diff options
62 files changed, 833 insertions, 286 deletions
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e593942e2e..737995b8f8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -96,7 +96,7 @@ jobs: uses: actions/upload-artifact@v3 with: name: "ci@basic-gcc" - path: artifacts/ + path: artifacts.tar.gz basic_clang: runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} @@ -118,7 +118,7 @@ jobs: uses: actions/upload-artifact@v3 with: name: "ci@basic-clang" - path: artifacts/ + path: artifacts.tar.gz self-hosted: if: github.repository == 'openssl/openssl' @@ -143,7 +143,7 @@ jobs: uses: actions/upload-artifact@v3 with: name: "ci@self-hosted-${{ matrix.os }}" - path: artifacts/ + path: artifacts.tar.gz minimal: runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} @@ -165,8 +165,7 @@ jobs: uses: actions/upload-artifact@v3 with: name: "ci@minimal" - path: artifacts/ - if-no-files-found: ignore + path: artifacts.tar.gz no-deprecated: runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} @@ -188,7 +187,7 @@ jobs: uses: actions/upload-artifact@v3 with: name: "ci@no-deprecated" - path: artifacts/ + path: artifacts.tar.gz no-shared-ubuntu: runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} @@ -210,7 +209,7 @@ jobs: uses: actions/upload-artifact@v3 with: name: "ci@no-shared-ubuntu" - path: artifacts/ + path: artifacts.tar.gz no-shared-macos: strategy: @@ -237,7 +236,7 @@ jobs: uses: actions/upload-artifact@v3 with: name: "ci@no-shared-${{ matrix.os }}" - path: artifacts/ + path: artifacts.tar.gz non-caching: runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} @@ -263,7 +262,7 @@ jobs: uses: actions/upload-artifact@v3 with: name: "ci@non-caching" - path: artifacts/ + path: artifacts.tar.gz address_ub_sanitizer: runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} @@ -289,7 +288,7 @@ jobs: uses: actions/upload-artifact@v3 with: name: "ci@address_ub_sanitizer" - path: artifacts/ + path: artifacts.tar.gz fuzz_tests: runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} @@ -315,7 +314,7 @@ jobs: uses: actions/upload-artifact@v3 with: name: "ci@fuzz_tests" - path: artifacts/ + path: artifacts.tar.gz if-no-files-found: ignore memory_sanitizer: @@ -343,7 +342,7 @@ jobs: uses: actions/upload-artifact@v3 with: name: "ci@memory_sanitizer" - path: artifacts/ + path: artifacts.tar.gz threads_sanitizer: runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} @@ -369,7 +368,7 @@ jobs: uses: actions/upload-artifact@v3 with: name: "ci@threads_sanitizer" - path: artifacts/ + path: artifacts.tar.gz enable_non-default_options: runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} @@ -393,7 +392,7 @@ jobs: uses: actions/upload-artifact@v3 with: name: "ci@enable_non-default_options" - path: artifacts/ + path: artifacts.tar.gz full_featured: runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} @@ -423,7 +422,7 @@ jobs: uses: actions/upload-artifact@v3 with: name: "ci@full_featured" - path: artifacts/ + path: artifacts.tar.gz no-legacy: runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} @@ -445,7 +444,7 @@ jobs: uses: actions/upload-artifact@v3 with: name: "ci@no-legacy" - path: artifacts/ + path: artifacts.tar.gz legacy: runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} @@ -467,7 +466,7 @@ jobs: uses: actions/upload-artifact@v3 with: name: "ci@legacy" - path: artifacts/ + path: artifacts.tar.gz # out-of-source-and-install checks multiple things at the same time: # - That building, testing and installing works from an out-of-source @@ -509,7 +508,7 @@ jobs: uses: actions/upload-artifact@v3 with: name: "ci@out-of-readonly-source-and-install-ubuntu" - path: build/artifacts/ + path: build/artifacts.tar.gz - name: make install run: make install working-directory: ./build @@ -554,7 +553,7 @@ jobs: uses: actions/upload-artifact@v3 with: name: "ci@out-of-readonly-source-and-install-${{ matrix.os }}" - path: build/artifacts/ + path: build/artifacts.tar.gz - name: make install run: make install working-directory: ./build @@ -570,7 +569,7 @@ jobs: sudo apt-get update sudo apt-get -yq install bison gettext keyutils ldap-utils libldap2-dev libkeyutils-dev python3 python3-paste python3-pyrad slapd tcsh python3-virtualenv virtualenv python3-kdcproxy - name: install cpanm and Test2::V0 for gost_engine testing - uses: perl-actions/install-with-cpanm@v1 + uses: perl-actions/install-with-cpanm@stable with: install: Test2::V0 - name: setup hostname workaround diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml index 6df0543e5d..ca5fa3d693 100644 --- a/.github/workflows/coveralls.yml +++ b/.github/workflows/coveralls.yml @@ -50,7 +50,7 @@ jobs: sudo apt-get -yq install lcov sudo apt-get -yq install bison gettext keyutils ldap-utils libldap2-dev libkeyutils-dev python3 python3-paste python3-pyrad slapd tcsh python3-virtualenv virtualenv python3-kdcproxy - name: install Test2::V0 for gost_engine testing - uses: perl-actions/install-with-cpanm@v1 + uses: perl-actions/install-with-cpanm@stable with: install: Test2::V0 - name: setup hostname workaround @@ -76,7 +76,7 @@ jobs: --exclude "/usr/include/*" -o ./lcov.info - name: Coveralls upload - uses: coverallsapp/github-action@v2.2.3 + uses: coverallsapp/github-action@v2.3.0 with: github-token: ${{ secrets.github_token }} git-branch: ${{ matrix.branches.branch }} diff --git a/.github/workflows/cross-compiles.yml b/.github/workflows/cross-compiles.yml index 4e5dfa45f2..5dc1b83f4e 100644 --- a/.github/workflows/cross-compiles.yml +++ b/.github/workflows/cross-compiles.yml @@ -220,5 +220,5 @@ jobs: uses: actions/upload-artifact@v3 with: name: "cross-compiles@${{ matrix.platform.arch }}" - path: artifacts/ + path: artifacts.tar.gz if-no-files-found: ignore diff --git a/.github/workflows/make-test b/.github/workflows/make-test index 247b4c61bd..195928e786 100755 --- a/.github/workflows/make-test +++ b/.github/workflows/make-test @@ -37,4 +37,7 @@ echo "Test suite exited with $RESULT, artifacts path is $OSSL_CI_ARTIFACTS_PATH" (cd "$OSSL_CI_ARTIFACTS_PATH"; find . -type f | sort) echo "::endgroup::" +echo "Archive artifacts" +tar -czvf artifacts.tar.gz $OSSL_CI_ARTIFACTS_PATH + exit $RESULT diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index ac30adc2c9..36ecf3b263 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf @@ -777,7 +777,14 @@ my %targets = ( asm_arch => 'aarch64', perlasm_scheme => "linux64", }, - + "linux-arm64ilp32-clang" => { # clang config abi by --target + inherit_from => [ "linux-generic32" ], + CC => "clang", + CXX => "clang++", + bn_ops => "SIXTY_FOUR_BIT RC4_CHAR", + asm_arch => 'aarch64', + perlasm_scheme => "linux64", + }, "linux-mips32" => { # Configure script adds minimally required -march for assembly # support, if no -march was specified at command line. diff --git a/NOTES-NONSTOP.md b/NOTES-NONSTOP.md index 6cf12042d5..09085967de 100644 --- a/NOTES-NONSTOP.md +++ b/NOTES-NONSTOP.md @@ -19,9 +19,7 @@ About c99 compiler The c99 compiler is required for building OpenSSL from source. While c11 may work, it has not been broadly tested. c99 is the only compiler -prerequisite needed to build OpenSSL 3.0 on this platform. You should also -have the FLOSS package installed on your system. The ITUGLIB FLOSS package -is the only FLOSS variant that has been broadly tested. +prerequisite needed to build OpenSSL 3.0 on this platform. Threading Models ---------------- diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 47d994b9c2..00ed81dc61 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -2952,11 +2952,6 @@ int raw_read_stdin(void *buf, int siz) return recv(fileno_stdin(), buf, siz, 0); } #else -# if defined(__TANDEM) -# if defined(OPENSSL_TANDEM_FLOSS) -# include <floss.h(floss_read)> -# endif -# endif int raw_read_stdin(void *buf, int siz) { return read(fileno_stdin(), buf, siz); @@ -2975,21 +2970,11 @@ int raw_write_stdout(const void *buf, int siz) } #elif defined(OPENSSL_SYS_TANDEM) && defined(OPENSSL_THREADS) \ && defined(_SPT_MODEL_) -# if defined(__TANDEM) -# if defined(OPENSSL_TANDEM_FLOSS) -# include <floss.h(floss_write)> -# endif -# endif int raw_write_stdout(const void *buf, int siz) { return write(fileno(stdout), (void *)buf, siz); } #else -# if defined(__TANDEM) -# if defined(OPENSSL_TANDEM_FLOSS) -# include <floss.h(floss_write)> -# endif -# endif int raw_write_stdout(const void *buf, int siz) { return write(fileno_stdout(), buf, siz); diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c index 5fed3a9fd0..b0c8dfbb8c 100644 --- a/apps/lib/cmp_mock_srv.c +++ b/apps/lib/cmp_mock_srv.c @@ -401,9 +401,22 @@ static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid, rsp = OSSL_CMP_ITAV_new_caCerts(ctx->caPubsOut); break; case NID_id_it_rootCaCert: - rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(ctx->newWithNew, - ctx->newWithOld, - ctx->oldWithNew); + { + X509 *rootcacert = NULL; + + if (!OSSL_CMP_ITAV_get0_rootCaCert(req, &rootcacert)) + return NULL; + + if (rootcacert != NULL + && X509_NAME_cmp(X509_get_subject_name(rootcacert), + X509_get_subject_name(ctx->newWithNew)) != 0) + /* The subjects do not match */ + rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(NULL, NULL, NULL); + else + rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(ctx->newWithNew, + ctx->newWithOld, + ctx->oldWithNew); + } break; default: rsp = OSSL_CMP_ITAV_dup(req); diff --git a/apps/lib/http_server.c b/apps/lib/http_server.c index ac66a42def..4bc2012a1e 100644 --- a/apps/lib/http_server.c +++ b/apps/lib/http_server.c @@ -26,12 +26,6 @@ #include "s_apps.h" #include "log.h" -#if defined(__TANDEM) -# if defined(OPENSSL_TANDEM_FLOSS) -# include <floss.h(floss_fork)> -# endif -#endif - #define HTTP_PREFIX "HTTP/" #define HTTP_VERSION_PATT "1." /* allow 1.x */ #define HTTP_PREFIX_VERSION HTTP_PREFIX""HTTP_VERSION_PATT diff --git a/apps/lib/s_socket.c b/apps/lib/s_socket.c index ace51686ad..46c0028223 100644 --- a/apps/lib/s_socket.c +++ b/apps/lib/s_socket.c @@ -41,12 +41,6 @@ typedef unsigned int u_int; # include "s_apps.h" # include "internal/sockets.h" -# if defined(__TANDEM) -# if defined(OPENSSL_TANDEM_FLOSS) -# include <floss.h(floss_read)> -# endif -# endif - # include <openssl/bio.h> # include <openssl/err.h> diff --git a/apps/ocsp.c b/apps/ocsp.c index 17313520cf..4b682dca92 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -33,12 +33,6 @@ #include <openssl/bn.h> #include <openssl/x509v3.h> -#if defined(__TANDEM) -# if defined(OPENSSL_TANDEM_FLOSS) -# include <floss.h(floss_fork)> -# endif -#endif - #if defined(OPENSSL_SYS_VXWORKS) /* not supported */ int setpgid(pid_t pid, pid_t pgid) diff --git a/apps/speed.c b/apps/speed.c index 5a985bf7a4..a119a52fde 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -47,12 +47,6 @@ # include <unistd.h> #endif -#if defined(__TANDEM) -# if defined(OPENSSL_TANDEM_FLOSS) -# include <floss.h(floss_fork)> -# endif -#endif - #if defined(_WIN32) # include <windows.h> /* diff --git a/crypto/bio/bio_sock.c b/crypto/bio/bio_sock.c index 52b11fa8c1..05523b5e5f 100644 --- a/crypto/bio/bio_sock.c +++ b/crypto/bio/bio_sock.c @@ -26,9 +26,6 @@ static int wsa_init_done = 0; # if defined __TANDEM # include <unistd.h> # include <sys/time.h> /* select */ -# if defined(OPENSSL_TANDEM_FLOSS) -# include <floss.h(floss_select)> -# endif # elif defined _WIN32 # include <winsock.h> /* for type fd_set */ # else diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index 9070647b35..cab87d9959 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -708,14 +708,29 @@ int BN_ucmp(const BIGNUM *a, const BIGNUM *b) int i; BN_ULONG t1, t2, *ap, *bp; + ap = a->d; + bp = b->d; + + if (BN_get_flags(a, BN_FLG_CONSTTIME) + && a->top == b->top) { + int res = 0; + + for (i = 0; i < b->top; i++) { + res = constant_time_select_int(constant_time_lt_bn(ap[i], bp[i]), + -1, res); + res = constant_time_select_int(constant_time_lt_bn(bp[i], ap[i]), + 1, res); + } + return res; + } + bn_check_top(a); bn_check_top(b); i = a->top - b->top; if (i != 0) return i; - ap = a->d; - bp = b->d; + for (i = a->top - 1; i >= 0; i--) { t1 = ap[i]; t2 = bp[i]; @@ -827,11 +842,10 @@ int BN_is_bit_set(const BIGNUM *a, int n) return (int)(((a->d[i]) >> j) & ((BN_ULONG)1)); } -int BN_mask_bits(BIGNUM *a, int n) +int ossl_bn_mask_bits_fixed_top(BIGNUM *a, int n) { int b, w; - bn_check_top(a); if (n < 0) return 0; @@ -845,10 +859,21 @@ int BN_mask_bits(BIGNUM *a, int n) a->top = w + 1; a->d[w] &= ~(BN_MASK2 << b); } - bn_correct_top(a); + a->flags |= BN_FLG_FIXED_TOP; return 1; } +int BN_mask_bits(BIGNUM *a, int n) +{ + int ret; + + bn_check_top(a); + ret = ossl_bn_mask_bits_fixed_top(a, n); + if (ret) + bn_correct_top(a); + return ret; +} + void BN_set_negative(BIGNUM *a, int b) { if (b && !BN_is_zero(a)) @@ -1022,6 +1047,22 @@ int BN_is_word(const BIGNUM *a, const BN_ULONG w) return BN_abs_is_word(a, w) && (!w || !a->neg); } +int ossl_bn_is_word_fixed_top(const BIGNUM *a, const BN_ULONG w) +{ + int res, i; + const BN_ULONG *ap = a->d; + + if (a->neg || a->top == 0) + return 0; + + res = constant_time_select_int(constant_time_eq_bn(ap[0], w), 1, 0); + + for (i = 1; i < a->top; i++) + res = constant_time_select_int(constant_time_is_zero_bn(ap[i]), + res, 0); + return res; +} + int BN_is_odd(const BIGNUM *a) { return (a->top > 0) && (a->d[0] & 1); diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index a94dfcecdf..650d057470 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -184,8 +184,8 @@ static int bnrand_range(BNRAND_FLAG flag, BIGNUM *r, const BIGNUM *range, } else { do { /* range = 11..._2 or range = 101..._2 */ - if (!bnrand(flag, r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, 0, - ctx)) + if (!bnrand(flag, r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, + strength, ctx)) return 0; if (!--count) { @@ -238,17 +238,63 @@ int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range) # endif #endif +int ossl_bn_priv_rand_range_fixed_top(BIGNUM *r, const BIGNUM *range, + unsigned int strength, BN_CTX *ctx) +{ + int n; + int count = 100; + + if (r == NULL) { + ERR_raise(ERR_LIB_BN, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + + if (range->neg || BN_is_zero(range)) { + ERR_raise(ERR_LIB_BN, BN_R_INVALID_RANGE); + return 0; + } + + n = BN_num_bits(range); /* n > 0 */ + + /* BN_is_bit_set(range, n - 1) always holds */ + + if (n == 1) { + BN_zero(r); + } else { + BN_set_flags(r, BN_FLG_CONSTTIME); + do { + if (!bnrand(PRIVATE, r, n + 1, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY, + strength, ctx)) + return 0; + + if (!--count) { + ERR_raise(ERR_LIB_BN, BN_R_TOO_MANY_ITERATIONS); + return 0; + } + ossl_bn_mask_bits_fixed_top(r, n); + } + while (BN_ucmp(r, range) >= 0); +#ifdef BN_DEBU |