🔒 Update SSL libraries to latest versions (#235)

prince-chrismc · botovq · web-flow · commit c9a511f436ea · 2022-06-14T09:02:34.000-07:00
* Bump test SSL libraries * Fix copy paste error * fix bad spacing * Update README.md * bump again * remove libressl 3.5.3 * Update ssl.yml * put back 3.5.x for failing badge * Update action.yml * point URLs back to main since testing worked * Only publish badge on push leftover from me testing on my fork 25 days ago 😭 * Trying using 1.1 apis with libressl libressl/portable#764 (comment) Co-Authored-By: Theo Buehler <botovq@users.noreply.github.com> * Limit new APIs to required version limit change to older supported versions * Update tests for new libressl APIs Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
diff --git a/.github/actions/badge/action.yml b/.github/actions/badge/action.yml
@@ -5,7 +5,7 @@ inputs:
     description: The subfolder where to group the badges
     required: true
   label:
-    description: The label to you in the badge (this should be unqie for each badge in a category)
+    description: The label to you in the badge (this should be unique for each badge in a category)
     required: true
   github_token:
     description: The token to use to publish the changes
@@ -14,13 +14,12 @@ inputs:
 runs:
   using: composite
   steps:
-    - if: success()
+    - if: job.status == 'success'
       uses: ./.github/actions/badge/write
       with:
         category: ${{ inputs.category }}
         label: ${{ inputs.label }}
-    - if: |
-        !success()
+    - if: job.status == 'failure'
       uses: ./.github/actions/badge/write
       with:
         category: ${{ inputs.category }}
diff --git a/.github/workflows/ssl.yml b/.github/workflows/ssl.yml
@@ -12,8 +12,8 @@ jobs:
     strategy:
       matrix:
         openssl:
-          - { tag: "openssl-3.0.1", name: "3.0.1" }
-          - { tag: "OpenSSL_1_1_1m", name: "1.1.1m" }
+          - { tag: "openssl-3.0.3", name: "3.0.3" }
+          - { tag: "OpenSSL_1_1_1o", name: "1.1.1o" }
           - { tag: "OpenSSL_1_1_0i", name: "1.1.0i" } # Do not bump, there's a broken in the autoconfig script and it's not maintained
           - { tag: "OpenSSL_1_0_2u", name: "1.0.2u" }
           - { tag: "OpenSSL_1_0_1u", name: "1.0.1u" }
@@ -47,7 +47,7 @@ jobs:
       - uses: ./.github/actions/install/gtest
       - uses: ./.github/actions/install/openssl
         with:
-          version: "openssl-3.0.1"
+          version: "openssl-3.0.3"
 
       - name: configure
         run: cmake . -DJWT_BUILD_TESTS=ON -DOPENSSL_ROOT_DIR=/tmp -DCMAKE_CXX_FLAGS="-DOPENSSL_NO_DEPRECATED=1" -DCMAKE_C_FLAGS="-DOPENSSL_NO_DEPRECATED=1"
@@ -56,8 +56,9 @@ jobs:
   libressl:
     runs-on: ubuntu-latest
     strategy:
+      fail-fast: false
       matrix:
-        libressl: ["3.4.2", "3.3.5", "3.2.7"]
+        libressl: ["3.5.3", "3.4.3", "3.3.6"]
     name: LibreSSL ${{ matrix.libressl }}
     steps:
       - uses: actions/checkout@v2
@@ -84,8 +85,9 @@ jobs:
     strategy:
       matrix:
         wolfssl:
-          - { ref: "v5.0.0-stable", name: "5.0.0" }
           - { ref: "v5.1.1-stable", name: "5.1.1"}
+          - { ref: "v5.2.0-stable", name: "5.2.0" }
+          - { ref: "v5.3.0-stable", name: "5.3.0"}
     name: wolfSSL ${{ matrix.wolfssl.name }}
     steps:
       - uses: actions/checkout@v2
diff --git a/README.md b/README.md
@@ -40,22 +40,23 @@ In the name of flexibility and extensibility, jwt-cpp supports [OpenSSL](https:/
 
 | OpenSSL           | LibreSSL       | wolfSSL        |
 |-------------------|----------------|----------------|
-| ![1.0.2u][o1.0.2] | ![3.2.7][l3.2] | ![5.0.0][w5.0] |
-| ![1.1.0i][o1.1.0] | ![3.3.5][l3.3] | ![5.1.1][w5.1] |
-| ![1.1.1m][o1.1.1] | ![3.4.2][l3.4] |                |
-| ![3.0.1][o3.0]    |                |                |
+| ![1.0.2u][o1.0.2] | ![3.3.6][l3.3] | ![5.1.1][w5.1] |
+| ![1.1.0i][o1.1.0] | ![3.4.3][l3.4] | ![5.2.0][w5.2] |
+| ![1.1.1o][o1.1.1] | ![3.5.3][l3.5] | ![5.3.0][w5.3] |
+| ![3.0.3][o3.0]    |                |                |
 
 > ℹ️ Note: A complete list of versions tested in the past can be found [here](https://github.com/Thalhammer/jwt-cpp/tree/badges).
 
 [o1.0.2]: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/Thalhammer/jwt-cpp/badges/openssl/1.0.2u/shields.json
 [o1.1.0]: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/Thalhammer/jwt-cpp/badges/openssl/1.1.0i/shields.json
-[o1.1.1]: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/Thalhammer/jwt-cpp/badges/openssl/1.1.1m/shields.json
-[o3.0]: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/Thalhammer/jwt-cpp/badges/openssl/3.0.1/shields.json
-[l3.2]: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/Thalhammer/jwt-cpp/badges/libressl/3.2.7/shields.json
-[l3.3]: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/Thalhammer/jwt-cpp/badges/libressl/3.3.5/shields.json
-[l3.4]: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/Thalhammer/jwt-cpp/badges/libressl/3.4.2/shields.json
-[w5.0]: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/Thalhammer/jwt-cpp/badges/wolfssl/5.0.0/shields.json
+[o1.1.1]: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/Thalhammer/jwt-cpp/badges/openssl/1.1.1o/shields.json
+[o3.0]: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/Thalhammer/jwt-cpp/badges/openssl/3.0.3/shields.json
+[l3.3]: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/Thalhammer/jwt-cpp/badges/libressl/3.3.6/shields.json
+[l3.4]: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/Thalhammer/jwt-cpp/badges/libressl/3.4.3/shields.json
+[l3.5]: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/Thalhammer/jwt-cpp/badges/libressl/3.5.3/shields.json
 [w5.1]: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/Thalhammer/jwt-cpp/badges/wolfssl/5.1.1/shields.json
+[w5.2]: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/Thalhammer/jwt-cpp/badges/wolfssl/5.2.0/shields.json
+[w5.3]: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/Thalhammer/jwt-cpp/badges/wolfssl/5.3.0/shields.json
 
 ## Overview
 
@@ -79,7 +80,7 @@ For your convience there are serval traits implementation which provide some pop
 [jsoncons]: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/Thalhammer/jwt-cpp/badges/traits/danielaparker-jsoncons/shields.json
 [boostjson]: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/Thalhammer/jwt-cpp/badges/traits/boost-json/shields.json
 
-In order to maintain compatibility, [picojson](https://github.com/kazuho/picojson) is still used to provide a specialized `jwt::claim` along with all helpers. Defining `JWT_DISABLE_PICOJSON` will remove this optional dependency. It's possible to directly include the traits defaults for the other JSON libraries. See the [traits examples](https://github.com/prince-chrismc/jwt-cpp/tree/master/example/traits) for details.
+In order to maintain compatibility, [picojson](https://github.com/kazuho/picojson) is still used to provide a specialized `jwt::claim` along with all helpers. Defining `JWT_DISABLE_PICOJSON` will remove this optional dependency. It's possible to directly include the traits defaults for the other JSON libraries. See the [traits examples](https://github.com/Thalhammer/jwt-cpp/tree/master/example/traits) for details.
 
 As for the base64 requirements of JWTs, this libary provides `base.h` with all the required implentation; However base64 implementations are very common, with varying degrees of performance. When providing your own base64 implementation, you can define `JWT_DISABLE_BASE64` to remove the jwt-cpp implementation.
 
diff --git a/include/jwt-cpp/jwt.h b/include/jwt-cpp/jwt.h
@@ -54,8 +54,12 @@
 #endif
 
 #if defined(LIBRESSL_VERSION_NUMBER)
+#if LIBRESSL_VERSION_NUMBER >= 0x3050300fL
+#define JWT_OPENSSL_1_1_0
+#else
 #define JWT_OPENSSL_1_0_0
 #endif
+#endif
 
 #if defined(LIBWOLFSSL_VERSION_HEX)
 #define JWT_OPENSSL_1_1_1
diff --git a/tests/OpenSSLErrorTest.cpp b/tests/OpenSSLErrorTest.cpp
@@ -566,9 +566,17 @@ TEST(OpenSSLErrorTest, LoadPublicKeyCertFromStringReference) {
 }
 
 TEST(OpenSSLErrorTest, LoadPublicKeyCertFromString) {
-	std::vector<multitest_entry> mapping{{&fail_BIO_new, 1, jwt::error::rsa_error::create_mem_bio_failed},
-										 {&fail_BIO_write, 1, jwt::error::rsa_error::load_key_bio_write},
-										 {&fail_PEM_read_bio_PUBKEY, 1, jwt::error::rsa_error::load_key_bio_read}};
+	std::vector<multitest_entry> mapping {
+		{&fail_BIO_new, 1, jwt::error::rsa_error::create_mem_bio_failed},
+#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x3050300fL
+			{&fail_BIO_write, 1, jwt::error::rsa_error::load_key_bio_write},
+#else
+			{&fail_BIO_write, 1, jwt::error::rsa_error::write_key_failed},
+#endif
+		{
+			&fail_PEM_read_bio_PUBKEY, 1, jwt::error::rsa_error::load_key_bio_read
+		}
+	};
 
 	run_multitest(mapping, [](std::error_code& ec) {
 		try {
@@ -579,9 +587,17 @@ TEST(OpenSSLErrorTest, LoadPublicKeyCertFromString) {
 }
 
 TEST(OpenSSLErrorTest, LoadPublicKeyCertFromStringErrorCode) {
-	std::vector<multitest_entry> mapping{{&fail_BIO_new, 1, jwt::error::rsa_error::create_mem_bio_failed},
-										 {&fail_BIO_write, 1, jwt::error::rsa_error::load_key_bio_write},
-										 {&fail_PEM_read_bio_PUBKEY, 1, jwt::error::rsa_error::load_key_bio_read}};
+	std::vector<multitest_entry> mapping {
+		{&fail_BIO_new, 1, jwt::error::rsa_error::create_mem_bio_failed},
+#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x3050300fL
+			{&fail_BIO_write, 1, jwt::error::rsa_error::load_key_bio_write},
+#else
+			{&fail_BIO_write, 1, jwt::error::rsa_error::write_key_failed},
+#endif
+		{
+			&fail_PEM_read_bio_PUBKEY, 1, jwt::error::rsa_error::load_key_bio_read
+		}
+	};
 
 	run_multitest(mapping, [](std::error_code& ec) {
 		auto res = jwt::helper::load_public_key_from_string(sample_cert, "", ec);
@@ -720,15 +736,22 @@ TEST(OpenSSLErrorTest, LoadECDSAPublicKeyFromString) {
 }
 
 TEST(OpenSSLErrorTest, ECDSACertificate) {
-	std::vector<multitest_entry> mapping{{&fail_BIO_new, 1, jwt::error::ecdsa_error::create_mem_bio_failed},
-										 {&fail_BIO_write, 1, jwt::error::ecdsa_error::load_key_bio_write},
-										 {&fail_PEM_read_bio_PUBKEY, 1, jwt::error::ecdsa_error::load_key_bio_read},
-										 // extract_pubkey_from_cert
-										 {&fail_BIO_new, 2, jwt::error::rsa_error::create_mem_bio_failed},
-										 {&fail_PEM_read_bio_X509, 1, jwt::error::rsa_error::cert_load_failed},
-										 {&fail_X509_get_pubkey, 1, jwt::error::rsa_error::get_key_failed},
-										 {&fail_PEM_write_bio_PUBKEY, 1, jwt::error::rsa_error::write_key_failed},
-										 {&fail_BIO_ctrl, 1, jwt::error::rsa_error::convert_to_pem_failed}};
+	std::vector<multitest_entry> mapping {
+		{&fail_BIO_new, 1, jwt::error::ecdsa_error::create_mem_bio_failed},
+#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x3050300fL
+			{&fail_BIO_write, 1, jwt::error::ecdsa_error::load_key_bio_write},
+#else
+			{&fail_BIO_write, 1, jwt::error::rsa_error::write_key_failed},
+#endif
+			{&fail_PEM_read_bio_PUBKEY, 1, jwt::error::ecdsa_error::load_key_bio_read},
+			// extract_pubkey_from_cert
+			{&fail_BIO_new, 2, jwt::error::rsa_error::create_mem_bio_failed},
+			{&fail_PEM_read_bio_X509, 1, jwt::error::rsa_error::cert_load_failed},
+			{&fail_X509_get_pubkey, 1, jwt::error::rsa_error::get_key_failed},
+			{&fail_PEM_write_bio_PUBKEY, 1, jwt::error::rsa_error::write_key_failed}, {
+			&fail_BIO_ctrl, 1, jwt::error::rsa_error::convert_to_pem_failed
+		}
+	};
 
 	run_multitest(mapping, [](std::error_code& ec) {
 		try {
