Add ML-DSA (FIPS 204) support to PKCS#7/CMS SignedData per RFC 9882 #213
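---
# Stack-size regression check: builds wolfCrypt in several small-stack
# configurations with -Wframe-larger-than / -Wstack-usage and then runs
# testwolfcrypt under the relative-stack checker.
name: Stack Size warnings

# NOTE(review): no `permissions:` key is set in the workflow as shown, so
# GITHUB_TOKEN keeps the repository/organisation default scopes. Declaring
# the minimum here (likely `contents: read`) would make least privilege
# explicit -- confirm first what the local composite actions
# (install-apt-deps with ghcr-debs-tag, ccache-setup) need.

# START OF COMMON SECTION
on:
  push:
    branches: [ 'release/**' ]
  # `pull_request` (not `pull_request_target`): the job runs in the context
  # of the PR's merge ref.
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
    branches: [ '*' ]
  # Weekday-morning cron (10:40 UTC, Monday-Friday) seeds the master-scoped
  # ccache that PR runs restore: it re-runs with --build-only (compile only,
  # no tests) on the default branch. PR runs are read-only (see ccache-setup).
  schedule:
    - cron: '40 10 * * 1-5'

# A newer run for the same workflow and ref cancels the one in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
# END OF COMMON SECTION

jobs:
  # All former runner-per-config matrix entries build on one runner via
  # .github/scripts/parallel-make-check.py (see os-check.yml for the full
  # pattern): each config builds in its own out-of-tree ("VPATH") build
  # directory off one checkout/autogen, on a pool of one-per-CPU worker
  # threads, longest first.
  build_library:
    name: build library
    # Runs only in repositories owned by 'wolfssl', and skips draft PRs.
    if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
    runs-on: ubuntu-24.04
    # Generous for a cold ccache; warm reruns finish in a fraction.
    timeout-minutes: 15
    steps:
      # NOTE(review): actions/checkout here and actions/upload-artifact below
      # are referenced by mutable major-version tags. Pinning each to a full
      # commit SHA (placeholder: `@<full-commit-sha>  # v5`) makes the
      # reference immutable.
      - uses: actions/checkout@v5
        name: Checkout wolfSSL
        with:
          # Keep the checkout token out of .git/config: the later steps build
          # and run code from the checked-out ref, and none of the steps
          # shown here push or fetch.
          persist-credentials: false

      - name: Install dependencies
        uses: ./.github/actions/install-apt-deps
        with:
          packages: autoconf automake libtool build-essential
          ghcr-debs-tag: ubuntu-24.04-minimal

      # ccache via the cross-platform composite; the script passes the
      # compiler to configure as CC="ccache gcc" (or a per-config "cc").
      # `read-only` is true for pull_request events, so a PR build restores
      # the shared cache but is not meant to write back into it (enforcement
      # lives in ccache-setup, which is not shown here).
      - name: Set up ccache
        uses: ./.github/actions/ccache-setup
        with:
          workflow-id: smallstacksize
          read-only: ${{ github.event_name == 'pull_request' }}
          max-size: 150M

      # The JSON list below is the former runner-per-config matrix (the
      # shared base configure arguments are folded into every entry). Each
      # build must come out clean under -Wframe-larger-than/-Wstack-usage,
      # then runs testwolfcrypt under the relative-stack checker.
      #
      # The heredoc delimiter is quoted ('EOF'), so the shell writes the JSON
      # verbatim with no expansion. The only ${{ }} expression in the script
      # yields one of two fixed literals ('--build-only' or ''), so no
      # event-supplied text is interpolated into the command line.
      - name: Build all configs (parallel, out-of-tree)
        run: |
          cat > "$RUNNER_TEMP/smallstacksize-configs.json" <<'EOF'
          [
            {"name": "noasm", "minutes": 1,
             "configure": ["--enable-cryptonly", "--disable-cryptocb",
                           "--disable-testcert", "--enable-smallstack",
                           "--enable-smallstackcache", "--enable-crypttests",
                           "--disable-benchmark", "--disable-examples",
                           "--with-max-rsa-bits=16384", "--enable-stacksize=verbose",
                           "CFLAGS=-Wframe-larger-than=2048 -Wstack-usage=4096 -DWOLFSSL_TEST_MAX_RELATIVE_STACK_BYTES=8192 -DTEST_ALWAYS_RUN_TO_END",
                           "--disable-asm"],
             "check": false,
             "run": [["./wolfcrypt/test/testwolfcrypt"]]},
            {"name": "noasm-pq", "minutes": 1,
             "configure": ["--enable-cryptonly", "--disable-cryptocb",
                           "--disable-testcert", "--enable-smallstack",
                           "--enable-smallstackcache", "--enable-crypttests",
                           "--disable-benchmark", "--disable-examples",
                           "--with-max-rsa-bits=16384", "--enable-stacksize=verbose",
                           "CFLAGS=-Wframe-larger-than=2048 -Wstack-usage=4096 -DWOLFSSL_TEST_MAX_RELATIVE_STACK_BYTES=8192 -DTEST_ALWAYS_RUN_TO_END",
                           "--disable-asm", "--enable-mlkem", "--enable-lms", "--enable-xmss",
                           "--enable-mldsa"],
             "check": false,
             "run": [["./wolfcrypt/test/testwolfcrypt"]]},
            {"name": "noasm-allcrypto-pq", "minutes": 1,
             "configure": ["--enable-cryptonly", "--disable-cryptocb",
                           "--disable-testcert", "--enable-smallstack",
                           "--enable-smallstackcache", "--enable-crypttests",
                           "--disable-benchmark", "--disable-examples",
                           "--with-max-rsa-bits=16384", "--enable-stacksize=verbose",
                           "CFLAGS=-Wframe-larger-than=2048 -Wstack-usage=4096 -DWOLFSSL_TEST_MAX_RELATIVE_STACK_BYTES=8192 -DTEST_ALWAYS_RUN_TO_END",
                           "--disable-asm", "--enable-all-crypto", "--enable-mlkem",
                           "--enable-lms", "--enable-xmss", "--enable-mldsa"],
             "check": false,
             "run": [["./wolfcrypt/test/testwolfcrypt"]]},
            {"name": "intelasm", "minutes": 1,
             "configure": ["--enable-cryptonly", "--disable-cryptocb",
                           "--disable-testcert", "--enable-smallstack",
                           "--enable-smallstackcache", "--enable-crypttests",
                           "--disable-benchmark", "--disable-examples",
                           "--with-max-rsa-bits=16384", "--enable-stacksize=verbose",
                           "CFLAGS=-Wframe-larger-than=2048 -Wstack-usage=4096 -DWOLFSSL_TEST_MAX_RELATIVE_STACK_BYTES=8192 -DTEST_ALWAYS_RUN_TO_END",
                           "--enable-intelasm", "--enable-sp-asm"],
             "check": false,
             "run": [["./wolfcrypt/test/testwolfcrypt"]]},
            {"name": "intelasm-pq", "minutes": 1,
             "configure": ["--enable-cryptonly", "--disable-cryptocb",
                           "--disable-testcert", "--enable-smallstack",
                           "--enable-smallstackcache", "--enable-crypttests",
                           "--disable-benchmark", "--disable-examples",
                           "--with-max-rsa-bits=16384", "--enable-stacksize=verbose",
                           "CFLAGS=-Wframe-larger-than=2048 -Wstack-usage=4096 -DWOLFSSL_TEST_MAX_RELATIVE_STACK_BYTES=8192 -DTEST_ALWAYS_RUN_TO_END",
                           "--enable-intelasm", "--enable-sp-asm", "--enable-mlkem",
                           "--enable-lms", "--enable-xmss", "--enable-mldsa"],
             "check": false,
             "run": [["./wolfcrypt/test/testwolfcrypt"]]},
            {"name": "intelasm-allcrypto-pq", "minutes": 1,
             "configure": ["--enable-cryptonly", "--disable-cryptocb",
                           "--disable-testcert", "--enable-smallstack",
                           "--enable-smallstackcache", "--enable-crypttests",
                           "--disable-benchmark", "--disable-examples",
                           "--with-max-rsa-bits=16384", "--enable-stacksize=verbose",
                           "CFLAGS=-Wframe-larger-than=2048 -Wstack-usage=4096 -DWOLFSSL_TEST_MAX_RELATIVE_STACK_BYTES=8192 -DTEST_ALWAYS_RUN_TO_END",
                           "--enable-intelasm", "--enable-sp-asm", "--enable-all-crypto",
                           "--enable-mlkem", "--enable-lms", "--enable-xmss",
                           "--enable-mldsa"],
             "check": false,
             "run": [["./wolfcrypt/test/testwolfcrypt"]]}
          ]
          EOF
          .github/scripts/parallel-make-check.py \
            ${{ github.event_name == 'schedule' && '--build-only' || '' }} \
            "$RUNNER_TEMP/smallstacksize-configs.json"

      # Best-effort statistics: runs even after a failed build and never
      # fails the job itself.
      - name: ccache stats
        if: always()
        run: ccache -s || true

      # Only build/test logs matching the listed patterns are uploaded, and
      # only when an earlier step failed; the artifact is kept for 7 days.
      - name: Upload logs on failure
        if: failure()
        uses: actions/upload-artifact@v6
        with:
          retention-days: 7
          name: smallstacksize-logs
          path: |
            build-*/make-check.log
            build-*/test-suite.log
            build-*/config.log
          if-no-files-found: ignore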