We're getting some odd errors in the lhash test on hppa. Analysis shows
that the crash is happening randomly in various places, but always
occurs during an indexed load of register r11 or r23. Root cause hasn't
been completely determined, but given that:
1) hppa is an unadopted platform
2) asan/ubsan/threadsan shows no issues with the affected code elsewhere
3) The hppa build does not have threading enabled
4) reducing the optimization level to 01 quashes the problem
The belief is that this is either a bug in gcc optimization, or an issue
in the qemu emulator we use to test.
Since this is causing CI failures, I'm proposing that we just lower the
optimization level of the build to -01 to avoid the problem, and address
it more throughly should an actual platform user encounter an error
Fixes#24272
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24318)
Some CI jobs produce a significant amount artifacts and it takes a lot
of time to upload them into GitHub artifacts storage. It will be much
faster to upload only one archive with artifacts.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24264)
Documentation Change: Line 34
Changed 'utl' to 'url' to correctly reflect the variables used in the releases in this file.
CLA: trivial
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24164)
The external nghttp3 library seems to have a linking issue on windows
(several missing symbols). Disable that build in windows for now until
its fixed
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24047)
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24047)
It has to have the same version as upload-artifact.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24065)
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
(cherry picked from commit 3764f200f9)
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24034)
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
(cherry picked from commit 0ce7d1f355)
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24034)
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23938)
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23933)
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23551)
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23551)
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23843)
Recently asan/tsan/ubsan runs have been failing randomly. It appears
that a recent runner update may have led to the Address Space Layout
Randomization setting in the linux kernel of ubuntu-latest runner
getting set to too high a value (it defaults to 30). Such a setting
leads to the possibility that a given application will have memory
mapped to an address space that the sanitizer code typically uses to do
its job. Lowering this value allows a/t/ubsan to work consistently
again
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23842)
Imitating Fedora 39 configuration in openssl.cnf with
SECLEVEL lowered to 0 in order to be able to run
TLS 1.3 tests with TLS_AES_128_CCM_8_SHA256.
In order to make updating smoother, check out specific tag rather
than the branch. This way, "old" tests can be fetched until PR
pointing to "new" tests is merged, so backwards-incompatible
changes can be done when needed.
Files specific for openssl upstream moved to separate
directory.
CLA: trivial
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23747)
The enable-unstable-qlog is enabled in windows.yml,
which is sufficient for testing it on Windows.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23550)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23517)
This fixes an issue with a mix of atexit() usage in DLL and statically linked
libcrypto that came out in the test suite on NonStop, which has slightly
different DLL unload processing semantics compared to Linux. The change
allows a build configuration to select whether to register OPENSSL_cleanup()
with atexit() or not, so avoid situations where atexit() registration causes
SIGSEGV.
INSTALL.md and CHANGES.md have been modified to include and describe this
option.
The no-atexit option has been added to .github/workflows/run-checker-daily.yml.
Fixes: #23135
Signed-of-by: Randall S. Becker <randall.becker@nexbridge.ca>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/23394)
actions-rs/toolchain is unmaintained and generates warnings
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23232)
Fedora has some fairly nice interoperability tests that we can leverage
to build a PR and test it against gnutls and nss libraries. This commit
adds the interop-tests.yml ci job to do that work, and run the interop
tests from beaker.
Fixes#20685
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22726)
It was pointed out the GITHUB_WORKSPACE points to the container path of
the workspace, so we can use it instead of hardcoding the
__w/openssl/openssl path
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22726)
Fedora has some fairly nice interoperability tests that we can leverage
to build a PR and test it against gnutls and nss libraries. This commit
adds the interop-tests.yml ci job to do that work, and run the interop
tests from beaker.
Fixes#20685
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22726)
This also adds the configuration options 'enable-quic'.
Fixes#22907
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22908)
Added self-hosted runners for freebsd-x86_64 and ubuntu-aarch64.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Anton Arapov <anton@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22804)
This can be useful for fixing the CI if needed
without the necessity to run abidw locally.
Also rename the CI job to make its purpose clearer.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22689)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22750)
libabigail is currenly only validating symbol presence and version
information in ci. We should also be validating function parameters,
types, etc. To do this we need to build the library with -g so the
dwarf information is available for libabigail to interrogate
while we're at it, also add a script to re-generate the xml that abidiff
uses for comparison during ci runs, to make updates easier
Fixes#22712
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22713)
Those less useful should be in daily or on-push runs.
Those more likely triggering CI failure that do not
take too much time should be in main on pull request CI.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22693)
Also sync libcrypto.num and libssl.num with 3.2 branch and
fix the EVP_DigestSqueeze symbol version.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/22688)
It would be nice if we could monitor the consistency of our ABI from PR to PR,
to ensure there are no inadvertent changes to the library ABI.
Introduce a new CI job that runs the libabigail tools to build an ABI
representation of the PR-built library and compares it to a stored/expected
representation, reporting any discrepancies it finds.
Fixes#22571
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22589)
We would like to be able to log and audit the symbols we use in openssl
so that we might catch when a new platform symbols is referecned
Add such a script (just on unix platforms for now) that gathers the used
symbols not belonging to libcrypto or libssl, and compare it to a prior
known set of used symbols. Error out if a new symbol is found
Add this script to the ci workflow in CI to capture newly
introduced platform symbols
Fixes#22330
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22478)
Signed-off-by: Sam James <sam@gentoo.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22570)
Have a new job just to run the fuzz tests with fuzzing build mode enabled.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22368)
Some builds that weren't doing fuzzing were defining this which makes no
sense and is not appropriate for non-fuzzing builds.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22368)
Some of the non-default options that enable more
code to be built need to be enabled in one of the
Windows builds to avoid regressions.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22347)
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22293)
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22232)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22212)
Add a warning note to the provider cross version checks indicating that a
pull request branch will not be used if execution is set to on pull request.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21964)
Use a Github Actions expression to set value for the environment
variable.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22130)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22104)
We're (currently) intending to validate 3.1.2 against FIPS 140-3.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/22088)
The plan at the moment is to validate 3.1.2 all going well.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21962)
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21393)
Errors such as this seen:
libssl.a(libssl-lib-ssl_stat.o): in function `SSL_alert_desc_string_long':
ssl_stat.c:(.text+0xab2): relocation truncated to fit: R_68K_GOT16O against `.LC157'
test/libtestutil.a(libtestutil-lib-opt.o): in function `opt_pair':
opt.c:(.text+0x10b2): relocation truncated to fit: R_68K_GOT16O against `.LC53'
test/libtestutil.a(libtestutil-lib-opt.o): in function `opt_string':
opt.c:(.text+0x113c): relocation truncated to fit: R_68K_GOT16O against `.LC53'
libcrypto.a(libcrypto-lib-decoder_lib.o): in function `OSSL_DECODER_CTX_set_construct_data':
decoder_lib.c:(.text+0x5a4): relocation truncated to fit: R_68K_GOT16O against `__func__.2'
libcrypto.a(libcrypto-lib-decoder_pkey.o): in function `ossl_decoder_ctx_setup_for_pkey':
decoder_pkey.c:(.text+0x6c2): relocation truncated to fit: R_68K_GOT16O against `decoder_construct_pkey'
libcrypto.a(libcrypto-lib-tb_dsa.o): in function `ENGINE_register_DSA':
tb_dsa.c:(.text+0x5e): relocation truncated to fit: R_68K_GOT16O against `dummy_nid'
libcrypto.a(libcrypto-lib-tb_dsa.o): in function `ENGINE_set_default_DSA':
tb_dsa.c:(.text+0xc4): relocation truncated to fit: R_68K_GOT16O against `dummy_nid'
libcrypto.a(libcrypto-lib-asymcipher.o): in function `.L18':
asymcipher.c:(.text+0x168): relocation truncated to fit: R_68K_GOT16O against `__func__.0'
asymcipher.c:(.text+0x2e8): relocation truncated to fit: R_68K_GOT16O against `__func__.0'
asymcipher.c:(.text+0x33e): relocation truncated to fit: R_68K_GOT16O against `__func__.0'
libcrypto.a(libcrypto-lib-digest.o): in function `EVP_MD_CTX_ctrl':
digest.c:(.text+0xa52): additional relocation overflows omitted from the output
collect2: error: ld returned 1 exit status
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21332)
Ensure builds enable QUIC without explicitly having to ask for it. To
disable QUIC pass "no-quic" to Configure.
As a result we can remove all use of "enable-quic" from the various CI
runs.
We also add a CHANGES and NEWS entry for QUIC support.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21332)
Put jobs that are more likely to fail to on pull request CI.
To compensate move some less likely to fail jobs to on push and
daily CI jobs.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/21336)
Signed-off-by: Sam James <sam@gentoo.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20961)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21212)
This can effectively reduce the binary size for platforms
that don't need ECX feature(~100KB).
Signed-off-by: Yi Li <yi1.li@intel.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20781)
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Anton Arapov <anton@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21131)
