Merge branch 'ocspFix' of github.com:smittals2/aws-lc into ocspFix

.github/workflows/actions-ci.yml

@@ -24,7 +24,7 @@ jobs:
         uses: actions/checkout@v3
       - name: Sanity Test Run
         run: |
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get install ninja-build
           cmake -GNinja -Btest_build_dir
           ninja -C test_build_dir run_tests

.github/workflows/aws-lc-rs.yml

@@ -32,7 +32,7 @@ jobs:
           args: rust-script
       - name: Install OS Dependencies
         run: |
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get -y --no-install-recommends install cmake gcc clang ninja-build golang
       - name: Remove aws-lc submodule from crate directory
         working-directory: ./aws-lc-rs/aws-lc-sys

.github/workflows/codecov-ci.yml

@@ -13,7 +13,7 @@ jobs:
     steps:
       - name: Install lcov
         run: |
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get -y install lcov
       - uses: actions/checkout@v4
       - name: Run Code Coverage Build

.github/workflows/cross-test.yml

@@ -14,7 +14,7 @@ jobs:
     steps:
       - name: Install qemu
         run: |
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get -y install qemu-user qemu-user-binfmt
       - uses: actions/checkout@v4
       - name: PPC64 Build/Test
@@ -25,7 +25,7 @@ jobs:
     steps:
       - name: Install qemu
         run: |
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get -y install qemu-user qemu-user-binfmt
       - uses: actions/checkout@v4
       - name: PPC32 Build/Test
@@ -36,7 +36,7 @@ jobs:
     steps:
       - name: Install qemu
         run: |
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get -y install qemu-user qemu-user-binfmt
       - uses: actions/checkout@v4
       - name: PPC32 Build/Test
@@ -47,7 +47,7 @@ jobs:
     steps:
       - name: Install qemu
         run: |
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get -y install qemu-user qemu-user-binfmt
       - uses: actions/checkout@v4
       - name: PPC64LE Build/Test
@@ -58,7 +58,7 @@ jobs:
     steps:
       - name: Install qemu
         run: |
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get -y install qemu-user qemu-user-binfmt
       - uses: actions/checkout@v4
       - name: RISC-V 64 Build/Test
@@ -76,7 +76,7 @@ jobs:
     steps:
       - name: Install qemu
         run: |
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get -y install qemu-user qemu-user-binfmt
       - uses: actions/checkout@v4
       - name: armv6 Build/Test
@@ -86,7 +86,7 @@ jobs:
     steps:
       - name: Install qemu
         run: |
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get -y install qemu-user qemu-user-binfmt
       - uses: actions/checkout@v4
       - name: loongarch64 Build/Test
@@ -97,7 +97,7 @@ jobs:
     steps:
       - name: Install qemu
         run: |
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get -y install qemu-user qemu-user-binfmt
       - uses: actions/checkout@v4
       - name: s390x Build/Test

.github/workflows/go.yml

@@ -21,7 +21,7 @@ jobs:
       - name: Install OS Dependencies
         run: |
           which go
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get -y --no-install-recommends install cmake gcc ninja-build make
           sudo rm -rf /usr/local/go
           sudo rm /usr/bin/go

.github/workflows/integrations.yml

@@ -16,7 +16,7 @@ jobs:
     steps:
       - name: Install OS Dependencies
         run: |
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get -y --no-install-recommends install cmake gcc ninja-build golang make
       - uses: actions/checkout@v3
       - name: Run integration build
@@ -28,7 +28,7 @@ jobs:
     steps:
       - name: Install OS Dependencies
         run: |
-          sudo apt-get update && sudo apt-get -y --no-install-recommends install cmake gcc ninja-build golang autoconf-archive libcmocka0 libcmocka-dev procps iproute2 build-essential git pkg-config gcc libtool automake libssl-dev uthash-dev autoconf doxygen libjson-c-dev libini-config-dev libcurl4-openssl-dev uuid-dev libltdl-dev libusb-1.0-0-dev libftdi-dev libglib2.0-dev pandoc
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none && sudo apt-get -y --no-install-recommends install cmake gcc ninja-build golang autoconf-archive libcmocka0 libcmocka-dev procps iproute2 build-essential git pkg-config gcc libtool automake libssl-dev uthash-dev autoconf doxygen libjson-c-dev libini-config-dev libcurl4-openssl-dev uuid-dev libltdl-dev libusb-1.0-0-dev libftdi-dev libglib2.0-dev pandoc
       - uses: actions/checkout@v3
       - name: Run integration build
         run: |
@@ -45,7 +45,7 @@ jobs:
     steps:
       - name: Install OS Dependencies
         run: |
-          apt-get update
+          apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           apt-get -y --no-install-recommends install cmake gcc g++ ninja-build golang make python3 python3-sphinx autoconf libtool pkg-config git libc++-dev python3-six
       - uses: actions/checkout@v3
       - name: Run integration build
@@ -57,7 +57,7 @@ jobs:
     steps:
       - name: Install OS Dependencies
         run: |
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get -y --no-install-recommends install cmake gcc ninja-build golang make libpcap-dev binutils-dev
       - uses: actions/checkout@v3
       - name: Run integration build
@@ -69,7 +69,7 @@ jobs:
     steps:
       - name: Install OS Dependencies
         run: |
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get -y --no-install-recommends install cmake gcc ninja-build golang make
       - uses: actions/checkout@v3
       - name: Run trousers build
@@ -81,7 +81,7 @@ jobs:
     steps:
       - name: Install OS Dependencies
         run: |
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get -y --no-install-recommends install cmake gcc ninja-build golang make
       - uses: actions/checkout@v3
       - name: Run ntp build
@@ -93,7 +93,7 @@ jobs:
     steps:
       - name: Install OS Dependencies
         run: |
-          sudo apt-get update && sudo apt-get -y --no-install-recommends install cmake gcc ninja-build golang make autoconf pkg-config openssl
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none && sudo apt-get -y --no-install-recommends install cmake gcc ninja-build golang make autoconf pkg-config openssl
       - uses: actions/checkout@v3
       - name: Run integration build
         run: |
@@ -105,7 +105,7 @@ jobs:
     steps:
       - name: Install OS Dependencies
         run: |
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get -y --no-install-recommends install cmake gcc ninja-build golang make
       - uses: actions/checkout@v3
       - name: Build AWS-LC, build python, run tests
@@ -127,7 +127,7 @@ jobs:
     steps:
       - name: Install OS Dependencies
         run: |
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get -y --no-install-recommends install cmake gcc ninja-build golang make
       - uses: actions/checkout@v3
       - name: Build AWS-LC, build python, run tests
@@ -143,7 +143,7 @@ jobs:
     steps:
       - name: Install OS Dependencies
         run: |
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get -y --no-install-recommends install cmake gcc ninja-build golang make
       - uses: actions/checkout@v3
       - name: Build AWS-LC, build openldap, run tests
@@ -155,7 +155,7 @@ jobs:
     steps:
       - name: Install OS Dependencies
         run: |
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get -y --no-install-recommends install cmake gcc ninja-build golang make python3 python3-pytest autoconf pkg-config libcmocka-dev liburcu-dev libuv1-dev libnghttp2-dev libcap-dev libprotobuf-c-dev protobuf-c-compiler libfstrm-dev libjemalloc-dev
       - uses: actions/checkout@v3
       - name: Run bind9 build
@@ -167,7 +167,7 @@ jobs:
     steps:
       - name: Install OS Dependencies
         run: |
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get -y --no-install-recommends install \
           cmake gcc ninja-build golang make gperf bison flex autogen autoconf \
           pkg-config libtool gettext libgmp-dev libsystemd-dev
@@ -181,7 +181,7 @@ jobs:
     steps:
       - name: Install OS Dependencies
         run: |
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get -y --no-install-recommends install \
           cmake gcc ninja-build golang libnl-3-dev libnl-genl-3-dev \
           libcap-ng-dev liblz4-dev liblzo2-dev libpam-dev libcmocka-dev \
@@ -196,7 +196,7 @@ jobs:
     steps:
       - name: Install OS Dependencies
         run: |
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get -y --no-install-recommends install \
           cmake gcc ninja-build golang
       - uses: actions/checkout@v4
@@ -209,7 +209,7 @@ jobs:
     steps:
       - name: Install OS Dependencies
         run: |
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get -y --no-install-recommends install \
           curl gnupg build-essential lcov wget python3-pip cmake gcc ninja-build golang
           sudo pip3 install gcovr

.github/workflows/opensslcomparison.yml

@@ -12,16 +12,11 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
-
       - name: Install OS Dependencies
         run: |
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get -y --no-install-recommends install \
             cmake gcc ninja-build golang make autoconf pkg-config openssl
-
-      - name: Make the script executable
-        run: chmod +x ./tests/ci/run_openssl_comparison_tests.sh
-
       - name: Build AWS-LC & OpenSSL and Run Comparison Tests
         run: |
             ./tests/ci/run_openssl_comparison_tests.sh

.github/workflows/windows-alt.yml

@@ -164,14 +164,14 @@ jobs:
       - name: Install Tools
         run: |
           set -ex
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get install --assume-yes --no-install-recommends  software-properties-common
           sudo add-apt-repository --yes ppa:longsleep/golang-backports
           sudo dpkg --add-architecture i386
           sudo mkdir -pm755 /etc/apt/keyrings
           sudo wget -O /etc/apt/keyrings/winehq-archive.key https://dl.winehq.org/wine-builds/winehq.key
           sudo wget -NP /etc/apt/sources.list.d/ https://dl.winehq.org/wine-builds/ubuntu/dists/jammy/winehq-jammy.sources
-          sudo apt-get update
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
           sudo apt-get install --assume-yes --no-install-recommends build-essential cmake golang-go nasm clang wget mingw-w64
           sudo apt-get install --assume-yes --install-recommends winehq-stable wine-binfmt
           sudo update-binfmts --display

BUILDING.md

@@ -218,7 +218,7 @@ Both sets of tests may also be run with `ninja -C build run_tests`, but CMake
 
 If your project is unable to take on a Go or Perl dependency, the AWS-LC repository
 provides generated build files. These can be used in place of the files that would
-normally be generated by these dependencies. 
+normally be generated by these dependencies.
 
 It is still recommended to have both Go and Perl installed to be able to run the full
 range of unit tests, as well as running valgrind and SDE tests. Building without Go now
@@ -228,12 +228,46 @@ More information on this can be found in [INCORPORATING.md](/INCORPORATING.md).
 
 # Snapsafe Detection
 
-AWS-LC supports Snapsafe-type uniqueness breaking event detection 
-on Linux using SysGenID (https://lkml.org/lkml/2021/3/8/677). This mechanism 
-is used for security hardening. If a SysGenID interface is not found, then the 
-mechanism is ignored. 
+AWS-LC supports Snapsafe-type uniqueness breaking event detection
+on Linux using SysGenID (https://lkml.org/lkml/2021/3/8/677). This mechanism
+is used for security hardening. If a SysGenID interface is not found, then the
+mechanism is ignored.
 
 ## Snapsafe Prerequisites
 
-Snapshots taken on active hosts can potentially be unsafe to use. 
+Snapshots taken on active hosts can potentially be unsafe to use.
 See "Snapshot Safety Prerequisites" here: https://lkml.org/lkml/2021/3/8/677
+
+# Data Independent Timing on AArch64
+
+The Data Independent Timing (DIT) flag on Arm64 processors, when
+enabled, ensures the following as per [Arm A-profile Architecture
+Registers
+Document](https://developer.arm.com/documentation/ddi0601/2023-12/AArch64-Registers/DIT--Data-Independent-Timing):
+- The timing of every load and store instruction is insensitive to the
+  value of the data being loaded or stored.
+- For certain data processing instructions, the instruction takes a
+  time which is independent of the data in the registers and the NZCV
+  flags.
+
+It is also expected to disable the Data Memory-dependent Prefetcher
+(DMP) feature of Apple M-series CPUs starting at M3 as per [this
+article](https://appleinsider.com/articles/24/03/21/apple-silicon-vulnerability-leaks-encryption-keys-and-cant-be-patched-easily).
+
+Building with the option `-DENABLE_DATA_INDEPENDENT_TIMING_AARCH64=ON`
+will enable the macro `SET_DIT_AUTO_DISABLE`. This macro is present at
+the entry of functions that process/load/store secret data to enable
+the DIT flag and then set it to its original value on entry.  With
+this build option, there is an effect on performance that varies by
+function and by processor architecture. The effect is mostly due to
+enabling and disabling the DIT flag. If it remains enabled over many
+calls, the effect can be largely mitigated. Hence, the macro can be
+inserted in the caller's application at the beginning of the code
+scope that makes repeated calls to AWS-LC cryptographic
+functions. Alternatively, the functions `armv8_enable_dit` and
+`armv8_restore_dit` can be placed at the beginning and the end of
+the code section, respectively.
+An example of that usage is present in the benchmarking function
+`Speed()` in `tool/speed.cc` when the `-dit` option is used
+
+    ./tool/bssl speed -dit

CMakeLists.txt

@@ -1,5 +1,9 @@
 cmake_minimum_required(VERSION 3.0)
 
+if(POLICY CMP0091)
+cmake_policy(SET CMP0091 NEW)
+endif()
+
 # Defer enabling C and CXX languages.
 project(AWSLC NONE)
 
@@ -27,6 +31,7 @@ option(ENABLE_DILITHIUM "Enable Dilithium signatures in the EVP API" OFF)
 option(DISABLE_PERL "Disable Perl for AWS-LC" OFF)
 option(DISABLE_GO "Disable Go for AWS-LC" OFF)
 option(ENABLE_FIPS_ENTROPY_CPU_JITTER "Enable FIPS entropy source: CPU Jitter" OFF)
+option(ENABLE_DATA_INDEPENDENT_TIMING_AARCH64 "Enable Data-Independent Timing (DIT) flag on Arm64" OFF)
 include(cmake/go.cmake)
 
 enable_language(C)
@@ -173,6 +178,9 @@ foreach(VAR CMAKE_C_FLAGS CMAKE_CXX_FLAGS CMAKE_ASM_FLAGS)
 endforeach()
 
 if(BORINGSSL_PREFIX AND BORINGSSL_PREFIX_SYMBOLS AND GO_EXECUTABLE)
+
+  message(STATUS "Prefix build configured: building headers using prefix \"${BORINGSSL_PREFIX}\" and symbols file \"${BORINGSSL_PREFIX_SYMBOLS}\"")
+
   if(IS_ABSOLUTE ${BORINGSSL_PREFIX_SYMBOLS})
     set(BORINGSSL_PREFIX_SYMBOLS_PATH ${BORINGSSL_PREFIX_SYMBOLS})
   else()
@@ -214,6 +222,8 @@ if(BORINGSSL_PREFIX AND BORINGSSL_PREFIX_SYMBOLS AND GO_EXECUTABLE)
   )
 elseif(BORINGSSL_PREFIX AND BORINGSSL_PREFIX_HEADERS)
 
+  message(STATUS "Prefix build configured: performing build using prefix \"${BORINGSSL_PREFIX}\" and headers path \"${BORINGSSL_PREFIX_HEADERS}\"")
+
   if(IS_ABSOLUTE ${BORINGSSL_PREFIX_HEADERS})
     set(BORINGSSL_PREFIX_HEADERS_PATH ${BORINGSSL_PREFIX_HEADERS})
   else()
@@ -812,6 +822,10 @@ else()
   set(ARCH "generic")
 endif()
 
+if(ENABLE_DATA_INDEPENDENT_TIMING_AARCH64)
+  add_definitions(-DMAKE_DIT_AVAILABLE)
+endif()
+
 if(USE_CUSTOM_LIBCXX)
   if(NOT CLANG)
     message(FATAL_ERROR "USE_CUSTOM_LIBCXX only supported with Clang")