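# Reusable workflow (triggered only through workflow_call): builds wolfSSL with
# --enable-nginx, then for each nginx release in the matrix builds nginx against
# that library and runs the *ssl* tests from nginx-tests, first without and then
# with AddressSanitizer.
#
# NOTE(review): no `permissions:` key is set in this file, so the GITHUB_TOKEN
# scope is whatever the calling workflow grants. None of the visible steps need
# write access; confirm the caller restricts the token accordingly.
#
# NOTE(review): every `uses:` below references a tag (@v1 / @v4), not a commit
# SHA. A tag can be moved, which changes the code that runs here. If the
# project's policy requires immutable references, pin each action to a full
# commit SHA.
name: nginx Tests

on:
  workflow_call:

jobs:
  # Builds and installs wolfSSL once, then publishes the install tree as the
  # `wolf-install-nginx` artifact consumed by nginx_check.
  build_wolfssl:
    name: Build wolfSSL
    # Just to keep it the same as the testing target
    runs-on: ubuntu-latest
    # This should be a safe limit for the tests to run.
    timeout-minutes: 4
    steps:
      - if: ${{ runner.debug }}
        name: Enable wolfSSL debug logging
        run: |
          # We don't use --enable-debug since it makes the logs too loud
          echo "wolf_debug_flags= CFLAGS='-g3 -O0'" >> $GITHUB_ENV

      - name: Build wolfSSL
        uses: wolfSSL/actions-build-autotools-project@v1
        with:
          path: wolfssl
          # env.wolf_debug_flags is only set by the debug step above; otherwise
          # it expands to nothing.
          configure: --enable-nginx ${{ env.wolf_debug_flags }}
          install: true

      - name: Upload built lib
        uses: actions/upload-artifact@v4
        with:
          name: wolf-install-nginx
          path: build-dir
          retention-days: 5

  # Builds nginx against the wolfSSL artifact and runs the nginx-tests suites
  # listed in the matrix entry.
  nginx_check:
    strategy:
      fail-fast: false
      matrix:
        include:
          # in general we want to pass all tests that match *ssl*
          # `ref` is the nginx release; quoted so it is always read as a string.
          # `test-ref` pins nginx-tests to an exact commit.
          - ref: '1.25.0'
            test-ref: 5b2894ea1afd01a26c589ce11f310df118e42592
            # Following tests pass with sanitizer on
            sanitize-ok: >-
              h2_ssl_proxy_cache.t h2_ssl.t h2_ssl_variables.t h2_ssl_verify_client.t
              mail_imap_ssl.t mail_ssl_conf_command.t mail_ssl_session_reuse.t
              mail_ssl.t proxy_ssl_certificate_empty.t proxy_ssl_certificate.t
              proxy_ssl_certificate_vars.t proxy_ssl_conf_command.t proxy_ssl_name.t
              ssl_certificate_chain.t ssl_certificate_perl.t ssl_certificates.t
              ssl_certificate.t ssl_client_escaped_cert.t ssl_conf_command.t
              ssl_crl.t ssl_curve.t ssl_engine_keys.t ssl_ocsp.t ssl_password_file.t
              ssl_proxy_protocol.t ssl_proxy_upgrade.t ssl_reject_handshake.t
              ssl_session_reuse.t ssl_session_ticket_key.t ssl_sni_reneg.t
              ssl_sni_sessions.t ssl_sni.t ssl_stapling.t ssl.t ssl_verify_client.t
              ssl_verify_depth.t stream_proxy_ssl_certificate.t stream_proxy_ssl_certificate_vars.t
              stream_proxy_ssl_conf_command.t stream_proxy_ssl_name_complex.t
              stream_proxy_ssl_name.t stream_ssl_certificate.t stream_ssl_conf_command.t
              stream_ssl_preread_alpn.t stream_ssl_preread_protocol.t stream_ssl_preread.t
              stream_ssl_realip.t stream_ssl_session_reuse.t stream_ssl.t stream_ssl_variables.t
              stream_ssl_verify_client.t stream_upstream_zone_ssl.t upstream_zone_ssl.t
              uwsgi_ssl_certificate.t uwsgi_ssl_certificate_vars.t uwsgi_ssl.t
              uwsgi_ssl_verify.t
            # Following tests do not pass with sanitizer on (with OpenSSL too)
            sanitize-not-ok: >-
              grpc_ssl.t h2_proxy_request_buffering_ssl.t h2_proxy_ssl.t
              proxy_request_buffering_ssl.t proxy_ssl_keepalive.t proxy_ssl.t
              proxy_ssl_verify.t stream_proxy_protocol_ssl.t stream_proxy_ssl.t
              stream_proxy_ssl_verify.t stream_ssl_alpn.t
          - ref: '1.24.0'
            test-ref: 212d9d003886e3a24542855fb60355a417f037de
            # Following tests pass with sanitizer on
            sanitize-ok: >-
              h2_ssl_proxy_cache.t h2_ssl.t h2_ssl_variables.t h2_ssl_verify_client.t
              mail_imap_ssl.t mail_ssl_conf_command.t mail_ssl_session_reuse.t mail_ssl.t
              proxy_ssl_certificate_empty.t proxy_ssl_certificate.t proxy_ssl_certificate_vars.t
              proxy_ssl_name.t ssl_certificate_chain.t ssl_certificate_perl.t ssl_certificates.t
              ssl_certificate.t ssl_client_escaped_cert.t ssl_conf_command.t ssl_crl.t
              ssl_engine_keys.t ssl_ocsp.t ssl_password_file.t ssl_proxy_protocol.t
              ssl_proxy_upgrade.t ssl_reject_handshake.t ssl_session_reuse.t
              ssl_session_ticket_key.t ssl_sni_reneg.t ssl_sni_sessions.t ssl_sni.t
              ssl_stapling.t ssl.t ssl_verify_client.t stream_proxy_ssl_certificate.t
              stream_proxy_ssl_certificate_vars.t stream_proxy_ssl_name_complex.t
              stream_proxy_ssl_name.t stream_ssl_alpn.t stream_ssl_certificate.t
              stream_ssl_conf_command.t stream_ssl_preread_alpn.t stream_ssl_preread_protocol.t
              stream_ssl_preread.t stream_ssl_realip.t stream_ssl_session_reuse.t stream_ssl.t
              stream_ssl_variables.t stream_ssl_verify_client.t stream_upstream_zone_ssl.t
              upstream_zone_ssl.t uwsgi_ssl_certificate.t uwsgi_ssl_certificate_vars.t
              uwsgi_ssl.t uwsgi_ssl_verify.t
            # Following tests do not pass with sanitizer on (with OpenSSL too)
            sanitize-not-ok: >-
              grpc_ssl.t h2_proxy_request_buffering_ssl.t h2_proxy_ssl.t
              proxy_request_buffering_ssl.t proxy_ssl_conf_command.t proxy_ssl_keepalive.t
              proxy_ssl.t proxy_ssl_verify.t ssl_curve.t ssl_verify_depth.t
              stream_proxy_protocol_ssl.t stream_proxy_ssl_conf_command.t stream_proxy_ssl.t
              stream_proxy_ssl_verify.t
    name: ${{ matrix.ref }}
    runs-on: ubuntu-latest
    # This should be a safe limit for the tests to run.
    timeout-minutes: 6
    needs: build_wolfssl
    # The ${{ matrix.* }} values used in the `run:` scripts below are pasted into
    # the script text before the shell sees it. That is acceptable while the
    # matrix is the static list in this file; if any of these values ever comes
    # from a workflow input, pass it through `env:` and reference the shell
    # variable instead.
    steps:
      - name: Download lib
        uses: actions/download-artifact@v4
        with:
          name: wolf-install-nginx
          path: build-dir

      - name: Install dependencies
        # NOTE(review): installed as root, at whatever versions CPAN serves at
        # run time, and -T skips the modules' own test suites.
        run: |
          sudo cpan -iT Proc::Find Net::SSLeay IO::Socket::SSL

      - name: Checkout wolfssl-nginx
        # NOTE(review): no `ref` is given, so the patches applied below come
        # from the default branch as it is at run time, unlike nginx (release
        # tag) and nginx-tests (commit SHA).
        uses: actions/checkout@v4
        with:
          repository: wolfssl/wolfssl-nginx
          path: wolfssl-nginx

      - name: Checkout nginx
        uses: actions/checkout@v4
        with:
          repository: nginx/nginx
          path: nginx
          ref: release-${{ matrix.ref }}

      - name: Apply nginx patch
        working-directory: nginx
        run: patch -p1 < ../wolfssl-nginx/nginx-${{ matrix.ref }}-wolfssl.patch

      - if: ${{ runner.debug }}
        name: Apply nginx debug patch
        working-directory: nginx
        run: patch -p1 < ../wolfssl-nginx/nginx-${{ matrix.ref }}-wolfssl-debug.patch

      - name: Checkout nginx-tests
        uses: actions/checkout@v4
        with:
          repository: nginx/nginx-tests
          path: nginx-tests
          ref: ${{ matrix.test-ref }}

      - name: Apply nginx-tests patch
        working-directory: nginx-tests
        # The glob must match exactly one patch file for the redirect to work.
        run: patch -p1 < ../wolfssl-nginx/nginx-tests-patches/*${{ matrix.test-ref }}.patch

      - name: Build nginx without sanitizer
        working-directory: nginx
        run: |
          ./auto/configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-http_ssl_module \
            --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \
            --with-http_v2_module --with-mail --with-mail_ssl_module
          make -j

      - name: Confirm nginx built with wolfSSL
        working-directory: nginx
        # grep's exit status fails the step when libwolfssl is not among the
        # linked libraries, so the results below cannot silently come from a
        # different TLS library.
        run: ldd objs/nginx | grep wolfssl

      # In the four test steps below, LD_LIBRARY_PATH is extended with
      # ${VAR:+$VAR:} so that an unset or empty value does not leave a leading
      # ':' behind. An empty path element makes the dynamic loader search the
      # current directory, which here is the nginx-tests checkout.
      - if: ${{ runner.debug }}
        name: Run nginx-tests without sanitizer (debug)
        working-directory: nginx-tests
        run: |
          LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$GITHUB_WORKSPACE/build-dir/lib \
          TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y \
          TEST_NGINX_BINARY=../nginx/objs/nginx prove -v ${{ matrix.sanitize-not-ok }}

      - if: ${{ !runner.debug }}
        name: Run nginx-tests without sanitizer
        working-directory: nginx-tests
        run: |
          LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$GITHUB_WORKSPACE/build-dir/lib \
          TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_BINARY=../nginx/objs/nginx \
          prove ${{ matrix.sanitize-not-ok }}

      # Renamed from "Enable wolfSSL debug logging": this step only sets the
      # nginx compiler flag variable consumed by the sanitizer build below.
      - if: ${{ runner.debug }}
        name: Set nginx debug compiler flags
        run: |
          echo "nginx_c_flags=-O0" >> $GITHUB_ENV

      - name: workaround high-entropy ASLR
        # not needed after either an update to llvm or runner is done
        # Sets mmap ASLR entropy to 28 bits system-wide for the rest of this
        # job; presumably required by the sanitizer build that follows.
        run: sudo sysctl vm.mmap_rnd_bits=28

      - name: Build nginx with sanitizer
        working-directory: nginx
        run: |
          ./auto/configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-http_ssl_module \
            --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \
            --with-http_v2_module --with-mail --with-mail_ssl_module \
            --with-cc-opt='-fsanitize=address -DNGX_DEBUG_PALLOC=1 -g3 ${{ env.nginx_c_flags }}' \
            --with-ld-opt='-fsanitize=address ${{ env.nginx_c_flags }}'
          make -j

      - name: Confirm nginx built with wolfSSL
        working-directory: nginx
        # Same link check as after the first build, repeated for the rebuilt
        # binary.
        run: ldd objs/nginx | grep wolfssl

      - if: ${{ runner.debug }}
        name: Run nginx-tests with sanitizer (debug)
        working-directory: nginx-tests
        run: |
          LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$GITHUB_WORKSPACE/build-dir/lib \
          TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y \
          TEST_NGINX_BINARY=../nginx/objs/nginx prove -v ${{ matrix.sanitize-ok }}

      - if: ${{ !runner.debug }}
        name: Run nginx-tests with sanitizer
        working-directory: nginx-tests
        run: |
          LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$GITHUB_WORKSPACE/build-dir/lib \
          TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_BINARY=../nginx/objs/nginx \
          prove ${{ matrix.sanitize-ok }}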