From de5e1ad0d617ef33a8e7df397cd3913c375649a0 Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Tue, 30 Sep 2025 07:37:54 -0400 Subject: [PATCH 1/6] add scan build github action --- .github/workflows/static-analysis.yml | 32 ++++++++++++++++++- Makefile | 29 +++++++++++++++++ benchmark/Makefile | 13 ++++++++ examples/demo/client/wh_demo_client_crypto.c | 3 ++ .../demo/client/wh_demo_client_keystore.c | 2 +- examples/demo/client/wh_demo_client_secboot.c | 28 ++++++++++++++++ examples/posix/wh_posix_client/Makefile | 19 ++++++++++- .../posix/wh_posix_client/wh_posix_client.c | 4 +-- examples/posix/wh_posix_server/Makefile | 17 ++++++++++ .../posix/wh_posix_server/wh_posix_server.c | 16 +++++++--- .../wh_posix_server/wh_posix_server_cfg.c | 8 ++++- test/Makefile | 13 ++++++++ tools/whnvmtool/Makefile | 26 ++++++++++++++- wolfhsm/wh_client.h | 2 ++ 14 files changed, 200 insertions(+), 12 deletions(-) diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml index e0821d3d6..80a77c552 100644 --- a/.github/workflows/static-analysis.yml +++ b/.github/workflows/static-analysis.yml @@ -63,6 +63,37 @@ jobs: echo "❌ Static analysis failed - errors or warnings were found" exit 1 + scan-build: + runs-on: ubuntu-latest + + steps: + - name: Checkout wolfHSM + uses: actions/checkout@v4 + with: + path: wolfHSM + + - name: Checkout wolfssl + uses: actions/checkout@v4 + with: + repository: wolfssl/wolfssl + path: wolfssl + + - name: Install dependencies + run: | + sudo apt-get update + sudo apt-get install -y clang build-essential clang-tools + + - name: Run scan-build + id: scan-build + run: + cd wolfHSM && make scan + + - name: Fail if scan-build issues found + if: steps.scan-build.outcome == 'failure' + run: | + echo "❌ scan-build analysis failed - errors or warnings were found" + exit 1 + clang-tidy: runs-on: ubuntu-latest @@ -106,7 +137,6 @@ jobs: echo "" # Show first 50 issues to avoid overwhelming output head -50 tools/static-analysis/reports/clang_tidy_summary.txt - TOTAL_ISSUES=$((ERROR_COUNT + WARNING_COUNT)) if [ "$TOTAL_ISSUES" -gt 50 ]; then echo "" diff --git a/Makefile b/Makefile index 479760479..f088ef2d0 100644 --- a/Makefile +++ b/Makefile @@ -15,6 +15,35 @@ tools: examples: make -C examples +SCAN_DIR = ./scan_out + +scan_result_check: + @num=$$(grep -h -o '^[0-9]\+ warnings\? generated' ./$(SCAN_DIR)/*.log | grep -o '^[0-9]\+' | awk '{s+=$$1} END {print s}');\ + if [ -z "$$num" ]; then \ + echo "no warnings found";\ + exit 0; \ + fi; \ + if [ $$num -ne 0 ]; then \ + echo "scan-build found $$num warnings";\ + for f in $(SCAN_DIR)/*.log; do \ + echo "---- $$f ----"; \ + cat $$f; \ + echo ""; \ + done; \ + exit 1; \ + fi; + +scan: + @echo "Running scan-build static analysis" + @rm -rf $(SCAN_DIR) + @mkdir -p $(SCAN_DIR) + @make clean + -@make SCAN=1 -C test scan + -@make SCAN=1 -C benchmark scan + -@make NOCRYPTO=1 SCAN=1 -C tools/whnvmtool scan + -@make NOCRYPTO=1 SCAN=1 -C examples + @$(MAKE) scan_result_check + clean: make -C test clean make -C benchmark clean diff --git a/benchmark/Makefile b/benchmark/Makefile index 48ba9c324..45273ed9b 100644 --- a/benchmark/Makefile +++ b/benchmark/Makefile @@ -103,6 +103,12 @@ ifeq ($(NOCRYPTO),1) DEF += -DWOLFHSM_CFG_NO_CRYPTO endif +ifeq ($(SCAN),1) + SCAN_LOG = scan_benchmark.log + # Default target + .DEFAULT_GOAL := scan +endif + # Support a DMA-capable build ifeq ($(DMA),1) DEF += -DWOLFHSM_CFG_DMA @@ -161,6 +167,13 @@ build_static: $(BUILD_DIR) $(BUILD_DIR)/$(BIN).a @echo "" $(CMD_ECHO) $(SIZE) $(BUILD_DIR)/$(BIN).a +analyze: $(OBJS_ASM) $(OBJS_C) + +scan:$(BUILD_DIR) + @echo "Running scan-build static analysis" + @mkdir -p $(WOLFHSM_DIR)/scan_out/ + @scan-build --status-bugs $(MAKE) analyze 2> $(WOLFHSM_DIR)/scan_out/$(SCAN_LOG) + $(BUILD_DIR): $(CMD_ECHO) mkdir -p $(BUILD_DIR) diff --git a/examples/demo/client/wh_demo_client_crypto.c b/examples/demo/client/wh_demo_client_crypto.c index 3c14132aa..8e8da5d36 100644 --- a/examples/demo/client/wh_demo_client_crypto.c +++ b/examples/demo/client/wh_demo_client_crypto.c @@ -40,6 +40,8 @@ #include "wh_demo_client_crypto.h" +#ifndef WOLFHSM_CFG_NO_CRYPTO + #if !defined(NO_RSA) /* @@ -1501,3 +1503,4 @@ int wh_DemoClient_CryptoHkdfCacheInputKey(whClientContext* clientContext) return ret; } #endif /* HAVE_HKDF */ +#endif /* WOLFHSM_CFG_NO_CRYPTO */ diff --git a/examples/demo/client/wh_demo_client_keystore.c b/examples/demo/client/wh_demo_client_keystore.c index 8acced7fe..309e611ea 100644 --- a/examples/demo/client/wh_demo_client_keystore.c +++ b/examples/demo/client/wh_demo_client_keystore.c @@ -121,7 +121,7 @@ int wh_DemoClient_KeystoreCommitKey(whClientContext* clientContext) return WH_ERROR_OK; } -#ifndef NO_AES +#if !defined(NO_AES) && !defined(WOLFHSM_CFG_NO_CRYPTO) int wh_DemoClient_KeystoreAes(whClientContext* clientContext) { int ret; diff --git a/examples/demo/client/wh_demo_client_secboot.c b/examples/demo/client/wh_demo_client_secboot.c index e06affd38..17cf5e77d 100644 --- a/examples/demo/client/wh_demo_client_secboot.c +++ b/examples/demo/client/wh_demo_client_secboot.c @@ -98,6 +98,7 @@ static int _showNvm(whClientContext* clientContext) static int _provisionMakeCommitKey(whClientContext* clientContext) { +#ifndef WOLFHSM_CFG_NO_CRYPTO int ret; /* Use the default ECC curve for 32 byte key, likely P256r1 */ @@ -112,10 +113,15 @@ static int _provisionMakeCommitKey(whClientContext* clientContext) ret = wh_Client_KeyCommit(clientContext, prov_keyId); } return ret; +#else + (void)clientContext; + return WH_ERROR_NOTIMPL; +#endif } static int _sha256File(const char* file_to_measure, uint8_t* hash) { +#ifndef WOLFHSM_CFG_NO_CRYPTO int ret = 0; int fd = open(file_to_measure, O_RDONLY); if (fd >= 0) { @@ -149,11 +155,17 @@ static int _sha256File(const char* file_to_measure, uint8_t* hash) ret = WH_ERROR_BADARGS; } return ret; +#else + (void)file_to_measure; + (void)hash; + return WH_ERROR_NOTIMPL; +#endif } static int _signHash(const uint8_t* hash, size_t hash_len, uint8_t* sig, uint16_t* sig_len) { +#ifndef WOLFHSM_CFG_NO_CRYPTO ecc_key key[1]; int ret = wc_ecc_init_ex(key, NULL, WH_DEV_ID); if (ret == 0) { @@ -169,11 +181,19 @@ static int _signHash(const uint8_t* hash, size_t hash_len, uint8_t* sig, (void)wc_ecc_free(key); } return ret; +#else + (void)hash; + (void)hash_len; + (void)sig; + (void)sig_len; + return WH_ERROR_NOTIMPL; +#endif } static int _verifyHash(const uint8_t* hash, size_t hash_len, const uint8_t* sig, uint16_t sig_len, int32_t* rc) { +#ifndef WOLFHSM_CFG_NO_CRYPTO ecc_key key[1]; int ret = wc_ecc_init_ex(key, NULL, WH_DEV_ID); if (ret == 0) { @@ -189,6 +209,14 @@ static int _verifyHash(const uint8_t* hash, size_t hash_len, const uint8_t* sig, (void)wc_ecc_free(key); } return ret; +#else + (void)hash; + (void)hash_len; + (void)sig; + (void)sig_len; + (void)rc; + return WH_ERROR_NOTIMPL; +#endif } int wh_DemoClient_SecBoot_Provision(whClientContext* clientContext) diff --git a/examples/posix/wh_posix_client/Makefile b/examples/posix/wh_posix_client/Makefile index 33c8a8101..d053deb6e 100644 --- a/examples/posix/wh_posix_client/Makefile +++ b/examples/posix/wh_posix_client/Makefile @@ -85,6 +85,7 @@ endif # Assembly source files SRC_ASM += +ifneq ($(NOCRYPTO),1) # wolfCrypt source files SRC_C += $(wildcard $(WOLFSSL_DIR)/wolfcrypt/src/*.c) @@ -108,6 +109,16 @@ endif SRC_C += $(wildcard $(WOLFSSL_DIR)/wolfcrypt/test/*.c) SRC_C += $(wildcard $(WOLFSSL_DIR)/wolfcrypt/benchmark/*.c) +else +DEF += -DWOLFHSM_CFG_NO_CRYPTO +endif + +ifeq ($(SCAN),1) +SCAN_LOG = scan_posix_client.log +# Default target +.DEFAULT_GOAL := scan +endif + # wolfHSM source files SRC_C += $(wildcard $(WOLFHSM_DIR)/src/*.c) @@ -170,6 +181,13 @@ $(BUILD_DIR)/$(BIN).a: $(OBJS_ASM) $(OBJS_C) @echo "Building static library: $(notdir $@)" $(CMD_ECHO) $(AR) -r $@ $^ +analyze: $(OBJS_ASM) $(OBJS_C) + +scan:$(BUILD_DIR) + @echo "Running scan-build static analysis" + @mkdir -p $(WOLFHSM_DIR)/scan_out/ + @scan-build --status-bugs $(MAKE) analyze 2> $(WOLFHSM_DIR)/scan_out/$(SCAN_LOG) + clean: @echo "Cleaning build files" @rm -f \ @@ -180,4 +198,3 @@ clean: $(BUILD_DIR)/*.a \ $(BUILD_DIR)/*.sym \ $(BUILD_DIR)/*.disasm - diff --git a/examples/posix/wh_posix_client/wh_posix_client.c b/examples/posix/wh_posix_client/wh_posix_client.c index 9e98b5da0..f884a4f55 100644 --- a/examples/posix/wh_posix_client/wh_posix_client.c +++ b/examples/posix/wh_posix_client/wh_posix_client.c @@ -124,7 +124,7 @@ static int wh_ClientTask(void* cf, const char* type, int test) break; } } - +#if defined(DWOLFHSM_CFG_NO_CRYPTO) /* Context 1: Client Local Crypto */ WC_RNG rng[1]; uint8_t buffer[128] = {0}; @@ -139,7 +139,7 @@ static int wh_ClientTask(void* cf, const char* type, int test) wc_RNG_GenerateBlock(rng, buffer, sizeof(buffer)); wc_FreeRng(rng); wh_Utils_Hexdump("Context 2: Client Remote RNG:\n", buffer, sizeof(buffer)); - +#endif (void)wh_Client_CommClose(client); (void)wh_Client_Cleanup(client); diff --git a/examples/posix/wh_posix_server/Makefile b/examples/posix/wh_posix_server/Makefile index 7765e46e7..677edcb6d 100644 --- a/examples/posix/wh_posix_server/Makefile +++ b/examples/posix/wh_posix_server/Makefile @@ -86,9 +86,19 @@ endif SRC_ASM += # wolfCrypt source files +ifneq ($(NOCRYPTO),1) SRC_C += $(wildcard $(WOLFSSL_DIR)/wolfcrypt/src/*.c) # wolfSSL source files SRC_C += $(wildcard $(WOLFSSL_DIR)/src/*.c) +else +DEF += -DWOLFHSM_CFG_NO_CRYPTO +endif + +ifeq ($(SCAN),1) +SCAN_LOG = scan_posix_server.log +# Default target +.DEFAULT_GOAL := scan +endif # wolfHSM source files SRC_C += $(wildcard $(WOLFHSM_DIR)/src/*.c) @@ -124,6 +134,13 @@ build_static: $(BUILD_DIR) $(BUILD_DIR)/$(BIN).a @echo "" $(CMD_ECHO) $(SIZE) $(BUILD_DIR)/$(BIN).a +analyze: $(OBJS_ASM) $(OBJS_C) + +scan:$(BUILD_DIR) + @echo "Running scan-build static analysis" + @mkdir -p $(WOLFHSM_DIR)/scan_out/ + @scan-build --status-bugs $(MAKE) analyze 2> $(WOLFHSM_DIR)/scan_out/$(SCAN_LOG) + $(BUILD_DIR): $(CMD_ECHO) mkdir -p $(BUILD_DIR) diff --git a/examples/posix/wh_posix_server/wh_posix_server.c b/examples/posix/wh_posix_server/wh_posix_server.c index dc97c24cf..7a691fab1 100644 --- a/examples/posix/wh_posix_server/wh_posix_server.c +++ b/examples/posix/wh_posix_server/wh_posix_server.c @@ -35,8 +35,9 @@ static int wh_ServerTask(void* cf, const char* keyFilePath, int keyId, int clientId); static void _sleepMs(long milliseconds); +#if !defined(WOLFHSM_CFG_NO_CRYPTO) static int _hardwareCryptoCb(int devId, struct wc_CryptoInfo* info, void* ctx); - +#endif static void _sleepMs(long milliseconds) { struct timespec req; @@ -217,7 +218,7 @@ static int wh_ServerTask(void* cf, const char* keyFilePath, int keyId, } return ret; } - +#if !defined(WOLFHSM_CFG_NO_CRYPTO) static int _hardwareCryptoCb(int devId, struct wc_CryptoInfo* info, void* ctx) { (void)devId; @@ -254,7 +255,7 @@ static int _hardwareCryptoCb(int devId, struct wc_CryptoInfo* info, void* ctx) } return ret; } - +#endif static void Usage(const char* exeName) { printf("Usage: %s --key --id --client " @@ -342,7 +343,7 @@ int main(int argc, char** argv) printf("Failed to initialize NVM: %d\n", rc); return rc; } - +#if !defined(WOLFHSM_CFG_NO_CRYPTO) /* Crypto context */ whServerCryptoContext crypto[1] = {{ .devId = INVALID_DEVID, @@ -405,6 +406,11 @@ int main(int argc, char** argv) printf("Failed to wolfCrypt_Cleanup: %d\n", rc); return rc; } - +#else + (void)keyFilePath; + (void)keyId; + (void)clientId; + (void)wh_ServerTask; +#endif return rc; } diff --git a/examples/posix/wh_posix_server/wh_posix_server_cfg.c b/examples/posix/wh_posix_server/wh_posix_server_cfg.c index c694422d7..69ef58022 100644 --- a/examples/posix/wh_posix_server/wh_posix_server_cfg.c +++ b/examples/posix/wh_posix_server/wh_posix_server_cfg.c @@ -1,7 +1,13 @@ /* * Example server app using POSIX transport */ - +#if defined(WOLFHSM_CFG_NO_CRYPTO) +#include /* For printf */ +#include /* For atoi */ +#include /* For memset, memcpy, strcmp */ +#include +#include +#endif #include "wh_posix_cfg.h" #include "wh_posix_server_cfg.h" diff --git a/test/Makefile b/test/Makefile index 8ca8f65b8..987564c28 100644 --- a/test/Makefile +++ b/test/Makefile @@ -102,6 +102,12 @@ ifeq ($(NOCRYPTO),1) DEF += -DWOLFHSM_CFG_NO_CRYPTO endif +ifeq ($(SCAN),1) + SCAN_LOG = scan_test.log + # Default target + .DEFAULT_GOAL := scan +endif + # Support a DMA-capable build ifeq ($(DMA),1) DEF += -DWOLFHSM_CFG_DMA @@ -210,6 +216,13 @@ build_static: $(BUILD_DIR) $(BUILD_DIR)/$(BIN).a @echo "" $(CMD_ECHO) $(SIZE) $(BUILD_DIR)/$(BIN).a +analyze:$(OBJS_ASM) $(OBJS_C) + +scan:$(BUILD_DIR) + @echo "Running scan-build static analysis" + @mkdir -p $(WOLFHSM_DIR)/scan_out/ + @scan-build --status-bugs $(MAKE) analyze 2> $(WOLFHSM_DIR)/scan_out/$(SCAN_LOG) + $(BUILD_DIR): $(CMD_ECHO) mkdir -p $(BUILD_DIR) diff --git a/tools/whnvmtool/Makefile b/tools/whnvmtool/Makefile index ec86f5751..355fdfd88 100644 --- a/tools/whnvmtool/Makefile +++ b/tools/whnvmtool/Makefile @@ -27,12 +27,22 @@ WOLFCRYPT_SRC = \ $(WOLFSSL_DIR)/wolfcrypt/src/ecc.c \ $(WOLFSSL_DIR)/wolfcrypt/src/cmac.c - +ifneq ($(NOCRYPTO),1) SRC = \ $(WOLFHSM_SRC) \ $(WOLFCRYPT_SRC) \ $(TARGET).c +else +SRC = \ + $(WOLFHSM_SRC) \ + $(TARGET).c +endif +ifeq ($(SCAN),1) +SCAN_LOG = scan_whnvmtool.log +# Default target +.DEFAULT_GOAL := scan +endif INCLUDE_DIRS = \ -I$(WOLFHSM_DIR) \ @@ -81,6 +91,20 @@ test: $(OUT) test-gen $(MAKE) -C test/ CFLAGS_EXTRA="-DFLASH_ERASED_BYTE=0x00 $(CFLAGS_EXTRA)" WOLFSSL_DIR=$$(realpath $(WOLFSSL_DIR)) cd test && ./test_whnvmtool +analyze: $(SRC) + @set -e; \ + for f in $(SRC); do \ + base=$(basename $$f .c); \ + obj=$$base.o; \ + echo "Analyzing $$f..."; \ + $(CC) $(CFLAGS) -c $$f -o $$obj;\ + done + +scan: + @echo "Running scan-build static analysis" + @mkdir -p $(WOLFHSM_DIR)/scan_out/ + @scan-build --status-bugs $(MAKE) analyze 2> $(WOLFHSM_DIR)/scan_out/$(SCAN_LOG) + clean: clean-test rm -f whNvmImage.bin whNvmImage.hex rm -f $(OUT) diff --git a/wolfhsm/wh_client.h b/wolfhsm/wh_client.h index 87f082ea0..7b2f58662 100644 --- a/wolfhsm/wh_client.h +++ b/wolfhsm/wh_client.h @@ -73,6 +73,8 @@ enum WH_CLIENT_DEVID_ENUM { #endif }; extern const int WH_DEV_IDS_ARRAY[WH_NUM_DEVIDS]; +#else +#define WH_DEV_ID -2 /* invalid ID for compile purpose */ #endif /** Client DMA address translation and validation */ From 978da05697d3c9b3b04c148b080cfaa924b0053d Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Thu, 2 Oct 2025 19:08:24 -0400 Subject: [PATCH 2/6] Addressed code review comments handle error --- Makefile | 18 ++++++++++++------ tools/whnvmtool/Makefile | 10 ++++------ 2 files changed, 16 insertions(+), 12 deletions(-) diff --git a/Makefile b/Makefile index f088ef2d0..19ddd4708 100644 --- a/Makefile +++ b/Makefile @@ -18,13 +18,19 @@ examples: SCAN_DIR = ./scan_out scan_result_check: - @num=$$(grep -h -o '^[0-9]\+ warnings\? generated' ./$(SCAN_DIR)/*.log | grep -o '^[0-9]\+' | awk '{s+=$$1} END {print s}');\ - if [ -z "$$num" ]; then \ - echo "no warnings found";\ - exit 0; \ + @err=$$(grep -h -o 'error: .*' ./$(SCAN_DIR)/*.log | wc -l); \ + if [ -z "$$err" ]; then \ + err=0; \ + fi; \ + wrn=$$(grep -h -o '^[0-9]\+ warnings\? generated' ./$(SCAN_DIR)/*.log | grep -o '^[0-9]\+' | awk '{s+=$$1} END {print s}');\ + if [ -z "$$wrn" ]; then \ + wrn=0; \ fi; \ - if [ $$num -ne 0 ]; then \ - echo "scan-build found $$num warnings";\ + if [ $$err -eq 0 -a $$wrn -eq 0 ]; then \ + echo "no errors or warnings found";\ + exit 0; \ + else\ + echo "scan-build detected $$err errors and $$wrn warnings";\ for f in $(SCAN_DIR)/*.log; do \ echo "---- $$f ----"; \ cat $$f; \ diff --git a/tools/whnvmtool/Makefile b/tools/whnvmtool/Makefile index 355fdfd88..2c2570dd4 100644 --- a/tools/whnvmtool/Makefile +++ b/tools/whnvmtool/Makefile @@ -27,15 +27,13 @@ WOLFCRYPT_SRC = \ $(WOLFSSL_DIR)/wolfcrypt/src/ecc.c \ $(WOLFSSL_DIR)/wolfcrypt/src/cmac.c -ifneq ($(NOCRYPTO),1) -SRC = \ - $(WOLFHSM_SRC) \ - $(WOLFCRYPT_SRC) \ - $(TARGET).c -else SRC = \ $(WOLFHSM_SRC) \ $(TARGET).c + +ifneq ($(NOCRYPTO),1) +SRC += \ + $(WOLFCRYPT_SRC) endif ifeq ($(SCAN),1) From ebc2aed338af3dbf8a540ec94f29b16f3c3b1b13 Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Thu, 9 Oct 2025 13:53:56 -0400 Subject: [PATCH 3/6] Addressed code review comment --- examples/posix/wh_posix_server/wh_posix_server_cfg.c | 8 +------- wolfhsm/wh_server.h | 4 +++- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/examples/posix/wh_posix_server/wh_posix_server_cfg.c b/examples/posix/wh_posix_server/wh_posix_server_cfg.c index 69ef58022..a49561853 100644 --- a/examples/posix/wh_posix_server/wh_posix_server_cfg.c +++ b/examples/posix/wh_posix_server/wh_posix_server_cfg.c @@ -1,13 +1,7 @@ /* * Example server app using POSIX transport */ -#if defined(WOLFHSM_CFG_NO_CRYPTO) -#include /* For printf */ -#include /* For atoi */ -#include /* For memset, memcpy, strcmp */ -#include -#include -#endif +/*#if defined(WOLFHSM_CFG_NO_CRYPTO)*/ #include "wh_posix_cfg.h" #include "wh_posix_server_cfg.h" diff --git a/wolfhsm/wh_server.h b/wolfhsm/wh_server.h index 664fcd993..a27c39cb4 100644 --- a/wolfhsm/wh_server.h +++ b/wolfhsm/wh_server.h @@ -44,9 +44,11 @@ typedef struct whServerContext_t whServerContext; #include "wolfhsm/wh_dma.h" #endif /* WOLFHSM_CFG_DMA */ +/* WolfCrypt types and defines */ +#include "wolfssl/wolfcrypt/types.h" + #ifndef WOLFHSM_CFG_NO_CRYPTO #include "wolfssl/wolfcrypt/settings.h" -#include "wolfssl/wolfcrypt/types.h" #include "wolfssl/wolfcrypt/random.h" #include "wolfssl/wolfcrypt/rsa.h" #include "wolfssl/wolfcrypt/ecc.h" From b722709828dc69142ccc2762bf2c632edcf555fc Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Thu, 9 Oct 2025 14:29:08 -0400 Subject: [PATCH 4/6] fix posix tcp example with NO CRYPT --- examples/posix/wh_posix_client/wolfhsm_cfg.h | 2 ++ examples/posix/wh_posix_server/wolfhsm_cfg.h | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/examples/posix/wh_posix_client/wolfhsm_cfg.h b/examples/posix/wh_posix_client/wolfhsm_cfg.h index 35e01b274..c699a3b27 100644 --- a/examples/posix/wh_posix_client/wolfhsm_cfg.h +++ b/examples/posix/wh_posix_client/wolfhsm_cfg.h @@ -29,6 +29,8 @@ #define WOLFHSM_CFG_ENABLE_CLIENT #define WOLFHSM_CFG_HEXDUMP #define WOLFHSM_CFG_COMM_DATA_LEN 5000 +#ifndef WOLFHSM_CFG_NO_CRYPTO #define WOLFHSM_CFG_KEYWRAP +#endif #endif /* WOLFHSM_CFG_H_ */ diff --git a/examples/posix/wh_posix_server/wolfhsm_cfg.h b/examples/posix/wh_posix_server/wolfhsm_cfg.h index 6ff18ecac..4e25024d8 100644 --- a/examples/posix/wh_posix_server/wolfhsm_cfg.h +++ b/examples/posix/wh_posix_server/wolfhsm_cfg.h @@ -47,6 +47,7 @@ #define WOLFHSM_CFG_KEYWRAP_MAX_KEY_SIZE 5000 #define XMEMFENCE() __atomic_thread_fence(__ATOMIC_SEQ_CST) +#ifndef WOLFHSM_CFG_NO_CRYPTO #define WOLFHSM_CFG_KEYWRAP - +#endif #endif /* WOLFHSM_CFG_H_ */ From aab15fe534435bb463406d563c534b38b4ae5f24 Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Thu, 16 Oct 2025 15:44:07 +0900 Subject: [PATCH 5/6] fix errors on make NOCRYPTO=1 --- benchmark/bench_modules/wh_bench_mod_aes.c | 3 +-- benchmark/bench_modules/wh_bench_mod_cmac.c | 3 +-- .../bench_modules/wh_bench_mod_curve25519.c | 4 ++-- benchmark/bench_modules/wh_bench_mod_ecc.c | 5 +++-- benchmark/bench_modules/wh_bench_mod_hkdf.c | 5 ++--- benchmark/bench_modules/wh_bench_mod_hmac.c | 3 +-- benchmark/bench_modules/wh_bench_mod_mldsa.c | 4 ++-- benchmark/bench_modules/wh_bench_mod_rng.c | 5 +++-- benchmark/bench_modules/wh_bench_mod_rsa.c | 3 +-- benchmark/bench_modules/wh_bench_mod_sha2.c | 3 +-- benchmark/bench_modules/wh_bench_mod_sha3.c | 2 +- benchmark/wh_bench.c | 7 ++++--- benchmark/wh_bench_main.c | 1 + examples/demo/client/wh_demo_client_all.c | 5 +++-- examples/demo/client/wh_demo_client_crypto.c | 4 ++-- examples/demo/client/wh_demo_client_keystore.c | 2 ++ examples/demo/client/wh_demo_client_keywrap.c | 2 ++ examples/demo/client/wh_demo_client_secboot.c | 17 ++++++++++++++++- examples/demo/client/wh_demo_client_wcbench.c | 7 +++++++ examples/demo/client/wh_demo_client_wctest.c | 7 +++++++ .../posix/wh_posix_server/wh_posix_server.c | 15 ++++++++++++++- .../posix/wh_posix_server/wh_posix_server_cfg.c | 6 +++++- port/posix/posix_transport_shm.h | 2 ++ src/wh_client_crypto.c | 3 ++- src/wh_server_she.c | 4 +++- test/wh_test_cert.h | 2 +- test/wh_test_keywrap.c | 2 ++ tools/whnvmtool/Makefile | 11 +++++++---- wolfhsm/wh_client.h | 12 +++++++++--- wolfhsm/wh_server.h | 4 +--- 30 files changed, 108 insertions(+), 45 deletions(-) diff --git a/benchmark/bench_modules/wh_bench_mod_aes.c b/benchmark/bench_modules/wh_bench_mod_aes.c index 7eddee78a..fc5035639 100644 --- a/benchmark/bench_modules/wh_bench_mod_aes.c +++ b/benchmark/bench_modules/wh_bench_mod_aes.c @@ -21,10 +21,9 @@ #include "wolfhsm/wh_client.h" #include "wolfhsm/wh_client_crypto.h" +#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE) #include "wolfssl/wolfcrypt/aes.h" -#if defined(WOLFHSM_CFG_BENCH_ENABLE) - #if defined(WOLFHSM_CFG_DMA) && defined(WOLFHSM_CFG_TEST_POSIX) #include "port/posix/posix_transport_shm.h" #endif /* WOLFHSM_CFG_DMA && WOLFHSM_CFG_TEST_POSIX */ diff --git a/benchmark/bench_modules/wh_bench_mod_cmac.c b/benchmark/bench_modules/wh_bench_mod_cmac.c index 81f130286..6ca1c7ac8 100644 --- a/benchmark/bench_modules/wh_bench_mod_cmac.c +++ b/benchmark/bench_modules/wh_bench_mod_cmac.c @@ -21,10 +21,9 @@ #include "wolfhsm/wh_error.h" #include "wolfhsm/wh_client_crypto.h" +#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE) #include "wolfssl/wolfcrypt/cmac.h" -#if defined(WOLFHSM_CFG_BENCH_ENABLE) - #if defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT) static const uint8_t key128[] = {0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, diff --git a/benchmark/bench_modules/wh_bench_mod_curve25519.c b/benchmark/bench_modules/wh_bench_mod_curve25519.c index d8dd58eca..230415af1 100644 --- a/benchmark/bench_modules/wh_bench_mod_curve25519.c +++ b/benchmark/bench_modules/wh_bench_mod_curve25519.c @@ -21,12 +21,12 @@ #include "wolfhsm/wh_client.h" #include "wolfhsm/wh_client_crypto.h" + +#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE) #include "wolfssl/wolfcrypt/settings.h" #include "wolfssl/wolfcrypt/random.h" #include "wolfssl/wolfcrypt/curve25519.h" -#if defined(WOLFHSM_CFG_BENCH_ENABLE) - #if defined(HAVE_CURVE25519) uint8_t key1_der[] = { diff --git a/benchmark/bench_modules/wh_bench_mod_ecc.c b/benchmark/bench_modules/wh_bench_mod_ecc.c index b2d63dc1a..50d42d438 100644 --- a/benchmark/bench_modules/wh_bench_mod_ecc.c +++ b/benchmark/bench_modules/wh_bench_mod_ecc.c @@ -21,11 +21,12 @@ #include "wolfhsm/wh_client.h" #include "wolfhsm/wh_client_crypto.h" + +#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE) + #include "wolfssl/wolfcrypt/ecc.h" #include "wolfssl/wolfcrypt/random.h" -#if defined(WOLFHSM_CFG_BENCH_ENABLE) - #if defined(HAVE_ECC) /* hardcoded DER-encoded ECC keys for benchmarking */ diff --git a/benchmark/bench_modules/wh_bench_mod_hkdf.c b/benchmark/bench_modules/wh_bench_mod_hkdf.c index 64cd07ced..774d7c939 100644 --- a/benchmark/bench_modules/wh_bench_mod_hkdf.c +++ b/benchmark/bench_modules/wh_bench_mod_hkdf.c @@ -20,12 +20,11 @@ #include "wh_bench_mod.h" #include "wolfhsm/wh_error.h" +#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE) #include "wolfssl/wolfcrypt/hmac.h" #include "wolfssl/wolfcrypt/kdf.h" #include "wolfssl/wolfcrypt/sha256.h" -#if defined(WOLFHSM_CFG_BENCH_ENABLE) - #if defined(HAVE_HKDF) @@ -93,4 +92,4 @@ int wh_Bench_Mod_HkdfSha256(whClientContext* client, whBenchOpContext* ctx, #endif /* defined(HAVE_HKDF) */ -#endif /* WOLFHSM_CFG_BENCH_ENABLE */ +#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */ diff --git a/benchmark/bench_modules/wh_bench_mod_hmac.c b/benchmark/bench_modules/wh_bench_mod_hmac.c index d102dc157..86ccd082b 100644 --- a/benchmark/bench_modules/wh_bench_mod_hmac.c +++ b/benchmark/bench_modules/wh_bench_mod_hmac.c @@ -19,11 +19,10 @@ #include "wh_bench_mod.h" #include "wolfhsm/wh_error.h" +#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE) #include "wolfssl/wolfcrypt/hmac.h" #include "wolfssl/wolfcrypt/sha256.h" -#if defined(WOLFHSM_CFG_BENCH_ENABLE) - #if !defined(NO_HMAC) #if !defined(NO_SHA256) diff --git a/benchmark/bench_modules/wh_bench_mod_mldsa.c b/benchmark/bench_modules/wh_bench_mod_mldsa.c index 36bea4079..4f023d9fd 100644 --- a/benchmark/bench_modules/wh_bench_mod_mldsa.c +++ b/benchmark/bench_modules/wh_bench_mod_mldsa.c @@ -21,11 +21,11 @@ #include "wolfhsm/wh_client.h" #include "wolfhsm/wh_client_crypto.h" + +#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE) #include "wolfssl/wolfcrypt/dilithium.h" #include "wolfssl/wolfcrypt/random.h" -#if defined(WOLFHSM_CFG_BENCH_ENABLE) - #if defined(HAVE_DILITHIUM) #if !defined(WOLFSSL_DILITHIUM_NO_SIGN) diff --git a/benchmark/bench_modules/wh_bench_mod_rng.c b/benchmark/bench_modules/wh_bench_mod_rng.c index cb3674c4d..f95c643af 100644 --- a/benchmark/bench_modules/wh_bench_mod_rng.c +++ b/benchmark/bench_modules/wh_bench_mod_rng.c @@ -18,9 +18,10 @@ */ #include "wh_bench_mod.h" #include "wolfhsm/wh_error.h" -#include "wolfssl/wolfcrypt/random.h" -#if defined(WOLFHSM_CFG_BENCH_ENABLE) + +#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE) +#include "wolfssl/wolfcrypt/random.h" #if !defined(WC_NO_RNG) diff --git a/benchmark/bench_modules/wh_bench_mod_rsa.c b/benchmark/bench_modules/wh_bench_mod_rsa.c index cab5b6ec5..99f6a15c7 100644 --- a/benchmark/bench_modules/wh_bench_mod_rsa.c +++ b/benchmark/bench_modules/wh_bench_mod_rsa.c @@ -21,11 +21,10 @@ #include "wolfhsm/wh_client.h" #include "wolfhsm/wh_client_crypto.h" +#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE) #include "wolfssl/wolfcrypt/rsa.h" #include "wolfssl/wolfcrypt/random.h" -#if defined(WOLFHSM_CFG_BENCH_ENABLE) - #if !defined(NO_RSA) /* RSA 2048-bit key in DER format for benchmarking */ diff --git a/benchmark/bench_modules/wh_bench_mod_sha2.c b/benchmark/bench_modules/wh_bench_mod_sha2.c index 32d81b7fb..2fa7d9b8c 100644 --- a/benchmark/bench_modules/wh_bench_mod_sha2.c +++ b/benchmark/bench_modules/wh_bench_mod_sha2.c @@ -21,11 +21,10 @@ #include "wolfhsm/wh_error.h" #include "wolfhsm/wh_client_crypto.h" +#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE) #include "wolfssl/wolfcrypt/hash.h" #include "wolfssl/wolfcrypt/sha256.h" -#if defined(WOLFHSM_CFG_BENCH_ENABLE) - #if defined(WOLFHSM_CFG_DMA) && defined(WOLFHSM_CFG_TEST_POSIX) #include "port/posix/posix_transport_shm.h" #endif /* WOLFHSM_CFG_DMA && WOLFHSM_CFG_POSIX_TRANSPORT */ diff --git a/benchmark/bench_modules/wh_bench_mod_sha3.c b/benchmark/bench_modules/wh_bench_mod_sha3.c index d657a103f..5183a2123 100644 --- a/benchmark/bench_modules/wh_bench_mod_sha3.c +++ b/benchmark/bench_modules/wh_bench_mod_sha3.c @@ -19,7 +19,7 @@ #include "wh_bench_mod.h" #include "wolfhsm/wh_error.h" -#if defined(WOLFHSM_CFG_BENCH_ENABLE) +#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE) #if defined(WOLFSSL_SHA3) diff --git a/benchmark/wh_bench.c b/benchmark/wh_bench.c index 2dc4eefef..861309188 100644 --- a/benchmark/wh_bench.c +++ b/benchmark/wh_bench.c @@ -73,7 +73,7 @@ typedef struct BenchModule { * of the array will be BENCH_MODULE_IDX_COUNT */ typedef enum BenchModuleIdx { BENCH_MODULE_IDX_ECHO = 0, - +#if !defined(WOLFHSM_CFG_NO_CRYPTO) /* RNG */ #if !defined(WC_NO_RNG) BENCH_MODULE_IDX_RNG, @@ -233,7 +233,7 @@ typedef enum BenchModuleIdx { BENCH_MODULE_IDX_ML_DSA_87_KEY_GEN_DMA, #endif /* !(WOLFSSL_NO_ML_DSA_87) */ #endif /* HAVE_DILITHIUM */ - +#endif /* !(WOLFHSM_CFG_NO_CRYPTO) */ /* number of modules. This must be the last entry and will be used as the * size of the global modules array */ BENCH_MODULE_IDX_COUNT @@ -246,7 +246,7 @@ WH_UTILS_STATIC_ASSERT(MAX_BENCH_OPS > BENCH_MODULE_IDX_COUNT, /* clang-format off */ static BenchModule g_benchModules[] = { [BENCH_MODULE_IDX_ECHO] = {"ECHO", wh_Bench_Mod_Echo, BENCH_THROUGHPUT_XBPS, 0, NULL}, - +#if !defined(WOLFHSM_CFG_NO_CRYPTO) /* RNG */ #if !defined(WC_NO_RNG) [BENCH_MODULE_IDX_RNG] = {"RNG", wh_Bench_Mod_Rng, BENCH_THROUGHPUT_XBPS, 0, NULL}, @@ -402,6 +402,7 @@ static BenchModule g_benchModules[] = { [BENCH_MODULE_IDX_ML_DSA_87_KEY_GEN_DMA] = {"ML-DSA-87-KEY-GEN-DMA", wh_Bench_Mod_MlDsa87KeyGenDma, BENCH_THROUGHPUT_OPS, 0, NULL}, #endif /* !(WOLFSSL_NO_ML_DSA_87) */ #endif /* HAVE_DILITHIUM */ +#endif /* !(WOLFHSM_CFG_NO_CRYPTO) */ }; /* clang-format on */ diff --git a/benchmark/wh_bench_main.c b/benchmark/wh_bench_main.c index c36215359..6a63ef562 100644 --- a/benchmark/wh_bench_main.c +++ b/benchmark/wh_bench_main.c @@ -25,6 +25,7 @@ #include #include +#include void Usage(const char* exeName) { diff --git a/examples/demo/client/wh_demo_client_all.c b/examples/demo/client/wh_demo_client_all.c index c64cc1175..31eaa086a 100644 --- a/examples/demo/client/wh_demo_client_all.c +++ b/examples/demo/client/wh_demo_client_all.c @@ -39,7 +39,8 @@ int wh_DemoClient_All(whClientContext* clientContext) if (rc != 0) { return rc; } -#ifndef NO_AES + +#if !defined(WOLFHSM_CFG_NO_CRYPTO) && !defined(NO_AES) rc = wh_DemoClient_KeystoreAes(clientContext); if (rc != 0) { return rc; @@ -54,7 +55,7 @@ int wh_DemoClient_All(whClientContext* clientContext) #endif /* WOLFHSM_CFG_KEYWRAP */ /**Crypto demos */ -#ifndef NO_RSA +#if !defined(WOLFHSM_CFG_NO_CRYPTO) && !defined(NO_RSA) rc = wh_DemoClient_CryptoRsa(clientContext); if (rc != 0) { return rc; diff --git a/examples/demo/client/wh_demo_client_crypto.c b/examples/demo/client/wh_demo_client_crypto.c index 8e8da5d36..d970ef742 100644 --- a/examples/demo/client/wh_demo_client_crypto.c +++ b/examples/demo/client/wh_demo_client_crypto.c @@ -11,9 +11,11 @@ #include "wolfhsm/wh_client.h" #include "wolfhsm/wh_client_crypto.h" +#if !defined(WOLFHSM_CFG_NO_CRYPTO) #include "wolfssl/wolfcrypt/settings.h" #include "wolfssl/wolfcrypt/types.h" + #if !defined(WC_NO_RNG) #include "wolfssl/wolfcrypt/random.h" #endif @@ -40,8 +42,6 @@ #include "wh_demo_client_crypto.h" -#ifndef WOLFHSM_CFG_NO_CRYPTO - #if !defined(NO_RSA) /* diff --git a/examples/demo/client/wh_demo_client_keystore.c b/examples/demo/client/wh_demo_client_keystore.c index 309e611ea..b09eae82b 100644 --- a/examples/demo/client/wh_demo_client_keystore.c +++ b/examples/demo/client/wh_demo_client_keystore.c @@ -7,9 +7,11 @@ #include "wolfhsm/wh_client.h" #include "wolfhsm/wh_client_crypto.h" +#if !defined(WOLFHSM_CFG_NO_CRYPTO) #include "wolfssl/wolfcrypt/settings.h" #include "wolfssl/wolfcrypt/aes.h" #include "wolfssl/wolfcrypt/random.h" +#endif /* !WOLFHSM_CFG_NO_CRYPTO */ #include "wh_demo_client_keystore.h" diff --git a/examples/demo/client/wh_demo_client_keywrap.c b/examples/demo/client/wh_demo_client_keywrap.c index 92e1fa251..ecac3b6ee 100644 --- a/examples/demo/client/wh_demo_client_keywrap.c +++ b/examples/demo/client/wh_demo_client_keywrap.c @@ -27,9 +27,11 @@ #include "wolfhsm/wh_client.h" #include "wolfhsm/wh_client_crypto.h" +#if !defined(WOLFHSM_CFG_NO_CRYPTO) #include "wolfssl/wolfcrypt/settings.h" #include "wolfssl/wolfcrypt/aes.h" #include "wolfssl/wolfcrypt/random.h" +#endif /* !WOLFHSM_CFG_NO_CRYPTO */ #include "wh_demo_client_keywrap.h" diff --git a/examples/demo/client/wh_demo_client_secboot.c b/examples/demo/client/wh_demo_client_secboot.c index 17cf5e77d..e7e7175b8 100644 --- a/examples/demo/client/wh_demo_client_secboot.c +++ b/examples/demo/client/wh_demo_client_secboot.c @@ -13,12 +13,13 @@ #include "wolfhsm/wh_client.h" #include "wolfhsm/wh_client_crypto.h" +#if !defined(WOLFHSM_CFG_NO_CRYPTO) #include "wolfssl/wolfcrypt/settings.h" #include "wolfssl/wolfcrypt/ecc.h" #include "wolfssl/wolfcrypt/sha256.h" #include "wolfssl/wolfcrypt/error-crypt.h" #include "wh_demo_client_secboot.h" - +#endif /* !WOLFHSM_CFG_NO_CRYPTO */ /* Provisioning process: * 1. Generate a server keypair into key cache as keyId 27 @@ -221,6 +222,7 @@ static int _verifyHash(const uint8_t* hash, size_t hash_len, const uint8_t* sig, int wh_DemoClient_SecBoot_Provision(whClientContext* clientContext) { +#if !defined(WOLFHSM_CFG_NO_CRYPTO) int ret = 0; uint32_t client_id = 0; uint32_t server_id = 0; @@ -268,10 +270,17 @@ int wh_DemoClient_SecBoot_Provision(whClientContext* clientContext) } printf("Provision Client completed with ret:%d\n", ret); return ret; +#else + (void)clientContext; + (void)_signHash; + (void)_provisionMakeCommitKey; + return WH_ERROR_NOTIMPL; +#endif /* !WOLFHSM_CFG_NO_CRYPTO */ } int wh_DemoClient_SecBoot_Boot(whClientContext* clientContext) { +#if !defined(WOLFHSM_CFG_NO_CRYPTO) int ret = 0; uint32_t client_id = 0; uint32_t server_id = 0; @@ -328,6 +337,12 @@ int wh_DemoClient_SecBoot_Boot(whClientContext* clientContext) } printf("SecBoot Client completed with ret:%d\n", ret); return ret; +#else + (void)clientContext; + (void)_verifyHash; + (void)_sha256File; + return WH_ERROR_NOTIMPL; +#endif /* !WOLFHSM_CFG_NO_CRYPTO */ } int wh_DemoClient_SecBoot_Zeroize(whClientContext* clientContext) diff --git a/examples/demo/client/wh_demo_client_wcbench.c b/examples/demo/client/wh_demo_client_wcbench.c index 73c7d1c0b..9f7f82c96 100644 --- a/examples/demo/client/wh_demo_client_wcbench.c +++ b/examples/demo/client/wh_demo_client_wcbench.c @@ -1,11 +1,18 @@ #include "wolfhsm/wh_client.h" +#include "wolfhsm/wh_error.h" +#if !defined(WOLFHSM_CFG_NO_CRYPTO) #include "wolfcrypt/benchmark/benchmark.h" +#endif #include "wh_demo_client_wcbench.h" int wh_DemoClient_wcBench(whClientContext* clientContext) { (void)clientContext; +#if !defined(WOLFHSM_CFG_NO_CRYPTO) return benchmark_test(NULL); +#else + return WH_ERROR_NOTIMPL; +#endif } diff --git a/examples/demo/client/wh_demo_client_wctest.c b/examples/demo/client/wh_demo_client_wctest.c index 527477450..a4869a22a 100644 --- a/examples/demo/client/wh_demo_client_wctest.c +++ b/examples/demo/client/wh_demo_client_wctest.c @@ -1,11 +1,18 @@ #include "wolfhsm/wh_client.h" +#include "wolfhsm/wh_error.h" +#if !defined(WOLFHSM_CFG_NO_CRYPTO) #include "wolfcrypt/test/test.h" +#endif #include "wh_demo_client_wctest.h" int wh_DemoClient_wcTest(whClientContext* clientContext) { (void)clientContext; +#if !defined(WOLFHSM_CFG_NO_CRYPTO) return wolfcrypt_test(NULL); +#else + return WH_ERROR_NOTIMPL; +#endif } diff --git a/examples/posix/wh_posix_server/wh_posix_server.c b/examples/posix/wh_posix_server/wh_posix_server.c index 7a691fab1..952df5782 100644 --- a/examples/posix/wh_posix_server/wh_posix_server.c +++ b/examples/posix/wh_posix_server/wh_posix_server.c @@ -58,6 +58,7 @@ const char* type = "tcp"; /* default to tcp type */ static int loadAndStoreKeys(whServerContext* server, whKeyId* outKeyId, const char* keyFilePath, int keyId, int clientId) { +#if !defined(WOLFHSM_CFG_NO_CRYPTO) int ret; int keyFd; int keySz; @@ -117,6 +118,14 @@ static int loadAndStoreKeys(whServerContext* server, whKeyId* outKeyId, *outKeyId = meta.id; return ret; +#else + (void)server; + (void)outKeyId; + (void)keyFilePath; + (void)keyId; + (void)clientId; + return WH_ERROR_NOTIMPL; +#endif /* !WOLFHSM_CFG_NO_CRYPTO */ } @@ -410,7 +419,11 @@ int main(int argc, char** argv) (void)keyFilePath; (void)keyId; (void)clientId; - (void)wh_ServerTask; + rc = wh_ServerTask(s_conf, keyFilePath, keyId, clientId); + if (rc != WH_ERROR_OK) { + printf("Server task failed: %d\n", rc); + return rc; + } #endif return rc; } diff --git a/examples/posix/wh_posix_server/wh_posix_server_cfg.c b/examples/posix/wh_posix_server/wh_posix_server_cfg.c index a49561853..e39690d60 100644 --- a/examples/posix/wh_posix_server/wh_posix_server_cfg.c +++ b/examples/posix/wh_posix_server/wh_posix_server_cfg.c @@ -1,7 +1,11 @@ /* * Example server app using POSIX transport */ -/*#if defined(WOLFHSM_CFG_NO_CRYPTO)*/ +#include /* For printf */ +#include /* For atoi */ +#include /* For memset, memcpy, strcmp */ +#include /* For isspace */ + #include "wh_posix_cfg.h" #include "wh_posix_server_cfg.h" diff --git a/port/posix/posix_transport_shm.h b/port/posix/posix_transport_shm.h index e3b59fbb9..edbc50811 100644 --- a/port/posix/posix_transport_shm.h +++ b/port/posix/posix_transport_shm.h @@ -58,6 +58,8 @@ #include "wolfhsm/wh_comm.h" #include "wolfhsm/wh_transport_mem.h" +#include /* For size_t */ +#include /* For pid_t */ /** POSIX SHM configuration structure */ typedef struct { diff --git a/src/wh_client_crypto.c b/src/wh_client_crypto.c index 8c89cdc10..815b8ad15 100644 --- a/src/wh_client_crypto.c +++ b/src/wh_client_crypto.c @@ -41,7 +41,7 @@ /* Components */ #include "wolfhsm/wh_comm.h" - +#if !defined(WOLFHSM_CFG_NO_CRYPTO) #include "wolfssl/wolfcrypt/settings.h" #include "wolfssl/wolfcrypt/types.h" #include "wolfssl/wolfcrypt/error-crypt.h" @@ -56,6 +56,7 @@ #include "wolfssl/wolfcrypt/dilithium.h" #include "wolfssl/wolfcrypt/sha256.h" #include "wolfssl/wolfcrypt/sha512.h" +#endif /* Message definitions */ #include "wolfhsm/wh_message.h" diff --git a/src/wh_server_she.c b/src/wh_server_she.c index eaecd816e..b12953763 100644 --- a/src/wh_server_she.c +++ b/src/wh_server_she.c @@ -24,7 +24,7 @@ /* Pick up compile-time configuration */ #include "wolfhsm/wh_settings.h" -#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_ENABLE_SERVER) +#if defined(WOLFHSM_CFG_ENABLE_SERVER) /* System libraries */ #include @@ -36,6 +36,7 @@ #include "wolfhsm/wh_utils.h" #include "wolfhsm/wh_server.h" +#if !defined(WOLFHSM_CFG_NO_CRYPTO) #include "wolfssl/wolfcrypt/settings.h" #include "wolfssl/wolfcrypt/types.h" #include "wolfssl/wolfcrypt/error-crypt.h" @@ -43,6 +44,7 @@ #include "wolfssl/wolfcrypt/aes.h" #include "wolfssl/wolfcrypt/cmac.h" #include "wolfhsm/wh_server_keystore.h" +#endif /* !WOLFHSM_CFG_NO_CRYPTO */ #ifdef WOLFHSM_CFG_SHE_EXTENSION #include "wolfhsm/wh_she_common.h" diff --git a/test/wh_test_cert.h b/test/wh_test_cert.h index d5d002eb6..1f2d35ecd 100644 --- a/test/wh_test_cert.h +++ b/test/wh_test_cert.h @@ -43,4 +43,4 @@ int whTest_CertClientAcertDma_ClientServerTestInternal(whClientContext* client); #endif /* WOLFHSM_CFG_DMA */ #endif /* WOLFHSM_CFG_CERTIFICATE_MANAGER_ACERT */ -#endif /* !WOLFHSM_WH_TEST_CERT_H_ */ +#endif /* !WOLFHSM_WH_TEST_CERT_H_ */ \ No newline at end of file diff --git a/test/wh_test_keywrap.c b/test/wh_test_keywrap.c index a492e980e..77bac1eca 100644 --- a/test/wh_test_keywrap.c +++ b/test/wh_test_keywrap.c @@ -23,8 +23,10 @@ #include #include /* For memset, memcpy */ +#if !defined(WOLFHSM_CFG_NO_CRYPTO) #include "wolfssl/wolfcrypt/settings.h" #include "wolfssl/wolfcrypt/types.h" +#endif /* !WOLFHSM_CFG_NO_CRYPTO */ #include "wolfhsm/wh_error.h" diff --git a/tools/whnvmtool/Makefile b/tools/whnvmtool/Makefile index 2c2570dd4..37c7f6f2d 100644 --- a/tools/whnvmtool/Makefile +++ b/tools/whnvmtool/Makefile @@ -31,10 +31,6 @@ SRC = \ $(WOLFHSM_SRC) \ $(TARGET).c -ifneq ($(NOCRYPTO),1) -SRC += \ - $(WOLFCRYPT_SRC) -endif ifeq ($(SCAN),1) SCAN_LOG = scan_whnvmtool.log @@ -57,6 +53,13 @@ CFLAGS = -Wall $(INCLUDE_DIRS) CFLAGS += -DWOLFSSL_USER_SETTINGS -DWOLFHSM_CFG_ENABLE_SERVER CFLAGS += -std=c90 -D_GNU_SOURCE -Wno-cpp +ifneq ($(NOCRYPTO),1) +SRC += \ + $(WOLFCRYPT_SRC) +else +CFLAGS += -DWOLFHSM_CFG_NO_CRYPTO +endif + CFLAGS_EXTRA = # Additional CFLAGS from the command line LDFLAGS = $(LIB_DIRS) $(LIBS) OUT = $(TARGET) # Output executable name diff --git a/wolfhsm/wh_client.h b/wolfhsm/wh_client.h index 7b2f58662..cef5433bb 100644 --- a/wolfhsm/wh_client.h +++ b/wolfhsm/wh_client.h @@ -53,8 +53,6 @@ #include "wolfhsm/wh_dma.h" #endif /* WOLFHSM_CFG_DMA */ -/* WolfCrypt types and defines */ -#include "wolfssl/wolfcrypt/types.h" /* Forward declaration of the client structure so its elements can reference * itself (e.g. server argument to custom callback) */ @@ -62,6 +60,9 @@ typedef struct whClientContext_t whClientContext; #ifndef WOLFHSM_CFG_NO_CRYPTO +/* WolfCrypt types and defines */ +#include "wolfssl/wolfcrypt/types.h" + /* Device Id to be registered and passed to wolfCrypt functions */ enum WH_CLIENT_DEVID_ENUM { WH_DEV_ID = 0x5748534D, /* "WHSM" */ @@ -74,7 +75,12 @@ enum WH_CLIENT_DEVID_ENUM { }; extern const int WH_DEV_IDS_ARRAY[WH_NUM_DEVIDS]; #else -#define WH_DEV_ID -2 /* invalid ID for compile purpose */ +/* for compile purpose */ +#define WH_DEV_ID -2 /* invalid ID */ +/* cipher types */ +enum wc_CipherType { + WC_CIPHER_NONE = 0, +}; #endif /** Client DMA address translation and validation */ diff --git a/wolfhsm/wh_server.h b/wolfhsm/wh_server.h index a27c39cb4..664fcd993 100644 --- a/wolfhsm/wh_server.h +++ b/wolfhsm/wh_server.h @@ -44,11 +44,9 @@ typedef struct whServerContext_t whServerContext; #include "wolfhsm/wh_dma.h" #endif /* WOLFHSM_CFG_DMA */ -/* WolfCrypt types and defines */ -#include "wolfssl/wolfcrypt/types.h" - #ifndef WOLFHSM_CFG_NO_CRYPTO #include "wolfssl/wolfcrypt/settings.h" +#include "wolfssl/wolfcrypt/types.h" #include "wolfssl/wolfcrypt/random.h" #include "wolfssl/wolfcrypt/rsa.h" #include "wolfssl/wolfcrypt/ecc.h" From 33708db6c40e1436e80bf8e823e9dafde41646b7 Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Wed, 29 Oct 2025 10:27:10 +0900 Subject: [PATCH 6/6] addressed code review --- benchmark/bench_modules/wh_bench_mod_aes.c | 2 +- benchmark/bench_modules/wh_bench_mod_cmac.c | 2 +- .../bench_modules/wh_bench_mod_curve25519.c | 2 +- benchmark/bench_modules/wh_bench_mod_ecc.c | 2 +- benchmark/bench_modules/wh_bench_mod_hmac.c | 2 +- benchmark/bench_modules/wh_bench_mod_mldsa.c | 2 +- benchmark/bench_modules/wh_bench_mod_rng.c | 2 +- benchmark/bench_modules/wh_bench_mod_rsa.c | 2 +- benchmark/bench_modules/wh_bench_mod_sha2.c | 2 +- benchmark/bench_modules/wh_bench_mod_sha3.c | 2 +- examples/demo/client/wh_demo_client_secboot.c | 46 ++----------------- 11 files changed, 13 insertions(+), 53 deletions(-) diff --git a/benchmark/bench_modules/wh_bench_mod_aes.c b/benchmark/bench_modules/wh_bench_mod_aes.c index fc5035639..a1814a305 100644 --- a/benchmark/bench_modules/wh_bench_mod_aes.c +++ b/benchmark/bench_modules/wh_bench_mod_aes.c @@ -831,4 +831,4 @@ int wh_Bench_Mod_Aes256GCMDecryptDma(whClientContext* client, #endif /* !defined(NO_AES) */ -#endif /* WOLFHSM_CFG_BENCH_ENABLE */ +#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */ diff --git a/benchmark/bench_modules/wh_bench_mod_cmac.c b/benchmark/bench_modules/wh_bench_mod_cmac.c index 6ca1c7ac8..86fe9e69f 100644 --- a/benchmark/bench_modules/wh_bench_mod_cmac.c +++ b/benchmark/bench_modules/wh_bench_mod_cmac.c @@ -183,4 +183,4 @@ int wh_Bench_Mod_CmacAes256Dma(whClientContext* client, whBenchOpContext* ctx, #endif /* WOLFSSL_CMAC && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT) */ -#endif /* WOLFHSM_CFG_BENCH_ENABLE */ +#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */ diff --git a/benchmark/bench_modules/wh_bench_mod_curve25519.c b/benchmark/bench_modules/wh_bench_mod_curve25519.c index 230415af1..230a396e3 100644 --- a/benchmark/bench_modules/wh_bench_mod_curve25519.c +++ b/benchmark/bench_modules/wh_bench_mod_curve25519.c @@ -252,4 +252,4 @@ int wh_Bench_Mod_Curve25519SharedSecret(whClientContext* client, #endif /* HAVE_CURVE25519 */ -#endif /* WOLFHSM_CFG_BENCH_ENABLE */ +#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */ diff --git a/benchmark/bench_modules/wh_bench_mod_ecc.c b/benchmark/bench_modules/wh_bench_mod_ecc.c index 50d42d438..fad069d1a 100644 --- a/benchmark/bench_modules/wh_bench_mod_ecc.c +++ b/benchmark/bench_modules/wh_bench_mod_ecc.c @@ -567,4 +567,4 @@ int wh_Bench_Mod_EccP256Ecdh(whClientContext* client, whBenchOpContext* ctx, #endif /* HAVE_ECC */ -#endif /* WOLFHSM_CFG_BENCH_ENABLE */ +#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */ diff --git a/benchmark/bench_modules/wh_bench_mod_hmac.c b/benchmark/bench_modules/wh_bench_mod_hmac.c index 86ccd082b..1b8a248e4 100644 --- a/benchmark/bench_modules/wh_bench_mod_hmac.c +++ b/benchmark/bench_modules/wh_bench_mod_hmac.c @@ -175,4 +175,4 @@ int wh_Bench_Mod_HmacSha3256Dma(whClientContext* client, whBenchOpContext* ctx, #endif /* !defined(NO_HMAC) */ -#endif /* WOLFHSM_CFG_BENCH_ENABLE */ +#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */ diff --git a/benchmark/bench_modules/wh_bench_mod_mldsa.c b/benchmark/bench_modules/wh_bench_mod_mldsa.c index 4f023d9fd..c1e31f641 100644 --- a/benchmark/bench_modules/wh_bench_mod_mldsa.c +++ b/benchmark/bench_modules/wh_bench_mod_mldsa.c @@ -1193,4 +1193,4 @@ int wh_Bench_Mod_MlDsa87KeyGenDma(whClientContext* client, #endif /* HAVE_DILITHIUM */ -#endif /* WOLFHSM_CFG_BENCH_ENABLE */ +#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */ diff --git a/benchmark/bench_modules/wh_bench_mod_rng.c b/benchmark/bench_modules/wh_bench_mod_rng.c index f95c643af..9a7651b2f 100644 --- a/benchmark/bench_modules/wh_bench_mod_rng.c +++ b/benchmark/bench_modules/wh_bench_mod_rng.c @@ -94,4 +94,4 @@ int wh_Bench_Mod_Rng(whClientContext* client, whBenchOpContext* ctx, int id, #endif /* !defined(WC_NO_RNG) */ -#endif /* WOLFHSM_CFG_BENCH_ENABLE */ +#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */ diff --git a/benchmark/bench_modules/wh_bench_mod_rsa.c b/benchmark/bench_modules/wh_bench_mod_rsa.c index 99f6a15c7..bf759f48b 100644 --- a/benchmark/bench_modules/wh_bench_mod_rsa.c +++ b/benchmark/bench_modules/wh_bench_mod_rsa.c @@ -1115,4 +1115,4 @@ int wh_Bench_Mod_Rsa4096KeyGenDma(whClientContext* client, #endif /* !(NO_RSA) */ -#endif /* WOLFHSM_CFG_BENCH_ENABLE */ +#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */ diff --git a/benchmark/bench_modules/wh_bench_mod_sha2.c b/benchmark/bench_modules/wh_bench_mod_sha2.c index 2fa7d9b8c..46bc9d8ab 100644 --- a/benchmark/bench_modules/wh_bench_mod_sha2.c +++ b/benchmark/bench_modules/wh_bench_mod_sha2.c @@ -549,4 +549,4 @@ int wh_Bench_Mod_Sha512Dma(whClientContext* client, whBenchOpContext* ctx, #endif /* WOLFSSL_SHA512 */ -#endif /* WOLFHSM_CFG_BENCH_ENABLE */ +#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */ diff --git a/benchmark/bench_modules/wh_bench_mod_sha3.c b/benchmark/bench_modules/wh_bench_mod_sha3.c index 5183a2123..22d657eb9 100644 --- a/benchmark/bench_modules/wh_bench_mod_sha3.c +++ b/benchmark/bench_modules/wh_bench_mod_sha3.c @@ -45,4 +45,4 @@ int wh_Bench_Mod_Sha3256Dma(whClientContext* client, whBenchOpContext* ctx, #endif /* WOLFSSL_SHA3 */ -#endif /* WOLFHSM_CFG_BENCH_ENABLE */ +#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */ diff --git a/examples/demo/client/wh_demo_client_secboot.c b/examples/demo/client/wh_demo_client_secboot.c index e7e7175b8..113200d6a 100644 --- a/examples/demo/client/wh_demo_client_secboot.c +++ b/examples/demo/client/wh_demo_client_secboot.c @@ -14,12 +14,12 @@ #include "wolfhsm/wh_client_crypto.h" #if !defined(WOLFHSM_CFG_NO_CRYPTO) + #include "wolfssl/wolfcrypt/settings.h" #include "wolfssl/wolfcrypt/ecc.h" #include "wolfssl/wolfcrypt/sha256.h" #include "wolfssl/wolfcrypt/error-crypt.h" #include "wh_demo_client_secboot.h" -#endif /* !WOLFHSM_CFG_NO_CRYPTO */ /* Provisioning process: * 1. Generate a server keypair into key cache as keyId 27 @@ -99,7 +99,6 @@ static int _showNvm(whClientContext* clientContext) static int _provisionMakeCommitKey(whClientContext* clientContext) { -#ifndef WOLFHSM_CFG_NO_CRYPTO int ret; /* Use the default ECC curve for 32 byte key, likely P256r1 */ @@ -114,15 +113,10 @@ static int _provisionMakeCommitKey(whClientContext* clientContext) ret = wh_Client_KeyCommit(clientContext, prov_keyId); } return ret; -#else - (void)clientContext; - return WH_ERROR_NOTIMPL; -#endif } static int _sha256File(const char* file_to_measure, uint8_t* hash) { -#ifndef WOLFHSM_CFG_NO_CRYPTO int ret = 0; int fd = open(file_to_measure, O_RDONLY); if (fd >= 0) { @@ -156,17 +150,11 @@ static int _sha256File(const char* file_to_measure, uint8_t* hash) ret = WH_ERROR_BADARGS; } return ret; -#else - (void)file_to_measure; - (void)hash; - return WH_ERROR_NOTIMPL; -#endif } static int _signHash(const uint8_t* hash, size_t hash_len, uint8_t* sig, uint16_t* sig_len) { -#ifndef WOLFHSM_CFG_NO_CRYPTO ecc_key key[1]; int ret = wc_ecc_init_ex(key, NULL, WH_DEV_ID); if (ret == 0) { @@ -182,19 +170,11 @@ static int _signHash(const uint8_t* hash, size_t hash_len, uint8_t* sig, (void)wc_ecc_free(key); } return ret; -#else - (void)hash; - (void)hash_len; - (void)sig; - (void)sig_len; - return WH_ERROR_NOTIMPL; -#endif } static int _verifyHash(const uint8_t* hash, size_t hash_len, const uint8_t* sig, uint16_t sig_len, int32_t* rc) { -#ifndef WOLFHSM_CFG_NO_CRYPTO ecc_key key[1]; int ret = wc_ecc_init_ex(key, NULL, WH_DEV_ID); if (ret == 0) { @@ -210,19 +190,10 @@ static int _verifyHash(const uint8_t* hash, size_t hash_len, const uint8_t* sig, (void)wc_ecc_free(key); } return ret; -#else - (void)hash; - (void)hash_len; - (void)sig; - (void)sig_len; - (void)rc; - return WH_ERROR_NOTIMPL; -#endif } int wh_DemoClient_SecBoot_Provision(whClientContext* clientContext) { -#if !defined(WOLFHSM_CFG_NO_CRYPTO) int ret = 0; uint32_t client_id = 0; uint32_t server_id = 0; @@ -270,17 +241,10 @@ int wh_DemoClient_SecBoot_Provision(whClientContext* clientContext) } printf("Provision Client completed with ret:%d\n", ret); return ret; -#else - (void)clientContext; - (void)_signHash; - (void)_provisionMakeCommitKey; - return WH_ERROR_NOTIMPL; -#endif /* !WOLFHSM_CFG_NO_CRYPTO */ } int wh_DemoClient_SecBoot_Boot(whClientContext* clientContext) { -#if !defined(WOLFHSM_CFG_NO_CRYPTO) int ret = 0; uint32_t client_id = 0; uint32_t server_id = 0; @@ -337,12 +301,6 @@ int wh_DemoClient_SecBoot_Boot(whClientContext* clientContext) } printf("SecBoot Client completed with ret:%d\n", ret); return ret; -#else - (void)clientContext; - (void)_verifyHash; - (void)_sha256File; - return WH_ERROR_NOTIMPL; -#endif /* !WOLFHSM_CFG_NO_CRYPTO */ } int wh_DemoClient_SecBoot_Zeroize(whClientContext* clientContext) @@ -374,3 +332,5 @@ int wh_DemoClient_SecBoot_Zeroize(whClientContext* clientContext) printf("SecBoot Zeroize Client completed with ret:%d\n", ret); return ret; } + +#endif /* !WOLFHSM_CFG_NO_CRYPTO */ \ No newline at end of file