Files
wolfssl/.github/workflows/cryptocb-only.yml
T
David Garske 7f80896033 CI optimizations
- Skip CI for draft PRs and redundant master-push re-runs; membrowse nightly.
- Add smoke test (8 configs, CFLAGS=-Werror, post-merge tree, fail-fast on conflicts).
- Add wait-for-smoke composite action for downstream CI gating.
- Add check-source-text + bash -n + shellcheck workflow (script in make dist).
- Cache apt-get update in install-apt-deps composite on cache hit.
2026-05-21 13:19:29 -07:00

100 lines
4.0 KiB
YAML

name: cryptocb-only Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'release/**' ]
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
make_check:
strategy:
fail-fast: false
matrix:
include:
# WOLF_CRYPTO_CB_ONLY_ECC: strips software ECC; swdev provides the
# software path via cryptocb. FP_ECC / ECCSI / SAKKE / deterministic-k
# test / OPENSSL_EXTRA compat layer all reference stripped primitives
# directly, so they stay off.
- name: ECC
cppflags: -DWOLF_CRYPTO_CB_ONLY_ECC
# WOLF_CRYPTO_CB_ONLY_RSA: strips software RSA; swdev provides the
# software path via cryptocb.
- name: RSA
cppflags: -DWOLF_CRYPTO_CB_ONLY_RSA
# WOLF_CRYPTO_CB_ONLY_SHA256: strips software SHA-256; swdev provides
# the software path via cryptocb. SHA-224 not yet supported.
- name: SHA256
extra_config: --disable-sha224
cppflags: -DWOLF_CRYPTO_CB_ONLY_SHA256
# WOLF_CRYPTO_CB_ONLY_AES: strips software AES; swdev provides the
# software path via cryptocb.
- name: AES
cppflags: -DWOLF_CRYPTO_CB_ONLY_AES
# Same as AES but tells swdev to refuse AES-GCM (SWDEV_AES_ONLYECB).
# That forces the parent's CB_ONLY_AES host-side GCM software path:
# GHASH runs on the host while AES-CTR blocks dispatch back through
# cryptocb ECB. The AES entry above instead has swdev handle GCM
# end-to-end, so the host-side GCM path is otherwise uncovered.
- name: AES_GCM_via_ECB
cppflags: -DWOLF_CRYPTO_CB_ONLY_AES -DSWDEV_AES_ONLYECB
# All four ONLY_* macros at once: every supported software primitive
# is stripped and dispatched through cryptocb. Catches any cross-
# algorithm call that a single-strip entry would still resolve via
# the remaining software paths.
- name: ALL
extra_config: --disable-sha224
cppflags: >-
-DWOLF_CRYPTO_CB_ONLY_ECC -DWOLF_CRYPTO_CB_ONLY_RSA
-DWOLF_CRYPTO_CB_ONLY_SHA256 -DWOLF_CRYPTO_CB_ONLY_AES
name: make check (${{ matrix.name }})
if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
runs-on: ubuntu-24.04
timeout-minutes: 10
env:
# Common feature set for every entry.
BASE_CONFIG: >-
--enable-swdev --enable-cryptocb --enable-ecc --enable-rsa --enable-dh
--enable-aesgcm --enable-aesccm --enable-aesctr --enable-aescfb
--enable-aeskeywrap --enable-aessiv --enable-aesofb --enable-aesxts
--enable-camellia --enable-chacha --enable-poly1305
--enable-sha --enable-sha3 --enable-shake128 --enable-shake256
--enable-blake2 --enable-blake2s
--enable-hkdf --enable-hashdrbg --enable-hashflags
--enable-curve25519 --enable-ed25519 --enable-curve448 --enable-ed448
--enable-mlkem --enable-dilithium
--enable-scrypt --enable-pwdbased --enable-pkcs7 --enable-pkcs12
--enable-certgen --enable-certreq --enable-certext
--enable-keygen --enable-asn=all
--enable-cmac --enable-xchacha
--enable-crl --enable-ocsp --enable-ocspstapling --enable-ocspstapling2
--enable-dtls --enable-dtls13 --enable-tls13
steps:
- uses: actions/checkout@v4
name: Checkout wolfSSL
- name: Test wolfSSL
run: |
./autogen.sh
./configure $BASE_CONFIG ${{ matrix.extra_config }} CPPFLAGS="${{ matrix.cppflags }}"
make -j 4
make check
- name: Print errors
if: ${{ failure() }}
run: |
for file in scripts/*.log
do
if [ -f "$file" ]; then
echo "${file}:"
cat "$file"
fi
done