From dfb448307108e799fb007c031bea29a375b3763f Mon Sep 17 00:00:00 2001
From: Kareem
Date: Tue, 16 Jun 2026 16:51:18 -0700
Subject: [PATCH 1/4] Prevent command injection in includedir/libdir in configure.ac. Thanks to NVIDIA Project Vanessa for the report.
---
 configure.ac | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/configure.ac b/configure.ac
index 2a58545fcc..f9432b4b67 100644
--- a/configure.ac
+++ b/configure.ac
@@ -12489,6 +12489,16 @@ if test "x$WOLFSSL_EXEC_PREFIX_ABS" = "xNONE"; then
 fi
 prefix=$WOLFSSL_PREFIX_ABS
 exec_prefix=$WOLFSSL_EXEC_PREFIX_ABS
+# The eval calls below expand ${prefix}/${exec_prefix} references embedded in
+# the libdir/includedir values. eval would, however, also execute any shell
+# command substitution contained in a --libdir/--includedir value (e.g.
+# --libdir='$(cmd)/lib'), running arbitrary commands during configure.
+# Reject values that contain command substitution before the eval.
+case "$libdir $includedir" in
+ *'`'* | *'$('*)
+ AC_MSG_ERROR([--libdir and --includedir must not contain shell command substitution])
+ ;;
+esac
 eval WOLFSSL_LIBDIR_ABS=\"$libdir\"
 eval WOLFSSL_INCLUDEDIR_ABS=\"$includedir\"
 AC_SUBST([WOLFSSL_PREFIX_ABS])
From a8c4613161443ab55b6bb770a854596a5aba9980 Mon Sep 17 00:00:00 2001
From: Kareem
Date: Tue, 16 Jun 2026 16:58:52 -0700
Subject: [PATCH 2/4] Enable curve25519 support in lighttpd builds by default to enable PQC by default in lighttpd. Fixes #10679.
---
 configure.ac | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/configure.ac b/configure.ac
index f9432b4b67..4848ba8e31 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5118,6 +5118,11 @@ then
 ENABLED_CURVE25519="yes"
 fi
+if test "$ENABLED_CURVE25519" = "no" && test "$ENABLED_LIGHTY" = "yes" && test "x$ENABLED_FIPS" = "xno"
+then
+ ENABLED_CURVE25519="yes"
+fi
+
 # ED25519
 AC_ARG_ENABLE([ed25519],
From 414c0dec928270d1026f37bde3b784567a98eee0 Mon Sep 17 00:00:00 2001
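Review bot: The comment added ahead of `eval WOLFSSL_LIBDIR_ABS=\"$libdir\"` does not say what the eval still evaluates once the check has passed. `${...}` has to stay allowed for `${prefix}`, so a form such as `${name:=word}` in a --libdir value is still expanded and can assign a variable in the running configure shell; a nested backtick or `$(` is caught by the patterns, so this does not by itself run a command. I would record that in the comment, for example `# Parameter expansion (${...}) is still evaluated by the eval; only command substitution is rejected here.`, and the same applies to the rewritten comment in the PATCH 4/4 hunk on these lines. On its own this hunk rejects only the two command-substitution forms and the quoting cases are handled in PATCH 4/4, so the two belong together in any backport.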
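Review bot: The added `if` cannot tell a default `ENABLED_CURVE25519="no"` from an explicit --disable-curve25519, so a lighttpd build that deliberately turned the curve off gets it switched back on without any message. PATCH 3/4 in this series separates the explicit case through the `enable_sp_asm` variable. Assuming the option is declared with AC_ARG_ENABLE([curve25519]), the same approach here would be to add `&& test "x$enable_curve25519" != "xno"` to the condition, or at least to put `AC_MSG_NOTICE([enabling curve25519 for lighttpd])` inside the branch. Whether `ENABLED_LIGHTY` already has its final value at this point in configure.ac is not visible from the hunk and is worth confirming.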
From: Kareem
Date: Tue, 16 Jun 2026 17:12:07 -0700
Subject: [PATCH 3/4] Error or warn users trying to build SP math assembly for MinGW as this is currently unsupported and will fail. Fixes #10690.
---
 configure.ac | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/configure.ac b/configure.ac
index 4848ba8e31..252da98bcf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -10485,6 +10485,23 @@ if test "$ENABLED_SP_MATH_ALL" = "yes" && test "$ENABLED_ASM" != "no"; then
 fi
+if test "$ENABLED_SP_ASM" = "yes" && test "$ENABLED_SP" = "yes"; then
+ case $host_cpu in
+ *x86_64* | *amd64*)
+ case $host_os in
+ *mingw* | *cygwin* | *msys*)
+ if test "$enable_sp_asm" = "yes"; then
+ AC_MSG_ERROR([--enable-sp-asm is not supported for x86_64 Windows hosts (MinGW/Cygwin). Reconfigure without --enable-sp-asm to use the C SP implementation.])
+ else
+ AC_MSG_WARN([x86_64 SP assembly is not supported for Windows hosts (MinGW/Cygwin); disabling SP assembly and using the C implementation.])
+ ENABLED_SP_ASM=no
+ fi
+ ;;
+ esac
+ ;;
+ esac
+fi
+
 if test "$ENABLED_SP_ASM" = "yes" && test "$ENABLED_SP" = "yes"; then
 if test "$ENABLED_SP_NONBLOCK" = "yes"; then
 AC_MSG_ERROR([SP non-blocking not supported with sp-asm])
From 85bb45118d5371169046bb447053e895403bebb6 Mon Sep 17 00:00:00 2001
From: Kareem
Date: Fri, 26 Jun 2026 07:04:52 -0700
Subject: [PATCH 4/4] Code review feedback: reject additional shell metacharacters.
---
 configure.ac | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/configure.ac b/configure.ac
index 252da98bcf..f0adef7c4a 100644
--- a/configure.ac
+++ b/configure.ac
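Review bot: The new block has no comment, and its host match is wider than its messages say: the `case $host_os` pattern also covers `*msys*`, while the error and the warning both name only MinGW/Cygwin. A leading comment such as `# x86_64 SP assembly does not build for Windows hosts (see #10690): fail if it was requested explicitly, otherwise fall back to the C code.` would record why the two branches differ. Adding MSYS to the two message strings would keep them in line with the pattern. The existing `ENABLED_SP_ASM` block that follows the addition continues outside the hunk, so whether anything before this point has already acted on `ENABLED_SP_ASM=yes` cannot be checked from here.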
@@ -12512,13 +12512,13 @@ fi
 prefix=$WOLFSSL_PREFIX_ABS
 exec_prefix=$WOLFSSL_EXEC_PREFIX_ABS
 # The eval calls below expand ${prefix}/${exec_prefix} references embedded in
-# the libdir/includedir values. eval would, however, also execute any shell
-# command substitution contained in a --libdir/--includedir value (e.g.
-# --libdir='$(cmd)/lib'), running arbitrary commands during configure.
-# Reject values that contain command substitution before the eval.
+# the libdir/includedir values. eval would, however, also execute or be
+# subverted by shell metacharacters in a --libdir/--includedir value (command
+# substitution, quote breakout, command separators, etc.), running arbitrary
+# commands during configure. Reject such values before the eval.
 case "$libdir $includedir" in
- *'`'* | *'$('*)
- AC_MSG_ERROR([--libdir and --includedir must not contain shell command substitution])
+ *'`'* | *'$('* | *'"'* | *"'"* | *';'* | *'&'* | *'|'* | *'<'* | *'>'* | *'\'* )
+ AC_MSG_ERROR([--libdir and --includedir must not contain shell metacharacters])
 ;;
 esac
 eval WOLFSSL_LIBDIR_ABS=\"$libdir\"
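Review bot: The single `case "$libdir $includedir"` test with one shared message cannot tell the user which of the two options was refused, and the extended pattern list makes a refusal more likely for ordinary directory names. Inside the double quotes that `eval WOLFSSL_LIBDIR_ABS=\"$libdir\"` supplies, the single quote, `;`, `&`, `|` and the two redirection characters are literal, so those entries are a precaution and not what closes the quoted string. I would say so in the comment, for example `# The double quote, backslash, backtick and $( matter inside the quoted eval; the other characters are rejected as a precaution.`, and run the check once per variable so the error can name --libdir or --includedir.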