CI: more smoke coverage + header self-sufficiency

- Add AddressSanitizer entry to smoke matrix (--enable-all + -fsanitize=address).
- Add check-headers workflow: 214 public wolfssl/*.h compile standalone.
- Fix quic.h, rng_bank.h, Renesas/renesas-fspsm-crypt.h to be self-sufficient.
- Remove no-tls.yml (its single config is already covered by os-check.yml).
This commit is contained in:
David Garske
2026-05-21 13:59:18 -07:00
parent 7f80896033
commit 6605060b18
7 changed files with 171 additions and 63 deletions
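--- /dev/null
+++ b/.github/scripts/check-headers.sh
@@ -0,0 +1,99 @@
+#!/usr/bin/env bash
+#
+# check-headers.sh
+#
+# Verifies that every public-facing wolfSSL header compiles standalone
+# from a fresh consumer's perspective:
+#
+# #include <wolfssl/options.h>
+# #include <wolfssl/...the header...>
+# int main(void) { return 0; }
+#
+# Catches the common breakage where a header silently relies on a
+# transitive include from an earlier `.c` file and stops compiling
+# when downstream code includes it first.
+#
+# Requires:
+# * ./configure has been run (so wolfssl/options.h exists).
+# * gcc and standard build env.
+#
+# Usage:
+# .github/scripts/check-headers.sh # scan default header set
+# .github/scripts/check-headers.sh <files> # scan a specific list
+set -u
+ROOT="$(git rev-parse --show-toplevel)"
+cd "$ROOT" || exit 2
+if [ ! -f wolfssl/options.h ]; then
+echo "::error::wolfssl/options.h not found - run ./configure first" >&2
+exit 2
+fi
+CC="${CC:-gcc}"
+GHA="${GITHUB_ACTIONS:-}"
+emit() {
+local file="$1" msg="$2"
+if [ -n "$GHA" ]; then
+printf '::error file=%s,line=1,title=header-self-include::%s\n' "$file" "$msg"
+else
+printf '%s: %s\n' "$file" "$msg"
+fi
+}
+# Default scope: public wolfssl headers excluding vendor/port subdirs and
+# files that are intentionally not standalone-includable.
+if [ "$#" -gt 0 ]; then
+HEADERS=("$@")
+else
+# Exclusions:
+# * generated / private / test-data headers.
+# * wolfcrypt math backends (tfm vs sp_int are mutually exclusive).
+# * port/* headers whose first-line vendor SDK include can't be
+# satisfied in a generic CI environment (mcapi.h, kcapi.h,
+# em_device.h, fsl_dcp.h, hw/inout.h, etc.) or that reference
+# vendor-only types. Fix the offending header's vendor #include
+# with an #ifdef guard and drop the exclusion in a follow-up.
+mapfile -t HEADERS < <(
+git ls-files 'wolfssl/*.h' 'wolfssl/wolfcrypt/*.h' \
+'wolfssl/wolfcrypt/port/**/*.h' 'wolfssl/openssl/*.h' \
+| grep -vE '^wolfssl/(options|internal|certs_test|certs_test_sm|debug-trace-error-codes|debug-untrace-error-codes)\.h$' \
+| grep -vE '^wolfssl/wolfcrypt/(fips_test|selftest|tfm)\.h$' \
+| grep -vE '^wolfssl/wolfcrypt/port/aria/aria-crypt(ocb)?\.h$' \
+| grep -vE '^wolfssl/wolfcrypt/port/autosar/(CryIf|Crypto)\.h$' \
+| grep -vE '^wolfssl/wolfcrypt/port/caam/(caam_driver|caam_qnx|wolfcaam_hash)\.h$' \
+| grep -vE '^wolfssl/wolfcrypt/port/kcapi/' \
+| grep -vE '^wolfssl/wolfcrypt/port/nxp/(dcp_port|se050_port)\.h$' \
+| grep -vE '^wolfssl/wolfcrypt/port/Renesas/(renesas_fspsm_internal|renesas-rx64-hw-crypt|renesas-tsip-crypt|renesas_tsip_internal)\.h$' \
+| grep -vE '^wolfssl/wolfcrypt/port/silabs/silabs_aes\.h$'
+)
+fi
+TMPDIR="$(mktemp -d)"
+trap 'rm -rf "$TMPDIR"' EXIT
+FAIL=0
+PASS=0
+for h in "${HEADERS[@]}"; do
+[ -f "$h" ] || continue
+cat > "$TMPDIR/test.c" <<EOF
+#include <wolfssl/options.h>
+#include <$h>
+int main(void) { return 0; }
+EOF
+if out="$("$CC" -I. -c -o /dev/null "$TMPDIR/test.c" 2>&1)"; then
+PASS=$((PASS + 1))
+else
+FAIL=$((FAIL + 1))
+first_err="$(printf '%s' "$out" | grep -E 'error:' | head -1 | sed 's/.*error: //')"
+emit "$h" "header does not compile standalone: ${first_err:-(see build log)}"
+if [ -z "$GHA" ]; then
+printf '%s\n' "$out" | head -8 | sed 's/^/ /'
+fi
+fi
+done
+echo "check-headers: $PASS pass, $FAIL fail"
+[ "$FAIL" -eq 0 ]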
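Review bot: An empty header list passes silently — if the `git ls-files` globs or the `grep -vE` exclusions in the `mapfile` block ever drift so that nothing survives, the `for h in "${HEADERS[@]}"` loop never runs, the script prints `check-headers: 0 pass, 0 fail` and exits 0, and the workflow stays green without having checked anything. Add a guard before the loop, e.g. `[ "${#HEADERS[@]}" -gt 0 ] || { echo "::error::check-headers: no headers selected" >&2; exit 2; }`; counting the headers actually compiled rather than the array length would also catch an explicit file list whose entries are all skipped by `[ -f "$h" ] || continue`. Separately, `TMPDIR` is the environment variable that `mktemp` and the compiler themselves consult, and `mktemp -d` failing leaves it empty, so prefer a lower-case name with the status checked: `tmpdir="$(mktemp -d)" || exit 2` and `trap 'rm -rf -- "${tmpdir:?}"' EXIT`.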
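--- /dev/null
+++ b/.github/workflows/check-headers.yml
@@ -0,0 +1,43 @@
+name: Check Headers
+# Verifies every public-facing wolfSSL header compiles standalone with
+# only wolfssl/options.h included first. Catches the common breakage
+# where a header silently relies on a transitive include from an
+# earlier .c file and stops compiling from a fresh consumer.
+#
+# Runs on drafts (fast static check).
+on:
+push:
+branches: [ master, main ]
+pull_request:
+types: [opened, synchronize, reopened, ready_for_review]
+branches: [ master, main ]
+concurrency:
+group: check-headers-${{ github.workflow }}-${{ github.ref }}
+cancel-in-progress: true
+permissions:
+contents: read
+jobs:
+check:
+runs-on: ubuntu-24.04
+timeout-minutes: 10
+steps:
+- uses: actions/checkout@v4
+- name: Install dependencies
+uses: ./.github/actions/install-apt-deps
+with:
+packages: autoconf automake libtool build-essential
+- name: autogen
+run: ./autogen.sh
+- name: configure --enable-all
+run: ./configure --enable-all
+- name: Run check-headers
+run: ./.github/scripts/check-headers.sh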
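Review bot: `uses: actions/checkout@v4` on the first step resolves a mutable tag, so for a newly added workflow it is worth pinning the action to a full commit SHA with the version kept in a trailing comment, `uses: actions/checkout@<full-commit-sha> # v4` (sha is a placeholder), so the code the job runs cannot change underneath it; this complements the `permissions: contents: read` restriction already present here, which is the right default. The `--disable-tls` workflow removed in this same commit gated its job on `github.repository_owner == 'wolfssl'`; leaving that out here is presumably deliberate because the check is cheap and has no secrets, but a one-line comment next to `jobs:` saying it is meant to run on forks too would stop a later reader from re-adding the gate.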
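--- a/.github/workflows/no-tls.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-name: --disable-tls Tests
-# START OF COMMON SECTION
-on:
-push:
-branches: [ 'release/**' ]
-pull_request:
-types: [opened, synchronize, reopened, ready_for_review]
-branches: [ '*' ]
-concurrency:
-group: ${{ github.workflow }}-${{ github.ref }}
-cancel-in-progress: true
-# END OF COMMON SECTION
-jobs:
-make_check:
-strategy:
-matrix:
-config: [
-# Add new configs here
-'--disable-tls --enable-all CFLAGS="-pedantic -Wdeclaration-after-statement -Wnull-dereference -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
-]
-name: make check
-if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
-runs-on: ubuntu-24.04
-# This should be a safe limit for the tests to run.
-timeout-minutes: 6
-steps:
-- uses: actions/checkout@v4
-name: Checkout wolfSSL
-- name: Test wolfSSL
-run: |
-./autogen.sh
-./configure ${{ matrix.config }}
-make -j 4
-make check
-- name: Print errors
-if: ${{ failure() }}
-run: |
-for file in scripts/*.log
-do
-if [ -f "$file" ]; then
-echo "${file}:"
-cat "$file"
-echo "========================================================================"
-fi
-done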
+20 -4
@@ -62,6 +62,12 @@ jobs:
args: "--enable-psk --enable-dtls --enable-dtls13 --enable-dtls-mtu --enable-aesccm --enable-opensslextra"
- name: integration
args: "--enable-openssh --enable-lighty --enable-stunnel --enable-opensslextra"
# AddressSanitizer (UBSAN excluded - current master has known
# left-shift UB in auto-generated SP math).
- name: sanitize-asan
args: "--enable-all"
cflags: "-fsanitize=address -fno-omit-frame-pointer -g -O1"
ldflags: "-fsanitize=address"
env:
MAKE_CFLAGS: "-Werror"
steps:
@@ -111,10 +117,20 @@ jobs:
if: steps.merge_check.outputs.skip != 'true'
run: ./configure ${{ matrix.config.args }}
- name: make (CFLAGS=-Werror)
- name: make
if: steps.merge_check.outputs.skip != 'true'
run: make -j$(nproc) CFLAGS="$MAKE_CFLAGS"
env:
ENTRY_CFLAGS: ${{ matrix.config.cflags }}
ENTRY_LDFLAGS: ${{ matrix.config.ldflags }}
run: |
FLAGS="${ENTRY_CFLAGS:-$MAKE_CFLAGS}"
make -j"$(nproc)" CFLAGS="$FLAGS" LDFLAGS="$ENTRY_LDFLAGS"
- name: make check (CFLAGS=-Werror)
- name: make check
if: steps.merge_check.outputs.skip != 'true'
run: make check CFLAGS="$MAKE_CFLAGS"
env:
ENTRY_CFLAGS: ${{ matrix.config.cflags }}
ENTRY_LDFLAGS: ${{ matrix.config.ldflags }}
run: |
FLAGS="${ENTRY_CFLAGS:-$MAKE_CFLAGS}"
make check CFLAGS="$FLAGS" LDFLAGS="$ENTRY_LDFLAGS"
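Review bot: `FLAGS="${ENTRY_CFLAGS:-$MAKE_CFLAGS}"` in both the `make` and `make check` steps replaces `-Werror` instead of adding to it, so the new `sanitize-asan` matrix entry — whose `cflags` value does not contain `-Werror` — becomes the one entry built without warnings-as-errors, and the step rename from `make (CFLAGS=-Werror)` to `make` hides that. If the intent is sanitizer flags on top of the existing policy, use `FLAGS="$MAKE_CFLAGS${ENTRY_CFLAGS:+ $ENTRY_CFLAGS}"` in both steps; if ASan builds are known not to be `-Werror`-clean, say so in the comment above the `sanitize-asan` entry so the drop is visible. Note also that `LDFLAGS="$ENTRY_LDFLAGS"` is now passed on the make command line for every entry, including those without `ldflags`, which overrides whatever configure recorded as LDFLAGS with an empty value; that is harmless only as long as none of the configure invocations in the matrix set LDFLAGS themselves, which appears to be the case here.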
+7 -9
@@ -35,13 +35,10 @@
#ifndef NO_STDINT_H
#include <stdint.h>
#endif
#include <stddef.h> /* size_t */
/* QUIC operates on three encryption levels which determine
* which keys/algos are used for de-/encryption. These are
* kept separately for incoming and outgoing data and.
* Due to the nature of UDP, more than one might be in use
* at the same time due to resends or out-of-order arrivals.
*/
/* Defined before ssl.h: openssl/ssl.h pulls quic.h mid-include and
* references WOLFSSL_ENCRYPTION_LEVEL and WOLFSSL_QUIC_METHOD. */
typedef enum wolfssl_encryption_level_t {
wolfssl_encryption_initial = 0,
wolfssl_encryption_early_data,
@@ -49,11 +46,12 @@ typedef enum wolfssl_encryption_level_t {
wolfssl_encryption_application
} WOLFSSL_ENCRYPTION_LEVEL;
/* All QUIC related callbacks to the application.
*/
typedef struct wolfssl_quic_method_t WOLFSSL_QUIC_METHOD;
#include <wolfssl/ssl.h>
/* All QUIC related callbacks to the application. */
struct wolfssl_quic_method_t {
/**
* Provide secrets to the QUIC stack when they become available in the SSL
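Review bot: The new `#include <wolfssl/ssl.h>` sits between the forward `typedef struct wolfssl_quic_method_t WOLFSSL_QUIC_METHOD;` and the struct definition, and the comment added in the first hunk says `openssl/ssl.h` pulls quic.h back in mid-include; that is only well-defined if this header's own include guard is already defined above the `#ifndef NO_STDINT_H` block (outside these hunks), otherwise the re-entrant include would present the enum typedef a second time. The ordering comment should state that dependency explicitly, e.g. `/* ssl.h is included here, after our guard and the two typedefs it needs, so the re-entrant quic.h include from openssl/ssl.h is a no-op. */`. The first hunk also drops the only description of the encryption levels (keys kept separately for incoming and outgoing data, several levels live at once because of UDP resends and out-of-order arrival); unless that paragraph moved somewhere outside the hunk, keep it next to the enum alongside the new ordering note, since the enum's meaning is otherwise undocumented.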
@@ -22,6 +22,7 @@
#define __RENESAS_FSPSM_CRYPT_H__
#include <wolfssl/wolfcrypt/port/Renesas/renesas-fspsm-types.h>
#include <stdint.h> /* uint8_t */
#ifdef __cplusplus
extern "C" {
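Review bot: `#include <stdint.h> /* uint8_t */` is added here unconditionally, whereas the quic.h hunk in this same commit wraps the identical include in `#ifndef NO_STDINT_H` … `#endif`; a Renesas port header is plausibly one of the targets where that knob is set, so use the same guard here for consistency: `#ifndef NO_STDINT_H` / `#include <stdint.h> /* uint8_t */` / `#endif`. If the FSP toolchain is known to always ship stdint.h and the guard is skipped on purpose, a short comment on the include saying so would keep a later contributor from "fixing" it. The enclosing header guard block starts outside the hunk.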
+1
@@ -32,6 +32,7 @@
#define WOLF_CRYPT_RNG_BANK_H
#include <wolfssl/wolfcrypt/types.h>
#include <wolfssl/wolfcrypt/random.h>
#ifdef WC_RNG_BANK_SUPPORT