@@ -12,6 +12,10 @@ concurrency:
1212 cancel-in-progress : true
1313# END OF COMMON SECTION
1414
15+ # clang has better sanitizer support
16+ env :
17+ CC : clang
18+
1519jobs :
1620 build_wolfssl :
1721 name : Build wolfSSL
3135 uses : wolfSSL/actions-build-autotools-project@v1
3236 with :
3337 path : wolfssl
34- configure : --enable-nginx ${{ env.wolf_debug_flags }}
38+ configure : >-
39+ --enable-nginx --enable-curve25519 --enable-ed25519 ${{ env.wolf_debug_flags }}
3540 install : true
3641
3742 - name : tar build-dir
5055 matrix :
5156 include :
5257 # in general we want to pass all tests that match *ssl*
58+ - ref : 1.28.0
59+ test-ref : 0fccfcef1278263416043e0bbb3e0116b84026e4
60+ # Following tests pass with sanitizer on
61+ sanitize-ok : >-
62+ h2_ssl_proxy_cache.t h2_ssl.t h2_ssl_variables.t
63+ h2_ssl_verify_client.t mail_imap_ssl.t mail_ssl_session_reuse.t
64+ mail_ssl.t proxy_ssl_certificate_cache.t
65+ proxy_ssl_certificate_empty.t proxy_ssl_certificate.t
66+ proxy_ssl_certificate_vars.t proxy_ssl_name.t ssl_cache_reload.t
67+ ssl_certificate_aux.t ssl_certificate_cache.t
68+ ssl_certificate_chain.t ssl_certificates.t ssl_certificate.t
69+ ssl_client_escaped_cert.t ssl_crl.t ssl_curve.t ssl_ocsp.t
70+ ssl_password_file.t ssl_proxy_upgrade.t ssl_reject_handshake.t
71+ ssl_session_reuse.t ssl_session_ticket_key.t ssl_sni_protocols.t
72+ ssl_sni_reneg.t ssl_sni_sessions.t ssl_sni.t ssl_stapling.t ssl.t
73+ ssl_verify_client.t ssl_verify_client_trusted.t ssl_verify_depth.t
74+ stream_proxy_ssl_certificate_cache.t stream_proxy_ssl_certificate.t
75+ stream_proxy_ssl_certificate_vars.t
76+ stream_proxy_ssl_name_complex.t stream_proxy_ssl_name.t
77+ stream_ssl_alpn.t stream_ssl_certificate_cache.t
78+ stream_ssl_certificate.t stream_ssl_ocsp.t stream_ssl_preread_alpn.t
79+ stream_ssl_preread_protocol.t stream_ssl_preread.t
80+ stream_ssl_reject_handshake.t stream_ssl_session_reuse.t
81+ stream_ssl_sni_protocols.t stream_ssl_stapling.t stream_ssl.t
82+ stream_ssl_variables.t stream_ssl_verify_client.t
83+ stream_upstream_zone_ssl.t upstream_zone_ssl.t
84+ uwsgi_ssl_certificate.t uwsgi_ssl_certificate_vars.t
85+ # Following tests do not pass with sanitizer on (with OpenSSL too)
86+ sanitize-not-ok : >-
87+ grpc_ssl.t h2_proxy_request_buffering_ssl.t h2_proxy_ssl.t
88+ proxy_request_buffering_ssl.t proxy_ssl_conf_command.t
89+ proxy_ssl_keepalive.t proxy_ssl.t proxy_ssl_verify.t ssl_cache.t
90+ stream_proxy_protocol_ssl.t stream_proxy_ssl_conf_command.t
91+ stream_proxy_ssl.t stream_proxy_ssl_verify.t
92+
5393 - ref : 1.25.0
5494 test-ref : 5b2894ea1afd01a26c589ce11f310df118e42592
5595 # Following tests pass with sanitizer on
@@ -120,30 +160,17 @@ jobs:
120160 - name : untar build-dir
121161 run : tar -xf build-dir.tgz
122162
123- - name : Install dependencies
124- run : |
125- sudo cpan -iT Proc::Find
163+ - name : Openssl version
164+ run : openssl version -a
126165
127- # Locking in the version of SSLeay used with testing
128- - name : Download and install Net::SSLeay 1.94 manually
129- run : |
130- curl -LO https://www.cpan.org/modules/by-module/Net/CHRISN/Net-SSLeay-1.94.tar.gz
131- tar -xzf Net-SSLeay-1.94.tar.gz
132- cd Net-SSLeay-1.94
133- perl Makefile.PL
134- make
135- sudo make install
136-
137- # SSL version 2.091 changes '' return to undef causing test case to fail.
138- # Locking in the test version to use as 2.090
139- - name : Download and install IO::Socket::SSL 2.090 manually
166+ - name : Setup Perl environment
167+ uses : shogo82148/actions-setup-perl@v1
168+ with :
169+ perl-version : ' 5.38.2'
170+
171+ - name : Install dependencies
140172 run : |
141- curl -LO https://www.cpan.org/modules/by-module/IO/IO-Socket-SSL-2.090.tar.gz
142- tar -xzf IO-Socket-SSL-2.090.tar.gz
143- cd IO-Socket-SSL-2.090
144- perl Makefile.PL
145- make
146- sudo make install
173+ cpanm --notest Proc::Find Net::SSLeay@1.94 IO::Socket::SSL@2.090
147174
148175 - name : Checkout wolfssl-nginx
149176 uses : actions/checkout@v4
@@ -211,37 +238,31 @@ jobs:
211238 run : |
212239 echo "nginx_c_flags=-O0" >> $GITHUB_ENV
213240
214- - name : workaround high-entropy ASLR
215- # not needed after either an update to llvm or runner is done
216- run : sudo sysctl vm.mmap_rnd_bits=28
217-
218241 - name : Build nginx with sanitizer
219242 working-directory : nginx
220243 run : |
221244 ./auto/configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-http_ssl_module \
222245 --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \
223246 --with-http_v2_module --with-mail --with-mail_ssl_module \
224- --with-cc-opt='-fsanitize=address -DNGX_DEBUG_PALLOC=1 -g3 ${{ env.nginx_c_flags }}' \
247+ --with-cc-opt='-fsanitize=address -DNGX_DEBUG_PALLOC=1 -g3 \
248+ ${{ env.nginx_c_flags }}' \
225249 --with-ld-opt='-fsanitize=address ${{ env.nginx_c_flags }}'
226250 make -j
227251
228252 - name : Confirm nginx built with wolfSSL
229253 working-directory : nginx
230254 run : ldd objs/nginx | grep wolfssl
231255
232- - if : ${{ runner.debug }}
233- name : Run nginx-tests with sanitizer (debug)
256+ - name : Create LSAN suppression file
234257 working-directory : nginx-tests
235258 run : |
236- LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
237- TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y \
238- TEST_NGINX_BINARY=../nginx/objs/nginx prove -v ${{ matrix.sanitize-ok }}
259+ echo "leak:ngx_worker_process_init" > lsan.supp
239260
240261 - if : ${{ !runner.debug }}
241262 name : Run nginx-tests with sanitizer
242263 working-directory : nginx-tests
243264 run : |
244265 LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
266+ LSAN_OPTIONS=suppressions=$GITHUB_WORKSPACE/nginx-tests/lsan.supp \
245267 TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_BINARY=../nginx/objs/nginx \
246268 prove ${{ matrix.sanitize-ok }}
247-
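Review bot: In the last hunk the surviving "Run nginx-tests with sanitizer" step keeps `if: ${{ !runner.debug }}` while its `runner.debug` counterpart is deleted, so a re-run with debug logging enabled skips the sanitizer tests entirely and the job can still finish green. Drop the condition from the remaining step (or fold the verbose flags into it) so that every run executes `prove ${{ matrix.sanitize-ok }}`. The new `leak:ngx_worker_process_init` suppression matches any leak whose stack passes through that function, which may also hide leaks in wolfSSL code reached from worker init; a comment above the `echo` naming the specific leak it is meant to cover would keep the rule reviewable. In the second hunk, `shogo82148/actions-setup-perl@v1` is a third-party action referenced by a mutable tag; pinning it to a full commit SHA, as in `uses: shogo82148/actions-setup-perl@FULL_COMMIT_SHA # v1`, keeps the step from changing underneath the workflow.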