Add CI builds

This commit is contained in:
Travis Burtrum 2019-12-27 01:00:10 -05:00
parent 643cd327f4
commit 53b1fbb689
5 changed files with 100 additions and 9 deletions

45
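--- a/.ci/build.sh
+++ b/.ci/build.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+set -exu
+# change to the directory this script is in
+cd "$(dirname "$0")"
+# dependencies to build+test pegh
+apk add build-base clang openssl-dev openssl-libs-static bash libsodium-dev libsodium-static
+#apk add build-base clang libressl-dev bash
+# gcc is apparantly incapable of building a static binary, even gcc -static helloworld.c ends up linked to libc, instead of solving, use clang
+make clean all PEGH_LIBSODIUM=1 CC=clang LDFLAGS="-static -lsodium" || clang pegh.c -DPEGH_LIBSODIUM -static -lsodium -O3 -o pegh
+mv pegh pegh.static.libsodium
+make clean all PEGH_OPENSSL=1 CC=clang LDFLAGS="-static -lcrypto" || clang pegh.c -DPEGH_OPENSSL -static -lcrypto -O3 -o pegh
+mv pegh pegh.static.openssl
+ls -lah pegh.static.*
+strip pegh.static.*
+# print out some info about this, size, and to ensure it's actually fully static
+ls -lah pegh.static.*
+file pegh.static.*
+ldd pegh.static.* || true
+# libsodium only supports AES-256-GCM on certain CPUs that have hardware instructions for it
+# we can build them regardless, but we can't test them without that, pegh prints that right away
+set +e
+if ./pegh.static.libsodium -h 2>&1 >/dev/null | grep '^Error: libsodium'
+then
+echo "CPU does not have AES support so can't run libsodium version"
+# no aes support
+export TEST_BINS="./pegh.static.openssl ./pegh.openssl"
+else
+echo "CPU has AES support so can run libsodium version"
+# we can test everything
+export TEST_BINS="./pegh.static.openssl ./pegh.openssl ./pegh.libsodium ./pegh.static.libsodium"
+fi
+set -e
+# compile dynamically linked versions (with gcc) to openssl and libsodium, then test all 4 against each other
+./test.sh
+echo "successfully built and tested static pegh against libsodium and openssl!"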
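Review bot: The `set +e` / `set -e` bracket around the libsodium probe (`if ./pegh.static.libsodium -h 2>&1 >/dev/null | grep '^Error: libsodium'`) is redundant, since `-e` never applies to the command list of an `if` condition, and `grep` without `-q` also prints the matched error line into the log; `if ./pegh.static.libsodium -h 2>&1 >/dev/null | grep -q '^Error: libsodium'` does the same with the two `set` lines dropped. The `2>&1 >/dev/null` order is correct here (stderr goes to the pipe, stdout is discarded) but surprising enough to deserve a comment such as `# stderr to grep, stdout discarded`. Separately, `apk add` installs whatever the image ships at run time, so two CI runs of the same commit can link the static release artifacts against different libsodium/openssl builds; pinning the Alpine image tag in .travis.yml or using `apk add pkg=version` would make the published binaries reproducible.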

19
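--- a/.ci/docker_build.sh
+++ b/.ci/docker_build.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+DOCKER_IMAGE="$1"
+shift
+ARCH="$1"
+BUILD_DIR=/tmp/static/
+rm -rf "$BUILD_DIR"
+mkdir -p "$BUILD_DIR"
+cp * .ci/build.sh "$BUILD_DIR"
+docker run --rm -v "$BUILD_DIR":/tmp "$DOCKER_IMAGE" /tmp/build.sh || exit 1
+mv "$BUILD_DIR"pegh.static.openssl "./pegh-$ARCH-openssl"
+mv "$BUILD_DIR"pegh.static.libsodium "./pegh-$ARCH-libsodium"
+rm -rf "$BUILD_DIR" 2>/dev/null
+exit 0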
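Review bot: `BUILD_DIR=/tmp/static/` is a fixed, world-known path that the script first `rm -rf`s and then fills with the working tree, so whatever already sits at that path (or a symlink planted there by another local user on a shared host) is deleted or followed; CI runners are normally single-tenant, but `mktemp -d` removes the question entirely and a `${BUILD_DIR:?}` guard keeps the `rm -rf` from ever expanding to an empty path. The script also has no `set -eu`, so a missing second argument silently produces an artifact named `pegh--openssl` instead of failing, and `cp *` without `--` would misparse a source file whose name begins with `-`. With `mktemp -d` the leading `rm -rf`/`mkdir -p` pair goes away and the two `mv` lines use an explicit `/` rather than relying on the trailing slash in the variable.
```sh
set -eu
# … unchanged: DOCKER_IMAGE / shift / ARCH …
BUILD_DIR=$(mktemp -d) || exit 1
cp -- * .ci/build.sh "$BUILD_DIR"
# … unchanged: docker run …
mv "$BUILD_DIR/pegh.static.openssl" "./pegh-$ARCH-openssl"
mv "$BUILD_DIR/pegh.static.libsodium" "./pegh-$ARCH-libsodium"
rm -rf -- "${BUILD_DIR:?}"
```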

22
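--- a/.travis.yml
+++ b/.travis.yml
@@ -0,0 +1,22 @@
+language: minimal
+services: docker
+matrix:
+include:
+- env: ARCH='amd64' DOCKER_IMAGE='alpine'
+- env: ARCH='i386' DOCKER_IMAGE='i386/alpine'
+- env: ARCH='aarch64' DOCKER_IMAGE='alpine'
+arch: arm64
+script:
+- ./.ci/docker_build.sh "$DOCKER_IMAGE" "$ARCH"
+deploy:
+api_key:
+secure: $GITHUB_OAUTH
+file_glob: true
+file: pegh-*
+on:
+tags: true
+provider: releases
+skip_cleanup: true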
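Review bot: `secure: $GITHUB_OAUTH` under `deploy.api_key` is very likely not what Travis expects: the value of a `secure:` key is the base64 ciphertext produced by `travis encrypt`, which Travis decrypts itself, and as far as I know it is not subject to variable expansion, so the literal string `$GITHUB_OAUTH` would be sent to GitHub as the token and the release upload would fail with an authentication error. If the token is stored as a hidden variable in the repository settings, reference it directly with `api_key: $GITHUB_OAUTH`; if it is meant to live in the file, replace the value with the `travis encrypt` output. In either case the token only needs the scope required to create releases, and the existing `tags: true` condition already keeps it from being used on ordinary pushes.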

5
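--- a/pegh.c
+++ b/pegh.c
@@ -275,7 +275,12 @@ void wipe_memory(void * const ptr, const size_t len) {
 #include <sodium.h>
 /* unlike openssl, libsodium uses proper types, so we can go all the way up to the "aes-gcm-256 is still secure" limit of around 32gb */
+/*
+// actually this is breaking on x86 and aarch64 where size_t is `unsigned int` and this overflows, how to handle???
 static const size_t CHUNK_SIZE_MAX = 1024UL * 1024 * 1024 * 32;
+// for now, 4gb will do?
+*/
+static const size_t CHUNK_SIZE_MAX = UINT_MAX;
 /*
  * returns 1 on success, 0 on failure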
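Review bot: `static const size_t CHUNK_SIZE_MAX = UINT_MAX;` stops the 32 GB constant from wrapping on 32-bit targets, but it also caps 64-bit builds at 4 GB, and `UINT_MAX` needs `<limits.h>`, which is not visible in this hunk (fine if it is already included above). Keying the cap on the width of `size_t` via `SIZE_MAX` from `<stdint.h>` keeps the documented ~32 GB limit where it fits and falls back to 4 GB otherwise, as sketched below. The commented-out note blames aarch64 for a 32-bit `size_t`; of the three targets in the new .travis.yml matrix only i386 is 32-bit, so the comment probably means i386 and should say so rather than mislead the next reader. These declarations are at file scope; `wipe_memory` in the hunk header is only the nearest preceding function.
```c
/* … unchanged: #include <sodium.h> and the 32 GB comment … */
#if SIZE_MAX > UINT32_MAX
/* 64-bit size_t: keep the ~32 GB AES-GCM limit */
static const size_t CHUNK_SIZE_MAX = 1024ULL * 1024 * 1024 * 32;
#else
/* 32-bit size_t: the 32 GB constant would wrap, cap at 4 GB */
static const size_t CHUNK_SIZE_MAX = UINT32_MAX;
#endif
```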

18
test.sh

@ -4,18 +4,18 @@ export dummy_file="$1"
shift shift
export dummy_mb="$1" export dummy_mb="$1"
[ "$dummy_file" = "" ] && export dummy_file='/dev/shm/randombytes' [ "$dummy_file" = "" ] && export dummy_file='/tmp/randombytes'
[ "$dummy_mb" = "" ] && export dummy_mb='100' [ "$dummy_mb" = "" ] && export dummy_mb='100'
set -euo pipefail [ "$TEST_BINS" = "" ] && TEST_BINS="./pegh.openssl ./pegh.libsodium"
set -euxo pipefail
# try different size files to encrypt/decrypt # try different size files to encrypt/decrypt
[ -e "$dummy_file" ] || dd if=/dev/urandom bs=1M "count=$dummy_mb" of="$dummy_file" [ -e "$dummy_file" ] || dd if=/dev/urandom bs=1M "count=$dummy_mb" of="$dummy_file"
# try make if it's installed, otherwise fall back to cc # try make if it's installed, otherwise fall back to cc
bins="./pegh.openssl ./pegh.libsodium" rm -f pegh
#bins="./pegh.libsodium ./pegh.openssl"
rm -f pegh $bins
# compile against openssl # compile against openssl
make PEGH_OPENSSL=1 || cc pegh.c -DPEGH_OPENSSL -lcrypto -O3 -o pegh make PEGH_OPENSSL=1 || cc pegh.c -DPEGH_OPENSSL -lcrypto -O3 -o pegh
@ -33,14 +33,14 @@ test () {
bin="$1" bin="$1"
bin_decrypt="${2:-$bin}" bin_decrypt="${2:-$bin}"
echo "testing bins: $bin bin_decrypt: $bin_decrypt" echo "testing binaries bin: $bin bin_decrypt: $bin_decrypt"
echo 'encrypting then decrypting with the same key should succeed' echo 'encrypting then decrypting with the same key should succeed'
"$bin" -e "$key" < "$dummy_file" | "$bin_decrypt" -d "$key" | cmp - "$dummy_file" "$bin" -e "$key" < "$dummy_file" | "$bin_decrypt" -d "$key" | cmp - "$dummy_file"
echo 'test with -s 32 requiring 2gb of ram should succeed' echo 'test with -s 32 requiring 2gb of ram should succeed'
# can send -s 32 or -m 2048 to decrypt command with identical effect # can send -s 32 or -m 2048 to decrypt command with identical effect
"$bin" -e "$key" -s 32 < "$dummy_file" | "$bin_decrypt" -d "$key" -m 2048 | cmp - "$dummy_file" #"$bin" -e "$key" -s 32 < "$dummy_file" | "$bin_decrypt" -d "$key" -m 2048 | cmp - "$dummy_file"
set +e set +e
# these should fail # these should fail
@ -58,9 +58,9 @@ test () {
set -e set -e
} }
for bin in $bins for bin in $TEST_BINS
do do
for bin_decrypt in $bins for bin_decrypt in $TEST_BINS
do do
time test $bin $bin_decrypt time test $bin $bin_decrypt
done done
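Review bot: Adding `x` to `set -euxo pipefail` makes the shell echo every command with its arguments expanded, so each `"$bin" -e "$key"` and `-d "$key"` line inside `test()` now writes the key into the Travis log, which is public for a public repository. That is harmless only while `$key` (set outside these hunks) is a throwaway fixture; it is worth saying so next to the `set` line, `# -x prints the test key into the CI log; it must stay a dummy value`, or bracketing the `test` calls with `set +x` / `set -x`. Separately, the `-s 32` round-trip is commented out rather than made conditional, so the `-m 2048` decrypt path is no longer exercised anywhere; gating it on an environment variable that .ci/build.sh leaves unset would keep that coverage on developer machines. `test()` starts at the second hunk's header and its body continues outside the shown lines.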