Merge remote-tracking branch 'origin/master' into PQC

# Conflicts:
#	doc/dox_comments/header_files/doxygen_pages.h

Author: kojo1

.editorconfig

@@ -8,3 +8,6 @@ end_of_line = lf
 charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true
+
+[*.{ads,adb,gpr}]
+indent_size = 3

.github/workflows/ada.yml

@@ -15,20 +15,59 @@ jobs:
     steps:
     - uses: actions/checkout@master
 
-    - name: Install gnat
+    - name: Install alire
+      uses: alire-project/setup-alire@v5
+
+    - name: Install wolfssl Ada
+      working-directory: ./wrapper/Ada
+      run: alr install
+
+    - name: Build default.gpr
+      working-directory: ./wrapper/Ada
+      run: alr exec -- gprbuild default.gpr -j$(nproc)
+
+    - name: Run Ada wrapper tests
+      working-directory: ./wrapper/Ada/tests
+      run: alr run
+
+    - name: Run Ada examples
+      id: examples
+      working-directory: ./wrapper/Ada/examples
       run: |
-        sudo apt-get update
-        sudo apt-get install -y gnat gprbuild
+        alr build
+
+        echo "Running sha256_main example..."
+        alr run sha256_main
 
-    - name: Checkout wolfssl
-      uses: actions/checkout@master
-      with:
-        repository: wolfssl/wolfssl
-        path: wolfssl
+        echo "Running aes_verify_main example..."
+        alr run aes_verify_main
 
-    - name: Build wolfssl Ada
-      working-directory: ./wolfssl/wrapper/Ada
+        echo "Running rsa_verify_main example..."
+        alr run rsa_verify_main
+
+        echo "Running TLS server/client example..."
+        alr run tls_server_main &> server.log &
+        SERVER_PID=$!
+        sleep 1
+        echo "test message" | alr run tls_client_main --args=127.0.0.1
+        kill $SERVER_PID || true
+
+    - name: show errors
+      if: ${{ failure() && steps.examples.outcome == 'failure' }}
+      run: cat ./wrapper/Ada/examples/server.log
+
+    - name: Run Ada wrapper tests (valgrind)
+      working-directory: ./wrapper/Ada/tests
       run: |
-        mkdir obj
-        gprbuild default.gpr
-        gprbuild examples.gpr
+        sudo apt-get update
+        sudo apt-get install -y valgrind
+        valgrind --leak-check=full --error-exitcode=1 \
+          --suppressions=valgrind.supp ./bin/tests
+
+    - name: Run gnatprove on wolfssl
+      working-directory: ./wrapper/Ada
+      run: alr gnatprove --level=4 -P wolfssl.gpr -j 0 --warnings=error --checks-as-errors --proof-warnings -U
+
+    - name: Run gnatprove on examples
+      working-directory: ./wrapper/Ada/examples
+      run: alr gnatprove --level=4 -P examples.gpr -j 0 --warnings=error --checks-as-errors --proof-warnings -U

.github/workflows/async-examples.yml

@@ -0,0 +1,104 @@
+name: Async Examples
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  async_examples:
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    strategy:
+      fail-fast: false
+      matrix:
+        extra_cflags:
+          - ''
+          - '-DWOLFSSL_SMALL_CERT_VERIFY'
+          - '-DWOLFSSL_STATIC_MEMORY'
+    name: Async Examples (${{ matrix.extra_cflags || 'default' }})
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout wolfSSL
+
+      - name: Build async examples (no configure)
+        run: |
+          make -C examples/async clean
+          make -C examples/async EXTRA_CFLAGS="${{ matrix.extra_cflags }}"
+
+      - name: Run async examples
+        run: |
+          set -euo pipefail
+
+          MIN_PENDING=100
+
+          run_pair() {
+            local label="$1"
+            shift
+            local args="$*"
+            local ready="/tmp/wolfssl_async_ready_${label}"
+            rm -f "$ready"
+
+            WOLFSSL_ASYNC_READYFILE="$ready" \
+              ./examples/async/async_server $args \
+              > "/tmp/async_server_${label}.log" 2>&1 &
+            local pid=$!
+
+            WOLFSSL_ASYNC_READYFILE="$ready" \
+              ./examples/async/async_client $args 127.0.0.1 11111 \
+              > "/tmp/async_client_${label}.log" 2>&1
+            local rc=$?
+
+            kill "$pid" >/dev/null 2>&1 || true
+            wait "$pid" >/dev/null 2>&1 || true
+
+            if [ "$rc" -ne 0 ]; then
+              echo "FAIL: $label (exit=$rc)"
+              return 1
+            fi
+
+            # Validate WC_PENDING_E count is a proper value
+            local count
+            count=$(awk '/WC_PENDING_E count:/ {print $NF}' \
+              "/tmp/async_client_${label}.log")
+            if [ -z "$count" ] || [ "$count" -lt "$MIN_PENDING" ]; then
+              echo "FAIL: $label - WC_PENDING_E count too low:" \
+                "${count:-missing} (expected >= $MIN_PENDING)"
+              return 1
+            fi
+            echo "PASS: $label (WC_PENDING_E: $count)"
+            return 0
+          }
+
+          # TLS 1.3
+          run_pair ecc_tls13              --ecc
+          run_pair x25519_tls13           --x25519
+
+          # TLS 1.2
+          run_pair ecc_tls12              --tls12 --ecc
+          run_pair x25519_tls12           --tls12 --x25519
+
+          # TLS 1.3 mutual auth
+          run_pair ecc_tls13_mutual       --mutual --ecc
+          run_pair x25519_tls13_mutual    --mutual --x25519
+
+          # TLS 1.2 mutual auth
+          run_pair ecc_tls12_mutual       --mutual --tls12 --ecc
+          run_pair x25519_tls12_mutual    --mutual --tls12 --x25519
+
+
+      - name: Print async logs
+        if: ${{ failure() }}
+        run: |
+          for f in /tmp/async_server_*.log /tmp/async_client_*.log; do
+            if [ -f "$f" ]; then
+              echo "==> $f"
+              cat "$f"
+            fi
+          done

.github/workflows/async.yml

@@ -24,7 +24,7 @@ jobs:
         ]
     name: make check
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 6
     steps:

.github/workflows/bind.yml

@@ -17,7 +17,7 @@ jobs:
     name: Build wolfSSL
     if: github.repository_owner == 'wolfssl'
     # Just to keep it the same as the testing target
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
     steps:
@@ -47,7 +47,7 @@ jobs:
         ref: [ 9.18.0, 9.18.28, 9.18.33 ]
     name: ${{ matrix.ref }}
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 10
     needs: build_wolfssl

.github/workflows/cmake-autoconf.yml

@@ -0,0 +1,41 @@
+name: WolfSSL CMake Autoconf Interworking Test
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+  build:
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+
+    steps:
+# pull wolfSSL
+    - uses: actions/checkout@v4
+
+# install cmake and autotools
+    - name: Install cmake
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y cmake autoconf automake libtool
+
+# build and install wolfssl via autotools for CMake consumer test
+    - name: Build wolfssl with autotools
+      run: |
+        ./autogen.sh
+        ./configure --prefix="$GITHUB_WORKSPACE/install-autoconf" --enable-all
+        make -j $(nproc)
+        make install
+
+# CMake consumer test using the autotools install
+    - name: CMake consumer test (autotools install)
+      run: |
+        mkdir -p cmake/consumer/build
+        cd cmake/consumer/build
+        cmake -DCMAKE_PREFIX_PATH="$GITHUB_WORKSPACE/install-autoconf" ..
+        cmake --build .
+        ./wolfssl_consumer
+        cd ..
+        rm -rf build

.github/workflows/cmake.yml

@@ -13,32 +13,24 @@ jobs:
 
     steps:
 # pull wolfSSL
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v4
 
 # install cmake
     - name: Install cmake
       run: |
         sudo apt-get update
         sudo apt-get install -y cmake
 
-# pull wolfssl
-    - name: Checkout wolfssl
-      uses: actions/checkout@master
-      with:
-        repository: wolfssl/wolfssl
-        path: wolfssl
-
 # build wolfssl
     - name: Build wolfssl
-      working-directory: ./wolfssl
       run: |
         mkdir build
         cd build
         cmake -DCMAKE_VERBOSE_MAKEFILE:BOOL=ON -DWOLFSSL_INSTALL=yes -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" \
             -DWOLFSSL_16BIT:BOOL=no -DWOLFSSL_32BIT:BOOL=no -DWOLFSSL_AES:BOOL=yes \
-            -DWOLFSSL_AESCBC:BOOL=yes -DWOLFSSL_AESCCM:BOOL=yes -DWOLFSSL_AESCFB:BOOL=yes \
+            -DWOLFSSL_AESCBC:BOOL=yes -DWOLFSSL_AESCCM:BOOL=yes -DWOLFSSL_AESCFB:BOOL=yes -DWOLFSSL_AESECB:BOOL=yes \
             -DWOLFSSL_AESCTR:BOOL=yes -DWOLFSSL_AESGCM:STRING=yes -DWOLFSSL_AESKEYWRAP:BOOL=yes \
-            -DWOLFSSL_AESOFB:BOOL=yes -DWOLFSSL_AESSIV:BOOL=yes -DWOLFSSL_ALIGN_DATA:BOOL=yes \
+            -DWOLFSSL_AESOFB:BOOL=yes -DWOLFSSL_AESCTS:BOOL=yes -DWOLFSSL_AESSIV:BOOL=yes -DWOLFSSL_ALIGN_DATA:BOOL=yes \
             -DWOLFSSL_ALPN:BOOL=ON -DWOLFSSL_ALT_CERT_CHAINS:BOOL=ON -DWOLFSSL_ARC4:BOOL=yes \
             -DWOLFSSL_ARIA:BOOL=no -DWOLFSSL_ASIO:BOOL=no -DWOLFSSL_ASM:BOOL=yes -DWOLFSSL_ASN:BOOL=yes \
             -DWOLFSSL_ASYNC_THREADS:BOOL=no -DWOLFSSL_BASE64_ENCODE:BOOL=yes -DWOLFSSL_CAAM:BOOL=no \
@@ -51,7 +43,7 @@ jobs:
             -DWOLFSSL_CURVE448:STRING=yes -DWOLFSSL_DEBUG:BOOL=yes -DWOLFSSL_DES3:BOOL=ON \
             -DWOLFSSL_DES3_TLS_SUITES:BOOL=no -DWOLFSSL_DH:STRING=yes -DWOLFSSL_DH_DEFAULT_PARAMS:BOOL=yes \
             -DWOLFSSL_DSA:BOOL=yes -DWOLFSSL_DTLS:BOOL=ON -DWOLFSSL_DTLS13:BOOL=yes \
-            -DWOLFSSL_DTLS_CID:BOOL=yes -DWOLFSSL_ECC:STRING=yes \
+            -DWOLFSSL_DTLS_CID:BOOL=yes -DWOLFSSL_DTLS_CH_FRAG:BOOL=yes -DWOLFSSL_ECC:STRING=yes \
             -DWOLFSSL_ECCCUSTCURVES:STRING=all -DWOLFSSL_ECCSHAMIR:BOOL=yes \
             -DWOLFSSL_ECH:BOOL=yes -DWOLFSSL_ED25519:BOOL=yes -DWOLFSSL_ED448:STRING=yes \
             -DWOLFSSL_ENCKEYS:BOOL=yes -DWOLFSSL_ENC_THEN_MAC:BOOL=yes -DWOLFSSL_ERROR_QUEUE:BOOL=yes \
@@ -78,8 +70,9 @@ jobs:
             -DWOLFSSL_TLSX:BOOL=yes -DWOLFSSL_TPM:BOOL=yes -DWOLFSSL_CLU:BOOL=yes -DWOLFSSL_USER_SETTINGS:BOOL=no \
             -DWOLFSSL_USER_SETTINGS_ASM:BOOL=no -DWOLFSSL_WOLFSSH:BOOL=ON -DWOLFSSL_X86_64_BUILD_ASM:BOOL=yes \
             -DWOLFSSL_MLKEM=1 -DWOLFSSL_LMS=1 -DWOLFSSL_LMSSHA256192=1 -DWOLFSSL_EXPERIMENTAL=1 \
-            -DWOLFSSL_X963KDF:BOOL=yes \
-            -DCMAKE_C_FLAGS="-DWOLFSSL_DTLS_CH_FRAG" \
+            -DWOLFSSL_X963KDF:BOOL=yes -DWOLFSSL_DILITHIUM:BOOL=yes -DWOLFSSL_PKCS11:BOOL=yes \
+            -DWOLFSSL_ECCSI:BOOL=yes -DWOLFSSL_SAKKE:BOOL=yes -DWOLFSSL_SIPHASH:BOOL=yes \
+            -DWOLFSSL_WC_RSA_DIRECT:BOOL=yes -DWOLFSSL_PUBLIC_MP:BOOL=yes \
             ..
         cmake --build .
         ctest -j $(nproc)
@@ -89,12 +82,8 @@ jobs:
         cd ..
         rm -rf build
 
-        # Kyber Cmake broken
-        # -DWOLFSSL_KYBER:BOOL=yes
-
 # build "lean-tls" wolfssl
     - name: Build wolfssl with lean-tls
-      working-directory: ./wolfssl
       run: |
         mkdir build
         cd build
@@ -107,3 +96,21 @@ jobs:
         # clean up
         cd ..
         rm -rf build
+
+# CMake build with user_settings.h
+    - name: Build wolfssl with user_settings.h
+      run: |
+        mkdir build
+        cp examples/configs/user_settings_all.h ./build/user_settings.h
+        cd build
+        cmake -DCMAKE_VERBOSE_MAKEFILE:BOOL=ON -DWOLFSSL_INSTALL=yes -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" \
+            -DWOLFSSL_USER_SETTINGS=ON -DWOLFSSL_USER_SETTINGS_ASM=ON -DWOLFSSL_EXAMPLES=ON -DWOLFSSL_CRYPT_TESTS=ON \
+            -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -I ." \
+            ..
+        cmake --build .
+        ctest -j $(nproc)
+        cmake --install .
+
+        # clean up
+        cd ..
+        rm -rf build

.github/workflows/codespell.yml

@@ -14,7 +14,7 @@ concurrency:
 jobs:
   codespell:
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
     - uses: actions/checkout@v4
 
@@ -23,7 +23,7 @@ jobs:
         check_filenames: true
         check_hidden: true
           # Add comma separated list of words that occur multiple times that should be ignored (sorted alphabetically, case sensitive)
-        ignore_words_list: adin,aNULL,brunch,carryIn,chainG,ciph,cLen,cliKs,dout,haveA,inCreated,inOut,inout,larg,LEAPYEAR,Merget,optionA,parm,parms,repid,rIn,userA,ser,siz,te,Te,HSI,
+        ignore_words_list: adin,aNULL,brunch,carryIn,chainG,ciph,cLen,cliKs,dout,haveA,inCreated,inOut,inout,larg,LEAPYEAR,Merget,optionA,parm,parms,repid,rIn,userA,ser,siz,te,Te,HSI,failT,
           # The exclude_file contains lines of code that should be ignored. This is useful for individual lines which have non-words that can safely be ignored.
         exclude_file: '.codespellexcludelines'
           # To skip files entirely from being processed, add it to the following list:

.github/workflows/coverity-scan-fixes.yml

@@ -10,7 +10,7 @@ on:
 jobs:
   coverity:
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
     - uses: actions/checkout@v4
       with:

.github/workflows/curl.yml

@@ -16,7 +16,7 @@ jobs:
   build_wolfssl:
     name: Build wolfSSL
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
     steps:
@@ -40,7 +40,7 @@ jobs:
   test_curl:
     name: ${{ matrix.curl_ref }}
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 15
     needs: build_wolfssl