| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
ok jsing
|
| | |
|
| |
|
|
|
|
|
| |
Mark them LCRYPTO_UNUSED appropriately and remove the LIBRESSL_INTERNAL
guards around them
ok tb@
|
| |
|
|
|
|
|
|
| |
The former could be useful but nothing uses it. The latter is a
dangerous implementation detail of Montgomery exponentiation that
should never have been leaked out of the library. Fix this.
ok jsing
|
| |
|
|
|
|
|
| |
This function is very slow and useful for testing purposes only. It
should never have been part of the public API. Remove it from there.
ok jsing
|
| |
|
|
|
|
|
| |
The public symbols were removed. Some prototypes and in the case of DES
even the implementation remained.
ok jsing
|
| |
|
|
|
|
|
| |
Inconsistently named with the rest of the API, so OpenSSL 1.1 introduced
the same functions with a BN_ prefix. We'll keep the latter.
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
RSA is pretty bad. In my most optimistic moments I dream of a world that
stopped using it. That won't happen during my lifetime, unfortunately.
Blinding is one way of making it a little less leaky. Unfortunately this
side-channel leak mitigation leaked out of the library for no good reason.
Let's at least fix that aspect of it.
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
One problem with OpenSSL error codes is that they tend to be too specific
(another problem is that they are extremely ugly). So add an EINVAL-style
error code. This will be used in an upcoming commit to disallow aliasing
of the 'return value' with the modulus in BN_mod_* functions and should
be applicable elsewhere, outside of this one narrow use case.
ok jsing
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
This code is full of problematic C and is also otherwise of questionable
quality. It is far from constant time and jsing informs me it also isn't
faster. Good riddance.
|
| | |
|
| | |
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This removes a bunch of incomplete and scary code, which potentially leaks
secrets and is not constant time. A performance gain is achieved on arm64
for sizes that we care about, while a minimal decrease in performance is
noted for larger sizes on some other platforms.
While we will potentially reimplement Karatsuba (or Toom-Cook) at a later
date, it will be easier and safer to do it from a clean slate.
ok tb@
|
| |
|
|
|
|
|
| |
This supports a mostly forgotten, seemingly unused and long retired
standard. No need for this in our public API Dyson sphere.
ok jsing
|
| |
|
|
|
|
|
| |
This is unused outside of the library and could do with some reworking.
That's easier without having to care about outside consumers.
ok jsing
|
| |
|
|
|
|
|
|
| |
With the corresponding structs now being opaque, the only thing they are
good for outside the library are memory leaks. They will be removed
completely or become internal only.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The faster nist code is rife with problematic C. While this is generally
considered to be a pleonasm nowadays, here it specifically refers to
aliasing issues and other flavors of undefined behavior. With compilers
and standardization committees becoming seemingly more determined about
making C even more unusable than it already is, this code has resulted
in miscompilations and generally is a target rich environment for fuzzers
to feast on. We're better off without it. Go look while it's still there.
It's some of the very worst we have to offer.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
BN_zero() is currently implemented using BN_set_word(), which means it can
fail, however almost nothing ever checks the return value. A long time
ago OpenSSL changed BN_zero() to always succeed and return void, however
kept BN_zero as a macro that calls a new BN_zero_ex() function, so that
it can be switched back to the "can fail" version.
Take a simpler approach - change BN_zero()/BN_one() to functions and make
BN_zero() always succeed. This will be exposed in the next bump, at which
point we can hopefully also remove the BN_zero_ex() function.
ok tb@
|
| | |
|
| |
|
|
|
|
|
| |
This script is not used at all and files are edited by hand instead.
Thus remove misleading comments incl. the obsolete script/config.
Feedback OK jsing tb
|
| |
|
|
|
|
|
| |
These are mostly security-level related, but there are also ASN1_TIME
and ASN_INTEGER functions here, as well as some missing accessors.
ok jsing
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
|
|
| |
This makes all structs in bn.h opaque that are also opaque in OpenSSL.
ok inoguchi jsing
|
| |
|
|
|
| |
This marks the start of major surgery in libcrypto. Do not attempt to
build the tree for a while (~50 commits).
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
|
|
|
|
| |
BN_abs_is_word, BN_is_{zero,one,word,odd}, BN_one, BN_zero_ex are
now implemented as functions for internal use. They will be exposed
publicly to replace the macros reaching into BIGNUM in the next bump.
ok inoguchi jsing
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
|
|
|
|
| |
The function implementations are necessary to make BIGNUM opaque.
They will be used in libcrypto internally until they will replace
the macro implementations with the next bump.
ok inoguchi jsing
|
| | |
|
| |
|
|
| |
ok beck inoguchi
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
|
|
|
|
|
| |
As found by jsg and patrick, this is needed for newer uboot and
will also be used in upcoming elliptic curve work.
This is from OpenSSL 1.1.1l with minor style tweaks.
ok beck inoguchi
|
| |
|
|
|
|
|
|
|
|
|
| |
not being prime depends on the intended use based on the size of
the input. For larger primes this will result in more rounds of
Miller-Rabin. The maximal error rate for primes with more than
1080 bits is lowered to 2^-128.
Patch from Kurt Roeckx <kurt@roeckx.be> and Annie Yousar
via OpenSSL commit feac7a1c Jul 25 18:55:16 2018 +0200,
still under a free license.
OK tb@.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
by Alejandro Cabrera <aldaya@gmail.com> to avoid the possibility of a
sidechannel timing attack during RSA private key generation.
Modify BN_gcd to become not visible under LIBRESSL_INTERNAL and force
the use of the _ct or _nonct versions of the function only within
the library.
ok jsing@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
matter for constant time, and make the public interface only used
external to the library.
This moves us to a model where the important things are constant time
versions unless you ask for them not to be, rather than the opposite.
I'll continue with this method by method.
Add regress tests for same.
ok jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move the "internal" BN functions from bn.h to bn_lcl.h and stop exporting
the bn_* symbols. These are documented as only being intended for internal
use, so why they were placed in a public header is beyond me...
This hides 363 previously exported symbols, most of which exist in headers
that are not installed and were never intended to be public. This also
removes a few crusty old things that should have died long ago (like
_ossl_old_des_read_pw). But don't worry... there are still 3451 symbols
exported from the library.
With input and testing from inoguchi@.
ok beck@ inoguchi@
|
| |
|
|
|
|
|
| |
uses a macro with multiple-evaluations of arguments (different amount
than the previous version..), but doug/bcook's inline version makes
BIGNUM not opaque [problem spotted by naddy]
ok doug
|
