wolfSSL · rizlik · Jan 22, 2026 · Jan 23, 2026 · Jan 22, 2026 · Jan 22, 2026
diff --git a/.github/workflows/cryptocb_provider.yml b/.github/workflows/cryptocb_provider.yml
@@ -0,0 +1,51 @@
+name: CryptoCB Only Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  make_check:
+    strategy:
+      fail-fast: false
+      matrix:
+        config: [
+        # tests skipping tests in CI
+          '--enable-cryptocb CFLAGS="-DNO_SESSION_CACHE -DWOLF_CRYPTO_CB_ONLY_RSA"',
+          '--enable-cryptocb CFLAGS="-DNO_SESSION_CACHE -DWOLF_CRYPTO_CB_ONLY_ECC"',
+          '--enable-cryptocb CFLAGS="-DNO_SESSION_CACHE -DWOLF_CRYPTO_CB_ONLY_ECC -DWOLF_CRYPTO_CB_ONLY_RSA"',
+        # tests using external crypto device provider
+          '--enable-cryptocb --enable-cryptocb-test-provider --disable-cryptocb-sw-test CFLAGS="-DNO_SESSION_CACHE -DWOLF_CRYPTO_CB_ONLY_ECC"',
+          '--enable-cryptocb --enable-cryptocb-test-provider --disable-cryptocb-sw-test CFLAGS="-DNO_SESSION_CACHE -DWOLF_CRYPTO_CB_ONLY_RSA"',
+          '--enable-cryptocb --enable-cryptocb-test-provider --disable-cryptocb-sw-test CFLAGS="-DNO_SESSION_CACHE -DWOLF_CRYPTO_CB_ONLY_ECC -DWOLF_CRYPTO_CB_ONLY_RSA"',
+        ]
+    name: make check
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-22.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout wolfSSL
+
+      - name: Test wolfSSL CryptoCB Only
+        run: |
+          ./autogen.sh
+          ./configure ${{ matrix.config }}
+          make -j 4
+          make check
+
+      - name: Print errors
+        if: ${{ failure() }}
+        run: |
+          if [ -f test-suite.log ] ; then
+            cat test-suite.log
+          fi
diff --git a/.gitignore b/.gitignore
@@ -470,3 +470,4 @@ wolfssl/debug-trace-error-codes.h
 wolfssl/debug-untrace-error-codes.h
 
 AGENTS.md
+tests/cryptocb-provider/libcryptocbprovider.so
diff --git a/Makefile.am b/Makefile.am
@@ -176,6 +176,7 @@ include wolfcrypt/test/include.am
 include examples/include.am
 include testsuite/include.am
 include tests/include.am
+include tests/cryptocb-provider/include.am
 include sslSniffer/sslSnifferTest/include.am
 include debian/include.am
 include rpm/include.am

diff --git a/configure.ac b/configure.ac
@@ -9598,6 +9598,21 @@ then
         AM_CFLAGS="$AM_CFLAGS -DWC_TEST_NO_CRYPTOCB_SW_TEST"
 fi
 
+# Enable building the test crypto callback provider
+AC_ARG_ENABLE([cryptocb-test-provider],
+    [AS_HELP_STRING([--enable-cryptocb-test-provider],
+        [Build the test crypto callback provider library (default: disabled)])],
+    [ ENABLED_CRYPTOCB_TEST_PROVIDER=$enableval ],
+    [ ENABLED_CRYPTOCB_TEST_PROVIDER=no ]
+)
+
+if test "x$ENABLED_CRYPTOCB_TEST_PROVIDER" = "xyes"; then
+    if test "x$ENABLED_CRYPTOCB" != "xyes"; then
+        AC_MSG_ERROR([--enable-cryptocb-test-provider requires --enable-cryptocb])
+    fi
+    AM_CFLAGS="$AM_CFLAGS -DWOLF_CRYPTO_CB_TEST_PROVIDER"
+fi
+
 # Crypto Callbacks Utils (Copy/Free/etc)
 AC_ARG_ENABLE([cryptocbutils],
     [AS_HELP_STRING([--enable-cryptocbutils@<:@=copy,free,...@:>@],
@@ -11169,6 +11184,7 @@ AM_CONDITIONAL([BUILD_TESTS],[test "x$ENABLED_EXAMPLES" = "xyes"])
 AM_CONDITIONAL([BUILD_THREADED_EXAMPLES],[test "x$ENABLED_SINGLETHREADED" = "xno" && test "x$ENABLED_EXAMPLES" = "xyes" && test "x$ENABLED_LEANTLS" = "xno"])
 AM_CONDITIONAL([BUILD_WOLFCRYPT_TESTS],[test "x$ENABLED_CRYPT_TESTS" = "xyes"])
 AM_CONDITIONAL([BUILD_WOLFCRYPT_TESTS_LIBS],[test "x$ENABLED_CRYPT_TESTS_LIBS" = "xyes"])
+AM_CONDITIONAL([BUILD_CRYPTO_CB_TEST_PROVIDER],[test "x$ENABLED_CRYPTOCB_TEST_PROVIDER" = "xyes"])
 AM_CONDITIONAL([BUILD_LIBZ],[test "x$ENABLED_LIBZ" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_PKCS11],[test "x$ENABLED_PKCS11" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_PKCS12],[test "x$ENABLED_PKCS12" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])

diff --git a/examples/client/client.c b/examples/client/client.c
@@ -56,6 +56,10 @@ static const char *wolfsentry_config_path = NULL;
 #include <examples/client/client.h>
 #include <wolfssl/error-ssl.h>
 
+#if defined(WOLF_CRYPTO_CB_TEST_PROVIDER)
+#include "tests/cryptocb-provider/cryptocb_loader.h"
+#endif
+
 #if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_TLS)
 
 
@@ -76,7 +80,7 @@ static const char *wolfsentry_config_path = NULL;
     #include <wolfssl/wolfcrypt/ecc.h>
 #endif
 
-#ifdef WOLFSSL_ASYNC_CRYPT
+#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB_TEST_PROVIDER)
     static int devId = INVALID_DEVID;
 #endif
 
@@ -3670,6 +3674,13 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     wolfSSL_CTX_SetDevId(ctx, devId);
 #endif /* WOLFSSL_ASYNC_CRYPT */
 
+#ifdef WOLF_CRYPTO_CB_TEST_PROVIDER
+    devId = wc_CryptoCb_InitTestCryptoCbProvider();
+    if (devId < 0) {
+        err_sys("CryptoCb provider init failed");
+    }
+    wolfSSL_CTX_SetDevId(ctx, devId);
+#endif /* WOLF_CRYPTO_CB_TEST_PROVIDER */
 #ifdef HAVE_SNI
     if (sniHostName) {
         if (wolfSSL_CTX_UseSNI(ctx, WOLFSSL_SNI_HOST_NAME, sniHostName,
@@ -4945,6 +4956,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #else
         fprintf(stderr, "Client not compiled in!\n");
 #endif
+
+#ifdef WOLF_CRYPTO_CB_TEST_PROVIDER
+        wc_CryptoCb_CleanupTestCryptoCbProvider();
+#endif
         wolfSSL_Cleanup();
 
 #ifdef HAVE_WNR

diff --git a/examples/client/include.am b/examples/client/include.am
@@ -5,6 +5,9 @@ if BUILD_EXAMPLE_CLIENTS
 noinst_PROGRAMS += examples/client/client
 noinst_HEADERS += examples/client/client.h
 examples_client_client_SOURCES      = examples/client/client.c
+if BUILD_CRYPTO_CB_TEST_PROVIDER
+examples_client_client_SOURCES     += tests/cryptocb-provider/cryptocb_loader.c
+endif
 examples_client_client_LDADD        = src/libwolfssl@LIBSUFFIX@.la $(LIB_STATIC_ADD) $(WOLFSENTRY_LIB)
 examples_client_client_DEPENDENCIES = src/libwolfssl@LIBSUFFIX@.la
 examples_client_client_CFLAGS = $(WOLFSENTRY_INCLUDE) $(AM_CFLAGS)

diff --git a/examples/echoclient/echoclient.c b/examples/echoclient/echoclient.c
@@ -53,6 +53,10 @@
 
 #include <examples/echoclient/echoclient.h>
 
+#if defined(WOLF_CRYPTO_CB_TEST_PROVIDER)
+#include "tests/cryptocb-provider/cryptocb_loader.h"
+#endif
+
 #if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_TLS)
 
 
@@ -65,7 +69,7 @@
 #include <wolfssl/certs_test.h>
 #endif
 
-#ifdef WOLFSSL_ASYNC_CRYPT
+#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB_TEST_PROVIDER)
     static int devId = INVALID_DEVID;
 #endif
 
@@ -223,6 +227,14 @@ void echoclient_test(void* args)
     wolfSSL_CTX_SetDevId(ctx, devId);
 #endif /* WOLFSSL_ASYNC_CRYPT */
 
+#ifdef WOLF_CRYPTO_CB_TEST_PROVIDER
+    devId = wc_CryptoCb_InitTestCryptoCbProvider();
+    if (devId < 0) {
+        err_sys("CryptoCb provider init failed");
+    }
+    wolfSSL_CTX_SetDevId(ctx, devId);
+#endif /* WOLF_CRYPTO_CB_TEST_PROVIDER */
+
     ssl = SSL_new(ctx);
     tcp_connect(&sockfd, wolfSSLIP, port, 0, 0, ssl);
 
@@ -287,6 +299,10 @@ void echoclient_test(void* args)
     wolfAsync_DevClose(&devId);
 #endif
 
+#ifdef WOLF_CRYPTO_CB_TEST_PROVIDER
+    wc_CryptoCb_CleanupTestCryptoCbProvider();
+#endif
+
     LIBCALL_CHECK_RET(fflush(fout));
 #ifndef WOLFSSL_MDK_SHELL
     if (inCreated)  fclose(fin);

diff --git a/examples/echoclient/include.am b/examples/echoclient/include.am
@@ -7,6 +7,9 @@ if BUILD_EXAMPLE_CLIENTS
 noinst_PROGRAMS += examples/echoclient/echoclient
 noinst_HEADERS += examples/echoclient/echoclient.h
 examples_echoclient_echoclient_SOURCES      = examples/echoclient/echoclient.c
+if BUILD_CRYPTO_CB_TEST_PROVIDER
+examples_echoclient_echoclient_SOURCES     += tests/cryptocb-provider/cryptocb_loader.c
+endif
 examples_echoclient_echoclient_LDADD        = src/libwolfssl@LIBSUFFIX@.la $(LIB_STATIC_ADD)
 examples_echoclient_echoclient_DEPENDENCIES = src/libwolfssl@LIBSUFFIX@.la
 endif

diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c
@@ -56,6 +56,10 @@
 
 #include "examples/echoserver/echoserver.h"
 
+#if defined(WOLF_CRYPTO_CB_TEST_PROVIDER)
+#include "tests/cryptocb-provider/cryptocb_loader.h"
+#endif
+
 #if !defined(NO_WOLFSSL_SERVER) && !defined(NO_TLS)
 
 #ifdef NO_FILESYSTEM
@@ -67,7 +71,7 @@
 #include <wolfssl/certs_test.h>
 #endif
 
-#ifdef WOLFSSL_ASYNC_CRYPT
+#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB_TEST_PROVIDER)
     static int devId = INVALID_DEVID;
 #endif
 
@@ -289,6 +293,14 @@ THREAD_RETURN WOLFSSL_THREAD echoserver_test(void* args)
     wolfSSL_CTX_SetDevId(ctx, devId);
 #endif /* WOLFSSL_ASYNC_CRYPT */
 
+#ifdef WOLF_CRYPTO_CB_TEST_PROVIDER
+    devId = wc_CryptoCb_InitTestCryptoCbProvider();
+    if (devId < 0) {
+        err_sys("CryptoCb provider init failed");
+    }
+    wolfSSL_CTX_SetDevId(ctx, devId);
+#endif /* WOLF_CRYPTO_CB_TEST_PROVIDER */
+
     SignalReady(args, port);
 
     while (!shutDown) {
@@ -453,6 +465,10 @@ THREAD_RETURN WOLFSSL_THREAD echoserver_test(void* args)
     wolfAsync_DevClose(&devId);
 #endif
 
+#ifdef WOLF_CRYPTO_CB_TEST_PROVIDER
+    wc_CryptoCb_CleanupTestCryptoCbProvider();
+#endif
+
     WOLFSSL_RETURN_FROM_THREAD(0);
 }
 

diff --git a/examples/echoserver/include.am b/examples/echoserver/include.am
@@ -7,6 +7,9 @@ if BUILD_EXAMPLE_SERVERS
 noinst_PROGRAMS += examples/echoserver/echoserver
 noinst_HEADERS += examples/echoserver/echoserver.h
 examples_echoserver_echoserver_SOURCES      = examples/echoserver/echoserver.c
+if BUILD_CRYPTO_CB_TEST_PROVIDER
+examples_echoserver_echoserver_SOURCES     += tests/cryptocb-provider/cryptocb_loader.c
+endif
 examples_echoserver_echoserver_LDADD        = src/libwolfssl@LIBSUFFIX@.la $(LIB_STATIC_ADD)
 examples_echoserver_echoserver_DEPENDENCIES = src/libwolfssl@LIBSUFFIX@.la
 endif

diff --git a/examples/server/include.am b/examples/server/include.am
@@ -7,6 +7,9 @@ if BUILD_EXAMPLE_SERVERS
 noinst_PROGRAMS += examples/server/server
 noinst_HEADERS += examples/server/server.h
 examples_server_server_SOURCES      = examples/server/server.c
+if BUILD_CRYPTO_CB_TEST_PROVIDER
+examples_server_server_SOURCES     += tests/cryptocb-provider/cryptocb_loader.c
+endif
 examples_server_server_LDADD        = src/libwolfssl@LIBSUFFIX@.la $(LIB_STATIC_ADD) $(WOLFSENTRY_LIB)
 examples_server_server_DEPENDENCIES = src/libwolfssl@LIBSUFFIX@.la
 examples_server_server_CFLAGS = $(WOLFSENTRY_INCLUDE) $(AM_CFLAGS)

diff --git a/examples/server/server.c b/examples/server/server.c
@@ -75,6 +75,10 @@ static const char *wolfsentry_config_path = NULL;
 
 #include "examples/server/server.h"
 
+#if defined(WOLF_CRYPTO_CB_TEST_PROVIDER)
+#include "tests/cryptocb-provider/cryptocb_loader.h"
+#endif
+
 #if !defined(NO_WOLFSSL_SERVER) && !defined(NO_TLS)
 
 #if defined(WOLFSSL_TLS13) && ( \
@@ -111,7 +115,7 @@ static struct group_info group_id_to_text[] = {
 };
 #endif /* CAN_FORCE_CURVE && HAVE_ECC */
 
-#ifdef WOLFSSL_ASYNC_CRYPT
+#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB_TEST_PROVIDER)
     static int devId = INVALID_DEVID;
 #endif
 
@@ -3088,6 +3092,13 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
     wolfSSL_CTX_SetDevId(ctx, devId);
 #endif /* WOLFSSL_ASYNC_CRYPT */
 
+#ifdef WOLF_CRYPTO_CB_TEST_PROVIDER
+    devId = wc_CryptoCb_InitTestCryptoCbProvider();
+    if (devId < 0) {
+        err_sys_ex(runWithErrors, "CryptoCb provider init failed");
+    }
+    wolfSSL_CTX_SetDevId(ctx, devId);
+#endif /* WOLF_CRYPTO_CB_TEST_PROVIDER */
 #ifdef WOLFSSL_TLS13
     if (noPskDheKe)
         wolfSSL_CTX_no_dhe_psk(ctx);
@@ -4110,6 +4121,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
         fprintf(stderr, "Server not compiled in!\n");
 #endif
 
+#ifdef WOLF_CRYPTO_CB_TEST_PROVIDER
+        wc_CryptoCb_CleanupTestCryptoCbProvider();
+#endif
         wolfSSL_Cleanup();
         FreeTcpReady(&ready);
Original file line number	Diff line number	Diff line change
Expand Up		@@ -470,3 +470,4 @@ wolfssl/debug-trace-error-codes.h
		wolfssl/debug-untrace-error-codes.h

		AGENTS.md
		tests/cryptocb-provider/libcryptocbprovider.so