CRYPTOCB_ONLY: add test infra + SHA256 + AES#10351
Open
rizlik wants to merge 6 commits intowolfSSL:masterfrom
Open
CRYPTOCB_ONLY: add test infra + SHA256 + AES#10351rizlik wants to merge 6 commits intowolfSSL:masterfrom
rizlik wants to merge 6 commits intowolfSSL:masterfrom
Conversation
Add a software crypto-callback device (wc_swdev) that lets the wolfcrypt test suite run under WOLF_CRYPTO_CB_ONLY_* flags without per-test devId plumbing. The bundle is a separately-compiled second copy of wolfcrypt (software implementations enabled, WOLF_CRYPTO_CB_ONLY_* stripped) linked into testwolfcrypt as a single relocatable object; every symbol is demoted to local via objcopy --keep-global-symbol except wc_SwDev_Callback, so there is no collision with the main libwolfssl. A find callback routes unbound operations (devId == INVALID_DEVID) to the swdev while letting real device IDs pass through. wc_SwDev_Init / wc_SwDev_Cleanup hooks are wired into wolfcrypt/test/test.c. cryptocb_test's WOLF_CRYPTO_CB_FIND and WOLF_CRYPTO_CB_ONLY_RSA blocks are gated off under WOLFSSL_SWDEV. Enable via --enable-swdev (requires --enable-cryptocb).
Extend the swdev callback to handle ECC operations: keygen, ECDH, sign, verify, get-size, get-sig-size. Relax WOLF_CRYPTO_CB_ONLY_ECC guards in the test suite so that tests run under swdev, and wire wc_SwDev_Init/Cleanup into testsuite, client, and server. Two tests are intentionally kept excluded even with swdev because they call raw ECC math primitives (wc_ecc_mulmod, on-curve validation in wc_ecc_import_x963) that are stripped below the cryptocb dispatch layer: - ecc_mulmod_test (wolfcrypt/test/test.c) - test_wc_ecc_import_x963_off_curve (tests/api/test_ecc.c)
Extend the swdev callback to handle RSA operations: public/private encrypt and decrypt, plus key generation.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds a wc_swdev software CryptoCb “device” intended to let existing test programs run in WOLF_CRYPTO_CB_ONLY_* configurations (no in-tree software implementation for selected algorithms) without external hardware, and extends CB_ONLY support to SHA-256 and AES.
Changes:
- Add
--enable-swdev(Autotools) and build/link infrastructure to buildtests/swdev/swdev.oand link it into test/example binaries. - Implement
WOLF_CRYPTO_CB_ONLY_SHA256andWOLF_CRYPTO_CB_ONLY_AESgating (settings/header checks, CryptoCb AES-ECB plumbing, and stripped software fallbacks for SHA-256/AES). - Update tests/examples to initialize and use swdev so CB_ONLY builds can still execute crypto operations through CryptoCb dispatch.
Reviewed changes
Copilot reviewed 30 out of 30 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| wolfssl/wolfcrypt/sha256.h | Disables raw SHA-256 state access when CB_ONLY_SHA256 strips the software transform. |
| wolfssl/wolfcrypt/settings.h | Ensures AES “direct” entry points exist as shims under CB_ONLY_AES; adds config incompatibility checks and CB_ONLY_* requires WOLF_CRYPTO_CB errors. |
| wolfssl/wolfcrypt/cryptocb.h | Exposes AES-ECB callback plumbing under AES_DIRECT/CB_ONLY_AES so CB_ONLY builds can still dispatch per-block operations. |
| wolfcrypt/test/test.h | Allows ECC buffer tests when CB_ONLY_ECC is paired with swdev. |
| wolfcrypt/test/test.c | Adds swdev init/cleanup in test runner and extends CB_ONLY test gating; adjusts various CB_ONLY conditions and PKCS7 devId usage. |
| wolfcrypt/test/include.am | Adds BUILD_SWDEV rules to build/link swdev.o into testwolfcrypt and clean build artifacts. |
| wolfcrypt/src/sha256.c | Implements CB_ONLY_SHA256 stripping behavior (no software transform; return NO_VALID_DEVID) and blocks SHA-224 when incompatible. |
| wolfcrypt/src/cryptocb.c | Documents new CB_ONLY_SHA256/CB_ONLY_AES options and builds AES-ECB CryptoCb entry points under AES_DIRECT/CB_ONLY_AES. |
| wolfcrypt/src/aes.c | Implements CB_ONLY_AES behavior (ECB shim, no software fallback paths, SetKey handling under CB_FIND, early returns for ECB routines). |
| testsuite/testsuite.c | Adds swdev init/cleanup and loosens CB_ONLY RSA/ECC gates when swdev is enabled. |
| testsuite/include.am | Links swdev loader/object into testsuite binary when enabled. |
| tests/unit.c | Adds swdev init/cleanup around wolfcrypt tests and around SuiteTest execution. |
| tests/swdev/user_settings.h | New: swdev build config that inherits wolfssl/options.h but undefines CB_ONLY gates to keep software implementations. |
| tests/swdev/swdev_loader.h | New: public loader API for registering/unregistering swdev into the main build’s CryptoCb table. |
| tests/swdev/swdev_loader.c | New: registers the swdev callback device and installs a CryptoCb find callback. |
| tests/swdev/swdev.h | New: swdev’s exported callback symbol definition. |
| tests/swdev/swdev.c | New: swdev CryptoCb callback implementation delegating to software primitives with state shadowing for SHA-256/AES. |
| tests/swdev/Makefile | New: standalone/invoked build to compile a mirrored source set into swdev.o and enforce symbol visibility. |
| tests/swdev/.gitignore | New: ignores swdev build artifacts. |
| tests/suites.c | Allows suite execution in CB_ONLY RSA/ECC configurations when swdev is enabled. |
| tests/include.am | Links swdev loader/object into unit test binary when enabled. |
| tests/api/test_pkcs7.c | Uses testDevId consistently when creating/initializing PKCS7 structures. |
| tests/api/test_ecc.c | Skips an off-curve import test when CB_ONLY_ECC strips required raw math. |
| tests/api.c | Adds swdev init/cleanup to API test harness and adjusts CB_ONLY gating for CryptoCb tests/IO-dependent sections. |
| examples/server/server.c | Adds swdev init/cleanup inside server_test when enabled. |
| examples/server/include.am | Links swdev loader/object into server example when enabled. |
| examples/client/include.am | Links swdev loader/object into client example when enabled. |
| examples/client/client.c | Adds swdev init/cleanup inside client_test when enabled. |
| configure.ac | Adds --enable-swdev configure option; forces WOLFSSL_SWDEV and WOLF_CRYPTO_CB_FIND when enabled; defines BUILD_SWDEV automake conditional. |
| .github/workflows/cryptocb-only.yml | New CI workflow to run make check across CB_ONLY_* matrices using swdev. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+20
to
+27
| /* always re-register: cryptocb table is wiped by wolfCrypt_Cleanup */ | ||
| ret = wc_CryptoCb_RegisterDevice(WC_SWDEV_ID, wc_SwDev_Callback, NULL); | ||
| if (ret != 0) | ||
| return ret; | ||
|
|
||
| #ifdef WOLF_CRYPTO_CB_FIND | ||
| wc_CryptoCb_SetDeviceFindCb(wc_SwDev_FindCb); | ||
| #endif |
Comment on lines
+33
to
+44
| void wc_SwDev_Cleanup(void) | ||
| { | ||
| if (!swdev_registered) | ||
| return; | ||
|
|
||
| #ifdef WOLF_CRYPTO_CB_FIND | ||
| wc_CryptoCb_SetDeviceFindCb(NULL); | ||
| #endif | ||
|
|
||
| wc_CryptoCb_UnRegisterDevice(WC_SWDEV_ID); | ||
| swdev_registered = 0; | ||
| } |
Comment on lines
+4266
to
+4270
| #ifdef WOLFSSL_SWDEV | ||
| if (wc_SwDev_Init() != 0) { | ||
| fprintf(stderr, "wc_SwDev_Init failed\n"); | ||
| return EXIT_FAILURE; | ||
| } |
Comment on lines
+5061
to
+5066
| #ifdef WOLFSSL_SWDEV | ||
| if (wc_SwDev_Init() != 0) { | ||
| fprintf(stderr, "wc_SwDev_Init failed\n"); | ||
| return EXIT_FAILURE; | ||
| } | ||
| #endif |
Comment on lines
37716
to
+37720
| static void TestSetup(void) | ||
| { | ||
| /* Stub, for now. Add common test setup code here. */ | ||
| #ifdef WOLFSSL_SWDEV | ||
| (void)wc_SwDev_Init(); | ||
| #endif |
Comment on lines
68090
to
68091
| if (check) { | ||
| FREE(check, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); |
…wdev Add WOLF_CRYPTO_CB_ONLY_SHA256: when set, the SHA-256 software. wc_Sha256FinalRaw is reduced to a stub returning NO_VALID_DEVID, and sha256.h force-defines WOLFSSL_NO_HASH_RAW so the constant-time TLS HMAC path falls back to its backend-opaque variant. Incompatible with WOLFSSL_SHA224, which aliases the SHA-256 statics; #error guard added. Add wc_swdev support for SHA-256 for testing.
Modes (CTR, GCM, CCM, etc.) can be supported either directly or fallback to invoking the crypto callback with a "direct" (ECB) mode. Software implementation and AES tables are stripped under CB_ONLY_AES. wc_swdev gains AES support so WOLF_CRYPTO_CB_ONLY_AES builds can be tested. crypto find cb support added to wc_AesSetKey in order to support current CI tests that use INVALID_DEVID.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds
wc_swdev, a software CryptoCb device used by the test programs to exerciseWOLF_CRYPTO_CB_ONLY_*builds without requiring external hardware.swdevmirrors the parentlibwolfSSL source set and build flags, while undefining the
WOLF_CRYPTO_CB_ONLY_*gates internally so itcan provide the software implementation behind the CryptoCb dispatch layer.
The PR also add
CRYPTO_CB_ONLY_AESandCRYPTO_CB_ONLY_SHA256 support