PR feedback: fix indentation, combine if/defs for AWS_LC_FIPS_failure…

…, also move the callback_test back into crypto_test since it works with everything else now

CMakeLists.txt

@@ -992,6 +992,7 @@ if(BUILD_TESTING)
 
   # sets tests to compile an so executable file for testing in our Android app CI.
   if(ANDROIDTESTRUNNER)
+    set(TEST_EXECUTABLE_EXT ".so")
   endif()
 
   set(CRYPTO_TEST_EXEC crypto_test${TEST_EXECUTABLE_EXT})
@@ -1002,7 +1003,6 @@ if(BUILD_TESTING)
   set(INTEGRATION_TEST_EXEC integration_test${TEST_EXECUTABLE_EXT})
   set(DYNAMIC_LOADING_TEST_EXEC dynamic_loading_test${TEST_EXECUTABLE_EXT})
   set(RWLOCK_STATIC_INIT_TEST_EXEC rwlock_static_init${TEST_EXECUTABLE_EXT})
-  set(FIPS_CALLBACK_TEST_EXEC fips_callback_test${TEST_EXECUTABLE_EXT})
 
   add_subdirectory(util/fipstools/acvp/modulewrapper)
 

crypto/CMakeLists.txt

@@ -738,9 +738,6 @@ if(BUILD_TESTING)
   )
   set_test_location(${RANDOM_TEST_EXEC})
 
-  # fips_callback_test tests that setting the callback overrides the default abort behavior
-  add_test_executable(${FIPS_CALLBACK_TEST_EXEC} fips_callback_test.cc)
-
   add_dependencies(${RANDOM_TEST_EXEC} boringssl_prefix_symbols)
   target_link_libraries(${RANDOM_TEST_EXEC} test_support_lib boringssl_gtest crypto)
   target_include_directories(${RANDOM_TEST_EXEC} BEFORE PRIVATE ${PROJECT_BINARY_DIR}/symbol_prefix_include)
@@ -775,6 +772,7 @@ if(BUILD_TESTING)
     evp_extra/evp_test.cc
     evp_extra/p_pqdsa_test.cc
     evp_extra/scrypt_test.cc
+    fips_callback_test.cc
     fipsmodule/aes/aes_test.cc
     fipsmodule/bn/bn_test.cc
     fipsmodule/bn/bn_assert_test.cc

crypto/fips_callback_test.cc

@@ -1,7 +1,6 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0 OR ISC
 
-#if defined(BORINGSSL_FIPS)
 #include <gtest/gtest.h>
 #include <openssl/crypto.h>
 #include <openssl/curve25519.h>
@@ -54,9 +53,9 @@ void AWS_LC_fips_failure_callback(const char* message) {
     {"ML-KEM-keyGen-encaps", {"ML-KEM-keyGen-encaps failed.\nExpected:   0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\nCalculated: a7cc68f8d02110ca5720223b9e2a8987c8a24835a20dabcbefa430e74a85af80b9b74b74574c5e5f585459ca3610940f0b57b33344ceacccc135557b82f4968688a0168c1aa2940e5604482bf8b900a4343096446330cfee10917c0338181b7fe8d30f4816087d6299f225417f533ee40473894847bd45291367be6b1a7dee55bb21d60e3828552f4c8a6f3c54fc74cf67a614eeab002a076851879cef2218fdb3766123c2de32a269b6aa4661b69370314c004446f7258c40b2ea789f40ca023bbb1217c2c44b380c6e3194edd129d039218d9b75194a386d944acce7a9720ab026362004e95bf9229290b53613416082e82ba8a42a5ff14759f57712395706b307f7635ecee42317a48eb3b90683f3ab53d17c50f53c6cfb1c0cf59d6f2a981021428a7ac5edf13b26844d83c31d3608710e623aabb24b6c5b48baebc1b3078972589201b7a30bc09315612b067655bec403a69c89eb137c31157971098cb693ba4ae9ae40a8031cec92580bcc1b5ab3ecd1aa5f79aa2cd69249d138c8965a81c87a07eb59a4612e60658f4df028cef8af1b837e0ab0bfedb726904290d0bc41df6a67f7a4166609952439631960648e229a21f2a4d82abad3ec8135dc9bb43c703d3b33e437c9ef7bca91c3465676740125a15ad1707088b101b4273d3c4bf30181b4b2575de75ccfc13312a2a6bcebc477a9668e751629b569bfa20beca09800992c63f04b6b4a7df977a00131c2f8722e5138775235b517a709852167c1d415fdc7ad32f2aaca437e9cc6b248d9ca7c65b405e68d24e81b8688caa22b3cf5c9b147f0cc27e667a80b83ccbb4f4161a5ffd0194b1b5720e68ea0f59997f26740972d2c8124d7a6ad8327c2075a3f76b968d2aaad19c00697599e0be49fa6d65b4088b0be692dcda028095852a0d7205e4417409c0317780305a878fb582963b6953f6b8f0880b050178301d659be3a4db7e0bf2587129164178f32707d40392d85713dea82913999aa6c35aa94b3547abe40e2b0ba82b5b78319182a5a47d173176ba6fa3a4d70a8130b310743fa8aaae314381c9b7f49991f19a4ff8369638de380b5d828b7b5fcfdd91fe68efe16d4cd9eed66d65c1d2d8caf5af4a692\n", "ML-KEM self tests failed"}},
     {"ML-KEM-encapsulate-ciphertext", {"ML-KEM-encapsulate-ciphertext failed.\nExpected:   000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\nCalculated: 431a4f1b2d2c6c00f1690bbe482541ef3d563774daff83207f96de7e5e4a59d5d936d9443ad422e645793e7a60a9b0a76cd672d20c69b82a5563df52d96f9a6cdfc56fbd4fd8d5a8afeb2a09d92ec854094794b4ed2db381f04c68439608aa9902a4d1689e2eb1e5f07a4a1c709262d7c2ff2f81f6eeaab2a86a41ba210eb1bf8e75febccd1a15b4d7a7b60257c89d00bd81d39fcb8d1ce3278102595dd652f7fb7d5584874f3327b174043b350ebd4d41fe08bd0e854d41cbb027c481da64dc6151b88dececcf022ddac2e22736c147e0773294231c0589967154c526b0b7cdd59568eeff5749a40cb100c60c6480897655d96e9f64d61684c0b3150646732c19409fe565540a31894703cf0179cae85bc8c1a5732649836e48e676405b9591b65ba25f9b489b9e5772aa1ed5a00143cb9f5449fd013457a3c13874cb58c75b52c9b6a9ae495ccb504a89cb5f145695b921632fb85b0316b30d4ad17fef0862d6b1e6ca6a611c8a6a7234b4362c5ca0ad9f7697687798cf624dc9f35fbb376e09953156532a9033709df755b46cc6d83de3a111e19a76b361e0ef14c91db8d91c6c6d9e3e46f42291fd6cbf5cfd122716fb0675698e602ab39ee98e0d8145eebaaa9374f5b3bb0df4d0fd83a40e0d25038c39e9bee01cf79c86f3086158d031d5c5e86bc7e7eb16e622505f2888213884c0b5252289b11fce5bfeebfbef0a32ceaf9c14c6250090028463db6f8d19684f541108fe934d88e7ef5cce9daebb32700b9397691a684298c9bf1b7c22d1bcec3fcacfbb17f2ed2b98b85e6a8fe2482996b5e099e9d0211cb9412614de87dc18d23613ed7f6c29cc37b727116dd901c2817938c29fcd026089336addc09eca90de9a25a6374fee86bcdd06ae3daaf0b1bc5b3b2790d4d9f759bef8ac743612a2bbf6e45de8b22efa61226625d4c39f346b844c5ebec5355866c00b726cc1640cb237c34a20a7c603d251f46e6b3b0fa71b3276835e3e9da5b9485e789614af49f1e9504db2528631fbe1cd7dbee85164e4c099a27a4583e9247d078f8830b46874c1b010bf3cd90eb0774961f239ba\n", "ML-KEM self tests failed"}},
     {"ML-KEM-encapsulate-shared-secret", {"ML-KEM-encapsulate-shared-secret failed.\nExpected:   0000000000000000000000000000000000000000000000000000000000000000\nCalculated: a772df2de250ac7d896bbb820b57f2ae05f9a412ab55baa421d4af6dac62662a\n", "ML-KEM self tests failed"}},
-    {"HKDF-SHA-256", {"HKDF-SHA-256 KAT failed.\nExpected:   3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865\nCalculated: 5f59c2b22f7dc2decd91068cabda75bacf8079c31748f91e4ba67ea26c36ad8e0b8e48c9b630c42bfc3f\n", "Power on self test failed"}},
+    {"HKDF-SHA-256", {"HKDF-SHA-256 KAT failed.\nExpected:   000000000000000000000000000000000000000000000000000000000000000000000000000000000000\nCalculated: ca5e6410e7a52332fe0ab3601212a7d3dbdf55a162af42a5daf38b94f24523477e880dd711508684cc21\n", "Power on self test failed"}},
     {"KBKDF", {"KBKDF-CTR-HMAC-SHA-256 KAT failed.\nExpected:   10621342bfb0fd40046c0e29f2cfdbf0\nCalculated: 606060902f7c6632bcde3a67f5818c48\n", "Power on self test failed"}},
-    {"PBKDF2", {"PBKDF2 KAT failed.\nExpected:   13dc8a7c13d372c90382822d2dc492f2ed52467fb7828ea864\nCalculated: e442f1807d5fc9b466badcdfd3806fed7fa50da9a6f5729117\n", "Power on self test failed"}},
+    {"PBKDF2", {"PBKDF2 KAT failed.\nExpected:   c6ac0779e4a117c922287f5e10e7ee6ba74d8b19519b4cc738\nCalculated: e442f1807d5fc9b466badcdfd3806fed7fa50da9a6f5729117\n", "Power on self test failed"}},
     {"SSKDF", {"SSKDF_digest KAT failed.\nExpected:   5a2e26644d16222cd636a1fdb57bfaa17f94449127612bcd7be1bb39cc18f32893d3c648c16372fb6e9c63de5433b1ccdeb51bb5f15368c8a849a1e5a4efc666fd33eeb9f6728b0479f76668cfafc13a91367074def2b50e9d9a918a120210824165d596ad4f94a3236ef7cf5843282a0a57a483819f63e0cfb2081daf9ccf35c66a03e7a02d3891f45022e1c89d888aa8087e08f45babbc52062b18e6fb70c12dcb29a194d23abc351cfb3cf4f161cc775a3e711bb1502d6901f6931407a9ae868476f998d1ca4cca296a9f14752d14f47427e666289f80892a3d14a84fe343fd78d0dadbde1819aca915f7c0c024376b40cb34bae2d26e9f4552b6b1a26fa5\nCalculated: 63d19beaa2b5a2685510e4a3bd3692cec7d370f7d8eea41239a2d89439dc9643767c37c3fd892434c4f567d3c6854b57e63222bc99df63d7d02e6527b90fe57baaecf7fcb4ba278be3b2ff6f22d8435ccbc1c4d92fd89b88915d0711ad5ca81151d7c62a3d12a8315c2b3cf6f1d7b8b367687eadcb87d7c7b4e79f629df1aa35e05a8450291fdcdb744c1013bc25883fb913942ab0b77ac3a9dcd068e46af564e7deb1d2abc60d45d7f16ff985c652bc7559b8277026d238460f6133dfe6ab5641dbbcb749481c94c6e910161e54bef623cbaec3f4e096ec66bb6f3702c86dad3bd57b25d5115a972aafe8ab15fd60a30d401a6fbd421bab89095f7be374a439\n", "Power on self test failed"}}
   };
 
@@ -78,7 +77,7 @@ void AWS_LC_fips_failure_callback(const char* message) {
 
 }
 
-  TEST(FIPSCallback, PowerOnSelfTests) {
+TEST(FIPSCallback, PowerOnSelfTests) {
   char* broken_kat = getenv("FIPS_CALLBACK_TEST_EXPECTED_FAILURE");
   SCOPED_TRACE(broken_kat);
 
@@ -158,5 +157,3 @@ TEST(FIPSCallback, PWCT) {
     EXPECT_TRUE(EVP_PKEY_keygen(dsa_ctx, &dsa_raw));
   }
 }
-
-#endif

crypto/fipsmodule/bcm.c

@@ -401,26 +401,24 @@ int BORINGSSL_integrity_test(void) {
 }
 #endif  // OPENSSL_ASAN
 
-#if defined(AWSLC_FIPS_FAILURE_CALLBACK)
 void AWS_LC_FIPS_failure(const char* message) {
+#if defined(AWSLC_FIPS_FAILURE_CALLBACK)
   if (AWS_LC_fips_failure_callback == NULL) {
     fprintf(stderr, "AWS_LC_fips_failure_callback not defined but AWS-LC built with AWSLC_FIPS_FAILURE_CALLBACK. FIPS failure:\n%s", message);
     fflush(stderr);
     abort();
   } else {
     AWS_LC_fips_failure_callback(message);
   }
-}
 #else
-void AWS_LC_FIPS_failure(const char* message) {
   fprintf(stderr, "AWS-LC FIPS failure caused by:\n%s\n", message);
   fflush(stderr);
   for (;;) {
     abort();
     exit(1);
   }
-}
 #endif
+}
 #else  // BORINGSSL_FIPS
 void AWS_LC_FIPS_failure(const char* message) {
   fprintf(stderr, "AWS-LC FIPS failure caused by:\n%s\n", message);

crypto/fipsmodule/self_check/self_check.c

@@ -2391,9 +2391,10 @@ int boringssl_self_test_hmac_sha256(void) {
 }
 
 static int boringssl_self_test_hkdf_sha256(void) {
-  static const uint8_t kHKDF_ikm_tc1[] = {   // RFC 5869 Test Case 1
-      0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-      0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b
+  static const uint8_t kHKDF_ikm_tc1[] = {
+      0x58, 0x3e, 0xa3, 0xcf, 0x8f, 0xcf, 0xc8, 0x08, 0x73, 0xcc, 0x7b, 0x88,
+      0x00, 0x9d, 0x4a, 0xed, 0x07, 0xd8, 0xd8, 0x88, 0xae, 0x98, 0x76, 0x8d,
+      0xca, 0x07, 0xcb, 0x1e, 0x4b, 0x33, 0x1e, 0xb9
   };
   static const uint8_t kHKDF_salt_tc1[] = {
       0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
@@ -2403,10 +2404,10 @@ static int boringssl_self_test_hkdf_sha256(void) {
       0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9
   };
   static const uint8_t kHKDF_okm_tc1_sha256[] = {
-      0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a, 0x90, 0x43, 0x4f, 0x64,
-      0xd0, 0x36, 0x2f, 0x2a, 0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, 0x5a, 0x4c,
-      0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf, 0x34, 0x00, 0x72, 0x08,
-      0xd5, 0xb8, 0x87, 0x18, 0x58, 0x65
+      0xca, 0x5e, 0x64, 0x10, 0xe7, 0xa5, 0x23, 0x32, 0xfe, 0x0a, 0xb3, 0x60,
+      0x12, 0x12, 0xa7, 0xd3, 0xdb, 0xdf, 0x55, 0xa1, 0x62, 0xaf, 0x42, 0xa5,
+      0xda, 0xf3, 0x8b, 0x94, 0xf2, 0x45, 0x23, 0x47, 0x7e, 0x88, 0x0d, 0xd7,
+      0x11, 0x50, 0x86, 0x84, 0xcc, 0x21
   };
 
   uint8_t output[sizeof(kHKDF_okm_tc1_sha256)];
@@ -2670,11 +2671,9 @@ static int boringssl_self_test_fast(void) {
     goto err;
   }
 
-  // PBKDF2 KAT - password/salt data from RFC 6070, derived key generated by
-  // Python's cryptography module
   static const uint8_t kPBKDF2Password[] = {
-    'p', 'a', 's', 's', 'w', 'o', 'r', 'd', 'P', 'A', 'S', 'S', 'W', 'O', 'R',
-    'D', 'p', 'a', 's', 's', 'w', 'o', 'r', 'd'
+    'A', 'W', 'S', '-', 'L', 'C', 'F', 'I', 'P', 'S', 'p', 'a', 's', 's', 'w',
+    'o', 'r', 'd'
   };
   static const uint8_t kPBKDF2Salt[] = {
     's', 'a', 'l', 't', 'S', 'A', 'L', 'T', 's', 'a', 'l', 't', 'S', 'A', 'L',
@@ -2683,9 +2682,9 @@ static int boringssl_self_test_fast(void) {
   };
   const unsigned kPBKDF2Iterations = 2;
   static const uint8_t kPBKDF2DerivedKey[] = {
-    0x13, 0xdc, 0x8a, 0x7c, 0x13, 0xd3, 0x72, 0xc9, 0x03, 0x82, 0x82, 0x2d,
-    0x2d, 0xc4, 0x92, 0xf2, 0xed, 0x52, 0x46, 0x7f, 0xb7, 0x82, 0x8e, 0xa8,
-    0x64    // 25 bytes
+    0xc6, 0xac, 0x07, 0x79, 0xe4, 0xa1, 0x17, 0xc9, 0x22, 0x28, 0x7f, 0x5e,
+    0x10, 0xe7, 0xee, 0x6b, 0xa7, 0x4d, 0x8b, 0x19, 0x51, 0x9b, 0x4c, 0xc7,
+    0x38
   };
   uint8_t pbkdf2_output[sizeof(kPBKDF2DerivedKey)];
   if (!PKCS5_PBKDF2_HMAC((const char *)kPBKDF2Password, sizeof(kPBKDF2Password),

tests/ci/run_fips_callback_tests.sh

@@ -4,11 +4,12 @@ set -ex
 # SPDX-License-Identifier: Apache-2.0 OR ISC
 source tests/ci/common_posix_setup.sh
 
-original_test="${BUILD_ROOT}/crypto/fips_callback_test"
-broken_test="${BUILD_ROOT}/crypto/fips_callback_test_broken"
+original_test="${BUILD_ROOT}/crypto/crypto_test"
+broken_test="${BUILD_ROOT}/crypto/crypto_test_broken"
 
 # By default the test should pass
-$original_test
+$original_test --gtest_filter=FIPSCallback.PowerOnSelfTests
+$original_test --gtest_filter=FIPSCallback.PWCT
 
 # Break the tests
 KATS=$(go run "${SRC_ROOT}/util/fipstools/break-kat.go" --list-tests)

util/fipstools/break-kat.go

@@ -25,9 +25,9 @@ var (
 		"SHA-256":                          "ff3b857da7236a2baa0f396b51522217",
 		"SHA-512":                          "212512f8d2ad8322781c6c4d69a9daa1",
 		"SHA3-256":                         "d83c721ee51b060c5a41438a8221e040",
-		"HKDF-SHA-256":                     "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
+		"HKDF-SHA-256":                     "ca5e6410e7a52332fe0ab3601212a7d3dbdf55a162af42a5daf38b94f24523477e880dd711508684cc21",
 		"TLS-KDF":                          "abc3657b094c7628a0b282996fe75a75f4984fd94d4ecc2fcf53a2c469a3f731",
-		"PBKDF2":                           "70617373776F726450415353574F524470617373776F7264",
+		"PBKDF2":                           "4157532d4c434649505370617373776f7264",
 		"SSKDF":                            "39a1e2b3899e87efecf6271282d8f8008f252686dd35bfc39a0f71478da48c691565cee431254dd50cab7462c6cf199be9bf5c",
 		"KBKDF":                            "dd1d91b7d90b2bd3138533ce92b272fbf8a369316aefe242e659cc0ae238afe0",
 		"RSA-sign":                         "d2b56e53306f720d7929d8708bf46f1c22300305582b115bedcac722d8aa5ab2",