Merge pull request #36 from danielinux/tcp_timestamp_negotiation

TCP: fix timestamp negotiation, RFC6298 compliance, TCP zero-window probe

Author: gasbytes

.github/workflows/linux.yml

@@ -9,6 +9,7 @@ on:
 jobs:
   linux_test:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - uses: actions/checkout@v4
@@ -27,37 +28,50 @@ jobs:
           make
 
       - name: Run standalone "event loop" test
+        timeout-minutes: 5
         run: |
-          sudo ./build/test-evloop
+          set -euo pipefail
+          timeout --preserve-status 5m sudo ./build/test-evloop
           sudo killall tcpdump || true
 
       - name: Run standalone "IPsec esp" test
+        timeout-minutes: 7
         run: |
-          sudo ./tools/ip-xfrm/rfc4106 128
-          sudo ./build/test-esp -m 0
+          set -euo pipefail
+          sudo ./tools/ip-xfrm/delete_all || true
+          timeout --preserve-status 7m sudo ./tools/ip-xfrm/rfc4106 128
+          timeout --preserve-status 7m sudo ./build/test-esp -m 0
           sudo killall tcpdump || true
-          sudo ./tools/ip-xfrm/delete_all
-          sudo ./tools/ip-xfrm/cbc_auth sha256 128
-          sudo ./build/test-esp -m 1
+          sudo ./tools/ip-xfrm/delete_all || true
+          timeout --preserve-status 7m sudo ./tools/ip-xfrm/cbc_auth sha256 128
+          timeout --preserve-status 7m sudo ./build/test-esp -m 1
           sudo killall tcpdump || true
-          sudo ./tools/ip-xfrm/delete_all
+          sudo ./tools/ip-xfrm/delete_all || true
 
       - name: Run standalone wolfssl test
+        timeout-minutes: 5
         run: |
-          sudo ./build/test-wolfssl
+          set -euo pipefail
+          timeout --preserve-status 5m sudo ./build/test-wolfssl
           sudo killall tcpdump || true
 
       - name: Run standalone forwarding test
+        timeout-minutes: 5
         run: |
-          sudo ./build/test-wolfssl-forwarding
+          set -euo pipefail
+          timeout --preserve-status 5m sudo ./build/test-wolfssl-forwarding
 
       - name: Run standalone TTL expired test
+        timeout-minutes: 5
         run: |
-          ./build/test-ttl-expired
+          set -euo pipefail
+          timeout --preserve-status 5m ./build/test-ttl-expired
 
       - name: Testing ICMP socket by stealing system calls in ping
+        timeout-minutes: 2
         run: |
-          sudo LD_PRELOAD=$PWD/libwolfip.so ping -c 5 10.10.10.1
+          set -euo pipefail
+          timeout --preserve-status 2m sudo LD_PRELOAD=$PWD/libwolfip.so ping -c 5 10.10.10.1
 
       - name: Install check
         run: |
@@ -68,5 +82,13 @@ jobs:
           make unit
 
       - name: Run unit tests
+        timeout-minutes: 5
         run: |
-          build/test/unit
+          set -euo pipefail
+          timeout --preserve-status 5m build/test/unit
+
+      - name: Cleanup IPsec state
+        if: always()
+        run: |
+          sudo ./tools/ip-xfrm/delete_all || true
+          sudo killall tcpdump || true

.github/workflows/wolfip-autocov.yml

@@ -0,0 +1,63 @@
+name: wolfIP Autocov
+
+on:
+  push:
+    branches:
+      - "**"
+  pull_request:
+
+jobs:
+  autocov:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: true
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential check gcovr libwolfssl-dev
+
+      - name: Run autocov
+        run: make clean autocov
+
+      - name: Generate coverage JSON
+        run: |
+          gcovr -r . --exclude "src/test/unit/unit.c" --json -o build/coverage/coverage.json
+
+      - name: Enforce 100% function coverage for src/wolfip.c
+        run: |
+          python3 - <<'PY'
+          import json
+          import sys
+
+          with open("build/coverage/coverage.json", "r", encoding="utf-8") as f:
+              data = json.load(f)
+
+          target = None
+          for file_entry in data.get("files", []):
+              if file_entry.get("file", "").endswith("src/wolfip.c"):
+                  target = file_entry
+                  break
+
+          if target is None:
+              print("ERROR: src/wolfip.c not found in coverage JSON")
+              sys.exit(1)
+
+          functions = target.get("functions", [])
+          if not functions:
+              print("ERROR: No function coverage data for src/wolfip.c")
+              sys.exit(1)
+
+          total = len(functions)
+          covered = sum(1 for fn in functions if fn.get("execution_count", 0) > 0)
+          pct = (covered * 100.0) / total
+          print(f"src/wolfip.c function coverage: {covered}/{total} ({pct:.2f}%)")
+
+          if covered != total:
+              print("ERROR: src/wolfip.c function coverage must be 100%")
+              sys.exit(1)
+          PY

Makefile

@@ -355,13 +355,21 @@ cov: unit $(COV_UNIT)
 	@gcovr -r . --exclude "src/test/unit/unit.c" --html-details -o build/coverage/index.html
 	@$(OPEN_CMD) build/coverage/index.html
 
+autocov: unit $(COV_UNIT)
+	@echo "[RUN] unit (coverage)"
+	@rm -f $(COV_DIR)/*.gcda
+	@$(COV_UNIT)
+	@echo "[COV] gcovr html"
+	@mkdir -p build/coverage
+	@gcovr -r . --exclude "src/test/unit/unit.c" --html-details -o build/coverage/index.html
+
 # Install dynamic library to re-link linux applications
 #
 install:
 	install libwolfip.so $(PREFIX)/lib
 	ldconfig
 
-.PHONY: clean all static cppcheck cov
+.PHONY: clean all static cppcheck cov autocov
 
 cppcheck:
 	$(CPPCHECK) $(CPPCHECK_FLAGS) src/ 2>cppcheck_results.xml

README.md

@@ -31,7 +31,7 @@ A single network interface can be associated with the device.
 | **Transport** | TCP | Connection management, reliable delivery | [RFC 793](https://datatracker.ietf.org/doc/html/rfc793), [RFC 9293](https://datatracker.ietf.org/doc/html/rfc9293) |
 | **Transport** | TCP | Maximum Segment Size negotiation | [RFC 793](https://datatracker.ietf.org/doc/html/rfc793) |
 | **Transport** | TCP | TCP Timestamps, RTT measurement, PAWS, Window Scaling | [RFC 7323](https://datatracker.ietf.org/doc/html/rfc7323) |
-| **Transport** | TCP | Retransmission timeout (RTO) computation | [RFC 6298](https://datatracker.ietf.org/doc/html/rfc6298) |
+| **Transport** | TCP | Retransmission timeout (RTO) computation | [RFC 6298](https://datatracker.ietf.org/doc/html/rfc6298), [RFC 5681](https://datatracker.ietf.org/doc/html/rfc5681) |
 | **Transport** | TCP | TCP SACK | [RFC 2018](https://datatracker.ietf.org/doc/html/rfc2018), [RFC 2883](https://datatracker.ietf.org/doc/html/rfc2883), [RFC 6675](https://datatracker.ietf.org/doc/html/rfc6675) |
 | **Transport** | TCP | Congestion Control: Slow start, congestion avoidance | [RFC 5681](https://datatracker.ietf.org/doc/html/rfc5681) |
 | **Transport** | TCP | Fast Retransmit, triple duplicate ACK detection | [RFC 5681](https://datatracker.ietf.org/doc/html/rfc5681) |

src/test/esp/test_esp.c

@@ -39,7 +39,7 @@
 
 static void __attribute__((noreturn)) print_usage_and_die(void);
 
-#define TEST_SIZE (12 * 1024)
+#define TEST_SIZE (8 * 1024)
 #define BUFFER_SIZE TEST_SIZE
 
 static int disable_ipsec = 0;