Patch CVE-2023-38545 #266
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and test | |
on: | |
push: | |
branches: | |
- main | |
tags: | |
- "v*.*.*" | |
pull_request: | |
branches: | |
- main | |
env: | |
NSS_VERSION: nss-3.77 | |
BORING_SSL_COMMIT: 1b7fdbd9101dedc3e0aa3fcf4ff74eacddb34ecc | |
jobs: | |
build-and-test: | |
name: Build curl-impersonate and run the tests | |
runs-on: ${{ matrix.os }} | |
strategy: | |
matrix: | |
os: [ubuntu-20.04, macos-12] | |
arch: [x86_64] | |
include: | |
- os: ubuntu-20.04 | |
arch: x86_64 | |
host: x86_64-linux-gnu | |
capture_interface: eth0 | |
make: make | |
- os: ubuntu-20.04 | |
arch: aarch64 | |
host: aarch64-linux-gnu | |
capture_interface: eth0 | |
make: make | |
- os: ubuntu-20.04 | |
arch: arm | |
host: arm-linux-gnueabihf | |
capture_interface: eth0 | |
make: make | |
- os: macos-12 | |
arch: x86_64 | |
host: x86_64-macos | |
capture_interface: en0 | |
make: gmake | |
steps: | |
- uses: actions/setup-python@v4 | |
with: | |
python-version: '3.10' | |
- name: Install Ubuntu dependencies | |
if: matrix.os == 'ubuntu-20.04' | |
run: | | |
sudo apt-get update | |
sudo apt-get install build-essential pkg-config cmake ninja-build curl autoconf automake libtool | |
# Chrome version dependencies | |
sudo snap install go --classic | |
# Needed to compile 'minicurl' | |
sudo apt-get install libcurl4-openssl-dev | |
# More dependencies for the tests | |
sudo apt-get install tcpdump nghttp2-server libnss3 | |
- name: Install Ubuntu cross-compile dependencies (${{ matrix.arch }}) | |
if: matrix.os == 'ubuntu-20.04' && matrix.arch != 'x86_64' | |
run: | | |
sudo apt-get install gcc-${{ matrix.host }} g++-${{ matrix.host }} | |
- name: Install macOS dependencies | |
if: matrix.os == 'macos-12' | |
run: | | |
brew install pkg-config make cmake ninja autoconf automake libtool | |
# Chrome version dependencies | |
# (Go is already installed) | |
# brew install go | |
# Needed to compile 'minicurl' | |
brew install curl | |
# More dependencies for the tests | |
brew install tcpdump nghttp2 nss | |
- name: Install common dependencies | |
run: | | |
# Firefox version dependencies | |
pip3 install gyp-next | |
- name: Check out the repo | |
uses: actions/checkout@v2 | |
- name: Install dependencies for the tests script | |
run: | | |
pip3 install -r tests/requirements.txt | |
# When cross compiling we need to build zlib first. | |
- name: Build zlib | |
run: | | |
curl -LO https://zlib.net/zlib-1.3.1.tar.gz | |
tar xf zlib-1.3.1.tar.gz | |
cd zlib-1.3.1 | |
CHOST=${{ matrix.host }} ./configure --prefix=${{ runner.temp }}/zlib | |
make | |
make install | |
# Make sure curl will link with libz.so.1 and not libz.so | |
rm -f ${{ runner.temp }}/zlib/lib/libz.so | |
- name: Run configure script | |
if: matrix.arch == 'x86_64' | |
run: | | |
mkdir ${{ runner.temp }}/install | |
./configure --prefix=${{ runner.temp }}/install \ | |
CURL_CONFIG_FLAGS="--disable-rtsp --without-libidn2 --without-zstd" | |
# When cross compiling a more complicated configuration is needed, since | |
# curl's configure script can't figure out where some files and libraries | |
# are located. The locations used here are the ones used by Ubuntu. | |
- name: Run configure script (cross compiling) | |
if: matrix.arch != 'x86_64' | |
run: | | |
mkdir ${{ runner.temp }}/install | |
./configure --prefix=${{ runner.temp }}/install \ | |
--host=${{ matrix.host }} \ | |
--with-zlib=${{ runner.temp }}/zlib \ | |
--with-ca-path=/etc/ssl/certs \ | |
--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt \ | |
--with-libnssckbi=/usr/lib/${{ matrix.host }}/nss | |
# Cache the build of BoringSSL, which is the longest part of the build | |
# We must cache the .zip as well, otherwise the Makefile will | |
# rebuild BoringSSL. This whole thing is a bit hacky, but necessary to | |
# reduce the insanely long build times. | |
- name: Cache BoringSSL source | |
uses: actions/cache@v3 | |
with: | |
path: boringssl.zip | |
key: ${{ runner.os }}-${{ matrix.arch }}-boring-source-${{ env.BORING_SSL_COMMIT }} | |
- name: Cache BoringSSL build | |
id: cache-boringssl | |
uses: actions/cache@v3 | |
with: | |
path: boringssl/build | |
key: ${{ runner.os }}-${{ matrix.arch }}-boring-build-${{ env.BORING_SSL_COMMIT }}-${{ hashFiles('chrome/patches/boringssl*.patch') }} | |
# Trick the Makefile into skipping the BoringSSL build step | |
# if it was found in the cache. See Makefile.in | |
- name: Post BoringSSL cache restore | |
if: ${{ steps.cache-boringssl.outputs.cache-hit != false }} | |
run: | | |
touch boringssl.zip | |
touch boringssl/.patched | |
find boringssl/build -type f | xargs touch | |
- name: Build the Chrome version of curl-impersonate | |
run: | | |
${{ matrix.make }} chrome-build | |
${{ matrix.make }} chrome-checkbuild | |
${{ matrix.make }} chrome-install | |
# Cache the build of NSS, which is the longest part of the build | |
# We must cache the .tar.gz as well, otherwise the Makefile will | |
# rebuild NSS. | |
- name: Cache NSS source | |
uses: actions/cache@v3 | |
with: | |
path: ${{ env.NSS_VERSION }}.tar.gz | |
key: ${{ runner.os }}-${{ matrix.arch }}-nss-source-${{ env.NSS_VERSION }} | |
- name: Cache NSS build | |
id: cache-nss | |
uses: actions/cache@v3 | |
with: | |
path: ${{ env.NSS_VERSION }}/dist | |
key: ${{ runner.os }}-${{ matrix.arch }}-nss-build-${{ env.NSS_VERSION }} | |
# Trick the Makefile into skipping the NSS build step | |
# if it was found in the cache. | |
- name: Post NSS cache restore | |
if: ${{ steps.cache-nss.outputs.cache-hit != false }} | |
run: | | |
touch ${{ env.NSS_VERSION }}.tar.gz | |
find ${{ env.NSS_VERSION }}/dist -type f | xargs touch | |
- name: Build the Firefox version of curl-impersonate | |
run: | | |
${{ matrix.make }} firefox-build | |
${{ matrix.make }} firefox-checkbuild | |
${{ matrix.make }} firefox-install | |
- name: Prepare the tests | |
if: matrix.arch == 'x86_64' | |
run: | | |
# Compile 'minicurl' which is used by the tests | |
gcc -Wall -Werror -o ${{ runner.temp }}/install/bin/minicurl tests/minicurl.c `curl-config --libs` | |
# For now we can only run the tests when not cross compiling, since the | |
# tests run the curl-impersonate binary locally. | |
- name: Run the tests | |
if: matrix.arch == 'x86_64' | |
run: | | |
cd tests | |
# sudo is needed for capturing packets | |
python_bin=$(which python3) | |
sudo $python_bin -m pytest . --log-cli-level DEBUG --install-dir ${{ runner.temp }}/install --capture-interface ${{ matrix.capture_interface }} | |
# Upload pre-compiled binaries to GitHub releases page. | |
- name: Create tar release files for libcurl-impersonate | |
if: startsWith(github.ref, 'refs/tags/') | |
run: | | |
cd ${{ runner.temp }}/install/lib | |
tar -c -z -f ${{ runner.temp }}/libcurl-impersonate-${{ github.ref_name }}.${{ matrix.host }}.tar.gz libcurl-impersonate* | |
echo "release_file_lib=${{ runner.temp }}/libcurl-impersonate-${{ github.ref_name }}.${{ matrix.host }}.tar.gz" >> $GITHUB_ENV | |
- name: Clean build | |
if: startsWith(github.ref, 'refs/tags/') | |
run: | | |
${{ matrix.make }} chrome-clean | |
${{ matrix.make }} firefox-clean | |
rm -Rf ${{ runner.temp }}/install | |
mkdir ${{ runner.temp }}/install | |
# Recompile curl-impersonate statically when doing a release. | |
- name: Reconfigure statically | |
if: startsWith(github.ref, 'refs/tags/') && matrix.arch == 'x86_64' | |
run: | | |
./configure --prefix=${{ runner.temp }}/install --enable-static | |
- name: Reconfigure statically (cross compiling) | |
if: startsWith(github.ref, 'refs/tags/') && matrix.arch != 'x86_64' | |
run: | | |
./configure --prefix=${{ runner.temp }}/install \ | |
--enable-static \ | |
--host=${{ matrix.host }} \ | |
--with-zlib=${{ runner.temp }}/zlib \ | |
--with-ca-path=/etc/ssl/certs \ | |
--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt \ | |
--with-libnssckbi=/usr/lib/${{ matrix.host }}/nss | |
- name: Rebuild statically | |
if: startsWith(github.ref, 'refs/tags/') | |
run: | | |
${{ matrix.make }} chrome-build | |
${{ matrix.make }} chrome-checkbuild | |
${{ matrix.make }} chrome-install-strip | |
${{ matrix.make }} firefox-build | |
${{ matrix.make }} firefox-checkbuild | |
${{ matrix.make }} firefox-install-strip | |
- name: Create tar release files for curl-impersonate | |
if: startsWith(github.ref, 'refs/tags/') | |
run: | | |
cd ${{ runner.temp }}/install/bin | |
tar -c -z -f ${{ runner.temp }}/curl-impersonate-${{ github.ref_name }}.${{ matrix.host }}.tar.gz curl-impersonate-ff curl-impersonate-chrome curl_* | |
echo "release_file_bin=${{ runner.temp }}/curl-impersonate-${{ github.ref_name }}.${{ matrix.host }}.tar.gz" >> $GITHUB_ENV | |
- name: Upload release files | |
uses: softprops/action-gh-release@v1 | |
if: startsWith(github.ref, 'refs/tags/') | |
with: | |
files: | | |
${{ env.release_file_lib }} | |
${{ env.release_file_bin }} |