O coverity_tool.tgz
 - name: config
- run: CC=gcc ./config --strict-warnings --banner=Configured --debug enable-fips enable-rc5 enable-md2 enable-ssl3 enable-nextprotoneg enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 no-shared enable-buildtest-c++ enable-external-tests -DPEDANTIC
+ run: CC=gcc ./config --strict-warnings --banner=Configured --debug enable-lms enable-fips enable-rc5 enable-md2 enable-ssl3 enable-nextprotoneg enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 no-shared enable-buildtest-c++ enable-external-tests -DPEDANTIC
 - name: config dump
 run: ./configdata.pm --dump
 - name: tool install
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 1e62801440d..22f1fbf3c5f 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -20,13 +20,13 @@ jobs:
 platform:
 - arch: win64
 os: windows-2022
- config: enable-fips
+ config: enable-lms enable-fips
 - arch: win64
 os: windows-2025
- config: enable-fips no-thread-pool no-quic
+ config: enable-lms enable-fips no-thread-pool no-quic
 - arch: win32
 os: windows-2025
- config: --strict-warnings no-fips
+ config: --strict-warnings enable-lms no-fips
 runs-on: ${{ matrix.platform.os }}
 steps:
 - uses: actions/checkout@v4
-- 2.47.2