Merge branch 'main' into get_ciphers

crypto/evp_extra/p_pqdsa.c

@@ -280,13 +280,9 @@ EVP_PKEY *EVP_PKEY_pqdsa_new_raw_public_key(int nid, const uint8_t *in, size_t l
     goto err;
   }
 
-  const PQDSA *pqdsa =  PQDSA_KEY_get0_dsa(ret->pkey.pqdsa_key);
-  if (pqdsa->public_key_len != len) {
-    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
-    goto err;
-  }
-
-  if (!PQDSA_KEY_set_raw_public_key(ret->pkey.pqdsa_key, in)) {
+  CBS cbs;
+  CBS_init(&cbs, in, len);
+  if (!PQDSA_KEY_set_raw_public_key(ret->pkey.pqdsa_key, &cbs)) {
     // PQDSA_KEY_set_raw_public_key sets the appropriate error.
     goto err;
   }
@@ -316,7 +312,9 @@ EVP_PKEY *EVP_PKEY_pqdsa_new_raw_private_key(int nid, const uint8_t *in, size_t
     goto err;
   }
 
-  if (!PQDSA_KEY_set_raw_private_key(ret->pkey.pqdsa_key, in)) {
+  CBS cbs;
+  CBS_init(&cbs, in, len);
+  if (!PQDSA_KEY_set_raw_private_key(ret->pkey.pqdsa_key, &cbs)) {
     // PQDSA_KEY_set_raw_private_key sets the appropriate error.
     goto err;
   }

crypto/evp_extra/p_pqdsa_asn1.c

@@ -89,18 +89,19 @@ static int pqdsa_get_pub_raw(const EVP_PKEY *pkey, uint8_t *out,
 }
 
 static int pqdsa_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) {
-  // See https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/ section 4.
-  // the only parameter that can be included is the OID which has length 9
+  // See https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/
+  // section 4. the only parameter that can be included is the OID which has
+  // length 9
   if (CBS_len(params) != 9) {
     OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
     return 0;
   }
-  // set the pqdsa params on the fresh pkey
+  // Set the pqdsa params on |out|.
   if (!EVP_PKEY_pqdsa_set_params(out, OBJ_cbs2nid(params))) {
     OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
     return 0;
   }
-  return PQDSA_KEY_set_raw_public_key(out->pkey.pqdsa_key,CBS_data(key));
+  return PQDSA_KEY_set_raw_public_key(out->pkey.pqdsa_key, key);
 }
 
 static int pqdsa_pub_encode(CBB *out, const EVP_PKEY *pkey) {
@@ -138,21 +139,22 @@ static int pqdsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) {
 }
 
 static int pqdsa_priv_decode(EVP_PKEY *out, CBS *params, CBS *key, CBS *pubkey) {
-  // See https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/ section 6.
-  // the only parameter that can be included is the OID which has length 9
-  if (CBS_len(params) != 9 ) {
+  // See https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/
+  // section 6. the only parameter that can be included is the OID which has
+  // length 9.
+  if (CBS_len(params) != 9) {
     OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
     return 0;
   }
 
-  // Set the pqdsa params on the fresh pkey
+  // Set the pqdsa params on |out|.
   if (!EVP_PKEY_pqdsa_set_params(out, OBJ_cbs2nid(params))) {
     OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
     return 0;
   }
 
   // Set the private key
-  if (!PQDSA_KEY_set_raw_private_key(out->pkey.pqdsa_key, CBS_data(key))) {
+  if (!PQDSA_KEY_set_raw_private_key(out->pkey.pqdsa_key, key)) {
     OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
     return 0;
   }
@@ -167,7 +169,8 @@ static int pqdsa_priv_decode(EVP_PKEY *out, CBS *params, CBS *key, CBS *pubkey)
   }
 
   // Construct the public key from the private key
-  if (!out->pkey.pqdsa_key->pqdsa->method->pqdsa_pack_pk_from_sk(public_key, CBS_data(key))) {
+  if (!out->pkey.pqdsa_key->pqdsa->method->pqdsa_pack_pk_from_sk(
+          public_key, CBS_data(key))) {
     OPENSSL_free(public_key);
     OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
     return 0;

crypto/evp_extra/p_pqdsa_test.cc

@@ -1854,3 +1854,27 @@ TEST_P(PerMLDSATest, ACVPSigVer) {
     }
   });
 }
+
+static const uint8_t mldsa87kPublicKeyInvalidLength[] = {
+    0x30, 0x11, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
+    0x65, 0x03, 0x04, 0x03, 0x13, 0x03, 0x02, 0x00, 0xe4};
+
+TEST(PQDSAParameterTest, ParsePublicKeyInvalidLength) {
+  CBS cbs;
+  CBS_init(&cbs, mldsa87kPublicKeyInvalidLength,
+           sizeof(mldsa87kPublicKeyInvalidLength));
+  bssl::UniquePtr<EVP_PKEY> pub_pkey_from_der(EVP_parse_public_key(&cbs));
+  ASSERT_FALSE(pub_pkey_from_der.get());
+}
+
+static const uint8_t mldsa44kPrivateKeyInvalidLength[] = {
+    0x30, 0x16, 0x02, 0x01, 0x00, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48,
+    0x01, 0x65, 0x03, 0x04, 0x03, 0x11, 0x04, 0x04, 0x82, 0x45, 0x52, 0xd8};
+
+TEST(PQDSAParameterTest, ParsePrivateKeyInvalidLength) {
+  CBS cbs;
+  CBS_init(&cbs, mldsa44kPrivateKeyInvalidLength,
+           sizeof(mldsa44kPrivateKeyInvalidLength));
+  bssl::UniquePtr<EVP_PKEY> private_pkey_from_der(EVP_parse_private_key(&cbs));
+  ASSERT_FALSE(private_pkey_from_der.get());
+}

crypto/fipsmodule/digest/digests.c

@@ -326,7 +326,7 @@ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha512_256) {
 
 
 static void sha3_224_init(EVP_MD_CTX *ctx) {
-  CHECK(SHA3_Init(ctx->md_data, SHA3_PAD_CHAR, SHA3_224_DIGEST_BITLENGTH));
+  CHECK(SHA3_Init(ctx->md_data, SHA3_224_DIGEST_BITLENGTH));
 }
 
 static void sha3_224_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
@@ -351,7 +351,7 @@ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha3_224) {
 
 
 static void sha3_256_init(EVP_MD_CTX *ctx) {
-  CHECK(SHA3_Init(ctx->md_data, SHA3_PAD_CHAR, SHA3_256_DIGEST_BITLENGTH));
+  CHECK(SHA3_Init(ctx->md_data, SHA3_256_DIGEST_BITLENGTH));
 }
 
 static void sha3_256_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
@@ -376,7 +376,7 @@ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha3_256) {
 
 
 static void sha3_384_init(EVP_MD_CTX *ctx) {
-  CHECK(SHA3_Init(ctx->md_data, SHA3_PAD_CHAR, SHA3_384_DIGEST_BITLENGTH));
+  CHECK(SHA3_Init(ctx->md_data, SHA3_384_DIGEST_BITLENGTH));
 }
 
 static void sha3_384_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
@@ -401,7 +401,7 @@ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha3_384) {
 
 
 static void sha3_512_init(EVP_MD_CTX *ctx) {
-  CHECK(SHA3_Init(ctx->md_data, SHA3_PAD_CHAR, SHA3_512_DIGEST_BITLENGTH));
+  CHECK(SHA3_Init(ctx->md_data, SHA3_512_DIGEST_BITLENGTH));
 }
 
 static void sha3_512_update(EVP_MD_CTX *ctx, const void *data, size_t count) {

crypto/fipsmodule/service_indicator/service_indicator_test.cc

@@ -5296,7 +5296,7 @@ TEST(ServiceIndicatorTest, ED25519SigGenVerify) {
 // Since this is running in FIPS mode it should end in FIPS
 // Update this when the AWS-LC version number is modified
 TEST(ServiceIndicatorTest, AWSLCVersionString) {
-  ASSERT_STREQ(awslc_version_string(), "AWS-LC FIPS 1.43.0");
+  ASSERT_STREQ(awslc_version_string(), "AWS-LC FIPS 1.44.0");
 }
 
 #else
@@ -5339,6 +5339,6 @@ TEST(ServiceIndicatorTest, BasicTest) {
 // Since this is not running in FIPS mode it shouldn't end in FIPS
 // Update this when the AWS-LC version number is modified
 TEST(ServiceIndicatorTest, AWSLCVersionString) {
-  ASSERT_STREQ(awslc_version_string(), "AWS-LC 1.43.0");
+  ASSERT_STREQ(awslc_version_string(), "AWS-LC 1.44.0");
 }
 #endif // AWSLC_FIPS

crypto/fipsmodule/sha/internal.h

@@ -408,7 +408,7 @@ int SHAKE_Final(uint8_t *md, KECCAK1600_CTX *ctx, size_t len);
 void SHA3_Reset(KECCAK1600_CTX *ctx);
 
 // SHA3_Init initialises |ctx| fields and returns 1 on success and 0 on failure.
-OPENSSL_EXPORT int SHA3_Init(KECCAK1600_CTX *ctx, uint8_t pad, size_t bitlen);
+OPENSSL_EXPORT int SHA3_Init(KECCAK1600_CTX *ctx, size_t bitlen);
 
 // SHA3_Update processes all data blocks that don't need pad through
 // |Keccak1600_Absorb| and returns 1 and 0 on failure.

crypto/fipsmodule/sha/sha3.c

@@ -14,7 +14,7 @@ uint8_t *SHA3_224(const uint8_t *data, size_t len,
                   uint8_t out[SHA3_224_DIGEST_LENGTH]) {
   FIPS_service_indicator_lock_state();
   KECCAK1600_CTX ctx;
-  int ok = (SHA3_Init(&ctx, SHA3_PAD_CHAR, SHA3_224_DIGEST_BITLENGTH) &&
+  int ok = (SHA3_Init(&ctx, SHA3_224_DIGEST_BITLENGTH) &&
             SHA3_Update(&ctx, data, len) &&
             SHA3_Final(out, &ctx));
 
@@ -31,7 +31,7 @@ uint8_t *SHA3_256(const uint8_t *data, size_t len,
                   uint8_t out[SHA3_256_DIGEST_LENGTH]) {
   FIPS_service_indicator_lock_state();
   KECCAK1600_CTX ctx;
-  int ok = (SHA3_Init(&ctx, SHA3_PAD_CHAR, SHA3_256_DIGEST_BITLENGTH) &&
+  int ok = (SHA3_Init(&ctx, SHA3_256_DIGEST_BITLENGTH) &&
             SHA3_Update(&ctx, data, len) &&
             SHA3_Final(out, &ctx));
 
@@ -48,7 +48,7 @@ uint8_t *SHA3_384(const uint8_t *data, size_t len,
                   uint8_t out[SHA3_384_DIGEST_LENGTH]) {
   FIPS_service_indicator_lock_state();
   KECCAK1600_CTX ctx;
-  int ok = (SHA3_Init(&ctx, SHA3_PAD_CHAR, SHA3_384_DIGEST_BITLENGTH) &&
+  int ok = (SHA3_Init(&ctx, SHA3_384_DIGEST_BITLENGTH) &&
             SHA3_Update(&ctx, data, len) &&
             SHA3_Final(out, &ctx));
 
@@ -65,7 +65,7 @@ uint8_t *SHA3_512(const uint8_t *data, size_t len,
                   uint8_t out[SHA3_512_DIGEST_LENGTH]) {
   FIPS_service_indicator_lock_state();
   KECCAK1600_CTX ctx;
-  int ok = (SHA3_Init(&ctx, SHA3_PAD_CHAR, SHA3_512_DIGEST_BITLENGTH) &&
+  int ok = (SHA3_Init(&ctx, SHA3_512_DIGEST_BITLENGTH) &&
             SHA3_Update(&ctx, data, len) &&
             SHA3_Final(out, &ctx));
 
@@ -109,49 +109,43 @@ uint8_t *SHAKE256(const uint8_t *data, const size_t in_len, uint8_t *out, size_t
   return out;
 }
 
-int SHAKE_Init(KECCAK1600_CTX *ctx, size_t block_size) {
-  // The SHAKE block size depends on the security level of the algorithm only
-  // It is independent of the output size
-  ctx->block_size = block_size;
-  return SHA3_Init(ctx, SHAKE_PAD_CHAR, 0);
+// FIPS202 APIs manage internal input/output buffer on top of Keccak1600 API layer
+static void FIPS202_Reset(KECCAK1600_CTX *ctx) {
+  memset(ctx->A, 0, sizeof(ctx->A));
+  ctx->buf_load = 0;
+  ctx->padded=0;
 }
 
-
-int SHAKE_Final(uint8_t *md, KECCAK1600_CTX *ctx, size_t len) {
-  ctx->md_size = len;
-  return SHA3_Final(md, ctx);
+static int FIPS202_Init(KECCAK1600_CTX *ctx, uint8_t pad, size_t block_size, size_t bit_len) {
+  if (pad != SHA3_PAD_CHAR && 
+      pad != SHAKE_PAD_CHAR) { 
+    return 0;
+  }
+
+  if (block_size <= sizeof(ctx->buf)) {
+      FIPS202_Reset(ctx);
+      ctx->block_size = block_size;
+      ctx->md_size = bit_len / 8;
+      ctx->pad = pad;
+      return 1;
+    }
+    return 0;
 }
 
+// SHA3 APIs implement SHA3 functionalities on top of FIPS202 API layer
 void SHA3_Reset(KECCAK1600_CTX *ctx) {
   memset(ctx->A, 0, sizeof(ctx->A));
   ctx->buf_load = 0;
   ctx->padded = 0;
 }
 
-int SHA3_Init(KECCAK1600_CTX *ctx, uint8_t pad, size_t bit_len) {
-  size_t block_size;
-
-  // The block size is computed differently depending on which algorithm
-  // is calling |SHA3_Init|:
-  //   - for SHA3 we compute it by calling SHA3_BLOCKSIZE(bit_len)
-  //     because the block size depends on the digest bit-length,
-  //   - for SHAKE we take the block size from the context.
-  // We use the given padding character to differentiate between SHA3 and SHAKE.
-  if (pad == SHA3_PAD_CHAR) {
-    block_size = SHA3_BLOCKSIZE(bit_len);
-  } else if (pad == SHAKE_PAD_CHAR) {
-    block_size = ctx->block_size;
-  } else {
-    return 0;
-  }
-  ctx->padded = 0;
-
-  if (block_size <= sizeof(ctx->buf)) {
-    SHA3_Reset(ctx);
-    ctx->block_size = block_size;
-    ctx->md_size = bit_len / 8;
-    ctx->pad = pad;
-    return 1;
+int SHA3_Init(KECCAK1600_CTX *ctx, size_t bit_len) {
+  if (bit_len == SHA3_224_DIGEST_BITLENGTH || 
+      bit_len == SHA3_256_DIGEST_BITLENGTH || 
+      bit_len == SHA3_384_DIGEST_BITLENGTH || 
+      bit_len == SHA3_512_DIGEST_BITLENGTH) { 
+        // |block_size| depends on the SHA3 |bit_len| output (digest) length
+        return FIPS202_Init(ctx, SHA3_PAD_CHAR, SHA3_BLOCKSIZE(bit_len), bit_len);
   }
   return 0;
 }
@@ -230,3 +224,19 @@ int SHA3_Final(uint8_t *md, KECCAK1600_CTX *ctx) {
 
   return 1;
 }
+
+// SHAKE APIs implement SHAKE functionalities on top of FIPS202 API layer
+int SHAKE_Init(KECCAK1600_CTX *ctx, size_t block_size) {
+  if (block_size == SHAKE128_BLOCKSIZE ||
+      block_size == SHAKE256_BLOCKSIZE) {
+        // |block_size| depends on the SHAKE security level
+        // The output length |bit_len| is initialized to 0
+        return FIPS202_Init(ctx, SHAKE_PAD_CHAR, block_size, 0);
+  }
+  return 0;
+}
+
+int SHAKE_Final(uint8_t *md, KECCAK1600_CTX *ctx, size_t len) {
+  ctx->md_size = len;
+  return SHA3_Final(md, ctx);
+}

crypto/fipsmodule/sha/sha3_test.cc

@@ -208,7 +208,7 @@ TEST(KeccakInternalTest, SqueezeOutputBufferOverflow) {
   const size_t out_lens[] = {
       0, 1, 2, 3, 4, 5, 6, 7, 8, (1 << 5), (1 << 16) + 1};
   for (auto out_len : out_lens) {
-    EXPECT_TRUE(SHA3_Init(&ctx, SHA3_PAD_CHAR, SHA3_384_DIGEST_BITLENGTH));
+    EXPECT_TRUE(SHA3_Init(&ctx, SHA3_384_DIGEST_BITLENGTH));
     out.resize(out_len + canary.size());
     std::copy(canary.begin(), canary.end(), out.end() - canary.size());
     Keccak1600_Squeeze(ctx.A, out.data(), out_len, ctx.block_size, 1);

crypto/pkcs7/pkcs7.c

@@ -843,6 +843,33 @@ int PKCS7_is_detached(PKCS7 *p7) {
   return 0;
 }
 
+int PKCS7_set_detached(PKCS7 *p7, int detach) {
+  GUARD_PTR(p7);
+  if (detach != 0 && detach != 1) {
+    // |detach| is meant to be used as a boolean int.
+    return 0;
+  }
+
+  if (PKCS7_type_is_signed(p7)) {
+    if (p7->d.sign == NULL) {
+      OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_NO_CONTENT);
+      return 0;
+    }
+    if (detach && PKCS7_type_is_data(p7->d.sign->contents)) {
+      ASN1_OCTET_STRING_free(p7->d.sign->contents->d.data);
+      p7->d.sign->contents->d.data = NULL;
+    }
+    return detach;
+  } else {
+    OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE);
+    return 0;
+  }
+}
+
+int PKCS7_get_detached(PKCS7 *p7) {
+  return PKCS7_is_detached(p7);
+}
+
 
 static BIO *pkcs7_find_digest(EVP_MD_CTX **pmd, BIO *bio, int nid) {
   GUARD_PTR(pmd);

crypto/pkcs7/pkcs7_test.cc

@@ -2043,3 +2043,28 @@ TEST(PKCS7Test, PKCS7PrintNoop) {
   ASSERT_TRUE(BIO_mem_contents(bio.get(), &contents, &len));
   EXPECT_EQ(Bytes(contents, len), Bytes("PKCS7 printing is not supported"));
 }
+
+TEST(PKCS7Test, SetDetached) {
+  bssl::UniquePtr<PKCS7> p7(PKCS7_new());
+  // |PKCS7_set_detached| does not work on an uninitialized |PKCS7|.
+  EXPECT_FALSE(PKCS7_set_detached(p7.get(), 0));
+  EXPECT_FALSE(PKCS7_set_detached(p7.get(), 1));
+  EXPECT_TRUE(PKCS7_set_type(p7.get(), NID_pkcs7_signed));
+  EXPECT_TRUE(PKCS7_type_is_signed(p7.get()));
+
+  PKCS7 *p7_internal = PKCS7_new();
+  EXPECT_TRUE(PKCS7_set_type(p7_internal, NID_pkcs7_data));
+  EXPECT_TRUE(PKCS7_type_is_data(p7_internal));
+  EXPECT_TRUE(PKCS7_set_content(p7.get(), p7_internal));
+
+  // Access the |p7|'s internal contents to verify that |PKCS7_set_detached|
+  // has the right behavior.
+  EXPECT_TRUE(p7.get()->d.sign->contents->d.data);
+  EXPECT_FALSE(PKCS7_set_detached(p7.get(), 0));
+  EXPECT_TRUE(p7.get()->d.sign->contents->d.data);
+  EXPECT_FALSE(PKCS7_set_detached(p7.get(), 2));
+  EXPECT_TRUE(p7.get()->d.sign->contents->d.data);
+  // data is "detached" when |PKCS7_set_detached| is set with 1.
+  EXPECT_TRUE(PKCS7_set_detached(p7.get(), 1));
+  EXPECT_FALSE(p7.get()->d.sign->contents->d.data);
+}

crypto/pqdsa/internal.h

@@ -76,8 +76,8 @@ PQDSA_KEY *PQDSA_KEY_new(void);
 void PQDSA_KEY_free(PQDSA_KEY *key);
 int EVP_PKEY_pqdsa_set_params(EVP_PKEY *pkey, int nid);
 
-int PQDSA_KEY_set_raw_public_key(PQDSA_KEY *key, const uint8_t *in);
-int PQDSA_KEY_set_raw_private_key(PQDSA_KEY *key, const uint8_t *in);
+int PQDSA_KEY_set_raw_public_key(PQDSA_KEY *key, CBS *in);
+int PQDSA_KEY_set_raw_private_key(PQDSA_KEY *key, CBS *in);
 #if defined(__cplusplus)
 }  // extern C
 #endif