path: root/src/lib/libcrypto/bn/bn_local.h

Commit log (each entry: commit message title, then author, age, files changed, lines -/+):
* bn: add internal BN_MONT_CTX_create() (tb, 2025-02-13, 1 file, -1/+3)
  This does what the public BN_MONT_CTX_new() should have done in the first place rather than doing the toolkit thing of returning an invalid object that you need to figure out how to populate and with what because the docs are abysmal. It takes the required arguments and calls BN_MONT_CTX_set(), which all callers do immediately after _new() (except for DSA which managed to squeeze 170 lines of garbage between the two calls). ok jsing
* Rename BN_mod_exp_recp() to BN_mod_exp_reciprocal() (tb, 2025-02-12, 1 file, -2/+2)
  (leaving out a dotasm comment that would become harder to read than it already is)
* Rename BN_div_recp() into BN_div_reciprocal() (tb, 2025-01-22, 1 file, -3/+3)
  Requested by jsing
* Split BN_mod_sqr_reciprocal() out of BN_mod_mul_reciprocal() (tb, 2025-01-22, 1 file, -1/+3)
  There's no need for BN_mod_mul_reciprocal() to have this complication. The caller knows when x == y, so place the burden on the caller. This simplifies both the caller side and the implementation in bn_recp.c. ok jsing
* Move BN_RECP_CTX to the heap (tb, 2025-01-21, 1 file, -15/+4)
  This introduces a BN_RECP_CTX_create() function that allocates and populates the BN_RECP_CTX in a single call, without taking an unused BN_CTX argument. At the same time, make the N and Nr members BIGNUMs on the heap which are allocated by BN_RECP_CTX_create() and freed by BN_RECP_CTX_free() and remove the unnecessary flags argument. Garbage collect the now unused BN_RECP_CTX_{new,init,set}(). ok jsing
* BN_div_recp() can't be static since it is directly exercised by bn_test.c (tb, 2025-01-06, 1 file, -1/+3)
* Shuffle functions into a more sensible order (tb, 2025-01-06, 1 file, -5/+1)
  BN_reciprocal() is only called by BN_div_recp() which in turn is only called by BN_mod_mul_reciprocal(). So use this order and make the first two static.
* Provide bn_expand_bytes(). (jsing, 2024-04-16, 1 file, -1/+2)
  This will be used in an upcoming change. ok tb@
* Rename bn_expand() to bn_expand_bits(). (jsing, 2024-04-16, 1 file, -2/+2)
  Also change the bits type from int to size_t, since that's what the callers are passing and we can avoid unnecessary input validation. ok tb@
* Remove the prototype of BN_gcd_nonct() (tb, 2024-04-10, 1 file, -2/+1)
* Make BN_mod_exp2_mont() and BN_mod_exp_mont_word() internal (tb, 2024-03-02, 1 file, -1/+7)
  The former could be useful but nothing uses it. The latter is a dangerous implementation detail of Montgomery exponentiation that should never have been leaked out of the library. Fix this. ok jsing
* Make BN_mod_exp_simple() internal (tb, 2024-03-02, 1 file, -1/+4)
  This function is very slow and useful for testing purposes only. It should never have been part of the public API. Remove it from there. ok jsing
* Move bn_blind.c to rsa_blinding.c (tb, 2023-08-09, 1 file, -9/+1)
  discussed with jsing
* Make declaration and definition of BN_BLINDING_new() match. (tb, 2023-08-09, 1 file, -2/+2)
  Also, make mod const.
* Merge BN_BLINDING_create_param() into BN_BLINDING_new() (tb, 2023-08-09, 1 file, -5/+4)
* Unwrap a line (tb, 2023-08-09, 1 file, -3/+2)
* Drop the unused BN_BLINDING argument of BN_BLINDING_create_param() (tb, 2023-08-08, 1 file, -3/+2)
* Make the bn_rand_interval() API a bit more ergonomic (tb, 2023-08-03, 1 file, -2/+3)
  Provide bn_rand_in_range() which is a slightly tweaked version of what was previously called bn_rand_range(). The way bn_rand_range() is called in libcrypto, the lower bound is always expressible as a word. In fact, most of the time it is 1, the DH code uses a 2, the MR tests in BPSW use 3 and an exceptionally high number appears in the Tonelli-Shanks implementation where we use 32. Converting these lower bounds to BIGNUMs on the call site is annoying so let bn_rand_interval() do that internally and route that through bn_rand_in_range(). This way we can avoid using BN_sub_word(). Adjust the bn_isqrt() test to use bn_rand_in_range() since that's the only caller that uses actual BIGNUMs as lower bounds. ok jsing
* Drop the _ex from BN_BLINDING_{convert,invert}_ex() (tb, 2023-08-02, 1 file, -3/+3)
* Remove the unused BN_BLINDING_{convert,invert}() (tb, 2023-08-02, 1 file, -3/+1)
  ok jsing
* Make BN_BLINDING_{new,update}() static in bn_blind.c (tb, 2023-08-02, 1 file, -3/+1)
  ok jsing
* Remove the unused flags member of BN_BLINDING (tb, 2023-08-02, 1 file, -5/+1)
  Nothing sets this, so remove it along with BN_BLINDING_NO_{UPDATE,RECREATE} and some checks that are always true. ok jsing
* Remove the unused flags accessors for BN_BLINDING (tb, 2023-08-02, 1 file, -3/+1)
  ok jsing
* Make BN_BLINDING internal (tb, 2023-07-28, 1 file, -1/+22)
  RSA is pretty bad. In my most optimistic moments I dream of a world that stopped using it. That won't happen during my lifetime, unfortunately. Blinding is one way of making it a little less leaky. Unfortunately this side-channel leak mitigation leaked out of the library for no good reason. Let's at least fix that aspect of it. ok jsing
* Refactor BN_bn2hex() (tb, 2023-07-09, 1 file, -1/+4)
  Various outputting functions are variants of BN_bn2hex(). They do not want a sign or they display the BIGNUM at nibble granularity instead of byte granularity. So add this functionality to an internal variant of BN_bn2hex(). with/ok jsing
* Add bn_printf(), a replacement for ASN1_bn_print() (tb, 2023-07-06, 1 file, -1/+5)
  ASN1_bn_print() will be removed in an upcoming bump. This adds an internal API that covers the same functionality but doesn't require that the caller pass in a sufficiently large scratch space that ASN1_bn_print() may or may not use. In addition, this takes a format string, which allows us to ditch some extra dances. ok jsing
* Rewrite and simplify bn_sqr()/bn_sqr_normal(). (jsing, 2023-06-24, 1 file, -2/+1)
  Rework bn_sqr()/bn_sqr_normal() so that it is less convoluted and more readable. Instead of recomputing values that the caller has already computed, pass it as an argument. Avoid branching and remove duplication of variables. Consistently use a_len and r_len naming for lengths. ok tb@
* Make BN_num_bits() independent of bn->top. (jsing, 2023-06-21, 1 file, -3/+1)
  Provide bn_bitsize(), which performs a constant time scan of a BN in order to determine the bit size of the BN value. Use this for BN_num_bits() such that it is no longer dependent on the bn->top value. ok tb@
* Add Miller-Rabin test for random bases to BPSW (tb, 2023-05-10, 1 file, -2/+2)
  The behavior of the BPSW primality test for numbers > 2^64 is not very well understood. While there is no known composite that passes the test, there are heuristics that indicate that there are likely infinitely many. Therefore it seems appropriate to harden the test. Having a settable number of MR rounds before doing a version of BPSW is also the approach taken by Go's primality check in math/big.

  This adds a new implementation of the old MR test that runs before running the strong Lucas test. I like to imagine that it's slightly cleaner code. We're effectively at about twice the cost of what we had a year ago. In addition, it adds some non-determinism in case there actually are false positives for the BPSW test.

  The implementation is straightforward. It could easily be tweaked to use the additional gcds in the "enhanced" MR test of FIPS 186-5, but as long as we are only going to throw away the additional info, that's not worth much.

  This is a first step towards incorporating some of the considerations in "A performant misuse-resistant API for Primality Testing" by Massimo and Paterson. Further work will happen in tree. In particular, there are plans to crank the number of Miller-Rabin tests considerably so as to have a guaranteed baseline. The manual will be updated shortly.

  positive feedback beck ok jsing
* BN_RECP_CTX moves to internal (tb, 2023-04-25, 1 file, -3/+3)
* Move a few now internal prototypes to bn_local.h (tb, 2023-04-25, 1 file, -1/+16)
* unifdef BN_RECURSION (jsing, 2023-04-19, 1 file, -9/+1)
  This removes a bunch of incomplete and scary code, which potentially leaks secrets and is not constant time. A performance gain is achieved on arm64 for sizes that we care about, while a minimal decrease in performance is noted for larger sizes on some other platforms. While we will potentially reimplement Karatsuba (or Toom-Cook) at a later date, it will be easier and safer to do it from a clean slate. ok tb@
* Add bn_copy(), a sane wrapper of BN_copy() for internal use (tb, 2023-03-27, 1 file, -1/+3)
  ok jsing
* Replace bn_sub_part_words() with bn_sub(). (jsing, 2023-02-22, 1 file, -3/+1)
  Now that bn_sub() handles word arrays with potentially different lengths, we no longer need bn_sub_part_words() - call bn_sub() instead. This allows us to entirely remove the unnecessarily complex bn_sub_part_words() code. ok tb@
* Rework bn_add()/bn_sub() to operate on word arrays. (jsing, 2023-02-22, 1 file, -1/+6)
  Rather than working on BIGNUMs, change bn_add()/bn_sub() to operate on word arrays that potentially differ in length. This matches the behaviour of s2n-bignum's bignum_add() and bignum_sub(). ok tb@
* Rewrite and simplify BN_MONT_CTX_set() (jsing, 2023-02-22, 1 file, -7/+8)
  OpenSSL commit 4d524040bc8 changed BN_MONT_CTX_set() so that it computed a 64 bit N^-1 on both BN_BITS2 == 32 and BN_BITS2 == 64 platforms. However, the way in which this was done was to duplicate half the code and wrap it in #ifdef. Rewrite this code to use a single code path on all platforms, with #ifdef being limited to setting an additional word in the temporary N and storing the result on BN_BITS2 == 32 platforms. Also remove stack based BIGNUM in favour of using the already present BN_CTX. ok tb@
* Unifdef MONT_WORD. (jsing, 2023-02-21, 1 file, -4/+2)
  It does not make sense to use code that is slower, currently broken and prevents the use of assembly Montgomery implementations. This is the result of `unifdef -m -DMONT_WORD`, followed by some manual clean up and the removal of the Ni bignum from BN_MONT_CTX (which was only used in the non-MONT_WORD case). ok miod@ tb@
* Move BN_MONT_CTX back to bn_local.h for now. It's still used by bn_exp.c (tb, 2023-02-19, 1 file, -1/+13)
* Move struct bn_mont_ctx_st from bn_local.h to bn_mont.c. (jsing, 2023-02-19, 1 file, -13/+1)
  No code outside of bn_mont.c needs access to it. ok tb@
* Remove now unused tangle of mul*/sqr* and BN_UMULT_* macros. (jsing, 2023-02-17, 1 file, -251/+1)
  No, I'm not trying to overwhelm you... however, we really no longer need this clutter. ok tb@
* Enable s2n-bignum word_clz() on amd64. (jsing, 2023-02-16, 1 file, -1/+3)
  The BN_num_bits_word() function is a hot path, being called more than 80 million times during a libcrypto regress run. The word_clz() implementation uses five instructions to do the same as the generic code that uses more than 60 instructions. Discussed with tb@
* Remove the misnamed and now unused mul, mul_add and mul_add_c macros. (jsing, 2023-02-14, 1 file, -122/+2)
  There were only three versions of each one... ok tb@
* Clean up bn_sqr_words() (jsing, 2023-02-09, 1 file, -19/+1)
  Currently there are two versions of bn_sqr_words(), which call the sqr or sqr64 macro. Replace this with a single version that calls bn_umul_hilo() and remove the various implementations of the sqr macro. The only slight downside is that sqr64 does three multiplications instead of four, given that the second and third terms are identical. However, this is a minimal gain for the amount of duplication and entanglement it introduces. ok tb@
* Turn BN_mod_{ct,nonct}() into symbols. (jsing, 2023-02-03, 1 file, -5/+6)
  Also use accurate/useful variable names. ok tb@
* Provide bn_div_rem_words() and make use of it. (jsing, 2023-01-28, 1 file, -3/+7)
  Provide a function that divides a double word (h:l) by d, returning the quotient q and the remainder r, such that q * d + r is equal to the numerator. Call this from the three places that currently implement this themselves. This is implemented with some slight indirection, which allows for per architecture implementations, replacing the define/macro tangle, which messes with variables that are not passed to it. Also remove a duplicate of bn_div_words() for the BN_ULLONG && BN_DIV2W case - this is already handled. ok tb@
* Move {mul,sqr}_add_c{,2} macros from bn_asm.c to bn_local.h. (jsing, 2023-01-20, 1 file, -3/+153)
  These depend on other macros that are already in bn_local.h and this makes them available to other source files. A lot more clean up will be needed in the future. Of course x86_64-gcc.c makes use of the same macro names - sprinkle some undef in there for the time being. ok tb@
* Remove unused code. (jsing, 2023-01-20, 1 file, -9/+3)
  ok tb@
* Rewrite bn_correct_top(). (jsing, 2022-11-30, 1 file, -13/+2)
  bn_correct_top() is currently a macro and far more complex than it needs to be - rewrite it as a function. ok tb@
* Make header guards of internal headers consistent (tb, 2022-11-26, 1 file, -4/+4)
  Not all of them, only those that didn't leak into a public header... Yes.
* Make internal header file names consistent (tb, 2022-11-26, 1 file, -0/+567)
  Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special. Adjust all .c files in libcrypto, libssl and regress. The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually. discussed with jsing, no objection bcook