Fix to send record_overflow alert #12566
name: Ubuntu-Macos-Windows Tests
# START OF COMMON SECTION
on:
  push:
    branches:
      - 'release/**'
    # Docs-only changes cannot affect the build/test matrix - skip the
    # run for them. Keep this list narrow (markdown + doc/ only);
    # do not add cert/test data extensions here.
    paths-ignore:
      - '**/*.md'
      - 'doc/**'
  # Plain pull_request (not pull_request_target): runs triggered from forks
  # get a read-only GITHUB_TOKEN and no repository secrets.
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
    # NOTE(review): in a branch filter '*' does not match names containing
    # '/', so PRs whose base is a release/** branch do not trigger this
    # workflow; those branches are only covered by the push trigger above.
    # Confirm that is intended.
    branches:
      - '*'
    paths-ignore:
      - '**/*.md'
      - 'doc/**'
  # Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs restore: the
  # linux and macOS jobs re-run --build-only (compile only, no tests) on the
  # default branch, where their ccache writes are visible to every PR. Only
  # Windows is skipped on schedule (see its job `if`) - seeding the linux and
  # macOS shards is where the cold-cache cost lives.
  schedule:
    - cron: '0 10 * * 1-5'
# One live run per workflow and ref: a newer run cancels the older one.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
# END OF COMMON SECTION
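jobs:
  # NOTE(review): no `permissions:` is declared at workflow or job level, so
  # the GITHUB_TOKEN scope falls back to the repository/organization default.
  # Nothing visible in these jobs writes to the repository, so
  # `permissions: contents: read` looks sufficient - confirm against the
  # local composite actions (install-apt-deps, ccache-setup), which are not
  # visible here, before adding it.
  #
  # NOTE(review): every `uses:` below references a mutable version tag
  # (@v5, @v6, @v3). Pinning to a full commit SHA would keep a retagged
  # release from changing what runs here.
  #
  # Ubuntu config matrix. macOS is covered separately by make_check_macos
  # below with a curated subset; configs here either have equivalent macOS
  # coverage there or exercise no Darwin-specific code.
  #
  # The config list is built by a small fixed pool of shard runners: every
  # shard job runs the generic .github/scripts/parallel-make-check.py on
  # the same JSON list below with --shard K/N, which deals the configs
  # across the N shards greedily by their "minutes" weight so every shard
  # carries a similar load. Within a shard each config builds in its own
  # out-of-tree ("VPATH") build directory off one checkout/autogen, and
  # the checks run on a pool of one-per-CPU worker threads, longest first;
  # per-config times and thread/CPU efficiency land in each shard's step
  # summary (same machinery as smoke-test.yml). bubblewrap lets the script
  # tests re-exec under bwrap --unshare-net so concurrent checks cannot
  # collide on TCP/UDP ports (do not set AM_BWRAPPED here - that would
  # disable it).
  make_check_linux:
    name: make check linux
    strategy:
      fail-fast: false
      matrix:
        shard: [1, 2, 3, 4]
    # Only in the wolfssl organization, and never for draft PRs.
    if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
    runs-on: ubuntu-24.04
    # The full set measures ~272 thread-minutes cold (~90 warm), i.e. about
    # 68 thread-minutes per shard / 4 worker threads: ~20 min of wall per
    # shard cold and well under 10 warm, plus ~2-3 min of
    # checkout/deps/autogen overhead.
    timeout-minutes: 30
    env:
      CCACHE_MAXSIZE: 500M
    steps:
      - uses: actions/checkout@v5
      # tlslite-ng is consumed by scripts/multi-msg-record.test (run from
      # `make check`); without it that test is SKIPped.
      - uses: actions/setup-python@v6
        with:
          python-version: '3.x'
      # NOTE(review): unpinned install from the package index on every run,
      # PR runs included; pinning a version (ideally with hashes) would keep
      # this test dependency reproducible.
      - run: pip install tlslite-ng
      - name: Install dependencies
        uses: ./.github/actions/install-apt-deps
        with:
          packages: autoconf automake libtool build-essential bubblewrap ccache
          ghcr-debs-tag: ubuntu-24.04-minimal
      # Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
      # which would stop the test scripts from re-execing under
      # bwrap --unshare-net (their port-isolation mechanism).
      # This relaxes a host hardening control for the life of the job on
      # the runner selected by runs-on above. `|| true` keeps the step green
      # when the sysctl cannot be written, so a failure here is silent.
      - name: Allow unprivileged user namespaces (for bwrap)
        run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
      # ccache's default cache dir (XDG ~/.cache/ccache) is what the
      # actions/cache step below saves; pin it explicitly so the two
      # cannot drift apart (e.g. if a later change sets CCACHE_DIR).
      - name: Pin ccache directory
        run: echo "CCACHE_DIR=$HOME/.cache/ccache" >> "$GITHUB_ENV"
      # PRs restore the cache the weekday seed writes but never save it, so
      # PR runs add no per-shard ccache entries to the Actions cache. The
      # seed (schedule) saves below.
      - name: Restore ccache
        uses: actions/cache/restore@v5
        with:
          path: ~/.cache/ccache
          # Per-shard cache lineage: each shard compiles a distinct config
          # subset. Re-balancing "minutes" can move configs between shards;
          # that costs one rebuild of whatever moved.
          key: os-check-linux-ccache-${{ matrix.shard }}-${{ github.base_ref || github.ref_name }}-${{ github.sha }}
          restore-keys: |
            os-check-linux-ccache-${{ matrix.shard }}-${{ github.base_ref || github.ref_name }}-
            os-check-linux-ccache-${{ matrix.shard }}-
            os-check-linux-ccache-
      # On the weekday seed, force clean recompiles (CCACHE_RECACHE) so the
      # saved master ccache is reseeded from scratch rather than only
      # accumulating deltas. PR/push runs leave it unset and keep their warm hits.
      - name: Force fresh compiles on scheduled reseed
        if: github.event_name == 'schedule'
        run: echo "CCACHE_RECACHE=1" >> "$GITHUB_ENV"
      - name: autogen
        run: |
          ccache -z
          ./autogen.sh
      # The JSON list below is the former runner-per-config matrix; add new
      # configs here as new entries (a "comment" key is allowed for notes).
      # "minutes" is the expected duration driving longest-first scheduling
      # and shard balancing: take it from the Minutes column of a previous
      # run's step summary, or omit it for a new config (defaults to 1) and
      # refresh later - a stale value only packs the schedule worse. The
      # list is kept sorted by minutes for readability, but the schedule
      # sorts by the values, not list order.
      # The CFLAGS that were previously passed to configure are applied at
      # make time via --cflags, unchanged. --private-dir=certs gives every
      # build dir its own certs/ copy: crl-gen-openssl.test writes generated
      # CRLs under certs/crl/, which would race through the shared VPATH
      # certs symlink.
      # The heredoc delimiter is quoted ('EOF'), so the shell expands nothing
      # inside the JSON. The only expressions substituted into this script
      # are a constant string chosen by event name and the matrix/strategy
      # values; keep event payload fields out of `run:` bodies.
      - name: Build and make check this shard's configs (parallel, out-of-tree)
        run: |
          cat > "$RUNNER_TEMP/os-check-configs.json" <<'EOF'
          [
            {"name": "all-no-client-auth", "minutes": 9.0,
             "configure": ["--enable-all", "CPPFLAGS=-DWOLFSSL_NO_CLIENT_AUTH"]},
            {"name": "all-dilithium-cryptocb", "minutes": 8.9,
             "configure": ["--enable-all", "--enable-dilithium", "--enable-cryptocb",
                           "--enable-cryptocbutils", "--enable-pkcallbacks"]},
            {"name": "all-haproxy-quic", "minutes": 8.6,
             "configure": ["--enable-all", "--enable-haproxy", "--enable-quic"]},
            {"name": "all-asn-template", "minutes": 8.5,
             "configure": ["--enable-all", "--enable-asn=template"]},
            {"name": "all-asn-template-old-oid-sum", "minutes": 8.5,
             "configure": ["--enable-all", "--enable-asn=template", "CPPFLAGS=-DWOLFSSL_OLD_OID_SUM"]},
            {"name": "all-asn-original-old-oid-sum", "minutes": 8.4,
             "configure": ["--enable-all", "--enable-asn=original", "CPPFLAGS=-DWOLFSSL_OLD_OID_SUM"]},
            {"name": "all-asn-original", "minutes": 8.3,
             "configure": ["--enable-all", "--enable-asn=original"]},
            {"name": "all-certgencache", "minutes": 8.3,
             "configure": ["--enable-all", "--enable-certgencache"]},
            {"name": "all-dtls13-frag-ch-no-mlkem", "minutes": 8.2,
             "configure": ["--enable-all", "--enable-dtls13", "--enable-dtls-frag-ch",
                           "--disable-mlkem"]},
            {"name": "all-check-mem-zero", "minutes": 7.9,
             "configure": ["--enable-all", "CPPFLAGS=-DWOLFSSL_CHECK_MEM_ZERO"]},
            {"name": "all-secure-renegotiation", "minutes": 7.8,
             "configure": ["--enable-all", "--enable-secure-renegotiation"]},
            {"name": "all-debug-certs", "minutes": 7.8,
             "configure": ["--enable-all", "CPPFLAGS=-DWOLFSSL_DEBUG_CERTS"]},
            {"name": "all-hash-keep", "minutes": 7.8,
             "configure": ["--enable-all", "CPPFLAGS=-DWOLFSSL_HASH_KEEP"]},
            {"name": "all-no-aes-192-256", "minutes": 7.5,
             "configure": ["--enable-all", "CPPFLAGS=-DNO_AES_192 -DNO_AES_256"]},
            {"name": "all-writedup", "minutes": 6.9,
             "configure": ["--enable-all", "--enable-writedup"]},
            {"name": "all-no-server", "minutes": 5.0,
             "configure": ["--enable-all", "CPPFLAGS=-DNO_WOLFSSL_SERVER"]},
            {"name": "nonblock-sp-c32", "minutes": 5.0,
             "comment": "Same but forcing SP_WORD_SIZE=32 to exercise sp_c32.c on a 64-bit host; the two builds together cover both generated variants of mod_exp_<words>_nb / RSA / DH wrappers.",
             "configure": ["--enable-curve25519=nonblock", "--enable-ecc=nonblock",
                           "--enable-rsa=nonblock", "--enable-dh=nonblock", "--enable-sp=yes,nonblock",
                           "CPPFLAGS=-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DEBUG_NONBLOCK -DRSA_LOW_MEM -DSP_WORD_SIZE=32"]},
            {"name": "all-no-server-no-client-auth", "minutes": 4.8,
             "configure": ["--enable-all", "CPPFLAGS=-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_CLIENT_AUTH"]},
            {"name": "all-no-client-no-client-auth", "minutes": 4.4,
             "configure": ["--enable-all", "CPPFLAGS=-DNO_WOLFSSL_CLIENT -DWOLFSSL_NO_CLIENT_AUTH"]},
            {"name": "all-no-client", "minutes": 4.2,
             "configure": ["--enable-all", "CPPFLAGS=-DNO_WOLFSSL_CLIENT"]},
            {"name": "nonblock-sp-c64", "minutes": 4.2,
             "comment": "Non-blocking ECC/Curve25519/RSA/DH on the host default SP word size (sp_c64.c on x86_64); RSA/DH non-block require RSA_LOW_MEM (the CRT path is not supported in non-block mode).",
             "configure": ["--enable-curve25519=nonblock", "--enable-ecc=nonblock",
                           "--enable-rsa=nonblock", "--enable-dh=nonblock", "--enable-sp=yes,nonblock",
                           "CPPFLAGS=-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DEBUG_NONBLOCK -DRSA_LOW_MEM"]},
            {"name": "tls13-dtls13-session-misc", "minutes": 3.3,
             "configure": ["--enable-tls13", "--enable-session-ticket", "--enable-dtls",
                           "--enable-dtls13", "--enable-opensslextra", "--enable-sessioncerts",
                           "CPPFLAGS=-DWOLFSSL_DTLS_NO_HVR_ON_RESUME -DHAVE_EXT_CACHE -DWOLFSSL_TICKET_HAVE_ID -DHAVE_EX_DATA -DSESSION_CACHE_DYNAMIC_MEM"]},
            {"name": "dtls-cid-renego-psk", "minutes": 3.3,
             "configure": ["--enable-dtls", "--enable-dtlscid", "--enable-dtls13",
                           "--enable-secure-renegotiation", "--enable-psk", "--enable-aesccm",
                           "--enable-nullcipher", "CPPFLAGS=-DWOLFSSL_STATIC_RSA"]},
            {"name": "dtls13-ocspstapling-cert-cb", "minutes": 3.1,
             "configure": ["--enable-dtls", "--enable-dtls13", "--enable-ocspstapling",
                           "--enable-ocspstapling2", "--enable-cert-setup-cb", "--enable-sessioncerts"]},
            {"name": "user-settings-all-compat", "minutes": 3.0,
             "comment": "user_settings_all.h with the compatibility layer enabled by flipping its \"#if 0\" block, as a build-dir copy.",
             "user_settings": "examples/configs/user_settings_all.h",
             "cflags": "",
             "configure": ["--enable-usersettings"], "prepare": [["sed", "-i", "s/if 0/if 1/", "user_settings.h"]]},
            {"name": "dtls13-earlydata-psk-no-hrr", "minutes": 2.9,
             "configure": ["--enable-dtls", "--enable-dtls13", "--enable-earlydata",
                           "--enable-session-ticket", "--enable-psk", "CPPFLAGS=-DWOLFSSL_DTLS13_NO_HRR_ON_RESUME"]},
            {"name": "ocsp-responder-nonblock-maxfrag", "minutes": 2.8,
             "configure": ["--enable-ocsp", "--enable-ocsp-responder", "--enable-ocspstapling",
                           "CPPFLAGS=-DWOLFSSL_NONBLOCK_OCSP", "--enable-maxfragment"]},
            {"name": "dtls-records-span-datagrams", "minutes": 2.7,
             "configure": ["--enable-dtls", "--enable-dtls13", "--enable-dtls-frag-ch",
                           "--enable-dtls-mtu", "CPPFLAGS=-DWOLFSSL_DTLS_RECORDS_CAN_SPAN_DATAGRAMS"]},
            {"name": "opensslextra-no-ca-names", "minutes": 2.6,
             "configure": ["--enable-opensslextra", "CPPFLAGS=-DWOLFSSL_NO_CA_NAMES"]},
            {"name": "sessionexport-dtls13", "minutes": 2.6,
             "configure": ["--enable-sessionexport", "--enable-dtls", "--enable-dtls13"]},
            {"name": "lms-xmss-verify-only", "minutes": 2.5,
             "configure": ["--enable-lms=small,verify-only", "--enable-xmss=small,verify-only"]},
            {"name": "opensslall-rng-seed-cb", "minutes": 2.2,
             "configure": ["--enable-opensslall", "--enable-opensslextra", "CPPFLAGS=-DWC_RNG_SEED_CB"]},
            {"name": "opensslall-ecc-zero-hash", "minutes": 2.2,
             "configure": ["--enable-opensslall", "--enable-ecc", "CPPFLAGS=-DWC_ALLOW_ECC_ZERO_HASH"]},
            {"name": "she-ext-cmac-no-she-misc", "minutes": 2.2,
             "configure": ["--enable-she=extended", "--enable-cmac", "--enable-cryptocb",
                           "--enable-cryptocbutils",
                           "CPPFLAGS=-DNO_WC_SHE_GETUID -DNO_WC_SHE_GETCOUNTER -DNO_WC_SHE_EXPORTKEY"]},
            {"name": "she-std-cmac-cryptocb-sw-default", "minutes": 2.2,
             "configure": ["--enable-she=standard", "--enable-cmac", "--enable-cryptocb",
                           "--enable-cryptocbutils", "CPPFLAGS=-DWC_SHE_SW_DEFAULT"]},
            {"name": "sniffer-curves-enckeys", "minutes": 2.2,
             "configure": ["--enable-sniffer", "--enable-curve25519", "--enable-curve448",
                           "--enable-enckeys", "CPPFLAGS=-DWOLFSSL_DH_EXTRA"]},
            {"name": "cryptocb-keygen-utils-aes-setkey", "minutes": 2.2,
             "configure": ["--enable-cryptocb", "--enable-keygen", "--enable-cryptocbutils",
                           "CPPFLAGS=-DWOLF_CRYPTO_CB_AES_SETKEY"]},
            {"name": "cryptocb-utils-setkey-free", "minutes": 2.2,
             "configure": ["--enable-cryptocb", "--enable-keygen", "--enable-aesgcm",
                           "--enable-cryptocbutils=setkey,free", "CPPFLAGS=-DWOLF_CRYPTO_CB_AES_SETKEY"]},
            {"name": "cryptocb-keygen-utils-export", "minutes": 2.2,
             "configure": ["--enable-cryptocb", "--enable-keygen", "--enable-cryptocbutils=export"]},
            {"name": "cryptocb-keygen-export-key", "minutes": 2.2,
             "configure": ["--enable-cryptocb", "--enable-keygen",
                           "CPPFLAGS=-DWOLF_CRYPTO_CB_EXPORT_KEY"]},
            {"name": "cryptocb-utils-setkey-export-find", "minutes": 2.2,
             "configure": ["--enable-cryptocb", "--enable-keygen",
                           "--enable-cryptocbutils=setkey,export", "CPPFLAGS=-DWOLF_CRYPTO_CB_FIND"]},
            {"name": "opensslall-rng-seed-cb-no-getpid", "minutes": 2.1,
             "configure": ["--enable-opensslall", "--enable-opensslextra",
                           "CPPFLAGS=-DWC_RNG_SEED_CB -DWOLFSSL_NO_GETPID"]},
            {"name": "dtls13-ignore-pt-alert", "minutes": 2.1,
             "configure": ["--enable-dtls", "--enable-dtls13", "--enable-tls13",
                           "CPPFLAGS=-DWOLFSSL_TLS13_IGNORE_PT_ALERT_ON_ENC"]},
            {"name": "cryptocb-utils-setkey-free-export", "minutes": 2.1,
             "configure": ["--enable-cryptocb", "--enable-keygen", "--enable-aesgcm",
                           "--enable-cryptocbutils=setkey,free,export", "CPPFLAGS=-DWOLF_CRYPTO_CB_AES_SETKEY"]},
            {"name": "cryptocb-aesgcm-setkey-free", "minutes": 2.1,
             "configure": ["--enable-cryptocb", "--enable-aesgcm",
                           "CPPFLAGS=-DWOLF_CRYPTO_CB_AES_SETKEY -DWOLF_CRYPTO_CB_FREE"]},
            {"name": "opensslextra-x509small", "minutes": 2.0,
             "configure": ["--enable-opensslextra=x509small"]},
            {"name": "cryptocb-keygen-find", "minutes": 2.0,
             "configure": ["--enable-cryptocb", "--enable-keygen", "CPPFLAGS=-DWOLF_CRYPTO_CB_FIND"]},
            {"name": "user-settings-all", "minutes": 2.0,
             "comment": "The user_settings.h header-driven build path is distinct from the autotools-driven --enable-all path; full make check.",
             "user_settings": "examples/configs/user_settings_all.h",
             "cflags": "",
             "configure": ["--enable-usersettings"]},
            {"name": "she-ext-cryptocb-sw-default", "minutes": 1.9,
             "configure": ["--enable-she=extended", "--enable-cryptocb", "--enable-cryptocbutils",
                           "CPPFLAGS=-DWC_SHE_SW_DEFAULT"]},
            {"name": "cryptocb-aesgcm-aes-setkey", "minutes": 1.9,
             "configure": ["--enable-cryptocb", "--enable-aesgcm",
                           "CPPFLAGS=-DWOLF_CRYPTO_CB_AES_SETKEY"]},
            {"name": "cryptocb-keygen-utils-setkey", "minutes": 1.9,
             "configure": ["--enable-cryptocb", "--enable-keygen", "--enable-cryptocbutils=setkey"]},
            {"name": "pkcs7-rsa-pss", "minutes": 1.9,
             "comment": "PKCS#7 with RSA-PSS (CMS RSASSA-PSS signers)",
             "configure": ["--enable-pkcs7", "CPPFLAGS=-DWC_RSA_PSS"]},
            {"name": "blind-private-key", "minutes": 1.9,
             "configure": ["CPPFLAGS=-DWOLFSSL_BLIND_PRIVATE_KEY"]},
            {"name": "certgen-no-tls", "minutes": 1.9,
             "configure": ["--enable-certreq", "--enable-certext", "--enable-certgen",
                           "--disable-secure-renegotiation-info", "CPPFLAGS=-DNO_TLS"]},
            {"name": "no-sys-ca-certs", "minutes": 1.8, "configure": ["--disable-sys-ca-certs"]},
            {"name": "no-client-auth", "minutes": 1.8,
             "configure": ["CPPFLAGS=-DWOLFSSL_NO_CLIENT_AUTH"]},
            {"name": "harden-tls", "minutes": 1.7, "configure": ["--enable-harden-tls"]},
            {"name": "no-sni-ecc-tls13-scr-info", "minutes": 1.7,
             "configure": ["--disable-sni", "--disable-ecc", "--disable-tls13",
                           "--disable-secure-renegotiation-info"]},
            {"name": "default", "minutes": 1.6},
            {"name": "no-client-no-client-auth", "minutes": 1.6,
             "configure": ["CPPFLAGS=-DNO_WOLFSSL_CLIENT -DWOLFSSL_NO_CLIENT_AUTH"]},
            {"name": "ascon-experimental", "minutes": 1.6,
             "configure": ["--enable-ascon", "--enable-experimental"]},
            {"name": "ascon-unroll-experimental", "minutes": 1.6,
             "configure": ["--enable-ascon", "CPPFLAGS=-DWOLFSSL_ASCON_UNROLL",
                           "--enable-experimental"]},
            {"name": "wolfssl-extra", "minutes": 1.6, "configure": ["CPPFLAGS=-DWOLFSSL_EXTRA"]},
            {"name": "coding-no", "minutes": 1.5, "configure": ["--enable-coding=no"]},
            {"name": "she-ext-cmac-cryptocb", "minutes": 1.3,
             "configure": ["--enable-she=extended", "--enable-cmac", "--enable-cryptocb",
                           "--enable-cryptocbutils"]},
            {"name": "she-std-cmac-no-import-m123", "minutes": 1.3,
             "configure": ["--enable-she=standard", "--enable-cmac",
                           "CPPFLAGS=-DNO_WC_SHE_IMPORT_M123"]},
            {"name": "pkcs7", "minutes": 1.3,
             "comment": "PKCS#7 without RSA-PSS",
             "configure": ["--enable-pkcs7"]},
            {"name": "no-tls-cryptocb-aesgcm-setkey-free", "minutes": 1.3,
             "configure": ["--disable-tls", "--enable-cryptocb", "--enable-aesgcm",
                           "CPPFLAGS=-DWOLF_CRYPTO_CB_AES_SETKEY -DWOLF_CRYPTO_CB_FREE"]},
            {"name": "she-std-cmac", "minutes": 1.2,
             "configure": ["--enable-she=standard", "--enable-cmac"]},
            {"name": "no-verify-oid-fpki", "minutes": 1.2,
             "configure": ["CPPFLAGS=-DNO_VERIFY_OID -DWOLFSSL_FPKI"]},
            {"name": "no-verify-oid", "minutes": 1.1, "configure": ["CPPFLAGS=-DNO_VERIFY_OID"]},
            {"name": "no-server-no-client-auth", "minutes": 1.0,
             "configure": ["CPPFLAGS=-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_CLIENT_AUTH"]},
            {"name": "no-wolfssl-client", "minutes": 1.0,
             "configure": ["CPPFLAGS=-DNO_WOLFSSL_CLIENT"]},
            {"name": "testwolfcrypt-ca", "minutes": 1.0,
             "comment": "user_settings.h builds running only testwolfcrypt: pure crypto, no platform-specific features, so Linux-only coverage is sufficient. Not converted: user_settings_pq.h (requires --enable-experimental) and user_settings_baremetal.h (static memory, custom platform).",
             "user_settings": "examples/configs/user_settings_ca.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-dtls13", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_dtls13.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-ebsnet", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_EBSnet.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-eccnonblock", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_eccnonblock.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-curve25519nonblock", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_curve25519nonblock.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-min-ecc", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_min_ecc.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-openssl-compat", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_openssl_compat.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-pkcs7", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_pkcs7.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-rsa-only", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_rsa_only.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-template", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_template.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-tls12", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_tls12.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-tls13", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_tls13.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-wolfboot-keytools", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_wolfboot_keytools.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-wolfssh", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_wolfssh.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-wolftpm", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_wolftpm.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "no-wolfssl-server", "minutes": 0.9,
             "configure": ["CPPFLAGS=-DNO_WOLFSSL_SERVER"]},
            {"name": "dtls13-client-minimal", "minutes": 0.9,
             "comment": "Minimal DTLS 1.3 client-only build with the SHA-224/384/512/3 hash families disabled. SHA-256 (used by TLS_AES_128_GCM_SHA256) and SHA-1 remain enabled.",
             "configure": ["--enable-dtls13", "--disable-tlsv12", "--disable-oldtls", "--disable-rsa",
                           "--disable-dh", "--disable-aescbc", "--disable-aesecb", "--disable-md5",
                           "--disable-chacha", "--disable-poly1305", "--disable-errorstrings",
                           "--disable-asn-print", "--disable-eccshamir", "--disable-base64encode",
                           "--disable-coding", "--disable-sni", "--disable-sha224", "--disable-sha384",
                           "--disable-sha512", "--disable-sha3", "--enable-aesgcm=small", "--enable-sp-math",
                           "--enable-sp=smallec256", "--disable-sp-asm",
                           "CPPFLAGS=-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_TLS12 -DNO_SESSION_CACHE -DWOLFSSL_AES_NO_UNROLL -DUSE_SLOW_SHA256 -DWOLFSSL_NO_ASYNC_IO -DWOLFSSL_DTLS_ONLY"]},
            {"name": "opensslextra-no-filesystem-no-bio", "minutes": 0.9,
             "configure": ["--enable-opensslextra", "--disable-filesystem", "CPPFLAGS=-DNO_BIO"]},
            {"name": "no-examples-no-malloc", "minutes": 0.8,
             "configure": ["--disable-examples", "CPPFLAGS=-DWOLFSSL_NO_MALLOC"]}
          ]
          EOF
          .github/scripts/parallel-make-check.py \
            ${{ github.event_name == 'schedule' && '--build-only' || '' }} \
            --shard "${{ matrix.shard }}/${{ strategy.job-total }}" \
            --cflags='-pedantic -Wdeclaration-after-statement -Wnull-dereference -Wno-overlength-strings -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE' \
            --private-dir=certs "$RUNNER_TEMP/os-check-configs.json"
      # Seed runs (schedule) refresh the master-scoped ccache that PR runs
      # restore above; PR/push runs never save, so PRs add nothing.
      - name: Save ccache (seed only)
        if: github.event_name == 'schedule'
        uses: actions/cache/save@v5
        with:
          path: ~/.cache/ccache
          key: os-check-linux-ccache-${{ matrix.shard }}-${{ github.ref_name }}-${{ github.sha }}
      # Statistics are best-effort: always() runs the step after a failure
      # and `|| true` keeps it from failing the job itself.
      - name: ccache stats
        if: always()
        run: ccache -s || true
      # Logs are kept for 7 days and only uploaded when the job failed.
      - name: Upload logs on failure
        if: failure()
        uses: actions/upload-artifact@v6
        with:
          retention-days: 7
          name: os-check-linux-logs-${{ matrix.shard }}
          path: |
            build-*/make-check.log
            build-*/test-suite.log
            build-*/config.log
          if-no-files-found: ignore

  # Curated macOS subset. Each config exists for a Darwin-specific reason;
  # do not add entries that only re-test platform-agnostic crypto already
  # covered by the corresponding Linux run.
  #
  # All configs build on ONE macos runner via
  # .github/scripts/parallel-make-check.py, each in its own out-of-tree
  # ("VPATH") build directory. Unlike Linux, the checks run one config at
  # a time (--threads 1): macOS has no bubblewrap, so concurrent make
  # checks would race on TCP/UDP ports. The user_settings_all.h entry is
  # the former macOS half of the make_user_settings job, and the
  # apple-native-cert-validation entry is the former standalone
  # macos-apple-native-cert-validation.yml workflow.
  make_check_macos:
    name: make check macos
    # Runs on PRs/pushes and on the weekday ccache-seed cron, where it
    # --build-only-seeds the macOS ccache (like the linux shards). Only
    # Windows is skipped on schedule (no ccache to seed).
    if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
    runs-on: macos-latest
    # Serial checks: roughly the sum of the per-config minutes plus
    # one-time setup, with headroom for a cold ccache.
    timeout-minutes: 45
    steps:
      - uses: actions/checkout@v5
      # tlslite-ng is consumed by scripts/multi-msg-record.test (run from
      # `make check`); without it that test is SKIPped.
      - uses: actions/setup-python@v6
        with:
          python-version: '3.x'
      # NOTE(review): unpinned install, same caveat as in make_check_linux.
      - run: pip install tlslite-ng
      # The macos runner images ship without autotools (the old per-config
      # matrix got them via wolfSSL/actions-build-autotools-project).
      - name: Install autotools (brew)
        run: brew install autoconf automake libtool
      # ccache via the cross-platform composite (brew install; compiler
      # symlinks on PATH). The script is told --cc= so it does not also
      # prefix the compiler with "ccache" - the PATH masquerade already
      # intercepts cc/clang.
      - name: Set up ccache
        uses: ./.github/actions/ccache-setup
        with:
          workflow-id: os-check-macos
          max-size: 500M
          # PRs read the weekday-seeded macOS ccache; only the seed saves.
          # NOTE(review): read-only is true for pull_request only, so push
          # runs on release/** are not read-only here; what the composite
          # does in that case is not visible from this file.
          read-only: ${{ github.event_name == 'pull_request' }}
      # Same JSON config format as make_check_linux above; "minutes" only
      # orders the serial schedule here (longest first).
      - name: Build and make check all configs (serial checks, out-of-tree)
        run: |
          cat > "$RUNNER_TEMP/os-check-macos-configs.json" <<'EOF'
          [
            {"name": "all-asn-template", "minutes": 3.0,
             "comment": "Broad key-crypto + Security.framework + opensslextra in one run (RSA, ECC, AES, SHA-2/3, ChaCha20-Poly1305, Curve25519/448, HMAC, sniffer, DTLS, OCSP, ...). Note: --enable-all does NOT enable cryptocb or SHE, so those have their own entries.",
             "configure": ["--enable-all", "--enable-asn=template"]},
            {"name": "dtls-cid-renego-psk", "minutes": 1.5,
             "comment": "DTLS over BSD sockets on Darwin: connection-ID, fragmented ClientHello, secure renegotiation, PSK, AES-CCM, null cipher - exercises recvmsg/MTU/datagram handling that differs from Linux.",
             "configure": ["--enable-dtls", "--enable-dtlscid", "--enable-dtls13",
                           "--enable-secure-renegotiation", "--enable-psk", "--enable-aesccm",
                           "--enable-nullcipher", "CPPFLAGS=-DWOLFSSL_STATIC_RSA"]},
            {"name": "user-settings-all", "minutes": 1.5,
             "comment": "The user_settings.h header-driven build path under Apple clang: macOS-specific guard ordering (e.g. WOLFSSL_SYS_CA_CERTS pulling in Security.framework) is distinct from the autotools --enable-all path above.",
             "user_settings": "examples/configs/user_settings_all.h",
             "cflags": "",
             "configure": ["--enable-usersettings"]},
            {"name": "apple-native-cert-validation", "minutes": 1.5,
             "comment": "Former macos-apple-native-cert-validation.yml workflow: WOLFSSL_APPLE_NATIVE_CERT_VALIDATION delegates chain verification to Security.framework instead of wolfSSL's verifier, and the TEST define enables its client tests in make check. CFLAGS go to configure (with \"cflags\": \"\" so the make-time --cflags do not override them), exactly like the old standalone job.",
             "cflags": "",
             "configure": ["CFLAGS=-DWOLFSSL_APPLE_NATIVE_CERT_VALIDATION -DWOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION -DRSA_MIN_SIZE=2048 -DNO_WOLFSSL_CIPHER_SUITE_TEST"]},
            {"name": "cryptocb-keygen-utils-setkey", "minutes": 1.0,
             "comment": "Crypto-callback dispatcher under Apple clang. Not covered by --enable-all; verifies the cryptocb find/setkey/keygen path compiles and runs on the macOS toolchain.",
             "configure": ["--enable-cryptocb", "--enable-keygen", "--enable-cryptocbutils=setkey"]},
            {"name": "default", "minutes": 0.5,
             "comment": "Default build: --enable-sys-ca-certs is auto-on on macOS, so this exercises Apple keychain / system trust loading in src/ssl_load.c that has no Linux equivalent.",
             "configure": []},
            {"name": "no-sys-ca-certs", "minutes": 0.5,
             "comment": "Validates the configure-time auto-enable override and that the build compiles out the Security.framework code path cleanly - macOS is the only OS where sys-ca-certs is auto-on by default.",
             "configure": ["--disable-sys-ca-certs"]}
          ]
          EOF
          .github/scripts/parallel-make-check.py \
            ${{ github.event_name == 'schedule' && '--build-only' || '' }} \
            --threads 1 --cc= \
            --cflags='-pedantic -Wdeclaration-after-statement -Wnull-dereference -Wno-overlength-strings -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE' \
            --private-dir=certs "$RUNNER_TEMP/os-check-macos-configs.json"
      - name: ccache stats
        if: always()
        run: ccache -s || true
      - name: Upload logs on failure
        if: failure()
        uses: actions/upload-artifact@v6
        with:
          retention-days: 7
          name: os-check-macos-logs
          path: |
            build-*/make-check.log
            build-*/test-suite.log
            build-*/config.log
          if-no-files-found: ignore

  windows_build:
    name: Windows Build Test
    # Skipped on the weekday ccache-seed cron: no ccache to seed here.
    if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'schedule') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
    runs-on: windows-latest
    strategy:
      fail-fast: false
      matrix:
        arch: [x64, Win32, ARM64]
    # This should be a safe limit for the tests to run.
    timeout-minutes: 6
    env:
      # Path to the solution file relative to the root of the project.
      SOLUTION_FILE_PATH: wolfssl64.sln
      # Configuration type to build.
      # You can convert this to a build matrix if you need coverage of multiple configuration types.
      # https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
      BUILD_CONFIGURATION: Release
    steps:
      - uses: actions/checkout@v5
      - name: Add MSBuild to PATH
        uses: microsoft/setup-msbuild@v3
      # working-directory uses github.workspace rather than
      # env.GITHUB_WORKSPACE: the env context only holds variables declared
      # in `env:` blocks of this workflow, so env.GITHUB_WORKSPACE expands to
      # an empty string and the step silently relies on the default
      # directory.
      - name: Restore NuGet packages
        working-directory: ${{ github.workspace }}
        run: nuget restore ${{env.SOLUTION_FILE_PATH}}
      - name: Build
        working-directory: ${{ github.workspace }}
        # Add additional options to the MSBuild command line here (like platform or verbosity level).
        # See https://docs.microsoft.com/visualstudio/msbuild/msbuild-command-line-reference
        run: msbuild /m /p:PlatformToolset=v142 /p:Platform=${{matrix.arch}} /p:Configuration=${{env.BUILD_CONFIGURATION}} ${{env.SOLUTION_FILE_PATH}}
      # The test binary is not run for the ARM64 build.
      - if: ${{ matrix.arch != 'ARM64' }}
        name: Run Test
        working-directory: ${{ github.workspace }}
        run: Release/${{matrix.arch}}/testsuite.exe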