Skip to content

chore(tests): add openssl 3.2.2 #922

chore(tests): add openssl 3.2.2

chore(tests): add openssl 3.2.2 #922

Workflow file for this run

name: Tests
on:
pull_request:
paths-ignore:
- '*.md'
push:
branches:
- master
- release/*
paths-ignore:
- '*.md'
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
jobs:
tests:
name: Tests
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
# TODO: arm64
# latest and one version older for valgrind and perf test
- nginx: "1.19.9"
openssl: "3.1.5"
openssl_fips: "3.0.9"
extras: "valgrind"
lua_nginx_module: "v0.10.20"
lua_resty_core: "v0.1.22"
nginx_cc_opts: "-Wno-error"
- nginx: "1.21.4"
openssl: "3.1.5"
openssl_fips: "3.0.9"
extras: "valgrind"
lua_nginx_module: "v0.10.25"
lua_resty_core: "v0.1.27"
nginx_cc_opts: "-Wno-error"
- nginx: "1.25.3"
openssl: "1.1.1w"
extras: "valgrind perf"
lua_nginx_module: "v0.10.26"
lua_resty_core: "v0.1.28"
- nginx: "1.25.3"
openssl: "3.0.13"
openssl_fips: "3.0.9"
extras: "valgrind perf lua-kong-nginx-module"
lua_nginx_module: "v0.10.26"
lua_resty_core: "v0.1.28"
nginx_cc_opts: "-Wno-error"
- nginx: "1.25.3"
openssl: "3.1.5"
openssl_fips: "3.0.9"
extras: "valgrind perf lua-kong-nginx-module"
lua_nginx_module: "v0.10.26"
lua_resty_core: "v0.1.28"
nginx_cc_opts: "-Wno-error"
- nginx: "1.25.3"
openssl: "3.2.2"
openssl_fips: "3.0.9"
extras: "valgrind perf lua-kong-nginx-module"
lua_nginx_module: "v0.10.26"
lua_resty_core: "v0.1.28"
nginx_cc_opts: "-Wno-error"
- nginx: "1.25.3"
openssl: "3.3.0"
openssl_fips: "3.0.9"
extras: "valgrind perf lua-kong-nginx-module"
lua_nginx_module: "v0.10.26"
lua_resty_core: "v0.1.28"
nginx_cc_opts: "-Wno-error"
env:
JOBS: 3
SH: bash
NGX_BUILD_JOBS: 3
BASE_PATH: /home/runner/work/cache
LUAJIT_PREFIX: /home/runner/work/cache/luajit21
LUAJIT_LIB: /home/runner/work/cache/luajit21/lib
LUAJIT_INC: /home/runner/work/cache/luajit21/include/luajit-2.1
LUA_INCLUDE_DIR: /home/runner/work/cache/luajit21/include/luajit-2.1
OPENSSL_PREFIX: /home/runner/work/cache/ssl
# lib64 since openssl 3.0
OPENSSL_LIB: /home/runner/work/cache/ssl/lib64
OPENSSL_INC: /home/runner/work/cache/ssl/include
TEST_NGINX_SLEEP: 0.005
TEST_NGINX_RANDOMIZE: 1
LUACHECK_VER: 0.21.1
CC: gcc
NGX_BUILD_CC: gcc
steps:
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup cache
uses: actions/cache@v3
with:
path: |
/home/runner/work/cache
key: ${{ runner.os }}-${{ hashFiles('**/tests.yml') }}-nginx-${{ matrix.nginx }}-openssl-${{ matrix.openssl }}-fips-${{ matrix.openssl_fips }}
- name: Setup tools
run: |
sudo apt-get update
sudo apt-get install -qq -y cpanminus axel ca-certificates valgrind haveged
mkdir -p $OPENSSL_PREFIX $LUAJIT_PREFIX
# perl cache
pushd /home/runner/work/cache
if [ ! -e perl ]; then sudo cpanm --notest Test::Nginx > build.log 2>&1 || (cat build.log && exit 1); cp -r /usr/local/share/perl/ .; else sudo cp -r perl /usr/local/share; fi
# build tools at parent directory of cache
cd ..
git clone https://github.com/openresty/openresty.git ./openresty
git clone https://github.com/openresty/nginx-devel-utils.git
git clone https://github.com/simpl/ngx_devel_kit.git ./ndk-nginx-module
git clone https://github.com/openresty/lua-nginx-module.git ./lua-nginx-module -b ${{ matrix.lua_nginx_module }}
git clone https://github.com/openresty/no-pool-nginx.git ./no-pool-nginx
git clone https://github.com/fffonion/lua-resty-openssl-aux-module ./lua-resty-openssl-aux-module
git clone https://github.com/Kong/lua-kong-nginx-module.git ./lua-kong-nginx-module
# lua libraries at parent directory of current repository
popd
git clone https://github.com/openresty/lua-resty-core.git ../lua-resty-core -b ${{ matrix.lua_resty_core }}
git clone https://github.com/openresty/lua-resty-lrucache.git ../lua-resty-lrucache
git clone https://github.com/openresty/lua-resty-string ../lua-resty-string
- name: Build OpenSSL
if: matrix.boringssl == ''
run: |
T=$OPENSSL_PREFIX
mkdir -p $T
if [ "X$OPENSSL_HASH" != "X" ]; then wget https://github.com/openssl/openssl/archive/$OPENSSL_HASH.tar.gz -qO - | tar zxf ; pushd openssl-$OPENSSL_HASH/; fi
if [ "X$OPENSSL_HASH" = "X" ] ; then (wget https://github.com/openssl/openssl/releases/download/openssl-${{ matrix.openssl }}/openssl-${{ matrix.openssl }}.tar.gz -qO - || wget https://openssl.org/source/old/1.1.1/openssl-${{ matrix.openssl}}.tar.gz -qO -) | tar zxf -; pushd openssl-${{ matrix.openssl }}/; fi
if [ ! -e $T/include ]; then ./config shared -d --prefix=$T -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); fi
if [ ! -e $T/include ]; then make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); fi
if [ ! -e $T/include ]; then make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); fi
if [ ! -e $T/lib64 ]; then sudo cp -r $T/lib $T/lib64; fi
mkdir -p $T/certs/ && sudo cp -r /etc/ssl/certs/* $T/certs/
- name: Build OpenSSL FIPS module
if: matrix.openssl_fips != ''
run: |
T=${OPENSSL_PREFIX}.fips
mkdir -p $T
wget https://github.com/openssl/openssl/releases/download/openssl-${{ matrix.openssl_fips }}/openssl-${{ matrix.openssl_fips }}.tar.gz -qO - | tar zxf -; pushd openssl-${{ matrix.openssl_fips }}
if [ -e $OPENSSL_PREFIX/lib64/ossl-modules/fips.so ]; then exit 0; fi
./config shared -d --prefix=$T -DPURIFY enable-fips > build.log 2>&1 || (cat build.log && exit 1)
make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1)
make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1)
make PATH=$PATH install_fips > build.log 2>&1 || (cat build.log && exit 1)
cp $T/lib64/ossl-modules/fips.so $OPENSSL_PREFIX/lib64/ossl-modules/fips.so
mkdir -p $OPENSSL_PREFIX/ssl && cp $T/ssl/fipsmodule.cnf $OPENSSL_PREFIX/ssl/fipsmodule.cnf
# don't activate by default
sed -i "/activate = 1/d" $OPENSSL_PREFIX/ssl/fipsmodule.cnf
- name: Build LuaJIT
env:
LUAJIT_CC_OPTS: ${{ matrix.luajit_cc_opts }}
run: |
if [[ "${{ matrix.extras }}" == *valgrind* ]]; then LUAJIT_CC_OPTS="$LUAJIT_CC_OPTS -DLUAJIT_NUMMODE=2 -DLUAJIT_USE_SYSMALLOC -O0"; fi
export
cd $LUAJIT_PREFIX
if [ ! -e luajit2 ]; then git clone -b v2.1-agentzh https://github.com/openresty/luajit2.git; fi
cd luajit2
make -j$JOBS CCDEBUG=-g Q= PREFIX=$LUAJIT_PREFIX CC=$CC XCFLAGS="-DLUA_USE_APICHECK -DLUA_USE_ASSERT -DLUAJIT_ENABLE_LUA52COMPAT ${{ matrix.luajit_cc_opts }}" > build.log 2>&1 || (cat build.log && exit 1)
make install PREFIX=$LUAJIT_PREFIX > build.log 2>&1 || (cat build.log && exit 1)
- name: Build lua-cjson
run: |
if [ ! -e lua-cjson ]; then git clone https://github.com/openresty/lua-cjson.git ./lua-cjson; fi
pushd ./lua-cjson && make && sudo PATH=$PATH make install && popd
- name: Build Nginx
env:
NGINX_CC_OPTS: ${{ matrix.nginx_cc_opts }}
NGINX_MODULES: ""
run: |
if [[ "${{ matrix.extras }}" == *valgrind* ]]; then NGINX_CC_OPTS="$NGINX_CC_OPTS -O0"; fi
if [[ "${{ matrix.extras }}" == *lua-kong-nginx-module* ]]; then NGINX_MODULES="$NGINX_MODULES --add-module=../lua-kong-nginx-module"; fi
export PATH=$BASE_PATH/work/nginx/sbin:$BASE_PATH/../nginx-devel-utils:$PATH
export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
export NGX_LUA_LOC=$BASE_PATH/../lua-nginx-module
export NGX_STREAM_LUA_LOC=$BASE_PATH/../stream-lua-nginx-module
export
cd $BASE_PATH
if [ ! -e work ]; then ngx-build ${{ matrix.nginx }} --add-module=../ndk-nginx-module --add-module=../lua-nginx-module --add-module=../lua-resty-openssl-aux-module $NGINX_MODULES --with-http_ssl_module --with-cc-opt="-I$OPENSSL_INC $NGINX_CC_OPTS" --with-ld-opt="-L$OPENSSL_LIB -Wl,-rpath,$OPENSSL_LIB" --with-debug > build.log 2>&1 || (cat build.log && exit 1); fi
nginx -V
ldd `which nginx`|grep -E 'luajit|ssl|pcre'
- name: Run Test
run: |
export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
export PATH=$BASE_PATH/work/nginx/sbin:$PATH
TEST_NGINX_TIMEOUT=20 prove -j$JOBS -r t/ 2>&1
echo "Nginx SSL plain FFI"
export CI_SKIP_NGINX_C=1
TEST_NGINX_TIMEOUT=10 prove -j$JOBS t/openssl/ssl/ 2>&1
export CI_SKIP_KONG_SSL_FUNCS=1
TEST_NGINX_TIMEOUT=10 prove -j$JOBS t/openssl/ssl/ 2>&1
- name: Get changed files
id: changed-files
uses: tj-actions/changed-files@v44
- name: Run Valgrind
if: contains(matrix.extras, 'valgrind')
env:
ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
run: |
files_to_test=""
# if on master branches
if [ "${{ github.ref }}" == "refs/heads/master" ]; then
files_to_test="t"
else
for file in ${ALL_CHANGED_FILES}; do
mod=$(echo "$file" | grep lib/resty | sed 's|^lib/||' | sed 's|/|.|g' | sed 's|\.lua$||')
files_to_test="$files_to_test $(grep -l "${mod}\b" t/**/*.t 2>/dev/null | tr '\n' ' ' | sed 's/ $//')"
done
files_to_test=$(echo "$files_to_test" | tr ' ' '\n' | sort -u | tr '\n' ' ' | sed 's/ $//')
fi
echo "Files to run for valgrind: $files_to_test"
if [ -z "$files_to_test" ]; then return; fi
export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
export TEST_NGINX_USE_VALGRIND=1 TEST_NGINX_VALGRIND='--num-callers=100 -q --tool=memcheck --leak-check=full --show-possibly-lost=no --gen-suppressions=all --suppressions=valgrind.suppress --track-origins=yes' TEST_NGINX_TIMEOUT=60 TEST_NGINX_SLEEP=1
export TEST_NGINX_INIT_BY_LUA="debug.sethook(function () collectgarbage() end, 'l') jit.off()"
export PATH=$BASE_PATH/work/nginx/sbin:$PATH
stdbuf -o 0 -e 0 prove -j$JOBS -r $files_to_test 2>&1 | grep -v "Connection refused" | grep -v "Retry connecting after" | tee output.log
if grep -q 'insert_a_suppression_name_here' output.log; then echo "Valgrind found problems"; exit 1; fi
if echo "$files_to_test" | grep -q "\bt/openssl/ssl\b"; then
echo "Nginx SSL plain FFI"
export CI_SKIP_NGINX_C=1
stdbuf -o 0 -e 0 prove -j$JOBS t/openssl/ssl/ 2>&1 | grep -v "Connection refused" | grep -v "Retry connecting after" | tee output.log
if grep -q 'insert_a_suppression_name_here' output.log; then echo "Valgrind found problems"; exit 1; fi
export CI_SKIP_KONG_SSL_FUNCS=1
stdbuf -o 0 -e 0 prove -j$JOBS t/openssl/ssl/ 2>&1 | grep -v "Connection refused" | grep -v "Retry connecting after" | tee output.log
if grep -q 'insert_a_suppression_name_here' output.log; then echo "Valgrind found problems"; exit 1; fi
fi
- name: Run FIPS Test
run: |
# openssl 3.0
if [ -e $OPENSSL_LIB/ossl-modules/fips.so ]; then
echo "FIPS for OpenSSL 3.0"
cp t/fixtures/openssl_fips.cnf $OPENSSL_PREFIX/openssl-fips.cnf
pushd openssl-${{ matrix.openssl }}/;
# LD_LIBRARY_PATH=$OPENSSL_LIB $OPENSSL_PREFIX/bin/openssl fipsinstall -out $OPENSSL_PREFIX/fipsmodule.cnf -module $OPENSSL_LIB/ossl-modules/fips.so
cat $OPENSSL_PREFIX/ssl/fipsmodule.cnf >> $OPENSSL_PREFIX/openssl-fips.cnf
export OPENSSL_CONF=$OPENSSL_PREFIX/openssl-fips.cnf
popd
echo "Running FIPS tests"
export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
export PATH=$BASE_PATH/work/nginx/sbin:$PATH
TEST_NGINX_FIPS=1 TEST_NGINX_TIMEOUT=10 prove -j$JOBS -r t/ 2>&1
else
echo "FIPS tests are skipped"
fi
- name: Prepare other libraries
if: contains(matrix.extras, 'perf')
run: |
git clone https://github.com/spacewander/lua-resty-rsa ../lua-resty-rsa
wget https://luarocks.org/releases/luarocks-3.9.2.tar.gz
tar zxf luarocks-*.tar.gz
pushd luarocks-*/
./configure --with-lua=$LUAJIT_PREFIX \
--lua-suffix=jit \
--with-lua-include=$LUAJIT_PREFIX/include/luajit-2.1
make -j$(nproc) build
sudo make install
popd
luarocks install --local lua_pack
luarocks install --local openssl OPENSSL_DIR=$OPENSSL_PREFIX
luarocks install --local luaossl CRYPTO_DIR=$OPENSSL_PREFIX OPENSSL_DIR=$OPENSSL_PREFIX
cp ~/.luarocks/lib/lua/5.1/openssl_*-openssl.so ~/.luarocks/lib/lua/5.1/lua-openssl.so
- name: Run performance test
if: contains(matrix.extras, 'perf')
run: |
wget https://github.com/openresty/resty-cli/raw/master/bin/resty
chmod +x resty
export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
export PATH=$BASE_PATH/work/nginx/sbin:$PATH
for f in $(find examples/perf -type f -name "test_*" | sort); do
./resty --no-stream -I lib -I ../lua-resty-string/lib -I ../lua-resty-rsa/lib -I ~/.luarocks/lib/lua/5.1 $f
echo '================================================================'
done