BN_reciprocal() is only called by BN_div_recp() which in turn is only
called by BN_mod_mul_reciprocal(). So use this order and make the first
two static.
Rewrite bn2binpad, removing some OpenSSL specific behaviour and unnecessary
complexity. Our BN_num_bytes() does not return bogus lengths, so we don't
need to see if things work out with nominated outputs. Swipe away some
endianness_t, but continue to ignore negatives and don't dare give away
padded zeroes.
Implement a more readable constant time conversion. In particular, the
little endian is the less common use case, which we can implement by
reversing the padded output in place, rather than complicating all of the
conversion code.
ok beck@ tb@
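
The constant-time conversion and in-place little-endian reversal that this commit message describes, as an added example (not LibreSSL's bn2binpad code): toy_bn, a stand-in for BIGNUM made of little-endian 64-bit words with top >= 1 and the sign ignored, and the helper toy_example_byte are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-in for a BIGNUM: little-endian 64-bit words, top >= 1. */
typedef struct { const uint64_t *d; size_t top; } toy_bn;
size_t toy_bn_num_bytes(const toy_bn *bn)
{
	uint64_t w = bn->d[bn->top - 1];
	size_t n = 0;
	for (; w != 0; w >>= 8)
		n++;
	return 8 * (bn->top - 1) + n;
}

/* Zero-pad bn into out_len bytes (sign ignored); every byte uses the same masked
 * load and shift so the padding boundary changes no branch or memory access. */
int toy_bn2binpad(const toy_bn *bn, uint8_t *out, size_t out_len, int little_endian)
{
	size_t i, wi, over; uint64_t w; uint8_t t;
	if (out_len < toy_bn_num_bytes(bn))
		return -1;	/* caller's buffer cannot hold the value */
	/* Big endian first: byte i of the value lands in out[out_len - 1 - i]. */
	for (i = 0; i < out_len; i++) {
		wi = i / 8;
		over = (wi >= bn->top);                    /* 1 once inside the padding */
		w = bn->d[wi * (1 - over)];                /* index clamped, no branch */
		w &= (uint64_t)0 - (uint64_t)(1 - over);   /* zeroed past the top word */
		out[out_len - 1 - i] = (uint8_t)(w >> (8 * (i % 8)));
	}
	/* Little endian is the rarer case: reverse the padded output in place. */
	for (i = 0; little_endian && i < out_len / 2; i++) {
		t = out[i];
		out[i] = out[out_len - 1 - i];
		out[out_len - 1 - i] = t;
	}
	return (int)out_len;
}

/* Pads a constructed two-word value to out_len bytes; returns byte pos, or -1. */
int toy_example_byte(int little_endian, size_t out_len, size_t pos)
{
	static const uint64_t words[] = { 0x0102030405060708ULL, 0x0a0bULL };
	const toy_bn bn = { words, 2 };
	uint8_t out[24];
	if (out_len > sizeof(out) || pos >= out_len ||
	    toy_bn2binpad(&bn, out, out_len, little_endian) < 0)
		return -1;
	return out[pos];
}
```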
ppc64-mont.pl (which produces bn_mul_mont_fpu64()) is unused on both
powerpc and powerpc64, so remove it. ppccap.c doesn't actually contain
anything to do with CPU capabilities - it just provides a bn_mul_mont()
that calls bn_mul_mont_int() (which ppc-mont.pl generates). Change
ppc-mont.pl to generate bn_mul_mont() directly and remove ppccap.c.
ok tb@
These constitute the bulk of the remaining global mutable state in
libcrypto. This commit moves most of them into data.rel.ro, leaving
out ERR_str_{functs,libraries,reasons} (which require a slightly
different approach) and SYS_str_reasons which is populated on startup.
The main observation is that if ERR_load_strings() is called with a 0 lib
argument, the ERR_STRING_DATA argument is not actually modified. We could
use this fact to cast away const on the caller side and be done with it.
We can make this cleaner by adding a helper ERR_load_const_strings() which
explicitly avoids the assignment to str->error overriding the error code
already set in the table.
In order for this to work, we need to sprinkle some const in err/err.c.
CMS called ERR_load_strings() with non-0 lib argument, but this didn't
actually modify the error data since it ORed in the value already stored
in the table.
Annoyingly, we need to cast const away once, namely in the call to
lh_insert() in int_err_set_item(). Fixing this would require changing
the public API and is going to be tricky since it requires that the
LHASH_DOALL_FN_* types adjust.
ok jsing
The content is effectively a u32 length prefixed field, so use
CBB_add_u32_length_prefixed(). Use BN_bn2binpad() rather than manually
padding if we need to extend and use sensible variable names so that the
code becomes more readable.
Note that since CBB can fail we now need to be able to indicate failure.
This means that BN_bn2mpi() can now return -1 when it would not have
previously (correct callers will check that BN_bn2mpi() returns a positive
length).
ok tb@
ok tb@
We get an implementation of this for free by having bn_bin2bn_cbs() use
CBS_get_u8() instead of CBS_get_last_u8().
ok tb@
This results in simpler code.
Suggested by tb@ during review.
ok tb@
This will be used in an upcoming change.
ok tb@
Also change the bits type from int to size_t, since that's what the callers
are passing and we can avoid unnecessary input validation.
ok tb@
Both BN_clear_bit() and BN_mask_bits() can create zero values - in both
cases ensure that the negative sign is correctly handled if the value
becomes zero.
Thanks to Guido Vranken for providing a reproducer.
Fixes oss-fuzz #67901
ok tb@
Mark them LCRYPTO_UNUSED appropriately and remove the LIBRESSL_INTERNAL
guards around them.
ok tb@
bn_subw() will be used more widely in an upcoming change.
No functional change.
If more bits than INT_MAX - 7 are requested, the calculation of number
of bytes required to store the bignum triggers undefined behavior due to
signed integer overflow. This will typically result in bytes becoming
negative which will then make malloc() fail. If the ulimit should be
high enough to make malloc() succeed, there is a bad out of bounds write
in case bottom is set (an odd number was requested).
On jsing's request this does not deal with another bug which we could
catch with a similar check due to BN_bn2bin() failing later on as the
number of words in a BIGNUM is some fraction of INT_MAX.
ok jsing
The former could be useful but nothing uses it. The latter is a
dangerous implementation detail of Montgomery exponentiation that
should never have been leaked out of the library. Fix this.
ok jsing
This function is very slow and useful for testing purposes only. It
should never have been part of the public API. Remove it from there.
ok jsing
Unused printing functionality. If something should need this we can readily
add it back.
ok jsing
cet.h is needed for other platforms to emit the relevant .gnu.properties
sections that are necessary for them to enable IBT. It also avoids issues
with older toolchains on macOS that explode on encountering endbr64.
based on a diff by kettenis
ok beck kettenis
If they ever had any meaning, that's long been lost.
Requested by jsing
This is basically the same fix as the one applied in BN_mod_exp_simple().
Reported and reminded by Guido Vranken in OpenSSL issue #21110
ok jsing
discussed with jsing
Also, make mod const.
Only call BN_BLINDING_setup() from BN_BLINDING_update(). This allows
another simplification of the counter logic.
ok jsing
If we generate a non-invertible blinding, we have accidentally factored
the modulus. This won't happen, so get rid of this ugly complication.
ok jsing
ok jsing
If the blinding is non-NULL, Ai is set on it, so no need to check for
that. Also, we can get away with a single call to BN_mod_mul().
ok jsing
ok jsing
Pass e and mod into BN_BLINDING_new() for now and unconditionally allocate
A and Ai. This way non-NULL blindings always have these four members set.
This allows removing several unnecessary checks in the update, convert and
parameter creation code paths.
Fix exit BN_BLINDING_create_param() so as to signal errors to the caller
if a non-NULL blinding was passed. This fixes a long standing bug.
ok jsing
Provide bn_rand_in_range() which is a slightly tweaked version of what was
previously called bn_rand_range().
The way bn_rand_range() is called in libcrypto, the lower bound is always
expressible as a word. In fact, most of the time it is 1, the DH code uses
a 2, the MR tests in BPSW use 3 and an exceptionally high number appears in
the Tonelli-Shanks implementation where we use 32. Converting these lower
bounds to BIGNUMs on the call site is annoying so let bn_rand_interval()
do that internally and route that through bn_rand_in_range(). This way we
can avoid using BN_sub_word().
Adjust the bn_isqrt() test to use bn_rand_in_range() since that's the
only caller that uses actual BIGNUMs as lower bounds.
ok jsing
ok jsing
ok jsing
Nothing sets this, so remove it along with BN_BLINDING_NO_{UPDATE,RECREATE}
and some checks that are always true.
ok jsing
ok jsing
The mod member of BN_BLINDING hasn't been /* just a reference */ since
the branch prediction mitigations in OpenSSL bd31fb21 from March 2007.
The public symbols were removed. Some prototypes and in the case of DES
even the implementation remained.
ok jsing
Various, ancient ciphers exposed some of their innards via an _options()
API. Apart from openssl version/speed, only some lua thingie in nmap ever
looked at these. Go figure.
hppa testing by miod, i386 testing by sthen. Thanks!
ok jsing