
Adds NVM for storing users with authentication feature#290

Draft
JacobBarthelmeh wants to merge 2 commits into wolfSSL:main from JacobBarthelmeh:auth_nvm

Conversation

@JacobBarthelmeh
Contributor

Builds on top of (#270) with adding NVM storage for users.


Copilot AI left a comment


Pull request overview

Adds an Authentication Manager feature with a default backend that can persist the user database into NVM, and wires auth into the client/server request path (plus tests, docs, and CI knobs).

Changes:

  • Introduces Auth Manager public API, message group/actions, and client/server handlers for login/logout/user management.
  • Adds a base auth backend (wh_auth_base) with optional NVM-backed persistence of the user DB.
  • Updates tests, examples, documentation, and CI/Makefiles to support AUTH=1 builds and auth-enabled runs.

Reviewed changes

Copilot reviewed 41 out of 43 changed files in this pull request and generated 4 comments.

File Description
wolfhsm/wh_utils.h Declares secure zero + constant-time compare helpers used by auth.
wolfhsm/wh_server_auth.h New server-side auth request handler API header.
wolfhsm/wh_server.h Adds auth context pointer to server config/context.
wolfhsm/wh_message_auth.h New auth message definitions + permissions flattening API.
wolfhsm/wh_message.h Adds AUTH message group and auth action IDs; defines WH_NUMBER_OF_GROUPS.
wolfhsm/wh_error.h Adds auth-specific error codes.
wolfhsm/wh_client.h Adds client-side auth API declarations.
wolfhsm/wh_auth_base.h Declares default auth backend with optional NVM persistence.
wolfhsm/wh_auth.h Adds core Auth Manager API/types + permissions macros.
test/wh_test_she.c Logs in as admin for auth-enabled test runs.
test/wh_test_posix_threadsafe_stress.c Skips stress test on macOS due to missing barriers.
test/wh_test_keywrap.c Logs in as admin for auth-enabled keywrap tests.
test/wh_test_crypto.c Logs in as admin for auth-enabled crypto tests; minor formatting tweaks.
test/wh_test_common.h Adds WH_TEST_SKIP and allows skip in WH_TEST_RETURN_ON_FAIL.
test/wh_test_clientserver.c Logs in as admin for auth-enabled runs; explicitly disables auth in some tests.
test/wh_test_auth.h Declares auth test entry points.
test/wh_test_auth.c Implements auth unit tests and a memory-transport auth harness.
test/wh_test.c Hooks auth tests into unit and TCP test flows.
test/Makefile Adds AUTH=1 build option; tweaks coverage gcovr behavior.
src/wh_utils.c Implements wh_Utils_ForceZero and constant-time compare.
src/wh_server_she.c Minor formatting change.
src/wh_server_auth.c Implements server-side auth request dispatch + zeroization of credentials.
src/wh_server.c Enforces auth authorization checks for requests; adds auth group handling and error formatting helper.
src/wh_message_auth.c Implements auth message translation + permissions flatten/unflatten.
src/wh_client_auth.c Implements client auth request/response helpers and blocking wrappers.
src/wh_client.c Minor formatting fix.
src/wh_auth_base.c Implements default auth backend, including NVM persistence of the user DB.
src/wh_auth.c Implements core Auth Manager wrapper logic, locking, and authorization checks.
port/posix/posix_transport_tls.c Minor formatting + comment tweaks.
examples/posix/wh_posix_server/wh_posix_server_cfg.h Adds auth config function declaration.
examples/posix/wh_posix_server/wh_posix_server_cfg.c Adds default auth configuration (NVM-backed) and seeds admin user.
examples/posix/wh_posix_server/wh_posix_server.c Initializes Auth Manager in the POSIX server example when enabled.
examples/posix/wh_posix_server/Makefile Adds coverage flags and AUTH=1 option.
examples/posix/wh_posix_client/Makefile Adds AUTH=1 option.
examples/demo/client/wh_demo_client_auth.h Declares auth demo entry point.
examples/demo/client/wh_demo_client_auth.c Adds a full auth demo (PIN + cert) and persistence check.
examples/demo/client/wh_demo_client_all.c Runs auth demo and logs in as admin before other demos.
docs/src/chapter09.md New documentation chapter for Authentication Manager.
Makefile Exports AUTH to sub-makes.
.github/workflows/code-coverage.yml Adds gcovr ignore-parse-errors option for negative hits.
.github/workflows/build-and-test.yml Adds AUTH build/test permutations (ASAN/THREADSAFE/NOCRYPTO).
.github/workflows/build-and-test-clientonly.yml Adds client-only AUTH testing against auth+non-auth servers.
.github/workflows/build-and-run-examples.yml Adds matrix option to build/run examples with AUTH=1.


Comment on lines +84 to +87
/* Serialize: magic + version + users (clear is_active before storing) */
((uint32_t*)buf)[0] = WH_AUTH_BASE_NVM_MAGIC;
((uint16_t*)(buf + 4))[0] = WH_AUTH_BASE_NVM_VERSION;
memcpy(buf + WH_AUTH_BASE_NVM_HEADER_SIZE, users, sizeof(users));
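Review bot: the comment on the first line of this hunk says is_active is cleared before storing, but nothing in the four lines shown clears it, and the memcpy copies `users` verbatim; if the clearing is not done earlier in the function, live session state gets persisted into NVM and a user would come back as logged in after a reboot. Suggest copying `users` into a local array, zeroing the is_active field of every entry there, and passing that copy to memcpy, so the persisted image can never contain session state; if the user struct has any padding, memset that local copy first so uninitialized padding bytes are not written to NVM alongside credential material. The two header stores (`((uint32_t*)buf)[0] = ...`, `((uint16_t*)(buf + 4))[0] = ...`) also fix the on-NVM layout to host endianness, so a DB written by one target will fail the magic check on a target of the other endianness; explicit byte-wise stores make the format portable and avoid the alignment issue at the same time.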

Copilot AI Feb 20, 2026


wh_Auth_BasePersistToNvm() writes the magic/version headers via ((uint32_t*)buf)[0] / ((uint16_t*)(buf + 4))[0]. Since buf is a uint8_t[], these casts can trigger unaligned 16/32-bit accesses on architectures that fault on misalignment. Use memcpy to/from local uint32_t/uint16_t variables (and apply endian translation if needed) rather than casting the byte buffer to wider integer pointers.

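The comment above recommends writing the magic/version header through byte copies into a `uint8_t` buffer instead of casting the buffer to wider integer pointers. The following is an added example of that approach, not code from the wolfHSM PR: the `EX_*` constants are placeholders (the real `WH_AUTH_BASE_NVM_MAGIC`/`_VERSION` values are not on the page) and the `ex_*` functions are names chosen for this illustration. It stores the header little-endian byte by byte, so the layout is independent of host endianness, and parses it back with a magic check and a version check; the round-trip helper deliberately uses an odd-offset buffer to show that no alignment assumption is made.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Placeholder values constructed for this example only; the PR's actual
 * WH_AUTH_BASE_NVM_MAGIC / WH_AUTH_BASE_NVM_VERSION are not shown on the page. */
#define EX_NVM_MAGIC       0x48534D41u
#define EX_NVM_VERSION     0x0001u
#define EX_NVM_HEADER_SIZE 6u /* 4-byte magic followed by 2-byte version */

/* Byte-wise little-endian stores/loads: no pointer casts, so no unaligned
 * 16/32-bit accesses, and the persisted layout does not depend on the host. */
static void ex_put_u32_le(uint8_t* p, uint32_t v)
{
    p[0] = (uint8_t)(v);
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

static void ex_put_u16_le(uint8_t* p, uint16_t v)
{
    p[0] = (uint8_t)(v);
    p[1] = (uint8_t)(v >> 8);
}

static uint32_t ex_get_u32_le(const uint8_t* p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t ex_get_u16_le(const uint8_t* p)
{
    return (uint16_t)((uint16_t)p[0] | ((uint16_t)p[1] << 8));
}

/* Write the header into buf. Returns bytes written, or -1 if buf is too small. */
int ex_header_write(uint8_t* buf, size_t buf_len)
{
    if (buf == NULL || buf_len < EX_NVM_HEADER_SIZE) {
        return -1;
    }
    ex_put_u32_le(buf, EX_NVM_MAGIC);
    ex_put_u16_le(buf + 4, EX_NVM_VERSION);
    return (int)EX_NVM_HEADER_SIZE;
}

/* Validate a header read back from storage.
 * Returns 0 on success, -1 on short/NULL buffer, -2 on bad magic,
 * -3 on version mismatch. version_out may be NULL. */
int ex_header_check(const uint8_t* buf, size_t buf_len, uint16_t* version_out)
{
    uint16_t version;
    if (buf == NULL || buf_len < EX_NVM_HEADER_SIZE) {
        return -1;
    }
    if (ex_get_u32_le(buf) != EX_NVM_MAGIC) {
        return -2; /* not our object, or corrupted: do not trust the payload */
    }
    version = ex_get_u16_le(buf + 4);
    if (version != EX_NVM_VERSION) {
        return -3; /* format changed: caller must migrate or reject */
    }
    if (version_out != NULL) {
        *version_out = version;
    }
    return 0;
}

/* Self-check: write and read back through a deliberately misaligned pointer
 * (storage + 1), then corrupt the magic and confirm it is rejected.
 * Returns 0 when every step behaves as expected. */
int ex_header_roundtrip(void)
{
    uint8_t  storage[EX_NVM_HEADER_SIZE + 1];
    uint8_t* unaligned = storage + 1;
    uint16_t ver = 0;

    memset(storage, 0, sizeof(storage));
    if (ex_header_write(unaligned, EX_NVM_HEADER_SIZE) != (int)EX_NVM_HEADER_SIZE) {
        return -1;
    }
    if (ex_header_check(unaligned, EX_NVM_HEADER_SIZE, &ver) != 0) {
        return -2;
    }
    if (ver != EX_NVM_VERSION) {
        return -3;
    }
    unaligned[0] ^= 0xFF; /* flip one magic byte */
    if (ex_header_check(unaligned, EX_NVM_HEADER_SIZE, &ver) != -2) {
        return -4;
    }
    return 0;
}
```

The same byte-store pattern extends to the user records themselves: serializing each field explicitly, rather than `memcpy`-ing a struct, keeps padding bytes out of NVM and makes the version field meaningful when the struct layout changes.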
Comment on lines +93 to +101
meta.id = WH_NVM_ID_AUTH_USER_DB;
meta.access = WH_NVM_ACCESS_NONE;
meta.flags = WH_NVM_FLAGS_SENSITIVE;
meta.len = WH_AUTH_BASE_NVM_DATA_SIZE;
memset(meta.label, 0, sizeof(meta.label));
memcpy(meta.label, "auth_user_db", 12);

return wh_Nvm_AddObject(s_auth_base_nvm, &meta, WH_AUTH_BASE_NVM_DATA_SIZE, buf);
}
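Review bot: the function returns the result of wh_Nvm_AddObject() directly, so `buf`, which holds the serialized user DB (credential material, as the WH_NVM_FLAGS_SENSITIVE flag acknowledges), is left intact on the stack after the write. Capture the return code, clear the buffer with the wh_Utils_ForceZero() helper this PR adds, and then return, matching the zeroization the server-side handler already does for credentials. The label copy `memcpy(meta.label, "auth_user_db", 12);` also hardcodes the string length; `sizeof("auth_user_db") - 1` avoids a silent mismatch if the label is ever edited, and a compile-time check that it fits in `meta.label` would document the assumption the preceding memset relies on.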

Copilot AI Feb 20, 2026


Persisting the auth DB uses wh_Nvm_AddObject() with a fixed ID each time. The NVM layer explicitly allows duplicate IDs (keeping only the most recent accessible), so repeated user updates will leave old versions behind and can exhaust NVM over time. Consider deleting previous versions (e.g., wh_Nvm_DestroyObjects(..., 1, &WH_NVM_ID_AUTH_USER_DB) before adding) and/or using wh_Nvm_AddObjectWithReclaim() to ensure compaction when space runs low.
