Merge pull request openssl#148 from baentsch/ci-updates

Shared lib testing update
mamckee · Feb 20, 2020 · b8afa32 · b8afa32
2 parents 52b31c7 + a7ac4b6
commit b8afa32
Show file tree

Hide file tree

Showing 7 changed files with 142 additions and 78 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -30,6 +30,35 @@ localCheckout: &localCheckout
     - store_test_results: # Note that this command will fail when running CircleCI locally, that is expected behaviour
         path: oqs_test/test-results
 
+.macopenssl_job: &macopenssljob
+    macos:
+       xcode: "11.3.0"
+    steps:
+        - checkout # change this from "checkout" to "*localCheckout" when running CircleCI locally
+        - run:
+            name: Install dependencies
+            command: |
+              .circleci/git_no_checkin_in_last_day.sh || (
+              brew update &&
+              brew unlink python@2 &&
+              brew install cmake ninja doxygen astyle &&
+              pip3 install --user pytest pytest-xdist nose rednose
+              )
+        - run:
+            name: Clone liboqs
+            command: .circleci/git_no_checkin_in_last_day.sh || (cd oqs_test && scripts/clone_liboqs.sh)
+        - run:
+            name: Build liboqs
+            command: .circleci/git_no_checkin_in_last_day.sh || (cd oqs_test && scripts/build_liboqs.sh)
+        - run:
+            name: Build OpenSSL
+            command: .circleci/git_no_checkin_in_last_day.sh || (cd oqs_test && scripts/build_openssl.sh)
+        - run:
+            name: Run unit tests
+            command: cd oqs_test && mkdir -p test-results && ../.circleci/git_no_checkin_in_last_day.sh || (OQS_LIBPATH="$(dirname $PWD):$(dirname $PWD)/oqs/lib" python3 -m nose --rednose --verbose --with-xunit --xunit-file=test-results/nosetests.xml)
+        - store_test_results: # Note that this command will fail when running CircleCI locally, that is expected behaviour
+            path: oqs_test/test-results
+
 jobs:
   debian-buster-amd64:
     <<: *openssljob
@@ -45,6 +74,14 @@ jobs:
       ARCH: x64
       LIBOQS: master
       OPENSSL: 111
+  ubuntu-bionic-x86_64-noconn:
+    <<: *openssljob
+    environment:
+      IMAGE: openquantumsafe/ci-ubuntu-bionic-x86_64:latest
+      ARCH: x64
+      LIBOQS: master
+      OPENSSL: 111
+      SKIP_TESTS: connection
   ubuntu-bionic-x86_64-shared:
     <<: *openssljob
     environment:
@@ -53,12 +90,27 @@ jobs:
       LIBOQS: master
       OPENSSL: 111
       LIBTYPE: shared
+  macOS-shared-noconn:
+    <<: *macopenssljob
+    environment:
+      LIBTYPE: shared
+      SKIP_TESTS: connection
+  macOS-shared:
+    <<: *macopenssljob
+    environment:
+      LIBTYPE: shared
+  macOS-static:
+    <<: *macopenssljob
+    environment:
+      LIBTYPE: no-shared
+      SKIP_TESTS: connection
 
 workflows:
   version: 2
   build:
     jobs:
-      - ubuntu-bionic-x86_64
+      - macOS-shared-noconn    
+      - ubuntu-bionic-x86_64-noconn
   nightly:
     triggers:
       - schedule:
@@ -68,6 +120,9 @@ workflows:
               only:
                 - OQS-OpenSSL_1_1_1-stable
     jobs:
+      - macOS-shared    
       - debian-buster-amd64
+      - macOS-static    
       - ubuntu-bionic-x86_64
       - ubuntu-bionic-x86_64-shared
+
diff --git a/oqs_test/run.sh b/oqs_test/run.sh
@@ -10,6 +10,7 @@
 #  - LIBOQS_REPO: which repo to check out from, default https://github.com/open-quantum-safe/liboqs.git
 #  - LIBOQS_BRANCH: which branch to check out, default master
 #  - LIBTYPE: can be either shared, in which case shared OpenSSL libraries are built, or no-shared, in which case static OpenSSL libraries are built.
+#  - SKIP_TESTS: If set contains names of nose tests NOT to be run, e.g., 'connection', 'gen_keys', 'cms'
 ###########
 
 set -exo pipefail
@@ -20,4 +21,9 @@ scripts/clone_liboqs.sh
 scripts/build_liboqs.sh
 
 scripts/build_openssl.sh
-LD_LIBRARY_PATH="$(dirname $PWD);oqs/lib" python3 -m nose --rednose --verbose
+if [ `uname` == "Darwin" ]; then
+	OQS_LIBPATH="$(dirname $PWD):$(dirname $PWD)/oqs/lib" python3 -m nose --rednose --verbose
+else
+	LD_LIBRARY_PATH="$(dirname $PWD);oqs/lib" python3 -m nose --rednose --verbose
+fi
+
diff --git a/oqs_test/scripts/build_liboqs.sh b/oqs_test/scripts/build_liboqs.sh
@@ -12,8 +12,16 @@ set -exo pipefail
 OPENSSL_DIR=${OPENSSL_DIR:-"`pwd`/../oqs"}
 
 cd tmp/liboqs
+
+# temporary cludge to avoid CPU features to be build in that executors may not have:
+# TBD XXX replace with dynamic CPU feature detection at runtime!!! XXX TBD
+if [ "x${CIRCLECI}" == "xtrue" ]; then
+sed -i -e "s/x86/t86/g" .CMake/add-cpu-extension-flags.cmake
+fi
+
 rm -rf build
 mkdir build && cd build
+
 if [ "x${LIBTYPE}" == "xshared" ]; then
     cmake -GNinja -DCMAKE_INSTALL_PREFIX=${OPENSSL_DIR} -DBUILD_SHARED_LIBS=ON ..
 else

diff --git a/oqs_test/scripts/do_genkey.sh b/oqs_test/scripts/do_genkey.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+###########
+# Run one client/server interaction in OpenSSL 1.1.1
+#
+# Environment variables:
+#  - KEXALG: key exchange algorithm to use
+#  - SIGALG: signature algorithm to use
+#  - PORT: port to run server on
+###########
+
+set -x
+
+pwd
+
+# Circumvent OSX SIP LIBPATH 'protection'
+if [ "x$OQS_LIBPATH" != "x" ]; then
+	export DYLD_LIBRARY_PATH=$OQS_LIBPATH
+fi
+echo "DLD = $DYLD_LIBRARY_PATH"
+
+if [ "x$SIGALG" == "xecdsa" ]; then
+apps/openssl ecparam -out secp384r1.pem -name secp384r1
+
+apps/openssl req -x509 -new -newkey ec:secp384r1.pem -keyout ${SIGALG}_CA.key -out ${SIGALG}_CA.crt -nodes -subj '/CN=oqstest_CA' -days 365 -config apps/openssl.cnf
+
+apps/openssl req -new -newkey ec:secp384r1.pem -keyout ${SIGALG}_srv.key -out ${SIGALG}_srv.csr -nodes -subj '/CN=oqstest_server' -config apps/openssl.cnf
+
+else
+apps/openssl req -x509 -new -newkey ${SIGALG} -keyout ${SIGALG}_CA.key -out ${SIGALG}_CA.crt -nodes -subj '/CN=oqstest_CA' -days 365 -config apps/openssl.cnf
+
+apps/openssl req -new -newkey ${SIGALG} -keyout ${SIGALG}_srv.key -out ${SIGALG}_srv.csr -nodes -subj '/CN=oqstest_server' -config apps/openssl.cnf
+fi
+apps/openssl x509 -req -in ${SIGALG}_srv.csr -out ${SIGALG}_srv.crt -CA ${SIGALG}_CA.crt -CAkey ${SIGALG}_CA.key -CAcreateserial -days 365
diff --git a/oqs_test/scripts/do_openssl-111.sh b/oqs_test/scripts/do_openssl-111.sh
@@ -11,6 +11,12 @@
 
 set -x
 
+# Circumvent OSX SIP LIBPATH 'protection'
+if [ "x$OQS_LIBPATH" != "x" ]; then
+	export DYLD_LIBRARY_PATH=$OQS_LIBPATH
+fi
+echo "DLD = $DYLD_LIBRARY_PATH"
+
 apps/openssl s_server -cert ${SIGALG}_srv.crt -key ${SIGALG}_srv.key -CAfile ${SIGALG}_CA.crt -tls1_3 -www -accept ${PORT} > s_server_${PORT}.out 2>&1 &
 SERVER_PID=$!
 sleep 1

diff --git a/oqs_test/scripts/do_openssl-cms.sh b/oqs_test/scripts/do_openssl-cms.sh
@@ -9,6 +9,12 @@
 
 set -x
 
+# Circumvent OSX SIP LIBPATH 'protection'
+if [ "x$OQS_LIBPATH" != "x" ]; then
+        export DYLD_LIBRARY_PATH=$OQS_LIBPATH
+fi
+echo "DLD = $DYLD_LIBRARY_PATH"
+
 # Abusing README.md as data to sign/verify
 rm -f result
 apps/openssl cms -in README.md -sign -signer ${SIGALG}_srv.crt -inkey ${SIGALG}_srv.key  -nodetach -outform pem -binary -out output-${SIGALG}.p7s

diff --git a/oqs_test/tests/test_openssl.py b/oqs_test/tests/test_openssl.py
@@ -28,91 +28,33 @@
 sig_algs = sig_algs_master_111
 
 def test_gen_keys():
+    try:
+        st=os.environ['SKIP_TESTS']
+    except KeyError:
+        st=""
+    if "gen_keys" in st:
+        return -1
+
     global sig_algs
     for sig_alg in sig_algs:
         yield (gen_keys, sig_alg)
 
 def gen_keys(sig_alg):
-    if sig_alg == 'ecdsa':
-        # generate curve parameters
-        helpers.run_subprocess(
-            [
-                'apps/openssl', 'ecparam',
-                '-out', 'secp384r1.pem',
-                '-name', 'secp384r1'
-            ],
-            os.path.join('..')
-        )
-        # generate CA key and cert
-        helpers.run_subprocess(
-            [
-                'apps/openssl', 'req', '-x509', '-new',
-                '-newkey', 'ec:secp384r1.pem',
-                '-keyout', '{}_CA.key'.format(sig_alg),
-                '-out', '{}_CA.crt'.format(sig_alg),
-                '-nodes',
-                '-subj', '/CN=oqstest_CA',
-                '-days', '365',
-                '-config', 'apps/openssl.cnf'
-            ],
-            os.path.join('..')
-        )
-        # generate server CSR
-        helpers.run_subprocess(
-            [
-                'apps/openssl', 'req', '-new',
-                '-newkey', 'ec:secp384r1.pem',
-                '-keyout', '{}_srv.key'.format(sig_alg),
-                '-out', '{}_srv.csr'.format(sig_alg),
-                '-nodes',
-                '-subj', '/CN=oqstest_server',
-                '-config', 'apps/openssl.cnf'
-            ],
-            os.path.join('..')
-        )
-    else:
-        # generate CA key and cert
-        helpers.run_subprocess(
-            [
-                'apps/openssl', 'req', '-x509', '-new',
-                '-newkey', sig_alg,
-                '-keyout', '{}_CA.key'.format(sig_alg),
-                '-out', '{}_CA.crt'.format(sig_alg),
-                '-nodes',
-                '-subj', '/CN=oqstest_CA',
-                '-days', '365',
-                '-config', 'apps/openssl.cnf'
-            ],
-            os.path.join('..')
-        )
-        # generate server CSR
-        helpers.run_subprocess(
-            [
-                'apps/openssl', 'req', '-new',
-                '-newkey', sig_alg,
-                '-keyout', '{}_srv.key'.format(sig_alg),
-                '-out', '{}_srv.csr'.format(sig_alg),
-                '-nodes',
-                '-subj', '/CN=oqstest_server',
-                '-config', 'apps/openssl.cnf'
-            ],
-            os.path.join('..')
-        )
-    # generate server cert
+    cmd = os.path.join('oqs_test', 'scripts', 'do_genkey.sh');
     helpers.run_subprocess(
-        [
-            'apps/openssl', 'x509', '-req',
-            '-in', '{}_srv.csr'.format(sig_alg),
-            '-out', '{}_srv.crt'.format(sig_alg),
-            '-CA', '{}_CA.crt'.format(sig_alg),
-            '-CAkey', '{}_CA.key'.format(sig_alg),
-            '-CAcreateserial',
-            '-days', '365'
-        ],
-        os.path.join('..')
+         [cmd],
+          os.path.join('..'),
+          env={'SIGALG': sig_alg}
     )
 
 def test_connection():
+    try:
+        st=os.environ['SKIP_TESTS']
+    except KeyError:
+        st=""
+    if "connection" in st:
+        return -1
+
     global sig_algs, kex_algs
     port = 23567
     for sig_alg in sig_algs:
@@ -129,6 +71,13 @@ def run_connection(sig_alg, kex_alg, port):
     )
 
 def test_cms():
+   try:
+        st=os.environ['SKIP_TESTS']
+   except KeyError:
+        st=""
+   if "cms" in st:
+        return -1
+
    global sig_algs
    for sig_alg in sig_algs:
        yield(run_cms, sig_alg)