Merge branch 'main' into main
nebeid authored Sep 11, 2024
2 parents 506dced + 3f4d2f6 commit 0dd53a1
Showing 19 changed files with 1,544 additions and 516 deletions.
12 changes: 10 additions & 2 deletions crypto/fipsmodule/curve25519/curve25519.c
Expand Up @@ -112,6 +112,8 @@ void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
// description why this is useful.
ED25519_keypair_from_seed(out_public_key, out_private_key, seed);
OPENSSL_cleanse(seed, ED25519_SEED_LEN);

FIPS_service_indicator_update_state();
}

int ED25519_sign(uint8_t out_sig[ED25519_SIGNATURE_LEN],
Expand Down Expand Up @@ -155,6 +157,8 @@ int ED25519_sign(uint8_t out_sig[ED25519_SIGNATURE_LEN],

// The signature is computed from the private key, but is public.
CONSTTIME_DECLASSIFY(out_sig, 64);

FIPS_service_indicator_update_state();
return 1;
}

Expand Down Expand Up @@ -212,8 +216,12 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
#endif

// Comparison [S]B - [k]A' =? R_expected. Short-circuits if decoding failed.
return (res == 1) &&
CRYPTO_memcmp(R_computed_encoded, R_expected, sizeof(R_computed_encoded)) == 0;
res = (res == 1) && CRYPTO_memcmp(R_computed_encoded, R_expected,
sizeof(R_computed_encoded)) == 0;
if(res) {
FIPS_service_indicator_update_state();
}
return res;
}


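Review bot: In ED25519_verify the new `if(res) {` gates the indicator update on a successful verification, while ED25519_keypair and ED25519_sign update it unconditionally at their end, and nothing in the code explains the difference. A short comment above the branch, for example `// Only a successful verification is reported as an approved service call.` (wording to be confirmed by the author), would document the asymmetry, and `if (res) {` would match the spacing used in the rest of this commit. All three function bodies start outside their hunks, so whether any early failure return in ED25519_sign correctly skips the update cannot be checked from here.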
4 changes: 3 additions & 1 deletion crypto/fipsmodule/evp/digestsign.c
Expand Up @@ -292,7 +292,9 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, uint8_t *out_sig, size_t *out_sig_len,
data_len);
end:
FIPS_service_indicator_unlock_state();
if (ret > 0) {
if (ret > 0 && out_sig != NULL) {
// Indicator should only be set if we performed crypto, don't set if we only
// performed a size check.
EVP_DigestSign_verify_service_indicator(ctx);
}
return ret;
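Review bot: The `out_sig != NULL` guard covers the size-query case only for EVP_DigestSign; any sibling entry point that accepts a NULL output buffer for a length query and then calls `EVP_DigestSign_verify_service_indicator(ctx)` on `ret > 0` would still report an approved operation without performing one. EVP_DigestSignFinal is the likely candidate, but it is not visible in this hunk, so this is something to confirm rather than a finding. A service-indicator test that calls EVP_DigestSign with `out_sig == NULL` and expects the state to stay unchanged would pin the new behaviour. The function body starts outside the hunk.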
54 changes: 40 additions & 14 deletions crypto/fipsmodule/evp/evp_ctx.c
Expand Up @@ -591,30 +591,56 @@ int EVP_PKEY_encapsulate_deterministic(EVP_PKEY_CTX *ctx,
seed, seed_len);
}

int EVP_PKEY_encapsulate(EVP_PKEY_CTX *ctx,
uint8_t *ciphertext, size_t *ciphertext_len,
uint8_t *shared_secret, size_t *shared_secret_len) {
int EVP_PKEY_encapsulate(EVP_PKEY_CTX *ctx, uint8_t *ciphertext,
size_t *ciphertext_len, uint8_t *shared_secret,
size_t *shared_secret_len) {
// We have to avoid potential underlying services updating the indicator
// state, so we lock the state here.
FIPS_service_indicator_lock_state();
SET_DIT_AUTO_DISABLE;
int ret = 0;
if (ctx == NULL || ctx->pmeth == NULL || ctx->pmeth->encapsulate == NULL) {
OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
return 0;
OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
goto end;
}

return ctx->pmeth->encapsulate(ctx, ciphertext, ciphertext_len,
shared_secret, shared_secret_len);
if (!ctx->pmeth->encapsulate(ctx, ciphertext, ciphertext_len, shared_secret,
shared_secret_len)) {
goto end;
}
ret = 1;
end:
FIPS_service_indicator_unlock_state();
if (ret && ciphertext != NULL && shared_secret != NULL) {
EVP_PKEY_encapsulate_verify_service_indicator(ctx);
}
return ret;
}

int EVP_PKEY_decapsulate(EVP_PKEY_CTX *ctx,
uint8_t *shared_secret, size_t *shared_secret_len,
const uint8_t *ciphertext, size_t ciphertext_len) {
int EVP_PKEY_decapsulate(EVP_PKEY_CTX *ctx, uint8_t *shared_secret,
size_t *shared_secret_len, const uint8_t *ciphertext,
size_t ciphertext_len) {
// We have to avoid potential underlying services updating the indicator
// state, so we lock the state here.
FIPS_service_indicator_lock_state();
SET_DIT_AUTO_DISABLE;
int ret = 0;
if (ctx == NULL || ctx->pmeth == NULL || ctx->pmeth->decapsulate == NULL) {
OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
return 0;
OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
goto end;
}

return ctx->pmeth->decapsulate(ctx, shared_secret, shared_secret_len,
ciphertext, ciphertext_len);
if (!ctx->pmeth->decapsulate(ctx, shared_secret, shared_secret_len,
ciphertext, ciphertext_len)) {
goto end;
}
ret = 1;
end:
FIPS_service_indicator_unlock_state();
if (ret && shared_secret != NULL) {
EVP_PKEY_decapsulate_verify_service_indicator(ctx);
}
return ret;
}

// Deprecated keygen NO-OP functions
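Review bot: The two post-unlock guards differ, `ret && ciphertext != NULL && shared_secret != NULL` in EVP_PKEY_encapsulate and `ret && shared_secret != NULL` in EVP_PKEY_decapsulate, and neither carries the explanation that the equivalent guard in digestsign.c received in this commit. I would add `// Only set the indicator when output was produced, not for a length query.` above each `if`. These conditions have to mirror how `pmeth->encapsulate` and `pmeth->decapsulate` decide that a call is a length query, which is not visible on this page; a one-line cross-reference to that check would make it clear the two stay in sync when a backend changes.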
3 changes: 2 additions & 1 deletion crypto/fipsmodule/evp/p_kem.c
Expand Up @@ -95,10 +95,11 @@ static int pkey_kem_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {
if (key == NULL ||
!KEM_KEY_init(key, kem) ||
!kem->method->keygen(key->public_key, key->secret_key) ||
!EVP_PKEY_assign(pkey, EVP_PKEY_KEM, key)) {
!EVP_PKEY_set_type(pkey, EVP_PKEY_KEM)) {
KEM_KEY_free(key);
return 0;
}
pkey->pkey.kem_key = key;

return 1;
}
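Review bot: `pkey->pkey.kem_key = key;` now transfers ownership of `key` by writing the union member directly instead of going through `EVP_PKEY_assign`, and the line carries no comment saying so. Add something like `// |pkey| takes ownership of |key|.` together with a brief reason for bypassing `EVP_PKEY_assign`. It is also worth confirming that `EVP_PKEY_set_type` releases any key `pkey` already held before the pointer is overwritten, since otherwise a reused `pkey` would leak the previous secret key material; that function is not shown on this page. pkey_kem_keygen starts outside the hunk.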
39 changes: 38 additions & 1 deletion crypto/fipsmodule/ml_kem/ml_kem.c
Expand Up @@ -16,6 +16,7 @@
#include "./ml_kem_ref/reduce.c"
#include "./ml_kem_ref/symmetric-shake.c"
#include "./ml_kem_ref/verify.c"
#include "../../internal.h"

// Note: These methods currently default to using the reference code for ML_KEM.
// In a future where AWS-LC has optimized options available, those can be
Expand All @@ -25,13 +26,21 @@
int ml_kem_512_keypair_deterministic(uint8_t *public_key /* OUT */,
uint8_t *secret_key /* OUT */,
const uint8_t *seed /* IN */) {
boringssl_ensure_ml_kem_self_test();
return ml_kem_512_keypair_deterministic_no_self_test(public_key, secret_key, seed);
}

int ml_kem_512_keypair_deterministic_no_self_test(uint8_t *public_key /* OUT */,
uint8_t *secret_key /* OUT */,
const uint8_t *seed /* IN */) {
ml_kem_params params;
ml_kem_512_params_init(&params);
return ml_kem_keypair_derand_ref(&params, public_key, secret_key, seed);
}

int ml_kem_512_keypair(uint8_t *public_key /* OUT */,
uint8_t *secret_key /* OUT */) {
boringssl_ensure_ml_kem_self_test();
ml_kem_params params;
ml_kem_512_params_init(&params);
return ml_kem_keypair_ref(&params, public_key, secret_key);
Expand All @@ -41,14 +50,24 @@ int ml_kem_512_encapsulate_deterministic(uint8_t *ciphertext /* OUT */,
uint8_t *shared_secret /* OUT */,
const uint8_t *public_key /* IN */,
const uint8_t *seed /* IN */) {
boringssl_ensure_ml_kem_self_test();
return ml_kem_512_encapsulate_deterministic_no_self_test(ciphertext, shared_secret, public_key, seed);
}

int ml_kem_512_encapsulate_deterministic_no_self_test(uint8_t *ciphertext /* OUT */,
uint8_t *shared_secret /* OUT */,
const uint8_t *public_key /* IN */,
const uint8_t *seed /* IN */) {
ml_kem_params params;
ml_kem_512_params_init(&params);
return ml_kem_enc_derand_ref(&params, ciphertext, shared_secret, public_key, seed);
return ml_kem_enc_derand_ref(&params, ciphertext, shared_secret, public_key,
seed);
}

int ml_kem_512_encapsulate(uint8_t *ciphertext /* OUT */,
uint8_t *shared_secret /* OUT */,
const uint8_t *public_key /* IN */) {
boringssl_ensure_ml_kem_self_test();
ml_kem_params params;
ml_kem_512_params_init(&params);
return ml_kem_enc_ref(&params, ciphertext, shared_secret, public_key);
Expand All @@ -57,21 +76,31 @@ int ml_kem_512_encapsulate(uint8_t *ciphertext /* OUT */,
int ml_kem_512_decapsulate(uint8_t *shared_secret /* OUT */,
const uint8_t *ciphertext /* IN */,
const uint8_t *secret_key /* IN */) {
boringssl_ensure_ml_kem_self_test();
return ml_kem_512_decapsulate_no_self_test(shared_secret, ciphertext, secret_key);
}

int ml_kem_512_decapsulate_no_self_test(uint8_t *shared_secret /* OUT */,
const uint8_t *ciphertext /* IN */,
const uint8_t *secret_key /* IN */) {
ml_kem_params params;
ml_kem_512_params_init(&params);
return ml_kem_dec_ref(&params, shared_secret, ciphertext, secret_key);
}


int ml_kem_768_keypair_deterministic(uint8_t *public_key /* OUT */,
uint8_t *secret_key /* OUT */,
const uint8_t *seed /* IN */) {
boringssl_ensure_ml_kem_self_test();
ml_kem_params params;
ml_kem_768_params_init(&params);
return ml_kem_keypair_derand_ref(&params, public_key, secret_key, seed);
}

int ml_kem_768_keypair(uint8_t *public_key /* OUT */,
uint8_t *secret_key /* OUT */) {
boringssl_ensure_ml_kem_self_test();
ml_kem_params params;
ml_kem_768_params_init(&params);
return ml_kem_keypair_ref(&params, public_key, secret_key);
Expand All @@ -81,6 +110,7 @@ int ml_kem_768_encapsulate_deterministic(uint8_t *ciphertext /* OUT */,
uint8_t *shared_secret /* OUT */,
const uint8_t *public_key /* IN */,
const uint8_t *seed /* IN */) {
boringssl_ensure_ml_kem_self_test();
ml_kem_params params;
ml_kem_768_params_init(&params);
return ml_kem_enc_derand_ref(&params, ciphertext, shared_secret, public_key, seed);
Expand All @@ -89,6 +119,7 @@ int ml_kem_768_encapsulate_deterministic(uint8_t *ciphertext /* OUT */,
int ml_kem_768_encapsulate(uint8_t *ciphertext /* OUT */,
uint8_t *shared_secret /* OUT */,
const uint8_t *public_key /* IN */) {
boringssl_ensure_ml_kem_self_test();
ml_kem_params params;
ml_kem_768_params_init(&params);
return ml_kem_enc_ref(&params, ciphertext, shared_secret, public_key);
Expand All @@ -97,6 +128,7 @@ int ml_kem_768_encapsulate(uint8_t *ciphertext /* OUT */,
int ml_kem_768_decapsulate(uint8_t *shared_secret /* OUT */,
const uint8_t *ciphertext /* IN */,
const uint8_t *secret_key /* IN */) {
boringssl_ensure_ml_kem_self_test();
ml_kem_params params;
ml_kem_768_params_init(&params);
return ml_kem_dec_ref(&params, shared_secret, ciphertext, secret_key);
Expand All @@ -105,13 +137,15 @@ int ml_kem_768_decapsulate(uint8_t *shared_secret /* OUT */,
int ml_kem_1024_keypair_deterministic(uint8_t *public_key /* OUT */,
uint8_t *secret_key /* OUT */,
const uint8_t *seed /* IN */) {
boringssl_ensure_ml_kem_self_test();
ml_kem_params params;
ml_kem_1024_params_init(&params);
return ml_kem_keypair_derand_ref(&params, public_key, secret_key, seed);
}

int ml_kem_1024_keypair(uint8_t *public_key /* OUT */,
uint8_t *secret_key /* OUT */) {
boringssl_ensure_ml_kem_self_test();
ml_kem_params params;
ml_kem_1024_params_init(&params);
return ml_kem_keypair_ref(&params, public_key, secret_key);
Expand All @@ -121,6 +155,7 @@ int ml_kem_1024_encapsulate_deterministic(uint8_t *ciphertext /* OUT */,
uint8_t *shared_secret /* OUT */,
const uint8_t *public_key /* IN */,
const uint8_t *seed /* IN */) {
boringssl_ensure_ml_kem_self_test();
ml_kem_params params;
ml_kem_1024_params_init(&params);
return ml_kem_enc_derand_ref(&params, ciphertext, shared_secret, public_key, seed);
Expand All @@ -129,6 +164,7 @@ int ml_kem_1024_encapsulate_deterministic(uint8_t *ciphertext /* OUT */,
int ml_kem_1024_encapsulate(uint8_t *ciphertext /* OUT */,
uint8_t *shared_secret /* OUT */,
const uint8_t *public_key /* IN */) {
boringssl_ensure_ml_kem_self_test();
ml_kem_params params;
ml_kem_1024_params_init(&params);
return ml_kem_enc_ref(&params, ciphertext, shared_secret, public_key);
Expand All @@ -137,6 +173,7 @@ int ml_kem_1024_encapsulate(uint8_t *ciphertext /* OUT */,
int ml_kem_1024_decapsulate(uint8_t *shared_secret /* OUT */,
const uint8_t *ciphertext /* IN */,
const uint8_t *secret_key /* IN */) {
boringssl_ensure_ml_kem_self_test();
ml_kem_params params;
ml_kem_1024_params_init(&params);
return ml_kem_dec_ref(&params, shared_secret, ciphertext, secret_key);
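Review bot: The three `_no_self_test` functions added for ML-KEM-512 (`ml_kem_512_keypair_deterministic_no_self_test`, `ml_kem_512_encapsulate_deterministic_no_self_test`, `ml_kem_512_decapsulate_no_self_test`) are non-static and, per the ml_kem.h section of this commit, declared in the header, yet nothing states who is allowed to call them. Because they skip `boringssl_ensure_ml_kem_self_test()`, a comment on each declaration such as `// Must only be called from the ML-KEM self test; all other callers use the variant without the suffix.` would keep later code from bypassing the self-test gate by accident. Presumably they exist so the self test can run without re-entering itself, and only the 512 parameter set has them because that is what the self test exercises; both assumptions should be confirmed and then stated in that comment.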
13 changes: 13 additions & 0 deletions crypto/fipsmodule/ml_kem/ml_kem.h
Expand Up @@ -32,6 +32,10 @@ int ml_kem_512_keypair_deterministic(uint8_t *public_key /* OUT */,
uint8_t *secret_key /* OUT */,
const uint8_t *seed /* IN */);

int ml_kem_512_keypair_deterministic_no_self_test(uint8_t *public_key /* OUT */,
uint8_t *secret_key /* OUT */,
const uint8_t *seed /* IN */);

int ml_kem_512_keypair(uint8_t *public_key /* OUT */,
uint8_t *secret_key /* OUT */);

Expand All @@ -40,6 +44,11 @@ int ml_kem_512_encapsulate_deterministic(uint8_t *ciphertext /* OUT */,
const uint8_t *public_key /* IN */,
const uint8_t *seed /* IN */);

int ml_kem_512_encapsulate_deterministic_no_self_test(uint8_t *ciphertext /* OUT */,
uint8_t *shared_secret /* OUT */,
const uint8_t *public_key /* IN */,
const uint8_t *seed /* IN */);

int ml_kem_512_encapsulate(uint8_t *ciphertext /* OUT */,
uint8_t *shared_secret /* OUT */,
const uint8_t *public_key /* IN */);
Expand All @@ -48,6 +57,10 @@ int ml_kem_512_decapsulate(uint8_t *shared_secret /* OUT */,
const uint8_t *ciphertext /* IN */,
const uint8_t *secret_key /* IN */);

int ml_kem_512_decapsulate_no_self_test(uint8_t *shared_secret /* OUT */,
const uint8_t *ciphertext /* IN */,
const uint8_t *secret_key /* IN */);

int ml_kem_768_keypair_deterministic(uint8_t *public_key /* OUT */,
uint8_t *secret_key /* OUT */,
const uint8_t *seed /* IN */);
11 changes: 6 additions & 5 deletions crypto/fipsmodule/rsa/rsa_impl.c
Expand Up @@ -1270,11 +1270,12 @@ int RSA_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e_value,
}

int RSA_generate_key_fips(RSA *rsa, int bits, BN_GENCB *cb) {
// FIPS 186-4 allows 2048-bit and 3072-bit RSA keys (1024-bit and 1536-bit
// primes, respectively) with the prime generation method we use.
// Subsequently, IG A.14 stated that larger modulus sizes can be used and ACVP
// testing supports 4096 bits.
if (bits != 2048 && bits != 3072 && bits != 4096) {
// FIPS 186-5 Section 5.1:
// This standard specifies the use of a modulus whose bit length is an even
// integer and greater than or equal to 2048 bits. Furthermore, this standard
// specifies that p and q be of the same bit length – namely, half the bit
// length of n
if (bits < 2048 || bits % 128 != 0) {
OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);
return 0;
}
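Review bot: The new check `bits % 128 != 0` is stricter than the FIPS 186-5 text quoted directly above it, which only asks for an even modulus length of at least 2048 bits, and the comment does not say why. One more comment line giving the reason for the 128-bit granularity would stop a later reader from "fixing" it to `% 2`. The hunk also drops the implicit 4096-bit ceiling of the old allow-list; no upper bound on `bits` is visible here, so it is worth confirming that the code after this check rejects oversized requests before prime generation starts. The quoted comment contains a non-ASCII dash (`–`), which is better written as `-` in a C source file. RSA_generate_key_fips continues outside the hunk.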