openssl/.github/workflows/ci.yml

# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

name: GitHub CI

on: [pull_request, push]

# for some reason, this does not work:
# variables:
#   BUILDOPTS: "-j4"
#   HARNESS_JOBS: "${HARNESS_JOBS:-4}"

# for some reason, this does not work:
# before_script:
#     - make="make -s"

permissions:
  contents: read

env:
  OSSL_RUN_CI_TESTS: 1

jobs:
  check_update:
    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
    steps:
    - name: install unifdef
      run: |
        sudo apt-get update
        sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install unifdef
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0
    - name: config
      run: ./config --banner=Configured --strict-warnings enable-fips && perl configdata.pm --dump
    - name: make build_generated
      run: make -s build_generated
    - name: make update
      run: make update
    - name: git diff
      run: git diff --exit-code

  check_docs:
    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
    steps:
    - uses: actions/checkout@v4
    - name: config
      run: ./config --banner=Configured --strict-warnings enable-fips && perl configdata.pm --dump
    - name: make build_generated
      run: make -s build_generated
    - name: make doc-nits
      run: make doc-nits
    - name: make help
      run: make help
    - name: make md-nits
      run: |
          sudo gem install mdl
          make md-nits

  # This checks that we use ANSI C language syntax and semantics.
  # We are not as strict with libraries, but rather adapt to what's
  # expected to be available in a certain version of each platform.
  check-ansi:
    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
    steps:
    - uses: actions/checkout@v4
    - name: config
      run: CPPFLAGS=-ansi ./config --banner=Configured no-asm no-makedepend enable-buildtest-c++ enable-fips --strict-warnings -D_DEFAULT_SOURCE && perl configdata.pm --dump
    - name: make
      run: make -s -j4

  basic_gcc:
    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
      run: git submodule update --init --depth 1 fuzz/corpora
    - name: localegen
      run: sudo locale-gen tr_TR.UTF-8
    - name: config
      # enable-quic is on by default, but we leave it here to check we're testing the explicit enable somewhere
      run: CC=gcc ./config --banner=Configured enable-demos enable-h3demo enable-fips enable-quic --strict-warnings && perl configdata.pm --dump
    - name: make
      run: make -s -j4
    - name: get cpu info
      run: |
        cat /proc/cpuinfo
        ./util/opensslwrap.sh version -c
    - name: make test
      run: .github/workflows/make-test
    - name: save artifacts
      uses: actions/upload-artifact@v3
      with:
        name: "ci@basic-gcc"
        path: artifacts/

  basic_clang:
    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
      run: git submodule update --init --depth 1 fuzz/corpora
    - name: config
      run: CC=clang ./config --banner=Configured enable-demos enable-h3demo no-fips --strict-warnings && perl configdata.pm --dump
    - name: make
      run: make -s -j4
    - name: get cpu info
      run: |
        cat /proc/cpuinfo
        ./util/opensslwrap.sh version -c
    - name: make test
      run: .github/workflows/make-test
    - name: save artifacts
      uses: actions/upload-artifact@v3
      with:
        name: "ci@basic-clang"
        path: artifacts/

  self-hosted:
    if: github.repository == 'openssl/openssl'
    strategy:
      matrix:
        os: [freebsd-13.2, ubuntu-arm64-22.04]
    runs-on: ${{ matrix.os }}-self-hosted
    continue-on-error: true
    steps:
    - uses: actions/checkout@v4
    - name: config
      run: ./config enable-demos enable-fips enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace
    - name: config dump
      run: ./configdata.pm --dump
    - name: make
      run: make -j4
    - name: get cpu info
      run: ./util/opensslwrap.sh version -c
    - name: make test
      run: .github/workflows/make-test
    - name: save artifacts
      uses: actions/upload-artifact@v3
      with:
        name: "ci@self-hosted-${{ matrix.os }}"
        path: artifacts/

  minimal:
    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
      run: git submodule update --init --depth 1 fuzz/corpora
    - name: config
      run: ./config --banner=Configured --strict-warnings enable-demos enable-h3demo no-bulk no-pic no-asm -DOPENSSL_NO_SECURE_MEMORY -DOPENSSL_SMALL_FOOTPRINT && perl configdata.pm --dump
    - name: make
      run: make -j4 # verbose, so no -s here
    - name: get cpu info
      run: |
        cat /proc/cpuinfo
        ./util/opensslwrap.sh version -c
    - name: make test
      run: .github/workflows/make-test
    - name: save artifacts
      uses: actions/upload-artifact@v3
      with:
        name: "ci@minimal"
        path: artifacts/
        if-no-files-found: ignore

  no-deprecated:
    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
      run: git submodule update --init --depth 1 fuzz/corpora
    - name: config
      run: ./config --banner=Configured --strict-warnings enable-demos enable-h3demo no-deprecated enable-fips && perl configdata.pm --dump
    - name: make
      run: make -s -j4
    - name: get cpu info
      run: |
        cat /proc/cpuinfo
        ./util/opensslwrap.sh version -c
    - name: make test
      run: .github/workflows/make-test
    - name: save artifacts
      uses: actions/upload-artifact@v3
      with:
        name: "ci@no-deprecated"
        path: artifacts/

  no-shared-ubuntu:
    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
      run: git submodule update --init --depth 1 fuzz/corpora
    - name: config
      run: ./config --banner=Configured --strict-warnings enable-demos enable-h3demo no-shared no-fips && perl configdata.pm --dump
    - name: make
      run: make -s -j4
    - name: get cpu info
      run: |
        cat /proc/cpuinfo
        ./util/opensslwrap.sh version -c
    - name: make test
      run: .github/workflows/make-test
    - name: save artifacts
      uses: actions/upload-artifact@v3
      with:
        name: "ci@no-shared-ubuntu"
        path: artifacts/

  no-shared-macos:
    strategy:
      fail-fast: false
      matrix:
        os: [macos-13, macos-14]
    if: github.server_url == 'https://github.com'
    runs-on: ${{ matrix.os }}
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
      run: git submodule update --init --depth 1 fuzz/corpora
    - name: config
      run: ./config --banner=Configured --strict-warnings enable-demos enable-h3demo no-shared no-fips && perl configdata.pm --dump
    - name: make
      run: make -s -j4
    - name: get cpu info
      run: |
        sysctl machdep.cpu
        ./util/opensslwrap.sh version -c
    - name: make test
      run: .github/workflows/make-test
    - name: save artifacts
      uses: actions/upload-artifact@v3
      with:
        name: "ci@no-shared-${{ matrix.os }}"
        path: artifacts/

  non-caching:
    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
      run: git submodule update --init --depth 1 fuzz/corpora
    - name: Adjust ASLR for sanitizer
      run: |
        sudo cat /proc/sys/vm/mmap_rnd_bits
        sudo sysctl -w vm.mmap_rnd_bits=28
    - name: config
      run: ./config --banner=Configured --debug enable-demos enable-h3demo enable-asan enable-ubsan no-cached-fetch no-fips no-dtls no-tls1 no-tls1-method no-tls1_1 no-tls1_1-method no-async && perl configdata.pm --dump
    - name: make
      run: make -s -j4
    - name: get cpu info
      run: |
        cat /proc/cpuinfo
        ./util/opensslwrap.sh version -c
    - name: make test
      run: .github/workflows/make-test OPENSSL_TEST_RAND_ORDER=0 TESTS="-test_fuzz* -test_ssl_* -test_sslapi -test_evp -test_cmp_http -test_verify -test_cms -test_store -test_enc -[01][0-9]"
    - name: save artifacts
      uses: actions/upload-artifact@v3
      with:
        name: "ci@non-caching"
        path: artifacts/

  address_ub_sanitizer:
    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
      run: git submodule update --init --depth 1 fuzz/corpora
    - name: Adjust ASLR for sanitizer
      run: |
        sudo cat /proc/sys/vm/mmap_rnd_bits
        sudo sysctl -w vm.mmap_rnd_bits=28
    - name: config
      run: ./config --banner=Configured --debug enable-demos enable-h3demo enable-asan enable-ubsan enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips && perl configdata.pm --dump
    - name: make
      run: make -s -j4
    - name: get cpu info
      run: |
        cat /proc/cpuinfo
        ./util/opensslwrap.sh version -c
    - name: make test
      run: .github/workflows/make-test OPENSSL_TEST_RAND_ORDER=0
    - name: save artifacts
      uses: actions/upload-artifact@v3
      with:
        name: "ci@address_ub_sanitizer"
        path: artifacts/

  fuzz_tests:
    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
      run: git submodule update --init --depth 1 fuzz/corpora
    - name: Adjust ASLR for sanitizer
      run: |
        sudo cat /proc/sys/vm/mmap_rnd_bits
        sudo sysctl -w vm.mmap_rnd_bits=28
    - name: config
      run: ./config --banner=Configured --debug -DPEDANTIC -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION enable-asan enable-ubsan enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-weak-ssl-ciphers enable-ssl3 enable-ssl3-method enable-nextprotoneg && perl configdata.pm --dump
    - name: make
      run: make -s -j4
    - name: get cpu info
      run: |
        cat /proc/cpuinfo
        ./util/opensslwrap.sh version -c
    - name: make test
      run: .github/workflows/make-test OPENSSL_TEST_RAND_ORDER=0 TESTS="test_fuzz*"
    - name: save artifacts
      uses: actions/upload-artifact@v3
      with:
        name: "ci@fuzz_tests"
        path: artifacts/
        if-no-files-found: ignore

  memory_sanitizer:
    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
      run: git submodule update --init --depth 1 fuzz/corpora
    - name: Adjust ASLR for sanitizer
      run: |
        sudo cat /proc/sys/vm/mmap_rnd_bits
        sudo sysctl -w vm.mmap_rnd_bits=28
    - name: config
      # --debug -O1 is to produce a debug build that runs in a reasonable amount of time
      run: CC=clang ./config --banner=Configured --debug -O1 -fsanitize=memory -DOSSL_SANITIZE_MEMORY -fno-optimize-sibling-calls enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips && perl configdata.pm --dump
    - name: make
      run: make -s -j4
    - name: get cpu info
      run: |
        cat /proc/cpuinfo
        ./util/opensslwrap.sh version -c
    - name: make test
      run: .github/workflows/make-test OPENSSL_TEST_RAND_ORDER=0
    - name: save artifacts
      uses: actions/upload-artifact@v3
      with:
        name: "ci@memory_sanitizer"
        path: artifacts/

  threads_sanitizer:
    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
      run: git submodule update --init --depth 1 fuzz/corpora
    - name: Adjust ASLR for sanitizer
      run: |
        sudo cat /proc/sys/vm/mmap_rnd_bits
        sudo sysctl -w vm.mmap_rnd_bits=28
    - name: config
      run: CC=clang ./config --banner=Configured no-fips --strict-warnings -fsanitize=thread && perl configdata.pm --dump
    - name: make
      run: make -s -j4
    - name: get cpu info
      run: |
        cat /proc/cpuinfo
        ./util/opensslwrap.sh version -c
    - name: make test
      run: .github/workflows/make-test V=1 TESTS="test_threads test_internal_provider test_provfetch test_provider test_pbe test_evp_kdf test_pkcs12 test_store test_evp test_quic*"
    - name: save artifacts
      uses: actions/upload-artifact@v3
      with:
        name: "ci@threads_sanitizer"
        path: artifacts/

  enable_non-default_options:
    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
      run: git submodule update --init --depth 1 fuzz/corpora
    - name: modprobe tls
      run: sudo modprobe tls
    - name: config
      run: ./config --banner=Configured --strict-warnings enable-demos enable-h3demo no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-egd enable-ktls enable-fips no-threads && perl configdata.pm --dump
    - name: make
      run: make -s -j4
    - name: get cpu info
      run: |
        cat /proc/cpuinfo
        ./util/opensslwrap.sh version -c
    - name: make test
      run: .github/workflows/make-test
    - name: save artifacts
      uses: actions/upload-artifact@v3
      with:
        name: "ci@enable_non-default_options"
        path: artifacts/

  full_featured:
    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
      run: git submodule update --init --depth 1 fuzz/corpora
    - name: modprobe tls
      run: sudo modprobe tls
    - name: Enable sctp
      run: sudo modprobe sctp
    - name: Enable auth in sctp
      run: sudo sysctl -w net.sctp.auth_enable=1 
    - name: install extra config support
      run: sudo apt-get -y install libsctp-dev abigail-tools libzstd-dev zstd
    - name: config
      run: ./config --banner=Configured --strict-warnings enable-demos enable-h3demo enable-ktls enable-fips enable-egd enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-sctp enable-ssl3 enable-ssl3-method enable-trace enable-zlib enable-zstd && perl configdata.pm --dump
    - name: make
      run: make -s -j4
    - name: get cpu info
      run: |
        cat /proc/cpuinfo
        ./util/opensslwrap.sh version -c
    - name: make test
      run: .github/workflows/make-test
    - name: save artifacts
      uses: actions/upload-artifact@v3
      with:
        name: "ci@full_featured"
        path: artifacts/

  no-legacy:
    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
      run: git submodule update --init --depth 1 fuzz/corpora
    - name: config
      run: ./config --banner=Configured --strict-warnings enable-demos enable-h3demo no-legacy enable-fips && perl configdata.pm --dump
    - name: make
      run: make -s -j4
    - name: get cpu info
      run: |
        cat /proc/cpuinfo
        ./util/opensslwrap.sh version -c
    - name: make test
      run: .github/workflows/make-test
    - name: save artifacts
      uses: actions/upload-artifact@v3
      with:
        name: "ci@no-legacy"
        path: artifacts/

  legacy:
    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
      run: git submodule update --init --depth 1 fuzz/corpora
    - name: config
      run: ./config --banner=Configured -Werror --debug no-afalgeng enable-demos enable-h3demo no-shared enable-crypto-mdebug enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 no-fips && perl configdata.pm --dump
    - name: make
      run: make -s -j4
    - name: get cpu info
      run: |
        cat /proc/cpuinfo
        ./util/opensslwrap.sh version -c
    - name: make test
      run: .github/workflows/make-test
    - name: save artifacts
      uses: actions/upload-artifact@v3
      with:
        name: "ci@legacy"
        path: artifacts/

  # out-of-source-and-install checks multiple things at the same time:
  # - That building, testing and installing works from an out-of-source
  #   build tree
  # - That building, testing and installing works with a read-only source
  #   tree
  out-of-readonly-source-and-install-ubuntu:
    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
    steps:
    - uses: actions/checkout@v4
      with:
        path: ./source
    - name: checkout fuzz/corpora submodule
      run: git submodule update --init --depth 1 fuzz/corpora
      working-directory: ./source
    - name: make source read-only
      run: chmod -R a-w ./source
    - name: create build and install directories
      run: |
        mkdir ./build
        mkdir ./install
    - name: config
      run: |
        ../source/config --banner=Configured enable-demos enable-h3demo enable-fips enable-quic enable-acvp-tests --strict-warnings --prefix=$(cd ../install; pwd)
        perl configdata.pm --dump
      working-directory: ./build
    - name: make
      run: make -s -j4
      working-directory: ./build
    - name: get cpu info
      run: |
        cat /proc/cpuinfo
        ./util/opensslwrap.sh version -c
      working-directory: ./build
    - name: make test
      run: ../source/.github/workflows/make-test
      working-directory: ./build
    - name: save artifacts
      uses: actions/upload-artifact@v3
      with:
        name: "ci@out-of-readonly-source-and-install-ubuntu"
        path: build/artifacts/
    - name: make install
      run: make install
      working-directory: ./build

  out-of-readonly-source-and-install-macos:
    strategy:
      fail-fast: false
      matrix:
        os: [macos-13, macos-14]
    runs-on: ${{ matrix.os }}
    if: github.server_url == 'https://github.com'
    steps:
    - uses: actions/checkout@v4
      with:
        path: ./source
    - name: checkout fuzz/corpora submodule
      run: git submodule update --init --depth 1 fuzz/corpora
      working-directory: ./source
    - name: make source read-only
      run: chmod -R a-w ./source
    - name: create build and install directories
      run: |
        mkdir ./build
        mkdir ./install
    - name: config
      run: |
        ../source/config --banner=Configured enable-fips enable-demos enable-h3demo enable-quic enable-acvp-tests --strict-warnings --prefix=$(cd ../install; pwd)
        perl configdata.pm --dump
      working-directory: ./build
    - name: make
      run: make -s -j4
      working-directory: ./build
    - name: get cpu info
      run: |
        sysctl machdep.cpu
        ./util/opensslwrap.sh version -c
      working-directory: ./build
    - name: make test
      run: ../source/.github/workflows/make-test
      working-directory: ./build
    - name: save artifacts
      uses: actions/upload-artifact@v3
      with:
        name: "ci@out-of-readonly-source-and-install-${{ matrix.os }}"
        path: build/artifacts/
    - name: make install
      run: make install
      working-directory: ./build

  external-tests:
    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
    steps:
    - uses: actions/checkout@v4
      with:
        submodules: recursive
    - name: package installs
      run: |
        sudo apt-get update
        sudo apt-get -yq install bison gettext keyutils ldap-utils libldap2-dev libkeyutils-dev python3 python3-paste python3-pyrad slapd tcsh python3-virtualenv virtualenv python3-kdcproxy
    - name: install cpanm and Test2::V0 for gost_engine testing
      uses: perl-actions/install-with-cpanm@stable
      with:
        install: Test2::V0
    - name: setup hostname workaround
      run: sudo hostname localhost
    - name: config
      run: ./config --banner=Configured --strict-warnings --debug no-afalgeng enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 enable-external-tests no-fips && perl configdata.pm --dump
    - name: make
      run: make -s -j4
    - name: get cpu info
      run: |
        cat /proc/cpuinfo
        ./util/opensslwrap.sh version -c
    - name: test external gost-engine
      run: make test TESTS="test_external_gost_engine"
    - name: test external krb5
      run: make test TESTS="test_external_krb5"
    - name: test external_tlsfuzzer
      run: make test TESTS="test_external_tlsfuzzer"
    - name: test external oqs-provider
      run: make test TESTS="test_external_oqsprovider"

  external-test-pyca:
    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
    strategy:
      matrix:
        RUST:
          - 1.51.0
        PYTHON:
          - 3.9
    steps:
    - uses: actions/checkout@v4
      with:
        submodules: recursive
    - name: Configure OpenSSL
      run: ./config --banner=Configured --strict-warnings --debug enable-external-tests && perl configdata.pm --dump
    - name: make
      run: make -s -j4
    - name: Setup Python
      uses: actions/setup-python@v5.1.0
      with:
        python-version: ${{ matrix.PYTHON }}
    - uses: dtolnay/rust-toolchain@master
      with:
        toolchain: ${{ matrix.RUST }}
    - name: get cpu info
      run: |
        cat /proc/cpuinfo
        ./util/opensslwrap.sh version -c
    - name: test external pyca
      run: make test TESTS="test_external_pyca" VERBOSE=1

  external-test-cf-quiche:
    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
    steps:
    - uses: actions/checkout@v4
      with:
        submodules: recursive
    - name: Configure OpenSSL
      run: ./config --banner=Configured --strict-warnings enable-external-tests && perl configdata.pm --dump
    - name: make
      run: make -s -j4
    - uses: dtolnay/rust-toolchain@stable
    - name: get cpu info
      run: |
        cat /proc/cpuinfo
        ./util/opensslwrap.sh version -c
    - name: test external Cloudflare quiche
      run: make test TESTS="test_external_cf_quiche" VERBOSE=1