Skip to content

Remove retries on PCT failure in EC and RSA key generation.#1938

Merged
nebeid merged 5 commits intoaws:mainfrom
nebeid:remove-pct-retries
Oct 23, 2024
Merged

Remove retries on PCT failure in EC and RSA key generation.#1938
nebeid merged 5 commits intoaws:mainfrom
nebeid:remove-pct-retries

Conversation

@nebeid
Copy link
Copy Markdown
Contributor

@nebeid nebeid commented Oct 21, 2024
edited
Loading

Issues:

Addresses #CryptoAlg-2756

Description of changes:

FIPS review: The module should enter an error state if PCT fails in EC or RSA key generation, so there should be no retries and it aborts. This is to avoid that other threads would continue to use the module.

Testing:

Death tests are testing aborting when keygen is in error.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@nebeid nebeid requested a review from a team as a code owner October 21, 2024 22:01
@nebeid nebeid requested a review from skmcgrail October 21, 2024 22:02
@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Oct 21, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 93.75000% with 1 line in your changes missing coverage. Please review.

Project coverage is 78.66%. Comparing base (a3df396) to head (e04ce5e).

Files with missing lines Patch % Lines
crypto/fipsmodule/rsa/rsa_impl.c 92.85% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1938      +/-   ##
==========================================
- Coverage   78.67%   78.66%   -0.01%     
==========================================
  Files         585      585              
  Lines      100860   100849      -11     
  Branches    14300    14299       -1     
==========================================
- Hits        79355    79337      -18     
- Misses      20871    20876       +5     
- Partials      634      636       +2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

justsmth
justsmth previously approved these changes Oct 22, 2024
View reviewed changes
@nebeid nebeid requested a review from justsmth October 22, 2024 15:46
@nebeid nebeid enabled auto-merge (squash) October 22, 2024 18:20
@nebeid nebeid merged commit 90d2a34 into aws:main Oct 23, 2024
@nebeid nebeid deleted the remove-pct-retries branch October 23, 2024 16:54
nebeid added a commit to nebeid/aws-lc that referenced this pull request Oct 23, 2024
@nebeid
Remove retries on PCT failure in EC and RSA key generation. (aws#1938)
2127ba8 
FIPS review: The module should enter an error state if PCT fails in EC
or RSA key generation, so there should be no retries and it aborts. This
is to avoid that other threads would continue to use the module.

(cherry picked from commit 90d2a34)
@nebeid nebeid mentioned this pull request Oct 23, 2024
Merged
nebeid added a commit that referenced this pull request Oct 23, 2024
@nebeid
Remove retries on PCT failure in EC and RSA key generation. (#1944)
993087f 
FIPS review: The module should enter an error state if PCT fails in EC
or RSA key generation, so there should be no retries and it aborts. This
is to avoid that other threads would continue to use the module.

(cherry picked from commit 90d2a34 on
main, PR #1938)
@skmcgrail skmcgrail mentioned this pull request Nov 7, 2024
Merged
skmcgrail added a commit that referenced this pull request Nov 7, 2024
@skmcgrail
Prepare v1.38.0 release (#1975)
2d07d39 
## What's Changed
* 800-131Ar1: length of the key-derivation key shall be at least 112
bits. by @skmcgrail in #1924
* Marshalling/Unmarshalling DH public keys by @justsmth in
#1916
* Also prune SSM documents from ec2-test-framework by @samuel40791765 in
#1925
* Use illegal_parameter instead of decode_error for invalid key shares
by @justsmth in #1923
* Add null check in dh testing by @torben-hansen in
#1937
* DH paramgen callback by @justsmth in
#1928
* Upstream merge 2024 10 17 by @torben-hansen in
#1934
* Remove old Intel CPU types by @justsmth in
#1942
* Remove retries on PCT failure in EC and RSA key generation. by @nebeid
in #1938
* Add p4p, bump up time by @justsmth in
#1943
* PQ README by @jakemas in #1932
* bump mysql CI to 9.1.0 by @justsmth in
#1939
* HKDF, HKDF_expand, and PBKDF Truncated SHA2-512 by @skmcgrail in
#1946
* Missing functionality + Adding Nmap to our CI by @smittals2 in
#1915
* Fix FIPS.md typo by @justsmth in
#1950
* Support encode or decode ∞ like OpenSSL by @samuel40791765 in
#1930
* Expand support for EVP_PKEY_HMAC by @justsmth in
#1933
* Add PKCS7-internal BIO_f_cipher by @WillChilds-Klein in
#1836
* Add PKCS7-internal BIO_f_md by @WillChilds-Klein in
#1886
* Ruby Support - DSA custom md by @justsmth in
#1953
* Add support for POINT_CONVERSION_HYBRID by @samuel40791765 in
#1936
* Fixes for Coverity Alerts by @smittals2 in
#1960
* Also test w/ gcc 4.8 by @justsmth in
#1962
* Actually add support for SSL_get_server/peer_tmp_key by
@samuel40791765 in #1945
* Coverity Fix Null Check by @smittals2 in
#1965
* ML-KEM keygen Pairwise Consistency Test by @dkostic in
#1964
* EDDSA PCT by @torben-hansen in #1968
* Expose AES_cfb1_encrypt and AES_cfb8_encrypt by @skmcgrail in
#1967

**Full Changelog**:
v1.37.0...v1.38.0

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@skmcgrail skmcgrail skmcgrail approved these changes

@justsmth justsmth justsmth approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@nebeid @codecov-commenter @skmcgrail @justsmth