Merge pull request #8331 from julek-wolfssl/bind-9.18.28

Bind 9.18.28 fixes
2025-07-31 11:17:29 +02:00 · 2025-01-24 11:37:26 -08:00
parent 2e87dfc207 829c2a022f
commit ba88a6454c
8 changed files with 141 additions and 22 deletions
--- a/.github/workflows/bind.yml
+++ b/.github/workflows/bind.yml
@ -0,0 +1,93 @@
+name: bind9 Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_wolfssl:
+    name: Build wolfSSL
+    if: github.repository_owner == 'wolfssl'
+    # Just to keep it the same as the testing target
+    runs-on: ubuntu-22.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 4
+    steps:
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: --enable-all
+          install: true
+          check: false
+
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
+      - name: Upload built lib
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolf-install-bind
+          path: build-dir.tgz
+          retention-days: 5
+
+  bind_check:
+    strategy:
+      fail-fast: false
+      matrix:
+        # List of releases to test
+        ref: [ 9.18.0, 9.18.28 ]
+    name: ${{ matrix.ref }}
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-22.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 10
+    needs: build_wolfssl
+    steps:
+      - name: Download lib
+        uses: actions/download-artifact@v4
+        with:
+          name: wolf-install-bind
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
+
+      - name: Install dependencies
+        run: |
+          # Don't prompt for anything
+          export DEBIAN_FRONTEND=noninteractive
+          sudo apt-get update
+          # hostap dependencies
+          sudo apt-get install -y libuv1-dev libnghttp2-dev libcap-dev libcmocka-dev
+
+      - name: Checkout OSP
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/osp
+          path: osp
+
+      - name: Checkout bind9
+        uses: actions/checkout@v4
+        with:
+          repository: isc-projects/bind9
+          path: bind
+          ref: v${{ matrix.ref }}
+
+      - name: Build and test bind9
+        working-directory: bind
+        run: |
+          export PKG_CONFIG_PATH=$GITHUB_WORKSPACE/build-dir/lib/pkgconfig
+          patch -p1 < $GITHUB_WORKSPACE/osp/bind9/${{ matrix.ref }}.patch
+          autoreconf -ivf
+          ./configure --with-wolfssl
+          sed -i 's/SUBDIRS = system//g' bin/tests/Makefile # remove failing tests
+          make -j V=1
+          make -j V=1 check
--- a/src/internal.c
+++ b/src/internal.c
@ -3023,7 +3023,16 @@ void FreeSSL_Ctx(WOLFSSL_CTX* ctx)

    if (isZero) {
        WOLFSSL_MSG("CTX ref count down to 0, doing full free");
-
+#if defined(OPENSSL_EXTRA) && defined(WOLFCRYPT_HAVE_SRP) && \
+    !defined(NO_SHA256) && !defined(WC_NO_RNG)
+        if (ctx->srp != NULL) {
+            XFREE(ctx->srp_password, ctx->heap, DYNAMIC_TYPE_SRP);
+            ctx->srp_password = NULL;
+            wc_SrpTerm(ctx->srp);
+            XFREE(ctx->srp, ctx->heap, DYNAMIC_TYPE_SRP);
+            ctx->srp = NULL;
+        }
+#endif
        SSL_CtxResourceFree(ctx);
 #if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER) && \
    !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) && !defined(NO_TLS)
--- a/src/pk.c
+++ b/src/pk.c
@ -12245,7 +12245,7 @@ int wolfSSL_i2o_ECPublicKey(const WOLFSSL_EC_KEY *key, unsigned char **out)
    if (ret == 1) {
    #ifdef HAVE_COMP_KEY
        /* Default to compressed form if not set */
-        form = (key->form != WC_POINT_CONVERSION_UNCOMPRESSED) ?
+        form = (key->form == WC_POINT_CONVERSION_UNCOMPRESSED) ?
               WC_POINT_CONVERSION_UNCOMPRESSED :
               WC_POINT_CONVERSION_COMPRESSED;
    #endif
--- a/src/ssl.c
+++ b/src/ssl.c
@ -1135,16 +1135,6 @@ void wolfSSL_CTX_free(WOLFSSL_CTX* ctx)
 {
    WOLFSSL_ENTER("wolfSSL_CTX_free");
    if (ctx) {
-#if defined(OPENSSL_EXTRA) && defined(WOLFCRYPT_HAVE_SRP) \
-&& !defined(NO_SHA256) && !defined(WC_NO_RNG)
-        if (ctx->srp != NULL) {
-            XFREE(ctx->srp_password, ctx->heap, DYNAMIC_TYPE_SRP);
-            ctx->srp_password = NULL;
-            wc_SrpTerm(ctx->srp);
-            XFREE(ctx->srp, ctx->heap, DYNAMIC_TYPE_SRP);
-            ctx->srp = NULL;
-        }
-#endif
        FreeSSL_Ctx(ctx);
    }

--- a/src/x509_str.c
+++ b/src/x509_str.c
@ -1473,13 +1473,6 @@ int wolfSSL_X509_STORE_set_flags(WOLFSSL_X509_STORE* store, unsigned long flag)
    return ret;
 }

-
-int wolfSSL_X509_STORE_set_default_paths(WOLFSSL_X509_STORE* store)
-{
-    (void)store;
-    return WOLFSSL_SUCCESS;
-}
-
 int X509StoreLoadCertBuffer(WOLFSSL_X509_STORE *str,
                                        byte *buf, word32 bufLen, int type)
 {
@ -1559,6 +1552,8 @@ static int X509StoreLoadFile(WOLFSSL_X509_STORE *str,
    static_buffer_init(&content, stackBuffer, FILE_BUFFER_SIZE);
 #endif

+    WOLFSSL_MSG_EX("X509StoreLoadFile: Loading file: %s", fname);
+
    ret = X509StoreReadFile(fname, &content, &contentLen, &type);
    if (ret != WOLFSSL_SUCCESS) {
        WOLFSSL_MSG("Failed to load file");
@ -1680,6 +1675,27 @@ WOLFSSL_API int wolfSSL_X509_STORE_load_locations(WOLFSSL_X509_STORE *str,

    return ret;
 }
+
+#if defined(XGETENV) && !defined(NO_GETENV)
+int wolfSSL_X509_STORE_set_default_paths(WOLFSSL_X509_STORE *str)
+{
+    int ret = WC_NO_ERR_TRACE(WOLFSSL_FAILURE);
+    char* certDir = NULL;
+    char* certFile = NULL;
+
+    WOLFSSL_ENTER("wolfSSL_X509_STORE_set_default_paths");
+
+    certFile = wc_strdup_ex(XGETENV("SSL_CERT_FILE"), DYNAMIC_TYPE_TMP_BUFFER);
+    certDir = wc_strdup_ex(XGETENV("SSL_CERT_DIR"), DYNAMIC_TYPE_TMP_BUFFER);
+
+    ret = wolfSSL_X509_STORE_load_locations(str, certFile, certDir);
+
+    XFREE(certFile, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(certDir, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    return ret;
+}
+#endif /* XGETENV && !NO_GETENV */
+
 #endif /* !NO_FILESYSTEM && !NO_WOLFSSL_DIR */

 int wolfSSL_X509_CA_num(WOLFSSL_X509_STORE* store)
--- a/tests/api.c
+++ b/tests/api.c
@ -62482,6 +62482,15 @@ static int test_wolfSSL_X509_STORE_load_locations(void)
    ExpectIntEQ(X509_STORE_load_locations(store, NULL, certs_path),
        WOLFSSL_SUCCESS);

+#if defined(XGETENV) && !defined(NO_GETENV) && defined(_POSIX_C_SOURCE) && \
+    _POSIX_C_SOURCE >= 200112L
+    ExpectIntEQ(wolfSSL_CTX_UnloadCAs(ctx), WOLFSSL_SUCCESS);
+    /* Test with env vars */
+    ExpectIntEQ(setenv("SSL_CERT_FILE", client_pem_file, 1), 0);
+    ExpectIntEQ(setenv("SSL_CERT_DIR", certs_path, 1), 0);
+    ExpectIntEQ(X509_STORE_set_default_paths(store), WOLFSSL_SUCCESS);
+#endif
+
 #if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE)
    /* Clear nodes */
    ERR_clear_error();
--- a/wolfssl/openssl/ssl.h
+++ b/wolfssl/openssl/ssl.h
@ -790,6 +790,7 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
 #define X509_VERIFY_PARAM_lookup        wolfSSL_X509_VERIFY_PARAM_lookup
 #define X509_VERIFY_PARAM_inherit       wolfSSL_X509_VERIFY_PARAM_inherit
 #define X509_STORE_load_locations       wolfSSL_X509_STORE_load_locations
+#define X509_STORE_set_default_paths    wolfSSL_X509_STORE_set_default_paths
 #define X509_STORE_get0_param           wolfSSL_X509_STORE_get0_param

 #define X509_LOOKUP_add_dir             wolfSSL_X509_LOOKUP_add_dir
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@ -2266,9 +2266,8 @@ WOLFSSL_API WOLFSSL_X509_STORE_CTX *wolfSSL_X509_STORE_CTX_get0_parent_ctx(
                                                   WOLFSSL_X509_STORE_CTX *ctx);
 WOLFSSL_API int wolfSSL_X509_STORE_set_flags(WOLFSSL_X509_STORE* store,
                                                            unsigned long flag);
-WOLFSSL_API int          wolfSSL_X509_STORE_set_default_paths(WOLFSSL_X509_STORE* store);
-WOLFSSL_API int          wolfSSL_X509_STORE_get_by_subject(WOLFSSL_X509_STORE_CTX* ctx,
-                                   int idx, WOLFSSL_X509_NAME* name, WOLFSSL_X509_OBJECT* obj);
+WOLFSSL_API int wolfSSL_X509_STORE_get_by_subject(WOLFSSL_X509_STORE_CTX* ctx,
+                    int idx, WOLFSSL_X509_NAME* name, WOLFSSL_X509_OBJECT* obj);
 WOLFSSL_API WOLFSSL_X509_VERIFY_PARAM *wolfSSL_X509_STORE_CTX_get0_param(
        WOLFSSL_X509_STORE_CTX *ctx);
 WOLFSSL_API int  wolfSSL_X509_STORE_CTX_init(WOLFSSL_X509_STORE_CTX* ctx,
@ -2670,6 +2669,7 @@ enum {
 #define SSL_WRITING  WOLFSSL_WRITING
 #define SSL_READING  WOLFSSL_READING
 #define SSL_MAX_SSL_SESSION_ID_LENGTH  WOLFSSL_MAX_SSL_SESSION_ID_LENGTH
+#define SSL_MAX_SID_CTX_LENGTH  WOLFSSL_MAX_SSL_SESSION_ID_LENGTH

 #ifdef HAVE_OCSP
    /* OCSP Flags */
@ -5781,6 +5781,7 @@ WOLFSSL_API WOLF_STACK_OF(WOLFSSL_COMP) *WOLFSSL_COMP_get_compression_methods(vo
 #define SSL_COMP_get_compression_methods WOLFSSL_COMP_get_compression_methods
 #endif
 WOLFSSL_API int wolfSSL_X509_STORE_load_locations(WOLFSSL_X509_STORE *str, const char *file, const char *dir);
+WOLFSSL_API int wolfSSL_X509_STORE_set_default_paths(WOLFSSL_X509_STORE *str);
 WOLFSSL_API int wolfSSL_X509_STORE_add_crl(WOLFSSL_X509_STORE *ctx, WOLFSSL_X509_CRL *x);
 WOLFSSL_API int wolfSSL_sk_SSL_CIPHER_num(const WOLF_STACK_OF(WOLFSSL_CIPHER)* p);
 WOLFSSL_API int wolfSSL_sk_SSL_CIPHER_find(