Merge branch 'main' into s2n-bignum-alt-func-handling

crypto/CMakeLists.txt

@@ -667,7 +667,7 @@ if(BUILD_TESTING)
     message(STATUS "Generating test executable ${executable_name}.")
     add_executable(${executable_name} ${test_file})
     target_compile_definitions(${executable_name} PRIVATE BORINGSSL_IMPLEMENTATION)
-    target_link_libraries(${executable_name} test_support_lib boringssl_gtest_main crypto)
+    target_link_libraries(${executable_name} boringssl_gtest_main)
     add_dependencies(${executable_name} boringssl_prefix_symbols)
     target_include_directories(${executable_name} BEFORE PRIVATE ${PROJECT_BINARY_DIR}/symbol_prefix_include)
     add_dependencies(all_tests ${executable_name})
@@ -780,7 +780,7 @@ if(BUILD_TESTING)
   )
 
   add_dependencies(${CRYPTO_TEST_EXEC} boringssl_prefix_symbols)
-  target_link_libraries(${CRYPTO_TEST_EXEC} test_support_lib boringssl_gtest_main crypto)
+  target_link_libraries(${CRYPTO_TEST_EXEC} boringssl_gtest_main)
   target_include_directories(${CRYPTO_TEST_EXEC} BEFORE PRIVATE ${PROJECT_BINARY_DIR}/symbol_prefix_include)
   if(MSVC)
     target_link_libraries(${CRYPTO_TEST_EXEC} ws2_32)

ssl/CMakeLists.txt

@@ -69,8 +69,8 @@ if(BUILD_TESTING)
 
     $<TARGET_OBJECTS:crypto_test_data>
   )
-  target_link_libraries(${INTEGRATION_TEST_EXEC} test_support_lib
-          boringssl_gtest_main ssl crypto)
+  target_link_libraries(${INTEGRATION_TEST_EXEC}
+          boringssl_gtest_main ssl )
   target_include_directories(${INTEGRATION_TEST_EXEC} BEFORE PRIVATE ${PROJECT_BINARY_DIR}/symbol_prefix_include)
   add_dependencies(all_tests ${INTEGRATION_TEST_EXEC})
 
@@ -82,7 +82,7 @@ if(BUILD_TESTING)
     ssl_c_test.c
   )
 
-  target_link_libraries(${SSL_TEST_EXEC} test_support_lib boringssl_gtest_main ssl crypto)
+  target_link_libraries(${SSL_TEST_EXEC} boringssl_gtest_main ssl)
 
   target_include_directories(${SSL_TEST_EXEC} BEFORE PRIVATE ${PROJECT_BINARY_DIR}/symbol_prefix_include)
 

tests/ci/integration/mariadb_patch/auto-chaining.patch

@@ -0,0 +1,16 @@
+diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
+index 530872c4..235bf76f 100644
+--- a/vio/viosslfactories.c
++++ b/vio/viosslfactories.c
+@@ -354,6 +354,11 @@ new_VioSSLFd(const char *key_file, const char *cert_file, const char *ca_file,
+   }
+
+   SSL_CTX_set_options(ssl_fd->ssl_context, ssl_ctx_options);
++  /* 
++    This reverts AWS-LC to the default OpenSSL auto-chaining behavior. Since 
++    OpenSSL enables auto-chaining by default, this is a no-op with OpenSSL.
++  */
++  SSL_CTX_clear_mode(ssl_fd->ssl_context, SSL_MODE_NO_AUTO_CHAIN);
+
+   /*
+     Set the ciphers that can be used

tests/ci/integration/mariadb_patch/ssl_crl_expect.patch

@@ -0,0 +1,12 @@
+diff --git a/mysql-test/main/ssl_crl.test b/mysql-test/main/ssl_crl.test
+index 9b475857..58d23087 100644
+--- a/mysql-test/main/ssl_crl.test
++++ b/mysql-test/main/ssl_crl.test
+@@ -8,6 +8,6 @@
+
+ --echo # try logging in with a certificate in the server's --ssl-crl : should fail
+ # OpenSSL 1.1.1a correctly rejects the certificate, but the error message is different
+---replace_regex /ERROR 2013 \(HY000\): Lost connection to server at '.*', system error: [0-9]+/ERROR 2026 (HY000): TLS\/SSL error: sslv3 alert certificate revoked/
++--replace_regex /ERROR 2013 \(HY000\): Lost connection to server at '.*', system error: [0-9]+/ERROR 2026 (HY000): TLS\/SSL error: sslv3 alert certificate revoked/ /SSLV3_ALERT_CERTIFICATE_REVOKED/sslv3 alert certificate revoked/
+ --error 1
+ --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_version'" 2>&1

tests/ci/integration/run_mariadb_integration.sh

@@ -59,11 +59,8 @@ function mariadb_run_tests() {
 main.flush_logs_not_windows : query 'flush logs' succeeded - should have failed with error ER_CANT_CREATE_FILE (1004)
 main.mysql_upgrade_noengine : upgrade output order does not match the expected
 main.plugin_load : This test generates a warning in Codebuild. Skip over since this isn't relevant to AWS-LC.
-main.ssl_crl : This test is flaky in CodeBuild CI P112867839
-main.desc_index_min_max : This test is flaky in CodeBuild CI P112867839
-main.ssl_autoverify : Failing with - TLS/SSL error: unable to get local issuer certificate
-main.mysql : Failing with - TLS/SSL error: unable to get local issuer certificate
-main.ssl_fp : Failing with - TLS/SSL error: unable to get local issuer certificate"> skiplist
+main.desc_index_min_max : This test is flaky and unrelated to aws-lc.
+"> skiplist
   ./mtr --suite=main --force --parallel=auto --skip-test-list=${MARIADB_BUILD_FOLDER}/mysql-test/skiplist --retry-failure=2
   popd
 }

tests/ci/integration/run_ntp_integration.sh

@@ -15,8 +15,15 @@ source tests/ci/common_posix_setup.sh
 
 # Assumes script is executed from the root of aws-lc directory
 SCRATCH_FOLDER="${SRC_ROOT}/NTP_BUILD_ROOT"
-NTP_DOWNLOAD_URL=$(curl -s https://www.ntp.org/downloads/ | grep -oP "\"https://archive.ntp.org/ntp.*?\.tar\.gz\"" | cut -d '"' -f2)
-NTP_TAR=$(echo "$NTP_DOWNLOAD_URL" | cut -d '/' -f6)
+NTP_WEBSITE_URL="https://downloads.nwtime.org/ntp/"
+
+# - curl fetches the HTML content of the website,
+# - the first grep searches for all occurrences of href attributes in anchor tags and outputs only the URLs,
+# - sed removes the href=" and trailing " from the URLs,
+# - the second grep filters only the links ending with .tar.gz,
+# - cut strips "/ntp/" from the link and retains only the tar name.
+NTP_TAR=$(curl -s ${NTP_WEBSITE_URL} | grep -o 'href="[^"]*"' | sed 's/href="//;s/"$//' | grep '.tar.gz$' | cut -d '/' -f3)
+NTP_DOWNLOAD_URL="${NTP_WEBSITE_URL}/${NTP_TAR}"
 NTP_SRC_FOLDER="${SCRATCH_FOLDER}/ntp-src"
 NTP_PATCH_FOLDER="${SRC_ROOT}/tests/ci/integration/ntp_patch"
 AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build"

util/fipstools/delocate/delocate.go

@@ -1189,6 +1189,8 @@ const (
 	instrMemoryVectorCombine
 	// instrThreeArg merges two sources into a destination in some fashion.
 	instrThreeArg
+	// instrFourArg merges three sources into a destination in some fashion.
+	instrFourArg
 	// instrCompare takes two arguments and writes outputs to the flags register.
 	instrCompare
 	instrOther
@@ -1197,7 +1199,7 @@ const (
 func (index instructionType) String() string {
 	return [...]string{"instrPush", "instrMove", "instrTransformingMove",
 		"instrJump", "instrConditionalMove", "instrCombine",
-		"instrMemoryVectorCombine", "instrThreeArg",
+		"instrMemoryVectorCombine", "instrThreeArg", "instrFourArg",
 		"instrCompare", "instrOther"}[index]
 }
 
@@ -1238,6 +1240,11 @@ func classifyInstruction(instr string, args []*node32) instructionType {
 			return instrThreeArg
 		}
 
+	case "vpinsrq":
+		if len(args) == 4 {
+			return instrFourArg
+		}
+
 	case "vpbroadcastq":
 		if len(args) == 2 {
 			return instrTransformingMove
@@ -1346,6 +1353,13 @@ func threeArgCombineOp(w stringWriter, instructionName, source1, source2, dest s
 	}
 }
 
+func fourArgCombineOp(w stringWriter, instructionName, source1, source2, source3, dest string) wrapperFunc {
+	return func(k func()) {
+		k()
+		w.WriteString("\t" + instructionName + " " + source1 + ", " + source2 + ", " + source3 + ", " + dest + "\n")
+	}
+}
+
 func memoryVectorCombineOp(w stringWriter, instructionName, source, dest string) wrapperFunc {
 	return func(k func()) {
 		k()
@@ -1484,7 +1498,7 @@ Args:
 				}
 
 				classification := classifyInstruction(instructionName, argNodes)
-				if classification != instrThreeArg && classification != instrCompare && i != 0 {
+				if classification != instrFourArg && classification != instrThreeArg && classification != instrCompare && i != 0 {
 					return nil, fmt.Errorf("GOT access must be source operand, %s", classification)
 				}
 
@@ -1565,6 +1579,29 @@ Args:
 						wrappers = append(wrappers, threeArgCombineOp(d.output, instructionName, otherSource, tempReg, targetReg))
 					}
 					targetReg = tempReg
+				case instrFourArg:
+					if n := len(argNodes); n != 4 {
+						return nil, fmt.Errorf("four-argument instruction has %d arguments", n)
+					}
+					// Only support vpinsrq where the second argument is the GOT reloc.
+					if i != 1 {
+						return nil, errors.New("GOT access must be from source operand")
+					}
+
+					// vpinsrq imm8, r64/m64, xmm2, xmm1
+					targetReg = d.contents(argNodes[3])
+					otherSource := d.contents(argNodes[2])
+					gotSource := d.contents(argNodes[1])
+					immediate := d.contents(argNodes[0])
+
+					// Choose free register and prepare stack.
+					saveRegWrapper, tempReg := saveRegister(d.output, []string{targetReg, gotSource})
+					redzoneCleared = true
+					wrappers = append(wrappers, saveRegWrapper)
+
+					// Rewrite instruction arguments to use the free register.
+					wrappers = append(wrappers, fourArgCombineOp(d.output, instructionName, immediate, tempReg, otherSource, targetReg))
+					targetReg = tempReg
 				default:
 					return nil, fmt.Errorf("Cannot rewrite GOTPCREL reference for instruction %q", instructionName)
 				}

util/fipstools/delocate/delocate_test.go

@@ -55,6 +55,7 @@ var delocateTests = []delocateTest{
 	{"x86_64-LabelRewrite", nil, []string{"in1.s", "in2.s"}, "out.s", true},
 	{"x86_64-Sections", nil, []string{"in.s"}, "out.s", true},
 	{"x86_64-ThreeArg", nil, []string{"in.s"}, "out.s", true},
+	{"x86_64-FourArg", nil, []string{"in.s"}, "out.s", true},
 	{"aarch64-Basic", nil, []string{"in.s"}, "out.s", true},
 }
 

util/fipstools/delocate/testdata/x86_64-FourArg/in.s

@@ -0,0 +1,13 @@
+	.type foo, @function
+	.globl foo
+foo:
+	movq  %rbx, %rbx # instruction allowing delocator to detect architecture
+	vpinsrq $0x08, kBoringSSLRSASqrtTwo@GOTPCREL(%rip), %xmm1, %xmm0
+	vpinsrq $1, fooExternal@GOTPCREL(%rip), %xmm14, %xmm15
+
+	.type kBoringSSLRSASqrtTwo,@object # @kBoringSSLRSASqrtTwo
+	.section  .rodata,"a",@progbits,unique,760
+	.globl  kBoringSSLRSASqrtTwo
+	.p2align  4
+kBoringSSLRSASqrtTwo:
+	.quad -2404814165548301886    # 0xdea06241f7aa81c2

util/fipstools/delocate/testdata/x86_64-FourArg/out.s

@@ -0,0 +1,85 @@
+.text
+.file 1 "inserted_by_delocate.c"
+.loc 1 1 0
+BORINGSSL_bcm_text_start:
+	.type foo, @function
+	.globl foo
+.Lfoo_local_target:
+foo:
+	movq  %rbx, %rbx # instruction allowing delocator to detect architecture
+# WAS vpinsrq $0x08, kBoringSSLRSASqrtTwo@GOTPCREL(%rip), %xmm1, %xmm0
+	leaq -128(%rsp), %rsp
+	pushq %rax
+	leaq	.LkBoringSSLRSASqrtTwo_local_target(%rip), %rax
+	vpinsrq $0x08, %rax, %xmm1, %xmm0
+	popq %rax
+	leaq 128(%rsp), %rsp
+# WAS vpinsrq $1, fooExternal@GOTPCREL(%rip), %xmm14, %xmm15
+	leaq -128(%rsp), %rsp
+	pushq %rax
+	pushf
+	leaq fooExternal_GOTPCREL_external(%rip), %rax
+	addq (%rax), %rax
+	movq (%rax), %rax
+	popf
+	vpinsrq $1, %rax, %xmm14, %xmm15
+	popq %rax
+	leaq 128(%rsp), %rsp
+
+	.type kBoringSSLRSASqrtTwo,@object # @kBoringSSLRSASqrtTwo
+# WAS .section  .rodata,"a",@progbits,unique,760
+.text
+	.globl  kBoringSSLRSASqrtTwo
+	.p2align  4
+.LkBoringSSLRSASqrtTwo_local_target:
+kBoringSSLRSASqrtTwo:
+	.quad -2404814165548301886    # 0xdea06241f7aa81c2
+.text
+.loc 1 2 0
+BORINGSSL_bcm_text_end:
+.type fooExternal_GOTPCREL_external, @object
+.size fooExternal_GOTPCREL_external, 8
+fooExternal_GOTPCREL_external:
+	.long fooExternal@GOTPCREL
+	.long 0
+.type OPENSSL_ia32cap_get, @function
+.globl OPENSSL_ia32cap_get
+.LOPENSSL_ia32cap_get_local_target:
+OPENSSL_ia32cap_get:
+	leaq OPENSSL_ia32cap_P(%rip), %rax
+	ret
+.type BORINGSSL_bcm_text_hash, @object
+.size BORINGSSL_bcm_text_hash, 32
+BORINGSSL_bcm_text_hash:
+.byte 0xae
+.byte 0x2c
+.byte 0xea
+.byte 0x2a
+.byte 0xbd
+.byte 0xa6
+.byte 0xf3
+.byte 0xec
+.byte 0x97
+.byte 0x7f
+.byte 0x9b
+.byte 0xf6
+.byte 0x94
+.byte 0x9a
+.byte 0xfc
+.byte 0x83
+.byte 0x68
+.byte 0x27
+.byte 0xcb
+.byte 0xa0
+.byte 0xa0
+.byte 0x9f
+.byte 0x6b
+.byte 0x6f
+.byte 0xde
+.byte 0x52
+.byte 0xcd
+.byte 0xe2
+.byte 0xcd
+.byte 0xff
+.byte 0x31
+.byte 0x80