path: root/src/lib/libcrypto/bn

Commit message [author, date, files changed, lines -/+]
* Add and fix check for BN functions return value [inoguchi, 2022-01-20, 1 file, -4/+5]
  ok jsing@ millert@ tb@
* Add check for BN functions return value [inoguchi, 2022-01-20, 1 file, -3/+5]
  CID 21665 24835. Comment from jsing@ and tb@. ok jsing@ millert@ tb@
* Move BN structs to bn_lcl.h [tb, 2022-01-14, 2 files, -50/+46]
  This makes all structs in bn.h opaque that are also opaque in OpenSSL. ok inoguchi jsing
* Unifdef LIBRESSL_OPAQUE_* and LIBRESSL_NEXT_API [tb, 2022-01-14, 1 file, -65/+1]
  This marks the start of major surgery in libcrypto. Do not attempt to build the tree for a while (~50 commits).
* Pull BN_{new,init,clear,clear_free,free} up to the top of bn_lib.c [jsing, 2021-12-27, 1 file, -58/+58]
  Discussed with tb@
* Consistently call BN_init() before BN_with_flags() [tb, 2021-12-26, 1 file, -13/+27]
  BN_with_flags() preserves the BN_FLG_MALLOCED flag of the destination which results in a potential use of an uninitialized bit. In practice this doesn't matter since we don't free the cloned BIGNUMs anyway. As jsing points out, these are mostly pointless noise and should be garbage collected. I'll leave that for another rainy day. Coverity flagged one instance, BN_gcd_no_branch(); the rest was found by the ever so helpful grep(1). CID 345122 ok jsing
* Annotate the structs to be moved to bn_lcl.h in the next bump [tb, 2021-12-04, 1 file, -1/+5]
  ok inoguchi jsing
* Use BN_is_negative(p) instead of p->neg in one place. [tb, 2021-12-04, 1 file, -2/+2]
* Implement the BN_to_montgomery() macro as a function [tb, 2021-12-04, 2 files, -2/+13]
  ok inoguchi jsing
* Implement the BN_is_negative macro as a function [tb, 2021-12-04, 2 files, -2/+13]
  ok inoguchi jsing
* Provide function implementations for various BN_* macros [tb, 2021-12-04, 2 files, -4/+54]
  BN_abs_is_word, BN_is_{zero,one,word,odd}, BN_one, BN_zero_ex are now implemented as functions for internal use. They will be exposed publicly to replace the macros reaching into BIGNUM in the next bump. ok inoguchi jsing
* Provide replacement functions for the BN_{get,set,with}_flags() macros. [tb, 2021-12-04, 2 files, -2/+34]
  ok inoguchi jsing
* Provide replacement functions for the BN_GENCB_set{,_old}() macros [tb, 2021-12-04, 2 files, -3/+33]
  The function implementations are necessary to make BIGNUM opaque. They will be used in libcrypto internally until they replace the macro implementations with the next bump. ok inoguchi jsing
* typo in comment [tb, 2021-11-18, 1 file, -2/+2]
* Switch to <endian.h> from <machine/endian.h> for better portability. [bcook, 2021-11-09, 1 file, -3/+2]
  ok tb@
* Expose BN_bn2{,le}binpad() and BN_lebin2bn() in <openssl/bn.h> [tb, 2021-09-10, 1 file, -3/+1]
  ok beck inoguchi
* Expose BN_RAND_* in <openssl/bn.h> [tb, 2021-09-10, 1 file, -3/+1]
  ok beck jsing
* Prepare to provide BN_RAND_* flags for BN_rand_range() [tb, 2021-09-10, 1 file, -1/+12]
  ok beck jsing
* Prepare to provide BN_bn2{,le}binpad() and BN_lebin2bn() [tb, 2021-09-08, 2 files, -9/+137]
  As found by jsg and patrick, this is needed for newer uboot and will also be used in upcoming elliptic curve work. This is from OpenSSL 1.1.1l with minor style tweaks. ok beck inoguchi
* whitespace [tb, 2021-08-31, 2 files, -7/+7]
* Unindent a bit of code that performs a few too many checks to figure out whether top > 0 or top == 0. [tb, 2020-09-12, 1 file, -10/+8]
* Avoid an out-of-bounds access in BN_rand() [tb, 2020-09-12, 1 file, -3/+8]
  If BN_rand() is called with top > 0 and bits == 1, it would allocate a buf[] of size 1 and set the top bit of buf[1]. Found in OpenSSL commit efee575ad464bfb60bf72dcb73f9b51768f4b1a1 while looking for something else. ok beck djm inoguchi
* Change generating and checking of primes so that the error rate of not being prime depends on the intended use based on the size of the input. [schwarze, 2019-08-25, 1 file, -18/+73]
  For larger primes this will result in more rounds of Miller-Rabin. The maximal error rate for primes with more than 1080 bits is lowered to 2^-128. Patch from Kurt Roeckx <kurt@roeckx.be> and Annie Yousar via OpenSSL commit feac7a1c Jul 25 18:55:16 2018 +0200, still under a free license. OK tb@.
* make BN_CTX_end(NULL) a NOOP for compatibility with documented behaviour in OpenSSL 1.1.1 [schwarze, 2019-08-20, 1 file, -1/+4]
  even though in general, letting random functions accept NULL is not advisable because it can hide programming errors; "yes please" tb@ "unfortunately I suspect you're right" jsing@ "oh well" deraadt@
* Make BN_num_bits_word() constant time. [tb, 2019-06-17, 1 file, -48/+18]
  Previously, this function would leak the most significant word of its argument due to branching and memory access pattern. This patch is enough to fix the use of BN_num_bits() on RSA prime factors in the library. The diff is a simplified and more readable (but perhaps less efficient) version of https://github.com/openssl/openssl/commit/972c87df by Andy Polyakov and David Benjamin (pre license change). Consult that commit message for details. Subsequent fixes to follow in the near future. Issue pointed out by David Schrammel and Samuel Weiser as part of a larger report. tests & ok inoguchi, ok jsing
* Add range checks to various ASN1_INTEGER functions to ensure the sizes used remain a positive integer. [beck, 2019-03-23, 1 file, -1/+3]
  Should address issue 13799 from oss-fuzz. ok tb@ jsing@
* Fix BN_is_prime_* calls in libcrypto, the API returns -1 on error. [tb, 2019-01-20, 1 file, -10/+20]
  From BoringSSL's commit 53409ee3d7595ed37da472bc73b010cd2c8a5ffd by David Benjamin. ok djm, jsing
* Flip reversed test in bn_rand_interval(). [tb, 2018-11-06, 1 file, -2/+2]
  ok jsing
* Introduce bn_rand_interval() that allows specifying an interval [a, b) from which a BIGNUM is chosen uniformly at random. [tb, 2018-11-05, 2 files, -2/+30]
  ok beck jsing
* Use a size_t instead of an int for the byte count in BN_swap_ct(). [tb, 2018-07-23, 2 files, -8/+11]
  Since bignums use ints for the same purpose, this still uses an int internally after an overflow check. Suggested by and discussed with jsing. ok inoguchi, jsing
* Clean up our disgusting implementations of BN_{,u}{add,sub}(), following changes made in OpenSSL by Davide Galassi and others, so that one can actually follow what is going on. [tb, 2018-07-23, 1 file, -157/+67]
  There is no performance impact from this change as the code still does essentially the same thing. There's a ton of work still to be done to make the BN code less terrible. ok jsing, kn
* Eliminate the weird condition in the BN_swap_ct() API that at most one bit be set in condition. [tb, 2018-07-13, 1 file, -3/+3]
  This makes the constant time bit-twiddling a bit trickier, but it's not too bad. Thanks to halex for an extensive rubber ducking session over a non-spicy spicy tabouleh falafel. ok jsing, kn
* Sync comment [kn, 2018-07-11, 1 file, -3/+5]
  Makes it a tad easier to read through and compare with BN_swap_ct(). OK tb
* Turn yesterday's optimistic ! in an XXX comment into a more cautious ? [tb, 2018-07-11, 1 file, -2/+2]
* Provide BN_swap_ct(), a constant time function that conditionally swaps two bignums. [tb, 2018-07-10, 2 files, -2/+53]
  It's saner and substantially less ugly than the existing public BN_constantime_swap() function and will be used in forthcoming work on constant time ECC code. From Billy Brumley and his team. Thanks! ok jsing
* fix odd whitespace [tb, 2018-06-10, 1 file, -3/+3]
* Use explicit_bzero() rather than memset() when clearing a BIGNUM. [jsing, 2018-05-12, 1 file, -2/+2]
  ok bcook@ tb@
* Provide BN_GENCB_new(), BN_GENCB_free() and BN_GENCB_get_arg() [jsing, 2018-02-20, 2 files, -2/+32]
* Provide BN_get_rfc2409_prime_*() and BN_get_rfc3526_prime_*(). [jsing, 2018-02-20, 2 files, -2/+58]
* use freezero() instead of memset/explicit_bzero + free. [deraadt, 2017-05-02, 4 files, -28/+14]
  Substantially reduces conditional logic (-218, +82). MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH cache alignment calculation in bn/bn_exp.c wasn't quite right. Two other tricky bits with ASN1_STRING_FLAG_NDEF and BN_FLG_STATIC_DATA where the condition cannot be collapsed completely. Passes regress. ok beck
* Send the function codes from the error functions to the bit bucket, as was done earlier in libssl. [beck, 2017-01-29, 17 files, -118/+70]
  Thanks inoguchi@ for noticing libssl had more reacharounds into this. ok jsing@ inoguchi@
* Construct a BN_gcd_nonct, based on BN_mod_inverse_no_branch, as suggested by Alejandro Cabrera <aldaya@gmail.com> to avoid the possibility of a side-channel timing attack during RSA private key generation. [beck, 2017-01-25, 4 files, -5/+165]
  Modify BN_gcd to become not visible under LIBRESSL_INTERNAL and force the use of the _ct or _nonct versions of the function only within the library. ok jsing@
* use BN_div_nonct where it is safe to do so. [beck, 2017-01-21, 1 file, -2/+2]
  ok guenther@
* Add ct and nonct versions of BN_mod_inverse for internal use [beck, 2017-01-21, 6 files, -17/+43]
  ok jsing@
* Split out BN_div and BN_mod into ct and nonct versions for internal use. [beck, 2017-01-21, 10 files, -33/+61]
  ok jsing@
* Make explicit _ct and _nonct versions of bn_mod_exp functions that matter for constant time, and make the public interface only used external to the library. [beck, 2017-01-21, 6 files, -22/+78]
  This moves us to a model where the important things are constant time versions unless you ask for them not to be, rather than the opposite. I'll continue with this method by method. Add regress tests for same. ok jsing@
* /usr/bin/unifdef -D MONT_MUL_MOD -D MONT_EXP_WORD -D RECP_MUL_MOD -m bn_exp.c [beck, 2017-01-21, 1 file, -23/+2]
  with some style cleanup after. no binary change. ok jsing@
* Remove superfluous datatype that is 32 by default. [patrick, 2017-01-04, 1 file, -1/+1]
  Clang complains about it and it's ok to remove it. This only came up as our clang is targeted at armv7 which enables the NEON instructions. ok kettenis@
* Explicitly export a list of symbols from libcrypto. [jsing, 2016-12-21, 3 files, -124/+119]
  Move the "internal" BN functions from bn.h to bn_lcl.h and stop exporting the bn_* symbols. These are documented as only being intended for internal use, so why they were placed in a public header is beyond me... This hides 363 previously exported symbols, most of which exist in headers that are not installed and were never intended to be public. This also removes a few crusty old things that should have died long ago (like _ossl_old_des_read_pw). But don't worry... there are still 3451 symbols exported from the library. With input and testing from inoguchi@. ok beck@ inoguchi@
* Reduce the ternary operator abuse [guenther, 2016-11-08, 1 file, -3/+8]
  ok miod@