
ci: membrowse integration #10188

Closed
LinuxJedi wants to merge 16 commits into wolfSSL:master from LinuxJedi:membrowse-integration

@LinuxJedi
Member

Summary

  • Adds Membrowse CI integration with GitHub Actions workflows (onboard, report, comment)
  • Includes multiple bug fixes: OCSP implementation, Blake2 bounds checks, EVP ECB decrypt, SECO AES GCM, ASCON big endian, SP math TOCTOU, CRL namespace collision, DTLS 1.3 oversized cert chains, and more
  • Adds corresponding tests for the fixes

Test plan

  • CI workflows pass on the fork
  • make check passes with default configuration
  • Review new Membrowse workflow files for correctness

🤖 Generated with Claude Code

julek-wolfssl and others added 16 commits April 9, 2026 17:39
- wolfSSL_i2d_OCSP_REQUEST_bio: save/restore pointer before i2d call
  that advances it, preventing BIO_write from wrong offset and heap
  corruption on free
- wolfSSL_d2i_OCSP_RESPONSE: remove (unsigned char) cast that truncated
  pointer advance to 8 bits, breaking responses larger than 255 bytes
- wolfSSL_OCSP_CERTID_dup: deep-copy CertStatus to prevent double-free
  when both original and duplicate are freed
- wolfSSL_i2d_OCSP_RESPONSE: add NULL check on response parameter
- wolfSSL_i2d_OCSP_REQUEST: advance *data pointer per i2d convention
- FreeOCSP: NULL-check ocsp->cm before dereferencing for heap
- Fix WOLFSSL_LEAVE strings to match actual function names in
  wc_CheckCertOcspResponse, GetOcspEntry, GetOcspStatus,
  CheckOcspResponse, CheckOcspRequest

Add test for CERTID dup (double-free confirmed under ASAN without fix)
and pointer advancement assertions for d2i_OCSP_RESPONSE callers.

Reported in: ZD21469
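
The 8-bit truncation that the commit message above describes for wolfSSL_d2i_OCSP_RESPONSE, reproduced as an added example (not wolfSSL code and not part of this pull request). Every function name here is hypothetical and the encoded input is constructed; the only thing taken from the page is the pattern of casting the pointer advance to `unsigned char`.

```c
#include <stdio.h>

/* Hypothetical stand-in for a DER decoder: reads a SEQUENCE header and
 * returns header + content size, or -1 if malformed or truncated. */
static long toy_der_total_len(const unsigned char *p, long avail)
{
    long len, hdr = 2;
    int i, n;
    if (avail < 2 || p[0] != 0x30) return -1;
    len = p[1];
    if (len >= 0x80) {              /* long form: low 7 bits count length octets */
        n = (int)(len & 0x7F);
        if (n == 0 || n > 3 || avail < 2 + n) return -1;
        for (len = 0, i = 0; i < n; i++)
            len = (len << 8) | p[2 + i];
        hdr += n;
    }
    return (hdr + len <= avail) ? hdr + len : -1;
}

/* d2i-style wrapper: advances *data past the object and returns how far
 * it moved. truncating_cast = 1 reproduces the bug pattern. */
static long toy_d2i_advance(const unsigned char **data, long avail, int truncating_cast)
{
    const unsigned char *start = *data;
    long used = toy_der_total_len(*data, avail);
    if (used < 0) return -1;
    if (truncating_cast)
        *data += (unsigned char)used; /* keeps only the low 8 bits */
    else
        *data += used;                /* full advance, per d2i convention */
    return (long)(*data - start);
}

/* Constructed input: SEQUENCE of content_len (0..1020) zero bytes; returns the observed advance. */
static long demo_advance(long content_len, int truncating_cast)
{
    unsigned char buf[1024] = { 0x30, 0x82 };
    const unsigned char *p = buf;
    buf[2] = (unsigned char)(content_len >> 8);
    buf[3] = (unsigned char)(content_len & 0xFF);
    return toy_d2i_advance(&p, 4 + content_len, truncating_cast);
}

int main(void)
{
    printf("full: %ld  truncated: %ld\n", demo_advance(296, 0), demo_advance(296, 1));
    return 0;
}
```

A regression test for this class of bug needs an input longer than 255 bytes, since shorter encodings advance correctly even with the cast in place.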
This only makes an actual difference when FREESCALE_MMCAU is defined (otherwise encrypt and decrypt are the same), but better for clarity still.
Copilot AI review requested due to automatic review settings April 10, 2026 16:40
@LinuxJedi LinuxJedi closed this Apr 10, 2026
@LinuxJedi
Member Author

Claude was trying to pull a commit from a fork for me, it did a bad job.

@LinuxJedi LinuxJedi deleted the membrowse-integration branch April 10, 2026 16:44
@LinuxJedi LinuxJedi review requested due to automatic review settings April 10, 2026 17:02