| Commit message | Author | Age | Files | Lines |
ok jsing
ok jsing
This does what the public BN_MONT_CTX_new() should have done in the first
place rather than doing the toolkit thing of returning an invalid object
that you need to figure out how to populate and with what because the docs
are abysmal.
It takes the required arguments and calls BN_MONT_CTX_set(), which all
callers do immediately after _new() (except for DSA which managed to
squeeze 170 lines of garbage between the two calls).
ok jsing
No functional change.
ok tb@
Factor out and optimise the inner loop for Montgomery multiplication,
making use of bn_qwmulw_addqw_addw() to perform Montgomery multiplication
by one word in larger steps. This provides a significant performance gain,
especially on platforms where bn_qwmulw_addqw_addw() is (or can be)
optimised.
ok tb@
Pull a number of invariants into variables, which avoids repeated loading
from memory on architectures where sufficient registers are available.
Also keep track of the per-iteration carry in a variable, rather than
unnecessarily reading from and writing to memory.
This gives a reasonable performance gain on some architectures (e.g. armv7).
ok jsing
ok jsing
Rather than calling bn_mul_add_words() twice - once to multiply and once
to reduce - perform the multiplication and reduction in a single pass using
bn_mulw_addw_addw() directly. Also simplify the addition of the resulting
carries, which in turn allows us to avoid zeroing the top half of the
temporary words.
This provides a ~20-25% performance improvement for RSA operations on
aarch64.
ok tb@
The assembly bn_mul_mont() implementations effectively use alloca() to
allocate space for computation (at up to 8x the input size), without
any limitation. This means that sufficiently large inputs lead to the
stack being blown. Prevent this by using the C based implementation
instead.
Thanks to Jiayi Lin <jlin139 at asu dot edu> for reporting this to us.
ok beck@ tb@
Provide a constant-time-style Montgomery multiplication implementation.
Use this in place of the assembly bn_mul_mont() on platforms that either
do not have an assembly implementation or have not compiled it in.
Also use this as the fallback version for bn_mul_mont(), rather than
falling back to a non-constant time implementation.
ok beck@ tb@
Pull out the simplistic implementation (using BN_mul() or BN_sqr()) into a
bn_mod_mul_montgomery_simple() function. Provide bn_mod_mul_montgomery()
with an implementation that changes depending on if the assembly
bn_mul_mont() is available or not. Turn BN_mod_mul_montgomery() and
BN_to_montgomery() into callers of bn_mod_mul_montgomery().
ok beck@ tb@
This came from bn_asm.c and did not even compile until recently.
ok beck@ tb@
Rename BN_from_montgomery_word() to bn_montgomery_reduce() and rewrite it
to be simpler and clearer, moving further towards constant time in the
process. Clean up BN_from_montgomery() in the process.
ok tb@
Requested by tb@
OpenSSL commit 4d524040bc8 changed BN_MONT_CTX_set() so that it computed
a 64 bit N^-1 on both BN_BITS2 == 32 and BN_BITS2 == 64 platforms. However,
the way in which this was done was to duplicate half the code and wrap it
in #ifdef.
Rewrite this code to use a single code path on all platforms, with #ifdef
being limited to setting an additional word in the temporary N and storing
the result on BN_BITS2 == 32 platforms. Also remove stack based BIGNUM in
favour of using the already present BN_CTX.
ok tb@
ok tb@
It does not make sense to use code that is slower, currently broken and
prevents the use of assembly Montgomery implementations.
This is the result of `unifdef -m -DMONT_WORD`, followed by some manual
clean up and the removal of the Ni bignum from BN_MONT_CTX (which was only
used in the non-MONT_WORD case).
ok miod@ tb@
Rewrite and simplify BN_MONT_CTX_set_locked - in particular, only hold the
lock for a short period of time, rather than holding a write lock for a
module across an expensive operation.
ok tb@
Use calloc() rather than malloc() with manual initialisation of all struct
members to zero, use memset() instead of manually initialising all struct
members to zero, use consistent naming, use BN_free() instead of
BN_clear_free() (since it is the same thing).
ok tb@
No code outside of bn_mont.c needs access to it.
ok tb@
Whenever setting negative to one (or when it could potentially be one),
always use BN_set_negative() since it checks for a zero valued bignum and
will not permit negative to be set in this case. Since BN_is_zero()
currently relies on top == 0, call BN_set_negative() after top has been
set (or bn_correct_top() has been called).
This fixes a long standing issue where -0 and +0 have been permitted,
however multiple code paths (such as BN_cmp()) fail to treat these as
equivalent.
Prompted by Guido Vranken who is adding negative zero fuzzing to oss-fuzz.
ok tb@
Reordering functions with defines hiding in the middle leads to fun
outcomes... and apparently the non-MONT_WORD code is broken, at least on
aarch64.
No functional change.
Nothing actually uses this code, as OPENSSL_BN_ASM_MONT is not defined
unless there is an assembly implementation available (not to mention that
defining both OPENSSL_NO_ASM and OPENSSL_BN_ASM_MONT at the same time is
extra strange).
Discussed with tb@
This is the result of `unifdef -m -U BN_COUNT`.
Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local.h and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.
Adjust all .c files in libcrypto, libssl and regress.
The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.
discussed with jsing,
no objection bcook
Compiling with BN_DEBUG (and if you want to take it further, BN_DEBUG_RAND)
supposedly adds consistency checks to the BN code. These are rarely if ever
used and introduce a bunch of clutter in the code. Furthermore, there are
hacks in place to undo things that the debugging code does.
Remove all of this mess and instead rely on always enabled checks, more
readable code and proper regress coverage to ensure correct behaviour.
"Good riddance." tb@
Currently bn_expand()/bn_wexpand() return a BIGNUM *, however none of the
callers use this (and many already treat it as a true/false value).
Change these functions to return 0 on failure and 1 on success, revising
callers that test against NULL in the process.
ok tb@
This also fixes a bug in BN_MONT_CTX_set(), where the sizeof(BN_ULONG) in
the call to bn_expand() was not multiplied by eight (to get bits).
ok tb@
From OpenSSL 6a009812, prompted by a report by Guido Vranken
ok beck jsing
ok inoguchi jsing
ok jsing@
ok jsing@
There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).
Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.
Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.
ok beck@ doug@
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.
ok beck@ miod@
are needed in the source files that actually require them.
ok beck@ miod@
ok miod
under __TANDEM systems and compilers, using hardcoded octal numbers. NOT.
multiplication or RSA blinding parameters doesn't permit retroactive
timing analysis of the secrets, we'll do the stupidly cheap thing and
cleanse them before freeing them.
ok deraadt@