From 7c8f2345bd48908b558d5ec57c61dbca450e6974 Mon Sep 17 00:00:00 2001
From: Reda Chouk
Date: Fri, 13 Jun 2025 13:00:55 +0000
Subject: [PATCH 1/2] Network Manager workflows
---
.github/workflows/networkmanager.yml | 111 +++++++++++++++++++++++++++
1 file changed, 111 insertions(+)
create mode 100644 .github/workflows/networkmanager.yml
diff --git a/.github/workflows/networkmanager.yml b/.github/workflows/networkmanager.yml
new file mode 100644
index 0000000..a35b848
--- /dev/null
+++ b/.github/workflows/networkmanager.yml
@@ -0,0 +1,111 @@ +name: NetworkManager • wolfSSL / GnuTLS CI + +on: + push: + branches: [ master, main ] + pull_request: + branches: [ '*' ] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + nm-wolfssl-gnutls: + runs-on: ubuntu-22.04 + timeout-minutes: 60 + + strategy: + fail-fast: false + matrix: + nm_version: [ master, "1.52.0", "1.42.4" ] + + steps: + # ────────────────────────── checkout + packages ───────────────────────── + - name: Checkout repo + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Install build dependencies + run: | + sudo apt-get update -qq + sudo apt-get install --yes --no-install-recommends \ + autoconf automake libtool m4 pkg-config build-essential git \ + meson ninja-build gettext clang gperf gnulib autopoint gtk-doc-tools \ + nettle-dev libtasn1-bin libtasn1-6-dev libunistring-dev \ + libp11-kit-dev libunbound-dev bison python3-yaml \ + debhelper debugedit dh-autoreconf dh-strip-nondeterminism dwz intltool \ + libbluetooth-dev libcurl4-gnutls-dev libdebhelper-perl \ + libfile-stripnondeterminism-perl libglib2.0-doc libgnutls28-dev \ + libnewt-dev libnl-3-dev libnl-cli-3-200 libnl-nf-3-200 libnvme-dev \ + libpolkit-agent-1-dev libslang2-dev libsub-override-perl \ + libteam-dev libteam5 libyaml-perl po-debconf + + - name: Build forked GnuTLS stack + run: | + LOGGING=0 GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh + test -d /opt/gnutls && test -d /opt/wolfssl + + - name: Build curl 7.88.1 (GnuTLS backend) + run: | + git clone --branch curl-7_88_1 https://github.com/curl/curl + cd curl + autoreconf -fi + ./configure --with-gnutls=/opt/gnutls --prefix=/usr/local \ + --disable-static --enable-shared + make -j"$(nproc)" + sudo make install + sudo ldconfig + + - name: Clone NetworkManager ${{ matrix.nm_version }} + run: | + git clone https://github.com/NetworkManager/NetworkManager + cd NetworkManager + if [ "${{ matrix.nm_version }}" != "master" ]; then + 
git checkout "${{ matrix.nm_version }}" + fi + + - name: Configure & build NetworkManager + working-directory: NetworkManager + run: | + export PKG_CONFIG_PATH="/opt/gnutls/lib/pkgconfig:/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH" + export CPPFLAGS="-I/opt/gnutls/include -I/usr/local/include $CPPFLAGS" + export LDFLAGS="-L/opt/gnutls/lib -L/usr/local/lib -Wl,-rpath,/opt/gnutls/lib:/usr/local/lib $LDFLAGS" + export LD_LIBRARY_PATH="/opt/gnutls/lib:/usr/local/lib:$LD_LIBRARY_PATH" + + meson setup build-gnutls \ + -Dcrypto=gnutls \ + -Dtests=yes \ + -Dsystemd_journal=true \ + -Dmore_logging=true \ + -Dqt=false + ninja -C build-gnutls -j"$(nproc)" + + # ───────────────────── verify linkage (before tests) ──────────────────── + - name: Verify linkage to /opt/gnutls + working-directory: NetworkManager/build-gnutls + run: | + BIN=src/nmcli/nmcli + LIB=$(find src/libnm-client-impl -name 'libnm.so*' -type f | head -n1) + for obj in "$BIN" "$LIB"; do + echo "::group::ldd $obj" + ldd "$obj" | grep -E 'lib(curl|gnutls)' + echo "::endgroup::" + ldd "$obj" | grep -q '/opt/gnutls/lib/libgnutls.so.30' || exit 1 + done + + # ────────────────────────── run test-suite ────────────────────────────── + - name: Run NetworkManager tests + working-directory: NetworkManager + run: | + export PKG_CONFIG_PATH="/opt/gnutls/lib/pkgconfig:/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH" + export CPPFLAGS="-I/opt/gnutls/include -I/usr/local/include $CPPFLAGS" + export LDFLAGS="-L/opt/gnutls/lib -L/usr/local/lib -Wl,-rpath,/opt/gnutls/lib:/usr/local/lib $LDFLAGS" + export LD_LIBRARY_PATH="/opt/gnutls/lib:/usr/local/lib:$LD_LIBRARY_PATH" + + if [ "${{ matrix.nm_version }}" = "1.42.4" ]; then + ninja -C build-gnutls meson-test -- --skip platform/test-link-linux --skip config/test-config + else + ninja -C build-gnutls test + fi From e5d60c1851066f6c831bad1485baecddca144cd2 Mon Sep 17 00:00:00 2001 
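Review bot: The new workflow declares no `permissions:` block, so the job's GITHUB_TOKEN gets the repository default while the steps run `./setup.sh` and third-party build scripts with passwordless sudo; a top-level `permissions:` with `contents: read` keeps the token read-only. `actions/checkout@v4` is a mutable tag, and pinning it to the full commit SHA (`uses: actions/checkout@FULL_COMMIT_SHA # v4`, placeholder) removes the dependency on where the tag points. Separately, `branches: [ '*' ]` under `pull_request` does not match branch names containing `/`; `'**'` does, if every target branch is meant. The `master` matrix entry clones NetworkManager's moving head, so a red run may reflect upstream drift rather than a change in this repository.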
From: Reda Chouk Date: Fri, 13 Jun 2025 14:32:45 +0000 Subject: [PATCH 2/2] - Updated README.md; - Added missing dependencies; - Reworked tpm2-tools to point to the new dir /opt/curl instead of /usr/local --- .github/workflows/networkmanager.yml | 67 +++++++++++++++++---------- .github/workflows/tpm2-tools.yml | 32 +++++++------ README.md | 69 +++++++++++++++++++++++++++- 3 files changed, 129 insertions(+), 39 deletions(-) diff --git a/.github/workflows/networkmanager.yml b/.github/workflows/networkmanager.yml index a35b848..1ba957a 100644 --- a/.github/workflows/networkmanager.yml +++ b/.github/workflows/networkmanager.yml @@ -33,14 +33,14 @@ jobs: sudo apt-get install --yes --no-install-recommends \ autoconf automake libtool m4 pkg-config build-essential git \ meson ninja-build gettext clang gperf gnulib autopoint gtk-doc-tools \ - nettle-dev libtasn1-bin libtasn1-6-dev libunistring-dev \ + nettle-dev libtasn1-bin libtasn1-6-dev libunistring-dev libnvme-dev \ libp11-kit-dev libunbound-dev bison python3-yaml \ debhelper debugedit dh-autoreconf dh-strip-nondeterminism dwz intltool \ - libbluetooth-dev libcurl4-gnutls-dev libdebhelper-perl \ - libfile-stripnondeterminism-perl libglib2.0-doc libgnutls28-dev \ - libnewt-dev libnl-3-dev libnl-cli-3-200 libnl-nf-3-200 libnvme-dev \ - libpolkit-agent-1-dev libslang2-dev libsub-override-perl \ - libteam-dev libteam5 libyaml-perl po-debconf + libbluetooth-dev libdebhelper-perl libndp-dev \ + libfile-stripnondeterminism-perl libglib2.0-doc \ + libnewt-dev libnl-3-dev libnl-cli-3-200 libnl-nf-3-200 libgirepository1.0-dev \ + libpolkit-agent-1-dev libslang2-dev libsub-override-perl libdbus-1-dev ppp ppp-dev mobile-broadband-provider-info \ + libteam-dev libteam5 libyaml-perl po-debconf libaudit-dev libudev-dev libsystemd-dev libmm-glib-dev libjansson-dev dhcpcd5 dnsmasq-base libpsl-dev libreadline-dev valac - name: Build forked GnuTLS stack run: | 
@@ -52,7 +52,7 @@ jobs: git clone --branch curl-7_88_1 https://github.com/curl/curl cd curl autoreconf -fi - ./configure --with-gnutls=/opt/gnutls --prefix=/usr/local \ + ./configure --with-gnutls=/opt/gnutls --prefix=/opt/curl \ --disable-static --enable-shared make -j"$(nproc)" sudo make install @@ -69,17 +69,28 @@ jobs: - name: Configure & build NetworkManager working-directory: NetworkManager run: | - export PKG_CONFIG_PATH="/opt/gnutls/lib/pkgconfig:/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH" - export CPPFLAGS="-I/opt/gnutls/include -I/usr/local/include $CPPFLAGS" - export LDFLAGS="-L/opt/gnutls/lib -L/usr/local/lib -Wl,-rpath,/opt/gnutls/lib:/usr/local/lib $LDFLAGS" - export LD_LIBRARY_PATH="/opt/gnutls/lib:/usr/local/lib:$LD_LIBRARY_PATH" + export PKG_CONFIG_PATH="/opt/gnutls/lib/pkgconfig:/opt/curl/lib/pkgconfig${PKG_CONFIG_PATH:+:$PKG_CONFIG_PATH}" + export CPPFLAGS="-I/opt/gnutls/include -I/opt/curl/include${CPPFLAGS:+ $CPPFLAGS}" + export LDFLAGS="-L/opt/gnutls/lib -L/opt/curl/lib -Wl,-rpath,/opt/gnutls/lib:/opt/curl/lib${LDFLAGS:+ $LDFLAGS}" + export LD_LIBRARY_PATH="/opt/gnutls/lib:/opt/curl/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" + + if [ "${{ matrix.nm_version }}" != "master" ]; then + meson setup build-gnutls \ + -Dcrypto=gnutls \ + -Dtests=yes \ + -Dsystemd_journal=true \ + -Dmore_logging=true \ + -Dqt=false + else + meson setup build-gnutls \ + -Dcrypto=gnutls \ + -Dtests=yes \ + -Dsystemd_journal=true \ + -Dmore_logging=true \ + -Dqt=false \ + -Dnbft=false + fi - meson setup build-gnutls \ - -Dcrypto=gnutls \ - -Dtests=yes \ - -Dsystemd_journal=true \ - -Dmore_logging=true \ - -Dqt=false ninja -C build-gnutls -j"$(nproc)" # ───────────────────── verify linkage (before tests) ──────────────────── 
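Review bot: With the prefix moved to `/opt/curl`, the `sudo ldconfig` that follows `sudo make install` no longer registers this libcurl, because `/opt/curl/lib` is not a default linker-cache directory; resolution now rests entirely on the rpath and `LD_LIBRARY_PATH` set in later steps. The NetworkManager linkage step (outside this hunk) asserts only the `libgnutls.so.30` path, so nothing in this workflow fails if a built object resolves libcurl from a distro copy instead, should one be present on the runner. Consider a matching assertion there, modelled on the tpm2-tools check `grep -q "libcurl.so.4 => /opt/curl/lib/libcurl.so.4"`, applied to whichever built object links libcurl. The `git clone --branch curl-7_88_1` line also fetches by tag with no commit verification; recording the expected commit and comparing it with `git rev-parse HEAD` would make the input reproducible.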
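Review bot: The two `meson setup` branches in the `@@ -69,17 +69,28 @@` hunk differ only by `-Dnbft=false`, so the option list now has to be kept in sync by hand. A single invocation with an optional argument avoids that: set `nbft_opt=""`, then `if [ "$NM_VERSION" = "master" ]; then nbft_opt="-Dnbft=false"; fi`, and append `$nbft_opt` to the one `meson setup build-gnutls` call. Passing the matrix value through a step-level `env:` entry (`NM_VERSION: ${{ matrix.nm_version }}`) instead of expanding the expression inside the script keeps the shell text constant; the values are literals here, so this is hygiene rather than an injection fix. A short comment saying why NBFT is disabled only on master would help the next reader.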
@@ -99,13 +110,21 @@ jobs: - name: Run NetworkManager tests working-directory: NetworkManager run: | - export PKG_CONFIG_PATH="/opt/gnutls/lib/pkgconfig:/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH" - export CPPFLAGS="-I/opt/gnutls/include -I/usr/local/include $CPPFLAGS" - export LDFLAGS="-L/opt/gnutls/lib -L/usr/local/lib -Wl,-rpath,/opt/gnutls/lib:/usr/local/lib $LDFLAGS" - export LD_LIBRARY_PATH="/opt/gnutls/lib:/usr/local/lib:$LD_LIBRARY_PATH" + export PKG_CONFIG_PATH="/opt/gnutls/lib/pkgconfig:/opt/curl/lib/pkgconfig${PKG_CONFIG_PATH:+:$PKG_CONFIG_PATH}" + export CPPFLAGS="-I/opt/gnutls/include -I/opt/curl/include${CPPFLAGS:+ $CPPFLAGS}" + export LDFLAGS="-L/opt/gnutls/lib -L/opt/curl/lib -Wl,-rpath,/opt/gnutls/lib:/opt/curl/lib${LDFLAGS:+ $LDFLAGS}" + export LD_LIBRARY_PATH="/opt/gnutls/lib:/opt/curl/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" + export NM_TEST_REGENERATE=1 - if [ "${{ matrix.nm_version }}" = "1.42.4" ]; then - ninja -C build-gnutls meson-test -- --skip platform/test-link-linux --skip config/test-config - else + if [ "${{ matrix.nm_version }}" != "1.42.4" ]; then ninja -C build-gnutls test + else + # Skipped on CI because the GitHub Actions kernel lacks the VRF/Team modules and QoS-mapping support that platform/test-link-linux expects, so the test aborts with “Unknown device type / xgress QoS mapping assertion. + # Doesn't test any TLS/Crypto capabilities. + cd build-gnutls + all_tests=$(meson test --list 2>/dev/null) + test_list=$(printf '%s\n' "$all_tests" \ + | grep -v -E '^(platform/test-link-linux)$' \ + | tr '\n' ' ') + meson test $test_list --print-errorlogs fi diff --git a/.github/workflows/tpm2-tools.yml b/.github/workflows/tpm2-tools.yml index 4e76c3a..22a804a 100644 --- a/.github/workflows/tpm2-tools.yml +++ b/.github/workflows/tpm2-tools.yml 
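Review bot: `export NM_TEST_REGENERATE=1` is now set for every matrix entry; this switch appears to make NetworkManager's tests rewrite their expected-output files rather than only compare against them, which would weaken the run as a regression check for the wolfSSL-backed GnuTLS. If it is needed only to get past known output differences, scope it to those tests with a comment naming them, or drop it and skip them explicitly. In the 1.42.4 branch the old `--skip config/test-config` is gone without explanation, and the anchored filter `^(platform/test-link-linux)$` excludes the test only if `meson test --list` prints the bare name; if the listing carries a project or suite prefix the test still runs, so the format on the runner's meson is worth checking. The added comment also has an unclosed quotation mark after “Unknown device type.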
@@ -64,7 +64,7 @@ jobs: git clone --branch curl-8_4_0 https://github.com/curl/curl cd curl autoreconf -fi - ./configure --with-gnutls=/opt/gnutls --prefix=/usr/local + ./configure --with-gnutls=/opt/gnutls --prefix=/opt/curl make sudo make install sudo ldconfig @@ -76,9 +76,10 @@ jobs: cd tpm2-tss git submodule update --init --recursive ./bootstrap - export PKG_CONFIG_PATH=/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH - export CPPFLAGS="-I/opt/gnutls/include $CPPFLAGS" - export LDFLAGS="-L/opt/gnutls/lib -Wl,-rpath,/opt/gnutls/lib $LDFLAGS" + export PKG_CONFIG_PATH="/opt/gnutls/lib/pkgconfig:/opt/curl/lib/pkgconfig${PKG_CONFIG_PATH:+:$PKG_CONFIG_PATH}" + export CPPFLAGS="-I/opt/gnutls/include -I/opt/curl/include${CPPFLAGS:+ $CPPFLAGS}" + export LDFLAGS="-L/opt/gnutls/lib -L/opt/curl/lib -Wl,-rpath,/opt/gnutls/lib:/opt/curl/lib${LDFLAGS:+ $LDFLAGS}" + export LD_LIBRARY_PATH="/opt/gnutls/lib:/opt/curl/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" ./configure --prefix=/usr/local --disable-hardening make sudo make install @@ -90,9 +91,10 @@ jobs: git clone https://github.com/tpm2-software/tpm2-abrmd cd tpm2-abrmd ./bootstrap - export PKG_CONFIG_PATH=/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH - export CPPFLAGS="-I/opt/gnutls/include $CPPFLAGS" - export LDFLAGS="-L/opt/gnutls/lib -Wl,-rpath,/opt/gnutls/lib $LDFLAGS" + export PKG_CONFIG_PATH="/opt/gnutls/lib/pkgconfig:/opt/curl/lib/pkgconfig${PKG_CONFIG_PATH:+:$PKG_CONFIG_PATH}" + export CPPFLAGS="-I/opt/gnutls/include -I/opt/curl/include${CPPFLAGS:+ $CPPFLAGS}" + export LDFLAGS="-L/opt/gnutls/lib -L/opt/curl/lib -Wl,-rpath,/opt/gnutls/lib:/opt/curl/lib${LDFLAGS:+ $LDFLAGS}" + export LD_LIBRARY_PATH="/opt/gnutls/lib:/opt/curl/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" ./configure --prefix=/usr/local \ --with-dbuspolicydir=/etc/dbus-1/system.d \ --with-systemdsystemunitdir=/lib/systemd/system 
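Review bot: The same four `export` lines are pasted into the tpm2-tss step (hunk `@@ -76,9 +76,10 @@`) and again into the hunks at -90, -122 and -144, plus two steps of networkmanager.yml, so a later prefix change has to be made in six places. Since the values are fixed paths, a job-level `env:` block (`PKG_CONFIG_PATH: /opt/gnutls/lib/pkgconfig:/opt/curl/lib/pkgconfig`, and likewise for the other three) would state them once, provided the runner does not preset these variables. `LD_LIBRARY_PATH` is newly exported here although the link flags already embed an rpath; a comment on which of the two the build relies on would help, because commands run through `sudo` typically do not inherit `LD_LIBRARY_PATH`. The clone and `./configure` lines of these steps are unchanged context and lie partly outside the hunks.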
@@ -122,9 +124,10 @@ jobs: fi ./bootstrap - export PKG_CONFIG_PATH=/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH - export CPPFLAGS="-I/opt/gnutls/include $CPPFLAGS" - export LDFLAGS="-L/opt/gnutls/lib -Wl,-rpath,/opt/gnutls/lib $LDFLAGS" + export PKG_CONFIG_PATH="/opt/gnutls/lib/pkgconfig:/opt/curl/lib/pkgconfig${PKG_CONFIG_PATH:+:$PKG_CONFIG_PATH}" + export CPPFLAGS="-I/opt/gnutls/include -I/opt/curl/include${CPPFLAGS:+ $CPPFLAGS}" + export LDFLAGS="-L/opt/gnutls/lib -L/opt/curl/lib -Wl,-rpath,/opt/gnutls/lib:/opt/curl/lib${LDFLAGS:+ $LDFLAGS}" + export LD_LIBRARY_PATH="/opt/gnutls/lib:/opt/curl/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" ./configure --prefix=/usr/local --enable-unit=abrmd make sudo make install @@ -136,7 +139,7 @@ jobs: echo "::group::ldd $bin" ldd "$bin" | grep -E "lib(curl|gnutls)" echo "::endgroup::" - ldd "$bin" | grep -q "libcurl.so.4 => /usr/local/lib/libcurl.so.4" && + ldd "$bin" | grep -q "libcurl.so.4 => /opt/curl/lib/libcurl.so.4" && ldd "$bin" | grep -q "libgnutls.so.30 => /opt/gnutls/lib/libgnutls.so.30" || { echo "❌ Wrong linkage detected in $bin"; exit 1; } done @@ -144,9 +147,10 @@ jobs: - name: Run complete test-suite run: | cd tpm2-tools - export PKG_CONFIG_PATH=/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH - export CPPFLAGS="-I/opt/gnutls/include $CPPFLAGS" - export LDFLAGS="-L/opt/gnutls/lib -Wl,-rpath,/opt/gnutls/lib $LDFLAGS" + export PKG_CONFIG_PATH="/opt/gnutls/lib/pkgconfig:/opt/curl/lib/pkgconfig${PKG_CONFIG_PATH:+:$PKG_CONFIG_PATH}" + export CPPFLAGS="-I/opt/gnutls/include -I/opt/curl/include${CPPFLAGS:+ $CPPFLAGS}" + export LDFLAGS="-L/opt/gnutls/lib -L/opt/curl/lib -Wl,-rpath,/opt/gnutls/lib:/opt/curl/lib${LDFLAGS:+ $LDFLAGS}" + export LD_LIBRARY_PATH="/opt/gnutls/lib:/opt/curl/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" export GNUTLS_DEBUG_LEVEL=5 export WGW_LOGGING=1 export TEST_REGENERATE_OUTPUT=1 diff --git a/README.md b/README.md index c1474ef..fd1f91e 100644 --- a/README.md +++ b/README.md 
@@ -1,3 +1,70 @@ # gnutls-wolfssl -Experimental port of wolfSSL into gnutls +Experimental port of wolfSSL into GnuTLS. One script builds everything and drops the bits under /opt. + +## Quick start +``` +git clone https://github.com/YOURORG/gnutls-wolfssl.git +cd gnutls-wolfssl +# regular build +./setup.sh + +# build with FIPS 140 support +./setup.sh fips +``` +On success you get: +``` +/opt/wolfssl wolfSSL +/opt/gnutls GnuTLS built on wolfSSL +/opt/wolfssl-gnutls-wrapper runtime shim +``` +If the loader can’t find the libs, add the path to LD_LIBRARY_PATH (Linux) or DYLD_LIBRARY_PATH (macOS). + +## Environment variables +| var | default | note | +|-----|---------|------| +| WOLFSSL_INSTALL | /opt/wolfssl | install prefix | +| GNUTLS_INSTALL | /opt/gnutls | install prefix | +| GNUTLS_FORCE_FIPS_MODE | – | set at runtime to enforce FIPS | + +## Directory layout (after setup.sh has been run) +``` +setup.sh do‑it‑all build script +rebuild-gnutls.sh rebuild GnuTLS only +wolfssl/ upstream clone +gnutls/ upstream clone + branch gnutls-wolfssl +wolfssl-gnutls-wrapper/ thin shim + tests +``` + +## Tests +``` +cd wolfssl-gnutls-wrapper + +# build wrapper +make + +# full suite +make test + +# fast run of the test suite +make test_fast + +# test fips (only if ./setup.sh was run in fips mode) +make test_fips +``` +Each test prints ✔️/❌ and a summary. + +## Using in your project +``` +cc app.c \ + -I/opt/gnutls/include -I/opt/wolfssl/include \ + -L/opt/gnutls/lib -lgnutls \ + -L/opt/wolfssl/lib -lwolfssl \ + -L/opt/wolfssl-gnutls-wrapper/lib -lgnutls-wolfssl-wrapper +``` +Make sure the wrapper comes after gnutls on the linker line. + +## Clean up +``` +sudo rm -rf /opt/wolfssl /opt/gnutls /opt/wolfssl-gnutls-wrapper +```