Merge branch 'main' into go_version

aws · Jul 25, 2024 · 2db8be2 · 2db8be2
2 parents 7589531 + fc14c55
commit 2db8be2
Show file tree

Hide file tree

Showing 52 changed files with 26,678 additions and 4,580 deletions.
diff --git a/.github/workflows/integrations.yml b/.github/workflows/integrations.yml
@@ -175,6 +175,21 @@ jobs:
       - name: Run strongswan build
         run: |
           ./tests/ci/integration/run_strongswan_integration.sh
+  openvpn:
+    if: github.repository_owner == 'aws'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install OS Dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get -y --no-install-recommends install \
+          cmake gcc ninja-build golang libnl-3-dev libnl-genl-3-dev \
+          libcap-ng-dev liblz4-dev liblzo2-dev libpam-dev libcmocka-dev \
+          python3-docutils
+      - uses: actions/checkout@v4
+      - name: Run openvpn build
+        run: |
+          ./tests/ci/integration/run_openvpn_integration.sh
   libevent:
     if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest

diff --git a/.github/workflows/opensslcomparison.yml b/.github/workflows/opensslcomparison.yml
@@ -0,0 +1,27 @@
+name: OpenSSL CLI Comparison Tests
+on:
+  push:
+    branches: [ '*' ]
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+  openssl_comparison_tests:
+    if: github.repository_owner == 'aws'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Install OS Dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get -y --no-install-recommends install \
+            cmake gcc ninja-build golang make autoconf pkg-config openssl
+
+      - name: Make the script executable
+        run: chmod +x ./tests/ci/run_openssl_comparison_tests.sh
+
+      - name: Build AWS-LC & OpenSSL and Run Comparison Tests
+        run: |
+            ./tests/ci/run_openssl_comparison_tests.sh
diff --git a/crypto/fipsmodule/ec/ec_nistp.c b/crypto/fipsmodule/ec/ec_nistp.c
@@ -360,16 +360,27 @@ static void generate_table(const ec_nistp_meth *ctx,
   }
 }
 
-// Writes to xyz_out the idx-th point from table in constant-time.
-static void select_point_from_table(const ec_nistp_meth *ctx,
-                                    ec_nistp_felem_limb *xyz_out,
-                                    const ec_nistp_felem_limb *table,
-                                    const size_t idx) {
-  size_t entry_size = 3 * ctx->felem_num_limbs * sizeof(ec_nistp_felem_limb);
-
-  constant_time_select_entry_from_table_8(
-          (uint8_t*)xyz_out, (uint8_t*)table,
+// Writes to out the idx-th point from table in constant-time.
+static inline void select_point_from_table(const ec_nistp_meth *ctx,
+                                           ec_nistp_felem_limb *out,
+                                           const ec_nistp_felem_limb *table,
+                                           const size_t idx,
+                                           const size_t projective) {
+  // if projective != 0 then a point is (x, y, z), otherwise (x, y).
+  size_t point_num_coord = 2 + (projective != 0 ? 1 : 0);
+  size_t point_num_limbs = ctx->felem_num_limbs * point_num_coord;
+
+  // The ifdef branching below is temporary. Using only constant_..._table_8
+  // would be best for simplicity, but unfortunatelly, on x86 systems it is
+  // significantly slower than constant_..._table_w.
+#if defined(EC_NISTP_USE_64BIT_LIMB) && defined(OPENSSL_64_BIT)
+  constant_time_select_entry_from_table_w(out, (crypto_word_t*) table, idx,
+          SCALAR_MUL_TABLE_NUM_POINTS, point_num_limbs);
+#else
+  size_t entry_size = point_num_limbs * sizeof(ec_nistp_felem_limb);
+  constant_time_select_entry_from_table_8((uint8_t*)out, (uint8_t*)table,
           idx, SCALAR_MUL_TABLE_NUM_POINTS, entry_size);
+#endif
 }
 
 // Multiplication of an arbitrary point by a scalar, r = [scalar]P.
@@ -443,7 +454,7 @@ void ec_nistp_scalar_mul(const ec_nistp_meth *ctx,
   // can't be negative).
   int16_t idx = rwnaf[num_windows - 1];
   idx >>= 1;
-  select_point_from_table(ctx, res, table, idx);
+  select_point_from_table(ctx, res, table, idx, 1);
 
   // Step 2. Process the remaining digits of the scalar (s_{m-2} to s_0).
   for (int i = num_windows - 2; i >= 0; i--) {
@@ -459,7 +470,7 @@ void ec_nistp_scalar_mul(const ec_nistp_meth *ctx,
 
     // Step 4b. Select from table the point corresponding to abs(s_i).
     idx = d >> 1;
-    select_point_from_table(ctx, tmp, table, idx);
+    select_point_from_table(ctx, tmp, table, idx, 1);
 
     // Step 4c. Negate the point if s_i < 0.
     ec_nistp_felem ftmp;

diff --git a/tests/ci/common_posix_setup.sh b/tests/ci/common_posix_setup.sh
@@ -203,6 +203,19 @@ function sde_getenforce_check {
   fi
 }
 
+function build_openssl {
+    branch=$1
+    echo "building OpenSSL ${branch}"
+    git clone --depth 1 --branch "${branch}" "${openssl_url}" "${scratch_folder}/openssl-${branch}"
+    pushd "${scratch_folder}/openssl-${branch}"
+    mkdir -p "${install_dir}/openssl-${branch}"
+    ./config --prefix="${install_dir}/openssl-${branch}" --openssldir="${install_dir}/openssl-${branch}" -d
+    make "-j${NUM_CPU_THREADS}" > /dev/null
+    make install_sw
+    popd
+    rm -rf "${scratch_folder}/openssl-${branch}"
+}
+
 print_executable_information "cmake" "--version" "CMake version"
 print_executable_information "cmake3" "--version" "CMake version (cmake3 executable)"
 print_executable_information "go" "version" "Go version"

diff --git a/tests/ci/integration/openvpn_patch/aws-lc-openvpn-cert.patch b/tests/ci/integration/openvpn_patch/aws-lc-openvpn-cert.patch
diff --git a/...ration/openvpn_patch/aws-lc-openvpn.patch → ...n/openvpn_patch/aws-lc-openvpn2-6-x.patch b/...ration/openvpn_patch/aws-lc-openvpn.patch → ...n/openvpn_patch/aws-lc-openvpn2-6-x.patch
@@ -1,8 +1,17 @@
 diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
-index 50683b67..eef80d54 100644
+index fbc95ff7..e174ed76 100644
 --- a/src/openvpn/crypto_openssl.c
 +++ b/src/openvpn/crypto_openssl.c
-@@ -1460,7 +1460,12 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
+@@ -1398,7 +1398,7 @@ memcmp_constant_time(const void *a, const void *b, size_t size)
+     return CRYPTO_memcmp(a, b, size);
+ }
+
+-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_AWSLC)
+ bool
+ ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
+              int secret_len, uint8_t *output, int output_len)
+@@ -1478,7 +1478,12 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
      int ret = false;
 
      chunk = EVP_MD_size(md);
@@ -29,10 +38,29 @@ index c9fa7196..a48ef391 100644
  #endif
 
 diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
-index 4383e981..bd2039d3 100644
+index 2595f878..cf99c3ec 100644
 --- a/src/openvpn/ssl_openssl.c
 +++ b/src/openvpn/ssl_openssl.c
-@@ -2314,7 +2314,7 @@ show_available_tls_ciphers_list(const char *cipher_list,
+@@ -1658,8 +1658,10 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file,
+             sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
+         }
+
++        int cnum;
+         if (tls_server)
+         {
++            cnum = sk_X509_NAME_num(cert_names);
+             SSL_CTX_set_client_CA_list(ctx->ctx, cert_names);
+         }
+
+@@ -1672,7 +1674,6 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file,
+
+         if (tls_server)
+         {
+-            int cnum = sk_X509_NAME_num(cert_names);
+             if (cnum != added)
+             {
+                 crypto_msg(M_FATAL, "Cannot load CA certificate file %s (only %d "
+@@ -2234,7 +2235,7 @@ show_available_tls_ciphers_list(const char *cipher_list,
          crypto_msg(M_FATAL, "Cannot create SSL object");
      }
 

diff --git a/tests/ci/integration/run_openvpn_integration.sh b/tests/ci/integration/run_openvpn_integration.sh
@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+set -exu
+
+source tests/ci/common_posix_setup.sh
+
+# Set up environment.
+
+# SYS_ROOT
+#  - SRC_ROOT(aws-lc)
+#    - SCRATCH_FOLDER
+#      - OPENVPN_SRC_FOLDER
+#      - AWS_LC_BUILD_FOLDER
+#      - AWS_LC_INSTALL_FOLDER
+
+# Assumes script is executed from the root of aws-lc directory
+SCRATCH_FOLDER="${SRC_ROOT}/OPENVPN_BUILD_ROOT"
+OPENVPN_SRC_FOLDER="${SCRATCH_FOLDER}/openvpn"
+OPENVPN_BUILD_PREFIX="${OPENVPN_SRC_FOLDER}/build/install"
+OPENVPN_BUILD_EPREFIX="${OPENVPN_SRC_FOLDER}/build/exec-install"
+OPENVPN_PATCH_BUILD_FOLDER="${SRC_ROOT}/tests/ci/integration/openvpn_patch"
+
+AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build"
+AWS_LC_INSTALL_FOLDER="${SCRATCH_FOLDER}/aws-lc-install"
+
+
+mkdir -p ${SCRATCH_FOLDER}
+rm -rf "${SCRATCH_FOLDER:?}"/*
+cd ${SCRATCH_FOLDER}
+
+function openvpn_build() {
+  autoreconf -ivf
+
+  OPENSSL_CFLAGS="-I/${AWS_LC_INSTALL_FOLDER}/include" \
+  OPENSSL_LIBS="-L/${AWS_LC_INSTALL_FOLDER}/lib -lssl -lcrypto" \
+  ./configure \
+    --prefix="$OPENVPN_BUILD_PREFIX" \
+    --exec-prefix="$OPENVPN_BUILD_EPREFIX" \
+    --with-crypto-library=openssl \
+    --with-openssl-engine=no \
+    --disable-management
+
+  make -j install
+
+  export LD_LIBRARY_PATH="${AWS_LC_INSTALL_FOLDER}/lib"
+
+  local openvpn_executable="${OPENVPN_SRC_FOLDER}/build/exec-install/sbin/openvpn"
+  ldd ${openvpn_executable} \
+    | grep "${AWS_LC_INSTALL_FOLDER}/lib/libcrypto.so" || exit 1
+}
+
+# TODO: Remove this when we make an upstream contribution.
+function openvpn_patch_build() {
+  for patchfile in $(find -L "${OPENVPN_PATCH_BUILD_FOLDER}" -type f -name '*.patch'); do
+    echo "Apply patch $patchfile..."
+    patch -p1 --quiet -i "$patchfile"
+  done
+}
+
+function openvpn_run_tests() {
+  # Explicitly running as sudo and passing in LD_LIBRARY_PATH as some OpenVPN
+  # tests run as sudo and LD_LIBRARY_PATH doesn't get inherited.
+  sudo LD_LIBRARY_PATH="${AWS_LC_INSTALL_FOLDER}/lib" make check
+}
+
+git clone https://github.com/OpenVPN/openvpn.git ${OPENVPN_SRC_FOLDER}
+
+# anchoring to tip of minor release 2.6.x for OpenVPN, currently not compatible
+# with tip of main
+cd ${OPENVPN_SRC_FOLDER} && git checkout release/2.6
+mkdir -p ${AWS_LC_BUILD_FOLDER} ${AWS_LC_INSTALL_FOLDER}
+ls
+
+aws_lc_build "$SRC_ROOT" "$AWS_LC_BUILD_FOLDER" "$AWS_LC_INSTALL_FOLDER" -DBUILD_TESTING=OFF -DBUILD_TOOL=OFF -DCMAKE_BUILD_TYPE=Debug -DBUILD_SHARED_LIBS=1
+
+# Build openvpn from source.
+pushd ${OPENVPN_SRC_FOLDER}
+openvpn_patch_build
+openvpn_build
+openvpn_run_tests
diff --git a/tests/ci/run_benchmark_build_tests.sh b/tests/ci/run_benchmark_build_tests.sh
@@ -52,19 +52,6 @@ function build_aws_lc_branch {
     rm -rf "${scratch_folder}/aws-lc-${branch}"
 }
 
-function build_openssl {
-    branch=$1
-    echo "building OpenSSL ${branch}"
-    git clone --depth 1 --branch "${branch}" "${openssl_url}" "${scratch_folder}/openssl-${branch}"
-    pushd "${scratch_folder}/openssl-${branch}"
-    mkdir -p "${install_dir}/openssl-${branch}"
-    ./config --prefix="${install_dir}/openssl-${branch}" --openssldir="${install_dir}/openssl-${branch}" -d
-    make "-j${NUM_CPU_THREADS}" > /dev/null
-    make install_sw
-    popd
-    rm -rf "${scratch_folder}/openssl-${branch}"
-}
-
 function build_boringssl {
   git clone --depth 1 https://github.com/google/boringssl.git "${scratch_folder}/boringssl"
   pushd "${scratch_folder}/boringssl"

diff --git a/tests/ci/run_openssl_comparison_tests.sh b/tests/ci/run_openssl_comparison_tests.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+set -ex
+
+source tests/ci/common_posix_setup.sh
+
+scratch_folder=${SYS_ROOT}/"openssl-scratch"
+install_dir="${scratch_folder}/libcrypto_install_dir"
+openssl_url='https://github.com/openssl/openssl.git'
+openssl_1_1_1_branch='OpenSSL_1_1_1-stable'
+openssl_1_0_2_branch='OpenSSL_1_0_2-stable'
+openssl_3_1_branch='openssl-3.1'
+openssl_3_2_branch='openssl-3.2'
+openssl_master_branch='master'
+
+mkdir -p "${scratch_folder}"
+rm -rf "${scratch_folder:?}"/*
+
+build_openssl $openssl_1_0_2_branch
+build_openssl $openssl_1_1_1_branch
+build_openssl $openssl_3_1_branch
+build_openssl $openssl_3_2_branch
+build_openssl $openssl_master_branch
+
+run_build -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_STANDARD=11 -DENABLE_DILITHIUM=ON
+
+# OpenSSL 3.1.0 on switches from lib folder to lib64 folder
+declare -A openssl_branches=(
+  ["$openssl_1_0_2_branch"]="lib"
+  ["$openssl_1_1_1_branch"]="lib"
+  ["$openssl_3_1_branch"]="lib64"
+  ["$openssl_3_2_branch"]="lib64"
+  ["$openssl_master_branch"]="lib64"
+)
+
+# Run X509 Comparison Tests against all OpenSSL branches
+export AWSLC_TOOL_PATH="${BUILD_ROOT}/tool-openssl/openssl"
+for branch in "${!openssl_branches[@]}"; do
+  export OPENSSL_TOOL_PATH="${install_dir}/openssl-${branch}/bin/openssl"
+  echo "Running X509ComparisonTests against OpenSSL ${branch}"
+  LD_LIBRARY_PATH="${install_dir}/openssl-${branch}/${openssl_branches[$branch]}" "${BUILD_ROOT}/tool-openssl/tool_openssl_test" --gtest_filter=X509ComparisonTest.*
+done
+
diff --git a/third_party/s2n-bignum/arm/curve25519/curve25519_x25519.S b/third_party/s2n-bignum/arm/curve25519/curve25519_x25519.S
@@ -1242,7 +1242,7 @@ curve25519_x25519_scalarloop:
         usra    v20.2d, v25.2d, #25
         and     v27.16b, v25.16b, v23.16b       // ubignum_of_hreglist 1 + ubignum_of_lreglist 1 // INTERMEDIATE H|L = x4|z5
         bfi     x17, x7, #32, #25               // ubignum_of_preglist 1 // INTERMEDIATE z4
-        mov     v5.d[0], x3                     // depth 86
+        mov     v5.d[0], x3
         mov     v1.d[0], x5                     // FINAL z2
         usra    v26.2d, v20.2d, #26             // ubignum_of_hreglist 3 + ubignum_of_lreglist 3 // INTERMEDIATE H|L = x4|z5
         and     v28.16b, v20.16b, v30.16b       // ubignum_of_hreglist 2 + ubignum_of_lreglist 2 // INTERMEDIATE H|L = x4|z5