Add OpenSSL 3.5 support to provider build and CI #333
Open
Pull request overview
This PR updates the OpenSSL provider build/test tooling so the repository can build and run provider integration tests against both OpenSSL 3.0.3 and 3.5.0, including CI matrix coverage and local xtask support.
Changes:
- Add an OpenSSL-version selector to `cargo xtask integration-tests` and parameterize OpenSSL auto-install/build paths.
- Update provider integration test harnesses/scripts to reliably load the intended OpenSSL shared libraries (especially for CAPI tests).
- Expand GitHub Actions CI to matrix-test provider integration against OpenSSL 3.0.3 and 3.5.0 (3.5 allowed to fail while stabilizing), plus documentation updates.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| xtask/src/precheck.rs | Passes an explicit OpenSSL version into the integration-test xtask when running full precheck. |
| xtask/src/openssl_install.rs | Generalizes OpenSSL auto-install to accept a version string and parameterizes install/cache paths. |
| xtask/src/integration_tests.rs | Adds --openssl-version CLI flag and wires it into OpenSSL resolution for integration tests. |
| xtask/README.md | Documents the new integration-tests command and --openssl-version usage. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/env.sh | Adds shell helpers to skip tests when OpenSSL is below a required version. |
| plugins/ossl_prov/integration-tests/openssl-capi/cpp/openssl_capi_integration_tests.rs | Ensures OpenSSL subprocesses use the correct OpenSSL shared libs by setting LD_LIBRARY_PATH. |
| plugins/ossl_prov/README.md | Documents supported OpenSSL versions and adds a comprehensive integration testing guide. |
| .github/workflows/rust.yml | Adds OpenSSL version matrix for provider integration testing and wires env vars for each version. |
Enable the provider to be built and tested against both OpenSSL 3.0.3 and 3.5.0 in parallel. No new provider features — this lays the structural groundwork for upcoming 3.5-only functionality.

The provider's existing version guards (#if OPENSSL_VERSION_MINOR == 0) already handle the polyfill exclusion correctly on 3.5. All 69 integration tests (27 CLI + 42 CAPI) pass on both versions.

Key changes:
- CI matrix on provider_integration job (3.0.3 + 3.5.0)
- xtask --openssl-version flag for local multi-version testing
- Fix: CAPI harness now sets LD_LIBRARY_PATH on openssl subprocesses (was relying on system libs being ABI-compatible — breaks on 3.5)
- Version gating helpers for future 3.5-only tests (C++ preprocessor guards, shell skip_below_ossl_3_5 helper)

Signed-off-by: Jens Topp <jens.topp@9elements.com>
Comment on lines +229 to +232
| integration_tests::IntegrationTest { | ||
| openssl_version: "3.0.3".to_string(), | ||
| } | ||
| .run(ctx.clone())?; |
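Review bot: the `openssl_version: "3.0.3".to_string()` literal on the second added line pins the full precheck to OpenSSL 3.0.3, so as far as these lines show a local precheck never runs the provider integration tests against 3.5.0, the version the CI matrix adds. Consider running `IntegrationTest` once per supported version here, or add a comment stating that precheck deliberately covers only 3.0.3.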
This duplicates the default OpenSSL version already declared on the IntegrationTest CLI struct (default_value = "3.0.3"). To avoid drift if the default changes later, prefer constructing via a shared constant/default (e.g., a DEFAULT_OPENSSL_VERSION constant or impl Default for IntegrationTest).
Suggested change
| integration_tests::IntegrationTest { | |
| openssl_version: "3.0.3".to_string(), | |
| } | |
| .run(ctx.clone())?; | |
| integration_tests::IntegrationTest::parse_from(["integration-test"]) | |
| .run(ctx.clone())?; |
Summary
- `LD_LIBRARY_PATH` bug in the CAPI test harness

Motivation
OpenSSL 3.5 brings features we need for new features of the HSH lib.
This PR prepares the build and test infrastructure so that 3.5-specific
provider features can be added incrementally without breaking 3.0 support.

What changed

CI (`.github/workflows/rust.yml`)
- `provider_integration` job uses `matrix.openssl-version: ['3.0.3', '3.5.0']`
- `continue-on-error` while stabilising
- `OPENSSL_DIR`, `OPENSSL_BIN`, `OPENSSL_LIB`) parameterised
- `OPENSSL_LIB` to the CAPI test step (was the only step without it — masked on 3.0 because system libs are ABI-compatible)

CAPI test harness (`openssl_capi_integration_tests.rs`)
- `find_openssl_lib_dir()` to resolve the OpenSSL shared library path
- `Command::new(&openssl)` calls in `setup_keymat()` now set `LD_LIBRARY_PATH` so the correct `libcrypto.so.3` is found regardless of what the system provides

xtask
- `openssl_install.rs`: parameterised to accept a version string
- `integration_tests.rs`: added `--openssl-version` CLI argument (default `3.0.3`; ignored when `OPENSSL_DIR` is already set)

Version gating (for future 3.5-only tests)
- `require_ossl_version` + `skip_below_ossl_3_5` helpers in `env.sh`
- `#if OPENSSL_VERSION_MINOR >= 5` pattern (matches provider code)

Documentation (`plugins/ossl_prov/README.md`, `xtask/README.md`)
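
The `LD_LIBRARY_PATH` fix described above, sketched as an added example that is not code from this PR: it resolves the library directory under an install root and pins it on the `openssl` subprocess, failing closed when the intended `libcrypto.so.3` is absent. The function names, the `lib64`/`lib` and `bin/openssl` layout, and the fallback install root are assumptions.

```rust
use std::env;
use std::ffi::OsString;
use std::path::{Path, PathBuf};
use std::process::Command;

// Assumed layout: <OPENSSL_DIR>/{lib64,lib}/libcrypto.so.3 and <OPENSSL_DIR>/bin/openssl.
/// Pick the first candidate directory that really contains libcrypto.so.3.
fn find_lib_dir(openssl_dir: &Path) -> Option<PathBuf> {
    ["lib64", "lib"]
        .iter()
        .map(|sub| openssl_dir.join(sub))
        .find(|dir| dir.join("libcrypto.so.3").is_file())
}

/// Put `lib_dir` first so the loader prefers it over a system copy. Existing
/// entries are kept, minus duplicates and empty ones (an empty entry makes the
/// loader search the current working directory).
fn prepend_lib_path(lib_dir: &Path, existing: Option<OsString>) -> OsString {
    let mut dirs = vec![lib_dir.to_path_buf()];
    if let Some(old) = existing {
        dirs.extend(env::split_paths(&old).filter(|p| !p.as_os_str().is_empty() && p != lib_dir));
    }
    env::join_paths(dirs).expect("a library directory contains the path separator")
}

/// Build the openssl subprocess with the loader path pinned; refuse to build
/// it at all when the intended libcrypto is missing, rather than silently
/// falling back to whatever the system provides.
fn openssl_command(openssl_dir: &Path) -> Result<Command, String> {
    let lib_dir = find_lib_dir(openssl_dir)
        .ok_or_else(|| format!("no libcrypto.so.3 under {}", openssl_dir.display()))?;
    let mut cmd = Command::new(openssl_dir.join("bin").join("openssl"));
    cmd.env("LD_LIBRARY_PATH", prepend_lib_path(&lib_dir, env::var_os("LD_LIBRARY_PATH")));
    Ok(cmd)
}

fn main() {
    // The fallback install root is a constructed placeholder.
    let root = env::var("OPENSSL_DIR").unwrap_or_else(|_| "/opt/openssl-3.5.0".to_string());
    match openssl_command(Path::new(&root)) {
        // `openssl version` prints the version of the library it loaded, so
        // the output shows whether the intended build was picked up.
        Ok(mut cmd) => match cmd.arg("version").output() {
            Ok(out) => print!("{}", String::from_utf8_lossy(&out.stdout)),
            Err(e) => eprintln!("could not run openssl: {e}"),
        },
        Err(e) => eprintln!("{e}"),
    }
}
```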