diff --git a/.github/workflows/curl.yml b/.github/workflows/curl.yml index de130a2d..204eaa6a 100644 --- a/.github/workflows/curl.yml +++ b/.github/workflows/curl.yml @@ -89,5 +89,6 @@ jobs: # Run tests and save output to test.log make -j$(nproc) test-ci 2>&1 | tee curl-test.log - TEST_RESULT=$? + # Capture the test result using PIPESTATUS (Bash only) + TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} curl diff --git a/.github/workflows/libhashkit2.yml b/.github/workflows/libhashkit2.yml new file mode 100644 index 00000000..c2080e3a --- /dev/null +++ b/.github/workflows/libhashkit2.yml 
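Review bot: The new comment on the `TEST_RESULT` line says PIPESTATUS is Bash-only, yet the step still relies on the runner's default shell being bash; the step's `shell:` key is outside the hunk, so I cannot see whether it is pinned. The sssd workflow in this same commit adds `shell: bash` to its test step, and doing the same here turns the comment into an enforced assumption — under `sh`, `${PIPESTATUS[0]}` is a "bad substitution" and the step dies before `check-workflow-result.sh` runs. Note also that this works only because `pipefail` is not set: with `-e` plus `pipefail`, a failing make would abort the step before its status is consumed, so a future "harden the shell" change would silently break the force-fail matrix.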
@@ -0,0 +1,99 @@ +name: libhashkit2 Tests + +# START OF COMMON SECTION +on: + push: + branches: [ '*' ] #'master', 'main', 'release/**' ] + pull_request: + branches: [ '*' ] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true +# END OF COMMON SECTION + +jobs: + build_wolfprovider: + uses: ./.github/workflows/build-wolfprovider.yml + with: + wolfssl_ref: ${{ matrix.wolfssl_ref }} + openssl_ref: ${{ matrix.openssl_ref }} + strategy: + matrix: + wolfssl_ref: [ 'master', 'v5.8.0-stable' ] + openssl_ref: [ 'openssl-3.5.0' ] + + test_libhashkit2: + runs-on: ubuntu-22.04 + needs: build_wolfprovider + # This should be a safe limit for the tests to run. + timeout-minutes: 20 + strategy: + matrix: + libhashkit2_ref: [ 'v1.x', '1.1.4' ] + wolfssl_ref: [ 'master', 'v5.8.0-stable' ] + openssl_ref: [ 'openssl-3.5.0' ] + force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] + exclude: + - libhashkit2_ref: 'v1.x' + force_fail: 'WOLFPROV_FORCE_FAIL=1' + steps: + - name: Checkout wolfProvider + uses: actions/checkout@v4 + with: + fetch-depth: 1 + + - name: Retrieving wolfProvider from cache + uses: actions/cache/restore@v4 + id: wolfprov-cache-restore + with: + path: | + wolfssl-install + wolfprov-install + openssl-install/lib64 + openssl-install/include + openssl-install/bin + + key: wolfprov-${{ matrix.wolfssl_ref }}-${{ matrix.openssl_ref }}-${{ github.sha }} + fail-on-cache-miss: true + + - name: Install libmemcached dependencies + run: | + sudo apt-get update + sudo apt-get install cmake build-essential bison flex memcached libc6 + + - name: Download libmemcached + uses: actions/checkout@v4 + with: + repository: awesomized/libmemcached + ref: ${{ matrix.libhashkit2_ref }} + path: libmemcached + fetch-depth: 1 + + - name: Build libmemcached + working-directory: libmemcached + run: | + # OPENSSL_ROOT_DIR is needed for cmake to find OpenSSL headers + export OPENSSL_ROOT_DIR=$GITHUB_WORKSPACE/openssl-install/include + # Build libmemcached with OpenSSL 
support + mkdir build + cd build + cmake -DBUILD_TESTING=ON -DCMAKE_BUILD_TYPE=Debug -DENABLE_OPENSSL_CRYPTO=ON .. + make + + - name: Run libhashkit2 tests + working-directory: libmemcached/build + run: | + # Set up the environment for wolfProvider + source $GITHUB_WORKSPACE/scripts/env-setup + export ${{ matrix.force_fail }} + # Run tests + make test 2>&1 | tee libhashkit2-test.log + if grep -q "(Failed)" libhashkit2-test.log; then + TEST_RESULT=1 + else + TEST_RESULT=0 + fi + echo "TEST_RESULT = $TEST_RESULT" + + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} libhashkit2 diff --git a/.github/workflows/liboauth2.yml b/.github/workflows/liboauth2.yml index fdf01166..7272c0b5 100644 --- a/.github/workflows/liboauth2.yml +++ b/.github/workflows/liboauth2.yml @@ -97,5 +97,6 @@ jobs: # Build and run tests make check 2>&1 | tee liboauth2-test.log - TEST_RESULT=$? + # Capture the test result using PIPESTATUS (Bash only) + TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} liboauth2 diff --git a/.github/workflows/net-snmp.yml b/.github/workflows/net-snmp.yml index 2efb3fb5..4ccaf28c 100644 --- a/.github/workflows/net-snmp.yml +++ b/.github/workflows/net-snmp.yml @@ -83,5 +83,6 @@ jobs: autoconf --version | grep -P '2\.\d\d' -o > dist/autoconf-version make -j test TESTOPTS="-e agentxperl" | tee net-snmp-test.log - TEST_RESULT=$? + # Capture the test result using PIPESTATUS (Bash only) + TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} net-snmp diff --git a/.github/workflows/openssh.yml b/.github/workflows/openssh.yml index ad3cb756..3257ebb1 100644 --- a/.github/workflows/openssh.yml +++ b/.github/workflows/openssh.yml 
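Review bot: The pass/fail decision in the "Run libhashkit2 tests" step depends only on `grep -q "(Failed)"` against the tee'd log, so a `make test` that aborts before ctest prints its summary (missing test binary, crash, no tests registered) leaves no `(Failed)` line and is reported as success. Fold make's own status in via `${PIPESTATUS[0]}`, as the other workflows in this commit do, and treat either signal as failure. The step also never checks that libwolfprov is actually loaded; the sssd workflow in this same commit does `openssl list -providers | grep -q libwolfprov`, and the same assertion here would catch a run that silently exercised the default provider instead. On the build side, `OPENSSL_ROOT_DIR` is set to the `include` directory rather than the install root, which is not what CMake's FindOpenSSL documents — it may fall back to the system OpenSSL, so the cmake output is worth checking.
```yaml
          # Fail fast if the provider did not load; otherwise the suite runs against the default provider
          $GITHUB_WORKSPACE/openssl-install/bin/openssl list -providers | grep -q libwolfprov
          # Run tests
          make test 2>&1 | tee libhashkit2-test.log
          MAKE_RESULT=${PIPESTATUS[0]}
          # A non-zero make status or any ctest "(Failed)" line is a failure
          if [ "$MAKE_RESULT" -ne 0 ] || grep -q "(Failed)" libhashkit2-test.log; then
            TEST_RESULT=1
          else
            TEST_RESULT=0
          fi
          # … unchanged: echo and check-workflow-result.sh call …
```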
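Review bot: `make -j test TESTOPTS="-e agentxperl" | tee net-snmp-test.log` captures only stdout, so harness diagnostics written to stderr never reach `net-snmp-test.log`; every other workflow touched by this commit uses `2>&1 | tee`. Change it to `make -j test TESTOPTS="-e agentxperl" 2>&1 | tee net-snmp-test.log` for consistency. The bare `-j` also spawns unbounded parallel jobs; `-j$(nproc)` as used in curl.yml is the safer form for a test target.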
@@ -96,5 +96,5 @@ jobs: # Run all the tests except (t-exec) as it takes too long export ${{ matrix.force_fail }} make file-tests interop-tests extra-tests unit 2>&1 | tee openssh-test.log - TEST_RESULT=$? + TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} openssh diff --git a/.github/workflows/openvpn.yml b/.github/workflows/openvpn.yml index 791be8da..76b20d6d 100644 --- a/.github/workflows/openvpn.yml +++ b/.github/workflows/openvpn.yml @@ -62,16 +62,35 @@ jobs: sudo apt-get update sudo apt-get install liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev \ linux-libc-dev man2html libcmocka-dev python3-docutils \ - libtool automake autoconf libnl-genl-3-dev libnl-genl-3-200 + iproute2 libtool automake autoconf libnl-genl-3-dev \ + libnl-genl-3-200 - - name: Build and test OpenVPN - uses: wolfSSL/actions-build-autotools-project@v1 + - name: Find ossl headers + run: | + find / -name ssl.h 2>/dev/null || true + + - name: Download OpenVPN + uses: actions/checkout@v4 with: repository: OpenVPN/openvpn path: openvpn ref: ${{ matrix.openvpn_ref }} - configure: - check: false + fetch-depth: 1 + + - name: Apply patch + working-directory: openvpn + run: | + # delete the test_des_encrypt test case, if it exists + perl -ni -e 'print unless /cmocka_unit_test\(test_des_encrypt\),/' tests/unit_tests/openvpn/test_crypto.c + # show the results of the patch + git diff + + - name: Build OpenVPN + working-directory: openvpn + run: | + autoreconf -ivf + ./configure + make -j$(nproc) - name: Test OpenVPN with wolfProvider working-directory: openvpn @@ -82,5 +101,6 @@ jobs: # Run tests and save result make check 2>&1 | tee openvpn-test.log - TEST_RESULT=$? + # Capture the test result using PIPESTATUS (Bash only) + TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} openvpn 
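Review bot: Style: this hunk switches to `${PIPESTATUS[0]}` without the `# Capture the test result using PIPESTATUS (Bash only)` comment that the sibling workflows in the same commit add above the line. Add it here too so a reader of openssh.yml gets the same hint that the step must run under bash.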
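Review bot: The "Apply patch" step deletes `test_des_encrypt` from `tests/unit_tests/openvpn/test_crypto.c` with `perl -ni`, but the hunk never records why; presumably single DES is not provided by wolfProvider, but that is an inference, and a test removal in a crypto suite should carry its reason. I would put it on the line itself, e.g. `# test_des_encrypt exercises single DES, which wolfProvider does not provide; drop it so the rest of the suite can run`. The following `git diff` shows the result but does not distinguish "removed" from "nothing matched", which the "if it exists" comment says is an expected case for some refs, so at least echo which case occurred. The "Find ossl headers" step (`find / -name ssl.h 2>/dev/null || true`) reads as leftover debugging: it walks the whole filesystem on every run and nothing consumes its output.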
diff --git a/.github/workflows/ppp.yml b/.github/workflows/ppp.yml index c68f56f0..a4ebd2ab 100644 --- a/.github/workflows/ppp.yml +++ b/.github/workflows/ppp.yml @@ -29,7 +29,9 @@ jobs: matrix: wolfssl_ref: [ 'master', 'v5.8.0-stable' ] openssl_ref: [ 'openssl-3.5.0' ] - #Switched to v2.5.2 due to significant limitations with v2.4.9, specifically the lack of a test suite, necessary configure options, and compatibility with newer versions of openssl + # Switched to v2.5.2 due to significant limitations with v2.4.9, + # specifically the lack of a test suite, necessary configure options, + # and compatibility with newer versions of openssl ppp_ref: [ 'master', 'v2.5.2' ] force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] exclude: diff --git a/.github/workflows/sssd.yml b/.github/workflows/sssd.yml index ea2d511d..e1e36e93 100644 --- a/.github/workflows/sssd.yml +++ b/.github/workflows/sssd.yml @@ -74,6 +74,13 @@ jobs: ln -s samba-4.0/ldb_module.h /usr/include/ldb_module.h ln -s samba-4.0/ldb_version.h /usr/include/ldb_version.h + - name: Checkout OSP + uses: actions/checkout@v4 + with: + repository: wolfssl/osp + path: osp + fetch-depth: 1 + - name: Build and test sssd with wolfProvider run: | # Clone SSSD @@ -81,6 +88,9 @@ jobs: cd sssd git checkout ${{ matrix.sssd_ref }} + # Apply patch for testing + patch -p1 < $GITHUB_WORKSPACE/osp/wolfProvider/sssd/sssd-${{ matrix.sssd_ref }}-wolfprov.patch + # Configure and build SSSD with wolfProvider autoreconf -ivf ./configure --without-samba --disable-cifs-idmap-plugin \ @@ -89,6 +99,7 @@ jobs: - name: Run tests working-directory: sssd + shell: bash run: | # Set environment variables export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/wolfssl-install/lib:$GITHUB_WORKSPACE/openssl-install/lib64 
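Review bot: `patch -p1 < $GITHUB_WORKSPACE/osp/wolfProvider/sssd/sssd-${{ matrix.sssd_ref }}-wolfprov.patch` takes the patch from the `osp` checkout added in the previous hunk, which has no `ref:` and therefore tracks whatever the default branch of wolfssl/osp holds at run time; the test input can change underneath this workflow without any change to this repository. Pin it (`ref: <tag or commit>` on the "Checkout OSP" step) or at least log the resolved SHA so a failure can be reproduced. Under `bash -e` a non-applying patch aborts the step, which is acceptable, but a one-line comment stating that the patch is tied to the specific sssd version named by `sssd_ref` would save the next person from guessing.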
@@ -100,7 +111,12 @@ jobs: $GITHUB_WORKSPACE/openssl-install/bin/openssl list -providers | tee provider-list.log grep -q libwolfprov provider-list.log || (echo "ERROR: libwolfprov not found in OpenSSL providers" && exit 1) + # If force fail is enabled dont exit with error + if [ "${{ matrix.force_fail }}" == "WOLFPROV_FORCE_FAIL=1" ]; then + set +e + fi + # Run tests and save result make check 2>&1 | tee sssd-test.log - TEST_RESULT=$? + TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} sssd diff --git a/.github/workflows/stunnel.yml b/.github/workflows/stunnel.yml index f7ffb82e..c4d0dfb4 100644 --- a/.github/workflows/stunnel.yml +++ b/.github/workflows/stunnel.yml 
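Review bot: The `set +e` under `WOLFPROV_FORCE_FAIL=1` is redundant for the line it is meant to protect: `make check 2>&1 | tee sssd-test.log` cannot trigger `-e` without `pipefail`, because a pipeline's status is `tee`'s — which is exactly why `${PIPESTATUS[0]}` is needed to recover make's status. Once `set +e` is in effect it also masks any later failure in the step except the final command, so if it is kept it should be scoped to the single command rather than the remainder of the step. I would drop the three-line block and rely on PIPESTATUS alone, unless something earlier in the step (outside the hunk) sets `pipefail`.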
@@ -60,40 +60,106 @@ jobs: - name: Install dependencies run: | sudo apt-get update - sudo apt-get install -y build-essential autoconf automake \ - libtool pkg-config libwrap0-dev autoconf-archive \ - autotools-dev m4 + sudo apt-get install -y libwrap0-dev autoconf-archive autotools-dev m4 + + # - name: Set up Python 3.12 + # if : ${{ matrix.stunnel_ref == 'master' }} + # uses: actions/setup-python@v5 + # with: + # python-version: '3.12' + + # - name: Set up Python 3.10 + # if : ${{ matrix.stunnel_ref != 'master' }} + # uses: actions/setup-python@v5 + # with: + # python-version: '3.10' + + - name: Check Python version + run: python --version + + - name: Replace system openssl with wolfProvider build + run: sudo ln -sf $GITHUB_WORKSPACE/openssl-install/bin/openssl /usr/bin/openssl + + - name: Checkout Stunnel + uses: actions/checkout@v4 + with: + repository: mtrojnar/stunnel + ref: ${{ matrix.stunnel_ref }} + path: stunnel + fetch-depth: 1 - name: Checkout OSP uses: actions/checkout@v4 with: repository: wolfssl/osp path: osp + fetch-depth: 1 + + - name: Apply OSP patch to Stunnel + if : ${{ matrix.stunnel_ref == 'stunnel-5.67' }} + working-directory: ./stunnel + run: | + # Apply patch for WOLFPROV_FORCE_FAIL + patch -p1 < $GITHUB_WORKSPACE/osp/wolfProvider/stunnel/stunnel-WPFF-5.67-wolfprov.patch - name: Build Stunnel + working-directory: ./stunnel run: | - git clone https://github.com/mtrojnar/stunnel.git - cd stunnel - git checkout ${{ matrix.stunnel_ref }} - if [ ${{ matrix.force_fail }} != '' ]; then - patch -p1 < $GITHUB_WORKSPACE/osp/wolfProvider/stunnel/stunnel-WPFF-5.67-wolfprov.patch - fi autoreconf -ivf ./configure --with-ssl=$GITHUB_WORKSPACE/openssl-install/ make -j + - name: Update python cryptography module + working-directory: ./stunnel + run: | + export LD_LIBRARY_PATH="$GITHUB_WORKSPACE/openssl-install/lib:$GITHUB_WORKSPACE/openssl-install/lib64" + export CFLAGS="-I$GITHUB_WORKSPACE/openssl-install/include" + export 
LDFLAGS="-L$GITHUB_WORKSPACE/openssl-install/lib -L$GITHUB_WORKSPACE/openssl-install/lib64" + + python3 -m venv myenv + source myenv/bin/activate + pip install cryptography # will use your OpenSSL if built from source + + - name: Apply patch to disable pkcs12 test + if : ${{ matrix.stunnel_ref == 'master' }} + working-directory: ./stunnel + run: | + # Bypass the Certp12Test test + perl -pe 's/^( \s*)stunnel = Certp12Test\(cfg, logger\)/$1return\n$1stunnel = Certp12Test(cfg, logger)/' -i tests/plugins/p07_p12cert.py + - name: Verify stunnel with wolfProvider working-directory: ./stunnel run: | + # Unset LD_LIBRARY_PATH after python setup + unset LD_LIBRARY_PATH + unset PKG_CONFIG_PATH + unset OPENSSL_MODULES + # Set up the environment for wolfProvider source $GITHUB_WORKSPACE/scripts/env-setup export ${{ matrix.force_fail }} + # enter venv + source myenv/bin/activate + + # Set this variable to prevent attempts to load the legacy OpenSSL + # provider, which we don't support. + # This is necessary for OpenSSL 3.0+ to avoid errors related to legacy + # algorithms that are not supported by wolfProvider. + export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 + # Verify stunnel - ldd src/stunnel | grep -E '(libssl|libcrypto)' + ldd src/stunnel + ldd src/stunnel | grep -E '(libssl|libcrypto)' | grep wolfProvider ./src/stunnel -version - # Run tests and capture output - make check 2>&1 | tee stunnel-test.log - TEST_RESULT=$? + # Run tests + # Results captured in tests/logs/results.log + # Use `timeout` since the tests hang with WOLFPROV_FORCE_FAIL=1 + timeout 10 make check 2>&1 || true + + # grep for "failed: 0" in the results log, indicating success + TEST_RESULT=$(grep -c "failed: 0" tests/logs/results.log || echo 1) + echo "Test result: $TEST_RESULT" + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} stunnel diff --git a/.github/workflows/tcpdump.yml b/.github/workflows/tcpdump.yml index e44742da..879d94cf 100644 
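Review bot: `TEST_RESULT=$(grep -c "failed: 0" tests/logs/results.log || echo 1)` inverts the result convention used by every other workflow here: when the summary line is present, `grep -c` prints `1`, so a passing run is reported as a failure, while a missing line makes `grep -c` print `0` and then `echo 1` appends a second line. Replace it with `grep -q "failed: 0" tests/logs/results.log && TEST_RESULT=0 || TEST_RESULT=1` so 0 means pass, matching the make exit status the other workflows hand to `check-workflow-result.sh`. `timeout 10 make check 2>&1 || true` also applies to every matrix entry, not only the force-fail one, so a slow but healthy run is killed silently and its partial `results.log` is then judged; if the hang is specific to `WOLFPROV_FORCE_FAIL=1`, apply the timeout only there. Separately, `pip install cryptography` installs the prebuilt wheel with its own bundled OpenSSL unless `--no-binary cryptography` is given, so the preceding CFLAGS/LDFLAGS exports and the "will use your OpenSSL" comment are unlikely to take effect.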
--- a/.github/workflows/tcpdump.yml +++ b/.github/workflows/tcpdump.yml @@ -100,11 +100,7 @@ jobs: # Run tests make check 2>&1 | tee tcpdump-test.log - TEST_RESULT=$? - - if [ $TEST_RESULT -ne 0 ]; then - grep -A2 -B2 "exit code\|failed\|FAILED" tcpdump-test.log || true - fi - + # Capture the test result using PIPESTATUS (Bash only) + TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} tcpdump diff --git a/scripts/env-setup b/scripts/env-setup index 58e69250..0cb26353 100755 --- a/scripts/env-setup +++ b/scripts/env-setup @@ -13,7 +13,6 @@ if [ $is_sourced -eq 0 ]; then exit 1 fi - if [ -n "$BASH_SOURCE" ]; then SCRIPT_DIR=$(dirname "${BASH_SOURCE[0]}") elif [ -n "$ZSH_VERSION" ]; then @@ -23,7 +22,6 @@ else exit 1 fi -SCRIPT_DIR="$(cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P)" pushd $SCRIPT_DIR REPO_ROOT="${GITHUB_WORKSPACE:-$(git rev-parse --show-toplevel)}" popd @@ -32,11 +30,14 @@ echo "SCRIPT_DIR: $SCRIPT_DIR" echo "REPO_ROOT: $REPO_ROOT" echo "PWD: $PWD" -# Detect the openssl library path based on aarch64 -if [ "$(uname -m)" = "aarch64" ]; then +# Detect the openssl library path +if [ -d $REPO_ROOT/openssl-install/lib ]; then OPENSSL_LIB_PATH=$REPO_ROOT/openssl-install/lib -else +elif [ -d $REPO_ROOT/openssl-install/lib64 ]; then OPENSSL_LIB_PATH=$REPO_ROOT/openssl-install/lib64 +else + echo "Error: Could not find OpenSSL lib directory in $REPO_ROOT/openssl-install" + exit 1 fi # Set variables with default values if not already set diff --git a/src/wp_aes_stream.c b/src/wp_aes_stream.c index 4d2adfce..8f9066ab 100644 --- a/src/wp_aes_stream.c +++ b/src/wp_aes_stream.c @@ -110,6 +110,7 @@ static const OSSL_PARAM cipher_supported_gettable_params[] = { OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_BLOCK_SIZE, NULL), OSSL_PARAM_int(OSSL_CIPHER_PARAM_CUSTOM_IV, NULL), OSSL_PARAM_int(OSSL_CIPHER_PARAM_HAS_RAND_KEY, NULL), + OSSL_PARAM_int(OSSL_CIPHER_PARAM_CTS, NULL), OSSL_PARAM_END }; /** 
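Review bot: The new `else` branch uses `exit 1`, but this file is explicitly a sourced script (the `is_sourced` guard above the first hunk refuses to run otherwise), so a missing OpenSSL install directory terminates the caller's shell — in CI that is the step, which is fine, but a developer sourcing it interactively loses their terminal. Use `return 1` here, the idiom for signalling failure from a sourced script; the pre-existing `exit 1` branches in the earlier hunks have the same issue, but this new one is the place to start. The tests `[ -d $REPO_ROOT/openssl-install/lib ]` should also quote the path, `[ -d "$REPO_ROOT/openssl-install/lib" ]`, since `REPO_ROOT` comes from `GITHUB_WORKSPACE` or `git rev-parse` and may contain spaces. Finally, preferring `lib` over `lib64` whenever both exist is a behaviour change from the old `uname -m` test; if both directories can be present on x86_64 the wrong libcrypto could be selected, so a comment stating which layout each OpenSSL build produces would help.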
@@ -136,7 +137,7 @@ static const OSSL_PARAM *wp_cipher_gettable_params( * @return 0 on failure. */ static int wp_aes_stream_get_params(OSSL_PARAM params[], unsigned int mode, - size_t kBits, size_t ivBits) + unsigned int flags, size_t kBits, size_t ivBits) { int ok = 1; OSSL_PARAM *p; @@ -175,6 +176,14 @@ static int wp_aes_stream_get_params(OSSL_PARAM params[], unsigned int mode, ok = 0; } } +#ifdef WP_HAVE_AESCTS + if (ok) { + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_CTS); + if ((p != NULL) && (!OSSL_PARAM_set_int(p, flags & EVP_CIPH_FLAG_CTS))) { + ok = 0; + } + } +#endif /* WP_HAVE_AESCTS */ WOLFPROV_LEAVE(WP_LOG_CIPHER, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok); return ok; @@ -783,9 +792,9 @@ static void wp_aes_stream_init_ctx(wp_AesStreamCtx* ctx, size_t kBits, /** Implements the get parameters API for a stream cipher. */ -#define IMPLEMENT_AES_STREAM_GET_PARAMS(lcmode, UCMODE, kBits, ivBits) \ +#define IMPLEMENT_AES_STREAM_GET_PARAMS(lcmode, UCMODE, flags, kBits, ivBits) \ /** \ - * Get the values from the AES stream context for the parameters. \ + * Get the values from the AES stream context for the parameters. \ * \ * @param [in, out] params Array of parameters to retrieve. \ * @return 1 on success. \ @@ -793,8 +802,8 @@ static void wp_aes_stream_init_ctx(wp_AesStreamCtx* ctx, size_t kBits, */ \ static int wp_aes_##kBits##_##lcmode##_get_params(OSSL_PARAM params[]) \ { \ - return wp_aes_stream_get_params(params, EVP_CIPH_##UCMODE##_MODE, kBits, \ - ivBits); \ + return wp_aes_stream_get_params(params, EVP_CIPH_##UCMODE##_MODE, flags, \ + kBits, ivBits); \ } /** Implements the new context API for a stream cipher. */ 
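Review bot: The new CTS getter is wrapped in `#ifdef WP_HAVE_AESCTS`, but the matching `OSSL_PARAM_int(OSSL_CIPHER_PARAM_CTS, NULL)` entry added to `cipher_supported_gettable_params` in the first hunk of this file is unconditional, so a build without CTS advertises a gettable parameter that `wp_aes_stream_get_params` never fills. Since `flags` is now always passed and is `0` for the CTR and CFB instantiations, the `#ifdef`/`#endif` pair can simply be dropped: `OSSL_PARAM_set_int(p, flags & EVP_CIPH_FLAG_CTS)` then reports 0 for non-CTS ciphers, so table and getter agree in every configuration. The value written is `flags & EVP_CIPH_FLAG_CTS`, a non-zero mask rather than 1; OpenSSL appears to treat it as a boolean, but `(flags & EVP_CIPH_FLAG_CTS) != 0` makes the intent explicit. The body of `wp_aes_stream_get_params` continues outside this hunk.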
@@ -845,8 +854,8 @@ const OSSL_DISPATCH wp_aes##kBits##mode##_functions[] = { \
 };
 /** Implements the functions calling base functions for a stream cipher. */
-#define IMPLEMENT_AES_STREAM(lcmode, UCMODE, kBits, ivBits) \
-IMPLEMENT_AES_STREAM_GET_PARAMS(lcmode, UCMODE, kBits, ivBits) \
+#define IMPLEMENT_AES_STREAM(lcmode, UCMODE, flags, kBits, ivBits) \
+IMPLEMENT_AES_STREAM_GET_PARAMS(lcmode, UCMODE, flags, kBits, ivBits) \
 IMPLEMENT_AES_STREAM_NEWCTX(lcmode, UCMODE, kBits, ivBits) \
 IMPLEMENT_AES_STREAM_DISPATCH(lcmode, kBits, ivBits)
@@ -855,11 +864,11 @@ IMPLEMENT_AES_STREAM_DISPATCH(lcmode, kBits, ivBits)
  */
 #ifdef WP_HAVE_AESCTR
 /** wp_aes256ctr_functions */
-IMPLEMENT_AES_STREAM(ctr, CTR, 256, 128)
+IMPLEMENT_AES_STREAM(ctr, CTR, 0, 256, 128)
 /** wp_aes192ctr_functions */
-IMPLEMENT_AES_STREAM(ctr, CTR, 192, 128)
+IMPLEMENT_AES_STREAM(ctr, CTR, 0, 192, 128)
 /** wp_aes128ctr_functions */
-IMPLEMENT_AES_STREAM(ctr, CTR, 128, 128)
+IMPLEMENT_AES_STREAM(ctr, CTR, 0, 128, 128)
 #endif /* WP_HAVE_AESCTR */
 /*
@@ -867,11 +876,11 @@ IMPLEMENT_AES_STREAM(ctr, CTR, 128, 128)
  */
 #ifdef WP_HAVE_AESCFB
 /** wp_aes256cfb_functions */
-IMPLEMENT_AES_STREAM(cfb, CFB, 256, 128)
+IMPLEMENT_AES_STREAM(cfb, CFB, 0, 256, 128)
 /** wp_aes192cfb_functions */
-IMPLEMENT_AES_STREAM(cfb, CFB, 192, 128)
+IMPLEMENT_AES_STREAM(cfb, CFB, 0, 192, 128)
 /** wp_aes128cfb_functions */
-IMPLEMENT_AES_STREAM(cfb, CFB, 128, 128)
+IMPLEMENT_AES_STREAM(cfb, CFB, 0, 128, 128)
 #endif /* WP_HAVE_AESCFB */
 /*
@@ -882,11 +891,11 @@ IMPLEMENT_AES_STREAM(cfb, CFB, 128, 128)
  */
 #ifdef WP_HAVE_AESCTS
 /** wp_aes256cts_functions */
-IMPLEMENT_AES_STREAM(cts, CBC, 256, 128)
+IMPLEMENT_AES_STREAM(cts, CBC, EVP_CIPH_FLAG_CTS, 256, 128)
 /** wp_aes192cts_functions */
-IMPLEMENT_AES_STREAM(cts, CBC, 192, 128)
+IMPLEMENT_AES_STREAM(cts, CBC, EVP_CIPH_FLAG_CTS, 192, 128)
 /** wp_aes128cts_functions */
-IMPLEMENT_AES_STREAM(cts, CBC, 128, 128)
+IMPLEMENT_AES_STREAM(cts, CBC, EVP_CIPH_FLAG_CTS, 128, 128)
 #endif /* WP_HAVE_AESCTS */
 #endif /* WP_HAVE_AESCTR || WP_HAVE_AESCFB || WP_HAVE_AESCTS */