path: root/src/lib
Commit log (each entry: commit message, author, date, files changed, lines removed/added)
...
* Adjust parentheses in mont->ri assignment.
  Author: jsing  Date: 2023-02-22  Files: 1  Lines: -2/+2
  Requested by tb@

* Replace bn_sub_part_words() with bn_sub().
  Author: jsing  Date: 2023-02-22  Files: 4  Lines: -370/+19
  Now that bn_sub() handles word arrays with potentially different lengths, we no longer need bn_sub_part_words() - call bn_sub() instead. This allows us to entirely remove the unnecessarily complex bn_sub_part_words() code. ok tb@

* Rework bn_add()/bn_sub() to operate on word arrays.
  Author: jsing  Date: 2023-02-22  Files: 3  Lines: -82/+99
  Rather than working on BIGNUMs, change bn_add()/bn_sub() to operate on word arrays that potentially differ in length. This matches the behaviour of s2n-bignum's bignum_add() and bignum_sub(). ok tb@

* Rewrite and simplify BN_MONT_CTX_set()
  Author: jsing  Date: 2023-02-22  Files: 2  Lines: -98/+76
  OpenSSL commit 4d524040bc8 changed BN_MONT_CTX_set() so that it computed a 64 bit N^-1 on both BN_BITS2 == 32 and BN_BITS2 == 64 platforms. However, the way in which this was done was to duplicate half the code and wrap it in #ifdef. Rewrite this code to use a single code path on all platforms, with #ifdef being limited to setting an additional word in the temporary N and storing the result on BN_BITS2 == 32 platforms. Also remove stack based BIGNUM in favour of using the already present BN_CTX. ok tb@

* perlasm: properly spell .rodata for macOS on intel
  Author: tb  Date: 2023-02-21  Files: 1  Lines: -0/+3
  ok jsing

* remove extra argument
  Author: bcook  Date: 2023-02-21  Files: 1  Lines: -2/+2
  ok tb@

* Unifdef MONT_WORD.
  Author: jsing  Date: 2023-02-21  Files: 2  Lines: -75/+5
  It does not make sense to use code that is slower, currently broken and prevents the use of assembly Montgomery implementations. This is the result of `unifdef -m -DMONT_WORD`, followed by some manual clean up and the removal of the Ni bignum from BN_MONT_CTX (which was only used in the non-MONT_WORD case). ok miod@ tb@

* Move BN_MONT_CTX back to bn_local.h for now. It's still used by bn_exp.c
  Author: tb  Date: 2023-02-19  Files: 2  Lines: -14/+14

* Rewrite BN_MONT_CTX_set_locked()
  Author: jsing  Date: 2023-02-19  Files: 1  Lines: -23/+27
  Rewrite and simplify BN_MONT_CTX_set_locked - in particular, only hold the lock for a short period of time, rather than holding a write lock for a module across an expensive operation. ok tb@

* First pass clean up of bn_mont.c.
  Author: jsing  Date: 2023-02-19  Files: 1  Lines: -31/+37
  Use calloc() rather than malloc() with manual initialisation of all struct members to zero, use memset() instead of manually initialising all struct members to zero, use consistent naming, use BN_free() instead of BN_clear_free() (since it is the same thing). ok tb@

* Move BN_MONT_CTX_copy().
  Author: jsing  Date: 2023-02-19  Files: 1  Lines: -19/+19

* Move struct bn_mont_ctx_st from bn_local.h to bn_mont.c.
  Author: jsing  Date: 2023-02-19  Files: 2  Lines: -14/+14
  No code outside of bn_mont.c needs access to it. ok tb@

* Provide optimised versions of bn_addw() and bn_subw() for aarch64.
  Author: jsing  Date: 2023-02-17  Files: 1  Lines: -1/+35

* Remove now unused tangle of mul*/sqr* and BN_UMULT_* macros.
  Author: jsing  Date: 2023-02-17  Files: 1  Lines: -251/+1
  No, I'm not trying to overwhelm you... however, we really no longer need this clutter. ok tb@

* Reimplement bn_sqr_comba{4,8}().
  Author: jsing  Date: 2023-02-17  Files: 2  Lines: -102/+110
  Use bignum primitives rather than the current mess of macros. The sqr_add_c macro gets replaced with bn_mulw_addtw(), while the sqr_add_c2 macro gets replaced with bn_mul2_mulw_addtw(). The variables in the comba functions have also been reordered, so that the patterns are easier to understand - the compiler can take care of optimising the inputs and outputs to avoid register moves. ok tb@

* Enable s2n-bignum word_clz() on amd64.
  Author: jsing  Date: 2023-02-16  Files: 4  Lines: -4/+17
  The BN_num_bits_word() function is a hot path, being called more than 80 million times during a libcrypto regress run. The word_clz() implementation uses five instructions to do the same as the generic code that uses more than 60 instructions. Discussed with tb@

* Use bn_addw() in bn_mulw(), rather than duplicating add with carry code.
  Author: jsing  Date: 2023-02-16  Files: 1  Lines: -12/+7

* Change include from _internal_s2n_bignum.h to s2n_bignum_internal.h.
  Author: jsing  Date: 2023-02-16  Files: 1  Lines: -1/+1

* Include the ISC license from s2n-bignum's LICENSE file.
  Author: jsing  Date: 2023-02-16  Files: 1  Lines: -1/+12

* Bring in word_clz.S from s2n-bignum for amd64.
  Author: jsing  Date: 2023-02-16  Files: 1  Lines: -0/+48

* Rename bn_umul_hilo() to bn_mulw().
  Author: jsing  Date: 2023-02-16  Files: 9  Lines: -105/+109
  This keeps the naming consistent with the other bignum primitives that have been recently introduced. Also, use 1/0 instead of h/l (e.g. a1 instead of ah), as this keeps consistency with other primitives and allows for naming that works with double word, triple word and quadruple word inputs/outputs. Discussed with tb@

* zap stray empty line
  Author: tb  Date: 2023-02-16  Files: 1  Lines: -2/+1

* Add missing masks to accumulator version of bn_umul_hilo()
  Author: jsing  Date: 2023-02-16  Files: 1  Lines: -1/+5

* libressl *_namespace.h: adjust *_ALIAS() to require a semicolon
  Author: tb  Date: 2023-02-16  Files: 85  Lines: -1006/+1006
  LCRYPTO_ALIAS() and LSSL_ALIAS() contained a trailing semicolon. This does not conform to style(9), breaks editors and ctags and (most importantly) my workflow. Fix this by neutering them with asm("") so that -Wpedantic doesn't complain. There's precedent in libc's namespace.h fix suggested by & ok jsing

* Reimplement bn_add_words() and bn_sub_words() using bignum primitives.
  Author: jsing  Date: 2023-02-16  Files: 2  Lines: -111/+88
  This removes the effectively duplicate BN_LLONG version of bn_add_words() and simplifies the code considerably. ok tb@

* Place bn_mul_add_words() after bn_mul_words().
  Author: jsing  Date: 2023-02-15  Files: 1  Lines: -39/+39

* zap tab
  Author: tb  Date: 2023-02-15  Files: 1  Lines: -2/+2

* Remove the misnamed and now unused mul, mul_add and mul_add_c macros.
  Author: jsing  Date: 2023-02-14  Files: 1  Lines: -122/+2
  There were only three versions of each one... ok tb@

* Reimplement bn_mul_words(), bn_mul_add_words() and bn_mul_comba{4,8}().
  Author: jsing  Date: 2023-02-14  Files: 1  Lines: -235/+152
  Use bignum primitives rather than the current mess of macros, which also allows us to remove the essentially duplicate versions of bn_mul_words() and bn_mul_add_words() for BN_LLONG. The "mul" macro gets replaced by bn_mulw_addw(), "mul_add" with bn_mulw_addw_addw() and "mul_add_c" with bn_mulw_addtw() (where 'w' indicates single word input and 'tw' indicates triple word input). The variables in the comba functions have also been reordered, so that the patterns are easier to understand - the compiler can take care of optimising the inputs and outputs to avoid register moves. ok tb@

* Provide big number primitives for word addition/multiplication.
  Author: jsing  Date: 2023-02-14  Files: 1  Lines: -1/+114
  These use a consistent naming scheme and are implemented using bitwise/constant time style operations, which should generally be safe on all platforms (until a compiler decides to optimise and use branches). More optimised versions can be provided for a given architecture. ok tb@

* Make BN_is_zero() check word values.
  Author: jsing  Date: 2023-02-14  Files: 1  Lines: -4/+9
  Rather than completely relying on top, check the words of a bignum. This gets us one step away from being dependent on top and additionally means that we correctly report zero even if top is not yet correct. ok tb@

* Fix a -0 corner case in BN_div_internal()
  Author: jsing  Date: 2023-02-14  Files: 1  Lines: -3/+5
  If the numerator is negative, the numerator and divisor are the same length (in words) and the absolute value of the divisor > the absolute value of the numerator, the "no_branch" case produces -0 since negative has already been set. Call BN_set_negative() at the end of the function to avoid this. ok tb@

* Reimplement BN_num_bits_word().
  Author: jsing  Date: 2023-02-14  Files: 1  Lines: -20/+25
  Provide a simpler and more readable bn_word_clz() function that returns the number of leading zeros for a given BN_ULONG, then implement BN_num_bits_word() using bn_word_clz(). This is a hot path and bn_word_clz() can now be replaced with architecture specific versions where possible. ok tb@

* Make BN_set_negative() closer to constant time.
  Author: jsing  Date: 2023-02-14  Files: 1  Lines: -2/+3
  ok tb@

* Provide bn_ct_{eq,ne}_zero{,_mask}() inline functions.
  Author: jsing  Date: 2023-02-14  Files: 1  Lines: -1/+33
  These will be used to test a BN_ULONG in cases where constant time style behaviour is required. ok tb@

* Merge dsa_sign.c and dsa_vrf.c into dsa_ossl.c
  Author: tb  Date: 2023-02-13  Files: 4  Lines: -166/+37
  discussed with jsing

* dsa/dsa_sign.c: unindent by inverting logic for DSA_SIG_free(NULL)
  Author: tb  Date: 2023-02-13  Files: 1  Lines: -6/+7

* dsa/dsa_sign.c: shuffle functions into a more sensible order
  Author: tb  Date: 2023-02-13  Files: 1  Lines: -13/+13

* Avoid negative zero.
  Author: jsing  Date: 2023-02-13  Files: 10  Lines: -36/+40
  Whenever setting negative to one (or when it could potentially be one), always use BN_set_negative() since it checks for a zero valued bignum and will not permit negative to be set in this case. Since BN_is_zero() currently relies on top == 0, call BN_set_negative() after top has been set (or bn_correct_top() has been called). This fixes a long standing issue where -0 and +0 have been permitted, however multiple code paths (such as BN_cmp()) fail to treat these as equivalent. Prompted by Guido Vranken who is adding negative zero fuzzing to oss-fuzz. ok tb@

* Simplify BN_set_negative().
  Author: jsing  Date: 2023-02-13  Files: 1  Lines: -6/+3
  ok tb@

* Remove bn_exp2.c, which is now empty.
  Author: jsing  Date: 2023-02-11  Files: 2  Lines: -118/+1

* Bye bye x86_64-gcc.c.
  Author: jsing  Date: 2023-02-11  Files: 1  Lines: -559/+0
  This is no longer used, since we're now using s2n-bignum functions instead.

* Use .section .rodata instead of a plain .rodata
  Author: tb  Date: 2023-02-09  Files: 14  Lines: -15/+15
  At least gcc 12 on Fedora is very unhappy about a plain .rodata and throws Error: unknown pseudo-op: `.rodata'. So add a .section in front of it to make it happy. ok deraadt miod

* Pull in bn_internal.h for the generic version of bn_umul_hilo()
  Author: jsing  Date: 2023-02-09  Files: 1  Lines: -1/+2

* Clean up bn_sqr_words()
  Author: jsing  Date: 2023-02-09  Files: 2  Lines: -53/+10
  Currently there are two versions of bn_sqr_words(), which call the sqr or sqr64 macro. Replace this with a single version that calls bn_umul_hilo() and remove the various implementations of the sqr macro. The only slight downside is that sqr64 does three multiplications instead of four, given that the second and third terms are identical. However, this is a minimal gain for the amount of duplication and entanglement it introduces. ok tb@

* Fix arbitrary memory read in GENERAL_NAME_cmp()
  Author: tb  Date: 2023-02-07  Files: 1  Lines: -2/+3
  The ASN.1 template for GENERAL_NAME and its corresponding C structure disagree on the type of the x400Address member. This results in an ASN.1 string being considered as an ASN.1 type, which allows an attacker to read (essentially) arbitrary memory. Fix this by forcing comparison as strings. While the underlying type confusion has been present since time immemorial, this particular bug came with the EdiPartyName fix (6.8/008_asn1.patch.sig). Reported by David Benjamin, fix suggested by jsing. Release date for this was set to be January 31. Unilaterally pushed back to February 7 by OpenSSL by way of announcement of many completely unrelated embargoed issues, some of which they had been sitting on since July 2020. ok beck jsing

* libcrypto/ec: another missing point-on-curve check
  Author: tb  Date: 2023-02-07  Files: 1  Lines: -3/+9
  Unlike in the affine/compressed/... cases, when setting projective coordinates of an elliptic curve point, there is no check whether the point is actually on the curve. Pointed out by Guido Vranken ok beck miod

* Remove bn_sqr_words() on amd64.
  Author: jsing  Date: 2023-02-04  Files: 2  Lines: -11/+2
  s2n-bignum's bignum_sqr() is not the same as bn_sqr_words() (which only computes a partial result, unlike the former). This went unnoticed since bn_sqr() is called directly on amd64, hence bn_sqr_words() is currently unused.

* Fix output constraints for bn_umul_hilo().
  Author: jsing  Date: 2023-02-04  Files: 4  Lines: -8/+8
  When bn_umul_hilo() is implemented using an instruction pair, mark the first output with a constraint that prevents the output from overlapping with the inputs ("&"). Otherwise the first instruction can overwrite the inputs, which then results in the second instruction producing an incorrect value.

* Move BN_mod_exp2_mont() to bn_exp.c.
  Author: jsing  Date: 2023-02-03  Files: 2  Lines: -188/+186