Merge pull request #770 from jakemas/update-pq-branch-01-24-23

Update pq branch 01 24 23 - merge main
aws · Jan 24, 2023 · 16c8277 · 16c8277
2 parents a425db0 + 2b2f923
commit 16c8277
Show file tree

Hide file tree

Showing 23 changed files with 2,909 additions and 2,107 deletions.
diff --git a/crypto/curve25519/curve25519.c b/crypto/curve25519/curve25519.c
@@ -1875,9 +1875,10 @@ static void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
 }
 
 void ED25519_keypair(uint8_t out_public_key[32], uint8_t out_private_key[64]) {
-  uint8_t seed[32];
-  RAND_bytes(seed, 32);
+  uint8_t seed[ED25519_SEED_LEN];
+  RAND_bytes(seed, ED25519_SEED_LEN);
   ED25519_keypair_from_seed(out_public_key, out_private_key, seed);
+  OPENSSL_cleanse(seed, ED25519_SEED_LEN);
 }
 
 int ED25519_sign(uint8_t out_sig[64], const uint8_t *message,
@@ -1982,9 +1983,9 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
 
 void ED25519_keypair_from_seed(uint8_t out_public_key[32],
                                uint8_t out_private_key[64],
-                               const uint8_t seed[32]) {
+                               const uint8_t seed[ED25519_SEED_LEN]) {
   uint8_t az[SHA512_DIGEST_LENGTH];
-  SHA512(seed, 32, az);
+  SHA512(seed, ED25519_SEED_LEN, az);
 
   az[0] &= 248;
   az[31] &= 127;
@@ -1994,8 +1995,8 @@ void ED25519_keypair_from_seed(uint8_t out_public_key[32],
   x25519_ge_scalarmult_base(&A, az);
   ge_p3_tobytes(out_public_key, &A);
 
-  OPENSSL_memcpy(out_private_key, seed, 32);
-  OPENSSL_memcpy(out_private_key + 32, out_public_key, 32);
+  OPENSSL_memcpy(out_private_key, seed, ED25519_SEED_LEN);
+  OPENSSL_memcpy(out_private_key + ED25519_SEED_LEN, out_public_key, 32);
 }
 
 

diff --git a/crypto/curve25519/spake25519.c b/crypto/curve25519/spake25519.c
@@ -439,6 +439,8 @@ int SPAKE2_generate_msg(SPAKE2_CTX *ctx, uint8_t *out, size_t *out_len,
   *out_len = sizeof(ctx->my_msg);
   ctx->state = spake2_state_msg_generated;
 
+  OPENSSL_cleanse(private_tmp, 64);
+
   return 1;
 }
 

diff --git a/crypto/dsa/dsa.c b/crypto/dsa/dsa.c
@@ -458,6 +458,7 @@ int DSA_generate_parameters_ex(DSA *dsa, unsigned bits, const uint8_t *seed_in,
   }
 
   BN_MONT_CTX_free(mont);
+  OPENSSL_cleanse(seed, SHA256_DIGEST_LENGTH);
 
   return ok;
 }

diff --git a/crypto/evp_extra/evp_extra_test.cc b/crypto/evp_extra/evp_extra_test.cc
@@ -1714,7 +1714,7 @@ struct KnownKEM {
 };
 
 static const struct KnownKEM kKEMs[] = {
-  {"Kyber512", NID_KYBER512, 800, 1632, 768, 32, "pq_kem_kat_tests_kyber512.txt"},
+  {"Kyber512r3", NID_KYBER512_R3, 800, 1632, 768, 32, "pq_kem_kat_tests_kyber512.txt"},
 };
 
 class PerKEMTest : public testing::TestWithParam<KnownKEM> {};

diff --git a/crypto/fipsmodule/evp/p_rsa.c b/crypto/fipsmodule/evp/p_rsa.c
@@ -174,6 +174,22 @@ static int pkey_pss_init(EVP_PKEY_CTX *ctx) {
   return 1;
 }
 
+// |pkey_pss_init| was assigned to both the sign and verify operations
+// of the |EVP_PKEY_RSA_PSS| methods. This created an unwanted assembler
+// optimization for the gcc-8 FIPS static release build on Ubuntu x86_64.
+// The gcc-8 assembler will attempt to optimize function pointers used in
+// multiple places under a ".data.rel.ro.local" section, but "delocate.go"
+// does not have the ability to handle ".data" sections. Splitting
+// |pkey_pss_init| into two functions: |pkey_pss_init_sign| and
+// |pkey_pss_init_verify|, gets around this undesired behaviour.
+static int pkey_pss_init_sign(EVP_PKEY_CTX *ctx) {
+  return pkey_pss_init(ctx);
+}
+
+static int pkey_pss_init_verify(EVP_PKEY_CTX *ctx) {
+  return pkey_pss_init(ctx);
+}
+
 static int pkey_rsa_init(EVP_PKEY_CTX *ctx) {
   RSA_PKEY_CTX *rctx;
   rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX));
@@ -697,10 +713,10 @@ DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_rsa_pss_pkey_meth) {
     out->copy = pkey_rsa_copy;
     out->cleanup = pkey_rsa_cleanup;
     out->keygen = pkey_rsa_keygen;
-    out->sign_init = pkey_pss_init; /* sign_init */
+    out->sign_init = pkey_pss_init_sign; /* sign_init */
     out->sign = pkey_rsa_sign;
     out->sign_message = NULL; /* sign_message */
-    out->verify_init = pkey_pss_init; /* verify_init */
+    out->verify_init = pkey_pss_init_verify; /* verify_init */
     out->verify = pkey_rsa_verify;
     out->verify_message = NULL; /* verify_message */
     out->verify_recover = NULL; /* verify_recover */

diff --git a/crypto/fipsmodule/rand/rand.c b/crypto/fipsmodule/rand/rand.c
@@ -392,6 +392,8 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
       CRYPTO_STATIC_MUTEX_unlock_write(thread_states_list_lock_bss_get());
     }
 #endif
+    OPENSSL_cleanse(seed, CTR_DRBG_ENTROPY_LEN);
+    OPENSSL_cleanse(personalization, CTR_DRBG_ENTROPY_LEN);
   }
 
   if (state->calls >= kReseedInterval ||
@@ -425,6 +427,8 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
     }
     state->calls = 0;
     state->fork_generation = fork_generation;
+    OPENSSL_cleanse(seed, CTR_DRBG_ENTROPY_LEN);
+    OPENSSL_cleanse(add_data_for_reseed, CTR_DRBG_ENTROPY_LEN);
   } else {
 #if defined(BORINGSSL_FIPS)
     CRYPTO_STATIC_MUTEX_lock_read(state_clear_all_lock_bss_get());
@@ -455,6 +459,8 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
     CTR_DRBG_clear(&state->drbg);
   }
 
+  OPENSSL_cleanse(additional_data, 32);
+
 #if defined(BORINGSSL_FIPS)
   CRYPTO_STATIC_MUTEX_unlock_read(state_clear_all_lock_bss_get());
 #endif

diff --git a/crypto/fipsmodule/rsa/rsa.c b/crypto/fipsmodule/rsa/rsa.c
@@ -742,6 +742,24 @@ static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv,
   return ret;
 }
 
+#if !defined(AWSLC_FIPS)
+static bool allow_rsa_keys_d_gt_n_flag = false;
+
+void allow_rsa_keys_d_gt_n(void) {
+  allow_rsa_keys_d_gt_n_flag = true;
+}
+
+static bool are_rsa_keys_with_d_gt_n_allowed(void) {
+  return allow_rsa_keys_d_gt_n_flag;
+}
+
+#else
+
+static bool are_rsa_keys_with_d_gt_n_allowed(void) {
+  return false;
+}
+#endif
+
 int RSA_validate_key(const RSA *key, rsa_asn1_key_encoding_t key_enc_type) {
   // TODO(davidben): RSA key initialization is spread across
   // |rsa_check_public_key|, |RSA_check_key|, |freeze_private_key|, and
@@ -759,10 +777,18 @@ int RSA_validate_key(const RSA *key, rsa_asn1_key_encoding_t key_enc_type) {
     return 0;
   }
 
+  if (key->d != NULL && (BN_is_negative(key->d))) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_D_OUT_OF_RANGE);
+    return 0;
+  }
+
   // |key->d| must be bounded by |key->n|. This ensures bounds on |RSA_bits|
   // translate to bounds on the running time of private key operations.
+  // See above this functions the explanation for the exception when keys
+  // with |d > n| are allowed.
   if (key->d != NULL &&
-      (BN_is_negative(key->d) || BN_cmp(key->d, key->n) >= 0)) {
+      are_rsa_keys_with_d_gt_n_allowed() == false &&
+      BN_cmp(key->d, key->n) >= 0) {
     OPENSSL_PUT_ERROR(RSA, RSA_R_D_OUT_OF_RANGE);
     return 0;
   }
-Original file line number
+Diff line change
@@ Expand Up @@
       }
       BN_MONT_CTX_free(mont);
+      OPENSSL_cleanse(seed, SHA256_DIGEST_LENGTH);
       return ok;
     }
@@ Expand Down @@