Restrict DH keygen to 2048 bits and above for FIPS builds (#336) #1859
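# Builds curl against the packaged wolfProvider / OpenSSL / wolfSSL stack and
# runs curl's CI test target, once normally and once with WOLFPROV_FORCE_FAIL=1.
name: Curl Tests

# START OF COMMON SECTION
on:
  push:
    branches: [ 'master', 'main', 'release/**' ]
  # `pull_request` (not `pull_request_target`): the workflow runs against the
  # PR's merge commit, so everything built and executed below is PR-supplied.
  pull_request:
    branches: [ '*' ]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
# END OF COMMON SECTION

jobs:
  # Reusable workflow that produces the .deb artifacts consumed by test_curl.
  build_wolfprovider:
    uses: ./.github/workflows/build-wolfprovider.yml
    with:
      wolfssl_ref: ${{ matrix.wolfssl_ref }}
      openssl_ref: ${{ matrix.openssl_ref }}
      fips_ref: ${{ matrix.fips_ref }}
      replace_default: ${{ matrix.replace_default }}
    strategy:
      matrix:
        wolfssl_ref: [ 'v5.8.4-stable' ]
        openssl_ref: [ 'openssl-3.5.4' ]
        fips_ref: [ 'FIPS', 'non-FIPS' ]
        replace_default: [ true ]

  test_curl:
    runs-on: ubuntu-22.04
    needs: build_wolfprovider
    # Least privilege: the steps below only read the repository and fetch
    # same-run artifacts, so the job token is limited to read access.
    # NOTE(review): assumes wolfSSL/actions-build-autotools-project needs no
    # write scope - confirm against that action.
    permissions:
      contents: read
    container:
      # NOTE(review): floating tag; pin by digest if reproducible runs matter.
      image: debian:bookworm
      env:
        DEBIAN_FRONTEND: noninteractive
    # This should be a safe limit for the tests to run.
    timeout-minutes: 20
    strategy:
      matrix:
        curl_ref: [ 'curl-8_4_0', 'curl-7_88_1' ]
        wolfssl_ref: [ 'v5.8.4-stable' ]
        openssl_ref: [ 'openssl-3.5.4' ]
        fips_ref: [ 'FIPS', 'non-FIPS' ]
        # '' is the normal run; the other entry forces provider failures.
        force_fail: ['WOLFPROV_FORCE_FAIL=1', '']
        replace_default: [ true ]
    env:
      WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages
      OPENSSL_PACKAGES_PATH: /tmp/openssl-packages
      WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages
    steps:
      # NOTE(review): the `uses:` references in this job are mutable tags
      # (@v4, @v1). Pinning each to a full commit SHA prevents a moved tag
      # from changing what runs here.
      - name: Checkout wolfProvider
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      # The artifact name must match what build_wolfprovider uploaded for the
      # same fips_ref / replace_default / wolfssl_ref / openssl_ref combination.
      - name: Download packages from build job
        uses: actions/download-artifact@v4
        with:
          name: debian-packages-${{ matrix.fips_ref }}${{ matrix.replace_default && '-replace-default' || '' }}-${{ matrix.wolfssl_ref }}-${{ matrix.openssl_ref }}
          path: /tmp

      # Installs the locally built .deb files over whatever the image ships;
      # --allow-downgrades lets them replace newer distro versions.
      - name: Install wolfSSL/OpenSSL/wolfprov packages
        run: |
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            ${{ env.WOLFSSL_PACKAGES_PATH }}/libwolfssl_*.deb
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            ${{ env.OPENSSL_PACKAGES_PATH }}/openssl_*.deb \
            ${{ env.OPENSSL_PACKAGES_PATH }}/libssl3_*.deb \
            ${{ env.OPENSSL_PACKAGES_PATH }}/libssl-dev_*.deb
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb

      - name: Verify wolfProvider is properly installed
        run: |
          $GITHUB_WORKSPACE/scripts/verify-install.sh \
            ${{ matrix.replace_default && '--replace-default' || '' }} \
            ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }}

      - name: Install dependencies
        run: |
          apt-get update
          apt-get install -y nghttp2 libpsl5 libpsl-dev python3-impacket \
            build-essential autoconf automake libtool

      - name: Build curl
        uses: wolfSSL/actions-build-autotools-project@v1
        with:
          repository: curl/curl
          path: curl
          ref: ${{ matrix.curl_ref }}
          configure: --with-openssl
          check: false

      # NOTE(review): the curl_ref matrix above has no 'master' entry, so the
      # condition below is never true and this step is currently a no-op.
      - name: Generate certificates for curl master force-fail tests
        run: |
          if [ "${{ matrix.force_fail }}" = "WOLFPROV_FORCE_FAIL=1" ] &&
             [ "${{ matrix.curl_ref }}" = "master" ]; then
            cd curl/tests/certs
            make test-ca.cacert
            cd ../..
          fi

      - name: Test curl with wolfProvider
        working-directory: curl
        shell: bash
        # Matrix values reach the script as environment variables rather than
        # being spliced into the shell text by ${{ }} expansion.
        env:
          FORCE_FAIL: ${{ matrix.force_fail }}
          CURL_REF: ${{ matrix.curl_ref }}
        run: |
          set +o pipefail # ignore errors from make check
          # Export the override only when set: a bare `export` with no operand
          # prints every exported variable into the job log.
          if [ -n "$FORCE_FAIL" ]; then
            export "$FORCE_FAIL"
          fi
          # Tests rely on $USER being set
          export USER=testuser
          # Run tests and save output to curl-test.log
          make -j$(nproc) test-ci 2>&1 | tee curl-test.log
          # Capture the test result using PIPESTATUS (Bash only)
          TEST_RESULT=${PIPESTATUS[0]}
          # The force-fail argument is omitted entirely when empty, so the
          # checker sees the same positional arguments as before.
          "$GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh" \
            "$TEST_RESULT" ${FORCE_FAIL:+"$FORCE_FAIL"} curl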