20251226-fixes #7583
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: nginx Tests | |
| # START OF COMMON SECTION | |
| on: | |
| push: | |
| branches: [ 'master', 'main', 'release/**' ] | |
| pull_request: | |
| branches: [ '*' ] | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| # END OF COMMON SECTION | |
| jobs: | |
| build_wolfssl: | |
| name: Build wolfSSL | |
| if: github.repository_owner == 'wolfssl' | |
| # Just to keep it the same as the testing target | |
| runs-on: ubuntu-22.04 | |
| # This should be a safe limit for the tests to run. | |
| timeout-minutes: 4 | |
| steps: | |
| - if: ${{ runner.debug }} | |
| name: Enable wolfSSL debug logging | |
| run: | | |
| # We don't use --enable-debug since it makes the logs too loud | |
| echo "wolf_debug_flags= CFLAGS='-g3 -O0'" >> $GITHUB_ENV | |
| - name: Build wolfSSL | |
| uses: wolfSSL/actions-build-autotools-project@v1 | |
| with: | |
| path: wolfssl | |
| configure: --enable-nginx ${{ env.wolf_debug_flags }} | |
| install: true | |
| - name: tar build-dir | |
| run: tar -zcf build-dir.tgz build-dir | |
| - name: Upload built lib | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: wolf-install-nginx | |
| path: build-dir.tgz | |
| retention-days: 5 | |
| nginx_check: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| # in general we want to pass all tests that match *ssl* | |
| - ref: 1.25.0 | |
| test-ref: 5b2894ea1afd01a26c589ce11f310df118e42592 | |
| # Following tests pass with sanitizer on | |
| sanitize-ok: >- | |
| h2_ssl_proxy_cache.t h2_ssl.t h2_ssl_variables.t h2_ssl_verify_client.t | |
| mail_imap_ssl.t mail_ssl_conf_command.t mail_ssl_session_reuse.t | |
| mail_ssl.t proxy_ssl_certificate_empty.t proxy_ssl_certificate.t | |
| proxy_ssl_certificate_vars.t proxy_ssl_conf_command.t proxy_ssl_name.t | |
| ssl_certificate_chain.t ssl_certificate_perl.t ssl_certificates.t | |
| ssl_certificate.t ssl_client_escaped_cert.t ssl_conf_command.t | |
| ssl_crl.t ssl_curve.t ssl_engine_keys.t ssl_ocsp.t ssl_password_file.t | |
| ssl_proxy_protocol.t ssl_proxy_upgrade.t ssl_reject_handshake.t | |
| ssl_session_reuse.t ssl_session_ticket_key.t ssl_sni_reneg.t | |
| ssl_sni_sessions.t ssl_sni.t ssl_stapling.t ssl.t ssl_verify_client.t | |
| ssl_verify_depth.t stream_proxy_ssl_certificate.t stream_proxy_ssl_certificate_vars.t | |
| stream_proxy_ssl_conf_command.t stream_proxy_ssl_name_complex.t | |
| stream_proxy_ssl_name.t stream_ssl_certificate.t stream_ssl_conf_command.t | |
| stream_ssl_preread_alpn.t stream_ssl_preread_protocol.t stream_ssl_preread.t | |
| stream_ssl_realip.t stream_ssl_session_reuse.t stream_ssl.t stream_ssl_variables.t | |
| stream_ssl_verify_client.t stream_upstream_zone_ssl.t upstream_zone_ssl.t | |
| uwsgi_ssl_certificate.t uwsgi_ssl_certificate_vars.t uwsgi_ssl.t | |
| uwsgi_ssl_verify.t | |
| # Following tests do not pass with sanitizer on (with OpenSSL too) | |
| sanitize-not-ok: >- | |
| grpc_ssl.t h2_proxy_request_buffering_ssl.t h2_proxy_ssl.t | |
| proxy_request_buffering_ssl.t proxy_ssl_keepalive.t proxy_ssl.t | |
| proxy_ssl_verify.t stream_proxy_protocol_ssl.t stream_proxy_ssl.t | |
| stream_proxy_ssl_verify.t stream_ssl_alpn.t | |
| - ref: 1.24.0 | |
| test-ref: 212d9d003886e3a24542855fb60355a417f037de | |
| # Following tests pass with sanitizer on | |
| sanitize-ok: >- | |
| h2_ssl_proxy_cache.t h2_ssl.t h2_ssl_variables.t h2_ssl_verify_client.t | |
| mail_imap_ssl.t mail_ssl_conf_command.t mail_ssl_session_reuse.t mail_ssl.t | |
| proxy_ssl_certificate_empty.t proxy_ssl_certificate.t proxy_ssl_certificate_vars.t | |
| proxy_ssl_name.t ssl_certificate_chain.t ssl_certificate_perl.t ssl_certificates.t | |
| ssl_certificate.t ssl_client_escaped_cert.t ssl_conf_command.t ssl_crl.t | |
| ssl_engine_keys.t ssl_ocsp.t ssl_password_file.t ssl_proxy_protocol.t | |
| ssl_proxy_upgrade.t ssl_reject_handshake.t ssl_session_reuse.t | |
| ssl_session_ticket_key.t ssl_sni_reneg.t ssl_sni_sessions.t ssl_sni.t | |
| ssl_stapling.t ssl.t ssl_verify_client.t stream_proxy_ssl_certificate.t | |
| stream_proxy_ssl_certificate_vars.t stream_proxy_ssl_name_complex.t | |
| stream_proxy_ssl_name.t stream_ssl_alpn.t stream_ssl_certificate.t | |
| stream_ssl_conf_command.t stream_ssl_preread_alpn.t stream_ssl_preread_protocol.t | |
| stream_ssl_preread.t stream_ssl_realip.t stream_ssl_session_reuse.t stream_ssl.t | |
| stream_ssl_variables.t stream_ssl_verify_client.t stream_upstream_zone_ssl.t | |
| upstream_zone_ssl.t uwsgi_ssl_certificate.t uwsgi_ssl_certificate_vars.t | |
| uwsgi_ssl.t uwsgi_ssl_verify.t | |
| # Following tests do not pass with sanitizer on (with OpenSSL too) | |
| sanitize-not-ok: >- | |
| grpc_ssl.t h2_proxy_request_buffering_ssl.t h2_proxy_ssl.t | |
| proxy_request_buffering_ssl.t proxy_ssl_conf_command.t proxy_ssl_keepalive.t | |
| proxy_ssl.t proxy_ssl_verify.t ssl_curve.t ssl_verify_depth.t | |
| stream_proxy_protocol_ssl.t stream_proxy_ssl_conf_command.t stream_proxy_ssl.t | |
| stream_proxy_ssl_verify.t | |
| name: ${{ matrix.ref }} | |
| if: github.repository_owner == 'wolfssl' | |
| runs-on: ubuntu-22.04 | |
| # This should be a safe limit for the tests to run. | |
| timeout-minutes: 6 | |
| needs: build_wolfssl | |
| steps: | |
| - name: Download lib | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: wolf-install-nginx | |
| - name: untar build-dir | |
| run: tar -xf build-dir.tgz | |
| - name: Install dependencies | |
| run: | | |
| sudo cpan -iT Proc::Find | |
| # Locking in the version of SSLeay used with testing | |
| - name: Download and install Net::SSLeay 1.94 manually | |
| run: | | |
| curl -LO https://www.cpan.org/modules/by-module/Net/CHRISN/Net-SSLeay-1.94.tar.gz | |
| tar -xzf Net-SSLeay-1.94.tar.gz | |
| cd Net-SSLeay-1.94 | |
| perl Makefile.PL | |
| make | |
| sudo make install | |
| # SSL version 2.091 changes '' return to undef causing test case to fail. | |
| # Locking in the test version to use as 2.090 | |
| - name: Download and install IO::Socket::SSL 2.090 manually | |
| run: | | |
| curl -LO https://www.cpan.org/modules/by-module/IO/IO-Socket-SSL-2.090.tar.gz | |
| tar -xzf IO-Socket-SSL-2.090.tar.gz | |
| cd IO-Socket-SSL-2.090 | |
| perl Makefile.PL | |
| make | |
| sudo make install | |
| - name: Checkout wolfssl-nginx | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: wolfssl/wolfssl-nginx | |
| path: wolfssl-nginx | |
| - name: Checkout nginx | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: nginx/nginx | |
| path: nginx | |
| ref: release-${{ matrix.ref }} | |
| - name: Apply nginx patch | |
| working-directory: nginx | |
| run: patch -p1 < ../wolfssl-nginx/nginx-${{ matrix.ref }}-wolfssl.patch | |
| - if: ${{ runner.debug }} | |
| name: Apply nginx debug patch | |
| working-directory: nginx | |
| run: patch -p1 < ../wolfssl-nginx/nginx-${{ matrix.ref }}-wolfssl-debug.patch | |
| - name: Checkout nginx-tests | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: nginx/nginx-tests | |
| path: nginx-tests | |
| ref: ${{ matrix.test-ref }} | |
| - name: Apply nginx-tests patch | |
| working-directory: nginx-tests | |
| run: patch -p1 < ../wolfssl-nginx/nginx-tests-patches/*${{ matrix.test-ref }}.patch | |
| - name: Build nginx without sanitizer | |
| working-directory: nginx | |
| run: | | |
| ./auto/configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-http_ssl_module \ | |
| --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \ | |
| --with-http_v2_module --with-mail --with-mail_ssl_module | |
| make -j | |
| - name: Confirm nginx built with wolfSSL | |
| working-directory: nginx | |
| run: ldd objs/nginx | grep wolfssl | |
| - if: ${{ runner.debug }} | |
| name: Run nginx-tests without sanitizer (debug) | |
| working-directory: nginx-tests | |
| run: | | |
| LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \ | |
| TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y \ | |
| TEST_NGINX_BINARY=../nginx/objs/nginx prove -v ${{ matrix.sanitize-not-ok }} | |
| - if: ${{ !runner.debug }} | |
| name: Run nginx-tests without sanitizer | |
| working-directory: nginx-tests | |
| run: | | |
| LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \ | |
| TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_BINARY=../nginx/objs/nginx \ | |
| prove ${{ matrix.sanitize-not-ok }} | |
| - if: ${{ runner.debug }} | |
| name: Enable wolfSSL debug logging | |
| run: | | |
| echo "nginx_c_flags=-O0" >> $GITHUB_ENV | |
| - name: workaround high-entropy ASLR | |
| # not needed after either an update to llvm or runner is done | |
| run: sudo sysctl vm.mmap_rnd_bits=28 | |
| - name: Build nginx with sanitizer | |
| working-directory: nginx | |
| run: | | |
| ./auto/configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-http_ssl_module \ | |
| --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \ | |
| --with-http_v2_module --with-mail --with-mail_ssl_module \ | |
| --with-cc-opt='-fsanitize=address -DNGX_DEBUG_PALLOC=1 -g3 ${{ env.nginx_c_flags }}' \ | |
| --with-ld-opt='-fsanitize=address ${{ env.nginx_c_flags }}' | |
| make -j | |
| - name: Confirm nginx built with wolfSSL | |
| working-directory: nginx | |
| run: ldd objs/nginx | grep wolfssl | |
| - if: ${{ runner.debug }} | |
| name: Run nginx-tests with sanitizer (debug) | |
| working-directory: nginx-tests | |
| run: | | |
| LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \ | |
| TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y \ | |
| TEST_NGINX_BINARY=../nginx/objs/nginx prove -v ${{ matrix.sanitize-ok }} | |
| - if: ${{ !runner.debug }} | |
| name: Run nginx-tests with sanitizer | |
| working-directory: nginx-tests | |
| run: | | |
| LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \ | |
| TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_BINARY=../nginx/objs/nginx \ | |
| prove ${{ matrix.sanitize-ok }} | |