Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22293)
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22232)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22212)
Add a warning note to the provider cross version checks indicating that a
pull request branch will not be used if execution is set to on pull request.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21964)
Use a Github Actions expression to set value for the environment
variable.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22130)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22104)
We're (currently) intending to validate 3.1.2 against FIPS 140-3.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/22088)
The plan at the moment is to validate 3.1.2 all going well.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21962)
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21393)
Errors such as this seen:
libssl.a(libssl-lib-ssl_stat.o): in function `SSL_alert_desc_string_long':
ssl_stat.c:(.text+0xab2): relocation truncated to fit: R_68K_GOT16O against `.LC157'
test/libtestutil.a(libtestutil-lib-opt.o): in function `opt_pair':
opt.c:(.text+0x10b2): relocation truncated to fit: R_68K_GOT16O against `.LC53'
test/libtestutil.a(libtestutil-lib-opt.o): in function `opt_string':
opt.c:(.text+0x113c): relocation truncated to fit: R_68K_GOT16O against `.LC53'
libcrypto.a(libcrypto-lib-decoder_lib.o): in function `OSSL_DECODER_CTX_set_construct_data':
decoder_lib.c:(.text+0x5a4): relocation truncated to fit: R_68K_GOT16O against `__func__.2'
libcrypto.a(libcrypto-lib-decoder_pkey.o): in function `ossl_decoder_ctx_setup_for_pkey':
decoder_pkey.c:(.text+0x6c2): relocation truncated to fit: R_68K_GOT16O against `decoder_construct_pkey'
libcrypto.a(libcrypto-lib-tb_dsa.o): in function `ENGINE_register_DSA':
tb_dsa.c:(.text+0x5e): relocation truncated to fit: R_68K_GOT16O against `dummy_nid'
libcrypto.a(libcrypto-lib-tb_dsa.o): in function `ENGINE_set_default_DSA':
tb_dsa.c:(.text+0xc4): relocation truncated to fit: R_68K_GOT16O against `dummy_nid'
libcrypto.a(libcrypto-lib-asymcipher.o): in function `.L18':
asymcipher.c:(.text+0x168): relocation truncated to fit: R_68K_GOT16O against `__func__.0'
asymcipher.c:(.text+0x2e8): relocation truncated to fit: R_68K_GOT16O against `__func__.0'
asymcipher.c:(.text+0x33e): relocation truncated to fit: R_68K_GOT16O against `__func__.0'
libcrypto.a(libcrypto-lib-digest.o): in function `EVP_MD_CTX_ctrl':
digest.c:(.text+0xa52): additional relocation overflows omitted from the output
collect2: error: ld returned 1 exit status
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21332)
Ensure builds enable QUIC without explicitly having to ask for it. To
disable QUIC pass "no-quic" to Configure.
As a result we can remove all use of "enable-quic" from the various CI
runs.
We also add a CHANGES and NEWS entry for QUIC support.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21332)
Put jobs that are more likely to fail to on pull request CI.
To compensate move some less likely to fail jobs to on push and
daily CI jobs.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/21336)
Signed-off-by: Sam James <sam@gentoo.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20961)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21212)
This can effectively reduce the binary size for platforms
that don't need ECX feature(~100KB).
Signed-off-by: Yi Li <yi1.li@intel.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20781)
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Anton Arapov <anton@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21131)
Otherwise the fuzz/corpora won't be present.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20683)
Tests all released FIPS approved (or in progress) versions against
all development branches and each other.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20552)
This is an external test which requires recursive checkout
of the cloudflare-quiche submodule.
We simply run a client against the example quiche-server
serving HTTP/0.9 requests.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20527)
Based on kubernetes controller Makefile help.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20407)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20383)
Clang 16 will be released shortly (beginning of March).
Signed-off-by: Sam James <sam@gentoo.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20346)
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/19307)
This reverts commit e787c57c53.
The current CI host system is Ubuntu 22.04, which ships with QEMU 6.2.
This QEMU release is too old for the required RISC-V extensions.
We would need at least QEMU 7.1 (Aug 2022) for this patch.
Let's revert the patch.
Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20139)
RISC-V already has a couple of routines to accelerate cryptographic
calculations using ISA extensions. Let's add a cross-compile target
that allows the CI to test this code.
The new defined machine is a rv64gc machine with
* all Bitmanip extensions (Zb*)
* all Scalar Crypto extensions (Zk*)
This selection matches the supported RISC-V extensions in OpenSSL.
Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20107)
The cross-compile CI tests use cross-compilers for building
and QEMU for testing. This implies that testing of ISA extension
for HW accelerated cryptographic calculations is undefined
(it depends on arch-specific QEMU defaults and arch-specific
detection mechanisms in OpenSSL).
Let's add a mechanism to set two environment variables, that allow
to control the ISA extensions:
* QEMU_CPU: used by QEMU to specify CPU capabilities of the emulation
* OPENSSL_*: used by OpenSSL (on some architectures) to enable ISA
extensions.
Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20107)
ASAN otherwise fails to detect memleaks.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19860)
These warnings trigger on false positives on these platforms
with recent compiler update.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19860)
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19860)
I'm not intending to add every single possible combination of distros
to compiler-zoo, but I think this one is worthwhile.
musl tends to be Different Enough (TM) to allow problems to be found,
in particular (but not limited to) its malloc implementation ("mallocng").
It's also quite a common environment, especially in containers, so
I think it's worth testing on.
Signed-off-by: Sam James <sam@gentoo.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19577)
For some reason the newly introduced CI test
for sctp causes issues. It is unknown why this
seems to work when testing, but doesnt work
once it was merged.
The test has been put into its own file, with
skips on error if the setup fails..
This will need to be merged to test if this
works.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19511)
Moving it one level up so it does not confuse CI.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19515)
We have to use the PPA provided by LLVM because Clang 15 isn't
officially part of Ubuntu 22.04 (or any other Ubuntu release yet),
see https://apt.llvm.org/ for details.
Signed-off-by: Sam James <sam@gentoo.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19450)
Fixes#19371
running config with 'enable-sctp' gave compiler errors.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19398)
Signed-off-by: Čestmír Kalina <ckalina@redhat.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12255)
Since cl knows what architecture it builds fore, all depending on what
the user set up, it makes sense to ask it, and use that result primarly,
and only use the POSIX::uname() MACHINE value as a fallback.
Also, this does indeed determine if cl is present or not.
We drop the explicit names in .github/workflows/windows.yml as proof
of concept.
Fixes#19281
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19285)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/19201)
The default cross compiler (gcc 9.4.0) for ppc64le on Ubunut 20.04 seems
buggy and causes a seg fault in sslapitest. This doesn't impact any other
CI cross compile platforms and does not seem to impact the gcc 10.3.0 cross
compiler.
We just drop the optimisation level on that platform.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19056)
Otherwise we may get spurious results from ub sanitizer. For example we
assume we can tolerate some unaligned write without this define that ub
sanitizer will complain about.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18983)
Fixes#16721
This uses AES-ECB to create a counter mode AES-CTR32 (32bit counter, I could
not get AES-CTR to work as-is), and GHASH to implement POLYVAL. Optimally,
there would be separate polyval assembly implementation(s), but the only one
I could find (and it was SSE2 x86_64 code) was not Apache 2.0 licensed.
This implementation lives only in the default provider; there is no legacy
implementation.
The code offered in #16721 is not used; that implementation sits on top of
OpenSSL, this one is embedded inside OpenSSL.
Full test vectors from RFC8452 are included, except the 0 length plaintext;
that is not supported; and I'm not sure it's worthwhile to do so.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18693)
Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18766)
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18606)
Notably, this might have caught #18225, as Clang 14 wasn't - and is not yet
until this commit - in OpenSSL's CI.
It makes sense to ensure CI tests compilers used in newer Linux distributions:
* Fedora 36 ships with GCC 12
* Ubuntu 22.04 ships with Clang 14
We switch from 'ubuntu-latest' (which can change meaning but currently points
to ubuntu-20.04) to ubuntu-20.04 for the older existing compilers, and
ubuntu-22.04 for the newer ones added by this commit.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18639)
Currently this configurations seem to be failing.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18634)
The afalg engine does not work when run through qemu.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17945)
Supports Linux, MacOS and FreeBSD
Disabled by default, enabled via `enabled-tfo`
Some tests
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8692)
Including running the oqsprovider external test in the
CI external test build.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17832)