wolfSSL · SparkiDev · Dec 16, 2025 · Dec 12, 2025 · Dec 12, 2025 · Dec 16, 2025
diff --git a/.github/workflows/dirmngr.yml b/.github/workflows/dirmngr.yml
@@ -76,8 +76,8 @@ jobs:
             cd ..
           }
 
-          pkg-config --exists --atleast-version=1.51 gpg-error || \
-            build libgpg-error 1.51 https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.51.tar.bz2
+          pkg-config --exists --atleast-version=1.56 gpg-error || \
+            build libgpg-error 1.56 https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.56.tar.bz2
 
           pkg-config --exists --atleast-version=1.11.0 gcrypt || \
             build libgcrypt 1.11.1 https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2

diff --git a/.github/workflows/libvte.yml b/.github/workflows/libvte.yml
@@ -69,7 +69,8 @@ jobs:
             liblz4-dev python3-pip python3-setuptools \
             libglib2.0-dev libpcre2-dev libfribidi-dev \
             libgtk-3-dev libicu-dev gettext git \
-            libtool autoconf automake meson ninja-build pkg-config
+            libtool autoconf automake ninja-build pkg-config
+          pip3 install --break-system-packages meson>=1.3.2
 
       - name: Checkout VTE at ${{ matrix.vte_ref }}
         run: |

diff --git a/.github/workflows/openldap.yml b/.github/workflows/openldap.yml
@@ -64,8 +64,8 @@ jobs:
       - name: Prepare cache directories (native runner)
         if: matrix.use_container == false
         run: |
-          sudo mkdir -p /opt/gnutls /opt/wolfssl /opt/wolfssl-gnutls-wrapper
-          sudo chown -R $USER:$USER /opt/gnutls /opt/wolfssl /opt/wolfssl-gnutls-wrapper
+          sudo mkdir -p /opt/gnutls /opt/wolfssl /opt/wolfssl-gnutls-wrapper /opt/nettle
+          sudo chown -R $USER:$USER /opt/gnutls /opt/wolfssl /opt/wolfssl-gnutls-wrapper /opt/nettle
 
      # ───────────── cache the wolfssl/gnutls tool-chain ─────────────
       - name: Restore cached gnutls-wolfssl
@@ -76,9 +76,10 @@ jobs:
             ${{ matrix.use_container && '/opt/gnutls' || '~/cache/gnutls' }}
             ${{ matrix.use_container && '/opt/wolfssl' || '~/cache/wolfssl' }}
             ${{ matrix.use_container && '/opt/wolfssl-gnutls-wrapper' || '~/cache/wolfssl-gnutls-wrapper' }}
-          key: gnutls-wolfssl-${{ runner.os }}-${{ matrix.use_container }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }}
+            ${{ !matrix.use_container && '~/cache/nettle' || '' }}
+          key: gnutls-wolfssl-${{ matrix.use_container == false && '3.8.11' || '3.8.9' }}-${{ runner.os }}-${{ matrix.use_container }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }}
           restore-keys: |
-            gnutls-wolfssl-${{ runner.os }}-${{ matrix.use_container }}-
+            gnutls-wolfssl-${{ matrix.use_container == false && '3.8.11' || '3.8.9' }}-${{ runner.os }}-${{ matrix.use_container }}-
 
       - name: Copy cache to /opt (native runner only)
         if: matrix.use_container == false && steps.cache-gnutls.outputs.cache-hit == 'true'
@@ -87,18 +88,35 @@ jobs:
           sudo cp -a ~/cache/gnutls /opt/
           sudo cp -a ~/cache/wolfssl /opt/
           sudo cp -a ~/cache/wolfssl-gnutls-wrapper /opt/
+          if [ -d ~/cache/nettle ]; then
+            sudo cp -a ~/cache/nettle /opt/
+          fi
+
+      - name: Setup nettle environment (native runner only)
+        if: matrix.use_container == false
+        run: |
+          # Set up environment for nettle 3.10 in /opt/nettle
+          echo "PKG_CONFIG_PATH=/opt/nettle/lib64/pkgconfig:/opt/nettle/lib/pkgconfig:$PKG_CONFIG_PATH" >> $GITHUB_ENV
+          echo "LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:$LD_LIBRARY_PATH" >> $GITHUB_ENV
 
       - name: Build GnuTLS with wolfSSL provider using setup.sh script
         if: steps.cache-gnutls.outputs.cache-hit != 'true'
         run: |
           echo "Running setup.sh..."
-          GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh
+          if [[ "${{ matrix.use_container }}" == "false" ]]; then
+            GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl NETTLE_INSTALL=/opt/nettle ./setup.sh 3.8.11
+          else
+            GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh
+          fi
           # For native runner: also save to cache location
           if [[ "${{ matrix.use_container }}" == "false" ]]; then
             mkdir -p ~/cache
             sudo cp -a /opt/gnutls ~/cache/
             sudo cp -a /opt/wolfssl ~/cache/
             sudo cp -a /opt/wolfssl-gnutls-wrapper ~/cache/
+            if [ -d /opt/nettle ]; then
+              sudo cp -a /opt/nettle ~/cache/
+            fi
             sudo chown -R $(id -u):$(id -g) ~/cache
           fi
 
@@ -107,6 +125,22 @@ jobs:
           test -d /opt/wolfssl || { echo "/opt/wolfssl missing"; exit 1; }
           test -d /opt/gnutls || { echo "/opt/gnutls missing"; exit 1; }
           test -d /opt/wolfssl-gnutls-wrapper/lib || { echo "/opt/wolfssl-gnutls-wrapper/lib missing"; exit 1; }
+          if [[ "${{ matrix.use_container }}" == "false" ]]; then
+            test -d /opt/nettle || { echo "/opt/nettle missing"; exit 1; }
+          fi
+
+      - name: Verify GnuTLS version (native runner only)
+        if: matrix.use_container == false
+        run: |
+          export LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:/opt/gnutls/lib:/opt/wolfssl/lib:$LD_LIBRARY_PATH
+          GNUTLS_VERSION=$(/opt/gnutls/bin/gnutls-cli --version 2>&1 | grep -oP 'gnutls-cli \K[0-9]+\.[0-9]+\.[0-9]+')
+          echo "Detected GnuTLS version: $GNUTLS_VERSION"
+          if [ "$GNUTLS_VERSION" != "3.8.11" ]; then
+            echo "ERROR: Expected GnuTLS 3.8.11 but got $GNUTLS_VERSION"
+            exit 1
+          fi
+          echo "GnuTLS version verified: 3.8.11"
+
       - name: Build OpenLDAP at ${{ matrix.openldap_ref }}
         run: |
           git clone https://git.openldap.org/openldap/openldap.git
@@ -117,45 +151,46 @@ jobs:
       - name: Configure OpenLDAP
         working-directory: openldap
         run: |
-          export PKG_CONFIG_PATH=/opt/gnutls/lib/pkgconfig
+          export PKG_CONFIG_PATH=/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH
           export CPPFLAGS=-I/opt/gnutls/include
-          export LDFLAGS="-L/opt/gnutls/lib -Wl,-rpath,/opt/gnutls/lib"
           if [[ "${{ matrix.openldap_ref }}" = "OPENLDAP_REL_ENG_2_6_7" ]]; then
-          ./configure \
-          ac_cv_func_memcmp_working=yes \
-          lt_cv_dlopen_self=yes \
-          --with-yielding-select=yes \
-          --enable-dynamic \
-          --enable-crypt \
-          --with-tls=gnutls \
-          --with-cyrus-sasl \
-          --enable-otp \
-          --with-argon2=libargon2 \
-          --enable-argon2 \
-          --enable-ppolicy \
-          --enable-remoteauth \
-          --prefix=/opt/openldap \
-          --enable-modules \
-          --enable-ipv6 \
-          --enable-asyncmeta=mod \
-          --enable-mdb=yes \
-          --enable-ldap=mod \
-          --enable-meta=mod \
-          --enable-null=mod \
-          --enable-passwd=mod \
-          --enable-proxycache=mod \
-          --enable-dnssrv=mod
+            export LDFLAGS="-L/opt/nettle/lib64 -L/opt/nettle/lib -L/opt/gnutls/lib -Wl,-rpath,/opt/nettle/lib64 -Wl,-rpath,/opt/nettle/lib -Wl,-rpath,/opt/gnutls/lib"
+            ./configure \
+              ac_cv_func_memcmp_working=yes \
+              lt_cv_dlopen_self=yes \
+              --with-yielding-select=yes \
+              --enable-dynamic \
+              --enable-crypt \
+              --with-tls=gnutls \
+              --with-cyrus-sasl \
+              --enable-otp \
+              --with-argon2=libargon2 \
+              --enable-argon2 \
+              --enable-ppolicy \
+              --enable-remoteauth \
+              --prefix=/opt/openldap \
+              --enable-modules \
+              --enable-ipv6 \
+              --enable-asyncmeta=mod \
+              --enable-mdb=yes \
+              --enable-ldap=mod \
+              --enable-meta=mod \
+              --enable-null=mod \
+              --enable-passwd=mod \
+              --enable-proxycache=mod \
+              --enable-dnssrv=mod
           else
-          ./configure \
-            --with-tls=gnutls \
-            --with-cyrus-sasl \
-            --enable-otp \
-            --with-argon2=libargon2 \
-            --enable-argon2 \
-            --enable-ppolicy \
-            --enable-remoteauth \
-            --prefix=/opt/openldap \
-            --enable-modules
+            export LDFLAGS="-L/opt/gnutls/lib -Wl,-rpath,/opt/gnutls/lib"
+            ./configure \
+              --with-tls=gnutls \
+              --with-cyrus-sasl \
+              --enable-otp \
+              --with-argon2=libargon2 \
+              --enable-argon2 \
+              --enable-ppolicy \
+              --enable-remoteauth \
+              --prefix=/opt/openldap \
+              --enable-modules
           fi
       - name: Build OpenLDAP
         working-directory: openldap

diff --git a/.github/workflows/tpm2-tools.yml b/.github/workflows/tpm2-tools.yml
@@ -80,6 +80,7 @@ jobs:
           export MAKEFLAGS="-j$(nproc)"
           git clone https://github.com/tpm2-software/tpm2-tss
           cd tpm2-tss
+          git checkout 4.1.3
           git submodule update --init --recursive
           ./bootstrap
           export PKG_CONFIG_PATH="/opt/gnutls/lib/pkgconfig:/opt/curl/lib/pkgconfig${PKG_CONFIG_PATH:+:$PKG_CONFIG_PATH}"

diff --git a/.github/workflows/wget.yml b/.github/workflows/wget.yml
@@ -71,9 +71,10 @@ jobs:
             ${{ matrix.use_container && '/opt/gnutls' || '~/cache/gnutls' }}
             ${{ matrix.use_container && '/opt/wolfssl' || '~/cache/wolfssl' }}
             ${{ matrix.use_container && '/opt/wolfssl-gnutls-wrapper' || '~/cache/wolfssl-gnutls-wrapper' }}
-          key: gnutls-wolfssl-${{ runner.os }}-${{ matrix.use_container }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }}
+            ${{ !matrix.use_container && '~/cache/nettle' || '' }}
+          key: gnutls-wolfssl-${{ matrix.use_container == false && '3.8.11' || '3.8.9' }}-${{ runner.os }}-${{ matrix.use_container }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }}
           restore-keys: |
-            gnutls-wolfssl-${{ runner.os }}-${{ matrix.use_container }}-
+            gnutls-wolfssl-${{ matrix.use_container == false && '3.8.11' || '3.8.9' }}-${{ runner.os }}-${{ matrix.use_container }}-
 
       - name: Copy cache to /opt (native runner only)
         if: matrix.use_container == false && steps.cache-gnutls.outputs.cache-hit == 'true'
@@ -82,18 +83,35 @@ jobs:
           sudo cp -a ~/cache/gnutls /opt/
           sudo cp -a ~/cache/wolfssl /opt/
           sudo cp -a ~/cache/wolfssl-gnutls-wrapper /opt/
+          if [ -d ~/cache/nettle ]; then
+            sudo cp -a ~/cache/nettle /opt/
+          fi
+
+      - name: Setup nettle environment (native runner only)
+        if: matrix.use_container == false
+        run: |
+          # Set up environment for nettle 3.10 in /opt/nettle
+          echo "PKG_CONFIG_PATH=/opt/nettle/lib64/pkgconfig:/opt/nettle/lib/pkgconfig:$PKG_CONFIG_PATH" >> $GITHUB_ENV
+          echo "LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:$LD_LIBRARY_PATH" >> $GITHUB_ENV
 
       - name: Build GnuTLS with wolfSSL provider using setup.sh script
         if: steps.cache-gnutls.outputs.cache-hit != 'true'
         run: |
           echo "Running setup.sh..."
-          GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh
+          if [[ "${{ matrix.use_container }}" == "false" ]]; then
+            GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl NETTLE_INSTALL=/opt/nettle ./setup.sh 3.8.11
+          else
+            GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh
+          fi
           # For native runner: also save to cache location
           if [[ "${{ matrix.use_container }}" == "false" ]]; then
             mkdir -p ~/cache
             sudo cp -a /opt/gnutls ~/cache/
             sudo cp -a /opt/wolfssl ~/cache/
             sudo cp -a /opt/wolfssl-gnutls-wrapper ~/cache/
+            if [ -d /opt/nettle ]; then
+              sudo cp -a /opt/nettle ~/cache/
+            fi
             sudo chown -R $(id -u):$(id -g) ~/cache
           fi
 
@@ -105,6 +123,23 @@ jobs:
           test -d /opt/gnutls || exit 1
           echo "Check for wrapper installation..."
           test -d /opt/wolfssl-gnutls-wrapper/lib || exit 1
+          if [[ "${{ matrix.use_container }}" == "false" ]]; then
+            echo "Check for nettle installation (3.8.11)..."
+            test -d /opt/nettle || exit 1
+          fi
+
+      - name: Verify GnuTLS version (native runner only)
+        if: matrix.use_container == false
+        run: |
+          export LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:/opt/gnutls/lib:/opt/wolfssl/lib:$LD_LIBRARY_PATH
+          GNUTLS_VERSION=$(/opt/gnutls/bin/gnutls-cli --version 2>&1 | grep -oP 'gnutls-cli \K[0-9]+\.[0-9]+\.[0-9]+')
+          echo "Detected GnuTLS version: $GNUTLS_VERSION"
+          if [ "$GNUTLS_VERSION" != "3.8.11" ]; then
+            echo "ERROR: Expected GnuTLS 3.8.11 but got $GNUTLS_VERSION"
+            exit 1
+          fi
+          echo "GnuTLS version verified: 3.8.11"
+
       - name: Build wget at ${{ matrix.wget_ref }}
         uses: actions/checkout@v4
         with:
@@ -167,7 +202,7 @@ jobs:
           # To make /opt/gnutls visible to the test binaries, LD_LIBRARY_PATH
           # is needed since we disable rpath for v1.21.4.
           if [[ "${{ matrix.wget_ref }}" = "v1.21.4" ]]; then
-          export LD_LIBRARY_PATH=/opt/gnutls/lib:/opt/wolfssl/lib:/opt/wolfssl-gnutls-wrapper/lib:$LD_LIBRARY_PATH
+            export LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:/opt/gnutls/lib:/opt/wolfssl/lib:/opt/wolfssl-gnutls-wrapper/lib:$LD_LIBRARY_PATH
           fi
           make check
           find . -name '*.log' | xargs grep wgw