Skip to content

Update FIPS v3.0 draft security policy #4086

Update FIPS v3.0 draft security policy

Update FIPS v3.0 draft security policy #4086

Workflow file for this run

name: General CI Tests
on:
push:
branches: [ '*' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref_name }}
cancel-in-progress: true
env:
GOPROXY: https://proxy.golang.org,direct
SDE_MIRROR_URL: "https://downloadmirror.intel.com/831748/sde-external-9.44.0-2024-08-22-win.tar.xz"
SDE_VERSION_TAG: sde-external-9.44.0-2024-08-22-win
PACKAGE_NAME: aws-lc
# Used to enable ASAN test dimension.
AWSLC_NO_ASM_FIPS: 1
jobs:
# MacOS and Windows GHA runners are more expensive, so we do a sanity test run before proceeding.
sanity-test-run:
runs-on: ubuntu-latest
steps:
- name: Git clone the repository
uses: actions/checkout@v3
- name: Sanity Test Run
run: |
sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
sudo apt-get install ninja-build
cmake -GNinja -Btest_build_dir
ninja -C test_build_dir run_tests
macOS-x86:
if: github.repository_owner == 'aws'
needs: [sanity-test-run]
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os:
- "macos-14-large"
- "macos-13-large"
- "macos-12-large"
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
with:
go-version: '>=1.18'
- name: Build ${{ env.PACKAGE_NAME }}
run: |
./tests/ci/run_posix_tests.sh
macOS-x86-FIPS:
if: github.repository_owner == 'aws'
needs: [sanity-test-run]
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os:
- "macos-14-large"
- "macos-13-large"
- "macos-12-large"
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
with:
go-version: '>=1.18'
- name: Build ${{ env.PACKAGE_NAME }} with FIPS mode
run: |
./tests/ci/run_fips_tests.sh
macOS-ARM:
if: github.repository_owner == 'aws'
needs: [sanity-test-run]
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os:
- "macos-14-xlarge"
- "macos-13-xlarge"
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
with:
go-version: '>=1.18'
- name: Build ${{ env.PACKAGE_NAME }}
run: |
./tests/ci/run_posix_tests.sh
macOS-ARM-FIPS:
if: github.repository_owner == 'aws'
needs: [sanity-test-run]
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os:
- "macos-14-xlarge"
- "macos-13-xlarge"
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
with:
go-version: '>=1.18'
- name: Build ${{ env.PACKAGE_NAME }} with FIPS mode
run: |
./tests/ci/run_fips_tests.sh
MSVC-2019:
if: github.repository_owner == 'aws'
needs: [sanity-test-run]
runs-on: aws-lc_windows-2019_8-core
steps:
- name: Git clone the repository
uses: actions/checkout@v3
- name: Build Windows Dependencies
run: |
choco install ninja --version 1.9.0.20190208 -y &&
choco install nasm --version 2.14.02 -y
- name: Run Windows Tests on MSVC-2019
run: |
.\tests\ci\run_windows_tests.bat "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat" x64
MSVC-2022:
if: github.repository_owner == 'aws'
needs: [sanity-test-run]
runs-on: aws-lc_windows-latest_8-core
steps:
- name: Git clone the repository
uses: actions/checkout@v3
- name: Build Windows Dependencies
run: |
choco install ninja --version 1.9.0.20190208 -y &&
choco install nasm --version 2.14.02 -y
- name: Run Windows Tests on MSVC-2022
run: |
.\tests\ci\run_windows_tests.bat "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvarsall.bat" x64
MSVC-SDE-64-bit:
if: github.repository_owner == 'aws'
needs: [sanity-test-run]
# TODO: Update this to run on windows-2022. windows-2022 (Windows 11) has phased out support for older processors.
# https://learn.microsoft.com/en-us/windows-hardware/design/minimum/supported/windows-11-supported-intel-processors
runs-on: aws-lc_windows-2019_64-core
steps:
- name: Git clone the repository
uses: actions/checkout@v3
- name: Build Windows Dependencies
run: |
choco install ninja --version 1.9.0.20190208 -y &&
choco install nasm --version 2.14.02 -y
- name: Install SDE simulator
run: |
curl -SL --output temp.tar.xz ${{ env.SDE_MIRROR_URL }}
7z x temp.tar.xz
7z x temp.tar
ren ${{ env.SDE_VERSION_TAG }} windows-sde
del temp.tar.xz
del temp.tar
- name: Run Windows SDE Tests for 64 bit
run: |
$env:SDEROOT = "${PWD}\windows-sde"
echo ${env:SDEROOT}
.\tests\ci\run_windows_tests.bat "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat" x64 true
gcc-ubuntu-2004-sanity:
if: github.repository_owner == 'aws'
needs: [sanity-test-run]
strategy:
fail-fast: false
matrix:
gccversion:
- "10"
fips:
- "0"
- "1"
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
with:
go-version: '>=1.18'
- name: Setup CMake
uses: threeal/cmake-action@v1.3.0
with:
generator: Ninja
c-compiler: gcc-${{ matrix.gccversion }}
cxx-compiler: g++-${{ matrix.gccversion }}
options: FIPS=${{ matrix.fips }} CMAKE_BUILD_TYPE=Release
- name: Build Project
run: cmake --build ./build --target all
- name: Run tests
run: cmake --build ./build --target run_tests
gcc-ubuntu-2204-sanity:
if: github.repository_owner == 'aws'
needs: [sanity-test-run]
strategy:
fail-fast: false
matrix:
gccversion:
- "10"
- "11"
- "12"
fips:
- "0"
- "1"
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
with:
go-version: '>=1.18'
- name: Setup CMake
uses: threeal/cmake-action@v1.3.0
with:
generator: Ninja
c-compiler: gcc-${{ matrix.gccversion }}
cxx-compiler: g++-${{ matrix.gccversion }}
options: FIPS=${{ matrix.fips }} CMAKE_BUILD_TYPE=Release
- name: Build Project
run: cmake --build ./build --target all
- name: Run tests
run: cmake --build ./build --target run_tests
gcc-ubuntu-2404-sanity:
if: github.repository_owner == 'aws'
needs: [ sanity-test-run ]
strategy:
fail-fast: false
matrix:
gccversion:
- "12"
- "13"
- "14"
fips:
- "0"
- "1"
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
with:
go-version: '>=1.18'
- name: Setup CMake
uses: threeal/cmake-action@v1.3.0
with:
generator: Ninja
c-compiler: gcc-${{ matrix.gccversion }}
cxx-compiler: g++-${{ matrix.gccversion }}
options: FIPS=${{ matrix.fips }} CMAKE_BUILD_TYPE=Release
- name: Build Project
# TODO: Re-enable gcc-14/FIPS build once delocator updated
if: ${{ !( matrix.gccversion == '14' && matrix.fips == '1' ) }}
run: cmake --build ./build --target all
- name: Run tests
# TODO: Re-enable gcc-14/FIPS build once delocator updated
if: ${{ !( matrix.gccversion == '14' && matrix.fips == '1' ) }}
run: cmake --build ./build --target run_tests
gcc-13-pedantic:
if: github.repository_owner == 'aws'
needs: [ sanity-test-run ]
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v3
- name: Setup CMake
uses: threeal/cmake-action@v1.3.0
with:
generator: Ninja
c-compiler: gcc-13
cxx-compiler: g++-13
options: CMAKE_BUILD_TYPE=Release CMAKE_C_FLAGS=-pedantic CMAKE_CXX_FLAGS=-pedantic
- name: Build Crypto
run: cmake --build ./build --target crypto
- name: Build SSL
run: cmake --build ./build --target ssl
clang-19-pedantic:
if: github.repository_owner == 'aws'
needs: [ sanity-test-run ]
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v3
- name: Install clang-19
run: |
wget https://apt.llvm.org/llvm.sh
chmod u+x llvm.sh
sudo ./llvm.sh 19
- name: Setup CMake
uses: threeal/cmake-action@v1.3.0
with:
generator: Ninja
c-compiler: clang-19
cxx-compiler: clang++-19
options: CMAKE_BUILD_TYPE=Release CMAKE_C_FLAGS=-pedantic CMAKE_CXX_FLAGS=-pedantic
- name: Build Crypto
run: cmake --build ./build --target crypto
- name: Build SSL
run: cmake --build ./build --target ssl
clang-ubuntu-2004-sanity:
if: github.repository_owner == 'aws'
needs: [sanity-test-run]
strategy:
fail-fast: false
matrix:
clangversion:
- "10"
- "11"
- "12"
fips:
- "0"
- "1"
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
with:
go-version: '>=1.18'
- name: Setup CMake
uses: threeal/cmake-action@v1.3.0
with:
generator: Ninja
c-compiler: clang-${{ matrix.clangversion }}
cxx-compiler: clang++-${{ matrix.clangversion }}
options: FIPS=${{ matrix.fips }} CMAKE_BUILD_TYPE=Release
- name: Build Project
run: cmake --build ./build --target all
- name: Run tests
run: cmake --build ./build --target run_tests
clang-ubuntu-2204-sanity:
if: github.repository_owner == 'aws'
needs: [sanity-test-run]
strategy:
fail-fast: false
matrix:
clangversion:
- "13"
- "14"
- "15"
fips:
- "0"
- "1"
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
with:
go-version: '>=1.18'
- name: Setup CMake
uses: threeal/cmake-action@v1.3.0
with:
generator: Ninja
c-compiler: clang-${{ matrix.clangversion }}
cxx-compiler: clang++-${{ matrix.clangversion }}
options: FIPS=${{ matrix.fips }} CMAKE_BUILD_TYPE=Release
- name: Build Project
run: cmake --build ./build --target all
- name: Run tests
run: cmake --build ./build --target run_tests
clang-ubuntu-2404-sanity:
if: github.repository_owner == 'aws'
needs: [sanity-test-run]
strategy:
fail-fast: false
matrix:
clangversion:
- "16"
- "17"
- "18"
fips:
- "0"
- "1"
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
with:
go-version: '>=1.18'
- name: Setup CMake
uses: threeal/cmake-action@v1.3.0
with:
generator: Ninja
c-compiler: clang-${{ matrix.clangversion }}
cxx-compiler: clang++-${{ matrix.clangversion }}
options: FIPS=${{ matrix.fips }} CMAKE_BUILD_TYPE=Release
- name: Build Project
run: cmake --build ./build --target all
- name: Run tests
run: cmake --build ./build --target run_tests
clang-19-sanity:
if: github.repository_owner == 'aws'
needs: [ sanity-test-run ]
strategy:
fail-fast: false
matrix:
fips:
- "0"
- "1"
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
with:
go-version: '>=1.18'
- name: Install clang-19
run: |
wget https://apt.llvm.org/llvm.sh
chmod u+x llvm.sh
sudo ./llvm.sh 19
- name: Setup CMake
uses: threeal/cmake-action@v1.3.0
with:
generator: Ninja
c-compiler: clang-19
cxx-compiler: clang++-19
options: FIPS=${{ matrix.fips }} CMAKE_BUILD_TYPE=Release
- name: Build Project
run: cmake --build ./build --target all
- name: Run tests
run: cmake --build ./build --target run_tests
OpenBSD:
needs: [sanity-test-run]
runs-on: ubuntu-latest
name: OpenBSD ${{ matrix.version }} (${{ matrix.arch }}) test
strategy:
fail-fast: false
matrix:
arch: ["x86-64", "arm64"]
version: ["7.5", "7.6"]
steps:
- uses: actions/checkout@v3
- name: OpenBSD
uses: cross-platform-actions/action@595d543e5d1aeb6d48c0a176965028afe56c7018
env:
AWS_LC_SSL_TEST_RUNNER_PEEK_ROUNDS: 5
AWS_LC_GO_TEST_TIMEOUT: 120m
with:
environment_variables: AWS_LC_SSL_TEST_RUNNER_PEEK_ROUNDS AWS_LC_GO_TEST_TIMEOUT
operating_system: openbsd
cpu_count: 3
memory: 12G
architecture: ${{ matrix.arch }}
version: "${{ matrix.version }}"
shell: bash
run: |
set -x
sudo pkg_add cmake ninja go gmake
sudo pfctl -d
mkdir "${HOME}/bin"
ln -s /usr/local/bin/gmake "${HOME}/bin/make"
cat << EOF | sudo tee /etc/login.conf.d/unlimited
unlimited:\
:datasize-cur=infinity:\
:datasize-max=infinity:\
:stacksize-cur=infinity:\
:stacksize-max=infinity:\
:memoryuse-cur=infinity:\
:memoryuse-max=infinity:\
:maxproc-cur=infinity:\
:maxproc-max=infinity:\
:openfiles-cur=infinity:\
:openfiles-max=infinity:\
:cpuuse-cur=infinity:\
:cpuuse-max=infinity:\
:priority=0:\
:ignoretime:
EOF
sudo usermod -L unlimited runner
sudo su -c unlimited -s /usr/local/bin/bash -l runner <<EOF
set -x
export AWS_LC_SSL_TEST_RUNNER_PEEK_ROUNDS=${AWS_LC_SSL_TEST_RUNNER_PEEK_ROUNDS}
export AWS_LC_GO_TEST_TIMEOUT=${AWS_LC_GO_TEST_TIMEOUT}
cd $(pwd)
export PATH="${HOME}/bin:${PATH}"
env
tests/ci/run_bsd_tests.sh
EOF
gcc-4_8:
needs: [sanity-test-run]
runs-on: ubuntu-latest
env:
DOCKER_BUILDKIT: 1
steps:
- uses: actions/checkout@v4
- name: Build Docker Image
working-directory: .github/docker_images/gcc-4.8
run: |
docker build -t "gcc-4.8" .
- name: Build using pre-generated assembly
run: |
docker run -v "${{ github.workspace }}:/awslc" "gcc-4.8"
alpine-linux-x86:
needs: [sanity-test-run]
strategy:
fail-fast: false
matrix:
tests: [
/awslc/tests/ci/run_fips_tests.sh,
/awslc/tests/ci/run_posix_tests.sh
]
compiler: [
--build-arg CC=clang --build-arg CXX=clang++,
--build-arg CC=gcc --build-arg CXX=g++
]
runs-on: ubuntu-latest
env:
DOCKER_BUILDKIT: 1
steps:
- uses: actions/checkout@v4
- name: Build Docker Image
working-directory: .github/docker_images/alpine-linux
run: |
docker build -t alpine_linux ${{ matrix.compiler }} .
- name: Run tests
run: |
docker run -v "${{ github.workspace }}:/awslc" \
alpine_linux ${{ matrix.tests }}
# TODO: Investigate sudden hanging tests and failures in GHA runners (P114059413)
# MSVC-SDE-32-bit:
# needs: [sanity-test-run]
# runs-on: aws-lc_windows-2019_64-core
# steps:
# - name: Git clone the repository
# uses: actions/checkout@v3
#
# - name: Build Windows Dependencies
# run: |
# choco install ninja --version 1.9.0.20190208 -y &&
# choco install nasm --version 2.14.02 -y
#
# - name: Install SDE simulator
# run: |
# curl -SL --output temp.tar.xz ${{ env.SDE_MIRROR_URL }}
# 7z x temp.tar.xz
# 7z x temp.tar
# ren ${{ env.SDE_VERSION_TAG }} windows-sde
# del temp.tar.xz
# del temp.tar
#
# - name: Run Windows SDE Tests for 32 bit
# run: |
# $env:SDEROOT = "${PWD}\windows-sde"
# echo ${env:SDEROOT}
# .\tests\ci\run_windows_tests.bat "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat" x86 true
#
freebsd:
if: github.repository_owner == 'aws'
needs: [sanity-test-run]
name: FreeBSD ${{ matrix.version }} (${{ matrix.arch }}) test
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
arch:
- 'x86-64'
- 'arm64'
version:
- '13.3'
- '14.1'
steps:
- uses: actions/checkout@v4
with:
submodules: 'recursive'
- name: Prepare VM
uses: cross-platform-actions/action@v0.25.0
env:
AWS_LC_SSL_TEST_RUNNER_PEEK_ROUNDS: 5
AWS_LC_GO_TEST_TIMEOUT: 90m
GOFLAGS: "-buildvcs=false"
with:
environment_variables: 'AWS_LC_SSL_TEST_RUNNER_PEEK_ROUNDS AWS_LC_GO_TEST_TIMEOUT GOFLAGS'
operating_system: freebsd
architecture: ${{ matrix.arch }}
version: ${{ matrix.version }}
shell: bash
memory: 12G
cpu_count: 3
run: |
sudo pkg install -y git gmake cmake go ninja
tests/ci/run_bsd_tests.sh