From 5c1ef62b01d22607e8af1d1501f82780e2720b4f Mon Sep 17 00:00:00 2001 From: Reda Chouk Date: Fri, 12 Dec 2025 12:54:48 +0100 Subject: [PATCH 1/6] - Add GnuTLS version selection (now supporting 3.8.11 too), --help flag, and FIPS bundle support to setup.sh; - Updated README.md; --- README.md | 19 ++++++- setup.sh | 158 ++++++++++++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 165 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 2e5b767..0b8ae77 100644 --- a/README.md +++ b/README.md @@ -6,11 +6,20 @@ Experimental port of wolfSSL into GnuTLS. One script builds everything and drops ``` git clone https://github.com/wolfssl/gnutls-wolfssl.git cd gnutls-wolfssl -# regular build +# regular build (uses default GnuTLS 3.8.9) ./setup.sh # build with FIPS 140 support ./setup.sh fips + +# build specific GnuTLS version +./setup.sh 3.8.11 + +# build specific version with FIPS 140 support +./setup.sh fips 3.8.11 + +# show help and all options +./setup.sh --help ``` On success you get: ``` @@ -26,6 +35,7 @@ If the loader can’t find the libs, add the path to LD_LIBRARY_PATH (Linux) or | WOLFSSL_INSTALL | /opt/wolfssl | install prefix | | GNUTLS_INSTALL | /opt/gnutls | install prefix | | PROVIDER_PATH | /opt/wolfssl-gnutls-wrapper/ | install prefix| +| WOLFSSL_FIPS_BUNDLE | - | path to pre-downloaded wolfSSL FIPS bundle (optional, FIPS mode only) | | GNUTLS_FORCE_FIPS_MODE | 0 | set to 1 at runtime to enforce FIPS | | WGW_LOGGING | 1 |By default wolfssl-gnutls-wrapper will show logging information. Set to 0 to turn off logging | | WGW_LOGFILE | - | By default wolfssl-gnutls-wrapper will log to stderr. This can be changed to stdout or a filename | 
@@ -36,10 +46,15 @@ If the loader can’t find the libs, add the path to LD_LIBRARY_PATH (Linux) or setup.sh do‑it‑all build script rebuild-gnutls.sh rebuild GnuTLS only wolfssl/ upstream clone -gnutls/ upstream clone + branch gnutls-wolfssl +gnutls/ upstream clone + branch gnutls-wolfssl-VERSION wolfssl-gnutls-wrapper/ thin shim + tests ``` +## Version support +The setup script supports building different GnuTLS versions by specifying the version number as an argument. The script will checkout the corresponding branch (e.g., `gnutls-wolfssl (3.8.9)`, `gnutls-wolfssl-3.8.11 (3.8.11)`). + +**Note:** When building GnuTLS 3.8.11 on Linux, the script automatically downloads and builds nettle 3.10, as this version requires nettle >= 3.10. + ## Tests ``` cd wolfssl-gnutls-wrapper diff --git a/setup.sh b/setup.sh index 1605b72..97c6bf5 100755 --- a/setup.sh +++ b/setup.sh 
@@ -1,6 +1,103 @@ #!/bin/bash set -e +# Default values +DEFAULT_GNUTLS_VERSION="3.8.9" +FIPS_MODE=0 +GNUTLS_VERSION="" + +# ============================================================================ +# Help function +# ============================================================================ +show_help() { + cat << EOF +Usage: $(basename "$0") [OPTIONS] [fips] [VERSION] + +Build script for wolfSSL and GnuTLS with optional FIPS 140 mode support. + +ARGUMENTS: + fips Enable FIPS 140 mode for the build + VERSION GnuTLS branch version (e.g., 3.8.9, 3.8.11) + The script will checkout branch: gnutls-wolfssl-VERSION + Default version: $DEFAULT_GNUTLS_VERSION + +OPTIONS: + -h, --help Show this help message and exit + +EXAMPLES: + $(basename "$0") + Build without FIPS mode, using default GnuTLS branch (gnutls-wolfssl-$DEFAULT_GNUTLS_VERSION) + + $(basename "$0") 3.8.11 + Build without FIPS mode, using GnuTLS branch gnutls-wolfssl-3.8.11 + + $(basename "$0") fips + Build with FIPS 140 mode enabled, using default GnuTLS branch (gnutls-wolfssl-$DEFAULT_GNUTLS_VERSION) + + $(basename "$0") fips 3.8.11 + Build with FIPS 140 mode enabled, using GnuTLS branch gnutls-wolfssl-3.8.11 + +ENVIRONMENT VARIABLES: + WOLFSSL_INSTALL Installation path for wolfSSL (default: /opt/wolfssl) + GNUTLS_INSTALL Installation path for GnuTLS (default: /opt/gnutls) + PROVIDER_PATH Path for wolfssl-gnutls-wrapper (default: /opt/wolfssl-gnutls-wrapper) + WOLFSSL_FIPS_BUNDLE Path to pre-downloaded wolfSSL FIPS bundle (optional, FIPS mode only) + +NOTES: + - The script automatically detects macOS or Linux and installs appropriate dependencies + - On macOS, Homebrew is required for dependency installation + - If wolfSSL is already installed system-wide (detectable via pkg-config), + the script will use it instead of building from source + - FIPS mode requires access to the wolfSSL FIPS source repository + +EOF + exit 0 +} + +# 
============================================================================ +# Parse arguments +# ============================================================================ +parse_arguments() { + while [[ $# -gt 0 ]]; do + case "$1" in + -h|--help) + show_help + ;; + fips) + FIPS_MODE=1 + shift + ;; + *) + # Assume it's a version number + if [[ "$1" =~ ^[0-9]+\.[0-9]+(\.[0-9]+)?$ ]]; then + GNUTLS_VERSION="$1" + else + echo "ERROR: Unknown argument '$1'" + echo "Use --help for usage information" + exit 1 + fi + shift + ;; + esac + done + + # Set default version if not specified + if [ -z "$GNUTLS_VERSION" ]; then + GNUTLS_VERSION="$DEFAULT_GNUTLS_VERSION" + GNUTLS_BRANCH="gnutls-wolfssl" + else + GNUTLS_BRANCH="gnutls-wolfssl-$GNUTLS_VERSION" + fi +} + +# ============================================================================ +# Main script starts here +# ============================================================================ + +# Parse command line arguments +parse_arguments "$@" + +# Set installation paths with defaults if [ -z "$WOLFSSL_INSTALL" ]; then WOLFSSL_INSTALL=/opt/wolfssl fi @@ -11,14 +108,22 @@ if [ -z "$PROVIDER_PATH" ]; then PROVIDER_PATH=/opt/wolfssl-gnutls-wrapper fi -# Check if FIPS mode is enabled via command line argument -FIPS_MODE=0 -if [ "$1" = "fips" ]; then - FIPS_MODE=1 - echo "Building GnuTLS with FIPS 140 mode enabled" +# Print configuration +echo "==============================================" +echo "Build Configuration:" +echo "==============================================" +if [ $FIPS_MODE -eq 1 ]; then + echo " FIPS 140 Mode: ENABLED" else - echo "Building GnuTLS without FIPS 140 mode" + echo " FIPS 140 Mode: DISABLED" fi +echo " GnuTLS Version: $GNUTLS_VERSION" +echo " GnuTLS Branch: $GNUTLS_BRANCH" +echo " wolfSSL Install: $WOLFSSL_INSTALL" +echo " GnuTLS Install: $GNUTLS_INSTALL" +echo " Provider Path: $PROVIDER_PATH" +echo "==============================================" +echo "" get_os() { case "$(uname -s)" in 
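Review bot: In `parse_arguments`, passing `3.8.9` explicitly produces `GNUTLS_BRANCH="gnutls-wolfssl-3.8.9"`, while omitting the argument produces `gnutls-wolfssl` for the same version. The README text added in this patch names `gnutls-wolfssl` as the 3.8.9 branch, so `./setup.sh 3.8.9` will fail at checkout unless a `gnutls-wolfssl-3.8.9` branch also exists upstream. Treating the default version like the empty case would close the gap: `if [ -z "$GNUTLS_VERSION" ] || [ "$GNUTLS_VERSION" = "$DEFAULT_GNUTLS_VERSION" ]; then`. The help text should then name the default branch as `gnutls-wolfssl` rather than `gnutls-wolfssl-$DEFAULT_GNUTLS_VERSION`. The two `echo` lines in the unknown-argument branch are diagnostics and belong on stderr (`>&2`).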
@@ -137,13 +242,16 @@ fi if [ ! -d "gnutls" ]; then echo "Cloning GnuTLS repository..." git clone https://github.com/wolfssl/gnutls.git - echo "Checking out to gnutls-wolfssl..." + echo "Checking out to $GNUTLS_BRANCH..." cd ./gnutls git fetch --all - git checkout -b gnutls-wolfssl origin/gnutls-wolfssl + git checkout -b "$GNUTLS_BRANCH" "origin/$GNUTLS_BRANCH" else cd ./gnutls - make clean + echo "GnuTLS directory exists. Cleaning and switching to $GNUTLS_BRANCH..." + make clean || true + git fetch --all + git checkout "$GNUTLS_BRANCH" 2>/dev/null || git checkout -b "$GNUTLS_BRANCH" "origin/$GNUTLS_BRANCH" fi ./bootstrap @@ -178,6 +286,27 @@ else CONFIG_OPTS="$CONFIG_OPTS --enable-fips140-mode" fi + if [ "$GNUTLS_BRANCH" -eq "gnutls-wolfssl-3.8.11" ]; then + # Download nettle 3.10, since gnutls 3.8.11 requires nettle to be >= 3.10 + wget https://ftp.gnu.org/gnu/nettle/nettle-3.10.tar.gz + tar -xzf nettle-3.10.tar.gz + cd nettle-3.10 + + # Build and install + ./configure --prefix=/usr/local + make -j$(nproc) + sudo make install + + # Update library cache + sudo ldconfig + + export PKG_CONFIG_PATH="/usr/local/lib64/pkgconfig:$PKG_CONFIG_PATH" + export LD_LIBRARY_PATH="/usr/local/lib64:$LD_LIBRARY_PATH" + export LDFLAGS="-L/usr/local/lib64 -Wl,-rpath,/usr/local/lib64" + + cd ../ + fi + ./configure $CONFIG_OPTS 'CFLAGS=-DGNUTLS_WOLFSSL' export GNUTLS_FORCE_FIPS_MODE=1 
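Review bot: In the existing-checkout branch, `git checkout "$GNUTLS_BRANCH"` switches to the local branch but nothing moves it to the commit that `git fetch --all` just retrieved, so a rerun can silently build a stale tree and miss upstream fixes. The `2>/dev/null` also hides why the first checkout failed (a dirty work tree, for example), after which the `checkout -b` fallback fails for an unrelated-looking reason. `git checkout -B "$GNUTLS_BRANCH" "origin/$GNUTLS_BRANCH"` handles both the new and the existing branch in one command; it resets the local branch to the remote head, so confirm that discarding local commits there is acceptable.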
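Review bot: The nettle tarball is fetched with `wget` and then built and installed through `sudo make install` without any integrity check, so the build trusts whatever the mirror returns for a library that GnuTLS links against. Pin the expected digest and fail closed before `tar`, for example `echo "EXPECTED_SHA256_PLACEHOLDER  nettle-3.10.tar.gz" | sha256sum -c -`, or fetch the detached signature published next to the tarball and verify it against a pinned maintainer key. The later rewrite of this block that installs to `$NETTLE_INSTALL` keeps the same unverified download. The enclosing `if`/`else` starts outside this hunk.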
@@ -193,4 +322,13 @@ make sudo make install PROVIDER_PATH="$PROVIDER_PATH" GNUTLS_INSTALL="$GNUTLS_INSTALL" WOLFSSL_INSTALL="$WOLFSSL_INSTALL" cd ../ -echo "Build completed successfully" +echo "" +echo "==============================================" +echo "Build completed successfully!" +echo "==============================================" +echo " FIPS Mode: $([ $FIPS_MODE -eq 1 ] && echo 'ENABLED' || echo 'DISABLED')" +echo " GnuTLS Branch: $GNUTLS_BRANCH" +echo " wolfSSL: $WOLFSSL_INSTALL" +echo " GnuTLS: $GNUTLS_INSTALL" +echo " Provider: $PROVIDER_PATH" +echo "==============================================" From 41e13e9a7d283bf4f8942c4d8424a2c89ad2600f Mon Sep 17 00:00:00 2001 From: Reda Chouk Date: Fri, 12 Dec 2025 13:31:07 +0100 Subject: [PATCH 2/6] Updated native workflows to run against gnutls 3.8.11 --- .github/workflows/openldap.yml | 105 +++++++++++++++++++------------- .github/workflows/wget.yml | 31 ++++++++-- .github/workflows/wireshark.yml | 38 ++++++------ .github/workflows/xmlsec.yml | 27 ++++++-- setup.sh | 22 +++++-- 5 files changed, 150 insertions(+), 73 deletions(-) diff --git a/.github/workflows/openldap.yml b/.github/workflows/openldap.yml index dd230ab..d0ca071 100644 --- a/.github/workflows/openldap.yml +++ b/.github/workflows/openldap.yml @@ -64,8 +64,8 @@ jobs: - name: Prepare cache directories (native runner) if: matrix.use_container == false run: | - sudo mkdir -p /opt/gnutls /opt/wolfssl /opt/wolfssl-gnutls-wrapper - sudo chown -R $USER:$USER /opt/gnutls /opt/wolfssl /opt/wolfssl-gnutls-wrapper + sudo mkdir -p /opt/gnutls /opt/wolfssl /opt/wolfssl-gnutls-wrapper /opt/nettle + sudo chown -R $USER:$USER /opt/gnutls /opt/wolfssl /opt/wolfssl-gnutls-wrapper /opt/nettle # ───────────── cache the wolfssl/gnutls tool-chain ───────────── - name: Restore cached gnutls-wolfssl 
@@ -76,9 +76,10 @@ jobs: ${{ matrix.use_container && '/opt/gnutls' || '~/cache/gnutls' }} ${{ matrix.use_container && '/opt/wolfssl' || '~/cache/wolfssl' }} ${{ matrix.use_container && '/opt/wolfssl-gnutls-wrapper' || '~/cache/wolfssl-gnutls-wrapper' }} - key: gnutls-wolfssl-${{ runner.os }}-${{ matrix.use_container }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }} + ${{ !matrix.use_container && '~/cache/nettle' || '' }} + key: gnutls-wolfssl-${{ matrix.use_container == false && '3.8.11' || '3.8.9' }}-${{ runner.os }}-${{ matrix.use_container }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }} restore-keys: | - gnutls-wolfssl-${{ runner.os }}-${{ matrix.use_container }}- + gnutls-wolfssl-${{ matrix.use_container == false && '3.8.11' || '3.8.9' }}-${{ runner.os }}-${{ matrix.use_container }}- - name: Copy cache to /opt (native runner only) if: matrix.use_container == false && steps.cache-gnutls.outputs.cache-hit == 'true' 
@@ -87,18 +88,35 @@ jobs: sudo cp -a ~/cache/gnutls /opt/ sudo cp -a ~/cache/wolfssl /opt/ sudo cp -a ~/cache/wolfssl-gnutls-wrapper /opt/ + if [ -d ~/cache/nettle ]; then + sudo cp -a ~/cache/nettle /opt/ + fi + + - name: Setup nettle environment (native runner only) + if: matrix.use_container == false + run: | + # Set up environment for nettle 3.10 in /opt/nettle + echo "PKG_CONFIG_PATH=/opt/nettle/lib64/pkgconfig:/opt/nettle/lib/pkgconfig:$PKG_CONFIG_PATH" >> $GITHUB_ENV + echo "LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:$LD_LIBRARY_PATH" >> $GITHUB_ENV - name: Build GnuTLS with wolfSSL provider using setup.sh script if: steps.cache-gnutls.outputs.cache-hit != 'true' run: | echo "Running setup.sh..." - GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh + if [[ "${{ matrix.use_container }}" == "false" ]]; then + GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl NETTLE_INSTALL=/opt/nettle ./setup.sh 3.8.11 + else + GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh + fi # For native runner: also save to cache location if [[ "${{ matrix.use_container }}" == "false" ]]; then mkdir -p ~/cache sudo cp -a /opt/gnutls ~/cache/ sudo cp -a /opt/wolfssl ~/cache/ sudo cp -a /opt/wolfssl-gnutls-wrapper ~/cache/ + if [ -d /opt/nettle ]; then + sudo cp -a /opt/nettle ~/cache/ + fi sudo chown -R $(id -u):$(id -g) ~/cache fi @@ -107,6 +125,10 @@ jobs: test -d /opt/wolfssl || { echo "/opt/wolfssl missing"; exit 1; } test -d /opt/gnutls || { echo "/opt/gnutls missing"; exit 1; } test -d /opt/wolfssl-gnutls-wrapper/lib || { echo "/opt/wolfssl-gnutls-wrapper/lib missing"; exit 1; } + if [[ "${{ matrix.use_container }}" == "false" ]]; then + test -d /opt/nettle || { echo "/opt/nettle missing"; exit 1; } + fi + - name: Build OpenLDAP at ${{ matrix.openldap_ref }} run: | git clone https://git.openldap.org/openldap/openldap.git 
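Review bot: The `LD_LIBRARY_PATH` value written to `$GITHUB_ENV` always ends with `:$LD_LIBRARY_PATH`, so when that variable is unset on the runner the result carries a trailing empty entry, which the glibc loader treats as the current working directory. Later steps in this job run inside freshly cloned third-party trees, so a shared object sitting in the working directory could be loaded before the system copies. Append only when there is something to append: `echo "LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" >> "$GITHUB_ENV"`. The same pattern appears in the wget, wireshark and xmlsec workflow hunks of this patch and in the `export LD_LIBRARY_PATH=...` lines of setup.sh.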
@@ -117,45 +139,46 @@ jobs: - name: Configure OpenLDAP working-directory: openldap run: | - export PKG_CONFIG_PATH=/opt/gnutls/lib/pkgconfig + export PKG_CONFIG_PATH=/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH export CPPFLAGS=-I/opt/gnutls/include - export LDFLAGS="-L/opt/gnutls/lib -Wl,-rpath,/opt/gnutls/lib" if [[ "${{ matrix.openldap_ref }}" = "OPENLDAP_REL_ENG_2_6_7" ]]; then - ./configure \ - ac_cv_func_memcmp_working=yes \ - lt_cv_dlopen_self=yes \ - --with-yielding-select=yes \ - --enable-dynamic \ - --enable-crypt \ - --with-tls=gnutls \ - --with-cyrus-sasl \ - --enable-otp \ - --with-argon2=libargon2 \ - --enable-argon2 \ - --enable-ppolicy \ - --enable-remoteauth \ - --prefix=/opt/openldap \ - --enable-modules \ - --enable-ipv6 \ - --enable-asyncmeta=mod \ - --enable-mdb=yes \ - --enable-ldap=mod \ - --enable-meta=mod \ - --enable-null=mod \ - --enable-passwd=mod \ - --enable-proxycache=mod \ - --enable-dnssrv=mod + export LDFLAGS="-L/opt/nettle/lib64 -L/opt/nettle/lib -L/opt/gnutls/lib -Wl,-rpath,/opt/nettle/lib64 -Wl,-rpath,/opt/nettle/lib -Wl,-rpath,/opt/gnutls/lib" + ./configure \ + ac_cv_func_memcmp_working=yes \ + lt_cv_dlopen_self=yes \ + --with-yielding-select=yes \ + --enable-dynamic \ + --enable-crypt \ + --with-tls=gnutls \ + --with-cyrus-sasl \ + --enable-otp \ + --with-argon2=libargon2 \ + --enable-argon2 \ + --enable-ppolicy \ + --enable-remoteauth \ + --prefix=/opt/openldap \ + --enable-modules \ + --enable-ipv6 \ + --enable-asyncmeta=mod \ + --enable-mdb=yes \ + --enable-ldap=mod \ + --enable-meta=mod \ + --enable-null=mod \ + --enable-passwd=mod \ + --enable-proxycache=mod \ + --enable-dnssrv=mod else - ./configure \ - --with-tls=gnutls \ - --with-cyrus-sasl \ - --enable-otp \ - --with-argon2=libargon2 \ - --enable-argon2 \ - --enable-ppolicy \ - --enable-remoteauth \ - --prefix=/opt/openldap \ - --enable-modules + export LDFLAGS="-L/opt/gnutls/lib -Wl,-rpath,/opt/gnutls/lib" + ./configure \ + --with-tls=gnutls \ + --with-cyrus-sasl \ + 
--enable-otp \ + --with-argon2=libargon2 \ + --enable-argon2 \ + --enable-ppolicy \ + --enable-remoteauth \ + --prefix=/opt/openldap \ + --enable-modules fi - name: Build OpenLDAP working-directory: openldap diff --git a/.github/workflows/wget.yml b/.github/workflows/wget.yml index 1e4136a..021a0ac 100644 --- a/.github/workflows/wget.yml +++ b/.github/workflows/wget.yml @@ -71,9 +71,10 @@ jobs: ${{ matrix.use_container && '/opt/gnutls' || '~/cache/gnutls' }} ${{ matrix.use_container && '/opt/wolfssl' || '~/cache/wolfssl' }} ${{ matrix.use_container && '/opt/wolfssl-gnutls-wrapper' || '~/cache/wolfssl-gnutls-wrapper' }} - key: gnutls-wolfssl-${{ runner.os }}-${{ matrix.use_container }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }} + ${{ !matrix.use_container && '~/cache/nettle' || '' }} + key: gnutls-wolfssl-${{ matrix.use_container == false && '3.8.11' || '3.8.9' }}-${{ runner.os }}-${{ matrix.use_container }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }} restore-keys: | - gnutls-wolfssl-${{ runner.os }}-${{ matrix.use_container }}- + gnutls-wolfssl-${{ matrix.use_container == false && '3.8.11' || '3.8.9' }}-${{ runner.os }}-${{ matrix.use_container }}- - name: Copy cache to /opt (native runner only) if: matrix.use_container == false && steps.cache-gnutls.outputs.cache-hit == 'true' 
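Review bot: The nettle `-L` and `-rpath` entries are added to `LDFLAGS` only in the `OPENLDAP_REL_ENG_2_6_7` branch, whereas every other nettle-related step in this workflow is gated on `matrix.use_container == false`. The matrix is outside this hunk, but unless that ref is the only one built on the native runner, the `else` branch configures against the 3.8.11 toolchain without the nettle search paths, and the 2.6.7 branch adds `/opt/nettle` paths even where nettle is not installed there. Consider choosing `LDFLAGS` on `matrix.use_container` and keeping only the `./configure` option list keyed on the ref.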
@@ -82,18 +83,35 @@ jobs: sudo cp -a ~/cache/gnutls /opt/ sudo cp -a ~/cache/wolfssl /opt/ sudo cp -a ~/cache/wolfssl-gnutls-wrapper /opt/ + if [ -d ~/cache/nettle ]; then + sudo cp -a ~/cache/nettle /opt/ + fi + + - name: Setup nettle environment (native runner only) + if: matrix.use_container == false + run: | + # Set up environment for nettle 3.10 in /opt/nettle + echo "PKG_CONFIG_PATH=/opt/nettle/lib64/pkgconfig:/opt/nettle/lib/pkgconfig:$PKG_CONFIG_PATH" >> $GITHUB_ENV + echo "LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:$LD_LIBRARY_PATH" >> $GITHUB_ENV - name: Build GnuTLS with wolfSSL provider using setup.sh script if: steps.cache-gnutls.outputs.cache-hit != 'true' run: | echo "Running setup.sh..." - GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh + if [[ "${{ matrix.use_container }}" == "false" ]]; then + GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl NETTLE_INSTALL=/opt/nettle ./setup.sh 3.8.11 + else + GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh + fi # For native runner: also save to cache location if [[ "${{ matrix.use_container }}" == "false" ]]; then mkdir -p ~/cache sudo cp -a /opt/gnutls ~/cache/ sudo cp -a /opt/wolfssl ~/cache/ sudo cp -a /opt/wolfssl-gnutls-wrapper ~/cache/ + if [ -d /opt/nettle ]; then + sudo cp -a /opt/nettle ~/cache/ + fi sudo chown -R $(id -u):$(id -g) ~/cache fi @@ -105,6 +123,11 @@ jobs: test -d /opt/gnutls || exit 1 echo "Check for wrapper installation..." test -d /opt/wolfssl-gnutls-wrapper/lib || exit 1 + if [[ "${{ matrix.use_container }}" == "false" ]]; then + echo "Check for nettle installation (3.8.11)..." + test -d /opt/nettle || exit 1 + fi + - name: Build wget at ${{ matrix.wget_ref }} uses: actions/checkout@v4 with: 
@@ -167,7 +190,7 @@ jobs: # To make /opt/gnutls visible to the test binaries, LD_LIBRARY_PATH # is needed since we disable rpath for v1.21.4. if [[ "${{ matrix.wget_ref }}" = "v1.21.4" ]]; then - export LD_LIBRARY_PATH=/opt/gnutls/lib:/opt/wolfssl/lib:/opt/wolfssl-gnutls-wrapper/lib:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:/opt/gnutls/lib:/opt/wolfssl/lib:/opt/wolfssl-gnutls-wrapper/lib:$LD_LIBRARY_PATH fi make check find . -name '*.log' | xargs grep wgw diff --git a/.github/workflows/wireshark.yml b/.github/workflows/wireshark.yml index ab26166..8a41653 100644 --- a/.github/workflows/wireshark.yml +++ b/.github/workflows/wireshark.yml @@ -1,15 +1,12 @@ name: wireshark test - on: push: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] - concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true - jobs: build_gnutls: name: Build wolfSSL, GnuTLS and provider @@ -20,18 +17,15 @@ jobs: wireshark_ref: [ 'master', 'v4.2.12', 'v4.6.0' ] fail-fast: false runs-on: ${{ matrix.os }} - steps: - name: Checkout repository uses: actions/checkout@v4 - - name: Install dependencies run: | sudo apt-get update sudo apt-get install -y build-essential gnulib autopoint gperf gtk-doc-tools nettle-dev clang \ libtasn1-bin libtasn1-6-dev libunistring-dev libp11-kit-dev libunbound-dev \ wget git flex autoconf-archive libhttp-daemon-perl ninja-build - - name: Restore cached gnutls-wolfssl id: cache-gnutls uses: actions/cache@v4 
@@ -40,10 +34,10 @@ jobs: ~/cache/gnutls ~/cache/wolfssl ~/cache/wolfssl-gnutls-wrapper - key: gnutls-wolfssl-${{ runner.os }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }} + ~/cache/nettle + key: gnutls-wolfssl-3.8.11-${{ runner.os }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }} restore-keys: | - gnutls-wolfssl-${{ runner.os }}- - + gnutls-wolfssl-3.8.11-${{ runner.os }}- - name: Copy cache to /opt if: steps.cache-gnutls.outputs.cache-hit == 'true' run: | @@ -51,20 +45,29 @@ jobs: sudo cp -a ~/cache/gnutls /opt/ sudo cp -a ~/cache/wolfssl /opt/ sudo cp -a ~/cache/wolfssl-gnutls-wrapper /opt/ + if [ -d ~/cache/nettle ]; then + sudo cp -a ~/cache/nettle /opt/ + fi echo "Cache restored successfully" - + - name: Setup nettle environment + run: | + # Set up environment for nettle 3.10 in /opt/nettle + echo "PKG_CONFIG_PATH=/opt/nettle/lib64/pkgconfig:/opt/nettle/lib/pkgconfig:$PKG_CONFIG_PATH" >> $GITHUB_ENV + echo "LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:$LD_LIBRARY_PATH" >> $GITHUB_ENV - name: Build GnuTLS with wolfSSL provider using setup.sh script if: steps.cache-gnutls.outputs.cache-hit != 'true' run: | echo "Cache miss - running setup.sh..." - GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh + GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl NETTLE_INSTALL=/opt/nettle ./setup.sh 3.8.11 # Save to cache location mkdir -p ~/cache sudo cp -a /opt/gnutls ~/cache/ sudo cp -a /opt/wolfssl ~/cache/ sudo cp -a /opt/wolfssl-gnutls-wrapper ~/cache/ + if [ -d /opt/nettle ]; then + sudo cp -a /opt/nettle ~/cache/ + fi sudo chown -R $(id -u):$(id -g) ~/cache - - name: Check setup.sh output directories run: | echo "Check for wolfSSL installation..." 
@@ -73,11 +76,11 @@ jobs: ls -la /opt/gnutls || { echo "/opt/gnutls not found"; exit 1; } echo "Check for wrapper installation..." ls -la /opt/wolfssl-gnutls-wrapper/lib || { echo "/opt/wolfssl-gnutls-wrapper/lib not found"; exit 1; } - + echo "Check for nettle installation..." + ls -la /opt/nettle || { echo "/opt/nettle not found"; exit 1; } - name: Clone wireshark run: | git clone https://github.com/wireshark/wireshark.git - - name: Setup and build wireshark working-directory: wireshark run: | @@ -88,7 +91,8 @@ jobs: sudo ./tools/debian-setup.sh --install-deb-deps sudo ./tools/debian-setup.sh --install-test-deps mkdir build && cd build - export PKG_CONFIG_PATH=/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH + export PKG_CONFIG_PATH=/opt/nettle/lib64/pkgconfig:/opt/nettle/lib/pkgconfig:/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH + export LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:/opt/gnutls/lib:$LD_LIBRARY_PATH cmake -G Ninja .. \ -DENABLE_PCAP=ON \ -DENABLE_GNUTLS=ON \ @@ -103,10 +107,10 @@ jobs: -DBUILD_wireshark=OFF ninja ninja test-programs - - name: Test Wireshark (TLS related tests only) working-directory: wireshark run: | - export PKG_CONFIG_PATH=/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH + export PKG_CONFIG_PATH=/opt/nettle/lib64/pkgconfig:/opt/nettle/lib/pkgconfig:/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH + export LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:/opt/gnutls/lib:$LD_LIBRARY_PATH cd build pytest ../test/suite_decryption.py -v -s diff --git a/.github/workflows/xmlsec.yml b/.github/workflows/xmlsec.yml index 2e95c63..5da1329 100644 --- a/.github/workflows/xmlsec.yml +++ b/.github/workflows/xmlsec.yml 
@@ -44,9 +44,10 @@ jobs: ~/cache/gnutls ~/cache/wolfssl ~/cache/wolfssl-gnutls-wrapper - key: gnutls-wolfssl-${{ runner.os }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }} + ~/cache/nettle + key: gnutls-wolfssl-3.8.11-${{ runner.os }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }} restore-keys: | - gnutls-wolfssl-${{ runner.os }}- + gnutls-wolfssl-3.8.11-${{ runner.os }}- - name: Copy cache to /opt if: steps.cache-gnutls.outputs.cache-hit == 'true' @@ -55,18 +56,30 @@ jobs: sudo cp -a ~/cache/gnutls /opt/ sudo cp -a ~/cache/wolfssl /opt/ sudo cp -a ~/cache/wolfssl-gnutls-wrapper /opt/ + if [ -d ~/cache/nettle ]; then + sudo cp -a ~/cache/nettle /opt/ + fi echo "Cache restored successfully" + - name: Setup nettle environment + run: | + # Set up environment for nettle 3.10 in /opt/nettle + echo "PKG_CONFIG_PATH=/opt/nettle/lib64/pkgconfig:/opt/nettle/lib/pkgconfig:$PKG_CONFIG_PATH" >> $GITHUB_ENV + echo "LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:$LD_LIBRARY_PATH" >> $GITHUB_ENV + - name: Build GnuTLS with wolfSSL provider using setup.sh script if: steps.cache-gnutls.outputs.cache-hit != 'true' run: | echo "Cache miss - running setup.sh..." - GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh + GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl NETTLE_INSTALL=/opt/nettle ./setup.sh 3.8.11 # Save to cache location mkdir -p ~/cache sudo cp -a /opt/gnutls ~/cache/ sudo cp -a /opt/wolfssl ~/cache/ sudo cp -a /opt/wolfssl-gnutls-wrapper ~/cache/ + if [ -d /opt/nettle ]; then + sudo cp -a /opt/nettle ~/cache/ + fi sudo chown -R $(id -u):$(id -g) ~/cache - name: Check setup.sh output directories 
@@ -77,6 +90,8 @@ jobs: ls -la /opt/gnutls || { echo "/opt/gnutls not found"; exit 1; } echo "Check for wrapper installation..." ls -la /opt/wolfssl-gnutls-wrapper/lib || { echo "/opt/wolfssl-gnutls-wrapper/lib not found"; exit 1; } + echo "Check for nettle installation..." + ls -la /opt/nettle || { echo "/opt/nettle not found"; exit 1; } - name: Clone xmlsec run: | @@ -88,7 +103,8 @@ jobs: if [[ "${{ matrix.xmlsec_ref }}" != "master" ]]; then git checkout ${{ matrix.xmlsec_ref }} fi - export PKG_CONFIG_PATH=/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH + export PKG_CONFIG_PATH=/opt/nettle/lib64/pkgconfig:/opt/nettle/lib/pkgconfig:/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH + export LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:/opt/gnutls/lib:$LD_LIBRARY_PATH ./autogen.sh ./configure --with-gnutls=/opt/gnutls \ --disable-dsa \ @@ -117,6 +133,7 @@ jobs: - name: Test xmlsec working-directory: xmlsec run: | - export PKG_CONFIG_PATH=/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH + export PKG_CONFIG_PATH=/opt/nettle/lib64/pkgconfig:/opt/nettle/lib/pkgconfig:/opt/gnutls/lib/pkgconfig:$PKG_CONFIG_PATH + export LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:/opt/gnutls/lib:$LD_LIBRARY_PATH make check find /tmp -name "*.log" | xargs grep wgw diff --git a/setup.sh b/setup.sh index 97c6bf5..f2ce6bb 100755 --- a/setup.sh +++ b/setup.sh 
@@ -41,12 +41,13 @@ ENVIRONMENT VARIABLES: WOLFSSL_INSTALL Installation path for wolfSSL (default: /opt/wolfssl) GNUTLS_INSTALL Installation path for GnuTLS (default: /opt/gnutls) PROVIDER_PATH Path for wolfssl-gnutls-wrapper (default: /opt/wolfssl-gnutls-wrapper) + NETTLE_INSTALL Installation path for nettle 3.10 (default: /opt/nettle, only used for GnuTLS 3.8.11+) WOLFSSL_FIPS_BUNDLE Path to pre-downloaded wolfSSL FIPS bundle (optional, FIPS mode only) NOTES: - The script automatically detects macOS or Linux and installs appropriate dependencies - On macOS, Homebrew is required for dependency installation - - If wolfSSL is already installed system-wide (detectable via pkg-config), + - If wolfSSL is already installed system-wide (detectable via pkg-config), the script will use it instead of building from source - FIPS mode requires access to the wolfSSL FIPS source repository @@ -107,6 +108,9 @@ fi if [ -z "$PROVIDER_PATH" ]; then PROVIDER_PATH=/opt/wolfssl-gnutls-wrapper fi +if [ -z "$NETTLE_INSTALL" ]; then + NETTLE_INSTALL=/opt/nettle +fi # Print configuration echo "==============================================" @@ -122,6 +126,7 @@ echo " GnuTLS Branch: $GNUTLS_BRANCH" echo " wolfSSL Install: $WOLFSSL_INSTALL" echo " GnuTLS Install: $GNUTLS_INSTALL" echo " Provider Path: $PROVIDER_PATH" +echo " Nettle Install: $NETTLE_INSTALL" echo "==============================================" echo "" 
@@ -286,23 +291,25 @@ else CONFIG_OPTS="$CONFIG_OPTS --enable-fips140-mode" fi - if [ "$GNUTLS_BRANCH" -eq "gnutls-wolfssl-3.8.11" ]; then + if [ "$GNUTLS_BRANCH" == "gnutls-wolfssl-3.8.11" ]; then # Download nettle 3.10, since gnutls 3.8.11 requires nettle to be >= 3.10 + echo "Installing nettle 3.10 to $NETTLE_INSTALL..." + wget https://ftp.gnu.org/gnu/nettle/nettle-3.10.tar.gz tar -xzf nettle-3.10.tar.gz cd nettle-3.10 # Build and install - ./configure --prefix=/usr/local + ./configure --prefix=$NETTLE_INSTALL make -j$(nproc) sudo make install # Update library cache sudo ldconfig - export PKG_CONFIG_PATH="/usr/local/lib64/pkgconfig:$PKG_CONFIG_PATH" - export LD_LIBRARY_PATH="/usr/local/lib64:$LD_LIBRARY_PATH" - export LDFLAGS="-L/usr/local/lib64 -Wl,-rpath,/usr/local/lib64" + export PKG_CONFIG_PATH="$NETTLE_INSTALL/lib64/pkgconfig:$NETTLE_INSTALL/lib/pkgconfig:$PKG_CONFIG_PATH" + export LD_LIBRARY_PATH="$NETTLE_INSTALL/lib64:$NETTLE_INSTALL/lib:$LD_LIBRARY_PATH" + export LDFLAGS="-L$NETTLE_INSTALL/lib64 -L$NETTLE_INSTALL/lib -Wl,-rpath,$NETTLE_INSTALL/lib64 -Wl,-rpath,$NETTLE_INSTALL/lib" cd ../ fi @@ -331,4 +338,7 @@ echo " GnuTLS Branch: $GNUTLS_BRANCH" echo " wolfSSL: $WOLFSSL_INSTALL" echo " GnuTLS: $GNUTLS_INSTALL" echo " Provider: $PROVIDER_PATH" +if [ "$GNUTLS_BRANCH" == "gnutls-wolfssl-3.8.11" ]; then + echo " Nettle: $NETTLE_INSTALL" +fi echo "==============================================" From 2e286d588d3dd3adf2ae4f5bab671e362f15bb6b Mon Sep 17 00:00:00 2001 From: Reda Chouk Date: Tue, 16 Dec 2025 13:06:30 +0100 Subject: [PATCH 3/6] Check version when running and testing against gnutls 3.8.11 --- .github/workflows/openldap.yml | 12 ++++++++++++ .github/workflows/wget.yml | 12 ++++++++++++ .github/workflows/wireshark.yml | 10 ++++++++++ .github/workflows/xmlsec.yml | 11 +++++++++++ 4 files changed, 45 insertions(+) diff --git a/.github/workflows/openldap.yml b/.github/workflows/openldap.yml index d0ca071..b2c8239 100644 
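Review bot: `./configure --prefix=$NETTLE_INSTALL` expands an environment-supplied path unquoted just before `sudo make install`, so a value containing spaces or glob characters is split into extra configure arguments; write `./configure --prefix="$NETTLE_INSTALL"`. `sudo ldconfig` most likely has no effect for a prefix such as `/opt/nettle` unless that directory is listed in the loader configuration, so the build actually depends on the rpath and `LD_LIBRARY_PATH` exports that follow it. `export LDFLAGS=...` also replaces any `LDFLAGS` the caller had set instead of extending it. The enclosing `else` block starts outside this hunk.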
--- a/.github/workflows/openldap.yml +++ b/.github/workflows/openldap.yml @@ -129,6 +129,18 @@ jobs: test -d /opt/nettle || { echo "/opt/nettle missing"; exit 1; } fi + - name: Verify GnuTLS version (native runner only) + if: matrix.use_container == false + run: | + export LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:/opt/gnutls/lib:/opt/wolfssl/lib:$LD_LIBRARY_PATH + GNUTLS_VERSION=$(/opt/gnutls/bin/gnutls-cli --version 2>&1 | grep -oP 'gnutls-cli \K[0-9]+\.[0-9]+\.[0-9]+') + echo "Detected GnuTLS version: $GNUTLS_VERSION" + if [ "$GNUTLS_VERSION" != "3.8.11" ]; then + echo "ERROR: Expected GnuTLS 3.8.11 but got $GNUTLS_VERSION" + exit 1 + fi + echo "GnuTLS version verified: 3.8.11" + - name: Build OpenLDAP at ${{ matrix.openldap_ref }} run: | git clone https://git.openldap.org/openldap/openldap.git diff --git a/.github/workflows/wget.yml b/.github/workflows/wget.yml index 021a0ac..62718d3 100644 --- a/.github/workflows/wget.yml +++ b/.github/workflows/wget.yml @@ -128,6 +128,18 @@ jobs: test -d /opt/nettle || exit 1 fi + - name: Verify GnuTLS version (native runner only) + if: matrix.use_container == false + run: | + export LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:/opt/gnutls/lib:/opt/wolfssl/lib:$LD_LIBRARY_PATH + GNUTLS_VERSION=$(/opt/gnutls/bin/gnutls-cli --version 2>&1 | grep -oP 'gnutls-cli \K[0-9]+\.[0-9]+\.[0-9]+') + echo "Detected GnuTLS version: $GNUTLS_VERSION" + if [ "$GNUTLS_VERSION" != "3.8.11" ]; then + echo "ERROR: Expected GnuTLS 3.8.11 but got $GNUTLS_VERSION" + exit 1 + fi + echo "GnuTLS version verified: 3.8.11" + - name: Build wget at ${{ matrix.wget_ref }} uses: actions/checkout@v4 with: diff --git a/.github/workflows/wireshark.yml b/.github/workflows/wireshark.yml index 8a41653..ce8584d 100644 --- a/.github/workflows/wireshark.yml +++ b/.github/workflows/wireshark.yml 
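Review bot: When `gnutls-cli` cannot start (a missing shared library, for instance), `2>&1` feeds the loader error into `grep -oP`, which prints nothing and exits non-zero. Assuming the step runs under the runner's default `bash -e`, the assignment then aborts the step before either `echo` runs, and the log shows no reason for the failure. Capture the output first with `out=$(/opt/gnutls/bin/gnutls-cli --version 2>&1) || true`, extract the version from `$out` with the match guarded by `|| true`, and print `$out` in the error branch. The same step is added to wget.yml, wireshark.yml and xmlsec.yml. The literal `3.8.11` is also repeated here and in the cache keys, where a workflow-level `env` value would keep them in step.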
@@ -78,6 +78,16 @@ jobs: ls -la /opt/wolfssl-gnutls-wrapper/lib || { echo "/opt/wolfssl-gnutls-wrapper/lib not found"; exit 1; } echo "Check for nettle installation..." ls -la /opt/nettle || { echo "/opt/nettle not found"; exit 1; } + - name: Verify GnuTLS version + run: | + export LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:/opt/gnutls/lib:/opt/wolfssl/lib:$LD_LIBRARY_PATH + GNUTLS_VERSION=$(/opt/gnutls/bin/gnutls-cli --version 2>&1 | grep -oP 'gnutls-cli \K[0-9]+\.[0-9]+\.[0-9]+') + echo "Detected GnuTLS version: $GNUTLS_VERSION" + if [ "$GNUTLS_VERSION" != "3.8.11" ]; then + echo "ERROR: Expected GnuTLS 3.8.11 but got $GNUTLS_VERSION" + exit 1 + fi + echo "GnuTLS version verified: 3.8.11" - name: Clone wireshark run: | git clone https://github.com/wireshark/wireshark.git diff --git a/.github/workflows/xmlsec.yml b/.github/workflows/xmlsec.yml index 5da1329..efd2c0c 100644 --- a/.github/workflows/xmlsec.yml +++ b/.github/workflows/xmlsec.yml @@ -93,6 +93,17 @@ jobs: echo "Check for nettle installation..." ls -la /opt/nettle || { echo "/opt/nettle not found"; exit 1; } + - name: Verify GnuTLS version + run: | + export LD_LIBRARY_PATH=/opt/nettle/lib64:/opt/nettle/lib:/opt/gnutls/lib:/opt/wolfssl/lib:$LD_LIBRARY_PATH + GNUTLS_VERSION=$(/opt/gnutls/bin/gnutls-cli --version 2>&1 | grep -oP 'gnutls-cli \K[0-9]+\.[0-9]+\.[0-9]+') + echo "Detected GnuTLS version: $GNUTLS_VERSION" + if [ "$GNUTLS_VERSION" != "3.8.11" ]; then + echo "ERROR: Expected GnuTLS 3.8.11 but got $GNUTLS_VERSION" + exit 1 + fi + echo "GnuTLS version verified: 3.8.11" + - name: Clone xmlsec run: | git clone https://github.com/lsh123/xmlsec.git From aa3ae017fd5a9d724c7f305fd05b6d4b2a698360 Mon Sep 17 00:00:00 2001 
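Review bot: In the wireshark.yml step, the assignment `GNUTLS_VERSION=$(... | grep -oP ...)` takes grep's non-zero status when nothing matches, so if the step runs under the Actions default `bash -e` it stops at that line and neither "Detected GnuTLS version" nor the explicit "ERROR: Expected GnuTLS 3.8.11" message is printed. Because of `2>&1`, a loader or "not found" error from `gnutls-cli` is fed into grep and discarded as well, so the check fails closed but without a diagnostic. Ending the substitution with `|| true`, i.e. `... | grep -oP 'gnutls-cli \K[0-9]+\.[0-9]+\.[0-9]+' || true)`, lets the comparison below report the mismatch. The same applies to the openldap.yml, wget.yml and xmlsec.yml steps.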
From: Reda Chouk Date: Tue, 16 Dec 2025 13:41:41 +0100 Subject: [PATCH 4/6] - Removed rebuild-gnutls.sh script - Removed macOS support (barely used and doesn't really more value or coverage) --- rebuild-gnutls.sh | 63 ----------------------------------------------- setup.sh | 37 +--------------------------- 2 files changed, 1 insertion(+), 99 deletions(-) delete mode 100755 rebuild-gnutls.sh diff --git a/rebuild-gnutls.sh b/rebuild-gnutls.sh deleted file mode 100755 index 149b030..0000000 --- a/rebuild-gnutls.sh +++ /dev/null 
@@ -1,63 +0,0 @@ -#!/bin/bash - -set -e - -# Check if FIPS mode is enabled via command line argument -FIPS_MODE=0 -if [ "$1" = "fips" ]; then - FIPS_MODE=1 - echo "Building GnuTLS with FIPS 140 mode enabled" -else - echo "Building GnuTLS without FIPS 140 mode" -fi - -get_os() { - case "$(uname -s)" in - Darwin*) echo "macos";; - Linux*) echo "linux";; - *) echo "unknown";; - esac -} - -OS=$(get_os) -echo "Detected OS: $OS" - -cd ./gnutls - -if [ "$OS" = "macos" ]; then - echo "Configuring GnuTLS for macOS..." - autoreconf -fvi - - CONFIG_OPTS="--prefix=/opt/gnutls/ --disable-doc --disable-manpages --disable-gtk-doc --disable-full-test-suite --disable-valgrind-tests --disable-dependency-tracking --disable-gost --disable-dsa --enable-srp-authentication" - - if [ $FIPS_MODE -eq 1 ]; then - CONFIG_OPTS="$CONFIG_OPTS --enable-fips140-mode" - fi - - CFLAGS="-I$(brew --prefix libunistring)/include -I$(brew --prefix gmp)/include -I$(brew --prefix libev)/include -DGNUTLS_WOLFSSL" \ - LDFLAGS="-L$(brew --prefix libunistring)/lib -L$(brew --prefix gmp)/lib -L$(brew --prefix libev)/lib -L$(brew --prefix bison)/lib" \ - GMP_CFLAGS="-I$(brew --prefix gmp)/include" \ - GMP_LIBS="-L$(brew --prefix gmp)/lib -lgmp" \ - PKG_CONFIG_PATH="$(brew --prefix libev)/lib/pkgconfig:$(brew --prefix gmp)/lib/pkgconfig:$PKG_CONFIG_PATH" \ - CC=clang \ - ./configure $CONFIG_OPTS - - make -j$(sysctl -n hw.ncpu) - -else - echo "Configuring GnuTLS for Linux..." - autoreconf -fvi - - CONFIG_OPTS="--prefix=/opt/gnutls/ --disable-doc --disable-manpages --disable-gtk-doc --disable-gost --disable-dsa --enable-srp-authentication" - - if [ $FIPS_MODE -eq 1 ]; then - CONFIG_OPTS="$CONFIG_OPTS --enable-fips140-mode" - fi - - ./configure $CONFIG_OPTS CFLAGS=-DGNUTLS_WOLFSSL - - make -j9 -fi - -sudo make install -cd ../ diff --git a/setup.sh b/setup.sh index f2ce6bb..fa9eda3 100755 --- a/setup.sh +++ b/setup.sh 
@@ -45,8 +45,6 @@ ENVIRONMENT VARIABLES: WOLFSSL_FIPS_BUNDLE Path to pre-downloaded wolfSSL FIPS bundle (optional, FIPS mode only) NOTES: - - The script automatically detects macOS or Linux and installs appropriate dependencies - - On macOS, Homebrew is required for dependency installation - If wolfSSL is already installed system-wide (detectable via pkg-config), the script will use it instead of building from source - FIPS mode requires access to the wolfSSL FIPS source repository @@ -132,7 +130,6 @@ echo "" get_os() { case "$(uname -s)" in - Darwin*) echo "macos";; Linux*) echo "linux";; *) echo "unknown";; esac @@ -157,19 +154,6 @@ if detect_system_wolfssl; then : "${WOLFSSL_INSTALL:=/usr}" fi -if [ "$OS" = "macos" ]; then - echo "Installing macOS dependencies..." - brew update - for pkg in openssl autoconf automake coreutils libtool gmp nettle p11-kit libtasn1 libunistring gettext bison gtk-doc libev; do - brew install $pkg || true - done - for pkg in nettle wget p11-kit libtasn1 libunistring; do - brew upgrade $pkg || true - done - export PATH="/usr/local/opt/gettext/bin:/opt/homebrew/opt/gettext/bin:$PATH" - export PATH="/usr/local/opt/bison/bin:/opt/homebrew/opt/bison/bin:$PATH" -fi - if [ $FIPS_MODE -eq 1 ]; then if [ "$USE_SYSTEM_WOLFSSL" -eq 1 ]; then echo "Using system wolfSSL. Skipping wolfSSL build." 
@@ -263,26 +247,7 @@ fi autoreconf -fvi # Base configuration options for GnuTLS -if [ "$OS" = "macos" ]; then - echo "Configuring GnuTLS for macOS..." - - CONFIG_OPTS="--prefix=$GNUTLS_INSTALL/ --disable-doc --disable-manpages --disable-gtk-doc --disable-full-test-suite --disable-valgrind-tests --disable-dependency-tracking --disable-gost --disable-dsa --enable-srp-authentication" - - if [ $FIPS_MODE -eq 1 ]; then - CONFIG_OPTS="$CONFIG_OPTS --enable-fips140-mode" - fi - - CFLAGS="-I$(brew --prefix libunistring)/include -I$(brew --prefix gmp)/include -I$(brew --prefix libev)/include -DGNUTLS_WOLFSSL" \ - LDFLAGS="-L$(brew --prefix libunistring)/lib -L$(brew --prefix gmp)/lib -L$(brew --prefix libev)/lib -L$(brew --prefix bison)/lib" \ - GMP_CFLAGS="-I$(brew --prefix gmp)/include" \ - GMP_LIBS="-L$(brew --prefix gmp)/lib -lgmp" \ - PKG_CONFIG_PATH="$(brew --prefix libev)/lib/pkgconfig:$(brew --prefix gmp)/lib/pkgconfig:$PKG_CONFIG_PATH" \ - CC=clang \ - ./configure $CONFIG_OPTS - - make -j$(sysctl -n hw.ncpu) - -else +if [ "$OS" = "linux" ]; then echo "Configuring GnuTLS for Linux..." CONFIG_OPTS="--prefix=$GNUTLS_INSTALL/ --disable-doc --disable-manpages --disable-gtk-doc --disable-gost --disable-dsa --disable-full-test-suite --disable-valgrind-tests --disable-dependency-tracking --enable-srp-authentication" From f44b66594f135d111e36e9c1c2221e4a95786a5a Mon Sep 17 00:00:00 2001 From: Reda Chouk Date: Tue, 16 Dec 2025 15:25:10 +0100 Subject: [PATCH 5/6] - dirmngr updated the version pull of gpg-error (now pulls 1.56) required for master; - updated meson version for vte (1.3.2), required for master; --- .github/workflows/dirmngr.yml | 4 ++-- .github/workflows/libvte.yml | 3 ++- .github/workflows/tpm2-tools.yml | 4 +++- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/dirmngr.yml b/.github/workflows/dirmngr.yml index 4891e41..604cc6c 100644 --- a/.github/workflows/dirmngr.yml +++ b/.github/workflows/dirmngr.yml 
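Review bot: Replacing the `else` with `if [ "$OS" = "linux" ]; then` means that on any other platform (`get_os` now returns "unknown" for macOS too) the configure step is skipped rather than rejected, and the script carries on with whatever follows the closing `fi`, which lies outside this hunk. Unless an earlier guard already exists outside the visible hunks, fail fast right after the OS is detected: `[ "$OS" = "linux" ] || { echo "Unsupported OS: $(uname -s)" >&2; exit 1; }`. With that guard in place the conditional around the Linux configure block is no longer needed.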
@@ -76,8 +76,8 @@ jobs: cd .. } - pkg-config --exists --atleast-version=1.51 gpg-error || \ - build libgpg-error 1.51 https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.51.tar.bz2 + pkg-config --exists --atleast-version=1.56 gpg-error || \ + build libgpg-error 1.56 https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.56.tar.bz2 pkg-config --exists --atleast-version=1.11.0 gcrypt || \ build libgcrypt 1.11.1 https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2 diff --git a/.github/workflows/libvte.yml b/.github/workflows/libvte.yml index f9f00a2..ffb449d 100644 --- a/.github/workflows/libvte.yml +++ b/.github/workflows/libvte.yml @@ -69,7 +69,8 @@ jobs: liblz4-dev python3-pip python3-setuptools \ libglib2.0-dev libpcre2-dev libfribidi-dev \ libgtk-3-dev libicu-dev gettext git \ - libtool autoconf automake meson ninja-build pkg-config + libtool autoconf automake ninja-build pkg-config + pip3 install --break-system-packages meson>=1.3.2 - name: Checkout VTE at ${{ matrix.vte_ref }} run: | diff --git a/.github/workflows/tpm2-tools.yml b/.github/workflows/tpm2-tools.yml index e2e5412..f6a03ba 100644 --- a/.github/workflows/tpm2-tools.yml +++ b/.github/workflows/tpm2-tools.yml @@ -161,4 +161,6 @@ jobs: export WGW_LOGGING=1 export TEST_REGENERATE_OUTPUT=1 - make check + make check || rc=$? + cat test-suite.log + exit ${rc:-0} From 841c683f233ca0be41a52e7f8ef9b127f239f2f5 Mon Sep 17 00:00:00 2001 From: Reda Chouk Date: Tue, 16 Dec 2025 16:49:19 +0100 Subject: [PATCH 6/6] Pin tpm2-tss to a compatible version to tpm2-tools 5.7 instead of pulling the latest from master (prevents parsing issues, not related to TLS capabilities) --- .github/workflows/tpm2-tools.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/tpm2-tools.yml b/.github/workflows/tpm2-tools.yml index f6a03ba..933a53f 100644 --- a/.github/workflows/tpm2-tools.yml +++ b/.github/workflows/tpm2-tools.yml 
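Review bot: In the libvte.yml hunk, `pip3 install --break-system-packages meson>=1.3.2` is unquoted, so (assuming the line sits in the same `run:` script as the package install above it) the shell parses `>=1.3.2` as a redirection: pip installs an unconstrained `meson` and its output is written to a file named `=1.3.2`. The minimum version is therefore never enforced and the job takes whatever release the index serves at that moment. Quote the requirement, `pip3 install --break-system-packages 'meson>=1.3.2'`, or pin an exact version with `==` for reproducible runs.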
@@ -80,6 +80,7 @@ jobs: export MAKEFLAGS="-j$(nproc)" git clone https://github.com/tpm2-software/tpm2-tss cd tpm2-tss + git checkout 4.1.3 git submodule update --init --recursive ./bootstrap export PKG_CONFIG_PATH="/opt/gnutls/lib/pkgconfig:/opt/curl/lib/pkgconfig${PKG_CONFIG_PATH:+:$PKG_CONFIG_PATH}" @@ -161,6 +162,4 @@ jobs: export WGW_LOGGING=1 export TEST_REGENERATE_OUTPUT=1 - make check || rc=$? - cat test-suite.log - exit ${rc:-0} + make check
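Review bot: `git checkout 4.1.3` in the first hunk pins tpm2-tss by tag name, and a tag can be moved upstream, so the source that gets built is not actually fixed. Check out the commit the tag points to and keep the tag as a comment, e.g. `git checkout <commit-sha-of-4.1.3>  # 4.1.3` (placeholder), so every CI run builds the same tree. The step's script begins and ends outside the hunk.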