| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
ok tb@
|
| | |
|
| |
|
|
| |
This is no longer used, since we're now using s2n-bignum functions instead.
|
| |
|
|
|
|
|
|
| |
At least gcc 12 on Fedora is very unhappy about a plain .rodata and throws
Error: unknown pseudo-op: `.rodata'. So add a .section in front of it to
make it happy.
ok deraadt miod
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Currently there are two versions of bn_sqr_words(), which call the sqr or
sqr64 macro. Replace this with a single version that calls bn_umul_hilo()
and remove the various implementations of the sqr macro. The only slight
downside is that sqr64 does three multiplications instead of four, given
that the second and third terms are identical. However, this is a minimal
gain for the amount of duplication and entanglement it introduces.
ok tb@
|
| |
|
|
|
|
|
| |
s2n-bignum's bignum_sqr() is not the same as bn_sqr_words() (which only
computes a partial result, unlike the former). This went unnoticed since
bn_sqr() is called directly on amd64, hence bn_sqr_words() is currently
unused.
|
| |
|
|
|
|
|
|
| |
When bn_umul_hilo() is implemented using an instruction pair, mark the
first output with a constraint that prevents the output from overlapping
with the inputs ("&"). Otherwise the first instruction can overwrite the
inputs, which then results in the second instruction producing incorrect
value.
|
| | |
|
| |
|
|
| |
No functional change intended.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
BN_mod_lshift() already has a BN_CTX available, make use of it rather than
calling BN_dup() and BN_free().
In BN_mod_lshift_quick(), BN_copy() already handles dst == src, so avoid
checking this before the call. The max_shift == 0 case can also be handled
without code duplication. And as with other *_quick() functions, use
BN_ucmp() and BN_usub() directly given the 0 <= a < m constraint.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use the same naming/code pattern in BN_mod_mul() as is used in BN_mul().
Note that the 'rr' allocation is unnecessary, since both BN_mul() and
BN_sqr() handle the case where r == a || r == b. However, it avoids a
potential copy on the exit from BN_mul()/BN_sqr(), so leave it in place
for now.
Turn BN_mod_sqr() into a wrapper that calls BN_mod_mul(), since it already
calls BN_sqr() in the a == b. The supposed gain of calling BN_mod_ct()
instead of BN_nnmod() does not really exist.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
The BN_mod_.*_quick() functions require that their inputs are non-negative
and are already reduced. As such, they can and should use BN_ucmp() and
BN_usub() instead of BN_cmp() and BN_add()/BN_sub() (which internally call
BN_uadd()/BN_usub() and potentially BN_cmp()).
ok tb@
|
| |
|
|
|
|
|
|
|
| |
In the case that the result is negative (i.e. one of a or m is negative),
the positive result can be achieved via a single BN_usub(). This simplifies
BN_nnmod() and avoids indirection via BN_add()/BN_sub(), which do BN_cmp()
and then call into BN_uadd()/BN_usub().
ok tb@
|
| |
|
|
|
|
| |
Also use accurate/useful variables names.
ok tb@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Unlike bn_add_words()/bn_sub_words(), the s2n-bignum bignum_add() and
bignum_sub() functions correctly handle inputs with differing word
lengths. This means that they can be called directly, without needing to
fix up any remaining words manually.
Split BN_uadd() in two - the default bn_add() implementation calls
bn_add_words(), before handling the carry for any remaining words.
Likewise split BN_usub() in two - the default bn_sub() implementation
calls bn_sub_words(), before handling the borrow for any remaining words.
On amd64, provide an implementation of bn_add() that calls s2n-bignum's
bignum_add() directly, similarly with an implementation of bn_sub() that
calls s2n-bignum's bignum_sub() directly.
ok tb@
|
| |
|
|
| |
responsible from getting the proper address of those blocks.
|
| |
|
|
|
|
| |
responsible from getting the proper address of those blocks.
ok tb@ jsing@
|
| |
|
|
|
|
| |
Reordering functions with defines hiding in the middle leads to fun
outcomes... and apparently the non-MONT_WORD code is broken, at least on
aarch64.
|
| |
|
|
| |
No functional change.
|
| |
|
|
|
|
| |
This rather misnamed file (bn_asm.c) previously contained the C code that
was needed to build libcrypto bignum on platforms that did not have
assembly implementations of the functions it contained.
|
| |
|
|
|
|
|
| |
Make use of bn_umul_hilo() and remove the tangle of preprocessor directives
that implement different code paths depending on what defines exist.
ok tb@
|
| |
|
|
|
|
| |
These should work, but are currently untested and disabled.
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The bignum code needs to be able to multiply two words, producing a
double word result. Some architectures do not have native support for
this, hence a pure C version is required. bn_umul_hilo() provides this
functionality.
There are currently two implementations, both of which are branch free.
The first uses bitwise operations for the carry, while the second uses
accumulators. The accumulator version uses fewer instructions, however
requires more variables/registers and seems to be slower, at least on
amd64/i386. The accumulator version may be faster on architectures that
have more registers available. Further testing can be performed and one
of the two implementations can be removed at a later date.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
BN_usub() requires that a >= b and should return an error in the case that
b < a. This is currently only detected by checking the number of words in
a versus b - if they have the same number of words, the top word is not
checked and b < a, which then succeeds and produces an incorrect result.
Fix this by checking for the case where a and b have an equal number of
words, yet there is a borrow returned from bn_sub_words().
ok miod@ tb@
|
| |
|
|
|
|
|
|
| |
The sparc platform got retired a while back, however some parts remained
hiding in libcrypto. Mop these up (along with the bn_arch.h that I
introduced).
Spotted by and ok tb@
|
| | |
|
| |
|
|
|
|
|
| |
This switches the core bignum assembly implementations from x86_64-gcc.c to
s2n-bignum for amd64.
ok miod@ tb@
|
| | |
|
| |
|
|
|
|
|
| |
They should go away, but they have not yet disappeared and this
consolidates the source files.
Discussed with tb@
|
| |
|
|
|
|
|
|
|
| |
Nothing actually uses this code, as OPENSSL_BN_ASM_MONT is not defined
unless there is an assembly implementation available (not to mention that
defining both OPENSSL_NO_ASM and OPENSSL_BN_ASM_MONT at the same time is
extra strange).
Discussed with tb@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provide a function that divides a double word (h:l) by d, returning the
quotient q and the remainder r, such that q * d + r is equal to the
numerator. Call this from the three places that currently implement this
themselves.
This is implemented with some slight indirection, which allows for per
architecture implementations, replacing the define/macro tangle, which
messes with variables that are not passed to it.
Also remove a duplicate of bn_div_words() for the BN_ULLONG && BN_DIV2W
case - this is already handled.
ok tb@
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
This brings in bignum_add(), bignum_cmadd(), bignum_cmul(), bignum_mul()
and bignum_sub(), along with bignum_{mul,sqr}_4_8_alt() and
bignum_{mul,sqr}_8_16_alt().
Discussed with tb@
|
| |
|
|
|
|
| |
These are wrapped with #ifndef HAVE_BN_ADD_MUL_WORDS/HAVE_BN_MUL_WORDS,
which are defined for architectures that provide their own assembly
versions.
|
| |
|
|
|
| |
This is wrapped with #ifndef HAVE_BN_SQR_WORDS, which is then defined for
architectures that provide their own assembly versions.
|
| |
|
|
|
| |
This is wrapped with #ifndef HAVE_BN_DIV_WORDS, which are defined for
architectures that provide their own assembly versions.
|
| | |
|
| |
|
|
|
| |
These are wrapped with #ifndef HAVE_BN_ADD_WORDS/HAVE_BN_SUB_WORDS, which
are defined for architectures that provide their own assembly versions.
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok tb@
|
| | |
|
| | |
|
| |
|
|
| |
ok tb@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
s2n-bignum provides a collection of bignum routines that are written in
pure machine code. Each function is written in constant-time style and
has a formal proof. We intend on making use of these for libcrypto's
bignum implementation on aarch64 and amd64.
ok tb@
|
