From e438131a3bd779c0a55f56b93f21589a6064ed93 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Fri, 19 Jan 2024 12:32:17 +0100 Subject: [PATCH 1/3] EVP_Cipher: correct parameter checking EVP_Cipher(ctx, NULL, NULL, 0) is a valid call for all algorithms. For none-AEAD it results in a no-op. --- wolfcrypt/src/evp.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c index b36df7828..9972077c6 100644 --- a/wolfcrypt/src/evp.c +++ b/wolfcrypt/src/evp.c @@ -8118,8 +8118,12 @@ void wolfSSL_EVP_init(void) WOLFSSL_ENTER("wolfSSL_EVP_Cipher"); - if (ctx == NULL || ((src == NULL || dst == NULL) && - (TRUE + if (ctx == NULL) { + WOLFSSL_MSG("Bad argument."); + return WOLFSSL_FATAL_ERROR; + } + + if (TRUE #ifdef HAVE_AESGCM && ctx->cipherType != AES_128_GCM_TYPE && ctx->cipherType != AES_192_GCM_TYPE && @@ -8141,9 +8145,15 @@ void wolfSSL_EVP_init(void) #ifdef WOLFSSL_SM4_CCM && ctx->cipherType != SM4_CCM_TYPE #endif - ))) { - WOLFSSL_MSG("Bad argument."); - return WOLFSSL_FATAL_ERROR; + ) { + /* Not an AEAD cipher */ + /* No-op for none AEAD ciphers */ + if (src == NULL && dst == NULL && len == 0) + return 0; + if (src == NULL || dst == NULL) { + WOLFSSL_MSG("Bad argument."); + return WOLFSSL_FATAL_ERROR; + } } if (ctx->cipherType == WOLFSSL_EVP_CIPH_TYPE_INIT) { From 67700a1d70cd6fddbc2db68a0b3d99713fdf6959 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Fri, 19 Jan 2024 12:40:37 +0100 Subject: [PATCH 2/3] Add libssh2 test --- .github/workflows/libssh2.yml | 58 +++++++++++++++++++++++++++++++++++ .github/workflows/main.yml | 2 ++ 2 files changed, 60 insertions(+) create mode 100644 .github/workflows/libssh2.yml diff --git a/.github/workflows/libssh2.yml b/.github/workflows/libssh2.yml new file mode 100644 index 000000000..ec82ce1da --- /dev/null +++ b/.github/workflows/libssh2.yml @@ -0,0 +1,58 @@ +name: libssh2 Tests + +on: + workflow_call: + +jobs: + build_wolfssl: + name: Build wolfSSL + # Just to keep it the same as the testing target + runs-on: ubuntu-latest + # This should be a safe limit for the tests to run. + timeout-minutes: 4 + steps: + - name: Build wolfSSL + uses: wolfSSL/actions-build-autotools-project@v1 + with: + path: wolfssl + configure: --enable-all + check: false # config is already tested in many other PRB's + install: true + + - name: Upload built lib + uses: actions/upload-artifact@v3 + with: + name: wolf-install-libssh2 + path: build-dir + retention-days: 1 + + libssh2_check: + strategy: + fail-fast: false + matrix: + # List of releases to test + ref: [ 1.11.0 ] + name: ${{ matrix.ref }} + runs-on: ubuntu-latest + # This should be a safe limit for the tests to run. + timeout-minutes: 8 + needs: build_wolfssl + steps: + - name: Download lib + uses: actions/download-artifact@v3 + with: + name: wolf-install-libssh2 + path: build-dir + + - name: Build and test libssh2 + uses: wolfSSL/actions-build-autotools-project@v1 + with: + repository: libssh2/libssh2 + ref: libssh2-${{ matrix.ref }} + path: libssh2 + configure: --with-crypto=wolfssl --with-libwolfssl-prefix=$GITHUB_WORKSPACE/build-dir + check: true + + - name: Confirm libssh2 built with wolfSSL + working-directory: ./libssh2 + run: ldd src/.libs/libssh2.so | grep wolfssl diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b1e63a32e..a813f44c9 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -42,6 +42,8 @@ jobs: uses: ./.github/workflows/packaging.yml memcached: uses: ./.github/workflows/memcached.yml + libssh2: + uses: ./.github/workflows/libssh2.yml # TODO: Currently this test fails. Enable it once it becomes passing. # haproxy: # uses: ./.github/workflows/haproxy.yml From fc7143a8f4acbb73ac3bae1f56d8bae23577054d Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Mon, 22 Jan 2024 16:08:06 +0100 Subject: [PATCH 3/3] Code review --- wolfcrypt/src/evp.c | 47 +++++++++++++++++++++------------------------ 1 file changed, 22 insertions(+), 25 deletions(-) diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c index 9972077c6..c0488430a 100644 --- a/wolfcrypt/src/evp.c +++ b/wolfcrypt/src/evp.c @@ -8110,6 +8110,26 @@ void wolfSSL_EVP_init(void) } #endif /* !NO_AES || !NO_DES3 */ + static int IsCipherTypeAEAD(unsigned char cipherType) + { + switch (cipherType) { + case AES_128_GCM_TYPE: + case AES_192_GCM_TYPE: + case AES_256_GCM_TYPE: + case AES_128_CCM_TYPE: + case AES_192_CCM_TYPE: + case AES_256_CCM_TYPE: + case ARIA_128_GCM_TYPE: + case ARIA_192_GCM_TYPE: + case ARIA_256_GCM_TYPE: + case SM4_GCM_TYPE: + case SM4_CCM_TYPE: + return 1; + default: + return 0; + } + } + /* Return length on ok */ int wolfSSL_EVP_Cipher(WOLFSSL_EVP_CIPHER_CTX* ctx, byte* dst, byte* src, word32 len) @@ -8123,31 +8143,8 @@ void wolfSSL_EVP_init(void) return WOLFSSL_FATAL_ERROR; } - if (TRUE - #ifdef HAVE_AESGCM - && ctx->cipherType != AES_128_GCM_TYPE && - ctx->cipherType != AES_192_GCM_TYPE && - ctx->cipherType != AES_256_GCM_TYPE - #endif - #ifdef HAVE_AESCCM - && ctx->cipherType != AES_128_CCM_TYPE && - ctx->cipherType != AES_192_CCM_TYPE && - ctx->cipherType != AES_256_CCM_TYPE - #endif - #ifdef HAVE_ARIA - && ctx->cipherType != ARIA_128_GCM_TYPE && - ctx->cipherType != ARIA_192_GCM_TYPE && - ctx->cipherType != ARIA_256_GCM_TYPE - #endif - #ifdef WOLFSSL_SM4_GCM - && ctx->cipherType != SM4_GCM_TYPE - #endif - #ifdef WOLFSSL_SM4_CCM - && ctx->cipherType != SM4_CCM_TYPE - #endif - ) { - /* Not an AEAD cipher */ - /* No-op for none AEAD ciphers */ + if (!IsCipherTypeAEAD(ctx->cipherType)) { + /* No-op for non-AEAD ciphers */ if (src == NULL && dst == NULL && len == 0) return 0; if (src == NULL || dst == NULL) {