Commit Graph

14 Commits

Author SHA1 Message Date
Juliusz Sosinowicz 3a6c31a51e CI: pool the per-config runner matrices into parallel make-check jobs
Replace the one-runner-per-configuration matrices across the
make-check workflow family with a generic pooled runner,
.github/scripts/parallel-make-check.py. Each workflow keeps its
configuration list as JSON next to the invocation; one runner (or a
small fixed set of shards, balanced by measured per-config minutes)
builds every config in its own out-of-tree (VPATH) build directory off
a single checkout/autogen, on a pool of one-per-CPU worker threads,
longest first. Concurrent checks are isolated with bubblewrap network
namespaces, compilations are cached with ccache, the first failure
aborts the rest (fail-fast, with --no-fail-fast to run everything),
and per-config timings plus pool efficiency land in the step summary.
Failure logs upload as artifacts. smoke-test.yml is likewise reworked
into a single pooled job that runs its nine configs on one runner.

Converted workflows (runner jobs per full pass):
  os-check.yml             101 -> 8  (92 Ubuntu configs -> 4 shards;
                           the macOS matrix, the user-settings jobs and
                           the standalone
                           macos-apple-native-cert-validation.yml fold
                           into one macOS runner; Windows unchanged)
  pq-all.yml                21 -> 2 shards
  disable-pk-algs.yml       15 -> 1
  wolfCrypt-Wconversion.yml 11 -> 1
  trackmemory.yml            7 -> 1
  cryptocb-only.yml          8 -> 1  (incl. the two new SHA512 entries)
  multi-compiler.yml         6 -> 1
  smallStackSize.yml         6 -> 1
  multi-arch.yml             6 -> 1
  async.yml                  5 -> 1
  psk.yml                    5 -> 1
  no-malloc.yml              3 -> 1
  wolfsm.yml                 3 -> 1
  opensslcoexist.yml         2 -> 1

Measured against current upstream passing runs (job execution time,
queue excluded): ~200 runner jobs / ~374 runner-minutes per full pass
become 23 jobs / ~168 runner-minutes, with more coverage than before.
multi-arch's old matrix combined an "include" list of four
architectures with an "opts" axis; GitHub's include-merge rules made
each arch entry overwrite the previous one, so only the armel
combinations actually ran. The pooled list restores the intended
aarch64/armhf/riscv64 coverage (23 combinations; riscv64 x sp-math is
omitted as invalid - configure rejects sp-math without SP, and
--enable-riscv-asm, unlike --enable-sp-asm, does not bring SP in).

Out-of-tree build fixes this depends on:
- Makefile.am: symlink the read-only test data (certs/, tests/ config
  files, sniffer captures and helpers, examples/crypto_policies,
  input, quit) into the build tree via a BUILT_SOURCES stamp, removed
  again in distclean-local. ChangeToWolfRoot() and the script tests
  resolve everything relative to the working directory, so out-of-tree
  make check and make distcheck now pass.
- scripts/multi-msg-record.py: locate the client binary from the build
  tree working directory rather than the script's source directory.
- configure.ac + wolfssl/include.am: run
  support/gen-debug-trace-error-codes.sh from $srcdir; it reads the
  error-code headers from the source tree and generates into the build
  tree.
- tests/swdev: a WOLFBUILD variable points the sub-make at the build
  tree for the configure-generated headers (wolfssl/options.h,
  wolfssl/version.h); the in-tree-only guards are dropped.

Portions of PR #10649 are incorporated: the cross-platform
ccache-setup composite action, repository_owner gates on check-headers
and check-source-text, the docs-only paths-ignore on os-check, and the
libspdm timeout bumps.
2026-06-12 09:47:13 +00:00
Marco Oliverio 0314b3fed2 cryptocb: support WOLF_CRYPTO_CB_ONLY_SHA512 2026-06-04 20:21:50 +02:00
Marco Oliverio 0c8cabedff cryptocb: support SHA224 under WOLF_CRYPTO_CB_ONLY_SHA256 2026-05-19 10:22:06 +02:00
rizlik 6c2040adba swdev: add README.md 2026-05-13 16:18:52 +02:00
rizlik e03bc94742 swdev: add AES-ECB only testing option 2026-05-13 16:18:52 +02:00
rizlik 71819bcb44 swdev: pair internal wolfCrypt_Init() with wolfCrypt_Cleanup() 2026-05-13 16:18:52 +02:00
rizlik 799f7d438b swdev: support user_settings.h based main library builds 2026-05-13 16:18:52 +02:00
rizlik c926aafa1b swdev: add copyright headers 2026-05-13 16:18:52 +02:00
rizlik df2fd4ec06 swdev: refcount swdev Init/Cleanup 2026-05-13 16:18:52 +02:00
rizlik c5ef060139 WOLF_CRYPTO_CB_ONLY_AES: add support + swdev for testing
Modes (CTR, GCM, CCM, etc.) can be supported either directly or by falling
back to invoking the crypto callback with a "direct" (ECB) mode.
Software implementation and AES tables are stripped under CB_ONLY_AES.

wc_swdev gains AES support so WOLF_CRYPTO_CB_ONLY_AES builds can be
tested.

crypto find cb support added to wc_AesSetKey in order to support current
CI tests that use INVALID_DEVID.
2026-05-13 16:18:52 +02:00
rizlik 61bfff1dac WOLF_CRYPTO_CB_ONLY_SHA256: strip software SHA-256 and dispatch via swdev
Add WOLF_CRYPTO_CB_ONLY_SHA256: when set, the SHA-256 software.
wc_Sha256FinalRaw is reduced to a stub returning NO_VALID_DEVID, and
sha256.h force-defines WOLFSSL_NO_HASH_RAW so the constant-time TLS HMAC
path falls back to its backend-opaque variant.

Incompatible with WOLFSSL_SHA224, which aliases the SHA-256 statics;
#error guard added.

Add wc_swdev support for SHA-256 for testing.
2026-05-13 16:18:51 +02:00
rizlik 8f0d4db7d9 tests/swdev: add RSA support to wc_swdev
Extend the swdev callback to handle RSA operations: public/private encrypt
and decrypt, plus key generation.
2026-05-13 16:18:51 +02:00
rizlik 6fb617aba9 tests/swdev: add ECC support to wc_swdev
Extend the swdev callback to handle ECC operations: keygen, ECDH, sign,
verify, get-size, get-sig-size.

Relax WOLF_CRYPTO_CB_ONLY_ECC guards in the test suite so that tests run
under swdev, and wire wc_SwDev_Init/Cleanup into testsuite, client, and
server.  Two tests are intentionally kept excluded even with swdev because
they call raw ECC math primitives (wc_ecc_mulmod, on-curve validation in
wc_ecc_import_x963) that are stripped below the cryptocb dispatch layer:

  - ecc_mulmod_test (wolfcrypt/test/test.c)
  - test_wc_ecc_import_x963_off_curve (tests/api/test_ecc.c)
2026-05-13 16:18:51 +02:00
rizlik 0f82b9e5fb tests/swdev: add scaffolding for WOLF_CRYPTO_CB_ONLY_* testing
Add a software crypto-callback device (wc_swdev) that lets the wolfcrypt
test suite run under WOLF_CRYPTO_CB_ONLY_* flags without per-test devId
plumbing.  The bundle is a separately-compiled second copy of wolfcrypt
(software implementations enabled, WOLF_CRYPTO_CB_ONLY_* stripped) linked
into testwolfcrypt as a single relocatable object; every symbol is demoted
to local via objcopy --keep-global-symbol except wc_SwDev_Callback, so there
is no collision with the main libwolfssl.

A find callback routes unbound operations (devId == INVALID_DEVID) to the
swdev while letting real device IDs pass through.

wc_SwDev_Init / wc_SwDev_Cleanup hooks are wired into wolfcrypt/test/test.c.
cryptocb_test's WOLF_CRYPTO_CB_FIND and WOLF_CRYPTO_CB_ONLY_RSA blocks are
gated off under WOLFSSL_SWDEV.

Enable via --enable-swdev (requires --enable-cryptocb).
2026-05-13 16:18:51 +02:00