wolfSSL · padelsbach · May 1, 2026
diff --git a/.github/workflows/build-and-test-refactor.yml b/.github/workflows/build-and-test-refactor.yml
@@ -0,0 +1,97 @@
+name: Build and Test Refactor
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    # List host CPU info
+    - name: Host CPU info
+      run: cat /proc/cpuinfo
+
+    # List compiler version
+    - name: List compiler version
+      run: gcc --version
+
+    # pull and build wolfssl
+    - name: Checkout wolfssl
+      uses: actions/checkout@v4
+      with:
+        repository: wolfssl/wolfssl
+        path: wolfssl
+
+    # Build and test standard build
+    - name: Build and test refactor
+      run: cd test-refactor/posix && make clean && make -j WOLFSSL_DIR=../../wolfssl && make run
+
+    # Build and test standard build, with DMA and ASAN enabled
+    - name: Build and test refactor DMA ASAN
+      run: cd test-refactor/posix && make clean && make -j DMA=1 ASAN=1 WOLFSSL_DIR=../../wolfssl && make run
+
+    # Build and test ASAN build, with wolfCrypt tests enabled.
+    - name: Build and test refactor ASAN TESTWOLFCRYPT
+      run: cd test-refactor/posix && make clean && make -j ASAN=1 TESTWOLFCRYPT=1 WOLFSSL_DIR=../../wolfssl && make run
+
+    # Build and test ASAN build, with wolfCrypt tests enabled and using the DMA devId.
+    - name: Build and test refactor ASAN TESTWOLFCRYPT TESTWOLFCRYPT_DMA
+      run: cd test-refactor/posix && make clean && make -j ASAN=1 TESTWOLFCRYPT=1 TESTWOLFCRYPT_DMA=1 DMA=1 WOLFSSL_DIR=../../wolfssl && make run
+
+    # Build and test debug build with ASAN and NOCRYPTO
+    - name: Build and test refactor ASAN DEBUG NOCRYPTO
+      run: cd test-refactor/posix && make clean && make -j DEBUG=1 ASAN=1 NOCRYPTO=1 WOLFSSL_DIR=../../wolfssl && make run
+
+    # Build and test debug build with ASAN and DMA
+    - name: Build and test refactor ASAN DEBUG DMA
+      run: cd test-refactor/posix && make clean && make -j DEBUG=1 ASAN=1 DMA=1 WOLFSSL_DIR=../../wolfssl && make run
+
+    # Build and test with SHE and ASAN
+    - name: Build and test refactor ASAN SHE
+      run: cd test-refactor/posix && make clean && make -j SHE=1 ASAN=1 WOLFSSL_DIR=../../wolfssl && make run
+
+    # Build and test with DEBUG=1
+    - name: Build and test refactor with DEBUG
+      run: cd test-refactor/posix && make clean && make -j DEBUG=1 WOLFSSL_DIR=../../wolfssl && make run
+
+    # Build and test with DEBUG_VERBOSE=1 (includes DEBUG)
+    - name: Build and test refactor with DEBUG_VERBOSE
+      run: cd test-refactor/posix && make clean && make -j DEBUG_VERBOSE=1 WOLFSSL_DIR=../../wolfssl && make run
+
+    # Build and test in multithreaded mode with everything enabled
+    - name: Build and test refactor with THREADSAFE and everything
+      run: cd test-refactor/posix && make clean && make -j THREADSAFE=1 DMA=1 SHE=1 ASAN=1 WOLFSSL_DIR=../../wolfssl && make run
+
+    # Build and test in multithreaded mode with everything enabled and wolfCrypt tests
+    - name: Build and test refactor with THREADSAFE and TESTWOLFCRYPT and everything
+      run: cd test-refactor/posix && make clean && make -j THREADSAFE=1 TESTWOLFCRYPT=1 DMA=1 SHE=1 ASAN=1 WOLFSSL_DIR=../../wolfssl && make run
+
+    # Build and test in multithreaded mode with everything enabled and wolfCrypt tests with dma
+    - name: Build and test refactor with THREADSAFE and TESTWOLFCRYPT with DMA
+      run: cd test-refactor/posix && make clean && make -j THREADSAFE=1 TESTWOLFCRYPT=1 TESTWOLFCRYPT_DMA=1 DMA=1 SHE=1 ASAN=1 WOLFSSL_DIR=../../wolfssl && make run
+
+    # Build and test with AUTH=1
+    - name: Build and test refactor with AUTH
+      run: cd test-refactor/posix && make clean && make -j AUTH=1 WOLFSSL_DIR=../../wolfssl && make run
+
+    # Build and test with AUTH=1 and ASAN
+    - name: Build and test refactor with AUTH ASAN
+      run: cd test-refactor/posix && make clean && make -j AUTH=1 ASAN=1 WOLFSSL_DIR=../../wolfssl && make run
+
+    # Build and test with AUTH=1 and THREADSAFE
+    - name: Build and test refactor with AUTH THREADSAFE ASAN
+      run: cd test-refactor/posix && make clean && make -j AUTH=1 THREADSAFE=1 ASAN=1 WOLFSSL_DIR=../../wolfssl && make run
+
+    # Build and test with AUTH=1 and NOCRYPTO=1 (auth on, crypto off)
+    - name: Build and test refactor with AUTH NOCRYPTO
+      run: cd test-refactor/posix && make clean && make -j AUTH=1 NOCRYPTO=1 WOLFSSL_DIR=../../wolfssl && make run
diff --git a/.github/workflows/code-coverage-refactor.yml b/.github/workflows/code-coverage-refactor.yml
@@ -0,0 +1,89 @@
+name: Code Coverage Refactor
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+permissions:
+  contents: read
+
+jobs:
+  coverage:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: base
+            flags: ""
+          - name: dma
+            flags: "DMA=1"
+          - name: threadsafe
+            flags: "THREADSAFE=1"
+          - name: she
+            flags: "SHE=1"
+          - name: auth
+            flags: "AUTH=1"
+          - name: nocrypto
+            flags: "NOCRYPTO=1"
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install gcovr
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y gcovr
+
+      - name: Checkout wolfssl
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/wolfssl
+          path: wolfssl
+
+      - name: Build, run, and emit tracefile (${{ matrix.name }})
+        run: |
+          cd test-refactor/posix && make coverage-json \
+            OUT=$GITHUB_WORKSPACE/cov-json/refactor-${{ matrix.name }}.json \
+            WOLFSSL_DIR=../../wolfssl ${{ matrix.flags }}
+
+      - name: Upload tracefile
+        uses: actions/upload-artifact@v4
+        with:
+          name: refactor-tracefile-${{ matrix.name }}
+          path: cov-json/refactor-${{ matrix.name }}.json
+          retention-days: 7
+
+  merge:
+    needs: coverage
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install gcovr
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y gcovr
+
+      - name: Download refactor tracefiles
+        uses: actions/download-artifact@v4
+        with:
+          pattern: refactor-tracefile-*
+          path: cov-json
+          merge-multiple: true
+
+      - name: Merge tracefiles into HTML report
+        run: |
+          mkdir -p coverage-refactor-merged
+          gcovr \
+            $(for f in cov-json/refactor-*.json; do echo --add-tracefile $f; done) \
+            --html-details coverage-refactor-merged/index.html \
+            --print-summary
+
+      - name: Upload merged coverage report
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-refactor-report
+          path: coverage-refactor-merged/
+          retention-days: 30
diff --git a/.github/workflows/code-coverage.yml b/.github/workflows/code-coverage.yml
@@ -12,46 +12,78 @@ permissions:
 jobs:
   coverage:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: base
+            flags: ""
+          - name: dma
+            flags: "DMA=1"
+          - name: threadsafe
+            flags: "THREADSAFE=1"
+          - name: she
+            flags: "SHE=1"
+          - name: auth
+            flags: "AUTH=1"
+          - name: nocrypto
+            flags: "NOCRYPTO=1"
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install gcovr
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y gcovr
+
+      - name: Checkout wolfssl
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/wolfssl
+          path: wolfssl
+
+      - name: Build, run, and emit tracefile (${{ matrix.name }})
+        run: |
+          cd test && make coverage-json \
+            OUT=$GITHUB_WORKSPACE/cov-json/legacy-${{ matrix.name }}.json \
+            WOLFSSL_DIR=../wolfssl ${{ matrix.flags }}
+
+      - name: Upload tracefile
+        uses: actions/upload-artifact@v4
+        with:
+          name: legacy-tracefile-${{ matrix.name }}
+          path: cov-json/legacy-${{ matrix.name }}.json
+          retention-days: 7
 
+  merge:
+    needs: coverage
+    runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-
-    # List compiler version
-    - name: List compiler and gcov version
-      run: |
-        gcc --version
-        gcov --version
-
-    # Install gcovr for coverage report generation
-    - name: Install gcovr
-      run: |
-        sudo apt-get update
-        sudo apt-get install -y gcovr
-
-    # Checkout wolfssl
-    - name: Checkout wolfssl
-      uses: actions/checkout@v4
-      with:
-        repository: wolfssl/wolfssl
-        path: wolfssl
-
-    # Run coverage
-    - name: Build and run tests with coverage
-      run: cd test && make coverage WOLFSSL_DIR=../wolfssl
-
-    # Display coverage summary in the action log
-    # Using gcov-ignore-parse-errors to avoid (GCC bug #68080)
-    - name: Display coverage summary
-      run: |
-        echo "=== Coverage Summary ==="
-        cd test
-        gcovr Build --root .. --gcov-ignore-parse-errors=negative_hits.warn_once_per_file --filter '\.\./src/.*' --filter '\.\./wolfhsm/.*' --print-summary
-
-    # Upload coverage report as artifact
-    - name: Upload coverage report
-      uses: actions/upload-artifact@v4
-      with:
-        name: coverage-report
-        path: coverage/
-        retention-days: 30
+      - uses: actions/checkout@v4
+
+      - name: Install gcovr
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y gcovr
+
+      - name: Download legacy tracefiles
+        uses: actions/download-artifact@v4
+        with:
+          pattern: legacy-tracefile-*
+          path: cov-json
+          merge-multiple: true
+
+      - name: Merge tracefiles into HTML report
+        run: |
+          mkdir -p coverage-merged
+          gcovr \
+            $(for f in cov-json/legacy-*.json; do echo --add-tracefile $f; done) \
+            --html-details coverage-merged/index.html \
+            --print-summary
 
+      - name: Upload merged coverage report
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report
+          path: coverage-merged/
+          retention-days: 30
diff --git a/.gitignore b/.gitignore
@@ -21,3 +21,6 @@ tools/static-analysis/reports/
 *.gcno
 coverage/
 scan_out/*
+
+# Test output
+test-suite.log
diff --git a/test-refactor/Makefile b/test-refactor/Makefile
@@ -0,0 +1,10 @@
+## Top-level forwarder for the test-refactor suite.
+## Delegates to the POSIX port Makefile so tests can be run with
+## `cd test-refactor && make check` instead of navigating into posix/.
+
+.DEFAULT_GOAL := check
+
+.PHONY: check run build_app clean
+
+check run build_app clean:
+	$(MAKE) -C posix $@