
refactor(*) drop OpenSSL 1.0.2, 1.1.0 and BoringSSL support #748


Workflow file for this run

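# CI workflow: builds OpenSSL (plus the OpenSSL 3 FIPS provider where the
# matrix asks for it), LuaJIT, lua-cjson and Nginx from source, then runs the
# Test::Nginx suite, an optional perf run, a Valgrind pass and a FIPS-mode pass.
name: Tests

on:
  pull_request:
    paths-ignore:
      - '*.md'
  push:
    branches:
      - master
      - release/*
    paths-ignore:
      - '*.md'

# No step below references GITHUB_TOKEN or any secret; the job only checks out
# and builds code, so the token is limited to read access.
permissions:
  contents: read

# One live run per pull request (head_ref); pushes fall back to the unique
# run_id and therefore never cancel each other.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

jobs:
  tests:
    name: Tests
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
      matrix:
        # Each entry pins nginx, openssl, lua_nginx_module and lua_resty_core.
        # openssl_fips is the OpenSSL release the FIPS provider is built from
        # and is only set on the OpenSSL 3.x entries.
        include:
          # TODO: arm64
          # latest and one version older for valgrind and perf test
          - nginx: "1.19.9"
            openssl: "1.1.1w"
            extras: "valgrind"
            lua_nginx_module: "v0.10.20"
            lua_resty_core: "v0.1.22"
          - nginx: "1.19.9"
            openssl: "3.1.4"
            openssl_fips: "3.0.8"
            extras: "valgrind"
            lua_nginx_module: "v0.10.20"
            lua_resty_core: "v0.1.22"
            nginx_cc_opts: "-Wno-error"
          - nginx: "1.21.4"
            openssl: "1.1.1w"
            extras: "valgrind perf"
            lua_nginx_module: "v0.10.25"
            lua_resty_core: "v0.1.27"
          - nginx: "1.21.4"
            openssl: "3.0.12"
            openssl_fips: "3.0.8"
            extras: "valgrind perf"
            lua_nginx_module: "v0.10.25"
            lua_resty_core: "v0.1.27"
            nginx_cc_opts: "-Wno-error"
          - nginx: "1.21.4"
            openssl: "3.1.4"
            openssl_fips: "3.0.8"
            extras: "valgrind perf"
            lua_nginx_module: "v0.10.25"
            lua_resty_core: "v0.1.27"
            nginx_cc_opts: "-Wno-error"
          - nginx: "1.21.4"
            openssl: "3.2.0-alpha1"
            openssl_fips: "3.0.8"
            extras: "valgrind perf"
            lua_nginx_module: "v0.10.25"
            lua_resty_core: "v0.1.27"
            nginx_cc_opts: "-Wno-error"

    # Numeric-looking values are quoted so they reach the steps as the exact
    # strings written here.
    env:
      JOBS: "3"
      SH: bash
      NGX_BUILD_JOBS: "3"
      BASE_PATH: /home/runner/work/cache
      LUAJIT_PREFIX: /home/runner/work/cache/luajit21
      LUAJIT_LIB: /home/runner/work/cache/luajit21/lib
      LUAJIT_INC: /home/runner/work/cache/luajit21/include/luajit-2.1
      LUA_INCLUDE_DIR: /home/runner/work/cache/luajit21/include/luajit-2.1
      OPENSSL_PREFIX: /home/runner/work/cache/ssl
      # lib64 since openssl 3.0
      # (the "Build OpenSSL" step copies lib to lib64 when lib64 is missing)
      OPENSSL_LIB: /home/runner/work/cache/ssl/lib64
      OPENSSL_INC: /home/runner/work/cache/ssl/include
      TEST_NGINX_SLEEP: "0.005"
      TEST_NGINX_RANDOMIZE: "1"
      LUACHECK_VER: "0.21.1"
      CC: gcc
      NGX_BUILD_CC: gcc

    steps:
      - name: Checkout source code
        # NOTE(review): referenced by a movable tag; pinning third-party
        # actions to a full commit SHA keeps the executed code fixed.
        uses: actions/checkout@v3

      - name: Setup cache
        # Everything built under /home/runner/work/cache is restored as-is on
        # a key hit and the guarded build commands below are then skipped. The
        # key only changes with tests.yml or the nginx/openssl/fips versions.
        uses: actions/cache@v3
        with:
          path: |
            /home/runner/work/cache
          key: ${{ runner.os }}-${{ hashFiles('**/tests.yml') }}-nginx-${{ matrix.nginx }}-openssl-${{ matrix.openssl }}-fips-${{ matrix.openssl_fips }}

      - name: Setup tools
        # NOTE(review): only lua-nginx-module and lua-resty-core (tags) and
        # lua-resty-hmac (commit 79a4929) are pinned. The other clones and the
        # cpanm install follow whatever the upstream default is at run time, so
        # the code built and executed by this job can change between runs.
        run: |
          sudo apt-get update
          sudo apt-get install -qq -y cpanminus axel ca-certificates valgrind haveged
          mkdir -p $OPENSSL_PREFIX $LUAJIT_PREFIX
          # perl cache
          pushd /home/runner/work/cache
          if [ ! -e perl ]; then sudo cpanm --notest Test::Nginx > build.log 2>&1 || (cat build.log && exit 1); cp -r /usr/local/share/perl/ .; else sudo cp -r perl /usr/local/share; fi
          # build tools at parent directory of cache
          cd ..
          git clone https://github.com/openresty/openresty.git ./openresty
          git clone https://github.com/openresty/nginx-devel-utils.git
          git clone https://github.com/simpl/ngx_devel_kit.git ./ndk-nginx-module
          git clone https://github.com/openresty/lua-nginx-module.git ./lua-nginx-module -b ${{ matrix.lua_nginx_module }}
          git clone https://github.com/openresty/no-pool-nginx.git ./no-pool-nginx
          git clone https://github.com/fffonion/lua-resty-openssl-aux-module ./lua-resty-openssl-aux-module
          # lua libraries at parent directory of current repository
          popd
          git clone https://github.com/openresty/lua-resty-core.git ../lua-resty-core -b ${{ matrix.lua_resty_core }}
          git clone https://github.com/openresty/lua-resty-lrucache.git ../lua-resty-lrucache
          git clone https://github.com/jkeys089/lua-resty-hmac ../lua-resty-hmac && pushd ../lua-resty-hmac && git checkout 79a4929 && popd
          git clone https://github.com/openresty/lua-resty-string ../lua-resty-string

      - name: Build OpenSSL
        # No matrix entry defines boringssl any more, so this condition is
        # always true; it can go once nothing else relies on it.
        if: matrix.boringssl == ''
        # OPENSSL_HASH is not set anywhere in this file; when it is set, the
        # build uses a GitHub archive of that commit instead of a release
        # tarball.
        # NOTE(review): neither download is checked against a published
        # checksum or signature before it is compiled and installed.
        run: |
          T=$OPENSSL_PREFIX
          mkdir -p $T
          # fixed: tar needs "-" to read the archive from the pipe
          if [ "X$OPENSSL_HASH" != "X" ]; then wget https://github.com/openssl/openssl/archive/$OPENSSL_HASH.tar.gz -qO - | tar zxf -; pushd openssl-$OPENSSL_HASH/; fi
          if [ "X$OPENSSL_HASH" = "X" ] ; then wget https://www.openssl.org/source/openssl-${{ matrix.openssl }}.tar.gz -qO - | tar zxf -; pushd openssl-${{ matrix.openssl }}/; fi
          # $T/include only exists after a completed install (or a cache hit)
          if [ ! -e $T/include ]; then ./config shared -d --prefix=$T -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); fi
          if [ ! -e $T/include ]; then make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); fi
          if [ ! -e $T/include ]; then make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); fi
          if [ ! -e $T/lib64 ]; then sudo cp -r $T/lib $T/lib64; fi
          # reuse the runner's CA bundle as the trust store of this build
          mkdir -p $T/certs/ && sudo cp -r /etc/ssl/certs/* $T/certs/

      - name: Build OpenSSL FIPS module
        if: matrix.openssl_fips != ''
        # Builds the FIPS provider in a separate prefix, then copies fips.so
        # and fipsmodule.cnf into the main OpenSSL prefix.
        # NOTE(review): the tarball is not checked against a published
        # checksum or signature before it is compiled.
        run: |
          T=${OPENSSL_PREFIX}.fips
          mkdir -p $T
          wget https://www.openssl.org/source/openssl-${{ matrix.openssl_fips }}.tar.gz -qO - | tar zxf -; pushd openssl-${{ matrix.openssl_fips }}/
          # provider already present (restored from cache): nothing to build
          if [ -e $OPENSSL_PREFIX/lib64/ossl-modules/fips.so ]; then exit 0; fi
          ./config shared -d --prefix=$T -DPURIFY enable-fips > build.log 2>&1 || (cat build.log && exit 1)
          make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1)
          make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1)
          make PATH=$PATH install_fips > build.log 2>&1 || (cat build.log && exit 1)
          cp $T/lib64/ossl-modules/fips.so $OPENSSL_PREFIX/lib64/ossl-modules/fips.so
          mkdir -p $OPENSSL_PREFIX/ssl && cp $T/ssl/fipsmodule.cnf $OPENSSL_PREFIX/ssl/fipsmodule.cnf
          # don't activate by default
          sed -i "/activate = 1/d" $OPENSSL_PREFIX/ssl/fipsmodule.cnf

      - name: Build LuaJIT
        env:
          LUAJIT_CC_OPTS: ${{ matrix.luajit_cc_opts }}
        # NOTE(review): the Valgrind flags appended to LUAJIT_CC_OPTS in the
        # first script line never reach make. XCFLAGS expands the
        # matrix.luajit_cc_opts expression, which no matrix entry sets, so the
        # Valgrind pass appears to run against a LuaJIT built without
        # -DLUAJIT_USE_SYSMALLOC and -O0. Using $LUAJIT_CC_OPTS in XCFLAGS
        # would match the Nginx step; confirm the build still passes.
        # The bare `export` prints every exported variable to the job log,
        # which is acceptable only while this job carries no secrets.
        run: |
          if [[ "${{ matrix.extras }}" == *valgrind* ]]; then LUAJIT_CC_OPTS="$LUAJIT_CC_OPTS -DLUAJIT_NUMMODE=2 -DLUAJIT_USE_SYSMALLOC -O0"; fi
          export
          cd $LUAJIT_PREFIX
          if [ ! -e luajit2 ]; then git clone -b v2.1-agentzh https://github.com/openresty/luajit2.git; fi
          cd luajit2
          make -j$JOBS CCDEBUG=-g Q= PREFIX=$LUAJIT_PREFIX CC=$CC XCFLAGS="-DLUA_USE_APICHECK -DLUA_USE_ASSERT -DLUAJIT_ENABLE_LUA52COMPAT ${{ matrix.luajit_cc_opts }}" > build.log 2>&1 || (cat build.log && exit 1)
          make install PREFIX=$LUAJIT_PREFIX > build.log 2>&1 || (cat build.log && exit 1)

      - name: Build lua-cjson
        # NOTE(review): cloned from the default branch and installed with
        # sudo; the revision is not pinned.
        run: |
          if [ ! -e lua-cjson ]; then git clone https://github.com/openresty/lua-cjson.git ./lua-cjson; fi
          pushd ./lua-cjson && make && sudo PATH=$PATH make install && popd

      - name: Build Nginx
        env:
          NGINX_CC_OPTS: ${{ matrix.nginx_cc_opts }}
        # Compiles Nginx against the OpenSSL built above (include path, library
        # path and rpath all point at the cached prefix). The build is skipped
        # when a cached work directory exists.
        run: |
          if [[ "${{ matrix.extras }}" == *valgrind* ]]; then NGINX_CC_OPTS="$NGINX_CC_OPTS -O0"; fi
          export PATH=$BASE_PATH/work/nginx/sbin:$BASE_PATH/../nginx-devel-utils:$PATH
          export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
          export NGX_LUA_LOC=$BASE_PATH/../lua-nginx-module
          export NGX_STREAM_LUA_LOC=$BASE_PATH/../stream-lua-nginx-module
          export
          cd $BASE_PATH
          if [ ! -e work ]; then ngx-build ${{ matrix.nginx }} --add-module=../ndk-nginx-module --add-module=../lua-nginx-module --add-module=../lua-resty-openssl-aux-module --with-http_ssl_module --with-cc-opt="-I$OPENSSL_INC $NGINX_CC_OPTS" --with-ld-opt="-L$OPENSSL_LIB -Wl,-rpath,$OPENSSL_LIB" --with-debug > build.log 2>&1 || (cat build.log && exit 1); fi
          nginx -V
          # log which LuaJIT / OpenSSL / PCRE libraries the binary resolves to
          ldd `which nginx`|grep -E 'luajit|ssl|pcre'

      - name: Run performance test
        if: contains(matrix.extras, 'perf')
        # NOTE(review): the resty script is fetched from the moving master
        # branch and executed without an integrity check; fetching it at a
        # fixed commit would keep the executed code stable.
        run: |
          wget https://github.com/openresty/resty-cli/raw/master/bin/resty
          chmod +x resty
          export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
          export PATH=$BASE_PATH/work/nginx/sbin:$PATH
          for f in $(find examples/perf -type f -name "test_*" | sort); do
            ./resty --no-stream -I lib $f
            echo '================================================================'
          done

      - name: Run Test
        # Full suite first, then the SSL tests again with CI_SKIP_NGINX_C=1
        # (presumably bypassing the C aux module in favour of plain FFI, as
        # the echo suggests; confirm in t/).
        run: |
          export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
          export PATH=$BASE_PATH/work/nginx/sbin:$PATH
          TEST_NGINX_TIMEOUT=20 prove -j$JOBS -r t/ 2>&1
          echo "Nginx SSL plain FFI"
          export CI_SKIP_NGINX_C=1
          TEST_NGINX_TIMEOUT=10 prove -j$JOBS t/openssl/ssl/ 2>&1

      - name: Run Valgrind
        if: contains(matrix.extras, 'valgrind')
        # Pass/fail is decided only by the suppression marker that
        # --gen-suppressions=all prints for each Valgrind finding. The prove
        # exit status is hidden by the pipeline unless pipefail is in effect,
        # so ordinary test failures do not fail this step.
        run: |
          export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
          export TEST_NGINX_VALGRIND='--num-callers=100 -q --tool=memcheck --leak-check=full --show-possibly-lost=no --gen-suppressions=all --suppressions=valgrind.suppress --track-origins=yes' TEST_NGINX_TIMEOUT=60 TEST_NGINX_SLEEP=1
          export PATH=$BASE_PATH/work/nginx/sbin:$PATH
          stdbuf -o 0 -e 0 prove -j$JOBS -r t/ 2>&1 | grep -v "Connection refused" | grep -v "Retry connecting after" | tee output.log
          if grep -q 'insert_a_suppression_name_here' output.log; then echo "Valgrind found problems"; exit 1; fi
          echo "Nginx SSL plain FFI"
          export CI_SKIP_NGINX_C=1
          stdbuf -o 0 -e 0 prove -j$JOBS t/openssl/ssl/ 2>&1 | grep -v "Connection refused" | grep -v "Retry connecting after" | tee output.log
          if grep -q 'insert_a_suppression_name_here' output.log; then echo "Valgrind found problems"; exit 1; fi

      - name: Run FIPS Test
        # Runs on every matrix entry; the script skips itself when no FIPS
        # provider was built. The test config is the repository fixture with
        # the provider's fipsmodule.cnf appended, selected through OPENSSL_CONF.
        run: |
          # openssl 3.0
          if [ -e $OPENSSL_LIB/ossl-modules/fips.so ]; then
            echo "FIPS for OpenSSL 3.0"
            cp t/fixtures/openssl_fips.cnf $OPENSSL_PREFIX/openssl-fips.cnf
            pushd openssl-${{ matrix.openssl }}/;
            # LD_LIBRARY_PATH=$OPENSSL_LIB $OPENSSL_PREFIX/bin/openssl fipsinstall -out $OPENSSL_PREFIX/fipsmodule.cnf -module $OPENSSL_LIB/ossl-modules/fips.so
            cat $OPENSSL_PREFIX/ssl/fipsmodule.cnf >> $OPENSSL_PREFIX/openssl-fips.cnf
            export OPENSSL_CONF=$OPENSSL_PREFIX/openssl-fips.cnf
            popd
            echo "Running FIPS tests"
            export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
            export PATH=$BASE_PATH/work/nginx/sbin:$PATH
            TEST_NGINX_FIPS=1 TEST_NGINX_TIMEOUT=10 prove -j$JOBS -r t/ 2>&1
          else
            echo "FIPS tests are skipped"
          fi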