diff --git a/.github/workflows/openldap.yml b/.github/workflows/openldap.yml
index 31807a5..1098b6f 100644
--- a/.github/workflows/openldap.yml
+++ b/.github/workflows/openldap.yml
@@ -16,9 +16,6 @@ jobs:
 strategy:
 matrix:
 include:
- - os: ubuntu-latest
- openldap_ref: 'master'
- use_container: true
 - os: ubuntu-latest
 openldap_ref: 'OPENLDAP_REL_ENG_2_5_13'
 use_container: true
@@ -67,7 +64,6 @@ jobs:
 sudo mkdir -p /opt/gnutls /opt/wolfssl /opt/wolfssl-gnutls-wrapper /opt/nettle
 sudo chown -R $USER:$USER /opt/gnutls /opt/wolfssl /opt/wolfssl-gnutls-wrapper /opt/nettle
- # ───────────── cache the wolfssl/gnutls tool-chain ─────────────
 - name: Restore cached gnutls-wolfssl
 id: cache-gnutls
 uses: actions/cache@v4
@@ -108,7 +104,6 @@ jobs:
 else
 GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh
 fi
- # For native runner: also save to cache location
 if [[ "${{ matrix.use_container }}" == "false" ]]; then
 mkdir -p ~/cache
 sudo cp -a /opt/gnutls ~/cache/
@@ -143,11 +138,8 @@ jobs:
 - name: Build OpenLDAP at ${{ matrix.openldap_ref }}
 run: |
- git clone https://git.openldap.org/openldap/openldap.git
- cd openldap
- if [ "${{ matrix.openldap_ref }}" != "master" ]; then
- git checkout ${{ matrix.openldap_ref }}
- fi
+ git clone --depth 1 --branch "${{ matrix.openldap_ref }}" \
+ https://git.openldap.org/openldap/openldap.git
 - name: Configure OpenLDAP
 working-directory: openldap
 run: |
@@ -196,7 +188,7 @@ jobs:
 working-directory: openldap
 run: |
 make depend
- make
+ make -j$(nproc)
 - name: Test OpenLDAP
 working-directory: openldap
 run: |
diff --git a/.github/workflows/samba-libs.yml b/.github/workflows/samba-libs.yml
index 0fad180..9a7c74e 100644
--- a/.github/workflows/samba-libs.yml
+++ b/.github/workflows/samba-libs.yml
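Review bot: The new clone line in the "Build OpenLDAP" step interpolates `${{ matrix.openldap_ref }}` straight into the shell, and the samba-libs.yml hunk does the same with `${{ matrix.samba_ref }}`. Both values come from the workflow's own matrix today, so there is no untrusted input reaching the shell, but the expansion happens before the shell sees the line, so the double quotes give no protection if the ref is ever sourced from an input, PR title or other user-controlled field; routing it through `env:` keeps shell quoting in effect, e.g. `env:` / `  OPENLDAP_REF: ${{ matrix.openldap_ref }}` and `git clone --depth 1 --branch "$OPENLDAP_REF" \`. Separately, `--branch` on a tag name is a mutable reference, so logging `git -C openldap rev-parse HEAD` right after the clone records exactly which commit each run built. The clone step is complete within the hunk, but the enclosing job definition starts before it.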
@@ -76,11 +76,8 @@ jobs:
 - name: Clone Samba
 run: |
- git clone https://gitlab.com/samba-team/samba.git samba
- cd samba
- if [ "${{ matrix.samba_ref }}" != "master" ]; then
- git checkout ${{ matrix.samba_ref }}
- fi
+ git clone --depth=1 --branch "${{ matrix.samba_ref }}" \
+ https://gitlab.com/samba-team/samba.git
 - name: Configure & build Samba-libs
 working-directory: samba
diff --git a/.github/workflows/wget.yml b/.github/workflows/wget.yml
index c9b8f96..42e95ec 100644
--- a/.github/workflows/wget.yml
+++ b/.github/workflows/wget.yml
@@ -62,7 +62,6 @@ jobs:
 libtasn1-bin libtasn1-6-dev libunistring-dev libp11-kit-dev libunbound-dev \
 wget git flex autoconf-archive libhttp-daemon-perl
- # ───────────── cache the wolfssl/gnutls tool-chain ─────────────
 - name: Restore cached gnutls-wolfssl
 id: cache-gnutls
 uses: actions/cache@v4
@@ -174,6 +173,13 @@ jobs:
 run: |
 make -j $(nproc)
 # Get python 3.11 for old versions of wget
+ - name: Cache pyenv Python 3.11.9
+ id: cache-pyenv
+ if: matrix.wget_ref == 'v1.21.3' || matrix.wget_ref == 'v1.21.4'
+ uses: actions/cache@v4
+ with:
+ path: ~/.pyenv
+ key: pyenv-3.11.9-${{ matrix.os }}-${{ matrix.use_container }}
 - name: Install pyenv dependencies
 if: matrix.wget_ref == 'v1.21.3' || matrix.wget_ref == 'v1.21.4'
 run: |
@@ -183,7 +189,7 @@ jobs:
 libncursesw5-dev xz-utils tk-dev libxml2-dev libxmlsec1-dev \
 libffi-dev liblzma-dev
 - name: Install pyenv
- if: matrix.wget_ref == 'v1.21.3' || matrix.wget_ref == 'v1.21.4'
+ if: (matrix.wget_ref == 'v1.21.3' || matrix.wget_ref == 'v1.21.4') && steps.cache-pyenv.outputs.cache-hit != 'true'
 run: |
 curl https://pyenv.run | bash
 - name: Test wget
@@ -195,7 +201,7 @@ jobs:
 export PATH="$PYENV_ROOT/bin:$PATH"
 eval "$(pyenv init --path)"
 eval "$(pyenv virtualenv-init -)"
- pyenv install 3.11.9
+ pyenv install -s 3.11.9
 pyenv global 3.11.9
 python --version
 fi
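Review bot: The new "Cache pyenv Python 3.11.9" step persists `~/.pyenv` under a key that encodes only the Python version, OS and container flag, while the pyenv it fronts is still obtained unpinned via `curl https://pyenv.run | bash` on every cache miss. Whatever that download produced is written into the repository cache and restored into later runs as executable content, with nothing in the key tying it to a pyenv version, so an unexpected installer result is both invisible and sticky until someone bumps the key; `actions/cache` entries created on the default branch are also restorable by pull-request runs. Pinning pyenv (a `git clone --depth 1 --branch <PYENV_TAG>` of the pyenv repository into `~/.pyenv` instead of the installer) and putting that tag in the key, e.g. `key: pyenv-<PYENV_TAG>-3.11.9-${{ matrix.os }}-${{ matrix.use_container }}`, makes the cached tree reproducible and lets the cache-hit short-circuit mean something. The `-s` added to `pyenv install` in the last hunk is the right complement, since it turns a restored cache into a no-op.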
@@ -205,5 +211,5 @@ jobs:
 export LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:/opt/gnutls/lib:/opt/wolfssl/lib:/opt/wolfssl-gnutls-wrapper/lib:$LD_LIBRARY_PATH
 fi
 export WGW_LOGGING=1
- make check
+ make check -j"$(nproc)"
 find . -name '*.log' | xargs grep wgw
diff --git a/wolfssl-gnutls-wrapper/src/cipher.c b/wolfssl-gnutls-wrapper/src/cipher.c
index c373ba1..df7f3bb 100644
--- a/wolfssl-gnutls-wrapper/src/cipher.c
+++ b/wolfssl-gnutls-wrapper/src/cipher.c
@@ -438,7 +438,7 @@ int wolfssl_cipher_setkey(void *_ctx, const void *key, size_t keysize)
 }
 #ifdef WOLFSSL_AES_XTS
- if (ctx->mode == XTS && gnutls_fips140_mode_enabled()) {
+ if (ctx->mode == XTS) {
 /* XTS has two AES keys that are no allowed to be the same. */
 if (XMEMCMP(key, key + exp_key_size / 2, exp_key_size / 2) == 0) {
 WGW_ERROR("XTS keys are the same");
diff --git a/wolfssl-gnutls-wrapper/tests/test_aesxts.c b/wolfssl-gnutls-wrapper/tests/test_aesxts.c
index c676bcc..27588a3 100644
--- a/wolfssl-gnutls-wrapper/tests/test_aesxts.c
+++ b/wolfssl-gnutls-wrapper/tests/test_aesxts.c
@@ -1,5 +1,6 @@
 #include
+#include
 #include "test_util.h"
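Review bot: `make check -j"$(nproc)"` now runs wget's test programs concurrently, and the job installs `libhttp-daemon-perl` for the Perl test servers; if those tests bind fixed ports (not verifiable from this hunk) parallel execution will surface as intermittent bind failures rather than real regressions. It is worth a few runs across the matrix to confirm the suite is parallel-safe before relying on it, and if it is not, dropping the `-j` here keeps only the tests serial since the build itself is already parallel in the earlier `make -j $(nproc)` step. The `find … | xargs grep wgw` line that follows is unchanged.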
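Review bot: Dropping `gnutls_fips140_mode_enabled()` from the condition makes the identical-key-halves rejection unconditional for XTS, which is the right default (IEEE 1619 and SP 800-38E require the two AES keys to differ), but the comment under the new condition still reads as an incidental remark with a typo and says nothing about the deliberate divergence from native GnuTLS, which per the test change only rejects under FIPS. I would replace it with `/* XTS requires its two AES keys to differ (IEEE 1619 / SP 800-38E); enforce this in every mode, not only FIPS, unlike native GnuTLS/Nettle. */` so the behaviour is documented at the check itself. A smaller point: `XMEMCMP` on the two halves is not a constant-time comparison; it only leaks how many leading bytes of the caller's own key halves match, so the exposure is minimal, but a constant-time compare is the idiom for key material if the wrapper already has one available. `wolfssl_cipher_setkey` starts before the hunk and its remaining branches are not visible here.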
@@ -97,15 +98,16 @@ static int test_aesxts(gnutls_cipher_algorithm_t cipher,
 /* Copy plaintext to a non-const buffer for GnuTLS */
 memcpy(plaintext, plaintext_data, sizeof(plaintext_data));
- /* Try bad key - same data for both keys or key too small. */
- ret = gnutls_cipher_init(&encrypt_handle, cipher, &bad_key, &iv);
- if (gnutls_fips140_mode_enabled() && ret == 0) {
- print_gnutls_error("initializing cipher with bad key", ret);
- return 1;
- }
- if (!gnutls_fips140_mode_enabled() && ret != 0) {
- print_gnutls_error("initializing cipher with bad key", ret);
- return 1;
+ /* Try bad key - same data for both keys. The wolfSSL provider rejects
+ * identical XTS key halves in all modes; native GnuTLS/Nettle (used when
+ * GNUTLS_NO_PROVIDER=1) accepts them in non-FIPS mode, so only enforce the
+ * rejection when the provider is in use. */
+ if (!getenv("GNUTLS_NO_PROVIDER")) {
+ ret = gnutls_cipher_init(&encrypt_handle, cipher, &bad_key, &iv);
+ if (ret == 0) {
+ print_gnutls_error("initializing cipher with bad key", ret);
+ return 1;
+ }
 }
 /********** ENCRYPTION TEST **********/
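Review bot: The new guard checks `getenv("GNUTLS_NO_PROVIDER")` for presence only, while the comment above it documents the variable as `GNUTLS_NO_PROVIDER=1`; exporting it as `0` or empty to re-enable the provider would silently skip the bad-key assertion instead of running it. If the harness treats any set value as "no provider" the comment should say so; otherwise compare the value, e.g. `const char *no_provider = getenv("GNUTLS_NO_PROVIDER");` / `if (no_provider == NULL || strcmp(no_provider, "1") != 0) {` (assuming `<string.h>` is already included for `memcpy`). Either way the skip is silent, so a one-line message in an `else` branch saying the bad-key check was not exercised would keep the CI log honest about what the run verified. As before, an unexpectedly successful init leaves `encrypt_handle` undeinitialised on the `return 1` path, which is acceptable for a failing test; `test_aesxts` begins above the hunk.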