Merge branch 'main' into mysql-ci-tests

aws · Jul 21, 2023 · cec8db8 · cec8db8
2 parents 81482e1 + 56067dc
commit cec8db8
Show file tree

Hide file tree

Showing 46 changed files with 1,634 additions and 1,301 deletions.
diff --git a/.github/workflows/aws-lc-rs.yml b/.github/workflows/aws-lc-rs.yml
@@ -5,7 +5,6 @@ on:
   pull_request:
     branches: [ '*' ]
 env:
-  CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse
   GOPROXY: https://proxy.golang.org,direct
 jobs:
   standard:
@@ -19,7 +18,8 @@ jobs:
           submodules: false
       - uses: actions-rs/toolchain@v1
         with:
-          toolchain: stable
+          # Our aws-lc-sys generation scripts require nightly.
+          toolchain: nightly
           override: true
       - uses: actions-rs/cargo@v1
         with:

diff --git a/LICENSE b/LICENSE
@@ -219,7 +219,7 @@ comments on top of the respective files.
 Licenses for support code
 -------------------------
 
-Parts of the TLS test suite are under the Go license. This code is not included
+Parts of the TLS test suite are under the Go license (BSD-3-Clause). This code is not included
 in BoringSSL (i.e. libcrypto and libssl) when compiled, however, so
 distributing code linked against BoringSSL does not trigger this license:
 
@@ -254,7 +254,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 BoringSSL uses the Chromium test infrastructure to run a continuous build,
 trybots etc. The scripts which manage this, and the script for generating build
-metadata, are under the Chromium license. Distributing code linked against
+metadata, are under the Chromium license (BSD-3-Clause). Distributing code linked against
 BoringSSL does not trigger this license.
 
 Copyright 2015 The Chromium Authors. All rights reserved.

diff --git a/crypto/evp_extra/evp_test.cc b/crypto/evp_extra/evp_test.cc
@@ -105,6 +105,14 @@ static const EVP_MD *GetDigest(FileTest *t, const std::string &name) {
     return EVP_sha512();
   } else if (name == "SHA512/256") {
     return EVP_sha512_256();
+  } else if (name == "SHA3-224") {
+    return EVP_sha3_224();
+  } else if (name == "SHA3-256") {
+    return EVP_sha3_256();
+  } else if (name == "SHA3-384") {
+    return EVP_sha3_384();
+  } else if (name == "SHA3-512") {
+    return EVP_sha3_512();
   }
   ADD_FAILURE() << "Unknown digest: " << name;
   return nullptr;

diff --git a/crypto/evp_extra/evp_tests.txt b/crypto/evp_extra/evp_tests.txt
@@ -1685,6 +1685,46 @@ Digest = SHA512/256
 Input = "Hello world"
 Output = 3046022100e410d8f0fac6d7ed59d1d447d7b87ad1b01d9b1d87232d40e5052267d4e9fdc4022100b59253fb9a8c1b963a65f26cfc413a1a65253d24147b8c647a6bbdbe4b5e6798
 
+SignMessage = P-256
+Digest = SHA3-224
+Input = "Hello world"
+Output = ""
+
+VerifyMessage = P-256
+Digest = SHA3-224
+Input = "Hello world"
+Output = 304502207bb34d40c1618f0ff8457934f575a4ba5ca4b53f96bed60e71e36940d6438c1a02210084996f3b8fa8356e11186f29de9981ab3ac0f7d2f769ecbf38c199c628bc5693
+
+SignMessage = P-256
+Digest = SHA3-256
+Input = "Hello world"
+Output = ""
+
+VerifyMessage = P-256
+Digest = SHA3-256
+Input = "Hello world"
+Output = 3046022100f5530d0a7450e8bc4951e37b21d390dbfa7bb48e08e450b146baa8569e13d961022100fd09d172168ef060e6c93d3f98828576db6f7151fa3a850d7da0d7f6a7ef17ab
+
+SignMessage = P-256
+Digest = SHA3-384
+Input = "Hello world"
+Output = ""
+
+VerifyMessage = P-256
+Digest = SHA3-384
+Input = "Hello world"
+Output = 3043021f1c8d2c3ccbca8cc48f14dc0534f1bc9d0571967a4ee7f1eaeaea6d7e281c0c02200b89663032d94022d8b36a9bb5ce3a0d95c7c0598dd546de6919e2f14b1d16ff
+
+SignMessage = P-256
+Digest = SHA3-512
+Input = "Hello world"
+Output = ""
+
+VerifyMessage = P-256
+Digest = SHA3-512
+Input = "Hello world"
+Output = 30450221008e031b317f932cfb66fb38fb7b4962dac541d6c07f04aeeecfffa299bd8b473f02200f13277d4c8b8f1a56f0f50a9470df7ae7a2e7f5b9cbc75299788f6429e9c851
+
 # Digest can't be omitted in many algorithms.
 SignMessage = RSA-2048
 Input = "Hello world"

diff --git a/crypto/fipsmodule/evp/p_ec.c b/crypto/fipsmodule/evp/p_ec.c
@@ -193,7 +193,10 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
       int md_type = EVP_MD_type(md);
       if (md_type != NID_sha1 && md_type != NID_sha224 &&
           md_type != NID_sha256 && md_type != NID_sha384 &&
-          md_type != NID_sha512 && md_type != NID_sha512_256) {
+          md_type != NID_sha512 && md_type != NID_sha512_256 &&
+          md_type != NID_sha3_224 && md_type != NID_sha3_256 &&
+          md_type != NID_sha3_384 && md_type != NID_sha3_512
+      ) {
         OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_DIGEST_TYPE);
         return 0;
       }

diff --git a/crypto/fipsmodule/service_indicator/service_indicator_test.cc b/crypto/fipsmodule/service_indicator/service_indicator_test.cc
@@ -2234,19 +2234,35 @@ static const struct ECDSATestVector kECDSATestVectors[] = {
      AWSLC_APPROVED},
     {NID_secp224r1, &EVP_sha512_256, AWSLC_APPROVED, AWSLC_NOT_APPROVED,
      AWSLC_NOT_APPROVED},
+    {NID_secp224r1, &EVP_sha3_224, AWSLC_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
+    {NID_secp224r1, &EVP_sha3_256, AWSLC_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
+    {NID_secp224r1, &EVP_sha3_384, AWSLC_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
+    {NID_secp224r1, &EVP_sha3_512, AWSLC_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
 
-    {NID_X9_62_prime256v1, &EVP_sha1, AWSLC_APPROVED,
-     AWSLC_NOT_APPROVED, AWSLC_APPROVED},
-    {NID_X9_62_prime256v1, &EVP_sha224, AWSLC_APPROVED,
-     AWSLC_APPROVED, AWSLC_APPROVED},
-    {NID_X9_62_prime256v1, &EVP_sha256, AWSLC_APPROVED,
-     AWSLC_APPROVED, AWSLC_APPROVED},
-    {NID_X9_62_prime256v1, &EVP_sha384, AWSLC_APPROVED,
-     AWSLC_APPROVED, AWSLC_APPROVED},
-    {NID_X9_62_prime256v1, &EVP_sha512, AWSLC_APPROVED,
-     AWSLC_APPROVED, AWSLC_APPROVED},
+    {NID_X9_62_prime256v1, &EVP_sha1, AWSLC_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_APPROVED},
+    {NID_X9_62_prime256v1, &EVP_sha224, AWSLC_APPROVED, AWSLC_APPROVED,
+     AWSLC_APPROVED},
+    {NID_X9_62_prime256v1, &EVP_sha256, AWSLC_APPROVED, AWSLC_APPROVED,
+     AWSLC_APPROVED},
+    {NID_X9_62_prime256v1, &EVP_sha384, AWSLC_APPROVED, AWSLC_APPROVED,
+     AWSLC_APPROVED},
+    {NID_X9_62_prime256v1, &EVP_sha512, AWSLC_APPROVED, AWSLC_APPROVED,
+     AWSLC_APPROVED},
     {NID_X9_62_prime256v1, &EVP_sha512_256, AWSLC_APPROVED, AWSLC_NOT_APPROVED,
      AWSLC_NOT_APPROVED},
+    {NID_X9_62_prime256v1, &EVP_sha3_224, AWSLC_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
+    {NID_X9_62_prime256v1, &EVP_sha3_256, AWSLC_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
+    {NID_X9_62_prime256v1, &EVP_sha3_384, AWSLC_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
+    {NID_X9_62_prime256v1, &EVP_sha3_512, AWSLC_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
 
     {NID_secp384r1, &EVP_sha1, AWSLC_APPROVED, AWSLC_NOT_APPROVED,
      AWSLC_APPROVED},
@@ -2260,6 +2276,14 @@ static const struct ECDSATestVector kECDSATestVectors[] = {
      AWSLC_APPROVED},
     {NID_secp384r1, &EVP_sha512_256, AWSLC_APPROVED, AWSLC_NOT_APPROVED,
      AWSLC_NOT_APPROVED},
+    {NID_secp384r1, &EVP_sha3_224, AWSLC_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
+    {NID_secp384r1, &EVP_sha3_256, AWSLC_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
+    {NID_secp384r1, &EVP_sha3_384, AWSLC_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
+    {NID_secp384r1, &EVP_sha3_512, AWSLC_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
 
     {NID_secp521r1, &EVP_sha1, AWSLC_APPROVED, AWSLC_NOT_APPROVED,
      AWSLC_APPROVED},
@@ -2273,19 +2297,35 @@ static const struct ECDSATestVector kECDSATestVectors[] = {
      AWSLC_APPROVED},
     {NID_secp521r1, &EVP_sha512_256, AWSLC_APPROVED, AWSLC_NOT_APPROVED,
      AWSLC_NOT_APPROVED},
+    {NID_secp521r1, &EVP_sha3_224, AWSLC_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
+    {NID_secp521r1, &EVP_sha3_256, AWSLC_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
+    {NID_secp521r1, &EVP_sha3_384, AWSLC_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
+    {NID_secp521r1, &EVP_sha3_512, AWSLC_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
 
-    {NID_secp256k1, &EVP_sha1, AWSLC_NOT_APPROVED,
-     AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED},
-    {NID_secp256k1, &EVP_sha224, AWSLC_NOT_APPROVED,
-     AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED},
-    {NID_secp256k1, &EVP_sha256, AWSLC_NOT_APPROVED,
-     AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED},
-    {NID_secp256k1, &EVP_sha384, AWSLC_NOT_APPROVED,
-     AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED},
-    {NID_secp256k1, &EVP_sha512, AWSLC_NOT_APPROVED,
-     AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED},
-    {NID_secp256k1, &EVP_sha512_256, AWSLC_NOT_APPROVED,
-     AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED},
+    {NID_secp256k1, &EVP_sha1, AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
+    {NID_secp256k1, &EVP_sha224, AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
+    {NID_secp256k1, &EVP_sha256, AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
+    {NID_secp256k1, &EVP_sha384, AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
+    {NID_secp256k1, &EVP_sha512, AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
+    {NID_secp256k1, &EVP_sha512_256, AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
+    {NID_secp256k1, &EVP_sha3_224, AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
+    {NID_secp256k1, &EVP_sha3_256, AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
+    {NID_secp256k1, &EVP_sha3_384, AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
+    {NID_secp256k1, &EVP_sha3_512, AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED,
+     AWSLC_NOT_APPROVED},
 };
 
 class ECDSAServiceIndicatorTest : public TestWithNoErrors<ECDSATestVector> {};
@@ -4036,7 +4076,7 @@ TEST(ServiceIndicatorTest, DRBG) {
 // Since this is running in FIPS mode it should end in FIPS
 // Update this when the AWS-LC version number is modified
 TEST(ServiceIndicatorTest, AWSLCVersionString) {
-  ASSERT_STREQ(awslc_version_string(), "AWS-LC FIPS 1.12.0");
+  ASSERT_STREQ(awslc_version_string(), "AWS-LC FIPS 1.12.1");
 }
 
 #else
@@ -4079,6 +4119,6 @@ TEST(ServiceIndicatorTest, BasicTest) {
 // Since this is not running in FIPS mode it shouldn't end in FIPS
 // Update this when the AWS-LC version number is modified
 TEST(ServiceIndicatorTest, AWSLCVersionString) {
-  ASSERT_STREQ(awslc_version_string(), "AWS-LC 1.12.0");
+  ASSERT_STREQ(awslc_version_string(), "AWS-LC 1.12.1");
 }
 #endif // AWSLC_FIPS
diff --git a/crypto/ocsp/ocsp_test.cc b/crypto/ocsp/ocsp_test.cc
@@ -518,6 +518,86 @@ TEST(OCSPTest, TestGoodOCSP_SHA256) {
   ASSERT_EQ(-1, X509_cmp_time(nextupd, &connection_time));
 }
 
+struct OCSPVerifyFlagTestVector {
+  const char *ocsp_response;
+  unsigned long ocsp_verify_flag;
+  bool include_expired_signer_cert;
+  int expected_ocsp_verify_status;
+};
+
+static const OCSPVerifyFlagTestVector OCSPVerifyFlagTestVectors[] = {
+    {"ocsp_response", OCSP_NOINTERN, false, OCSP_VERIFYSTATUS_ERROR},
+    {"ocsp_response", OCSP_NOCHAIN, false, OCSP_VERIFYSTATUS_SUCCESS},
+    {"ocsp_response_expired_signer", OCSP_NOVERIFY, false,
+     OCSP_VERIFYSTATUS_SUCCESS},
+    {"ocsp_response_wrong_signer", OCSP_NOVERIFY, false,
+     OCSP_VERIFYSTATUS_SUCCESS},
+    {"ocsp_response", OCSP_NOEXPLICIT, false, OCSP_VERIFYSTATUS_SUCCESS},
+    {"ocsp_response", OCSP_TRUSTOTHER, false, OCSP_VERIFYSTATUS_SUCCESS},
+    {"ocsp_response_expired_signer", OCSP_TRUSTOTHER, false,
+     OCSP_VERIFYSTATUS_ERROR},
+    // |OCSP_TRUSTOTHER| sets |OCSP_NOVERIFY| if the signer cert is included
+    // within the parameters.
+    {"ocsp_response_expired_signer", OCSP_TRUSTOTHER, true,
+     OCSP_VERIFYSTATUS_SUCCESS},
+};
+
+class OCSPVerifyFlagTest
+    : public testing::TestWithParam<OCSPVerifyFlagTestVector> {};
+
+INSTANTIATE_TEST_SUITE_P(All, OCSPVerifyFlagTest,
+                         testing::ValuesIn(OCSPVerifyFlagTestVectors));
+
+TEST_P(OCSPVerifyFlagTest, OCSPVerifyFlagTest) {
+  const OCSPVerifyFlagTestVector &t = GetParam();
+
+  std::string respData =
+      GetTestData(std::string("crypto/ocsp/test/aws/" +
+                              std::string(t.ocsp_response) + ".der")
+                      .c_str());
+  std::vector<uint8_t> ocsp_response_data(respData.begin(), respData.end());
+
+  bssl::UniquePtr<OCSP_RESPONSE> ocsp_response =
+      LoadOCSP_RESPONSE(ocsp_response_data);
+  ASSERT_TRUE(ocsp_response);
+
+  int ret = OCSP_response_status(ocsp_response.get());
+  ASSERT_EQ(OCSP_RESPONSE_STATUS_SUCCESSFUL, ret);
+
+  bssl::UniquePtr<OCSP_BASICRESP> basic_response =
+      bssl::UniquePtr<OCSP_BASICRESP>(
+          OCSP_response_get1_basic(ocsp_response.get()));
+  ASSERT_TRUE(basic_response);
+
+  // Set up trust store and certificate chain.
+  bssl::UniquePtr<X509> ca_cert(CertFromPEM(
+      GetTestData(std::string("crypto/ocsp/test/aws/ca_cert.pem").c_str())
+          .c_str()));
+  bssl::UniquePtr<X509> server_cert(CertFromPEM(
+      GetTestData(std::string("crypto/ocsp/test/aws/server_cert.pem").c_str())
+          .c_str()));
+
+  bssl::UniquePtr<X509_STORE> trust_store(X509_STORE_new());
+  X509_STORE_add_cert(trust_store.get(), ca_cert.get());
+  bssl::UniquePtr<STACK_OF(X509)> server_cert_chain(
+      CertsToStack({server_cert.get(), ca_cert.get()}));
+  ASSERT_TRUE(server_cert_chain);
+  if (t.include_expired_signer_cert) {
+    bssl::UniquePtr<X509> signing_cert(CertFromPEM(
+        GetTestData(
+            std::string("crypto/ocsp/test/aws/ocsp_expired_cert.pem").c_str())
+            .c_str()));
+    ASSERT_TRUE(sk_X509_push(server_cert_chain.get(), signing_cert.get()));
+    X509_up_ref(signing_cert.get());
+  }
+
+  // Does basic verification on OCSP response.
+  const int ocsp_verify_status =
+      OCSP_basic_verify(basic_response.get(), server_cert_chain.get(),
+                        trust_store.get(), t.ocsp_verify_flag);
+  ASSERT_EQ(t.expected_ocsp_verify_status, ocsp_verify_status);
+}
+
 TEST(OCSPTest, GetInfo) {
   bssl::UniquePtr<X509> issuer(CertFromPEM(
       GetTestData(std::string("crypto/ocsp/test/aws/ca_cert.pem").c_str())