Commit message

This simplifies the handling of the BN_MONT_CTX passed in and unifies the
exit paths. Also zap some particularly insightful comments by our favorite
captain.
ok jsing

(leaving out a dotasm comment that would become harder to read than it
already is)

Instead of doing a weird dance, set the sign on N in BN_RECP_CTX_create().
Since we're not exposing a general purpose calculator API, we can simplify.
ok jsing

There's no need for BN_mod_mul_reciprocal() to have this complication.
The caller knows when x == y, so place the burden on the caller. This
simplifies both the caller side and the implementation in bn_recp.c.
ok jsing

This introduces a BN_RECP_CTX_create() function that allocates and
populates the BN_RECP_CTX in a single call, without taking an unused
BN_CTX argument.
At the same time, make the N and Nr members BIGNUMs on the heap which
are allocated by BN_RECP_CTX_create() and freed by BN_RECP_CTX_free()
and remove the unnecessary flags argument.
Garbage collect the now unused BN_RECP_CTX_{new,init,set}().
ok jsing

Mark them LCRYPTO_UNUSED appropriately and remove the LIBRESSL_INTERNAL
guards around them
ok tb@

The former could be useful but nothing uses it. The latter is a
dangerous implementation detail of Montgomery exponentiation that
should never have been leaked out of the library. Fix this.
ok jsing

This function is very slow and useful for testing purposes only. It
should never have been part of the public API. Remove it from there.
ok jsing

If they ever had any meaning, that's long been lost.
Requested by jsing

This is basically the same fix as the one applied in BN_mod_exp_simple().

Reported and reminded by Guido Vranken in OpenSSL issue #21110
ok jsing

ok tb@

Anything taken to the power of 0 is 1, and then reduced mod 1 or mod -1 it
will be 0. If "anything" includes 0 or not is a matter of convention, but
it should not depend on the sign of the modulus...
Reported by Guido Vranken
ok jsing (who had the same diff)

This mostly only cleans up the mess that it was - which doesn't stand out
because of the horror that lurks in the rest of this file. It avoids
copying the partial calculation out on error and does away with some
other weirdness.
with/ok jsing

ok jsing

ok jsing

ok jsing

This removes a potential branch in a sensitive function and makes the
code a lot simpler. It is a really bad idea to optimize here for what
davidben aptly calls "calculator" purposes.
ok jsing

Negative bases could result in a negative modulus being returned. This is
not strictly speaking incorrect but slightly surprising. This is all a
consequence of the shortcut of defining BN_mod() as a macro using BN_div().
Fixes ossfuzz #55997
ok jsing

A negative input to BN_mod_exp_mont_consttime() is not correctly reduced,
remaining negative (when it should be in the range [0, m)). Fix this by
unconditionally calling BN_nnmod() on the input.
Fixes ossfuzz #55997.
ok tb@

No functional change intended.

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.
Adjust all .c files in libcrypto, libssl and regress.
The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.
discussed with jsing,
no objection bcook

Compiling with BN_DEBUG (and if you want to take it further, BN_DEBUG_RAND)
supposedly adds consistency checks to the BN code. These are rarely if ever
used and introduce a bunch of clutter in the code. Furthermore, there are
hacks in place to undo things that the debugging code does.
Remove all of this mess and instead rely on always enabled checks, more
readable code and proper regress coverage to ensure correct behaviour.
"Good riddance." tb@

Currently bn_expand()/bn_wexpand() return a BIGNUM *, however none of the
callers use this (and many already treat it as a true/false value).
Change these functions to return 0 on failure and 1 on success, revising
callers that test against NULL in the process.
ok tb@

If either of the two initial BN_CTX_get() fails, we will call
BN_RECP_CTX_free() on the uninitialized recp, which won't end
well, so hoist the BN_RECP_CTX_init() call a few lines up.
From Pauli, OpenSSL ad249412
ok inoguchi jsing

reduces conditional logic (-218, +82).
MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH cache alignment calculation bn/bn_exp.c
wasn't quite right. Two other tricky bits with ASN1_STRING_FLAG_NDEF and
BN_FLG_STATIC_DATA where the condition cannot be collapsed completely.
Passes regress. ok beck

as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

ok jsing@

matter for constant time, and make the public interface only used
external to the library.
This moves us to a model where the important things are constant time
versions unless you ask for them not to be, rather than the opposite.
I'll continue with this method by method.
Add regress tests for same.
ok jsing@

with some style cleanup after. no binary change
ok jsing@

Patch based on OpenSSL commit d7a854c055ff22fb7da80c3b0e7cb08d248591d0
"Performance penalty varies from platform to platform, and even
key length. For rsa2048 sign it was observed to reach almost 10%."
CVE-2016-0702
ok beck@

Don't dereference d when top is zero.
Original patch from OpenSSL commit d46e946d2603c64df6e1e4f9db0c70baaf1c4c03
ok jsing@

Don't dereference |d| when |top| is zero. Also test that various
BIGNUM methods behave correctly on zero/even inputs.
Original patch from OpenSSL commit d46e946d2603c64df6e1e4f9db0c70baaf1c4c03

ok miod@

The actual control flow is intentional while the indenting is incorrect.
This is intended to be a cosmetic change.
Verified that each of these was part of a KNF commit that wasn't intending
to change behavior. Also, double checked against the history of changes in
OpenSSL and BoringSSL.
Addresses Coverity CIDs: 78842, 78859, 78863.
ok tedu@

ok doug@ jsing@

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).
Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.
Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.
ok beck@ doug@

trunk

Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.
ok beck@ miod@

are needed in the source files that actually require them.
ok beck@ miod@

ok miod

through volatile pointers with explicit_bzero().
ok beck@ jsing@

eyeballed before applying. Contributed by Cyril Roelandt on tech@

Also check for _LP64 rather than __arch64__ (the former being more reliable
than __LP64__ or __arch64__) to tell 64-bit int platforms apart from 32-bit
int platforms.
Loosely based upon a diff from Martijn van Duren on tech@

OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free