Merge branch 'main' into secmem

.github/workflows/abidiff.yml

@@ -1,5 +1,7 @@
 name: ABI Diff
 on:
+  push:
+    branches: [ '*' ]
   pull_request:
     branches: [ '*' ]
 concurrency:
@@ -10,6 +12,7 @@ env:
   GOPROXY: https://proxy.golang.org,direct
 jobs:
   libs:
+    if: github.repository_owner == 'aws'
     name: libcrypto and libssl
     runs-on: ubuntu-latest
     steps:

.github/workflows/actions-ci.yml

@@ -1,12 +1,12 @@
 name: General CI Tests
 on:
+  push:
+    branches: [ '*' ]
   pull_request:
     branches: [ '*' ]
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
-
 env:
   GOPROXY: https://proxy.golang.org,direct
   SDE_MIRROR_URL: "https://downloadmirror.intel.com/813591/sde-external-9.33.0-2024-01-07-win.tar.xz"
@@ -30,6 +30,7 @@ jobs:
           ninja -C test_build_dir run_tests
 
   macOS-x86:
+    if: github.repository_owner == 'aws'
     needs: [sanity-test-run]
     runs-on: macos-latest
     steps:
@@ -39,6 +40,7 @@ jobs:
           ./tests/ci/run_posix_tests.sh
 
   macOS-x86-FIPS:
+    if: github.repository_owner == 'aws'
     needs: [sanity-test-run]
     runs-on: macos-latest
     steps:
@@ -48,6 +50,7 @@ jobs:
           ./tests/ci/run_fips_tests.sh
 
   macOS-ARM:
+    if: github.repository_owner == 'aws'
     needs: [sanity-test-run]
     runs-on: macos-latest-xlarge
     steps:
@@ -60,6 +63,7 @@ jobs:
           ./tests/ci/run_posix_tests.sh
 
   macOS-ARM-FIPS:
+    if: github.repository_owner == 'aws'
     needs: [sanity-test-run]
     runs-on: macos-latest-xlarge
     steps:
@@ -73,6 +77,7 @@ jobs:
 
 
   MSVC-2019:
+    if: github.repository_owner == 'aws'
     needs: [sanity-test-run]
     runs-on: aws-lc_windows-2019_8-core
     steps:
@@ -87,6 +92,7 @@ jobs:
           .\tests\ci\run_windows_tests.bat "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat" x64
 
   MSVC-2022:
+    if: github.repository_owner == 'aws'
     needs: [sanity-test-run]
     runs-on: aws-lc_windows-latest_8-core
     steps:
@@ -101,6 +107,7 @@ jobs:
           .\tests\ci\run_windows_tests.bat "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvarsall.bat" x64
 
   MSVC-SDE-64-bit:
+    if: github.repository_owner == 'aws'
     needs: [sanity-test-run]
     # TODO: Update this to run on windows-2022. windows-2022 (Windows 11) has phased out support for older processors.
     # https://learn.microsoft.com/en-us/windows-hardware/design/minimum/supported/windows-11-supported-intel-processors

.github/workflows/aws-lc-rs.yml

@@ -9,8 +9,10 @@ concurrency:
   cancel-in-progress: true
 env:
   GOPROXY: https://proxy.golang.org,direct
+  AWS_LC_SYS_CMAKE_BUILDER: 1
 jobs:
   standard:
+    if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3

.github/workflows/cmake.yml

@@ -1,10 +1,9 @@
 name: CMake Compatability
 on:
-  pull_request:
-    branches: [ '*' ]
   push:
     branches: [ '*' ]
-
+  pull_request:
+    branches: [ '*' ]
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
@@ -13,6 +12,7 @@ env:
   GOPROXY: https://proxy.golang.org,direct
 jobs:
   cmake:
+    if: github.repository_owner == 'aws'
     name: CMake ${{ matrix.cmake.version}} build with ${{ matrix.generator}} FIPS=${{ matrix.fips }}
     strategy:
       matrix:

.github/workflows/codecov-ci.yml

@@ -5,7 +5,7 @@ on:
   pull_request:
     branches: [ '*' ]
 concurrency:
-  group: code-cov-${{ github.workflow }}-${{ github.event.pull_request.number }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 jobs:
   codecov-ci:

.github/workflows/cross-test.yml

@@ -5,10 +5,11 @@ on:
   pull_request:
     branches: [ '*' ]
 concurrency:
-  group: ppc64be-${{ github.workflow }}-${{ github.event.pull_request.number }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 jobs:
   ppc64-build-test:
+    if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest
     steps:
       - name: Install qemu
@@ -19,6 +20,7 @@ jobs:
       - name: PPC64 Build/Test
         run: tests/ci/run_cross_tests.sh ppc64 powerpc64-unknown-linux-gnu "-DCMAKE_BUILD_TYPE=Release" "-DCMAKE_BUILD_TYPE=Release -DFIPS=1 -DBUILD_SHARED_LIBS=1"
   ppc32-non-fips-build-test:
+    if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest
     steps:
       - name: Install qemu
@@ -29,6 +31,7 @@ jobs:
       - name: PPC32 Build/Test
         run: tests/ci/run_cross_tests.sh ppc powerpc-unknown-linux-gnu "-DCMAKE_BUILD_TYPE=Release"
   ppc32-fips-build-test:
+    if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest
     steps:
       - name: Install qemu
@@ -39,6 +42,7 @@ jobs:
       - name: PPC32 Build/Test
         run: tests/ci/run_cross_tests.sh ppc powerpc-unknown-linux-gnu "-DCMAKE_BUILD_TYPE=Release -DFIPS=1 -DBUILD_SHARED_LIBS=1"
   ppc64le-build-test:
+    if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest
     steps:
       - name: Install qemu
@@ -49,6 +53,7 @@ jobs:
       - name: PPC64LE Build/Test
         run: tests/ci/run_cross_tests.sh ppc64le powerpc64le-unknown-linux-gnu "-DCMAKE_BUILD_TYPE=Release" "-DCMAKE_BUILD_TYPE=Release -DFIPS=1 -DBUILD_SHARED_LIBS=1"
   riscv64-non-fips-build-test:
+    if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest
     steps:
       - name: Install qemu
@@ -66,6 +71,7 @@ jobs:
           CFLAGS: "-Wno-string-compare"
         run: tests/ci/run_cross_tests.sh riscv riscv64-unknown-linux-gnu "-DCMAKE_BUILD_TYPE=Release"
   armv6-non-fips-build-test:
+    if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest
     steps:
       - name: Install qemu
@@ -89,6 +95,7 @@ jobs:
 #      - name: armv6 Build/Test
 #        run: tests/ci/run_cross_tests.sh loongarch64 loongarch64-unknown-linux-gnu "-DCMAKE_BUILD_TYPE=Release"
   s390x-non-fips-build-test:
+    if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest
     steps:
       - name: Install qemu

.github/workflows/integrations.yml

@@ -11,6 +11,7 @@ env:
   CC: gcc
 jobs:
   haproxy:
+    if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest
     steps:
       - name: Install OS Dependencies
@@ -22,6 +23,7 @@ jobs:
         run: |
           ./tests/ci/integration/run_haproxy_integration.sh
   tpm2-tss:
+    if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest
     steps:
       - name: Install OS Dependencies
@@ -32,6 +34,7 @@ jobs:
         run: |
           ./tests/ci/integration/run_tpm2_tss_integration.sh
   grpc:
+    if: github.repository_owner == 'aws'
     env:
       DEBIAN_FRONTEND: noninteractive
       TZ: Etc/UTC
@@ -49,6 +52,7 @@ jobs:
         run: |
           ./tests/ci/integration/run_grpc_integration.sh
   tcpdump:
+    if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest
     steps:
       - name: Install OS Dependencies
@@ -60,6 +64,7 @@ jobs:
         run: |
           ./tests/ci/integration/run_tcpdump_integration.sh
   trousers:
+    if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest
     steps:
       - name: Install OS Dependencies
@@ -71,6 +76,7 @@ jobs:
         run: |
           ./tests/ci/integration/run_trousers_integration.sh
   ntp:
+    if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest
     steps:
       - name: Install OS Dependencies
@@ -82,6 +88,7 @@ jobs:
         run: |
           ./tests/ci/integration/run_ntp_integration.sh
   socat:
+    if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest
     steps:
       - name: Install OS Dependencies
@@ -92,6 +99,7 @@ jobs:
         run: |
           ./tests/ci/integration/run_socat_integration.sh
   python-main:
+    if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest
     steps:
       - name: Install OS Dependencies
@@ -103,6 +111,7 @@ jobs:
         run: |
           ./tests/ci/integration/run_python_integration.sh main
   python-releases:
+    if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest
     steps:
       - name: Install OS Dependencies
@@ -114,6 +123,7 @@ jobs:
         run: |
           ./tests/ci/integration/run_python_integration.sh 3.10 3.11 3.12
   bind9:
+    if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest
     steps:
       - name: Install OS Dependencies
@@ -125,6 +135,7 @@ jobs:
         run: |
           ./tests/ci/integration/run_bind9_integration.sh
   strongswan:
+    if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest
     steps:
       - name: Install OS Dependencies

.github/workflows/mingw.yml → .github/workflows/windows-alt.yml

@@ -1,16 +1,15 @@
-name: MinGW
+name: Windows Alternative Compilers
 on:
-  pull_request:
-    branches: [ '*' ]
   push:
     branches: [ '*' ]
-
+  pull_request:
+    branches: [ '*' ]
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 jobs:
   mingw:
-    if: github.repository == 'aws/aws-lc'
+    if: github.repository_owner == 'aws'
     runs-on: windows-latest
     steps:
       - name: Install NASM
@@ -40,3 +39,31 @@ jobs:
         run: cmake --build ./build --target all
       - name: Run tests
         run: cmake --build ./build --target run_tests
+  clang:
+    if: github.repository_owner == 'aws'
+    runs-on: windows-latest
+    steps:
+      - name: Install NASM
+        uses: ilammy/[email protected]
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Install LLVM and Clang
+        uses: KyleMayes/install-llvm-action@v2
+        id: clang
+        with:
+          version: 16
+          env: true
+      - name: Setup CMake
+        uses: threeal/[email protected]
+        with:
+          generator: Ninja
+          c-compiler: "C:/Program Files/LLVM/bin/clang.exe"
+          cxx-compiler: "C:/Program Files/LLVM/bin/clang++.exe"
+          options: |
+            CMAKE_SYSTEM_NAME=Windows \
+            CMAKE_SYSTEM_PROCESSOR=x86_64 \
+            CMAKE_BUILD_TOOL=ninja.exe \
+      - name: Build Project
+        run: cmake --build ./build --target all
+      - name: Run tests
+        run: cmake --build ./build --target run_tests

CMakeLists.txt

@@ -722,13 +722,6 @@ if(MALLOC_FAILURE_TESTING)
 endif()
 
 TEST_BIG_ENDIAN(BIG_ENDIAN)
-if(BIG_ENDIAN)
-  if(ENABLE_EXPERIMENTAL_BIG_ENDIAN_SUPPORT)
-    message(STATUS "Continuing with experimental support on big endian platform")
-  else()
-    message(FATAL_ERROR "Big Endian is not supported.")
-  endif()
-endif()
 
 if(OPENSSL_NO_SSE2_FOR_TESTING)
   add_definitions(-DOPENSSL_NO_SSE2_FOR_TESTING)
@@ -1027,6 +1020,17 @@ if(BUILD_TESTING)
       add_custom_target(fips_specific_tests_if_any)
     endif()
 
+    # Add macho parser tests if FIPS and on MacOS
+    if(FIPS AND APPLE)
+      add_custom_target(
+        macho_parser_tests
+        COMMAND ./util/fipstools/inject_hash/macho_parser/tests/test_macho_parser
+        WORKING_DIRECTORY ${PROJECT_BINARY_DIR}
+        DEPENDS test_macho_parser
+      )
+      add_dependencies(fips_specific_tests_if_any macho_parser_tests)
+    endif()
+
     # Read util/go_tests.txt into a CMake variable.
     file(READ util/go_tests.txt GO_TESTS)
     foreach(fips_specific_test ${GO_FIPS_TESTS})

crypto/CMakeLists.txt

@@ -484,9 +484,7 @@ add_library(
   x509/x_attrib.c
   x509/x_crl.c
   x509/x_exten.c
-  x509/x_info.c
   x509/x_name.c
-  x509/x_pkey.c
   x509/x_pubkey.c
   x509/x_req.c
   x509/x_sig.c

crypto/err/x509.errordata

@@ -39,6 +39,7 @@ X509,137,SIGNATURE_ALGORITHM_MISMATCH
 X509,128,UNKNOWN_KEY_TYPE
 X509,129,UNKNOWN_NID
 X509,130,UNKNOWN_PURPOSE_ID
+X509,145,UNKNOWN_SIGID_ALGS
 X509,131,UNKNOWN_TRUST_ID
 X509,132,UNSUPPORTED_ALGORITHM
 X509,133,WRONG_LOOKUP_TYPE