Improvements to patch testing

padelsbach · padelsbach · commit 245a5cd591a9 · 2026-02-05T21:49:53.000-08:00
diff --git a/.github/workflows/jni-patched-ci.yml b/.github/workflows/jni-patched-ci.yml
@@ -22,63 +22,154 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Resolve wolfSSL ref from patch defines
-        id: resolve
+      - name: Install prerequisites
         run: |
-          set -euo pipefail
+          sudo apt-get update
+          sudo apt-get install -y jq curl
 
-          # Find WOLFSSL_PR*_PATCH_APPLIED defines in wolfssl source.
-          defines="$(./scripts/find-wolfssl-pr-patch-defines.sh)"
+      - name: Find patch defines
+        id: find_defines
+        run: |
+          set -euo pipefail
+          defines=""
+          if ! defines="$(./scripts/find-wolfssl-pr-patch-defines.sh)"; then
+            echo "::warning::find-wolfssl-pr-patch-defines.sh failed; skipping patched CI."
+            echo "should_run=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
           if [ -z "$defines" ]; then
             echo "::warning::No WOLFSSL_PR*_PATCH_APPLIED defines found; skipping patched CI."
             echo "should_run=false" >> "$GITHUB_OUTPUT"
             exit 0
           fi
           echo "Found patch defines:"
           printf "%s\n" "$defines"
+          {
+            echo "should_run=true"
+            echo "defines<<EOF"
+            printf "%s\n" "$defines"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Evaluate PR statuses
+        id: eval_prs
+        if: steps.find_defines.outputs.should_run == 'true'
+        run: |
+          set -euo pipefail
 
-          # Find the highest PR number from the defines.
-          pr_number="$(printf "%s\n" "$defines" | sed -E 's/^WOLFSSL_PR([0-9]+)_PATCH_APPLIED$/\1/' | sort -n | tail -1)"
-          if [ -z "$pr_number" ]; then
-            echo "::warning::Failed to derive PR number from patch defines; skipping patched CI."
-            echo "should_run=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          echo "Highest PR number from defines: $pr_number"
+          defines="${{ steps.find_defines.outputs.defines }}"
+          merged_all=true
+          open_count=0
+          open_repo=""
+          open_ref=""
+          open_pr=""
+          has_invalid=false
 
-          # Check PR status via GitHub API.
-          pr_json="$(curl -fsSL "https://api.github.com/repos/wolfSSL/wolfssl/pulls/$pr_number" || true)"
-          if [ -z "$pr_json" ]; then
-            echo "::warning::Unable to fetch PR #$pr_number from GitHub API; skipping patched CI."
-            echo "should_run=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          echo "Fetched PR #$pr_number info from GitHub API."
+          echo "Evaluating patch defines:"
+          printf "%s\n" "$defines"
 
-          state="$(printf "%s" "$pr_json" | jq -r '.state // empty')"
-          merged_at="$(printf "%s" "$pr_json" | jq -r '.merged_at // empty')"
-          head_repo="$(printf "%s" "$pr_json" | jq -r '.head.repo.full_name // empty')"
-          head_ref="$(printf "%s" "$pr_json" | jq -r '.head.ref // empty')"
+          while read -r define; do
+            define="$(printf "%s" "$define" | tr -d '\r' | xargs)"
+            [ -z "$define" ] && continue
+            pr_number="$(printf "%s" "$define" | sed -E 's/^WOLFSSL_PR([0-9]+)_PATCH_APPLIED$/\1/')"
+            if [ -z "$pr_number" ] || [ "$pr_number" = "$define" ]; then
+              echo "::warning::Failed to derive PR number from define $define; skipping patched CI."
+              echo "should_run=false" >> "$GITHUB_OUTPUT"
+              exit 0
+            fi
+
+            fork_ref_status=""
+            if ! fork_ref_status="$(./scripts/find-pr-fork-branch.sh "$pr_number" --repo wolfSSL/wolfssl)"; then
+              echo "::warning::find-pr-fork-branch.sh failed for PR #$pr_number; skipping patched CI."
+              echo "should_run=false" >> "$GITHUB_OUTPUT"
+              exit 0
+            fi
+            echo "PR #$pr_number raw status: [$fork_ref_status]"
+            if [ -z "$fork_ref_status" ]; then
+              echo "::warning::Unable to resolve PR #$pr_number fork/branch; skipping patched CI."
+              echo "should_run=false" >> "$GITHUB_OUTPUT"
+              exit 0
+            fi
+
+            fork_ref="$(printf "%s" "$fork_ref_status" | sed -E 's/ \\([^)]*\\)$//')"
+            pr_status_raw="$(printf "%s" "$fork_ref_status" | sed -E 's/^.* \\(([^)]*)\\)$/\\1/')"
+            pr_status="$(printf "%s" "$pr_status_raw" | tr -d '\r' | tr '[:upper:]' '[:lower:]' | xargs)"
+            echo "PR #$pr_number parsed status: [$pr_status]"
+
+            head_repo="${fork_ref%/*}"
+            head_ref="${fork_ref#*/}"
+            if [ -z "$head_repo" ] || [ -z "$head_ref" ] || [ "$head_repo" = "$head_ref" ]; then
+              echo "::warning::Malformed fork/branch from helper script; skipping patched CI."
+              echo "should_run=false" >> "$GITHUB_OUTPUT"
+              exit 0
+            fi
+
+            case "$pr_status" in
+              merged|closed)
+                if [ "$pr_status" = "closed" ]; then
+                  echo "::warning::PR #$pr_number reports status 'closed'; treating as merged since a patch define exists."
+                fi
+                continue
+                ;;
+              open)
+                merged_all=false
+                open_count=$((open_count + 1))
+                open_repo="$head_repo"
+                open_ref="$head_ref"
+                open_pr="$pr_number"
+                ;;
+              *)
+                echo "::warning::Unknown PR status '$pr_status' for #$pr_number (raw: $fork_ref_status); skipping patched CI."
+                merged_all=false
+                has_invalid=true
+                ;;
+            esac
+          done <<EOF
+          $defines
+          EOF
+
+          {
+            echo "MERGED_ALL=$merged_all"
+            echo "OPEN_COUNT=$open_count"
+            echo "OPEN_REPO=$open_repo"
+            echo "OPEN_REF=$open_ref"
+            echo "OPEN_PR=$open_pr"
+            echo "HAS_INVALID=$has_invalid"
+          } >> "$GITHUB_ENV"
+
+          echo "should_run=true" >> "$GITHUB_OUTPUT"
 
-          if [ -n "$merged_at" ]; then
-            echo "PR #$pr_number is merged; using wolfSSL master branch."
+      - name: Resolve wolfSSL ref from patch defines
+        id: resolve
+        if: steps.find_defines.outputs.should_run == 'true' && steps.eval_prs.outputs.should_run == 'true'
+        run: |
+          set -euo pipefail
+
+          if [ "${MERGED_ALL}" = "true" ]; then
+            echo "All PRs are merged; using wolfSSL master branch."
             echo "should_run=true" >> "$GITHUB_OUTPUT"
             echo "wolfssl_repo=wolfSSL/wolfssl" >> "$GITHUB_OUTPUT"
             echo "wolfssl_ref=master" >> "$GITHUB_OUTPUT"
-            echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
+            echo "pr_number=all" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          if [ "${HAS_INVALID}" = "true" ]; then
+            echo "::warning::One or more PRs are not merged or open; skipping patched CI."
+            echo "should_run=false" >> "$GITHUB_OUTPUT"
             exit 0
           fi
 
-          if [ "$state" = "open" ] && [ -n "$head_repo" ] && [ -n "$head_ref" ]; then
+          if [ "${OPEN_COUNT}" -eq 1 ]; then
             echo "should_run=true" >> "$GITHUB_OUTPUT"
-            echo "wolfssl_repo=$head_repo" >> "$GITHUB_OUTPUT"
-            echo "wolfssl_ref=$head_ref" >> "$GITHUB_OUTPUT"
-            echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
-            echo "PR #$pr_number is open; using branch $head_ref from repo $head_repo."
+            echo "wolfssl_repo=${OPEN_REPO}" >> "$GITHUB_OUTPUT"
+            echo "wolfssl_ref=${OPEN_REF}" >> "$GITHUB_OUTPUT"
+            echo "pr_number=${OPEN_PR}" >> "$GITHUB_OUTPUT"
+            echo "Exactly one PR is open (#${OPEN_PR}); using branch ${OPEN_REF} from repo ${OPEN_REPO}."
             exit 0
           fi
 
-          echo "::warning::PR #$pr_number is not merged or has no accessible branch; skipping patched CI."
+          echo "::warning::Multiple open PRs found; skipping patched CI."
           echo "should_run=false" >> "$GITHUB_OUTPUT"
 
   patched_jni_build:
@@ -126,10 +217,9 @@ jobs:
         run: |
           echo "LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib" >> "$GITHUB_ENV"
 
-      - name: Build and test JNI library with all patches
+      - name: Build and test JNI library with all patches enabled
         run: |
-          make all-patched PREFIX=$GITHUB_WORKSPACE/build-dir
-          make check
+          make build check PREFIX=$GITHUB_WORKSPACE/build-dir ENABLE_PATCHES=1
 
       - name: Show logs on failure
         if: failure() || cancelled()
diff --git a/IDE/Android/app/src/main/cpp/CMakeLists.txt b/IDE/Android/app/src/main/cpp/CMakeLists.txt
@@ -252,8 +252,14 @@ aux_source_directory(${wolfssl_DIR}/src TLS_SOURCES)
 list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/bio.c)
 list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/conf.c)
 list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/pk.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/pk_ec.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/pk_rsa.c)
 list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_bn.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_api_cert.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_api_crl_ocsp.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_api_pk.c)
 list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_asn1.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_ech.c)
 list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_certman.c)
 list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_crypto.c)
 list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_load.c)
@@ -268,6 +274,7 @@ if ("${WOLFSSL_PKG_TYPE}" MATCHES "normal")
         # Add crypto sources to CRYPTO_SOURCES, remove files that are included inline by other files
         aux_source_directory(${wolfssl_DIR}/wolfcrypt/src CRYPTO_SOURCES)
         list(REMOVE_ITEM CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/evp.c)
+        list(REMOVE_ITEM CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/evp_pk.c)
         list(REMOVE_ITEM CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/misc.c)
 
 elseif("${WOLFSSL_PKG_TYPE}" MATCHES "fipsready")
diff --git a/Makefile b/Makefile
@@ -21,7 +21,18 @@ endif
 all: build
 
 build: java.sh build.xml
-	./java.sh $(INSTALL_DIR)
+	@cflags=""; \
+	if [ "$(ENABLE_PATCHES)" = "1" ]; then \
+		defines="$$(./scripts/find-wolfssl-pr-patch-defines.sh)"; \
+		if [ -z "$$defines" ]; then \
+			echo "warning: no WOLFSSL_PR*_PATCH_APPLIED defines found; building without patches"; \
+		else \
+			for define in $$defines; do \
+				cflags="$$cflags -D$$define"; \
+			done; \
+		fi; \
+	fi; \
+	CFLAGS="$$cflags" ./java.sh $(INSTALL_DIR); \
 	ant
 
 check: build
@@ -30,21 +41,6 @@ check: build
 clean:
 	ant clean cleanjni
 
-# Enable all WOLFSSL_PR*_PATCH_APPLIED defines when building JNI.
-# Requires latest/recent wolfssl source with patches applied. This is not
-# detected automatically.
-all-patched:
-	@defines="$$(./scripts/find-wolfssl-pr-patch-defines.sh)"; \
-	if [ -z "$$defines" ]; then \
-		echo "warning: no WOLFSSL_PR*_PATCH_APPLIED defines found; skipping all-patched"; \
-		exit 0; \
-	fi; \
-	cflags=""; \
-	for define in $$defines; do \
-		cflags="$$cflags -D$$define"; \
-	done; \
-	CFLAGS="$$cflags" ./java.sh $(INSTALL_DIR); \
-	ant
 
 install:
 	$(INSTALL) -d $(INSTALL_DIR)/$(LIBDIR)
diff --git a/scripts/find-pr-fork-branch.sh b/scripts/find-pr-fork-branch.sh
@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+
+# Given a PR number, print the originating fork (repo full_name) and branch.
+# Default repo is wolfSSL/wolfssl. Override with --repo owner/name.
+
+set -euo pipefail
+
+usage() {
+  cat <<'EOF'
+Usage: scripts/find-pr-fork-branch.sh <pr_number> [--repo owner/name]
+
+Outputs:
+  <fork_full_name>/<branch_name> (<open|closed|merged|unknown>)
+
+Example:
+  scripts/find-pr-fork-branch.sh 9631
+  scripts/find-pr-fork-branch.sh 9631 --repo wolfSSL/wolfssl
+EOF
+}
+
+if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
+  usage
+  exit 0
+fi
+
+if [ -z "${1:-}" ]; then
+  usage
+  exit 2
+fi
+
+pr_number="$1"
+shift
+
+repo="wolfSSL/wolfssl"
+if [ "${1:-}" = "--repo" ]; then
+  if [ -z "${2:-}" ]; then
+    echo "error: --repo requires owner/name" >&2
+    exit 2
+  fi
+  repo="$2"
+  shift 2
+fi
+
+if [ -n "${1:-}" ]; then
+  echo "error: unexpected argument: $1" >&2
+  exit 2
+fi
+
+if ! command -v jq >/dev/null 2>&1; then
+  echo "error: jq is required but not installed" >&2
+  exit 127
+fi
+
+pr_json="$(curl -fsSL "https://api.github.com/repos/${repo}/pulls/${pr_number}" || true)"
+if [ -z "$pr_json" ]; then
+  echo "error: failed to fetch PR #${pr_number} from ${repo}" >&2
+  exit 1
+fi
+
+head_repo="$(printf "%s" "$pr_json" | jq -r '.head.repo.full_name // empty')"
+head_ref="$(printf "%s" "$pr_json" | jq -r '.head.ref // empty')"
+state="$(printf "%s" "$pr_json" | jq -r '.state // empty')"
+merged_at="$(printf "%s" "$pr_json" | jq -r '.merged_at // empty')"
+
+if [ -z "$head_repo" ] || [ -z "$head_ref" ]; then
+  echo "error: PR #${pr_number} missing head repo/ref data" >&2
+  exit 1
+fi
+
+status="$state"
+if [ -n "$merged_at" ]; then
+  status="merged"
+fi
+
+if [ -z "$status" ]; then
+  status="unknown"
+fi
+
+echo "${head_repo}/${head_ref} (${status})"
