Merge pull request #8879 from julek-wolfssl/openssh-10.0p2

Updates for OpenSSH 10.0p2

.github/workflows/openssh.yml

@@ -45,9 +45,31 @@ jobs:
       fail-fast: false
       matrix:
         include:
+          # A good way to measure how much each test takes is to create a bash script
+          # in the openssh root like this (make it executable):
+          # time-measure.sh
+          #   #!/bin/bash
+          #   /usr/bin/time -a -o /tmp/LTESTS-times.txt -f '%e %C' /usr/bin/bash "$@"
+          # And invoke the openssh tests like this:
+          #   rm -f /tmp/LTESTS-times.txt && \
+          #     make tests TEST_SHELL=$(pwd)/time-measure.sh SKIP_UNIT=yes && \
+          #     grep test-exec.sh /tmp/LTESTS-times.txt
           - git_ref: 'V_9_6_P1'
             osp_ver: '9.6'
-    name: ${{ matrix.ref }}
+            SKIP_LTESTS: >-
+              exit-status rekey multiplex cert-userkey forward-control integrity
+              channel-timeout connection-timeout
+          - git_ref: 'V_9_9_P2'
+            osp_ver: '9.9p2'
+            SKIP_LTESTS: >-
+              exit-status rekey multiplex cert-userkey forward-control integrity
+              channel-timeout connection-timeout
+          - git_ref: 'V_10_0_P2'
+            osp_ver: '10.0p2'
+            SKIP_LTESTS: >-
+              exit-status rekey multiplex forward-control channel-timeout
+              connection-timeout
+    name: ${{ matrix.osp_ver }}
     if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-22.04
     needs: build_wolfssl
@@ -80,5 +102,4 @@ jobs:
       - name: Run tests
         working-directory: ./openssh
         run: |
-          # Run all the tests except (t-exec) as it takes too long
-          make file-tests interop-tests extra-tests unit
+          make tests SKIP_LTESTS='${{ matrix.SKIP_LTESTS }}'

.wolfssl_known_macro_extras

@@ -205,6 +205,7 @@ ESP_PLATFORM
 ESP_TASK_MAIN_STACK
 ETHERNET_AVAILABLE
 EV_TRIGGER
+FORCE_FAILURE_GETRANDOM
 FP_ECC_CONTROL
 FREERTOS_TCP_WINSIM
 FREESCALE

configure.ac

@@ -129,7 +129,7 @@ AC_CHECK_HEADER(assert.h, [AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSL_HAVE_ASSERT_H"],[
 # check if functions of interest are linkable, but also check if
 # they're declared by the expected headers, and if not, supersede the
 # unusable positive from AC_CHECK_FUNCS().
-AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday gmtime_r gmtime_s inet_ntoa memset socket strftime atexit isascii getpid])
+AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday gmtime_r gmtime_s inet_ntoa memset socket strftime atexit isascii getpid getrandom])
 AC_CHECK_DECLS([gethostbyname, getaddrinfo, gettimeofday, gmtime_r, gmtime_s, inet_ntoa, memset, socket, strftime, atexit, isascii, getpid], [], [
 if test "$(eval echo \$"$(eval 'echo ac_cv_func_${as_decl_name}')")" = "yes"
 then
@@ -2138,6 +2138,12 @@ AC_ARG_ENABLE([openssh],
     [ENABLED_OPENSSH=$enableval],
     [ENABLED_OPENSSH=no])
 
+if test "$ENABLED_OPENSSH" = "yes"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_OPENSSH -DHAVE_EX_DATA -DWOLFSSL_BASE16"
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ERROR_CODE_OPENSSL -DWC_RNG_SEED_CB"
+fi
+
 # OpenVPN compatibility Build
 AC_ARG_ENABLE([openvpn],
     [AS_HELP_STRING([--enable-openvpn],[Enable OpenVPN compatibility build (default: disabled)])],
@@ -2249,6 +2255,11 @@ AC_ARG_ENABLE([fortress],
     [ ENABLED_FORTRESS=no ]
     )
 
+if test "$ENABLED_OPENSSH" = "yes"
+then
+    ENABLED_FORTRESS="yes"
+fi
+
 # libwebsockets Support
 AC_ARG_ENABLE([libwebsockets],
     [AS_HELP_STRING([--enable-libwebsockets],[Enable libwebsockets (default: disabled)])],
@@ -2260,14 +2271,6 @@ then
     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LIBWEBSOCKETS -DHAVE_EX_DATA -DOPENSSL_NO_EC"
 fi
 
-
-if test "$ENABLED_OPENSSH" = "yes"
-then
-    ENABLED_FORTRESS="yes"
-    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_OPENSSH -DHAVE_EX_DATA -DWOLFSSL_BASE16"
-    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ERROR_CODE_OPENSSL"
-fi
-
 # net-snmp Build
 AC_ARG_ENABLE([net-snmp],
     [AS_HELP_STRING([--enable-net-snmp],[Enable net-snmp (default: disabled)])],

examples/configs/user_settings_tls12.h

@@ -44,7 +44,6 @@ extern "C" {
 #define WOLFSSL_USER_IO
 #define WOLFSSL_IGNORE_FILE_WARN /* ignore file includes not required */
 //#define WOLFSSL_SMALL_STACK /* option to reduce stack size, offload to heap */
-#define NO_FILESYSTEM
 #define NO_WRITEV
 #define NO_SIG_WRAPPER
 

examples/configs/user_settings_wolfboot_keytools.h

@@ -91,7 +91,6 @@
 #define NO_DES3
 #define NO_PWDBASED
 #define NO_WRITEV
-#define NO_FILESYSTEM
 #define NO_OLD_RNGNAME
 #define NO_WOLFSSL_DIR
 #define WOLFSSL_NO_SOCK

src/ssl.c

@@ -297,30 +297,36 @@ WC_RNG* wolfssl_make_rng(WC_RNG* rng, int* local);
 WC_RNG* wolfssl_make_rng(WC_RNG* rng, int* local)
 {
     WC_RNG* ret = NULL;
-
-    /* Assume not local until one created. */
-    *local = 0;
-
 #ifdef WOLFSSL_SMALL_STACK
+    int freeRng = 0;
+
     /* Allocate RNG object . */
-    rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG);
+    if (rng == NULL) {
+        rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG);
+        freeRng = 1;
+    }
 #endif
-    /* Check we have a local RNG object and initialize. */
-    if ((rng != NULL) && (wc_InitRng(rng) == 0)) {
-        ret = rng;
-        *local = 1;
+
+    if (rng != NULL) {
+        if (wc_InitRng(rng) == 0) {
+            ret = rng;
+            *local = 1;
+        }
+        else {
+            WOLFSSL_MSG("Bad RNG Init");
+#ifdef WOLFSSL_SMALL_STACK
+            if (freeRng) {
+                XFREE(rng, NULL, DYNAMIC_TYPE_RNG);
+                rng = NULL;
+            }
+#endif
+        }
     }
     if (ret == NULL) {
-    #ifdef HAVE_GLOBAL_RNG
-        WOLFSSL_MSG("Bad RNG Init, trying global");
-    #endif
-        ret = wolfssl_make_global_rng();
-    }
-
-    if (ret != rng) {
-#ifdef WOLFSSL_SMALL_STACK
-        XFREE(rng, NULL, DYNAMIC_TYPE_RNG);
+#ifdef HAVE_GLOBAL_RNG
+        WOLFSSL_MSG("trying global RNG");
 #endif
+        ret = wolfssl_make_global_rng();
     }
 
     return ret;

wolfcrypt/src/random.c

@@ -147,12 +147,13 @@ This library contains implementation for the random number generator.
 #elif defined(WOLFSSL_IMXRT1170_CAAM)
 #elif defined(CY_USING_HAL) && defined(COMPONENT_WOLFSSL)
     #include "cyhal_trng.h" /* Infineon/Cypress HAL RNG implementation */
-#elif defined(WOLFSSL_GETRANDOM)
-    #include <errno.h>
-    #include <sys/random.h>
 #elif defined(WOLFSSL_MAX3266X) || defined(WOLFSSL_MAX3266X_OLD)
     #include "wolfssl/wolfcrypt/port/maxim/max3266x.h"
 #else
+    #if defined(WOLFSSL_GETRANDOM) || defined(HAVE_GETRANDOM)
+        #include <errno.h>
+        #include <sys/random.h>
+    #endif
     /* include headers that may be needed to get good seed */
     #include <fcntl.h>
     #ifndef EBSNET
@@ -306,7 +307,11 @@ This library contains implementation for the random number generator.
 
 #ifdef WC_RNG_SEED_CB
 
+#ifndef HAVE_FIPS
+static wc_RngSeed_Cb seedCb = wc_GenerateSeed;
+#else
 static wc_RngSeed_Cb seedCb = NULL;
+#endif
 
 int wc_SetSeed_Cb(wc_RngSeed_Cb cb)
 {
@@ -3971,37 +3976,6 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
         return wc_MXC_TRNG_Random(output, sz);
     }
 
-#elif defined(WOLFSSL_GETRANDOM)
-
-    /* getrandom() was added to the Linux kernel in version 3.17.
-     * Added to glibc in version 2.25. */
-    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
-    {
-        int ret = 0;
-        (void)os;
-
-        while (sz) {
-            int len;
-
-            errno = 0;
-            len = (int)getrandom(output, sz, 0);
-            if (len == -1) {
-                if (errno == EINTR) {
-                    /* interrupted, call getrandom again */
-                    continue;
-                }
-                else {
-                    ret = READ_RAN_E;
-                }
-                break;
-            }
-
-            sz     -= len;
-            output += len;
-        }
-        return ret;
-    }
-
 #elif defined(CY_USING_HAL) && defined(COMPONENT_WOLFSSL)
 
     /* Infineon/Cypress HAL RNG implementation */
@@ -4137,6 +4111,43 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
         }
     #endif /* HAVE_INTEL_RDSEED || HAVE_AMD_RDSEED */
 
+    #if defined(WOLFSSL_GETRANDOM) || defined(HAVE_GETRANDOM)
+        {
+            word32 grSz = sz;
+            byte* grOutput = output;
+
+            while (grSz) {
+                ssize_t len;
+
+                errno = 0;
+                len = getrandom(grOutput, grSz, 0);
+                if (len == -1) {
+                    if (errno == EINTR) {
+                        /* interrupted, call getrandom again */
+                        continue;
+                    }
+                    else {
+                        ret = READ_RAN_E;
+                    }
+                    break;
+                }
+
+                grSz     -= (word32)len;
+                grOutput += len;
+            }
+            if (ret == 0)
+                return ret;
+        #ifdef FORCE_FAILURE_GETRANDOM
+            /* don't fallback to /dev/urandom */
+            return ret;
+        #else
+            /* reset error and fallback to using /dev/urandom */
+            ret = 0;
+        #endif
+        }
+    #endif
+
+#ifndef NO_FILESYSTEM
     #ifndef NO_DEV_URANDOM /* way to disable use of /dev/urandom */
         os->fd = open("/dev/urandom", O_RDONLY);
         #if defined(DEBUG_WOLFSSL)
@@ -4176,6 +4187,9 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
             }
         }
         close(os->fd);
+#else
+        ret = NOT_COMPILED_IN;
+#endif /* NO_FILESYSTEM */
 
         return ret;
     }

wolfcrypt/test/test.c

@@ -2774,7 +2774,7 @@ static wc_test_ret_t _SaveDerAndPem(const byte* der, int derSz,
     }
 #endif
 
-#ifdef WOLFSSL_DER_TO_PEM
+#if defined(WOLFSSL_DER_TO_PEM) && !defined(NO_CERTS)
     if (filePem) {
     #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
         XFILE pemFile;