Merge branch 'main' of github.com:aws/aws-lc
pittma committed Sep 16, 2024
2 parents 0dd53a1 + 9d21f38 commit f3715bb
Showing 56 changed files with 4,131 additions and 878 deletions.
21 changes: 18 additions & 3 deletions .github/workflows/integrations.yml
Expand Up @@ -175,7 +175,7 @@ jobs:
- name: Run strongswan build
run: |
./tests/ci/integration/run_strongswan_integration.sh
openvpn:
openvpn2-6:
if: github.repository_owner == 'aws'
runs-on: ubuntu-latest
steps:
Expand All @@ -187,9 +187,24 @@ jobs:
libcap-ng-dev liblz4-dev liblzo2-dev libpam-dev libcmocka-dev \
python3-docutils
- uses: actions/checkout@v4
- name: Run openvpn build
- name: Run openvpn build 2.6.x
run: |
./tests/ci/integration/run_openvpn_integration.sh
./tests/ci/integration/run_openvpn_integration.sh release/2.6
openvpnMaster:
if: github.repository_owner == 'aws'
runs-on: ubuntu-latest
steps:
- name: Install OS Dependencies
run: |
sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
sudo apt-get -y --no-install-recommends install \
cmake gcc ninja-build golang libnl-3-dev libnl-genl-3-dev \
libcap-ng-dev liblz4-dev liblzo2-dev libpam-dev libcmocka-dev \
python3-docutils
- uses: actions/checkout@v4
- name: Run openvpn build main
run: |
./tests/ci/integration/run_openvpn_integration.sh master
libevent:
if: github.repository_owner == 'aws'
runs-on: ubuntu-latest
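Review bot: The new `openvpnMaster` job at the end of the hunk repeats the whole `Install OS Dependencies` step and the checkout of `openvpn2-6` verbatim, differing only in the branch argument passed to `run_openvpn_integration.sh`. A matrix over the branch keeps the two builds as separate check runs while leaving a single apt list to maintain; the sketch below assumes the job ids are not referenced elsewhere (for instance in branch-protection required checks), which this page does not show. The naming of the two jobs is also mixed (`openvpn2-6` vs `openvpnMaster`); if a matrix is not wanted, at least pick one convention for both.
```yaml
  openvpn:
    if: github.repository_owner == 'aws'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        openvpn_branch: ['release/2.6', 'master']
    steps:
      # … unchanged: Install OS Dependencies step, actions/checkout@v4 …
      - name: Run openvpn build ${{ matrix.openvpn_branch }}
        run: |
          ./tests/ci/integration/run_openvpn_integration.sh ${{ matrix.openvpn_branch }}
```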
10 changes: 10 additions & 0 deletions CMakeLists.txt
Expand Up @@ -824,6 +824,16 @@ else()
set(ARCH "generic")
endif()

# If target ARCH is 32-bit x86, ensure SSE2 is enabled since it's used by the optimized assembly.
# To build for targets that do not support SSE2, use the `OPENSSL_NO_ASM` flag.
if(ARCH STREQUAL "x86" AND NOT OPENSSL_NO_SSE2_FOR_TESTING)
# Most compilers enable SSE2 in 32-bit x86 by default, but in some cases GCC and Clang don't.
# See: https://github.com/aws/aws-lc/commit/6fe8dcbe96e580ea85233fdb98a142e42951b70b
if(GCC OR CLANG)
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -msse2")
endif()
endif()

if(ENABLE_DATA_INDEPENDENT_TIMING_AARCH64)
add_definitions(-DMAKE_DIT_AVAILABLE)
endif()
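Review bot: The escape hatch named in the comment above the new block (`OPENSSL_NO_ASM`) is not part of the condition, so a 32-bit x86 build with `OPENSSL_NO_ASM` set and a GCC/Clang toolchain still gets `-msse2` appended to `CMAKE_C_FLAGS`, even though the stated reason for the flag (the optimized assembly) no longer applies. Unless the `else()` branch cut off above already forces `ARCH` to `"generic"` for no-asm builds, the condition should read `if(ARCH STREQUAL "x86" AND NOT OPENSSL_NO_ASM AND NOT OPENSSL_NO_SSE2_FOR_TESTING)`. `OPENSSL_NO_SSE2_FOR_TESTING` is not declared in this hunk; a one-line comment saying where it is set (or an `option()` next to the block) would spare the next reader a search. Appending to `CMAKE_C_FLAGS` rather than using `add_compile_options` matches the rest of this file, so that is fine to keep.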
27 changes: 27 additions & 0 deletions crypto/crypto_test.cc
Expand Up @@ -73,6 +73,33 @@ TEST(CryptoTest, Strndup) {
EXPECT_STREQ("", str.get());
}

TEST(CryptoTest, OPENSSL_hexstr2buf) {
const char *test_cases[][2] = {{"a2", "\xa2"},
{"a213", "\xa2\x13"},
{"ffeedd", "\xff\xee\xdd"},
{"10aab1c2", "\x10\xaa\xb1\xc2"}};

for (auto test_case : test_cases) {
const char *test_value = test_case[0];
const char *expected_answer = test_case[1];
size_t actual_answer_len = 0;
// The longest test case we have is currently 4 bytes long
size_t expected_answer_len = OPENSSL_strnlen(test_case[1], 5);
unsigned char *buf = OPENSSL_hexstr2buf(test_value, &actual_answer_len);
ASSERT_TRUE(buf != nullptr);
EXPECT_EQ(expected_answer_len, actual_answer_len);
EXPECT_EQ(0, OPENSSL_memcmp(buf, expected_answer, expected_answer_len));
OPENSSL_free(buf);
}

// Test failure modes
size_t actual_answer_len = 0;
EXPECT_FALSE(OPENSSL_hexstr2buf("a", &actual_answer_len));
EXPECT_FALSE(OPENSSL_hexstr2buf(NULL, &actual_answer_len));
EXPECT_FALSE(OPENSSL_hexstr2buf("ab", nullptr));
EXPECT_FALSE(OPENSSL_hexstr2buf("ag", &actual_answer_len));
}

#if defined(BORINGSSL_FIPS_COUNTERS)
using CounterArray = size_t[fips_counter_max + 1];

1 change: 1 addition & 0 deletions crypto/dilithium/p_dilithium3.c
Expand Up @@ -117,6 +117,7 @@ const EVP_PKEY_METHOD dilithium3_pkey_meth = {
NULL /* derive */,
NULL /* paramgen */,
NULL /* ctrl */,
NULL /* ctrl_str */,
NULL /* keygen deterministic */,
NULL /* encapsulate deterministic */,
NULL /* encapsulate */,
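Review bot: `dilithium3_pkey_meth` is initialized positionally, so the new `ctrl_str` member had to be inserted at exactly the right slot; had it been missed, the initializer would still compile and every later member (`keygen_deterministic`, `encapsulate`, ...) would silently shift by one. `p_dh.c` in this same commit uses designated initializers (`.ctrl_str = NULL`), which make that class of mistake impossible; converting this table to `.member = value` form would be a worthwhile follow-up. The same applies to `x25519_pkey_meth` in `crypto/evp_extra/p_x25519.c`.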
1 change: 1 addition & 0 deletions crypto/evp_extra/p_dh.c
Expand Up @@ -129,6 +129,7 @@ const EVP_PKEY_METHOD dh_pkey_meth = {
.keygen = pkey_dh_keygen,
.derive = pkey_dh_derive,
.ctrl = pkey_dh_ctrl,
.ctrl_str = NULL
};

int EVP_PKEY_CTX_set_dh_pad(EVP_PKEY_CTX *ctx, int pad) {
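Review bot: The added `.ctrl_str = NULL` has no trailing comma, so the next member appended to this designated initializer will produce a two-line diff and touch this line again; `.ctrl_str = NULL,` keeps future additions single-line. With designated initializers the omitted members are zero-initialized anyway, so the line is documentation of intent rather than a behavior change, which is fine.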
1 change: 1 addition & 0 deletions crypto/evp_extra/p_x25519.c
Expand Up @@ -106,6 +106,7 @@ const EVP_PKEY_METHOD x25519_pkey_meth = {
pkey_x25519_derive,
NULL /* paramgen */,
pkey_x25519_ctrl,
NULL, /* ctrl_str */
NULL /* keygen deterministic */,
NULL /* encapsulate deterministic */,
NULL /* encapsulate */,
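Review bot: The new entry puts the comma before the comment, `NULL, /* ctrl_str */`, while every neighbouring entry in this positional initializer puts it after (`NULL /* paramgen */,`); `NULL /* ctrl_str */,` keeps the column consistent. Purely cosmetic, but in a positional table the comment is the only thing telling a reader which slot is which, so uniform placement matters more than usual.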
25 changes: 25 additions & 0 deletions crypto/fipsmodule/curve25519/curve25519.c
Expand Up @@ -72,6 +72,10 @@ void ed25519_sha512(uint8_t out[SHA512_DIGEST_LENGTH],
void ED25519_keypair_from_seed(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN],
const uint8_t seed[ED25519_SEED_LEN]) {
// ED25519_keypair already ensures this with the same check, and is also the
// function that is approved for FIPS (sets the indicator). Ensuring it here
// for brevity.
boringssl_ensure_eddsa_self_test();

// Step: rfc8032 5.1.5.1
// Compute SHA512(seed).
Expand Down Expand Up @@ -101,6 +105,7 @@ void ED25519_keypair_from_seed(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],

void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN]) {
boringssl_ensure_eddsa_self_test();
SET_DIT_AUTO_DISABLE;

// Ed25519 key generation: rfc8032 5.1.5
Expand All @@ -119,6 +124,13 @@ void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
int ED25519_sign(uint8_t out_sig[ED25519_SIGNATURE_LEN],
const uint8_t *message, size_t message_len,
const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]) {
boringssl_ensure_eddsa_self_test();
return ED25519_sign_no_self_test(out_sig, message, message_len, private_key);
}

int ED25519_sign_no_self_test(uint8_t out_sig[ED25519_SIGNATURE_LEN],
const uint8_t *message, size_t message_len,
const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]) {
// NOTE: The documentation on this function says that it returns zero on
// allocation failure. While that can't happen with the current
// implementation, we want to reserve the ability to allocate in this
Expand Down Expand Up @@ -165,7 +177,13 @@ int ED25519_sign(uint8_t out_sig[ED25519_SIGNATURE_LEN],
int ED25519_verify(const uint8_t *message, size_t message_len,
const uint8_t signature[ED25519_SIGNATURE_LEN],
const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) {
boringssl_ensure_eddsa_self_test();
return ED25519_verify_no_self_test(message, message_len, signature, public_key);
}

int ED25519_verify_no_self_test(const uint8_t *message, size_t message_len,
const uint8_t signature[ED25519_SIGNATURE_LEN],
const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) {
// Ed25519 verify: rfc8032 5.1.7

// Step: rfc8032 5.1.7.1 (up to decoding the public key)
Expand Down Expand Up @@ -224,6 +242,13 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
return res;
}

int ED25519_check_public_key(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) {
#if defined(CURVE25519_S2N_BIGNUM_CAPABLE)
return ed25519_check_public_key_s2n_bignum(public_key);
#else
return ed25519_check_public_key_nohw(public_key);
#endif
}

void X25519_public_from_private(
uint8_t out_public_value[X25519_PUBLIC_VALUE_LEN],
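Review bot: `ED25519_check_public_key` in the last hunk is a new entry point with no comment saying what "check" means; from the two backends added in this commit it verifies that the encoding decodes to a curve point and nothing more, so a header comment such as `// ED25519_check_public_key returns one if |public_key| is a valid encoding of a curve point and zero otherwise.` should accompany it, with a sentence on whether non-canonical or low-order encodings are rejected once that is confirmed against the decoders. The nohw backend uses a `_vartime` decoder, so the check's timing depends on the key bytes; acceptable for a public value, but worth a word in that comment. Separately, the comment added to `ED25519_keypair_from_seed` in the first hunk ends with "Ensuring it here for brevity", which does not say why the duplicate check exists; "for completeness" or "so the function is safe to call directly" is presumably what was meant.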
8 changes: 8 additions & 0 deletions crypto/fipsmodule/curve25519/curve25519_nohw.c
Expand Up @@ -2043,3 +2043,11 @@ int ed25519_verify_nohw(uint8_t R_computed_encoded[32],

return 1;
}

int ed25519_check_public_key_nohw(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) {
ge_p3 A;
if (!x25519_ge_frombytes_vartime(&A, public_key)) {
return 0;
}
return 1;
}
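Review bot: `ed25519_check_public_key_nohw` wraps a single boolean call in an `if`/`return 0`/`return 1` ladder; `return x25519_ge_frombytes_vartime(&A, public_key) != 0;` says the same in one line and normalizes any non-zero success value the helper may return. The s2n-bignum variant added in `curve25519_s2n_bignum_asm.c` has the same shape and could likewise be `return edwards25519_decode_selector(A, public_key) == 0;`. A one-line comment that `A` is decoded only to validate the encoding and then discarded would make the intent clear in both.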
8 changes: 8 additions & 0 deletions crypto/fipsmodule/curve25519/curve25519_s2n_bignum_asm.c
Expand Up @@ -120,4 +120,12 @@ int ed25519_verify_s2n_bignum(uint8_t R_computed_encoded[32],
return 1;
}

int ed25519_check_public_key_s2n_bignum(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) {
uint64_t A[8] = {0};
if (edwards25519_decode_selector(A, public_key) != 0) {
return 0;
}
return 1;
}

#endif
13 changes: 13 additions & 0 deletions crypto/fipsmodule/curve25519/internal.h
Expand Up @@ -23,6 +23,14 @@ extern "C" {

#include "../../internal.h"

int ED25519_sign_no_self_test(uint8_t out_sig[ED25519_SIGNATURE_LEN],
const uint8_t *message, size_t message_len,
const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]);

int ED25519_verify_no_self_test(const uint8_t *message, size_t message_len,
const uint8_t signature[ED25519_SIGNATURE_LEN],
const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]);

// If (1) x86_64 or aarch64, (2) linux or apple, and (3) OPENSSL_NO_ASM is not
// set, s2n-bignum path is capable.
#if ((defined(OPENSSL_X86_64) && !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX)) || \
Expand Down Expand Up @@ -185,6 +193,11 @@ void ed25519_sha512(uint8_t out[SHA512_DIGEST_LENGTH],
const void *input1, size_t len1, const void *input2, size_t len2,
const void *input3, size_t len3);


int ed25519_check_public_key_s2n_bignum(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]);
int ed25519_check_public_key_nohw(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]);
OPENSSL_EXPORT int ED25519_check_public_key(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]);

#if defined(__cplusplus)
} // extern C
#endif
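Review bot: `ED25519_check_public_key` is declared with `OPENSSL_EXPORT` in this private header, which is an awkward home for a symbol that becomes part of the library's exported ABI: if it is meant for consumers it belongs in the public curve25519 header with a doc comment, and if it is internal (or only needed by tests) a comment saying so would stop it being treated as API. The two `_no_self_test` prototypes in the first hunk also carry no comment; something like `// ED25519_sign_no_self_test is |ED25519_sign| without the FIPS self-test check; callers must have run it already.` (and the verify counterpart) states the contract. There is also a stray double blank line before the `ed25519_check_public_key_*` declarations.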
28 changes: 23 additions & 5 deletions crypto/fipsmodule/evp/evp_ctx.c
Expand Up @@ -643,13 +643,31 @@ int EVP_PKEY_decapsulate(EVP_PKEY_CTX *ctx, uint8_t *shared_secret,
return ret;
}

// Deprecated keygen NO-OP functions
int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
const char *value) {
// No-op
return 0;
int EVP_PKEY_CTX_md(EVP_PKEY_CTX *ctx, int optype, int cmd, const char *md) {
const EVP_MD *m;

if (md == NULL || (m = EVP_get_digestbyname(md)) == NULL) {
OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_DIGEST_TYPE);
return 0;
}
return EVP_PKEY_CTX_ctrl(ctx, -1, optype, cmd, 0, (void *)m);
}

int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *name,
const char *value) {
if (!ctx || !ctx->pmeth || !ctx->pmeth->ctrl_str) {
OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED);
return -2;
}
if (strcmp(name, "digest") == 0) {
OPENSSL_BEGIN_ALLOW_DEPRECATED
return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_SIG, EVP_PKEY_CTRL_MD, value);
OPENSSL_END_ALLOW_DEPRECATED
}
return ctx->pmeth->ctrl_str(ctx, name, value);
}

// Deprecated keygen NO-OP functions
void EVP_PKEY_CTX_set_cb(EVP_PKEY_CTX *ctx, EVP_PKEY_gen_cb *cb) {
// No-op
}
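Review bot: In the new `EVP_PKEY_CTX_ctrl_str`, the generic `"digest"` branch sits behind the `!ctx->pmeth->ctrl_str` guard, and every method table touched by this commit (`p_ec`, `p_ed25519`, `p_hkdf`, `p_hmac`, `p_kem`, `p_rsa`, `p_dh`, `p_x25519`, `p_dilithium3`) sets `ctrl_str = NULL`, so `EVP_PKEY_CTX_ctrl_str(ctx, "digest", "sha256")` returns -2 for all in-tree methods and the branch is effectively unreachable. If the intent is for `"digest"` to work regardless of the method, the branch should precede the `ctrl_str` check as sketched below; if the intent is the opposite, the branch is dead code today and should say so. The function also passes `name` to `strcmp` without a NULL check, unlike the defensive checks on `ctx` and `pmeth` two lines earlier; folding `name == NULL` into the first guard closes that.
```c
int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *name,
                          const char *value) {
  if (ctx == NULL || ctx->pmeth == NULL || name == NULL) {
    OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED);
    return -2;
  }
  // Handled here so that "digest" works for methods without a |ctrl_str| hook.
  if (strcmp(name, "digest") == 0) {
    OPENSSL_BEGIN_ALLOW_DEPRECATED
    return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_SIG, EVP_PKEY_CTRL_MD, value);
    OPENSSL_END_ALLOW_DEPRECATED
  }
  if (ctx->pmeth->ctrl_str == NULL) {
    OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED);
    return -2;
  }
  return ctx->pmeth->ctrl_str(ctx, name, value);
}
```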
13 changes: 13 additions & 0 deletions crypto/fipsmodule/evp/internal.h
Expand Up @@ -188,6 +188,17 @@ struct evp_pkey_st {
OPENSSL_EXPORT int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype,
int cmd, int p1, void *p2);

// EVP_PKEY_CTX_md sets the message digest type for a specific operation.
// This function is deprecated and should not be used in new code.
//
// |ctx| is the context to operate on.
// |optype| is the operation type (e.g., EVP_PKEY_OP_TYPE_SIG, EVP_PKEY_OP_KEYGEN).
// |cmd| is the specific command (e.g., EVP_PKEY_CTRL_MD).
// |md| is the name of the message digest algorithm to use.
//
// It returns 1 for success and 0 or a negative value for failure.
OPENSSL_EXPORT int EVP_PKEY_CTX_md(EVP_PKEY_CTX *ctx, int optype, int cmd, const char *md);

// EVP_RSA_PKEY_CTX_ctrl is a wrapper of |EVP_PKEY_CTX_ctrl|.
// Before calling |EVP_PKEY_CTX_ctrl|, a check is added to make sure
// the |ctx->pmeth->pkey_id| is either |EVP_PKEY_RSA| or |EVP_PKEY_RSA_PSS|.
Expand Down Expand Up @@ -283,6 +294,8 @@ struct evp_pkey_method_st {

int (*ctrl)(EVP_PKEY_CTX *ctx, int type, int p1, void *p2);

int (*ctrl_str) (EVP_PKEY_CTX *ctx, const char *type, const char *value);

// Encapsulate, encapsulate_deterministic, keygen_deterministic, and
// decapsulate are operations defined for a Key Encapsulation Mechanism (KEM).
int (*keygen_deterministic)(EVP_PKEY_CTX *ctx,
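Review bot: The new `ctrl_str` member in `evp_pkey_method_st` (second hunk) has no comment describing its contract, while `EVP_PKEY_CTX_md` in the first hunk is fully documented; a reader implementing the hook cannot tell from the header what `type` and `value` are or what the return convention is, in particular that the caller `EVP_PKEY_CTX_ctrl_str` returns -2 for "unsupported". Something like `// ctrl_str handles a string-valued control |type|=|value|; it returns 1 on success, 0 on error and -2 if |type| is not recognized.` would cover it, hedged as needed against how the first implementer behaves. The declaration also has a space before the parameter list, `int (*ctrl_str) (EVP_PKEY_CTX *ctx, ...)`, unlike `int (*ctrl)(...)` directly above; `int (*ctrl_str)(EVP_PKEY_CTX *ctx, const char *type, const char *value);` matches.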
1 change: 1 addition & 0 deletions crypto/fipsmodule/evp/p_ec.c
Expand Up @@ -289,6 +289,7 @@ DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_ec_pkey_meth) {
out->derive = pkey_ec_derive;
out->paramgen = pkey_ec_paramgen;
out->ctrl = pkey_ec_ctrl;
out->ctrl_str = NULL;
}

int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid) {
1 change: 1 addition & 0 deletions crypto/fipsmodule/evp/p_ed25519.c
Expand Up @@ -99,6 +99,7 @@ DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_ed25519_pkey_meth) {
out->derive = NULL;
out->paramgen = NULL;
out->ctrl = NULL;
out->ctrl_str = NULL;
out->keygen_deterministic = NULL;
out->encapsulate_deterministic = NULL;
out->encapsulate = NULL;
1 change: 1 addition & 0 deletions crypto/fipsmodule/evp/p_hkdf.c
Expand Up @@ -197,6 +197,7 @@ DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_hkdf_pkey_meth) {
out->derive = pkey_hkdf_derive;
out->paramgen = NULL; /* paramgen */
out->ctrl = pkey_hkdf_ctrl;
out->ctrl_str = NULL;
}

int EVP_PKEY_CTX_hkdf_mode(EVP_PKEY_CTX *ctx, int mode) {
1 change: 1 addition & 0 deletions crypto/fipsmodule/evp/p_hmac.c
Expand Up @@ -124,6 +124,7 @@ DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_hmac_pkey_meth) {
out->derive = NULL;
out->paramgen = NULL;
out->ctrl = hmac_ctrl;
out->ctrl_str = NULL;
}

int used_for_hmac(EVP_MD_CTX *ctx) {
1 change: 1 addition & 0 deletions crypto/fipsmodule/evp/p_kem.c
Expand Up @@ -318,6 +318,7 @@ DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_kem_pkey_meth) {
out->derive = pkey_hkdf_derive;
out->paramgen = NULL;
out->ctrl = NULL;
out->ctrl_str = NULL;
out->keygen_deterministic = pkey_kem_keygen_deterministic;
out->encapsulate_deterministic = pkey_kem_encapsulate_deterministic;
out->encapsulate = pkey_kem_encapsulate;
2 changes: 2 additions & 0 deletions crypto/fipsmodule/evp/p_rsa.c
Expand Up @@ -703,6 +703,7 @@ DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_rsa_pkey_meth) {
out->derive = NULL;
out->paramgen = NULL;
out->ctrl = pkey_rsa_ctrl;
out->ctrl_str = NULL;
}

DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_rsa_pss_pkey_meth) {
Expand All @@ -723,6 +724,7 @@ DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_rsa_pss_pkey_meth) {
out->derive = NULL;
out->paramgen = NULL;
out->ctrl = pkey_rsa_ctrl;
out->ctrl_str = NULL;
}

int EVP_RSA_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2) {
2 changes: 1 addition & 1 deletion crypto/fipsmodule/ml_kem/README.md
Expand Up @@ -8,7 +8,7 @@ The code was refactored in [this PR](https://github.com/aws/aws-lc/pull/1763) by
that initialize a given structure with values corresponding to a parameter set. This structure is then passed to every function that requires it as a function argument. In addition, the following changes were made to the source code in `ml_kem_ref` directory:
- `randombytes.{h|c}` are deleted because we are using the randomness generation functions provided by AWS-LC.
- `kem.c`: call to randombytes function is replaced with a call to RAND_bytes and the appropriate header file is included (openssl/rand.h).
- `fips202.{h|c}` are deleted and the ones from `crypto/kyber/pqcrystals_kyber_ref_common` directory are used.
- `fips202.{h|c}` are deleted as all SHA3/SHAKE functionality is provided instead by AWS-LC fipsmodule/sha rather than the reference implementation.
- `symmetric-shake.c`: unnecessary include of fips202.h is removed.
- `api.h`: `pqcrystals` prefix substituted with `ml_kem` (to be able to build alongside `crypto/kyber`).
- `poly.c`: the `poly_frommsg` function was modified to address the constant-time issue described [here](https://github.com/pq-crystals/kyber/commit/9b8d30698a3e7449aeb34e62339d4176f11e3c6c).
10 changes: 5 additions & 5 deletions crypto/fipsmodule/ml_kem/ml_kem_ref/indcpa.c
Expand Up @@ -167,24 +167,24 @@ void gen_matrix(ml_kem_params *params, polyvec *a, const uint8_t seed[KYBER_SYMB
unsigned int ctr, i, j, k;
unsigned int buflen, off;
uint8_t buf[GEN_MATRIX_NBLOCKS*XOF_BLOCKBYTES+2];
xof_state state;
KECCAK1600_CTX ctx;

for(i=0;i<params->k;i++) {
for(j=0;j<params->k;j++) {
if(transposed)
xof_absorb(&state, seed, i, j);
xof_absorb(&ctx, seed, i, j);
else
xof_absorb(&state, seed, j, i);
xof_absorb(&ctx, seed, j, i);

xof_squeezeblocks(buf, GEN_MATRIX_NBLOCKS, &state);
xof_squeezeblocks(buf, GEN_MATRIX_NBLOCKS, &ctx);
buflen = GEN_MATRIX_NBLOCKS*XOF_BLOCKBYTES;
ctr = rej_uniform(a[i].vec[j].coeffs, KYBER_N, buf, buflen);

while(ctr < KYBER_N) {
off = buflen % 3;
for(k = 0; k < off; k++)
buf[k] = buf[buflen - off + k];
xof_squeezeblocks(buf + off, 1, &state);
xof_squeezeblocks(buf + off, 1, &ctx);
buflen = off + XOF_BLOCKBYTES;
ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, buflen);
}
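Review bot: Replacing `xof_state state` with `KECCAK1600_CTX ctx` binds `gen_matrix` directly to AWS-LC's Keccak context type, whereas the reference code kept the XOF behind the `xof_state`/`xof_absorb`/`xof_squeezeblocks` names so that `indcpa.c` did not care which backend was underneath. If the accompanying `symmetric-shake` changes (not on this page) could instead keep `typedef KECCAK1600_CTX xof_state;`, this hunk would shrink to nothing and the reference file would stay closer to upstream, which eases future merges. `gen_matrix` begins and ends outside the hunk.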
