Merge branch 'main' of github.com:aws/aws-lc

.github/workflows/integrations.yml

@@ -175,7 +175,7 @@ jobs:
       - name: Run strongswan build
         run: |
           ./tests/ci/integration/run_strongswan_integration.sh
-  openvpn:
+  openvpn2-6:
     if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest
     steps:
@@ -187,9 +187,24 @@ jobs:
           libcap-ng-dev liblz4-dev liblzo2-dev libpam-dev libcmocka-dev \
           python3-docutils
       - uses: actions/checkout@v4
-      - name: Run openvpn build
+      - name: Run openvpn build 2.6.x
         run: |
-          ./tests/ci/integration/run_openvpn_integration.sh
+          ./tests/ci/integration/run_openvpn_integration.sh release/2.6
+  openvpnMaster:
+    if: github.repository_owner == 'aws'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install OS Dependencies
+        run: |
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
+          sudo apt-get -y --no-install-recommends install \
+          cmake gcc ninja-build golang libnl-3-dev libnl-genl-3-dev \
+          libcap-ng-dev liblz4-dev liblzo2-dev libpam-dev libcmocka-dev \
+          python3-docutils
+      - uses: actions/checkout@v4
+      - name: Run openvpn build main
+        run: |
+          ./tests/ci/integration/run_openvpn_integration.sh master
   libevent:
     if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest

CMakeLists.txt

@@ -824,6 +824,16 @@ else()
   set(ARCH "generic")
 endif()
 
+# If target ARCH is 32-bit x86, ensure SSE2 is enabled since it's used by the optimized assembly.
+# To build for targets that do not support SSE2, use the `OPENSSL_NO_ASM` flag.
+if(ARCH STREQUAL "x86" AND NOT OPENSSL_NO_SSE2_FOR_TESTING)
+  # Most compilers enable SSE2 in 32-bit x86 by default, but in some cases GCC and Clang don't.
+  # See: https://github.com/aws/aws-lc/commit/6fe8dcbe96e580ea85233fdb98a142e42951b70b
+  if(GCC OR CLANG)
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -msse2")
+  endif()
+endif()
+
 if(ENABLE_DATA_INDEPENDENT_TIMING_AARCH64)
   add_definitions(-DMAKE_DIT_AVAILABLE)
 endif()

crypto/crypto_test.cc

@@ -73,6 +73,33 @@ TEST(CryptoTest, Strndup) {
   EXPECT_STREQ("", str.get());
 }
 
+TEST(CryptoTest, OPENSSL_hexstr2buf) {
+  const char *test_cases[][2] = {{"a2", "\xa2"},
+                                 {"a213", "\xa2\x13"},
+                                 {"ffeedd", "\xff\xee\xdd"},
+                                 {"10aab1c2", "\x10\xaa\xb1\xc2"}};
+
+  for (auto test_case : test_cases) {
+    const char *test_value = test_case[0];
+    const char *expected_answer = test_case[1];
+    size_t actual_answer_len = 0;
+    // The longest test case we have is currently 4 bytes long
+    size_t expected_answer_len = OPENSSL_strnlen(test_case[1], 5);
+    unsigned char *buf = OPENSSL_hexstr2buf(test_value, &actual_answer_len);
+    ASSERT_TRUE(buf != nullptr);
+    EXPECT_EQ(expected_answer_len, actual_answer_len);
+    EXPECT_EQ(0, OPENSSL_memcmp(buf, expected_answer, expected_answer_len));
+    OPENSSL_free(buf);
+  }
+
+  // Test failure modes
+  size_t actual_answer_len = 0;
+  EXPECT_FALSE(OPENSSL_hexstr2buf("a", &actual_answer_len));
+  EXPECT_FALSE(OPENSSL_hexstr2buf(NULL, &actual_answer_len));
+  EXPECT_FALSE(OPENSSL_hexstr2buf("ab", nullptr));
+  EXPECT_FALSE(OPENSSL_hexstr2buf("ag", &actual_answer_len));
+}
+
 #if defined(BORINGSSL_FIPS_COUNTERS)
 using CounterArray = size_t[fips_counter_max + 1];
 

crypto/dilithium/p_dilithium3.c

@@ -117,6 +117,7 @@ const EVP_PKEY_METHOD dilithium3_pkey_meth = {
     NULL /* derive */,
     NULL /* paramgen */,
     NULL /* ctrl */,
+    NULL /* ctrl_str */,
     NULL /* keygen deterministic */,
     NULL /* encapsulate deterministic */,
     NULL /* encapsulate */,

crypto/evp_extra/p_dh.c

@@ -129,6 +129,7 @@ const EVP_PKEY_METHOD dh_pkey_meth = {
     .keygen = pkey_dh_keygen,
     .derive = pkey_dh_derive,
     .ctrl = pkey_dh_ctrl,
+    .ctrl_str = NULL
 };
 
 int EVP_PKEY_CTX_set_dh_pad(EVP_PKEY_CTX *ctx, int pad) {

crypto/evp_extra/p_x25519.c

@@ -106,6 +106,7 @@ const EVP_PKEY_METHOD x25519_pkey_meth = {
     pkey_x25519_derive,
     NULL /* paramgen */,
     pkey_x25519_ctrl,
+    NULL, /* ctrl_str */
     NULL /* keygen deterministic */,
     NULL /* encapsulate deterministic */,
     NULL /* encapsulate */,

crypto/fipsmodule/curve25519/curve25519.c

@@ -72,6 +72,10 @@ void ed25519_sha512(uint8_t out[SHA512_DIGEST_LENGTH],
 void ED25519_keypair_from_seed(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
   uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN],
   const uint8_t seed[ED25519_SEED_LEN]) {
+  // ED25519_keypair already ensures this with the same check, and is also the
+  // function that is approved for FIPS (sets the indicator). Ensuring it here
+  // for brevity.
+  boringssl_ensure_eddsa_self_test();
 
   // Step: rfc8032 5.1.5.1
   // Compute SHA512(seed).
@@ -101,6 +105,7 @@ void ED25519_keypair_from_seed(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
 
 void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
   uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN]) {
+  boringssl_ensure_eddsa_self_test();
   SET_DIT_AUTO_DISABLE;
 
   // Ed25519 key generation: rfc8032 5.1.5
@@ -119,6 +124,13 @@ void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
 int ED25519_sign(uint8_t out_sig[ED25519_SIGNATURE_LEN],
                  const uint8_t *message, size_t message_len,
                  const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]) {
+  boringssl_ensure_eddsa_self_test();
+  return ED25519_sign_no_self_test(out_sig, message, message_len, private_key);
+}
+
+int ED25519_sign_no_self_test(uint8_t out_sig[ED25519_SIGNATURE_LEN],
+                              const uint8_t *message, size_t message_len,
+                              const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]) {
   // NOTE: The documentation on this function says that it returns zero on
   // allocation failure. While that can't happen with the current
   // implementation, we want to reserve the ability to allocate in this
@@ -165,7 +177,13 @@ int ED25519_sign(uint8_t out_sig[ED25519_SIGNATURE_LEN],
 int ED25519_verify(const uint8_t *message, size_t message_len,
                    const uint8_t signature[ED25519_SIGNATURE_LEN],
                    const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) {
+  boringssl_ensure_eddsa_self_test();
+  return ED25519_verify_no_self_test(message, message_len, signature, public_key);
+}
 
+int ED25519_verify_no_self_test(const uint8_t *message, size_t message_len,
+                                const uint8_t signature[ED25519_SIGNATURE_LEN],
+                                const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) {
   // Ed25519 verify: rfc8032 5.1.7
 
   // Step: rfc8032 5.1.7.1 (up to decoding the public key)
@@ -224,6 +242,13 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
   return res;
 }
 
+int ED25519_check_public_key(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) {
+#if defined(CURVE25519_S2N_BIGNUM_CAPABLE)
+  return ed25519_check_public_key_s2n_bignum(public_key);
+#else
+  return ed25519_check_public_key_nohw(public_key);
+#endif
+}
 
 void X25519_public_from_private(
   uint8_t out_public_value[X25519_PUBLIC_VALUE_LEN],

crypto/fipsmodule/curve25519/curve25519_nohw.c

@@ -2043,3 +2043,11 @@ int ed25519_verify_nohw(uint8_t R_computed_encoded[32],
 
   return 1;
 }
+
+int ed25519_check_public_key_nohw(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) {
+  ge_p3 A;
+  if (!x25519_ge_frombytes_vartime(&A, public_key)) {
+    return 0;
+  }
+  return 1;
+}

crypto/fipsmodule/curve25519/curve25519_s2n_bignum_asm.c

@@ -120,4 +120,12 @@ int ed25519_verify_s2n_bignum(uint8_t R_computed_encoded[32],
   return 1;
 }
 
+int ed25519_check_public_key_s2n_bignum(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) {
+  uint64_t A[8] = {0};
+  if (edwards25519_decode_selector(A, public_key) != 0) {
+    return 0;
+  }
+  return 1;
+}
+
 #endif

crypto/fipsmodule/curve25519/internal.h

@@ -23,6 +23,14 @@ extern "C" {
 
 #include "../../internal.h"
 
+int ED25519_sign_no_self_test(uint8_t out_sig[ED25519_SIGNATURE_LEN],
+                              const uint8_t *message, size_t message_len,
+                              const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]);
+
+int ED25519_verify_no_self_test(const uint8_t *message, size_t message_len,
+                                const uint8_t signature[ED25519_SIGNATURE_LEN],
+                                const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]);
+
 // If (1) x86_64 or aarch64, (2) linux or apple, and (3) OPENSSL_NO_ASM is not
 // set, s2n-bignum path is capable.
 #if ((defined(OPENSSL_X86_64) && !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX)) || \
@@ -185,6 +193,11 @@ void ed25519_sha512(uint8_t out[SHA512_DIGEST_LENGTH],
   const void *input1, size_t len1, const void *input2, size_t len2,
   const void *input3, size_t len3);
 
+
+int ed25519_check_public_key_s2n_bignum(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]);
+int ed25519_check_public_key_nohw(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]);
+OPENSSL_EXPORT int ED25519_check_public_key(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]);
+
 #if defined(__cplusplus)
 }  // extern C
 #endif

crypto/fipsmodule/evp/evp_ctx.c

@@ -643,13 +643,31 @@ int EVP_PKEY_decapsulate(EVP_PKEY_CTX *ctx, uint8_t *shared_secret,
   return ret;
 }
 
-// Deprecated keygen NO-OP functions
-int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
-                            const char *value) {
-  // No-op
-  return 0;
+int EVP_PKEY_CTX_md(EVP_PKEY_CTX *ctx, int optype, int cmd, const char *md) {
+  const EVP_MD *m;
+
+  if (md == NULL || (m = EVP_get_digestbyname(md)) == NULL) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_DIGEST_TYPE);
+    return 0;
+  }
+  return EVP_PKEY_CTX_ctrl(ctx, -1, optype, cmd, 0, (void *)m);
 }
 
+int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *name,
+                          const char *value) {
+  if (!ctx || !ctx->pmeth || !ctx->pmeth->ctrl_str) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED);
+    return -2;
+  }
+  if (strcmp(name, "digest") == 0) {
+    OPENSSL_BEGIN_ALLOW_DEPRECATED
+    return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_SIG, EVP_PKEY_CTRL_MD, value);
+    OPENSSL_END_ALLOW_DEPRECATED
+  }
+  return ctx->pmeth->ctrl_str(ctx, name, value);
+}
+
+// Deprecated keygen NO-OP functions
 void EVP_PKEY_CTX_set_cb(EVP_PKEY_CTX *ctx, EVP_PKEY_gen_cb *cb) {
   // No-op
 }

crypto/fipsmodule/evp/internal.h

@@ -188,6 +188,17 @@ struct evp_pkey_st {
 OPENSSL_EXPORT int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype,
                                      int cmd, int p1, void *p2);
 
+// EVP_PKEY_CTX_md sets the message digest type for a specific operation.
+// This function is deprecated and should not be used in new code.
+//
+// |ctx| is the context to operate on.
+// |optype| is the operation type (e.g., EVP_PKEY_OP_TYPE_SIG, EVP_PKEY_OP_KEYGEN).
+// |cmd| is the specific command (e.g., EVP_PKEY_CTRL_MD).
+// |md| is the name of the message digest algorithm to use.
+//
+// It returns 1 for success and 0 or a negative value for failure.
+OPENSSL_EXPORT int EVP_PKEY_CTX_md(EVP_PKEY_CTX *ctx, int optype, int cmd, const char *md);
+
 // EVP_RSA_PKEY_CTX_ctrl is a wrapper of |EVP_PKEY_CTX_ctrl|.
 // Before calling |EVP_PKEY_CTX_ctrl|, a check is added to make sure
 // the |ctx->pmeth->pkey_id| is either |EVP_PKEY_RSA| or |EVP_PKEY_RSA_PSS|.
@@ -283,6 +294,8 @@ struct evp_pkey_method_st {
 
   int (*ctrl)(EVP_PKEY_CTX *ctx, int type, int p1, void *p2);
 
+  int (*ctrl_str) (EVP_PKEY_CTX *ctx, const char *type, const char *value);
+
   // Encapsulate, encapsulate_deterministic, keygen_deterministic, and
   // decapsulate are operations defined for a Key Encapsulation Mechanism (KEM).
   int (*keygen_deterministic)(EVP_PKEY_CTX *ctx,

crypto/fipsmodule/evp/p_ec.c

@@ -289,6 +289,7 @@ DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_ec_pkey_meth) {
     out->derive = pkey_ec_derive;
     out->paramgen = pkey_ec_paramgen;
     out->ctrl = pkey_ec_ctrl;
+    out->ctrl_str = NULL;
 }
 
 int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid) {

crypto/fipsmodule/evp/p_ed25519.c

@@ -99,6 +99,7 @@ DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_ed25519_pkey_meth) {
   out->derive = NULL;
   out->paramgen = NULL;
   out->ctrl = NULL;
+  out->ctrl_str = NULL;
   out->keygen_deterministic = NULL;
   out->encapsulate_deterministic = NULL;
   out->encapsulate = NULL;

crypto/fipsmodule/evp/p_hkdf.c

@@ -197,6 +197,7 @@ DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_hkdf_pkey_meth) {
     out->derive = pkey_hkdf_derive;
     out->paramgen = NULL; /* paramgen */
     out->ctrl = pkey_hkdf_ctrl;
+    out->ctrl_str = NULL;
 }
 
 int EVP_PKEY_CTX_hkdf_mode(EVP_PKEY_CTX *ctx, int mode) {

crypto/fipsmodule/evp/p_hmac.c

@@ -124,6 +124,7 @@ DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_hmac_pkey_meth) {
   out->derive = NULL;
   out->paramgen = NULL;
   out->ctrl = hmac_ctrl;
+  out->ctrl_str = NULL;
 }
 
 int used_for_hmac(EVP_MD_CTX *ctx) {

crypto/fipsmodule/evp/p_kem.c

@@ -318,6 +318,7 @@ DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_kem_pkey_meth) {
   out->derive = pkey_hkdf_derive;
   out->paramgen = NULL;
   out->ctrl = NULL;
+  out->ctrl_str = NULL;
   out->keygen_deterministic = pkey_kem_keygen_deterministic;
   out->encapsulate_deterministic = pkey_kem_encapsulate_deterministic;
   out->encapsulate = pkey_kem_encapsulate;

crypto/fipsmodule/evp/p_rsa.c

@@ -703,6 +703,7 @@ DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_rsa_pkey_meth) {
     out->derive = NULL;
     out->paramgen = NULL;
     out->ctrl = pkey_rsa_ctrl;
+    out->ctrl_str = NULL;
 }
 
 DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_rsa_pss_pkey_meth) {
@@ -723,6 +724,7 @@ DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_rsa_pss_pkey_meth) {
     out->derive = NULL;
     out->paramgen = NULL;
     out->ctrl = pkey_rsa_ctrl;
+    out->ctrl_str = NULL;
 }
 
 int EVP_RSA_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2) {

crypto/fipsmodule/ml_kem/README.md

@@ -8,7 +8,7 @@ The code was refactored in [this PR](https://github.com/aws/aws-lc/pull/1763) by
 that initialize a given structure with values corresponding to a parameter set. This structure is then passed to every function that requires it as a function argument. In addition, the following changes were made to the source code in `ml_kem_ref` directory:
 - `randombytes.{h|c}` are deleted because we are using the randomness generation functions provided by AWS-LC.
 - `kem.c`: call to randombytes function is replaced with a call to RAND_bytes and the appropriate header file is included (openssl/rand.h).
-- `fips202.{h|c}` are deleted and the ones from `crypto/kyber/pqcrystals_kyber_ref_common` directory are used.
+- `fips202.{h|c}` are deleted as all SHA3/SHAKE functionality is provided instead by AWS-LC fipsmodule/sha rather than the reference implementation.
 - `symmetric-shake.c`: unnecessary include of fips202.h is removed.
 - `api.h`: `pqcrystals` prefix substituted with `ml_kem` (to be able to build alongside `crypto/kyber`).
 - `poly.c`: the `poly_frommsg` function was modified to address the constant-time issue described [here](https://github.com/pq-crystals/kyber/commit/9b8d30698a3e7449aeb34e62339d4176f11e3c6c).

crypto/fipsmodule/ml_kem/ml_kem_ref/indcpa.c

@@ -167,24 +167,24 @@ void gen_matrix(ml_kem_params *params, polyvec *a, const uint8_t seed[KYBER_SYMB
   unsigned int ctr, i, j, k;
   unsigned int buflen, off;
   uint8_t buf[GEN_MATRIX_NBLOCKS*XOF_BLOCKBYTES+2];
-  xof_state state;
+  KECCAK1600_CTX ctx;
 
   for(i=0;i<params->k;i++) {
     for(j=0;j<params->k;j++) {
       if(transposed)
-        xof_absorb(&state, seed, i, j);
+        xof_absorb(&ctx, seed, i, j);
       else
-        xof_absorb(&state, seed, j, i);
+        xof_absorb(&ctx, seed, j, i);
 
-      xof_squeezeblocks(buf, GEN_MATRIX_NBLOCKS, &state);
+      xof_squeezeblocks(buf, GEN_MATRIX_NBLOCKS, &ctx);
       buflen = GEN_MATRIX_NBLOCKS*XOF_BLOCKBYTES;
       ctr = rej_uniform(a[i].vec[j].coeffs, KYBER_N, buf, buflen);
 
       while(ctr < KYBER_N) {
         off = buflen % 3;
         for(k = 0; k < off; k++)
           buf[k] = buf[buflen - off + k];
-        xof_squeezeblocks(buf + off, 1, &state);
+        xof_squeezeblocks(buf + off, 1, &ctx);
         buflen = off + XOF_BLOCKBYTES;
         ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, buflen);
       }