Merge branch 'main' into docker-updates

aws · Jan 31, 2025 · d502580 · d502580
2 parents 9eb68a7 + 35da9fe
commit d502580
Show file tree

Hide file tree

Showing 70 changed files with 2,369 additions and 744 deletions.
diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt
@@ -395,6 +395,7 @@ add_library(
   cipher_extra/e_rc4.c
   cipher_extra/e_tls.c
   cipher_extra/tls_cbc.c
+  curve25519_extra/curve25519_extra.c
   conf/conf.c
   crypto.c
   des/des.c
@@ -474,9 +475,7 @@ add_library(
   rand_extra/deterministic.c
   rand_extra/entropy_passive.c
   rand_extra/forkunsafe.c
-  rand_extra/fuchsia.c
   rand_extra/rand_extra.c
-  rand_extra/trusty.c
   rand_extra/windows.c
   rc4/rc4.c
   refcount_c11.c

diff --git a/crypto/curve25519_extra/curve25519_extra.c b/crypto/curve25519_extra/curve25519_extra.c
@@ -0,0 +1,154 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0 OR ISC
+
+#include "../fipsmodule/service_indicator/internal.h"
+#include "../fipsmodule/curve25519/internal.h"
+#include "internal.h"
+
+int ED25519ctx_sign(uint8_t out_sig[ED25519_SIGNATURE_LEN],
+                    const uint8_t *message, size_t message_len,
+                    const uint8_t private_key[ED25519_PRIVATE_KEY_LEN],
+                    const uint8_t *context, size_t context_len) {
+  FIPS_service_indicator_lock_state();
+  boringssl_ensure_eddsa_self_test();
+  int res = ED25519ctx_sign_no_self_test(out_sig, message, message_len,
+                                         private_key, context, context_len);
+  FIPS_service_indicator_unlock_state();
+  return res;
+}
+
+int ED25519ctx_sign_no_self_test(
+    uint8_t out_sig[ED25519_SIGNATURE_LEN], const uint8_t *message,
+    size_t message_len, const uint8_t private_key[ED25519_PRIVATE_KEY_LEN],
+    const uint8_t *context, size_t context_len) {
+  return ed25519_sign_internal(ED25519CTX_ALG, out_sig, message, message_len,
+                               private_key, context, context_len);
+}
+
+int ED25519ctx_verify(const uint8_t *message, size_t message_len,
+                      const uint8_t signature[ED25519_SIGNATURE_LEN],
+                      const uint8_t public_key[ED25519_PUBLIC_KEY_LEN],
+                      const uint8_t *context, size_t context_len) {
+  FIPS_service_indicator_lock_state();
+  boringssl_ensure_eddsa_self_test();
+  int res = ED25519ctx_verify_no_self_test(message, message_len, signature,
+                                           public_key, context, context_len);
+  FIPS_service_indicator_unlock_state();
+  return res;
+}
+
+int ED25519ctx_verify_no_self_test(
+    const uint8_t *message, size_t message_len,
+    const uint8_t signature[ED25519_SIGNATURE_LEN],
+    const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], const uint8_t *context,
+    size_t context_len) {
+  return ed25519_verify_internal(ED25519CTX_ALG, message, message_len,
+                                 signature, public_key, context, context_len);
+}
+
+int ED25519ph_sign(uint8_t out_sig[ED25519_SIGNATURE_LEN],
+                   const uint8_t *message, size_t message_len,
+                   const uint8_t private_key[ED25519_PRIVATE_KEY_LEN],
+                   const uint8_t *context, size_t context_len) {
+  FIPS_service_indicator_lock_state();
+  boringssl_ensure_hasheddsa_self_test();
+  int res = ED25519ph_sign_no_self_test(out_sig, message, message_len,
+                                        private_key, context, context_len);
+  FIPS_service_indicator_unlock_state();
+  if (res) {
+    FIPS_service_indicator_update_state();
+  }
+  return res;
+}
+
+int ED25519ph_sign_no_self_test(
+    uint8_t out_sig[ED25519_SIGNATURE_LEN], const uint8_t *message,
+    size_t message_len, const uint8_t private_key[ED25519_PRIVATE_KEY_LEN],
+    const uint8_t *context, size_t context_len) {
+  uint8_t digest[SHA512_DIGEST_LENGTH] = {0};
+  SHA512_CTX ctx;
+  SHA512_Init(&ctx);
+  SHA512_Update(&ctx, message, message_len);
+  SHA512_Final(digest, &ctx);
+  return ED25519ph_sign_digest_no_self_test(out_sig, digest, private_key,
+                                            context, context_len);
+}
+
+int ED25519ph_sign_digest(uint8_t out_sig[ED25519_SIGNATURE_LEN],
+                          const uint8_t digest[SHA512_DIGEST_LENGTH],
+                          const uint8_t private_key[ED25519_PRIVATE_KEY_LEN],
+                          const uint8_t *context, size_t context_len) {
+  FIPS_service_indicator_lock_state();
+  boringssl_ensure_hasheddsa_self_test();
+  FIPS_service_indicator_unlock_state();
+  int res = ED25519ph_sign_digest_no_self_test(out_sig, digest, private_key,
+                                               context, context_len);
+  if (res) {
+    FIPS_service_indicator_update_state();
+  }
+  return res;
+}
+
+int ED25519ph_sign_digest_no_self_test(
+    uint8_t out_sig[ED25519_SIGNATURE_LEN],
+    const uint8_t digest[SHA512_DIGEST_LENGTH],
+    const uint8_t private_key[ED25519_PRIVATE_KEY_LEN],
+    const uint8_t *context, size_t context_len) {
+  return ed25519_sign_internal(ED25519PH_ALG, out_sig, digest,
+                               SHA512_DIGEST_LENGTH, private_key, context,
+                               context_len);
+}
+
+int ED25519ph_verify(const uint8_t *message, size_t message_len,
+                     const uint8_t signature[ED25519_SIGNATURE_LEN],
+                     const uint8_t public_key[ED25519_PUBLIC_KEY_LEN],
+                     const uint8_t *context, size_t context_len) {
+  FIPS_service_indicator_lock_state();
+  boringssl_ensure_hasheddsa_self_test();
+  int res = ED25519ph_verify_no_self_test(message, message_len, signature,
+                                          public_key, context, context_len);
+  FIPS_service_indicator_unlock_state();
+  if (res) {
+    FIPS_service_indicator_update_state();
+  }
+  return res;
+}
+
+int ED25519ph_verify_no_self_test(
+    const uint8_t *message, size_t message_len,
+    const uint8_t signature[ED25519_SIGNATURE_LEN],
+    const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], const uint8_t *context,
+    size_t context_len) {
+  uint8_t digest[SHA512_DIGEST_LENGTH] = {0};
+  SHA512_CTX ctx;
+  SHA512_Init(&ctx);
+  SHA512_Update(&ctx, message, message_len);
+  SHA512_Final(digest, &ctx);
+  return ED25519ph_verify_digest_no_self_test(digest, signature, public_key,
+                                              context, context_len);
+}
+
+int ED25519ph_verify_digest(const uint8_t digest[SHA512_DIGEST_LENGTH],
+                            const uint8_t signature[ED25519_SIGNATURE_LEN],
+                            const uint8_t public_key[ED25519_PUBLIC_KEY_LEN],
+                            const uint8_t *context, size_t context_len) {
+  FIPS_service_indicator_lock_state();
+  boringssl_ensure_hasheddsa_self_test();
+  int res = ED25519ph_verify_digest_no_self_test(
+      digest, signature, public_key, context, context_len);
+  FIPS_service_indicator_unlock_state();
+  if(res) {
+    FIPS_service_indicator_update_state();
+  }
+  return res;
+}
+
+int ED25519ph_verify_digest_no_self_test(
+    const uint8_t digest[SHA512_DIGEST_LENGTH],
+    const uint8_t signature[ED25519_SIGNATURE_LEN],
+    const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], const uint8_t *context,
+    size_t context_len) {
+  return ed25519_verify_internal(ED25519PH_ALG, digest,
+                                 SHA512_DIGEST_LENGTH, signature, public_key,
+                                 context, context_len);
+}
diff --git a/crypto/curve25519_extra/internal.h b/crypto/curve25519_extra/internal.h
@@ -0,0 +1,54 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0 OR ISC
+
+#ifndef OPENSSL_HEADER_CURVE25519_EXTRA_INTERNAL_H
+#define OPENSSL_HEADER_CURVE25519_EXTRA_INTERNAL_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include <openssl/base.h>
+#include <openssl/curve25519.h>
+
+int ED25519ctx_sign_no_self_test(
+    uint8_t out_sig[ED25519_SIGNATURE_LEN],
+    const uint8_t *message, size_t message_len,
+    const uint8_t private_key[ED25519_PRIVATE_KEY_LEN],
+    const uint8_t *context, size_t context_len);
+
+int ED25519ctx_verify_no_self_test(
+    const uint8_t *message, size_t message_len,
+    const uint8_t signature[ED25519_SIGNATURE_LEN],
+    const uint8_t public_key[ED25519_PUBLIC_KEY_LEN],
+    const uint8_t *context, size_t context_len);
+
+int ED25519ph_sign_no_self_test(
+    uint8_t out_sig[ED25519_SIGNATURE_LEN],
+    const uint8_t *message, size_t message_len,
+    const uint8_t private_key[ED25519_PRIVATE_KEY_LEN],
+    const uint8_t *context, size_t context_len);
+
+int ED25519ph_sign_digest_no_self_test(
+    uint8_t out_sig[ED25519_SIGNATURE_LEN],
+    const uint8_t digest[SHA512_DIGEST_LENGTH],
+    const uint8_t private_key[ED25519_PRIVATE_KEY_LEN],
+    const uint8_t *context, size_t context_len);
+
+int ED25519ph_verify_no_self_test(
+    const uint8_t *message, size_t message_len,
+    const uint8_t signature[ED25519_SIGNATURE_LEN],
+    const uint8_t public_key[ED25519_PUBLIC_KEY_LEN],
+    const uint8_t *context, size_t context_len);
+
+int ED25519ph_verify_digest_no_self_test(
+    const uint8_t digest[SHA512_DIGEST_LENGTH],
+    const uint8_t signature[ED25519_SIGNATURE_LEN],
+    const uint8_t public_key[ED25519_PUBLIC_KEY_LEN],
+    const uint8_t *context, size_t context_len);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif  // OPENSSL_HEADER_CURVE25519_EXTRA_INTERNAL_H
diff --git a/crypto/evp_extra/p_pqdsa_asn1.c b/crypto/evp_extra/p_pqdsa_asn1.c
@@ -144,12 +144,38 @@ static int pqdsa_priv_decode(EVP_PKEY *out, CBS *params, CBS *key, CBS *pubkey)
     OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
     return 0;
   }
-  // set the pqdsa params on the fresh pkey
+
+  // Set the pqdsa params on the fresh pkey
   if (!EVP_PKEY_pqdsa_set_params(out, OBJ_cbs2nid(params))) {
     OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
     return 0;
   }
-  return PQDSA_KEY_set_raw_private_key(out->pkey.pqdsa_key,CBS_data(key));
+
+  // Set the private key
+  if (!PQDSA_KEY_set_raw_private_key(out->pkey.pqdsa_key, CBS_data(key))) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+    return 0;
+  }
+
+  // Create buffers to store public key based on size
+  size_t pk_len = out->pkey.pqdsa_key->pqdsa->public_key_len;
+  uint8_t *public_key = OPENSSL_malloc(pk_len);
+
+  if (public_key == NULL) {
+    OPENSSL_PUT_ERROR(EVP, ERR_R_MALLOC_FAILURE);
+    return 0;
+  }
+
+  // Construct the public key from the private key
+  if (!out->pkey.pqdsa_key->pqdsa->method->pqdsa_pack_pk_from_sk(public_key, CBS_data(key))) {
+    OPENSSL_free(public_key);
+    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+    return 0;
+  }
+
+  out->pkey.pqdsa_key->public_key = public_key;
+
+  return 1;
 }
 
 static int pqdsa_priv_encode(CBB *out, const EVP_PKEY *pkey) {

diff --git a/crypto/evp_extra/p_pqdsa_test.cc b/crypto/evp_extra/p_pqdsa_test.cc
@@ -967,6 +967,8 @@ struct PQDSATestVector {
                 const uint8_t *sig, size_t sig_len,
                 const uint8_t *message, size_t message_len,
                 const uint8_t *pre, size_t pre_len);
+
+  int (*pack_key)(uint8_t *public_key, const uint8_t *private_key);
 };
 
 
@@ -1004,7 +1006,8 @@ static const struct PQDSATestVector parameterSet[] = {
     1334,
     ml_dsa_44_keypair_internal,
     ml_dsa_44_sign_internal,
-    ml_dsa_44_verify_internal
+    ml_dsa_44_verify_internal,
+    ml_dsa_44_pack_pk_from_sk,
   },
   {
     "MLDSA65",
@@ -1018,7 +1021,8 @@ static const struct PQDSATestVector parameterSet[] = {
     1974,
     ml_dsa_65_keypair_internal,
     ml_dsa_65_sign_internal,
-    ml_dsa_65_verify_internal
+    ml_dsa_65_verify_internal,
+    ml_dsa_65_pack_pk_from_sk
   },
   {
     "MLDSA87",
@@ -1032,7 +1036,8 @@ static const struct PQDSATestVector parameterSet[] = {
     2614,
     ml_dsa_87_keypair_internal,
     ml_dsa_87_sign_internal,
-    ml_dsa_87_verify_internal
+    ml_dsa_87_verify_internal,
+    ml_dsa_87_pack_pk_from_sk
   },
 };
 
@@ -1392,6 +1397,17 @@ TEST_P(PQDSAParameterTest, MarshalParse) {
   ASSERT_TRUE(priv_pkey_from_der);
   EXPECT_EQ(Bytes(priv_pkey_from_der->pkey.pqdsa_key->private_key, GetParam().private_key_len),
             Bytes(pkey->pkey.pqdsa_key->private_key, GetParam().private_key_len));
+
+  // When importing a PQDSA private key, the public key will be calculated and
+  // used to populate the public key. To test the calculated key is correct,
+  // we first check that the public key has been populated, then test for equality
+  // with the expected public key:
+  ASSERT_NE(priv_pkey_from_der, nullptr);
+  EXPECT_NE(priv_pkey_from_der->pkey.pqdsa_key->public_key, nullptr);
+  EXPECT_NE(priv_pkey_from_der->pkey.pqdsa_key->private_key, nullptr);
+
+  EXPECT_EQ(Bytes(priv_pkey_from_der->pkey.pqdsa_key->public_key, GetParam().public_key_len),
+            Bytes(pkey->pkey.pqdsa_key->public_key, GetParam().public_key_len));
 }
 
 TEST_P(PQDSAParameterTest, SIGOperations) {
@@ -1516,6 +1532,31 @@ TEST_P(PQDSAParameterTest, ParsePublicKey) {
   ASSERT_TRUE(pkey_from_der);
 }
 
+TEST_P(PQDSAParameterTest, KeyConsistencyTest) {
+  // This test: generates a random PQDSA key pair extracts the private key, and
+  // runs the public key calculator function to populate the coresponding public key.
+  // The test is sucessful when the calculated public key is equal to the original
+  // public key generated.
+
+  // ---- 1. Setup phase: generate a key and key buffers ----
+  int nid = GetParam().nid;
+  size_t pk_len = GetParam().public_key_len;
+  size_t sk_len = GetParam().private_key_len;
+
+  std::vector<uint8_t> pk(pk_len);
+  std::vector<uint8_t> sk(sk_len);
+  bssl::UniquePtr<EVP_PKEY> pkey(generate_key_pair(nid));
+
+  // ---- 2. Extract raw private key from the generated PKEY ----
+  EVP_PKEY_get_raw_private_key(pkey.get(), sk.data(), &sk_len);
+
+  // ---- 3. Generate a raw public key from the raw private key ----
+  ASSERT_TRUE(GetParam().pack_key(pk.data(), sk.data()));
+
+  // ---- 4. Generate a raw public key from the raw private key ----
+  CMP_VEC_AND_PKEY_PUBLIC(pk, pkey, pk_len);
+}
+
 // ML-DSA specific test framework to test pre-hash modes only applicable to ML-DSA
 struct KnownMLDSA {
   const char name[20];

diff --git a/crypto/fipsmodule/aes/asm/aesni-xts-avx512.pl b/crypto/fipsmodule/aes/asm/aesni-xts-avx512.pl
@@ -1598,7 +1598,7 @@
   vmovdqu8 	 %zmm1,($output)
   vmovdqu 	 %xmm2,0x40($output)
   add 	 \$0x50,$output
-  movdqa 	 %xmm2,%xmm8
+  vmovdqa 	 %xmm2,%xmm8
   vextracti32x4 	 \$0x1,%zmm10,%xmm0
   and 	 \$0xf,$length
   je 	 .L_ret_${rndsuffix}

diff --git a/crypto/fipsmodule/bcm.c b/crypto/fipsmodule/bcm.c
@@ -76,7 +76,6 @@
 #include "cpucap/cpu_aarch64_sysreg.c"
 #include "cpucap/cpu_aarch64_apple.c"
 #include "cpucap/cpu_aarch64_freebsd.c"
-#include "cpucap/cpu_aarch64_fuchsia.c"
 #include "cpucap/cpu_aarch64_linux.c"
 #include "cpucap/cpu_aarch64_openbsd.c"
 #include "cpucap/cpu_aarch64_win.c"