diff --git a/.github/workflows/mosquitto.yml b/.github/workflows/mosquitto.yml
new file mode 100644
index 0000000000..a960dafbc1
--- /dev/null
+++ b/.github/workflows/mosquitto.yml
@@ -0,0 +1,83 @@
+name: mosquitto Tests
+
+# START OF COMMON SECTION
+on:
+ push:
+ branches: [ 'master', 'main', 'release/**' ]
+ pull_request:
+ branches: [ '*' ]
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+ build_wolfssl:
+ name: Build wolfSSL
+ # Just to keep it the same as the testing target
+ runs-on: ubuntu-latest
+ # This should be a safe limit for the tests to run.
+ timeout-minutes: 4
+ steps:
+ - name: Build wolfSSL
+ uses: wolfSSL/actions-build-autotools-project@v1
+ with:
+ path: wolfssl
+ configure: --enable-mosquitto CFLAGS="-DALLOW_INVALID_CERTSIGN"
+ install: true
+
+ - name: Upload built lib
+ uses: actions/upload-artifact@v4
+ with:
+ name: wolf-install-mosquitto
+ path: build-dir
+ retention-days: 5
+
+ mosquitto_check:
+ strategy:
+ fail-fast: false
+ matrix:
+ ref: [ 2.0.18 ]
+ name: ${{ matrix.ref }}
+ runs-on: ubuntu-latest
+ # This should be a safe limit for the tests to run.
+ timeout-minutes: 4
+ needs: build_wolfssl
+ steps:
+ - name: Download lib
+ uses: actions/download-artifact@v4
+ with:
+ name: wolf-install-mosquitto
+ path: build-dir
+
+ - name: Checkout OSP
+ uses: actions/checkout@v4
+ with:
+ repository: wolfssl/osp
+ path: osp
+
+ - name: Install dependencies
+ run: |
+ export DEBIAN_FRONTEND=noninteractive
+ sudo apt-get update
+ sudo apt-get install -y build-essential libev-dev libssl-dev automake python3-docutils libcunit1 libcunit1-doc libcunit1-dev pkg-config make
+ sudo pip install --upgrade psutil
+
+ - name: Checkout mosquitto
+ uses: actions/checkout@v4
+ with:
+ repository: eclipse/mosquitto
+ ref: v${{ matrix.ref }}
+ path: mosquitto
+
+ - name: Configure and build mosquitto
+ run: |
+ cd $GITHUB_WORKSPACE/mosquitto/
+ patch -p1 < $GITHUB_WORKSPACE/osp/mosquitto/${{ matrix.ref }}.patch
+ make WITH_TLS=wolfssl WITH_CJSON=no WITH_DOCS=no WOLFSSLDIR=$GITHUB_WORKSPACE/build-dir
+
+ - name: Run mosquitto tests
+ working-directory: 
./mosquitto + run: | + make WITH_TLS=wolfssl WITH_CJSON=no WITH_DOCS=no WOLFSSLDIR=$GITHUB_WORKSPACE/build-dir ptest \ No newline at end of file diff --git a/configure.ac b/configure.ac index 1d8eb993b2..b008ca1aab 100644 --- a/configure.ac +++ b/configure.ac @@ -1817,6 +1817,7 @@ AC_ARG_ENABLE([mcast], # OpenLDAP (--enable-openldap) # hitch (--enable-hitch) # memcached (--enable-memcached) +# Mosquitto (--enable-mosquitto) HAVE_MOSQUITTO # Bind DNS compatibility Build AC_ARG_ENABLE([bind], @@ -1880,12 +1881,25 @@ AC_ARG_ENABLE([openldap], [ ENABLED_OPENLDAP=no ] ) +# Mosquitto support +AC_ARG_ENABLE([mosquitto], + [AS_HELP_STRING([--enable-mosquitto],[Enable Mosquitto support (default: disabled)])], + [ ENABLED_MOSQUITTO=$enableval ], + [ ENABLED_MOSQUITTO=no ] + ) + +if test "x$ENABLED_MOSQUITTO" = "xyes" +then + AM_CFLAGS="$AM_CFLAGS -DHAVE_MOSQUITTO" +fi + # lighty Support AC_ARG_ENABLE([lighty], [AS_HELP_STRING([--enable-lighty],[Enable lighttpd/lighty (default: disabled)])], [ ENABLED_LIGHTY=$enableval ], [ ENABLED_LIGHTY=no ] ) + # rsyslog Support AC_ARG_ENABLE([rsyslog], [AS_HELP_STRING([--enable-rsyslog],[Enable rsyslog (default: disabled)])], @@ -2145,7 +2159,7 @@ if test "$ENABLED_LIBWEBSOCKETS" = "yes" || test "$ENABLED_OPENVPN" = "yes" || \ test "$ENABLED_OPENRESTY" = "yes" || test "$ENABLED_RSYSLOG" = "yes" || \ test "$ENABLED_KRB" = "yes" || test "$ENABLED_CHRONY" = "yes" || \ test "$ENABLED_FFMPEG" = "yes" || test "$ENABLED_STRONGSWAN" = "yes" || \ - test "$ENABLED_OPENLDAP" = "yes" || test "$ENABLED_HITCH" = "yes" + test "$ENABLED_OPENLDAP" = "yes" || test "x$ENABLED_MOSQUITTO" = "xyes" || test "$ENABLED_HITCH" = "yes" then ENABLED_OPENSSLALL="yes" fi 
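Review bot: The `configure: --enable-mosquitto CFLAGS="-DALLOW_INVALID_CERTSIGN"` step builds the library under test with a define that, judging by its name, relaxes certificate-signing validation, and nothing in the file says why; a comment above the step such as `# ALLOW_INVALID_CERTSIGN is needed only for the mosquitto test certificates; do not copy into a release build` would keep it from being cut-and-pasted into other workflows. The third-party actions are pinned to mutable tags (`@v1`, `@v4`) and the `wolfssl/osp` checkout has no `ref`, so the patch applied to mosquitto can change underneath this job; pinning both to commit SHAs makes the run reproducible and narrows the supply-chain exposure of the runner. `sudo pip install --upgrade psutil` is likewise unpinned. The indentation of this new file is collapsed in the patch as shown here, so the YAML nesting could not be checked.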
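Review bot: The term added in the @@ -2145 hunk, `test "x$ENABLED_MOSQUITTO" = "xyes"`, sits in a chain whose other terms use the unprefixed `test "$ENABLED_OPENLDAP" = "yes"` form, and the @@ -8947 hunk later in this file does the same; both forms behave identically here because `ENABLED_MOSQUITTO` is always initialised, but the new term should match its neighbours, e.g. `test "$ENABLED_MOSQUITTO" = "yes"`, rather than mixing styles within one condition. The extra blank line added before `# rsyslog Support` in the @@ -1880 hunk looks unintentional and could be dropped.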
@@ -3742,7 +3756,7 @@ AC_ARG_ENABLE([sessioncerts], if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_OPENVPN" = "xyes" || \ test "x$ENABLED_LIGHTY" = "xyes" || test "x$ENABLED_NETSNMP" = "xyes" || \ - test "x$ENABLED_STRONGSWAN" = "xyes" || test "x$ENABLED_HITCH" = "xyes" + test "x$ENABLED_STRONGSWAN" = "xyes" || test "x$ENABLED_HITCH" = "xyes" || test "x$ENABLED_MOSQUITTO" = "xyes" then ENABLED_SESSIONCERTS=yes fi @@ -4226,6 +4240,11 @@ AC_ARG_ENABLE([psk], [ ENABLED_PSK=no ] ) +if test "x$ENABLED_MOSQUITTO" = "xyes" +then + ENABLED_PSK=yes +fi + # Single PSK identity AC_ARG_ENABLE([psk-one-id], [AS_HELP_STRING([--enable-psk-one-id],[Enable PSK (default: disabled)])], @@ -5851,7 +5870,8 @@ fi # OCSP -if test "x$ENABLED_OPENSSLALL" = "xyes" || test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_LIGHTY" = "xyes" +if test "x$ENABLED_OPENSSLALL" = "xyes" || test "x$ENABLED_NGINX" = "xyes" || \ + test "x$ENABLED_LIGHTY" = "xyes" || test "x$ENABLED_MOSQUITTO" = "xyes" then test "$enable_ocsp" = "" && enable_ocsp=yes fi @@ -5883,7 +5903,9 @@ AC_ARG_ENABLE([ocspstapling], [ ENABLED_CERTIFICATE_STATUS_REQUEST=no ] ) -if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_WPAS" = "xyes" || test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_LIGHTY" = "xyes" +if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_WPAS" = "xyes" || \ + test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_LIGHTY" = "xyes" || \ + test "x$ENABLED_MOSQUITTO" = "xyes" then ENABLED_CERTIFICATE_STATUS_REQUEST="yes" fi 
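Review bot: The `ENABLED_PSK=yes` block added in the @@ -4226 hunk runs after `AC_ARG_ENABLE([psk])` and silently overrides an explicit `--disable-psk` whenever `--enable-mosquitto` is given, so a build that meant to leave PSK cipher suites out of the library gets them anyway with no message. If mosquitto genuinely needs PSK, make the conflict visible, e.g. `AS_IF([test "x$enable_psk" = "xno"], [AC_MSG_ERROR([--enable-mosquitto requires PSK support])])` before the assignment, or at least add a comment stating that the override is deliberate. The OCSP and CRL enables in the other hunks on this line follow the same silent-override pattern, though those mirror how the existing application targets are handled.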
@@ -5931,9 +5953,11 @@ AC_ARG_ENABLE([crl], [ ENABLED_CRL=no ] ) -if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_OPENVPN" = "xyes" || \ - test "x$ENABLED_WPAS" != "xno" || test "x$ENABLED_LIGHTY" = "xyes" || test "x$ENABLED_NETSNMP" = "xyes" || \ - test "x$ENABLED_KRB" = "xyes" || test "x$ENABLED_STRONGSWAN" = "xyes" +if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_HAPROXY" = "xyes" || \ + test "x$ENABLED_OPENVPN" = "xyes" || test "x$ENABLED_WPAS" != "xno" || \ + test "x$ENABLED_LIGHTY" = "xyes" || test "x$ENABLED_NETSNMP" = "xyes" || \ + test "x$ENABLED_KRB" = "xyes" || test "x$ENABLED_STRONGSWAN" = "xyes" || \ + test "x$ENABLED_MOSQUITTO" = "xyes" then ENABLED_CRL=yes fi @@ -8947,7 +8971,7 @@ if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_NGINX" = "yes" || \ test "$ENABLED_LIBWEBSOCKETS" = "yes" || \ test "x$ENABLED_LIGHTY" = "xyes" || test "$ENABLED_LIBSSH2" = "yes" || \ test "x$ENABLED_NTP" = "xyes" || test "$ENABLED_RSYSLOG" = "yes" || \ - test "$ENABLED_OPENLDAP" = "yes" || test "$ENABLED_HITCH" = "yes" + test "$ENABLED_OPENLDAP" = "yes" || test "$ENABLED_HITCH" = "yes" || test "x$ENABLED_MOSQUITTO" = "xyes" then ENABLED_OPENSSLEXTRA="yes" fi @@ -9139,6 +9163,8 @@ AS_IF([test "x$ENABLED_STRONGSWAN" = "xyes"], AS_IF([test "x$ENABLED_OPENLDAP" = "xyes"], [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SIGNER_DER_CERT"]) +AS_IF([test "x$ENABLED_MOSQUITTO" = "xyes"], [AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA"]) + if test "$ENABLED_ED25519_STREAM" != "no" && test "$ENABLED_SE050" != "yes" then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ED25519_STREAMING_VERIFY" @@ -10181,6 +10207,7 @@ echo " * strongSwan: $ENABLED_STRONGSWAN" echo " * OpenLDAP: $ENABLED_OPENLDAP" echo " * hitch: $ENABLED_HITCH" echo " * memcached: $ENABLED_MEMCACHED" +echo " * Mosquitto $ENABLED_MOSQUITTO" echo " * ERROR_STRINGS: $ENABLED_ERROR_STRINGS" echo " * DTLS: $ENABLED_DTLS" echo " * DTLS v1.3: $ENABLED_DTLS13" 
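Review bot: The summary line added in the @@ -10181 hunk, `echo "   * Mosquitto $ENABLED_MOSQUITTO"`, is missing the colon that every neighbouring entry carries (`* hitch:`, `* memcached:`), so the configure summary prints `Mosquitto no` instead of `Mosquitto: no`; change it to `echo "   * Mosquitto:           $ENABLED_MOSQUITTO"` with the padding matched to the lines above it. The `-DHAVE_EX_DATA` addition in the @@ -9139 hunk follows the existing `AS_IF` pattern and looks fine.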
diff --git a/src/ssl.c b/src/ssl.c index 9ba891d629..ec43da4200 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -23240,6 +23240,18 @@ int wolfSSL_CTX_set_ecdh_auto(WOLFSSL_CTX* ctx, int onoff) return WOLFSSL_SUCCESS; } +/* wolfSSL_CTX_set_dh_auto is provided as compatible API with + * SSL_CTX_set_dh_auto to enable auto dh selection functionality. + * Since this functionality is enabled by default in wolfSSL, + * this API exists as a stub. + */ +int wolfSSL_CTX_set_dh_auto(WOLFSSL_CTX* ctx, int onoff) +{ + (void)ctx; + (void)onoff; + return WOLFSSL_SUCCESS; +} + /** * set security level (wolfSSL doesn't support security level) * @param ctx a pointer to WOLFSSL_EVP_PKEY_CTX structure diff --git a/tests/api.c b/tests/api.c index eafa8bbcc1..7f615162dc 100644 --- a/tests/api.c +++ b/tests/api.c @@ -3709,6 +3709,7 @@ static int test_wolfSSL_CertManagerCRL(void) wolfSSL_CertManagerLoadCRL(cm, crl2, WOLFSSL_FILETYPE_PEM, 0)); wolfSSL_CertManagerFreeCRL(cm); +#ifndef WOLFSSL_CRL_ALLOW_MISSING_CDP ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CertManagerLoadCRL(cm, crl1, WOLFSSL_FILETYPE_PEM, 0)); ExpectIntEQ(WOLFSSL_SUCCESS, @@ -3717,6 +3718,7 @@ static int test_wolfSSL_CertManagerCRL(void) sizeof_server_cert_der_2048), CRL_MISSING); ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, server_cert_der_2048, sizeof_server_cert_der_2048, WOLFSSL_FILETYPE_ASN1), CRL_MISSING); +#endif /* !WOLFSSL_CRL_ALLOW_MISSING_CDP */ ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, crl_buff, sizeof(crl_buff), WOLFSSL_FILETYPE_ASN1), 1); 
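Review bot: `wolfSSL_CTX_set_dh_auto` returns `WOLFSSL_SUCCESS` for `onoff == 0` as well, so a compatibility caller that invokes `SSL_CTX_set_dh_auto(ctx, 0)` to turn automatic DH selection off receives a success code while nothing changes; the header comment should state that outright, e.g. `* onoff is ignored: automatic DH selection cannot be disabled through this API.`, so the behaviour is not later mistaken for a bug. Whether this definition sits under the same `OPENSSL_EXTRA` guard as the prototype added to wolfssl/ssl.h is not visible in the hunk; please confirm the two agree so the `SSL_CTX_set_dh_auto` macro in wolfssl/openssl/ssl.h never resolves to an undeclared function.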
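Review bot: Wrapping the `CRL_MISSING` assertions in `#ifndef WOLFSSL_CRL_ALLOW_MISSING_CDP` in the @@ -3709 and @@ -3717 hunks skips the check entirely in that configuration instead of pinning what the relaxed behaviour returns; an `#else` branch asserting the expected result of `wolfSSL_CertManagerVerifyBuffer` when the CRL is absent but allowed would keep the permissive path itself under test, which matters because that path is exactly where a regression would weaken revocation checking unnoticed. The same skip-only pattern appears in the other api.c hunks (@@ -48722, @@ -48748, @@ -66996, @@ -73682, @@ -73696, @@ -81299, @@ -81349). Nothing in the configure.ac hunks of this patch defines `WOLFSSL_CRL_ALLOW_MISSING_CDP`, so it is unclear which build exercises the new guards; a comment on the first `#ifndef` naming that build would help. `test_wolfSSL_CertManagerCRL` continues outside these hunks.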
@@ -48722,13 +48724,15 @@ static int test_wolfSSL_X509_STORE(void) #ifdef HAVE_CRL X509_STORE_CTX *storeCtx = NULL; - X509_CRL *crl = NULL; X509 *ca = NULL; X509 *cert = NULL; - const char crlPem[] = "./certs/crl/crl.revoked"; const char srvCert[] = "./certs/server-revoked-cert.pem"; const char caCert[] = "./certs/ca-cert.pem"; +#ifndef WOLFSSL_CRL_ALLOW_MISSING_CDP + X509_CRL *crl = NULL; + const char crlPem[] = "./certs/crl/crl.revoked"; XFILE fp = XBADFILE; +#endif /* !WOLFSSL_CRL_ALLOW_MISSING_CDP */ ExpectNotNull(store = (X509_STORE *)X509_STORE_new()); ExpectNotNull((ca = wolfSSL_X509_load_certificate_file(caCert, @@ -48748,6 +48752,7 @@ static int test_wolfSSL_X509_STORE(void) X509_free(ca); ca = NULL; +#ifndef WOLFSSL_CRL_ALLOW_MISSING_CDP /* should fail to verify now after adding in CRL */ ExpectNotNull(store = (X509_STORE *)X509_STORE_new()); ExpectNotNull((ca = wolfSSL_X509_load_certificate_file(caCert, @@ -48777,6 +48782,7 @@ static int test_wolfSSL_X509_STORE(void) cert = NULL; X509_free(ca); ca = NULL; +#endif /* !WOLFSSL_CRL_ALLOW_MISSING_CDP */ #endif /* HAVE_CRL */ @@ -66996,7 +67002,8 @@ static int test_wolfSSL_X509_load_crl_file(void) { EXPECT_DECLS; #if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && !defined(NO_FILESYSTEM) && \ - !defined(NO_STDIO_FILESYSTEM) && !defined(NO_RSA) && !defined(NO_BIO) + !defined(NO_STDIO_FILESYSTEM) && !defined(NO_RSA) && !defined(NO_BIO) && \ + !defined(WOLFSSL_CRL_ALLOW_MISSING_CDP) int i; char pem[][100] = { "./certs/crl/crl.pem", @@ -73682,7 +73689,8 @@ static int test_wolfSSL_CTX_LoadCRL(void) return EXPECT_RESULT(); } -#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && defined(HAVE_CRL) +#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && defined(HAVE_CRL) && \ + !defined(WOLFSSL_CRL_ALLOW_MISSING_CDP) static int test_multiple_crls_same_issuer_ctx_ready(WOLFSSL_CTX* ctx) { EXPECT_DECLS; 
@@ -73696,7 +73704,8 @@ static int test_multiple_crls_same_issuer_ctx_ready(WOLFSSL_CTX* ctx) static int test_multiple_crls_same_issuer(void) { EXPECT_DECLS; -#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && defined(HAVE_CRL) +#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && defined(HAVE_CRL) && \ + !defined(WOLFSSL_CRL_ALLOW_MISSING_CDP) test_ssl_cbf client_cbs, server_cbs; struct { const char* server_cert; @@ -81299,7 +81308,8 @@ static int test_certreq_sighash_algos(void) return EXPECT_RESULT(); } -#if defined(HAVE_CRL) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) +#if defined(HAVE_CRL) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + !defined(WOLFSSL_CRL_ALLOW_MISSING_CDP) static int test_revoked_loaded_int_cert_ctx_ready1(WOLFSSL_CTX* ctx) { EXPECT_DECLS; @@ -81349,7 +81359,8 @@ static int test_revoked_loaded_int_cert_ctx_ready2(WOLFSSL_CTX* ctx) static int test_revoked_loaded_int_cert(void) { EXPECT_DECLS; -#if defined(HAVE_CRL) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) +#if defined(HAVE_CRL) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + !defined(WOLFSSL_CRL_ALLOW_MISSING_CDP) test_ssl_cbf client_cbf; test_ssl_cbf server_cbf; struct { @@ -81389,7 +81400,6 @@ static int test_revoked_loaded_int_cert(void) break; printf("\t%s passed\n", test_params[i].certPemFile); } - #endif return EXPECT_RESULT(); } diff --git a/wolfssl/openssl/opensslv.h b/wolfssl/openssl/opensslv.h index f68b6cafb3..cca16fa8c3 100644 --- a/wolfssl/openssl/opensslv.h +++ b/wolfssl/openssl/opensslv.h 
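Review bot: The @@ -81389 hunk removes the `#endif` that follows the for-loop in `test_revoked_loaded_int_cert` without adding a replacement, while the @@ -81349 hunk still opens `#if defined(HAVE_CRL) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && !defined(WOLFSSL_CRL_ALLOW_MISSING_CDP)` at the top of the same function; unless another `#endif` exists in the lines between the two hunks (not visible here), the conditional is left unbalanced and the file will not preprocess. If the removed line was a stray duplicate, the commit message should say so; otherwise it should stay, written as `#endif` at column 0 to match the file's other preprocessor lines. The body of the function runs outside both hunks.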
@@ -35,24 +35,26 @@ defined(OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER == 0x10100000L) ||\ defined(OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER == 0x10001040L) /* valid version */ +#elif defined(HAVE_MOSQUITTO) + #define OPENSSL_VERSION_NUMBER 0x10100000L #elif defined(WOLFSSL_APACHE_HTTPD) || defined(HAVE_LIBEST) || \ defined(WOLFSSL_BIND) || defined(WOLFSSL_NGINX) || \ defined(WOLFSSL_RSYSLOG) || defined(WOLFSSL_KRB) || defined(HAVE_STUNNEL) || \ defined(WOLFSSL_OPENSSH) /* For Apache httpd, Use 1.1.0 compatibility */ - #define OPENSSL_VERSION_NUMBER 0x10100003L -#elif defined(WOLFSSL_QT) || defined(WOLFSSL_PYTHON) || defined(WOLFSSL_KRB) + #define OPENSSL_VERSION_NUMBER 0x10100003L +#elif defined(WOLFSSL_QT) || defined(WOLFSSL_PYTHON) /* For Qt and Python 3.8.5 compatibility */ - #define OPENSSL_VERSION_NUMBER 0x10101000L + #define OPENSSL_VERSION_NUMBER 0x10101000L #elif defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_FFMPEG) - #define OPENSSL_VERSION_NUMBER 0x1010000fL + #define OPENSSL_VERSION_NUMBER 0x1010000fL #elif defined(OPENSSL_ALL) || defined(HAVE_LIGHTY) || \ - defined(WOLFSSL_NGINX) || defined(WOLFSSL_OPENVPN) - /* version number can be increased for Lighty after compatibility for ECDH - is added */ - #define OPENSSL_VERSION_NUMBER 0x10001040L + defined(WOLFSSL_NGINX) || defined(WOLFSSL_OPENSSH) || defined(WOLFSSL_OPENVPN) + /* version number can be increased for Lighty after compatibility for ECDH + is added */ + #define OPENSSL_VERSION_NUMBER 0x10001040L #else - #define OPENSSL_VERSION_NUMBER 0x0090810fL + #define OPENSSL_VERSION_NUMBER 0x0090810fL #endif #define OPENSSL_VERSION_TEXT "wolfSSL " LIBWOLFSSL_VERSION_STRING diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 0fbf621b7d..a1c4b06e20 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h 
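Review bot: The `defined(WOLFSSL_OPENSSH)` term added to the `OPENSSL_ALL || HAVE_LIGHTY || ...` branch is unreachable: the earlier `#elif` (context lines in this hunk) already lists `WOLFSSL_OPENSSH` and selects `0x10100003L`, so the `0x10001040L` value can never apply to OpenSSH; either drop the addition or, if OpenSSH is meant to report 1.0.1, remove it from the earlier branch instead. Placing the new `HAVE_MOSQUITTO` branch ahead of every other target means it wins whenever Mosquitto is combined with another define, which is probably intended but deserves a one-line comment above it stating which version check in mosquitto the `0x10100000L` value satisfies — I am inferring that motive from the value, so word it to match the actual requirement. The re-indentation of the unchanged `#define` lines is whitespace-only noise that makes the real change harder to see.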
@@ -1209,7 +1209,6 @@ typedef WOLFSSL_SRTP_PROTECTION_PROFILE SRTP_PROTECTION_PROFILE; #define SSL_R_SHORT_READ 10 #define ERR_R_PEM_LIB 9 #define SSL_CTRL_MODE 33 - #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83 #define SSL_CTX_clear_chain_certs(ctx) SSL_CTX_set0_chain(ctx,NULL) @@ -1229,6 +1228,7 @@ typedef WOLFSSL_SRTP_PROTECTION_PROFILE SRTP_PROTECTION_PROFILE; (char *)(arg)) #endif /* OPENSSL_ALL || WOLFSSL_ASIO || WOLFSSL_HAPROXY */ +#define SSL_CTX_set_dh_auto wolfSSL_CTX_set_dh_auto #define SSL_CTX_set_tmp_dh wolfSSL_CTX_set_tmp_dh #define TLSEXT_STATUSTYPE_ocsp 1 diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 50d59a7f52..498de58320 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1143,6 +1143,7 @@ WOLFSSL_API int wolfSSL_CTX_up_ref(WOLFSSL_CTX* ctx); #ifdef OPENSSL_EXTRA WOLFSSL_API int wolfSSL_set_ecdh_auto(WOLFSSL* ssl, int onoff); WOLFSSL_API int wolfSSL_CTX_set_ecdh_auto(WOLFSSL_CTX* ctx, int onoff); +WOLFSSL_API int wolfSSL_CTX_set_dh_auto(WOLFSSL_CTX* ctx, int onoff); WOLFSSL_API int wolfSSL_get_signature_nid(WOLFSSL* ssl, int* nid); WOLFSSL_API int wolfSSL_get_signature_type_nid(const WOLFSSL* ssl, int* nid); WOLFSSL_API int wolfSSL_get_peer_signature_nid(WOLFSSL* ssl, int* nid);
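Review bot: The @@ -1209 hunk removes `#define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83` from the compatibility header with no replacement shown, so any application that passes that control value to `SSL_CTX_ctrl` would stop compiling against this header. If the line duplicates a definition elsewhere in the file, say so in the commit message; if not, it should stay. The new `SSL_CTX_set_dh_auto` mapping in the @@ -1229 hunk is placed next to `SSL_CTX_set_tmp_dh` outside any guard, which matches the prototype in wolfssl/ssl.h only when `OPENSSL_EXTRA` is defined, so a comment noting that dependency would help readers of the header.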