Commit graph

54 commits

Author SHA1 Message Date
Emilia Kasper
a43bcd9e96 Check for invalid divisors in BN_div.
Invalid zero-padding in the divisor could cause a division by 0.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-17 10:00:17 +01:00
Ben Laurie
68d2cf51bc Reduce version skew: trivia (I hope). 2012-06-03 22:03:37 +00:00
Andy Polyakov
9f1c5491d2 BN update from HEAD. 2011-11-14 21:05:42 +00:00
Bodo Möller
7fe747d1eb Always check bn_wexpend() return values for failure (CVE-2009-3245).
(The CHANGES entry covers the change from PR #2111 as well, submitted by
Martin Olsson.)

Submitted by: Neel Mehta
2010-02-23 10:36:30 +00:00
Dr. Stephen Henson
8280b43a62 Update from HEAD. 2009-06-17 11:26:09 +00:00
Geoff Thorpe
6343829a39 Revert the size_t modifications from HEAD that had led to more
knock-on work than expected - they've been extracted into a patch
series that can be completed elsewhere, or in a different branch,
before merging back to HEAD.
2008-11-12 03:58:08 +00:00
Ben Laurie
4d6e1e4f29 size_tification. 2008-11-01 14:37:00 +00:00
Bodo Möller
f8d6be3f81 Some precautions to avoid potential security-relevant problems. 2008-09-14 13:42:34 +00:00
Dr. Stephen Henson
56c7754cab Avoid warnings. 2008-02-28 14:05:01 +00:00
Andy Polyakov
55525742f4 Privatize BN_*_no_branch. 2007-06-11 16:33:03 +00:00
Bodo Möller
24a8c25ab5 fix error codes 2007-04-19 15:14:21 +00:00
Bodo Möller
d1e7d1d96c don't violate the bn_check_top assertion in BN_mod_inverse_no_branch() 2007-04-19 14:45:57 +00:00
Bodo Möller
b002265ee3 make BN_FLG_CONSTTIME semantics more fool-proof 2007-03-28 18:41:23 +00:00
Bodo Möller
bd31fb2145 Change to mitigate branch prediction attacks
Submitted by: Matthew D Wood
Reviewed by: Bodo Moeller
2007-03-28 00:15:28 +00:00
Nils Larsch
8215e7a938 fix warnings when building openssl with the following compiler options:
-Wmissing-prototypes -Wcomment -Wformat -Wimplicit -Wmain -Wmultichar
        -Wswitch -Wshadow -Wtrigraphs -Werror -Wchar-subscripts
        -Wstrict-prototypes -Wreturn-type -Wpointer-arith  -W -Wunused
        -Wno-unused-parameter -Wuninitialized
2005-08-28 22:49:57 +00:00
Geoff Thorpe
9e051bac13 Document a change I'd already made, and at the same time, correct the
change to work properly; BN_zero() should set 'neg' to zero as well as
'top' to match the behaviour of BN_new().
2004-03-13 22:10:15 +00:00
Geoff Thorpe
a8aa764d3c Minimise the amount of code dependent on BN_DEBUG_RAND. In particular,
redefine bn_clear_top2max() to be a NOP in the non-debugging case, and
remove some unnecessary usages in bn_nist.c.

Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe, Ulf Möller
2004-03-09 03:53:40 +00:00
Geoff Thorpe
9e989810ba BN_div() cleanup: replace the use of BN_sub and BN_add with bn_sub_words
and bn_add_words to avoid using fake bignums to window other bignums that
can lead to corruption. This change allows all bignum tests to pass with
BN_DEBUG and BN_DEBUG_RAND debugging and valgrind. NB: This should be
tested on a few different architectures and configuration targets, as the
bignum code this deals with is quite preprocessor (and assembly) sensitive.

Submitted by: Nils Narsch
Reviewed by: Geoff Thorpe, Ulf Moeller
2003-11-22 20:23:41 +00:00
Geoff Thorpe
5c0c22803e Put more debug screening in BN_div() and correct a comment. 2003-11-06 23:11:07 +00:00
Geoff Thorpe
d870740cd7 Put the first stage of my bignum debugging adventures into CVS. This code
is itself experimental, and in addition may cause execution to break on
existing openssl "bugs" that previously were harmless or at least
invisible.
2003-11-04 22:54:49 +00:00
Geoff Thorpe
a9fd78f9da bn_div() does some pretty nasty things with temporary variables,
constructing BIGNUM structures with pointers offset into other bignums
(among other things). This corrects some of it that is too plainly insane,
and tries to ensure that bignums are normalised when passed to other
functions.
2003-10-31 01:35:16 +00:00
Geoff Thorpe
c4db1a8b5c This fixes a couple of cases where an inconsistent BIGNUM could be passed as
input to a function.
2003-10-30 01:03:31 +00:00
Richard Levitte
3c801fa460 A little debugging. 2002-12-20 16:38:06 +00:00
Andy Polyakov
2f98abbcb6 x86_64 performance patch. 2002-12-14 20:42:05 +00:00
Richard Levitte
9cdf87f194 Check the return values where memory allocation failures may happen.
PR: 49
2002-05-30 16:47:45 +00:00
Ulf Möller
5dd955dcd2 openbsd-x86 macros
Submitted by: Toomas Kiisk <vix@cyber.ee>
2001-10-14 00:57:30 +00:00
Andy Polyakov
500230ee94 The IRIX fix. Asm recap and corresponding declation.
Submitted by:
Reviewed by:
PR:
2001-03-27 22:30:46 +00:00
Dr. Stephen Henson
3d2e469cfa Fix a bug which caused BN_div to produce the
wrong result if rm==num and num < 0.
2001-02-28 00:51:48 +00:00
Richard Levitte
cf1b7d9664 Make all configuration macros available for application by making
sure they are available in opensslconf.h, by giving them names starting
with "OPENSSL_" to avoid conflicts with other packages and by making
sure e_os2.h will cover all platform-specific cases together with
opensslconf.h.

I've checked fairly well that nothing breaks with this (apart from
external software that will adapt if they have used something like
NO_KRB5), but I can't guarantee it completely, so a review of this
change would be a good thing.
2001-02-19 16:06:34 +00:00
Ulf Möller
75802000c8 There is no C version of bn_div_3_words 2001-01-23 16:26:15 +00:00
Bodo Möller
80d89e6a6a Sign-related fixes (and tests).
BN_mod_exp_mont does not work properly yet if modulus m
is negative (we want computations to be carried out
modulo |m|).
2000-12-07 08:48:58 +00:00
Bodo Möller
78a0c1f18d modular arithmetics
"make update"
2000-11-26 16:42:38 +00:00
Bodo Möller
7f7b8d6871 BN_CTX-related fixes. 2000-11-08 10:05:34 +00:00
Dr. Stephen Henson
2d978cbd30 Changes needed for Tandem NSK, supplied by Scott Uroff (scott@xypro.com).
Fix warnings with BIO_dump_indent().
2000-08-04 00:01:39 +00:00
Andy Polyakov
89cee61b45 New NO_INLINE_ASM macro. Primary target for the moment is Solaris x86
which can't stand GNU C assembler templates.
2000-02-15 17:20:52 +00:00
Ulf Möller
4a6222d71b BN_div bugfix. The q-- loop should not be entered in the n0==d0 case. 2000-02-06 00:25:39 +00:00
Ulf Möller
9b141126d4 New functions BN_CTX_start(), BN_CTX_get(), BN_CTX_end() to access
temporary BIGNUMs. BN_CTX still uses a fixed number of BIGNUMs, but
the BN_CTX implementation could now easily be changed.
2000-02-05 14:17:32 +00:00
Andy Polyakov
fb81ac5e6b Support for "multiply high" instruction, see BN_UMULT_HIGH comment in
crypto/bn/bn_lcl.h for further details. It should be noted that for
the moment of this writing the code was tested only on Alpha. If
compiled with DEC C the C implementation exhibits 12% performance
improvement over the crypto/bn/asm/alpha.s (on EV56 box running
AlphaLinux). GNU C is (unfortunately) 8% behind the assembler
implementation. But it's OpenVMS Alpha users who *may* benefit most
as 'apps/openssl speed rsa' exhibits 6 (six) times performance
improvement over the original VMS bignum implementation. Where "*may*"
means "as soon as code is enabled though #define SIXTY_FOUR_BIT and
crypto/bn/asm/vms.mar is skipped."
2000-02-02 16:18:12 +00:00
Ulf Möller
0bde1089f8 match the prototype 2000-02-01 23:47:24 +00:00
Bodo Möller
cb5b7850ac If n0 == d0, we must alway compute 'rem' "by hand" 2000-02-01 11:10:54 +00:00
Bodo Möller
fe7cd1647d Typo in preprocessor symbol. 2000-02-01 08:48:30 +00:00
Ulf Möller
3b14cb717d Solaris x86 assembler problem is already addressed in ./config
(bug reports keep coming in because that was still missing in 0.9.4)
1999-12-14 15:28:10 +00:00
Ulf Möller
a4af39ac44 Don't use inline assembler on x86 Solaris (would need a different syntax). 1999-12-08 22:55:06 +00:00
Ulf Möller
8e1589ece5 VC++ warning. 1999-09-29 22:11:06 +00:00
Andy Polyakov
0bbd03525e Minor MIPS III/IV tune-up. 1999-08-24 16:02:16 +00:00
Ben Laurie
97e84e38df Make it compile under -pedantic. 1999-08-03 10:18:27 +00:00
Andy Polyakov
4c22909e31 Extra i386+gcc bn_div.c tune-up featuring inline division and saving
the remainder left in %edx. Here is the resulting performance improvement
matrix (improvement as a result of this *and* previous tune-up committed
two days ago). The results were obtained by profiling the "div" part of
the crypto/bn/bnspeed.c.

CPU	BN_div	bn_div_words	overall	comment
------------------------------------------------------------------------
PII	+16%	accumulated by	+2-3%	PII multiplies damn fast! Taking
		inlining		multiplication out of the loop
					didn't make too much difference.
					Eliminating of the multiplication
					involved in remainder calculation
					is the major factor.

Pentium	+45%	accumulated by	+7-9%	mull isn't that fast and replacing
		inlining		multiplications with additions in
					the loop has more visible effect:-)

MIPS	+75%	+12%		+20-25%	In addition to the taking mults
R10000					out of the loop (giving 12% in the
					asm/mips3.s) three mults were
					eliminated in BN_div.

Alpha	+30%	+50%		+10-15%	Same as above. But remember that
EV4					bn_div_words is a C implementation.
					It takes 4 Alpha mults in C to do
					the same thing as 1 MIPS mult in
					assembler does. So the effect (50%)
					is more impressive. But not the
					overall one... Well, if Alpha
					bn_mul_add would be implemented
					in assembler overall improvement
					would be closer to MIPS...
1999-07-31 23:27:41 +00:00
Andy Polyakov
0dd25e3606 Bignum division tune-up. Idea is to move multiplications in front of
loop body and replace 'em with addition/subtraction.
1999-07-30 11:43:43 +00:00
Ulf Möller
adc7fe123b Circumvent bug in SC5 without patch #107357-01.
Submitted by: Andy Polyakov <appro@fy.chalmers.se>
1999-06-09 21:13:27 +00:00
Ben Laurie
84c15db551 Some constification and stacks that slipped through the cracks (how?). 1999-06-04 22:23:10 +00:00