- add Linux jobs with old OpenSSL versions: 1.1.1, 1.1.0, 1.0.2, with
tests.
(Meaning we test these again after losing them in AppVeyor CI)
- add LibreSSL Linux job with tests.
- cache most dependency packages built from source.
(exception: wolfSSL, which would have added too much complexity
due to the multiple versions, and it's fast to build anyway.)
- change source tarball sources to GitHub for better stability and
performance.
- move dependency versions to the env.
- set `persist-credentials: false` for checkout steps for security.
- pin actions to hash for security.
- checkout repo later, right before use.
- skip building BoringSSL tests to finish quicker.
- set `fail-fast: false` in the BSD build matrix.
- cmake: move UWP workaround from GHA to `CMakeLists.txt`, making it
available for everyone.
- list installed packages in OpenBSD job.
- bump BoringSSL, mbedTLS, wolfSSL, OpenSSL.
- bump cross-platform-actions to v0.26.
- bump docker/build-push-action to v6.
- bump actions/upload-artifact to v4.
- bump NetBSD to 10.1.
- drop `--quiet 2` `apt-get` option to keep useful output.
- drop `--no-install-suggests --no-install-recommends` `apt-get`
options. They are the defaults with the `ubuntu-24.04` image.
- tidy up quotes.
Cherry-picked from #1484Closes#1528
- cmake: add support to build ossfuzz.
Enable with `-DBUILD_OSSFUZZ=ON`.
Also supports `-DLIB_FUZZING_ENGINE=` like autotools does.
- check for `__clang__` when suppressing warnings in source. Necessary
for clang-cl, which set `__clang__`, but doesn't set `__GNU__`.
- cmake: optimize out 4 picky warning option detections with gcc.
- cmake: bring `-pedantic-error`, `-Wall` use closer to curl's.
- cmake: set `-Wno-language-extension-token` for clang-cl.
- cmake: escape only the necessary `-W` options for clang-cl.
- cmake: apply picky warnings to C++.
- cmake: replace `unset(VAR)` with `set(VAR "")` for init.
- cmake: prefer dash-style MSVC options.
- cmake: simplify `MATCHES` expression.
- cmake: formatting/whitespace.
- ci/GHA: bump `actions/upload-artifact` to v4
Closes#1524
- always pass `--no-install-suggests --no-install-recommends`
to `apt-get` to avoid spending time to install packages we don't need.
(notably in the i386 Linux job.)
- drop an `apt-get` hack that's no longer necessary.
Closes#1476
- sync code between Find modules.
- wolfssl: replace `pkg-config` hints with native detection.
- libgcrypt, mbedtls: add `pkg-config`-based native detection.
- libgcrypt: add version detection.
- limit `pkg-config` use for `UNIX`, vcpkg, and non-cross MinGW builds,
and builds with no manual customization via `*_INCLUDE_DIR` or
`*_LIBRARY`.
- replace and sync Find module header comments.
- ci: delete manual mbedTLS config that's now redundant.
Based on similar work done in curl.
Second attempt at #1420Closes#1445
Also:
- add `LIBSSH2_DSA_ENABLE` to enable it explicitly.
- test the above option in CI.
- say 'deprecated' in docs and public header.
- disable DSA in the CI server config.
(OpenSSH 9.8 no longer builds with it by default)
https://www.openssh.com/txt/release-9.8
Patch-by: Jose Quaresma
- disable more DSA code when not enabled.
Fixes#1433Closes#1435
Statuses are per AppVeyor event and commit, not pull-request.
Also align permissions approach with curl, least priviledge.
Partially reverts b08cfbc99f.
Add workaround for the wolfSSL `EVP_Cipher(*p, NULL, NULL, 0)` bug to
make libssh2 work with wolfSSL v5.6.0 and older.
wolfSSL fixed this issue in v5.7.0:
https://github.com/wolfSSL/wolfssl/pull/7143b0de0a1c95
Without our local workaround:
- v5.3.0 and older fail most tests:
Ref: https://github.com/libssh2/libssh2/actions/runs/9646827522/job/26604211476#step:17:1263
- v5.4.0, v5.5.x, v5.6.0 fail these:
```
29 - test_read-aes128-cbc (Failed)
30 - test_read-aes128-ctr (Failed)
32 - test_read-aes192-cbc (Failed)
33 - test_read-aes192-ctr (Failed)
34 - test_read-aes256-cbc (Failed)
35 - test_read-aes256-ctr (Failed)
```
Ref: https://github.com/libssh2/libssh2/actions/runs/9646827522/job/26604233819#step:17:978
Oddly enough the workaround breaks OpenSSL tests, so only enable it for
the affected wolfSSL versions.
Also add new build-from-source wolfSSL CI job to test the new codepath.
wolfSSL has a build bug where `wolfssl/options.h` and
`wolfssl/version.h` are not copied to the `install` destination with
autotools. With CMake it has a different bug where `wolfcrypt/sp_int.h`
is not copied (with v5.4.0). And another with CMake where `FIPS_mode()`
remains missing (with v5.6.0 and earlier.)
Therefore use CMake with v5.5.4 and a workaround for `FIPS_mode()`.
Another option is autotools with v5.4.0 and a workaround for `install`,
but CMake builds quicker.
Regression-from 3c953c05d6#797Fixes#1020Fixes#1299
Assisted-by: Michael Buckley via #1394Closes#1394 (another attempt to fix the mentioned wolfSSL bug)
Closes#1407
Turns out these tests:
```
31 - test_read-aes128-gcm@openssh.com (Failed)
36 - test_read-aes256-gcm@openssh.com (Failed)
```
were failing because AES-GCM wasn't enabled in libssh2. This in turn
happened because the `WOLFSSL_AESGCM_STREAM` macro wasn't enabled while
building wolfSSL. Which happened because this macro isn't enabled by
any CMake-level wolfSSL option. Passing it as `CPPFLAGS` fixes it.
This allows enabling tests with wolfSSL 5.7.0.
Follow-up to d4cea53f53#1408Closes#1409
After this patch it's possible to run tests with wolfSSL 5.7.0.
wolfSSL 5.7.0 fixes this bug that affects open issues #1020 and #1299:
https://github.com/wolfSSL/wolfssl/pull/7143
`-DWOLFSSL_OPENSSLALL=ON` is necessary for `wolfSSL_FIPS_mode()`
Closes#1408
- make curl downloads less verbose.
- fix cmake warning:
```
CMake Warning:
No source or binary directory provided. Both will be assumed to be the
same as the current working directory, but note that this warning will
become a fatal error in future CMake releases.
```
Ref: https://github.com/libssh2/libssh2/actions/runs/9509866494/job/26213472410#step:5:32
- dump cmake error log on configure failure. (for cmake 3.26 and newer)
- dump `config.log` on autotools configure failure.
- convert specs filename to Windows format before passing to CMake.
- add missing quotes.
Closes#1403
For better build performance. Dependency tracking causes a build
overhead while compiling to help a subsequent build, but in CI there is
never one and the extra work is discarded.
Closes#1396
A compile-time failure is preferred over an unexpected one at
runtime.
The problem is silenced with a macro in CI and this macro will have
to be added to more platforms when mbedTLS v3.6.0 reaches them.
Follow-up to 2e4c5ec462#1349Closes#1393
autotools lib detection routine failed to extend LDFLAGS for each
detection. This could cause successful detection of a dependency, but
later failing to use it. This did not cause an issue as long as all
dependencies lived under the same prefix, but started breaking on macOS
ARM + Homebrew where this was no longer true for mbedTLS and zlib in
particular.
Follow-up to 844115393b#1381
Follow-up to ae2770de25#1377Closes#1384
- add `./configure` option `--enable-ecdsa-wincng`
- add WinCNG autotools jobs to GHA.
- enable WinCNG ECDSA in some GHA jobs (both CMake and autotools).
Follow-up to 3e72343737#1315Closes#1368
- set bash `-eu`.
- fix bash `-eu` issues.
- apply `TZ=UTC` and `LC_ALL=C` for reproducibility.
- sort `.zip` entries for reproducibility.
- zip with `--no-extra` for reproducibliity.
- use maximum zip compression.
- add the gpg sign command-line. Copied from curl.
- add CI test for `maketgz`.
Closes#1353
- bump cross-platform-actions to 0.23.0.
Ref: https://github.com/cross-platform-actions/action/releases/tag/v0.23.0
- switch to Linux runners (from macOS) for cross-platform-actions.
It's significantly faster.
- switch back FreeBSD 14 job to cross-platform-actions.
Also switch back to default shell.
- add FreeBSD 14 arm64 job.
Closes#1343
