To run more pytest sshd tests, and for more static analysis.
Also:
- drop redundant option from `openssl libssh2 ...` config.
- GHA/linux: enable pytest in the LTO job (to test libssh2).
- avoid both with local builds of OpenSSL-forks, due to crypto lib
mixups causing a mixture of build error, crashes, test failures.
Follow-up to eb39fee40b#19934Closes#19943
- cmake: automatically disable typecheck when running clang-tidy,
to avoid possible interference, and to improve performance.
- INSTALL-CMAKE: document both this, and unity=off for clang-tidy.
- GHA/linux: disable for some static analyzers CI jobs to avoid possible
interference.
- GHA/linux: disable in Fil-C job to improve build performance.
Follow-up to 9e6f1c5efb#19637
Follow-up to fd2ca2399e#17955Closes#19941
To detect mistakes made in the runtests framework that reduce
the number of test runs. Before this patch it could go undetected with
a green CI.
The minimum thresholds will need light maintenance going forward (either
bumping them periodically, or adjust if some may fell below minimums for
justified reasons). We may also make minimums tighter or looser, or more
job-specific.
Latest number of test runs for each job can be seen at Test Clutch:
https://testclutch.curl.se/static/reports/feature-matrix.html
Also:
- GHA: set minimums.
Assisted-by: Dan Fandrich
Follow-up to f2a75a14dd
Follow-up to bb1391f943#19510Closes#19942
Only the `test-ci` build target sets `--buildinfo` automatically,
since 985f39c0ce. It needs to be set
manually for other targets used in CI, such as `test-torture`,
to enable the `buildinfo.txt` dump in the runtests step.
For Test Clutch. In an attempt to re-sync `targetarch` with the rest of
macOS jobs on the feature matrix page:
https://testclutch.curl.se/static/reports/feature-matrix.html
Before this patch and possibly since the breaking update It's `aarch64e`
for torture jobs and `aarch64` for the rest
(stricly speaking `aarch64e` is the correct value for all macOS jobs, but
autotools and cmake report arm64/aarch64 without the `e`.)
Regression from 985f39c0ce#18147Closes#19601
It also means that all supported OpenSSL versions and forks support
TLSv1.3 after this patch.
It reduces `openssl.c` size by more than 10%, or 400 LOC.
Ref: #18822Closes#18330
They were disabled since these jobs ran in Zuul. The tests are 320, 321,
322, 323, 324. Of which, 323 runs in CI, the rest needs `gnutls-serv`
with SRP enabled, which is not available in current jobs and no longer
offered by Ubuntu's `gnutls-bin` package. 324 doesn't appear as
a skipped test, 323 seems to be running fine, the rest are logged as
skipped. This suggests it's safe to drop the exceptions.
Closes#19413
Build and cache LibreSSL locally with Fil-C and enable it in the Fil-C
job.
Also:
- disable test 776 in the Fil-C job. It fails consistently, and due to
flakiness seen earlier its result is disabled. In this job it seems to
be adding 1 to 9 minues to the test run step and fails consistently.
- include Fil-C version in the LibreSSL cache key to prepare for Fil-C
ABI changes.
- GHA/linux: fully quote `tflags` values to avoid breaking YAML.
Tested and confirmed working with OpenSSL too, but ended up with
LibreSSL for faster, smaller builds.
Closes#19407
Requirements for Fil-C:
- not to accidentally pick up system headers. E.g. from `/usr/include`
on Linux. It can happen when any dependency is auto-detected on this
header path. This makes Fil-C find the wrong system headers, which
in turn breaks the configuration step in subtle ways (with CMake) and
less subtle ways (autotools). Then CMake ends up running into an error
while compiling.
- build all dependencies with Fil-C too.
(this patch doesn't build any dependencies yet.)
- "unity" mode disabled. It should work, but needs a lot of memory and
slower than a standard compiler, or a Fil-C non-unity build.
- x86_64 Linux host platform when using the pre-built toolchain.
Observations on a minimal, static build made with no dependencies and
Fil-C 0.674 (based on clang 20.1.8).
- curl tool sizes:
- cmake, default, w/o -O: 30 MB (gcc 14.2.0: 1.7 MB)
- cmake, default, w/o -O, stripped: 29.6 MB (gcc: 1.4 MB)
- cmake, Release, -O3: 7.2 MB (gcc: 1 MB)
- cmake, Release, -O3, stripped: 6.8 MB (gcc: 0.93 MB)
- autotools, default, -O2: 7 MB
- libcurl.a size is 32 MB (cmake, default, w/o -O) (gcc: 2.7 MB)
- build times 3-3.5x longer (compared to system gcc 14.2.0):
- all runtests available pass OK.
- all pytests skipped due to missing features/dependencies.
- shared libcurl builds also work (cmake, default: 25 MB libcurl.so and
5.75 MB (5.6 stripped) curl tool)
- autotools works fine too, with dependencies disabled or set to avoid
`/usr/include`.
Closes#19391
The cmake build is running runtests with valgrind. The autotools one is
running scan-build.
Also:
- ignore two memleaks with GNU GSS detected by valgrind.
- add comment on support status of `GSS_C_DELEG_POLICY_FLAG`.
Closes#19008
The kerberos5 library Heimdal is one of three GSS libraries curl support.
It has a memory leak triggered by the new test in #18917 and the project
seems mostly abandoned.
Drop support and steer users to the MIT krb5 or GNU GSS libraries.
Co-authored-by: Daniel Stenberg
Ref: #18928Closes#18928Closes#18932
Build these examples when the necessary dependencies are present:
- cacertinmem, usercertinmem (OpenSSL/fork)
- multi-uv (libuv)
- multithread, threaded-ssl (pthread)
- sessioninfo (GnuTLS)
Indicate the necessary dependency via a `Required:` comment placed in
the source file. A single dependency per source is supported as of now.
The name of the dependency should match the variable used within
the cmake scripts, which in turn matches the macro used in the config
header. E.g. for GnuTLS it's `USE_GNUTLS`.
Also:
- GHA/macos: build examples in two job to test GnuTLS and pthread ones.
- GHA/linux: enable libuv to test it with examples.
Follow-up to 6bb7714032#18914Closes#18909
- http3-linux: move local nghttpx (nghttp2) build to openssl (from
quictls). Also tried LibreSSL, but it made some HTTP/2 tests fails.
- http3-linux: drop quictls ngtcp2 build.
- http3-linux: build local openssl with `no-deprecated`.
(previously tested in the quictls local build.)
- http3-linux: explicitly disable LDAP in cmake openssl jobs.
cmake builds auto-detect OpenLDAP (autotools don't), and when enabled,
linking curl fails because system `libsasl.so` requires MD5 openssl
functions, which are missing from openssl no-deprecated builds.
- macos: move options tested in quictls jobs to other ones.
- linux: drop unused quictls local build. (it was used for msh3.)
Follow-up to 91138b014d#17729
- renovate: drop quictls bump detection.
Closes#18833
To test it in GHA and catch issues at PR time. Before this patch,
Circle CI caught them after pushing to master (or non-fork PR
branches.) GHA also run runtests, pytests and static analysis on
these builds, after this patch.
- GHA/linux: enable no-verbose in an existing job.
- GHA/linux: enable no-verbose in the H3 scan-build job too.
- GHA/macos: enable no-verbose in one build (= 3 jobs with different
compilers).
- GHA/codeql: enable no-verbose in the MultiSSL Linux build.
- circleci: delete openssl no-verbose job in favor of the above.
Closes#18797
They use Linuxbrew instead of locally built components.
Linuxbrew limitations compared to the locally built components in
GHA/http3-linux:
- libngtcp2 currently supports OpenSSL only.
- wolfssl can't coexist with openssl.
- somewhat tricky configuration with autotools.
Upside is easy of use, always the latest versions (may be downside),
and availability of almost all packages.
Closes#18693
Also:
- point the source tarball to a working URL.
The GitHub release page misses the official source tarball for 4.1.1.
- GHA/linux: switch LibreSSL build to cmake (syncing with http3-linux.)
- GHA/macos: drop no longer needed LibreSSL build workaround.
Closes#18792
To avoid typos and non-existing options passed to `./configure` in CI
builds.
Also delete obsolete option `--enable-test-bundles` from Circle CI jobs.
Closes#18759
In an attempt to make `brew install` commands initialize faster.
Often this command started with 20-50 seconds of delay before this
patch. This is an attempt to make it launch faster.
Cherry-picked from #18736
- requirements.txt: shorten copyright headers.
- requirements.txt: pin packages to versions.
- GHA/windows: use `tests/requirements.txt`.
Pick a `cryptography` package version that satifies both `impacket`
and pytests dependencies.
- GHA/checksrc: move pip deps into a new `requirements.txt`.
To make Dependabot detect and bump them.
- GHA/checksrc: replace apt packages for python test deps with pip
install `tests/**/requirements.txt` to a venv.
- GHA/checksrc: use venv and drop `--break-system-packages`.
- GHA/linux: fix to actually activate venvs.
Follow-up to 2638570241#15578
- GHA/linux: fixup (did not cause an issue)
Follow-up to d75785c7de#18660
- GHA: create venvs later, simplify commands.
- GHA: sync pip command-line options, e.g. drop progress-bar,
everywhere.
Assisted-by: Dan Fandrich
Closes#18708
