summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Add a new implementation of BN_mod_sqrt()tb2023-04-113-411/+728
| | | | | | | | | | | | | | | | | | | This is a reimplementation from scratch of the Tonelli-Shanks algorithm based on Henri Cohen "A Course in Computational Algebraic Number Theory", Springer GTM 138, section 1.5.1. It is API compatible with the previous implementation, so no documentation change is required. Contrary to the old implementation, this does not have any infinite loops and has various additional sanity checks to prevent misbehavior in case the input modulus is not a prime. It contains extensive comments and the individual parts of the algorithm are split into digestible chunks instead of having one huge function. One difference of note is that it BN_mod_sqrt() now always returns the smaller of the two possible answers. In other words, while its core is non-deterministic, its answer is not. ok jsing
* Correct benchmark result computation on 32 bit platforms.jsing2023-04-112-4/+4
|
* Some more cleanup in bn_to_stringtb2023-04-101-12/+8
|
* Drop BN_NO_DEPRECATED dance from bn_testtb2023-04-101-7/+1
|
* Provide benchmarks for BN_copy()jsing2023-04-102-1/+184
|
* Fix indentation of structs and unions in x509v3.htb2023-04-101-87/+87
| | | | No change according to diff -w
* Make bn_to_string() statictb2023-04-101-3/+3
| | | | | This function is no longer used directly by regress, so it can now be local to this file.
* bn_to_string no longer needs to be linked staticallytb2023-04-101-2/+1
|
* Rework the bn_to_string() to use public APItb2023-04-101-73/+213
| | | | | | We can use the undocumented functions {i2s,s2i}_ASN1_INTEGER(3) to exercise bn_to_string(). This way we use public API and remove the need of linking statically.
* Move a few functions out of OPENSSL_NO_DEPRECATEDtb2023-04-098-29/+19
| | | | | | | | | | | | | | | | | | | | | | | | Geoff Thorpe added OPENSSL_NO_DEPRECATED nearly two decades ago. The hope was that at some point some functions can be dropped. Most of the functions marked deprecated are actually unused nowadays but unfortunately some of them are still used in the ecosystem. Move them out of OPENSSL_NO_DEPRECATED so we can define it without breaking the consumers in the next bump. ERR_remove_state() is still used by a dozen or so ports. This isn't a big deal since it is just a stupid wrapper for the not quite as deprecated ERR_remove_thread_state(). It's not worth patching these ports. Annoyingly, {DH,DSA}_generate_parameters() and RSA_generate_key() are still used. They "make use" of the old-style BN_GENCB callback, which is therefore more difficult to remove - in case you don't know know: that's the thing responsible for printing pretty '.', '+' and '*' when you generate keys. Most annoyingly, DH_generate_parameters() was added to rust-openssl in 2020 for "advanced DH support". This is very unfortunate since cargo bundles a rust-openssl and updates it only every few years or so. As a consequence we're going to be stuck with this nonsense for a good while. ok beck jsing
* Remove some doubled empty linestb2023-04-091-7/+1
|
* Remove X9.31 support from openssl(1)tb2023-04-092-18/+7
| | | | | | | The X9.31 standard has long been retired and deprecated and libcrypto will drop support for it soon. This prepares userland. ok jsing
* Drop X9.31 support from libtlstb2023-04-092-7/+2
| | | | | | | | | The TLS signer isn't exposed in public API (we should finally fix it...) and it supports X9.31, a standard that has been retired and deprecated for a very long time. libcrypto will stop supporting it soon, this step is needed to prepare userland. ok jsing
* Minor code cleanuptb2023-04-091-42/+31
| | | | | | Unwrap a few awkwardly wrapped lines, drop redundant parentheses and add empty lines after some variable declarations. No change in the generated assembly.
* Provide and use sha{224,384}_{update,final} functions.jsing2023-04-091-28/+54
| | | | | | | | | | Improve readability and consistency by providing and using functions named for the specific hash, rather than reusing the sha256/sha512 update and final functions. No functional change. ok tb@
* Rename SHA functions to have sha{1,224,256,384,512}_ prefix.jsing2023-04-091-31/+31
| | | | | | | | Also remove some unnecessary parentheses. No functional change. ok tb@
* fix double wordsjsg2023-04-091-3/+3
|
* bn_test: two minor style tweakstb2023-04-081-6/+3
|
* bn_mont: fix typo in comment divisable -> divisibletb2023-04-071-2/+2
|
* bn_test: rename rc into ret as per usualtb2023-04-071-91/+91
|
* bn_test: pass BN_CTX into all functionstb2023-04-071-364/+297
| | | | | There is a BN_CTX at program scope. Pass it into all test functions. This simplifies memory management at the end of the functions quite a bit.
* bn_test: drop a few braces that are now unnecessarytb2023-04-071-33/+17
|
* bn_test: move rc initialization to its own linetb2023-04-071-9/+17
|
* bn_test: keep the error stack cleantb2023-04-071-1/+13
| | | | | | Make message() print and clear the error stack. This way we can know what test errored. To make this work also clear the error stack after a handful of xfail tests.
* bn_test: use bn_copy() instead of BN_free/BN_duptb2023-04-071-3/+2
| | | | This is not only simpler but also required by an upcoming change.
* bn_test: a few early return would leak. goto err insteadtb2023-04-071-5/+5
|
* bn_test: rand_neg() is not only one of the most stupidly named functionstb2023-04-071-2/+2
| | | | in the entire code base it also has a few parentheses too many
* bn_test: handle rc consistentlytb2023-04-071-111/+134
| | | | | | | Various test functions had bugs due to the fact that the return code would be set to 1 at the top so that each error would have to set rc = 0. This is silly. Fail closed instead by setting rc = 0 at the top and only flipping to 1 before the err label
* bn_test: inline the only use of lst[]tb2023-04-071-14/+12
| | | | | | lst[] can be converted from a bit string to a hex string. Use BN_hex2bn() isntead of BN_bin2bn(). Handle this inside test_lshift() rather than doing artistic ownership dances.
* Improve some test failure reportingtb2023-04-071-5/+12
|
* Ignore ten getter and setter control macros related to proxy BIOs.schwarze2023-04-071-0/+6
| | | | | | | Those are not useful because such a BIO type neither exists in LibreSSL nor in OpenSSL 1.1.1. Not adding the deprecation notice to some manual page because there is no manual page that is even vaguely related.
* Two minor tweaks that are useful for processing bio.h, among other headers:schwarze2023-04-071-1/+2
| | | | | * ignore lines defining "__bounded__()" * ignore whitespace between "#" and "include"
* Mark BIO_CB_return(), BIO_cb_pre(), and BIO_cb_post() as intentionallyschwarze2023-04-071-2/+7
| | | | | undocumented because they are unused according to codesearch.debian.net and would cause nothing but obfuscation if they were used.
* Document the effects that BIO_set_info_callback(3), BIO_callback_ctrl(3),schwarze2023-04-061-3/+54
| | | | BIO_get_info_callback(3), and BIO_info_cb(3) have on connect BIOs.
* Properly document BIO_set_info_callback(3) and BIO_get_info_callback(3)schwarze2023-04-061-8/+96
| | | | | | | | which where mentioned below SYNOPSIS and HISTORY but not described. Also document the command constant BIO_CTRL_SET_CALLBACK and the deprecated function type name bio_info_cb(3). Mention that callbacks installed using BIO_set_callback_ex(3) and BIO_set_callback(3) can tamper with *all* the return values.
* Use RCS tag instead of an incorrect path.tb2023-04-061-1/+1
|
* Move a comment to the proper placetb2023-04-061-6/+5
|
* wycheproof: fix copy-paste error in previoustb2023-04-061-2/+2
|
* wycheproof: use EVP_MD instead of importing "hash"tb2023-04-061-70/+52
|
* Check and assign on one linetb2023-04-061-3/+2
|
* Zap extra empty linetb2023-04-061-2/+1
|
* Add a few missing bracestb2023-04-051-4/+7
| | | | ok jsing
* Set up the RSA's _method_mod_n before the initial blindingtb2023-04-051-11/+13
| | | | | | | | | | | | | | | | As observed by Bernd Edlinger, the main part of the RSA timing leak that was recently made public is that the initial blinding isn't done with Montgomery exponentiation but rather with plain exponentiation. Pull up the initialization of the cached Montgomery context to ensure we use Montgomery exponentiation. Do this for private_{de,en}crypt(). Interestingly, the latter was fixed in OpenSSL a while ago by Andy Polyakov as part of the "smooth CRT-RSA" addition. If this code was anything but completely insane this would never have been an issue in the first place. But it's libcrypto... ok jsing
* Sprinkle a few BTI instructions into the arm64 assembly files and passkettenis2023-04-052-1/+8
| | | | | | -mmark-bti-property to indicate those now have BTI support. ok jsing@, deraadt@
* bn_mod_sqrt: Improve a handful of comments and a printftb2023-04-051-5/+9
|
* Improve regress coverage for BN_mod_sqrt()tb2023-04-051-3/+2783
| | | | | This now covers all the main branches of both the old and new BN_mod_sqrt() implementation except for negative p.
* Simplify mod_sqrt_test() a bittb2023-04-051-35/+16
|
* bn_mod_sqrt test: Use a #define rather than hard coded 100tb2023-04-051-3/+5
|
* Add coverage for the truly non-deterministic path of Tonelli-Shankstb2023-04-051-4/+1625
| | | | | Regress coverage of all of BN_mod_sqrt() is still lacking after this. This will improve in forthcoming commits.
* Introduce variation in location of junked bytes; ok tb@otto2023-04-051-3/+8
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-29 07:06:57 +0000