Increase test coverage

* More PQC configurations
* More CMake setups

Added some missing feature additions to CMake to make the example
`user_settings_all.` config file work for the CI test.

Author: Frauschi

.github/workflows/cmake.yml

@@ -78,7 +78,8 @@ jobs:
             -DWOLFSSL_TLSX:BOOL=yes -DWOLFSSL_TPM:BOOL=yes -DWOLFSSL_CLU:BOOL=yes -DWOLFSSL_USER_SETTINGS:BOOL=no \
             -DWOLFSSL_USER_SETTINGS_ASM:BOOL=no -DWOLFSSL_WOLFSSH:BOOL=ON -DWOLFSSL_X86_64_BUILD_ASM:BOOL=yes \
             -DWOLFSSL_MLKEM=1 -DWOLFSSL_LMS=1 -DWOLFSSL_LMSSHA256192=1 -DWOLFSSL_EXPERIMENTAL=1 \
-            -DWOLFSSL_X963KDF:BOOL=yes \
+            -DWOLFSSL_X963KDF:BOOL=yes -DWOLFSSL_DILITHIUM:BOOL=yes -DWOLFSSL_PKCS11:BOOL=yes \
+            -DWOLFSSL_ECCSI:BOOL=yes -DWOLFSSL_SAKKE:BOOL=yes -DWOLFSSL_SIPHASH:BOOL=yes \
             -DCMAKE_C_FLAGS="-DWOLFSSL_DTLS_CH_FRAG" \
             ..
         cmake --build .
@@ -89,9 +90,6 @@ jobs:
         cd ..
         rm -rf build
 
-        # Kyber Cmake broken
-        # -DWOLFSSL_KYBER:BOOL=yes
-
 # build "lean-tls" wolfssl
     - name: Build wolfssl with lean-tls
       working-directory: ./wolfssl
@@ -107,3 +105,23 @@ jobs:
         # clean up
         cd ..
         rm -rf build
+
+# CMake build with user_settings.h
+    - name: Build wolfssl with user_settings.h
+      working-directory: ./wolfssl
+      run: |
+        mkdir build
+        cp examples/configs/user_settings_all.h ./build/user_settings.h
+        cd build
+        cmake -DCMAKE_VERBOSE_MAKEFILE:BOOL=ON -DWOLFSSL_INSTALL=yes -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" \
+            -DWOLFSSL_USER_SETTINGS=ON -DWOLFSSL_USER_SETTINGS_ASM=ON -DWOLFSSL_EXAMPLES=ON -DWOLFSSL_CRYPT_TESTS=ON \
+            -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -I ." \
+            ..
+        cmake --build .
+        ctest -j $(nproc)
+        cmake --install .
+
+        # clean up
+        cd ..
+        rm -rf build
+        rm user_settings.h

.github/workflows/pq-all.yml

@@ -19,9 +19,13 @@ jobs:
         config: [
           # Add new configs here
           '--enable-intelasm --enable-sp-asm --enable-mlkem=yes,kyber,ml-kem CPPFLAGS="-DWOLFSSL_ML_KEM_USE_OLD_IDS"',
-          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
-          '--enable-smallstack --enable-smallstackcache --enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
-          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE" CC=c++'
+          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
+          '--enable-smallstack --enable-smallstackcache --enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
+          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE" CC=c++',
+          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFSSL_BLIND_PRIVATE_KEY"',
+          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ"',
+          '--disable-intelasm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem,small --enable-lms=yes,small --enable-xmss=yes,small --enable-dilithium=yes,small --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFSSL_MLKEM_MAKEKEY_SMALL_MEM -DWOLFSSL_MLKEM_ENCAPSULATE_SMALL_MEM -DWOLFSSL_MLKEM_NO_LARGE_CODE -DWOLFSSL_DILITHIUM_SIGN_SMALL_MEM -DWOLFSSL_DILITHIUM_VERIFY_SMALL_MEM -DWOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM -DWOLFSSL_DILITHIUM_NO_LARGE_CODE"',
+          '--disable-intelasm --enable-smallstack --enable-smallstackcache --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem,small --enable-lms=yes,small --enable-xmss=yes,small --enable-dilithium=yes,small --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFSSL_MLKEM_MAKEKEY_SMALL_MEM -DWOLFSSL_MLKEM_ENCAPSULATE_SMALL_MEM -DWOLFSSL_MLKEM_NO_LARGE_CODE -DWOLFSSL_DILITHIUM_SIGN_SMALL_MEM -DWOLFSSL_DILITHIUM_VERIFY_SMALL_MEM -DWOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM -DWOLFSSL_DILITHIUM_NO_LARGE_CODE"',
         ]
     name: make check
     if: github.repository_owner == 'wolfssl'

CMakeLists.txt

@@ -711,11 +711,18 @@ if (WOLFSSL_EXPERIMENTAL)
         set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 1)
 
         message(STATUS "Automatically set related requirements for Dilithium:")
-        set_wolfssl_definitions("HAVE_DILITHIUM"       RESUlT)
-        set_wolfssl_definitions("WOLFSSL_WC_DILITHIUM" RESUlT)
-        set_wolfssl_definitions("WOLFSSL_SHA3"       RESUlT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE128"   RESUlT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE256"   RESUlT)
+        add_definitions("-DHAVE_DILITHIUM")
+        add_definitions("-DWOLFSSL_WC_DILITHIUM")
+        add_definitions("-DWOLFSSL_SHA3")
+        add_definitions("-DWOLFSSL_SHAKE128")
+        add_definitions("-DWOLFSSL_SHAKE256")
+
+        message(STATUS "Automatically set related requirements for Dilithium:")
+        set_wolfssl_definitions("HAVE_DILITHIUM"       RESULT)
+        set_wolfssl_definitions("WOLFSSL_WC_DILITHIUM" RESULT)
+        set_wolfssl_definitions("WOLFSSL_SHA3"         RESULT)
+        set_wolfssl_definitions("WOLFSSL_SHAKE128"     RESULT)
+        set_wolfssl_definitions("WOLFSSL_SHAKE256"     RESULT)
         message(STATUS "Looking for WOLFSSL_DILITHIUM - found")
     else()
         message(STATUS "Looking for WOLFSSL_DILITHIUM - not found")
@@ -1063,6 +1070,41 @@ if(WOLFSSL_ECC)
     endif()
 endif()
 
+# ECCSI
+add_option("WOLFSSL_ECCSI"
+    "Enable ECCSI (default: disabled)"
+    "no" "yes;no")
+
+if(WOLFSSL_ECCSI)
+    if (NOT WOLFSSL_ECC)
+        message(FATAL_ERROR "cannot enable ECCSI without enabling ECC.")
+    endif()
+
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFCRYPT_HAVE_ECCSI -DWOLFSSL_PUBLIC_MP")
+endif()
+
+# SAKKE
+add_option("WOLFSSL_SAKKE"
+    "Enable SAKKE (default: disabled)"
+    "no" "yes;no")
+
+if(WOLFSSL_SAKKE)
+    if (NOT WOLFSSL_ECC)
+        message(FATAL_ERROR "cannot enable SAKKE without enabling ECC.")
+    endif()
+
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFCRYPT_HAVE_SAKKE")
+endif()
+
+# SipHash
+add_option("WOLFSSL_SIPHASH"
+    "Enable SipHash (default: disabled)"
+    "no" "yes;no")
+
+if(WOLFSSL_SIPHASH)
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SIPHASH")
+endif()
+
 # TODO: - Compressed key
 #       - FP ECC, fixed point cache ECC
 #       - ECC encrypt
@@ -1898,6 +1940,7 @@ add_option("WOLFSSL_PKCS11"
     "no" "yes;no")
 
 if(WOLFSSL_PKCS11 AND NOT WIN32)
+    list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_PKCS11 -DHAVE_WOLF_BIGINT")
     list(APPEND WOLFSSL_LINK_LIBS ${CMAKE_DL_LIBS})
 endif()
 

cmake/functions.cmake

@@ -108,6 +108,15 @@ function(generate_build_flags)
     if(WOLFSSL_ECC OR WOLFSSL_USER_SETTINGS)
         set(BUILD_ECC "yes" PARENT_SCOPE)
     endif()
+    if(WOLFSSL_ECCSI OR WOLFSSL_USER_SETTINGS)
+        set(BUILD_ECCSI "yes" PARENT_SCOPE)
+    endif()
+    if(WOLFSSL_SAKKE OR WOLFSSL_USER_SETTINGS)
+        set(BUILD_SAKKE "yes" PARENT_SCOPE)
+    endif()
+    if(WOLFSSL_SIPHASH OR WOLFSSL_USER_SETTINGS)
+        set(BUILD_SIPHASH "yes" PARENT_SCOPE)
+    endif()
     if(WOLFSSL_ED25519 OR WOLFSSL_USER_SETTINGS)
         set(BUILD_ED25519 "yes" PARENT_SCOPE)
     endif()
@@ -914,6 +923,18 @@ function(generate_lib_src_list LIB_SOURCES)
             list(APPEND LIB_SOURCES wolfcrypt/src/ecc.c)
         endif()
 
+        if(BUILD_ECCSI)
+            list(APPEND LIB_SOURCES wolfcrypt/src/eccsi.c)
+        endif()
+
+        if(BUILD_SAKKE)
+            list(APPEND LIB_SOURCES wolfcrypt/src/sakke.c)
+        endif()
+
+        if(BUILD_SIPHASH)
+            list(APPEND LIB_SOURCES wolfcrypt/src/siphash.c)
+        endif()
+
         if(BUILD_CURVE25519)
             list(APPEND LIB_SOURCES wolfcrypt/src/curve25519.c)
             if(BUILD_ARMASM)
@@ -942,21 +963,17 @@ function(generate_lib_src_list LIB_SOURCES)
         endif()
 
         if(BUILD_FEMATH)
-            if(BUILD_CURVE25519_SMALL)
                 list(APPEND LIB_SOURCES wolfcrypt/src/fe_low_mem.c)
-            else()
+
                 if(BUILD_INTELASM)
                     list(APPEND LIB_SOURCES wolfcrypt/src/fe_x25519_asm.S)
                 else()
                     list(APPEND LIB_SOURCES wolfcrypt/src/fe_operations.c)
                 endif()
-            endif()
         endif()
 
         if(BUILD_GEMATH)
-            if(BUILD_ED25519_SMALL)
                 list(APPEND LIB_SOURCES wolfcrypt/src/ge_low_mem.c)
-            else()
                 list(APPEND LIB_SOURCES wolfcrypt/src/ge_operations.c)
 
                 if(NOT BUILD_FEMATH)
@@ -966,7 +983,6 @@ function(generate_lib_src_list LIB_SOURCES)
                         list(APPEND LIB_SOURCES wolfcrypt/src/fe_operations.c)
                     endif()
                 endif()
-            endif()
         endif()
 
         if(BUILD_CURVE448)

examples/configs/user_settings_all.h

@@ -216,8 +216,9 @@ extern "C" {
 #define HAVE_HASHDRBG
 #define HAVE_CURVE25519
 #define HAVE_ED25519
+#define ED25519_SMALL
 #define WOLFSSL_ED25519_STREAMING_VERIFY
-#define CURVED25519_SMALL
+#define CURVE25519_SMALL
 #define HAVE_ED448
 #define WOLFSSL_ED448_STREAMING_VERIFY
 #define HAVE_CURVE448

wolfcrypt/src/dilithium.c

@@ -8788,9 +8788,9 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key,
                 const byte* s2pt = s2p;
             #endif
                 sword32* cs2 = ct0;
+                byte idx = 0;
                 w0t = w0;
                 w1t = w1;
-                byte idx = 0;
 
                 for (r = 0; valid && (r < params->k); r++) {
             #ifndef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC

wolfcrypt/src/wc_lms_impl.c

@@ -3185,9 +3185,14 @@ int wc_hss_reload_key(LmsState* state, const byte* priv_raw,
     (void)pub_root;
 
     /* Defend against undefined shifts; LmsParams* params = state->params */
-    if ((state->params->cacheBits >= 32U) || (state->params->height >= 32U)) {
+    if (state->params->height >= 32U) {
         return BAD_FUNC_ARG;
     }
+#ifndef WOLFSSL_WC_LMS_SMALL
+    if (state->params->cacheBits >= 32U) {
+        return BAD_FUNC_ARG;
+    }
+#endif
 
     wc_hss_priv_data_load(state->params, priv_key, priv_data);
 #ifndef WOLFSSL_WC_LMS_SMALL