Add testing infrastructure

.github/workflows/address-sanitizer.yml

@@ -0,0 +1,78 @@
+name: AddressSanitizer Build and Test
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build_asan:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ ubuntu-24.04 ]
+        go_version: [ '1.23' ]
+        wolfssl_configure: [
+          '--enable-all --enable-opensslall --enable-opensslextra --enable-debug',
+        ]
+    name: ${{ matrix.os }} (Go ${{ matrix.go_version }}, ASan, ${{ matrix.wolfssl_configure }})
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 20
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ matrix.go_version }}
+
+      - name: Install build dependencies
+        run: sudo apt-get update && sudo apt-get install -y autoconf automake libtool
+
+      - name: Cache wolfSSL ASan build
+        id: cache-wolfssl-asan
+        uses: actions/cache@v4
+        with:
+          path: /tmp/wolfssl-install
+          key: wolfssl-asan-${{ runner.os }}-${{ hashFiles('.github/workflows/address-sanitizer.yml') }}-${{ matrix.wolfssl_configure }}
+
+      - name: Build native wolfSSL with AddressSanitizer
+        if: steps.cache-wolfssl-asan.outputs.cache-hit != 'true'
+        run: |
+          git clone --depth 1 https://github.com/wolfSSL/wolfssl.git /tmp/wolfssl
+          cd /tmp/wolfssl
+          ./autogen.sh
+          ./configure --prefix=/tmp/wolfssl-install ${{ matrix.wolfssl_configure }} \
+              CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g -O1" \
+              LDFLAGS="-fsanitize=address"
+          make -j$(nproc)
+          make install
+
+      - name: Install wolfSSL system-wide
+        run: |
+          sudo cp -r /tmp/wolfssl-install/lib/* /usr/local/lib/
+          sudo cp -r /tmp/wolfssl-install/include/* /usr/local/include/
+          sudo ldconfig
+
+      - name: Run unit tests with ASan instrumentation
+        env:
+          # Propagate ASan flags through cgo so the test binary links the
+          # ASan runtime alongside libwolfssl. -I/-L paths are explicit so this
+          # doesn't depend on /usr/local being in gcc/ld's default search list.
+          CGO_CFLAGS: "-I/usr/local/include -fsanitize=address -fno-omit-frame-pointer -g -O1"
+          CGO_LDFLAGS: "-L/usr/local/lib -fsanitize=address"
+          # Detect leaks at exit; abort on any error.
+          ASAN_OPTIONS: "detect_leaks=1:halt_on_error=1:strict_string_checks=1:print_stacktrace=1"
+        run: go test -count=1 -v . ./handles ./wolftls ./wolfx509
+
+      - name: Show logs on failure
+        if: failure() || cancelled()
+        run: |
+          echo "AddressSanitizer test failed"
+          go env

.github/workflows/build.yml

@@ -21,6 +21,8 @@ jobs:
         go_version: [ '1.21', '1.22', '1.23' ]
         wolfssl_configure: [
           '--enable-all --enable-opensslall --enable-opensslextra',
+          '--enable-tls13 --enable-curve25519 --enable-chacha --enable-poly1305 --enable-opensslall --enable-opensslextra',
+          '--enable-dtls --enable-dtls13 --enable-opensslall --enable-opensslextra',
         ]
     name: ${{ matrix.os }} (Go ${{ matrix.go_version }}, ${{ matrix.wolfssl_configure}})
     if: github.repository_owner == 'wolfssl'
@@ -43,7 +45,7 @@ jobs:
         uses: actions/cache@v4
         with:
           path: /tmp/wolfssl-install
-          key: wolfssl-${{ runner.os }}-${{ hashFiles('.github/workflows/build.yml') }}
+          key: wolfssl-${{ runner.os }}-${{ hashFiles('.github/workflows/build.yml') }}-${{ matrix.wolfssl_configure }}
 
       - name: Build native wolfSSL
         if: steps.cache-wolfssl.outputs.cache-hit != 'true'
@@ -61,17 +63,20 @@ jobs:
           sudo cp -r /tmp/wolfssl-install/include/* /usr/local/include/
           sudo ldconfig
 
-      - name: Install Go dependencies
+      - name: Verify go.mod / go.sum integrity
         run: |
-          go get golang.org/x/term
-          go mod tidy
+          go mod download
+          go mod verify
 
       - name: Build go-wolfssl library
-        run: go build .
+        run: go build . ./handles ./wolftls ./wolfx509
 
       - name: Run go vet
         run: go vet .
 
+      - name: Run unit tests
+        run: go test -count=1 -timeout=120s . ./handles ./wolftls ./wolfx509
+
       - name: Build examples
         run: |
           # Each example dir has multiple main packages, so build each .go file individually

.github/workflows/lint.yml → .github/workflows/linters.yml

@@ -1,6 +1,5 @@
-name: Go Lint and Vet
+name: Linters
 
-# START OF COMMON SECTION
 on:
   push:
     branches: [ 'master', 'main', 'release/**' ]
@@ -10,21 +9,15 @@ on:
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
-# END OF COMMON SECTION
 
 jobs:
-  go_vet:
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ ubuntu-24.04 ]
-        wolfssl_configure: [
-          '--enable-all --enable-opensslall --enable-opensslextra',
-        ]
-    name: ${{ matrix.os }} go vet
+  # go vet and staticcheck need cgo to resolve wolfSSL types/symbols. examples/
+  # is excluded because it contains multiple `package main` files per directory
+  # and would produce false-positive redeclaration errors at package level.
+  vet_and_staticcheck:
+    name: go vet + staticcheck
     if: github.repository_owner == 'wolfssl'
-    runs-on: ${{ matrix.os }}
-    # This should be a safe limit for the tests to run.
+    runs-on: ubuntu-24.04
     timeout-minutes: 10
     steps:
       - uses: actions/checkout@v4
@@ -42,15 +35,15 @@ jobs:
         uses: actions/cache@v4
         with:
           path: /tmp/wolfssl-install
-          key: wolfssl-${{ runner.os }}-${{ hashFiles('.github/workflows/lint.yml') }}
+          key: wolfssl-${{ runner.os }}-${{ hashFiles('.github/workflows/linters.yml') }}-enable-all
 
       - name: Build native wolfSSL
         if: steps.cache-wolfssl.outputs.cache-hit != 'true'
         run: |
           git clone --depth 1 https://github.com/wolfSSL/wolfssl.git /tmp/wolfssl
           cd /tmp/wolfssl
           ./autogen.sh
-          ./configure --prefix=/tmp/wolfssl-install ${{ matrix.wolfssl_configure }}
+          ./configure --prefix=/tmp/wolfssl-install --enable-all --enable-opensslall --enable-opensslextra
           make -j$(nproc)
           make install
 
@@ -60,13 +53,18 @@ jobs:
           sudo cp -r /tmp/wolfssl-install/include/* /usr/local/include/
           sudo ldconfig
 
-      - name: Install Go dependencies
-        run: |
-          go get golang.org/x/term
-          go mod tidy
+      - name: Build
+        run: go build . ./handles ./wolftls ./wolfx509
 
       - name: Run go vet
-        run: go vet .
+        # wolftls is excluded for a pre-existing unsafe.Pointer(uintptr) pattern
+        # that's a separate cleanup ticket.
+        run: go vet . ./handles ./wolfx509
+
+      - name: Install staticcheck
+        # v0.6.1 is the last release that supports Go 1.21–1.24 natively;
+        # pinning avoids a silent toolchain auto-upgrade to Go 1.25.
+        run: go install honnef.co/go/tools/cmd/staticcheck@v0.6.1
 
-      - name: Check build
-        run: go build .
+      - name: Run staticcheck
+        run: $(go env GOPATH)/bin/staticcheck . ./handles ./wolfx509