.gitlab-ci: Add fedora rawhide to gitlab CI

Rawhide has openssl 3.0 support which can test the new changes.

Signed-off-by: Norbert Pocs <npocs@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>

.gitlab-ci.yml

@@ -7,6 +7,7 @@ variables:
   MINGW_BUILD: buildenv-mingw
   TUMBLEWEED_BUILD: buildenv-tumbleweed
   UBUNTU_BUILD: buildenv-ubuntu
+  RAWHIDE_BUILD: buildenv-rawhide
 
 stages:
   - build
@@ -20,7 +21,7 @@ stages:
     CMAKE_BUILD_OPTIONS: "-DWITH_BLOWFISH_CIPHER=ON -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON -DWITH_DEBUG_CRYPTO=ON -DWITH_DEBUG_PACKET=ON -DWITH_DEBUG_CALLTRACE=ON -DWITH_DSA=ON"
     CMAKE_TEST_OPTIONS: "-DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DWITH_BENCHMARKS=ON"
     CMAKE_OPTIONS: $CMAKE_DEFAULT_OPTIONS $CMAKE_BUILD_OPTIONS $CMAKE_TEST_OPTIONS
-  before_script:
+  before_script: &build
     - uname -a
     - cat /etc/os-release
     - mount
@@ -60,6 +61,14 @@ stages:
   variables:
     CMAKE_ADDITIONAL_OPTIONS: -DWITH_PKCS11_URI=ON
 
+.fedora_rawhide:
+  extends: .fedora
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$RAWHIDE_BUILD
+  before_script:
+    - *build
+    # Legacy cp is needed for SHA1 tests to pass
+    - update-crypto-policies --set LEGACY
+
 .tumbleweed:
   extends: .tests
   image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$TUMBLEWEED_BUILD
@@ -140,6 +149,49 @@ fedora/openssl_1.1.x/x86_64/minimal:
       -DWITH_GEX=OFF .. &&
       make -j$(nproc)
 
+fedora/openssl_3.0/x86_64:
+  extends: .fedora_rawhide
+
+fedora/openssl_3.0/x86_64/fips:
+  extends: .fedora_rawhide
+  before_script:
+    - echo "# userspace fips" > /etc/system-fips
+    # We do not need the kernel part, but in case we ever do:
+    # mkdir -p /var/tmp/userspace-fips
+    # echo 1 > /var/tmp/userspace-fips/fips_enabled
+    # mount --bind /var/tmp/userspace-fips/fips_enabled \
+    # /proc/sys/crypto/fips_enabled
+    - update-crypto-policies --show
+    - update-crypto-policies --set FIPS
+    - update-crypto-policies --show
+    - mkdir -p obj && cd obj && cmake
+      -DCMAKE_BUILD_TYPE=RelWithDebInfo
+      -DPICKY_DEVELOPER=ON
+      -DWITH_BLOWFISH_CIPHER=ON
+      -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
+      -DWITH_DEBUG_CRYPTO=ON -DWITH_DEBUG_PACKET=ON -DWITH_DEBUG_CALLTRACE=ON
+      -DWITH_DSA=ON
+      -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON ..
+  script:
+    - cmake $CMAKE_OPTIONS .. &&
+      make -j$(nproc) &&
+      OPENSSL_FORCE_FIPS_MODE=1 ctest --output-on-failure
+
+fedora/openssl_3.0/x86_64/minimal:
+  extends: .fedora_rawhide
+  variables:
+  script:
+    - cmake $CMAKE_DEFAULT_OPTIONS
+      -DWITH_SFTP=OFF
+      -DWITH_SERVER=OFF
+      -DWITH_ZLIB=OFF
+      -DWITH_PCAP=OFF
+      -DWITH_DSA=OFF
+      -DUNIT_TESTING=ON
+      -DCLIENT_TESTING=ON
+      -DWITH_GEX=OFF .. &&
+      make -j$(nproc)
+
 # Address sanitizer doesn't mix well with LD_PRELOAD used in the testsuite
 # so, this is only enabled for unit tests right now.
 # TODO: add -DCLIENT_TESTING=ON -DSERVER_TESTING=ON
@@ -274,6 +326,17 @@ fedora/csbuild/openssl_1.1.x:
       --color
       --print-current --print-fixed
 
+fedora/csbuild/openssl_3.0.x:
+  extends: .csbuild
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$RAWHIDE_BUILD
+  script:
+    - csbuild
+      --build-dir=obj-csbuild
+      --build-cmd "rm -rf CMakeFiles CMakeCache.txt && cmake -DCMAKE_BUILD_TYPE=Debug -DPICKY_DEVELOPER=ON -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DFUZZ_TESTING=ON -DWITH_DSA=ON @SRCDIR@ && make clean && make -j$(nproc)"
+      --git-commit-range $CI_COMMIT_RANGE
+      --color
+      --print-current --print-fixed
+
 fedora/csbuild/libgcrypt:
   extends: .csbuild
   script: