Commit graph

780 commits

Author SHA1 Message Date
Bodo Möller
bd31fb2145 Change to mitigate branch prediction attacks
Submitted by: Matthew D Wood
Reviewed by: Bodo Moeller
2007-03-28 00:15:28 +00:00
Andy Polyakov
8b71d35458 nasm fixes. 2007-03-20 08:55:58 +00:00
Andy Polyakov
760e353528 sparcv9a-mont was modified to handle 32-bit aligned input, but check
for 64-bit alignment was not removed.
2007-03-20 08:54:51 +00:00
Dr. Stephen Henson
af32f9fdda Update from fips2 branch. 2007-02-03 17:32:49 +00:00
Dr. Stephen Henson
560b79cbff Constify version strings and some structures. 2007-01-21 13:07:17 +00:00
Andy Polyakov
64aecc6720 Make armv4t-mont module backward binary compatible with armv4 and rename it
accordingly.
2007-01-17 20:12:41 +00:00
Andy Polyakov
43b8fe1cd0 Montgomery multiplication for ARMv4. 2007-01-11 21:43:25 +00:00
Andy Polyakov
8876e58f34 Montgomery multiplication for MIPS III/IV. Not engaged. 2006-12-29 11:09:33 +00:00
Andy Polyakov
7321a84d4c Minor clean-up in crypto/bn/asm. 2006-12-29 11:05:20 +00:00
Andy Polyakov
4cfe3df1f5 Minor performance improvements to x86-mont.pl. 2006-12-28 12:43:16 +00:00
Andy Polyakov
8f2d60ec26 Fix for "strange errors" exposed by ccgost engine. The fix is
two extra insructions in sqradd loop at line #503.
2006-12-27 10:59:51 +00:00
Andy Polyakov
1702c8c4bf x86-mont.pl sse2 tune-up and integer-only squaring procedure. 2006-12-22 15:28:07 +00:00
Andy Polyakov
87d3af6475 Eliminate 64-bit alignment limitation in sparcv9a-mont. 2006-12-08 15:18:41 +00:00
Andy Polyakov
98939a05b6 alpha-mont.pl: gcc portability fix and make-rule. 2006-12-08 14:18:58 +00:00
Andy Polyakov
d28134b8f3 Minor, +10%, tune-up for x86_64-mont.pl. 2006-12-08 10:13:51 +00:00
Andy Polyakov
8583eba015 Montgomery multiplication routine for Alpha. 2006-12-08 10:12:56 +00:00
Andy Polyakov
73b979e601 Clarify HAL SPARC64 support situation in sparcv9a-mont.pl. 2006-11-28 11:07:36 +00:00
Andy Polyakov
ebae8092cb Minor optimizations based on intruction level profiler feedback. 2006-11-28 10:34:51 +00:00
Andy Polyakov
2e21922eb6 Modulo-schedule loops in sparcv9a-mont.pl. Overall improvement factor
over 0.9.8 is up to 3x on USI&II cores and up to 80% - on USIII&IV.
2006-11-28 07:24:26 +00:00
Andy Polyakov
1c3d2b94be This is "informational" commit. Its mere purpose is to expose "modulo
factor" in inner loops.
2006-11-28 07:20:36 +00:00
Andy Polyakov
48d2335d73 Non-SSE2 path to bn_mul_mont. But it's disabled, because it currently
doesn't give performance improvement.
2006-11-27 14:59:35 +00:00
Dr. Stephen Henson
47a9d527ab Update from 0.9.8 stable. Eliminate duplicate error codes. 2006-11-21 21:29:44 +00:00
Andy Polyakov
31439046e0 bn/asm/ppc.pl to use ppc-xlate.pl. 2006-10-17 14:37:07 +00:00
Andy Polyakov
cecfdbf72d VIA-specific Montgomery multiplication routine. 2006-10-17 07:04:48 +00:00
Bodo Möller
a53cdc5b08 Ensure that the addition mods[i]+delta cannot overflow in probable_prime().
[Problem pointed out by Adam Young <adamy (at) acm.org>]
2006-09-18 14:00:49 +00:00
Andy Polyakov
8ea975d070 +20% tune-up for Power5. 2006-08-09 15:40:30 +00:00
Andy Polyakov
c8a0d0aaf9 Engage assembler in solaris64-x86_64-cc. 2006-07-31 22:28:40 +00:00
Dr. Stephen Henson
f0fa285f75 Update .cvsignore again. 2006-07-17 16:42:06 +00:00
Andy Polyakov
1a4e245f3e Unsigned vs signed comparison warning. 2006-07-04 20:29:14 +00:00
Bodo Möller
48fc582f66 New functions CRYPTO_set_idptr_callback(),
CRYPTO_get_idptr_callback(), CRYPTO_thread_idptr() for a 'void *' type
thread ID, since the 'unsigned long' type of the existing thread ID
does not always work well.
2006-06-23 15:21:36 +00:00
Bodo Möller
c4e7870ac1 Change array representation of binary polynomials to make GF2m part of
the BN library more generally useful.

Submitted by: Douglas Stebila
2006-06-18 22:00:57 +00:00
Bodo Möller
4584eccea0 another thread-safety fix 2006-06-16 01:00:47 +00:00
Bodo Möller
675f605d44 Thread-safety fixes 2006-06-14 08:55:23 +00:00
Andy Polyakov
67d990904e Futher minor PPC assembler update. 2006-05-04 21:30:41 +00:00
Andy Polyakov
c09a0318b7 Minor PPC assembler updates. 2006-05-03 14:07:34 +00:00
Andy Polyakov
2c5d4daac5 Yet another "teaser" Montgomery multiplication module, for PowerPC. 2006-04-30 21:15:29 +00:00
Dr. Stephen Henson
54d853ebc3 Add support for setting keybits and public exponent value for pkey RSA keygen. 2006-04-11 17:28:37 +00:00
Nils Larsch
b4e88ccb28 ensure the pointer is valid before using it 2006-03-18 14:27:41 +00:00
Ulf Möller
3b408d83fe make update 2006-02-12 23:21:56 +00:00
Dr. Stephen Henson
15ac971681 Update filenames in makefiles. 2006-02-04 01:45:59 +00:00
Nils Larsch
8c5a2bd6bb add additional checks + cleanup
Submitted by: David Hartman <david_hartman@symantec.com>
2006-01-29 23:12:22 +00:00
Nils Larsch
3798cb8182 fix comment
PR: 1270
2006-01-13 23:50:26 +00:00
Nils Larsch
2c5fadbce3 2 is a prime
PR: 1266
2006-01-13 23:27:59 +00:00
Andy Polyakov
7a5dbeb782 Minor sparcv9 clean-ups. 2005-12-27 21:27:39 +00:00
Andy Polyakov
3b4a0225e2 As SPARCV9 CPU flavor is [expected to be] detected at run-time, we can
afford to relax SPARCV9/8+ compiler command line and produce "unversal"
binaries as we used to.
2005-12-19 09:10:06 +00:00
Andy Polyakov
a00e414faf Unify sparcv9 assembler naming and build rules among 32- and 64-bit builds.
Engage run-time switch between bn_mul_mont_fpu and bn_mul_mont_int.
2005-12-16 17:39:57 +00:00
Andy Polyakov
f5826b8014 We all make typos:-) Fix just introduced ones in bn.h 2005-12-16 10:43:33 +00:00
Andy Polyakov
4a47f55639 Eliminate warning induced by http://cvs.openssl.org/chngview?cn=14690 and
keep disclaiming narrower than 32-bit support.
2005-12-16 10:37:24 +00:00
Andy Polyakov
68ea60683a Add IALU-only bn_mul_mont for SPARCv9. See commentary section for details. 2005-12-15 22:43:33 +00:00
Andy Polyakov
6df8c74d5b Switch 64-bit sparcv9 platforms from bn(64,64) to bn(64,32). This doesn't
have impact on performance, because amount of multiplications does not
increase with this switch, not on sparcv9 that is. On the contrary, it
actually improves performance, because it spares a load of instructions
used to chase carries. Not to mention that BN assembler modules can be
shared more freely between 32- and 64-bit builts.
2005-12-15 22:40:58 +00:00
Andy Polyakov
877e8e970c Allow for bn(64,32) on LP64 platforms. 2005-12-15 22:31:16 +00:00
Andy Polyakov
07645deeb8 Apply "better safe than sorry" approach after addressing sporadic SEGV in
bn_sub_words to the rest of the sparcv8plus.S.
2005-11-15 08:02:10 +00:00
Andy Polyakov
c52c82ffc1 Attempt to resolve sporadic SEGV crashes in bn_sub_words in OpenSSH. I'm
baffled why it crashes and does it sporadically...
2005-11-11 20:07:07 +00:00
Dr. Stephen Henson
d6a03a23a8 Update from stable branch. 2005-11-11 13:00:07 +00:00
Andy Polyakov
bd2abcae37 Move declaration for optional bn_mul_mont to bn_lcl.h in order to hide
it from mkdef.pl.
2005-11-06 22:10:38 +00:00
Andy Polyakov
a4d729f31d Clarify binary compatibility with HAL/Fujitsu SPARC64 family. 2005-10-25 15:39:47 +00:00
Andy Polyakov
8c0ceb17a2 bn_asm.c update. 2005-10-22 20:20:06 +00:00
Andy Polyakov
c2012f9b82 Eliminate gcc warning in bn_mont.c. 2005-10-22 20:17:01 +00:00
Andy Polyakov
aa2be094ae Add support for 32-bit ABI to sparcv9a-mont.pl module. 2005-10-22 18:16:09 +00:00
Andy Polyakov
4d524040bc Change bn_mul_mont declaration and BN_MONT_CTX. Update CHANGES. 2005-10-22 17:57:18 +00:00
Andy Polyakov
bcb43bb358 Yet another "teaser" Montgomery multiply module, for UltraSPARC. It's not
integrated yet, but it's tested and benchmarked [see commentary section
for further details].
2005-10-19 07:12:06 +00:00
Andy Polyakov
34736de4c0 Flip saved argument block and tp [required for non-SSE2 path]. 2005-10-14 16:05:21 +00:00
Andy Polyakov
5f50d597f2 Make sure x86-mont.pl returns zero even if compiled with no-sse2. 2005-10-14 15:24:06 +00:00
Andy Polyakov
df94f187b9 Fix bug in SMALL_FOOTPRINT path and clarify comment. 2005-10-14 15:22:27 +00:00
Andy Polyakov
35593b33f4 Add timestamp to x86-mont.pl. 2005-10-09 10:26:56 +00:00
Andy Polyakov
54f3d200d3 Throw in bn/asm/x86-mont.pl Montgomery multiplication "teaser". 2005-10-09 09:53:58 +00:00
Andy Polyakov
7a2f4cbfe8 x86_64-mont.pl readability improvement. 2005-10-07 15:18:16 +00:00
Andy Polyakov
5ac7bde7c9 Throw in Montgomery multiplication assembler for x86_64. 2005-10-07 14:18:06 +00:00
Andy Polyakov
9b4eab501a Refine logic in bn_mont.c and eliminate redundant BN_CTX pulls. 2005-10-06 13:12:28 +00:00
Andy Polyakov
ca04d7a208 Leave the decision to call/implement bn_sqr_mont to assembler developer. 2005-10-06 09:12:39 +00:00
Dr. Stephen Henson
40a3c12305 Initialize bignum constants using BN_bin2bn() instead of BN_hex2bn(). This
saves a bit of space and avoids a compiler warning about string length.
2005-10-05 17:51:43 +00:00
Andy Polyakov
22cd982566 Fix typo in exptest.c. 2005-10-04 06:23:15 +00:00
Andy Polyakov
682b112abc Reserve for SMALL_FOOTPRINT bn_asm.c. Currently OPENSSL_SMALL_FOOTPRINT
is defined on Windows CE targets.
2005-10-04 06:22:11 +00:00
Andy Polyakov
e738280547 Add reference implementation for bn_[mul|sqr]_mont, new candidates for
assembler implementation.
2005-10-04 06:19:29 +00:00
Andy Polyakov
6f9afa68cd IA-32 BN tune-up. Performance imrpovement varies with platform and
keylength, this time larger improvement for shorter keys, and reaches
15%. Both SSE2 and IALU code pathes are improved.
2005-09-20 12:26:54 +00:00
Nils Larsch
8215e7a938 fix warnings when building openssl with the following compiler options:
-Wmissing-prototypes -Wcomment -Wformat -Wimplicit -Wmain -Wmultichar
        -Wswitch -Wshadow -Wtrigraphs -Werror -Wchar-subscripts
        -Wstrict-prototypes -Wreturn-type -Wpointer-arith  -W -Wunused
        -Wno-unused-parameter -Wuninitialized
2005-08-28 22:49:57 +00:00
Bodo Möller
7534d131d6 avoid potential spurious BN_free()
Submitted by: David Heine <dlheine@suif.Stanford.EDU>
2005-08-23 04:14:40 +00:00
Nils Larsch
725111f7cb add missing file 2005-08-21 23:02:05 +00:00
Ben Laurie
bf3d6c0c9b Make D-H safer, include well-known primes. 2005-08-21 16:00:17 +00:00
Andy Polyakov
7cfe2a5e65 Fix Intel assembler warnings. 2005-08-10 08:28:36 +00:00
Andy Polyakov
11de71b04c 3-4 times better RSA/DSA performance on WIN64A target. Well, on AMD64 CPU,
EMT64T will hardly exhibit better performance...
2005-08-04 17:35:42 +00:00
Nils Larsch
0260405c68 fix BN_mod_word and give a more reasonable return value if an error occurred 2005-07-25 22:57:54 +00:00
Nils Larsch
17a2994dbd set correct bn->top value 2005-07-21 22:40:39 +00:00
Andy Polyakov
ef428d5681 Fix unwind directives in IA-64 assembler modules. This helps symbolic
debugging and doesn't affect functionality.

Submitted by: David Mosberger

Obtained from: http://www.hpl.hp.com/research/linux/crypto/
2005-07-18 09:54:14 +00:00
Nils Larsch
449bd384ed bugfix: 0 - w (w != 0) is actually negative 2005-07-17 16:09:09 +00:00
Andy Polyakov
31efffbdba Trap condition should be 64-bit when it's due. 2005-07-03 09:17:50 +00:00
Andy Polyakov
aaa5dc614f More elegant solution to "sparse decimal printout on PPC" problem. 2005-07-02 08:58:55 +00:00
Andy Polyakov
8be97c01d1 Decimal printout of a BN is wrong on PPC, it's sparse with very few
significant digits. As soon it verifies elsewhere it goes to 0.9.8 and
0.9.7.
2005-07-01 17:49:47 +00:00
Ben Laurie
a51a97262d Brought forward from 0.9.8 - 64 bit warning fixes and fussy compiler fixes. 2005-06-29 11:02:15 +00:00
Andy Polyakov
bb00084863 Replace _int64 with __int64, which is more widely accepted among Win32
compiler vendors.
2005-06-28 11:50:50 +00:00
Andy Polyakov
c25f2f1cbf Missed -c in IRIX rules. 2005-06-23 20:37:29 +00:00
Andy Polyakov
62526671e9 Typo in bn-mips3 rule. 2005-06-23 16:24:51 +00:00
Andy Polyakov
88ebf53577 Rename mips3.o to bn-mips3.o [it's better in long run] and adjust the
rule to accomodate gcc4, which no longer support SGI as.
2005-06-23 16:23:06 +00:00
Nils Larsch
88737991d2 fix assertion 2005-05-31 20:39:16 +00:00
Andy Polyakov
20a85e9f69 Missing sparcv8.o rule.
PR: 1082
2005-05-31 12:17:35 +00:00
Richard Levitte
9426364be9 Typo 2005-05-29 12:11:50 +00:00
Bodo Möller
a28a5d9c62 Use BN_with_flags() in a cleaner way. 2005-05-27 15:38:53 +00:00
Bodo Möller
c61f571ce0 check BN_copy() return value 2005-05-26 04:30:49 +00:00
Richard Levitte
b172dec864 DEC C complains about bad subscript, but we know better, so let's shut it up. 2005-05-24 03:22:53 +00:00
Andy Polyakov
ce92b6eb9c Further BUILDENV refinement, further fool-proofing of Makefiles and
[most importantly] put back dependencies accidentaly eliminated in
check-in #13342.
2005-05-16 16:55:47 +00:00
Bodo Möller
46a643763d Implement fixed-window exponentiation to mitigate hyper-threading
timing attacks.

BN_FLG_EXP_CONSTTIME requests this algorithm, and this done by default for
RSA/DSA/DH private key computations unless
RSA_FLAG_NO_EXP_CONSTTIME/DSA_FLAG_NO_EXP_CONSTTIME/
DH_FLAG_NO_EXP_CONSTTIME is set.

Submitted by: Matthew D Wood
Reviewed by: Bodo Moeller
2005-05-16 01:43:31 +00:00
Andy Polyakov
81a86fcf17 Fool-proofing Makefiles 2005-05-15 22:23:26 +00:00
Ben Laurie
4b26fe30de There must be an explicit way to build the .o! 2005-05-11 16:39:05 +00:00
Bodo Möller
8afca8d9c6 Fix more error codes.
(Also improve util/ck_errf.pl script, and occasionally
fix source code formatting.)
2005-05-11 03:45:39 +00:00
Richard Levitte
82e8cb403a Since BN_LLONG will only be defined for Alpha/VMS and not VAX/VMS,
there's no need to undefine it here.  Then, let's get a bit paranoid
and not define BN_ULLONG on THIRTY_TWO_BIT machines when BN_LLONG
isn't defined.
2005-05-06 13:34:35 +00:00
Nils Larsch
f15c448a72 remove BN_ncopy, it was only used in bn_nist.c and wasn't particular
useful anyway
2005-05-03 20:27:00 +00:00
Nils Larsch
fcb41c0ee8 rewrite of bn_nist.c, disable support for some curves on 64 bit platforms
for now (it was broken anyway)
2005-05-03 20:23:33 +00:00
Nils Larsch
c1a8a5de13 don't let BN_CTX_free(NULL) segfault 2005-04-29 21:20:31 +00:00
Dr. Stephen Henson
6ec8e63af6 Port BN_MONT_CTX_set_locked() from stable branch.
The function rsa_eay_mont_helper() has been removed because it is no longer
needed after this change.
2005-04-26 23:58:54 +00:00
Dr. Stephen Henson
465b9f6b26 Stop unused variable warning. 2005-04-26 23:45:49 +00:00
Nils Larsch
800e400de5 some updates for the blinding code; summary:
- possibility of re-creation of the blinding parameters after a
  fixed number of uses (suggested by Bodo)
- calculatition of the rsa::e in case it's absent and p and q
  are present (see bug report #785)
- improve the performance when if one rsa structure is shared by
  more than a thread (see bug report #555)
- fix the problem described in bug report #827
- hide the definition ot the BN_BLINDING structure in bn_blind.c
2005-04-26 22:31:48 +00:00
Bodo Möller
aa4ce7315f Fix various incorrect error function codes.
("perl util/ck_errf.pl */*.c */*/*.c" still reports many more.)
2005-04-26 18:53:22 +00:00
Ben Laurie
36d16f8ee0 Add DTLS support. 2005-04-26 16:02:40 +00:00
Nils Larsch
ff22e913a3 - use BN_set_negative and BN_is_negative instead of BN_set_sign
and BN_get_sign
- implement BN_set_negative as a function
- always use "#define BN_is_zero(a) ((a)->top == 0)"
2005-04-22 20:02:44 +00:00
Dr. Stephen Henson
29dc350813 Rebuild error codes. 2005-04-12 16:15:22 +00:00
Richard Levitte
4bb61becbb Add emacs cache files to .cvsignore. 2005-04-11 14:17:07 +00:00
Andy Polyakov
0abfd60604 Extend Solaris x86 support to amd64. 2005-04-04 17:10:53 +00:00
Andy Polyakov
60fd574cdf Make bn/asm/x86_64-gcc.c gcc4 savvy. +r is likely to be initially
introduced for a reason [like bug in initial gcc port], but proposed
=&r is treated correctly by senior 3.2, so we can assume it's safe now.
PR: 1031
2005-04-03 18:53:29 +00:00
Nils Larsch
fea4280a8b fix header 2005-03-30 21:38:29 +00:00
Ben Laurie
42ba5d2329 Blow away Makefile.ssl. 2005-03-30 13:05:57 +00:00
Andy Polyakov
da30c74a27 Remove unused assembler modules. 2005-02-06 13:43:02 +00:00
Andy Polyakov
67ea999d4a This patch was "ignited" by OpenBSD 3>=4 support. They've switched to ELF
and GNU binutils, but kept BSD make... And I took the opportunity to
unify other targets to this common least denominator...
2005-02-06 13:23:34 +00:00
Andy Polyakov
76ef6ac956 Refine PowerPC platform support. 2004-12-20 13:44:34 +00:00
Dr. Stephen Henson
a0e7c8eede Add lots of checks for memory allocation failure, error codes to indicate
failure and freeing up memory if a failure occurs.

PR:620
2004-12-05 01:03:15 +00:00
Richard Levitte
a2ac429da2 Don't use $(EXHEADER) directly in for loops, as most shells will break
if $(EXHEADER) is empty.

Notified by many, solution suggested by Carson Gaspar <carson@taltos.org>
2004-11-02 23:55:01 +00:00
Geoff Thorpe
f79110c633 Two TODO comments taken care of. Nils pointed out that one of them had already
been done, and took care of the other one (which hadn't).

Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe
2004-09-19 04:43:46 +00:00
Andy Polyakov
16760a3089 Proper support for OpenBSD-i386 shared build, including assember modules!
"Proper" means "compiles and passes test." Versioning is broken (I think).
2004-08-29 21:36:37 +00:00
Andy Polyakov
2b247cf81f OPENSSL_ia32cap final touches. Note that OPENSSL_ia32cap is no longer a
symbol, but a macro expanded as (*(OPENSSL_ia32cap_loc())). The latter
is the only one to be exported to application.
2004-08-29 16:36:05 +00:00
Andy Polyakov
34413fca84 OpenBSD fix-up for new a.out targets. OpenBSD .s.o rule is busted... 2004-08-01 21:16:26 +00:00
Andy Polyakov
ec38ddc765 Clean-up GAS targets: get rid of "cpp" stuff and replace it with "purified"
COFF and a.out targets [similar to ELF targets]. You might notice some
rudementary support for shared mingw builds under cygwin. It works (it
produces cryptoeay32.dll and ssleay32.dll with everything exported by
name), but it's primarily for testing/debugging purposes, at least for
now...
2004-08-01 17:33:58 +00:00
Andy Polyakov
33c3ecf741 Build-n-link new IA-64 modules on Linux and HP-UX. 2004-07-23 23:27:10 +00:00
Andy Polyakov
8169dd73f9 All SIXTY_FOUR_BIT platforms (mind the difference between SIXTY_FOUR_BIT and
SIXTY_FOUR_BIT_LONG) were failing to pass 'cd test; make test_bn'.
2004-07-22 09:32:11 +00:00
Andy Polyakov
859ceeeb51 Anchor AES and SHA-256/-512 assembler from C. 2004-07-18 17:26:01 +00:00
Andy Polyakov
d0590fe6b2 Add anchors for AES, SHA-256/-512 assembler modules and SSE2 code pathes.
I also used this opportunity to clean up some out-of-date targets and
re-group targets by OS.
2004-07-18 16:19:34 +00:00
Geoff Thorpe
ace3ebd661 Improve error handling if decompression of an ec point fails, and cleanup
ec_curve.c (unify comments, etc).

Submitted by: Nils Larsch
Reviewed by: Bodo Moeller, Geoff Thorpe
2004-07-06 15:50:04 +00:00
Andy Polyakov
e2f2a9af2c New scalable bn_mul_add_words loop, which provides up to >20% overall
performance improvement. Make module more gcc friendly and clarify
copyright issues for division routine.
2004-07-01 11:10:38 +00:00
Geoff Thorpe
d459e39012 Tidy up, including;
- Remove unused and unuseful debug cruft.
- Remove unnecessary 'top' fudging from BN_copy().
- Fix a potential memory leak and simplify the expansion logic in
  BN_bin2bn().

Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe
2004-06-20 04:16:12 +00:00
Geoff Thorpe
df11e1e921 Deprecate unused cruft, and "make update". 2004-06-17 23:50:25 +00:00
Geoff Thorpe
afbe74d386 Actually, that last change to BN_get_word() was a little too simple. 2004-06-17 22:05:40 +00:00
Geoff Thorpe
9088d5f24f As Nils put it;
Yet another question: some time ago you changed BN_set_word.
    Why didn't you change BN_get_word as well?

Quite. I'm also removing the older commented-out implementations to improve
readability. This complex stuff seems to date from a time when the types
didn't match up well.

Submitted by: Nils Larsch, Geoff Thorpe
2004-06-17 20:13:50 +00:00
Geoff Thorpe
cf9056cfda BN_div_word() was breaking when called from BN_bn2dec() (actually, this is
the only function that uses it) because it would trip up an assertion in
bn_div_words() when first invoked. This also adds BN_div_word() testing to
bntest.

Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe
2004-06-17 20:03:56 +00:00
Andy Polyakov
1809e858bb Eliminate compiler warnings and throw in performance table. 2004-05-28 10:15:58 +00:00
Geoff Thorpe
d6dda126b7 Make some more API types opaquely available from ossl_typ.h, meaning the
corresponding headers are only required for API functions or structure
details. This now includes the bignum types and BUF_MEM. Subsequent commits
will remove various dependencies on bn.h and buffer.h and update the
makefile dependencies.
2004-05-15 18:32:08 +00:00
Andy Polyakov
d3adc3d3ed SSE2 accelerated bn_mul_add_words. Code is currently disabled till proper
config and run-time support is added.
PR: 788
Submitted by: <dean@arctic.org>
Reviewed by: <appro>

Obtained from: http://arctic.org/~dean/crypto/rsa.html
2004-05-06 10:36:49 +00:00
Andy Polyakov
dd55880644 Improved PowerPC support. Proper ./config support for ppc targets,
especially for AIX. But most important BIGNUM assembler implementation
submitted by IBM.

Submitted by: Peter Waltenberg <pwalten@au1.ibm.com>
Reviewed by: appro
2004-04-27 22:05:50 +00:00
Richard Levitte
863d2b196f Print the debug thingies on stderr instead of stdout. If for nothing
else then at least so bc doesn't have problems parsing the output from
bntest :-).
2004-04-20 10:57:07 +00:00
Geoff Thorpe
c57bc2dc51 make update 2004-04-19 18:33:41 +00:00
Richard Levitte
a87228031f RAND_add() wants a double as it's last argument. 2004-03-25 15:52:43 +00:00
Geoff Thorpe
c86f2054f3 Adjust various bignum functions to use BN_CTX for variables instead of
locally initialising their own.

NB: I've removed the "BN_clear_free()" loops for the exit-paths in some of
these functions, and that may be a major part of the performance
improvements we're seeing. The "free" part can be removed because we're
using BN_CTX. The "clear" part OTOH can be removed because BN_CTX
destruction automatically performs this task, so performing it inside
functions that may be called repeatedly is wasteful. This is currently safe
within openssl due to the fact that BN_CTX objects are never created for
longer than a single high-level operation. However, that is only because
there's currently no mechanism in openssl for thread-local storage. Beyond
that, this might be an issue for applications using the bignum API directly
and caching their own BN_CTX objects. The solution is to introduce a flag
to BN_CTX_start() that allows its variables to be automatically sanitised
on release during BN_CTX_end(). This way any higher-level function (and
perhaps the application) can specify this flag in its own
BN_CTX_start()/BN_CTX_end() pair, and this will cause inner-loop functions
specifying the flag to be ignored so that sanitisation is handled only once
back out at the higher level. I will be implementing this in the near
future.
2004-03-25 04:32:24 +00:00
Geoff Thorpe
5c98b2caf5 Replace the BN_CTX implementation with my current work. I'm leaving the
little TODO list in there as well as the debugging code (only enabled if
BN_CTX_DEBUG is defined).

I'd appreciate as much review and testing as can be spared for this. I'll
commit some changes to other parts of the bignum code shortly to make
better use of this implementation (no more fixed size limitations). Note
also that under identical optimisations, I'm seeing a noticable speed
increase over openssl-0.9.7 - so any feedback to confirm/deny this on other
systems would also be most welcome.
2004-03-25 04:16:14 +00:00
Geoff Thorpe
e042540f6b Variety of belt-tightenings in the bignum code. (Please help test this!)
- Remove some unnecessary "+1"-like fudges. Sizes should be handled
  exactly, as enlarging size parameters causes needless bloat and may just
  make bugs less likely rather than fixing them: bn_expand() macro,
  bn_expand_internal(), and BN_sqr().
- Deprecate bn_dup_expand() - it's new since 0.9.7, unused, and not that
  useful.
- Remove unnecessary zeroing of unused bytes in bn_expand2().
- Rewrite BN_set_word() - it should be much simpler, the previous
  complexities probably date from old mismatched type issues.
- Add missing bn_check_top() macros in bn_word.c
- Improve some degenerate case handling in BN_[add|sub]_word(), add
  comments, and avoid a bignum expansion if an overflow isn't possible.
2004-03-17 17:36:54 +00:00
Geoff Thorpe
b6358c89a1 Convert openssl code not to assume the deprecated form of BN_zero().
Remove certain redundant BN_zero() initialisations, because BN_CTX_get(),
BN_init(), [etc] already initialise to zero.

Correct error checking in bn_sqr.c, and be less wishy-wash about how/why
the result's 'top' value is set (note also, 'max' is always > 0 at this
point).
2004-03-13 23:57:20 +00:00
Geoff Thorpe
5d735465d1 The efforts to eliminate the dual-representation of zero and to ensure
bignums are passed in and out of functions and APIs in a consistent form
has highlighted that zero-valued bignums don't need any allocated word
data. The use of BN_set_word() to initialise a bignum to zero causes
needless allocation and gives it a return value that must be checked. This
change converts BN_zero() to a self-contained macro that has no
return/expression value and does not cause any expansion of bignum data.

Note, it would be tempting to rewrite the deprecated version as a
success-valued comma expression, such as;
   #define BN_zero(a) ((a)->top = (a)->neg = 0, 1)
However, this evaluates 'a' twice and would confuse initialisation loops
(eg. while(..) { BN_zero(bn++) } ). As such, the deprecated version
continues to use BN_set_word().
2004-03-13 23:04:15 +00:00
Geoff Thorpe
9e051bac13 Document a change I'd already made, and at the same time, correct the
change to work properly; BN_zero() should set 'neg' to zero as well as
'top' to match the behaviour of BN_new().
2004-03-13 22:10:15 +00:00
Geoff Thorpe
a8aa764d3c Minimise the amount of code dependent on BN_DEBUG_RAND. In particular,
redefine bn_clear_top2max() to be a NOP in the non-debugging case, and
remove some unnecessary usages in bn_nist.c.

Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe, Ulf Möller
2004-03-09 03:53:40 +00:00
Geoff Thorpe
e7716b7a19 More changes coming out of the bignum auditing. BN_CTX_get() should ideally
return a "zero" bignum as BN_new() does - so reset 'top'. During
BN_CTX_end(), released bignums should be consistent so enforce this in
debug builds. Also, reduce the number of wasted BN_clear_free() calls from
BN_CTX_end() (typically by 75% or so).

Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe, Ulf Möller
2004-03-09 03:47:35 +00:00
Geoff Thorpe
1b06804491 When adding positive elements, we can use BN_uadd() instead of BN_add().
Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe
2004-02-22 19:30:41 +00:00
Andy Polyakov
1751034669 Typo in crypto/bn/asm/x86_64.c, bn_div_words().
PR: 821
2004-02-07 09:51:28 +00:00
Andy Polyakov
d04b1b4656 Typo in PA-RISC 2 rules in crypto/bn/Makefile.ssl 2004-01-30 05:41:23 +00:00
Andy Polyakov
1247092776 HP/UX PA-RISC 2 targets update. 2004-01-29 22:16:08 +00:00
Richard Levitte
1fb724449d make update 2004-01-28 18:38:33 +00:00
Andy Polyakov
27b2b78f90 Even though C specification explicitly says that constant type "stretches"
automatically to accomodate the value, some compilers fail to do so. Most
notably 0x0123456789ABCDEF should come out as long long in 32-bit context,
but HP compiler truncates it to 32-bit value. Which in turn breaks GF(2^m)
arithmetics in hpux-parisc2-cc build. Therefore this fix...
2004-01-25 10:53:43 +00:00
Richard Levitte
79b42e7654 Use sh explicitely to run point.sh
This is part of a large change submitted by Markus Friedl <markus@openbsd.org>
2003-12-27 14:59:07 +00:00
Richard Levitte
d420ac2c7d Use BUF_strlcpy() instead of strcpy().
Use BUF_strlcat() instead of strcat().
Use BIO_snprintf() instead of sprintf().
In some cases, keep better track of buffer lengths.
This is part of a large change submitted by Markus Friedl <markus@openbsd.org>
2003-12-27 14:40:17 +00:00
Ulf Möller
380e145daf Add "dif" variable to clean up the loop implementations.
Submitted by: Nils Larsch
2003-12-06 11:55:46 +00:00
Ulf Möller
ce38bb1a8c Avoid segfault if ret==0.
Submitted by: Nils Larsch
2003-12-06 11:39:37 +00:00
Geoff Thorpe
2bfd2c74d2 Incremental cleanups to bn_lib.c.
- Add missing bn_check_top() calls and relocate some others
- Use BN_is_zero() where appropriate
- Remove assert()s that bn_check_top() is already covering
- Simplify the code in places (esp. bn_expand2())
- Only keep ambiguous zero handling if BN_STRICT isn't defined
- Remove some white-space and make some other aesthetic tweaks
2003-12-02 20:01:30 +00:00
Geoff Thorpe
82b2f57e30 Use the BN_is_odd() macro in place of code that (inconsistently) does much
the same thing.

Also, I have some stuff on the back-burner related to some BN_CTX notes
from Peter Gutmann about his cryptlib hacks to the bignum code. The BN_CTX
comments are there to remind me of some relevant points in the code.
2003-12-02 03:28:24 +00:00
Geoff Thorpe
2ae1ea3788 BN_FLG_FREE is of extremely dubious usefulness, and is only referred to
once in the source (where it is set for the benefit of no other code
whatsoever). I've deprecated the declaration in the header and likewise
made the use of the flag conditional in bn_lib.c. Note, this change also
NULLs the 'd' pointer in a BIGNUM when it is reset but not deallocated.
2003-12-02 03:16:56 +00:00
Geoff Thorpe
34066d741a Declare the static BIGNUM "BN_value_one()" more carefully. 2003-12-01 23:13:17 +00:00
Geoff Thorpe
b74cc0776b Add missing bn_check_top()s to bn_kron.c, remove some miscellaneous
white-space, and include extra headers to satisfy debugging builds.
2003-12-01 23:11:45 +00:00
Geoff Thorpe
e7e5fe4705 Add missing bn_check_top()s to bn_gf2m.c and remove some miscellaneous
white-space.
2003-12-01 23:10:21 +00:00
Geoff Thorpe
998ae048e7 The bn_set_max() macro is only "used" by the bn_set_[low|high]() macros
which, in turn, are used nowhere at all. This is a good thing because
bn_set_max() would currently generate code that wouldn't compile (BIGNUM
has no 'max' element).

The only apparent use for bn_set_[low|high] would be for implementing
windowing algorithms, and all of openssl's seem to use bn_***_words()
helpers instead (including the BN_div() that Nils fixed recently, which had
been using independently-coded versions of what these unused macros are
intended for). I'm therefore consigning these macros to cvs oblivion in the
name of readability.
2003-12-01 22:11:08 +00:00
Geoff Thorpe
e65c2b9872 bn_fix_top() exists for compatibility's sake and is mapped to
bn_correct_top() or bn_check_top() depending on debug settings. For
internal source, all bn_fix_top()s should be converted one way or the other
depending on whether the use of bn_correct_top() is justified.

For BN_div_recp(), these cases should not require correction if the other
bignum functions are doing their jobs properly, so convert to
bn_check_top().
2003-12-01 21:59:40 +00:00
Geoff Thorpe
46cb8d3689 If BN_STRICT is defined, don't accept an ambiguous representation of zero
(ie. where top may be zero, or it may be one if the corresponding word is
set to zero). Note, this only affects the macros in bn.h, there are probably
similar corrections required in some c files.

Also, clarify the audit-related macros at the top of the header. Mental
note: I must not forget to clean all this out before 0.9.8 is released ...
2003-11-30 22:23:12 +00:00
Geoff Thorpe
23fc5ac646 Improve a couple of the bignum macros. Note, this doesn't eliminate
tolerance of ambiguous zero-representation, it just improves
BN_abs_is_word() and simplifies other macros that depend on it.
2003-11-30 22:02:10 +00:00
Geoff Thorpe
5734bebe05 Make BN_DEBUG_RAND less painfully slow by only consuming one byte of
pseudo-random data for each bn_pollute().
2003-11-30 21:21:30 +00:00
Geoff Thorpe
657a919598 This improves the placement of check_top() macros in a couple of bn_lib
functions.
2003-11-29 20:34:07 +00:00
Geoff Thorpe
444c3a8492 Get rid of some signed/unsigned comparison warnings. 2003-11-28 16:39:16 +00:00
Richard Levitte
4d8743f490 Netware-specific changes,
PR: 780
Submitted by: Verdon Walker <VWalker@novell.com>
Reviewed by: Richard Levitte
2003-11-28 13:10:58 +00:00
Geoff Thorpe
81ba5f6713 Due to recent debugging bursts, openssl should be more or less solid
against inconsistent BIGNUMs coming out of any of its API functions. So
this change no longer "fixes" the bn_print.c functions, but it makes for
cleaner code. This patch was a part of ticket 697.

PR: 697
Submitted by: Otto Moerbeek
Reviewed by: Geoff Thorpe
2003-11-25 21:07:59 +00:00
Geoff Thorpe
6defae04f3 Fix some handling in bn_word. This also resolves the issues observed in
ticket 697 (though uses a different solution than the proposed one). This
problem was initially raised by Otto Moerbeek.

PR: 697
Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe
2003-11-25 20:39:19 +00:00
Geoff Thorpe
e1064adfd3 Some changes for bn_gf2m.c: better error checking plus some minor
optimizations.

Submitted by: Nils Larsch
2003-11-25 03:41:20 +00:00
Geoff Thorpe
9e989810ba BN_div() cleanup: replace the use of BN_sub and BN_add with bn_sub_words
and bn_add_words to avoid using fake bignums to window other bignums that
can lead to corruption. This change allows all bignum tests to pass with
BN_DEBUG and BN_DEBUG_RAND debugging and valgrind. NB: This should be
tested on a few different architectures and configuration targets, as the
bignum code this deals with is quite preprocessor (and assembly) sensitive.

Submitted by: Nils Narsch
Reviewed by: Geoff Thorpe, Ulf Moeller
2003-11-22 20:23:41 +00:00
Ulf Möller
1a01733047 BN_set_bit() etc should use "unsigned int".
Keep it as is to avoid an API change, but check for negativ values.

Submitted by: Nils Larsch
2003-11-15 08:37:50 +00:00
Geoff Thorpe
9dde17e8b4 This rewrites two "for" loops in BN_rshift() - equality with zero is
generally a more efficient comparison than comparing two integers, and the
first of these two loops was off-by-one (copying one too many values). This
change also removes a superfluous assignment that would set an unused word
to zero (and potentially allow an overrun in some cases).

Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe
2003-11-13 15:03:14 +00:00
Geoff Thorpe
f75abcefed This extends the debugging macros to use "pollution" during
bn_correct_top(), previously only bn_check_top() did this.
2003-11-06 23:24:44 +00:00
Geoff Thorpe
18f62d4b82 Add debug-screening of input parameters to some functions I'd missed
before.
2003-11-06 23:13:04 +00:00
Geoff Thorpe
5c0c22803e Put more debug screening in BN_div() and correct a comment. 2003-11-06 23:11:07 +00:00
Geoff Thorpe
0ef85c7f45 This is a revert of my previous commit to "improve" the declaration of
constant BIGNUMs. It turns out that this trips up different but equally
useful compiler warnings to -Wcast-qual, and so wasn't worth the ugliness
it created. (Thanks to Ulf for the forehead-slap.)
2003-11-05 19:30:29 +00:00
Ulf Möller
078dd1a0f9 typo in comment 2003-11-05 17:28:59 +00:00
Ulf Möller
2b96c95197 cleanup as discussed with Geoff 2003-11-05 17:28:25 +00:00
Geoff Thorpe
d870740cd7 Put the first stage of my bignum debugging adventures into CVS. This code
is itself experimental, and in addition may cause execution to break on
existing openssl "bugs" that previously were harmless or at least
invisible.
2003-11-04 22:54:49 +00:00
Geoff Thorpe
c465e7941e This is the least unacceptable way I've found for declaring the bignum data
and structures as constant without having to cast away const at any point.
There is still plenty of other code that makes gcc's "-Wcast-qual" unhappy,
but crypto/bn/ is now ok. Purists are welcome to suggest alternatives.
2003-11-04 00:29:09 +00:00
Geoff Thorpe
a9fd78f9da bn_div() does some pretty nasty things with temporary variables,
constructing BIGNUM structures with pointers offset into other bignums
(among other things). This corrects some of it that is too plainly insane,
and tries to ensure that bignums are normalised when passed to other
functions.
2003-10-31 01:35:16 +00:00
Geoff Thorpe
5f747c7f4b When a BN_CTX is used for temporary workspace, the variables are sometimes
left in an inconsistent state when they are released for later reuse. This
change resets the BIGNUMs when they are released back to the context.
2003-10-30 01:07:56 +00:00
Geoff Thorpe
c4db1a8b5c This fixes a couple of cases where an inconsistent BIGNUM could be passed as
input to a function.
2003-10-30 01:03:31 +00:00
Geoff Thorpe
31166ec8f3 Some provisional bignum debugging has begun to detect inconsistent BIGNUM
structures being passed in to or out of API functions, and this corrects a
couple of cases found so far.

Also, lop off a couple of bytes of white-space.
2003-10-29 20:47:49 +00:00
Geoff Thorpe
2754597013 A general spring-cleaning (in autumn) to fix up signed/unsigned warnings.
I have tried to convert 'len' type variable declarations to unsigned as a
means to address these warnings when appropriate, but when in doubt I have
used casts in the comparisons instead. The better solution (that would get
us all lynched by API users) would be to go through and convert all the
function prototypes and structure definitions to use unsigned variables
except when signed is necessary. The proliferation of (signed) "int" for
strictly non-negative uses is unfortunate.
2003-10-29 20:24:15 +00:00
Geoff Thorpe
2ce90b9b74 BN_CTX is opaque and the static initialiser BN_CTX_init() is not used
except internally to the allocator BN_CTX_new(), as such this deprecates
the use of BN_CTX_init() in the API. Moreover, the structure definition of
BN_CTX is taken out of bn_lcl.h and moved into bn_ctx.c itself.

NDEBUG should probably only be "forced" in the top-level configuration, but
until it is I will avoid removing it from bn_ctx.c which might surprise
people with massive slow-downs in their keygens. So I've left it in
bn_ctx.c but tidied up the preprocessor logic a touch and made it more
tolerant of debugging efforts.
2003-10-29 18:04:37 +00:00