From 33637ff1765823bef584c7959a5ef84e6f7bbc9f Mon Sep 17 00:00:00 2001 From: Will Childs-Klein Date: Fri, 3 May 2024 16:06:08 -0400 Subject: [PATCH 1/2] Implement DEPRECATED RSA_pkey_ctx_ctrl (#1575) [AWS-LC][3] and [OpenSSL 3][4] implement various RSA control functions as concrete functions, but OpenSSL 1.1.1 [implements][1] them as macros calling `RSA_pkey_ctx_ctrl`. This commit provides an implementation of `RSA_pkey_ctx_ctrl` [directly cribbed][1] from OpenSSL 1.1.1, and identical to OpenSSL 3's implementation [today][2]. [1]: https://github.com/openssl/openssl/commit/e5e04ee3983dcf5283c99ce63f3fe37093921747 [2]: https://github.com/openssl/openssl/blob/067fbc01b9e867b31c71091d62f0f9012dc9e41a/crypto/rsa/rsa_lib.c#L734 [3]: https://github.com/aws/aws-lc/blob/2c03113451b5f84f61c8ed283b289a6db87b3397/include/openssl/evp.h#L796 [4]: https://github.com/openssl/openssl/blob/067fbc01b9e867b31c71091d62f0f9012dc9e41a/include/openssl/rsa.h#L125 --- crypto/fipsmodule/rsa/rsa.c | 11 +++++++++++ include/openssl/rsa.h | 10 ++++++++++ 2 files changed, 21 insertions(+) diff --git a/crypto/fipsmodule/rsa/rsa.c b/crypto/fipsmodule/rsa/rsa.c index f0144b7230..c34b0b2ff5 100644 --- a/crypto/fipsmodule/rsa/rsa.c +++ b/crypto/fipsmodule/rsa/rsa.c @@ -836,6 +836,17 @@ void RSA_blinding_off_temp_for_accp_compatibility(RSA *rsa) { } } +int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2) { + if (ctx != NULL && ctx->pmeth != NULL) { + if (ctx->pmeth->pkey_id == EVP_PKEY_RSA || + ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) { + return EVP_PKEY_CTX_ctrl(ctx, -1, optype, cmd, p1, p2); + } + return -1; + } + return 0; +} + // ------------- KEY CHECKING FUNCTIONS ---------------- // // Performs several checks on the public component of the given RSA key. diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h index 181ebc2912..894a008e5d 100644 --- a/include/openssl/rsa.h +++ b/include/openssl/rsa.h 
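Review bot: The final `return 0;` in RSA_pkey_ctx_ctrl handles a NULL |ctx| or NULL |ctx->pmeth| silently: no error is queued, and 0 becomes a third result next to -1 and whatever |EVP_PKEY_CTX_ctrl| returns. Code ported from OpenSSL 1.1.1 reaches this function through the RSA control macros the description mentions, and a caller that only tests `< 0` would take 0 as success, for example after requesting a padding or salt-length setting. The comment added in include/openssl/rsa.h (second hunk of this patch) documents only the -1 case, so I would state the full contract there: `// Returns 0 if |ctx| or its method is NULL, and -1 if the key type is neither RSA nor RSA-PSS; treat any value <= 0 as failure.` The description calls the body identical to OpenSSL's, which is worth re-checking for the NULL path, and the diffstat shows no test covering the NULL, wrong-key-type and RSA-PSS cases.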
@@ -739,6 +739,16 @@ OPENSSL_EXPORT int RSA_blinding_on(RSA *rsa, BN_CTX *ctx); // a private exponent having blinding disabled. OPENSSL_EXPORT OPENSSL_DEPRECATED void RSA_blinding_off_temp_for_accp_compatibility(RSA *rsa); +// RSA_pkey_ctx_ctrl is a vestigial OpenSSL function that has been obsoleted by +// the EVP interface. External callers should not use this. Internal callers +// should use |EVP_PKEY_CTX_ctrl| instead. +// +// This function directly calls |EVP_PKEY_CTX_ctrl| with some guards around the +// key's type. The key type must either be RSA or RSA-PSS, otherwise -1 is +// returned. +OPENSSL_EXPORT OPENSSL_DEPRECATED int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, + int p1, void *p2); + // RSA_generate_key behaves like |RSA_generate_key_ex|, which is what you // should use instead. It returns NULL on error, or a newly-allocated |RSA| on // success. This function is provided for compatibility only. The |callback| From e3c74c00a5303757e122087dfb6e9722e5dcb246 Mon Sep 17 00:00:00 2001 
From: Justin W Smith <103147162+justsmth@users.noreply.github.com> Date: Mon, 6 May 2024 15:19:09 -0400 Subject: [PATCH 2/2] Minor GitHub Action cleanup (#1565) ### Description of changes: * Group actions by `github.ref_name` which is applicable to both pushes and pulls. See [docs](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context). * Don't fail entire "matrix" when one job fails. See [docs](https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs#handling-failures). By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license. --- .github/workflows/abidiff.yml | 2 +- .github/workflows/actions-ci.yml | 9 ++++++++- .github/workflows/aws-lc-rs.yml | 2 +- .github/workflows/cmake.yml | 3 ++- .github/workflows/codecov-ci.yml | 2 +- .github/workflows/cross-test.yml | 2 +- .github/workflows/integrations.yml | 2 +- .github/workflows/windows-alt.yml | 2 +- 8 files changed, 16 insertions(+), 8 deletions(-) diff --git a/.github/workflows/abidiff.yml b/.github/workflows/abidiff.yml index 68af3272b1..8459d5b0de 100644 --- a/.github/workflows/abidiff.yml +++ b/.github/workflows/abidiff.yml @@ -5,7 +5,7 @@ on: pull_request: branches: [ '*' ] concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number }} + group: ${{ github.workflow }}-${{ github.ref_name }} cancel-in-progress: true env: DOCKER_BUILDKIT: 1 diff --git a/.github/workflows/actions-ci.yml b/.github/workflows/actions-ci.yml index 95aa79c101..e8a4d96868 100644 --- a/.github/workflows/actions-ci.yml +++ b/.github/workflows/actions-ci.yml @@ -5,7 +5,7 @@ on: pull_request: branches: [ '*' ] concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number }} + group: ${{ github.workflow }}-${{ github.ref_name }} cancel-in-progress: true env: GOPROXY: https://proxy.golang.org,direct 
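Review bot: Keying the concurrency group on `github.ref_name` while `cancel-in-progress: true` stays unconditional means a second push to a branch cancels the run for the previous commit, if these workflows also run on push. The trigger is outside the hunk, but the description says the grouping is meant for pushes too. On the default branch that would leave merged commits without a completed CI result, which weakens the record of what was actually tested in a crypto library. Consider `cancel-in-progress: ${{ github.event_name == 'pull_request' }}` so that only superseded pull-request runs are cancelled. The same line appears in the hunks for actions-ci.yml, aws-lc-rs.yml, cmake.yml, codecov-ci.yml, cross-test.yml, integrations.yml and windows-alt.yml.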
@@ -34,6 +34,7 @@ jobs: needs: [sanity-test-run] runs-on: ${{ matrix.os }} strategy: + fail-fast: false matrix: os: - "macos-14-large" @@ -53,6 +54,7 @@ jobs: needs: [sanity-test-run] runs-on: ${{ matrix.os }} strategy: + fail-fast: false matrix: os: - "macos-14-large" @@ -72,6 +74,7 @@ jobs: needs: [sanity-test-run] runs-on: ${{ matrix.os }} strategy: + fail-fast: false matrix: os: - "macos-14-xlarge" @@ -90,6 +93,7 @@ jobs: needs: [sanity-test-run] runs-on: ${{ matrix.os }} strategy: + fail-fast: false matrix: os: - "macos-14-xlarge" @@ -168,6 +172,7 @@ jobs: if: github.repository_owner == 'aws' needs: [sanity-test-run] strategy: + fail-fast: false matrix: gccversion: - "9" @@ -202,6 +207,7 @@ jobs: if: github.repository_owner == 'aws' needs: [sanity-test-run] strategy: + fail-fast: false matrix: gccversion: - "13" @@ -234,6 +240,7 @@ jobs: if: github.repository_owner == 'aws' needs: [sanity-test-run] strategy: + fail-fast: false matrix: gccversion: - "10" diff --git a/.github/workflows/aws-lc-rs.yml b/.github/workflows/aws-lc-rs.yml index 5d91d0dedc..ac68f8df2a 100644 --- a/.github/workflows/aws-lc-rs.yml +++ b/.github/workflows/aws-lc-rs.yml @@ -5,7 +5,7 @@ on: pull_request: branches: [ '*' ] concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number }} + group: ${{ github.workflow }}-${{ github.ref_name }} cancel-in-progress: true env: GOPROXY: https://proxy.golang.org,direct diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml index 5ab96862f3..10a108aa4b 100644 --- a/.github/workflows/cmake.yml +++ b/.github/workflows/cmake.yml @@ -5,7 +5,7 @@ on: pull_request: branches: [ '*' ] concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number }} + group: ${{ github.workflow }}-${{ github.ref_name }} cancel-in-progress: true env: DOCKER_BUILDKIT: 1 
@@ -15,6 +15,7 @@ jobs: if: github.repository_owner == 'aws' name: CMake ${{ matrix.cmake.version}} build with ${{ matrix.generator}} FIPS=${{ matrix.fips }} strategy: + fail-fast: false matrix: cmake: - { version: "3.2", url: "https://cmake.org/files/v3.2/cmake-3.2.3.tar.gz", hash: "a1ebcaf6d288eb4c966714ea457e3b9677cdfde78820d0f088712d7320850297" } diff --git a/.github/workflows/codecov-ci.yml b/.github/workflows/codecov-ci.yml index d9fb2e9419..08dd6afa5b 100644 --- a/.github/workflows/codecov-ci.yml +++ b/.github/workflows/codecov-ci.yml @@ -5,7 +5,7 @@ on: pull_request: branches: [ '*' ] concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number }} + group: ${{ github.workflow }}-${{ github.ref_name }} cancel-in-progress: true jobs: codecov-ci: diff --git a/.github/workflows/cross-test.yml b/.github/workflows/cross-test.yml index 15ff4371d4..dc48877e80 100644 --- a/.github/workflows/cross-test.yml +++ b/.github/workflows/cross-test.yml @@ -5,7 +5,7 @@ on: pull_request: branches: [ '*' ] concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number }} + group: ${{ github.workflow }}-${{ github.ref_name }} cancel-in-progress: true jobs: ppc64-build-test: diff --git a/.github/workflows/integrations.yml b/.github/workflows/integrations.yml index 17aabcb66c..1d6fd570d5 100644 --- a/.github/workflows/integrations.yml +++ b/.github/workflows/integrations.yml @@ -5,7 +5,7 @@ on: pull_request: branches: [ '*' ] concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number }} + group: ${{ github.workflow }}-${{ github.ref_name }} cancel-in-progress: true env: CC: gcc diff --git a/.github/workflows/windows-alt.yml b/.github/workflows/windows-alt.yml index b684c0889d..8d73e1fecb 100644 --- a/.github/workflows/windows-alt.yml +++ b/.github/workflows/windows-alt.yml 
@@ -5,7 +5,7 @@ on: pull_request: branches: [ '*' ] concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number }} + group: ${{ github.workflow }}-${{ github.ref_name }} cancel-in-progress: true jobs: mingw: