57 changes: 33 additions & 24 deletions .github/workflows/python-app.yml
Expand Up @@ -18,26 +18,26 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v7
- name: Set up Python 3.10
uses: actions/setup-python@v3
uses: actions/setup-python@v6
with:
python-version: "3.10"
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install flake8 pytest tox
pip install -r requirements/test.txt
# Won't pass flake8 yet
# - name: Lint with flake8
# run: |
# # stop the build if there are Python syntax errors or undefined names
# flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
# # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
# flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
- name: Test with tox
- name: Install uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
# Install a specific version of uv.
version: "0.11.26"
- name: Build the wheel
run: uv build --wheel
- name: Install the project
run: uv sync --dev
- name: Perform static checks

Member

🟠 [Medium] Enabling `uv run ruff check` may fail CI on previously-unlinted code

The PR removes the commented-out flake8 block that carried the note `# Won't pass flake8 yet` and replaces it with an ACTIVE `uv run ruff check` step (configured rules `E4,E7,E9,F,B,UP`, over `wolfcrypt/*.py` and `scripts/build_ffi.py`). If that code has not been cleaned up to satisfy those rules, the build job now fails on every push/PR. The README shows passing pytest output but no ruff output, so ruff cleanliness is unverified in the diff.

Fix: Run `uv run ruff check` against the current tree and fix (or narrow the rule set / add `# noqa`) any violations before merging, so CI stays green.

Contributor Author

The static check passes in the pipeline verification and prints a satisfying `All checks passed!` message.

run: uv run ruff check
- name: Run tests using the locally built wheel
run: |
tox
uv pip install dist/*.whl
uv run pytest tests

build-no-pqc:
# Regression coverage for issue #2659: INVALID_DEVID is only declared
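
Review bot: In the build job, `uv run pytest tests` directly follows `uv pip install dist/*.whl`, and `uv run` syncs the project environment before it executes the command, so the wheel that was just installed can be replaced by the project install from `uv sync --dev`. The step name "Run tests using the locally built wheel" would then no longer hold. Run the tests with `uv run --no-sync pytest tests`, or install the wheel into a separate environment, so the packaged artifact is what gets tested.
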
Expand All @@ -47,13 +47,18 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v7
with:
submodules: recursive
- name: Set up Python 3.10
uses: actions/setup-python@v3
uses: actions/setup-python@v6
with:
python-version: "3.10"
- name: Install uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
# Install a specific version of uv.
version: "0.11.26"
- name: Install build deps
run: |
sudo apt-get update
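
Review bot: `actions/checkout@v7` and `actions/setup-python@v6` in the build-no-pqc steps are referenced by mutable tag, while `astral-sh/setup-uv` a few lines below is pinned to a full commit SHA with the version in a trailing comment. Pin the two `actions/*` references to commit SHAs in the same way (the build job above uses the same pair) so that a moved tag cannot change what runs in CI.
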
Expand All @@ -63,7 +68,7 @@ jobs:
cd lib/wolfssl
./autogen.sh
./configure --enable-cryptonly --disable-shared \
--disable-kyber --disable-dilithium \
--disable-mlkem --disable-mldsa \
--enable-aes --enable-aesgcm --enable-aessiv \
--enable-aesctr --enable-aesgcm-stream \
--enable-des3 --enable-chacha --enable-poly1305 \
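
Review bot: The renamed `--disable-mlkem --disable-mldsa` options on the `./configure` line only take effect if the `lib/wolfssl` revision checked out by `submodules: recursive` recognizes them; an autoconf-generated `configure` warns about unrecognized `--enable`/`--disable` options and carries on, which would leave both algorithms at their defaults. Add `--enable-option-checking=fatal` to the `./configure` call so an unknown option name fails the step rather than relying only on the later `ML_KEM_ENABLED` / `ML_DSA_ENABLED` assertions.
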
Expand All @@ -81,12 +86,16 @@ jobs:
env:
USE_LOCAL_WOLFSSL: ${{ github.workspace }}/wolfssl-install
run: |

Member

🟠 [Medium] `build-no-pqc` mixes `uv pip install` with `uv run`, risking an extension rebuild without `USE_LOCAL_WOLFSSL`

The install step uses uv's pip interface (`uv venv` + `uv pip install -e .`) with `USE_LOCAL_WOLFSSL` set so the CFFI extension builds against the locally-built no-PQC wolfSSL. The next two steps switch to uv's project interface (`uv run python -c ...`, `uv run pytest tests`). In a directory containing a `[project]` table, `uv run` performs an automatic project sync (lock + exact sync) before executing the command. If that sync rebuilds/reinstalls the wolfcrypt extension, the Import smoke step runs `uv run` with NO `USE_LOCAL_WOLFSSL` in its env, so `scripts/build_ffi.py` falls back to building wolfSSL from the `lib/wolfssl` submodule with default features (which include ML-KEM/ML-DSA). That would declare `INVALID_DEVID` and silently defeat the exact regression scenario this job exists to cover (issue #2659), or fail the build. Mixing the pip and project interfaces in one job is the documented footgun here.

Fix: Verify uv does not rebuild the extension between steps; if it can, add `--no-sync` to the `uv run` invocations and set `USE_LOCAL_WOLFSSL` on the smoke step (or convert the whole job to `USE_LOCAL_WOLFSSL=... uv sync` up front) so the regression coverage stays valid.

Contributor Author

Added a step to verify the no-pqc doesn't have ML-DSA and ML-KEM enabled.

python -m pip install --upgrade pip
pip install -r requirements/test.txt
pip install -e .
uv venv
uv pip install -r requirements/test.txt
uv pip install -e .
- name: Check absence of ML-KEM and ML-DSA support
run: |
uv run python -c "from wolfcrypt._ffi import lib as _lib; assert _lib.ML_KEM_ENABLED == 0, 'ML-KEM should be disabled'"
uv run python -c "from wolfcrypt._ffi import lib as _lib; assert _lib.ML_DSA_ENABLED == 0, 'ML-DSA should be disabled'"
- name: Import smoke (regression for INVALID_DEVID)
run: python -c "from wolfcrypt.random import Random; Random()"
run: uv run python -c "from wolfcrypt.random import Random; Random()"
- name: Run tests
env:
USE_LOCAL_WOLFSSL: ${{ github.workspace }}/wolfssl-install
run: pytest tests/
run: uv run pytest tests
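
Review bot: `USE_LOCAL_WOLFSSL` is set under `env:` on the install step and on "Run tests", but the new "Check absence of ML-KEM and ML-DSA support" and "Import smoke" steps call `uv run` without it. Declare the variable once at job level under `build-no-pqc` so every `uv run` in the job sees the same wolfSSL install path, and any rebuild triggered by a sync uses the no-PQC library.
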
21 changes: 10 additions & 11 deletions Makefile
Expand Up @@ -49,19 +49,21 @@ clean-test: ## remove test and coverage artifacts
rm -f .coverage
rm -fr htmlcov/

lint: ## check style with flake8
flake8 src tests
pylint src tests/*
lint: ## check style with ruff
uv run ruff check

test: install ## run tests quickly with the default Python
py.test tests
test: ## run tests quickly with the default Python
uv run py.test tests

check: test ## run tests quickly with the default Python

test-all: ## run tests on every Python version with tox
tox
test-all: ## run tests on every Python version with uv
for version in 3.10 3.11 3.12 3.13 3.14; do \
echo "=== Python $$version ==="; \
uv run --python $$version pytest; \
done

check-all: test-all ## run tests on every Python version with tox
check-all: test-all ## run tests on every Python version with uv

cov: install ## check code coverage quickly with the default Python
py.test --cov-config .coveragerc --cov=wolfcrypt tests
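
Review bot: The `test-all` loop has no failure handling: the recipe's exit status is that of the last iteration, so a failing `uv run --python $$version pytest` on 3.10 through 3.13 is masked whenever 3.14 passes. Append `|| exit 1` to the pytest line (or start the recipe with `set -e;`) so that `make test-all` and `check-all` fail on the first broken interpreter.
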
Expand Down Expand Up @@ -92,6 +94,3 @@ dist: clean ## builds source and wheel package

release: ## package and upload a release
twine upload dist/*

install: clean ## install the package to the active Python's site-packages
python setup.py install
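
Review bot: Removing the `install` target leaves `cov: install` (still present in the previous hunk) depending on a target that no longer exists, so `make cov` will stop with a "No rule to make target" error. Drop the prerequisite from `cov` and run its command through `uv run`, as was done for `test`.
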
67 changes: 46 additions & 21 deletions README.rst
Expand Up @@ -21,32 +21,32 @@ Install the following on Windows:

* `CMake <https://cmake.org/download/>`_
* `Git <https://git-scm.com/download/win>`_
* `Python 3.9 <https://www.python.org/downloads/windows/>`_
* `Python 3.10 or newer <https://www.python.org/downloads/windows/>`_
* `Build Tools for Visual Studio <https://visualstudio.microsoft.com/downloads/>`_. This is in the "Tools for Visual Studio" section at the bottom of the page. The "Desktop development with C++" pack is needed from the installer.

Then from the command line install tox and CFFI using:
Then from the command line install `uv` using:

.. code-block:: sh

pip install tox cffi
pip install uv

Or by following the installation instructions on the astral web site. `<https://docs.astral.sh/uv/getting-started/installation/>`_

You can then build the source distribution packages using:

.. code-block:: sh

python setup.py sdist
uv build --sdist


Linux
^^^^^

The `setup.py` file covers most things you will need to do to build and install from source. As pre-requisites you will need to install either from your OS repository or pip. You'll also need the Python development package for your Python version:
The `setup.py` file covers most things you will need to do to build and install from source. As pre-requisites you will need to install either from your OS repository or uv. You'll also need the Python development package for your Python version:

* `cffi`
* `tox`
* `pytest`
* `uv`

To build a source package run `python setup.py sdist`, to build a wheel package run `python setup.py bdist_wheel`. To test the build run `tox`. The `tox` tests rely on Python 3.9 being installed, if you do not have this version we recommend using `pyenv` to install it.
To build a source package run `uv build --sdist`, to build a wheel package run `uv build --wheel`. To test the build run `uv run pytest`. The tests rely on Python 3.10 or later being installed.

Installation
------------
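
Review bot: The Linux paragraph still opens with "The `setup.py` file covers most things you will need" and now reads "install either from your OS repository or uv", which no longer parses after the switch to `uv build`. Reword it to name `uv` as the prerequisite alongside the Python development package, and turn the "Or by following the installation instructions on the astral web site." fragment in the Windows section into a full sentence with the link inside it.
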
Expand All @@ -61,46 +61,71 @@ To build wolfcrypt-py against a local installation of the native C wolfSSL
library, use the USE_LOCAL_WOLFSSL variable. This variable should be

wolfcrypt-py can be built against a local version of the native wolfSSL
library by using pip with the USE_LOCAL_WOLFSSL variable. USE_LOCAL_WOLFSSL
library by using uv build --wheel with the USE_LOCAL_WOLFSSL variable. USE_LOCAL_WOLFSSL
should be set equal to the installation path for the wolfSSL library:

.. code-block:: bash

$ USE_LOCAL_WOLFSSL=/path/to/wolfssl/install pip install .
$ USE_LOCAL_WOLFSSL=/path/to/wolfssl/install uv build --wheel

If building wolfcrypt-py against a local wolfSSL library, wolfcrypt-py
will attempt to do native feature detection to enable/disable wolfcrypt-py
features based on how native wolfSSL has been compiled. It uses the
<wolfssl/options.h> header to do feature detection.

After this the local build can be installed from the locally built wheel in dist.

.. code-block:: bash

$ pip install dist/wolfcrypt*.whl

Testing
-------
.. code-block:: console

Member

🟠 [Medium] Malformed reStructuredText: `code-block` directive missing blank line

The newly added console block has no blank line between the directive header and its body. RST requires a blank line after a directive before its content; without it docutils raises `Error in "code-block" directive` and the snippet will not render as a code sample on PyPI/GitHub (the `long_description` is used as the PyPI page via `setup.py`). All the other code blocks in this file correctly include the blank line.

Fix: Insert a blank line between `.. code-block:: console` and `$ uv run python3`.

Contributor Author

Fixed.


$ uv run python3

.. code-block:: python

>>> from wolfcrypt.hashes import Sha256
>>> Sha256('wolfcrypt').hexdigest()
b'96e02e7b1cbcd6f104fe1fdb4652027a5505b68652b70095c6318f9dce0d1844'

Testing ``wolfcrypt``'s source code with ``tox``
------------------------------------------------
Testing ``wolfcrypt``'s source code with ``pytest``
---------------------------------------------------

To run the unit tests in the source code, you'll need ``tox`` and a few other
To run the unit tests in the source code, you'll need ``uv`` and a few other
requirements.

1. Make sure that the testing requirements are installed:

.. code-block:: console

$ sudo -H pip install -r requirements/test.txt
$ uv sync --dev


2. Run ``tox``:
2. Run ``pytest``:

.. code-block:: console

$ tox
...
_________________________________ summary _________________________________
py3: commands succeeded
congratulations :)
$ uv run pytest
======================================= test session starts =======================================
platform linux -- Python 3.10.12, pytest-9.1.1, pluggy-1.6.0
rootdir: /some_directory/wolfcrypt-py
configfile: pyproject.toml
collected 165 items

tests/test_aesgcmstream.py ......... [ 5%]
tests/test_asn.py .. [ 6%]
tests/test_chacha20poly1305.py ...... [ 10%]
tests/test_ciphers.py ........................................... [ 36%]
tests/test_delete_descriptor_binding.py ................. [ 46%]
tests/test_error_string.py .... [ 49%]
tests/test_hashes.py ........................... [ 65%]
tests/test_hkdf.py ........ [ 70%]
tests/test_mldsa.py .............................. [ 88%]
tests/test_mlkem.py ............ [ 95%]
tests/test_pwdbased.py . [ 96%]
tests/test_random.py ...... [100%]

======================================= 165 passed in 7.09s =======================================
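
Review bot: The local-wolfSSL instructions install the wheel with `pip install dist/wolfcrypt*.whl`, but the Testing section that follows runs `uv run python3`, which executes in uv's project environment rather than wherever `pip` put the wheel. Use `uv pip install dist/wolfcrypt*.whl` together with `uv run --no-sync python3`, or state which environment is meant, so the example exercises the build made with `USE_LOCAL_WOLFSSL`.
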
11 changes: 0 additions & 11 deletions pyproject.toml
Expand Up @@ -40,21 +40,10 @@ dev = [
"ruff",
"sphinx",
"sphinx-rtd-theme",
"tox >= 4",
"ty",

Member

🔵 [Low] tox tested a built wheel (`package = "wheel"`); `uv run pytest` tests the editable/source install

The removed `[tool.tox.env_run_base]` used `package = "wheel"`, so tests ran against a freshly built wheel and thus exercised packaging (MANIFEST / package_data such as the bundled `*.dll` and `*.pyi`). The new flow runs `uv run pytest` against an editable/source install, which can miss packaging regressions (files that are present in the tree but not packaged into the wheel). This is a coverage change worth being deliberate about.

Fix: If packaging coverage matters, add a job/step that builds the wheel (`uv build --wheel`) and runs the tests against the installed wheel, in addition to the editable-install run.


Note: Referenced line (pyproject.toml:43-51 (removed [tool.tox])) is outside the diff hunk. Comment anchored to nearest changed region.

Contributor Author

The build step now explicitly builds a wheel. This wheel is subsequently used to run the tests, replacing the source tree install.

"types-cffi",
]

[tool.tox]
requires = ["tox>=4"]
env_list = ["py3"]

[tool.tox.env_run_base]
package = "wheel"
deps = ["-rrequirements/test.txt"]
commands = [["py.test", "tests/"]]


[tool.ruff]
# Exclude a variety of commonly ignored directories.
exclude = [
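
Review bot: With `[tool.tox]` and its `deps = ["-rrequirements/test.txt"]` removed, test dependencies are declared in two places: the `dev` group here, used by `uv sync --dev`, and `requirements/test.txt`, which the build-no-pqc job still installs with `uv pip install -r requirements/test.txt`. Have build-no-pqc install from the `dev` group, or note in `requirements/test.txt` that it is kept only for that job, so the two lists cannot drift apart.
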
1 change: 0 additions & 1 deletion requirements/test.txt
@@ -1,4 +1,3 @@
-r prod.txt
tox>=4
pytest>=8
types-cffi>=1.17
1 change: 0 additions & 1 deletion tests/test_chacha20poly1305.py
@@ -1,4 +1,3 @@

# test_chacha20poly1305.py
#
# Copyright (C) 2022 wolfSSL Inc.
2 changes: 0 additions & 2 deletions tests/test_chacha_iv.py
@@ -1,5 +1,3 @@
# -*- coding: utf-8 -*-
#
# test_chacha_iv.py
#
# Copyright (C) 2006-2022 wolfSSL Inc.
2 changes: 0 additions & 2 deletions tests/test_cipher_modes.py
@@ -1,5 +1,3 @@
# -*- coding: utf-8 -*-
#
# test_cipher_modes.py
#
# Copyright (C) 2006-2022 wolfSSL Inc.
2 changes: 0 additions & 2 deletions tests/test_hmac_copy.py
@@ -1,5 +1,3 @@
# -*- coding: utf-8 -*-
#
# test_hmac_copy.py
#
# Copyright (C) 2006-2022 wolfSSL Inc.