Merge pull request #22 from crocs-muni/fix/libressl-build

Try to fix LibreSSL build.

.github/workflows/build.yml

@@ -91,12 +91,15 @@ jobs:
         java: [ "11", "17", "21" ]
     env:
       # ffs: https://github.com/adoptium/adoptium-support/issues/485 !!!
-      LD_LIBRARY_PATH: "/usr/lib/x86_64-linux-gnu/"
+      # also, add the wolfcrypt JNI path
+      LD_LIBRARY_PATH: "/usr/lib/x86_64-linux-gnu/:${{github.workspace}}/ext/wolfcrypt-jni/lib/"
     name: Build standalone on Java ${{ matrix.java }}
     steps:
       - uses: actions/checkout@v4
         with:
           submodules: recursive
+          fetch-tags: true
+          fetch-depth: -1
 
       - name: Set up JDK
         uses: actions/setup-java@v4
@@ -110,22 +113,24 @@ jobs:
       - name: Setup libraries
         run: |
           sudo apt update
-          sudo apt install libmbedtls-dev libtomcrypt-dev libtommath-dev libssl-dev libcrypto++-dev libgcrypt20-dev nettle-dev libbotan-2-dev libwolfssl-dev nasm
-          echo "BORINGSSL_VERSION=$(git submodule status ext/boringssl | cut -f2 -d' ')" >> $GITHUB_ENV
-          echo "LIBRESSL_VERSION=$(git submodule status ext/libressl | cut -f2 -d' ')" >> $GITHUB_ENV
-          echo "IPPCP_VERSION=$(git submodule status ext/ipp-crypto | cut -f2 -d' ')" >> $GITHUB_ENV
-          echo "WOLFCRYPT_VERSION=$(git submodule status ext/wolfcrypt-jni | cut -f2 -d' ')" >> $GITHUB_ENV
+          sudo apt install libtomcrypt-dev libtommath-dev libssl-dev libcrypto++-dev libgcrypt20-dev nettle-dev libbotan-2-dev libwolfssl-dev nasm
+          echo "BORINGSSL_VERSION=$(git submodule status ext/boringssl | cut -f2 -d' ' | cut -c1-10)" >> $GITHUB_ENV
+          echo "LIBRESSL_VERSION=$(git submodule status ext/libressl | cut -f2 -d' ' | cut -c1-10)" >> $GITHUB_ENV
+          echo "IPPCP_VERSION=$(git submodule status ext/ipp-crypto | cut -f2 -d' ' | cut -c1-10)" >> $GITHUB_ENV
+          echo "MBEDTLS_VERSION=$(git submodule status ext/mbedtls | cut -f2 -d' ' | cut -c1-10)" >> $GITHUB_ENV
+          echo "WOLFCRYPT_VERSION=$(git submodule status ext/wolfcrypt-jni | cut -f2 -d' ' | cut -c1-10)" >> $GITHUB_ENV
           echo "WOLFSSL_VERSION=$(dpkg -s libwolfssl-dev | grep 'Version' | cut -f2 -d' ')" >> $GITHUB_ENV
 
       - name: Cache libs
         uses: actions/cache@v4
         id: cache-libs
         with:
-          key: libs-${{ env.BORINGSSL_VERSION }}-${{ env.LIBRESSL_VERSION }}-${{ env.IPPCP_VERSION }}-${{ env.WOLFCRYPT_VERSION }}-${{ env.WOLFSSL_VERSION }}-${{ matrix.java }}
+          key: libs-${{ env.BORINGSSL_VERSION }}-${{ env.LIBRESSL_VERSION }}-${{ env.LIBRESSL_VERSION }}-${{ env.IPPCP_VERSION }}-${{ env.WOLFCRYPT_VERSION }}-${{ env.WOLFSSL_VERSION }}-${{ hashFiles('.github/workflows/build.yml') }}-${{ matrix.java }}
           path: |
-            ext/boringssl/build/crypto/libcrypto.so
-            ext/libressl/build/crypto/libcrypto.so
-            ext/ipp-crypto/build/.build/RELEASE/lib/libippcp.so
+            ext/boringssl/build/
+            ext/libressl/build/
+            ext/ipp-crypto/build/
+            ext/mbedtls/build/
             ext/wolfcrypt-jni/lib/wolfcrypt-jni.jar
             ext/wolfcrypt-jni/lib/libwolfcryptjni.so
 
@@ -158,6 +163,15 @@ jobs:
           wget -P junit/ https://repo1.maven.org/maven2/org/hamcrest/hamcrest-all/1.3/hamcrest-all-1.3.jar
           make -j4 -f makefile.linux
           env JUNIT_HOME=junit/ ant build-jce-release
+          cd ../..
+          # ------------ Build mbedTLS ------------
+          cd ext/mbedtls
+          python -m venv virt
+          . virt/bin/activate
+          pip install -r scripts/basic.requirements.txt
+          cmake -DUSE_SHARED_MBEDTLS_LIBRARY=On -Bbuild -G "Unix Makefiles"
+          cd build
+          make -j4
           cd ../../..
 
       - name: Build standalone

.gitmodules

@@ -19,3 +19,6 @@
 [submodule "ext/wolfcrypt-jni"]
 	path = ext/wolfcrypt-jni
 	url = https://github.com/wolfSSL/wolfcrypt-jni
+[submodule "ext/mbedtls"]
+	path = ext/mbedtls
+	url = https://github.com/Mbed-TLS/mbedtls.git

applet/build.gradle.kts

@@ -48,7 +48,11 @@ dependencies {
     // Include plugin as it has bundled GP & other tools.
     // Alternative: include GP manually, but the included
     // version has to be compatible with the plugin.
-    runtimeOnly("com.klinec:gradle-javacard:1.8.0")
+    runtimeOnly("com.klinec:gradle-javacard:1.8.0") {
+        // Exclude old BouncyCastle (we have newer).
+        exclude(group = "org.bouncycastle", module="bcpkix-jdk15on")
+    }
+    runtimeOnly("org.bouncycastle:bcpkix-jdk18on:1.77")
 }
 
 java {

docs/LIBS.md

@@ -108,11 +108,6 @@ ninja
     - Uses comb method for short Weierstrass curves, using (randomized) Jacobian coordinates.
     - <http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-dbl-1998-cmo-2>
     - Uses Montgomery ladder with xz coordinates for Montgomery curves.
- - [MatrixSSL](https://github.com/matrixssl/matrixssl)
-    - C
-    - Only supports prime field curves.
-    - Uses 4 bit sliding window.
-    - Uses projective coordinates.
  - [Intel Performance Primitives](https://software.intel.com/en-us/ipp-crypto-reference-2019)
     - C
     - Only supports prime field curves.

reader/build.gradle.kts

@@ -61,6 +61,6 @@ tasks.register<Jar>("uberJar") {
 
     dependsOn(configurations.runtimeClasspath)
     from({
-        configurations.runtimeClasspath.get().filter { it.name.endsWith("jar") }.map { zipTree(it).matching { exclude("META-INF/*.DSA", "META-INF/*.SF", "META-INF/*.RSA", "META-INF/versions/*/module-info.class") } }
+        configurations.runtimeClasspath.get().filter { it.name.endsWith("jar") }.map { zipTree(it).matching { exclude("META-INF/*.DSA", "META-INF/*.SF", "META-INF/*.RSA", "META-INF/versions/*/module-info.class", "apdu4j/*") } }
     })
 }

standalone/build.gradle.kts

@@ -82,6 +82,9 @@ tasks.register<Jar>("uberJar") {
 
     manifest {
         attributes["Main-Class"] = application.mainClass
+        if (JavaVersion.current() > JavaVersion.VERSION_1_8) {
+            attributes["Add-Exports"] = "jdk.crypto.ec/sun.security.ec"
+        }
     }
 
     dependsOn(configurations.runtimeClasspath)

standalone/src/main/java/cz/crcs/ectester/standalone/ECTesterStandalone.java

@@ -121,7 +121,6 @@ private void run(String[] args) {
                     WolfCryptLib.class,
                     MbedTLSLib.class,
                     IppcpLib.class,
-                    MatrixsslLib.class,
                     NettleLib.class,
                     LibresslLib.class};
             for (Class<?> c : libClasses) {

standalone/src/main/java/cz/crcs/ectester/standalone/libs/MbedTLSLib.java

@@ -9,7 +9,7 @@
 public class MbedTLSLib extends NativeECLibrary {
 
     public MbedTLSLib() {
-        super("mbedtls_provider", "mbedcrypto");
+        super("mbedtls_provider", "lib_mbedtls.so");
     }
 
     @Override

standalone/src/main/java/cz/crcs/ectester/standalone/libs/jni/NativeECPrivateKey.java

@@ -119,13 +119,6 @@ public Ippcp(byte[] keyData, ECParameterSpec params) {
         }
     }
 
-    @SuppressWarnings("serial")
-    public static class Matrixssl extends Raw {
-        public Matrixssl(byte[] keyData, ECParameterSpec params) {
-            super(keyData, params);
-        }
-    }
-
     @SuppressWarnings("serial")
     public static class Libressl extends Raw {
         public Libressl(byte[] keyData, ECParameterSpec params) {

standalone/src/main/java/cz/crcs/ectester/standalone/libs/jni/NativeECPublicKey.java

@@ -120,13 +120,6 @@ public Ippcp(byte[] keyData, ECParameterSpec params) {
         }
     }
 
-    @SuppressWarnings("serial")
-    public static class Matrixssl extends ANSIX962 {
-        public Matrixssl(byte[] keyData, ECParameterSpec params) {
-            super(keyData, params);
-        }
-    }
-
     @SuppressWarnings("serial")
     public static class Libressl extends ANSIX962 {
         public Libressl(byte[] keyData, ECParameterSpec params) {

standalone/src/main/java/cz/crcs/ectester/standalone/libs/jni/NativeKeyAgreementSpi.java

@@ -354,26 +354,6 @@ public IppcpECDH() {
         }
     }
 
-    public abstract static class Matrixssl extends SimpleKeyAgreementSpi {
-        private final String type;
-
-        public Matrixssl(String type) {
-            this.type = type;
-        }
-
-        @Override
-        native byte[] generateSecret(byte[] pubkey, byte[] privkey, ECParameterSpec params);
-
-        @Override
-        native SecretKey generateSecret(byte[] pubkey, byte[] privkey, ECParameterSpec params, String algorithm);
-    }
-
-    public static class MatrixsslECDH extends Matrixssl {
-        public MatrixsslECDH() {
-            super("ECDH");
-        }
-    }
-
     public abstract static class Libressl extends SimpleKeyAgreementSpi {
         private final String type;
 

standalone/src/main/java/cz/crcs/ectester/standalone/libs/jni/NativeKeyPairGeneratorSpi.java

@@ -293,25 +293,6 @@ public Ippcp() {
         @Override
         native KeyPair generate(AlgorithmParameterSpec params, SecureRandom random);
     }
-
-    public static class Matrixssl extends NativeKeyPairGeneratorSpi {
-
-        public Matrixssl() {
-            initialize(256, new SecureRandom());
-        }
-
-        @Override
-        native boolean keysizeSupported(int keysize);
-
-        @Override
-        native boolean paramsSupported(AlgorithmParameterSpec params);
-
-        @Override
-        native KeyPair generate(int keysize, SecureRandom random);
-
-        @Override
-        native KeyPair generate(AlgorithmParameterSpec params, SecureRandom random);
-    }
 
     public static class Libressl extends NativeKeyPairGeneratorSpi {
 

standalone/src/main/java/cz/crcs/ectester/standalone/libs/jni/NativeProvider.java

@@ -124,17 +124,6 @@ public Ippcp(String name, double version, String info) {
         native void setup();
     }
 
-    @SuppressWarnings("serial")
-    public static class Matrixssl extends NativeProvider {
-
-        public Matrixssl(String name, double version, String info) {
-            super(name, version, info);
-        }
-
-        @Override
-        native void setup();
-    }
-
     @SuppressWarnings("serial")
     public static class Libressl extends NativeProvider {
 

standalone/src/main/java/cz/crcs/ectester/standalone/libs/jni/NativeSignatureSpi.java

@@ -505,27 +505,6 @@ public LibresslECDSAwithNONE() {
         }
     }
 
-    public abstract static class Matrixssl extends SimpleSignatureSpi {
-        private final String type;
-
-        public Matrixssl(String type) {
-            this.type = type;
-        }
-
-        @Override
-        native byte[] sign(byte[] data, byte[] privkey, ECParameterSpec params);
-
-        @Override
-        native boolean verify(byte[] signature, byte[] data, byte[] pubkey, ECParameterSpec params);
-    }
-
-    public static class MatrixsslECDSAwithNONE extends Matrixssl {
-
-        public MatrixsslECDSAwithNONE() {
-            super("NONEwithECDSA");
-        }
-    }
-
     public abstract static class Mscng extends ExtendedSignatureSpi {
         private final String type;
 

standalone/src/main/resources/cz/crcs/ectester/standalone/libs/jni/.gitignore

@@ -1,6 +1,3 @@
-libcore_s.a
-libcrypt_s.a
-matrixssl/
 *.o
 *.so
 

standalone/src/main/resources/cz/crcs/ectester/standalone/libs/jni/Makefile

@@ -5,8 +5,8 @@ CC?=gcc
 CXX?=g++
 
 LFLAGS+=-fPIC -shared
-CFLAGS+=-fPIC -I"$(JNI_INCLUDEDIR)" -I"$(JNI_PLATFORMINCLUDEDIR)" -I.
-CXXFLAGS+=-fPIC -I"$(JNI_INCLUDEDIR)" -I"$(JNI_PLATFORMINCLUDEDIR)" -I.
+CFLAGS+=-fPIC -I"$(JNI_INCLUDEDIR)" -I"$(JNI_PLATFORMINCLUDEDIR)" -I. -Wno-deprecated-declarations
+CXXFLAGS+=-fPIC -I"$(JNI_INCLUDEDIR)" -I"$(JNI_PLATFORMINCLUDEDIR)" -I. -Wno-deprecated-declarations
 
 DEBUG ?= 0
 PROJECT_ROOT_PATH ?= ../../../../../../../../../..
@@ -59,7 +59,7 @@ JNI_PLATFORMINCLUDEDIR ?= $(JNI_INCLUDEDIR)/$(JNI_PLATFORM)
 ###############################################################################
 ## Targets.
 
-all: tomcrypt botan cryptopp openssl boringssl gcrypt mbedtls ippcp matrixssl nettle libressl
+all: tomcrypt botan cryptopp openssl boringssl gcrypt mbedtls ippcp nettle libressl
 
 # Common utils
 c_utils.o: c_utils.c
@@ -142,11 +142,14 @@ cryptopp.o: cryptopp.cpp
 # mbedTLS shim
 mbedtls: mbedtls_provider.so
 
-mbedtls_provider.so: mbedtls.o c_utils.o | lib_timing.so
-	$(CC) $(LFLAGS) -o $@ -Wl,-rpath,'$$ORIGIN/lib' $^ -L. -lmbedcrypto -l:lib_timing.so
+lib_mbedtls.so:
+	cp $(PROJECT_ROOT_PATH)/ext/mbedtls/build/library/libmbedcrypto.so lib_mbedtls.so
+
+mbedtls_provider.so: mbedtls.o c_utils.o | lib_timing.so lib_mbedtls.so
+	$(CC) $(LFLAGS) -o $@ -Wl,-rpath,'$$ORIGIN/lib' $^ -L. lib_mbedtls.so -l:lib_timing.so
 
 mbedtls.o: mbedtls.c
-	$(CC) $(CFLAGS) -c $<
+	$(CC) -I$(PROJECT_ROOT_PATH)/ext/mbedtls/build/include/ $(CFLAGS) -c $<
 
 
 # Intel Performance Primitives crypto shim
@@ -162,16 +165,6 @@ ippcp.o: ippcp.c
 	$(CC) -I$(PROJECT_ROOT_PATH)/ext/ipp-crypto/build/.build/RELEASE/include/ $(CFLAGS) -c $<
 
 
-# MatrixSSL shim
-matrixssl: matrixssl_provider.so
-
-matrixssl_provider.so: matrixssl.o c_utils.o | lib_timing.so
-	$(CC) $(LFLAGS) -o $@ -Wl,-rpath,'$$ORIGIN/lib' -L. $^ libcrypt_s.a libcore_s.a -l:lib_timing.so
-
-matrixssl.o: matrixssl.c
-	$(CC) $(CFLAGS) -Imatrixssl/ -c $<
-
-
 # Nettle shim
 nettle: nettle_provider.so
 
@@ -192,7 +185,7 @@ libressl_provider.so: libressl.o c_utils.o | lib_timing.so lib_libressl.so
 	$(CC) $(LFLAGS) -o $@ -Wl,-rpath,'$$ORIGIN/lib' $^ -L. lib_libressl.so -l:lib_timing.so
 
 libressl.o: libressl.c
-	$(CC) -I$(PROJECT_ROOT_PATH)/ext/libressl/include/ $(CFLAGS) -c $<
+	$(CC) -I$(PROJECT_ROOT_PATH)/ext/libressl/build/include/ $(CFLAGS) -c $<
 
 
 help:
@@ -206,7 +199,6 @@ help:
 	@echo "    - cryptopp"
 	@echo "    - mbedtls"
 	@echo "    - ippcp"
-	@echo "    - matrixssl"
 	@echo "    - nettle"
 	@echo "    - libressl"
 
@@ -215,4 +207,4 @@ clean:
 	rm -rf *.o
 	rm -rf *.so
 
-.PHONY: all help clean openssl boringssl gcrypt tomcrypt botan cryptopp mbedtls ippcp matrixssl nettle libressl
+.PHONY: all help clean openssl boringssl gcrypt tomcrypt botan cryptopp mbedtls ippcp nettle libressl

standalone/src/main/resources/cz/crcs/ectester/standalone/libs/jni/libressl.c

@@ -1,7 +1,6 @@
 #include "native.h"
 #include <string.h>
 
-#include <openssl/conf.h>
 #include <openssl/opensslv.h>
 #include <openssl/objects.h>
 #include <openssl/obj_mac.h>