summaryrefslogtreecommitdiff
path: root/src/lib (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Reorder functions in bn_exp.c to be slightly sensible...jsing2023-02-031-282/+279
| | | | No functional change intended.
* Clean up and simplify BN_mod_lshift{,_quick}().jsing2023-02-031-38/+34
| | | | | | | | | | | | BN_mod_lshift() already has a BN_CTX available, make use of it rather than calling BN_dup() and BN_free(). In BN_mod_lshift_quick(), BN_copy() already handles dst == src, so avoid checking this before the call. The max_shift == 0 case can also be handled without code duplication. And as with other *_quick() functions, use BN_ucmp() and BN_usub() directly given the 0 <= a < m constraint. ok tb@
* Clean up BN_mod_mul() and simplify BN_mod_sqr().jsing2023-02-031-14/+16
| | | | | | | | | | | | | | Use the same naming/code pattern in BN_mod_mul() as is used in BN_mul(). Note that the 'rr' allocation is unnecessary, since both BN_mul() and BN_sqr() handle the case where r == a || r == b. However, it avoids a potential copy on the exit from BN_mul()/BN_sqr(), so leave it in place for now. Turn BN_mod_sqr() into a wrapper that calls BN_mod_mul(), since it already calls BN_sqr() in the a == b. The supposed gain of calling BN_mod_ct() instead of BN_nnmod() does not really exist. ok tb@
* Simplify BN_mod_{lshift1,sub}_quick().jsing2023-02-031-13/+19
| | | | | | | | | The BN_mod_.*_quick() functions require that their inputs are non-negative and are already reduced. As such, they can and should use BN_ucmp() and BN_usub() instead of BN_cmp() and BN_add()/BN_sub() (which internally call BN_uadd()/BN_usub() and potentially BN_cmp()). ok tb@
* Simplify BN_nnmod().jsing2023-02-031-13/+12
| | | | | | | | | In the case that the result is negative (i.e. one of a or m is negative), the positive result can be achieved via a single BN_usub(). This simplifies BN_nnmod() and avoids indirection via BN_add()/BN_sub(), which do BN_cmp() and then call into BN_uadd()/BN_usub(). ok tb@
* Turn BN_mod_{ct,nonct}() into symbols.jsing2023-02-032-6/+19
| | | | | | Also use accurate/useful variables names. ok tb@
* Remove AIX toc data after every function. NFCmiod2023-02-025-71/+2
|
* Refactor BN_uadd() and BN_usub().jsing2023-02-023-39/+99
| | | | | | | | | | | | | | | | | | Unlike bn_add_words()/bn_sub_words(), the s2n-bignum bignum_add() and bignum_sub() functions correctly handle inputs with differing word lengths. This means that they can be called directly, without needing to fix up any remaining words manually. Split BN_uadd() in two - the default bn_add() implementation calls bn_add_words(), before handling the carry for any remaining words. Likewise split BN_usub() in two - the default bn_sub() implementation calls bn_sub_words(), before handling the borrow for any remaining words. On amd64, provide an implementation of bn_add() that calls s2n-bignum's bignum_add() directly, similarly with an implementation of bn_sub() that calls s2n-bignum's bignum_sub() directly. ok tb@
* Unbreak vpaes-x86 implementation.jsing2023-02-021-2/+0
| | | | | | Remove remnants of previous PIC handling. ok miod@
* Move all data blocks from .text to .rodata and cleanup up and homogeneize codemiod2023-02-023-18/+5
| | | | responsible from getting the proper address of those blocks.
* Move all data blocks from .text to .rodata and cleanup up and homogeneize codemiod2023-02-0116-236/+248
| | | | | | responsible from getting the proper address of those blocks. ok tb@ jsing@
* For xonly, move sha512-ppc.pl's table from text to rodatagkoehler2023-02-011-18/+7
| | | | | | | | | | | OpenBSD/macppc will enforce xonly on PowerPC G5, then libcrypto's sha256 would crash by SIGSEGV, because it can't read text. Use ELF relocations "@ha" and "@l" to find the table in rodata. This might break the PowerPC asm on a not-ELF platform (like AIX or Mac OS) if someone would try it there. ok kettenis@ deraadt@
* Pull the MONT_WORD define to the top.jsing2023-02-011-3/+3
| | | | | | Reordering functions with defines hiding in the middle leads to fun outcomes... and apparently the non-MONT_WORD code is broken, at least on aarch64.
* Move BN_MONT_CTX_* functions to the top of the file.jsing2023-02-011-221/+221
| | | | No functional change.
* Remove the now empty bn_asm.c.jsing2023-01-318-78/+6
| | | | | | This rather misnamed file (bn_asm.c) previously contained the C code that was needed to build libcrypto bignum on platforms that did not have assembly implementations of the functions it contained.
* Simplify bn_div_3_words().jsing2023-01-311-49/+15
| | | | | | | Make use of bn_umul_hilo() and remove the tangle of preprocessor directives that implement different code paths depending on what defines exist. ok tb@
* Provide inline assembly bn_umul_hilo() for alpha/powerpc64/riscv64.jsing2023-01-313-3/+67
| | | | | | These should work, but are currently untested and disabled. ok tb@
* Provide inline assembly versions of bn_umul_hilo() for aarch64/amd64/i386.jsing2023-01-313-3/+67
| | | | ok tb@
* Provide bn_umul_hilo().jsing2023-01-311-0/+159
| | | | | | | | | | | | | | | | | The bignum code needs to be able to multiply two words, producing a double word result. Some architectures do not have native support for this, hence a pure C version is required. bn_umul_hilo() provides this functionality. There are currently two implementations, both of which are branch free. The first uses bitwise operations for the carry, while the second uses accumulators. The accumulator version uses fewer instructions, however requires more variables/registers and seems to be slower, at least on amd64/i386. The accumulator version may be faster on architectures that have more registers available. Further testing can be performed and one of the two implementations can be removed at a later date. ok tb@
* Correctly detect b < a in BN_usub().jsing2023-01-312-5/+8
| | | | | | | | | | | | BN_usub() requires that a >= b and should return an error in the case that b < a. This is currently only detected by checking the number of words in a versus b - if they have the same number of words, the top word is not checked and b < a, which then succeeds and produces an incorrect result. Fix this by checking for the case where a and b have an equal number of words, yet there is a borrow returned from bn_sub_words(). ok miod@ tb@
* Remove sparc related files from libcrypto.jsing2023-01-314-1678/+0
| | | | | | | | The sparc platform got retired a while back, however some parts remained hiding in libcrypto. Mop these up (along with the bn_arch.h that I introduced). Spotted by and ok tb@
* Fix logic of picmeup() to only produce one set of statements on OpenBSD; thismiod2023-01-301-1/+1
| | | | got accidentally lost in 1.4.
* Remove the now empty/unused bn_depr.c.jsing2023-01-292-66/+1
|
* Use s2n-bignum assembly implementations for libcrypto bignum on amd64.jsing2023-01-292-3/+90
| | | | | | | This switches the core bignum assembly implementations from x86_64-gcc.c to s2n-bignum for amd64. ok miod@ tb@
* Stop installing x509_verify.htb2023-01-281-2/+1
| | | | ok jsing
* Stop relying on x509_verify.h being publictb2023-01-281-3/+2
| | | | | | | | | | | | Use x509_verify.h from the libcrypto sources instead of the public copy. The x509_verify.h header was installed as a public header since early on we had ideas of using a public API in libtls, but we eventually decided against that. It makes no sense to install a public header that hides everything behind LIBRESSL_INTERNAL. The public API will not be exposed anytime soon if at all. ok jsing
* Remove comment referencing bn_depr.c.jsing2023-01-281-6/+1
|
* Move the three functions that are in bn_depr.c back to bn_prime.c.jsing2023-01-282-53/+57
| | | | | | | They should go away, but they have not yet disappeared and this consolidates the source files. Discussed with tb@
* Move the more readable version of bn_mul_mont() from bn_asm.c to bn_mont.c.jsing2023-01-282-168/+55
| | | | | | | | | Nothing actually uses this code, as OPENSSL_BN_ASM_MONT is not defined unless there is an assembly implementation available (not to mention that defining both OPENSSL_NO_ASM and OPENSSL_BN_ASM_MONT at the same time is extra strange). Discussed with tb@
* Fix previous.jsing2023-01-281-4/+9
|
* Provide bn_div_rem_words() and make use of it.jsing2023-01-285-67/+87
| | | | | | | | | | | | | | | | Provide a function that divides a double word (h:l) by d, returning the quotient q and the remainder r, such that q * d + r is equal to the numerator. Call this from the three places that currently implement this themselves. This is implemented with some slight indirection, which allows for per architecture implementations, replacing the define/macro tangle, which messes with variables that are not passed to it. Also remove a duplicate of bn_div_words() for the BN_ULLONG && BN_DIV2W case - this is already handled. ok tb@
* Check return value of X509_digestjob2023-01-241-2/+3
| | | | OK tb@
* Change include from _internal_s2n_bignum.h to s2n_bignum_internal.h.jsing2023-01-239-9/+9
|
* Include the ISC license from s2n-bignum's LICENSE file.jsing2023-01-239-9/+108
|
* Bring in various s2n-bignum functions for amd64.jsing2023-01-239-0/+1458
| | | | | | | | This brings in bignum_add(), bignum_cmadd(), bignum_cmul(), bignum_mul() and bignum_sub(), along with bignum_{mul,sqr}_4_8_alt() and bignum_{mul,sqr}_8_16_alt(). Discussed with tb@
* Move bn_mul_add_words() and bn_mul_words() from bn_asm.c to bn_mul.c.jsing2023-01-237-138/+156
| | | | | | These are wrapped with #ifndef HAVE_BN_ADD_MUL_WORDS/HAVE_BN_MUL_WORDS, which are defined for architectures that provide their own assembly versions.
* Move bn_sqr_words from bn_asm.c to bn_sqr.c.jsing2023-01-237-59/+69
| | | | | This is wrapped with #ifndef HAVE_BN_SQR_WORDS, which is then defined for architectures that provide their own assembly versions.
* Move bn_div_words from bn_asm.c to bn_div.c.jsing2023-01-237-86/+98
| | | | | This is wrapped with #ifndef HAVE_BN_DIV_WORDS, which are defined for architectures that provide their own assembly versions.
* Include bn_arch.h now that we're using defines from it.jsing2023-01-231-1/+2
|
* Move bn_add_words() and bn_sub_words from bn_asm.c to bn_add.c.jsing2023-01-237-159/+184
| | | | | These are wrapped with #ifndef HAVE_BN_ADD_WORDS/HAVE_BN_SUB_WORDS, which are defined for architectures that provide their own assembly versions.
* Enable bn_sqr() on amd64.jsing2023-01-211-1/+2
| | | | ok tb@
* Provide an implementation of bn_sqr() that calls s2n-bignum's bignum_sqr().jsing2023-01-213-3/+41
| | | | ok tb@
* Fix include.jsing2023-01-211-1/+1
|
* Include the ISC license from s2n-bignum's LICENSE file.jsing2023-01-211-1/+12
|
* Bring in s2n-bignum's bignum_sqr() for amd64.jsing2023-01-211-0/+185
| | | | ok tb@
* Include the ISC license from s2n-bignum's LICENSE file.jsing2023-01-212-1/+25
|
* Bring in the internal and "public" headers for s2n-bignum.jsing2023-01-212-0/+862
| | | | | | | | | s2n-bignum provides a collection of bignum routines that are written in pure machine code. Each function is written in constant-time style and has a formal proof. We intend on making use of these for libcrypto's bignum implementation on aarch64 and amd64. ok tb@
* Refactor BN_mul().jsing2023-01-211-67/+81
| | | | | | | | | | | | | This splits BN_mul() into two parts, one of which is a separate bn_mul() function. This makes the code more readable and managable, while also providing a better entry point for assembly optimisation. A separate bn_mul() is provided for the BN_RECURSION implementation, to reduce complexity. This also enables bn_mul_comba4() for four word long bignums - this was disabled for unknown reasons. ok tb@
* Refactor BN_sqr().jsing2023-01-211-50/+80
| | | | | | | | This splits BN_sqr() into two parts, one of which is a separate bn_sqr() function. This makes the code more readable and managable, while also providing a better entry point for assembly optimisation. ok tb@
* Reorder functions and drop unnessary static prototypes.jsing2023-01-211-372/+363
| | | | No functional change.