diff --git a/CMakeLists.txt b/CMakeLists.txt
index b4e27619bf..61b026ead0 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -118,7 +118,7 @@ elseif(CMAKE_C_COMPILER_ID MATCHES "GNU")
 set(GCC 1)
 endif()
-if (UNIX AND NOT APPLE)
+if (NOT WIN32 AND NOT APPLE)
 include(GNUInstallDirs)
 elseif(NOT DEFINED CMAKE_INSTALL_LIBDIR)
 set(CMAKE_INSTALL_LIBDIR "lib")
@@ -145,7 +145,7 @@ if(NOT DISABLE_PERL)
 find_package(Perl REQUIRED)
 endif()
-if("${CMAKE_SYSTEM_NAME}" STREQUAL "Linux" AND NOT CMAKE_CROSSCOMPILING)
+if("${CMAKE_SYSTEM_NAME}" STREQUAL "Linux" AND BUILD_TESTING AND NOT CMAKE_CROSSCOMPILING)
 find_package(PkgConfig QUIET)
 if (PkgConfig_FOUND)
 pkg_check_modules(LIBUNWIND libunwind-generic)
@@ -737,7 +737,7 @@ if(FIPS)
 message(FATAL_ERROR "Building AWS-LC for FIPS requires Go and Perl")
 endif()
- if(NOT BUILD_SHARED_LIBS AND NOT (UNIX AND NOT APPLE))
+ if(NOT BUILD_SHARED_LIBS AND NOT (NOT WIN32 AND NOT APPLE))
 message(FATAL_ERROR "Static FIPS build of AWS-LC is suported only on Linux")
 endif()
diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt
index a503186815..adf7c805c5 100644
--- a/crypto/CMakeLists.txt
+++ b/crypto/CMakeLists.txt
@@ -44,7 +44,7 @@ function(msbuild_aarch64_asm)
 endfunction()
 if(NOT OPENSSL_NO_ASM)
- if(UNIX)
+ if(NOT WIN32)
 if(ARCH STREQUAL "aarch64")
 # The "armx" Perl scripts look for "64" in the style argument
 # in order to decide whether to generate 32- or 64-bit asm.
@@ -186,7 +186,7 @@ else()
 set(ASSEMBLY_SOURCE ${GENERATE_CODE_ROOT}/ios-arm/crypto/)
 elseif(APPLE)
 set(ASSEMBLY_SOURCE ${GENERATE_CODE_ROOT}/mac-${ARCH}/crypto/)
- elseif(UNIX)
+ elseif(NOT WIN32)
 if(${ARCH} STREQUAL "generic")
 message(STATUS "Detected generic linux platform. No assembly files will be included.")
 else()
diff --git a/crypto/crypto_test.cc b/crypto/crypto_test.cc
index 0f38923402..db3a79a2f7 100644
--- a/crypto/crypto_test.cc
+++ b/crypto/crypto_test.cc
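Review bot: The static-FIPS guard `if(NOT BUILD_SHARED_LIBS AND NOT (NOT WIN32 AND NOT APPLE))` in the third CMakeLists.txt hunk now lets every target that is neither Windows nor Apple through, while the error text still says the static build is supported only on Linux. If the static FIPS build depends on platform-specific tooling for the module integrity check (not visible in this hunk), an explicit allow-list such as `"${CMAKE_SYSTEM_NAME}" STREQUAL "Linux"` plus the platform this change is meant to admit would keep unsupported targets failing at configure time. The double negation also reads more plainly as `if(NOT BUILD_SHARED_LIBS AND (WIN32 OR APPLE))`. The enclosing `if(FIPS)` block starts and ends outside the hunk.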
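Review bot: In crypto/CMakeLists.txt both `if(NOT WIN32)` and `elseif(NOT WIN32)` are negative matches, so any platform CMake does not classify as Windows now takes the branch whose status message reads "Detected generic linux platform". A short comment above each condition naming the platform it is meant to admit would tell a later reader why `UNIX` was not enough, e.g. `# NOT WIN32 rather than UNIX: <platform> does not set UNIX`. The assembly directory chosen in the rest of the `elseif` branch is outside the hunk, so whether it suits such a target cannot be checked from here.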
@@ -73,6 +73,14 @@ TEST(CryptoTest, Strndup) {
 EXPECT_STREQ("", str.get());
 }
+TEST(CryptoTest, aws_lc_assert_entropy_cpu_jitter) {
+#if defined(FIPS_ENTROPY_SOURCE_JITTER_CPU)
+ ASSERT_EQ(1, FIPS_is_entropy_cpu_jitter());
+#else
+ ASSERT_EQ(0, FIPS_is_entropy_cpu_jitter());
+#endif
+}
+
 TEST(CryptoTest, OPENSSL_hexstr2buf) {
 const char *test_cases[][2] = {{"a2", "\xa2"},
 {"a213", "\xa2\x13"},
diff --git a/crypto/fipsmodule/ml_kem/README.md b/crypto/fipsmodule/ml_kem/README.md
index 69dc369d80..5ad7b64b5d 100644
--- a/crypto/fipsmodule/ml_kem/README.md
+++ b/crypto/fipsmodule/ml_kem/README.md
@@ -12,5 +12,6 @@ that initialize a given structure with values corresponding to a parameter set.
 - `symmetric-shake.c`: unnecessary include of fips202.h is removed.
 - `api.h`: `pqcrystals` prefix substituted with `ml_kem` (to be able to build alongside `crypto/kyber`).
 - `poly.c`: the `poly_frommsg` function was modified to address the constant-time issue described [here](https://github.com/pq-crystals/kyber/commit/9b8d30698a3e7449aeb34e62339d4176f11e3c6c).
+- All internal header files were updated with unique `ML_KEM_*` include guards.
 **Testing.** The KATs were obtained from an independent implementation of ML-KEM written in SPARK Ada subset: https://github.com/awslabs/LibMLKEM.
diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/cbd.h b/crypto/fipsmodule/ml_kem/ml_kem_ref/cbd.h
index 5305193688..0ed2facc27 100644
--- a/crypto/fipsmodule/ml_kem/ml_kem_ref/cbd.h
+++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/cbd.h
@@ -1,5 +1,5 @@
-#ifndef CBD_H
-#define CBD_H
+#ifndef ML_KEM_CBD_H
+#define ML_KEM_CBD_H
 #include
 #include "params.h"
diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/indcpa.h b/crypto/fipsmodule/ml_kem/ml_kem_ref/indcpa.h
index 5687075697..d13fc48faf 100644
--- a/crypto/fipsmodule/ml_kem/ml_kem_ref/indcpa.h
+++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/indcpa.h
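Review bot: The new `aws_lc_assert_entropy_cpu_jitter` test picks its expected value with the same `#if defined(FIPS_ENTROPY_SOURCE_JITTER_CPU)` that `FIPS_is_entropy_cpu_jitter()` uses in fips.c, so it can only fail when the test and the library are compiled with different definitions. It would not notice a build where jitter entropy was requested but the macro never reached the compiler. If the aim is to confirm the configured entropy source, the expectation should come from something independent of that macro, for example a value the build script passes to the test. Otherwise a one-line comment such as `// Checks that the test and libcrypto agree on FIPS_ENTROPY_SOURCE_JITTER_CPU.` would state what is actually covered.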
@@ -1,5 +1,5 @@
-#ifndef INDCPA_H
-#define INDCPA_H
+#ifndef ML_KEM_INDCPA_H
+#define ML_KEM_INDCPA_H
 #include
 #include "params.h"
diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/ntt.h b/crypto/fipsmodule/ml_kem/ml_kem_ref/ntt.h
index 227ea74f08..04636ad0c5 100644
--- a/crypto/fipsmodule/ml_kem/ml_kem_ref/ntt.h
+++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/ntt.h
@@ -1,5 +1,5 @@
-#ifndef NTT_H
-#define NTT_H
+#ifndef ML_KEM_NTT_H
+#define ML_KEM_NTT_H
 #include
 #include "params.h"
diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/params.h b/crypto/fipsmodule/ml_kem/ml_kem_ref/params.h
index 374b9bc2a1..fd796614f4 100644
--- a/crypto/fipsmodule/ml_kem/ml_kem_ref/params.h
+++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/params.h
@@ -1,5 +1,5 @@
-#ifndef PARAMS_H
-#define PARAMS_H
+#ifndef ML_KEM_PARAMS_H
+#define ML_KEM_PARAMS_H
 #include
diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/poly.h b/crypto/fipsmodule/ml_kem/ml_kem_ref/poly.h
index a7f8a3ae4f..df9b1fab14 100644
--- a/crypto/fipsmodule/ml_kem/ml_kem_ref/poly.h
+++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/poly.h
@@ -1,5 +1,5 @@
-#ifndef POLY_H
-#define POLY_H
+#ifndef ML_KEM_POLY_H
+#define ML_KEM_POLY_H
 #include
 #include "params.h"
diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/polyvec.h b/crypto/fipsmodule/ml_kem/ml_kem_ref/polyvec.h
index 04b6081260..a7b57cafc6 100644
--- a/crypto/fipsmodule/ml_kem/ml_kem_ref/polyvec.h
+++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/polyvec.h
@@ -1,5 +1,5 @@
-#ifndef POLYVEC_H
-#define POLYVEC_H
+#ifndef ML_KEM_POLYVEC_H
+#define ML_KEM_POLYVEC_H
 #include
 #include "params.h"
diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/reduce.h b/crypto/fipsmodule/ml_kem/ml_kem_ref/reduce.h
index c1bc1e4c7b..d4b6603ed6 100644
--- a/crypto/fipsmodule/ml_kem/ml_kem_ref/reduce.h
+++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/reduce.h
@@ -1,5 +1,5 @@
-#ifndef REDUCE_H
-#define REDUCE_H
+#ifndef ML_KEM_REDUCE_H
+#define ML_KEM_REDUCE_H
 #include
 #include "params.h"
diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/symmetric.h b/crypto/fipsmodule/ml_kem/ml_kem_ref/symmetric.h
index 0f5678e51a..93d8b63a6f 100644
--- a/crypto/fipsmodule/ml_kem/ml_kem_ref/symmetric.h
+++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/symmetric.h
@@ -1,5 +1,5 @@
-#ifndef SYMMETRIC_H
-#define SYMMETRIC_H
+#ifndef ML_KEM_SYMMETRIC_H
+#define ML_KEM_SYMMETRIC_H
 #include
 #include
diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/verify.h b/crypto/fipsmodule/ml_kem/ml_kem_ref/verify.h
index f95ac1b84e..1ae4196fb4 100644
--- a/crypto/fipsmodule/ml_kem/ml_kem_ref/verify.h
+++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/verify.h
@@ -1,5 +1,5 @@
-#ifndef VERIFY_H
-#define VERIFY_H
+#ifndef ML_KEM_VERIFY_H
+#define ML_KEM_VERIFY_H
 #include
 #include
diff --git a/crypto/fipsmodule/self_check/fips.c b/crypto/fipsmodule/self_check/fips.c
index ab99ea78f6..d70f6bd965 100644
--- a/crypto/fipsmodule/self_check/fips.c
+++ b/crypto/fipsmodule/self_check/fips.c
@@ -28,6 +28,14 @@ int FIPS_mode(void) {
 #endif
 }
+int FIPS_is_entropy_cpu_jitter(void) {
+#if defined(FIPS_ENTROPY_SOURCE_JITTER_CPU)
+ return 1;
+#else
+ return 0;
+#endif
+}
+
 int FIPS_mode_set(int on) { return on == FIPS_mode(); }
 #if defined(BORINGSSL_FIPS_140_3)
diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h
index 9897efa997..0e81efcdf9 100644
--- a/include/openssl/crypto.h
+++ b/include/openssl/crypto.h
@@ -117,6 +117,10 @@ OPENSSL_EXPORT void armv8_enable_dit(void);
 // which case it returns one.
 OPENSSL_EXPORT int FIPS_mode(void);
+// FIPS_is_entropy_cpu_jitter returns 1 if CPU jitter is used as the entropy source
+// for AWS-LC. Otherwise, returns 0;
+OPENSSL_EXPORT int FIPS_is_entropy_cpu_jitter(void);
+
 // fips_counter_t denotes specific APIs/algorithms. A counter is maintained for
 // each in FIPS mode so that tests can be written to assert that the expected,
 // FIPS functions are being called by a certain peice of code.
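Review bot: The comment added above `FIPS_is_entropy_cpu_jitter` in crypto.h says the function reports whether CPU jitter "is used as the entropy source", but the fips.c hunk in this commit returns a constant chosen by `#if defined(FIPS_ENTROPY_SOURCE_JITTER_CPU)`. Callers who treat the result as evidence of the entropy source in use should be told that it is a build-time setting, and whether it means anything when `FIPS_mode()` returns 0. Suggested wording: `// FIPS_is_entropy_cpu_jitter returns one if AWS-LC was built with CPU jitter as` followed by `// its FIPS entropy source and zero otherwise. The value is fixed at compile time.` This also replaces the trailing `;` with a full stop and keeps the lines within the width of the neighbouring comments.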
diff --git a/ssl/test/bssl_shim.cc b/ssl/test/bssl_shim.cc
index 4e9956ad22..28010b8786 100644
--- a/ssl/test/bssl_shim.cc
+++ b/ssl/test/bssl_shim.cc
@@ -31,6 +31,7 @@ OPENSSL_MSVC_PRAGMA(warning(pop))
 #endif
 #include
+#include
 #ifndef __STDC_FORMAT_MACROS
 #define __STDC_FORMAT_MACROS
@@ -986,6 +987,11 @@ static bool DoConnection(bssl::UniquePtr *out_session,
 int ssl_err = SSL_get_error(ssl.get(), -1);
 if (ssl_err != SSL_ERROR_NONE) {
 fprintf(stderr, "SSL error: %s\n", SSL_error_description(ssl_err));
+ if (ssl_err == SSL_ERROR_SYSCALL) {
+ int err = errno;
+ fprintf(stderr, "Error occurred: errno = %d, description = %s\n", err, strerror(err));
+
+ }
 }
 return false;
 }
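Review bot: `errno` is read only after `SSL_get_error`, `SSL_error_description` and the first `fprintf` have run, and any of them may overwrite it, so the value printed for `SSL_ERROR_SYSCALL` is not guaranteed to be the one left by the failed I/O call. Capture it right after the failing call (which is outside this hunk), or at least before the first `fprintf`, e.g. `const int saved_errno = errno;`, and print `saved_errno` in the new branch. If the shim uses Winsock sockets on Windows builds, the failure code there comes from `WSAGetLastError()` rather than `errno`, so the message may mislead on that platform. The empty added line before the closing brace can be dropped, and `strerror` needs `<string.h>` unless it is already included (the include lines in this view have lost their header names). `DoConnection` starts and ends outside the hunk.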