mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-11 09:00:53 +02:00
133 lines
7.3 KiB
YAML
133 lines
7.3 KiB
YAML
name: cryptocb-only Tests
|
|
|
|
# START OF COMMON SECTION
|
|
on:
|
|
push:
|
|
branches: [ 'release/**' ]
|
|
pull_request:
|
|
types: [opened, synchronize, reopened, ready_for_review]
|
|
branches: [ '*' ]
|
|
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
|
|
# restore: re-runs --build-only (compile only, no tests) on the
|
|
# default branch. PR runs are read-only (see ccache-setup).
|
|
schedule:
|
|
- cron: '12 10 * * 1-5'
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
# END OF COMMON SECTION
|
|
|
|
jobs:
|
|
# All former runner-per-config matrix entries build on one runner via
|
|
# .github/scripts/parallel-make-check.py (see os-check.yml for the full
|
|
# pattern): each config in its own out-of-tree ("VPATH") build directory
|
|
# off one checkout/autogen, checks on a pool of one-per-CPU worker
|
|
# threads, longest first. bubblewrap gives every test script its own
|
|
# network namespace so concurrent checks cannot collide on TCP/UDP ports
|
|
# (do not set AM_BWRAPPED here - that would disable it).
|
|
make_check:
|
|
name: make check
|
|
if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
|
|
runs-on: ubuntu-24.04
|
|
# Generous for a cold ccache; warm reruns finish in a fraction.
|
|
timeout-minutes: 15
|
|
steps:
|
|
- uses: actions/checkout@v5
|
|
name: Checkout wolfSSL
|
|
|
|
- name: Install dependencies
|
|
uses: ./.github/actions/install-apt-deps
|
|
with:
|
|
packages: autoconf automake libtool build-essential bubblewrap
|
|
ghcr-debs-tag: ubuntu-24.04-minimal
|
|
|
|
# ccache via the cross-platform composite; the script passes the
|
|
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
|
|
- name: Set up ccache
|
|
uses: ./.github/actions/ccache-setup
|
|
with:
|
|
workflow-id: cryptocb-only
|
|
read-only: ${{ github.event_name == 'pull_request' }}
|
|
max-size: 200M
|
|
|
|
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
|
|
# which would stop the test scripts from re-execing under
|
|
# bwrap --unshare-net (their port-isolation mechanism).
|
|
- name: Allow unprivileged user namespaces (for bwrap)
|
|
run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
|
|
|
|
# The JSON below feeds .github/scripts/parallel-make-check.py: a shared
|
|
# "base" of the common configure flags, then one entry per ONLY_* macro
|
|
# whose "configure" (CPPFLAGS) is appended to the base. Add configs
|
|
# as new entries. "minutes" (set once in base) drives longest-first
|
|
# scheduling: refresh it from a previous run's step-summary Minutes.
|
|
- name: Build and make check all configs (parallel, out-of-tree)
|
|
run: |
|
|
cat > "$RUNNER_TEMP/cryptocb-only-configs.json" <<'EOF'
|
|
{"base": {"minutes": 2, "configure": [
|
|
"--enable-swdev", "--enable-cryptocb", "--enable-ecc",
|
|
"--enable-rsa", "--enable-dh", "--enable-aesgcm",
|
|
"--enable-aesccm", "--enable-aesctr", "--enable-aescfb",
|
|
"--enable-aeskeywrap", "--enable-aessiv", "--enable-aesofb",
|
|
"--enable-aesxts", "--enable-camellia", "--enable-chacha",
|
|
"--enable-poly1305", "--enable-sha", "--enable-sha3",
|
|
"--enable-shake128", "--enable-shake256", "--enable-blake2",
|
|
"--enable-blake2s", "--enable-hkdf", "--enable-hashdrbg",
|
|
"--enable-hashflags", "--enable-curve25519", "--enable-ed25519",
|
|
"--enable-curve448", "--enable-ed448", "--enable-mlkem",
|
|
"--enable-dilithium", "--enable-scrypt", "--enable-pwdbased",
|
|
"--enable-pkcs7", "--enable-pkcs12", "--enable-certgen",
|
|
"--enable-certreq", "--enable-certext", "--enable-keygen",
|
|
"--enable-asn=all", "--enable-cmac", "--enable-xchacha",
|
|
"--enable-crl", "--enable-ocsp", "--enable-ocspstapling",
|
|
"--enable-ocspstapling2", "--enable-dtls", "--enable-dtls13",
|
|
"--enable-tls13"]},
|
|
"configs": [
|
|
{"name": "ecc",
|
|
"comment": "WOLF_CRYPTO_CB_ONLY_ECC: strips software ECC; swdev provides the software path via cryptocb. FP_ECC / ECCSI / SAKKE / deterministic-k test / OPENSSL_EXTRA compat layer all reference stripped primitives directly, so they stay off.",
|
|
"configure": ["CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_ECC"]},
|
|
{"name": "rsa",
|
|
"comment": "WOLF_CRYPTO_CB_ONLY_RSA: strips software RSA; swdev provides the software path via cryptocb.",
|
|
"configure": ["CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_RSA"]},
|
|
{"name": "sha256",
|
|
"comment": "WOLF_CRYPTO_CB_ONLY_SHA256: strips software SHA-256; swdev provides the software path via cryptocb.",
|
|
"configure": ["CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_SHA256"]},
|
|
{"name": "sha512",
|
|
"comment": "WOLF_CRYPTO_CB_ONLY_SHA512: strips software SHA-512 family (SHA-384, SHA-512/224, SHA-512/256, SHA-512); swdev handles every variant explicitly via cryptocb.",
|
|
"configure": ["CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_SHA512"]},
|
|
{"name": "sha512-via-general",
|
|
"comment": "Same as sha512 but tells swdev to refuse the SHA-384 / SHA-512/224 / SHA-512/256 variant callbacks (WOLFSSL_SWDEV_SHA512_GENERAL_ONLY). That forces the cryptocb dispatcher's fallback-to-plain-SHA-512-with-truncation path. The sha512 entry above instead has swdev handle every variant end-to-end, so the dispatcher fallback is otherwise uncovered.",
|
|
"configure": ["CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_SHA512 -DWOLFSSL_SWDEV_SHA512_GENERAL_ONLY"]},
|
|
{"name": "aes",
|
|
"comment": "WOLF_CRYPTO_CB_ONLY_AES: strips software AES; swdev provides the software path via cryptocb.",
|
|
"configure": ["CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_AES"]},
|
|
{"name": "aes-gcm-via-ecb",
|
|
"comment": "Same as aes but tells swdev to refuse AES-GCM (SWDEV_AES_ONLYECB). That forces the parent's CB_ONLY_AES host-side GCM software path: GHASH runs on the host while AES-CTR blocks dispatch back through cryptocb ECB. The aes entry instead has swdev handle GCM end-to-end, so the host-side GCM path is otherwise uncovered.",
|
|
"configure": ["CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_AES -DSWDEV_AES_ONLYECB"]},
|
|
{"name": "all",
|
|
"comment": "All five ONLY_* macros at once: every supported software primitive is stripped and dispatched through cryptocb. Catches any cross-algorithm call that a single-strip entry would still resolve via the remaining software paths.",
|
|
"configure": ["CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_ECC -DWOLF_CRYPTO_CB_ONLY_RSA -DWOLF_CRYPTO_CB_ONLY_SHA256 -DWOLF_CRYPTO_CB_ONLY_SHA512 -DWOLF_CRYPTO_CB_ONLY_AES"]}
|
|
]}
|
|
EOF
|
|
.github/scripts/parallel-make-check.py \
|
|
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
|
|
--private-dir=certs \
|
|
"$RUNNER_TEMP/cryptocb-only-configs.json"
|
|
|
|
- name: ccache stats
|
|
if: always()
|
|
run: ccache -s || true
|
|
|
|
- name: Upload logs on failure
|
|
if: failure()
|
|
uses: actions/upload-artifact@v6
|
|
with:
|
|
retention-days: 7
|
|
name: cryptocb-only-logs
|
|
path: |
|
|
build-*/make-check.log
|
|
build-*/test-suite.log
|
|
build-*/config.log
|
|
if-no-files-found: ignore
|