Skip to content

validate ECDH keys #1067

validate ECDH keys

validate ECDH keys #1067

Workflow file for this run

on: [push, pull_request]
name: Test
jobs:
test:
strategy:
fail-fast: false
matrix:
go-version: [1.22.x, 1.23.x]
openssl-version: [1.0.2, 1.1.0, 1.1.1, 3.0.1, 3.0.13, 3.1.5, 3.2.1, 3.3.0, 3.3.1]
runs-on: ubuntu-20.04
steps:
- name: Install build tools
run: sudo apt-get install -y build-essential
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: ${{ matrix.go-version }}
- name: Checkout code
uses: actions/checkout@v4
- name: Install OpenSSL
run: sudo sh ./scripts/openssl.sh ${{ matrix.openssl-version }}
- name: Check headers
working-directory: ./cmd/checkheader
run: go run . --ossl-include /usr/local/src/openssl-${{ matrix.openssl-version }}/include -shim ../../shims.h
- name: Set OpenSSL config and prove FIPS
run: |
sudo cp ./scripts/openssl-3.cnf /usr/local/ssl/openssl.cnf
go test -v -count 0 . | grep -q "FIPS enabled: true"
if: ${{ matrix.openssl-version == '3.0.1' }}
env:
GO_OPENSSL_VERSION_OVERRIDE: ${{ matrix.openssl-version }}
- name: Run Test
# Run each test 10 times so the garbage collector chimes in
# and exercises the multiple finalizers we use.
# This can detect use-after-free and double-free issues.
run: go test -gcflags=all=-d=checkptr -count 10 -v ./...
env:
GO_OPENSSL_VERSION_OVERRIDE: ${{ matrix.openssl-version }}
- name: Run Test with address sanitizer
run: |
ok=true
for t in $(go test ./... -list=. | grep '^Test'); do
go test ./... -gcflags=all=-d=checkptr -asan -run ^$t$ -v || ok=false
done
$ok
env:
GO_OPENSSL_VERSION_OVERRIDE: ${{ matrix.openssl-version }}
wintest:
runs-on: windows-2022
strategy:
fail-fast: false
matrix:
go-version: [1.22.x, 1.23.x]
openssl-version: [libcrypto-1_1-x64.dll, libcrypto-3-x64.dll]
steps:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: ${{ matrix.go-version }}
- name: Checkout code
uses: actions/checkout@v4
- name: Run Test
run: go test -gcflags=all=-d=checkptr -count 10 -v ./...
env:
GO_OPENSSL_VERSION_OVERRIDE: ${{ matrix.openssl-version }}
mactest:
strategy:
fail-fast: false
matrix:
go-version: [1.22.x, 1.23.x]
openssl-version: [libcrypto.3.dylib]
runs-on: macos-12
steps:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: ${{ matrix.go-version }}
- name: Checkout code
uses: actions/checkout@v4
- name: Run Test
run: go test -gcflags=all=-d=checkptr -count 10 -v ./...
env:
GO_OPENSSL_VERSION_OVERRIDE: ${{ matrix.openssl-version }}
azurelinux:
runs-on: ubuntu-latest
container: mcr.microsoft.com/oss/go/microsoft/golang:1.23-azurelinux3.0
steps:
- name: Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Run Test
run: go test -v ./...
mariner2:
runs-on: ubuntu-latest
container: mcr.microsoft.com/oss/go/microsoft/golang:1.23.1-3-cbl-mariner2.0
steps:
- name: Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Run Test
run: go test -v ./...
# Verify that golang-fips/openssl builds successfully without cgo enabled.
#
# A project can avoid attempting to build the openssl package by only
# importing it from Go files with a cgo build tag. However, this isn't always
# reasonable. In that case, we can help by making sure the openssl package
# builds successfully even without cgo.
#
# For example, the Microsoft Go toolset fork builds this module without cgo
# for a cross-platform build.
#
# The golang-fips/openssl module can't do any crypto when built without cgo,
# but it exports a few simple functions and types.
cgolessbuild:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Run Build
run: CGO_ENABLED=0 go build ./...