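# Builds wolfSSL with individual software primitives stripped
# (WOLF_CRYPTO_CB_ONLY_*) and runs `make check`, so the stripped algorithms are
# exercised only through the crypto-callback (cryptocb) path backed by swdev.
name: cryptocb-only Tests

# START OF COMMON SECTION
on:
  push:
    branches: [ 'master', 'main', 'release/**' ]
  pull_request:
    branches: [ '*' ]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
# END OF COMMON SECTION

# Least privilege for the workflow token: the job only checks out the tree,
# builds it and prints logs, so read access to repository contents is enough.
permissions:
  contents: read

jobs:
  make_check:
    strategy:
      # Let every matrix entry finish so one failing strip does not hide others.
      fail-fast: false
      matrix:
        include:
          # WOLF_CRYPTO_CB_ONLY_ECC: strips software ECC; swdev provides the
          # software path via cryptocb. FP_ECC / ECCSI / SAKKE / deterministic-k
          # test / OPENSSL_EXTRA compat layer all reference stripped primitives
          # directly, so they stay off.
          - name: ECC
            cppflags: -DWOLF_CRYPTO_CB_ONLY_ECC
          # WOLF_CRYPTO_CB_ONLY_RSA: strips software RSA; swdev provides the
          # software path via cryptocb.
          - name: RSA
            cppflags: -DWOLF_CRYPTO_CB_ONLY_RSA
          # WOLF_CRYPTO_CB_ONLY_SHA256: strips software SHA-256; swdev provides
          # the software path via cryptocb. SHA-224 not yet supported.
          - name: SHA256
            extra_config: --disable-sha224
            cppflags: -DWOLF_CRYPTO_CB_ONLY_SHA256
          # WOLF_CRYPTO_CB_ONLY_AES: strips software AES; swdev provides the
          # software path via cryptocb.
          - name: AES
            cppflags: -DWOLF_CRYPTO_CB_ONLY_AES
          # Same as AES but tells swdev to refuse AES-GCM (SWDEV_AES_ONLYECB).
          # That forces the parent's CB_ONLY_AES host-side GCM software path:
          # GHASH runs on the host while AES-CTR blocks dispatch back through
          # cryptocb ECB. The AES entry above instead has swdev handle GCM
          # end-to-end, so the host-side GCM path is otherwise uncovered.
          - name: AES_GCM_via_ECB
            cppflags: -DWOLF_CRYPTO_CB_ONLY_AES -DSWDEV_AES_ONLYECB
          # All four ONLY_* macros at once: every supported software primitive
          # is stripped and dispatched through cryptocb. Catches any cross-
          # algorithm call that a single-strip entry would still resolve via
          # the remaining software paths.
          - name: ALL
            extra_config: --disable-sha224
            cppflags: >-
              -DWOLF_CRYPTO_CB_ONLY_ECC
              -DWOLF_CRYPTO_CB_ONLY_RSA
              -DWOLF_CRYPTO_CB_ONLY_SHA256
              -DWOLF_CRYPTO_CB_ONLY_AES
    name: make check (${{ matrix.name }})
    # Run only when the repository owner is wolfssl.
    if: github.repository_owner == 'wolfssl'
    runs-on: ubuntu-24.04
    timeout-minutes: 10
    env:
      # Common feature set for every entry. Folded (>-) into a single
      # space-separated line at load time.
      BASE_CONFIG: >-
        --enable-swdev --enable-cryptocb
        --enable-ecc --enable-rsa --enable-dh
        --enable-aesgcm --enable-aesccm --enable-aesctr --enable-aescfb
        --enable-aeskeywrap --enable-aessiv --enable-aesofb --enable-aesxts
        --enable-camellia --enable-chacha --enable-poly1305
        --enable-sha --enable-sha3 --enable-shake128 --enable-shake256
        --enable-blake2 --enable-blake2s
        --enable-hkdf --enable-hashdrbg --enable-hashflags
        --enable-curve25519 --enable-ed25519 --enable-curve448 --enable-ed448
        --enable-mlkem --enable-dilithium
        --enable-scrypt --enable-pwdbased --enable-pkcs7 --enable-pkcs12
        --enable-certgen --enable-certreq --enable-certext --enable-keygen
        --enable-asn=all --enable-cmac --enable-xchacha
        --enable-crl --enable-ocsp --enable-ocspstapling --enable-ocspstapling2
        --enable-dtls --enable-dtls13 --enable-tls13
    steps:
      # NOTE(review): v4 is a mutable tag. Pinning this action to the full
      # commit SHA of a reviewed release protects the job against the tag
      # being moved to different code.
      - uses: actions/checkout@v4
        name: Checkout wolfSSL
        with:
          # The following step builds and runs code from the checked-out ref,
          # which includes pull-request branches. Keep the workflow token out
          # of .git/config so that code cannot read it.
          persist-credentials: false

      - name: Test wolfSSL
        # Matrix values reach the shell as environment variables rather than
        # being pasted into the script text, so their content is never parsed
        # as shell syntax. extra_config is unset for most entries and then
        # expands to nothing.
        env:
          EXTRA_CONFIG: ${{ matrix.extra_config }}
          MATRIX_CPPFLAGS: ${{ matrix.cppflags }}
        # BASE_CONFIG and EXTRA_CONFIG are left unquoted on purpose: each
        # holds several configure options that must be word-split.
        run: |
          ./autogen.sh
          ./configure $BASE_CONFIG $EXTRA_CONFIG CPPFLAGS="$MATRIX_CPPFLAGS"
          make -j 4
          make check

      # On failure, dump every scripts/*.log into the job output.
      - name: Print errors
        if: ${{ failure() }}
        run: |
          for file in scripts/*.log
          do
              # Skip the unexpanded glob when no log file exists.
              if [ -f "$file" ]; then
                  echo "${file}:"
                  cat "$file"
              fi
          done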