--- /dev/null
+name: TKM
+
+on: [push, pull_request]
+
+env:
+ CCACHE_DIR: ${{ github.workspace }}/.ccache
+ CCACHE_CONTAINER: /root/.ccache
+ CCACHE_COMPILERCHECK: content
+ CCACHE_COMPRESS: true
+ CCACHE_MAXSIZE: 200M
+
+jobs:
+ pre-check:
+ runs-on: ubuntu-latest
+ outputs:
+ should_skip: ${{ steps.skip-check.outputs.should_skip }}
+ steps:
+ - id: skip-check
+ uses: fkirc/skip-duplicate-actions@master
+ with:
+ concurrent_skipping: 'same_content'
+
+ tkm:
+ needs: pre-check
+ if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
+ runs-on: ubuntu-latest
+ env:
+ TEST: tkm
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions/cache@v2
+ with:
+ path: ${{ env.CCACHE_DIR }}
+ key: ccache-tkm-${{ github.sha }}
+ restore-keys: |
+ ccache-tkm-
+ - name: Build Docker Image
+ run: docker build -t strongswan-tkm -f testing/tkm/Dockerfile testing
+ - name: Run Tests in Container
+ uses: addnab/docker-run-action@v3
+ with:
+ image: strongswan-tkm
+ shell: bash
+ options: |
+ --cap-add net_admin
+ -v ${{ github.workspace }}:/strongswan
+ -v ${{ env.CCACHE_DIR }}:${{ env.CCACHE_CONTAINER }}
+ -e CCACHE_DIR=${{ env.CCACHE_CONTAINER }}
+ -e CCACHE_COMPILERCHECK
+ -e CCACHE_COMPRESS
+ -e CCACHE_MAXSIZE
+ run: |
+ ccache -z
+ autoreconf -i /strongswan || exit 1
+ CFLAGS="-g -O2 -Wall -Wno-format -Wno-format-security -Wno-pointer-sign -Werror" \
+ /strongswan/configure --disable-defaults --enable-silent-rules \
+ --enable-ikev2 --enable-kernel-netlink --enable-openssl \
+ --enable-pem --enable-socket-default --enable-swanctl \
+ --enable-tkm || exit 1
+ # run tests without TKM first
+ make -j check TESTS_RUNNERS=tkm || exit 1
+
+ # generate TKM config
+ /usr/local/share/tkm/generate-config.sh
+
+ # start TKM in the background
+ tkm_keymanager -c tkm.conf -k key.der -r ca.der:1 >/tmp/tkm.log &
+ # run the tests against TKM and get TKM log
+ make -j check TESTS_RUNNERS=tkm TESTS_TKM=1 || exit 1
+ cat /tmp/tkm.log
+ ccache -s
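Review bot: Both third-party actions are referenced by mutable refs, `fkirc/skip-duplicate-actions@master` in the pre-check job and `addnab/docker-run-action@v3` in the tkm job, so whatever those refs point to at run time executes with the workflow token. The docker step additionally has the checked-out workspace mounted. Pin each to a full commit SHA, for example `uses: fkirc/skip-duplicate-actions@<full-commit-sha>  # <release tag>`, and let a dependency updater move the pin. The workflow also declares no `permissions:` key, so the token gets the repository default. Setting the minimum at the top (`contents: read`, plus whatever the skip check needs, probably an `actions:` scope; confirm against that action's documentation) would bound what a compromised step can do.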
--- /dev/null
+# Container for TKM testing
+#
+# Build and usage (called from repository root):
+#
+# docker build -t strongswan-tkm -f testing/tkm/Dockerfile testing
+#
+# docker run -it --rm --cap-add net_admin -v $PWD:/strongswan strongswan-tkm
+#
+# In the container, this may be used to configure strongSwan with TKM support:
+#
+# /strongswan/configure --disable-defaults --enable-silent-rules --enable-ikev2 --enable-kernel-netlink --enable-openssl --enable-pem --enable-socket-default --enable-swanctl --enable-tkm
+#
+# The following script can be used to generate private key, CA cert and example
+# config for TKM:
+#
+# /usr/local/share/tkm/generate-config.sh
+#
+# Run TKM in the background with:
+#
+# tkm_keymanager -c tkm.conf -k key.der -r ca.der:1 >/tmp/tkm.log &
+#
+# Then tests for charon-tkm can be run against TKM:
+#
+# make -j check TESTS_RUNNERS=tkm TESTS_TKM=1
+
+FROM debian:bullseye
+
+ARG packages="autoconf automake bison build-essential ca-certificates ccache \
+flex gettext git gperf libssl-dev libtool pkg-config \
+gnat gprbuild libahven9-dev libxmlada-schema10-dev libgmpada10-dev \
+libalog6-dev"
+
+RUN apt-get update && \
+ DEBIAN_FRONTEND=noninteractive apt-get install -qq -y \
+ --no-install-recommends \
+ $packages \
+ && rm -rf /var/lib/apt/lists/*
+
+COPY scripts/recipes/*.mk /tmp/recipes/
+
+RUN cd /tmp/recipes \
+ && make -f 004_spark-crypto.mk \
+ && make -f 005_anet.mk \
+ && make -f 006_tkm-rpc.mk \
+ && make -f 007_x509-ada.mk \
+ && make -f 008_xfrm-ada.mk \
+ && make -f 009_xfrm-proxy.mk \
+ && make -f 010_tkm.mk \
+ && rm -rf /tmp/recipes
+
+ENV ADA_PROJECT_PATH /usr/local/ada/lib/gnat
+ENV PATH /usr/lib/ccache:$PATH
+
+COPY tkm/generate-config.sh /usr/local/share/tkm/
+COPY tests/tkm/host2host-initiator/hosts/moon/etc/tkm/tkm.conf /usr/local/share/tkm/
+
+WORKDIR /build
+
+CMD [ "bash" ]
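Review bot: The image is not reproducible from what this file pins: `FROM debian:bullseye` floats with the tag, and the recipe makefiles copied from `scripts/recipes/` are built with no integrity check visible here. Those recipes are outside this hunk; if they fetch sources over the network by branch or tag, they should check out fixed commit ids or verify checksums, because everything they install ends up in the image that builds and tests the daemon. Pinning the base as `FROM debian:bullseye@sha256:<digest>` closes the other gap. As a style point, the two `ENV` lines use the legacy space-separated form; `ENV PATH=/usr/lib/ccache:$PATH` is the current syntax.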
--- /dev/null
+#!/bin/bash
+
+openssl genrsa -out key.pem 2048
+openssl rsa -in key.pem -outform der -out key.der
+
+openssl req -x509 -nodes -newkey rsa:4096 -keyout cakey.pem -outform der \
+ -out ca.der -sha256 -subj "/CN=CA" -addext basicConstraints=critical,CA:TRUE
+
+tkm_cfgtool -c /usr/local/share/tkm/tkm.conf -i swanctl.conf \
+ -t tkm.conf -s /usr/local/share/tkm/tkmconfig.xsd
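Review bot: The script has no error handling, so a failed `openssl` call still falls through to `tkm_cfgtool`, and a caller can go on to start the key manager with a missing or stale `key.der` or `ca.der`. Add `set -e` directly after the shebang so the first failing step aborts with a non-zero status. The private keys are written to the current directory under whatever umask is in effect; `umask 077` before the first `openssl` call makes owner-only permissions explicit. `cakey.pem` is written unencrypted because of `-nodes` and is not referenced again in this script, so a final `rm -f cakey.pem` would avoid leaving it behind if nothing else needs it.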