diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt index 23729d579c..3aed47cbe9 100644 --- a/crypto/CMakeLists.txt +++ b/crypto/CMakeLists.txt @@ -395,6 +395,7 @@ add_library( cipher_extra/e_rc4.c cipher_extra/e_tls.c cipher_extra/tls_cbc.c + curve25519_extra/curve25519_extra.c conf/conf.c crypto.c des/des.c @@ -474,9 +475,7 @@ add_library( rand_extra/deterministic.c rand_extra/entropy_passive.c rand_extra/forkunsafe.c - rand_extra/fuchsia.c rand_extra/rand_extra.c - rand_extra/trusty.c rand_extra/windows.c rc4/rc4.c refcount_c11.c diff --git a/crypto/curve25519_extra/curve25519_extra.c b/crypto/curve25519_extra/curve25519_extra.c new file mode 100644 index 0000000000..c7c1f7a2cc --- /dev/null +++ b/crypto/curve25519_extra/curve25519_extra.c @@ -0,0 +1,154 @@ +// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 OR ISC + +#include "../fipsmodule/service_indicator/internal.h" +#include "../fipsmodule/curve25519/internal.h" +#include "internal.h" + +int ED25519ctx_sign(uint8_t out_sig[ED25519_SIGNATURE_LEN], + const uint8_t *message, size_t message_len, + const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], + const uint8_t *context, size_t context_len) { + FIPS_service_indicator_lock_state(); + boringssl_ensure_eddsa_self_test(); + int res = ED25519ctx_sign_no_self_test(out_sig, message, message_len, + private_key, context, context_len); + FIPS_service_indicator_unlock_state(); + return res; +} + +int ED25519ctx_sign_no_self_test( + uint8_t out_sig[ED25519_SIGNATURE_LEN], const uint8_t *message, + size_t message_len, const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], + const uint8_t *context, size_t context_len) { + return ed25519_sign_internal(ED25519CTX_ALG, out_sig, message, message_len, + private_key, context, context_len); +} + +int ED25519ctx_verify(const uint8_t *message, size_t message_len, + const uint8_t signature[ED25519_SIGNATURE_LEN], + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], + const uint8_t *context, size_t context_len) { + FIPS_service_indicator_lock_state(); + boringssl_ensure_eddsa_self_test(); + int res = ED25519ctx_verify_no_self_test(message, message_len, signature, + public_key, context, context_len); + FIPS_service_indicator_unlock_state(); + return res; +} + +int ED25519ctx_verify_no_self_test( + const uint8_t *message, size_t message_len, + const uint8_t signature[ED25519_SIGNATURE_LEN], + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], const uint8_t *context, + size_t context_len) { + return ed25519_verify_internal(ED25519CTX_ALG, message, message_len, + signature, public_key, context, context_len); +} + +int ED25519ph_sign(uint8_t out_sig[ED25519_SIGNATURE_LEN], + const uint8_t *message, size_t message_len, + const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], + const uint8_t *context, size_t context_len) { + FIPS_service_indicator_lock_state(); + boringssl_ensure_hasheddsa_self_test(); + int res = ED25519ph_sign_no_self_test(out_sig, message, message_len, + private_key, context, context_len); + FIPS_service_indicator_unlock_state(); + if (res) { + FIPS_service_indicator_update_state(); + } + return res; +} + +int ED25519ph_sign_no_self_test( + uint8_t out_sig[ED25519_SIGNATURE_LEN], const uint8_t *message, + size_t message_len, const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], + const uint8_t *context, size_t context_len) { + uint8_t digest[SHA512_DIGEST_LENGTH] = {0}; + SHA512_CTX ctx; + SHA512_Init(&ctx); + SHA512_Update(&ctx, message, message_len); + SHA512_Final(digest, &ctx); + return ED25519ph_sign_digest_no_self_test(out_sig, digest, private_key, + context, context_len); +} + +int ED25519ph_sign_digest(uint8_t out_sig[ED25519_SIGNATURE_LEN], + const uint8_t digest[SHA512_DIGEST_LENGTH], + const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], + const uint8_t *context, size_t context_len) { + FIPS_service_indicator_lock_state(); + boringssl_ensure_hasheddsa_self_test(); + FIPS_service_indicator_unlock_state(); + int res = ED25519ph_sign_digest_no_self_test(out_sig, digest, private_key, + context, context_len); + if (res) { + FIPS_service_indicator_update_state(); + } + return res; +} + +int ED25519ph_sign_digest_no_self_test( + uint8_t out_sig[ED25519_SIGNATURE_LEN], + const uint8_t digest[SHA512_DIGEST_LENGTH], + const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], + const uint8_t *context, size_t context_len) { + return ed25519_sign_internal(ED25519PH_ALG, out_sig, digest, + SHA512_DIGEST_LENGTH, private_key, context, + context_len); +} + +int ED25519ph_verify(const uint8_t *message, size_t message_len, + const uint8_t signature[ED25519_SIGNATURE_LEN], + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], + const uint8_t *context, size_t context_len) { + FIPS_service_indicator_lock_state(); + boringssl_ensure_hasheddsa_self_test(); + int res = ED25519ph_verify_no_self_test(message, message_len, signature, + public_key, context, context_len); + FIPS_service_indicator_unlock_state(); + if (res) { + FIPS_service_indicator_update_state(); + } + return res; +} + +int ED25519ph_verify_no_self_test( + const uint8_t *message, size_t message_len, + const uint8_t signature[ED25519_SIGNATURE_LEN], + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], const uint8_t *context, + size_t context_len) { + uint8_t digest[SHA512_DIGEST_LENGTH] = {0}; + SHA512_CTX ctx; + SHA512_Init(&ctx); + SHA512_Update(&ctx, message, message_len); + SHA512_Final(digest, &ctx); + return ED25519ph_verify_digest_no_self_test(digest, signature, public_key, + context, context_len); +} + +int ED25519ph_verify_digest(const uint8_t digest[SHA512_DIGEST_LENGTH], + const uint8_t signature[ED25519_SIGNATURE_LEN], + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], + const uint8_t *context, size_t context_len) { + FIPS_service_indicator_lock_state(); + boringssl_ensure_hasheddsa_self_test(); + int res = ED25519ph_verify_digest_no_self_test( + digest, signature, public_key, context, context_len); + FIPS_service_indicator_unlock_state(); + if(res) { + FIPS_service_indicator_update_state(); + } + return res; +} + +int ED25519ph_verify_digest_no_self_test( + const uint8_t digest[SHA512_DIGEST_LENGTH], + const uint8_t signature[ED25519_SIGNATURE_LEN], + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], const uint8_t *context, + size_t context_len) { + return ed25519_verify_internal(ED25519PH_ALG, digest, + SHA512_DIGEST_LENGTH, signature, public_key, + context, context_len); +} diff --git a/crypto/curve25519_extra/internal.h b/crypto/curve25519_extra/internal.h new file mode 100644 index 0000000000..1f08bef58e --- /dev/null +++ b/crypto/curve25519_extra/internal.h @@ -0,0 +1,54 @@ +// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 OR ISC + +#ifndef OPENSSL_HEADER_CURVE25519_EXTRA_INTERNAL_H +#define OPENSSL_HEADER_CURVE25519_EXTRA_INTERNAL_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include + +int ED25519ctx_sign_no_self_test( + uint8_t out_sig[ED25519_SIGNATURE_LEN], + const uint8_t *message, size_t message_len, + const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], + const uint8_t *context, size_t context_len); + +int ED25519ctx_verify_no_self_test( + const uint8_t *message, size_t message_len, + const uint8_t signature[ED25519_SIGNATURE_LEN], + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], + const uint8_t *context, size_t context_len); + +int ED25519ph_sign_no_self_test( + uint8_t out_sig[ED25519_SIGNATURE_LEN], + const uint8_t *message, size_t message_len, + const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], + const uint8_t *context, size_t context_len); + +int ED25519ph_sign_digest_no_self_test( + uint8_t out_sig[ED25519_SIGNATURE_LEN], + const uint8_t digest[SHA512_DIGEST_LENGTH], + const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], + const uint8_t *context, size_t context_len); + +int ED25519ph_verify_no_self_test( + const uint8_t *message, size_t message_len, + const uint8_t signature[ED25519_SIGNATURE_LEN], + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], + const uint8_t *context, size_t context_len); + +int ED25519ph_verify_digest_no_self_test( + const uint8_t digest[SHA512_DIGEST_LENGTH], + const uint8_t signature[ED25519_SIGNATURE_LEN], + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], + const uint8_t *context, size_t context_len); + +#if defined(__cplusplus) +} +#endif + +#endif // OPENSSL_HEADER_CURVE25519_EXTRA_INTERNAL_H diff --git a/crypto/evp_extra/p_pqdsa_asn1.c b/crypto/evp_extra/p_pqdsa_asn1.c index 20db8a913a..b809407005 100644 --- a/crypto/evp_extra/p_pqdsa_asn1.c +++ b/crypto/evp_extra/p_pqdsa_asn1.c @@ -144,12 +144,38 @@ static int pqdsa_priv_decode(EVP_PKEY *out, CBS *params, CBS *key, CBS *pubkey) OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); return 0; } - // set the pqdsa params on the fresh pkey + + // Set the pqdsa params on the fresh pkey if (!EVP_PKEY_pqdsa_set_params(out, OBJ_cbs2nid(params))) { OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); return 0; } - return PQDSA_KEY_set_raw_private_key(out->pkey.pqdsa_key,CBS_data(key)); + + // Set the private key + if (!PQDSA_KEY_set_raw_private_key(out->pkey.pqdsa_key, CBS_data(key))) { + OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); + return 0; + } + + // Create buffers to store public key based on size + size_t pk_len = out->pkey.pqdsa_key->pqdsa->public_key_len; + uint8_t *public_key = OPENSSL_malloc(pk_len); + + if (public_key == NULL) { + OPENSSL_PUT_ERROR(EVP, ERR_R_MALLOC_FAILURE); + return 0; + } + + // Construct the public key from the private key + if (!out->pkey.pqdsa_key->pqdsa->method->pqdsa_pack_pk_from_sk(public_key, CBS_data(key))) { + OPENSSL_free(public_key); + OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); + return 0; + } + + out->pkey.pqdsa_key->public_key = public_key; + + return 1; } static int pqdsa_priv_encode(CBB *out, const EVP_PKEY *pkey) { diff --git a/crypto/evp_extra/p_pqdsa_test.cc b/crypto/evp_extra/p_pqdsa_test.cc index 5eac273f7c..590107705c 100644 --- a/crypto/evp_extra/p_pqdsa_test.cc +++ b/crypto/evp_extra/p_pqdsa_test.cc @@ -967,6 +967,8 @@ struct PQDSATestVector { const uint8_t *sig, size_t sig_len, const uint8_t *message, size_t message_len, const uint8_t *pre, size_t pre_len); + + int (*pack_key)(uint8_t *public_key, const uint8_t *private_key); }; @@ -1004,7 +1006,8 @@ static const struct PQDSATestVector parameterSet[] = { 1334, ml_dsa_44_keypair_internal, ml_dsa_44_sign_internal, - ml_dsa_44_verify_internal + ml_dsa_44_verify_internal, + ml_dsa_44_pack_pk_from_sk, }, { "MLDSA65", @@ -1018,7 +1021,8 @@ static const struct PQDSATestVector parameterSet[] = { 1974, ml_dsa_65_keypair_internal, ml_dsa_65_sign_internal, - ml_dsa_65_verify_internal + ml_dsa_65_verify_internal, + ml_dsa_65_pack_pk_from_sk }, { "MLDSA87", @@ -1032,7 +1036,8 @@ static const struct PQDSATestVector parameterSet[] = { 2614, ml_dsa_87_keypair_internal, ml_dsa_87_sign_internal, - ml_dsa_87_verify_internal + ml_dsa_87_verify_internal, + ml_dsa_87_pack_pk_from_sk }, }; @@ -1392,6 +1397,17 @@ TEST_P(PQDSAParameterTest, MarshalParse) { ASSERT_TRUE(priv_pkey_from_der); EXPECT_EQ(Bytes(priv_pkey_from_der->pkey.pqdsa_key->private_key, GetParam().private_key_len), Bytes(pkey->pkey.pqdsa_key->private_key, GetParam().private_key_len)); + + // When importing a PQDSA private key, the public key will be calculated and + // used to populate the public key. To test the calculated key is correct, + // we first check that the public key has been populated, then test for equality + // with the expected public key: + ASSERT_NE(priv_pkey_from_der, nullptr); + EXPECT_NE(priv_pkey_from_der->pkey.pqdsa_key->public_key, nullptr); + EXPECT_NE(priv_pkey_from_der->pkey.pqdsa_key->private_key, nullptr); + + EXPECT_EQ(Bytes(priv_pkey_from_der->pkey.pqdsa_key->public_key, GetParam().public_key_len), + Bytes(pkey->pkey.pqdsa_key->public_key, GetParam().public_key_len)); } TEST_P(PQDSAParameterTest, SIGOperations) { @@ -1516,6 +1532,31 @@ TEST_P(PQDSAParameterTest, ParsePublicKey) { ASSERT_TRUE(pkey_from_der); } +TEST_P(PQDSAParameterTest, KeyConsistencyTest) { + // This test: generates a random PQDSA key pair extracts the private key, and + // runs the public key calculator function to populate the coresponding public key. + // The test is sucessful when the calculated public key is equal to the original + // public key generated. + + // ---- 1. Setup phase: generate a key and key buffers ---- + int nid = GetParam().nid; + size_t pk_len = GetParam().public_key_len; + size_t sk_len = GetParam().private_key_len; + + std::vector pk(pk_len); + std::vector sk(sk_len); + bssl::UniquePtr pkey(generate_key_pair(nid)); + + // ---- 2. Extract raw private key from the generated PKEY ---- + EVP_PKEY_get_raw_private_key(pkey.get(), sk.data(), &sk_len); + + // ---- 3. Generate a raw public key from the raw private key ---- + ASSERT_TRUE(GetParam().pack_key(pk.data(), sk.data())); + + // ---- 4. Generate a raw public key from the raw private key ---- + CMP_VEC_AND_PKEY_PUBLIC(pk, pkey, pk_len); +} + // ML-DSA specific test framework to test pre-hash modes only applicable to ML-DSA struct KnownMLDSA { const char name[20]; diff --git a/crypto/fipsmodule/aes/asm/aesni-xts-avx512.pl b/crypto/fipsmodule/aes/asm/aesni-xts-avx512.pl index 5190c9894c..2d8bfda7ad 100644 --- a/crypto/fipsmodule/aes/asm/aesni-xts-avx512.pl +++ b/crypto/fipsmodule/aes/asm/aesni-xts-avx512.pl @@ -1598,7 +1598,7 @@ vmovdqu8 %zmm1,($output) vmovdqu %xmm2,0x40($output) add \$0x50,$output - movdqa %xmm2,%xmm8 + vmovdqa %xmm2,%xmm8 vextracti32x4 \$0x1,%zmm10,%xmm0 and \$0xf,$length je .L_ret_${rndsuffix} diff --git a/crypto/fipsmodule/bcm.c b/crypto/fipsmodule/bcm.c index 6c610cbf34..31eabded4c 100644 --- a/crypto/fipsmodule/bcm.c +++ b/crypto/fipsmodule/bcm.c @@ -76,7 +76,6 @@ #include "cpucap/cpu_aarch64_sysreg.c" #include "cpucap/cpu_aarch64_apple.c" #include "cpucap/cpu_aarch64_freebsd.c" -#include "cpucap/cpu_aarch64_fuchsia.c" #include "cpucap/cpu_aarch64_linux.c" #include "cpucap/cpu_aarch64_openbsd.c" #include "cpucap/cpu_aarch64_win.c" diff --git a/crypto/fipsmodule/cpucap/cpu_aarch64_fuchsia.c b/crypto/fipsmodule/cpucap/cpu_aarch64_fuchsia.c deleted file mode 100644 index 4757015a8a..0000000000 --- a/crypto/fipsmodule/cpucap/cpu_aarch64_fuchsia.c +++ /dev/null @@ -1,57 +0,0 @@ -/* Copyright (c) 2018, Google Inc. - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY - * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION - * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN - * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ - -#include "internal.h" - -#if defined(OPENSSL_AARCH64) && defined(OPENSSL_FUCHSIA) && \ - !defined(OPENSSL_STATIC_ARMCAP) - -#include -#include -#include - -#include - - -void OPENSSL_cpuid_setup(void) { - uint32_t hwcap; - zx_status_t rc = zx_system_get_features(ZX_FEATURE_KIND_CPU, &hwcap); - if (rc != ZX_OK || (hwcap & ZX_ARM64_FEATURE_ISA_ASIMD) == 0) { - // If NEON/ASIMD is missing, don't report other features either. This - // matches OpenSSL, and the other features depend on SIMD registers. - return; - } - - OPENSSL_armcap_P |= ARMV7_NEON; - - if (hwcap & ZX_ARM64_FEATURE_ISA_AES) { - OPENSSL_armcap_P |= ARMV8_AES; - } - if (hwcap & ZX_ARM64_FEATURE_ISA_PMULL) { - OPENSSL_armcap_P |= ARMV8_PMULL; - } - if (hwcap & ZX_ARM64_FEATURE_ISA_SHA1) { - OPENSSL_armcap_P |= ARMV8_SHA1; - } - if (hwcap & ZX_ARM64_FEATURE_ISA_SHA256) { - OPENSSL_armcap_P |= ARMV8_SHA256; - } - if (hwcap & ZX_ARM64_FEATURE_ISA_SHA512) { - OPENSSL_armcap_P |= ARMV8_SHA512; - } - - OPENSSL_cpucap_initialized = 1; -} - -#endif // OPENSSL_AARCH64 && OPENSSL_FUCHSIA && !OPENSSL_STATIC_ARMCAP diff --git a/crypto/fipsmodule/curve25519/curve25519.c b/crypto/fipsmodule/curve25519/curve25519.c index c36468cf28..de468abc17 100644 --- a/crypto/fipsmodule/curve25519/curve25519.c +++ b/crypto/fipsmodule/curve25519/curve25519.c @@ -23,13 +23,19 @@ #include +#include #include #include #include -#include "internal.h" #include "../../internal.h" #include "../cpucap/internal.h" +#include "internal.h" + +const uint8_t RFC8032_DOM2_PREFIX[DOM2_PREFIX_SIZE] = { + 'S', 'i', 'g', 'E', 'd', '2', '5', '5', '1', '9', ' ', + 'n', 'o', ' ', 'E', 'd', '2', '5', '5', '1', '9', ' ', + 'c', 'o', 'l', 'l', 'i', 's', 'i', 'o', 'n', 's'}; // X25519 [1] and Ed25519 [2] is an ECDHE protocol and signature scheme, // respectively. This file contains an implementation of both using two @@ -53,10 +59,10 @@ // For Ed25519, dom2(F,C) is the empty string and PH the identify function, // cf. rfc8032 5.1. -void ed25519_sha512(uint8_t out[SHA512_DIGEST_LENGTH], - const void *input1, size_t len1, const void *input2, size_t len2, - const void *input3, size_t len3) { - +void ed25519_sha512(uint8_t out[SHA512_DIGEST_LENGTH], const void *input1, + size_t len1, const void *input2, size_t len2, + const void *input3, size_t len3, const void *input4, + size_t len4) { SHA512_CTX hash_ctx; SHA512_Init(&hash_ctx); SHA512_Update(&hash_ctx, input1, len1); @@ -64,6 +70,9 @@ void ed25519_sha512(uint8_t out[SHA512_DIGEST_LENGTH], if (len3 != 0) { SHA512_Update(&hash_ctx, input3, len3); } + if (len4 != 0) { + SHA512_Update(&hash_ctx, input4, len4); + } SHA512_Final(out, &hash_ctx); } @@ -138,13 +147,76 @@ void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN], int ED25519_sign(uint8_t out_sig[ED25519_SIGNATURE_LEN], const uint8_t *message, size_t message_len, const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]) { + FIPS_service_indicator_lock_state(); boringssl_ensure_eddsa_self_test(); - return ED25519_sign_no_self_test(out_sig, message, message_len, private_key); + int res = + ED25519_sign_no_self_test(out_sig, message, message_len, private_key); + FIPS_service_indicator_unlock_state(); + if (res) { + FIPS_service_indicator_update_state(); + } + return res; } -int ED25519_sign_no_self_test(uint8_t out_sig[ED25519_SIGNATURE_LEN], - const uint8_t *message, size_t message_len, - const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]) { +int ED25519_sign_no_self_test( + uint8_t out_sig[ED25519_SIGNATURE_LEN], const uint8_t *message, + size_t message_len, const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]) { + return ed25519_sign_internal(ED25519_ALG, out_sig, message, message_len, + private_key, NULL, 0); +} + +static int dom2(ed25519_algorithm_t alg, uint8_t buffer[MAX_DOM2_SIZE], + size_t *buffer_len, const uint8_t *context, + size_t context_len) { + GUARD_PTR(buffer_len); + *buffer_len = 0; + + uint8_t phflag = 0; + + switch (alg) { + case ED25519_ALG: + // Per rfc8032: + // For Ed25519, dom2(f,c) is the empty string. The phflag value is + // irrelevant. The context (if present at all) MUST be empty. + return context_len == 0; + case ED25519CTX_ALG: + // Per rfc8032: + // For Ed25519ctx, phflag=0. The context input SHOULD NOT be empty. + if (context_len == 0) { + return 0; + } + phflag = 0; + break; + case ED25519PH_ALG: + // For Ed25519ph, phflag=1 + phflag = 1; + break; + default: + // Should never happen unless we missed a ed25519_algorithm_t enum variant + // case in this switch statement + abort(); + } + + OPENSSL_memcpy(buffer, RFC8032_DOM2_PREFIX, DOM2_PREFIX_SIZE); + buffer[DOM2_F_OFFSET] = phflag; + buffer[DOM2_C_OFFSET] = context_len; + if (context_len > 0) { + GUARD_PTR(context); + if (context_len > MAX_DOM2_CONTEXT_SIZE) { + return 0; + } + OPENSSL_memcpy(&buffer[DOM2_CONTEXT_OFFSET], context, context_len); + } + *buffer_len = DOM2_PREFIX_SIZE + DOM2_F_SIZE + DOM2_C_SIZE + context_len; + return 1; +} + +int ed25519_sign_internal( + ed25519_algorithm_t alg, + uint8_t out_sig[ED25519_SIGNATURE_LEN], + const uint8_t *message, size_t message_len, + const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], + const uint8_t *ctx, size_t ctx_len) { // NOTE: The documentation on this function says that it returns zero on // allocation failure. While that can't happen with the current // implementation, we want to reserve the ability to allocate in this @@ -166,38 +238,72 @@ int ED25519_sign_no_self_test(uint8_t out_sig[ED25519_SIGNATURE_LEN], az[31] &= 63; // 00111111_2 az[31] |= 64; // 01000000_2 - // Step: rfc8032 5.1.6.2 - // Compute r = SHA512(prefix || message). uint8_t r[SHA512_DIGEST_LENGTH]; - ed25519_sha512(r, az + ED25519_PRIVATE_KEY_SEED_LEN, - ED25519_PRIVATE_KEY_SEED_LEN, message, message_len, NULL, 0); + uint8_t dom2_buffer[MAX_DOM2_SIZE] = {0}; + size_t dom2_buffer_len = 0; + + if (!dom2(alg, dom2_buffer, &dom2_buffer_len, ctx, ctx_len)) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_CRYPTO_LIB); + return 0; + } + + // Step: rfc8032 5.1.6.2 + if (dom2_buffer_len > 0) { + // Compute r = SHA512(dom2(phflag, context) || prefix || message). + ed25519_sha512(r, dom2_buffer, dom2_buffer_len, + az + ED25519_PRIVATE_KEY_SEED_LEN, + ED25519_PRIVATE_KEY_SEED_LEN, message, message_len, NULL, 0); + } else { + // Compute r = SHA512(prefix || message). + ed25519_sha512(r, az + ED25519_PRIVATE_KEY_SEED_LEN, + ED25519_PRIVATE_KEY_SEED_LEN, message, message_len, NULL, 0, + NULL, 0); + } // Step: rfc8032 5.1.6.[3,5,6,7] #if defined(CURVE25519_S2N_BIGNUM_CAPABLE) ed25519_sign_s2n_bignum(out_sig, r, az, - private_key + ED25519_PRIVATE_KEY_SEED_LEN, message, message_len); + private_key + ED25519_PRIVATE_KEY_SEED_LEN, message, + message_len, dom2_buffer, dom2_buffer_len); #else - ed25519_sign_nohw(out_sig, r, az, - private_key + ED25519_PRIVATE_KEY_SEED_LEN, message, message_len); + ed25519_sign_nohw(out_sig, r, az, private_key + ED25519_PRIVATE_KEY_SEED_LEN, + message, message_len, dom2_buffer, dom2_buffer_len); #endif // The signature is computed from the private key, but is public. CONSTTIME_DECLASSIFY(out_sig, 64); - FIPS_service_indicator_update_state(); return 1; } int ED25519_verify(const uint8_t *message, size_t message_len, const uint8_t signature[ED25519_SIGNATURE_LEN], const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) { + FIPS_service_indicator_lock_state(); boringssl_ensure_eddsa_self_test(); - return ED25519_verify_no_self_test(message, message_len, signature, public_key); + int res = + ED25519_verify_no_self_test(message, message_len, signature, public_key); + FIPS_service_indicator_unlock_state(); + if(res) { + FIPS_service_indicator_update_state(); + } + return res; +} + +int ED25519_verify_no_self_test( + const uint8_t *message, size_t message_len, + const uint8_t signature[ED25519_SIGNATURE_LEN], + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) { + return ed25519_verify_internal(ED25519_ALG, message, message_len, signature, + public_key, NULL, 0); } -int ED25519_verify_no_self_test(const uint8_t *message, size_t message_len, - const uint8_t signature[ED25519_SIGNATURE_LEN], - const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) { +int ed25519_verify_internal( + ed25519_algorithm_t alg, + const uint8_t *message, size_t message_len, + const uint8_t signature[ED25519_SIGNATURE_LEN], + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], + const uint8_t *ctx, size_t ctx_len) { // Ed25519 verify: rfc8032 5.1.7 // Step: rfc8032 5.1.7.1 (up to decoding the public key) @@ -235,25 +341,29 @@ int ED25519_verify_no_self_test(const uint8_t *message, size_t message_len, } } + uint8_t dom2_buffer[MAX_DOM2_SIZE] = {0}; + size_t dom2_buffer_len = 0; + if (!dom2(alg, dom2_buffer, &dom2_buffer_len, ctx, ctx_len)) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_CRYPTO_LIB); + return 0; + } + // Step: rfc8032 5.1.7.[1,2,3] // Verification works by computing [S]B - [k]A' and comparing against R_expected. int res = 0; uint8_t R_computed_encoded[32]; #if defined(CURVE25519_S2N_BIGNUM_CAPABLE) res = ed25519_verify_s2n_bignum(R_computed_encoded, public_key, R_expected, S, - message, message_len); + message, message_len, dom2_buffer, + dom2_buffer_len); #else res = ed25519_verify_nohw(R_computed_encoded, public_key, R_expected, S, - message, message_len); + message, message_len, dom2_buffer, dom2_buffer_len); #endif // Comparison [S]B - [k]A' =? R_expected. Short-circuits if decoding failed. - res = (res == 1) && CRYPTO_memcmp(R_computed_encoded, R_expected, - sizeof(R_computed_encoded)) == 0; - if(res) { - FIPS_service_indicator_update_state(); - } - return res; + return (res == 1) && CRYPTO_memcmp(R_computed_encoded, R_expected, + sizeof(R_computed_encoded)) == 0; } int ED25519_check_public_key(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) { diff --git a/crypto/fipsmodule/curve25519/curve25519_nohw.c b/crypto/fipsmodule/curve25519/curve25519_nohw.c index d163ada6c0..04200bc40b 100644 --- a/crypto/fipsmodule/curve25519/curve25519_nohw.c +++ b/crypto/fipsmodule/curve25519/curve25519_nohw.c @@ -1983,7 +1983,7 @@ void ed25519_public_key_from_hashed_seed_nohw( void ed25519_sign_nohw(uint8_t out_sig[ED25519_SIGNATURE_LEN], uint8_t r[SHA512_DIGEST_LENGTH], const uint8_t *s, const uint8_t *A, - const void *message, size_t message_len) { + const void *message, size_t message_len, const uint8_t* dom2, size_t dom2_len) { // Reduce r modulo the order of the base-point B. x25519_sc_reduce(r); @@ -1992,10 +1992,17 @@ void ed25519_sign_nohw(uint8_t out_sig[ED25519_SIGNATURE_LEN], x25519_ge_scalarmult_base(&R, r); ge_p3_tobytes(out_sig, &R); - // Compute k = SHA512(R || A || message) // R is of length 32 octets uint8_t k[SHA512_DIGEST_LENGTH]; - ed25519_sha512(k, out_sig, 32, A, ED25519_PUBLIC_KEY_LEN, message, message_len); + if (dom2_len > 0) { + // Compute k = SHA512(dom2(phflag, context) || R || A || message) + ed25519_sha512(k, dom2, dom2_len, out_sig, 32, A, ED25519_PUBLIC_KEY_LEN, message, + message_len); + } else { + // Compute k = SHA512(R || A || message) + ed25519_sha512(k, out_sig, 32, A, ED25519_PUBLIC_KEY_LEN, message, + message_len, NULL, 0); + } // Reduce k modulo the order of the base-point B. x25519_sc_reduce(k); @@ -2006,7 +2013,7 @@ void ed25519_sign_nohw(uint8_t out_sig[ED25519_SIGNATURE_LEN], int ed25519_verify_nohw(uint8_t R_computed_encoded[32], const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], uint8_t R_expected[32], - uint8_t S[32], const uint8_t *message, size_t message_len) { + uint8_t S[32], const uint8_t *message, size_t message_len, const uint8_t *dom2, size_t dom2_len) { // Decode public key as A'. ge_p3 A; @@ -2015,10 +2022,16 @@ int ed25519_verify_nohw(uint8_t R_computed_encoded[32], } // Step: rfc8032 5.1.7.2 - // Compute k = SHA512(R_expected || public_key || message). uint8_t k[SHA512_DIGEST_LENGTH]; - ed25519_sha512(k, R_expected, 32, public_key, ED25519_PUBLIC_KEY_LEN, message, - message_len); + if(dom2_len > 0) { + // Compute k = SHA512(dom2(phflag, context) || R_expected || public_key || message). + ed25519_sha512(k, dom2, dom2_len, R_expected, 32, public_key, + ED25519_PUBLIC_KEY_LEN, message, message_len); + } else { + // Compute k = SHA512(R_expected || public_key || message). + ed25519_sha512(k, R_expected, 32, public_key, ED25519_PUBLIC_KEY_LEN, + message, message_len, NULL, 0); + } // Reduce k modulo the order of the base-point B. Saves compute in the // subsequent scalar multiplication. diff --git a/crypto/fipsmodule/curve25519/curve25519_s2n_bignum_asm.c b/crypto/fipsmodule/curve25519/curve25519_s2n_bignum_asm.c index 50e52f02c1..af225f6784 100644 --- a/crypto/fipsmodule/curve25519/curve25519_s2n_bignum_asm.c +++ b/crypto/fipsmodule/curve25519/curve25519_s2n_bignum_asm.c @@ -51,7 +51,7 @@ void ed25519_public_key_from_hashed_seed_s2n_bignum( void ed25519_sign_s2n_bignum(uint8_t out_sig[ED25519_SIGNATURE_LEN], uint8_t r[SHA512_DIGEST_LENGTH], const uint8_t *s, const uint8_t *A, - const void *message, size_t message_len) { + const void *message, size_t message_len, const uint8_t *dom2, size_t dom2_len) { uint8_t k[SHA512_DIGEST_LENGTH] = {0}; uint64_t R[8] = {0}; @@ -69,10 +69,16 @@ void ed25519_sign_s2n_bignum(uint8_t out_sig[ED25519_SIGNATURE_LEN], edwards25519_scalarmulbase_selector(R, uint64_r); edwards25519_encode(out_sig, R); - // Compute k = SHA512(R || A || message) // R is of length 32 octets - ed25519_sha512(k, out_sig, 32, A, ED25519_PUBLIC_KEY_LEN, message, - message_len); + if (dom2_len > 0) { + // Compute k = SHA512(dom2(phflag, context) || R || A || message) + ed25519_sha512(k, dom2, dom2_len, out_sig, 32, A, ED25519_PUBLIC_KEY_LEN, message, + message_len); + } else { + // Compute k = SHA512(R || A || message) + ed25519_sha512(k, out_sig, 32, A, ED25519_PUBLIC_KEY_LEN, message, + message_len, NULL, 0); + } OPENSSL_memcpy(uint64_k, k, SHA512_DIGEST_LENGTH); bignum_mod_n25519(uint64_k, 8, uint64_k); @@ -84,7 +90,7 @@ void ed25519_sign_s2n_bignum(uint8_t out_sig[ED25519_SIGNATURE_LEN], int ed25519_verify_s2n_bignum(uint8_t R_computed_encoded[32], const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], uint8_t R_expected[32], - uint8_t S[32], const uint8_t *message, size_t message_len) { + uint8_t S[32], const uint8_t *message, size_t message_len, const uint8_t *dom2, size_t dom2_len) { uint8_t k[SHA512_DIGEST_LENGTH] = {0}; uint64_t uint64_k[8] = {0}; @@ -98,9 +104,15 @@ int ed25519_verify_s2n_bignum(uint8_t R_computed_encoded[32], } // Step: rfc8032 5.1.7.2 - // Compute k = SHA512(R_expected || public_key || message). - ed25519_sha512(k, R_expected, 32, public_key, ED25519_PUBLIC_KEY_LEN, message, - message_len); + if(dom2_len > 0) { + // Compute k = SHA512(dom2(phflag, context) || R_expected || public_key || message). + ed25519_sha512(k, dom2, dom2_len, R_expected, 32, public_key, + ED25519_PUBLIC_KEY_LEN, message, message_len); + } else { + // Compute k = SHA512(R_expected || public_key || message). + ed25519_sha512(k, R_expected, 32, public_key, ED25519_PUBLIC_KEY_LEN, + message, message_len, NULL, 0); + } OPENSSL_memcpy(uint64_k, k, SHA512_DIGEST_LENGTH); bignum_mod_n25519(uint64_k, 8, uint64_k); diff --git a/crypto/fipsmodule/curve25519/ed25519_test.cc b/crypto/fipsmodule/curve25519/ed25519_test.cc index 5a657ebdd8..932f96bfe4 100644 --- a/crypto/fipsmodule/curve25519/ed25519_test.cc +++ b/crypto/fipsmodule/curve25519/ed25519_test.cc @@ -130,3 +130,96 @@ TEST(Ed25519Test, KeypairFromSeed) { EXPECT_EQ(Bytes(public_key1), Bytes(public_key2)); EXPECT_EQ(Bytes(private_key1), Bytes(private_key2)); } + +TEST(Ed25519phTest, TestVectors) { + FileTestGTest("crypto/fipsmodule/curve25519/ed25519ph_tests.txt", [](FileTest *t) { + std::vector seed, q, message, context, expected_signature; + ASSERT_TRUE(t->GetBytes(&seed, "SEED")); + ASSERT_EQ(32u, seed.size()); + ASSERT_TRUE(t->GetBytes(&q, "Q")); + ASSERT_EQ(32u, q.size()); + ASSERT_TRUE(t->GetBytes(&message, "MESSAGE")); + ASSERT_TRUE(t->GetBytes(&expected_signature, "SIGNATURE")); + ASSERT_EQ(64u, expected_signature.size()); + + if (t->HasAttribute("CONTEXT")) { + t->GetBytes(&context, "CONTEXT"); + } else { + context = std::vector(); + } + + uint8_t private_key[ED25519_PRIVATE_KEY_LEN] = {0}; + uint8_t public_key[ED25519_PUBLIC_KEY_LEN] = {0}; + + ED25519_keypair_from_seed(public_key, private_key, seed.data()); + ASSERT_EQ(Bytes(q), Bytes(public_key)); + + // Signing should not leak the private key or the message. + CONSTTIME_SECRET(&private_key[0], sizeof(private_key)); + CONSTTIME_SECRET(message.data(), message.size()); + CONSTTIME_SECRET(context.data(), context.size()); + uint8_t signature[64]; + ASSERT_TRUE(ED25519ph_sign(signature, message.data(), message.size(), + private_key, context.data(), context.size())); + CONSTTIME_DECLASSIFY(signature, sizeof(signature)); + CONSTTIME_DECLASSIFY(message.data(), message.size()); + CONSTTIME_DECLASSIFY(context.data(), context.size()); + + EXPECT_EQ(Bytes(expected_signature), Bytes(signature)); + EXPECT_TRUE(ED25519ph_verify(message.data(), message.size(), signature, + public_key, context.data(), context.size())); + }); +} + +TEST(Ed25519ctxTest, TestVectors) { + FileTestGTest("crypto/fipsmodule/curve25519/ed25519ctx_tests.txt", [](FileTest *t) { + std::vector seed, q, message, context, expected_signature; + ASSERT_TRUE(t->GetBytes(&seed, "SEED")); + ASSERT_EQ(32u, seed.size()); + ASSERT_TRUE(t->GetBytes(&q, "Q")); + ASSERT_EQ(32u, q.size()); + ASSERT_TRUE(t->GetBytes(&message, "MESSAGE")); + ASSERT_TRUE(t->GetBytes(&expected_signature, "SIGNATURE")); + ASSERT_EQ(64u, expected_signature.size()); + + if (t->HasAttribute("CONTEXT")) { + t->GetBytes(&context, "CONTEXT"); + } else { + context = std::vector(); + } + + uint8_t private_key[ED25519_PRIVATE_KEY_LEN] = {0}; + uint8_t public_key[ED25519_PUBLIC_KEY_LEN] = {0}; + + ED25519_keypair_from_seed(public_key, private_key, seed.data()); + ASSERT_EQ(Bytes(q), Bytes(public_key)); + + // Signing should not leak the private key or the message. + CONSTTIME_SECRET(&private_key[0], sizeof(private_key)); + CONSTTIME_SECRET(message.data(), message.size()); + CONSTTIME_SECRET(context.data(), context.size()); + uint8_t signature[64]; + ASSERT_TRUE(ED25519ctx_sign(signature, message.data(), message.size(), + private_key, context.data(), context.size())); + CONSTTIME_DECLASSIFY(signature, sizeof(signature)); + CONSTTIME_DECLASSIFY(message.data(), message.size()); + CONSTTIME_DECLASSIFY(context.data(), context.size()); + + EXPECT_EQ(Bytes(expected_signature), Bytes(signature)); + EXPECT_TRUE(ED25519ctx_verify(message.data(), message.size(), signature, + public_key, context.data(), context.size())); + }); +} + +TEST(Ed25519ctxTest, EmptyContext) { + uint8_t private_key[ED25519_PRIVATE_KEY_LEN] = {0}; + uint8_t public_key[ED25519_PUBLIC_KEY_LEN] = {0}; + uint8_t signature[ED25519_SIGNATURE_LEN] = {0}; + const uint8_t message[3] = {'f', 'o', 'o'}; + + ED25519_keypair(public_key, private_key); + + EXPECT_FALSE(ED25519ctx_sign(signature, message, sizeof(message), private_key, NULL, 0)); + EXPECT_FALSE(ED25519ctx_verify(message, sizeof(message), signature, public_key, NULL, 0)); +} + diff --git a/crypto/fipsmodule/curve25519/ed25519ctx_tests.txt b/crypto/fipsmodule/curve25519/ed25519ctx_tests.txt new file mode 100644 index 0000000000..717078eb09 --- /dev/null +++ b/crypto/fipsmodule/curve25519/ed25519ctx_tests.txt @@ -0,0 +1,29 @@ +# Test Cases from rfc8032 + +# foo +SEED = 0305334e381af78f141cb666f6199f57bc3495335a256a95bd2a55bf546663f6 +Q = dfc9425e4f968f7f0c29f0259cf5f9aed6851c2bb4ad8bfb860cfee0ab248292 +MESSAGE = f726936d19c800494e3fdaff20b276a8 +CONTEXT = 666f6f +SIGNATURE = 55a4cc2f70a54e04288c5f4cd1e45a7bb520b36292911876cada7323198dd87a8b36950b95130022907a7fb7c4e9b2d5f6cca685a587b4b21f4b888e4e7edb0d + +# bar +SEED = 0305334e381af78f141cb666f6199f57bc3495335a256a95bd2a55bf546663f6 +Q = dfc9425e4f968f7f0c29f0259cf5f9aed6851c2bb4ad8bfb860cfee0ab248292 +MESSAGE = f726936d19c800494e3fdaff20b276a8 +CONTEXT = 626172 +SIGNATURE = fc60d5872fc46b3aa69f8b5b4351d5808f92bcc044606db097abab6dbcb1aee3216c48e8b3b66431b5b186d1d28f8ee15a5ca2df6668346291c2043d4eb3e90d + +# foo2 +SEED = 0305334e381af78f141cb666f6199f57bc3495335a256a95bd2a55bf546663f6 +Q = dfc9425e4f968f7f0c29f0259cf5f9aed6851c2bb4ad8bfb860cfee0ab248292 +MESSAGE = 508e9e6882b979fea900f62adceaca35 +CONTEXT = 666f6f +SIGNATURE = 8b70c1cc8310e1de20ac53ce28ae6e7207f33c3295e03bb5c0732a1d20dc64908922a8b052cf99b7c4fe107a5abb5b2c4085ae75890d02df26269d8945f84b0b + +# foo3 +SEED = ab9c2853ce297ddab85c993b3ae14bcad39b2c682beabc27d6d4eb20711d6560 +Q = 0f1d1274943b91415889152e893d80e93275a1fc0b65fd71b4b0dda10ad7d772 +MESSAGE = f726936d19c800494e3fdaff20b276a8 +CONTEXT = 666f6f +SIGNATURE = 21655b5f1aa965996b3f97b3c849eafba922a0a62992f73b3d1b73106a84ad85e9b86a7b6005ea868337ff2d20a7f5fbd4cd10b0be49a68da2b2e0dc0ad8960f diff --git a/crypto/fipsmodule/curve25519/ed25519ph_tests.txt b/crypto/fipsmodule/curve25519/ed25519ph_tests.txt new file mode 100644 index 0000000000..c0d217de15 --- /dev/null +++ b/crypto/fipsmodule/curve25519/ed25519ph_tests.txt @@ -0,0 +1,304 @@ +# Section: HashEdDSA ED-25519 AFT + +# Case: 11 +SEED = c3537a4f315ec58f5de4c28dc5327c79fb407cb670be05f11b0f700640702127 +Q = 6336a615df2de93b8dab78e97b827b2d5cebebd7faa77e3d97eaf36b12f722e3 +MESSAGE = d166757cff86483638d0c573c10cec2a15b03b7f8bb069fa291ae132b55a6e37b33262d3b4de9863e2661df1933d93a0f02a3699a4f02a3439295b97ea2b9c55c258b155acdd544b4adf70b5e5a32484b2cb5d52b0309065870fb00929e243531c0294b7c2466b4d7de6ca3456b143ea33857a2d7eb958560f749b182ad23215 +SIGNATURE = a202ff71641c7923e965fa245136a053b306686b2b1c84ae5492cbcb818d167ab9a5bdce649cbd0781544853918c007b1a00628367555ddaf362c6c14cc2980e + +# Case: 12 +SEED = c3537a4f315ec58f5de4c28dc5327c79fb407cb670be05f11b0f700640702127 +Q = 6336a615df2de93b8dab78e97b827b2d5cebebd7faa77e3d97eaf36b12f722e3 +MESSAGE = 8f199eaf2104a0fa04870c011dec2fc7f11a026fb487d9ef8e142c939f9471889193cf63d52c04b73be8df585f192c3929b9b4b9d0b2bc5f7c73dc25bbdbe2e3df6b1b49265981a6d4d22270e656636a3ae86e827850f3acddf5bd56d3d8895d59c5aec2836621983c2d0ac45f995439caaffd45393ca98d2e9faf47f2bdd3de +CONTEXT = cb8311771de502ec83791b3d2b6e632b44c6171e358490a90c7636744fd0e4cf89bfd612e68929b29ea40ae47e469a50356a1e8877ec70a296f8014797a1918e5e9a84c6bf9895624e8f0aa52627a20dbdcd16e15f42690d8596ab7cec7741a94a310b2054581e4b4b7dcae1f9f5384274edbed94adbbf69bbd81edee4e1df1870039a5f6916fb7ca760bd1eac24e5a3748f5dcc90b2ace59174374fd4c6ac089c7605df99add1d2b94f8cf7c050def327f3a590ea7c8f76e3330d3ae9b5cb33587e6f8a170d961a2048482028 +SIGNATURE = 58e6d7146d6a0b45744081dd258dcfa06d6483dc94ddeba24802480f835557bbe0664b43bcef169f37a8beb4af5a8ec0df4133ade2896d32ae548414cdca6809 + +# Case: 13 +SEED = c3537a4f315ec58f5de4c28dc5327c79fb407cb670be05f11b0f700640702127 +Q = 6336a615df2de93b8dab78e97b827b2d5cebebd7faa77e3d97eaf36b12f722e3 +MESSAGE = 41f267008fd5e584fd996f2bbc9574e0eea2cbb7596867408416a89f0452e321a3e4ba26066b09e49ede8b5d3df59a3eb863549c45f8d8fb186d6c99ba846388f7ad2156d32c43433f10af31637faef1af622367dbdacfc53b8e5349ae48f54e10efddece749a0dcca307714bd14896bb71be2afd27378d49908a074080e73b6 +CONTEXT = 97005f15ba817ba53ebdef2556a3917e708420fc8023edfcc25fdeac7071dccb1c40418327bcfefed9a373ba38ff5b81ece8a862652675d98387d2b9805549b1772824b1257d6718e78523f6fc718395195e02b92354f3 +SIGNATURE = a581544f3bb8af069545652021687cf9d0e5024bd8e2ad954c7c18dd503d53b6394707d5e7094d2770504b821e7adf57e073c1b216bbed35b29946516964d007 + +# Case: 14 +SEED = c3537a4f315ec58f5de4c28dc5327c79fb407cb670be05f11b0f700640702127 +Q = 6336a615df2de93b8dab78e97b827b2d5cebebd7faa77e3d97eaf36b12f722e3 +MESSAGE = 55e99d2c17d548ef3c3943f25264ed469b66062f5715765692d2505c2dcd3fb9ea3754c1073bc993c49c480da2c4d3fae92545402cea3ca9aba567e1690c8b8547e5b7255fd66be0a6331994be22fcfab3ba69b953879fa25cb398731b6fc7dd3007309fbf86b452df98c7cc8c995c4318835031eabc8d778576ac14294a786d +CONTEXT = 88a78bdc438e623dc21992b5f242fb182461957dd08d31a2690eba4f4eb6959864f40a8ce7963a6c9628305a77dcda0432609486647f37933473727dfbf965f3730a92cc462e78b8e8f9fc07206615dc8bb548b3aa09a2f7c051bb604e2266932f51c08db966ba7b133e900676f7e4efd3c1a0628c944533974b3201a98cf7780073ff05 +SIGNATURE = 81515b76cdcf96d32e60c45910c058aa67bc0a530267f88ac4c034d1d9b8fe063f25001c025708e265a56f7b447ae16e7684cd9b2c05065aed064fa4962cc00c + +# Case: 15 +SEED = c3537a4f315ec58f5de4c28dc5327c79fb407cb670be05f11b0f700640702127 +Q = 6336a615df2de93b8dab78e97b827b2d5cebebd7faa77e3d97eaf36b12f722e3 +MESSAGE = 1e18ae6a5e067703fe4bb540afad441f9c915b6100f370b8bffa2e75b50cb006ad0ff3f32521e0cf723b2ac581c925a47bff4e875f3f3f120cd38b3ed6ea3e28103609d551c01feb18bba140057c8b4a38045ff334c03db7e445b3440cf98b137b2f420d145ea8daf383489df72458bf17983861fdba5753441d33fa9a136f60 +CONTEXT = 4913c73d3cf914bf10cdf213a9039f532e625c9bf01094047c1793280200c315a4531aea218caa99cecc59aa03e7c7652db6ef7d00952d64fde9c9e793e28b6977f6fa7169cc091de05c301d7591ed46fe260b8d693b0c9fc483b62baa8bf6ffe9ce3cf12dc68b384458b90c34f1e8b414737289e27538b4e82837f4044d769968650f5d4502ba71b0ed03a2eff4c7fb78bb7920245f64f92c81f4e7373b2547faa800fced616f8d9496e8466e6536dc0f6e302a9571426962fcbfb48f4f079934720725d0d76aa9e50e9266c8c7f6ec3683363fd45ab902ced0d4580a549c27fdb10e65516c5f46ae05844f74113a3654c9092b76054a42d7599230 +SIGNATURE = 219dd2319627264bc1f75b3a447007d61753bd2f582f356566c5ea6e3a40e40f492282d896fa60b030f2a65f1b5dd0b39bf09f0df4fe180d537e220b7b6c360c + +# Case: 16 +SEED = c3537a4f315ec58f5de4c28dc5327c79fb407cb670be05f11b0f700640702127 +Q = 6336a615df2de93b8dab78e97b827b2d5cebebd7faa77e3d97eaf36b12f722e3 +MESSAGE = 35077e31b64ab06293565dd145fe43f08928ed8cf122d813b7fb474d7e27102063b10b62116850f8899074d7619cdc57a378efb8d29a80416a9099064239f2082ebe6d2256e76979e0c027726442a350028a86702f3edfd0d3624a7ae130b8b002d81a04ecdee22ae91ff6b26b54a4b40b7a37fbe9f4e148c35a0138115299d6 +CONTEXT = 9e52ff4ee4e00f56fac8a7b137ce +SIGNATURE = b575f19db5c70ad14decc4571f4eeb403c270ffc9d500258c2b799c641ec4ee0dd131df23ffb12feacbf561bc2c4e21e4f3b9a79c7a4610d24d1d0acf432600f + +# Case: 17 +SEED = c3537a4f315ec58f5de4c28dc5327c79fb407cb670be05f11b0f700640702127 +Q = 6336a615df2de93b8dab78e97b827b2d5cebebd7faa77e3d97eaf36b12f722e3 +MESSAGE = b50cb3bce1f8dc503185db1921cfb77ed4e0b54b7c022336e8ad9c17bca14261f119d1f042b2ba645694d12feab90f42f3d11226264dc686fdf56f9b5d33e402b5c6d33111aa50e606db994389212c5749fa4aa0a4f728c44ae29b9299c140f0d85a511711583c3d72b61d4f1211699988095d9e23bc5c06dde5894de8c29d24 +CONTEXT = 7299486aee6c1cd65469f248ce9485a53ff64feac46797648ed7bf7edfb18e3f6f5eb9fa33a1ab0a3ad12dccf4c2d721aa7a14adc855722c937b0b997757a78236e70aa6b5302054a3173f37932ae0997036d58733c4277a056f2a53f64e227a08c1f7d55c485880024872f0cf779bbece01e89ad1b0432dbd66ee0eb0229d15070eae2fe9af9b59d1a73876f2e4e1f37dda7593642a89b7f0e085f7a129273abe64d5b06b199944944dc45a68330d425e9038d85d5b79dcbf1a4882f430a69501a0a9ff273f84b6b3d2eede0748d23862792747bf29db6864fcf0efcf4c17832bcca33a6c70bc85d7f70239c4ded9af0a17ce0bb4d162a5db1570e4c55cad +SIGNATURE = 17aa9f850ab3decb3d0e914e07100f6a3dfe19d1c0826fb8032ced67b2b567a3bf178252440b94f88a2186e71d0b5082fe24eadf90b3a34714c0d9276378050b + +# Case: 18 +SEED = c3537a4f315ec58f5de4c28dc5327c79fb407cb670be05f11b0f700640702127 +Q = 6336a615df2de93b8dab78e97b827b2d5cebebd7faa77e3d97eaf36b12f722e3 +MESSAGE = 7ca86d4026fd4d0c33148c2dbdbe272314a53515be1544cfc27e3afd09bd36a1e9418181dc7adef856ac712c26d4b28530e00163e344f4fd2a4abb05f5a3b9a440b202704358031508195ab2136e197d832fa1c3617753ebb1c5dae090e711b15f849a405235b5d1a363da3730a5c3042b4bec06541829dbf254a5f92aa778e3 +CONTEXT = f6e0a0f950656c96bfce87e2c24cf590dc0d82d9ba092da02eb84eb4d9ed3b0b1ed72b341b8973f54dcf79f3b90b999c6182573db0fc892215bb83c35ab96638c241ee5ce85712344a32d6442c425bb2 +SIGNATURE = 0a323c94b77dad00d94de35b4ad72ef0c2679c5e87d4b2ee983a534c2e61ed18aa87157a309f9df5eb5a5eb9265e53138e5aaf9b0491f907dddbca90a00f850a + +# Case: 19 +SEED = c3537a4f315ec58f5de4c28dc5327c79fb407cb670be05f11b0f700640702127 +Q = 6336a615df2de93b8dab78e97b827b2d5cebebd7faa77e3d97eaf36b12f722e3 +MESSAGE = 04177fb5ecd0778f8b271ca91240ef32cf40fcb1292adaf95742b51a7cb0cb9ae2a49df5a0a75d9da730721a49eb6d98170431ebcc1c9da20d205d496e1ec0fe4166947fd80637012cc8cec6cde719b48b24393dae0c01772376fcd7a8896676f73f01639ff8bc5042e0f8cd93c0190af805d2d595b83e43c93378955779e224 +CONTEXT = bba8ff5055d35903b12169f62111619a11f0a41877ca7eb067c286b52265e1bcb024abfe12c288fcd67dd6227dd6f3d4fd589a5d7bb30066a71212decf2f818843e7cc14e65ef3ab4e20cb783025c279a156e5a3ed24a47d39925d056dd71ca1f507483f50942be2fc87811f3139f8 +SIGNATURE = 1f0572c891491c6ea979371687d1bae08be97454a0f5a3d0988b8a5a7581ef86653ad6eb85e23669468d4a31262c726f7775c8b2efc6105a54bd4a5f018a9108 + +# Case: 20 +SEED = c3537a4f315ec58f5de4c28dc5327c79fb407cb670be05f11b0f700640702127 +Q = 6336a615df2de93b8dab78e97b827b2d5cebebd7faa77e3d97eaf36b12f722e3 +MESSAGE = a75be1caf70b4fcce44307e89c29e2153ab282d16100bb3a4f6cbe1cca1bb4d02ac72e6f8aa8eb76bd163ecbfbbad1240e5cba1edbb952d5ca6b72e2820de2230e02a36d4ef172f4d15d8ab3d686a6c24e4029ad3fc3d3cd357d60fc9dbcd448ca1451a17d20653709fae1ae8787532a68109e5655ac3860a3208db4287befb3 +CONTEXT = 37f377b691eb2ab79b6ae6903c82c3f4419bf1d3f07caadde5ae67e5efb3259467f9404e5ea2ce6c5bbe176217a633477e37c3f0839b487841d65860588575b2ccfe3770c9412b048c746e38f4ecb43e0fc06a6466f2929e6a0a8f8a +SIGNATURE = d305196ad295ababdcfe04352761307b3a2efff5e55da6ac219e0f9e28e9aa20cf9c1de392bee46a800b36871e4543a75bbdade1d42a77fd557b7f235d8dfa01 + +# Section: HashEdDSA ED-25519 BFT + +# Case: 53 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7aff94ef +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = 6e1d5271fa5c0f9ea1fc60a84c705400a29c933c29a2f7eb9de99a9f4e981c8c68c5af3f31970af288d45672b1325251e7b7a236fafadd1de29ed909cac12606 + +# Case: 54 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7aff9eef +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = d45d98d609e3b611f18dc3dac2fd7471b8aae12ceec559e2092f322e082a63c2c0d9c8c07b39817934b560be5a0daa1ab73987c208fd7802ade023a44e9b5e03 + +# Case: 55 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7aff86ef +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = 3bc37c5d7b428dc9dc6cfcae3ca0f5043dfd606f9a6214262374d81b704c93f9907dc71ac594bebac027758a5bec35adc5edd11b4d649fc603aafb9b81a1d906 + +# Case: 56 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7aff16ef +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = f43a61a000a5a011e2b61a62ef9372336d41226b15f801200000a04a12d0be425359fa4c867a015a096dfc9d2064e937a35055025d3591900f2af91b97ed5a04 + +# Case: 57 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7afd96ef +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = e766682fd1ef51e4dbd682fbfb13b849ca5b0828e86d158d463f53e9b01e0855b8eff923ac24f19440564a1c65c227bf72e9db3220a09207f2c0ba52d513850e + +# Case: 58 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7af796ef +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = 0632ab1674f0060df0aaee350b4fa871f4d6a7e1e56c9d833fd52a752a6a6a273cc83b4a5a4487ca8145c97e83d71a128633fc6f7b225d54a0bcfbfc3485e20f + +# Case: 59 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7abf96ef +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = 9766f0543f467cc3a6164d9d679243da150b3f0e68013a3bb57a639715feaf85adacd73dbd4377921f32031334b8ef40ae294faa0ba2cc6327fda388c1275901 + +# Case: 60 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7a7f96ef +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = 1493cfa9e02aaf517c698d2dcdba5af40f7a39ade15dddd7dddf202317a5c8f6c58239ed889584a0e8372b4f2c7b277e1de0db07b394b44add506852e61f3004 + +# Case: 61 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 78ff96ef +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = 28542ad5ab612c5b6c11eb33d12d38ca39c3acb8cd03ab8929fae37827e88c13291745358bf62ceb996461b667a9cf3f462071b3c8f0a32b04638c725a246908 + +# Case: 62 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 72ff96ef +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = 784ca96a108f43d8022fa3bdb86654c1851ffe7e9c2ddb23a13d06365827c94e2ba96d428039226087dd998fe56839d02bab52c1dc94739a5386e55283ce5601 + +# Case: 63 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 5aff96ef +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = 1c27457241a109cda8ac24de0567e727285458e5a182216b80f0ebf6846de991206ecc3bdfedf0e4947a12f98084ffd5f56a2e58efef4b2144063533afee1103 + +# Case: 64 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 3aff96ef +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = 17671be470bec6a9da1d9afb097ffb7d0e3cd9ce07c3a95626e0075c63ef1d550194ac4d6a5b97e115f867da7171b598d615d4bff881fe1445f1d967ecf9ca00 + +# Case: 65 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 6aff96ef +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = baf64f39e07040d0fef0dcb72ce8543394c8201696bf053cdf06780937e010faad3592d13bbf60c48b5d425bf1575577befdc4792a779fd8ef3551e326469a06 + +# Case: 66 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7eff96ef +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = fdaad4a8327e5a367a4a7bfc43caa8c083535ae378bcd9016e8243f2cfc0be8d499a7e6cb3a29d6d3bf3c3d0aa54d82b8c5a048f362294e028646c0f943f5107 + +# Case: 67 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7bff96ef +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = 19aacd8b004d30a0d135d0222305b4ec5a3ff64fa6569ce16c9aac4deedcf3750f543f204ea26549b6d2b3cc070cd4e5a8a243b0ff778384dee4434653253f06 + +# Case: 68 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7adf96ef +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = f8af75cd2ce8779a36127ac104433990bc7d2ef26621fd9703ff33840c0d8120cfb1a26ef273638b1e65eaa132c2d1198b7607dca310609b4388c9d61c71800d + +# Case: 69 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7aef96ef +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = 997f8e99282705359abf2d60636a58f600295f84702c128de7cd21f842318a4a94bb2cdbf86e1e5eed1d83abd931f1bc33556a816684ccb70c6dd6049e426901 + +# Case: 70 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7afb96ef +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = 1e8d201c452ff7a9daf9cf8f2c9bd5a07bcafc7dc935c66310366c37692e8c0c15870b6f565914a10d1b9887d8b0d42d4cd8228efb01293c434e3d6221523d0f + +# Case: 71 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7afe96ef +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = bd0b975a874735e0eb9b2365ac425bb55b4be2a206f1fe2eba2ee97fe7559fbb919647781af82482fa946b23647c3eff5aebf8221bf1abf5a4e141487cf4f70e + +# Case: 72 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7affd6ef +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = 84811f6277a2dcace32f9497c44293852c8c5ed2b674c086b335c461c0d29c0e6319663d0d5e6680f2892cd732ed62cb56a9fa91dd5b1d936b7b0084472f4d0c + +# Case: 73 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7affb6ef +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = 5456ffd1be2f7f7d964e9d35586904a3c4245201b50b58ad02398aaf6e79f708ab495ddf4deebdafa1c57710730e2cd04c297087fcf8efc0d3637857e6973a07 + +# Case: 74 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7aff92ef +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = 273c2cfbca4251909d2f59c3f0f62616e597897955454a892670237f06dcdebd02b4a433b4d556f2777be354a2e79adc9af79f11fad76a51d5245a886c9a020f + +# Case: 75 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7aff97ef +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = d0f96395970e60bcc1a1c3ed5eede4b701914a16ea04297afba196714a14fa2b7937f16561827f5eb34b19408411d75d4558316f844dd09f9a91af1c5297980e + +# Case: 76 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7aff966f +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = 9e0da02f1ca9d04a4efccce52cbcc4fc00d568acadeeca39573dadadf931086f5d62970b78efe8527513e13ec531ba823fa7b6b05a053dc24ab6a9d66114ff0d + +# Case: 77 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7aff96af +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = b2f66439c3f52ad55323993a27eb8e97671ce87a58cec2baf17040e3db011ad123382e376fa320fe4cfc6dfca72ce37fbefa11dedfd223e2c26df17de6079501 + +# Case: 78 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7aff96cf +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = 1cadb46d153bb4c869d8cf74ceaafa83ce329a07580a632cfbdcc2b551860f61f1a258d2362599cf45147cf07a7836aed1ebd6c20493a802562e7c52f19c7505 + +# Case: 79 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7aff96ff +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = 9dda07f7e49ff2833fce53e5f781a3986f11996c26c85b564bb4725c8c4e820d33d52a2b4f8ebb9d9283d3c1a0be8eb4779f01be54ad0a1d0c96a547f976ca05 + +# Case: 80 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7aff96e7 +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = a3b3910e7ad1ba767222784125e59861e06c28b489d9112be8ea599f5288ed9191d795890c083840ee1c8c97f212ceaf91c47e5b02064cb506487e11482ecd0e + +# Case: 81 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7aff96eb +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = 9dead197272aee364c123b38ee9b97ff07a764bc8dbffdfd394ba7246f6bc82e067877aa39693cc0b25626d8a091e5b286cfde3869e4183297157a05bdd36303 + +# Case: 82 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7aff96ed +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = f75ffe6599c8718df227193bead857cd7c918694edb862c11aaac53ca29202060b388de4c2fd48a50176c8f37b30c0ec9dc39110ed59830778c0d03161bc9c01 + +# Case: 83 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7aff96ee +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = 309fc584e01f33f8a53e6ce320a50ead1f3b2f9d3f9142dfd1ba6909681ac929db139b8dcd816f1f6b2ec888c8048a19b44331ee43ae8f3585f635debd87940c + +# Case: 84 +SEED = 6afc33676b87054e31e55d43280188208d4d14f50d09eaa1a88a25a6b413483a +Q = 72140fb23abcc43663b441b31684215b08572628cbf7623b242b3ec127bcc403 +MESSAGE = 7aff96ef +CONTEXT = 9801f4d8771bfc2b274d3d +SIGNATURE = 3c8a61a058f43e852daedff7ff4200ecaf4a5a2b1654affe13507505d9f062210c0d7af2a91a0ef0f20138cbb43d65dc843219ad962cdf417635f315ff159d07 + +# Section: RFC 8032 Test Vectors for Ed25519ph + +# Case: abc +SEED = 833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42 +Q = ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf +MESSAGE = 616263 +SIGNATURE = 98a70222f0b8121aa9d30f813d683f809e462b469c7ff87639499bb94e6dae4131f85042463c2a355a2003d062adf5aaa10b8c61e636062aaad11c2a26083406 diff --git a/crypto/fipsmodule/curve25519/internal.h b/crypto/fipsmodule/curve25519/internal.h index 159d6cb036..42e68d82c9 100644 --- a/crypto/fipsmodule/curve25519/internal.h +++ b/crypto/fipsmodule/curve25519/internal.h @@ -20,16 +20,49 @@ extern "C" { #endif #include +#include #include "../../internal.h" -int ED25519_sign_no_self_test(uint8_t out_sig[ED25519_SIGNATURE_LEN], - const uint8_t *message, size_t message_len, - const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]); - -int ED25519_verify_no_self_test(const uint8_t *message, size_t message_len, - const uint8_t signature[ED25519_SIGNATURE_LEN], - const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]); +typedef enum { + ED25519_ALG, + ED25519CTX_ALG, + ED25519PH_ALG, +} ed25519_algorithm_t; + +#define DOM2_PREFIX_SIZE 32 +#define DOM2_F_SIZE 1 +#define DOM2_C_SIZE 1 +#define DOM2_F_OFFSET DOM2_PREFIX_SIZE +#define DOM2_C_OFFSET (DOM2_F_OFFSET + DOM2_F_SIZE) +#define DOM2_CONTEXT_OFFSET (DOM2_C_OFFSET + DOM2_C_SIZE) +#define MAX_DOM2_CONTEXT_SIZE 255 +#define MAX_DOM2_SIZE \ + (DOM2_PREFIX_SIZE + DOM2_F_SIZE + DOM2_C_SIZE + MAX_DOM2_CONTEXT_SIZE) + +int ed25519_sign_internal( + ed25519_algorithm_t alg, + uint8_t out_sig[ED25519_SIGNATURE_LEN], + const uint8_t *message, size_t message_len, + const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], + const uint8_t *ctx, size_t ctx_len); + +int ed25519_verify_internal( + ed25519_algorithm_t alg, + const uint8_t *message, size_t message_len, + const uint8_t signature[ED25519_SIGNATURE_LEN], + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], + const uint8_t *ctx, size_t ctx_len); + +int ED25519_sign_no_self_test( + uint8_t out_sig[ED25519_SIGNATURE_LEN], + const uint8_t *message, size_t message_len, + const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]); + +int ED25519_verify_no_self_test( + const uint8_t *message, size_t message_len, + const uint8_t signature[ED25519_SIGNATURE_LEN], + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]); // If (1) x86_64 or aarch64, (2) linux or apple, and (3) OPENSSL_NO_ASM is not // set, s2n-bignum path is capable. @@ -167,31 +200,39 @@ void ed25519_public_key_from_hashed_seed_nohw( // |ED25519_PRIVATE_KEY_SEED_LEN| and |A| must have length // |ED25519_PUBLIC_KEY_LEN|. void ed25519_sign_s2n_bignum(uint8_t out_sig[ED25519_SIGNATURE_LEN], - uint8_t r[SHA512_DIGEST_LENGTH], const uint8_t *s, const uint8_t *A, - const void *message, size_t message_len); + uint8_t r[SHA512_DIGEST_LENGTH], const uint8_t *s, + const uint8_t *A, + const void *message, size_t message_len, + const uint8_t *dom2, size_t dom2_len); void ed25519_sign_nohw(uint8_t out_sig[ED25519_SIGNATURE_LEN], - uint8_t r[SHA512_DIGEST_LENGTH], const uint8_t *s, const uint8_t *A, - const void *message, size_t message_len); + uint8_t r[SHA512_DIGEST_LENGTH], const uint8_t *s, + const uint8_t *A, + const void *message, size_t message_len, + const uint8_t *dom2, size_t dom2_len); // ed25519_verify_[s2n_bignum,nohw] handles steps rfc8032 5.1.7.[1,2,3]. // Computes [S]B - [k]A' and returns the result in |R_computed_encoded|. Returns // 1 on success and 0 otherwise. The failure case occurs if decoding of the // public key |public_key| fails. int ed25519_verify_s2n_bignum(uint8_t R_computed_encoded[32], - const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], uint8_t R_expected[32], - uint8_t S[32], const uint8_t *message, size_t message_len); + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], + uint8_t R_expected[32], uint8_t S[32], + const uint8_t *message, size_t message_len, + const uint8_t *dom2, size_t dom2_len); int ed25519_verify_nohw(uint8_t R_computed_encoded[32], - const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], uint8_t R_expected[32], - uint8_t S[32], const uint8_t *message, size_t message_len); - -// Computes the SHA512 function of three input pairs: (|input1|, |len1|), -// (|input2|, |len2|), (|input3|, |len3|). Specifically, the hash is computed -// over the concatenation: |input1| || |input2| || |input3|. -// The final pair might have |len3| == 0, meaning this input will be ignored. -// The result is written to |out|. + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], + uint8_t R_expected[32], uint8_t S[32], + const uint8_t *message, size_t message_len, + const uint8_t *dom2, size_t dom2_len); + +// Computes the SHA512 function of up to four input pairs: (|input1|, |len1|), +// (|input2|, |len2|), (|input3|, |len3|), (|input4|, |len4|). Specifically, the +// hash is computed over the concatenation: |input1| || |input2| || |input3| || +// |input4|. The final two pairs may have |len3| == 0 or |len4| == 0, meaning +// those input values will be ignored. The result is written to |out|. void ed25519_sha512(uint8_t out[SHA512_DIGEST_LENGTH], const void *input1, size_t len1, const void *input2, size_t len2, - const void *input3, size_t len3); + const void *input3, size_t len3, const void *input4, size_t len4); int ed25519_check_public_key_s2n_bignum(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]); diff --git a/crypto/fipsmodule/digest/digests.c b/crypto/fipsmodule/digest/digests.c index 648278c6d0..88b45d2e5f 100644 --- a/crypto/fipsmodule/digest/digests.c +++ b/crypto/fipsmodule/digest/digests.c @@ -326,7 +326,7 @@ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha512_256) { static void sha3_224_init(EVP_MD_CTX *ctx) { - CHECK(SHA3_Init(ctx->md_data, SHA3_PAD_CHAR, SHA3_224_DIGEST_BITLENGTH)); + CHECK(SHA3_Init(ctx->md_data, SHA3_224_DIGEST_BITLENGTH)); } static void sha3_224_update(EVP_MD_CTX *ctx, const void *data, size_t count) { @@ -351,7 +351,7 @@ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha3_224) { static void sha3_256_init(EVP_MD_CTX *ctx) { - CHECK(SHA3_Init(ctx->md_data, SHA3_PAD_CHAR, SHA3_256_DIGEST_BITLENGTH)); + CHECK(SHA3_Init(ctx->md_data, SHA3_256_DIGEST_BITLENGTH)); } static void sha3_256_update(EVP_MD_CTX *ctx, const void *data, size_t count) { @@ -376,7 +376,7 @@ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha3_256) { static void sha3_384_init(EVP_MD_CTX *ctx) { - CHECK(SHA3_Init(ctx->md_data, SHA3_PAD_CHAR, SHA3_384_DIGEST_BITLENGTH)); + CHECK(SHA3_Init(ctx->md_data, SHA3_384_DIGEST_BITLENGTH)); } static void sha3_384_update(EVP_MD_CTX *ctx, const void *data, size_t count) { @@ -401,7 +401,7 @@ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha3_384) { static void sha3_512_init(EVP_MD_CTX *ctx) { - CHECK(SHA3_Init(ctx->md_data, SHA3_PAD_CHAR, SHA3_512_DIGEST_BITLENGTH)); + CHECK(SHA3_Init(ctx->md_data, SHA3_512_DIGEST_BITLENGTH)); } static void sha3_512_update(EVP_MD_CTX *ctx, const void *data, size_t count) { diff --git a/crypto/fipsmodule/evp/digestsign.c b/crypto/fipsmodule/evp/digestsign.c index 3441949a01..794e452301 100644 --- a/crypto/fipsmodule/evp/digestsign.c +++ b/crypto/fipsmodule/evp/digestsign.c @@ -363,3 +363,15 @@ void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx) { ctx->flags &= ~EVP_MD_CTX_FLAG_KEEP_PKEY_CTX; } } + +EVP_PKEY_CTX *EVP_MD_CTX_get_pkey_ctx(const EVP_MD_CTX *ctx) { + SET_DIT_AUTO_RESET; + if(ctx == NULL) { + return NULL; + } + return ctx->pctx; +} + +EVP_PKEY_CTX *EVP_MD_CTX_pkey_ctx(const EVP_MD_CTX *ctx) { + return EVP_MD_CTX_get_pkey_ctx(ctx); +} diff --git a/crypto/fipsmodule/md5/asm/md5-armv8.pl b/crypto/fipsmodule/md5/asm/md5-armv8.pl index 108cbe6298..274976a232 100644 --- a/crypto/fipsmodule/md5/asm/md5-armv8.pl +++ b/crypto/fipsmodule/md5/asm/md5-armv8.pl @@ -216,165 +216,165 @@ add w9, w9, w13 // Add constant 0x49b40821 add w9, w9, w6 // Add aux function result ror w9, w9, #10 // Rotate left s=22 bits - bic x6, x8, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x8, x17 // Aux function round 2 (~z & y) add w9, w8, w9 // Add X parameter round 1 B=FF(B, C, D, A, 0x49b40821, s=22, M[15]) - and x13, x9, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x2562 // Load lower half of constant 0xf61e2562 movk x13, #0xf61e, lsl #16 // Load upper half of constant 0xf61e2562 add w4, w4, w20 // Add dest value add w4, w4, w13 // Add constant 0xf61e2562 - add w4, w4, w6 // Add aux function result + and x13, x9, x17 // Aux function round 2 (x & z) + add w4, w4, w6 // Add (~z & y) + add w4, w4, w13 // Add (x & z) ror w4, w4, #27 // Rotate left s=5 bits - bic x6, x9, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x9, x8 // Aux function round 2 (~z & y) add w4, w9, w4 // Add X parameter round 2 A=GG(A, B, C, D, 0xf61e2562, s=5, M[1]) - and x13, x4, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xb340 // Load lower half of constant 0xc040b340 movk x13, #0xc040, lsl #16 // Load upper half of constant 0xc040b340 add w17, w17, w7 // Add dest value add w17, w17, w13 // Add constant 0xc040b340 - add w17, w17, w6 // Add aux function result + and x13, x4, x8 // Aux function round 2 (x & z) + add w17, w17, w6 // Add (~z & y) + add w17, w17, w13 // Add (x & z) ror w17, w17, #23 // Rotate left s=9 bits - bic x6, x4, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x4, x9 // Aux function round 2 (~z & y) add w17, w4, w17 // Add X parameter round 2 D=GG(D, A, B, C, 0xc040b340, s=9, M[6]) - and x13, x17, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x5a51 // Load lower half of constant 0x265e5a51 movk x13, #0x265e, lsl #16 // Load upper half of constant 0x265e5a51 add w8, w8, w25 // Add dest value add w8, w8, w13 // Add constant 0x265e5a51 - add w8, w8, w6 // Add aux function result + and x13, x17, x9 // Aux function round 2 (x & z) + add w8, w8, w6 // Add (~z & y) + add w8, w8, w13 // Add (x & z) ror w8, w8, #18 // Rotate left s=14 bits - bic x6, x17, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x17, x4 // Aux function round 2 (~z & y) add w8, w17, w8 // Add X parameter round 2 C=GG(C, D, A, B, 0x265e5a51, s=14, M[11]) - and x13, x8, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xc7aa // Load lower half of constant 0xe9b6c7aa movk x13, #0xe9b6, lsl #16 // Load upper half of constant 0xe9b6c7aa add w9, w9, w15 // Add dest value add w9, w9, w13 // Add constant 0xe9b6c7aa - add w9, w9, w6 // Add aux function result + and x13, x8, x4 // Aux function round 2 (x & z) + add w9, w9, w6 // Add (~z & y) + add w9, w9, w13 // Add (x & z) ror w9, w9, #12 // Rotate left s=20 bits - bic x6, x8, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x8, x17 // Aux function round 2 (~z & y) add w9, w8, w9 // Add X parameter round 2 B=GG(B, C, D, A, 0xe9b6c7aa, s=20, M[0]) - and x13, x9, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x105d // Load lower half of constant 0xd62f105d movk x13, #0xd62f, lsl #16 // Load upper half of constant 0xd62f105d add w4, w4, w22 // Add dest value add w4, w4, w13 // Add constant 0xd62f105d - add w4, w4, w6 // Add aux function result + and x13, x9, x17 // Aux function round 2 (x & z) + add w4, w4, w6 // Add (~z & y) + add w4, w4, w13 // Add (x & z) ror w4, w4, #27 // Rotate left s=5 bits - bic x6, x9, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x9, x8 // Aux function round 2 (~z & y) add w4, w9, w4 // Add X parameter round 2 A=GG(A, B, C, D, 0xd62f105d, s=5, M[5]) - and x13, x4, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x1453 // Load lower half of constant 0x2441453 movk x13, #0x244, lsl #16 // Load upper half of constant 0x2441453 add w17, w17, w16 // Add dest value add w17, w17, w13 // Add constant 0x2441453 - add w17, w17, w6 // Add aux function result + and x13, x4, x8 // Aux function round 2 (x & z) + add w17, w17, w6 // Add (~z & y) + add w17, w17, w13 // Add (x & z) ror w17, w17, #23 // Rotate left s=9 bits - bic x6, x4, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x4, x9 // Aux function round 2 (~z & y) add w17, w4, w17 // Add X parameter round 2 D=GG(D, A, B, C, 0x2441453, s=9, M[10]) - and x13, x17, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xe681 // Load lower half of constant 0xd8a1e681 movk x13, #0xd8a1, lsl #16 // Load upper half of constant 0xd8a1e681 add w8, w8, w27 // Add dest value add w8, w8, w13 // Add constant 0xd8a1e681 - add w8, w8, w6 // Add aux function result + and x13, x17, x9 // Aux function round 2 (x & z) + add w8, w8, w6 // Add (~z & y) + add w8, w8, w13 // Add (x & z) ror w8, w8, #18 // Rotate left s=14 bits - bic x6, x17, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x17, x4 // Aux function round 2 (~z & y) add w8, w17, w8 // Add X parameter round 2 C=GG(C, D, A, B, 0xd8a1e681, s=14, M[15]) - and x13, x8, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xfbc8 // Load lower half of constant 0xe7d3fbc8 movk x13, #0xe7d3, lsl #16 // Load upper half of constant 0xe7d3fbc8 add w9, w9, w14 // Add dest value add w9, w9, w13 // Add constant 0xe7d3fbc8 - add w9, w9, w6 // Add aux function result + and x13, x8, x4 // Aux function round 2 (x & z) + add w9, w9, w6 // Add (~z & y) + add w9, w9, w13 // Add (x & z) ror w9, w9, #12 // Rotate left s=20 bits - bic x6, x8, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x8, x17 // Aux function round 2 (~z & y) add w9, w8, w9 // Add X parameter round 2 B=GG(B, C, D, A, 0xe7d3fbc8, s=20, M[4]) - and x13, x9, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xcde6 // Load lower half of constant 0x21e1cde6 movk x13, #0x21e1, lsl #16 // Load upper half of constant 0x21e1cde6 add w4, w4, w24 // Add dest value add w4, w4, w13 // Add constant 0x21e1cde6 - add w4, w4, w6 // Add aux function result + and x13, x9, x17 // Aux function round 2 (x & z) + add w4, w4, w6 // Add (~z & y) + add w4, w4, w13 // Add (x & z) ror w4, w4, #27 // Rotate left s=5 bits - bic x6, x9, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x9, x8 // Aux function round 2 (~z & y) add w4, w9, w4 // Add X parameter round 2 A=GG(A, B, C, D, 0x21e1cde6, s=5, M[9]) - and x13, x4, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x7d6 // Load lower half of constant 0xc33707d6 movk x13, #0xc337, lsl #16 // Load upper half of constant 0xc33707d6 add w17, w17, w12 // Add dest value add w17, w17, w13 // Add constant 0xc33707d6 - add w17, w17, w6 // Add aux function result + and x13, x4, x8 // Aux function round 2 (x & z) + add w17, w17, w6 // Add (~z & y) + add w17, w17, w13 // Add (x & z) ror w17, w17, #23 // Rotate left s=9 bits - bic x6, x4, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x4, x9 // Aux function round 2 (~z & y) add w17, w4, w17 // Add X parameter round 2 D=GG(D, A, B, C, 0xc33707d6, s=9, M[14]) - and x13, x17, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xd87 // Load lower half of constant 0xf4d50d87 movk x13, #0xf4d5, lsl #16 // Load upper half of constant 0xf4d50d87 add w8, w8, w21 // Add dest value add w8, w8, w13 // Add constant 0xf4d50d87 - add w8, w8, w6 // Add aux function result + and x13, x17, x9 // Aux function round 2 (x & z) + add w8, w8, w6 // Add (~z & y) + add w8, w8, w13 // Add (x & z) ror w8, w8, #18 // Rotate left s=14 bits - bic x6, x17, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x17, x4 // Aux function round 2 (~z & y) add w8, w17, w8 // Add X parameter round 2 C=GG(C, D, A, B, 0xf4d50d87, s=14, M[3]) - and x13, x8, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x14ed // Load lower half of constant 0x455a14ed movk x13, #0x455a, lsl #16 // Load upper half of constant 0x455a14ed add w9, w9, w5 // Add dest value add w9, w9, w13 // Add constant 0x455a14ed - add w9, w9, w6 // Add aux function result + and x13, x8, x4 // Aux function round 2 (x & z) + add w9, w9, w6 // Add (~z & y) + add w9, w9, w13 // Add (x & z) ror w9, w9, #12 // Rotate left s=20 bits - bic x6, x8, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x8, x17 // Aux function round 2 (~z & y) add w9, w8, w9 // Add X parameter round 2 B=GG(B, C, D, A, 0x455a14ed, s=20, M[8]) - and x13, x9, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xe905 // Load lower half of constant 0xa9e3e905 movk x13, #0xa9e3, lsl #16 // Load upper half of constant 0xa9e3e905 add w4, w4, w26 // Add dest value add w4, w4, w13 // Add constant 0xa9e3e905 - add w4, w4, w6 // Add aux function result + and x13, x9, x17 // Aux function round 2 (x & z) + add w4, w4, w6 // Add (~z & y) + add w4, w4, w13 // Add (x & z) ror w4, w4, #27 // Rotate left s=5 bits - bic x6, x9, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x9, x8 // Aux function round 2 (~z & y) add w4, w9, w4 // Add X parameter round 2 A=GG(A, B, C, D, 0xa9e3e905, s=5, M[13]) - and x13, x4, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xa3f8 // Load lower half of constant 0xfcefa3f8 movk x13, #0xfcef, lsl #16 // Load upper half of constant 0xfcefa3f8 add w17, w17, w3 // Add dest value add w17, w17, w13 // Add constant 0xfcefa3f8 - add w17, w17, w6 // Add aux function result + and x13, x4, x8 // Aux function round 2 (x & z) + add w17, w17, w6 // Add (~z & y) + add w17, w17, w13 // Add (x & z) ror w17, w17, #23 // Rotate left s=9 bits - bic x6, x4, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x4, x9 // Aux function round 2 (~z & y) add w17, w4, w17 // Add X parameter round 2 D=GG(D, A, B, C, 0xfcefa3f8, s=9, M[2]) - and x13, x17, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x2d9 // Load lower half of constant 0x676f02d9 movk x13, #0x676f, lsl #16 // Load upper half of constant 0x676f02d9 add w8, w8, w23 // Add dest value add w8, w8, w13 // Add constant 0x676f02d9 - add w8, w8, w6 // Add aux function result + and x13, x17, x9 // Aux function round 2 (x & z) + add w8, w8, w6 // Add (~z & y) + add w8, w8, w13 // Add (x & z) ror w8, w8, #18 // Rotate left s=14 bits - bic x6, x17, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x17, x4 // Aux function round 2 (~z & y) add w8, w17, w8 // Add X parameter round 2 C=GG(C, D, A, B, 0x676f02d9, s=14, M[7]) - and x13, x8, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x4c8a // Load lower half of constant 0x8d2a4c8a movk x13, #0x8d2a, lsl #16 // Load upper half of constant 0x8d2a4c8a add w9, w9, w11 // Add dest value add w9, w9, w13 // Add constant 0x8d2a4c8a - add w9, w9, w6 // Add aux function result + and x13, x8, x4 // Aux function round 2 (x & z) + add w9, w9, w6 // Add (~z & y) + add w9, w9, w13 // Add (x & z) eor x6, x8, x17 // Begin aux function round 3 H(x,y,z)=(x^y^z) ror w9, w9, #12 // Rotate left s=20 bits movz x10, #0x3942 // Load lower half of constant 0xfffa3942 diff --git a/crypto/fipsmodule/md5/asm/md5-x86_64.pl b/crypto/fipsmodule/md5/asm/md5-x86_64.pl index c10e5c3b94..eb48c0ff0a 100644 --- a/crypto/fipsmodule/md5/asm/md5-x86_64.pl +++ b/crypto/fipsmodule/md5/asm/md5-x86_64.pl @@ -39,7 +39,6 @@ sub round1_step # %r10d = X[k_next] # %r11d = z' (copy of z for the next step) # %r12d = z' (copy of z for the next step) -# Each round2_step() takes about 5.4 clocks (11 instructions, 2.0 IPC) sub round2_step { my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_; @@ -52,9 +51,9 @@ sub round2_step and $x, %r12d /* x & z */ and $y, %r11d /* y & (not z) */ mov $k_next*4(%rsi),%r10d /* (NEXT STEP) X[$k_next] */ - or %r11d, %r12d /* (y & (not z)) | (x & z) */ + add %r11d, $dst /* dst += (y & (not z)) */ mov $y, %r11d /* (NEXT STEP) z' = $y */ - add %r12d, $dst /* dst += ... */ + add %r12d, $dst /* dst += (x & z) */ mov $y, %r12d /* (NEXT STEP) z' = $y */ rol \$$s, $dst /* dst <<< s */ add $x, $dst /* dst += x */ diff --git a/crypto/fipsmodule/rand/fork_detect.c b/crypto/fipsmodule/rand/fork_detect.c index e600a786d7..536737ebd3 100644 --- a/crypto/fipsmodule/rand/fork_detect.c +++ b/crypto/fipsmodule/rand/fork_detect.c @@ -155,7 +155,7 @@ void CRYPTO_fork_detect_ignore_madv_wipeonfork_for_testing(void) { *g_ignore_madv_wipeonfork_bss_get() = 1; } -#elif defined(OPENSSL_WINDOWS) || defined(OPENSSL_TRUSTY) +#elif defined(OPENSSL_WINDOWS) // These platforms are guaranteed not to fork, and therefore do not require // fork detection support. Returning a constant non zero value makes BoringSSL diff --git a/crypto/fipsmodule/rand/internal.h b/crypto/fipsmodule/rand/internal.h index aec460203b..ab8fbd3d07 100644 --- a/crypto/fipsmodule/rand/internal.h +++ b/crypto/fipsmodule/rand/internal.h @@ -28,10 +28,6 @@ extern "C" { #if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) #define OPENSSL_RAND_DETERMINISTIC -#elif defined(OPENSSL_FUCHSIA) -#define OPENSSL_RAND_FUCHSIA -#elif defined(OPENSSL_TRUSTY) -#define OPENSSL_RAND_TRUSTY #elif defined(OPENSSL_WINDOWS) #define OPENSSL_RAND_WINDOWS #else diff --git a/crypto/fipsmodule/self_check/self_check.c b/crypto/fipsmodule/self_check/self_check.c index d238e09c50..f4a85458c8 100644 --- a/crypto/fipsmodule/self_check/self_check.c +++ b/crypto/fipsmodule/self_check/self_check.c @@ -43,6 +43,7 @@ #include "../ml_kem/ml_kem.h" #include "../rand/internal.h" #include "../rsa/internal.h" +#include "../../curve25519_extra/internal.h" static void hexdump(const uint8_t *in, size_t len) { for (size_t i = 0; i < len; i++) { @@ -1507,6 +1508,7 @@ static int boringssl_self_test_eddsa(void) { OPENSSL_memcpy(ed25519_private_key + ED25519_PRIVATE_KEY_SEED_LEN, kEd25519PublicKey, ED25519_PUBLIC_KEY_LEN); uint8_t ed25519_out_sig[ED25519_SIGNATURE_LEN] = {0}; + if (!ED25519_sign_no_self_test(&ed25519_out_sig[0], &kEd25519Message[0], sizeof(kEd25519Message), ed25519_private_key) || @@ -1526,6 +1528,86 @@ static int boringssl_self_test_eddsa(void) { return ret; } +static int boringssl_self_test_hasheddsa(void) { + int ret = 0; + + const uint8_t kEd25519PrivateKey[ED25519_PRIVATE_KEY_SEED_LEN] = { + 0xc3, 0x53, 0x7a, 0x4f, 0x31, 0x5e, 0xc5, 0x8f, 0x5d, 0xe4, 0xc2, + 0x8d, 0xc5, 0x32, 0x7c, 0x79, 0xfb, 0x40, 0x7c, 0xb6, 0x70, 0xbe, + 0x05, 0xf1, 0x1b, 0x0f, 0x70, 0x06, 0x40, 0x70, 0x21, 0x27 + }; + const uint8_t kEd25519PublicKey[ED25519_PUBLIC_KEY_LEN] = { + 0x63, 0x36, 0xa6, 0x15, 0xdf, 0x2d, 0xe9, 0x3b, 0x8d, 0xab, 0x78, + 0xe9, 0x7b, 0x82, 0x7b, 0x2d, 0x5c, 0xeb, 0xeb, 0xd7, 0xfa, 0xa7, + 0x7e, 0x3d, 0x97, 0xea, 0xf3, 0x6b, 0x12, 0xf7, 0x22, 0xe3 + }; + const uint8_t kEd25519Signature[ED25519_SIGNATURE_LEN] = { + 0x58, 0xe6, 0xd7, 0x14, 0x6d, 0x6a, 0x0b, 0x45, 0x74, 0x40, 0x81, + 0xdd, 0x25, 0x8d, 0xcf, 0xa0, 0x6d, 0x64, 0x83, 0xdc, 0x94, 0xdd, + 0xeb, 0xa2, 0x48, 0x02, 0x48, 0x0f, 0x83, 0x55, 0x57, 0xbb, 0xe0, + 0x66, 0x4b, 0x43, 0xbc, 0xef, 0x16, 0x9f, 0x37, 0xa8, 0xbe, 0xb4, + 0xaf, 0x5a, 0x8e, 0xc0, 0xdf, 0x41, 0x33, 0xad, 0xe2, 0x89, 0x6d, + 0x32, 0xae, 0x54, 0x84, 0x14, 0xcd, 0xca, 0x68, 0x09 + }; + const uint8_t kEd25519Message[128] = { + 0x8f, 0x19, 0x9e, 0xaf, 0x21, 0x04, 0xa0, 0xfa, 0x04, 0x87, 0x0c, 0x01, + 0x1d, 0xec, 0x2f, 0xc7, 0xf1, 0x1a, 0x02, 0x6f, 0xb4, 0x87, 0xd9, 0xef, + 0x8e, 0x14, 0x2c, 0x93, 0x9f, 0x94, 0x71, 0x88, 0x91, 0x93, 0xcf, 0x63, + 0xd5, 0x2c, 0x04, 0xb7, 0x3b, 0xe8, 0xdf, 0x58, 0x5f, 0x19, 0x2c, 0x39, + 0x29, 0xb9, 0xb4, 0xb9, 0xd0, 0xb2, 0xbc, 0x5f, 0x7c, 0x73, 0xdc, 0x25, + 0xbb, 0xdb, 0xe2, 0xe3, 0xdf, 0x6b, 0x1b, 0x49, 0x26, 0x59, 0x81, 0xa6, + 0xd4, 0xd2, 0x22, 0x70, 0xe6, 0x56, 0x63, 0x6a, 0x3a, 0xe8, 0x6e, 0x82, + 0x78, 0x50, 0xf3, 0xac, 0xdd, 0xf5, 0xbd, 0x56, 0xd3, 0xd8, 0x89, 0x5d, + 0x59, 0xc5, 0xae, 0xc2, 0x83, 0x66, 0x21, 0x98, 0x3c, 0x2d, 0x0a, 0xc4, + 0x5f, 0x99, 0x54, 0x39, 0xca, 0xaf, 0xfd, 0x45, 0x39, 0x3c, 0xa9, 0x8d, + 0x2e, 0x9f, 0xaf, 0x47, 0xf2, 0xbd, 0xd3, 0xde + }; + const uint8_t kEd25519Context[205] = { + 0xcb, 0x83, 0x11, 0x77, 0x1d, 0xe5, 0x02, 0xec, 0x83, 0x79, 0x1b, 0x3d, + 0x2b, 0x6e, 0x63, 0x2b, 0x44, 0xc6, 0x17, 0x1e, 0x35, 0x84, 0x90, 0xa9, + 0x0c, 0x76, 0x36, 0x74, 0x4f, 0xd0, 0xe4, 0xcf, 0x89, 0xbf, 0xd6, 0x12, + 0xe6, 0x89, 0x29, 0xb2, 0x9e, 0xa4, 0x0a, 0xe4, 0x7e, 0x46, 0x9a, 0x50, + 0x35, 0x6a, 0x1e, 0x88, 0x77, 0xec, 0x70, 0xa2, 0x96, 0xf8, 0x01, 0x47, + 0x97, 0xa1, 0x91, 0x8e, 0x5e, 0x9a, 0x84, 0xc6, 0xbf, 0x98, 0x95, 0x62, + 0x4e, 0x8f, 0x0a, 0xa5, 0x26, 0x27, 0xa2, 0x0d, 0xbd, 0xcd, 0x16, 0xe1, + 0x5f, 0x42, 0x69, 0x0d, 0x85, 0x96, 0xab, 0x7c, 0xec, 0x77, 0x41, 0xa9, + 0x4a, 0x31, 0x0b, 0x20, 0x54, 0x58, 0x1e, 0x4b, 0x4b, 0x7d, 0xca, 0xe1, + 0xf9, 0xf5, 0x38, 0x42, 0x74, 0xed, 0xbe, 0xd9, 0x4a, 0xdb, 0xbf, 0x69, + 0xbb, 0xd8, 0x1e, 0xde, 0xe4, 0xe1, 0xdf, 0x18, 0x70, 0x03, 0x9a, 0x5f, + 0x69, 0x16, 0xfb, 0x7c, 0xa7, 0x60, 0xbd, 0x1e, 0xac, 0x24, 0xe5, 0xa3, + 0x74, 0x8f, 0x5d, 0xcc, 0x90, 0xb2, 0xac, 0xe5, 0x91, 0x74, 0x37, 0x4f, + 0xd4, 0xc6, 0xac, 0x08, 0x9c, 0x76, 0x05, 0xdf, 0x99, 0xad, 0xd1, 0xd2, + 0xb9, 0x4f, 0x8c, 0xf7, 0xc0, 0x50, 0xde, 0xf3, 0x27, 0xf3, 0xa5, 0x90, + 0xea, 0x7c, 0x8f, 0x76, 0xe3, 0x33, 0x0d, 0x3a, 0xe9, 0xb5, 0xcb, 0x33, + 0x58, 0x7e, 0x6f, 0x8a, 0x17, 0x0d, 0x96, 0x1a, 0x20, 0x48, 0x48, 0x20, + 0x28 + }; + uint8_t ed25519_private_key[ED25519_PRIVATE_KEY_LEN] = {0}; + OPENSSL_memcpy(ed25519_private_key, kEd25519PrivateKey, + ED25519_PRIVATE_KEY_SEED_LEN); + OPENSSL_memcpy(ed25519_private_key + ED25519_PRIVATE_KEY_SEED_LEN, + kEd25519PublicKey, ED25519_PUBLIC_KEY_LEN); + uint8_t ed25519_out_sig[ED25519_SIGNATURE_LEN] = {0}; + + if (!ED25519ph_sign_no_self_test( + &ed25519_out_sig[0], &kEd25519Message[0], sizeof(kEd25519Message), + ed25519_private_key, &kEd25519Context[0], sizeof(kEd25519Context)) || + !check_test(&kEd25519Signature[0], &ed25519_out_sig[0], + ED25519_SIGNATURE_LEN, "ED25519 sign")) { + fprintf(stderr, "ED25519ph sign failed.\n"); + goto err; + } + if (!ED25519ph_verify_no_self_test(&kEd25519Message[0], sizeof(kEd25519Message), + ed25519_out_sig, kEd25519PublicKey, &kEd25519Context[0], sizeof(kEd25519Context))) { + fprintf(stderr, "ED25519ph verify failed.\n"); + goto err; + } + + ret = 1; +err: + return ret; +} + #if defined(BORINGSSL_FIPS) static void run_self_test_rsa(void) { @@ -1588,6 +1670,18 @@ void boringssl_ensure_eddsa_self_test(void) { CRYPTO_once(g_self_test_once_eddsa_bss_get(), run_self_test_eddsa); } +static void run_self_test_hasheddsa(void) { + if (!boringssl_self_test_hasheddsa()) { + BORINGSSL_FIPS_abort(); + } +} + +DEFINE_STATIC_ONCE(g_self_test_once_hasheddsa); + +void boringssl_ensure_hasheddsa_self_test(void) { + CRYPTO_once(g_self_test_once_hasheddsa_bss_get(), run_self_test_hasheddsa); +} + #endif // BORINGSSL_FIPS @@ -2053,7 +2147,8 @@ int BORINGSSL_self_test(void) { !boringssl_self_test_ecc() || !boringssl_self_test_ffdh() || !boringssl_self_test_ml_kem() || - !boringssl_self_test_eddsa()) { + !boringssl_self_test_eddsa() || + !boringssl_self_test_hasheddsa()) { return 0; } diff --git a/crypto/fipsmodule/service_indicator/service_indicator_test.cc b/crypto/fipsmodule/service_indicator/service_indicator_test.cc index 522c14f37d..d6e01f9620 100644 --- a/crypto/fipsmodule/service_indicator/service_indicator_test.cc +++ b/crypto/fipsmodule/service_indicator/service_indicator_test.cc @@ -5200,6 +5200,15 @@ TEST(ServiceIndicatorTest, ED25519KeyGen) { TEST(ServiceIndicatorTest, ED25519SigGenVerify) { const uint8_t MESSAGE[15] = {'E', 'D', '2', '5', '5', '1', '9', ' ', 'M', 'E', 'S', 'S', 'A', 'G', 'E'}; + const uint8_t CONTEXT[6] = {'A', 'W', 'S', '-', 'L', 'C'}; + uint8_t digest[SHA512_DIGEST_LENGTH] = { + 0xcf, 0x83, 0xe1, 0x35, 0x7e, 0xef, 0xb8, 0xbd, 0xf1, 0x54, 0x28, + 0x50, 0xd6, 0x6d, 0x80, 0x07, 0xd6, 0x20, 0xe4, 0x05, 0x0b, 0x57, + 0x15, 0xdc, 0x83, 0xf4, 0xa9, 0x21, 0xd3, 0x6c, 0xe9, 0xce, 0x47, + 0xd0, 0xd1, 0x3c, 0x5d, 0x85, 0xf2, 0xb0, 0xff, 0x83, 0x18, 0xd2, + 0x87, 0x7e, 0xec, 0x2f, 0x63, 0xb9, 0x31, 0xbd, 0x47, 0x41, 0x7a, + 0x81, 0xa5, 0x38, 0x32, 0x7a, 0xf9, 0x27, 0xda, 0x3e}; // sha512 of empty + // string uint8_t private_key[ED25519_PRIVATE_KEY_LEN] = {0}; uint8_t public_key[ED25519_PUBLIC_KEY_LEN] = {0}; uint8_t signature[ED25519_SIGNATURE_LEN] = {0}; @@ -5217,6 +5226,47 @@ TEST(ServiceIndicatorTest, ED25519SigGenVerify) { signature, public_key))); ASSERT_EQ(AWSLC_APPROVED, approved); + approved = AWSLC_NOT_APPROVED; + CALL_SERVICE_AND_CHECK_APPROVED( + approved, + ASSERT_TRUE(ED25519ctx_sign(&signature[0], &MESSAGE[0], sizeof(MESSAGE), + private_key, &CONTEXT[0], sizeof(CONTEXT)))); + ASSERT_EQ(AWSLC_NOT_APPROVED, approved); + + approved = AWSLC_NOT_APPROVED; + CALL_SERVICE_AND_CHECK_APPROVED( + approved, + ASSERT_TRUE(ED25519ctx_verify(&MESSAGE[0], sizeof(MESSAGE), signature, + public_key, &CONTEXT[0], sizeof(CONTEXT)))); + ASSERT_EQ(AWSLC_NOT_APPROVED, approved); + + approved = AWSLC_NOT_APPROVED; + CALL_SERVICE_AND_CHECK_APPROVED( + approved, + ASSERT_TRUE(ED25519ph_sign(&signature[0], &MESSAGE[0], sizeof(MESSAGE), + private_key, &CONTEXT[0], sizeof(CONTEXT)))); + ASSERT_EQ(AWSLC_APPROVED, approved); + + approved = AWSLC_NOT_APPROVED; + CALL_SERVICE_AND_CHECK_APPROVED( + approved, + ASSERT_TRUE(ED25519ph_verify(&MESSAGE[0], sizeof(MESSAGE), signature, + public_key, &CONTEXT[0], sizeof(CONTEXT)))); + ASSERT_EQ(AWSLC_APPROVED, approved); + + approved = AWSLC_NOT_APPROVED; + CALL_SERVICE_AND_CHECK_APPROVED( + approved, + ASSERT_TRUE(ED25519ph_sign_digest(&signature[0], digest, + private_key, &CONTEXT[0], sizeof(CONTEXT)))); + ASSERT_EQ(AWSLC_APPROVED, approved); + + approved = AWSLC_NOT_APPROVED; + CALL_SERVICE_AND_CHECK_APPROVED(approved, ASSERT_TRUE(ED25519ph_verify_digest( + digest, signature, public_key, + &CONTEXT[0], sizeof(CONTEXT)))); + ASSERT_EQ(AWSLC_APPROVED, approved); + bssl::UniquePtr pkey(EVP_PKEY_new_raw_private_key( EVP_PKEY_ED25519, NULL, &private_key[0], ED25519_PRIVATE_KEY_SEED_LEN)); @@ -5246,7 +5296,7 @@ TEST(ServiceIndicatorTest, ED25519SigGenVerify) { // Since this is running in FIPS mode it should end in FIPS // Update this when the AWS-LC version number is modified TEST(ServiceIndicatorTest, AWSLCVersionString) { - ASSERT_STREQ(awslc_version_string(), "AWS-LC FIPS 1.42.0"); + ASSERT_STREQ(awslc_version_string(), "AWS-LC FIPS 1.43.0"); } #else @@ -5289,6 +5339,6 @@ TEST(ServiceIndicatorTest, BasicTest) { // Since this is not running in FIPS mode it shouldn't end in FIPS // Update this when the AWS-LC version number is modified TEST(ServiceIndicatorTest, AWSLCVersionString) { - ASSERT_STREQ(awslc_version_string(), "AWS-LC 1.42.0"); + ASSERT_STREQ(awslc_version_string(), "AWS-LC 1.43.0"); } #endif // AWSLC_FIPS diff --git a/crypto/fipsmodule/sha/internal.h b/crypto/fipsmodule/sha/internal.h index 2a42d6aa8a..3a0a1c37ce 100644 --- a/crypto/fipsmodule/sha/internal.h +++ b/crypto/fipsmodule/sha/internal.h @@ -408,7 +408,7 @@ int SHAKE_Final(uint8_t *md, KECCAK1600_CTX *ctx, size_t len); void SHA3_Reset(KECCAK1600_CTX *ctx); // SHA3_Init initialises |ctx| fields and returns 1 on success and 0 on failure. -OPENSSL_EXPORT int SHA3_Init(KECCAK1600_CTX *ctx, uint8_t pad, size_t bitlen); +OPENSSL_EXPORT int SHA3_Init(KECCAK1600_CTX *ctx, size_t bitlen); // SHA3_Update processes all data blocks that don't need pad through // |Keccak1600_Absorb| and returns 1 and 0 on failure. diff --git a/crypto/fipsmodule/sha/sha3.c b/crypto/fipsmodule/sha/sha3.c index c08f99e744..708d554a6d 100644 --- a/crypto/fipsmodule/sha/sha3.c +++ b/crypto/fipsmodule/sha/sha3.c @@ -14,7 +14,7 @@ uint8_t *SHA3_224(const uint8_t *data, size_t len, uint8_t out[SHA3_224_DIGEST_LENGTH]) { FIPS_service_indicator_lock_state(); KECCAK1600_CTX ctx; - int ok = (SHA3_Init(&ctx, SHA3_PAD_CHAR, SHA3_224_DIGEST_BITLENGTH) && + int ok = (SHA3_Init(&ctx, SHA3_224_DIGEST_BITLENGTH) && SHA3_Update(&ctx, data, len) && SHA3_Final(out, &ctx)); @@ -31,7 +31,7 @@ uint8_t *SHA3_256(const uint8_t *data, size_t len, uint8_t out[SHA3_256_DIGEST_LENGTH]) { FIPS_service_indicator_lock_state(); KECCAK1600_CTX ctx; - int ok = (SHA3_Init(&ctx, SHA3_PAD_CHAR, SHA3_256_DIGEST_BITLENGTH) && + int ok = (SHA3_Init(&ctx, SHA3_256_DIGEST_BITLENGTH) && SHA3_Update(&ctx, data, len) && SHA3_Final(out, &ctx)); @@ -48,7 +48,7 @@ uint8_t *SHA3_384(const uint8_t *data, size_t len, uint8_t out[SHA3_384_DIGEST_LENGTH]) { FIPS_service_indicator_lock_state(); KECCAK1600_CTX ctx; - int ok = (SHA3_Init(&ctx, SHA3_PAD_CHAR, SHA3_384_DIGEST_BITLENGTH) && + int ok = (SHA3_Init(&ctx, SHA3_384_DIGEST_BITLENGTH) && SHA3_Update(&ctx, data, len) && SHA3_Final(out, &ctx)); @@ -65,7 +65,7 @@ uint8_t *SHA3_512(const uint8_t *data, size_t len, uint8_t out[SHA3_512_DIGEST_LENGTH]) { FIPS_service_indicator_lock_state(); KECCAK1600_CTX ctx; - int ok = (SHA3_Init(&ctx, SHA3_PAD_CHAR, SHA3_512_DIGEST_BITLENGTH) && + int ok = (SHA3_Init(&ctx, SHA3_512_DIGEST_BITLENGTH) && SHA3_Update(&ctx, data, len) && SHA3_Final(out, &ctx)); @@ -109,49 +109,43 @@ uint8_t *SHAKE256(const uint8_t *data, const size_t in_len, uint8_t *out, size_t return out; } -int SHAKE_Init(KECCAK1600_CTX *ctx, size_t block_size) { - // The SHAKE block size depends on the security level of the algorithm only - // It is independent of the output size - ctx->block_size = block_size; - return SHA3_Init(ctx, SHAKE_PAD_CHAR, 0); +// FIPS202 APIs manage internal input/output buffer on top of Keccak1600 API layer +static void FIPS202_Reset(KECCAK1600_CTX *ctx) { + memset(ctx->A, 0, sizeof(ctx->A)); + ctx->buf_load = 0; + ctx->padded=0; } - -int SHAKE_Final(uint8_t *md, KECCAK1600_CTX *ctx, size_t len) { - ctx->md_size = len; - return SHA3_Final(md, ctx); +static int FIPS202_Init(KECCAK1600_CTX *ctx, uint8_t pad, size_t block_size, size_t bit_len) { + if (pad != SHA3_PAD_CHAR && + pad != SHAKE_PAD_CHAR) { + return 0; + } + + if (block_size <= sizeof(ctx->buf)) { + FIPS202_Reset(ctx); + ctx->block_size = block_size; + ctx->md_size = bit_len / 8; + ctx->pad = pad; + return 1; + } + return 0; } +// SHA3 APIs implement SHA3 functionalities on top of FIPS202 API layer void SHA3_Reset(KECCAK1600_CTX *ctx) { memset(ctx->A, 0, sizeof(ctx->A)); ctx->buf_load = 0; ctx->padded = 0; } -int SHA3_Init(KECCAK1600_CTX *ctx, uint8_t pad, size_t bit_len) { - size_t block_size; - - // The block size is computed differently depending on which algorithm - // is calling |SHA3_Init|: - // - for SHA3 we compute it by calling SHA3_BLOCKSIZE(bit_len) - // because the block size depends on the digest bit-length, - // - for SHAKE we take the block size from the context. - // We use the given padding character to differentiate between SHA3 and SHAKE. - if (pad == SHA3_PAD_CHAR) { - block_size = SHA3_BLOCKSIZE(bit_len); - } else if (pad == SHAKE_PAD_CHAR) { - block_size = ctx->block_size; - } else { - return 0; - } - ctx->padded = 0; - - if (block_size <= sizeof(ctx->buf)) { - SHA3_Reset(ctx); - ctx->block_size = block_size; - ctx->md_size = bit_len / 8; - ctx->pad = pad; - return 1; +int SHA3_Init(KECCAK1600_CTX *ctx, size_t bit_len) { + if (bit_len == SHA3_224_DIGEST_BITLENGTH || + bit_len == SHA3_256_DIGEST_BITLENGTH || + bit_len == SHA3_384_DIGEST_BITLENGTH || + bit_len == SHA3_512_DIGEST_BITLENGTH) { + // |block_size| depends on the SHA3 |bit_len| output (digest) length + return FIPS202_Init(ctx, SHA3_PAD_CHAR, SHA3_BLOCKSIZE(bit_len), bit_len); } return 0; } @@ -230,3 +224,19 @@ int SHA3_Final(uint8_t *md, KECCAK1600_CTX *ctx) { return 1; } + +// SHAKE APIs implement SHAKE functionalities on top of FIPS202 API layer +int SHAKE_Init(KECCAK1600_CTX *ctx, size_t block_size) { + if (block_size == SHAKE128_BLOCKSIZE || + block_size == SHAKE256_BLOCKSIZE) { + // |block_size| depends on the SHAKE security level + // The output length |bit_len| is initialized to 0 + return FIPS202_Init(ctx, SHAKE_PAD_CHAR, block_size, 0); + } + return 0; +} + +int SHAKE_Final(uint8_t *md, KECCAK1600_CTX *ctx, size_t len) { + ctx->md_size = len; + return SHA3_Final(md, ctx); +} diff --git a/crypto/fipsmodule/sha/sha3_test.cc b/crypto/fipsmodule/sha/sha3_test.cc index 23cba17886..9e45ddf7d1 100644 --- a/crypto/fipsmodule/sha/sha3_test.cc +++ b/crypto/fipsmodule/sha/sha3_test.cc @@ -208,7 +208,7 @@ TEST(KeccakInternalTest, SqueezeOutputBufferOverflow) { const size_t out_lens[] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, (1 << 5), (1 << 16) + 1}; for (auto out_len : out_lens) { - EXPECT_TRUE(SHA3_Init(&ctx, SHA3_PAD_CHAR, SHA3_384_DIGEST_BITLENGTH)); + EXPECT_TRUE(SHA3_Init(&ctx, SHA3_384_DIGEST_BITLENGTH)); out.resize(out_len + canary.size()); std::copy(canary.begin(), canary.end(), out.end() - canary.size()); Keccak1600_Squeeze(ctx.A, out.data(), out_len, ctx.block_size, 1); diff --git a/crypto/internal.h b/crypto/internal.h index 6658284788..09f772f1ca 100644 --- a/crypto/internal.h +++ b/crypto/internal.h @@ -1301,11 +1301,16 @@ void boringssl_ensure_ffdh_self_test(void); // address space if unsuccessful. void boringssl_ensure_ml_kem_self_test(void); -// boringssl_ensure_eddsa_self_test checks whether the EDDSA self-test +// boringssl_ensure_eddsa_self_test checks whether the EdDSA self-test // has been run in this address space. If not, it runs it and crashes the // address space if unsuccessful. void boringssl_ensure_eddsa_self_test(void); +// boringssl_ensure_hasheddsa_self_test checks whether the HashEdDSA self-test +// has been run in this address space. If not, it runs it and crashes the +// address space if unsuccessful. +void boringssl_ensure_hasheddsa_self_test(void); + #else // Outside of FIPS mode, the lazy tests are no-ops. @@ -1315,6 +1320,7 @@ OPENSSL_INLINE void boringssl_ensure_ecc_self_test(void) {} OPENSSL_INLINE void boringssl_ensure_ffdh_self_test(void) {} OPENSSL_INLINE void boringssl_ensure_ml_kem_self_test(void) {} OPENSSL_INLINE void boringssl_ensure_eddsa_self_test(void) {} +OPENSSL_INLINE void boringssl_ensure_hasheddsa_self_test(void) {} #endif // FIPS diff --git a/crypto/ml_dsa/ml_dsa.c b/crypto/ml_dsa/ml_dsa.c index 75d2930543..fc38186391 100644 --- a/crypto/ml_dsa/ml_dsa.c +++ b/crypto/ml_dsa/ml_dsa.c @@ -30,6 +30,14 @@ int ml_dsa_44_keypair(uint8_t *public_key /* OUT */, return (ml_dsa_keypair(¶ms, public_key, private_key) == 0); } +int ml_dsa_44_pack_pk_from_sk(uint8_t *public_key /* OUT */, + const uint8_t *private_key /* IN */) { + + ml_dsa_params params; + ml_dsa_44_params_init(¶ms); + return ml_dsa_pack_pk_from_sk(¶ms, public_key, private_key) == 0; +} + int ml_dsa_44_keypair_internal(uint8_t *public_key /* OUT */, uint8_t *private_key /* OUT */, const uint8_t *seed /* IN */) { @@ -145,6 +153,14 @@ int ml_dsa_65_keypair(uint8_t *public_key /* OUT */, return (ml_dsa_keypair(¶ms, public_key, private_key) == 0); } +int ml_dsa_65_pack_pk_from_sk(uint8_t *public_key /* OUT */, + const uint8_t *private_key /* IN */) { + + ml_dsa_params params; + ml_dsa_65_params_init(¶ms); + return ml_dsa_pack_pk_from_sk(¶ms, public_key, private_key) == 0; +} + int ml_dsa_65_keypair_internal(uint8_t *public_key /* OUT */, uint8_t *private_key /* OUT */, const uint8_t *seed /* IN */) { @@ -260,6 +276,14 @@ int ml_dsa_87_keypair(uint8_t *public_key /* OUT */, return (ml_dsa_keypair(¶ms, public_key, private_key) == 0); } +int ml_dsa_87_pack_pk_from_sk(uint8_t *public_key /* OUT */, + const uint8_t *private_key /* IN */) { + + ml_dsa_params params; + ml_dsa_87_params_init(¶ms); + return ml_dsa_pack_pk_from_sk(¶ms, public_key, private_key) == 0; +} + int ml_dsa_87_keypair_internal(uint8_t *public_key /* OUT */, uint8_t *private_key /* OUT */, const uint8_t *seed /* IN */) { @@ -367,4 +391,3 @@ int ml_dsa_extmu_87_verify_internal(const uint8_t *public_key /* IN */, return ml_dsa_verify_internal(¶ms, sig, sig_len, mu, mu_len, pre, pre_len, public_key, 1) == 0; } - diff --git a/crypto/ml_dsa/ml_dsa.h b/crypto/ml_dsa/ml_dsa.h index 6755ccd243..f75670b24f 100644 --- a/crypto/ml_dsa/ml_dsa.h +++ b/crypto/ml_dsa/ml_dsa.h @@ -33,6 +33,9 @@ extern "C" { OPENSSL_EXPORT int ml_dsa_44_keypair(uint8_t *public_key, uint8_t *secret_key); +OPENSSL_EXPORT int ml_dsa_44_pack_pk_from_sk(uint8_t *public_key, + const uint8_t *private_key); + OPENSSL_EXPORT int ml_dsa_44_keypair_internal(uint8_t *public_key, uint8_t *private_key, const uint8_t *seed); @@ -80,6 +83,9 @@ OPENSSL_EXPORT int ml_dsa_extmu_44_verify_internal(const uint8_t *public_key, OPENSSL_EXPORT int ml_dsa_65_keypair(uint8_t *public_key, uint8_t *secret_key); +OPENSSL_EXPORT int ml_dsa_65_pack_pk_from_sk(uint8_t *public_key, + const uint8_t *private_key); + OPENSSL_EXPORT int ml_dsa_65_keypair_internal(uint8_t *public_key, uint8_t *private_key, const uint8_t *seed); @@ -127,6 +133,9 @@ OPENSSL_EXPORT int ml_dsa_extmu_65_verify_internal(const uint8_t *public_key, OPENSSL_EXPORT int ml_dsa_87_keypair(uint8_t *public_key, uint8_t *secret_key); +OPENSSL_EXPORT int ml_dsa_87_pack_pk_from_sk(uint8_t *public_key, + const uint8_t *private_key); + OPENSSL_EXPORT int ml_dsa_87_keypair_internal(uint8_t *public_key, uint8_t *private_key, const uint8_t *seed); diff --git a/crypto/ml_dsa/ml_dsa_ref/packing.c b/crypto/ml_dsa/ml_dsa_ref/packing.c index 5ee0b62529..7a2f78b366 100644 --- a/crypto/ml_dsa/ml_dsa_ref/packing.c +++ b/crypto/ml_dsa/ml_dsa_ref/packing.c @@ -2,6 +2,63 @@ #include "packing.h" #include "polyvec.h" #include "poly.h" +#include "../../fipsmodule/sha/internal.h" + +/************************************************* +* Name: ml_dsa_pack_pk_from_sk +* +* Description: Takes a private key and constructs the corresponding public key. +* The hash of the contructed public key is then compared with +* the value of tr unpacked from the provided private key. +* +* Arguments: - ml_dsa_params: parameter struct +* - uint8_t pk: pointer to output byte array +* - const uint8_t sk: pointer to byte array containing bit-packed sk +* +* Returns 0 (when SHAKE256 hash of constructed pk matches tr) +**************************************************/ +int ml_dsa_pack_pk_from_sk(ml_dsa_params *params, + uint8_t *pk, + const uint8_t *sk) +{ + uint8_t rho[ML_DSA_SEEDBYTES]; + uint8_t tr[ML_DSA_TRBYTES]; + uint8_t tr_validate[ML_DSA_TRBYTES]; + uint8_t key[ML_DSA_SEEDBYTES]; + polyvecl mat[ML_DSA_K_MAX]; + polyvecl s1; + polyveck s2, t1, t0; + + //unpack sk + ml_dsa_unpack_sk(params, rho, tr, key, &t0, &s1, &s2, sk); + + // generate matrix A + ml_dsa_polyvec_matrix_expand(params, mat, rho); + + // convert s1 into ntt representation + ml_dsa_polyvecl_ntt(params, &s1); + + // construct t1 = A * s1 + ml_dsa_polyvec_matrix_pointwise_montgomery(params, &t1, mat, &s1); + + // reduce t1 modulo field + ml_dsa_polyveck_reduce(params, &t1); + + // take t1 out of ntt representation + ml_dsa_polyveck_invntt_tomont(params, &t1); + + // construct t1 = A * s1 + s2 + ml_dsa_polyveck_add(params, &t1, &t1, &s2); + + // cxtract t1 and write public key + ml_dsa_polyveck_caddq(params, &t1); + ml_dsa_polyveck_power2round(params, &t1, &t0, &t1); + ml_dsa_pack_pk(params, pk, rho, &t1); + + // we hash pk to reproduce tr, check it with unpacked value to verify + SHAKE256(pk, params->public_key_bytes, tr_validate, ML_DSA_TRBYTES); + return OPENSSL_memcmp(tr_validate, tr, ML_DSA_TRBYTES); +} /************************************************* * Name: ml_dsa_pack_pk @@ -122,12 +179,12 @@ void ml_dsa_pack_sk(ml_dsa_params *params, * Unpack secret key sk = (rho, tr, key, t0, s1, s2). * * Arguments: - ml_dsa_params: parameter struct -* - const uint8_t rho[]: output byte array for rho -* - const uint8_t tr[]: output byte array for tr -* - const uint8_t key[]: output byte array for key -* - const polyveck *t0: pointer to output vector t0 -* - const polyvecl *s1: pointer to output vector s1 -* - const polyveck *s2: pointer to output vector s2 +* - uint8_t rho[]: output byte array for rho +* - uint8_t tr[]: output byte array for tr +* - uint8_t key[]: output byte array for key +* - polyveck *t0: pointer to output vector t0 +* - polyvecl *s1: pointer to output vector s1 +* - polyveck *s2: pointer to output vector s2 * - uint8_t sk[]: pointer to byte array containing bit-packed sk **************************************************/ void ml_dsa_unpack_sk(ml_dsa_params *params, diff --git a/crypto/ml_dsa/ml_dsa_ref/packing.h b/crypto/ml_dsa/ml_dsa_ref/packing.h index a8d525d3d0..2e02932eb0 100644 --- a/crypto/ml_dsa/ml_dsa_ref/packing.h +++ b/crypto/ml_dsa/ml_dsa_ref/packing.h @@ -5,6 +5,10 @@ #include "params.h" #include "polyvec.h" +int ml_dsa_pack_pk_from_sk(ml_dsa_params *params, + uint8_t *pk, + const uint8_t *sk); + void ml_dsa_pack_pk(ml_dsa_params *params, uint8_t *pk, const uint8_t rho[ML_DSA_SEEDBYTES], diff --git a/crypto/ml_dsa/ml_dsa_ref/params.h b/crypto/ml_dsa/ml_dsa_ref/params.h index 633de6accd..8fe92013af 100644 --- a/crypto/ml_dsa/ml_dsa_ref/params.h +++ b/crypto/ml_dsa/ml_dsa_ref/params.h @@ -1,6 +1,10 @@ #ifndef ML_DSA_PARAMS_H #define ML_DSA_PARAMS_H +#if defined(__cplusplus) +extern "C" { +#endif + // The only defined parameters are those that don't depend // on the parameter set. All other parameters are specified // in ml_dsa_params structure that is unique for each parameter @@ -44,8 +48,11 @@ typedef struct { #define ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX ((227 + SHAKE256_BLOCKSIZE - 1)/SHAKE256_BLOCKSIZE) #define ML_DSA_POLYZ_PACKEDBYTES_MAX (576) -void ml_dsa_44_params_init(ml_dsa_params *params); -void ml_dsa_65_params_init(ml_dsa_params *params); -void ml_dsa_87_params_init(ml_dsa_params *params); +OPENSSL_EXPORT void ml_dsa_44_params_init(ml_dsa_params *params); +OPENSSL_EXPORT void ml_dsa_65_params_init(ml_dsa_params *params); +OPENSSL_EXPORT void ml_dsa_87_params_init(ml_dsa_params *params); +#if defined(__cplusplus) +} +#endif #endif diff --git a/crypto/pqdsa/internal.h b/crypto/pqdsa/internal.h index 4e2b00a114..3ecd5334b5 100644 --- a/crypto/pqdsa/internal.h +++ b/crypto/pqdsa/internal.h @@ -42,6 +42,9 @@ typedef struct { size_t sig_len, const uint8_t *digest, size_t digest_len); + + int (*pqdsa_pack_pk_from_sk)(uint8_t *public_key, + const uint8_t *private_key); } PQDSA_METHOD; // PQDSA structure and helper functions. diff --git a/crypto/pqdsa/pqdsa.c b/crypto/pqdsa/pqdsa.c index ff805eeb2a..b32dae90f6 100644 --- a/crypto/pqdsa/pqdsa.c +++ b/crypto/pqdsa/pqdsa.c @@ -89,7 +89,8 @@ static const PQDSA_METHOD sig_ml_dsa_44_method = { ml_dsa_44_sign, ml_dsa_extmu_44_sign, ml_dsa_44_verify, - ml_dsa_extmu_44_verify + ml_dsa_extmu_44_verify, + ml_dsa_44_pack_pk_from_sk }; static const PQDSA_METHOD sig_ml_dsa_65_method = { @@ -97,7 +98,8 @@ static const PQDSA_METHOD sig_ml_dsa_65_method = { ml_dsa_65_sign, ml_dsa_extmu_65_sign, ml_dsa_65_verify, - ml_dsa_extmu_65_verify + ml_dsa_extmu_65_verify, + ml_dsa_65_pack_pk_from_sk }; static const PQDSA_METHOD sig_ml_dsa_87_method = { @@ -105,7 +107,8 @@ static const PQDSA_METHOD sig_ml_dsa_87_method = { ml_dsa_87_sign, ml_dsa_extmu_87_sign, ml_dsa_87_verify, - ml_dsa_extmu_87_verify + ml_dsa_extmu_87_verify, + ml_dsa_87_pack_pk_from_sk }; static const PQDSA sig_ml_dsa_44 = { diff --git a/crypto/rand_extra/fuchsia.c b/crypto/rand_extra/fuchsia.c deleted file mode 100644 index 99c8500563..0000000000 --- a/crypto/rand_extra/fuchsia.c +++ /dev/null @@ -1,38 +0,0 @@ -/* Copyright (c) 2017, Google Inc. - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY - * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION - * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN - * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ - -#if !defined(_DEFAULT_SOURCE) -#define _DEFAULT_SOURCE // Needed for getentropy on musl and glibc -#endif - -#include - -#include "../fipsmodule/rand/internal.h" - -#if defined(OPENSSL_RAND_FUCHSIA) - -#include -#include - -#include - -void CRYPTO_sysrand(uint8_t *out, size_t requested) { - zx_cprng_draw(out, requested); -} - -void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) { - CRYPTO_sysrand(out, requested); -} - -#endif // OPENSSL_RAND_FUCHSIA diff --git a/crypto/rand_extra/getentropy_test.cc b/crypto/rand_extra/getentropy_test.cc index 7f0c43ac7c..a2d5fd26ec 100644 --- a/crypto/rand_extra/getentropy_test.cc +++ b/crypto/rand_extra/getentropy_test.cc @@ -26,7 +26,7 @@ #include -#if defined(OPENSSL_MACOS) || defined(OPENSSL_FUCHSIA) +#if defined(OPENSSL_MACOS) #include #endif diff --git a/crypto/rand_extra/rand_test.cc b/crypto/rand_extra/rand_test.cc index 8c3246218d..aa48bdc948 100644 --- a/crypto/rand_extra/rand_test.cc +++ b/crypto/rand_extra/rand_test.cc @@ -65,7 +65,7 @@ TEST(RandTest, NotObviouslyBroken) { } #if !defined(OPENSSL_WINDOWS) && !defined(OPENSSL_IOS) && \ - !defined(OPENSSL_FUCHSIA) && !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) + !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) static bool ForkAndRand(bssl::Span out, bool fork_unsafe_buffering) { int pipefds[2]; if (pipe(pipefds) < 0) { @@ -174,7 +174,7 @@ TEST(RandTest, Fork) { } } #endif // !OPENSSL_WINDOWS && !OPENSSL_IOS && - // !OPENSSL_FUCHSIA && !BORINGSSL_UNSAFE_DETERMINISTIC_MODE + // !BORINGSSL_UNSAFE_DETERMINISTIC_MODE #if defined(OPENSSL_THREADS) static void RunConcurrentRands(size_t num_threads) { diff --git a/crypto/rand_extra/trusty.c b/crypto/rand_extra/trusty.c deleted file mode 100644 index d5b82e95b3..0000000000 --- a/crypto/rand_extra/trusty.c +++ /dev/null @@ -1,38 +0,0 @@ -/* Copyright (c) 2023, Google Inc. - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY - * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION - * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN - * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ - -#include - -#include "../fipsmodule/rand/internal.h" - -#if defined(OPENSSL_RAND_TRUSTY) -#include -#include - -#include -#include - -#include - -void CRYPTO_sysrand(uint8_t *out, size_t requested) { - if (trusty_rng_hw_rand(out, requested) != NO_ERROR) { - abort(); - } -} - -void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) { - CRYPTO_sysrand(out, requested); -} - -#endif // OPENSSL_RAND_TRUSTY diff --git a/crypto/x509/x509_def.c b/crypto/x509/x509_def.c index 1721da5d99..ebce685914 100644 --- a/crypto/x509/x509_def.c +++ b/crypto/x509/x509_def.c @@ -58,11 +58,7 @@ // TODO(fork): cleanup -#if defined(OPENSSL_FUCHSIA) -#define OPENSSLDIR "/config/ssl" -#else #define OPENSSLDIR "/etc/ssl" -#endif #define X509_CERT_AREA OPENSSLDIR #define X509_CERT_DIR OPENSSLDIR "/certs" diff --git a/generated-src/crypto_test_data.cc.tar.bz2 b/generated-src/crypto_test_data.cc.tar.bz2 index 5b2553c12b..660e8d6a85 100644 Binary files a/generated-src/crypto_test_data.cc.tar.bz2 and b/generated-src/crypto_test_data.cc.tar.bz2 differ diff --git a/generated-src/ios-aarch64/crypto/fipsmodule/md5-armv8.S b/generated-src/ios-aarch64/crypto/fipsmodule/md5-armv8.S index 18547ce3bf..b2315c7a39 100644 --- a/generated-src/ios-aarch64/crypto/fipsmodule/md5-armv8.S +++ b/generated-src/ios-aarch64/crypto/fipsmodule/md5-armv8.S @@ -192,165 +192,165 @@ md5_blocks_loop: add w9, w9, w13 // Add constant 0x49b40821 add w9, w9, w6 // Add aux function result ror w9, w9, #10 // Rotate left s=22 bits - bic x6, x8, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x8, x17 // Aux function round 2 (~z & y) add w9, w8, w9 // Add X parameter round 1 B=FF(B, C, D, A, 0x49b40821, s=22, M[15]) - and x13, x9, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x2562 // Load lower half of constant 0xf61e2562 movk x13, #0xf61e, lsl #16 // Load upper half of constant 0xf61e2562 add w4, w4, w20 // Add dest value add w4, w4, w13 // Add constant 0xf61e2562 - add w4, w4, w6 // Add aux function result + and x13, x9, x17 // Aux function round 2 (x & z) + add w4, w4, w6 // Add (~z & y) + add w4, w4, w13 // Add (x & z) ror w4, w4, #27 // Rotate left s=5 bits - bic x6, x9, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x9, x8 // Aux function round 2 (~z & y) add w4, w9, w4 // Add X parameter round 2 A=GG(A, B, C, D, 0xf61e2562, s=5, M[1]) - and x13, x4, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xb340 // Load lower half of constant 0xc040b340 movk x13, #0xc040, lsl #16 // Load upper half of constant 0xc040b340 add w17, w17, w7 // Add dest value add w17, w17, w13 // Add constant 0xc040b340 - add w17, w17, w6 // Add aux function result + and x13, x4, x8 // Aux function round 2 (x & z) + add w17, w17, w6 // Add (~z & y) + add w17, w17, w13 // Add (x & z) ror w17, w17, #23 // Rotate left s=9 bits - bic x6, x4, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x4, x9 // Aux function round 2 (~z & y) add w17, w4, w17 // Add X parameter round 2 D=GG(D, A, B, C, 0xc040b340, s=9, M[6]) - and x13, x17, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x5a51 // Load lower half of constant 0x265e5a51 movk x13, #0x265e, lsl #16 // Load upper half of constant 0x265e5a51 add w8, w8, w25 // Add dest value add w8, w8, w13 // Add constant 0x265e5a51 - add w8, w8, w6 // Add aux function result + and x13, x17, x9 // Aux function round 2 (x & z) + add w8, w8, w6 // Add (~z & y) + add w8, w8, w13 // Add (x & z) ror w8, w8, #18 // Rotate left s=14 bits - bic x6, x17, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x17, x4 // Aux function round 2 (~z & y) add w8, w17, w8 // Add X parameter round 2 C=GG(C, D, A, B, 0x265e5a51, s=14, M[11]) - and x13, x8, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xc7aa // Load lower half of constant 0xe9b6c7aa movk x13, #0xe9b6, lsl #16 // Load upper half of constant 0xe9b6c7aa add w9, w9, w15 // Add dest value add w9, w9, w13 // Add constant 0xe9b6c7aa - add w9, w9, w6 // Add aux function result + and x13, x8, x4 // Aux function round 2 (x & z) + add w9, w9, w6 // Add (~z & y) + add w9, w9, w13 // Add (x & z) ror w9, w9, #12 // Rotate left s=20 bits - bic x6, x8, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x8, x17 // Aux function round 2 (~z & y) add w9, w8, w9 // Add X parameter round 2 B=GG(B, C, D, A, 0xe9b6c7aa, s=20, M[0]) - and x13, x9, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x105d // Load lower half of constant 0xd62f105d movk x13, #0xd62f, lsl #16 // Load upper half of constant 0xd62f105d add w4, w4, w22 // Add dest value add w4, w4, w13 // Add constant 0xd62f105d - add w4, w4, w6 // Add aux function result + and x13, x9, x17 // Aux function round 2 (x & z) + add w4, w4, w6 // Add (~z & y) + add w4, w4, w13 // Add (x & z) ror w4, w4, #27 // Rotate left s=5 bits - bic x6, x9, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x9, x8 // Aux function round 2 (~z & y) add w4, w9, w4 // Add X parameter round 2 A=GG(A, B, C, D, 0xd62f105d, s=5, M[5]) - and x13, x4, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x1453 // Load lower half of constant 0x2441453 movk x13, #0x244, lsl #16 // Load upper half of constant 0x2441453 add w17, w17, w16 // Add dest value add w17, w17, w13 // Add constant 0x2441453 - add w17, w17, w6 // Add aux function result + and x13, x4, x8 // Aux function round 2 (x & z) + add w17, w17, w6 // Add (~z & y) + add w17, w17, w13 // Add (x & z) ror w17, w17, #23 // Rotate left s=9 bits - bic x6, x4, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x4, x9 // Aux function round 2 (~z & y) add w17, w4, w17 // Add X parameter round 2 D=GG(D, A, B, C, 0x2441453, s=9, M[10]) - and x13, x17, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xe681 // Load lower half of constant 0xd8a1e681 movk x13, #0xd8a1, lsl #16 // Load upper half of constant 0xd8a1e681 add w8, w8, w27 // Add dest value add w8, w8, w13 // Add constant 0xd8a1e681 - add w8, w8, w6 // Add aux function result + and x13, x17, x9 // Aux function round 2 (x & z) + add w8, w8, w6 // Add (~z & y) + add w8, w8, w13 // Add (x & z) ror w8, w8, #18 // Rotate left s=14 bits - bic x6, x17, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x17, x4 // Aux function round 2 (~z & y) add w8, w17, w8 // Add X parameter round 2 C=GG(C, D, A, B, 0xd8a1e681, s=14, M[15]) - and x13, x8, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xfbc8 // Load lower half of constant 0xe7d3fbc8 movk x13, #0xe7d3, lsl #16 // Load upper half of constant 0xe7d3fbc8 add w9, w9, w14 // Add dest value add w9, w9, w13 // Add constant 0xe7d3fbc8 - add w9, w9, w6 // Add aux function result + and x13, x8, x4 // Aux function round 2 (x & z) + add w9, w9, w6 // Add (~z & y) + add w9, w9, w13 // Add (x & z) ror w9, w9, #12 // Rotate left s=20 bits - bic x6, x8, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x8, x17 // Aux function round 2 (~z & y) add w9, w8, w9 // Add X parameter round 2 B=GG(B, C, D, A, 0xe7d3fbc8, s=20, M[4]) - and x13, x9, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xcde6 // Load lower half of constant 0x21e1cde6 movk x13, #0x21e1, lsl #16 // Load upper half of constant 0x21e1cde6 add w4, w4, w24 // Add dest value add w4, w4, w13 // Add constant 0x21e1cde6 - add w4, w4, w6 // Add aux function result + and x13, x9, x17 // Aux function round 2 (x & z) + add w4, w4, w6 // Add (~z & y) + add w4, w4, w13 // Add (x & z) ror w4, w4, #27 // Rotate left s=5 bits - bic x6, x9, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x9, x8 // Aux function round 2 (~z & y) add w4, w9, w4 // Add X parameter round 2 A=GG(A, B, C, D, 0x21e1cde6, s=5, M[9]) - and x13, x4, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x7d6 // Load lower half of constant 0xc33707d6 movk x13, #0xc337, lsl #16 // Load upper half of constant 0xc33707d6 add w17, w17, w12 // Add dest value add w17, w17, w13 // Add constant 0xc33707d6 - add w17, w17, w6 // Add aux function result + and x13, x4, x8 // Aux function round 2 (x & z) + add w17, w17, w6 // Add (~z & y) + add w17, w17, w13 // Add (x & z) ror w17, w17, #23 // Rotate left s=9 bits - bic x6, x4, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x4, x9 // Aux function round 2 (~z & y) add w17, w4, w17 // Add X parameter round 2 D=GG(D, A, B, C, 0xc33707d6, s=9, M[14]) - and x13, x17, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xd87 // Load lower half of constant 0xf4d50d87 movk x13, #0xf4d5, lsl #16 // Load upper half of constant 0xf4d50d87 add w8, w8, w21 // Add dest value add w8, w8, w13 // Add constant 0xf4d50d87 - add w8, w8, w6 // Add aux function result + and x13, x17, x9 // Aux function round 2 (x & z) + add w8, w8, w6 // Add (~z & y) + add w8, w8, w13 // Add (x & z) ror w8, w8, #18 // Rotate left s=14 bits - bic x6, x17, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x17, x4 // Aux function round 2 (~z & y) add w8, w17, w8 // Add X parameter round 2 C=GG(C, D, A, B, 0xf4d50d87, s=14, M[3]) - and x13, x8, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x14ed // Load lower half of constant 0x455a14ed movk x13, #0x455a, lsl #16 // Load upper half of constant 0x455a14ed add w9, w9, w5 // Add dest value add w9, w9, w13 // Add constant 0x455a14ed - add w9, w9, w6 // Add aux function result + and x13, x8, x4 // Aux function round 2 (x & z) + add w9, w9, w6 // Add (~z & y) + add w9, w9, w13 // Add (x & z) ror w9, w9, #12 // Rotate left s=20 bits - bic x6, x8, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x8, x17 // Aux function round 2 (~z & y) add w9, w8, w9 // Add X parameter round 2 B=GG(B, C, D, A, 0x455a14ed, s=20, M[8]) - and x13, x9, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xe905 // Load lower half of constant 0xa9e3e905 movk x13, #0xa9e3, lsl #16 // Load upper half of constant 0xa9e3e905 add w4, w4, w26 // Add dest value add w4, w4, w13 // Add constant 0xa9e3e905 - add w4, w4, w6 // Add aux function result + and x13, x9, x17 // Aux function round 2 (x & z) + add w4, w4, w6 // Add (~z & y) + add w4, w4, w13 // Add (x & z) ror w4, w4, #27 // Rotate left s=5 bits - bic x6, x9, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x9, x8 // Aux function round 2 (~z & y) add w4, w9, w4 // Add X parameter round 2 A=GG(A, B, C, D, 0xa9e3e905, s=5, M[13]) - and x13, x4, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xa3f8 // Load lower half of constant 0xfcefa3f8 movk x13, #0xfcef, lsl #16 // Load upper half of constant 0xfcefa3f8 add w17, w17, w3 // Add dest value add w17, w17, w13 // Add constant 0xfcefa3f8 - add w17, w17, w6 // Add aux function result + and x13, x4, x8 // Aux function round 2 (x & z) + add w17, w17, w6 // Add (~z & y) + add w17, w17, w13 // Add (x & z) ror w17, w17, #23 // Rotate left s=9 bits - bic x6, x4, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x4, x9 // Aux function round 2 (~z & y) add w17, w4, w17 // Add X parameter round 2 D=GG(D, A, B, C, 0xfcefa3f8, s=9, M[2]) - and x13, x17, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x2d9 // Load lower half of constant 0x676f02d9 movk x13, #0x676f, lsl #16 // Load upper half of constant 0x676f02d9 add w8, w8, w23 // Add dest value add w8, w8, w13 // Add constant 0x676f02d9 - add w8, w8, w6 // Add aux function result + and x13, x17, x9 // Aux function round 2 (x & z) + add w8, w8, w6 // Add (~z & y) + add w8, w8, w13 // Add (x & z) ror w8, w8, #18 // Rotate left s=14 bits - bic x6, x17, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x17, x4 // Aux function round 2 (~z & y) add w8, w17, w8 // Add X parameter round 2 C=GG(C, D, A, B, 0x676f02d9, s=14, M[7]) - and x13, x8, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x4c8a // Load lower half of constant 0x8d2a4c8a movk x13, #0x8d2a, lsl #16 // Load upper half of constant 0x8d2a4c8a add w9, w9, w11 // Add dest value add w9, w9, w13 // Add constant 0x8d2a4c8a - add w9, w9, w6 // Add aux function result + and x13, x8, x4 // Aux function round 2 (x & z) + add w9, w9, w6 // Add (~z & y) + add w9, w9, w13 // Add (x & z) eor x6, x8, x17 // Begin aux function round 3 H(x,y,z)=(x^y^z) ror w9, w9, #12 // Rotate left s=20 bits movz x10, #0x3942 // Load lower half of constant 0xfffa3942 diff --git a/generated-src/linux-aarch64/crypto/fipsmodule/md5-armv8.S b/generated-src/linux-aarch64/crypto/fipsmodule/md5-armv8.S index daf814ec61..1a354086a1 100644 --- a/generated-src/linux-aarch64/crypto/fipsmodule/md5-armv8.S +++ b/generated-src/linux-aarch64/crypto/fipsmodule/md5-armv8.S @@ -192,165 +192,165 @@ md5_blocks_loop: add w9, w9, w13 // Add constant 0x49b40821 add w9, w9, w6 // Add aux function result ror w9, w9, #10 // Rotate left s=22 bits - bic x6, x8, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x8, x17 // Aux function round 2 (~z & y) add w9, w8, w9 // Add X parameter round 1 B=FF(B, C, D, A, 0x49b40821, s=22, M[15]) - and x13, x9, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x2562 // .Load lower half of constant 0xf61e2562 movk x13, #0xf61e, lsl #16 // .Load upper half of constant 0xf61e2562 add w4, w4, w20 // Add dest value add w4, w4, w13 // Add constant 0xf61e2562 - add w4, w4, w6 // Add aux function result + and x13, x9, x17 // Aux function round 2 (x & z) + add w4, w4, w6 // Add (~z & y) + add w4, w4, w13 // Add (x & z) ror w4, w4, #27 // Rotate left s=5 bits - bic x6, x9, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x9, x8 // Aux function round 2 (~z & y) add w4, w9, w4 // Add X parameter round 2 A=GG(A, B, C, D, 0xf61e2562, s=5, M[1]) - and x13, x4, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xb340 // .Load lower half of constant 0xc040b340 movk x13, #0xc040, lsl #16 // .Load upper half of constant 0xc040b340 add w17, w17, w7 // Add dest value add w17, w17, w13 // Add constant 0xc040b340 - add w17, w17, w6 // Add aux function result + and x13, x4, x8 // Aux function round 2 (x & z) + add w17, w17, w6 // Add (~z & y) + add w17, w17, w13 // Add (x & z) ror w17, w17, #23 // Rotate left s=9 bits - bic x6, x4, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x4, x9 // Aux function round 2 (~z & y) add w17, w4, w17 // Add X parameter round 2 D=GG(D, A, B, C, 0xc040b340, s=9, M[6]) - and x13, x17, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x5a51 // .Load lower half of constant 0x265e5a51 movk x13, #0x265e, lsl #16 // .Load upper half of constant 0x265e5a51 add w8, w8, w25 // Add dest value add w8, w8, w13 // Add constant 0x265e5a51 - add w8, w8, w6 // Add aux function result + and x13, x17, x9 // Aux function round 2 (x & z) + add w8, w8, w6 // Add (~z & y) + add w8, w8, w13 // Add (x & z) ror w8, w8, #18 // Rotate left s=14 bits - bic x6, x17, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x17, x4 // Aux function round 2 (~z & y) add w8, w17, w8 // Add X parameter round 2 C=GG(C, D, A, B, 0x265e5a51, s=14, M[11]) - and x13, x8, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xc7aa // .Load lower half of constant 0xe9b6c7aa movk x13, #0xe9b6, lsl #16 // .Load upper half of constant 0xe9b6c7aa add w9, w9, w15 // Add dest value add w9, w9, w13 // Add constant 0xe9b6c7aa - add w9, w9, w6 // Add aux function result + and x13, x8, x4 // Aux function round 2 (x & z) + add w9, w9, w6 // Add (~z & y) + add w9, w9, w13 // Add (x & z) ror w9, w9, #12 // Rotate left s=20 bits - bic x6, x8, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x8, x17 // Aux function round 2 (~z & y) add w9, w8, w9 // Add X parameter round 2 B=GG(B, C, D, A, 0xe9b6c7aa, s=20, M[0]) - and x13, x9, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x105d // .Load lower half of constant 0xd62f105d movk x13, #0xd62f, lsl #16 // .Load upper half of constant 0xd62f105d add w4, w4, w22 // Add dest value add w4, w4, w13 // Add constant 0xd62f105d - add w4, w4, w6 // Add aux function result + and x13, x9, x17 // Aux function round 2 (x & z) + add w4, w4, w6 // Add (~z & y) + add w4, w4, w13 // Add (x & z) ror w4, w4, #27 // Rotate left s=5 bits - bic x6, x9, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x9, x8 // Aux function round 2 (~z & y) add w4, w9, w4 // Add X parameter round 2 A=GG(A, B, C, D, 0xd62f105d, s=5, M[5]) - and x13, x4, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x1453 // .Load lower half of constant 0x2441453 movk x13, #0x244, lsl #16 // .Load upper half of constant 0x2441453 add w17, w17, w16 // Add dest value add w17, w17, w13 // Add constant 0x2441453 - add w17, w17, w6 // Add aux function result + and x13, x4, x8 // Aux function round 2 (x & z) + add w17, w17, w6 // Add (~z & y) + add w17, w17, w13 // Add (x & z) ror w17, w17, #23 // Rotate left s=9 bits - bic x6, x4, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x4, x9 // Aux function round 2 (~z & y) add w17, w4, w17 // Add X parameter round 2 D=GG(D, A, B, C, 0x2441453, s=9, M[10]) - and x13, x17, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xe681 // .Load lower half of constant 0xd8a1e681 movk x13, #0xd8a1, lsl #16 // .Load upper half of constant 0xd8a1e681 add w8, w8, w27 // Add dest value add w8, w8, w13 // Add constant 0xd8a1e681 - add w8, w8, w6 // Add aux function result + and x13, x17, x9 // Aux function round 2 (x & z) + add w8, w8, w6 // Add (~z & y) + add w8, w8, w13 // Add (x & z) ror w8, w8, #18 // Rotate left s=14 bits - bic x6, x17, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x17, x4 // Aux function round 2 (~z & y) add w8, w17, w8 // Add X parameter round 2 C=GG(C, D, A, B, 0xd8a1e681, s=14, M[15]) - and x13, x8, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xfbc8 // .Load lower half of constant 0xe7d3fbc8 movk x13, #0xe7d3, lsl #16 // .Load upper half of constant 0xe7d3fbc8 add w9, w9, w14 // Add dest value add w9, w9, w13 // Add constant 0xe7d3fbc8 - add w9, w9, w6 // Add aux function result + and x13, x8, x4 // Aux function round 2 (x & z) + add w9, w9, w6 // Add (~z & y) + add w9, w9, w13 // Add (x & z) ror w9, w9, #12 // Rotate left s=20 bits - bic x6, x8, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x8, x17 // Aux function round 2 (~z & y) add w9, w8, w9 // Add X parameter round 2 B=GG(B, C, D, A, 0xe7d3fbc8, s=20, M[4]) - and x13, x9, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xcde6 // .Load lower half of constant 0x21e1cde6 movk x13, #0x21e1, lsl #16 // .Load upper half of constant 0x21e1cde6 add w4, w4, w24 // Add dest value add w4, w4, w13 // Add constant 0x21e1cde6 - add w4, w4, w6 // Add aux function result + and x13, x9, x17 // Aux function round 2 (x & z) + add w4, w4, w6 // Add (~z & y) + add w4, w4, w13 // Add (x & z) ror w4, w4, #27 // Rotate left s=5 bits - bic x6, x9, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x9, x8 // Aux function round 2 (~z & y) add w4, w9, w4 // Add X parameter round 2 A=GG(A, B, C, D, 0x21e1cde6, s=5, M[9]) - and x13, x4, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x7d6 // .Load lower half of constant 0xc33707d6 movk x13, #0xc337, lsl #16 // .Load upper half of constant 0xc33707d6 add w17, w17, w12 // Add dest value add w17, w17, w13 // Add constant 0xc33707d6 - add w17, w17, w6 // Add aux function result + and x13, x4, x8 // Aux function round 2 (x & z) + add w17, w17, w6 // Add (~z & y) + add w17, w17, w13 // Add (x & z) ror w17, w17, #23 // Rotate left s=9 bits - bic x6, x4, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x4, x9 // Aux function round 2 (~z & y) add w17, w4, w17 // Add X parameter round 2 D=GG(D, A, B, C, 0xc33707d6, s=9, M[14]) - and x13, x17, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xd87 // .Load lower half of constant 0xf4d50d87 movk x13, #0xf4d5, lsl #16 // .Load upper half of constant 0xf4d50d87 add w8, w8, w21 // Add dest value add w8, w8, w13 // Add constant 0xf4d50d87 - add w8, w8, w6 // Add aux function result + and x13, x17, x9 // Aux function round 2 (x & z) + add w8, w8, w6 // Add (~z & y) + add w8, w8, w13 // Add (x & z) ror w8, w8, #18 // Rotate left s=14 bits - bic x6, x17, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x17, x4 // Aux function round 2 (~z & y) add w8, w17, w8 // Add X parameter round 2 C=GG(C, D, A, B, 0xf4d50d87, s=14, M[3]) - and x13, x8, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x14ed // .Load lower half of constant 0x455a14ed movk x13, #0x455a, lsl #16 // .Load upper half of constant 0x455a14ed add w9, w9, w5 // Add dest value add w9, w9, w13 // Add constant 0x455a14ed - add w9, w9, w6 // Add aux function result + and x13, x8, x4 // Aux function round 2 (x & z) + add w9, w9, w6 // Add (~z & y) + add w9, w9, w13 // Add (x & z) ror w9, w9, #12 // Rotate left s=20 bits - bic x6, x8, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x8, x17 // Aux function round 2 (~z & y) add w9, w8, w9 // Add X parameter round 2 B=GG(B, C, D, A, 0x455a14ed, s=20, M[8]) - and x13, x9, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xe905 // .Load lower half of constant 0xa9e3e905 movk x13, #0xa9e3, lsl #16 // .Load upper half of constant 0xa9e3e905 add w4, w4, w26 // Add dest value add w4, w4, w13 // Add constant 0xa9e3e905 - add w4, w4, w6 // Add aux function result + and x13, x9, x17 // Aux function round 2 (x & z) + add w4, w4, w6 // Add (~z & y) + add w4, w4, w13 // Add (x & z) ror w4, w4, #27 // Rotate left s=5 bits - bic x6, x9, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x9, x8 // Aux function round 2 (~z & y) add w4, w9, w4 // Add X parameter round 2 A=GG(A, B, C, D, 0xa9e3e905, s=5, M[13]) - and x13, x4, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xa3f8 // .Load lower half of constant 0xfcefa3f8 movk x13, #0xfcef, lsl #16 // .Load upper half of constant 0xfcefa3f8 add w17, w17, w3 // Add dest value add w17, w17, w13 // Add constant 0xfcefa3f8 - add w17, w17, w6 // Add aux function result + and x13, x4, x8 // Aux function round 2 (x & z) + add w17, w17, w6 // Add (~z & y) + add w17, w17, w13 // Add (x & z) ror w17, w17, #23 // Rotate left s=9 bits - bic x6, x4, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x4, x9 // Aux function round 2 (~z & y) add w17, w4, w17 // Add X parameter round 2 D=GG(D, A, B, C, 0xfcefa3f8, s=9, M[2]) - and x13, x17, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x2d9 // .Load lower half of constant 0x676f02d9 movk x13, #0x676f, lsl #16 // .Load upper half of constant 0x676f02d9 add w8, w8, w23 // Add dest value add w8, w8, w13 // Add constant 0x676f02d9 - add w8, w8, w6 // Add aux function result + and x13, x17, x9 // Aux function round 2 (x & z) + add w8, w8, w6 // Add (~z & y) + add w8, w8, w13 // Add (x & z) ror w8, w8, #18 // Rotate left s=14 bits - bic x6, x17, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x17, x4 // Aux function round 2 (~z & y) add w8, w17, w8 // Add X parameter round 2 C=GG(C, D, A, B, 0x676f02d9, s=14, M[7]) - and x13, x8, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x4c8a // .Load lower half of constant 0x8d2a4c8a movk x13, #0x8d2a, lsl #16 // .Load upper half of constant 0x8d2a4c8a add w9, w9, w11 // Add dest value add w9, w9, w13 // Add constant 0x8d2a4c8a - add w9, w9, w6 // Add aux function result + and x13, x8, x4 // Aux function round 2 (x & z) + add w9, w9, w6 // Add (~z & y) + add w9, w9, w13 // Add (x & z) eor x6, x8, x17 // Begin aux function round 3 H(x,y,z)=(x^y^z) ror w9, w9, #12 // Rotate left s=20 bits movz x10, #0x3942 // .Load lower half of constant 0xfffa3942 diff --git a/generated-src/linux-x86_64/crypto/fipsmodule/aesni-xts-avx512.S b/generated-src/linux-x86_64/crypto/fipsmodule/aesni-xts-avx512.S index b2e31bd9e8..337ab64d52 100644 --- a/generated-src/linux-x86_64/crypto/fipsmodule/aesni-xts-avx512.S +++ b/generated-src/linux-x86_64/crypto/fipsmodule/aesni-xts-avx512.S @@ -428,7 +428,7 @@ aes_hw_xts_encrypt_avx512: vmovdqu8 %zmm1,(%rsi) vmovdqu %xmm2,64(%rsi) addq $0x50,%rsi - movdqa %xmm2,%xmm8 + vmovdqa %xmm2,%xmm8 vextracti32x4 $0x1,%zmm10,%xmm0 andq $0xf,%rdx je .L_ret_hEgxyDlCngwrfFe diff --git a/generated-src/linux-x86_64/crypto/fipsmodule/md5-x86_64.S b/generated-src/linux-x86_64/crypto/fipsmodule/md5-x86_64.S index 43a786cb9a..0a09a27c30 100644 --- a/generated-src/linux-x86_64/crypto/fipsmodule/md5-x86_64.S +++ b/generated-src/linux-x86_64/crypto/fipsmodule/md5-x86_64.S @@ -210,7 +210,7 @@ _CET_ENDBR andl %ebx,%r12d andl %ecx,%r11d movl 24(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%eax movl %ecx,%r11d addl %r12d,%eax movl %ecx,%r12d @@ -221,7 +221,7 @@ _CET_ENDBR andl %eax,%r12d andl %ebx,%r11d movl 44(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%edx movl %ebx,%r11d addl %r12d,%edx movl %ebx,%r12d @@ -232,7 +232,7 @@ _CET_ENDBR andl %edx,%r12d andl %eax,%r11d movl 0(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%ecx movl %eax,%r11d addl %r12d,%ecx movl %eax,%r12d @@ -243,7 +243,7 @@ _CET_ENDBR andl %ecx,%r12d andl %edx,%r11d movl 20(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%ebx movl %edx,%r11d addl %r12d,%ebx movl %edx,%r12d @@ -254,7 +254,7 @@ _CET_ENDBR andl %ebx,%r12d andl %ecx,%r11d movl 40(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%eax movl %ecx,%r11d addl %r12d,%eax movl %ecx,%r12d @@ -265,7 +265,7 @@ _CET_ENDBR andl %eax,%r12d andl %ebx,%r11d movl 60(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%edx movl %ebx,%r11d addl %r12d,%edx movl %ebx,%r12d @@ -276,7 +276,7 @@ _CET_ENDBR andl %edx,%r12d andl %eax,%r11d movl 16(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%ecx movl %eax,%r11d addl %r12d,%ecx movl %eax,%r12d @@ -287,7 +287,7 @@ _CET_ENDBR andl %ecx,%r12d andl %edx,%r11d movl 36(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%ebx movl %edx,%r11d addl %r12d,%ebx movl %edx,%r12d @@ -298,7 +298,7 @@ _CET_ENDBR andl %ebx,%r12d andl %ecx,%r11d movl 56(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%eax movl %ecx,%r11d addl %r12d,%eax movl %ecx,%r12d @@ -309,7 +309,7 @@ _CET_ENDBR andl %eax,%r12d andl %ebx,%r11d movl 12(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%edx movl %ebx,%r11d addl %r12d,%edx movl %ebx,%r12d @@ -320,7 +320,7 @@ _CET_ENDBR andl %edx,%r12d andl %eax,%r11d movl 32(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%ecx movl %eax,%r11d addl %r12d,%ecx movl %eax,%r12d @@ -331,7 +331,7 @@ _CET_ENDBR andl %ecx,%r12d andl %edx,%r11d movl 52(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%ebx movl %edx,%r11d addl %r12d,%ebx movl %edx,%r12d @@ -342,7 +342,7 @@ _CET_ENDBR andl %ebx,%r12d andl %ecx,%r11d movl 8(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%eax movl %ecx,%r11d addl %r12d,%eax movl %ecx,%r12d @@ -353,7 +353,7 @@ _CET_ENDBR andl %eax,%r12d andl %ebx,%r11d movl 28(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%edx movl %ebx,%r11d addl %r12d,%edx movl %ebx,%r12d @@ -364,7 +364,7 @@ _CET_ENDBR andl %edx,%r12d andl %eax,%r11d movl 48(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%ecx movl %eax,%r11d addl %r12d,%ecx movl %eax,%r12d @@ -375,7 +375,7 @@ _CET_ENDBR andl %ecx,%r12d andl %edx,%r11d movl 0(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%ebx movl %edx,%r11d addl %r12d,%ebx movl %edx,%r12d diff --git a/generated-src/mac-x86_64/crypto/fipsmodule/aesni-xts-avx512.S b/generated-src/mac-x86_64/crypto/fipsmodule/aesni-xts-avx512.S index 08a62439ad..b5e0977866 100644 --- a/generated-src/mac-x86_64/crypto/fipsmodule/aesni-xts-avx512.S +++ b/generated-src/mac-x86_64/crypto/fipsmodule/aesni-xts-avx512.S @@ -428,7 +428,7 @@ L$_remaining_num_blocks_is_5_hEgxyDlCngwrfFe: vmovdqu8 %zmm1,(%rsi) vmovdqu %xmm2,64(%rsi) addq $0x50,%rsi - movdqa %xmm2,%xmm8 + vmovdqa %xmm2,%xmm8 vextracti32x4 $0x1,%zmm10,%xmm0 andq $0xf,%rdx je L$_ret_hEgxyDlCngwrfFe diff --git a/generated-src/mac-x86_64/crypto/fipsmodule/md5-x86_64.S b/generated-src/mac-x86_64/crypto/fipsmodule/md5-x86_64.S index 9170682312..2ccd8caf12 100644 --- a/generated-src/mac-x86_64/crypto/fipsmodule/md5-x86_64.S +++ b/generated-src/mac-x86_64/crypto/fipsmodule/md5-x86_64.S @@ -205,7 +205,7 @@ L$loop: andl %ebx,%r12d andl %ecx,%r11d movl 24(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%eax movl %ecx,%r11d addl %r12d,%eax movl %ecx,%r12d @@ -216,7 +216,7 @@ L$loop: andl %eax,%r12d andl %ebx,%r11d movl 44(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%edx movl %ebx,%r11d addl %r12d,%edx movl %ebx,%r12d @@ -227,7 +227,7 @@ L$loop: andl %edx,%r12d andl %eax,%r11d movl 0(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%ecx movl %eax,%r11d addl %r12d,%ecx movl %eax,%r12d @@ -238,7 +238,7 @@ L$loop: andl %ecx,%r12d andl %edx,%r11d movl 20(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%ebx movl %edx,%r11d addl %r12d,%ebx movl %edx,%r12d @@ -249,7 +249,7 @@ L$loop: andl %ebx,%r12d andl %ecx,%r11d movl 40(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%eax movl %ecx,%r11d addl %r12d,%eax movl %ecx,%r12d @@ -260,7 +260,7 @@ L$loop: andl %eax,%r12d andl %ebx,%r11d movl 60(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%edx movl %ebx,%r11d addl %r12d,%edx movl %ebx,%r12d @@ -271,7 +271,7 @@ L$loop: andl %edx,%r12d andl %eax,%r11d movl 16(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%ecx movl %eax,%r11d addl %r12d,%ecx movl %eax,%r12d @@ -282,7 +282,7 @@ L$loop: andl %ecx,%r12d andl %edx,%r11d movl 36(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%ebx movl %edx,%r11d addl %r12d,%ebx movl %edx,%r12d @@ -293,7 +293,7 @@ L$loop: andl %ebx,%r12d andl %ecx,%r11d movl 56(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%eax movl %ecx,%r11d addl %r12d,%eax movl %ecx,%r12d @@ -304,7 +304,7 @@ L$loop: andl %eax,%r12d andl %ebx,%r11d movl 12(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%edx movl %ebx,%r11d addl %r12d,%edx movl %ebx,%r12d @@ -315,7 +315,7 @@ L$loop: andl %edx,%r12d andl %eax,%r11d movl 32(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%ecx movl %eax,%r11d addl %r12d,%ecx movl %eax,%r12d @@ -326,7 +326,7 @@ L$loop: andl %ecx,%r12d andl %edx,%r11d movl 52(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%ebx movl %edx,%r11d addl %r12d,%ebx movl %edx,%r12d @@ -337,7 +337,7 @@ L$loop: andl %ebx,%r12d andl %ecx,%r11d movl 8(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%eax movl %ecx,%r11d addl %r12d,%eax movl %ecx,%r12d @@ -348,7 +348,7 @@ L$loop: andl %eax,%r12d andl %ebx,%r11d movl 28(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%edx movl %ebx,%r11d addl %r12d,%edx movl %ebx,%r12d @@ -359,7 +359,7 @@ L$loop: andl %edx,%r12d andl %eax,%r11d movl 48(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%ecx movl %eax,%r11d addl %r12d,%ecx movl %eax,%r12d @@ -370,7 +370,7 @@ L$loop: andl %ecx,%r12d andl %edx,%r11d movl 0(%rsi),%r10d - orl %r11d,%r12d + addl %r11d,%ebx movl %edx,%r11d addl %r12d,%ebx movl %edx,%r12d diff --git a/generated-src/win-aarch64/crypto/fipsmodule/md5-armv8.S b/generated-src/win-aarch64/crypto/fipsmodule/md5-armv8.S index b90a880853..102520965e 100644 --- a/generated-src/win-aarch64/crypto/fipsmodule/md5-armv8.S +++ b/generated-src/win-aarch64/crypto/fipsmodule/md5-armv8.S @@ -192,165 +192,165 @@ md5_blocks_loop: add w9, w9, w13 // Add constant 0x49b40821 add w9, w9, w6 // Add aux function result ror w9, w9, #10 // Rotate left s=22 bits - bic x6, x8, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x8, x17 // Aux function round 2 (~z & y) add w9, w8, w9 // Add X parameter round 1 B=FF(B, C, D, A, 0x49b40821, s=22, M[15]) - and x13, x9, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x2562 // Load lower half of constant 0xf61e2562 movk x13, #0xf61e, lsl #16 // Load upper half of constant 0xf61e2562 add w4, w4, w20 // Add dest value add w4, w4, w13 // Add constant 0xf61e2562 - add w4, w4, w6 // Add aux function result + and x13, x9, x17 // Aux function round 2 (x & z) + add w4, w4, w6 // Add (~z & y) + add w4, w4, w13 // Add (x & z) ror w4, w4, #27 // Rotate left s=5 bits - bic x6, x9, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x9, x8 // Aux function round 2 (~z & y) add w4, w9, w4 // Add X parameter round 2 A=GG(A, B, C, D, 0xf61e2562, s=5, M[1]) - and x13, x4, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xb340 // Load lower half of constant 0xc040b340 movk x13, #0xc040, lsl #16 // Load upper half of constant 0xc040b340 add w17, w17, w7 // Add dest value add w17, w17, w13 // Add constant 0xc040b340 - add w17, w17, w6 // Add aux function result + and x13, x4, x8 // Aux function round 2 (x & z) + add w17, w17, w6 // Add (~z & y) + add w17, w17, w13 // Add (x & z) ror w17, w17, #23 // Rotate left s=9 bits - bic x6, x4, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x4, x9 // Aux function round 2 (~z & y) add w17, w4, w17 // Add X parameter round 2 D=GG(D, A, B, C, 0xc040b340, s=9, M[6]) - and x13, x17, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x5a51 // Load lower half of constant 0x265e5a51 movk x13, #0x265e, lsl #16 // Load upper half of constant 0x265e5a51 add w8, w8, w25 // Add dest value add w8, w8, w13 // Add constant 0x265e5a51 - add w8, w8, w6 // Add aux function result + and x13, x17, x9 // Aux function round 2 (x & z) + add w8, w8, w6 // Add (~z & y) + add w8, w8, w13 // Add (x & z) ror w8, w8, #18 // Rotate left s=14 bits - bic x6, x17, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x17, x4 // Aux function round 2 (~z & y) add w8, w17, w8 // Add X parameter round 2 C=GG(C, D, A, B, 0x265e5a51, s=14, M[11]) - and x13, x8, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xc7aa // Load lower half of constant 0xe9b6c7aa movk x13, #0xe9b6, lsl #16 // Load upper half of constant 0xe9b6c7aa add w9, w9, w15 // Add dest value add w9, w9, w13 // Add constant 0xe9b6c7aa - add w9, w9, w6 // Add aux function result + and x13, x8, x4 // Aux function round 2 (x & z) + add w9, w9, w6 // Add (~z & y) + add w9, w9, w13 // Add (x & z) ror w9, w9, #12 // Rotate left s=20 bits - bic x6, x8, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x8, x17 // Aux function round 2 (~z & y) add w9, w8, w9 // Add X parameter round 2 B=GG(B, C, D, A, 0xe9b6c7aa, s=20, M[0]) - and x13, x9, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x105d // Load lower half of constant 0xd62f105d movk x13, #0xd62f, lsl #16 // Load upper half of constant 0xd62f105d add w4, w4, w22 // Add dest value add w4, w4, w13 // Add constant 0xd62f105d - add w4, w4, w6 // Add aux function result + and x13, x9, x17 // Aux function round 2 (x & z) + add w4, w4, w6 // Add (~z & y) + add w4, w4, w13 // Add (x & z) ror w4, w4, #27 // Rotate left s=5 bits - bic x6, x9, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x9, x8 // Aux function round 2 (~z & y) add w4, w9, w4 // Add X parameter round 2 A=GG(A, B, C, D, 0xd62f105d, s=5, M[5]) - and x13, x4, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x1453 // Load lower half of constant 0x2441453 movk x13, #0x244, lsl #16 // Load upper half of constant 0x2441453 add w17, w17, w16 // Add dest value add w17, w17, w13 // Add constant 0x2441453 - add w17, w17, w6 // Add aux function result + and x13, x4, x8 // Aux function round 2 (x & z) + add w17, w17, w6 // Add (~z & y) + add w17, w17, w13 // Add (x & z) ror w17, w17, #23 // Rotate left s=9 bits - bic x6, x4, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x4, x9 // Aux function round 2 (~z & y) add w17, w4, w17 // Add X parameter round 2 D=GG(D, A, B, C, 0x2441453, s=9, M[10]) - and x13, x17, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xe681 // Load lower half of constant 0xd8a1e681 movk x13, #0xd8a1, lsl #16 // Load upper half of constant 0xd8a1e681 add w8, w8, w27 // Add dest value add w8, w8, w13 // Add constant 0xd8a1e681 - add w8, w8, w6 // Add aux function result + and x13, x17, x9 // Aux function round 2 (x & z) + add w8, w8, w6 // Add (~z & y) + add w8, w8, w13 // Add (x & z) ror w8, w8, #18 // Rotate left s=14 bits - bic x6, x17, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x17, x4 // Aux function round 2 (~z & y) add w8, w17, w8 // Add X parameter round 2 C=GG(C, D, A, B, 0xd8a1e681, s=14, M[15]) - and x13, x8, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xfbc8 // Load lower half of constant 0xe7d3fbc8 movk x13, #0xe7d3, lsl #16 // Load upper half of constant 0xe7d3fbc8 add w9, w9, w14 // Add dest value add w9, w9, w13 // Add constant 0xe7d3fbc8 - add w9, w9, w6 // Add aux function result + and x13, x8, x4 // Aux function round 2 (x & z) + add w9, w9, w6 // Add (~z & y) + add w9, w9, w13 // Add (x & z) ror w9, w9, #12 // Rotate left s=20 bits - bic x6, x8, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x8, x17 // Aux function round 2 (~z & y) add w9, w8, w9 // Add X parameter round 2 B=GG(B, C, D, A, 0xe7d3fbc8, s=20, M[4]) - and x13, x9, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xcde6 // Load lower half of constant 0x21e1cde6 movk x13, #0x21e1, lsl #16 // Load upper half of constant 0x21e1cde6 add w4, w4, w24 // Add dest value add w4, w4, w13 // Add constant 0x21e1cde6 - add w4, w4, w6 // Add aux function result + and x13, x9, x17 // Aux function round 2 (x & z) + add w4, w4, w6 // Add (~z & y) + add w4, w4, w13 // Add (x & z) ror w4, w4, #27 // Rotate left s=5 bits - bic x6, x9, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x9, x8 // Aux function round 2 (~z & y) add w4, w9, w4 // Add X parameter round 2 A=GG(A, B, C, D, 0x21e1cde6, s=5, M[9]) - and x13, x4, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x7d6 // Load lower half of constant 0xc33707d6 movk x13, #0xc337, lsl #16 // Load upper half of constant 0xc33707d6 add w17, w17, w12 // Add dest value add w17, w17, w13 // Add constant 0xc33707d6 - add w17, w17, w6 // Add aux function result + and x13, x4, x8 // Aux function round 2 (x & z) + add w17, w17, w6 // Add (~z & y) + add w17, w17, w13 // Add (x & z) ror w17, w17, #23 // Rotate left s=9 bits - bic x6, x4, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x4, x9 // Aux function round 2 (~z & y) add w17, w4, w17 // Add X parameter round 2 D=GG(D, A, B, C, 0xc33707d6, s=9, M[14]) - and x13, x17, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xd87 // Load lower half of constant 0xf4d50d87 movk x13, #0xf4d5, lsl #16 // Load upper half of constant 0xf4d50d87 add w8, w8, w21 // Add dest value add w8, w8, w13 // Add constant 0xf4d50d87 - add w8, w8, w6 // Add aux function result + and x13, x17, x9 // Aux function round 2 (x & z) + add w8, w8, w6 // Add (~z & y) + add w8, w8, w13 // Add (x & z) ror w8, w8, #18 // Rotate left s=14 bits - bic x6, x17, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x17, x4 // Aux function round 2 (~z & y) add w8, w17, w8 // Add X parameter round 2 C=GG(C, D, A, B, 0xf4d50d87, s=14, M[3]) - and x13, x8, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x14ed // Load lower half of constant 0x455a14ed movk x13, #0x455a, lsl #16 // Load upper half of constant 0x455a14ed add w9, w9, w5 // Add dest value add w9, w9, w13 // Add constant 0x455a14ed - add w9, w9, w6 // Add aux function result + and x13, x8, x4 // Aux function round 2 (x & z) + add w9, w9, w6 // Add (~z & y) + add w9, w9, w13 // Add (x & z) ror w9, w9, #12 // Rotate left s=20 bits - bic x6, x8, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x8, x17 // Aux function round 2 (~z & y) add w9, w8, w9 // Add X parameter round 2 B=GG(B, C, D, A, 0x455a14ed, s=20, M[8]) - and x13, x9, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xe905 // Load lower half of constant 0xa9e3e905 movk x13, #0xa9e3, lsl #16 // Load upper half of constant 0xa9e3e905 add w4, w4, w26 // Add dest value add w4, w4, w13 // Add constant 0xa9e3e905 - add w4, w4, w6 // Add aux function result + and x13, x9, x17 // Aux function round 2 (x & z) + add w4, w4, w6 // Add (~z & y) + add w4, w4, w13 // Add (x & z) ror w4, w4, #27 // Rotate left s=5 bits - bic x6, x9, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x9, x8 // Aux function round 2 (~z & y) add w4, w9, w4 // Add X parameter round 2 A=GG(A, B, C, D, 0xa9e3e905, s=5, M[13]) - and x13, x4, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0xa3f8 // Load lower half of constant 0xfcefa3f8 movk x13, #0xfcef, lsl #16 // Load upper half of constant 0xfcefa3f8 add w17, w17, w3 // Add dest value add w17, w17, w13 // Add constant 0xfcefa3f8 - add w17, w17, w6 // Add aux function result + and x13, x4, x8 // Aux function round 2 (x & z) + add w17, w17, w6 // Add (~z & y) + add w17, w17, w13 // Add (x & z) ror w17, w17, #23 // Rotate left s=9 bits - bic x6, x4, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x4, x9 // Aux function round 2 (~z & y) add w17, w4, w17 // Add X parameter round 2 D=GG(D, A, B, C, 0xfcefa3f8, s=9, M[2]) - and x13, x17, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x2d9 // Load lower half of constant 0x676f02d9 movk x13, #0x676f, lsl #16 // Load upper half of constant 0x676f02d9 add w8, w8, w23 // Add dest value add w8, w8, w13 // Add constant 0x676f02d9 - add w8, w8, w6 // Add aux function result + and x13, x17, x9 // Aux function round 2 (x & z) + add w8, w8, w6 // Add (~z & y) + add w8, w8, w13 // Add (x & z) ror w8, w8, #18 // Rotate left s=14 bits - bic x6, x17, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + bic x6, x17, x4 // Aux function round 2 (~z & y) add w8, w17, w8 // Add X parameter round 2 C=GG(C, D, A, B, 0x676f02d9, s=14, M[7]) - and x13, x8, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) - orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) movz x13, #0x4c8a // Load lower half of constant 0x8d2a4c8a movk x13, #0x8d2a, lsl #16 // Load upper half of constant 0x8d2a4c8a add w9, w9, w11 // Add dest value add w9, w9, w13 // Add constant 0x8d2a4c8a - add w9, w9, w6 // Add aux function result + and x13, x8, x4 // Aux function round 2 (x & z) + add w9, w9, w6 // Add (~z & y) + add w9, w9, w13 // Add (x & z) eor x6, x8, x17 // Begin aux function round 3 H(x,y,z)=(x^y^z) ror w9, w9, #12 // Rotate left s=20 bits movz x10, #0x3942 // Load lower half of constant 0xfffa3942 diff --git a/generated-src/win-x86_64/crypto/fipsmodule/aesni-xts-avx512.asm b/generated-src/win-x86_64/crypto/fipsmodule/aesni-xts-avx512.asm index 039f0c7ac2..749c0042da 100644 --- a/generated-src/win-x86_64/crypto/fipsmodule/aesni-xts-avx512.asm +++ b/generated-src/win-x86_64/crypto/fipsmodule/aesni-xts-avx512.asm @@ -447,7 +447,7 @@ $L$_remaining_num_blocks_is_5_hEgxyDlCngwrfFe: vmovdqu8 ZMMWORD[rdx],zmm1 vmovdqu XMMWORD[64+rdx],xmm2 add rdx,0x50 - movdqa xmm8,xmm2 + vmovdqa xmm8,xmm2 vextracti32x4 xmm0,zmm10,0x1 and r8,0xf je NEAR $L$_ret_hEgxyDlCngwrfFe diff --git a/generated-src/win-x86_64/crypto/fipsmodule/md5-x86_64.asm b/generated-src/win-x86_64/crypto/fipsmodule/md5-x86_64.asm index 492d6884e0..4cc846f33a 100644 --- a/generated-src/win-x86_64/crypto/fipsmodule/md5-x86_64.asm +++ b/generated-src/win-x86_64/crypto/fipsmodule/md5-x86_64.asm @@ -219,7 +219,7 @@ $L$loop: and r12d,ebx and r11d,ecx mov r10d,DWORD[24+rsi] - or r12d,r11d + add eax,r11d mov r11d,ecx add eax,r12d mov r12d,ecx @@ -230,7 +230,7 @@ $L$loop: and r12d,eax and r11d,ebx mov r10d,DWORD[44+rsi] - or r12d,r11d + add edx,r11d mov r11d,ebx add edx,r12d mov r12d,ebx @@ -241,7 +241,7 @@ $L$loop: and r12d,edx and r11d,eax mov r10d,DWORD[rsi] - or r12d,r11d + add ecx,r11d mov r11d,eax add ecx,r12d mov r12d,eax @@ -252,7 +252,7 @@ $L$loop: and r12d,ecx and r11d,edx mov r10d,DWORD[20+rsi] - or r12d,r11d + add ebx,r11d mov r11d,edx add ebx,r12d mov r12d,edx @@ -263,7 +263,7 @@ $L$loop: and r12d,ebx and r11d,ecx mov r10d,DWORD[40+rsi] - or r12d,r11d + add eax,r11d mov r11d,ecx add eax,r12d mov r12d,ecx @@ -274,7 +274,7 @@ $L$loop: and r12d,eax and r11d,ebx mov r10d,DWORD[60+rsi] - or r12d,r11d + add edx,r11d mov r11d,ebx add edx,r12d mov r12d,ebx @@ -285,7 +285,7 @@ $L$loop: and r12d,edx and r11d,eax mov r10d,DWORD[16+rsi] - or r12d,r11d + add ecx,r11d mov r11d,eax add ecx,r12d mov r12d,eax @@ -296,7 +296,7 @@ $L$loop: and r12d,ecx and r11d,edx mov r10d,DWORD[36+rsi] - or r12d,r11d + add ebx,r11d mov r11d,edx add ebx,r12d mov r12d,edx @@ -307,7 +307,7 @@ $L$loop: and r12d,ebx and r11d,ecx mov r10d,DWORD[56+rsi] - or r12d,r11d + add eax,r11d mov r11d,ecx add eax,r12d mov r12d,ecx @@ -318,7 +318,7 @@ $L$loop: and r12d,eax and r11d,ebx mov r10d,DWORD[12+rsi] - or r12d,r11d + add edx,r11d mov r11d,ebx add edx,r12d mov r12d,ebx @@ -329,7 +329,7 @@ $L$loop: and r12d,edx and r11d,eax mov r10d,DWORD[32+rsi] - or r12d,r11d + add ecx,r11d mov r11d,eax add ecx,r12d mov r12d,eax @@ -340,7 +340,7 @@ $L$loop: and r12d,ecx and r11d,edx mov r10d,DWORD[52+rsi] - or r12d,r11d + add ebx,r11d mov r11d,edx add ebx,r12d mov r12d,edx @@ -351,7 +351,7 @@ $L$loop: and r12d,ebx and r11d,ecx mov r10d,DWORD[8+rsi] - or r12d,r11d + add eax,r11d mov r11d,ecx add eax,r12d mov r12d,ecx @@ -362,7 +362,7 @@ $L$loop: and r12d,eax and r11d,ebx mov r10d,DWORD[28+rsi] - or r12d,r11d + add edx,r11d mov r11d,ebx add edx,r12d mov r12d,ebx @@ -373,7 +373,7 @@ $L$loop: and r12d,edx and r11d,eax mov r10d,DWORD[48+rsi] - or r12d,r11d + add ecx,r11d mov r11d,eax add ecx,r12d mov r12d,eax @@ -384,7 +384,7 @@ $L$loop: and r12d,ecx and r11d,edx mov r10d,DWORD[rsi] - or r12d,r11d + add ebx,r11d mov r11d,edx add ebx,r12d mov r12d,edx diff --git a/include/openssl/base.h b/include/openssl/base.h index 1d26ac9182..15a7d9e1fa 100644 --- a/include/openssl/base.h +++ b/include/openssl/base.h @@ -122,7 +122,7 @@ extern "C" { // ServiceIndicatorTest.AWSLCVersionString // Note: there are two versions of this test. Only one test is compiled // depending on FIPS mode. -#define AWSLC_VERSION_NUMBER_STRING "1.42.0" +#define AWSLC_VERSION_NUMBER_STRING "1.43.0" #if defined(BORINGSSL_SHARED_LIBRARY) diff --git a/include/openssl/curve25519.h b/include/openssl/curve25519.h index 6c79228c11..430ec09f27 100644 --- a/include/openssl/curve25519.h +++ b/include/openssl/curve25519.h @@ -78,31 +78,90 @@ OPENSSL_EXPORT void X25519_public_from_private( // ED25519_keypair sets |out_public_key| and |out_private_key| to a freshly // generated, public–private key pair. -OPENSSL_EXPORT void ED25519_keypair(uint8_t out_public_key[32], - uint8_t out_private_key[64]); +OPENSSL_EXPORT void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN], + uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN]); // ED25519_sign sets |out_sig| to be a signature of |message_len| bytes from // |message| using |private_key|. It returns one on success or zero on // allocation failure. -OPENSSL_EXPORT int ED25519_sign(uint8_t out_sig[64], const uint8_t *message, - size_t message_len, - const uint8_t private_key[64]); +OPENSSL_EXPORT int ED25519_sign(uint8_t out_sig[ED25519_SIGNATURE_LEN], + const uint8_t *message, size_t message_len, + const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]); // ED25519_verify returns one iff |signature| is a valid signature, by // |public_key| of |message_len| bytes from |message|. It returns zero // otherwise. OPENSSL_EXPORT int ED25519_verify(const uint8_t *message, size_t message_len, - const uint8_t signature[64], - const uint8_t public_key[32]); + const uint8_t signature[ED25519_SIGNATURE_LEN], + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]); + +// ED25519ctx_sign sets |out_sig| to be a Ed25519ctx (RFC 8032) pure signature +// of |message_len| bytes from |message| using |private_key|, and the provided +// |context_len| bytes for |context|. |context_len| must be greater than zero, +// but no more than 255. It returns one on success or zero on failure. +OPENSSL_EXPORT int ED25519ctx_sign( + uint8_t out_sig[ED25519_SIGNATURE_LEN], + const uint8_t *message, size_t message_len, + const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], + const uint8_t *context, size_t context_len); + +// ED25519ctx_verify returns one iff |signature| is a valid Ed25519ctx pure +// signature, by |public_key| of |message_len| bytes from |message|, and +// |context_len| bytes from |context|. |context_len| must be greater than zero, +// but no more than 255. It returns zero otherwise. +OPENSSL_EXPORT int ED25519ctx_verify(const uint8_t *message, size_t message_len, + const uint8_t signature[ED25519_SIGNATURE_LEN], + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], + const uint8_t *context, size_t context_len); + +// ED25519ph_sign sets |out_sig| to be a Ed25519ph (RFC 8032) / HashEdDSA +// signature of |message_len| bytes from |message| using |private_key|, and the +// provided |context_len| bytes for |context|. |context_len| may be zero, but no +// more than 255. It returns one on success or zero on failure. +OPENSSL_EXPORT int ED25519ph_sign( + uint8_t out_sig[ED25519_SIGNATURE_LEN], + const uint8_t *message, size_t message_len, + const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], + const uint8_t *context, size_t context_len); + +// ED25519ph_verify returns one iff |signature| is a valid Ed25519ph (RFC 8032) +// / HashEdDSA signature, by |public_key| of |message_len| bytes from |message|, +// and |context_len| bytes from |context|. |context_len| may be zero, but no +// more than 255. It returns zero otherwise. +OPENSSL_EXPORT int ED25519ph_verify(const uint8_t *message, size_t message_len, + const uint8_t signature[ED25519_SIGNATURE_LEN], + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], + const uint8_t *context, size_t context_len); + +// ED25519ph_sign_digest sets |out_sig| to be a Ed25519ph (RFC 8032) / HashEdDSA +// signature of a pre-computed SHA-512 message digest |digest| using +// |private_key|, and the provided |context_len| bytes for |context|. +// |context_len| may be zero, but no more than 255. +// It returns one on success or zero on failure. +OPENSSL_EXPORT int ED25519ph_sign_digest( + uint8_t out_sig[ED25519_SIGNATURE_LEN], + const uint8_t digest[64], + const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], + const uint8_t *context, size_t context_len); + +// ED25519ph_verify_digest returns one iff |signature| is a valid Ed25519ph (RFC +// 8032) / HashEdDSA signature, by |public_key| of a pre-computed SHA-512 +// message digest |digest|, and |context_len| bytes from |context|. +// |context_len| may be zero, but no more than 255. +// It returns zero otherwise. +OPENSSL_EXPORT int ED25519ph_verify_digest(const uint8_t digest[64], + const uint8_t signature[ED25519_SIGNATURE_LEN], + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], + const uint8_t *context, size_t context_len); // ED25519_keypair_from_seed calculates a public and private key from an // Ed25519 “seed”. Seed values are not exposed by this API (although they // happen to be the first 32 bytes of a private key) so this function is for // interoperating with systems that may store just a seed instead of a full // private key. -OPENSSL_EXPORT void ED25519_keypair_from_seed(uint8_t out_public_key[32], - uint8_t out_private_key[64], - const uint8_t seed[32]); +OPENSSL_EXPORT void ED25519_keypair_from_seed(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN], + uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN], + const uint8_t seed[ED25519_SEED_LEN]); // SPAKE2. diff --git a/include/openssl/digest.h b/include/openssl/digest.h index 8aeea40085..83d4189b71 100644 --- a/include/openssl/digest.h +++ b/include/openssl/digest.h @@ -318,6 +318,12 @@ OPENSSL_EXPORT int EVP_MD_nid(const EVP_MD *md); OPENSSL_EXPORT void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx); +// EVP_MD_CTX_get_pkey_ctx returns the pointer of |ctx|'s |EVP_PKEY_CTX|. +OPENSSL_EXPORT EVP_PKEY_CTX *EVP_MD_CTX_get_pkey_ctx(const EVP_MD_CTX *ctx); + +// EVP_MD_CTX_pkey_ctx is a legacy alias of |EVP_MD_CTX_get_pkey_ctx|. +OPENSSL_EXPORT EVP_PKEY_CTX *EVP_MD_CTX_pkey_ctx(const EVP_MD_CTX *ctx); + struct evp_md_pctx_ops; struct env_md_ctx_st { diff --git a/include/openssl/target.h b/include/openssl/target.h index 35f1add1aa..a3582c0f18 100644 --- a/include/openssl/target.h +++ b/include/openssl/target.h @@ -55,6 +55,10 @@ #elif defined(__MIPSEL__) && defined(__LP64__) #define OPENSSL_64_BIT #define OPENSSL_MIPS64 +#elif defined(__MIPSEB__) && !defined(__LP64__) +#define OPENSSL_32_BIT +#define OPENSSL_MIPS +#define OPENSSL_BIG_ENDIAN #elif defined(__riscv) && __SIZEOF_POINTER__ == 8 #define OPENSSL_64_BIT #define OPENSSL_RISCV64 @@ -86,7 +90,7 @@ #define OPENSSL_WINDOWS #endif -// Trusty and Android baremetal aren't Linux but currently define __linux__. +// Android baremetal aren't Linux but currently define __linux__. // As a workaround, we exclude them here. // We also exclude nanolibc/CrOS EC/Zephyr. nanolibc/CrOS EC/Zephyr // sometimes build for a non-Linux target (which should not define __linux__), @@ -94,32 +98,14 @@ // userspace, this lacks all the libc APIs we'd normally expect on Linux, so we // treat it as a non-Linux target. // -// TODO(b/169780122): Remove this workaround once Trusty no longer defines it. // TODO(b/291101350): Remove this workaround once Android baremetal no longer // defines it. -#if defined(__linux__) && !defined(__TRUSTY__) && \ +#if defined(__linux__) && \ !defined(ANDROID_BAREMETAL) && !defined(OPENSSL_NANOLIBC) && \ !defined(CROS_EC) && !defined(CROS_ZEPHYR) #define OPENSSL_LINUX #endif -#if defined(__Fuchsia__) -#define OPENSSL_FUCHSIA -#endif - -// Trusty is Android's TEE target. See -// https://source.android.com/docs/security/features/trusty -// -// Defining this on any other platform is not supported. Other embedded -// platforms must introduce their own defines. -#if defined(__TRUSTY__) -#define OPENSSL_TRUSTY -#define OPENSSL_NO_FILESYSTEM -#define OPENSSL_NO_POSIX_IO -#define OPENSSL_NO_SOCK -#define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED -#endif - // nanolibc is a particular minimal libc implementation. Defining this on any // other platform is not supported. Other embedded platforms must introduce // their own defines. diff --git a/include/openssl/x509.h b/include/openssl/x509.h index 688be12e8e..185d29b9d8 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -2731,6 +2731,11 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_cert(X509_STORE_CTX *c, X509 *x); #define X509_V_ERR_INVALID_CALL 65 #define X509_V_ERR_STORE_LOOKUP 66 #define X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS 67 +// The following error codes are related to security levels in OpenSSL and are +// unused in AWS-LC. See |SSL_CTX_set_security_level|. +#define X509_V_ERR_EE_KEY_TOO_SMALL 68 +#define X509_V_ERR_CA_KEY_TOO_SMALL 69 +#define X509_V_ERR_CA_MD_TOO_WEAK 70 // X509_STORE_CTX_get_error, after |X509_verify_cert| returns, returns // |X509_V_OK| if verification succeeded or an |X509_V_ERR_*| describing why diff --git a/sources.cmake b/sources.cmake index ea3e796fc3..305db66cb8 100644 --- a/sources.cmake +++ b/sources.cmake @@ -73,6 +73,8 @@ set( crypto/fipsmodule/cmac/cavp_aes192_cmac_tests.txt crypto/fipsmodule/cmac/cavp_aes256_cmac_tests.txt crypto/fipsmodule/curve25519/ed25519_tests.txt + crypto/fipsmodule/curve25519/ed25519ctx_tests.txt + crypto/fipsmodule/curve25519/ed25519ph_tests.txt crypto/fipsmodule/ec/ec_scalar_base_mult_tests.txt crypto/fipsmodule/ec/large_x_coordinate_points.txt crypto/fipsmodule/ec/p256-nistz_tests.txt diff --git a/tests/ci/integration/openvpn_patch/aws-lc-openvpn-master.patch b/tests/ci/integration/openvpn_patch/aws-lc-openvpn-master.patch deleted file mode 100644 index 39c47b59bc..0000000000 --- a/tests/ci/integration/openvpn_patch/aws-lc-openvpn-master.patch +++ /dev/null @@ -1,86 +0,0 @@ -diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c -index fbd38f3d..b4a37d42 100644 ---- a/src/openvpn/crypto_openssl.c -+++ b/src/openvpn/crypto_openssl.c -@@ -1397,7 +1397,7 @@ out: - - return ret; - } --#elif !defined(LIBRESSL_VERSION_NUMBER) && !defined(ENABLE_CRYPTO_WOLFSSL) -+#elif !defined(LIBRESSL_VERSION_NUMBER) && !defined(ENABLE_CRYPTO_WOLFSSL) && !defined(OPENSSL_IS_AWSLC) - bool - ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, - int secret_len, uint8_t *output, int output_len) -@@ -1443,6 +1443,13 @@ out: - EVP_PKEY_CTX_free(pctx); - return ret; - } -+#elif defined(OPENSSL_IS_AWSLC) -+bool -+ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, -+ int slen, uint8_t *out1, int olen) -+{ -+ CRYPTO_tls1_prf(EVP_md5_sha1(), out1, olen, sec, slen, label, label_len, NULL, 0, NULL, 0); -+} - #else /* if defined(LIBRESSL_VERSION_NUMBER) */ - /* LibreSSL and wolfSSL do not expose a TLS 1.0/1.1 PRF via the same APIs as - * OpenSSL does. As result they will only be able to support -diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h -index 95417b22..61b632dd 100644 ---- a/src/openvpn/openssl_compat.h -+++ b/src/openvpn/openssl_compat.h -@@ -75,7 +75,7 @@ X509_OBJECT_free(X509_OBJECT *obj) - #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT - #endif - --#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL -+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL || defined(OPENSSL_IS_AWSLC) - #define SSL_get_peer_tmp_key SSL_get_server_tmp_key - #endif - -diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c -index 0d845f4a..c47a0c5d 100644 ---- a/src/openvpn/ssl_openssl.c -+++ b/src/openvpn/ssl_openssl.c -@@ -1631,7 +1631,11 @@ tls_ctx_use_external_ec_key(struct tls_root_ctx *ctx, EVP_PKEY *pkey) - - /* Among init methods, we only need the finish method */ - EC_KEY_METHOD_set_init(ec_method, NULL, openvpn_extkey_ec_finish, NULL, NULL, NULL, NULL); -+#ifdef OPENSSL_IS_AWSLC -+ EC_KEY_METHOD_set_sign(ec_method, ecdsa_sign, NULL, ecdsa_sign_sig); -+#else - EC_KEY_METHOD_set_sign(ec_method, ecdsa_sign, ecdsa_sign_setup, ecdsa_sign_sig); -+#endif - - ec = EC_KEY_dup(EVP_PKEY_get0_EC_KEY(pkey)); - if (!ec) -@@ -1857,9 +1861,11 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, - } - sk_X509_INFO_pop_free(info_stack, X509_INFO_free); - } -- -+ -+ int cnum; - if (tls_server) - { -+ cnum = sk_X509_NAME_num(cert_names); - SSL_CTX_set_client_CA_list(ctx->ctx, cert_names); - } - -@@ -1872,7 +1878,6 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, - - if (tls_server) - { -- int cnum = sk_X509_NAME_num(cert_names); - if (cnum != added) - { - crypto_msg(M_FATAL, "Cannot load CA certificate file %s (only %d " -@@ -2520,7 +2525,7 @@ show_available_tls_ciphers_list(const char *cipher_list, - crypto_msg(M_FATAL, "Cannot create SSL object"); - } - --#if OPENSSL_VERSION_NUMBER < 0x1010000fL -+#if OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(OPENSSL_IS_AWSLC) - STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl); - #else - STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl); diff --git a/tests/ci/integration/run_openvpn_integration.sh b/tests/ci/integration/run_openvpn_integration.sh index d64c5e3d18..95f216caac 100755 --- a/tests/ci/integration/run_openvpn_integration.sh +++ b/tests/ci/integration/run_openvpn_integration.sh @@ -41,6 +41,7 @@ function openvpn_build() { OPENSSL_CFLAGS="-I/${AWS_LC_INSTALL_FOLDER}/include" \ OPENSSL_LIBS="-L/${AWS_LC_INSTALL_FOLDER}/lib -lssl -lcrypto" \ + LDFLAGS="-Wl,-rpath=/${AWS_LC_INSTALL_FOLDER}/lib" \ ./configure \ --prefix="$OPENVPN_BUILD_PREFIX" \ --exec-prefix="$OPENVPN_BUILD_EPREFIX" \ @@ -49,36 +50,21 @@ function openvpn_build() { make -j install - export LD_LIBRARY_PATH="${AWS_LC_INSTALL_FOLDER}/lib" - local openvpn_executable="${OPENVPN_SRC_FOLDER}/build/exec-install/sbin/openvpn" ldd ${openvpn_executable} \ | grep "${AWS_LC_INSTALL_FOLDER}/lib/libcrypto.so" || exit 1 } -# TODO: Remove this when we make an upstream contribution. function openvpn_patch_build() { - case "$BRANCH_NAME" in - "release/2.6") - patchfile="${OPENVPN_PATCH_BUILD_FOLDER}/aws-lc-openvpn2-6-x.patch" - ;; - "master") - patchfile="${OPENVPN_PATCH_BUILD_FOLDER}/aws-lc-openvpn-master.patch" - ;; - *) - echo "No specific patch file for branch: $BRANCH_NAME" - exit 1 - ;; - esac - - echo "Apply patch $patchfile..." - patch -p1 --quiet -i "$patchfile" + if [ "$BRANCH_NAME" = "release/2.6" ]; then + patchfile="${OPENVPN_PATCH_BUILD_FOLDER}/aws-lc-openvpn2-6-x.patch" + echo "Apply patch $patchfile..." + patch -p1 --quiet -i "$patchfile" + fi } function openvpn_run_tests() { - # Explicitly running as sudo and passing in LD_LIBRARY_PATH as some OpenVPN - # tests run as sudo and LD_LIBRARY_PATH doesn't get inherited. - sudo LD_LIBRARY_PATH="${AWS_LC_INSTALL_FOLDER}/lib" make check + sudo make check } git clone https://github.com/OpenVPN/openvpn.git ${OPENVPN_SRC_FOLDER} diff --git a/util/fipstools/acvp/acvptool/acvp.go b/util/fipstools/acvp/acvptool/acvp.go index 8cdb89de49..980c7d3576 100644 --- a/util/fipstools/acvp/acvptool/acvp.go +++ b/util/fipstools/acvp/acvptool/acvp.go @@ -38,6 +38,7 @@ import ( "time" "boringssl.googlesource.com/boringssl/util/fipstools/acvp/acvptool/acvp" + "boringssl.googlesource.com/boringssl/util/fipstools/acvp/acvptool/katemitter" "boringssl.googlesource.com/boringssl/util/fipstools/acvp/acvptool/subprocess" ) @@ -51,6 +52,7 @@ var ( expectedOutFlag = flag.String("expected-out", "", "Name of a file to write the expected results to") wrapperPath = flag.String("wrapper", "../../../../build/util/fipstools/acvp/modulewrapper/modulewrapper", "Path to the wrapper binary") waitForDebugger = flag.Bool("wait-for-debugger", false, "If true, jobs will run one at a time and pause for a debugger to attach") + katFilePath = flag.String("kat-out", "", "Writes a KAT file out if with test information for use with AWS-LC's file-based test framework. Support is limited, so if you don't see content it's likely not plumbed in.") ) type Config struct { @@ -555,6 +557,13 @@ func main() { log.Fatalf("failed to parse configuration from Middle: %s", err) } + if len(*katFilePath) > 0 { + if err := katemitter.EmitToFile(*katFilePath); err != nil { + log.Fatalf("failed to start kat emitter: %v", err) + } + defer katemitter.Close() + } + if *dumpRegcap { nonTestAlgos := make([]map[string]interface{}, 0, len(supportedAlgos)) for _, algo := range supportedAlgos { diff --git a/util/fipstools/acvp/acvptool/katemitter/emitter.go b/util/fipstools/acvp/acvptool/katemitter/emitter.go new file mode 100644 index 0000000000..cbca3e9761 --- /dev/null +++ b/util/fipstools/acvp/acvptool/katemitter/emitter.go @@ -0,0 +1,87 @@ +// katemitter is a package which (with best effort) will attempt to emit test case data to a configured file +// for use by AWS-LC's file-based test framework. "Attempt" because it doesn't check for errors on the writer +// destination. But this is mostly a facility to aid in getting KATs for algorithms and re-using the inputs/outputs +// from the ACVP server after they have been validated as accurate. +package katemitter + +import ( + "bytes" + "encoding/hex" + "fmt" + "io" + "os" +) + +type stubEmitter struct{} + +func (s *stubEmitter) Close() error { + return nil +} + +func (s *stubEmitter) Write(p []byte) (n int, err error) { + return len(p), nil +} + +var katDestination io.WriteCloser = &stubEmitter{} + +func EmitToFile(path string) error { + if err := Close(); err != nil { + return err + } + + f, err := os.Create(path) + if err != nil { + return err + } + + katDestination = f + + return nil +} + +func NewTestCase(comment string) { + var buffer bytes.Buffer + buffer.WriteRune('\n') + buffer.WriteString("# Case: ") + buffer.WriteString(comment) + buffer.WriteRune('\n') + _, _ = io.Copy(katDestination, &buffer) +} + +func NewSection(title string) { + var buffer bytes.Buffer + buffer.WriteRune('\n') + buffer.WriteString("# Section: ") + buffer.WriteString(title) + buffer.WriteByte('\n') + _, _ = io.Copy(katDestination, &buffer) +} + +func WriteComment(comment string) { + _, _ = katDestination.Write([]byte("# " + comment + "\n")) +} + +func WriteStringKvPair(key string, value string) { + _, _ = katDestination.Write([]byte(fmt.Sprintf("%s = %s\n", key, value))) +} + +func WriteBytesKvPair(key string, value []byte) { + _, _ = katDestination.Write([]byte(fmt.Sprintf("%s = %s\n", key, hex.EncodeToString(value)))) +} + +func WriteIntKvPair(key string, value int) { + _, _ = katDestination.Write([]byte(fmt.Sprintf("%s = %d\n", key, value))) +} + +func WriteInt64KvPair(key string, value int64) { + _, _ = katDestination.Write([]byte(fmt.Sprintf("%s = %d\n", key, value))) +} + +func WriteUInt64KvPair(key string, value uint64) { + _, _ = katDestination.Write([]byte(fmt.Sprintf("%s = %d\n", key, value))) +} + +func Close() error { + _, _ = katDestination.Write([]byte("\n")) + return katDestination.Close() +} diff --git a/util/fipstools/acvp/acvptool/subprocess/eddsa.go b/util/fipstools/acvp/acvptool/subprocess/eddsa.go index 2f8698b73f..c7ca48597c 100644 --- a/util/fipstools/acvp/acvptool/subprocess/eddsa.go +++ b/util/fipstools/acvp/acvptool/subprocess/eddsa.go @@ -7,6 +7,8 @@ import ( "encoding/json" "fmt" "strings" + + "boringssl.googlesource.com/boringssl/util/fipstools/acvp/acvptool/katemitter" ) // NIST ACVP EDDSA Schema: https://pages.nist.gov/ACVP/draft-celi-acvp-eddsa.html @@ -130,28 +132,50 @@ func processEddsaSigGenTestGroup(testGroups json.RawMessage, m Transactable) (in return nil, fmt.Errorf("unsupported test type %q", group.Type) } + if group.Prehash { + katemitter.NewSection(fmt.Sprintf("HashEdDSA %s %s", group.Curve, group.Type)) + } else { + katemitter.NewSection(fmt.Sprintf("EdDSA %s %s", group.Curve, group.Type)) + } + results, err := m.Transact("EDDSA/"+string(group.Curve)+"/keyGen", 2) if err != nil { return nil, err } seed := results[0] + q := results[1] response := eddsaSigGenTestGroupResponse{ ID: group.ID, - Q: results[1], + Q: q, } for _, test := range group.Tests { - results, err := m.Transact("EDDSA/"+string(group.Curve)+"/sigGen", 1, seed, test.Message) + command := "EDDSA/" + string(group.Curve) + "/sigGen" + args := [][]byte{seed, test.Message} + + if group.Prehash { + if test.ContextLength != len(test.Context) { + return nil, fmt.Errorf("mismatch between context and contextLength, %v != %v", test.ContextLength, len(test.Context)) + } + command += "/preHash" + args = append(args, test.Context) + } + + results, err := m.Transact(command, 1, args...) if err != nil { return nil, err } + signature := results[0] + response.Tests = append(response.Tests, eddsaSigGenTestCaseResponse{ ID: test.ID, - Signature: results[0], + Signature: signature, }) + + emitSigGenKatTestCase(test.ID, seed, q, test.Message, test.Context, signature) } ret = append(ret, response) @@ -178,7 +202,17 @@ func processEddsaSigVerTestGroup(testGroups json.RawMessage, m Transactable) (in } for _, test := range group.Tests { - results, err := m.Transact("EDDSA/"+string(group.Curve)+"/sigVer", 1, test.Message, test.Q, test.Signature) + command := "EDDSA/" + string(group.Curve) + "/sigVer" + args := [][]byte{test.Message, test.Q, test.Signature} + + if group.Prehash { + command += "/preHash" + // ACVP sigVer supports HashEdDSA/PreHash but doesn't list context as given in the schema? + // Assuming an empty context here for now until the schema changes... + args = append(args, []byte{}) + } + + results, err := m.Transact(command, 1, args...) if err != nil { return nil, err } @@ -247,8 +281,10 @@ type eddsaSigGenTestGroup struct { Prehash bool `json:"prehash"` Type string `json:"testType"` Tests []struct { - ID uint64 `json:"tcId"` - Message hexEncodedByteString `json:"message"` + ID uint64 `json:"tcId"` + Message hexEncodedByteString `json:"message"` + Context hexEncodedByteString `json:"context"` + ContextLength int `json:"contextLength"` } } @@ -306,3 +342,14 @@ type eddsaSigVerTestCaseResponse struct { ID uint64 `json:"tcId"` Passed *bool `json:"testPassed"` } + +func emitSigGenKatTestCase(id uint64, seed, q, message, context, signature []byte) { + katemitter.NewTestCase(fmt.Sprintf("%d", id)) + katemitter.WriteBytesKvPair("SEED", seed) + katemitter.WriteBytesKvPair("Q", q) + katemitter.WriteBytesKvPair("MESSAGE", message) + if len(context) > 0 { + katemitter.WriteBytesKvPair("CONTEXT", context) + } + katemitter.WriteBytesKvPair("SIGNATURE", signature) +} diff --git a/util/fipstools/acvp/acvptool/subprocess/ml_dsa.go b/util/fipstools/acvp/acvptool/subprocess/ml_dsa.go new file mode 100644 index 0000000000..fa7e7bc553 --- /dev/null +++ b/util/fipstools/acvp/acvptool/subprocess/ml_dsa.go @@ -0,0 +1,239 @@ +// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 OR ISC + +package subprocess + +import ( + "encoding/json" + "fmt" + "strings" +) + +type mlDsa struct{} + +func (*mlDsa) Process(vectorSet []byte, m Transactable) (interface{}, error) { + var vs struct { + Mode string `json:"mode"` + TestGroups json.RawMessage `json:"testGroups"` + } + + if err := json.Unmarshal(vectorSet, &vs); err != nil { + return nil, err + } + + switch { + case strings.EqualFold(vs.Mode, "keyGen"): + return processMlDsaKeyGen(vs.TestGroups, m) + case strings.EqualFold(vs.Mode, "sigGen"): + return processMlDsaSigGen(vs.TestGroups, m) + case strings.EqualFold(vs.Mode, "sigVer"): + return processMlDsaSigVer(vs.TestGroups, m) + } + + return nil, fmt.Errorf("unknown ML-DSA mode: %v", vs.Mode) +} + +type mlDsaKeyGenTestGroup struct { + ID uint64 `json:"tgId"` + Type string `json:"testType"` + ParameterSet string `json:"parameterSet"` + Tests []struct { + ID uint64 `json:"tcId"` + SEED hexEncodedByteString `json:"seed"` + } +} + +type mlDsaKeyGenTestGroupResponse struct { + ID uint64 `json:"tgId"` + Tests []mlDsaKeyGenTestCaseResponse `json:"tests"` +} + +type mlDsaKeyGenTestCaseResponse struct { + ID uint64 `json:"tcId"` + PK hexEncodedByteString `json:"pk"` + SK hexEncodedByteString `json:"sk"` +} + +func processMlDsaKeyGen(vectors json.RawMessage, m Transactable) (interface{}, error) { + var groups []mlDsaKeyGenTestGroup + + if err := json.Unmarshal(vectors, &groups); err != nil { + return nil, err + } + + var responses []mlDsaKeyGenTestGroupResponse + + for _, group := range groups { + if !strings.EqualFold(group.Type, "AFT") { + return nil, fmt.Errorf("unsupported keyGen test type: %v", group.Type) + } + + response := mlDsaKeyGenTestGroupResponse{ + ID: group.ID, + } + + for _, test := range group.Tests { + results, err := m.Transact("ML-DSA/"+group.ParameterSet+"/keyGen", 2, test.SEED) + if err != nil { + return nil, err + } + + pk := results[0] + sk := results[1] + + response.Tests = append(response.Tests, mlDsaKeyGenTestCaseResponse{ + ID: test.ID, + PK: pk, + SK: sk, + }) + } + + responses = append(responses, response) + } + + return responses, nil +} + +type mlDsaSigGenTestGroup struct { + ID uint64 `json:"tgId"` + Type string `json:"testType"` + ParameterSet string `json:"parameterSet"` + Deterministic bool `json:"deterministic"` + SignatureInterface string `json:"signatureInterface"` + ExternalMu bool `json:"externalMu` + Tests []struct { + ID uint64 `json:"tcId"` + Message hexEncodedByteString `json:"message"` + MU hexEncodedByteString `json:"mu"` + SK hexEncodedByteString `json:"sk"` + RND hexEncodedByteString `json:"rnd"` + Context hexEncodedByteString `json:"context"` + HashAlg string `json:"hashAlg"` + } +} + +type mlDsaSigGenTestGroupResponse struct { + ID uint64 `json:"tgId"` + Tests []mlDsaSigGenTestCaseResponse `json:"tests"` +} + +type mlDsaSigGenTestCaseResponse struct { + ID uint64 `json:"tcId"` + Signature hexEncodedByteString `json:"signature"` +} + +// Convert boolean to byte slice (using 1 for true, 0 for false) +func boolToBytes(b bool) []byte { + if b { + return []byte{1} + } + return []byte{0} +} + +func processMlDsaSigGen(vectors json.RawMessage, m Transactable) (interface{}, error) { + var groups []mlDsaSigGenTestGroup + + if err := json.Unmarshal(vectors, &groups); err != nil { + return nil, err + } + + var responses []mlDsaSigGenTestGroupResponse + + for _, group := range groups { + if !strings.EqualFold(group.Type, "AFT") { + return nil, fmt.Errorf("unsupported sigGen test type: %v", group.Type) + } + + response := mlDsaSigGenTestGroupResponse{ + ID: group.ID, + } + + for _, test := range group.Tests { + results, err := m.Transact("ML-DSA/"+group.ParameterSet+"/sigGen", + 1, test.SK, test.Message, test.MU, test.RND, boolToBytes(group.ExternalMu)) + if err != nil { + return nil, err + } + + signature := results[0] + + response.Tests = append(response.Tests, mlDsaSigGenTestCaseResponse{ + ID: test.ID, + Signature: signature, + }) + } + + responses = append(responses, response) + } + return responses, nil +} + +type mlDsaSigVerTestGroup struct { + ID uint64 `json:"tgId"` + Type string `json:"testType"` + ParameterSet string `json:"parameterSet"` + Deterministic bool `json:"deterministic"` + SignatureInterface string `json:"signatureInterface"` + ExternalMu bool `json:"externalMu` + Tests []struct { + ID uint64 `json:"tcId"` + PK hexEncodedByteString `json:"pk"` + Message hexEncodedByteString `json:"message"` + MU hexEncodedByteString `json:"mu"` + Signature hexEncodedByteString `json:"signature"` + Context hexEncodedByteString `json:"context"` + HashAlg string `json:"hashAlg"` + } +} + +type mlDsaSigVerTestGroupResponse struct { + ID uint64 `json:"tgId"` + Tests []mlDsaSigVerTestCaseResponse `json:"tests"` +} + +type mlDsaSigVerTestCaseResponse struct { + ID uint64 `json:"tcId"` + TestPassed *bool `json:"testPassed"` +} + +func processMlDsaSigVer(vectors json.RawMessage, m Transactable) (interface{}, error) { + var groups []mlDsaSigVerTestGroup + + if err := json.Unmarshal(vectors, &groups); err != nil { + return nil, err + } + + var responses []mlDsaSigVerTestGroupResponse + + for _, group := range groups { + if !strings.EqualFold(group.Type, "AFT") { + return nil, fmt.Errorf("unsupported sigVer test type: %v", group.Type) + } + + response := mlDsaSigVerTestGroupResponse{ + ID: group.ID, + } + + for _, test := range group.Tests { + results, err := m.Transact("ML-DSA/"+group.ParameterSet+"/sigVer", 1, + test.Signature, test.PK, test.Message, test.MU, boolToBytes(group.ExternalMu)) + if err != nil { + return nil, err + } + + var passed *bool + if len(results[0]) == 1 { + val := results[0][0] == 1 + passed = &val + } + + response.Tests = append(response.Tests, mlDsaSigVerTestCaseResponse{ + ID: test.ID, + TestPassed: passed, + }) + } + + responses = append(responses, response) + } + return responses, nil +} diff --git a/util/fipstools/acvp/acvptool/subprocess/subprocess.go b/util/fipstools/acvp/acvptool/subprocess/subprocess.go index dc60c3050a..4825a8218c 100644 --- a/util/fipstools/acvp/acvptool/subprocess/subprocess.go +++ b/util/fipstools/acvp/acvptool/subprocess/subprocess.go @@ -155,6 +155,7 @@ func NewWithIO(cmd *exec.Cmd, in io.WriteCloser, out io.ReadCloser) *Subprocess "PBKDF": &pbkdf{}, "ML-KEM": &mlKem{}, "EDDSA": &eddsa{}, + "ML-DSA": &mlDsa{}, } m.primitives["ECDSA"] = &ecdsa{"ECDSA", map[string]bool{"P-224": true, "P-256": true, "P-384": true, "P-521": true}, m.primitives} diff --git a/util/fipstools/acvp/acvptool/test/expected/EDDSA.bz2 b/util/fipstools/acvp/acvptool/test/expected/EDDSA.bz2 index 954e023b51..e9160d80cd 100644 Binary files a/util/fipstools/acvp/acvptool/test/expected/EDDSA.bz2 and b/util/fipstools/acvp/acvptool/test/expected/EDDSA.bz2 differ diff --git a/util/fipstools/acvp/acvptool/test/expected/ML-DSA.bz2 b/util/fipstools/acvp/acvptool/test/expected/ML-DSA.bz2 new file mode 100644 index 0000000000..9f81f11c4d Binary files /dev/null and b/util/fipstools/acvp/acvptool/test/expected/ML-DSA.bz2 differ diff --git a/util/fipstools/acvp/acvptool/test/tests.json b/util/fipstools/acvp/acvptool/test/tests.json index a011e2b388..d344f105d5 100644 --- a/util/fipstools/acvp/acvptool/test/tests.json +++ b/util/fipstools/acvp/acvptool/test/tests.json @@ -37,5 +37,6 @@ {"Wrapper": "modulewrapper", "In": "vectors/ML-KEM.bz2", "Out": "expected/ML-KEM.bz2"}, {"Wrapper": "modulewrapper", "In": "vectors/EDDSA.bz2", "Out": "expected/EDDSA.bz2"}, {"Wrapper": "modulewrapper", "In": "vectors/EDDSA-KeyGen.bz2"}, -{"Wrapper": "modulewrapper", "In": "vectors/EDDSA-SigGen.bz2"} +{"Wrapper": "modulewrapper", "In": "vectors/EDDSA-SigGen.bz2"}, +{"Wrapper": "modulewrapper", "In": "vectors/ML-DSA.bz2", "Out": "expected/ML-DSA.bz2"} ] diff --git a/util/fipstools/acvp/acvptool/test/vectors/EDDSA-KeyGen.bz2 b/util/fipstools/acvp/acvptool/test/vectors/EDDSA-KeyGen.bz2 index 66c8536078..abd04b66c2 100644 Binary files a/util/fipstools/acvp/acvptool/test/vectors/EDDSA-KeyGen.bz2 and b/util/fipstools/acvp/acvptool/test/vectors/EDDSA-KeyGen.bz2 differ diff --git a/util/fipstools/acvp/acvptool/test/vectors/EDDSA-SigGen.bz2 b/util/fipstools/acvp/acvptool/test/vectors/EDDSA-SigGen.bz2 index 98199ace17..6ef758194e 100644 Binary files a/util/fipstools/acvp/acvptool/test/vectors/EDDSA-SigGen.bz2 and b/util/fipstools/acvp/acvptool/test/vectors/EDDSA-SigGen.bz2 differ diff --git a/util/fipstools/acvp/acvptool/test/vectors/EDDSA.bz2 b/util/fipstools/acvp/acvptool/test/vectors/EDDSA.bz2 index 4d32631402..f3fa2c53e6 100644 Binary files a/util/fipstools/acvp/acvptool/test/vectors/EDDSA.bz2 and b/util/fipstools/acvp/acvptool/test/vectors/EDDSA.bz2 differ diff --git a/util/fipstools/acvp/acvptool/test/vectors/ML-DSA.bz2 b/util/fipstools/acvp/acvptool/test/vectors/ML-DSA.bz2 new file mode 100644 index 0000000000..e9020f994b Binary files /dev/null and b/util/fipstools/acvp/acvptool/test/vectors/ML-DSA.bz2 differ diff --git a/util/fipstools/acvp/modulewrapper/modulewrapper.cc b/util/fipstools/acvp/modulewrapper/modulewrapper.cc index 5328922589..aa480cec28 100644 --- a/util/fipstools/acvp/modulewrapper/modulewrapper.cc +++ b/util/fipstools/acvp/modulewrapper/modulewrapper.cc @@ -57,19 +57,15 @@ #include "../../../../crypto/fipsmodule/hmac/internal.h" #include "../../../../crypto/fipsmodule/rand/internal.h" #include "../../../../crypto/fipsmodule/curve25519/internal.h" +#include "../../../../crypto/ml_dsa/ml_dsa.h" +#include "../../../../crypto/ml_dsa/ml_dsa_ref/params.h" #include "modulewrapper.h" namespace bssl { namespace acvp { -#if defined(OPENSSL_TRUSTY) -#include -#define LOG_ERROR(...) TLOGE(__VA_ARGS__) -#define TLOG_TAG "modulewrapper" -#else #define LOG_ERROR(...) fprintf(stderr, __VA_ARGS__) -#endif // OPENSSL_TRUSTY #define AES_GCM_NONCE_LENGTH 12 @@ -1368,14 +1364,74 @@ static bool GetConfig(const Span args[], "revision": "1.0", "curve": ["ED-25519"], "pure": true, - "preHash": false + "preHash": true, + "contextLength": [{"min": 0, "max": 255, "increment": 1}] },{ "algorithm": "EDDSA", "mode": "sigVer", "revision": "1.0", "curve": ["ED-25519"], "pure": true, - "preHash": false + "preHash": true, + "contextLength": [{"min": 0, "max": 255, "increment": 1}] + },)" + R"({ + "algorithm": "ML-DSA", + "mode": "keyGen", + "revision": "FIPS204", + "parameterSets": ["ML-DSA-44", "ML-DSA-65", "ML-DSA-87"] + },{ + "algorithm": "ML-DSA", + "mode": "sigGen", + "revision": "FIPS204", + "capabilities": [ + { + "parameterSets": [ + "ML-DSA-44", + "ML-DSA-65", + "ML-DSA-87" + ], + "messageLength": [ + { + "min": 8, + "max": 65536, + "increment": 8 + } + ] + } + ], + "deterministic": [false], + "externalMu": [ + true, + false + ], + "signatureInterfaces": ["internal"] + },{ + "algorithm": "ML-DSA", + "mode": "sigVer", + "revision": "FIPS204", + "capabilities": [ + { + "parameterSets": [ + "ML-DSA-44", + "ML-DSA-65", + "ML-DSA-87" + ], + "messageLength": [ + { + "min": 8, + "max": 65536, + "increment": 8 + } + ] + } + ], + "deterministic": [false], + "externalMu": [ + true, + false + ], + "signatureInterfaces": ["internal"] }])"; return write_reply({Span( reinterpret_cast(kConfig), sizeof(kConfig) - 1)}); @@ -3072,6 +3128,210 @@ static bool ED25519SigVer(const Span args[], return write_reply({Span(reply)}); } +static bool ED25519phSigGen(const Span args[], + ReplyCallback write_reply) { + const Span seed = args[0]; + const Span message = args[1]; + const Span context = args[2]; + + std::vector private_key(ED25519_PRIVATE_KEY_LEN); + std::vector public_key(ED25519_PUBLIC_KEY_LEN); + std::vector signature(ED25519_SIGNATURE_LEN); + + ::ED25519_keypair_from_seed(public_key.data(), private_key.data(), + seed.data()); + + if (!::ED25519ph_sign(signature.data(), message.data(), message.size(), + private_key.data(), context.data(), context.size())) { + return false; + } + + return write_reply({Span(signature)}); +} + +static bool ED25519phSigVer(const Span args[], + ReplyCallback write_reply) { + const Span message = args[0]; + const Span public_key = args[1]; + const Span signature = args[2]; + const Span context = args[3]; + + uint8_t reply[1] = {0}; + if (::ED25519ph_verify(message.data(), message.size(), signature.data(), + public_key.data(), context.data(), context.size())) { + reply[0] = 1; + } else { + ERR_clear_error(); + } + + return write_reply({Span(reply)}); +} + +template +static bool ML_DSA_KEYGEN(const Span args[], + ReplyCallback write_reply) { + const Span seed = args[0]; + + //init params of the correct size based on provided nid + ml_dsa_params params; + if (nid == NID_MLDSA44) { + ml_dsa_44_params_init(¶ms); + } + else if (nid == NID_MLDSA65) { + ml_dsa_65_params_init(¶ms); + } + else if (nid == NID_MLDSA87) { + ml_dsa_87_params_init(¶ms); + } + + // create public and private key buffers + std::vector public_key(params.public_key_bytes); + std::vector private_key(params.secret_key_bytes); + + // generate the keys + if (nid == NID_MLDSA44) { + if (!ml_dsa_44_keypair_internal(public_key.data(), private_key.data(), seed.data())) { + return false; + } + } + else if (nid == NID_MLDSA65) { + if (!ml_dsa_65_keypair_internal(public_key.data(), private_key.data(), seed.data())) { + return false; + } + } + else if (nid == NID_MLDSA87) { + if (!ml_dsa_87_keypair_internal(public_key.data(), private_key.data(), seed.data())) { + return false; + } + } + return write_reply({Span(public_key.data(), public_key.size()), + Span(private_key.data(), private_key.size())}); +} + +template +static bool ML_DSA_SIGGEN(const Span args[], + ReplyCallback write_reply) { + const Span sk = args[0]; + const Span msg = args[1]; + const Span mu = args[2]; + const Span rnd = args[3]; + const Span extmu = args[4]; + + ml_dsa_params params; + if (nid == NID_MLDSA44) { + ml_dsa_44_params_init(¶ms); + } + else if (nid == NID_MLDSA65) { + ml_dsa_65_params_init(¶ms); + } + else if (nid == NID_MLDSA87) { + ml_dsa_87_params_init(¶ms); + } + + size_t signature_len = params.bytes; + std::vector signature(signature_len); + + // generate the signatures raw sign mode + if (extmu.data()[0] == 0) { + if (nid == NID_MLDSA44) { + if (!ml_dsa_44_sign_internal(sk.data(), signature.data(), &signature_len, + msg.data(), msg.size(), nullptr, 0, rnd.data())) { + return false; + } + } + else if (nid == NID_MLDSA65) { + if (!ml_dsa_65_sign_internal(sk.data(), signature.data(), &signature_len, + msg.data(), msg.size(), nullptr, 0, rnd.data())) { + return false; + } + } + else if (nid == NID_MLDSA87) { + if (!ml_dsa_87_sign_internal(sk.data(), signature.data(), &signature_len, + msg.data(), msg.size(), nullptr, 0, rnd.data())) { + return false; + } + } + } + // generate the signatures digest sign mode (externalmu) + else { + if (nid == NID_MLDSA44) { + if (!ml_dsa_extmu_44_sign_internal(sk.data(), signature.data(), &signature_len, + mu.data(), mu.size(), nullptr, 0, rnd.data())) { + return false; + } + } + else if (nid == NID_MLDSA65) { + if (!ml_dsa_extmu_65_sign_internal(sk.data(), signature.data(), &signature_len, + mu.data(), mu.size(), nullptr, 0, rnd.data())) { + return false; + } + } + else if (nid == NID_MLDSA87) { + if (!ml_dsa_extmu_87_sign_internal(sk.data(), signature.data(), &signature_len, + mu.data(), mu.size(), nullptr, 0, rnd.data())) { + return false; + } + } + } + + return write_reply({Span(signature)}); +} + +template +static bool ML_DSA_SIGVER(const Span args[], ReplyCallback write_reply) { + const Span sig = args[0]; + const Span pk = args[1]; + const Span msg = args[2]; + const Span mu = args[3]; + const Span extmu = args[4]; + + uint8_t reply[1] = {0}; + + // verify the signatures raw sign mode + if (extmu.data()[0] == 0) { + if (nid == NID_MLDSA44) { + if (ml_dsa_44_verify_internal(pk.data(), sig.data(), sig.size(), msg.data(), + msg.size(), nullptr, 0)) { + reply[0] = 1; + } + } + else if (nid == NID_MLDSA65) { + if (ml_dsa_65_verify_internal(pk.data(), sig.data(), sig.size(), msg.data(), + msg.size(), nullptr, 0)) { + reply[0] = 1; + } + } + else if (nid == NID_MLDSA87) { + if (ml_dsa_87_verify_internal(pk.data(), sig.data(), sig.size(), msg.data(), + msg.size(), nullptr, 0)) { + reply[0] = 1; + } + } + } + // verify the signatures digest sign mode (externalmu) + else{ + if (nid == NID_MLDSA44) { + if (ml_dsa_extmu_44_verify_internal(pk.data(), sig.data(), sig.size(), mu.data(), + mu.size(), nullptr, 0)) { + reply[0] = 1; + } + } + else if (nid == NID_MLDSA65) { + if (ml_dsa_extmu_65_verify_internal(pk.data(), sig.data(), sig.size(), mu.data(), + mu.size(), nullptr, 0)) { + reply[0] = 1; + } + } + else if (nid == NID_MLDSA87) { + if (ml_dsa_extmu_87_verify_internal(pk.data(), sig.data(), sig.size(), mu.data(), + mu.size(), nullptr, 0)) { + reply[0] = 1; + } + } + } + return write_reply({Span(reply)}); +} + static struct { char name[kMaxNameLength + 1]; uint8_t num_expected_args; @@ -3320,7 +3580,18 @@ static struct { {"EDDSA/ED-25519/keyGen", 0, ED25519KeyGen}, {"EDDSA/ED-25519/keyVer", 1, ED25519KeyVer}, {"EDDSA/ED-25519/sigGen", 2, ED25519SigGen}, - {"EDDSA/ED-25519/sigVer", 3, ED25519SigVer}}; + {"EDDSA/ED-25519/sigGen/preHash", 3, ED25519phSigGen}, + {"EDDSA/ED-25519/sigVer", 3, ED25519SigVer}, + {"EDDSA/ED-25519/sigVer/preHash", 4, ED25519phSigVer}, + {"ML-DSA/ML-DSA-44/keyGen", 1, ML_DSA_KEYGEN}, + {"ML-DSA/ML-DSA-65/keyGen", 1, ML_DSA_KEYGEN}, + {"ML-DSA/ML-DSA-87/keyGen", 1, ML_DSA_KEYGEN}, + {"ML-DSA/ML-DSA-44/sigGen", 5, ML_DSA_SIGGEN}, + {"ML-DSA/ML-DSA-65/sigGen", 5, ML_DSA_SIGGEN}, + {"ML-DSA/ML-DSA-87/sigGen", 5, ML_DSA_SIGGEN}, + {"ML-DSA/ML-DSA-44/sigVer", 5, ML_DSA_SIGVER}, + {"ML-DSA/ML-DSA-65/sigVer", 5, ML_DSA_SIGVER}, + {"ML-DSA/ML-DSA-87/sigVer", 5, ML_DSA_SIGVER}}; Handler FindHandler(Span> args) { const bssl::Span algorithm = args[0];