| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
| |
This simplifies the handling of the BN_MONT_CTX passed in and unifies the
exit paths. Also zap some particularly insightful comments by our favorite
captain.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This does what the public BN_MONT_CTX_new() should have done in the first
place rather than doing the toolkit thing of returning an invalid object
that you need to figure out how to populate and with what because the docs
are abysmal.
It takes the required arguments and calls BN_MONT_CTX_set(), which all
callers do immediately after _new() (except for DSA which managed to
squeeze 170 lines of garbage between the two calls).
ok jsing
|
| |
|
|
|
| |
(leaving out a dotasm comment that would become harder to read than it
already is)
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
This is simpler, doesn't need an auxiliary function of dubious value,
avouds an auxiliary variable and gets rid of a bunch of comments that
are hard to make sense of.
This doesn't bother to invalidate recp->shift since on error you should
not be reusing the RECP_CTX without reinitializing it.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
The fast path where no division is performed can be dealt with without
BN_CTX, so do that up front so there's no need to clean up before return.
Error check BN_CTX_get() on each use asd simplify the logic for optional
input parameters. KNF for an ugly comment.
ok jsing
|
| |
|
|
|
|
|
| |
Instead of doing a weird dance, set the sign on N in BN_RECP_CTX_create().
Since we're not exposing a general purpose calculator API, we can simplify.
ok jsing
|
| |
|
|
| |
Requested by jsing
|
| |
|
|
|
|
|
|
| |
There's no need for BN_mod_mul_reciprocal() to have this complication.
The caller knows when x == y, so place the burden on the caller. This
simplifies both the caller side and the implementation in bn_recp.c.
ok jsing
|
| |
|
|
|
|
|
| |
No caller ever passes y == NULL, so remove the corresponding contortions
and unindent the relevant bits.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This introduces a BN_RECP_CTX_create() function that allocates and
populates the BN_RECP_CTX in a single call, without taking an unused
BN_CTX argument.
At the same time, make the N and Nr members BIGNUMs on the heap which
are allocated by BN_RECP_CTX_create() and freed by BN_RECP_CTX_free()
and remove the unnecessary flags argument.
Garbage collect the now unused BN_RECP_CTX_{new,init,set}().
ok jsing
|
| |
|
|
| |
+ some whitespace cosmetics
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
BN_reciprocal() is only called by BN_div_recp() which in turn is only
called by BN_mod_mul_reciprocal(). So use this order and make the first
two static.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rewrite bn2binpad, removing some OpenSSL specific behaviour and unnecessary
complexity. Our BN_num_bytes() does not return bogus lengths, so we don't
need to see if things work out with nominated outputs. Swipe away some
endianness_t, but continue to ignore negatives and don't dare give away
padded zeroes.
Implement a more readable constant time conversion. In particular, the
little endian is the less common use case, which we can implement by
reversing the padded output in place, rather than complicating all of the
conversion code.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
ppc64-mont.pl (which produces bn_mul_mont_fpu64()) is unused on both
powerpc and powerpc64, so remove it. ppccap.c doesn't actually contain
anything to do with CPU capabilities - it just provides a bn_mul_mont()
that calls bn_mul_mont_int() (which ppc-mont.pl generates). Change
ppc-mont.pl to generate bn_mul_mont() directly and remove ppccap.c.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These constitute the bulk of the remaining global mutable state in
libcrypto. This commit moves most of them into data.rel.ro, leaving
out ERR_str_{functs,libraries,reasons} (which require a slightly
different approach) and SYS_str_reasons which is populated on startup.
The main observation is that if ERR_load_strings() is called with a 0 lib
argument, the ERR_STRING_DATA argument is not actually modified. We could
use this fact to cast away const on the caller side and be done with it.
We can make this cleaner by adding a helper ERR_load_const_strings() which
explicitly avoids the assignment to str->error overriding the error code
already set in the table.
In order for this to work, we need to sprinkle some const in err/err.c.
CMS called ERR_load_strings() with non-0 lib argument, but this didn't
actually modify the error data since it ored in the value already stored
in the table.
Annoyingly, we need to cast const away once, namely in the call to
lh_insert() in int_err_set_item(). Fixing this would require changing
the public API and is going to be tricky since it requires that the
LHASH_DOALL_FN_* types adjust.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The content is effectively a u32 length prefixed field, so use
CBB_add_u32_length_prefixed(). Use BN_bn2binpad() rather than manually
padding if we need to extend and use sensible variable names so that the
code becomes more readable.
Note that since CBB can fail we now need to be able to indicate failure.
This means that BN_bn2mpi() can now return -1 when it would not have
previously (correct callers will check that BN_bn2mpi() returns a positive
length).
ok tb@
|
| | |
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
| |
We get an implementation of this for free by having bn_bin2bn_cbs() use
CBS_get_u8() instead of CBS_get_last_u8().
ok tb@
|
| |
|
|
|
|
| |
This results in simpler code.
Suggested by tb@ during review.
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
| |
This will be used in an upcoming change.
ok tb@
|
| |
|
|
|
|
|
| |
Also change the bits type from int to size_t, since that's what the callers
are passing and we can avoid unnecessary input validation.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Both BN_clear_bit() and BN_mask_bits() can create zero values - in both
cases ensure that the negative sign is correctly handled if the value
becomes zero.
Thanks to Guido Vranken for providing a reproducer.
Fixes oss-fuzz #67901
ok tb@
|
| | |
|
| |
|
|
|
|
|
| |
Mark them LCRYPTO_UNUSED appropriately and remove the LIBRESSL_INTERNAL
guards around them
ok tb@
|
| |
|
|
| |
bn_subw() will be used more widely in an upcoming change.
|
| | |
|
| |
|
|
| |
No functional change.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If more bits than INT_MAX - 7 are requested, the calculation of number
of bytes required to store the bignum triggers undefined behavior due to
signed integer overflow. This will typically result in bytes becoming
negative which will then make malloc() fail. If the ulimit should be
high enough to make malloc() succeed, there is a bad out of bounds write
in case bottom is set (an odd number was requested).
On jsing's request this does not deal with another bug which we could
catch with a similar check due to BN_bn2bin() failing later on as the
number of words in a BIGNUM is some fraction of INT_MAX.
ok jsing
|
| |
|
|
|
|
|
|
| |
The former could be useful but nothing uses it. The latter is a
dangerous implementation detail of Montgomery exponentiation that
should never have been leaked out of the library. Fix this.
ok jsing
|
| |
|
|
|
|
|
| |
This function is very slow and useful for testing purposes only. It
should never have been part of the public API. Remove it from there.
ok jsing
|
| |
|
|
|
|
|
| |
Unsued printing functionality. If something should need this we can readily
add it back.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
cet.h is needed for other platforms to emit the relevant .gnu.properties
sections that are necessary for them to enable IBT. It also avoids issues
with older toolchains on macOS that explode on encountering endbr64.
based on a diff by kettenis
ok beck kettenis
|
| |
|
|
|
|
| |
If they ever had any meaning, that's long been lost.
Requested by jsing
|
| |
|
|
| |
This is basically the same fix as the one applied in BN_mod_exp_simple().
|
| |
|
|
|
|
| |
Reported and reminded by Guido Vranken in OpenSSL issue #21110
ok jsing
|
| |
|
|
| |
discussed with jsing
|
| |
|
|
| |
Also, make mod const.
|
| | |
|
| |
|
|
|
|
|
| |
Only call BN_BLINDING_setup() from BN_BLINDING_update(). This allows
another simplification of the counter logic.
ok jsing
|
