especially for AIX. But most important BIGNUM assembler implementation
submitted by IBM.
Submitted by: Peter Waltenberg <pwalten@au1.ibm.com>
Reviewed by: appro
small key sizes seems to result from the code continually regenerating the
same prime value once the range is small enough. From my tests, this change
fixes the problem by setting an escape velocity of 3 repeats for the second
of the two primes.
PR: 874
proposed the change and submitted the patch, I jiggled it slightly and
adjusted the other parts of openssl that were affected.
PR: 867
Submitted by: Jelte Jansen
Reviewed by: Geoff Thorpe
changes are the fallout). As this could break source code that doesn't
directly include headers for interfaces it uses, changes to recursive
includes are covered by the OPENSSL_NO_DEPRECATED symbol. It's better to
define this when building and using openssl, and then adapt code where
necessary - this is how to stay current. However the mechanism exists for
the lethargic.
available compiler versions generated bogus machine code trying to
compile new crypto/des/cfb_enc.c. Secondly, 8th version defines
__GNUC__ macro, but fails to compile *some* inline assembler correctly.
Note that all versions of icc implement MSC-like _lrot[rl] intrinsic,
which is used now instead of offensive asm. Finally, unnecessary linker
dependencies are eliminated. Most notably dependency from libirc.a
caused trouble at application start-up, if libcrypto.so is linked with
-Bsymbolic (which it is).
locally initialising their own.
NB: I've removed the "BN_clear_free()" loops for the exit-paths in some of
these functions, and that may be a major part of the performance
improvements we're seeing. The "free" part can be removed because we're
using BN_CTX. The "clear" part OTOH can be removed because BN_CTX
destruction automatically performs this task, so performing it inside
functions that may be called repeatedly is wasteful. This is currently safe
within openssl due to the fact that BN_CTX objects are never created for
longer than a single high-level operation. However, that is only because
there's currently no mechanism in openssl for thread-local storage. Beyond
that, this might be an issue for applications using the bignum API directly
and caching their own BN_CTX objects. The solution is to introduce a flag
to BN_CTX_start() that allows its variables to be automatically sanitised
on release during BN_CTX_end(). This way any higher-level function (and
perhaps the application) can specify this flag in its own
BN_CTX_start()/BN_CTX_end() pair, and this will cause inner-loop functions
specifying the flag to be ignored so that sanitisation is handled only once
back out at the higher level. I will be implementing this in the near
future.
little TODO list in there as well as the debugging code (only enabled if
BN_CTX_DEBUG is defined).
I'd appreciate as much review and testing as can be spared for this. I'll
commit some changes to other parts of the bignum code shortly to make
better use of this implementation (no more fixed size limitations). Note
also that under identical optimisations, I'm seeing a noticable speed
increase over openssl-0.9.7 - so any feedback to confirm/deny this on other
systems would also be most welcome.
operations no longer require two distinct BN_CTX structures. This may put
more "strain" on the current BN_CTX implementation (which has a fixed limit
to the number of variables it will hold), but so far this limit is not
triggered by any of the tests pass and I will be changing BN_CTX in the
near future to avoid this problem anyway.
This also changes the default RSA implementation code to use the BN_CTX in
favour of initialising some of its variables locally in each function.
- Remove some unnecessary "+1"-like fudges. Sizes should be handled
exactly, as enlarging size parameters causes needless bloat and may just
make bugs less likely rather than fixing them: bn_expand() macro,
bn_expand_internal(), and BN_sqr().
- Deprecate bn_dup_expand() - it's new since 0.9.7, unused, and not that
useful.
- Remove unnecessary zeroing of unused bytes in bn_expand2().
- Rewrite BN_set_word() - it should be much simpler, the previous
complexities probably date from old mismatched type issues.
- Add missing bn_check_top() macros in bn_word.c
- Improve some degenerate case handling in BN_[add|sub]_word(), add
comments, and avoid a bignum expansion if an overflow isn't possible.
by using the Codenomicon TLS Test Tool (CAN-2004-0079)
Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites
(CAN-2004-0112)
Ready for 0.9.7d build
Submitted by: Steven Henson
Reviewed by: Joe Orton
Approved by: Mark Cox
functions and macros.
This change has associated tags: LEVITTE_before_const and
LEVITTE_after_const. Those will be removed when this change has been
properly reviewed.
Remove certain redundant BN_zero() initialisations, because BN_CTX_get(),
BN_init(), [etc] already initialise to zero.
Correct error checking in bn_sqr.c, and be less wishy-wash about how/why
the result's 'top' value is set (note also, 'max' is always > 0 at this
point).
bignums are passed in and out of functions and APIs in a consistent form
has highlighted that zero-valued bignums don't need any allocated word
data. The use of BN_set_word() to initialise a bignum to zero causes
needless allocation and gives it a return value that must be checked. This
change converts BN_zero() to a self-contained macro that has no
return/expression value and does not cause any expansion of bignum data.
Note, it would be tempting to rewrite the deprecated version as a
success-valued comma expression, such as;
#define BN_zero(a) ((a)->top = (a)->neg = 0, 1)
However, this evaluates 'a' twice and would confuse initialisation loops
(eg. while(..) { BN_zero(bn++) } ). As such, the deprecated version
continues to use BN_set_word().
redefine bn_clear_top2max() to be a NOP in the non-debugging case, and
remove some unnecessary usages in bn_nist.c.
Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe, Ulf Möller
return a "zero" bignum as BN_new() does - so reset 'top'. During
BN_CTX_end(), released bignums should be consistent so enforce this in
debug builds. Also, reduce the number of wasted BN_clear_free() calls from
BN_CTX_end() (typically by 75% or so).
Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe, Ulf Möller
automatically to accomodate the value, some compilers fail to do so. Most
notably 0x0123456789ABCDEF should come out as long long in 32-bit context,
but HP compiler truncates it to 32-bit value. Which in turn breaks GF(2^m)
arithmetics in hpux-parisc2-cc build. Therefore this fix...
VMS. The C RTL can handle it well if the "directory" is a logical
name with no colon, therefore ending being 'logname/file'. However,
if the given logical names actually has a colon, or if you use a full
VMS-syntax directory, you end up with 'logname:/file' or
'dev:[dir1.dir2]/file', and that isn't handled in any good way.
So, on VMS, we need to check if the directory string ends with a
separator (one of ':', ']' or '>' (< and > can be used instead [ and
])), and handle that by not inserting anything between the directory
spec and the file name. In all other cases, it's assumed the
directory spec is a logical name, so we need to place a colon between
it and the file.
Notified by Kevin Greaney <kevin.greaney@hp.com>.
VMS. The C RTL can handle it well if the "directory" is a logical
name with no colon, therefore ending being 'logname/file'. However,
if the given logical names actually has a colon, or if you use a full
VMS-syntax directory, you end up with 'logname:/file' or
'dev:[dir1.dir2]/file', and that isn't handled in any good way.
So, on VMS, we need to check if the directory string ends with a
separator (one of ':', ']' or '>' (< and > can be used instead [ and
])), and handle that by not inserting anything between the directory
spec and the file name. In all other cases, it's assumed the
directory spec is a logical name, so we need to place a colon between
it and the file.
Notified by Kevin Greaney <kevin.greaney@hp.com>.
Use BUF_strlcat() instead of strcat().
Use BIO_snprintf() instead of sprintf().
In some cases, keep better track of buffer lengths.
This is part of a large change submitted by Markus Friedl <markus@openbsd.org>
Use BUF_strlcat() instead of strcat().
Use BIO_snprintf() instead of sprintf().
In some cases, keep better track of buffer lengths.
This is part of a large change submitted by Markus Friedl <markus@openbsd.org>
- Add missing bn_check_top() calls and relocate some others
- Use BN_is_zero() where appropriate
- Remove assert()s that bn_check_top() is already covering
- Simplify the code in places (esp. bn_expand2())
- Only keep ambiguous zero handling if BN_STRICT isn't defined
- Remove some white-space and make some other aesthetic tweaks
the same thing.
Also, I have some stuff on the back-burner related to some BN_CTX notes
from Peter Gutmann about his cryptlib hacks to the bignum code. The BN_CTX
comments are there to remind me of some relevant points in the code.
once in the source (where it is set for the benefit of no other code
whatsoever). I've deprecated the declaration in the header and likewise
made the use of the flag conditional in bn_lib.c. Note, this change also
NULLs the 'd' pointer in a BIGNUM when it is reset but not deallocated.
which, in turn, are used nowhere at all. This is a good thing because
bn_set_max() would currently generate code that wouldn't compile (BIGNUM
has no 'max' element).
The only apparent use for bn_set_[low|high] would be for implementing
windowing algorithms, and all of openssl's seem to use bn_***_words()
helpers instead (including the BN_div() that Nils fixed recently, which had
been using independently-coded versions of what these unused macros are
intended for). I'm therefore consigning these macros to cvs oblivion in the
name of readability.
bn_correct_top() or bn_check_top() depending on debug settings. For
internal source, all bn_fix_top()s should be converted one way or the other
depending on whether the use of bn_correct_top() is justified.
For BN_div_recp(), these cases should not require correction if the other
bignum functions are doing their jobs properly, so convert to
bn_check_top().
(ie. where top may be zero, or it may be one if the corresponding word is
set to zero). Note, this only affects the macros in bn.h, there are probably
similar corrections required in some c files.
Also, clarify the audit-related macros at the top of the header. Mental
note: I must not forget to clean all this out before 0.9.8 is released ...
that gets built before objects barfs all over the place because it
uses a new NID that hasn't had a chance of getting defined yet (in
this case, it was about a couple of new EC curves, and therefore a
couple of new corresponding NIDs).
I'm placing objects first in SDIRS! There.
of libcrypto, then it is possible that when they are loaded they will share
the same static data as the loading application/library. This means it will
be too late to set memory/ERR/ex_data/[etc] callbacks, but entirely
unnecessary to try.
This change (and a great part of this comment) was implemented in
0.9.8-dev a long time ago, but slightly differently. In 0.9.8-dev, a
specific function that just returns a pointer to some static object is
used. For 0.9.7x, we couldn't do that, since the way we handle feature
freezes is, among other, to not add any more non-static functions.
Instead, we use the function ERR_get_implementation() and compare the
returned value with fns->err_fns, a member of fns that already is
there, and which therefore can safely be used in this manner.
What happens is that if the loaded ENGINE's return value from this
function matches the loading application/library's return value - they
share static data. If they don't match, the loaded ENGINE has its own
copy of libcrypto's static data and so the callbacks need to be set.
against inconsistent BIGNUMs coming out of any of its API functions. So
this change no longer "fixes" the bn_print.c functions, but it makes for
cleaner code. This patch was a part of ticket 697.
PR: 697
Submitted by: Otto Moerbeek
Reviewed by: Geoff Thorpe
ticket 697 (though uses a different solution than the proposed one). This
problem was initially raised by Otto Moerbeek.
PR: 697
Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe
and bn_add_words to avoid using fake bignums to window other bignums that
can lead to corruption. This change allows all bignum tests to pass with
BN_DEBUG and BN_DEBUG_RAND debugging and valgrind. NB: This should be
tested on a few different architectures and configuration targets, as the
bignum code this deals with is quite preprocessor (and assembly) sensitive.
Submitted by: Nils Narsch
Reviewed by: Geoff Thorpe, Ulf Moeller
sure the current length is used to calculate the new buffer length instead
of using the old length (prior to any variable substitution).
Submitted by: Nils Larsch
generally a more efficient comparison than comparing two integers, and the
first of these two loops was off-by-one (copying one too many values). This
change also removes a superfluous assignment that would set an unused word
to zero (and potentially allow an overrun in some cases).
Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe
(where it was impossible to create an EC certificate with a compressed
public key), and has some style improvements based on some comments from
Steve Henson about use of the ASN1 macros.
Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe
constant BIGNUMs. It turns out that this trips up different but equally
useful compiler warnings to -Wcast-qual, and so wasn't worth the ugliness
it created. (Thanks to Ulf for the forehead-slap.)
and structures as constant without having to cast away const at any point.
There is still plenty of other code that makes gcc's "-Wcast-qual" unhappy,
but crypto/bn/ is now ok. Purists are welcome to suggest alternatives.
constructing BIGNUM structures with pointers offset into other bignums
(among other things). This corrects some of it that is too plainly insane,
and tries to ensure that bignums are normalised when passed to other
functions.
structures being passed in to or out of API functions, and this corrects a
couple of cases found so far.
Also, lop off a couple of bytes of white-space.
I have tried to convert 'len' type variable declarations to unsigned as a
means to address these warnings when appropriate, but when in doubt I have
used casts in the comparisons instead. The better solution (that would get
us all lynched by API users) would be to go through and convert all the
function prototypes and structure definitions to use unsigned variables
except when signed is necessary. The proliferation of (signed) "int" for
strictly non-negative uses is unfortunate.
except internally to the allocator BN_CTX_new(), as such this deprecates
the use of BN_CTX_init() in the API. Moreover, the structure definition of
BN_CTX is taken out of bn_lcl.h and moved into bn_ctx.c itself.
NDEBUG should probably only be "forced" in the top-level configuration, but
until it is I will avoid removing it from bn_ctx.c which might surprise
people with massive slow-downs in their keygens. So I've left it in
bn_ctx.c but tidied up the preprocessor logic a touch and made it more
tolerant of debugging efforts.
choice but to have to cast away "const" qualifiers from their prototypes.
This does not remove constification restrictions from hash/compare
callbacks, but allows destructor commands to be run over a tables' elements
without bad casts.
linux system (namely mine) chokes on our definitions and uses of the "HZ"
symbol in crypto/tmdiff.[ch] and apps/speed.c as a "bad function cast"
(when in fact there is no function casting involved at all). In both cases,
it is easily worked around by not defining a cast into the macro and
jiggling the expressions slightly.
In addition - this highlights some cruft in openssl that needs sorting out.
The tmdiff.h header is exported as part of the openssl API despite the fact
that it is ugly as the driven sludge and not used anywhere in the library,
applications, or utilities. More weird still, almost identical code exists
in apps/speed.c though it looks to be slightly tweaked - so either tmdiff
should be updated and used by speed.c, or it should be dumped because it's
obviously not useful enough.
Rather than removing it for now, I've changed the API for tmdiff to at
least make sense. This involves taking the object type (MS_TM) from the
implementation and using it in the header rather than using "char *" in the
API and casting mercilessly in the code (ugh). If someone doesn't like
"MS_TM" and the "ms_time_***" naming, by all means change it. This should
be a harmless improvement, because the existing API is clearly not very
useful (eg. we reimplement it rather than using it in our own utils).
However, someone still needs to take a hack at consolidating speed.c and
tmdiff.[ch] somehow.
be) precompiled out in the API headers. This change is to ensure that if
it is defined when compiling openssl, the deprecated functions aren't
implemented either.
a multiple of AES_BLOCK_SIZE.
Optimize decryption of all complete blocks in AES-CBC by removing an
unnecessary memcpy().
The error was notified by James Fernandes <jf210032@exchange.DAYTONOH.NCR.com>.
The unnecessary memcpy() was found as an effect of investigating that error.
a multiple of AES_BLOCK_SIZE.
Optimize decryption of all complete blocks in AES-CBC by removing an
unnecessary memcpy().
The error was notified by James Fernandes <jf210032@exchange.DAYTONOH.NCR.com>.
The unnecessary memcpy() was found as an effect of investigating that error.
compression identity is already present among the registered
compression methods, and if so, reject the addition request.
Declare SSL_COMP_get_compression_method() so it can be used properly.
Change ssltest.c so it checks what compression methods are available
and enumerates them. As a side-effect, built-in compression methods
will be automagically loaded that way. Additionally, change the
identities for ZLIB and RLE to be conformant to
draft-ietf-tls-compression-05.txt.
Finally, make update.
Next on my list: have the built-in compression methods added
"automatically" instead of requiring that the author call
SSL_COMP_add_compression_method() or
SSL_COMP_get_compression_methods().
sure the loop does correctly stop and breaking ("division by zero")
modulus operations are not performed. The (pre-generated) prime
table crypto/bn/bn_prime.h was already correct, but it could not be
re-generated on some platforms because of the "division by zero"
situation in the script.
platforms that don't (necessarely) have it. In the case of VMS, this
means moving a couple of functions from apps/ to crypto/ and make them
general (although only used privately).
OpenSSL-fips-0_9_7-stable.
Since the 0.9.7-stable branch is supposed to be in freeze and should
only contain bug corrections, this change removes the FIPS changes
from that branch.
1. CreateToolhelp32Snapshot returns INVALID_HANDLE_VALUE, not NULL, on error.
2. On Windows CE, a snapshot handle is closed with CloseToolhelp32Snapshot,
not CloseHandle.
1. CreateToolhelp32Snapshot returns INVALID_HANDLE_VALUE, not NULL, on error.
2. On Windows CE, a snapshot handle is closed with CloseToolhelp32Snapshot,
not CloseHandle.
Have the f parameter to _ctrl functions have the prototype (*)(void)
rather than (*)(), for the sake of C++ compilers.
Disable unimplemented functionality.
should not be necessary in any case, but more importantly the result and
input BIGNUMs could be the same, in which case this is clearly a problem.
Submitted by: Jonathan Hersch
Reviewed by: Joe Orton
Approved by: Geoff Thorpe
called downstream that need it to be non-const. The fact that the RSA_METHOD
functions take the RSA* as a const doesn't matter, it just expresses that
*they* won't touch it.
PR: 602
called downstream that need it to be non-const. The fact that the RSA_METHOD
functions take the RSA* as a const doesn't matter, it just expresses that
*they* won't touch it.
PR: 602