Updates for OpenSSH 10.0p2

- random.c: use getrandom when available and fall back to direct file access
- openssh.yml: run more tests
- openssh.yml: add 10.0p2 and 9.9p2
- configure.ac: detect if `getrandom` is available on the system
- configure.ac: openssh requires WC_RNG_SEED_CB to always use `getrandom` so that the RNG doesn't get killed by SECCOMP

Author: julek-wolfssl

.github/workflows/openssh.yml

@@ -45,9 +45,31 @@ jobs:
       fail-fast: false
       matrix:
         include:
+          # A good way to measure how much each test takes is to create a bash script
+          # in the openssh root like this (make it executable):
+          # time-measure.sh
+          #   #!/bin/bash
+          #   /usr/bin/time -a -o /tmp/LTESTS-times.txt -f '%e %C' /usr/bin/bash "$@"
+          # And invoke the openssh tests like this:
+          #   rm -f /tmp/LTESTS-times.txt && \
+          #     make tests TEST_SHELL=$(pwd)/time-measure.sh SKIP_UNIT=yes && \
+          #     grep test-exec.sh /tmp/LTESTS-times.txt
           - git_ref: 'V_9_6_P1'
             osp_ver: '9.6'
-    name: ${{ matrix.ref }}
+            SKIP_LTESTS: >-
+              exit-status rekey multiplex cert-userkey forward-control integrity
+              channel-timeout connection-timeout
+          - git_ref: 'V_9_9_P2'
+            osp_ver: '9.9p2'
+            SKIP_LTESTS: >-
+              exit-status rekey multiplex cert-userkey forward-control integrity
+              channel-timeout connection-timeout
+          - git_ref: 'V_10_0_P2'
+            osp_ver: '10.0p2'
+            SKIP_LTESTS: >-
+              exit-status rekey multiplex forward-control channel-timeout
+              connection-timeout
+    name: ${{ matrix.osp_ver }}
     if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-22.04
     needs: build_wolfssl
@@ -80,5 +102,4 @@ jobs:
       - name: Run tests
         working-directory: ./openssh
         run: |
-          # Run all the tests except (t-exec) as it takes too long
-          make file-tests interop-tests extra-tests unit
+          make tests SKIP_LTESTS='${{ matrix.SKIP_LTESTS }}'

configure.ac

@@ -129,7 +129,7 @@ AC_CHECK_HEADER(assert.h, [AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSL_HAVE_ASSERT_H"],[
 # check if functions of interest are linkable, but also check if
 # they're declared by the expected headers, and if not, supersede the
 # unusable positive from AC_CHECK_FUNCS().
-AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday gmtime_r gmtime_s inet_ntoa memset socket strftime atexit isascii getpid])
+AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday gmtime_r gmtime_s inet_ntoa memset socket strftime atexit isascii getpid getrandom])
 AC_CHECK_DECLS([gethostbyname, getaddrinfo, gettimeofday, gmtime_r, gmtime_s, inet_ntoa, memset, socket, strftime, atexit, isascii, getpid], [], [
 if test "$(eval echo \$"$(eval 'echo ac_cv_func_${as_decl_name}')")" = "yes"
 then
@@ -2138,6 +2138,12 @@ AC_ARG_ENABLE([openssh],
     [ENABLED_OPENSSH=$enableval],
     [ENABLED_OPENSSH=no])
 
+if test "$ENABLED_OPENSSH" = "yes"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_OPENSSH -DHAVE_EX_DATA -DWOLFSSL_BASE16"
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ERROR_CODE_OPENSSL -DWC_RNG_SEED_CB"
+fi
+
 # OpenVPN compatibility Build
 AC_ARG_ENABLE([openvpn],
     [AS_HELP_STRING([--enable-openvpn],[Enable OpenVPN compatibility build (default: disabled)])],
@@ -2249,6 +2255,11 @@ AC_ARG_ENABLE([fortress],
     [ ENABLED_FORTRESS=no ]
     )
 
+if test "$ENABLED_OPENSSH" = "yes"
+then
+    ENABLED_FORTRESS="yes"
+fi
+
 # libwebsockets Support
 AC_ARG_ENABLE([libwebsockets],
     [AS_HELP_STRING([--enable-libwebsockets],[Enable libwebsockets (default: disabled)])],
@@ -2260,14 +2271,6 @@ then
     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LIBWEBSOCKETS -DHAVE_EX_DATA -DOPENSSL_NO_EC"
 fi
 
-
-if test "$ENABLED_OPENSSH" = "yes"
-then
-    ENABLED_FORTRESS="yes"
-    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_OPENSSH -DHAVE_EX_DATA -DWOLFSSL_BASE16"
-    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ERROR_CODE_OPENSSL"
-fi
-
 # net-snmp Build
 AC_ARG_ENABLE([net-snmp],
     [AS_HELP_STRING([--enable-net-snmp],[Enable net-snmp (default: disabled)])],

src/ssl.c

@@ -297,13 +297,19 @@ WC_RNG* wolfssl_make_rng(WC_RNG* rng, int* local);
 WC_RNG* wolfssl_make_rng(WC_RNG* rng, int* local)
 {
     WC_RNG* ret = NULL;
+#ifdef WOLFSSL_SMALL_STACK
+    int freeRng = 0;
+#endif
 
     /* Assume not local until one created. */
     *local = 0;
 
 #ifdef WOLFSSL_SMALL_STACK
     /* Allocate RNG object . */
-    rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG);
+    if (rng == NULL) {
+        rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG);
+        freeRng = 1;
+    }
 #endif
     /* Check we have a local RNG object and initialize. */
     if ((rng != NULL) && (wc_InitRng(rng) == 0)) {
@@ -317,11 +323,10 @@ WC_RNG* wolfssl_make_rng(WC_RNG* rng, int* local)
         ret = wolfssl_make_global_rng();
     }
 
-    if (ret != rng) {
 #ifdef WOLFSSL_SMALL_STACK
+    if (freeRng)
         XFREE(rng, NULL, DYNAMIC_TYPE_RNG);
 #endif
-    }
 
     return ret;
 }

wolfcrypt/src/random.c

@@ -147,12 +147,13 @@ This library contains implementation for the random number generator.
 #elif defined(WOLFSSL_IMXRT1170_CAAM)
 #elif defined(CY_USING_HAL) && defined(COMPONENT_WOLFSSL)
     #include "cyhal_trng.h" /* Infineon/Cypress HAL RNG implementation */
-#elif defined(WOLFSSL_GETRANDOM)
-    #include <errno.h>
-    #include <sys/random.h>
 #elif defined(WOLFSSL_MAX3266X) || defined(WOLFSSL_MAX3266X_OLD)
     #include "wolfssl/wolfcrypt/port/maxim/max3266x.h"
 #else
+    #if defined(WOLFSSL_GETRANDOM) || defined(HAVE_GETRANDOM)
+        #include <errno.h>
+        #include <sys/random.h>
+    #endif
     /* include headers that may be needed to get good seed */
     #include <fcntl.h>
     #ifndef EBSNET
@@ -3971,37 +3972,6 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
         return wc_MXC_TRNG_Random(output, sz);
     }
 
-#elif defined(WOLFSSL_GETRANDOM)
-
-    /* getrandom() was added to the Linux kernel in version 3.17.
-     * Added to glibc in version 2.25. */
-    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
-    {
-        int ret = 0;
-        (void)os;
-
-        while (sz) {
-            int len;
-
-            errno = 0;
-            len = (int)getrandom(output, sz, 0);
-            if (len == -1) {
-                if (errno == EINTR) {
-                    /* interrupted, call getrandom again */
-                    continue;
-                }
-                else {
-                    ret = READ_RAN_E;
-                }
-                break;
-            }
-
-            sz     -= len;
-            output += len;
-        }
-        return ret;
-    }
-
 #elif defined(CY_USING_HAL) && defined(COMPONENT_WOLFSSL)
 
     /* Infineon/Cypress HAL RNG implementation */
@@ -4137,6 +4107,43 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
         }
     #endif /* HAVE_INTEL_RDSEED || HAVE_AMD_RDSEED */
 
+    #if defined(WOLFSSL_GETRANDOM) || defined(HAVE_GETRANDOM)
+        {
+            word32 grSz = sz;
+            byte* grOutput = output;
+
+            while (grSz) {
+                int len;
+
+                errno = 0;
+                len = (int)getrandom(grOutput, grSz, 0);
+                if (len == -1) {
+                    if (errno == EINTR) {
+                        /* interrupted, call getrandom again */
+                        continue;
+                    }
+                    else {
+                        ret = READ_RAN_E;
+                    }
+                    break;
+                }
+
+                grSz     -= len;
+                grOutput += len;
+            }
+            if (ret == 0)
+                return ret;
+        #ifdef FORCE_FAILURE_GETRANDOM
+            /* don't fallback to /dev/urandom */
+            return ret;
+        #else
+            /* reset error and fallback to using /dev/urandom */
+            ret = 0;
+        #endif
+        }
+    #endif
+
+#ifndef NO_FILESYSTEM
     #ifndef NO_DEV_URANDOM /* way to disable use of /dev/urandom */
         os->fd = open("/dev/urandom", O_RDONLY);
         #if defined(DEBUG_WOLFSSL)
@@ -4176,6 +4183,9 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
             }
         }
         close(os->fd);
+#else
+        ret = NOT_COMPILED_IN;
+#endif /* NO_FILESYSTEM */
 
         return ret;
     }