5baf3f4dc7
Wireshark's built-in HSMS dissector — written by network-protocol authors who don't know us, didn't talk to us, and don't share implementation details with secsgem-py — is a third independent codec for our framing. If they parse our pcap without warnings, our HSMS framing is wire-correct independently of both our internal tests and the secsgem-py interop path. interop/tshark_validate.sh: - Boots secs_server on 127.0.0.1:5099 (away from the demo port) - Captures the loopback wire traffic with tcpdump - Runs secs_client through ~24 transactions plus Separate.req + TCP FIN - Parses the pcap with tshark -V using the HSMS dissector - Asserts: no "Malformed Packet", no "Dissector bug", at least one HSMS frame, expected tokens present (Select.req/rsp, Separate.req, Data message), reports histogram (count by control type + distinct S/F pairs) Result against the demo: 69 HSMS frames dissected, 49 distinct S/F pairs (S01F01..S16F28), all clean. Dockerfile gains tshark + tcpdump. .gitea/workflows/ci.yml gains a `tshark-dissector` job that runs this validator as part of every push to main. README proof table grows to 6 commands. VERIFICATION.md §1a documents a follow-up: round-trip the KAT fixtures through secsgem-py to corroborate that the format codes we used match an independent implementation. Strengthens the KAT proof from "internally consistent" to "confirmed by a second implementer who read the spec without talking to us." Plan: VERIFICATION.md §2. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
124 lines
3.6 KiB
YAML
124 lines
3.6 KiB
YAML
name: tests
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
|
|
jobs:
|
|
build-and-test:
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: ubuntu:24.04
|
|
steps:
|
|
# actions/checkout@v4 is a Node-based action; the bare ubuntu:24.04
|
|
# runner image has no node, so checkout fails with
|
|
# `exitcode '127': command not found`. Install node + git BEFORE
|
|
# checkout, then install the rest of the toolchain after.
|
|
- name: Bootstrap (node + git for actions/checkout)
|
|
run: |
|
|
export DEBIAN_FRONTEND=noninteractive
|
|
apt-get update
|
|
apt-get install -y --no-install-recommends \
|
|
git \
|
|
ca-certificates \
|
|
nodejs
|
|
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install C++ toolchain
|
|
run: |
|
|
export DEBIAN_FRONTEND=noninteractive
|
|
apt-get install -y --no-install-recommends \
|
|
build-essential \
|
|
cmake \
|
|
ninja-build \
|
|
libasio-dev \
|
|
libyaml-cpp-dev \
|
|
python3 \
|
|
python3-yaml
|
|
|
|
- name: Configure (Release)
|
|
run: cmake -S . -B build -G Ninja -DCMAKE_BUILD_TYPE=Release
|
|
|
|
- name: Build (Release)
|
|
run: cmake --build build
|
|
|
|
- name: Unit tests (Release)
|
|
run: build/secsgem_tests
|
|
|
|
thread-sanitizer:
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: ubuntu:24.04
|
|
steps:
|
|
- name: Bootstrap (node + git for actions/checkout)
|
|
run: |
|
|
export DEBIAN_FRONTEND=noninteractive
|
|
apt-get update
|
|
apt-get install -y --no-install-recommends \
|
|
git ca-certificates nodejs
|
|
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install C++ toolchain
|
|
run: |
|
|
export DEBIAN_FRONTEND=noninteractive
|
|
apt-get install -y --no-install-recommends \
|
|
build-essential cmake ninja-build \
|
|
libasio-dev libyaml-cpp-dev \
|
|
python3 python3-yaml
|
|
|
|
# Debug + -fsanitize=thread. Catches data races in the
|
|
# io_context strand contract documented in INTEGRATION.md §3.
|
|
# halt_on_error=1 makes TSan-flagged races fail the job, not
|
|
# just print a warning.
|
|
- name: Configure (TSan)
|
|
run: cmake -S . -B build-tsan -G Ninja
|
|
-DCMAKE_BUILD_TYPE=Debug
|
|
-DSECSGEM_TSAN=ON
|
|
|
|
- name: Build (TSan)
|
|
run: cmake --build build-tsan
|
|
|
|
- name: Unit tests (TSan)
|
|
env:
|
|
TSAN_OPTIONS: halt_on_error=1
|
|
run: build-tsan/secsgem_tests
|
|
|
|
tshark-dissector:
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: ubuntu:24.04
|
|
steps:
|
|
- name: Bootstrap (node + git for actions/checkout)
|
|
run: |
|
|
export DEBIAN_FRONTEND=noninteractive
|
|
apt-get update
|
|
apt-get install -y --no-install-recommends \
|
|
git ca-certificates nodejs
|
|
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install C++ toolchain + tshark
|
|
run: |
|
|
export DEBIAN_FRONTEND=noninteractive
|
|
apt-get install -y --no-install-recommends \
|
|
build-essential cmake ninja-build \
|
|
libasio-dev libyaml-cpp-dev \
|
|
python3 python3-yaml \
|
|
tshark tcpdump
|
|
|
|
- name: Build
|
|
run: |
|
|
cmake -S . -B build -G Ninja -DCMAKE_BUILD_TYPE=Release
|
|
cmake --build build
|
|
|
|
# Capture pcap of the demo flow, dissect with Wireshark's HSMS
|
|
# dissector (independent third codec), assert no malformed
|
|
# packets and that every expected control + data frame parses.
|
|
- name: tshark HSMS dissector validation
|
|
run: bash interop/tshark_validate.sh
|
|
env:
|
|
PORT: "5099"
|