refactor(*) drop OpenSSL 1.0.2, 1.1.0 and BoringSSL support #748
Workflow file for this run
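# CI workflow: builds nginx and LuaJIT against each OpenSSL version listed in
# the job matrix, then runs the functional, valgrind, perf and FIPS test steps.
name: Tests

# Run for every pull request and for pushes to the long-lived branches.
# Changes that only touch top-level Markdown files do not start a run.
on:
  pull_request:
    paths-ignore:
      - '*.md'
  push:
    branches:
      - master
      - 'release/*'
    paths-ignore:
      - '*.md'

# Least privilege: the job only checks out the repository and builds and tests
# it, so the workflow token is limited to read-only access to repository
# contents instead of the repository's default token permissions.
permissions:
  contents: read

# One active run per workflow and pull-request branch. github.head_ref is only
# set for pull_request events, so pushes fall back to the unique run id and
# are never cancelled by each other.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true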
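jobs:
  tests:
    name: Tests
    runs-on: ubuntu-latest

    strategy:
      # Let every matrix entry finish so one failing combination does not hide
      # the results of the others.
      fail-fast: false
      matrix:
        # Version strings are quoted so YAML keeps them as strings.
        # openssl_fips is the OpenSSL release the FIPS provider is built from;
        # entries without it skip the "Build OpenSSL FIPS module" step.
        # nginx_cc_opts is appended to nginx's --with-cc-opt (presumably to keep
        # OpenSSL 3.x warnings from failing the nginx build; confirm).
        include:
          # TODO: arm64
          # latest and one version older for valgrind and perf test
          - nginx: "1.19.9"
            openssl: "1.1.1w"
            extras: "valgrind"
            lua_nginx_module: "v0.10.20"
            lua_resty_core: "v0.1.22"
          - nginx: "1.19.9"
            openssl: "3.1.4"
            openssl_fips: "3.0.8"
            extras: "valgrind"
            lua_nginx_module: "v0.10.20"
            lua_resty_core: "v0.1.22"
            nginx_cc_opts: "-Wno-error"
          - nginx: "1.21.4"
            openssl: "1.1.1w"
            extras: "valgrind perf"
            lua_nginx_module: "v0.10.25"
            lua_resty_core: "v0.1.27"
          - nginx: "1.21.4"
            openssl: "3.0.12"
            openssl_fips: "3.0.8"
            extras: "valgrind perf"
            lua_nginx_module: "v0.10.25"
            lua_resty_core: "v0.1.27"
            nginx_cc_opts: "-Wno-error"
          - nginx: "1.21.4"
            openssl: "3.1.4"
            openssl_fips: "3.0.8"
            extras: "valgrind perf"
            lua_nginx_module: "v0.10.25"
            lua_resty_core: "v0.1.27"
            nginx_cc_opts: "-Wno-error"
          - nginx: "1.21.4"
            openssl: "3.2.0-alpha1"
            openssl_fips: "3.0.8"
            extras: "valgrind perf"
            lua_nginx_module: "v0.10.25"
            lua_resty_core: "v0.1.27"
            nginx_cc_opts: "-Wno-error"

    # Environment shared by every step. Number-looking values are quoted so
    # they reach the shell as the exact strings written here.
    env:
      JOBS: "3"
      SH: bash
      NGX_BUILD_JOBS: "3"
      # Everything under BASE_PATH is saved and restored by the cache step.
      BASE_PATH: /home/runner/work/cache
      LUAJIT_PREFIX: /home/runner/work/cache/luajit21
      LUAJIT_LIB: /home/runner/work/cache/luajit21/lib
      LUAJIT_INC: /home/runner/work/cache/luajit21/include/luajit-2.1
      LUA_INCLUDE_DIR: /home/runner/work/cache/luajit21/include/luajit-2.1
      OPENSSL_PREFIX: /home/runner/work/cache/ssl
      # lib64 since openssl 3.0; for builds that only produce lib/, the
      # "Build OpenSSL" step copies lib/ to lib64/ so this path always exists.
      OPENSSL_LIB: /home/runner/work/cache/ssl/lib64
      OPENSSL_INC: /home/runner/work/cache/ssl/include
      TEST_NGINX_SLEEP: "0.005"
      TEST_NGINX_RANDOMIZE: "1"
      LUACHECK_VER: "0.21.1"
      CC: gcc
      NGX_BUILD_CC: gcc

    # NOTE(review): the actions below are referenced by a mutable tag (v3);
    # pinning each to a full commit SHA would make the run reproducible.
    steps:
      - name: Checkout source code
        uses: actions/checkout@v3
        with:
          # Later steps build and run code fetched from other repositories,
          # some of it with sudo, and nothing in this job pushes back to the
          # repository, so the token is not left behind in .git/config.
          persist-credentials: false

      # The key changes whenever tests.yml or the nginx/OpenSSL/FIPS versions
      # change, which forces a clean rebuild of the cached toolchain.
      - name: Setup cache
        uses: actions/cache@v3
        with:
          path: |
            /home/runner/work/cache
          key: ${{ runner.os }}-${{ hashFiles('**/tests.yml') }}-nginx-${{ matrix.nginx }}-openssl-${{ matrix.openssl }}-fips-${{ matrix.openssl_fips }}

      # Installs system packages, restores or builds the Perl test modules and
      # clones the nginx build helpers and Lua libraries the tests need.
      # NOTE(review): apart from lua-nginx-module and lua-resty-core (selected
      # by matrix tag) and lua-resty-hmac (checked out at 79a4929), the clones
      # track each repository's default branch, so upstream changes flow
      # straight into this job.
      - name: Setup tools
        run: |
          sudo apt-get update
          sudo apt-get install -qq -y cpanminus axel ca-certificates valgrind haveged
          mkdir -p $OPENSSL_PREFIX $LUAJIT_PREFIX
          # perl cache
          pushd /home/runner/work/cache
          if [ ! -e perl ]; then sudo cpanm --notest Test::Nginx > build.log 2>&1 || (cat build.log && exit 1); cp -r /usr/local/share/perl/ .; else sudo cp -r perl /usr/local/share; fi
          # build tools at parent directory of cache
          cd ..
          git clone https://github.com/openresty/openresty.git ./openresty
          git clone https://github.com/openresty/nginx-devel-utils.git
          git clone https://github.com/simpl/ngx_devel_kit.git ./ndk-nginx-module
          git clone https://github.com/openresty/lua-nginx-module.git ./lua-nginx-module -b ${{ matrix.lua_nginx_module }}
          git clone https://github.com/openresty/no-pool-nginx.git ./no-pool-nginx
          git clone https://github.com/fffonion/lua-resty-openssl-aux-module ./lua-resty-openssl-aux-module
          # lua libraries at parent directory of current repository
          popd
          git clone https://github.com/openresty/lua-resty-core.git ../lua-resty-core -b ${{ matrix.lua_resty_core }}
          git clone https://github.com/openresty/lua-resty-lrucache.git ../lua-resty-lrucache
          git clone https://github.com/jkeys089/lua-resty-hmac ../lua-resty-hmac && pushd ../lua-resty-hmac && git checkout 79a4929 && popd
          git clone https://github.com/openresty/lua-resty-string ../lua-resty-string

      # Builds the OpenSSL under test into $OPENSSL_PREFIX unless the cache
      # already holds it ($T/include exists). The source tree is unpacked in
      # the workspace on every run.
      # The matrix defines no boringssl key, so this condition is always true.
      # NOTE(review): the tarball is piped straight into tar and built without
      # being checked against a known digest; consider verifying it against a
      # pinned SHA-256 first.
      - name: Build OpenSSL
        if: matrix.boringssl == ''
        run: |
          T=$OPENSSL_PREFIX
          mkdir -p $T
          # OPENSSL_HASH is not set in this workflow's env; when it is provided,
          # a GitHub archive of that commit replaces the release tarball.
          # "tar zxf -" reads the archive from stdin; without the "-" the f
          # option has no archive operand and the extraction fails.
          if [ "X$OPENSSL_HASH" != "X" ]; then wget https://github.com/openssl/openssl/archive/$OPENSSL_HASH.tar.gz -qO - | tar zxf -; pushd openssl-$OPENSSL_HASH/; fi
          if [ "X$OPENSSL_HASH" = "X" ] ; then wget https://www.openssl.org/source/openssl-${{ matrix.openssl }}.tar.gz -qO - | tar zxf -; pushd openssl-${{ matrix.openssl }}/; fi
          if [ ! -e $T/include ]; then ./config shared -d --prefix=$T -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); fi
          if [ ! -e $T/include ]; then make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); fi
          if [ ! -e $T/include ]; then make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); fi
          # OPENSSL_LIB points at lib64; mirror lib/ there when the build only produced lib/.
          if [ ! -e $T/lib64 ]; then sudo cp -r $T/lib $T/lib64; fi
          mkdir -p $T/certs/ && sudo cp -r /etc/ssl/certs/* $T/certs/

      # Builds the FIPS provider from its own OpenSSL release into
      # $OPENSSL_PREFIX.fips, then copies fips.so and the fipsmodule.cnf that
      # install_fips generated for it into the OpenSSL under test.
      # NOTE(review): this tarball is not checked against a known digest either.
      - name: Build OpenSSL FIPS module
        if: matrix.openssl_fips != ''
        run: |
          T=${OPENSSL_PREFIX}.fips
          mkdir -p $T
          wget https://www.openssl.org/source/openssl-${{ matrix.openssl_fips }}.tar.gz -qO - | tar zxf -; pushd openssl-${{ matrix.openssl_fips }}/
          # Already installed from the cache: nothing left to build.
          if [ -e $OPENSSL_PREFIX/lib64/ossl-modules/fips.so ]; then exit 0; fi
          ./config shared -d --prefix=$T -DPURIFY enable-fips > build.log 2>&1 || (cat build.log && exit 1)
          make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1)
          make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1)
          make PATH=$PATH install_fips > build.log 2>&1 || (cat build.log && exit 1)
          cp $T/lib64/ossl-modules/fips.so $OPENSSL_PREFIX/lib64/ossl-modules/fips.so
          mkdir -p $OPENSSL_PREFIX/ssl && cp $T/ssl/fipsmodule.cnf $OPENSSL_PREFIX/ssl/fipsmodule.cnf
          # don't activate by default
          sed -i "/activate = 1/d" $OPENSSL_PREFIX/ssl/fipsmodule.cnf

      # Builds and installs OpenResty's LuaJIT fork with API checks and
      # assertions enabled.
      # NOTE(review): the valgrind flags are appended to the shell variable
      # LUAJIT_CC_OPTS, but XCFLAGS below interpolates matrix.luajit_cc_opts
      # directly, so -DLUAJIT_USE_SYSMALLOC, -DLUAJIT_NUMMODE=2 and -O0 never
      # reach the compiler. If memcheck is meant to see LuaJIT's allocations
      # through the system malloc, XCFLAGS should use $LUAJIT_CC_OPTS instead.
      - name: Build LuaJIT
        env:
          LUAJIT_CC_OPTS: ${{ matrix.luajit_cc_opts }}
        run: |
          if [[ "${{ matrix.extras }}" == *valgrind* ]]; then LUAJIT_CC_OPTS="$LUAJIT_CC_OPTS -DLUAJIT_NUMMODE=2 -DLUAJIT_USE_SYSMALLOC -O0"; fi
          # Prints the whole environment to the job log for debugging; keep
          # secrets out of this job's env.
          export
          cd $LUAJIT_PREFIX
          if [ ! -e luajit2 ]; then git clone -b v2.1-agentzh https://github.com/openresty/luajit2.git; fi
          cd luajit2
          make -j$JOBS CCDEBUG=-g Q= PREFIX=$LUAJIT_PREFIX CC=$CC XCFLAGS="-DLUA_USE_APICHECK -DLUA_USE_ASSERT -DLUAJIT_ENABLE_LUA52COMPAT ${{ matrix.luajit_cc_opts }}" > build.log 2>&1 || (cat build.log && exit 1)
          make install PREFIX=$LUAJIT_PREFIX > build.log 2>&1 || (cat build.log && exit 1)

      - name: Build lua-cjson
        run: |
          if [ ! -e lua-cjson ]; then git clone https://github.com/openresty/lua-cjson.git ./lua-cjson; fi
          pushd ./lua-cjson && make && sudo PATH=$PATH make install && popd

      # Builds a debug nginx with the Lua and aux modules, linked against the
      # OpenSSL built above with an rpath to it, unless the cache already holds
      # the build (work/ exists). The ldd line shows which luajit/ssl/pcre
      # libraries the binary actually resolves.
      - name: Build Nginx
        env:
          NGINX_CC_OPTS: ${{ matrix.nginx_cc_opts }}
        run: |
          if [[ "${{ matrix.extras }}" == *valgrind* ]]; then NGINX_CC_OPTS="$NGINX_CC_OPTS -O0"; fi
          export PATH=$BASE_PATH/work/nginx/sbin:$BASE_PATH/../nginx-devel-utils:$PATH
          export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
          export NGX_LUA_LOC=$BASE_PATH/../lua-nginx-module
          export NGX_STREAM_LUA_LOC=$BASE_PATH/../stream-lua-nginx-module
          # Prints the whole environment to the job log for debugging.
          export
          cd $BASE_PATH
          if [ ! -e work ]; then ngx-build ${{ matrix.nginx }} --add-module=../ndk-nginx-module --add-module=../lua-nginx-module --add-module=../lua-resty-openssl-aux-module --with-http_ssl_module --with-cc-opt="-I$OPENSSL_INC $NGINX_CC_OPTS" --with-ld-opt="-L$OPENSSL_LIB -Wl,-rpath,$OPENSSL_LIB" --with-debug > build.log 2>&1 || (cat build.log && exit 1); fi
          nginx -V
          ldd `which nginx`|grep -E 'luajit|ssl|pcre'

      # NOTE(review): the resty launcher is downloaded from the moving master
      # branch and executed without an integrity check; pinning the URL to a
      # tag or commit would keep upstream changes from running here unreviewed.
      - name: Run performance test
        if: contains(matrix.extras, 'perf')
        run: |
          wget https://github.com/openresty/resty-cli/raw/master/bin/resty
          chmod +x resty
          export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
          export PATH=$BASE_PATH/work/nginx/sbin:$PATH
          for f in $(find examples/perf -type f -name "test_*" | sort); do
            ./resty --no-stream -I lib $f
            echo '================================================================'
          done

      # Runs the whole suite, then the SSL tests again with CI_SKIP_NGINX_C=1
      # (labelled "Nginx SSL plain FFI" in the log).
      - name: Run Test
        run: |
          export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
          export PATH=$BASE_PATH/work/nginx/sbin:$PATH
          TEST_NGINX_TIMEOUT=20 prove -j$JOBS -r t/ 2>&1
          echo "Nginx SSL plain FFI"
          export CI_SKIP_NGINX_C=1
          TEST_NGINX_TIMEOUT=10 prove -j$JOBS t/openssl/ssl/ 2>&1

      # Repeats both test passes under valgrind memcheck. With
      # --gen-suppressions=all valgrind prints a suppression template named
      # insert_a_suppression_name_here for every error it reports, so finding
      # that string in the log is what fails the step.
      # NOTE(review): each prove run is piped into grep and tee, so unless
      # pipefail is enabled for this shell a failing prove does not fail the
      # step by itself. Confirm that only valgrind findings are meant to gate.
      - name: Run Valgrind
        if: contains(matrix.extras, 'valgrind')
        run: |
          export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
          export TEST_NGINX_VALGRIND='--num-callers=100 -q --tool=memcheck --leak-check=full --show-possibly-lost=no --gen-suppressions=all --suppressions=valgrind.suppress --track-origins=yes' TEST_NGINX_TIMEOUT=60 TEST_NGINX_SLEEP=1
          export PATH=$BASE_PATH/work/nginx/sbin:$PATH
          stdbuf -o 0 -e 0 prove -j$JOBS -r t/ 2>&1 | grep -v "Connection refused" | grep -v "Retry connecting after" | tee output.log
          if grep -q 'insert_a_suppression_name_here' output.log; then echo "Valgrind found problems"; exit 1; fi
          echo "Nginx SSL plain FFI"
          export CI_SKIP_NGINX_C=1
          stdbuf -o 0 -e 0 prove -j$JOBS t/openssl/ssl/ 2>&1 | grep -v "Connection refused" | grep -v "Retry connecting after" | tee output.log
          if grep -q 'insert_a_suppression_name_here' output.log; then echo "Valgrind found problems"; exit 1; fi

      # Runs the suite with TEST_NGINX_FIPS=1 when a FIPS provider was
      # installed. OPENSSL_CONF points at the test fixture config with the
      # generated fipsmodule.cnf appended to it. Matrix entries without a
      # provider only log that the FIPS tests were skipped, so a green job does
      # not by itself mean the FIPS path was exercised.
      - name: Run FIPS Test
        run: |
          # openssl 3.0
          if [ -e $OPENSSL_LIB/ossl-modules/fips.so ]; then
            echo "FIPS for OpenSSL 3.0"
            cp t/fixtures/openssl_fips.cnf $OPENSSL_PREFIX/openssl-fips.cnf
            pushd openssl-${{ matrix.openssl }}/;
            # LD_LIBRARY_PATH=$OPENSSL_LIB $OPENSSL_PREFIX/bin/openssl fipsinstall -out $OPENSSL_PREFIX/fipsmodule.cnf -module $OPENSSL_LIB/ossl-modules/fips.so
            cat $OPENSSL_PREFIX/ssl/fipsmodule.cnf >> $OPENSSL_PREFIX/openssl-fips.cnf
            export OPENSSL_CONF=$OPENSSL_PREFIX/openssl-fips.cnf
            popd
            echo "Running FIPS tests"
            export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
            export PATH=$BASE_PATH/work/nginx/sbin:$PATH
            TEST_NGINX_FIPS=1 TEST_NGINX_TIMEOUT=10 prove -j$JOBS -r t/ 2>&1
          else
            echo "FIPS tests are skipped"
          fi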