
Commit f3d09cd

committed
Introduce sm-cipher workflow tests to wolfssl
1 parent edf3c31 commit f3d09cd


1 file changed

+258
-0
lines changed


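--- a/.github/workflows/sm-cipher.yml
+++ b/.github/workflows/sm-cipher.yml
@@ -0,0 +1,258 @@
+name: SM Cipher Test (1 of 2)
+#
+# Test fetches wolfssl-examples/Arduino and uses local, latest github master branch wolfssl
+#
+# These 4 workflows across 3 repos are interdependent for the current $REPO_OWNER:
+#
+# THIS sm-cipher CI Build 1: https://github.com/$REPO_OWNER/wolfssl # /.github/workflows/sm-cipher.yml
+# - Builds SM-enabled library from local clone of wolfssl master branch
+# - Fetches examples from https://github.com/$REPO_OWNER/wolfsm
+#
+# sm-cipher CI Build 2: https://github.com/$REPO_OWNER/wolfsm # /.github/workflows/sm-cipher.yml
+# - Builds SM-enabled library from fresh clone of wolfssl master branch here
+#
+# ** NOTE TO MAINTAINERS **
+#
+# Consider using winmerge or similar tool to keep the 2 sm-cipher.yml files in relative sync.
+# Although there are some specific differences, most of the contents are otherwise identical.
+#
+
+# START OF COMMON SECTION
+on:
+push:
+branches: [ '**', 'master', 'main', 'release/**' ]
+paths:
+- '.github/workflows/sm-cipher.yml'
+- 'src/**'
+- 'wolfcrypt/**'
+- 'wolfssl/**'
+pull_request:
+# Run after merge on protected branches
+branches: [ "main", "master", "release/**" ]
+paths:
+- '.github/workflows/sm-cipher.yml'
+- 'src/**'
+- 'wolfcrypt/**'
+- 'wolfssl/**'
+workflow_dispatch:
+
+concurrency:
+group: ${{ github.workflow }}-${{ github.ref }}
+cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+build:
+# TODO:
+# if: github.repository_owner == 'wolfssl'
+runs-on: ubuntu-latest
+env:
+REPO_OWNER: ${{ github.repository_owner }}
+steps:
+- name: Checkout Repository
+uses: actions/checkout@v4
+
+- name: Set job environment variables
+run: |
+# Script to assign some common environment variables after everything is installed
+
+ICON_OK=$(printf "\xE2\x9C\x85")
+ICON_FAIL=$(printf "\xE2\x9D\x8C")
+
+# Show predefined summary:
+
+# For the wolfssl repo, the GITHUB_WORKSPACE is the directory of wolfssl
+echo "GITHUB_WORKSPACE = $GITHUB_WORKSPACE"
+
+# Show assigned build:env values (e.g. "wolfssl", "gojimmpi" or other owners):
+echo "REPO_OWNER = $REPO_OWNER"
+
+# Update environment variables, not available here in this step yet
+echo "GITHUB_WORK=$(realpath "$GITHUB_WORKSPACE/../..")" >> "$GITHUB_ENV"
+echo "WOLFSM_ROOT=$(realpath "$GITHUB_WORKSPACE/../wolfsm")" >> "$GITHUB_ENV"
+echo "WOLFSSL_ROOT=$(realpath "$GITHUB_WORKSPACE/../wolfssl")" >> "$GITHUB_ENV"
+
+echo "GITHUB_ENV=$GITHUB_ENV"
+
+echo "contents..."
+# typically "/home/runner/work/wolfssl/wolfssl" contains wolfssl source
+pwd
+ls
+
+- name: Get wolfsm
+run: |
+# We are in wolfssl repo, fetch SM code from the wolfsm repo
+
+# Show our custom values:
+echo "GITHUB_WORK = $GITHUB_WORK"
+
+# WOLFSM_ROOT is the repo root for wolfsm clone
+echo "WOLFSM_ROOT = $WOLFSM_ROOT"
+
+echo "Start pwd:"
+pwd
+# we're typically in $GITHUB_WORKSPACE=/home/runner/work/wolfssl/wolfssl
+# goto /home/runner/work to fetch wolfsm
+
+echo "Current pwd for wolfsm clone fetch: $(pwd)"
+GITHUB_WORK=$(realpath "$GITHUB_WORKSPACE/../..")
+echo "GITHUB_WORKSPACE=$GITHUB_WORKSPACE"
+
+
+pushd ../
+echo "Updated pwd for wolfsm clone fetch: $(pwd)"
+
+echo "clone --depth 1 https://github.com/$REPO_OWNER/wolfsm.git wolfsm"
+
+git clone --depth 1 https://github.com/$REPO_OWNER/wolfsm.git wolfsm
+
+cd ./wolfsm
+echo "Contents of this path for wolfsm = $(pwd)"
+ls
+popd
+
+# ** END ** Get wolfsm
+
+- name: Install wolfsm
+run: |
+# Run the local install.sh install script to install wolfsm code
+
+echo "Current pwd for wolfsm clone fetch: $(pwd)"
+GITHUB_WORK=$(realpath "$GITHUB_WORKSPACE/../..")
+echo "GITHUB_WORKSPACE=$GITHUB_WORKSPACE"
+
+# Typically /home/runner/work
+echo "GITHUB_WORK=$GITHUB_WORK"
+pwd
+echo "pushd $WOLFSM_ROOT"
+pushd "$WOLFSM_ROOT"
+pwd
+ls
+
+echo "wolfssl check"
+ls ../wolfssl
+
+echo "Call wolfsm/install.sh to install wolfsm code into $WOLFSSL_ROOT"
+./install.sh "$WOLFSSL_ROOT"
+popd
+
+echo "contents..."
+pwd
+ls
+
+# Done with install wolfsm
+
+- name: Compile wolfssl
+run: |
+# Compile fresh wolfSSL with wolfsm code
+
+# We're already in $WOLFSSL_ROOT
+
+echo "Current directory: $PWD"
+
+./autogen.sh
+./configure --enable-sm3 --enable-sm4-ecb --enable-sm4-cbc --enable-sm4-ctr --enable-sm4-gcm --enable-sm4-ccm --enable-sm2
+make
+# Done with compile wolfssl
+
+- name: Test SM wolfcrypt
+shell: bash
+run: |
+# Run client / server tests from cloned wolfssl directory
+
+cd "$WOLFSSL_ROOT"
+echo "Current directory: $PWD"
+
+set -euo pipefail
+
+./wolfcrypt/test/testwolfcrypt
+
+- name: Run SM benchmark
+shell: bash
+run: |
+# Run client / server tests from cloned wolfssl directory
+
+cd "$WOLFSSL_ROOT"
+echo "Current directory: $PWD"
+
+set -euo pipefail
+
+./wolfcrypt/benchmark/benchmark
+
+- name: Test SM client/server (TLS 1.2 and 1.3)
+shell: bash
+run: |
+# Run client / server tests from cloned wolfssl directory
+
+cd "$WOLFSSL_ROOT"
+echo "Current directory: $PWD"
+
+set -euo pipefail
+
+# Parameterized cases
+cases=(
+"-v 3 -l ECDHE-ECDSA-SM4-CBC-SM3"
+"-v 3 -l ECDHE-ECDSA-SM4-GCM-SM3"
+"-v 3 -l ECDHE-ECDSA-SM4-CCM-SM3"
+"-v 4 -l TLS13-SM4-GCM-SM3"
+"-v 4 -l TLS13-SM4-CCM-SM3 "
+)
+
+srv_bin=./examples/server/server
+cli_bin=./examples/client/client
+
+srv_cert=./certs/sm2/server-sm2.pem
+srv_key=./certs/sm2/server-sm2-priv.pem
+cli_cert=./certs/sm2/client-sm2.pem
+cli_key=./certs/sm2/client-sm2-priv.pem
+ca_root=./certs/sm2/root-sm2.pem
+
+# Use an explicit port so we can start/stop cleanly
+port=11111
+
+# Ensure background server is cleaned up even on failure
+cleanup() { pkill -P $$ >/dev/null 2>&1 || true; }
+trap cleanup EXIT
+
+for args in "${cases[@]}"; do
+echo "=== Testing ${args} on port ${port} ==="
+
+# Start server in background; capture PID
+"${srv_bin}" ${args} \
+-c "${srv_cert}" -k "${srv_key}" \
+-A "${cli_cert}" -V \
+-p "${port}" &
+srv_pid=$!
+
+# Wait briefly for the server to listen
+if command -v ss >/dev/null 2>&1; then
+for _ in {1..40}; do
+ss -ltn | grep -q ":${port} " && break
+echo "Waiting for server on port ${port} ..."
+sleep 0.25
+done
+else
+sleep 2
+fi
+
+# Run client with timeout so CI does not hang
+set +e
+timeout 60s "${cli_bin}" ${args} \
+-h 127.0.0.1 -p "${port}" \
+-c "${cli_cert}" \
+-k "${cli_key}" \
+-A "${ca_root}" -C
+rc=$?
+set -e
+
+# Graceful shutdown: only kill if still running; keep quiet
+if kill -0 "${srv_pid}" >/dev/null 2>&1; then
+kill "${srv_pid}" # >/dev/null 2>&1 || true
+fi
+wait "${srv_pid}" # >/dev/null 2>&1 || true
+
+if [ ${rc} -ne 0 ]; then
+echo "Client failed for: ${args} (rc=${rc})"
+exit ${rc}
+fi
+done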
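Review bot: The `Install wolfsm` step runs `./install.sh` from an unpinned `git clone --depth 1` of `$REPO_OWNER/wolfsm`, while the workflow declares no `permissions:` key and `actions/checkout@v4` is used without `persist-credentials: false`. Whatever sits at the tip of that repository's default branch therefore executes with the job token still stored in the checked-out repository's git config. A top-level `permissions:` block with `contents: read`, plus `with:` / `persist-credentials: false` on the checkout step, would limit what that script can reach; the effective default token scope depends on repository settings not visible on this page. Checking out a reviewed wolfsm commit rather than the branch tip would also make runs reproducible and keep an unreviewed change there from reaching this job. Separately, in the client/server step `wait "${srv_pid}"` runs after `set -e` is restored, so a server that had to be killed returns non-zero and ends the step before the `Client failed for:` message is printed; restoring the commented-out `|| true` on that line would keep the client's `rc` as the reported result.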
