Sometimes it's useful to have a look at the generated `libcurl.pc` and
`curl-config` files.
`cmp-config.pl` normalizes them before diffing, thus doesn't show their
original content.
Closes#16981
To allow making per-job variations for SSH backends.
Also:
- fix Cygwin builds to not ignore per-job `install:` items.
It worked by accident before this patch.
Follow-up to 66313cc036#16629Closes#16911
curl now has a working GnuTLS CI job, with tests, with MSYS2.
The MultiSSL build scenario is now tested on macOS.
The vcpkg GnuTLS package seems to have a deep dependency tree with large
packages that need to be rebuilt relatively frequently. Since they can't
fit into to the time limit, these cause CI failures.
To stabilize CI, drop the `shiftmedia-libgnutls` dependency.
Partial revert of e86f99824c#16623
Ref: https://github.com/curl/curl/actions/runs/14192680124/job/39760753274?pr=16902Closes#16904
In the memory and address sanitizer builds.
Verify that nothing unexpected happens.
Starting out with 60 second runs.
The script does not set any seed so it runs with a new random every
time, meaning that if it fails in a single CI run it might not fail in a
subsequent one: but it should still show the full command that failed to
enable us to reproduce it locally. We can work on improving the seed
situation later if this script turns useful.
Closes#16884
Add the last (*) missing bit for feature parity with autotools.
Also test in CI. Add a new `cmake install` step to GHA/macos.
(*) AFAIK. Let us know if there's something else missing.
Closes#16833
- move pytest from the valgrind variant of the mbedTLS and Rustls jobs
to their non-valgrind counterpart (they different in C compiler and
build tool respectively). To parallelize more and finish the workflow
faster.
- drop pytest from the valgrind variant of the two identical (other than
the build tool) 'libressl heimdal' jobs. Saves 1.5 minutes CI time.
- drop pytest from the longest valgrind job to make the workflow finish
almost 2 minutes faster. `sync-resolver` is its unique build propery.
It wasn't pytested on Azure.
- explicitly install `libnghttp2-dev` and `libldap-dev` to keep them in
jobs where pytest deps were installing them implicitly before this
patch.
Before: https://github.com/curl/curl/actions/runs/14118080563
After: https://github.com/curl/curl/actions/runs/14118903372?pr=16851Closes#16851
Before this patch the curl repository and source tarball distribution
contained test certificates as binary blobs. Used by runtests.
Drop these certificates in favor of generating them dynamically as
part of the build process. Both via autotools and CMake.
As part of this, improve certificates, the generator script and process,
file layout, and fix any issue to make it work fast and smooth both in
CI and local builds.
Note, cert generator scripts require OpenSSL >=1.0.2
(or LibreSSL >=3.1.0). Generation requires POSIX shell, also with CMake.
Without a POSIX shell tests relying on TLS (and stunnel) will fail.
Details:
- build: generate certs as part of the test run process.
- build, tests: generate certs in the build directory.
- binarycheck: drop concept of known binary files with hashes.
- binarycheck: move binary check logic into spacecheck and drop this
separate checker tool.
- build: fix to clean all cert files.
- autotools: fix to not run leaf cert generators in parallel. To avoid
confusion when updating the revocation database and counter.
- scripts: drop `scripts` subdir, merge two scripts into one,
auto-generate root cert, allow generating multiple leafs at once.
- scripts: switch to EC-256 keys (was: RSA-2048). For key size and perf.
- scripts: drop `-x` echo, text dumps, most other output. To avoid log
noise and make it quicker in CI.
- scripts: make it non-RSA-specific.
- scripts: delete unused code.
- scripts: use POSIX shell shebang. Some envs don't have bash (Alpine).
- scripts: pass test pseudo-secrets via the command-line. To avoid:
```
+ openssl genrsa -out test-ca.key -passout fd:0 2048
Invalid password argument, starting with "fd:"
```
- cmake: fix to launch generator scripts via the detected POSIX shell.
- cmake: fix `build-certs` rule to not depend on `SRPFILES`
(`srp-verifier-*`).
- cmake: drop `EXCLUDE_FROM_ALL` for the cert subdir. It makes
the Visual Studio generator miss to create the `clean-certs`,
`build-certs` targets. No target depend on them, so they don't execute
implicitly anyway. Fixes:
```
MSBUILD : error MSB1009: Project file does not exist.
Switch: clean-certs.vcxproj
```
- cmake: add `VERBATIM USES_TERMINAL` to `build-certs` target.
- GHA/linux: install openssl on Alpine, for the cert generator scripts.
Follow-up to 556f722fe3#16593
Follow-up to fa461b4eff#14486Closes#16824
Setting a server-side file read-only by `chmod 0444` has does not
prevent overwriting it via SFTP upload (as tested in CI).
Fix it by setting its MS-DOS read-only attribute in addition. It
requires the Cygwin tool `chattr`.
Also unignore in CI.
Fixes:
```
test 0615...[SFTP put remote failure]
curl returned 0, when expecting 9
615: exit FAILED
=== Start of file stderr615
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 30 0 0 100 30 0 93 --:--:-- --:--:-- --:--:-- 95
100 30 0 0 100 30 0 92 --:--:-- --:--:-- --:--:-- 92
=== End of file stderr615
```
Ref: https://github.com/curl/curl/actions/runs/14037991918/job/39300723214#step:12:1269Closes#16818
Use the `PATH` `/usr/bin` to avoid any Windows system or 3rd-party tool
installed on the runner machine that may interfere with or add undesired
dependencies to the builds and tests.
Follow-up to d838d43430#16465
Ref: #16437Closes#16814
Install on drive `D:` which has much better write performance than `C:`,
on GitHub Windows runner machines.
- It's bringing down `dl-mingw` installation steps to 5-15s per job,
from 15s-130s before this patch.
- Saving 30-90s per job in the Cygwin install step.
The before values were fluctuating, but it seems reasonable to expect
saving at least a couple of minutes for each workflow run.
Closes#16813
- on native Windows (also when using MSYS2 openssh), the group and other
permissions do not end up as requested by Perl's chmod:
```diff
--- log/8/check-expected
+++ log/8/check-generated
@@ -1,3 +1,3 @@
d????????? N U U N ??? N NN:NN asubdir[LF]
--rw?rw?rw? 1 U U 37 Jan 1 2000 plainfile.txt[LF]
+-rw?r-?r-? 1 U U 37 Jan 1 2000 plainfile.txt[LF]
-r-?r-?r-? 1 U U 47 Dec 31 2000 rofile.txt[LF]
```
Ref: https://github.com/curl/curl/actions/runs/14004029192/job/39215359241?pr=16781#step:15:1596
Fix it by ignoring group and other attributes.
- fix failing postprocess cleanup by making the read-only test file
writeable again before deleting it. Fixing:
```
Directory not empty at ../../tests/libtest/test613.pl line 83.
```
(seen on Windows with Git for Windows `perl.exe`)
- unignore in GHA/windows.
Closes#16791
It accidentally worked on all CI-tested operating systems, except on
native Windows.
Fixing:
```
=== Start of file stderr612
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
[...]
curl: (21) rm command failed: Operation failed
```
Ref: https://github.com/curl/curl/actions/runs/14004029192/job/39215359241?pr=16781#step:15:1424
Also remove this test from the ignore list in GHA/windows.
Closes#16801
SFTP/SCP tests were failing in CI with WinCNG libssh2 since we first
added such job. With `curl: (67) Authentication failure`.
The reason is that the default `ssh-keygen` RSA private key format
changed to OpenSSH (RFC4716) in 2018. libssh2 does not support this
format with some of its crypto backends.
Fix it by generating keys explicitly in PEM format as necessary via
the `-m` option. This format is universally recognized for RSA keys.
2018-08-24: https://www.openssh.com/txt/release-7.8: OpenSSH format becomes default
2010-08-23: https://www.openssh.com/txt/release-5.6: `-m` option first supported
This fixed the auth issue, just to reveal a known flakiness issue in
libssh2 + WinCNG, causing:
```
curl: (2) Failure establishing ssh session: -8, Unable to exchange encryption keys
```
Ref: https://github.com/curl/curl/actions/runs/14000494428/job/39205633258?pr=16781#step:15:1796
Tracked here: https://github.com/libssh2/libssh2/issues/804
Mitigated in libssh2 tests by retrying them.
Due to this, keep ignoring these test results.
Also:
- add an env to customize key format: `CURL_TEST_SSH_KEY_FORMAT`
- display the generated format in the log.
- GHA/linux: document the wolfSSH error code causing it to fail tests:
```
curl: (79) wolfssh SFTP connect error -1051 / WS_MATCH_KEY_ALGO_E / cannot match key algo with peer
```
Follow-up to 4911e7af11#16735
Follow-up to 0ec72c1ef8#16672
Follow-up to e53523fef0#14859
Follow-up to e26cbe20cb#13979Closes#16781
For cases when `install_steps` contains extra components.
After this patch, msh3 and rustls CM jobs skip building and running
tests, saving 2 minutes CI time, as originally intended.
Closes#16772
To have it in the coexist-capable wolfSSL local build. This allows
to test ECH combinations in MultiSSL builds with OpenSSL.
Also enable ECH in the wolfssl-opensslextra consumer job.
Closes#16773
On suspect of strain on the runtime env/pipes, disable this test, which
is flaky due to `runtests` detecting a 2009 result code from curl, while
curl is returning the expected 56:
```
test 0498...[Reject too large HTTP response headers on endless redirects]
curl returned 2009, when expecting 56
498: exit FAILED
== Contents of files in the log/5/ dir after test 498
[...]
0 0 0 0 0 0 0 0 --:--:-- 0:00:10 --:--:-- 0
curl: (56) Too large response headers: 6144086 > 6144000
```
In such cases the number of log lines for this single test is 4800. In
comparison the total number of log lines for a clear test run is 3800.
Seen with mingw, dl-mingw, msvc CI jobs.
Follow-up to 4911e7af11#16735
Ref: https://github.com/curl/curl/discussions/14854#discussioncomment-12503065Closes#16748
Skipping these tests saves time and reduces test logs from 11500 lines
to 3800.
Tests are permanently broken due to `curl: (67) Authentication failure`.
This libssh2 is built with WinCNG. Builds using libcrypto from OpenSSL
work fine.
Closes#16735
After restricting OpenSSH-Windows to a single job, and bumping it to
the pre-release version, that job started hanging then timing out with
reasonable consistency.
Since we saw similar hangs before with OpenSSH-Windows stable, in all
jobs, drop OpenSSH-Windows from CI, and replace it with MSYS openssh.
After this patch, all Windows jobs use MSYS2 or Cygwin openssh.
Follow-up to 0ec72c1ef8#16672Closes#16704
MSVC:
- switch jobs to standard openssh server. Reduce exceptions.
- make the SCP/SFTP ignore list more specific and comment with details.
- keep using OpenSSH-Windows for the OpenSSL job, and bump to the
prerelease version.
- disable `ENABLE_DEBUG` for BoringSSL to have such build tested. (This
is the first Windows non-ENABLE_DEBUG build with test runs.)
Takeaways:
- test 612 broken on Windows.
- test 613 broken on Windows with the standard openssh server.
- test 614 broken with libssh and OpenSSH-Windows.
- test 3022 broken with libssh2 and OpenSSH-Windows.
- tests broken with OpenSSH-Windows:
601 603 617 619 621 641 665 2004.
- vcpkg `libssh2[core,zlib]` broken due to:
curl: (67) Authentication failure
MSVC prep steps:
- install base msys2 package to simplify configuration, align with other
jobs and allow to use msys2 packages for tests.
- add support for msys2 openssh server. Keep OpenSSH-Windows as per-job
option. Add support for OpenSSH prerelease versions.
Prerelease does not make a difference in test results, but, stable was
last updated in 2019 (v8.0.0.1) and it seems better to use maintained
release track, with its latest from April 2024 (v9.5.0).
https://community.chocolatey.org/packages/openssh/8.0.0.1https://community.chocolatey.org/packages/opensshhttps://github.com/PowerShell/Win32-OpenSSHhttps://github.com/PowerShell/openssh-portable
- add 'libssh' to its job name.
- make `ENABLE_DEBUG` a per-job option.
msys/mingw:
- install `openssh` later and only when necessary.
- downgrade msys2 runtime later. (to follow other jobs)
- disable `CheckSpace` earlier. Also to untie it from the runtime
downgrade step, which we would hopefully drop.
Closes#16672
Replace `Cwd::abs_path()` with `File::Spec->rel2abs()`. The former
requires the file to exist, but in some cases, it's missing.
Seen in MSVC vcpkg jobs using Chocolatey OpenSSH v8.0.0.1 ending up with
`$path=/d/a/curl/curl/bld/tests/log/3/server/ssh_server.pid`, which does
not exist while converting to an absolute path (the path is already
absolute, but the conversion is done unconditionally):
```
Use of uninitialized value in subroutine entry at D:/a/curl/curl/tests/pathhelp.pm line 128.
can't convert empty path at D:/a/curl/curl/tests/pathhelp.pm line 128.
```
Ref: https://github.com/curl/curl/actions/runs/13747741797/job/38444844173#step:14:1233 (master)
Ref: https://github.com/curl/curl/actions/runs/13751862952/job/38453816737#step:14:3185 (trace)
Also ignore 3 new libssh2 jobs failing due to memleak.
Partial revert of 1bd5ac998b#16570Closes#16636
It fixes test 2302, 2303, 2307 with MSVC and clang on Windows.
GCC Windows builds were not affected.
Failure was caused by stack overflow due to a 1MB+ sized test struct on
stack. Replace it with dynamic allocation.
Also unignore affected tests in GHA/windows.
As seen under WINE with llvm-mingw:
```
$ wine64 libtests.exe lib2302 ws://127.0.0.1:59964/2302 > stdout2302 2> stderr2302
Test: lib2302
URL: ws://127.0.0.1:59964/2302
wine: Unhandled stack overflow at address 000000014007486A (thread 0024), starting debugger...
Unhandled exception: stack overflow in 64-bit code (0x000000014007486a).
```
Ref: #16629 (discovery)
Ref: 1bd5ac998b#16570Closes#16630
The GnuTLS MSVC/vcpkg build doesn't actually work on Windows. Let's
restore the build itself, to keep it fit for more testing. With disabled
tests (and examples) to keep it fast and not add to flakiness.
Also:
- enable GnuTLS in the MultiSSL job.
- limit building examples to one normal and one UWP job. It saves
6 x 1-1.5 minutes. Coverage remains the same, because example builds
only depend on the toolchain / target, not on the actual features
(except IPv6, but that's enabled for all.)
Closes#16623
- enable zstd in Cygwin and MSYS jobs.
- dl-mingw: use Ninja in the 9.5.0 (winlibs-mingw) job.
The download package is shipping with it. Saves 15s build time.
Keep testing GNU Makefiles with the two mingw-builds jobs.
- dl-mingw: split `env` prop to `env` and `ver` to aid integrating with
MSYS2.
- dl-mingw: install MSYS2 with options to make it quick (<20s).
It allows to use MSYS2 dependency packages with the downloaded
toolchains. It also makes configuration cleaner. Install libpsl.
- dl-mingw: enable mbedTLS in the 7.3.0 job.
(OpenSSL took a long time to install, wolfSSL misses features.)
Assisted-by: Jeremy Drake
Closes#16429
Add support for running pytest in GHA/macos jobs.
Experimental, with caveats:
- slow.
- `httpd` often fails to start.
- 10-15 tests (depending on C compiler) fail consistently:
02_20, 02_33, 02_34, 03_01, 03_03, 05_04, 07_42.
- Homebrew build of vsftpd misses TLS support.
- `nghttpx` temporarily disabled for pytest.
You can test pytest by adding `install_steps: pytest` to a job.
Closes#16518
