diff --git a/.github/workflows/dirmngr.yml b/.github/workflows/dirmngr.yml index 4891e41..604cc6c 100644 --- a/.github/workflows/dirmngr.yml +++ b/.github/workflows/dirmngr.yml @@ -76,8 +76,8 @@ jobs: cd .. } - pkg-config --exists --atleast-version=1.51 gpg-error || \ - build libgpg-error 1.51 https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.51.tar.bz2 + pkg-config --exists --atleast-version=1.56 gpg-error || \ + build libgpg-error 1.56 https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.56.tar.bz2 pkg-config --exists --atleast-version=1.11.0 gcrypt || \ build libgcrypt 1.11.1 https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2 diff --git a/.github/workflows/libvte.yml b/.github/workflows/libvte.yml index f9f00a2..ffb449d 100644 --- a/.github/workflows/libvte.yml +++ b/.github/workflows/libvte.yml @@ -69,7 +69,8 @@ jobs: liblz4-dev python3-pip python3-setuptools \ libglib2.0-dev libpcre2-dev libfribidi-dev \ libgtk-3-dev libicu-dev gettext git \ - libtool autoconf automake meson ninja-build pkg-config + libtool autoconf automake ninja-build pkg-config + pip3 install --break-system-packages meson>=1.3.2 - name: Checkout VTE at ${{ matrix.vte_ref }} run: | diff --git a/.github/workflows/openldap.yml b/.github/workflows/openldap.yml index dd230ab..b2c8239 100644 --- a/.github/workflows/openldap.yml +++ b/.github/workflows/openldap.yml @@ -64,8 +64,8 @@ jobs: - name: Prepare cache directories (native runner) if: matrix.use_container == false run: | - sudo mkdir -p /opt/gnutls /opt/wolfssl /opt/wolfssl-gnutls-wrapper - sudo chown -R $USER:$USER /opt/gnutls /opt/wolfssl /opt/wolfssl-gnutls-wrapper + sudo mkdir -p /opt/gnutls /opt/wolfssl /opt/wolfssl-gnutls-wrapper /opt/nettle + sudo chown -R $USER:$USER /opt/gnutls /opt/wolfssl /opt/wolfssl-gnutls-wrapper /opt/nettle # ───────────── cache the wolfssl/gnutls tool-chain ───────────── - name: Restore cached gnutls-wolfssl 
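Review bot: In the new `pip3 install --break-system-packages meson>=1.3.2` line of the libvte hunk the `>=` is unquoted, so the shell parses `>` as a redirection: pip receives only `meson` (any version) and the step's stdout is written to a file named `=1.3.2` in the workspace. Quote the specifier, `pip3 install --break-system-packages 'meson>=1.3.2'`. Since this fetches a build tool from PyPI at job time, pinning an exact version (`'meson==<version>'`) would also make the toolchain reproducible between runs. The step's `run:` block begins outside the hunk.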
@@ -76,9 +76,10 @@ jobs: ${{ matrix.use_container && '/opt/gnutls' || '~/cache/gnutls' }} ${{ matrix.use_container && '/opt/wolfssl' || '~/cache/wolfssl' }} ${{ matrix.use_container && '/opt/wolfssl-gnutls-wrapper' || '~/cache/wolfssl-gnutls-wrapper' }} - key: gnutls-wolfssl-${{ runner.os }}-${{ matrix.use_container }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }} + ${{ !matrix.use_container && '~/cache/nettle' || '' }} + key: gnutls-wolfssl-${{ matrix.use_container == false && '3.8.11' || '3.8.9' }}-${{ runner.os }}-${{ matrix.use_container }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }} restore-keys: | - gnutls-wolfssl-${{ runner.os }}-${{ matrix.use_container }}- + gnutls-wolfssl-${{ matrix.use_container == false && '3.8.11' || '3.8.9' }}-${{ runner.os }}-${{ matrix.use_container }}- - name: Copy cache to /opt (native runner only) if: matrix.use_container == false && steps.cache-gnutls.outputs.cache-hit == 'true' 
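Review bot: The GnuTLS version literal `'3.8.11'`/`'3.8.9'` is now hard-coded in the cache `key`, again in `restore-keys`, and again in the setup.sh call and the `Verify GnuTLS version` step of the following hunks, so a version bump means editing four places per workflow and a partial edit silently restores a cache built for a different version. A single source, e.g. a job-level `env: GNUTLS_VERSION: ${{ matrix.use_container == false && '3.8.11' || '3.8.9' }}` used as `${{ env.GNUTLS_VERSION }}` in the key and `"$GNUTLS_VERSION"` in the shell steps, removes the drift. The added `${{ !matrix.use_container && '~/cache/nettle' || '' }}` entry leaves an empty line under `path:` for container jobs; actions/cache appears to tolerate that, but it is worth confirming rather than assuming. The wget workflow's cache hunk (`@@ -71,9 +71,10 @@`) has the same duplication.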
@@ -87,18 +88,35 @@ jobs: sudo cp -a ~/cache/gnutls /opt/ sudo cp -a ~/cache/wolfssl /opt/ sudo cp -a ~/cache/wolfssl-gnutls-wrapper /opt/ + if [ -d ~/cache/nettle ]; then + sudo cp -a ~/cache/nettle /opt/ + fi + + - name: Setup nettle environment (native runner only) + if: matrix.use_container == false + run: | + # Set up environment for nettle 3.10 in /opt/nettle + echo "PKG_CONFIG_PATH=/opt/nettle/lib64/pkgconfig:/opt/nettle/lib/pkgconfig:$PKG_CONFIG_PATH" >> $GITHUB_ENV + echo "LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:$LD_LIBRARY_PATH" >> $GITHUB_ENV - name: Build GnuTLS with wolfSSL provider using setup.sh script if: steps.cache-gnutls.outputs.cache-hit != 'true' run: | echo "Running setup.sh..." - GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh + if [[ "${{ matrix.use_container }}" == "false" ]]; then + GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl NETTLE_INSTALL=/opt/nettle ./setup.sh 3.8.11 + else + GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh + fi # For native runner: also save to cache location if [[ "${{ matrix.use_container }}" == "false" ]]; then mkdir -p ~/cache sudo cp -a /opt/gnutls ~/cache/ sudo cp -a /opt/wolfssl ~/cache/ sudo cp -a /opt/wolfssl-gnutls-wrapper ~/cache/ + if [ -d /opt/nettle ]; then + sudo cp -a /opt/nettle ~/cache/ + fi sudo chown -R $(id -u):$(id -g) ~/cache fi 
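Review bot: The new `Setup nettle environment` step writes `LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:$LD_LIBRARY_PATH` to `$GITHUB_ENV`; when `LD_LIBRARY_PATH` is unset on the runner (the usual case) the value ends in a trailing colon, and the dynamic loader treats that empty element as the current working directory, so every later step that runs a binary from a writable checkout or build directory has that directory on its library search path. Use the guarded form the tpm2-tools workflow already uses for `PKG_CONFIG_PATH`: `echo "LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" >> $GITHUB_ENV`, and likewise `${PKG_CONFIG_PATH:+:$PKG_CONFIG_PATH}` on the line above it. The same unguarded `:$LD_LIBRARY_PATH` suffix appears in the `Verify GnuTLS version` steps, in the copies of this step in the wget, wireshark and xmlsec workflows, and in setup.sh's nettle block.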
@@ -107,6 +125,22 @@ jobs: test -d /opt/wolfssl || { echo "/opt/wolfssl missing"; exit 1; } test -d /opt/gnutls || { echo "/opt/gnutls missing"; exit 1; } test -d /opt/wolfssl-gnutls-wrapper/lib || { echo "/opt/wolfssl-gnutls-wrapper/lib missing"; exit 1; } + if [[ "${{ matrix.use_container }}" == "false" ]]; then + test -d /opt/nettle || { echo "/opt/nettle missing"; exit 1; } + fi + + - name: Verify GnuTLS version (native runner only) + if: matrix.use_container == false + run: | + export LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:/opt/gnutls/lib:/opt/wolfssl/lib:$LD_LIBRARY_PATH + GNUTLS_VERSION=$(/opt/gnutls/bin/gnutls-cli --version 2>&1 | grep -oP 'gnutls-cli \K[0-9]+\.[0-9]+\.[0-9]+') + echo "Detected GnuTLS version: $GNUTLS_VERSION" + if [ "$GNUTLS_VERSION" != "3.8.11" ]; then + echo "ERROR: Expected GnuTLS 3.8.11 but got $GNUTLS_VERSION" + exit 1 + fi + echo "GnuTLS version verified: 3.8.11" + - name: Build OpenLDAP at ${{ matrix.openldap_ref }} run: | git clone https://git.openldap.org/openldap/openldap.git 
@@ -117,45 +151,46 @@ jobs: - name: Configure OpenLDAP working-directory: openldap run: | - export PKG_CONFIG_PATH=/opt/gnutls/lib/pkgconfig + export PKG_CONFIG_PATH=/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH export CPPFLAGS=-I/opt/gnutls/include - export LDFLAGS="-L/opt/gnutls/lib -Wl,-rpath,/opt/gnutls/lib" if [[ "${{ matrix.openldap_ref }}" = "OPENLDAP_REL_ENG_2_6_7" ]]; then - ./configure \ - ac_cv_func_memcmp_working=yes \ - lt_cv_dlopen_self=yes \ - --with-yielding-select=yes \ - --enable-dynamic \ - --enable-crypt \ - --with-tls=gnutls \ - --with-cyrus-sasl \ - --enable-otp \ - --with-argon2=libargon2 \ - --enable-argon2 \ - --enable-ppolicy \ - --enable-remoteauth \ - --prefix=/opt/openldap \ - --enable-modules \ - --enable-ipv6 \ - --enable-asyncmeta=mod \ - --enable-mdb=yes \ - --enable-ldap=mod \ - --enable-meta=mod \ - --enable-null=mod \ - --enable-passwd=mod \ - --enable-proxycache=mod \ - --enable-dnssrv=mod + export LDFLAGS="-L/opt/nettle/lib64 -L/opt/nettle/lib -L/opt/gnutls/lib -Wl,-rpath,/opt/nettle/lib64 -Wl,-rpath,/opt/nettle/lib -Wl,-rpath,/opt/gnutls/lib" + ./configure \ + ac_cv_func_memcmp_working=yes \ + lt_cv_dlopen_self=yes \ + --with-yielding-select=yes \ + --enable-dynamic \ + --enable-crypt \ + --with-tls=gnutls \ + --with-cyrus-sasl \ + --enable-otp \ + --with-argon2=libargon2 \ + --enable-argon2 \ + --enable-ppolicy \ + --enable-remoteauth \ + --prefix=/opt/openldap \ + --enable-modules \ + --enable-ipv6 \ + --enable-asyncmeta=mod \ + --enable-mdb=yes \ + --enable-ldap=mod \ + --enable-meta=mod \ + --enable-null=mod \ + --enable-passwd=mod \ + --enable-proxycache=mod \ + --enable-dnssrv=mod else - ./configure \ - --with-tls=gnutls \ - --with-cyrus-sasl \ - --enable-otp \ - --with-argon2=libargon2 \ - --enable-argon2 \ - --enable-ppolicy \ - --enable-remoteauth \ - --prefix=/opt/openldap \ - --enable-modules + export LDFLAGS="-L/opt/gnutls/lib -Wl,-rpath,/opt/gnutls/lib" + ./configure \ + --with-tls=gnutls \ + --with-cyrus-sasl \ + 
--enable-otp \ + --with-argon2=libargon2 \ + --enable-argon2 \ + --enable-ppolicy \ + --enable-remoteauth \ + --prefix=/opt/openldap \ + --enable-modules fi - name: Build OpenLDAP working-directory: openldap diff --git a/.github/workflows/tpm2-tools.yml b/.github/workflows/tpm2-tools.yml index e2e5412..933a53f 100644 --- a/.github/workflows/tpm2-tools.yml +++ b/.github/workflows/tpm2-tools.yml @@ -80,6 +80,7 @@ jobs: export MAKEFLAGS="-j$(nproc)" git clone https://github.com/tpm2-software/tpm2-tss cd tpm2-tss + git checkout 4.1.3 git submodule update --init --recursive ./bootstrap export PKG_CONFIG_PATH="/opt/gnutls/lib/pkgconfig:/opt/curl/lib/pkgconfig${PKG_CONFIG_PATH:+:$PKG_CONFIG_PATH}" diff --git a/.github/workflows/wget.yml b/.github/workflows/wget.yml index 1e4136a..62718d3 100644 --- a/.github/workflows/wget.yml +++ b/.github/workflows/wget.yml @@ -71,9 +71,10 @@ jobs: ${{ matrix.use_container && '/opt/gnutls' || '~/cache/gnutls' }} ${{ matrix.use_container && '/opt/wolfssl' || '~/cache/wolfssl' }} ${{ matrix.use_container && '/opt/wolfssl-gnutls-wrapper' || '~/cache/wolfssl-gnutls-wrapper' }} - key: gnutls-wolfssl-${{ runner.os }}-${{ matrix.use_container }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }} + ${{ !matrix.use_container && '~/cache/nettle' || '' }} + key: gnutls-wolfssl-${{ matrix.use_container == false && '3.8.11' || '3.8.9' }}-${{ runner.os }}-${{ matrix.use_container }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }} restore-keys: | - gnutls-wolfssl-${{ runner.os }}-${{ matrix.use_container }}- + gnutls-wolfssl-${{ matrix.use_container == false && '3.8.11' || '3.8.9' }}-${{ runner.os }}-${{ matrix.use_container }}- - name: Copy cache to /opt (native runner only) if: matrix.use_container == false && steps.cache-gnutls.outputs.cache-hit == 'true' 
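Review bot: The nettle `-L`/`-Wl,-rpath` entries in the new `LDFLAGS` line for `OPENLDAP_REL_ENG_2_6_7` are selected by `matrix.openldap_ref`, but whether `/opt/nettle` exists is decided by `matrix.use_container` (nettle is built and copied only for the native runner in the earlier hunks), so the container job with that ref links slapd with an rpath to a directory that does not exist there, while a native job with any other ref gets none. Deriving the prefix once from the right condition, e.g. `NETTLE_LDFLAGS=""; if [[ "${{ matrix.use_container }}" == "false" ]]; then NETTLE_LDFLAGS="-L/opt/nettle/lib64 -L/opt/nettle/lib -Wl,-rpath,/opt/nettle/lib64 -Wl,-rpath,/opt/nettle/lib"; fi` and prepending `$NETTLE_LDFLAGS` in both branches, keeps the two conditions aligned; it may even be unnecessary, since the libgnutls built by setup.sh carries its own nettle rpath. The step's `run:` block opens at the top of this hunk.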
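Review bot: `git checkout 4.1.3` pins tpm2-tss to a tag, which is better than building the default branch, but a tag is a mutable reference, so the checkout still does not fix what gets built; pinning the commit id behind the tag (`git checkout <tpm2-tss 4.1.3 commit sha>` with the tag named in a comment) makes the build reproducible and tamper-evident. A `git clone --depth 1 --branch 4.1.3 ...` would also avoid fetching the full history before the checkout. The step's `run:` block starts outside the hunk.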
@@ -82,18 +83,35 @@ jobs: sudo cp -a ~/cache/gnutls /opt/ sudo cp -a ~/cache/wolfssl /opt/ sudo cp -a ~/cache/wolfssl-gnutls-wrapper /opt/ + if [ -d ~/cache/nettle ]; then + sudo cp -a ~/cache/nettle /opt/ + fi + + - name: Setup nettle environment (native runner only) + if: matrix.use_container == false + run: | + # Set up environment for nettle 3.10 in /opt/nettle + echo "PKG_CONFIG_PATH=/opt/nettle/lib64/pkgconfig:/opt/nettle/lib/pkgconfig:$PKG_CONFIG_PATH" >> $GITHUB_ENV + echo "LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:$LD_LIBRARY_PATH" >> $GITHUB_ENV - name: Build GnuTLS with wolfSSL provider using setup.sh script if: steps.cache-gnutls.outputs.cache-hit != 'true' run: | echo "Running setup.sh..." - GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh + if [[ "${{ matrix.use_container }}" == "false" ]]; then + GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl NETTLE_INSTALL=/opt/nettle ./setup.sh 3.8.11 + else + GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh + fi # For native runner: also save to cache location if [[ "${{ matrix.use_container }}" == "false" ]]; then mkdir -p ~/cache sudo cp -a /opt/gnutls ~/cache/ sudo cp -a /opt/wolfssl ~/cache/ sudo cp -a /opt/wolfssl-gnutls-wrapper ~/cache/ + if [ -d /opt/nettle ]; then + sudo cp -a /opt/nettle ~/cache/ + fi sudo chown -R $(id -u):$(id -g) ~/cache fi 
@@ -105,6 +123,23 @@ jobs: test -d /opt/gnutls || exit 1 echo "Check for wrapper installation..." test -d /opt/wolfssl-gnutls-wrapper/lib || exit 1 + if [[ "${{ matrix.use_container }}" == "false" ]]; then + echo "Check for nettle installation (3.8.11)..." + test -d /opt/nettle || exit 1 + fi + + - name: Verify GnuTLS version (native runner only) + if: matrix.use_container == false + run: | + export LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:/opt/gnutls/lib:/opt/wolfssl/lib:$LD_LIBRARY_PATH + GNUTLS_VERSION=$(/opt/gnutls/bin/gnutls-cli --version 2>&1 | grep -oP 'gnutls-cli \K[0-9]+\.[0-9]+\.[0-9]+') + echo "Detected GnuTLS version: $GNUTLS_VERSION" + if [ "$GNUTLS_VERSION" != "3.8.11" ]; then + echo "ERROR: Expected GnuTLS 3.8.11 but got $GNUTLS_VERSION" + exit 1 + fi + echo "GnuTLS version verified: 3.8.11" + - name: Build wget at ${{ matrix.wget_ref }} uses: actions/checkout@v4 with: @@ -167,7 +202,7 @@ jobs: # To make /opt/gnutls visible to the test binaries, LD_LIBRARY_PATH # is needed since we disable rpath for v1.21.4. if [[ "${{ matrix.wget_ref }}" = "v1.21.4" ]]; then - export LD_LIBRARY_PATH=/opt/gnutls/lib:/opt/wolfssl/lib:/opt/wolfssl-gnutls-wrapper/lib:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:/opt/gnutls/lib:/opt/wolfssl/lib:/opt/wolfssl-gnutls-wrapper/lib:$LD_LIBRARY_PATH fi make check find . -name '*.log' | xargs grep wgw diff --git a/.github/workflows/wireshark.yml b/.github/workflows/wireshark.yml index ab26166..ce8584d 100644 --- a/.github/workflows/wireshark.yml +++ b/.github/workflows/wireshark.yml @@ -1,15 +1,12 @@ name: wireshark test - on: push: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] - concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true - jobs: build_gnutls: name: Build wolfSSL, GnuTLS and provider 
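Review bot: The added message `echo "Check for nettle installation (3.8.11)..."` labels nettle with the GnuTLS version; the nettle built by setup.sh is 3.10 (as the comment in the `Setup nettle environment` step says), so the log line misleads anyone reading a failed run. `echo "Check for nettle installation (required by GnuTLS 3.8.11)..."` says what was meant. The `Verify GnuTLS version` step below hard-codes `3.8.11` twice more; sourcing it from one variable, as suggested for the cache-key hunk, keeps the check and the build in step.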
@@ -20,18 +17,15 @@ jobs: wireshark_ref: [ 'master', 'v4.2.12', 'v4.6.0' ] fail-fast: false runs-on: ${{ matrix.os }} - steps: - name: Checkout repository uses: actions/checkout@v4 - - name: Install dependencies run: | sudo apt-get update sudo apt-get install -y build-essential gnulib autopoint gperf gtk-doc-tools nettle-dev clang \ libtasn1-bin libtasn1-6-dev libunistring-dev libp11-kit-dev libunbound-dev \ wget git flex autoconf-archive libhttp-daemon-perl ninja-build - - name: Restore cached gnutls-wolfssl id: cache-gnutls uses: actions/cache@v4 @@ -40,10 +34,10 @@ jobs: ~/cache/gnutls ~/cache/wolfssl ~/cache/wolfssl-gnutls-wrapper - key: gnutls-wolfssl-${{ runner.os }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }} + ~/cache/nettle + key: gnutls-wolfssl-3.8.11-${{ runner.os }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }} restore-keys: | - gnutls-wolfssl-${{ runner.os }}- - + gnutls-wolfssl-3.8.11-${{ runner.os }}- - name: Copy cache to /opt if: steps.cache-gnutls.outputs.cache-hit == 'true' run: | 
@@ -51,20 +45,29 @@ jobs: sudo cp -a ~/cache/gnutls /opt/ sudo cp -a ~/cache/wolfssl /opt/ sudo cp -a ~/cache/wolfssl-gnutls-wrapper /opt/ + if [ -d ~/cache/nettle ]; then + sudo cp -a ~/cache/nettle /opt/ + fi echo "Cache restored successfully" - + - name: Setup nettle environment + run: | + # Set up environment for nettle 3.10 in /opt/nettle + echo "PKG_CONFIG_PATH=/opt/nettle/lib64/pkgconfig:/opt/nettle/lib/pkgconfig:$PKG_CONFIG_PATH" >> $GITHUB_ENV + echo "LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:$LD_LIBRARY_PATH" >> $GITHUB_ENV - name: Build GnuTLS with wolfSSL provider using setup.sh script if: steps.cache-gnutls.outputs.cache-hit != 'true' run: | echo "Cache miss - running setup.sh..." - GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh + GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl NETTLE_INSTALL=/opt/nettle ./setup.sh 3.8.11 # Save to cache location mkdir -p ~/cache sudo cp -a /opt/gnutls ~/cache/ sudo cp -a /opt/wolfssl ~/cache/ sudo cp -a /opt/wolfssl-gnutls-wrapper ~/cache/ + if [ -d /opt/nettle ]; then + sudo cp -a /opt/nettle ~/cache/ + fi sudo chown -R $(id -u):$(id -g) ~/cache - - name: Check setup.sh output directories run: | echo "Check for wolfSSL installation..." 
@@ -73,11 +76,21 @@ jobs: ls -la /opt/gnutls || { echo "/opt/gnutls not found"; exit 1; } echo "Check for wrapper installation..." ls -la /opt/wolfssl-gnutls-wrapper/lib || { echo "/opt/wolfssl-gnutls-wrapper/lib not found"; exit 1; } - + echo "Check for nettle installation..." + ls -la /opt/nettle || { echo "/opt/nettle not found"; exit 1; } + - name: Verify GnuTLS version + run: | + export LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:/opt/gnutls/lib:/opt/wolfssl/lib:$LD_LIBRARY_PATH + GNUTLS_VERSION=$(/opt/gnutls/bin/gnutls-cli --version 2>&1 | grep -oP 'gnutls-cli \K[0-9]+\.[0-9]+\.[0-9]+') + echo "Detected GnuTLS version: $GNUTLS_VERSION" + if [ "$GNUTLS_VERSION" != "3.8.11" ]; then + echo "ERROR: Expected GnuTLS 3.8.11 but got $GNUTLS_VERSION" + exit 1 + fi + echo "GnuTLS version verified: 3.8.11" - name: Clone wireshark run: | git clone https://github.com/wireshark/wireshark.git - - name: Setup and build wireshark working-directory: wireshark run: | @@ -88,7 +101,8 @@ jobs: sudo ./tools/debian-setup.sh --install-deb-deps sudo ./tools/debian-setup.sh --install-test-deps mkdir build && cd build - export PKG_CONFIG_PATH=/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH + export PKG_CONFIG_PATH=/opt/nettle/lib64/pkgconfig:/opt/nettle/lib/pkgconfig:/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH + export LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:/opt/gnutls/lib:$LD_LIBRARY_PATH cmake -G Ninja .. \ -DENABLE_PCAP=ON \ -DENABLE_GNUTLS=ON \ @@ -103,10 +117,10 @@ jobs: -DBUILD_wireshark=OFF ninja ninja test-programs - - name: Test Wireshark (TLS related tests only) working-directory: wireshark run: | - export PKG_CONFIG_PATH=/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH + export PKG_CONFIG_PATH=/opt/nettle/lib64/pkgconfig:/opt/nettle/lib/pkgconfig:/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH + export LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:/opt/gnutls/lib:$LD_LIBRARY_PATH cd build pytest ../test/suite_decryption.py -v -s 
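Review bot: The `export PKG_CONFIG_PATH=...` and `export LD_LIBRARY_PATH=...` lines added to the `Setup and build wireshark` and `Test Wireshark` steps repeat what the new `Setup nettle environment` step already wrote to `$GITHUB_ENV` earlier in the job, so each of these steps ends up with the nettle directories listed twice and two places to keep in sync. Either drop the per-step exports and rely on the job environment, or drop the `GITHUB_ENV` step; keeping both invites drift. The xmlsec workflow's build and test hunks (`@@ -88,7 +114,8 @@` and `@@ -117,6 +144,7 @@`) have the same duplication.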
diff --git a/.github/workflows/xmlsec.yml b/.github/workflows/xmlsec.yml index 2e95c63..efd2c0c 100644 --- a/.github/workflows/xmlsec.yml +++ b/.github/workflows/xmlsec.yml @@ -44,9 +44,10 @@ jobs: ~/cache/gnutls ~/cache/wolfssl ~/cache/wolfssl-gnutls-wrapper - key: gnutls-wolfssl-${{ runner.os }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }} + ~/cache/nettle + key: gnutls-wolfssl-3.8.11-${{ runner.os }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }} restore-keys: | - gnutls-wolfssl-${{ runner.os }}- + gnutls-wolfssl-3.8.11-${{ runner.os }}- - name: Copy cache to /opt if: steps.cache-gnutls.outputs.cache-hit == 'true' @@ -55,18 +56,30 @@ jobs: sudo cp -a ~/cache/gnutls /opt/ sudo cp -a ~/cache/wolfssl /opt/ sudo cp -a ~/cache/wolfssl-gnutls-wrapper /opt/ + if [ -d ~/cache/nettle ]; then + sudo cp -a ~/cache/nettle /opt/ + fi echo "Cache restored successfully" + - name: Setup nettle environment + run: | + # Set up environment for nettle 3.10 in /opt/nettle + echo "PKG_CONFIG_PATH=/opt/nettle/lib64/pkgconfig:/opt/nettle/lib/pkgconfig:$PKG_CONFIG_PATH" >> $GITHUB_ENV + echo "LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:$LD_LIBRARY_PATH" >> $GITHUB_ENV + - name: Build GnuTLS with wolfSSL provider using setup.sh script if: steps.cache-gnutls.outputs.cache-hit != 'true' run: | echo "Cache miss - running setup.sh..." - GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh + GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl NETTLE_INSTALL=/opt/nettle ./setup.sh 3.8.11 # Save to cache location mkdir -p ~/cache sudo cp -a /opt/gnutls ~/cache/ sudo cp -a /opt/wolfssl ~/cache/ sudo cp -a /opt/wolfssl-gnutls-wrapper ~/cache/ + if [ -d /opt/nettle ]; then + sudo cp -a /opt/nettle ~/cache/ + fi sudo chown -R $(id -u):$(id -g) ~/cache - name: Check setup.sh output directories 
@@ -77,6 +90,19 @@ jobs: ls -la /opt/gnutls || { echo "/opt/gnutls not found"; exit 1; } echo "Check for wrapper installation..." ls -la /opt/wolfssl-gnutls-wrapper/lib || { echo "/opt/wolfssl-gnutls-wrapper/lib not found"; exit 1; } + echo "Check for nettle installation..." + ls -la /opt/nettle || { echo "/opt/nettle not found"; exit 1; } + + - name: Verify GnuTLS version + run: | + export LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:/opt/gnutls/lib:/opt/wolfssl/lib:$LD_LIBRARY_PATH + GNUTLS_VERSION=$(/opt/gnutls/bin/gnutls-cli --version 2>&1 | grep -oP 'gnutls-cli \K[0-9]+\.[0-9]+\.[0-9]+') + echo "Detected GnuTLS version: $GNUTLS_VERSION" + if [ "$GNUTLS_VERSION" != "3.8.11" ]; then + echo "ERROR: Expected GnuTLS 3.8.11 but got $GNUTLS_VERSION" + exit 1 + fi + echo "GnuTLS version verified: 3.8.11" - name: Clone xmlsec run: | @@ -88,7 +114,8 @@ jobs: if [[ "${{ matrix.xmlsec_ref }}" != "master" ]]; then git checkout ${{ matrix.xmlsec_ref }} fi - export PKG_CONFIG_PATH=/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH + export PKG_CONFIG_PATH=/opt/nettle/lib64/pkgconfig:/opt/nettle/lib/pkgconfig:/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH + export LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:/opt/gnutls/lib:$LD_LIBRARY_PATH ./autogen.sh ./configure --with-gnutls=/opt/gnutls \ --disable-dsa \ @@ -117,6 +144,7 @@ jobs: - name: Test xmlsec working-directory: xmlsec run: | - export PKG_CONFIG_PATH=/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH + export PKG_CONFIG_PATH=/opt/nettle/lib64/pkgconfig:/opt/nettle/lib/pkgconfig:/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH + export LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:/opt/gnutls/lib:$LD_LIBRARY_PATH make check find /tmp -name "*.log" | xargs grep wgw diff --git a/README.md b/README.md index 2e5b767..0b8ae77 100644 --- a/README.md +++ b/README.md 
@@ -6,11 +6,20 @@ Experimental port of wolfSSL into GnuTLS. One script builds everything and drops ``` git clone https://github.com/wolfssl/gnutls-wolfssl.git cd gnutls-wolfssl -# regular build +# regular build (uses default GnuTLS 3.8.9) ./setup.sh # build with FIPS 140 support ./setup.sh fips + +# build specific GnuTLS version +./setup.sh 3.8.11 + +# build specific version with FIPS 140 support +./setup.sh fips 3.8.11 + +# show help and all options +./setup.sh --help ``` On success you get: ``` @@ -26,6 +35,7 @@ If the loader can’t find the libs, add the path to LD_LIBRARY_PATH (Linux) or | WOLFSSL_INSTALL | /opt/wolfssl | install prefix | | GNUTLS_INSTALL | /opt/gnutls | install prefix | | PROVIDER_PATH | /opt/wolfssl-gnutls-wrapper/ | install prefix| +| WOLFSSL_FIPS_BUNDLE | - | path to pre-downloaded wolfSSL FIPS bundle (optional, FIPS mode only) | | GNUTLS_FORCE_FIPS_MODE | 0 | set to 1 at runtime to enforce FIPS | | WGW_LOGGING | 1 |By default wolfssl-gnutls-wrapper will show logging information. Set to 0 to turn off logging | | WGW_LOGFILE | - | By default wolfssl-gnutls-wrapper will log to stderr. This can be changed to stdout or a filename | @@ -36,10 +46,15 @@ If the loader can’t find the libs, add the path to LD_LIBRARY_PATH (Linux) or setup.sh do‑it‑all build script rebuild-gnutls.sh rebuild GnuTLS only wolfssl/ upstream clone -gnutls/ upstream clone + branch gnutls-wolfssl +gnutls/ upstream clone + branch gnutls-wolfssl-VERSION wolfssl-gnutls-wrapper/ thin shim + tests ``` +## Version support +The setup script supports building different GnuTLS versions by specifying the version number as an argument. The script will checkout the corresponding branch (e.g., `gnutls-wolfssl (3.8.9)`, `gnutls-wolfssl-3.8.11 (3.8.11)`). + +**Note:** When building GnuTLS 3.8.11 on Linux, the script automatically downloads and builds nettle 3.10, as this version requires nettle >= 3.10. + ## Tests ``` cd wolfssl-gnutls-wrapper 
diff --git a/rebuild-gnutls.sh b/rebuild-gnutls.sh deleted file mode 100755 index 149b030..0000000 --- a/rebuild-gnutls.sh +++ /dev/null @@ -1,63 +0,0 @@ -#!/bin/bash - -set -e - -# Check if FIPS mode is enabled via command line argument -FIPS_MODE=0 -if [ "$1" = "fips" ]; then - FIPS_MODE=1 - echo "Building GnuTLS with FIPS 140 mode enabled" -else - echo "Building GnuTLS without FIPS 140 mode" -fi - -get_os() { - case "$(uname -s)" in - Darwin*) echo "macos";; - Linux*) echo "linux";; - *) echo "unknown";; - esac -} - -OS=$(get_os) -echo "Detected OS: $OS" - -cd ./gnutls - -if [ "$OS" = "macos" ]; then - echo "Configuring GnuTLS for macOS..." - autoreconf -fvi - - CONFIG_OPTS="--prefix=/opt/gnutls/ --disable-doc --disable-manpages --disable-gtk-doc --disable-full-test-suite --disable-valgrind-tests --disable-dependency-tracking --disable-gost --disable-dsa --enable-srp-authentication" - - if [ $FIPS_MODE -eq 1 ]; then - CONFIG_OPTS="$CONFIG_OPTS --enable-fips140-mode" - fi - - CFLAGS="-I$(brew --prefix libunistring)/include -I$(brew --prefix gmp)/include -I$(brew --prefix libev)/include -DGNUTLS_WOLFSSL" \ - LDFLAGS="-L$(brew --prefix libunistring)/lib -L$(brew --prefix gmp)/lib -L$(brew --prefix libev)/lib -L$(brew --prefix bison)/lib" \ - GMP_CFLAGS="-I$(brew --prefix gmp)/include" \ - GMP_LIBS="-L$(brew --prefix gmp)/lib -lgmp" \ - PKG_CONFIG_PATH="$(brew --prefix libev)/lib/pkgconfig:$(brew --prefix gmp)/lib/pkgconfig:$PKG_CONFIG_PATH" \ - CC=clang \ - ./configure $CONFIG_OPTS - - make -j$(sysctl -n hw.ncpu) - -else - echo "Configuring GnuTLS for Linux..." - autoreconf -fvi - - CONFIG_OPTS="--prefix=/opt/gnutls/ --disable-doc --disable-manpages --disable-gtk-doc --disable-gost --disable-dsa --enable-srp-authentication" - - if [ $FIPS_MODE -eq 1 ]; then - CONFIG_OPTS="$CONFIG_OPTS --enable-fips140-mode" - fi - - ./configure $CONFIG_OPTS CFLAGS=-DGNUTLS_WOLFSSL - - make -j9 -fi - -sudo make install -cd ../ 
diff --git a/setup.sh b/setup.sh index 1605b72..fa9eda3 100755 --- a/setup.sh +++ b/setup.sh 
@@ -1,6 +1,102 @@ #!/bin/bash set -e +# Default values +DEFAULT_GNUTLS_VERSION="3.8.9" +FIPS_MODE=0 +GNUTLS_VERSION="" + +# ============================================================================ +# Help function +# ============================================================================ +show_help() { + cat << EOF +Usage: $(basename "$0") [OPTIONS] [fips] [VERSION] + +Build script for wolfSSL and GnuTLS with optional FIPS 140 mode support. + +ARGUMENTS: + fips Enable FIPS 140 mode for the build + VERSION GnuTLS branch version (e.g., 3.8.9, 3.8.11) + The script will checkout branch: gnutls-wolfssl-VERSION + Default version: $DEFAULT_GNUTLS_VERSION + +OPTIONS: + -h, --help Show this help message and exit + +EXAMPLES: + $(basename "$0") + Build without FIPS mode, using default GnuTLS branch (gnutls-wolfssl-$DEFAULT_GNUTLS_VERSION) + + $(basename "$0") 3.8.11 + Build without FIPS mode, using GnuTLS branch gnutls-wolfssl-3.8.11 + + $(basename "$0") fips + Build with FIPS 140 mode enabled, using default GnuTLS branch (gnutls-wolfssl-$DEFAULT_GNUTLS_VERSION) + + $(basename "$0") fips 3.8.11 + Build with FIPS 140 mode enabled, using GnuTLS branch gnutls-wolfssl-3.8.11 + +ENVIRONMENT VARIABLES: + WOLFSSL_INSTALL Installation path for wolfSSL (default: /opt/wolfssl) + GNUTLS_INSTALL Installation path for GnuTLS (default: /opt/gnutls) + PROVIDER_PATH Path for wolfssl-gnutls-wrapper (default: /opt/wolfssl-gnutls-wrapper) + NETTLE_INSTALL Installation path for nettle 3.10 (default: /opt/nettle, only used for GnuTLS 3.8.11+) + WOLFSSL_FIPS_BUNDLE Path to pre-downloaded wolfSSL FIPS bundle (optional, FIPS mode only) + +NOTES: + - If wolfSSL is already installed system-wide (detectable via pkg-config), + the script will use it instead of building from source + - FIPS mode requires access to the wolfSSL FIPS source repository + +EOF + exit 0 +} + +# ============================================================================ +# Parse arguments +# 
============================================================================ +parse_arguments() { + while [[ $# -gt 0 ]]; do + case "$1" in + -h|--help) + show_help + ;; + fips) + FIPS_MODE=1 + shift + ;; + *) + # Assume it's a version number + if [[ "$1" =~ ^[0-9]+\.[0-9]+(\.[0-9]+)?$ ]]; then + GNUTLS_VERSION="$1" + else + echo "ERROR: Unknown argument '$1'" + echo "Use --help for usage information" + exit 1 + fi + shift + ;; + esac + done + + # Set default version if not specified + if [ -z "$GNUTLS_VERSION" ]; then + GNUTLS_VERSION="$DEFAULT_GNUTLS_VERSION" + GNUTLS_BRANCH="gnutls-wolfssl" + else + GNUTLS_BRANCH="gnutls-wolfssl-$GNUTLS_VERSION" + fi +} + +# ============================================================================ +# Main script starts here +# ============================================================================ + +# Parse command line arguments +parse_arguments "$@" + +# Set installation paths with defaults if [ -z "$WOLFSSL_INSTALL" ]; then WOLFSSL_INSTALL=/opt/wolfssl fi 
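Review bot: `parse_arguments` maps an explicit `3.8.9` to the branch `gnutls-wolfssl-3.8.9`, while omitting the version (which defaults to the same `3.8.9`) maps to `gnutls-wolfssl`, so `./setup.sh 3.8.9`, the version the help text presents as the default, tries to check out a branch the README does not list. Keying the branch on the version rather than on whether it was given removes the discrepancy: `GNUTLS_VERSION="${GNUTLS_VERSION:-$DEFAULT_GNUTLS_VERSION}"`, then `if [ "$GNUTLS_VERSION" = "$DEFAULT_GNUTLS_VERSION" ]; then GNUTLS_BRANCH="gnutls-wolfssl"; else GNUTLS_BRANCH="gnutls-wolfssl-$GNUTLS_VERSION"; fi`. The unknown-argument diagnostics go to stdout; `>&2` on those two `echo` lines keeps them out of captured output. Separately, the README layout section (a context line in the README hunk) still lists `rebuild-gnutls.sh`, which this commit deletes.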
@@ -10,19 +106,30 @@ fi if [ -z "$PROVIDER_PATH" ]; then PROVIDER_PATH=/opt/wolfssl-gnutls-wrapper fi +if [ -z "$NETTLE_INSTALL" ]; then + NETTLE_INSTALL=/opt/nettle +fi -# Check if FIPS mode is enabled via command line argument -FIPS_MODE=0 -if [ "$1" = "fips" ]; then - FIPS_MODE=1 - echo "Building GnuTLS with FIPS 140 mode enabled" +# Print configuration +echo "==============================================" +echo "Build Configuration:" +echo "==============================================" +if [ $FIPS_MODE -eq 1 ]; then + echo " FIPS 140 Mode: ENABLED" else - echo "Building GnuTLS without FIPS 140 mode" + echo " FIPS 140 Mode: DISABLED" fi +echo " GnuTLS Version: $GNUTLS_VERSION" +echo " GnuTLS Branch: $GNUTLS_BRANCH" +echo " wolfSSL Install: $WOLFSSL_INSTALL" +echo " GnuTLS Install: $GNUTLS_INSTALL" +echo " Provider Path: $PROVIDER_PATH" +echo " Nettle Install: $NETTLE_INSTALL" +echo "==============================================" +echo "" get_os() { case "$(uname -s)" in - Darwin*) echo "macos";; Linux*) echo "linux";; *) echo "unknown";; esac @@ -47,19 +154,6 @@ if detect_system_wolfssl; then : "${WOLFSSL_INSTALL:=/usr}" fi -if [ "$OS" = "macos" ]; then - echo "Installing macOS dependencies..." - brew update - for pkg in openssl autoconf automake coreutils libtool gmp nettle p11-kit libtasn1 libunistring gettext bison gtk-doc libev; do - brew install $pkg || true - done - for pkg in nettle wget p11-kit libtasn1 libunistring; do - brew upgrade $pkg || true - done - export PATH="/usr/local/opt/gettext/bin:/opt/homebrew/opt/gettext/bin:$PATH" - export PATH="/usr/local/opt/bison/bin:/opt/homebrew/opt/bison/bin:$PATH" -fi - if [ $FIPS_MODE -eq 1 ]; then if [ "$USE_SYSTEM_WOLFSSL" -eq 1 ]; then echo "Using system wolfSSL. Skipping wolfSSL build." 
@@ -137,45 +231,52 @@ fi if [ ! -d "gnutls" ]; then echo "Cloning GnuTLS repository..." git clone https://github.com/wolfssl/gnutls.git - echo "Checking out to gnutls-wolfssl..." + echo "Checking out to $GNUTLS_BRANCH..." cd ./gnutls git fetch --all - git checkout -b gnutls-wolfssl origin/gnutls-wolfssl + git checkout -b "$GNUTLS_BRANCH" "origin/$GNUTLS_BRANCH" else cd ./gnutls - make clean + echo "GnuTLS directory exists. Cleaning and switching to $GNUTLS_BRANCH..." + make clean || true + git fetch --all + git checkout "$GNUTLS_BRANCH" 2>/dev/null || git checkout -b "$GNUTLS_BRANCH" "origin/$GNUTLS_BRANCH" fi ./bootstrap autoreconf -fvi # Base configuration options for GnuTLS -if [ "$OS" = "macos" ]; then - echo "Configuring GnuTLS for macOS..." +if [ "$OS" = "linux" ]; then + echo "Configuring GnuTLS for Linux..." - CONFIG_OPTS="--prefix=$GNUTLS_INSTALL/ --disable-doc --disable-manpages --disable-gtk-doc --disable-full-test-suite --disable-valgrind-tests --disable-dependency-tracking --disable-gost --disable-dsa --enable-srp-authentication" + CONFIG_OPTS="--prefix=$GNUTLS_INSTALL/ --disable-doc --disable-manpages --disable-gtk-doc --disable-gost --disable-dsa --disable-full-test-suite --disable-valgrind-tests --disable-dependency-tracking --enable-srp-authentication" if [ $FIPS_MODE -eq 1 ]; then CONFIG_OPTS="$CONFIG_OPTS --enable-fips140-mode" fi - CFLAGS="-I$(brew --prefix libunistring)/include -I$(brew --prefix gmp)/include -I$(brew --prefix libev)/include -DGNUTLS_WOLFSSL" \ - LDFLAGS="-L$(brew --prefix libunistring)/lib -L$(brew --prefix gmp)/lib -L$(brew --prefix libev)/lib -L$(brew --prefix bison)/lib" \ - GMP_CFLAGS="-I$(brew --prefix gmp)/include" \ - GMP_LIBS="-L$(brew --prefix gmp)/lib -lgmp" \ - PKG_CONFIG_PATH="$(brew --prefix libev)/lib/pkgconfig:$(brew --prefix gmp)/lib/pkgconfig:$PKG_CONFIG_PATH" \ - CC=clang \ - ./configure $CONFIG_OPTS + if [ "$GNUTLS_BRANCH" == "gnutls-wolfssl-3.8.11" ]; then + # Download nettle 3.10, since gnutls 3.8.11 
requires nettle to be >= 3.10 + echo "Installing nettle 3.10 to $NETTLE_INSTALL..." - make -j$(sysctl -n hw.ncpu) + wget https://ftp.gnu.org/gnu/nettle/nettle-3.10.tar.gz + tar -xzf nettle-3.10.tar.gz + cd nettle-3.10 -else - echo "Configuring GnuTLS for Linux..." + # Build and install + ./configure --prefix=$NETTLE_INSTALL + make -j$(nproc) + sudo make install - CONFIG_OPTS="--prefix=$GNUTLS_INSTALL/ --disable-doc --disable-manpages --disable-gtk-doc --disable-gost --disable-dsa --disable-full-test-suite --disable-valgrind-tests --disable-dependency-tracking --enable-srp-authentication" + # Update library cache + sudo ldconfig - if [ $FIPS_MODE -eq 1 ]; then - CONFIG_OPTS="$CONFIG_OPTS --enable-fips140-mode" + export PKG_CONFIG_PATH="$NETTLE_INSTALL/lib64/pkgconfig:$NETTLE_INSTALL/lib/pkgconfig:$PKG_CONFIG_PATH" + export LD_LIBRARY_PATH="$NETTLE_INSTALL/lib64:$NETTLE_INSTALL/lib:$LD_LIBRARY_PATH" + export LDFLAGS="-L$NETTLE_INSTALL/lib64 -L$NETTLE_INSTALL/lib -Wl,-rpath,$NETTLE_INSTALL/lib64 -Wl,-rpath,$NETTLE_INSTALL/lib" + + cd ../ fi ./configure $CONFIG_OPTS 'CFLAGS=-DGNUTLS_WOLFSSL' @@ -193,4 +294,16 @@ make sudo make install PROVIDER_PATH="$PROVIDER_PATH" GNUTLS_INSTALL="$GNUTLS_INSTALL" WOLFSSL_INSTALL="$WOLFSSL_INSTALL" cd ../ -echo "Build completed successfully" +echo "" +echo "==============================================" +echo "Build completed successfully!" +echo "==============================================" +echo " FIPS Mode: $([ $FIPS_MODE -eq 1 ] && echo 'ENABLED' || echo 'DISABLED')" +echo " GnuTLS Branch: $GNUTLS_BRANCH" +echo " wolfSSL: $WOLFSSL_INSTALL" +echo " GnuTLS: $GNUTLS_INSTALL" +echo " Provider: $PROVIDER_PATH" +if [ "$GNUTLS_BRANCH" == "gnutls-wolfssl-3.8.11" ]; then + echo " Nettle: $NETTLE_INSTALL" +fi +echo "=============================================="
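Review bot: The nettle block fetches `nettle-3.10.tar.gz` with `wget` and feeds it straight to `tar`, `./configure` and `sudo make install` with no integrity check, so a tampered or truncated download from the mirror is built as root and linked into GnuTLS. gnu.org publishes a detached `.sig` for each tarball, so verify it (`wget https://ftp.gnu.org/gnu/nettle/nettle-3.10.tar.gz.sig && gpg --verify nettle-3.10.tar.gz.sig nettle-3.10.tar.gz`, with the release key imported beforehand) or at least pin a digest (`echo "<sha256 of nettle-3.10.tar.gz>  nettle-3.10.tar.gz" | sha256sum -c -`). The trigger `[ "$GNUTLS_BRANCH" == "gnutls-wolfssl-3.8.11" ]` (repeated in the summary hunk) matches only that one branch, while the help text added in the first hunk says nettle is used "for GnuTLS 3.8.11+", so a future `3.8.12` would silently skip it; comparing the version or listing the branches that need it keeps the two in agreement. With the macOS branch removed, `if [ "$OS" = "linux" ]` has no `else`, so on an unsupported OS the configure is skipped and the script presumably continues into the GnuTLS `make`; an `else echo "ERROR: unsupported OS: $OS" >&2; exit 1` before the closing `fi` (which lies outside this hunk) would fail early. Note also that the tarball is downloaded and built inside the `gnutls` checkout (the block runs after `cd ./gnutls`) and rebuilt on every run; a `pkg-config --exists --atleast-version=3.10 nettle` guard after exporting `PKG_CONFIG_PATH`, as the dirmngr workflow does for its libraries, would skip the rebuild.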