Bump version to 0.2.5.

* rsaKeygenGetDefault test

* add ubuntu 24 and gcc 14 to ci

* use PrngClassPointerConst for rsa keygen

* fix test_brssl

* add comment about ubuntu 24

* define and use ConstPtrPtrHashClass

* remove previous ecKeygen

* remove previous x509NoanchorInit

* improve test

* add ecKeygen test

* add x509NoanchorInit test

* remove commented code

* rename target to linux-gcc-14

* test already exists

* fix tests

.github/workflows/ci.yml

@@ -18,22 +18,32 @@ jobs:
         target:
           - os: linux
             cpu: amd64
+          - os: linux-gcc-14 # this is to use ubuntu 24 and install gcc 14. Must be removed when ubuntu-latest is 24.04
+            cpu: amd64
           - os: linux
             cpu: i386
           - os: macos
             cpu: amd64
+          - os: macos
+            cpu: arm64
           - os: windows
             cpu: amd64
-          #- os: windows
-            #cpu: i386
         branch: [version-1-6, version-2-0, devel]
         include:
           - target:
               os: linux
-            builder: ubuntu-20.04
+            builder: ubuntu-latest
+          - target:
+              os: linux-gcc-14 # this is to use ubuntu 24 and install gcc 14. Must be removed when ubuntu-latest is 24.04
+            builder: ubuntu-24.04
           - target:
               os: macos
-            builder: macos-12
+              cpu: amd64
+            builder: macos-13
+          - target:
+              os: macos
+              cpu: arm64
+            builder: macos-latest
           - target:
               os: windows
             builder: windows-latest
@@ -47,7 +57,7 @@ jobs:
     continue-on-error: ${{ matrix.branch == 'devel' }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           submodules: true
 
@@ -74,7 +84,7 @@ jobs:
       - name: Restore llvm-mingw (Windows) from cache
         if: runner.os == 'Windows'
         id: windows-mingw-cache
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: external/mingw-${{ matrix.target.cpu }}
           key: 'mingw-llvm-17-${{ matrix.target.cpu }}'
@@ -100,7 +110,7 @@ jobs:
       - name: Restore Nim DLLs dependencies (Windows) from cache
         if: runner.os == 'Windows'
         id: windows-dlls-cache
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: external/dlls-${{ matrix.target.cpu }}
           key: 'dlls-${{ matrix.target.cpu }}'
@@ -125,6 +135,8 @@ jobs:
         run: |
           if [[ '${{ matrix.target.cpu }}' == 'amd64' ]]; then
             PLATFORM=x64
+          elif [[ '${{ matrix.target.cpu }}' == 'arm64' ]]; then
+            PLATFORM=arm64
           else
             PLATFORM=x86
           fi
@@ -156,10 +168,20 @@ jobs:
             bash build_nim.sh nim csources dist/nimble NimBinaries
           echo '${{ github.workspace }}/nim/bin' >> $GITHUB_PATH
 
+      - name: Use gcc 14
+        if : ${{ matrix.target.os == 'linux-gcc-14' }}
+        run: |
+          # Add GCC-14 to alternatives
+          sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-14 14
+
+          # Set GCC-14 as the default
+          sudo update-alternatives --set gcc /usr/bin/gcc-14
+
       - name: Run tests
         run: |
           nim --version
           nimble --version
+          gcc --version
           nimble install -y --depsOnly
           env NIMLANG=c nimble test
           # C++ support requires fixing const pointer proc assignments

bearssl.nimble

@@ -1,7 +1,7 @@
 mode = ScriptMode.Verbose
 
 packageName   = "bearssl"
-version       = "0.2.2"
+version       = "0.2.5"
 author        = "Status Research & Development GmbH"
 description   = "BearSSL wrapper"
 license       = "MIT or Apache License 2.0"
@@ -24,9 +24,9 @@ proc build(args, path: string) =
   exec nimc & " " & lang & " " & cfg & " " & flags & " " & args & " " & path
 
 proc run(args, path: string) =
-  build args & " -r", path
+  build args & " --mm:refc -r", path
   if (NimMajor, NimMinor) > (1, 6):
-    build args & " --mm:refc -r", path
+    build args & " --mm:orc -r", path
 
 from std/strutils import endsWith
 

bearssl/abi/bearssl_ec.nim

@@ -325,10 +325,14 @@ const
   EC_KBUF_PUB_MAX_SIZE* = 145
 
 
-proc ecKeygen*(rngCtx: ptr ptr PrngClass; impl: ptr EcImpl; sk: ptr EcPrivateKey;
+proc ecKeygen*(rngCtx: PrngClassPointerConst; impl: ptr EcImpl; sk: ptr EcPrivateKey;
               kbuf: pointer; curve: cint): uint {.importcFunc, importc: "br_ec_keygen",
     header: "bearssl_ec.h".}
 
+proc ecKeygen*(rngCtx: ptr ptr PrngClass; impl: ptr EcImpl; sk: ptr EcPrivateKey;
+              kbuf: pointer; curve: cint): uint =
+  ecKeygen(PrngClassPointerConst(rngCtx), impl, sk, kbuf, curve)
+
 proc ecComputePub*(impl: ptr EcImpl; pk: ptr EcPublicKey; kbuf: pointer;
                   sk: ptr EcPrivateKey): uint {.importcFunc,
     importc: "br_ec_compute_pub", header: "bearssl_ec.h".}

bearssl/abi/bearssl_hash.nim

@@ -23,19 +23,20 @@ const
 {.compile: bearHashPath & "sha2small.c".}
 
 type
+  ConstPtrPtrHashClass* {.importc: "const br_hash_class**", header: "bearssl_hash.h", bycopy.} = pointer
+
   HashClass* {.importc: "br_hash_class", header: "bearssl_hash.h", bycopy.} = object
     contextSize* {.importc: "context_size".}: uint
     desc* {.importc: "desc".}: uint32
-    init* {.importc: "init".}: proc (ctx: ptr ptr HashClass) {.importcFunc.}
+    init* {.importc: "init".}: proc (ctx: ConstPtrPtrHashClass) {.importcFunc.}
-    update* {.importc: "update".}: proc (ctx: ptr ptr HashClass; data: pointer;
+    update* {.importc: "update".}: proc (ctx: ConstPtrPtrHashClass; data: pointer;
                                      len: uint) {.importcFunc.}
-    `out`* {.importc: "out".}: proc (ctx: ptr ptr HashClass; dst: pointer) {.importcFunc.}
+    `out`* {.importc: "out".}: proc (ctx: ConstPtrPtrHashClass; dst: pointer) {.importcFunc.}
-    state* {.importc: "state".}: proc (ctx: ptr ptr HashClass; dst: pointer): uint64 {.
+    state* {.importc: "state".}: proc (ctx: ConstPtrPtrHashClass; dst: pointer): uint64 {.
         importcFunc.}
-    setState* {.importc: "set_state".}: proc (ctx: ptr ptr HashClass; stb: pointer;
+    setState* {.importc: "set_state".}: proc (ctx: ConstPtrPtrHashClass; stb: pointer;
         count: uint64) {.importcFunc.}
 
-
 template hashdesc_Id*(id: untyped): untyped =
   ((uint32)(id) shl hashdesc_Id_Off)
 

bearssl/abi/bearssl_rand.nim

@@ -21,6 +21,7 @@ type
     update* {.importc: "update".}: proc (ctx: ptr ptr PrngClass; seed: pointer;
                                      seedLen: uint) {.importcFunc.}
 
+  PrngClassPointerConst* {.importc: "const br_prng_class**", header: "bearssl_rand.h", bycopy.} = pointer
 
 
 type
@@ -51,10 +52,10 @@ proc hmacDrbgGetHash*(ctx: var HmacDrbgContext): ptr HashClass {.inline.} =
 
 
 type
-  PrngSeeder* {.importc: "br_prng_seeder".} = proc (ctx: ptr ptr PrngClass): cint {.importcFunc.}
+  PrngSeeder* {.importc: "br_prng_seeder".} = proc (ctx: PrngClassPointerConst): cint {.importcFunc.}
+  constCstringArray* {.importc: "const char**", nodecl.} = pointer
 
-
+proc prngSeederSystem*(name: constCstringArray): PrngSeeder {.importcFunc,
-proc prngSeederSystem*(name: cstringArray): PrngSeeder {.importcFunc,
     importc: "br_prng_seeder_system", header: "bearssl_rand.h".}
 
 # type

bearssl/abi/bearssl_rsa.nim

@@ -357,20 +357,20 @@ template rsaKbufPubSize*(size: untyped): untyped =
 
 
 type
-  RsaKeygen* {.importc: "br_rsa_keygen".} = proc (rngCtx: ptr ptr PrngClass; sk: ptr RsaPrivateKey; kbufPriv: pointer;
+  RsaKeygen* {.importc: "br_rsa_keygen".} = proc (rngCtx: PrngClassPointerConst; sk: ptr RsaPrivateKey; kbufPriv: pointer;
                   pk: ptr RsaPublicKey; kbufPub: pointer; size: cuint; pubexp: uint32): uint32 {.
       importcFunc.}
 
 
-proc rsaI15Keygen*(rngCtx: ptr ptr PrngClass; sk: ptr RsaPrivateKey; kbufPriv: pointer;
+proc rsaI15Keygen*(rngCtx: PrngClassPointerConst; sk: ptr RsaPrivateKey; kbufPriv: pointer;
                   pk: ptr RsaPublicKey; kbufPub: pointer; size: cuint; pubexp: uint32): uint32 {.
     importcFunc, importc: "br_rsa_i15_keygen", header: "bearssl_rsa.h".}
 
-proc rsaI31Keygen*(rngCtx: ptr ptr PrngClass; sk: ptr RsaPrivateKey; kbufPriv: pointer;
+proc rsaI31Keygen*(rngCtx: PrngClassPointerConst; sk: ptr RsaPrivateKey; kbufPriv: pointer;
                   pk: ptr RsaPublicKey; kbufPub: pointer; size: cuint; pubexp: uint32): uint32 {.
     importcFunc, importc: "br_rsa_i31_keygen", header: "bearssl_rsa.h".}
 
-proc rsaI62Keygen*(rngCtx: ptr ptr PrngClass; sk: ptr RsaPrivateKey; kbufPriv: pointer;
+proc rsaI62Keygen*(rngCtx: PrngClassPointerConst; sk: ptr RsaPrivateKey; kbufPriv: pointer;
                   pk: ptr RsaPublicKey; kbufPub: pointer; size: cuint; pubexp: uint32): uint32 {.
     importcFunc, importc: "br_rsa_i62_keygen", header: "bearssl_rsa.h".}
 

bearssl/abi/bearssl_ssl.nim

@@ -544,7 +544,7 @@ type
     alert* {.importc: "alert".}: byte
     closeReceived* {.importc: "close_received".}: byte
     mhash* {.importc: "mhash".}: MultihashContext
-    x509ctx* {.importc: "x509ctx".}: ptr ptr X509Class
+    x509ctx* {.importc: "x509ctx".}: X509ClassPointerConst
     chain* {.importc: "chain".}: ptr X509Certificate
     chainLen* {.importc: "chain_len".}: uint
     certCur* {.importc: "cert_cur".}: ptr byte
@@ -612,9 +612,12 @@ proc sslEngineSetSuites*(cc: var SslEngineContext; suites: ptr uint16;
                         suitesNum: uint) {.importcFunc,
     importc: "br_ssl_engine_set_suites", header: "bearssl_ssl.h".}
 
-proc sslEngineSetX509*(cc: var SslEngineContext; x509ctx: ptr ptr X509Class) {.inline.} =
+proc sslEngineSetX509*(cc: var SslEngineContext;
+                       x509ctx: X509ClassPointerConst) =
   cc.x509ctx = x509ctx
 
+proc sslEngineSetX509*(cc: var SslEngineContext; x509ctx: ptr ptr X509Class) =
+  cc.x509ctx = X509ClassPointerConst(x509ctx)
 
 proc sslEngineSetProtocolNames*(ctx: var SslEngineContext; names: cstringArray;
                                num: uint) {.inline.} =
@@ -1077,6 +1080,7 @@ type
                                  params: ptr SslSessionParameters): cint {.importcFunc.}
 
 
+  SslSessionCacheClassPointerConst* {.importc: "const br_ssl_session_cache_class**", header: "bearssl_ssl.h", bycopy.} = pointer
 
 
   SslSessionCacheLru* {.importc: "br_ssl_session_cache_lru",
@@ -1104,7 +1108,7 @@ type
                      bycopy.} = object
     eng* {.importc: "eng".}: SslEngineContext
     clientMaxVersion* {.importc: "client_max_version".}: uint16
-    cacheVtable* {.importc: "cache_vtable".}: ptr ptr SslSessionCacheClass
+    cacheVtable* {.importc: "cache_vtable".}: SslSessionCacheClassPointerConst
     clientSuites* {.importc: "client_suites".}: array[MAX_CIPHER_SUITES,
         SuiteTranslated]
     clientSuitesNum* {.importc: "client_suites_num".}: byte
@@ -1222,7 +1226,7 @@ proc sslServerSetTrustAnchorNamesAlt*(cc: var SslServerContext;
 
 
 proc sslServerSetCache*(cc: var SslServerContext;
-                       vtable: ptr ptr SslSessionCacheClass) {.inline.} =
+                        vtable: SslSessionCacheClassPointerConst) {.inline.} =
   cc.cacheVtable = vtable
 
 

bearssl/abi/bearssl_x509.nim

@@ -200,7 +200,7 @@ type
     getPkey* {.importc: "get_pkey".}: proc (ctx: ptr ptr X509Class; usages: ptr cuint): ptr X509Pkey {.
         importcFunc.}
 
-
+  X509ClassPointerConst* {.importc: "const br_x509_class**", header: "bearssl_x509.h", bycopy.} = pointer
 
 type
   X509KnownkeyContext* {.importc: "br_x509_knownkey_context",

bearssl/abi/brssl.nim

@@ -18,8 +18,11 @@ type
     vtable* {.importc: "vtable".}: ptr X509Class
     inner* {.importc: "inner".}: ptr ptr X509Class
 
-proc x509NoanchorInit*(xwc: var X509NoanchorContext; inner: ptr ptr X509Class) {.importcFunc,
+proc x509NoanchorInit*(xwc: var X509NoanchorContext; inner: X509ClassPointerConst) {.importcFunc,
     importc: "x509_noanchor_init", header: "brssl_cpp.h".}
 
+proc x509NoanchorInit*(xwc: var X509NoanchorContext; inner: ptr ptr X509Class) =
+  x509NoanchorInit(xwc, X509ClassPointerConst(inner))
+
 proc initNoAnchor*(xwc: var X509NoanchorContext, inner: ptr ptr X509Class) {.
      importcFunc, importc: "x509_noanchor_init", header: "brssl_cpp.h", deprecated: "x509NoanchorInit".}

bearssl/certs/cacert.nim

@@ -20,9 +20,9 @@
 import ../abi/csources
 from ../abi/bearssl_x509 import X509TrustAnchor
 
-{.compile: bearPath & "/../certs/cacert20221116.c".}
+{.compile: bearPath & "/../certs/cacert20240311.c".}
 
-const MozillaTrustAnchorsCount* = 142 # TAs_NUM
+const MozillaTrustAnchorsCount* = 147 # TAs_NUM
 
 var MozillaTrustAnchors* {.importc: "TAs".}: array[
   MozillaTrustAnchorsCount, X509TrustAnchor]

bearssl/rand.nim

@@ -32,14 +32,14 @@ proc new*(T: type HmacDrbgContext): ref HmacDrbgContext =
   ##
   ## The context is seeded with randomness from the OS / system.
   ## Returns `nil` if the OS / system has no randomness API.
-  let seeder = prngSeederSystem(nil)
+  let seeder = prngSeederSystem(constCstringArray(nil))
   if seeder == nil:
     return nil
 
   let rng = (ref HmacDrbgContext)()
   hmacDrbgInit(rng[], addr sha256Vtable, nil, 0)
 
-  if seeder(addr rng.vtable) == 0:
+  if seeder(PrngClassPointerConst(addr rng.vtable)) == 0:
     return nil
 
   rng

tests/test_brssl.nim

@@ -9,4 +9,4 @@ suite "x509":
     var x509: X509MinimalContext
 
     x509MinimalInit(x509, nil, nil, 0)
-    x509NoanchorInit(xwc, addr x509.vtable)
+    x509NoanchorInit(xwc, X509ClassPointerConst(addr x509.vtable))

tests/test_ec.nim

@@ -0,0 +1,20 @@
+import
+  unittest2,
+  ../bearssl/[rand, ec]
+
+{.used.}
+
+type
+  EcPrivateKey* = ref object
+    buffer*: array[EC_KBUF_PRIV_MAX_SIZE, byte]
+    key*: ec.EcPrivateKey
+
+suite "ec":
+  test "test ecKeygen interface":
+    let rng = HmacDrbgContext.new()
+
+    var ecimp = ecGetDefault()
+    var res = new EcPrivateKey
+    check ecKeygen(
+      PrngClassPointerConst(addr rng.vtable), ecimp, addr res.key, addr res.buffer[0], cint(EC_secp256r1)
+    ) != 0

tests/test_rand.nim

@@ -20,7 +20,7 @@ suite "random":
       v2 != default(array[1024, byte]) # probable
 
     for i in 0..<1000:
-      doAssert cast[int](rng[].generate(bool)) in [0, 1]
+      doAssert int(rng[].generate(bool)) in [0, 1]
 
     var bools: array[64 * 1024, bool]
     rng[].generate(bools)

tests/test_rsa.nim

@@ -0,0 +1,41 @@
+import
+  unittest2,
+  ../bearssl/[rand, rsa]
+
+{.used.}
+
+const
+  DefaultKeySize* = 3072 ## Default RSA key size in bits.
+  DefaultPublicExponent* = 65537'u32
+
+type
+  RsaPrivateKey* = ref object
+    buffer*: seq[byte]
+    seck*: rsa.RsaPrivateKey
+    pubk*: rsa.RsaPublicKey
+    pexp*: ptr byte
+    pexplen*: uint
+
+suite "rsa":
+  test "test rsaKeygenGetDefault interface":
+    let rng = HmacDrbgContext.new()
+
+    let
+      sko = 0
+      pko = rsaKbufPrivSize(DefaultKeySize)
+      eko = pko + rsaKbufPubSize(DefaultKeySize)
+      length = eko + ((DefaultKeySize + 7) shr 3)
+
+    let res = new RsaPrivateKey
+    res.buffer = newSeq[byte](length)
+
+    var keygen = rsaKeygenGetDefault()
+    check keygen(
+      addr rng.vtable,
+      addr res.seck,
+      addr res.buffer[sko],
+      addr res.pubk,
+      addr res.buffer[pko],
+      cuint(DefaultKeySize),
+      DefaultPublicExponent,
+    ) != 0