diff --git a/.github/workflows/openssh.yml b/.github/workflows/openssh.yml index 83b122773..adbf82081 100644 --- a/.github/workflows/openssh.yml +++ b/.github/workflows/openssh.yml @@ -45,9 +45,31 @@ jobs: fail-fast: false matrix: include: + # A good way to measure how much each test takes is to create a bash script + # in the openssh root like this (make it executable): + # time-measure.sh + # #!/bin/bash + # /usr/bin/time -a -o /tmp/LTESTS-times.txt -f '%e %C' /usr/bin/bash "$@" + # And invoke the openssh tests like this: + # rm -f /tmp/LTESTS-times.txt && \ + # make tests TEST_SHELL=$(pwd)/time-measure.sh SKIP_UNIT=yes && \ + # grep test-exec.sh /tmp/LTESTS-times.txt - git_ref: 'V_9_6_P1' osp_ver: '9.6' - name: ${{ matrix.ref }} + SKIP_LTESTS: >- + exit-status rekey multiplex cert-userkey forward-control integrity + channel-timeout connection-timeout + - git_ref: 'V_9_9_P2' + osp_ver: '9.9p2' + SKIP_LTESTS: >- + exit-status rekey multiplex cert-userkey forward-control integrity + channel-timeout connection-timeout + - git_ref: 'V_10_0_P2' + osp_ver: '10.0p2' + SKIP_LTESTS: >- + exit-status rekey multiplex forward-control channel-timeout + connection-timeout + name: ${{ matrix.osp_ver }} if: github.repository_owner == 'wolfssl' runs-on: ubuntu-22.04 needs: build_wolfssl @@ -80,5 +102,4 @@ jobs: - name: Run tests working-directory: ./openssh run: | - # Run all the tests except (t-exec) as it takes too long - make file-tests interop-tests extra-tests unit + make tests SKIP_LTESTS='${{ matrix.SKIP_LTESTS }}' diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index 1eab34183..4d465e6e6 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras @@ -205,6 +205,7 @@ ESP_PLATFORM ESP_TASK_MAIN_STACK ETHERNET_AVAILABLE EV_TRIGGER +FORCE_FAILURE_GETRANDOM FP_ECC_CONTROL FREERTOS_TCP_WINSIM FREESCALE diff --git a/configure.ac b/configure.ac index a6765405c..b6dc6d358 100644 --- a/configure.ac +++ b/configure.ac @@ -129,7 +129,7 @@ AC_CHECK_HEADER(assert.h, [AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSL_HAVE_ASSERT_H"],[ # check if functions of interest are linkable, but also check if # they're declared by the expected headers, and if not, supersede the # unusable positive from AC_CHECK_FUNCS(). -AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday gmtime_r gmtime_s inet_ntoa memset socket strftime atexit isascii getpid]) +AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday gmtime_r gmtime_s inet_ntoa memset socket strftime atexit isascii getpid getrandom]) AC_CHECK_DECLS([gethostbyname, getaddrinfo, gettimeofday, gmtime_r, gmtime_s, inet_ntoa, memset, socket, strftime, atexit, isascii, getpid], [], [ if test "$(eval echo \$"$(eval 'echo ac_cv_func_${as_decl_name}')")" = "yes" then @@ -2138,6 +2138,12 @@ AC_ARG_ENABLE([openssh], [ENABLED_OPENSSH=$enableval], [ENABLED_OPENSSH=no]) +if test "$ENABLED_OPENSSH" = "yes" +then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_OPENSSH -DHAVE_EX_DATA -DWOLFSSL_BASE16" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ERROR_CODE_OPENSSL -DWC_RNG_SEED_CB" +fi + # OpenVPN compatibility Build AC_ARG_ENABLE([openvpn], [AS_HELP_STRING([--enable-openvpn],[Enable OpenVPN compatibility build (default: disabled)])], @@ -2249,6 +2255,11 @@ AC_ARG_ENABLE([fortress], [ ENABLED_FORTRESS=no ] ) +if test "$ENABLED_OPENSSH" = "yes" +then + ENABLED_FORTRESS="yes" +fi + # libwebsockets Support AC_ARG_ENABLE([libwebsockets], [AS_HELP_STRING([--enable-libwebsockets],[Enable libwebsockets (default: disabled)])], @@ -2260,14 +2271,6 @@ then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LIBWEBSOCKETS -DHAVE_EX_DATA -DOPENSSL_NO_EC" fi - -if test "$ENABLED_OPENSSH" = "yes" -then - ENABLED_FORTRESS="yes" - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_OPENSSH -DHAVE_EX_DATA -DWOLFSSL_BASE16" - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ERROR_CODE_OPENSSL" -fi - # net-snmp Build AC_ARG_ENABLE([net-snmp], [AS_HELP_STRING([--enable-net-snmp],[Enable net-snmp (default: disabled)])], diff --git a/examples/configs/user_settings_tls12.h b/examples/configs/user_settings_tls12.h index 69a7b95b8..7af30fd7b 100644 --- a/examples/configs/user_settings_tls12.h +++ b/examples/configs/user_settings_tls12.h @@ -44,7 +44,6 @@ extern "C" { #define WOLFSSL_USER_IO #define WOLFSSL_IGNORE_FILE_WARN /* ignore file includes not required */ //#define WOLFSSL_SMALL_STACK /* option to reduce stack size, offload to heap */ -#define NO_FILESYSTEM #define NO_WRITEV #define NO_SIG_WRAPPER diff --git a/examples/configs/user_settings_wolfboot_keytools.h b/examples/configs/user_settings_wolfboot_keytools.h index 7c921390a..60cea642d 100644 --- a/examples/configs/user_settings_wolfboot_keytools.h +++ b/examples/configs/user_settings_wolfboot_keytools.h @@ -91,7 +91,6 @@ #define NO_DES3 #define NO_PWDBASED #define NO_WRITEV -#define NO_FILESYSTEM #define NO_OLD_RNGNAME #define NO_WOLFSSL_DIR #define WOLFSSL_NO_SOCK diff --git a/src/ssl.c b/src/ssl.c index 80589ad5c..f7932a8b1 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -297,30 +297,36 @@ WC_RNG* wolfssl_make_rng(WC_RNG* rng, int* local); WC_RNG* wolfssl_make_rng(WC_RNG* rng, int* local) { WC_RNG* ret = NULL; - - /* Assume not local until one created. */ - *local = 0; - #ifdef WOLFSSL_SMALL_STACK + int freeRng = 0; + /* Allocate RNG object . */ - rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); + if (rng == NULL) { + rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); + freeRng = 1; + } #endif - /* Check we have a local RNG object and initialize. */ - if ((rng != NULL) && (wc_InitRng(rng) == 0)) { - ret = rng; - *local = 1; + + if (rng != NULL) { + if (wc_InitRng(rng) == 0) { + ret = rng; + *local = 1; + } + else { + WOLFSSL_MSG("Bad RNG Init"); +#ifdef WOLFSSL_SMALL_STACK + if (freeRng) { + XFREE(rng, NULL, DYNAMIC_TYPE_RNG); + rng = NULL; + } +#endif + } } if (ret == NULL) { - #ifdef HAVE_GLOBAL_RNG - WOLFSSL_MSG("Bad RNG Init, trying global"); - #endif - ret = wolfssl_make_global_rng(); - } - - if (ret != rng) { -#ifdef WOLFSSL_SMALL_STACK - XFREE(rng, NULL, DYNAMIC_TYPE_RNG); +#ifdef HAVE_GLOBAL_RNG + WOLFSSL_MSG("trying global RNG"); #endif + ret = wolfssl_make_global_rng(); } return ret; diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c index f8c77f641..a6bb24dab 100644 --- a/wolfcrypt/src/random.c +++ b/wolfcrypt/src/random.c @@ -147,12 +147,13 @@ This library contains implementation for the random number generator. #elif defined(WOLFSSL_IMXRT1170_CAAM) #elif defined(CY_USING_HAL) && defined(COMPONENT_WOLFSSL) #include "cyhal_trng.h" /* Infineon/Cypress HAL RNG implementation */ -#elif defined(WOLFSSL_GETRANDOM) - #include - #include #elif defined(WOLFSSL_MAX3266X) || defined(WOLFSSL_MAX3266X_OLD) #include "wolfssl/wolfcrypt/port/maxim/max3266x.h" #else + #if defined(WOLFSSL_GETRANDOM) || defined(HAVE_GETRANDOM) + #include + #include + #endif /* include headers that may be needed to get good seed */ #include #ifndef EBSNET @@ -306,7 +307,11 @@ This library contains implementation for the random number generator. #ifdef WC_RNG_SEED_CB +#ifndef HAVE_FIPS +static wc_RngSeed_Cb seedCb = wc_GenerateSeed; +#else static wc_RngSeed_Cb seedCb = NULL; +#endif int wc_SetSeed_Cb(wc_RngSeed_Cb cb) { @@ -3971,37 +3976,6 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz) return wc_MXC_TRNG_Random(output, sz); } -#elif defined(WOLFSSL_GETRANDOM) - - /* getrandom() was added to the Linux kernel in version 3.17. - * Added to glibc in version 2.25. */ - int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz) - { - int ret = 0; - (void)os; - - while (sz) { - int len; - - errno = 0; - len = (int)getrandom(output, sz, 0); - if (len == -1) { - if (errno == EINTR) { - /* interrupted, call getrandom again */ - continue; - } - else { - ret = READ_RAN_E; - } - break; - } - - sz -= len; - output += len; - } - return ret; - } - #elif defined(CY_USING_HAL) && defined(COMPONENT_WOLFSSL) /* Infineon/Cypress HAL RNG implementation */ @@ -4137,6 +4111,43 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz) } #endif /* HAVE_INTEL_RDSEED || HAVE_AMD_RDSEED */ + #if defined(WOLFSSL_GETRANDOM) || defined(HAVE_GETRANDOM) + { + word32 grSz = sz; + byte* grOutput = output; + + while (grSz) { + ssize_t len; + + errno = 0; + len = getrandom(grOutput, grSz, 0); + if (len == -1) { + if (errno == EINTR) { + /* interrupted, call getrandom again */ + continue; + } + else { + ret = READ_RAN_E; + } + break; + } + + grSz -= (word32)len; + grOutput += len; + } + if (ret == 0) + return ret; + #ifdef FORCE_FAILURE_GETRANDOM + /* don't fallback to /dev/urandom */ + return ret; + #else + /* reset error and fallback to using /dev/urandom */ + ret = 0; + #endif + } + #endif + +#ifndef NO_FILESYSTEM #ifndef NO_DEV_URANDOM /* way to disable use of /dev/urandom */ os->fd = open("/dev/urandom", O_RDONLY); #if defined(DEBUG_WOLFSSL) @@ -4176,6 +4187,9 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz) } } close(os->fd); +#else + ret = NOT_COMPILED_IN; +#endif /* NO_FILESYSTEM */ return ret; } diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 6b6f4e361..2aa67a4c0 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -2774,7 +2774,7 @@ static wc_test_ret_t _SaveDerAndPem(const byte* der, int derSz, } #endif -#ifdef WOLFSSL_DER_TO_PEM +#if defined(WOLFSSL_DER_TO_PEM) && !defined(NO_CERTS) if (filePem) { #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) XFILE pemFile;