4 # we utilize the images generated by the build-images project, to
5 # speed up CI runs. We also use ccache and store config.cache
6 # to speed up compilation. We include a version number in cache
7 # name to allow expiration of old caches.
10 key: "$CI_JOB_NAME-ver9"
17 - export CCACHE_BASEDIR=${PWD}
18 - export CCACHE_DIR=${PWD}/cache
19 - export CC="ccache gcc"
22 # somehow after_script looses environment
23 - export CCACHE_BASEDIR=${PWD}
24 - export CCACHE_DIR=${PWD}/cache
28 BUILD_IMAGES_PROJECT: gnutls/build-images
29 DEBIAN_BUILD: buildenv-debian
30 DEBIAN_CROSS_BUILD: buildenv-debian-cross
31 DEBIAN_X86_CROSS_BUILD: buildenv-debian-x86-cross
32 FEDORA28_BUILD: buildenv-f28
33 FEDORA_BUILD: buildenv-f30
34 ALPINE_BASE_BUILD: buildenv-alpine-base
35 CPPCHECK_OPTIONS: "--enable=warning --enable=style --enable=performance --enable=portability --std=c99 --suppressions-list=devel/cppcheck.suppressions --template='{id}:{file}:{line},{severity},{message}'"
36 GET_SOURCES_ATTEMPTS: "3"
38 ##################################################
39 # Stage 1, documentation, and advanced checks
40 ##################################################
44 image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$ALPINE_BASE_BUILD
50 - master@gnutls/gnutls
52 # do not load cache files
56 # we want $ALPINE_BASE_BUILD without git, so add it here
58 - devel/check_if_signed
63 image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
65 - SUBMODULE_NOFETCH=1 ./bootstrap
66 - CFLAGS="-std=c99 -O2 -g" dash ./configure --disable-gcc-warnings --cache-file cache/config.cache --prefix=/usr --libdir=/usr/lib64 --disable-cxx --disable-non-suiteb-curves --enable-gtk-doc --disable-maintainer-mode
67 - make -C doc stamp-vti && make -C doc stamp-1 && make -C doc stamp_enums && make -j$(nproc)
68 - make -C doc gnutls.html
69 - PATH="$PATH:/usr/share/sgml/docbook/xsl-stylesheets-1.79.1/epub/bin/" make -C doc gnutls.epub &&
70 make -C doc/latex gnutls.pdf
80 image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
82 - SUBMODULE_NOFETCH=1 ./bootstrap
83 - CFLAGS="-g -Og" dash ./configure --disable-gcc-warnings --cache-file cache/config.cache --prefix=/usr --libdir=/usr/lib64 --enable-code-coverage --disable-maintainer-mode --disable-doc
87 - make -j$(nproc) check
88 - make local-code-coverage-output || true
98 - ./gnutls-prev-abi.tmp/
103 - tests/suite/*/*.log
107 minimal.Fedora.x86_64:
108 stage: stage1-testing
109 image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
111 - echo "No tools build"
113 - dash ./configure --cache-file cache/config.cache --disable-gcc-warnings --disable-full-test-suite --disable-doc --disable-guile --disable-tools --enable-tests
115 - make -j$(nproc) check
116 - echo "Minimal build"
117 - dnf remove -y libunistring-devel libtasn1-devel libidn-devel &&
118 dash ./configure --cache-file cache/config.cache --with-included-libtasn1 --enable-valgrind-tests
119 --disable-doc --disable-dtls-srtp-support --disable-alpn-support --disable-tests
120 --disable-heartbeat-support --disable-srp-authentication --disable-psk-authentication
121 --disable-anon-authentication --disable-dhe --disable-ecdhe
122 --disable-ocsp --disable-non-suiteb-curves --with-included-unistring
123 --disable-nls --disable-libdane --without-p11-kit --without-tpm
124 --disable-ssl3-support --disable-ssl2-support --disable-doc --enable-openssl-compatibility
125 --disable-gcc-warnings --with-system-priority-file=""
141 - tests/suite/*/*.log
144 # This enables SSL3.0 and SHA-1 support, and runs interop tests
145 # with openssl 1.1.0, which include legacy algorithms like DSA.
146 SSL-3.0.Fedora.x86_64:
147 stage: stage1-testing
148 image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA28_BUILD
151 - mkdir -p build && cd build &&
152 dash ../configure --disable-tls13-interop --disable-gcc-warnings --cache-file ../cache/config.cache --enable-sha1-support --enable-ssl3-support --enable-seccomp-tests --disable-doc --disable-guile &&
153 make -j$(nproc) && make check -j$(nproc)
163 - build/guile/tests/*.log
166 - build/tests/*/*.log
167 - build/tests/suite/*/*.log
170 FIPS140-2.Fedora.x86_64:
171 stage: stage1-testing
172 image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
175 - mkdir -p build && cd build &&
176 dash ../configure --disable-gcc-warnings --cache-file ../cache/config.cache --disable-non-suiteb-curves --enable-fips140-mode --disable-doc --disable-full-test-suite --disable-guile
178 - mkdir -p lib/.libs/fipscheck && fipshmac -d lib/.libs/fipscheck/ -s .hmac lib/.libs/libgnutls.so*
179 - GNUTLS_FORCE_FIPS_MODE=1 make check -j$(nproc)
189 - build/guile/tests/*.log
191 - build/tests/*/*.log
194 valgrind.Fedora.x86_64:
195 stage: stage1-testing
196 image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
199 - dash ./configure --disable-gcc-warnings --disable-doc --cache-file cache/config.cache --disable-guile --disable-full-test-suite --enable-valgrind-tests
201 - make check -j$(nproc)
215 # Two runs, one with normal backend and another with pkcs11 trust store
217 stage: stage1-testing
218 image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
220 - SUBMODULE_NOFETCH=1 ./bootstrap
221 - CFLAGS="-fsanitize=address -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libasan"
222 dash ./configure --disable-gcc-warnings --disable-doc --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile
224 - LSAN_OPTIONS="suppressions=$(pwd)/devel/lsan.supp" make check -j$(nproc)
225 - LSAN_OPTIONS="suppressions=$(pwd)/devel/lsan.supp" make -C fuzz check -j$(nproc) GNUTLS_CPUID_OVERRIDE=0x1
226 - LSAN_OPTIONS="suppressions=$(pwd)/devel/lsan.supp" make -C fuzz check -j$(nproc) GNUTLS_CPUID_OVERRIDE=0x2
227 - LSAN_OPTIONS="suppressions=$(pwd)/devel/lsan.supp" make -C fuzz check -j$(nproc) GNUTLS_CPUID_OVERRIDE=0x4
228 - LSAN_OPTIONS="suppressions=$(pwd)/devel/lsan.supp" make -C fuzz check -j$(nproc) GNUTLS_CPUID_OVERRIDE=0x8
229 - CFLAGS="-fsanitize=address -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libasan"
230 dash ./configure --cache-file cache/config.cache --disable-doc --with-system-priority-file=/etc/crypto-policies/back-ends/gnutls.config --with-default-priority-string=@SYSTEM --with-default-trust-store-pkcs11="pkcs11:" --disable-guile
232 - make -C tests check -j$(nproc) TESTS="trust-store p11-kit-load.sh priority-init2 set-default-prio" SUBDIRS=.
245 - tests/suite/*/*.log
248 threadsan.Fedora.x86_64:
249 stage: stage1-testing
250 image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
253 - CFLAGS="-fsanitize=thread -g -O2" CXXFLAGS=$CFLAGS
254 dash ./configure --disable-gcc-warnings --disable-doc --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --enable-fips140-mode
256 - make -C tests check -j$(nproc) SUBDIRS=. TESTS="tls-pthread dtls-pthread fips-mode-pthread rng-pthread" TSAN_OPTIONS="suppressions=$(pwd)/devel/tsan.supp" GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS=1 GNUTLS_FORCE_FIPS_MODE=1
269 - tests/suite/*/*.log
272 static-analyzers.Fedora.x86_64:
273 stage: stage1-testing
274 image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
279 - scan-build ./configure --cache-file cache/config.cache --disable-doc --disable-guile --enable-fips140-mode --enable-valgrind-tests
280 - make -j$(nproc) syntax-check gnulib_dir=$GNULIB_SRCDIR
281 - make -j$(nproc) -C gl
282 - scan-build --status-bugs -o scan-build-lib make -j$(nproc) -C lib
283 - scan-build --status-bugs -o scan-build-lib make -j$(nproc) -C libdane
284 - make -j$(nproc) -C src/gl && scan-build --status-bugs -o scan-build-lib make -j$(nproc) -C src
285 - cppcheck --force -q -Ilib/include -Igl/ -Ilib/ -I. --error-exitcode=1 lib/ -i lib/unistring -i lib/minitasn1 -i lib/nettle/backport -j$(nproc) $CPPCHECK_OPTIONS
286 - cppcheck --force -q -Ilib/include -Igl/ -Ilibdane/ -I. --error-exitcode=1 libdane/ -j$(nproc) $CPPCHECK_OPTIONS
299 - scan-build-libdane/*
303 stage: stage1-testing
304 image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
306 - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc &&
307 echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
309 - export CC="ccache i686-w64-mingw32-gcc"
310 - dash ./configure --disable-gcc-warnings --host=i686-w64-mingw32 --target=i686-w64-mingw32 --cache-file cache/config.cache --with-included-libtasn1 --disable-nls --disable-guile --with-included-unistring --enable-local-libopts --disable-non-suiteb-curves --disable-full-test-suite --disable-doc
311 - mingw32-make -j$(nproc)
312 - mingw32-make -C tests check -j$(nproc)
313 # Combine generated apps and DLLs.
314 #libwinpthread is required by libgcc
315 #libffi is required by libp11-kit
316 - mkdir -p win32-build/bin && mkdir -p win32-build/lib/includes &&
317 cp lib/.libs/*.dll src/.libs/*.exe win32-build/bin &&
318 i686-w64-mingw32-strip --strip-unneeded win32-build/bin/*.dll &&
319 i686-w64-mingw32-strip win32-build/bin/*.exe &&
320 cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libp11-*.dll win32-build/bin &&
321 cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libnettle-*.dll win32-build/bin &&
322 cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libhogweed-*.dll win32-build/bin &&
323 cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libgmp-*.dll win32-build/bin &&
324 cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libgcc*.dll win32-build/bin &&
325 cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libwinpthread*.dll win32-build/bin &&
326 cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libidn2-*.dll win32-build/bin &&
327 cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libffi-*.dll win32-build/bin &&
328 cp lib/.libs/*.a lib/*.def lib/gnutls.pc win32-build/lib &&
329 cp lib/includes/gnutls/*.h win32-build/lib/includes
336 name: "${CI_PROJECT_NAME}-${CI_JOB_NAME}-${CI_COMMIT_REF_NAME}"
342 stage: stage1-testing
343 image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
345 - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc &&
346 echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
348 - export CC="ccache x86_64-w64-mingw32-gcc"
349 - dash ./configure --disable-gcc-warnings --host=x86_64-w64-mingw32 --target=x86_64-w64-mingw32 --cache-file cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-non-suiteb-curves --disable-full-test-suite --disable-doc
350 - mingw64-make -j$(nproc)
351 - mingw64-make -C tests check -j$(nproc)
352 # Combine generated apps and DLLs.
353 #libwinpthread is required by libgcc
354 #libffi is required by libp11-kit
355 - mkdir -p win64-build/bin && mkdir -p win64-build/lib/includes &&
356 cp lib/.libs/*.dll src/.libs/*.exe win64-build/bin &&
357 x86_64-w64-mingw32-strip --strip-unneeded win64-build/bin/*.dll &&
358 x86_64-w64-mingw32-strip win64-build/bin/*.exe &&
359 cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libp11-*.dll win64-build/bin &&
360 cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libnettle-*.dll win64-build/bin &&
361 cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libhogweed-*.dll win64-build/bin &&
362 cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libgmp-*.dll win64-build/bin &&
363 cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libgcc*.dll win64-build/bin &&
364 cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libwinpthread*.dll win64-build/bin &&
365 cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libidn2-*.dll win64-build/bin &&
366 cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libffi-*.dll win64-build/bin &&
367 cp lib/.libs/*.a lib/*.def lib/gnutls.pc win64-build/lib &&
368 cp lib/includes/gnutls/*.h win64-build/lib/includes
375 name: "${CI_PROJECT_NAME}-${CI_JOB_NAME}-${CI_COMMIT_REF_NAME}"
381 stage: stage1-testing
382 image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
385 - export CC="ccache x86_64-w64-mingw32-gcc"
386 - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc &&
387 echo ':DOSWin:M::MZ::/usr/bin/wine64:' > /proc/sys/fs/binfmt_misc/register &&
388 mkdir -p build && cd build
389 - dash ../configure --disable-gcc-warnings --host=x86_64-w64-mingw32 --target=x86_64-w64-mingw32 --cache-file ../cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-full-test-suite --disable-non-suiteb-curves --disable-doc
390 # generate the certtool autogen file to check whether later compilation will modify it
391 - mingw64-make -C src certtool-args.c.bak
392 - mingw64-make -j$(nproc)
393 - mingw64-make -C tests check -j$(nproc)
395 # since we use --enable-local-libopts the generated files must equal the .bak
396 - cmp build/src/certtool-args.c build/src/certtool-args.c.bak || false
408 - build/tests/*/*.log
412 stage: stage1-testing
413 image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
416 - export CC="ccache i686-w64-mingw32-gcc"
417 - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc &&
418 echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register &&
419 mkdir -p build && cd build
420 - dash ../configure --disable-gcc-warnings --host=i686-w64-mingw32 --target=i686-w64-mingw32 --cache-file ../cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-full-test-suite --disable-non-suiteb-curves --disable-doc
421 - mingw32-make -j$(nproc)
422 - mingw32-make -C tests check -j$(nproc)
435 - build/tests/*/*.log
438 # That is a specific runner that we cannot enable universally.
439 # We restrict it to builds under the $BUILD_IMAGES_PROJECT project.
441 stage: stage1-testing
444 - export CC="ccache clang"
446 - LIBS="-L/usr/local/lib" ./configure --disable-full-test-suite
447 --cache-file cache/config.cache --disable-gcc-warnings --disable-guile --disable-doc && gmake -j$(sysctl hw.ncpu | awk '{print $2}') && gmake check -j$(sysctl hw.ncpu | awk '{print $2}')
451 - branches@gnutls/gnutls
463 # Two runs, one with normal backend and another with pkcs11 trust store
464 ubsan-Werror.Fedora.x86_64:
465 stage: stage1-testing
466 image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
469 - CFLAGS="-std=c99 -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure
470 --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --disable-full-test-suite --disable-doc
471 - grep "^LIBS=''" config.log || false
472 - make -j$(nproc) -C gl
473 - make -j$(nproc) -C lib CFLAGS="-Werror -O2 -g -Wimplicit-fallthrough=2"
474 - make -j$(nproc) -C libdane CFLAGS="-Werror -O2 -g -Wimplicit-fallthrough=2"
475 - make -j$(nproc) -C src/gl
476 - make -j$(nproc) -C src CFLAGS="-Werror -O2 -g -fsanitize=undefined -Wno-error=parentheses -Wno-error=unused-macros -Wimplicit-fallthrough=2 -Wno-duplicated-branches"
478 - make check -j$(nproc)
479 - CFLAGS="-std=c99 -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure
480 --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --disable-doc --disable-full-test-suite --with-default-trust-store-pkcs11="pkcs11:"
483 - make -C tests check -j$(nproc) TESTS="trust-store p11-kit-load.sh" SUBDIRS=.
496 - tests/suite/*/*.log
500 stage: stage1-testing
501 image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_BUILD
504 - mkdir -p build && cd build
505 - dash ../configure --disable-gcc-warnings --cache-file ../cache/config.cache --disable-doc --disable-guile --disable-full-test-suite LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now'
507 - make check -j$(nproc)
517 - build/guile/tests/*.log
520 - build/tests/*/*.log
521 - build/tests/suite/*/*.log
524 Debian.cross.i686-linux-gnu:
525 stage: stage1-testing
526 image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_X86_CROSS_BUILD
528 - build=$(dpkg-architecture -qDEB_HOST_GNU_TYPE)
529 - host=i686-linux-gnu
530 # not setting CC_FOR_BUILD paired with qemu-user/binfmt somehow causes
531 # config.guess to detect the target as the build platform and not activate
532 # cross-compile mode even though --build is given
533 - export CC_FOR_BUILD="ccache gcc"
534 - export CC="ccache $host-gcc"
538 # Debian's softhsm package is not multiarch yet. Missing softhsm libraries
539 # for the target will cause the test suite to fail when p11-kit is enabled.
540 - dash ../configure --build=$build --host=$host --disable-gcc-warnings
541 --cache-file ../cache/config.cache --disable-doc --disable-guile
542 --without-p11-kit --disable-full-test-suite
544 - make check -j$(nproc)
555 - build/guile/tests/*.log
558 - build/tests/*/*.log
559 - build/tests/suite/*/*.log
562 .Debian.cross.template: &Debian_cross_template
563 stage: stage1-testing
564 image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_CROSS_BUILD
566 - build=$(dpkg-architecture -qDEB_HOST_GNU_TYPE)
567 - host="${CI_JOB_NAME#*.cross.}"
568 # not setting CC_FOR_BUILD paired with qemu-user/binfmt somehow causes
569 # config.guess to detect the target as the build platform and not activate
570 # cross-compile mode even though --build is given
571 - export CC_FOR_BUILD="ccache gcc"
572 - export CC="ccache $host-gcc"
574 - sed -i '/errno.==.EINVAL/d' gl/tests/test-strerror.c
577 # Debian's softhsm package is not multiarch yet. Missing softhsm libraries
578 # for the target will cause the test suite to fail when p11-kit is enabled.
579 - dash ../configure --build=$build --host=$host --disable-gcc-warnings
580 --cache-file ../cache/config.cache --disable-doc --disable-guile
581 --without-p11-kit --disable-full-test-suite
583 - make check -j$(nproc)
594 - build/guile/tests/*.log
597 - build/tests/*/*.log
598 - build/tests/suite/*/*.log
601 Debian.cross.arm-linux-gnueabihf:
602 <<: *Debian_cross_template
604 Debian.cross.mips-linux-gnu:
605 <<: *Debian_cross_template
607 Debian.cross.aarch64-linux-gnu:
608 <<: *Debian_cross_template