add .github/workflows/symbol-prefixes.yml.

configure.ac: * add ML-KEM, ML-DSA, XMSS, and LMS to --enable-all-crypto when !ENABLED_FIPS. * swap order of --enable-kyber and --enable-mlkem handler code to put mlkem first. * add --enable-mldsa hander code. * remove setup code that was adding -DWOLFSSL_NO_TLS12 and -DNO_OLD_TLS to AM_CFLAGS when ENABLED_CRYPTONLY -- NO_OLD_TLS is already defined earlier for when ENABLED_CRYPTONLY, and WOLFSSL_NO_TLS12 breaks wc_PRF_TLS(), which is inside-the-FIPS-boundary crypto. linuxkm/linuxkm_wc_port.h: * adopt the WC_SANITIZE_DISABLE and WC_SANITIZE_ENABLE setup code from settings.h (where it didn't belong). * fix FIPS remapping of wc_InitMutex&friends to InitMutex&friends -- inhibit when WOLFSSL_API_PREFIX_MAP. wolfcrypt/src/ge_operations.c: add _wc_curve25519_dummy() to fix visibility of curve25519(). wolfcrypt/src/poly1305.c: fix visibility of several unprefixed helper routines. wolfcrypt/test/test.c: fix gating on tls12_kdf_test() and prf_test() (both require !WOLFSSL_NO_TLS12). wolfssl/internal.h, wolfssl/wolfio.h: add several WOLFSSL_API_PREFIX_MAPs. wolfssl/wolfcrypt/ge_operations.h: fix visibility of several internal asm functions. wolfssl/wolfcrypt/settings.h: in WOLFSSL_LINUXKM setup, add gates to avoid redef warnings for various settings, and remove the setup for WC_SANITIZE_{DISABLE,ENABLE} (moved to linuxkm_wc_port.h as noted above). wolfssl/wolfcrypt/wc_port.h: add WOLFSSL_API_PREFIX_MAPs for InitMutex() and friends.
2026-02-03 23:05:05 +01:00 · 2025-10-09 15:19:43 -05:00
parent f070ae1024
commit f1d014aecd
11 changed files with 214 additions and 86 deletions
--- a/.github/workflows/symbol-prefixes.yml
+++ b/.github/workflows/symbol-prefixes.yml
@@ -0,0 +1,64 @@
+name: WOLFSSL_API_PREFIX_MAP
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  make_and_analyze:
+    strategy:
+      matrix:
+        config: [
+          '--enable-all CFLAGS=-DWOLFSSL_API_PREFIX_MAP'
+        ]
+    name: make and analyze
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-22.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 6
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout wolfSSL
+
+      - name: Test --enable-opensslcoexist and TEST_OPENSSL_COEXIST
+        run: |
+          ./autogen.sh || $(exit 2)
+          ./configure ${{ matrix.config }} || $(exit 3)
+          make -j 4 || $(exit 4)
+          # ignore properly prefixed symbols, and symbols associated with asm implementations (all internal) regardless of prefix:
+          readelf --symbols --wide src/.libs/libwolfssl.so | \
+          awk ' \
+          BEGIN { \
+              unprefixed_public_symbols = 0; \
+          } \
+          { \
+              if (($7 == "UND") || \
+                  ($8 ~ /^(wc_|wolf|WOLF|__pfx|fe_|sp_[a-zA-Z090-0_]*[0-9])/) || \
+                  ($8 ~ /(_avx[12]|_AVX[12]|_sse[12]|_SSE[12]|_aesni|_AESNI|_bmi2|_x64$)/)) \
+              { \
+                  next; \
+              } \
+          } \
+          { \
+              if (($4 == "FUNC") && ($5 == "GLOBAL") && ($6 == "DEFAULT")) { \
+                  ++unprefixed_public_symbols; \
+                  print; \
+              } \
+          } \
+          END { \
+              if (unprefixed_public_symbols) { \
+                  print unprefixed_public_symbols " unprefixed public symbols found." >"/dev/stderr";
+                  exit(1); \
+              } else { \
+                  print "no unprefixed public symbols found."
+                  exit(0); \
+              } \
+          }' || $(exit 5)