ci: add wycheproof vector test job #10258

Open: MarkAtwood wants to merge 2 commits into wolfSSL:master from MarkAtwood:ci/wycheproof-integration
@MarkAtwood
Contributor

Summary

  • Adds .github/workflows/wycheproof.yml which builds wolfSSL from the PR branch and runs it against the wolfSSL/wychcheck test suite (340+ Wycheproof JSON test files, NIST ACVP vectors, and RFC vectors covering AES-GCM, AES-EAX, AES-SIV, ChaCha20-Poly1305, RSA-PSS, RSA-OAEP, ECDH/ECDSA over all curves, X25519, ML-DSA, ML-KEM, SLH-DSA, EdDSA)
  • Guarded with if: github.repository_owner == 'wolfssl' per project convention
  • Only inits the wycheproof submodule (not acvp-server which is 900 MB)
  • Uploads JUnit XML results as a build artifact

Relationship to wychcheck

wolfSSL/wychcheck already runs nightly against wolfssl/wolfssl master (Saturday 22:00 UTC). This job adds per-PR coverage so regressions are caught before merge rather than after.

Test plan

  • Verify job appears in PR checks
  • Confirm wolfcrypt-check builds and ctest passes
  • Confirm artifact upload contains wycheproof-results/test-results.xml
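
How a Wycheproof-style vector file catches a regression, as an added example that is not part of this pull request and not wychcheck's code. It assumes the Wycheproof MacTest JSON layout, uses HMAC-SHA256 from the Python standard library as a stand-in for the wolfCrypt primitives, and builds its sample vectors at run time (constructed, not taken from the real suite); `lax_verify` is a hypothetical regressed verifier.

```python
import hashlib
import hmac
import json

def make_sample_vectors():
    """Constructed sample in the Wycheproof MacTest layout (not from the real suite)."""
    key = bytes(range(32))
    msg = b"wycheproof-style sample"
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:16]
    bad = bytes([tag[0] ^ 0x01]) + tag[1:]
    def case(tc_id, comment, t, result):
        return {"tcId": tc_id, "comment": comment, "key": key.hex(),
                "msg": msg.hex(), "tag": t.hex(), "result": result}
    return json.dumps({
        "algorithm": "HMACSHA256",
        "testGroups": [{"type": "MacTest", "keySize": 256, "tagSize": 128, "tests": [
            case(1, "correct tag", tag, "valid"),
            case(2, "first tag bit flipped", bad, "invalid"),
            case(3, "tag truncated by one byte", tag[:-1], "invalid"),
        ]}],
    })

def hmac_sha256_verify(key, msg, tag, tag_bytes):
    """Correct verifier: enforces the group's tag length and compares in constant time."""
    expected = hmac.new(key, msg, hashlib.sha256).digest()[:tag_bytes]
    return len(tag) == tag_bytes and hmac.compare_digest(expected, tag)

def lax_verify(key, msg, tag, tag_bytes):
    """Hypothetical regression: compares only as many bytes as the caller supplied."""
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return expected[:len(tag)] == tag

def run_vectors(doc_json, verify):
    """Return (tcId, reason) for every case where verify disagrees with the file."""
    failures = []
    for group in json.loads(doc_json)["testGroups"]:
        tag_bytes = group["tagSize"] // 8  # tagSize is given in bits
        for t in group["tests"]:
            accepted = verify(bytes.fromhex(t["key"]), bytes.fromhex(t["msg"]),
                              bytes.fromhex(t["tag"]), tag_bytes)
            if t["result"] == "valid" and not accepted:
                failures.append((t["tcId"], "rejected a valid tag"))
            elif t["result"] == "invalid" and accepted:
                failures.append((t["tcId"], "accepted an invalid tag"))
            # "acceptable" cases may go either way, so they never fail the run
    return failures

if __name__ == "__main__":
    print(run_vectors(make_sample_vectors(), hmac_sha256_verify))
    print(run_vectors(make_sample_vectors(), lax_verify))
```

A per-PR job fails as soon as a change makes the returned list non-empty, which is the "before merge rather than after" coverage described above.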

Contributor

Copilot AI left a comment

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds a dedicated GitHub Actions workflow to run wolfSSL against the wolfSSL/wychcheck (Wycheproof + vector) suite on pushes and PRs, and to publish JUnit XML results as an artifact.

Changes:

  • Introduces .github/workflows/wycheproof.yml with a new wycheproof CI job.
  • Builds wolfSSL from the PR branch, builds wolfcrypt-check from wolfSSL/wychcheck, and executes ctest with JUnit output.
  • Uploads the generated JUnit XML as a workflow artifact.


@LinuxJedi assigned wolfSSL-Bot and unassigned wolfSSL-Bot on Apr 18, 2026
@MarkAtwood force-pushed the ci/wycheproof-integration branch from cd090b5 to 2d7c9a4 on May 1, 2026 17:58
@dgarske assigned MarkAtwood and unassigned wolfSSL-Bot on May 4, 2026
Member

@dgarske dgarske left a comment

@MarkAtwood force-pushed the ci/wycheproof-integration branch from 2d7c9a4 to ff2fe91 on June 3, 2026 22:18
@MarkAtwood
Contributor Author

All review feedback addressed in the current commit (ff2fe91):

  • --enable-keywrap → --enable-aeskeywrap (LinuxJedi's catch)
  • Explicit apt-get install step added (Copilot suggestion)
  • branches: ['**'] for PR trigger (Copilot suggestion)
  • --depth 1 on submodule init (Copilot suggestion)
  • vars.WYCHCHECK_REF for optional pinning (Copilot suggestion)

The May 1st CI failure was caused by the invalid --enable-keywrap flag, which is now fixed. Ready for re-review.

MarkAtwood and others added 2 commits June 4, 2026 17:23
Add GitHub Actions workflow that builds wolfSSL, checks out
wolfSSL/wychcheck, and runs Wycheproof test vectors via ctest.
Uploads JUnit XML results as artifact.

wychcheck's CMakeLists.txt reads WOLFSSL_DIR from the environment
($ENV{WOLFSSL_DIR}), which overwrites any -D cache variable. Pass it
as an env var so cmake picks it up correctly.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@MarkAtwood force-pushed the ci/wycheproof-integration branch from ff2fe91 to fcb1619 on June 5, 2026 00:23
@MarkAtwood
Contributor Author

Root cause: wychcheck's CMakeLists.txt reads WOLFSSL_DIR from the environment ($ENV{WOLFSSL_DIR}), which overwrites any -D cache variable. Switched to passing it as an env: block so cmake picks it up. Also rebased onto current master.
