Commit graph

1271 commits

Author SHA1 Message Date
Emilia Kasper
a9009e518c BN_mod_exp_mont_consttime: check for zero modulus.
Don't dereference |d| when |top| is zero. Also test that various BIGNUM methods behave correctly on zero/even inputs.

Follow-up to b11980d79a

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-08-31 19:25:59 +02:00
Rich Salz
3c65047d30 Fix memory over-read
Fix from David Baggett via tweet.

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-08-27 17:29:46 -04:00
Rich Salz
22dc08d00a BN_bin2bn handle leading zero's
If a binary sequence is all zero's, call BN_zero.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-26 07:00:43 -04:00
Matt Caswell
6a009812b2 Check for 0 modulus in BN_MONT_CTX_set
The function BN_MONT_CTX_set was assuming that the modulus was non-zero
and therefore that |mod->top| > 0. In an error situation that may not be
the case and could cause a seg fault.

This is a follow on from CVE-2015-1794.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-08-11 19:57:01 +01:00
Rich Salz
fbfcb22439 RT3999: Remove sub-component version strings
Especially since after the #ifdef cleanups this is not useful.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-10 12:13:32 -04:00
Loganaden Velvindron
1a586b3942 Clear BN-mont values when free'ing it.
From a CloudFlare patch.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-07-31 13:38:15 -04:00
Emilia Kasper
f4ee22be03 rsaz_exp.h: align license with the rest of the contribution
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-07-23 14:20:28 +02:00
Rich Salz
9f040d6dec Some cleanups for crypto/bn
Create bn_free_d utility routine and use it.
Fix RT3950
Also a missing cleanse, from Loganaden Velvindron (loganaden@gmail.com),
who noticed it in a Cloudflare patch.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-07-22 14:43:05 -04:00
Richard Levitte
053fa39af6 Conversion to UTF-8 where needed
This leaves behind files with names ending with '.iso-8859-1'.  These
should be safe to remove.  If something went wrong when re-encoding,
there will be some files with names ending with '.utf8' left behind.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-07-14 01:10:01 +02:00
Rich Salz
74924dcb38 More secure storage of key material.
Add secure heap for storage of private keys (when possible).
Add BIO_s_secmem(), CBIGNUM, etc.
Add BIO_CTX_secure_new so all BIGNUM's in the context are secure.
Contributed by Akamai Technologies under the Corporate CLA.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-23 17:09:35 -04:00
Richard Levitte
a1c506ae9e make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-06-23 02:59:47 +02:00
Richard Levitte
ed45f3c242 Rearrange rsaz
A small rearrangement so the inclusion of rsaz_exp.h would be
unconditional, but what that header defines becomes conditional.

This solves the weirdness where rsaz_exp.h gets in and out of the
dependency list for bn_exp.c, depending on the present architecture.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-06-23 02:59:47 +02:00
Andy Polyakov
4924b37ee0 bn/bn_gf2m.c: avoid infinite loop wich malformed ECParamters.
CVE-2015-1788

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-11 13:34:13 +02:00
Matt Caswell
c56353071d Fix off-by-one error in BN_bn2hex
A BIGNUM can have the value of -0. The function BN_bn2hex fails to account
for this and can allocate a buffer one byte too short in the event of -0
being used, leading to a one byte buffer overrun. All usage within the
OpenSSL library is considered safe. Any security risk is considered
negligible.

With thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and
Filip Palian for discovering and reporting this issue.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-06-04 09:23:02 +01:00
Dr. Stephen Henson
97cacc537e make update.
Make update with manual edit so EVP_PKEY_asn1_set_item uses the same
ordinal as 1.0.2.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-03 15:39:29 +01:00
Andy Polyakov
60c268b21a bn/bn_lcl.h: fix MIPS-specific gcc version check.
RT#3859

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-26 10:06:28 +02:00
Andy Polyakov
69567687b0 bn/asm/x86_64-mont5.pl: fix valgrind error.
bn_get_bits5 was overstepping array boundary by 1 byte. It was exclusively
read overstep and data could not have been used. The only potential problem
would be if array happens to end on the very edge of last accesible page.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-24 21:30:39 +02:00
Andy Polyakov
86e5d1e32b bn/bn_gf2m.c: appease STACK, unstable code detector.
RT#3852

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-24 21:25:59 +02:00
Matt Caswell
efee575ad4 Fix off-by-one in BN_rand
If BN_rand is called with |bits| set to 1 and |top| set to 1 then a 1 byte
buffer overflow can occur. There are no such instances within the OpenSSL at
the moment.

Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke, Filip Palian for
discovering and reporting this issue.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-22 23:40:38 +01:00
Matt Caswell
7cc18d8158 Reject negative shifts for BN_rshift and BN_lshift
The functions BN_rshift and BN_lshift shift their arguments to the right or
left by a specified number of bits. Unpredicatable results (including
crashes) can occur if a negative number is supplied for the shift value.

Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and Filip Palian
for discovering and reporting this issue.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-22 23:15:02 +01:00
Richard Levitte
0f539dc1a2 Fix the update target and remove duplicate file updates
We had updates of certain header files in both Makefile.org and the
Makefile in the directory the header file lived in.  This is error
prone and also sometimes generates slightly different results (usually
just a comment that differs) depending on which way the update was
done.

This removes the file update targets from the top level Makefile, adds
an update: target in all Makefiles and has it depend on the depend: or
local_depend: targets, whichever is appropriate, so we don't get a
double run through the whole file tree.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-22 18:44:33 +02:00
Andy Polyakov
579734ced6 bn/asm/vis3-mont.pl: fix intermittent EC failures on SPARC T3.
BLKINIT optimization worked on T4, but for some reason appears "too
aggressive" for T3 triggering intermiitent EC failures. It's not clear
why only EC is affected...

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-20 09:11:25 +02:00
Richard Levitte
a3aadb2d9c make depend
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-14 17:38:31 +02:00
Richard Levitte
b39fc56061 Identify and move common internal libcrypto header files
There are header files in crypto/ that are used by a number of crypto/
submodules.  Move those to crypto/include/internal and adapt the
affected source code and Makefiles.

The header files that got moved are:

crypto/cryptolib.h
crypto/md32_common.h

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-14 17:21:40 +02:00
Andy Polyakov
7ee7f92025 bn/Makefile: give MacOS X hand to compiler armv8-mont module.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-13 17:14:22 +02:00
Andy Polyakov
d38f1b39f1 bn/asm/armv8-mont.pl: boost performance.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-13 17:14:00 +02:00
Rich Salz
16f8d4ebf0 memset, memcpy, sizeof consistency fixes
Just as with the OPENSSL_malloc calls, consistently use sizeof(*ptr)
for memset and memcpy.  Remove needless casts for those functions.
For memset, replace alternative forms of zero with 0.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-05 22:18:59 -04:00
Rich Salz
b4faea50c3 Use safer sizeof variant in malloc
For a local variable:
        TYPE *p;
Allocations like this are "risky":
        p = OPENSSL_malloc(sizeof(TYPE));
if the type of p changes, and the malloc call isn't updated, you
could get memory corruption.  Instead do this:
        p = OPENSSL_malloc(sizeof(*p));
Also fixed a few memset() calls that I noticed while doing this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-04 15:00:13 -04:00
Dr. Stephen Henson
b6eb9827a6 Add OSSL_NELEM macro.
Add OSSL_NELEM macro to e_os.h to determine the number of elements in an
array.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-03 12:53:08 +01:00
Rich Salz
b548a1f11c free null cleanup finale
Don't check for NULL before calling OPENSSL_free

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-01 10:02:07 -04:00
Rich Salz
23a1d5e97c free NULL cleanup 7
This gets BN_.*free:
    BN_BLINDING_free BN_CTX_free BN_FLG_FREE BN_GENCB_free
    BN_MONT_CTX_free BN_RECP_CTX_free BN_clear_free BN_free BUF_MEM_free

Also fix a call to DSA_SIG_free to ccgost engine and remove some #ifdef'd
dead code in engines/e_ubsec.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-30 21:37:06 -04:00
Rich Salz
4b45c6e52b free cleanup almost the finale
Add OPENSSL_clear_free which merges cleanse and free.
(Names was picked to be similar to BN_clear_free, etc.)
Removed OPENSSL_freeFunc macro.
Fixed the small simple ones that are left:
        CRYPTO_free CRYPTO_free_locked OPENSSL_free_locked

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-30 17:57:32 -04:00
Rich Salz
b196e7d936 remove malloc casts
Following ANSI C rules, remove the casts from calls to
OPENSSL_malloc and OPENSSL_realloc.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-28 15:28:14 -04:00
Emilia Kasper
e22d2199e2 Error checking and memory leak fixes in NISTZ256.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-27 16:21:48 +02:00
Andy Polyakov
313e6ec11f Add assembly support for 32-bit iOS.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-20 15:06:22 +02:00
Andy Polyakov
cb2ed54582 Add ARMv8 Montgomery multiplication module.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-20 14:39:34 +02:00
Richard Levitte
a80e33b991 Remove EXHEADER, TEST, APPS, links:, install: and uninstall: where relevant
With no more symlinks, there's no need for those variables, or the links
target.  This also goes for all install: and uninstall: targets that do
nothing but copy $(EXHEADER) files, since that's now taken care of by the
top Makefile.

Also, removed METHTEST from test/Makefile.  It looks like an old test that's
forgotten...

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-03-31 20:16:01 +02:00
Richard Levitte
dee502be89 Stop symlinking, move files to intended directory
Rather than making include/openssl/foo.h a symlink to
crypto/foo/foo.h, this change moves the file to include/openssl/foo.h
once and for all.

Likewise, move crypto/foo/footest.c to test/footest.c, instead of
symlinking it there.

Originally-by: Geoff Thorpe <geoff@openssl.org>

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-03-31 20:16:01 +02:00
Matt Caswell
266483d2f5 RAND_bytes updates
Ensure RAND_bytes return value is checked correctly, and that we no longer
use RAND_pseudo_bytes.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 12:38:07 +00:00
Matt Caswell
e4676e900f Fix probable_prime over large shift
In the probable_prime() function we behave slightly different if the number
of bits we are interested in is <= BN_BITS2 (the num of bits in a BN_ULONG).
As part of the calculation we work out a size_limit as follows:

    size_limit = (((BN_ULONG)1) << bits) - BN_get_word(rnd) - 1;

There is a problem though if bits == BN_BITS2. Shifting by that much causes
undefined behaviour. I did some tests. On my system BN_BITS2 == 64. So I
set bits to 64 and calculated the result of:

    (((BN_ULONG)1) << bits)

I was expecting to get the result 0. I actually got 1! Strangely this...

    (((BN_ULONG)0) << BN_BITS2)

...does equal 0! This means that, on my system at least, size_limit will be
off by 1 when bits == BN_BITS2.

This commit fixes the behaviour so that we always get consistent results.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-03-17 13:41:49 +00:00
Matt Caswell
8c5a7b33c6 Fix error handling in bn_exp
In the event of an error |rr| could be NULL. Therefore don't assume you can
use |rr| in the error handling code.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-03-12 09:18:22 +00:00
Matt Caswell
efb4597345 Remove some functions that are no longer used and break the build with:
./config --strict-warnings enable-deprecated

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-02-10 14:33:03 +00:00
Andy Polyakov
c2cfc956e5 bn/bn_add.c: fix dead code elimination that went bad.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-02-09 15:54:58 +01:00
Rich Salz
06cf881a3a Final (for me, for now) dead code cleanup
This is a final pass looking for '#if 0'/'#if 1' controls and
removing the appropriate pieces.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-02-08 18:48:09 -05:00
Rich Salz
fe6d2a339b Use memset in bn_mont
Use memset() not inline code.  Compilers are smarter now.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-02-05 15:07:40 -05:00
Rich Salz
9ccc00ef6e Dead code cleanup: #if 0 dropped from tests
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-02-02 11:11:34 -05:00
Richard Levitte
c6ef15c494 clang on Linux x86_64 complains about unreachable code.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-01-29 01:54:09 +01:00
Rich Salz
1a5adcfb5e "#if 0" removal: header files
Remove all "#if 0" blocks from header files.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-27 17:44:12 -05:00
Rich Salz
474e469bbd OPENSSL_NO_xxx cleanup: SHA
Remove support for SHA0 and DSS0 (they were broken), and remove
the ability to attempt to build without SHA (it didn't work).
For simplicity, remove the option of not building various SHA algorithms;
you could argue that SHA_224/256/384/512 should be kept, since they're
like crypto algorithms, but I decided to go the other way.
So these options are gone:
	GENUINE_DSA         OPENSSL_NO_SHA0
	OPENSSL_NO_SHA      OPENSSL_NO_SHA1
	OPENSSL_NO_SHA224   OPENSSL_NO_SHA256
	OPENSSL_NO_SHA384   OPENSSL_NO_SHA512

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-27 12:34:45 -05:00
Rich Salz
a00ae6c46e OPENSSL_NO_xxx cleanup: many removals
The following compile options (#ifdef's) are removed:
    OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
    OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP
    OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK
    OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY

This diff is big because of updating the indents on preprocessor lines.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-27 10:06:22 -05:00
Rich Salz
c436e05bdc Remove unused eng_rsax and related asm file
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-01-24 16:27:03 -05:00
Rich Salz
a2b18e657e ifdef cleanup, part 4a: '#ifdef undef'
This removes all code surrounded by '#ifdef undef'
One case is left: memmove() replaced by open-coded for loop,
in crypto/stack/stack.c  That needs further review.

Also removed a couple of instances of /* dead code */ if I saw them
while doing the main removal.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-24 10:58:38 -05:00
Matt Caswell
35a1cc90bc More comment realignment
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:10 +00:00
Matt Caswell
50e735f9e5 Re-align some comments after running the reformat script.
This should be a one off operation (subsequent invokation of the
script should not move them)

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:10 +00:00
Matt Caswell
0f113f3ee4 Run util/openssl-format-source -v -c .
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:09 +00:00
Matt Caswell
68d39f3ce6 Move more comments that confuse indent
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:09 +00:00
Matt Caswell
7a2cb6f034 Fix indent comment corruption issue
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:08 +00:00
Andy Polyakov
f4c46d0aab bn/bn_const.c: make it indent-friendly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:08 +00:00
Andy Polyakov
c27310f938 bn/asm/x86_64-gcc.cL make it indent-friendly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:08 +00:00
Andy Polyakov
7cc63545a3 bn/bn_asm.c: make it indent-friendly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:08 +00:00
Andy Polyakov
0546db3ef7 bn/bn_exp.c: make it indent-friendly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:08 +00:00
Matt Caswell
dbd87ffc21 indent has problems with comments that are on the right hand side of a line.
Sometimes it fails to format them very well, and sometimes it corrupts them!
This commit moves some particularly problematic ones.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:08 +00:00
Andy Polyakov
985a9af813 bn/bntest.c: make it indent-friendly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:07 +00:00
Andy Polyakov
e95bbc3ca6 bn/bn_recp.c: make it indent-friendly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:07 +00:00
Andy Polyakov
5f0b444899 bn/rsaz_exp.c: make it indent-friendly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:07 +00:00
Matt Caswell
e636e2acd7 Fix source where indent will not be able to cope
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:06 +00:00
Matt Caswell
c80fd6b215 Further comment changes for reformat (master)
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:19:59 +00:00
Rich Salz
4b618848f9 Cleanup OPENSSL_NO_xxx, part 1
OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
Two typo's on #endif comments fixed:
	OPENSSL_NO_ECB fixed to OPENSSL_NO_OCB
	OPENSSL_NO_HW_SureWare fixed to OPENSSL_NO_HW_SUREWARE

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-14 15:57:28 -05:00
Andy Polyakov
b3d7294976 Add Broadwell performance results.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-01-13 21:40:14 +01:00
Dr. Stephen Henson
a5a412350d Remove use of BN_init, BN_RECP_CTX_init from bntest
BN_init and BN_RECP_CTX_init are deprecated and are not exported
from shared libraries on some platforms (e.g. Windows) convert
bntest to use BN_new and BN_RECP_CTX_new instead.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-13 15:39:37 +00:00
Rich Salz
6d23cf9744 RT3548: Remove unsupported platforms
This last one for this ticket.  Removes WIN16.
So long, MS_CALLBACK and MS_FAR.  We won't miss you.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-12 17:30:54 -05:00
Rich Salz
fcf64ba0ac RT3548: Remove some unsupported platforms.
This commit removes NCR, Tandem, Cray.
Regenerates TABLE.
Removes another missing BEOS fluff.
The last platform remaining on this ticket is WIN16.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-12 10:40:00 -05:00
Andy Polyakov
a7a44ba55c Fix for CVE-2014-3570 (with minor bn_asm.c revamp).
Reviewed-by: Emilia Kasper <emilia@openssl.org>
2015-01-08 15:49:45 +00:00
Matt Caswell
3a83462dfe Further comment amendments to preserve formatting prior to source reformat
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-06 15:45:25 +00:00
Andy Polyakov
219338115b Revert "CHANGES: mention "universal" ARM support."
This reverts commit 4fec915069.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-06 12:11:01 +01:00
Andy Polyakov
4fec915069 CHANGES: mention "universal" ARM support.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-06 11:10:01 +01:00
Andy Polyakov
c1669e1c20 Remove inconsistency in ARM support.
This facilitates "universal" builds, ones that target multiple
architectures, e.g. ARMv5 through ARMv7. See commentary in
Configure for details.

Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-04 23:45:08 +01:00
Tim Hudson
1d97c84351 mark all block comments that need format preserving so that
indent will not alter them when reformatting comments

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-12-30 22:10:26 +00:00
Matt Caswell
53e95716f5 Change all instances of OPENSSL_NO_DEPRECATED to OPENSSL_USE_DEPRECATED
Introduce use of DECLARE_DEPRECATED

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-12-18 19:57:14 +00:00
Matt Caswell
5bafb04d2e Remove redundant OPENSSL_NO_DEPRECATED suppression
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-12-18 19:57:05 +00:00
Richard Levitte
a93891632d Clear warnings/errors within BN_CTX_DEBUG code sections
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-17 10:15:09 +01:00
Emilia Kasper
a015758d11 Check for invalid divisors in BN_div.
Invalid zero-padding in the divisor could cause a division by 0.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit a43bcd9e96)
2014-12-17 10:01:04 +01:00
Emilia Kasper
9669d2e1ad Fix unused variable warning
The temporary variable causes unused variable warnings in opt mode with clang,
because the subsequent assert is compiled out.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-12-15 13:12:44 +01:00
Matt Caswell
fd0ba77717 make update
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-11 23:52:47 +00:00
Matt Caswell
02a62d1a4a Move bn internal functions into bn_int.h and bn_lcl.h
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 21:41:42 +00:00
Matt Caswell
1939187922 Make bn opaque
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 21:41:27 +00:00
Matt Caswell
aeb556f831 Implement internally opaque bn access from srp
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 21:41:02 +00:00
Matt Caswell
829ccf6ab6 Implement internally opaque bn access from dh
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 21:40:32 +00:00
Matt Caswell
7a5233118c Prepare exptest for bn opaquify
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 21:40:19 +00:00
Matt Caswell
85bcf27ccc Prepare for bn opaquify. Implement internal helper functions.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 21:40:12 +00:00
Geoff Thorpe
e52a3c3d14 Include <openssl/foo.h> instead of "foo.h"
Exported headers shouldn't be included as "foo.h" by code from the same
module, it should only do so for module-internal headers. This is
because the symlinking of exported headers (from include/openssl/foo.h
to crypto/foo/foo.h) is being removed, and the exported headers are
being moved to the include/openssl/ directory instead.

Change-Id: I4c1d80849544713308ddc6999a549848afc25f94
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-12-08 14:21:35 -05:00
Dr. Stephen Henson
73e45b2dd1 remove OPENSSL_FIPSAPI
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:25:38 +00:00
Dr. Stephen Henson
ebdf37e4b1 remove FIPS module code from crypto/bn
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:25:38 +00:00
Dr. Stephen Henson
e4e5bc39f9 Remove fips_constseg references.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:25:38 +00:00
Dr. Stephen Henson
c603c723ce Remove OPENSSL_FIPSCANISTER code.
OPENSSL_FIPSCANISTER is only set if the fips module is being built
(as opposed to being used). Since the fips module wont be built in
master this is redundant.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:25:16 +00:00
Dr. Stephen Henson
f072785eb4 Remove fipscanister build functionality from makefiles.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:23:45 +00:00
Rich Salz
8cfe08b4ec Remove all .cvsignore files
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-11-28 18:32:43 -05:00
Mike Bland
dbaf608320 Remove redundant test targets outside of test/
These correspond to targets of the same name in test/Makefile that clash when
using the single-makefile build method using GitConfigure and GitMake.

Change-Id: If7e900c75f4341b446608b6916a3d76f202026ea
Signed-off-by: Mike Bland <mbland@acm.org>
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-11-16 16:44:51 -05:00
Dr. Stephen Henson
ecb9966e7c Fix WIN32 build by disabling bn* calls.
The trial division and probable prime with coprime tests are disabled
on WIN32 builds because they use internal functions not exported from
the WIN32 DLLs.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-10-29 22:23:31 +00:00
Rich Salz
df8c39d522 RT3549: Remove obsolete files in crypto
Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-10-01 16:05:47 -04:00
Andy Polyakov
323154be33 crypto/bn/bn_nist.c: bring original failing code back for reference.
RT: 3541
Reviewed-by: Emilia Kasper <emilia@openssl.org>
2014-09-30 21:00:44 +02:00
Rich Salz
3d81ec5b92 Remove #ifdef's for IRIX_CC_BUG
Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-09-25 14:43:24 -04:00
Andy Polyakov
8b07c005fe crypto/bn/bn_nist.c: work around MSC ARM compiler bug.
RT: 3541
Reviewed-by: Emilia Kasper <emilia@openssl.org>
2014-09-25 00:42:26 +02:00
Andy Polyakov
d475b2a3bf Harmonize Tru64 and Linux make rules.
RT: 3333,3165
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-09-20 10:20:38 +02:00
Andy Polyakov
569e2d1257 crypto/bn/asm/x86_64-mont*.pl: add missing clang detection.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-09-12 00:44:51 +02:00
Andy Polyakov
15735e4f0e bn/asm/rsaz-*.pl: allow spaces in Perl path name.
RT: 2835

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-08-21 00:17:45 +02:00
Martin Olsson
1afd7fa97c RT2513: Fix typo's paramter-->parameter
I also found a couple of others (padlock and signinit)
and fixed them.

Reviewed-by: Emilia Kasper <emilia@openssl.org>
2014-08-19 11:09:33 -04:00
Doug Goldstein
448155e9bb RT2163: Remove some unneeded #include's
Several files #include stdio.h and don't need it.
Also, per tjh, remove BN_COUNT

Reviewed-by: Emilia Kasper <emilia@openssl.org>
2014-08-18 12:50:00 -04:00
Matt Caswell
f8571ce822 Fixed valgrind complaint due to BN_consttime_swap reading uninitialised data.
This is actually ok for this function, but initialised to zero anyway if
PURIFY defined.

This does have the impact of masking any *real* unitialised data reads in bn though.

Patch based on approach suggested by Rich Salz.

PR#3415
2014-07-13 22:17:39 +01:00
Andy Polyakov
1b0fe79f3e x86_64 assembly pack: improve masm support. 2014-07-09 20:08:01 +02:00
Andy Polyakov
eca441b2b4 bn_exp.c: fix x86_64-specific crash with one-word modulus.
PR: #3397
2014-07-02 19:35:50 +02:00
Ben Laurie
8892ce7714 Constification - mostly originally from Chromium. 2014-06-29 21:05:23 +01:00
Andy Polyakov
a356e488ad x86_64 assembly pack: refine clang detection. 2014-06-28 17:23:21 +02:00
Andy Polyakov
406d4af050 bn/asm/rsaz-avx2.pl: fix occasional failures. 2014-06-27 22:41:58 +02:00
Huzaifa Sidhpurwala
3b3b69ab25 Make sure BN_sqr can never return a negative value.
PR#3410
2014-06-26 23:56:34 +01:00
Andy Polyakov
f3f620e1e0 bn_exp.c: move check for AD*X to rsaz-avx2.pl.
This ensures high performance is situations when assembler supports
AVX2, but not AD*X.
2014-06-27 00:07:15 +02:00
Andy Polyakov
7eb0488280 x86_64 assembly pack: addendum to last clang commit. 2014-06-24 08:37:05 +02:00
Andy Polyakov
ac171925ab x86_64 assembly pack: allow clang to compile AVX code. 2014-06-24 08:24:25 +02:00
Andy Polyakov
5dcf70a1c5 ARM assembly pack: get ARMv7 instruction endianness right.
Pointer out and suggested by: Ard Biesheuvel.
2014-06-06 21:27:18 +02:00
Ben Laurie
c93233dbfd Tidy up, don't exceed the number of requested bits. 2014-06-01 15:31:27 +01:00
Ben Laurie
46838817c7 Constify and reduce coprime random bits to allow for multiplier. 2014-06-01 15:31:27 +01:00
Felix Laurie von Massenbach
8927c2786d Add a test to check we're really generating probable primes. 2014-06-01 15:31:27 +01:00
Felix Laurie von Massenbach
9a3a99748b Remove unused BIGNUMs. 2014-06-01 15:31:27 +01:00
Felix Laurie von Massenbach
c74e148776 Refactor the first prime index. 2014-06-01 15:31:26 +01:00
Felix Laurie von Massenbach
982c42cb20 Try skipping over the adding and just picking a new random number.
Generates a number coprime to 2, 3, 5, 7, 11.

Speed:
Trial div (add) : trial div (retry) : coprime
1 : 0.42 : 0.84
2014-06-01 15:31:26 +01:00
Felix Laurie von Massenbach
c09ec5d2a0 Generate safe primes not divisible by 3, 5 or 7.
~2% speed improvement on trial division.
2014-06-01 15:31:26 +01:00
Felix Laurie von Massenbach
b0513819e0 Add a method to generate a prime that is guaranteed not to be divisible by 3 or 5.
Possibly some reduction in bias, but no speed gains.
2014-06-01 15:31:26 +01:00
Felix Laurie von Massenbach
e46a059ebf Remove static from probable_prime_dh. 2014-06-01 15:31:26 +01:00
Felix Laurie von Massenbach
e55fca760b Remove indentation from the goto targets. 2014-06-01 15:31:26 +01:00
Geoff Thorpe
12e9f627f9 bignum: allow concurrent BN_MONT_CTX_set_locked()
The lazy-initialisation of BN_MONT_CTX was serialising all threads, as
noted by Daniel Sands and co at Sandia. This was to handle the case that
2 or more threads race to lazy-init the same context, but stunted all
scalability in the case where 2 or more threads are doing unrelated
things! We favour the latter case by punishing the former. The init work
gets done by each thread that finds the context to be uninitialised, and
we then lock the "set" logic after that work is done - the winning
thread's work gets used, the losing threads throw away what they've done.

Signed-off-by: Geoff Thorpe <geoff@openssl.org>
2014-05-06 17:43:35 -04:00
Andy Polyakov
bd227733b9 C64x+ assembly pack: make it work with older toolchain. 2014-05-04 16:38:32 +02:00
Geoff Thorpe
a529261891 bignum: fix boundary condition in montgomery logic
It's not clear whether this inconsistency could lead to an actual
computation error, but it involved a BIGNUM being passed around the
montgomery logic in an inconsistent state. This was found using flags
-DBN_DEBUG -DBN_DEBUG_RAND, and working backwards from this assertion
in 'ectest';

ectest: bn_mul.c:960: BN_mul: Assertion `(_bnum2->top == 0) ||
(_bnum2->d[_bnum2->top - 1] != 0)' failed

Signed-off-by: Geoff Thorpe <geoff@openssl.org>
2014-04-30 11:49:31 -04:00
Andy Polyakov
f8cee9d081 bn/asm/armv4-gf2m.pl, modes/asm/ghash-armv4.pl: faster multiplication
algorithm suggested in following paper:

Câmara, D.; Gouvêa, C. P. L.; López, J. & Dahab, R.: Fast Software
Polynomial Multiplication on ARM Processors using the NEON Engine.

http://conradoplg.cryptoland.net/files/2010/12/mocrysen13.pdf
2014-04-24 10:24:53 +02:00
Dr. Stephen Henson
2514fa79ac Add functions returning security bits.
Add functions to return the "bits of security" for various public key
algorithms. Based on SP800-57.
2014-03-28 14:49:04 +00:00
Dr. Stephen Henson
f9b6c0ba4c Fix for CVE-2014-0076
Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140

Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix.
(cherry picked from commit 2198be3483)

Conflicts:

	CHANGES
2014-03-12 14:29:43 +00:00
Dr. Stephen Henson
4cfeb00be9 make depend 2014-02-19 20:09:08 +00:00
Andy Polyakov
eedab5241e bn/asm/x86_64-mont5.pl: fix compilation error on Solaris. 2014-01-09 13:44:59 +01:00
Andy Polyakov
2218c296b4 ARM assembly pack: make it work with older toolchain. 2013-12-28 12:17:08 +01:00
Andy Polyakov
ec9cc70f72 bn/asm/x86_64-mont5.pl: add MULX/AD*X code path.
This also eliminates code duplication between x86_64-mont and x86_64-mont
and optimizes even original non-MULX code.
2013-12-09 21:02:24 +01:00
Andy Polyakov
d1671f4f1a bn/asm/armv4-mont.pl: add NEON code path. 2013-12-04 22:37:49 +01:00
Andy Polyakov
c5d5f5bd0f bn/asm/x86_64-mont5.pl: comply with Win64 ABI.
PR: 3189
Submitted by: Oscar Ciurana
2013-12-03 23:59:55 +01:00
Andy Polyakov
8bd7ca9996 crypto/bn/asm/rsaz-x86_64.pl: make it work on Win64. 2013-12-03 22:28:48 +01:00
Andy Polyakov
31ed9a2131 crypto/bn/rsaz*: fix licensing note.
rsaz_exp.c: harmonize line terminating;
asm/rsaz-*.pl: minor optimizations.
2013-12-03 22:08:29 +01:00
Andy Polyakov
6efef384c6 bn/asm/rsaz-x86_64.pl: fix prototype. 2013-12-03 09:43:06 +01:00
Andy Polyakov
b9e87d07cb ppc64-mont.pl: eliminate dependency on GPRs' upper halves. 2013-11-27 22:50:00 +01:00
Andy Polyakov
d1cf23ac86 Make Makefiles OSF-make-friendly.
PR: 3165
2013-11-12 21:51:37 +01:00
Andy Polyakov
4eeb750d20 bn/asm/x86_64-mont.pl: minor optimization [for Decoded ICache]. 2013-10-25 10:14:20 +02:00
Andy Polyakov
d6019e1654 PPC assembly pack: add .size directives. 2013-10-15 00:14:39 +02:00
Andy Polyakov
30b9c2348d bn/asm/*x86_64*.pl: correct assembler requirement for ad*x. 2013-10-14 22:41:00 +02:00
Andy Polyakov
039081b809 Initial aarch64 bits. 2013-10-13 19:15:15 +02:00
Andy Polyakov
0c2adb0a9b MIPS assembly pack: get rid of deprecated instructions.
Latest MIPS ISA specification declared 'branch likely' instructions
obsolete. To makes code future-proof replace them with equivalent.
2013-10-13 13:14:52 +02:00
Andy Polyakov
fa104be35e bn/asm/rsax-avx2.pl: minor optimization [for Decoded ICache]. 2013-10-10 23:06:43 +02:00
Andy Polyakov
37de2b5c1e bn/bn_exp.c: prefer MULX/AD*X over AVX2. 2013-10-09 11:08:52 +02:00
Andy Polyakov
a5bb5bca52 bn/asm/x86_64-mont*.pl: add MULX/ADCX/ADOX code path. 2013-10-03 00:45:04 +02:00
Andy Polyakov
87954638a6 rsaz-x86_64.pl: add MULX/ADCX/ADOX code path. 2013-10-03 00:30:12 +02:00
Andy Polyakov
72a158703b crypto/bn/asm/x86_64-mont.pl: minor optimization. 2013-09-09 21:40:33 +02:00
Veres Lajos
478b50cf67 misspellings fixes by https://github.com/vlajos/misspell_fixer 2013-09-05 21:39:42 +01:00
Andy Polyakov
fd8ad019e1 crypto/bn/asm/rsax-x86_64.pl: make it work on Darwin. 2013-08-03 16:28:50 +02:00
Andy Polyakov
5c57c69f9e bn/asm/rsaz-avx2.pl: Windows-specific fix. 2013-07-12 18:59:17 +02:00
Ben Laurie
852f837f5e s/rsaz_eligible/rsaz_avx2_eligible/. 2013-07-12 12:47:39 +01:00
Andy Polyakov
ca48ace5c5 Take RSAZ modules into build loop, add glue and engage.
RT: 2582, 2850
2013-07-05 21:39:47 +02:00
Andy Polyakov
0b4bb91db6 Add RSAZ assembly modules.
RT: 2582, 2850
2013-07-05 21:30:18 +02:00
Andy Polyakov
26e43b48a3 bn/asm/x86_86-mont.pl: optimize reduction for Intel Core family. 2013-07-05 21:10:56 +02:00
Andy Polyakov
cbce8c4644 bn/bn_exp.c: harmonize. 2013-07-05 20:52:58 +02:00
Andy Polyakov
b74ce8d948 bn/bn_exp.c: Solaris-specific fix, T4 MONTMUL relies on alloca. 2013-06-30 23:09:09 +02:00
Andy Polyakov
4ddacd9921 Optimize SPARC T4 MONTMUL support.
Improve RSA sing performance by 20-30% by:
- switching from floating-point to integer conditional moves;
- daisy-chaining sqr-sqr-sqr-sqr-sqr-mul sequences;
- using MONTMUL even during powers table setup;
2013-06-18 10:39:38 +02:00
Andy Polyakov
02450ec69d PA-RISC assembler pack: switch to bve in 64-bit builds.
PR: 3074
2013-06-18 10:37:00 +02:00
Adam Langley
8a99cb29d1 Add secure DSA nonce flag.
This change adds the option to calculate (EC)DSA nonces by hashing the
message and private key along with entropy to avoid leaking the private
key if the PRNG fails.
2013-06-13 17:26:07 +01:00
Adam Langley
96a4c31be3 Ensure that, when generating small primes, the result is actually of the
requested size. Fixes OpenSSL #2701.

This change does not address the cases of generating safe primes, or
where the |add| parameter is non-NULL.

Conflicts:
	crypto/bn/bn.h
	crypto/bn/bn_err.c
2013-06-04 18:52:30 +01:00
Adam Langley
2b0180c37f Ensure that x**0 mod 1 = 0. 2013-06-04 18:47:11 +01:00
Adam Langley
7753a3a684 Add volatile qualifications to two blocks of inline asm to stop GCC from
eliminating them as dead code.

Both volatile and "memory" are used because of some concern that the compiler
may still cache values across the asm block without it, and because this was
such a painful debugging session that I wanted to ensure that it's never
repeated.
2013-06-04 18:46:25 +01:00
Andy Polyakov
b69437e1e5 crypto/bn/bn_exp.c: SPARC portability fix. 2013-06-01 09:58:07 +02:00
Andy Polyakov
342dbbbe4e x86_64-gf2m.pl: fix typo. 2013-03-01 22:36:36 +01:00
Andy Polyakov
7c43601d44 x86_64-gf2m.pl: add missing Windows build fix for #2963.
PR: 3004
2013-03-01 21:43:10 +01:00
Andy Polyakov
750398acd8 bn_nist.c: work around clang 3.0 bug. 2013-02-14 09:51:41 +01:00
Andy Polyakov
4568182a8b x86_64 assembly pack: keep making Windows build more robust.
PR: 2963 and a number of others
2013-02-02 19:54:59 +01:00
Andy Polyakov
46bf83f07a x86_64 assembly pack: make Windows build more robust.
PR: 2963 and a number of others
2013-01-22 22:27:28 +01:00
Andy Polyakov
543fd85460 bn/asm/mips.pl: hardwire local call to bn_div_words. 2013-01-22 21:13:37 +01:00
Ben Laurie
b204ab6506 Update ignores. 2012-12-11 15:52:10 +00:00
Andy Polyakov
904732f68b C64x+ assembly pack: improve EABI support. 2012-11-28 13:19:10 +00:00
Andy Polyakov
9f6b0635ad x86_64-gcc.c: resore early clobber constraint.
Submitted by: Florian Weimer
2012-11-19 15:02:00 +00:00
Andy Polyakov
68c06bf6b2 Support for SPARC T4 MONT[MUL|SQR] instructions.
Submitted by: David Miller, Andy Polyakov
2012-11-17 10:34:11 +00:00
Andy Polyakov
134c00659a bn_word.c: fix overflow bug in BN_add_word. 2012-11-09 13:58:40 +00:00
Andy Polyakov
1efd583085 SPARCv9 assembly pack: harmonize ABI handling (so that it's handled in one
place at a time, by pre-processor in .S case and perl - in .s).
2012-10-25 12:07:32 +00:00
Andy Polyakov
0c832ec5c6 Add VIS3-capable sparcv9-gf2m module. 2012-10-20 15:59:14 +00:00
Andy Polyakov
947d78275b Add VIS3 Montgomery multiplication. 2012-10-20 09:13:21 +00:00
Andy Polyakov
a58fdc7a34 bn_lcl.h: gcc removed support for "h" constraint, which broke inline
assembler.
2012-09-01 13:17:32 +00:00
Andy Polyakov
be0d31b166 Add linux-x32 target. 2012-08-29 14:08:46 +00:00
Andy Polyakov
1a002d88ad MIPS assembly pack: assign default value to $flavour. 2012-08-17 09:10:31 +00:00
Andy Polyakov
32e03a3016 bn_nist.c: compensate for VC bug [with optimization off!].
PR: 2837
2012-07-02 13:30:32 +00:00
Andy Polyakov
8d00f34239 crypto/bn/*.h: move PTR_SIZE_INT to private header. 2012-07-02 13:27:30 +00:00
Andy Polyakov
6251989eb6 x86_64 assembly pack: make it possible to compile with Perl located on
path with spaces.

PR: 2835
2012-06-27 10:08:23 +00:00
Ben Laurie
71fa451343 Version skew reduction: trivia (I hope). 2012-06-03 22:00:21 +00:00
Andy Polyakov
3e181369dd C64x+ assembler pack. linux-c64xplus build is *not* tested nor can it be
tested, because kernel is not in shape to handle it *yet*. The code is
committed mostly to stimulate the kernel development.
2012-04-18 13:01:36 +00:00
Dr. Stephen Henson
d3379de5a9 don't shadow 2012-03-30 15:43:32 +00:00
Andy Polyakov
4736eab947 bn/bn_gf2m.c: make new BN_GF2m_mod_inv work with BN_DEBUG_RAND. 2012-03-29 21:35:28 +00:00
Andy Polyakov
0208ab2e3f bn_nist.c: make new optimized code dependent on BN_LLONG. 2012-02-02 07:46:05 +00:00
Andy Polyakov
ce0727f9bd bn_nist.c: harmonize buf in BN_nist_mod_256 with other mod functions. 2012-01-06 13:17:47 +00:00
Ben Laurie
e166891e0d Fix warning. 2011-12-13 15:55:35 +00:00
Andy Polyakov
8c98b2591f modexp512-x86_64.pl: Solaris protability fix.
PR: 2656
2011-12-12 15:10:14 +00:00
Andy Polyakov
5711dd8eac x86-mont.pl: fix bug in integer-only squaring path.
PR: 2648
2011-12-09 14:21:25 +00:00
Andy Polyakov
6600126825 bn/asm/mips.pl: fix typos. 2011-12-01 12:16:09 +00:00
Andy Polyakov
0985bd4f80 bn_nist.c: fix strict-aliasing compiler warning. 2011-11-13 17:31:03 +00:00
Dr. Stephen Henson
20bee9684d Add RFC5114 DH parameters to OpenSSL. Add test data to dhtest. 2011-11-13 14:07:36 +00:00
Andy Polyakov
29fd6746f5 armv4cpuid.S, armv4-gf2m.pl: make newest code compilable by older assembler. 2011-11-05 13:07:18 +00:00
Andy Polyakov
09f40a3cb9 ppc.pl: fix bug in bn_mul_comba4.
PR: 2636
Submitted by: Charles Bryant
2011-11-05 10:16:04 +00:00
Andy Polyakov
0933887112 bn_exp.c: fix corner case in new constant-time code.
Submitted by: Emilia Kasper
2011-10-29 19:25:13 +00:00
Andy Polyakov
a9cf0b81fa Remove superseded MIPS assembler modules. 2011-10-19 21:42:21 +00:00
Bodo Möller
e5641d7f05 BN_BLINDING multi-threading fix.
Submitted by: Emilia Kasper (Google)
2011-10-19 14:59:27 +00:00
Andy Polyakov
78f288d5c9 bn_mont.c: get corner cases right in updated BN_from_montgomery_word. 2011-10-17 23:35:00 +00:00
Andy Polyakov
8329e2e776 bn_exp.c: further optimizations using more ideas from
http://eprint.iacr.org/2011/239.
2011-10-17 17:41:49 +00:00
Andy Polyakov
3f66f2040a x86_64-mont.pl: minor optimization. 2011-10-17 17:39:59 +00:00
Andy Polyakov
2534891874 bn_mont.c: simplify BN_from_montgomery_word. 2011-10-17 17:24:28 +00:00
Andy Polyakov
79ba545c09 bn_shift.c: minimize reallocations, which allows BN_FLG_STATIC_DATA to
be shifted in specific cases.
2011-10-17 17:20:48 +00:00
Bodo Möller
4f2015742d Oops - ectest.c finds further problems beyond those exposed by bntext.c 2011-10-13 14:29:59 +00:00
Bodo Möller
0a06ad76a1 Avoid failed assertion in BN_DEBUG builds 2011-10-13 14:21:39 +00:00
Bodo Möller
cdfe0fdde6 Fix OPENSSL_BN_ASM_MONT5 for corner cases; add a test.
Submitted by: Emilia Kasper
2011-10-13 12:35:10 +00:00
Andy Polyakov
03e389cf04 Allow for dynamic base in Win64 FIPS module. 2011-09-14 20:48:49 +00:00
Andy Polyakov
dd83d0f4a7 crypto/bn/bn_gf2m.c: make it work with BN_DEBUG. 2011-09-05 16:14:43 +00:00
Bodo Möller
612fcfbd29 Fix d2i_SSL_SESSION. 2011-09-05 13:31:17 +00:00
Bodo Möller
ae53b299fa make update 2011-09-05 09:46:15 +00:00
Andy Polyakov
cfdbff23ab bn_exp.c: improve portability. 2011-08-27 19:38:55 +00:00
Andy Polyakov
6c01cbb6a0 modexp512-x86_64.pl: make it work with ml64. 2011-08-19 06:30:32 +00:00
Andy Polyakov
bf3dfe7fee bn_div.c: remove duplicate code by merging BN_div and BN_div_no_branch. 2011-08-14 11:31:35 +00:00
Andy Polyakov
e7d1363d12 x86_64-mont5.pl: add missing Win64 support. 2011-08-14 09:06:06 +00:00
Andy Polyakov
10bd69bf4f armv4-mont.pl: profiler-assisted optimization gives 8%-14% improvement
(more for longer keys) on RSA/DSA.
2011-08-13 12:38:41 +00:00
Andy Polyakov
ae8b47f07f SPARC assembler pack: fix FIPS linking errors. 2011-08-12 21:38:19 +00:00
Andy Polyakov
361512da0d This commit completes recent modular exponentiation optimizations on
x86_64 platform. It targets specifically RSA1024 sign (using ideas
from http://eprint.iacr.org/2011/239) and adds more than 10% on most
platforms. Overall performance improvement relative to 1.0.0 is ~40%
in average, with best result of 54% on Westmere. Incidentally ~40%
is average improvement even for longer key lengths.
2011-08-12 16:44:32 +00:00
Andy Polyakov
20735f4c81 alphacpuid.pl: fix alignment bug.
alpha-mont.pl: fix typo.
PR: 2577
2011-08-12 12:28:52 +00:00
Andy Polyakov
85ec54a417 x86_64-mont.pl: futher optimization resulting in up to 48% improvement
(4096-bit RSA sign benchmark on Core2) in comparison to initial version
from 2005.
2011-08-09 13:05:05 +00:00
Andy Polyakov
be9a8cc2af Add RSAX builtin engine. It optimizes RSA1024 sign benchmark. 2011-07-20 21:49:46 +00:00
Andy Polyakov
87873f4328 ARM assembler pack: add platform run-time detection. 2011-07-17 17:40:29 +00:00
Andy Polyakov
6179f06077 x86_64-mont.pl: add squaring procedure and improve RSA sign performance
by up to 38% (4096-bit benchmark on Core2).
2011-07-05 09:21:03 +00:00
Andy Polyakov
02a73e2bed s390x-gf2m.pl: commentary update (final performance numbers turned to be
higher).
2011-07-04 11:20:33 +00:00
Andy Polyakov
b247f7387f crypto/bn/Makefile: fix typo. 2011-06-28 08:52:36 +00:00
Andy Polyakov
0c237e42a4 s390x assembler pack: add s390x-gf2m.pl and harmonize AES_xts_[en|de]crypt. 2011-06-27 10:00:31 +00:00
Dr. Stephen Henson
8038e7e44c PR: 2540
Submitted by: emmanuel.azencot@bull.net
Reviewed by: steve

Prevent infinite loop in BN_GF2m_mod_inv().
2011-06-22 15:24:05 +00:00
Dr. Stephen Henson
9945b460e2 Give parameters names in prototypes. 2011-06-17 16:47:41 +00:00
Dr. Stephen Henson
f41154b206 #undef bn_div_words as it is defined for FIPS builds. 2011-06-10 14:03:27 +00:00
Andy Polyakov
6715034002 PPC assembler pack: adhere closer to ABI specs, add PowerOpen traceback data. 2011-05-27 13:32:34 +00:00
Andy Polyakov
96abea332c x86_64-gf2m.pl: add Win64 SEH. 2011-05-22 18:29:11 +00:00
Andy Polyakov
2b9a8ca15b x86gas.pl: add palignr and move pclmulqdq. 2011-05-16 18:07:00 +00:00
Andy Polyakov
afebe623c5 x86_64 assembler pack: add x86_64-gf2m module. 2011-05-16 17:46:45 +00:00
Andy Polyakov
b0188c4f07 bn_nist.c: fix shadowing warnings. 2011-05-11 20:19:00 +00:00
Dr. Stephen Henson
c2fd598994 Rename FIPS_mode_set and FIPS_mode. Theses symbols will be defined in
the FIPS capable OpenSSL.
2011-05-11 14:43:38 +00:00
Dr. Stephen Henson
0b59755f43 Call fipsas.pl directly for pa-risc targets. 2011-05-09 15:23:00 +00:00
Andy Polyakov
1fb97e1313 Optimized bn_nist.c. Performance improvement varies from one benchmark
and platform to another. It was measured to deliver 20-30% better
performance on x86 platforms and 30-40% on x86_64, on nistp384 benchmark.
2011-05-09 10:16:32 +00:00
Andy Polyakov
56c5f703c1 IA-64 assembler pack: fix typos and make it work on HP-UX. 2011-05-07 20:36:05 +00:00
Andy Polyakov
58cc21fdea x86 assembler pack: add bn_GF2m_mul_2x2 implementations (see x86-gf2m.pl for
details and performance data).
2011-05-07 10:31:06 +00:00
Andy Polyakov
925596f85b ARM assembler pack: engage newly introduced armv4-gf2m module. 2011-05-05 21:57:11 +00:00
Dr. Stephen Henson
8d3cdd5b58 Fix warning of signed/unsigned comparison. 2011-05-05 14:47:38 +00:00
Andy Polyakov
75359644d0 ARM assembler pack. Add bn_GF2m_mul_2x2 implementation (see source code
for details and performance data).
2011-05-05 07:21:17 +00:00
Andy Polyakov
034688ec4d bn_gf2m.c: optimized BN_GF2m_mod_inv delivers sometimes 2x of ECDSA sign.
Exact improvement coefficients vary from one benchmark and platform to
another, e.g. it performs 70%-33% better on ARM, hereafter less for
longer keys, and 100%-90% better on x86_64.
2011-05-04 15:22:53 +00:00
Dr. Stephen Henson
48da9b8f2a Fix warning. 2011-04-11 14:52:59 +00:00
Richard Levitte
c6dbe90895 make update 2011-03-24 22:59:02 +00:00
Richard Levitte
537c982306 After some adjustments, apply the changes OpenSSL 1.0.0d on OpenVMS
submitted by Steven M. Schweda <sms@antinode.info>
2011-03-19 10:58:14 +00:00
Ben Laurie
edc032b5e3 Add SRP support. 2011-03-12 17:01:19 +00:00
Andy Polyakov
a000759a5c ia64-mont.pl: optimize short-key performance. 2011-03-04 13:27:29 +00:00
Andy Polyakov
0ab8fd58e1 s390x assembler pack: tune-up and support for new z196 hardware. 2011-03-04 13:09:16 +00:00
Dr. Stephen Henson
949c6f8ccf Stop warnings. 2011-02-23 16:06:33 +00:00
Dr. Stephen Henson
b7056b6414 Update dependencies. 2011-02-21 17:51:59 +00:00
Dr. Stephen Henson
d749e1080a Experimental symbol renaming to avoid clashes with regular OpenSSL.
Make sure crypto.h is included first in any affected files.
2011-02-16 14:40:06 +00:00
Dr. Stephen Henson
fe26d066ff Add ECDSA functionality to fips module. Initial very incomplete version
of algorithm test program.
2011-02-14 17:14:55 +00:00
Dr. Stephen Henson
133291f8e7 New function BN_nist_mod_func which returns an appropriate function
if the passed prime is a NIST prime.
2011-02-14 16:44:29 +00:00
Dr. Stephen Henson
c9a90645a5 Disable some functions in headers with no-ec2m 2011-02-12 17:38:06 +00:00
Dr. Stephen Henson
b331016124 New option to disable characteristic two fields in EC code. 2011-02-12 17:23:32 +00:00
Dr. Stephen Henson
ed12c2f7ca In FIPS mode only use "Generation by Testing Candidates" equivalent. 2011-02-11 15:19:54 +00:00
Dr. Stephen Henson
14ae26f2e4 Transfer error redirection to fips.h, add OPENSSL_FIPSAPI to source files
that use it.
2011-02-03 17:00:24 +00:00
Bodo Möller
9d0397e977 make update 2011-02-03 10:17:53 +00:00
Dr. Stephen Henson
7edfe67456 Move all FIPSAPI renames into fips.h header file, include early in
crypto.h if needed.

Modify source tree to handle change.
2011-01-27 19:10:56 +00:00
Dr. Stephen Henson
7cc684f4f7 Redirect FIPS memory allocation to FIPS_malloc() routine, remove
OpenSSL malloc dependencies.
2011-01-27 17:23:43 +00:00
Dr. Stephen Henson
aa87945f47 Update source files to handle new FIPS_lock() location. Add FIPS_lock()
definition. Remove stale function references from fips.h
2011-01-27 15:57:31 +00:00
Dr. Stephen Henson
7c8ced94c3 Change OPENSSL_FIPSEVP to OPENSSL_FIPSAPI as it doesn't just refer
to EVP any more.

Move locking #define into fips.h.

Set FIPS locking callbacks at same time as OpenSSL locking callbacks.
2011-01-27 15:22:26 +00:00
Dr. Stephen Henson
a27de7b7fd use FIPSEVP in some bn and rsa files 2011-01-27 14:24:42 +00:00
Dr. Stephen Henson
879bd6e38c Internal version of BN_mod_inverse allowing checking of no-inverse without
need to inspect error queue.
2011-01-26 16:59:47 +00:00
Dr. Stephen Henson
df6de39fe7 Change AR to ARX to allow exclusion of fips object modules 2011-01-26 16:08:08 +00:00
Dr. Stephen Henson
13a5519208 Move BN_options function to bn_print.c to remove dependency for BIO printf
routines from bn_lib.c
2011-01-25 17:10:30 +00:00
Dr. Stephen Henson
7b1a04519f add X9.31 prime generation routines from 0.9.8 branch 2011-01-09 13:02:14 +00:00
Andy Polyakov
e822c756b6 s390x assembler pack: adapt for -m31 build, see commentary in Configure
for more details.
2010-11-29 20:52:43 +00:00
Andy Polyakov
dd128715a2 s390x.S: fix typo in bn_mul_words.
PR: 2380
2010-11-22 21:55:07 +00:00
Dr. Stephen Henson
776654adff PR: 2295
Submitted by: Alexei Khlebnikov <alexei.khlebnikov@opera.com>
Reviewed by: steve

OOM checking. Leak in OOM fix. Fall-through comment. Duplicate code
elimination.
2010-10-11 23:49:22 +00:00
Andy Polyakov
d466588788 MIPS assembler pack: enable it in Configure, add SHA2 module, fix make rules,
update commentary...
2010-10-02 11:47:17 +00:00
Andy Polyakov
da4d239dad Add unified mips.pl, which will replace mips3.s. 2010-09-27 21:19:43 +00:00
Andy Polyakov
0985473636 sha1-mips.pl, mips-mont.pl: unify MIPS assembler modules in respect to
ABI and binutils.
2010-09-22 08:43:09 +00:00
Andy Polyakov
f8927c89d0 Alpha assembler pack: adapt for Linux.
PR: 2335
2010-09-13 13:28:52 +00:00
Andy Polyakov
dd4a0af370 crypto/bn/asm/s390x.S: drop redundant instructions. 2010-09-10 14:53:36 +00:00
Andy Polyakov
1cbdca7bf2 Harmonize s390x assembler modules with "catch-all" rules from commit#19749. 2010-07-09 12:11:12 +00:00
Andy Polyakov
e216cd6ee9 armv4-mont.pl: addenum to previous commit#19749. 2010-07-08 15:06:01 +00:00
Andy Polyakov
396df7311e crypto/*/Makefile: unify "catch-all" assembler make rules and harmonize
ARM assembler modules.
2010-07-08 15:03:42 +00:00
Ben Laurie
c8bbd98a2b Fix warnings. 2010-06-12 14:13:23 +00:00
Andy Polyakov
3efe51a407 Revert previous Linux-specific/centric commit#19629. If it really has to
be done, it's definitely not the way to do it. So far answer to the
question was to ./config -Wa,--noexecstack (adopted by RedHat).
2010-05-05 22:05:39 +00:00
Ben Laurie
0e3ef596e5 Non-executable stack in asm. 2010-05-05 15:50:13 +00:00
Andy Polyakov
d23f4e9d5a alpha-mont.pl: comply with stack alignment requirements. 2010-04-10 13:33:04 +00:00
Andy Polyakov
97a6a01f0f ARMv4 assembler: fix compilation failure. Fix is actually unconfirmed, but
I can't think of any other cause for failure
2010-03-29 09:55:19 +00:00
Bodo Möller
2d9dcd4ff0 Always check bn_wexpend() return values for failure (CVE-2009-3245).
(The CHANGES entry covers the change from PR #2111 as well, submitted by
Martin Olsson.)

Submitted by: Neel Mehta
2010-02-23 10:36:35 +00:00
Andy Polyakov
964ed94649 parisc-mont.pl: PA-RISC 2.0 code path optimization based on intruction-
level profiling data resulted in almost 50% performance improvement.
PA-RISC 1.1 is also reordered in same manner, mostly to be consistent,
as no gain was observed, not on PA-7100LC.
2010-01-25 23:12:00 +00:00
Andy Polyakov
4f38565204 bn_lcl.h: add MIPS III-specific BN_UMULT_LOHI as alternative to porting
crypto/bn/asm/mips3.s from IRIX. Performance improvement is not as
impressive as with complete assembler, but still... it's almost 2.5x
[on R5000].
2010-01-17 12:08:24 +00:00
Andy Polyakov
4407700c40 ia64-mont.pl: add shorter vector support ("shorter" refers to 512 bits and
less).
2010-01-17 11:33:59 +00:00
Andy Polyakov
74f2260694 ia64-mont.pl: addp4 is not needed when referring to stack (this is 32-bit
HP-UX thing).
2010-01-07 15:36:59 +00:00
Andy Polyakov
1f23001d07 ppc64-mont.pl: commentary update. 2010-01-06 10:58:59 +00:00