Merge remote-tracking branch 'upstream/main' into ec-nistp-refactor

.github/workflows/abidiff.yml

@@ -5,7 +5,7 @@ on:
   pull_request:
     branches: [ '*' ]
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
 env:
   DOCKER_BUILDKIT: 1

.github/workflows/actions-ci.yml

@@ -5,7 +5,7 @@ on:
   pull_request:
     branches: [ '*' ]
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
 env:
   GOPROXY: https://proxy.golang.org,direct
@@ -34,6 +34,7 @@ jobs:
     needs: [sanity-test-run]
     runs-on: ${{ matrix.os }}
     strategy:
+      fail-fast: false
       matrix:
         os:
           - "macos-14-large"
@@ -53,6 +54,7 @@ jobs:
     needs: [sanity-test-run]
     runs-on: ${{ matrix.os }}
     strategy:
+      fail-fast: false
       matrix:
         os:
           - "macos-14-large"
@@ -72,6 +74,7 @@ jobs:
     needs: [sanity-test-run]
     runs-on: ${{ matrix.os }}
     strategy:
+      fail-fast: false
       matrix:
         os:
           - "macos-14-xlarge"
@@ -90,6 +93,7 @@ jobs:
     needs: [sanity-test-run]
     runs-on: ${{ matrix.os }}
     strategy:
+      fail-fast: false
       matrix:
         os:
           - "macos-14-xlarge"
@@ -168,6 +172,7 @@ jobs:
     if: github.repository_owner == 'aws'
     needs: [sanity-test-run]
     strategy:
+      fail-fast: false
       matrix:
         gccversion:
           - "9"
@@ -202,6 +207,7 @@ jobs:
     if: github.repository_owner == 'aws'
     needs: [sanity-test-run]
     strategy:
+      fail-fast: false
       matrix:
         gccversion:
           - "13"
@@ -234,6 +240,7 @@ jobs:
     if: github.repository_owner == 'aws'
     needs: [sanity-test-run]
     strategy:
+      fail-fast: false
       matrix:
         gccversion:
           - "10"

.github/workflows/aws-lc-rs.yml

@@ -5,7 +5,7 @@ on:
   pull_request:
     branches: [ '*' ]
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
 env:
   GOPROXY: https://proxy.golang.org,direct

.github/workflows/cmake.yml

@@ -5,7 +5,7 @@ on:
   pull_request:
     branches: [ '*' ]
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
 env:
   DOCKER_BUILDKIT: 1
@@ -15,6 +15,7 @@ jobs:
     if: github.repository_owner == 'aws'
     name: CMake ${{ matrix.cmake.version}} build with ${{ matrix.generator}} FIPS=${{ matrix.fips }}
     strategy:
+      fail-fast: false
       matrix:
         cmake:
           - { version: "3.2", url: "https://cmake.org/files/v3.2/cmake-3.2.3.tar.gz", hash: "a1ebcaf6d288eb4c966714ea457e3b9677cdfde78820d0f088712d7320850297" }

.github/workflows/codecov-ci.yml

@@ -5,7 +5,7 @@ on:
   pull_request:
     branches: [ '*' ]
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
 jobs:
   codecov-ci:
@@ -17,9 +17,13 @@ jobs:
           sudo apt-get -y install lcov
       - uses: actions/checkout@v4
       - name: Run Code Coverage Build
-        run: ./util/codecov-ci.sh ${{ runner.temp }}/build
+        run: ./util/codecov-ci.sh ./build
       - name: Upload code coverage report to Codecov
-        uses: codecov/codecov-action@v3
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        uses: codecov/codecov-action@v4
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
-          files: "${{ runner.temp }}/build/coverage-default.info,${{ runner.temp }}/build/coverage-no-asm.info"
+          files: "./build/coverage-default.info,./build/coverage-no-asm.info"
+          verbose: true
+          fail_ci_if_error: true

.github/workflows/cross-test.yml

@@ -5,7 +5,7 @@ on:
   pull_request:
     branches: [ '*' ]
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
 jobs:
   ppc64-build-test:

.github/workflows/integrations.yml

@@ -5,7 +5,7 @@ on:
   pull_request:
     branches: [ '*' ]
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
 env:
   CC: gcc

.github/workflows/windows-alt.yml

@@ -5,7 +5,7 @@ on:
   pull_request:
     branches: [ '*' ]
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
 jobs:
   mingw:
@@ -69,3 +69,30 @@ jobs:
         run: cmake --build ./build --target all
       - name: Run tests
         run: cmake --build ./build --target run_tests
+  cross-mingw:
+    if: github.repository_owner == 'aws'
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Install Tools
+        run: |
+          set -ex
+          sudo apt-get update
+          sudo apt-get install --assume-yes --no-install-recommends  software-properties-common
+          sudo add-apt-repository --yes ppa:longsleep/golang-backports
+          sudo dpkg --add-architecture i386
+          sudo mkdir -pm755 /etc/apt/keyrings
+          sudo wget -O /etc/apt/keyrings/winehq-archive.key https://dl.winehq.org/wine-builds/winehq.key
+          sudo wget -NP /etc/apt/sources.list.d/ https://dl.winehq.org/wine-builds/ubuntu/dists/jammy/winehq-jammy.sources
+          sudo apt-get update
+          sudo apt-get install --assume-yes --no-install-recommends build-essential cmake golang-go nasm clang wget mingw-w64
+          sudo apt-get install --assume-yes --install-recommends winehq-stable wine-binfmt
+          sudo update-binfmts --display
+          sudo update-binfmts --disable
+          sudo update-binfmts --enable wine
+          sudo update-binfmts --display
+          sudo rm -rf /tmp/*
+      - uses: actions/checkout@v4
+      - name: x86_64-w64-mingw32 Build/Test
+        run:
+          ./tests/ci/run_cross_mingw_tests.sh x86_64 w64-mingw32 "-DCMAKE_BUILD_TYPE=Release"
+

CMakeLists.txt

@@ -375,6 +375,13 @@ if(GCC OR CLANG)
     set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wall -fvisibility=hidden -fno-common")
   endif()
 
+  if(MINGW)
+    # Some MinGW compilers set _WIN32_WINNT to an older version (Windows Server 2003)
+    # See: https://learn.microsoft.com/en-us/cpp/porting/modifying-winver-and-win32-winnt?view=msvc-170
+    # Support Windows 7 and later.
+    add_definitions(-D_WIN32_WINNT=_WIN32_WINNT_WIN7)
+  endif()
+
   if(CLANG)
     set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wnewline-eof -fcolor-diagnostics")
   elseif(CMAKE_C_COMPILER_VERSION VERSION_GREATER "4.1.3")

cmake/go.cmake

@@ -12,6 +12,22 @@ endif()
 
 if(NOT GO_EXECUTABLE AND NOT DISABLE_GO)
   message(FATAL_ERROR "Could not find Go")
+elseif(NOT DISABLE_GO)
+  execute_process(
+          COMMAND ${GO_EXECUTABLE} version
+          OUTPUT_VARIABLE go_version_output
+          OUTPUT_STRIP_TRAILING_WHITESPACE
+  )
+  # Example: 'go version go1.21.3 darwin/arm64' match any number of '#.' and one '#'
+  string(REGEX MATCH "([0-9]+\\.)*[0-9]+" go_version ${go_version_output})
+
+  # This should track /go.mod and /BUILDING.md
+  set(minimum_go_version "1.18")
+  if(go_version VERSION_LESS minimum_go_version)
+    message(FATAL_ERROR "Go compiler version must be at least ${minimum_go_version}. Found version ${go_version}")
+  else()
+    message(STATUS "Go compiler ${go_version} found")
+  endif()
 endif()
 
 function(go_executable dest package)

crypto/CMakeLists.txt

@@ -524,6 +524,7 @@ add_library(
   decrepit/cfb/cfb.c
   decrepit/dh/dh_decrepit.c
   decrepit/evp/evp_do_all.c
+  decrepit/obj/obj_decrepit.c
   decrepit/ripemd/ripemd.c
   decrepit/rsa/rsa_decrepit.c
   decrepit/x509/x509_decrepit.c

crypto/bio/bio.c

@@ -186,6 +186,27 @@ int BIO_read(BIO *bio, void *buf, int len) {
   return ret;
 }
 
+int BIO_read_ex(BIO *bio, void *data, size_t data_len, size_t *read_bytes) {
+  if (bio == NULL || read_bytes == NULL) {
+    OPENSSL_PUT_ERROR(BIO, BIO_R_NULL_PARAMETER);
+    return 0;
+  }
+
+  int read_len = (int)data_len;
+  if (data_len > INT_MAX) {
+    read_len = INT_MAX;
+  }
+
+  int ret = BIO_read(bio, data, read_len);
+  if (ret > 0) {
+    *read_bytes = ret;
+    return 1;
+  } else {
+    *read_bytes = 0;
+    return 0;
+  }
+}
+
 int BIO_gets(BIO *bio, char *buf, int len) {
   if (bio == NULL || bio->method == NULL || bio->method->bgets == NULL) {
     OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
@@ -236,6 +257,31 @@ int BIO_write(BIO *bio, const void *in, int inl) {
   return ret;
 }
 
+int BIO_write_ex(BIO *bio, const void *data, size_t data_len, size_t *written_bytes) {
+  if (bio == NULL) {
+    OPENSSL_PUT_ERROR(BIO, BIO_R_NULL_PARAMETER);
+    return 0;
+  }
+
+  int write_len = (int)data_len;
+  if (data_len > INT_MAX) {
+    write_len = INT_MAX;
+  }
+
+  int ret = BIO_write(bio, data, write_len);
+  if (ret > 0) {
+    if (written_bytes != NULL) {
+      *written_bytes = ret;
+    }
+    return 1;
+  } else {
+    if (written_bytes != NULL) {
+      *written_bytes = 0;
+    }
+    return 0;
+  }
+}
+
 int BIO_write_all(BIO *bio, const void *data, size_t len) {
   const uint8_t *data_u8 = data;
   while (len > 0) {

crypto/bio/bio_test.cc

@@ -89,7 +89,7 @@ class OwnedSocket {
 };
 
 struct SockaddrStorage {
-  SockaddrStorage() : storage() , len(sizeof(storage)) {}
+  SockaddrStorage() : storage(), len(sizeof(storage)) {}
 
   int family() const { return storage.ss_family; }
 
@@ -1063,3 +1063,44 @@ TEST(BIOTest, InvokeConnectCallback) {
 }  // namespace
 
 INSTANTIATE_TEST_SUITE_P(All, BIOPairTest, testing::Values(false, true));
+
+TEST(BIOTest, ReadWriteEx) {
+  bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
+  ASSERT_TRUE(bio);
+
+  // Reading from an initially empty bio should default to returning a error.
+  // Check that both |BIO_read| and |BIO_read_ex| fail.
+  char buf[32];
+  size_t read = 1;
+  EXPECT_EQ(BIO_read(bio.get(), buf, sizeof(buf)), -1);
+  EXPECT_FALSE(BIO_read_ex(bio.get(), buf, sizeof(buf), &read));
+  EXPECT_EQ(read, (size_t)0);
+
+  // Write and read normally from buffer.
+  size_t written = 1;
+  ASSERT_TRUE(BIO_write_ex(bio.get(), "abcdef", 6, &written));
+  EXPECT_EQ(written, (size_t)6);
+  ASSERT_TRUE(BIO_read_ex(bio.get(), buf, sizeof(buf), &read));
+  EXPECT_EQ(read, (size_t)6);
+  EXPECT_EQ(Bytes(buf, read), Bytes("abcdef"));
+
+  // Test NULL |written_bytes| behavior works.
+  ASSERT_TRUE(BIO_write_ex(bio.get(), "ghilmnop", 8, nullptr));
+  ASSERT_TRUE(BIO_read_ex(bio.get(), buf, sizeof(buf), &read));
+  EXPECT_EQ(read, (size_t)8);
+  EXPECT_EQ(Bytes(buf, read), Bytes("ghilmnop"));
+
+  // Test NULL |read_bytes| behavior fails.
+  ASSERT_TRUE(BIO_write_ex(bio.get(), "ghilmnop", 8, nullptr));
+  ASSERT_FALSE(BIO_read_ex(bio.get(), buf, sizeof(buf), nullptr));
+
+  // Test that |BIO_write/read_ex| align with their non-ex counterparts, when
+  // encountering NULL data. EOF in |BIO_read| is indicated by returning 0.
+  // In |BIO_read_ex| however, EOF returns a failure and sets |read| to 0.
+  EXPECT_FALSE(BIO_write(bio.get(), nullptr, 0));
+  EXPECT_FALSE(BIO_write_ex(bio.get(), nullptr, 0, &written));
+  EXPECT_EQ(written, (size_t)0);
+  EXPECT_EQ(BIO_read(bio.get(), nullptr, 0), 0);
+  EXPECT_FALSE(BIO_read_ex(bio.get(), nullptr, 0, &read));
+  EXPECT_EQ(read, (size_t)0);
+}

crypto/cipher_extra/derive_key.c

@@ -60,10 +60,9 @@
 
 #include <openssl/digest.h>
 #include <openssl/mem.h>
+#include <openssl/evp.h>
 
 
-#define PKCS5_SALT_LEN 8
-
 int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
                    const uint8_t *salt, const uint8_t *data, size_t data_len,
                    unsigned count, uint8_t *key, uint8_t *iv) {