summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Make BN_set_negative() closer to constant time.jsing2023-02-141-2/+3
| | | | ok tb@
* Provide bn_ct_{eq,ne}_zero{,_mask}() inline functions.jsing2023-02-141-1/+33
| | | | | | | These will be used to test a BN_ULONG in cases where constant time style behaviour is required. ok tb@
* Add regress coverage for BN_num_bits_word()tb2023-02-141-1/+25
|
* asn1x509 test: Remove unnecessary line continuationstb2023-02-131-24/+24
|
* Merge dsa_sign.c and dsa_vrf.c into dsa_ossl.ctb2023-02-134-166/+37
| | | | discussed with jsing
* dsa/dsa_sign.c: unindent by inverting logic for DSA_SIG_free(NULL)tb2023-02-131-6/+7
|
* dsa/dsa_sign.c: shuffle functions into a more sensible ordertb2023-02-131-13/+13
|
* Revise for negative zero changes.jsing2023-02-131-2/+2
|
* Avoid negative zero.jsing2023-02-1310-36/+40
| | | | | | | | | | | | | | | | Whenever setting negative to one (or when it could potentially be one), always use BN_set_negative() since it checks for a zero valued bignum and will not permit negative to be set in this case. Since BN_is_zero() currently relies on top == 0, call BN_set_negative() after top has been set (or bn_correct_top() has been called). This fixes a long standing issue where -0 and +0 have been permitted, however multiple code paths (such as BN_cmp()) fail to treat these as equivalent. Prompted by Guido Vranken who is adding negative zero fuzzing to oss-fuzz. ok tb@
* Simplify BN_set_negative().jsing2023-02-131-6/+3
| | | | ok tb@
* Add currently failing negative zero check to BN_rshift() regress.jsing2023-02-131-1/+5
|
* Remove bn_exp2.c, which is now empty.jsing2023-02-112-118/+1
|
* Bye bye x86_64-gcc.c.jsing2023-02-111-559/+0
| | | | This is no longer used, since we're now using s2n-bignum functions instead.
* Use .section .rodata instead of a plain .rodatatb2023-02-0914-15/+15
| | | | | | | | At least gcc 12 on Fedora is very unhappy about a plain .rodata and throws Error: unknown pseudo-op: `.rodata'. So add a .section in front of it to make it happy. ok deraadt miod
* Pull in bn_internal.h for the generic version of bn_umul_hilo()jsing2023-02-091-1/+2
|
* Clean up bn_sqr_words()jsing2023-02-092-53/+10
| | | | | | | | | | | Currently there are two versions of bn_sqr_words(), which call the sqr or sqr64 macro. Replace this with a single version that calls bn_umul_hilo() and remove the various implementations of the sqr macro. The only slight downside is that sqr64 does three multiplications instead of four, given that the second and third terms are identical. However, this is a minimal gain for the amount of duplication and entanglement it introduces. ok tb@
* openssl(1) pkcs7 avoid crash on malformed filestb2023-02-081-5/+9
| | | | | | | | When printing certificates or CRLs, check signed and signedAndEnveloped before dereferencing them. Prevents crash on inspecting malformed PKCS7 files. ok jsing
* Fix arbitrary memory read in GENERAL_NAME_cmp()tb2023-02-071-2/+3
| | | | | | | | | | | | | | | | | | The ASN.1 template for GENERAL_NAME and its corresponding C structure disagree on the type of the x400Address member. This results in an ASN.1 string to be considered as an ASN.1 type, which allows an attacker to read (essentially) arbitrary memory. Fix this by forcing comparison as strings. While the underlying type confusion has been present since time immemorial, this particular bug came with the EdiPartyName fix (6.8/008_asn1.patch.sig). Reported by David Benjamin, fix suggested by jsing. Release date for this was set to be January 31. Unilaterally pushed back to February 7 by OpenSSL by way of announcement of many completely unrelated embargoed issues, some of which they had been sitting on since July 2020. ok beck jsing
* libcrypto/ec: another missing point-on-curve checktb2023-02-071-3/+9
| | | | | | | | | | Unlike in the affine/compressed/... cases, when setting projective coordinates of an elliptic curve point, there is no check whether the point is actually on the curve. Pointed out by Guido Vranken ok beck miod
* Remove bn_sqr_words() on amd64.jsing2023-02-042-11/+2
| | | | | | | s2n-bignum's bignum_sqr() is not the same as bn_sqr_words() (which only computes a partial result, unlike the former). This went unnoticed since bn_sqr() is called directly on amd64, hence bn_sqr_words() is currently unused.
* Fix output constraints for bn_umul_hilo().jsing2023-02-044-8/+8
| | | | | | | | When bn_umul_hilo() is implemented using an instruction pair, mark the first output with a constraint that prevents the output from overlapping with the inputs ("&"). Otherwise the first instruction can overwrite the inputs, which then results in the second instruction producing incorrect value.
* Move BN_mod_exp2_mont() to bn_exp.c.jsing2023-02-032-188/+186
|
* Reorder functions in bn_exp.c to be slightly sensible...jsing2023-02-031-282/+279
| | | | No functional change intended.
* Clean up and simplify BN_mod_lshift{,_quick}().jsing2023-02-031-38/+34
| | | | | | | | | | | | BN_mod_lshift() already has a BN_CTX available, make use of it rather than calling BN_dup() and BN_free(). In BN_mod_lshift_quick(), BN_copy() already handles dst == src, so avoid checking this before the call. The max_shift == 0 case can also be handled without code duplication. And as with other *_quick() functions, use BN_ucmp() and BN_usub() directly given the 0 <= a < m constraint. ok tb@
* Clean up BN_mod_mul() and simplify BN_mod_sqr().jsing2023-02-031-14/+16
| | | | | | | | | | | | | | Use the same naming/code pattern in BN_mod_mul() as is used in BN_mul(). Note that the 'rr' allocation is unnecessary, since both BN_mul() and BN_sqr() handle the case where r == a || r == b. However, it avoids a potential copy on the exit from BN_mul()/BN_sqr(), so leave it in place for now. Turn BN_mod_sqr() into a wrapper that calls BN_mod_mul(), since it already calls BN_sqr() in the a == b. The supposed gain of calling BN_mod_ct() instead of BN_nnmod() does not really exist. ok tb@
* Simplify BN_mod_{lshift1,sub}_quick().jsing2023-02-031-13/+19
| | | | | | | | | The BN_mod_.*_quick() functions require that their inputs are non-negative and are already reduced. As such, they can and should use BN_ucmp() and BN_usub() instead of BN_cmp() and BN_add()/BN_sub() (which internally call BN_uadd()/BN_usub() and potentially BN_cmp()). ok tb@
* Simplify BN_nnmod().jsing2023-02-031-13/+12
| | | | | | | | | In the case that the result is negative (i.e. one of a or m is negative), the positive result can be achieved via a single BN_usub(). This simplifies BN_nnmod() and avoids indirection via BN_add()/BN_sub(), which do BN_cmp() and then call into BN_uadd()/BN_usub(). ok tb@
* Turn BN_mod_{ct,nonct}() into symbols.jsing2023-02-032-6/+19
| | | | | | Also use accurate/useful variables names. ok tb@
* Remove AIX toc data after every function. NFCmiod2023-02-025-71/+2
|
* Refactor BN_uadd() and BN_usub().jsing2023-02-023-39/+99
| | | | | | | | | | | | | | | | | | Unlike bn_add_words()/bn_sub_words(), the s2n-bignum bignum_add() and bignum_sub() functions correctly handle inputs with differing word lengths. This means that they can be called directly, without needing to fix up any remaining words manually. Split BN_uadd() in two - the default bn_add() implementation calls bn_add_words(), before handling the carry for any remaining words. Likewise split BN_usub() in two - the default bn_sub() implementation calls bn_sub_words(), before handling the borrow for any remaining words. On amd64, provide an implementation of bn_add() that calls s2n-bignum's bignum_add() directly, similarly with an implementation of bn_sub() that calls s2n-bignum's bignum_sub() directly. ok tb@
* Unbreak vpaes-x86 implementation.jsing2023-02-021-2/+0
| | | | | | Remove remnants of previous PIC handling. ok miod@
* Move all data blocks from .text to .rodata and cleanup up and homogeneize codemiod2023-02-023-18/+5
| | | | responsible from getting the proper address of those blocks.
* Sync function prototypes and declarations to satisfy clang 15.anton2023-02-021-3/+3
| | | | ok jsing@
* Move all data blocks from .text to .rodata and cleanup up and homogeneize codemiod2023-02-0116-236/+248
| | | | | | responsible from getting the proper address of those blocks. ok tb@ jsing@
* For xonly, move sha512-ppc.pl's table from text to rodatagkoehler2023-02-011-18/+7
| | | | | | | | | | | OpenBSD/macppc will enforce xonly on PowerPC G5, then libcrypto's sha256 would crash by SIGSEGV, because it can't read text. Use ELF relocations "@ha" and "@l" to find the table in rodata. This might break the PowerPC asm on a not-ELF platform (like AIX or Mac OS) if someone would try it there. ok kettenis@ deraadt@
* Don't run session tests with openssl 3.0 - these tests aren't TLSv1.3 readytb2023-02-011-2/+2
|
* Hopefully the last one.tb2023-02-011-4/+4
|
* One more openssl 1.0.2 thing missed.tb2023-02-011-4/+4
|
* Switch from eopenssl to eopenssl30. Missed in both previous commitstb2023-02-011-4/+4
| | | | for some reason.
* Retire OpenSSL 1.0.2 interoptb2023-02-017-93/+13
| | | | | | Now that the OpenSSL 1.0.2 port is gone, there's no need to keep the interop tests anymore. anton's and bluhm's regress tests will switch to testing interoperability with OpenSSL 3.0.
* Pull the MONT_WORD define to the top.jsing2023-02-011-3/+3
| | | | | | Reordering functions with defines hiding in the middle leads to fun outcomes... and apparently the non-MONT_WORD code is broken, at least on aarch64.
* Move BN_MONT_CTX_* functions to the top of the file.jsing2023-02-011-221/+221
| | | | No functional change.
* Remove the now empty bn_asm.c.jsing2023-01-318-78/+6
| | | | | | This rather misnamed file (bn_asm.c) previously contained the C code that was needed to build libcrypto bignum on platforms that did not have assembly implementations of the functions it contained.
* Simplify bn_div_3_words().jsing2023-01-311-49/+15
| | | | | | | Make use of bn_umul_hilo() and remove the tangle of preprocessor directives that implement different code paths depending on what defines exist. ok tb@
* Provide inline assembly bn_umul_hilo() for alpha/powerpc64/riscv64.jsing2023-01-313-3/+67
| | | | | | These should work, but are currently untested and disabled. ok tb@
* Provide inline assembly versions of bn_umul_hilo() for aarch64/amd64/i386.jsing2023-01-313-3/+67
| | | | ok tb@
* Provide bn_umul_hilo().jsing2023-01-311-0/+159
| | | | | | | | | | | | | | | | | The bignum code needs to be able to multiply two words, producing a double word result. Some architectures do not have native support for this, hence a pure C version is required. bn_umul_hilo() provides this functionality. There are currently two implementations, both of which are branch free. The first uses bitwise operations for the carry, while the second uses accumulators. The accumulator version uses fewer instructions, however requires more variables/registers and seems to be slower, at least on amd64/i386. The accumulator version may be faster on architectures that have more registers available. Further testing can be performed and one of the two implementations can be removed at a later date. ok tb@
* Correctly detect b < a in BN_usub().jsing2023-01-312-5/+8
| | | | | | | | | | | | BN_usub() requires that a >= b and should return an error in the case that b < a. This is currently only detected by checking the number of words in a versus b - if they have the same number of words, the top word is not checked and b < a, which then succeeds and produces an incorrect result. Fix this by checking for the case where a and b have an equal number of words, yet there is a borrow returned from bn_sub_words(). ok miod@ tb@
* Add bn/arch/${MACHINE_CPU} to the include path.jsing2023-01-311-1/+2
| | | | This will be needed once headers pull in bn_arch.h.
* Add more regress tests for BN_usub().jsing2023-01-311-1/+22
| | | | | | This adds more tests for BN_usub(), particularly where b > a, which should be an error condition. One of these currently succeeds and produces incorrect results.
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-22 07:52:51 +0000