From 8fb3fdca5afcbab76ef3a607f7b465e57889bee8 Mon Sep 17 00:00:00 2001
From: Kareem
Date: Tue, 16 Jun 2026 16:51:18 -0700
Subject: [PATCH 1/3] Prevent command injection in includedir/libdir in configure.ac. Thanks to NVIDIA Project Vanessa for the report.
---
 configure.ac | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/configure.ac b/configure.ac
index bdf5d3df29..122b0e7c79 100644
--- a/configure.ac
+++ b/configure.ac
@@ -12489,6 +12489,16 @@ if test "x$WOLFSSL_EXEC_PREFIX_ABS" = "xNONE"; then
 fi
 prefix=$WOLFSSL_PREFIX_ABS
 exec_prefix=$WOLFSSL_EXEC_PREFIX_ABS
+# The eval calls below expand ${prefix}/${exec_prefix} references embedded in
+# the libdir/includedir values. eval would, however, also execute any shell
+# command substitution contained in a --libdir/--includedir value (e.g.
+# --libdir='$(cmd)/lib'), running arbitrary commands during configure.
+# Reject values that contain command substitution before the eval.
+case "$libdir $includedir" in
+ *'`'* | *'$('*)
+ AC_MSG_ERROR([--libdir and --includedir must not contain shell command substitution])
+ ;;
+esac
 eval WOLFSSL_LIBDIR_ABS=\"$libdir\"
 eval WOLFSSL_INCLUDEDIR_ABS=\"$includedir\"
 AC_SUBST([WOLFSSL_PREFIX_ABS])
From 6f4b1fbb7848f97ce891b3c8aba9d1503b7ae3fb Mon Sep 17 00:00:00 2001
From: Kareem
Date: Tue, 16 Jun 2026 16:58:52 -0700
Subject: [PATCH 2/3] Enable curve25519 support in lighttpd builds by default to enable PQC by default in lighttpd. Fixes #10679.
---
 configure.ac | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/configure.ac b/configure.ac
index 122b0e7c79..f683773f84 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5118,6 +5118,11 @@ then
 ENABLED_CURVE25519="yes"
 fi
+if test "$ENABLED_CURVE25519" = "no" && test "$ENABLED_LIGHTY" = "yes" && test "x$ENABLED_FIPS" = "xno"
+then
+ ENABLED_CURVE25519="yes"
+fi
+
 # ED25519
 AC_ARG_ENABLE([ed25519],
From 1ca5e2403a489d0840440e7c76940a187e33ba0b Mon Sep 17 00:00:00 2001
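Review bot: The `case` guard added in the `@@ -12489,6 +12489,16 @@` hunk is a deny-list of two tokens, so a `--libdir` or `--includedir` value that contains a literal double quote still reaches `eval WOLFSSL_LIBDIR_ABS=\"$libdir\"`, where it ends the quoted string and the remainder of the value is parsed as shell. Adding a third alternative `*'"'*` to the pattern list closes that case. An allow-list of the characters a path with `${prefix}`-style references can contain would be sturdier than enumerating metacharacters one by one. The comment above the guard and the error text should then say "shell metacharacters" rather than only "command substitution", so the stated scope matches what is rejected.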
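Review bot: The condition added in the `@@ -5118,6 +5118,11 @@` hunk cannot tell a default `no` from an explicit `--disable-curve25519`, so a lighttpd build that switched the curve off on purpose gets it turned back on with no message. Patch 3 of this series uses `$enable_sp_asm` to recognise an explicit request, and the same approach fits here, for example by appending `&& test "x$enable_curve25519" != "xno"` to the test (the variable name is assumed from the usual AC_ARG_ENABLE naming; the option's definition is outside the hunk). An `AC_MSG_NOTICE` on the override path and a one-line comment such as `# lighttpd needs curve25519 for its default PQC groups (#10679)` would make the forced default visible to whoever reads the configure output.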
From: Kareem
Date: Tue, 16 Jun 2026 17:12:07 -0700
Subject: [PATCH 3/3] Error or warn users trying to build SP math assembly for MinGW as this is currently unsupported and will fail. Fixes #10690.
---
 configure.ac | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/configure.ac b/configure.ac
index f683773f84..35618f62ca 100644
--- a/configure.ac
+++ b/configure.ac
@@ -10485,6 +10485,23 @@ if test "$ENABLED_SP_MATH_ALL" = "yes" && test "$ENABLED_ASM" != "no"; then
 fi
+if test "$ENABLED_SP_ASM" = "yes" && test "$ENABLED_SP" = "yes"; then
+ case $host_cpu in
+ *x86_64* | *amd64*)
+ case $host_os in
+ *mingw* | *cygwin* | *msys*)
+ if test "$enable_sp_asm" = "yes"; then
+ AC_MSG_ERROR([--enable-sp-asm is not supported for x86_64 Windows hosts (MinGW/Cygwin). Reconfigure without --enable-sp-asm to use the C SP implementation.])
+ else
+ AC_MSG_WARN([x86_64 SP assembly is not supported for Windows hosts (MinGW/Cygwin); disabling SP assembly and using the C implementation.])
+ ENABLED_SP_ASM=no
+ fi
+ ;;
+ esac
+ ;;
+ esac
+fi
+
 if test "$ENABLED_SP_ASM" = "yes" && test "$ENABLED_SP" = "yes"; then
 if test "$ENABLED_SP_NONBLOCK" = "yes"; then
 AC_MSG_ERROR([SP non-blocking not supported with sp-asm])
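Review bot: The `*mingw* | *cygwin* | *msys*` pattern in the `@@ -10485,6 +10485,23 @@` hunk also matches MSYS hosts, but both messages name only "MinGW/Cygwin", and the block carries no comment saying why SP assembly is refused there. I would put `# x86_64 SP assembly does not build for MinGW/Cygwin/MSYS hosts (#10690): fail if --enable-sp-asm was given, otherwise fall back to C.` above the outer `if` and add MSYS to the two message strings. Whether anything earlier in configure.ac has already acted on `ENABLED_SP_ASM=yes` is not visible from this hunk; if it has, the warning path that sets `ENABLED_SP_ASM=no` would leave those settings in place, which is worth checking.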