XMLSec1 testing (#76)

* - add lenient DER parser for ECDSA signatures when we fail with -171, so
  that we extract the r and s parameters, when the der is malformed when the integer
  values are raw bytes without proper sign-bit handling (those ders are
  used when signing/veriffing in the xmlsec1's testsuite);
- handle 0-byte cipher finalization in aes-cbc, we return -173 when data
  size = 0 when decrypting, this gets called by xmlsec1 to flush the
  buffer after decryption is done (not needed for wolfssl, but we return 0 in that case);

* - Added v1.21.4 to the wget workflow
- Added v2.6.7 to the openldap workflow

* Run wget-v1.21.4 and openldap-v2.6.7 on native ubuntu:24.04 instead of
debian:bookworm

* - extracted parsing of DER length into a separate function;
- removed accidental Tab in the wolfssl-gnutls-wrapper/src/cipher.c
  file;

* - Added proper configurations for versions in wget and openldap that are
being tested  on ubuntu 24.04.
- Wireshark workflow
- Removing master version testing from the libjcat workflow.
Uses post quantum by default, not currently supported by gnutls-wolfssl.

* xmlsec workflow

* - return statesments on new lines;
- return -1 on num_bytes = 0 (unsupported);

Author: gasbytes

.github/workflows/libjcat.yml

@@ -19,7 +19,7 @@ jobs:
     strategy:
       matrix:
         os: [ ubuntu-latest ]
-        libjcat_ref: [ 'master', '0.2.3', '0.2.0' ]
+        libjcat_ref: [ '0.2.3', '0.2.0' ]
       fail-fast: false
     runs-on: ${{ matrix.os }}
     container:

.github/workflows/openldap.yml

@@ -1,92 +1,151 @@
 name: OpenLDAP Test
-
 # START OF COMMON SECTION
 on:
   push:
     branches: [ 'master', 'main', 'release/**' ]
   pull_request:
     branches: [ '*' ]
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 # END OF COMMON SECTION
-
 jobs:
   build_gnutls:
     name: Build wolfSSL, GnuTLS and provider
     timeout-minutes: 30
     strategy:
       matrix:
-        os: [ ubuntu-latest ]
-        openldap_ref: [ 'master', 'OPENLDAP_REL_ENG_2_5_13', 'OPENLDAP_REL_ENG_2_6_9' ]
+        include:
+          - os: ubuntu-latest
+            openldap_ref: 'master'
+            use_container: true
+          - os: ubuntu-latest
+            openldap_ref: 'OPENLDAP_REL_ENG_2_5_13'
+            use_container: true
+          - os: ubuntu-24.04
+            openldap_ref: 'OPENLDAP_REL_ENG_2_6_7'
+            use_container: false
+          - os: ubuntu-latest
+            openldap_ref: 'OPENLDAP_REL_ENG_2_6_9'
+            use_container: true
       fail-fast: false
     runs-on: ${{ matrix.os }}
-    container:
-      image: debian:bookworm
-
+    container: ${{ matrix.use_container && 'debian:bookworm' || '' }}
     steps:
       - name: Checkout gnutls-wolfssl repository
         uses: actions/checkout@v4
-
-      - name: Ensure make available (Ubuntu only)
-        if: matrix.os == 'ubuntu-latest'
+      - name: Ensure make available
+        if: matrix.use_container == true
         run: |
           apt-get update
           apt-get install -y build-essential
-
-      - name: Install GnuTLS dependencies (Ubuntu only)
-        if: matrix.os == 'ubuntu-latest'
+      - name: Install GnuTLS dependencies
+        if: matrix.use_container == true
         run: |
           apt-get install -y gnulib autopoint gperf gtk-doc-tools nettle-dev clang \
             libtasn1-bin libtasn1-6-dev libunistring-dev libp11-kit-dev libunbound-dev sudo \
-            git wget
+            git wget automake libtool
 
-      - name: Install OpenLDAP dependencies (Ubuntu only)
-        if: matrix.os == 'ubuntu-latest'
+      - name: Install OpenLDAP dependencies
+        if: matrix.use_container == true
         run: |
           sudo apt-get install -y libsasl2-dev libsasl2-modules libsasl2-modules-gssapi-mit \
             libargon2-dev groff-base libltdl-dev
 
-      # ───────────── cache the wolfssl/gnutls tool-chain ─────────────
+      - name: Install dependencies on native Ubuntu
+        if: matrix.use_container == false
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential gnulib autopoint gperf gtk-doc-tools nettle-dev clang \
+            libtasn1-bin libtasn1-6-dev libunistring-dev libp11-kit-dev libunbound-dev \
+            git wget libsasl2-dev libsasl2-modules libsasl2-modules-gssapi-mit \
+            libargon2-dev groff-base libltdl-dev automake libtool
+
+      - name: Prepare cache directories (native runner)
+        if: matrix.use_container == false
+        run: |
+          sudo mkdir -p /opt/gnutls /opt/wolfssl /opt/wolfssl-gnutls-wrapper
+          sudo chown -R $USER:$USER /opt/gnutls /opt/wolfssl /opt/wolfssl-gnutls-wrapper
+
+     # ───────────── cache the wolfssl/gnutls tool-chain ─────────────
       - name: Restore cached gnutls-wolfssl
         id: cache-gnutls
         uses: actions/cache@v4
         with:
           path: |
-            /opt/gnutls
-            /opt/wolfssl
-            /opt/wolfssl-gnutls-wrapper
-          key: gnutls-wolfssl-${{ runner.os }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }}
+            ${{ matrix.use_container && '/opt/gnutls' || '~/cache/gnutls' }}
+            ${{ matrix.use_container && '/opt/wolfssl' || '~/cache/wolfssl' }}
+            ${{ matrix.use_container && '/opt/wolfssl-gnutls-wrapper' || '~/cache/wolfssl-gnutls-wrapper' }}
+          key: gnutls-wolfssl-${{ runner.os }}-${{ matrix.use_container }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }}
           restore-keys: |
-            gnutls-wolfssl-${{ runner.os }}-
+            gnutls-wolfssl-${{ runner.os }}-${{ matrix.use_container }}-
+
+      - name: Copy cache to /opt (native runner only)
+        if: matrix.use_container == false && steps.cache-gnutls.outputs.cache-hit == 'true'
+        run: |
+          sudo mkdir -p /opt
+          sudo cp -a ~/cache/gnutls /opt/
+          sudo cp -a ~/cache/wolfssl /opt/
+          sudo cp -a ~/cache/wolfssl-gnutls-wrapper /opt/
 
       - name: Build GnuTLS with wolfSSL provider using setup.sh script
         if: steps.cache-gnutls.outputs.cache-hit != 'true'
         run: |
           echo "Running setup.sh..."
           GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh
+          # For native runner: also save to cache location
+          if [[ "${{ matrix.use_container }}" == "false" ]]; then
+            mkdir -p ~/cache
+            sudo cp -a /opt/gnutls ~/cache/
+            sudo cp -a /opt/wolfssl ~/cache/
+            sudo cp -a /opt/wolfssl-gnutls-wrapper ~/cache/
+            sudo chown -R $(id -u):$(id -g) ~/cache
+          fi
 
       - name: Check setup.sh output directories
         run: |
           test -d /opt/wolfssl || { echo "/opt/wolfssl missing"; exit 1; }
           test -d /opt/gnutls || { echo "/opt/gnutls missing"; exit 1; }
           test -d /opt/wolfssl-gnutls-wrapper/lib || { echo "/opt/wolfssl-gnutls-wrapper/lib missing"; exit 1; }
-
       - name: Build OpenLDAP at ${{ matrix.openldap_ref }}
         run: |
           git clone https://git.openldap.org/openldap/openldap.git
           cd openldap
           if [ "${{ matrix.openldap_ref }}" != "master" ]; then
             git checkout ${{ matrix.openldap_ref }}
           fi
-
       - name: Configure OpenLDAP
         working-directory: openldap
         run: |
           export PKG_CONFIG_PATH=/opt/gnutls/lib/pkgconfig
           export CPPFLAGS=-I/opt/gnutls/include
           export LDFLAGS="-L/opt/gnutls/lib -Wl,-rpath,/opt/gnutls/lib"
+          if [[ "${{ matrix.openldap_ref }}" = "OPENLDAP_REL_ENG_2_6_7" ]]; then
+          ./configure \
+          ac_cv_func_memcmp_working=yes \
+          lt_cv_dlopen_self=yes \
+          --with-yielding-select=yes \
+          --enable-dynamic \
+          --enable-crypt \
+          --with-tls=gnutls \
+          --with-cyrus-sasl \
+          --enable-otp \
+          --with-argon2=libargon2 \
+          --enable-argon2 \
+          --enable-ppolicy \
+          --enable-remoteauth \
+          --prefix=/opt/openldap \
+          --enable-modules \
+          --enable-ipv6 \
+          --enable-asyncmeta=mod \
+          --enable-mdb=yes \
+          --enable-ldap=mod \
+          --enable-meta=mod \
+          --enable-null=mod \
+          --enable-passwd=mod \
+          --enable-proxycache=mod \
+          --enable-dnssrv=mod
+          else
           ./configure \
             --with-tls=gnutls \
             --with-cyrus-sasl \
@@ -97,13 +156,12 @@ jobs:
             --enable-remoteauth \
             --prefix=/opt/openldap \
             --enable-modules
-
+          fi
       - name: Build OpenLDAP
         working-directory: openldap
         run: |
           make depend
           make
-
       - name: Test OpenLDAP
         working-directory: openldap
         run: |

.github/workflows/wget.yml

@@ -18,53 +18,84 @@ jobs:
     timeout-minutes: 20
     strategy:
       matrix:
-        os: [ ubuntu-latest ]
-        wget_ref: [ 'master', 'v1.21.3', 'v1.24.5' ]
+        include:
+          - os: ubuntu-latest
+            wget_ref: 'master'
+            use_container: true
+          - os: ubuntu-latest
+            wget_ref: 'v1.21.3'
+            use_container: true
+          - os: ubuntu-24.04
+            wget_ref: 'v1.21.4'
+            use_container: false
+          - os: ubuntu-latest
+            wget_ref: 'v1.24.5'
+            use_container: true
       fail-fast: false
     runs-on: ${{ matrix.os }}
-    container:
-      image: debian:bookworm
+    container: ${{ matrix.use_container && 'debian:bookworm' || '' }}
 
     steps:
       - name: Checkout gnutls-wolfssl repository
         uses: actions/checkout@v4
 
-      - name: Ensure make available (Ubuntu only)
-        if: matrix.os == 'ubuntu-latest'
+      - name: Ensure make available
+        if: matrix.use_container == true
         run: |
           apt-get update
           apt-get install -y build-essential
-
-      - name: Install GnuTLS dependencies (Ubuntu only)
-        if: matrix.os == 'ubuntu-latest'
+      - name: Install GnuTLS dependencies
+        if: matrix.use_container == true
         run: |
           apt-get install -y gnulib autopoint gperf gtk-doc-tools nettle-dev clang \
             libtasn1-bin libtasn1-6-dev libunistring-dev libp11-kit-dev libunbound-dev \
             sudo wget git flex
-
-      - name: Install wget dependencies (Ubuntu only)
-        if: matrix.os == 'ubuntu-latest'
+      - name: Install wget dependencies
+        if: matrix.use_container == true
         run: |
           sudo apt-get install -y autoconf-archive libhttp-daemon-perl
+      - name: Install dependencies on native Ubuntu
+        if: matrix.use_container == false
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential gnulib autopoint gperf gtk-doc-tools nettle-dev clang \
+            libtasn1-bin libtasn1-6-dev libunistring-dev libp11-kit-dev libunbound-dev \
+            wget git flex autoconf-archive libhttp-daemon-perl
 
-      # ───────────── cache the wolfssl/gnutls tool-chain ─────────────
+     # ───────────── cache the wolfssl/gnutls tool-chain ─────────────
       - name: Restore cached gnutls-wolfssl
         id: cache-gnutls
         uses: actions/cache@v4
         with:
           path: |
-            /opt/gnutls
-            /opt/wolfssl
-            /opt/wolfssl-gnutls-wrapper
-          key: gnutls-wolfssl-${{ runner.os }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }}
+            ${{ matrix.use_container && '/opt/gnutls' || '~/cache/gnutls' }}
+            ${{ matrix.use_container && '/opt/wolfssl' || '~/cache/wolfssl' }}
+            ${{ matrix.use_container && '/opt/wolfssl-gnutls-wrapper' || '~/cache/wolfssl-gnutls-wrapper' }}
+          key: gnutls-wolfssl-${{ runner.os }}-${{ matrix.use_container }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }}
           restore-keys: |
-            gnutls-wolfssl-${{ runner.os }}-
+            gnutls-wolfssl-${{ runner.os }}-${{ matrix.use_container }}-
+
+      - name: Copy cache to /opt (native runner only)
+        if: matrix.use_container == false && steps.cache-gnutls.outputs.cache-hit == 'true'
+        run: |
+          sudo mkdir -p /opt
+          sudo cp -a ~/cache/gnutls /opt/
+          sudo cp -a ~/cache/wolfssl /opt/
+          sudo cp -a ~/cache/wolfssl-gnutls-wrapper /opt/
 
       - name: Build GnuTLS with wolfSSL provider using setup.sh script
         if: steps.cache-gnutls.outputs.cache-hit != 'true'
         run: |
           echo "Running setup.sh..."
           GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh
+          # For native runner: also save to cache location
+          if [[ "${{ matrix.use_container }}" == "false" ]]; then
+            mkdir -p ~/cache
+            sudo cp -a /opt/gnutls ~/cache/
+            sudo cp -a /opt/wolfssl ~/cache/
+            sudo cp -a /opt/wolfssl-gnutls-wrapper ~/cache/
+            sudo chown -R $(id -u):$(id -g) ~/cache
+          fi
 
       - name: Check setup.sh output directories
         run: |
@@ -74,7 +105,6 @@ jobs:
           test -d /opt/gnutls || exit 1
           echo "Check for wrapper installation..."
           test -d /opt/wolfssl-gnutls-wrapper/lib || exit 1
-
       - name: Build wget at ${{ matrix.wget_ref }}
         uses: actions/checkout@v4
         with:
@@ -93,33 +123,39 @@ jobs:
           git clone https://github.com/coreutils/gnulib gnulib
           ./bootstrap
           autoreconf -fi
-          ./configure --with-ssl=gnutls --with-libgnutls-prefix=/opt/gnutls
-
+          if [[ "${{ matrix.wget_ref }}" = "v1.21.4" ]]; then
+            ./configure --with-ssl=gnutls --with-libgnutls-prefix=/opt/gnutls \
+            --without-libssl-prefix \
+            --disable-rpath \
+            --with-ssl=gnutls \
+            --enable-pcre \
+            --with-zlib \
+            --enable-ipv6
+          else
+            ./configure --with-ssl=gnutls --with-libgnutls-prefix=/opt/gnutls
+          fi
       - name: Make wget
         working-directory: wget
         run: |
           make -j $(nproc)
-
       # Get python 3.11 for old versions of wget
       - name: Install pyenv dependencies
-        if: matrix.wget_ref == 'v1.21.3'
+        if: matrix.wget_ref == 'v1.21.3' || matrix.wget_ref == 'v1.21.4'
         run: |
           sudo apt-get update
           sudo apt-get install -y make build-essential libssl-dev zlib1g-dev \
             libbz2-dev libreadline-dev libsqlite3-dev wget curl llvm \
             libncursesw5-dev xz-utils tk-dev libxml2-dev libxmlsec1-dev \
             libffi-dev liblzma-dev
-
       - name: Install pyenv
-        if: matrix.wget_ref == 'v1.21.3'
+        if: matrix.wget_ref == 'v1.21.3' || matrix.wget_ref == 'v1.21.4'
         run: |
           curl https://pyenv.run | bash
-
       - name: Test wget
         working-directory: wget
         run: |
           # If Python 3.11 needed, reinitialize pyenv
-          if [ "${{ matrix.wget_ref }}" = "v1.21.3" ]; then
+          if [[ "${{ matrix.wget_ref }}" = "v1.21.3" || "${{ matrix.wget_ref }}" = "v1.21.4" ]]; then
             export PYENV_ROOT="$HOME/.pyenv"
             export PATH="$PYENV_ROOT/bin:$PATH"
             eval "$(pyenv init --path)"
@@ -128,5 +164,10 @@ jobs:
             pyenv global 3.11.9
             python --version
           fi
+          # To make /opt/gnutls visible to the test binaries, LD_LIBRARY_PATH
+          # is needed since we disable rpath for v1.21.4.
+          if [[ "${{ matrix.wget_ref }}" = "v1.21.4" ]]; then
+          export LD_LIBRARY_PATH=/opt/gnutls/lib:/opt/wolfssl/lib:/opt/wolfssl-gnutls-wrapper/lib:$LD_LIBRARY_PATH
+          fi
           make check
           find . -name '*.log' | xargs grep wgw