Add DH groups from RFC 7919 to support MySQL 8.1 (aws#1371)

MySQL's new version release depends on some new DH groups. This adds the support for the new groups and updates our CI to test against the new version. * Security Groups added were ffdhe3072 and ffdhe8192. The NIDs were autogenerated with objects.go. * The MySQL integration version was updated, two 2 additional unrelated test cases are being skipped. One depends on a supervisor process, while one is using stateful session resumption.
justsmth · Dec 22, 2023 · b201aea · b201aea
1 parent 92febcc
commit b201aea
Show file tree

Hide file tree

Showing 8 changed files with 384 additions and 20 deletions.
diff --git a/crypto/dh_extra/dh_test.cc b/crypto/dh_extra/dh_test.cc
diff --git a/crypto/fipsmodule/dh/dh.c b/crypto/fipsmodule/dh/dh.c
@@ -88,8 +88,12 @@ DH *DH_new_by_nid(int nid) {
   switch (nid) {
     case NID_ffdhe2048:
       return DH_get_rfc7919_2048();
+    case NID_ffdhe3072:
+      return DH_get_rfc7919_3072();
     case NID_ffdhe4096:
       return DH_get_rfc7919_4096();
+    case NID_ffdhe8192:
+      return DH_get_rfc7919_8192();
     default:
       OPENSSL_PUT_ERROR(DH, DH_R_INVALID_NID);
       return NULL;
@@ -511,6 +515,39 @@ DH *DH_get_rfc7919_2048(void) {
   return calculate_rfc7919_DH_from_p(kFFDHE2048Data, OPENSSL_ARRAY_SIZE(kFFDHE2048Data));
 }
 
+DH *DH_get_rfc7919_3072(void) {
+  // This is the prime from https://tools.ietf.org/html/rfc7919#appendix-A.2,
+  // which is specifically approved for FIPS in appendix D of SP 800-56Ar3.
+  static const BN_ULONG kFFDHE3072Data[] = {
+    TOBN(0xffffffff, 0xffffffff), TOBN(0x25e41d2b, 0x66c62e37),
+    TOBN(0x3c1b20ee, 0x3fd59d7c), TOBN(0x0abcd06b, 0xfa53ddef),
+    TOBN(0x1dbf9a42, 0xd5c4484e), TOBN(0xabc52197, 0x9b0deada),
+    TOBN(0xe86d2bc5, 0x22363a0d), TOBN(0x5cae82ab, 0x9c9df69e),
+    TOBN(0x64f2e21e, 0x71f54bff), TOBN(0xf4fd4452, 0xe2d74dd3),
+    TOBN(0xb4130c93, 0xbc437944), TOBN(0xaefe1309, 0x85139270),
+    TOBN(0x598cb0fa, 0xc186d91c), TOBN(0x7ad91d26, 0x91f7f7ee),
+    TOBN(0x61b46fc9, 0xd6e6c907), TOBN(0xbc34f4de, 0xf99c0238),
+    TOBN(0xde355b3b, 0x6519035b), TOBN(0x886b4238, 0x611fcfdc),
+    TOBN(0xc6f34a26, 0xc1b2effa), TOBN(0xc58ef183, 0x7d1683b2),
+    TOBN(0x3bb5fcbc, 0x2ec22005), TOBN(0xc3fe3b1b, 0x4c6fad73),
+    TOBN(0x8e4f1232, 0xeef28183), TOBN(0x9172fe9c, 0xe98583ff),
+    TOBN(0xc03404cd, 0x28342f61), TOBN(0x9e02fce1, 0xcdf7e2ec),
+    TOBN(0x0b07a7c8, 0xee0a6d70), TOBN(0xae56ede7, 0x6372bb19),
+    TOBN(0x1d4f42a3, 0xde394df4), TOBN(0xb96adab7, 0x60d7f468),
+    TOBN(0xd108a94b, 0xb2c8e3fb), TOBN(0xbc0ab182, 0xb324fb61),
+    TOBN(0x30acca4f, 0x483a797a), TOBN(0x1df158a1, 0x36ade735),
+    TOBN(0xe2a689da, 0xf3efe872), TOBN(0x984f0c70, 0xe0e68b77),
+    TOBN(0xb557135e, 0x7f57c935), TOBN(0x85636555, 0x3ded1af3),
+    TOBN(0x2433f51f, 0x5f066ed0), TOBN(0xd3df1ed5, 0xd5fd6561),
+    TOBN(0xf681b202, 0xaec4617a), TOBN(0x7d2fe363, 0x630c75d8),
+    TOBN(0xcc939dce, 0x249b3ef9), TOBN(0xa9e13641, 0x146433fb),
+    TOBN(0xd8b9c583, 0xce2d3695), TOBN(0xafdc5620, 0x273d3cf1),
+    TOBN(0xadf85458, 0xa2bb4a9a), TOBN(0xffffffff, 0xffffffff)};
+
+  return calculate_rfc7919_DH_from_p(kFFDHE3072Data,
+                                     OPENSSL_ARRAY_SIZE(kFFDHE3072Data));
+}
+
 DH *DH_get_rfc7919_4096(void) {
     // This is the prime from https://tools.ietf.org/html/rfc7919#appendix-A.3,
     // which is specifically approved for FIPS in appendix D of SP 800-56Ar3.
@@ -551,3 +588,76 @@ DH *DH_get_rfc7919_4096(void) {
 
     return calculate_rfc7919_DH_from_p(kFFDHE4096Data, OPENSSL_ARRAY_SIZE(kFFDHE4096Data));
 }
+
+DH *DH_get_rfc7919_8192(void) {
+  // This is the prime from https://tools.ietf.org/html/rfc7919#appendix-A.4,
+  // which is specifically approved for FIPS in appendix D of SP 800-56Ar3.
+  static const BN_ULONG kFFDHE8192Data[] = {
+      TOBN(0xffffffff, 0xffffffff), TOBN(0xd68c8bb7, 0xc5c6424c),
+      TOBN(0x011e2a94, 0x838ff88c), TOBN(0x0822e506, 0xa9f4614e),
+      TOBN(0x97d11d49, 0xf7a8443d), TOBN(0xa6bbfde5, 0x30677f0d),
+      TOBN(0x2f741ef8, 0xc1fe86fe), TOBN(0xfafabe1c, 0x5d71a87e),
+      TOBN(0xded2fbab, 0xfbe58a30), TOBN(0xb6855dfe, 0x72b0a66e),
+      TOBN(0x1efc8ce0, 0xba8a4fe8), TOBN(0x83f81d4a, 0x3f2fa457),
+      TOBN(0xa1fe3075, 0xa577e231), TOBN(0xd5b80194, 0x88d9c0a0),
+      TOBN(0x624816cd, 0xad9a95f9), TOBN(0x99e9e316, 0x50c1217b),
+      TOBN(0x51aa691e, 0x0e423cfc), TOBN(0x1c217e6c, 0x3826e52c),
+      TOBN(0x51a8a931, 0x09703fee), TOBN(0xbb709987, 0x6a460e74),
+      TOBN(0x541fc68c, 0x9c86b022), TOBN(0x59160cc0, 0x46fd8251),
+      TOBN(0x2846c0ba, 0x35c35f5c), TOBN(0x54504ac7, 0x8b758282),
+      TOBN(0x29388839, 0xd2af05e4), TOBN(0xcb2c0f1c, 0xc01bd702),
+      TOBN(0x555b2f74, 0x7c932665), TOBN(0x86b63142, 0xa3ab8829),
+      TOBN(0x0b8cc3bd, 0xf64b10ef), TOBN(0x687feb69, 0xedd1cc5e),
+      TOBN(0xfdb23fce, 0xc9509d43), TOBN(0x1e425a31, 0xd951ae64),
+      TOBN(0x36ad004c, 0xf600c838), TOBN(0xa40e329c, 0xcff46aaa),
+      TOBN(0xa41d570d, 0x7938dad4), TOBN(0x62a69526, 0xd43161c1),
+      TOBN(0x3fdd4a8e, 0x9adb1e69), TOBN(0x5b3b71f9, 0xdc6b80d6),
+      TOBN(0xec9d1810, 0xc6272b04), TOBN(0x8ccf2dd5, 0xcacef403),
+      TOBN(0xe49f5235, 0xc95b9117), TOBN(0x505dc82d, 0xb854338a),
+      TOBN(0x62292c31, 0x1562a846), TOBN(0xd72b0374, 0x6ae77f5e),
+      TOBN(0xf9c9091b, 0x462d538c), TOBN(0x0ae8db58, 0x47a67cbe),
+      TOBN(0xb3a739c1, 0x22611682), TOBN(0xeeaac023, 0x2a281bf6),
+      TOBN(0x94c6651e, 0x77caf992), TOBN(0x763e4e4b, 0x94b2bbc1),
+      TOBN(0x587e38da, 0x0077d9b4), TOBN(0x7fb29f8c, 0x183023c3),
+      TOBN(0x0abec1ff, 0xf9e3a26e), TOBN(0xa00ef092, 0x350511e3),
+      TOBN(0xb855322e, 0xdb6340d8), TOBN(0xa52471f7, 0xa9a96910),
+      TOBN(0x388147fb, 0x4cfdb477), TOBN(0x9b1f5c3e, 0x4e46041f),
+      TOBN(0xcdad0657, 0xfccfec71), TOBN(0xb38e8c33, 0x4c701c3a),
+      TOBN(0x917bdd64, 0xb1c0fd4c), TOBN(0x3bb45432, 0x9b7624c8),
+      TOBN(0x23ba4442, 0xcaf53ea6), TOBN(0x4e677d2c, 0x38532a3a),
+      TOBN(0x0bfd64b6, 0x45036c7a), TOBN(0xc68a007e, 0x5e0dd902),
+      TOBN(0x4db5a851, 0xf44182e1), TOBN(0x8ec9b55a, 0x7f88a46b),
+      TOBN(0x0a8291cd, 0xcec97dcf), TOBN(0x2a4ecea9, 0xf98d0acc),
+      TOBN(0x1a1db93d, 0x7140003c), TOBN(0x092999a3, 0x33cb8b7a),
+      TOBN(0x6dc778f9, 0x71ad0038), TOBN(0xa907600a, 0x918130c4),
+      TOBN(0xed6a1e01, 0x2d9e6832), TOBN(0x7135c886, 0xefb4318a),
+      TOBN(0x87f55ba5, 0x7e31cc7a), TOBN(0x7763cf1d, 0x55034004),
+      TOBN(0xac7d5f42, 0xd69f6d18), TOBN(0x7930e9e4, 0xe58857b6),
+      TOBN(0x6e6f52c3, 0x164df4fb), TOBN(0x25e41d2b, 0x669e1ef1),
+      TOBN(0x3c1b20ee, 0x3fd59d7c), TOBN(0x0abcd06b, 0xfa53ddef),
+      TOBN(0x1dbf9a42, 0xd5c4484e), TOBN(0xabc52197, 0x9b0deada),
+      TOBN(0xe86d2bc5, 0x22363a0d), TOBN(0x5cae82ab, 0x9c9df69e),
+      TOBN(0x64f2e21e, 0x71f54bff), TOBN(0xf4fd4452, 0xe2d74dd3),
+      TOBN(0xb4130c93, 0xbc437944), TOBN(0xaefe1309, 0x85139270),
+      TOBN(0x598cb0fa, 0xc186d91c), TOBN(0x7ad91d26, 0x91f7f7ee),
+      TOBN(0x61b46fc9, 0xd6e6c907), TOBN(0xbc34f4de, 0xf99c0238),
+      TOBN(0xde355b3b, 0x6519035b), TOBN(0x886b4238, 0x611fcfdc),
+      TOBN(0xc6f34a26, 0xc1b2effa), TOBN(0xc58ef183, 0x7d1683b2),
+      TOBN(0x3bb5fcbc, 0x2ec22005), TOBN(0xc3fe3b1b, 0x4c6fad73),
+      TOBN(0x8e4f1232, 0xeef28183), TOBN(0x9172fe9c, 0xe98583ff),
+      TOBN(0xc03404cd, 0x28342f61), TOBN(0x9e02fce1, 0xcdf7e2ec),
+      TOBN(0x0b07a7c8, 0xee0a6d70), TOBN(0xae56ede7, 0x6372bb19),
+      TOBN(0x1d4f42a3, 0xde394df4), TOBN(0xb96adab7, 0x60d7f468),
+      TOBN(0xd108a94b, 0xb2c8e3fb), TOBN(0xbc0ab182, 0xb324fb61),
+      TOBN(0x30acca4f, 0x483a797a), TOBN(0x1df158a1, 0x36ade735),
+      TOBN(0xe2a689da, 0xf3efe872), TOBN(0x984f0c70, 0xe0e68b77),
+      TOBN(0xb557135e, 0x7f57c935), TOBN(0x85636555, 0x3ded1af3),
+      TOBN(0x2433f51f, 0x5f066ed0), TOBN(0xd3df1ed5, 0xd5fd6561),
+      TOBN(0xf681b202, 0xaec4617a), TOBN(0x7d2fe363, 0x630c75d8),
+      TOBN(0xcc939dce, 0x249b3ef9), TOBN(0xa9e13641, 0x146433fb),
+      TOBN(0xd8b9c583, 0xce2d3695), TOBN(0xafdc5620, 0x273d3cf1),
+      TOBN(0xadf85458, 0xa2bb4a9a), TOBN(0xffffffff, 0xffffffff)};
+
+  return calculate_rfc7919_DH_from_p(kFFDHE8192Data,
+                                     OPENSSL_ARRAY_SIZE(kFFDHE8192Data));
+}
diff --git a/crypto/fipsmodule/dh/internal.h b/crypto/fipsmodule/dh/internal.h
@@ -55,6 +55,15 @@ int dh_check_params_fast(const DH *dh);
 int dh_compute_key_padded_no_self_test(unsigned char *out,
                                        const BIGNUM *peers_key, DH *dh);
 
+// DH_get_rfc7919_3072 returns the group `ffdhe3072` from
+// https://tools.ietf.org/html/rfc7919#appendix-A.2. It returns NULL if out
+// of memory.
+OPENSSL_EXPORT DH *DH_get_rfc7919_3072(void);
+
+// DH_get_rfc7919_8192 returns the group `ffdhe8192` from
+// https://tools.ietf.org/html/rfc7919#appendix-A.4. It returns NULL if out
+// of memory.
+OPENSSL_EXPORT DH *DH_get_rfc7919_8192(void);
 
 #if defined(__cplusplus)
 }

diff --git a/crypto/obj/obj_dat.h b/crypto/obj/obj_dat.h
@@ -56,7 +56,7 @@
 
 /* This file is generated by crypto/obj/objects.go. */
 
-#define NUM_NID 983
+#define NUM_NID 985
 
 static const uint8_t kObjectData[] = {
     /* NID_rsadsi */
@@ -8887,6 +8887,8 @@ static const ASN1_OBJECT kObjects[NUM_NID] = {
      NID_SecP256r1Kyber768Draft00, 0, NULL, 0},
     {"X25519Kyber768Draft00", "X25519Kyber768Draft00",
      NID_X25519Kyber768Draft00, 0, NULL, 0},
+    {"ffdhe3072", "ffdhe3072", NID_ffdhe3072, 0, NULL, 0},
+    {"ffdhe8192", "ffdhe8192", NID_ffdhe8192, 0, NULL, 0},
 };
 
 static const uint16_t kNIDsInShortNameOrder[] = {
@@ -9248,7 +9250,9 @@ static const uint16_t kNIDsInShortNameOrder[] = {
     867 /* facsimileTelephoneNumber */,
     462 /* favouriteDrink */,
     976 /* ffdhe2048 */,
+    983 /* ffdhe3072 */,
     977 /* ffdhe4096 */,
+    984 /* ffdhe8192 */,
     857 /* freshestCRL */,
     453 /* friendlyCountry */,
     490 /* friendlyCountryName */,
@@ -10222,7 +10226,9 @@ static const uint16_t kNIDsInLongNameOrder[] = {
     867 /* facsimileTelephoneNumber */,
     462 /* favouriteDrink */,
     976 /* ffdhe2048 */,
+    983 /* ffdhe3072 */,
     977 /* ffdhe4096 */,
+    984 /* ffdhe8192 */,
     453 /* friendlyCountry */,
     490 /* friendlyCountryName */,
     156 /* friendlyName */,

diff --git a/crypto/obj/obj_mac.num b/crypto/obj/obj_mac.num
@@ -970,3 +970,5 @@ shake128		979
 shake256		980
 SecP256r1Kyber768Draft00		981
 X25519Kyber768Draft00		982
+ffdhe3072		983
+ffdhe8192		984
diff --git a/crypto/obj/objects.txt b/crypto/obj/objects.txt
@@ -129,7 +129,9 @@ secg-ellipticCurve 39		: sect571r1
 
 # Finite field diffie hellman groups
  : ffdhe2048
+ : ffdhe3072
  : ffdhe4096
+ : ffdhe8192
 
 # PQ Groups
  : SecP256r1Kyber768Draft00

diff --git a/include/openssl/nid.h b/include/openssl/nid.h
@@ -4325,6 +4325,12 @@ extern "C" {
 #define SN_X25519Kyber768Draft00 "X25519Kyber768Draft00"
 #define NID_X25519Kyber768Draft00 982
 
+#define SN_ffdhe3072 "ffdhe3072"
+#define NID_ffdhe3072 983
+
+#define SN_ffdhe8192 "ffdhe8192"
+#define NID_ffdhe8192 984
+
 #if defined(__cplusplus)
 } /* extern C */
 #endif

diff --git a/tests/ci/integration/run_mysql_integration.sh b/tests/ci/integration/run_mysql_integration.sh
@@ -4,7 +4,7 @@
 
 source tests/ci/common_posix_setup.sh
 
-MYSQL_VERSION_TAG="mysql-8.0.33"
+MYSQL_VERSION_TAG="mysql-8.1.0"
 # This directory is specific to the docker image used. Use -DDOWNLOAD_BOOST=1 -DWITH_BOOST=<directory>
 # with mySQL to download a compatible boost version locally.
 BOOST_INSTALL_FOLDER=/home/dependencies/boost
@@ -61,6 +61,7 @@ function mysql_run_tests() {
   # currently support this.
   echo "main.mysqlpump_bugs : Bug#0000 Can't create/open a file ~/dump.sql'
 main.restart_server : Bug#0000 mysqld is not managed by supervisor process
+main.udf_bug35242734 : Bug#0000 mysqld is not managed by supervisor process
 main.file_contents : Bug#0000 Cannot open 'INFO_SRC' in ''
 main.resource_group_thr_prio_unsupported : Bug#0000 Invalid thread priority value -5
 main.dd_upgrade_error : Bug#0000 running mysqld as root
@@ -83,10 +84,11 @@ main.ssl : Bug#0001 Uses DHE cipher suites in test, which AWS-LC does not suppor
 main.ssl_cipher : Bug#0001 Uses DHE cipher suites in test, which AWS-LC does not support.
 main.ssl_dynamic : Bug#0001 Uses DHE cipher suites in test, which AWS-LC does not support.
 main.ssl-sha512 : Bug#0001 Uses DHE cipher suites in test, which AWS-LC does not support.
+main.client_ssl_data_print  : Bug#0002 AWS-LC does not support Stateful session resumption (Session Caching).
 main.ssl_cache : Bug#0002 AWS-LC does not support Stateful session resumption (Session Caching).
 main.ssl_cache_tls13 : Bug#0002 AWS-LC does not support Stateful session resumption (Session Caching).
 "> skiplist
-  ./mtr --suite=main --force --parallel=auto --skip-test-list=${MYSQL_BUILD_FOLDER}/mysql-test/skiplist --retry-failure=3
+  ./mtr --suite=main --force --parallel=auto --skip-test-list=${MYSQL_BUILD_FOLDER}/mysql-test/skiplist --retry-failure=3 --retry=3 --report-unstable-tests
   popd
 }