shinys000114/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2026-02-04 12:20:42 +09:00
Code Issues Packages Projects Releases Wiki Activity
Files
2539d72b7c8d03d54538533db5b346dad52d6db3
libssh/.gitlab-ci.yml
Jakub Jelen 2539d72b7c Add support for PKCS#11 provider in OpenSSL 3.0 
The engine API in OpenSSL 3.0 is deprecated so we are in the progress of working
on a PKCS#11 provider for OpenSSL. This commit introduces a conditional build
with the pkcs11-provider support (instead of engines) with all the changes
required for the provider to work with existing code and tests.

The CI modification is only temporary before we will have the real package in
Fedora or somewhere to use.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Norbert Pocs <npocs@redhat.com>
2023-03-01 11:35:28 +01:00

566 lines
18 KiB
YAML
Raw Blame History

---
variables:
BUILD_IMAGES_PROJECT: libssh/build-images
CENTOS9_BUILD: buildenv-c9s
COVERITY_BUILD: buildenv-coverity
FEDORA_BUILD: buildenv-fedora
MINGW_BUILD: buildenv-mingw
TUMBLEWEED_BUILD: buildenv-tumbleweed
UBUNTU_BUILD: buildenv-ubuntu
ALPINE_BUILD: buildenv-alpine
stages:
- review
- build
- test
- analysis
.build:
stage: build
variables:
CMAKE_DEFAULT_OPTIONS: "-DCMAKE_BUILD_TYPE=RelWithDebInfo -DPICKY_DEVELOPER=ON"
CMAKE_BUILD_OPTIONS: "-DWITH_BLOWFISH_CIPHER=ON -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON -DWITH_DEBUG_CRYPTO=ON -DWITH_DEBUG_PACKET=ON -DWITH_DEBUG_CALLTRACE=ON"
CMAKE_TEST_OPTIONS: "-DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DWITH_BENCHMARKS=ON"
CMAKE_OPTIONS: $CMAKE_DEFAULT_OPTIONS $CMAKE_BUILD_OPTIONS $CMAKE_TEST_OPTIONS
before_script: &build
- uname -a
- cat /etc/os-release
- mount
- df -h
- cat /proc/swaps
- free -h
- mkdir -p obj && cd obj
script:
- cmake $CMAKE_OPTIONS $CMAKE_ADDITIONAL_OPTIONS .. &&
make -j$(nproc) &&
make -j$(nproc) install
# Do not use after_script as it does not make the targets fail
tags:
- shared
except:
- tags
artifacts:
expire_in: 1 week
when: on_failure
paths:
- obj/
.tests:
extends: .build
stage: test
# This is needed to prevent passing artifacts from previous stages
dependencies: []
script:
- cmake $CMAKE_OPTIONS $CMAKE_ADDITIONAL_OPTIONS .. &&
make -j$(nproc) &&
ctest --output-on-failure
# Do not use after_script as it does not make the targets fail
.fedora:
extends: .tests
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
variables:
CMAKE_ADDITIONAL_OPTIONS: -DWITH_PKCS11_URI=ON
.tumbleweed:
extends: .tests
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$TUMBLEWEED_BUILD
.fips:
extends: .tests
variables:
# DSA is turned off in fips mode
CMAKE_ADDITIONAL_OPTIONS: -DWITH_PKCS11_URI=ON -DWITH_DSA=OFF
before_script:
- *build
- echo "# userspace fips" > /etc/system-fips
# We do not need the kernel part, but in case we ever do:
# mkdir -p /var/tmp/userspace-fips
# echo 1 > /var/tmp/userspace-fips/fips_enabled
# mount --bind /var/tmp/userspace-fips/fips_enabled \
# /proc/sys/crypto/fips_enabled
- update-crypto-policies --show
- update-crypto-policies --set FIPS
- update-crypto-policies --show
###############################################################################
# CentOS builds #
###############################################################################
centos9s/openssl_3.0.x/x86_64:
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS9_BUILD
extends: .tests
variables:
CMAKE_ADDITIONAL_OPTIONS: -DWITH_PKCS11_URI=ON
script:
- export OPENSSL_ENABLE_SHA1_SIGNATURES=1
- cmake $CMAKE_OPTIONS $CMAKE_ADDITIONAL_OPTIONS .. &&
make -j$(nproc) &&
ctest --output-on-failure
centos9s/openssl_3.0.x/x86_64/fips:
extends: .fips
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS9_BUILD
script:
- export OPENSSL_ENABLE_SHA1_SIGNATURES=1
- cmake $CMAKE_OPTIONS $CMAKE_ADDITIONAL_OPTIONS .. &&
make -j$(nproc) &&
OPENSSL_FORCE_FIPS_MODE=1 ctest --output-on-failure
###############################################################################
# Fedora builds #
###############################################################################
fedora/build:
extends: .build
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
fedora/docs:
extends: .build
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
script:
- cmake .. && make docs
fedora/ninja:
extends: .fedora
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
script:
- cmake -G Ninja $CMAKE_OPTIONS ../ && ninja && ninja test
fedora/coverage:
extends: .fedora
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
variables:
CMAKE_ADDITIONAL_OPTIONS: -DCMAKE_BUILD_TYPE=Coverage
script:
- cmake $CMAKE_OPTIONS $CMAKE_ADDITIONAL_OPTIONS .. &&
make -j$(nproc) &&
make coverage_xml
coverage: /^\s*lines:\s*\d+.\d+\%/
artifacts:
name: ${CI_JOB_NAME}-${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHA}
expire_in: 1 week
reports:
coverage_report:
coverage_format: cobertura
path: obj/coverage_xml.xml
fedora/openssl_3.0.x/x86_64:
extends: .fedora
fedora/openssl_3.0.x/x86_64/pkcs11-provider:
variables:
CMAKE_ADDITIONAL_OPTIONS: -DWITH_PKCS11_URI=ON -DWITH_PKCS11_PROVIDER=ON
extends: .fedora
before_script:
- dnf -y install automake libtool autoconf-archive rpm-build gnutls-utils
nss-devel nss-tools opensc openssl p11-kit-devel p11-kit-server expect
- git clone https://github.com/latchset/pkcs11-provider.git
- pushd pkcs11-provider &&
autoreconf -fiv &&
./configure &&
make dist &&
mkdir -p rpmbuild/SOURCES &&
cp pkcs11-provider*tar.gz rpmbuild/SOURCES &&
rpmbuild --define "_topdir $PWD/rpmbuild" -ba packaging/pkcs11-provider.spec &&
dnf install -y rpmbuild/RPMS/x86_64/*.rpm
- popd && mkdir -p obj && cd obj
fedora/openssl_3.0.x/x86_64/minimal:
extends: .fedora
variables:
script:
- cmake $CMAKE_DEFAULT_OPTIONS
-DWITH_SFTP=OFF
-DWITH_SERVER=OFF
-DWITH_ZLIB=OFF
-DWITH_PCAP=OFF
-DUNIT_TESTING=ON
-DCLIENT_TESTING=ON
-DWITH_GEX=OFF .. &&
make -j$(nproc)
# Address sanitizer doesn't mix well with LD_PRELOAD used in the testsuite
# so, this is only enabled for unit tests right now.
# TODO: add -DCLIENT_TESTING=ON -DSERVER_TESTING=ON
fedora/address-sanitizer:
extends: .fedora
stage: analysis
script:
- cmake
-DCMAKE_BUILD_TYPE=AddressSanitizer
-DCMAKE_C_COMPILER=clang
-DCMAKE_CXX_COMPILER=clang++
-DPICKY_DEVELOPER=ON
$CMAKE_BUILD_OPTIONS
-DUNIT_TESTING=ON
-DFUZZ_TESTING=ON .. &&
make -j$(nproc) &&
ctest --output-on-failure
# This is disabled as it report OpenSSL issues
# It also has the same issues with cwrap as AddressSanitizer
.fedora/memory-sanitizer:
extends: .fedora
stage: analysis
script:
- cmake
-DCMAKE_BUILD_TYPE=MemorySanitizer
-DCMAKE_C_COMPILER=clang
-DCMAKE_CXX_COMPILER=clang++
-DPICKY_DEVELOPER=ON
$CMAKE_BUILD_OPTIONS
-DUNIT_TESTING=ON
-DFUZZ_TESTING=ON .. &&
make -j$(nproc) &&
ctest --output-on-failure
fedora/undefined-sanitizer:
extends: .fedora
stage: analysis
script:
- cmake
-DCMAKE_BUILD_TYPE=UndefinedSanitizer
-DCMAKE_C_COMPILER=clang
-DCMAKE_CXX_COMPILER=clang++
-DPICKY_DEVELOPER=ON
$CMAKE_BUILD_OPTIONS
-DUNIT_TESTING=ON
-DFUZZ_TESTING=ON .. &&
make -j$(nproc) &&
ctest --output-on-failure
fedora/libgcrypt/x86_64:
extends: .fedora
variables:
CMAKE_ADDITIONAL_OPTIONS: "-DWITH_GCRYPT=ON -DWITH_DEBUG_CRYPTO=ON"
fedora/mbedtls/x86_64:
extends: .fedora
variables:
CMAKE_ADDITIONAL_OPTIONS: "-DWITH_MBEDTLS=ON -DWITH_DEBUG_CRYPTO=ON "
# Unit testing only, no client and pkd testing, because cwrap is not available
# for MinGW
fedora/mingw64:
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
extends: .tests
script:
- export WINEPATH=/usr/x86_64-w64-mingw32/sys-root/mingw/bin
- export WINEDEBUG=-all
- mingw64-cmake $CMAKE_DEFAULT_OPTIONS
-DWITH_SFTP=ON
-DWITH_SERVER=ON
-DWITH_ZLIB=ON
-DWITH_PCAP=ON
-DUNIT_TESTING=ON .. &&
make -j$(nproc) &&
ctest --output-on-failure
# Unit testing only, no client and pkd testing, because cwrap is not available
# for MinGW
fedora/mingw32:
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
extends: .tests
script:
- export WINEPATH=/usr/i686-w64-mingw32/sys-root/mingw/bin
- export WINEDEBUG=-all
- mingw32-cmake $CMAKE_DEFAULT_OPTIONS
-DWITH_SFTP=ON
-DWITH_SERVER=ON
-DWITH_ZLIB=ON
-DWITH_PCAP=ON
-DUNIT_TESTING=ON .. &&
make -j$(nproc) &&
ctest --output-on-failure
###############################################################################
# Fedora csbuild #
###############################################################################
.csbuild:
stage: analysis
variables:
GIT_DEPTH: "100"
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
before_script:
- |
if [[ -z "$CI_COMMIT_BEFORE_SHA" ]]; then
export CI_COMMIT_BEFORE_SHA=$(git rev-parse "${CI_COMMIT_SHA}~20")
fi
# Check if the commit exists in this branch
# This is not the case for a force push
git branch --contains $CI_COMMIT_BEFORE_SHA 2>/dev/null || export CI_COMMIT_BEFORE_SHA=$(git rev-parse "${CI_COMMIT_SHA}~20")
export CI_COMMIT_RANGE="$CI_COMMIT_BEFORE_SHA..$CI_COMMIT_SHA"
tags:
- shared
except:
- tags
artifacts:
expire_in: 1 week
when: on_failure
paths:
- obj-csbuild/
fedora/csbuild/openssl_3.0.x:
extends: .csbuild
script:
- csbuild
--build-dir=obj-csbuild
--build-cmd "rm -rf CMakeFiles CMakeCache.txt && cmake -DCMAKE_BUILD_TYPE=Debug -DPICKY_DEVELOPER=ON -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DFUZZ_TESTING=ON @SRCDIR@ && make clean && make -j$(nproc)"
--git-commit-range $CI_COMMIT_RANGE
--color
--print-current --print-fixed
fedora/csbuild/libgcrypt:
extends: .csbuild
script:
- csbuild
--build-dir=obj-csbuild
--build-cmd "rm -rf CMakeFiles CMakeCache.txt && cmake -DCMAKE_BUILD_TYPE=Debug -DPICKY_DEVELOPER=ON -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DFUZZ_TESTING=ON -DWITH_GCRYPT=ON @SRCDIR@ && make clean && make -j$(nproc)"
--git-commit-range $CI_COMMIT_RANGE
--color
--print-current --print-fixed
fedora/csbuild/mbedtls:
extends: .csbuild
script:
- csbuild
--build-dir=obj-csbuild
--build-cmd "rm -rf CMakeFiles CMakeCache.txt && cmake -DCMAKE_BUILD_TYPE=Debug -DPICKY_DEVELOPER=ON -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DFUZZ_TESTING=ON -DWITH_MBEDTLS=ON @SRCDIR@ && make clean && make -j$(nproc)"
--git-commit-range $CI_COMMIT_RANGE
--color
--print-current --print-fixed
###############################################################################
# Ubuntu builds #
###############################################################################
ubuntu/openssl_3.0.x/x86_64:
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$UBUNTU_BUILD
extends: .tests
###############################################################################
# Alpine builds #
###############################################################################
alpine/openssl_3.0.x/musl:
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$ALPINE_BUILD
extends: .tests
script:
- cmake $CMAKE_DEFAULT_OPTIONS
-DWITH_SFTP=ON
-DWITH_SERVER=ON
-DWITH_ZLIB=ON
-DWITH_PCAP=ON
-DUNIT_TESTING=ON .. &&
make -j$(nproc) &&
ctest --output-on-failure
###############################################################################
# Tumbleweed builds #
###############################################################################
tumbleweed/openssl_1.1.x/x86_64/gcc:
extends: .tumbleweed
variables:
CMAKE_ADDITIONAL_OPTIONS: "-DKRB5_CONFIG=/usr/lib/mit/bin/krb5-config"
tumbleweed/openssl_1.1.x/x86/gcc:
extends: .tumbleweed
script:
- cmake
-DCMAKE_TOOLCHAIN_FILE=../cmake/Toolchain-cross-m32.cmake
$CMAKE_DEFAULT_OPTIONS
-DWITH_SFTP=ON
-DWITH_SERVER=ON
-DWITH_ZLIB=ON
-DWITH_PCAP=ON
-DUNIT_TESTING=ON ..
tumbleweed/openssl_1.1.x/x86_64/gcc7:
extends: .tumbleweed
variables:
CMAKE_ADDITIONAL_OPTIONS: "-DCMAKE_C_COMPILER=gcc-7 -DCMAKE_CXX_COMPILER=g++-7 -DKRB5_CONFIG=/usr/lib/mit/bin/krb5-config"
tumbleweed/openssl_1.1.x/x86/gcc7:
extends: .tumbleweed
script:
- cmake
-DCMAKE_TOOLCHAIN_FILE=../cmake/Toolchain-cross-m32.cmake
-DCMAKE_C_COMPILER=gcc-7 -DCMAKE_CXX_COMPILER=g++-7
$CMAKE_DEFAULT_OPTIONS
-DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
-DUNIT_TESTING=ON .. &&
make -j$(nproc) &&
ctest --output-on-failure
tumbleweed/openssl_1.1.x/x86_64/clang:
extends: .tumbleweed
variables:
CMAKE_ADDITIONAL_OPTIONS: "-DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DKRB5_CONFIG=/usr/lib/mit/bin/krb5-config"
tumbleweed/static-analysis:
extends: .tests
stage: analysis
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$TUMBLEWEED_BUILD
script:
- export CCC_CC=clang
- export CCC_CXX=clang++
- scan-build cmake
-DCMAKE_BUILD_TYPE=Debug
-DCMAKE_C_COMPILER=clang
-DCMAKE_CXX_COMPILER=clang++
-DPICKY_DEVELOPER=ON
$CMAKE_BUILD_OPTIONS
$CMAKE_TEST_OPTIONS .. &&
scan-build --status-bugs -o scan make -j$(nproc)
artifacts:
expire_in: 1 week
when: on_failure
paths:
- obj/scan
###############################################################################
# FreeBSD builds #
###############################################################################
# That is a specific runner that we cannot enable universally.
# We restrict it to builds under the $BUILD_IMAGES_PROJECT project.
freebsd/openssl_1.1.1/x86_64:
image:
extends: .tests
before_script:
- mkdir -p obj && cd obj && cmake
-DCMAKE_BUILD_TYPE=RelWithDebInfo
-DPICKY_DEVELOPER=ON
-DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
-DUNIT_TESTING=ON ..
script:
- cmake $CMAKE_DEFAULT_OPTIONS
-DWITH_SFTP=ON
-DWITH_SERVER=ON
-DWITH_ZLIB=ON
-DWITH_PCAP=ON
-DUNIT_TESTING=ON .. &&
make &&
ctest --output-on-failure
tags:
- private
- freebsd
only:
- branches@libssh/libssh-mirror
- branches@cryptomilk/libssh-mirror
- branches@jjelen/libssh-mirror
- branches@marco.fortina/libssh-mirror
###############################################################################
# Visual Studio builds #
###############################################################################
.vs:
stage: test
cache:
key: vcpkg.${CI_JOB_NAME}
paths:
- .vcpkg
variables:
ErrorActionPreference: STOP
script:
- cmake --build .
- ctest --output-on-failure
tags:
- windows
- shared-windows
except:
- tags
artifacts:
expire_in: 1 week
when: on_failure
paths:
- obj/
before_script:
- choco install --no-progress -y cmake
- $env:Path += ';C:\Program Files\CMake\bin'
- If (!(test-path .vcpkg\archives)) { mkdir -p .vcpkg\archives }
- $env:VCPKG_DEFAULT_BINARY_CACHE="$PWD\.vcpkg\archives"
- echo $env:VCPKG_DEFAULT_BINARY_CACHE
- $env:VCPKG_DEFAULT_TRIPLET="$TRIPLET-windows"
- vcpkg install cmocka
- vcpkg install openssl
- vcpkg install zlib
- vcpkg integrate install
- mkdir -p obj; if ($?) {cd obj}; if (! $?) {exit 1}
- cmake
-A $PLATFORM
-DCMAKE_TOOLCHAIN_FILE=C:/vcpkg/scripts/buildsystems/vcpkg.cmake
-DPICKY_DEVELOPER=ON
-DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
-DUNIT_TESTING=ON ..
visualstudio/x86_64:
extends: .vs
variables:
PLATFORM: "x64"
TRIPLET: "x64"
visualstudio/x86:
extends: .vs
variables:
PLATFORM: "win32"
TRIPLET: "x86"
###############################################################################
# Coverity #
###############################################################################
#
# git push -o ci.variable="COVERITY_SCAN_TOKEN=XXXXXX" \
# -o ci.variable="COVERITY_SCAN_PROJECT_NAME=XXXXXX" \
# -o ci.variable="COVERITY_SCAN_EMAIL=XXXXXX" \
# -f gitlab
coverity:
stage: analysis
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$COVERITY_BUILD
script:
- mkdir obj && cd obj
- wget https://scan.coverity.com/download/linux64 --post-data "token=$COVERITY_SCAN_TOKEN&project=$COVERITY_SCAN_PROJECT_NAME" -O /tmp/coverity_tool.tgz
- tar xf /tmp/coverity_tool.tgz
- cmake -DCMAKE_BUILD_TYPE=Debug $CMAKE_BUILD_OPTIONS $CMAKE_TEST_OPTIONS ..
- cov-analysis-linux64-*/bin/cov-build --dir cov-int make -j$(nproc)
- tar czf cov-int.tar.gz cov-int
- curl
--form token=$COVERITY_SCAN_TOKEN
--form email=$COVERITY_SCAN_EMAIL
--form file=@cov-int.tar.gz
--form version="`git describe --tags`"
--form description="CI build"
https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME
tags:
- shared
only:
refs:
- master
- schedules
variables:
- $COVERITY_SCAN_TOKEN != null
- $COVERITY_SCAN_PROJECT_NAME != null
- $COVERITY_SCAN_EMAIL != null
artifacts:
expire_in: 1 week
when: on_failure
paths:
- obj/cov-int/*.txt
###############################################################################
# Codespell #
###############################################################################
codespell:
stage: review
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
script:
- codespell --ignore-words-list=keypair,sorce,ned,nd,ue
tags:
- shared
Reference in New Issue View Git Blame Copy Permalink