Richard Levitte [Wed, 3 Dec 2025 20:21:37 +0000 (21:21 +0100)]
OSSL_FN: Refactor OSSL_FN_add() and OSSL_FN_sub() for truncation
OSSL_FN_mul() set a path that wasn't considered for OSSL_FN_add() and
OSSL_FN_sub(); a truncated result if the result OSSL_FN isn't large
enough to contain the full result.
This is done to keep the OSSL_FN API consistent, with a (tentative)
bonus, that the function calls become more constant time across
repeated calls with the same size for operands and result.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29309)
Richard Levitte [Mon, 24 Nov 2025 13:33:33 +0000 (14:33 +0100)]
OSSL_FN: Add the 'mul' function
OSSL_FN_mul() multiplies two operands. The result OSSL_FN may be of any
size, and if it's smaller than the result of multiplying the two operands,
the result is truncated to that size.
This also adds the function OSSL_FN_copy(), a counterpart for BN_copy(),
as well as an OSSL_FN API test program.
Finally, test/fn_api_test.c is updated with a 'struct test_case_st', used
to instruct test functions what numbers to operate on, and some conditions,
and the 'add' and 'sub' test functions are upgraded to use that structure
for their input.
Richard Levitte [Mon, 24 Nov 2025 13:26:42 +0000 (14:26 +0100)]
Add ossl_num_bits(), which returns the significant number of bits in a size_t
This existed as an isolated static function in crypto/asn1/x_long.c, but
is really a pretty generic integer function, so it will serve better by
being exactly that.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29203)
Richard Levitte [Mon, 24 Nov 2025 07:52:53 +0000 (08:52 +0100)]
BIGNUM: separate out word-only helper functions from bn_mul.c
This separation will allow us to use the word-only helper functions
from OSSL_FN functions without pulling in functions that operate on
BIGNUMs.
This also starts the collection of source files with word-only BN
functions that haven't found their way into bn_asm.c for various
reasons.
To recognise them, they are prefixed 'bnw_' instead of 'bn_'.
While at it, constification is done where appropriate among the word
helpers.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29203)
Richard Levitte [Mon, 17 Nov 2025 12:50:43 +0000 (13:50 +0100)]
Add the fixed number context (OSSL_FN_CTX) with (de)allocators and tests
OSSL_FN_CTX is a reimplementation of BN_CTX, with the intent to have
good enough API parity.
The distinguishing feature with OSSL_FN_CTX is that it works as an arena
allocator, so it must be allocated with an estimate of how much memory
space will be needed for all OSSL_FN instances that will be retrieved
from that arena, and a bit of overhead.
Richard Levitte [Thu, 23 Oct 2025 11:33:37 +0000 (13:33 +0200)]
OSSL_FN: Add internal functions to acquire the OSSL_FN from a BIGNUM
bn_acquire_ossl_fn() returns the OSSL_FN of a BIGNUM if there is one,
expanded to a given number of limbs.
bn_release() makes necessary adjustments to the BIGNUM after a run of
OSSL_FN operations on the OSSL instance it's backed by.
These two functions are most useful with BIGNUMs used to store operation
results, and are meant to help refactoring BN operators to be wrappers
around corresponding OSSL_FN operators.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29028)
Richard Levitte [Thu, 16 Oct 2025 12:58:43 +0000 (14:58 +0200)]
OSSL_FN: Add 'add' and 'sub' functions
This also introduces 'cmp' and 'ucmp' functions, as well as an OSSL_FN
API test program.
OSSL_FNs must not be polluted, so if a BIGNUM has a non-NULL 'data'
field, bn_pollute() will not pollute it. It may be a good idea, though,
to pollute an OSSL_FN before an operation result is written to it, for
testing purposes.
Richard Levitte [Wed, 22 Oct 2025 13:50:41 +0000 (15:50 +0200)]
OSSL_FN: Add internal construction and introspection functions
These functions will be useful with other test programs without having
to include crypto/fn/fn_local.h, making them closer to real world use.
This also introduces OSSL_FN errors
Related-to: doc/designs/fixed-size-large-numbers.md Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29028)
Richard Levitte [Mon, 27 Oct 2025 12:57:56 +0000 (13:57 +0100)]
BIGNUM: Adjust the requirements on 'top' and the 'd' array for OSSL_FN compat
BIGNUM is quite sloppy with its contents of the 'd' array above 'top'. This
has been further exacerbated by the 'bn_pollute' macro, which makes that slop
quite explicit.
That's fine within a purely BIGNUM context.
Enter OSSL_FN, which requires that the whole 'd' array is numerically
consistent, not just the BN_ULONGs up to 'top'.
This will, of course, cause trouble as soon as an OSSL_FN that's integrated
in a BIGNUM gets passed to OSSL_FN functions.
To ensure consistency, the following updates are made:
- [only for BIGNUMs in which 'data' is non-NULL] when decreasing 'top', all
BN_ULONGs between the preceding 'top' and the new 'top' must be made zero.
- Drop bn_pollute() entirely, as it's now more harmful than useful.
- Modify bn_check_top() to better check the consistency of BIGNUM with
integrated OSSL_FN, by checking that the part of the 'd' array between
'top' and 'dmax' is all zeroes.
- Add the function 'bn_set_top()', which is recommended to use instead of
assigning 'top' directly, as it will zeroise the intermediary limbs in
the 'd' array when 'top' decreases.
On using 'bn_set_top()', it's highly recommended to use it everywhere,
unless you can be absolutely sure that the BIGNUM that's modified will never
be checked with 'bn_check_top()' or passed to any OSSL_FN function.
Related-to: doc/designs/fixed-size-large-numbers.md Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29015)
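The invariant described in the commit above, shown on a miniature BIGNUM-style struct. This is an added example and not OpenSSL's code: the struct layout, the names mini_bn_set_top() and mini_bn_check_top(), the fixed DMAX and the extra "top limb must be nonzero" normalisation check are this example's own assumptions. It shows that lowering 'top' by plain assignment leaves stale limbs above 'top' that fail the consistency check, while the set_top helper zeroises them.

```c
/*
 * Added example, not OpenSSL code: a tiny BIGNUM-like number with 'd',
 * 'top' and 'dmax', demonstrating why 'top' must not be lowered by plain
 * assignment once every limb up to 'dmax' is numerically significant.
 * Struct layout, names and DMAX are assumptions made for this example.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef uint32_t limb_t;
#define DMAX 4

typedef struct {
    limb_t d[DMAX];   /* limb array, least significant limb first */
    int top;          /* number of limbs in use */
    int dmax;         /* number of limbs allocated */
} mini_bn;

/* Consistency check in the spirit of the reworked bn_check_top():
 * every limb from 'top' up to 'dmax' must be zero. The additional
 * "top limb is nonzero" rule is this example's normalisation assumption. */
int mini_bn_check_top(const mini_bn *a)
{
    if (a->top < 0 || a->top > a->dmax)
        return 0;
    if (a->top > 0 && a->d[a->top - 1] == 0)
        return 0;
    for (int i = a->top; i < a->dmax; i++)
        if (a->d[i] != 0)
            return 0;
    return 1;
}

/* Change 'top', zeroising the limbs that drop out of use when it shrinks. */
void mini_bn_set_top(mini_bn *a, int top)
{
    if (top < a->top)
        memset(a->d + top, 0, (size_t)(a->top - top) * sizeof(a->d[0]));
    a->top = top;
}

/* Constructed starting value: three significant limbs. */
static void load_three_limbs(mini_bn *a)
{
    memset(a, 0, sizeof(*a));
    a->dmax = DMAX;
    a->d[0] = 0x11111111u;
    a->d[1] = 0x22222222u;
    a->d[2] = 0x33333333u;
    a->top = 3;
}

/* Direct assignment leaves d[1] and d[2] as stale nonzero limbs; a routine
 * that reads all dmax limbs would see a different number. Returns 1 when
 * the check catches this. */
int example_plain_assignment_fails_check(void)
{
    mini_bn a;

    load_three_limbs(&a);
    a.top = 1;
    return mini_bn_check_top(&a) == 0;
}

/* The helper zeroises d[1] and d[2], so the check passes. */
int example_set_top_keeps_invariant(void)
{
    mini_bn a;

    load_three_limbs(&a);
    mini_bn_set_top(&a, 1);
    return mini_bn_check_top(&a) == 1 && a.d[1] == 0 && a.d[2] == 0;
}

int main(void)
{
    int ok = example_plain_assignment_fails_check()
             && example_set_top_keeps_invariant();
    printf("top invariant examples: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The check is deliberately strict in both directions: stale limbs above 'top' and a zero top limb both fail, so a debug build that runs it after every operation will surface a forgotten set_top as soon as the number is next used.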
Richard Levitte [Wed, 15 Oct 2025 12:06:34 +0000 (14:06 +0200)]
First integration of OSSL_FN into BIGNUM
This integration is made in such a way that OSSL_FN is an optional
'data' field in BIGNUM, i.e. it's allowed to be NULL even though
the BIGNUM's 'd' field is non-NULL.
The public BIGNUM API will do what it can to ensure that the 'data'
field becomes non-NULL, but remains lax on input BIGNUMs, for now.
This allows diverse internal bn constants and hacks to continue to
function with minimal friction. These constants and hacks will
incrementally be modified to use OSSL_FN where they currently use
BN_ULONG.
Richard Levitte [Wed, 8 Oct 2025 12:56:34 +0000 (14:56 +0200)]
Add the fixed number type (OSSL_FN) and its allocators and deallocator
This includes a small test program that performs introspection of the
OSSL_FN, to check that diverse functions do what's expected of them.
For future compatibility reasons, the limb type OSSL_FN_ULONG is based
on BN_ULONG. This caused a slight rearrangement of public BIGNUM related
headers.
Note: experiments with changing the current BIGNUM's 'dmax' and 'top' to be
"size_t" has shown disastrous effects, due to some lower level functions
assuming that they'll receive the size in "int" form rather than "size_t"
form (on some major platforms, these two types have different sizes).
Therefore, this change deviates slightly from the design for fixed numbers
(doc/designs/fixed-size-large-numbers.md) by making OSSL_FN's 'dsize' an
"int" rather than a "size_t".
Richard Levitte [Thu, 11 Sep 2025 13:30:15 +0000 (15:30 +0200)]
design: Fixed size large numbers
For the longest time, we have mitigated security issues related to large
numbers (BIGNUM) and constant time in a piece-meal fashion, without really
looking at the problem from a zoomed out, holistic perspective.
An interesting aspect in this problem is that large numbers can vary in
size, and that depending on their combined sizes, the time to perform
mathematical calculations with them vary equally much, and may thereby
unintentionally leak information on those numbers.
To mitigate that sort of timing issue, we introduce fixed size numbers,
which are designed to have payload sizes that are pre-determined, usually by
the crypto system that uses them. This means that even a very small number
(let's take 1 as a ridiculous example) would have the same size payload as a
much larger number, and calculations using them would perform across all
payload bits of all input numbers combined.
These fixed size numbers primarily differ from BIGNUMs in that once they have
been allocated to a certain size, that size will not change throughout its
lifetime.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28522)
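Fixed-size limb arithmetic with the truncation rule described in the OSSL_FN_add()/OSSL_FN_sub() and OSSL_FN_mul() commits above, as an added example that is not OpenSSL's code. The 32-bit limb type, the names fn_add(), fn_sub() and fn_mul(), the FN_MAX_LIMBS bound for the multiplication scratch buffer and the return-value conventions are this example's own assumptions. The point it demonstrates: every loop bound is a function of the operand and result sizes only, so the amount of work is fixed by the sizes, and a result that does not fit its own size is truncated rather than grown.

```c
/*
 * Added example, not OpenSSL code: fixed-size limb add/sub/mul where the
 * result is truncated to the result's own size and the control flow
 * depends only on the (public) sizes, never on the limb values.
 * Limb width, names and FN_MAX_LIMBS are this example's assumptions.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef uint32_t limb_t;
#define FN_MAX_LIMBS 16          /* assumed bound for the mul scratch buffer */

/* Limb i of a fixed-size number; limbs beyond its size read as zero.
 * The branch depends only on sizes, which are public in this design. */
static limb_t limb_at(const limb_t *a, int asize, int i)
{
    return i < asize ? a[i] : 0;
}

/* r = a + b truncated to rsize limbs. Always covers max(rsize, asize,
 * bsize) limbs. Returns 1 if any nonzero bits were truncated away. */
int fn_add(limb_t *r, int rsize, const limb_t *a, int asize,
           const limb_t *b, int bsize)
{
    int n = rsize > asize ? rsize : asize;
    uint64_t carry = 0;
    limb_t lost = 0;

    if (bsize > n)
        n = bsize;
    for (int i = 0; i < n; i++) {
        uint64_t s = (uint64_t)limb_at(a, asize, i)
                     + (uint64_t)limb_at(b, bsize, i) + carry;
        carry = s >> 32;
        if (i < rsize)
            r[i] = (limb_t)s;
        else
            lost |= (limb_t)s;   /* computed, but does not fit in r */
    }
    lost |= (limb_t)carry;
    return lost != 0;
}

/* r = a - b truncated to rsize limbs, same fixed iteration count.
 * Returns the final borrow (1 when a < b over the processed width). */
int fn_sub(limb_t *r, int rsize, const limb_t *a, int asize,
           const limb_t *b, int bsize)
{
    int n = rsize > asize ? rsize : asize;
    uint64_t borrow = 0;

    if (bsize > n)
        n = bsize;
    for (int i = 0; i < n; i++) {
        uint64_t d = (uint64_t)limb_at(a, asize, i)
                     - (uint64_t)limb_at(b, bsize, i) - borrow;
        borrow = d >> 63;        /* wrapped below zero */
        if (i < rsize)
            r[i] = (limb_t)d;
    }
    return (int)borrow;
}

/* r = a * b truncated to rsize limbs. Columns at or above rsize are never
 * computed; loop bounds depend only on sizes. A scratch buffer lets r
 * alias a or b. Returns 0 if rsize exceeds the scratch bound. */
int fn_mul(limb_t *r, int rsize, const limb_t *a, int asize,
           const limb_t *b, int bsize)
{
    limb_t tmp[FN_MAX_LIMBS];

    if (rsize > FN_MAX_LIMBS)
        return 0;
    memset(tmp, 0, (size_t)rsize * sizeof(tmp[0]));
    for (int i = 0; i < asize && i < rsize; i++) {
        uint64_t carry = 0;
        int j;
        for (j = 0; j < bsize && i + j < rsize; j++) {
            uint64_t t = (uint64_t)a[i] * b[j] + tmp[i + j] + carry;
            tmp[i + j] = (limb_t)t;
            carry = t >> 32;
        }
        if (i + j < rsize)       /* the row's carry-out still fits */
            tmp[i + j] = (limb_t)carry;
    }
    memcpy(r, tmp, (size_t)rsize * sizeof(tmp[0]));
    return 1;
}

/* Constructed scenarios: (2^64-1)+1 truncates to 0 in two limbs but fits
 * in three; 1-(2^64-1) wraps with a borrow; (2^64-1)^2 keeps only its low
 * three limbs when the result has three. Returns 1 if all hold. */
int fn_examples_ok(void)
{
    const limb_t ones[2] = { 0xFFFFFFFFu, 0xFFFFFFFFu };
    const limb_t one[1] = { 1 };
    limb_t r[4];
    int ok = 1;

    ok = ok && fn_add(r, 2, ones, 2, one, 1) == 1 && r[0] == 0 && r[1] == 0;
    ok = ok && fn_add(r, 3, ones, 2, one, 1) == 0
            && r[0] == 0 && r[1] == 0 && r[2] == 1;
    ok = ok && fn_sub(r, 2, one, 1, ones, 2) == 1 && r[0] == 2 && r[1] == 0;
    ok = ok && fn_mul(r, 3, ones, 2, ones, 2) == 1
            && r[0] == 1 && r[1] == 0 && r[2] == 0xFFFFFFFEu;
    ok = ok && fn_mul(r, 4, ones, 2, ones, 2) == 1
            && r[0] == 1 && r[1] == 0 && r[2] == 0xFFFFFFFEu
            && r[3] == 0xFFFFFFFFu;
    return ok;
}

int main(void)
{
    int ok = fn_examples_ok();
    printf("fixed-size arithmetic examples: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Note that fn_add() and fn_sub() still branch on `i < rsize`; that is acceptable here only because sizes are treated as public. Anything that branches on limb values (early exit on a zero limb, skipping leading zero limbs) would reintroduce exactly the size-dependent timing the design above sets out to remove.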
Dmitry Misharov [Tue, 9 Dec 2025 16:39:14 +0000 (17:39 +0100)]
run codespell pre-commit hook on staged files only
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29360)
Neil Horman [Mon, 8 Dec 2025 18:22:05 +0000 (13:22 -0500)]
Only write to pdays/psecs if they are not null
We have a few cases in which one of the parameters passed to
ASN1_TIME_diff is null (i.e. the caller doesn't care about the psec
difference and so passes NULL as that pointer parameter).
However, OPENSSL_gmtime_diff assumes both pointers are valid, and so
writes to them unilaterally resulting in a crash as observed here:
https://github.com/openssl/openssl/pull/29333#issuecomment-3628103959
Check the pointers before writing to them.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Norbert Pocs <norbertp@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29337)
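A difference routine in the shape of OPENSSL_gmtime_diff(pday, psec, from, to) that tolerates a NULL output pointer, as the commit above requires. This is an added example, not OpenSSL's implementation: the name gmtime_diff_example(), the field validation, the proleptic-Gregorian day count and the "days and seconds share a sign, |seconds| < 86400" normalisation are this example's assumptions. The inputs are constructed for the example.

```c
/*
 * Added example, not OpenSSL code: gmtime difference with optional output
 * pointers. Writes only through non-NULL pointers, validates both inputs,
 * and splits the delta into whole days and remaining seconds of the same
 * sign. Name, validation rules and normalisation are assumptions.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <limits.h>
#include <time.h>
#include <stdio.h>

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's method). */
static int64_t days_from_civil(int64_t y, unsigned m, unsigned d)
{
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (int64_t)doe - 719468;
}

/* Range checks on the fields we use (leap seconds ignored: assumption). */
static int tm_valid(const struct tm *t)
{
    return t != NULL && t->tm_mon >= 0 && t->tm_mon < 12
        && t->tm_mday >= 1 && t->tm_mday <= 31
        && t->tm_hour >= 0 && t->tm_hour < 24
        && t->tm_min >= 0 && t->tm_min < 60
        && t->tm_sec >= 0 && t->tm_sec < 60;
}

static int64_t tm_to_seconds(const struct tm *t)
{
    int64_t days = days_from_civil(t->tm_year + 1900LL,
                                   (unsigned)t->tm_mon + 1, (unsigned)t->tm_mday);
    return days * 86400 + t->tm_hour * 3600 + t->tm_min * 60 + t->tm_sec;
}

/* to - from as whole days plus remaining seconds of the same sign.
 * Either output pointer may be NULL. Returns 1 on success, 0 on bad input. */
int gmtime_diff_example(int *pday, int *psec,
                        const struct tm *from, const struct tm *to)
{
    if (!tm_valid(from) || !tm_valid(to))
        return 0;
    int64_t delta = tm_to_seconds(to) - tm_to_seconds(from);
    int64_t days = delta / 86400;   /* C division truncates toward zero, */
    int64_t secs = delta % 86400;   /* so days and secs share a sign */
    if (days > INT_MAX || days < INT_MIN)
        return 0;
    if (pday != NULL)               /* the checks the commit adds */
        *pday = (int)days;
    if (psec != NULL)
        *psec = (int)secs;
    return 1;
}

static struct tm make_tm(int y, int mo, int d, int h, int mi, int s)
{
    struct tm t;

    memset(&t, 0, sizeof(t));
    t.tm_year = y - 1900; t.tm_mon = mo - 1; t.tm_mday = d;
    t.tm_hour = h; t.tm_min = mi; t.tm_sec = s;
    return t;
}

/* Caller wants only the day count (psec == NULL), across a leap day: 2. */
int example_days_only(void)
{
    struct tm from = make_tm(2024, 2, 28, 0, 0, 0);
    struct tm to = make_tm(2024, 3, 1, 0, 0, 0);
    int days = -1;

    return gmtime_diff_example(&days, NULL, &from, &to) ? days : -1;
}

/* Caller wants only seconds (pday == NULL): 3603 s short of a day = 82797. */
int example_seconds_only(void)
{
    struct tm from = make_tm(2025, 12, 8, 13, 22, 5);
    struct tm to = make_tm(2025, 12, 9, 12, 22, 2);
    int secs = -1;

    return gmtime_diff_example(NULL, &secs, &from, &to) ? secs : -1;
}

/* Going backwards 2.5 days yields -2 days and -43200 seconds. */
int example_negative(void)
{
    struct tm from = make_tm(2024, 3, 1, 12, 0, 0);
    struct tm to = make_tm(2024, 2, 28, 0, 0, 0);
    int days = 0, secs = 0;

    return gmtime_diff_example(&days, &secs, &from, &to)
           && days == -2 && secs == -43200;
}

/* An out-of-range month is rejected instead of producing garbage. */
int example_rejects_bad_month(void)
{
    struct tm from = make_tm(2025, 12, 8, 0, 0, 0);
    struct tm to = make_tm(2025, 13, 8, 0, 0, 0);

    return gmtime_diff_example(NULL, NULL, &from, &to);
}

int main(void)
{
    printf("days=%d secs=%d\n", example_days_only(), example_seconds_only());
    return 0;
}
```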
Matt Caswell [Tue, 9 Dec 2025 12:22:02 +0000 (12:22 +0000)]
Fix array formatting in evp_extra_test.c
The reformat did something silly with some of the arrays in evp_extra_test.c
Fix the arrays such that clang-format is still happy.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29349)
Bob Beck [Tue, 9 Dec 2025 14:01:47 +0000 (07:01 -0700)]
Disable clang-format around this macro
clang-format sensibly thinks this is an arithmetic operation,
and formats the math. Sadly it does not know we eventually
stringify this behind several other layers of nested macros
and so putting spaces in here is bad.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29350)
Bob Beck [Tue, 9 Dec 2025 07:08:07 +0000 (00:08 -0700)]
4.0-POST-CLANG-FORMAT-WEBKIT
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29242)
Bob Beck [Tue, 9 Dec 2025 07:05:43 +0000 (00:05 -0700)]
4.0-PRE-CLANG-FORMAT-WEBKIT
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29242)
Resolves: https://scan5.scan.coverity.com/#/project-view/65138/10222?selectedIssue=1675327 Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29317)
Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29286)
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29306)
Neil Horman [Wed, 3 Dec 2025 19:36:54 +0000 (14:36 -0500)]
Make find-doc-nits compatible across git versions
We recently found that the addition of a git config command in
util/find-doc-nits is broken in some cases, specifically because git
around version 2.46 broke command line compatibility, replacing the
--regexp option with the --get-regexp option. So to maintain usage of
this specific command to parse the .gitconfig file, we would need to do
some extra version detection to construct the proper command line.
However, find-doc-nits already has a fallback condition, which does some
pure perl parsing of the gitconfig file, which works perfectly well.
Instead of trying to do version matching to construct the right form of
the git config command line, just remove it all, and rely on the perl
parse to do this work for us, which works currently in all cases.
Fixes #29197
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29304)
Viktor Dukhovni [Wed, 3 Dec 2025 04:24:46 +0000 (15:24 +1100)]
Clarify/fix encoder/decoder context docs and code
It was premature to make OSSL_(EN|DE)CODER_CTX_[sg]et_finalized() be
public interfaces. Fortunately, these have not yet appeared outside the
"master" branch, so we can still retract them.
Also, in the case of decoders, the implementation failed to take into
account that the context was duplicated before it was returned to the
user, and the duplicated copy failed to copy the "finalized" field.
This commit also renames "finalized" to "frozen", because
finalisation is a misleading term in this context, it suggests
resource reclamation during garbage collection or deallocation,
not marking a structure partly immutable.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29206)
Viktor Dukhovni [Mon, 24 Nov 2025 13:37:49 +0000 (00:37 +1100)]
Per-key encoding formats for ML-KEM and ML-DSA
We support selection of ML-KEM and ML-DSA key formats on input and
output at the provider level, these are essentially global defaults,
in effect for the lifetime of the process.
Unfortunately, the JAVA interface in openssl-jostle needs to be able to
output a specific key in seed-only form. To that end, this PR
introduces a new "output-formats" PKEY encoding parameter, that can be used
with OSSL_ENCODER_CTX_set_params(3) when encoding a key to PKCS#8, after
using OSSL_ENCODER_CTX_new_for_key(3), rather than i2d_PrivateKey(3),
i2d_PKCS8PrivateKey(3) or PEM equivalents.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29206)
In a hypothetical scenario that jent_entropy_init_ex fails, or if
get_jitter_random_value fails, there are a few unexpected
possibilities.
If jent_entropy_init_ex fails, the seed initialisation may return NULL
and then DRBG will be initiated with NULL seed, which will
automatically fallback to os-seed, which will escape module boundary
(if this jitter rng is from the fips module), and call getrandom
syscall.
And separately if get_jitter_random_value fails, it may put DRBG in an
error state, but it might not put the FIPS module in error state, like
it should as per the ISO standard.
To instrument these things, I had to create tampered
jitterentropy-library that always returns errors for init_ex and
read_entropy apis, and then use gdb tracing on both libcrypto.so and
fips.so.
The most minimal solution to above hypothetical error code paths, is
to simply call ossl_set_error_state. It is either harmless, or in case
of fips-jitter will correctly put the FIPS module into error state and
prevent any further operation; and crucially prevent silent fallback
to getrandom syscall.
Note it is unlikely that this ever was out of compliance, as often
enough getrandom syscall goes to a kernel with validated entropy
source; and openssl fips module still did reject sampling which is too
entropy source compliant.
Nonetheless it is good to fix this hypothetical error path, and
backport this to 3.5 and up.
This is similar / additional fixes, to this previous change:
- https://github.com/openssl/openssl/pull/25957
- https://github.com/openssl/openssl/commit/b9886a6f3483e0525596d3b3956416282038da82
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29226)
Norbert Pocs [Thu, 13 Nov 2025 14:53:28 +0000 (15:53 +0100)]
apps: Remove opt_legacy_okay function
The function used to check for ENGINEs to determine if a legacy code
path is available, but it makes no sense to keep it after the ENGINE
removal, as the legacy path will always fail.
Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29305)
Norbert Pocs [Fri, 21 Nov 2025 13:04:20 +0000 (14:04 +0100)]
Remove OPENSSL_INIT_ENGINE_* definitions
Keeping OPENSSL_INIT_ENGINE_ALL_BUILTIN to be defined always to zero as
it might be the most used one outside of the library, meanwhile keeping
the others undefined unless OPENSSL_ENGINE_STUBS is defined.
Neil Horman [Thu, 11 Sep 2025 20:09:56 +0000 (16:09 -0400)]
remove dasync engine test from test_rand
We're removing the engine, so we don't need to test this anymore.
NOTE: This also removes the engine skip check from the test, and this
breaks testing until such time as PR #28461 is merged (which replaces
the remaining engine test with a provider).
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29305)
Neil Horman [Thu, 11 Sep 2025 19:39:44 +0000 (15:39 -0400)]
remove afalg tests
We have a specific test suite that exercises the afalg engine, that is
becoming useless with engine removal.
I had considered that we should perhaps convert this into a provider,
but having looked at the engine itself, it only offers implementations
for AES-128, AES-192 and AES-256. Given that the default provider
offers these algorithms with hardware acceleration via the aesni
instruction set (or comparable instructions on non-x86 arches), it seems
like the only advantage the afalg engine offers is acceleration of these
ciphers on platforms that have off-cpu accelerators and no cpu based
acceleration support.
Given that:
a) Most cpus have instruction based acceleration
b) We don't test with any platforms that use external accelerators
It seems like a lot of investment to get no real advantage, so just
remove the test, allowing us to delete the engine entirely in another
PR.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29305)
Neil Horman [Thu, 11 Sep 2025 19:19:45 +0000 (15:19 -0400)]
Remove dasync engine from sslapitest and sslbuffertest
With the impending engine removal, we don't have a need to test engine
functionality in these tests anymore, so remove the test cases that make
use of the dasync engine here.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29305)