Commit Graph

650 Commits

Author SHA1 Message Date
Juliusz Sosinowicz 742a0267f2 trackmemory: raise timeout to 40 min for wolfEntropy runtime variance 2026-06-12 14:12:56 +02:00
Juliusz Sosinowicz 85d3bc2380 parallel-make-check: drop the --jobs option
wolfSSL's configure enables make's jobserver by default
(AX_AM_JOBSERVER([yes]) -> AM_MAKEFLAGS += -j<nproc+1> in aminclude.am),
and automake passes that explicit -j to every recursive sub-make, where
it overrides the invoking make's job limit. The script's -j therefore
only ever scheduled the outermost recursion hop: --jobs was inert.

Measured on a 4-CPU host with 10 build-only configs oversaturating the
worker pool, the jobserver default is also the better policy: capping
sub-makes via --disable-jobserver and -j2 dropped CPU utilization from
96% to 89% and lengthened the wall time, because configs' serial
phases (configure, link) stopped being backfilled by other configs'
compile jobs. So make is now invoked with no -j at all - parallelism
within a config comes from the configure-default jobserver - and the
misleading knob is gone, including the macOS job's --jobs 3.
2026-06-12 09:47:14 +00:00
Juliusz Sosinowicz 12597308de smoke-test, os-check: pin CCACHE_DIR to the cached path
The two jobs that manage their ccache cache manually rely on ccache's
XDG default (~/.cache/ccache) matching the actions/cache path. That
holds today, but nothing enforces it: a later change that sets
CCACHE_DIR (e.g. adopting the ccache-setup composite, which uses
~/.ccache) would silently decouple the build's cache from the
saved/restored directory. Pin CCACHE_DIR explicitly to the cached
path so the pairing is visible and cannot drift.
2026-06-12 09:47:13 +00:00
Juliusz Sosinowicz a62884599b CI review fixes: JSON validation, log volume, rm -rf, flag spelling
Address the Copilot review:
- parallel-make-check.py: validate "configure" (list of strings) and
  cflags/ldflags (strings) so a malformed entry fails the load instead
  of exploding a string into per-character configure arguments; print
  a single line for passing configs instead of dumping their full
  make-check.log into the CI log (failure dumps unchanged; the logs
  remain in build-<name>/ for the failure artifacts).
- Makefile.am: use rm -rf for the certs/input/quit setup and distclean
  cleanup. A --private-dir run replaces the certs symlink with a
  private directory copy that rm -f cannot remove (verified: make
  distclean in a build dir with a privatized certs/ now succeeds and
  removes it).
- psk.yml, disable-pk-algs.yml: normalize the single-dash tokens
  (-disable-rsa, -disable-ecc, -disable-aescbc, -enable-cryptonly)
  carried verbatim from the old matrices to the canonical double-dash
  form. No coverage change: configure honors single-dash spellings
  (verified -disable-rsa sets NO_RSA with no unrecognized-option
  warning), so these were always in effect; both touched configs
  re-validated end-to-end.

The --cc default stays "ccache gcc": ccache resolves the compiler
through its own masquerade symlinks (verified: no recursion and normal
cache hits with /usr/lib/ccache prepended to PATH), and the explicit
CC= also covers jobs that use ccache without the PATH masquerade.
2026-06-12 09:47:13 +00:00
Juliusz Sosinowicz 3a6c31a51e CI: pool the per-config runner matrices into parallel make-check jobs
Replace the one-runner-per-configuration matrices across the
make-check workflow family with a generic pooled runner,
.github/scripts/parallel-make-check.py. Each workflow keeps its
configuration list as JSON next to the invocation; one runner (or a
small fixed set of shards, balanced by measured per-config minutes)
builds every config in its own out-of-tree (VPATH) build directory off
a single checkout/autogen, on a pool of one-per-CPU worker threads,
longest first. Concurrent checks are isolated with bubblewrap network
namespaces, compilations are cached with ccache, the first failure
aborts the rest (fail-fast, with --no-fail-fast to run everything),
and per-config timings plus pool efficiency land in the step summary.
Failure logs upload as artifacts. smoke-test.yml is likewise reworked
into a single pooled job that runs its nine configs on one runner.

Converted workflows (runner jobs per full pass):
  os-check.yml             101 -> 8  (92 Ubuntu configs -> 4 shards;
                           the macOS matrix, the user-settings jobs and
                           the standalone
                           macos-apple-native-cert-validation.yml fold
                           into one macOS runner; Windows unchanged)
  pq-all.yml                21 -> 2 shards
  disable-pk-algs.yml       15 -> 1
  wolfCrypt-Wconversion.yml 11 -> 1
  trackmemory.yml            7 -> 1
  cryptocb-only.yml          8 -> 1  (incl. the two new SHA512 entries)
  multi-compiler.yml         6 -> 1
  smallStackSize.yml         6 -> 1
  multi-arch.yml             6 -> 1
  async.yml                  5 -> 1
  psk.yml                    5 -> 1
  no-malloc.yml              3 -> 1
  wolfsm.yml                 3 -> 1
  opensslcoexist.yml         2 -> 1

Measured against current upstream passing runs (job execution time,
queue excluded): ~200 runner jobs / ~374 runner-minutes per full pass
become 23 jobs / ~168 runner-minutes, with more coverage than before.
multi-arch's old matrix combined an "include" list of four
architectures with an "opts" axis; GitHub's include-merge rules made
each arch entry overwrite the previous one, so only the armel
combinations actually ran. The pooled list restores the intended
aarch64/armhf/riscv64 coverage (23 combinations; riscv64 x sp-math is
omitted as invalid - configure rejects sp-math without SP, and
--enable-riscv-asm, unlike --enable-sp-asm, does not bring SP in).

Out-of-tree build fixes this depends on:
- Makefile.am: symlink the read-only test data (certs/, tests/ config
  files, sniffer captures and helpers, examples/crypto_policies,
  input, quit) into the build tree via a BUILT_SOURCES stamp, removed
  again in distclean-local. ChangeToWolfRoot() and the script tests
  resolve everything relative to the working directory, so out-of-tree
  make check and make distcheck now pass.
- scripts/multi-msg-record.py: locate the client binary from the build
  tree working directory rather than the script's source directory.
- configure.ac + wolfssl/include.am: run
  support/gen-debug-trace-error-codes.sh from $srcdir; it reads the
  error-code headers from the source tree and generates into the build
  tree.
- tests/swdev: a WOLFBUILD variable points the sub-make at the build
  tree for the configure-generated headers (wolfssl/options.h,
  wolfssl/version.h); the in-tree-only guards are dropped.

Portions of PR #10649 are incorporated: the cross-platform
ccache-setup composite action, repository_owner gates on check-headers
and check-source-text, the docs-only paths-ignore on os-check, and the
libspdm timeout bumps.
2026-06-12 09:47:13 +00:00
night1rider aa7b7defba Switch to use merge branch for PR testing instead of HEAD Branch 2026-06-11 15:57:29 -06:00
Tobias Frauenschläger c73afe67a5 Fixes for Zephyr 4.4 2026-06-11 13:33:27 +02:00
Tobias Frauenschläger 0278d3a72e Reduce flash size for Arduino examples 2026-06-09 15:41:27 +02:00
David Garske bbace5a1cc Merge pull request #10494 from LinuxJedi/STM32MP13-SHAKE
Fix SHAKE with STM32MP13 and add simulator
2026-06-08 15:45:30 -07:00
Daniel Pouzzner 1943a6f33a Merge pull request #10550 from rizlik/sha512_only
add support for WOLF_CRYPTO_CB_ONLY_SHA512
2026-06-08 15:20:08 -05:00
Daniel Pouzzner 8fca95ce65 Merge pull request #10532 from rlm2002/zd21800
Remove chain walk for OCSP responder
2026-06-05 16:27:00 -05:00
Michael Rogov Papernov 5d810f4625 fix membrowse report group 2026-06-04 21:04:16 +01:00
Marco Oliverio 0314b3fed2 cryptocb: support WOLF_CRYPTO_CB_ONLY_SHA512 2026-06-04 20:21:50 +02:00
Daniel Pouzzner 3bf1ae36a7 Merge pull request #10539 from julek-wolfssl/misc/20260527
Guard test_wrong_cs_downgrade on SHA-384 cipher suite; enable SHA disables in minimal DTLS os-check build
2026-06-03 22:50:57 -05:00
Daniel Pouzzner df9f3e4cf9 Merge pull request #10377 from jackctj117/DTLS13-Kernel
docs(linuxkm): document DTLS 1.3 configure flags
2026-06-03 17:58:25 -05:00
Andrew Hutchings 61a77e2dd6 Add lots more membrowse platforms
Lots more ARM Cortex, RiscV, AArch64, linuxkm and some Zephyr
2026-06-03 11:21:35 +01:00
Ruby Martin 5c3100ed5c Remove non-RFC-compliant OCSP responder chain walk. The chain walk
authorized any responder issued by an ancestor of the target's issuer;
  RFC 6960 4.2.2.2 requires direct issuance by the CA identified in the
  request.

    - Remove CheckOcspResponderChain() and WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK.
    - Drop now-unused vp parameter from CheckOcspResponder() and the
      OcspRespCheck() helper; cascade through template and non-template
      paths.

  OCSP test blobs:

    - Re-sign resp_server1_cert with intermediate1-ca (CA-direct path).
    - Add resp_server1_cert_ancestor_responder for the negative test.
    - Embed server1_cert_pem[] in test_ocsp_test_blobs.h so the new test
      runs under NO_FILESYSTEM; matching entry added to
      create_ocsp_test_blobs.py.
    - Regenerate response[] in test_certman.c with intermediate1-ca as
      signer; recipe switched from Wireshark export to openssl -respout
      + xxd -i for reproducibility.
    - Fix self-XOR in test_wolfSSL_CertManagerCheckOCSPResponse so the
      serial byte actually flips (^= 0xFF).

  Live OCSP coverage:

    - Add ocsp-responder-int1 (delegated responder issued directly by
      intermediate1-ca, with id-kp-OCSPSigning EKU) for the
      responder->intermediate->root chain.
    - scripts/ocsp-stapling.test: intermediate1 responder switched to
      ocsp-responder-int1 (delegated path).
    - scripts/ocsp-stapling2.test, scripts/ocsp-stapling_tls13multi.test:
      intermediate2 and intermediate3 sign their OCSP responses with
      their own CA keys (CA-direct path); root block unchanged
      (ocsp-responder-cert is still RFC-compliant for root-issued certs).
    - .github/workflows/ocsp.yml: server1 OCSP responder switched to
      ocsp-responder-int1 to match the cert chain.
    - New test_ocsp_ancestor_responder_rejected confirms the
      ancestor-issued response is rejected with OCSP_LOOKUP_FAIL.
2026-06-02 16:20:37 -06:00
Juliusz Sosinowicz 2703458535 ci: don't run membrowse workflows on forks
Forks with Actions enabled would otherwise run the membrowse build matrix on push/workflow_dispatch and report fork builds to the membrowse backend. Guard the jobs in both workflows with github.repository_owner == 'wolfssl' (combined with the existing draft check in the report workflow), matching tls-anvil.yml and coverity-scan-fixes.yml.

Also default the analyze/onboard matrix to '[]' so strategy expansion does not error when load-targets is skipped on forks or draft PRs.
2026-06-01 18:08:37 +02:00
JacobBarthelmeh f6f27652dd Merge pull request #10495 from LinuxJedi/PIC32MZ-Sim
Add PIC32MZ emulator tests
2026-05-29 16:21:15 -06:00
Juliusz Sosinowicz aff7885baf Guard test_wrong_cs_downgrade on SHA-384 cipher suite; enable SHA disables in minimal DTLS os-check build 2026-05-28 19:36:19 +00:00
Michael Rogov Papernov bddf76d4d1 fix memory report and add path filter 2026-05-27 19:18:00 +01:00
David Garske 08022ffebf CI: cache compiler output in os-check Ubuntu matrix
- Add .github/actions/ccache-setup composite (ccache + PATH intercept).
- Wire into os-check.yml make_check_linux; macOS unchanged for now.
- Measured on master --enable-all: cold 11.6s -> warm 1.1s (~10x), 100% hit.
2026-05-26 10:36:49 -07:00
David Garske a3f5260260 Merge pull request #10500 from rizlik/sha224_only
crpytocb: support SHA224 under WOLF_CRYPTO_CB_ONLY_SHA256
2026-05-26 08:05:47 -07:00
Tobias Frauenschläger 637c07798a Finalize ML-DSA renaming 2026-05-26 14:54:30 +02:00
David Garske b0d2b10c6b GH Actions: retrigger Jenkins PRB when draft PR is marked ready 2026-05-22 15:14:50 -07:00
David Garske 6605060b18 CI: more smoke coverage + header self-sufficiency
- Add AddressSanitizer entry to smoke matrix (--enable-all + -fsanitize=address).
- Add check-headers workflow: 214 public wolfssl/*.h compile standalone.
- Fix quic.h, rng_bank.h, Renesas/renesas-fspsm-crypt.h to be self-sufficient.
- Remove no-tls.yml (its single config is already covered by os-check.yml).
2026-05-21 14:37:11 -07:00
David Garske 7f80896033 CI optimizations
- Skip CI for draft PRs and redundant master-push re-runs; membrowse nightly.
- Add smoke test (8 configs, CFLAGS=-Werror, post-merge tree, fail-fast on conflicts).
- Add wait-for-smoke composite action for downstream CI gating.
- Add check-source-text + bash -n + shellcheck workflow (script in make dist).
- Cache apt-get update in install-apt-deps composite on cache hit.
2026-05-21 13:19:29 -07:00
Marco Oliverio 0c8cabedff crpytocb: support SHA224 under WOLF_CRYPTO_CB_ONLY_SHA256 2026-05-19 10:22:06 +02:00
David Garske 145a4fac69 Merge pull request #10449 from LinuxJedi/TropicSim
Add TROPIC01 simulator
2026-05-18 16:34:25 -07:00
David Garske ec101bae98 Merge pull request #10149 from julek-wolfssl/refactor-middle-padding
Refactor record padding handling to eliminate middle padding pattern
2026-05-18 16:34:10 -07:00
Andrew Hutchings ecdf170a91 Fix SHAKE with STM32MP13 and add simulator
This fixes the fact that you can't compile SHAKE when SHA-3 hardware
acceleration is enabled for STM32. It also adds the STM32MP13 emulator
with hardware support from the simulators repo.
2026-05-18 14:56:53 -07:00
Andrew Hutchings f60dc63dad Add PIC32MZ emulator tests
Adds PIC32MZ EC / EF emulators with hardware acceleration. Also fix a
stack pointer free bug in the PIC32 hardware acceleration code.
2026-05-18 14:48:30 -07:00
David Garske 9096bcc8fa Merge pull request #10393 from JacobBarthelmeh/opensslextra
support build --enable-opensslextra with NO_BIO and NO_FILESYSTEM
2026-05-17 22:33:23 -07:00
David Garske 156c088f3c Merge pull request #10475 from julek-wolfssl/ci-apt-cache
ci: switch direct apt usage to install-apt-deps action
2026-05-17 22:19:43 -07:00
David Garske e0f1ae2af8 Merge pull request #10477 from Frauschi/arduino
Improve Arduino CI test
2026-05-17 22:19:31 -07:00
JacobBarthelmeh 3bca71be0b add test case for NO_BIO and NO_FILESYSTEM build with opensslextra 2026-05-15 10:38:24 -06:00
David Garske 460a87119e Merge pull request #10351 from rizlik/cryptocbonly
CRYPTOCB_ONLY: add test infra + SHA256 + AES
2026-05-14 10:37:39 -07:00
Juliusz Sosinowicz b9fad30bee Install tlslite-ng in os-check workflow so multi-msg-record test runs 2026-05-14 13:10:13 +02:00
Sean Parkinson 81cce394db Merge pull request #10440 from JeremiahM37/gh10423
fix NO_VERIFY_OID build in GetOID
2026-05-14 20:02:06 +10:00
Tobias Frauenschläger 97183e873a Improve Arduino CI test
* Remove test platforms not required for test coverage
* Install only required dependencies
* Make flaky configs "continue-on-error"
2026-05-13 20:59:35 +02:00
rizlik e03bc94742 swdev: add AES-ECB only testing option 2026-05-13 16:18:52 +02:00
rizlik b1a3d72854 github ci: minor rewording 2026-05-13 16:18:52 +02:00
rizlik c5ef060139 WOLF_CRYPTO_CB_ONLY_AES: add support + swdev for testing
Modes (CTR, GCM, CCM, etc.) can be supported either directly or fallback
to invoking the crypto callback with a "direct" (ECB) mode.
Software implementation and AES tables are stripped under CB_ONLY_AES.

wc_swdev gains AES support so WOLF_CRYPTO_CB_ONLY_AES builds can be
tested.

crypto find cb support added to wc_AesSetKey in order to support current
CI tests that use INVALID_DEVID.
2026-05-13 16:18:52 +02:00
rizlik 61bfff1dac WOLF_CRYPTO_CB_ONLY_SHA256: strip software SHA-256 and dispatch via swdev
Add WOLF_CRYPTO_CB_ONLY_SHA256: when set, the SHA-256 software.
wc_Sha256FinalRaw is reduced to a stub returning NO_VALID_DEVID, and
sha256.h force-defines WOLFSSL_NO_HASH_RAW so the constant-time TLS HMAC
path falls back to its backend-opaque variant.

Incompatible with
WOLFSSL_SHA224, which aliases the SHA-256 statics; #error guard added.

Add wc_swdev support for SHA-256 for testing.
2026-05-13 16:18:51 +02:00
rizlik 0f82b9e5fb tests/swdev: add scaffolding for WOLF_CRYPTO_CB_ONLY_* testing
Add a software crypto-callback device (wc_swdev) that lets the wolfcrypt
test suite run under WOLF_CRYPTO_CB_ONLY_* flags without per-test devId
plumbing.  The bundle is a separately-compiled second copy of wolfcrypt
(software implementations enabled, WOLF_CRYPTO_CB_ONLY_* stripped) linked
into testwolfcrypt as a single relocatable object; every symbol is demoted
to local via objcopy --keep-global-symbol except wc_SwDev_Callback, so there
is no collision with the main libwolfssl.

A find callback routes unbound operations (devId == INVALID_DEVID) to the
swdev while letting real device IDs pass through.

wc_SwDev_Init / wc_SwDev_Cleanup hooks are wired into wolfcrypt/test/test.c.
cryptocb_test's WOLF_CRYPTO_CB_FIND and WOLF_CRYPTO_CB_ONLY_RSA blocks are
gated off under WOLFSSL_SWDEV.

Enable via --enable-swdev (requires --enable-cryptocb).
2026-05-13 16:18:51 +02:00
Tobias Frauenschläger 61e7e07720 Move membrowse CI workflows to install-apt-deps action 2026-05-13 15:49:32 +02:00
Juliusz Sosinowicz f2bfa1b932 ci: switch direct apt usage to install-apt-deps action
multi-arch.yml and linuxkm.yml were installing apt packages with inline
shell commands. Replace them with the install-apt-deps composite action
for consistent retry behavior and caching.
2026-05-13 11:26:33 +00:00
Tobias Frauenschläger d11b5cd648 Add timeout to membrowse CI tests 2026-05-13 12:07:03 +02:00
JeremiahM37 cb1f8002df ci: add NO_VERIFY_OID os-check matrix entries 2026-05-12 20:40:58 +00:00
Andrew Hutchings 90359f90e1 Add STM32 emulator from simulators repo
This tests a lot more than the Renode STM32H753 test, so this PR removes
that and adds our own emulator for STM32H753 and STM32U585. This
includes testing the v1 and v2 HAL CRYP / HASH / PKA functionality.
2026-05-12 20:17:11 +02:00