[openssl] master update

tomas at openssl.org tomas at openssl.org
Thu May 13 08:25:34 UTC 2021


The branch master has been updated
       via  91a05d65908c2ee21920d0effbda58b8536c2768 (commit)
       via  16e00da2c9a59e2e3ea774e546bdbe75b238595f (commit)
       via  220927071e91667e58297d24d64e22fa06439a98 (commit)
       via  dea76175581ee827205bc70daa72c1de7872faf6 (commit)
       via  b17e79929819be3093fda576a4b8566c7fc7df70 (commit)
       via  8e782e8b4f8da79713d67446ac179e87201f2a5a (commit)
       via  f3b1e3488cc194b0145b61dbe65b7b0b49a1abc4 (commit)
      from  66ddc0759a435672f1c48b856a0968e7f6e35a82 (commit)


- Log -----------------------------------------------------------------
commit 91a05d65908c2ee21920d0effbda58b8536c2768
Author: Tomas Mraz <tomas at openssl.org>
Date:   Wed May 12 16:14:01 2021 +0200

    Allow diff-fips-checksums in in-tree build
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15229)

commit 16e00da2c9a59e2e3ea774e546bdbe75b238595f
Author: Tomas Mraz <tomas at openssl.org>
Date:   Wed May 12 09:04:59 2021 +0200

    Remove the severity: fips change label if fips checksum unchanged
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15229)

commit 220927071e91667e58297d24d64e22fa06439a98
Author: Tomas Mraz <tomas at openssl.org>
Date:   Tue May 11 18:15:32 2021 +0200

    Set the severity: fips change label if fips checksum changed
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15229)

commit dea76175581ee827205bc70daa72c1de7872faf6
Author: Tomas Mraz <tomas at openssl.org>
Date:   Tue May 11 17:50:13 2021 +0200

    fipsprov: Missing teardown on fips_get_params_from_core() error
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15229)

commit b17e79929819be3093fda576a4b8566c7fc7df70
Author: Tomas Mraz <tomas at openssl.org>
Date:   Tue May 11 17:06:57 2021 +0200

    Add checksums github CI action
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15229)

commit 8e782e8b4f8da79713d67446ac179e87201f2a5a
Author: Tomas Mraz <tomas at openssl.org>
Date:   Tue May 11 16:20:51 2021 +0200

    Add diff-fips-checksums target to compare BLDDIR and SRCDIR checksums
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15229)

commit f3b1e3488cc194b0145b61dbe65b7b0b49a1abc4
Author: Tomas Mraz <tomas at openssl.org>
Date:   Tue May 11 16:07:35 2021 +0200

    Compute the FIPS checksums in $(BLDDIR) and remove it from update target
    
    Also add update-fips-checksums to update the checksums in
    $(SRCDIR) if $(SRCDIR) and $(BLDDIR) are different.
    
    The fips-checksums and generate_fips_sources targets are always
    produced (regardless of enable-fips) as nothing else depends on them
    and they are developer targets.
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15229)

-----------------------------------------------------------------------

Summary of changes:
 .github/workflows/checksums.yml   | 69 +++++++++++++++++++++++++++++++++++++++
 Configurations/unix-Makefile.tmpl | 45 +++++++++++++------------
 providers/fips/fipsprov.c         |  2 +-
 3 files changed, 95 insertions(+), 21 deletions(-)
 create mode 100644 .github/workflows/checksums.yml

diff --git a/.github/workflows/checksums.yml b/.github/workflows/checksums.yml
new file mode 100644
index 0000000000..9caf49c9fb
--- /dev/null
+++ b/.github/workflows/checksums.yml
@@ -0,0 +1,69 @@
+name: FIPS Checksums
+on: [pull_request]
+jobs:
+  apply-label:
+    runs-on: ubuntu-latest
+    steps:
+      - name: install unifdef
+        run: |
+            sudo apt-get update
+            sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install unifdef
+      - uses: actions/checkout at v2
+        with:
+          ref: ${{ github.event.pull_request.base.sha }}
+      - name: create build dirs
+        run: |
+          mkdir ./build-pristine
+          mkdir ./build
+      - name: config pristine
+        run: ../config enable-fips && perl configdata.pm --dump
+        working-directory: ./build-pristine
+      - name: make build_generated pristine
+        run: make -s build_generated
+        working-directory: ./build-pristine
+      - name: make fips-checksums pristine
+        run: make fips-checksums
+        working-directory: ./build-pristine
+      - uses: actions/checkout at v2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          clean: false
+      - name: config
+        run: ../config enable-fips && perl configdata.pm --dump
+        working-directory: ./build
+      - name: make build_generated
+        run: make -s build_generated
+        working-directory: ./build
+      - name: make fips-checksums
+        run: make fips-checksums
+        working-directory: ./build
+      - name: update checksums pristine
+        run: make update-fips-checksums
+        working-directory: ./build-pristine
+      - name: make diff-fips-checksums
+        run: make diff-fips-checksums && echo "fips_unchanged=1" >> $GITHUB_ENV || echo "fips_changed=1" >> $GITHUB_ENV
+        working-directory: ./build
+      - name: set label
+        if: ${{ env.fips_changed }}
+        uses: actions/github-script at v4
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            github.issues.addLabels({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              labels: ['severity: fips change']
+            })
+      - name: remove label
+        if: ${{ env.fips_unchanged }}
+        uses: actions/github-script at v4
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            github.issues.removeLabel({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              name: 'severity: fips change'
+            })
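Review bot: Both `actions/checkout` steps leave credential persistence at its default, so the job's `GITHUB_TOKEN` stays in the checkout's git config while the later steps run `../config` and `make` from the pull request's head commit, which is code the PR author controls. Adding `persist-credentials: false` under each checkout's `with:`, plus a workflow-level `permissions:` block limited to reading contents and writing labels, would keep the build steps away from a write-capable token. For pull requests from forks the `pull_request` trigger normally provides only a read-only token, so the `set label` and `remove label` steps will presumably fail there; if that is later solved by changing the trigger, the build of head code should be split from the labelling job rather than run with the privileged token. Separately, `make diff-fips-checksums && … || …` records any failure of the make run as `fips_changed`, not only a real checksum difference.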
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index c2a0de3a97..9dcc0b0342 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -1055,9 +1055,6 @@ uninstall_html_docs:
 # It's important that generate_buildinfo comes after ordinals, as ordinals
 # is sensitive to build.info changes.
 update: generate errors ordinals generate_buildinfo
-{- output_off() if $disabled{fips}; "" -}
-update: fips-checksums
-{- output_on() if $disabled{fips}; "" -}
 
 generate: generate_apps generate_crypto_bn generate_crypto_objects \
           generate_crypto_conf generate_crypto_asn1 generate_fuzz_oids
@@ -1140,9 +1137,8 @@ generate_doc_buildinfo:
                 mv $(SRCDIR)/doc/build.info.new $(SRCDIR)/doc/build.info; \
           fi )
 
-{- output_off() if $disabled{fips}; "" -}
-generate_fips_sources: $(SRCDIR)/providers/fips.module.sources
-$(SRCDIR)/providers/fips.module.sources: \
+generate_fips_sources: providers/fips.module.sources.new
+providers/fips.module.sources.new: \
                 $(SRCDIR)/Configure \
                 {- join(" \\\n" . ' ' x 16,
                         fill_lines(" ", $COLUMNS - 16,
@@ -1171,9 +1167,8 @@ $(SRCDIR)/providers/fips.module.sources: \
 		   crypto/sha/asm/*.pl; do \
 	    echo "$$x"; \
 	  done \
-	) | sort | uniq > $(SRCDIR)/providers/fips.module.sources
+	) | sort | uniq > providers/fips.module.sources.new
 	rm -rf sources-tmp
-{- output_on() if $disabled{fips}; "" -}
 
 # Set to -force to force a rebuild
 ERROR_REBUILD=
@@ -1269,19 +1264,29 @@ tags TAGS: FORCE
 	-ctags -R .
 	-etags `find . -name '*.[ch]' -o -name '*.pm'`
 
-{- output_off() if $disabled{fips}; "" -}
 fips-checksums: generate_fips_sources
-	if which unifdef > /dev/null; then \
-	    ( cd $(SRCDIR) \
-	      && cat providers/fips.module.sources \
-	             | xargs ./util/fips-checksums.sh \
-	             > providers/fips-sources.checksums \
-	      && sha256sum providers/fips-sources.checksums \
-	             > providers/fips.checksum ); \
-	else \
-	    echo >&2 "WARNING: unifdef not in your \$$PATH, FIPS checksums not calculated"; \
-	fi
-{- output_on() if $disabled{fips}; "" -}
+	@which unifdef > /dev/null || \
+	( echo >&2 "ERROR: unifdef not in your \$$PATH, FIPS checksums not calculated"; \
+	  false )
+	( sources=`pwd`/providers/fips.module.sources.new; \
+	  cd $(SRCDIR) \
+	  && cat $$sources \
+	         | xargs ./util/fips-checksums.sh ) \
+	         > providers/fips-sources.checksums.new \
+	&& sha256sum providers/fips-sources.checksums.new \
+	     > providers/fips.checksum.new
+
+$(SRCDIR)/providers/fips.checksum: providers/fips.checksum.new
+	cp -p providers/fips.module.sources.new $(SRCDIR)/providers/fips.module.sources
+	cp -p providers/fips-sources.checksums.new $(SRCDIR)/providers/fips-sources.checksums
+	cp -p providers/fips.checksum.new $(SRCDIR)/providers/fips.checksum
+
+update-fips-checksums: $(SRCDIR)/providers/fips.checksum
+
+diff-fips-checksums: fips-checksums
+	diff -u $(SRCDIR)/providers/fips.module.sources providers/fips.module.sources.new
+	diff -u $(SRCDIR)/providers/fips-sources.checksums providers/fips-sources.checksums.new
+	diff -u $(SRCDIR)/providers/fips.checksum providers/fips.checksum.new
 
 # Release targets (note: only available on Unix) #####################
 
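Review bot: `sha256sum providers/fips-sources.checksums.new > providers/fips.checksum.new` writes the path it was given into its output, so the checksum file names `providers/fips-sources.checksums.new`, and so does the copy that the `$(SRCDIR)/providers/fips.checksum` rule installs into the source tree. That rule installs the checksums file without the suffix, so anyone running `sha256sum -c providers/fips.checksum` from the source tree would get a missing-file error instead of a match. Stripping the suffix when the file is written, e.g. `sha256sum providers/fips-sources.checksums.new | sed -e 's|\.new||' > providers/fips.checksum.new`, keeps the recorded name aligned with the installed file. Also, `providers/fips.checksum.new` has no rule of its own in this hunk, so `make update-fips-checksums` appears to rely on `fips-checksums` having been run first; a comment above the rule saying so would help.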
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 7998d55d9a..c28995fc44 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -669,7 +669,7 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
 
     if (!fips_get_params_from_core(fgbl)) {
         /* Error already raised */
-        return 0;
+        goto err;
     }
     /*
      * Disable the conditional error check if it's disabled in the fips config
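Review bot: The error path now taken by `goto err;` has no test in this push, since the diffstat lists only the workflow, the Makefile template and this file, so the missing teardown could regress unnoticed. The `err:` label and the start of OSSL_provider_init are outside the hunk, so what the teardown releases cannot be checked here. It is worth confirming that it is safe to run when fips_get_params_from_core() fails before the later initialisation steps have executed. The comment could also say why the jump is needed, e.g. `/* Error already raised; err: performs the provider teardown */`.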

