CI: more smoke coverage + header self-sufficiency

- Add AddressSanitizer entry to smoke matrix (--enable-all + -fsanitize=address).
- Add check-headers workflow: 214 public wolfssl/*.h compile standalone.
- Fix quic.h, rng_bank.h, Renesas/renesas-fspsm-crypt.h to be self-sufficient.
- Remove no-tls.yml (its single config is already covered by os-check.yml).

Author: dgarske

.github/scripts/check-headers.sh

@@ -0,0 +1,99 @@
+#!/usr/bin/env bash
+#
+# check-headers.sh
+#
+# Verifies that every public-facing wolfSSL header compiles standalone
+# from a fresh consumer's perspective:
+#
+#   #include <wolfssl/options.h>
+#   #include <wolfssl/...the header...>
+#   int main(void) { return 0; }
+#
+# Catches the common breakage where a header silently relies on a
+# transitive include from an earlier `.c` file and stops compiling
+# when downstream code includes it first.
+#
+# Requires:
+#   * ./configure has been run (so wolfssl/options.h exists).
+#   * gcc and standard build env.
+#
+# Usage:
+#   .github/scripts/check-headers.sh           # scan default header set
+#   .github/scripts/check-headers.sh <files>   # scan a specific list
+
+set -u
+
+ROOT="$(git rev-parse --show-toplevel)"
+cd "$ROOT" || exit 2
+
+if [ ! -f wolfssl/options.h ]; then
+    echo "::error::wolfssl/options.h not found - run ./configure first" >&2
+    exit 2
+fi
+
+CC="${CC:-gcc}"
+GHA="${GITHUB_ACTIONS:-}"
+
+emit() {
+    local file="$1" msg="$2"
+    if [ -n "$GHA" ]; then
+        printf '::error file=%s,line=1,title=header-self-include::%s\n' "$file" "$msg"
+    else
+        printf '%s: %s\n' "$file" "$msg"
+    fi
+}
+
+# Default scope: public wolfssl headers excluding vendor/port subdirs and
+# files that are intentionally not standalone-includable.
+if [ "$#" -gt 0 ]; then
+    HEADERS=("$@")
+else
+    # Exclusions:
+    #  * generated / private / test-data headers.
+    #  * wolfcrypt math backends (tfm vs sp_int are mutually exclusive).
+    #  * port/* headers whose first-line vendor SDK include can't be
+    #    satisfied in a generic CI environment (mcapi.h, kcapi.h,
+    #    em_device.h, fsl_dcp.h, hw/inout.h, etc.) or that reference
+    #    vendor-only types. Fix the offending header's vendor #include
+    #    with an #ifdef guard and drop the exclusion in a follow-up.
+    mapfile -t HEADERS < <(
+        git ls-files 'wolfssl/*.h' 'wolfssl/wolfcrypt/*.h' \
+                     'wolfssl/wolfcrypt/port/**/*.h' 'wolfssl/openssl/*.h' \
+        | grep -vE '^wolfssl/(options|internal|certs_test|certs_test_sm|debug-trace-error-codes|debug-untrace-error-codes)\.h$' \
+        | grep -vE '^wolfssl/wolfcrypt/(fips_test|selftest|tfm)\.h$' \
+        | grep -vE '^wolfssl/wolfcrypt/port/aria/aria-crypt(ocb)?\.h$' \
+        | grep -vE '^wolfssl/wolfcrypt/port/autosar/(CryIf|Crypto)\.h$' \
+        | grep -vE '^wolfssl/wolfcrypt/port/caam/(caam_driver|caam_qnx|wolfcaam_hash)\.h$' \
+        | grep -vE '^wolfssl/wolfcrypt/port/kcapi/' \
+        | grep -vE '^wolfssl/wolfcrypt/port/nxp/(dcp_port|se050_port)\.h$' \
+        | grep -vE '^wolfssl/wolfcrypt/port/Renesas/(renesas_fspsm_internal|renesas-rx64-hw-crypt|renesas-tsip-crypt|renesas_tsip_internal)\.h$' \
+        | grep -vE '^wolfssl/wolfcrypt/port/silabs/silabs_aes\.h$'
+    )
+fi
+
+TMPDIR="$(mktemp -d)"
+trap 'rm -rf "$TMPDIR"' EXIT
+
+FAIL=0
+PASS=0
+for h in "${HEADERS[@]}"; do
+    [ -f "$h" ] || continue
+    cat > "$TMPDIR/test.c" <<EOF
+#include <wolfssl/options.h>
+#include <$h>
+int main(void) { return 0; }
+EOF
+    if out="$("$CC" -I. -c -o /dev/null "$TMPDIR/test.c" 2>&1)"; then
+        PASS=$((PASS + 1))
+    else
+        FAIL=$((FAIL + 1))
+        first_err="$(printf '%s' "$out" | grep -E 'error:' | head -1 | sed 's/.*error: //')"
+        emit "$h" "header does not compile standalone: ${first_err:-(see build log)}"
+        if [ -z "$GHA" ]; then
+            printf '%s\n' "$out" | head -8 | sed 's/^/  /'
+        fi
+    fi
+done
+
+echo "check-headers: $PASS pass, $FAIL fail"
+[ "$FAIL" -eq 0 ]

.github/workflows/check-headers.yml

@@ -0,0 +1,43 @@
+name: Check Headers
+
+# Verifies every public-facing wolfSSL header compiles standalone with
+# only wolfssl/options.h included first. Catches the common breakage
+# where a header silently relies on a transitive include from an
+# earlier .c file and stops compiling from a fresh consumer.
+#
+# Runs on drafts (fast static check).
+
+on:
+  push:
+    branches: [ master, main ]
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    branches: [ master, main ]
+
+concurrency:
+  group: check-headers-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  check:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install dependencies
+        uses: ./.github/actions/install-apt-deps
+        with:
+          packages: autoconf automake libtool build-essential
+
+      - name: autogen
+        run: ./autogen.sh
+
+      - name: configure --enable-all
+        run: ./configure --enable-all
+
+      - name: Run check-headers
+        run: ./.github/scripts/check-headers.sh

.github/workflows/no-tls.yml

@@ -62,6 +62,12 @@ jobs:
             args: "--enable-psk --enable-dtls --enable-dtls13 --enable-dtls-mtu --enable-aesccm --enable-opensslextra"
           - name: integration
             args: "--enable-openssh --enable-lighty --enable-stunnel --enable-opensslextra"
+          # AddressSanitizer (UBSAN excluded - current master has known
+          # left-shift UB in auto-generated SP math).
+          - name: sanitize-asan
+            args: "--enable-all"
+            cflags: "-fsanitize=address -fno-omit-frame-pointer -g -O1"
+            ldflags: "-fsanitize=address"
     env:
       MAKE_CFLAGS: "-Werror"
     steps:
@@ -111,10 +117,20 @@ jobs:
         if: steps.merge_check.outputs.skip != 'true'
         run: ./configure ${{ matrix.config.args }}
 
-      - name: make (CFLAGS=-Werror)
+      - name: make
         if: steps.merge_check.outputs.skip != 'true'
-        run: make -j$(nproc) CFLAGS="$MAKE_CFLAGS"
+        env:
+          ENTRY_CFLAGS: ${{ matrix.config.cflags }}
+          ENTRY_LDFLAGS: ${{ matrix.config.ldflags }}
+        run: |
+          FLAGS="${ENTRY_CFLAGS:-$MAKE_CFLAGS}"
+          make -j"$(nproc)" CFLAGS="$FLAGS" LDFLAGS="$ENTRY_LDFLAGS"
 
-      - name: make check (CFLAGS=-Werror)
+      - name: make check
         if: steps.merge_check.outputs.skip != 'true'
-        run: make check CFLAGS="$MAKE_CFLAGS"
+        env:
+          ENTRY_CFLAGS: ${{ matrix.config.cflags }}
+          ENTRY_LDFLAGS: ${{ matrix.config.ldflags }}
+        run: |
+          FLAGS="${ENTRY_CFLAGS:-$MAKE_CFLAGS}"
+          make check CFLAGS="$FLAGS" LDFLAGS="$ENTRY_LDFLAGS"

.github/workflows/smoke-test.yml

@@ -35,25 +35,23 @@
 #ifndef NO_STDINT_H
     #include <stdint.h>
 #endif
+#include <stddef.h>     /* size_t */
 
-/* QUIC operates on three encryption levels which determine
- * which keys/algos are used for de-/encryption. These are
- * kept separately for incoming and outgoing data and.
- * Due to the nature of UDP, more than one might be in use
- * at the same time due to resends or out-of-order arrivals.
- */
+/* Defined before ssl.h: openssl/ssl.h pulls quic.h mid-include and
+ * references WOLFSSL_ENCRYPTION_LEVEL and WOLFSSL_QUIC_METHOD. */
 typedef enum wolfssl_encryption_level_t {
     wolfssl_encryption_initial = 0,
     wolfssl_encryption_early_data,
     wolfssl_encryption_handshake,
     wolfssl_encryption_application
 } WOLFSSL_ENCRYPTION_LEVEL;
 
-
-/* All QUIC related callbacks to the application.
- */
 typedef struct wolfssl_quic_method_t WOLFSSL_QUIC_METHOD;
 
+#include <wolfssl/ssl.h>
+
+
+/* All QUIC related callbacks to the application. */
 struct wolfssl_quic_method_t {
     /**
      * Provide secrets to the QUIC stack when they become available in the SSL

wolfssl/quic.h

@@ -22,6 +22,7 @@
 #define __RENESAS_FSPSM_CRYPT_H__
 
 #include <wolfssl/wolfcrypt/port/Renesas/renesas-fspsm-types.h>
+#include <stdint.h>     /* uint8_t */
 
 #ifdef __cplusplus
 extern "C" {

wolfssl/wolfcrypt/port/Renesas/renesas-fspsm-crypt.h

@@ -32,6 +32,7 @@
 #define WOLF_CRYPT_RNG_BANK_H
 
 #include <wolfssl/wolfcrypt/types.h>
+#include <wolfssl/wolfcrypt/random.h>
 
 #ifdef WC_RNG_BANK_SUPPORT