[openssl] master update
tomas at openssl.org
tomas at openssl.org
Thu May 13 08:25:34 UTC 2021
The branch master has been updated
via 91a05d65908c2ee21920d0effbda58b8536c2768 (commit)
via 16e00da2c9a59e2e3ea774e546bdbe75b238595f (commit)
via 220927071e91667e58297d24d64e22fa06439a98 (commit)
via dea76175581ee827205bc70daa72c1de7872faf6 (commit)
via b17e79929819be3093fda576a4b8566c7fc7df70 (commit)
via 8e782e8b4f8da79713d67446ac179e87201f2a5a (commit)
via f3b1e3488cc194b0145b61dbe65b7b0b49a1abc4 (commit)
from 66ddc0759a435672f1c48b856a0968e7f6e35a82 (commit)
- Log -----------------------------------------------------------------
commit 91a05d65908c2ee21920d0effbda58b8536c2768
Author: Tomas Mraz <tomas at openssl.org>
Date: Wed May 12 16:14:01 2021 +0200
Allow diff-fips-checksums in in-tree build
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15229)
commit 16e00da2c9a59e2e3ea774e546bdbe75b238595f
Author: Tomas Mraz <tomas at openssl.org>
Date: Wed May 12 09:04:59 2021 +0200
Remove the severity: fips change label if fips checksum unchanged
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15229)
commit 220927071e91667e58297d24d64e22fa06439a98
Author: Tomas Mraz <tomas at openssl.org>
Date: Tue May 11 18:15:32 2021 +0200
Set the severity: fips change label if fips checksum changed
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15229)
commit dea76175581ee827205bc70daa72c1de7872faf6
Author: Tomas Mraz <tomas at openssl.org>
Date: Tue May 11 17:50:13 2021 +0200
fipsprov: Missing teardown on fips_get_params_from_core() error
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15229)
commit b17e79929819be3093fda576a4b8566c7fc7df70
Author: Tomas Mraz <tomas at openssl.org>
Date: Tue May 11 17:06:57 2021 +0200
Add checksums github CI action
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15229)
commit 8e782e8b4f8da79713d67446ac179e87201f2a5a
Author: Tomas Mraz <tomas at openssl.org>
Date: Tue May 11 16:20:51 2021 +0200
Add diff-fips-checksums target to compare BLDDIR and SRCDIR checksums
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15229)
commit f3b1e3488cc194b0145b61dbe65b7b0b49a1abc4
Author: Tomas Mraz <tomas at openssl.org>
Date: Tue May 11 16:07:35 2021 +0200
Compute the FIPS checksums in $(BLDDIR) and remove it from update target
Add also update-fips-checksums to update the checksums in the
$(SRCDIR) if the $(SRCDIR) and $(BLDDIR) is different.
The fips-checksums and generate_fips_sources targets are always
produced (regardless of enable-fips) as nothing else depends on them
and they are developer targets.
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15229)
-----------------------------------------------------------------------
Summary of changes:
.github/workflows/checksums.yml | 69 +++++++++++++++++++++++++++++++++++++++
Configurations/unix-Makefile.tmpl | 45 +++++++++++++------------
providers/fips/fipsprov.c | 2 +-
3 files changed, 95 insertions(+), 21 deletions(-)
create mode 100644 .github/workflows/checksums.yml
diff --git a/.github/workflows/checksums.yml b/.github/workflows/checksums.yml
new file mode 100644
index 0000000000..9caf49c9fb
--- /dev/null
+++ b/.github/workflows/checksums.yml
@@ -0,0 +1,69 @@
+name: FIPS Checksums
+on: [pull_request]
+jobs:
+ apply-label:
+ runs-on: ubuntu-latest
+ steps:
+ - name: install unifdef
+ run: |
+ sudo apt-get update
+ sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install unifdef
+ - uses: actions/checkout at v2
+ with:
+ ref: ${{ github.event.pull_request.base.sha }}
+ - name: create build dirs
+ run: |
+ mkdir ./build-pristine
+ mkdir ./build
+ - name: config pristine
+ run: ../config enable-fips && perl configdata.pm --dump
+ working-directory: ./build-pristine
+ - name: make build_generated pristine
+ run: make -s build_generated
+ working-directory: ./build-pristine
+ - name: make fips-checksums pristine
+ run: make fips-checksums
+ working-directory: ./build-pristine
+ - uses: actions/checkout at v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ clean: false
+ - name: config
+ run: ../config enable-fips && perl configdata.pm --dump
+ working-directory: ./build
+ - name: make build_generated
+ run: make -s build_generated
+ working-directory: ./build
+ - name: make fips-checksums
+ run: make fips-checksums
+ working-directory: ./build
+ - name: update checksums pristine
+ run: make update-fips-checksums
+ working-directory: ./build-pristine
+ - name: make diff-fips-checksums
+ run: make diff-fips-checksums && echo "fips_unchanged=1" >> $GITHUB_ENV || echo "fips_changed=1" >> $GITHUB_ENV
+ working-directory: ./build
+ - name: set label
+ if: ${{ env.fips_changed }}
+ uses: actions/github-script at v4
+ with:
+ github-token: ${{secrets.GITHUB_TOKEN}}
+ script: |
+ github.issues.addLabels({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ labels: ['severity: fips change']
+ })
+ - name: remove label
+ if: ${{ env.fips_unchanged }}
+ uses: actions/github-script at v4
+ with:
+ github-token: ${{secrets.GITHUB_TOKEN}}
+ script: |
+ github.issues.removeLabel({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ name: 'severity: fips change'
+ })
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index c2a0de3a97..9dcc0b0342 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -1055,9 +1055,6 @@ uninstall_html_docs:
# It's important that generate_buildinfo comes after ordinals, as ordinals
# is sensitive to build.info changes.
update: generate errors ordinals generate_buildinfo
-{- output_off() if $disabled{fips}; "" -}
-update: fips-checksums
-{- output_on() if $disabled{fips}; "" -}
generate: generate_apps generate_crypto_bn generate_crypto_objects \
generate_crypto_conf generate_crypto_asn1 generate_fuzz_oids
@@ -1140,9 +1137,8 @@ generate_doc_buildinfo:
mv $(SRCDIR)/doc/build.info.new $(SRCDIR)/doc/build.info; \
fi )
-{- output_off() if $disabled{fips}; "" -}
-generate_fips_sources: $(SRCDIR)/providers/fips.module.sources
-$(SRCDIR)/providers/fips.module.sources: \
+generate_fips_sources: providers/fips.module.sources.new
+providers/fips.module.sources.new: \
$(SRCDIR)/Configure \
{- join(" \\\n" . ' ' x 16,
fill_lines(" ", $COLUMNS - 16,
@@ -1171,9 +1167,8 @@ $(SRCDIR)/providers/fips.module.sources: \
crypto/sha/asm/*.pl; do \
echo "$$x"; \
done \
- ) | sort | uniq > $(SRCDIR)/providers/fips.module.sources
+ ) | sort | uniq > providers/fips.module.sources.new
rm -rf sources-tmp
-{- output_on() if $disabled{fips}; "" -}
# Set to -force to force a rebuild
ERROR_REBUILD=
@@ -1269,19 +1264,29 @@ tags TAGS: FORCE
-ctags -R .
-etags `find . -name '*.[ch]' -o -name '*.pm'`
-{- output_off() if $disabled{fips}; "" -}
fips-checksums: generate_fips_sources
- if which unifdef > /dev/null; then \
- ( cd $(SRCDIR) \
- && cat providers/fips.module.sources \
- | xargs ./util/fips-checksums.sh \
- > providers/fips-sources.checksums \
- && sha256sum providers/fips-sources.checksums \
- > providers/fips.checksum ); \
- else \
- echo >&2 "WARNING: unifdef not in your \$$PATH, FIPS checksums not calculated"; \
- fi
-{- output_on() if $disabled{fips}; "" -}
+ @which unifdef > /dev/null || \
+ ( echo >&2 "ERROR: unifdef not in your \$$PATH, FIPS checksums not calculated"; \
+ false )
+ ( sources=`pwd`/providers/fips.module.sources.new; \
+ cd $(SRCDIR) \
+ && cat $$sources \
+ | xargs ./util/fips-checksums.sh ) \
+ > providers/fips-sources.checksums.new \
+ && sha256sum providers/fips-sources.checksums.new \
+ > providers/fips.checksum.new
+
+$(SRCDIR)/providers/fips.checksum: providers/fips.checksum.new
+ cp -p providers/fips.module.sources.new $(SRCDIR)/providers/fips.module.sources
+ cp -p providers/fips-sources.checksums.new $(SRCDIR)/providers/fips-sources.checksums
+ cp -p providers/fips.checksum.new $(SRCDIR)/providers/fips.checksum
+
+update-fips-checksums: $(SRCDIR)/providers/fips.checksum
+
+diff-fips-checksums: fips-checksums
+ diff -u $(SRCDIR)/providers/fips.module.sources providers/fips.module.sources.new
+ diff -u $(SRCDIR)/providers/fips-sources.checksums providers/fips-sources.checksums.new
+ diff -u $(SRCDIR)/providers/fips.checksum providers/fips.checksum.new
# Release targets (note: only available on Unix) #####################
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 7998d55d9a..c28995fc44 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -669,7 +669,7 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
if (!fips_get_params_from_core(fgbl)) {
/* Error already raised */
- return 0;
+ goto err;
}
/*
* Disable the conditional error check if it's disabled in the fips config
More information about the openssl-commits
mailing list