diff --git a/.github/workflows/actions-ci.yml b/.github/workflows/actions-ci.yml index 8afda4f526..393238e7a1 100644 --- a/.github/workflows/actions-ci.yml +++ b/.github/workflows/actions-ci.yml @@ -32,9 +32,12 @@ jobs: macOS-x86: if: github.repository_owner == 'aws' needs: [sanity-test-run] - runs-on: macos-latest + runs-on: macos-latest-large steps: - uses: actions/checkout@v2 + - name: Install dependencies + run: | + brew install ninja golang - name: Build ${{ env.PACKAGE_NAME }} run: | ./tests/ci/run_posix_tests.sh @@ -42,9 +45,12 @@ jobs: macOS-x86-FIPS: if: github.repository_owner == 'aws' needs: [sanity-test-run] - runs-on: macos-latest + runs-on: macos-latest-large steps: - uses: actions/checkout@v2 + - name: Install dependencies + run: | + brew install ninja golang - name: Build ${{ env.PACKAGE_NAME }} with FIPS mode run: | ./tests/ci/run_fips_tests.sh 
@@ -136,6 +142,104 @@ jobs: echo ${env:SDEROOT} .\tests\ci\run_windows_tests.bat "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat" x64 true + gcc-9-13-sanity: + if: github.repository_owner == 'aws' + needs: [sanity-test-run] + strategy: + matrix: + gccversion: + - "9" + - "10" + - "11" + - "12" + - "13" + os: + - "ubuntu-latest" + fips: + - "0" + - "1" + runs-on: ${{ matrix.os }} + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-go@v4 + with: + go-version: '>=1.18' + - name: Setup CMake + uses: threeal/cmake-action@v1.3.0 + with: + generator: Ninja + c-compiler: gcc-${{ matrix.gccversion }} + cxx-compiler: g++-${{ matrix.gccversion }} + options: FIPS=${{ matrix.fips }} CMAKE_BUILD_TYPE=Release + - name: Build Project + run: cmake --build ./build --target all + - name: Run tests + run: cmake --build ./build --target run_tests + + clang-13-15-sanity: + if: github.repository_owner == 'aws' + needs: [sanity-test-run] + strategy: + matrix: + gccversion: + - "13" + - "14" + - "15" + os: + - "ubuntu-latest" + fips: + - "0" + - "1" + runs-on: ${{ matrix.os }} + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-go@v4 + with: + go-version: '>=1.18' + - name: Setup CMake + uses: threeal/cmake-action@v1.3.0 + with: + generator: Ninja + c-compiler: clang-${{ matrix.gccversion }} + cxx-compiler: clang++-${{ matrix.gccversion }} + options: FIPS=${{ matrix.fips }} CMAKE_BUILD_TYPE=Release + - name: Build Project + run: cmake --build ./build --target all + - name: Run tests + run: cmake --build ./build --target run_tests + + clang-10-12-sanity: + if: github.repository_owner == 'aws' + needs: [sanity-test-run] + strategy: + matrix: + gccversion: + - "10" + - "11" + - "12" + os: + - "ubuntu-20.04" + fips: + - "0" + - "1" + runs-on: ${{ matrix.os }} + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-go@v4 + with: + go-version: '>=1.18' + - name: Setup CMake + uses: threeal/cmake-action@v1.3.0 + with: + generator: Ninja + 
c-compiler: clang-${{ matrix.gccversion }} + cxx-compiler: clang++-${{ matrix.gccversion }} + options: FIPS=${{ matrix.fips }} CMAKE_BUILD_TYPE=Release + - name: Build Project + run: cmake --build ./build --target all + - name: Run tests + run: cmake --build ./build --target run_tests + # TODO: Investigate sudden hanging tests and failures in GHA runners (P114059413) # MSVC-SDE-32-bit: # needs: [sanity-test-run] diff --git a/.github/workflows/integrations.yml b/.github/workflows/integrations.yml index e967d09b6e..17aabcb66c 100644 --- a/.github/workflows/integrations.yml +++ b/.github/workflows/integrations.yml @@ -46,7 +46,7 @@ jobs: - name: Install OS Dependencies run: | apt-get update - apt-get -y --no-install-recommends install cmake gcc g++ ninja-build golang make python3 python3-sphinx autoconf libtool pkg-config git libc++-dev + apt-get -y --no-install-recommends install cmake gcc g++ ninja-build golang make python3 python3-sphinx autoconf libtool pkg-config git libc++-dev python3-six - uses: actions/checkout@v3 - name: Run integration build run: | diff --git a/CMakeLists.txt b/CMakeLists.txt index bbc2ae5895..d52e8fe34a 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -290,10 +290,13 @@ if(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX) message(STATUS "MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX selected, removing AVX512 optimisations") endif() -# Detect if memcmp is wrongly stripped like strcmp. -# If exists, let CMake generate a warning. -# memcmp bug link https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189. if (GCC) + # All versions of GCC that AWS-LC supports has this warning + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wredundant-decls") + + # Detect if memcmp is wrongly stripped like strcmp. + # If exists, let CMake generate a warning. + # memcmp bug link https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189. # CMake try_run requires these variables must be preset. # https://cmake.org/cmake/help/latest/command/try_run.html set(MEMCMP_INVALID_STRIPPED "") 
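Review bot: The three new sanity jobs pull `threeal/cmake-action@v1.3.0` by tag, and a tag on a third-party action can later be moved to different code; pinning the full commit SHA keeps the configure step fixed to what was reviewed, e.g. `uses: threeal/cmake-action@<FULL_COMMIT_SHA_PLACEHOLDER> # v1.3.0` in each of `gcc-9-13-sanity`, `clang-13-15-sanity` and `clang-10-12-sanity`. None of these jobs declares a `permissions:` block in the visible lines, so they presumably run with the default token scope; `permissions:` with `contents: read` would make the intent explicit if it is not already set at the top of the workflow. The two clang jobs also reuse the matrix key `gccversion` for clang versions, and a neutral name such as `compilerversion` would read more clearly.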
diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c index 8fc82ab5ca..4c5d7b092c 100644 --- a/crypto/asn1/a_mbstr.c +++ b/crypto/asn1/a_mbstr.c @@ -165,14 +165,22 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, utf8_len += cbb_get_utf8_len(c); if (maxsize > 0 && nchar > (size_t)maxsize) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_STRING_TOO_LONG); +#if defined(OPENSSL_WINDOWS) + ERR_add_error_dataf("maxsize=%lu", (unsigned long)maxsize); +#else ERR_add_error_dataf("maxsize=%zu", (size_t)maxsize); +#endif return -1; } } if (minsize > 0 && nchar < (size_t)minsize) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_STRING_TOO_SHORT); +#if defined(OPENSSL_WINDOWS) + ERR_add_error_dataf("minsize=%lu", (unsigned long)minsize); +#else ERR_add_error_dataf("minsize=%zu", (size_t)minsize); +#endif return -1; } diff --git a/crypto/curve25519/x25519_test.cc b/crypto/curve25519/x25519_test.cc index 495741d027..99753ef87d 100644 --- a/crypto/curve25519/x25519_test.cc +++ b/crypto/curve25519/x25519_test.cc @@ -157,7 +157,9 @@ TEST(X25519Test, SmallOrder) { TEST(X25519Test, Iterated) { // Taken from https://tools.ietf.org/html/rfc7748#section-5.2. - uint8_t scalar[32] = {9}, point[32] = {9}, out[32]; + uint8_t scalar[32] = {}, point[32] = {}, out[32]; + scalar[0] = 9; + point[0] = 9; for (unsigned i = 0; i < 1000; i++) { EXPECT_TRUE(ctwrapX25519(out, scalar, point)); @@ -176,7 +178,9 @@ TEST(X25519Test, Iterated) { TEST(X25519Test, DISABLED_IteratedLarge) { // Taken from https://tools.ietf.org/html/rfc7748#section-5.2. - uint8_t scalar[32] = {9}, point[32] = {9}, out[32]; + uint8_t scalar[32] = {}, point[32] = {}, out[32]; + scalar[0] = 9; + point[0] = 9; for (unsigned i = 0; i < 1000000; i++) { EXPECT_TRUE(ctwrapX25519(out, scalar, point)); diff --git a/crypto/evp_extra/internal.h b/crypto/evp_extra/internal.h index 895c14545b..d3103f38b3 100644 --- a/crypto/evp_extra/internal.h +++ b/crypto/evp_extra/internal.h 
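Review bot: The Windows branch added at both error paths of `ASN1_mbstring_ncopy` casts `maxsize`/`minsize` to `unsigned long`, which is 32 bits on 64-bit Windows, so the value written into the error data can be truncated if the parameter type is wider (its declaration is outside the hunk). Both values are already known to be positive at that point, so a single unconditional form would avoid the duplicated `#if` blocks, for example `ERR_add_error_dataf("maxsize=%llu", (unsigned long long)maxsize);`, assuming the formatter behind `ERR_add_error_dataf` accepts `%llu` on every supported toolchain. If the split has to stay, a short comment naming the toolchain that rejects `%zu` would explain why the two branches differ.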
@@ -1,6 +1,9 @@ // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 OR ISC +#ifndef AWS_LC_EVP_EXTRA_INTERNAL_H +#define AWS_LC_EVP_EXTRA_INTERNAL_H + #include #include "../fipsmodule/evp/internal.h" @@ -60,3 +63,5 @@ const EVP_PKEY_METHOD *const *AWSLC_non_fips_pkey_evp_methods(void); // Returns a reference to the list |asn1_evp_pkey_methods|. The list has // size |ASN1_EVP_PKEY_METHODS|. const EVP_PKEY_ASN1_METHOD *const *AWSLC_non_fips_pkey_evp_asn1_methods(void); + +#endif diff --git a/crypto/fipsmodule/cpucap/cpu_intel.c b/crypto/fipsmodule/cpucap/cpu_intel.c index 9cce06dc72..5d5fa5eff6 100644 --- a/crypto/fipsmodule/cpucap/cpu_intel.c +++ b/crypto/fipsmodule/cpucap/cpu_intel.c @@ -158,7 +158,6 @@ static void handle_cpu_env(uint32_t *out, const char *in) { } } -extern uint32_t OPENSSL_ia32cap_P[4]; extern uint8_t OPENSSL_cpucap_initialized; void OPENSSL_cpuid_setup(void) { diff --git a/crypto/fipsmodule/evp/evp.c b/crypto/fipsmodule/evp/evp.c index 5685452dea..4587f8a36a 100644 --- a/crypto/fipsmodule/evp/evp.c +++ b/crypto/fipsmodule/evp/evp.c @@ -68,8 +68,9 @@ #include #include -#include "internal.h" +#include "../../evp_extra/internal.h" #include "../../internal.h" +#include "internal.h" // Node depends on |EVP_R_NOT_XOF_OR_INVALID_LENGTH|. @@ -234,8 +235,6 @@ const char *EVP_MD_name(const EVP_MD *md) { return EVP_MD_get0_name(md); } -extern const EVP_PKEY_ASN1_METHOD *const *AWSLC_non_fips_pkey_evp_asn1_methods(void); - // evp_pkey_asn1_find returns the ASN.1 method table for the given |nid|, which // should be one of the |EVP_PKEY_*| values. It returns NULL if |nid| is // unknown. diff --git a/crypto/fipsmodule/evp/evp_ctx.c b/crypto/fipsmodule/evp/evp_ctx.c index 1a8574f718..801fe0a12a 100644 --- a/crypto/fipsmodule/evp/evp_ctx.c +++ b/crypto/fipsmodule/evp/evp_ctx.c 
@@ -64,9 +64,7 @@ #include "../../internal.h" #include "internal.h" - -// Forward declaration of |AWSLC_non_fips_pkey_evp_methods| to learn return type. -extern const EVP_PKEY_METHOD *const *AWSLC_non_fips_pkey_evp_methods(void); +#include "../../evp_extra/internal.h" DEFINE_LOCAL_DATA(struct fips_evp_pkey_methods, AWSLC_fips_evp_pkey_methods) { out->methods[0] = EVP_PKEY_rsa_pkey_meth(); diff --git a/crypto/fipsmodule/self_check/fips.c b/crypto/fipsmodule/self_check/fips.c index 28226017bb..ab99ea78f6 100644 --- a/crypto/fipsmodule/self_check/fips.c +++ b/crypto/fipsmodule/self_check/fips.c @@ -62,6 +62,11 @@ int FIPS_query_algorithm_status(const char *algorithm) { "SHA2-384", "SHA2-512", "SHA2-512/256", + "SHA3-256", + "SHA3-384", + "SHA3-512", + "SHAKE128", + "SHAKE256", }; for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kApprovedAlgorithms); i++) { if (strcmp(algorithm, kApprovedAlgorithms[i]) == 0) { diff --git a/crypto/fipsmodule/self_check/self_check.c b/crypto/fipsmodule/self_check/self_check.c index 97fae26131..4885a2309a 100644 --- a/crypto/fipsmodule/self_check/self_check.c +++ b/crypto/fipsmodule/self_check/self_check.c @@ -924,6 +924,28 @@ static int boringssl_self_test_hkdf_sha256(void) { "HKDF-SHA-256 KAT"); } +static int boringssl_self_test_sha3_256(void) { + // 
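Review bot: `kApprovedAlgorithms` in `crypto/fipsmodule/self_check/fips.c` now reports SHA3-256, SHA3-384, SHA3-512, SHAKE128 and SHAKE256 as approved, while the only self-test this commit adds in `self_check.c` is a SHA3-256 KAT. If that single KAT is meant to cover the whole Keccak-based family, that should be stated next to the new entries, e.g. `// Covered by the SHA3-256 KAT in self_check.c; SHA-3 and SHAKE share one Keccak implementation.`; if not, the remaining entries need their own KATs before callers are told they are approved. The visible lines do not show the service-indicator handling for these algorithms, so that is worth confirming as well. The body of `FIPS_query_algorithm_status` starts before the hunk.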
From: SHA3_256ShortMsg.txt + // Len = 128 + // Msg = d83c721ee51b060c5a41438a8221e040 + // MD = b87d9e4722edd3918729ded9a6d03af8256998ee088a1ae662ef4bcaff142a96 + static const uint8_t kInput[16] = { + 0xd8, 0x3c, 0x72, 0x1e, 0xe5, 0x1b, 0x06, 0x0c, + 0x5a, 0x41, 0x43, 0x8a, 0x82, 0x21, 0xe0, 0x40, +}; + static const uint8_t kPlaintextSHA3_256[SHA3_256_DIGEST_LENGTH] = { + 0xb8, 0x7d, 0x9e, 0x47, 0x22, 0xed, 0xd3, 0x91, 0x87, 0x29, 0xde, + 0xd9, 0xa6, 0xd0, 0x3a, 0xf8, 0x25, 0x69, 0x98, 0xee, 0x08, 0x8a, + 0x1a, 0xe6, 0x62, 0xef, 0x4b, 0xca, 0xff, 0x14, 0x2a, 0x96, +}; + uint8_t output[SHA3_256_DIGEST_LENGTH]; + + // SHA3-256 KAT + SHA3_256(kInput, sizeof(kInput), output); + return check_test(kPlaintextSHA3_256, output, sizeof(kPlaintextSHA3_256), + "SHA3-256 KAT"); +} + static int boringssl_self_test_fast(void) { static const uint8_t kAESKey[16] = "BoringCrypto Key"; // Older versions of the gcc release build on ARM will optimize out the @@ -1063,6 +1085,7 @@ static int boringssl_self_test_fast(void) { } if (!boringssl_self_test_sha512() || + !boringssl_self_test_sha3_256() || !boringssl_self_test_hkdf_sha256()) { goto err; } diff --git a/crypto/fipsmodule/sha/sha1-altivec.c b/crypto/fipsmodule/sha/sha1-altivec.c index 3152827a0c..ab3645ff91 100644 --- a/crypto/fipsmodule/sha/sha1-altivec.c +++ b/crypto/fipsmodule/sha/sha1-altivec.c @@ -69,8 +69,6 @@ #include -void sha1_block_data_order(uint32_t *state, const uint8_t *data, size_t num); - static uint32_t rotate(uint32_t a, int n) { return (a << n) | (a >> (32 - n)); } typedef vector unsigned int vec_uint32_t; diff --git a/docs/porting/configuration-differences.md b/docs/porting/configuration-differences.md index 3dcc9b5a3b..618d370942 100644 --- a/docs/porting/configuration-differences.md +++ b/docs/porting/configuration-differences.md @@ -55,12 +55,12 @@ The following table contains the differences in libssl configuration options AWS
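Review bot: In `boringssl_self_test_sha3_256` the expected digest is stored in `kPlaintextSHA3_256`, but the array holds the MD value of the quoted test vector rather than a plaintext; a name such as `kExpectedSHA3_256` matches what `check_test` compares against. The return value of `SHA3_256(kInput, sizeof(kInput), output)` is ignored while `output` is declared without an initializer, so if the function can report failure (its declaration is not in the hunk) the KAT should fail on that result directly, e.g. `if (!SHA3_256(kInput, sizeof(kInput), output)) { return 0; }`. The closing `};` of both arrays also appears to sit at column 0, unlike the indented body around them.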

- + SSL_CTX_set_mode
SSL_set_mode


- + SSL_CTX_clear_mode
SSL_clear_mode
@@ -85,7 +85,11 @@ The following table contains the differences in libssl configuration options AWS -

SSL_MODE_AUTO_RETRY

+

+ + SSL_MODE_AUTO_RETRY + +

ON

@@ -96,7 +100,11 @@ The following table contains the differences in libssl configuration options AWS -

SSL_MODE_RELEASE_BUFFERS

+

+ + SSL_MODE_RELEASE_BUFFERS + +

ON

@@ -107,7 +115,11 @@ The following table contains the differences in libssl configuration options AWS -

SSL_MODE_SEND_CLIENTHELLO_TIME

+

+ + SSL_MODE_SEND_CLIENTHELLO_TIME + +

OFF

@@ -118,7 +130,11 @@ The following table contains the differences in libssl configuration options AWS -

SSL_MODE_SEND_SERVERHELLO_TIME

+

+ + SSL_MODE_SEND_SERVERHELLO_TIME + +

ON

@@ -131,12 +147,12 @@ The following table contains the differences in libssl configuration options AWS

- + SSL_CTX_set_options
SSL_set_options


- + SSL_CTX_clear_options
SSL_clear_options
@@ -144,7 +160,11 @@ The following table contains the differences in libssl configuration options AWS

-

SSL_OP_ALL

+

+ + SSL_OP_ALL + +

OFF

@@ -155,7 +175,11 @@ The following table contains the differences in libssl configuration options AWS -

SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION

+

+ + SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION + +

OFF

@@ -166,7 +190,11 @@ The following table contains the differences in libssl configuration options AWS -

SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

+

+ + SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS + +

ON

@@ -177,7 +205,11 @@ The following table contains the differences in libssl configuration options AWS -

SSL_OP_LEGACY_SERVER_CONNECT

+

+ + SSL_OP_LEGACY_SERVER_CONNECT + +

OFF

@@ -188,7 +220,11 @@ The following table contains the differences in libssl configuration options AWS -

SSL_OP_NO_COMPRESSION

+

+ + SSL_OP_NO_COMPRESSION + +

ON

@@ -199,7 +235,11 @@ The following table contains the differences in libssl configuration options AWS -

SSL_OP_NO_RENEGOTIATION

+

+ + SSL_OP_NO_RENEGOTIATION + +

ON

@@ -213,7 +253,11 @@ The following table contains the differences in libssl configuration options AWS -

SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION

+

+ + SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION + +

ON

@@ -224,7 +268,11 @@ The following table contains the differences in libssl configuration options AWS -

SSL_OP_NO_SSLv3

+

+ + SSL_OP_NO_SSLv3 + +

ON

@@ -235,7 +283,11 @@ The following table contains the differences in libssl configuration options AWS -

SSL_OP_TLS_ROLLBACK_BUG

+

+ + SSL_OP_TLS_ROLLBACK_BUG + +

OFF

@@ -246,7 +298,11 @@ The following table contains the differences in libssl configuration options AWS -

SSL_VERIFY_CLIENT_ONCE

+

+ + SSL_VERIFY_CLIENT_ONCE + +

OFF

@@ -259,18 +315,31 @@ The following table contains the differences in libssl configuration options AWS

- + SSL_set_hostflags
+
+ + X509_STORE_CTX_set_flags
+
+ X509_STORE_set_flags
+
+ X509_VERIFY_PARAM_set_flags
- X509_VERIFY_PARAM_set_hostflags +
+ + X509_VERIFY_PARAM_set_hostflags

-

X509_V_FLAG_X509_STRICT

+

+ + X509_V_FLAG_X509_STRICT + +

ON

@@ -281,7 +350,11 @@ The following table contains the differences in libssl configuration options AWS -

X509_V_FLAG_ALLOW_PROXY_CERTS

+

+ + X509_V_FLAG_ALLOW_PROXY_CERTS + +

OFF

@@ -319,9 +392,13 @@ The following table contains the differences in libcrypto configuration options

- + X509_check_host
+
+ X509_check_email
+
+ X509_check_ip
X509_check_ip_asc
@@ -329,7 +406,11 @@ The following table contains the differences in libcrypto configuration options

-

X509_CHECK_FLAG_NO_WILDCARDS

+

+ + X509_CHECK_FLAG_NO_WILDCARDS + +

OFF

@@ -340,7 +421,11 @@ The following table contains the differences in libcrypto configuration options -

X509_CHECK_FLAG_NEVER_CHECK_SUBJECT

+

+ + X509_CHECK_FLAG_NEVER_CHECK_SUBJECT + +

OFF

@@ -351,7 +436,11 @@ The following table contains the differences in libcrypto configuration options -

X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT

+

+ + X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT + +

OFF

@@ -362,7 +451,11 @@ The following table contains the differences in libcrypto configuration options -

X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS

+

+ + X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS + +

ON

@@ -373,7 +466,11 @@ The following table contains the differences in libcrypto configuration options -

X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS

+

+ + X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS + +

OFF

@@ -384,7 +481,11 @@ The following table contains the differences in libcrypto configuration options -

X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS

+

+ + X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS + +

OFF

@@ -397,14 +498,18 @@ The following table contains the differences in libcrypto configuration options

- + PKCS7_sign

-

PKCS7_DETACHED

+

+ + PKCS7_DETACHED + +

OFF

@@ -415,7 +520,11 @@ The following table contains the differences in libcrypto configuration options -

PKCS7_BINARY

+

+ + PKCS7_BINARY + +

@@ -435,17 +544,29 @@ The following table contains the differences in libcrypto configuration options -

PKCS7_NOATTR

+

+ + PKCS7_NOATTR + +

-

PKCS7_PARTIAL

+

+ + PKCS7_PARTIAL + +

-

PKCS7_TEXT

+

+ + PKCS7_TEXT + +

OFF

@@ -456,7 +577,11 @@ The following table contains the differences in libcrypto configuration options -

PKCS7_NOCERTS

+

+ + PKCS7_NOCERTS + +

OFF

@@ -467,7 +592,11 @@ The following table contains the differences in libcrypto configuration options -

PKCS7_STREAM

+

+ + PKCS7_STREAM + +

OFF

@@ -478,7 +607,11 @@ The following table contains the differences in libcrypto configuration options -

PKCS7_NOSMIMECAP

+

+ + PKCS7_NOSMIMECAP + +

OFF

@@ -489,10 +622,18 @@ The following table contains the differences in libcrypto configuration options -

EVP_PKEY_assign

+

+ + EVP_PKEY_assign + +

-

EVP_PKEY_DH

+

+ + EVP_PKEY_DH + +

Not Supported

@@ -503,7 +644,11 @@ The following table contains the differences in libcrypto configuration options -

EVP_PKEY_X448

+

+ + EVP_PKEY_X448 + +

Not Supported

@@ -514,7 +659,11 @@ The following table contains the differences in libcrypto configuration options -

EVP_PKEY_ED448

+

+ + EVP_PKEY_ED448 + +

Not Supported

@@ -525,7 +674,11 @@ The following table contains the differences in libcrypto configuration options -

EVP_PKEY_RSA2

+

+ + EVP_PKEY_RSA2 + +

Not Supported

@@ -563,7 +716,7 @@ The following table contains configuration options AWS-LC has intentionally omit

- + BN_FLG_CONSTTIME diff --git a/docs/porting/functionality-differences.md b/docs/porting/functionality-differences.md index d6999dbc1c..6798e0b709 100644 --- a/docs/porting/functionality-differences.md +++ b/docs/porting/functionality-differences.md @@ -40,9 +40,8 @@ libssl is the portion of OpenSSL which supports TLS. AWS-LC does not have suppor

- - ssl.h
- Security Levels +
+ Security Levels No-ops

@@ -68,9 +67,8 @@ libssl is the portion of OpenSSL which supports TLS. AWS-LC does not have suppor

- - ssl.h
- Deprecated DH functions +
+ FFDH Ciphersuite No-ops

@@ -114,9 +112,8 @@ libssl is the portion of OpenSSL which supports TLS. AWS-LC does not have suppor

- - ssl.h
- Deprecated COMP functions +
+ SSL_COMP and COMP_METHOD No-ops

@@ -174,8 +171,7 @@ libssl is the portion of OpenSSL which supports TLS. AWS-LC does not have suppor

- - ssl.h
+
TLS Renegotiation

@@ -200,8 +196,7 @@ libssl is the portion of OpenSSL which supports TLS. AWS-LC does not have suppor

- - ssl.h
+
SSL_get_shared_ciphers

@@ -217,8 +212,7 @@ libssl is the portion of OpenSSL which supports TLS. AWS-LC does not have suppor

- - ssl.h
+
SSL_get_shared_sigalgs

@@ -234,8 +228,7 @@ libssl is the portion of OpenSSL which supports TLS. AWS-LC does not have suppor

- - ssl.h
+
SSL_get_server_tmp_key

@@ -332,11 +325,12 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi

- - evp.h -
+ + EVP_PKEY_DSA No-ops + +

- EVP_PKEY_DSA + Porting Guide

@@ -360,8 +354,8 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi

- - evp.h + + EVP_PKEY_DH No-ops

@@ -385,7 +379,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi

- + evp.h @@ -407,11 +401,12 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi

- - ec_key.h -

- - ec.h + + EC_KEY + +

+ + EC_GROUP

@@ -443,8 +438,8 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi

- - ec.h + + EC_METHOD

@@ -468,8 +463,8 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi

- - ec.h + + Compressed Forms

@@ -480,7 +475,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi

Returns nothing as a void function. Aborts if a form other than - POINT_CONVERSION_UNCOMPRESSED is requested. + POINT_CONVERSION_UNCOMPRESSED or POINT_CONVERSION_COMPRESSED is requested.

@@ -491,7 +486,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi

- + conf.h @@ -535,6 +530,10 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi

+ + rand.h + +

Entropy Sources @@ -653,7 +652,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi

- + asn1.h @@ -697,7 +696,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi

- + thread.h @@ -838,7 +837,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi

- + evp.h @@ -887,7 +886,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi

- + cipher.h @@ -900,7 +899,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi

Does nothing.

This functions sets flags for EVP_CIPHER_CTX, so any related flags are also no-ops. Related no-op flags can be found in - + the surrounding documentation . @@ -919,7 +918,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi

- + digest.h @@ -932,7 +931,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi

Does nothing.

This functions sets flags for EVP_MD_CTX, so any related flags are also no-ops. Related no-op flags can be found in - + the surrounding documentation . @@ -951,7 +950,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi

- + dh.h @@ -964,7 +963,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi

Does nothing.

This functions clears flags for DH, so any related flags are also no-ops. Related no-op flags can be found in - + the surrounding documentation . @@ -975,7 +974,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi

- + ex_data.h @@ -1000,7 +999,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi

- + bio.h diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index ad8e68e495..2dcb53fd96 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -5602,7 +5602,7 @@ OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves); // AWS-LC #define SSL_OP_NO_SSLv2 0 -// SSL_OP_NO_SSLv2 is ON by default in AWS-LC. There is no support for SSLv3 in +// SSL_OP_NO_SSLv3 is ON by default in AWS-LC. There is no support for SSLv3 in // AWS-LC #define SSL_OP_NO_SSLv3 0 diff --git a/include/openssl/x509.h b/include/openssl/x509.h index 1d82962518..7af554b8c8 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -3279,12 +3279,6 @@ OPENSSL_EXPORT int X509_LOOKUP_add_dir(X509_LOOKUP *lookup, const char *path, (X509_V_FLAG_POLICY_CHECK | X509_V_FLAG_EXPLICIT_POLICY | \ X509_V_FLAG_INHIBIT_ANY | X509_V_FLAG_INHIBIT_MAP) -// X509_OBJECT_new allocates an |X509_OBJECT| on the heap. -OPENSSL_EXPORT X509_OBJECT *X509_OBJECT_new(void); - -// X509_OBJECT_free frees an |X509_OBJECT| from the heap. -OPENSSL_EXPORT void X509_OBJECT_free(X509_OBJECT *a); - // X509_OBJECT_new returns a newly-allocated, empty |X509_OBJECT| or NULL on // error. OPENSSL_EXPORT X509_OBJECT *X509_OBJECT_new(void); 
@@ -3337,7 +3331,15 @@ OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *st, X509_NAME *nm); OPENSSL_EXPORT STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *st, X509_NAME *nm); -OPENSSL_EXPORT int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags); + +// X509_STORE_set_flags enables all values in |flags| in |store|'s verification +// flags. |flags| should be a combination of |X509_V_FLAG_*| constants. +// +// WARNING: These flags will be combined with default flags when copied to an +// |X509_STORE_CTX|. This means it is impossible to unset those defaults from +// the |X509_STORE|. See discussion in |X509_STORE_get0_param|. +OPENSSL_EXPORT int X509_STORE_set_flags(X509_STORE *store, unsigned long flags); + OPENSSL_EXPORT int X509_STORE_set_purpose(X509_STORE *ctx, int purpose); OPENSSL_EXPORT int X509_STORE_set_trust(X509_STORE *ctx, int trust); OPENSSL_EXPORT int X509_STORE_set1_param(X509_STORE *ctx, @@ -3460,6 +3462,10 @@ OPENSSL_EXPORT int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust); OPENSSL_EXPORT int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, int purpose, int trust); + +// X509_STORE_CTX_set_flags enables all values in |flags| in |ctx|'s +// verification flags. |flags| should be a combination of |X509_V_FLAG_*| +// constants. OPENSSL_EXPORT void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags); 
@@ -3538,8 +3544,13 @@ OPENSSL_EXPORT int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *to, const X509_VERIFY_PARAM *from); OPENSSL_EXPORT int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, const X509_VERIFY_PARAM *from); + +// X509_VERIFY_PARAM_set_flags enables all values in |flags| in |param|'s +// verification flags and returns one. |flags| should be a combination of +// |X509_V_FLAG_*| constants. OPENSSL_EXPORT int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags); + OPENSSL_EXPORT int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags); OPENSSL_EXPORT unsigned long X509_VERIFY_PARAM_get_flags( diff --git a/tests/ci/cdk/cdk/codebuild/ec2_test_framework_omnibus.yaml b/tests/ci/cdk/cdk/codebuild/ec2_test_framework_omnibus.yaml index 92288ea862..bd12fa827e 100644 --- a/tests/ci/cdk/cdk/codebuild/ec2_test_framework_omnibus.yaml +++ b/tests/ci/cdk/cdk/codebuild/ec2_test_framework_omnibus.yaml @@ -4,13 +4,17 @@ version: 0.2 # Doc for batch https://docs.aws.amazon.com/codebuild/latest/userguide/batch-build-buildspec.html#build-spec.batch.build-list -# The batch and build-list targets can't be null or 0 length. pre_push_checker is the fastest placeholder batch: build-list: - - identifier: pre_push_checker - buildspec: ./tests/ci/codebuild/linux-x86/pre-push.yml + # Actual tests are ran on an Graviton3 ec2 instance via SSM Commands. + - identifier: graviton3_tests + buildspec: ./tests/ci/codebuild/common/run_ec2_target.yml env: type: LINUX_CONTAINER privileged-mode: false compute-type: BUILD_GENERAL1_SMALL - image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-20.04_clang-8x_latest + image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-20.04_clang-7x-bm-framework_latest + variables: + EC2_AMI: "ami-0a24e6e101933d294" + EC2_INSTANCE_TYPE: "c7g.2xlarge" + ECR_DOCKER_TAG: "amazonlinux-2023_clang-15x_sanitizer" 
diff --git a/tests/ci/cdk/cdk/codebuild/github_ci_linux_arm_omnibus.yaml b/tests/ci/cdk/cdk/codebuild/github_ci_linux_arm_omnibus.yaml index 73cfc7f709..8fa0c10b14 100644 --- a/tests/ci/cdk/cdk/codebuild/github_ci_linux_arm_omnibus.yaml +++ b/tests/ci/cdk/cdk/codebuild/github_ci_linux_arm_omnibus.yaml @@ -284,7 +284,7 @@ batch: # Sanitizer is very slow on ARM. # https://github.com/google/sanitizers/issues/1331 - - identifier: amazonlinux_2023_clang_14x_sanitizer + - identifier: amazonlinux_2023_clang_15x_sanitizer buildspec: ./tests/ci/codebuild/common/run_simple_target.yml env: type: ARM_CONTAINER diff --git a/tests/ci/cdk/cdk/ssm/general_test_run_ssm_document.yaml b/tests/ci/cdk/cdk/ssm/general_test_run_ssm_document.yaml index d42d4598b4..3fc27b763f 100644 --- a/tests/ci/cdk/cdk/ssm/general_test_run_ssm_document.yaml +++ b/tests/ci/cdk/cdk/ssm/general_test_run_ssm_document.yaml 
@@ -14,31 +14,59 @@ mainSteps: # Codebuild just "stops" the instance calling the script, so "trap cleanup" is not executed. - shutdown -P +60 - sudo -i + - systemctl stop apt-daily.timer - export DEBIAN_FRONTEND=noninteractive - export CPU_TYPE=$(dpkg --print-architecture) + - export SOURCE={SOURCE} # if we have a cpu type of x86, we want linux-x86 - - if [ "${CPU_TYPE}" = amd64 ]; then export CPU_ARCH=linux-x86; export AWS_CLI_PREFIX=x86_; sudo sh -c "echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo"; fi + - if [ "${CPU_TYPE}" = amd64 ]; then export CPU_ARCH=linux-x86; export AWS_CLI_PREFIX=x86_; fi # if we have a cpu type of arm, we want linux-aarch - if [ "${CPU_TYPE}" = arm64 ]; then export CPU_ARCH=linux-aarch; export AWS_CLI_PREFIX=aarch; fi # install aws-cli + - killall apt apt-get + - apt-get update - apt-get -y install unzip - curl "https://awscli.amazonaws.com/awscli-exe-linux-${AWS_CLI_PREFIX}64.zip" -o "awscliv2.zip" - unzip awscliv2.zip - ./aws/install - - git clone {GITHUB_REPO} aws-lc-pr - - cd aws-lc-pr - - git checkout {COMMIT_ID} + # Check if the source code is on S3, otherwise treat the source as a PR. 
+ - > + if [ "$(expr substr "$SOURCE" 1 16)" = "aws-lc-codebuild" ]; then + aws s3api get-object --bucket {S3_BUCKET} --key "${SOURCE##{S3_BUCKET}/}" aws-lc-pr.zip + unzip aws-lc-pr.zip + else + git clone {SOURCE} aws-lc-pr + cd aws-lc-pr + git fetch origin pull/{PR_NUM}/head:temp + git checkout temp + git show + if [ "$(git log -n 1 --pretty=format:"%H")" != "{COMMIT_ID}" ]; then + exit 1 + fi + fi # install docker if its not already installed - chmod +x ./tests/ci/benchmark_framework/install_docker.sh - ./tests/ci/benchmark_framework/install_docker.sh # log into docker and get needed docker image from ecr - export ECR_REPO="{AWS_ACCOUNT_ID}.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-${CPU_ARCH}" - aws ecr get-login-password --region us-west-2 | docker login -u AWS --password-stdin "${ECR_REPO}" - - docker pull "${ECR_REPO}:{ECR_DOCKER_TAG}" - - # start the container and run the bm script - - exec_docker="docker run --env AWS_ACCOUNT_ID={AWS_ACCOUNT_ID} --env PR_NUM={PR_NUM} --env COMMIT_ID={COMMIT_ID} --env CPU_TYPE=${CPU_TYPE} -v `pwd`:`pwd` -w `pwd` ${ECR_REPO}:{ECR_DOCKER_TAG}_latest" - - chmod +x ./tests/ci/run_posix_sanitizers.sh - - $exec_docker ./tests/ci/run_posix_sanitizers.sh - - chmod +x ./tests/ci/run_fips_tests.sh - - $exec_docker ./tests/ci/run_fips_tests.sh + - docker pull "${ECR_REPO}:{ECR_DOCKER_TAG}_latest" + # Start the container. Docker needs to be run in "privileged" mode for TSAN tests to pass. + - exec_docker="docker run -v `pwd`:`pwd` -w `pwd` --privileged ${ECR_REPO}:{ECR_DOCKER_TAG}_latest" + # Check if container was spun up succesfully. Then run test scripts and check the output. + - > + if [ -n "$exec_docker" ]; then + chmod +x ./tests/ci/run_posix_sanitizers.sh + $exec_docker ./tests/ci/run_posix_sanitizers.sh + if [ $? != 0 ]; then + exit 1 + fi + chmod +x ./tests/ci/run_fips_tests.sh + $exec_docker ./tests/ci/run_fips_tests.sh + if [ $? 
!= 0 ]; then + exit 1 + fi + else + exit 1 + fi - echo All ec2 test framework tests passed diff --git a/tests/ci/run_ec2_test_framework.sh b/tests/ci/run_ec2_test_framework.sh index d37d3312a9..45e39f298d 100755 --- a/tests/ci/run_ec2_test_framework.sh +++ b/tests/ci/run_ec2_test_framework.sh @@ -19,9 +19,10 @@ cleanup() { generate_ssm_document_file() { # use sed to replace placeholder values inside preexisting document sed -e "s,{AWS_ACCOUNT_ID},${AWS_ACCOUNT_ID},g" \ - -e "s,{PR_NUM},${CODEBUILD_WEBHOOK_TRIGGER},g" \ + -e "s,{PR_NUM},${CODEBUILD_WEBHOOK_TRIGGER//pr\/},g" \ -e "s,{COMMIT_ID},${CODEBUILD_SOURCE_VERSION},g" \ - -e "s,{GITHUB_REPO},${CODEBUILD_SOURCE_REPO_URL},g" \ + -e "s,{SOURCE},${CODEBUILD_SOURCE_REPO_URL},g" \ + -e "s,{S3_BUCKET},${s3_bucket_name},g" \ -e "s,{ECR_DOCKER_TAG},${ecr_docker_tag},g" \ tests/ci/cdk/cdk/ssm/general_test_run_ssm_document.yaml \ > "tests/ci/cdk/cdk/ssm/${ec2_ami_id}_ssm_document.yaml" @@ -45,9 +46,8 @@ trap cleanup EXIT # print some information for reference echo GitHub PR Number: "${CODEBUILD_WEBHOOK_TRIGGER}" -echo GitHub Commit Version: "${CODEBUILD_SOURCE_VERSION}" echo AWS Account ID: "${AWS_ACCOUNT_ID}" -echo GitHub Repo Link: "${CODEBUILD_SOURCE_REPO_URL}" +echo Source: "${CODEBUILD_SOURCE_REPO_URL}" export ec2_ami_id="$1" export ec2_instance_type="$2" export ecr_docker_tag="$3" @@ -77,6 +77,9 @@ for i in {1..30}; do sleep 60 done +# Wait 5 minutes for instance to "warm up"? +echo "Instances need to initialize a few minutes before SSM commands can be properly run" +sleep 300 # Create, and run ssm command. ssm_doc_name=$(create_ssm_document "${ec2_ami_id}") 
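Review bot: The container that builds and tests the fetched pull-request code in `general_test_run_ssm_document.yaml` is now started with `--privileged`, which gives that code full device and capability access on the EC2 host, in a step that already runs under `sudo -i`. If ThreadSanitizer only needs ptrace and an unfiltered syscall set, a narrower form such as `docker run --cap-add=SYS_PTRACE --security-opt seccomp=unconfined ...` is worth trying before accepting the broader flag. Separately, `if [ -n "$exec_docker" ]` cannot fail, because `exec_docker` is a command string assigned on the line above; the test does not show that a container started, so the comment above it should be corrected or the check dropped. The `{SOURCE}`, `{PR_NUM}` and `{S3_BUCKET}` placeholders are pasted into the script unquoted by `sed`, and quoting them at the point of use (`git clone "{SOURCE}" aws-lc-pr`) would keep an unexpected character from changing the command.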
@@ -85,17 +88,18 @@ cloudwatch_group_name="aws-lc-ci-ec2-test-framework-cw-logs" ec2_test_ssm_command_id=$(run_ssm_command "${ssm_doc_name}" "${instance_id}" ${cloudwatch_group_name}) run_url="https://${AWS_REGION}.console.aws.amazon.com/cloudwatch/home?region=${AWS_REGION}\ -#logsV2:log-groups/log-group/${cloudwatch_group_name}/log-events/\ -${ec2_test_ssm_command_id}\$252F${instance_id}\$252FrunShellScript\$252Fstdout" +#logsV2:log-groups/log-group/${cloudwatch_group_name}/log-events/${ec2_test_ssm_command_id}\$252F${instance_id}\$252FrunShellScript\$252F" -echo "Actual Run in EC2 can be observered at CloudWatch URL: ${run_url}" +echo "Actual Run in EC2 can be observered at CloudWatch URL: ${run_url}stdout" +echo "Error outputs can be observered at CloudWatch URL: ${run_url}stderr" -# Give some time for the commands to run + +# Give some time for the commands to run, total wait time is 90 minutes. done=false success=false -for i in {1..45}; do - echo "${i}: Continue to wait 2 min for SSM commands to finish." - sleep 120 +for i in {1..90}; do + echo "${i}: Continue to wait 1 min for SSM commands to finish." + sleep 60 ssm_command_status="$(aws ssm list-commands --command-id "${ec2_test_ssm_command_id}" --query Commands[*].Status --output text)" ssm_target_count="$(aws ssm list-commands --command-id "${ec2_test_ssm_command_id}" --query Commands[*].TargetCount --output text)" diff --git a/third_party/s2n-bignum/include/s2n-bignum_aws-lc.h b/third_party/s2n-bignum/include/s2n-bignum_aws-lc.h index e3a3f7c19a..87ac773fa5 100644 --- a/third_party/s2n-bignum/include/s2n-bignum_aws-lc.h +++ b/third_party/s2n-bignum/include/s2n-bignum_aws-lc.h 
@@ -12,9 +12,9 @@ * express or implied. See the License for the specific language governing * permissions and limitations under the License. */ - #ifndef S2N_BIGNUM_AWS_LC_H #define S2N_BIGNUM_AWS_LC_H + // ---------------------------------------------------------------------------- // C prototypes for s2n-bignum functions used in AWS-LC // ---------------------------------------------------------------------------- diff --git a/tool/speed.cc b/tool/speed.cc index 18a8282bd3..fde748495f 100644 --- a/tool/speed.cc +++ b/tool/speed.cc @@ -1613,7 +1613,7 @@ static bool SpeedEvpEcdh(const std::string &selected) { return SpeedEvpEcdhCurve("EVP ECDH X25519", NID_X25519, selected); } -static bool SpeedECMULCurve(const std::string &name, int nid, +static bool SpeedECPOINTCurve(const std::string &name, int nid, const std::string &selected) { if (!selected.empty() && name.find(selected) == std::string::npos) { return true; @@ -1624,6 +1624,7 @@ static bool SpeedECMULCurve(const std::string &name, int nid, BM_NAMESPACE::UniquePtr scalar0(BN_new()); BM_NAMESPACE::UniquePtr scalar1(BN_new()); BM_NAMESPACE::UniquePtr pin0(EC_POINT_new(group.get())); + BM_NAMESPACE::UniquePtr pin1(EC_POINT_new(group.get())); BM_NAMESPACE::UniquePtr pout(EC_POINT_new(group.get())); 
@@ -1633,11 +1634,36 @@ static bool SpeedECMULCurve(const std::string &name, int nid, return false; } - // Generate one random EC point. + // Generate two random EC point. EC_POINT_mul(group.get(), pin0.get(), scalar0.get(), nullptr, nullptr, ctx.get()); + EC_POINT_mul(group.get(), pin1.get(), scalar1.get(), nullptr, nullptr, ctx.get()); TimeResults results; + // Measure point doubling. + if (!TimeFunction(&results, [&group, &pout, &ctx, &pin0]() -> bool { + if (!EC_POINT_dbl(group.get(), pout.get(), pin0.get(), ctx.get())) { + return false; + } + + return true; + })) { + return false; + } + results.Print(name + " dbl"); + + // Measure point addition. + if (!TimeFunction(&results, [&group, &pout, &ctx, &pin0, &pin1]() -> bool { + if (!EC_POINT_add(group.get(), pout.get(), pin0.get(), pin1.get(), ctx.get())) { + return false; + } + + return true; + })) { + return false; + } + results.Print(name + " add"); + // Measure scalar multiplication of an arbitrary curve point. if (!TimeFunction(&results, [&group, &pout, &ctx, &pin0, &scalar0]() -> bool { if (!EC_POINT_mul(group.get(), pout.get(), nullptr, pin0.get(), scalar0.get(), ctx.get())) { @@ -1677,10 +1703,10 @@ static bool SpeedECMULCurve(const std::string &name, int nid, return true; } -static bool SpeedECMUL(const std::string &selected) { +static bool SpeedECPOINT(const std::string &selected) { for (const auto& config : supported_curves) { - std::string message = "ECMUL " + config.name; - if(!SpeedECMULCurve(message, config.nid, selected)) { + std::string message = "EC POINT " + config.name; + if(!SpeedECPOINTCurve(message, config.nid, selected)) { return false; } } @@ -2699,7 +2725,7 @@ bool Speed(const std::vector &args) { // OpenSSL 1.0.2 is missing functions e.g. |EVP_PKEY_get0_EC_KEY| and // doesn't implement X255519 either. !SpeedEvpEcdh(selected) || - !SpeedECMUL(selected) || + !SpeedECPOINT(selected) || // OpenSSL 1.0 doesn't support Scrypt !SpeedScrypt(selected) || #endif
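Review bot: The return values of both setup `EC_POINT_mul` calls are ignored, including the new one for `pin1`, so a failure there may leave the added `dbl` and `add` measurements running on points that were never set up. The same applies if `EC_POINT_new` returned null for the `pin1` added in the previous hunk; no check for it appears in the visible lines. I would route both calls through the existing error path: `if (!EC_POINT_mul(group.get(), pin0.get(), scalar0.get(), nullptr, nullptr, ctx.get()) || !EC_POINT_mul(group.get(), pin1.get(), scalar1.get(), nullptr, nullptr, ctx.get())) { return false; }`. The updated comment should read `// Generate two random EC points.`. The function begins and ends outside this hunk.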