mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-06 08:00:48 +02:00
579 lines
35 KiB
YAML
579 lines
35 KiB
YAML
name: Ubuntu-Macos-Windows Tests
|
|
|
|
# START OF COMMON SECTION
|
|
on:
|
|
push:
|
|
branches: [ 'release/**' ]
|
|
# Docs-only changes cannot affect the build/test matrix - skip the
|
|
# run for them. Keep this list narrow (markdown + doc/ only);
|
|
# do not add cert/test data extensions here.
|
|
paths-ignore:
|
|
- '**/*.md'
|
|
- 'doc/**'
|
|
pull_request:
|
|
types: [opened, synchronize, reopened, ready_for_review]
|
|
branches: [ '*' ]
|
|
paths-ignore:
|
|
- '**/*.md'
|
|
- 'doc/**'
|
|
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs restore: the
|
|
# linux and macOS jobs re-run --build-only (compile only, no tests) on the
|
|
# default branch, where their ccache writes are visible to every PR. Only
|
|
# Windows is skipped on schedule (see its job `if`) - seeding the linux and
|
|
# macOS shards is where the cold-cache cost lives.
|
|
schedule:
|
|
- cron: '0 10 * * 1-5'
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
# END OF COMMON SECTION
|
|
|
|
jobs:
|
|
# Ubuntu config matrix. macOS is covered separately by make_check_macos
|
|
# below with a curated subset; configs here either have equivalent macOS
|
|
# coverage there or exercise no Darwin-specific code.
|
|
#
|
|
# The config list is built by a small fixed pool of shard runners: every
|
|
# shard job runs the generic .github/scripts/parallel-make-check.py on
|
|
# the same JSON list below with --shard K/N, which deals the configs
|
|
# across the N shards greedily by their "minutes" weight so every shard
|
|
# carries a similar load. Within a shard each config builds in its own
|
|
# out-of-tree ("VPATH") build directory off one checkout/autogen, and
|
|
# the checks run on a pool of one-per-CPU worker threads, longest first;
|
|
# per-config times and thread/CPU efficiency land in each shard's step
|
|
# summary (same machinery as smoke-test.yml). bubblewrap lets the script
|
|
# tests re-exec under bwrap --unshare-net so concurrent checks cannot
|
|
# collide on TCP/UDP ports (do not set AM_BWRAPPED here - that would
|
|
# disable it).
|
|
make_check_linux:
|
|
name: make check linux
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
shard: [1, 2, 3, 4]
|
|
if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
|
|
runs-on: ubuntu-24.04
|
|
# The full set measures ~272 thread-minutes cold (~90 warm), i.e. about
|
|
# 68 thread-minutes per shard / 4 worker threads: ~20 min of wall per
|
|
# shard cold and well under 10 warm, plus ~2-3 min of
|
|
# checkout/deps/autogen overhead.
|
|
timeout-minutes: 30
|
|
env:
|
|
CCACHE_MAXSIZE: 500M
|
|
steps:
|
|
- uses: actions/checkout@v5
|
|
|
|
# tlslite-ng is consumed by scripts/multi-msg-record.test (run from
|
|
# `make check`); without it that test is SKIPped.
|
|
- uses: actions/setup-python@v6
|
|
with:
|
|
python-version: '3.x'
|
|
- run: pip install tlslite-ng
|
|
|
|
- name: Install dependencies
|
|
uses: ./.github/actions/install-apt-deps
|
|
with:
|
|
packages: autoconf automake libtool build-essential bubblewrap ccache
|
|
ghcr-debs-tag: ubuntu-24.04-minimal
|
|
|
|
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
|
|
# which would stop the test scripts from re-execing under
|
|
# bwrap --unshare-net (their port-isolation mechanism).
|
|
- name: Allow unprivileged user namespaces (for bwrap)
|
|
run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
|
|
|
|
# ccache's default cache dir (XDG ~/.cache/ccache) is what the
|
|
# actions/cache step below saves; pin it explicitly so the two
|
|
# cannot drift apart (e.g. if a later change sets CCACHE_DIR).
|
|
- name: Pin ccache directory
|
|
run: echo "CCACHE_DIR=$HOME/.cache/ccache" >> "$GITHUB_ENV"
|
|
|
|
# PRs restore the cache the weekday seed writes but never save it, so
|
|
# PR runs add no per-shard ccache entries to the Actions cache. The
|
|
# seed (schedule) saves below.
|
|
- name: Restore ccache
|
|
uses: actions/cache/restore@v5
|
|
with:
|
|
path: ~/.cache/ccache
|
|
# Per-shard cache lineage: each shard compiles a distinct config
|
|
# subset. Re-balancing "minutes" can move configs between shards;
|
|
# that costs one rebuild of whatever moved.
|
|
key: os-check-linux-ccache-${{ matrix.shard }}-${{ github.base_ref || github.ref_name }}-${{ github.sha }}
|
|
restore-keys: |
|
|
os-check-linux-ccache-${{ matrix.shard }}-${{ github.base_ref || github.ref_name }}-
|
|
os-check-linux-ccache-${{ matrix.shard }}-
|
|
os-check-linux-ccache-
|
|
|
|
# On the weekday seed, force clean recompiles (CCACHE_RECACHE) so the
|
|
# saved master ccache is reseeded from scratch rather than only
|
|
# accumulating deltas. PR/push runs leave it unset and keep their warm hits.
|
|
- name: Force fresh compiles on scheduled reseed
|
|
if: github.event_name == 'schedule'
|
|
run: echo "CCACHE_RECACHE=1" >> "$GITHUB_ENV"
|
|
|
|
- name: autogen
|
|
run: |
|
|
ccache -z
|
|
./autogen.sh
|
|
|
|
# The JSON list below is the former runner-per-config matrix; add new
|
|
# configs here as new entries (a "comment" key is allowed for notes).
|
|
# "minutes" is the expected duration driving longest-first scheduling
|
|
# and shard balancing: take it from the Minutes column of a previous
|
|
# run's step summary, or omit it for a new config (defaults to 1) and
|
|
# refresh later - a stale value only packs the schedule worse. The
|
|
# list is kept sorted by minutes for readability, but the schedule
|
|
# sorts by the values, not list order.
|
|
# The CFLAGS that were previously passed to configure are applied at
|
|
# make time via --cflags, unchanged. --private-dir=certs gives every
|
|
# build dir its own certs/ copy: crl-gen-openssl.test writes generated
|
|
# CRLs under certs/crl/, which would race through the shared VPATH
|
|
# certs symlink.
|
|
- name: Build and make check this shard's configs (parallel, out-of-tree)
|
|
run: |
|
|
cat > "$RUNNER_TEMP/os-check-configs.json" <<'EOF'
|
|
[
|
|
{"name": "all-no-client-auth", "minutes": 9.0,
|
|
"configure": ["--enable-all", "CPPFLAGS=-DWOLFSSL_NO_CLIENT_AUTH"]},
|
|
{"name": "all-dilithium-cryptocb", "minutes": 8.9,
|
|
"configure": ["--enable-all", "--enable-dilithium", "--enable-cryptocb",
|
|
"--enable-cryptocbutils", "--enable-pkcallbacks"]},
|
|
{"name": "all-haproxy-quic", "minutes": 8.6,
|
|
"configure": ["--enable-all", "--enable-haproxy", "--enable-quic"]},
|
|
{"name": "all-asn-template", "minutes": 8.5,
|
|
"configure": ["--enable-all", "--enable-asn=template"]},
|
|
{"name": "all-asn-template-old-oid-sum", "minutes": 8.5,
|
|
"configure": ["--enable-all", "--enable-asn=template", "CPPFLAGS=-DWOLFSSL_OLD_OID_SUM"]},
|
|
{"name": "all-asn-original-old-oid-sum", "minutes": 8.4,
|
|
"configure": ["--enable-all", "--enable-asn=original", "CPPFLAGS=-DWOLFSSL_OLD_OID_SUM"]},
|
|
{"name": "all-asn-original", "minutes": 8.3,
|
|
"configure": ["--enable-all", "--enable-asn=original"]},
|
|
{"name": "all-certgencache", "minutes": 8.3,
|
|
"configure": ["--enable-all", "--enable-certgencache"]},
|
|
{"name": "all-dtls13-frag-ch-no-mlkem", "minutes": 8.2,
|
|
"configure": ["--enable-all", "--enable-dtls13", "--enable-dtls-frag-ch",
|
|
"--disable-mlkem"]},
|
|
{"name": "all-check-mem-zero", "minutes": 7.9,
|
|
"configure": ["--enable-all", "CPPFLAGS=-DWOLFSSL_CHECK_MEM_ZERO"]},
|
|
{"name": "all-secure-renegotiation", "minutes": 7.8,
|
|
"configure": ["--enable-all", "--enable-secure-renegotiation"]},
|
|
{"name": "all-debug-certs", "minutes": 7.8,
|
|
"configure": ["--enable-all", "CPPFLAGS=-DWOLFSSL_DEBUG_CERTS"]},
|
|
{"name": "all-hash-keep", "minutes": 7.8,
|
|
"configure": ["--enable-all", "CPPFLAGS=-DWOLFSSL_HASH_KEEP"]},
|
|
{"name": "all-no-aes-192-256", "minutes": 7.5,
|
|
"configure": ["--enable-all", "CPPFLAGS=-DNO_AES_192 -DNO_AES_256"]},
|
|
{"name": "all-writedup", "minutes": 6.9,
|
|
"configure": ["--enable-all", "--enable-writedup"]},
|
|
{"name": "all-no-server", "minutes": 5.0,
|
|
"configure": ["--enable-all", "CPPFLAGS=-DNO_WOLFSSL_SERVER"]},
|
|
{"name": "nonblock-sp-c32", "minutes": 5.0,
|
|
"comment": "Same but forcing SP_WORD_SIZE=32 to exercise sp_c32.c on a 64-bit host; the two builds together cover both generated variants of mod_exp_<words>_nb / RSA / DH wrappers.",
|
|
"configure": ["--enable-curve25519=nonblock", "--enable-ecc=nonblock",
|
|
"--enable-rsa=nonblock", "--enable-dh=nonblock", "--enable-sp=yes,nonblock",
|
|
"CPPFLAGS=-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DEBUG_NONBLOCK -DRSA_LOW_MEM -DSP_WORD_SIZE=32"]},
|
|
{"name": "all-no-server-no-client-auth", "minutes": 4.8,
|
|
"configure": ["--enable-all", "CPPFLAGS=-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_CLIENT_AUTH"]},
|
|
{"name": "all-no-client-no-client-auth", "minutes": 4.4,
|
|
"configure": ["--enable-all", "CPPFLAGS=-DNO_WOLFSSL_CLIENT -DWOLFSSL_NO_CLIENT_AUTH"]},
|
|
{"name": "all-no-client", "minutes": 4.2,
|
|
"configure": ["--enable-all", "CPPFLAGS=-DNO_WOLFSSL_CLIENT"]},
|
|
{"name": "nonblock-sp-c64", "minutes": 4.2,
|
|
"comment": "Non-blocking ECC/Curve25519/RSA/DH on the host default SP word size (sp_c64.c on x86_64); RSA/DH non-block require RSA_LOW_MEM (the CRT path is not supported in non-block mode).",
|
|
"configure": ["--enable-curve25519=nonblock", "--enable-ecc=nonblock",
|
|
"--enable-rsa=nonblock", "--enable-dh=nonblock", "--enable-sp=yes,nonblock",
|
|
"CPPFLAGS=-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DEBUG_NONBLOCK -DRSA_LOW_MEM"]},
|
|
{"name": "tls13-dtls13-session-misc", "minutes": 3.3,
|
|
"configure": ["--enable-tls13", "--enable-session-ticket", "--enable-dtls",
|
|
"--enable-dtls13", "--enable-opensslextra", "--enable-sessioncerts",
|
|
"CPPFLAGS=-DWOLFSSL_DTLS_NO_HVR_ON_RESUME -DHAVE_EXT_CACHE -DWOLFSSL_TICKET_HAVE_ID -DHAVE_EX_DATA -DSESSION_CACHE_DYNAMIC_MEM"]},
|
|
{"name": "dtls-cid-renego-psk", "minutes": 3.3,
|
|
"configure": ["--enable-dtls", "--enable-dtlscid", "--enable-dtls13",
|
|
"--enable-secure-renegotiation", "--enable-psk", "--enable-aesccm",
|
|
"--enable-nullcipher", "CPPFLAGS=-DWOLFSSL_STATIC_RSA"]},
|
|
{"name": "dtls13-ocspstapling-cert-cb", "minutes": 3.1,
|
|
"configure": ["--enable-dtls", "--enable-dtls13", "--enable-ocspstapling",
|
|
"--enable-ocspstapling2", "--enable-cert-setup-cb", "--enable-sessioncerts"]},
|
|
{"name": "user-settings-all-compat", "minutes": 3.0,
|
|
"comment": "user_settings_all.h with the compatibility layer enabled by flipping its \"#if 0\" block, as a build-dir copy.",
|
|
"user_settings": "examples/configs/user_settings_all.h",
|
|
"cflags": "",
|
|
"configure": ["--enable-usersettings"], "prepare": [["sed", "-i", "s/if 0/if 1/", "user_settings.h"]]},
|
|
{"name": "dtls13-earlydata-psk-no-hrr", "minutes": 2.9,
|
|
"configure": ["--enable-dtls", "--enable-dtls13", "--enable-earlydata",
|
|
"--enable-session-ticket", "--enable-psk", "CPPFLAGS=-DWOLFSSL_DTLS13_NO_HRR_ON_RESUME"]},
|
|
{"name": "ocsp-responder-nonblock-maxfrag", "minutes": 2.8,
|
|
"configure": ["--enable-ocsp", "--enable-ocsp-responder", "--enable-ocspstapling",
|
|
"CPPFLAGS=-DWOLFSSL_NONBLOCK_OCSP", "--enable-maxfragment"]},
|
|
{"name": "dtls-records-span-datagrams", "minutes": 2.7,
|
|
"configure": ["--enable-dtls", "--enable-dtls13", "--enable-dtls-frag-ch",
|
|
"--enable-dtls-mtu", "CPPFLAGS=-DWOLFSSL_DTLS_RECORDS_CAN_SPAN_DATAGRAMS"]},
|
|
{"name": "opensslextra-no-ca-names", "minutes": 2.6,
|
|
"configure": ["--enable-opensslextra", "CPPFLAGS=-DWOLFSSL_NO_CA_NAMES"]},
|
|
{"name": "sessionexport-dtls13", "minutes": 2.6,
|
|
"configure": ["--enable-sessionexport", "--enable-dtls", "--enable-dtls13"]},
|
|
{"name": "lms-xmss-verify-only", "minutes": 2.5,
|
|
"configure": ["--enable-lms=small,verify-only", "--enable-xmss=small,verify-only"]},
|
|
{"name": "opensslall-rng-seed-cb", "minutes": 2.2,
|
|
"configure": ["--enable-opensslall", "--enable-opensslextra", "CPPFLAGS=-DWC_RNG_SEED_CB"]},
|
|
{"name": "opensslall-ecc-zero-hash", "minutes": 2.2,
|
|
"configure": ["--enable-opensslall", "--enable-ecc", "CPPFLAGS=-DWC_ALLOW_ECC_ZERO_HASH"]},
|
|
{"name": "she-ext-cmac-no-she-misc", "minutes": 2.2,
|
|
"configure": ["--enable-she=extended", "--enable-cmac", "--enable-cryptocb",
|
|
"--enable-cryptocbutils",
|
|
"CPPFLAGS=-DNO_WC_SHE_GETUID -DNO_WC_SHE_GETCOUNTER -DNO_WC_SHE_EXPORTKEY"]},
|
|
{"name": "she-std-cmac-cryptocb-sw-default", "minutes": 2.2,
|
|
"configure": ["--enable-she=standard", "--enable-cmac", "--enable-cryptocb",
|
|
"--enable-cryptocbutils", "CPPFLAGS=-DWC_SHE_SW_DEFAULT"]},
|
|
{"name": "sniffer-curves-enckeys", "minutes": 2.2,
|
|
"configure": ["--enable-sniffer", "--enable-curve25519", "--enable-curve448",
|
|
"--enable-enckeys", "CPPFLAGS=-DWOLFSSL_DH_EXTRA"]},
|
|
{"name": "cryptocb-keygen-utils-aes-setkey", "minutes": 2.2,
|
|
"configure": ["--enable-cryptocb", "--enable-keygen", "--enable-cryptocbutils",
|
|
"CPPFLAGS=-DWOLF_CRYPTO_CB_AES_SETKEY"]},
|
|
{"name": "cryptocb-utils-setkey-free", "minutes": 2.2,
|
|
"configure": ["--enable-cryptocb", "--enable-keygen", "--enable-aesgcm",
|
|
"--enable-cryptocbutils=setkey,free", "CPPFLAGS=-DWOLF_CRYPTO_CB_AES_SETKEY"]},
|
|
{"name": "cryptocb-keygen-utils-export", "minutes": 2.2,
|
|
"configure": ["--enable-cryptocb", "--enable-keygen", "--enable-cryptocbutils=export"]},
|
|
{"name": "cryptocb-keygen-export-key", "minutes": 2.2,
|
|
"configure": ["--enable-cryptocb", "--enable-keygen",
|
|
"CPPFLAGS=-DWOLF_CRYPTO_CB_EXPORT_KEY"]},
|
|
{"name": "cryptocb-utils-setkey-export-find", "minutes": 2.2,
|
|
"configure": ["--enable-cryptocb", "--enable-keygen",
|
|
"--enable-cryptocbutils=setkey,export", "CPPFLAGS=-DWOLF_CRYPTO_CB_FIND"]},
|
|
{"name": "cryptocb-shake", "minutes": 2.2,
|
|
"comment": "Exercises the SHAKE128/SHAKE256 crypto callback wiring (wc_CryptoCb_Shake, the sha3.c Update/Final hooks, and the dedicated offload unit tests). A normal (non-ONLY) cryptocb build keeps the host software SHA3/SHAKE present as the callbacks' offload fallback.",
|
|
"configure": ["--enable-cryptocb", "--enable-sha3",
|
|
"--enable-shake128", "--enable-shake256"]},
|
|
{"name": "opensslall-rng-seed-cb-no-getpid", "minutes": 2.1,
|
|
"configure": ["--enable-opensslall", "--enable-opensslextra",
|
|
"CPPFLAGS=-DWC_RNG_SEED_CB -DWOLFSSL_NO_GETPID"]},
|
|
{"name": "dtls13-ignore-pt-alert", "minutes": 2.1,
|
|
"configure": ["--enable-dtls", "--enable-dtls13", "--enable-tls13",
|
|
"CPPFLAGS=-DWOLFSSL_TLS13_IGNORE_PT_ALERT_ON_ENC"]},
|
|
{"name": "cryptocb-utils-setkey-free-export", "minutes": 2.1,
|
|
"configure": ["--enable-cryptocb", "--enable-keygen", "--enable-aesgcm",
|
|
"--enable-cryptocbutils=setkey,free,export", "CPPFLAGS=-DWOLF_CRYPTO_CB_AES_SETKEY"]},
|
|
{"name": "cryptocb-aesgcm-setkey-free", "minutes": 2.1,
|
|
"configure": ["--enable-cryptocb", "--enable-aesgcm",
|
|
"CPPFLAGS=-DWOLF_CRYPTO_CB_AES_SETKEY -DWOLF_CRYPTO_CB_FREE"]},
|
|
{"name": "opensslextra-x509small", "minutes": 2.0,
|
|
"configure": ["--enable-opensslextra=x509small"]},
|
|
{"name": "cryptocb-keygen-find", "minutes": 2.0,
|
|
"configure": ["--enable-cryptocb", "--enable-keygen", "CPPFLAGS=-DWOLF_CRYPTO_CB_FIND"]},
|
|
{"name": "user-settings-all", "minutes": 2.0,
|
|
"comment": "The user_settings.h header-driven build path is distinct from the autotools-driven --enable-all path; full make check.",
|
|
"user_settings": "examples/configs/user_settings_all.h",
|
|
"cflags": "",
|
|
"configure": ["--enable-usersettings"]},
|
|
{"name": "she-ext-cryptocb-sw-default", "minutes": 1.9,
|
|
"configure": ["--enable-she=extended", "--enable-cryptocb", "--enable-cryptocbutils",
|
|
"CPPFLAGS=-DWC_SHE_SW_DEFAULT"]},
|
|
{"name": "cryptocb-aesgcm-aes-setkey", "minutes": 1.9,
|
|
"configure": ["--enable-cryptocb", "--enable-aesgcm",
|
|
"CPPFLAGS=-DWOLF_CRYPTO_CB_AES_SETKEY"]},
|
|
{"name": "cryptocb-keygen-utils-setkey", "minutes": 1.9,
|
|
"configure": ["--enable-cryptocb", "--enable-keygen", "--enable-cryptocbutils=setkey"]},
|
|
{"name": "pkcs7-rsa-pss", "minutes": 1.9,
|
|
"comment": "PKCS#7 with RSA-PSS (CMS RSASSA-PSS signers)",
|
|
"configure": ["--enable-pkcs7", "CPPFLAGS=-DWC_RSA_PSS"]},
|
|
{"name": "blind-private-key", "minutes": 1.9,
|
|
"configure": ["CPPFLAGS=-DWOLFSSL_BLIND_PRIVATE_KEY"]},
|
|
{"name": "certgen-no-tls", "minutes": 1.9,
|
|
"configure": ["--enable-certreq", "--enable-certext", "--enable-certgen",
|
|
"--disable-secure-renegotiation-info", "CPPFLAGS=-DNO_TLS"]},
|
|
{"name": "no-sys-ca-certs", "minutes": 1.8, "configure": ["--disable-sys-ca-certs"]},
|
|
{"name": "no-client-auth", "minutes": 1.8,
|
|
"configure": ["CPPFLAGS=-DWOLFSSL_NO_CLIENT_AUTH"]},
|
|
{"name": "harden-tls", "minutes": 1.7, "configure": ["--enable-harden-tls"]},
|
|
{"name": "no-sni-ecc-tls13-scr-info", "minutes": 1.7,
|
|
"configure": ["--disable-sni", "--disable-ecc", "--disable-tls13",
|
|
"--disable-secure-renegotiation-info"]},
|
|
{"name": "default", "minutes": 1.6},
|
|
{"name": "no-client-no-client-auth", "minutes": 1.6,
|
|
"configure": ["CPPFLAGS=-DNO_WOLFSSL_CLIENT -DWOLFSSL_NO_CLIENT_AUTH"]},
|
|
{"name": "ascon-experimental", "minutes": 1.6,
|
|
"configure": ["--enable-ascon", "--enable-experimental"]},
|
|
{"name": "ascon-unroll-experimental", "minutes": 1.6,
|
|
"configure": ["--enable-ascon", "CPPFLAGS=-DWOLFSSL_ASCON_UNROLL",
|
|
"--enable-experimental"]},
|
|
{"name": "wolfssl-extra", "minutes": 1.6, "configure": ["CPPFLAGS=-DWOLFSSL_EXTRA"]},
|
|
{"name": "coding-no", "minutes": 1.5, "configure": ["--enable-coding=no"]},
|
|
{"name": "she-ext-cmac-cryptocb", "minutes": 1.3,
|
|
"configure": ["--enable-she=extended", "--enable-cmac", "--enable-cryptocb",
|
|
"--enable-cryptocbutils"]},
|
|
{"name": "she-std-cmac-no-import-m123", "minutes": 1.3,
|
|
"configure": ["--enable-she=standard", "--enable-cmac",
|
|
"CPPFLAGS=-DNO_WC_SHE_IMPORT_M123"]},
|
|
{"name": "pkcs7", "minutes": 1.3,
|
|
"comment": "PKCS#7 without RSA-PSS",
|
|
"configure": ["--enable-pkcs7"]},
|
|
{"name": "no-tls-cryptocb-aesgcm-setkey-free", "minutes": 1.3,
|
|
"configure": ["--disable-tls", "--enable-cryptocb", "--enable-aesgcm",
|
|
"CPPFLAGS=-DWOLF_CRYPTO_CB_AES_SETKEY -DWOLF_CRYPTO_CB_FREE"]},
|
|
{"name": "she-std-cmac", "minutes": 1.2,
|
|
"configure": ["--enable-she=standard", "--enable-cmac"]},
|
|
{"name": "no-verify-oid-fpki", "minutes": 1.2,
|
|
"configure": ["CPPFLAGS=-DNO_VERIFY_OID -DWOLFSSL_FPKI"]},
|
|
{"name": "no-verify-oid", "minutes": 1.1, "configure": ["CPPFLAGS=-DNO_VERIFY_OID"]},
|
|
{"name": "no-server-no-client-auth", "minutes": 1.0,
|
|
"configure": ["CPPFLAGS=-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_CLIENT_AUTH"]},
|
|
{"name": "no-wolfssl-client", "minutes": 1.0,
|
|
"configure": ["CPPFLAGS=-DNO_WOLFSSL_CLIENT"]},
|
|
{"name": "testwolfcrypt-ca", "minutes": 1.0,
|
|
"comment": "user_settings.h builds running only testwolfcrypt: pure crypto, no platform-specific features, so Linux-only coverage is sufficient. Not converted: user_settings_pq.h (requires --enable-experimental) and user_settings_baremetal.h (static memory, custom platform).",
|
|
"user_settings": "examples/configs/user_settings_ca.h",
|
|
"cflags": "",
|
|
"configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
|
|
{"name": "testwolfcrypt-dtls13", "minutes": 1.0,
|
|
"user_settings": "examples/configs/user_settings_dtls13.h",
|
|
"cflags": "",
|
|
"configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
|
|
{"name": "testwolfcrypt-ebsnet", "minutes": 1.0,
|
|
"user_settings": "examples/configs/user_settings_EBSnet.h",
|
|
"cflags": "",
|
|
"configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
|
|
{"name": "testwolfcrypt-eccnonblock", "minutes": 1.0,
|
|
"user_settings": "examples/configs/user_settings_eccnonblock.h",
|
|
"cflags": "",
|
|
"configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
|
|
{"name": "testwolfcrypt-curve25519nonblock", "minutes": 1.0,
|
|
"user_settings": "examples/configs/user_settings_curve25519nonblock.h",
|
|
"cflags": "",
|
|
"configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
|
|
{"name": "testwolfcrypt-min-ecc", "minutes": 1.0,
|
|
"user_settings": "examples/configs/user_settings_min_ecc.h",
|
|
"cflags": "",
|
|
"configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
|
|
{"name": "testwolfcrypt-openssl-compat", "minutes": 1.0,
|
|
"user_settings": "examples/configs/user_settings_openssl_compat.h",
|
|
"cflags": "",
|
|
"configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
|
|
{"name": "testwolfcrypt-pkcs7", "minutes": 1.0,
|
|
"user_settings": "examples/configs/user_settings_pkcs7.h",
|
|
"cflags": "",
|
|
"configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
|
|
{"name": "testwolfcrypt-rsa-only", "minutes": 1.0,
|
|
"user_settings": "examples/configs/user_settings_rsa_only.h",
|
|
"cflags": "",
|
|
"configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
|
|
{"name": "testwolfcrypt-template", "minutes": 1.0,
|
|
"user_settings": "examples/configs/user_settings_template.h",
|
|
"cflags": "",
|
|
"configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
|
|
{"name": "testwolfcrypt-tls12", "minutes": 1.0,
|
|
"user_settings": "examples/configs/user_settings_tls12.h",
|
|
"cflags": "",
|
|
"configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
|
|
{"name": "testwolfcrypt-tls13", "minutes": 1.0,
|
|
"user_settings": "examples/configs/user_settings_tls13.h",
|
|
"cflags": "",
|
|
"configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
|
|
{"name": "testwolfcrypt-wolfboot-keytools", "minutes": 1.0,
|
|
"user_settings": "examples/configs/user_settings_wolfboot_keytools.h",
|
|
"cflags": "",
|
|
"configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
|
|
{"name": "testwolfcrypt-wolfssh", "minutes": 1.0,
|
|
"user_settings": "examples/configs/user_settings_wolfssh.h",
|
|
"cflags": "",
|
|
"configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
|
|
{"name": "testwolfcrypt-wolftpm", "minutes": 1.0,
|
|
"user_settings": "examples/configs/user_settings_wolftpm.h",
|
|
"cflags": "",
|
|
"configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
|
|
{"name": "no-wolfssl-server", "minutes": 0.9,
|
|
"configure": ["CPPFLAGS=-DNO_WOLFSSL_SERVER"]},
|
|
{"name": "dtls13-client-minimal", "minutes": 0.9,
|
|
"comment": "Minimal DTLS 1.3 client-only build with the SHA-224/384/512/3 hash families disabled. SHA-256 (used by TLS_AES_128_GCM_SHA256) and SHA-1 remain enabled.",
|
|
"configure": ["--enable-dtls13", "--disable-tlsv12", "--disable-oldtls", "--disable-rsa",
|
|
"--disable-dh", "--disable-aescbc", "--disable-aesecb", "--disable-md5",
|
|
"--disable-chacha", "--disable-poly1305", "--disable-errorstrings",
|
|
"--disable-asn-print", "--disable-eccshamir", "--disable-base64encode",
|
|
"--disable-coding", "--disable-sni", "--disable-sha224", "--disable-sha384",
|
|
"--disable-sha512", "--disable-sha3", "--enable-aesgcm=small", "--enable-sp-math",
|
|
"--enable-sp=smallec256", "--disable-sp-asm",
|
|
"CPPFLAGS=-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_TLS12 -DNO_SESSION_CACHE -DWOLFSSL_AES_NO_UNROLL -DUSE_SLOW_SHA256 -DWOLFSSL_NO_ASYNC_IO -DWOLFSSL_DTLS_ONLY"]},
|
|
{"name": "opensslextra-no-filesystem-no-bio", "minutes": 0.9,
|
|
"configure": ["--enable-opensslextra", "--disable-filesystem", "CPPFLAGS=-DNO_BIO"]},
|
|
{"name": "no-examples-no-malloc", "minutes": 0.8,
|
|
"configure": ["--disable-examples", "CPPFLAGS=-DWOLFSSL_NO_MALLOC"]}
|
|
]
|
|
EOF
|
|
.github/scripts/parallel-make-check.py \
|
|
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
|
|
--shard "${{ matrix.shard }}/${{ strategy.job-total }}" \
|
|
--cflags='-pedantic -Wdeclaration-after-statement -Wnull-dereference -Wno-overlength-strings -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE' \
|
|
--private-dir=certs "$RUNNER_TEMP/os-check-configs.json"
|
|
|
|
# Seed runs (schedule) refresh the master-scoped ccache that PR runs
|
|
# restore above; PR/push runs never save, so PRs add nothing.
|
|
- name: Save ccache (seed only)
|
|
if: github.event_name == 'schedule'
|
|
uses: actions/cache/save@v5
|
|
with:
|
|
path: ~/.cache/ccache
|
|
key: os-check-linux-ccache-${{ matrix.shard }}-${{ github.ref_name }}-${{ github.sha }}
|
|
|
|
- name: ccache stats
|
|
if: always()
|
|
run: ccache -s || true
|
|
|
|
- name: Upload logs on failure
|
|
if: failure()
|
|
uses: actions/upload-artifact@v6
|
|
with:
|
|
retention-days: 7
|
|
name: os-check-linux-logs-${{ matrix.shard }}
|
|
path: |
|
|
build-*/make-check.log
|
|
build-*/test-suite.log
|
|
build-*/config.log
|
|
if-no-files-found: ignore
|
|
|
|
# Curated macOS subset. Each config exists for a Darwin-specific reason;
|
|
# do not add entries that only re-test platform-agnostic crypto already
|
|
# covered by the corresponding Linux run.
|
|
#
|
|
# All configs build on ONE macos runner via
|
|
# .github/scripts/parallel-make-check.py, each in its own out-of-tree
|
|
# ("VPATH") build directory. Unlike Linux, the checks run one config at
|
|
# a time (--threads 1): macOS has no bubblewrap, so concurrent make
|
|
# checks would race on TCP/UDP ports. The user_settings_all.h entry is
|
|
# the former macOS half of the make_user_settings job, and the
|
|
# apple-native-cert-validation entry is the former standalone
|
|
# macos-apple-native-cert-validation.yml workflow.
|
|
make_check_macos:
|
|
name: make check macos
|
|
# Runs on PRs/pushes and on the weekday ccache-seed cron, where it
|
|
# --build-only-seeds the macOS ccache (like the linux shards). Only
|
|
# Windows is skipped on schedule (no ccache to seed).
|
|
if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
|
|
runs-on: macos-latest
|
|
# Serial checks: roughly the sum of the per-config minutes plus
|
|
# one-time setup, with headroom for a cold ccache.
|
|
timeout-minutes: 45
|
|
steps:
|
|
- uses: actions/checkout@v5
|
|
|
|
# tlslite-ng is consumed by scripts/multi-msg-record.test (run from
|
|
# `make check`); without it that test is SKIPped.
|
|
- uses: actions/setup-python@v6
|
|
with:
|
|
python-version: '3.x'
|
|
- run: pip install tlslite-ng
|
|
|
|
# The macos runner images ship without autotools (the old per-config
|
|
# matrix got them via wolfSSL/actions-build-autotools-project).
|
|
- name: Install autotools (brew)
|
|
run: brew install autoconf automake libtool
|
|
|
|
# ccache via the cross-platform composite (brew install; compiler
|
|
# symlinks on PATH). The script is told --cc= so it does not also
|
|
# prefix the compiler with "ccache" - the PATH masquerade already
|
|
# intercepts cc/clang.
|
|
- name: Set up ccache
|
|
uses: ./.github/actions/ccache-setup
|
|
with:
|
|
workflow-id: os-check-macos
|
|
max-size: 500M
|
|
# PRs read the weekday-seeded macOS ccache; only the seed saves.
|
|
read-only: ${{ github.event_name == 'pull_request' }}
|
|
|
|
# Same JSON config format as make_check_linux above; "minutes" only
|
|
# orders the serial schedule here (longest first).
|
|
- name: Build and make check all configs (serial checks, out-of-tree)
|
|
run: |
|
|
cat > "$RUNNER_TEMP/os-check-macos-configs.json" <<'EOF'
|
|
[
|
|
{"name": "all-asn-template", "minutes": 3.0,
|
|
"comment": "Broad key-crypto + Security.framework + opensslextra in one run (RSA, ECC, AES, SHA-2/3, ChaCha20-Poly1305, Curve25519/448, HMAC, sniffer, DTLS, OCSP, ...). Note: --enable-all does NOT enable cryptocb or SHE, so those have their own entries.",
|
|
"configure": ["--enable-all", "--enable-asn=template"]},
|
|
{"name": "dtls-cid-renego-psk", "minutes": 1.5,
|
|
"comment": "DTLS over BSD sockets on Darwin: connection-ID, fragmented ClientHello, secure renegotiation, PSK, AES-CCM, null cipher - exercises recvmsg/MTU/datagram handling that differs from Linux.",
|
|
"configure": ["--enable-dtls", "--enable-dtlscid", "--enable-dtls13",
|
|
"--enable-secure-renegotiation", "--enable-psk", "--enable-aesccm",
|
|
"--enable-nullcipher", "CPPFLAGS=-DWOLFSSL_STATIC_RSA"]},
|
|
{"name": "user-settings-all", "minutes": 1.5,
|
|
"comment": "The user_settings.h header-driven build path under Apple clang: macOS-specific guard ordering (e.g. WOLFSSL_SYS_CA_CERTS pulling in Security.framework) is distinct from the autotools --enable-all path above.",
|
|
"user_settings": "examples/configs/user_settings_all.h",
|
|
"cflags": "",
|
|
"configure": ["--enable-usersettings"]},
|
|
{"name": "apple-native-cert-validation", "minutes": 1.5,
|
|
"comment": "Former macos-apple-native-cert-validation.yml workflow: WOLFSSL_APPLE_NATIVE_CERT_VALIDATION delegates chain verification to Security.framework instead of wolfSSL's verifier, and the TEST define enables its client tests in make check. CFLAGS go to configure (with \"cflags\": \"\" so the make-time --cflags do not override them), exactly like the old standalone job.",
|
|
"cflags": "",
|
|
"configure": ["CFLAGS=-DWOLFSSL_APPLE_NATIVE_CERT_VALIDATION -DWOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION -DRSA_MIN_SIZE=2048 -DNO_WOLFSSL_CIPHER_SUITE_TEST"]},
|
|
{"name": "cryptocb-keygen-utils-setkey", "minutes": 1.0,
|
|
"comment": "Crypto-callback dispatcher under Apple clang. Not covered by --enable-all; verifies the cryptocb find/setkey/keygen path compiles and runs on the macOS toolchain.",
|
|
"configure": ["--enable-cryptocb", "--enable-keygen", "--enable-cryptocbutils=setkey"]},
|
|
{"name": "default", "minutes": 0.5,
|
|
"comment": "Default build: --enable-sys-ca-certs is auto-on on macOS, so this exercises Apple keychain / system trust loading in src/ssl_load.c that has no Linux equivalent.",
|
|
"configure": []},
|
|
{"name": "no-sys-ca-certs", "minutes": 0.5,
|
|
"comment": "Validates the configure-time auto-enable override and that the build compiles out the Security.framework code path cleanly - macOS is the only OS where sys-ca-certs is auto-on by default.",
|
|
"configure": ["--disable-sys-ca-certs"]}
|
|
]
|
|
EOF
|
|
.github/scripts/parallel-make-check.py \
|
|
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
|
|
--threads 1 --cc= \
|
|
--cflags='-pedantic -Wdeclaration-after-statement -Wnull-dereference -Wno-overlength-strings -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE' \
|
|
--private-dir=certs "$RUNNER_TEMP/os-check-macos-configs.json"
|
|
|
|
- name: ccache stats
|
|
if: always()
|
|
run: ccache -s || true
|
|
|
|
- name: Upload logs on failure
|
|
if: failure()
|
|
uses: actions/upload-artifact@v6
|
|
with:
|
|
retention-days: 7
|
|
name: os-check-macos-logs
|
|
path: |
|
|
build-*/make-check.log
|
|
build-*/test-suite.log
|
|
build-*/config.log
|
|
if-no-files-found: ignore
|
|
|
|
windows_build:
|
|
name: Windows Build Test
|
|
# Skipped on the weekday ccache-seed cron: no ccache to seed here.
|
|
if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'schedule') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
|
|
runs-on: windows-latest
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
arch: [ x64, Win32, ARM64 ]
|
|
# This should be a safe limit for the tests to run.
|
|
timeout-minutes: 6
|
|
env:
|
|
# Path to the solution file relative to the root of the project.
|
|
SOLUTION_FILE_PATH: wolfssl64.sln
|
|
|
|
# Configuration type to build.
|
|
# You can convert this to a build matrix if you need coverage of multiple configuration types.
|
|
# https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
|
|
BUILD_CONFIGURATION: Release
|
|
steps:
|
|
- uses: actions/checkout@v5
|
|
|
|
- name: Add MSBuild to PATH
|
|
uses: microsoft/setup-msbuild@v3
|
|
|
|
- name: Restore NuGet packages
|
|
working-directory: ${{env.GITHUB_WORKSPACE}}
|
|
run: nuget restore ${{env.SOLUTION_FILE_PATH}}
|
|
|
|
- name: Build
|
|
working-directory: ${{env.GITHUB_WORKSPACE}}
|
|
# Add additional options to the MSBuild command line here (like platform or verbosity level).
|
|
# See https://docs.microsoft.com/visualstudio/msbuild/msbuild-command-line-reference
|
|
run: msbuild /m /p:PlatformToolset=v142 /p:Platform=${{matrix.arch}} /p:Configuration=${{env.BUILD_CONFIGURATION}} ${{env.SOLUTION_FILE_PATH}}
|
|
|
|
- if: ${{ matrix.arch != 'ARM64' }}
|
|
name: Run Test
|
|
working-directory: ${{env.GITHUB_WORKSPACE}}
|
|
run: Release/${{matrix.arch}}/testsuite.exe
|