Skip to content

Commit 1991ed9

Browse files
authored
Merge branch 'master' into vaes512_ctr_patch
2 parents e7f69c8 + b0912c2 commit 1991ed9

119 files changed

Lines changed: 2149 additions & 806 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
Lines changed: 202 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,202 @@
1+
# Copyright 2021-2026 The OpenSSL Project Authors. All Rights Reserved.
2+
#
3+
# Licensed under the Apache License 2.0 (the "License"). You may not use
4+
# this file except in compliance with the License. You can obtain a copy
5+
# in the file LICENSE in the source distribution or at
6+
# https://www.openssl.org/source/license.html
7+
8+
name: Cross Compile for AArch64 Extensions
9+
10+
on:
11+
pull_request:
12+
types: [opened, reopened, edited, synchronize]
13+
push:
14+
schedule:
15+
- cron: '05 03 * * *'
16+
workflow_dispatch:
17+
18+
permissions:
19+
contents: read
20+
21+
jobs:
22+
cross-compilation-aarch64:
23+
# pull request title contains 'aarch64'
24+
# pull request title contains 'arm64'
25+
# pull request body contains '[aarch64 ci]'
26+
# push event commit message contains '[aarch64 ci]'
27+
# cron job
28+
# manual dispatch
29+
if: contains(github.event.pull_request.title, 'aarch64') || contains(github.event.pull_request.title, 'AArch64') || contains(github.event.pull_request.title, 'arm64') || contains(github.event.pull_request.body, '[aarch64 ci]') || contains(github.event.head_commit.message, '[aarch64 ci]') || (github.event_name == 'schedule' && github.repository == 'openssl/openssl') || github.event_name == 'workflow_dispatch'
30+
strategy:
31+
fail-fast: false
32+
matrix:
33+
# The platform matrix specifies:
34+
# arch: the architecture to build for, this defines the tool-chain
35+
# prefix {arch}- and the Debian compiler package gcc-{arch}
36+
# name.
37+
# libs: the Debian package for the necessary link/runtime libraries.
38+
# target: the OpenSSL configuration target to use, this is passed
39+
# directly to the config command line.
40+
# fips: set to "no" to disable building FIPS, leave unset to
41+
# build the FIPS provider.
42+
# tests: omit this to run all the tests using QEMU, set it to "none"
43+
# to never run the tests, otherwise its value is passed to
44+
# the "make test" command to allow selective disabling of
45+
# tests.
46+
# qemucpu: optional; string that describes CPU properties.
47+
# The string will be used to set the QEMU_CPU variable.
48+
# opensslcapsname: optional; string that describes the postfix of the
49+
# OpenSSL environment variable that defines CPU
50+
# capabilities. E.g. "foo" will result in an
51+
# environment variable with the name OPENSSL_foo.
52+
# opensslcaps: optional; if opensslcapsname (see above) is set, then
53+
# this string will be used as content for the OpenSSL
54+
# capabilities variable.
55+
# capslabel: label used for artifacts.
56+
platform: [
57+
{
58+
# Baseline Armv8 crypto extensions:
59+
# include/crypto/aes_platform.h
60+
# providers/implementations/ciphers/cipher_aes_hw_armv8.inc
61+
# crypto/sha/asm/sha1-armv8.pl
62+
# crypto/aes/asm/aes-sha256-armv8.pl
63+
arch: aarch64-linux-gnu,
64+
libs: libc6-dev-arm64-cross,
65+
target: linux-aarch64,
66+
fips: no,
67+
qemucpu: max,
68+
opensslcapsname: armcap, # OPENSSL_armcap
69+
opensslcaps: "0x1d",
70+
capslabel: armv8-crypto
71+
}, {
72+
# PMULL-enabled AES-GCM / GHASH:
73+
# include/crypto/aes_platform.h
74+
# crypto/modes/asm/aes-gcm-armv8_64.pl
75+
# crypto/modes/asm/ghashv8-armx.pl
76+
arch: aarch64-linux-gnu,
77+
libs: libc6-dev-arm64-cross,
78+
target: linux-aarch64,
79+
fips: no,
80+
qemucpu: max,
81+
opensslcapsname: armcap, # OPENSSL_armcap
82+
opensslcaps: "0x3d",
83+
capslabel: armv8-pmull
84+
}, {
85+
# SHA512 extension:
86+
# crypto/aes/asm/aes-sha512-armv8.pl
87+
arch: aarch64-linux-gnu,
88+
libs: libc6-dev-arm64-cross,
89+
target: linux-aarch64,
90+
fips: no,
91+
qemucpu: max,
92+
opensslcapsname: armcap, # OPENSSL_armcap
93+
opensslcaps: "0x7d",
94+
capslabel: armv8-sha512
95+
}, {
96+
# SHA3-accelerated path. Since OPENSSL_armcap short-circuits runtime
97+
# detection, include the derived "worth using" and unroll bits too:
98+
# crypto/sha/sha3.c
99+
# providers/implementations/digests/sha3_prov.c
100+
# providers/implementations/ciphers/cipher_aes_gcm_hw_armv8.inc
101+
# providers/implementations/ciphers/cipher_aes_hw_armv8.inc
102+
arch: aarch64-linux-gnu,
103+
libs: libc6-dev-arm64-cross,
104+
target: linux-aarch64,
105+
fips: no,
106+
qemucpu: max,
107+
opensslcapsname: armcap, # OPENSSL_armcap
108+
opensslcaps: "0x1987d",
109+
capslabel: armv8-sha3
110+
}, {
111+
# SVE2 Poly1305 path. OPENSSL_armcap requires the derived
112+
# ARMV9_SVE2_POLY1305 bit to be set explicitly when capability
113+
# probing is overridden:
114+
# crypto/poly1305/asm/poly1305-armv8.pl
115+
# crypto/chacha/asm/chacha-armv8-sve.pl
116+
arch: aarch64-linux-gnu,
117+
libs: libc6-dev-arm64-cross,
118+
target: linux-aarch64,
119+
fips: no,
120+
qemucpu: max,
121+
opensslcapsname: armcap, # OPENSSL_armcap
122+
opensslcaps: "0x2601d",
123+
capslabel: armv9-sve2-poly1305
124+
}
125+
]
126+
runs-on: ubuntu-latest
127+
steps:
128+
- name: install packages
129+
run: |
130+
sudo apt-get update
131+
sudo apt-get -yq --allow-unauthenticated --allow-downgrades --allow-remove-essential --allow-change-held-packages install \
132+
gcc-${{ matrix.platform.arch }} \
133+
${{ matrix.platform.libs }}
134+
- uses: actions/checkout@v6
135+
with:
136+
persist-credentials: false
137+
- name: checkout fuzz/corpora submodule
138+
run: git submodule update --init --depth 1 fuzz/corpora
139+
140+
- name: config with FIPS
141+
if: matrix.platform.fips != 'no'
142+
run: |
143+
./config --banner=Configured --strict-warnings enable-fips enable-lms \
144+
--cross-compile-prefix=${{ matrix.platform.arch }}- \
145+
${{ matrix.platform.target }}
146+
- name: config without FIPS
147+
if: matrix.platform.fips == 'no'
148+
run: |
149+
./config --banner=Configured --strict-warnings enable-lms \
150+
--cross-compile-prefix=${{ matrix.platform.arch }}- \
151+
${{ matrix.platform.target }}
152+
- name: config dump
153+
run: ./configdata.pm --dump
154+
155+
- name: make
156+
run: make -s -j4
157+
158+
- name: install qemu
159+
if: matrix.platform.tests != 'none'
160+
run: sudo apt-get -yq --allow-unauthenticated --allow-downgrades --allow-remove-essential --allow-change-held-packages install qemu-user
161+
162+
- name: Set QEMU environment
163+
if: matrix.platform.qemucpu != ''
164+
run: echo "QEMU_CPU=${{ matrix.platform.qemucpu }}" >> $GITHUB_ENV
165+
166+
- name: Set OpenSSL caps environment
167+
if: matrix.platform.opensslcapsname != ''
168+
run: echo "OPENSSL_${{ matrix.platform.opensslcapsname }}=\
169+
${{ matrix.platform.opensslcaps }}" >> $GITHUB_ENV
170+
171+
- name: get cpu info
172+
run: cat /proc/cpuinfo
173+
174+
- name: get openssl cpu info
175+
if: matrix.platform.tests != 'none'
176+
run: QEMU_LD_PREFIX=/usr/${{ matrix.platform.arch }} ./util/opensslwrap.sh info -cpusettings
177+
178+
- name: make all tests
179+
if: github.event_name == 'push' && matrix.platform.tests == ''
180+
run: |
181+
.github/workflows/make-test \
182+
TESTS="-test_afalg" \
183+
QEMU_LD_PREFIX=/usr/${{ matrix.platform.arch }}
184+
- name: make some tests
185+
if: github.event_name == 'push' && matrix.platform.tests != 'none' && matrix.platform.tests != ''
186+
run: |
187+
.github/workflows/make-test \
188+
TESTS="${{ matrix.platform.tests }} -test_afalg" \
189+
QEMU_LD_PREFIX=/usr/${{ matrix.platform.arch }}
190+
- name: make evp tests
191+
if: github.event_name == 'pull_request' && matrix.platform.tests != 'none'
192+
run: |
193+
.github/workflows/make-test \
194+
TESTS="test_evp*" \
195+
QEMU_LD_PREFIX=/usr/${{ matrix.platform.arch }}
196+
- name: save artifacts
197+
if: success() || failure()
198+
uses: actions/upload-artifact@v5
199+
with:
200+
name: "cross-compiles-aarch64@${{ matrix.platform.capslabel }}"
201+
path: artifacts.tar.gz
202+
if-no-files-found: ignore

.github/workflows/backport.yml

Lines changed: 0 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -30,12 +30,6 @@ jobs:
3030
}, {
3131
branch: '3.4',
3232
cppflags: 'CPPFLAGS=-ansi'
33-
}, {
34-
branch: '3.3',
35-
cppflags: 'CPPFLAGS=-ansi',
36-
}, {
37-
branch: '3.2',
38-
cppflags: 'CPPFLAGS=-ansi'
3933
}, {
4034
branch: '3.0',
4135
cppflags: 'CPPFLAGS=-ansi'
Lines changed: 89 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,89 @@
1+
# Copyright 2026 The OpenSSL Project Authors. All Rights Reserved.
2+
#
3+
# Licensed under the Apache License 2.0 (the "License"). You may not use
4+
# this file except in compliance with the License. You can obtain a copy
5+
# in the file LICENSE in the source distribution or at
6+
# https://www.openssl.org/source/license.html
7+
8+
name: Constant-time validation (daily)
9+
# Verifies that ML-KEM and ML-DSA signing do not branch on secret data.
10+
#
11+
# The library is built with enable-ct-validation, which defines
12+
# OPENSSL_CONSTANT_TIME_VALIDATION and causes secret regions to be marked
13+
# as "uninitialised" from Valgrind memcheck's perspective. The tests are
14+
# then run via "make test" with OSSL_VALGRIND_CT=yes, which makes
15+
# OpenSSL::Test::test() wrap every test binary with:
16+
#
17+
# valgrind --tool=memcheck --track-origins=yes --error-exitcode=1
18+
#
19+
# The wrapper chain (util/wrap.pl -> util/shlib_wrap.sh) is preserved, so
20+
# LD_LIBRARY_PATH is set correctly for shared-library builds. Any
21+
# control-flow branch or memory index that depends on secret data causes
22+
# valgrind to exit with code 1, which propagates back through the test
23+
# harness and fails the job.
24+
#
25+
# See include/internal/constant_time.h for the CONSTTIME_SECRET /
26+
# CONSTTIME_DECLASSIFY macro documentation.
27+
#
28+
# Architecture note: Valgrind's memcheck supports x86_64, aarch64, s390x,
29+
# and ppc64 well. GitHub Actions provides hosted runners for x86_64
30+
# (ubuntu-latest) and aarch64 (ubuntu-24.04-arm); we test both here.
31+
# s390x and ppc64 runners are not available in the public GitHub Actions
32+
# fleet, so they are not included.
33+
#
34+
# Package note: on Debian/Ubuntu the valgrind package bundles the C headers
35+
# (valgrind/memcheck.h) — no separate -dev package is required. On Fedora
36+
# the headers are in valgrind-devel; see Configure for the full list.
37+
38+
on:
39+
schedule:
40+
- cron: '45 03 * * *'
41+
workflow_dispatch:
42+
43+
permissions:
44+
contents: read
45+
46+
jobs:
47+
ct-validation:
48+
if: github.repository == 'openssl/openssl'
49+
strategy:
50+
fail-fast: false
51+
matrix:
52+
include:
53+
- name: linux-x86_64
54+
runs-on: ubuntu-latest
55+
- name: linux-aarch64
56+
runs-on: ubuntu-24.04-arm
57+
58+
name: CT validation (${{ matrix.name }})
59+
runs-on: ${{ matrix.runs-on }}
60+
61+
steps:
62+
- uses: actions/checkout@v6
63+
with:
64+
persist-credentials: false
65+
66+
- name: Install valgrind
67+
# On Debian/Ubuntu the main 'valgrind' package includes
68+
# /usr/include/valgrind/memcheck.h — no separate -dev package needed.
69+
run: |
70+
sudo apt-get -y update
71+
sudo apt-get -y install valgrind
72+
73+
- name: Configure with CT validation enabled
74+
run: |
75+
./Configure enable-ct-validation
76+
./configdata.pm --dump
77+
78+
- name: Build
79+
run: make -j$(nproc)
80+
81+
- name: Run ML-KEM and ML-DSA CT validation under Valgrind
82+
# OSSL_VALGRIND_CT=yes causes OpenSSL::Test::test() to wrap each
83+
# test binary with valgrind --track-origins=yes --error-exitcode=1.
84+
# util/wrap.pl -> util/shlib_wrap.sh sets LD_LIBRARY_PATH first, so
85+
# the shared libraries are found correctly.
86+
run: |
87+
make TESTS="test_internal_ml_kem test_internal_ml_dsa" \
88+
OSSL_VALGRIND_CT=yes \
89+
test

.github/workflows/interop-tests.yml

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -72,7 +72,6 @@ jobs:
7272
{ openssl: 'openssl-3.6', openssh: 'openssl-3.6', openssl_config: 'no-docs'},
7373
{ openssl: 'openssl-3.5', openssh: 'openssl-3.5', openssl_config: 'no-docs'},
7474
{ openssl: 'openssl-3.4', openssh: 'openssl-3.4', openssl_config: 'no-docs'},
75-
{ openssl: 'openssl-3.3', openssh: 'openssl-3.3', openssl_config: 'no-docs'},
7675
{ openssl: 'openssl-3.0', openssh: 'openssl-3.0', openssl_config: ''}
7776
]
7877
runs-on: ubuntu-latest

.github/workflows/prov-compat-label.yml

Lines changed: 1 addition & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -115,11 +115,6 @@ jobs:
115115
dir: branch-3.0,
116116
tgz: branch-3.0.tar.gz,
117117
extra_config: "",
118-
}, {
119-
name: openssl-3.3,
120-
dir: branch-3.3,
121-
tgz: branch-3.3.tar.gz,
122-
extra_config: "",
123118
}, {
124119
name: openssl-3.4,
125120
dir: branch-3.4,
@@ -210,7 +205,7 @@ jobs:
210205
# Note that releases are not used as a test environment for
211206
# later providers. Problems in these situations ought to be
212207
# caught by cross branch testing before the release.
213-
tree_a: [ branch-4.0, branch-3.6, branch-3.5, branch-3.4, branch-3.3, branch-3.0,
208+
tree_a: [ branch-4.0, branch-3.6, branch-3.5, branch-3.4, branch-3.0,
214209
openssl-3.0.0, openssl-3.0.8, openssl-3.0.9, openssl-3.1.2 ]
215210
tree_b: [ PR ]
216211
include:
@@ -224,8 +219,6 @@ jobs:
224219
tree_b: branch-3.5
225220
- tree_a: PR
226221
tree_b: branch-3.4
227-
- tree_a: PR
228-
tree_b: branch-3.3
229222
- tree_a: PR
230223
tree_b: branch-3.0
231224
steps:

.github/workflows/provider-compatibility.yml

Lines changed: 2 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -119,11 +119,6 @@ jobs:
119119
dir: branch-3.0,
120120
tgz: branch-3.0.tar.gz,
121121
extra_config: "",
122-
}, {
123-
name: openssl-3.3,
124-
dir: branch-3.3,
125-
tgz: branch-3.3.tar.gz,
126-
extra_config: "",
127122
}, {
128123
name: openssl-3.4,
129124
dir: branch-3.4,
@@ -219,10 +214,10 @@ jobs:
219214
# later providers. Problems in these situations ought to be
220215
# caught by cross branch testing before the release.
221216
tree_a: [ branch-master, branch-4.0, branch-3.6, branch-3.5, branch-3.4,
222-
branch-3.3, branch-3.0,
217+
branch-3.0,
223218
openssl-3.0.0, openssl-3.0.8, openssl-3.0.9, openssl-3.1.2 ]
224219
tree_b: [ branch-master, branch-4.0, branch-3.6, branch-3.5, branch-3.4,
225-
branch-3.3, branch-3.0 ]
220+
branch-3.0 ]
226221
steps:
227222
- name: early exit checks
228223
id: early_exit

0 commit comments

Comments
 (0)