Merge branch 'main' into EVP_safety

.github/workflows/aws-lc-rs.yml

@@ -69,5 +69,5 @@ jobs:
       - name: Install cross
         run: cargo install cross --git https://github.com/cross-rs/cross
       - name: Cross-compile arm-linux-androideabi
-        working-directory: ./aws-lc-rs/aws-lc-rs
-        run: cross test --release --features bindgen,unstable --target arm-linux-androideabi
+        working-directory: ./aws-lc-rs
+        run: cross test -p aws-lc-rs --release --features bindgen,unstable --target arm-linux-androideabi

.github/workflows/integrations.yml

@@ -26,7 +26,7 @@ jobs:
     steps:
       - name: Install OS Dependencies
         run: |
-          sudo apt-get update && sudo apt-get -y --no-install-recommends install cmake gcc ninja-build golang autoconf-archive libcmocka0 libcmocka-dev procps iproute2 build-essential git pkg-config gcc libtool automake libssl-dev uthash-dev autoconf doxygen libjson-c-dev libini-config-dev libcurl4-openssl-dev uuid-dev libltdl-dev libusb-1.0-0-dev libftdi-dev
+          sudo apt-get update && sudo apt-get -y --no-install-recommends install cmake gcc ninja-build golang autoconf-archive libcmocka0 libcmocka-dev procps iproute2 build-essential git pkg-config gcc libtool automake libssl-dev uthash-dev autoconf doxygen libjson-c-dev libini-config-dev libcurl4-openssl-dev uuid-dev libltdl-dev libusb-1.0-0-dev libftdi-dev libglib2.0-dev pandoc
       - uses: actions/checkout@v3
       - name: Run integration build
         run: |

.github/workflows/mingw.yml

@@ -0,0 +1,42 @@
+name: MinGW
+on:
+  pull_request:
+    branches: [ '*' ]
+  push:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+jobs:
+  mingw:
+    if: github.repository == 'aws/aws-lc'
+    runs-on: windows-latest
+    steps:
+      - name: Install NASM
+        uses: ilammy/setup-nasm@v1.5.1
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup MinGW
+        uses: egor-tensin/setup-mingw@v2.2.0
+        id: setup_mingw
+        with:
+          static: 0
+      - name: Setup CMake
+        uses: threeal/cmake-action@v1.3.0
+        with:
+          generator: Ninja
+          c-compiler: ${{ steps.setup_mingw.outputs.gcc }}
+          cxx-compiler: ${{ steps.setup_mingw.outputs.gxx }}
+          options: |
+            CMAKE_SYSTEM_NAME=Windows \
+            CMAKE_SYSTEM_PROCESSOR=x86_64 \
+            CMAKE_BUILD_TOOL=C:/ProgramData/chocolatey/lib/mingw/tools/install/mingw64/bin/ninja.exe \
+            CMAKE_FIND_ROOT_PATH=C:/ProgramData/chocolatey/lib/mingw/tools/install/mingw64 \
+            CMAKE_FIND_ROOT_PATH_MODE_PROGRAM=NEVER \
+            CMAKE_FIND_ROOT_PATH_MODE_LIBRARY=ONLY \
+            CMAKE_FIND_ROOT_PATH_MODE_INCLUDE=ONLY \
+      - name: Build Project
+        run: cmake --build ./build --target all
+      - name: Run tests
+        run: cmake --build ./build --target run_tests

LICENSE

@@ -206,8 +206,8 @@ are met:
    written permission.
 
 
-The code in crypto/kyber/pqcrystals-kyber_kyber512_ref carries the
-Public Domain license:
+The code in crypto/kyber/pqcrystals-kyber_kyber512_ref and
+crypto/ml_kem/ml_kem_ipd_ref_common carries the Public Domain license:
 
 Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/)
 

crypto/CMakeLists.txt

@@ -434,6 +434,7 @@ add_library(
   refcount_win.c
   rsa_extra/rsa_asn1.c
   rsa_extra/rsassa_pss_asn1.c
+  rsa_extra/rsa_crypt.c
   rsa_extra/rsa_print.c
   stack/stack.c
   siphash/siphash.c
@@ -781,7 +782,7 @@ if(BUILD_TESTING)
   add_dependencies(${CRYPTO_TEST_EXEC} boringssl_prefix_symbols)
   target_link_libraries(${CRYPTO_TEST_EXEC} test_support_lib boringssl_gtest_main crypto)
   target_include_directories(${CRYPTO_TEST_EXEC} BEFORE PRIVATE ${PROJECT_BINARY_DIR}/symbol_prefix_include)
-  if(WIN32)
+  if(MSVC)
     target_link_libraries(${CRYPTO_TEST_EXEC} ws2_32)
   else()
     target_compile_options(${CRYPTO_TEST_EXEC} PUBLIC -Wno-deprecated-declarations)

crypto/asn1/asn1_test.cc

@@ -979,7 +979,7 @@ static struct tm make_tm(int sec, int min, int hour, int mday, int mon, int year
   t.tm_wday = wday;
   t.tm_yday = yday;
   t.tm_isdst = isdst;
-#if defined(__GNUC__)
+#if defined(__GNU__)
   t.tm_gmtoff = gmtoff;
   t.tm_zone = zone;
 #endif

crypto/bio/bio_test.cc

@@ -373,7 +373,7 @@ TEST(BIOTest, CloseFlags) {
 
   // Assert that CRLF line endings get inserted on write and translated back out
   // on read for text mode.
-  TempFILE text_bio_file(tmpfile());
+  TempFILE text_bio_file = createTempFILE();
   ASSERT_TRUE(text_bio_file);
   bssl::UniquePtr<BIO> text_bio(
       BIO_new_fp(text_bio_file.get(), BIO_NOCLOSE | BIO_FP_TEXT));
@@ -403,7 +403,7 @@ TEST(BIOTest, CloseFlags) {
 
   // Assert that CRLF line endings don't get inserted on write for
   // (default) binary mode.
-  TempFILE binary_bio_file(tmpfile());
+  TempFILE binary_bio_file = createTempFILE();
   ASSERT_TRUE(binary_bio_file);
   bssl::UniquePtr<BIO> binary_bio(
       BIO_new_fp(binary_bio_file.get(), BIO_NOCLOSE));
@@ -432,7 +432,7 @@ TEST(BIOTest, CloseFlags) {
 
   // Assert that BIO_CLOSE causes the underlying file to be closed on BIO free
   // (ftell will return < 0)
-  FILE *tmp = tmpfile();
+  FILE *tmp = createRawTempFILE();
   ASSERT_TRUE(tmp);
   BIO *bio = BIO_new_fp(tmp, BIO_CLOSE);
   EXPECT_EQ(0, BIO_tell(bio));
@@ -449,7 +449,7 @@ TEST(BIOTest, CloseFlags) {
 #endif
 
   // Assert that BIO_NOCLOSE does not close the underlying file on BIO free
-  tmp = tmpfile();
+  tmp = createRawTempFILE();
   ASSERT_TRUE(tmp);
   bio = BIO_new_fp(tmp, BIO_NOCLOSE);
   EXPECT_EQ(0, BIO_tell(bio));
@@ -737,7 +737,7 @@ TEST(BIOTest, Gets) {
       check_bio_gets(bio.get());
     }
 
-    TempFILE file(tmpfile());
+    TempFILE file = createTempFILE();
 #if defined(OPENSSL_ANDROID)
     // On Android, when running from an APK, |tmpfile| does not work. See
     // b/36991167#comment8.

crypto/cipher_extra/aead_test.cc

@@ -133,6 +133,10 @@ static const struct KnownAEAD kAEADs[] = {
      "aes_128_cbc_sha256_tls_implicit_iv_tests.txt",
      kLimitedImplementation | RequiresADLength(11)},
 
+  {"AES_256_CBC_SHA384_TLS", EVP_aead_aes_256_cbc_sha384_tls,
+     "aes_256_cbc_sha384_tls_tests.txt",
+     kLimitedImplementation | RequiresADLength(11)},
+
     {"AES_256_CBC_SHA1_TLS", EVP_aead_aes_256_cbc_sha1_tls,
      "aes_256_cbc_sha1_tls_tests.txt",
      kLimitedImplementation | RequiresADLength(11)},
@@ -1372,13 +1376,15 @@ struct EvpAeadCtxSerdeTestParams {
 class EvpAeadCtxSerdeTest
     : public testing::TestWithParam<EvpAeadCtxSerdeTestParams> {};
 
-static const uint8_t kEvpAeadCtxKey[68] = {
-    0x49, 0xd4, 0x9f, 0x84, 0x62, 0xf1, 0xda, 0x3a, 0xe1, 0x60, 0x08, 0xf3,
-    0xcf, 0xf6, 0x01, 0x2d, 0x95, 0x90, 0x08, 0xfe, 0xad, 0x89, 0x31, 0x21,
-    0x1c, 0x84, 0xf0, 0x77, 0x57, 0x18, 0x94, 0x03, 0xe3, 0x85, 0x30, 0x32,
-    0xc3, 0x0f, 0xae, 0x54, 0x54, 0x8d, 0x21, 0x55, 0x68, 0xc9, 0x6f, 0xb9,
-    0x23, 0x4e, 0xbc, 0xba, 0x1a, 0x4c, 0x9a, 0xd8, 0x35, 0x96, 0xc2, 0xb3,
-    0x6e, 0x7a, 0x47, 0xa8, 0x8e, 0xdd, 0x6e, 0x1d};
+static const uint8_t kEvpAeadCtxKey[80] = {
+    0x03, 0xeb, 0x1d, 0xb2, 0x2c, 0xa8, 0xc0, 0x3b, 0x29, 0x9c, 0x66, 0xe5,
+    0xdd, 0xb7, 0x70, 0x6c, 0x39, 0x86, 0x71, 0x94, 0x79, 0x5c, 0xf5, 0x88,
+    0xde, 0xd9, 0x05, 0x1f, 0x28, 0x96, 0x86, 0x28, 0x01, 0xb0, 0x59, 0x11,
+    0xb0, 0x3f, 0x35, 0xe6, 0xb5, 0x2f, 0x3b, 0xee, 0xbc, 0xf9, 0x11, 0xb1,
+    0x9e, 0x58, 0xf6, 0xb7, 0xf3, 0x3e, 0x5b, 0x66, 0x28, 0x85, 0x0c, 0x66,
+    0x2b, 0x75, 0xb7, 0x86, 0xfd, 0xa4, 0x2d, 0x4b, 0x8c, 0xe0, 0x9a, 0x58,
+    0xbf, 0xc6, 0x22, 0x4c, 0x39, 0x25, 0x66, 0xfd
+};
 
 static const EvpAeadCtxSerdeTestParams kEvpAeadCtxSerde[] = {
     {"EVP_aead_aes_128_gcm", EVP_aead_aes_128_gcm(), kEvpAeadCtxKey, 16, 16,
@@ -1421,6 +1427,8 @@ static const EvpAeadCtxSerdeTestParams kEvpAeadCtxSerde[] = {
      kEvpAeadCtxKey, 48, 32, 11},
     {"EVP_aead_aes_128_cbc_sha256_tls_implicit_iv",
      EVP_aead_aes_128_cbc_sha256_tls_implicit_iv(), kEvpAeadCtxKey, 64, 32, 12},
+    {"EVP_aead_aes_256_cbc_sha384_tls", EVP_aead_aes_256_cbc_sha384_tls(),
+     kEvpAeadCtxKey, 80, 48, 28},
     {"EVP_aead_des_ede3_cbc_sha1_tls", EVP_aead_des_ede3_cbc_sha1_tls(),
      kEvpAeadCtxKey, 44, 20, 13},
     {"EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv",

crypto/cipher_extra/cipher_test.cc

@@ -1008,6 +1008,54 @@ TEST(CipherTest, SHA256WithSecretSuffix) {
   }
 }
 
+TEST(CipherTest, SHA384WithSecretSuffix) {
+  uint8_t buf[SHA384_CBLOCK * 4];
+  RAND_bytes(buf, sizeof(buf));
+  // Hashing should run in time independent of the bytes.
+  CONSTTIME_SECRET(buf, sizeof(buf));
+
+  // Exhaustively testing interesting cases in this function is cubic in the
+  // block size, so we test in 7-byte increments.
+  constexpr size_t kSkip = 7;
+  // This value should be less than 16 to test the edge case when the 16-byte
+  // length wraps to the next block.
+  static_assert(kSkip < 16, "kSkip is too large");
+
+  // |EVP_final_with_secret_suffix_sha384| is sensitive to the public length of
+  // the partial block previously hashed. In TLS, this is the HMAC prefix, the
+  // header, and the public minimum padding length.
+  for (size_t prefix = 0; prefix < SHA384_CBLOCK; prefix += kSkip) {
+    SCOPED_TRACE(prefix);
+    // The first block is treated differently, so we run with up to three
+    // blocks of length variability.
+    for (size_t max_len = 0; max_len < 3 * SHA384_CBLOCK; max_len += kSkip) {
+      SCOPED_TRACE(max_len);
+      for (size_t len = 0; len <= max_len; len += kSkip) {
+        SCOPED_TRACE(len);
+
+        uint8_t expected[SHA384_DIGEST_LENGTH];
+        SHA384(buf, prefix + len, expected);
+        CONSTTIME_DECLASSIFY(expected, sizeof(expected));
+
+        // Make a copy of the secret length to avoid interfering with the loop.
+        size_t secret_len = len;
+        CONSTTIME_SECRET(&secret_len, sizeof(secret_len));
+
+        SHA512_CTX ctx;
+        SHA384_Init(&ctx);
+        SHA384_Update(&ctx, buf, prefix);
+        uint8_t computed[SHA384_DIGEST_LENGTH];
+        ASSERT_TRUE(EVP_final_with_secret_suffix_sha384(
+            &ctx, computed, buf + prefix, secret_len, max_len));
+
+        CONSTTIME_DECLASSIFY(computed, sizeof(computed));
+        EXPECT_EQ(Bytes(expected), Bytes(computed));
+      }
+    }
+  }
+}
+
+
 TEST(CipherTest, GetCipher) {
   const EVP_CIPHER *cipher = EVP_get_cipherbynid(NID_aes_128_gcm);
   ASSERT_TRUE(cipher);

crypto/cipher_extra/e_aes_cbc_hmac_sha256.c

@@ -246,8 +246,9 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
     size_t mac_len;
     uint8_t record_mac_tmp[EVP_MAX_MD_SIZE];
     uint8_t *record_mac;
-    if (!EVP_tls_cbc_digest_record_sha256(EVP_sha256(), mac, &mac_len, key->aux.tls_aad,
-                                   out, data_len, len, key->hmac_key, 64)) {
+    if (!EVP_tls_cbc_digest_record(EVP_sha256(), mac, &mac_len,
+                                   key->aux.tls_aad, out, data_len, len,
+                                   key->hmac_key, 64)) {
       OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
       return 0;
     }

crypto/cipher_extra/e_tls.c

@@ -434,6 +434,14 @@ static int aead_aes_128_cbc_sha256_tls_implicit_iv_init(
                        EVP_sha256(), 1);
 }
 
+static int aead_aes_256_cbc_sha384_tls_init(EVP_AEAD_CTX *ctx,
+                                            const uint8_t *key, size_t key_len,
+                                            size_t tag_len,
+                                            enum evp_aead_direction_t dir) {
+  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
+                       EVP_sha384(), 0);
+}
+
 static int aead_des_ede3_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx,
                                            const uint8_t *key, size_t key_len,
                                            size_t tag_len,
@@ -589,6 +597,26 @@ static const EVP_AEAD aead_aes_128_cbc_sha256_tls_implicit_iv = {
     NULL /* deserialize_state */,
 };
 
+static const EVP_AEAD aead_aes_256_cbc_sha384_tls = {
+    SHA384_DIGEST_LENGTH + 32,       // key len (SHA384 + AES256)
+    16,                              // nonce len (IV)
+    16 + SHA384_DIGEST_LENGTH,       // overhead (padding + SHA384)
+    SHA384_DIGEST_LENGTH,            // max tag length
+    AEAD_AES_256_CBC_SHA384_TLS_ID,  // evp_aead_id
+    0,                               // seal_scatter_supports_extra_in
+
+    NULL,  // init
+    aead_aes_256_cbc_sha384_tls_init,
+    aead_tls_cleanup,
+    aead_tls_open,
+    aead_tls_seal_scatter,
+    NULL,  // open_gather
+    NULL,  // get_iv
+    aead_tls_tag_len,
+    NULL /* serialize_state */,
+    NULL /* deserialize_state */,
+};
+
 static const EVP_AEAD aead_des_ede3_cbc_sha1_tls = {
     SHA_DIGEST_LENGTH + 24,         // key len (SHA1 + 3DES)
     8,                              // nonce len (IV)
@@ -673,6 +701,10 @@ const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls_implicit_iv(void) {
   return &aead_aes_128_cbc_sha256_tls_implicit_iv;
 }
 
+const EVP_AEAD *EVP_aead_aes_256_cbc_sha384_tls(void) {
+  return &aead_aes_256_cbc_sha384_tls;
+}
+
 const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void) {
   return &aead_des_ede3_cbc_sha1_tls;
 }

crypto/cipher_extra/internal.h

@@ -110,12 +110,12 @@ void EVP_tls_cbc_copy_mac(uint8_t *out, size_t md_size, const uint8_t *in,
 // which EVP_tls_cbc_digest_record supports.
 int EVP_tls_cbc_record_digest_supported(const EVP_MD *md);
 
-// EVP_final_with_secret_suffix_sha1 and EVP_final_with_secret_suffix_sha256
-// compute the result of hashing |len| bytes from |in| to |ctx| and write the
-// resulting hash to |out|. |len| is treated as secret and must be at most
-// |max_len|, which is treated as public. |in| must point to a buffer of at
-// least |max_len| bytes. It returns one on success and zero if inputs are
-// too long.
+// EVP_final_with_secret_suffix_sha1, EVP_final_with_secret_suffix_sha256, and
+// EVP_final_with_secret_suffix_sha384 compute the result of hashing |len|
+// bytes from |in| to |ctx| and write the resulting hash to |out|.
+// |len| is treated as secret and must be at most |max_len|, which is treated
+// as public. |in| must point to a buffer of at least |max_len| bytes.
+// It returns one on success and zero if inputs are too long.
 //
 // The functions are exported for unit tests.
 OPENSSL_EXPORT int EVP_final_with_secret_suffix_sha1(
@@ -126,6 +126,10 @@ OPENSSL_EXPORT int EVP_final_with_secret_suffix_sha256(
     SHA256_CTX *ctx, uint8_t out[SHA256_DIGEST_LENGTH], const uint8_t *in,
     size_t len, size_t max_len);
 
+OPENSSL_EXPORT int EVP_final_with_secret_suffix_sha384(
+    SHA512_CTX *ctx, uint8_t out[SHA384_DIGEST_LENGTH], const uint8_t *in,
+    size_t len, size_t max_len);
+
 // EVP_tls_cbc_digest_record computes the MAC of a decrypted, padded TLS
 // record.
 //
@@ -151,15 +155,6 @@ int EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,
                               const uint8_t *mac_secret,
                               unsigned mac_secret_length);
 
-// EVP_tls_cbc_digest_record_sha256 performs the same functionality of
-// EVP_tls_cbc_digest_record except it internally calls SHA256 instead of SHA1.
-int EVP_tls_cbc_digest_record_sha256(const EVP_MD *md, uint8_t *md_out,
-                              size_t *md_out_size, const uint8_t header[13],
-                              const uint8_t *data, size_t data_size,
-                              size_t data_plus_mac_plus_padding_size,
-                              const uint8_t *mac_secret,
-                              unsigned mac_secret_length);
-
 #define POLY1305_TAG_LEN 16
 
 // For convenience (the x86_64 calling convention allows only six parameters in