Add WOLFSSL_ASYNC_CERT_YIELD: per-certificate non-blocking yield#10738
Open
dgarske wants to merge 1 commit into
Open
Add WOLFSSL_ASYNC_CERT_YIELD: per-certificate non-blocking yield#10738dgarske wants to merge 1 commit into
dgarske wants to merge 1 commit into
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Adds an opt-in asynchronous handshake behavior (WOLFSSL_ASYNC_CERT_YIELD) to cooperatively yield control between peer certificate chain elements during verification, returning WC_PENDING_E after each certificate so single-threaded schedulers can regain control (e.g., to service a watchdog).
Changes:
- Add a persistent
ssl->options.certYieldPendingflag (gated onWOLFSSL_ASYNC_CRYPT && WOLFSSL_ASYNC_CERT_YIELD) to reliably distinguish “fresh entry” vs “resume after deliberate yield”. - Update
ProcessPeerCerts()to deliberately returnWC_PENDING_Eafter each chain certificate verify and once after the leaf verify, and to resume correctly on re-entry. - Extend async examples + CI to exercise multi-certificate chains (
--cert-chain) and validate the yield behavior.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
wolfssl/internal.h |
Adds Options.certYieldPending bit to persist deliberate-yield state across re-entry. |
src/ssl.c |
Clears certYieldPending in wolfSSL_clear() so abandoned handshakes can restart cleanly. |
src/internal.c |
Implements per-certificate WC_PENDING_E yield points in ProcessPeerCerts() and a re-entry path keyed by certYieldPending. |
README-async.md |
Documents WOLFSSL_ASYNC_CERT_YIELD, intended usage model, and the “no async event queued” caveat. |
examples/async/async_server.c |
Adds --cert-chain option and constructs a 2-cert ECC chain in-memory for testing peer chain processing. |
examples/async/async_client.c |
Adds --cert-chain option and loads the appropriate CA buffer for verifying the presented chain. |
.github/workflows/async-examples.yml |
Adds a CI job to build/run async examples with -DWOLFSSL_ASYNC_CERT_YIELD and assert expected yielding behavior. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…yield during async TLS chain processing
dgarske
force-pushed
the
zd_ecc_nonblock_certchain
branch
from
bc00ce6 to
c431ad6
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds an opt-in build option,
WOLFSSL_ASYNC_CERT_YIELD, that makesProcessPeerCerts()returnWC_PENDING_Eto the caller after each certificate in the peer's chain (and after the leaf) is verified, instead of verifying the whole chain in onewolfSSL_connect()/wolfSSL_accept()call. This lets a cooperative, single-threaded scheduler regain control between certificates to service a watchdog. RequiresWOLFSSL_ASYNC_CRYPT; off by default. Independent ofWC_ECC_NONBLOCK(which subdivides each verify further).ZD 21071