add further block cipher modes and extend tests #2053
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Build | |
| on: | |
| push: | |
| branches: ["main"] | |
| pull_request: | |
| branches: ["main"] | |
| jobs: | |
| build: | |
| name: CI | |
| runs-on: ubuntu-22.04 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| runs-on: [ubuntu-24.04, ubuntu-24.04-arm] | |
| name: [fedora, debian, centos9, centos10, ubuntu, almalinux8] | |
| compiler: [gcc, clang] | |
| token: [softokn, softhsm, kryoptic] | |
| include: | |
| - name: fedora | |
| container: quay.io/fedora/fedora:rawhide | |
| - name: debian | |
| container: quay.io/opendevmirror/debian:trixie | |
| - name: centos9 | |
| container: quay.io/centos/centos:stream9 | |
| - name: centos10 | |
| container: quay.io/centos/centos:stream10 | |
| - name: ubuntu | |
| container: quay.io/opendevmirror/ubuntu:24.04 | |
| - name: almalinux8 | |
| container: quay.io/almalinuxorg/almalinux:8 | |
| exclude: | |
| # Testing EL8 on a single compler (gcc) is sufficient. | |
| - name: almalinux8 | |
| compiler: clang | |
| # For whatever reason tests fail on EL8 with SoftHSM2. | |
| - name: almalinux8 | |
| token: softhsm | |
| - name: debian | |
| token: kryoptic | |
| - name: centos9 | |
| token: kryoptic | |
| - name: centos10 | |
| token: kryoptic | |
| - name: ubuntu | |
| token: kryoptic | |
| - name: almalinux8 | |
| token: kryoptic | |
| # Test on ARM only some use cases | |
| - runs-on: ubuntu-24.04-arm | |
| name: debian | |
| - runs-on: ubuntu-24.04-arm | |
| name: centos9 | |
| - runs-on: ubuntu-24.04-arm | |
| name: centos10 | |
| - runs-on: ubuntu-24.04-arm | |
| name: ubuntu | |
| - runs-on: ubuntu-24.04-arm | |
| name: almalinux8 | |
| container: ${{ matrix.container }} | |
| steps: | |
| - name: Install Dependencies | |
| run: | | |
| if [ "${{ matrix.name }}" = "centos9" -o "${{ matrix.name }}" = "centos10" ]; then | |
| dnf_opts="--enablerepo=crb" | |
| fi | |
| if [ -f /etc/redhat-release ]; then | |
| if [ "${{ matrix.name }}" = "almalinux8" ]; then | |
| dnf -y install epel-release | |
| dnf -y install openssl3-devel openssl3 | |
| dnf_opts="--enablerepo=powertools" | |
| else | |
| dnf -y install openssl-devel openssl | |
| fi | |
| dnf -y install $dnf_opts \ | |
| git ${{ matrix.compiler }} meson which pkgconf-pkg-config \ | |
| diffutils expect valgrind opensc python3-six | |
| if [ "${{ matrix.token }}" = "softokn" ]; then | |
| dnf -y install nss-softokn nss-tools nss-softokn-devel \ | |
| nss-devel | |
| elif [ "${{ matrix.token }}" = "softhsm" ]; then | |
| dnf -y install softhsm p11-kit-devel | |
| elif [ "${{ matrix.token }}" = "kryoptic" ]; then | |
| dnf -y install kryoptic | |
| fi | |
| elif [ -f /etc/debian_version ]; then | |
| apt-get -q update | |
| apt-get -yq install git ${{ matrix.compiler }} meson \ | |
| pkg-config libssl-dev openssl expect \ | |
| valgrind procps opensc python3-six | |
| if [ "${{ matrix.token }}" = "softokn" ]; then | |
| apt-get -yq install libnss3 libnss3-tools libnss3-dev | |
| elif [ "${{ matrix.token }}" = "softhsm" ]; then | |
| apt-get -yq install softhsm2 p11-kit libp11-kit-dev \ | |
| p11-kit-modules | |
| fi | |
| fi | |
| - name: Check Cases to skip | |
| id: skip-check | |
| run: | | |
| if [ "${{ matrix.name }}" = "centos9" -o "${{ matrix.name }}" = "centos10" ]; then | |
| if [ "${{ matrix.token }}" = "softokn" ]; then | |
| NSSMINVER=`nss-config --version nss | cut -d '.' -f 2` | |
| if [ $NSSMINVER -lt 101 ]; then | |
| echo "skiptest=true" >> $GITHUB_OUTPUT | |
| fi | |
| fi | |
| fi | |
| - name: Checkout Repository | |
| if : ( steps.skip-check.outputs.skiptest != 'true' ) | |
| uses: actions/checkout@v4 | |
| - name: Setup | |
| id: setup | |
| if : ( steps.skip-check.outputs.skiptest != 'true' ) | |
| run: | | |
| if [ "${{ matrix.runs-on }}" = "ubuntu-24.04-arm" ]; then | |
| echo "cpu=ARM64" >> $GITHUB_OUTPUT | |
| else | |
| echo "cpu=X86_64" >> $GITHUB_OUTPUT | |
| fi | |
| git config --global --add safe.directory \ | |
| /__w/pkcs11-provider/pkcs11-provider | |
| git submodule update --init | |
| if [ -f /etc/redhat-release ]; then | |
| CC=${{ matrix.compiler }} meson setup builddir | |
| else | |
| CC=${{ matrix.compiler }} meson setup builddir -Denable_explicit_EC_test=true | |
| fi | |
| - name: Build and Test | |
| if : ( steps.skip-check.outputs.skiptest != 'true' ) | |
| shell: bash | |
| run: | | |
| meson_tests=() | |
| if [ "${{ matrix.name }}" = "debian" ] && [ "${{ matrix.token }}" = "softhsm" ]; then | |
| # TLS tests are currently broken on debian+softhsm so we have to | |
| # provide an explict list of test excluding tls. | |
| while IFS= read -r line; do | |
| meson_tests+=("$line") | |
| done < <(meson test -C builddir --suite ${{ matrix.token }} --list |cut -d " " -f 3 | grep -v -E 'tls') | |
| fi | |
| if [ "${{ matrix.name }}" = "ubuntu" ] && [ "${{ matrix.token }}" = "softhsm" ]; then | |
| # pem_encoder tests are currently broken on ubuntu+softhsm due to some unrelated | |
| # RNG engine issue so we have to provide an explict list of test excluding pem_encoder. | |
| while IFS= read -r line; do | |
| meson_tests+=("$line") | |
| done < <(meson test -C builddir --suite ${{ matrix.token }} --list |cut -d " " -f 3 | grep -v -E 'pem_encoder') | |
| fi | |
| meson compile -C builddir | |
| meson test --num-processes 1 -C builddir --suite ${{ matrix.token }} "${meson_tests[@]}" | |
| - uses: actions/upload-artifact@v4 | |
| if: failure() | |
| with: | |
| name: Test logs ${{ matrix.name }}, ${{ matrix.compiler }}, ${{ matrix.token }} - ${{ steps.setup.cpu }} | |
| path: | | |
| builddir/meson-logs/ | |
| builddir/tests/*.log | |
| builddir/tests/${{ matrix.token }} | |
| - name: Run tests with valgrind | |
| if : ( steps.skip-check.outputs.skiptest != 'true' && matrix.compiler == 'gcc' ) | |
| shell: bash | |
| run: | | |
| meson_tests=() | |
| if [ "${{ matrix.name }}" = "debian" ] && [ "${{ matrix.token }}" = "softhsm" ]; then | |
| # TLS tests are currently broken on debian+softhsm so we have to | |
| # provide an explict list of test excluding tls. | |
| while IFS= read -r line; do | |
| meson_tests+=("$line") | |
| done < <(meson test -C builddir --suite ${{ matrix.token }} --list |cut -d " " -f 3 | grep -v -E 'tls') | |
| fi | |
| if [ "${{ matrix.name }}" = "ubuntu" ] && [ "${{ matrix.token }}" = "softhsm" ]; then | |
| # pem_encoder tests are currently broken on ubuntu+softhsm due to some unrelated | |
| # RNG engine issue so we have to provide an explict list of test excluding pem_encoder. | |
| while IFS= read -r line; do | |
| meson_tests+=("$line") | |
| done < <(meson test -C builddir --suite ${{ matrix.token }} --list |cut -d " " -f 3 | grep -v -E 'pem_encoder') | |
| fi | |
| meson test --num-processes 1 -C builddir --setup=valgrind --suite ${{ matrix.token }} "${meson_tests[@]}" | |
| - uses: actions/upload-artifact@v4 | |
| if: failure() | |
| with: | |
| name: Test valgrind logs ${{ matrix.name }}, ${{ matrix.compiler }}, ${{ matrix.token }} - ${{ steps.setup.cpu }} | |
| path: | | |
| builddir/meson-logs/ | |
| builddir/tests/*.log | |
| builddir/tests/${{ matrix.token }}/p11prov-debug.log | |
| #- name: Run tests in FIPS Mode (on CentOS + gcc only) | |
| # if : ( steps.skip-check.outputs.skiptest != 'true' ) | |
| # run: | | |
| # if [ "${{ matrix.compiler }}" = "gcc" -a \( "${{ matrix.name }}" = "centos9" -o "${{ matrix.name }}" = "centos10" \) ]; then | |
| # PKCS11_PROVIDER_FORCE_FIPS_MODE=1 \ | |
| # meson test --num-processes 1 -C builddir | |
| # fi | |
| #- uses: actions/upload-artifact@v4 | |
| # if: failure() | |
| # with: | |
| # name: Test FIPS Mode logs ${{ matrix.name }}, ${{ matrix.compiler }}, ${{ matrix.token }} | |
| # path: | | |
| # builddir/meson-logs/ | |
| # builddir/tests/${{ matrix.token }}/p11prov-debug.log | |
| # builddir/tests/${{ matrix.token }}/testvars | |
| # builddir/tests/${{ matrix.token }}/openssl.cnf | |
| build-macos: | |
| name: CI | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [macos-14] | |
| token: [softokn] | |
| #, softhsm] | |
| steps: | |
| - name: Install Dependencies | |
| run: | | |
| brew update | |
| brew install \ | |
| meson \ | |
| openssl@3 \ | |
| opensc \ | |
| p11-kit | |
| if [ "${{ matrix.token }}" = "softokn" ]; then | |
| brew install nss | |
| elif [ "${{ matrix.token }}" = "softhsm" ]; then | |
| brew install softhsm | |
| fi | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Setup | |
| run: | | |
| git config --global --add safe.directory \ | |
| /__w/pkcs11-provider/pkcs11-provider | |
| git submodule update --init | |
| export PKG_CONFIG_PATH=$(brew --prefix openssl@3)/lib/pkgconfig | |
| export PATH=$(brew --prefix openssl@3)/bin:$PATH | |
| CC=clang meson setup builddir | |
| - name: Build and Test | |
| run: | | |
| export PATH=$(brew --prefix openssl@3)/bin:$PATH | |
| # Temporarily disable tlsfuzzer tests | |
| rm -rf tlsfuzzer | |
| meson compile -j$(sysctl -n hw.ncpu || echo 2) -C builddir | |
| meson test --num-processes 1 -C builddir | |
| - uses: actions/upload-artifact@v4 | |
| if: failure() | |
| with: | |
| name: Test logs on macOS-14 with ${{ matrix.token }} | |
| path: | | |
| builddir/meson-logs/* | |
| builddir/tests/*.log | |
| builddir/tests/${{ matrix.token }} |