
Add support for enabling/disabling TLS v1.0 and 1.1 in Conscrypt. #2950

Workflow file for this run

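# CI for every push and pull request, plus a nightly scheduled run.
name: Continuous integration
on:
  push:
  pull_request:
  schedule:
    # Run every day at midnight UTC
    - cron: '0 0 * * *'
# Least privilege for the automatic GITHUB_TOKEN: no step visible in this
# workflow writes to the repository, so read-only access to contents (needed
# by actions/checkout) is enough. Artifact upload/download is not governed by
# these scopes.
permissions:
  contents: read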
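jobs:
  # Fetches BoringSSL once and hands it to the later jobs as an artifact.
  boringssl_clone:
    # This step ensures that all builders have the same version of BoringSSL
    runs-on: ubuntu-latest
    steps:
      - name: Clone BoringSSL repo
        # Tracks the tip of the upstream default branch (no pinned commit); the
        # resolved commit is echoed so a run can be traced to an exact revision.
        run: |
          git clone --depth 1 --filter=blob:none --no-checkout https://github.com/google/boringssl.git "${{ runner.temp }}/boringssl"
          echo Using BoringSSL commit: $(cd "${{ runner.temp }}/boringssl"; git rev-parse HEAD)
      - name: Archive BoringSSL source
        uses: actions/upload-artifact@v4
        with:
          name: boringssl-source
          path: ${{ runner.temp }}/boringssl
          retention-days: 1
          # The clone is --no-checkout, so the payload is the hidden .git
          # directory; without this flag it would not be uploaded.
          include-hidden-files: true
          if-no-files-found: error

  # Reports formatting differences between the PR and its base branch.
  clang_format_check:
    # Only run on pull requests.
    if: ${{ startsWith(github.ref, 'refs/pull/') }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Full history so the base branch ref is available for the diff.
          fetch-depth: 0
      - name: Get git-clang-format
        # Uses the most recent clang-format on Ubuntu.
        run: |
          sudo apt-get -qq update
          sudo apt-get -qq install -y --no-install-recommends clang-format
      - name: Run git-clang-format against source branch
        # The base ref is quoted so the branch name is passed as one argument.
        run: |
          git clang-format --style=file --diff "origin/$GITHUB_BASE_REF" '*.c' '*.h' '*.cc' '*.cpp' '*.java'

  # Builds BoringSSL and Conscrypt on each platform and publishes the result
  # to a per-OS local Maven repository artifact.
  build:
    needs: boringssl_clone
    strategy:
      fail-fast: false
      matrix:
        platform: [ubuntu-latest, macos-latest, windows-latest]
        include:
          - platform: ubuntu-latest
            tools_url: https://dl.google.com/android/repository/commandlinetools-linux-9477386_latest.zip
          - platform: macos-latest
            tools_url: https://dl.google.com/android/repository/commandlinetools-mac-9477386_latest.zip
          - platform: windows-latest
            tools_url: https://dl.google.com/android/repository/commandlinetools-win-9477386_latest.zip
    runs-on: ${{ matrix.platform }}
    steps:
      - name: Set up JDK 11 for toolchains
        uses: actions/setup-java@v4
        with:
          distribution: 'zulu'
          java-version: 11
      - name: Set runner-specific environment variables
        shell: bash
        run: |
          echo "ANDROID_HOME=${{ runner.temp }}/android-sdk" >> "$GITHUB_ENV"
          echo "ANDROID_SDK_ROOT=${{ runner.temp }}/android-sdk" >> "$GITHUB_ENV"
          echo "BORINGSSL_HOME=${{ runner.temp }}/boringssl" >> "$GITHUB_ENV"
          echo "SDKMANAGER=${{ runner.temp }}/android-sdk/cmdline-tools/bin/sdkmanager" >> "$GITHUB_ENV"
          echo "M2_REPO=${{ runner.temp }}/m2" >> "$GITHUB_ENV"
      - uses: actions/checkout@v4
      - name: Setup Linux environment
        if: runner.os == 'Linux'
        run: |
          echo "CC=clang" >> "$GITHUB_ENV"
          echo "CXX=clang++" >> "$GITHUB_ENV"
          sudo dpkg --add-architecture i386
          sudo add-apt-repository ppa:openjdk-r/ppa
          sudo apt-get -qq update
          sudo apt-get -qq install -y --no-install-recommends \
            gcc-multilib \
            g++-multilib \
            ninja-build \
            openjdk-11-jre-headless
      - name: Setup macOS environment
        if: runner.os == 'macOS'
        # Best effort: a failed update or install is logged, not fatal.
        run: |
          brew update || echo update failed
          brew install ninja || echo update failed
      - name: Setup Windows environment
        if: runner.os == 'Windows'
        run: |
          choco install nasm -y
          choco install ninja -y
      - name: Fetch BoringSSL source
        uses: actions/download-artifact@v4
        with:
          name: boringssl-source
          path: ${{ runner.temp }}/boringssl
      - name: Checkout BoringSSL master branch
        shell: bash
        # The artifact holds a --no-checkout clone; this materialises the
        # working tree from it.
        run: |
          cd "$BORINGSSL_HOME"
          git checkout --progress --force -B master
      - name: Build BoringSSL x86 and ARM MacOS
        if: runner.os == 'macOS'
        env:
          # For compatibility, but 10.15 target requires 16-byte stack alignment.
          # Quoted so YAML keeps the version a string rather than a float.
          MACOSX_DEPLOYMENT_TARGET: '10.13'
        run: |
          mkdir -p "$BORINGSSL_HOME/build.x86"
          pushd "$BORINGSSL_HOME/build.x86"
          cmake -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE -DCMAKE_BUILD_TYPE=Release -DCMAKE_OSX_ARCHITECTURES=x86_64 -GNinja ..
          ninja
          popd
          mkdir -p "$BORINGSSL_HOME/build.arm"
          pushd "$BORINGSSL_HOME/build.arm"
          cmake -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE -DCMAKE_BUILD_TYPE=Release -DCMAKE_OSX_ARCHITECTURES=arm64 -GNinja ..
          ninja
          popd
      - name: Build BoringSSL 64-bit Linux
        if: runner.os == 'Linux'
        run: |
          mkdir -p "$BORINGSSL_HOME/build64"
          pushd "$BORINGSSL_HOME/build64"
          cmake -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE -DCMAKE_BUILD_TYPE=Release -GNinja ..
          ninja
          popd
      - name: Set up MSVC paths on Windows
        if: runner.os == 'Windows'
        # NOTE(review): third-party action referenced by a mutable tag; pinning
        # it to a full commit SHA would stop a retagged release from changing
        # what runs here.
        uses: ilammy/msvc-dev-cmd@v1
        with:
          arch: x64
      - name: Build BoringSSL 64-bit Windows
        if: runner.os == 'Windows'
        run: |
          cd $Env:BORINGSSL_HOME
          mkdir build64
          pushd build64
          cmake -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE -DCMAKE_BUILD_TYPE=Release -DCMAKE_MSVC_RUNTIME_LIBRARY=MultiThreaded -GNinja ..
          ninja
          popd
      - name: Setup Android environment
        shell: bash
        if: runner.os == 'Linux'
        # -f makes curl exit non-zero on an HTTP error instead of saving the
        # error page as the zip.
        # NOTE(review): the archive is not checked against a known digest
        # before it is unpacked and executed; consider recording its SHA-256
        # next to tools_url and verifying it here.
        run: |
          cd "${{ runner.temp }}"
          curl -fL "${{ matrix.tools_url }}" -o android-tools.zip
          mkdir -p "$ANDROID_HOME"
          unzip -q android-tools.zip -d "$ANDROID_HOME"
          yes | "$SDKMANAGER" --sdk_root="$ANDROID_HOME" --licenses || true
          "$SDKMANAGER" --sdk_root="$ANDROID_HOME" tools
          "$SDKMANAGER" --sdk_root="$ANDROID_HOME" platform-tools
          "$SDKMANAGER" --sdk_root="$ANDROID_HOME" 'build-tools;30.0.3'
          "$SDKMANAGER" --sdk_root="$ANDROID_HOME" 'platforms;android-26'
          "$SDKMANAGER" --sdk_root="$ANDROID_HOME" 'extras;android;m2repository'
          "$SDKMANAGER" --sdk_root="$ANDROID_HOME" 'ndk;25.2.9519653'
          "$SDKMANAGER" --sdk_root="$ANDROID_HOME" 'cmake;3.22.1'
      - name: Build with Gradle
        shell: bash
        run: ./gradlew assemble -PcheckErrorQueue
      - name: Test with Gradle
        shell: bash
        timeout-minutes: 15
        run: ./gradlew check -PcheckErrorQueue
      - name: Publish to local Maven repo
        shell: bash
        run: ./gradlew publishToMavenLocal -Dmaven.repo.local="$M2_REPO"
      - name: Upload Maven repository
        uses: actions/upload-artifact@v4
        with:
          name: m2repo-${{ runner.os }}
          path: ${{ runner.temp }}/m2
      - name: Build test JAR with dependencies
        if: runner.os == 'Linux'
        shell: bash
        run: ./gradlew :conscrypt-openjdk:testJar -PcheckErrorQueue
      - name: Upload test JAR with dependencies
        if: runner.os == 'Linux'
        uses: actions/upload-artifact@v4
        with:
          name: testjar
          path: openjdk/build/libs/conscrypt-openjdk-*-tests.jar
          if-no-files-found: error

  # Merges the per-OS Maven repositories and builds the combined UberJAR.
  uberjar:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Linux environment
        run: |
          echo "CC=clang" >> "$GITHUB_ENV"
          echo "CXX=clang++" >> "$GITHUB_ENV"
          sudo dpkg --add-architecture i386
          sudo add-apt-repository ppa:openjdk-r/ppa
          sudo apt-get -qq update
          sudo apt-get -qq install -y --no-install-recommends \
            gcc-multilib \
            g++-multilib \
            ninja-build \
            openjdk-11-jre-headless
      - name: Set runner-specific environment variables
        shell: bash
        run: |
          echo "M2_REPO=${{ runner.temp }}/m2" >> "$GITHUB_ENV"
          echo "BORINGSSL_HOME=${{ runner.temp }}/boringssl" >> "$GITHUB_ENV"
      - name: Fetch BoringSSL source
        uses: actions/download-artifact@v4
        with:
          name: boringssl-source
          path: ${{ runner.temp }}/boringssl
      - name: Checkout BoringSSL master branch
        shell: bash
        run: |
          cd "$BORINGSSL_HOME"
          git checkout --progress --force -B master
      - name: Build BoringSSL 64-bit Linux
        run: |
          mkdir -p "$BORINGSSL_HOME/build64"
          pushd "$BORINGSSL_HOME/build64"
          cmake -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE -DCMAKE_BUILD_TYPE=Release -GNinja ..
          ninja
          popd
      # TODO(prb) remove build dependency above and go back to this.
      # - name: Make fake BoringSSL directories
      #   shell: bash
      #   run: |
      #     # TODO: remove this when the check is only performed when building.
      #     # BoringSSL is not needed during the UberJAR build, but the
      #     # assertion to check happens regardless of whether the project
      #     # needs it.
      #     mkdir -p "${{ runner.temp }}/boringssl/build64"
      #     mkdir -p "${{ runner.temp }}/boringssl/include"
      # The three per-OS repositories are downloaded into the same directory.
      - name: Download Maven repository for Linux
        uses: actions/download-artifact@v4
        with:
          name: m2repo-Linux
          path: ${{ runner.temp }}/m2
      - name: Download Maven repository for MacOS
        uses: actions/download-artifact@v4
        with:
          name: m2repo-macOS
          path: ${{ runner.temp }}/m2
      - name: Download Maven repository for Windows
        uses: actions/download-artifact@v4
        with:
          name: m2repo-Windows
          path: ${{ runner.temp }}/m2
      - name: Build UberJAR with Gradle
        shell: bash
        run: |
          ./gradlew :conscrypt-openjdk-uber:build -Dorg.conscrypt.openjdk.buildUberJar=true -Dmaven.repo.local="$M2_REPO"
      - name: Publish UberJAR to Maven Local
        shell: bash
        run: |
          ./gradlew :conscrypt-openjdk-uber:publishToMavenLocal -Dorg.conscrypt.openjdk.buildUberJar=true -Dmaven.repo.local="$M2_REPO"
      - name: Upload Maven repository
        uses: actions/upload-artifact@v4
        with:
          name: m2repo-uber
          path: ${{ runner.temp }}/m2

  # Runs the JUnit suite against the UberJAR on each OS / JDK / vendor combination.
  openjdk-test:
    needs: uberjar
    strategy:
      fail-fast: false
      matrix:
        platform: [ubuntu-latest, macos-13, macos-latest, windows-latest]
        java: [8, 11, 17, 21]
        dist: ['temurin', 'zulu']
        # Classpath separator for each platform.
        include:
          - platform: ubuntu-latest
            separator: ':'
          - platform: macos-latest
            separator: ':'
          - platform: macos-13
            separator: ':'
          - platform: windows-latest
            separator: ';'
        exclude: # Not available on Github runners
          - platform: macos-latest
            java: 8
            dist: 'temurin'
    runs-on: ${{ matrix.platform }}
    steps:
      - name: Set up Java
        uses: actions/setup-java@v4
        with:
          distribution: ${{ matrix.dist }}
          java-version: ${{ matrix.java }}
      - name: Download UberJAR
        uses: actions/download-artifact@v4
        with:
          name: m2repo-uber
          path: m2
      - name: Download Test JAR with Dependencies
        uses: actions/download-artifact@v4
        with:
          name: testjar
          path: testjar
      - name: Download JUnit runner
        shell: bash
        run: mvn org.apache.maven.plugins:maven-dependency-plugin:3.8.0:copy -Dartifact=org.junit.platform:junit-platform-console-standalone:1.11.2 -DoutputDirectory=. -Dmdep.stripVersion=true
      - name: Run JUnit tests
        timeout-minutes: 15
        shell: bash
        run: |
          DIR="$(find m2/org/conscrypt/conscrypt-openjdk-uber -maxdepth 1 -mindepth 1 -type d -print)"
          VERSION="${DIR##*/}"
          TESTJAR="$(find testjar -name '*-tests.jar')"
          # SIGTERM handler, e.g. for when tests hang and time out.
          # Send SIGQUIT to test process to get thread dump, give it
          # a few seconds to complete and then kill it.
          dump_threads() {
            echo "Generating stack dump."
            ps -fp "$TESTPID"
            kill -QUIT "$TESTPID"
            sleep 3
            kill -KILL "$TESTPID"
            exit 1
          }
          java -jar junit-platform-console-standalone.jar execute -cp "$DIR/conscrypt-openjdk-uber-$VERSION.jar${{ matrix.separator }}$TESTJAR" -n='org.conscrypt.ConscryptOpenJdkSuite' --scan-classpath --reports-dir=results --fail-if-no-tests &
          # Record the PID before the trap is installed so the handler can
          # never run with TESTPID unset.
          TESTPID=$!
          case $(uname -s) in
            Darwin|Linux)
              trap dump_threads SIGTERM SIGINT
              ;;
            *)
              # TODO: Probably won't work on Windows but thread dumps
              # work there already.
              ;;
          esac
          wait "$TESTPID"
      - name: Archive test results
        # Upload reports even when the test step failed or timed out.
        if: ${{ always() }}
        uses: actions/upload-artifact@v4
        with:
          name: test-results-${{ matrix.platform }}-${{ matrix.java }}-${{ matrix.dist }}
          path: results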