Merge branch 'main' into s2n-bignum-alt-func-handling

aws · Apr 30, 2024 · f928c14 · f928c14
2 parents 0568ec3 + 0541314
commit f928c14
Show file tree

Hide file tree

Showing 22 changed files with 520 additions and 149 deletions.
diff --git a/.github/workflows/actions-ci.yml b/.github/workflows/actions-ci.yml
@@ -32,19 +32,25 @@ jobs:
   macOS-x86:
     if: github.repository_owner == 'aws'
     needs: [sanity-test-run]
-    runs-on: macos-latest
+    runs-on: macos-latest-large
     steps:
       - uses: actions/checkout@v2
+      - name: Install dependencies
+        run: |
+          brew install ninja golang
       - name: Build ${{ env.PACKAGE_NAME }}
         run: |
           ./tests/ci/run_posix_tests.sh
 
   macOS-x86-FIPS:
     if: github.repository_owner == 'aws'
     needs: [sanity-test-run]
-    runs-on: macos-latest
+    runs-on: macos-latest-large
     steps:
       - uses: actions/checkout@v2
+      - name: Install dependencies
+        run: |
+          brew install ninja golang
       - name: Build ${{ env.PACKAGE_NAME }} with FIPS mode
         run: |
           ./tests/ci/run_fips_tests.sh
@@ -136,6 +142,104 @@ jobs:
           echo ${env:SDEROOT}
           .\tests\ci\run_windows_tests.bat "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat" x64 true
 
+  gcc-9-13-sanity:
+    if: github.repository_owner == 'aws'
+    needs: [sanity-test-run]
+    strategy:
+      matrix:
+        gccversion:
+          - "9"
+          - "10"
+          - "11"
+          - "12"
+          - "13"
+        os:
+          - "ubuntu-latest"
+        fips:
+          - "0"
+          - "1"
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
+        with:
+          go-version: '>=1.18'
+      - name: Setup CMake
+        uses: threeal/[email protected]
+        with:
+          generator: Ninja
+          c-compiler: gcc-${{ matrix.gccversion }}
+          cxx-compiler: g++-${{ matrix.gccversion }}
+          options: FIPS=${{ matrix.fips }} CMAKE_BUILD_TYPE=Release
+      - name: Build Project
+        run: cmake --build ./build --target all
+      - name: Run tests
+        run: cmake --build ./build --target run_tests
+
+  clang-13-15-sanity:
+    if: github.repository_owner == 'aws'
+    needs: [sanity-test-run]
+    strategy:
+      matrix:
+        gccversion:
+          - "13"
+          - "14"
+          - "15"
+        os:
+          - "ubuntu-latest"
+        fips:
+          - "0"
+          - "1"
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
+        with:
+          go-version: '>=1.18'
+      - name: Setup CMake
+        uses: threeal/[email protected]
+        with:
+          generator: Ninja
+          c-compiler: clang-${{ matrix.gccversion }}
+          cxx-compiler: clang++-${{ matrix.gccversion }}
+          options: FIPS=${{ matrix.fips }} CMAKE_BUILD_TYPE=Release
+      - name: Build Project
+        run: cmake --build ./build --target all
+      - name: Run tests
+        run: cmake --build ./build --target run_tests
+
+  clang-10-12-sanity:
+    if: github.repository_owner == 'aws'
+    needs: [sanity-test-run]
+    strategy:
+      matrix:
+        gccversion:
+          - "10"
+          - "11"
+          - "12"
+        os:
+          - "ubuntu-20.04"
+        fips:
+          - "0"
+          - "1"
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
+        with:
+          go-version: '>=1.18'
+      - name: Setup CMake
+        uses: threeal/[email protected]
+        with:
+          generator: Ninja
+          c-compiler: clang-${{ matrix.gccversion }}
+          cxx-compiler: clang++-${{ matrix.gccversion }}
+          options: FIPS=${{ matrix.fips }} CMAKE_BUILD_TYPE=Release
+      - name: Build Project
+        run: cmake --build ./build --target all
+      - name: Run tests
+        run: cmake --build ./build --target run_tests
+
     # TODO: Investigate sudden hanging tests and failures in GHA runners (P114059413)
 #  MSVC-SDE-32-bit:
 #    needs: [sanity-test-run]

diff --git a/.github/workflows/integrations.yml b/.github/workflows/integrations.yml
@@ -46,7 +46,7 @@ jobs:
       - name: Install OS Dependencies
         run: |
           apt-get update
-          apt-get -y --no-install-recommends install cmake gcc g++ ninja-build golang make python3 python3-sphinx autoconf libtool pkg-config git libc++-dev
+          apt-get -y --no-install-recommends install cmake gcc g++ ninja-build golang make python3 python3-sphinx autoconf libtool pkg-config git libc++-dev python3-six
       - uses: actions/checkout@v3
       - name: Run integration build
         run: |

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -290,10 +290,13 @@ if(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX)
   message(STATUS "MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX selected, removing AVX512 optimisations")
 endif()
 
-# Detect if memcmp is wrongly stripped like strcmp.
-# If exists, let CMake generate a warning.
-# memcmp bug link https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189.
 if (GCC)
+  # All versions of GCC that AWS-LC supports has this warning
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wredundant-decls")
+
+  # Detect if memcmp is wrongly stripped like strcmp.
+  # If exists, let CMake generate a warning.
+  # memcmp bug link https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189.
   # CMake try_run requires these variables must be preset.
   # https://cmake.org/cmake/help/latest/command/try_run.html
   set(MEMCMP_INVALID_STRIPPED "")

diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c
@@ -165,14 +165,22 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in,
     utf8_len += cbb_get_utf8_len(c);
     if (maxsize > 0 && nchar > (size_t)maxsize) {
       OPENSSL_PUT_ERROR(ASN1, ASN1_R_STRING_TOO_LONG);
+#if defined(OPENSSL_WINDOWS)
+      ERR_add_error_dataf("maxsize=%lu", (unsigned long)maxsize);
+#else
       ERR_add_error_dataf("maxsize=%zu", (size_t)maxsize);
+#endif
       return -1;
     }
   }
 
   if (minsize > 0 && nchar < (size_t)minsize) {
     OPENSSL_PUT_ERROR(ASN1, ASN1_R_STRING_TOO_SHORT);
+#if defined(OPENSSL_WINDOWS)
+    ERR_add_error_dataf("minsize=%lu", (unsigned long)minsize);
+#else
     ERR_add_error_dataf("minsize=%zu", (size_t)minsize);
+#endif
     return -1;
   }
 

diff --git a/crypto/curve25519/x25519_test.cc b/crypto/curve25519/x25519_test.cc
@@ -157,7 +157,9 @@ TEST(X25519Test, SmallOrder) {
 
 TEST(X25519Test, Iterated) {
   // Taken from https://tools.ietf.org/html/rfc7748#section-5.2.
-  uint8_t scalar[32] = {9}, point[32] = {9}, out[32];
+  uint8_t scalar[32] = {}, point[32] = {}, out[32];
+  scalar[0] = 9;
+  point[0] = 9;
 
   for (unsigned i = 0; i < 1000; i++) {
     EXPECT_TRUE(ctwrapX25519(out, scalar, point));
@@ -176,7 +178,9 @@ TEST(X25519Test, Iterated) {
 
 TEST(X25519Test, DISABLED_IteratedLarge) {
   // Taken from https://tools.ietf.org/html/rfc7748#section-5.2.
-  uint8_t scalar[32] = {9}, point[32] = {9}, out[32];
+  uint8_t scalar[32] = {}, point[32] = {}, out[32];
+  scalar[0] = 9;
+  point[0] = 9;
 
   for (unsigned i = 0; i < 1000000; i++) {
     EXPECT_TRUE(ctwrapX25519(out, scalar, point));

diff --git a/crypto/evp_extra/internal.h b/crypto/evp_extra/internal.h
@@ -1,6 +1,9 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0 OR ISC
 
+#ifndef AWS_LC_EVP_EXTRA_INTERNAL_H
+#define AWS_LC_EVP_EXTRA_INTERNAL_H
+
 #include <openssl/base.h>
 #include "../fipsmodule/evp/internal.h"
 
@@ -60,3 +63,5 @@ const EVP_PKEY_METHOD *const *AWSLC_non_fips_pkey_evp_methods(void);
 // Returns a reference to the list |asn1_evp_pkey_methods|. The list has
 // size |ASN1_EVP_PKEY_METHODS|.
 const EVP_PKEY_ASN1_METHOD *const *AWSLC_non_fips_pkey_evp_asn1_methods(void);
+
+#endif
diff --git a/crypto/fipsmodule/cpucap/cpu_intel.c b/crypto/fipsmodule/cpucap/cpu_intel.c
@@ -158,7 +158,6 @@ static void handle_cpu_env(uint32_t *out, const char *in) {
   }
 }
 
-extern uint32_t OPENSSL_ia32cap_P[4];
 extern uint8_t OPENSSL_cpucap_initialized;
 
 void OPENSSL_cpuid_setup(void) {

diff --git a/crypto/fipsmodule/evp/evp.c b/crypto/fipsmodule/evp/evp.c
@@ -68,8 +68,9 @@
 #include <openssl/rsa.h>
 #include <openssl/thread.h>
 
-#include "internal.h"
+#include "../../evp_extra/internal.h"
 #include "../../internal.h"
+#include "internal.h"
 
 
 // Node depends on |EVP_R_NOT_XOF_OR_INVALID_LENGTH|.
@@ -234,8 +235,6 @@ const char *EVP_MD_name(const EVP_MD *md) {
   return EVP_MD_get0_name(md);
 }
 
-extern const EVP_PKEY_ASN1_METHOD *const *AWSLC_non_fips_pkey_evp_asn1_methods(void);
-
 // evp_pkey_asn1_find returns the ASN.1 method table for the given |nid|, which
 // should be one of the |EVP_PKEY_*| values. It returns NULL if |nid| is
 // unknown.

diff --git a/crypto/fipsmodule/evp/evp_ctx.c b/crypto/fipsmodule/evp/evp_ctx.c
@@ -64,9 +64,7 @@
 
 #include "../../internal.h"
 #include "internal.h"
-
-// Forward declaration of |AWSLC_non_fips_pkey_evp_methods| to learn return type.
-extern const EVP_PKEY_METHOD *const *AWSLC_non_fips_pkey_evp_methods(void);
+#include "../../evp_extra/internal.h"
 
 DEFINE_LOCAL_DATA(struct fips_evp_pkey_methods, AWSLC_fips_evp_pkey_methods) {
   out->methods[0] = EVP_PKEY_rsa_pkey_meth();

diff --git a/crypto/fipsmodule/self_check/fips.c b/crypto/fipsmodule/self_check/fips.c
@@ -62,6 +62,11 @@ int FIPS_query_algorithm_status(const char *algorithm) {
     "SHA2-384",
     "SHA2-512",
     "SHA2-512/256",
+    "SHA3-256",
+    "SHA3-384",
+    "SHA3-512",
+    "SHAKE128",
+    "SHAKE256",
   };
   for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kApprovedAlgorithms); i++) {
     if (strcmp(algorithm, kApprovedAlgorithms[i]) == 0) {

diff --git a/crypto/fipsmodule/self_check/self_check.c b/crypto/fipsmodule/self_check/self_check.c
@@ -924,6 +924,28 @@ static int boringssl_self_test_hkdf_sha256(void) {
                     "HKDF-SHA-256 KAT");
 }
 
+static int boringssl_self_test_sha3_256(void) {
+  // From: SHA3_256ShortMsg.txt
+  // Len = 128
+  // Msg = d83c721ee51b060c5a41438a8221e040
+  // MD  = b87d9e4722edd3918729ded9a6d03af8256998ee088a1ae662ef4bcaff142a96
+  static const uint8_t kInput[16] = {
+    0xd8, 0x3c, 0x72, 0x1e, 0xe5, 0x1b, 0x06, 0x0c,
+    0x5a, 0x41, 0x43, 0x8a, 0x82, 0x21, 0xe0, 0x40,
+};
+  static const uint8_t kPlaintextSHA3_256[SHA3_256_DIGEST_LENGTH] = {
+    0xb8, 0x7d, 0x9e, 0x47, 0x22, 0xed, 0xd3, 0x91, 0x87, 0x29, 0xde,
+    0xd9, 0xa6, 0xd0, 0x3a, 0xf8, 0x25, 0x69, 0x98, 0xee, 0x08, 0x8a,
+    0x1a, 0xe6, 0x62, 0xef, 0x4b, 0xca, 0xff, 0x14, 0x2a, 0x96,
+};
+  uint8_t output[SHA3_256_DIGEST_LENGTH];
+
+  // SHA3-256 KAT
+  SHA3_256(kInput, sizeof(kInput), output);
+  return check_test(kPlaintextSHA3_256, output, sizeof(kPlaintextSHA3_256),
+                    "SHA3-256 KAT");
+}
+
 static int boringssl_self_test_fast(void) {
   static const uint8_t kAESKey[16] = "BoringCrypto Key";
   // Older versions of the gcc release build on ARM will optimize out the
@@ -1063,6 +1085,7 @@ static int boringssl_self_test_fast(void) {
   }
 
   if (!boringssl_self_test_sha512() ||
+      !boringssl_self_test_sha3_256() ||
       !boringssl_self_test_hkdf_sha256()) {
     goto err;
   }

diff --git a/crypto/fipsmodule/sha/sha1-altivec.c b/crypto/fipsmodule/sha/sha1-altivec.c
@@ -69,8 +69,6 @@
 
 #include <altivec.h>
 
-void sha1_block_data_order(uint32_t *state, const uint8_t *data, size_t num);
-
 static uint32_t rotate(uint32_t a, int n) { return (a << n) | (a >> (32 - n)); }
 
 typedef vector unsigned int vec_uint32_t;