Make EDDSA/Ed25519 POST lazy initalized (#1848)

Makes the [previously added](17bb2f2) ED25519 POST to be lazy initialized. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
aws · Sep 12, 2024 · 3c22151 · 3c22151
1 parent 307898a
commit 3c22151
Show file tree

Hide file tree

Showing 4 changed files with 102 additions and 47 deletions.
diff --git a/crypto/fipsmodule/curve25519/curve25519.c b/crypto/fipsmodule/curve25519/curve25519.c
@@ -72,6 +72,10 @@ void ed25519_sha512(uint8_t out[SHA512_DIGEST_LENGTH],
 void ED25519_keypair_from_seed(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
   uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN],
   const uint8_t seed[ED25519_SEED_LEN]) {
+  // ED25519_keypair already ensures this with the same check, and is also the
+  // function that is approved for FIPS (sets the indicator). Ensuring it here
+  // for brevity.
+  boringssl_ensure_eddsa_self_test();
 
   // Step: rfc8032 5.1.5.1
   // Compute SHA512(seed).
@@ -101,6 +105,7 @@ void ED25519_keypair_from_seed(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
 
 void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
   uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN]) {
+  boringssl_ensure_eddsa_self_test();
   SET_DIT_AUTO_DISABLE;
 
   // Ed25519 key generation: rfc8032 5.1.5
@@ -119,6 +124,13 @@ void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
 int ED25519_sign(uint8_t out_sig[ED25519_SIGNATURE_LEN],
                  const uint8_t *message, size_t message_len,
                  const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]) {
+  boringssl_ensure_eddsa_self_test();
+  return ED25519_sign_no_self_test(out_sig, message, message_len, private_key);
+}
+
+int ED25519_sign_no_self_test(uint8_t out_sig[ED25519_SIGNATURE_LEN],
+                              const uint8_t *message, size_t message_len,
+                              const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]) {
   // NOTE: The documentation on this function says that it returns zero on
   // allocation failure. While that can't happen with the current
   // implementation, we want to reserve the ability to allocate in this
@@ -165,7 +177,13 @@ int ED25519_sign(uint8_t out_sig[ED25519_SIGNATURE_LEN],
 int ED25519_verify(const uint8_t *message, size_t message_len,
                    const uint8_t signature[ED25519_SIGNATURE_LEN],
                    const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) {
+  boringssl_ensure_eddsa_self_test();
+  return ED25519_verify_no_self_test(message, message_len, signature, public_key);
+}
 
+int ED25519_verify_no_self_test(const uint8_t *message, size_t message_len,
+                                const uint8_t signature[ED25519_SIGNATURE_LEN],
+                                const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) {
   // Ed25519 verify: rfc8032 5.1.7
 
   // Step: rfc8032 5.1.7.1 (up to decoding the public key)

diff --git a/crypto/fipsmodule/curve25519/internal.h b/crypto/fipsmodule/curve25519/internal.h
@@ -23,6 +23,14 @@ extern "C" {
 
 #include "../../internal.h"
 
+int ED25519_sign_no_self_test(uint8_t out_sig[ED25519_SIGNATURE_LEN],
+                              const uint8_t *message, size_t message_len,
+                              const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]);
+
+int ED25519_verify_no_self_test(const uint8_t *message, size_t message_len,
+                                const uint8_t signature[ED25519_SIGNATURE_LEN],
+                                const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]);
+
 // If (1) x86_64 or aarch64, (2) linux or apple, and (3) OPENSSL_NO_ASM is not
 // set, s2n-bignum path is capable.
 #if ((defined(OPENSSL_X86_64) && !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX)) || \

diff --git a/crypto/fipsmodule/self_check/self_check.c b/crypto/fipsmodule/self_check/self_check.c
@@ -36,6 +36,7 @@
 #include <openssl/sha.h>
 
 #include "../../internal.h"
+#include "../curve25519/internal.h"
 #include "../dh/internal.h"
 #include "../ec/internal.h"
 #include "../ecdsa/internal.h"
@@ -1470,6 +1471,61 @@ static int boringssl_self_test_ml_kem(void) {
   return ret;
 }
 
+static int boringssl_self_test_eddsa(void) {
+  int ret = 0;
+
+  const uint8_t kEd25519PrivateKey[ED25519_PRIVATE_KEY_SEED_LEN] = {
+      0xb3, 0x99, 0x05, 0xbf, 0x43, 0x0b, 0x2a, 0xd2, 0x1d, 0xb6, 0x5d,
+      0x49, 0xa6, 0xab, 0x03, 0xc1, 0x7d, 0xdb, 0x72, 0xe7, 0xa9, 0x8e,
+      0xb9, 0x8f, 0xae, 0x59, 0x91, 0x7a, 0xe2, 0x5f, 0x92, 0x14};
+  const uint8_t kEd25519PublicKey[ED25519_PUBLIC_KEY_LEN] = {
+      0xe7, 0x75, 0xcf, 0x0e, 0x33, 0x48, 0x52, 0xa7, 0xe6, 0x99, 0xbe,
+      0xba, 0x13, 0xbc, 0x24, 0xf8, 0x32, 0xf3, 0xc2, 0xa3, 0xa0, 0x3d,
+      0xc9, 0x3c, 0x42, 0xb5, 0x92, 0x76, 0x15, 0xa5, 0x46, 0xba};
+  const uint8_t kEd25519Signature[ED25519_SIGNATURE_LEN] = {
+      0x30, 0x1a, 0x4c, 0x56, 0xe0, 0x37, 0x0b, 0x57, 0x2f, 0x7d, 0x8c,
+      0x75, 0x1b, 0x5c, 0xfa, 0xb6, 0xc3, 0x98, 0x7c, 0x6f, 0x5d, 0xe8,
+      0x7c, 0xac, 0x4d, 0x71, 0x16, 0x73, 0xda, 0x8c, 0xb2, 0x19, 0x86,
+      0x03, 0xcd, 0x91, 0x82, 0x73, 0xa5, 0x34, 0x24, 0x93, 0xf1, 0xc1,
+      0xad, 0x0e, 0x8a, 0x78, 0x45, 0x15, 0xa7, 0xfe, 0xc8, 0xc9, 0xbe,
+      0xa2, 0xa3, 0xf1, 0xcf, 0x7b, 0x3a, 0x89, 0x10, 0x0f};
+  const uint8_t kEd25519Message[128] = {
+      0x13, 0x1d, 0x2a, 0xa9, 0x8f, 0x46, 0xfd, 0x5a, 0xca, 0xef, 0x8e, 0x92,
+      0xfa, 0x8c, 0x50, 0xd4, 0x8b, 0xda, 0xdf, 0xfe, 0x13, 0xd7, 0x9c, 0xc7,
+      0x1b, 0x95, 0x85, 0x5f, 0xaf, 0xa4, 0x84, 0x66, 0x50, 0x2a, 0x1c, 0x61,
+      0x4d, 0xb7, 0x85, 0xfc, 0xc9, 0x4c, 0x50, 0x61, 0x65, 0x23, 0x93, 0x42,
+      0xcb, 0x9b, 0x3e, 0xe6, 0x3b, 0x35, 0xdc, 0x2f, 0x7e, 0x78, 0x61, 0x15,
+      0x42, 0xc7, 0xa6, 0x1b, 0x50, 0xf3, 0xb6, 0x8e, 0xcf, 0x1b, 0x70, 0xca,
+      0xc0, 0x1b, 0x34, 0xef, 0x06, 0x1b, 0x3f, 0x7c, 0xaa, 0xc8, 0x26, 0x56,
+      0xbf, 0xd5, 0x5a, 0x06, 0xb8, 0xeb, 0x7d, 0xbe, 0x82, 0x45, 0x17, 0xfe,
+      0x3c, 0x56, 0x7d, 0xa5, 0xa0, 0x3e, 0x0b, 0xf2, 0xf1, 0xfe, 0xbb, 0x96,
+      0x3c, 0x94, 0x1a, 0xfc, 0x36, 0xe4, 0x5a, 0x5a, 0xc5, 0xe2, 0x71, 0xcd,
+      0x99, 0x56, 0xcc, 0xda, 0x0d, 0x62, 0xc8, 0x7c};
+  uint8_t ed25519_private_key[ED25519_PRIVATE_KEY_LEN] = {0};
+  OPENSSL_memcpy(ed25519_private_key, kEd25519PrivateKey,
+                 ED25519_PRIVATE_KEY_SEED_LEN);
+  OPENSSL_memcpy(ed25519_private_key + ED25519_PRIVATE_KEY_SEED_LEN,
+                 kEd25519PublicKey, ED25519_PUBLIC_KEY_LEN);
+  uint8_t ed25519_out_sig[ED25519_SIGNATURE_LEN] = {0};
+  if (!ED25519_sign_no_self_test(&ed25519_out_sig[0], &kEd25519Message[0],
+                                 sizeof(kEd25519Message),
+                                 ed25519_private_key) ||
+      !check_test(&kEd25519Signature[0], &ed25519_out_sig[0],
+                  ED25519_SIGNATURE_LEN, "ED25519 sign")) {
+    fprintf(stderr, "ED25519 sign failed.\n");
+    goto err;
+  }
+  if (!ED25519_verify_no_self_test(&kEd25519Message[0], sizeof(kEd25519Message),
+                                   ed25519_out_sig, kEd25519PublicKey)) {
+    fprintf(stderr, "ED25519 verify failed.\n");
+    goto err;
+  }
+
+  ret = 1;
+err:
+  return ret;
+}
+
 #if defined(BORINGSSL_FIPS)
 
 static void run_self_test_rsa(void) {
@@ -1520,6 +1576,18 @@ void boringssl_ensure_ml_kem_self_test(void) {
   CRYPTO_once(g_self_test_once_ml_kem_bss_get(), run_self_test_ml_kem);
 }
 
+static void run_self_test_eddsa(void) {
+  if (!boringssl_self_test_eddsa()) {
+    BORINGSSL_FIPS_abort();
+  }
+}
+
+DEFINE_STATIC_ONCE(g_self_test_once_eddsa);
+
+void boringssl_ensure_eddsa_self_test(void) {
+  CRYPTO_once(g_self_test_once_eddsa_bss_get(), run_self_test_eddsa);
+}
+
 #endif  // BORINGSSL_FIPS
 
 
@@ -1937,52 +2005,6 @@ static int boringssl_self_test_fast(void) {
     goto err;
   }
 
-  const uint8_t kEd25519PrivateKey[ED25519_PRIVATE_KEY_SEED_LEN] = {
-      0xb3, 0x99, 0x05, 0xbf, 0x43, 0x0b, 0x2a, 0xd2, 0x1d, 0xb6, 0x5d,
-      0x49, 0xa6, 0xab, 0x03, 0xc1, 0x7d, 0xdb, 0x72, 0xe7, 0xa9, 0x8e,
-      0xb9, 0x8f, 0xae, 0x59, 0x91, 0x7a, 0xe2, 0x5f, 0x92, 0x14};
-  const uint8_t kEd25519PublicKey[ED25519_PUBLIC_KEY_LEN] = {
-      0xe7, 0x75, 0xcf, 0x0e, 0x33, 0x48, 0x52, 0xa7, 0xe6, 0x99, 0xbe,
-      0xba, 0x13, 0xbc, 0x24, 0xf8, 0x32, 0xf3, 0xc2, 0xa3, 0xa0, 0x3d,
-      0xc9, 0x3c, 0x42, 0xb5, 0x92, 0x76, 0x15, 0xa5, 0x46, 0xba};
-  const uint8_t kEd25519Signature[ED25519_SIGNATURE_LEN] = {
-      0x30, 0x1a, 0x4c, 0x56, 0xe0, 0x37, 0x0b, 0x57, 0x2f, 0x7d, 0x8c,
-      0x75, 0x1b, 0x5c, 0xfa, 0xb6, 0xc3, 0x98, 0x7c, 0x6f, 0x5d, 0xe8,
-      0x7c, 0xac, 0x4d, 0x71, 0x16, 0x73, 0xda, 0x8c, 0xb2, 0x19, 0x86,
-      0x03, 0xcd, 0x91, 0x82, 0x73, 0xa5, 0x34, 0x24, 0x93, 0xf1, 0xc1,
-      0xad, 0x0e, 0x8a, 0x78, 0x45, 0x15, 0xa7, 0xfe, 0xc8, 0xc9, 0xbe,
-      0xa2, 0xa3, 0xf1, 0xcf, 0x7b, 0x3a, 0x89, 0x10, 0x0f};
-  const uint8_t kEd25519Message[128] = {
-      0x13, 0x1d, 0x2a, 0xa9, 0x8f, 0x46, 0xfd, 0x5a, 0xca, 0xef, 0x8e, 0x92,
-      0xfa, 0x8c, 0x50, 0xd4, 0x8b, 0xda, 0xdf, 0xfe, 0x13, 0xd7, 0x9c, 0xc7,
-      0x1b, 0x95, 0x85, 0x5f, 0xaf, 0xa4, 0x84, 0x66, 0x50, 0x2a, 0x1c, 0x61,
-      0x4d, 0xb7, 0x85, 0xfc, 0xc9, 0x4c, 0x50, 0x61, 0x65, 0x23, 0x93, 0x42,
-      0xcb, 0x9b, 0x3e, 0xe6, 0x3b, 0x35, 0xdc, 0x2f, 0x7e, 0x78, 0x61, 0x15,
-      0x42, 0xc7, 0xa6, 0x1b, 0x50, 0xf3, 0xb6, 0x8e, 0xcf, 0x1b, 0x70, 0xca,
-      0xc0, 0x1b, 0x34, 0xef, 0x06, 0x1b, 0x3f, 0x7c, 0xaa, 0xc8, 0x26, 0x56,
-      0xbf, 0xd5, 0x5a, 0x06, 0xb8, 0xeb, 0x7d, 0xbe, 0x82, 0x45, 0x17, 0xfe,
-      0x3c, 0x56, 0x7d, 0xa5, 0xa0, 0x3e, 0x0b, 0xf2, 0xf1, 0xfe, 0xbb, 0x96,
-      0x3c, 0x94, 0x1a, 0xfc, 0x36, 0xe4, 0x5a, 0x5a, 0xc5, 0xe2, 0x71, 0xcd,
-      0x99, 0x56, 0xcc, 0xda, 0x0d, 0x62, 0xc8, 0x7c};
-  uint8_t ed25519_private_key[ED25519_PRIVATE_KEY_LEN] = {0};
-  OPENSSL_memcpy(ed25519_private_key, kEd25519PrivateKey,
-                 ED25519_PRIVATE_KEY_SEED_LEN);
-  OPENSSL_memcpy(ed25519_private_key + ED25519_PRIVATE_KEY_SEED_LEN,
-                 kEd25519PublicKey, ED25519_PUBLIC_KEY_LEN);
-  uint8_t ed25519_out_sig[ED25519_SIGNATURE_LEN] = {0};
-  if (!ED25519_sign(&ed25519_out_sig[0], &kEd25519Message[0],
-                    sizeof(kEd25519Message), ed25519_private_key) ||
-      !check_test(&kEd25519Signature[0], &ed25519_out_sig[0],
-                  ED25519_SIGNATURE_LEN, "ED25519 sign")) {
-    fprintf(stderr, "ED25519 sign failed.\n");
-    goto err;
-  }
-  if (!ED25519_verify(&kEd25519Message[0], sizeof(kEd25519Message),
-                      ed25519_out_sig, kEd25519PublicKey)) {
-    fprintf(stderr, "ED25519 verify failed.\n");
-    goto err;
-  }
-
   ret = 1;
 
 err:
@@ -1997,7 +2019,8 @@ int BORINGSSL_self_test(void) {
       !boringssl_self_test_rsa() ||
       !boringssl_self_test_ecc() ||
       !boringssl_self_test_ffdh() ||
-      !boringssl_self_test_ml_kem()) {
+      !boringssl_self_test_ml_kem() ||
+      !boringssl_self_test_eddsa()) {
     return 0;
   }
 

diff --git a/crypto/internal.h b/crypto/internal.h
@@ -1301,6 +1301,11 @@ void boringssl_ensure_ffdh_self_test(void);
 // address space if unsuccessful.
 void boringssl_ensure_ml_kem_self_test(void);
 
+// boringssl_ensure_eddsa_self_test checks whether the EDDSA self-test
+// has been run in this address space. If not, it runs it and crashes the
+// address space if unsuccessful.
+void boringssl_ensure_eddsa_self_test(void);
+
 #else
 
 // Outside of FIPS mode, the lazy tests are no-ops.
@@ -1309,6 +1314,7 @@ OPENSSL_INLINE void boringssl_ensure_rsa_self_test(void) {}
 OPENSSL_INLINE void boringssl_ensure_ecc_self_test(void) {}
 OPENSSL_INLINE void boringssl_ensure_ffdh_self_test(void) {}
 OPENSSL_INLINE void boringssl_ensure_ml_kem_self_test(void) {}
+OPENSSL_INLINE void boringssl_ensure_eddsa_self_test(void) {}
 
 #endif  // FIPS