<feed xmlns='http://www.w3.org/2005/Atom'>
<title>openbsd/src/lib/libcrypto/bn, branch OPENBSD_7_3_BASE</title>
<subtitle>A mirror of https://github.com/libressl/openbsd.git
</subtitle>
<id>https://git.lua4.win/openbsd/atom?h=OPENBSD_7_3_BASE</id>
<link rel='self' href='https://git.lua4.win/openbsd/atom?h=OPENBSD_7_3_BASE'/>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/'/>
<updated>2023-03-15T04:30:20+00:00</updated>
<entry>
<title>Ensure negative input to BN_mod_exp_mont_consttime() is correctly reduced.</title>
<updated>2023-03-15T04:30:20+00:00</updated>
<author>
<name>jsing</name>
<email></email>
</author>
<published>2023-03-15T04:30:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=d3cf2a2533c22b330e12679aad10a700eb6fc870'/>
<id>urn:sha1:d3cf2a2533c22b330e12679aad10a700eb6fc870</id>
<content type='text'>
A negative input to BN_mod_exp_mont_consttime() is not correctly reduced,
remaining negative (when it should be in the range [0, m)). Fix this by
unconditionally calling BN_nnmod() on the input.

Fixes ossfuzz #55997.

ok tb@
</content>
</entry>
<entry>
<title>Avoid -0 in BN_div_word().</title>
<updated>2023-03-11T14:14:54+00:00</updated>
<author>
<name>jsing</name>
<email></email>
</author>
<published>2023-03-11T14:14:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=52fd1244f8c53de73ef10d4f9511eee80489d31a'/>
<id>urn:sha1:52fd1244f8c53de73ef10d4f9511eee80489d31a</id>
<content type='text'>
Currently, the use of BN_div_word() can result in -0 - avoid this by
setting negative again, at the end of the computation.

Should fix oss-fuzz 56667.

ok tb@
</content>
</entry>
<entry>
<title>Correct sign handling in BN_add_word().</title>
<updated>2023-03-11T14:13:11+00:00</updated>
<author>
<name>jsing</name>
<email></email>
</author>
<published>2023-03-11T14:13:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=0011bd4b5ca21dd631b72942920a62fa4a90fa88'/>
<id>urn:sha1:0011bd4b5ca21dd631b72942920a62fa4a90fa88</id>
<content type='text'>
A sign handling bug was introduced to BN_add_word() in bn_word.c r1.18.
When handling addition to a negative bignum, the BN_sub_word() call can
result in the sign being flipped, which we need to account for. Use the
same code in BN_sub_word() - while not technically needed here it keeps
the code consistent.

Issue discovered by tb@

ok tb@
</content>
</entry>
<entry>
<title>Improve bn_montgomery_multiply_words().</title>
<updated>2023-03-07T09:42:09+00:00</updated>
<author>
<name>jsing</name>
<email></email>
</author>
<published>2023-03-07T09:42:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=ecd1f4763943bcfd15caa4b48ac41a4b1f90be7a'/>
<id>urn:sha1:ecd1f4763943bcfd15caa4b48ac41a4b1f90be7a</id>
<content type='text'>
Rather than calling bn_mul_add_words() twice - once to multiply and once
to reduce - perform the multiplication and reduction in a single pass using
bn_mulw_addw_addw() directly. Also simplify the addition of the resulting
carries, which in turn allows us to avoid zeroing the top half of the
temporary words.

This provides a ~20-25% performance improvement for RSA operations on
aarch64.

ok tb@
</content>
</entry>
<entry>
<title>Slightly rework bn_mulw_addtw().</title>
<updated>2023-03-07T09:35:55+00:00</updated>
<author>
<name>jsing</name>
<email></email>
</author>
<published>2023-03-07T09:35:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=2797564eff6fe818c2b46b64fbb198f80be86e35'/>
<id>urn:sha1:2797564eff6fe818c2b46b64fbb198f80be86e35</id>
<content type='text'>
Call bn_mulw_addw() rather than doing bn_mulw() followed by bn_addw(). This
simplifies the code slightly, plus on some platforms bn_mulw_addw() can
be optimised (and bn_mulw_addtw() will then benefit from such an
optimisation).

ok tb@
</content>
</entry>
<entry>
<title>Call BN_free() instead of BN_clear_free().</title>
<updated>2023-03-07T09:27:10+00:00</updated>
<author>
<name>jsing</name>
<email></email>
</author>
<published>2023-03-07T09:27:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=19dfe7f484e5739359ee8c102d879d125df916ad'/>
<id>urn:sha1:19dfe7f484e5739359ee8c102d879d125df916ad</id>
<content type='text'>
BN_clear_free() is a wrapper that calls BN_free() - call BN_free() directly
instead.

ok tb@
</content>
</entry>
<entry>
<title>Limit bn_mul_mont() usage to sizes less than or equal to 8192 bits.</title>
<updated>2023-03-07T06:28:36+00:00</updated>
<author>
<name>jsing</name>
<email></email>
</author>
<published>2023-03-07T06:28:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=9a319239aa9791b8d59bd245ae1eb82cd3d46720'/>
<id>urn:sha1:9a319239aa9791b8d59bd245ae1eb82cd3d46720</id>
<content type='text'>
The assembly bn_mul_mont() implementations effectively use alloca() to
allocate space for computation (at up to 8x the input size), without
any limitation. This means that sufficiently large inputs lead to the
stack being blown. Prevent this by using the C based implementation
instead.

Thanks to Jiayi Lin &lt;jlin139 at asu dot edu&gt; for reporting this to us.

ok beck@ tb@
</content>
</entry>
<entry>
<title>Implement bn_montgomery_multiply()</title>
<updated>2023-03-07T06:19:44+00:00</updated>
<author>
<name>jsing</name>
<email></email>
</author>
<published>2023-03-07T06:19:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=0997c0b71b5d3563776da385640073eeb53919be'/>
<id>urn:sha1:0997c0b71b5d3563776da385640073eeb53919be</id>
<content type='text'>
Provide a constant-time-style Montgomery multiplication implementation.
Use this in place of the assembly bn_mul_mont() on platforms that either
do not have an assembly implementation or have not compiled it in.

Also use this as the fallback version for bn_mul_mont(), rather than
falling back to a non-constant time implementation.

ok beck@ tb@
</content>
</entry>
<entry>
<title>Refactor BN_mod_mul_montgomery().</title>
<updated>2023-03-07T06:15:09+00:00</updated>
<author>
<name>jsing</name>
<email></email>
</author>
<published>2023-03-07T06:15:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=9b37857f5b8c81178521129dbb3c0afdcab594ac'/>
<id>urn:sha1:9b37857f5b8c81178521129dbb3c0afdcab594ac</id>
<content type='text'>
Pull out the simplistic implementation (using BN_mul() or BN_sqr()) into a
bn_mod_mul_montgomery_simple() function. Provide bn_mod_mul_montgomery()
with an implementation that changes depending on if the assembly
bn_mul_mont() is available or not. Turn BN_mod_mul_montgomery() and
BN_to_montgomery() into callers of bn_mod_mul_montgomery().

ok beck@ tb@
</content>
</entry>
<entry>
<title>Delete unused and unsafe bn_mul_mont() example code.</title>
<updated>2023-03-07T06:05:06+00:00</updated>
<author>
<name>jsing</name>
<email></email>
</author>
<published>2023-03-07T06:05:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=a11e3f4bc655f7f0e41fc25cdf9ae62072074f19'/>
<id>urn:sha1:a11e3f4bc655f7f0e41fc25cdf9ae62072074f19</id>
<content type='text'>
This came from bn_asm.c and did not even compile until recently.

ok beck@ tb@
</content>
</entry>
</feed>
