CRYPTOCB_ONLY: add test infra + SHA256 + AES

.github/workflows/cryptocb-only.yml

@@ -0,0 +1,95 @@
+name: cryptocb-only Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  make_check:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          # WOLF_CRYPTO_CB_ONLY_ECC: strips software ECC; swdev provides the
+          # software path via cryptocb.  FP_ECC / ECCSI / SAKKE / deterministic-k
+          # test / OPENSSL_EXTRA compat layer all reference stripped primitives
+          # directly, so they stay off.
+          - name: ECC
+            cppflags: -DWOLF_CRYPTO_CB_ONLY_ECC
+          # WOLF_CRYPTO_CB_ONLY_RSA: strips software RSA; swdev provides the
+          # software path via cryptocb.
+          - name: RSA
+            cppflags: -DWOLF_CRYPTO_CB_ONLY_RSA
+          # WOLF_CRYPTO_CB_ONLY_SHA256: strips software SHA-256; swdev provides
+          # the software path via cryptocb.  SHA-224 piggybacks on the SHA-256
+          # software core so it is incompatible with this strip and must be
+          # explicitly disabled (it is default-on on x86_64/aarch64).
+          - name: SHA256
+            extra_config: --disable-sha224
+            cppflags: -DWOLF_CRYPTO_CB_ONLY_SHA256
+          # WOLF_CRYPTO_CB_ONLY_AES: strips software AES; swdev provides the
+          # software path via cryptocb.
+          - name: AES
+            cppflags: -DWOLF_CRYPTO_CB_ONLY_AES
+          # All four ONLY_* macros at once: every supported software primitive
+          # is stripped and dispatched through cryptocb.  Catches any cross-
+          # algorithm call that a single-strip entry would still resolve via
+          # the remaining software paths.
+          - name: ALL
+            extra_config: --disable-sha224
+            cppflags: >-
+              -DWOLF_CRYPTO_CB_ONLY_ECC -DWOLF_CRYPTO_CB_ONLY_RSA
+              -DWOLF_CRYPTO_CB_ONLY_SHA256 -DWOLF_CRYPTO_CB_ONLY_AES
+    name: make check (${{ matrix.name }})
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    env:
+      # Common feature set for every entry.  SHA-224 is left at the platform
+      # default (on for x86_64/aarch64); entries that need it off pass
+      # --disable-sha224 in extra_config.
+      BASE_CONFIG: >-
+        --enable-swdev --enable-cryptocb --enable-ecc --enable-rsa --enable-dh
+        --enable-aesgcm --enable-aesccm --enable-aesctr --enable-aescfb
+        --enable-aeskeywrap --enable-aessiv --enable-aesofb --enable-aesxts
+        --enable-camellia --enable-chacha --enable-poly1305
+        --enable-sha --enable-sha3 --enable-shake128 --enable-shake256
+        --enable-blake2 --enable-blake2s
+        --enable-hkdf --enable-hashdrbg --enable-hashflags
+        --enable-curve25519 --enable-ed25519 --enable-curve448 --enable-ed448
+        --enable-mlkem --enable-dilithium
+        --enable-scrypt --enable-pwdbased --enable-pkcs7 --enable-pkcs12
+        --enable-certgen --enable-certreq --enable-certext
+        --enable-keygen --enable-asn=all
+        --enable-cmac --enable-xchacha
+        --enable-crl --enable-ocsp --enable-ocspstapling --enable-ocspstapling2
+        --enable-dtls --enable-dtls13 --enable-tls13
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout wolfSSL
+
+      - name: Test wolfSSL
+        run: |
+          ./autogen.sh
+          ./configure $BASE_CONFIG ${{ matrix.extra_config }} CPPFLAGS="${{ matrix.cppflags }}"
+          make -j 4
+          make check
+
+      - name: Print errors
+        if: ${{ failure() }}
+        run: |
+          for file in scripts/*.log
+          do
+              if [ -f "$file" ]; then
+                  echo "${file}:"
+                  cat "$file"
+              fi
+          done

configure.ac

@@ -10513,6 +10513,25 @@ if test "$ENABLED_CRYPTOCB_UTILS" != "no"; then
 fi
 
 
+# wc_swdev: software crypto-callback device for testing
+AC_ARG_ENABLE([swdev],
+    [AS_HELP_STRING([--enable-swdev],[Build wc_swdev software crypto-callback for tests (default: disabled). Requires --enable-cryptocb])],
+    [ ENABLED_SWDEV=$enableval ],
+    [ ENABLED_SWDEV=no ]
+)
+
+if test "$ENABLED_SWDEV" = "yes"
+then
+    if test "$ENABLED_CRYPTOCB" != "yes" && test "$enable_usersettings" != "yes"; then
+        AC_MSG_ERROR([--enable-swdev requires --enable-cryptocb (or --enable-usersettings with WOLF_CRYPTO_CB defined in user_settings.h)])
+    fi
+    if test "x$srcdir" != "x."; then
+        AC_MSG_ERROR([--enable-swdev currently supports in-tree builds only])
+    fi
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SWDEV -DWOLF_CRYPTO_CB_FIND"
+fi
+
+
 # Asynchronous Crypto
 AC_ARG_ENABLE([asynccrypt],
     [AS_HELP_STRING([--enable-asynccrypt],[Enable Asynchronous Crypto (default: disabled)])],
@@ -11770,9 +11789,14 @@ fi
 if test "x$ENABLED_USERSETTINGS" = "xyes"
 then
     # Replace all options and just use WOLFSSL_USER_SETTINGS and
-    # WOLFSSL_USER_SETTINGS_ASM.
+    # WOLFSSL_USER_SETTINGS_ASM.  Re-append build-system flags that affect
+    # preprocessor guards in test files and must survive the reset.
     AM_CFLAGS="-DWOLFSSL_USER_SETTINGS -DWOLFSSL_USER_SETTINGS_ASM"
     AM_CCASFLAGS="-DWOLFSSL_USER_SETTINGS -DWOLFSSL_USER_SETTINGS_ASM"
+    AS_IF([test "x$ENABLED_SWDEV" = "xyes"],[
+        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SWDEV -DWOLF_CRYPTO_CB_FIND"
+        AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SWDEV -DWOLF_CRYPTO_CB_FIND"
+    ])
 
     # Generate assembly-safe user_settings_asm.h (just preprocessor directives
     # from user_settings.h).
@@ -12133,6 +12157,7 @@ AM_CONDITIONAL([BUILD_MCAPI],[test "x$ENABLED_MCAPI" = "xyes"])
 AM_CONDITIONAL([BUILD_ASYNCCRYPT],[test "x$ENABLED_ASYNCCRYPT" = "xyes"])
 AM_CONDITIONAL([BUILD_WOLFEVENT],[test "x$ENABLED_ASYNCCRYPT" = "xyes"])
 AM_CONDITIONAL([BUILD_CRYPTOCB],[test "x$ENABLED_CRYPTOCB" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
+AM_CONDITIONAL([BUILD_SWDEV],[test "x$ENABLED_SWDEV" = "xyes"])
 AM_CONDITIONAL([BUILD_PSK],[test "x$ENABLED_PSK" = "xyes"])
 AM_CONDITIONAL([BUILD_TRUST_PEER_CERT],[test "x$ENABLED_TRUSTED_PEER_CERT" = "xyes"])
 AM_CONDITIONAL([BUILD_PKI],[test "x$ENABLED_PKI" = "xyes"])

examples/client/client.c

@@ -51,6 +51,10 @@ static const char *wolfsentry_config_path = NULL;
 #include <wolfssl/test.h>
 #include <wolfssl/error-ssl.h>
 
+#ifdef WOLFSSL_SWDEV
+    #include "tests/swdev/swdev_loader.h"
+#endif
+
 #ifdef USE_FLAT_TEST_H
     #include "client.h"
 #else
@@ -5056,6 +5060,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
         wolfSSL_Debugging_ON();
 #endif
         wolfSSL_Init();
+#ifdef WOLFSSL_SWDEV
+        if (wc_SwDev_Init() != 0) {
+            fprintf(stderr, "wc_SwDev_Init failed\n");
+            return EXIT_FAILURE;
+        }
+#endif
         ChangeToWolfRoot();
 
 #if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_TLS)
@@ -5066,6 +5076,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #endif
 #else
         fprintf(stderr, "Client not compiled in!\n");
+#endif
+#ifdef WOLFSSL_SWDEV
+        wc_SwDev_Cleanup();
 #endif
         wolfSSL_Cleanup();
 

examples/client/include.am

@@ -7,6 +7,11 @@ noinst_HEADERS += examples/client/client.h
 examples_client_client_SOURCES      = examples/client/client.c
 examples_client_client_LDADD        = src/libwolfssl@LIBSUFFIX@.la $(LIB_STATIC_ADD) $(WOLFSENTRY_LIB)
 examples_client_client_DEPENDENCIES = src/libwolfssl@LIBSUFFIX@.la
+if BUILD_SWDEV
+examples_client_client_SOURCES     += tests/swdev/swdev_loader.c
+examples_client_client_LDADD       += $(top_builddir)/tests/swdev/build/swdev.o $(LIBM)
+examples_client_client_DEPENDENCIES += $(top_builddir)/tests/swdev/build/swdev.o
+endif
 examples_client_client_CFLAGS = $(WOLFSENTRY_INCLUDE) $(AM_CFLAGS)
 endif
 EXTRA_DIST += examples/client/client.sln

examples/server/include.am

@@ -9,6 +9,11 @@ noinst_HEADERS += examples/server/server.h
 examples_server_server_SOURCES      = examples/server/server.c
 examples_server_server_LDADD        = src/libwolfssl@LIBSUFFIX@.la $(LIB_STATIC_ADD) $(WOLFSENTRY_LIB)
 examples_server_server_DEPENDENCIES = src/libwolfssl@LIBSUFFIX@.la
+if BUILD_SWDEV
+examples_server_server_SOURCES     += tests/swdev/swdev_loader.c
+examples_server_server_LDADD       += $(top_builddir)/tests/swdev/build/swdev.o $(LIBM)
+examples_server_server_DEPENDENCIES += $(top_builddir)/tests/swdev/build/swdev.o
+endif
 examples_server_server_CFLAGS = $(WOLFSENTRY_INCLUDE) $(AM_CFLAGS)
 endif
 EXTRA_DIST += examples/server/server.sln

examples/server/server.c

@@ -67,6 +67,10 @@ static const char *wolfsentry_config_path = NULL;
 #include <wolfssl/test.h>
 #include <wolfssl/error-ssl.h>
 
+#ifdef WOLFSSL_SWDEV
+    #include "tests/swdev/swdev_loader.h"
+#endif
+
 #ifdef USE_FLAT_TEST_H
     #include "server.h"
 #else
@@ -4255,6 +4259,12 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
         wolfSSL_Init();
 #ifdef WC_RNG_SEED_CB
         wc_SetSeed_Cb(WC_GENERATE_SEED_DEFAULT);
+#endif
+#ifdef WOLFSSL_SWDEV
+        if (wc_SwDev_Init() != 0) {
+            fprintf(stderr, "wc_SwDev_Init failed\n");
+            return EXIT_FAILURE;
+        }
 #endif
         ChangeToWolfRoot();
 
@@ -4268,6 +4278,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
         fprintf(stderr, "Server not compiled in!\n");
 #endif
 
+#ifdef WOLFSSL_SWDEV
+        wc_SwDev_Cleanup();
+#endif
         wolfSSL_Cleanup();
         FreeTcpReady(&ready);
 

tests/api.c

@@ -65,6 +65,10 @@
 #include <tests/utils.h>
 #include <testsuite/utils.h>
 
+#ifdef WOLFSSL_SWDEV
+#include "swdev/swdev_loader.h"
+#endif
+
 /* for testing compatibility layer callbacks */
 #include "examples/server/server.h"
 
@@ -6290,7 +6294,10 @@ static void test_client_reuse_WOLFSSLobj(void* args, cbType cb,
 /* Generic TLS client / server with callbacks for API unit tests
  * Used by SNI / ALPN / crypto callback helper functions */
 #if defined(HAVE_IO_TESTS_DEPENDENCIES) && \
-    (defined(HAVE_SNI) || defined(HAVE_ALPN) || defined(WOLF_CRYPTO_CB) || \
+    (defined(HAVE_SNI) || defined(HAVE_ALPN) || \
+     (defined(WOLF_CRYPTO_CB) && \
+      !defined(WOLF_CRYPTO_CB_ONLY_RSA) && !defined(WOLF_CRYPTO_CB_ONLY_ECC) && \
+      !defined(WOLF_CRYPTO_CB_ONLY_SHA256) && !defined(WOLF_CRYPTO_CB_ONLY_AES)) || \
      defined(HAVE_ALPN_PROTOS_SUPPORT)) || defined(WOLFSSL_STATIC_MEMORY)
     #define ENABLE_TLS_CALLBACK_TEST
 #endif
@@ -30461,7 +30468,9 @@ static int test_SSL_CIPHER_get_xxx(void)
     return EXPECT_RESULT();
 }
 
-#if defined(WOLF_CRYPTO_CB) && defined(HAVE_IO_TESTS_DEPENDENCIES)
+#if defined(WOLF_CRYPTO_CB) && defined(HAVE_IO_TESTS_DEPENDENCIES) && \
+    (!defined(WOLF_CRYPTO_CB_ONLY_SHA256) && !defined(WOLF_CRYPTO_CB_ONLY_AES) && \
+     !defined(WOLF_CRYPTO_CB_ONLY_ECC) && !defined(WOLF_CRYPTO_CB_ONLY_RSA))
 
 static int load_pem_key_file_as_der(const char* privKeyFile, DerBuffer** pDer,
     int* keyFormat)
@@ -31463,7 +31472,9 @@ static int test_wc_CryptoCb_TLS(int tlsVer,
 static int test_wc_CryptoCb(void)
 {
     EXPECT_DECLS;
-#ifdef WOLF_CRYPTO_CB
+#if defined(WOLF_CRYPTO_CB) && \
+    (!defined(WOLF_CRYPTO_CB_ONLY_SHA256) && !defined(WOLF_CRYPTO_CB_ONLY_AES) && \
+     !defined(WOLF_CRYPTO_CB_ONLY_ECC) && !defined(WOLF_CRYPTO_CB_ONLY_RSA))
     /* TODO: Add crypto callback API tests */
 
 #ifdef HAVE_IO_TESTS_DEPENDENCIES
@@ -38973,7 +38984,7 @@ static int test_pkcs7_padding(void)
 
     /* Encode EncryptedData */
     XMEMSET(&pkcs7, 0, sizeof(pkcs7));
-    ExpectIntEQ(wc_PKCS7_Init(&pkcs7, NULL, 0), 0);
+    ExpectIntEQ(wc_PKCS7_Init(&pkcs7, NULL, INVALID_DEVID), 0);
     pkcs7.content      = plaintext;
     pkcs7.contentSz    = sizeof(plaintext);
     pkcs7.contentOID   = DATA;
@@ -39002,7 +39013,7 @@ static int test_pkcs7_padding(void)
 
         /* Decrypt modified ciphertext - must fail, not succeed */
         XMEMSET(&pkcs7, 0, sizeof(pkcs7));
-        ExpectIntEQ(wc_PKCS7_Init(&pkcs7, NULL, 0), 0);
+        ExpectIntEQ(wc_PKCS7_Init(&pkcs7, NULL, INVALID_DEVID), 0);
         pkcs7.encryptionKey   = key;
         pkcs7.encryptionKeySz = sizeof(key);
 
@@ -40127,20 +40138,24 @@ int ApiTest(void)
     printf(" Begin API Tests\n");
     fflush(stdout);
 
-    /* we must perform init and cleanup if not all tests are running */
-    if (!testAll) {
-    #ifdef WOLFCRYPT_ONLY
-        if (wolfCrypt_Init() != 0) {
-            printf("wolfCrypt Initialization failed\n");
-            res = 1;
-        }
-    #else
-        if (wolfSSL_Init() != WOLFSSL_SUCCESS) {
-            printf("wolfSSL Initialization failed\n");
-            res = 1;
-        }
-    #endif
+#ifdef WOLFCRYPT_ONLY
+    if (wolfCrypt_Init() != 0) {
+        printf("wolfCrypt Initialization failed\n");
+        res = 1;
     }
+#else
+    if (wolfSSL_Init() != WOLFSSL_SUCCESS) {
+        printf("wolfSSL Initialization failed\n");
+        res = 1;
+    }
+#endif
+
+#ifdef WOLFSSL_SWDEV
+    if (res == 0 && wc_SwDev_Init() != 0) {
+        printf("wc_SwDev_Init failed\n");
+        res = 1;
+    }
+#endif
 
     #ifdef WOLFSSL_DUMP_MEMIO_STREAM
     if (res == 0) {
@@ -40232,13 +40247,15 @@ int ApiTest(void)
     wc_ecc_fp_free();  /* free per thread cache */
 #endif
 
-    if (!testAll) {
-    #ifdef WOLFCRYPT_ONLY
-        wolfCrypt_Cleanup();
-    #else
-        wolfSSL_Cleanup();
-    #endif
-    }
+#ifdef WOLFSSL_SWDEV
+    wc_SwDev_Cleanup();
+#endif
+
+#ifdef WOLFCRYPT_ONLY
+    wolfCrypt_Cleanup();
+#else
+    wolfSSL_Cleanup();
+#endif
 
     (void)testDevId;
 

tests/api/test_ecc.c

@@ -785,9 +785,12 @@ int test_wc_ecc_import_x963(void)
 int test_wc_ecc_import_x963_off_curve(void)
 {
     EXPECT_DECLS;
+/* point-on-curve validation inside wc_ecc_import_x963 is raw math stripped
+ * by WOLF_CRYPTO_CB_ONLY_ECC; swdev cannot reach below the dispatch layer. */
 #if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_IMPORT) && \
     !defined(NO_ECC256) && !defined(NO_ECC_SECP) && \
-    (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && !defined(HAVE_SELFTEST)
+    (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && !defined(HAVE_SELFTEST) && \
+    !defined(WOLF_CRYPTO_CB_ONLY_ECC)
     ecc_key pubKey;
     /* Uncompressed X9.63 P-256 point: 0x04 || Gx || Gy with the last byte
      * of Gy flipped by 1. Gx/Gy are the NIST P-256 generator coordinates;