Hitch

.github/workflows/hitch.yml

@@ -0,0 +1,90 @@
+name: hitch Tests
+
+on:
+ workflow_call:
+
+jobs:
+ build_wolfssl:
+ name: Build wolfSSL
+ # Just to keep it the same as the testing target
+ runs-on: ubuntu-latest
+ steps:
+ - name: Build wolfSSL
+ uses: wolfSSL/actions-build-autotools-project@v1
+ with:
+ path: wolfssl
+ configure: --enable-hitch
+ install: true
+
+ - name: Upload built lib
+ uses: actions/upload-artifact@v3
+ with:
+ name: wolf-install-hitch
+ path: build-dir
+ retention-days: 1
+
+ hitch_check:
+ strategy:
+ fail-fast: false
+ matrix:
+ # List of releases to test
+ include:
+ - ref: 1.7.3
+ ignore-tests: >-
+ test13-r82.sh test15-proxy-v2-npn.sh test39-client-cert-proxy.sh
+ name: ${{ matrix.ref }}
+ runs-on: ubuntu-latest
+ needs: build_wolfssl
+ steps:
+ - name: Download lib
+ uses: actions/download-artifact@v3
+ with:
+ name: wolf-install-hitch
+ path: build-dir
+
+ - name: Checkout OSP
+ uses: actions/checkout@v3
+ with:
+ repository: wolfssl/osp
+ path: osp
+
+ - name: Install dependencies
+ run: |
+ export DEBIAN_FRONTEND=noninteractive
+ sudo apt-get update
+ sudo apt-get install -y libev-dev libssl-dev automake python3-docutils flex bison pkg-config make
+
+ - name: Checkout hitch
+ uses: actions/checkout@v3
+ with:
+ repository: varnish/hitch
+ ref: 1.7.3
+ path: hitch
+
+ # Do this before configuring so that it only detects the updated list of
+ # tests
+ - if: ${{ matrix.ignore-tests }}
+ name: Remove tests that we want to ignore
+ working-directory: ./hitch/src/tests
+ run: |
+ rm ${{ matrix.ignore-tests }}
+
+ - name: Configure and build hitch
+ run: |
+ cd $GITHUB_WORKSPACE/hitch/
+ patch -p1 < $GITHUB_WORKSPACE/osp/hitch/hitch_1.7.3.patch
+ autoreconf -ivf
+ SSL_CFLAGS="-I$GITHUB_WORKSPACE/build-dir/include/ -I$GITHUB_WORKSPACE/build-dir/include/wolfssl" SSL_LIBS="-L$GITHUB_WORKSPACE/build-dir/lib -lwolfssl" ./configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir/ --enable-silent-rules --enable-documentation --enable-warnings --with-lex --with-yacc --prefix=$GITHUB_WORKSPACE/build-dir
+ make -j$(nproc)
+
+ - name: Confirm hitch built with wolfSSL
+ working-directory: ./hitch
+ run: |
+ export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH
+ ldd src/hitch | grep wolfssl
+
+ - name: Run hitch tests, skipping ignored tests
+ working-directory: ./hitch
+ run: |
+ export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH
+ make check

.github/workflows/main.yml

@@ -30,6 +30,8 @@ jobs:
  uses: ./.github/workflows/nginx.yml
  zephyr:
  uses: ./.github/workflows/zephyr.yml
+ hitch:
+ uses: ./.github/workflows/hitch.yml
 # TODO: Currently this test fails. Enable it once it becomes passing. 
 # haproxy:
 # uses: ./.github/workflows/haproxy.yml

configure.ac

@@ -1377,6 +1377,7 @@ AC_ARG_ENABLE([mcast],
 # FFmpeg (--enable-ffmpeg) WOLFSSL_FFMPEG
 # strongSwan (--enable-strongswan)
 # OpenLDAP (--enable-openldap)
+# hitch (--enable-hitch)
 
 # Bind DNS compatibility Build
 AC_ARG_ENABLE([bind],
@@ -1580,6 +1581,13 @@ AC_ARG_ENABLE([strongswan],
  [ ENABLED_STRONGSWAN=no ]
  )
 
+# hitch support
+AC_ARG_ENABLE([hitch],
+ [AS_HELP_STRING([--enable-hitch],[Enable hitch support (default: disabled)])],
+ [ ENABLED_HITCH=$enableval ],
+ [ ENABLED_HITCH=no ]
+ )
+
 # OpenSSL Coexist
 AC_ARG_ENABLE([opensslcoexist],
  [AS_HELP_STRING([--enable-opensslcoexist],[Enable coexistence of wolfssl/openssl (default: disabled)])],
@@ -1691,7 +1699,7 @@ if test "$ENABLED_LIBWEBSOCKETS" = "yes" || test "$ENABLED_OPENVPN" = "yes" || \
  test "$ENABLED_OPENRESTY" = "yes" || test "$ENABLED_RSYSLOG" = "yes" || \
  test "$ENABLED_KRB" = "yes" || test "$ENABLED_CHRONY" = "yes" || \
  test "$ENABLED_FFMPEG" = "yes" || test "$ENABLED_STRONGSWAN" = "yes" || \
- test "$ENABLED_OPENLDAP" = "yes"
+ test "$ENABLED_OPENLDAP" = "yes" || test "$ENABLED_HITCH" = "yes"
 then
  ENABLED_OPENSSLALL="yes"
 fi
@@ -3109,7 +3117,7 @@ AC_ARG_ENABLE([sessioncerts],
 
 if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_OPENVPN" = "xyes" || \
  test "x$ENABLED_LIGHTY" = "xyes" || test "x$ENABLED_NETSNMP" = "xyes" || \
- test "x$ENABLED_STRONGSWAN" = "xyes"
+ test "x$ENABLED_STRONGSWAN" = "xyes" || test "x$ENABLED_HITCH" = "xyes"
 then
  ENABLED_SESSIONCERTS=yes
 fi
@@ -3149,7 +3157,7 @@ AC_ARG_ENABLE([certgen],
 if test "$ENABLED_OPENVPN" = "yes" || test "$ENABLED_OPENSSH" = "yes" || \
  test "$ENABLED_BIND" = "yes" || test "$ENABLED_NTP" = "yes" || \
  test "$ENABLED_CHRONY" = "yes" || test "$ENABLED_STRONGSWAN" = "yes" || \
- test "$ENABLED_OPENLDAP" = "yes"
+ test "$ENABLED_OPENLDAP" = "yes" || test "$ENABLED_HITCH" = "yes"
 then
  ENABLED_CERTGEN=yes
 fi
@@ -5961,6 +5969,45 @@ then
  AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB -DHAVE_EX_DATA -DWOLFSSL_KEY_GEN"
 fi
 
+if test "$ENABLED_HITCH" = "yes"
+then
+ # Requires opensslextra make sure on
+ if test "x$ENABLED_OPENSSLEXTRA" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"
+ then
+ ENABLED_OPENSSLEXTRA="yes"
+ AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
+ fi
+
+ # Requires OCSP make sure on
+ if test "x$ENABLED_OCSP" = "xno"
+ then
+ ENABLED_OCSP="yes"
+ fi
+
+ # Requires ALPN
+ if test "x$ENABLED_ALPN" = "xno"
+ then
+ ENABLED_ALPN="yes"
+ AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_ALPN"
+ fi
+
+ if test "x$ENABLED_KEYGEN" = "xno"
+ then
+ ENABLED_KEYGEN="yes"
+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"
+ fi
+
+ # Requires sessioncerts make sure on
+ if test "x$ENABLED_SESSIONCERTS" = "xno"
+ then
+ ENABLED_SESSIONCERTS="yes"
+ AM_CFLAGS="$AM_CFLAGS -DSESSION_CERTS"
+ fi
+
+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HITCH -DHAVE_EX_DATA -DWOLFSSL_SIGNER_DER_CERT"
+ AM_CFLAGS="$AM_CFLAGS -DOPENSSL_COMPATIBLE_DEFAULTS -DWOLFSSL_CIPHER_INTERNALNAME"
+fi
+
 
 if test "$ENABLED_NGINX" = "yes"|| test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_LIGHTY" = "xyes"
 then
@@ -8003,7 +8050,7 @@ if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_NGINX" = "yes" || \
  test "$ENABLED_LIBWEBSOCKETS" = "yes" || \
  test "x$ENABLED_LIGHTY" = "xyes" || test "$ENABLED_LIBSSH2" = "yes" || \
  test "x$ENABLED_NTP" = "xyes" || test "$ENABLED_RSYSLOG" = "yes" || \
- test "$ENABLED_OPENLDAP" = "yes"
+ test "$ENABLED_OPENLDAP" = "yes" || test "$ENABLED_HITCH" = "yes"
 then
  ENABLED_OPENSSLEXTRA="yes"
 fi
@@ -9189,6 +9236,7 @@ echo " * SIGNAL: $ENABLED_SIGNAL"
 echo " * chrony: $ENABLED_CHRONY"
 echo " * strongSwan: $ENABLED_STRONGSWAN"
 echo " * OpenLDAP: $ENABLED_OPENLDAP"
+echo " * hitch: $ENABLED_HITCH"
 echo " * ERROR_STRINGS: $ENABLED_ERROR_STRINGS"
 echo " * DTLS: $ENABLED_DTLS"
 echo " * DTLS v1.3: $ENABLED_DTLS13"

src/bio.c

@@ -1155,6 +1155,32 @@ long wolfSSL_BIO_get_mem_ptr(WOLFSSL_BIO *bio, WOLFSSL_BUF_MEM **ptr)
  return ret;
 }
 
+#ifdef OPENSSL_ALL
+ int wolfSSL_BIO_set_mem_buf(WOLFSSL_BIO* bio, WOLFSSL_BUF_MEM* bufMem,
+ int closeFlag)
+ {
+ if (!bio || !bufMem ||
+ (closeFlag != BIO_NOCLOSE && closeFlag != BIO_CLOSE))
+ return BAD_FUNC_ARG;
+
+ if (bio->mem_buf)
+ if (closeFlag == BIO_CLOSE)
+ wolfSSL_BUF_MEM_free(bio->mem_buf);
+
+ bio->mem_buf = bufMem;
+ bio->shutdown = closeFlag;
+
+ bio->wrSz = (int)bio->mem_buf->length;
+ bio->wrSzReset = bio->wrSz;
+ bio->num = (int)bio->mem_buf->max;
+ bio->ptr = bio->mem_buf->data;
+ bio->wrIdx = 0;
+ bio->rdIdx = 0;
+
+ return WOLFSSL_SUCCESS;
+ }
+#endif
+
 WOLFSSL_API long wolfSSL_BIO_int_ctrl(WOLFSSL_BIO *bp, int cmd, long larg, int iarg)
 {
  (void) bp;
@@ -2334,14 +2360,13 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio)
  return WOLFSSL_SUCCESS;
  }
 
- WOLFSSL_BIO* wolfSSL_BIO_new_ssl_connect(WOLFSSL_CTX* ctx)
+ WOLFSSL_BIO* wolfSSL_BIO_new_ssl(WOLFSSL_CTX* ctx, int client)
  {
  WOLFSSL* ssl = NULL;
  WOLFSSL_BIO* sslBio = NULL;
- WOLFSSL_BIO* connBio = NULL;
  int err = 0;
 
- WOLFSSL_ENTER("wolfSSL_BIO_new_ssl_connect");
+ WOLFSSL_ENTER("wolfSSL_BIO_new_ssl");
 
  if (ctx == NULL) {
  WOLFSSL_MSG("ctx is NULL.");
@@ -2362,11 +2387,46 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio)
  err = 1;
  }
  }
+ if (err == 0) {
+ if (!client)
+ wolfSSL_set_accept_state(ssl);
+ else
+ wolfSSL_set_connect_state(ssl);
+ }
  if (err == 0 && wolfSSL_BIO_set_ssl(sslBio, ssl, BIO_CLOSE) !=
  WOLFSSL_SUCCESS) {
  WOLFSSL_MSG("Failed to set SSL pointer in BIO.");
  err = 1;
  }
+
+ if (err) {
+ wolfSSL_free(ssl);
+ wolfSSL_BIO_free(sslBio);
+ }
+
+ return sslBio;
+ }
+
+ WOLFSSL_BIO* wolfSSL_BIO_new_ssl_connect(WOLFSSL_CTX* ctx)
+ {
+ WOLFSSL_BIO* sslBio = NULL;
+ WOLFSSL_BIO* connBio = NULL;
+ int err = 0;
+
+ WOLFSSL_ENTER("wolfSSL_BIO_new_ssl_connect");
+
+ if (ctx == NULL) {
+ WOLFSSL_MSG("ctx is NULL.");
+ err = 1;
+ }
+
+ if (err == 0) {
+ sslBio = wolfSSL_BIO_new_ssl(ctx, 1);
+ if (sslBio == NULL) {
+ WOLFSSL_MSG("Failed to create SSL BIO.");
+ err = 1;
+ }
+ }
  if (err == 0) {
  connBio = wolfSSL_BIO_new(wolfSSL_BIO_s_socket());
  if (connBio == NULL) {
@@ -2379,7 +2439,6 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio)
  }
 
  if (err == 1) {
- wolfSSL_free(ssl);
  wolfSSL_BIO_free(sslBio);
  sslBio = NULL;
  wolfSSL_BIO_free(connBio);
@@ -3219,6 +3278,26 @@ int wolfSSL_BIO_should_retry(WOLFSSL_BIO *bio)
  return ret;
 }
 
+int wolfSSL_BIO_should_read(WOLFSSL_BIO *bio)
+{
+ int ret = 0;
+ if (bio != NULL) {
+ ret = (int)(bio->flags & WOLFSSL_BIO_FLAG_READ);
+ }
+
+ return ret;
+}
+
+int wolfSSL_BIO_should_write(WOLFSSL_BIO *bio)
+{
+ int ret = 0;
+ if (bio != NULL) {
+ ret = (int)(bio->flags & WOLFSSL_BIO_FLAG_WRITE);
+ }
+
+ return ret;
+}
+
 #endif /* OPENSSL_ALL */
 
 #endif /* WOLFSSL_BIO_INCLUDED */