Skip to content

Enable building the provider with OpenSSL 4.0 #526

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
chipitsine merged 6 commits into from
Apr 24, 2026
Merged

Enable building the provider with OpenSSL 4.0 #526

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
835a042
Remove direct access to ASN1_* fields
Mar 30, 2026
6bf7f6a
Move gost_pmeth functions impl from gost-core to engine-related trans…
Apr 7, 2026
9a79779
Move gost_ameth functions impl from gost-core to engine-related trans…
Apr 7, 2026
dc3b903
Move cmd function impl from gost-core to engine-related translation unit
Apr 17, 2026
5209f5e
Enable building the provider with OpenSSL 4.0
Apr 7, 2026
8241540
Fix setting Grasshopper MAC size > 8 via openssl-tool
Mironenko Apr 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 7 additions & 3 deletions .github/script.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,13 +2,17 @@

PREFIX=$HOME/opt
PATH=$PREFIX/bin:$PATH
BUILD_ENGINE=${GOST_BUILD_ENGINE:+-DGOST_BUILD_ENGINE=$GOST_BUILD_ENGINE}
BUILD_PROVIDER=${GOST_BUILD_PROVIDER:+-DGOST_BUILD_PROVIDER=$GOST_BUILD_PROVIDER}

mkdir build
cd build
cmake -DTLS13_PATCHED_OPENSSL=$PATCH_OPENSSL -DOPENSSL_ROOT_DIR=$PREFIX -DOPENSSL_ENGINES_DIR=$PREFIX/engines ${ASAN-} ..
cmake -DTLS13_PATCHED_OPENSSL=$PATCH_OPENSSL -DOPENSSL_ROOT_DIR=$PREFIX \
-DOPENSSL_ENGINES_DIR=$PREFIX/engines ${ASAN-} \
$BUILD_ENGINE $BUILD_PROVIDER ..

make
make test CTEST_OUTPUT_ON_FAILURE=1
if [ -z "${ASAN-}" ]; then
make tcl_tests_engine
make tcl_tests_provider
make tcl_tests
fi
100 changes: 84 additions & 16 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,48 +12,89 @@ env:
GOST_PROVIDER_ENABLE_ONLINE_TESTS: 1

jobs:
gcc-openssl-stable:
gcc-engine-openssl-3-6-0:
runs-on: ubuntu-latest
if: ${{ github.event_name != 'schedule' }}
env:
GOST_BUILD_PROVIDER: OFF
steps:
- uses: actions/checkout@v2
with:
submodules: true
- run: .github/before_script.sh
- run: .github/script.sh

clang-engine-openssl-3-6-0:
runs-on: ubuntu-latest
if: ${{ github.event_name != 'schedule' }}
env:
CC: clang
GOST_BUILD_PROVIDER: OFF
steps:
- uses: actions/checkout@v2
with:
submodules: true
- run: .github/before_script.sh
- run: .github/script.sh

macos-engine-openssl-3-6-0:
runs-on: macos-latest
if: ${{ github.event_name != 'schedule' }}
env:
USE_RPATH:
GOST_PROVIDER_ENABLE_ONLINE_TESTS: 0 # macOS runner has no network access to infotecs TLS1.3 server
GOST_BUILD_PROVIDER: OFF
steps:
- uses: actions/checkout@v2
with:
submodules: true
- run: .github/before_script.sh
- run: .github/script.sh

gcc-provider-openssl-3-6-0-patch:
runs-on: ubuntu-latest
if: ${{ github.event_name != 'schedule' }}
env:
PATCH_OPENSSL: 1
GOST_BUILD_ENGINE: OFF
steps:
- uses: actions/checkout@v2
with:
submodules: true
- run: .github/before_script.sh
- run: .github/script.sh

clang-openssl-stable:
clang-provider-openssl-3-6-0-patch:
runs-on: ubuntu-latest
if: ${{ github.event_name != 'schedule' }}
env:
CC: clang
PATCH_OPENSSL: 1
GOST_BUILD_ENGINE: OFF
steps:
- uses: actions/checkout@v2
with:
submodules: true
- run: .github/before_script.sh
- run: .github/script.sh

macos-openssl-stable:
macos-provider-openssl-3-6-0-patch:
runs-on: macos-latest
if: ${{ github.event_name != 'schedule' }}
env:
USE_RPATH:
PATCH_OPENSSL: 1
GOST_PROVIDER_ENABLE_ONLINE_TESTS: 0 # macOS runner has no network access to infotecs TLS1.3 server
PATCH_OPENSSL: 1
GOST_BUILD_ENGINE: OFF
steps:
- uses: actions/checkout@v2
with:
submodules: true
- run: .github/before_script.sh
- run: .github/script.sh

gcc-openssl-master:
gcc-provider-openssl-master:
runs-on: ubuntu-latest
if: ${{ github.event_name == 'schedule' }}
env:
OPENSSL_BRANCH: master
steps:
Expand All @@ -63,24 +104,37 @@ jobs:
- run: .github/before_script.sh
- run: .github/script.sh

macos-openssl-master:
clang-provider-openssl-4-0-0:
runs-on: ubuntu-latest
if: ${{ github.event_name != 'schedule' }}
env:
CC: clang
OPENSSL_BRANCH: openssl-4.0.0
steps:
- uses: actions/checkout@v2
with:
submodules: true
- run: .github/before_script.sh
- run: .github/script.sh

macos-provider-openssl-4-0-0:
runs-on: macos-latest
if: ${{ github.event_name == 'schedule' }}
if: ${{ github.event_name != 'schedule' }}
env:
OPENSSL_BRANCH: master
OPENSSL_BRANCH: openssl-4.0.0
USE_RPATH:
GOST_PROVIDER_ENABLE_ONLINE_TESTS: 0 # macOS runner has no network access to infotecs TLS1.3 server
steps:
- uses: actions/checkout@v2
with:
submodules: true
- run: .github/before_script.sh
- run: .github/script.sh

gcc-asan-openssl-master:
gcc-asan-openssl-4-0-0:
runs-on: ubuntu-latest
if: ${{ github.event_name == 'schedule' }}
env:
OPENSSL_BRANCH: master
OPENSSL_BRANCH: openssl-4.0.0
ASAN: -DASAN=1
steps:
- uses: actions/checkout@v2
Expand All @@ -89,11 +143,10 @@ jobs:
- run: .github/before_script.sh
- run: .github/script.sh

macos-asan-openssl-master:
macos-asan-openssl-4-0-0:
runs-on: macos-latest
if: ${{ github.event_name == 'schedule' }}
env:
OPENSSL_BRANCH: master
OPENSSL_BRANCH: openssl-4.0.0
ASAN: -DASAN=1
USE_RPATH:
steps:
Expand All @@ -103,7 +156,7 @@ jobs:
- run: .github/before_script.sh
- run: .github/script.sh

gcc-openssl-stable-x86:
gcc-openssl-3-6-0-x86:
runs-on: ubuntu-latest
if: ${{ github.event_name == 'schedule' }}
env:
Expand All @@ -119,3 +172,18 @@ jobs:
- run: .github/before_script.sh
- run: .github/script.sh

gcc-openssl-4-0-0-x86:
runs-on: ubuntu-latest
if: ${{ github.event_name == 'schedule' }}
env:
CFLAGS: -m32
LDFLAGS: -m32
SETARCH: "setarch i386"
APT_INSTALL: gcc-multilib
OPENSSL_BRANCH: openssl-4.0.0
steps:
- uses: actions/checkout@v2
with:
submodules: true
- run: .github/before_script.sh
- run: .github/script.sh
161 changes: 155 additions & 6 deletions .github/workflows/windows.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,10 @@ name: CI (windows)
on: [push, pull_request]

jobs:
msvc-openssl:
msvc-openssl-3-6-0-patch:
runs-on: windows-latest
outputs:
openssl-head: ${{ steps.openssl.outputs.head }}
openssl-head: ${{ steps.openssl.outputs.head }}-${{ steps.patches.outputs.id }}
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v2
Expand All @@ -16,11 +16,13 @@ jobs:
fetch-depth: 0
- run: echo "::set-output name=head::$(git -C openssl describe --always --long)"
id: openssl
- run: echo "::set-output name=id::$(git rev-parse HEAD:patches)"
id: patches
- uses: actions/cache@v4
id: cache
with:
path: openssl/_dest
key: ${{ runner.os }}-openssl-${{ steps.openssl.outputs.head }}
key: ${{ runner.os }}-openssl-${{ steps.openssl.outputs.head }}-${{ steps.patches.outputs.id }}
- name: Apply patches
run: |
git apply patches/openssl-tls1.3.patch
Expand All @@ -36,8 +38,155 @@ jobs:
nmake /S build_libs build_programs
nmake /S install_sw DESTDIR=_dest

msvc-engine:
needs: msvc-openssl
msvc-openssl-3-6-0:
runs-on: windows-latest
outputs:
openssl-head: ${{ steps.openssl.outputs.head }}
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v2
with:
repository: openssl/openssl
path: openssl
ref: openssl-3.6.0
fetch-depth: 0
- run: echo "::set-output name=head::$(git -C openssl describe --always --long)"
id: openssl
- uses: actions/cache@v4
id: cache
with:
path: openssl/_dest
key: ${{ runner.os }}-openssl-${{ steps.openssl.outputs.head }}
- uses: ilammy/msvc-dev-cmd@v1
- name: Build OpenSSL
if: steps.cache.outputs.cache-hit != 'true'
working-directory: openssl
run: |
perl Configure no-makedepend no-tests no-asm VC-WIN64A
perl configdata.pm --dump
nmake /S build_libs build_programs
nmake /S install_sw DESTDIR=_dest

msvc-openssl-4-0-0:
runs-on: windows-latest
outputs:
openssl-head: ${{ steps.openssl.outputs.head }}
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v2
with:
repository: openssl/openssl
path: openssl
ref: openssl-4.0.0
fetch-depth: 0
- run: echo "::set-output name=head::$(git -C openssl describe --always --long)"
id: openssl
- uses: actions/cache@v4
id: cache
with:
path: openssl/_dest
key: ${{ runner.os }}-openssl-${{ steps.openssl.outputs.head }}
- uses: ilammy/msvc-dev-cmd@v1
- name: Build OpenSSL
if: steps.cache.outputs.cache-hit != 'true'
working-directory: openssl
run: |
perl Configure no-makedepend no-tests no-asm VC-WIN64A
perl configdata.pm --dump
nmake /S build_libs build_programs
nmake /S install_sw DESTDIR=_dest

msvc-openssl-master:
runs-on: windows-latest
outputs:
openssl-head: ${{ steps.openssl.outputs.head }}
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v2
with:
repository: openssl/openssl
path: openssl
ref: master
fetch-depth: 0
- run: echo "::set-output name=head::$(git -C openssl describe --always --long)"
id: openssl
- uses: actions/cache@v4
id: cache
with:
path: openssl/_dest
key: ${{ runner.os }}-openssl-${{ steps.openssl.outputs.head }}
- uses: ilammy/msvc-dev-cmd@v1
- name: Build OpenSSL
if: steps.cache.outputs.cache-hit != 'true'
working-directory: openssl
run: |
perl Configure no-makedepend no-tests no-asm VC-WIN64A
perl configdata.pm --dump
nmake /S build_libs build_programs
nmake /S install_sw DESTDIR=_dest

msvc-engine-openssl-3-6-0:
needs: msvc-openssl-3-6-0
runs-on: windows-latest
steps:
- uses: actions/checkout@v2
with:
submodules: true
- uses: actions/cache@v4
with:
path: openssl/_dest
key: ${{ runner.os }}-openssl-${{ needs.msvc-openssl-3-6-0.outputs.openssl-head }}
- run: cmake -DOPENSSL_ROOT_DIR="openssl\_dest\Program Files\OpenSSL" -DOPENSSL_ENGINES_DIR=bin -DGOST_BUILD_PROVIDER=0 .
- run: cmake --build .
- name: Run tests
run: |
$env:OPENSSL_ENGINES = "$pwd\bin\Debug"
$env:OPENSSL_MODULES = "$pwd\bin\Debug"
Copy-Item -Path "$pwd\openssl\_dest\Program Files\OpenSSL\bin\*.dll" -Destination "$pwd\bin\Debug"
ctest -C Debug --output-on-failure

msvc-provider-openssl-3-6-0-patch:
needs: msvc-openssl-3-6-0-patch
runs-on: windows-latest
steps:
- uses: actions/checkout@v2
with:
submodules: true
- uses: actions/cache@v4
with:
path: openssl/_dest
key: ${{ runner.os }}-openssl-${{ needs.msvc-openssl-3-6-0-patch.outputs.openssl-head }}
- run: cmake -DOPENSSL_ROOT_DIR="openssl\_dest\Program Files\OpenSSL" -DOPENSSL_ENGINES_DIR=bin -DGOST_BUILD_ENGINE=OFF .
Comment on lines +155 to +159
Copy link

Copilot AI Apr 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The OpenSSL build job msvc-openssl-3-6-0-patch caches openssl/_dest with a key that includes ${{ steps.patches.outputs.id }}, but the downstream job msvc-provider-openssl-3-6-0-patch restores the cache using a key that omits that suffix. This will cause consistent cache misses (and the downstream job doesn't build OpenSSL itself), breaking the workflow when the cache is cold or when patches change. Use the exact same cache key in the consumer job (either include the patches id in the job outputs and reference it here, or revert the producer key to only use openssl-head).

Copilot uses AI. Check for mistakes.
Copy link
Copy Markdown
Contributor Author

@Mironenko Mironenko Apr 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FIxed. Nice catch. See https://github.com/gost-engine/engine/actions/runs/24907534870/job/72940762367?pr=526#step:3:10

- run: cmake --build .
- name: Run tests
run: |
$env:OPENSSL_ENGINES = "$pwd\bin\Debug"
$env:OPENSSL_MODULES = "$pwd\bin\Debug"
Copy-Item -Path "$pwd\openssl\_dest\Program Files\OpenSSL\bin\*.dll" -Destination "$pwd\bin\Debug"
ctest -C Debug --output-on-failure

msvc-provider-openssl-4-0-0:
needs: msvc-openssl-4-0-0
runs-on: windows-latest
steps:
- uses: actions/checkout@v2
with:
submodules: true
- uses: actions/cache@v4
with:
path: openssl/_dest
key: ${{ runner.os }}-openssl-${{ needs.msvc-openssl-4-0-0.outputs.openssl-head }}
- run: cmake -DOPENSSL_ROOT_DIR="openssl\_dest\Program Files\OpenSSL" -DOPENSSL_ENGINES_DIR=bin .
- run: cmake --build .
- name: Run tests
run: |
$env:OPENSSL_ENGINES = "$pwd\bin\Debug"
$env:OPENSSL_MODULES = "$pwd\bin\Debug"
Copy-Item -Path "$pwd\openssl\_dest\Program Files\OpenSSL\bin\*.dll" -Destination "$pwd\bin\Debug"
ctest -C Debug --output-on-failure

msvc-provider-openssl-master:
needs: msvc-openssl-master
runs-on: windows-latest
steps:
- uses: actions/checkout@v2
Expand All @@ -46,7 +195,7 @@ jobs:
- uses: actions/cache@v4
with:
path: openssl/_dest
key: ${{ runner.os }}-openssl-${{ needs.msvc-openssl.outputs.openssl-head }}
key: ${{ runner.os }}-openssl-${{ needs.msvc-openssl-master.outputs.openssl-head }}
- run: cmake -DOPENSSL_ROOT_DIR="openssl\_dest\Program Files\OpenSSL" -DOPENSSL_ENGINES_DIR=bin .
- run: cmake --build .
- name: Run tests
Expand Down
Loading
Loading