Skip to content

Switch to workspace, move ech-fetch to separate crate, add ECH CI coverage #1769

Switch to workspace, move ech-fetch to separate crate, add ECH CI coverage

Switch to workspace, move ech-fetch to separate crate, add ECH CI coverage #1769

Workflow file for this run

name: rustls-ffi
permissions:
contents: read
on:
push:
pull_request:
merge_group:
schedule:
- cron: '15 12 * * 3'
jobs:
build:
name: "Build+Test (${{ matrix.os }}, ${{ matrix.cc }}, ${{ matrix.rust }}, ${{ matrix.crypto }}${{ matrix.cert_compression == 'on' && ', cert compression' || '' }}${{ matrix.dyn_link == 'on' && ', dynamic linking' || '' }})"
runs-on: ${{ matrix.os }}
strategy:
matrix:
# test a bunch of toolchain and crypto providers on ubuntu
cc: [ clang, gcc ]
crypto: [ aws-lc-rs, ring ]
rust:
- stable
- beta
- nightly
# MSRV - keep in sync with what rustls and rustls-platform-verifier
# consider MSRV
- "1.73"
os: [ ubuntu-latest ]
# Include a few MacOS and cert-compression builds to ensure they're tested without
# bloating the matrix or slowing down CI.
include:
# Linux dyn link build
- os: ubuntu-latest
cc: clang
crypto: aws-lc-rs
rust: stable
dyn_link: on
# Linux cert compression build
- os: ubuntu-latest
cc: clang
crypto: aws-lc-rs
rust: stable
cert_compression: on
# MacOS standard build
- os: macos-latest
cc: clang
crypto: aws-lc-rs
rust: stable
cert_compression: off
# MacOS dyn link build
- os: macos-latest
cc: clang
crypto: aws-lc-rs
rust: stable
dyn_link: on
# MacOS cert compression build
- os: macos-latest
cc: clang
crypto: aws-lc-rs
rust: stable
cert_compression: on
steps:
- name: Checkout sources
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install ${{ matrix.rust }} toolchain
uses: dtolnay/rust-toolchain@master
with:
toolchain: ${{ matrix.rust }}
- name: Install cargo-c (Ubuntu)
if: matrix.os == 'ubuntu-latest'
env:
# Version picked for MSRV compat.
LINK: https://github.com/lu-zero/cargo-c/releases/download/v0.10.0
CARGO_C_FILE: cargo-c-x86_64-unknown-linux-musl.tar.gz
run: |
curl -L $LINK/$CARGO_C_FILE | tar xz -C ~/.cargo/bin
- name: Install cargo-c (macOS)
if: matrix.os == 'macos-latest'
env:
# Version picked for MSRV compat.
LINK: https://github.com/lu-zero/cargo-c/releases/download/v0.10.0
CARGO_C_FILE: cargo-c-macos.zip
run: |
curl -L $LINK/$CARGO_C_FILE -o cargo-c-macos.zip
unzip cargo-c-macos.zip -d ~/.cargo/bin
- name: Setup cmake build
run: |
CC=${{matrix.cc}} \
CXX=${{matrix.cc}} \
cmake \
-DCRYPTO_PROVIDER=${{matrix.crypto}} \
-DCERT_COMPRESSION=${{matrix.cert_compression}} \
-DDYN_LINK=${{matrix.dyn_link}} \
-DCMAKE_BUILD_TYPE=Debug \
${{ matrix.os == 'macos-latest' && '-DCMAKE_OSX_DEPLOYMENT_TARGET=14.5' || '' }} \
-S librustls -B build
- name: Build
run: cmake --build build
- name: Platform verifier connect test
run: cmake --build build --target connect-test
- name: Integration tests
run: cmake --build build --target integration-test
- name: Verify debug builds were using ASAN
if: runner.os == 'Linux' # For 'nm'
run: |
nm build/tests/client | grep '__asan_init'
nm build/tests/server | grep '__asan_init'
- name: Build release binaries
run: |
cmake --build build -- clean
CC=${{matrix.cc}} CXX=${{matrix.cc}} cmake -S librustls -B build -DCRYPTO_PROVIDER=${{matrix.crypto}} -DCMAKE_BUILD_TYPE=Release
cmake --build build
- name: Verify release builds were not using ASAN
if: runner.os == 'Linux' # For 'nm'
run: |
! nm build/tests/client | grep '__asan_init'
! nm build/tests/server | grep '__asan_init'
- name: Run ECH connect test
if: matrix.crypto == 'aws-lc-rs' # No HPKE in ring
run: |
cmake --build build --target ech-test > ech-test.log
grep 'sni=encrypted' ech-test.log
# Our integration tests rely on a built-in provider being enabled.
# Double-check the library/unit tests work without any providers to
# support downstream use-cases that bring their own external one.
- name: Test no built-in provider build
run: cargo test --no-default-features --locked
valgrind:
name: Valgrind
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install valgrind
run: sudo apt-get update && sudo apt-get install -y valgrind
- name: Install cargo-c
env:
LINK: https://github.com/lu-zero/cargo-c/releases/latest/download
CARGO_C_FILE: cargo-c-x86_64-unknown-linux-musl.tar.gz
run: |
curl -L $LINK/$CARGO_C_FILE | tar xz -C ~/.cargo/bin
- name: Setup cmake build
run: cmake -S librustls -B build -DCMAKE_BUILD_TYPE=Release # No ASAN w/ Valgrind
- run: VALGRIND=valgrind cmake --build build --target integration-test
# TODO(@cpu): MacOS and Windows FIPS test coverage
fips:
name: FIPS
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install nightly rust toolchain
uses: dtolnay/rust-toolchain@nightly
- name: Install cargo-c
env:
LINK: https://github.com/lu-zero/cargo-c/releases/latest/download
CARGO_C_FILE: cargo-c-x86_64-unknown-linux-musl.tar.gz
run: |
curl -L $LINK/$CARGO_C_FILE | tar xz -C ~/.cargo/bin
- name: Setup cmake build
run: |
cmake \
-DFIPS=true \
-DCMAKE_BUILD_TYPE=Release \
-S librustls -B build
- name: Integration tests
run: cmake --build build --target integration-test
test-windows:
name: "Windows (${{ matrix.crypto }}, ${{ matrix.config }}${{ matrix.cert_compression == 'on' && ', cert compression' || '' }}${{ matrix.dyn_link == 'on' && ', dynamic linking' || '' }})"
runs-on: windows-latest
strategy:
matrix:
crypto: [ aws-lc-rs, ring ]
config: [ Debug, Release ]
cert_compression: [ off ]
dyn_link: [ off ]
include:
# One build with dynamic linking.
- crypto: aws-lc-rs
config: Release
dyn_link: on
# One build with cert_compression.
- crypto: aws-lc-rs
config: Release
cert_compression: on
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install nightly rust toolchain
uses: dtolnay/rust-toolchain@nightly
# For Debug builds we use ASAN, which requires a modern MSVC on $PATH
# to provide the ASAN clang_rt.asan_*.dll runtime deps or
# the built client/server binary will exit immediately with
# exit code -1073741515
- name: Setup MSVC
uses: TheMrMilchmann/setup-msvc-dev@v3
with:
arch: x64
# Note: must use cargo-c 0.10.7+ for dynamic linking support on Windows.
- name: Install cargo-c
env:
LINK: https://github.com/lu-zero/cargo-c/releases/latest/download
CARGO_C_FILE: cargo-c-windows-msvc.zip
run: |
curl -L "$env:LINK/$env:CARGO_C_FILE" -o cargo-c-windows-msvc.zip
powershell -Command "Expand-Archive -Path cargo-c-windows-msvc.zip -DestinationPath $env:USERPROFILE\\.cargo\\bin -Force"
- name: Configure CMake
run: cmake -DCRYPTO_PROVIDER="${{ matrix.crypto }}" -DCERT_COMPRESSION="${{ matrix.cert_compression }}" -DDYN_LINK="${{ matrix.dyn_link }}" -S librustls -B build
- name: Build
run: cmake --build build --config "${{ matrix.config }}"
- name: Integration test
run: cmake --build build --config "${{matrix.config}}" --target integration-test
- name: Run ECH connect test
if: matrix.crypto == 'aws-lc-rs' # No HPKE in ring
run: |
cmake --build build --target ech-test > ech-test.log
grep 'sni=encrypted' ech-test.log
ensure-header-updated:
runs-on: ubuntu-latest
defaults:
run:
working-directory: librustls
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install nightly rust toolchain
uses: dtolnay/rust-toolchain@nightly
- name: Install cbindgen
# Pin the installed version of cbindgen so that local usage can be
# reliably matched to CI. There can be non-semantic differences in
# output between point releases of cbindgen that will fail this check
# otherwise.
run: cargo install cbindgen --force --version 0.27.0
- run: touch src/lib.rs
- run: cbindgen --version
- run: cbindgen > src/rustls.h
- run: git diff --exit-code
docs:
name: Check for documentation errors
runs-on: ubuntu-latest
steps:
- name: Checkout sources
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install rust toolchain
uses: dtolnay/rust-toolchain@nightly
- name: cargo doc (all features)
run: cargo doc --all-features --no-deps --workspace
env:
RUSTDOCFLAGS: -Dwarnings
minver:
name: Check minimum versions
runs-on: ubuntu-latest
steps:
- name: Checkout sources
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install rust toolchain
uses: dtolnay/rust-toolchain@nightly
- name: cargo test (debug; default features; -Z minimal-versions)
run: cargo -Z minimal-versions test --locked
- name: cargo test (debug; ring; -Z minimal-versions)
run: cargo -Z minimal-versions test --no-default-features --features=ring --locked
format:
name: Format
runs-on: ubuntu-latest
steps:
- name: Checkout sources
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install rust toolchain
uses: dtolnay/rust-toolchain@master
with:
toolchain: "1.73" # Matching MSRV
components: rustfmt
- name: Install Gersemi
run: pip install gersemi
- name: Setup cmake build
run: cmake -S librustls -B build
- name: Check formatting
run: cmake --build build --target format-check
clippy:
name: Clippy
runs-on: ubuntu-latest
steps:
- name: Checkout sources
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install rust toolchain
uses: dtolnay/rust-toolchain@stable
with:
components: clippy
- name: Check clippy (default features)
# We allow unknown lints here because sometimes the nightly job
# (below) will have a new lint that we want to suppress.
# If we suppress (e.g. #![allow(clippy::arc_with_non_send_sync)]),
# we would get an unknown-lint error from older clippy versions.
run: cargo clippy --locked --workspace --all-targets -- -D warnings -A unknown-lints
- name: Check clippy (ring)
run: cargo clippy --locked --workspace --all-targets --no-default-features --features=ring -- -D warnings -A unknown-lints
clippy-nightly-optional:
name: Clippy nightly (optional)
runs-on: ubuntu-latest
steps:
- name: Checkout sources
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install rust toolchain
uses: dtolnay/rust-toolchain@nightly
with:
components: clippy
- name: Check clippy (default features)
run: cargo clippy --locked --workspace --all-targets -- -D warnings
- name: Check clippy (ring)
run: cargo clippy --locked --workspace --all-targets --no-default-features --features=ring -- -D warnings
- name: Check clippy (all features)
# We only test --all-features on nightly, because two of the features
# (read_buf, core_io_borrowed_buf) require nightly.
run: cargo clippy --locked --workspace --all-targets --all-features -- -D warnings
clang-tidy:
name: Clang Tidy
runs-on: ubuntu-latest
steps:
- name: Checkout sources
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Clang tidy
run: clang-tidy librustls/tests/*.c -- -I librustls/src/
miri:
name: Miri
runs-on: ubuntu-latest
steps:
- name: Checkout sources
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install nightly Rust
uses: dtolnay/rust-toolchain@nightly
- run: rustup override set "nightly-$(curl -s https://rust-lang.github.io/rustup-components-history/x86_64-unknown-linux-gnu/miri)"
- run: rustup component add miri
- run: cargo miri test