Merge branch 'main' into openvpn

.github/workflows/actions-ci.yml

@@ -255,17 +255,57 @@ jobs:
           cxx-compiler: g++-${{ matrix.gccversion }}
           options: FIPS=${{ matrix.fips }} CMAKE_BUILD_TYPE=Release
       - name: Build Project
+        # TODO: Re-enable gcc-14/FIPS build once delocator updated
+        if: ${{ !( matrix.gccversion == '14' && matrix.fips == '1' ) }}
         run: cmake --build ./build --target all
       - name: Run tests
+        # TODO: Re-enable gcc-14/FIPS build once delocator updated
+        if: ${{ !( matrix.gccversion == '14' && matrix.fips == '1' ) }}
         run: cmake --build ./build --target run_tests
 
+  gcc-13-pedantic:
+    if: github.repository_owner == 'aws'
+    needs: [ sanity-test-run ]
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup CMake
+        uses: threeal/[email protected]
+        with:
+          generator: Ninja
+          c-compiler: gcc-13
+          cxx-compiler: g++-13
+          options: CMAKE_BUILD_TYPE=Release CMAKE_C_FLAGS=-pedantic CMAKE_CXX_FLAGS=-pedantic
+      - name: Build Crypto
+        run: cmake --build ./build --target crypto
+      - name: Build SSL
+        run: cmake --build ./build --target ssl
+
+  clang-18-pedantic:
+    if: github.repository_owner == 'aws'
+    needs: [ sanity-test-run ]
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup CMake
+        uses: threeal/[email protected]
+        with:
+          generator: Ninja
+          c-compiler: clang-18
+          cxx-compiler: clang++-18
+          options: CMAKE_BUILD_TYPE=Release CMAKE_C_FLAGS=-pedantic CMAKE_CXX_FLAGS=-pedantic
+      - name: Build Crypto
+        run: cmake --build ./build --target crypto
+      - name: Build SSL
+        run: cmake --build ./build --target ssl
+
   clang-ubuntu-2004-sanity:
     if: github.repository_owner == 'aws'
     needs: [sanity-test-run]
     strategy:
       fail-fast: false
       matrix:
-        gccversion:
+        clangversion:
           - "10"
           - "11"
           - "12"
@@ -282,8 +322,8 @@ jobs:
         uses: threeal/[email protected]
         with:
           generator: Ninja
-          c-compiler: clang-${{ matrix.gccversion }}
-          cxx-compiler: clang++-${{ matrix.gccversion }}
+          c-compiler: clang-${{ matrix.clangversion }}
+          cxx-compiler: clang++-${{ matrix.clangversion }}
           options: FIPS=${{ matrix.fips }} CMAKE_BUILD_TYPE=Release
       - name: Build Project
         run: cmake --build ./build --target all
@@ -296,7 +336,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        gccversion:
+        clangversion:
           - "13"
           - "14"
           - "15"
@@ -313,8 +353,8 @@ jobs:
         uses: threeal/[email protected]
         with:
           generator: Ninja
-          c-compiler: clang-${{ matrix.gccversion }}
-          cxx-compiler: clang++-${{ matrix.gccversion }}
+          c-compiler: clang-${{ matrix.clangversion }}
+          cxx-compiler: clang++-${{ matrix.clangversion }}
           options: FIPS=${{ matrix.fips }} CMAKE_BUILD_TYPE=Release
       - name: Build Project
         run: cmake --build ./build --target all
@@ -327,7 +367,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        gccversion:
+        clangversion:
           - "16"
           - "17"
           - "18"
@@ -344,8 +384,8 @@ jobs:
         uses: threeal/[email protected]
         with:
           generator: Ninja
-          c-compiler: clang-${{ matrix.gccversion }}
-          cxx-compiler: clang++-${{ matrix.gccversion }}
+          c-compiler: clang-${{ matrix.clangversion }}
+          cxx-compiler: clang++-${{ matrix.clangversion }}
           options: FIPS=${{ matrix.fips }} CMAKE_BUILD_TYPE=Release
       - name: Build Project
         run: cmake --build ./build --target all

.github/workflows/aws-lc-rs.yml

@@ -10,6 +10,7 @@ concurrency:
 env:
   GOPROXY: https://proxy.golang.org,direct
   AWS_LC_SYS_CMAKE_BUILDER: 1
+  RUST_NIGHTLY_TOOLCHAIN: nightly-2024-05-22
 jobs:
   standard:
     if: github.repository_owner == 'aws'
@@ -20,11 +21,11 @@ jobs:
           repository: awslabs/aws-lc-rs
           path: ./aws-lc-rs
           submodules: false
-      - uses: actions-rs/toolchain@v1
+      - uses: dtolnay/rust-toolchain@master
         with:
           # Our aws-lc-sys generation scripts require nightly.
-          toolchain: nightly
-          override: true
+          toolchain: ${{ env.RUST_NIGHTLY_TOOLCHAIN }}
+      - run: rustup override set $RUST_NIGHTLY_TOOLCHAIN
       - uses: actions-rs/cargo@v1
         with:
           command: install

.github/workflows/integrations.yml

@@ -148,3 +148,16 @@ jobs:
       - name: Run strongswan build
         run: |
           ./tests/ci/integration/run_strongswan_integration.sh
+  libevent:
+    if: github.repository_owner == 'aws'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install OS Dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get -y --no-install-recommends install \
+          cmake gcc ninja-build golang
+      - uses: actions/checkout@v4
+      - name: Run libevent build
+        run: |
+          ./tests/ci/integration/run_libevent_integration.sh

.gitignore

@@ -41,3 +41,4 @@ symbols.txt
 .fleet/
 .cache/
 /CMakePresets.json
+/compile_commands.json

CMakeLists.txt

@@ -358,8 +358,9 @@ if(GCC OR CLANG)
       set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wall -fvisibility=hidden -fno-common")
     endif()
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wshadow")
-    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wwrite-strings -Wformat-security -Wunused-result")
-    set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wvla -Wtype-limits -Wno-unused-parameter")
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wwrite-strings -Wformat-security -Wunused-result -Wno-overlength-strings")
+    set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -Wno-newline-eof")
+    set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wno-c11-extensions -Wvla -Wtype-limits -Wno-unused-parameter")
   endif()
   set(C_CXX_FLAGS "${C_CXX_FLAGS} -Werror -Wformat=2 -Wsign-compare -Wmissing-field-initializers -Wwrite-strings")
 

crypto/asn1/a_dup.c

@@ -59,6 +59,26 @@
 #include <openssl/err.h>
 #include <openssl/mem.h>
 
+void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, void *input) {
+  if (i2d == NULL || d2i == NULL || input == NULL) {
+    OPENSSL_PUT_ERROR(ASN1, ERR_R_PASSED_NULL_PARAMETER);
+    return NULL;
+  }
+
+  // Size and allocate |buf|.
+  unsigned char *buf = NULL;
+  int buf_len = i2d(input, &buf);
+  if (buf == NULL || buf_len < 0) {
+    return NULL;
+  }
+
+  // |buf| needs to be converted to |const| to be passed in.
+  const unsigned char *temp_input = buf;
+  char *ret = d2i(NULL, &temp_input, buf_len);
+  OPENSSL_free(buf);
+  return ret;
+}
+
 // ASN1_ITEM version of dup: this follows the model above except we don't
 // need to allocate the buffer. At some point this could be rewritten to
 // directly dup the underlying structure instead of doing and encode and

crypto/asn1/a_strex.c

@@ -67,6 +67,8 @@
 #include <openssl/bytestring.h>
 #include <openssl/mem.h>
 
+#include "../bytestring/internal.h"
+#include "../internal.h"
 #include "internal.h"
 
 
@@ -256,22 +258,8 @@ static int do_dump(unsigned long flags, BIO *out, const ASN1_STRING *str) {
   // Placing the ASN1_STRING in a temporary ASN1_TYPE allows the DER encoding
   // to readily obtained.
   ASN1_TYPE t;
-  t.type = str->type;
-  // Negative INTEGER and ENUMERATED values are the only case where
-  // |ASN1_STRING| and |ASN1_TYPE| types do not match.
-  //
-  // TODO(davidben): There are also some type fields which, in |ASN1_TYPE|, do
-  // not correspond to |ASN1_STRING|. It is unclear whether those are allowed
-  // in |ASN1_STRING| at all, or what the space of allowed types is.
-  // |ASN1_item_ex_d2i| will never produce such a value so, for now, we say
-  // this is an invalid input. But this corner of the library in general
-  // should be more robust.
-  if (t.type == V_ASN1_NEG_INTEGER) {
-    t.type = V_ASN1_INTEGER;
-  } else if (t.type == V_ASN1_NEG_ENUMERATED) {
-    t.type = V_ASN1_ENUMERATED;
-  }
-  t.value.asn1_string = (ASN1_STRING *)str;
+  OPENSSL_memset(&t, 0, sizeof(ASN1_TYPE));
+  asn1_type_set0_string(&t, (ASN1_STRING *)str);
   unsigned char *der_buf = NULL;
   int der_len = i2d_ASN1_TYPE(&t, &der_buf);
   if (der_len < 0) {

crypto/asn1/a_type.c

@@ -56,7 +56,8 @@
 
 #include <openssl/asn1.h>
 
-#include <openssl/asn1t.h>
+#include <assert.h>
+
 #include <openssl/err.h>
 #include <openssl/mem.h>
 #include <openssl/obj.h>
@@ -89,6 +90,23 @@ const void *asn1_type_value_as_pointer(const ASN1_TYPE *a) {
   }
 }
 
+void asn1_type_set0_string(ASN1_TYPE *a, ASN1_STRING *str) {
+  // |ASN1_STRING| types are almost the same as |ASN1_TYPE| types, except that
+  // the negative flag is not reflected into |ASN1_TYPE|.
+  int type = str->type;
+  if (type == V_ASN1_NEG_INTEGER) {
+    type = V_ASN1_INTEGER;
+  } else if (type == V_ASN1_NEG_ENUMERATED) {
+    type = V_ASN1_ENUMERATED;
+  }
+
+  // These types are not |ASN1_STRING| types and use a different
+  // representation when stored in |ASN1_TYPE|.
+  assert(type != V_ASN1_NULL && type != V_ASN1_OBJECT &&
+         type != V_ASN1_BOOLEAN);
+  ASN1_TYPE_set(a, type, str);
+}
+
 void asn1_type_cleanup(ASN1_TYPE *a) {
   switch (a->type) {
     case V_ASN1_NULL: