Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd21204

Author: kareem-wolfssl

.github/workflows/arduino.yml

@@ -94,11 +94,9 @@ jobs:
           - arduino:avr:nano
           - arduino:avr:uno
           - arduino:avr:yun
-          - arduino:samd:mkrwifi1010
           - arduino:samd:mkr1000
           - arduino:samd:mkrfox1200
           - arduino:mbed_edge:edge_control
-          - arduino:mbed_nano:nanorp2040connect
           - arduino:mbed_portenta:envie_m7
           - arduino:mbed_portenta:portenta_x8
           - arduino:renesas_uno:unor4wifi

.github/workflows/bind.yml

@@ -44,7 +44,7 @@ jobs:
       fail-fast: false
       matrix:
         # List of releases to test
-        ref: [ 9.18.0, 9.18.28, 9.18.33 ]
+        ref: [ 9.18.0, 9.18.28, 9.18.33, 9.20.11 ]
     name: ${{ matrix.ref }}
     if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-24.04
@@ -66,7 +66,7 @@ jobs:
           export DEBIAN_FRONTEND=noninteractive
           sudo apt-get update
           # hostap dependencies
-          sudo apt-get install -y libuv1-dev libnghttp2-dev libcap-dev libcmocka-dev
+          sudo apt-get install -y libuv1-dev libnghttp2-dev libcap-dev libcmocka-dev liburcu-dev
 
       - name: Checkout OSP
         uses: actions/checkout@v4

.github/workflows/msmtp.yml

@@ -0,0 +1,108 @@
+name: msmtp Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_wolfssl:
+    name: Build wolfSSL
+    # Just to keep it the same as the testing target
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-24.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 4
+    steps:
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: --enable-opensslextra --enable-opensslall
+          install: true
+
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
+      - name: Upload built lib
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolf-install-msmtp
+          path: build-dir.tgz
+          retention-days: 5
+
+  msmtp_check:
+    strategy:
+      fail-fast: false
+      matrix:
+        ref: [ 1.8.28 ]
+    name: ${{ matrix.ref }}
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-24.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 10
+    needs: build_wolfssl
+    steps:
+      - name: Download lib
+        uses: actions/download-artifact@v4
+        with:
+          name: wolf-install-msmtp
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
+
+      - name: Checkout OSP
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/osp
+          path: osp
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y \
+            autoconf automake libtool pkg-config gettext \
+            libidn2-dev libsecret-1-dev autopoint
+
+      - name: Checkout msmtp
+        uses: actions/checkout@v4
+        with:
+          repository: marlam/msmtp
+          ref: msmtp-${{ matrix.ref }}
+          path: msmtp-${{ matrix.ref }}
+
+      - name: Apply wolfSSL patch
+        working-directory: msmtp-${{ matrix.ref }}
+        run: patch -p1 < $GITHUB_WORKSPACE/osp/msmtp/${{ matrix.ref }}/wolfssl-msmtp-${{ matrix.ref }}.patch
+
+      - name: Regenerate build system
+        working-directory: msmtp-${{ matrix.ref }}
+        run: autoreconf -ivf
+
+      - name: Configure msmtp with wolfSSL
+        working-directory: msmtp-${{ matrix.ref }}
+        run: |
+          PKG_CONFIG_PATH=$GITHUB_WORKSPACE/build-dir/lib/pkgconfig \
+            ./configure --with-tls=wolfssl
+
+      - name: Build msmtp
+        working-directory: msmtp-${{ matrix.ref }}
+        run: make -j$(nproc)
+
+      - name: Run msmtp tests
+        working-directory: msmtp-${{ matrix.ref }}
+        run: LD_LIBRARY_PATH=$GITHUB_WORKSPACE/build-dir/lib make check
+
+      - name: Confirm msmtp built with wolfSSL
+        run: ldd msmtp-${{ matrix.ref }}/src/msmtp | grep wolfssl
+
+      - name: Print test logs on failure
+        if: ${{ failure() }}
+        run: tail -n +1 msmtp-${{ matrix.ref }}/tests/*.log

.github/workflows/nginx.yml

@@ -12,6 +12,10 @@ concurrency:
   cancel-in-progress: true
 # END OF COMMON SECTION
 
+# clang has better sanitizer support
+env:
+  CC: clang
+
 jobs:
   build_wolfssl:
     name: Build wolfSSL
@@ -31,7 +35,8 @@ jobs:
         uses: wolfSSL/actions-build-autotools-project@v1
         with:
           path: wolfssl
-          configure: --enable-nginx ${{ env.wolf_debug_flags }}
+          configure: >-
+            --enable-nginx --enable-curve25519 --enable-ed25519 ${{ env.wolf_debug_flags }}
           install: true
 
       - name: tar build-dir
@@ -50,6 +55,41 @@ jobs:
       matrix:
         include:
           # in general we want to pass all tests that match *ssl*
+          - ref: 1.28.1
+            test-ref: 0fccfcef1278263416043e0bbb3e0116b84026e4
+            # Following tests pass with sanitizer on
+            sanitize-ok: >-
+              h2_ssl_proxy_cache.t h2_ssl.t h2_ssl_variables.t
+              h2_ssl_verify_client.t mail_imap_ssl.t mail_ssl_session_reuse.t
+              mail_ssl.t proxy_ssl_certificate_cache.t
+              proxy_ssl_certificate_empty.t proxy_ssl_certificate.t
+              proxy_ssl_certificate_vars.t proxy_ssl_name.t ssl_cache_reload.t
+              ssl_certificate_aux.t ssl_certificate_cache.t
+              ssl_certificate_chain.t ssl_certificates.t ssl_certificate.t
+              ssl_client_escaped_cert.t ssl_crl.t ssl_curve.t ssl_ocsp.t
+              ssl_password_file.t ssl_proxy_upgrade.t ssl_reject_handshake.t
+              ssl_session_reuse.t ssl_session_ticket_key.t ssl_sni_protocols.t
+              ssl_sni_reneg.t ssl_sni_sessions.t ssl_sni.t ssl_stapling.t ssl.t
+              ssl_verify_client.t ssl_verify_client_trusted.t ssl_verify_depth.t
+              stream_proxy_ssl_certificate_cache.t stream_proxy_ssl_certificate.t
+              stream_proxy_ssl_certificate_vars.t
+              stream_proxy_ssl_name_complex.t stream_proxy_ssl_name.t
+              stream_ssl_alpn.t stream_ssl_certificate_cache.t
+              stream_ssl_certificate.t stream_ssl_ocsp.t stream_ssl_preread_alpn.t
+              stream_ssl_preread_protocol.t stream_ssl_preread.t
+              stream_ssl_reject_handshake.t stream_ssl_session_reuse.t
+              stream_ssl_sni_protocols.t stream_ssl_stapling.t stream_ssl.t
+              stream_ssl_variables.t stream_ssl_verify_client.t
+              stream_upstream_zone_ssl.t upstream_zone_ssl.t
+              uwsgi_ssl_certificate.t uwsgi_ssl_certificate_vars.t
+            # Following tests do not pass with sanitizer on (with OpenSSL too)
+            sanitize-not-ok: >-
+              grpc_ssl.t h2_proxy_request_buffering_ssl.t h2_proxy_ssl.t
+              proxy_request_buffering_ssl.t proxy_ssl_conf_command.t
+              proxy_ssl_keepalive.t proxy_ssl.t proxy_ssl_verify.t ssl_cache.t
+              stream_proxy_protocol_ssl.t stream_proxy_ssl_conf_command.t
+              stream_proxy_ssl.t stream_proxy_ssl_verify.t
+
           - ref: 1.25.0
             test-ref: 5b2894ea1afd01a26c589ce11f310df118e42592
             # Following tests pass with sanitizer on
@@ -120,30 +160,19 @@ jobs:
       - name: untar build-dir
         run: tar -xf build-dir.tgz
 
-      - name: Install dependencies
-        run: |
-          sudo cpan -iT Proc::Find
+      - name: Openssl version
+        run: openssl version -a
 
-      # Locking in the version of SSLeay used with testing
-      - name: Download and install Net::SSLeay 1.94 manually
-        run: |
-          curl -LO https://www.cpan.org/modules/by-module/Net/CHRISN/Net-SSLeay-1.94.tar.gz
-          tar -xzf Net-SSLeay-1.94.tar.gz
-          cd Net-SSLeay-1.94
-          perl Makefile.PL
-          make
-          sudo make install
+      - name: Setup Perl environment
+        uses: shogo82148/actions-setup-perl@v1
+        with:
+          perl-version: '5.38.2'
 
       # SSL version 2.091 changes '' return to undef causing test case to fail.
       # Locking in the test version to use as 2.090
-      - name: Download and install IO::Socket::SSL 2.090 manually
+      - name: Install dependencies
         run: |
-          curl -LO https://www.cpan.org/modules/by-module/IO/IO-Socket-SSL-2.090.tar.gz
-          tar -xzf IO-Socket-SSL-2.090.tar.gz
-          cd IO-Socket-SSL-2.090
-          perl Makefile.PL
-          make
-          sudo make install
+          cpanm --notest Proc::Find Net::SSLeay@1.94 IO::Socket::SSL@2.090
 
       - name: Checkout wolfssl-nginx
         uses: actions/checkout@v4
@@ -211,10 +240,6 @@ jobs:
         run: |
           echo "nginx_c_flags=-O0" >> $GITHUB_ENV
 
-      - name: workaround high-entropy ASLR
-        # not needed after either an update to llvm or runner is done
-        run: sudo sysctl vm.mmap_rnd_bits=28
-
       - name: Build nginx with sanitizer
         working-directory: nginx
         run: |
@@ -229,19 +254,16 @@ jobs:
         working-directory: nginx
         run: ldd objs/nginx | grep wolfssl
 
-      - if: ${{ runner.debug }}
-        name: Run nginx-tests with sanitizer (debug)
+      - name: Create LSAN suppression file
         working-directory: nginx-tests
         run: |
-          LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
-          TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y \
-          TEST_NGINX_BINARY=../nginx/objs/nginx prove -v ${{ matrix.sanitize-ok }}
+          echo "leak:ngx_worker_process_init" > lsan.supp
 
       - if: ${{ !runner.debug }}
         name: Run nginx-tests with sanitizer
         working-directory: nginx-tests
         run: |
           LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
+            LSAN_OPTIONS=suppressions=$GITHUB_WORKSPACE/nginx-tests/lsan.supp \
             TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_BINARY=../nginx/objs/nginx \
             prove ${{ matrix.sanitize-ok }}
-

.github/workflows/no-malloc.yml

@@ -19,6 +19,8 @@ jobs:
         config: [
           # Add new configs here
           '--enable-rsa --enable-keygen --disable-dh CFLAGS="-DWOLFSSL_NO_MALLOC -DRSA_MIN_SIZE=1024 -pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
+          '--enable-ecc --enable-rsa --enable-keygen --enable-ed25519 --enable-curve25519 --enable-ed448 --enable-curve448 --enable-mlkem CFLAGS="-DWOLFSSL_NO_MALLOC -pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
+          '--enable-ecc --enable-rsa --enable-keygen --enable-ed25519 --enable-curve25519 --enable-ed448 --enable-curve448 --enable-mlkem --enable-staticmemory CFLAGS="-DWOLFSSL_NO_MALLOC -pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
         ]
     name: make check
     if: github.repository_owner == 'wolfssl'

.github/workflows/os-check.yml

@@ -53,6 +53,8 @@ jobs:
           '--enable-opensslall --enable-opensslextra CPPFLAGS=-DWC_RNG_SEED_CB',
           '--enable-opensslall --enable-opensslextra
             CPPFLAGS=''-DWC_RNG_SEED_CB -DWOLFSSL_NO_GETPID'' ',
+          # PKCS#7 with RSA-PSS (CMS RSASSA-PSS signers)
+          '--enable-pkcs7 CPPFLAGS=-DWC_RSA_PSS',
           '--enable-opensslextra CPPFLAGS=''-DWOLFSSL_NO_CA_NAMES'' ',
           '--enable-opensslextra=x509small',
           'CPPFLAGS=''-DWOLFSSL_EXTRA'' ',

.github/workflows/rust-wrapper.yml

@@ -38,6 +38,7 @@ jobs:
           # Add new configs here
           '',
           '--enable-all',
+          '--enable-all --enable-dilithium',
           '--enable-cryptonly --disable-examples',
           '--enable-cryptonly --disable-examples --disable-aes --disable-aesgcm',
           '--enable-cryptonly --disable-examples --disable-aescbc',

.github/workflows/socat.yml

@@ -23,7 +23,7 @@ jobs:
         uses: wolfSSL/actions-build-autotools-project@v1
         with:
           path: wolfssl
-          configure: --enable-maxfragment --enable-opensslall --enable-opensslextra --enable-dtls --enable-oldtls --enable-tlsv10 --enable-ipv6 'CPPFLAGS=-DWOLFSSL_NO_DTLS_SIZE_CHECK -DOPENSSL_COMPATIBLE_DEFAULTS'
+          configure: --enable-all --enable-oldtls --enable-tlsv10 --enable-ipv6 'CPPFLAGS=-DWOLFSSL_NO_DTLS_SIZE_CHECK -DOPENSSL_COMPATIBLE_DEFAULTS'
           install: true
 
       - name: tar build-dir
@@ -43,6 +43,14 @@ jobs:
     # This should be a safe limit for the tests to run.
     timeout-minutes: 30
     needs: build_wolfssl
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - socat_version: "1.8.0.0"
+            expect_fail: "36,64,146,216,309,310,386,399,402,403,459,460,467,468,475,478,491,492,528"
+          - socat_version: "1.8.0.3"
+            expect_fail: "146,386,399,402,459,460,467,468,475,478,491,492,495,528"
     steps:
       - name: Install prereqs
         run:
@@ -57,7 +65,7 @@ jobs:
         run: tar -xf build-dir.tgz
 
       - name: Download socat
-        run: curl -O http://www.dest-unreach.org/socat/download/socat-1.8.0.0.tar.gz && tar xvf socat-1.8.0.0.tar.gz
+        run: curl -O http://www.dest-unreach.org/socat/download/socat-${{ matrix.socat_version }}.tar.gz && tar xvf socat-${{ matrix.socat_version }}.tar.gz
 
       - name: Checkout OSP
         uses: actions/checkout@v4
@@ -66,16 +74,16 @@ jobs:
           path: osp
 
       - name: Build socat
-        working-directory: ./socat-1.8.0.0
+        working-directory: ./socat-${{ matrix.socat_version }}
         run: |
-          patch -p1 < ../osp/socat/1.8.0.0/socat-1.8.0.0.patch
+          patch -p1 < ../osp/socat/${{ matrix.socat_version }}/socat-${{ matrix.socat_version }}.patch
           autoreconf -vfi
           ./configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir --enable-default-ipv=4
           make
 
       - name: Run socat tests
-        working-directory: ./socat-1.8.0.0
+        working-directory: ./socat-${{ matrix.socat_version }}
         run: |
           export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH
           export SHELL=/bin/bash
-          SOCAT=$GITHUB_WORKSPACE/socat-1.8.0.0/socat ./test.sh -t 0.5 --expect-fail 36,64,146,214,216,217,309,310,386,399,402,403,459,460,467,468,475,478,492,528,530
+          SOCAT=$GITHUB_WORKSPACE/socat-${{ matrix.socat_version }}/socat ./test.sh -t 0.5 --expect-fail ${{ matrix.expect_fail }}

.github/workflows/sssd.yml

@@ -44,7 +44,7 @@ jobs:
       fail-fast: false
       matrix:
         # List of releases to test
-        ref: [ 2.9.1 ]
+        ref: [ 2.9.1, 2.10.2 ]
     name: ${{ matrix.ref }}
     if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-24.04
@@ -61,7 +61,8 @@ jobs:
           # Don't prompt for anything
           export DEBIAN_FRONTEND=noninteractive
           sudo apt-get update
-          sudo apt-get install -y build-essential autoconf libldb-dev libldb2 python3-ldb bc
+          sudo apt-get install -y build-essential autoconf libldb-dev \
+            libldb2 python3-ldb bc libcap-dev
 
       - name: Setup env
         run: |

.wolfssl_known_macro_extras

@@ -220,6 +220,7 @@ ENABLED_BSDKM_REGISTER
 ENABLE_SECURE_SOCKETS_LOGS
 ESP32
 ESP8266
+ESPIPE
 ESP_ENABLE_WOLFSSH
 ESP_IDF_VERSION
 ESP_IDF_VERSION_MAJOR
@@ -367,6 +368,7 @@ NO_ASM
 NO_ASN_OLD_TYPE_NAMES
 NO_CAMELLIA_CBC
 NO_CERT
+NO_CERT_IN_TICKET
 NO_CIPHER_SUITE_ALIASES
 NO_CLIENT_CACHE
 NO_CLOCK_SPEEDUP
@@ -1094,6 +1096,7 @@ __clang_major__
 __cplusplus
 __ghc__
 __ghs__
+__has_attribute
 __hpux__
 __i386
 __i386__