wolfssl/.github/workflows/cryptocb-only.yml
Juliusz Sosinowicz 3a6c31a51e CI: pool the per-config runner matrices into parallel make-check jobs
Replace the one-runner-per-configuration matrices across the
make-check workflow family with a generic pooled runner,
.github/scripts/parallel-make-check.py. Each workflow keeps its
configuration list as JSON next to the invocation; one runner (or a
small fixed set of shards, balanced by measured per-config minutes)
builds every config in its own out-of-tree (VPATH) build directory off
a single checkout/autogen, on a pool of one-per-CPU worker threads,
longest first. Concurrent checks are isolated with bubblewrap network
namespaces, compilations are cached with ccache, the first failure
aborts the rest (fail-fast, with --no-fail-fast to run everything),
and per-config timings plus pool efficiency land in the step summary.
Failure logs upload as artifacts. smoke-test.yml is likewise reworked
into a single pooled job that runs its nine configs on one runner.

Converted workflows (runner jobs per full pass):
  os-check.yml             101 -> 8  (92 Ubuntu configs -> 4 shards;
                           the macOS matrix, the user-settings jobs and
                           the standalone
                           macos-apple-native-cert-validation.yml fold
                           into one macOS runner; Windows unchanged)
  pq-all.yml                21 -> 2 shards
  disable-pk-algs.yml       15 -> 1
  wolfCrypt-Wconversion.yml 11 -> 1
  trackmemory.yml            7 -> 1
  cryptocb-only.yml          8 -> 1  (incl. the two new SHA512 entries)
  multi-compiler.yml         6 -> 1
  smallStackSize.yml         6 -> 1
  multi-arch.yml             6 -> 1
  async.yml                  5 -> 1
  psk.yml                    5 -> 1
  no-malloc.yml              3 -> 1
  wolfsm.yml                 3 -> 1
  opensslcoexist.yml         2 -> 1

Measured against current upstream passing runs (job execution time,
queue excluded): ~200 runner jobs / ~374 runner-minutes per full pass
become 23 jobs / ~168 runner-minutes, with more coverage than before.
multi-arch's old matrix combined an "include" list of four
architectures with an "opts" axis; GitHub's include-merge rules made
each arch entry overwrite the previous one, so only the armel
combinations actually ran. The pooled list restores the intended
aarch64/armhf/riscv64 coverage (23 combinations; riscv64 x sp-math is
omitted as invalid - configure rejects sp-math without SP, and
--enable-riscv-asm, unlike --enable-sp-asm, does not bring SP in).

Out-of-tree build fixes this depends on:
- Makefile.am: symlink the read-only test data (certs/, tests/ config
  files, sniffer captures and helpers, examples/crypto_policies,
  input, quit) into the build tree via a BUILT_SOURCES stamp, removed
  again in distclean-local. ChangeToWolfRoot() and the script tests
  resolve everything relative to the working directory, so out-of-tree
  make check and make distcheck now pass.
- scripts/multi-msg-record.py: locate the client binary from the build
  tree working directory rather than the script's source directory.
- configure.ac + wolfssl/include.am: run
  support/gen-debug-trace-error-codes.sh from $srcdir; it reads the
  error-code headers from the source tree and generates into the build
  tree.
- tests/swdev: a WOLFBUILD variable points the sub-make at the build
  tree for the configure-generated headers (wolfssl/options.h,
  wolfssl/version.h); the in-tree-only guards are dropped.

Portions of PR #10649 are incorporated: the cross-platform
ccache-setup composite action, repository_owner gates on check-headers
and check-source-text, the docs-only paths-ignore on os-check, and the
libspdm timeout bumps.
2026-06-12 09:47:13 +00:00


name: cryptocb-only Tests

# START OF COMMON SECTION
on:
  push:
    branches: [ 'release/**' ]
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
    branches: [ '*' ]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
# END OF COMMON SECTION

jobs:
  # All former runner-per-config matrix entries build on one runner via
  # .github/scripts/parallel-make-check.py (see os-check.yml for the full
  # pattern): each config in its own out-of-tree ("VPATH") build directory
  # off one checkout/autogen, checks on a pool of one-per-CPU worker
  # threads, longest first. bubblewrap gives every test script its own
  # network namespace so concurrent checks cannot collide on TCP/UDP ports
  # (do not set AM_BWRAPPED here - that would disable it).
  make_check:
    name: make check
    if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
    runs-on: ubuntu-24.04
    # Generous for a cold ccache; warm reruns finish in a fraction.
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v4
        name: Checkout wolfSSL

      - name: Install dependencies
        uses: ./.github/actions/install-apt-deps
        with:
          packages: autoconf automake libtool build-essential bubblewrap

      # ccache via the cross-platform composite; the script passes the
      # compiler to configure as CC="ccache gcc" (or a per-config "cc").
      - name: Set up ccache
        uses: ./.github/actions/ccache-setup
        with:
          workflow-id: cryptocb-only
          max-size: 200M

      # Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
      # which would stop the test scripts from re-execing under
      # bwrap --unshare-net (their port-isolation mechanism).
      - name: Allow unprivileged user namespaces (for bwrap)
        run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true

      # The JSON list below is the former runner-per-config matrix (the
      # shared BASE_CONFIG env is folded into every entry); add new configs
      # as new entries. "minutes" drives longest-first scheduling: refresh
      # it from the Minutes column of a previous run's step summary.
      - name: Build and make check all configs (parallel, out-of-tree)
        run: |
          cat > "$RUNNER_TEMP/cryptocb-only-configs.json" <<'EOF'
          [
            {"name": "ecc", "minutes": 2,
             "comment": "WOLF_CRYPTO_CB_ONLY_ECC: strips software ECC; swdev provides the software path via cryptocb. FP_ECC / ECCSI / SAKKE / deterministic-k test / OPENSSL_EXTRA compat layer all reference stripped primitives directly, so they stay off.",
             "configure": ["--enable-swdev", "--enable-cryptocb", "--enable-ecc",
                           "--enable-rsa", "--enable-dh", "--enable-aesgcm",
                           "--enable-aesccm", "--enable-aesctr", "--enable-aescfb",
                           "--enable-aeskeywrap", "--enable-aessiv", "--enable-aesofb",
                           "--enable-aesxts", "--enable-camellia", "--enable-chacha",
                           "--enable-poly1305", "--enable-sha", "--enable-sha3",
                           "--enable-shake128", "--enable-shake256", "--enable-blake2",
                           "--enable-blake2s", "--enable-hkdf", "--enable-hashdrbg",
                           "--enable-hashflags", "--enable-curve25519", "--enable-ed25519",
                           "--enable-curve448", "--enable-ed448", "--enable-mlkem",
                           "--enable-dilithium", "--enable-scrypt", "--enable-pwdbased",
                           "--enable-pkcs7", "--enable-pkcs12", "--enable-certgen",
                           "--enable-certreq", "--enable-certext", "--enable-keygen",
                           "--enable-asn=all", "--enable-cmac", "--enable-xchacha",
                           "--enable-crl", "--enable-ocsp", "--enable-ocspstapling",
                           "--enable-ocspstapling2", "--enable-dtls", "--enable-dtls13",
                           "--enable-tls13", "CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_ECC"]},
            {"name": "rsa", "minutes": 2,
             "comment": "WOLF_CRYPTO_CB_ONLY_RSA: strips software RSA; swdev provides the software path via cryptocb.",
             "configure": ["--enable-swdev", "--enable-cryptocb", "--enable-ecc",
                           "--enable-rsa", "--enable-dh", "--enable-aesgcm",
                           "--enable-aesccm", "--enable-aesctr", "--enable-aescfb",
                           "--enable-aeskeywrap", "--enable-aessiv", "--enable-aesofb",
                           "--enable-aesxts", "--enable-camellia", "--enable-chacha",
                           "--enable-poly1305", "--enable-sha", "--enable-sha3",
                           "--enable-shake128", "--enable-shake256", "--enable-blake2",
                           "--enable-blake2s", "--enable-hkdf", "--enable-hashdrbg",
                           "--enable-hashflags", "--enable-curve25519", "--enable-ed25519",
                           "--enable-curve448", "--enable-ed448", "--enable-mlkem",
                           "--enable-dilithium", "--enable-scrypt", "--enable-pwdbased",
                           "--enable-pkcs7", "--enable-pkcs12", "--enable-certgen",
                           "--enable-certreq", "--enable-certext", "--enable-keygen",
                           "--enable-asn=all", "--enable-cmac", "--enable-xchacha",
                           "--enable-crl", "--enable-ocsp", "--enable-ocspstapling",
                           "--enable-ocspstapling2", "--enable-dtls", "--enable-dtls13",
                           "--enable-tls13", "CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_RSA"]},
            {"name": "sha256", "minutes": 2,
             "comment": "WOLF_CRYPTO_CB_ONLY_SHA256: strips software SHA-256; swdev provides the software path via cryptocb.",
             "configure": ["--enable-swdev", "--enable-cryptocb", "--enable-ecc",
                           "--enable-rsa", "--enable-dh", "--enable-aesgcm",
                           "--enable-aesccm", "--enable-aesctr", "--enable-aescfb",
                           "--enable-aeskeywrap", "--enable-aessiv", "--enable-aesofb",
                           "--enable-aesxts", "--enable-camellia", "--enable-chacha",
                           "--enable-poly1305", "--enable-sha", "--enable-sha3",
                           "--enable-shake128", "--enable-shake256", "--enable-blake2",
                           "--enable-blake2s", "--enable-hkdf", "--enable-hashdrbg",
                           "--enable-hashflags", "--enable-curve25519", "--enable-ed25519",
                           "--enable-curve448", "--enable-ed448", "--enable-mlkem",
                           "--enable-dilithium", "--enable-scrypt", "--enable-pwdbased",
                           "--enable-pkcs7", "--enable-pkcs12", "--enable-certgen",
                           "--enable-certreq", "--enable-certext", "--enable-keygen",
                           "--enable-asn=all", "--enable-cmac", "--enable-xchacha",
                           "--enable-crl", "--enable-ocsp", "--enable-ocspstapling",
                           "--enable-ocspstapling2", "--enable-dtls", "--enable-dtls13",
                           "--enable-tls13", "CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_SHA256"]},
            {"name": "sha512", "minutes": 2,
             "comment": "WOLF_CRYPTO_CB_ONLY_SHA512: strips software SHA-512 family (SHA-384, SHA-512/224, SHA-512/256, SHA-512); swdev handles every variant explicitly via cryptocb.",
             "configure": ["--enable-swdev", "--enable-cryptocb", "--enable-ecc",
                           "--enable-rsa", "--enable-dh", "--enable-aesgcm",
                           "--enable-aesccm", "--enable-aesctr", "--enable-aescfb",
                           "--enable-aeskeywrap", "--enable-aessiv", "--enable-aesofb",
                           "--enable-aesxts", "--enable-camellia", "--enable-chacha",
                           "--enable-poly1305", "--enable-sha", "--enable-sha3",
                           "--enable-shake128", "--enable-shake256", "--enable-blake2",
                           "--enable-blake2s", "--enable-hkdf", "--enable-hashdrbg",
                           "--enable-hashflags", "--enable-curve25519", "--enable-ed25519",
                           "--enable-curve448", "--enable-ed448", "--enable-mlkem",
                           "--enable-dilithium", "--enable-scrypt", "--enable-pwdbased",
                           "--enable-pkcs7", "--enable-pkcs12", "--enable-certgen",
                           "--enable-certreq", "--enable-certext", "--enable-keygen",
                           "--enable-asn=all", "--enable-cmac", "--enable-xchacha",
                           "--enable-crl", "--enable-ocsp", "--enable-ocspstapling",
                           "--enable-ocspstapling2", "--enable-dtls", "--enable-dtls13",
                           "--enable-tls13", "CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_SHA512"]},
            {"name": "sha512-via-general", "minutes": 2,
             "comment": "Same as sha512 but tells swdev to refuse the SHA-384 / SHA-512/224 / SHA-512/256 variant callbacks (WOLFSSL_SWDEV_SHA512_GENERAL_ONLY). That forces the cryptocb dispatcher's fallback-to-plain-SHA-512-with-truncation path. The sha512 entry above instead has swdev handle every variant end-to-end, so the dispatcher fallback is otherwise uncovered.",
             "configure": ["--enable-swdev", "--enable-cryptocb", "--enable-ecc",
                           "--enable-rsa", "--enable-dh", "--enable-aesgcm",
                           "--enable-aesccm", "--enable-aesctr", "--enable-aescfb",
                           "--enable-aeskeywrap", "--enable-aessiv", "--enable-aesofb",
                           "--enable-aesxts", "--enable-camellia", "--enable-chacha",
                           "--enable-poly1305", "--enable-sha", "--enable-sha3",
                           "--enable-shake128", "--enable-shake256", "--enable-blake2",
                           "--enable-blake2s", "--enable-hkdf", "--enable-hashdrbg",
                           "--enable-hashflags", "--enable-curve25519", "--enable-ed25519",
                           "--enable-curve448", "--enable-ed448", "--enable-mlkem",
                           "--enable-dilithium", "--enable-scrypt", "--enable-pwdbased",
                           "--enable-pkcs7", "--enable-pkcs12", "--enable-certgen",
                           "--enable-certreq", "--enable-certext", "--enable-keygen",
                           "--enable-asn=all", "--enable-cmac", "--enable-xchacha",
                           "--enable-crl", "--enable-ocsp", "--enable-ocspstapling",
                           "--enable-ocspstapling2", "--enable-dtls", "--enable-dtls13",
                           "--enable-tls13",
                           "CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_SHA512 -DWOLFSSL_SWDEV_SHA512_GENERAL_ONLY"]},
            {"name": "aes", "minutes": 2,
             "comment": "WOLF_CRYPTO_CB_ONLY_AES: strips software AES; swdev provides the software path via cryptocb.",
             "configure": ["--enable-swdev", "--enable-cryptocb", "--enable-ecc",
                           "--enable-rsa", "--enable-dh", "--enable-aesgcm",
                           "--enable-aesccm", "--enable-aesctr", "--enable-aescfb",
                           "--enable-aeskeywrap", "--enable-aessiv", "--enable-aesofb",
                           "--enable-aesxts", "--enable-camellia", "--enable-chacha",
                           "--enable-poly1305", "--enable-sha", "--enable-sha3",
                           "--enable-shake128", "--enable-shake256", "--enable-blake2",
                           "--enable-blake2s", "--enable-hkdf", "--enable-hashdrbg",
                           "--enable-hashflags", "--enable-curve25519", "--enable-ed25519",
                           "--enable-curve448", "--enable-ed448", "--enable-mlkem",
                           "--enable-dilithium", "--enable-scrypt", "--enable-pwdbased",
                           "--enable-pkcs7", "--enable-pkcs12", "--enable-certgen",
                           "--enable-certreq", "--enable-certext", "--enable-keygen",
                           "--enable-asn=all", "--enable-cmac", "--enable-xchacha",
                           "--enable-crl", "--enable-ocsp", "--enable-ocspstapling",
                           "--enable-ocspstapling2", "--enable-dtls", "--enable-dtls13",
                           "--enable-tls13", "CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_AES"]},
            {"name": "aes-gcm-via-ecb", "minutes": 2,
             "comment": "Same as aes but tells swdev to refuse AES-GCM (SWDEV_AES_ONLYECB). That forces the parent's CB_ONLY_AES host-side GCM software path: GHASH runs on the host while AES-CTR blocks dispatch back through cryptocb ECB. The aes entry instead has swdev handle GCM end-to-end, so the host-side GCM path is otherwise uncovered.",
             "configure": ["--enable-swdev", "--enable-cryptocb", "--enable-ecc",
                           "--enable-rsa", "--enable-dh", "--enable-aesgcm",
                           "--enable-aesccm", "--enable-aesctr", "--enable-aescfb",
                           "--enable-aeskeywrap", "--enable-aessiv", "--enable-aesofb",
                           "--enable-aesxts", "--enable-camellia", "--enable-chacha",
                           "--enable-poly1305", "--enable-sha", "--enable-sha3",
                           "--enable-shake128", "--enable-shake256", "--enable-blake2",
                           "--enable-blake2s", "--enable-hkdf", "--enable-hashdrbg",
                           "--enable-hashflags", "--enable-curve25519", "--enable-ed25519",
                           "--enable-curve448", "--enable-ed448", "--enable-mlkem",
                           "--enable-dilithium", "--enable-scrypt", "--enable-pwdbased",
                           "--enable-pkcs7", "--enable-pkcs12", "--enable-certgen",
                           "--enable-certreq", "--enable-certext", "--enable-keygen",
                           "--enable-asn=all", "--enable-cmac", "--enable-xchacha",
                           "--enable-crl", "--enable-ocsp", "--enable-ocspstapling",
                           "--enable-ocspstapling2", "--enable-dtls", "--enable-dtls13",
                           "--enable-tls13",
                           "CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_AES -DSWDEV_AES_ONLYECB"]},
            {"name": "all", "minutes": 2,
             "comment": "All five ONLY_* macros at once: every supported software primitive is stripped and dispatched through cryptocb. Catches any cross-algorithm call that a single-strip entry would still resolve via the remaining software paths.",
             "configure": ["--enable-swdev", "--enable-cryptocb", "--enable-ecc",
                           "--enable-rsa", "--enable-dh", "--enable-aesgcm",
                           "--enable-aesccm", "--enable-aesctr", "--enable-aescfb",
                           "--enable-aeskeywrap", "--enable-aessiv", "--enable-aesofb",
                           "--enable-aesxts", "--enable-camellia", "--enable-chacha",
                           "--enable-poly1305", "--enable-sha", "--enable-sha3",
                           "--enable-shake128", "--enable-shake256", "--enable-blake2",
                           "--enable-blake2s", "--enable-hkdf", "--enable-hashdrbg",
                           "--enable-hashflags", "--enable-curve25519", "--enable-ed25519",
                           "--enable-curve448", "--enable-ed448", "--enable-mlkem",
                           "--enable-dilithium", "--enable-scrypt", "--enable-pwdbased",
                           "--enable-pkcs7", "--enable-pkcs12", "--enable-certgen",
                           "--enable-certreq", "--enable-certext", "--enable-keygen",
                           "--enable-asn=all", "--enable-cmac", "--enable-xchacha",
                           "--enable-crl", "--enable-ocsp", "--enable-ocspstapling",
                           "--enable-ocspstapling2", "--enable-dtls", "--enable-dtls13",
                           "--enable-tls13",
                           "CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_ECC -DWOLF_CRYPTO_CB_ONLY_RSA -DWOLF_CRYPTO_CB_ONLY_SHA256 -DWOLF_CRYPTO_CB_ONLY_SHA512 -DWOLF_CRYPTO_CB_ONLY_AES"]}
          ]
          EOF
          .github/scripts/parallel-make-check.py \
            --private-dir=certs \
            "$RUNNER_TEMP/cryptocb-only-configs.json"

      - name: ccache stats
        if: always()
        run: ccache -s || true

      - name: Upload logs on failure
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: cryptocb-only-logs
          path: |
            build-*/make-check.log
            build-*/test-suite.log
            build-*/config.log
          if-no-files-found: ignore
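The pooled scheduler that the commit message and the "Build and make check" step comment describe (a config list whose "minutes" drive longest-first dispatch onto one-per-CPU workers, with pool efficiency reported afterwards), as an added example that is not wolfSSL's parallel-make-check.py: it parses the same JSON shape, recovers the folded-in BASE_CONFIG as the flags common to every entry, and simulates the longest-first assignment. The sample entries, their minutes and the shortened configure lists are constructed, and the efficiency formula (busy minutes over workers times makespan) is an assumption about what the real script reports.

```python
# Added illustration, not wolfSSL's parallel-make-check.py: reads the JSON
# shape the workflow writes, recovers the folded-in BASE_CONFIG, and simulates
# longest-first dispatch onto a fixed pool (makespan + pool efficiency).
import heapq
import json

# Constructed sample in the workflow's format; minutes are made up so the
# schedule is non-trivial (the real entries all say 2).
CONFIGS_JSON = """[
  {"name": "ecc", "minutes": 5,
   "configure": ["--enable-swdev", "--enable-cryptocb", "CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_ECC"]},
  {"name": "rsa", "minutes": 3,
   "configure": ["--enable-swdev", "--enable-cryptocb", "CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_RSA"]},
  {"name": "aes", "minutes": 4,
   "configure": ["--enable-swdev", "--enable-cryptocb", "CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_AES"]},
  {"name": "all", "minutes": 6,
   "configure": ["--enable-swdev", "--enable-cryptocb",
                 "CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_ECC -DWOLF_CRYPTO_CB_ONLY_RSA -DWOLF_CRYPTO_CB_ONLY_AES"]}
]"""

def load_configs(text):
    """Parse and check: unique names (each becomes build-<name>/), positive minutes."""
    configs = json.loads(text)
    names = [c["name"] for c in configs]
    if len(set(names)) != len(names):
        raise ValueError("duplicate config names: build dirs would collide")
    for c in configs:
        if not isinstance(c.get("minutes"), (int, float)) or c["minutes"] <= 0:
            raise ValueError(f"{c['name']}: 'minutes' must be a positive number")
    return configs

def common_flags(configs):
    """Flags every entry shares, i.e. the BASE_CONFIG the old matrix folded in."""
    return set.intersection(*(set(c["configure"]) for c in configs))

def schedule(configs, workers):
    """Longest-first greedy dispatch onto `workers` threads (one per CPU in the
    real script). Returns (name -> worker, makespan, busy / (workers*makespan))."""
    heap = [(0.0, w) for w in range(workers)]  # (minutes committed, worker id)
    assignment = {}
    for c in sorted(configs, key=lambda c: c["minutes"], reverse=True):
        busy, w = heapq.heappop(heap)          # least-loaded worker takes it
        assignment[c["name"]] = w
        heapq.heappush(heap, (busy + c["minutes"], w))
    makespan = max(busy for busy, _ in heap)
    total = sum(c["minutes"] for c in configs)
    return assignment, makespan, total / (workers * makespan)

if __name__ == "__main__":
    cfgs = load_configs(CONFIGS_JSON)
    who, span, eff = schedule(cfgs, 2)
    print(sorted(common_flags(cfgs)), who, span, f"{eff:.0%}")
```

With the constructed minutes, two workers finish in 9 minutes at 100% pool efficiency, while three workers finish in 7 minutes at about 86%, which is the trade-off the shard counts in the commit message were balanced against.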