misc: enable WolfSSL debugging and add he_enable_debugging function

3rd_party_deps.yml

@@ -11,6 +11,7 @@
       --disable-dilithium
       --enable-aes-bitsliced
       --enable-curve25519
+      --enable-debug
       --enable-dtls
       --enable-dtls13
       --enable-dtls-frag-ch

ios/autotools-ios-helper.sh

@@ -66,7 +66,9 @@ build() {
         --enable-aes-bitsliced \
         --enable-experimental \
         --enable-sha3 \
-        --enable-kyber=all,original,ml-kem
+        --enable-kyber=all,original,ml-kem \
+        --enable-debug
+
     make clean
     mkdir -p "${EXEC_PREFIX}"
     make V=1 -j"${MAKE_JOBS}" --debug=j

public/he.h

@@ -644,6 +644,14 @@ he_return_code_t he_init(void);
  */
 he_return_code_t he_cleanup(void);
 
+typedef void (*he_log_cb_t)(const int log_level, const char *const log_msg);
+
+/**
+ * @brief Enable WolfSSL debug logging and set the log callback
+ * @return HE_SUCCESS on success, HE_ERR_FAILED on any error.
+ */
+he_return_code_t he_enable_debugging(he_log_cb_t log_cb);
+
 /**
  * @brief Checks whether the client context has the basic configuration to allow Helium to connect.
  * @param ctx A pointer to a valid SSL context configuration

src/he/ssl_ctx.c

@@ -52,6 +52,19 @@ he_return_code_t he_cleanup() {
   return HE_SUCCESS;
 }
 
+he_return_code_t he_enable_debugging(he_log_cb_t log_cb) {
+  int rc = wolfSSL_Debugging_ON();
+  if(rc) {
+    return HE_ERR_FAILED;
+  }
+  if(log_cb) {
+    if(wolfSSL_SetLoggingCb(log_cb)) {
+      return HE_ERR_FAILED;
+    }
+  };
+  return HE_SUCCESS;
+}
+
 static he_return_code_t he_ssl_ctx_is_valid_common(he_ssl_ctx_t *ctx) {
   if(!ctx) {
     return HE_ERR_NULL_POINTER;

src/he/ssl_ctx.h

@@ -55,6 +55,14 @@ he_return_code_t he_init(void);
  */
 he_return_code_t he_cleanup(void);
 
+typedef void (*he_log_cb_t)(const int log_level, const char *const log_msg);
+
+/**
+ * @brief Enable WolfSSL debug logging and set the log callback
+ * @return HE_SUCCESS on success, HE_ERR_FAILED on any error.
+ */
+he_return_code_t he_enable_debugging(he_log_cb_t log_cb);
+
 /**
  * @brief Checks whether the client context has the basic configuration to allow Helium to connect.
  * @param ctx A pointer to a valid SSL context configuration

windows/wolfssl-user_settings-common.h

@@ -209,4 +209,8 @@
 #undef WOLFSSL_SHAKE256
 #define WOLFSSL_SHAKE256
 
+// Turn on debugging
+#undef DEBUG_WOLFSSL
+#define DEBUG_WOLFSSL
+
 #endif /* _WIN_USER_SETTINGS_COMMON_H_ */

windows_32.yml

@@ -21,6 +21,8 @@
         - git apply ../../wolfssl/0007-fix-kyber-prf-non-avx2.patch
         - git apply ../../wolfssl/0008-intel-illegal-instruction.patch
         - git apply ../../wolfssl/0009-reverse-only-with-avx12.patch
+        - git apply ../../wolfssl/0010-rng-move-debug-messages-while-preserving-semantics.patch
+        - git apply ../../wolfssl/0011-random-allow-rdseed-to-fallback-on-windows.patch
         - "cp ../../windows/wolfssl-user_settings-common.h wolfssl/user_settings.h"
         - "cat ../../windows/wolfssl-user_settings-32.h >> wolfssl/user_settings.h"
         - "cp -f wolfssl/user_settings.h IDE/WIN/user_settings.h"

windows_64.yml

@@ -21,6 +21,8 @@
         - git apply ../../wolfssl/0007-fix-kyber-prf-non-avx2.patch
         - git apply ../../wolfssl/0008-intel-illegal-instruction.patch
         - git apply ../../wolfssl/0009-reverse-only-with-avx12.patch
+        - git apply ../../wolfssl/0010-rng-move-debug-messages-while-preserving-semantics.patch
+        - git apply ../../wolfssl/0011-random-allow-rdseed-to-fallback-on-windows.patch
         - "cp ../../windows/wolfssl-user_settings-common.h wolfssl/user_settings.h"
         - "cat ../../windows/wolfssl-user_settings-64.h >> wolfssl/user_settings.h"
         - "cp -f wolfssl/user_settings.h IDE/WIN/user_settings.h"

windows_64_multithread.yml

@@ -21,6 +21,8 @@
         - git apply ../../wolfssl/0007-fix-kyber-prf-non-avx2.patch
         - git apply ../../wolfssl/0008-intel-illegal-instruction.patch
         - git apply ../../wolfssl/0009-reverse-only-with-avx12.patch
+        - git apply ../../wolfssl/0010-rng-move-debug-messages-while-preserving-semantics.patch
+        - git apply ../../wolfssl/0011-random-allow-rdseed-to-fallback-on-windows.patch
         - "cp ../../windows/wolfssl-user_settings-common.h wolfssl/user_settings.h"
         - "cat ../../windows/wolfssl-user_settings-64.h >> wolfssl/user_settings.h"
         - "cat ../../windows/wolfssl-user_settings-multithread.h >> wolfssl/user_settings.h"

wolfssl/0010-rng-move-debug-messages-while-preserving-semantics.patch

@@ -0,0 +1,42 @@
+From bb11833d885eb4867fe9ec0f73fb65d5a26412f7 Mon Sep 17 00:00:00 2001
+From: Raihaan Shouhell <[email protected]>
+Date: Mon, 17 Mar 2025 20:55:57 +0800
+Subject: [PATCH] rng: move debug messages while preserving semantics
+
+---
+ wolfcrypt/src/random.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c
+index 278e2d72c..7c32cc024 100644
+--- a/wolfcrypt/src/random.c
++++ b/wolfcrypt/src/random.c
+@@ -1719,15 +1719,21 @@ static int _InitRng(WC_RNG* rng, byte* nonce, word32 nonceSz,
+ #else
+             ret = wc_GenerateSeed(&rng->seed, seed, seedSz);
+ #endif /* WC_RNG_SEED_CB */
+-            if (ret == 0)
+-                ret = wc_RNG_TestSeed(seed, seedSz);
+-            else {
++            if (ret != 0) {
+     #if defined(DEBUG_WOLFSSL)
+-                WOLFSSL_MSG_EX("wc_RNG_TestSeed failed... %d", ret);
++                WOLFSSL_MSG_EX("Seed generation failed... %d", ret);
+     #endif
+                 ret = DRBG_FAILURE;
+                 rng->status = DRBG_FAILED;
+             }
++            if (ret == 0)
++                ret = wc_RNG_TestSeed(seed, seedSz);
++
++    #if defined(DEBUG_WOLFSSL)
++            if (ret != 0) {
++                WOLFSSL_MSG_EX("wc_RNG_TestSeed failed... %d", ret);
++            }
++    #endif
+
+             if (ret == DRBG_SUCCESS)
+                 ret = Hash_DRBG_Instantiate((DRBG_internal *)rng->drbg,
+-- 
+2.48.1
+

wolfssl/0011-random-allow-rdseed-to-fallback-on-windows.patch

@@ -0,0 +1,54 @@
+From b84924d610c609673e00f61630e53039ae209a61 Mon Sep 17 00:00:00 2001
+From: Raihaan Shouhell <[email protected]>
+Date: Tue, 18 Mar 2025 13:09:33 +0800
+Subject: [PATCH] random: allow rdseed to fallback on windows
+
+---
+ wolfcrypt/src/random.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c
+index 7c32cc024..cdd7eb73a 100644
+--- a/wolfcrypt/src/random.c
++++ b/wolfcrypt/src/random.c
+@@ -2695,17 +2695,31 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+
+     #ifdef HAVE_INTEL_RDSEED
+         if (IS_INTEL_RDSEED(intel_flags)) {
+-             if (!wc_GenerateSeed_IntelRD(NULL, output, sz)) {
+-                 /* success, we're done */
+-                 return 0;
+-             }
++            #if defined(DEBUG_WOLFSSL)
++                WOLFSSL_MSG_EX("Using RDSEED");
++            #endif
++            if (!wc_GenerateSeed_IntelRD(NULL, output, sz)) {
++                if (wc_RNG_TestSeed(output, sz) == 0) {
++                    /* success, we're done */
++                    return 0;
++                }
++            #if defined(DEBUG_WOLFSSL)
++                else {
++                    WOLFSSL_MSG_EX("Using RDSEED returned bad data");
++                }
++            #endif
++            }
+         #ifdef FORCE_FAILURE_RDSEED
+-             /* don't fall back to CryptoAPI */
+-             return READ_RAN_E;
++            /* don't fall back to CryptoAPI */
++            return READ_RAN_E;
+         #endif
+         }
+     #endif /* HAVE_INTEL_RDSEED */
+
++    #if defined(DEBUG_WOLFSSL)
++        WOLFSSL_MSG_EX("Using WinCryptRandom");
++    #endif
++
+     if(!CryptAcquireContext(&os->handle, 0, 0, PROV_RSA_FULL,
+                             CRYPT_VERIFYCONTEXT))
+         return WINCRYPT_E;
+-- 
+2.48.1
+