Merge branch 'main' into x509-name-constraints

Author: nhatnghiho

.github/workflows/linux-multi-arch-omnibus.yml

@@ -194,7 +194,7 @@ jobs:
             ./tests/ci/run_posix_tests.sh
 
   fips_tests:
-    name: ${{ matrix.enableASAN && 'asan-' || '' }}fips-tests-${{ matrix.image }}-${{ matrix.compiler }}-${{ matrix.arch }}
+    name: ${{ matrix.enableASAN && 'asan-' || '' }}${{ matrix.enableMSAN && 'msan-' || '' }}fips-tests-${{ matrix.image }}-${{ matrix.compiler }}-${{ matrix.arch }}
     runs-on:
       - codebuild-aws-lc-ci-github-actions-${{ github.run_id }}-${{ github.run_attempt }}
         image:${{ matrix.arch == 'x86_64' && 'linux-5.0' || matrix.arch == 'aarch64' && 'arm-3.0' }}
@@ -315,6 +315,10 @@ jobs:
           - image: ubuntu:22.04
             arch: x86_64
             compiler: clang-14
+          - image: amazonlinux:2023
+            arch: x86_64
+            compiler: clang-19
+            enableMSAN: 1
           - image: ubuntu:22.04
             arch: x86_64
             compiler: gcc-10
@@ -349,6 +353,7 @@ jobs:
             compiler: gcc-12
     env:
       AWSLC_ENABLE_FIPS_ASAN: ${{ matrix.enableASAN }}
+      AWSLC_ENABLE_FIPS_MSAN: ${{ matrix.enableMSAN }}
     steps:
       - uses: actions/checkout@v5
       - name: Login to Amazon ECR
@@ -360,6 +365,7 @@ jobs:
           image: ${{ steps.login-ecr.outputs.registry }}/aws-lc/${{ matrix.image }}
           env: |
             AWSLC_ENABLE_FIPS_ASAN
+            AWSLC_ENABLE_FIPS_MSAN
           run: |
             source /opt/compiler-env/setup-${{ matrix.compiler }}.sh
             if [[ "${{ matrix.goTestTimeout }}z" != "z" ]]; then

.github/workflows/windows-alt.yml

@@ -203,6 +203,41 @@ jobs:
       - name: x86_64-w64-mingw32 Build/Test
         run:
           ./tests/ci/run_cross_mingw_tests.sh x86_64 w64-mingw32 "-DCMAKE_BUILD_TYPE=Release"
+  cross-clang-cl-ninja:
+    # Cross-compile from Linux to x86_64-pc-windows-msvc with Ninja + clang-cl,
+    # mirroring the default aws-lc-rs setup. This catches command-line quoting
+    # regressions the Windows-native clang-cl-ninja job misses because cmd.exe
+    # and /bin/sh tokenize arguments differently (see aws/aws-lc-rs#981).
+    if: github.repository_owner == 'aws'
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup toolchain
+        run: |
+          set -ex
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
+          sudo apt-get install --assume-yes --no-install-recommends \
+            cmake ninja-build nasm \
+            wget lsb-release software-properties-common gnupg
+          # Clang 19 (xwin's MSVC STL headers require Clang >= 19; 24.04 ships 18).
+          wget -qO- https://apt.llvm.org/llvm.sh | sudo bash -s -- 19
+          sudo ln -sf /usr/bin/clang-19    /usr/local/bin/clang-cl
+          sudo ln -sf /usr/bin/lld-19      /usr/local/bin/lld-link
+          sudo ln -sf /usr/bin/llvm-ar-19  /usr/local/bin/llvm-lib
+          sudo ln -sf /usr/bin/llvm-rc-19  /usr/local/bin/llvm-rc
+          sudo ln -sf /usr/bin/llvm-mt-19  /usr/local/bin/llvm-mt
+          # xwin provides the MSVC SDK headers/libs for cross-compiling.
+          XWIN_VERSION=0.6.5
+          wget -qO- https://github.com/Jake-Shadle/xwin/releases/download/${XWIN_VERSION}/xwin-${XWIN_VERSION}-x86_64-unknown-linux-musl.tar.gz | tar xz
+          sudo mv xwin-${XWIN_VERSION}-x86_64-unknown-linux-musl/xwin /usr/local/bin/
+          xwin --accept-license --arch x86_64 splat --output /tmp/xwin
+      - name: Build
+        run: |
+          set -ex
+          cmake -B build -G Ninja \
+            -DCMAKE_BUILD_TYPE=Release \
+            -DCMAKE_TOOLCHAIN_FILE=util/x86_64-windows-clang-cl-toolchain.cmake
+          cmake --build build --target all
   msys2:
     name: msys2 ${{ matrix.sys }} - ${{ matrix.generator }}
     if: github.repository_owner == 'aws'

CMakeLists.txt

@@ -5,7 +5,7 @@ cmake_policy(SET CMP0091 NEW)
 endif()
 
 set(SOFTWARE_NAME "awslc")
-set(SOFTWARE_VERSION "1.72.0")
+set(SOFTWARE_VERSION "1.72.1")
 set(ABI_VERSION 0)
 set(CRYPTO_LIB_NAME "crypto")
 set(SSL_LIB_NAME "ssl")
@@ -849,9 +849,12 @@ if(WIN32)
   # Allow use of fopen.
   add_definitions(-D_CRT_SECURE_NO_WARNINGS)
   # VS 2017 and higher supports STL-only warning suppressions.
-  # A bug in CMake < 3.13.0 may cause the space in this value to
-  # cause issues when building with NASM. In that case, update CMake.
-  add_definitions("-D_STL_EXTRA_DISABLED_WARNINGS=4774 4987")
+  # _STL_EXTRA_DISABLED_WARNINGS is only consumed by MSVC STL headers,
+  # so scope the definition to C++. Using add_compile_options with a
+  # CMake-escaped space keeps the value as a single argument under
+  # Ninja + clang-cl, where add_definitions with a space-containing
+  # value is not quoted robustly (see aws/aws-lc-rs#981).
+  add_compile_options($<$<COMPILE_LANGUAGE:CXX>:-D_STL_EXTRA_DISABLED_WARNINGS=4774\ 4987>)
 endif()
 
 add_flag_if_supported(C_CXX_FLAGS "-Wshadow")

crypto/cipher_extra/aead_test.cc

@@ -1302,7 +1302,19 @@ TEST(AEADTest, TestGCMSIV128Change16Alignment) {
   GTEST_LOG_(INFO) << "Orig. Ctx.State Location: " << &encrypt_ctx_128->state;
   EVP_AEAD_CTX *moved_encrypt_ctx_128 =
       (EVP_AEAD_CTX *)(((uint8_t *)encrypt_ctx_128) + 8);
+  // The destination pointer is offset into the allocation so that it aliases
+  // the |state| subobject; GCC / fortify-headers infer the subobject size and
+  // report a `stringop-overflow` false positive (see aws-lc#3083).
+  // -Wstringop-overflow was introduced in GCC 7; older GCC versions reject
+  // the pragma with -Werror=pragmas.
+#if defined(__GNUC__) && !defined(__clang__) && (__GNUC__ >= 7)
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wstringop-overflow"
+#endif
   memmove(moved_encrypt_ctx_128, encrypt_ctx_128, sizeof(EVP_AEAD_CTX));
+#if defined(__GNUC__) && !defined(__clang__) && (__GNUC__ >= 7)
+#pragma GCC diagnostic pop
+#endif
   GTEST_LOG_(INFO) << "Moved Ctx.State Location: "
                    << &moved_encrypt_ctx_128->state;
 
@@ -1343,7 +1355,15 @@ TEST(AEADTest, TestGCMSIV256Change16Alignment) {
   GTEST_LOG_(INFO) << "Orig. Ctx.State Location: " << &encrypt_ctx_256->state;
   EVP_AEAD_CTX *moved_encrypt_ctx_256 =
       (EVP_AEAD_CTX *)(((uint8_t *)encrypt_ctx_256) + 8);
+  // See TestGCMSIV128Change16Alignment for why this pragma is needed.
+#if defined(__GNUC__) && !defined(__clang__) && (__GNUC__ >= 7)
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wstringop-overflow"
+#endif
   memmove(moved_encrypt_ctx_256, encrypt_ctx_256, sizeof(EVP_AEAD_CTX));
+#if defined(__GNUC__) && !defined(__clang__) && (__GNUC__ >= 7)
+#pragma GCC diagnostic pop
+#endif
   GTEST_LOG_(INFO) << "Moved Ctx.State Location: "
                    << &moved_encrypt_ctx_256->state;
 

crypto/conf/conf.c

@@ -326,11 +326,20 @@ static int add_string(const CONF *conf, CONF_VALUE *section,
   CONF_VALUE *old_value;
 
   value->section = OPENSSL_strdup(section->section);
+  if (value->section == NULL) {
+    return 0;
+  }
+
   if (!sk_CONF_VALUE_push(section_stack, value)) {
+    OPENSSL_free(value->section);
+    value->section = NULL;
     return 0;
   }
 
   if (!lh_CONF_VALUE_insert(conf->data, &old_value, value)) {
+    (void)sk_CONF_VALUE_delete_ptr(section_stack, value);
+    OPENSSL_free(value->section);
+    value->section = NULL;
     return 0;
   }
   if (old_value != NULL) {

crypto/crypto_test.cc

@@ -106,7 +106,7 @@ TEST(CryptoTest, FIPSdownstreamPrecompilationFlag) {
 }
 #endif // defined(BORINGSSL_FIPS)
 
-#if defined(BORINGSSL_FIPS) && !defined(OPENSSL_ASAN)
+#if defined(BORINGSSL_FIPS) && !defined(OPENSSL_ASAN) && !defined(OPENSSL_MSAN)
 TEST(Crypto, OnDemandIntegrityTest) {
   BORINGSSL_integrity_test();
 }

crypto/err/evp.errordata

@@ -10,6 +10,7 @@ EVP,107,EXPECTING_AN_RSA_KEY
 EVP,139,EXPECTING_A_DH_KEY
 EVP,108,EXPECTING_A_DSA_KEY
 EVP,106,EXPECTING_A_EC_KEY_KEY
+EVP,141,EXPECTING_A_KEM_KEY
 EVP,140,EXPECTING_A_PQDSA_KEY
 EVP,109,ILLEGAL_OR_UNSUPPORTED_PADDING_MODE
 EVP,137,INVALID_BUFFER_SIZE

crypto/evp_extra/evp_asn1.c

@@ -19,13 +19,14 @@
 #include "../internal.h"
 #include "internal.h"
 #include "../fipsmodule/kem/internal.h"
+#include "../fipsmodule/cpucap/internal.h"
 
 // parse_key_type takes the algorithm cbs sequence |cbs| and extracts the OID.
 // The extracted OID will be set on |out_oid| so that it may be used later in
 // specific key type implementations like PQDSA.
 // The OID is then searched against ASN.1 methods for a method with that OID.
 // As the |OID| is read from |cbs| the buffer is advanced.
-// For the case of |NID_rsa| the method |rsa_asn1_meth| is returned.
+// For the case of |NID_rsa| or |NID_rsaesOaep| the method |rsa_asn1_meth| is returned.
 // For the case of |EVP_PKEY_PQDSA| the method |pqdsa_asn1.meth| is returned.
 // For the case of |EVP_PKEY_KEM| the method |kem_asn1.meth| is returned.
 static const EVP_PKEY_ASN1_METHOD *parse_key_type(CBS *cbs, CBS *out_oid) {
@@ -46,20 +47,25 @@ static const EVP_PKEY_ASN1_METHOD *parse_key_type(CBS *cbs, CBS *out_oid) {
     }
   }
 
-  // Special logic to handle the rarer |NID_rsa|.
+  // Special logic to handle the rarer |NID_rsa| and |NID_rsaesOaep|.
+  // NID_rsa:
   // https://www.itu.int/ITU-T/formal-language/itu-t/x/x509/2008/AlgorithmObjectIdentifiers.html
-  if (OBJ_cbs2nid(&oid) == NID_rsa) {
+  // NID_rsaesOaep: underlying key is the same as |NID_rsa|. Used by
+  // TPM 1.2 Endorsement Key certificates per TCG Credential Profiles
+  // V1.2, section 3.2.7.
+  int nid = OBJ_cbs2nid(&oid);
+  if (nid == NID_rsa || nid == NID_rsaesOaep) {
     return &rsa_asn1_meth;
   }
 
   // The pkey_id for the pqdsa_asn1_meth is EVP_PKEY_PQDSA, as this holds all
   // asn1 functions for pqdsa types. However, the incoming CBS has the OID for
   // the specific algorithm. So we must search explicitly for the algorithm.
-  const EVP_PKEY_ASN1_METHOD *pqdsa_method = PQDSA_find_asn1_by_nid(OBJ_cbs2nid(&oid));
+  const EVP_PKEY_ASN1_METHOD *pqdsa_method = PQDSA_find_asn1_by_nid(nid);
   if (pqdsa_method != NULL) {
     return pqdsa_method;
   }
-  return KEM_find_asn1_by_nid(OBJ_cbs2nid(&oid));
+  return KEM_find_asn1_by_nid(nid);
 }
 
 EVP_PKEY *EVP_parse_public_key(CBS *cbs) {
@@ -713,3 +719,17 @@ int EVP_PKEY_asn1_get0_info(int *ppkey_id, int *pkey_base_id, int *ppkey_flags,
   }
   return 1;
 }
+
+int EVP_PKEY_get_private_seed(const EVP_PKEY *key, uint8_t *out,
+  size_t *out_len) {
+  SET_DIT_AUTO_RESET;
+  GUARD_PTR(key);
+  GUARD_PTR(out_len);
+
+  if (key->ameth == NULL || key->ameth->get_priv_seed == NULL) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
+    return 0;
+  }
+
+  return key->ameth->get_priv_seed(key, out, out_len);
+}

crypto/evp_extra/evp_extra_test.cc

@@ -1683,6 +1683,49 @@ TEST(EVPExtraTest, Ed25519) {
   ERR_clear_error();
 }
 
+// EVP_PKEY_get_private_seed returns an error for key types that don't
+// provide a get_priv_seed method. It must also reject NULL |key| regardless of
+// key type.
+TEST(EVPExtraTest, GetPrivateSeedUnsupportedKeyTypes) {
+  // NULL key is rejected.
+  size_t seed_len = 0;
+  ERR_clear_error();
+  EXPECT_FALSE(EVP_PKEY_get_private_seed(nullptr, nullptr, &seed_len));
+
+  // RSA
+  bssl::UniquePtr<EVP_PKEY> rsa_key(ParsePrivateKey(
+      EVP_PKEY_RSA, kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER)));
+  ASSERT_TRUE(rsa_key);
+  ERR_clear_error();
+  EXPECT_FALSE(EVP_PKEY_get_private_seed(rsa_key.get(), nullptr, &seed_len));
+  EXPECT_TRUE(ErrorEquals(ERR_get_error(), ERR_LIB_EVP,
+                          EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE));
+
+  // EC
+  bssl::UniquePtr<EVP_PKEY> ec_key(ParsePrivateKey(
+      EVP_PKEY_EC, kExampleECKeyDER, sizeof(kExampleECKeyDER)));
+  ASSERT_TRUE(ec_key);
+  ERR_clear_error();
+  EXPECT_FALSE(EVP_PKEY_get_private_seed(ec_key.get(), nullptr, &seed_len));
+  EXPECT_TRUE(ErrorEquals(ERR_get_error(), ERR_LIB_EVP,
+                          EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE));
+
+  // Ed25519: has a raw 32-byte private "seed" but does NOT wire up
+  // get_priv_seed. EVP_PKEY_get_raw_private_key is the correct accessor.
+  static const uint8_t kEd25519Seed[32] = {
+      0x9d, 0x61, 0xb1, 0x9d, 0xef, 0xfd, 0x5a, 0x60, 0xba, 0x84, 0x4a,
+      0xf4, 0x92, 0xec, 0x2c, 0xc4, 0x44, 0x49, 0xc5, 0x69, 0x7b, 0x32,
+      0x69, 0x19, 0x70, 0x3b, 0xac, 0x03, 0x1c, 0xae, 0x7f, 0x60,
+  };
+  bssl::UniquePtr<EVP_PKEY> ed_key(EVP_PKEY_new_raw_private_key(
+      EVP_PKEY_ED25519, nullptr, kEd25519Seed, sizeof(kEd25519Seed)));
+  ASSERT_TRUE(ed_key);
+  ERR_clear_error();
+  EXPECT_FALSE(EVP_PKEY_get_private_seed(ed_key.get(), nullptr, &seed_len));
+  EXPECT_TRUE(ErrorEquals(ERR_get_error(), ERR_LIB_EVP,
+                          EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE));
+}
+
 static void ExpectECGroupOnly(const EVP_PKEY *pkey, int nid) {
   EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
   ASSERT_TRUE(ec);

crypto/evp_extra/p_dsa_asn1.c

@@ -217,6 +217,7 @@ const EVP_PKEY_ASN1_METHOD dsa_asn1_meth = {
   NULL /* set_pub_raw */,
   NULL /* get_priv_raw */,
   NULL /* get_pub_raw */,
+  NULL /* get_priv_seed */,
 
   NULL /* pkey_opaque */,