openssl/.github/workflows/windows.yml
Neil Horman 796e5f9648 Create a rudimentary symbol scanning script
We would like to be able to log and audit the symbols we use in openssl
so that we might catch when a new platform symbols is referecned

Add such a script (just on unix platforms for now) that gathers the used
symbols not belonging to libcrypto or libssl, and compare it to a prior
known set of used symbols.  Error out if a new symbol is found

Add this script to the ci workflow in CI to capture newly
introduced platform symbols

Fixes #22330

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22478)
2023-11-01 16:32:26 +01:00

186 lines
6.2 KiB
YAML

# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
name: Windows GitHub CI
on: [pull_request, push]
permissions:
contents: read
jobs:
shared:
# Run a job for each of the specified target architectures:
strategy:
matrix:
os:
- windows-2019
- windows-2022
platform:
- arch: win64
config: enable-fips
- arch: win32
config: --strict-warnings no-fips
runs-on: ${{matrix.os}}
steps:
- uses: actions/checkout@v4
- name: checkout fuzz/corpora submodule
run: git submodule update --init --depth 1 fuzz/corpora
- uses: ilammy/msvc-dev-cmd@v1
with:
arch: ${{ matrix.platform.arch }}
- uses: ilammy/setup-nasm@v1
with:
platform: ${{ matrix.platform.arch }}
- name: prepare the build directory
run: mkdir _build
- name: config
working-directory: _build
run: |
perl ..\Configure --banner=Configured no-makedepend ${{ matrix.platform.config }}
perl configdata.pm --dump
- name: build
working-directory: _build
run: nmake /S
- name: download coreinfo
uses: suisei-cn/actions-download-file@v1.4.0
with:
url: "https://download.sysinternals.com/files/Coreinfo.zip"
target: _build/coreinfo/
- name: get cpu info
working-directory: _build
continue-on-error: true
run: |
7z.exe x coreinfo/Coreinfo.zip
./Coreinfo64.exe -accepteula -f
./apps/openssl.exe version -c
- name: Check platform symbol usage
working-directory: _build
run: perl ../util/checkplatformsyms.pl ../util/platform_symbols/windows-symbols.txt libcrypto-3-x64.dll ./libssl-3-x64.dll
- name: test
working-directory: _build
run: nmake test VERBOSE_FAILURE=yes TESTS=-test_fuzz* HARNESS_JOBS=4
- name: install
# Run on 64 bit only as 32 bit is slow enough already
if: $${{ matrix.platform.arch == 'win64' }}
run: |
mkdir _dest
nmake install DESTDIR=_dest
working-directory: _build
plain:
strategy:
matrix:
os:
- windows-2019
- windows-2022
runs-on: ${{matrix.os}}
steps:
- uses: actions/checkout@v4
- name: checkout fuzz/corpora submodule
run: git submodule update --init --depth 1 fuzz/corpora
- uses: ilammy/msvc-dev-cmd@v1
- name: prepare the build directory
run: mkdir _build
- name: config
working-directory: _build
run: |
perl ..\Configure --banner=Configured no-makedepend no-shared no-fips enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-trace enable-crypto-mdebug VC-WIN64A-masm
perl configdata.pm --dump
- name: build
working-directory: _build
run: nmake /S
- name: download coreinfo
uses: suisei-cn/actions-download-file@v1.4.0
with:
url: "https://download.sysinternals.com/files/Coreinfo.zip"
target: _build/coreinfo/
- name: get cpu info
working-directory: _build
continue-on-error: true
run: |
7z.exe x coreinfo/Coreinfo.zip
./Coreinfo64.exe -accepteula -f
./apps/openssl.exe version -c
- name: test
working-directory: _build
run: nmake test VERBOSE_FAILURE=yes HARNESS_JOBS=4
minimal:
strategy:
matrix:
os:
- windows-2019
- windows-2022
runs-on: ${{matrix.os}}
steps:
- uses: actions/checkout@v4
- name: checkout fuzz/corpora submodule
run: git submodule update --init --depth 1 fuzz/corpora
- uses: ilammy/msvc-dev-cmd@v1
- name: prepare the build directory
run: mkdir _build
- name: config
working-directory: _build
run: |
perl ..\Configure --banner=Configured no-makedepend no-bulk no-deprecated no-fips no-asm no-threads -DOPENSSL_SMALL_FOOTPRINT
perl configdata.pm --dump
- name: build
working-directory: _build
run: nmake # verbose, so no /S here
- name: download coreinfo
uses: suisei-cn/actions-download-file@v1.4.0
with:
url: "https://download.sysinternals.com/files/Coreinfo.zip"
target: _build/coreinfo/
- name: get cpu info
working-directory: _build
continue-on-error: true
run: |
7z.exe x coreinfo/Coreinfo.zip
./Coreinfo64.exe -accepteula -f
./apps/openssl.exe version -c
- name: test
working-directory: _build
run: nmake test VERBOSE_FAILURE=yes TESTS=-test_fuzz* HARNESS_JOBS=4
cygwin:
# Run a job for each of the specified target architectures:
strategy:
matrix:
os:
- windows-2019
# really worth while running, too? cygwin should mask this
# - windows-2022
platform:
- arch: win64
config: -DCMAKE_C_COMPILER=gcc --strict-warnings no-fips
# are we really learning sth new from win32? So let's save some CO2 for now disabling this
# - arch: win32
# config: -DCMAKE_C_COMPILER=gcc --strict-warnings no-fips
runs-on: ${{matrix.os}}
env:
CYGWIN_NOWINPATH: 1
SHELLOPTS: igncr
# Don't overwhelm github CI VMs:
MAKE_PARAMS: -j 4
steps:
# Checkout before cygwin can mess with PATH...
- uses: actions/checkout@v4
- uses: cygwin/cygwin-install-action@master
with:
packages: perl git make gcc-core
- name: Check repo
run: cygcheck -V
- name: Full cygcheck status
run: cygcheck -s -v -r -h
# Activate this if checkout action fails:
# - name: Clone repo
# run: bash -c "pwd && git clone --branch ${{ github.ref_name }} --depth 1 https://github.com/${{ github.repository }}.git"
- name: Full build
run: bash -c "gcc --version && ./config ${{ matrix.platform.config }} && make $MAKE_PARAMS"
# Disable testing for now. TBD: Need local cygwin installation to debug .
# - name: Run openssl tests
# run: bash -c "cd openssl && make V=1 test"