name: hostap and wpa supplicant Tests

# START OF COMMON SECTION
# Triggers: pushes to the long-lived branches, and pull requests.
# NOTE(review): in GitHub's filter syntax '*' does not match a '/' in a branch
# name, so pull requests that target release/** branches are not selected by
# the pull_request filter below - confirm that is intended.
on:
  push:
    branches:
      - 'master'
      - 'main'
      - 'release/**'
  pull_request:
    branches:
      - '*'

# One active run per workflow and ref; a newer run cancels the one in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
# END OF COMMON SECTION
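jobs:
  # Builds the wolfSSL / OpenSSL / wolfProvider Debian packages through the
  # repository's reusable workflow; test_hostap downloads them as an artifact.
  build_wolfprovider:
    uses: ./.github/workflows/build-wolfprovider.yml
    with:
      wolfssl_ref: ${{ matrix.wolfssl_ref }}
      openssl_ref: ${{ matrix.openssl_ref }}
      fips_ref: ${{ matrix.fips_ref }}
      replace_default: ${{ matrix.replace_default }}
    strategy:
      matrix:
        wolfssl_ref: ['v5.8.4-stable']
        openssl_ref: ['openssl-3.5.4']
        fips_ref: ['FIPS', 'non-FIPS']
        replace_default: [true]

  # Builds hostapd / wpa_supplicant against the packaged OpenSSL + wolfProvider
  # and runs a small set of hwsim tests under User Mode Linux.
  test_hostap:
    runs-on: ubuntu-22.04
    needs: build_wolfprovider
    # The job only reads repositories and same-run artifacts, so the workflow
    # token is limited to read access. This matters here because the job
    # executes code fetched at run time inside a privileged container.
    permissions:
      contents: read
    # Run inside Debian Bookworm with privileged access for UML.
    # --privileged together with the /dev bind mount removes the container
    # boundary towards the runner, so this job relies entirely on the runner
    # being an ephemeral GitHub-hosted VM. Do not move it to a persistent or
    # self-hosted runner, and do not expose secrets to it, without revisiting
    # these options.
    container:
      image: debian:bookworm
      options: --privileged --cap-add=ALL -v /dev:/dev
      env:
        DEBIAN_FRONTEND: noninteractive
    # This should be a safe limit for the tests to run.
    timeout-minutes: 90
    strategy:
      matrix:
        # hostap_ref only selects the patch file name below; the clone itself
        # takes whatever the upstream default branch currently points at.
        hostap_ref: ['main']
        wolfssl_ref: ['v5.8.4-stable']
        openssl_ref: ['openssl-3.5.4']
        # '' = normal run; WOLFPROV_FORCE_FAIL=1 = negative run, in which the
        # tests are expected to fail (see "Run focused tests").
        force_fail: ['WOLFPROV_FORCE_FAIL=1', '']
        fips_ref: ['FIPS', 'non-FIPS']
        replace_default: [true]
    env:
      WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages
      OPENSSL_PACKAGES_PATH: /tmp/openssl-packages
      WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages
    steps:
      # Checkout the source; scripts/verify-install.sh is run from it below.
      - name: Checkout wolfProvider
        uses: actions/checkout@v4
        with:
          fetch-depth: 1
          # No later step pushes or fetches with the token, so do not leave it
          # in the work tree where the built and executed code could read it.
          persist-credentials: false

      - name: Download packages from build job
        uses: actions/download-artifact@v4
        with:
          name: debian-packages-${{ matrix.fips_ref }}${{ matrix.replace_default && '-replace-default' || '' }}-${{ matrix.wolfssl_ref }}-${{ matrix.openssl_ref }}
          path: /tmp

      # Installs the .deb files produced by build_wolfprovider in this run.
      - name: Install wolfSSL/OpenSSL/wolfprov packages
        run: |
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            ${{ env.WOLFSSL_PACKAGES_PATH }}/libwolfssl_*.deb
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            ${{ env.OPENSSL_PACKAGES_PATH }}/openssl_*.deb \
            ${{ env.OPENSSL_PACKAGES_PATH }}/libssl3_*.deb \
            ${{ env.OPENSSL_PACKAGES_PATH }}/libssl-dev_*.deb
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb

      - name: Show OpenSSL version
        run: |
          echo "OpenSSL version:"
          openssl version -a || true

      - name: Test OpenSSL providers before hostap installation
        run: |
          echo "Testing OpenSSL providers before hostap installation..."
          openssl list -providers

      - name: Verify wolfProvider is properly installed
        run: |
          $GITHUB_WORKSPACE/scripts/verify-install.sh \
            ${{ matrix.replace_default && '--replace-default' || '' }} \
            ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }}

      # NOTE(review): the pip install of cryptography is unpinned, so the
      # version under test changes with upstream releases.
      - name: Install hostap dependencies
        run: |
          apt-get update
          apt-get install -y libpcap0.8 libpcap-dev curl libcurl4-openssl-dev \
            libnl-3-dev binutils-dev libiberty-dev libnl-genl-3-dev libnl-route-3-dev \
            libdbus-1-dev bridge-utils tshark python3-pycryptodome libsqlite3-dev \
            libzstd1 wireless-tools iw build-essential autoconf automake libtool \
            pkg-config git wget ca-certificates flex bison bc libxml2-dev zlib1g-dev \
            python3-pip psmisc iproute2 procps net-tools systemd kmod wireless-regdb
          apt-get remove -y python3-cryptography 2>/dev/null || true
          pip install --no-cache-dir --force-reinstall --break-system-packages cryptography

      # NOTE(review): the clone is not pinned to a commit, and the later sed
      # step inserts text at a fixed line number of vm/inside.sh. An upstream
      # change to that file would move the insertion point without any error;
      # pinning a known-good commit would make failures attributable.
      - name: Checkout hostap
        run: |
          test -d hostap || git clone https://w1.fi/hostap.git
          cd hostap/tests/hwsim/vm && git checkout inside.sh 2>/dev/null || true

      - name: Checkout OSP
        uses: actions/checkout@v4
        with:
          repository: wolfssl/osp
          path: osp
          fetch-depth: 1
          persist-credentials: false

      - name: Apply hostap patches for wolfProvider
        run: |
          cd hostap
          patch -p1 < "$GITHUB_WORKSPACE/osp/wolfProvider/hostap/hostap-${{ matrix.hostap_ref }}-wolfprov.patch"

      # NOTE(review): tracks the moving 'master' ref of the kernel tree, so the
      # UML kernel differs from run to run.
      - name: Checkout linux
        uses: actions/checkout@v4
        with:
          repository: torvalds/linux
          path: linux
          ref: master
          persist-credentials: false

      # Builds a User Mode Linux kernel with hostap's UML config; 'yes ""'
      # accepts the default for every new config prompt.
      - name: Compile linux
        run: |
          cp $GITHUB_WORKSPACE/hostap/tests/hwsim/vm/kernel-config.uml linux/.config
          cd linux
          yes "" | ARCH=um make -j $(nproc)

      # Appends OpenSSL include/library settings to both example build configs.
      - name: Update config
        working-directory: hostap/tests/hwsim
        run: |
          cat << EOF >> example-hostapd.config
          CFLAGS += -I/usr/include/openssl
          LDFLAGS += -L/usr/lib/x86_64-linux-gnu
          LIBS += -lssl -lcrypto
          EOF
          cat << EOF >> example-wpa_supplicant.config
          CFLAGS += -I/usr/include/openssl
          LDFLAGS += -L/usr/lib/x86_64-linux-gnu
          LIBS += -lssl -lcrypto
          EOF

      # Restores vm/inside.sh and inserts, after its line 115, a stub halt
      # script plus the OpenSSL environment (module path, config file) that the
      # tests run with. Everything between the ENVEOF markers is inserted
      # verbatim, so it must stay free of workflow commentary.
      - name: Setup non-WPFF environment
        working-directory: hostap/tests/hwsim
        if: matrix.force_fail == ''
        run: |
          cd vm && git checkout inside.sh 2>/dev/null || true && cd ..
          sed -i '115 r /dev/stdin' vm/inside.sh <<'ENVEOF'
          cat > /tmp/bin/halt << 'HALTEOF'
          #!/bin/sh
          sync
          exit 0
          HALTEOF
          chmod +x /tmp/bin/halt
          OPENSSL_MODULES_PATH=$(find /usr -name "libwolfprov.so" -exec dirname {} \; 2>/dev/null | head -1)
          [ -n "$OPENSSL_MODULES_PATH" ] && export OPENSSL_MODULES="$OPENSSL_MODULES_PATH"
          export OPENSSL_CONF="/etc/ssl/openssl.cnf"
          export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
          ENVEOF

      # Same insertion as the non-WPFF step, with WOLFPROV_FORCE_FAIL=1
      # exported as well.
      - name: Setup WPFF environment
        working-directory: hostap/tests/hwsim
        if: matrix.force_fail == 'WOLFPROV_FORCE_FAIL=1'
        run: |
          cd vm && git checkout inside.sh 2>/dev/null || true && cd ..
          sed -i '115 r /dev/stdin' vm/inside.sh <<'ENVEOF'
          cat > /tmp/bin/halt << 'HALTEOF'
          #!/bin/sh
          sync
          exit 0
          HALTEOF
          chmod +x /tmp/bin/halt
          OPENSSL_MODULES_PATH=$(find /usr -name "libwolfprov.so" -exec dirname {} \; 2>/dev/null | head -1)
          [ -n "$OPENSSL_MODULES_PATH" ] && export OPENSSL_MODULES="$OPENSSL_MODULES_PATH"
          export OPENSSL_CONF="/etc/ssl/openssl.cnf"
          export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
          export WOLFPROV_FORCE_FAIL=1
          ENVEOF

      - name: Update certs
        working-directory: hostap/tests/hwsim/auth_serv
        run: ./update.sh

      - name: Build hostap and wpa_supplicant
        working-directory: hostap/tests/hwsim/
        run: ./build.sh

      # Fails the job if either binary has no libssl dependency.
      - name: Verify openssl binaries linked
        working-directory: hostap
        run: |
          ldd hostapd/hostapd | grep ssl
          ldd wpa_supplicant/wpa_supplicant | grep ssl

      # This step evaluates the results itself and is the only gate in the job.
      # It previously carried `continue-on-error: true` with no later step
      # reading its outcome, so its `exit 1` paths could never fail the job;
      # that key is removed so a failed or unexpectedly passing run turns the
      # job red.
      #
      # NOTE(review): two properties of the evaluation below weaken the signal:
      #  - a non-zero exit (including a `timeout` kill) is reset to success
      #    when the logs hold a NOT-FOUND line and no "Failed:" line;
      #  - the force-fail leg accepts any failure, so a broken harness
      #    satisfies it as well. It is only meaningful alongside a passing
      #    normal leg of the same matrix.
      - name: Run focused tests
        id: testing
        working-directory: hostap/tests/hwsim/
        run: |
          set +e
          echo "KERNELDIR=$GITHUB_WORKSPACE/linux" >> vm/vm-config
          # Run smoke tests
          SMOKE_TESTS="ap_open ap_wpa2_psk discovery"
          timeout 3m ./vm/parallel-vm.py --nocurses $(nproc) $SMOKE_TESTS || SMOKE_RES=$?
          # Run EAP tests (excluding MSCHAPv2 - requires MD4/DES not in wolfSSL)
          TLS_EAP_TESTS="ap_wpa2_eap_tls ap_wpa2_eap_ttls_eap_gtc ap_wpa2_eap_peap_eap_tls"
          timeout 5m ./vm/parallel-vm.py --nocurses $(nproc) $TLS_EAP_TESTS || TLS_RES=$?
          # Evaluate results
          FINAL_RES=0
          if [ "${SMOKE_RES:-0}" -ne "0" ] || [ "${TLS_RES:-0}" -ne "0" ]; then
            FINAL_RES=1
          fi
          # Check for connection failures (common with WOLFPROV_FORCE_FAIL)
          WPA_CONNECT_FAILS=$(grep -h "Could not connect to /tmp/wpas" /tmp/hwsim-test-logs/*-parallel.log 2>/dev/null | wc -l || echo "0")
          # Ignore NOT-FOUND errors (test files missing/require special params)
          NOT_FOUND=$(grep -h "NOT-FOUND" /tmp/hwsim-test-logs/*-parallel.log 2>/dev/null | wc -l || echo "0")
          REAL_FAILS=$(grep -h "Failed:" /tmp/hwsim-test-logs/*-parallel.log 2>/dev/null | grep -v "NOT-FOUND" | wc -l || echo "0")
          if [ "$FINAL_RES" -ne "0" ] && [ "$REAL_FAILS" -eq "0" ] && [ "$NOT_FOUND" -gt "0" ]; then
            FINAL_RES=0
          fi
          # Check results based on test mode
          if [ "${{ matrix.force_fail }}" = "WOLFPROV_FORCE_FAIL=1" ]; then
            # With force fail, we expect failures or connection issues
            if [ $FINAL_RES -ne 0 ] || [ "$WPA_CONNECT_FAILS" -gt "0" ]; then
              echo "✓ EXPECTED: Tests failed/crashed with WOLFPROV_FORCE_FAIL=1"
              exit 0
            else
              echo "✗ UNEXPECTED: Tests passed with WOLFPROV_FORCE_FAIL=1"
              exit 1
            fi
          else
            if [ $FINAL_RES -eq 0 ]; then
              echo "✓ SUCCESS: wolfProvider tests passed"
              exit 0
            else
              echo "✗ FAILURE: wolfProvider tests failed"
              exit 1
            fi
          fi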