Merge branch 'master' of github.com:ColtonWilley/wolfProvider into wp_rsa_x931

Author: ColtonWilley

.github/workflows/curl.yml

@@ -0,0 +1,122 @@
+name: Curl Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_wolfprovider:
+    name: Build wolfProvider
+    runs-on: ubuntu-22.04
+    timeout-minutes: 20
+    strategy:
+      matrix:
+        wolfssl_ref: [ 'master', 'v5.7.4-stable' ]
+    steps:
+      - name: Checkout wolfProvider
+        uses: actions/checkout@v4
+
+      # Check if this version of wolfssl/wolfprovider has already been built,
+      # mark to cache these items on post if we do end up building
+      - name: Checking wolfSSL/wolfProvider in cache
+        uses: actions/cache@v4
+        id: wolfprov-cache
+        with:
+          path: |
+            wolfssl-source
+            wolfssl-install
+            wolfprov-install
+            provider.conf
+
+          key: wolfprov-${{ matrix.wolfssl_ref }}-${{ github.sha }}
+          lookup-only: true
+
+      # If wolfssl/wolfprovider have not yet been built, pull ossl from cache
+      - name: Checking OpenSSL in cache
+        if: steps.wolfprov-${{ matrix.wolfssl_ref }}-cache.hit != 'true'
+        uses: actions/cache@v4
+        id: openssl-cache
+        with:
+          path: |
+            openssl-source
+            openssl-install
+
+          key: ossl-depends
+
+      # If not yet built this version, build it now
+      - name: Build wolfProvider
+        if: steps.wolfprov-${{ matrix.wolfssl_ref }}-cache.hit != 'true'
+        run: |
+          WOLFSSL_TAG=${{ matrix.wolfssl_ref }} ./scripts/build-wolfprovider.sh
+          make check
+
+      - name: Print errors
+        if: ${{ failure() }}
+        run: |
+          if [ -f test-suite.log ] ; then
+            cat test-suite.log
+          fi
+
+  test_curl:
+    runs-on: ubuntu-22.04
+    needs: build_wolfprovider
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 20
+    strategy:
+      matrix:
+        curl_ref: [ 'master', 'curl-8_4_0' ]
+        wolfssl_ref: [ 'master', 'v5.7.4-stable' ]
+    steps:
+      - name: Retrieving OpenSSL from cache
+        uses: actions/cache/restore@v4
+        id: openssl-cache
+        with:
+          path: |
+            openssl-source
+            openssl-install
+
+          key: ossl-depends
+          fail-on-cache-miss: true
+
+      - name: Retrieving wolfSSL/wolfProvider from cache
+        uses: actions/cache/restore@v4
+        id: wolfprov-cache
+        with:
+          path: |
+            wolfssl-source
+            wolfssl-install
+            wolfprov-install
+            provider.conf
+
+          key: wolfprov-${{ matrix.wolfssl_ref }}-${{ github.sha }}
+          fail-on-cache-miss: true
+
+      - name: Install curl test dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install nghttp2 libpsl5 libpsl-dev python3-impacket
+
+      - name: Build curl
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          repository: curl/curl
+          path: curl
+          ref: ${{ matrix.curl_ref }}
+          configure: --with-openssl=$GITHUB_WORKSPACE/openssl-install/
+          check: false
+
+      - name: Test curl with wolfProvider
+        working-directory: curl
+        run: |
+          export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/wolfssl-install/lib:$GITHUB_WORKSPACE/openssl-install/lib64
+          export OPENSSL_CONF=$GITHUB_WORKSPACE/provider.conf
+          export OPENSSL_MODULES=$GITHUB_WORKSPACE/wolfprov-install/lib
+          make -j $(nproc) test-ci

.github/workflows/nginx.yml

@@ -0,0 +1,132 @@
+name: Nginx Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_wolfprovider:
+    name: Build wolfProvider
+    runs-on: ubuntu-22.04
+    timeout-minutes: 20
+    strategy:
+      matrix:
+        wolfssl_ref: [ 'master', 'v5.7.4-stable' ]
+    steps:
+      - name: Checkout wolfProvider
+        uses: actions/checkout@v4
+
+      # Check if this version of wolfssl/wolfprovider has already been built,
+      # mark to cache these items on post if we do end up building
+      - name: Checking wolfSSL/wolfProvider in cache
+        uses: actions/cache@v4
+        id: wolfprov-cache
+        with:
+          path: |
+            wolfssl-source
+            wolfssl-install
+            wolfprov-install
+            provider.conf
+
+          key: wolfprov-${{ matrix.wolfssl_ref }}-${{ github.sha }}
+          lookup-only: true
+
+      # If wolfssl/wolfprovider have not yet been built, pull ossl from cache
+      - name: Checking OpenSSL in cache
+        if: steps.wolfprov-${{ matrix.wolfssl_ref }}-cache.hit != 'true'
+        uses: actions/cache@v4
+        id: openssl-cache
+        with:
+          path: |
+            openssl-source
+            openssl-install
+
+          key: ossl-depends
+
+      # If not yet built this version, build it now
+      - name: Build wolfProvider
+        if: steps.wolfprov-${{ matrix.wolfssl_ref }}-cache.hit != 'true'
+        run: |
+          WOLFSSL_TAG=${{ matrix.wolfssl_ref }} ./scripts/build-wolfprovider.sh
+          make check
+
+      - name: Print errors
+        if: ${{ failure() }}
+        run: |
+          if [ -f test-suite.log ] ; then
+            cat test-suite.log
+          fi
+
+  test_nginx:
+    runs-on: ubuntu-22.04
+    needs: build_wolfprovider
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 20
+    strategy:
+      matrix:
+        nginx_ref: [ 'master', 'release-1.27.4' ]
+        wolfssl_ref: [ 'master', 'v5.7.4-stable' ]
+    steps:
+      - name: Retrieving OpenSSL from cache
+        uses: actions/cache/restore@v4
+        id: openssl-cache
+        with:
+          path: |
+            openssl-source
+            openssl-install
+
+          key: ossl-depends
+          fail-on-cache-miss: true
+
+      - name: Retrieving wolfSSL/wolfProvider from cache
+        uses: actions/cache/restore@v4
+        id: wolfprov-cache
+        with:
+          path: |
+            wolfssl-source
+            wolfssl-install
+            wolfprov-install
+            provider.conf
+
+          key: wolfprov-${{ matrix.wolfssl_ref }}-${{ github.sha }}
+          fail-on-cache-miss: true
+
+      - name: Install nginx dependencies
+        run: |
+          sudo cpan -iT Proc::Find Net::SSLeay IO::Socket::SSL
+
+      - name: Checkout nginx
+        uses: actions/checkout@v4
+        with:
+          repository: nginx/nginx
+          path: nginx
+          ref: ${{ matrix.nginx_ref }}
+
+      - name: Build nginx
+        working-directory: nginx
+        run: |
+          ./auto/configure --with-http_ssl_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --with-mail --with-mail_ssl_module
+          make -j
+
+      - name: Checkout nginx-tests
+        uses: actions/checkout@v4
+        with:
+          repository: nginx/nginx-tests
+          path: nginx-tests
+          ref: master
+
+      - name: Run nginx-tests with wolfProvider
+        working-directory: nginx-tests
+        run: |
+          export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/wolfssl-install/lib:$GITHUB_WORKSPACE/openssl-install/lib64
+          export OPENSSL_CONF=$GITHUB_WORKSPACE/provider.conf
+          export OPENSSL_MODULES=$GITHUB_WORKSPACE/wolfprov-install/lib
+          TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y TEST_NGINX_BINARY=../nginx/objs/nginx prove -v .

IDE/XCODE/build-wolfssl-framework.sh

@@ -29,7 +29,7 @@ SDK_OUTPUT_DIR=${OUTDIR}/xcframework
 CFLAGS_COMMON=""
 CPPFLAGS_COMMON=""
 # Base configure flags
-CONF_OPTS="--disable-shared --enable-static"
+CONF_OPTS="--disable-shared --enable-static --enable-armasm=no"
 
 helpFunction()
 {

README.md

@@ -71,7 +71,7 @@ sudo make install
 git clone https://github.com/wolfssl/wolfssl.git
 cd wolfssl
 ./autogen.sh
-./configure --enable-opensslcoexist --enable-cmac --enable-keygen --enable-sha --enable-des3 --enable-aesctr --enable-aesccm --enable-x963kdf --enable-compkey CPPFLAGS="-DHAVE_AES_ECB -DWOLFSSL_AES_DIRECT -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DECC_MIN_KEY_SZ=192 -DHAVE_PUBLIC_FFDHE -DWOLFSSL_DH_EXTRA -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER -DRSA_MIN_SIZE=1024" --enable-certgen --enable-aeskeywrap --enable-enckeys --enable-base16
+./configure --enable-opensslcoexist --enable-cmac --enable-keygen --enable-sha --enable-des3 --enable-aesctr --enable-aesccm --enable-x963kdf --enable-compkey CPPFLAGS="-DHAVE_AES_ECB -DWOLFSSL_AES_DIRECT -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DHAVE_PUBLIC_FFDHE -DWOLFSSL_DH_EXTRA -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER -DRSA_MIN_SIZE=1024" --enable-certgen --enable-aeskeywrap --enable-enckeys --enable-base16 --with-eccminsz=192
 make
 sudo make install
 ```
@@ -86,10 +86,14 @@ Add `--enable-pwdbased` to the configure command above if PKCS#12 is used in Ope
 
 Add to CPPFLAGS `-DHAVE_FFDHE_6144 -DHAVE_FFDHE_8192 -DFP_MAX_BITS=16384` to enable predefined 6144-bit and 8192-bit DH parameters.
 
+Add to `--enable-hmac-copy` if performing HMAC repeatedly with the same key to improve performance. (Available with wolfSSL 5.7.8+.)
+
 Add `--enable-sp=yes,asm' '--enable-sp-math-all'` to use SP Integer maths. Replace `-DFP_MAX_BITS=16384` with -DSP_INT_BITS=8192` when used.
 
 Remove `-DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER` and add `--enable-fips=v2` to the configure command above if building from a FIPS v2 bundle and not the git repository. Change `--enable-fips=v2` to `--enable-fips=ready` if using a FIPS Ready bundle.
 
+If '--with-eccminsz=192' is not supported by wolfSSL, add '-DECC_MIN_KEY_SZ=192' to the CPPFLAGS.
+
 ### wolfProvider
 
 ```

include/wolfprovider/alg_funcs.h

@@ -339,6 +339,7 @@ extern const OSSL_DISPATCH wp_dh_pki_decoder_functions[];
 extern const OSSL_DISPATCH wp_ecc_type_specific_decoder_functions[];
 extern const OSSL_DISPATCH wp_ecc_spki_decoder_functions[];
 extern const OSSL_DISPATCH wp_ecc_pki_decoder_functions[];
+extern const OSSL_DISPATCH wp_ecc_x9_62_decoder_functions[];
 extern const OSSL_DISPATCH wp_x25519_spki_decoder_functions[];
 extern const OSSL_DISPATCH wp_x25519_pki_decoder_functions[];
 extern const OSSL_DISPATCH wp_ed25519_spki_decoder_functions[];
@@ -378,6 +379,8 @@ extern const OSSL_DISPATCH wp_ecc_pki_der_encoder_functions[];
 extern const OSSL_DISPATCH wp_ecc_pki_pem_encoder_functions[];
 extern const OSSL_DISPATCH wp_ecc_epki_der_encoder_functions[];
 extern const OSSL_DISPATCH wp_ecc_epki_pem_encoder_functions[];
+extern const OSSL_DISPATCH wp_ecc_x9_62_der_encoder_functions[];
+extern const OSSL_DISPATCH wp_ecc_x9_62_pem_encoder_functions[];
 extern const OSSL_DISPATCH wp_x25519_spki_der_encoder_functions[];
 extern const OSSL_DISPATCH wp_x25519_spki_pem_encoder_functions[];
 extern const OSSL_DISPATCH wp_x25519_pki_der_encoder_functions[];

include/wolfprovider/internal.h

@@ -74,6 +74,8 @@
 #define WP_ENC_FORMAT_EPKI              3
 /** Type-specific encoding format. */
 #define WP_ENC_FORMAT_TYPE_SPECIFIC     4
+/** X9_62 encoding format. */
+#define WP_ENC_FORMAT_X9_62             5
 
 /* Data format. */
 /** DER - Binary encoding. */
@@ -94,6 +96,9 @@
 /** Default iterations for PKCS#12 PBKDF2. */
 #define WP_PKCS12_ITERATIONS_DEFAULT    2048
 
+/** Maximum salt length for PKCS. */
+#define WP_MAX_SALT_SIZE    64
+
 
 /* These values are taken from ssl.h.
  * Can't include this header as it re-declares OpenSSL types.
@@ -175,6 +180,8 @@ int wp_encrypt_key(WOLFPROV_CTX* provCtx, const char* cipherName,
     OSSL_PASSPHRASE_CALLBACK *pwCb, void *pwCbArg, byte** cipherInfo);
 
 int wp_read_der_bio(WOLFPROV_CTX* provCtx, OSSL_CORE_BIO *coreBio, unsigned char** data, word32* len);
+int wp_read_pem_bio(WOLFPROV_CTX *provctx, OSSL_CORE_BIO *coreBio,
+    unsigned char** data, word32* len);
 BIO* wp_corebio_get_bio(WOLFPROV_CTX* provCtx, OSSL_CORE_BIO *coreBio);
 
 byte wp_ct_byte_mask_eq(byte a, byte b);

include/wolfprovider/settings.h

@@ -114,6 +114,9 @@
 #endif
 #ifndef NO_RSA
     #define WP_HAVE_RSA
+    #if defined(WC_RSA_PSS) && LIBWOLFSSL_VERSION_HEX >= 0x05005000
+        #define WOLFSSL_RSA_PSS_ENCODING
+    #endif
 #endif
 
 #ifdef HAVE_ECC
@@ -155,6 +158,9 @@
 #ifdef HAVE_ED448
      #define WP_HAVE_ED448
 #endif
+#ifndef WP_NO_FORCE_FAIL
+    #define WP_CHECK_FORCE_FAIL
+#endif
 
 #endif /* WOLFPROV_SETTINGS_H */