path: root/src/lib/libcrypto/bn/bn_lib.c

Commit message | Author | Age | Files | Lines
* Provide bn_expand_bytes(). | jsing | 2024-04-16 | 1 | -1/+14
    This will be used in an upcoming change.
    ok tb@
* Rename bn_expand() to bn_expand_bits(). | jsing | 2024-04-16 | 1 | -5/+2
    Also change the bits type from int to size_t, since that's what the callers are passing and we can avoid unnecessary input validation.
    ok tb@
* Prevent negative zero from being created via BN bit functions. | jsing | 2024-04-15 | 1 | -1/+7
    Both BN_clear_bit() and BN_mask_bits() can create zero values - in both cases ensure that the negative sign is correctly handled if the value becomes zero.
    Thanks to Guido Vranken for providing a reproducer.
    Fixes oss-fuzz #67901
    ok tb@
* Remove various ${thing}_options | tb | 2023-07-28 | 1 | -21/+1
    Various, ancient ciphers exposed some of their innards via an _options() API. Apart from openssl version/speed, only some lua thingie in nmap ever looked at these. Go figure.
    hppa testing by miod, i386 testing by sthen. Thanks!
    ok jsing
* Hide symbols in bn | beck | 2023-07-08 | 1 | -1/+39
    ok tb@
* Provide and use bn_clzw() in place of bn_word_clz(). | jsing | 2023-06-21 | 1 | -2/+2
    On some architectures, we can provide an optimised (often single instruction) count-leading-zero implementation. In order to do this effectively, provide bn_clzw() as a static inline that can be replaced by an architecture specific version. The default implementation defers to the bn_word_clz() function (which may also be architecture specific).
    ok tb@
* Make BN_num_bits() independent of bn->top. | jsing | 2023-06-21 | 1 | -28/+3
    Provide bn_bitsize(), which performs a constant time scan of a BN in order to determine the bit size of the BN value. Use this for BN_num_bits() such that it is no longer dependent on the bn->top value.
    ok tb@
* Garbage collect BN_zero_ex() | tb | 2023-04-30 | 1 | -7/+1
* Remove the deprecated API from BN | tb | 2023-04-25 | 1 | -66/+1
* Move the BN_bn2bin()/BN_bin2bn() family to bn_convert.c | jsing | 2023-04-19 | 1 | -181/+1
* Move BN_options() from bn_convert.c to bn_lib.c | jsing | 2023-04-19 | 1 | -1/+20
* unifdef BN_RECURSION | jsing | 2023-04-19 | 1 | -49/+1
    This removes a bunch of incomplete and scary code, which potentially leaks secrets and is not constant time. A performance gain is achieved on arm64 for sizes that we care about, while a minimal decrease in performance is noted for larger sizes on some other platforms.
    While we will potentially reimplement Karatsuba (or Toom-Cook) at a later date, it will be easier and safer to do it from a clean slate.
    ok tb@
* Provide and use bn_copy_words() in BN_copy(). | jsing | 2023-04-14 | 1 | -31/+15
    This is simpler than the current code, while still being well optimised by compilers, across a range of architectures. In many cases we even get a performance gain for the BN sizes that we primarily care about.
    Joint work with tb@
* Pull static const data out of BN_value_one() | tb | 2023-04-01 | 1 | -7/+11
    Also use C99 initializers for readability.
    discussed with jsing
* Copy BN_FLG flags in BN_copy() | tb | 2023-03-31 | 1 | -1/+4
    BN_copy() forgot to copy the flags from the source to the target. Fix this by copying the flags. In fact, only copy BN_FLG_CONSTTIME since propagating BN_FLG_MALLOCED and BN_FLG_STATIC_DATA is wrong. Ignore the BN_FLG_FREE flag "used for debugging" which of course means "unused" like a lot of other debug code that somehow ended up in public headers.
    Also: make BN_FLG_CONSTTIME sticky on the target, i.e., don't clear the flag when copying from a non-constant time BIGNUM to a constant time one for the following reason: if a is constant time, BN_sqr(a, a, ctx) would use a BIGNUM without the flag internally, then copy the result to a in which process a would lose its constant time flag. Fixing this would be a lot of pointless work since someone had the good sense of not relying on a fragile flag for something this important. Rather, libcrypto always uses the constant time paths instead of the faster, cryptographically inadequate paths.
    Before this was changed, this was a pretty bad bug. The RSA code uses the horrible BN_with_flags() function to create local versions of the private moduli and set BN_FLG_CONSTTIME on them. If the RSA_FLAG_CACHE_PRIVATE for caching moduli is set on the RSA, which it is by default, it attempts to set these constant time versions on the RSA's internal Montgomery contexts. Since it is called BN_MONT_CTX_set(), the setter doesn't set a BIGNUM on the BN_MONT_CTX, rather it copies it over, losing the BN_FLG_CONSTTIME flag in the process and making all the horrible leaky RSA code leak some more. Good job.
    This is all harmless and is mostly a cosmetic fix. BN_FLG_CONSTTIME should be removed internally. It will be kept since various language bindings of course picked it up and expose it.
    ok beck jsing
* Replace the remaining BN_copy() with bn_copy() | tb | 2023-03-27 | 1 | -2/+2
    ok jsing
* Add bn_copy(), a sane wrapper of BN_copy() for internal use | tb | 2023-03-27 | 1 | -1/+7
    ok jsing
* Make BN_is_zero() check word values. | jsing | 2023-02-14 | 1 | -4/+9
    Rather than completely relying on top, check the words of a bignum. This gets us one step away from being dependent on top and additionally means that we correctly report zero even if top is not yet correct.
    ok tb@
* Reimplement BN_num_bits_word(). | jsing | 2023-02-14 | 1 | -20/+25
    Provide a simpler and more readable bn_word_clz() function that returns the number of leading zeros for a given BN_ULONG, then implement BN_num_bits_word() using bn_word_clz(). This is a hot path and bn_word_clz() can now be replaced with architecture specific versions where possible.
    ok tb@
* Make BN_set_negative() closer to constant time. | jsing | 2023-02-14 | 1 | -2/+3
    ok tb@
* Simplify BN_set_negative(). | jsing | 2023-02-13 | 1 | -6/+3
    ok tb@
* Greatly simplify bn_expand_internal(). | jsing | 2023-01-14 | 1 | -103/+26
    We have a function called recallocarray() - make use of it rather than handrolling a version of it. Also have bn_expand() call bn_wexpand(), which avoids some duplication.
    ok tb@
* Rewrite/simplify BN_free(). | jsing | 2023-01-07 | 1 | -10/+12
    ok tb@
* Flip BN_clear_free() and BN_free() | jsing | 2023-01-07 | 1 | -4/+4
    All of our BIGNUMs are cleared when we free them - move the code to BN_free() and have BN_clear_free() call BN_free(), rather than the other way around.
    ok tb@
* Use calloc() in BN_new(), rather than malloc() and then manually zeroing. | jsing | 2023-01-07 | 1 | -10/+7
    ok tb@
* Simplify BN_cmp() and BN_ucmp(). | jsing | 2022-12-23 | 1 | -46/+15
    The only real difference between BN_cmp() and BN_ucmp() is that one has to respect the sign of the BN (although BN_cmp() also gets to deal with some insanity from accepting NULLs).
    Rewrite/cleanup BN_ucmp() and turn BN_cmp() into code that handles differences in sign, before calling BN_ucmp().
    ok tb@
* Provide BN_zero()/BN_one() as functions and make BN_zero() always succeed. | jsing | 2022-12-17 | 1 | -3/+14
    BN_zero() is currently implemented using BN_set_word(), which means it can fail, however almost nothing ever checks the return value. A long time ago OpenSSL changed BN_zero() to always succeed and return void, however kept BN_zero as a macro that calls a new BN_zero_ex() function, so that it can be switched back to the "can fail" version.
    Take a simpler approach - change BN_zero()/BN_one() to functions and make BN_zero() always succeed. This will be exposed in the next bump, at which point we can hopefully also remove the BN_zero_ex() function.
    ok tb@
* Rewrite bn_correct_top(). | jsing | 2022-11-30 | 1 | -1/+8
    bn_correct_top() is currently a macro and far more complex than it needs to be - rewrite it as a function.
    ok tb@
* Fix return values bug in BN_ucmp(). | jsing | 2022-11-30 | 1 | -4/+6
    BN_ucmp() is supposed to return -1/0/1 on a < b, a == b and a > b, however it currently returns other negative and positive values when the top of a and b differ. Correct this.
    ok tb@
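Why a sign left on a zero matters, and why the comparison must return exactly -1/0/1 (this commit, the 2022-12-23 BN_cmp()/BN_ucmp() rewrite above it, and the 2024-04-15 negative-zero fix at the top of the log), shown in an added C example. This is not code from bn_lib.c: toy_bn and the toy_* functions are ours, the struct keeps only the d/top/neg fields of a BIGNUM, and 64-bit limbs are assumed. The bit-clearing routines recompute top and drop the sign when the value reaches zero; without that step, toy_cmp() reports a negative zero as less than zero.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy bignum with the BIGNUM fields that matter here: little-endian words
 * d[0..top-1], top = words in use, neg = sign. Names are ours, not libcrypto's;
 * 64-bit limbs are assumed. */
typedef uint64_t BN_ULONG;
#define BN_BITS2 64

typedef struct {
	BN_ULONG d[4];
	int top;
	int neg;
} toy_bn;

/* Drop leading zero words and, if nothing is left, clear the sign: a zero
 * with neg set would otherwise compare as less than zero (see toy_cmp). */
static void toy_correct_top(toy_bn *a)
{
	while (a->top > 0 && a->d[a->top - 1] == 0)
		a->top--;
	if (a->top == 0)
		a->neg = 0;
}

/* Set a to the single word w with the given sign; zero is normalised. */
static void toy_set_word(toy_bn *a, BN_ULONG w, int neg)
{
	memset(a, 0, sizeof(*a));
	a->d[0] = w;
	a->top = w != 0;
	a->neg = neg;
	toy_correct_top(a);
}

/* Keep only the low n bits of |a| (BN_mask_bits() convention: 0 when n is not
 * below the current size, 1 otherwise), fixing the sign if the value hit zero. */
static int toy_mask_bits(toy_bn *a, int n)
{
	int w = n / BN_BITS2, b = n % BN_BITS2;

	if (n < 0 || w >= a->top)
		return 0;
	if (b == 0)
		a->top = w;
	else {
		a->top = w + 1;
		a->d[w] &= ((BN_ULONG)1 << b) - 1;
	}
	toy_correct_top(a);
	return 1;
}

/* Clear bit n of |a| (BN_clear_bit() convention), with the same sign fix-up. */
static int toy_clear_bit(toy_bn *a, int n)
{
	int w = n / BN_BITS2, b = n % BN_BITS2;

	if (n < 0 || w >= a->top)
		return 0;
	a->d[w] &= ~((BN_ULONG)1 << b);
	toy_correct_top(a);
	return 1;
}

/* Unsigned compare returning exactly -1, 0 or 1. Returning a->top - b->top
 * when the tops differ (the bug fixed above) breaks callers testing == 1. */
static int toy_ucmp(const toy_bn *a, const toy_bn *b)
{
	int i;

	if (a->top != b->top)
		return a->top > b->top ? 1 : -1;
	for (i = a->top - 1; i >= 0; i--)
		if (a->d[i] != b->d[i])
			return a->d[i] > b->d[i] ? 1 : -1;
	return 0;
}

/* Signed compare: settle the signs first, then defer to toy_ucmp(). */
static int toy_cmp(const toy_bn *a, const toy_bn *b)
{
	if (a->neg != b->neg)
		return a->neg ? -1 : 1;
	if (a->neg)
		return toy_ucmp(b, a);	/* both negative: bigger magnitude is smaller */
	return toy_ucmp(a, b);
}

int main(void)
{
	toy_bn a, z;

	toy_set_word(&a, 0x100, 1);	/* constructed input: -256 */
	toy_set_word(&z, 0, 0);
	toy_clear_bit(&a, 8);		/* -256 with bit 8 cleared must become +0 */
	printf("neg=%d top=%d cmp=%d\n", a.neg, a.top, toy_cmp(&a, &z));
	return 0;
}
```

Deleting the `if (a->top == 0) a->neg = 0;` line in toy_correct_top() reproduces the pre-fix behaviour: clearing the only set bit of a negative value leaves neg set, and toy_cmp() then returns -1 against zero, which is the kind of inconsistency a fuzzer reproducer exposes.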
* Mop up more BN_DEBUG related code. | jsing | 2022-11-30 | 1 | -6/+1
* Make internal header file names consistent | tb | 2022-11-26 | 1 | -2/+2
    Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
    Similarly, move dtls_locl.h and ssl_locl.h to dtls_local.h and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special.
    Adjust all .c files in libcrypto, libssl and regress. The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually.
    discussed with jsing, no objection bcook
* Remove BIGNUM consistency macros. | jsing | 2022-11-26 | 1 | -32/+1
    Compiling with BN_DEBUG (and if you want to take it further, BN_DEBUG_RAND) supposedly adds consistency checks to the BN code. These are rarely if ever used and introduce a bunch of clutter in the code. Furthermore, there are hacks in place to undo things that the debugging code does.
    Remove all of this mess and instead rely on always enabled checks, more readable code and proper regress coverage to ensure correct behaviour.
    "Good riddance." tb@
* Change bn_expand()/bn_wexpand() to indicate failure/success via 0/1. | jsing | 2022-11-24 | 1 | -18/+18
    Currently bn_expand()/bn_wexpand() return a BIGNUM *, however none of the callers use this (and many already treat it as a true/false value). Change these functions to return 0 on failure and 1 on success, revising callers that test against NULL in the process.
    ok tb@
* Use bn_wexpand() rather than bn_expand() with sizeof(BN_ULONG). | jsing | 2022-11-23 | 1 | -2/+2
    This also fixes a bug in BN_MONT_CTX_set(), where the sizeof(BN_ULONG) in the call to bn_expand() was not multiplied by eight (to get bits).
    ok tb@
* Ensure that bn_expand()/bn_wexpand() fail on negative sizes. | jsing | 2022-11-23 | 1 | -1/+7
    ok tb@
* Turn bn_wexpand() into a function. | jsing | 2022-11-23 | 1 | -2/+11
    Any sensible compiler will likely inline this anyway (and even if it does not, one extra function call/return is the least of the performance overhead for this code).
    ok tb@
* Move bn_expand() under bn_expand2(). | jsing | 2022-11-23 | 1 | -13/+13
    No functional change.
    ok tb@
* Remove unused bn_dup_expand(). | jsing | 2022-11-23 | 1 | -53/+1
    ok tb@
* Move #ifndef OPENSSL_NO_DEPRECATED. | jsing | 2022-11-23 | 1 | -21/+21
    The BN_set_params()/BN_get_params() and associated unused variables are meant to be in this block, not things like BN_new() and BN_free().
    ok tb@
* Prepare to provide BN_security_bits() | tb | 2022-06-27 | 1 | -1/+32
    ok beck jsing
* Pull BN_{new,init,clear,clear_free,free} up to the top of bn_lib.c | jsing | 2021-12-27 | 1 | -58/+58
    Discussed with tb@
* Implement the BN_is_negative macro as a function | tb | 2021-12-04 | 1 | -1/+7
    ok inoguchi jsing
* Provide function implementations for various BN_* macros | tb | 2021-12-04 | 1 | -1/+39
    BN_abs_is_word, BN_is_{zero,one,word,odd}, BN_one, BN_zero_ex are now implemented as functions for internal use. They will be exposed publicly to replace the macros reaching into BIGNUM in the next bump.
    ok inoguchi jsing
* Provide replacement functions for the BN_{get,set,with}_flags() macros. | tb | 2021-12-04 | 1 | -1/+25
    ok inoguchi jsing
* Provide replacement functions for the BN_GENCB_set{,_old}() macros | tb | 2021-12-04 | 1 | -1/+19
    The function implementations are necessary to make BIGNUM opaque. They will be used in libcrypto internally until they will replace the macro implementations with the next bump.
    ok inoguchi jsing
* Prepare to provide BN_bn2{,le}binpad() and BN_lebin2bn() | tb | 2021-09-08 | 1 | -8/+131
    As found by jsg and patrick, this is needed for newer uboot and will also be used in upcoming elliptic curve work. This is from OpenSSL 1.1.1l with minor style tweaks.
    ok beck inoguchi
* Make BN_num_bits_word() constant time. | tb | 2019-06-17 | 1 | -48/+18
    Previously, this function would leak the most significant word of its argument due to branching and memory access pattern. This patch is enough to fix the use of BN_num_bits() on RSA prime factors in the library.
    The diff is a simplified and more readable (but perhaps less efficient) version of https://github.com/openssl/openssl/commit/972c87df by Andy Polyakov and David Benjamin (pre license change). Consult that commit message for details.
    Subsequent fixes to follow in the near future.
    Issue pointed out by David Schrammel and Samuel Weiser as part of a larger report.
    tests & ok inoguchi, ok jsing
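An added example of the technique this commit describes, also covering the later bn_word_clz()/bn_clzw() and bn_bitsize() changes higher up the log and the BN_is_zero() word check: a bit-length computation whose branch pattern and memory accesses do not depend on the value. This is our own C, not the libcrypto implementation nor the referenced OpenSSL commit; the ct_* names are ours and 64-bit limbs are assumed. A compiler may still turn the masked selects back into branches, so the generated code for a given build should be inspected before relying on it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t BN_ULONG;	/* assumes 64-bit limbs, as on LP64 */
#define BN_BITS2 64

/* All-ones if w != 0, all-zeros otherwise, computed without a branch on w:
 * for any non-zero w, either w or -w (mod 2^64) has the top bit set. */
static BN_ULONG ct_mask_nonzero(BN_ULONG w)
{
	return (BN_ULONG)0 - ((w | ((BN_ULONG)0 - w)) >> (BN_BITS2 - 1));
}

/* mask ? a : b, with mask all-ones or all-zeros, again without branching. */
static BN_ULONG ct_select(BN_ULONG mask, BN_ULONG a, BN_ULONG b)
{
	return (a & mask) | (b & ~mask);
}

/* Bit length of w (0 for w == 0). A fixed six-step binary search: at each
 * step the candidate upper half is taken only under a mask, so the sequence
 * of instructions and memory accesses is the same for every input. */
static int ct_num_bits_word(BN_ULONG w)
{
	int bits = 0, s;

	for (s = BN_BITS2 / 2; s > 0; s >>= 1) {
		BN_ULONG hi = w >> s;
		BN_ULONG mask = ct_mask_nonzero(hi);

		w = ct_select(mask, hi, w);
		bits += (int)((BN_ULONG)s & mask);
	}
	return bits + (int)w;		/* w is now 0 or 1 */
}

/* Bit size of the n-word little-endian array d[]. Every word is visited and
 * the highest non-zero word plus its index are carried along under masks, so
 * the answer does not depend on a possibly stale top and the scan is
 * data-oblivious. */
static size_t ct_num_bits(const BN_ULONG *d, size_t n)
{
	BN_ULONG w = 0, idx = 0;
	size_t i;

	for (i = 0; i < n; i++) {
		BN_ULONG mask = ct_mask_nonzero(d[i]);

		w = ct_select(mask, d[i], w);
		idx = ct_select(mask, (BN_ULONG)i, idx);
	}
	return (size_t)idx * BN_BITS2 + (size_t)ct_num_bits_word(w);
}

/* 1 if all n words are zero, else 0: OR the words instead of trusting top. */
static int ct_is_zero(const BN_ULONG *d, size_t n)
{
	BN_ULONG acc = 0;
	size_t i;

	for (i = 0; i < n; i++)
		acc |= d[i];
	return (int)(1 - (ct_mask_nonzero(acc) & 1));
}

int main(void)
{
	/* constructed sample: the value 0xff << 64 held in four words */
	const BN_ULONG d[4] = { 0, 0xff, 0, 0 };

	printf("bits(1<<63)=%d bits(d)=%zu zero(d)=%d\n",
	    ct_num_bits_word((BN_ULONG)1 << 63), ct_num_bits(d, 4),
	    ct_is_zero(d, 4));
	return 0;
}
```

The leak the commit describes comes from an early exit or a table lookup indexed by the word: an observer timing BN_num_bits() on an RSA factor learns where its top bit lies. The masked search above does the same six steps for 0 and for 2^63, and the array scan never stops early at the first non-zero word.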
* Add range checks to various ASN1_INTEGER functions to ensure the | beck | 2019-03-23 | 1 | -1/+3
    sizes used remain a positive integer. Should address issue 13799 from oss-fuzz
    ok tb@ jsing@
* Use a size_t instead of an int for the byte count in BN_swap_ct(). | tb | 2018-07-23 | 1 | -6/+9
    Since bignums use ints for the same purpose, this still uses an int internally after an overflow check.
    Suggested by and discussed with jsing.
    ok inoguchi, jsing
* Eliminate the weird condition in the BN_swap_ct() API that at most one bit | tb | 2018-07-13 | 1 | -3/+3
    be set in condition. This makes the constant time bit-twiddling a bit trickier, but it's not too bad.
    Thanks to halex for an extensive rubber ducking session over a non-spicy spicy tabouleh falafel.
    ok jsing, kn
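The two BN_swap_ct() changes above (accepting any non-zero condition rather than a single set bit, and taking the word count as a size_t with an overflow check before it is used as an int) in an added C example. toy_bn, toy_swap_ct() and the ct_* helpers are our names; this is not libcrypto's code. It assumes 64-bit limbs and that both operands already have nwords words allocated. The swap XORs every word under an all-ones or all-zeros mask derived from the condition, so the same instructions touch the same memory whether or not the values change.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t BN_ULONG;	/* assumes 64-bit limbs */
#define BN_BITS2 64

/* Toy BIGNUM: caller-allocated words d[], words in use, sign. Our names. */
typedef struct {
	BN_ULONG *d;
	int top;
	int neg;
} toy_bn;

/* All-ones if condition != 0, all-zeros otherwise, without branching. This is
 * what lets the caller pass any non-zero condition, not just a single set bit. */
static BN_ULONG ct_mask_nonzero(BN_ULONG condition)
{
	return (BN_ULONG)0 - ((condition | ((BN_ULONG)0 - condition)) >> (BN_BITS2 - 1));
}

/* Swap two ints under the mask with the XOR trick, via unsigned arithmetic. */
static void ct_swap_int(BN_ULONG mask, int *x, int *y)
{
	BN_ULONG ux = (unsigned int)*x, uy = (unsigned int)*y;
	BN_ULONG t = (ux ^ uy) & mask;

	*x = (int)(unsigned int)(ux ^ t);
	*y = (int)(unsigned int)(uy ^ t);
}

/* Swap a and b iff condition != 0, touching the same words in the same order
 * either way. Both must have at least nwords words allocated. nwords is a
 * size_t at the API, but the struct counts words in an int, so anything that
 * does not fit an int is rejected up front. Returns 1 on success, 0 if rejected. */
static int toy_swap_ct(BN_ULONG condition, toy_bn *a, toy_bn *b, size_t nwords)
{
	BN_ULONG mask, t;
	size_t i;

	if (nwords > INT_MAX)
		return 0;
	mask = ct_mask_nonzero(condition);
	for (i = 0; i < nwords; i++) {
		t = (a->d[i] ^ b->d[i]) & mask;
		a->d[i] ^= t;
		b->d[i] ^= t;
	}
	/* top and neg travel with the words, or a swapped value would be misread */
	ct_swap_int(mask, &a->top, &b->top);
	ct_swap_int(mask, &a->neg, &b->neg);
	return 1;
}

int main(void)
{
	/* constructed sample operands: +{1,2} (two words) and -{3} (one word) */
	BN_ULONG ad[2] = { 1, 2 }, bd[2] = { 3, 4 };
	toy_bn a = { ad, 2, 0 }, b = { bd, 1, 1 };

	toy_swap_ct(0x40, &a, &b, 2);	/* any non-zero condition swaps */
	printf("a = {%llx,%llx} top=%d neg=%d\n", (unsigned long long)a.d[0],
	    (unsigned long long)a.d[1], a.top, a.neg);
	return 0;
}
```

A condition such as 0x40 or a comparison result that is not normalised to 0/1 now swaps correctly; with the old "at most one bit set" contract a caller passing such a value would have got an undefined mask. As with any constant-time C, check the compiler did not turn the masked XOR into a conditional jump.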