support for dynamic link to libwolfssl and add test case

.github/workflows/build-and-test-wolfssl-lib.yml

@@ -0,0 +1,129 @@
+name: Build with installed wolfSSL (WOLFSSL_LIB)
+
+# Exercises the WOLFSSL_LIB=1 build mode, which links wolfHSM against an
+# installed libwolfssl rather than compiling the wolfSSL sources in-tree.
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Checkout wolfssl
+      uses: actions/checkout@v4
+      with:
+        repository: wolfssl/wolfssl
+        path: wolfssl
+
+    - name: Build and install wolfssl
+      # HAVE_ANONYMOUS_INLINE_AGGREGATES toggles the layout of wc_CryptoInfo
+      # (anonymous union vs named .u member). wolfHSM requires the anonymous
+      # form.
+      run: |
+        cd wolfssl
+        ./autogen.sh
+        ./configure \
+          --disable-benchmark \
+          --disable-crypttests \
+          --disable-examples \
+          --enable-all \
+          --enable-cryptocb \
+          --prefix=$HOME/wolfssl-install \
+          CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_SHA512_HASHTYPE -DWOLFSSL_PUBLIC_ASN -DHAVE_ANONYMOUS_INLINE_AGGREGATES=1 -DNO_MAIN_DRIVER"
+        make -j
+        make install
+
+    - name: Build test (WOLFSSL_LIB=1)
+      run: |
+        cd test
+        make clean
+        make -j WOLFSSL_LIB=1 \
+          WOLFSSL_DIR=$HOME/wolfssl-install/include \
+          WOLFSSL_LIBDIR=$HOME/wolfssl-install/lib
+
+    - name: Build test (WOLFSSL_LIB=1 DMA=1 ASAN=1)
+      run: |
+        cd test
+        make clean
+        make -j WOLFSSL_LIB=1 DMA=1 ASAN=1 \
+          WOLFSSL_DIR=$HOME/wolfssl-install/include \
+          WOLFSSL_LIBDIR=$HOME/wolfssl-install/lib
+
+    - name: Build test (WOLFSSL_LIB=1 SHE=1)
+      run: |
+        cd test
+        make clean
+        make -j WOLFSSL_LIB=1 SHE=1 \
+          WOLFSSL_DIR=$HOME/wolfssl-install/include \
+          WOLFSSL_LIBDIR=$HOME/wolfssl-install/lib
+
+    - name: Build test (WOLFSSL_LIB=1 AUTH=1)
+      run: |
+        cd test
+        make clean
+        make -j WOLFSSL_LIB=1 AUTH=1 \
+          WOLFSSL_DIR=$HOME/wolfssl-install/include \
+          WOLFSSL_LIBDIR=$HOME/wolfssl-install/lib
+
+    # NOCRYPTO short-circuits the wolfssl source compile entirely, but we
+    # still want to make sure WOLFSSL_LIB=1 doesn't break that path.
+    - name: Build test (WOLFSSL_LIB=1 NOCRYPTO=1)
+      run: |
+        cd test
+        make clean
+        make -j WOLFSSL_LIB=1 NOCRYPTO=1 \
+          WOLFSSL_DIR=$HOME/wolfssl-install/include \
+          WOLFSSL_LIBDIR=$HOME/wolfssl-install/lib
+
+    - name: Build benchmark (WOLFSSL_LIB=1)
+      run: |
+        cd benchmark
+        make clean
+        make -j WOLFSSL_LIB=1 \
+          WOLFSSL_DIR=$HOME/wolfssl-install/include \
+          WOLFSSL_LIBDIR=$HOME/wolfssl-install/lib
+
+    - name: Build POSIX server example (WOLFSSL_LIB=1)
+      run: |
+        cd examples/posix/wh_posix_server
+        make clean
+        make -j WOLFSSL_LIB=1 \
+          WOLFSSL_DIR=$HOME/wolfssl-install/include \
+          WOLFSSL_LIBDIR=$HOME/wolfssl-install/lib
+
+    - name: Build POSIX client example (WOLFSSL_LIB=1)
+      run: |
+        cd examples/posix/wh_posix_client
+        make clean
+        make -j WOLFSSL_LIB=1 \
+          WOLFSSL_DIR=$HOME/wolfssl-install/include \
+          WOLFSSL_LIBDIR=$HOME/wolfssl-install/lib
+
+    - name: Build whnvmtool (WOLFSSL_LIB=1)
+      run: |
+        cd tools/whnvmtool
+        make clean
+        make WOLFSSL_LIB=1 \
+          WOLFSSL_DIR=$HOME/wolfssl-install/include \
+          WOLFSSL_LIBDIR=$HOME/wolfssl-install/lib
+
+    - name: Run POSIX server/client smoke test (WOLFSSL_LIB=1)
+      run: |
+        export LD_LIBRARY_PATH=$HOME/wolfssl-install/lib:$LD_LIBRARY_PATH
+        cd examples/posix/wh_posix_server
+        ./Build/wh_posix_server.elf --type tcp &
+        SERVER_PID=$!
+        sleep 1
+        cd ../wh_posix_client
+        ./Build/wh_posix_client.elf --type tcp
+        kill $SERVER_PID || true

benchmark/Makefile

@@ -28,8 +28,14 @@ INC =	-I$(PROJECT_DIR) \
 # POSIX requires C source be defined before any header
 DEF += -D_POSIX_C_SOURCE=200809L
 
-# Library configuration defines for user-supplied settings
-DEF += -DWOLFSSL_USER_SETTINGS -DWOLFHSM_CFG
+# Library configuration defines for user-supplied settings.
+# When linking against an installed wolfSSL (WOLFSSL_LIB=1), skip
+# WOLFSSL_USER_SETTINGS so the installed library's compiled-in options.h
+# is used instead.
+DEF += -DWOLFHSM_CFG
+ifneq ($(WOLFSSL_LIB),1)
+DEF += -DWOLFSSL_USER_SETTINGS
+endif
 
 # Ensure this build uses POSIX test features
 DEF += -DWOLFHSM_CFG_TEST_POSIX
@@ -124,11 +130,22 @@ endif
 SRC_ASM +=
 
 ifneq ($(NOCRYPTO),1)
+ifeq ($(WOLFSSL_LIB),1)
+# Link against an installed wolfSSL library instead of compiling sources.
+# Set WOLFSSL_LIBDIR for a non-default install path. NO_INLINE keeps the
+# installed wolfSSL headers C90-clean.
+LIBS += -lwolfssl
+DEF += -DNO_INLINE
+ifneq ($(WOLFSSL_LIBDIR),)
+LDFLAGS += -L$(WOLFSSL_LIBDIR)
+endif
+else
 # wolfCrypt source files
 SRC_C +=  $(wildcard $(WOLFSSL_DIR)/wolfcrypt/src/*.c)
 
 # wolfSSL source files
 SRC_C +=  $(wildcard $(WOLFSSL_DIR)/src/*.c)
+endif
 
 # End of NOCRYPTO
 endif

examples/demo/client/wh_demo_client_crypto.c

@@ -1609,7 +1609,7 @@ int wh_DemoClient_CryptoCmacKdfCache(whClientContext* clientContext)
     /* Example: evict the key from cache once we are done with it */
     ret = wh_Client_KeyEvict(clientContext, keyId);
     if (ret != 0) {
-        WOLFHSM_CFG_PRINTF("Failed to wh_Client_KeyEvict %d\n", evictRet);
+        WOLFHSM_CFG_PRINTF("Failed to wh_Client_KeyEvict %d\n", ret);
     }
 
     return ret;

examples/demo/client/wh_demo_client_wcbench.c

@@ -1,7 +1,7 @@
 #include "wolfhsm/wh_client.h"
 #include "wolfhsm/wh_error.h"
 
-#if !defined(WOLFHSM_CFG_NO_CRYPTO)
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WH_DEMO_WCBENCH)
 #include "wolfcrypt/benchmark/benchmark.h"
 #endif
 
@@ -10,7 +10,7 @@
 int wh_DemoClient_wcBench(whClientContext* clientContext)
 {
     (void)clientContext;
-#if !defined(WOLFHSM_CFG_NO_CRYPTO)
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WH_DEMO_WCBENCH)
     return benchmark_test(NULL);
 #else
     return WH_ERROR_NOTIMPL;

examples/demo/client/wh_demo_client_wctest.c

@@ -1,7 +1,7 @@
 #include "wolfhsm/wh_client.h"
 #include "wolfhsm/wh_error.h"
 
-#if !defined(WOLFHSM_CFG_NO_CRYPTO)
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WH_DEMO_WCTEST)
 #include "wolfcrypt/test/test.h"
 #endif
 
@@ -10,7 +10,7 @@
 int wh_DemoClient_wcTest(whClientContext* clientContext)
 {
     (void)clientContext;
-#if !defined(WOLFHSM_CFG_NO_CRYPTO)
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WH_DEMO_WCTEST)
     return wolfcrypt_test(NULL);
 #else
     return WH_ERROR_NOTIMPL;

examples/posix/wh_posix_client/Makefile

@@ -30,8 +30,14 @@ INC =   -I$(PROJECT_DIR) \
 # POSIX requires C source be defined before any header
 DEF += -D_POSIX_C_SOURCE=200809L
 
-# Library configuration defines for user-supplied settings
-DEF += -DWOLFSSL_USER_SETTINGS -DWOLFHSM_CFG
+# Library configuration defines for user-supplied settings.
+# When linking against an installed wolfSSL (WOLFSSL_LIB=1), skip
+# WOLFSSL_USER_SETTINGS so the installed library's compiled-in options.h
+# is used instead.
+DEF += -DWOLFHSM_CFG
+ifneq ($(WOLFSSL_LIB),1)
+DEF += -DWOLFSSL_USER_SETTINGS
+endif
 
 # Architecture flags for assembler, C compiler and linker
 ARCHFLAGS ?=
@@ -96,15 +102,29 @@ endif
 SRC_ASM +=
 
 ifneq ($(NOCRYPTO),1)
+ifeq ($(WOLFSSL_LIB),1)
+# Link against an installed wolfSSL library instead of compiling sources.
+# Set WOLFSSL_LIBDIR for a non-default install path. NO_INLINE keeps the
+# installed wolfSSL headers C90-clean. Note: wolfCrypt test/benchmark
+# sources still require WOLFSSL_DIR to point at a wolfSSL checkout if
+# you want to build them in.
+LIBS += -lwolfssl
+DEF += -DNO_INLINE
+ifneq ($(WOLFSSL_LIBDIR),)
+LDFLAGS += -L$(WOLFSSL_LIBDIR)
+endif
+else
 # wolfCrypt source files
 SRC_C += $(wildcard $(WOLFSSL_DIR)/wolfcrypt/src/*.c)
 
-# wolfCrypt test/benchmark source files
-SRC_C += $(wildcard $(WOLFSSL_DIR)/wolfcrypt/test/*.c)
-SRC_C += $(wildcard $(WOLFSSL_DIR)/wolfcrypt/benchmark/*.c)
-
 # wolfSSL source files
 SRC_C += $(wildcard $(WOLFSSL_DIR)/src/*.c)
+endif
+
+# wolfCrypt test/benchmark source files (compiled even with WOLFSSL_LIB=1
+# since these are not part of libwolfssl)
+SRC_C += $(wildcard $(WOLFSSL_DIR)/wolfcrypt/test/*.c)
+SRC_C += $(wildcard $(WOLFSSL_DIR)/wolfcrypt/benchmark/*.c)
 
 # Set the default device ID for wolfCrypt tests
 ifeq ($(DMA),1)
@@ -123,10 +143,6 @@ ifeq ($(AUTH),1)
 DEF += -DWOLFHSM_CFG_ENABLE_AUTHENTICATION
 endif
 
-#wolfCrypt test/benchmark source files
-SRC_C += $(wildcard $(WOLFSSL_DIR)/wolfcrypt/test/*.c)
-SRC_C += $(wildcard $(WOLFSSL_DIR)/wolfcrypt/benchmark/*.c)
-
 else
 DEF += -DWOLFHSM_CFG_NO_CRYPTO
 endif

examples/posix/wh_posix_server/Makefile

@@ -28,8 +28,14 @@ INC =   -I$(PROJECT_DIR) \
 # POSIX requires C source be defined before any header
 DEF += -D_POSIX_C_SOURCE=200809L
 
-# Library configuration defines for user-supplied settings
-DEF += -DWOLFSSL_USER_SETTINGS -DWOLFHSM_CFG
+# Library configuration defines for user-supplied settings.
+# When linking against an installed wolfSSL (WOLFSSL_LIB=1), skip
+# WOLFSSL_USER_SETTINGS so the installed library's compiled-in options.h
+# is used instead.
+DEF += -DWOLFHSM_CFG
+ifneq ($(WOLFSSL_LIB),1)
+DEF += -DWOLFSSL_USER_SETTINGS
+endif
 
 
 # Architecture flags for assembler, C compiler and linker
@@ -113,9 +119,18 @@ SRC_ASM +=
 
 # wolfCrypt source files
 ifneq ($(NOCRYPTO),1)
+ifeq ($(WOLFSSL_LIB),1)
+# Link against an installed wolfSSL library instead of compiling sources.
+# Set WOLFSSL_LIBDIR for a non-default install path.
+LIBS += -lwolfssl
+ifneq ($(WOLFSSL_LIBDIR),)
+LDFLAGS += -L$(WOLFSSL_LIBDIR)
+endif
+else
 SRC_C += $(wildcard $(WOLFSSL_DIR)/wolfcrypt/src/*.c)
 # wolfSSL source files
 SRC_C += $(wildcard $(WOLFSSL_DIR)/src/*.c)
+endif
 else
 DEF += -DWOLFHSM_CFG_NO_CRYPTO
 endif

examples/posix/wh_posix_server/wh_posix_server.c

@@ -25,6 +25,8 @@
 #ifndef WOLFHSM_CFG_NO_CRYPTO
 /* included to print out the version of wolfSSL linked with */
 #include "wolfssl/version.h"
+#include "wolfssl/wolfcrypt/cryptocb.h"
+#include "wolfssl/wolfcrypt/error-crypt.h"
 #endif
 
 #include "wh_posix_cfg.h"

src/wh_server_cert.c

@@ -43,6 +43,24 @@
 #include "wolfssl/wolfcrypt/asn.h"
 
 
+/* Replicates GetSequence, which is WOLFSSL_LOCAL. */
+static int DerNextSequence(const uint8_t* input, uint32_t maxIdx,
+                           word32* inOutIdx, int* len)
+{
+    byte tag = 0;
+    int  rc;
+
+    rc = GetASNTag(input, inOutIdx, &tag, maxIdx);
+    if (rc < 0) {
+        return rc;
+    }
+    if (tag != (ASN_SEQUENCE | ASN_CONSTRUCTED)) {
+        return ASN_PARSE_E;
+    }
+    return GetLength(input, inOutIdx, len, maxIdx);
+}
+
+
 static int _verifyChainAgainstCmStore(whServerContext*      server,
                                       WOLFSSL_CERT_MANAGER* cm,
                                       const uint8_t* chain, uint32_t chain_len,
@@ -66,7 +84,7 @@ static int _verifyChainAgainstCmStore(whServerContext*      server,
         idx = 0;
 
         /* Get the length of the current certificate */
-        rc = GetSequence(cert_ptr, &idx, &cert_len, remaining_len);
+        rc = DerNextSequence(cert_ptr, remaining_len, &idx, &cert_len);
         if (rc < 0) {
             return rc;
         }