Merge pull request #1439 from justsmth/upstream-merge-2024-02-09

Upstream merge 2024 02 09

crypto/cipher_extra/cipher_test.cc

@@ -218,6 +218,7 @@ static void TestCipherAPI(const EVP_CIPHER *cipher, Operation op, bool padding,
     ASSERT_LE(iv.size(), size_t{INT_MAX});
     ASSERT_TRUE(EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_AEAD_SET_IVLEN,
                                     static_cast<int>(iv.size()), 0));
+    ASSERT_EQ(EVP_CIPHER_CTX_iv_length(ctx.get()), iv.size());
   } else {
     ASSERT_EQ(iv.size(), EVP_CIPHER_CTX_iv_length(ctx.get()));
   }

crypto/fipsmodule/cipher/cipher.c

@@ -590,6 +590,17 @@ unsigned EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx) {
 }
 
 unsigned EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx) {
+  if (EVP_CIPHER_mode(ctx->cipher) == EVP_CIPH_GCM_MODE ||
+      EVP_CIPHER_mode(ctx->cipher) == EVP_CIPH_CCM_MODE) {
+    int length;
+    int res = EVP_CIPHER_CTX_ctrl((EVP_CIPHER_CTX *)ctx, EVP_CTRL_GET_IVLEN, 0,
+                                  &length);
+    // EVP_CIPHER_CTX_ctrl returning an error should be impossible under this
+    // circumstance. If it somehow did, fallback to the static cipher iv_len.
+    if (res == 1) {
+      return length;
+    }
+  }
   return ctx->cipher->iv_len;
 }
 

crypto/fipsmodule/cipher/e_aes.c

@@ -463,6 +463,10 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) {
       gctx->ivlen = arg;
       return 1;
 
+    case EVP_CTRL_GET_IVLEN:
+      *(int *)ptr = gctx->ivlen;
+      return 1;
+
     case EVP_CTRL_AEAD_SET_TAG:
       if (arg <= 0 || arg > 16 || c->encrypt) {
         return 0;

crypto/internal.h

@@ -204,6 +204,12 @@ typedef __uint128_t uint128_t;
 #define OPENSSL_SSE2
 #endif
 
+#if defined(__GNUC__) || defined(__clang__)
+#define OPENSSL_ATTR_PURE __attribute__((pure))
+#else
+#define OPENSSL_ATTR_PURE
+#endif
+
 
 // Pointer utility functions.
 

include/openssl/cipher.h

@@ -590,7 +590,7 @@ OPENSSL_EXPORT void EVP_CIPHER_CTX_set_flags(const EVP_CIPHER_CTX *ctx,
 #define EVP_CTRL_AEAD_SET_MAC_KEY 0x17
 // EVP_CTRL_GCM_SET_IV_INV sets the GCM invocation field, decrypt only
 #define EVP_CTRL_GCM_SET_IV_INV 0x18
-#define EVP_CTRL_GET_IVLEN 0x25
+#define EVP_CTRL_GET_IVLEN 0x19
 
 // The following constants are unused.
 #define EVP_GCM_TLS_FIXED_IV_LEN 4

include/openssl/ssl.h

@@ -4356,12 +4356,15 @@ OPENSSL_EXPORT int SSL_CTX_set_record_protocol_version(SSL_CTX *ctx,
 
 // Handshake hints.
 //
-// *** EXPERIMENTAL — DO NOT USE WITHOUT CHECKING ***
+// WARNING: Contact the BoringSSL team before using this API. While this
+// mechanism was designed to gracefully recover from version skew and
+// configuration mismatch, splitting a single TLS server into multiple services
+// is complex.
 //
 // Some server deployments make asynchronous RPC calls in both ClientHello
 // dispatch and private key operations. In TLS handshakes where the private key
 // operation occurs in the first round-trip, this results in two consecutive RPC
-// round-trips. Handshake hints allow the RPC service to predicte a signature.
+// round-trips. Handshake hints allow the RPC service to predict a signature.
 // If correctly predicted, this can skip the second RPC call.
 //
 // First, the server installs a certificate selection callback (see
@@ -4387,10 +4390,6 @@ OPENSSL_EXPORT int SSL_CTX_set_record_protocol_version(SSL_CTX *ctx,
 // the private key in later round-trips, such as TLS 1.3 HelloRetryRequest. In
 // those cases, BoringSSL will not predict a signature as there is no benefit.
 // Callers must allow for handshakes to complete without a predicted signature.
-//
-// Handshake hints are supported for TLS 1.3 and partially supported for
-// TLS 1.2. TLS 1.2 resumption handshakes are not yet fully hinted. They will
-// still work, but may not be as efficient.
 
 // SSL_serialize_capabilities writes an opaque byte string to |out| describing
 // some of |ssl|'s capabilities. It returns one on success and zero on error.
@@ -5824,10 +5823,18 @@ BORINGSSL_MAKE_DELETER(SSL_SESSION, SSL_SESSION_free)
 BORINGSSL_MAKE_UP_REF(SSL_SESSION, SSL_SESSION_up_ref)
 
 
-// *** EXPERIMENTAL — DO NOT USE WITHOUT CHECKING ***
+// *** DEPRECATED EXPERIMENT — DO NOT USE ***
 //
 // Split handshakes.
 //
+// WARNING: This mechanism is deprecated and should not be used. It is very
+// fragile and difficult to use correctly. The relationship between
+// configuration options across the two halves is ill-defined and not
+// self-consistent. Additionally, version skew across the two halves risks
+// unusual behavior and connection failure. New development should use the
+// handshake hints API. Existing deployments should migrate to handshake hints
+// to reduce the risk of service outages.
+//
 // Split handshakes allows the handshake part of a TLS connection to be
 // performed in a different process (or on a different machine) than the data
 // exchange. This only applies to servers.

ssl/test/runner/handshake_client.go

@@ -997,6 +997,10 @@ func (hs *clientHandshakeState) doTLS13Handshake(msg any) error {
 	if haveHelloRetryRequest {
 		hs.writeServerHash(helloRetryRequest.marshal())
 
+		if !bytes.Equal(hs.hello.sessionID, helloRetryRequest.sessionID) {
+			return errors.New("tls: ClientHello and HelloRetryRequest session IDs did not match.")
+		}
+
 		if c.config.Bugs.FailIfHelloRetryRequested {
 			return errors.New("tls: unexpected HelloRetryRequest")
 		}
@@ -1097,7 +1101,7 @@ func (hs *clientHandshakeState) doTLS13Handshake(msg any) error {
 	}
 
 	if !bytes.Equal(hs.hello.sessionID, hs.serverHello.sessionID) {
-		return errors.New("tls: session IDs did not match.")
+		return errors.New("tls: ClientHello and ServerHello session IDs did not match.")
 	}
 
 	// Resolve PSK and compute the early secret.

util/fipstools/acvp/acvptool/subprocess/aead.go

@@ -74,6 +74,7 @@ func (a *aead) Process(vectorSet []byte, m Transactable) (any, error) {
 	// versions of the ACVP documents. You can find fragments in
 	// https://github.com/usnistgov/ACVP.)
 	for _, group := range parsed.Groups {
+		group := group
 		response := aeadTestGroupResponse{
 			ID: group.ID,
 		}
@@ -117,6 +118,8 @@ func (a *aead) Process(vectorSet []byte, m Transactable) (any, error) {
 		tagBytes := group.TagBits / 8
 
 		for _, test := range group.Tests {
+			test := test
+
 			if len(test.KeyHex) != keyBytes*2 {
 				return nil, fmt.Errorf("test case %d/%d contains key %q of length %d, but expected %d-bit key", group.ID, test.ID, test.KeyHex, len(test.KeyHex), group.KeyBits)
 			}

util/fipstools/acvp/acvptool/subprocess/block.go

@@ -299,6 +299,7 @@ func (b *blockCipher) Process(vectorSet []byte, m Transactable) (any, error) {
 	// http://usnistgov.github.io/ACVP/artifacts/draft-celi-acvp-block-ciph-00.html#rfc.section.5.2
 	// for details about the tests.
 	for _, group := range parsed.Groups {
+		group := group
 		response := blockCipherTestGroupResponse{
 			ID: group.ID,
 		}
@@ -346,6 +347,8 @@ func (b *blockCipher) Process(vectorSet []byte, m Transactable) (any, error) {
 		}
 
 		for _, test := range group.Tests {
+			test := test
+
 			if len(test.KeyHex) == 0 && len(test.Key1Hex) > 0 {
 				// 3DES encodes the key differently.
 				test.KeyHex = test.Key1Hex + test.Key2Hex + test.Key3Hex

util/fipstools/acvp/acvptool/subprocess/drbg.go

@@ -84,6 +84,7 @@ func (d *drbg) Process(vectorSet []byte, m Transactable) (any, error) {
 	// https://pages.nist.gov/ACVP/draft-vassilev-acvp-drbg.html#name-test-vectors
 	// for details about the tests.
 	for _, group := range parsed.Groups {
+		group := group
 		response := drbgTestGroupResponse{
 			ID: group.ID,
 		}
@@ -97,6 +98,8 @@ func (d *drbg) Process(vectorSet []byte, m Transactable) (any, error) {
 		}
 
 		for _, test := range group.Tests {
+			test := test
+
 			ent, err := extractField(test.EntropyHex, group.EntropyBits)
 			if err != nil {
 				return nil, fmt.Errorf("failed to extract entropy hex from test case %d/%d: %s", group.ID, test.ID, err)

util/fipstools/acvp/acvptool/subprocess/ecdsa.go

@@ -83,6 +83,8 @@ func (e *ecdsa) Process(vectorSet []byte, m Transactable) (any, error) {
 	// https://pages.nist.gov/ACVP/draft-fussell-acvp-ecdsa.html#name-test-vectors
 	// for details about the tests.
 	for _, group := range parsed.Groups {
+		group := group
+
 		if _, ok := e.curves[group.Curve]; !ok {
 			return nil, fmt.Errorf("curve %q in test group %d not supported", group.Curve, group.ID)
 		}
@@ -95,6 +97,8 @@ func (e *ecdsa) Process(vectorSet []byte, m Transactable) (any, error) {
 		var qyHex []byte
 
 		for _, test := range group.Tests {
+			test := test
+
 			var testResp ecdsaTestResponse
 
 			switch parsed.Mode {

util/fipstools/acvp/acvptool/subprocess/hash.go

@@ -86,11 +86,14 @@ func (h *hashPrimitive) Process(vectorSet []byte, m Transactable) (any, error) {
 	// https://pages.nist.gov/ACVP/draft-celi-acvp-sha.html#name-test-vectors
 	// for details about the tests.
 	for _, group := range parsed.Groups {
+		group := group
 		response := hashTestGroupResponse{
 			ID: group.ID,
 		}
 
 		for _, test := range group.Tests {
+			test := test
+
 			if uint64(len(test.MsgHex))*4 != test.BitLength {
 				return nil, fmt.Errorf("test case %d/%d contains hex message of length %d but specifies a bit length of %d", group.ID, test.ID, len(test.MsgHex), test.BitLength)
 			}

util/fipstools/acvp/acvptool/subprocess/hkdf.go

@@ -132,6 +132,7 @@ func (k *hkdf) Process(vectorSet []byte, m Transactable) (any, error) {
 
 	var respGroups []hkdfTestGroupResponse
 	for _, group := range parsed.Groups {
+		group := group
 		groupResp := hkdfTestGroupResponse{ID: group.ID}
 
 		// determine the test type
@@ -152,6 +153,7 @@ func (k *hkdf) Process(vectorSet []byte, m Transactable) (any, error) {
 		}
 
 		for _, test := range group.Tests {
+			test := test
 			testResp := hkdfTestResponse{ID: test.ID}
 
 			key, salt, err := test.Params.extract()

util/fipstools/acvp/acvptool/subprocess/hmac.go

@@ -87,6 +87,7 @@ func (h *hmacPrimitive) Process(vectorSet []byte, m Transactable) (any, error) {
 	// https://pages.nist.gov/ACVP/draft-fussell-acvp-mac.html#name-test-vectors
 	// for details about the tests.
 	for _, group := range parsed.Groups {
+		group := group
 		response := hmacTestGroupResponse{
 			ID: group.ID,
 		}
@@ -95,6 +96,8 @@ func (h *hmacPrimitive) Process(vectorSet []byte, m Transactable) (any, error) {
 		}
 
 		for _, test := range group.Tests {
+			test := test
+
 			if len(test.MsgHex)*4 != group.MsgBits {
 				return nil, fmt.Errorf("test case %d/%d contains hex message of length %d but specifies a bit length of %d", group.ID, test.ID, len(test.MsgHex), group.MsgBits)
 			}

util/fipstools/acvp/acvptool/subprocess/kas.go

@@ -77,6 +77,7 @@ func (k *kas) Process(vectorSet []byte, m Transactable) (any, error) {
 	// See https://pages.nist.gov/ACVP/draft-fussell-acvp-kas-ecc.html#name-test-vectors
 	var ret []kasTestGroupResponse
 	for _, group := range parsed.Groups {
+		group := group
 		response := kasTestGroupResponse{
 			ID: group.ID,
 		}
@@ -119,6 +120,8 @@ func (k *kas) Process(vectorSet []byte, m Transactable) (any, error) {
 		method := "ECDH/" + group.Curve
 
 		for _, test := range group.Tests {
+			test := test
+
 			var xHex, yHex, privateKeyHex string
 			if useStaticNamedFields {
 				xHex, yHex, privateKeyHex = test.StaticXHex, test.StaticYHex, test.StaticPrivateKeyHex

util/fipstools/acvp/acvptool/subprocess/kasdh.go

@@ -68,6 +68,7 @@ func (k *kasDH) Process(vectorSet []byte, m Transactable) (any, error) {
 	// See https://pages.nist.gov/ACVP/draft-hammett-acvp-kas-ffc-sp800-56ar3.html
 	var ret []kasDHTestGroupResponse
 	for _, group := range parsed.Groups {
+		group := group
 		response := kasDHTestGroupResponse{
 			ID: group.ID,
 		}
@@ -110,6 +111,8 @@ func (k *kasDH) Process(vectorSet []byte, m Transactable) (any, error) {
 
 		const method = "FFDH"
 		for _, test := range group.Tests {
+			test := test
+
 			if len(test.PeerPublicHex) == 0 {
 				return nil, fmt.Errorf("%d/%d is missing peer's key", group.ID, test.ID)
 			}

util/fipstools/acvp/acvptool/subprocess/kdf.go

@@ -67,6 +67,7 @@ func (k *kdfPrimitive) Process(vectorSet []byte, m Transactable) (any, error) {
 
 	var respGroups []kdfTestGroupResponse
 	for _, group := range parsed.Groups {
+		group := group
 		groupResp := kdfTestGroupResponse{ID: group.ID}
 
 		if group.OutputBits%8 != 0 {
@@ -96,6 +97,7 @@ func (k *kdfPrimitive) Process(vectorSet []byte, m Transactable) (any, error) {
 		rand.Read(fixedData)
 
 		for _, test := range group.Tests {
+			test := test
 			testResp := kdfTestResponse{ID: test.ID}
 
 			key, err := hex.DecodeString(test.KeyHex)

util/fipstools/acvp/acvptool/subprocess/keyedMac.go

@@ -65,6 +65,7 @@ func (k *keyedMACPrimitive) Process(vectorSet []byte, m Transactable) (any, erro
 
 	var respGroups []keyedMACTestGroupResponse
 	for _, group := range vs.Groups {
+		group := group
 		respGroup := keyedMACTestGroupResponse{ID: group.ID}
 
 		if group.KeyBits%8 != 0 {
@@ -90,6 +91,7 @@ func (k *keyedMACPrimitive) Process(vectorSet []byte, m Transactable) (any, erro
 		outputBytes := uint32le(group.MACBits / 8)
 
 		for _, test := range group.Tests {
+			test := test
 			respTest := keyedMACTestResponse{ID: test.ID}
 
 			// Validate input.

util/fipstools/acvp/acvptool/subprocess/rsa.go

@@ -126,6 +126,7 @@ func processKeyGen(vectorSet []byte, m Transactable) (any, error) {
 	var ret []rsaKeyGenTestGroupResponse
 
 	for _, group := range parsed.Groups {
+	    group := group
 		// We support both GDT and AFT tests, which are formatted the same and expect the same output.
 		if !(group.Type == "GDT" || group.Type == "AFT") {
 			return nil, fmt.Errorf("RSA KeyGen test group has type %q, but only GDT and AFT tests are supported", group.Type)
@@ -136,6 +137,7 @@ func processKeyGen(vectorSet []byte, m Transactable) (any, error) {
 		}
 
 		for _, test := range group.Tests {
+		    test := test
 			results, err := m.Transact("RSA/keyGen", 5, uint32le(group.ModulusBits))
 			if err != nil {
 				return nil, err
@@ -166,6 +168,8 @@ func processSigGen(vectorSet []byte, m Transactable) (any, error) {
 	var ret []rsaSigGenTestGroupResponse
 
 	for _, group := range parsed.Groups {
+		group := group
+
 		// GDT means "Generated data test", i.e. "please generate an RSA signature".
 		const expectedType = "GDT"
 		if group.Type != expectedType {
@@ -180,6 +184,8 @@ func processSigGen(vectorSet []byte, m Transactable) (any, error) {
 		ver_operation := "RSA/sigVer/" + group.Hash + "/" + group.SigType
 
 		for _, test := range group.Tests {
+			test := test
+
 			msg, err := hex.DecodeString(test.MessageHex)
 			if err != nil {
 				return nil, fmt.Errorf("test case %d/%d contains invalid hex: %s", group.ID, test.ID, err)
@@ -230,6 +236,8 @@ func processSigVer(vectorSet []byte, m Transactable) (any, error) {
 	var ret []rsaSigVerTestGroupResponse
 
 	for _, group := range parsed.Groups {
+		group := group
+
 		// GDT means "Generated data test", which makes no sense in this context.
 		const expectedType = "GDT"
 		if group.Type != expectedType {
@@ -252,6 +260,7 @@ func processSigVer(vectorSet []byte, m Transactable) (any, error) {
 		operation := "RSA/sigVer/" + group.Hash + "/" + group.SigType
 
 		for _, test := range group.Tests {
+			test := test
 			msg, err := hex.DecodeString(test.MessageHex)
 			if err != nil {
 				return nil, fmt.Errorf("test case %d/%d contains invalid hex: %s", group.ID, test.ID, err)

util/fipstools/acvp/acvptool/subprocess/tls13.go

@@ -77,9 +77,11 @@ func (k *tls13) Process(vectorSet []byte, m Transactable) (any, error) {
 
 	var respGroups []tls13TestGroupResponse
 	for _, group := range parsed.Groups {
+		group := group
 		groupResp := tls13TestGroupResponse{ID: group.ID}
 
 		for _, test := range group.Tests {
+			test := test
 			testResp := tls13TestResponse{ID: test.ID}
 
 			clientHello, err := hex.DecodeString(test.ClientHelloHex)

util/fipstools/acvp/acvptool/subprocess/xts.go

@@ -67,6 +67,7 @@ func (h *xts) Process(vectorSet []byte, m Transactable) (any, error) {
 
 	var ret []xtsTestGroupResponse
 	for _, group := range parsed.Groups {
+		group := group
 		response := xtsTestGroupResponse{
 			ID: group.ID,
 		}
@@ -88,6 +89,7 @@ func (h *xts) Process(vectorSet []byte, m Transactable) (any, error) {
 		funcName := "AES-XTS/" + group.Direction
 
 		for _, test := range group.Tests {
+			test := test
 			if group.KeyLen != len(test.KeyHex)*4/2 {
 				return nil, fmt.Errorf("test case %d/%d contains hex message of length %d but specifies a key length of %d (remember that XTS keys are twice the length of the underlying key size)", group.ID, test.ID, len(test.KeyHex), group.KeyLen)
 			}

util/fipstools/delocate/delocate.peg

@@ -45,7 +45,7 @@ Arg <- QuotedArg / [[0-9a-z%+\-*_@.]]*
 QuotedArg <- '"' QuotedText '"'
 QuotedText <- (EscapedChar / [^"])*
 LabelContainingDirective <- LabelContainingDirectiveName WS SymbolArgs
-LabelContainingDirectiveName <- ".xword" / ".word" / ".long" / ".set" / ".byte" / ".8byte" / ".4byte" / ".quad" / ".tc" / ".localentry" / ".size" / ".type" / ".uleb128" / ".sleb128"
+LabelContainingDirectiveName <- ".xword" / ".word" / ".hword" / ".long" / ".set" / ".byte" / ".8byte" / ".4byte" / ".quad" / ".tc" / ".localentry" / ".size" / ".type" / ".uleb128" / ".sleb128"
 SymbolArgs <- SymbolArg ((WS? ',' WS?) SymbolArg)*
 SymbolArg <- SymbolExpr
 SymbolExpr <- SymbolAtom (WS? SymbolOperator WS? SymbolExpr)?