Add valgrind to librelp.yml to enable additional tests #340
Merged
5d6ebe5 to 64c66e1
Contributor: jenkins retest this please
ColtonWilley approved these changes, Apr 2, 2026
aidangarske added a commit to aidangarske/wolfProvider that referenced this pull request, May 27, 2026:
* Orchestrate the OSP suite via a single Nightly OSP workflow (.github/workflows/nightly-osp.yml) that fans out every per-app workflow (bind9, cjose, curl, debian-package, git-ssh-dr, grpc, hostap, iperf, krb5, libcryptsetup, libeac3, libfido2, libhashkit2, libnice, liboauth2, librelp, libssh2, libtss2, libwebsockets, net-snmp, nginx, openldap, opensc, openssh, openvpn, pam-pkcs11, ppp, python3-ntp, qt5network5, rsync, socat, sscep, sssd, stunnel, systemd, tcpdump, tnftp, tpm2-tools, x11vnc, xmlsec) plus the openssl-version sweep, then aggregates results to Slack.
* Resolve wolfSSL and OpenSSL versions dynamically per nightly run via .github/workflows/_discover-versions.yml so the matrix reflects what actually ships on ghcr.io and what's latest upstream rather than what was hand-bumped here.
* Switch OSP test jobs to the test-deps image ghcr.io/wolfssl/wolfprovider-test-deps:bookworm with all deps pre-installed (built by .github/workflows/publish-test-deps-image.yml from docker/wolfprovider-test-deps/Dockerfile).
* Drop the openssl-3.0.20 -> 3.5.4 source build from the OSP path; OSP suites now use the bookworm system OpenSSL (which is the wolfprov-replace-default .deb on ghcr).
* Add a dedicated Sanitizers (ASan + UBSan) workflow that builds wolfssl + wolfprov with -fsanitize=address,undefined and runs the cmd-tests + wolfprov unit tests under that runtime. Cache openssl-source/install across runs so source-build skips when refs match. WOLFPROV_SKIP_TEST=1 lets the build step skip the internal make test (which needed LD_PRELOAD=libasan and segfaulted dpkg/grep in the build path) and run unit tests as a separate step instead.
* Smoke test gate (.github/workflows/smoke-test.yml) runs on every push/PR including drafts; other PR-time workflows wait for it via .github/actions/wait-for-smoke.
* PR mode runs smoke + simple + cmd-tests + multi-compiler + fips-ready + codespell + sanitizers. The full OSP matrix only runs nightly / on workflow_dispatch.
* Bump every per-app OSP workflow timeout-minutes to >= 60 so flaky long-tail tests don't trip the previous 15/20/30 minute caps.

This pairs with wolfssl/osp PR wolfSSL#340 which provides the 5.9.1 FIPS patches the per-app workflows reference. Once that merges these workflows will be green end-to-end.
aidangarske added a commit to aidangarske/wolfProvider that referenced this pull request, May 27, 2026:
* Orchestrate the OSP suite via a single Nightly OSP workflow (.github/workflows/nightly-osp.yml) that fans out every per-app workflow (bind9, cjose, curl, debian-package, git-ssh-dr, grpc, hostap, iperf, krb5, libcryptsetup, libeac3, libfido2, libhashkit2, libnice, liboauth2, librelp, libssh2, libtss2, libwebsockets, net-snmp, nginx, openldap, opensc, openssh, openvpn, pam-pkcs11, ppp, python3-ntp, qt5network5, rsync, socat, sscep, sssd, stunnel, systemd, tcpdump, tnftp, tpm2-tools, x11vnc, xmlsec) plus the openssl-version sweep and the static-analysis suite, then aggregates results to Slack.
* Resolve wolfSSL and OpenSSL versions dynamically per nightly run via .github/workflows/_discover-versions.yml so the matrix reflects what actually ships on ghcr.io and what's latest upstream rather than what was hand-bumped here.
* Switch OSP test jobs to the test-deps image ghcr.io/wolfssl/wolfprovider-test-deps:bookworm with all deps pre-installed (built by .github/workflows/publish-test-deps-image.yml from docker/wolfprovider-test-deps/Dockerfile).
* Drop the openssl-3.0.20 -> 3.5.4 source build from the OSP path; OSP suites now use the bookworm system OpenSSL (which is the wolfprov-replace-default .deb on ghcr).
* Add a dedicated Sanitizers workflow that builds wolfssl + wolfprov with -fsanitize=address,undefined (one job) and -fsanitize=thread (separate job -- ASan and TSan can't coexist in one binary), then runs the cmd-tests + wolfprov unit tests under each. Cache openssl-source/install across runs so source-build skips when refs match. WOLFPROV_SKIP_TEST=1 lets the build step skip the internal make test (which needed LD_PRELOAD=libasan and segfaulted dpkg/grep in the build path) and run unit tests as a separate step instead. ASAN_OPTIONS=detect_odr_violation=0 suppresses a known false positive from the provider's static ASN.1 table being linked into both libwolfprov.so and the test binary.
* Convert .github/workflows/static-analysis.yml (cppcheck, clang scan-build, Facebook Infer) from a standalone 2 AM cron to workflow_call so it runs in the nightly-osp fan-out alongside the OSP integrations. Single nightly cadence, single Slack summary.
* Smoke test gate (.github/workflows/smoke-test.yml) runs on every push/PR including drafts; other PR-time workflows wait for it via .github/actions/wait-for-smoke.
* PR mode runs smoke + simple + cmd-tests + multi-compiler + fips-ready + codespell + sanitizers. The full OSP matrix and the heavy static analyzers only run nightly / on workflow_dispatch.
* Bump every per-app OSP workflow timeout-minutes to >= 60 so flaky long-tail tests don't trip the previous 15/20/30 minute caps.
* Document the full CI structure in .github/README.md -- three tiers (PR/push, nightly, reusable), per-OSP inventory with the wolfprov surface each one exercises, the WOLFPROV_FORCE_FAIL XOR sanity check, the OSP workflow template, and a failure -> log-section cheat sheet.
* Fix a real ASan global-buffer-overflow caught by the new sanitizer job: src/wp_aes_aead.c was using XMEMCMP(params->key, X, sizeof(X)) to compare a NUL-terminated provider parameter name against a string literal, which overreads the caller's buffer when their key is shorter than the constant (e.g. "tlsivinv" vs "tlsivfixed"). Switch to XSTRCMP for the five AEAD parameter key checks.

This pairs with wolfssl/osp PR wolfSSL#340 which provides the 5.9.1 FIPS patches the per-app workflows reference. Once that merges these workflows will be green end-to-end.
aidangarske added a commit to aidangarske/wolfProvider that referenced this pull request, May 27, 2026:
* Orchestrate the OSP suite via a single Nightly OSP workflow (.github/workflows/nightly-osp.yml) that fans out every per-app workflow (bind9, cjose, curl, debian-package, git-ssh-dr, grpc, hostap, iperf, krb5, libcryptsetup, libeac3, libfido2, libhashkit2, libnice, liboauth2, librelp, libssh2, libtss2, libwebsockets, net-snmp, nginx, openldap, opensc, openssh, openvpn, pam-pkcs11, ppp, python3-ntp, qt5network5, rsync, socat, sscep, sssd, stunnel, systemd, tcpdump, tnftp, tpm2-tools, x11vnc, xmlsec) plus the openssl-version sweep and the static-analysis suite, then aggregates results to Slack.
* Resolve wolfSSL and OpenSSL versions dynamically per nightly run via .github/workflows/_discover-versions.yml so the matrix reflects what actually ships on ghcr.io and what's latest upstream rather than what was hand-bumped here.
* Switch OSP test jobs to the test-deps image ghcr.io/wolfssl/wolfprovider-test-deps:bookworm with all deps pre-installed (built by .github/workflows/publish-test-deps-image.yml from docker/wolfprovider-test-deps/Dockerfile).
* Drop the openssl-3.0.20 -> 3.5.4 source build from the OSP path; OSP suites now use the bookworm system OpenSSL (which is the wolfprov-replace-default .deb on ghcr).
* Add a dedicated Sanitizers workflow that builds wolfssl + wolfprov with -fsanitize=address,undefined (one job) and -fsanitize=thread (separate job -- ASan and TSan can't coexist in one binary), then runs the cmd-tests + wolfprov unit tests under each. Cache openssl-source/install across runs so source-build skips when refs match. WOLFPROV_SKIP_TEST=1 lets the build step skip the internal make test (which needed LD_PRELOAD=libasan and segfaulted dpkg/grep in the build path) and run unit tests as a separate step instead. ASAN_OPTIONS=detect_odr_violation=0 suppresses a known false positive from the provider's static ASN.1 table being linked into both libwolfprov.so and the test binary. For TSan, the unit-test step skips LD_PRELOAD entirely -- libtsan is wired in via DT_NEEDED on the TSan-built test binary, and preloading it into make crashes the non-TSan host process.
* Convert .github/workflows/static-analysis.yml (cppcheck, clang scan-build, Facebook Infer) from a standalone 2 AM cron to workflow_call so it runs in the nightly-osp fan-out alongside the OSP integrations. Single nightly cadence, single Slack summary.
* Smoke test gate (.github/workflows/smoke-test.yml) runs on every push/PR including drafts; other PR-time workflows wait for it via .github/actions/wait-for-smoke.
* PR mode runs smoke + simple + cmd-tests + multi-compiler + fips-ready + codespell + sanitizers. The full OSP matrix and the heavy static analyzers only run nightly / on workflow_dispatch.
* Bump every per-app OSP workflow timeout-minutes to >= 60 so flaky long-tail tests don't trip the previous 15/20/30 minute caps.
* Document the full CI structure in .github/README.md -- three tiers (PR/push, nightly, reusable), per-OSP inventory with the wolfprov surface each one exercises, the WOLFPROV_FORCE_FAIL XOR sanity check, the OSP workflow template, and a failure -> log-section cheat sheet.
* Fix a real ASan global-buffer-overflow caught by the new sanitizer job: src/wp_aes_aead.c was using XMEMCMP(params->key, X, sizeof(X)) to compare a NUL-terminated provider parameter name against a string literal, which overreads the caller's buffer when their key is shorter than the constant (e.g. "tlsivinv" vs "tlsivfixed"). Switch to XSTRCMP for the five AEAD parameter key checks.

This pairs with wolfssl/osp PR wolfSSL#340 which provides the 5.9.1 FIPS patches the per-app workflows reference. Once that merges these workflows will be green end-to-end.
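The XMEMCMP-versus-XSTRCMP point in the commit message above, as an added illustration that is not wolfProvider's own code: a `memcmp` sized by `sizeof(literal)` reads `literal_size` bytes of the caller's key whatever its length, so a shorter key is overread past its terminator, while a string compare stops at the first NUL. The two parameter names are the ones the message quotes; the function and table names are assumed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parameter names quoted in the commit message. */
#define PARAM_TLS_IV_FIXED "tlsivfixed"
#define PARAM_TLS_IV_INV   "tlsivinv"

/* Before: memcmp(key, LIT, sizeof(LIT)) compares sizeof(LIT) bytes of the
 * caller's key regardless of the key's length (it does at least include
 * LIT's NUL, so an equal key matches exactly). This returns how many bytes
 * such a compare would read past the key's own storage (strlen + NUL); 0
 * means the read stays in bounds. Computed arithmetically so the example
 * never performs the out-of-bounds read itself. */
size_t memcmp_overread(const char *key, size_t literal_size)
{
    size_t key_storage = strlen(key) + 1;   /* bytes the caller actually owns */
    return literal_size > key_storage ? literal_size - key_storage : 0;
}

/* After: compare as NUL-terminated strings. strcmp stops at the first
 * differing byte or at either operand's terminator, so it never reads
 * beyond a shorter key. This is the shape of the XSTRCMP switch. */
int param_key_is(const char *key, const char *literal)
{
    return strcmp(key, literal) == 0;
}

/* Table of known AEAD parameter names (assumed table name; the page names
 * only these two of the five keys). */
static const char *const aead_keys[] = { PARAM_TLS_IV_FIXED, PARAM_TLS_IV_INV };
#define AEAD_KEY_COUNT (sizeof(aead_keys) / sizeof(aead_keys[0]))

/* Dispatch the way a set_ctx_params-style handler walks its parameter
 * list, using the string compare. Returns the table index or -1. */
int classify_aead_key(const char *key)
{
    for (size_t i = 0; i < AEAD_KEY_COUNT; i++) {
        if (param_key_is(key, aead_keys[i]))
            return (int)i;
    }
    return -1;
}

/* Worst-case overread a caller's key would suffer if every table entry
 * were still checked with memcmp(key, lit, sizeof(lit)). */
size_t worst_case_overread(const char *key)
{
    size_t worst = 0;
    for (size_t i = 0; i < AEAD_KEY_COUNT; i++) {
        size_t n = memcmp_overread(key, strlen(aead_keys[i]) + 1);
        if (n > worst)
            worst = n;
    }
    return worst;
}

int main(void)
{
    const char *key = PARAM_TLS_IV_INV;   /* the shorter of the two names */
    printf("key \"%s\": memcmp against \"%s\" would overread %zu byte(s)\n",
           key, PARAM_TLS_IV_FIXED,
           memcmp_overread(key, sizeof(PARAM_TLS_IV_FIXED)));
    printf("strcmp dispatch -> index %d\n", classify_aead_key(key));
    return 0;
}
```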
aidangarske added a commit to aidangarske/wolfProvider that referenced this pull request, May 28, 2026:
Brings the v5.8.4 backwards-compat plan execution into PR wolfSSL#400:
- scripts/resolve-osp-patch.sh for wolfssl-version-aware patch lookup
- 26 OSP workflows routed through the helper
- wolfssl_refs_json input on all 42 nightly OSP workflows
- nightly-osp.yml split into Wave 1 (dynamic latest stable) and Wave 2 (v5.8.4-stable pinned) with wave1-done fan-in
- nightly-multi-compiler.yml gains representative v5.8.4-stable rows

Depends on wolfssl/osp PR wolfSSL#340 + follow-up commit that adds -wolfssl-5.8.4- snapshot patches for libssh2, krb5, stunnel.
aidangarske added a commit to aidangarske/wolfProvider that referenced this pull request, May 28, 2026:
OSP PR wolfSSL#340 review removed the duplicate stunnel-WPFF-5.67-wolfprov-fips.patch (it was identical to the non-FIPS patch). stunnel.yml no longer passes --fips so the resolver picks the single stunnel-WPFF-5.67-wolfprov.patch for both FIPS and non-FIPS rows.
aidangarske added a commit to aidangarske/wolfProvider that referenced this pull request, May 28, 2026:
…P patches Temporary test scaffolding so the nightly OSP CI run can exercise the renamed/snapshot patches from osp PR wolfSSL#340 before they merge to osp master. REVERT before merging PR wolfSSL#400 - the OSP checkout must go back to wolfssl/osp (master) once osp wolfSSL#340 lands. All 26 OSP workflow checkouts repointed from wolfssl/osp to aidangarske/osp ref 5.9.1-wolfprov-patches.
No description provided.