chore(tests): bump openssl versions #927
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Tests | |
on: | |
pull_request: | |
paths-ignore: | |
- '*.md' | |
push: | |
branches: | |
- master | |
- release/* | |
paths-ignore: | |
- '*.md' | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
cancel-in-progress: true | |
jobs: | |
tests: | |
name: Tests | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
# TODO: arm64 | |
# latest and one version older for valgrind and perf test | |
- nginx: "1.19.9" | |
openssl: "3.1.7" | |
openssl_fips: "3.0.9" | |
extras: "valgrind" | |
lua_nginx_module: "v0.10.20" | |
lua_resty_core: "v0.1.22" | |
nginx_cc_opts: "-Wno-error" | |
- nginx: "1.21.4" | |
openssl: "3.1.7" | |
openssl_fips: "3.0.9" | |
extras: "valgrind" | |
lua_nginx_module: "v0.10.25" | |
lua_resty_core: "v0.1.27" | |
nginx_cc_opts: "-Wno-error" | |
- nginx: "1.25.3" | |
openssl: "1.1.1w" | |
extras: "valgrind perf" | |
lua_nginx_module: "v0.10.26" | |
lua_resty_core: "v0.1.28" | |
- nginx: "1.25.3" | |
openssl: "3.0.15" | |
openssl_fips: "3.0.9" | |
extras: "valgrind perf lua-kong-nginx-module" | |
lua_nginx_module: "v0.10.26" | |
lua_resty_core: "v0.1.28" | |
nginx_cc_opts: "-Wno-error" | |
- nginx: "1.25.3" | |
openssl: "3.1.7" | |
openssl_fips: "3.0.9" | |
extras: "valgrind perf lua-kong-nginx-module" | |
lua_nginx_module: "v0.10.26" | |
lua_resty_core: "v0.1.28" | |
nginx_cc_opts: "-Wno-error" | |
- nginx: "1.25.3" | |
openssl: "3.2.3" | |
openssl_fips: "3.0.9" | |
extras: "valgrind perf lua-kong-nginx-module" | |
lua_nginx_module: "v0.10.26" | |
lua_resty_core: "v0.1.28" | |
nginx_cc_opts: "-Wno-error" | |
- nginx: "1.25.3" | |
openssl: "3.3.2" | |
openssl_fips: "3.0.9" | |
extras: "valgrind perf lua-kong-nginx-module" | |
lua_nginx_module: "v0.10.26" | |
lua_resty_core: "v0.1.28" | |
nginx_cc_opts: "-Wno-error" | |
- nginx: "1.25.3" | |
openssl: "3.4.0" | |
openssl_fips: "3.0.9" | |
extras: "valgrind perf lua-kong-nginx-module" | |
lua_nginx_module: "v0.10.26" | |
lua_resty_core: "v0.1.28" | |
nginx_cc_opts: "-Wno-error" | |
env: | |
JOBS: 3 | |
SH: bash | |
NGX_BUILD_JOBS: 3 | |
BASE_PATH: /home/runner/work/cache | |
LUAJIT_PREFIX: /home/runner/work/cache/luajit21 | |
LUAJIT_LIB: /home/runner/work/cache/luajit21/lib | |
LUAJIT_INC: /home/runner/work/cache/luajit21/include/luajit-2.1 | |
LUA_INCLUDE_DIR: /home/runner/work/cache/luajit21/include/luajit-2.1 | |
OPENSSL_PREFIX: /home/runner/work/cache/ssl | |
# lib64 since openssl 3.0 | |
OPENSSL_LIB: /home/runner/work/cache/ssl/lib64 | |
OPENSSL_INC: /home/runner/work/cache/ssl/include | |
TEST_NGINX_SLEEP: 0.005 | |
TEST_NGINX_RANDOMIZE: 1 | |
LUACHECK_VER: 0.21.1 | |
CC: gcc | |
NGX_BUILD_CC: gcc | |
steps: | |
- name: Checkout source code | |
uses: actions/checkout@v3 | |
- name: Setup cache | |
uses: actions/cache@v3 | |
with: | |
path: | | |
/home/runner/work/cache | |
key: ${{ runner.os }}-${{ hashFiles('**/tests.yml') }}-nginx-${{ matrix.nginx }}-openssl-${{ matrix.openssl }}-fips-${{ matrix.openssl_fips }} | |
- name: Setup tools | |
run: | | |
sudo apt-get update | |
sudo apt-get install -qq -y cpanminus axel ca-certificates valgrind haveged | |
mkdir -p $OPENSSL_PREFIX $LUAJIT_PREFIX | |
# perl cache | |
pushd /home/runner/work/cache | |
if [ ! -e perl ]; then sudo cpanm --notest Test::Nginx > build.log 2>&1 || (cat build.log && exit 1); cp -r /usr/local/share/perl/ .; else sudo cp -r perl /usr/local/share; fi | |
# build tools at parent directory of cache | |
cd .. | |
git clone https://github.com/openresty/openresty.git ./openresty | |
git clone https://github.com/openresty/nginx-devel-utils.git | |
git clone https://github.com/simpl/ngx_devel_kit.git ./ndk-nginx-module | |
git clone https://github.com/openresty/lua-nginx-module.git ./lua-nginx-module -b ${{ matrix.lua_nginx_module }} | |
git clone https://github.com/openresty/no-pool-nginx.git ./no-pool-nginx | |
git clone https://github.com/fffonion/lua-resty-openssl-aux-module ./lua-resty-openssl-aux-module | |
git clone https://github.com/Kong/lua-kong-nginx-module.git -b 0.12.0 ./lua-kong-nginx-module | |
# lua libraries at parent directory of current repository | |
popd | |
git clone https://github.com/openresty/lua-resty-core.git ../lua-resty-core -b ${{ matrix.lua_resty_core }} | |
git clone https://github.com/openresty/lua-resty-lrucache.git ../lua-resty-lrucache | |
git clone https://github.com/openresty/lua-resty-string ../lua-resty-string | |
- name: Build OpenSSL | |
if: matrix.boringssl == '' | |
run: | | |
T=$OPENSSL_PREFIX | |
mkdir -p $T | |
if [ "X$OPENSSL_HASH" != "X" ]; then wget https://github.com/openssl/openssl/archive/$OPENSSL_HASH.tar.gz -qO - | tar zxf ; pushd openssl-$OPENSSL_HASH/; fi | |
if [ "X$OPENSSL_HASH" = "X" ] ; then (wget https://github.com/openssl/openssl/releases/download/openssl-${{ matrix.openssl }}/openssl-${{ matrix.openssl }}.tar.gz -qO - || wget https://openssl.org/source/old/1.1.1/openssl-${{ matrix.openssl}}.tar.gz -qO -) | tar zxf -; pushd openssl-${{ matrix.openssl }}/; fi | |
if [ ! -e $T/include ]; then ./config shared -d --prefix=$T -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); fi | |
if [ ! -e $T/include ]; then make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); fi | |
if [ ! -e $T/include ]; then make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); fi | |
if [ ! -e $T/lib64 ]; then sudo cp -r $T/lib $T/lib64; fi | |
mkdir -p $T/certs/ && sudo cp -r /etc/ssl/certs/* $T/certs/ | |
- name: Build OpenSSL FIPS module | |
if: matrix.openssl_fips != '' | |
run: | | |
T=${OPENSSL_PREFIX}.fips | |
mkdir -p $T | |
wget https://github.com/openssl/openssl/releases/download/openssl-${{ matrix.openssl_fips }}/openssl-${{ matrix.openssl_fips }}.tar.gz -qO - | tar zxf -; pushd openssl-${{ matrix.openssl_fips }} | |
if [ -e $OPENSSL_PREFIX/lib64/ossl-modules/fips.so ]; then exit 0; fi | |
./config shared -d --prefix=$T -DPURIFY enable-fips > build.log 2>&1 || (cat build.log && exit 1) | |
make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1) | |
make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1) | |
make PATH=$PATH install_fips > build.log 2>&1 || (cat build.log && exit 1) | |
cp $T/lib64/ossl-modules/fips.so $OPENSSL_PREFIX/lib64/ossl-modules/fips.so | |
mkdir -p $OPENSSL_PREFIX/ssl && cp $T/ssl/fipsmodule.cnf $OPENSSL_PREFIX/ssl/fipsmodule.cnf | |
# don't activate by default | |
sed -i "/activate = 1/d" $OPENSSL_PREFIX/ssl/fipsmodule.cnf | |
- name: Build LuaJIT | |
env: | |
LUAJIT_CC_OPTS: ${{ matrix.luajit_cc_opts }} | |
run: | | |
if [[ "${{ matrix.extras }}" == *valgrind* ]]; then LUAJIT_CC_OPTS="$LUAJIT_CC_OPTS -DLUAJIT_NUMMODE=2 -DLUAJIT_USE_SYSMALLOC -O0"; fi | |
export | |
cd $LUAJIT_PREFIX | |
if [ ! -e luajit2 ]; then git clone -b v2.1-agentzh https://github.com/openresty/luajit2.git; fi | |
cd luajit2 | |
make -j$JOBS CCDEBUG=-g Q= PREFIX=$LUAJIT_PREFIX CC=$CC XCFLAGS="-DLUA_USE_APICHECK -DLUA_USE_ASSERT -DLUAJIT_ENABLE_LUA52COMPAT ${{ matrix.luajit_cc_opts }}" > build.log 2>&1 || (cat build.log && exit 1) | |
make install PREFIX=$LUAJIT_PREFIX > build.log 2>&1 || (cat build.log && exit 1) | |
- name: Build lua-cjson | |
run: | | |
if [ ! -e lua-cjson ]; then git clone https://github.com/openresty/lua-cjson.git ./lua-cjson; fi | |
pushd ./lua-cjson && make && sudo PATH=$PATH make install && popd | |
- name: Build Nginx | |
env: | |
NGINX_CC_OPTS: ${{ matrix.nginx_cc_opts }} | |
NGINX_MODULES: "" | |
run: | | |
if [[ "${{ matrix.extras }}" == *valgrind* ]]; then NGINX_CC_OPTS="$NGINX_CC_OPTS -O0"; fi | |
if [[ "${{ matrix.extras }}" == *lua-kong-nginx-module* ]]; then NGINX_MODULES="$NGINX_MODULES --add-module=../lua-kong-nginx-module"; fi | |
export PATH=$BASE_PATH/work/nginx/sbin:$BASE_PATH/../nginx-devel-utils:$PATH | |
export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH | |
export NGX_LUA_LOC=$BASE_PATH/../lua-nginx-module | |
export NGX_STREAM_LUA_LOC=$BASE_PATH/../stream-lua-nginx-module | |
export | |
cd $BASE_PATH | |
if [ ! -e work ]; then ngx-build ${{ matrix.nginx }} --add-module=../ndk-nginx-module --add-module=../lua-nginx-module --add-module=../lua-resty-openssl-aux-module $NGINX_MODULES --with-http_ssl_module --with-cc-opt="-I$OPENSSL_INC $NGINX_CC_OPTS" --with-ld-opt="-L$OPENSSL_LIB -Wl,-rpath,$OPENSSL_LIB" --with-debug > build.log 2>&1 || (cat build.log && exit 1); fi | |
nginx -V | |
ldd `which nginx`|grep -E 'luajit|ssl|pcre' | |
- name: Run Test | |
run: | | |
export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH | |
export PATH=$BASE_PATH/work/nginx/sbin:$PATH | |
TEST_NGINX_TIMEOUT=20 prove -j$JOBS -r t/ 2>&1 | |
echo "Nginx SSL plain FFI" | |
export CI_SKIP_NGINX_C=1 | |
TEST_NGINX_TIMEOUT=10 prove -j$JOBS t/openssl/ssl/ 2>&1 | |
export CI_SKIP_KONG_SSL_FUNCS=1 | |
TEST_NGINX_TIMEOUT=10 prove -j$JOBS t/openssl/ssl/ 2>&1 | |
- name: Get changed files | |
id: changed-files | |
uses: tj-actions/changed-files@v44 | |
- name: Run Valgrind | |
if: contains(matrix.extras, 'valgrind') | |
env: | |
ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }} | |
run: | | |
files_to_test="" | |
# if on master branches | |
if [ "${{ github.ref }}" == "refs/heads/master" ]; then | |
files_to_test="t" | |
else | |
for file in ${ALL_CHANGED_FILES}; do | |
mod=$(echo "$file" | grep lib/resty | sed 's|^lib/||' | sed 's|/|.|g' | sed 's|\.lua$||') | |
files_to_test="$files_to_test $(grep -l "${mod}\b" t/**/*.t 2>/dev/null | tr '\n' ' ' | sed 's/ $//')" | |
done | |
files_to_test=$(echo "$files_to_test" | tr ' ' '\n' | sort -u | tr '\n' ' ' | sed 's/ $//') | |
fi | |
echo "Files to run for valgrind: $files_to_test" | |
if [ -z "$files_to_test" ]; then return; fi | |
export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH | |
export TEST_NGINX_USE_VALGRIND=1 TEST_NGINX_VALGRIND='--num-callers=100 -q --tool=memcheck --leak-check=full --show-possibly-lost=no --gen-suppressions=all --suppressions=valgrind.suppress --track-origins=yes' TEST_NGINX_TIMEOUT=60 TEST_NGINX_SLEEP=1 | |
export TEST_NGINX_INIT_BY_LUA="debug.sethook(function () collectgarbage() end, 'l') jit.off()" | |
export PATH=$BASE_PATH/work/nginx/sbin:$PATH | |
stdbuf -o 0 -e 0 prove -j$JOBS -r $files_to_test 2>&1 | grep -v "Connection refused" | grep -v "Retry connecting after" | tee output.log | |
if grep -q 'insert_a_suppression_name_here' output.log; then echo "Valgrind found problems"; exit 1; fi | |
if echo "$files_to_test" | grep -q "\bt/openssl/ssl\b"; then | |
echo "Nginx SSL plain FFI" | |
export CI_SKIP_NGINX_C=1 | |
stdbuf -o 0 -e 0 prove -j$JOBS t/openssl/ssl/ 2>&1 | grep -v "Connection refused" | grep -v "Retry connecting after" | tee output.log | |
if grep -q 'insert_a_suppression_name_here' output.log; then echo "Valgrind found problems"; exit 1; fi | |
export CI_SKIP_KONG_SSL_FUNCS=1 | |
stdbuf -o 0 -e 0 prove -j$JOBS t/openssl/ssl/ 2>&1 | grep -v "Connection refused" | grep -v "Retry connecting after" | tee output.log | |
if grep -q 'insert_a_suppression_name_here' output.log; then echo "Valgrind found problems"; exit 1; fi | |
fi | |
- name: Run FIPS Test | |
run: | | |
# openssl 3.0 | |
if [ -e $OPENSSL_LIB/ossl-modules/fips.so ]; then | |
echo "FIPS for OpenSSL 3.0" | |
cp t/fixtures/openssl_fips.cnf $OPENSSL_PREFIX/openssl-fips.cnf | |
pushd openssl-${{ matrix.openssl }}/; | |
# LD_LIBRARY_PATH=$OPENSSL_LIB $OPENSSL_PREFIX/bin/openssl fipsinstall -out $OPENSSL_PREFIX/fipsmodule.cnf -module $OPENSSL_LIB/ossl-modules/fips.so | |
cat $OPENSSL_PREFIX/ssl/fipsmodule.cnf >> $OPENSSL_PREFIX/openssl-fips.cnf | |
export OPENSSL_CONF=$OPENSSL_PREFIX/openssl-fips.cnf | |
popd | |
echo "Running FIPS tests" | |
export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH | |
export PATH=$BASE_PATH/work/nginx/sbin:$PATH | |
TEST_NGINX_FIPS=1 TEST_NGINX_TIMEOUT=10 prove -j$JOBS -r t/ 2>&1 | |
else | |
echo "FIPS tests are skipped" | |
fi | |
- name: Prepare other libraries | |
if: contains(matrix.extras, 'perf') | |
run: | | |
git clone https://github.com/spacewander/lua-resty-rsa ../lua-resty-rsa | |
wget https://luarocks.org/releases/luarocks-3.9.2.tar.gz | |
tar zxf luarocks-*.tar.gz | |
pushd luarocks-*/ | |
./configure --with-lua=$LUAJIT_PREFIX \ | |
--lua-suffix=jit \ | |
--with-lua-include=$LUAJIT_PREFIX/include/luajit-2.1 | |
make -j$(nproc) build | |
sudo make install | |
popd | |
luarocks install --local lua_pack | |
luarocks install --local openssl OPENSSL_DIR=$OPENSSL_PREFIX | |
luarocks install --local luaossl CRYPTO_DIR=$OPENSSL_PREFIX OPENSSL_DIR=$OPENSSL_PREFIX | |
cp ~/.luarocks/lib/lua/5.1/openssl_*-openssl.so ~/.luarocks/lib/lua/5.1/lua-openssl.so | |
- name: Run performance test | |
if: contains(matrix.extras, 'perf') | |
run: | | |
wget https://github.com/openresty/resty-cli/raw/master/bin/resty | |
chmod +x resty | |
export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH | |
export PATH=$BASE_PATH/work/nginx/sbin:$PATH | |
for f in $(find examples/perf -type f -name "test_*" | sort); do | |
./resty --no-stream -I lib -I ../lua-resty-string/lib -I ../lua-resty-rsa/lib -I ~/.luarocks/lib/lua/5.1 $f | |
echo '================================================================' | |
done | |