netns needs bwrap; without it commands silently share the host network
namespace and parallel network tests collide on ports. Skip the check for
--list (it inspects configs, runs nothing), hard-fail on CI so a missing-
bubblewrap misconfig can't silently degrade, and locally just warn and fall
back to the shared namespace.
The socat suite is sleep-bound and slow run serially. Drive it through
parallel-make-check.py as ~6 shards per CPU, 2 running per CPU at once: each
shard runs a round-robin slice of the tests in its own bwrap network
namespace (so parallel shards don't collide on ports) and its own build-dir
copy. The work is almost all waiting, so the oversubscription just overlaps
the waits.
Install bubblewrap so the netns isolation actually happens (without it the
runner silently shares one namespace and the shards collide). Each fresh
netns is IPv4-loopback only, so re-create IPv6 loopback (CAP_NET_ADMIN) for
the ::1 / dual-stack tests, and add non-loopback placeholders (fc00::1,
192.0.2.1) so glibc's AI_ADDRCONFIG still returns both families - without
them socat's getaddrinfo fails on numeric non-loopback addresses, e.g. the
multicast tests. Relax the AppArmor unprivileged-userns restriction so the
bwrap netns + CAP_NET_ADMIN work on ubuntu-24.04.
Let any command ride the build/check pool, not just wolfSSL builds:
build false skips configure/make/check (config is just prepare+run)
netns true runs each command under 'bwrap --unshare-net --cap-add
CAP_NET_ADMIN' (its own network namespace) so parallel network
tests can't collide on ports and can configure that namespace
shards fan a config out into N instances, each with $SHARD (1..N) and
$SHARDS=N in its env and its own build-<name>-<k> dir, so a
command can split its work N ways (the pool load-balances them)
Error out, rather than silently degrade, on two misconfigurations that
otherwise surface as confusing test failures: netns requested but bwrap
missing (commands would share the host namespace and collide on ports),
and config-name collisions after shard fan-out (two jobs would share a
build dir and race).
ARM64/ARM32/Thumb2:
- Inline-asm use param names not registers.
- Return value through first parameter and not first register
- 32-bit values zero extended when loaded off stack
aes.c: Aligned-accedd GHASH for 32-bit CPUs.
test.c: #ifdef protection update.
sha3.h: make digest and block size constants defines for use in hash.h
sha512.h: internal Transform_Sha512* functions declared when only SHA-384.
sp_int.h: include WOLFSSL_SP_MATH_ALL in SP_INT_BITS selection
memory.c: fix printf format to be compatible with more platforms
With WOLFSSL_SMALL_STACK_CACHE, wc_Sha512Free and wc_Sha384Free freed the
cached W buffer as DYNAMIC_TYPE_TMP_BUFFER, but it is allocated as
DYNAMIC_TYPE_DIGEST in InitSha512_Family/InitSha384 and the Copy functions
(the in-Init error cleanup already frees it as DYNAMIC_TYPE_DIGEST).
The mismatch is flagged by the memusage test (DHE_RSA TLS1.2 reports
Errors: 2) and matters for type-bucketed static memory pools. SHA-256/224
already use DYNAMIC_TYPE_DIGEST consistently. Free W as DYNAMIC_TYPE_DIGEST.
use target native int for WC_ATOMIC_INT_ARG, add user overrideability, and
adjust WC_INIT_STATE_COUNT_BITS to depend on sizeof(WC_ATOMIC_UINT_ARG). add
a wc_static_assert to sanity-check WC_INIT_STATE_STATE_BITS, and use CHAR_BIT
opportunistically in the other wc_static_assert to sanity check that CHAR_BIT
is at least 8.
* in USE_WINDOWS_API wc_GenerateSeed(), recognize HAVE_AMD_RDSEED, and properly enforce FORCE_FAILURE_RDSEED when CPU support is missing;
* in WOLFSSL_LINUXKM wc_GenerateSeed(), initialize ret to RNG_FAILURE_E, and properly enforce FORCE_FAILURE_RDSEED when CPU support is missing;
* in WOLFSSL_BSDKM wc_GenerateSeed(), properly enforce FORCE_FAILURE_RDSEED when CPU support is missing;
The draft guard skips the job on draft PRs, but the pull_request
trigger used the default types (no ready_for_review), so marking a
draft ready did not re-run the job and it stayed skipped. Add the
standard types, matching the other workflows, so it re-runs when the
PR becomes ready.
With the cache save restricted to master, a cold-cache PR or release
run can no longer restore in the test job what the build job just built
(the per-PR cache scope is gone), so mbedtls/nss were compiled twice.
Upload the build as an artifact on a cache miss and download it in the
test job instead of recompiling, matching the handoff hostap-vm already
uses. master still restores from the shared cache, so it never uses the
artifact.