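# CI workflow: builds wolfSSL and runs its test suites on Ubuntu and macOS
# (autotools and user_settings.h paths) and builds the Visual Studio solution
# on Windows. Every job is gated on the repository owner, so it is skipped in
# repositories owned by anyone other than 'wolfssl'.
name: Ubuntu-Macos-Windows Tests

# START OF COMMON SECTION
on:
  push:
    branches: [ 'master', 'main', 'release/**' ]
  pull_request:
    branches: [ '*' ]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
# END OF COMMON SECTION

# Least-privilege GITHUB_TOKEN: the steps visible in this file only check out,
# build and test, so read access to repository contents should be enough.
# NOTE(review): confirm wolfSSL/actions-build-autotools-project@v1 needs no
# further scopes before relying on this.
permissions:
  contents: read

# NOTE(review): every `uses:` below references a mutable tag (@v1, @v2, @v4).
# Pinning each one to a full commit SHA keeps a re-pointed tag from changing
# what runs in CI.

jobs:
  # Ubuntu config matrix. macOS is covered separately by make_check_macos
  # below with a curated subset; configs here either have equivalent macOS
  # coverage there or exercise no Darwin-specific code.
  make_check_linux:
    strategy:
      fail-fast: false
      matrix:
        config: [
          # Add new configs here
          '',
          '--enable-all --enable-asn=template',
          '--enable-all --enable-asn=original',
          '--enable-all --enable-asn=template CPPFLAGS=-DWOLFSSL_OLD_OID_SUM',
          '--enable-all --enable-asn=original CPPFLAGS=-DWOLFSSL_OLD_OID_SUM',
          '--enable-harden-tls',
          '--enable-tls13 --enable-session-ticket --enable-dtls --enable-dtls13 --enable-opensslextra --enable-sessioncerts CPPFLAGS=''-DWOLFSSL_DTLS_NO_HVR_ON_RESUME -DHAVE_EXT_CACHE -DWOLFSSL_TICKET_HAVE_ID -DHAVE_EX_DATA -DSESSION_CACHE_DYNAMIC_MEM'' ',
          '--enable-all --enable-secure-renegotiation',
          '--enable-all --enable-haproxy --enable-quic',
          '--enable-dtls --enable-dtls13 --enable-earlydata --enable-session-ticket --enable-psk CPPFLAGS=''-DWOLFSSL_DTLS13_NO_HRR_ON_RESUME'' ',
          '--enable-all --enable-dtls13 --enable-dtls-frag-ch --disable-mlkem',
          '--enable-dtls --enable-dtlscid --enable-dtls13 --enable-secure-renegotiation --enable-psk --enable-aesccm --enable-nullcipher CPPFLAGS=-DWOLFSSL_STATIC_RSA',
          '--enable-she=extended --enable-cryptocb --enable-cryptocbutils CPPFLAGS=''-DWC_SHE_SW_DEFAULT'' ',
          '--enable-she=standard --enable-cmac',
          '--enable-she=extended --enable-cmac --enable-cryptocb --enable-cryptocbutils',
          '--enable-she=standard --enable-cmac CPPFLAGS=''-DNO_WC_SHE_IMPORT_M123'' ',
          '--enable-she=extended --enable-cmac --enable-cryptocb --enable-cryptocbutils CPPFLAGS=''-DNO_WC_SHE_GETUID -DNO_WC_SHE_GETCOUNTER -DNO_WC_SHE_EXPORTKEY'' ',
          '--enable-she=standard --enable-cmac --enable-cryptocb --enable-cryptocbutils CPPFLAGS=''-DWC_SHE_SW_DEFAULT'' ',
          '--enable-all CPPFLAGS=''-DNO_AES_192 -DNO_AES_256'' ',
          '--enable-sniffer --enable-curve25519 --enable-curve448 --enable-enckeys CPPFLAGS=-DWOLFSSL_DH_EXTRA',
          '--enable-dtls --enable-dtls13 --enable-dtls-frag-ch --enable-dtls-mtu CPPFLAGS=-DWOLFSSL_DTLS_RECORDS_CAN_SPAN_DATAGRAMS',
          '--enable-opensslall --enable-opensslextra CPPFLAGS=-DWC_RNG_SEED_CB',
          '--enable-opensslall --enable-opensslextra CPPFLAGS=''-DWC_RNG_SEED_CB -DWOLFSSL_NO_GETPID'' ',
          '--enable-opensslextra CPPFLAGS=''-DWOLFSSL_NO_CA_NAMES'' ',
          '--enable-opensslextra=x509small',
          '--disable-sys-ca-certs',
          '--enable-all CPPFLAGS=-DWOLFSSL_DEBUG_CERTS ',
          '--enable-all CPPFLAGS="-DWOLFSSL_CHECK_MEM_ZERO"',
          '--enable-dtls --enable-dtls13 --enable-ocspstapling --enable-ocspstapling2 --enable-cert-setup-cb --enable-sessioncerts',
          '--enable-dtls --enable-dtls13 --enable-tls13 CPPFLAGS=-DWOLFSSL_TLS13_IGNORE_PT_ALERT_ON_ENC',
          '--enable-all --enable-certgencache',
          '--enable-all --enable-dilithium --enable-cryptocb --enable-cryptocbutils --enable-pkcallbacks',
          '--enable-cryptocb --enable-aesgcm CPPFLAGS="-DWOLF_CRYPTO_CB_AES_SETKEY"',
          '--enable-cryptocb --enable-keygen --enable-cryptocbutils=setkey',
          '--enable-cryptocb --enable-keygen --enable-cryptocbutils CPPFLAGS="-DWOLF_CRYPTO_CB_AES_SETKEY"',
          '--enable-cryptocb --enable-keygen --enable-aesgcm --enable-cryptocbutils=setkey,free CPPFLAGS="-DWOLF_CRYPTO_CB_AES_SETKEY"',
          '--enable-cryptocb --enable-keygen --enable-cryptocbutils=export',
          '--enable-cryptocb --enable-keygen CPPFLAGS="-DWOLF_CRYPTO_CB_EXPORT_KEY"',
          '--enable-cryptocb --enable-keygen --enable-aesgcm --enable-cryptocbutils=setkey,free,export CPPFLAGS="-DWOLF_CRYPTO_CB_AES_SETKEY"',
          '--enable-cryptocb --enable-keygen --enable-cryptocbutils=setkey,export CPPFLAGS="-DWOLF_CRYPTO_CB_FIND"',
          'CPPFLAGS=-DWOLFSSL_NO_CLIENT_AUTH',
          'CPPFLAGS=''-DNO_WOLFSSL_CLIENT -DWOLFSSL_NO_CLIENT_AUTH''',
          'CPPFLAGS=''-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_CLIENT_AUTH''',
          '--enable-all CPPFLAGS=-DNO_WOLFSSL_CLIENT',
          '--enable-all CPPFLAGS=-DNO_WOLFSSL_SERVER',
          '--enable-all CPPFLAGS=-DWOLFSSL_NO_CLIENT_AUTH',
          '--enable-all CPPFLAGS=''-DNO_WOLFSSL_CLIENT -DWOLFSSL_NO_CLIENT_AUTH''',
          '--enable-all CPPFLAGS=''-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_CLIENT_AUTH''',
          '--enable-ocsp --enable-ocsp-responder --enable-ocspstapling CPPFLAGS="-DWOLFSSL_NONBLOCK_OCSP" --enable-maxfragment',
          '--enable-all CPPFLAGS=-DWOLFSSL_HASH_KEEP',
          '--enable-all --enable-writedup',
          '--enable-ascon --enable-experimental',
          '--enable-ascon CPPFLAGS=-DWOLFSSL_ASCON_UNROLL --enable-experimental',
          # PKCS#7 with RSA-PSS (CMS RSASSA-PSS signers)
          '--enable-pkcs7 CPPFLAGS=-DWC_RSA_PSS',
          # PKCS#7 without RSA-PSS
          '--enable-pkcs7',
          'CPPFLAGS=''-DWOLFSSL_EXTRA'' ',
          '--enable-coding=no',
          '--disable-sni --disable-ecc --disable-tls13 --disable-secure-renegotiation-info',
          'CPPFLAGS=-DWOLFSSL_BLIND_PRIVATE_KEY',
          '--enable-sessionexport --enable-dtls --enable-dtls13',
          '--enable-cryptocb --enable-aesgcm CPPFLAGS="-DWOLF_CRYPTO_CB_AES_SETKEY -DWOLF_CRYPTO_CB_FREE"',
          '--disable-tls --enable-cryptocb --enable-aesgcm CPPFLAGS="-DWOLF_CRYPTO_CB_AES_SETKEY -DWOLF_CRYPTO_CB_FREE"',
          '--enable-cryptocb --enable-keygen CPPFLAGS="-DWOLF_CRYPTO_CB_FIND"',
          '--disable-examples CPPFLAGS=-DWOLFSSL_NO_MALLOC',
          'CPPFLAGS=-DNO_WOLFSSL_CLIENT',
          'CPPFLAGS=-DNO_WOLFSSL_SERVER',
          '--enable-lms=small,verify-only --enable-xmss=small,verify-only',
          '--enable-opensslall --enable-ecc CPPFLAGS="-DWC_ALLOW_ECC_ZERO_HASH"',
          # Non-blocking ECC + Curve25519 + RSA + DH on the default SP word
          # size for the host (sp_c64.c on x86_64). RSA/DH non-block require
          # RSA_LOW_MEM (CRT path is not supported in non-block mode).
          '--enable-curve25519=nonblock --enable-ecc=nonblock --enable-rsa=nonblock --enable-dh=nonblock --enable-sp=yes,nonblock CPPFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DEBUG_NONBLOCK -DRSA_LOW_MEM"',
          # Same configuration but force SP_WORD_SIZE=32 to exercise sp_c32.c
          # on a 64-bit host. The two builds together cover both generated
          # variants of mod_exp__nb / RSA / DH wrappers.
          '--enable-curve25519=nonblock --enable-ecc=nonblock --enable-rsa=nonblock --enable-dh=nonblock --enable-sp=yes,nonblock CPPFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DEBUG_NONBLOCK -DRSA_LOW_MEM -DSP_WORD_SIZE=32"',
          '--enable-certreq --enable-certext --enable-certgen --disable-secure-renegotiation-info CPPFLAGS="-DNO_TLS"',
          # Minimal DTLS 1.3 client-only build. The SHA-224/384/512/3
          # disables are deliberately omitted: --disable-sha384 alone
          # trips a pre-existing wolfSSL bug in
          # test_tls13_duplicate_extension (reproducible on clean master).
          '--enable-dtls13 --disable-tlsv12 --disable-oldtls --disable-rsa --disable-dh --disable-aescbc --disable-aesecb --disable-md5 --disable-chacha --disable-poly1305 --disable-errorstrings --disable-asn-print --disable-eccshamir --disable-base64encode --disable-coding --disable-sni --enable-aesgcm=small --enable-sp-math --enable-sp=smallec256 --disable-sp-asm CPPFLAGS=''-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_TLS12 -DNO_SESSION_CACHE -DWOLFSSL_AES_NO_UNROLL -DUSE_SLOW_SHA256 -DWOLFSSL_NO_ASYNC_IO -DWOLFSSL_DTLS_ONLY'' ',
          'CPPFLAGS=-DNO_VERIFY_OID',
          'CPPFLAGS="-DNO_VERIFY_OID -DWOLFSSL_FPKI"',
        ]
    name: make check linux
    if: github.repository_owner == 'wolfssl'
    runs-on: ubuntu-24.04
    # This should be a safe limit for the tests to run.
    timeout-minutes: 14
    steps:
      - name: Build and test wolfSSL
        uses: wolfSSL/actions-build-autotools-project@v1
        with:
          configure: CFLAGS="-pedantic -Wdeclaration-after-statement -Wnull-dereference -Wno-overlength-strings -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE" ${{ matrix.config }}
          check: true

  # Curated macOS subset. Each config exists for a Darwin-specific reason;
  # do not add entries that only re-test platform-agnostic crypto already
  # covered by the corresponding Linux run.
  make_check_macos:
    strategy:
      fail-fast: false
      matrix:
        config: [
          # Default build: --enable-sys-ca-certs is auto-on on macOS, so
          # this exercises Apple keychain / system trust loading in
          # src/ssl_load.c that has no Linux equivalent.
          '',
          # Broad key-crypto + Security.framework + opensslextra in one run
          # (RSA, ECC, AES, SHA-2/3, ChaCha20-Poly1305, Curve25519/448, HMAC,
          # sniffer, DTLS, OCSP, ...). Note: --enable-all does NOT enable
          # cryptocb or SHE, so those have their own entries below.
          '--enable-all --enable-asn=template',
          # Validates the configure-time auto-enable override and that the
          # build compiles out the Security.framework code path cleanly --
          # macOS is the only OS where sys-ca-certs is auto-on by default.
          '--disable-sys-ca-certs',
          # DTLS over BSD sockets on Darwin: connection-ID, fragmented
          # ClientHello, secure renegotiation, PSK, AES-CCM, null cipher --
          # exercises recvmsg/MTU/datagram handling that differs from Linux.
          '--enable-dtls --enable-dtlscid --enable-dtls13 --enable-secure-renegotiation --enable-psk --enable-aesccm --enable-nullcipher CPPFLAGS=-DWOLFSSL_STATIC_RSA',
          # Crypto-callback dispatcher under Apple clang. Not covered by
          # --enable-all; verifies the cryptocb find/setkey/keygen path
          # compiles and runs on the macOS toolchain.
          '--enable-cryptocb --enable-keygen --enable-cryptocbutils=setkey',
        ]
    name: make check macos
    if: github.repository_owner == 'wolfssl'
    runs-on: macos-latest
    # This should be a safe limit for the tests to run.
    timeout-minutes: 14
    steps:
      - name: Build and test wolfSSL
        uses: wolfSSL/actions-build-autotools-project@v1
        with:
          configure: CFLAGS="-pedantic -Wdeclaration-after-statement -Wnull-dereference -Wno-overlength-strings -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE" ${{ matrix.config }}
          check: true

  # Run on both OSes: the user_settings.h header-driven build path is
  # distinct from the autotools-driven --enable-all path in
  # make_check_linux / make_check_macos, and macOS-specific guard ordering
  # (e.g. WOLFSSL_SYS_CA_CERTS pulling in Security.framework) needs to be
  # exercised under Apple clang here.
  make_user_settings:
    strategy:
      fail-fast: false
      matrix:
        os: [ ubuntu-24.04, macos-latest ]
        user-settings: [
          # Add new user_settings.h here
          'examples/configs/user_settings_all.h',
        ]
    name: make user_setting.h
    if: github.repository_owner == 'wolfssl'
    runs-on: ${{ matrix.os }}
    # This should be a safe limit for the tests to run.
    timeout-minutes: 14
    steps:
      - name: Build and test wolfSSL
        uses: wolfSSL/actions-build-autotools-project@v1
        with:
          configure: --enable-usersettings
          check: true
          user-settings: ${{ matrix.user-settings }}

  make_user_settings_testwolfcrypt:
    # testwolfcrypt runs pure crypto tests with no platform-specific
    # features, so Linux-only is sufficient for these user_settings.
    strategy:
      fail-fast: false
      matrix:
        user-settings: [
          # Add new user_settings.h here (alphabetical order)
          'examples/configs/user_settings_ca.h',
          'examples/configs/user_settings_dtls13.h',
          'examples/configs/user_settings_EBSnet.h',
          'examples/configs/user_settings_eccnonblock.h',
          'examples/configs/user_settings_curve25519nonblock.h',
          'examples/configs/user_settings_min_ecc.h',
          'examples/configs/user_settings_openssl_compat.h',
          'examples/configs/user_settings_pkcs7.h',
          'examples/configs/user_settings_rsa_only.h',
          'examples/configs/user_settings_template.h',
          'examples/configs/user_settings_tls12.h',
          'examples/configs/user_settings_tls13.h',
          'examples/configs/user_settings_wolfboot_keytools.h',
          'examples/configs/user_settings_wolfssh.h',
          'examples/configs/user_settings_wolftpm.h',
          # Not included (require special setup):
          # - user_settings_pq.h: Requires --enable-experimental
          # - user_settings_baremetal.h: Requires static memory, custom platform
        ]
    name: make user_setting.h (testwolfcrypt only)
    if: github.repository_owner == 'wolfssl'
    runs-on: ubuntu-24.04
    # This should be a safe limit for the tests to run.
    timeout-minutes: 14
    steps:
      - name: Build and test wolfSSL
        uses: wolfSSL/actions-build-autotools-project@v1
        with:
          configure: --enable-usersettings --disable-examples
          check: false
          user-settings: ${{ matrix.user-settings }}
      - name: Run wolfcrypt/test/testwolfcrypt
        run: ./wolfcrypt/test/testwolfcrypt

  # Has to be dedicated function due to the sed call.
  # Platform-agnostic; --enable-all macOS coverage in make_check_macos and
  # the macOS user_settings_all.h run in make_user_settings already cover
  # the equivalent code paths on Darwin.
  make_user_all:
    name: make user_setting.h (with sed)
    if: github.repository_owner == 'wolfssl'
    runs-on: ubuntu-24.04
    # This should be a safe limit for the tests to run.
    timeout-minutes: 14
    steps:
      - uses: actions/checkout@v4
      - run: ./autogen.sh
      - name: user_settings_all.h with compatibility layer
        # The sed call rewrites every "if 0" in the copied header to "if 1"
        # before configuring against it.
        run: |
          cp ./examples/configs/user_settings_all.h user_settings.h
          sed -i -e "s/if 0/if 1/" user_settings.h
          ./configure --enable-usersettings
          make -j
          make check

  windows_build:
    name: Windows Build Test
    if: github.repository_owner == 'wolfssl'
    runs-on: windows-latest
    strategy:
      fail-fast: false
      matrix:
        arch: [ x64, Win32, ARM64 ]
    # This should be a safe limit for the tests to run.
    timeout-minutes: 6
    env:
      # Path to the solution file relative to the root of the project.
      SOLUTION_FILE_PATH: wolfssl64.sln

      # Configuration type to build.
      # You can convert this to a build matrix if you need coverage of multiple configuration types.
      # https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
      BUILD_CONFIGURATION: Release
    steps:
      - uses: actions/checkout@v4

      - name: Add MSBuild to PATH
        uses: microsoft/setup-msbuild@v2

      # NOTE(review): GITHUB_WORKSPACE is not defined under `env:` in this
      # workflow, so ${{env.GITHUB_WORKSPACE}} presumably expands to an empty
      # string and the steps run in the default workspace -- confirm;
      # github.workspace is the context value that carries this path.
      - name: Restore NuGet packages
        working-directory: ${{env.GITHUB_WORKSPACE}}
        run: nuget restore ${{env.SOLUTION_FILE_PATH}}

      - name: Build
        working-directory: ${{env.GITHUB_WORKSPACE}}
        # Add additional options to the MSBuild command line here (like platform or verbosity level).
        # See https://docs.microsoft.com/visualstudio/msbuild/msbuild-command-line-reference
        run: msbuild /m /p:PlatformToolset=v142 /p:Platform=${{matrix.arch}} /p:Configuration=${{env.BUILD_CONFIGURATION}} ${{env.SOLUTION_FILE_PATH}}

      # The test suite is run for every arch in the matrix except ARM64.
      - if: ${{ matrix.arch != 'ARM64' }}
        name: Run Test
        working-directory: ${{env.GITHUB_WORKSPACE}}
        run: Release/${{matrix.arch}}/testsuite.exe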