Commit graph

142 commits

Author SHA1 Message Date
Dr. Stephen Henson
f9b6c0ba4c Fix for CVE-2014-0076
Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140

Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix.
(cherry picked from commit 2198be3483)

Conflicts:

	CHANGES
2014-03-12 14:29:43 +00:00
Adam Langley
8a99cb29d1 Add secure DSA nonce flag.
This change adds the option to calculate (EC)DSA nonces by hashing the
message and private key along with entropy to avoid leaking the private
key if the PRNG fails.
2013-06-13 17:26:07 +01:00
Adam Langley
96a4c31be3 Ensure that, when generating small primes, the result is actually of the
requested size. Fixes OpenSSL #2701.

This change does not address the cases of generating safe primes, or
where the |add| parameter is non-NULL.

Conflicts:
	crypto/bn/bn.h
	crypto/bn/bn_err.c
2013-06-04 18:52:30 +01:00
Andy Polyakov
8d00f34239 crypto/bn/*.h: move PTR_SIZE_INT to private header. 2012-07-02 13:27:30 +00:00
Dr. Stephen Henson
9945b460e2 Give parameters names in prototypes. 2011-06-17 16:47:41 +00:00
Richard Levitte
537c982306 After some adjustments, apply the changes OpenSSL 1.0.0d on OpenVMS
submitted by Steven M. Schweda <sms@antinode.info>
2011-03-19 10:58:14 +00:00
Dr. Stephen Henson
133291f8e7 New function BN_nist_mod_func which returns an appropriate function
if the passed prime is a NIST prime.
2011-02-14 16:44:29 +00:00
Dr. Stephen Henson
c9a90645a5 Disable some functions in headers with no-ec2m 2011-02-12 17:38:06 +00:00
Dr. Stephen Henson
7b1a04519f add X9.31 prime generation routines from 0.9.8 branch 2011-01-09 13:02:14 +00:00
Geoff Thorpe
6343829a39 Revert the size_t modifications from HEAD that had led to more
knock-on work than expected - they've been extracted into a patch
series that can be completed elsewhere, or in a different branch,
before merging back to HEAD.
2008-11-12 03:58:08 +00:00
Bodo Möller
0a8c9f7de1 symbol deobnoxification 2008-11-11 07:08:59 +00:00
Ben Laurie
4d6e1e4f29 size_tification. 2008-11-01 14:37:00 +00:00
Geoff Thorpe
ae7ec4c71d Apparently '__top' is also risky, obfuscate further. (All this to
avoid inlines...)
2008-10-22 12:00:15 +00:00
Geoff Thorpe
3fdc6c11aa Use of a 'top' var creates "shadow variable" warnings. 2008-10-22 01:25:45 +00:00
Ben Laurie
0d6f9c7181 Constification. 2008-10-19 22:51:27 +00:00
Andy Polyakov
256b3e9c5f Optimize bn_correct_top. 2008-10-15 10:48:52 +00:00
Geoff Thorpe
4c3296960d Remove the dual-callback scheme for numeric and pointer thread IDs,
deprecate the original (numeric-only) scheme, and replace with the
CRYPTO_THREADID object. This hides the platform-specifics and should reduce
the possibility for programming errors (where failing to explicitly check
both thread ID forms could create subtle, platform-specific bugs).

Thanks to Bodo, for invaluable review and feedback.
2008-08-06 15:54:15 +00:00
Geoff Thorpe
5f834ab123 Revert my earlier CRYPTO_THREADID commit, I will commit a reworked
version some time soon.
2008-07-03 19:59:25 +00:00
Bodo Möller
d05a474556 Montgomery-related minor cleanups/documentation 2008-05-01 18:48:20 +00:00
Geoff Thorpe
f7ccba3edf There was a need to support thread ID types that couldn't be reliably cast
to 'unsigned long' (ie. odd platforms/compilers), so a pointer-typed
version was added but it required portable code to check *both* modes to
determine equality. This commit maintains the availability of both thread
ID types, but deprecates the type-specific accessor APIs that invoke the
callbacks - instead a single type-independent API is used.  This simplifies
software that calls into this interface, and should also make it less
error-prone - as forgetting to call and compare *both* thread ID accessors
could have led to hard-to-debug/infrequent bugs (that might only affect
certain platforms or thread implementations). As the CHANGES note says,
there were corresponding deprecations and replacements in the
thread-related functions for BN_BLINDING and ERR too.
2008-03-28 02:49:43 +00:00
Andy Polyakov
55525742f4 Privatize BN_*_no_branch. 2007-06-11 16:33:03 +00:00
Bodo Möller
24a8c25ab5 fix error codes 2007-04-19 15:14:21 +00:00
Bodo Möller
bd31fb2145 Change to mitigate branch prediction attacks
Submitted by: Matthew D Wood
Reviewed by: Bodo Moeller
2007-03-28 00:15:28 +00:00
Bodo Möller
48fc582f66 New functions CRYPTO_set_idptr_callback(),
CRYPTO_get_idptr_callback(), CRYPTO_thread_idptr() for a 'void *' type
thread ID, since the 'unsigned long' type of the existing thread ID
does not always work well.
2006-06-23 15:21:36 +00:00
Bodo Möller
c4e7870ac1 Change array representation of binary polynomials to make GF2m part of
the BN library more generally useful.

Submitted by: Douglas Stebila
2006-06-18 22:00:57 +00:00
Dr. Stephen Henson
54d853ebc3 Add support for setting keybits and public exponent value for pkey RSA keygen. 2006-04-11 17:28:37 +00:00
Nils Larsch
3798cb8182 fix comment
PR: 1270
2006-01-13 23:50:26 +00:00
Andy Polyakov
f5826b8014 We all make typos:-) Fix just introduced ones in bn.h 2005-12-16 10:43:33 +00:00
Andy Polyakov
4a47f55639 Eliminate warning induced by http://cvs.openssl.org/chngview?cn=14690 and
keep disclaiming narrower than 32-bit support.
2005-12-16 10:37:24 +00:00
Andy Polyakov
877e8e970c Allow for bn(64,32) on LP64 platforms. 2005-12-15 22:31:16 +00:00
Andy Polyakov
bd2abcae37 Move declaration for optional bn_mul_mont to bn_lcl.h in order to hide
it from mkdef.pl.
2005-11-06 22:10:38 +00:00
Andy Polyakov
4d524040bc Change bn_mul_mont declaration and BN_MONT_CTX. Update CHANGES. 2005-10-22 17:57:18 +00:00
Andy Polyakov
ca04d7a208 Leave the decision to call/implement bn_sqr_mont to assembler developer. 2005-10-06 09:12:39 +00:00
Dr. Stephen Henson
40a3c12305 Initialize bignum constants using BN_bin2bn() instead of BN_hex2bn(). This
saves a bit of space and avoids a compiler warning about string length.
2005-10-05 17:51:43 +00:00
Andy Polyakov
682b112abc Reserve for SMALL_FOOTPRINT bn_asm.c. Currently OPENSSL_SMALL_FOOTPRINT
is defined on Windows CE targets.
2005-10-04 06:22:11 +00:00
Andy Polyakov
e738280547 Add reference implementation for bn_[mul|sqr]_mont, new candidates for
assembler implementation.
2005-10-04 06:19:29 +00:00
Nils Larsch
8215e7a938 fix warnings when building openssl with the following compiler options:
-Wmissing-prototypes -Wcomment -Wformat -Wimplicit -Wmain -Wmultichar
        -Wswitch -Wshadow -Wtrigraphs -Werror -Wchar-subscripts
        -Wstrict-prototypes -Wreturn-type -Wpointer-arith  -W -Wunused
        -Wno-unused-parameter -Wuninitialized
2005-08-28 22:49:57 +00:00
Ben Laurie
bf3d6c0c9b Make D-H safer, include well-known primes. 2005-08-21 16:00:17 +00:00
Andy Polyakov
bb00084863 Replace _int64 with __int64, which is more widely accepted among Win32
compiler vendors.
2005-06-28 11:50:50 +00:00
Bodo Möller
a28a5d9c62 Use BN_with_flags() in a cleaner way. 2005-05-27 15:38:53 +00:00
Bodo Möller
46a643763d Implement fixed-window exponentiation to mitigate hyper-threading
timing attacks.

BN_FLG_EXP_CONSTTIME requests this algorithm, and this done by default for
RSA/DSA/DH private key computations unless
RSA_FLAG_NO_EXP_CONSTTIME/DSA_FLAG_NO_EXP_CONSTTIME/
DH_FLAG_NO_EXP_CONSTTIME is set.

Submitted by: Matthew D Wood
Reviewed by: Bodo Moeller
2005-05-16 01:43:31 +00:00
Bodo Möller
8afca8d9c6 Fix more error codes.
(Also improve util/ck_errf.pl script, and occasionally
fix source code formatting.)
2005-05-11 03:45:39 +00:00
Richard Levitte
82e8cb403a Since BN_LLONG will only be defined for Alpha/VMS and not VAX/VMS,
there's no need to undefine it here.  Then, let's get a bit paranoid
and not define BN_ULLONG on THIRTY_TWO_BIT machines when BN_LLONG
isn't defined.
2005-05-06 13:34:35 +00:00
Nils Larsch
f15c448a72 remove BN_ncopy, it was only used in bn_nist.c and wasn't particular
useful anyway
2005-05-03 20:27:00 +00:00
Dr. Stephen Henson
6ec8e63af6 Port BN_MONT_CTX_set_locked() from stable branch.
The function rsa_eay_mont_helper() has been removed because it is no longer
needed after this change.
2005-04-26 23:58:54 +00:00
Nils Larsch
800e400de5 some updates for the blinding code; summary:
- possibility of re-creation of the blinding parameters after a
  fixed number of uses (suggested by Bodo)
- calculatition of the rsa::e in case it's absent and p and q
  are present (see bug report #785)
- improve the performance when if one rsa structure is shared by
  more than a thread (see bug report #555)
- fix the problem described in bug report #827
- hide the definition ot the BN_BLINDING structure in bn_blind.c
2005-04-26 22:31:48 +00:00
Bodo Möller
aa4ce7315f Fix various incorrect error function codes.
("perl util/ck_errf.pl */*.c */*/*.c" still reports many more.)
2005-04-26 18:53:22 +00:00
Nils Larsch
ff22e913a3 - use BN_set_negative and BN_is_negative instead of BN_set_sign
and BN_get_sign
- implement BN_set_negative as a function
- always use "#define BN_is_zero(a) ((a)->top == 0)"
2005-04-22 20:02:44 +00:00
Geoff Thorpe
ace3ebd661 Improve error handling if decompression of an ec point fails, and cleanup
ec_curve.c (unify comments, etc).

Submitted by: Nils Larsch
Reviewed by: Bodo Moeller, Geoff Thorpe
2004-07-06 15:50:04 +00:00
Geoff Thorpe
d459e39012 Tidy up, including;
- Remove unused and unuseful debug cruft.
- Remove unnecessary 'top' fudging from BN_copy().
- Fix a potential memory leak and simplify the expansion logic in
  BN_bin2bn().

Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe
2004-06-20 04:16:12 +00:00