Merge branch 'main' into jdb

Author: chockalingamc

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## 2.6.0
+
+### Minor
+* [PR 433:](https://github.com/corretto/amazon-corretto-crypto-provider/pull/433) Add build option for exposing self-test failure messages
+
 ## 2.5.0
 
 ### Minor
@@ -13,6 +18,7 @@
 * [PR 426:](https://github.com/corretto/amazon-corretto-crypto-provider/pull/426) Add null check to AesCbcSpi
 * [PR 427:](https://github.com/corretto/amazon-corretto-crypto-provider/pull/427) Add provider info string
 * [PR 432:](https://github.com/corretto/amazon-corretto-crypto-provider/pull/432) Support Ed25519ph, bump AWS-LC to v1.46.0yy
+* [PR 434:](https://github.com/corretto/amazon-corretto-crypto-provider/pull/434) Encode ML-DSA priv key as seed, expose MlDsaUtils
 
 ## 2.4.1
 

CMakeLists.txt

@@ -42,6 +42,7 @@ set(TEST_DATA_DIR ${PROJECT_SOURCE_DIR}/test-data/ CACHE STRING "Path to directo
 set(ORIG_SRCROOT ${PROJECT_SOURCE_DIR} CACHE STRING "Path to root of original package")
 set(PROVIDER_VERSION_STRING "" CACHE STRING "X.Y.Z formatted version of the provider")
 set(EXPERIMENTAL_FIPS NO CACHE BOOL "Determines if this build is for FIPS mode with extra features from a non-FIPS branch of AWS-LC.")
+set(FIPS_SELF_TEST_SKIP_ABORT NO CACHE BOOL "Determines whether ACCP throws exceptions on self-test failure, or AWS-LC aborts. If NO, AWS-LC aborts. If YES, ACCP will provide error messages.")
 set(FIPS NO CACHE BOOL "Determine if this build is for FIPS mode")
 set(ALWAYS_ALLOW_EXTERNAL_LIB NO CACHE BOOL "Always permit tests to load ACCP shared objects from the library path")
 set(AWS_LC_VERSION_STRING "" CACHE STRING "Git version of AWS-LC used in this build")
@@ -51,6 +52,10 @@ if (EXPERIMENTAL_FIPS)
     set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DEXPERIMENTAL_FIPS_BUILD")
 endif()
 
+if (FIPS_SELF_TEST_SKIP_ABORT)
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DFIPS_SELF_TEST_SKIP_ABORT")
+endif()
+
 if (USE_CLANG_TIDY)
     # https://releases.llvm.org/9.0.0/tools/clang/tools/extra/docs/clang-tidy/checks/list.html
     # https://clang.llvm.org/extra/clang-tidy/#suppressing-undesired-diagnostics
@@ -161,10 +166,12 @@ add_custom_command(
 #       detected by CMake.
 if (${CMAKE_VERSION} VERSION_LESS "3.12.0")
     file(GLOB_RECURSE ACCP_SRC "src/com/amazon/corretto/crypto/provider/*.java")
+    file(GLOB_RECURSE ACCP_UTILS_SRC "src/com/amazon/corretto/crypto/utils/*.java")
 else()
     file(GLOB_RECURSE ACCP_SRC CONFIGURE_DEPENDS "src/com/amazon/corretto/crypto/provider/*.java")
+    file(GLOB_RECURSE ACCP_UTILS_SRC CONFIGURE_DEPENDS "src/com/amazon/corretto/crypto/utils/*.java")
 endif()
-set(ACCP_SRC ${ACCP_SRC} ${GENERATED_JAVA_SRC})
+set(ACCP_SRC ${ACCP_SRC} ${ACCP_UTILS_SRC} ${GENERATED_JAVA_SRC})
 
 set(BASE_JAVA_COMPILE_FLAGS ${CMAKE_JAVA_COMPILE_FLAGS} -h "${JNI_HEADER_DIR}" -Werror -Xlint)
 
@@ -292,6 +299,7 @@ set(C_SRC
     csrc/util.cpp
     csrc/util_class.cpp
     csrc/fips_kat_self_test.cpp
+    csrc/fips_status.cpp
     ${JNI_HEADER_DIR}/generated-headers.h)
 
 if(FIPS)
@@ -502,7 +510,7 @@ if(NOT ENABLE_NATIVE_TEST_HOOKS)
     CHECK_LINKER_FLAG_SUPPORT(USE_VERSION_SCRIPT "-Wl,--version-script -Wl,${CMAKE_CURRENT_SOURCE_DIR}/final-link.version")
 
 # This does the same thing as the version script, but works on Darwin platforms
-    CHECK_LINKER_FLAG_SUPPORT(USE_EXPORTED_SYMBOL "-Wl,-exported_symbol '-Wl,_Java_*' -Wl,-exported_symbol '-Wl,_JNI_*'")
+    CHECK_LINKER_FLAG_SUPPORT(USE_EXPORTED_SYMBOL "-Wl,-exported_symbol '-Wl,_Java_*' '-Wl,_AWS_LC_fips_failure_callback' -Wl,-exported_symbol '-Wl,_JNI_*'")
 endif()
 
 # Attempt to drop unused sections; the idea here is to exclude unreferenced
@@ -679,6 +687,7 @@ add_custom_target(check-junit
         --select-package=com.amazon.corretto.crypto.provider.test
         --exclude-package=com.amazon.corretto.crypto.provider.test.integration
         --exclude-classname=com.amazon.corretto.crypto.provider.test.SecurityManagerTest
+        --exclude-classname=com.amazon.corretto.crypto.provider.test.FipsStatusTest
 
     DEPENDS accp-jar tests-jar)
 
@@ -700,6 +709,15 @@ add_custom_target(check-junit-SecurityManager
 
     DEPENDS accp-jar tests-jar)
 
+add_custom_target(check-junit-FipsStatus
+    COMMAND ${TEST_JAVA_EXECUTABLE}
+        ${TEST_RUNNER_ARGUMENTS}
+        --select-class=com.amazon.corretto.crypto.provider.test.AesTest # Force loading ciphers
+        --select-class=com.amazon.corretto.crypto.provider.test.SHA1Test # Force loading digests
+        --select-class=com.amazon.corretto.crypto.provider.test.FipsStatusTest
+
+    DEPENDS accp-jar tests-jar)
+
 add_custom_target(check-with-jni-flag
     COMMAND ${TEST_JAVA_EXECUTABLE}
         -Xcheck:jni
@@ -747,6 +765,7 @@ add_custom_target(check-junit-extra-checks
         ${TEST_RUNNER_ARGUMENTS}
         --select-package=com.amazon.corretto.crypto.provider.test
         --exclude-package=com.amazon.corretto.crypto.provider.test.integration
+        --exclude-classname=com.amazon.corretto.crypto.provider.test.FipsStatusTest
         --exclude-classname=com.amazon.corretto.crypto.provider.test.SecurityManagerTest
 
     DEPENDS accp-jar tests-jar)
@@ -843,7 +862,8 @@ add_custom_target(check-junit-edKeyFactory
 
     DEPENDS accp-jar tests-jar)
 
-set(check_targets check-recursive-init
+set(check_targets
+    check-recursive-init
     check-install-via-properties
     check-install-via-properties-with-debug
     check-junit
@@ -852,7 +872,8 @@ set(check_targets check-recursive-init
     check-junit-AesLazy
     check-junit-AesEager
     check-junit-DifferentTempDir
-    check-junit-edKeyFactory)
+    check-junit-edKeyFactory
+    check-junit-FipsStatus)
 
 if(${CMAKE_SYSTEM_NAME} MATCHES "Linux")
   set(check_targets ${check_targets} check-with-jni-flag)

README.md

@@ -133,7 +133,8 @@ ACCP did not track a FIPS branch/release version of AWS-LC until ACCP v2.3.0. Be
 | 2.3.3               | 1.17.0         | 2.0.2               |
 | 2.4.0               | 1.30.1         | 2.0.13              |
 | 2.4.1               | 1.30.1         | 2.0.13              |
-| 2.5.0               | 1.46.0         | 3.0.0               |
+| 2.5.0               | 1.47.0         | 3.0.0               |
+| 2.6.0               | 1.48.2         | 3.0.0               |
 
 Notable differences between ACCP and ACCP-FIPS:
 * ACCP uses [the latest release of AWS-LC](https://github.com/aws/aws-lc/releases), whereas, ACCP-FIPS uses [the fips-2022-11-02 branch of AWS-LC](https://github.com/aws/aws-lc/tree/fips-2022-11-02).

aws-lc

@@ -8,13 +8,13 @@ plugins {
     id 'maven-publish'
     id 'signing'
     id "com.diffplug.spotless" version "6.18.0"
-    id "com.google.osdetector" version "1.7.0"
+    id "com.google.osdetector" version "1.7.3"
     id "io.github.gradle-nexus.publish-plugin" version "1.1.0"
 }
 
 group = 'software.amazon.cryptools'
 version = '2.5.0'
-ext.awsLcMainTag = 'v1.46.0'
+ext.awsLcMainTag = 'v1.48.2'
 ext.awsLcFipsTag = 'AWS-LC-FIPS-3.0.0'
 ext.isExperimentalFips = Boolean.getBoolean('EXPERIMENTAL_FIPS')
 ext.isFips = ext.isExperimentalFips || Boolean.getBoolean('FIPS')
@@ -32,6 +32,16 @@ if (System.properties["AWSLC_GITVERSION"]) {
 }
 
 ext.isLegacyBuild = Boolean.getBoolean('LEGACY_BUILD')
+ext.allowFipsTestBreak = Boolean.getBoolean('ALLOW_FIPS_TEST_BREAK')
+ext.isFipsSelfTestFailureSkipAbort = Boolean.getBoolean('FIPS_SELF_TEST_SKIP_ABORT')
+
+if (allowFipsTestBreak && !isFips) {
+    throw new GradleException("ALLOW_FIPS_TEST_BREAK can only be set if FIPS is also set to true")
+}
+
+if (isFipsSelfTestFailureSkipAbort && !isFips) {
+    throw new GradleException("FIPS_SELF_TEST_SKIP_ABORT can only be set if FIPS is also set to true")
+}
 
 ext.lcovIgnore = System.properties['LCOV_IGNORE']
 if (ext.lcovIgnore == null) {
@@ -78,6 +88,7 @@ spotless {
         target 'csrc/*'
         licenseHeaderFile 'build-tools/license-headers/LicenseHeader.h'
         clangFormat(clangFormatVersion)
+        toggleOffOn()
     }
   }
 }
@@ -90,13 +101,11 @@ spotless {
  */
 def getClangFormatVersion() {
     def version_command = 'clang-format --version'
-    def shell_output = new ByteArrayOutputStream()
-    exec {
+    def version_exec = providers.exec {
         commandLine "bash", "-c", version_command
-        standardOutput = shell_output
-        ignoreExitValue true
+        ignoreExitValue = true
     }
-    def shell_output_string = shell_output.toString().trim()
+    def shell_output_string = version_exec.standardOutput.asText.get().trim()
     def matcher = shell_output_string =~ /version ([\w\.-]+)/
     if (matcher.find()) {
         return matcher.group(1)
@@ -114,13 +123,11 @@ if (System.properties["AWSLC_SRC_DIR"]) {
 
 // Execute cmake3 command to see if it exists. Mainly to support AL2.
 def detect_cmake3 = {
-    def exec_cmake3 = exec {
+    def cmake3_exec = providers.exec {
         executable "bash" args "-l", "-c", 'command -v cmake3'
-        ignoreExitValue true
-        standardOutput = new ByteArrayOutputStream()
-        errorOutput = standardOutput
+        ignoreExitValue = true
     }
-    if(exec_cmake3.getExitValue() == 0) {
+    if (cmake3_exec.result.get().exitValue == 0) {
         return "cmake3"
     }
     return "cmake"
@@ -249,12 +256,27 @@ task buildAwsLc {
                 args '-DCMAKE_BUILD_TYPE=RelWithDebInfo'
                 args "-DCMAKE_INSTALL_PREFIX=${sharedObjectOutDir}"
                 args "-DCMAKE_VERBOSE_MAKEFILE:BOOL=ON"
-
+                def cmakeCFlags = ""
 
                 if (isFips) {
+                    println "Building AWS-LC in FIPS mode"
                     args '-DFIPS=1'
                 }
 
+                if (allowFipsTestBreak) {
+                    println "Building AWS-LC with hooks to break FIPS tests"
+                    cmakeCFlags += '-DBORINGSSL_FIPS_BREAK_TESTS '
+                }
+
+                if (isFipsSelfTestFailureSkipAbort) {
+                    println "Building AWS-LC to enable CPU jitter sampling when seeding its DRBG"
+                    args '-DENABLE_FIPS_ENTROPY_CPU_JITTER=ON'
+                    println "Building AWS-LC to call callback instead of aborting on self-test failure"
+                    cmakeCFlags += '-DAWSLC_FIPS_FAILURE_CALLBACK '
+                }
+
+                args "-DCMAKE_C_FLAGS='${cmakeCFlags}'"
+
                 args '.'
             }
         }
@@ -341,6 +363,11 @@ task executeCmake(type: Exec) {
     if (isExperimentalFips) {
         args '-DEXPERIMENTAL_FIPS=ON'
     }
+
+    if (isFipsSelfTestFailureSkipAbort) {
+        args '-DFIPS_SELF_TEST_SKIP_ABORT=ON'
+    }
+
     if (prebuiltJar != null) {
        args '-DSIGNED_JAR=' + prebuiltJar
        println "Using SIGNED_JAR=${prebuiltJar}"
@@ -478,8 +505,8 @@ task unit_tests(type: Copy) {
 test.dependsOn unit_tests
 
 task singleTest(type: Exec) {
-    group 'Verification'
-    description 'Pass in the test class using -DSINGLE_TEST=${fully_qualified_test_class}'
+    group = 'Verification'
+    description = 'Pass in the test class using -DSINGLE_TEST=${fully_qualified_test_class}'
     dependsOn executeCmake
     workingDir "${buildDir}/cmake"
     // Our cmake doesn't properly react java source changes, but it will rebuild them if the jars are missing
@@ -552,11 +579,9 @@ task coverage_cmake(type: Exec) {
     if (isExperimentalFips) {
         args '-DEXPERIMENTAL_FIPS=ON'
     }
-
     if (System.properties['JAVA_HOME'] != null) {
         args '-DJAVA_HOME=' + System.properties['JAVA_HOME']
     }
-
     if (System.properties['SINGLE_TEST'] != null) {
         args '-DSINGLE_TEST=' + System.properties['SINGLE_TEST']
 

build.gradle

@@ -117,6 +117,11 @@ class OPENSSL_buffer_auto {
     {
     }
 
+    explicit OPENSSL_buffer_auto(size_t buf_size)
+        : buf((unsigned char*)OPENSSL_malloc(buf_size))
+    {
+    }
+
     virtual ~OPENSSL_buffer_auto() { OPENSSL_free(buf); }
 
     operator unsigned char*() { return buf; }

csrc/auto_free.h

@@ -7,12 +7,12 @@
 
 using namespace AmazonCorrettoCryptoProvider;
 
-void generateEdKey(EVP_PKEY_auto& key)
+static void generateEdKey(EVP_PKEY_auto& key)
 {
     EVP_PKEY_CTX_auto ctx = EVP_PKEY_CTX_auto::from(EVP_PKEY_CTX_new_id(EVP_PKEY_ED25519, nullptr));
     CHECK_OPENSSL(ctx.isInitialized());
     CHECK_OPENSSL(EVP_PKEY_keygen_init(ctx) == 1);
-    CHECK_OPENSSL(EVP_PKEY_keygen(ctx, key.getAddressOfPtr()));
+    CHECK_OPENSSL(EVP_PKEY_keygen(ctx, key.getAddressOfPtr()) == 1);
 }
 
 JNIEXPORT jlong JNICALL Java_com_amazon_corretto_crypto_provider_EdGen_generateEvpEdKey(JNIEnv* pEnv, jclass)