| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
| |
This will simplify review/upcoming changes.
No functional change.
|
| |
|
|
| |
This is the result of `unifdef -m -U BN_COUNT'.
|
| |
|
|
|
| |
on amd64. no pic handling is neccessary since amd64 has full reach.
ok kettenis
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current BN_CTX implementation is an incredibly overengineered piece of
code, which even includes its own debug system.
Rewrite BN_CTX from scratch, simplifying things things considerably by
having a "stack" of BIGNUM pointers and a matching array of group
assignments. This means that BN_CTX_start() and BN_CTX_end() effectively
do not fail. Unlike the previous implementation, if a failure occurs
nothing will work and the BN_CTX must be freed/recreated, instead of
trying to pick up at the point where the failure occurred (which does
not make sense given its intended usage).
Additionally, it has long been documented that BN_CTX_start() must be
called before BN_CTX_get() can be used, however the previous implementation
did not actually enforce this. Now that missing BN_CTX_start() and
BN_CTX_end() calls have been added to DSA and EC, we can actually make
this a hard requirement.
ok tb@
|
| |
|
|
|
|
|
|
| |
We have a function called recallocarray() - make use of it rather than
handrolling a version of it. Also have bn_expand() call bn_wexpand(),
which avoids some duplication.
ok tb@
|
| |
|
|
|
|
|
| |
fetch them correctly when building PIC. Also drop unused data, and remove
--no-execute-only from linker flags.
ok kettenis@
|
| |
|
|
|
|
|
| |
fetch them correctly when building PIC. Also drop unused data, and remove
--no-execute-only from linker flags.
ok jsing@ kettenis@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, BN_lshift1() and BN_rshift1() are separate implementations
that are intended to be faster since the shift is known (and only one bit
crosses a word boundary). However, with the rewrite of BN_lshift() and
BN_rshift(), they are either slower or only minimally faster (depending
on architecture).
Avoid duplication and turn BN_lshift1()/BN_rshift1() into functions that
call inlined versions of BN_lshift()/BN_rshift(), making BN_lshift() and
BN_rshift() call the same inlined implementation. This results in a single
implementation and BN_lshift1()/BN_rshift1() that out perform the previous
versions (in part due to compiler optimisation).
Now that none of the original code exists, replace the license and
copyright for this file.
ok tb@
|
| |
|
|
|
|
|
|
| |
This improves readability and eliminates special handling for various
cases, making the code cleaner and closer to constant time. Basic
benchmarking shows a performance gain on modern 64 bit architectures.
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
| |
All of our BIGNUMs are cleared when we free them - move the code to
BN_free() and have BN_clear_free() call BN_free(), rather than the other
way around.
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This improves readability and eliminates special handling for various
cases, making the code cleaner and closer to constant time.
Basic benchmarking shows a performance gain on modern 64 bit architectures,
while there is a decrease on legacy 32 bit architectures (i386),
particularly for the zero bit shift case (which is now handled in the
same code path).
ok tb@
|
| |
|
|
|
|
|
| |
i removed the arithmetics -> arithmetic changes, as i felt they
were not clearly correct
ok tb
|
| |
|
|
|
|
|
|
|
|
| |
The only real difference between BN_cmp() and BN_ucmp() is that one has
to respect the sign of the BN (although BN_cmp() also gets to deal with
some insanity from accepting NULLs). Rewrite/cleanup BN_ucmp() and turn
BN_cmp() into code that handles differences in sign, before calling
BN_ucmp().
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
BN_zero() is currently implemented using BN_set_word(), which means it can
fail, however almost nothing ever checks the return value. A long time
ago OpenSSL changed BN_zero() to always succeed and return void, however
kept BN_zero as a macro that calls a new BN_zero_ex() function, so that
it can be switched back to the "can fail" version.
Take a simpler approach - change BN_zero()/BN_one() to functions and make
BN_zero() always succeed. This will be exposed in the next bump, at which
point we can hopefully also remove the BN_zero_ex() function.
ok tb@
|
| | |
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
| |
bn_correct_top() is currently a macro and far more complex than it needs
to be - rewrite it as a function.
ok tb@
|
| |
|
|
|
|
|
|
| |
BN_ucmp() is supposed to return -1/0/1 on a < b, a == b and a > b, however
it currently returns other negative and positive values when the top of
a and b differ. Correct this.
ok tb@
|
| | |
|
| |
|
|
|
| |
Not all of them, only those that didn't leak into a public header...
Yes.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.
Adjust all .c files in libcrypto, libssl and regress.
The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.
discussed with jsing,
no objection bcook
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Compiling with BN_DEBUG (and if you want to take it further, BN_DEBUG_RAND)
supposedly adds consistency checks to the BN code. These are rarely if ever
used and introduce a bunch of clutter in the code. Furthermore, there are
hacks in place to undo things that the debugging code does.
Remove all of this mess and instead rely on always enabled checks, more
readable code and proper regress coverage to ensure correct behaviour.
"Good riddance." tb@
|
| |
|
|
|
|
|
|
|
| |
Currently bn_expand()/bn_wexpand() return a BIGNUM *, however none of the
callers use this (and many already treat it as a true/false value).
Change these functions to return 0 on failure and 1 on success, revising
callers that test against NULL in the process.
ok tb@
|
| |
|
|
|
|
|
| |
This also fixes a bug in BN_MONT_CTX_set(), where the sizeof(BN_ULONG) in
the call to bn_expand() was not multiplied by eight (to get bits).
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
| |
Any sensible compiler will likely inline this anyway (and even if it does
not, one extra function call/return is the least of the performance
overhead for this code).
ok tb@
|
| |
|
|
|
|
| |
No functional change.
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
| |
The BN_set_params()/BN_get_params() and associated unused variables are
meant to be in this block, not things like BN_new() and BN_free().
ok tb@
|
| |
|
|
|
| |
This was fixed by Eric A. Young in "a C2Net version of SSLeay" and
committed to OpenSSL by Mark J. Cox in January 1999 (OpenSSL a0a54079).
|
| |
|
|
|
|
|
|
|
| |
bn_print.c r1.29 added length checks to avoid overflowing the BIGNUM.
If these checks are hit in length-only mode, i.e., bn is NULL, the
error path dereferences bn. Change goto err to an early return to
avoid this.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
All other wrappers in the same file that use a temporary array of
degrees size that array dynamically, such that they are able to
handle reducing polynomials of arbitrary lengths. BN_GF2m_mod(3)
was the only one that used a static array of size 6 instead, limiting
it to trinomials and pentanomials and causing it to fail for longer
reducing polynomials.
Make this more uniform and less surprising by using exactly the
same code as in all the other wrappers, such that BN_GF2m_mod(3)
works with reducing polynomials of arbitrary length, too, just like
the others.
Again, tb@ points out this quirk is very unlikely to cause
vulnerabilities in practice because cryptographic applications do
not use longer reducing polynomials.
This patch is not expected to significantly impact performance
because the relevant caller, BN_GF2m_mod_div(3), already uses dynamic
allocation via BN_GF2m_mod_mul(3).
OK tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the last argument, the size of the output array, is too small to
contain all degrees present in the input polynomial plus one for the
terminating -1, the function is documented to return the size of the
output array that would be needed (in comments in the source code, in
the new manual page, and by the way how the function is used by other
functions in the same file). However, in case of overflow, the existing
code failed to include the element needed for the terminating -1 in the
return value, wrongly indicating success if everything but the -1 did
fit and reporting failure with a size that was still too small otherwise.
According to tb@, this is very unlikely to cause vulnerabilities in
practical applications because there is no real reason to pick a
reducing polynomial longer than a pentanomial, because all known
callers use either fixed size arrays of size 6 or dynamic allocation,
because use of GF(2^m) is rare in practice, and GF(2^m) with custom
reducing polynomials even more so.
OK tb@
|
| |
|
|
|
| |
It was placed and formatted weirdly. Fix the title of the book referenced
and complete the reference's information.
|
| |
|
|
|
|
| |
It's entirely trivial.
ok beck
|
| |
|
|
|
|
|
| |
This way we deduplicate two inclusions of the same big table and eliminate
lots of stupid casts.
input and ok many
|
| |
|
|
|
|
|
|
|
| |
Instead of using the BN_is_prime_fasttime_ex() API, use a direct call to
bn_is_prime_bpsw(). This increases readability and simplifies error
handling. Also put a division by two to the natural place now that we no
longer need to do Miller-Rabin rounds.
ok beck jsing
|
| |
|
|
|
|
|
| |
Garbage collect a few pointless variables and remove a loop that wasn't
really a loop. Simplify BN_CTX handling and drop some stupid comments.
ok jsing miod
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
| |
found with CodeChecker
feedback from millert@
ok tb@
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Shuffle variables around for consistency, also ensuring appropriate and
consistent initialisation.
ok tb@
|
| |
|
|
|
|
|
| |
Also move the _bignum_nist_p_.*_sqr static BIGNUMs out of individual
functions.
ok tb@
|
| |
|
|
|
| |
a shortcut bypassing expensive computation, so change goto err to
goto done. Bug introduced in last refactoring before commit.
|
| | |
|
