Merge branch 'main' into shake_bytes

crypto/fipsmodule/FIPS.md

@@ -45,6 +45,9 @@ Some FIPS tests cannot be broken by replacing a known string in the binary. For
 
 1. `RSA_PWCT`
 2. `ECDSA_PWCT`
+3. `EDDSA_PWCT`
+4. `MLKEM_PWCT`
+5. `MLDSA_PWCT`
 
 ## Running ACVP tests
 

crypto/fipsmodule/bcm.c

@@ -270,8 +270,7 @@ static void BORINGSSL_bcm_power_on_self_test(void) {
 
 #if defined(FIPS_ENTROPY_SOURCE_JITTER_CPU)
   if (jent_entropy_init()) {
-    fprintf(stderr, "CPU Jitter entropy RNG initialization failed.\n");
-    AWS_LC_FIPS_failure("CPU Jitter failed to initilize");
+    AWS_LC_FIPS_failure("CPU Jitter entropy RNG initialization failed");
   }
 #endif
 
@@ -333,8 +332,8 @@ int BORINGSSL_integrity_test(void) {
 
   uint8_t result[SHA256_DIGEST_LENGTH];
   const EVP_MD *const kHashFunction = EVP_sha256();
-  if (!boringssl_self_test_sha256(true) ||
-      !boringssl_self_test_hmac_sha256(true)) {
+  if (!boringssl_self_test_sha256() ||
+      !boringssl_self_test_hmac_sha256()) {
     return 0;
   }
 
@@ -379,11 +378,11 @@ int BORINGSSL_integrity_test(void) {
 
 #if defined(BORINGSSL_FIPS_BREAK_TESTS)
   // Check the integrity but don't call AWS_LC_FIPS_failure or return 0
-  check_test(expected, result, sizeof(result), "FIPS integrity test", false);
+  check_test_optional_abort(expected, result, sizeof(result), "FIPS integrity test", false);
 #else
   // Check the integrity, call AWS_LC_FIPS_failure if it doesn't match which will
   // result in an abort
-  check_test(expected, result, sizeof(result), "FIPS integrity test", true);
+  check_test_optional_abort(expected, result, sizeof(result), "FIPS integrity test", true);
 #endif
 
   OPENSSL_cleanse(result, sizeof(result)); // FIPS 140-3, AS05.10.
@@ -393,14 +392,19 @@ int BORINGSSL_integrity_test(void) {
 
 void AWS_LC_FIPS_failure(const char* message) {
   fprintf(stderr, "AWS-LC FIPS failure caused by:\n%s\n", message);
+  fflush(stderr);
   for (;;) {
     abort();
     exit(1);
   }
 }
 
+#else  // BORINGSSL_FIPS
+void AWS_LC_FIPS_failure(const char* message) {
+  fprintf(stderr, "AWS-LC FIPS failure caused by:\n%s\n", message);
+  fflush(stderr);
+}
 #endif  // BORINGSSL_FIPS
-
 #if !defined(AWSLC_FIPS) && !defined(BORINGSSL_SHARED_LIBRARY)
 // When linking with a static library, if no symbols in an object file are
 // referenced then the object file is discarded, even if it has a constructor

crypto/fipsmodule/curve25519/curve25519.c

@@ -117,8 +117,15 @@ static void ed25519_keypair_pct(uint8_t public_key[ED25519_PUBLIC_KEY_LEN],
 #if defined(AWSLC_FIPS)
   uint8_t msg[16] = {16};
   uint8_t out_sig[ED25519_SIGNATURE_LEN];
-  if (ED25519_sign_no_self_test(out_sig, msg, 16, private_key) != 1 ||
-      ED25519_verify_no_self_test(msg, 16, out_sig, public_key) != 1) {
+  if (ED25519_sign_no_self_test(out_sig, msg, 16, private_key) != 1) {
+    // This should never happen and static analysis will say that ED25519_sign_no_self_test
+    // always returns 1
+    AWS_LC_FIPS_failure("Ed25519 keygen PCT failed");
+  }
+  if (boringssl_fips_break_test("EDDSA_PWCT")) {
+    msg[0] = ~msg[0];
+  }
+  if (ED25519_verify_no_self_test(msg, 16, out_sig, public_key) != 1) {
     AWS_LC_FIPS_failure("Ed25519 keygen PCT failed");
   }
 #endif

crypto/fipsmodule/ml_dsa/ml_dsa_ref/sign.c

@@ -25,13 +25,16 @@
 static int ml_dsa_keypair_pct(ml_dsa_params *params,
                               uint8_t *pk,
                               uint8_t *sk) {
+  uint8_t message[1] = {0};
   uint8_t signature[MLDSA87_SIGNATURE_BYTES];
-  uint8_t empty_msg[1] = {0};
-  int ret = ml_dsa_sign(params, signature, &params->bytes, empty_msg, 0, NULL, 0, sk);
+  int ret = ml_dsa_sign(params, signature, &params->bytes, message, sizeof(message), NULL, 0, sk);
   if (ret < 0) {
     return 0;
   }
-  return ml_dsa_verify(params, signature, params->bytes, empty_msg, 0, NULL, 0, pk) == 0;
+  if (boringssl_fips_break_test("MLDSA_PWCT")) {
+    message[0] = ~message[0];
+  }
+  return ml_dsa_verify(params, signature, params->bytes, message, sizeof(message), NULL, 0, pk) == 0;
 }
 #endif
 

crypto/fipsmodule/ml_kem/ml_kem.c

@@ -34,16 +34,32 @@ int ml_kem_512_keypair_deterministic_no_self_test(uint8_t *public_key  /* OUT */
                                                   uint8_t *secret_key  /* OUT */,
                                                   const uint8_t *seed  /* IN */) {
   ml_kem_params params;
+  int res;
   ml_kem_512_params_init(&params);
-  return ml_kem_keypair_derand_ref(&params, public_key, secret_key, seed);
+  res = ml_kem_keypair_derand_ref(&params, public_key, secret_key, seed);
+#if defined(AWSLC_FIPS)
+  /* PCT failure is the only failure condition for key generation. */
+  if (res != 0) {
+      AWS_LC_FIPS_failure("ML-KEM keygen PCT failed");
+  }
+#endif
+  return res;
 }
 
 int ml_kem_512_keypair(uint8_t *public_key /* OUT */,
                            uint8_t *secret_key /* OUT */) {
   boringssl_ensure_ml_kem_self_test();
+  int res;
   ml_kem_params params;
   ml_kem_512_params_init(&params);
-  return ml_kem_keypair_ref(&params, public_key, secret_key);
+  res = ml_kem_keypair_ref(&params, public_key, secret_key);
+#if defined(AWSLC_FIPS)
+  /* PCT failure is the only failure condition for key generation. */
+  if (res != 0) {
+      AWS_LC_FIPS_failure("ML-KEM keygen PCT failed");
+  }
+#endif
+  return res;
 }
 
 int ml_kem_512_encapsulate_deterministic(uint8_t *ciphertext       /* OUT */,
@@ -94,16 +110,32 @@ int ml_kem_768_keypair_deterministic(uint8_t *public_key  /* OUT */,
                                          const uint8_t *seed  /* IN */) {
   boringssl_ensure_ml_kem_self_test();
   ml_kem_params params;
+  int res;
   ml_kem_768_params_init(&params);
-  return ml_kem_keypair_derand_ref(&params, public_key, secret_key, seed);
+  res = ml_kem_keypair_derand_ref(&params, public_key, secret_key, seed);
+#if defined(AWSLC_FIPS)
+  /* PCT failure is the only failure condition for key generation. */
+  if (res != 0) {
+      AWS_LC_FIPS_failure("ML-KEM keygen PCT failed");
+  }
+#endif
+  return res;
 }
 
 int ml_kem_768_keypair(uint8_t *public_key /* OUT */,
                            uint8_t *secret_key /* OUT */) {
   boringssl_ensure_ml_kem_self_test();
   ml_kem_params params;
+  int res;
   ml_kem_768_params_init(&params);
-  return ml_kem_keypair_ref(&params, public_key, secret_key);
+  res = ml_kem_keypair_ref(&params, public_key, secret_key);
+#if defined(AWSLC_FIPS)
+  /* PCT failure is the only failure condition for key generation. */
+  if (res != 0) {
+      AWS_LC_FIPS_failure("ML-KEM keygen PCT failed");
+  }
+#endif
+  return res;
 }
 
 int ml_kem_768_encapsulate_deterministic(uint8_t *ciphertext       /* OUT */,
@@ -139,16 +171,32 @@ int ml_kem_1024_keypair_deterministic(uint8_t *public_key  /* OUT */,
                                           const uint8_t *seed  /* IN */) {
   boringssl_ensure_ml_kem_self_test();
   ml_kem_params params;
+  int res;
   ml_kem_1024_params_init(&params);
-  return ml_kem_keypair_derand_ref(&params, public_key, secret_key, seed);
+  res = ml_kem_keypair_derand_ref(&params, public_key, secret_key, seed);
+#if defined(AWSLC_FIPS)
+  /* PCT failure is the only failure condition for key generation. */
+  if (res != 0) {
+      AWS_LC_FIPS_failure("ML-KEM keygen PCT failed");
+  }
+#endif
+  return res;
 }
 
 int ml_kem_1024_keypair(uint8_t *public_key /* OUT */,
                             uint8_t *secret_key /* OUT */) {
   boringssl_ensure_ml_kem_self_test();
   ml_kem_params params;
+  int res;
   ml_kem_1024_params_init(&params);
-  return ml_kem_keypair_ref(&params, public_key, secret_key);
+  res = ml_kem_keypair_ref(&params, public_key, secret_key);
+#if defined(AWSLC_FIPS)
+  /* PCT failure is the only failure condition for key generation. */
+  if (res != 0) {
+      AWS_LC_FIPS_failure("ML-KEM keygen PCT failed");
+  }
+#endif
+  return res;
 }
 
 int ml_kem_1024_encapsulate_deterministic(uint8_t *ciphertext       /* OUT */,

crypto/fipsmodule/ml_kem/ml_kem_ref/kem.c

@@ -7,7 +7,6 @@
 #include "./verify.h"
 #include "./reduce.h"
 #include "./symmetric.h"
-#include "../../../internal.h"
 
 #include "openssl/rand.h"
 
@@ -24,6 +23,10 @@ static int keygen_pct(ml_kem_params *params, const uint8_t *ek, const uint8_t *d
   crypto_kem_enc(params, ct, ss_enc, ek);
   crypto_kem_dec(params, ss_dec, ct, dk);
 
+  if (boringssl_fips_break_test("MLKEM_PWCT")) {
+    ss_enc[0] = ~ss_enc[0];
+  }
+
   return verify(ss_enc, ss_dec, KYBER_SSBYTES);
 }
 #endif
@@ -40,8 +43,9 @@ static int keygen_pct(ml_kem_params *params, const uint8_t *ek, const uint8_t *d
 *                (an already allocated array of KYBER_SECRETKEYBYTES bytes)
 *              - uint8_t *coins: pointer to input randomness
 *                (an already allocated array filled with 2*KYBER_SYMBYTES random bytes)
-**
-* Returns 0 on success, aborts on failure.
+*
+* Returns:     - 0 on success
+*              - -1 upon PCT failure (if AWSLC_FIPS is set)
 **************************************************/
 int crypto_kem_keypair_derand(ml_kem_params *params,
                               uint8_t *pk,
@@ -57,7 +61,7 @@ int crypto_kem_keypair_derand(ml_kem_params *params,
 #if defined(AWSLC_FIPS)
   // Abort in case of PCT failure.
   if (keygen_pct(params, pk, sk)) {
-    AWS_LC_FIPS_failure("ML-KEM keygen PCT failed");
+    return -1;
   }
 #endif
   return 0;
@@ -74,7 +78,8 @@ int crypto_kem_keypair_derand(ml_kem_params *params,
 *              - uint8_t *sk: pointer to output private key
 *                (an already allocated array of KYBER_SECRETKEYBYTES bytes)
 *
-* Returns 0 on success, aborts on failure.
+* Returns:     - 0 on success
+*              - -1 upon PCT failure (if AWSLC_FIPS is set)
 **************************************************/
 int crypto_kem_keypair(ml_kem_params *params,
                        uint8_t *pk,
@@ -83,7 +88,6 @@ int crypto_kem_keypair(ml_kem_params *params,
   uint8_t coins[2*KYBER_SYMBYTES];
   RAND_bytes(coins, 2*KYBER_SYMBYTES);
   int res = crypto_kem_keypair_derand(params, pk, sk, coins);
-  assert(res == 0);
 
   // FIPS 203. Section 3.3 Destruction of intermediate values.
   OPENSSL_cleanse(coins, sizeof(coins));