Skip to content

20251009-more-WOLFSSL_API_PREFIX_MAP#9287

Merged
dgarske merged 3 commits intowolfSSL:masterfrom
douzzer:20251009-more-WOLFSSL_API_PREFIX_MAP
Oct 10, 2025
Merged

20251009-more-WOLFSSL_API_PREFIX_MAP#9287
dgarske merged 3 commits intowolfSSL:masterfrom
douzzer:20251009-more-WOLFSSL_API_PREFIX_MAP

Conversation

@douzzer
Copy link
Copy Markdown
Contributor

@douzzer douzzer commented Oct 9, 2025
edited
Loading

This is a mop-up second round of visibility fixes, follow on to #9282 . It adds a workflow to validate namespace hygiene when defined(WOLFSSL_API_PREFIX_MAP).

commit msg:

add .github/workflows/symbol-prefixes.yml.

configure.ac:

  • swap order of --enable-kyber and --enable-mlkem handler code to put mlkem first.
  • add --enable-mldsa hander code.
  • remove setup code that was adding -DWOLFSSL_NO_TLS12 and -DNO_OLD_TLS to
    AM_CFLAGS when ENABLED_CRYPTONLY -- NO_OLD_TLS is already defined earlier
    when ENABLED_CRYPTONLY, and WOLFSSL_NO_TLS12 breaks wc_PRF_TLS(), which is
    inside-the-FIPS-boundary crypto.

wolfssl/ssl.h: make sure WOLFSSL_NO_TLS12 is defined in the TLS layer when NO_TLS.

linuxkm/linuxkm_wc_port.h:

  • adopt the WC_SANITIZE_DISABLE and WC_SANITIZE_ENABLE setup code from
    settings.h (where it didn't belong).
  • fix FIPS remapping of wc_InitMutex&friends to InitMutex&friends -- inhibit
    when WOLFSSL_API_PREFIX_MAP.

wolfcrypt/src/ge_operations.c: add _wc_curve25519_dummy() to fix visibility of
curve25519().

wolfcrypt/src/poly1305.c: fix visibility of several unprefixed helper routines.

wolfcrypt/test/test.c: fix gating on tls12_kdf_test() and prf_test() (both
require !WOLFSSL_NO_TLS12).

wolfssl/internal.h, wolfssl/wolfio.h: add several WOLFSSL_API_PREFIX_MAPs.

wolfssl/wolfcrypt/ge_operations.h: fix visibility of several internal asm
functions.

wolfssl/wolfcrypt/settings.h: in WOLFSSL_LINUXKM setup, add gates to avoid redef
warnings for various settings, and remove the setup for
WC_SANITIZE_{DISABLE,ENABLE} (moved to linuxkm_wc_port.h as noted above).

wolfssl/wolfcrypt/wc_port.h: add WOLFSSL_API_PREFIX_MAPs for InitMutex() and
friends.

tested with multi-test using a new check-for-unprefixed-symbols scenario, and with a full pr-check.

final tally for f767bd2851 with build env dc4deaa494: all 51 selected checks succeeded.

@devin-ai-integration

This comment was marked as spam.

Sign in to view
douzzer added 2 commits October 9, 2025 15:34
@douzzer
add .github/workflows/symbol-prefixes.yml.
f1d014a 
configure.ac:
* add ML-KEM, ML-DSA, XMSS, and LMS to --enable-all-crypto when !ENABLED_FIPS.
* swap order of --enable-kyber and --enable-mlkem handler code to put mlkem first.
* add --enable-mldsa hander code.
* remove setup code that was adding -DWOLFSSL_NO_TLS12 and -DNO_OLD_TLS to
  AM_CFLAGS when ENABLED_CRYPTONLY -- NO_OLD_TLS is already defined earlier for
  when ENABLED_CRYPTONLY, and WOLFSSL_NO_TLS12 breaks wc_PRF_TLS(), which is
  inside-the-FIPS-boundary crypto.

linuxkm/linuxkm_wc_port.h:
* adopt the WC_SANITIZE_DISABLE and WC_SANITIZE_ENABLE setup code from
  settings.h (where it didn't belong).
* fix FIPS remapping of wc_InitMutex&friends to InitMutex&friends -- inhibit
  when WOLFSSL_API_PREFIX_MAP.

wolfcrypt/src/ge_operations.c: add _wc_curve25519_dummy() to fix visibility of
curve25519().

wolfcrypt/src/poly1305.c: fix visibility of several unprefixed helper routines.

wolfcrypt/test/test.c: fix gating on tls12_kdf_test() and prf_test() (both
  require !WOLFSSL_NO_TLS12).

wolfssl/internal.h, wolfssl/wolfio.h: add several WOLFSSL_API_PREFIX_MAPs.

wolfssl/wolfcrypt/ge_operations.h: fix visibility of several internal asm
  functions.

wolfssl/wolfcrypt/settings.h: in WOLFSSL_LINUXKM setup, add gates to avoid redef
  warnings for various settings, and remove the setup for
  WC_SANITIZE_{DISABLE,ENABLE} (moved to linuxkm_wc_port.h as noted above).

wolfssl/wolfcrypt/wc_port.h: add WOLFSSL_API_PREFIX_MAPs for InitMutex() and
  friends.
@douzzer
configure.ac: don't add PQC to --enable-all-crypto -- not ready yet.
d1ba8eb 
.github/workflows/symbol-prefixes.yml: count and report total_public_symbols, and use a better pattern to classify refs as defs.
@douzzer douzzer force-pushed the 20251009-more-WOLFSSL_API_PREFIX_MAP branch from 3e9c740 to d1ba8eb Compare October 9, 2025 21:39
@douzzer
.github/workflows/symbol-prefixes.yml: add PQC, --enable-acert, and -…
f767bd2 
…-with-sys-crypto-policy to configuration;

wolfssl/ssl.h: make sure WOLFSSL_NO_TLS12 is defined in the TLS layer when NO_TLS.
@douzzer
Copy link
Copy Markdown
Contributor Author

douzzer commented Oct 9, 2025

output from the new exported-symbol checker:

[check-for-unprefixed-symbols] [43 of 51] [f767bd2851]
    configure[all+pqc]...   real 0m8.612s  user 0m5.360s  sys 0m4.237s
    build...   real 0m15.946s  user 2m3.810s  sys 0m5.622s
    8218 public symbols found in libwolfssl, all OK.
    configure[all-noasm]...   real 0m8.137s  user 0m5.065s  sys 0m4.008s
    build...   real 0m15.069s  user 1m51.238s  sys 0m4.851s
    7278 public symbols found in libwolfssl, all OK.
    configure[defaults]...   real 0m4.440s  user 0m2.590s  sys 0m2.235s
    build...   real 0m2.187s  user 0m31.586s  sys 0m3.070s
    1524 public symbols found in libwolfssl, all OK.
    [targeting kernel /usr/src/linux-6.16.8-gentoo kversion 6.16.8-gentoo]
    configure[linuxkm-all]...   real 0m5.023s  user 0m2.869s  sys 0m2.607s
    build...   real 0m3.479s  user 0m19.417s  sys 0m2.045s
    1964 public symbols found in libwolfssl, all OK.
    setting up FIPS "dev"... done [fips="master" (e614fc3464), wolfCrypt=current OID under test (f767bd2851)]
    [targeting kernel /usr/src-extra/linux-6.1.73-gentoo-fortify-fips kversion 6.1.73-gentoo-fortify-fips]
    configure[linuxkm-cryptonly-all-fips-dev]...   real 0m5.934s  user 0m3.416s  sys 0m3.177s
    build...warning: the compiler differs from the one used to build the kernel
  The kernel was built by: gcc (Gentoo 14.3.0 p8) 14.3.0
  You are using:           gcc (Gentoo 14.3.1_p20250801 p4) 14.3.1 20250801
warning: the compiler differs from the one used to build the kernel
  The kernel was built by: gcc (Gentoo 14.3.0 p8) 14.3.0
  You are using:           gcc (Gentoo 14.3.1_p20250801 p4) 14.3.1 20250801
   real 0m10.231s  user 0m26.230s  sys 0m4.565s
    1161 public symbols found in libwolfssl, all OK.
    scenario started 2025-10-09T23:16:17.151991Z, real elapsed 1m20.935897s
    check-for-unprefixed-symbols OK

@douzzer
Copy link
Copy Markdown
Contributor Author

douzzer commented Oct 9, 2025

retest this please
(hoping for better luck on PRB-fipsv2-regression-and-rolling-release-v3, which failed on 1st try on wolf-linux-cloud-node-jxti9x with

Running configure script...
configure: error: unrecognized options: --with-libtool-sysroot

)

@douzzer
Copy link
Copy Markdown
Contributor Author

douzzer commented Oct 10, 2025

retest this please

@douzzer
Copy link
Copy Markdown
Contributor Author

douzzer commented Oct 10, 2025

retest this please
(PRB-fipsv2-regression-and-rolling-release-v3 is broken on gcloud nodes, but passes on boz-amd)

@dgarske dgarske merged commit 46281a2 into wolfSSL:master Oct 10, 2025
266 of 268 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dgarske dgarske dgarske approved these changes

@kaleb-himes kaleb-himes Awaiting requested review from kaleb-himes

@wolfSSL-Bot wolfSSL-Bot Awaiting requested review from wolfSSL-Bot

@SparkiDev SparkiDev Awaiting requested review from SparkiDev

Assignees

@wolfSSL-Bot wolfSSL-Bot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@douzzer @dgarske @wolfSSL-Bot