diff --git a/.github/workflows/libjcat.yml b/.github/workflows/libjcat.yml
index 230396b..5e3068b 100644
--- a/.github/workflows/libjcat.yml
+++ b/.github/workflows/libjcat.yml
@@ -19,7 +19,7 @@ jobs:
 strategy:
 matrix:
 os: [ ubuntu-latest ]
- libjcat_ref: [ 'master', '0.2.3', '0.2.0' ]
+ libjcat_ref: [ '0.2.3', '0.2.0' ]
 fail-fast: false
 runs-on: ${{ matrix.os }}
 container:
diff --git a/.github/workflows/openldap.yml b/.github/workflows/openldap.yml
index 9a5c143..dd230ab 100644
--- a/.github/workflows/openldap.yml
+++ b/.github/workflows/openldap.yml
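Review bot: Dropping 'master' from libjcat_ref removes the only moving target in this matrix without saying why, so the next reader cannot tell whether it was a temporary breakage workaround or a policy change. Leave a one-line comment above the list, `# 'master' dropped: <reason or tracking-issue placeholder>`, so the ref is restored deliberately rather than forgotten. The rest of the job (container, steps) is outside the hunk.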
@@ -1,78 +1,112 @@ name: OpenLDAP Test - # START OF COMMON SECTION on: push: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] - concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true # END OF COMMON SECTION - jobs: build_gnutls: name: Build wolfSSL, GnuTLS and provider timeout-minutes: 30 strategy: matrix: - os: [ ubuntu-latest ] - openldap_ref: [ 'master', 'OPENLDAP_REL_ENG_2_5_13', 'OPENLDAP_REL_ENG_2_6_9' ] + include: + - os: ubuntu-latest + openldap_ref: 'master' + use_container: true + - os: ubuntu-latest + openldap_ref: 'OPENLDAP_REL_ENG_2_5_13' + use_container: true + - os: ubuntu-24.04 + openldap_ref: 'OPENLDAP_REL_ENG_2_6_7' + use_container: false + - os: ubuntu-latest + openldap_ref: 'OPENLDAP_REL_ENG_2_6_9' + use_container: true fail-fast: false runs-on: ${{ matrix.os }} - container: - image: debian:bookworm - + container: ${{ matrix.use_container && 'debian:bookworm' || '' }} steps: - name: Checkout gnutls-wolfssl repository uses: actions/checkout@v4 - - - name: Ensure make available (Ubuntu only) - if: matrix.os == 'ubuntu-latest' + - name: Ensure make available + if: matrix.use_container == true run: | apt-get update apt-get install -y build-essential - - - name: Install GnuTLS dependencies (Ubuntu only) - if: matrix.os == 'ubuntu-latest' + - name: Install GnuTLS dependencies + if: matrix.use_container == true run: | apt-get install -y gnulib autopoint gperf gtk-doc-tools nettle-dev clang \ libtasn1-bin libtasn1-6-dev libunistring-dev libp11-kit-dev libunbound-dev sudo \ - git wget + git wget automake libtool - - name: Install OpenLDAP dependencies (Ubuntu only) - if: matrix.os == 'ubuntu-latest' + - name: Install OpenLDAP dependencies + if: matrix.use_container == true run: | sudo apt-get install -y libsasl2-dev libsasl2-modules libsasl2-modules-gssapi-mit \ libargon2-dev groff-base libltdl-dev - # ───────────── cache the wolfssl/gnutls tool-chain ───────────── + - name: Install dependencies 
on native Ubuntu + if: matrix.use_container == false + run: | + sudo apt-get update + sudo apt-get install -y build-essential gnulib autopoint gperf gtk-doc-tools nettle-dev clang \ + libtasn1-bin libtasn1-6-dev libunistring-dev libp11-kit-dev libunbound-dev \ + git wget libsasl2-dev libsasl2-modules libsasl2-modules-gssapi-mit \ + libargon2-dev groff-base libltdl-dev automake libtool + + - name: Prepare cache directories (native runner) + if: matrix.use_container == false + run: | + sudo mkdir -p /opt/gnutls /opt/wolfssl /opt/wolfssl-gnutls-wrapper + sudo chown -R $USER:$USER /opt/gnutls /opt/wolfssl /opt/wolfssl-gnutls-wrapper + + # ───────────── cache the wolfssl/gnutls tool-chain ───────────── - name: Restore cached gnutls-wolfssl id: cache-gnutls uses: actions/cache@v4 with: path: | - /opt/gnutls - /opt/wolfssl - /opt/wolfssl-gnutls-wrapper - key: gnutls-wolfssl-${{ runner.os }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }} + ${{ matrix.use_container && '/opt/gnutls' || '~/cache/gnutls' }} + ${{ matrix.use_container && '/opt/wolfssl' || '~/cache/wolfssl' }} + ${{ matrix.use_container && '/opt/wolfssl-gnutls-wrapper' || '~/cache/wolfssl-gnutls-wrapper' }} + key: gnutls-wolfssl-${{ runner.os }}-${{ matrix.use_container }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }} restore-keys: | - gnutls-wolfssl-${{ runner.os }}- + gnutls-wolfssl-${{ runner.os }}-${{ matrix.use_container }}- + + - name: Copy cache to /opt (native runner only) + if: matrix.use_container == false && steps.cache-gnutls.outputs.cache-hit == 'true' + run: | + sudo mkdir -p /opt + sudo cp -a ~/cache/gnutls /opt/ + sudo cp -a ~/cache/wolfssl /opt/ + sudo cp -a ~/cache/wolfssl-gnutls-wrapper /opt/ - name: Build GnuTLS with wolfSSL provider using setup.sh script if: steps.cache-gnutls.outputs.cache-hit != 'true' run: | echo "Running setup.sh..." 
GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh + # For native runner: also save to cache location + if [[ "${{ matrix.use_container }}" == "false" ]]; then + mkdir -p ~/cache + sudo cp -a /opt/gnutls ~/cache/ + sudo cp -a /opt/wolfssl ~/cache/ + sudo cp -a /opt/wolfssl-gnutls-wrapper ~/cache/ + sudo chown -R $(id -u):$(id -g) ~/cache + fi - name: Check setup.sh output directories run: | test -d /opt/wolfssl || { echo "/opt/wolfssl missing"; exit 1; } test -d /opt/gnutls || { echo "/opt/gnutls missing"; exit 1; } test -d /opt/wolfssl-gnutls-wrapper/lib || { echo "/opt/wolfssl-gnutls-wrapper/lib missing"; exit 1; } - - name: Build OpenLDAP at ${{ matrix.openldap_ref }} run: | git clone https://git.openldap.org/openldap/openldap.git @@ -80,13 +114,38 @@ jobs: if [ "${{ matrix.openldap_ref }}" != "master" ]; then git checkout ${{ matrix.openldap_ref }} fi - - name: Configure OpenLDAP working-directory: openldap run: | export PKG_CONFIG_PATH=/opt/gnutls/lib/pkgconfig export CPPFLAGS=-I/opt/gnutls/include export LDFLAGS="-L/opt/gnutls/lib -Wl,-rpath,/opt/gnutls/lib" + if [[ "${{ matrix.openldap_ref }}" = "OPENLDAP_REL_ENG_2_6_7" ]]; then + ./configure \ + ac_cv_func_memcmp_working=yes \ + lt_cv_dlopen_self=yes \ + --with-yielding-select=yes \ + --enable-dynamic \ + --enable-crypt \ + --with-tls=gnutls \ + --with-cyrus-sasl \ + --enable-otp \ + --with-argon2=libargon2 \ + --enable-argon2 \ + --enable-ppolicy \ + --enable-remoteauth \ + --prefix=/opt/openldap \ + --enable-modules \ + --enable-ipv6 \ + --enable-asyncmeta=mod \ + --enable-mdb=yes \ + --enable-ldap=mod \ + --enable-meta=mod \ + --enable-null=mod \ + --enable-passwd=mod \ + --enable-proxycache=mod \ + --enable-dnssrv=mod + else ./configure \ --with-tls=gnutls \ --with-cyrus-sasl \ 
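Review bot: On the native runner, the save branch added to the `Build GnuTLS with wolfSSL provider` step does `sudo cp -a /opt/gnutls ~/cache/` into a ~/cache that may already hold a restore-keys prefix hit (cache-hit is 'false' on a prefix match, so setup.sh reruns and the `Copy cache to /opt` step is skipped, but ~/cache is never cleared); cp -a merges into the existing directory, so stale files from an older toolchain build get saved under the new key. Clear the destinations first, `rm -rf ~/cache/gnutls ~/cache/wolfssl ~/cache/wolfssl-gnutls-wrapper` before the copies (or use `rsync -a --delete`). The same sequence appears in the wget.yml hunk at `@@ -18,53 +18,84 @@`. The `container: ${{ matrix.use_container && 'debian:bookworm' || '' }}` line relies on an empty string meaning "no container"; if that is confirmed to work on the runner, a short comment above it saying so would save the next reader the check.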
@@ -97,13 +156,12 @@ jobs: --enable-remoteauth \ --prefix=/opt/openldap \ --enable-modules - + fi - name: Build OpenLDAP working-directory: openldap run: | make depend make - - name: Test OpenLDAP working-directory: openldap run: | diff --git a/.github/workflows/wget.yml b/.github/workflows/wget.yml index 73a81e8..1e4136a 100644 --- a/.github/workflows/wget.yml +++ b/.github/workflows/wget.yml 
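Review bot: The new OPENLDAP_REL_ENG_2_6_7 branch repeats the whole configure invocation, and the flags it shares with the else branch (`--with-tls=gnutls`, `--with-cyrus-sasl`, `--enable-remoteauth`, `--prefix=/opt/openldap`, `--enable-modules`) will drift apart the next time one side is edited; collect the common flags in a shell variable and keep only the ref-specific extras inside the if/else. The `ac_cv_func_memcmp_working=yes lt_cv_dlopen_self=yes` cache overrides are unexplained — a comment naming which configure probe misfires on ubuntu-24.04 (presumably why they are needed) would make them safe to remove later. The Configure step starts in the previous hunk and the `fi` that closes the branch is in the following one.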
@@ -18,53 +18,84 @@ jobs: timeout-minutes: 20 strategy: matrix: - os: [ ubuntu-latest ] - wget_ref: [ 'master', 'v1.21.3', 'v1.24.5' ] + include: + - os: ubuntu-latest + wget_ref: 'master' + use_container: true + - os: ubuntu-latest + wget_ref: 'v1.21.3' + use_container: true + - os: ubuntu-24.04 + wget_ref: 'v1.21.4' + use_container: false + - os: ubuntu-latest + wget_ref: 'v1.24.5' + use_container: true fail-fast: false runs-on: ${{ matrix.os }} - container: - image: debian:bookworm + container: ${{ matrix.use_container && 'debian:bookworm' || '' }} steps: - name: Checkout gnutls-wolfssl repository uses: actions/checkout@v4 - - name: Ensure make available (Ubuntu only) - if: matrix.os == 'ubuntu-latest' + - name: Ensure make available + if: matrix.use_container == true run: | apt-get update apt-get install -y build-essential - - - name: Install GnuTLS dependencies (Ubuntu only) - if: matrix.os == 'ubuntu-latest' + - name: Install GnuTLS dependencies + if: matrix.use_container == true run: | apt-get install -y gnulib autopoint gperf gtk-doc-tools nettle-dev clang \ libtasn1-bin libtasn1-6-dev libunistring-dev libp11-kit-dev libunbound-dev \ sudo wget git flex - - - name: Install wget dependencies (Ubuntu only) - if: matrix.os == 'ubuntu-latest' + - name: Install wget dependencies + if: matrix.use_container == true run: | sudo apt-get install -y autoconf-archive libhttp-daemon-perl + - name: Install dependencies on native Ubuntu + if: matrix.use_container == false + run: | + sudo apt-get update + sudo apt-get install -y build-essential gnulib autopoint gperf gtk-doc-tools nettle-dev clang \ + libtasn1-bin libtasn1-6-dev libunistring-dev libp11-kit-dev libunbound-dev \ + wget git flex autoconf-archive libhttp-daemon-perl - # ───────────── cache the wolfssl/gnutls tool-chain ───────────── + # ───────────── cache the wolfssl/gnutls tool-chain ───────────── - name: Restore cached gnutls-wolfssl id: cache-gnutls uses: actions/cache@v4 with: path: | - /opt/gnutls - 
/opt/wolfssl - /opt/wolfssl-gnutls-wrapper - key: gnutls-wolfssl-${{ runner.os }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }} + ${{ matrix.use_container && '/opt/gnutls' || '~/cache/gnutls' }} + ${{ matrix.use_container && '/opt/wolfssl' || '~/cache/wolfssl' }} + ${{ matrix.use_container && '/opt/wolfssl-gnutls-wrapper' || '~/cache/wolfssl-gnutls-wrapper' }} + key: gnutls-wolfssl-${{ runner.os }}-${{ matrix.use_container }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }} restore-keys: | - gnutls-wolfssl-${{ runner.os }}- + gnutls-wolfssl-${{ runner.os }}-${{ matrix.use_container }}- + + - name: Copy cache to /opt (native runner only) + if: matrix.use_container == false && steps.cache-gnutls.outputs.cache-hit == 'true' + run: | + sudo mkdir -p /opt + sudo cp -a ~/cache/gnutls /opt/ + sudo cp -a ~/cache/wolfssl /opt/ + sudo cp -a ~/cache/wolfssl-gnutls-wrapper /opt/ - name: Build GnuTLS with wolfSSL provider using setup.sh script if: steps.cache-gnutls.outputs.cache-hit != 'true' run: | echo "Running setup.sh..." GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh + # For native runner: also save to cache location + if [[ "${{ matrix.use_container }}" == "false" ]]; then + mkdir -p ~/cache + sudo cp -a /opt/gnutls ~/cache/ + sudo cp -a /opt/wolfssl ~/cache/ + sudo cp -a /opt/wolfssl-gnutls-wrapper ~/cache/ + sudo chown -R $(id -u):$(id -g) ~/cache + fi - name: Check setup.sh output directories run: | @@ -74,7 +105,6 @@ jobs: test -d /opt/gnutls || exit 1 echo "Check for wrapper installation..." test -d /opt/wolfssl-gnutls-wrapper/lib || exit 1 - - name: Build wget at ${{ matrix.wget_ref }} uses: actions/checkout@v4 with: 
@@ -93,33 +123,39 @@ jobs: git clone https://github.com/coreutils/gnulib gnulib ./bootstrap autoreconf -fi - ./configure --with-ssl=gnutls --with-libgnutls-prefix=/opt/gnutls - + if [[ "${{ matrix.wget_ref }}" = "v1.21.4" ]]; then + ./configure --with-ssl=gnutls --with-libgnutls-prefix=/opt/gnutls \ + --without-libssl-prefix \ + --disable-rpath \ + --with-ssl=gnutls \ + --enable-pcre \ + --with-zlib \ + --enable-ipv6 + else + ./configure --with-ssl=gnutls --with-libgnutls-prefix=/opt/gnutls + fi - name: Make wget working-directory: wget run: | make -j $(nproc) - # Get python 3.11 for old versions of wget - name: Install pyenv dependencies - if: matrix.wget_ref == 'v1.21.3' + if: matrix.wget_ref == 'v1.21.3' || matrix.wget_ref == 'v1.21.4' run: | sudo apt-get update sudo apt-get install -y make build-essential libssl-dev zlib1g-dev \ libbz2-dev libreadline-dev libsqlite3-dev wget curl llvm \ libncursesw5-dev xz-utils tk-dev libxml2-dev libxmlsec1-dev \ libffi-dev liblzma-dev - - name: Install pyenv - if: matrix.wget_ref == 'v1.21.3' + if: matrix.wget_ref == 'v1.21.3' || matrix.wget_ref == 'v1.21.4' run: | curl https://pyenv.run | bash - - name: Test wget working-directory: wget run: | # If Python 3.11 needed, reinitialize pyenv - if [ "${{ matrix.wget_ref }}" = "v1.21.3" ]; then + if [[ "${{ matrix.wget_ref }}" = "v1.21.3" || "${{ matrix.wget_ref }}" = "v1.21.4" ]]; then export PYENV_ROOT="$HOME/.pyenv" export PATH="$PYENV_ROOT/bin:$PATH" eval "$(pyenv init --path)" @@ -128,5 +164,10 @@ jobs: pyenv global 3.11.9 python --version fi + # To make /opt/gnutls visible to the test binaries, LD_LIBRARY_PATH + # is needed since we disable rpath for v1.21.4. + if [[ "${{ matrix.wget_ref }}" = "v1.21.4" ]]; then + export LD_LIBRARY_PATH=/opt/gnutls/lib:/opt/wolfssl/lib:/opt/wolfssl-gnutls-wrapper/lib:$LD_LIBRARY_PATH + fi make check find . -name '*.log' | xargs grep wgw 
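Review bot: The v1.21.4 configure call passes `--with-ssl=gnutls` twice (first and fifth argument); drop the second occurrence. The pyenv step is now also run for v1.21.4 and still fetches `curl https://pyenv.run | bash` unpinned from the network on every run; since its use is being widened, cloning a tagged pyenv release instead would make the job reproducible and keep an upstream change from flowing straight into CI. The pyenv dependency list installs libssl-dev into a job whose point is the wolfSSL-backed GnuTLS; that is presumably harmless for wget's own link, but a comment saying it is only for building CPython would stop a reader from worrying about it.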
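Review bot: `export LD_LIBRARY_PATH=/opt/gnutls/lib:/opt/wolfssl/lib:/opt/wolfssl-gnutls-wrapper/lib:$LD_LIBRARY_PATH` leaves a trailing colon when the variable was unset, and an empty LD_LIBRARY_PATH entry means the current directory is searched, so the test binaries could pick up a stray shared object from the build tree. Use `export LD_LIBRARY_PATH=/opt/gnutls/lib:/opt/wolfssl/lib:/opt/wolfssl-gnutls-wrapper/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` so the separator only appears when there is something to append. The Test wget step begins in the previous hunk.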
diff --git a/.github/workflows/wireshark.yml b/.github/workflows/wireshark.yml
new file mode 100644
index 0000000..ab26166
--- /dev/null
+++ b/.github/workflows/wireshark.yml
@@ -0,0 +1,112 @@ +name: wireshark test + +on: + push: + branches: [ 'master', 'main', 'release/**' ] + pull_request: + branches: [ '*' ] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + build_gnutls: + name: Build wolfSSL, GnuTLS and provider + timeout-minutes: 20 + strategy: + matrix: + os: [ ubuntu-24.04 ] + wireshark_ref: [ 'master', 'v4.2.12', 'v4.6.0' ] + fail-fast: false + runs-on: ${{ matrix.os }} + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Install dependencies + run: | + sudo apt-get update + sudo apt-get install -y build-essential gnulib autopoint gperf gtk-doc-tools nettle-dev clang \ + libtasn1-bin libtasn1-6-dev libunistring-dev libp11-kit-dev libunbound-dev \ + wget git flex autoconf-archive libhttp-daemon-perl ninja-build + + - name: Restore cached gnutls-wolfssl + id: cache-gnutls + uses: actions/cache@v4 + with: + path: | + ~/cache/gnutls + ~/cache/wolfssl + ~/cache/wolfssl-gnutls-wrapper + key: gnutls-wolfssl-${{ runner.os }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }} + restore-keys: | + gnutls-wolfssl-${{ runner.os }}- + + - name: Copy cache to /opt + if: steps.cache-gnutls.outputs.cache-hit == 'true' + run: | + sudo mkdir -p /opt + sudo cp -a ~/cache/gnutls /opt/ + sudo cp -a ~/cache/wolfssl /opt/ + sudo cp -a ~/cache/wolfssl-gnutls-wrapper /opt/ + echo "Cache restored successfully" + + - name: Build GnuTLS with wolfSSL provider using setup.sh script + if: steps.cache-gnutls.outputs.cache-hit != 'true' + run: | + echo "Cache miss - running setup.sh..." 
+ GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh + # Save to cache location + mkdir -p ~/cache + sudo cp -a /opt/gnutls ~/cache/ + sudo cp -a /opt/wolfssl ~/cache/ + sudo cp -a /opt/wolfssl-gnutls-wrapper ~/cache/ + sudo chown -R $(id -u):$(id -g) ~/cache + + - name: Check setup.sh output directories + run: | + echo "Check for wolfSSL installation..." + ls -la /opt/wolfssl || { echo "/opt/wolfssl not found"; exit 1; } + echo "Check for GnuTLS installation..." + ls -la /opt/gnutls || { echo "/opt/gnutls not found"; exit 1; } + echo "Check for wrapper installation..." + ls -la /opt/wolfssl-gnutls-wrapper/lib || { echo "/opt/wolfssl-gnutls-wrapper/lib not found"; exit 1; } + + - name: Clone wireshark + run: | + git clone https://github.com/wireshark/wireshark.git + + - name: Setup and build wireshark + working-directory: wireshark + run: | + if [[ "${{ matrix.wireshark_ref }}" != "master" ]]; then + git checkout ${{ matrix.wireshark_ref }} + fi + sudo ./tools/debian-setup.sh + sudo ./tools/debian-setup.sh --install-deb-deps + sudo ./tools/debian-setup.sh --install-test-deps + mkdir build && cd build + export PKG_CONFIG_PATH=/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH + cmake -G Ninja .. \ + -DENABLE_PCAP=ON \ + -DENABLE_GNUTLS=ON \ + -DENABLE_CAP=ON \ + -DENABLE_SBC=ON \ + -DENABLE_NETLINK=ON \ + -DBUILD_mmdbresolve=OFF \ + -DBUILD_randpktdump=OFF \ + -DBUILD_androiddump=OFF \ + -DBUILD_dcerpcidl2wrs=OFF \ + -DENABLE_QT5=OFF \ + -DBUILD_wireshark=OFF + ninja + ninja test-programs + + - name: Test Wireshark (TLS related tests only) + working-directory: wireshark + run: | + export PKG_CONFIG_PATH=/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH + cd build + pytest ../test/suite_decryption.py -v -s diff --git a/.github/workflows/xmlsec.yml b/.github/workflows/xmlsec.yml new file mode 100644 index 0000000..2e95c63 --- /dev/null +++ b/.github/workflows/xmlsec.yml 
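Review bot: The cache key `gnutls-wolfssl-${{ runner.os }}-${{ hashFiles(...) }}` is exactly the format the container-based jobs used before this change (see the removed `key:` lines in the openldap.yml and wget.yml hunks), but the paths cached here are `~/cache/...` rather than `/opt/...`; if any workflow still saves under the old key with /opt paths, this job gets an exact hit with cache-hit == 'true', the `Copy cache to /opt` step then finds no `~/cache/gnutls` and fails. Put a layout discriminator in the key, e.g. `key: gnutls-wolfssl-native-${{ runner.os }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }}` with a matching restore-keys prefix; xmlsec.yml has the same key. `pytest` is invoked in the test step without appearing in the apt list — presumably `debian-setup.sh --install-test-deps` provides it, but a comment saying so would help. `timeout-minutes: 20` for a full ninja build of wireshark plus test-programs looks tight; confirm against a real run before relying on it.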
@@ -0,0 +1,122 @@ +name: xmlsec test + +on: + push: + branches: [ 'master', 'main', 'release/**' ] + pull_request: + branches: [ '*' ] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + build_gnutls: + name: Build wolfSSL, GnuTLS and provider + timeout-minutes: 20 + strategy: + matrix: + os: [ ubuntu-24.04 ] + xmlsec_ref: [ 'master', '1.3.4', '1.3.9' ] + fail-fast: false + runs-on: ${{ matrix.os }} + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Install dependencies + run: | + sudo apt-get update + sudo apt-get install -y build-essential gnulib autopoint gperf gtk-doc-tools nettle-dev clang \ + libtasn1-bin libtasn1-6-dev libunistring-dev libp11-kit-dev libunbound-dev \ + wget git flex autoconf-archive libhttp-daemon-perl ninja-build automake \ + autoconf libtool libtool-bin gcc \ + libxml2 libxml2-dev libxslt1.1 libxslt1-dev \ + help2man man2html gtk-doc-tools \ + libltdl7 libltdl-dev + + - name: Restore cached gnutls-wolfssl + id: cache-gnutls + uses: actions/cache@v4 + with: + path: | + ~/cache/gnutls + ~/cache/wolfssl + ~/cache/wolfssl-gnutls-wrapper + key: gnutls-wolfssl-${{ runner.os }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }} + restore-keys: | + gnutls-wolfssl-${{ runner.os }}- + + - name: Copy cache to /opt + if: steps.cache-gnutls.outputs.cache-hit == 'true' + run: | + sudo mkdir -p /opt + sudo cp -a ~/cache/gnutls /opt/ + sudo cp -a ~/cache/wolfssl /opt/ + sudo cp -a ~/cache/wolfssl-gnutls-wrapper /opt/ + echo "Cache restored successfully" + + - name: Build GnuTLS with wolfSSL provider using setup.sh script + if: steps.cache-gnutls.outputs.cache-hit != 'true' + run: | + echo "Cache miss - running setup.sh..." 
+ GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh + # Save to cache location + mkdir -p ~/cache + sudo cp -a /opt/gnutls ~/cache/ + sudo cp -a /opt/wolfssl ~/cache/ + sudo cp -a /opt/wolfssl-gnutls-wrapper ~/cache/ + sudo chown -R $(id -u):$(id -g) ~/cache + + - name: Check setup.sh output directories + run: | + echo "Check for wolfSSL installation..." + ls -la /opt/wolfssl || { echo "/opt/wolfssl not found"; exit 1; } + echo "Check for GnuTLS installation..." + ls -la /opt/gnutls || { echo "/opt/gnutls not found"; exit 1; } + echo "Check for wrapper installation..." + ls -la /opt/wolfssl-gnutls-wrapper/lib || { echo "/opt/wolfssl-gnutls-wrapper/lib not found"; exit 1; } + + - name: Clone xmlsec + run: | + git clone https://github.com/lsh123/xmlsec.git + + - name: Setup and build xmlsec + working-directory: xmlsec + run: | + if [[ "${{ matrix.xmlsec_ref }}" != "master" ]]; then + git checkout ${{ matrix.xmlsec_ref }} + fi + export PKG_CONFIG_PATH=/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH + ./autogen.sh + ./configure --with-gnutls=/opt/gnutls \ + --disable-dsa \ + --enable-sha1 \ + --enable-sha224 \ + --enable-sha256 \ + --enable-sha384 \ + --enable-sha512 \ + --enable-sha3 \ + --enable-ripemd160 \ + --enable-hmac \ + --enable-rsa \ + --enable-ec \ + --enable-x509 \ + --enable-aes \ + --disable-des \ + --enable-dh \ + --enable-pbkdf2 \ + --enable-concatkdf \ + --enable-xmldsig \ + --enable-xmlenc \ + --enable-pedantic \ + --enable-debugging + make -j9 + + - name: Test xmlsec + working-directory: xmlsec + run: | + export PKG_CONFIG_PATH=/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH + make check + find /tmp -name "*.log" | xargs grep wgw diff --git a/wolfssl-gnutls-wrapper/src/cipher.c b/wolfssl-gnutls-wrapper/src/cipher.c index 99935f0..c373ba1 100644 --- a/wolfssl-gnutls-wrapper/src/cipher.c +++ b/wolfssl-gnutls-wrapper/src/cipher.c 
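Review bot: `gtk-doc-tools` appears twice in the apt-get install list of the Install dependencies step (first and sixth continuation line); drop one. `find /tmp -name "*.log" | xargs grep wgw` runs grep with no file arguments when no logs exist, and grep exits 1 when nothing matches, so the step fails in both cases — if that is the intended assertion that the wrapper was actually exercised, say so with a comment above the line; if not, `xargs -r` plus explicit status handling covers the empty case. `make -j9` hard-codes the parallelism while wget.yml uses `make -j $(nproc)`; prefer the latter for consistency. The cache-key point raised on wireshark.yml applies to this file's `key:` as well.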
@@ -993,6 +993,13 @@ int wolfssl_cipher_decrypt(void *_ctx, const void *src, size_t src_size,
 return GNUTLS_E_INVALID_REQUEST;
 }
+ /* Handle 0-byte finalization call, common in cipher APIs for flushing/padding */
+ if (src_size == 0) {
+ WGW_LOG("Zero-byte decrypt call (finalization), returning success");
+ return 0;
+ }
+
+ /* Always use the decryption context for decryption operations */
 ret = wc_AesCbcDecrypt(&ctx->cipher.pair.aes_dec, dst, src, src_size);
 if (ret != 0) {
diff --git a/wolfssl-gnutls-wrapper/src/pk.c b/wolfssl-gnutls-wrapper/src/pk.c
index 30db492..bb0090b 100644
--- a/wolfssl-gnutls-wrapper/src/pk.c
+++ b/wolfssl-gnutls-wrapper/src/pk.c
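Review bot: The new comment says "flushing/padding" but nothing in this path pads or flushes — the guard simply skips wc_AesCbcDecrypt and leaves dst untouched; reword it to `/* 0-byte call is a finalization no-op: nothing to decrypt, dst is not written. */` so a reader does not look for padding handling that is not here. Whether the caller also expects a zero-length call to be tolerated on the encrypt side, and whether any output-size field has to be set to 0 here, cannot be judged from this hunk; the function's signature and the rest of its body are outside it. A log line on every finalization call is probably noisy at WGW_LOG level if this is called per record — consider a debug level if the macro offers one.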
@@ -1777,6 +1777,122 @@ static int wolfssl_pk_verify_rsa_pss(const gnutls_datum_t *vdata,
 return 0;
 }
+/**
+ * Parse DER length field.
+ *
+ * @param [in] sig_data Signature data.
+ * @param [in] sig_len Signature data length.
+ * @param [in,out] idx Current index (updated on success).
+ * @param [out] len Parsed length value.
+ * @return 0 on success.
+ * @return Negative on parsing error.
+ */
+static int parse_der_length(const byte* sig_data, word32 sig_len,
+ word32* idx, word32* len)
+{
+ if (*idx >= sig_len)
+ return -1;
+
+ *len = sig_data[(*idx)++];
+
+ if (*len & 0x80) {
+ /* Long form length */
+ word32 num_bytes = *len & 0x7F;
+
+ if (num_bytes == 0 || num_bytes > 4 || *idx + num_bytes > sig_len)
+ return -1;
+
+ *len = 0;
+ while (num_bytes--) {
+ *len = (*len << 8) | sig_data[(*idx)++];
+ }
+ }
+
+ return 0;
+}
+
+/**
+ * Parse a lenient DER-encoded ECDSA signature to extract r and s.
+ *
+ * This handles potentially malformed DER where INTEGER values are raw bytes
+ * without proper sign-bit handling (as generated by some XML-DSig implementations).
+ *
+ * @param [in] sig_data Signature data (DER SEQUENCE).
+ * @param [in] sig_len Signature data length.
+ * @param [out] r mp_int to hold r value.
+ * @param [out] s mp_int to hold s value.
+ * @return 0 on success.
+ * @return Negative on parsing error.
+ */
+static int parse_lenient_der_ecdsa_signature(const byte* sig_data, word32 sig_len,
+ mp_int* r, mp_int* s)
+{
+ word32 idx = 0;
+ word32 len;
+
+ /* Parse SEQUENCE tag */
+ if (idx >= sig_len || sig_data[idx++] != 0x30) {
+ WGW_ERROR("Invalid DER SEQUENCE tag");
+ return -1;
+ }
+
+ /* Parse SEQUENCE length */
+ if (parse_der_length(sig_data, sig_len, &idx, &len) != 0)
+ return -1;
+
+ /* Parse first INTEGER (r) tag */
+ if (idx >= sig_len || sig_data[idx++] != 0x02) {
+ WGW_ERROR("Invalid DER INTEGER tag for r");
+ return -1;
+ }
+
+ /* Parse r length */
+ if (parse_der_length(sig_data, sig_len, &idx, &len) != 0)
+ return -1;
+
+ /* Skip leading zero byte if present (sign byte) */
+ if (len <= 0)
+ return -1;
+
+ if (idx < sig_len && sig_data[idx] == 0x00) {
+ idx++;
+ len--;
+ }
+
+ /* Read r value */
+ if (idx + len > sig_len) return -1;
+ if (mp_read_unsigned_bin(r, sig_data + idx, len) != 0) {
+ WGW_ERROR("Failed to read r value");
+ return -1;
+ }
+ idx += len;
+
+ /* Parse second INTEGER (s) tag */
+ if (idx >= sig_len || sig_data[idx++] != 0x02) {
+ WGW_ERROR("Invalid DER INTEGER tag for s");
+ return -1;
+ }
+
+ /* Parse s length */
+ if (parse_der_length(sig_data, sig_len, &idx, &len) != 0)
+ return -1;
+
+ /* Skip leading zero byte if present (sign byte) */
+ if (len > 0 && idx < sig_len && sig_data[idx] == 0x00) {
+ idx++;
+ len--;
+ }
+
+ /* Read s value */
+ if (idx + len > sig_len) return -1;
+ if (mp_read_unsigned_bin(s, sig_data + idx, len) != 0) {
+ WGW_ERROR("Failed to read s value");
+ return -1;
+ }
+
+ return 0;
+}
+
 /**
 * Verify using ECDSA with public key.
 *
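Review bot: The bounds checks `if (idx + len > sig_len) return -1;` before both mp_read_unsigned_bin calls can wrap: parse_der_length accepts up to four length bytes, so an attacker-supplied len can be as large as 0xFFFFFFFF, idx + len overflows word32, the check passes, and mp_read_unsigned_bin reads past the signature buffer. Compare against the remaining bytes instead — `if (len > sig_len - idx) return -1;` — which is safe because every increment of idx in parse_der_length is bounded by sig_len, and consider capping num_bytes at 2 since no ECDSA signature component needs a longer length field. The r branch rejects `len == 0` before stripping the sign byte while the s branch does not, so an `02 00` INTEGER for s yields s = 0; wc_ecc_verify_hash_ex presumably rejects a zero s, but rejecting it here keeps the parser self-contained and the two branches symmetric. The parsed SEQUENCE length is discarded and bytes after s are never checked, which reads as intended leniency — state that in the parse_lenient_der_ecdsa_signature doc block so nobody later mistakes this for a strict decoder.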
@@ -1802,14 +1918,59 @@ static int wolfssl_pk_verify_ecc(const gnutls_datum_t *vdata,
 return ret;
 }
- /* Verify the signature against data using ECDSA. */
+ /* Try standard verification first with DER-encoded signature. */
 ret = wc_ecc_verify_hash(signature->data, signature->size, vdata->data, vdata->size, &res, &ecc);
+
+ /* If DER parsing failed (e.g., malformed DER from XML-DSig),
+ * try lenient parsing and verification */
+ if (ret == ASN_ECC_KEY_E || ret == ASN_PARSE_E) {
+ mp_int r, s;
+
+ WGW_LOG("Standard DER parsing failed (%d), trying lenient parser", ret);
+
+ /* Initialize mp_int for r and s */
+ ret = mp_init(&r);
+ if (ret != 0) {
+ wc_ecc_free(&ecc);
+ WGW_WOLFSSL_ERROR("mp_init(r)", ret);
+ return GNUTLS_E_PK_SIG_VERIFY_FAILED;
+ }
+
+ ret = mp_init(&s);
+ if (ret != 0) {
+ mp_clear(&r);
+ wc_ecc_free(&ecc);
+ WGW_WOLFSSL_ERROR("mp_init(s)", ret);
+ return GNUTLS_E_PK_SIG_VERIFY_FAILED;
+ }
+
+ /* Parse potentially malformed DER to extract r and s */
+ ret = parse_lenient_der_ecdsa_signature(signature->data, signature->size, &r, &s);
+ if (ret == 0) {
+ /* Verify using extracted r and s */
+ ret = wc_ecc_verify_hash_ex(&r, &s, vdata->data, vdata->size, &res, &ecc);
+ if (ret < 0) {
+ WGW_WOLFSSL_ERROR("wc_ecc_verify_hash_ex", ret);
+ } else {
+ WGW_LOG("Lenient parser succeeded, verification result: %d", res);
+ }
+ } else {
+ WGW_ERROR("Lenient DER parsing failed");
+ ret = -1;
+ }
+
+ /* Clean up */
+ mp_clear(&r);
+ mp_clear(&s);
+ }
+
 /* No longer need ECC key. */
 wc_ecc_free(&ecc);
+ /* When the process fails - return signature failure. */
 if (ret < 0) {
- WGW_WOLFSSL_ERROR("wc_RsaSSL_Verify", ret);
+ WGW_WOLFSSL_ERROR("ECDSA verification failed", ret);
 return GNUTLS_E_PK_SIG_VERIFY_FAILED;
 }
 /* When verification result is fail - return signature failure. */
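Review bot: The lenient fallback runs for every ECDSA verification this provider performs, not only for XML-DSig, so TLS and certificate paths now accept signature encodings that strict DER verifiers reject (non-canonical INTEGERs, trailing bytes); that may be an acceptable trade-off, but it should be stated in wolfssl_pk_verify_ecc's header comment (outside the hunk) and the `WGW_LOG("Standard DER parsing failed (%d), trying lenient parser", ret)` line is the only record that it happened, so make sure that level is visible in production logs for triage. The trigger condition `ret == ASN_ECC_KEY_E || ret == ASN_PARSE_E` is the complete list of codes wc_ecc_verify_hash returns for a malformed encoding only if wolfSSL never reports a different ASN_* error for, say, a bad length — worth confirming against the wolfSSL version in use and noting in the comment. Error handling otherwise looks sound: both mp_init failures free ecc before returning, r and s are cleared on every path, and a parse failure sets ret = -1 so the existing `if (ret < 0)` returns GNUTLS_E_PK_SIG_VERIFY_FAILED.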