From 19e8bb05f33b74209243510d2d20e4cb30eef1c0 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Thu, 5 May 2022 15:54:31 -0500 Subject: [PATCH 1/2] wolfcrypt/src/aes.c: fix shiftTooManyBitsSigned in AES_GCM_decrypt_C(). --- wolfcrypt/src/aes.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index 34fc62d56..2594fa941 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -8246,9 +8246,15 @@ int WARN_UNUSED_RESULT AES_GCM_decrypt_C( XMEMCPY(p, scratch, partial); } - /* ConstantCompare returns XOR of bytes. */ + /* ConstantCompare returns cumulative or of the bytewise XOR. */ res = ConstantCompare(authTag, Tprime, authTagSz); - res = (0 - res) >> 31; + /* convert positive retval from ConstantCompare() to all-1s word, in + * constant time. + */ + res = 0 - (sword32)(((word32)(0 - res)) >> 31U); + /* now use res as a mask for constant time return of ret, unless tag + * mismatch, whereupon AES_GCM_AUTH_E is returned. + */ ret = (ret & ~res) | (res & AES_GCM_AUTH_E); return ret; From 4d4145e6a0fb646e98d5bf3486e149fac5ce29cf Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Thu, 5 May 2022 15:59:11 -0500 Subject: [PATCH 2/2] add support for $NETWORK_UNSHARE_HELPER to the relevant scripts/. --- scripts/crl-revoked.test | 7 ++++++- scripts/ocsp-stapling-with-ca-as-responder.test | 7 ++++++- scripts/ocsp-stapling2.test | 7 ++++++- scripts/openssl.test | 7 ++++++- scripts/pkcallbacks.test | 7 ++++++- scripts/psk.test | 7 ++++++- scripts/resume.test | 7 ++++++- scripts/sniffer-testsuite.test | 7 ++++++- scripts/tls13.test | 7 ++++++- scripts/trusted_peer.test | 7 ++++++- scripts/unit.test.in | 4 +++- 11 files changed, 63 insertions(+), 11 deletions(-) diff --git a/scripts/crl-revoked.test b/scripts/crl-revoked.test index ba16db02e..d15b3c69f 100755 --- a/scripts/crl-revoked.test +++ b/scripts/crl-revoked.test 
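Review bot: The constant-time select at the end of this hunk protects only the return code: the `XMEMCPY(p, scratch, partial);` context line shows output being written before `ConstantCompare()` runs, so on a tag mismatch the caller's buffer presumably already holds unauthenticated plaintext. I would state that next to the final select, e.g. `/* on AES_GCM_AUTH_E the output buffer is unauthenticated; callers must discard it */`, or clear the output there if the API contract allows it. The new mask `0 - (sword32)(((word32)(0 - res)) >> 31U)` is all-1s only for a positive `res`, so a negative return from `ConstantCompare()` would be treated as a match. The new comment says it returns a cumulative OR of byte XORs, which keeps it non-negative, but that dependency deserves a word in the comment. The body of AES_GCM_decrypt_C() and the declaration of `res` are outside the hunk.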
@@ -4,7 +4,12 @@ CERT_DIR=certs # if we can, isolate the network namespace to eliminate port collisions. -if [ "${AM_BWRAPPED-}" != "yes" ]; then +if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then + if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then + export NETWORK_UNSHARE_HELPER_CALLED=yes + exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $? + fi +elif [ "${AM_BWRAPPED-}" != "yes" ]; then bwrap_path="$(command -v bwrap)" if [ -n "$bwrap_path" ]; then export AM_BWRAPPED=yes diff --git a/scripts/ocsp-stapling-with-ca-as-responder.test b/scripts/ocsp-stapling-with-ca-as-responder.test index 8f6b29b7c..6bff2db1b 100755 --- a/scripts/ocsp-stapling-with-ca-as-responder.test +++ b/scripts/ocsp-stapling-with-ca-as-responder.test @@ -5,7 +5,12 @@ SCRIPT_DIR="$(dirname "$0")" # if we can, isolate the network namespace to eliminate port collisions. -if [ "${AM_BWRAPPED-}" != "yes" ]; then +if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then + if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then + export NETWORK_UNSHARE_HELPER_CALLED=yes + exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $? + fi +elif [ "${AM_BWRAPPED-}" != "yes" ]; then bwrap_path="$(command -v bwrap)" if [ -n "$bwrap_path" ]; then export AM_BWRAPPED=yes diff --git a/scripts/ocsp-stapling2.test b/scripts/ocsp-stapling2.test index 33d07522a..7c81788e7 100755 --- a/scripts/ocsp-stapling2.test +++ b/scripts/ocsp-stapling2.test @@ -6,7 +6,12 @@ SCRIPT_DIR="$(dirname "$0")" # if we can, isolate the network namespace to eliminate port collisions. -if [ "${AM_BWRAPPED-}" != "yes" ]; then +if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then + if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then + export NETWORK_UNSHARE_HELPER_CALLED=yes + exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $? + fi +elif [ "${AM_BWRAPPED-}" != "yes" ]; then bwrap_path="$(command -v bwrap)" if [ -n "$bwrap_path" ]; then export AM_BWRAPPED=yes diff --git a/scripts/openssl.test b/scripts/openssl.test index ea1fc7646..19fddd9fa 100755 --- a/scripts/openssl.test 
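Review bot: The added `if [[ -n "$NETWORK_UNSHARE_HELPER" ]]` uses the bash-only `[[ ]]`, while the code it sits next to uses POSIX `[ ]` and the unset-tolerant expansion `${AM_BWRAPPED-}`. The unit.test.in hunk of this patch shows `#!/bin/sh` as its first line, so where sh is not bash the `[[` test presumably fails as an unknown command and the script falls through to the bwrap branch, ignoring the helper. I would write `if [ -n "${NETWORK_UNSHARE_HELPER-}" ]; then` and `if [ -z "${NETWORK_UNSHARE_HELPER_CALLED-}" ]; then` here and in the same block in the other ten script hunks. The shebangs of those other scripts are outside their hunks, so whether they are affected needs checking. The `|| exit $?` after `exec` is reached only if exec itself fails, which a non-interactive shell normally treats as fatal anyway.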
+++ b/scripts/openssl.test @@ -14,7 +14,12 @@ if ! test -n "$WOLFSSL_OPENSSL_TEST"; then fi # if we can, isolate the network namespace to eliminate port collisions. -if [ "${AM_BWRAPPED-}" != "yes" ]; then +if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then + if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then + export NETWORK_UNSHARE_HELPER_CALLED=yes + exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $? + fi +elif [ "${AM_BWRAPPED-}" != "yes" ]; then bwrap_path="$(command -v bwrap)" if [ -n "$bwrap_path" ]; then export AM_BWRAPPED=yes diff --git a/scripts/pkcallbacks.test b/scripts/pkcallbacks.test index c0ac1c364..7fcb697f0 100755 --- a/scripts/pkcallbacks.test +++ b/scripts/pkcallbacks.test @@ -3,7 +3,12 @@ #pkcallbacks.test # if we can, isolate the network namespace to eliminate port collisions. -if [ "${AM_BWRAPPED-}" != "yes" ]; then +if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then + if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then + export NETWORK_UNSHARE_HELPER_CALLED=yes + exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $? + fi +elif [ "${AM_BWRAPPED-}" != "yes" ]; then bwrap_path="$(command -v bwrap)" if [ -n "$bwrap_path" ]; then export AM_BWRAPPED=yes diff --git a/scripts/psk.test b/scripts/psk.test index 5dc2e821c..baeca0210 100755 --- a/scripts/psk.test +++ b/scripts/psk.test @@ -4,7 +4,12 @@ # copyright wolfSSL 2016 # if we can, isolate the network namespace to eliminate port collisions. -if [ "${AM_BWRAPPED-}" != "yes" ]; then +if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then + if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then + export NETWORK_UNSHARE_HELPER_CALLED=yes + exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $? + fi +elif [ "${AM_BWRAPPED-}" != "yes" ]; then bwrap_path="$(command -v bwrap)" if [ -n "$bwrap_path" ]; then export AM_BWRAPPED=yes diff --git a/scripts/resume.test b/scripts/resume.test index a76202851..1198437b3 100755 --- a/scripts/resume.test +++ b/scripts/resume.test 
@@ -3,7 +3,12 @@ #resume.test # if we can, isolate the network namespace to eliminate port collisions. -if [ "${AM_BWRAPPED-}" != "yes" ]; then +if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then + if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then + export NETWORK_UNSHARE_HELPER_CALLED=yes + exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $? + fi +elif [ "${AM_BWRAPPED-}" != "yes" ]; then bwrap_path="$(command -v bwrap)" if [ -n "$bwrap_path" ]; then export AM_BWRAPPED=yes diff --git a/scripts/sniffer-testsuite.test b/scripts/sniffer-testsuite.test index d0d520d74..24ce5ecda 100755 --- a/scripts/sniffer-testsuite.test +++ b/scripts/sniffer-testsuite.test @@ -3,7 +3,12 @@ #sniffer-testsuite.test # if we can, isolate the network namespace to eliminate port collisions. -if [ "${AM_BWRAPPED-}" != "yes" ]; then +if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then + if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then + export NETWORK_UNSHARE_HELPER_CALLED=yes + exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $? + fi +elif [ "${AM_BWRAPPED-}" != "yes" ]; then bwrap_path="$(command -v bwrap)" if [ -n "$bwrap_path" ]; then export AM_BWRAPPED=yes diff --git a/scripts/tls13.test b/scripts/tls13.test index 9dbcfbf63..5880db53a 100755 --- a/scripts/tls13.test +++ b/scripts/tls13.test @@ -4,7 +4,12 @@ # Copyright wolfSSL 2016-2021 # if we can, isolate the network namespace to eliminate port collisions. -if [ "${AM_BWRAPPED-}" != "yes" ]; then +if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then + if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then + export NETWORK_UNSHARE_HELPER_CALLED=yes + exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $? + fi +elif [ "${AM_BWRAPPED-}" != "yes" ]; then bwrap_path="$(command -v bwrap)" if [ -n "$bwrap_path" ]; then export AM_BWRAPPED=yes diff --git a/scripts/trusted_peer.test b/scripts/trusted_peer.test index a6104d01c..3936e79de 100755 --- a/scripts/trusted_peer.test +++ b/scripts/trusted_peer.test 
@@ -4,7 +4,12 @@ # copyright wolfSSL 2016 # if we can, isolate the network namespace to eliminate port collisions. -if [ "${AM_BWRAPPED-}" != "yes" ]; then +if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then + if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then + export NETWORK_UNSHARE_HELPER_CALLED=yes + exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $? + fi +elif [ "${AM_BWRAPPED-}" != "yes" ]; then bwrap_path="$(command -v bwrap)" if [ -n "$bwrap_path" ]; then export AM_BWRAPPED=yes diff --git a/scripts/unit.test.in b/scripts/unit.test.in index 8e5e4f02f..580aec4ab 100644 --- a/scripts/unit.test.in +++ b/scripts/unit.test.in @@ -1,6 +1,8 @@ #!/bin/sh -if [ "${AM_BWRAPPED-}" != "yes" ]; then +if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then + exec "${NETWORK_UNSHARE_HELPER}" "@builddir@/tests/unit.test" "$@" || exit $? +elif [ "${AM_BWRAPPED-}" != "yes" ]; then bwrap_path="$(command -v bwrap)" if [ -n "$bwrap_path" ]; then exec "$bwrap_path" --unshare-net --dev-bind / / "@builddir@/tests/unit.test" "$@"