Add WOLFCOSE_LEAN_VERIFY and ML-DSA lean build profiles

.github/workflows/lean-build.yml

@@ -0,0 +1,200 @@
+name: Lean Build
+
+on:
+  push:
+    branches: [ 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lean-verify:
+    name: Lean verify-only (WOLFCOSE_LEAN_VERIFY)
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Install dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y autoconf automake libtool
+
+    - name: Resolve wolfSSL master commit
+      id: wolfssl-rev
+      run: echo "sha=$(git ls-remote https://github.com/wolfSSL/wolfssl.git HEAD | cut -f1)" >> "$GITHUB_OUTPUT"
+
+    - name: Cache wolfSSL (ECC verify backend)
+      id: cache-wolfssl
+      uses: actions/cache@v4
+      with:
+        path: ~/wolfssl-lean
+        key: wolfssl-lean-ecc-v1-${{ steps.wolfssl-rev.outputs.sha }}
+
+    # Minimal backend for ES256 verification: ECC + SHA-256 only.
+    # No keygen and no RNG are needed to verify a COSE_Sign1.
+    - name: Build minimal wolfSSL
+      if: steps.cache-wolfssl.outputs.cache-hit != 'true'
+      run: |
+        cd ~
+        git clone --depth 1 https://github.com/wolfSSL/wolfssl.git wolfssl-lean-src
+        cd wolfssl-lean-src
+        ./autogen.sh
+        ./configure --enable-cryptonly --enable-ecc \
+                    --prefix=$HOME/wolfssl-lean
+        make -j$(nproc)
+        make install
+
+    - name: Build and run the lean verify-only example
+      run: |
+        export WOLFSSL_DIR=$HOME/wolfssl-lean
+        export LD_LIBRARY_PATH=$WOLFSSL_DIR/lib
+        make lean-verify \
+          CFLAGS="-std=c11 -DHAVE_ANONYMOUS_INLINE_AGGREGATES=1 -Os -Wall -Wextra -Wpedantic -Wshadow -Wconversion -ffunction-sections -fdata-sections -I./include -isystem $WOLFSSL_DIR/include" \
+          LDFLAGS="-L$WOLFSSL_DIR/lib -lwolfssl -Wl,--gc-sections"
+
+    - name: Assert the signing API is absent from a verify-only build
+      run: |
+        BIN=examples/sign1_verify_lean
+        if nm "$BIN" | grep -E " [tT] wc_CoseSign1_Sign\b"; then
+          echo "FAIL: signing API present in a verify-only build"; exit 1
+        fi
+        if ! nm "$BIN" | grep -qE " [tT] wc_CoseSign1_Verify\b"; then
+          echo "FAIL: verify API missing from a verify build"; exit 1
+        fi
+        echo "OK: verify present, signing absent"
+
+    - name: Report lean example size
+      run: size examples/sign1_verify_lean || true
+
+  lean-compile-matrix:
+    name: Lean configs compile clean (strict)
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Install dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y autoconf automake libtool
+
+    - name: Resolve wolfSSL master commit
+      id: wolfssl-rev
+      run: echo "sha=$(git ls-remote https://github.com/wolfSSL/wolfssl.git HEAD | cut -f1)" >> "$GITHUB_OUTPUT"
+
+    - name: Cache wolfSSL
+      id: cache-wolfssl
+      uses: actions/cache@v4
+      with:
+        path: ~/wolfssl-install
+        key: wolfssl-ubuntu-latest-v3-${{ steps.wolfssl-rev.outputs.sha }}
+
+    - name: Build wolfSSL (full features)
+      if: steps.cache-wolfssl.outputs.cache-hit != 'true'
+      run: |
+        cd ~
+        git clone --depth 1 https://github.com/wolfSSL/wolfssl.git
+        cd wolfssl
+        ./autogen.sh
+        ./configure --enable-ecc --enable-ed25519 --enable-ed448 \
+                    --enable-curve25519 --enable-aesgcm --enable-aesccm \
+                    --enable-sha384 --enable-sha512 --enable-keygen \
+                    --enable-rsapss --enable-chacha --enable-poly1305 \
+                    --enable-dilithium \
+                    --prefix=$HOME/wolfssl-install
+        make -j$(nproc)
+        make install
+
+    # Each lean/minimal config must compile with zero warnings under the strict
+    # flag set that backs the MISRA C:2023 job.
+    - name: Compile wolfcose.c in lean configurations (no warnings)
+      run: |
+        export WOLFSSL_DIR=$HOME/wolfssl-install
+        SF="-std=c11 -Os -Wall -Wextra -Wpedantic -Wshadow -Wconversion -Werror -DHAVE_ANONYMOUS_INLINE_AGGREGATES=1 -I./include -isystem $WOLFSSL_DIR/include"
+        echo "== default (full) =="
+        gcc $SF -c src/wolfcose.c -o /tmp/full.o
+        echo "== WOLFCOSE_LEAN_VERIFY =="
+        gcc $SF -DWOLFCOSE_LEAN_VERIFY -c src/wolfcose.c -o /tmp/lean.o
+        echo "== sign-only =="
+        gcc $SF -DWOLFCOSE_NO_SIGN1_VERIFY -DWOLFCOSE_NO_ENCRYPT0 -DWOLFCOSE_NO_MAC0 \
+            -DWOLFCOSE_NO_SIGN -DWOLFCOSE_NO_ENCRYPT -DWOLFCOSE_NO_MAC \
+            -DWOLFCOSE_NO_RECIPIENTS -c src/wolfcose.c -o /tmp/sign.o
+        echo "== WOLFCOSE_LEAN_MLDSA (sign+verify) =="
+        gcc $SF -DWOLFCOSE_LEAN_MLDSA -c src/wolfcose.c -o /tmp/mldsa.o
+        echo "== WOLFCOSE_LEAN_VERIFY_MLDSA (verify-only) =="
+        gcc $SF -DWOLFCOSE_LEAN_VERIFY_MLDSA -c src/wolfcose.c -o /tmp/mldsav.o
+        echo "All lean configurations compiled clean."
+
+  mldsa:
+    name: Post-quantum ML-DSA lean sign+verify and verify-only
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Install dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y autoconf automake libtool
+
+    - name: Resolve wolfSSL master commit
+      id: wolfssl-rev
+      run: echo "sha=$(git ls-remote https://github.com/wolfSSL/wolfssl.git HEAD | cut -f1)" >> "$GITHUB_OUTPUT"
+
+    - name: Cache wolfSSL (ML-DSA backend)
+      id: cache-wolfssl
+      uses: actions/cache@v4
+      with:
+        path: ~/wolfssl-mldsa
+        key: wolfssl-mldsa-v1-${{ steps.wolfssl-rev.outputs.sha }}
+
+    # ML-DSA (FIPS 204) backend. Dilithium pulls in SHAKE/SHA-3; RNG stays for
+    # key generation and signing in the sign+verify demo.
+    - name: Build wolfSSL with ML-DSA
+      if: steps.cache-wolfssl.outputs.cache-hit != 'true'
+      run: |
+        cd ~
+        git clone --depth 1 https://github.com/wolfSSL/wolfssl.git wolfssl-mldsa-src
+        cd wolfssl-mldsa-src
+        ./autogen.sh
+        ./configure --enable-cryptonly --enable-dilithium \
+                    --prefix=$HOME/wolfssl-mldsa
+        make -j$(nproc)
+        make install
+
+    - name: Build and run the ML-DSA sign + verify example (WOLFCOSE_LEAN_MLDSA)
+      run: |
+        export WOLFSSL_DIR=$HOME/wolfssl-mldsa
+        export LD_LIBRARY_PATH=$WOLFSSL_DIR/lib
+        make mldsa-demo \
+          CFLAGS="-std=c11 -DHAVE_ANONYMOUS_INLINE_AGGREGATES=1 -Os -Wall -Wextra -Wpedantic -Wshadow -Wconversion -ffunction-sections -fdata-sections -I./include -isystem $WOLFSSL_DIR/include" \
+          LDFLAGS="-L$WOLFSSL_DIR/lib -lwolfssl -Wl,--gc-sections"
+
+    - name: Build and run the lean ML-DSA verify-only example (WOLFCOSE_LEAN_VERIFY_MLDSA)
+      run: |
+        export WOLFSSL_DIR=$HOME/wolfssl-mldsa
+        export LD_LIBRARY_PATH=$WOLFSSL_DIR/lib
+        make mldsa-verify \
+          CFLAGS="-std=c11 -DHAVE_ANONYMOUS_INLINE_AGGREGATES=1 -Os -Wall -Wextra -Wpedantic -Wshadow -Wconversion -ffunction-sections -fdata-sections -I./include -isystem $WOLFSSL_DIR/include" \
+          LDFLAGS="-L$WOLFSSL_DIR/lib -lwolfssl -Wl,--gc-sections"
+
+    - name: Assert signing API is absent from the ML-DSA verify-only build
+      run: |
+        BIN=examples/sign1_verify_mldsa
+        if nm "$BIN" | grep -E " [tT] wc_CoseSign1_Sign\b"; then
+          echo "FAIL: signing API present in a verify-only build"; exit 1
+        fi
+        if ! nm "$BIN" | grep -qE " [tT] wc_CoseSign1_Verify\b"; then
+          echo "FAIL: verify API missing from a verify build"; exit 1
+        fi
+        echo "OK: ML-DSA verify present, signing absent"
+
+    - name: Report ML-DSA example sizes
+      run: |
+        size examples/sign1_mldsa || true
+        size examples/sign1_verify_mldsa || true