Merge branch 'main' into evppkey

.github/workflows/actions-ci.yml

@@ -168,24 +168,80 @@ jobs:
           echo ${env:SDEROOT}
           .\tests\ci\run_windows_tests.bat "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat" x64 true
 
-  gcc-9-13-sanity:
+  gcc-ubuntu-2004-sanity:
+    if: github.repository_owner == 'aws'
+    needs: [sanity-test-run]
+    strategy:
+      fail-fast: false
+      matrix:
+        gccversion:
+          - "10"
+        fips:
+          - "0"
+          - "1"
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
+        with:
+          go-version: '>=1.18'
+      - name: Setup CMake
+        uses: threeal/[email protected]
+        with:
+          generator: Ninja
+          c-compiler: gcc-${{ matrix.gccversion }}
+          cxx-compiler: g++-${{ matrix.gccversion }}
+          options: FIPS=${{ matrix.fips }} CMAKE_BUILD_TYPE=Release
+      - name: Build Project
+        run: cmake --build ./build --target all
+      - name: Run tests
+        run: cmake --build ./build --target run_tests
+
+  gcc-ubuntu-2204-sanity:
     if: github.repository_owner == 'aws'
     needs: [sanity-test-run]
     strategy:
       fail-fast: false
       matrix:
         gccversion:
-          - "9"
           - "10"
           - "11"
           - "12"
+        fips:
+          - "0"
+          - "1"
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
+        with:
+          go-version: '>=1.18'
+      - name: Setup CMake
+        uses: threeal/[email protected]
+        with:
+          generator: Ninja
+          c-compiler: gcc-${{ matrix.gccversion }}
+          cxx-compiler: g++-${{ matrix.gccversion }}
+          options: FIPS=${{ matrix.fips }} CMAKE_BUILD_TYPE=Release
+      - name: Build Project
+        run: cmake --build ./build --target all
+      - name: Run tests
+        run: cmake --build ./build --target run_tests
+
+  gcc-ubuntu-2404-sanity:
+    if: github.repository_owner == 'aws'
+    needs: [ sanity-test-run ]
+    strategy:
+      fail-fast: false
+      matrix:
+        gccversion:
+          - "12"
           - "13"
-        os:
-          - "ubuntu-latest"
+          - "14"
         fips:
           - "0"
           - "1"
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v4
@@ -203,7 +259,38 @@ jobs:
       - name: Run tests
         run: cmake --build ./build --target run_tests
 
-  clang-13-15-sanity:
+  clang-ubuntu-2004-sanity:
+    if: github.repository_owner == 'aws'
+    needs: [sanity-test-run]
+    strategy:
+      fail-fast: false
+      matrix:
+        gccversion:
+          - "10"
+          - "11"
+          - "12"
+        fips:
+          - "0"
+          - "1"
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
+        with:
+          go-version: '>=1.18'
+      - name: Setup CMake
+        uses: threeal/[email protected]
+        with:
+          generator: Ninja
+          c-compiler: clang-${{ matrix.gccversion }}
+          cxx-compiler: clang++-${{ matrix.gccversion }}
+          options: FIPS=${{ matrix.fips }} CMAKE_BUILD_TYPE=Release
+      - name: Build Project
+        run: cmake --build ./build --target all
+      - name: Run tests
+        run: cmake --build ./build --target run_tests
+
+  clang-ubuntu-2204-sanity:
     if: github.repository_owner == 'aws'
     needs: [sanity-test-run]
     strategy:
@@ -213,12 +300,10 @@ jobs:
           - "13"
           - "14"
           - "15"
-        os:
-          - "ubuntu-latest"
         fips:
           - "0"
           - "1"
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v4
@@ -236,22 +321,20 @@ jobs:
       - name: Run tests
         run: cmake --build ./build --target run_tests
 
-  clang-10-12-sanity:
+  clang-ubuntu-2404-sanity:
     if: github.repository_owner == 'aws'
     needs: [sanity-test-run]
     strategy:
       fail-fast: false
       matrix:
         gccversion:
-          - "10"
-          - "11"
-          - "12"
-        os:
-          - "ubuntu-20.04"
+          - "16"
+          - "17"
+          - "18"
         fips:
           - "0"
           - "1"
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v4

.github/workflows/aws-lc-rs.yml

@@ -10,6 +10,7 @@ concurrency:
 env:
   GOPROXY: https://proxy.golang.org,direct
   AWS_LC_SYS_CMAKE_BUILDER: 1
+  RUST_NIGHTLY_TOOLCHAIN: nightly-2024-05-22
 jobs:
   standard:
     if: github.repository_owner == 'aws'
@@ -20,11 +21,11 @@ jobs:
           repository: awslabs/aws-lc-rs
           path: ./aws-lc-rs
           submodules: false
-      - uses: actions-rs/toolchain@v1
+      - uses: dtolnay/rust-toolchain@master
         with:
           # Our aws-lc-sys generation scripts require nightly.
-          toolchain: nightly
-          override: true
+          toolchain: ${{ env.RUST_NIGHTLY_TOOLCHAIN }}
+      - run: rustup override set $RUST_NIGHTLY_TOOLCHAIN
       - uses: actions-rs/cargo@v1
         with:
           command: install

.github/workflows/cross-test.yml

@@ -10,7 +10,7 @@ concurrency:
 jobs:
   ppc64-build-test:
     if: github.repository_owner == 'aws'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - name: Install qemu
         run: |
@@ -21,7 +21,7 @@ jobs:
         run: tests/ci/run_cross_tests.sh ppc64 powerpc64-unknown-linux-gnu "-DCMAKE_BUILD_TYPE=Release" "-DCMAKE_BUILD_TYPE=Release -DFIPS=1 -DBUILD_SHARED_LIBS=1"
   ppc32-non-fips-build-test:
     if: github.repository_owner == 'aws'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - name: Install qemu
         run: |
@@ -32,7 +32,7 @@ jobs:
         run: tests/ci/run_cross_tests.sh ppc powerpc-unknown-linux-gnu "-DCMAKE_BUILD_TYPE=Release"
   ppc32-fips-build-test:
     if: github.repository_owner == 'aws'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - name: Install qemu
         run: |
@@ -43,7 +43,7 @@ jobs:
         run: tests/ci/run_cross_tests.sh ppc powerpc-unknown-linux-gnu "-DCMAKE_BUILD_TYPE=Release -DFIPS=1 -DBUILD_SHARED_LIBS=1"
   ppc64le-build-test:
     if: github.repository_owner == 'aws'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - name: Install qemu
         run: |
@@ -54,7 +54,7 @@ jobs:
         run: tests/ci/run_cross_tests.sh ppc64le powerpc64le-unknown-linux-gnu "-DCMAKE_BUILD_TYPE=Release" "-DCMAKE_BUILD_TYPE=Release -DFIPS=1 -DBUILD_SHARED_LIBS=1"
   riscv64-non-fips-build-test:
     if: github.repository_owner == 'aws'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - name: Install qemu
         run: |
@@ -72,7 +72,7 @@ jobs:
         run: tests/ci/run_cross_tests.sh riscv riscv64-unknown-linux-gnu "-DCMAKE_BUILD_TYPE=Release"
   armv6-non-fips-build-test:
     if: github.repository_owner == 'aws'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - name: Install qemu
         run: |
@@ -81,22 +81,19 @@ jobs:
       - uses: actions/checkout@v4
       - name: armv6 Build/Test
         run: tests/ci/run_cross_tests.sh armv6 armv6-unknown-linux-gnueabi "-DCMAKE_BUILD_TYPE=Release"
-#  TODO: enable once qemu-user-binfmt in ubuntu-latest supports loongarch64
-#        * QEMU added support for loongarch64 in 7.1: https://www.qemu.org/2022/08/30/qemu-7-1-0/
-#        * The next Ubuntu LTS should have a QEMU 8.x: https://packages.ubuntu.com/noble/qemu-user-binfmt
-#  loongarch64-non-fips-build-test:
-#    runs-on: ubuntu-latest
-#    steps:
-#      - name: Install qemu
-#        run: |
-#          sudo apt-get update
-#          sudo apt-get -y install qemu-user qemu-user-binfmt
-#      - uses: actions/checkout@v4
-#      - name: armv6 Build/Test
-#        run: tests/ci/run_cross_tests.sh loongarch64 loongarch64-unknown-linux-gnu "-DCMAKE_BUILD_TYPE=Release"
+  loongarch64-non-fips-build-test:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Install qemu
+        run: |
+          sudo apt-get update
+          sudo apt-get -y install qemu-user qemu-user-binfmt
+      - uses: actions/checkout@v4
+      - name: loongarch64 Build/Test
+        run: tests/ci/run_cross_tests.sh loongarch64 loongarch64-unknown-linux-gnu "-DCMAKE_BUILD_TYPE=Release"
   s390x-non-fips-build-test:
     if: github.repository_owner == 'aws'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - name: Install qemu
         run: |

.github/workflows/integrations.yml

@@ -148,3 +148,16 @@ jobs:
       - name: Run strongswan build
         run: |
           ./tests/ci/integration/run_strongswan_integration.sh
+  libevent:
+    if: github.repository_owner == 'aws'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install OS Dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get -y --no-install-recommends install \
+          cmake gcc ninja-build golang
+      - uses: actions/checkout@v4
+      - name: Run libevent build
+        run: |
+          ./tests/ci/integration/run_libevent_integration.sh

README.md

@@ -135,12 +135,37 @@ positive and negative unit tests, fuzz tests, Sanitizers
 Portions of AWS-LC have been formally verified in
 [AWS-LC Formal Verification](https://github.com/awslabs/aws-lc-verification),
 the checks are run in AWS-LC’s CI on every change. The algorithms that have been
-verified on certain platforms with caveats include:
-* SHA-2
-* HMAC
-* AES-KWP
-* ECDH & ECDSA with curve P-384
-* HKDF
+verified on certain CPUs with caveats include:
+| Algorithm | Parameters | CPUs |
+| ----------| ------------| -----------
+| SHA-2 | 384, 512 | SandyBridge+ |
+| SHA-2 | 384 | neoverse-n1, neoverse-v1 |
+| HMAC | with <nobr>SHA-384</nobr> | SandyBridge+ |
+| <nobr>AES-KW(P)</nobr> | 256 | SandyBridge+ |
+| Elliptic Curve Keys and Parameters | with <nobr>P-384</nobr> | SandyBridge+ |
+| ECDSA | with <nobr>P-384</nobr>, <nobr>SHA-384</nobr> | SandyBridge+ |
+| ECDH | with <nobr>P-384</nobr> | SandyBridge+ |
+| HKDF | with <nobr>HMAC-SHA384</nobr> | SandyBridge+ |
+
+The CPUs for which code is verified are defined in the following table.
+
+| CPUs        | Description |
+| --------------- | ------------|
+| SandyBridge+ | x86-64 with AES-NI, CLMUL, and AVX.
+| neoverse-n1 | aarch64 without SHA512.
+| neoverse-v1 | aarch64 with SHA512.
+
+For more details on verified API functions, caveats and technology used, check the [AWS-LC Formal Verification](https://github.com/awslabs/aws-lc-verification) repository.
+
+In addition, we use assembly from [s2n-bignum](https://github.com/awslabs/s2n-bignum) to implement algorithms or sub-routines for x86_64 and aarch64. The following table shows the assembly routines that are formally verified using HOL Light.
+
+| Algorithms | Routines | CPUs |
+| ----------| ------------| ------------|
+| RSA | Montgomery multiplication | aarch64 |
+| P-384 | field operations | aarch64, x86_64 |
+| P-521 | field operations | aarch64, x86_64 |
+| X25519 | field operations, group operations, scalar point multiplication | aarch64, x86_64 |
+| Ed25519 |  encode, decode, scalar point multiplication | aarch64, x86_64 |
 
 ## Have a Question?
 

crypto/asn1/a_dup.c

@@ -59,6 +59,26 @@
 #include <openssl/err.h>
 #include <openssl/mem.h>
 
+void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, void *input) {
+  if (i2d == NULL || d2i == NULL || input == NULL) {
+    OPENSSL_PUT_ERROR(ASN1, ERR_R_PASSED_NULL_PARAMETER);
+    return NULL;
+  }
+
+  // Size and allocate |buf|.
+  unsigned char *buf = NULL;
+  int buf_len = i2d(input, &buf);
+  if (buf == NULL || buf_len < 0) {
+    return NULL;
+  }
+
+  // |buf| needs to be converted to |const| to be passed in.
+  const unsigned char *temp_input = buf;
+  char *ret = d2i(NULL, &temp_input, buf_len);
+  OPENSSL_free(buf);
+  return ret;
+}
+
 // ASN1_ITEM version of dup: this follows the model above except we don't
 // need to allocate the buffer. At some point this could be rewritten to
 // directly dup the underlying structure instead of doing and encode and