Merge pull request #9287 from douzzer/20251009-more-WOLFSSL_API_PREFIX_MAP

20251009-more-WOLFSSL_API_PREFIX_MAP

Author: dgarske

.github/workflows/symbol-prefixes.yml

@@ -0,0 +1,70 @@
+name: WOLFSSL_API_PREFIX_MAP
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  make_and_analyze:
+    strategy:
+      matrix:
+        config: [
+          '--enable-all --enable-mlkem --enable-mldsa --enable-xmss --enable-lms --enable-acert --with-sys-crypto-policy CFLAGS=-DWOLFSSL_API_PREFIX_MAP'
+        ]
+    name: make and analyze
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-22.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 6
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout wolfSSL
+
+      - name: Test --enable-opensslcoexist and TEST_OPENSSL_COEXIST
+        run: |
+          ./autogen.sh || $(exit 2)
+          ./configure ${{ matrix.config }} || $(exit 3)
+          make -j 4 || $(exit 4)
+          # ignore properly prefixed symbols, and symbols associated with asm implementations (all internal) regardless of prefix:
+          readelf --symbols --wide src/.libs/libwolfssl.so | \
+          awk '
+          BEGIN {
+              total_public_symbols = 0;
+              unprefixed_public_symbols = 0;
+          }
+          {
+              if (($5 == "GLOBAL") && ($6 != "HIDDEN") && ($7 ~ /^[0-9]+$/)) {
+                  ++total_public_symbols;
+              }
+          }
+          {
+              if (($7 !~ /^[0-9]+$/) ||
+                  ($8 ~ /^(wc_|wolf|WOLF|__pfx|fe_|sp_[a-zA-Z090-0_]*[0-9])/) ||
+                  ($8 ~ /(_avx[12]|_AVX[12]|_sse[12]|_SSE[12]|_aesni|_AESNI|_bmi2|_x64$)/))
+              {
+                  next;
+              }
+          }
+          {
+              if (($4 == "FUNC") && ($5 == "GLOBAL") && ($6 == "DEFAULT")) {
+                  ++unprefixed_public_symbols;
+                  print;
+              }
+          }
+          END {
+              if (unprefixed_public_symbols) {
+                  print unprefixed_public_symbols " unprefixed public symbols found, of " total_public_symbols " total." >"/dev/stderr";
+                  exit(1);
+              } else {
+                  print total_public_symbols " public symbols found in libwolfssl, all OK.";
+                  exit(0);
+              }
+          }' || $(exit 5)

configure.ac

@@ -1503,14 +1503,14 @@ AC_ARG_WITH([liboqs],
 # MLKEM
 # Used:
 #  - SHA3, Shake128 and Shake256
-AC_ARG_ENABLE([kyber],
-    [AS_HELP_STRING([--enable-kyber],[Enable Kyber/MLKEM (default: disabled)])],
+AC_ARG_ENABLE([mlkem],
+    [AS_HELP_STRING([--enable-mlkem],[Enable MLKEM (default: disabled)])],
     [ ENABLED_MLKEM=$enableval ],
     [ ENABLED_MLKEM=no ]
     )
-# note, inherits default from "kyber" clause above.
-AC_ARG_ENABLE([mlkem],
-    [AS_HELP_STRING([--enable-mlkem],[Enable MLKEM (default: disabled)])],
+# note, inherits default from "mlkem" clause above.
+AC_ARG_ENABLE([kyber],
+    [AS_HELP_STRING([--enable-kyber],[Enable Kyber/MLKEM (default: disabled)])],
     [ ENABLED_MLKEM=$enableval ]
     )
 
@@ -1639,11 +1639,16 @@ fi
 
 # Dilithium
 #  - SHA3, Shake128, Shake256 and AES-CTR
-AC_ARG_ENABLE([dilithium],
-    [AS_HELP_STRING([--enable-dilithium],[Enable DILITHIUM (default: disabled)])],
+AC_ARG_ENABLE([mldsa],
+    [AS_HELP_STRING([--enable-mldsa],[Enable MLDSA (default: disabled)])],
     [ ENABLED_DILITHIUM=$enableval ],
     [ ENABLED_DILITHIUM=no ]
     )
+# note, inherits default from "mldsa" clause above.
+AC_ARG_ENABLE([dilithium],
+    [AS_HELP_STRING([--enable-dilithium],[Enable Dilithium/MLDSA (default: disabled)])],
+    [ ENABLED_DILITHIUM=$enableval ]
+    )
 
 ENABLED_DILITHIUM_OPTS=$ENABLED_DILITHIUM
 ENABLED_DILITHIUM_MAKE_KEY=no
@@ -4924,15 +4929,6 @@ AC_ARG_ENABLE([tlsv12],
     [ ENABLED_TLSV12=yes ]
     )
 
-if test "$ENABLED_CRYPTONLY" = "yes"
-then
-    ENABLED_TLSV12=no
-fi
-if test "$ENABLED_TLSV12" = "no"
-then
-    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_TLS12 -DNO_OLD_TLS"
-fi
-
 # STACK SIZE info for testwolfcrypt and examples
 AC_ARG_ENABLE([stacksize],
     [AS_HELP_STRING([--enable-stacksize],[Enable stack size info on examples (default: disabled)])],

linuxkm/linuxkm_wc_port.h

@@ -228,6 +228,15 @@
 
     #include <linux/kconfig.h>
 
+    #ifdef CONFIG_KASAN
+        #ifndef WC_SANITIZE_DISABLE
+            #define WC_SANITIZE_DISABLE() kasan_disable_current()
+        #endif
+        #ifndef WC_SANITIZE_ENABLE
+            #define WC_SANITIZE_ENABLE() kasan_enable_current()
+        #endif
+    #endif
+
     #if defined(CONFIG_FORTIFY_SOURCE) && \
         !defined(WC_FORCE_LINUXKM_FORTIFY_SOURCE) && \
         (defined(HAVE_LINUXKM_PIE_SUPPORT) || \
@@ -1286,12 +1295,13 @@
         #endif /* WOLFSSL_USE_SAVE_VECTOR_REGISTERS */
     #endif /* !BUILDING_WOLFSSL */
 
-    /* Copied from wc_port.h: For FIPS keep the function names the same */
-    #ifdef HAVE_FIPS
-    #define wc_InitMutex   InitMutex
-    #define wc_FreeMutex   FreeMutex
-    #define wc_LockMutex   LockMutex
-    #define wc_UnLockMutex UnLockMutex
+    /* Copied from wc_port.h */
+    #if defined(HAVE_FIPS) && !defined(WOLFSSL_API_PREFIX_MAP)
+        /* For FIPS keep the function names the same */
+        #define wc_InitMutex   InitMutex
+        #define wc_FreeMutex   FreeMutex
+        #define wc_LockMutex   LockMutex
+        #define wc_UnLockMutex UnLockMutex
     #endif /* HAVE_FIPS */
 
     #ifdef WOLFSSL_LINUXKM_USE_MUTEXES

wolfcrypt/src/ge_operations.c

@@ -9817,4 +9817,17 @@ void ge_tobytes(unsigned char *s,const ge_p2 *h)
 }
 
 #endif /* !ED25519_SMALL */
+
+/* if HAVE_ED25519 but not HAVE_CURVE25519, and an asm implementation is built,
+ * then curve25519() won't get its WOLFSSL_LOCAL attribute unless we dummy-call
+ * it here.
+ */
+#if defined(WOLFSSL_API_PREFIX_MAP) && !defined(HAVE_CURVE25519) && \
+    !defined(FREESCALE_LTC_ECC)
+WOLFSSL_LOCAL void _wc_curve25519_dummy(void);
+WOLFSSL_LOCAL void _wc_curve25519_dummy(void) {
+    (void)curve25519((byte *)0, (byte *)0, (const byte *)0);
+}
+#endif
+
 #endif /* HAVE_ED25519 */

wolfcrypt/src/poly1305.c

@@ -139,29 +139,29 @@ static cpuid_flags_t intel_flags = WC_CPUID_INITIALIZER;
  * ctx  Poly1305 context.
  * m    One block of message data.
  */
-extern void poly1305_block_avx(Poly1305* ctx, const unsigned char *m);
+WOLFSSL_LOCAL void poly1305_block_avx(Poly1305* ctx, const unsigned char *m);
 /* Process multiple blocks (n * 16 bytes) of data.
  *
  * ctx    Poly1305 context.
  * m      Blocks of message data.
  * bytes  The number of bytes to process.
  */
-extern void poly1305_blocks_avx(Poly1305* ctx, const unsigned char* m,
+WOLFSSL_LOCAL void poly1305_blocks_avx(Poly1305* ctx, const unsigned char* m,
                                 size_t bytes);
 /* Set the key to use when processing data.
  * Initialize the context.
  *
  * ctx  Poly1305 context.
  * key  The key data (16 bytes).
  */
-extern void poly1305_setkey_avx(Poly1305* ctx, const byte* key);
+WOLFSSL_LOCAL void poly1305_setkey_avx(Poly1305* ctx, const byte* key);
 /* Calculate the final result - authentication data.
  * Zeros out the private data in the context.
  *
  * ctx  Poly1305 context.
  * mac  Buffer to hold 16 bytes.
  */
-extern void poly1305_final_avx(Poly1305* ctx, byte* mac);
+WOLFSSL_LOCAL void poly1305_final_avx(Poly1305* ctx, byte* mac);
 #endif
 
 #ifdef HAVE_INTEL_AVX2
@@ -171,29 +171,29 @@ extern void poly1305_final_avx(Poly1305* ctx, byte* mac);
  * m      Blocks of message data.
  * bytes  The number of bytes to process.
  */
-extern void poly1305_blocks_avx2(Poly1305* ctx, const unsigned char* m,
+WOLFSSL_LOCAL void poly1305_blocks_avx2(Poly1305* ctx, const unsigned char* m,
                                  size_t bytes);
 /* Calculate R^1, R^2, R^3 and R^4 and store them in the context.
  *
  * ctx    Poly1305 context.
  */
-extern void poly1305_calc_powers_avx2(Poly1305* ctx);
+WOLFSSL_LOCAL void poly1305_calc_powers_avx2(Poly1305* ctx);
 /* Set the key to use when processing data.
  * Initialize the context.
  * Calls AVX set key function as final function calls AVX code.
  *
  * ctx  Poly1305 context.
  * key  The key data (16 bytes).
  */
-extern void poly1305_setkey_avx2(Poly1305* ctx, const byte* key);
+WOLFSSL_LOCAL void poly1305_setkey_avx2(Poly1305* ctx, const byte* key);
 /* Calculate the final result - authentication data.
  * Zeros out the private data in the context.
  * Calls AVX final function to quickly process last blocks.
  *
  * ctx  Poly1305 context.
  * mac  Buffer to hold 16 bytes - authentication data.
  */
-extern void poly1305_final_avx2(Poly1305* ctx, byte* mac);
+WOLFSSL_LOCAL void poly1305_final_avx2(Poly1305* ctx, byte* mac);
 #endif
 
 #ifdef __cplusplus

wolfcrypt/test/test.c

@@ -608,14 +608,12 @@ static                  wc_test_ret_t  hkdf_test(void);
 WOLFSSL_TEST_SUBROUTINE wc_test_ret_t  hkdf_test(void);
 #endif
 #endif /* HAVE_HKDF && ! NO_HMAC */
-#ifdef WOLFSSL_HAVE_PRF
-#if defined(HAVE_HKDF) && !defined(NO_HMAC)
-#ifdef WOLFSSL_BASE16
+#if defined(WOLFSSL_HAVE_PRF) && defined(HAVE_HKDF) && !defined(NO_HMAC) && \
+    defined(WOLFSSL_BASE16) && !defined(WOLFSSL_NO_TLS12)
 WOLFSSL_TEST_SUBROUTINE wc_test_ret_t  tls12_kdf_test(void);
-#endif /* WOLFSSL_BASE16 */
-#endif /* WOLFSSL_HAVE_HKDF && !NO_HMAC */
-#endif /* WOLFSSL_HAVE_PRF */
-#if defined(WOLFSSL_HAVE_PRF) && !defined(NO_HMAC) && defined(WOLFSSL_SHA384)
+#endif
+#if defined(WOLFSSL_HAVE_PRF) && !defined(NO_HMAC) && \
+    defined(WOLFSSL_SHA384) && !defined(WOLFSSL_NO_TLS12)
 WOLFSSL_TEST_SUBROUTINE wc_test_ret_t  prf_test(void);
 #endif
 WOLFSSL_TEST_SUBROUTINE wc_test_ret_t  sshkdf_test(void);
@@ -1921,27 +1919,26 @@ options: [-s max_relative_stack_bytes] [-m max_relative_heap_memory_bytes]\n\
     PRIVATE_KEY_LOCK();
 #endif /* WOLFSSL_WOLFSSH */
 
-#if defined(WOLFSSL_HAVE_PRF) && !defined(NO_HMAC) && defined(WOLFSSL_SHA384)
+#if defined(WOLFSSL_HAVE_PRF) && !defined(NO_HMAC) && \
+    defined(WOLFSSL_SHA384) && !defined(WOLFSSL_NO_TLS12)
     PRIVATE_KEY_UNLOCK();
     if ( (ret = prf_test()) != 0)
         TEST_FAIL("PRF         test failed!\n", ret);
     else
         TEST_PASS("PRF         test passed!\n");
     PRIVATE_KEY_LOCK();
-#endif
+#endif /* WOLFSSL_HAVE_PRF && !NO_HMAC && WOLFSSL_SHA384 && !WOLFSSL_NO_TLS12 */
 
-#ifdef WOLFSSL_HAVE_PRF
-#if defined (HAVE_HKDF) && !defined(NO_HMAC)
-#ifdef WOLFSSL_BASE16
+#if defined(WOLFSSL_HAVE_PRF) && defined(HAVE_HKDF) && !defined(NO_HMAC) && \
+    defined(WOLFSSL_BASE16) && !defined(WOLFSSL_NO_TLS12)
     PRIVATE_KEY_UNLOCK();
     if ( (ret = tls12_kdf_test()) != 0)
         TEST_FAIL("TLSv1.2 KDF test failed!\n", ret);
     else
         TEST_PASS("TLSv1.2 KDF test passed!\n");
     PRIVATE_KEY_LOCK();
-#endif /* WOLFSSL_BASE16 */
-#endif /* WOLFSSL_HAVE_HKDF && !NO_HMAC */
-#endif /* WOLFSSL_HAVE_PRF */
+#endif /* WOLFSSL_HAVE_PRF && HAVE_HKDF && !NO_HMAC && */
+       /* WOLFSSL_BASE16 && !WOLFSSL_NO_TLS12 */
 
 #ifdef WOLFSSL_TLS13
     PRIVATE_KEY_UNLOCK();
@@ -28154,7 +28151,8 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t sshkdf_test(void)
 
 #endif /* WOLFSSL_WOLFSSH */
 
-#if defined(WOLFSSL_HAVE_PRF) && !defined(NO_HMAC) && defined(WOLFSSL_SHA384)
+#if defined(WOLFSSL_HAVE_PRF) && !defined(NO_HMAC) && \
+    defined(WOLFSSL_SHA384) && !defined(WOLFSSL_NO_TLS12)
 #define DIGL 12
 #define SECL 48
 #define LBSL 63
@@ -28203,11 +28201,10 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t prf_test(void)
 
     return 0;
 }
-#endif /* WOLFSSL_HAVE_PRF && !NO_HMAC */
+#endif /* WOLFSSL_HAVE_PRF && !NO_HMAC && WOLFSSL_SHA384 && !WOLFSSL_NO_TLS12 */
 
-#ifdef WOLFSSL_HAVE_PRF
-#if defined(HAVE_HKDF) && !defined(NO_HMAC)
-#ifdef WOLFSSL_BASE16
+#if defined(WOLFSSL_HAVE_PRF) && defined(HAVE_HKDF) && !defined(NO_HMAC) && \
+    defined(WOLFSSL_BASE16) && !defined(WOLFSSL_NO_TLS12)
 WOLFSSL_TEST_SUBROUTINE wc_test_ret_t tls12_kdf_test(void)
 {
     const char* preMasterSecret = "D06F9C19BFF49B1E91E4EFE97345D089"
@@ -28252,16 +28249,15 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t tls12_kdf_test(void)
         if (ret == WC_NO_ERR_TRACE(FIPS_PRIVATE_KEY_LOCKED_E)) {
             printf("    wc_PRF_TLSv12: Private key locked.\n");
         }
-        return WC_TEST_RET_ENC_NC;
+        return WC_TEST_RET_ENC_EC(ret);
     }
 
     if (XMEMCMP(result, ms, msSz) != 0)
         return WC_TEST_RET_ENC_NC;
     return 0;
 }
-#endif /* WOLFSSL_BASE16 */
-#endif /* WOLFSSL_HAVE_HKDF && !NO_HMAC */
-#endif /* WOLFSSL_HAVE_PRF */
+#endif /* WOLFSSL_HAVE_PRF && HAVE_HKDF && !NO_HMAC && */
+       /* WOLFSSL_BASE16 && !WOLFSSL_NO_TLS12 */
 
 #ifdef WOLFSSL_TLS13
 

wolfssl/internal.h

@@ -7000,6 +7000,12 @@ WOLFSSL_LOCAL void DtlsSetSeqNumForReply(WOLFSSL* ssl);
 #endif
 
 #ifdef WOLFSSL_DTLS13
+    #ifdef WOLFSSL_API_PREFIX_MAP
+        #define Dtls13GetEpoch wolfSSL_Dtls13GetEpoch
+        #define Dtls13CheckEpoch wolfSSL_Dtls13CheckEpoch
+        #define Dtls13WriteAckMessage wolfSSL_Dtls13WriteAckMessage
+        #define Dtls13RtxAddAck wolfSSL_Dtls13RtxAddAck
+    #endif
 
 WOLFSSL_TEST_VIS struct Dtls13Epoch* Dtls13GetEpoch(WOLFSSL* ssl,
     w64wrapper epochNumber);
@@ -7096,6 +7102,9 @@ typedef struct CRYPTO_EX_cb_ctx {
 } CRYPTO_EX_cb_ctx;
 
 WOLFSSL_TEST_VIS extern CRYPTO_EX_cb_ctx* crypto_ex_cb_ctx_session;
+#ifdef WOLFSSL_API_PREFIX_MAP
+    #define crypto_ex_cb_free wolfSSL_crypto_ex_cb_free
+#endif
 WOLFSSL_TEST_VIS void crypto_ex_cb_free(CRYPTO_EX_cb_ctx* cb_ctx);
 WOLFSSL_LOCAL void crypto_ex_cb_setup_new_data(void *new_obj,
         CRYPTO_EX_cb_ctx* cb_ctx, WOLFSSL_CRYPTO_EX_DATA* ex_data);

wolfssl/ssl.h

@@ -45,6 +45,14 @@
 #include "wolfssl/wolfcrypt/asn.h"
 #endif
 
+#if defined(NO_TLS) && !defined(WOLFSSL_NO_TLS12)
+    /* in NO_TLS builds, WOLFSSL_NO_TLS12 must be defined in the TLS layer, but
+     * must not be defined in the crypto layer, to allow building the TLS12
+     * KDFs.
+     */
+    #define WOLFSSL_NO_TLS12
+#endif
+
 /* For the types */
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 #include <wolfssl/openssl/compat_types.h>