Merge branch 'main' into x86-sse2-flag

aws · Sep 12, 2024 · 966232e · 966232e
2 parents b8942d5 + 3c22151
commit 966232e
Show file tree

Hide file tree

Showing 42 changed files with 2,560 additions and 639 deletions.
diff --git a/crypto/ec_extra/ec_asn1.c b/crypto/ec_extra/ec_asn1.c
@@ -56,8 +56,9 @@
 #include <limits.h>
 #include <string.h>
 
-#include <openssl/bytestring.h>
+#include <openssl/bio.h>
 #include <openssl/bn.h>
+#include <openssl/bytestring.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
 #include <openssl/nid.h>
@@ -76,19 +77,15 @@ static const CBS_ASN1_TAG kPublicKeyTag =
 // acceptable groups, so parsers don't have to pull in all four.
 typedef const EC_GROUP *(*ec_group_func)(void);
 static const ec_group_func kAllGroups[] = {
-    &EC_group_p224,
-    &EC_group_p256,
-    &EC_group_p384,
-    &EC_group_p521,
-	&EC_group_secp256k1,
+    &EC_group_p224, &EC_group_p256,      &EC_group_p384,
+    &EC_group_p521, &EC_group_secp256k1,
 };
 
 EC_KEY *EC_KEY_parse_private_key(CBS *cbs, const EC_GROUP *group) {
   CBS ec_private_key, private_key;
   uint64_t version;
   if (!CBS_get_asn1(cbs, &ec_private_key, CBS_ASN1_SEQUENCE) ||
-      !CBS_get_asn1_uint64(&ec_private_key, &version) ||
-      version != 1 ||
+      !CBS_get_asn1_uint64(&ec_private_key, &version) || version != 1 ||
       !CBS_get_asn1(&ec_private_key, &private_key, CBS_ASN1_OCTETSTRING)) {
     OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);
     return NULL;
@@ -151,8 +148,7 @@ EC_KEY *EC_KEY_parse_private_key(CBS *cbs, const EC_GROUP *group) {
         !CBS_get_asn1(&child, &public_key, CBS_ASN1_BITSTRING) ||
         // As in a SubjectPublicKeyInfo, the byte-encoded public key is then
         // encoded as a BIT STRING with bits ordered as in the DER encoding.
-        !CBS_get_u8(&public_key, &padding) ||
-        padding != 0 ||
+        !CBS_get_u8(&public_key, &padding) || padding != 0 ||
         // Explicitly check |public_key| is non-empty to save the conversion
         // form later.
         CBS_len(&public_key) == 0 ||
@@ -264,16 +260,14 @@ static int parse_explicit_prime_curve(CBS *in,
   int has_cofactor;
   uint64_t version;
   if (!CBS_get_asn1(in, &params, CBS_ASN1_SEQUENCE) ||
-      !CBS_get_asn1_uint64(&params, &version) ||
-      version != 1 ||
+      !CBS_get_asn1_uint64(&params, &version) || version != 1 ||
       !CBS_get_asn1(&params, &field_id, CBS_ASN1_SEQUENCE) ||
       !CBS_get_asn1(&field_id, &field_type, CBS_ASN1_OBJECT) ||
       CBS_len(&field_type) != sizeof(kPrimeField) ||
       OPENSSL_memcmp(CBS_data(&field_type), kPrimeField, sizeof(kPrimeField)) !=
           0 ||
       !CBS_get_asn1(&field_id, &out->prime, CBS_ASN1_INTEGER) ||
-      !CBS_is_unsigned_asn1_integer(&out->prime) ||
-      CBS_len(&field_id) != 0 ||
+      !CBS_is_unsigned_asn1_integer(&out->prime) || CBS_len(&field_id) != 0 ||
       !CBS_get_asn1(&params, &curve, CBS_ASN1_SEQUENCE) ||
       !CBS_get_asn1(&curve, &out->a, CBS_ASN1_OCTETSTRING) ||
       !CBS_get_asn1(&curve, &out->b, CBS_ASN1_OCTETSTRING) ||
@@ -292,8 +286,7 @@ static int parse_explicit_prime_curve(CBS *in,
 
   if (has_cofactor) {
     // We only support prime-order curves so the cofactor must be one.
-    if (CBS_len(&cofactor) != 1 ||
-        CBS_data(&cofactor)[0] != 1) {
+    if (CBS_len(&cofactor) != 1 || CBS_data(&cofactor)[0] != 1) {
       OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP);
       return 0;
     }
@@ -546,6 +539,40 @@ int i2d_ECPKParameters(const EC_GROUP *group, uint8_t **outp) {
   return CBB_finish_i2d(&cbb, outp);
 }
 
+EC_GROUP *d2i_ECPKParameters_bio(BIO *bio, EC_GROUP **out_group) {
+  if (bio == NULL) {
+    OPENSSL_PUT_ERROR(PKCS7, ERR_R_PASSED_NULL_PARAMETER);
+    return NULL;
+  }
+
+  uint8_t *data;
+  size_t len;
+  if (!BIO_read_asn1(bio, &data, &len, INT_MAX)) {
+    return NULL;
+  }
+  const uint8_t *ptr = data;
+  EC_GROUP *ret = d2i_ECPKParameters(out_group, &ptr, len);
+  OPENSSL_free(data);
+  return ret;
+}
+
+int i2d_ECPKParameters_bio(BIO *bio, const EC_GROUP *group) {
+  if (bio == NULL || group == NULL) {
+    OPENSSL_PUT_ERROR(PKCS7, ERR_R_PASSED_NULL_PARAMETER);
+    return 0;
+  }
+
+  uint8_t *out = NULL;
+  int len = i2d_ECPKParameters(group, &out);
+  if (out == NULL) {
+    return 0;
+  }
+
+  int ret = BIO_write_all(bio, out, len);
+  OPENSSL_free(out);
+  return ret;
+}
+
 EC_KEY *o2i_ECPublicKey(EC_KEY **keyp, const uint8_t **inp, long len) {
   EC_KEY *ret = NULL;
 
@@ -599,8 +626,8 @@ size_t EC_get_builtin_curves(EC_builtin_curve *out_curves,
 }
 
 static size_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point,
-                                 point_conversion_form_t form,
-                                 uint8_t **pbuf, BN_CTX *ctx) {
+                                 point_conversion_form_t form, uint8_t **pbuf,
+                                 BN_CTX *ctx) {
   size_t len;
   uint8_t *buf;
 

diff --git a/crypto/fipsmodule/curve25519/curve25519.c b/crypto/fipsmodule/curve25519/curve25519.c
@@ -72,6 +72,10 @@ void ed25519_sha512(uint8_t out[SHA512_DIGEST_LENGTH],
 void ED25519_keypair_from_seed(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
   uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN],
   const uint8_t seed[ED25519_SEED_LEN]) {
+  // ED25519_keypair already ensures this with the same check, and is also the
+  // function that is approved for FIPS (sets the indicator). Ensuring it here
+  // for brevity.
+  boringssl_ensure_eddsa_self_test();
 
   // Step: rfc8032 5.1.5.1
   // Compute SHA512(seed).
@@ -101,6 +105,7 @@ void ED25519_keypair_from_seed(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
 
 void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
   uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN]) {
+  boringssl_ensure_eddsa_self_test();
   SET_DIT_AUTO_DISABLE;
 
   // Ed25519 key generation: rfc8032 5.1.5
@@ -112,11 +117,20 @@ void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
   // description why this is useful.
   ED25519_keypair_from_seed(out_public_key, out_private_key, seed);
   OPENSSL_cleanse(seed, ED25519_SEED_LEN);
+
+  FIPS_service_indicator_update_state();
 }
 
 int ED25519_sign(uint8_t out_sig[ED25519_SIGNATURE_LEN],
                  const uint8_t *message, size_t message_len,
                  const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]) {
+  boringssl_ensure_eddsa_self_test();
+  return ED25519_sign_no_self_test(out_sig, message, message_len, private_key);
+}
+
+int ED25519_sign_no_self_test(uint8_t out_sig[ED25519_SIGNATURE_LEN],
+                              const uint8_t *message, size_t message_len,
+                              const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]) {
   // NOTE: The documentation on this function says that it returns zero on
   // allocation failure. While that can't happen with the current
   // implementation, we want to reserve the ability to allocate in this
@@ -155,13 +169,21 @@ int ED25519_sign(uint8_t out_sig[ED25519_SIGNATURE_LEN],
 
   // The signature is computed from the private key, but is public.
   CONSTTIME_DECLASSIFY(out_sig, 64);
+
+  FIPS_service_indicator_update_state();
   return 1;
 }
 
 int ED25519_verify(const uint8_t *message, size_t message_len,
                    const uint8_t signature[ED25519_SIGNATURE_LEN],
                    const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) {
+  boringssl_ensure_eddsa_self_test();
+  return ED25519_verify_no_self_test(message, message_len, signature, public_key);
+}
 
+int ED25519_verify_no_self_test(const uint8_t *message, size_t message_len,
+                                const uint8_t signature[ED25519_SIGNATURE_LEN],
+                                const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) {
   // Ed25519 verify: rfc8032 5.1.7
 
   // Step: rfc8032 5.1.7.1 (up to decoding the public key)
@@ -212,10 +234,21 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
 #endif
 
   // Comparison [S]B - [k]A' =? R_expected. Short-circuits if decoding failed.
-  return (res == 1) &&
-         CRYPTO_memcmp(R_computed_encoded, R_expected, sizeof(R_computed_encoded)) == 0;
+  res = (res == 1) && CRYPTO_memcmp(R_computed_encoded, R_expected,
+                                    sizeof(R_computed_encoded)) == 0;
+  if(res) {
+    FIPS_service_indicator_update_state();
+  }
+  return res;
 }
 
+int ED25519_check_public_key(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) {
+#if defined(CURVE25519_S2N_BIGNUM_CAPABLE)
+  return ed25519_check_public_key_s2n_bignum(public_key);
+#else
+  return ed25519_check_public_key_nohw(public_key);
+#endif
+}
 
 void X25519_public_from_private(
   uint8_t out_public_value[X25519_PUBLIC_VALUE_LEN],

diff --git a/crypto/fipsmodule/curve25519/curve25519_nohw.c b/crypto/fipsmodule/curve25519/curve25519_nohw.c
@@ -2043,3 +2043,11 @@ int ed25519_verify_nohw(uint8_t R_computed_encoded[32],
 
   return 1;
 }
+
+int ed25519_check_public_key_nohw(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) {
+  ge_p3 A;
+  if (!x25519_ge_frombytes_vartime(&A, public_key)) {
+    return 0;
+  }
+  return 1;
+}
diff --git a/crypto/fipsmodule/curve25519/curve25519_s2n_bignum_asm.c b/crypto/fipsmodule/curve25519/curve25519_s2n_bignum_asm.c
@@ -120,4 +120,12 @@ int ed25519_verify_s2n_bignum(uint8_t R_computed_encoded[32],
   return 1;
 }
 
+int ed25519_check_public_key_s2n_bignum(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) {
+  uint64_t A[8] = {0};
+  if (edwards25519_decode_selector(A, public_key) != 0) {
+    return 0;
+  }
+  return 1;
+}
+
 #endif
diff --git a/crypto/fipsmodule/curve25519/internal.h b/crypto/fipsmodule/curve25519/internal.h
@@ -23,6 +23,14 @@ extern "C" {
 
 #include "../../internal.h"
 
+int ED25519_sign_no_self_test(uint8_t out_sig[ED25519_SIGNATURE_LEN],
+                              const uint8_t *message, size_t message_len,
+                              const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]);
+
+int ED25519_verify_no_self_test(const uint8_t *message, size_t message_len,
+                                const uint8_t signature[ED25519_SIGNATURE_LEN],
+                                const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]);
+
 // If (1) x86_64 or aarch64, (2) linux or apple, and (3) OPENSSL_NO_ASM is not
 // set, s2n-bignum path is capable.
 #if ((defined(OPENSSL_X86_64) && !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX)) || \
@@ -185,6 +193,11 @@ void ed25519_sha512(uint8_t out[SHA512_DIGEST_LENGTH],
   const void *input1, size_t len1, const void *input2, size_t len2,
   const void *input3, size_t len3);
 
+
+int ed25519_check_public_key_s2n_bignum(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]);
+int ed25519_check_public_key_nohw(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]);
+OPENSSL_EXPORT int ED25519_check_public_key(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]);
+
 #if defined(__cplusplus)
 }  // extern C
 #endif

diff --git a/crypto/fipsmodule/ec/ec_test.cc b/crypto/fipsmodule/ec/ec_test.cc
@@ -2551,3 +2551,12 @@ TEST(ECTest, ECEngine) {
   EC_KEY_METHOD_free(eng_funcs);
 }
 
+TEST(ECTest, ECPKParmatersBio) {
+  bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
+
+  EXPECT_TRUE(i2d_ECPKParameters_bio(bio.get(), EC_group_p256()));
+  EXPECT_EQ(d2i_ECPKParameters_bio(bio.get(), nullptr), EC_group_p256());
+
+  EXPECT_TRUE(i2d_ECPKParameters_bio(bio.get(), EC_group_secp256k1()));
+  EXPECT_EQ(d2i_ECPKParameters_bio(bio.get(), nullptr), EC_group_secp256k1());
+}
diff --git a/crypto/fipsmodule/ec/internal.h b/crypto/fipsmodule/ec/internal.h
@@ -823,7 +823,10 @@ struct ec_key_st {
 
 // d2i_ECPKParameters deserializes the |ECPKParameters| specified in RFC 3279
 // to an |EC_GROUP| from |inp|. Only deserialization of namedCurves or
-// explicitly-encoded versions of namedCurves are supported.
+// explicitly-encoded versions of namedCurves are supported. If |*out_group| is
+// non-null, the original |*out_group| is freed and the returned |EC_GROUP| is
+// also written to |*out_group|. The user continues to maintain the memory
+// assigned to |*out_group| if non-null.
 EC_GROUP *d2i_ECPKParameters(EC_GROUP **out_group, const uint8_t **inp,
                              long len);
 

diff --git a/crypto/fipsmodule/evp/digestsign.c b/crypto/fipsmodule/evp/digestsign.c
@@ -292,7 +292,9 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, uint8_t *out_sig, size_t *out_sig_len,
                                        data_len);
 end:
   FIPS_service_indicator_unlock_state();
-  if (ret > 0) {
+  if (ret > 0 && out_sig != NULL) {
+    // Indicator should only be set if we performed crypto, don't set if we only
+    // performed a size check.
     EVP_DigestSign_verify_service_indicator(ctx);
   }
   return ret;

diff --git a/crypto/fipsmodule/evp/evp_ctx.c b/crypto/fipsmodule/evp/evp_ctx.c
@@ -591,30 +591,56 @@ int EVP_PKEY_encapsulate_deterministic(EVP_PKEY_CTX *ctx,
                                                seed, seed_len);
 }
 
-int EVP_PKEY_encapsulate(EVP_PKEY_CTX *ctx,
-                         uint8_t *ciphertext, size_t *ciphertext_len,
-                         uint8_t *shared_secret, size_t *shared_secret_len) {
+int EVP_PKEY_encapsulate(EVP_PKEY_CTX *ctx, uint8_t *ciphertext,
+                         size_t *ciphertext_len, uint8_t *shared_secret,
+                         size_t *shared_secret_len) {
+  // We have to avoid potential underlying services updating the indicator
+  // state, so we lock the state here.
+  FIPS_service_indicator_lock_state();
   SET_DIT_AUTO_DISABLE;
+  int ret = 0;
   if (ctx == NULL || ctx->pmeth == NULL || ctx->pmeth->encapsulate == NULL) {
-      OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
-      return 0;
+    OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
+    goto end;
   }
 
-  return ctx->pmeth->encapsulate(ctx, ciphertext, ciphertext_len,
-                                 shared_secret, shared_secret_len);
+  if (!ctx->pmeth->encapsulate(ctx, ciphertext, ciphertext_len, shared_secret,
+                               shared_secret_len)) {
+    goto end;
+  }
+  ret = 1;
+end:
+  FIPS_service_indicator_unlock_state();
+  if (ret && ciphertext != NULL && shared_secret != NULL) {
+    EVP_PKEY_encapsulate_verify_service_indicator(ctx);
+  }
+  return ret;
 }
 
-int EVP_PKEY_decapsulate(EVP_PKEY_CTX *ctx,
-                         uint8_t *shared_secret, size_t *shared_secret_len,
-                         const uint8_t *ciphertext, size_t ciphertext_len) {
+int EVP_PKEY_decapsulate(EVP_PKEY_CTX *ctx, uint8_t *shared_secret,
+                         size_t *shared_secret_len, const uint8_t *ciphertext,
+                         size_t ciphertext_len) {
+  // We have to avoid potential underlying services updating the indicator
+  // state, so we lock the state here.
+  FIPS_service_indicator_lock_state();
   SET_DIT_AUTO_DISABLE;
+  int ret = 0;
   if (ctx == NULL || ctx->pmeth == NULL || ctx->pmeth->decapsulate == NULL) {
-      OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
-      return 0;
+    OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
+    goto end;
   }
 
-  return ctx->pmeth->decapsulate(ctx, shared_secret, shared_secret_len,
-                                 ciphertext, ciphertext_len);
+  if (!ctx->pmeth->decapsulate(ctx, shared_secret, shared_secret_len,
+                               ciphertext, ciphertext_len)) {
+    goto end;
+  }
+  ret = 1;
+end:
+  FIPS_service_indicator_unlock_state();
+  if (ret && shared_secret != NULL) {
+    EVP_PKEY_decapsulate_verify_service_indicator(ctx);
+  }
+  return ret;
 }
 
 // Deprecated keygen NO-OP functions

diff --git a/crypto/fipsmodule/evp/p_kem.c b/crypto/fipsmodule/evp/p_kem.c
@@ -95,10 +95,11 @@ static int pkey_kem_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {
   if (key == NULL ||
       !KEM_KEY_init(key, kem) ||
       !kem->method->keygen(key->public_key, key->secret_key) ||
-      !EVP_PKEY_assign(pkey, EVP_PKEY_KEM, key)) {
+      !EVP_PKEY_set_type(pkey, EVP_PKEY_KEM)) {
     KEM_KEY_free(key);
     return 0;
   }
+  pkey->pkey.kem_key = key;
 
   return 1;
 }