mbedtls: no longer use MBEDTLS_SSL_VERIFY_OPTIONAL #77
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copyright (C) Daniel Stenberg, <[email protected]>, et al. | |
# | |
# SPDX-License-Identifier: curl | |
name: Linux | |
on: | |
push: | |
branches: | |
- master | |
- '*/ci' | |
- '*/ci-pytest' | |
paths-ignore: | |
- '**/*.md' | |
- '.azure-pipelines.yml' | |
- '.circleci/**' | |
- 'appveyor.*' | |
- 'packages/**' | |
- 'plan9/**' | |
- 'projects/**' | |
- 'winbuild/**' | |
pull_request: | |
branches: | |
- master | |
paths-ignore: | |
- '**/*.md' | |
- '.azure-pipelines.yml' | |
- '.circleci/**' | |
- 'appveyor.*' | |
- 'packages/**' | |
- 'plan9/**' | |
- 'projects/**' | |
- 'winbuild/**' | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} | |
cancel-in-progress: true | |
permissions: {} | |
env: | |
MAKEFLAGS: -j 5 | |
# unhandled | |
bearssl-version: 0.6 | |
# renovate: datasource=github-tags depName=libressl-portable/portable versioning=semver registryUrl=https://github.com | |
libressl-version: 3.9.2 | |
# renovate: datasource=github-tags depName=ARMmbed/mbedtls versioning=semver registryUrl=https://github.com | |
mbedtls-version: 3.6.0 | |
# renovate: datasource=github-tags depName=icing/mod_h2 versioning=semver registryUrl=https://github.com | |
mod_h2-version: 2.0.29 | |
# renovate: datasource=github-tags depName=nibanks/msh3 versioning=semver registryUrl=https://github.com | |
msh3-version: 0.6.0 | |
# handled in renovate.json | |
openssl3-version: openssl-3.1.3 | |
# unhandled | |
quictls-version: 3.1.4+quic | |
# renovate: datasource=github-tags depName=rustls/rustls-ffi versioning=semver registryUrl=https://github.com | |
rustls-version: 0.13.0 | |
jobs: | |
linux: | |
name: ${{ matrix.build.generate && 'CM' || 'AM' }} ${{ matrix.build.name }} | |
runs-on: 'ubuntu-latest' | |
container: ${{ matrix.build.container }} | |
timeout-minutes: 90 | |
strategy: | |
fail-fast: false | |
matrix: | |
build: | |
- name: bearssl | |
install_packages: zlib1g-dev valgrind | |
install_steps: bearssl pytest | |
configure: LDFLAGS="-Wl,-rpath,$HOME/bearssl/lib" --with-bearssl=$HOME/bearssl --enable-debug | |
singleuse: --unit | |
- name: bearssl-clang | |
install_packages: zlib1g-dev clang | |
install_steps: bearssl | |
configure: CC=clang LDFLAGS="-Wl,-rpath,$HOME/bearssl/lib" --with-bearssl=$HOME/bearssl --enable-debug | |
singleuse: --unit | |
- name: libressl heimdal | |
install_packages: zlib1g-dev heimdal-dev valgrind | |
install_steps: libressl pytest | |
configure: LDFLAGS="-Wl,-rpath,$HOME/libressl/lib" --with-openssl=$HOME/libressl --with-gssapi --enable-debug | |
singleuse: --unit | |
- name: libressl heimdal | |
install_packages: zlib1g-dev heimdal-dev valgrind | |
install_steps: libressl pytest | |
generate: -DOPENSSL_ROOT_DIR=$HOME/libressl -DCURL_USE_GSSAPI=ON -DENABLE_DEBUG=ON -DCURL_LIBCURL_VERSIONED_SYMBOLS=ON | |
singleuse: --unit | |
- name: libressl-clang | |
install_packages: zlib1g-dev clang | |
install_steps: libressl | |
configure: CC=clang LDFLAGS="-Wl,-rpath,$HOME/libressl/lib" --with-openssl=$HOME/libressl --enable-debug | |
singleuse: --unit | |
- name: mbedtls | |
install_packages: libnghttp2-dev valgrind | |
install_steps: mbedtls pytest | |
configure: LDFLAGS="-Wl,-rpath,$HOME/mbedtls/lib" --with-mbedtls=$HOME/mbedtls --enable-debug | |
singleuse: --unit | |
- name: mbedtls-clang | |
install_packages: libnghttp2-dev clang | |
install_steps: mbedtls | |
configure: CC=clang LDFLAGS="-Wl,-rpath,$HOME/mbedtls/lib" --with-mbedtls=$HOME/mbedtls --enable-debug | |
singleuse: --unit | |
- name: msh3 | |
install_packages: zlib1g-dev valgrind | |
install_steps: quictls msh3 | |
configure: LDFLAGS="-Wl,-rpath,$HOME/msh3/lib -Wl,-rpath,$HOME/quictls/lib" --with-msh3=$HOME/msh3 --with-openssl=$HOME/quictls --enable-debug | |
singleuse: --unit | |
- name: openssl3 | |
install_packages: zlib1g-dev valgrind | |
install_steps: gcc-11 openssl3 pytest | |
configure: CFLAGS=-std=gnu89 LDFLAGS="-Wl,-rpath,$HOME/openssl3/lib" --with-openssl=$HOME/openssl3 --enable-debug --enable-websockets | |
singleuse: --unit | |
- name: openssl3-O3 | |
install_packages: zlib1g-dev valgrind | |
install_steps: gcc-11 openssl3 | |
configure: CPPFLAGS=-DCURL_WARN_SIGN_CONVERSION CFLAGS=-O3 LDFLAGS="-Wl,-rpath,$HOME/openssl3/lib" --with-openssl=$HOME/openssl3 --enable-debug --enable-websockets | |
singleuse: --unit | |
- name: openssl3-clang krb5 | |
install_packages: zlib1g-dev libkrb5-dev clang | |
install_steps: openssl3 | |
configure: CC=clang LDFLAGS="-Wl,-rpath,$HOME/openssl3/lib" --with-openssl=$HOME/openssl3 --with-gssapi --enable-debug --enable-websockets | |
singleuse: --unit | |
- name: openssl3-clang krb5 | |
install_packages: zlib1g-dev libkrb5-dev clang | |
install_steps: openssl3 | |
generate: -DOPENSSL_ROOT_DIR=$HOME/openssl3 -DCURL_USE_GSSAPI=ON -DENABLE_DEBUG=ON -DENABLE_WEBSOCKETS=ON | |
singleuse: --unit | |
- name: address-sanitizer | |
install_packages: zlib1g-dev libssh2-1-dev clang libssl-dev libubsan1 libasan8 libtsan2 | |
install_steps: pytest | |
configure: > | |
CC=clang | |
CFLAGS="-fsanitize=address,undefined,signed-integer-overflow -fno-sanitize-recover=undefined,integer -Wformat -Werror=format-security -Werror=array-bounds -g" | |
LDFLAGS="-fsanitize=address,undefined -fno-sanitize-recover=undefined,integer" | |
LIBS="-ldl -lubsan" | |
--with-openssl --enable-debug --enable-websockets | |
singleuse: --unit | |
- name: memory-sanitizer | |
install_packages: clang | |
install_steps: | |
configure: > | |
CC=clang | |
CFLAGS="-fsanitize=memory -Wformat -Werror=format-security -Werror=array-bounds -g" | |
LDFLAGS="-fsanitize=memory" | |
LIBS="-ldl" | |
--without-ssl --without-zlib --without-brotli --without-zstd --without-libpsl --without-nghttp2 --enable-debug --enable-websockets | |
singleuse: --unit | |
- name: event-based | |
install_packages: libssh-dev valgrind | |
configure: --enable-debug --disable-shared --disable-threaded-resolver --with-libssh --with-openssl | |
tflags: -n -e '!TLS-SRP' | |
singleuse: --unit | |
- name: hyper | |
install_steps: rust hyper valgrind | |
configure: LDFLAGS="-Wl,-rpath,$HOME/hyper/target/debug" --with-openssl --with-hyper=$HOME/hyper --enable-debug --enable-websockets | |
singleuse: --unit | |
- name: rustls | |
install_steps: rust rustls pytest valgrind libpsl-dev | |
configure: --with-rustls=$HOME/rustls --enable-debug | |
singleuse: --unit | |
- name: Intel compiler - without SSL | |
install_packages: zlib1g-dev valgrind | |
install_steps: intel | |
configure: CC=icc --enable-debug --without-ssl | |
singleuse: --unit | |
- name: Intel compiler - OpenSSL | |
install_packages: zlib1g-dev libssl-dev valgrind | |
install_steps: intel | |
configure: CC=icc --enable-debug --with-openssl | |
singleuse: --unit | |
- name: Slackware-openssl-with-gssapi-gcc | |
# These are essentially the same flags used to build the curl Slackware package | |
# https://ftpmirror.infania.net/slackware/slackware64-current/source/n/curl/curl.SlackBuild | |
configure: --with-openssl --with-libssh2 --with-gssapi --enable-ares --enable-static=no --without-ca-bundle --with-ca-path=/etc/ssl/certs | |
# Docker Hub image that `container-job` executes in | |
container: 'andy5995/slackware-build-essential:15.0' | |
- name: Alpine MUSL | |
configure: --enable-debug --enable-websockets --with-ssl --with-libssh2 --with-libidn2 --with-gssapi --enable-ldap --with-libpsl | |
container: 'alpine:3.18' | |
singleuse: --unit | |
steps: | |
- if: matrix.build.container == null | |
run: | | |
sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list | |
sudo apt-get update | |
sudo apt-get install libtool autoconf automake pkg-config stunnel4 libpsl-dev libbrotli-dev libzstd-dev ${{ matrix.build.install_packages }} | |
sudo python3 -m pip install impacket | |
name: 'install prereqs and impacket' | |
- if: startsWith(matrix.build.container, 'alpine') | |
run: | | |
apk add --no-cache build-base autoconf automake libtool perl openssl-dev libssh2-dev zlib-dev brotli-dev zstd-dev libidn2-dev openldap-dev heimdal-dev libpsl-dev py3-impacket py3-asn1 py3-six py3-pycryptodomex perl-time-hires openssh stunnel sudo git | |
name: 'install dependencies' | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 | |
- name: Fix kernel mmap rnd bits | |
# Asan in llvm 14 provided in ubuntu 22.04 is incompatible with | |
# high-entropy ASLR in much newer kernels that GitHub runners are | |
# using leading to random crashes: https://reviews.llvm.org/D148280 | |
# See https://github.com/actions/runner-images/issues/9491 | |
continue-on-error: true | |
run: sudo sysctl vm.mmap_rnd_bits=28 | |
- if: contains(matrix.build.install_steps, 'gcc-11') | |
run: | | |
sudo add-apt-repository ppa:ubuntu-toolchain-r/ppa | |
sudo apt-get update | |
sudo apt-get install gcc-11 | |
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-11 100 | |
sudo update-alternatives --set gcc /usr/bin/gcc-11 | |
gcc --version | |
name: 'install gcc-11' | |
- name: cache bearssl | |
if: contains(matrix.build.install_steps, 'bearssl') | |
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4 | |
id: cache-bearssl | |
env: | |
cache-name: cache-bearssl | |
with: | |
path: /home/runner/bearssl | |
key: ${{ runner.os }}-build-${{ env.cache-name }}-bearssl-${{ env.bearssl-version }} | |
- name: 'build bearssl' | |
if: contains(matrix.build.install_steps, 'bearssl') && steps.cache-bearssl.outputs.cache-hit != 'true' | |
run: | | |
curl -LOsSf --retry 6 --retry-connrefused --max-time 999 https://bearssl.org/bearssl-${{ env.bearssl-version }}.tar.gz | |
tar -xzf bearssl-${{ env.bearssl-version }}.tar.gz | |
cd bearssl-${{ env.bearssl-version }} | |
make | |
mkdir -p $HOME/bearssl/lib $HOME/bearssl/include | |
cp inc/*.h $HOME/bearssl/include | |
cp build/libbearssl.* $HOME/bearssl/lib | |
- name: cache libressl | |
if: contains(matrix.build.install_steps, 'libressl') | |
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4 | |
id: cache-libressl | |
env: | |
cache-name: cache-libressl | |
with: | |
path: /home/runner/libressl | |
key: ${{ runner.os }}-build-${{ env.cache-name }}-libressl-${{ env.libressl-version }} | |
- name: 'build libressl' | |
if: contains(matrix.build.install_steps, 'libressl') && steps.cache-libressl.outputs.cache-hit != 'true' | |
run: | | |
git clone --quiet --depth=1 -b v${{ env.libressl-version }} https://github.com/libressl-portable/portable.git libressl-git | |
cd libressl-git | |
./autogen.sh | |
./configure --disable-dependency-tracking --prefix=$HOME/libressl | |
make install | |
- name: cache mbedtls | |
if: contains(matrix.build.install_steps, 'mbedtls') | |
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4 | |
id: cache-mbedtls | |
env: | |
cache-name: cache-mbedtls | |
with: | |
path: /home/runner/mbedtls | |
key: ${{ runner.os }}-build-${{ env.cache-name }}-mbedtls-${{ env.mbedtls-version }} | |
- name: 'build mbedtls' | |
if: contains(matrix.build.install_steps, 'mbedtls') && steps.cache-mbedtls.outputs.cache-hit != 'true' | |
run: | | |
git clone --quiet --depth=1 -b v${{ env.mbedtls-version }} https://github.com/ARMmbed/mbedtls | |
cd mbedtls | |
git submodule update --init | |
make DESTDIR=$HOME/mbedtls install | |
- name: cache openssl3 | |
if: contains(matrix.build.install_steps, 'openssl3') | |
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4 | |
id: cache-openssl3 | |
env: | |
cache-name: cache-openssl3 | |
with: | |
path: /home/runner/openssl3 | |
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.openssl3-version }} | |
- name: 'install openssl3' | |
if: contains(matrix.build.install_steps, 'openssl3') && steps.cache-openssl3.outputs.cache-hit != 'true' | |
run: | | |
git clone --quiet --depth=1 -b ${{ env.openssl3-version }} https://github.com/openssl/openssl | |
cd openssl | |
./config --prefix=$HOME/openssl3 --libdir=lib | |
make -j1 install_sw | |
- name: cache quictls | |
if: contains(matrix.build.install_steps, 'quictls') | |
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4 | |
id: cache-quictls | |
env: | |
cache-name: cache-quictls | |
with: | |
path: /home/runner/quictls | |
key: ${{ runner.os }}-build-${{ env.cache-name }}-quictls-${{ env.quictls-version }} | |
- name: 'build quictls' | |
if: contains(matrix.build.install_steps, 'quictls') && steps.cache-quictls.outputs.cache-hit != 'true' | |
run: | | |
git clone --quiet --depth=1 -b openssl-${{ env.quictls-version }} https://github.com/quictls/openssl | |
cd openssl | |
./config --prefix=$HOME/quictls --libdir=lib | |
make -j1 install_sw | |
- name: cache msh3 | |
if: contains(matrix.build.install_steps, 'msh3') | |
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4 | |
id: cache-msh3 | |
env: | |
cache-name: cache-msh3 | |
with: | |
path: /home/runner/msh3 | |
key: ${{ runner.os }}-build-${{ env.cache-name }}-msh3-${{ env.msh3-version }} | |
- name: 'build msh3' | |
if: contains(matrix.build.install_steps, 'msh3') && steps.cache-msh3.outputs.cache-hit != 'true' | |
run: | | |
git clone --quiet -b v${{ env.msh3-version }} --depth=1 --recursive https://github.com/nibanks/msh3 | |
cd msh3 && mkdir build && cd build | |
cmake -G 'Unix Makefiles' -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_INSTALL_PREFIX=$HOME/msh3 .. | |
cmake --build . | |
cmake --install . | |
- if: contains(matrix.build.install_steps, 'rust') | |
run: | | |
cd $HOME | |
curl -sSf --compressed https://sh.rustup.rs/ | sh -s -- -y | |
source $HOME/.cargo/env | |
rustup toolchain install nightly | |
name: 'install rust' | |
- name: cache rustls | |
if: contains(matrix.build.install_steps, 'rustls') | |
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4 | |
id: cache-rustls | |
env: | |
cache-name: cache-rustls | |
with: | |
path: /home/runner/rustls | |
key: ${{ runner.os }}-build-${{ env.cache-name }}-rustls-${{ env.rustls-version }} | |
- name: 'build rustls' | |
if: contains(matrix.build.install_steps, 'rustls') && steps.cache-rustls.outputs.cache-hit != 'true' | |
run: | | |
git clone --quiet --depth=1 -b v${{ env.rustls-version }} --recursive https://github.com/rustls/rustls-ffi.git | |
cd rustls-ffi | |
make DESTDIR=$HOME/rustls install | |
- if: contains(matrix.build.install_steps, 'hyper') | |
run: | | |
cd $HOME | |
git clone --quiet --depth=1 https://github.com/hyperium/hyper.git | |
cd $HOME/hyper | |
RUSTFLAGS="--cfg hyper_unstable_ffi" cargo +nightly rustc --features client,http1,http2,ffi -Z unstable-options --crate-type cdylib | |
echo "LD_LIBRARY_PATH=$HOME/hyper/target/debug:/usr/local/lib" >> $GITHUB_ENV | |
name: 'install hyper' | |
- if: contains(matrix.build.install_steps, 'intel') | |
run: | | |
cd /tmp | |
curl -sSf --compressed https://apt.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB | sudo apt-key add - | |
sudo add-apt-repository "deb https://apt.repos.intel.com/oneapi all main" | |
sudo apt install --no-install-recommends intel-oneapi-compiler-dpcpp-cpp-and-cpp-classic | |
source /opt/intel/oneapi/setvars.sh | |
printenv >> $GITHUB_ENV | |
name: 'install Intel compilers' | |
- if: contains(matrix.build.install_steps, 'pytest') | |
run: | | |
sudo apt-get install apache2 apache2-dev libnghttp2-dev vsftpd | |
sudo python3 -m pip install -r tests/http/requirements.txt | |
name: 'install pytest and apach2-dev' | |
- name: cache mod_h2 | |
if: contains(matrix.build.install_steps, 'pytest') | |
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4 | |
id: cache-mod_h2 | |
env: | |
cache-name: cache-mod_h2 | |
with: | |
path: /home/runner/mod_h2 | |
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.mod_h2-version }} | |
- name: 'build mod_h2' | |
if: contains(matrix.build.install_steps, 'pytest') && steps.cache-mod_h2.outputs.cache-hit != 'true' | |
run: | | |
cd $HOME | |
git clone --quiet --depth=1 -b v${{ env.mod_h2-version }} https://github.com/icing/mod_h2 | |
cd mod_h2 | |
autoreconf -fi | |
./configure | |
make | |
- name: 'install mod_h2' | |
if: contains(matrix.build.install_steps, 'pytest') | |
run: | | |
cd $HOME/mod_h2 | |
sudo make install | |
- run: autoreconf -fi | |
if: ${{ matrix.build.configure }} | |
name: 'autoreconf' | |
- run: ./configure --disable-dependency-tracking --enable-warnings --enable-werror ${{ matrix.build.configure }} | |
if: ${{ matrix.build.configure }} | |
name: 'configure (autotools)' | |
- run: | | |
cmake . \ | |
-DCMAKE_C_COMPILER_TARGET=$(uname -m)-pc-linux-gnu -DBUILD_STATIC_LIBS=ON \ | |
-DCMAKE_UNITY_BUILD=ON -DCURL_WERROR=ON \ | |
-DBUILD_EXAMPLES=ON \ | |
-DCURL_BROTLI=ON -DCURL_ZSTD=ON \ | |
${{ matrix.build.generate }} | |
if: ${{ matrix.build.generate }} | |
name: 'configure (cmake)' | |
- name: 'configure log' | |
if: ${{ !cancelled() }} | |
run: cat config.log CMakeFiles/CMakeConfigureLog.yaml 2>/dev/null || true | |
- name: 'test configs' | |
run: | | |
cat tests/config || true | |
cat tests/http/config.ini || true | |
- run: make V=1 VERBOSE=1 | |
name: 'make' | |
- run: | | |
git config --global --add safe.directory "*" | |
if [ -n '${{ matrix.build.generate }}' ]; then | |
libcurla=lib/libcurl.a | |
else | |
libcurla=lib/.libs/libcurl.a | |
fi | |
./scripts/singleuse.pl ${{ matrix.build.singleuse }} ${libcurla} | |
name: single-use function check | |
- run: ./src/curl -V | |
name: 'check curl -V output' | |
- run: make V=1 examples | |
if: ${{ matrix.build.configure }} | |
name: 'make examples' | |
- run: make V=1 -C tests | |
if: ${{ matrix.build.configure }} | |
name: 'make tests (autotools)' | |
- run: make VERBOSE=1 testdeps | |
if: ${{ matrix.build.generate }} | |
name: 'make tests (cmake)' | |
- name: 'run tests' | |
if: false | |
run: | | |
export TFLAGS='${{ matrix.build.tflags }}' | |
if [[ '${{ matrix.build.install_packages }}' = *'heimdal-dev'* ]]; then | |
TFLAGS+=' ~2077 ~2078' # valgrind errors | |
fi | |
make V=1 VERBOSE=1 test-ci | |
- if: contains(matrix.build.install_steps, 'pytest') | |
# run for `tests` directory, so pytest does not pick up any other | |
# packages we might have built here | |
run: | |
pytest -v tests | |
name: 'run pytest' | |
env: | |
TFLAGS: "${{ matrix.build.tflags }}" | |
CURL_CI: github |