From 1dd3cb3408f0ad92b39a1662fa333e5ad8a75780 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 8 Nov 2023 10:22:54 +0100 Subject: [PATCH 01/11] Properly limit the variable output size for BLAKE2 The upper limit of the output size is the default output size of the algorithm. Reviewed-by: Tim Hudson Reviewed-by: Shane Lontis Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22661) Signed-off-by: fly2x --- doc/man7/EVP_MD-BLAKE2.pod | 18 ++++++++++++++---- .../implementations/digests/blake2b_prov.c | 2 +- test/recipes/30-test_evp_data/evpmd_blake.txt | 5 +++++ 3 files changed, 20 insertions(+), 5 deletions(-) diff --git a/doc/man7/EVP_MD-BLAKE2.pod b/doc/man7/EVP_MD-BLAKE2.pod index ba0658206c..a490ed8ec0 100644 --- a/doc/man7/EVP_MD-BLAKE2.pod +++ b/doc/man7/EVP_MD-BLAKE2.pod @@ -32,16 +32,20 @@ in L. =head2 Settable Context Parameters -The BLAKE2B-512 implementation supports the following L entries, -settable for an B with L: +The BLAKE2B-512 implementation supports the following L entries +which are settable for an B with L or +L: =over 4 =item "size" (B) Sets a different digest length for the L output. -The value of the "size" parameter should not exceed 255 and it must be set -during the L call. +The value of the "size" parameter must not exceed the default digest length +(64 for BLAKE2B-512). The parameter must be set with the +L call to have an immediate effect. When set with +L it will have an effect only if the B +context is reinitialized. =back @@ -49,6 +53,12 @@ during the L call. L, L +=head1 HISTORY + +This functionality was added in OpenSSL 3.0. + +The variable size support was added in OpenSSL 3.2 for BLAKE2B-512. + =head1 COPYRIGHT Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. diff --git a/providers/implementations/digests/blake2b_prov.c b/providers/implementations/digests/blake2b_prov.c index ee61de8a72..1917990c44 100644 --- a/providers/implementations/digests/blake2b_prov.c 
+++ b/providers/implementations/digests/blake2b_prov.c @@ -82,7 +82,7 @@ int ossl_blake2b_set_ctx_params(void *vctx, const OSSL_PARAM params[]) ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); return 0; } - if (size < 1 || size > UINT8_MAX) { + if (size < 1 || size > BLAKE2B_OUTBYTES) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_SIZE); return 0; } diff --git a/test/recipes/30-test_evp_data/evpmd_blake.txt b/test/recipes/30-test_evp_data/evpmd_blake.txt index 474e659142..5fdb574d45 100644 --- a/test/recipes/30-test_evp_data/evpmd_blake.txt +++ b/test/recipes/30-test_evp_data/evpmd_blake.txt @@ -99,3 +99,8 @@ Digest = BLAKE2b512 Input = 61 OutputSize = 32 Output = 8928aae63c84d87ea098564d1e03ad813f107add474e56aedd286349c0c03ea4 + +Digest = BLAKE2b512 +Input = 61 +OutputSize = 65 +Result = DIGESTINIT_ERROR -- Gitee From 3fd364b4ff0e2426afee5cc9a553e49477c0903e Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Fri, 10 Nov 2023 15:31:23 -0500 Subject: [PATCH 02/11] Force Nonstop to use fcntl(F_GETFL) in BIO_sock_nbio In tracking down a hang, we found that nonstop platforms were falling into the if #ifdef FIONBIO clause in the implementation of BIO_sock_nbio. While the platform defines this macro, sockets set with this continued to operate in blocking mode. Given that the platform also support O_NONBLOCK, adjust the ifdef to have the nonstop platform use that method to ensure that sockets enter blocking mode Related-To #22588 Reviewed-by: Paul Dale Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/22696) (cherry picked from commit f63e1b48ac893dd6110452e70ed08f191547cd89) Signed-off-by: fly2x --- crypto/bio/bio_sock.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/bio/bio_sock.c b/crypto/bio/bio_sock.c index 7aa7bdc65e..9f2ae73063 100644 --- a/crypto/bio/bio_sock.c +++ b/crypto/bio/bio_sock.c 
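Review bot: The tightened check `if (size < 1 || size > BLAKE2B_OUTBYTES)` in ossl_blake2b_set_ctx_params has no comment recording why the ceiling is the algorithm's native output length, and the old `UINT8_MAX` bound shows how easily a limit taken from a field width slips in. A one-line comment above it, e.g. `/* requested length must not exceed the native digest size (BLAKE2B_OUTBYTES) */`, would pin the intent for later edits. The accompanying evpmd_blake.txt hunk covers only `OutputSize = 65`; if the test harness accepts it, a case for `OutputSize = 0` would exercise the lower half of the same condition. The function body starts and ends outside the hunk.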
@@ -354,7 +354,7 @@ int BIO_socket_nbio(int s, int mode) int l; l = mode; -# ifdef FIONBIO +# if defined(FIONBIO) && !defined(OPENSSL_SYS_TANDEM) l = mode; ret = BIO_socket_ioctl(s, FIONBIO, &l); -- Gitee From 26cb4e6f03762d11dec743c8ece6246d19f2709a Mon Sep 17 00:00:00 2001 From: James Muir Date: Fri, 3 Nov 2023 13:15:04 -0400 Subject: [PATCH 03/11] cms demos: print signingTime attributes Add a makefile for the cms demos, and add a routine to cms_ver.c to print any signingTime attributes from the CMS_ContentInfo object. This provides an example that could be extended if an application wants to examine the purported signing times. Part of #8026 Testing: $ cd demos/cms $ make test Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22618) (cherry picked from commit 9257a89b6f25dfa5aeee7114baec8ea992fcf5e5) Signed-off-by: fly2x --- demos/cms/Makefile | 35 +++++++++++++++++++++++++++++++ demos/cms/cms_dec.c | 2 ++ demos/cms/cms_enc.c | 2 ++ demos/cms/cms_sign2.c | 2 ++ demos/cms/cms_ver.c | 48 ++++++++++++++++++++++++++++++++++++++++++- 5 files changed, 88 insertions(+), 1 deletion(-) create mode 100644 demos/cms/Makefile diff --git a/demos/cms/Makefile b/demos/cms/Makefile new file mode 100644 index 0000000000..7c8f30d632 --- /dev/null +++ b/demos/cms/Makefile 
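Review bot: The guard `# if defined(FIONBIO) && !defined(OPENSSL_SYS_TANDEM)` in BIO_socket_nbio excludes NonStop without saying why, so the reason (FIONBIO is defined there but the socket stays blocking) lives only in the commit message. Add a comment above the `# if`, e.g. `/* NonStop defines FIONBIO, but the ioctl leaves the socket blocking; use the fcntl() path there */`. The fallback branch is outside the hunk, so it should be confirmed that its own preprocessor condition holds on OPENSSL_SYS_TANDEM builds; otherwise no branch would be compiled for that platform.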
@@ -0,0 +1,35 @@ +# +# To run the demos when linked with a shared library (default) ensure that +# libcrypto is on the library path. For example, to run the +# cms_enc demo: +# +# LD_LIBRARY_PATH=../.. ./cms_enc + +TESTS = cms_comp \ + cms_ddec \ + cms_dec \ + cms_denc \ + cms_enc \ + cms_sign \ + cms_sign2 \ + cms_uncomp \ + cms_ver + +CFLAGS = -I../../include -g +LDFLAGS = -L../.. +LDLIBS = -lcrypto + +all: $(TESTS) + +clean: + $(RM) $(TESTS) *.o + +cms_%: cms_%.c + $(CC) $(CFLAGS) $(LDFLAGS) -o "$@" "$<" $(LDLIBS) + +test: all + @echo "\nCMS tests:" + LD_LIBRARY_PATH=../.. ./cms_enc + LD_LIBRARY_PATH=../.. ./cms_dec + LD_LIBRARY_PATH=../.. ./cms_sign2 + LD_LIBRARY_PATH=../.. ./cms_ver diff --git a/demos/cms/cms_dec.c b/demos/cms/cms_dec.c index ebc34a5f94..f64a68ab42 100644 --- a/demos/cms/cms_dec.c +++ b/demos/cms/cms_dec.c @@ -59,6 +59,8 @@ int main(int argc, char **argv) if (!CMS_decrypt(cms, rkey, rcert, NULL, out, 0)) goto err; + printf("Decryption Successful\n"); + ret = EXIT_SUCCESS; err: diff --git a/demos/cms/cms_enc.c b/demos/cms/cms_enc.c index a0af2c4774..1f69571a17 100644 --- a/demos/cms/cms_enc.c +++ b/demos/cms/cms_enc.c @@ -73,6 +73,8 @@ int main(int argc, char **argv) if (!SMIME_write_CMS(out, cms, in, flags)) goto err; + printf("Encryption Successful\n"); + ret = EXIT_SUCCESS; err: if (ret != EXIT_SUCCESS) { diff --git a/demos/cms/cms_sign2.c b/demos/cms/cms_sign2.c index b10043f921..61d9f8bbe8 100644 --- a/demos/cms/cms_sign2.c +++ b/demos/cms/cms_sign2.c @@ -77,6 +77,8 @@ int main(int argc, char **argv) if (!SMIME_write_CMS(out, cms, in, CMS_STREAM)) goto err; + printf("Signing Successful\n"); + ret = EXIT_SUCCESS; err: if (ret != EXIT_SUCCESS) { diff --git a/demos/cms/cms_ver.c b/demos/cms/cms_ver.c index f7d3a9bc85..43e9d09854 100644 --- a/demos/cms/cms_ver.c +++ b/demos/cms/cms_ver.c 
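Review bot: The new demos/cms/Makefile declares `all`, `clean` and `test` without marking them phony, so a stray file named `test` or `all` in the directory would stop the target from running; add `.PHONY: all clean test`. The `@echo "\nCMS tests:"` line also depends on the shell's echo interpreting `\n`, which is not uniform across shells; `@printf '\nCMS tests:\n'` behaves the same everywhere.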
@@ -12,6 +12,49 @@ #include #include +/* + * print any signingTime attributes. + * signingTime is when each party purportedly signed the message. + */ +static void print_signingTime(CMS_ContentInfo *cms) +{ + STACK_OF(CMS_SignerInfo) *sis; + CMS_SignerInfo *si; + X509_ATTRIBUTE *attr; + ASN1_TYPE *t; + ASN1_UTCTIME *utctime; + ASN1_GENERALIZEDTIME *gtime; + BIO *b; + int i, loc; + + b = BIO_new_fp(stdout, BIO_NOCLOSE | BIO_FP_TEXT); + sis = CMS_get0_SignerInfos(cms); + for (i = 0; i < sk_CMS_SignerInfo_num(sis); i++) { + si = sk_CMS_SignerInfo_value(sis, i); + loc = CMS_signed_get_attr_by_NID(si, NID_pkcs9_signingTime, -1); + attr = CMS_signed_get_attr(si, loc); + t = X509_ATTRIBUTE_get0_type(attr, 0); + if (t == NULL) + continue; + switch (t->type) { + case V_ASN1_UTCTIME: + utctime = t->value.utctime; + ASN1_UTCTIME_print(b, utctime); + break; + case V_ASN1_GENERALIZEDTIME: + gtime = t->value.generalizedtime; + ASN1_GENERALIZEDTIME_print(b, gtime); + break; + default: + fprintf(stderr, "unrecognized signingTime type\n"); + break; + } + BIO_printf(b, ": signingTime from SignerInfo %i\n", i); + } + BIO_free(b); + return; +} + int main(int argc, char **argv) { BIO *in = NULL, *out = NULL, *tbio = NULL, *cont = NULL; @@ -56,6 +99,8 @@ int main(int argc, char **argv) if (cms == NULL) goto err; + print_signingTime(cms); + /* File to output verified content to */ out = BIO_new_file("smver.txt", "w"); if (out == NULL) @@ -66,9 +111,10 @@ int main(int argc, char **argv) goto err; } - fprintf(stderr, "Verification Successful\n"); + printf("Verification Successful\n"); ret = EXIT_SUCCESS; + err: if (ret != EXIT_SUCCESS) { fprintf(stderr, "Error Verifying Data\n"); -- Gitee From 2b10813a5ad176117ce762f6af9411d3208afa95 Mon Sep 17 00:00:00 2001 
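Review bot: In print_signingTime the result of `BIO_new_fp()` is passed to the print calls without a NULL check; add `if (b == NULL) return;` right after the allocation. The loop also depends on `CMS_signed_get_attr()` and `X509_ATTRIBUTE_get0_type()` tolerating a missing attribute when `CMS_signed_get_attr_by_NID()` finds none (signingTime is optional), so an explicit `if (loc < 0) continue;` would make that case visible instead of implicit. In the `default:` branch the trailing `BIO_printf(b, ": signingTime from SignerInfo %i\n", i)` is still emitted with no time in front of it, and the error goes to stderr while the rest goes through the BIO.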
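Review bot: `print_signingTime(cms)` is called right after the structure is parsed and before the "Verification Successful" path, so the times it prints come from signer-supplied attributes whose signatures have not been checked yet. Because the commit message offers this demo as a base for applications that examine signing times, either move the call after the successful verify or add a comment at the call such as `/* signingTime is claimed by the signer and unverified here; do not base trust decisions on it */`. The verify call itself is outside the hunk.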
From: "Randall S. Becker" Date: Fri, 10 Nov 2023 20:24:22 +0000 Subject: [PATCH 04/11] Correct 50-nonstop.conf to support QUIC tests under SPT threading models. This fix also separates the FLOSS from SPT configurations which should not have been conflated in the 3.0 series. Related-to: #22588 Signed-off-by: Randall S. Becker Reviewed-by: Tim Hudson Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22697) Signed-off-by: fly2x --- Configurations/50-nonstop.conf | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/Configurations/50-nonstop.conf b/Configurations/50-nonstop.conf index 53081576cc..827a13b4ee 100644 --- a/Configurations/50-nonstop.conf +++ b/Configurations/50-nonstop.conf @@ -172,8 +172,10 @@ }, 'nonstop-model-spt' => { template => 1, + cflags => add('-Wnowarn=140'), defines => ['_SPT_MODEL_', - '_REENTRANT', '_ENABLE_FLOSS_THREADS'], + 'SPT_THREAD_AWARE_NONBLOCK', + '_REENTRANT'], ex_libs => '-lspt', }, @@ -182,7 +184,7 @@ # disable threads. 'nonstop-model-floss' => { template => 1, - defines => ['OPENSSL_TANDEM_FLOSS'], + defines => ['OPENSSL_TANDEM_FLOSS', '_ENABLE_FLOSS_THREADS'], includes => ['/usr/local/include'], ex_libs => '-lfloss', }, -- Gitee From e53d41bf90e7fbbd384d4611030a5800bce92650 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 10 Nov 2023 17:28:16 +0100 Subject: [PATCH 05/11] Rearrange some CI jobs Those less useful should be in daily or on-push runs. Those more likely triggering CI failure that do not take too much time should be in main on pull request CI. Reviewed-by: Paul Dale Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/22693) (cherry picked from commit 456b32ba4f85000d168230b8cc5f58571699ed63) 
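Review bot: `cflags => add('-Wnowarn=140')` in the `nonstop-model-spt` template suppresses a compiler diagnostic for every file built under that model, and nothing in the entry says which diagnostic 140 is or which code triggers it. A comment on that line naming the warning and why it is expected, e.g. `# warning 140: <diagnostic text>, raised by <construct>` with the placeholders filled in, would let a later reviewer judge whether the suppression is still needed or is hiding a real problem.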
Signed-off-by: fly2x --- .github/workflows/ci.yml | 146 --------------- .github/workflows/run-checker-ci.yml | 4 +- .github/workflows/run-checker-daily-sctp.yml | 53 ------ .github/workflows/run-checker-daily.yml | 186 ++++++++++++++++++- .github/workflows/run-checker-merge.yml | 3 +- 5 files changed, 189 insertions(+), 203 deletions(-) delete mode 100644 .github/workflows/run-checker-daily-sctp.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 815f7c61b5..c5643fbf5c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -283,117 +283,6 @@ jobs: - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - enable_brotli_dynamic: - runs-on: ubuntu-latest - steps: - - name: install brotli - run: | - sudo apt-get update - sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install brotli libbrotli1 libbrotli-dev - - name: checkout openssl - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: ./config enable-comp enable-brotli enable-brotli-dynamic && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - - enable_zstd_dynamic: - runs-on: ubuntu-latest - steps: - - name: install zstd - run: | - sudo apt-get update - sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install zstd libzstd1 libzstd-dev - - name: checkout openssl - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: ./config enable-comp enable-zstd enable-zstd-dynamic && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - - enable_brotli_and_zstd_dynamic: - runs-on: ubuntu-latest - steps: - - name: install brotli and zstd - run: | - sudo apt-get update - sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install brotli libbrotli1 libbrotli-dev - sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install zstd libzstd1 libzstd-dev - - name: checkout openssl - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: 
./config enable-comp enable-brotli enable-brotli-dynamic enable-zstd enable-zstd-dynamic && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - - enable_brotli_and_asan_ubsan: - runs-on: ubuntu-latest - steps: - - name: install brotli - run: | - sudo apt-get update - sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install brotli libbrotli1 libbrotli-dev - - name: checkout openssl - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: ./config --banner=Configured --debug enable-asan enable-ubsan enable-comp enable-brotli -DPEDANTIC && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 - - enable_zstd_and_asan_ubsan: - runs-on: ubuntu-latest - steps: - - name: install zstd - run: | - sudo apt-get update - sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install zstd libzstd1 libzstd-dev - - name: checkout openssl - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: ./config --banner=Configured --debug enable-asan enable-ubsan enable-comp enable-zstd -DPEDANTIC && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 - no-legacy: runs-on: ubuntu-latest steps: 
@@ -428,41 +317,6 @@ jobs: - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - enable-tfo: - strategy: - matrix: - os: [ ubuntu-latest, macos-latest ] - runs-on: ${{matrix.os}} - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: CC=gcc ./config --banner=Configured enable-tfo --strict-warnings && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - - buildtest: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: ./config --banner=Configured no-asm no-makedepend enable-buildtest-c++ enable-fips --strict-warnings -D_DEFAULT_SOURCE && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - out-of-source-and-install: strategy: matrix: diff --git a/.github/workflows/run-checker-ci.yml b/.github/workflows/run-checker-ci.yml index 2b7ca84d86..2ef91e8029 100644 --- a/.github/workflows/run-checker-ci.yml +++ b/.github/workflows/run-checker-ci.yml @@ -23,12 +23,12 @@ jobs: no-dh, no-dtls, no-ec, - no-ec2m, no-ecx, no-http, no-legacy, no-sock, enable-ssl-trace, + no-stdio, no-threads, no-thread-pool, no-default-thread-pool, @@ -53,6 +53,6 @@ jobs: - name: get cpu info run: | cat /proc/cpuinfo - ./util/opensslwrap.sh version -c + if [ -x apps/openssl ] ; then ./util/opensslwrap.sh version -c ; fi - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} diff --git a/.github/workflows/run-checker-daily-sctp.yml b/.github/workflows/run-checker-daily-sctp.yml deleted file mode 100644 index ba9a5178f0..0000000000 
--- a/.github/workflows/run-checker-daily-sctp.yml +++ /dev/null @@ -1,53 +0,0 @@ -# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. -# -# Licensed under the Apache License 2.0 (the "License"). You may not use -# this file except in compliance with the License. You can obtain a copy -# in the file LICENSE in the source distribution or at -# https://www.openssl.org/source/license.html - -name: Run-checker CI daily sctp -on: - schedule: - - cron: '0 6 * * *' -permissions: - contents: read - -jobs: - run-checker: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: Install Dependencies for sctp option - run: | - sudo apt-get update - sudo apt-get -yq install lksctp-tools libsctp-dev - - - name: Check SCTP and enable auth - id: sctp_auth - continue-on-error: true - run: | - checksctp - sudo sysctl -w net.sctp.auth_enable=1 - - - name: config - if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success' - run: CC=clang ./config --banner=Configured --strict-warnings enable-sctp - - - name: config dump - if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success' - run: ./configdata.pm --dump - - - name: make - if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success' - run: make -s -j4 - - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - - name: make test - if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success' - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml index 0dbbac285f..157746f39f 100644 --- a/.github/workflows/run-checker-daily.yml +++ b/.github/workflows/run-checker-daily.yml 
@@ -112,7 +112,6 @@ jobs: no-ssl3-method, no-ssl-trace, no-static-engine no-shared, - no-stdio, no-tests, enable-tfo, no-tls1, 
@@ -150,3 +149,188 @@ jobs: if [ -x apps/openssl ] ; then ./util/opensslwrap.sh version -c ; fi - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + + run-checker-sctp: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: checkout fuzz/corpora submodule + run: git submodule update --init --depth 1 fuzz/corpora + - name: Install Dependencies for sctp option + run: | + sudo apt-get update + sudo apt-get -yq install lksctp-tools libsctp-dev + + - name: Check SCTP and enable auth + id: sctp_auth + continue-on-error: true + run: | + checksctp + sudo sysctl -w net.sctp.auth_enable=1 + + - name: config + if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success' + run: CC=clang ./config --banner=Configured --strict-warnings enable-sctp + + - name: config dump + if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success' + run: ./configdata.pm --dump + + - name: make + if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success' + run: make -s -j4 + + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c + + - name: make test + if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success' + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + + enable_brotli_dynamic: + runs-on: ubuntu-latest + steps: + - name: install brotli + run: | + sudo apt-get update + sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install brotli libbrotli1 libbrotli-dev + - name: checkout openssl + uses: actions/checkout@v4 + - name: checkout fuzz/corpora submodule + run: git submodule update --init --depth 1 fuzz/corpora + - name: config + run: ./config enable-comp enable-brotli enable-brotli-dynamic && perl configdata.pm --dump + - name: make + run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + + 
enable_zstd_dynamic: + runs-on: ubuntu-latest + steps: + - name: install zstd + run: | + sudo apt-get update + sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install zstd libzstd1 libzstd-dev + - name: checkout openssl + uses: actions/checkout@v4 + - name: checkout fuzz/corpora submodule + run: git submodule update --init --depth 1 fuzz/corpora + - name: config + run: ./config enable-comp enable-zstd enable-zstd-dynamic && perl configdata.pm --dump + - name: make + run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + + enable_brotli_and_zstd_dynamic: + runs-on: ubuntu-latest + steps: + - name: install brotli and zstd + run: | + sudo apt-get update + sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install brotli libbrotli1 libbrotli-dev + sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install zstd libzstd1 libzstd-dev + - name: checkout openssl + uses: actions/checkout@v4 + - name: checkout fuzz/corpora submodule + run: git submodule update --init --depth 1 fuzz/corpora + - name: config + run: ./config enable-comp enable-brotli enable-brotli-dynamic enable-zstd enable-zstd-dynamic && perl configdata.pm --dump + - name: make + run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + + enable_brotli_and_asan_ubsan: + runs-on: ubuntu-latest + steps: + - name: install brotli + run: | + sudo apt-get update + sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install brotli libbrotli1 libbrotli-dev + - name: checkout openssl + uses: actions/checkout@v4 + - name: checkout fuzz/corpora submodule + run: git submodule update --init --depth 1 fuzz/corpora + - name: config + run: ./config --banner=Configured --debug enable-asan 
enable-ubsan enable-comp enable-brotli -DPEDANTIC && perl configdata.pm --dump + - name: make + run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 + + enable_zstd_and_asan_ubsan: + runs-on: ubuntu-latest + steps: + - name: install zstd + run: | + sudo apt-get update + sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install zstd libzstd1 libzstd-dev + - name: checkout openssl + uses: actions/checkout@v4 + - name: checkout fuzz/corpora submodule + run: git submodule update --init --depth 1 fuzz/corpora + - name: config + run: ./config --banner=Configured --debug enable-asan enable-ubsan enable-comp enable-zstd -DPEDANTIC && perl configdata.pm --dump + - name: make + run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 + + enable_tfo: + strategy: + matrix: + os: [ ubuntu-latest, macos-latest ] + runs-on: ${{matrix.os}} + steps: + - uses: actions/checkout@v4 + - name: checkout fuzz/corpora submodule + run: git submodule update --init --depth 1 fuzz/corpora + - name: config + run: CC=gcc ./config --banner=Configured enable-tfo --strict-warnings && perl configdata.pm --dump + - name: make + run: make -s -j4 + - name: get cpu info + run: ./util/opensslwrap.sh version -c + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + + enable_buildtest: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: checkout fuzz/corpora submodule + run: git submodule update --init --depth 1 fuzz/corpora + - name: config + run: ./config --banner=Configured no-asm no-makedepend enable-buildtest-c++ enable-fips --strict-warnings -D_DEFAULT_SOURCE && perl configdata.pm --dump + - name: make + run: make -s -j4 + - name: get cpu info + run: | + 
cat /proc/cpuinfo + ./util/opensslwrap.sh version -c + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} diff --git a/.github/workflows/run-checker-merge.yml b/.github/workflows/run-checker-merge.yml index 461f16527d..c5958a5b99 100644 --- a/.github/workflows/run-checker-merge.yml +++ b/.github/workflows/run-checker-merge.yml @@ -22,6 +22,7 @@ jobs: no-ct, no-dso, no-dynamic-engine, + no-ec2m, no-engine no-shared, no-err, no-filenames, @@ -49,6 +50,6 @@ jobs: - name: get cpu info run: | cat /proc/cpuinfo - ./util/opensslwrap.sh version -c + if [ -x apps/openssl ] ; then ./util/opensslwrap.sh version -c ; fi - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} -- Gitee From f7c104c27e07c8b248690f60697b416cd9066a42 Mon Sep 17 00:00:00 2001 From: "Matthias St. Pierre" Date: Sun, 5 Nov 2023 00:18:08 +0100 Subject: [PATCH 06/11] README: add link to OpenSSL 3.2 manual pages Reviewed-by: Richard Levitte Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/22625) (cherry picked from commit 4f0172c543dd0f5582d52185bfe2c132faee9c8e) Signed-off-by: fly2x --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index aa1a233ab1..c3dac35096 100644 --- a/README.md +++ b/README.md @@ -154,6 +154,7 @@ available online. - [OpenSSL master](https://www.openssl.org/docs/manmaster) - [OpenSSL 3.0](https://www.openssl.org/docs/man3.0) - [OpenSSL 3.1](https://www.openssl.org/docs/man3.1) +- [OpenSSL 3.2](https://www.openssl.org/docs/man3.2) Demos ----- -- Gitee From 02bc4cd9432266b9c2dbacc13f7a807ac418132a Mon Sep 17 00:00:00 2001 
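Review bot: The brotli and zstd jobs added to run-checker-daily.yml install packages with `apt-get ... --force-yes`, a deprecated switch that lets apt continue past conditions it would normally stop on, including packages it cannot authenticate; `-yq` already answers the prompts, so `--force-yes` can be dropped from those install steps. In the new `run-checker-sctp` job the `get cpu info` step runs `./util/opensslwrap.sh version -c` unconditionally while config and make are skipped when `sctp_auth` fails; the guard this commit uses in the other workflows, `if [ -x apps/openssl ] ; then ./util/opensslwrap.sh version -c ; fi`, would fit there too.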
From: Matt Caswell Date: Mon, 13 Nov 2023 14:16:57 +0000 Subject: [PATCH 07/11] Keep track of connection credit as we add stream data If a single packet contains data from multiple streams we need to keep track of the cummulative connection level credit consumed across all of the streams. Once the connection level credit has been consumed we must stop adding stream data. Fixes #22706 Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22718) (cherry picked from commit e57bf6b3bfa2f0b18e5cad7fd3c5fdd7c51516b9) Signed-off-by: fly2x --- include/internal/quic_fc.h | 10 ++++++---- ssl/quic/quic_fc.c | 14 +++++++------- ssl/quic/quic_stream_map.c | 2 +- ssl/quic/quic_txp.c | 18 ++++++++++++------ test/quic_fc_test.c | 20 ++++++++++---------- 5 files changed, 36 insertions(+), 28 deletions(-) diff --git a/include/internal/quic_fc.h b/include/internal/quic_fc.h index 7a8273d542..49b448a3a4 100644 --- a/include/internal/quic_fc.h +++ b/include/internal/quic_fc.h @@ -61,16 +61,18 @@ int ossl_quic_txfc_bump_cwm(QUIC_TXFC *txfc, uint64_t cwm); * * If called on a stream-level TXFC, ossl_quic_txfc_get_credit is called on * the connection-level TXFC as well, and the lesser of the two values is - * returned. + * returned. The consumed value is the amount already consumed on the connection + * level TXFC. */ -uint64_t ossl_quic_txfc_get_credit(QUIC_TXFC *txfc); +uint64_t ossl_quic_txfc_get_credit(QUIC_TXFC *txfc, uint64_t consumed); /* * Like ossl_quic_txfc_get_credit(), but when called on a stream-level TXFC, * retrieves only the stream-level credit value and does not clamp it based on - * connection-level flow control. + * connection-level flow control. Any credit value is reduced by the consumed + * amount. */ -uint64_t ossl_quic_txfc_get_credit_local(QUIC_TXFC *txfc); +uint64_t ossl_quic_txfc_get_credit_local(QUIC_TXFC *txfc, uint64_t consumed); /* * Consume num_bytes of credit. This is the 'On TX' operation. This should be 
diff --git a/ssl/quic/quic_fc.c b/ssl/quic/quic_fc.c index 1a9c5890f8..750e896306 100644 --- a/ssl/quic/quic_fc.c +++ b/ssl/quic/quic_fc.c @@ -46,21 +46,21 @@ int ossl_quic_txfc_bump_cwm(QUIC_TXFC *txfc, uint64_t cwm) return 1; } -uint64_t ossl_quic_txfc_get_credit_local(QUIC_TXFC *txfc) +uint64_t ossl_quic_txfc_get_credit_local(QUIC_TXFC *txfc, uint64_t consumed) { - assert(txfc->swm <= txfc->cwm); - return txfc->cwm - txfc->swm; + assert((txfc->swm + consumed) <= txfc->cwm); + return txfc->cwm - (consumed + txfc->swm); } -uint64_t ossl_quic_txfc_get_credit(QUIC_TXFC *txfc) +uint64_t ossl_quic_txfc_get_credit(QUIC_TXFC *txfc, uint64_t consumed) { uint64_t r, conn_r; - r = ossl_quic_txfc_get_credit_local(txfc); + r = ossl_quic_txfc_get_credit_local(txfc, 0); if (txfc->parent != NULL) { assert(txfc->parent->parent == NULL); - conn_r = ossl_quic_txfc_get_credit_local(txfc->parent); + conn_r = ossl_quic_txfc_get_credit_local(txfc->parent, consumed); if (conn_r < r) r = conn_r; } @@ -71,7 +71,7 @@ uint64_t ossl_quic_txfc_get_credit(QUIC_TXFC *txfc) int ossl_quic_txfc_consume_credit_local(QUIC_TXFC *txfc, uint64_t num_bytes) { int ok = 1; - uint64_t credit = ossl_quic_txfc_get_credit_local(txfc); + uint64_t credit = ossl_quic_txfc_get_credit_local(txfc, 0); if (num_bytes > credit) { ok = 0; diff --git a/ssl/quic/quic_stream_map.c b/ssl/quic/quic_stream_map.c index 0f41b03da5..f8278c9913 100644 --- a/ssl/quic/quic_stream_map.c +++ b/ssl/quic/quic_stream_map.c @@ -269,7 +269,7 @@ static int stream_has_data_to_send(QUIC_STREAM *s) &num_iov)) return 0; - fc_credit = ossl_quic_txfc_get_credit(&s->txfc); + fc_credit = ossl_quic_txfc_get_credit(&s->txfc, 0); fc_swm = ossl_quic_txfc_get_swm(&s->txfc); fc_limit = fc_swm + fc_credit; diff --git a/ssl/quic/quic_txp.c b/ssl/quic/quic_txp.c index 5500c9b3f6..f26f1e81a1 100644 --- a/ssl/quic/quic_txp.c +++ b/ssl/quic/quic_txp.c 
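Review bot: `ossl_quic_txfc_get_credit_local()` now subtracts a caller-supplied `consumed`, and the only protection is `assert((txfc->swm + consumed) <= txfc->cwm)`, which is compiled out under NDEBUG; if a caller ever passes more than the remaining credit, `txfc->cwm - (consumed + txfc->swm)` wraps to a very large value and the flow-control limit is effectively lifted. Saturating fails closed instead: `if (consumed > txfc->cwm - txfc->swm) return 0;` before the subtraction, which also avoids the wrap in `swm + consumed`. In `ossl_quic_txfc_get_credit()` the `consumed` argument is applied only when `txfc->parent != NULL`, so a call on a connection-level TXFC ignores it; the header comment in quic_fc.h should state that.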
@@ -2111,7 +2111,8 @@ static int txp_plan_stream_chunk(OSSL_QUIC_TX_PACKETISER *txp, QUIC_SSTREAM *sstream, QUIC_TXFC *stream_txfc, size_t skip, - struct chunk_info *chunk) + struct chunk_info *chunk, + uint64_t consumed) { uint64_t fc_credit, fc_swm, fc_limit; @@ -2130,7 +2131,7 @@ static int txp_plan_stream_chunk(OSSL_QUIC_TX_PACKETISER *txp, chunk->orig_len = chunk->shdr.len; /* Clamp according to connection and stream-level TXFC. */ - fc_credit = ossl_quic_txfc_get_credit(stream_txfc); + fc_credit = ossl_quic_txfc_get_credit(stream_txfc, consumed); fc_swm = ossl_quic_txfc_get_swm(stream_txfc); fc_limit = fc_swm + fc_credit; @@ -2166,7 +2167,8 @@ static int txp_generate_stream_frames(OSSL_QUIC_TX_PACKETISER *txp, QUIC_STREAM *next_stream, int *have_ack_eliciting, int *packet_full, - uint64_t *new_credit_consumed) + uint64_t *new_credit_consumed, + uint64_t conn_consumed) { int rc = 0; struct chunk_info chunks[2] = {0}; @@ -2194,7 +2196,8 @@ static int txp_generate_stream_frames(OSSL_QUIC_TX_PACKETISER *txp, * determining when we can use an implicit length in a STREAM frame. */ for (i = 0; i < 2; ++i) { - if (!txp_plan_stream_chunk(txp, h, sstream, stream_txfc, i, &chunks[i])) + if (!txp_plan_stream_chunk(txp, h, sstream, stream_txfc, i, &chunks[i], + conn_consumed)) goto err; if (i == 0 && !chunks[i].valid) { @@ -2232,7 +2235,7 @@ static int txp_generate_stream_frames(OSSL_QUIC_TX_PACKETISER *txp, if (i > 0) /* Load next chunk for lookahead. */ if (!txp_plan_stream_chunk(txp, h, sstream, stream_txfc, i + 1, - &chunks[(i + 1) % 2])) + &chunks[(i + 1) % 2], conn_consumed)) goto err; /* @@ -2382,6 +2385,7 @@ static int txp_generate_stream_related(OSSL_QUIC_TX_PACKETISER *txp, uint64_t cwm; QUIC_STREAM *stream, *snext; struct tx_helper *h = &pkt->h; + uint64_t conn_consumed = 0; for (ossl_quic_stream_iter_init(&it, txp->args.qsm, 1); it.stream != NULL;) { 
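Review bot: The new last parameter of txp_plan_stream_chunk is named `consumed`, while the same value is called `conn_consumed` in txp_generate_stream_frames and txp_generate_stream_related; inside a function that also handles chunk and stream lengths the shorter name does not say which budget it refers to. Renaming it to `conn_consumed` and documenting it, e.g. `/* conn_consumed: connection-level credit already planned for earlier streams in this packet */`, would keep the three signatures aligned. The bodies of these functions continue outside the hunks.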
@@ -2517,11 +2521,13 @@ static int txp_generate_stream_related(OSSL_QUIC_TX_PACKETISER *txp, snext, have_ack_eliciting, &packet_full, - &stream->txp_txfc_new_credit_consumed)) { + &stream->txp_txfc_new_credit_consumed, + conn_consumed)) { /* Fatal error (allocation, etc.) */ txp_enlink_tmp(tmp_head, stream); return 0; } + conn_consumed += stream->txp_txfc_new_credit_consumed; if (packet_full) { txp_enlink_tmp(tmp_head, stream); diff --git a/test/quic_fc_test.c b/test/quic_fc_test.c index e624d81b73..d279766756 100644 --- a/test/quic_fc_test.c +++ b/test/quic_fc_test.c @@ -37,10 +37,10 @@ static int test_txfc(int is_stream) if (!TEST_uint64_t_eq(ossl_quic_txfc_get_cwm(txfc), 2000)) goto err; - if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc), 2000)) + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc, 0), 2000)) goto err; - if (is_stream && !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc), + if (is_stream && !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc, 0), 2000)) goto err; @@ -50,10 +50,10 @@ static int test_txfc(int is_stream) if (!TEST_true(ossl_quic_txfc_consume_credit(txfc, 500))) goto err; - if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc), 1500)) + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc, 0), 1500)) goto err; - if (is_stream && !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc), + if (is_stream && !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc, 0), 1500)) goto err; @@ -69,10 +69,10 @@ static int test_txfc(int is_stream) if (!TEST_uint64_t_eq(ossl_quic_txfc_get_swm(txfc), 600)) goto err; - if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc), 1400)) + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc, 0), 1400)) goto err; - if (is_stream && !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc), + if (is_stream && !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc, 0), 1400)) goto err; 
@@ -82,10 +82,10 @@ static int test_txfc(int is_stream) if (!TEST_true(ossl_quic_txfc_consume_credit(txfc, 1400))) goto err; - if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc), 0)) + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc, 0), 0)) goto err; - if (is_stream && !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc), + if (is_stream && !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc, 0), 0)) goto err; @@ -131,7 +131,7 @@ static int test_txfc(int is_stream) if (!TEST_uint64_t_eq(ossl_quic_txfc_get_swm(txfc), 2000)) goto err; - if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc), 500)) + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc, 0), 500)) goto err; if (is_stream) @@ -144,7 +144,7 @@ static int test_txfc(int is_stream) if (!TEST_false(ossl_quic_txfc_has_become_blocked(txfc, 0))) goto err; - if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc), 1)) + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc, 0), 1)) goto err; if (!TEST_true(ossl_quic_txfc_consume_credit(txfc, 1))) -- Gitee From f85fff8b88345f603326f79c826c1262a9f27e91 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 13 Nov 2023 14:39:53 +0000 Subject: [PATCH 08/11] Add some additional tests for the new fc "consumed" params Check that the "consumed" parameter is working as expected. Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22718) (cherry picked from commit aa6ac60728207ba18779d7cbe71893c066bcbc28) Signed-off-by: fly2x --- test/quic_fc_test.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/test/quic_fc_test.c b/test/quic_fc_test.c index d279766756..6b2de7fdff 100644 --- a/test/quic_fc_test.c +++ b/test/quic_fc_test.c 
@@ -40,10 +40,17 @@ static int test_txfc(int is_stream) if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc, 0), 2000)) goto err; - if (is_stream && !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc, 0), - 2000)) + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc, 100), 1900)) goto err; + if (is_stream) { + if ( !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc, 0), 2000)) + goto err; + + if ( !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc, 100), 1900)) + goto err; + } + if (!TEST_false(ossl_quic_txfc_has_become_blocked(txfc, 0))) goto err; @@ -138,6 +145,9 @@ static int test_txfc(int is_stream) ossl_quic_txfc_has_become_blocked(parent_txfc, 1); if (is_stream) { + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc, 400), 0)) + goto err; + if (!TEST_true(ossl_quic_txfc_consume_credit(txfc, 399))) goto err; -- Gitee From c9dd039e7e81c9f50039236241b256b9a972b72f Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 13 Nov 2023 11:27:54 +0000 Subject: [PATCH 09/11] Correct tag len check when determining how much space we have in the pkt If the available space is equal to the tag length then we have no available space for plaintext data. Fixes #22699 Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22715) (cherry picked from commit 46376fcf4b6d11ec417c2a530475037d4d09fcbf) Signed-off-by: fly2x --- ssl/quic/quic_record_tx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssl/quic/quic_record_tx.c b/ssl/quic/quic_record_tx.c index 4f86c68e17..c01abed0d6 100644 --- a/ssl/quic/quic_record_tx.c +++ b/ssl/quic/quic_record_tx.c @@ -422,7 +422,7 @@ int ossl_qtx_calculate_plaintext_payload_len(OSSL_QTX *qtx, uint32_t enc_level, tag_len = ossl_qrl_get_suite_cipher_tag_len(el->suite_id); - if (ciphertext_len < tag_len) { + if (ciphertext_len <= tag_len) { *plaintext_len = 0; return 0; } -- Gitee From 03cbc05c8d3e8636dc8084a3fddac75635565ec5 Mon Sep 17 00:00:00 2001 
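Review bot: The added cases exercise `consumed` only for stream objects and only up to the exact remaining credit (`ossl_quic_txfc_get_credit(txfc, 400)` expecting 0), so nothing pins the connection-level case, where `ossl_quic_txfc_get_credit` calls `ossl_quic_txfc_get_credit_local(txfc, 0)` and does not apply the argument at all. A check such as `if (!is_stream && !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc, 100), 2000)) goto err;` next to the first new block would document that behaviour. As a style point, the two new lines written `if ( !TEST_uint64_t_eq(` have a space after the opening parenthesis that the other checks in the hunk do not. `test_txfc` begins and ends outside the hunk.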
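Review bot: The boundary change to `if (ciphertext_len <= tag_len) {` arrives without a test: the diffstat lists only ssl/quic/quic_record_tx.c, so a later edit could restore `<` unnoticed. A case that calls `ossl_qtx_calculate_plaintext_payload_len` with a ciphertext length equal to the suite's tag length and expects a return of 0 with `*plaintext_len == 0` would pin it. A comment on the condition, for example `/* exactly tag_len bytes leaves no room for plaintext */`, would record why equality is rejected. The function continues outside the hunk.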
From: Viktor Szakats Date: Fri, 27 Aug 2021 12:22:15 +0000 Subject: [PATCH 10/11] Configure: do not check for an absolute prefix in cross-builds The check is always made according to the host platform's rules, which may not be true for true when the target platform is different, e.g. when cross-building for Windows on a Linux machine. So skip this check when used together with the `--cross-compile-prefix=` option. Fixes https://github.com/openssl/openssl/issues/9520 Reviewed-by: Paul Dale Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22723) (cherry picked from commit 4ea752997df83c2a694fdb157aab07908303fc90) Signed-off-by: fly2x --- Configure | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/Configure b/Configure index d7f5ef8ce3..cbba1749b5 100755 --- a/Configure +++ b/Configure @@ -980,8 +980,6 @@ while (@argvcopy) if (/^--prefix=(.*)$/) { $config{prefix}=$1; - die "Directory given with --prefix MUST be absolute\n" - unless file_name_is_absolute($config{prefix}); } elsif (/^--api=(.*)$/) { @@ -1440,6 +1438,11 @@ foreach (keys %useradd) { # At this point, we can forget everything about %user and %useradd, # because it's now all been merged into the corresponding $config entry +if ($config{prefix} && !$config{CROSS_COMPILE}) { + die "Directory given with --prefix MUST be absolute\n" + unless file_name_is_absolute($config{prefix}); +} + if (grep { $_ =~ /(?:^|\s)-static(?:\s|$)/ } @{$config{LDFLAGS}}) { disable('static', 'pic', 'threads'); } -- Gitee From 02d56e32dbe63a23052992b831ad866254f2e80a Mon Sep 17 00:00:00 2001 
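Review bot: With `if ($config{prefix} && !$config{CROSS_COMPILE}) {` a cross build now accepts any `--prefix`, including a relative one, without any message. If the prefix feeds directories that end up compiled into the library (not visible in this hunk, to be confirmed), a relative value would make those lookups depend on the working directory of whatever process loads the library. A warning keeps the relaxed behaviour while making it visible: `warn "--prefix is not checked for being absolute in cross builds\n" if $config{prefix} && $config{CROSS_COMPILE};`. A comment above the moved check should also say that it runs here, after the merge of `%user` and `%useradd`, because `$config{CROSS_COMPILE}` is not final while the options are still being parsed.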
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 Nov 2023 10:14:21 +0000 Subject: [PATCH 11/11] Bump actions/github-script from 6 to 7 Bumps [actions/github-script](https://github.com/actions/github-script) from 6 to 7. - [Release notes](https://github.com/actions/github-script/releases) - [Commits](https://github.com/actions/github-script/compare/v6...v7) --- updated-dependencies: - dependency-name: actions/github-script dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] CLA: trivial Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22730) (cherry picked from commit 5f6b08e218974d4fbbd77ffedc2d94a08a194cc2) Signed-off-by: fly2x --- .github/workflows/fips-label.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/fips-label.yml b/.github/workflows/fips-label.yml index bdc42e496d..eed1d27cd7 100644 --- a/.github/workflows/fips-label.yml +++ b/.github/workflows/fips-label.yml @@ -25,7 +25,7 @@ jobs: steps: - name: 'Download artifact' if: ${{ github.event.workflow_run.conclusion == 'success' }} - uses: actions/github-script@v6 + uses: actions/github-script@v7 with: script: | var artifacts = await github.rest.actions.listWorkflowRunArtifacts({ @@ -48,7 +48,7 @@ jobs: if: ${{ github.event.workflow_run.conclusion == 'success' }} - name: 'Check artifact and apply' if: ${{ github.event.workflow_run.conclusion == 'success' }} - uses: actions/github-script@v6 + uses: actions/github-script@v7 with: github-token: ${{secrets.GITHUB_TOKEN}} script: | -- Gitee