Merge pull request #6653 from julek-wolfssl/kerberos-update

Updates for Kerberos 5 1.21.1

.github/workflows/curl.yml

@@ -1,7 +1,6 @@
 name: curl Test
 
 on:
- push:
  workflow_call:
 
 jobs:

.github/workflows/krb5.yml

@@ -0,0 +1,84 @@
+name: Kerberos 5 Tests
+
+on:
+ workflow_call:
+ # TODO remove push when opening the PR
+ push:
+
+jobs:
+ build_wolfssl:
+ name: Build wolfSSL
+ # Just to keep it the same as the testing target
+ runs-on: ubuntu-latest
+ # This should be a safe limit for the tests to run.
+ timeout-minutes: 5
+ steps:
+ - name: Build wolfSSL
+ uses: wolfSSL/actions-build-autotools-project@v1
+ with:
+ path: wolfssl
+ configure: --enable-krb CFLAGS='-fsanitize=address'
+ install: true
+
+ - name: Upload built lib
+ uses: actions/upload-artifact@v3
+ with:
+ name: wolf-install-krb5
+ path: build-dir
+ retention-days: 1
+
+ krb5_check:
+ strategy:
+ fail-fast: false
+ matrix:
+ # List of releases to test
+ ref: [ 1.21.1 ]
+ name: ${{ matrix.ref }}
+ runs-on: ubuntu-latest
+ # This should be a safe limit for the tests to run.
+ timeout-minutes: 8
+ needs: build_wolfssl
+ steps:
+ - name: Download lib
+ uses: actions/download-artifact@v3
+ with:
+ name: wolf-install-krb5
+ path: build-dir
+
+ - name: Checkout OSP
+ uses: actions/checkout@v3
+ with:
+ # TODO revert repo to wolfssl on merge
+ repository: julek-wolfssl/osp
+ # TODO remove ref on merge
+ ref: krb5-1.21.1
+ path: osp
+
+ - name: Checkout krb5
+ uses: actions/checkout@v3
+ with:
+ repository: krb5/krb5
+ ref: krb5-${{ matrix.ref }}-final
+ path: krb5
+
+ - name: Apply patch
+ working-directory: ./krb5
+ run: |
+ patch -p1 < $GITHUB_WORKSPACE/osp/krb5/Patch-for-Kerberos-5-${{ matrix.ref }}.patch
+
+ - name: Build krb5
+ working-directory: ./krb5/src
+ run: |
+ autoreconf -ivf
+ # Using rpath because LD_LIBRARY_PATH is overwritten during testing
+ export WOLFSSL_CFLAGS="-I$GITHUB_WORKSPACE/build-dir/include -I$GITHUB_WORKSPACE/build-dir/include/wolfssl -Wl,-rpath=$GITHUB_WORKSPACE/build-dir/lib"
+ export WOLFSSL_LIBS="-lwolfssl -L$GITHUB_WORKSPACE/build-dir/lib -Wl,-rpath=$GITHUB_WORKSPACE/build-dir/lib"
+ ./configure --with-crypto-impl=wolfssl --with-tls-impl=wolfssl --disable-pkinit \
+ CFLAGS='-fsanitize=address' LDFLAGS='-fsanitize=address'
+ CFLAGS='-fsanitize=address' LDFLAGS='-fsanitize=address' make -j
+
+ - name: Run tests
+ working-directory: ./krb5/src
+ run: |
+ CFLAGS='-fsanitize=address' LDFLAGS='-fsanitize=address' make -j check
+

.github/workflows/main.yml

@@ -34,6 +34,8 @@ jobs:
  uses: ./.github/workflows/hitch.yml
  curl:
  uses: ./.github/workflows/curl.yml
+ krb5:
+ uses: ./.github/workflows/krb5.yml
 # TODO: Currently this test fails. Enable it once it becomes passing. 
 # haproxy:
 # uses: ./.github/workflows/haproxy.yml

.github/workflows/nginx.yml

@@ -1,7 +1,6 @@
 name: nginx Tests
 
 on:
- push:
  workflow_call:
 
 jobs:

configure.ac

@@ -3526,7 +3526,7 @@ AC_ARG_ENABLE([compkey],
  [ ENABLED_COMPKEY=no ]
  )
 
-if test "$ENABLED_WPAS" = "yes"
+if test "$ENABLED_WPAS" = "yes" || test "$ENABLED_OPENSSLALL" = "yes"
 then
  ENABLED_COMPKEY=yes
 fi

src/pk.c

@@ -9711,27 +9711,27 @@ void wolfSSL_EC_POINT_dump(const char *msg, const WOLFSSL_EC_POINT *point)
 
  WOLFSSL_ENTER("wolfSSL_EC_POINT_dump");
 
- /* Only print when debugging on and logging callback set. */
- if (WOLFSSL_IS_DEBUG_ON() && (wolfSSL_GetLoggingCb() == NULL)) {
+ /* Only print when debugging on. */
+ if (WOLFSSL_IS_DEBUG_ON()) {
  if (point == NULL) {
  /* No point passed in so just put out "NULL". */
- XFPRINTF(stderr, "%s = NULL\n", msg);
+ WOLFSSL_MSG_EX("%s = NULL\n", msg);
  }
  else {
  /* Put out message and status of internal/external data set. */
- XFPRINTF(stderr, "%s:\n\tinSet=%d, exSet=%d\n", msg, point->inSet,
+ WOLFSSL_MSG_EX("%s:\n\tinSet=%d, exSet=%d\n", msg, point->inSet,
  point->exSet);
  /* Get x-ordinate as a hex string and print. */
  num = wolfSSL_BN_bn2hex(point->X);
- XFPRINTF(stderr, "\tX = %s\n", num);
+ WOLFSSL_MSG_EX("\tX = %s\n", num);
  XFREE(num, NULL, DYNAMIC_TYPE_OPENSSL);
  /* Get x-ordinate as a hex string and print. */
  num = wolfSSL_BN_bn2hex(point->Y);
- XFPRINTF(stderr, "\tY = %s\n", num);
+ WOLFSSL_MSG_EX("\tY = %s\n", num);
  XFREE(num, NULL, DYNAMIC_TYPE_OPENSSL);
  /* Get z-ordinate as a hex string and print. */
  num = wolfSSL_BN_bn2hex(point->Z);
- XFPRINTF(stderr, "\tZ = %s\n", num);
+ WOLFSSL_MSG_EX("\tZ = %s\n", num);
  XFREE(num, NULL, DYNAMIC_TYPE_OPENSSL);
  }
  }
@@ -9922,6 +9922,8 @@ int wolfSSL_ECPoint_d2i(const unsigned char *in, unsigned int len,
  const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *point)
 {
  int ret = 1;
+ WOLFSSL_BIGNUM* x = NULL;
+ WOLFSSL_BIGNUM* y = NULL;
 
  WOLFSSL_ENTER("wolfSSL_ECPoint_d2i");
 
@@ -9958,17 +9960,49 @@ int wolfSSL_ECPoint_d2i(const unsigned char *in, unsigned int len,
  #endif
  }
 
+ if (ret == 1)
+ point->inSet = 1;
+
  /* Set new external point. */
- if ((ret == 1) && (ec_point_external_set(point) != 1)) {
+ if (ret == 1 && ec_point_external_set(point) != 1) {
  WOLFSSL_MSG("ec_point_external_set failed");
  ret = 0;
  }
 
+ if (ret == 1 && !wolfSSL_BN_is_one(point->Z)) {
+#if !defined(WOLFSSL_SP_MATH) && !defined(WOLF_CRYPTO_CB_ONLY_ECC)
+ x = wolfSSL_BN_new();
+ y = wolfSSL_BN_new();
+ if (x == NULL || y == NULL)
+ ret = 0;
+
+ if (ret == 1 && wolfSSL_EC_POINT_get_affine_coordinates_GFp(group,
+ point, x, y, NULL) != 1) {
+ WOLFSSL_MSG("wolfSSL_EC_POINT_get_affine_coordinates_GFp failed");
+ ret = 0;
+ }
+
+ /* wolfSSL_EC_POINT_set_affine_coordinates_GFp check that the point is
+ * on the curve. */
+ if (ret == 1 && wolfSSL_EC_POINT_set_affine_coordinates_GFp(group,
+ point, x, y, NULL) != 1) {
+ WOLFSSL_MSG("wolfSSL_EC_POINT_set_affine_coordinates_GFp failed");
+ ret = 0;
+ }
+#else
+ WOLFSSL_MSG("Importing non-affine point. This may cause issues in math "
+ "operations later on.");
+#endif
+ }
+
  if (ret == 1) {
  /* Dump new point. */
  wolfSSL_EC_POINT_dump("d2i p", point);
  }
 
+ wolfSSL_BN_free(x);
+ wolfSSL_BN_free(y);
+
  return ret;
 }
 
@@ -10060,6 +10094,14 @@ size_t wolfSSL_EC_POINT_point2oct(const WOLFSSL_EC_GROUP *group,
  }
  }
 
+#if defined(DEBUG_WOLFSSL)
+ if (!err) {
+ wolfSSL_EC_POINT_dump("wolfSSL_EC_POINT_point2oct point", point);
+ WOLFSSL_MSG("\twolfSSL_EC_POINT_point2oct output:");
+ WOLFSSL_BUFFER(buf, enc_len);
+ }
+#endif
+
  /* On error, return encoding length of 0. */
  if (err) {
  enc_len = 0;
@@ -10209,7 +10251,7 @@ int wolfSSL_EC_POINT_is_on_curve(const WOLFSSL_EC_GROUP *group,
  * @return 1 on success.
  * @return 0 on error.
  */
-static int ec_point_convert_to_affine(const WOLFSSL_EC_GROUP *group,
+int ec_point_convert_to_affine(const WOLFSSL_EC_GROUP *group,
  WOLFSSL_EC_POINT *point)
 {
  int err = 0;
@@ -10606,6 +10648,20 @@ int wolfSSL_EC_POINT_add(const WOLFSSL_EC_GROUP* group, WOLFSSL_EC_POINT* r,
  ret = 0;
  }
 
+#ifdef DEBUG_WOLFSSL
+ if (ret == 1) {
+ int nid = wolfSSL_EC_GROUP_get_curve_name(group);
+ const char* curve = wolfSSL_OBJ_nid2ln(nid);
+ const char* nistName = wolfSSL_EC_curve_nid2nist(nid);
+ wolfSSL_EC_POINT_dump("wolfSSL_EC_POINT_add p1", p1);
+ wolfSSL_EC_POINT_dump("wolfSSL_EC_POINT_add p2", p2);
+ if (curve != NULL)
+ WOLFSSL_MSG_EX("curve name: %s", curve);
+ if (nistName != NULL)
+ WOLFSSL_MSG_EX("nist curve name: %s", nistName);
+ }
+#endif
+
  if (ret == 1) {
  /* Add points using wolfCrypt objects. */
  ret = wolfssl_ec_point_add(group->curve_idx, (ecc_point*)r->internal,
@@ -10618,6 +10674,12 @@ int wolfSSL_EC_POINT_add(const WOLFSSL_EC_GROUP* group, WOLFSSL_EC_POINT* r,
  ret = 0;
  }
 
+#ifdef DEBUG_WOLFSSL
+ if (ret == 1) {
+ wolfSSL_EC_POINT_dump("wolfSSL_EC_POINT_add result", r);
+ }
+#endif
+
  return ret;
 }
 
@@ -10779,7 +10841,7 @@ static int wolfssl_ec_point_mul(int curveIdx, ecc_point* r, mp_int* n,
 
  if ((ret == 1) && (n != NULL) && (q != NULL) && (m != NULL)) {
  /* r = base point * n + q * m */
- ec_mul2add(r, r, m, q, n, a, prime);
+ ret = ec_mul2add(r, r, n, q, m, a, prime);
  }
  /* Not all values present, see if we are only doing base point * n. */
  else if ((ret == 1) && (n != NULL)) {
@@ -10852,6 +10914,26 @@ int wolfSSL_EC_POINT_mul(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r,
  ret = 0;
  }
 
+#ifdef DEBUG_WOLFSSL
+ if (ret == 1) {
+ int nid = wolfSSL_EC_GROUP_get_curve_name(group);
+ const char* curve = wolfSSL_OBJ_nid2ln(nid);
+ const char* nistName = wolfSSL_EC_curve_nid2nist(nid);
+ char* num;
+ wolfSSL_EC_POINT_dump("wolfSSL_EC_POINT_mul input q", q);
+ num = wolfSSL_BN_bn2hex(n);
+ WOLFSSL_MSG_EX("\tn = %s", num);
+ XFREE(num, NULL, DYNAMIC_TYPE_OPENSSL);
+ num = wolfSSL_BN_bn2hex(m);
+ WOLFSSL_MSG_EX("\tm = %s", num);
+ XFREE(num, NULL, DYNAMIC_TYPE_OPENSSL);
+ if (curve != NULL)
+ WOLFSSL_MSG_EX("curve name: %s", curve);
+ if (nistName != NULL)
+ WOLFSSL_MSG_EX("nist curve name: %s", nistName);
+ }
+#endif
+
  if (ret == 1) {
  mp_int* ni = (n != NULL) ? (mp_int*)n->internal : NULL;
  ecc_point* qi = (q != NULL) ? (ecc_point*)q->internal : NULL;
@@ -10872,6 +10954,12 @@ int wolfSSL_EC_POINT_mul(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r,
  ret = 0;
  }
 
+#ifdef DEBUG_WOLFSSL
+ if (ret == 1) {
+ wolfSSL_EC_POINT_dump("wolfSSL_EC_POINT_mul result", r);
+ }
+#endif
+
  return ret;
 }
 #endif /* !WOLFSSL_ATECC508A && !WOLFSSL_ATECC608A && !HAVE_SELFTEST &&
@@ -10960,6 +11048,30 @@ int wolfSSL_EC_POINT_invert(const WOLFSSL_EC_GROUP *group,
  ret = 0;
  }
 
+#ifdef DEBUG_WOLFSSL
+ if (ret == 1) {
+ int nid = wolfSSL_EC_GROUP_get_curve_name(group);
+ const char* curve = wolfSSL_OBJ_nid2ln(nid);
+ const char* nistName = wolfSSL_EC_curve_nid2nist(nid);
+ wolfSSL_EC_POINT_dump("wolfSSL_EC_POINT_invert input", point);
+ if (curve != NULL)
+ WOLFSSL_MSG_EX("curve name: %s", curve);
+ if (nistName != NULL)
+ WOLFSSL_MSG_EX("nist curve name: %s", nistName);
+
+ }
+#endif
+
+ if (ret == 1 && !wolfSSL_BN_is_one(point->Z)) {
+#if !defined(WOLFSSL_SP_MATH) && !defined(WOLF_CRYPTO_CB_ONLY_ECC)
+ if (ec_point_convert_to_affine(group, point) != 0)
+ ret = 0;
+#else
+ WOLFSSL_MSG("wolfSSL_EC_POINT_invert called on non-affine point");
+ ret = 0;
+#endif
+ }
+
  if (ret == 1) {
  /* Perform inversion using wolfCrypt objects. */
  ret = wolfssl_ec_point_invert(group->curve_idx,
@@ -10972,6 +11084,12 @@ int wolfSSL_EC_POINT_invert(const WOLFSSL_EC_GROUP *group,
  ret = 0;
  }
 
+#ifdef DEBUG_WOLFSSL
+ if (ret == 1) {
+ wolfSSL_EC_POINT_dump("wolfSSL_EC_POINT_invert result", point);
+ }
+#endif
+
  return ret;
 }