wolfssl/.github/workflows/tinytls13.yml
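name: Tiny TLS 1.3 Tests
# START OF COMMON SECTION
on:
  push:
    branches: [ 'release/**' ]
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
    # NOTE(review): in Actions filter patterns `*` does not match `/`, so a
    # pull request whose base branch name contains a slash (such as the
    # release/** branches above) does not match this filter - confirm that
    # is intended.
    branches: [ '*' ]
  schedule:
    - cron: '42 10 * * 1-5'
# One run per workflow and ref: a newer run cancels the one in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
# END OF COMMON SECTION
# Least privilege: the workflow token may only read repository contents.
permissions:
  contents: read
jobs:
  # Build + make check every --enable-tinytls13 spelling on one runner via
  # .github/scripts/parallel-make-check.py (see psk.yml for the pattern).
  make_check:
    name: make check
    # Runs only when the repository owner is wolfssl, and skips pull requests
    # that are still drafts.
    if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
    runs-on: ubuntu-24.04
    timeout-minutes: 10
    steps:
      # NOTE(review): the third-party actions in this job are referenced by
      # tag (@v5, @v6). Tags are mutable; pinning to a full commit SHA fixes
      # the code that runs here.
      - uses: actions/checkout@v5
        name: Checkout wolfSSL
        with:
          # Later steps compile and run the checked-out tree, which on
          # pull_request events is contributor code. Do not leave the
          # workflow token in .git/config where that code could read it.
          persist-credentials: false
      - name: Install dependencies
        uses: ./.github/actions/install-apt-deps
        with:
          packages: autoconf automake libtool build-essential bubblewrap
          ghcr-debs-tag: ubuntu-24.04-minimal
      - name: Set up ccache
        uses: ./.github/actions/ccache-setup
        with:
          workflow-id: tinytls13
          # True only on pull_request events; presumably this stops PR builds
          # from writing to the shared compiler cache - confirm against the
          # ccache-setup action.
          read-only: ${{ github.event_name == 'pull_request' }}
          max-size: 100M
      # Lifts the AppArmor restriction on unprivileged user namespaces for
      # the whole runner so bwrap can be used. `|| true` keeps the step green
      # when the sysctl write fails; a failure here is therefore not reported
      # by this step.
      - name: Allow unprivileged user namespaces (for bwrap)
        run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
      # Every tiny TLS 1.3 profile/adder spelling, so each is proven to build
      # and pass make check (which runs the TLS handshake test suite) out of
      # the box. Server is enabled where a config needs the server-side tests.
      # The psk-p256 and cert-rsaverify configs strip to combinations
      # (ECDHE-only ECC without certs, RSA verify only) that the OpenSSL-compat
      # API unit suite (coupled to examples via BUILD_TESTS) does not gate for.
      # Rather than carry test-harness edits for those, they build static with
      # --disable-examples, skip make check ("check": false), and instead run
      # wolfcrypt/test/testwolfcrypt plus examples/tls13/tls13_memio.c
      # (a self-contained in-memory TLS 1.3 handshake) for real crypto and
      # handshake verification.
      #
      # The ${{ }} expression in the script is expanded by Actions before the
      # shell runs. It yields one of two fixed literals ('--build-only' on
      # schedule events, otherwise the empty string), so no event payload text
      # reaches the command line.
      - name: Build and test all tinytls13 configs
        run: |
          cat > "$RUNNER_TEMP/tinytls13-configs.json" <<'EOF'
          [
            {"name": "tinytls13-psk-x25519", "minutes": 1,
             "configure": ["--enable-tinytls13=psk,server", "--disable-mlkem"]},
            {"name": "tinytls13-psk-p256", "minutes": 1, "check": false,
             "configure": ["--enable-tinytls13=psk,p256,server", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
             "run": [["make", "wolfcrypt/test/testwolfcrypt"], ["./wolfcrypt/test/testwolfcrypt"],
                     ["cc", "-I.", "-I..", "../examples/tls13/tls13_memio.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tls13_memio"],
                     ["./tls13_memio"]]},
            {"name": "tinytls13-psk-staticmem", "minutes": 1,
             "configure": ["--enable-tinytls13=psk,server,staticmem", "--disable-mlkem"]},
            {"name": "tinytls13-psk-mldsa", "minutes": 1,
             "configure": ["--enable-tinytls13=psk,server,mldsa", "--disable-mlkem"]},
            {"name": "tinytls13-psk-sha384", "minutes": 1,
             "configure": ["--enable-tinytls13=psk,server,sha384", "--disable-mlkem"]},
            {"name": "tinytls13-cert", "minutes": 1,
             "configure": ["--enable-tinytls13=cert,server", "--disable-mlkem"]},
            {"name": "tinytls13-cert-sha384", "minutes": 1,
             "configure": ["--enable-tinytls13=cert,server,sha384", "--disable-mlkem"]},
            {"name": "tinytls13-cert-mutualauth", "minutes": 1,
             "configure": ["--enable-tinytls13=cert,mutualauth,server", "--disable-mlkem"]},
            {"name": "tinytls13-cert-rsaverify", "minutes": 1, "check": false,
             "configure": ["--enable-tinytls13=cert,server,rsaverify", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
             "run": [["make", "wolfcrypt/test/testwolfcrypt"], ["./wolfcrypt/test/testwolfcrypt"],
                     ["cc", "-I.", "-I..", "../examples/tls13/tls13_memio.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tls13_memio"],
                     ["./tls13_memio"]]},
            {"name": "tinytls13-cert-mldsa", "minutes": 1,
             "configure": ["--enable-tinytls13=cert,server,mldsa", "--enable-static", "--disable-mlkem"],
             "run": [["cc", "-I.", "-I..", "../examples/tls13/tls13_memio.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tls13_memio"],
                     ["./tls13_memio"]]},
            {"name": "tinytls13-psk-client-only", "minutes": 1,
             "configure": ["--enable-tinytls13=psk", "--disable-mlkem"]},
            {"name": "tinytls13-cert-client-only", "minutes": 1,
             "configure": ["--enable-tinytls13=cert", "--disable-mlkem"]},
            {"name": "tinytls13-psk-asm", "minutes": 1,
             "configure": ["--enable-tinytls13=psk,server,asm", "--disable-mlkem"]},
            {"name": "tinytls13-cert-asm", "minutes": 1,
             "configure": ["--enable-tinytls13=cert,server,asm", "--disable-mlkem"]},
            {"name": "tinytls13-cert-chacha", "minutes": 1, "check": false,
             "configure": ["--enable-tinytls13=cert,server", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
             "cflags": "-DHAVE_CHACHA -DHAVE_POLY1305",
             "run": [["cc", "-I.", "-I..", "../examples/tls13/tls13_memio.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tls13_memio"],
                     ["./tls13_memio", "TLS13-CHACHA20-POLY1305-SHA256"]]},
            {"name": "tinytls13-cert-aes256", "minutes": 1, "check": false,
             "configure": ["--enable-tinytls13=cert,server,sha384", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
             "cflags": "-DWOLFSSL_AES_256",
             "run": [["cc", "-I.", "-I..", "../examples/tls13/tls13_memio.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tls13_memio"],
                     ["./tls13_memio", "TLS13-AES256-GCM-SHA384"]]},
            {"name": "tinytls13-psk-mlkem", "minutes": 1,
             "configure": ["--enable-tinytls13=psk,server", "--enable-static"],
             "run": [["cc", "-I.", "-I..", "../examples/tls13/tls13_memio.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tls13_memio"],
                     ["./tls13_memio", "-", "mlkem"]]},
            {"name": "tinytls13-cert-staticmem", "minutes": 1, "check": false,
             "configure": ["--enable-tinytls13=cert,server,staticmem", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
             "run": [["make", "wolfcrypt/test/testwolfcrypt"], ["./wolfcrypt/test/testwolfcrypt"],
                     ["cc", "-I.", "-I..", "../examples/tls13/tls13_memio.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tls13_memio"],
                     ["./tls13_memio"]]},
            {"name": "tinytls13-nomalloc", "minutes": 1, "check": false,
             "configure": ["--enable-tinytls13=psk,server,staticmem", "--enable-static", "--disable-shared", "--disable-examples", "--disable-crypttests", "--disable-mlkem"],
             "cflags": "-DWOLFSSL_NO_MALLOC"},
            {"name": "tinytls13-combo-cert-mutualauth-sha384", "minutes": 1,
             "configure": ["--enable-tinytls13=cert,mutualauth,server,sha384", "--disable-mlkem"]},
            {"name": "tinytls13-combo-cert-mldsa-sha384", "minutes": 1,
             "configure": ["--enable-tinytls13=cert,server,mldsa,sha384", "--enable-static", "--disable-mlkem"],
             "run": [["cc", "-I.", "-I..", "../examples/tls13/tls13_memio.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tls13_memio"],
                     ["./tls13_memio"]]},
            {"name": "tinytls13-bare", "minutes": 1,
             "configure": ["--enable-tinytls13", "--disable-mlkem"]},
            {"name": "tinytls13-usersettings", "minutes": 1, "check": false,
             "user_settings": "examples/configs/user_settings_tinytls13.h",
             "configure": ["--enable-usersettings", "--enable-static", "--disable-shared", "--disable-examples", "--disable-crypttests"]}
          ]
          EOF
          .github/scripts/parallel-make-check.py \
            ${{ github.event_name == 'schedule' && '--build-only' || '' }} \
            --private-dir=certs \
            "$RUNNER_TEMP/tinytls13-configs.json"
      # Runs even when an earlier step failed; `|| true` makes the statistics
      # purely informational.
      - name: ccache stats
        if: always()
        run: ccache -s || true
      # Only on failure: keep the build and test logs for seven days. Logs of
      # pull-request builds are produced by contributor code, so treat the
      # artifact contents as untrusted when reading them.
      - name: Upload logs on failure
        if: failure()
        uses: actions/upload-artifact@v6
        with:
          retention-days: 7
          name: tinytls13-logs
          path: |
            build-*/make-check.log
            build-*/test-suite.log
            build-*/config.log
          if-no-files-found: ignore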