From 9a42b04355059cac4f86b5964935b21064b95aa9 Mon Sep 17 00:00:00 2001
From: Colton Willey
Date: Thu, 16 Oct 2025 11:03:22 -0700
Subject: [PATCH] Add python3 ssl tests to wolfprovider CI
---
.github/workflows/python3-ssl.yml | 149 ++++++++++++++++++++++++++++++
1 file changed, 149 insertions(+)
create mode 100644 .github/workflows/python3-ssl.yml
diff --git a/.github/workflows/python3-ssl.yml b/.github/workflows/python3-ssl.yml
new file mode 100644
index 00000000..e2d67bed
--- /dev/null
+++ b/.github/workflows/python3-ssl.yml
@@ -0,0 +1,149 @@
+name: Python SSL Tests
+
+# START OF COMMON SECTION
+on:
+ push:
+ branches: [ 'master', 'main', 'release/**' ]
+ pull_request:
+ branches: [ '*' ]
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+ build_wolfprovider:
+ uses: ./.github/workflows/build-wolfprovider.yml
+ with:
+ wolfssl_ref: ${{ matrix.wolfssl_ref }}
+ openssl_ref: ${{ matrix.openssl_ref }}
+ replace_default: ${{ matrix.replace_default }}
+ strategy:
+ matrix:
+ wolfssl_ref: [ 'v5.8.2-stable' ]
+ openssl_ref: [ 'openssl-3.5.2' ]
+ replace_default: [ true ]
+ fips: [ false ]
+
+ test_python_ssl:
+ runs-on: ubuntu-22.04
+ needs: build_wolfprovider
+ # Python build and SSL tests can take time
+ timeout-minutes: 60
+ container:
+ image: debian:bookworm
+ options: --user root
+ env:
+ DEBIAN_FRONTEND: noninteractive
+ WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages
+ OPENSSL_PACKAGES_PATH: /tmp/openssl-packages
+ WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages
+ strategy:
+ fail-fast: false
+ matrix:
+ python_version: [ '3.13.7' ]
+ wolfssl_ref: [ 'v5.8.2-stable' ]
+ openssl_ref: [ 'openssl-3.5.2' ]
+ replace_default: [ true ]
+ fips: [ false ]
+ force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ]
+ steps:
+ - name: Checkout wolfProvider
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+
+ - name: Checking OpenSSL/wolfProvider packages in cache
+ uses: actions/cache/restore@v4
+ id: wolfprov-cache-restore
+ with:
+ path: |
+ ${{ env.WOLFSSL_PACKAGES_PATH }}
+ ${{ env.OPENSSL_PACKAGES_PATH }}
+ ${{ env.WOLFPROV_PACKAGES_PATH }}
+ key: openssl-wolfprov-debian-packages-${{ github.sha }}${{ matrix.replace_default && '-replace-default' || '' }}
+ fail-on-cache-miss: true
+
+ - name: Install wolfSSL/OpenSSL/wolfprov packages
+ run: |
+ printf "Installing OpenSSL/wolfProvider packages:\n"
+ ls -la ${{ env.WOLFSSL_PACKAGES_PATH }}
+ ls -la ${{ env.OPENSSL_PACKAGES_PATH }}
+ ls -la ${{ env.WOLFPROV_PACKAGES_PATH }}
+
+ apt install --reinstall -y \
+ ${{ env.WOLFSSL_PACKAGES_PATH }}/libwolfssl_*.deb
+
+ apt install --reinstall -y \
+ ${{ env.OPENSSL_PACKAGES_PATH }}/openssl_*.deb \
+ ${{ env.OPENSSL_PACKAGES_PATH }}/libssl3_*.deb \
+ ${{ env.OPENSSL_PACKAGES_PATH }}/libssl-dev_*.deb
+
+ apt install --reinstall -y \
+ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb
+
+ - name: Verify wolfProvider is properly installed
+ run: |
+ $GITHUB_WORKSPACE/scripts/verify-install.sh ${{ matrix.replace_default && '--replace-default' || '' }} ${{ matrix.fips && '--fips' || '' }}
+
+ - name: Install Python build dependencies
+ run: |
+ apt-get update
+ apt-get install -y build-essential wget curl patch git \
+ zlib1g-dev libbz2-dev libreadline-dev \
+ libsqlite3-dev libncurses5-dev libgdbm-dev \
+ libnss3-dev libffi-dev liblzma-dev \
+ uuid-dev tk-dev libgdbm-compat-dev
+
+ - name: Download Python ${{ matrix.python_version }}
+ run: |
+ cd /tmp
+ wget https://www.python.org/ftp/python/${{ matrix.python_version }}/Python-${{ matrix.python_version }}.tgz
+ tar -xzf Python-${{ matrix.python_version }}.tgz
+
+ - name: Checkout OSP
+ uses: actions/checkout@v4
+ with:
+ repository: wolfSSL/osp
+ path: osp
+ fetch-depth: 1
+ - run: |
+ cd /tmp/Python-${{ matrix.python_version }}
+ patch -p1 < $GITHUB_WORKSPACE/osp/wolfProvider/python3/python3-${{ matrix.python_version }}-wolfprov.patch
+
+ - name: Build Python ${{ matrix.python_version }}
+ working-directory: /tmp/Python-${{ matrix.python_version }}
+ run: |
+ # Configure Python to use the system OpenSSL (which has wolfProvider)
+ ./configure \
+ --prefix=/opt/python${{ matrix.python_version }} \
+ --with-openssl=/usr \
+ --with-openssl-rpath=auto \
+ --enable-optimizations
+
+ # Build Python
+ make -j$(nproc)
+ make install
+
+ - name: Run Python SSL tests with wolfProvider
+ working-directory: /tmp/Python-${{ matrix.python_version }}
+ shell: bash
+ run: |
+ export ${{ matrix.force_fail }}
+
+ # Show Python and OpenSSL info
+ echo "Python version:"
+ /opt/python${{ matrix.python_version }}/bin/python3 --version
+
+ echo "Python OpenSSL version:"
+ /opt/python${{ matrix.python_version }}/bin/python3 -c "import ssl; print(ssl.OPENSSL_VERSION)"
+
+ echo "OpenSSL providers:"
+ openssl list -providers
+
+ # Run Python SSL test suite
+ /opt/python${{ matrix.python_version }}/bin/python3 -m test test_ssl -v 2>&1 | tee python-ssl-test.log
+ TEST_RESULT=${PIPESTATUS[0]}
+ $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} python-ssl
+
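Review bot: The "Download Python" step fetches `Python-${{ matrix.python_version }}.tgz` with `wget` and unpacks it without any integrity check, and the result is then patched, built and run in a container started with `--user root`. Pinning a digest next to the version and verifying it before `tar` would make a tampered or truncated download fail the job, for example `echo "${{ matrix.python_sha256 }}  Python-${{ matrix.python_version }}.tgz" | sha256sum -c -`, with `python_sha256: [ '<sha256-of-Python-3.13.7.tgz>' ]` added to the matrix (placeholder; fill in the published value). The "Checkout OSP" step has the same gap: it sets no `ref:`, so the patch applied is whatever is on the default branch of wolfSSL/osp at run time, and a pinned commit there would keep the patched source reproducible.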