Introduce sm-cipher workflow tests

Author: gojimmypi

.github/SECURITY.md

@@ -0,0 +1,12 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a vulnerability, please report it to [email protected]
+
+ 1. Include a detailed description
+ 2. Include method to reproduce and/or method of discovery
+ 3. We will evaluate the report promptly and respond to you with findings.
+ 4. We will credit you with the report if you would like.
+
+**Please keep the vulnerability private** until a fix has been released.

.github/workflows/sm-cipher.yml

@@ -0,0 +1,246 @@
+name: SM Cipher Test (2 of 2)
+#
+# Test fetches wolfssl-examples/Arduino and uses local, latest github master branch wolfssl
+#
+# These 4 workflows across 3 repos are interdependent for the current $REPO_OWNER:
+#
+# sm-cipher CI Build 1: https://github.com/$REPO_OWNER/wolfssl      #  /.github/workflows/sm-cipher.yml
+#   - Builds SM-enabled library from local clone of wolfssl master branch
+#   - Fetches examples from https://github.com/$REPO_OWNER/wolfsm
+#
+# THIS sm-cipher CI Build 2: https://github.com/$REPO_OWNER/wolfsm  #  /.github/workflows/sm-cipher.yml
+#   - Builds SM-enabled library from fresh clone of wolfssl master branch here
+#
+#                                   ** NOTE TO MAINTAINERS **
+#
+#           Consider using winmerge or similar tool to keep the 2 sm-cipher.yml files in relative sync.
+#           Although there are some specific differences, most of the contents are otherwise identical.
+#
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ '**', 'master', 'main', 'release/**' ]
+    paths:
+      - '.github/workflows/sm-cipher.yml'
+      - 'src/**'
+      - 'wolfcrypt/**'
+      - 'wolfssl/**'
+  pull_request:
+    # Run after merge on protected branches
+    branches: [ "main", "master", "release/**" ]
+    paths:
+      - '.github/workflows/sm-cipher.yml'
+      - 'src/**'
+      - 'wolfcrypt/**'
+      - 'wolfssl/**'
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build:
+    # TODO:
+    # if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    env:
+      REPO_OWNER: ${{ github.repository_owner }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Set job environment variables
+        run: |
+          # Script to assign some common environment variables after everything is installed
+
+          ICON_OK=$(printf "\xE2\x9C\x85")
+          ICON_FAIL=$(printf "\xE2\x9D\x8C")
+
+          # Show predefined summary:
+
+          # For the wolfssl repo, the GITHUB_WORKSPACE is the directory of wolfssl
+          echo "GITHUB_WORKSPACE       = $GITHUB_WORKSPACE"
+
+          # Show assigned build:env values (e.g. "wolfssl", "gojimmpi" or other owners):
+          echo "REPO_OWNER             = $REPO_OWNER"
+
+          # Update environment variables, not available here in this step yet
+          echo "GITHUB_WORK=$(realpath  "$GITHUB_WORKSPACE/../..")"       >> "$GITHUB_ENV"
+          echo "WOLFSM_ROOT=$(realpath  "$GITHUB_WORKSPACE/../wolfsm")"   >> "$GITHUB_ENV"
+          echo "WOLFSSL_ROOT=$(realpath "$GITHUB_WORKSPACE/../wolfssl")"  >> "$GITHUB_ENV"
+
+          echo "GITHUB_ENV=$GITHUB_ENV"
+
+          echo "contents..."
+          # typically "/home/runner/work/wolfssl/wolfssl" contains wolfssl source
+          pwd
+          ls
+
+      - name: Get wolfssl
+        run: |
+          # We are in wolfsm repo, fetch wolfssl code
+
+          # Show our custom values:
+          echo "GITHUB_WORK            = $GITHUB_WORK"
+
+          # WOLFSM_ROOT is the repo root for wolfsm clone
+          echo "WOLFSM_ROOT            = $WOLFSM_ROOT"
+
+          echo "Start pwd:"
+          pwd
+          # we're typically in $GITHUB_WORKSPACE=/home/runner/work/wolfssl/wolfssl
+          # goto /home/runner/work to fetch wolfsm
+
+          echo "Current pwd for wolfsm clone fetch: $(pwd)"
+          GITHUB_WORK=$(realpath "$GITHUB_WORKSPACE/../..")
+          echo "GITHUB_WORKSPACE=$GITHUB_WORKSPACE"
+
+
+          pushd ../
+            echo "Updated pwd for wolfssl clone fetch: $(pwd)"
+
+            echo "clone --depth 1 https://github.com/$REPO_OWNER/wolfssl.git wolfssl"
+
+            git   clone --depth 1 https://github.com/$REPO_OWNER/wolfssl.git wolfssl
+
+            cd ./wolfssl
+            echo "Contents of this path for wolfssl = $(pwd)"
+            ls
+          popd
+
+          # ** END ** Get wolfssl
+
+      - name: Install wolfsm
+        run: |
+          # Run the local install.sh install script to install wolfsm code
+
+          echo "Current pwd for wolfsm clone fetch: $(pwd)"
+          GITHUB_WORK=$(realpath "$GITHUB_WORKSPACE/../..")
+          echo "GITHUB_WORKSPACE=$GITHUB_WORKSPACE"
+
+          # Typically /home/runner/work
+          echo "GITHUB_WORK=$GITHUB_WORK"
+          pwd
+          echo "pushd $WOLFSM_ROOT"
+          pushd "$WOLFSM_ROOT"
+            pwd
+            ls
+
+            echo "wolfssl check"
+            ls ../wolfssl
+
+            echo "Call wolfsm/install.sh to install wolfsm code into $WOLFSSL_ROOT"
+            ./install.sh "$WOLFSSL_ROOT"
+          popd
+
+          echo "contents..."
+          pwd
+          ls
+
+          # Done with install wolfssl
+
+      - name: Compile wolfssl
+        run: |
+          # Compile fresh wolfSSL with wolfsm code
+
+          cd "$WOLFSSL_ROOT"
+          echo "Current directory:           $PWD"
+
+          ./autogen.sh
+          ./configure --enable-sm3 --enable-sm4-ecb --enable-sm4-cbc --enable-sm4-ctr --enable-sm4-gcm --enable-sm4-ccm --enable-sm2
+          make
+          # Done with compile wolfssl
+
+      - name: Test SM wolfcrypt
+        shell: bash
+        run: |
+          # Run client / server tests from cloned wolfssl directory
+
+          cd "$WOLFSSL_ROOT"
+          echo "Current directory:           $PWD"
+
+          set -euo pipefail
+
+          ./wolfcrypt/test/testwolfcrypt
+
+      - name: Run SM benchmark
+        shell: bash
+        run: |
+          # Run client / server tests from cloned wolfssl directory
+
+          cd "$WOLFSSL_ROOT"
+          echo "Current directory:           $PWD"
+
+          set -euo pipefail
+
+          ./wolfcrypt/benchmark/benchmark
+
+      - name: Test SM client/server (TLS 1.2 and 1.3)
+        shell: bash
+        run: |
+          # Run client / server tests from cloned wolfssl directory
+
+          cd "$WOLFSSL_ROOT"
+          echo "Current directory:           $PWD"
+
+          set -euo pipefail
+
+          # Parameterized cases
+          cases=(
+            "-v 3 -l ECDHE-ECDSA-SM4-CBC-SM3"
+            "-v 3 -l ECDHE-ECDSA-SM4-GCM-SM3"
+            "-v 3 -l ECDHE-ECDSA-SM4-CCM-SM3"
+            "-v 4 -l TLS13-SM4-GCM-SM3"
+            "-v 4 -l TLS13-SM4-CCM-SM3 "
+          )
+
+          srv_bin=./examples/server/server
+          cli_bin=./examples/client/client
+
+          srv_cert=./certs/sm2/server-sm2.pem
+          srv_key=./certs/sm2/server-sm2-priv.pem
+          cli_cert=./certs/sm2/client-sm2.pem
+          cli_key=./certs/sm2/client-sm2-priv.pem
+          ca_root=./certs/sm2/root-sm2.pem
+
+          # Use an explicit port so we can start/stop cleanly
+          port=11111
+
+          # Ensure background server is cleaned up even on failure
+          cleanup() { pkill -P $$ || true; }
+          trap cleanup EXIT
+
+          for args in "${cases[@]}"; do
+            echo "=== Testing: ${args} ==="
+
+            # Start server in background
+            "${srv_bin}" ${args} \
+              -c "${srv_cert}" -k "${srv_key}" \
+              -A "${cli_cert}" -V \
+              -p "${port}" &
+            srv_pid=$!
+
+            # Brief wait for server to bind
+            sleep 2
+
+            # Run client with a hard timeout so CI never hangs
+            set +e
+            timeout 60s "${cli_bin}" ${args} \
+              -h 127.0.0.1 -p "${port}" \
+              -c "${cli_cert}" -k "${cli_key}" \
+              -A "${ca_root}" -C
+            rc=$?
+            set -e
+
+            # Stop server and evaluate result
+            kill "${srv_pid}" || true
+            wait "${srv_pid}" || true
+
+            if [ ${rc} -ne 0 ]; then
+              echo "Client failed for: ${args} (rc=${rc})"
+              exit ${rc}
+            fi
+          done

.gitignore

@@ -0,0 +1,8 @@
+# Visual Studio
+/.vs
+
+# Visual Studio Code Workspace Files
+*.vscode
+
+# Backup files
+*.bak