Switch to workspace, move ech-fetch to separate crate, add ECH CI coverage #1769
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: rustls-ffi | |
permissions: | |
contents: read | |
on: | |
push: | |
pull_request: | |
merge_group: | |
schedule: | |
- cron: '15 12 * * 3' | |
jobs: | |
build: | |
name: "Build+Test (${{ matrix.os }}, ${{ matrix.cc }}, ${{ matrix.rust }}, ${{ matrix.crypto }}${{ matrix.cert_compression == 'on' && ', cert compression' || '' }}${{ matrix.dyn_link == 'on' && ', dynamic linking' || '' }})" | |
runs-on: ${{ matrix.os }} | |
strategy: | |
matrix: | |
# test a bunch of toolchain and crypto providers on ubuntu | |
cc: [ clang, gcc ] | |
crypto: [ aws-lc-rs, ring ] | |
rust: | |
- stable | |
- beta | |
- nightly | |
# MSRV - keep in sync with what rustls and rustls-platform-verifier | |
# consider MSRV | |
- "1.73" | |
os: [ ubuntu-latest ] | |
# Include a few MacOS and cert-compression builds to ensure they're tested without | |
# bloating the matrix or slowing down CI. | |
include: | |
# Linux dyn link build | |
- os: ubuntu-latest | |
cc: clang | |
crypto: aws-lc-rs | |
rust: stable | |
dyn_link: on | |
# Linux cert compression build | |
- os: ubuntu-latest | |
cc: clang | |
crypto: aws-lc-rs | |
rust: stable | |
cert_compression: on | |
# MacOS standard build | |
- os: macos-latest | |
cc: clang | |
crypto: aws-lc-rs | |
rust: stable | |
cert_compression: off | |
# MacOS dyn link build | |
- os: macos-latest | |
cc: clang | |
crypto: aws-lc-rs | |
rust: stable | |
dyn_link: on | |
# MacOS cert compression build | |
- os: macos-latest | |
cc: clang | |
crypto: aws-lc-rs | |
rust: stable | |
cert_compression: on | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install ${{ matrix.rust }} toolchain | |
uses: dtolnay/rust-toolchain@master | |
with: | |
toolchain: ${{ matrix.rust }} | |
- name: Install cargo-c (Ubuntu) | |
if: matrix.os == 'ubuntu-latest' | |
env: | |
# Version picked for MSRV compat. | |
LINK: https://github.com/lu-zero/cargo-c/releases/download/v0.10.0 | |
CARGO_C_FILE: cargo-c-x86_64-unknown-linux-musl.tar.gz | |
run: | | |
curl -L $LINK/$CARGO_C_FILE | tar xz -C ~/.cargo/bin | |
- name: Install cargo-c (macOS) | |
if: matrix.os == 'macos-latest' | |
env: | |
# Version picked for MSRV compat. | |
LINK: https://github.com/lu-zero/cargo-c/releases/download/v0.10.0 | |
CARGO_C_FILE: cargo-c-macos.zip | |
run: | | |
curl -L $LINK/$CARGO_C_FILE -o cargo-c-macos.zip | |
unzip cargo-c-macos.zip -d ~/.cargo/bin | |
- name: Setup cmake build | |
run: | | |
CC=${{matrix.cc}} \ | |
CXX=${{matrix.cc}} \ | |
cmake \ | |
-DCRYPTO_PROVIDER=${{matrix.crypto}} \ | |
-DCERT_COMPRESSION=${{matrix.cert_compression}} \ | |
-DDYN_LINK=${{matrix.dyn_link}} \ | |
-DCMAKE_BUILD_TYPE=Debug \ | |
${{ matrix.os == 'macos-latest' && '-DCMAKE_OSX_DEPLOYMENT_TARGET=14.5' || '' }} \ | |
-S librustls -B build | |
- name: Build | |
run: cmake --build build | |
- name: Platform verifier connect test | |
run: cmake --build build --target connect-test | |
- name: Integration tests | |
run: cmake --build build --target integration-test | |
- name: Verify debug builds were using ASAN | |
if: runner.os == 'Linux' # For 'nm' | |
run: | | |
nm build/tests/client | grep '__asan_init' | |
nm build/tests/server | grep '__asan_init' | |
- name: Build release binaries | |
run: | | |
cmake --build build -- clean | |
CC=${{matrix.cc}} CXX=${{matrix.cc}} cmake -S librustls -B build -DCRYPTO_PROVIDER=${{matrix.crypto}} -DCMAKE_BUILD_TYPE=Release | |
cmake --build build | |
- name: Verify release builds were not using ASAN | |
if: runner.os == 'Linux' # For 'nm' | |
run: | | |
! nm build/tests/client | grep '__asan_init' | |
! nm build/tests/server | grep '__asan_init' | |
- name: Run ECH connect test | |
if: matrix.crypto == 'aws-lc-rs' # No HPKE in ring | |
run: | | |
cmake --build build --target ech-test > ech-test.log | |
grep 'sni=encrypted' ech-test.log | |
# Our integration tests rely on a built-in provider being enabled. | |
# Double-check the library/unit tests work without any providers to | |
# support downstream use-cases that bring their own external one. | |
- name: Test no built-in provider build | |
run: cargo test --no-default-features --locked | |
valgrind: | |
name: Valgrind | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install valgrind | |
run: sudo apt-get update && sudo apt-get install -y valgrind | |
- name: Install cargo-c | |
env: | |
LINK: https://github.com/lu-zero/cargo-c/releases/latest/download | |
CARGO_C_FILE: cargo-c-x86_64-unknown-linux-musl.tar.gz | |
run: | | |
curl -L $LINK/$CARGO_C_FILE | tar xz -C ~/.cargo/bin | |
- name: Setup cmake build | |
run: cmake -S librustls -B build -DCMAKE_BUILD_TYPE=Release # No ASAN w/ Valgrind | |
- run: VALGRIND=valgrind cmake --build build --target integration-test | |
# TODO(@cpu): MacOS and Windows FIPS test coverage | |
fips: | |
name: FIPS | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install nightly rust toolchain | |
uses: dtolnay/rust-toolchain@nightly | |
- name: Install cargo-c | |
env: | |
LINK: https://github.com/lu-zero/cargo-c/releases/latest/download | |
CARGO_C_FILE: cargo-c-x86_64-unknown-linux-musl.tar.gz | |
run: | | |
curl -L $LINK/$CARGO_C_FILE | tar xz -C ~/.cargo/bin | |
- name: Setup cmake build | |
run: | | |
cmake \ | |
-DFIPS=true \ | |
-DCMAKE_BUILD_TYPE=Release \ | |
-S librustls -B build | |
- name: Integration tests | |
run: cmake --build build --target integration-test | |
test-windows: | |
name: "Windows (${{ matrix.crypto }}, ${{ matrix.config }}${{ matrix.cert_compression == 'on' && ', cert compression' || '' }}${{ matrix.dyn_link == 'on' && ', dynamic linking' || '' }})" | |
runs-on: windows-latest | |
strategy: | |
matrix: | |
crypto: [ aws-lc-rs, ring ] | |
config: [ Debug, Release ] | |
cert_compression: [ off ] | |
dyn_link: [ off ] | |
include: | |
# One build with dynamic linking. | |
- crypto: aws-lc-rs | |
config: Release | |
dyn_link: on | |
# One build with cert_compression. | |
- crypto: aws-lc-rs | |
config: Release | |
cert_compression: on | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install nightly rust toolchain | |
uses: dtolnay/rust-toolchain@nightly | |
# For Debug builds we use ASAN, which requires a modern MSVC on $PATH | |
# to provide the ASAN clang_rt.asan_*.dll runtime deps or | |
# the built client/server binary will exit immediately with | |
# exit code -1073741515 | |
- name: Setup MSVC | |
uses: TheMrMilchmann/setup-msvc-dev@v3 | |
with: | |
arch: x64 | |
# Note: must use cargo-c 0.10.7+ for dynamic linking support on Windows. | |
- name: Install cargo-c | |
env: | |
LINK: https://github.com/lu-zero/cargo-c/releases/latest/download | |
CARGO_C_FILE: cargo-c-windows-msvc.zip | |
run: | | |
curl -L "$env:LINK/$env:CARGO_C_FILE" -o cargo-c-windows-msvc.zip | |
powershell -Command "Expand-Archive -Path cargo-c-windows-msvc.zip -DestinationPath $env:USERPROFILE\\.cargo\\bin -Force" | |
- name: Configure CMake | |
run: cmake -DCRYPTO_PROVIDER="${{ matrix.crypto }}" -DCERT_COMPRESSION="${{ matrix.cert_compression }}" -DDYN_LINK="${{ matrix.dyn_link }}" -S librustls -B build | |
- name: Build | |
run: cmake --build build --config "${{ matrix.config }}" | |
- name: Integration test | |
run: cmake --build build --config "${{matrix.config}}" --target integration-test | |
- name: Run ECH connect test | |
if: matrix.crypto == 'aws-lc-rs' # No HPKE in ring | |
run: | | |
cmake --build build --target ech-test > ech-test.log | |
grep 'sni=encrypted' ech-test.log | |
ensure-header-updated: | |
runs-on: ubuntu-latest | |
defaults: | |
run: | |
working-directory: librustls | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install nightly rust toolchain | |
uses: dtolnay/rust-toolchain@nightly | |
- name: Install cbindgen | |
# Pin the installed version of cbindgen so that local usage can be | |
# reliably matched to CI. There can be non-semantic differences in | |
# output between point releases of cbindgen that will fail this check | |
# otherwise. | |
run: cargo install cbindgen --force --version 0.27.0 | |
- run: touch src/lib.rs | |
- run: cbindgen --version | |
- run: cbindgen > src/rustls.h | |
- run: git diff --exit-code | |
docs: | |
name: Check for documentation errors | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install rust toolchain | |
uses: dtolnay/rust-toolchain@nightly | |
- name: cargo doc (all features) | |
run: cargo doc --all-features --no-deps --workspace | |
env: | |
RUSTDOCFLAGS: -Dwarnings | |
minver: | |
name: Check minimum versions | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install rust toolchain | |
uses: dtolnay/rust-toolchain@nightly | |
- name: cargo test (debug; default features; -Z minimal-versions) | |
run: cargo -Z minimal-versions test --locked | |
- name: cargo test (debug; ring; -Z minimal-versions) | |
run: cargo -Z minimal-versions test --no-default-features --features=ring --locked | |
format: | |
name: Format | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install rust toolchain | |
uses: dtolnay/rust-toolchain@master | |
with: | |
toolchain: "1.73" # Matching MSRV | |
components: rustfmt | |
- name: Install Gersemi | |
run: pip install gersemi | |
- name: Setup cmake build | |
run: cmake -S librustls -B build | |
- name: Check formatting | |
run: cmake --build build --target format-check | |
clippy: | |
name: Clippy | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install rust toolchain | |
uses: dtolnay/rust-toolchain@stable | |
with: | |
components: clippy | |
- name: Check clippy (default features) | |
# We allow unknown lints here because sometimes the nightly job | |
# (below) will have a new lint that we want to suppress. | |
# If we suppress (e.g. #![allow(clippy::arc_with_non_send_sync)]), | |
# we would get an unknown-lint error from older clippy versions. | |
run: cargo clippy --locked --workspace --all-targets -- -D warnings -A unknown-lints | |
- name: Check clippy (ring) | |
run: cargo clippy --locked --workspace --all-targets --no-default-features --features=ring -- -D warnings -A unknown-lints | |
clippy-nightly-optional: | |
name: Clippy nightly (optional) | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install rust toolchain | |
uses: dtolnay/rust-toolchain@nightly | |
with: | |
components: clippy | |
- name: Check clippy (default features) | |
run: cargo clippy --locked --workspace --all-targets -- -D warnings | |
- name: Check clippy (ring) | |
run: cargo clippy --locked --workspace --all-targets --no-default-features --features=ring -- -D warnings | |
- name: Check clippy (all features) | |
# We only test --all-features on nightly, because two of the features | |
# (read_buf, core_io_borrowed_buf) require nightly. | |
run: cargo clippy --locked --workspace --all-targets --all-features -- -D warnings | |
clang-tidy: | |
name: Clang Tidy | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Clang tidy | |
run: clang-tidy librustls/tests/*.c -- -I librustls/src/ | |
miri: | |
name: Miri | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install nightly Rust | |
uses: dtolnay/rust-toolchain@nightly | |
- run: rustup override set "nightly-$(curl -s https://rust-lang.github.io/rustup-components-history/x86_64-unknown-linux-gnu/miri)" | |
- run: rustup component add miri | |
- run: cargo miri test |