summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/bn/bn.h (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Remove more *_options() stufftb2023-07-311-2/+1
| | | | | | | The public symbols were removed. Some prototypes and in the case of DES even the implementation remained. ok jsing
* Remove the get_rfc*_prime_*() APItb2023-07-281-9/+1
| | | | | | | Inconsistently named with the rest of the API, so OpenSSL 1.1 introduced the same functions with a BN_ prefix. We'll keep the latter. ok jsing
* Make BN_BLINDING internaltb2023-07-281-22/+1
| | | | | | | | | | RSA is pretty bad. In my most optimistic moments I dream of a world that stopped using it. That won't happen during my lifetime, unfortunately. Blinding is one way of making it a little less leaky. Unfortunately this side-channel leak mitigation leaked out of the library for no good reason. Let's at least fix that aspect of it. ok jsing
* Add a BN_R_INVALID_ARGUMENT error codetb2023-06-131-1/+2
| | | | | | | | | | One problem with OpenSSL error codes is that they tend to be too specific (another problem is that they are extremely ugly). So add an EINVAL-style error code. This will be used in an upcoming commit to disallow aliasing of the 'return value' with the modulus in BN_mod_* functions and should be applicable elsewhere, outside of this one narrow use case. ok jsing
* Remove a useless doxygen commenttb2023-04-271-5/+1
|
* Remove the deprecated API from BNtb2023-04-251-33/+2
|
* GF2m bites the dust. It won't be missed.tb2023-04-251-62/+1
|
* Remove the horror show that is bn_nist and ecp_nisttb2023-04-251-17/+1
| | | | | | This code is full of problematic C and is also otherwise of questionable quality. It is far from constant time and jsing informs me it also isn't faster. Good riddance.
* Remove the no longer used BN_MONT_CTX_init()tb2023-04-251-5/+1
|
* Move a few now internal prototypes to bn_local.htb2023-04-251-23/+1
|
* Remove old BN_one/BN_zero compat stufftb2023-04-251-13/+1
| | | | ok jsing
* Remove X9.31 supporttb2023-04-251-15/+1
| | | | ok jsing
* Remove the no longer used BN_CTX_init()tb2023-04-251-7/+1
| | | | ok jsing
* unifdef BN_RECURSIONjsing2023-04-191-7/+1
| | | | | | | | | | | | This removes a bunch of incomplete and scary code, which potentially leaks secrets and is not constant time. A performance gain is achieved on arm64 for sizes that we care about, while a minimal decrease in performance is noted for larger sizes on some other platforms. While we will potentially reimplement Karatsuba (or Toom-Cook) at a later date, it will be easier and safer to do it from a clean slate. ok tb@
* Mark X9.31 BN API for removaltb2023-04-161-1/+4
| | | | | | | This supports a mostly forgotten, seemingly unused and long retired standard. No need for this in our public API Dyson sphere. ok jsing
* The BN reciprocal API will also become internal-onlytb2023-04-161-1/+7
| | | | | | | This is unused outside of the library and could do with some reworking. That's easier without having to care about outside consumers. ok jsing
* Various BN*init() will be removed from the public APItb2023-04-161-1/+10
| | | | | | | | With the corresponding structs now being opaque, the only thing they are good for outside the library are memory leaks. They will be removed completely or become internal only. ok jsing
* Mark public bn_nist and ec_nist API for removaltb2023-04-161-1/+3
| | | | | | | | | | | | | The faster nist code is rife with problematic C. While this is generally considered to be a pleonasm nowadays, here it specifically refers to aliasing issues and other flavors of undefined behavior. With compilers and standardization committees becoming seemingly more determined about making C even more unusable than it already is, this code has resulted in miscompilations and generally is a target rich environment for fuzzers to feast on. We're better off without it. Go look while it's still there. It's some of the very worst we have to offer. ok jsing
* Provide BN_zero()/BN_one() as functions and make BN_zero() always succeed.jsing2022-12-171-1/+6
| | | | | | | | | | | | | | BN_zero() is currently implemented using BN_set_word(), which means it can fail, however almost nothing ever checks the return value. A long time ago OpenSSL changed BN_zero() to always succeed and return void, however kept BN_zero as a macro that calls a new BN_zero_ex() function, so that it can be switched back to the "can fail" version. Take a simpler approach - change BN_zero()/BN_one() to functions and make BN_zero() always succeed. This will be exposed in the next bump, at which point we can hopefully also remove the BN_zero_ex() function. ok tb@
* Mop up more BN_DEBUG related code.jsing2022-11-301-13/+1
|
* Remove mkerr.pl remnants from LibreSSLkn2022-07-121-5/+1
| | | | | | | This script is not used at all and files are edited by hand instead. Thus remove misleading comments incl. the obsolete script/config. Feedback OK jsing tb
* Expose new API in headers.tb2022-07-071-3/+1
| | | | | | | These are mostly security-level related, but there are also ASN1_TIME and ASN_INTEGER functions here, as well as some missing accessors. ok jsing
* Prepare to provide BN_security_bits()tb2022-06-271-1/+5
| | | | ok beck jsing
* Move BN structs to bn_lcl.htb2022-01-141-49/+1
| | | | | | This makes all structs in bn.h opaque that are also opaque in OpenSSL. ok inoguchi jsing
* Unifdef LIBRESSL_OPAQUE_* and LIBRESSL_NEXT_APItb2022-01-141-65/+1
| | | | | This marks the start of major surgery in libcrypto. Do not attempt to build the tree for a while (~50 commits).
* Annotate the structs to be moved to bn_lcl.h in the next bumptb2021-12-041-1/+5
| | | | ok inoguchi jsing
* Implement the BN_to_montgomery() macro as a functiontb2021-12-041-1/+6
| | | | ok inoguchi jsing
* Implement the BN_is_negative macro as a functiontb2021-12-041-1/+6
| | | | ok inoguchi jsing
* Provide function implementations for various BN_* macrostb2021-12-041-3/+15
| | | | | | | | BN_abs_is_word, BN_is_{zero,one,word,odd}, BN_one, BN_zero_ex are now implemented as functions for internal use. They will be exposed publicly to replace the macros reaching into BIGNUM in the next bump. ok inoguchi jsing
* Provide replacement functions for the BN_{get,set,with}_flags() macros.tb2021-12-041-1/+9
| | | | ok inoguchi jsing
* Provide replacement functions for the BN_GENCB_set{,_old}() macrostb2021-12-041-2/+14
| | | | | | | | The function implementations are necessary to make BIGNUM opaque. They will be used in libcrypto internally until they will replace the macro implementations with the next bump. ok inoguchi jsing
* typo in commenttb2021-11-181-2/+2
|
* Expose BN_bn2{,le}binpad() and BN_lebin2bn() in <openssl/bn.h>tb2021-09-101-3/+1
| | | | ok beck inoguchi
* Expose BN_RAND_* in <openssl/bn.h>tb2021-09-101-3/+1
| | | | ok beck jsing
* Prepare to provide BN_RAND_* flags for BN_rand_range()tb2021-09-101-1/+12
| | | | ok beck jsing
* Prepare to provide BN_bn2{,le}binpad() and BN_lebin2bn()tb2021-09-081-1/+6
| | | | | | | | | As found by jsg and patrick, this is needed for newer uboot and will also be used in upcoming elliptic curve work. This is from OpenSSL 1.1.1l with minor style tweaks. ok beck inoguchi
* Change generating and checking of primes so that the error rate ofschwarze2019-08-251-18/+73
| | | | | | | | | | | not being prime depends on the intended use based on the size of the input. For larger primes this will result in more rounds of Miller-Rabin. The maximal error rate for primes with more than 1080 bits is lowered to 2^-128. Patch from Kurt Roeckx <kurt@roeckx.be> and Annie Yousar via OpenSSL commit feac7a1c Jul 25 18:55:16 2018 +0200, still under a free license. OK tb@.
* Provide BN_GENCB_new(), BN_GENCB_free() and BN_GENCB_get_arg()jsing2018-02-201-1/+6
|
* Provide BN_get_rfc2409_prime_*() and BN_get_rfc3526_prime_*().jsing2018-02-201-1/+9
|
* Construct a BN_gcd_nonct, based on BN_mod_inverse_no_branch, as suggestedbeck2017-01-251-1/+3
| | | | | | | | | | | by Alejandro Cabrera <aldaya@gmail.com> to avoid the possibility of a sidechannel timing attack during RSA private key generation. Modify BN_gcd to become not visible under LIBRESSL_INTERNAL and force the use of the _ct or _nonct versions of the function only within the library. ok jsing@
* Add ct and nonct versions of BN_mod_inverse for internal usebeck2017-01-211-1/+3
| | | | ok jsing@
* Split out BN_div and BN_mod into ct and nonct versions for Internal use.beck2017-01-211-1/+3
| | | | ok jsing@
* Make explicit _ct and _nonct versions of bn_mod_exp funcitons thatbeck2017-01-211-1/+3
| | | | | | | | | | | | matter for constant time, and make the public interface only used external to the library. This moves us to a model where the important things are constant time versions unless you ask for them not to be, rather than the opposite. I'll continue with this method by method. Add regress tests for same. ok jsing@
* Explicitly export a list of symbols from libcrypto.jsing2016-12-211-115/+1
| | | | | | | | | | | | | | | | Move the "internal" BN functions from bn.h to bn_lcl.h and stop exporting the bn_* symbols. These are documented as only being intended for internal use, so why they were placed in a public header is beyond me... This hides 363 previously exported symbols, most of which exist in headers that are not installed and were never intended to be public. This also removes a few crusty old things that should have died long ago (like _ossl_old_des_read_pw). But don't worry... there are still 3451 symbols exported from the library. With input and testing from inoguchi@. ok beck@ inoguchi@
* graduate bn_expand() to a real function. the openssl version of thisderaadt2016-03-041-3/+3
| | | | | | | uses a macro with multiple-evaluations of arguments (different amount than the previous version..), but doug/bcook's inline version makes BIGNUM not opaque [problem spotted by naddy] ok doug
* Revert bn_expand until there's consensus on a fix.doug2016-03-041-14/+3
|
* Add bounds checking for BN_hex2bn/BN_dec2bn.doug2016-03-021-3/+14
| | | | | | | | | Need to make sure i * 4 won't overflow. Based on OpenSSL: commit 99ba9fd02fd481eb971023a3a0a251a37eb87e4c input + ok bcook@ ok beck@
* Reject too small bits value in BN_generate_prime_ex(), so that it does not riskmiod2015-10-211-1/+3
| | | | | | | | becoming negative in probable_prime_dh_safe(). Reported by Franck Denis who noticed `openssl gendh 0' would segfault. Fix adapted from OpenSSL RT#2701. ok beck@ jsing@
* actually include the prerequisite dependency for BIO instead of doing nastynessbeck2015-10-161-5/+2
|
* Delete a lot of #if 0 code in libressl.doug2015-02-071-12/+1
| | | | | | | | | | | | | | | | | | | | | | | | | There are a few instances where #if 1 is removed but the code remains. Based on the following OpenSSL commits. Some of the commits weren't strictly deletions so they are going to be split up into separate commits. 6f91b017bbb7140f816721141ac156d1b828a6b3 3d47c1d331fdc7574d2275cda1a630ccdb624b08 dfb56425b68314b2b57e17c82c1df42e7a015132 c8fa2356a00cbaada8963f739e5570298311a060 f16a64d11f55c01f56baa62ebf1dec7f8fe718cb 9ccc00ef6ea65567622e40c49aca43f2c6d79cdb 02a938c953b3e1ced71d9a832de1618f907eb96d 75d0ebef2aef7a2c77b27575b8da898e22f3ccd5 d6fbb194095312f4722c81c9362dbd0de66cb656 6f1a93ad111c7dfe36a09a976c4c009079b19ea1 1a5adcfb5edfe23908b350f8757df405b0f5f71f 8de24b792743d11e1d5a0dcd336a49368750c577 a2b18e657ea1a932d125154f4e13ab2258796d90 8e964419603d2478dfb391c66e7ccb2dcc9776b4 32dfde107636ac9bc62a5b3233fe2a54dbc27008 input + ok jsing@, miod@, tedu@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-02-08 07:06:33 +0000