Improvements to patch testing

Author: padelsbach

.github/workflows/jni-patched-ci.yml

@@ -15,71 +15,109 @@ jobs:
   resolve_wolfssl_ref:
     runs-on: ubuntu-latest
     outputs:
-      should_run: ${{ steps.resolve.outputs.should_run }}
-      wolfssl_repo: ${{ steps.resolve.outputs.wolfssl_repo }}
-      wolfssl_ref: ${{ steps.resolve.outputs.wolfssl_ref }}
-      pr_number: ${{ steps.resolve.outputs.pr_number }}
+      should_run: ${{ steps.eval_prs.outputs.should_run }}
+      wolfssl_repo: ${{ steps.eval_prs.outputs.wolfssl_repo }}
+      wolfssl_ref: ${{ steps.eval_prs.outputs.wolfssl_ref }}
     steps:
       - uses: actions/checkout@v4
 
-      - name: Resolve wolfSSL ref from patch defines
-        id: resolve
+      - name: Install prerequisites
         run: |
-          set -euo pipefail
+          sudo apt-get update
+          sudo apt-get install -y jq curl
 
-          # Find WOLFSSL_PR*_PATCH_APPLIED defines in wolfssl source.
-          defines="$(./scripts/find-wolfssl-pr-patch-defines.sh)"
+      - name: Find patch defines
+        id: find_defines
+        run: |
+          set -euo pipefail
+          defines=""
+          if ! defines="$(./scripts/find-wolfssl-pr-patch-defines.sh)"; then
+            echo "::warning::find-wolfssl-pr-patch-defines.sh failed; skipping patched CI."
+            echo "should_run=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
           if [ -z "$defines" ]; then
             echo "::warning::No WOLFSSL_PR*_PATCH_APPLIED defines found; skipping patched CI."
             echo "should_run=false" >> "$GITHUB_OUTPUT"
             exit 0
           fi
           echo "Found patch defines:"
           printf "%s\n" "$defines"
+          {
+            echo "should_run=true"
+            echo "defines<<EOF"
+            printf "%s\n" "$defines"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Evaluate PR statuses
+        id: eval_prs
+        if: steps.find_defines.outputs.should_run == 'true'
+        run: |
+          set -euo pipefail
 
-          # Find the highest PR number from the defines.
-          pr_number="$(printf "%s\n" "$defines" | sed -E 's/^WOLFSSL_PR([0-9]+)_PATCH_APPLIED$/\1/' | sort -n | tail -1)"
-          if [ -z "$pr_number" ]; then
-            echo "::warning::Failed to derive PR number from patch defines; skipping patched CI."
-            echo "should_run=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          echo "Highest PR number from defines: $pr_number"
-
-          # Check PR status via GitHub API.
-          pr_json="$(curl -fsSL "https://api.github.com/repos/wolfSSL/wolfssl/pulls/$pr_number" || true)"
-          if [ -z "$pr_json" ]; then
-            echo "::warning::Unable to fetch PR #$pr_number from GitHub API; skipping patched CI."
-            echo "should_run=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          echo "Fetched PR #$pr_number info from GitHub API."
-
-          state="$(printf "%s" "$pr_json" | jq -r '.state // empty')"
-          merged_at="$(printf "%s" "$pr_json" | jq -r '.merged_at // empty')"
-          head_repo="$(printf "%s" "$pr_json" | jq -r '.head.repo.full_name // empty')"
-          head_ref="$(printf "%s" "$pr_json" | jq -r '.head.ref // empty')"
-
-          if [ -n "$merged_at" ]; then
-            echo "PR #$pr_number is merged; using wolfSSL master branch."
-            echo "should_run=true" >> "$GITHUB_OUTPUT"
-            echo "wolfssl_repo=wolfSSL/wolfssl" >> "$GITHUB_OUTPUT"
-            echo "wolfssl_ref=master" >> "$GITHUB_OUTPUT"
-            echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
+          defines="${{ steps.find_defines.outputs.defines }}"
+          should_run=true
+          wolfssl_repo="wolfSSL/wolfssl"
+          wolfssl_ref="master"
+          found_open=false
 
-          if [ "$state" = "open" ] && [ -n "$head_repo" ] && [ -n "$head_ref" ]; then
-            echo "should_run=true" >> "$GITHUB_OUTPUT"
-            echo "wolfssl_repo=$head_repo" >> "$GITHUB_OUTPUT"
-            echo "wolfssl_ref=$head_ref" >> "$GITHUB_OUTPUT"
-            echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
-            echo "PR #$pr_number is open; using branch $head_ref from repo $head_repo."
-            exit 0
-          fi
+          echo "Evaluating patch defines:"
+          printf "%s\n" "$defines"
 
-          echo "::warning::PR #$pr_number is not merged or has no accessible branch; skipping patched CI."
-          echo "should_run=false" >> "$GITHUB_OUTPUT"
+          while read -r define; do
+            define="$(printf "%s" "$define" | tr -d '\r' | xargs)"
+            [ -z "$define" ] && continue
+            pr_number="$(printf "%s" "$define" | sed -E 's/^WOLFSSL_PR([0-9]+)_PATCH_APPLIED$/\1/')"
+            if [ -z "$pr_number" ] || [ "$pr_number" = "$define" ]; then
+              echo "::warning::Failed to derive PR number from define $define; skipping patched CI."
+              echo "should_run=false" >> "$GITHUB_OUTPUT"
+              exit 0
+            fi
+
+            fork_ref_status=""
+            if ! fork_ref_status="$(./scripts/find-pr-fork-branch.sh "$pr_number" --repo wolfSSL/wolfssl)"; then
+              echo "::warning::find-pr-fork-branch.sh failed for PR #$pr_number; skipping patched CI."
+              echo "should_run=false" >> "$GITHUB_OUTPUT"
+              exit 0
+            fi
+            if [ -z "$fork_ref_status" ]; then
+              echo "::warning::Unable to resolve PR #$pr_number fork/branch; skipping patched CI."
+              echo "should_run=false" >> "$GITHUB_OUTPUT"
+              exit 0
+            fi
+            echo "PR #$pr_number raw status: [$fork_ref_status]"
+
+            case "$fork_ref_status" in
+              *" (merged)")
+                continue
+                ;;
+              *" (open)")
+                if [ "$found_open" = "false" ]; then
+                  full_ref="${fork_ref_status%% *}"
+                  wolfssl_repo="${full_ref%/*}"
+                  wolfssl_ref="${full_ref##*/}"
+                  found_open=true
+                  echo "PR #$pr_number is open; using fork ref $wolfssl_repo/$wolfssl_ref for wolfSSL source"
+                else
+                  echo "::warning::Found multiple PRs with patch defines; unable to determine which one to use; skipping patched CI."
+                  should_run=false
+                  break
+                fi
+                ;;
+              *)
+                echo "::warning::PR #$pr_number is in unexpected state: $fork_ref_status; skipping patched CI."
+                should_run=false
+                break
+                ;;
+            esac
+          done <<EOF
+          $defines
+          EOF
+
+          echo "should_run=$should_run" >> "$GITHUB_OUTPUT"
+          echo "wolfssl_repo=$wolfssl_repo" >> "$GITHUB_OUTPUT"
+          echo "wolfssl_ref=$wolfssl_ref" >> "$GITHUB_OUTPUT"
 
   patched_jni_build:
     needs: resolve_wolfssl_ref
@@ -126,10 +164,9 @@ jobs:
         run: |
           echo "LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib" >> "$GITHUB_ENV"
 
-      - name: Build and test JNI library with all patches
+      - name: Build and test JNI library with all patches enabled
         run: |
-          make all-patched PREFIX=$GITHUB_WORKSPACE/build-dir
-          make check
+          make build check PREFIX=$GITHUB_WORKSPACE/build-dir ENABLE_PATCHES=1
 
       - name: Show logs on failure
         if: failure() || cancelled()

IDE/Android/app/src/main/cpp/CMakeLists.txt

@@ -252,8 +252,14 @@ aux_source_directory(${wolfssl_DIR}/src TLS_SOURCES)
 list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/bio.c)
 list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/conf.c)
 list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/pk.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/pk_ec.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/pk_rsa.c)
 list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_bn.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_api_cert.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_api_crl_ocsp.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_api_pk.c)
 list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_asn1.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_ech.c)
 list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_certman.c)
 list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_crypto.c)
 list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_load.c)
@@ -268,6 +274,7 @@ if ("${WOLFSSL_PKG_TYPE}" MATCHES "normal")
         # Add crypto sources to CRYPTO_SOURCES, remove files that are included inline by other files
         aux_source_directory(${wolfssl_DIR}/wolfcrypt/src CRYPTO_SOURCES)
         list(REMOVE_ITEM CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/evp.c)
+        list(REMOVE_ITEM CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/evp_pk.c)
         list(REMOVE_ITEM CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/misc.c)
 
 elseif("${WOLFSSL_PKG_TYPE}" MATCHES "fipsready")

Makefile

@@ -21,7 +21,18 @@ endif
 all: build
 
 build: java.sh build.xml
-	./java.sh $(INSTALL_DIR)
+	@cflags=""; \
+	if [ "$(ENABLE_PATCHES)" = "1" ]; then \
+		defines="$$(./scripts/find-wolfssl-pr-patch-defines.sh)"; \
+		if [ -z "$$defines" ]; then \
+			echo "warning: no WOLFSSL_PR*_PATCH_APPLIED defines found; building without patches"; \
+		else \
+			for define in $$defines; do \
+				cflags="$$cflags -D$$define"; \
+			done; \
+		fi; \
+	fi; \
+	CFLAGS="$$cflags" ./java.sh $(INSTALL_DIR); \
 	ant
 
 check: build
@@ -30,21 +41,6 @@ check: build
 clean:
 	ant clean cleanjni
 
-# Enable all WOLFSSL_PR*_PATCH_APPLIED defines when building JNI.
-# Requires latest/recent wolfssl source with patches applied. This is not
-# detected automatically.
-all-patched:
-	@defines="$$(./scripts/find-wolfssl-pr-patch-defines.sh)"; \
-	if [ -z "$$defines" ]; then \
-		echo "warning: no WOLFSSL_PR*_PATCH_APPLIED defines found; skipping all-patched"; \
-		exit 0; \
-	fi; \
-	cflags=""; \
-	for define in $$defines; do \
-		cflags="$$cflags -D$$define"; \
-	done; \
-	CFLAGS="$$cflags" ./java.sh $(INSTALL_DIR); \
-	ant
 
 install:
 	$(INSTALL) -d $(INSTALL_DIR)/$(LIBDIR)

scripts/find-pr-fork-branch.sh

@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+
+# Given a PR number, print the originating fork (repo full_name) and branch.
+# Default repo is wolfSSL/wolfssl. Override with --repo owner/name.
+
+set -euo pipefail
+
+usage() {
+  cat <<'EOF'
+Usage: scripts/find-pr-fork-branch.sh <pr_number> [--repo owner/name]
+
+Outputs:
+  <fork_full_name>/<branch_name> (<open|closed|merged|unknown>)
+
+Example:
+  scripts/find-pr-fork-branch.sh 9631
+  scripts/find-pr-fork-branch.sh 9631 --repo wolfSSL/wolfssl
+EOF
+}
+
+if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
+  usage
+  exit 0
+fi
+
+if [ -z "${1:-}" ]; then
+  usage
+  exit 2
+fi
+
+pr_number="$1"
+shift
+
+repo="wolfSSL/wolfssl"
+if [ "${1:-}" = "--repo" ]; then
+  if [ -z "${2:-}" ]; then
+    echo "error: --repo requires owner/name" >&2
+    exit 2
+  fi
+  repo="$2"
+  shift 2
+fi
+
+if [ -n "${1:-}" ]; then
+  echo "error: unexpected argument: $1" >&2
+  exit 2
+fi
+
+if ! command -v jq >/dev/null 2>&1; then
+  echo "error: jq is required but not installed" >&2
+  exit 127
+fi
+
+pr_json="$(curl -fsSL "https://api.github.com/repos/${repo}/pulls/${pr_number}" || true)"
+if [ -z "$pr_json" ]; then
+  echo "error: failed to fetch PR #${pr_number} from ${repo}" >&2
+  exit 1
+fi
+
+head_repo="$(printf "%s" "$pr_json" | jq -r '.head.repo.full_name // empty')"
+head_ref="$(printf "%s" "$pr_json" | jq -r '.head.ref // empty')"
+state="$(printf "%s" "$pr_json" | jq -r '.state // empty')"
+merged_at="$(printf "%s" "$pr_json" | jq -r '.merged_at // empty')"
+
+if [ -z "$head_repo" ] || [ -z "$head_ref" ]; then
+  echo "error: PR #${pr_number} missing head repo/ref data" >&2
+  exit 1
+fi
+
+status="$state"
+if [ -n "$merged_at" ]; then
+  status="merged"
+fi
+
+if [ -z "$status" ]; then
+  status="unknown"
+fi
+
+echo "${head_repo}/${head_ref} (${status})"