From dce9b2e7bd3d795224a6c96418525ad89af639ee Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Mon, 28 Oct 2024 16:17:00 +0000 Subject: [PATCH 1/9] memory: fix types in static memory functions --- wolfcrypt/src/memory.c | 13 ++++--------- wolfssl/wolfcrypt/memory.h | 10 +++++----- 2 files changed, 9 insertions(+), 14 deletions(-) diff --git a/wolfcrypt/src/memory.c b/wolfcrypt/src/memory.c index 75d03895e6..adca8b4257 100644 --- a/wolfcrypt/src/memory.c +++ b/wolfcrypt/src/memory.c @@ -669,7 +669,7 @@ static int wc_partition_static_memory(byte* buffer, word32 sz, int flag, } static int wc_init_memory_heap(WOLFSSL_HEAP* heap, unsigned int listSz, - const unsigned int* sizeList, const unsigned int* distList) + const word32 *sizeList, const word32 *distList) { unsigned int i; @@ -695,8 +695,8 @@ static int wc_init_memory_heap(WOLFSSL_HEAP* heap, unsigned int listSz, } int wc_LoadStaticMemory_ex(WOLFSSL_HEAP_HINT** pHint, - unsigned int listSz, const unsigned int* sizeList, - const unsigned int* distList, unsigned char* buf, + unsigned int listSz, const word32 *sizeList, + const word32 *distList, unsigned char *buf, unsigned int sz, int flag, int maxSz) { WOLFSSL_HEAP* heap = NULL; @@ -773,13 +773,8 @@ int wc_LoadStaticMemory_ex(WOLFSSL_HEAP_HINT** pHint, int wc_LoadStaticMemory(WOLFSSL_HEAP_HINT** pHint, unsigned char* buf, unsigned int sz, int flag, int maxSz) { -#ifdef WOLFSSL_LEAN_STATIC_PSK - word16 sizeList[WOLFMEM_DEF_BUCKETS] = { WOLFMEM_BUCKETS }; - byte distList[WOLFMEM_DEF_BUCKETS] = { WOLFMEM_DIST }; -#else word32 sizeList[WOLFMEM_DEF_BUCKETS] = { WOLFMEM_BUCKETS }; word32 distList[WOLFMEM_DEF_BUCKETS] = { WOLFMEM_DIST }; -#endif int ret = 0; WOLFSSL_ENTER("wc_LoadStaticMemory"); @@ -817,7 +812,7 @@ int wolfSSL_MemoryPaddingSz(void) /* Used to calculate memory size for optimum use with buckets. returns the suggested size rounded down to the nearest bucket. */ int wolfSSL_StaticBufferSz_ex(unsigned int listSz, - const unsigned int *sizeList, const unsigned int *distList, + const word32 *sizeList, const word32 *distList, byte* buffer, word32 sz, int flag) { word32 ava = sz; diff --git a/wolfssl/wolfcrypt/memory.h b/wolfssl/wolfcrypt/memory.h index 481f8aa796..cf883e4fcd 100644 --- a/wolfssl/wolfcrypt/memory.h +++ b/wolfssl/wolfcrypt/memory.h @@ -219,8 +219,8 @@ WOLFSSL_API int wolfSSL_GetAllocators(wolfSSL_Malloc_cb* mf, #endif #ifdef WOLFSSL_STATIC_MEMORY_LEAN - word16 sizeList[WOLFMEM_MAX_BUCKETS];/* memory sizes in ava list */ - byte distList[WOLFMEM_MAX_BUCKETS];/* general distribution */ + word32 sizeList[WOLFMEM_MAX_BUCKETS];/* memory sizes in ava list */ + word32 distList[WOLFMEM_MAX_BUCKETS];/* general distribution */ #else word32 maxHa; /* max concurrent handshakes */ word32 curHa; @@ -258,8 +258,8 @@ WOLFSSL_API int wolfSSL_GetAllocators(wolfSSL_Malloc_cb* mf, WOLFSSL_API void* wolfSSL_SetGlobalHeapHint(void* heap); WOLFSSL_API void* wolfSSL_GetGlobalHeapHint(void); WOLFSSL_API int wc_LoadStaticMemory_ex(WOLFSSL_HEAP_HINT** pHint, - unsigned int listSz, const unsigned int *sizeList, - const unsigned int *distList, unsigned char* buf, unsigned int sz, + unsigned int listSz, const word32 *sizeList, + const word32 *distList, unsigned char* buf, unsigned int sz, int flag, int max); #ifdef WOLFSSL_STATIC_MEMORY_DEBUG_CALLBACK #define WOLFSSL_DEBUG_MEMORY_ALLOC 0 @@ -281,7 +281,7 @@ WOLFSSL_API int wolfSSL_GetAllocators(wolfSSL_Malloc_cb* mf, WOLFSSL_LOCAL int FreeFixedIO(WOLFSSL_HEAP* heap, wc_Memory** io); WOLFSSL_API int wolfSSL_StaticBufferSz_ex(unsigned int listSz, - const unsigned int *sizeList, const unsigned int *distList, + const word32 *sizeList, const word32 *distList, byte* buffer, word32 sz, int flag); WOLFSSL_API int wolfSSL_StaticBufferSz(byte* buffer, word32 sz, int flag); WOLFSSL_API int wolfSSL_MemoryPaddingSz(void); From a896c16ebd67fbf06d74d603fc6467a86ef85cc2 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Wed, 6 Nov 2024 17:10:54 -0700 Subject: [PATCH 2/9] fix for memory leak due to missed WOLFSSL_GENERAL_NAME capability changes --- src/x509.c | 92 +++++++++++++++++++++++++++++++++-------- tests/api.c | 5 +++ wolfssl/openssl/ssl.h | 2 +- wolfssl/wolfcrypt/asn.h | 1 + 4 files changed, 81 insertions(+), 19 deletions(-) diff --git a/src/x509.c b/src/x509.c index 274c40120a..a74f5093a8 100644 --- a/src/x509.c +++ b/src/x509.c @@ -587,6 +587,76 @@ static int wolfssl_dns_entry_othername_to_gn(DNS_entry* dns, #endif /* OPENSSL_ALL || WOLFSSL_WPAS_SMALL */ #if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) +static int DNS_to_GENERAL_NAME(WOLFSSL_GENERAL_NAME* gn, DNS_entry* dns) +{ + gn->type = dns->type; + switch (gn->type) { + case WOLFSSL_GEN_OTHERNAME: + if (!wolfssl_dns_entry_othername_to_gn(dns, gn)) { + WOLFSSL_MSG("OTHERNAME set failed"); + return WOLFSSL_FAILURE; + } + break; + + case WOLFSSL_GEN_EMAIL: + case WOLFSSL_GEN_DNS: + case WOLFSSL_GEN_URI: + case WOLFSSL_GEN_IPADD: + case WOLFSSL_GEN_IA5: + gn->d.ia5->length = dns->len; + if (wolfSSL_ASN1_STRING_set(gn->d.ia5, dns->name, + gn->d.ia5->length) != WOLFSSL_SUCCESS) { + WOLFSSL_MSG("ASN1_STRING_set failed"); + return WOLFSSL_FAILURE; + } + break; + + + case WOLFSSL_GEN_DIRNAME: + /* wolfSSL_GENERAL_NAME_new() mallocs this by default */ + wolfSSL_ASN1_STRING_free(gn->d.ia5); + gn->d.ia5 = NULL; + + gn->d.dirn = wolfSSL_X509_NAME_new();; + /* @TODO extract dir name info from DNS_entry */ + break; + +#ifdef WOLFSSL_RID_ALT_NAME + case WOLFSSL_GEN_RID: + /* wolfSSL_GENERAL_NAME_new() mallocs this by default */ + wolfSSL_ASN1_STRING_free(gn->d.ia5); + gn->d.ia5 = NULL; + + gn->d.registeredID = wolfSSL_ASN1_OBJECT_new(); + if (gn->d.registeredID == NULL) { + return WOLFSSL_FAILURE; + } + gn->d.registeredID->obj = XMALLOC(dns->len, + gn->d.registeredID->heap, DYNAMIC_TYPE_ASN1); + if (gn->d.registeredID->obj == NULL) { + /* registeredID gets free'd up by caller after failure */ + return WOLFSSL_FAILURE; + } + gn->d.registeredID->dynamic |= WOLFSSL_ASN1_DYNAMIC_DATA; + XMEMCPY((byte*)gn->d.registeredID->obj, dns->ridString, dns->len); + gn->d.registeredID->objSz = dns->len; + gn->d.registeredID->grp = oidCertExtType; + gn->d.registeredID->nid = WC_NID_registeredAddress; + break; +#endif + + case WOLFSSL_GEN_X400: + /* Unsupported: fall through */ + case WOLFSSL_GEN_EDIPARTY: + /* Unsupported: fall through */ + default: + WOLFSSL_MSG("Unsupported type conversion"); + return WOLFSSL_FAILURE; + } + return WOLFSSL_SUCCESS; +} + + static int wolfssl_x509_alt_names_to_gn(WOLFSSL_X509* x509, WOLFSSL_X509_EXTENSION* ext) { @@ -624,24 +694,10 @@ static int wolfssl_x509_alt_names_to_gn(WOLFSSL_X509* x509, goto err; } - gn->type = dns->type; - if (gn->type == WOLFSSL_GEN_OTHERNAME) { - if (!wolfssl_dns_entry_othername_to_gn(dns, gn)) { - WOLFSSL_MSG("OTHERNAME set failed"); - wolfSSL_GENERAL_NAME_free(gn); - wolfSSL_sk_pop_free(sk, NULL); - goto err; - } - } - else { - gn->d.ia5->length = dns->len; - if (wolfSSL_ASN1_STRING_set(gn->d.ia5, dns->name, - gn->d.ia5->length) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ASN1_STRING_set failed"); - wolfSSL_GENERAL_NAME_free(gn); - wolfSSL_sk_pop_free(sk, NULL); - goto err; - } + if (DNS_to_GENERAL_NAME(gn, dns) != WOLFSSL_SUCCESS) { + wolfSSL_GENERAL_NAME_free(gn); + wolfSSL_sk_pop_free(sk, NULL); + goto err; } if (wolfSSL_sk_GENERAL_NAME_push(sk, gn) <= 0) { diff --git a/tests/api.c b/tests/api.c index c08d0987d1..efd7af41d6 100644 --- a/tests/api.c +++ b/tests/api.c @@ -77998,6 +77998,7 @@ static int test_X509_REQ(void) #ifdef HAVE_ECC const unsigned char* ecPriv = (const unsigned char*)ecc_clikey_der_256; const unsigned char* ecPub = (unsigned char*)ecc_clikeypub_der_256; + BIO* bio = NULL; #endif ExpectNotNull(name = X509_NAME_new()); @@ -78089,6 +78090,10 @@ static int test_X509_REQ(void) /* Signature is random and may be shorter or longer. */ ExpectIntGE((len = i2d_X509_REQ(req, &der)), 245); ExpectIntLE(len, 253); + ExpectNotNull(bio = BIO_new_fp(stderr, BIO_NOCLOSE)); + ExpectIntEQ(X509_REQ_print(bio, req), WOLFSSL_SUCCESS); + ExpectIntEQ(X509_REQ_print(bio, NULL), WOLFSSL_FAILURE); + BIO_free(bio); XFREE(der, NULL, DYNAMIC_TYPE_OPENSSL); X509_REQ_free(req); EVP_PKEY_free(pub); diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 8133a42ef1..449db9b302 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -567,7 +567,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS; #define X509_sign wolfSSL_X509_sign #define X509_sign_ctx wolfSSL_X509_sign_ctx #define X509_print wolfSSL_X509_print -#define X509_REQ_print wolfSSL_X509_print +#define X509_REQ_print wolfSSL_X509_REQ_print #define X509_print_ex wolfSSL_X509_print_ex #define X509_print_fp wolfSSL_X509_print_fp #define X509_CRL_print wolfSSL_X509_CRL_print diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index f9d1eb79cf..d6f63ba7bb 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -912,6 +912,7 @@ extern const WOLFSSL_ObjectInfo wolfssl_object_info[]; #define WC_NID_postalCode ASN_POSTAL_CODE /* postalCode */ #define WC_NID_favouriteDrink 462 #define WC_NID_userId 458 +#define WC_NID_registeredAddress 870 #define WC_NID_emailAddress 0x30 /* emailAddress */ #define WC_NID_id_on_dnsSRV 82 /* 1.3.6.1.5.5.7.8.7 */ #define WC_NID_ms_upn 265 /* 1.3.6.1.4.1.311.20.2.3 */ From a295aef0b23c3195183dedd4db473182570e6eb0 Mon Sep 17 00:00:00 2001 From: Andras Fekete Date: Fri, 8 Nov 2024 14:34:16 -0500 Subject: [PATCH 3/9] Use only one or the other --- tests/quic.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/quic.c b/tests/quic.c index f5fd2cefd1..6ca20a63fc 100644 --- a/tests/quic.c +++ b/tests/quic.c @@ -21,11 +21,11 @@ #ifdef HAVE_CONFIG_H #include -#endif - +#else #ifndef WOLFSSL_USER_SETTINGS #include #endif +#endif #include #include From cadafffb717f17f6b80e8994574021ec0ff5a5ff Mon Sep 17 00:00:00 2001 From: Sean Parkinson Date: Mon, 11 Nov 2024 10:34:32 +1000 Subject: [PATCH 4/9] Kyber benchmark: allow ML-KEM and Kyber Fix benchmark to use ML-KEM/Kyber depending on how code is built. --- wolfcrypt/benchmark/benchmark.c | 41 +++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index 2e3200bf62..8c29bc4329 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -3652,6 +3652,24 @@ static void* benchmarks_do(void* args) #ifdef WOLFSSL_HAVE_KYBER if (bench_all || (bench_pq_asym_algs & BENCH_KYBER)) { +#ifndef WOLFSSL_NO_ML_KEM + #ifdef WOLFSSL_KYBER512 + if (bench_all || (bench_pq_asym_algs & BENCH_KYBER512)) { + bench_kyber(WC_ML_KEM_512); + } + #endif + #ifdef WOLFSSL_KYBER768 + if (bench_all || (bench_pq_asym_algs & BENCH_KYBER768)) { + bench_kyber(WC_ML_KEM_768); + } + #endif + #ifdef WOLFSSL_KYBER1024 + if (bench_all || (bench_pq_asym_algs & BENCH_KYBER1024)) { + bench_kyber(WC_ML_KEM_1024); + } + #endif +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef WOLFSSL_KYBER512 if (bench_all || (bench_pq_asym_algs & BENCH_KYBER512)) { bench_kyber(KYBER512); @@ -3667,6 +3685,7 @@ static void* benchmarks_do(void* args) bench_kyber(KYBER1024); } #endif +#endif } #endif @@ -9471,6 +9490,27 @@ void bench_kyber(int type) int keySize = 0; switch (type) { +#ifndef WOLFSSL_NO_ML_KEM +#ifdef WOLFSSL_WC_ML_KEM_512 + case WC_ML_KEM_512: + name = "ML-KEM 512 "; + keySize = 128; + break; +#endif +#ifdef WOLFSSL_WC_ML_KEM_768 + case WC_ML_KEM_768: + name = "ML-KEM 768 "; + keySize = 192; + break; +#endif +#ifdef WOLFSSL_WC_ML_KEM_1024 + case WC_ML_KEM_1024: + name = "ML-KEM 1024 "; + keySize = 256; + break; +#endif +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef WOLFSSL_KYBER512 case KYBER512: name = "KYBER512 "; @@ -9488,6 +9528,7 @@ void bench_kyber(int type) name = "KYBER1024"; keySize = 256; break; +#endif #endif } From ce935fddadc0958a7902576c3dcf039a99f62685 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 11 Nov 2024 09:57:33 -0700 Subject: [PATCH 5/9] cast return of XMALLOC --- src/x509.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/x509.c b/src/x509.c index a74f5093a8..0f39c21f66 100644 --- a/src/x509.c +++ b/src/x509.c @@ -631,7 +631,7 @@ static int DNS_to_GENERAL_NAME(WOLFSSL_GENERAL_NAME* gn, DNS_entry* dns) if (gn->d.registeredID == NULL) { return WOLFSSL_FAILURE; } - gn->d.registeredID->obj = XMALLOC(dns->len, + gn->d.registeredID->obj = (const unsigned char*)XMALLOC(dns->len, gn->d.registeredID->heap, DYNAMIC_TYPE_ASN1); if (gn->d.registeredID->obj == NULL) { /* registeredID gets free'd up by caller after failure */ From 56888526faa48369f42fcab1faa0e20279ad36f6 Mon Sep 17 00:00:00 2001 From: Jiri Malak Date: Tue, 12 Nov 2024 08:16:07 +0100 Subject: [PATCH 6/9] enable local build --- .github/workflows/async.yml | 2 +- .github/workflows/codespell.yml | 2 +- .github/workflows/curl.yml | 3 +- .github/workflows/cyrus-sasl.yml | 3 +- .github/workflows/delruns.yml | 66 ++++++++++++++++++++++++++ .github/workflows/disabled/haproxy.yml | 2 +- .github/workflows/disabled/hostap.yml | 3 +- .github/workflows/docker-Espressif.yml | 4 +- .github/workflows/docker-OpenWrt.yml | 3 +- .github/workflows/grpc.yml | 3 +- .github/workflows/hitch.yml | 3 +- .github/workflows/hostap-vm.yml | 4 +- .github/workflows/ipmitool.yml | 3 +- .github/workflows/jwt-cpp.yml | 3 +- .github/workflows/krb5.yml | 3 +- .github/workflows/libssh2.yml | 3 +- .github/workflows/libvncserver.yml | 3 +- .github/workflows/memcached.yml | 3 +- .github/workflows/mosquitto.yml | 3 +- .github/workflows/multi-arch.yml | 2 +- .github/workflows/multi-compiler.yml | 2 +- .github/workflows/net-snmp.yml | 3 +- .github/workflows/nginx.yml | 3 +- .github/workflows/no-malloc.yml | 2 +- .github/workflows/ntp.yml | 2 +- .github/workflows/ocsp.yml | 2 +- .github/workflows/openldap.yml | 1 + .github/workflows/openssh.yml | 3 +- .github/workflows/openvpn.yml | 3 +- .github/workflows/os-check.yml | 6 +-- .github/workflows/packaging.yml | 2 +- .github/workflows/pam-ipmi.yml | 3 +- .github/workflows/rng-tools.yml | 3 +- .github/workflows/socat.yml | 3 +- .github/workflows/softhsm.yml | 3 +- .github/workflows/sssd.yml | 3 +- .github/workflows/stunnel.yml | 3 +- .github/workflows/win-csharp-test.yml | 2 +- .github/workflows/zephyr.yml | 2 +- 39 files changed, 104 insertions(+), 68 deletions(-) create mode 100644 .github/workflows/delruns.yml diff --git a/.github/workflows/async.yml b/.github/workflows/async.yml index 3ad8e86860..a04cdb1dc8 100644 --- a/.github/workflows/async.yml +++ b/.github/workflows/async.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -23,7 +24,6 @@ jobs: '--enable-ocsp CFLAGS="-DTEST_NONBLOCK_CERTS"', ] name: make check - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 6 diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index 328b1ffe62..1ddae16d6c 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml @@ -5,6 +5,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -13,7 +14,6 @@ concurrency: jobs: codespell: - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/curl.yml b/.github/workflows/curl.yml index b6fe4cc2d3..12add0f2c7 100644 --- a/.github/workflows/curl.yml +++ b/.github/workflows/curl.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -15,7 +16,6 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 @@ -39,7 +39,6 @@ jobs: test_curl: name: ${{ matrix.curl_ref }} - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 15 diff --git a/.github/workflows/cyrus-sasl.yml b/.github/workflows/cyrus-sasl.yml index 790d8886a7..055a363fdb 100644 --- a/.github/workflows/cyrus-sasl.yml +++ b/.github/workflows/cyrus-sasl.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -15,7 +16,6 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' # Just to keep it the same as the testing target runs-on: ubuntu-latest # This should be a safe limit for the tests to run. @@ -47,7 +47,6 @@ jobs: # List of releases to test ref: [ 2.1.28 ] name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 diff --git a/.github/workflows/delruns.yml b/.github/workflows/delruns.yml new file mode 100644 index 0000000000..5f6ae2181f --- /dev/null +++ b/.github/workflows/delruns.yml @@ -0,0 +1,66 @@ +name: Delete Old (Workflow Runs) +on: + workflow_dispatch: + inputs: + days: + description: 'Days-worth of runs to keep for each workflow' + required: true + default: '30' + minimum_runs: + description: 'Minimum runs to keep for each workflow' + required: true + default: '6' + delete_workflow_pattern: + description: 'Name or filename of the workflow (if not set, all workflows are targeted)' + required: false + delete_workflow_by_state_pattern: + description: 'Filter workflows by state: active, deleted, disabled_fork, disabled_inactivity, disabled_manually' + required: true + default: "ALL" + type: choice + options: + - "ALL" + - active + - deleted + - disabled_inactivity + - disabled_manually + delete_run_by_conclusion_pattern: + description: 'Remove runs based on conclusion: action_required, cancelled, failure, skipped, success' + required: true + default: "ALL" + type: choice + options: + - "ALL" + - "Unsuccessful: action_required,cancelled,failure,skipped" + - action_required + - cancelled + - failure + - skipped + - success + dry_run: + description: 'Logs simulated changes, no deletions are performed' + required: false + +jobs: + del_runs: + runs-on: ubuntu-latest + permissions: + actions: write + contents: read + steps: + - name: Delete workflow runs + uses: Mattraks/delete-workflow-runs@v2 + with: + token: ${{ github.token }} + repository: ${{ github.repository }} + retain_days: ${{ github.event.inputs.days }} + keep_minimum_runs: ${{ github.event.inputs.minimum_runs }} + delete_workflow_pattern: ${{ github.event.inputs.delete_workflow_pattern }} + delete_workflow_by_state_pattern: ${{ github.event.inputs.delete_workflow_by_state_pattern }} + delete_run_by_conclusion_pattern: >- + ${{ + startsWith(github.event.inputs.delete_run_by_conclusion_pattern, 'Unsuccessful:') + && 'action_required,cancelled,failure,skipped' + || github.event.inputs.delete_run_by_conclusion_pattern + }} + dry_run: ${{ github.event.inputs.dry_run }} diff --git a/.github/workflows/disabled/haproxy.yml b/.github/workflows/disabled/haproxy.yml index 0a92dac0c8..a7fabd6866 100644 --- a/.github/workflows/disabled/haproxy.yml +++ b/.github/workflows/disabled/haproxy.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -20,7 +21,6 @@ jobs: # List of refs to test ref: [ master ] name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest steps: - name: Build wolfSSL diff --git a/.github/workflows/disabled/hostap.yml b/.github/workflows/disabled/hostap.yml index 46c4131954..b1a95e4e9b 100644 --- a/.github/workflows/disabled/hostap.yml +++ b/.github/workflows/disabled/hostap.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -22,7 +23,6 @@ jobs: - build_id: hostap-build2 wolf_extra_config: --enable-brainpool --enable-wpas-dpp name: Build wolfSSL - if: github.repository_owner == 'wolfssl' # Just to keep it the same as the testing target runs-on: ubuntu-20.04 # This should be a safe limit for the tests to run. @@ -100,7 +100,6 @@ jobs: build_id: hostap-build2 } name: hwsim test - if: github.repository_owner == 'wolfssl' # For openssl 1.1 runs-on: ubuntu-20.04 # This should be a safe limit for the tests to run. diff --git a/.github/workflows/docker-Espressif.yml b/.github/workflows/docker-Espressif.yml index 184dced8d1..8d7af2ea89 100644 --- a/.github/workflows/docker-Espressif.yml +++ b/.github/workflows/docker-Espressif.yml @@ -5,6 +5,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -14,7 +15,6 @@ concurrency: jobs: espressif_latest: name: latest Docker container - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 12 @@ -26,7 +26,6 @@ jobs: run: . /opt/esp/idf/export.sh; IDE/Espressif/ESP-IDF/compileAllExamples.sh espressif_v4_4: name: v4.4 Docker container - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest container: image: espressif/idf:release-v4.4 @@ -36,7 +35,6 @@ jobs: run: . /opt/esp/idf/export.sh; IDE/Espressif/ESP-IDF/compileAllExamples.sh espressif_v5_0: name: v5.0 Docker container - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest container: image: espressif/idf:release-v5.0 diff --git a/.github/workflows/docker-OpenWrt.yml b/.github/workflows/docker-OpenWrt.yml index 0a3768d613..be4ea6ae4f 100644 --- a/.github/workflows/docker-OpenWrt.yml +++ b/.github/workflows/docker-OpenWrt.yml @@ -8,6 +8,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -17,7 +18,6 @@ concurrency: jobs: build_library: name: Compile libwolfssl.so - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 @@ -41,7 +41,6 @@ jobs: retention-days: 5 compile_container: name: Compile container - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 2 diff --git a/.github/workflows/grpc.yml b/.github/workflows/grpc.yml index e8d549b7a4..e3a5d2d0ae 100644 --- a/.github/workflows/grpc.yml +++ b/.github/workflows/grpc.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -15,7 +16,6 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' # Just to keep it the same as the testing target runs-on: ubuntu-latest # This should be a safe limit for the tests to run. @@ -51,7 +51,6 @@ jobs: test_core_security_ssl_credentials_test test_cpp_end2end_ssl_credentials_test h2_ssl_cert_test h2_ssl_session_reuse_test name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 30 diff --git a/.github/workflows/hitch.yml b/.github/workflows/hitch.yml index 5f0b58986b..8bb0724d40 100644 --- a/.github/workflows/hitch.yml +++ b/.github/workflows/hitch.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -15,7 +16,6 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' # Just to keep it the same as the testing target runs-on: ubuntu-latest # This should be a safe limit for the tests to run. @@ -48,7 +48,6 @@ jobs: ignore-tests: >- test13-r82.sh test15-proxy-v2-npn.sh test39-client-cert-proxy.sh name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 diff --git a/.github/workflows/hostap-vm.yml b/.github/workflows/hostap-vm.yml index 4c52175d46..11e8f1e62a 100644 --- a/.github/workflows/hostap-vm.yml +++ b/.github/workflows/hostap-vm.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -27,7 +28,6 @@ jobs: --enable-wpas-dpp --enable-brainpool --with-eccminsz=192 --enable-tlsv10 --enable-oldtls name: Build wolfSSL - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 10 @@ -65,7 +65,6 @@ jobs: build_uml_linux: name: Build UML (UserMode Linux) - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 10 @@ -142,7 +141,6 @@ jobs: } name: hwsim test # For openssl 1.1 - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 45 diff --git a/.github/workflows/ipmitool.yml b/.github/workflows/ipmitool.yml index 1dc2c18e58..d369ac8c81 100644 --- a/.github/workflows/ipmitool.yml +++ b/.github/workflows/ipmitool.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -18,7 +19,6 @@ jobs: name: Build wolfSSL # Just to keep it the same as the testing target runs-on: ubuntu-latest - if: github.repository_owner == 'wolfssl' # This should be a safe limit for the tests to run. timeout-minutes: 4 steps: @@ -47,7 +47,6 @@ jobs: matrix: git_ref: [ c3939dac2c060651361fc71516806f9ab8c38901 ] name: ${{ matrix.git_ref }} - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest needs: build_wolfssl steps: diff --git a/.github/workflows/jwt-cpp.yml b/.github/workflows/jwt-cpp.yml index 3b8348ad77..7e75b20870 100644 --- a/.github/workflows/jwt-cpp.yml +++ b/.github/workflows/jwt-cpp.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -16,7 +17,6 @@ jobs: build_wolfssl: name: Build wolfSSL # Just to keep it the same as the testing target - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 @@ -41,7 +41,6 @@ jobs: retention-days: 5 build_pam-ipmi: - if: github.repository_owner == 'wolfssl' strategy: fail-fast: false matrix: diff --git a/.github/workflows/krb5.yml b/.github/workflows/krb5.yml index 2b69761d2d..1d0d682c48 100644 --- a/.github/workflows/krb5.yml +++ b/.github/workflows/krb5.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -16,7 +17,6 @@ jobs: build_wolfssl: name: Build wolfSSL # Just to keep it the same as the testing target - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 5 @@ -49,7 +49,6 @@ jobs: # List of releases to test ref: [ 1.21.1 ] name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 8 diff --git a/.github/workflows/libssh2.yml b/.github/workflows/libssh2.yml index 121595954f..c469ac022f 100644 --- a/.github/workflows/libssh2.yml +++ b/.github/workflows/libssh2.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -16,7 +17,6 @@ jobs: build_wolfssl: name: Build wolfSSL # Just to keep it the same as the testing target - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 @@ -46,7 +46,6 @@ jobs: # List of releases to test ref: [ 1.11.0 ] name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 8 diff --git a/.github/workflows/libvncserver.yml b/.github/workflows/libvncserver.yml index 942b7aa3ff..addf7287d1 100644 --- a/.github/workflows/libvncserver.yml +++ b/.github/workflows/libvncserver.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -16,7 +17,6 @@ jobs: build_wolfssl: name: Build wolfSSL # Just to keep it the same as the testing target - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 @@ -46,7 +46,6 @@ jobs: matrix: ref: [ 0.9.13 ] name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest needs: build_wolfssl steps: diff --git a/.github/workflows/memcached.yml b/.github/workflows/memcached.yml index a111e30027..a5878fdb4c 100644 --- a/.github/workflows/memcached.yml +++ b/.github/workflows/memcached.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -16,7 +17,6 @@ jobs: build_wolfssl: name: Build wolfSSL # Just to keep it the same as the testing target - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest steps: - name: Build wolfSSL @@ -47,7 +47,6 @@ jobs: include: - ref: 1.6.22 name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest needs: build_wolfssl steps: diff --git a/.github/workflows/mosquitto.yml b/.github/workflows/mosquitto.yml index 6d9961cc9e..c8efbe8c60 100644 --- a/.github/workflows/mosquitto.yml +++ b/.github/workflows/mosquitto.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -16,7 +17,6 @@ jobs: build_wolfssl: name: Build wolfSSL # Just to keep it the same as the testing target - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 @@ -44,7 +44,6 @@ jobs: matrix: ref: [ 2.0.18 ] name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 diff --git a/.github/workflows/multi-arch.yml b/.github/workflows/multi-arch.yml index 33ea970ae5..d8a5ae7a86 100644 --- a/.github/workflows/multi-arch.yml +++ b/.github/workflows/multi-arch.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -36,7 +37,6 @@ jobs: CFLAGS: -marm -DWOLFSSL_SP_ARM_ARCH=6 ARCH: armel EXTRA_OPTS: --enable-sp-asm - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 10 diff --git a/.github/workflows/multi-compiler.yml b/.github/workflows/multi-compiler.yml index 0606833025..d78aca5e6a 100644 --- a/.github/workflows/multi-compiler.yml +++ b/.github/workflows/multi-compiler.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -46,7 +47,6 @@ jobs: - CC: clang-14 CXX: clang++-14 OS: ubuntu-latest - if: github.repository_owner == 'wolfssl' runs-on: ${{ matrix.OS }} # This should be a safe limit for the tests to run. timeout-minutes: 4 diff --git a/.github/workflows/net-snmp.yml b/.github/workflows/net-snmp.yml index 0275e0f12c..5124050455 100644 --- a/.github/workflows/net-snmp.yml +++ b/.github/workflows/net-snmp.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -15,7 +16,6 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' # Just to keep it the same as the testing target runs-on: ubuntu-latest # This should be a safe limit for the tests to run. @@ -47,7 +47,6 @@ jobs: - ref: 5.9.3 test_opts: -e 'agentxperl' name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml index e6729f11ea..ac258c89bb 100644 --- a/.github/workflows/nginx.yml +++ b/.github/workflows/nginx.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -15,7 +16,6 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' # Just to keep it the same as the testing target runs-on: ubuntu-latest # This should be a safe limit for the tests to run. @@ -106,7 +106,6 @@ jobs: stream_proxy_protocol_ssl.t stream_proxy_ssl_conf_command.t stream_proxy_ssl.t stream_proxy_ssl_verify.t name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 6 diff --git a/.github/workflows/no-malloc.yml b/.github/workflows/no-malloc.yml index a5888caa47..ef701c7f77 100644 --- a/.github/workflows/no-malloc.yml +++ b/.github/workflows/no-malloc.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -21,7 +22,6 @@ jobs: '--enable-rsa --enable-keygen --disable-dh CFLAGS="-DWOLFSSL_NO_MALLOC -DRSA_MIN_SIZE=1024"', ] name: make check - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 6 diff --git a/.github/workflows/ntp.yml b/.github/workflows/ntp.yml index 89f330f9a9..9535617c2b 100644 --- a/.github/workflows/ntp.yml +++ b/.github/workflows/ntp.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -15,7 +16,6 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' # Just to keep it the same as the testing target runs-on: ubuntu-latest # This should be a safe limit for the tests to run. diff --git a/.github/workflows/ocsp.yml b/.github/workflows/ocsp.yml index fab41650ab..10f21d8153 100644 --- a/.github/workflows/ocsp.yml +++ b/.github/workflows/ocsp.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -15,7 +16,6 @@ concurrency: jobs: ocsp_stapling: name: ocsp stapling - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest timeout-minutes: 10 steps: diff --git a/.github/workflows/openldap.yml b/.github/workflows/openldap.yml index 950435b5cc..c19bea9b6d 100644 --- a/.github/workflows/openldap.yml +++ b/.github/workflows/openldap.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/openssh.yml b/.github/workflows/openssh.yml index 586d21edfa..27569a4b84 100644 --- a/.github/workflows/openssh.yml +++ b/.github/workflows/openssh.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -15,7 +16,6 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' # Just to keep it the same as the testing target runs-on: ubuntu-latest # This should be a safe limit for the tests to run. @@ -48,7 +48,6 @@ jobs: - git_ref: 'V_9_6_P1' osp_ver: '9.6' name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest needs: build_wolfssl steps: diff --git a/.github/workflows/openvpn.yml b/.github/workflows/openvpn.yml index b9ae65114e..632f097cc2 100644 --- a/.github/workflows/openvpn.yml +++ b/.github/workflows/openvpn.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -15,7 +16,6 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' # Just to keep it the same as the testing target runs-on: ubuntu-latest # This should be a safe limit for the tests to run. @@ -45,7 +45,6 @@ jobs: # List of refs to test ref: [ release/2.6, master ] name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 10 diff --git a/.github/workflows/os-check.yml b/.github/workflows/os-check.yml index d4c1a8bc22..5867b61a31 100644 --- a/.github/workflows/os-check.yml +++ b/.github/workflows/os-check.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -42,7 +43,6 @@ jobs: --enable-psk --enable-aesccm --enable-nullcipher CPPFLAGS=-DWOLFSSL_STATIC_RSA', ] name: make check - if: github.repository_owner == 'wolfssl' runs-on: ${{ matrix.os }} # This should be a safe limit for the tests to run. timeout-minutes: 14 @@ -63,7 +63,6 @@ jobs: 'examples/configs/user_settings_all.h', ] name: make user_setting.h - if: github.repository_owner == 'wolfssl' runs-on: ${{ matrix.os }} # This should be a safe limit for the tests to run. timeout-minutes: 14 @@ -89,7 +88,6 @@ jobs: 'examples/configs/user_settings_tls12.h', ] name: make user_setting.h (testwolfcrypt only) - if: github.repository_owner == 'wolfssl' runs-on: ${{ matrix.os }} # This should be a safe limit for the tests to run. timeout-minutes: 14 @@ -111,7 +109,6 @@ jobs: matrix: os: [ ubuntu-latest, macos-latest ] name: make user_setting.h (with sed) - if: github.repository_owner == 'wolfssl' runs-on: ${{ matrix.os }} # This should be a safe limit for the tests to run. timeout-minutes: 14 @@ -130,7 +127,6 @@ jobs: windows_build: name: Windows Build Test - if: github.repository_owner == 'wolfssl' runs-on: windows-latest strategy: fail-fast: false diff --git a/.github/workflows/packaging.yml b/.github/workflows/packaging.yml index 83eff907a7..09a434d8e7 100644 --- a/.github/workflows/packaging.yml +++ b/.github/workflows/packaging.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -15,7 +16,6 @@ concurrency: jobs: build_wolfssl: name: Package wolfSSL - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 10 diff --git a/.github/workflows/pam-ipmi.yml b/.github/workflows/pam-ipmi.yml index ec254d6f3d..ca38dd175a 100644 --- a/.github/workflows/pam-ipmi.yml +++ b/.github/workflows/pam-ipmi.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -16,7 +17,6 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' # Just to keep it the same as the testing target runs-on: ubuntu-latest # This should be a safe limit for the tests to run. @@ -47,7 +47,6 @@ jobs: matrix: git_ref: [ e4b13e6725abb178f62ee897fe1c0e81b06a9431 ] name: ${{ matrix.git_ref }} - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest needs: build_wolfssl steps: diff --git a/.github/workflows/rng-tools.yml b/.github/workflows/rng-tools.yml index 859c6e6bdd..f49679fcac 100644 --- a/.github/workflows/rng-tools.yml +++ b/.github/workflows/rng-tools.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -15,7 +16,6 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' # Just to keep it the same as the testing target runs-on: ubuntu-latest # This should be a safe limit for the tests to run. @@ -46,7 +46,6 @@ jobs: # List of releases to test ref: [ 6.16 ] name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 diff --git a/.github/workflows/socat.yml b/.github/workflows/socat.yml index 270c005fc5..297944182f 100644 --- a/.github/workflows/socat.yml +++ b/.github/workflows/socat.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -15,7 +16,6 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest timeout-minutes: 4 steps: @@ -38,7 +38,6 @@ jobs: socat_check: - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 30 diff --git a/.github/workflows/softhsm.yml b/.github/workflows/softhsm.yml index 1f30a7cff6..ef194b411f 100644 --- a/.github/workflows/softhsm.yml +++ b/.github/workflows/softhsm.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -15,7 +16,6 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' # Just to keep it the same as the testing target runs-on: ubuntu-latest # This should be a safe limit for the tests to run. @@ -46,7 +46,6 @@ jobs: # List of releases to test ref: [ 2.6.1 ] name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 20 diff --git a/.github/workflows/sssd.yml b/.github/workflows/sssd.yml index 7ab859133a..0e0fe920b4 100644 --- a/.github/workflows/sssd.yml +++ b/.github/workflows/sssd.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -14,7 +15,6 @@ concurrency: jobs: build_wolfssl: - if: github.repository_owner == 'wolfssl' name: Build wolfSSL # Just to keep it the same as the testing target runs-on: ubuntu-latest @@ -40,7 +40,6 @@ jobs: retention-days: 5 sssd_check: - if: github.repository_owner == 'wolfssl' strategy: fail-fast: false matrix: diff --git a/.github/workflows/stunnel.yml b/.github/workflows/stunnel.yml index 0bef67a8f6..ed50959206 100644 --- a/.github/workflows/stunnel.yml +++ b/.github/workflows/stunnel.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -15,7 +16,6 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' # Just to keep it the same as the testing target runs-on: ubuntu-latest # This should be a safe limit for the tests to run. @@ -45,7 +45,6 @@ jobs: # List of releases to test ref: [ 5.67 ] name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 diff --git a/.github/workflows/win-csharp-test.yml b/.github/workflows/win-csharp-test.yml index 12b294b6b2..31f898671d 100644 --- a/.github/workflows/win-csharp-test.yml +++ b/.github/workflows/win-csharp-test.yml @@ -5,11 +5,11 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] jobs: build: - if: github.repository_owner == 'wolfssl' runs-on: windows-latest # This should be a safe limit for the tests to run. diff --git a/.github/workflows/zephyr.yml b/.github/workflows/zephyr.yml index 0582154c8f..20edf1f9a7 100644 --- a/.github/workflows/zephyr.yml +++ b/.github/workflows/zephyr.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + paths: [ '**', '!.github/**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -25,7 +26,6 @@ jobs: zephyr-sdk: 0.16.3 - zephyr-ref: v2.7.4 zephyr-sdk: 0.16.3 - if: github.repository_owner == 'wolfssl' runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 25 From b8aeaf4fa878fd9d157e774d9302b150402dc50f Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Fri, 8 Nov 2024 16:00:46 -0600 Subject: [PATCH 7/9] src/ssl.c: implement WOLFSSL_CLEANUP_THREADSAFE in wolfSSL_Init() / wolfSSL_Cleanup(). --- src/ssl.c | 57 +++++++++++++++++++++++++++++++------ wolfssl/wolfcrypt/wc_port.h | 4 +++ 2 files changed, 53 insertions(+), 8 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 5728b399ef..7fa6b6f9b4 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1037,7 +1037,7 @@ static volatile WOLFSSL_GLOBAL int initRefCount = 0; static WOLFSSL_GLOBAL wolfSSL_Mutex inits_count_mutex WOLFSSL_MUTEX_INITIALIZER_CLAUSE(inits_count_mutex); #ifndef WOLFSSL_MUTEX_INITIALIZER -static WOLFSSL_GLOBAL int inits_count_mutex_valid = 0; +static WOLFSSL_GLOBAL volatile int inits_count_mutex_valid = 0; #endif /* Create a new WOLFSSL_CTX struct and return the pointer to created struct. @@ -5641,12 +5641,29 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) static int wolfSSL_RAND_InitMutex(void); #endif +#if defined(WOLFSSL_CLEANUP_THREADSAFE) && !defined(WOLFSSL_MUTEX_INITIALIZER) + #ifndef WOLFSSL_ATOMIC_OPS + #error WOLFSSL_CLEANUP_THREADSAFE with !WOLFSSL_MUTEX_INITIALIZER requires WOLFSSL_ATOMIC_OPS + #endif + /* WOLFSSL_CLEANUP_THREADSAFE depends on a wolfSSL_Atomic_Int that can + * be statically initialized. + */ + static wolfSSL_Atomic_Int inits_count_mutex_valid2 = 0; +#endif /* WOLFSSL_CLEANUP_THREADSAFE && !WOLFSSL_MUTEX_INITIALIZER */ + #if defined(OPENSSL_EXTRA) && defined(HAVE_ATEXIT) static void AtExitCleanup(void) { if (initRefCount > 0) { initRefCount = 1; (void)wolfSSL_Cleanup(); +#if defined(WOLFSSL_CLEANUP_THREADSAFE) && !defined(WOLFSSL_MUTEX_INITIALIZER) + if (inits_count_mutex_valid == 1) { + (void)wc_FreeMutex(&inits_count_mutex); + inits_count_mutex_valid = 0; + inits_count_mutex_valid2 = 0; + } +#endif } } #endif @@ -5662,13 +5679,37 @@ int wolfSSL_Init(void) WOLFSSL_ENTER("wolfSSL_Init"); #ifndef WOLFSSL_MUTEX_INITIALIZER - if (inits_count_mutex_valid == 0) { - if (wc_InitMutex(&inits_count_mutex) != 0) { - WOLFSSL_MSG("Bad Init Mutex count"); - return BAD_MUTEX_E; + if (inits_count_mutex_valid <= 0) { + #ifdef WOLFSSL_CLEANUP_THREADSAFE + int current_inits_count_mutex_valid; + if (wolfSSL_Atomic_Int_FetchAdd(&inits_count_mutex_valid2, 1) != 0) { + /* We treat inits_count_mutex_valid as a spin lock -- this may cause + * deadlocks in some runtimes. Applications can fully mitigate this + * race by calling wolfSSL_Init() and wolfSSL_Cleanup() + * consecutively at startup, uncontended. This leaves + * inits_count_mutex safely initialized, but releases all other + * resources. + */ + while ((current_inits_count_mutex_valid = inits_count_mutex_valid) == 0); + if (current_inits_count_mutex_valid < 0) { + (void)wolfSSL_Atomic_Int_FetchSub(&inits_count_mutex_valid2, 1); + return BAD_MUTEX_E; + } } - else { - inits_count_mutex_valid = 1; + else + #endif /* WOLFSSL_CLEANUP_THREADSAFE */ + { + if (wc_InitMutex(&inits_count_mutex) != 0) { + WOLFSSL_MSG("Bad Init Mutex count"); + inits_count_mutex_valid = -1; + #ifdef WOLFSSL_CLEANUP_THREADSAFE + (void)wolfSSL_Atomic_Int_FetchSub(&inits_count_mutex_valid2, 1); + #endif + return BAD_MUTEX_E; + } + else { + inits_count_mutex_valid = 1; + } } } #endif /* !WOLFSSL_MUTEX_INITIALIZER */ @@ -10422,7 +10463,7 @@ int wolfSSL_Cleanup(void) #endif #endif /* !NO_SESSION_CACHE */ -#ifndef WOLFSSL_MUTEX_INITIALIZER +#if !defined(WOLFSSL_CLEANUP_THREADSAFE) && !defined(WOLFSSL_MUTEX_INITIALIZER) if ((inits_count_mutex_valid == 1) && (wc_FreeMutex(&inits_count_mutex) != 0)) { if (ret == WOLFSSL_SUCCESS) diff --git a/wolfssl/wolfcrypt/wc_port.h b/wolfssl/wolfcrypt/wc_port.h index eec259ecba..49a64225af 100644 --- a/wolfssl/wolfcrypt/wc_port.h +++ b/wolfssl/wolfcrypt/wc_port.h @@ -320,6 +320,10 @@ #endif /* SINGLE_THREADED */ +#ifdef WOLFSSL_TEST_NO_MUTEX_INITIALIZER + #undef WOLFSSL_MUTEX_INITIALIZER +#endif + #ifdef WOLFSSL_MUTEX_INITIALIZER #define WOLFSSL_MUTEX_INITIALIZER_CLAUSE(lockname) = WOLFSSL_MUTEX_INITIALIZER(lockname) #else From 524f0f5799f0c081b63490a1bd942e391c0f45d1 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Tue, 12 Nov 2024 23:57:35 -0600 Subject: [PATCH 8/9] peer review on "WOLFSSL_CLEANUP_THREADSAFE": * add WOLFSSL_ATOMIC_INITIALIZER() to wc_port.h; * rename feature macro to WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS for clarity; * remove spin lock logic in wolfSSL_Init() and instead return DEADLOCK_AVERTED_E on contended initialization; * unless WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS is user-defined to 0, automatically enable it when appropriate. --- src/ssl.c | 78 +++++++++++++++++++------------------ wolfssl/wolfcrypt/wc_port.h | 3 ++ 2 files changed, 43 insertions(+), 38 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 7fa6b6f9b4..bf204d373e 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -5641,15 +5641,31 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) static int wolfSSL_RAND_InitMutex(void); #endif -#if defined(WOLFSSL_CLEANUP_THREADSAFE) && !defined(WOLFSSL_MUTEX_INITIALIZER) +/* If we don't have static mutex initializers, but we do have static atomic + * initializers, activate WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS to leverage + * the latter. + */ +#ifndef WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS + #if !defined(WOLFSSL_MUTEX_INITIALIZER) && !defined(SINGLE_THREADED) && \ + defined(WOLFSSL_ATOMIC_OPS) && defined(WOLFSSL_ATOMIC_INITIALIZER) + #define WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS 1 + #else + #define WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS 0 + #endif +#elif defined(WOLFSSL_MUTEX_INITIALIZER) || defined(SINGLE_THREADED) + #undef WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS + #define WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS 0 +#endif + +#if WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS #ifndef WOLFSSL_ATOMIC_OPS - #error WOLFSSL_CLEANUP_THREADSAFE with !WOLFSSL_MUTEX_INITIALIZER requires WOLFSSL_ATOMIC_OPS + #error WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS with !WOLFSSL_MUTEX_INITIALIZER requires WOLFSSL_ATOMIC_OPS #endif - /* WOLFSSL_CLEANUP_THREADSAFE depends on a wolfSSL_Atomic_Int that can - * be statically initialized. - */ - static wolfSSL_Atomic_Int inits_count_mutex_valid2 = 0; -#endif /* WOLFSSL_CLEANUP_THREADSAFE && !WOLFSSL_MUTEX_INITIALIZER */ + #ifndef WOLFSSL_ATOMIC_INITIALIZER + #error WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS with !WOLFSSL_MUTEX_INITIALIZER requires WOLFSSL_ATOMIC_INITIALIZER + #endif + static wolfSSL_Atomic_Int inits_count_mutex_valid2 = WOLFSSL_ATOMIC_INITIALIZER(0); +#endif /* WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS && !WOLFSSL_MUTEX_INITIALIZER */ #if defined(OPENSSL_EXTRA) && defined(HAVE_ATEXIT) static void AtExitCleanup(void) @@ -5657,7 +5673,7 @@ static void AtExitCleanup(void) if (initRefCount > 0) { initRefCount = 1; (void)wolfSSL_Cleanup(); -#if defined(WOLFSSL_CLEANUP_THREADSAFE) && !defined(WOLFSSL_MUTEX_INITIALIZER) +#if WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS if (inits_count_mutex_valid == 1) { (void)wc_FreeMutex(&inits_count_mutex); inits_count_mutex_valid = 0; @@ -5679,37 +5695,22 @@ int wolfSSL_Init(void) WOLFSSL_ENTER("wolfSSL_Init"); #ifndef WOLFSSL_MUTEX_INITIALIZER - if (inits_count_mutex_valid <= 0) { - #ifdef WOLFSSL_CLEANUP_THREADSAFE - int current_inits_count_mutex_valid; + if (inits_count_mutex_valid == 0) { + #if WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS if (wolfSSL_Atomic_Int_FetchAdd(&inits_count_mutex_valid2, 1) != 0) { - /* We treat inits_count_mutex_valid as a spin lock -- this may cause - * deadlocks in some runtimes. Applications can fully mitigate this - * race by calling wolfSSL_Init() and wolfSSL_Cleanup() - * consecutively at startup, uncontended. This leaves - * inits_count_mutex safely initialized, but releases all other - * resources. - */ - while ((current_inits_count_mutex_valid = inits_count_mutex_valid) == 0); - if (current_inits_count_mutex_valid < 0) { - (void)wolfSSL_Atomic_Int_FetchSub(&inits_count_mutex_valid2, 1); - return BAD_MUTEX_E; - } - } - else - #endif /* WOLFSSL_CLEANUP_THREADSAFE */ - { - if (wc_InitMutex(&inits_count_mutex) != 0) { - WOLFSSL_MSG("Bad Init Mutex count"); - inits_count_mutex_valid = -1; - #ifdef WOLFSSL_CLEANUP_THREADSAFE - (void)wolfSSL_Atomic_Int_FetchSub(&inits_count_mutex_valid2, 1); + (void)wolfSSL_Atomic_Int_FetchSub(&inits_count_mutex_valid2, 1); + return DEADLOCK_AVERTED_E; + } + #endif /* WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS */ + if (wc_InitMutex(&inits_count_mutex) != 0) { + WOLFSSL_MSG("Bad Init Mutex count"); + #if WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS + (void)wolfSSL_Atomic_Int_FetchSub(&inits_count_mutex_valid2, 1); #endif - return BAD_MUTEX_E; - } - else { - inits_count_mutex_valid = 1; - } + return BAD_MUTEX_E; + } + else { + inits_count_mutex_valid = 1; } } #endif /* !WOLFSSL_MUTEX_INITIALIZER */ @@ -10463,7 +10464,8 @@ int wolfSSL_Cleanup(void) #endif #endif /* !NO_SESSION_CACHE */ -#if !defined(WOLFSSL_CLEANUP_THREADSAFE) && !defined(WOLFSSL_MUTEX_INITIALIZER) +#if !defined(WOLFSSL_MUTEX_INITIALIZER) && \ + !WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS if ((inits_count_mutex_valid == 1) && (wc_FreeMutex(&inits_count_mutex) != 0)) { if (ret == WOLFSSL_SUCCESS) diff --git a/wolfssl/wolfcrypt/wc_port.h b/wolfssl/wolfcrypt/wc_port.h index 49a64225af..002e9d4053 100644 --- a/wolfssl/wolfcrypt/wc_port.h +++ b/wolfssl/wolfcrypt/wc_port.h @@ -340,6 +340,7 @@ #if defined(__GNUC__) && defined(__ATOMIC_RELAXED) /* C++ using direct calls to compiler built-in functions */ typedef volatile int wolfSSL_Atomic_Int; + #define WOLFSSL_ATOMIC_INITIALIZER(x) (x) #define WOLFSSL_ATOMIC_OPS #endif #else @@ -347,6 +348,7 @@ /* Default C Implementation */ #include typedef atomic_int wolfSSL_Atomic_Int; + #define WOLFSSL_ATOMIC_INITIALIZER(x) (x) #define WOLFSSL_ATOMIC_OPS #endif /* WOLFSSL_HAVE_ATOMIC_H */ #endif @@ -358,6 +360,7 @@ #include #endif typedef volatile long wolfSSL_Atomic_Int; + #define WOLFSSL_ATOMIC_INITIALIZER(x) (x) #define WOLFSSL_ATOMIC_OPS #endif #endif /* WOLFSSL_NO_ATOMICS */ From 0ebd86d668faa45724045df0bd648dcfcc8efbce Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Wed, 13 Nov 2024 13:01:00 -0600 Subject: [PATCH 9/9] add second wolfCrypt error code span, and add DEADLOCK_AVERTED_E. --- src/internal.c | 6 ++-- src/ssl.c | 39 ++++++++++++++++++-------- support/gen-debug-trace-error-codes.sh | 10 ++++--- tests/api.c | 12 ++++---- wolfcrypt/src/error.c | 6 ++-- wolfcrypt/test/test.c | 6 ++-- wolfssl/error-ssl.h | 4 +++ wolfssl/wolfcrypt/error-crypt.h | 29 ++++++++++++++++--- 8 files changed, 81 insertions(+), 31 deletions(-) diff --git a/src/internal.c b/src/internal.c index fc0139e2ee..976602c762 100644 --- a/src/internal.c +++ b/src/internal.c @@ -25672,7 +25672,9 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e) } /* pass to wolfCrypt */ - if (error <= WC_FIRST_E && error >= WC_LAST_E) { + if ((error <= WC_SPAN1_FIRST_E && error >= WC_SPAN1_MIN_CODE_E) || + (error <= WC_SPAN2_FIRST_E && error >= WC_SPAN2_MIN_CODE_E)) + { return wc_GetErrorString(error); } @@ -25684,7 +25686,7 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e) #endif } - switch ((enum wolfSSL_ErrorCodes)error) { + switch ((enum wolfSSL_ErrorCodes)error) { /* // NOLINT(clang-analyzer-optin.core.EnumCastOutOfRange) */ case UNSUPPORTED_SUITE : return "unsupported cipher suite"; diff --git a/src/ssl.c b/src/ssl.c index bf204d373e..ded632e4f6 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -5644,6 +5644,8 @@ static int wolfSSL_RAND_InitMutex(void); /* If we don't have static mutex initializers, but we do have static atomic * initializers, activate WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS to leverage * the latter. + * + * See further explanation below in wolfSSL_Init(). */ #ifndef WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS #if !defined(WOLFSSL_MUTEX_INITIALIZER) && !defined(SINGLE_THREADED) && \ @@ -5659,12 +5661,13 @@ static int wolfSSL_RAND_InitMutex(void); #if WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS #ifndef WOLFSSL_ATOMIC_OPS - #error WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS with !WOLFSSL_MUTEX_INITIALIZER requires WOLFSSL_ATOMIC_OPS + #error WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS requires WOLFSSL_ATOMIC_OPS #endif #ifndef WOLFSSL_ATOMIC_INITIALIZER - #error WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS with !WOLFSSL_MUTEX_INITIALIZER requires WOLFSSL_ATOMIC_INITIALIZER + #error WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS requires WOLFSSL_ATOMIC_INITIALIZER #endif - static wolfSSL_Atomic_Int inits_count_mutex_valid2 = WOLFSSL_ATOMIC_INITIALIZER(0); + static wolfSSL_Atomic_Int inits_count_mutex_atomic_initing_flag = + WOLFSSL_ATOMIC_INITIALIZER(0); #endif /* WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS && !WOLFSSL_MUTEX_INITIALIZER */ #if defined(OPENSSL_EXTRA) && defined(HAVE_ATEXIT) @@ -5677,7 +5680,7 @@ static void AtExitCleanup(void) if (inits_count_mutex_valid == 1) { (void)wc_FreeMutex(&inits_count_mutex); inits_count_mutex_valid = 0; - inits_count_mutex_valid2 = 0; + inits_count_mutex_atomic_initing_flag = 0; } #endif } @@ -5697,15 +5700,29 @@ int wolfSSL_Init(void) #ifndef WOLFSSL_MUTEX_INITIALIZER if (inits_count_mutex_valid == 0) { #if WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS - if (wolfSSL_Atomic_Int_FetchAdd(&inits_count_mutex_valid2, 1) != 0) { - (void)wolfSSL_Atomic_Int_FetchSub(&inits_count_mutex_valid2, 1); + + /* Without this mitigation, if two threads enter wolfSSL_Init() at the + * same time, and both see zero inits_count_mutex_valid, then both will + * run wc_InitMutex(&inits_count_mutex), leading to process corruption + * or (best case) a resource leak. + * + * When WOLFSSL_ATOMIC_INITIALIZER() is available, we can mitigate this + * by use an atomic counting int as a mutex. + */ + + if (wolfSSL_Atomic_Int_FetchAdd(&inits_count_mutex_atomic_initing_flag, + 1) != 0) + { + (void)wolfSSL_Atomic_Int_FetchSub( + &inits_count_mutex_atomic_initing_flag, 1); return DEADLOCK_AVERTED_E; } #endif /* WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS */ if (wc_InitMutex(&inits_count_mutex) != 0) { WOLFSSL_MSG("Bad Init Mutex count"); #if WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS - (void)wolfSSL_Atomic_Int_FetchSub(&inits_count_mutex_valid2, 1); + (void)wolfSSL_Atomic_Int_FetchSub( + &inits_count_mutex_atomic_initing_flag, 1); #endif return BAD_MUTEX_E; } @@ -15772,11 +15789,11 @@ int wolfSSL_ERR_GET_REASON(unsigned long err) return ASN1_R_HEADER_TOO_LONG; #endif - /* check if error value is in range of wolfSSL errors */ + /* check if error value is in range of wolfCrypt or wolfSSL errors */ ret = 0 - ret; /* setting as negative value */ - /* wolfCrypt range is less than MAX (-100) - wolfSSL range is MIN (-300) and lower */ - if ((ret <= WC_FIRST_E && ret >= WC_LAST_E) || + + if ((ret <= WC_SPAN1_FIRST_E && ret >= WC_SPAN1_LAST_E) || + (ret <= WC_SPAN2_FIRST_E && ret >= WC_SPAN2_LAST_E) || (ret <= WOLFSSL_FIRST_E && ret >= WOLFSSL_LAST_E)) { return ret; diff --git a/support/gen-debug-trace-error-codes.sh b/support/gen-debug-trace-error-codes.sh index 0b181ae38e..540a95273b 100755 --- a/support/gen-debug-trace-error-codes.sh +++ b/support/gen-debug-trace-error-codes.sh @@ -20,10 +20,12 @@ BEGIN { if ((errcode_a[1] == "MIN_CODE_E") || (errcode_a[1] == "MAX_CODE_E") || - (errcode_a[1] == "WC_FIRST_E") || - (errcode_a[1] == "WC_LAST_E") || - (errcode_a[1] == "WOLFSSL_FIRST_E") || - (errcode_a[1] == "WOLFSSL_LAST_E")) + (errcode_a[1] ~ "WC.*MIN_CODE_E") || + (errcode_a[1] ~ "WC.*MAX_CODE_E") || + (errcode_a[1] ~ "WC.*_FIRST_E") || + (errcode_a[1] ~ "WC.*_LAST_E") || + (errcode_a[1] ~ "WOLFSSL.*_FIRST_E") || + (errcode_a[1] ~ "WOLFSSL.*_LAST_E")) { next; } diff --git a/tests/api.c b/tests/api.c index 8136bdbc9b..9eb879c737 100644 --- a/tests/api.c +++ b/tests/api.c @@ -89866,9 +89866,9 @@ static int error_test(void) { -15, -17 }, { -19, -19 }, { -26, -27 }, - { -30, WC_FIRST_E+1 }, + { -30, WC_SPAN1_FIRST_E + 1 }, #else - { -9, WC_FIRST_E+1 }, + { -9, WC_SPAN1_FIRST_E + 1 }, #endif { -124, -124 }, { -166, -169 }, @@ -89879,14 +89879,15 @@ static int error_test(void) { -358, -358 }, { -384, -384 }, { -466, -499 }, - { WOLFSSL_LAST_E-1, WOLFSSL_LAST_E-1 } + { WOLFSSL_LAST_E - 1, WC_SPAN2_FIRST_E + 1 }, + { WC_SPAN2_LAST_E - 1, MIN_CODE_E } }; /* Check that all errors have a string and it's the same through the two * APIs. Check that the values that are not errors map to the unknown * string. */ - for (i = 0; i >= WOLFSSL_LAST_E-1; i--) { + for (i = 0; i >= MIN_CODE_E; i--) { int this_missing = 0; for (j = 0; j < (int)XELEM_CNT(missing); ++j) { if ((i <= missing[j].first) && (i >= missing[j].last)) { @@ -89948,8 +89949,7 @@ static int test_wolfSSL_ERR_strings(void) ExpectNotNull(err = wolfSSL_ERR_func_error_string(WC_NO_ERR_TRACE((word32)UNSUPPORTED_SUITE))); ExpectIntEQ((*err == '\0'), 1); - /* The value -MIN_CODE_E+2 is PEM_R_PROBLEMS_GETTING_PASSWORD. */ - ExpectNotNull(err = wolfSSL_ERR_lib_error_string(-MIN_CODE_E+2)); + ExpectNotNull(err = wolfSSL_ERR_lib_error_string(-WOLFSSL_PEM_R_PROBLEMS_GETTING_PASSWORD_E)); ExpectIntEQ((*err == '\0'), 1); #endif #endif diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c index deedcbe1a6..a87289371c 100644 --- a/wolfcrypt/src/error.c +++ b/wolfcrypt/src/error.c @@ -642,11 +642,14 @@ const char* wc_GetErrorString(int error) case PBKDF2_KAT_FIPS_E: return "wolfCrypt FIPS PBKDF2 Known Answer Test Failure"; + case DEADLOCK_AVERTED_E: + return "Deadlock averted -- retry the call"; + case MAX_CODE_E: + case WC_SPAN1_MIN_CODE_E: case MIN_CODE_E: default: return "unknown error number"; - } } @@ -660,4 +663,3 @@ void wc_ErrorString(int error, char* buffer) buffer[WOLFSSL_MAX_ERROR_SZ-1] = 0; } #endif /* !NO_ERROR_STRINGS */ - diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 5a42966e02..0afb0422e5 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -2777,14 +2777,16 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t error_test(void) int last; } missing[] = { { -124, -124 }, - { -166, -169 } + { -166, -169 }, + { WC_SPAN1_LAST_E - 1, WC_SPAN2_FIRST_E + 1 }, + { WC_SPAN2_LAST_E - 1, WC_SPAN2_MIN_CODE_E } }; /* Check that all errors have a string and it's the same through the two * APIs. Check that the values that are not errors map to the unknown * string. */ - for (i = WC_FIRST_E; i >= WC_LAST_E; i--) { + for (i = WC_SPAN1_FIRST_E; i >= WC_SPAN2_MIN_CODE_E; i--) { int this_missing = 0; for (j = 0; j < (int)XELEM_CNT(missing); ++j) { if ((i <= missing[j].first) && (i >= missing[j].last)) { diff --git a/wolfssl/error-ssl.h b/wolfssl/error-ssl.h index fe6ee78d04..a819103da6 100644 --- a/wolfssl/error-ssl.h +++ b/wolfssl/error-ssl.h @@ -233,8 +233,12 @@ enum wolfSSL_ErrorCodes { WOLFSSL_EVP_R_PRIVATE_KEY_DECODE_ERROR = -515, WOLFSSL_LAST_E = -515 + + /* codes -1000 to -1999 are reserved for wolfCrypt. */ }; +wc_static_assert((int)WC_LAST_E <= (int)WOLFSSL_LAST_E); + /* I/O Callback default errors */ enum IOerrors { WOLFSSL_CBIO_ERR_GENERAL = -1, /* general unexpected err */ diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h index 3f188f7444..337443c129 100644 --- a/wolfssl/wolfcrypt/error-crypt.h +++ b/wolfssl/wolfcrypt/error-crypt.h @@ -47,8 +47,10 @@ enum wolfCrypt_ErrorCodes { * reasons of backward compatibility. */ - MAX_CODE_E = -96, /* errors -97 - -299 */ - WC_FIRST_E = -97, /* errors -97 - -299 */ + MAX_CODE_E = -96, /* WC_FIRST_E + 1, for backward compat. */ + WC_FIRST_E = -97, /* First code used for wolfCrypt */ + + WC_SPAN1_FIRST_E = -97, /* errors -97 - -300 */ MP_MEM = -97, /* MP dynamic memory allocation failed. */ MP_VAL = -98, /* MP value passed is not able to be used. */ @@ -290,13 +292,32 @@ enum wolfCrypt_ErrorCodes { SM4_GCM_AUTH_E = -298, /* SM4-GCM Authentication check failure */ SM4_CCM_AUTH_E = -299, /* SM4-CCM Authentication check failure */ - WC_LAST_E = -299, /* Update this to indicate last error */ - MIN_CODE_E = -300 /* errors -2 - -299 */ + WC_SPAN1_LAST_E = -299, /* Last used code in span 1 */ + WC_SPAN1_MIN_CODE_E = -300, /* Last usable code in span 1 */ + + WC_SPAN2_FIRST_E = -1000, + + DEADLOCK_AVERTED_E = -1000, /* Deadlock averted -- retry the call */ + + WC_SPAN2_LAST_E = -1000, /* Update to indicate last used error code */ + WC_SPAN2_MIN_CODE_E = -1999, /* Last usable code in span 2 */ + + WC_LAST_E = -1000, /* the last code used either here or in + * error-ssl.h + */ + + MIN_CODE_E = -1999 /* the last code allocated either here or in + * error-ssl.h + */ /* add new companion error id strings for any new error codes wolfcrypt/src/error.c !!! */ }; +wc_static_assert((int)WC_LAST_E <= (int)WC_SPAN2_LAST_E); +wc_static_assert((int)MIN_CODE_E <= (int)WC_LAST_E); +wc_static_assert((int)MIN_CODE_E <= (int)WC_SPAN2_MIN_CODE_E); + #ifdef NO_ERROR_STRINGS #define wc_GetErrorString(error) "no support for error strings built in" #define wc_ErrorString(err, buf) \