Merge branch 'main' into ml-dsa-seeds

aws · Feb 28, 2025 · f718c29 · f718c29
2 parents d4455e0 + 4898adb
commit f718c29
Show file tree

Hide file tree

Showing 12 changed files with 326 additions and 23 deletions.
diff --git a/.github/workflows/integrations.yml b/.github/workflows/integrations.yml
@@ -10,6 +10,18 @@ concurrency:
 env:
   CC: gcc
 jobs:
+  libssh2:
+    if: github.repository_owner == 'aws'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install OS Dependencies
+        run: |
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
+          sudo apt-get -y --no-install-recommends install cmake gcc ninja-build golang make
+      - uses: actions/checkout@v4
+      - name: Run libssh2 integration tests
+        run: |
+          ./tests/ci/integration/run_libssh2_integration.sh
   python-main:
     if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest

diff --git a/crypto/fipsmodule/aes/asm/aesni-xts-avx512.pl b/crypto/fipsmodule/aes/asm/aesni-xts-avx512.pl
@@ -2493,7 +2493,7 @@
   vmovdqu8 	 0x40($input),%zmm2
   vmovdqu8 	 0x80($input),%zmm3
   vmovdqu8 	 0xc0($input),%zmm4
-  vmovdqu8 	 0xf0($input),%zmm5
+  vmovdqu8 	 0xf0($input),%xmm5
   add 	 \$0x100,$input
 ___
   }

diff --git a/crypto/fipsmodule/modes/xts_test.cc b/crypto/fipsmodule/modes/xts_test.cc
@@ -23,7 +23,9 @@
 #include "internal.h"
 #include "../../test/test_util.h"
 
-
+#if defined(OPENSSL_LINUX)
+#include <sys/mman.h>
+#endif
 struct XTSTestCase {
   const char *key_hex;
   const char *iv_hex;
@@ -995,8 +997,30 @@ static const XTSTestCase kXTSTestCases[] = {
     },
 };
 
+#if defined(OPENSSL_LINUX)
+static uint8_t *get_buffer_end(int pagesize) {
+  uint8_t *two_pages_p = (uint8_t *)mmap(NULL, 2*pagesize, PROT_READ|PROT_WRITE,
+                                      MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
+  EXPECT_TRUE(two_pages_p != NULL) << "mmap returned NULL.";
+
+  int ret = mprotect(two_pages_p + pagesize, pagesize, PROT_NONE);
+  EXPECT_TRUE(ret == 0) << "mprotect failed.";
+
+  return two_pages_p + pagesize;
+}
+
+static void free_memory(uint8_t *addr, int pagesize) {
+  munmap(addr - pagesize, 2 * pagesize);
+}
+#endif
+
 TEST(XTSTest, TestVectors) {
   unsigned test_num = 0;
+#if defined(OPENSSL_LINUX)
+  int pagesize = sysconf(_SC_PAGE_SIZE);
+  uint8_t *in_buffer_end = get_buffer_end(pagesize);
+  uint8_t *out_buffer_end = get_buffer_end(pagesize);
+#endif
   for (const auto &test : kXTSTestCases) {
     test_num++;
     SCOPED_TRACE(test_num);
@@ -1013,45 +1037,57 @@ TEST(XTSTest, TestVectors) {
     ASSERT_EQ(EVP_CIPHER_iv_length(cipher), iv.size());
     ASSERT_EQ(plaintext.size(), ciphertext.size());
 
+    int len;
+    uint8_t *in_p, *out_p;
+  #if defined(OPENSSL_LINUX)
+    ASSERT_GE(pagesize, (int)plaintext.size());
+    in_p = in_buffer_end - plaintext.size();
+    out_p = out_buffer_end - plaintext.size();
+    OPENSSL_memset(in_p, 0x00, plaintext.size());
+    OPENSSL_memset(out_p, 0x00, plaintext.size());
+  #else
+    std::unique_ptr<uint8_t[]> in(new uint8_t[plaintext.size()]);
+    std::unique_ptr<uint8_t[]> out(new uint8_t[plaintext.size()]);
+    in_p = in.get();
+    out_p = out.get();
+  #endif
+
     // Note XTS doesn't support streaming, so we only test single-shot inputs.
     for (bool in_place : {false, true}) {
       SCOPED_TRACE(in_place);
 
       // Test encryption.
-      bssl::Span<const uint8_t> in = plaintext;
-      std::vector<uint8_t> out(plaintext.size());
+
+      OPENSSL_memcpy(in_p, plaintext.data(), plaintext.size());
       if (in_place) {
-        out = plaintext;
-        in = out;
+        out_p = in_p;
       }
 
       bssl::ScopedEVP_CIPHER_CTX ctx;
       ASSERT_TRUE(EVP_EncryptInit_ex(ctx.get(), cipher, nullptr, key.data(),
                                      iv.data()));
-      int len;
       ASSERT_TRUE(
-          EVP_EncryptUpdate(ctx.get(), out.data(), &len, in.data(), in.size()));
-      out.resize(len);
-      EXPECT_EQ(Bytes(ciphertext), Bytes(out));
+          EVP_EncryptUpdate(ctx.get(), out_p, &len, in_p, plaintext.size()));
+      EXPECT_EQ(Bytes(ciphertext), Bytes(out_p, static_cast<size_t>(len)));
 
       // Test decryption.
-      in = ciphertext;
-      out.clear();
-      out.resize(plaintext.size());
-      if (in_place) {
-        out = ciphertext;
-        in = out;
+
+      if (!in_place) {
+        OPENSSL_memset(in_p, 0, len);
       }
 
       ctx.Reset();
       ASSERT_TRUE(EVP_DecryptInit_ex(ctx.get(), cipher, nullptr, key.data(),
                                      iv.data()));
       ASSERT_TRUE(
-          EVP_DecryptUpdate(ctx.get(), out.data(), &len, in.data(), in.size()));
-      out.resize(len);
-      EXPECT_EQ(Bytes(plaintext), Bytes(out));
+          EVP_DecryptUpdate(ctx.get(), in_p, &len, out_p, ciphertext.size()));
+      EXPECT_EQ(Bytes(plaintext), Bytes(in_p, static_cast<size_t>(len)));
     }
   }
+#if defined(OPENSSL_LINUX)
+  free_memory(in_buffer_end, pagesize);
+  free_memory(out_buffer_end, pagesize);
+#endif
 }
 
 // Negative test for key1 = key2

diff --git a/generated-src/linux-x86_64/crypto/fipsmodule/aesni-xts-avx512.S b/generated-src/linux-x86_64/crypto/fipsmodule/aesni-xts-avx512.S
@@ -3271,7 +3271,7 @@ aes_hw_xts_decrypt_avx512:
 	vmovdqu8	64(%rdi),%zmm2
 	vmovdqu8	128(%rdi),%zmm3
 	vmovdqu8	192(%rdi),%zmm4
-	vmovdqu8	240(%rdi),%zmm5
+	vmovdqu8	240(%rdi),%xmm5
 	addq	$0x100,%rdi
 	vpxorq	%zmm9,%zmm1,%zmm1
 	vpxorq	%zmm10,%zmm2,%zmm2

diff --git a/generated-src/mac-x86_64/crypto/fipsmodule/aesni-xts-avx512.S b/generated-src/mac-x86_64/crypto/fipsmodule/aesni-xts-avx512.S
@@ -3271,7 +3271,7 @@ L$_main_loop_run_16_amivrujEyduiFoi:
 	vmovdqu8	64(%rdi),%zmm2
 	vmovdqu8	128(%rdi),%zmm3
 	vmovdqu8	192(%rdi),%zmm4
-	vmovdqu8	240(%rdi),%zmm5
+	vmovdqu8	240(%rdi),%xmm5
 	addq	$0x100,%rdi
 	vpxorq	%zmm9,%zmm1,%zmm1
 	vpxorq	%zmm10,%zmm2,%zmm2

diff --git a/generated-src/win-x86_64/crypto/fipsmodule/aesni-xts-avx512.asm b/generated-src/win-x86_64/crypto/fipsmodule/aesni-xts-avx512.asm
@@ -3330,7 +3330,7 @@ $L$_main_loop_run_16_amivrujEyduiFoi:
 	vmovdqu8	zmm2,ZMMWORD[64+rcx]
 	vmovdqu8	zmm3,ZMMWORD[128+rcx]
 	vmovdqu8	zmm4,ZMMWORD[192+rcx]
-	vmovdqu8	zmm5,ZMMWORD[240+rcx]
+	vmovdqu8	xmm5,XMMWORD[240+rcx]
 	add	rcx,0x100
 	vpxorq	zmm1,zmm1,zmm9
 	vpxorq	zmm2,zmm2,zmm10

diff --git a/include/openssl/des.h b/include/openssl/des.h
@@ -77,6 +77,8 @@ typedef struct DES_cblock_st {
   uint8_t bytes[8];
 } DES_cblock;
 
+typedef struct DES_cblock_st const_DES_cblock;
+
 typedef struct DES_ks {
   uint32_t subkeys[16][2];
 } DES_key_schedule;

diff --git a/ssl/dtls_method.cc b/ssl/dtls_method.cc
@@ -89,7 +89,7 @@ static bool dtls1_set_read_state(SSL *ssl, ssl_encryption_level_t level,
   }
 
   ssl->d1->r_epoch++;
-  OPENSSL_memset(&ssl->d1->bitmap, 0, sizeof(ssl->d1->bitmap));
+  ssl->d1->bitmap = DTLS1_BITMAP();
   OPENSSL_memset(ssl->s3->read_sequence, 0, sizeof(ssl->s3->read_sequence));
 
   ssl->s3->aead_read_ctx = std::move(aead_ctx);

diff --git a/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml b/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml
@@ -36,6 +36,16 @@ batch:
         variables:
           AWS_LC_CI_TARGET: "tests/ci/integration/run_crt_integration.sh"
 
+    - identifier: libgit2_x86_64
+      buildspec: tests/ci/codebuild/common/run_simple_target.yml
+      env:
+        type: LINUX_CONTAINER
+        privileged-mode: false
+        compute-type: BUILD_GENERAL1_SMALL
+        image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-22.04_gcc-12x_integration_latest
+        variables:
+          AWS_LC_CI_TARGET: "tests/ci/integration/run_libgit2_integration.sh"
+
     - identifier: openssh_integration_master_x86_64
       buildspec: tests/ci/codebuild/common/run_simple_target.yml
       env:

diff --git a/tests/ci/integration/libgit2_patch/0001-Support-for-AWS-LC.patch b/tests/ci/integration/libgit2_patch/0001-Support-for-AWS-LC.patch
@@ -0,0 +1,87 @@
+From 399b74c9a4fd6caa55118f6f9ffdb93808aa0fbc Mon Sep 17 00:00:00 2001
+From: Justin Smith <justsmth@amazon.com>
+Date: Tue, 25 Feb 2025 11:50:34 -0500
+Subject: [PATCH] Support for AWS-LC
+
+---
+ deps/ntlmclient/crypt_openssl.c |  8 +++++++-
+ deps/ntlmclient/crypt_openssl.h | 29 +++++++++++++++++++++++++++++
+ 2 files changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/deps/ntlmclient/crypt_openssl.c b/deps/ntlmclient/crypt_openssl.c
+index 3bec27259..abdb46322 100644
+--- a/deps/ntlmclient/crypt_openssl.c
++++ b/deps/ntlmclient/crypt_openssl.c
+@@ -44,7 +44,7 @@ NTLM_INLINE(void) HMAC_CTX_free(HMAC_CTX *ctx)
+
+ #endif
+
+-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || \
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_AWSLC)) || \
+ 	(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x03050000fL) || \
+ 	defined(CRYPT_OPENSSL_DYNAMIC)
+
+@@ -214,8 +214,14 @@ bool ntlm_hmac_md5_init(
+
+ 	ntlm->crypt_ctx.hmac_ctx_cleanup_fn(ntlm->crypt_ctx.hmac);
+
++#if defined(OPENSSL_IS_AWSLC)
++	ntlm->crypt_ctx.hmac_ctx_reset_fn(ntlm->crypt_ctx.hmac);
++	return ntlm->crypt_ctx.hmac_init_ex_fn(ntlm->crypt_ctx.hmac, key, key_len, md5, NULL);
++#else
+ 	return ntlm->crypt_ctx.hmac_ctx_reset_fn(ntlm->crypt_ctx.hmac) &&
+ 	       ntlm->crypt_ctx.hmac_init_ex_fn(ntlm->crypt_ctx.hmac, key, key_len, md5, NULL);
++#endif
++
+ }
+
+ bool ntlm_hmac_md5_update(
+diff --git a/deps/ntlmclient/crypt_openssl.h b/deps/ntlmclient/crypt_openssl.h
+index 8654027db..c18df6848 100644
+--- a/deps/ntlmclient/crypt_openssl.h
++++ b/deps/ntlmclient/crypt_openssl.h
+@@ -60,6 +60,34 @@ typedef struct hmac_ctx_st {
+ } HMAC_CTX;
+ #endif
+
++#if defined(OPENSSL_IS_AWSLC)
++struct ntlm_crypt_ctx {
++	HMAC_CTX *hmac;
++
++	void *openssl_handle;
++
++	void (*des_ecb_encrypt_fn)(const_DES_cblock *input, DES_cblock *output, const DES_key_schedule *ks, int enc);
++	int (*des_set_key_fn)(const_DES_cblock *key, DES_key_schedule *schedule);
++
++	uint32_t (*err_get_error_fn)(void);
++	const char *(*err_lib_error_string_fn)(uint32_t e);
++
++	const EVP_MD *(*evp_md5_fn)(void);
++
++	HMAC_CTX *(*hmac_ctx_new_fn)(void);
++	void (*hmac_ctx_reset_fn)(HMAC_CTX *ctx);
++	void (*hmac_ctx_free_fn)(HMAC_CTX *ctx);
++	void (*hmac_ctx_cleanup_fn)(HMAC_CTX *ctx);
++
++	int (*hmac_init_ex_fn)(HMAC_CTX *ctx, const void *key, unsigned long key_len, const EVP_MD *md, ENGINE *impl);
++	int (*hmac_update_fn)(HMAC_CTX *ctx, const unsigned char *data, size_t len);
++	int (*hmac_final_fn)(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
++
++	unsigned char *(*md4_fn)(const unsigned char *d, size_t n, unsigned char *md);
++
++	int (*rand_bytes_fn)(unsigned char *buf, unsigned long num);
++};
++#else
+ struct ntlm_crypt_ctx {
+ 	HMAC_CTX *hmac;
+
+@@ -86,5 +114,6 @@ struct ntlm_crypt_ctx {
+
+ 	int (*rand_bytes_fn)(unsigned char *buf, int num);
+ };
++#endif
+
+ #endif /* PRIVATE_CRYPT_OPENSSL_H__ */
+-- 
+2.39.5 (Apple Git-154)
+
diff --git a/tests/ci/integration/run_libgit2_integration.sh b/tests/ci/integration/run_libgit2_integration.sh
@@ -0,0 +1,94 @@
+#!/usr/bin/env bash
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+set -exu
+
+source tests/ci/common_posix_setup.sh
+
+# Set up environment.
+
+# SYS_ROOT
+#  |
+#  - SRC_ROOT(aws-lc)
+#  |
+#  - SCRATCH_FOLDER
+#    |
+#    - libgit2
+#    - LIBGIT2_BUILD_FOLDER
+#    - LIBGIT2_INSTALL_FOLDER
+#    - AWS_LC_BUILD_FOLDER
+#    - AWS_LC_INSTALL_FOLDER
+
+# Assumes script is executed from the root of aws-lc directory
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+SCRATCH_FOLDER=${SYS_ROOT}/"LIBGIT2_SCRATCH"
+LIBGIT2_SRC_FOLDER="${SCRATCH_FOLDER}/libgit2"
+LIBGIT2_PATCH_FOLDER="${SCRIPT_DIR}"/libgit2_patch
+LIBGIT2_BUILD_FOLDER="${SCRATCH_FOLDER}/libgit2-build"
+LIBGIT2_INSTALL_FOLDER="${SCRATCH_FOLDER}/libgit2-install"
+AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build"
+AWS_LC_INSTALL_FOLDER="${SCRATCH_FOLDER}/aws-lc-install"
+
+mkdir -p "${SCRATCH_FOLDER}"
+rm -rf "${SCRATCH_FOLDER:?}"/*
+
+pushd "${SCRATCH_FOLDER}"
+
+function libgit2_patch_build() {
+  pushd "${LIBGIT2_SRC_FOLDER}"
+  for patchfile in $(find -L "${LIBGIT2_PATCH_FOLDER}" -type f -name '*.patch' | sort); do
+    echo "Apply patch $patchfile..."
+    patch -p1 --quiet -i "$patchfile"
+  done
+  popd
+}
+
+function libgit2_build_shared() {
+  cmake -B "${LIBGIT2_BUILD_FOLDER}" -DBUILD_SHARED_LIBS=ON -DLINK_WITH_STATIC_LIBRARIES=OFF -DBUILD_TESTS=1 -DCMAKE_INSTALL_PREFIX="${LIBGIT2_INSTALL_FOLDER}" -DOPENSSL_ROOT_DIR="${AWS_LC_INSTALL_FOLDER}" -DUSE_SSH=exec -DUSE_HTTPS=openssl -DUSE_SHA1=HTTPS -DUSE_SHA256=HTTPS -DCMAKE_C_STANDARD=99 -DUSE_AUTH_NTLM=builtin
+  cmake --build "${LIBGIT2_BUILD_FOLDER}" --target install
+  ldd "${LIBGIT2_INSTALL_FOLDER}/bin/git2" | grep "${AWS_LC_INSTALL_FOLDER}" | grep "libcrypto.so" || exit 1
+}
+
+function libgit2_build_static() {
+  cmake -B "${LIBGIT2_BUILD_FOLDER}" -DBUILD_SHARED_LIBS=OFF -DLINK_WITH_STATIC_LIBRARIES=ON -DBUILD_TESTS=1 -DCMAKE_INSTALL_PREFIX="${LIBGIT2_INSTALL_FOLDER}" -DOPENSSL_ROOT_DIR="${AWS_LC_INSTALL_FOLDER}" -DUSE_SSH=exec -DUSE_HTTPS=openssl -DUSE_SHA1=HTTPS -DUSE_SHA256=HTTPS -DCMAKE_C_STANDARD=99 -DUSE_AUTH_NTLM=builtin
+  cmake --build "${LIBGIT2_BUILD_FOLDER}" --target install
+  nm --defined-only "${LIBGIT2_INSTALL_FOLDER}/bin/git2" | grep awslc_version_string || exit 1
+}
+
+function libgit2_run_tests() {
+  ctest --extra-verbose
+}
+
+# Get latest libgit2 version.
+git clone https://github.com/libgit2/libgit2.git "${LIBGIT2_SRC_FOLDER}"
+mkdir -p "${AWS_LC_BUILD_FOLDER}" "${AWS_LC_INSTALL_FOLDER}" "${LIBGIT2_BUILD_FOLDER}" "${LIBGIT2_INSTALL_FOLDER}"
+ls
+
+libgit2_patch_build
+
+aws_lc_build "$SRC_ROOT" "$AWS_LC_BUILD_FOLDER" "$AWS_LC_INSTALL_FOLDER" -DBUILD_TESTING=OFF -DBUILD_TOOL=OFF -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_SHARED_LIBS=1
+aws_lc_build "$SRC_ROOT" "$AWS_LC_BUILD_FOLDER" "$AWS_LC_INSTALL_FOLDER" -DBUILD_TESTING=OFF -DBUILD_TOOL=OFF -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_SHARED_LIBS=0
+export LD_LIBRARY_PATH="${AWS_LC_INSTALL_FOLDER}/lib/:${AWS_LC_INSTALL_FOLDER}/lib64/:${LD_LIBRARY_PATH:-}"
+
+pushd "${LIBGIT2_SRC_FOLDER}"
+libgit2_build_shared
+popd
+
+pushd "${LIBGIT2_BUILD_FOLDER}"
+libgit2_run_tests
+popd
+
+rm -rf "${LIBGIT2_BUILD_FOLDER:?}"/* "${LIBGIT2_INSTALL_FOLDER:?}"/*
+
+pushd "${LIBGIT2_SRC_FOLDER}"
+libgit2_build_static
+popd
+
+pushd "${LIBGIT2_BUILD_FOLDER}"
+libgit2_run_tests
+popd
+
+popd
+
+