It will be just xor-ed over the existing entropy
in the pool.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26128)
We use REF_PRINT_COUNT to dump out the value of various reference
counters in our code
However, we commonly use this macro after an increment or decrement. On
increment its fine, but on decrement its not, because the macro
dereferences the object holding the counter value, which may be freed by
another thread, as we've given up our ref count to it prior to using the
macro.
The rule is that we can't reference memory for an object once we've
released our reference, so lets fix this by altering REF_PRINT_COUNT to
accept the value returned by CRYPTO_[UP|DOWN]_REF instead. The
eliminates the need to dereference the memory the object points to an
allows us to use the call after we release our reference count
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25664)
If we had refcounted object allowing lockless writes
the relaxed semantics on DOWN_REF would allow scheduling
these writes after simultaneous release of the object by
another thread.
We do not have any such objects yet, but better to make
the refcount correct just in case we will have them
in future.
TSAN doesn't properly understand this so we use
even stronger acq_rel semantics if building with TSAN.
Fixes#25660
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25664)
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26122)
By adding the additional input directly to the pool
we were using just the additional input.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26112)
We currently run interop tests as a client only from the master branch.
While we are developing quic-server it would be beneficial to also get
interop test results from the quic-server branch run as both a client
and a server, until such time as the feature branch is merged. Add
building and running of a container in the test harness to our CI set
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26090)
Commit fa338aa7cd added zeroization of public security parameters as
required by ISO 19790:2012/Cor.1:2015 7.9. However, that commit
overlooked ECX keys, which are used for EdDSA and X25519/X448.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25807)
FreeBSD has supported both getrandom(2) and getentropy(3) since 12.0.
The last version which did *not* have these went EoL in September 2021.
Use getrandom(2) unconditionally and fallback to sysctl kern.arandom if
we do happen to have a FreeBSD that old.
This is generally a necessary step for FreeBSD's _FORTIFY_SOURCE
implementation, which needs to do some symbol renaming tricks with the
getentropy declaration that would otherwise add some platform-specific
hacks here to accommodate. getentropy(3) uses getrandom(2) internally
on FreeBSD, so we just cut out the middleman.
While we're here, it doesn't seem to make sense to ever prefer the
sysctl on FreeBSD or NetBSD. For both platforms, it's limited to 256
bytes in a single request while getrandom(2) will generally use the same
backend but service the entire request in one shot, even for larger
amounts of entropy, modulo the EINTR possibility that presents itself
with larger requests.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24903)
We would dereference p7->d.sign pointer which can be NULL.
Reported by Han Zheng.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26078)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26040)
Free the stack return value `dsa` on each early exit.
Fixes#25905
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25948)
At some point in time it was decided that the EC keymanagers ec_export()
function would only allow the selection to be both the public + private
parts. If just the private element is selected it returns an error.
Many openssl commandline apps use EVP_PKEY_print_private() which passes
EVP_PKEY_PRIVATE_KEY to the encoder. This selection propagates to
encoder_construct_pkey(). For external providers (such as the fips
provider this will call the keymanagers export() with the selection set
to just the private part.
So we either need to
1) change the selection in EVP_PKEY_print_private() or
2) modify the selection used in the export used in
encoder_construct_pkey
3) Change the ec_export to allow this.
I have chosen 2) but I am not sure if this is the correct thing to do
or whether it should conditionally do this when the output_type ==
'text'.
Issue was reported by Ilia Okomin (Oracle).
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26004)
call to die() in perl templates is currently ignored.
any error printed by die() commad appears in template
output.
In order to make sure die() terminates processing we
must ensure we emite `undef` value. This is ensured
by adding a `BROKEN` callback to `fill_in()` Template
method. The callback must return undef to stop processing.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26064)
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26053)
Misnamed variable, just correct it to dst
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26075)
Their use by applications is inherently unsafe.
Fixes#26047
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/26056)
Clean up the code by using the dedicated stack copy function.
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25713)
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26069)
If your custom BIO does not implement BIO_CTRL_FLUSH, it won't work, but
this is not document anywhere.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26060)
With fips-jitter build time option, jitter can be inside FIPS
boundary.
Calls to jent_read_entropy() can return permanent failures for
Repetitive Count Test (RTC), Adaptive Proportion Test (APT), LAG
prediction test.
Ensure the module enters error state upon permanent jitter failures.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25957)
When ecx_gen_set_params() returns 0, it could have duplicated the memory
for the parameter OSSL_KDF_PARAM_PROPERTIES already in gctx->propq,
leading to a memory leak.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26015)
AES gets a performance enhancement of 7-33%.
Tested on an M4 Pro, but the CPU cores are the same on M4 and M4 Max.
Change-Id: I634c03f1d2b50fa5f8ca97dd65975e49d970c72b
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/25940)
FIPS 140-2 IG D.9 has become FIPS 140-3 D.G (see "Mapping FIPS 140-2
IGs to FIPS 140-3" in the FIPS 140-3 IG).
The requirements w.r.t. RSA KATs have now been relaxed, meaning that
existing full-message RSA signature verification (which is performed
separately) is sufficient to meet KAT requirements for all RSA
usecases (KEM/Encrypt/Decrypt/Sign/Verify).
Dropping this KAT is very useful, because it is large/expensive on
module startup, but also because it enables in the future to block RSA
Encrypt/Decrypt operations with paddings other than OAEP, which are
legacy or deprecated by either current or draft algorithm transition
SP.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25988)
At least this is done on module startup only.
To satisfy ISO/IEC 19790:2012/Cor.1:2015(E) Section 7.5 [05.10]
requirement.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25945)
