path: root/crypto/bn/bn_asm.c
Commit message (Author, Age; Files, Lines)
* Copyright year updates (Matt Caswell, 2023-09-07; 1 file, -1/+1)
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Release: yes
* Alternative fix for CVE-2022-4304 (Bernd Edlinger, 2023-04-04; 1 file, -48/+58)
  This is about a timing leak in the topmost limb of the internal result of RSA_private_decrypt, before the padding check.

  There are in fact at least three bugs together that caused the timing leak:

  First and probably most important is the fact that the blinding did not use the constant time code path at all when the RSA object was used for a private decrypt, due to the fact that the Montgomery context rsa->_method_mod_n was not set up early enough in rsa_ossl_private_decrypt, when BN_BLINDING_create_param needed it, and that was persisted as blinding->m_ctx, although the RSA object creates the Montgomery context just a bit later.

  Then the infamous bn_correct_top was used on the secret value right after the blinding was removed.

  And finally the function BN_bn2binpad did not use the constant-time code path since the BN_FLG_CONSTTIME was not set on the secret value.

  In order to address the first problem, this patch makes sure that the rsa->_method_mod_n is initialized right before the blinding context. And to fix the second problem, we add a new utility function bn_correct_top_consttime, a const-time variant of bn_correct_top.

  Together with the fact that BN_bn2binpad is already constant time if the flag BN_FLG_CONSTTIME is set, this should eliminate the timing oracle completely.

  In addition the no-asm variant may also have branches that depend on secret values, because the last invocation of bn_sub_words in bn_from_montgomery_word had branches when the function is compiled by certain gcc compiler versions, due to the clumsy coding style. So additionally this patch streamlined the no-asm C-code in order to avoid branches where possible and improve the resulting code quality.

  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20281)
* Remove some unnecessary undefs in bn_asm.c (Bernd Edlinger, 2021-12-14; 1 file, -7/+0)
  This is likely the leftover of a previous hack, and thus should be removed now.

  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/17259)
* Reorganize local header files (Dr. Matthias St. Pierre, 2019-09-28; 1 file, -1/+1)
  Apart from public and internal header files, there is a third type called local header files, which are located next to source files in the source directory. Currently, they have different suffixes like '*_lcl.h', '*_local.h', or '*_int.h'. This commit changes the different suffixes to '*_local.h' uniformly.

  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/9333)
* Following the license change, modify the boilerplates in crypto/bn/ (Richard Levitte, 2018-12-06; 1 file, -1/+1)
  [skip ci]

  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/7777)
* Remove parentheses of return. (KaoruToda, 2017-10-18; 1 file, -16/+16)
  Since return is inconsistent, I removed unnecessary parentheses and unified them.

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/4541)
* Copyright consolidation 06/10 (Rich Salz, 2016-05-17; 1 file, -54/+6)
  Reviewed-by: Richard Levitte <levitte@openssl.org>
* Clean-up *_DEBUG options. (Andy Polyakov, 2016-04-07; 1 file, -5/+0)
  Since NDEBUG is defined unconditionally on command line for release builds, we can omit *_DEBUG options in favour of effective "all-on" in debug builds exercised through CI.

  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Emilia Käsper <emilia@openssl.org>
* Remove /* foo.c */ comments (Rich Salz, 2016-01-26; 1 file, -1/+0)
  This was done by the following

      find . -name '*.[ch]' | /tmp/pl

  where /tmp/pl is the following three-line script:

      print unless $. == 1 && m@/\* .*\.[ch] \*/@;
      close ARGV if eof;  # Close file to reset $.

  And then some hand-editing of other files.

  Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
* Identify and move common internal libcrypto header files (Richard Levitte, 2015-05-14; 1 file, -1/+1)
  There are header files in crypto/ that are used by a number of crypto/ submodules. Move those to crypto/include/internal and adapt the affected source code and Makefiles.

  The header files that got moved are:

      crypto/cryptolib.h
      crypto/md32_common.h

  Reviewed-by: Rich Salz <rsalz@openssl.org>
* Run util/openssl-format-source -v -c . (Matt Caswell, 2015-01-22; 1 file, -885/+945)
  Reviewed-by: Tim Hudson <tjh@openssl.org>
* bn/bn_asm.c: make it indent-friendly. (Andy Polyakov, 2015-01-22; 1 file, -15/+15)
  Reviewed-by: Tim Hudson <tjh@openssl.org>
* Fix for CVE-2014-3570 (with minor bn_asm.c revamp). (Andy Polyakov, 2015-01-08; 1 file, -119/+122)
  Reviewed-by: Emilia Kasper <emilia@openssl.org>
* Remove OPENSSL_FIPSCANISTER code. (Dr. Stephen Henson, 2014-12-08; 1 file, -4/+0)
  OPENSSL_FIPSCANISTER is only set if the fips module is being built (as opposed to being used). Since the fips module won't be built in master this is redundant.

  Reviewed-by: Tim Hudson <tjh@openssl.org>
* RT2163: Remove some unneeded #include's (Doug Goldstein, 2014-08-18; 1 file, -1/+0)
  Several files #include stdio.h and don't need it. Also, per tjh, remove BN_COUNT

  Reviewed-by: Emilia Kasper <emilia@openssl.org>
* Experimental symbol renaming to avoid clashes with regular OpenSSL. (Dr. Stephen Henson, 2011-02-16; 1 file, -1/+6)
  Make sure crypto.h is included first in any affected files.
* Bring C bn_mul_mont template closer to assembler. (Andy Polyakov, 2008-12-16; 1 file, -2/+24)
* Revert commit #17603, it should have been part of #17617. (Andy Polyakov, 2008-11-12; 1 file, -4/+4)
* Revert the size_t modifications from HEAD that had led to more (Geoff Thorpe, 2008-11-12; 1 file, -5/+5)
  knock-on work than expected - they've been extracted into a patch series that can be completed elsewhere, or in a different branch, before merging back to HEAD.
* PR: 1777 (Dr. Stephen Henson, 2008-11-05; 1 file, -4/+4)
  Submitted by: "Alon Bar-Lev" <alon.barlev@gmail.com>
  Approved by: steve@openssl.org

  Fix some size_t issues.
* Fix prototypes. (Dr. Stephen Henson, 2008-11-02; 1 file, -5/+5)
* bn_asm.c update. (Andy Polyakov, 2005-10-22; 1 file, -4/+10)
* Change bn_mul_mont declaration and BN_MONT_CTX. Update CHANGES. (Andy Polyakov, 2005-10-22; 1 file, -3/+5)
* Fix bug in SMALL_FOOTPRINT path and clarify comment. (Andy Polyakov, 2005-10-14; 1 file, -4/+8)
* Leave the decision to call/implement bn_sqr_mont to assembler developer. (Andy Polyakov, 2005-10-06; 1 file, -19/+26)
* Reserve for SMALL_FOOTPRINT bn_asm.c. Currently OPENSSL_SMALL_FOOTPRINT (Andy Polyakov, 2005-10-04; 1 file, -75/+82)
  is defined on Windows CE targets.
* Add reference implementation for bn_[mul|sqr]_mont, new candidates for (Andy Polyakov, 2005-10-04; 1 file, -2/+124)
  assembler implementation.
* 3-4 times better RSA/DSA performance on WIN64A target. Well, on AMD64 CPU, (Andy Polyakov, 2005-08-04; 1 file, -0/+28)
  EM64T will hardly exhibit better performance...
* fix assertion (Nils Larsch, 2005-05-31; 1 file, -1/+1)
* Make the definition of bn_add_words() match the definition. (Richard Levitte, 2000-11-18; 1 file, -1/+1)
* More constification of the BN library. (Richard Levitte, 2000-11-16; 1 file, -10/+10)
* Avoid abort() throughout the library, except when preprocessor (Bodo Möller, 2000-09-04; 1 file, -8/+3)
  symbols for debugging are defined.
* Typo. (Ben Laurie, 2000-02-27; 1 file, -1/+1)
* Reorganize bn_mul.c (no bugfix yet), remove obsolete files in BN library. (Ulf Möller, 2000-02-26; 1 file, -18/+29)
* Support for "multiply high" instruction, see BN_UMULT_HIGH comment in (Andy Polyakov, 2000-02-02; 1 file, -37/+61)
  crypto/bn/bn_lcl.h for further details. It should be noted that for the moment of this writing the code was tested only on Alpha. If compiled with DEC C the C implementation exhibits 12% performance improvement over the crypto/bn/asm/alpha.s (on EV56 box running AlphaLinux). GNU C is (unfortunately) 8% behind the assembler implementation. But it's OpenVMS Alpha users who *may* benefit most as 'apps/openssl speed rsa' exhibits 6 (six) times performance improvement over the original VMS bignum implementation. Where "*may*" means "as soon as code is enabled through #define SIXTY_FOUR_BIT and crypto/bn/asm/vms.mar is skipped."
* Bignum division tune-up. Idea is to move multiplications in front of (Andy Polyakov, 1999-07-30; 1 file, -4/+6)
  loop body and replace 'em with addition/subtraction.
* Get rid of redundant multiplications in bn_div_words. (Andy Polyakov, 1999-07-21; 1 file, -5/+5)
* Circumvent egcs bug. (Bodo Möller, 1999-05-26; 1 file, -1/+2)
  Submitted by: Andy Polyakov <appro@fy.chalmers.se>
* Change functions to ANSI C. (Ulf Möller, 1999-04-19; 1 file, -51/+19)
* Fixes to BN code. Previously the default was to define BN_RECURSION (Mark J. Cox, 1999-01-28; 1 file, -1/+3)
  but the BN code had some problems that would cause failures when doing certificate verification and some other functions.

  Submitted by: Eric A Young from a C2Net version of SSLeay
  Reviewed by: Mark J Cox
  PR:
* Import of old SSLeay release: SSLeay 0.9.1b (unreleased) (Ralf S. Engelschall, 1998-12-21; 1 file, -0/+829)