Commit Graph

577 Commits

Author SHA1 Message Date
David Garske 87536214bf Merge pull request #10375 from LinuxJedi/STSAFEA120Sim
Add STSAFE A120 CI support
2026-05-05 11:53:29 -07:00
David Garske 644f6171ab Merge pull request #10290 from LinuxJedi/emnet
Fix emNET support and add tests
2026-05-05 11:46:15 -07:00
David Garske 9b1167772d Merge pull request #10350 from LinuxJedi/ATECC608Sim
Add ATECC608 CI tests
2026-05-05 11:45:45 -07:00
David Garske d793452264 Merge pull request #10353 from julek-wolfssl/dtls-13-client-only
DTLS 1.3 client-only minimum: WOLFSSL_DTLS_ONLY + autoconf cascade
2026-05-05 11:24:44 -07:00
David Garske 401e9e23a6 Merge pull request #10298 from LinuxJedi/bot-block-update
Update blocking PR check
2026-05-05 10:55:19 -07:00
David Garske f14b4e06b4 Merge pull request #10284 from ColtonWilley/security_policy_and_report_template
Publish wolfSSL Security Policy and Vulnerability Report Template
2026-05-05 10:46:49 -07:00
Daniele Lacamera 59a0ec4a94 Correctly detect expected failures 2026-05-05 15:10:56 +02:00
Daniele Lacamera d633a76de3 Properly copy wolfssl as wolfBoot lib/ submodule 2026-05-05 14:18:39 +02:00
Daniele Lacamera 8b9bb6b3c6 Migrate wolfboot integration tests to new wolfboot-ci container 2026-05-05 14:01:49 +02:00
Daniele Lacamera e8ccb5c8a2 Address more comments, pin renode to v 1.15.3 2026-05-05 13:03:42 +02:00
Daniele Lacamera cc85d5a656 Addressed copilot's comment 2026-05-05 13:03:42 +02:00
Daniele Lacamera c7684acb6c Renode docker: fixed permission 2026-05-05 13:03:42 +02:00
Daniele Lacamera 2c7bc0d1b3 Removed toLower 2026-05-05 13:03:42 +02:00
Daniele Lacamera b695dd37b4 Remove artifact upload, address copilot's, fix docker boundary 2026-05-05 13:03:42 +02:00
Daniele Lacamera b69ea6659b Add github workflow to check for wolfboot regressions 2026-05-05 13:03:41 +02:00
Andrew Hutchings a4b754ab5d Add STSAFE A120 CI support
Adds our STSAFE A120 simulator to the CI, adds STSAFE to configure.ac
and fix missing required header.
2026-05-01 07:12:55 +01:00
Andrew Hutchings 9e7c2d19c7 Add ATECC608 CI tests
Also fix issues found with ATECC608
2026-04-30 18:01:42 +01:00
Andrew Hutchings 3720a9496c Restore IP_SOCK_getsockopt emNET error lookup
Merging TranslateReturnCode into wolfSSL_LastError dropped the
IP_SOCK_getsockopt(SO_ERROR) lookup emNET integrations need to retrieve
the canonical IP_ERR_* for a failed recv/send, leaving a broken branch
that returned the raw value and mishandled the POSIX-facade convention.

Restore the historic lookup (fixing the optlen pointer-vs-int typo
along the way) and add a CI test that builds wolfSSL with
-DWOLFSSL_EMNET against a clean-room shim providing an emNET-faithful
IP_SOCK_getsockopt (SO_ERROR-then-errno fallback, since Linux does not
stash EAGAIN in SO_ERROR); recv/send fall through to glibc.
2026-04-30 18:01:16 +01:00
Andrew Hutchings bf19d548bb Fix emNET support and add tests
The emNET `wolfSSL_LastError` branches were incorrect. The second one
was never hit and would never compile. The first one inverts error codes
that should not be inverted.

This fixes that code and adds a test with a shim layer to test emNET
calls without using emNET.
2026-04-30 18:01:16 +01:00
Juliusz Sosinowicz a012a8f3ec DTLS 1.3 client-only minimum: WOLFSSL_DTLS_ONLY + autoconf cascade
* configure.ac: --enable-dtls13 auto-enables --enable-dtls and TLS 1.3,
  with a targeted error if either is explicitly --disabled, plus a
  post-finalization sanity check that errors out if a later
  prerequisite test forces ENABLED_TLS13 back to "no" while
  ENABLED_DTLS13 is yes.
* src/internal.c, src/wolfio.c, wolfssl/wolfio.h: new WOLFSSL_DTLS_ONLY
  compile-time flag elides the EmbedReceive / EmbedSend default
  callbacks. The DTLS_MAJOR runtime check stays in SetSSL_CTX so a
  TLS-method ctx in a DTLS-only build doesn't get datagram callbacks
  by default, and WriteSEQ keeps its ssl->options.dtls branch. A
  #error in settings.h refuses WOLFSSL_DTLS_ONLY without WOLFSSL_DTLS.
* wolfcrypt/src/aes.c: add HAVE_AES_DECRYPT to the inv_col_mul
  definition gate to match its only caller; without it the function is
  emitted dead under WOLFSSL_AES_DIRECT && NO_AES_DECRYPT and
  -Werror=unused-function fails the build.
* .github/workflows/os-check.yml: matrix entry for a minimal DTLS 1.3
  client-only build.
2026-04-30 11:40:22 +00:00
Daniel Pouzzner 468ee9e1be Merge pull request #10348 from Frauschi/hostap_fix
Fix race condition in hostap CI tests
2026-04-29 09:05:21 -05:00
Daniel Pouzzner 9c618177c9 Merge pull request #10347 from Frauschi/pq-all_timeout
Increase pq-all test timeout
2026-04-29 09:04:37 -05:00
Tobias Frauenschläger 46b47cb8ec Fix race conditions in hostap CI tests 2026-04-29 14:31:15 +02:00
Tobias Frauenschläger 4f3f40e1fb Increase pq-all test timeout to 10 minutes
Increase the timeout for PQC CI tests from 6 to 10 minutes. The new
SLH-DSA tests take more time than the previous tests due to the slow
signing. With the old timeout, some tests sometimes hit the timeout
before finishing successfully.
2026-04-29 09:21:14 +02:00
Andrew Hutchings c75f8bebab Update blocking PR check
Matches patterns for Devin, Codex and Copilot.
2026-04-29 07:41:57 +01:00
Tobias Frauenschläger b59ff436f3 Remove the amount of macos based tests in os-check
Reduce the number of tests running on macos in os-check.yml to the
minimum required number to cover all mac os specific features. All other
platform-agnostic configs and setups are only tested on Linux, which is
much faster in GitHub CI.
2026-04-28 19:34:05 +02:00
David Garske 3181e2bcf8 Merge pull request #10309 from JacobBarthelmeh/openvpn
remove openvpn master from CI test
2026-04-27 08:49:30 -07:00
Daniel Pouzzner caffc458af .github/workflows/: add -Wnull-dereferences to a few -pedantic scenarios missed in the first pass. 2026-04-25 11:47:25 -05:00
Daniel Pouzzner df486d8cd5 src/ssl_load.c: fix -Wnull-dereference in wolfssl_ctx_set_tmp_dh() (detected by armel build);
.github/workflows/pq-all.yml: for the --enable-sp-math scenario, --disable-quic (QUIC unit tests fail on that combo);

wolfcrypt/test/test.c: add WC_MAYBE_UNUSED to ecdsa_test_deterministic_k_rs(), to fix armel sp-math build.
2026-04-25 11:47:25 -05:00
Daniel Pouzzner d14b8f8e79 .github/workflows/:
* add "-Wnull-dereference" to all existing "-pedantic -Wdeclaration-after-statement" configs;
* add an --enable-sp-math config to .github/workflows/pq-all.yml and .github/workflows/multi-arch.yml.
2026-04-25 11:47:24 -05:00
JacobBarthelmeh 186ab8b0c3 remove openvpn master from CI test 2026-04-24 16:55:51 -06:00
JacobBarthelmeh b9514e70be Merge pull request #10148 from julek-wolfssl/openvpn-master-bn2binpad
Add BN_bn2binpad API and enable OpenVPN master CI testing
2026-04-24 13:54:06 -06:00
Juliusz Sosinowicz 5dad65c04c Remove ap_wpa2_eap_sim_sql 2026-04-24 17:07:37 +02:00
JacobBarthelmeh 20c1b91914 Merge pull request #10286 from LinuxJedi/git-action
ci: add PR commit message sanity check workflow
2026-04-23 17:16:26 -06:00
JacobBarthelmeh 6a0303e299 Merge pull request #10066 from dgarske/wc_puf
wolfCrypt SRAM PUF Support
2026-04-23 14:28:37 -06:00
JacobBarthelmeh 53e352181e Merge pull request #10058 from julek-wolfssl/hostap-ec-generate.sh
Re-enable hostap tests and remove some flaky tests
2026-04-23 14:09:09 -06:00
Andrew Hutchings 8810160da7 ci: add PR commit message sanity check workflow
Adds a GitHub Actions workflow that scans every commit in a pull
request and fails if any commit message carries a Co-authored-by
or Signed-off-by trailer pointing at noreply@anthropic.com.
2026-04-23 07:08:36 +01:00
Colton Willey c6837a96c5 Publish wolfSSL Security Policy and Vulnerability Report Template
Add SECURITY-POLICY.md and SECURITY-REPORT-TEMPLATE.md at the repository
root and replace the .github/SECURITY.md stub with a short pointer.

SECURITY-POLICY.md is intentionally terse and discretionary, matching
OpenSSL and Mbed TLS practice. It states the CVE-filing criterion,
severity tiers, categories not considered CVE-eligible, coordinated-
disclosure practice, and credit.

SECURITY-REPORT-TEMPLATE.md is a structured report template whose use is
mandatory for CVE consideration. It requires a reachability trace,
attacker model, working proof-of-concept, and a related-work check
against open pull requests and recent commits.

All reports route to support@wolfssl.com.
2026-04-22 18:53:38 -07:00
David Garske e05ce26fc9 wolfCrypt SRAM PUF Support
Add SRAM PUF (Physically Unclonable Function) support to wolfCrypt. Derives device-unique cryptographic keys from the power-on state of SRAM memory using a BCH(127,64,t=10) fuzzy extractor with HKDF key derivation.

- **wolfCrypt PUF API** (`wolfcrypt/src/puf.c`, `wolfssl/wolfcrypt/puf.h`)
  - `wc_PufInit`, `wc_PufReadSram`, `wc_PufEnroll`, `wc_PufReconstruct`
  - `wc_PufDeriveKey` (HKDF-SHA256), `wc_PufGetIdentity` (SHA-256 device fingerprint)
  - `wc_PufZeroize` (secure context cleanup)
  - `wc_PufSetTestData` (synthetic SRAM for testing without hardware)
- **BCH(127,64,t=10) error-correcting codec** - corrects up to 10 bit flips per 127-bit codeword across 16 codewords
- **`WC_PUF_SHA3` build option** - select SHA3-256 instead of SHA-256 for identity hash and HKDF (default: SHA-256)
- **Precomputed GF(2^7) tables** - `const` arrays in `.rodata` (no runtime init, thread-safe, flash-resident on embedded)
- `./configure --enable-puf` (auto-enables HKDF dependency)
- CMake: `WOLFSSL_PUF=yes`
- `WOLFSSL_USER_SETTINGS`: define `WOLFSSL_PUF` and `WOLFSSL_PUF_SRAM`
- See wolfssl-examples/puf for example implementation on STM32 NUCLEO-H563ZI (Cortex-M33, STM32H563ZI)
- Supports test mode (synthetic SRAM)
- Builds to ~13KB `.elf`
- Tested on NUCLEO-H563ZI: enrollment, noisy reconstruction, key derivation all pass
- `.github/workflows/puf.yml`: host build + test workflow for PUF feature
- Doxygen API docs for all 8 public functions
- PUF group added to `doxygen_groups.h`
2026-04-22 11:39:39 -07:00
Andrew Hutchings ddacd6b822 Move SE050 simulator under wolfSSL
The simulator is now in the simulators repo instead of LinuxJedi's
private repo.
2026-04-21 06:31:42 +01:00
Tobias Frauenschläger 0de3925207 Add RFC8773bis cert_with_extern_psk support
Implement RFC8773bis (draft-ietf-tls-8773bis-13)
cert_with_extern_psk for TLS 1.3, including protocol checks
and API support.

Includes unit tests for API and handshake behavior as well
as tests in the testsuite using extended examples.
2026-04-17 15:12:04 +02:00
Brett Nicholas 4bf334c299 Merge pull request #10009 from night1rider/SHE-update
Add SHE (Secure Hardware Extension) support to wolfCrypt
2026-04-16 16:49:00 -06:00
Daniel Pouzzner 8d332778b0 wolfcrypt/test/test.c: in ed25519_test(), fix RARE_ED_BAD_ENC_E and RARE_ED_BAD_SIG_E macros to use WC_NO_ERR_TRACE() safely;
.github/workflows/trackmemory.yml: add --enable-debug-trace-errcodes to a couple scenarios.
2026-04-15 21:12:21 -05:00
David Garske 48a0347581 Merge pull request #10180 from Frauschi/dilithium-alloc-key
Add dynamic key allocation support for Dilithium
2026-04-15 10:36:14 -07:00
night1rider f081a08c5c Address comments from bigbrett and Fenrir bot. Rename she.{c,h} to wc_she.{c,h}, fix naming consistency, auto-enable CMAC/AES dependencies, add WC_SHE_SW_DEFAULT opt-inAddress PR #10009 review comments from bigbrett and Fenrir 2026-04-15 11:28:03 -06:00
night1rider ee7fe9e1b1 SHE API: remove key storage from context, add direct output params 2026-04-15 11:28:03 -06:00
night1rider eeedc470e9 Add SHE (Secure Hardware Extension) support to wolfCrypt 2026-04-15 11:27:44 -06:00
David Garske 1a67eb7223 Merge pull request #9851 from night1rider/setkey-callbacks
Setkey/Export callbacks
2026-04-15 10:17:38 -07:00
David Garske 240703c959 Merge pull request #10219 from rizlik/se050
SE050: Fixes  + NO_{RSA,ECDHE}_VERIFY options + simulator CI
2026-04-15 09:35:23 -07:00
Michael Rogov Papernov e38c88daf3 ci: preserve membrowse push-to-master runs from cancellation
Use unique concurrency group per commit for push events so that
sequential merges to master don't cancel each other's queued runs.
This ensures every master commit gets analyzed for memory tracking.
2026-04-15 11:07:41 +01:00