Commit Graph

724 Commits

Author SHA1 Message Date
David Garske fdfba83c38 Merge pull request #10788 from aidangarske/fenrir-tls-batch-2026-06
Various hardening fixes across sniffer, QUIC, PKCS#11, TLS and tooling
2026-07-08 13:58:14 -07:00
David Garske 1e6f266e47 Merge pull request #10760 from Frauschi/pkcs7-server-encode
PKCS#7 improvements
2026-07-08 13:55:52 -07:00
David Garske a6ee818b27 Merge pull request #10781 from julek-wolfssl/parallel-make-check-status-emoji
.github/scripts/parallel-make-check.py: emit literal status emoji, not :shortcodes:
2026-07-08 10:25:29 -07:00
David Garske 59e942b07a Merge pull request #10844 from SparkiDev/windows_arm64_1
ARM64 Windows: Add assembly
2026-07-08 09:28:41 -07:00
Tobias Frauenschläger 673d8d00bb Merge pull request #10778 from SparkiDev/time_stamp_protocol
Time-Stamp Protocol (RFC 3161)
2026-07-08 17:43:38 +02:00
David Garske b19f00a736 Merge pull request #10807 from SparkiDev/aes_gcm_siv_asm
AES-GCM-SIV: Add implementation in C and assembly
2026-07-08 08:30:02 -07:00
David Garske 7f441a687a Merge pull request #10748 from night1rider/AES-Callbacks
AES callbacks for CFB and OFB
2026-07-08 08:25:23 -07:00
Tobias Frauenschläger 366000eec2 PKCS#7: support degenerate certs-only encode and harden signed-attribute handling
Server-side PKCS#7 encode improvements that let downstream EST/SCEP enrollment
code (wolfCert) drive the existing encoder through the public API rather than
hand-rolling DER. Everything is gated under the existing HAVE_PKCS7 — no new
build options and no new public functions; the convenience wrappers live
caller-side.

Allow degenerate (certs-only) SignedData encode
  Relax the hashOID != 0 requirement in PKCS7_EncodeSigned() when
  sidType == DEGENERATE_SID, so a caller can produce a certs-only bundle (no
  signer, attributes, or eContent — the form used by EST /cacerts and SCEP
  GetCACert) by selecting DEGENERATE_SID via wc_PKCS7_SetSignerIdentifierType()
  and calling wc_PKCS7_EncodeSignedData(). The output round-trips through
  wc_PKCS7_VerifySignedData().

Size the signed-attribute array to the actual count
  The SignerInfo attribute working array is now sized to the real attribute
  count instead of a fixed [7] array. An inline buffer (sized
  MAX_SIGNED_ATTRIBS_SZ, the historical footprint) covers the common
  allocation-free case; a heap buffer is used only when the count exceeds it.
  The default-attribute count comes from a single helper
  (wc_PKCS7_GetDefaultSignedAttribCount) so the sizing matches the emission
  logic exactly, and the canned-attribute write is bound-checked against the
  array capacity. This also fixes a latent overflow where the backing array was
  hardcoded [7] while the bound check used MAX_SIGNED_ATTRIBS_SZ. The macro is
  retained for source compatibility but no longer caps the count.

Document the decoded-attribute value shape
  Documented the stable shape of PKCS7DecodedAttrib.value (the contents of the
  SET OF AttributeValue, outer SET tag stripped) so callers can rely on it. No
  behavior change.

Fix multi-certificate decode in non-streaming builds
  Bound the additional-certificate loop in wc_PKCS7_VerifySignedData against the
  absolute end of the certificate set (idx + length) rather than the relative
  length. In NO_PKCS7_STREAM builds the old bound dropped trailing certificates
  (all but the first when a large eContent preceded the set), failing
  verification when the signer cert was among those dropped. Streaming builds
  were unaffected.

Tests
  Added coverage in pkcs7signed_test: degenerate certs-only encode via the
  public API, nine-attribute encode (beyond the inline capacity), decoded
  attribute value shape for PrintableString and OCTET STRING, and a
  multi-certificate decode regression with large content that triggers the
  bound bug under NO_PKCS7_STREAM. Added a signed-attribute selection
  round-trip covering a messageDigest-only subset and the no-attributes case
  via wc_PKCS7_SetDefaultSignedAttribs/wc_PKCS7_NoDefaultSignedAttribs, a
  WOLFSSL_NO_MALLOC over-capacity case that must return BUFFER_E instead of
  overrunning the inline buffer, and a malformed certificate-set length that
  exercises the certSetEnd clamp in the verifier. Config-sensitive cases are
  guarded.
2026-07-08 12:33:38 +02:00
Tobias Frauenschläger dcc2b23b1a Merge pull request #10852 from stenslae/fix-mldsa-privkeydecode-no-asn1
Fix ML-DSA level auto-detection in WOLFSSL_MLDSA_NO_ASN1 builds
2026-07-08 10:03:34 +02:00
Sean Parkinson ae023a5643 Time-Stamp Protocol (RFC 3161)
Implementation in wolfCrypt
OpenSSL compatibility layer in wolfSSL
Added tests, certificates, examples.
2026-07-08 09:33:47 +10:00
Sean Parkinson af3befef80 ARM66 Windows: Add assembly
Add assembly generated for Windows ARM64.
Add build option to project files.
Add CI loops.
2026-07-08 07:53:53 +10:00
David Garske 7dd7ae86c0 Merge pull request #10770 from embhorn/zd22032
Fix wolfSSL_BUF_MEM_grow_ex with WOLFSSL_NO_REALLOC
2026-07-07 14:48:29 -07:00
Sean Parkinson 2c0e235bd1 AES-GCM-SIV: Add implementation in C and assembly
Added assembly for Intel x64, ARM64, ARM32, Thumb2.
2026-07-08 07:15:26 +10:00
night1rider d09803154b Adding callbacks for AES mode OFB and CFB, along with callback testing/coverage for the callback paths 2026-07-07 14:20:26 -06:00
Emma Stensland 8407359792 fix ml-dsa level auto detection in no asn1 builds 2026-07-06 16:08:58 -06:00
Sean Parkinson bcef8f4f6d Add Windows assembly files to the build
Windows ASM files generated along side the ATT assembly files.
Adding them to the build so they can be used.
2026-07-07 08:02:20 +10:00
JacobBarthelmeh f1b700180c Merge pull request #10738 from dgarske/zd_ecc_nonblock_certchain
Add WOLFSSL_ASYNC_CERT_YIELD: per-certificate non-blocking yield
2026-07-06 14:21:08 -06:00
Yosuke Shimizu b87edc2040 certs: re-sign orphaned rsapss/mldsa leaves and add chain guard 2026-07-02 10:34:06 +09:00
JacobBarthelmeh 64a4c7a7ae Merge pull request #10750 from night1rider/SHAKE-Callbacks
SHAKE 128/256 callback wiring and tests, along with fix to devCTX initialization
2026-07-01 10:53:57 -06:00
Tobias Frauenschläger 9e71da21ac Merge pull request #10751 from aidangarske/tinytls13
Add --enable-tinytls13 TLS 1.3-only footprint profile.

Merging with PRB-master-job failing. Failures are unrelated to this PR.
2026-07-01 15:21:04 +02:00
David Garske 0cecccdf6e Merge pull request #10756 from SparkiDev/aes_asm_ymm_zmm
Intel x64 ASM: Add new assembly for AES
2026-06-25 21:41:17 -07:00
aidan garske 46edfa8997 F-6279 - Pin membrowse-action to commit SHA and drop persisted creds in zephyr report workflow 2026-06-25 15:07:33 -07:00
aidan garske 5bd8fc5b47 Move tinytls13 smoke test to examples/tls13/tls13_memio.c and restore WOLFSSL_MLKEM_DYNAMIC_KEYS macro 2026-06-25 14:32:33 -07:00
Juliusz Sosinowicz 3a0d31a050 .github/scripts/parallel-make-check.py: emit literal status emoji, not :shortcodes:
The summary table is printed to plain stdout (the Actions console log and
local terminals) in addition to the GitHub step summary. GitHub emoji
:shortcodes: like  only expand on GitHub's Markdown
surfaces, so in the console log they appeared as literal text. Emit the
Unicode emoji directly, via \N{...} escapes so the source stays ASCII; the
glyphs match what the shortcodes mapped to, leaving the step summary
unchanged.
2026-06-25 15:37:45 +00:00
Juliusz Sosinowicz 044a477378 parallel-make-check.py: only require bwrap for an actual netns run
netns needs bwrap; without it commands silently share the host network
namespace and parallel network tests collide on ports. Skip the check for
--list (it inspects configs, runs nothing), hard-fail on CI so a missing-
bubblewrap misconfig can't silently degrade, and locally just warn and fall
back to the shared namespace.
2026-06-25 13:05:35 +00:00
Juliusz Sosinowicz f2fa741bad socat CI: run the test suite as parallel netns shards
The socat suite is sleep-bound and slow run serially. Drive it through
parallel-make-check.py as ~6 shards per CPU, 2 running per CPU at once: each
shard runs a round-robin slice of the tests in its own bwrap network
namespace (so parallel shards don't collide on ports) and its own build-dir
copy. The work is almost all waiting, so the oversubscription just overlaps
the waits.

Install bubblewrap so the netns isolation actually happens (without it the
runner silently shares one namespace and the shards collide). Each fresh
netns is IPv4-loopback only, so re-create IPv6 loopback (CAP_NET_ADMIN) for
the ::1 / dual-stack tests, and add non-loopback placeholders (fc00::1,
192.0.2.1) so glibc's AI_ADDRCONFIG still returns both families - without
them socat's getaddrinfo fails on numeric non-loopback addresses, e.g. the
multicast tests. Relax the AppArmor unprivileged-userns restriction so the
bwrap netns + CAP_NET_ADMIN work on ubuntu-24.04.
2026-06-25 09:35:13 +00:00
Juliusz Sosinowicz c9d71d52f8 parallel-make-check.py: add generic pool extensions for arbitrary commands
Let any command ride the build/check pool, not just wolfSSL builds:
  build  false skips configure/make/check (config is just prepare+run)
  netns  true runs each command under 'bwrap --unshare-net --cap-add
         CAP_NET_ADMIN' (its own network namespace) so parallel network
         tests can't collide on ports and can configure that namespace
  shards fan a config out into N instances, each with $SHARD (1..N) and
         $SHARDS=N in its env and its own build-<name>-<k> dir, so a
         command can split its work N ways (the pool load-balances them)

Error out, rather than silently degrade, on two misconfigurations that
otherwise surface as confusing test failures: netns requested but bwrap
missing (commands would share the host namespace and collide on ports),
and config-name collisions after shard fan-out (two jobs would share a
build dir and race).
2026-06-25 09:35:13 +00:00
Eric Blankenhorn 3360eeb74b Fix wolfSSL_BUF_MEM_grow_ex with WOLFSSL_NO_REALLOC 2026-06-24 13:56:02 -05:00
Sean Parkinson a342eba578 Intel x64 ASM: Add new assembly for AES
Support AES-XTS AVX512/VAES
Support AES-GCM AVX512/VAES
Support AES-ECB/CBC/CTR AVX512/VAES/AVX1/AES-NI.
Remove code from aes_asm.S/aes_asm.asm
Add CPU defines for AVX512 and VAES
Updated ASM files with new defines for AVX512.
Added support for printing out the new CPU Id flags in benchmark.
Added new files to Windows projects.
aes.c: Supports ECB/CBC/CTR in assembly. Supports calling AVX512/VAES assembly.
2026-06-23 20:54:59 +10:00
night1rider fed375fcea SHAKE 128/256 callback wiring and tests, along with fix to devCTX initialization. 2026-06-22 13:35:37 -06:00
Aidan Garske 41fad5f307 Fix and expand tinytls13 footprint profile across CI configs
Make every --enable-tinytls13 spelling build and pass locally, and grow the
CI matrix to cover them. These are fixes found while testing the configs the
CI workflow had not actually exercised.

- internal.h, internal.c, ssl_load.c: include ML-DSA and Falcon in the
  pkCurveOID member and producer guards so the PSK plus ML-DSA build compiles.
- tls13.c: gate the DoTls13CertificateVerify definition on NO_CERTS to match
  its call site.
- settings.h: let the AES-256 adder survive the floor, default the
  user_settings path to the SHA-256 floor, make WOLFSSL_NO_MALLOC opt-in so
  the test suite still runs, and keep ML-DSA ASN.1 for the cert profile.
- configure.ac: drive ENABLED_ASM and emit WOLFSSL_NO_ASM for the small C
  floor, restrict SP math to P-256, strip ML-DSA ASN.1 only on the PSK floor,
  and print a notice for the reduced security cert verify.
- examples: guard the cert loading paths for NO_CERTS and treat NO_CERTS as
  PSK mode in echoserver and echoclient.
- Add examples/configs/tinytls13_smoke.c, an in memory TLS 1.3 handshake test
  that drives PSK, ECDSA, ML-DSA-65 and RSA-PSS chain verify, plus forced
  cipher suites, for builds with no example or unit test harness.
- certs: add ECDSA leaves signed by the ML-DSA-65 and RSA-PSS CAs so the cert
  profiles drive a real PQC and PSS chain verify in CI.
- .github/workflows/tinytls13.yml: cover every profile and adder, run the
  smoke handshake on the build verified configs, and least privilege the
  workflow token.
2026-06-22 12:08:58 -07:00
aidan garske 8bce9f0ead Add --enable-tinytls13 TLS 1.3-only footprint profile (PSK+ECDHE floor + minimal X.509) 2026-06-19 15:22:59 -07:00
David Garske c431ad63bd Add WOLFSSL_ASYNC_CERT_YIELD opt-in for per-certificate WC_PENDING_E yield during async TLS chain processing 2026-06-18 16:51:25 -07:00
David Garske c2a8f77f38 Merge pull request #10731 from julek-wolfssl/ci-cache-save-on-master
CI: only save dependency caches on master, restore on PRs
2026-06-18 08:51:14 -07:00
David Garske 6fcf188aba Merge pull request #10700 from julek-wolfssl/parallel-make-check-annotation-link
.github: link parallel-make-check.py annotations to the workflow file
2026-06-18 08:48:52 -07:00
Juliusz Sosinowicz 84d27741d5 CI: run PIC32MZ simulator test on ready_for_review
The draft guard skips the job on draft PRs, but the pull_request
trigger used the default types (no ready_for_review), so marking a
draft ready did not re-run the job and it stayed skipped. Add the
standard types, matching the other workflows, so it re-runs when the
PR becomes ready.
2026-06-18 14:21:35 +00:00
Juliusz Sosinowicz 708837a599 CI: skip PIC32MZ simulator test on draft PRs
Add the same draft-PR guard the other workflows use so the job does
not run while a pull request is still a draft.
2026-06-18 13:04:41 +00:00
Juliusz Sosinowicz 3dd04c818c CI: hand off mbedtls/nss build via artifact on cache miss
With the cache save restricted to master, a cold-cache PR or release
run can no longer restore in the test job what the build job just built
(the per-PR cache scope is gone), so mbedtls/nss were compiled twice.

Upload the build as an artifact on a cache miss and download it in the
test job instead of recompiling, matching the handoff hostap-vm already
uses. master still restores from the shared cache, so it never uses the
artifact.
2026-06-18 12:53:57 +00:00
Juliusz Sosinowicz 058f506407 CI: factor threadx NetXDuo version into NETXDUO_REF env var
The v6.4.3_rel version was repeated in the cache path, cache key,
download URL and extract command. Define it once as a workflow-level
env var and reference it everywhere.
2026-06-18 12:30:24 +00:00
Juliusz Sosinowicz 6c211be5b9 CI: only save dependency caches on master, restore on PRs
GitHub Actions caches are branch-scoped: an entry written by a
pull_request run lives under refs/pull/<N>/merge and is invisible to
other PRs. The haproxy, mbedtls, nss, ntp, threadx and hostap-vm
workflows used combined actions/cache with fixed keys, so every PR
re-saved its own copy of the same dependency, yielding one duplicate
cache entry per PR.

Split each into actions/cache/restore (always) plus actions/cache/save
gated to refs/heads/master, and add a daily schedule so a master run
reseeds the single shared entry that all PRs restore. mbedtls/nss save
in their build job only; the test jobs restore-only.

Disable the setup-msys2 package cache: the action only toggles caching
on/off and cannot save on master while restoring on PRs.
2026-06-18 11:37:29 +00:00
Juliusz Sosinowicz 611bf688f8 CI: harden ci-deps-image downloads against stalled mirror connections
A single stalled apt mirror connection hung the ubuntu-24.04-full /
ubuntu-22.04-full download for ~20 min (they normally finish in a few),
tripping the 20-min job timeout and leaving those tags stale. The per-package
retry() only re-runs on a non-zero exit, so a hang never tripped it.

- apt drops a stalled connection after 30s and retries it
  (Acquire::http/https::Timeout, Acquire::Retries).
- each apt-get is wrapped in `timeout` so a wedged process is hard-killed and
  retry() re-runs it from scratch.
- raise the build job timeout 20 -> 60 min as a final backstop.
2026-06-18 10:52:52 +00:00
Juliusz Sosinowicz d3659c74fd CI: move Arduino cores from actions/cache to ghcr bundles
arduino.yml's per-core actions/cache layer stored the installed cores and
toolchains (~/.arduino15) - several GB, dominated by the esp32 and mbed
cores - in the 10 GB Actions cache. For esp32 it was also ineffective: the
disk-cleanup step deletes the esp32 toolchain before actions/cache saves it,
so esp32 re-downloaded every run anyway.

- New arduino-cores-image workflow resolves each of the 9 distinct cores and
  publishes a tar of ~/.arduino15 + ~/Arduino/libraries to
  ghcr.io/<owner>/wolfssl-ci-arduino:<core>. It runs monthly: esp32, the
  fastest-moving core, releases ~monthly and the rest far less often.
- New install-arduino-core composite action restores that bundle offline and
  verifies the core is present, falling back to `arduino-cli core install`
  when the bundle is unavailable - so nothing breaks until the image is first
  published and made public.
- arduino.yml calls the action in place of the inline core install and the
  actions/cache step.

This takes the flaky espressif / esp8266.com / pjrc.com downloads off the PR
critical path and frees the Actions cache of the largest binaries it held.
2026-06-17 09:29:48 +00:00
Juliusz Sosinowicz 94a671bed8 CI: disable setup-alire's cache in the Ada workflow
setup-alire@v5 caches the gnat_native+gprbuild toolchain via actions/cache
(key alr[1][2.1.0][...]), holding ~1.26 GiB - 3x the 428 MiB toolchain, one
copy per ref - against the repo's 10 GiB cache cap. On a miss the toolchain
is only a ~17s pull from github.com (alire-project releases), so the cache
saved ~20-30s on a ~6.5min Ada job (dominated by gnatprove). Not worth the
space; install it fresh each run.
2026-06-17 09:29:48 +00:00
Juliusz Sosinowicz cfbfecb1bc CI: fail the linuxkm bundle build on any download error
Addresses PR review feedback. The kernel-tracking linuxkm bundle treated a
failed --download-only as a warning and still published, so a transient
mirror error could ship a partial bundle. Because the daily job skips
rebuilds while the kernel label matches, such a partial bundle would
persist until the kernel next changes (~monthly), forcing consumers to fall
back to apt the whole time.

The linuxkm set is small and entirely required, so resolve it as one
closure and let a failure fail the job; we push only on success, so the
last good bundle stays in place. The static -full/-minimal bundles keep
their per-package skip-and-warn - they serve many independent consumer
subsets and rebuild weekly, so maximizing coverage is the right trade-off
there.
2026-06-16 16:33:12 +00:00
Juliusz Sosinowicz 06e4ec9fe3 CI: install all apt deps from ghcr bundles
Extends the ghcr offline-install path to every install-apt-deps consumer
that was still on plain apt, and publishes the bundles they need.

New bundles built by ci-deps-image:
- ubuntu-24.04-embedded: the membrowse ARM cross-toolchain (~0.5 GB), kept
  out of -full so it does not bloat the interop workflows' pull.
- ubuntu-24.04-linuxkm: linux-headers-$(uname -r) + the kernel-module build
  toolchain. linux-headers tracks the runner's running kernel, so a daily
  job rebuilds it only when uname -r changed (recorded as an image label);
  a mismatch during a runner-image rollout just falls back to apt.

Consumers now passing ghcr-debs-tag:
- sssd -> ubuntu-24.04-full (its deps added to that list)
- hostap-vm -> ubuntu-22.04-full (its deps added to that list)
- membrowse targets -> ubuntu-24.04-embedded; the two linuxkm targets ->
  ubuntu-24.04-linuxkm (new per-target matrix.ghcr_tag)
- linuxkm.yml -> ubuntu-24.04-linuxkm (pinned to ubuntu-24.04 so the
  bundle's headers match the runner kernel)

Each consumer still falls back to apt when its bundle is unavailable, so
nothing breaks until ci-deps-image first publishes the new tags.
2026-06-16 15:22:36 +00:00
Juliusz Sosinowicz dd861af06f .github: link parallel-make-check.py annotations to the workflow file
A ::warning::/::error:: emitted with no file= property is pinned by GitHub
to the .github directory, whose blob URL is a directory listing - so the
stale-"minutes" annotations rendered with a dead source link and a line
number that points at nothing.

Derive the workflow file path from GITHUB_WORKFLOW_REF (owner/repo/path@ref)
and pass it as file= so the annotations link to the real workflow that
embeds the config list. Falls back to the previous fileless form off-CI or
when the ref is unavailable.
2026-06-16 14:53:35 +00:00
Juliusz Sosinowicz 2f50f8c968 CI: drop actions/cache apt-deps layer from install-apt-deps
The ci-cache-offload work added a ghcr .deb bundle path to
install-apt-deps, making the actions/cache apt-archive layer redundant.
Remove it so no apt-deps-* cache entries are produced. Apt packages now
install either offline from the ghcr bundle (when ghcr-debs-tag is set)
or via plain apt-get with the existing retry/backoff.

- Strip the Compute/Restore/Pre-seed/Collect/Save cache steps and the
  cache-hit fast path; drop the now-unused 'cache' input.
- Update callers that passed 'cache': membrowse-onboard, membrowse-report
  (and the apt_cache matrix key in membrowse-targets.json), and sssd.

The ghcr offline path and the ccache actions/cache usage are untouched.
2026-06-16 10:52:07 +00:00
Juliusz Sosinowicz 634ac9b6da CI: align branch-introduced actions with master's Node.js 24 bump
Rebasing onto master (which migrated JS actions to Node.js 24 runtimes)
left a few action refs that this branch added in new steps still on the
old major versions. Bring them in line with master:

- ccache-setup read-only restore:   actions/cache/restore@v4 -> @v5
- smoke-test / os-check ccache save: actions/cache/save@v4    -> @v5
- ci-deps-image checkout:            actions/checkout@v4       -> @v5
2026-06-15 22:39:56 +00:00
Juliusz Sosinowicz b8c008f3ac CI: address Skoll review (reseed coverage, ghcr owner, restore key)
- os-check.yml linux shard: add a schedule-gated CCACHE_RECACHE=1 step so
  the weekday seed reseeds from clean compiles rather than only accumulating
  deltas. This shard manages ccache directly (its own restore/save) and so
  was not covered by the ccache-setup composite's reseed.
- install-apt-deps: hardcode the ghcr bundle owner to wolfssl. The bundle is
  only published under ghcr.io/wolfssl by ci-deps-image, so fork PRs now read
  the public upstream image instead of a nonexistent ghcr.io/<fork>/wolfssl-ci-debs.
- ccache-setup: document that the read-only restore key reuses the save
  key shape for symmetry and is never an exact hit by design.

Skoll F3 (a packages-subset-of-bundle CI guard) is deferred to a follow-up;
F4 (release-branch ccache saves) is left as the intended seed-on-schedule /
everything-else-reads model.
2026-06-15 22:36:35 +00:00
Juliusz Sosinowicz 80a3e67ba3 CI: clarify ccache/apt-deps offload comments (Copilot review)
Tighten three pieces of documentation to match the implementation; no
behaviour change:

- install-apt-deps (ghcr-debs-tag description): the apt mirror is avoided
  only on the successful offline path. The offline install is a single
  --no-download install of the whole package set, so any miss (bundle
  absent/private/incomplete) falls back to the apt path.
- ci-deps-image header: each bundle is every requested package plus the
  dependencies not already present on the matching runner image - tied to
  that runner, not a portable/self-contained .deb closure.
- ci-deps-image schedule note: a package missing from the bundle fails the
  whole offline install (it is not per-package), falling back to the full
  apt path.
2026-06-15 22:36:35 +00:00