Skip to content

20260424-fixes#10308

Merged
dgarske merged 13 commits intowolfSSL:masterfrom
douzzer:20260424-fixes
Apr 25, 2026
Merged

20260424-fixes#10308
dgarske merged 13 commits intowolfSSL:masterfrom
douzzer:20260424-fixes

Conversation

@douzzer
Copy link
Copy Markdown
Contributor

@douzzer douzzer commented Apr 24, 2026

linuxkm/lkcapi_ecdsa_glue.c: in km_ecdsa_verify(), add checks on hash_len following pattern of #10131, before calling wc_ecc_verify_hash(), for defense-in-depth.

tests/api.c: fix -Wnull-dereferences in wolfSSL_UseSecureRenegotiation().

tests/api/test_pkcs7.c: in test_wc_PKCS7_BER(), in expected-failure wc_PKCS7_DecodeEnvelopedData() in WOLFSSL_SP_MATH build, allow failure with either WC_KEY_SIZE_E or BUFFER_E, to accommodate blinding added by #10128 / 589feab.

wolfcrypt/test/test.c and wolfcrypt/test/test.h: fix gating for dsa_test() and srp_test() prototypes to avoid -Wunused-function in --enable-sp-math builds.

.github/workflows/:

  • add -Wnull-dereference to all existing -pedantic -Wdeclaration-after-statement configs;
  • add an --enable-sp-math config to .github/workflows/pq-all.yml and .github/workflows/multi-arch.yml.

wolfcrypt/test/test.c: in random_bank_test(), accommodate WOLFSSL_DRBG_SHA512 in the WC_RNG_BANK_FLAG_NO_VECTOR_OPS test;

linuxkm/lkcapi_sha_glue.c: in wc_mix_pool_bytes(), accommodate WOLFSSL_DRBG_SHA512.

wolfssl/wolfcrypt/random.h: fix "comma at end of enumerator list [-Werror=pedantic]" in enum wc_DrbgType.

configure.ac:

  • allow for fips-dev in v7|ready|dev ENABLED_SHA256_DRBG and ENABLED_SHA512_DRBG setup, and change from AC_MSG_WARN to AC_MSG_ERROR if user tries to disable outside fips-dev;
  • set ENABLED_SHA512_DRBG=no in lean-aesgcm setup;

wolfcrypt/test/test.c: suppress concurrency-mt-unsafe in myFipsCb();

.wolfssl_known_macro_extras: fix lexical order.

tested with

wolfssl-multi-test.sh ...
super-quick-check
linuxkm-legacy-6.12-insmod
quantum-safe-fips-dev-wolfssl-all-noasm-stack-sizes-linuxkm-6.12
'.*cust-kernel-2.*'
all-gcc-c99
check-source-text
all-crypt-sp-math-vector-register-access
lean-fips-dev-clang-tidy
lean-fips-dev-sanitizer
linuxkm-6.15-all-cryptonly-quantum-safe-fips-dev-intelasm-insmod-crypto-fuzzer-ksan
quantum-safe-wolfssl-all-crypto-only-intelasm-sp-asm-fips-dev-linuxkm-next-insmod

wolfSSL-Fenrir-bot
wolfSSL-Fenrir-bot reviewed Apr 24, 2026
View reviewed changes
Copy link
Copy Markdown

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #10308

Scan targets checked: linuxkm-bugs, linuxkm-src

No new issues found in the changed files. ✅

kaleb-himes
kaleb-himes reviewed Apr 24, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@kaleb-himes kaleb-himes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. configure.ac: I see, replacing the "warn then override attempt to disable drbg at configure time" with "honor the request to disable with a build error", that's actually more in line with historical patterns. Good change.

  2. I'm pretty sure WC_MIN_DIGEST_SIZE is defined for lkcapi_ecdsa_glue.c but if not in all cases I could see that causing build issues eventually. Noteworthy but not PR holdup worthy.

  3. test_pkcs7.c ~ line 4580 accepts two error conditions now, the original only expected WC_KEY_SIZE_E, could hide a regression someday with the || logic (what if WC_KEY_SIZE_E never returns in some future PR we'd lose it and not know it). Shifting error codes, note-worthy, not PR hold up worthy.

Comment thread .github/workflows/opensslcoexist.yml Outdated
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 24, 2026
edited
Loading

MemBrowse Memory Report

No memory changes detected for:

@douzzer
Copy link
Copy Markdown
Contributor Author

douzzer commented Apr 24, 2026

retest this please
(tooling glitch in Visual Studio Build Test)

@douzzer
Copy link
Copy Markdown
Contributor Author

douzzer commented Apr 25, 2026

note, hostap and OpenVPN test failures appear to be unrelated to this PR (present in master).

@douzzer
Copy link
Copy Markdown
Contributor Author

douzzer commented Apr 25, 2026

note, this PR contains critical test layer fixes for #9843

douzzer added 13 commits April 25, 2026 11:47
@douzzer
linuxkm/lkcapi_ecdsa_glue.c: in km_ecdsa_verify(), add checks on hash…
6c9e0ea 
…_len following pattern of wolfSSL#10131, before calling wc_ecc_verify_hash(), for defense-in-depth.
@douzzer
tests/api.c: fix -Wnull-dereferences in wolfSSL_UseSecureRenegotiatio…
1f1b572 
…n().
@douzzer
tests/api/test_pkcs7.c: in test_wc_PKCS7_BER(), in expected-failure w…
91f66fb 
…c_PKCS7_DecodeEnvelopedData() in WOLFSSL_SP_MATH build, allow failure with either WC_KEY_SIZE_E or BUFFER_E, to accommodate blinding added by wolfSSL#10128 / 589feab.
@douzzer
wolfcrypt/test/test.c and wolfcrypt/test/test.h: fix gating for dsa_t…
91c7c8f 
…est() and srp_test() prototypes to avoid -Wunused-function in --enable-sp-math builds.
@douzzer
.github/workflows/:
d14b8f8 
* add "-Wnull-dereference" to all existing "-pedantic -Wdeclaration-after-statement" configs;
* add an --enable-sp-math config to .github/workflows/pq-all.yml and .github/workflows/multi-arch.yml.
@douzzer
wolfcrypt/test/test.c: in random_bank_test(), accommodate WOLFSSL_DRB…
b79221a 
…G_SHA512 in the WC_RNG_BANK_FLAG_NO_VECTOR_OPS test;

linuxkm/lkcapi_sha_glue.c: in wc_mix_pool_bytes(), accommodate WOLFSSL_DRBG_SHA512.
@douzzer
wolfssl/wolfcrypt/random.h: fix "comma at end of enumerator list [-We…
72a39bf 
…rror=pedantic]" in enum wc_DrbgType.
@douzzer
configure.ac:
363bb0e 
* allow for fips-dev in v7|ready|dev ENABLED_SHA256_DRBG and ENABLED_SHA512_DRBG setup and change from AC_MSG_WARN to AC_MSG_ERROR if user tries to disable outside fips-dev;
* set ENABLED_SHA512_DRBG=no in lean-aesgcm setup;

wolfcrypt/test/test.c: suppress concurrency-mt-unsafe in myFipsCb();

 .wolfssl_known_macro_extras: fix lexical order.
@douzzer
src/ssl_load.c: fix -Wnull-dereference in wolfssl_ctx_set_tmp_dh() (d…
df486d8 
…etected by armel build);

.github/workflows/pq-all.yml: for the --enable-sp-math scenario, --disable-quic (QUIC unit tests fail on that combo);

wolfcrypt/test/test.c: add WC_MAYBE_UNUSED to ecdsa_test_deterministic_k_rs(), to fix armel sp-math build.
@douzzer
tests/api.c: fix false-positive -Wmaybe-uninitialized in test_wolfSSL…
aab90d7 
…_clear_secure_renegotiation() with --enable-all CFLAGS=-Og.
@douzzer
.github/workflows/: add -Wnull-dereferences to a few -pedantic scenar…
caffc45 
…ios missed in the first pass.
@douzzer
configure.ac: for FIPS v6 setup, explicitly set WOLFSSL_NOSHA512_224 …
0bfa206 
…and WOLFSSL_NOSHA512_256;

wolfssl/wolfcrypt/hash.h: when WOLFSSL_NOSHA512_{224,256}, gate out prototypes for wc_Sha512_{224,256}Hash[_ex](), to shift build failures from link-time to compile-time.
@douzzer
configure.ac: fix to allow SHAKE force-off FIPS lean-aesgcm setup.
6040cd7
@dgarske dgarske merged commit 6074a2d into wolfSSL:master Apr 25, 2026
461 of 463 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kaleb-himes kaleb-himes kaleb-himes left review comments

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left review comments

@dgarske dgarske dgarske approved these changes

@Frauschi Frauschi Awaiting requested review from Frauschi

@philljj philljj Awaiting requested review from philljj

Assignees

@wolfSSL-Bot wolfSSL-Bot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@douzzer @dgarske @kaleb-himes @wolfSSL-Fenrir-bot @wolfSSL-Bot