Optimize CI for wolfProvider #27
| name: Sanitizers | |
| # START OF COMMON SECTION | |
| on: | |
| push: | |
| branches: [ 'master', 'main', 'release/**' ] | |
| pull_request: | |
| branches: [ '*' ] | |
| types: [opened, synchronize, reopened, ready_for_review] | |
| paths-ignore: | |
| - '**.md' | |
| - 'docs/**' | |
| - 'LICENSE*' | |
| - '.github/ISSUE_TEMPLATE/**' | |
| - '.github/dependabot.yml' | |
| - '.gitignore' | |
| - 'AUTHORS' | |
| - 'COPYING' | |
| - 'README*' | |
| - 'CHANGELOG*' | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| # END OF COMMON SECTION | |
| jobs: | |
| discover_versions: | |
| if: github.event_name != 'pull_request' || github.event.pull_request.draft == false | |
| uses: ./.github/workflows/_discover-versions.yml | |
| sanitizers: | |
| needs: discover_versions | |
| if: github.event_name != 'pull_request' || github.event.pull_request.draft == false | |
| name: ASan+UBSan (wolfSSL ${{ matrix.wolfssl_ref }} / ${{ needs.discover_versions.outputs.openssl_latest_ref }}) | |
| runs-on: ubuntu-22.04 | |
| # Sanitizers add ~2-3x to build/test time vs. a plain build. | |
| timeout-minutes: 45 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| # Test master + latest-stable (resolved at run time). | |
| wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_latest_ref_array) }} | |
| env: | |
| # detect_leaks=0: OpenSSL intentionally keeps some allocations alive | |
| # for the process lifetime (provider registries, etc.). Including | |
| # them as leaks aborts `openssl list -providers` during env-setup, | |
| # which fails the entire build before any tests run. | |
| # halt_on_error=1: still abort on a real UAF / OOB. | |
| # abort_on_error=0: prefer exit() over abort() so the test runner | |
| # gets a non-zero status it can report cleanly instead of a SIGABRT. | |
| # detect_odr_violation=0: test/unit.test pulls in libwolfprov | |
| # twice (linked + dlopen'd as openssl provider), spuriously trips | |
| # ASan's ODR check. | |
| ASAN_OPTIONS: detect_leaks=0:halt_on_error=1:abort_on_error=0:print_stacktrace=1:detect_odr_violation=0 | |
| UBSAN_OPTIONS: print_stacktrace=1:halt_on_error=1 | |
| steps: | |
| - name: Checkout wolfProvider | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 1 | |
| - name: Install host build deps | |
| # Bare runner -- not the test-deps container -- because we're | |
| # building OpenSSL/wolfssl from source against the host toolchain. | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y \ | |
| build-essential autoconf automake libtool pkg-config \ | |
| git curl wget patch m4 gettext | |
| # Cache the OpenSSL + wolfssl source/install trees so we don't pay | |
| # the ~15-20 min build cost on every push when the refs haven't | |
| # changed. install_openssl()/install_wolfssl() in scripts/utils-*.sh | |
| # skip the configure/make if the install dir already exists, so a | |
| # restored cache short-circuits the build automatically. | |
| - name: Cache OpenSSL + wolfssl source/install (sanitizers) | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| openssl-source | |
| openssl-install | |
| wolfssl-source | |
| wolfssl-install | |
| key: san-${{ runner.os }}-${{ needs.discover_versions.outputs.openssl_latest_ref }}-${{ matrix.wolfssl_ref }}-${{ hashFiles('scripts/utils-openssl.sh', 'scripts/utils-wolfssl.sh', 'scripts/build-wolfprovider.sh', '.github/workflows/sanitizers.yml') }} | |
| - name: Build wolfProvider with sanitizers | |
| env: | |
| # Only wolfprov + wolfssl get sanitizers; openssl stays plain. | |
| SAN_FLAGS: "-fsanitize=address,undefined -fno-omit-frame-pointer -fno-sanitize-recover=all -g" | |
| run: | | |
| # Keep this in sync with the default in scripts/utils-wolfssl.sh. | |
| OPENSSL_INSTALL_DIR="${GITHUB_WORKSPACE}/openssl-install" | |
| export WOLFSSL_CONFIG_CFLAGS="\ | |
| -I${OPENSSL_INSTALL_DIR}/include \ | |
| -DWC_RSA_NO_PADDING \ | |
| -DWOLFSSL_PUBLIC_MP \ | |
| -DHAVE_PUBLIC_FFDHE \ | |
| -DHAVE_FFDHE_6144 \ | |
| -DHAVE_FFDHE_8192 \ | |
| -DWOLFSSL_PSS_LONG_SALT \ | |
| -DWOLFSSL_PSS_SALT_LEN_DISCOVER \ | |
| -DRSA_MIN_SIZE=1024 \ | |
| -DWOLFSSL_OLD_OID_SUM \ | |
| ${SAN_FLAGS}" | |
| export WOLFPROV_CONFIG_CFLAGS="${SAN_FLAGS}" | |
| # Skip build script's internal `make test` -- run separately | |
| # below. Avoids global LD_PRELOAD=libasan which segfaults | |
| # dpkg/grep called during the build. | |
| export WOLFPROV_SKIP_TEST=1 | |
| OPENSSL_TAG=${{ needs.discover_versions.outputs.openssl_latest_ref }} \ | |
| WOLFSSL_TAG=${{ matrix.wolfssl_ref }} \ | |
| ./scripts/build-wolfprovider.sh | |
| - name: Run wolfprov unit tests (make test) under sanitizers | |
| run: | | |
| export LD_PRELOAD="$(gcc -print-file-name=libasan.so)" | |
| source scripts/env-setup | |
| make test | |
| - name: Run cmd-tests under sanitizers | |
| run: | | |
| export LD_PRELOAD="$(gcc -print-file-name=libasan.so)" | |
| source scripts/env-setup | |
| ./scripts/cmd_test/do-cmd-tests.sh | |
| - name: Dump build/test logs on failure | |
| if: ${{ failure() }} | |
| run: | | |
| for f in test-suite.log scripts/build-release.log scripts/build-debug.log; do | |
| if [ -f "$f" ]; then | |
| echo "=== $f (last 200 lines) ===" | |
| tail -200 "$f" | |
| fi | |
| done | |
| tsan: | |
| needs: discover_versions | |
| if: github.event_name != 'pull_request' || github.event.pull_request.draft == false | |
| name: TSan (wolfSSL ${{ matrix.wolfssl_ref }} / ${{ needs.discover_versions.outputs.openssl_latest_ref }}) | |
| runs-on: ubuntu-22.04 | |
| timeout-minutes: 45 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_latest_ref_array) }} | |
| env: | |
| TSAN_OPTIONS: halt_on_error=1:second_deadlock_stack=1:history_size=7 | |
| steps: | |
| - name: Checkout wolfProvider | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 1 | |
| - name: Install host build deps | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y \ | |
| build-essential autoconf automake libtool pkg-config \ | |
| git curl wget patch m4 gettext | |
| - name: Cache OpenSSL + wolfssl source/install (tsan) | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| openssl-source | |
| openssl-install | |
| wolfssl-source | |
| wolfssl-install | |
| key: tsan-${{ runner.os }}-${{ needs.discover_versions.outputs.openssl_latest_ref }}-${{ matrix.wolfssl_ref }}-${{ hashFiles('scripts/utils-openssl.sh', 'scripts/utils-wolfssl.sh', 'scripts/build-wolfprovider.sh', '.github/workflows/sanitizers.yml') }} | |
| - name: Build wolfProvider with TSan | |
| env: | |
| SAN_FLAGS: "-fsanitize=thread -fno-omit-frame-pointer -fno-sanitize-recover=all -g" | |
| run: | | |
| OPENSSL_INSTALL_DIR="${GITHUB_WORKSPACE}/openssl-install" | |
| export WOLFSSL_CONFIG_CFLAGS="\ | |
| -I${OPENSSL_INSTALL_DIR}/include \ | |
| -DWC_RSA_NO_PADDING \ | |
| -DWOLFSSL_PUBLIC_MP \ | |
| -DHAVE_PUBLIC_FFDHE \ | |
| -DHAVE_FFDHE_6144 \ | |
| -DHAVE_FFDHE_8192 \ | |
| -DWOLFSSL_PSS_LONG_SALT \ | |
| -DWOLFSSL_PSS_SALT_LEN_DISCOVER \ | |
| -DRSA_MIN_SIZE=1024 \ | |
| -DWOLFSSL_OLD_OID_SUM \ | |
| ${SAN_FLAGS}" | |
| export WOLFPROV_CONFIG_CFLAGS="${SAN_FLAGS}" | |
| export WOLFPROV_SKIP_TEST=1 | |
| OPENSSL_TAG=${{ needs.discover_versions.outputs.openssl_latest_ref }} \ | |
| WOLFSSL_TAG=${{ matrix.wolfssl_ref }} \ | |
| ./scripts/build-wolfprovider.sh | |
| - name: Run wolfprov unit tests (make test) under TSan | |
| run: | | |
| export LD_PRELOAD="$(gcc -print-file-name=libtsan.so)" | |
| source scripts/env-setup | |
| make test | |
| - name: Dump build/test logs on failure | |
| if: ${{ failure() }} | |
| run: | | |
| for f in test-suite.log scripts/build-release.log scripts/build-debug.log; do | |
| if [ -f "$f" ]; then | |
| echo "=== $f (last 200 lines) ===" | |
| tail -200 "$f" | |
| fi | |
| done |
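Review bot: The workflow declares no `permissions:` block, so both jobs run with the repository's default GITHUB_TOKEN scope, which can be read/write depending on repository settings; nothing here needs more than checkout and cache access, so a top-level `permissions:` / `  contents: read` next to `concurrency:` in the common section would pin it to least privilege. Separately, the build steps at `OPENSSL_TAG=${{ needs.discover_versions.outputs.openssl_latest_ref }}` and `WOLFSSL_TAG=${{ matrix.wolfssl_ref }}` (present in both the sanitizers and tsan jobs) splice expression values straight into the `run:` script; these values appear to come from the `_discover-versions.yml` reusable workflow rather than from PR input, but passing them through the step's `env:` and referencing `"$OPENSSL_TAG"` / `"$WOLFSSL_TAG"` in the script keeps the shell from ever interpreting a ref name, matching how `SAN_FLAGS` is already handled. The action references `actions/checkout@v4` and `actions/cache@v4` are mutable tags; pinning to a full commit SHA (`actions/checkout@<commit-sha> # v4`) with the repository's existing Dependabot config keeping it current would complete the supply-chain hardening.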