Merge branch 'main' into evppkey
justsmth authored Jun 5, 2024
2 parents 8309ad4 + 7735598 commit f6b8dda
Showing 9 changed files with 154 additions and 123 deletions.
58 changes: 49 additions & 9 deletions .github/workflows/actions-ci.yml
Expand Up @@ -255,17 +255,57 @@ jobs:
cxx-compiler: g++-${{ matrix.gccversion }}
options: FIPS=${{ matrix.fips }} CMAKE_BUILD_TYPE=Release
- name: Build Project
# TODO: Re-enable gcc-14/FIPS build once delocator updated
if: ${{ !( matrix.gccversion == '14' && matrix.fips == '1' ) }}
run: cmake --build ./build --target all
- name: Run tests
# TODO: Re-enable gcc-14/FIPS build once delocator updated
if: ${{ !( matrix.gccversion == '14' && matrix.fips == '1' ) }}
run: cmake --build ./build --target run_tests

gcc-13-pedantic:
if: github.repository_owner == 'aws'
needs: [ sanity-test-run ]
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v3
- name: Setup CMake
uses: threeal/[email protected]
with:
generator: Ninja
c-compiler: gcc-13
cxx-compiler: g++-13
options: CMAKE_BUILD_TYPE=Release CMAKE_C_FLAGS=-pedantic CMAKE_CXX_FLAGS=-pedantic
- name: Build Crypto
run: cmake --build ./build --target crypto
- name: Build SSL
run: cmake --build ./build --target ssl

clang-18-pedantic:
if: github.repository_owner == 'aws'
needs: [ sanity-test-run ]
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v3
- name: Setup CMake
uses: threeal/[email protected]
with:
generator: Ninja
c-compiler: clang-18
cxx-compiler: clang++-18
options: CMAKE_BUILD_TYPE=Release CMAKE_C_FLAGS=-pedantic CMAKE_CXX_FLAGS=-pedantic
- name: Build Crypto
run: cmake --build ./build --target crypto
- name: Build SSL
run: cmake --build ./build --target ssl

clang-ubuntu-2004-sanity:
if: github.repository_owner == 'aws'
needs: [sanity-test-run]
strategy:
fail-fast: false
matrix:
gccversion:
clangversion:
- "10"
- "11"
- "12"
Expand All @@ -282,8 +322,8 @@ jobs:
uses: threeal/[email protected]
with:
generator: Ninja
c-compiler: clang-${{ matrix.gccversion }}
cxx-compiler: clang++-${{ matrix.gccversion }}
c-compiler: clang-${{ matrix.clangversion }}
cxx-compiler: clang++-${{ matrix.clangversion }}
options: FIPS=${{ matrix.fips }} CMAKE_BUILD_TYPE=Release
- name: Build Project
run: cmake --build ./build --target all
Expand All @@ -296,7 +336,7 @@ jobs:
strategy:
fail-fast: false
matrix:
gccversion:
clangversion:
- "13"
- "14"
- "15"
Expand All @@ -313,8 +353,8 @@ jobs:
uses: threeal/[email protected]
with:
generator: Ninja
c-compiler: clang-${{ matrix.gccversion }}
cxx-compiler: clang++-${{ matrix.gccversion }}
c-compiler: clang-${{ matrix.clangversion }}
cxx-compiler: clang++-${{ matrix.clangversion }}
options: FIPS=${{ matrix.fips }} CMAKE_BUILD_TYPE=Release
- name: Build Project
run: cmake --build ./build --target all
Expand All @@ -327,7 +367,7 @@ jobs:
strategy:
fail-fast: false
matrix:
gccversion:
clangversion:
- "16"
- "17"
- "18"
Expand All @@ -344,8 +384,8 @@ jobs:
uses: threeal/[email protected]
with:
generator: Ninja
c-compiler: clang-${{ matrix.gccversion }}
cxx-compiler: clang++-${{ matrix.gccversion }}
c-compiler: clang-${{ matrix.clangversion }}
cxx-compiler: clang++-${{ matrix.clangversion }}
options: FIPS=${{ matrix.fips }} CMAKE_BUILD_TYPE=Release
- name: Build Project
run: cmake --build ./build --target all
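Review bot: The two new jobs, gcc-13-pedantic and clang-18-pedantic, reference their actions by tag (`actions/checkout@v3`, and the third-party CMake setup action by version), and a tag can be moved after review. For the CI of a cryptographic library it is safer to pin each `uses:` to a full commit SHA, e.g. `uses: actions/checkout@FULL_COMMIT_SHA  # v3`, where FULL_COMMIT_SHA is a placeholder and not a real hash. Separately, the `if:` guards added to the Build Project and Run tests steps let the gcc-14/FIPS matrix cell report success without building or testing anything, so the TODO should name a tracking issue to keep that coverage gap visible.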
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -41,3 +41,4 @@ symbols.txt
.fleet/
.cache/
/CMakePresets.json
/compile_commands.json
5 changes: 3 additions & 2 deletions CMakeLists.txt
Expand Up @@ -358,8 +358,9 @@ if(GCC OR CLANG)
set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wall -fvisibility=hidden -fno-common")
endif()
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wshadow")
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wwrite-strings -Wformat-security -Wunused-result")
set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wvla -Wtype-limits -Wno-unused-parameter")
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wwrite-strings -Wformat-security -Wunused-result -Wno-overlength-strings")
set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -Wno-newline-eof")
set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wno-c11-extensions -Wvla -Wtype-limits -Wno-unused-parameter")
endif()
set(C_CXX_FLAGS "${C_CXX_FLAGS} -Werror -Wformat=2 -Wsign-compare -Wmissing-field-initializers -Wwrite-strings")
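Review bot: The three suppressions added here (`-Wno-overlength-strings` for C, `-Wno-newline-eof` for ASM, `-Wno-c11-extensions` for C and C++) have no comment saying why they are needed, and they are appended to the global flag strings, so they apply to every target rather than only to the sources that trigger them. They presumably exist to keep the new -pedantic CI jobs passing under the `-Werror` appended just after this block. A comment above them would record that, for example `# Silenced for -pedantic builds; drop each one once the offending sources are cleaned up`. The enclosing `if` opens outside the hunk, so which compilers reach these lines cannot be confirmed from here.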

161 changes: 64 additions & 97 deletions crypto/fipsmodule/FIPS.md

Large diffs are not rendered by default.

16 changes: 8 additions & 8 deletions crypto/fipsmodule/hmac/hmac.c
Expand Up @@ -108,14 +108,14 @@ struct hmac_methods_st {
// The maximum number of HMAC implementations
#define HMAC_METHOD_MAX 8

MD_TRAMPOLINES_EXPLICIT(MD5, MD5_CTX, MD5_CBLOCK);
MD_TRAMPOLINES_EXPLICIT(SHA1, SHA_CTX, SHA_CBLOCK);
MD_TRAMPOLINES_EXPLICIT(SHA224, SHA256_CTX, SHA256_CBLOCK);
MD_TRAMPOLINES_EXPLICIT(SHA256, SHA256_CTX, SHA256_CBLOCK);
MD_TRAMPOLINES_EXPLICIT(SHA384, SHA512_CTX, SHA512_CBLOCK);
MD_TRAMPOLINES_EXPLICIT(SHA512, SHA512_CTX, SHA512_CBLOCK);
MD_TRAMPOLINES_EXPLICIT(SHA512_224, SHA512_CTX, SHA512_CBLOCK);
MD_TRAMPOLINES_EXPLICIT(SHA512_256, SHA512_CTX, SHA512_CBLOCK);
MD_TRAMPOLINES_EXPLICIT(MD5, MD5_CTX, MD5_CBLOCK)
MD_TRAMPOLINES_EXPLICIT(SHA1, SHA_CTX, SHA_CBLOCK)
MD_TRAMPOLINES_EXPLICIT(SHA224, SHA256_CTX, SHA256_CBLOCK)
MD_TRAMPOLINES_EXPLICIT(SHA256, SHA256_CTX, SHA256_CBLOCK)
MD_TRAMPOLINES_EXPLICIT(SHA384, SHA512_CTX, SHA512_CBLOCK)
MD_TRAMPOLINES_EXPLICIT(SHA512, SHA512_CTX, SHA512_CBLOCK)
MD_TRAMPOLINES_EXPLICIT(SHA512_224, SHA512_CTX, SHA512_CBLOCK)
MD_TRAMPOLINES_EXPLICIT(SHA512_256, SHA512_CTX, SHA512_CBLOCK)

struct hmac_method_array_st {
HmacMethods methods[HMAC_METHOD_MAX];
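Review bot: The `MD_TRAMPOLINES_EXPLICIT(...)` invocations now look like statements missing their terminator, and nothing at the call site says the omission is deliberate. If the macro expands to complete function definitions (its definition is outside this hunk), a one-line comment would stop someone re-adding the semicolons, for example `// No trailing ';': each expansion is a complete definition, and -pedantic rejects the stray empty declaration.` The same applies to `WEAK_SYMBOL_FUNC(void, sdallocx, ...)` in crypto/mem.c.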
2 changes: 1 addition & 1 deletion crypto/mem.c
Expand Up @@ -107,7 +107,7 @@ static void __asan_unpoison_memory_region(const void *addr, size_t size) {}
// implementation is statically linked with BoringSSL. So, if |sdallocx| is
// provided in, say, libc.so, we still won't use it because that's dynamically
// linked. This isn't an ideal result, but its helps in some cases.
WEAK_SYMBOL_FUNC(void, sdallocx, (void *ptr, size_t size, int flags));
WEAK_SYMBOL_FUNC(void, sdallocx, (void *ptr, size_t size, int flags))

// The following four functions can be defined to override default heap
// allocation and freeing. If defined, it is the responsibility of
2 changes: 2 additions & 0 deletions ssl/ssl_test.cc
Expand Up @@ -5217,12 +5217,14 @@ TEST(SSLTest, BuildCertChain) {

// Verification will fail because there is no valid root cert available.
EXPECT_FALSE(SSL_CTX_build_cert_chain(ctx.get(), 0));
ERR_clear_error();

// Should return 2 when |SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR| is set.
EXPECT_EQ(
SSL_CTX_build_cert_chain(ctx.get(), SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR),
2);
EXPECT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_CERTIFICATE_VERIFY_FAILED));
ERR_clear_error();

// Should return 2, but with no error on the stack when
// |SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR| and |SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR|
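Review bot: The first added `ERR_clear_error();` discards whatever the failing `SSL_CTX_build_cert_chain(ctx.get(), 0)` call queued without checking it, so the test would still pass if that path stopped reporting `SSL_R_CERTIFICATE_VERIFY_FAILED` or queued something else. Assert the queue contents before clearing, as the IGNORE_ERROR case just below already does: `EXPECT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_CERTIFICATE_VERIFY_FAILED));`. The test body starts and ends outside this hunk.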
13 changes: 7 additions & 6 deletions ssl/ssl_x509.cc
Expand Up @@ -1061,12 +1061,13 @@ static int ssl_build_cert_chain(CERT *cert, X509_STORE *cert_store, int flags) {

bool ignore_error = false;
if (X509_verify_cert(store_ctx.get()) <= 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED);
ERR_add_error_data(2, "Verify error:",
X509_verify_cert_error_string(
X509_STORE_CTX_get_error(store_ctx.get())));

// Fail if |SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR| is not set.
if(!is_flag_set(flags, SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED);
ERR_add_error_data(2, "Verify error:",
X509_verify_cert_error_string(
X509_STORE_CTX_get_error(store_ctx.get())));
if (!is_flag_set(flags, SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR)) {
return 0;
}

Expand Down Expand Up @@ -1098,7 +1099,7 @@ static int ssl_build_cert_chain(CERT *cert, X509_STORE *cert_store, int flags) {
// Anything that has passed successfully up to here is valid.
// 2 is used to indicate a verification error has happened, but was ignored
// because |SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR| was set.
if(ignore_error) {
if (ignore_error) {
return 2;
}
return 1;
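Review bot: With the error now queued before the flag check, a call that passes `SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR` returns 2 and leaves `SSL_R_CERTIFICATE_VERIFY_FAILED` on the thread's error queue, yet the comment above `return 2` does not mention this. A caller that treats any non-zero return as success and reads the queue later could attribute the stale entry to an unrelated operation. Extend that comment, for example `// The verify error stays queued for the caller unless |SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR| was also set.` The code between the two hunks is not shown, so where that clearing happens should be confirmed against the full function.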
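--- a/util/build_compilation_database.sh
+++ b/util/build_compilation_database.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+set -ex
+
+BASE_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}/" )/.." &> /dev/null && pwd )
+
+TMP_DIR=`mktemp -d`
+echo ${TMP_DIR}
+AWS_LC_BUILD="${TMP_DIR}/AWS-LC-BUILD"
+
+MY_CMAKE_FLAGS=("-GNinja" "-DCMAKE_BUILD_TYPE=Debug" "-DCMAKE_EXPORT_COMPILE_COMMANDS=ON")
+
+mkdir -p "${AWS_LC_BUILD}"
+
+cmake "${BASE_DIR}" -B "${AWS_LC_BUILD}" ${MY_CMAKE_FLAGS[@]}
+
+cmake --build "${AWS_LC_BUILD}" --target all
+
+cp "${AWS_LC_BUILD}"/compile_commands.json "${BASE_DIR}"/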
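Review bot: The directory created by `mktemp -d` is never removed, so every run, including one aborted by `set -e`, leaves a full Debug build tree behind in the temp location. Adding `trap 'rm -rf "${TMP_DIR}"' EXIT` right after the `TMP_DIR=` line cleans it up on every exit path. The array expansion on the configure line is also unquoted; `"${MY_CMAKE_FLAGS[@]}"` keeps each flag as a single word if one ever contains a space, and `echo "${TMP_DIR}"` should be quoted for the same reason.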
