Exclude crypto algorithms according to user_settings.h #11
danielinux wants to merge 5 commits into wolfSSL:master from
Pull request overview
Ensures that disabling individual crypto algorithms via compile-time options in user_settings.h still yields a clean build, and adds CI coverage for a build-configuration matrix.
Changes:
- Add compile-time feature guards and stricter policy/initialization checks across PSA cipher/AEAD/MAC/hash/KDF/key storage codepaths.
- Expand PSA server tests (new init test + broader negative/edge-case coverage in the main API test suite).
- Add a build-variant harness and GitHub Actions workflow to build many feature-exclusion combinations.
Reviewed changes
Copilot reviewed 18 out of 21 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| wolfpsa/psa_key_storage.h | Exposes new test hooks for volatile key-id sequencing. |
| wolfpsa.map | Exports the new test-hook symbols from the shared library. |
| test/psa_server/psa_ecc_bit_inference_test.c | Refactors and expands ECC key-bit inference tests (incl. raw public keys). |
| test/psa_server/psa_crypto_init_test.c | Adds a standalone test for init-required behavior and psa_crypto_init error mapping via link-time wrapping. |
| test/psa_server/psa_api_test.c | Adds extensive negative/edge-case coverage for policy mismatches, error-state aborts, copy/export behavior, KDF sequencing, etc. |
| test/Makefile | Adds psa_crypto_init_test build target. |
| src/psa_tls_prf.c | Avoids compiling TLS13 PRF code when HKDF/HMAC support is excluded. |
| src/psa_random.c | Enforces psa_crypto_init() prerequisite for random generation. |
| src/psa_mac.c | Adds CMAC compile guards, stricter key-policy checks, and “fail aborts op” behavior. |
| src/psa_key_storage.c | Adds stored-length validation, ECC public-key bit inference for Montgomery/Twisted Edwards, alg2 rejection, ChaCha20 checks, and key-id wrap guard. |
| src/psa_key_derivation.c | Adds feature gating, PBKDF2 zero-cost rejection, input policy enforcement, HKDF-Extract prefix output support, and sequential output handling. |
| src/psa_hash_engine.c | Enforces init prerequisite and “fail aborts op” behavior; strengthens cleanup zeroization. |
| src/psa_engine.c | Tightens ChaCha20 key-size validation to 256-bit only. |
| src/psa_crypto.c | Implements psa_crypto_init() via wolfCrypt_Init() and tracks init state. |
| src/psa_cipher.c | Adds feature guards (ChaCha, CMAC-related, AES mode macros), extends algorithm support list, and “fail aborts op” behavior. |
| src/psa_asymmetric_api.c | Enforces that PSA_ALG_NONE policy is rejected (not treated as wildcard). |
| src/psa_aead.c | Adds compile-time algorithm gating, policy enforcement for PSA_ALG_NONE, safe handling for NULL+0 buffers, and stronger cleanup. |
| build-test/user_settings.h | Adds a matrix-harness-specific user settings file defining required invariants. |
| build-test/build-variant.sh | Adds a baseline+modifier build script for feature-matrix builds. |
| .gitignore | Ignores the new test binary and .codex. |
| .github/workflows/build-config-matrix.yml | Adds a CI job to build many feature-exclusion lanes against a sibling wolfSSL checkout. |
3e9c0a2 to 543225c
Copilot reviewed 17 out of 20 changed files in this pull request and generated 3 comments.
a2e21ea to 2c4a9b8
according to user_settings.h
Copilot reviewed 8 out of 9 changed files in this pull request and generated 2 comments.
Copilot reviewed 8 out of 9 changed files in this pull request and generated 3 comments.
wolfSSL-Fenrir-bot left a comment
Fenrir Automated Review — PR #11
Scan targets checked: wolfpsa-bugs, wolfpsa-consttime, wolfpsa-defaults, wolfpsa-mutation, wolfpsa-proptest, wolfpsa-src, wolfpsa-zeroize
Findings: 2
2 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
Copilot reviewed 8 out of 9 changed files in this pull request and generated 2 comments.
wolfSSL-Fenrir-bot left a comment
Fenrir Automated Review — PR #11
Scan targets checked: wolfpsa-bugs, wolfpsa-consttime, wolfpsa-defaults, wolfpsa-mutation, wolfpsa-proptest, wolfpsa-src, wolfpsa-zeroize
Findings: 2
2 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
Ensure that excluding algorithms via compile-time options in user_settings.h produces a clean build. Added build tests excluding each and every option.

Reported in zd21522