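---
name: Stunnel Tests
# START OF COMMON SECTION
on:
  push:
    branches: [ 'master', 'main', 'release/**' ]
  pull_request:
    branches: [ '*' ]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
# END OF COMMON SECTION

# NOTE(review): there is no top-level `permissions:` block, so every job runs
# with the repository's default GITHUB_TOKEN scope. `permissions: contents: read`
# is the usual hardening step; the reusable build workflow below inherits the
# caller's permissions, so confirm it needs nothing more before restricting.

jobs:
  # Builds the wolfSSL / OpenSSL / wolfProvider Debian packages that the test
  # job downloads as artifacts. The matrix here must match the one in
  # test_stunnel so the artifact names line up.
  build_wolfprovider:
    uses: ./.github/workflows/build-wolfprovider.yml
    with:
      wolfssl_ref: ${{ matrix.wolfssl_ref }}
      openssl_ref: ${{ matrix.openssl_ref }}
      fips_ref: ${{ matrix.fips_ref }}
      replace_default: ${{ matrix.replace_default }}
    strategy:
      matrix:
        wolfssl_ref: [ 'v5.8.4-stable' ]
        openssl_ref: [ 'openssl-3.5.4' ]
        fips_ref: [ 'FIPS', 'non-FIPS' ]
        replace_default: [ true ]

  # Builds stunnel against the packaged OpenSSL and runs its test suite with
  # wolfProvider loaded, once normally and once with WOLFPROV_FORCE_FAIL=1.
  test_stunnel:
    runs-on: ubuntu-22.04
    needs: build_wolfprovider
    container:
      image: debian:bookworm
      env:
        DEBIAN_FRONTEND: noninteractive
    # This should be a safe limit for the tests to run.
    timeout-minutes: 10
    strategy:
      matrix:
        stunnel_ref: [ 'stunnel-5.67' ]
        wolfssl_ref: [ 'v5.8.4-stable' ]
        openssl_ref: [ 'openssl-3.5.4' ]
        fips_ref: [ 'FIPS', 'non-FIPS' ]
        # The empty entry runs the suite without the forced-failure variable set.
        force_fail: ['WOLFPROV_FORCE_FAIL=1', '']
        replace_default: [ true ]
    env:
      WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages
      OPENSSL_PACKAGES_PATH: /tmp/openssl-packages
      WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages
    steps:
      # NOTE(review): the actions used in this job are pinned to mutable major
      # tags; pinning each `uses:` to a full commit SHA is the supply-chain
      # hardening GitHub recommends.
      - name: Checkout wolfProvider
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Download packages from build job
        uses: actions/download-artifact@v4
        with:
          name: debian-packages-${{ matrix.fips_ref }}${{ matrix.replace_default && '-replace-default' || '' }}-${{ matrix.wolfssl_ref }}-${{ matrix.openssl_ref }}
          path: /tmp

      - name: Install wolfSSL/OpenSSL/wolfprov packages
        run: |
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            ${{ env.WOLFSSL_PACKAGES_PATH }}/libwolfssl_*.deb
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            ${{ env.OPENSSL_PACKAGES_PATH }}/openssl_*.deb \
            ${{ env.OPENSSL_PACKAGES_PATH }}/libssl3_*.deb \
            ${{ env.OPENSSL_PACKAGES_PATH }}/libssl-dev_*.deb
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb

      - name: Verify wolfProvider is properly installed
        run: |
          $GITHUB_WORKSPACE/scripts/verify-install.sh \
            ${{ matrix.replace_default && '--replace-default' || '' }} \
            ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }}

      - name: Install dependencies
        run: |
          apt-get update
          apt-get install -y build-essential autoconf automake \
            autoconf-archive libtool libwrap0-dev pkg-config python3-venv \
            python3-cryptography patch git

      - name: Check Python version
        run: python3 --version

      - name: Checkout Stunnel
        uses: actions/checkout@v4
        with:
          repository: mtrojnar/stunnel
          ref: ${{ matrix.stunnel_ref }}
          path: stunnel
          fetch-depth: 1

      # NOTE(review): no `ref:` is given, so the patch applied below is taken
      # from the default branch at run time; pinning a ref would make the
      # build reproducible.
      - name: Checkout OSP
        uses: actions/checkout@v4
        with:
          repository: wolfssl/osp
          path: osp
          fetch-depth: 1

      - name: Apply OSP patch to Stunnel
        if: ${{ matrix.stunnel_ref == 'stunnel-5.67' }}
        working-directory: ./stunnel
        run: |
          # Apply patch for WOLFPROV_FORCE_FAIL
          patch -p1 < $GITHUB_WORKSPACE/osp/wolfProvider/stunnel/stunnel-WPFF-5.67-wolfprov.patch

      - name: Build Stunnel
        working-directory: ./stunnel
        run: |
          autoreconf -ivf
          ./configure
          make -j

      # Creates the venv that the test step re-activates (activation does not
      # persist across steps). NOTE(review): the venv is created without
      # --system-site-packages, so the apt-installed python3-cryptography is not
      # visible inside it — confirm the test suite does not need it there.
      - name: Update python cryptography module
        working-directory: ./stunnel
        shell: bash
        run: |
          python3 -m venv myenv
          source myenv/bin/activate

      - name: Verify stunnel with wolfProvider
        working-directory: ./stunnel
        shell: bash
        run: |
          set +o pipefail # ignore errors from make check
          # Only export when the matrix entry is non-empty: a bare `export`
          # would print every exported variable into the job log.
          if [ -n "${{ matrix.force_fail }}" ]; then
            export ${{ matrix.force_fail }}
          fi
          # enter venv
          source myenv/bin/activate
          # Set this variable to prevent attempts to load the legacy OpenSSL
          # provider, which we don't support.
          # This is necessary for OpenSSL 3.0+ to avoid errors related to legacy
          # algorithms that are not supported by wolfProvider.
          export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
          # Verify stunnel
          ./src/stunnel -version
          # Run tests
          # Results captured in tests/logs/results.log
          # Use `timeout` since the tests hang with WOLFPROV_FORCE_FAIL=1
          timeout 10 make check 2>&1 || true
          # grep for "failed: 0" in the results log, indicating success.
          # `grep -c` prints 0 *and* exits non-zero when nothing matches, so an
          # `|| echo 1` fallback would append a second line and $TEST_RESULT
          # would expand to two words; `|| true` keeps the count a single word.
          # A missing log leaves the count empty and falls back to 1, matching
          # the previous fallback. TODO(review): confirm check-workflow-result.sh
          # treats that case as intended.
          TEST_RESULT=$(grep -c "failed: 0" tests/logs/results.log || true)
          TEST_RESULT=${TEST_RESULT:-1}
          echo "Test result: $TEST_RESULT"
          # NOTE(review): when force_fail is '' the unquoted expansion drops an
          # argument, so "stunnel" shifts from $3 to $2 — confirm the script
          # expects that.
          $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} stunnel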