Merge branch 'wolfSSL:master' into zig-pkg

kassane · Apr 8, 2024 · 1ee08a2 · 1ee08a2
2 parents 4f66a09 + d1efccd
commit 1ee08a2
Show file tree

Hide file tree

Showing 74 changed files with 3,999 additions and 1,379 deletions.
diff --git a/.cyignore b/.cyignore
@@ -0,0 +1,40 @@
+# wolfSSL folders
+$(SEARCH_wolfssl)/IDE
+$(SEARCH_wolfssl)/examples
+$(SEARCH_wolfssl)/linuxkm
+$(SEARCH_wolfssl)/mcapi
+$(SEARCH_wolfssl)/mplabx
+$(SEARCH_wolfssl)/mqx
+$(SEARCH_wolfssl)/tirtos
+$(SEARCH_wolfssl)/tests
+$(SEARCH_wolfssl)/testsuite
+$(SEARCH_wolfssl)/wolfcrypt/src/port/autosar
+$(SEARCH_wolfssl)/zephyr
+
+# wolfSSL files
+$(SEARCH_wolfssl)/wolfcrypt/src/aes_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/aes_xts_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/aes_gcm_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/aes_gcm_x86_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/chacha_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/fe_x25519_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/poly1305_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/sha256_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/sha512_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/sha3_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/sm3_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/sp_x86_64_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/sp_sm2_x86_64_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/wc_kyber_asm.S
+
+$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/armv8-32-aes-asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/armv8-32-curve25519.S
+$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/armv8-32-sha256-asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/armv8-32-sha512-asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/armv8-curve25519.S
+$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/armv8-sha3-asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/armv8-sha512-asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/thumb2-aes-asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/thumb2-curve25519.S
+$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/thumb2-sha256-asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/thumb2-sha512-asm.S
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -42,11 +42,14 @@ jobs:
         uses: ./.github/workflows/packaging.yml
     memcached:
         uses: ./.github/workflows/memcached.yml
-# TODO: Currently this test fails. Enable it once it becomes passing.        
-#    libssh2:
-#        uses: ./.github/workflows/libssh2.yml
+    libssh2:
+        uses: ./.github/workflows/libssh2.yml
     openssh:
         uses: ./.github/workflows/openssh.yml
 # TODO: Currently this test fails. Enable it once it becomes passing.        
 #    haproxy:
 #        uses: ./.github/workflows/haproxy.yml
+    ocsp:
+        uses: ./.github/workflows/ocsp.yml
+    no-malloc:
+        uses: ./.github/workflows/no-malloc.yml
diff --git a/.github/workflows/no-malloc.yml b/.github/workflows/no-malloc.yml
@@ -0,0 +1,34 @@
+name: No Malloc Tests
+
+on:
+  workflow_call:
+
+jobs:
+  make_check:
+    strategy:
+      matrix:
+        config: [
+          # Add new configs here
+          '--enable-rsa --enable-keygen --disable-dh CFLAGS="-DWOLFSSL_NO_MALLOC"',
+        ]
+    name: make check
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 6
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout wolfSSL
+
+      - name: Test wolfSSL
+        run: |
+          ./autogen.sh
+          ./configure ${{ matrix.config }}
+          make
+          ./wolfcrypt/test/testwolfcrypt
+
+      - name: Print errors 
+        if: ${{ failure() }}
+        run: |
+          if [ -f test-suite.log ] ; then
+            cat test-suite.log
+          fi
diff --git a/.github/workflows/ocsp.yml b/.github/workflows/ocsp.yml
@@ -0,0 +1,28 @@
+name: OCSP Test
+
+on:
+  workflow_call:
+
+jobs:
+  ocsp_stapling:
+    name: ocsp stapling
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout wolfSSL
+        uses: actions/checkout@v4
+
+      - name: Build wolfSSL
+        run: autoreconf -ivf && ./configure --enable-ocsp --enable-ocspstapling && make
+
+      - name: Start OCSP responder 1
+        run: openssl ocsp -port 22221 -ndays 1000 -index certs/ocsp/index-intermediate1-ca-issued-certs.txt -rsigner certs/ocsp/ocsp-responder-cert.pem -rkey certs/ocsp/ocsp-responder-key.pem -CA certs/ocsp/intermediate1-ca-cert.pem &
+
+      - name: Start OCSP responder 2
+        run: openssl ocsp -port 22220 -ndays 1000 -index certs/ocsp/index-ca-and-intermediate-cas.txt -rsigner certs/ocsp/ocsp-responder-cert.pem -rkey certs/ocsp/ocsp-responder-key.pem -CA certs/ocsp/root-ca-cert.pem &
+
+      - name: Start TLS server
+        run: ./examples/server/server -p 11111 -c ./certs/ocsp/server1-cert.pem -k ./certs/ocsp/server1-key.pem -d &
+
+      - name: Test Look Up
+        run: ./examples/client/client -A ./certs/ocsp/root-ca-cert.pem -o
diff --git a/.github/workflows/openvpn.yml b/.github/workflows/openvpn.yml
@@ -34,7 +34,7 @@ jobs:
     name: ${{ matrix.ref }}
     runs-on: ubuntu-latest
     # This should be a safe limit for the tests to run.
-    timeout-minutes: 6
+    timeout-minutes: 10
     needs: build_wolfssl
     steps:
       - name: Download lib

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -1216,6 +1216,14 @@ if(WOLFSSL_OPENSSH OR
     override_cache(WOLFSSL_DES3 "yes")
 endif()
 
+# DES3 TLS Suites
+set(WOLFSSL_DES3_TLS_SUITES_STRING "Enable DES3 TLS cipher suites (default: disabled)")
+add_option("WOLFSSL_DES3_TLS_SUITES" ${WOLFSSL_DES3_TLS_SUITES_STRING} "no" "yes;no")
+
+if(NOT WOLFSSL_DES3_TLS_SUITES)
+    list(APPEND WOLFSSL_DEFINITIONS "-DNO_DES3_TLS_SUITES")
+endif()
+
 # ARC4
 set(WOLFSSL_ARC4_HELP_STRING "Enable ARC4 (default: disabled)")
 add_option("WOLFSSL_ARC4" ${WOLFSSL_ARC4_HELP_STRING} "no" "yes;no")

diff --git a/Docker/Dockerfile b/Docker/Dockerfile
@@ -10,7 +10,7 @@ ARG DEPS_WOLFSSL="build-essential autoconf libtool clang clang-tools zlib1g-dev
 ARG DEPS_LIBOQS="astyle cmake gcc ninja-build libssl-dev python3-pytest python3-pytest-xdist unzip xsltproc doxygen graphviz python3-yaml valgrind git"
 ARG DEPS_UDP_PROXY="wget libevent-dev"
 ARG DEPS_TESTS="abi-dumper libcurl4-openssl-dev tcpdump libpsl-dev python3-pandas python3-tabulate libnl-genl-3-dev libcap-ng-dev"
-ARG DEPS_TOOLS="ccache"
+ARG DEPS_TOOLS="ccache clang-tidy maven"
 RUN DEBIAN_FRONTEND=noninteractive apt update && apt install -y apt-utils \
                     && apt install -y ${DEPS_WOLFSSL} ${DEPS_LIBOQS} ${DEPS_UDP_PROXY} ${DEPS_TESTS} ${DEPS_TOOLS} \
                     && apt clean -y && rm -rf /var/lib/apt/lists/*

diff --git a/Docker/Dockerfile.cross-compiler b/Docker/Dockerfile.cross-compiler
@@ -3,7 +3,7 @@ FROM $DOCKER_BASE_IMAGE
 
 USER root
 
-ARG DEPS_TESTING="gcc-arm-linux-gnueabi gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu"
+ARG DEPS_TESTING="gcc-arm-linux-gnueabi gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu gcc-powerpc-linux-gnu gcc-powerpc64-linux-gnu"
 RUN DEBIAN_FRONTEND=noninteractive apt update \
                     && apt install -y ${DEPS_TESTING} \
                     && apt clean -y && rm -rf /var/lib/apt/lists/*

diff --git a/Docker/yocto/Dockerfile b/Docker/yocto/Dockerfile
@@ -19,7 +19,7 @@ WORKDIR /opt/poky
 ARG YOCTO_VERSION=kirkstone
 RUN git checkout -t origin/${YOCTO_VERSION} -b ${YOCTO_VERSION} && git pull
 
-RUN git clone --single-branch --branch=${YOCTO_VERSION} https://github.com/wolfSSL/meta-wolfssl.git && \
+RUN git clone --single-branch --branch=master https://github.com/wolfssl/meta-wolfssl.git && \
     /bin/bash -c "source oe-init-build-env" && \
     echo 'IMAGE_INSTALL:append = " wolfssl wolfclu wolfssh wolfmqtt wolftpm wolfclu "' >> /opt/poky/build/conf/local.conf && \
     sed -i '/\/opt\/poky\/meta-poky \\/a \\t/opt/poky/meta-wolfssl \\' /opt/poky/build/conf/bblayers.conf

diff --git a/IDE/Infineon/README.md b/IDE/Infineon/README.md
@@ -0,0 +1,33 @@
+# Infineon Modus Toolbox
+
+Steps for building wolfSSL/wolfTPM with the Infineon Modus Toolbox examples:
+
+1) Add Dependency:
+
+In "deps" folder add wolfssl.mtb containing:
+
+```
+https://github.com/wolfssl/wolfssl#v5.7.0-stable#$$ASSET_REPO$$/wolfssl/wolfssl-stable
+```
+
+For wolfTPM add wolftpm.mtb containing:
+
+```
+https://github.com/wolfssl/wolftpm#master#$$ASSET_REPO$$/wolftpm/wolftpm-stable
+```
+
+2) Add components:
+In `Makefile` under `COMPONENTS` add `WOLFSSL` and `WOLFTPM`.
+
+3) Add defines:
+
+Add `DEFINES+=WOLFSSL_USER_SETTINGS WOLFTPM_USER_SETTINGS` in Makefile.
+
+4) Build settings:
+
+Add a `user_settings.h` file for wolfSSL/wolfTPM build settings into `config` directory.
+A template is provided here in `IDE/Infineon/user_settings.h`.
+
+5) Ignores:
+
+The required library ignores are found in the `.cyignore` file in the wolfSSL and wolfTPM root.
diff --git a/IDE/Infineon/include.am b/IDE/Infineon/include.am
@@ -0,0 +1,7 @@
+# vim:ft=automake
+# included from Top Level Makefile.am
+# All paths should be given relative to the root
+
+EXTRA_DIST += \
+    IDE/Infineon/README.md \
+    IDE/Infineon/user_settings.h
diff --git a/IDE/Infineon/user_settings.h b/IDE/Infineon/user_settings.h
@@ -0,0 +1,168 @@
+/* user_settings.h
+ *
+ * Copyright (C) 2006-2024 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* Example build settings for Infineon Modus Toolbox */
+/* Enables wolfSSL TLS v1.2-v1.3 and TPM support */
+/* SHA-1, SHA-2, AES CBC/GCM, ECDHE, ECDSA, RSA, HMAC, HKDF */
+
+#ifndef WOLF_USER_SETTINGS_TPM_H
+#define WOLF_USER_SETTINGS_TPM_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Platform / Porting */
+#define NO_FILESYSTEM /* File system disable */
+#define SINGLE_THREADED /* No threading */
+#define WOLFSSL_USER_IO /* user recv/send callbacks for network IO */
+#define NO_WRITEV
+#define NO_MAIN_DRIVER
+#define WOLFSSL_IGNORE_FILE_WARN /* ignore file include warnings */
+#define WOLFSSL_SMALL_STACK /* limit stack usage */
+#define BENCH_EMBEDDED
+
+/* TLS (allow TLS v1.3 or v1.2) */
+#define WOLFSSL_TLS13
+//#define WOLFSSL_NO_TLS12
+#define NO_OLD_TLS
+#define WOLFSSL_EITHER_SIDE /* allow context to be created for either server or client */
+
+#define HAVE_TLS_EXTENSIONS
+#define HAVE_SUPPORTED_CURVES
+#define HAVE_SERVER_RENEGOTIATION_INFO
+#define HAVE_ENCRYPT_THEN_MAC
+
+#ifdef WOLFSSL_TLS13
+    #define HAVE_HKDF
+    #define WC_RSA_PSS
+    #define WOLFSSL_PSS_LONG_SALT
+#endif
+
+/* Enable crypto callbacks - for TPM offloading */
+#define WOLF_CRYPTO_CB
+
+/* Enable SP math all (sp_int.c) with multi-precision support */
+#define WOLFSSL_SP_MATH_ALL
+
+#if 1
+    /* Single Precision math for ECC 256 and RSA 2048 */
+    #define WOLFSSL_HAVE_SP_RSA
+    #define WOLFSSL_HAVE_SP_ECC
+    #define WOLFSSL_SP_SMALL
+#endif
+
+#if 0
+    /* only single precision math */
+    #define WOLFSSL_SP_MATH
+#endif
+
+/* Enable hardening (timing resistance) */
+#define TFM_TIMING_RESISTANT
+#define ECC_TIMING_RESISTANT
+#define WC_RSA_BLINDING
+
+/* Enable PRNG (SHA2-256) */
+#define HAVE_HASHDRBG
+
+/* Asymmetric */
+#if 1 /* RSA - needed to encrypt salt */
+    #undef  NO_RSA
+    #ifdef USE_LOW_RESOURCE
+        #define WOLFSSL_RSA_PUBLIC_ONLY
+        #define WOLFSSL_RSA_VERIFY_INLINE
+        #define NO_CHECK_PRIVATE_KEY
+    #endif
+#else
+    #define NO_RSA
+#endif
+
+#if 1 /* ECC - needed for encrypt ECC salt */
+    #define HAVE_ECC
+    #define ECC_USER_CURVES /* default to only SECP256R1 */
+#endif
+
+#if 0 /* DH - TPM doesn't support it */
+    #undef  NO_DH
+    #define HAVE_FFDHE_2048
+    #define HAVE_DH_DEFAULT_PARAMS
+#else
+    #define NO_DH
+#endif
+
+/* Symmetric Hash */
+#undef NO_SHA /* allow SHA-1 */
+#undef NO_SHA256 /* allow SHA2-256 */
+#define WOLFSSL_SHA384
+#define WOLFSSL_SHA512
+
+/* Symmetric Cipher */
+#define WOLFSSL_AES_CFB
+#define HAVE_AES_DECRYPT
+
+#define HAVE_AES_KEYWRAP
+#define WOLFSSL_AES_DIRECT
+#define HAVE_AESGCM
+#define GCM_TABLE_4BIT
+
+/* Features */
+#define WOLFSSL_ASN_TEMPLATE
+
+#define WOLFSSL_CERT_GEN
+#define WOLFSSL_CERT_REQ
+#define WOLFSSL_CERT_EXT
+
+#define HAVE_PKCS7
+#define HAVE_X963_KDF
+#define WOLFSSL_BASE64_ENCODE
+
+#if 1
+    #define HAVE_SESSION_TICKETS
+    #define SMALL_SESSION_CACHE
+#else
+    #define NO_SESSION_CACHE
+#endif
+
+/* Disables */
+#define NO_PKCS8
+#define NO_PKCS12
+#define NO_PWDBASED
+#define NO_DSA
+#define NO_DES3
+#define NO_RC4
+#define NO_PSK
+#define NO_MD4
+#define NO_MD5
+#define WOLFSSL_NO_SHAKE128
+#define WOLFSSL_NO_SHAKE256
+
+/* Logging */
+#ifdef ENABLE_SECURE_SOCKETS_LOGS
+    #define DEBUG_WOLFSSL
+#else
+    #define NO_ERROR_STRINGS
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* WOLF_USER_SETTINGS_TPM_H */
diff --git a/IDE/include.am b/IDE/include.am
@@ -60,6 +60,7 @@ include IDE/apple-universal/include.am
 include IDE/MPLABX16/include.am
 include IDE/MPLABX16/wolfssl.X/nbproject/include.am
 include IDE/MPLABX16/wolfcrypt_test.X/nbproject/include.am
+include IDE/Infineon/include.am
 
 EXTRA_DIST+= IDE/IAR-EWARM IDE/MDK-ARM IDE/MYSQL IDE/LPCXPRESSO IDE/HEXIWEAR IDE/Espressif
 EXTRA_DIST+= IDE/OPENSTM32/README.md