PR 433 follow ups (#441)

Author: WillChilds-Klein

README.md

@@ -134,6 +134,7 @@ ACCP did not track a FIPS branch/release version of AWS-LC until ACCP v2.3.0. Be
 | 2.4.0               | 1.30.1         | 2.0.13              |
 | 2.4.1               | 1.30.1         | 2.0.13              |
 | 2.5.0               | 1.47.0         | 3.0.0               |
+| 2.6.0               | 1.48.2         | 3.0.0               |
 
 Notable differences between ACCP and ACCP-FIPS:
 * ACCP uses [the latest release of AWS-LC](https://github.com/aws/aws-lc/releases), whereas, ACCP-FIPS uses [the fips-2022-11-02 branch of AWS-LC](https://github.com/aws/aws-lc/tree/fips-2022-11-02).

aws-lc

@@ -14,7 +14,7 @@ plugins {
 
 group = 'software.amazon.cryptools'
 version = '2.5.0'
-ext.awsLcMainTag = 'v1.47.0'
+ext.awsLcMainTag = 'v1.48.2'
 ext.awsLcFipsTag = 'AWS-LC-FIPS-3.0.0'
 ext.isExperimentalFips = Boolean.getBoolean('EXPERIMENTAL_FIPS')
 ext.isFips = ext.isExperimentalFips || Boolean.getBoolean('FIPS')
@@ -260,7 +260,7 @@ task buildAwsLc {
                 args '-DCMAKE_BUILD_TYPE=RelWithDebInfo'
                 args "-DCMAKE_INSTALL_PREFIX=${sharedObjectOutDir}"
                 args "-DCMAKE_VERBOSE_MAKEFILE:BOOL=ON"
-
+                def cmakeCFlags = ""
 
                 if (isFips) {
                     println "Building AWS-LC in FIPS mode"
@@ -269,14 +269,18 @@ task buildAwsLc {
 
                 if (allowFipsTestBreak) {
                     println "Building AWS-LC with hooks to break FIPS tests"
-                    args '-DFIPS_BREAK_TEST=TESTS'
+                    cmakeCFlags += '-DBORINGSSL_FIPS_BREAK_TESTS '
                 }
 
                 if (isFipsSelfTestFailureSkipAbort) {
+                    println "Building AWS-LC to enable CPU jitter sampling when seeding its DRBG"
+                    args '-DENABLE_FIPS_ENTROPY_CPU_JITTER=ON'
                     println "Building AWS-LC to call callback instead of aborting on self-test failure"
-                    args '-DCMAKE_C_FLAGS="-DAWSLC_FIPS_FAILURE_CALLBACK"'
+                    cmakeCFlags += '-DAWSLC_FIPS_FAILURE_CALLBACK '
                 }
 
+                args "-DCMAKE_C_FLAGS='${cmakeCFlags}'"
+
                 args '.'
             }
         }

build.gradle

@@ -1,5 +1,6 @@
 // Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
+#include <openssl/crypto.h>
 #include <cstdio>
 #include <functional>
 #include <jni.h>
@@ -66,10 +67,22 @@ Java_com_amazon_corretto_crypto_provider_AmazonCorrettoCryptoProvider_getFipsSel
     return arrayList;
 }
 
-extern "C" JNIEXPORT int JNICALL
-Java_com_amazon_corretto_crypto_provider_AmazonCorrettoCryptoProvider_fipsStatusErrorCount(JNIEnv* env, jobject thisObj)
+extern "C" JNIEXPORT bool JNICALL
+Java_com_amazon_corretto_crypto_provider_AmazonCorrettoCryptoProvider_isFipsStatusOkInternal(
+    JNIEnv* env, jobject thisObj)
 {
-    return fipsStatusErrors.size();
+#if defined(EXPERIMENTAL_FIPS_BUILD)
+    if (!FIPS_is_entropy_cpu_jitter()) {
+        AWS_LC_fips_failure_callback("CPU Jitter is not enabled");
+        return false;
+    }
+#else
+    // Below macro check can be removed once we consume an AWS-LC-FIPS verison with |FIPS_is_entropy_cpu_jitter|.
+    // Until then, this function should never be called unless we're in EXPERIMENTAL_FIPS_BUILD, so abort below
+    // to alert us when EXPERIMENTAL_FIPS_BUILD is dropped from FIPS_SELF_TEST_SKIP_ABORT in testing.
+    abort();
+#endif
+    return fipsStatusErrors.size() == 0;
 }
 
 // TEST methods below

csrc/fips_status.cpp

@@ -652,7 +652,7 @@ public boolean isFips() {
     return Loader.FIPS_BUILD;
   }
 
-  private native int fipsStatusErrorCount();
+  private native boolean isFipsStatusOkInternal();
 
   /**
    * @return true if and only if the underlying libcrypto library's FIPS related checks pass
@@ -676,7 +676,7 @@ public boolean isFipsStatusOk() {
         }
       }
     }
-    return fipsStatusErrorCount() == 0;
+    return isFipsStatusOkInternal();
   }
 
   private native List<String> getFipsSelfTestFailuresInternal();

src/com/amazon/corretto/crypto/provider/AmazonCorrettoCryptoProvider.java

@@ -28,7 +28,8 @@
 @ResourceLock(value = TestUtil.RESOURCE_GLOBAL, mode = ResourceAccessMode.READ_WRITE)
 public class FipsStatusTest {
 
-  private final AmazonCorrettoCryptoProvider provider = AmazonCorrettoCryptoProvider.INSTANCE;
+  private static final AmazonCorrettoCryptoProvider provider =
+      AmazonCorrettoCryptoProvider.INSTANCE;
   private static final String PWCT_BREAKAGE_ENV_VAR = "BORINGSSL_FIPS_BREAK_TEST";
 
   @Test
@@ -55,18 +56,30 @@ public void givenAccpBuiltWithFips_whenAWS_LC_fips_failure_callback_expectExcept
     }
   }
 
-  private void testPwctBreakage(final String algo, String envVarValue) throws Exception {
+  // Key generation should ~never fail under normal conditions, so consider a breakage to
+  // indicate that AWS-LC was built with the FIPS_BREAK_TEST build flag set.
+  private static boolean awsLcIsBuiltWitFipshBreakTest() throws Exception {
+    final String algorithm = "RSA";
+    KeyPairGenerator kpg = KeyPairGenerator.getInstance(algorithm, provider);
+    TestUtil.setEnv(PWCT_BREAKAGE_ENV_VAR, String.format("%s_PWCT", algorithm));
+    try {
+      kpg.generateKeyPair();
+    } catch (RuntimeCryptoException e) {
+      return true;
+    } finally {
+      TestUtil.setEnv(PWCT_BREAKAGE_ENV_VAR, null);
+    }
+    return false;
+  }
+
+  private static void testPwctBreakage(final String algo, String envVarValue) throws Exception {
     NativeTestHooks.resetFipsStatus();
     final KeyPairGenerator kpg = KeyPairGenerator.getInstance(algo, provider);
     assertTrue(provider.isFipsStatusOk());
     // Set PWCT_BREAKAGE_ENV_VAR for desired keygen test to break it
     TestUtil.setEnv(PWCT_BREAKAGE_ENV_VAR, envVarValue);
     // Key generation should now fail
-    if ("Ed25519".equals(algo)) { // TODO: Remove after https://github.com/aws/aws-lc/pull/2256
-      assertNotNull(kpg.generateKeyPair());
-    } else {
-      assertThrows(RuntimeCryptoException.class, () -> kpg.generateKeyPair());
-    }
+    assertThrows(RuntimeCryptoException.class, () -> kpg.generateKeyPair());
     // Global FIPS status should not be OK, and we shouldn't be able to get more KPG instances
     assertTrue(provider.getFipsSelfTestFailures().size() > 0);
     assertFalse(provider.isFipsStatusOk());
@@ -86,12 +99,10 @@ private void testPwctBreakage(final String algo, String envVarValue) throws Exce
   public void testPwctBreakageSkipAbort() throws Exception {
     assumeTrue(provider.isFips());
     assumeTrue(provider.isFipsSelfTestFailureSkipAbort());
+    assumeTrue(awsLcIsBuiltWitFipshBreakTest());
     testPwctBreakage("RSA", "RSA_PWCT");
     testPwctBreakage("EC", "ECDSA_PWCT");
-    // TODO: remove check after https://github.com/corretto/amazon-corretto-crypto-provider/pull/438
-    if (TestUtil.getJavaVersion() >= 15) {
-      testPwctBreakage("Ed25519", "EDDSA_PWCT");
-    }
+    testPwctBreakage("Ed25519", "EDDSA_PWCT");
     if (provider.isExperimentalFips()) { // can be removed when AWS-LC-FIPS supports ML-DSA
       testPwctBreakage("ML-DSA", "MLDSA_PWCT");
     }