summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/bn (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Provide BN_GENCB_new(), BN_GENCB_free() and BN_GENCB_get_arg()jsing2018-02-202-2/+32
|
* Provide BN_get_rfc2409_prime_*() and BN_get_rfc3526_prime_*().jsing2018-02-202-2/+58
|
* use freezero() instead of memset/explicit_bzero + free. Substantiallyderaadt2017-05-024-28/+14
| | | | | | | | | | reduces conditional logic (-218, +82). MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH cache alignment calculation bn/bn_exp.c wasn'tt quite right. Two other tricky bits with ASN1_STRING_FLAG_NDEF and BN_FLG_STATIC_DATA where the condition cannot be collapsed completely. Passes regress. ok beck
* Send the function codes from the error functions to the bit bucket,beck2017-01-2917-118/+70
| | | | | | as was done earlier in libssl. Thanks inoguchi@ for noticing libssl had more reacharounds into this. ok jsing@ inoguchi@
* Construct a BN_gcd_nonct, based on BN_mod_inverse_no_branch, as suggestedbeck2017-01-254-5/+165
| | | | | | | | | | | by Alejandro Cabrera <aldaya@gmail.com> to avoid the possibility of a sidechannel timing attack during RSA private key generation. Modify BN_gcd to become not visible under LIBRESSL_INTERNAL and force the use of the _ct or _nonct versions of the function only within the library. ok jsing@
* use BN_div_nonct where it is safe to do so.beck2017-01-211-2/+2
| | | | ok guenther@
* Add ct and nonct versions of BN_mod_inverse for internal usebeck2017-01-216-17/+43
| | | | ok jsing@
* Split out BN_div and BN_mod into ct and nonct versions for Internal use.beck2017-01-2110-33/+61
| | | | ok jsing@
* Make explicit _ct and _nonct versions of bn_mod_exp funcitons thatbeck2017-01-216-22/+78
| | | | | | | | | | | | matter for constant time, and make the public interface only used external to the library. This moves us to a model where the important things are constant time versions unless you ask for them not to be, rather than the opposite. I'll continue with this method by method. Add regress tests for same. ok jsing@
* /usr/bin/unifdef -D MONT_MUL_MOD -D MONT_EXP_WORD -D RECP_MUL_MOD -m bn_exp.cbeck2017-01-211-23/+2
| | | | | with some style cleanup after. no binary change ok jsing@
* Remove superfluous datatype that is 32 by default. Clang complainspatrick2017-01-041-1/+1
| | | | | | | about it and it's ok to remove it. This only came up as our clang is targeted at armv7 which enables the NEON instructions. ok kettenis@
* Explicitly export a list of symbols from libcrypto.jsing2016-12-213-124/+119
| | | | | | | | | | | | | | | | Move the "internal" BN functions from bn.h to bn_lcl.h and stop exporting the bn_* symbols. These are documented as only being intended for internal use, so why they were placed in a public header is beyond me... This hides 363 previously exported symbols, most of which exist in headers that are not installed and were never intended to be public. This also removes a few crusty old things that should have died long ago (like _ossl_old_des_read_pw). But don't worry... there are still 3451 symbols exported from the library. With input and testing from inoguchi@. ok beck@ inoguchi@
* Reduce the ternary operator abuseguenther2016-11-081-3/+8
| | | | ok miod@
* Stop abusing the ternary operator to decide which function to call in amiod2016-11-051-3/+6
| | | | | return statement. ok beck@ jsing@
* Replace all uses of magic numbers when operating on OPENSSL_ia32_P[] bymiod2016-11-044-12/+13
| | | | | | | | | | | | | | | meaningful constants in a private header file, so that reviewers can actually get a chance to figure out what the code is attempting to do without knowing all cpuid bits. While there, turn it from an array of two 32-bit ints into a properly aligned 64-bit int. Use of OPENSSL_ia32_P is now restricted to the assembler parts. C code will now always use OPENSSL_cpu_caps() and check for the proper bits in the whole 64-bit word it returns. i386 tests and ok jsing@
* If BN_div_word() fails (by returning (BN_ULONG)-1) or if the divisionguenther2016-10-171-4/+8
| | | | | | | | | | fails to reduce the input in the expected space then fail out instead of overflowing the allocated buffer. combines openssl commits 28a89639da50b1caed4ff3015508f23173bf3e49 and 3612ff6fcec0e3d1f2a598135fe12177c0419582 ok doug@ beck@
* Less S390.jsing2016-09-043-1176/+0
| | | | ok deraadt@
* Less IA64.jsing2016-09-042-2406/+0
| | | | ok deraadt@
* switch to a constant-time gather procedure for amd64 mont5 asmbcook2016-09-031-199/+314
| | | | | | | from OpenSSL commit 7f98aa7403a1244cf17d1aa489f5bb0f39bae431 CVE-2016-0702 ok beck@
* add constant-time MOD_EXP_CTIME_COPY_FROM_PREBUF.bcook2016-09-031-16/+55
| | | | | | | | | | Patch based on OpenSSL commit d7a854c055ff22fb7da80c3b0e7cb08d248591d0 "Performance penalty varies from platform to platform, and even key length. For rsa2048 sign it was observed to reach almost 10%." CVE-2016-0702 ok beck@
* BN_mod_exp_mont_consttime: check for zero modulus.bcook2016-09-031-9/+33
| | | | | | | Don't dereference d when top is zero. Original patch from OpenSSL commit d46e946d2603c64df6e1e4f9db0c70baaf1c4c03 ok jsing@
* BN_mod_exp_mont_consttime: check for zero modulus.bcook2016-09-031-4/+5
| | | | | | | Don't dereference |d| when |top| is zero. Also test that various BIGNUM methods behave correctly on zero/even inputs. Original patch from OpenSSL commit d46e946d2603c64df6e1e4f9db0c70baaf1c4c03
* Avoid undefined-behavior right-shifting by a word-size # of bits.bcook2016-09-031-3/+2
| | | | Found with STACK, originally from OpenSSL, ok @beck
* don't mix code and decls, ok tedu@bcook2016-07-181-2/+3
|
* use memset to initialize the unionbcook2016-07-171-2/+4
|
* Initialize buffers before use, noted by Kinichiro Inoguchi.bcook2016-07-171-7/+7
| | | | ok beck@
* On systems where we do not have BN_ULLONG defined (most 64-bit systems),bcook2016-07-052-9/+37
| | | | | | | | | | | | | | BN_mod_word() can return incorrect results if the supplied modulus is too big, so we need to fall back to BN_div_word. Now that BN_mod_word may fail, handle errors properly update the man page. Thanks to Brian Smith for pointing out these fixes from BoringSSL: https://boringssl.googlesource.com/boringssl/+/67cb49d045f04973ddba0f92fe8a8ad483c7da89 https://boringssl.googlesource.com/boringssl/+/44bedc348d9491e63c7ed1438db100a4b8a830be ok beck@
* 'accomodate' -> 'accommodate' in comments.krw2016-03-151-2/+2
| | | | Started by diff from Mical Mazurek.
* Add error handling to the remaining calls to bn_wexpand().bcook2016-03-121-4/+7
| | | | | | | Noticed by pascal-cuoq from Github: https://github.com/libressl-portable/openbsd/issues/56 ok beck@
* graduate bn_expand() to a real function. the openssl version of thisderaadt2016-03-042-4/+16
| | | | | | | uses a macro with multiple-evaluations of arguments (different amount than the previous version..), but doug/bcook's inline version makes BIGNUM not opaque [problem spotted by naddy] ok doug
* Revert bn_expand until there's consensus on a fix.doug2016-03-041-14/+3
|
* Add bounds checking for BN_hex2bn/BN_dec2bn.doug2016-03-022-10/+26
| | | | | | | | | Need to make sure i * 4 won't overflow. Based on OpenSSL: commit 99ba9fd02fd481eb971023a3a0a251a37eb87e4c input + ok bcook@ ok beck@
* More adress -> addressmmcc2015-12-241-1/+1
|
* Fix gcc version preprocessor checks to cope with gcc 5.x and beyond;miod2015-11-061-2/+2
| | | | reported by Ruslan Babayev.
* Reject too small bits value in BN_generate_prime_ex(), so that it does not riskmiod2015-10-213-4/+22
| | | | | | | | becoming negative in probable_prime_dh_safe(). Reported by Franck Denis who noticed `openssl gendh 0' would segfault. Fix adapted from OpenSSL RT#2701. ok beck@ jsing@
* actually include the prerequisite dependency for BIO instead of doing nastynessbeck2015-10-161-5/+2
|
* remove excessive brackets on pointer mathderaadt2015-09-281-8/+8
|
* Redo 1.25, without the NULL deref.miod2015-09-271-22/+31
| | | | ok sthen@ bcook@
* Revert bn_print.c:r1.25 ("handle negative-zero in BN_bn2dec() too") forsthen2015-09-181-31/+22
| | | | now, it has a NULL deref. Segfault reported by Mikolaj Kucharski, ok bcook
* Handle negative-zero in BN_bn2dec() too, just like in BN_print().deraadt2015-09-131-22/+31
| | | | ok miod
* BN does support negative-zero -- BN_print() sets the standard here.deraadt2015-09-131-3/+3
| | | | | | | BN_bn2hex() had a 1-byte overflow when creating "-0\0". Reported to me a while back by unknown person -- did not have enough experience to push this through then. advice from jsing, ok miod
* Remove workaround for old SIMICS toolchain.miod2015-09-121-45/+1
|
* Remove horribly old and outdated `documentation' for the assembly code.miod2015-09-121-27/+0
|
* Fixup inter-bank movq/movd operations, emit bytes for pclmulqdq again.bcook2015-09-112-12/+12
| | | | | | | | | | Fixes builds gcc + Apple's assembler, working on reenabling builds with older OpenBSD releases. based on OpenSSL commit: https://git.openssl.org/?p=openssl.git;a=commitdiff;h=902b30df193afc3417a96ba72a81ed390bd50de3 ok miod@
* Correct spelling of OPENSSL_cleanse.jsing2015-09-103-8/+9
| | | | ok miod@
* typosmiod2015-08-181-1/+1
|
* Avoid an infinite loop that can be triggered by parsing an ASN.1jsing2015-06-111-3/+8
| | | | | | | | | | | ECParameters structure that has a specially malformed binary polynomial field. Issue reported by Joseph Barr-Pixton and fix based on OpenSSL. Fixes CVE-2015-1788. ok doug@ miod@
* Add missing BN_CTX_end() calls.doug2015-04-293-11/+15
| | | | | | | | After calling BN_CTX_start(), there must be a BN_CTX_end() before returning. There were missing BN_CTX_end() calls in error paths. One diff chunk was simply removing redundant code related to this. ok deraadt@
* Fix indentation that incorrectly implies a different control flow.doug2015-03-212-6/+9
| | | | | | | | | | | | | The actual control flow is intentional while the indenting is incorrect. This is intended to be a cosmetic change. Verified that each of these was part of a KNF commit that wasn't intending to change behavior. Also, double checked against the history of changes in OpenSSL and BoringSSL. Addresses Coverity CIDs: 78842, 78859, 78863. ok tedu@
* Fix CVE-2014-3570: properly calculate the square of a BIGNUM value.bcook2015-02-253-654/+303
| | | | | | | | | | | See https://www.openssl.org/news/secadv_20150108.txt for a more detailed discussion. Original OpenSSL patch here: https://github.com/openssl/openssl/commit/a7a44ba55cb4f884c6bc9ceac90072dea38e66d0 The regression test is modified a little for KNF. ok miod@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-21 04:50:20 +0000