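# CI workflow: builds and tests kryoptic across a matrix of feature profiles
# (name), OpenSSL linking modes (linking), debug/release builds and the two
# test database backends (db). Indentation below is the reconstructed block
# layout; step contents are unchanged except where a comment says otherwise.
name: Build
on:  # yamllint disable-line rule:truthy -- GitHub reads this key literally
  pull_request:
    branches: ["main"]
  push:
    branches: ["main"]

# Least privilege for GITHUB_TOKEN: the steps below only check out the
# repository. Cache and artifact steps use the Actions runtime token, not
# GITHUB_TOKEN, so read-only contents is sufficient.
permissions:
  contents: read

env:
  # Branch names for the two out-of-tree OpenSSL checkouts cloned by the
  # "Setup OpenSSL" steps. Both are moving branch tips, so the FIPS/static
  # jobs are not reproducible from the workflow alone; pin a commit if
  # reproducibility is needed.
  OPENSSL_FIPS_BRANCH: kryoptic_ossl40
  OPENSSL_STATIC_BRANCH: master

jobs:
  build:
    name: Build
    runs-on: ubuntu-22.04
    strategy:
      fail-fast: false
      matrix:
        name: [standard, i686, minimal, pqc, no_sha1]
        linking: [dynamic, static, fips]
        build: [debug, release]
        db: [sqlitedb, nssdb]
        exclude:
          - name: no_sha1  # nssdb doesn't work with no_sha1
            db: nssdb
          - name: minimal
            linking: fips
          - name: pqc  # only works with openssl 3.5.0 so exclude dynamic
            linking: dynamic
          - name: pqc  # already part of normal fips tests
            linking: fips
          - name: no_sha1  # already tested in fips and dynamic build
            linking: static
          - name: no_sha1
            linking: fips
    container: quay.io/fedora/fedora:latest
    steps:
      # Year + ISO week stamp so the DNF package cache rolls over weekly.
      - name: Get Date for DNF cache entry
        id: get-date
        run: |
          echo "date=$(/bin/date -u "+%Y%V")" >> "$GITHUB_OUTPUT"
        shell: bash
      # NOTE(review): all actions below are pinned to major tags. Pinning to
      # full commit SHAs removes the tag-mutability risk; the SHAs are not on
      # this page, so they are not filled in here.
      - name: Restore DNF cache
        # The id is needed so the final "Store DNF cache" step can check
        # this restore's cache-hit output instead of an unrelated cache.
        id: dnf-cache
        uses: actions/cache/restore@v4
        with:
          path: |
            /var/cache/libdnf5
          key: ${{ runner.os }}-dnf-${{ steps.get-date.outputs.date }}
      - name: Install Dependencies
        run: |
          dnf -y install git cargo clang-devel openssl openssl-devel \
            'perl(FindBin)' 'perl(lib)' 'perl(File::Compare)' \
            'perl(File::Copy)' 'perl(bigint)' 'perl(Time::HiRes)' \
            'perl(IPC::Cmd)' 'perl(Pod::Html)' 'perl(Digest::SHA)' \
            'perl(Module::Load::Conditional)' 'perl(File::Temp)' \
            'perl(Test::Harness)' 'perl(Test::More)' 'perl(Math::BigInt)' \
            'perl(Time::Piece)' zlib-devel sed sqlite-devel
          if [ "${{ matrix.name }}" = "i686" ]; then
            dnf -y install rust-std-static.i686 openssl-devel.i686 \
              sqlite-devel.i686
            if [ "${{ matrix.linking }}" != "dynamic" ]; then
              dnf -y install libatomic.i686
            fi
          fi
      - name: Checkout Repository
        uses: actions/checkout@v6
      # The two "Setup OpenSSL" steps are identical apart from the clone URL
      # and branch; each exports KRYOPTIC_OPENSSL_SOURCES for later steps and
      # emits a cache id keyed on OS, arch and the cloned HEAD commit.
      - name: Setup OpenSSL (fips)
        if: ${{ matrix.linking == 'fips' }}
        id: ossl-setup-fips
        run: |
          git config --global --add safe.directory /__w/kryoptic
          cd ..
          git clone https://github.com/simo5/openssl.git \
            --single-branch --branch $OPENSSL_FIPS_BRANCH openssl
          cd openssl
          echo "KRYOPTIC_OPENSSL_SOURCES=$PWD" >> "$GITHUB_ENV"
          OS=${{ runner.os }}
          if [ "${{ matrix.name }}" = "i686" ]; then
            OS="${OS}-i686"
          fi
          echo "cacheid=${OS}-ossl-$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
      - name: Setup OpenSSL (static)
        if: ${{ matrix.linking == 'static' }}
        id: ossl-setup-static
        run: |
          git config --global --add safe.directory /__w/kryoptic
          cd ..
          git clone https://github.com/openssl/openssl.git \
            --single-branch --branch $OPENSSL_STATIC_BRANCH openssl
          cd openssl
          echo "KRYOPTIC_OPENSSL_SOURCES=$PWD" >> "$GITHUB_ENV"
          OS=${{ runner.os }}
          if [ "${{ matrix.name }}" = "i686" ]; then
            OS="${OS}-i686"
          fi
          echo "cacheid=${OS}-ossl-$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
      - name: Restore OpenSSL build (fips)
        if: ${{ matrix.linking == 'fips' }}
        uses: actions/cache/restore@v4
        id: cache-fips
        with:
          path: ${{ env.KRYOPTIC_OPENSSL_SOURCES }}
          key: ${{ steps.ossl-setup-fips.outputs.cacheid }}
      - name: Restore OpenSSL build (static)
        if: ${{ matrix.linking == 'static' }}
        uses: actions/cache/restore@v4
        id: cache-static
        with:
          path: ${{ env.KRYOPTIC_OPENSSL_SOURCES }}
          key: ${{ steps.ossl-setup-static.outputs.cacheid }}
      - name: Generate lock file
        run: cargo generate-lockfile
      - name: Cache Rust dependencies
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
      # Translates the matrix cell into cargo feature flags and options, then
      # builds and tests. TEST_PKCS11_MODULE is the path of the built module
      # under target/, adjusted for the i686 target triple and build profile.
      - name: Build & test
        run: |
          export KRYOPTIC_TESTS_DEFAULT_DB="${{ matrix.db }}"
          FEATURES="${{ matrix.db }}"
          OPTS="--no-default-features"
          FEATURE_SET="standard"
          export CC=clang
          TEST_PKCS11_MODULE="${PWD}/target"
          if [ "${{ matrix.name }}" = "i686" ]; then
            # pkg-config expects a sysroot dir when cross-compiling; we have
            # the i686 development files in the same paths because this is an
            # x86_64 build machine
            export PKG_CONFIG_SYSROOT_DIR=/
            OPTS="${OPTS} --target i686-unknown-linux-gnu"
            TEST_PKCS11_MODULE="${TEST_PKCS11_MODULE}/i686-unknown-linux-gnu"
          elif [ "${{ matrix.name }}" = "minimal" ]; then
            FEATURE_SET="minimal"
          elif [ "${{ matrix.name }}" = "pqc" ]; then
            FEATURES="${FEATURES},pqc,slow"
          elif [ "${{ matrix.name }}" = "no_sha1" ]; then
            FEATURES="${FEATURES},no_sha1"
          fi
          if [ "${{ matrix.linking }}" = "dynamic" ]; then
            FEATURES="${FEATURES},${FEATURE_SET},dynamic"
          elif [ "${{ matrix.linking }}" = "static" ]; then
            FEATURES="${FEATURES},${FEATURE_SET},ossl400"
          elif [ "${{ matrix.linking }}" = "fips" ]; then
            FEATURES="${FEATURES},fips"
          fi
          if [ "${{ matrix.build }}" = "release" ]; then
            OPTS="${OPTS} --release"
            TEST_PKCS11_MODULE="${TEST_PKCS11_MODULE}/release"
          else
            TEST_PKCS11_MODULE="${TEST_PKCS11_MODULE}/debug"
          fi
          TEST_PKCS11_MODULE="${TEST_PKCS11_MODULE}/libkryoptic_pkcs11.so"
          # create a bogus configuration file to make sure it is not used during tests
          mkdir -p ~/.config/kryoptic/
          cp testdata/test.conf ~/.config/kryoptic/token.conf
          #BUILD
          cargo build -vv $OPTS --features "$FEATURES"
          # cargo test does not build libkryoptic_pkcs11.so and we need to make
          # it fips compatible in any case
          if [ "${{ matrix.linking }}" = "fips" ]; then
            ./misc/hmacify.sh "${TEST_PKCS11_MODULE}"
          fi
          export TEST_PKCS11_MODULE
          #TEST
          cargo test -vv $OPTS --features "$FEATURES"
      - uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: Build logs ${{ matrix.name }}-${{ matrix.linking }}-${{ matrix.build }}-${{ matrix.db }}
          path: |
            target/debug/build/*/output
      # ../openssl only exists for the fips and static linking modes (it is
      # cloned by the "Setup OpenSSL" steps), so skip this on dynamic jobs
      # rather than failing on the cd.
      - name: Show Build configs and logs on error
        if: ${{ failure() && matrix.linking != 'dynamic' }}
        run: |
          cd ../openssl
          perl configdata.pm --dump
      # Save the OpenSSL trees only when the matching restore missed, to avoid
      # "cache already exists" warnings on every run.
      - if: ${{ matrix.linking == 'fips' && steps.cache-fips.outputs.cache-hit != 'true' }}
        name: Cache OpenSSL FIPS build
        uses: actions/cache/save@v4
        with:
          path: ${{ env.KRYOPTIC_OPENSSL_SOURCES }}
          key: ${{ steps.ossl-setup-fips.outputs.cacheid }}
      - if: ${{ matrix.linking == 'static' && steps.cache-static.outputs.cache-hit != 'true' }}
        name: Cache OpenSSL STATIC build
        uses: actions/cache/save@v4
        with:
          path: ${{ env.KRYOPTIC_OPENSSL_SOURCES }}
          key: ${{ steps.ossl-setup-static.outputs.cacheid }}
      # Gate on the DNF restore's own cache-hit. The previous condition checked
      # steps.cache-static (the OpenSSL source cache), which is unrelated to
      # the DNF key and is empty on non-static jobs.
      - if: ${{ matrix.name == 'i686' && steps.dnf-cache.outputs.cache-hit != 'true' }}
        name: Store DNF cache -- the i686 has the most dependencies
        uses: actions/cache/save@v4
        with:
          path: |
            /var/cache/libdnf5
          key: ${{ runner.os }}-dnf-${{ steps.get-date.outputs.date }}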