Commit graph

604 commits

Author SHA1 Message Date
Nils Larsch
611ed5f312 fix comment
PR: 1270
2006-01-13 23:52:17 +00:00
Nils Larsch
27fbb5dbf4 2 is a prime number ...
PR: 1266
2006-01-13 23:29:31 +00:00
Andy Polyakov
98c045cf3a crypto/bn/asm/sparcv8plus.S update from HEAD. 2005-11-15 08:05:19 +00:00
Dr. Stephen Henson
8860f3a82a Fix possible race condition. 2005-11-11 12:59:39 +00:00
Dr. Stephen Henson
1bef284ab1 Update from HEAD. 2005-10-05 17:53:40 +00:00
Nils Larsch
7f622f6c04 fix warnings when building openssl with (gcc 3.3.1):
-Wmissing-prototypes -Wcomment -Wformat -Wimplicit -Wmain -Wmultichar
-Wswitch -Wshadow -Wtrigraphs -Werror -Wchar-subscripts
-Wstrict-prototypes -Wreturn-type -Wpointer-arith  -W -Wunused
-Wno-unused-parameter -Wuninitialized
2005-08-28 23:20:52 +00:00
Bodo Möller
9eaf7e14c7 avoid potential spurious BN_free()
Submitted by: David Heine <dlheine@suif.Stanford.EDU>
2005-08-23 04:14:55 +00:00
Ben Laurie
9ddb11f11c Avoid weak subgroups in Diffie Hellman. 2005-08-20 18:35:53 +00:00
Andy Polyakov
984aefe0e8 3-4 times better RSA/DSA performance on WIN64A target [from HEAD]. 2005-08-04 17:42:58 +00:00
Nils Larsch
87b857b6bf fix BN_mod_word and give a more reasonable return value if an error occurred 2005-07-25 22:55:48 +00:00
Nils Larsch
7dec24688f set correct bn->top value 2005-07-21 22:38:16 +00:00
Nils Larsch
3c6ab9aad9 bugfix: 0 - w (w != 0) is actually negative 2005-07-17 16:08:21 +00:00
Andy Polyakov
fbfb947b21 Bugfix for bn_div_words PPC assembler implementation [from HEAD]. 2005-07-03 09:23:57 +00:00
Ben Laurie
c0e29e5b01 Fix warnings. 2005-06-28 12:32:48 +00:00
Andy Polyakov
2f03129d46 bn.h update from HEAD. 2005-06-28 11:52:52 +00:00
Andy Polyakov
2a5b22d6f9 Missed -c in IRIX rule. 2005-06-23 20:38:19 +00:00
Andy Polyakov
f247dc7522 IRIX upadte from HEAD. 2005-06-23 16:47:21 +00:00
Nils Larsch
431712293d fix assertion
PR: 1072
2005-05-31 20:38:31 +00:00
Andy Polyakov
39663d2c40 Missing sparcv8.o rule.
PR: 1082
2005-05-31 12:18:15 +00:00
Richard Levitte
c9028b0ab5 Typo 2005-05-29 11:26:56 +00:00
Bodo Möller
cad811fc41 Use BN_with_flags() in a cleaner way. 2005-05-27 15:39:24 +00:00
Bodo Möller
a506b8c7dd check BN_copy() return value 2005-05-26 04:30:48 +00:00
Richard Levitte
2f596aeef5 DEC C complains about bad subscript, but we know better, so let's shut it up. 2005-05-24 03:22:56 +00:00
Andy Polyakov
ce92b6eb9c Further BUILDENV refinement, further fool-proofing of Makefiles and
[most importantly] put back dependencies accidentaly eliminated in
check-in #13342.
2005-05-16 16:55:47 +00:00
Bodo Möller
46a643763d Implement fixed-window exponentiation to mitigate hyper-threading
timing attacks.

BN_FLG_EXP_CONSTTIME requests this algorithm, and this done by default for
RSA/DSA/DH private key computations unless
RSA_FLAG_NO_EXP_CONSTTIME/DSA_FLAG_NO_EXP_CONSTTIME/
DH_FLAG_NO_EXP_CONSTTIME is set.

Submitted by: Matthew D Wood
Reviewed by: Bodo Moeller
2005-05-16 01:43:31 +00:00
Andy Polyakov
81a86fcf17 Fool-proofing Makefiles 2005-05-15 22:23:26 +00:00
Ben Laurie
4b26fe30de There must be an explicit way to build the .o! 2005-05-11 16:39:05 +00:00
Bodo Möller
8afca8d9c6 Fix more error codes.
(Also improve util/ck_errf.pl script, and occasionally
fix source code formatting.)
2005-05-11 03:45:39 +00:00
Richard Levitte
82e8cb403a Since BN_LLONG will only be defined for Alpha/VMS and not VAX/VMS,
there's no need to undefine it here.  Then, let's get a bit paranoid
and not define BN_ULLONG on THIRTY_TWO_BIT machines when BN_LLONG
isn't defined.
2005-05-06 13:34:35 +00:00
Nils Larsch
f15c448a72 remove BN_ncopy, it was only used in bn_nist.c and wasn't particular
useful anyway
2005-05-03 20:27:00 +00:00
Nils Larsch
fcb41c0ee8 rewrite of bn_nist.c, disable support for some curves on 64 bit platforms
for now (it was broken anyway)
2005-05-03 20:23:33 +00:00
Nils Larsch
c1a8a5de13 don't let BN_CTX_free(NULL) segfault 2005-04-29 21:20:31 +00:00
Dr. Stephen Henson
6ec8e63af6 Port BN_MONT_CTX_set_locked() from stable branch.
The function rsa_eay_mont_helper() has been removed because it is no longer
needed after this change.
2005-04-26 23:58:54 +00:00
Dr. Stephen Henson
465b9f6b26 Stop unused variable warning. 2005-04-26 23:45:49 +00:00
Nils Larsch
800e400de5 some updates for the blinding code; summary:
- possibility of re-creation of the blinding parameters after a
  fixed number of uses (suggested by Bodo)
- calculatition of the rsa::e in case it's absent and p and q
  are present (see bug report #785)
- improve the performance when if one rsa structure is shared by
  more than a thread (see bug report #555)
- fix the problem described in bug report #827
- hide the definition ot the BN_BLINDING structure in bn_blind.c
2005-04-26 22:31:48 +00:00
Bodo Möller
aa4ce7315f Fix various incorrect error function codes.
("perl util/ck_errf.pl */*.c */*/*.c" still reports many more.)
2005-04-26 18:53:22 +00:00
Ben Laurie
36d16f8ee0 Add DTLS support. 2005-04-26 16:02:40 +00:00
Nils Larsch
ff22e913a3 - use BN_set_negative and BN_is_negative instead of BN_set_sign
and BN_get_sign
- implement BN_set_negative as a function
- always use "#define BN_is_zero(a) ((a)->top == 0)"
2005-04-22 20:02:44 +00:00
Dr. Stephen Henson
29dc350813 Rebuild error codes. 2005-04-12 16:15:22 +00:00
Richard Levitte
4bb61becbb Add emacs cache files to .cvsignore. 2005-04-11 14:17:07 +00:00
Andy Polyakov
0abfd60604 Extend Solaris x86 support to amd64. 2005-04-04 17:10:53 +00:00
Andy Polyakov
60fd574cdf Make bn/asm/x86_64-gcc.c gcc4 savvy. +r is likely to be initially
introduced for a reason [like bug in initial gcc port], but proposed
=&r is treated correctly by senior 3.2, so we can assume it's safe now.
PR: 1031
2005-04-03 18:53:29 +00:00
Nils Larsch
fea4280a8b fix header 2005-03-30 21:38:29 +00:00
Ben Laurie
42ba5d2329 Blow away Makefile.ssl. 2005-03-30 13:05:57 +00:00
Andy Polyakov
da30c74a27 Remove unused assembler modules. 2005-02-06 13:43:02 +00:00
Andy Polyakov
67ea999d4a This patch was "ignited" by OpenBSD 3>=4 support. They've switched to ELF
and GNU binutils, but kept BSD make... And I took the opportunity to
unify other targets to this common least denominator...
2005-02-06 13:23:34 +00:00
Andy Polyakov
76ef6ac956 Refine PowerPC platform support. 2004-12-20 13:44:34 +00:00
Dr. Stephen Henson
a0e7c8eede Add lots of checks for memory allocation failure, error codes to indicate
failure and freeing up memory if a failure occurs.

PR:620
2004-12-05 01:03:15 +00:00
Richard Levitte
a2ac429da2 Don't use $(EXHEADER) directly in for loops, as most shells will break
if $(EXHEADER) is empty.

Notified by many, solution suggested by Carson Gaspar <carson@taltos.org>
2004-11-02 23:55:01 +00:00
Geoff Thorpe
f79110c633 Two TODO comments taken care of. Nils pointed out that one of them had already
been done, and took care of the other one (which hadn't).

Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe
2004-09-19 04:43:46 +00:00
Andy Polyakov
16760a3089 Proper support for OpenBSD-i386 shared build, including assember modules!
"Proper" means "compiles and passes test." Versioning is broken (I think).
2004-08-29 21:36:37 +00:00
Andy Polyakov
2b247cf81f OPENSSL_ia32cap final touches. Note that OPENSSL_ia32cap is no longer a
symbol, but a macro expanded as (*(OPENSSL_ia32cap_loc())). The latter
is the only one to be exported to application.
2004-08-29 16:36:05 +00:00
Andy Polyakov
34413fca84 OpenBSD fix-up for new a.out targets. OpenBSD .s.o rule is busted... 2004-08-01 21:16:26 +00:00
Andy Polyakov
ec38ddc765 Clean-up GAS targets: get rid of "cpp" stuff and replace it with "purified"
COFF and a.out targets [similar to ELF targets]. You might notice some
rudementary support for shared mingw builds under cygwin. It works (it
produces cryptoeay32.dll and ssleay32.dll with everything exported by
name), but it's primarily for testing/debugging purposes, at least for
now...
2004-08-01 17:33:58 +00:00
Andy Polyakov
33c3ecf741 Build-n-link new IA-64 modules on Linux and HP-UX. 2004-07-23 23:27:10 +00:00
Andy Polyakov
8169dd73f9 All SIXTY_FOUR_BIT platforms (mind the difference between SIXTY_FOUR_BIT and
SIXTY_FOUR_BIT_LONG) were failing to pass 'cd test; make test_bn'.
2004-07-22 09:32:11 +00:00
Andy Polyakov
859ceeeb51 Anchor AES and SHA-256/-512 assembler from C. 2004-07-18 17:26:01 +00:00
Andy Polyakov
d0590fe6b2 Add anchors for AES, SHA-256/-512 assembler modules and SSE2 code pathes.
I also used this opportunity to clean up some out-of-date targets and
re-group targets by OS.
2004-07-18 16:19:34 +00:00
Geoff Thorpe
ace3ebd661 Improve error handling if decompression of an ec point fails, and cleanup
ec_curve.c (unify comments, etc).

Submitted by: Nils Larsch
Reviewed by: Bodo Moeller, Geoff Thorpe
2004-07-06 15:50:04 +00:00
Andy Polyakov
e2f2a9af2c New scalable bn_mul_add_words loop, which provides up to >20% overall
performance improvement. Make module more gcc friendly and clarify
copyright issues for division routine.
2004-07-01 11:10:38 +00:00
Geoff Thorpe
d459e39012 Tidy up, including;
- Remove unused and unuseful debug cruft.
- Remove unnecessary 'top' fudging from BN_copy().
- Fix a potential memory leak and simplify the expansion logic in
  BN_bin2bn().

Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe
2004-06-20 04:16:12 +00:00
Geoff Thorpe
df11e1e921 Deprecate unused cruft, and "make update". 2004-06-17 23:50:25 +00:00
Geoff Thorpe
afbe74d386 Actually, that last change to BN_get_word() was a little too simple. 2004-06-17 22:05:40 +00:00
Geoff Thorpe
9088d5f24f As Nils put it;
Yet another question: some time ago you changed BN_set_word.
    Why didn't you change BN_get_word as well?

Quite. I'm also removing the older commented-out implementations to improve
readability. This complex stuff seems to date from a time when the types
didn't match up well.

Submitted by: Nils Larsch, Geoff Thorpe
2004-06-17 20:13:50 +00:00
Geoff Thorpe
cf9056cfda BN_div_word() was breaking when called from BN_bn2dec() (actually, this is
the only function that uses it) because it would trip up an assertion in
bn_div_words() when first invoked. This also adds BN_div_word() testing to
bntest.

Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe
2004-06-17 20:03:56 +00:00
Andy Polyakov
1809e858bb Eliminate compiler warnings and throw in performance table. 2004-05-28 10:15:58 +00:00
Geoff Thorpe
d6dda126b7 Make some more API types opaquely available from ossl_typ.h, meaning the
corresponding headers are only required for API functions or structure
details. This now includes the bignum types and BUF_MEM. Subsequent commits
will remove various dependencies on bn.h and buffer.h and update the
makefile dependencies.
2004-05-15 18:32:08 +00:00
Andy Polyakov
d3adc3d3ed SSE2 accelerated bn_mul_add_words. Code is currently disabled till proper
config and run-time support is added.
PR: 788
Submitted by: <dean@arctic.org>
Reviewed by: <appro>

Obtained from: http://arctic.org/~dean/crypto/rsa.html
2004-05-06 10:36:49 +00:00
Andy Polyakov
dd55880644 Improved PowerPC support. Proper ./config support for ppc targets,
especially for AIX. But most important BIGNUM assembler implementation
submitted by IBM.

Submitted by: Peter Waltenberg <pwalten@au1.ibm.com>
Reviewed by: appro
2004-04-27 22:05:50 +00:00
Richard Levitte
863d2b196f Print the debug thingies on stderr instead of stdout. If for nothing
else then at least so bc doesn't have problems parsing the output from
bntest :-).
2004-04-20 10:57:07 +00:00
Geoff Thorpe
c57bc2dc51 make update 2004-04-19 18:33:41 +00:00
Richard Levitte
a87228031f RAND_add() wants a double as it's last argument. 2004-03-25 15:52:43 +00:00
Geoff Thorpe
c86f2054f3 Adjust various bignum functions to use BN_CTX for variables instead of
locally initialising their own.

NB: I've removed the "BN_clear_free()" loops for the exit-paths in some of
these functions, and that may be a major part of the performance
improvements we're seeing. The "free" part can be removed because we're
using BN_CTX. The "clear" part OTOH can be removed because BN_CTX
destruction automatically performs this task, so performing it inside
functions that may be called repeatedly is wasteful. This is currently safe
within openssl due to the fact that BN_CTX objects are never created for
longer than a single high-level operation. However, that is only because
there's currently no mechanism in openssl for thread-local storage. Beyond
that, this might be an issue for applications using the bignum API directly
and caching their own BN_CTX objects. The solution is to introduce a flag
to BN_CTX_start() that allows its variables to be automatically sanitised
on release during BN_CTX_end(). This way any higher-level function (and
perhaps the application) can specify this flag in its own
BN_CTX_start()/BN_CTX_end() pair, and this will cause inner-loop functions
specifying the flag to be ignored so that sanitisation is handled only once
back out at the higher level. I will be implementing this in the near
future.
2004-03-25 04:32:24 +00:00
Geoff Thorpe
5c98b2caf5 Replace the BN_CTX implementation with my current work. I'm leaving the
little TODO list in there as well as the debugging code (only enabled if
BN_CTX_DEBUG is defined).

I'd appreciate as much review and testing as can be spared for this. I'll
commit some changes to other parts of the bignum code shortly to make
better use of this implementation (no more fixed size limitations). Note
also that under identical optimisations, I'm seeing a noticable speed
increase over openssl-0.9.7 - so any feedback to confirm/deny this on other
systems would also be most welcome.
2004-03-25 04:16:14 +00:00
Geoff Thorpe
e042540f6b Variety of belt-tightenings in the bignum code. (Please help test this!)
- Remove some unnecessary "+1"-like fudges. Sizes should be handled
  exactly, as enlarging size parameters causes needless bloat and may just
  make bugs less likely rather than fixing them: bn_expand() macro,
  bn_expand_internal(), and BN_sqr().
- Deprecate bn_dup_expand() - it's new since 0.9.7, unused, and not that
  useful.
- Remove unnecessary zeroing of unused bytes in bn_expand2().
- Rewrite BN_set_word() - it should be much simpler, the previous
  complexities probably date from old mismatched type issues.
- Add missing bn_check_top() macros in bn_word.c
- Improve some degenerate case handling in BN_[add|sub]_word(), add
  comments, and avoid a bignum expansion if an overflow isn't possible.
2004-03-17 17:36:54 +00:00
Geoff Thorpe
b6358c89a1 Convert openssl code not to assume the deprecated form of BN_zero().
Remove certain redundant BN_zero() initialisations, because BN_CTX_get(),
BN_init(), [etc] already initialise to zero.

Correct error checking in bn_sqr.c, and be less wishy-wash about how/why
the result's 'top' value is set (note also, 'max' is always > 0 at this
point).
2004-03-13 23:57:20 +00:00
Geoff Thorpe
5d735465d1 The efforts to eliminate the dual-representation of zero and to ensure
bignums are passed in and out of functions and APIs in a consistent form
has highlighted that zero-valued bignums don't need any allocated word
data. The use of BN_set_word() to initialise a bignum to zero causes
needless allocation and gives it a return value that must be checked. This
change converts BN_zero() to a self-contained macro that has no
return/expression value and does not cause any expansion of bignum data.

Note, it would be tempting to rewrite the deprecated version as a
success-valued comma expression, such as;
   #define BN_zero(a) ((a)->top = (a)->neg = 0, 1)
However, this evaluates 'a' twice and would confuse initialisation loops
(eg. while(..) { BN_zero(bn++) } ). As such, the deprecated version
continues to use BN_set_word().
2004-03-13 23:04:15 +00:00
Geoff Thorpe
9e051bac13 Document a change I'd already made, and at the same time, correct the
change to work properly; BN_zero() should set 'neg' to zero as well as
'top' to match the behaviour of BN_new().
2004-03-13 22:10:15 +00:00
Geoff Thorpe
a8aa764d3c Minimise the amount of code dependent on BN_DEBUG_RAND. In particular,
redefine bn_clear_top2max() to be a NOP in the non-debugging case, and
remove some unnecessary usages in bn_nist.c.

Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe, Ulf Möller
2004-03-09 03:53:40 +00:00
Geoff Thorpe
e7716b7a19 More changes coming out of the bignum auditing. BN_CTX_get() should ideally
return a "zero" bignum as BN_new() does - so reset 'top'. During
BN_CTX_end(), released bignums should be consistent so enforce this in
debug builds. Also, reduce the number of wasted BN_clear_free() calls from
BN_CTX_end() (typically by 75% or so).

Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe, Ulf Möller
2004-03-09 03:47:35 +00:00
Geoff Thorpe
1b06804491 When adding positive elements, we can use BN_uadd() instead of BN_add().
Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe
2004-02-22 19:30:41 +00:00
Andy Polyakov
1751034669 Typo in crypto/bn/asm/x86_64.c, bn_div_words().
PR: 821
2004-02-07 09:51:28 +00:00
Andy Polyakov
d04b1b4656 Typo in PA-RISC 2 rules in crypto/bn/Makefile.ssl 2004-01-30 05:41:23 +00:00
Andy Polyakov
1247092776 HP/UX PA-RISC 2 targets update. 2004-01-29 22:16:08 +00:00
Richard Levitte
1fb724449d make update 2004-01-28 18:38:33 +00:00
Andy Polyakov
27b2b78f90 Even though C specification explicitly says that constant type "stretches"
automatically to accomodate the value, some compilers fail to do so. Most
notably 0x0123456789ABCDEF should come out as long long in 32-bit context,
but HP compiler truncates it to 32-bit value. Which in turn breaks GF(2^m)
arithmetics in hpux-parisc2-cc build. Therefore this fix...
2004-01-25 10:53:43 +00:00
Richard Levitte
79b42e7654 Use sh explicitely to run point.sh
This is part of a large change submitted by Markus Friedl <markus@openbsd.org>
2003-12-27 14:59:07 +00:00
Richard Levitte
d420ac2c7d Use BUF_strlcpy() instead of strcpy().
Use BUF_strlcat() instead of strcat().
Use BIO_snprintf() instead of sprintf().
In some cases, keep better track of buffer lengths.
This is part of a large change submitted by Markus Friedl <markus@openbsd.org>
2003-12-27 14:40:17 +00:00
Ulf Möller
380e145daf Add "dif" variable to clean up the loop implementations.
Submitted by: Nils Larsch
2003-12-06 11:55:46 +00:00
Ulf Möller
ce38bb1a8c Avoid segfault if ret==0.
Submitted by: Nils Larsch
2003-12-06 11:39:37 +00:00
Geoff Thorpe
2bfd2c74d2 Incremental cleanups to bn_lib.c.
- Add missing bn_check_top() calls and relocate some others
- Use BN_is_zero() where appropriate
- Remove assert()s that bn_check_top() is already covering
- Simplify the code in places (esp. bn_expand2())
- Only keep ambiguous zero handling if BN_STRICT isn't defined
- Remove some white-space and make some other aesthetic tweaks
2003-12-02 20:01:30 +00:00
Geoff Thorpe
82b2f57e30 Use the BN_is_odd() macro in place of code that (inconsistently) does much
the same thing.

Also, I have some stuff on the back-burner related to some BN_CTX notes
from Peter Gutmann about his cryptlib hacks to the bignum code. The BN_CTX
comments are there to remind me of some relevant points in the code.
2003-12-02 03:28:24 +00:00
Geoff Thorpe
2ae1ea3788 BN_FLG_FREE is of extremely dubious usefulness, and is only referred to
once in the source (where it is set for the benefit of no other code
whatsoever). I've deprecated the declaration in the header and likewise
made the use of the flag conditional in bn_lib.c. Note, this change also
NULLs the 'd' pointer in a BIGNUM when it is reset but not deallocated.
2003-12-02 03:16:56 +00:00
Geoff Thorpe
34066d741a Declare the static BIGNUM "BN_value_one()" more carefully. 2003-12-01 23:13:17 +00:00
Geoff Thorpe
b74cc0776b Add missing bn_check_top()s to bn_kron.c, remove some miscellaneous
white-space, and include extra headers to satisfy debugging builds.
2003-12-01 23:11:45 +00:00
Geoff Thorpe
e7e5fe4705 Add missing bn_check_top()s to bn_gf2m.c and remove some miscellaneous
white-space.
2003-12-01 23:10:21 +00:00
Geoff Thorpe
998ae048e7 The bn_set_max() macro is only "used" by the bn_set_[low|high]() macros
which, in turn, are used nowhere at all. This is a good thing because
bn_set_max() would currently generate code that wouldn't compile (BIGNUM
has no 'max' element).

The only apparent use for bn_set_[low|high] would be for implementing
windowing algorithms, and all of openssl's seem to use bn_***_words()
helpers instead (including the BN_div() that Nils fixed recently, which had
been using independently-coded versions of what these unused macros are
intended for). I'm therefore consigning these macros to cvs oblivion in the
name of readability.
2003-12-01 22:11:08 +00:00
Geoff Thorpe
e65c2b9872 bn_fix_top() exists for compatibility's sake and is mapped to
bn_correct_top() or bn_check_top() depending on debug settings. For
internal source, all bn_fix_top()s should be converted one way or the other
depending on whether the use of bn_correct_top() is justified.

For BN_div_recp(), these cases should not require correction if the other
bignum functions are doing their jobs properly, so convert to
bn_check_top().
2003-12-01 21:59:40 +00:00
Geoff Thorpe
46cb8d3689 If BN_STRICT is defined, don't accept an ambiguous representation of zero
(ie. where top may be zero, or it may be one if the corresponding word is
set to zero). Note, this only affects the macros in bn.h, there are probably
similar corrections required in some c files.

Also, clarify the audit-related macros at the top of the header. Mental
note: I must not forget to clean all this out before 0.9.8 is released ...
2003-11-30 22:23:12 +00:00
Geoff Thorpe
23fc5ac646 Improve a couple of the bignum macros. Note, this doesn't eliminate
tolerance of ambiguous zero-representation, it just improves
BN_abs_is_word() and simplifies other macros that depend on it.
2003-11-30 22:02:10 +00:00