Merge branch 'main' into cipherfuncs

Author: justsmth

.github/workflows/aws-lc-rs.yml

@@ -69,5 +69,5 @@ jobs:
       - name: Install cross
         run: cargo install cross --git https://github.com/cross-rs/cross
       - name: Cross-compile arm-linux-androideabi
-        working-directory: ./aws-lc-rs/aws-lc-rs
-        run: cross test --release --features bindgen,unstable --target arm-linux-androideabi
+        working-directory: ./aws-lc-rs
+        run: cross test -p aws-lc-rs --release --features bindgen,unstable --target arm-linux-androideabi

.github/workflows/integrations.yml

@@ -26,7 +26,7 @@ jobs:
     steps:
       - name: Install OS Dependencies
         run: |
-          sudo apt-get update && sudo apt-get -y --no-install-recommends install cmake gcc ninja-build golang autoconf-archive libcmocka0 libcmocka-dev procps iproute2 build-essential git pkg-config gcc libtool automake libssl-dev uthash-dev autoconf doxygen libjson-c-dev libini-config-dev libcurl4-openssl-dev uuid-dev libltdl-dev libusb-1.0-0-dev libftdi-dev
+          sudo apt-get update && sudo apt-get -y --no-install-recommends install cmake gcc ninja-build golang autoconf-archive libcmocka0 libcmocka-dev procps iproute2 build-essential git pkg-config gcc libtool automake libssl-dev uthash-dev autoconf doxygen libjson-c-dev libini-config-dev libcurl4-openssl-dev uuid-dev libltdl-dev libusb-1.0-0-dev libftdi-dev libglib2.0-dev pandoc
       - uses: actions/checkout@v3
       - name: Run integration build
         run: |

.github/workflows/mingw.yml

@@ -0,0 +1,42 @@
+name: MinGW
+on:
+  pull_request:
+    branches: [ '*' ]
+  push:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+jobs:
+  mingw:
+    if: github.repository == 'aws/aws-lc'
+    runs-on: windows-latest
+    steps:
+      - name: Install NASM
+        uses: ilammy/[email protected]
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup MinGW
+        uses: egor-tensin/[email protected]
+        id: setup_mingw
+        with:
+          static: 0
+      - name: Setup CMake
+        uses: threeal/[email protected]
+        with:
+          generator: Ninja
+          c-compiler: ${{ steps.setup_mingw.outputs.gcc }}
+          cxx-compiler: ${{ steps.setup_mingw.outputs.gxx }}
+          options: |
+            CMAKE_SYSTEM_NAME=Windows \
+            CMAKE_SYSTEM_PROCESSOR=x86_64 \
+            CMAKE_BUILD_TOOL=C:/ProgramData/chocolatey/lib/mingw/tools/install/mingw64/bin/ninja.exe \
+            CMAKE_FIND_ROOT_PATH=C:/ProgramData/chocolatey/lib/mingw/tools/install/mingw64 \
+            CMAKE_FIND_ROOT_PATH_MODE_PROGRAM=NEVER \
+            CMAKE_FIND_ROOT_PATH_MODE_LIBRARY=ONLY \
+            CMAKE_FIND_ROOT_PATH_MODE_INCLUDE=ONLY \
+      - name: Build Project
+        run: cmake --build ./build --target all
+      - name: Run tests
+        run: cmake --build ./build --target run_tests

LICENSE

@@ -206,8 +206,8 @@ are met:
    written permission.
 
 
-The code in crypto/kyber/pqcrystals-kyber_kyber512_ref carries the
-Public Domain license:
+The code in crypto/kyber/pqcrystals-kyber_kyber512_ref and
+crypto/ml_kem/ml_kem_ipd_ref_common carries the Public Domain license:
 
 Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/)
 

crypto/CMakeLists.txt

@@ -434,6 +434,7 @@ add_library(
   refcount_win.c
   rsa_extra/rsa_asn1.c
   rsa_extra/rsassa_pss_asn1.c
+  rsa_extra/rsa_crypt.c
   rsa_extra/rsa_print.c
   stack/stack.c
   siphash/siphash.c
@@ -781,7 +782,7 @@ if(BUILD_TESTING)
   add_dependencies(${CRYPTO_TEST_EXEC} boringssl_prefix_symbols)
   target_link_libraries(${CRYPTO_TEST_EXEC} test_support_lib boringssl_gtest_main crypto)
   target_include_directories(${CRYPTO_TEST_EXEC} BEFORE PRIVATE ${PROJECT_BINARY_DIR}/symbol_prefix_include)
-  if(WIN32)
+  if(MSVC)
     target_link_libraries(${CRYPTO_TEST_EXEC} ws2_32)
   else()
     target_compile_options(${CRYPTO_TEST_EXEC} PUBLIC -Wno-deprecated-declarations)

crypto/asn1/a_i2d_fp.c

@@ -54,13 +54,46 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.] */
 
+#include <assert.h>
+
 #include <openssl/asn1.h>
 
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
 
 
+int ASN1_i2d_bio(i2d_of_void *i2d, BIO *out, void *in) {
+  if (i2d == NULL || out == NULL || in == NULL) {
+    OPENSSL_PUT_ERROR(ASN1, ERR_R_PASSED_NULL_PARAMETER);
+    return 0;
+  }
+
+  int size = i2d(in, NULL);
+  if (size <= 0) {
+    OPENSSL_PUT_ERROR(ASN1, ERR_R_INTERNAL_ERROR);
+    return 0;
+  }
+
+  unsigned char *buffer = (unsigned char *)OPENSSL_malloc(size);
+  if (buffer == NULL) {
+    OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
+    return 0;
+  }
+
+  unsigned char *outp = buffer;
+  int ret = i2d(in, &outp);
+  if (ret < 0 || ret > size) {
+    OPENSSL_PUT_ERROR(ASN1, ASN1_R_BUFFER_TOO_SMALL);
+    OPENSSL_free(buffer);
+    return 0;
+  }
+
+  ret = BIO_write_all(out, buffer, size);
+  OPENSSL_free(buffer);
+  return ret;
+}
+
 int ASN1_item_i2d_fp(const ASN1_ITEM *it, FILE *out, void *x) {
   BIO *b = BIO_new_fp(out, BIO_NOCLOSE);
   if (b == NULL) {

crypto/asn1/asn1_test.cc

@@ -979,7 +979,7 @@ static struct tm make_tm(int sec, int min, int hour, int mday, int mon, int year
   t.tm_wday = wday;
   t.tm_yday = yday;
   t.tm_isdst = isdst;
-#if defined(__GNUC__)
+#if defined(__GNU__)
   t.tm_gmtoff = gmtoff;
   t.tm_zone = zone;
 #endif
@@ -2471,6 +2471,34 @@ TEST(ASN1Test, Recursive) {
   ASN1_LINKED_LIST_free(list);
 }
 
+static int i2d_ASN1_LINKED_LIST_void(const void *a, unsigned char **out) {
+  return i2d_ASN1_LINKED_LIST((ASN1_LINKED_LIST *)a, out);
+}
+
+TEST(ASN1Test, BIO) {
+  bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
+  bssl::UniquePtr<uint8_t> data;
+  size_t len;
+  ASSERT_TRUE(MakeLinkedList(&data, &len, 5));
+  const uint8_t *ptr = data.get();
+  ASN1_LINKED_LIST *list = d2i_ASN1_LINKED_LIST(nullptr, &ptr, len);
+  EXPECT_TRUE(list);
+
+  // Retrieve expected bytes.
+  uint8_t *expected = nullptr;
+  int expected_len = i2d_ASN1_LINKED_LIST(list, &expected);
+  ASSERT_GT(expected_len, 0);
+
+  const uint8_t *out;
+  size_t out_len;
+  EXPECT_TRUE(ASN1_i2d_bio(i2d_ASN1_LINKED_LIST_void, bio.get(), list));
+  ASSERT_TRUE(BIO_mem_contents(bio.get(), &out, &out_len));
+
+  EXPECT_EQ(Bytes(out, out_len), Bytes(expected, expected_len));
+  OPENSSL_free(expected);
+  ASN1_LINKED_LIST_free(list);
+}
+
 struct IMPLICIT_CHOICE {
   ASN1_STRING *string;
 };

crypto/base64/base64.c

@@ -193,7 +193,7 @@ int EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len,
   if (total > INT_MAX) {
     // We cannot signal an error, but we can at least avoid making *out_len
     // negative.
-    total = 0;
+    *out_len = 0;
     return 0;
   }
   *out_len = (int)total;

crypto/bio/bio.c

@@ -239,8 +239,11 @@ int BIO_write(BIO *bio, const void *in, int inl) {
 int BIO_write_all(BIO *bio, const void *data, size_t len) {
   const uint8_t *data_u8 = data;
   while (len > 0) {
-    int ret = BIO_write(bio, data_u8, len > INT_MAX ? INT_MAX : (int)len);
+    const int write_len = ((len > INT_MAX) ? INT_MAX : (int)len);
+    int ret = BIO_write(bio, data_u8, write_len);
+    assert(ret <= write_len);
     if (ret <= 0) {
+      OPENSSL_PUT_ERROR(ASN1, ASN1_R_BUFFER_TOO_SMALL);
       return 0;
     }
     data_u8 += ret;

crypto/bio/bio_test.cc

@@ -373,7 +373,7 @@ TEST(BIOTest, CloseFlags) {
 
   // Assert that CRLF line endings get inserted on write and translated back out
   // on read for text mode.
-  TempFILE text_bio_file(tmpfile());
+  TempFILE text_bio_file = createTempFILE();
   ASSERT_TRUE(text_bio_file);
   bssl::UniquePtr<BIO> text_bio(
       BIO_new_fp(text_bio_file.get(), BIO_NOCLOSE | BIO_FP_TEXT));
@@ -403,7 +403,7 @@ TEST(BIOTest, CloseFlags) {
 
   // Assert that CRLF line endings don't get inserted on write for
   // (default) binary mode.
-  TempFILE binary_bio_file(tmpfile());
+  TempFILE binary_bio_file = createTempFILE();
   ASSERT_TRUE(binary_bio_file);
   bssl::UniquePtr<BIO> binary_bio(
       BIO_new_fp(binary_bio_file.get(), BIO_NOCLOSE));
@@ -432,7 +432,7 @@ TEST(BIOTest, CloseFlags) {
 
   // Assert that BIO_CLOSE causes the underlying file to be closed on BIO free
   // (ftell will return < 0)
-  FILE *tmp = tmpfile();
+  FILE *tmp = createRawTempFILE();
   ASSERT_TRUE(tmp);
   BIO *bio = BIO_new_fp(tmp, BIO_CLOSE);
   EXPECT_EQ(0, BIO_tell(bio));
@@ -449,7 +449,7 @@ TEST(BIOTest, CloseFlags) {
 #endif
 
   // Assert that BIO_NOCLOSE does not close the underlying file on BIO free
-  tmp = tmpfile();
+  tmp = createRawTempFILE();
   ASSERT_TRUE(tmp);
   bio = BIO_new_fp(tmp, BIO_NOCLOSE);
   EXPECT_EQ(0, BIO_tell(bio));
@@ -737,7 +737,7 @@ TEST(BIOTest, Gets) {
       check_bio_gets(bio.get());
     }
 
-    TempFILE file(tmpfile());
+    TempFILE file = createTempFILE();
 #if defined(OPENSSL_ANDROID)
     // On Android, when running from an APK, |tmpfile| does not work. See
     // b/36991167#comment8.

crypto/cipher_extra/aead_test.cc

@@ -133,6 +133,10 @@ static const struct KnownAEAD kAEADs[] = {
      "aes_128_cbc_sha256_tls_implicit_iv_tests.txt",
      kLimitedImplementation | RequiresADLength(11)},
 
+  {"AES_256_CBC_SHA384_TLS", EVP_aead_aes_256_cbc_sha384_tls,
+     "aes_256_cbc_sha384_tls_tests.txt",
+     kLimitedImplementation | RequiresADLength(11)},
+
     {"AES_256_CBC_SHA1_TLS", EVP_aead_aes_256_cbc_sha1_tls,
      "aes_256_cbc_sha1_tls_tests.txt",
      kLimitedImplementation | RequiresADLength(11)},
@@ -1372,13 +1376,15 @@ struct EvpAeadCtxSerdeTestParams {
 class EvpAeadCtxSerdeTest
     : public testing::TestWithParam<EvpAeadCtxSerdeTestParams> {};
 
-static const uint8_t kEvpAeadCtxKey[68] = {
-    0x49, 0xd4, 0x9f, 0x84, 0x62, 0xf1, 0xda, 0x3a, 0xe1, 0x60, 0x08, 0xf3,
-    0xcf, 0xf6, 0x01, 0x2d, 0x95, 0x90, 0x08, 0xfe, 0xad, 0x89, 0x31, 0x21,
-    0x1c, 0x84, 0xf0, 0x77, 0x57, 0x18, 0x94, 0x03, 0xe3, 0x85, 0x30, 0x32,
-    0xc3, 0x0f, 0xae, 0x54, 0x54, 0x8d, 0x21, 0x55, 0x68, 0xc9, 0x6f, 0xb9,
-    0x23, 0x4e, 0xbc, 0xba, 0x1a, 0x4c, 0x9a, 0xd8, 0x35, 0x96, 0xc2, 0xb3,
-    0x6e, 0x7a, 0x47, 0xa8, 0x8e, 0xdd, 0x6e, 0x1d};
+static const uint8_t kEvpAeadCtxKey[80] = {
+    0x03, 0xeb, 0x1d, 0xb2, 0x2c, 0xa8, 0xc0, 0x3b, 0x29, 0x9c, 0x66, 0xe5,
+    0xdd, 0xb7, 0x70, 0x6c, 0x39, 0x86, 0x71, 0x94, 0x79, 0x5c, 0xf5, 0x88,
+    0xde, 0xd9, 0x05, 0x1f, 0x28, 0x96, 0x86, 0x28, 0x01, 0xb0, 0x59, 0x11,
+    0xb0, 0x3f, 0x35, 0xe6, 0xb5, 0x2f, 0x3b, 0xee, 0xbc, 0xf9, 0x11, 0xb1,
+    0x9e, 0x58, 0xf6, 0xb7, 0xf3, 0x3e, 0x5b, 0x66, 0x28, 0x85, 0x0c, 0x66,
+    0x2b, 0x75, 0xb7, 0x86, 0xfd, 0xa4, 0x2d, 0x4b, 0x8c, 0xe0, 0x9a, 0x58,
+    0xbf, 0xc6, 0x22, 0x4c, 0x39, 0x25, 0x66, 0xfd
+};
 
 static const EvpAeadCtxSerdeTestParams kEvpAeadCtxSerde[] = {
     {"EVP_aead_aes_128_gcm", EVP_aead_aes_128_gcm(), kEvpAeadCtxKey, 16, 16,
@@ -1421,6 +1427,8 @@ static const EvpAeadCtxSerdeTestParams kEvpAeadCtxSerde[] = {
      kEvpAeadCtxKey, 48, 32, 11},
     {"EVP_aead_aes_128_cbc_sha256_tls_implicit_iv",
      EVP_aead_aes_128_cbc_sha256_tls_implicit_iv(), kEvpAeadCtxKey, 64, 32, 12},
+    {"EVP_aead_aes_256_cbc_sha384_tls", EVP_aead_aes_256_cbc_sha384_tls(),
+     kEvpAeadCtxKey, 80, 48, 28},
     {"EVP_aead_des_ede3_cbc_sha1_tls", EVP_aead_des_ede3_cbc_sha1_tls(),
      kEvpAeadCtxKey, 44, 20, 13},
     {"EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv",

crypto/cipher_extra/cipher_test.cc

@@ -1008,6 +1008,54 @@ TEST(CipherTest, SHA256WithSecretSuffix) {
   }
 }
 
+TEST(CipherTest, SHA384WithSecretSuffix) {
+  uint8_t buf[SHA384_CBLOCK * 4];
+  RAND_bytes(buf, sizeof(buf));
+  // Hashing should run in time independent of the bytes.
+  CONSTTIME_SECRET(buf, sizeof(buf));
+
+  // Exhaustively testing interesting cases in this function is cubic in the
+  // block size, so we test in 7-byte increments.
+  constexpr size_t kSkip = 7;
+  // This value should be less than 16 to test the edge case when the 16-byte
+  // length wraps to the next block.
+  static_assert(kSkip < 16, "kSkip is too large");
+
+  // |EVP_final_with_secret_suffix_sha384| is sensitive to the public length of
+  // the partial block previously hashed. In TLS, this is the HMAC prefix, the
+  // header, and the public minimum padding length.
+  for (size_t prefix = 0; prefix < SHA384_CBLOCK; prefix += kSkip) {
+    SCOPED_TRACE(prefix);
+    // The first block is treated differently, so we run with up to three
+    // blocks of length variability.
+    for (size_t max_len = 0; max_len < 3 * SHA384_CBLOCK; max_len += kSkip) {
+      SCOPED_TRACE(max_len);
+      for (size_t len = 0; len <= max_len; len += kSkip) {
+        SCOPED_TRACE(len);
+
+        uint8_t expected[SHA384_DIGEST_LENGTH];
+        SHA384(buf, prefix + len, expected);
+        CONSTTIME_DECLASSIFY(expected, sizeof(expected));
+
+        // Make a copy of the secret length to avoid interfering with the loop.
+        size_t secret_len = len;
+        CONSTTIME_SECRET(&secret_len, sizeof(secret_len));
+
+        SHA512_CTX ctx;
+        SHA384_Init(&ctx);
+        SHA384_Update(&ctx, buf, prefix);
+        uint8_t computed[SHA384_DIGEST_LENGTH];
+        ASSERT_TRUE(EVP_final_with_secret_suffix_sha384(
+            &ctx, computed, buf + prefix, secret_len, max_len));
+
+        CONSTTIME_DECLASSIFY(computed, sizeof(computed));
+        EXPECT_EQ(Bytes(expected), Bytes(computed));
+      }
+    }
+  }
+}
+
+
 TEST(CipherTest, GetCipher) {
   const EVP_CIPHER *cipher = EVP_get_cipherbynid(NID_aes_128_gcm);
   ASSERT_TRUE(cipher);

crypto/cipher_extra/e_aes_cbc_hmac_sha256.c

@@ -246,8 +246,9 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
     size_t mac_len;
     uint8_t record_mac_tmp[EVP_MAX_MD_SIZE];
     uint8_t *record_mac;
-    if (!EVP_tls_cbc_digest_record_sha256(EVP_sha256(), mac, &mac_len, key->aux.tls_aad,
-                                   out, data_len, len, key->hmac_key, 64)) {
+    if (!EVP_tls_cbc_digest_record(EVP_sha256(), mac, &mac_len,
+                                   key->aux.tls_aad, out, data_len, len,
+                                   key->hmac_key, 64)) {
       OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
       return 0;
     }