Skip to content

cmake: add more build options in line with automake#10834

Open
SparkiDev wants to merge 1 commit into
wolfSSL:masterfrom
SparkiDev:cmake_update_1
Open

cmake: add more build options in line with automake#10834
SparkiDev wants to merge 1 commit into
wolfSSL:masterfrom
SparkiDev:cmake_update_1

Conversation

@SparkiDev

Copy link
Copy Markdown
Contributor

Description

Updates

  • ~100 individual options added (ciphers, TLS features, debug/test, caches, kernel-module, key-size numerics, asm) + fixed WOLFSSL_32BIT's missing define.
  • 37 app-integration bundles (openssh, nginx, haproxy, openvpn, wpas, apachehttpd, jni, wolfclu, wolfsentry, ...) - each force-enables its sub-options and emits its defines; all build clean and match ./configure --enable-X exactly (miss=0/extra=0).
  • Each option wired in 3 places: add_option + define in CMakeLists.txt, #cmakedefine in options.h.in, source selection where needed. Verified by real libwolfssl.so builds.

Testing

None

@SparkiDev SparkiDev self-assigned this Jul 2, 2026

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #10834

No scan targets match the changed files in this PR. Review skipped.

@SparkiDev

Copy link
Copy Markdown
Contributor Author

Jenkins: retest this please

@SparkiDev SparkiDev assigned wolfSSL-Bot and unassigned SparkiDev Jul 2, 2026

@Frauschi Frauschi left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🐺 Skoll Code Review

Overall recommendation: APPROVE
Findings: 4 total — 3 posted, 1 skipped

Posted findings

  • [Medium] App-bundle sub-option forcing runs before options are defined, degrading cache entriesCMakeLists.txt:250-534
  • [Medium] Inconsistent WOLFSSL_LINUX_KM gating silently no-ops some kernel optionsCMakeLists.txt:2940-2960
  • [Low] Repeated empty placeholder comment blocks in options.h.incmake/options.h.in:811-817
Skipped findings
  • [Medium] New build options ship with no test/CI coverage

Review generated by Skoll via Claude/Codex

Comment thread CMakeLists.txt
Comment thread CMakeLists.txt
Comment thread cmake/options.h.in Outdated

@Frauschi Frauschi left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skoll review (follow-up). Thanks for the earlier fixes — I confirmed all three of my previous comments are addressed (force_option via GLOBAL property preserves cache type/help; LINUXKM_PIE/BENCHMARKS now warn when WOLFSSL_LINUX_KM is off; the empty options.h.in parity headers are gone).

One blocking issue remains, plus a few suggestions/nits below.

Comment thread CMakeLists.txt
Comment thread CMakeLists.txt Outdated
Comment thread CMakeLists.txt
Comment thread CMakeLists.txt
Comment thread CMakeLists.txt
@SparkiDev SparkiDev force-pushed the cmake_update_1 branch 2 times, most recently from 0394385 to da5c186 Compare July 4, 2026 00:29
@SparkiDev

Copy link
Copy Markdown
Contributor Author

Jenkins: retest this please

@Frauschi Frauschi left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🐺 Skoll Code Review

Overall recommendation: REQUEST_CHANGES
Findings: 3 total — 1 posted, 2 skipped

Posted findings

  • [High] New RC2/ASCON/SM2/SM3/SM4 options define feature macros but never compile their source filesCMakeLists.txt:2967
Skipped findings
  • [Medium] force_option silently overrides an explicit user setting with no diagnostic
  • [Low] A force_option for an option never declared via add_option silently has no effect

Review generated by Skoll via Claude/Codex

Comment thread CMakeLists.txt
@SparkiDev

Copy link
Copy Markdown
Contributor Author

Jenkins: retest this please

@SparkiDev SparkiDev assigned Frauschi and unassigned SparkiDev Jul 7, 2026
Frauschi
Frauschi previously approved these changes Jul 7, 2026
@Frauschi Frauschi assigned wolfSSL-Bot and unassigned Frauschi Jul 7, 2026

@dgarske dgarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skoll Multi-Scan Review

Modes: review + review-securityOverall recommendation: COMMENT
Findings: 5 total — 5 posted, 0 skipped
5 finding(s) posted as inline comments (see file-level comments below)

Posted findings

  • [Medium] [review+review-security] WC_32BIT_CPU emitted on compile line but missing #cmakedefine in options.h.inCMakeLists.txt:555-557 (and missing entry in cmake/options.h.in near line 242)
  • [Low] [review-security] SM2/SM3/SM4 sources selected under FIPS v2, deviating from automake !BUILD_FIPS_V2_PLUS guardcmake/functions.cmake:924-964
  • [Low] [review] Non-numeric WOLFSSL_MAX_RSA_BITS / WOLFSSL_MAX_ECC_BITS bypass range validationCMakeLists.txt:3705-3730 (Maximum key size options block)
  • [Info] [review] set_wolfssl_definitions PARENT_SCOPE change adds compile-line defines for PQC builds (confirm intent)cmake/functions.cmake:1325-1329
  • [Info] [review-security] force_option applied only via add_option; forced non-add_option options would be silently ignoredcmake/functions.cmake:18-41

Review generated by Skoll

Comment thread cmake/functions.cmake
list(APPEND LIB_SOURCES wolfcrypt/src/ascon.c)
endif()

# ShangMi SM2/SM3/SM4. The implementation files are provided by the

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 [Low] SM2/SM3/SM4 sources selected under FIPS v2, deviating from automake !BUILD_FIPS_V2_PLUS guard · Logic

The new ShangMi source-selection block guards sm2.c/sm3.c/sm4.c with only if(NOT BUILD_FIPS_V5). The accompanying comment claims 'this block is already inside NOT BUILD_FIPS_V2', but it is not: the enclosing scope is if(NOT BUILD_FIPS_RAND) opened at line 839, with no NOT BUILD_FIPS_V2 wrapper between line 839 and the SM block at 929. The authoritative automake rule in src/include.am guards all three sources with !BUILD_FIPS_V2_PLUS (excludes FIPS v2 AND v5). For a FIPS v2 build that also enables SM2/SM3/SM4, the cmake build would compile sm2.c/sm3.c/sm4.c while automake excludes them: with external wolfsm sources present this places non-FIPS crypto inside the FIPS module boundary (certification-relevant); without wolfsm the in-tree stubs #error and break the build. Also sp_sm2_arm32.c/sp_sm2_arm64.c lack the extra !BUILD_FIPS_V2 inner guards automake applies, and sp_sm2_x86_64_asm.S is gated on WOLFSSL_X86_64_BUILD_ASM whereas automake adds it unconditionally under BUILD_SP_X86_64.

Fix: Wrap the SM block in if(NOT BUILD_FIPS_V2 AND NOT BUILD_FIPS_V5) (i.e. reproduce !BUILD_FIPS_V2_PLUS) to match automake, and fix the misleading comment. Consider mirroring automake's inner !BUILD_FIPS_V2 guards on the sp_sm2_arm32/arm64 entries.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.
Changed the guard to if(NOT BUILD_FIPS_V2 AND NOT BUILD_FIPS_V5

Comment thread CMakeLists.txt
"Maximum bit size to support for ECC algorithms (112-1024)")

set(WOLFSSL_MPI_MAX_KEY_BITS "")
if(WOLFSSL_MAX_RSA_BITS)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 [Low] Non-numeric WOLFSSL_MAX_RSA_BITS / WOLFSSL_MAX_ECC_BITS bypass range validation · bug

These are raw cache STRING variables validated with if(WOLFSSL_MAX_RSA_BITS LESS 1024 OR WOLFSSL_MAX_RSA_BITS GREATER 16384). CMake's LESS/GREATER return false when either operand is not a valid integer, so a non-numeric value (e.g. -DWOLFSSL_MAX_RSA_BITS=foo) passes the range check silently and then flows straight into -DRSA_MAX_SIZE=foo on the compile line and #define RSA_MAX_SIZE foo in options.h, producing a confusing compile error deep in the crypto build rather than a clear configure-time diagnostic. The same applies to WOLFSSL_MAX_ECC_BITS (112-1024).

Fix: Add an integer-format check (e.g. MATCHES "^[0-9]+$") before the range comparison for both WOLFSSL_MAX_RSA_BITS and WOLFSSL_MAX_ECC_BITS so a malformed value fails cleanly at configure time.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed
Added NOT X MATCHES "^[0-9]+$" before the range check

Comment thread cmake/functions.cmake
@@ -1240,6 +1323,10 @@ function(set_wolfssl_definitions SEARCH_VALUE RESULT)

message(STATUS "Enabling ${SEARCH_VALUE}")
list(APPEND WOLFSSL_DEFINITIONS "-D${SEARCH_VALUE}")

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚪ [Info] set_wolfssl_definitions PARENT_SCOPE change adds compile-line defines for PQC builds (confirm intent) · question

The added set(WOLFSSL_DEFINITIONS "${WOLFSSL_DEFINITIONS}" PARENT_SCOPE) now propagates the appended -D\<SEARCH_VALUE> flag to the caller. Previously the append was confined to the function scope and lost, so macros forced through this helper (e.g. WOLFSSL_SHA3, WOLFSSL_SHAKE128/256, OPENSSL_EXTRA, HAVE_FALCON in the MLKEM/MLDSA/LMS/SLHDSA/FALCON blocks at CMakeLists.txt:936-1138) only became CMake variables (reaching options.h) but never reached the actual compile line. This is almost certainly the intended fix, but it is a behavior change: these PQC configurations now get additional -D flags on target_compile_definitions. Because the same macros may also arrive via options.h, verify there is no -Wmacro-redefined noise (-DWOLFSSL_SHA3 = 1 on the command line vs a bare #define WOLFSSL_SHA3 from options.h). Intra-list duplicates are collapsed by the later list(REMOVE_DUPLICATES), so intra-list duplication is not a concern.

Fix: Confirm the newly-added compile-line defines for MLKEM/MLDSA/LMS/SLHDSA/FALCON builds are intended and that no macro-redefinition warnings result when wolfssl/options.h is also included; if intended, no change needed.

Comment thread cmake/functions.cmake
# that add_option() call runs. This keeps the option's declared type and help
# text intact (unlike creating the cache entry early), and makes the dependency
# explicit rather than relying on cross-file cache-precedence side effects.
function(force_option NAME VALUE)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚪ [Info] force_option applied only via add_option; forced non-add_option options would be silently ignored · Logic

The force mechanism only takes effect when a later add_option(NAME ...) runs (it reads the WOLFSSL_FORCE_${NAME} global and calls override_cache). Any option a bundle forces that does NOT have a subsequent add_option() would have its force silently dropped. Every currently-forced option (WOLFSSL_AES/ARC4/CURVE25519/DES3/DSA/MD5/MD4/RIPEMD/CRL/OCSP/OCSPSTAPLING/OCSPSTAPLING_V2/OLD_TLS/DTLS/DTLS13/CRL_MONITOR/PKCALLBACKS/PKCS7/MD2/SRP) does have an add_option that runs after the bundle block, so this is currently correct. This is a latent maintenance hazard, not a present defect: a future bundle that force_option()'s an option set via plain set()/cache STRING (e.g. one of the raw-cache-STRING options) would be a no-op with no diagnostic.

Fix: Optionally add a post-configure sweep that warns if any WOLFSSL_FORCE_* global was never consumed by an add_option(), to catch future force_option targets that lack an add_option.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.
Added the sweep as suggested.

Comment thread CMakeLists.txt
add_option("WOLFSSL_32BIT"
"Enables 32-bit support (default: disabled)"
"no" "yes;no")
if(WOLFSSL_32BIT)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 [Medium] WC_32BIT_CPU emitted on compile line but missing #cmakedefine in options.h.in · Logic / convention

The PR adds if(WOLFSSL_32BIT) list(APPEND WOLFSSL_DEFINITIONS "-DWC_32BIT_CPU") endif() to CMakeLists.txt so WOLFSSL_32BIT now emits -DWC_32BIT_CPU. Unlike its sibling WOLFSSL_16BIT (whose macro WC_16BIT_CPU has both #undef/#cmakedefine in cmake/options.h.in lines 242-243), there is NO #cmakedefine WC_32BIT_CPU in cmake/options.h.in. Every entry of WOLFSSL_DEFINITIONS reaches the library compile line via target_compile_definitions(... PRIVATE) AND is normally reflected into the installed wolfssl/options.h via a matching #cmakedefine. Because this one is missing, the compiled library uses WC_32BIT_CPU while the generated wolfssl/options.h does not define it. A downstream consumer that configures with -DWOLFSSL_32BIT=yes and includes wolfssl/options.h (without itself defining WC_32BIT_CPU) sees a different CPU word-size/codepath configuration than the library it links against, risking type/ABI skew (e.g. sp_int digit sizing). This also violates the PR's own stated 3-place invariant (add_option + define in CMakeLists.txt, #cmakedefine in options.h.in). Severity views differ across modes: the review mode rated this Medium, the security mode rated it Low and noted that automake's --enable-32bit likewise only puts -DWC_32BIT_CPU into AM_CFLAGS (so it is arguably faithful to automake); the stricter Medium is retained here because it is inconsistent with the cmake design where all other added defines have options.h.in entries.

Fix: Add #undef WC_32BIT_CPU / #cmakedefine WC_32BIT_CPU to cmake/options.h.in (adjacent to the existing WC_16BIT_CPU entry) so the forced-32-bit setting is reflected in the generated wolfssl/options.h and matches the 16-bit handling and the PR's 3-place invariant; or intentionally document that WC_32BIT_CPU is compile-line-only to match automake AM_CFLAGS.


Note: Referenced line (CMakeLists.txt:555-557 (and missing entry in cmake/options.h.in near line 242)) is outside the diff hunk. Comment anchored to nearest changed region.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.
Added #undef/#cmakedefine WC_32BIT_CPU next to WC_16BIT_CPU.

@dgarske dgarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work. Skoll found a few useful things
#10834 (review)

Updates
  - ~100 individual options added (ciphers, TLS features, debug/test, caches,
  kernel-module, key-size numerics, asm) + fixed WOLFSSL_32BIT's missing define.
  - 37 app-integration bundles (openssh, nginx, haproxy, openvpn, wpas,
  apachehttpd, jni, wolfclu, wolfsentry, ...) - each force-enables its
  sub-options and emits its defines; all build clean and match ./configure
  --enable-X exactly (miss=0/extra=0).
  - Each option wired in 3 places: add_option + define in CMakeLists.txt,
  #cmakedefine in options.h.in, source selection where needed. Verified by real
  libwolfssl.so builds.
@SparkiDev

Copy link
Copy Markdown
Contributor Author

Jenkins: retest this please

@SparkiDev SparkiDev assigned dgarske and unassigned SparkiDev Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants