wolfSSL · dgarske · Jun 12, 2026 · Jun 11, 2026 · Jun 11, 2026 · Jun 11, 2026
diff --git a/.github/workflows/_resolve-wolfssl.yml b/.github/workflows/_resolve-wolfssl.yml
@@ -0,0 +1,63 @@
+name: Resolve wolfSSL versions
+
+on:
+  workflow_call:
+    outputs:
+      matrix:
+        description: 'JSON matrix include of wolfSSL refs (master + latest -stable), each with a pqc flag'
+        value: ${{ jobs.resolve.outputs.matrix }}
+      refs:
+        description: 'JSON array of wolfSSL refs ([latest -stable, master]) for use as a matrix axis'
+        value: ${{ jobs.resolve.outputs.refs }}
+      latest_stable:
+        description: 'Latest wolfSSL v*-stable tag resolved at run time'
+        value: ${{ jobs.resolve.outputs.latest_stable }}
+      latest_pqc:
+        description: 'true when latest -stable is strictly newer than the v5.9.1 PQC floor'
+        value: ${{ jobs.resolve.outputs.latest_pqc }}
+
+permissions:
+  contents: read
+
+jobs:
+  resolve:
+    name: Resolve wolfSSL version matrix
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+      refs: ${{ steps.set-matrix.outputs.refs }}
+      latest_stable: ${{ steps.set-matrix.outputs.latest_stable }}
+      latest_pqc: ${{ steps.set-matrix.outputs.latest_pqc }}
+    steps:
+      - name: Resolve latest -stable wolfSSL tag and PQC eligibility
+        id: set-matrix
+        run: |
+          set -euo pipefail
+          LATEST=$(git ls-remote --tags --refs https://github.com/wolfSSL/wolfssl.git 'v*-stable' \
+                     | awk -F/ '{print $NF}' | sort -V | tail -n 1)
+          if [ -z "${LATEST:-}" ]; then
+            echo "::error::Could not resolve latest wolfSSL -stable tag from remote"
+            exit 1
+          fi
+          echo "Latest stable wolfSSL: $LATEST"
+          echo "latest_stable=$LATEST" >> "$GITHUB_OUTPUT"
+          # Enable PQC only when $LATEST is strictly newer than v5.9.1-stable.
+          # The wc_MlDsaKey_* API lands post-v5.9.1-stable; older stables only
+          # ship the legacy ML-DSA API.
+          PQC_FLOOR="v5.9.1-stable"
+          if [ "$(printf '%s\n%s\n' "$PQC_FLOOR" "$LATEST" | sort -V | tail -n 1)" != "$PQC_FLOOR" ]; then
+            LATEST_PQC=true
+          else
+            LATEST_PQC=false
+          fi
+          echo "latest-stable PQC eligible: $LATEST_PQC"
+          echo "latest_pqc=$LATEST_PQC" >> "$GITHUB_OUTPUT"
+          MATRIX=$(jq -nc --arg latest "$LATEST" --argjson latest_pqc "$LATEST_PQC" '{
+            include: [
+              {"wolfssl-version":$latest,"wolfssl-ref":$latest,"pqc":$latest_pqc},
+              {"wolfssl-version":"master","wolfssl-ref":"master","pqc":true}
+            ]
+          }')
+          echo "matrix=$MATRIX" >> "$GITHUB_OUTPUT"
+          REFS=$(jq -nc --arg latest "$LATEST" '[$latest, "master"]')
+          echo "refs=$REFS" >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/make-test.yml b/.github/workflows/make-test.yml
@@ -10,6 +10,10 @@ on:
       make-args:
         required: false
         type: string
+      wolfssl-ref:
+        required: false
+        default: master
+        type: string
 
 jobs:
 
@@ -30,12 +34,13 @@ jobs:
       - uses: actions/checkout@master
         with:
           repository: wolfssl/wolfssl
+          ref: ${{ inputs.wolfssl-ref }}
           path: wolfssl
       - name: wolfssl build
         working-directory: ./wolfssl
         run: |
           ./autogen.sh
-          ./configure --enable-sniffer --enable-curve25519 --enable-curve448 --enable-enckeys CFLAGS="-DWOLFSSL_DH_EXTRA"
+          ./configure --enable-sniffer --enable-curve25519 --enable-curve448 --enable-enckeys --enable-opensslextra CFLAGS="-DWOLFSSL_DH_EXTRA"
           make
           make check
           make dist

diff --git a/.github/workflows/sanitizer.yml b/.github/workflows/sanitizer.yml
@@ -0,0 +1,79 @@
+name: wolfKeyMgr Sanitizer Build Workflow
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+
+  # Auto-resolve the latest wolfSSL -stable tag; refs = [ latest -stable, master ].
+  resolve:
+    uses: ./.github/workflows/_resolve-wolfssl.yml
+
+  sanitizer:
+    name: ${{ matrix.sanitizer.name }} (wolfSSL ${{ matrix.wolfssl-ref }})
+    needs: resolve
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    strategy:
+      fail-fast: false
+      matrix:
+        wolfssl-ref: ${{ fromJson(needs.resolve.outputs.refs) }}
+        sanitizer:
+          - name: ASan
+            cflags: "-fsanitize=address -fno-omit-frame-pointer -g -O1"
+          - name: UBSan
+            cflags: "-fsanitize=undefined -fno-sanitize-recover=all -fno-omit-frame-pointer -g"
+
+    steps:
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libevent-dev libpcap-dev autoconf automake libtool
+
+      - name: Checkout wolfKeyMgr
+        uses: actions/checkout@v4
+
+      - name: Build wolfSSL (${{ matrix.sanitizer.name }})
+        run: |
+          git clone --depth 1 --branch ${{ matrix.wolfssl-ref }} \
+              https://github.com/wolfSSL/wolfssl.git
+          cd wolfssl
+          ./autogen.sh
+          ./configure --enable-sniffer --enable-curve25519 --enable-curve448 \
+                      --enable-enckeys --enable-opensslextra \
+                      CFLAGS="-DWOLFSSL_DH_EXTRA ${{ matrix.sanitizer.cflags }}"
+          make -j"$(nproc)"
+          sudo make install
+          sudo ldconfig
+
+      - name: Build wolfKeyMgr (${{ matrix.sanitizer.name }})
+        run: |
+          ./autogen.sh
+          ./configure CFLAGS="${{ matrix.sanitizer.cflags }}"
+          make -j"$(nproc)"
+
+      - name: make check (${{ matrix.sanitizer.name }})
+        env:
+          # detect_leaks=0: catch overflows / use-after-free now; leak
+          # detection can flag library init allocations and is left to a
+          # follow-up.
+          ASAN_OPTIONS: detect_leaks=0
+          UBSAN_OPTIONS: halt_on_error=1:print_stacktrace=1
+        run: make check
+
+      - name: Upload failure logs
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolfKeyMgr-${{ matrix.sanitizer.name }}-wolfssl-${{ matrix.wolfssl-ref }}-logs
+          path: |
+            test-suite.log
+            tests/*.log
+          retention-days: 5
diff --git a/.github/workflows/test-nightly.yml b/.github/workflows/test-nightly.yml
@@ -15,20 +15,73 @@ on:
 
 jobs:
 
+  # Auto-resolve the latest wolfSSL -stable tag so nightly tracks releases
+  # without a manual bump; refs = [ latest -stable, master ].
+  resolve:
+    uses: ./.github/workflows/_resolve-wolfssl.yml
+
   build_test:
+    needs: resolve
+    strategy:
+      matrix:
+        wolfssl-ref: ${{ fromJson(needs.resolve.outputs.refs) }}
     uses: ./.github/workflows/make-test.yml
     with:
       config-args:
       make-args:
+      wolfssl-ref: ${{ matrix.wolfssl-ref }}
 
   build_debug_test:
+    needs: resolve
+    strategy:
+      matrix:
+        wolfssl-ref: ${{ fromJson(needs.resolve.outputs.refs) }}
     uses: ./.github/workflows/make-test.yml
     with:
       config-args: --enable-debug
       make-args:
+      wolfssl-ref: ${{ matrix.wolfssl-ref }}
 
   build_no_vault_test:
+    needs: resolve
+    strategy:
+      matrix:
+        wolfssl-ref: ${{ fromJson(needs.resolve.outputs.refs) }}
     uses: ./.github/workflows/make-test.yml
     with:
       config-args: --disable-vault
       make-args:
+      wolfssl-ref: ${{ matrix.wolfssl-ref }}
+
+  build_no_sniffer_test:
+    needs: resolve
+    strategy:
+      matrix:
+        wolfssl-ref: ${{ fromJson(needs.resolve.outputs.refs) }}
+    uses: ./.github/workflows/make-test.yml
+    with:
+      config-args: --disable-sniffer
+      make-args:
+      wolfssl-ref: ${{ matrix.wolfssl-ref }}
+
+  build_vault_clear_test:
+    needs: resolve
+    strategy:
+      matrix:
+        wolfssl-ref: ${{ fromJson(needs.resolve.outputs.refs) }}
+    uses: ./.github/workflows/make-test.yml
+    with:
+      config-args: --enable-vault=clear
+      make-args:
+      wolfssl-ref: ${{ matrix.wolfssl-ref }}
+
+  build_minimal_test:
+    needs: resolve
+    strategy:
+      matrix:
+        wolfssl-ref: ${{ fromJson(needs.resolve.outputs.refs) }}
+    uses: ./.github/workflows/make-test.yml
+    with:
+      config-args: --disable-sniffer --disable-vault
+      make-args:
+      wolfssl-ref: ${{ matrix.wolfssl-ref }}
diff --git a/.github/workflows/test-pull.yml b/.github/workflows/test-pull.yml
@@ -8,20 +8,73 @@ on:
 
 jobs:
 
+  # Auto-resolve the latest wolfSSL -stable tag so CI tracks releases without a
+  # manual bump; refs = [ latest -stable, master ].
+  resolve:
+    uses: ./.github/workflows/_resolve-wolfssl.yml
+
   build_test:
+    needs: resolve
+    strategy:
+      matrix:
+        wolfssl-ref: ${{ fromJson(needs.resolve.outputs.refs) }}
     uses: ./.github/workflows/make-test.yml
     with:
       config-args:
       make-args:
+      wolfssl-ref: ${{ matrix.wolfssl-ref }}
 
   build_debug_test:
+    needs: resolve
+    strategy:
+      matrix:
+        wolfssl-ref: ${{ fromJson(needs.resolve.outputs.refs) }}
     uses: ./.github/workflows/make-test.yml
     with:
       config-args: --enable-debug
       make-args:
+      wolfssl-ref: ${{ matrix.wolfssl-ref }}
 
   build_no_vault_test:
+    needs: resolve
+    strategy:
+      matrix:
+        wolfssl-ref: ${{ fromJson(needs.resolve.outputs.refs) }}
     uses: ./.github/workflows/make-test.yml
     with:
       config-args: --disable-vault
       make-args:
+      wolfssl-ref: ${{ matrix.wolfssl-ref }}
+
+  build_no_sniffer_test:
+    needs: resolve
+    strategy:
+      matrix:
+        wolfssl-ref: ${{ fromJson(needs.resolve.outputs.refs) }}
+    uses: ./.github/workflows/make-test.yml
+    with:
+      config-args: --disable-sniffer
+      make-args:
+      wolfssl-ref: ${{ matrix.wolfssl-ref }}
+
+  build_vault_clear_test:
+    needs: resolve
+    strategy:
+      matrix:
+        wolfssl-ref: ${{ fromJson(needs.resolve.outputs.refs) }}
+    uses: ./.github/workflows/make-test.yml
+    with:
+      config-args: --enable-vault=clear
+      make-args:
+      wolfssl-ref: ${{ matrix.wolfssl-ref }}
+
+  build_minimal_test:
+    needs: resolve
+    strategy:
+      matrix:
+        wolfssl-ref: ${{ fromJson(needs.resolve.outputs.refs) }}
+    uses: ./.github/workflows/make-test.yml
+    with:
+      config-args: --disable-sniffer --disable-vault
+      make-args:
+      wolfssl-ref: ${{ matrix.wolfssl-ref }}
diff --git a/README.md b/README.md
@@ -50,7 +50,7 @@ $ ./autogen.sh
 $ git clone https://github.com/wolfssl/wolfssl
 $ cd wolfssl
 $ ./autogen.sh
-$ ./configure --enable-sniffer --enable-curve25519 --enable-curve448 --enable-enckeys CFLAGS="-DWOLFSSL_DH_EXTRA"
+$ ./configure --enable-sniffer --enable-curve25519 --enable-curve448 --enable-enckeys --enable-opensslextra CFLAGS="-DWOLFSSL_DH_EXTRA"
 $ make
 $ make check   # (optional, but highly recommended)
 $ sudo make install

diff --git a/configure.ac b/configure.ac
@@ -5,7 +5,7 @@
 
 AC_PREREQ(2.59)
 
-AC_INIT([wolfKeyManager],[1.1],[http://www.wolfssl.com])
+AC_INIT([wolfKeyManager],[1.2],[http://www.wolfssl.com])
 AC_CONFIG_AUX_DIR(config)
 AC_CONFIG_HEADERS([wolfkeymgr/config.h])
 AC_CONFIG_MACRO_DIR(m4)
@@ -71,7 +71,7 @@ LT_PREREQ([2.2])
 LT_INIT([disable-static win32-dll])
 
 # Shared library versioning
-WOLFKM_LIBRARY_VERSION=9:0:0
+WOLFKM_LIBRARY_VERSION=9:1:0
 #                      | | |
 #               +------+ | +---+
 #               |        |     |