diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 0000000..2bab9b6 --- /dev/null +++ b/.github/SECURITY.md @@ -0,0 +1,12 @@ +# Security Policy + +## Reporting a Vulnerability + +If you discover a vulnerability, please report it to support@wolfssl.com + + 1. Include a detailed description + 2. Include method to reproduce and/or method of discovery + 3. We will evaluate the report promptly and respond to you with findings. + 4. We will credit you with the report if you would like. + +**Please keep the vulnerability private** until a fix has been released. diff --git a/.github/workflows/arduino.yml b/.github/workflows/arduino.yml new file mode 100644 index 0000000..1f1b669 --- /dev/null +++ b/.github/workflows/arduino.yml @@ -0,0 +1,307 @@ +name: Arduino CI Build (4 of 4) Arduino-wolfSSL + +# +# Test local Arduino examples with LATEST github master branch wolfssl +# +# These 4 workflows across 3 repos are interdependent for the current $REPO_OWNER: +# +# Arduino CI Build 1: https://github.com/$REPO_OWNER/wolfssl # /.github/workflows/arduino.yml +# - Builds Arduino library from local clone of wolfssl master branch +# - Fetches examples from https://github.com/$REPO_OWNER/wolfssl-examples +# +# Arduino CI Build 2: https://github.com/$REPO_OWNER/wolfssl-examples # /.github/workflows/arduino-release.yml +# - Tests examples based on latest published release of Arduino library, NOT latest on wolfssl github. +# - Should be identical to Arduino CI Build 3 in every way but wolfssl install. +# - Copies only compile script from wolfssl-examples +# - Builds local examples +# - No other repos used +# +# Arduino CI Build 3: https://github.com/$REPO_OWNER/wolfssl-examples # /.github/workflows/arduino.yml +# - Fetches current wolfSSL from https://github.com/$REPO_OWNER/wolfssl +# - Creates an updated Arduino library +# - Compiles local examples +# - Contains the source of `compile-all-examples.sh` and respective board-list.txt +# +# THIS Arduino CI Build 4: https://github.com/$REPO_OWNER/Arduino-wolfssl # /.github/workflows/arduino.yml +# - Assembles and installs an updated Arduino wolfssl library from LOCAL Arduino-wolfSSL repo master (main) source +# - Copies only compile script and board list from wolfssl-examples (no examples copied) +# - Builds local examples +# - No other repos used +# +# +# ** NOTE TO MAINTAINERS ** +# +# Consider using winmerge or similar tool to keep the 4 arduino[-release].yml files in relative sync. +# Although there are some specific differences, most of the contents are otherwise identical. +# +# See https://github.com/wolfSSL/Arduino-wolfSSL +# +# To test locally: +# cd [your WOLFSSL_ROOT], e.g. cd /mnt/c/workspace/wolfssl-$USER +# [optional checkout] e.g. git checkout tags/v5.8.2-stable +# pushd ./IDE/ARDUINO +# export ARDUINO_ROOT="$HOME/Arduino/libraries" +# ./wolfssl-arduino.sh INSTALL +# cd [your WOLFSSL_EXAMPLES_ROOT] e.g. /mnt/c/workspace/wolfssl-examples-$USER +# + +# START OF COMMON SECTION +on: + push: + branches: [ '**', 'master', 'main', 'release/**' ] + + pull_request: + branches: [ '**' ] + + workflow_dispatch: + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true +# END OF COMMON SECTION + +jobs: + build: + # if: github.repository_owner == 'wolfssl' + runs-on: ubuntu-latest + env: + REPO_OWNER: ${{ github.repository_owner }} + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Install Arduino CLI + run: | + # Script to fetch and run install.sh from arduino/arduino-cli + + # The install script will test to see if the recently installed apps in in the path + # So set it up in advance: + mkdir -p "${PWD}/bin" + echo "${PWD}/bin" >> $GITHUB_PATH + + # Sets the install directory to a consistent path at the repo root. + ROOT_BIN="$GITHUB_WORKSPACE/bin" + + # Ensures that BINDIR exists before the installer runs + mkdir -p "$ROOT_BIN" + + # Save as a lobal environment variable + echo "$ROOT_BIN" >> "$GITHUB_PATH" + + # Download and run install script from Arduino: + # -S show errors; -L follow redirects; -v Verbose + set +e # don't abort on error + set -o pipefail + + curl -vSL --retry 5 --retry-delay 10 \ + https://raw.githubusercontent.com/arduino/arduino-cli/master/install.sh \ + | sh -x + rc=$? + c_rc=${PIPESTATUS[0]} # curl's exit code + s_rc=${PIPESTATUS[1]} # sh's exit code + + set -e # restore default abort-on-error + + # If there was a curl error, we have our own local copy that is more reliable and can add our own debugging + if [ "$rc" -ne 0 ]; then + echo "Primary install failed: curl=$c_rc, sh=$s_rc. Falling back..." >&2 + echo "Using local copy of arduino_install.sh" + pushd ./Arduino/sketches + chmod +x ./arduino_install.sh + + # Mimic curl install, does not use current directory: + BINDIR="$ROOT_BIN" sh -x ./arduino_install.sh + popd + else + echo "Alternative install script not needed." + fi + + - name: Confirm Arduino CLI install + run: arduino-cli version + + - name: Setup Arduino CLI + run: | + arduino-cli config init + arduino-cli core update-index + arduino-cli config add board_manager.additional_urls https://www.pjrc.com/teensy/package_teensy_index.json + arduino-cli core update-index + arduino-cli config add board_manager.additional_urls https://arduino.esp8266.com/stable/package_esp8266com_index.json + arduino-cli core update-index + arduino-cli core install esp32:esp32 # ESP32 + arduino-cli core install arduino:avr # Arduino Uno, Mega, Nano + arduino-cli core install arduino:sam # Arduino Due + arduino-cli core install arduino:samd # Arduino Zero + arduino-cli core install teensy:avr # PJRC Teensy + arduino-cli core install esp8266:esp8266 # ESP8266 + arduino-cli core install arduino:mbed_nano # nanorp2040connect + arduino-cli core install arduino:mbed_portenta # portenta_h7_m7 + arduino-cli core install arduino:mbed_edge + # sudo "/home/$USER/.arduino15/packages/arduino/hardware/mbed_nano/4.2.4/post_install.sh" + arduino-cli core install arduino:renesas_uno + arduino-cli lib install "ArduinoJson" # Example dependency + arduino-cli lib install "WiFiNINA" # ARDUINO_SAMD_NANO_33_IOT + arduino-cli lib install "Ethernet" # Install Ethernet library + arduino-cli lib install "Bridge" # Pseudo-network for things like arduino:samd:tian + + - name: Set job environment variables + run: | + # Script to assign some common environment variables after everything is installed + + ICON_OK=$(printf "\xE2\x9C\x85") + ICON_FAIL=$(printf "\xE2\x9D\x8C") + + echo "GITHUB_WORK=$(realpath "$GITHUB_WORKSPACE/../..")" >> "$GITHUB_ENV" + echo "ARDUINO_ROOT=$(realpath "$HOME/Arduino/libraries")" >> "$GITHUB_ENV" + + # Show predefined summary: + echo "GITHUB_WORKSPACE = $GITHUB_WORKSPACE" + + # Show assigned build:env values (e.g. "wolfssl", "gojimmpi" or other owners): + echo "REPO_OWNER = $REPO_OWNER" + + echo "GITHUB_ENV=$GITHUB_ENV" + + # Show our custom values: + echo "GITHUB_WORK = $GITHUB_WORK" + echo "ARDUINO_ROOT = $ARDUINO_ROOT" + + # WOLFSSL_EXAMPLES_ROOT is the report root, not example location + # echo "WOLFSSL_EXAMPLES_ROOT = $WOLFSSL_EXAMPLES_ROOT" + + # - name: Show wolfssl-examples + # (not used, as wolfssl source is already here in ARduino-wolfSSL) + + # end Show wolfssl-examples + + # - name: Shallow clone wolfssl + # (not used, as wolfssl source is already here in Arduino-wolfSSL) + # + + # ** END ** Set job environment variables + + - name: Get wolfssl-examples + run: | + # The wolfSSL examples should already be installed in this Arduino-wolfssl/examples directory + + echo "Current pwd for wolfssl-examples clone fetch: $(pwd)" + echo "Examples found:" + find ./examples -type f | sort + + # ** END ** Get wolfssl-examples + + - name: Install wolfSSL Arduino library + run: | + # Script for installing wolfssl from this Arduino-wolfssl library repository + # + # Steps are equivalent of: + # + # arduino-cli lib install "wolfSSL" + # + # But using the current repo as the source: + mkdir -p "$ARDUINO_ROOT/wolfssl" + + # Methods of installing Arduino library: + # 1) arduino-cli lib install "wolfSSL" + # 2) manual copy of files (typical of the Arduino-wolfssl repo) + # 3) run ./wolfssl-arduino.sh INSTALL (typical of the wolfssl repo) + + # Copy all file in current directory as root of the wolfssl library + echo "cp [root files] \"$ARDUINO_ROOT/wolfssl/src\"" + for f in ./*; do + if [ -f "$f" ]; then + cp "$f" "$ARDUINO_ROOT/wolfssl/" + fi + done + + # Only 2 directories are needed in the Arduino library: `src` and [optional] `examples`: + echo "cp -r \"./src\" \"$ARDUINO_ROOT/wolfssl/src\"" + cp -r ./src "$ARDUINO_ROOT/wolfssl/src" + + echo "cp -r \"./examples\" \"$ARDUINO_ROOT/wolfssl/examples\"" + cp -r ./examples "$ARDUINO_ROOT/wolfssl/examples" + + # ** END ** Install wolfSSL Arduino library + + - name: List installed Arduino libraries + run: arduino-cli lib list + + - name: Get compile-all-examples.sh + run: | + # Fetch compile script FROM THE CURRENT OWNER. + # This repo is Arduino-wolfssl; we'll fetch the script from the wolfssl-examples for the same repository owner. + echo "Respository owner: $REPO_OWNER" + echo "Current directory: $PWD" + echo "Current pwd for wolfssl-examples clone fetch: $PWD" + WOLFSSL_EXAMPLES_DIRECTORY="$ARDUINO_ROOT/wolfssl/examples" + echo "WOLFSSL_EXAMPLES_DIRECTORY=$WOLFSSL_EXAMPLES_DIRECTORY" + + # Fetch script and board list into WOLFSSL_EXAMPLES_DIRECTORY + # TODO edit PR branch path: + curl -L "https://raw.githubusercontent.com/$REPO_OWNER/wolfssl-examples/examples_dev/Arduino/sketches/board_list_v5.8.2.txt" -o "$WOLFSSL_EXAMPLES_DIRECTORY/board_list.txt" + + # Check if the first line is "404: Not Found" - which would indicate the curl path above is bad. + FILE="$WOLFSSL_EXAMPLES_DIRECTORY/board_list.txt" + + # Ensure the file exists + if [[ ! -f "$FILE" ]]; then + echo "File not found: $FILE" + exit 1 + fi + + # Check if the first line is "404: Not Found" + if [[ $(head -n 1 "$FILE") == "404: Not Found" ]]; then + echo "The first line is '404: Not Found'" + exit 1 + fi + + curl -L "https://raw.githubusercontent.com/$REPO_OWNER/wolfssl-examples/examples_dev/Arduino/sketches/compile-all-examples.sh" -o "$WOLFSSL_EXAMPLES_DIRECTORY/compile-all-examples.sh" + + # Check if the first line is "404: Not Found" - which would indicate the curl path above is bad. + FILE="$WOLFSSL_EXAMPLES_DIRECTORY/compile-all-examples.sh" + + # Ensure the file exists + if [[ ! -f "$FILE" ]]; then + echo "File not found: $FILE" + exit 1 + fi + + # Check if the first line is "404: Not Found" + if [[ $(head -n 1 "$FILE") == "404: Not Found" ]]; then + echo "The first line is '404: Not Found'" + exit 1 + fi + + pushd "$WOLFSSL_EXAMPLES_DIRECTORY" + echo "Current directory: $PWD" + + echo "Current directory $PWD" + echo "Contents:" + ls -al + find ./ -type f | sort + + # ensure we can execute the script here (permissions lost during curl fetch) + chmod +x ./compile-all-examples.sh + echo "Found compile script: $(ls -al ./compile-all-examples.sh)" + popd + + # ** END ** Get compile-all-examples.sh + + # This will fail with Arduino published wolfSSL v5.7.6 and older + # as the examples moved. See https://github.com/wolfSSL/wolfssl/pull/8514 + # + - name: Compile Arduino Sketches for Various Boards + run: | + # Call the compile-all-examples.sh script to compile all the examples for each of the fqbn names in the local copy of board_list.txt + + echo "Current directory: $PWD" + echo "ARDUINO_ROOT: $ARDUINO_ROOT" + WOLFSSL_EXAMPLES_DIRECTORY="$ARDUINO_ROOT/wolfssl/examples" + echo "WOLFSSL_EXAMPLES_DIRECTORY: $WOLFSSL_EXAMPLES_DIRECTORY" + + echo "Change directory to Arduino examples..." + pushd "$WOLFSSL_EXAMPLES_DIRECTORY" + echo "Current directory: $PWD" + echo "Calling ./compile-all-examples.sh" + bash ./compile-all-examples.sh + popd + # End Compile Arduino Sketches for Various Boards diff --git a/.gitignore b/.gitignore index 436e3ed..1c295c7 100644 --- a/.gitignore +++ b/.gitignore @@ -1,11 +1,12 @@ -################################################################################ -# This .gitignore file was automatically created by Microsoft(R) Visual Studio. -################################################################################ - -/.vs -/src/wolfcrypt/src/fips.c -/src/wolfcrypt/src/fips_test.c -/src/wolfcrypt/src/selftest.c -/src/wolfcrypt/src/wolfcrypt_first.c -/src/wolfcrypt/src/wolfcrypt_last.c -/src/wolfssl/wolfcrypt/fips.h +################################################################################ +# This .gitignore file was automatically created by Microsoft(R) Visual Studio. +################################################################################ + +/.vs +/src/wolfcrypt/src/fips.c +/src/wolfcrypt/src/fips_test.c +/src/wolfcrypt/src/selftest.c +/src/wolfcrypt/src/wolfcrypt_first.c +/src/wolfcrypt/src/wolfcrypt_last.c +/src/wolfssl/wolfcrypt/fips.h +/**/*.bak