Land #752, Update CI actions

.github/workflows/macos_test.yml

@@ -6,7 +6,7 @@ jobs:
   build-native:
     strategy:
       matrix:
-        os: [macos-latest]
+        os: [macos-12, macos-11]
         compiler: [clang, gcc]
     runs-on: ${{ matrix.os }}
     continue-on-error: false

ChangeLog

@@ -28,6 +28,63 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
+3.5.2 - Stable release
+
+	* Bug fixes
+	  - Avoid single byte overread in asn1_parse2().
+	  - Allow name constraints with a leading dot. From Alex Wilson.
+	  - Relax a check in x509_constraints_dirname() to allow prefixes.
+	    From Alex Wilson.
+	  - Fix NULL dereferences in openssl(1) cms option parsing.
+	  - Do not zero the computed cofactor on ec_guess_cofactor() success.
+	  - Bound cofactor in EC_GROUP_set_generator() to reduce the number of
+	    bogus groups that can be described with nonsensical parameters.
+	  - Avoid various potential segfaults in EVP_PKEY_CTX_free() in low
+	    memory conditions. Reported for HMAC by Masaru Masuda.
+	  - Plug leak in ASN1_TIME_adj_internal().
+	  - Avoid infinite loop for custom curves of order 1.
+	    Issue reported by Hanno Boeck, comments by David Benjamin.
+	  - Avoid an infinite loop on parsing DSA private keys by validating
+	    that the provided parameters conform to FIPS 186-4.
+	    Issue reported by Hanno Boeck, comments by David Benjamin.
+	* Compatibility improvements
+	  - Allow non-standard name constraints of the form @domain.com.
+	* Internal improvements
+	  - Limit OID text conversion to 64 bits per arc.
+	  - Clean up and simplify memory BIO code.
+	  - Reduce number of memmove() calls in memory BIOs.
+	  - Factor out alert handling code in the legacy stack.
+	  - Add sanity checks on p and q in old_dsa_priv_decode()
+	  - Cache the SHA-512 hash instead of the SHA-1 for CRLs.
+	  - Suppress various compiler warnings for old gcc versions.
+	  - Remove free_cont from asn1_d2i_ex_primitive()/asn1_ex_c2i().
+	  - Rework ownership handling in x509_constraints_validate().
+	  - Rework ASN1_STRING_set().
+	  - Remove const from tls1_transcript_hash_value().
+	  - Clean up and simplify ssl3_renegotiate{,_check}().
+	  - Rewrite legacy TLS and DTLS unexpected handshake message handling.
+	  - Simplify SSL_do_handshake().
+	  - Rewrite ASCII/text to ASN.1 object conversion.
+	  - Provide t2i_ASN1_OBJECT_internal() and use it for OBJ_txt2obj().
+	  - Split armv7 and aarch64 code into separate locations.
+	  - Rewrote openssl(1) ts to use the new option handling and cleaned
+	    up the C code.
+	  - Provide asn1_get_primitive().
+	  - Convert {c2i,d2i}_ASN1_OBJECT() to CBS.
+	  - Remove the minimum record length checks from dtls1_read_bytes().
+	  - Clean up {dtls1,ssl3}_read_bytes().
+	  - Be more careful with embedded and terminating NULs in the new
+	    name constraints code.
+	  - Check EVP_Digest* return codes in openssl(1) ts
+	  - Various minor code cleanup in openssl(1) pkcs12
+	  - Use calloc() in pkey_hmac_init().
+	  - Simplify priv_key handling in d2i_ECPrivateKey().
+	* Documentation improvements
+	  - Update d2i_ASN1_OBJECT(3) documentation to reflect reality after
+	    refactoring and bug fixes.
+	  - Fixed numerous minor grammar, spelling, wording, and punctuation
+	    issues.
+
 3.5.1 - Security release
 
 	* A malicious certificate can cause an infinite loop.

apps/nc/compat/sys/socket.h

@@ -6,8 +6,7 @@
 #ifndef _WIN32
 #include_next <sys/socket.h>
 
-#if !defined(SOCK_NONBLOCK) || !defined(SOCK_CLOEXEC)
-#define NEED_SOCKET_FLAGS
+#if defined(NEED_SOCKET_FLAGS)
 int _socket(int domain, int type, int protocol);
 #ifndef SOCKET_FLAGS_PRIV
 #define socket(d, t, p) _socket(d, t, p)

appveyor.yml

@@ -1,26 +1,26 @@
 image:
-  - Previous Visual Studio 2019
+  - Visual Studio 2019
 
 environment:
   PATH: C:\msys64\usr\bin;C:\msys64\mingw64\bin;C:\Windows\System32;C:\Windows;%PATH%
 
   matrix:
-    - APPVEYOR_BUILD_WORKER_IMAGE: Previous Visual Studio 2019
+    - APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2019
       GENERATOR: Visual Studio 16 2019
       ARCHITECTURE: Win32
       CONFIG: Release
       SHARED_LIBS: ON
-    - APPVEYOR_BUILD_WORKER_IMAGE: Previous Visual Studio 2019
+    - APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2019
       GENERATOR: Visual Studio 16 2019
       ARCHITECTURE: Win32
       CONFIG: Release
       SHARED_LIBS: OFF
-    - APPVEYOR_BUILD_WORKER_IMAGE: Previous Visual Studio 2019
+    - APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2019
       GENERATOR: Visual Studio 16 2019
       ARCHITECTURE: x64
       CONFIG: Release
       SHARED_LIBS: ON
-    - APPVEYOR_BUILD_WORKER_IMAGE: Previous Visual Studio 2019
+    - APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2019
       GENERATOR: Visual Studio 16 2019
       ARCHITECTURE: x64
       CONFIG: Release

include/compat/sys/socket.h

@@ -10,6 +10,7 @@
 #endif
 
 #if !defined(SOCK_NONBLOCK) || !defined(SOCK_CLOEXEC)
+#define NEED_SOCKET_FLAGS
 #define SOCK_CLOEXEC            0x8000  /* set FD_CLOEXEC */
 #define SOCK_NONBLOCK           0x4000  /* set O_NONBLOCK */
 int bsd_socketpair(int domain, int type, int protocol, int socket_vector[2]);

scripts/test

@@ -20,24 +20,24 @@ if [ "x$ARCH" = "xnative" ]; then
 	# test cmake and ninja
 	if [ `uname` = "Darwin" ]; then
 		cmake ..
-		make
+		make -j 4
 		make test
 
 		cd ../build-shared
 		cmake -DBUILD_SHARED_LIBS=ON ..
-		make
+		make -j 4
 		make test
 	else
 		sudo apt-get update
 		sudo apt-get install -y cmake ninja-build
 
 		cmake -GNinja ..
-		ninja
+		ninja -j 4
 		ninja test
 
 		cd ../build-shared
 		cmake -GNinja -DBUILD_SHARED_LIBS=ON ..
-		ninja
+		ninja -j 4
 		ninja test
 	fi
 
@@ -58,21 +58,21 @@ elif [ "x$ARCH" = "xmingw32" -o "x$ARCH" = "xmingw64" ]; then
 	fi
 
 	./configure --host=$CPU-w64-mingw32
-	make -j
+	make -j 4
 
 	(
 	 rm -fr build-static
 	 mkdir build-static
 	 cd build-static
 	 cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=../scripts/$CPU-w64-mingw32.cmake ..
-	 ninja
+	 ninja -j 4
 	)
 	(
 	 rm -fr build-shared
 	 mkdir build-shared
 	 cd build-shared
 	 cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=../scripts/$CPU-w64-mingw32.cmake -DBUILD_SHARED_LIBS=ON ..
-	 ninja
+	 ninja -j 4
 	)
 
 elif [ "x$ARCH" = "xarm32" -o "x$ARCH" = "xarm64" ]; then

tests/CMakeLists.txt

@@ -341,6 +341,11 @@ add_executable(mont mont.c)
 target_link_libraries(mont ${OPENSSL_TEST_LIBS})
 add_test(mont mont)
 
+# objectstest
+add_executable(objectstest objectstest.c)
+target_link_libraries(objectstest ${OPENSSL_TEST_LIBS})
+add_test(objectstest objectstest)
+
 # ocsp_test
 if(ENABLE_EXTRATESTS)
 	add_executable(ocsp_test ocsp_test.c)

tests/Makefile.am

@@ -354,6 +354,11 @@ TESTS += mont
 check_PROGRAMS += mont
 mont_SOURCES = mont.c
 
+# objectstest
+TESTS += objectstest
+check_PROGRAMS += objectstest
+objectstest_SOURCES = objectstest.c
+
 # ocsp_test
 if ENABLE_EXTRATESTS
 TESTS += ocsptest.sh