- fix listen socket descrution on SYN_RCVD ctrl-RTO expirty:

revert to TCP_LISTEN instead of close_socket()
- add missing esp encapsulation to icmp tx path in wolfip_poll()
- add alignment guard to tcp ts option fit-check in tcp_send_syn(), matching ws and sack patterns
- add missing esp encapsulation to icmp echo reply path in icmp_input()
- add missing esp encapsulation to icmp port unreachable pathh in wolfip_send_port_unreachable()
- add rfc 9293 compliant rst handling for tcp syn__sent state
- add sequence number validation of rst segments in tcp syn_rcvd state per rfc 9293
- add source ip  validation in ip_recv() to drop broadcast, multicast and zero-address packets per rfc 1122
- validate arp request sender ip before caching to prevent cache poisoningg from spoofed sources
- validate dhcp ack server identifier matches the server commiteed during offer phase
- add coverage tests for icmp port unreachable suppression on broadcast/multicast source and destination
- add coverage tests for tcp rst suppression on broadcast and multicast destination addresses
- add coverage test for dhcp renewing to rebinding state transition at rebind deadline boundary
- add coverage test for icmp echo reply suppression on multicast destination addresses
- validate arp * fields in arp_recv and update existing tests to set them correctly
- Use wc_ForceZero for ESP SA key material clearing and update CI workflows to build wolfSSL from source with --enable-md5
- add missing esp encapsulation to icmp ttl exceeded path in wolfip_send_ttl_exceeded()
- send rst in response to syn-ack with invalid ack in syn_sent state per rfc 9293
- send rst in response to aunnaccetable ack in syn_rcvd state per rfc 9293
- drop segments without ack flag in synchronized tcp states per rfc 9293
- drop ip packets with source routine options (lsrr/ssrr) per rfc 7126

Author: gasbytes

.github/workflows/freebsd.yml

@@ -21,9 +21,16 @@ jobs:
           prepare: |
             set -ex
             env IGNORE_OSVERSION=yes pkg update -f
-            env IGNORE_OSVERSION=yes pkg install -y gmake gcc wolfssl check vim
+            env IGNORE_OSVERSION=yes pkg install -y gmake gcc check vim autoconf automake libtool
             kldload if_tap || true
             sysctl net.link.tap.up_on_open=1 || true
+            git clone --depth=1 https://github.com/wolfssl/wolfssl --branch nightly-snapshot /tmp/wolfssl
+            cd /tmp/wolfssl
+            ./autogen.sh
+            ./configure --enable-md5
+            gmake -j$(sysctl -n hw.ncpu)
+            gmake install
+            ldconfig
           run: |
             set -ex
             cd "${GITHUB_WORKSPACE:-/root/work/github/workspace}"

.github/workflows/linux.yml

@@ -16,12 +16,22 @@ jobs:
         with:
           submodules: true
 
-      - name: Update repo
+      - name: Install dependencies
         run: |
           sudo apt-get update
-          sudo apt-get install -y libwolfssl-dev
+          sudo apt-get install -y build-essential autoconf automake libtool pkg-config
           sudo modprobe tun
 
+      - name: Clone and build wolfSSL from nightly-snapshot
+        run: |
+          git clone --depth=1 https://github.com/wolfssl/wolfssl --branch nightly-snapshot /tmp/wolfssl
+          cd /tmp/wolfssl
+          ./autogen.sh
+          ./configure --enable-md5
+          make -j$(nproc)
+          sudo make install
+          sudo ldconfig
+
       - name: Build linux tests
         run: |
           mkdir -p build/port

.github/workflows/macos.yml

@@ -18,7 +18,16 @@ jobs:
       - name: Install dependencies
         run: |
           brew update
-          brew install make wolfssl check
+          brew install make check autoconf automake libtool
+
+      - name: Clone and build wolfSSL from nightly-snapshot
+        run: |
+          git clone --depth=1 https://github.com/wolfssl/wolfssl --branch nightly-snapshot /tmp/wolfssl
+          cd /tmp/wolfssl
+          ./autogen.sh
+          ./configure --enable-md5
+          make -j$(sysctl -n hw.ncpu)
+          sudo make install
 
       - name: Build tests
         run: |

.github/workflows/multi-compiler.yml

@@ -39,9 +39,19 @@ jobs:
 
       - name: Install dependencies
         run: |
-          sudo apt-get install -y libwolfssl-dev check
+          sudo apt-get install -y autoconf automake libtool pkg-config check
           sudo modprobe tun
 
+      - name: Clone and build wolfSSL from nightly-snapshot
+        run: |
+          git clone --depth=1 https://github.com/wolfssl/wolfssl --branch nightly-snapshot /tmp/wolfssl
+          cd /tmp/wolfssl
+          ./autogen.sh
+          ./configure --enable-md5
+          make -j$(nproc)
+          sudo make install
+          sudo ldconfig
+
       - name: Build wolfIP with ${{ matrix.cc }}
         run: |
           mkdir -p build/port

.github/workflows/sanitizers.yml

@@ -44,9 +44,19 @@ jobs:
       - name: Install dependencies
         run: |
           sudo apt-get update
-          sudo apt-get install -y libwolfssl-dev check
+          sudo apt-get install -y build-essential autoconf automake libtool pkg-config check
           sudo modprobe tun
 
+      - name: Clone and build wolfSSL from nightly-snapshot
+        run: |
+          git clone --depth=1 https://github.com/wolfssl/wolfssl --branch nightly-snapshot /tmp/wolfssl
+          cd /tmp/wolfssl
+          ./autogen.sh
+          ./configure --enable-md5
+          make -j$(nproc)
+          sudo make install
+          sudo ldconfig
+
       - name: Build wolfIP with ${{ matrix.name }}
         run: |
           mkdir -p build/port

src/test/unit/unit.c

@@ -208,6 +208,26 @@ Suite *wolf_suite(void)
     tcase_add_test(tc_utils, test_sock_accept_synack_retransmission);
     tcase_add_test(tc_utils, test_sock_accept_synack_window_not_scaled);
     tcase_add_test(tc_utils, test_sock_accept_ack_transitions_to_established);
+    tcase_add_test(tc_utils, test_listen_socket_survives_synrcvd_rto_expiry);
+    tcase_add_test(tc_utils, test_accepted_socket_destroyed_on_synrcvd_rto_expiry);
+    tcase_add_test(tc_utils, test_tcp_send_syn_options_aligned_small_mtu);
+    tcase_add_test(tc_utils, test_syn_sent_bare_rst_dropped);
+    tcase_add_test(tc_utils, test_syn_rcvd_rst_bad_seq_dropped);
+    tcase_add_test(tc_utils, test_ip_recv_drops_broadcast_source);
+    tcase_add_test(tc_utils, test_arp_recv_rejects_broadcast_sender);
+    tcase_add_test(tc_utils, test_dhcp_ack_rejects_mismatched_server_id);
+    tcase_add_test(tc_utils, test_udp_no_icmp_unreachable_for_broadcast_src);
+    tcase_add_test(tc_utils, test_udp_no_icmp_unreachable_for_multicast_src);
+    tcase_add_test(tc_utils, test_udp_no_icmp_unreachable_for_broadcast_dst);
+    tcase_add_test(tc_utils, test_udp_no_icmp_unreachable_for_multicast_dst);
+    tcase_add_test(tc_utils, test_tcp_no_rst_for_broadcast_dst);
+    tcase_add_test(tc_utils, test_tcp_no_rst_for_multicast_dst);
+    tcase_add_test(tc_utils, test_dhcp_renewing_transitions_to_rebinding);
+    tcase_add_test(tc_utils, test_arp_recv_rejects_wrong_htype);
+    tcase_add_test(tc_utils, test_syn_sent_bad_ack_synack_sends_rst);
+    tcase_add_test(tc_utils, test_syn_rcvd_bad_ack_sends_rst);
+    tcase_add_test(tc_utils, test_established_fin_without_ack_dropped);
+    tcase_add_test(tc_utils, test_ip_recv_drops_source_routed_packet);
     tcase_add_test(tc_utils, test_sock_sendto_error_paths);
     tcase_add_test(tc_utils, test_sock_sendto_null_buf_or_len_zero);
     tcase_add_test(tc_utils, test_sock_sendto_tcp_not_established);
@@ -712,6 +732,7 @@ Suite *wolf_suite(void)
     tcase_add_test(tc_proto, test_icmp_input_echo_request_dhcp_running_no_reply);
     tcase_add_test(tc_proto, test_icmp_input_echo_request_broadcast_no_reply);
     tcase_add_test(tc_proto, test_icmp_input_echo_request_directed_broadcast_no_reply);
+    tcase_add_test(tc_proto, test_icmp_input_echo_request_multicast_no_reply);
     tcase_add_test(tc_proto, test_icmp_input_echo_request_filter_drop);
     tcase_add_test(tc_proto, test_icmp_input_echo_request_ip_filter_drop);
     tcase_add_test(tc_proto, test_icmp_input_echo_request_eth_filter_drop);