From 3d0cc250b97a7bc5e649178dc99635908806ba22 Mon Sep 17 00:00:00 2001 From: Eric Blankenhorn Date: Fri, 6 Dec 2024 16:35:21 -0600 Subject: [PATCH 1/5] Add sanity check for configuration method --- .wolfssl_known_macro_extras | 1 + examples/echoclient/echoclient.c | 2 +- sslSniffer/sslSnifferTest/snifftest.c | 3 +++ tests/srp.c | 3 +++ testsuite/testsuite.c | 2 +- wolfssl/wolfcrypt/settings.h | 8 ++++++++ 6 files changed, 17 insertions(+), 2 deletions(-) diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index e691433d8f..8d1f4a9951 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras @@ -599,6 +599,7 @@ WOLFSSL_CLANG_TIDY WOLFSSL_COMMERCIAL_LICENSE WOLFSSL_CONTIKI WOLFSSL_CRL_ALLOW_MISSING_CDP +WOLFSSL_CUSTOM_CONFIG WOLFSSL_DILITHIUM_ASSIGN_KEY WOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM WOLFSSL_DILITHIUM_NO_ASN1 diff --git a/examples/echoclient/echoclient.c b/examples/echoclient/echoclient.c index a7dd0ad2f9..7173963cf8 100644 --- a/examples/echoclient/echoclient.c +++ b/examples/echoclient/echoclient.c @@ -24,10 +24,10 @@ #include #endif -#include #ifndef WOLFSSL_USER_SETTINGS #include #endif +#include /* Force enable the compatibility macros for this example */ #undef TEST_OPENSSL_COEXIST diff --git a/sslSniffer/sslSnifferTest/snifftest.c b/sslSniffer/sslSnifferTest/snifftest.c index de586f9595..f8f8cb6c54 100644 --- a/sslSniffer/sslSnifferTest/snifftest.c +++ b/sslSniffer/sslSnifferTest/snifftest.c @@ -24,6 +24,9 @@ #include #endif +#ifndef WOLFSSL_USER_SETTINGS + #include +#endif #include #include #include diff --git a/tests/srp.c b/tests/srp.c index 649a86efca..36fe93e80f 100644 --- a/tests/srp.c +++ b/tests/srp.c @@ -24,6 +24,9 @@ #include #endif +#ifndef WOLFSSL_USER_SETTINGS + #include +#endif #include #include diff --git a/testsuite/testsuite.c b/testsuite/testsuite.c index 186a4f9e50..b85ddf66d7 100644 --- a/testsuite/testsuite.c +++ b/testsuite/testsuite.c 
@@ -24,10 +24,10 @@ #include #endif -#include #ifndef WOLFSSL_USER_SETTINGS #include #endif +#include #undef TEST_OPENSSL_COEXIST /* can't use this option with this example */ #undef OPENSSL_COEXIST /* can't use this option with this example */ diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index d5459ae3b9..9c939da85c 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -28,6 +28,8 @@ * * ./configure CFLAGS="-DFEATURE_FLAG_TO_DEFINE -UFEATURE_FLAG_TO_CLEAR [...]" * + * To build using a custom configuration method, define WOLFSSL_CUSTOM_CONFIG + * * For more information see: * * https://www.wolfssl.com/how-do-i-manage-the-build-configuration-of-wolfssl/ @@ -326,6 +328,12 @@ /* NOTE: cyassl_nucleus_defs.h is akin to user_settings.h */ #include "nucleus.h" #include "os/networking/ssl/lite/cyassl_nucleus_defs.h" +#elif !defined(BUILDING_WOLFSSL) && !defined(WOLFSSL_OPTIONS_H) && \ + !defined(WOLFSSL_CUSTOM_CONFIG) + /* This error indicates that the settings header may not be included before + * other wolfSSL headers. If you are using a custom configuration method, + * define WOLFSSL_CUSTOM_CONFIG to override this error. */ + #error "No configuration for wolfSSL detected, check header order" #endif #include From c77bea6691ef91e6b8dbfc553794746f2c696201 Mon Sep 17 00:00:00 2001 From: Eric Blankenhorn Date: Mon, 9 Dec 2024 12:45:54 -0600 Subject: [PATCH 2/5] Disable hitch OSP test --- .github/workflows/{ => disabled}/hitch.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{ => disabled}/hitch.yml (100%) diff --git a/.github/workflows/hitch.yml b/.github/workflows/disabled/hitch.yml similarity index 100% rename from .github/workflows/hitch.yml rename to .github/workflows/disabled/hitch.yml From fcce09a4d31800131d5183a53a490d8badfb96cb Mon Sep 17 00:00:00 2001 
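Review bot: In the `#elif` added to wolfssl/wolfcrypt/settings.h, the comment's phrase "may not be included before other wolfSSL headers" reads as a prohibition, while the check actually fires when no configuration was seen before this header. I would reword the comment to say what was detected and why it matters: neither options.h, user_settings.h nor a platform define was visible, so the application would presumably be compiled with default feature macros that can disagree with the built library. The `#error` text could also name the remedy, e.g. `#error "No wolfSSL configuration seen: include wolfssl/options.h (or define WOLFSSL_USER_SETTINGS) before other wolfSSL headers"`. The same comment wording is carried into PATCH 5/5. The `#if`/`#elif` chain that this branch closes starts outside the hunk.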
From: Eric Blankenhorn Date: Mon, 9 Dec 2024 12:59:37 -0600 Subject: [PATCH 3/5] Fix from review --- mcapi/crypto.c | 3 +++ mcapi/mcapi_test.c | 5 ++++- wolfssl/wolfcrypt/settings.h | 4 ++++ 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/mcapi/crypto.c b/mcapi/crypto.c index aa5e430199..0a5dc85017 100644 --- a/mcapi/crypto.c +++ b/mcapi/crypto.c @@ -24,6 +24,9 @@ #ifdef HAVE_CONFIG_H #include "config.h" #endif +#ifndef WOLFSSL_USER_SETTINGS + #include +#endif #include #ifdef MICROCHIP_MPLAB_HARMONY diff --git a/mcapi/mcapi_test.c b/mcapi/mcapi_test.c index 16d929749b..d92640fbbd 100644 --- a/mcapi/mcapi_test.c +++ b/mcapi/mcapi_test.c @@ -27,9 +27,12 @@ #include #endif -/* mc api header */ +#ifndef WOLFSSL_USER_SETTINGS + #include +#endif #include +/* mc api header */ #include "crypto.h" /* sanity test against our default implementation, wolfssl headers */ diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 9c939da85c..40c76a19a7 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -319,6 +319,10 @@ #endif #endif +#if defined(BUILDING_WOLFSSL) && defined(WOLFSSL_OPTIONS_H) + #error wolfssl/options.h included in build of library object. +#endif + #ifdef WOLFSSL_USER_SETTINGS #include "user_settings.h" #elif defined(USE_HAL_DRIVER) && !defined(HAVE_CONFIG_H) From e248d8499a5d421956d29a68aad7f4839018e611 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Mon, 9 Dec 2024 15:02:41 -0600 Subject: [PATCH 4/5] move !defined(EXTERNAL_OPTS_OPENVPN) assert from src/internal.c to wolfssl/wolfcrypt/types.h with refinements; refine logic+message of assert in wolfssl/wolfcrypt/settings.h re "wolfssl/options.h included in compiled wolfssl library object..". --- src/internal.c | 6 ------ wolfssl/wolfcrypt/settings.h | 6 ++++-- wolfssl/wolfcrypt/types.h | 4 ++++ 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/src/internal.c b/src/internal.c index f8d014b30d..8f5babacfb 100644 --- a/src/internal.c 
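Review bot: The new `#if defined(BUILDING_WOLFSSL) && defined(WOLFSSL_OPTIONS_H)` guard in wolfssl/wolfcrypt/settings.h has no comment saying why options.h is rejected in a library build, unlike the explained check added in PATCH 1/5. A one-line comment above it would help, for example `/* options.h is meant for applications; seeing it while BUILDING_WOLFSSL is set suggests two configuration sources are being mixed */` (my reading of the intent, to be confirmed by the author). The `#error` message is unquoted here but quoted in the PATCH 1/5 check; quoting both would keep the style consistent.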
+++ b/src/internal.c @@ -92,12 +92,6 @@ * pair */ - -#ifdef EXTERNAL_OPTS_OPENVPN -#error EXTERNAL_OPTS_OPENVPN should not be defined\ - when building wolfSSL -#endif - #ifndef WOLFCRYPT_ONLY #include diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 40c76a19a7..9316a92a27 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -319,8 +319,10 @@ #endif #endif -#if defined(BUILDING_WOLFSSL) && defined(WOLFSSL_OPTIONS_H) - #error wolfssl/options.h included in build of library object. +#if (defined(BUILDING_WOLFSSL) && defined(WOLFSSL_USE_OPTIONS_H)) || \ + (defined(BUILDING_WOLFSSL) && defined(WOLFSSL_OPTIONS_H) && \ + !defined(EXTERNAL_OPTS_OPENVPN)) + #error wolfssl/options.h included in compiled wolfssl library object. #endif #ifdef WOLFSSL_USER_SETTINGS diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index 5fb14b88a3..4b6dbfd744 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -34,6 +34,10 @@ decouple library dependencies with standard string, memory and so on. #include #include + #if defined(EXTERNAL_OPTS_OPENVPN) && defined(BUILDING_WOLFSSL) + #error EXTERNAL_OPTS_OPENVPN should not be defined in compiled wolfssl library files. + #endif + #ifdef __APPLE__ #include #endif From ba59f1af1964748d8a794fd4a91a63ba150f234d Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Mon, 9 Dec 2024 17:04:38 -0600 Subject: [PATCH 5/5] wolfssl/wolfcrypt/settings.h: use #warning, not #error, for "No configuration for wolfSSL detected, check header order", to avoid unnecessary breakage of old projects with nonstandard custom settings. --- wolfssl/wolfcrypt/settings.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 9316a92a27..4879680436 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h 
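Review bot: The rewritten condition in wolfssl/wolfcrypt/settings.h tests `defined(BUILDING_WOLFSSL)` in both arms and does not say why `EXTERNAL_OPTS_OPENVPN` exempts the `WOLFSSL_OPTIONS_H` case. Factoring it reads more clearly: `#if defined(BUILDING_WOLFSSL) && (defined(WOLFSSL_USE_OPTIONS_H) || (defined(WOLFSSL_OPTIONS_H) && !defined(EXTERNAL_OPTS_OPENVPN)))`. The types.h hunk of this patch raises its own `#error` for `EXTERNAL_OPTS_OPENVPN` together with `BUILDING_WOLFSSL`, so the exemption appears only to choose which message is shown, assuming types.h is reached in the same translation unit. A short comment stating that would keep the exemption from being read as a supported combination.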
@@ -336,10 +336,10 @@ #include "os/networking/ssl/lite/cyassl_nucleus_defs.h" #elif !defined(BUILDING_WOLFSSL) && !defined(WOLFSSL_OPTIONS_H) && \ !defined(WOLFSSL_CUSTOM_CONFIG) - /* This error indicates that the settings header may not be included before + /* This warning indicates that the settings header may not be included before * other wolfSSL headers. If you are using a custom configuration method, * define WOLFSSL_CUSTOM_CONFIG to override this error. */ - #error "No configuration for wolfSSL detected, check header order" + #warning "No configuration for wolfSSL detected, check header order" #endif #include
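Review bot: The comment above the new `#warning` still ends with "define WOLFSSL_CUSTOM_CONFIG to override this error", so its last line should become `* define WOLFSSL_CUSTOM_CONFIG to silence this warning. */`. `#warning` is only standard from C23; it is a common extension, but a toolchain that lacks it may reject the directive, which would reintroduce the breakage this commit wants to avoid, so a compiler guard around it may be worth considering. With a warning instead of an error, a build with misordered headers now completes, leaving the message as the only signal that the application may be using feature macros different from the library's. The `#elif` chain continues outside the hunk.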