- ECH: add bounds check on hpkePubkeyLen against HPKE_Npk_MAX to
prevent heap buffer overflow from untrusted ECH config data
- Sniffer: fix reassembly memory limit check typo, MaxRecoveryMemory -1
should be MaxRecoveryMemory != -1
- Sniffer: add bounds check in IPv6 extension header parsing loop to
prevent OOB read when next_header never matches TCP or NO_NEXT_HEADER
- Sniffer: validate tlsFragOffset + rhSize against tlsFragSize before
XMEMCPY in both TLS handshake fragment reassembly paths
- Internal: use WC_SAFE_SUM_WORD32 in GrowAnOutputBuffer to prevent
integer overflow on allocation size, matching existing pattern in
GrowOutputBuffer
Correct the logic for checking if the client and server examples are compiled
in the test scripts. The previous logic was inverted, causing the tests to
always skip if the examples *were* compiled.
The non-blocking setup for X25519 and ECC in TLS was unconditionally
setting up nbCtx, which caused functions to return FP_WOULDBLOCK. However,
with INVALID_DEVID (the default), TLS has no async loop to handle
FP_WOULDBLOCK, only WC_PENDING_E via the async framework.
The fix follows the pattern used in asn.c: only set up nbCtx when the async
device is active (devId != INVALID_DEVID). With INVALID_DEVID, the code now
uses the blocking fallback (WC_ECC_NONBLOCK_ONLY) instead.
This prevents unit test timeouts when built with --enable-curve25519=nonblock
or --enable-ecc=nonblock.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add Ada bindings for SHA-256, RSA sign/verify, and AES-CBC from
wolfCrypt. Use XMALLOC/XFREE for dynamic allocation and add GNATprove
ownership annotations to enable static leak detection.
Refactor the Ada wrapper into a base package (wolfssl.ads) and a child
package (wolfssl-full_runtime) to separate code that depends on
Interfaces.C.Strings and GNAT.Sockets from zero-footprint-compatible
code.
Add standalone examples for SHA-256 hashing, RSA signature verification,
and AES encryption under wrapper/Ada/examples/.
Add AUnit test suites for SHA-256, RSA, and AES bindings under
wrapper/Ada/tests/ with Valgrind suppressions and Alire integration.
Move TLS client/server examples into wrapper/Ada/examples/src/ and
update build files (default.gpr, examples.gpr, include.am) accordingly.
Update CI (ada.yml) to build default.gpr, run AUnit tests, run the
client-server examples, and run GNATprove.
Co-authored-by: Joakim Strandberg <joakim@mequinox.se>