Merge branch 'main' into sha3_batched

aws · Mar 7, 2025 · 64675e4 · 64675e4
2 parents e1ebb0e + 51c6c84
commit 64675e4
Show file tree

Hide file tree

Showing 22 changed files with 692 additions and 233 deletions.
diff --git a/.github/workflows/integrations.yml b/.github/workflows/integrations.yml
@@ -34,4 +34,18 @@ jobs:
       - uses: actions/checkout@v4
       - name: Run libevent build
         run: |
-          ./tests/ci/integration/run_libevent_integration.sh
+          ./tests/ci/integration/run_libevent_integration.sh
+  librdkafka:
+    if: github.repository_owner == 'aws'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install OS Dependencies
+        run: |
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
+          sudo apt-get -y --no-install-recommends install \
+          cmake gcc ninja-build golang
+      - uses: actions/checkout@v4
+      - name: Run librdkafka build
+        run: |
+          ./tests/ci/integration/run_librdkafka_integration.sh
+          
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -751,9 +751,6 @@ if(FIPS)
   endif ()
 
   add_definitions(-DBORINGSSL_FIPS)
-  if(FIPS_BREAK_TEST)
-    add_definitions("-DBORINGSSL_FIPS_BREAK_${FIPS_BREAK_TEST}=1")
-  endif()
   # The FIPS integrity check does not work for ASan and MSan builds.
   if(NOT ASAN AND NOT MSAN)
     if(BUILD_SHARED_LIBS)

diff --git a/crypto/bio/bio_mem.c b/crypto/bio/bio_mem.c
@@ -296,6 +296,10 @@ int BIO_mem_contents(const BIO *bio, const uint8_t **out_contents,
   return 1;
 }
 
+long BIO_get_mem_data(BIO *bio, char **contents) {
+  return BIO_ctrl(bio, BIO_CTRL_INFO, 0, contents);
+}
+
 int BIO_get_mem_ptr(BIO *bio, BUF_MEM **out) {
   return (int)BIO_ctrl(bio, BIO_C_GET_BUF_MEM_PTR, 0, out);
 }

diff --git a/crypto/fips_callback_test.cc b/crypto/fips_callback_test.cc
diff --git a/crypto/fipsmodule/FIPS.md b/crypto/fipsmodule/FIPS.md
@@ -39,7 +39,7 @@ The AWS-LC-FIPS v2.0 module uses passive entropy by default and the specific ent
 
 ## Breaking known-answer and continuous tests
 
-Each known-answer test (KAT) uses a unique, random input value. `util/fipstools/break-kat.go` contains a listing of those values and can be used to corrupt a given test in a binary. Since changes to the KAT input values will invalidate the integrity test, `BORINGSSL_FIPS_BREAK_TESTS` can be defined in `fips_break_tests.h` to disable it for the purposes of testing.
+Each known-answer test (KAT) uses a unique, random input value. `util/fipstools/break-kat.go` contains a listing of those values and can be used to corrupt a given test in a binary. Since changes to the KAT input values will invalidate the integrity test, `BORINGSSL_FIPS_BREAK_TESTS` can be defined using CMake CMAKE_C_FLAGS to disable it for the purposes of testing.
 
 Some FIPS tests cannot be broken by replacing a known string in the binary. For those, when `BORINGSSL_FIPS_BREAK_TESTS` is defined, the environment variable `BORINGSSL_FIPS_BREAK_TEST` can be set to one of a number of values in order to break the corresponding test:
 

diff --git a/crypto/fipsmodule/bn/bn.c b/crypto/fipsmodule/bn/bn.c
@@ -231,6 +231,10 @@ unsigned BN_num_bytes(const BIGNUM *bn) {
   return (BN_num_bits(bn) + 7) / 8;
 }
 
+int BN_get_minimal_width(const BIGNUM *bn) {
+  return bn_minimal_width(bn);
+}
+
 void BN_zero(BIGNUM *bn) {
   bn->width = bn->neg = 0;
 }

diff --git a/crypto/fipsmodule/curve25519/curve25519.c b/crypto/fipsmodule/curve25519/curve25519.c
@@ -32,6 +32,12 @@
 #include "../cpucap/internal.h"
 #include "internal.h"
 
+#if defined(NDEBUG)
+#define CHECK(x) (void) (x)
+#else
+#define CHECK(x) assert(x)
+#endif
+
 const uint8_t RFC8032_DOM2_PREFIX[DOM2_PREFIX_SIZE] = {
     'S', 'i', 'g', 'E', 'd', '2', '5', '5', '1', '9', ' ',
     'n', 'o', ' ', 'E', 'd', '2', '5', '5', '1', '9', ' ',
@@ -112,7 +118,7 @@ void ED25519_keypair_from_seed(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
     ED25519_PUBLIC_KEY_LEN);
 }
 
-static void ed25519_keypair_pct(uint8_t public_key[ED25519_PUBLIC_KEY_LEN],
+static int ed25519_keypair_pct(uint8_t public_key[ED25519_PUBLIC_KEY_LEN],
   uint8_t private_key[ED25519_PRIVATE_KEY_LEN]) {
 #if defined(AWSLC_FIPS)
   uint8_t msg[16] = {16};
@@ -121,17 +127,20 @@ static void ed25519_keypair_pct(uint8_t public_key[ED25519_PUBLIC_KEY_LEN],
     // This should never happen and static analysis will say that ED25519_sign_no_self_test
     // always returns 1
     AWS_LC_FIPS_failure("Ed25519 keygen PCT failed");
+    return 0;
   }
   if (boringssl_fips_break_test("EDDSA_PWCT")) {
     msg[0] = ~msg[0];
   }
   if (ED25519_verify_no_self_test(msg, 16, out_sig, public_key) != 1) {
     AWS_LC_FIPS_failure("Ed25519 keygen PCT failed");
+    return 0;
   }
 #endif
+  return 1;
 }
 
-void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
+int ED25519_keypair_internal(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
   uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN]) {
   // We have to avoid the self tests and digest function in ed25519_keypair_pct
   // from updating the service indicator.
@@ -149,10 +158,21 @@ void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
   ED25519_keypair_from_seed(out_public_key, out_private_key, seed);
   OPENSSL_cleanse(seed, ED25519_SEED_LEN);
 
-  ed25519_keypair_pct(out_public_key, out_private_key);
+  int result = ed25519_keypair_pct(out_public_key, out_private_key);
 
   FIPS_service_indicator_unlock_state();
-  FIPS_service_indicator_update_state();
+  if (result) {
+    FIPS_service_indicator_update_state();
+  }
+  return result;
+}
+
+void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
+  uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN]) {
+  // The existing public function is void, ED25519_keypair_internal can only
+  // fail if the PWCT fails and we're in a callback build where AWS_LC_FIPS_failure
+  // doesn't abort on FIPS failure.
+  CHECK(ED25519_keypair_internal(out_public_key, out_private_key));
 }
 
 int ED25519_sign(uint8_t out_sig[ED25519_SIGNATURE_LEN],

diff --git a/crypto/fipsmodule/curve25519/internal.h b/crypto/fipsmodule/curve25519/internal.h
@@ -40,6 +40,10 @@ typedef enum {
 #define MAX_DOM2_SIZE \
   (DOM2_PREFIX_SIZE + DOM2_F_SIZE + DOM2_C_SIZE + MAX_DOM2_CONTEXT_SIZE)
 
+int ED25519_keypair_internal(
+    uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
+    uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN]);
+
 int ed25519_sign_internal(
     ed25519_algorithm_t alg,
     uint8_t out_sig[ED25519_SIGNATURE_LEN],

diff --git a/crypto/fipsmodule/evp/p_ed25519.c b/crypto/fipsmodule/evp/p_ed25519.c
@@ -19,6 +19,7 @@
 #include <openssl/mem.h>
 
 #include "internal.h"
+#include "../curve25519/internal.h"
 
 
 // Ed25519 has no parameters to copy.
@@ -33,12 +34,14 @@ static int pkey_ed25519_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {
   evp_pkey_set_method(pkey, &ed25519_asn1_meth);
 
   uint8_t pubkey_unused[32];
-  ED25519_keypair(pubkey_unused, key->key);
-  key->has_private = 1;
+  int result = ED25519_keypair_internal(pubkey_unused, key->key);
+  if (result) {
+    key->has_private = 1;
+    OPENSSL_free(pkey->pkey.ptr);
+    pkey->pkey.ptr = key;
+  }
 
-  OPENSSL_free(pkey->pkey.ptr);
-  pkey->pkey.ptr = key;
-  return 1;
+  return result;
 }
 
 static int pkey_ed25519_sign_message(EVP_PKEY_CTX *ctx, uint8_t *sig,