Enable SCSV check unconditionally #12133
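name: Ubuntu-Macos-Windows Tests

# START OF COMMON SECTION
on:
  push:
    branches: [ 'release/**' ]
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
    branches: [ '*' ]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
# END OF COMMON SECTION

# NOTE(review): no top-level `permissions:` block, so GITHUB_TOKEN receives the
# repository default. Every step below only checks out, builds and tests, so
# `permissions: contents: read` should be sufficient -- confirm against the
# ./.github/actions/ccache-setup composite (not visible here) before adding it.

jobs:
  # Ubuntu config matrix. macOS is covered separately by make_check_macos
  # below with a curated subset; configs here either have equivalent macOS
  # coverage there or exercise no Darwin-specific code.
  make_check_linux:
    strategy:
      fail-fast: false
      matrix:
        config: [
          # Add new configs here
          '',
          '--enable-all --enable-asn=template',
          '--enable-all --enable-asn=original',
          '--enable-all --enable-asn=template CPPFLAGS=-DWOLFSSL_OLD_OID_SUM',
          '--enable-all --enable-asn=original CPPFLAGS=-DWOLFSSL_OLD_OID_SUM',
          '--enable-harden-tls',
          '--enable-tls13 --enable-session-ticket --enable-dtls --enable-dtls13
           --enable-opensslextra --enable-sessioncerts
           CPPFLAGS=''-DWOLFSSL_DTLS_NO_HVR_ON_RESUME -DHAVE_EXT_CACHE
           -DWOLFSSL_TICKET_HAVE_ID -DHAVE_EX_DATA -DSESSION_CACHE_DYNAMIC_MEM'' ',
          '--enable-all --enable-secure-renegotiation',
          '--enable-all --enable-haproxy --enable-quic',
          '--enable-dtls --enable-dtls13 --enable-earlydata
           --enable-session-ticket --enable-psk
           CPPFLAGS=''-DWOLFSSL_DTLS13_NO_HRR_ON_RESUME'' ',
          '--enable-all --enable-dtls13 --enable-dtls-frag-ch --disable-mlkem',
          '--enable-dtls --enable-dtlscid --enable-dtls13 --enable-secure-renegotiation
           --enable-psk --enable-aesccm --enable-nullcipher
           CPPFLAGS=-DWOLFSSL_STATIC_RSA',
          '--enable-she=extended --enable-cryptocb --enable-cryptocbutils
           CPPFLAGS=''-DWC_SHE_SW_DEFAULT'' ',
          '--enable-she=standard --enable-cmac',
          '--enable-she=extended --enable-cmac --enable-cryptocb --enable-cryptocbutils',
          '--enable-she=standard --enable-cmac CPPFLAGS=''-DNO_WC_SHE_IMPORT_M123'' ',
          '--enable-she=extended --enable-cmac --enable-cryptocb --enable-cryptocbutils
           CPPFLAGS=''-DNO_WC_SHE_GETUID -DNO_WC_SHE_GETCOUNTER -DNO_WC_SHE_EXPORTKEY'' ',
          '--enable-she=standard --enable-cmac --enable-cryptocb --enable-cryptocbutils
           CPPFLAGS=''-DWC_SHE_SW_DEFAULT'' ',
          '--enable-all CPPFLAGS=''-DNO_AES_192 -DNO_AES_256'' ',
          '--enable-sniffer --enable-curve25519 --enable-curve448 --enable-enckeys
           CPPFLAGS=-DWOLFSSL_DH_EXTRA',
          '--enable-dtls --enable-dtls13 --enable-dtls-frag-ch
           --enable-dtls-mtu CPPFLAGS=-DWOLFSSL_DTLS_RECORDS_CAN_SPAN_DATAGRAMS',
          '--enable-opensslall --enable-opensslextra CPPFLAGS=-DWC_RNG_SEED_CB',
          '--enable-opensslall --enable-opensslextra
           CPPFLAGS=''-DWC_RNG_SEED_CB -DWOLFSSL_NO_GETPID'' ',
          '--enable-opensslextra CPPFLAGS=''-DWOLFSSL_NO_CA_NAMES'' ',
          '--enable-opensslextra=x509small',
          '--disable-sys-ca-certs',
          '--enable-all CPPFLAGS=-DWOLFSSL_DEBUG_CERTS ',
          '--enable-all CPPFLAGS="-DWOLFSSL_CHECK_MEM_ZERO"',
          '--enable-dtls --enable-dtls13 --enable-ocspstapling --enable-ocspstapling2
           --enable-cert-setup-cb --enable-sessioncerts',
          '--enable-dtls --enable-dtls13 --enable-tls13
           CPPFLAGS=-DWOLFSSL_TLS13_IGNORE_PT_ALERT_ON_ENC',
          '--enable-all --enable-certgencache',
          '--enable-all --enable-dilithium --enable-cryptocb --enable-cryptocbutils --enable-pkcallbacks',
          '--enable-cryptocb --enable-aesgcm CPPFLAGS="-DWOLF_CRYPTO_CB_AES_SETKEY"',
          '--enable-cryptocb --enable-keygen --enable-cryptocbutils=setkey',
          '--enable-cryptocb --enable-keygen --enable-cryptocbutils CPPFLAGS="-DWOLF_CRYPTO_CB_AES_SETKEY"',
          '--enable-cryptocb --enable-keygen --enable-aesgcm --enable-cryptocbutils=setkey,free CPPFLAGS="-DWOLF_CRYPTO_CB_AES_SETKEY"',
          '--enable-cryptocb --enable-keygen --enable-cryptocbutils=export',
          '--enable-cryptocb --enable-keygen CPPFLAGS="-DWOLF_CRYPTO_CB_EXPORT_KEY"',
          '--enable-cryptocb --enable-keygen --enable-aesgcm --enable-cryptocbutils=setkey,free,export CPPFLAGS="-DWOLF_CRYPTO_CB_AES_SETKEY"',
          '--enable-cryptocb --enable-keygen --enable-cryptocbutils=setkey,export CPPFLAGS="-DWOLF_CRYPTO_CB_FIND"',
          'CPPFLAGS=-DWOLFSSL_NO_CLIENT_AUTH',
          'CPPFLAGS=''-DNO_WOLFSSL_CLIENT -DWOLFSSL_NO_CLIENT_AUTH''',
          'CPPFLAGS=''-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_CLIENT_AUTH''',
          '--enable-all CPPFLAGS=-DNO_WOLFSSL_CLIENT',
          '--enable-all CPPFLAGS=-DNO_WOLFSSL_SERVER',
          '--enable-all CPPFLAGS=-DWOLFSSL_NO_CLIENT_AUTH',
          '--enable-all CPPFLAGS=''-DNO_WOLFSSL_CLIENT -DWOLFSSL_NO_CLIENT_AUTH''',
          '--enable-all CPPFLAGS=''-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_CLIENT_AUTH''',
          '--enable-ocsp --enable-ocsp-responder --enable-ocspstapling CPPFLAGS="-DWOLFSSL_NONBLOCK_OCSP" --enable-maxfragment',
          '--enable-all CPPFLAGS=-DWOLFSSL_HASH_KEEP',
          '--enable-all --enable-writedup',
          '--enable-ascon --enable-experimental',
          '--enable-ascon CPPFLAGS=-DWOLFSSL_ASCON_UNROLL --enable-experimental',
          # PKCS#7 with RSA-PSS (CMS RSASSA-PSS signers)
          '--enable-pkcs7 CPPFLAGS=-DWC_RSA_PSS',
          # PKCS#7 without RSA-PSS
          '--enable-pkcs7',
          'CPPFLAGS=''-DWOLFSSL_EXTRA'' ',
          '--enable-coding=no',
          '--disable-sni --disable-ecc --disable-tls13 --disable-secure-renegotiation-info',
          'CPPFLAGS=-DWOLFSSL_BLIND_PRIVATE_KEY',
          '--enable-sessionexport --enable-dtls --enable-dtls13',
          '--enable-cryptocb --enable-aesgcm CPPFLAGS="-DWOLF_CRYPTO_CB_AES_SETKEY -DWOLF_CRYPTO_CB_FREE"',
          '--disable-tls --enable-cryptocb --enable-aesgcm CPPFLAGS="-DWOLF_CRYPTO_CB_AES_SETKEY -DWOLF_CRYPTO_CB_FREE"',
          '--enable-cryptocb --enable-keygen CPPFLAGS="-DWOLF_CRYPTO_CB_FIND"',
          '--disable-examples CPPFLAGS=-DWOLFSSL_NO_MALLOC',
          'CPPFLAGS=-DNO_WOLFSSL_CLIENT',
          'CPPFLAGS=-DNO_WOLFSSL_SERVER',
          '--enable-lms=small,verify-only --enable-xmss=small,verify-only',
          '--enable-opensslall --enable-ecc CPPFLAGS="-DWC_ALLOW_ECC_ZERO_HASH"',
          # Non-blocking ECC + Curve25519 + RSA + DH on the default SP word
          # size for the host (sp_c64.c on x86_64). RSA/DH non-block require
          # RSA_LOW_MEM (CRT path is not supported in non-block mode).
          '--enable-curve25519=nonblock --enable-ecc=nonblock --enable-rsa=nonblock --enable-dh=nonblock --enable-sp=yes,nonblock CPPFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DEBUG_NONBLOCK -DRSA_LOW_MEM"',
          # Same configuration but force SP_WORD_SIZE=32 to exercise sp_c32.c
          # on a 64-bit host. The two builds together cover both generated
          # variants of mod_exp_<words>_nb / RSA / DH wrappers.
          '--enable-curve25519=nonblock --enable-ecc=nonblock --enable-rsa=nonblock --enable-dh=nonblock --enable-sp=yes,nonblock CPPFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DEBUG_NONBLOCK -DRSA_LOW_MEM -DSP_WORD_SIZE=32"',
          '--enable-certreq --enable-certext --enable-certgen --disable-secure-renegotiation-info CPPFLAGS="-DNO_TLS"',
          # Minimal DTLS 1.3 client-only build with the SHA-224/384/512/3
          # hash families disabled. SHA-256 (used by TLS_AES_128_GCM_SHA256)
          # and SHA-1 remain enabled.
          '--enable-dtls13 --disable-tlsv12 --disable-oldtls --disable-rsa --disable-dh
           --disable-aescbc --disable-aesecb --disable-md5 --disable-chacha
           --disable-poly1305 --disable-errorstrings --disable-asn-print
           --disable-eccshamir --disable-base64encode --disable-coding --disable-sni
           --disable-sha224 --disable-sha384 --disable-sha512 --disable-sha3
           --enable-aesgcm=small --enable-sp-math --enable-sp=smallec256 --disable-sp-asm
           CPPFLAGS=''-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_TLS12 -DNO_SESSION_CACHE
           -DWOLFSSL_AES_NO_UNROLL -DUSE_SLOW_SHA256 -DWOLFSSL_NO_ASYNC_IO
           -DWOLFSSL_DTLS_ONLY'' ',
          '--enable-opensslextra --disable-filesystem CPPFLAGS="-DNO_BIO"',
          'CPPFLAGS=-DNO_VERIFY_OID',
          'CPPFLAGS="-DNO_VERIFY_OID -DWOLFSSL_FPKI"',
        ]
    name: make check linux
    if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
    runs-on: ubuntu-24.04
    # This should be a safe limit for the tests to run.
    timeout-minutes: 14
    steps:
      # Local composite actions (./.github/actions/*) need the repo on
      # disk before the runner can resolve them. The autotools-project
      # step further down does its own checkout into the workspace, so
      # this explicit checkout is only required for the ccache-setup
      # composite below.
      - uses: actions/checkout@v4
      # tlslite-ng is consumed by scripts/multi-msg-record.test (run from
      # `make check`); without it that test is SKIPped.
      # NOTE(review): the install is unpinned, so every run pulls whatever
      # version PyPI currently serves. Pinning `tlslite-ng==<version>` (and
      # ideally `--require-hashes`) keeps the test dependency reproducible
      # and closes off a supply-chain path into the CI environment.
      - uses: actions/setup-python@v5
        with:
          python-version: '3.x'
      - run: pip install tlslite-ng
      # ccache cuts ~50% off rebuild time. /usr/lib/ccache is prepended to
      # PATH so gcc/cc invocations from the autotools action are
      # transparently intercepted - no other step needs to change.
      - name: Set up ccache
        uses: ./.github/actions/ccache-setup
        with:
          workflow-id: os-check-linux
      - name: Build and test wolfSSL
        uses: wolfSSL/actions-build-autotools-project@v1
        with:
          configure: CFLAGS="-pedantic -Wdeclaration-after-statement -Wnull-dereference -Wno-overlength-strings -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE" ${{ matrix.config }}
          check: true
      - name: ccache stats (post-build)
        if: always()
        # Written as an explicit if/else rather than `a && b || c`: with the
        # chained form a failing `ccache -s` on a runner that does have ccache
        # would print the "not installed" message and hide the real error.
        run: |
          if command -v ccache >/dev/null; then
            ccache -s
          else
            echo "ccache not installed - composite likely skipped"
          fi
  # Curated macOS subset. Each config exists for a Darwin-specific reason;
  # do not add entries that only re-test platform-agnostic crypto already
  # covered by the corresponding Linux run.
  make_check_macos:
    strategy:
      fail-fast: false
      matrix:
        config: [
          # Default build: --enable-sys-ca-certs is auto-on on macOS, so
          # this exercises Apple keychain / system trust loading in
          # src/ssl_load.c that has no Linux equivalent.
          '',
          # Broad key-crypto + Security.framework + opensslextra in one run
          # (RSA, ECC, AES, SHA-2/3, ChaCha20-Poly1305, Curve25519/448, HMAC,
          # sniffer, DTLS, OCSP, ...). Note: --enable-all does NOT enable
          # cryptocb or SHE, so those have their own entries below.
          '--enable-all --enable-asn=template',
          # Validates the configure-time auto-enable override and that the
          # build compiles out the Security.framework code path cleanly --
          # macOS is the only OS where sys-ca-certs is auto-on by default.
          '--disable-sys-ca-certs',
          # DTLS over BSD sockets on Darwin: connection-ID, fragmented
          # ClientHello, secure renegotiation, PSK, AES-CCM, null cipher --
          # exercises recvmsg/MTU/datagram handling that differs from Linux.
          '--enable-dtls --enable-dtlscid --enable-dtls13 --enable-secure-renegotiation
           --enable-psk --enable-aesccm --enable-nullcipher
           CPPFLAGS=-DWOLFSSL_STATIC_RSA',
          # Crypto-callback dispatcher under Apple clang. Not covered by
          # --enable-all; verifies the cryptocb find/setkey/keygen path
          # compiles and runs on the macOS toolchain.
          '--enable-cryptocb --enable-keygen --enable-cryptocbutils=setkey',
        ]
    name: make check macos
    if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
    runs-on: macos-latest
    # This should be a safe limit for the tests to run.
    timeout-minutes: 14
    steps:
      # tlslite-ng is consumed by scripts/multi-msg-record.test (run from
      # `make check`); without it that test is SKIPped.
      - uses: actions/setup-python@v5
        with:
          python-version: '3.x'
      - run: pip install tlslite-ng
      - name: Build and test wolfSSL
        uses: wolfSSL/actions-build-autotools-project@v1
        with:
          configure: CFLAGS="-pedantic -Wdeclaration-after-statement -Wnull-dereference -Wno-overlength-strings -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE" ${{ matrix.config }}
          check: true
  # Run on both OSes: the user_settings.h header-driven build path is
  # distinct from the autotools-driven --enable-all path in
  # make_check_linux / make_check_macos, and macOS-specific guard ordering
  # (e.g. WOLFSSL_SYS_CA_CERTS pulling in Security.framework) needs to be
  # exercised under Apple clang here.
  make_user_settings:
    strategy:
      fail-fast: false
      matrix:
        os: [ ubuntu-24.04, macos-latest ]
        user-settings: [
          # Add new user_settings.h here
          'examples/configs/user_settings_all.h',
        ]
    name: make user_setting.h
    if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
    runs-on: ${{ matrix.os }}
    # This should be a safe limit for the tests to run.
    timeout-minutes: 14
    steps:
      # tlslite-ng is consumed by scripts/multi-msg-record.test (run from
      # `make check`); without it that test is SKIPped.
      - uses: actions/setup-python@v5
        with:
          python-version: '3.x'
      - run: pip install tlslite-ng
      - name: Build and test wolfSSL
        uses: wolfSSL/actions-build-autotools-project@v1
        with:
          configure: --enable-usersettings
          check: true
          user-settings: ${{ matrix.user-settings }}
  make_user_settings_testwolfcrypt:
    # testwolfcrypt runs pure crypto tests with no platform-specific
    # features, so Linux-only is sufficient for these user_settings.
    strategy:
      fail-fast: false
      matrix:
        user-settings: [
          # Add new user_settings.h here (alphabetical order)
          'examples/configs/user_settings_ca.h',
          'examples/configs/user_settings_curve25519nonblock.h',
          'examples/configs/user_settings_dtls13.h',
          'examples/configs/user_settings_EBSnet.h',
          'examples/configs/user_settings_eccnonblock.h',
          'examples/configs/user_settings_min_ecc.h',
          'examples/configs/user_settings_openssl_compat.h',
          'examples/configs/user_settings_pkcs7.h',
          'examples/configs/user_settings_rsa_only.h',
          'examples/configs/user_settings_template.h',
          'examples/configs/user_settings_tls12.h',
          'examples/configs/user_settings_tls13.h',
          'examples/configs/user_settings_wolfboot_keytools.h',
          'examples/configs/user_settings_wolfssh.h',
          'examples/configs/user_settings_wolftpm.h',
          # Not included (require special setup):
          # - user_settings_pq.h: Requires --enable-experimental
          # - user_settings_baremetal.h: Requires static memory, custom platform
        ]
    name: make user_setting.h (testwolfcrypt only)
    if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
    runs-on: ubuntu-24.04
    # This should be a safe limit for the tests to run.
    timeout-minutes: 14
    steps:
      - name: Build and test wolfSSL
        uses: wolfSSL/actions-build-autotools-project@v1
        with:
          configure: --enable-usersettings --disable-examples
          check: false
          user-settings: ${{ matrix.user-settings }}
      - name: Run wolfcrypt/test/testwolfcrypt
        run: ./wolfcrypt/test/testwolfcrypt
  # Has to be a dedicated job due to the sed call.
  # Platform-agnostic; --enable-all macOS coverage in make_check_macos and
  # the macOS user_settings_all.h run in make_user_settings already cover
  # the equivalent code paths on Darwin.
  make_user_all:
    name: make user_setting.h (with sed)
    if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
    runs-on: ubuntu-24.04
    # This should be a safe limit for the tests to run.
    timeout-minutes: 14
    steps:
      - uses: actions/checkout@v4
      # tlslite-ng is consumed by scripts/multi-msg-record.test (run from
      # `make check`); without it that test is SKIPped.
      - uses: actions/setup-python@v5
        with:
          python-version: '3.x'
      - run: pip install tlslite-ng
      - run: ./autogen.sh
      # The sed flips every `#if 0` in the copied header to `#if 1`, turning
      # on the optional (compatibility-layer) sections that the plain
      # make_user_settings run leaves off.
      - name: user_settings_all.h with compatibility layer
        run: |
          cp ./examples/configs/user_settings_all.h user_settings.h
          sed -i -e "s/if 0/if 1/" user_settings.h
          ./configure --enable-usersettings
          make -j
          make check
  windows_build:
    name: Windows Build Test
    if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
    runs-on: windows-latest
    strategy:
      fail-fast: false
      matrix:
        arch: [ x64, Win32, ARM64 ]
    # This should be a safe limit for the tests to run.
    timeout-minutes: 6
    env:
      # Path to the solution file relative to the root of the project.
      SOLUTION_FILE_PATH: wolfssl64.sln
      # Configuration type to build.
      # You can convert this to a build matrix if you need coverage of multiple configuration types.
      # https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
      BUILD_CONFIGURATION: Release
    steps:
      - uses: actions/checkout@v4
      - name: Add MSBuild to PATH
        uses: microsoft/setup-msbuild@v2
      # working-directory uses `github.workspace` rather than the template's
      # `env.GITHUB_WORKSPACE`: the `env` context only exposes variables set
      # in the workflow itself, not the runner's default GITHUB_* variables,
      # so the latter evaluates to an empty string and the step silently ran
      # in the default directory. The effective directory is unchanged.
      - name: Restore NuGet packages
        working-directory: ${{ github.workspace }}
        run: nuget restore ${{env.SOLUTION_FILE_PATH}}
      - name: Build
        working-directory: ${{ github.workspace }}
        # Add additional options to the MSBuild command line here (like platform or verbosity level).
        # See https://docs.microsoft.com/visualstudio/msbuild/msbuild-command-line-reference
        run: msbuild /m /p:PlatformToolset=v142 /p:Platform=${{matrix.arch}} /p:Configuration=${{env.BUILD_CONFIGURATION}} ${{env.SOLUTION_FILE_PATH}}
      # ARM64 is cross-compiled on an x64 runner, so its testsuite.exe
      # cannot be executed here; only the native architectures run it.
      - if: ${{ matrix.arch != 'ARM64' }}
        name: Run Test
        working-directory: ${{ github.workspace }}
        run: Release/${{matrix.arch}}/testsuite.exe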