| Age | Commit message (Collapse) | Author |
|---|
|
Previously, this function would leak the most significant word of its
argument due to branching and memory access pattern. This patch is
enough to fix the use of BN_num_bits() on RSA prime factors in the
library.
The diff is a simplified and more readable (but perhaps less efficient)
version of https://github.com/openssl/openssl/commit/972c87df
by Andy Polyakov and David Benjamin (pre license change). Consult that
commit message for details. Subsequent fixes to follow in the near future.
Issue pointed out by David Schrammel and Samuel Weiser as part of
a larger report.
tests & ok inoguchi, ok jsing
|
|
sizes used remain a positive integer. Should address issue
13799 from oss-fuzz
ok tb@ jsing@
|
|
From BoringSSL's commit 53409ee3d7595ed37da472bc73b010cd2c8a5ffd
by David Benjamin.
ok djm, jsing
|
|
ok jsing
|
|
from which a a BIGNUM is chosen uniformly at random.
ok beck jsing
|
|
Since bignums use ints for the same purpose, this still uses an int
internally after an overflow check.
Suggested by and discussed with jsing.
ok inoguchi, jsing
|
|
changes made in OpenSSL by Davide Galassi and others, so that one can
actually follow what is going on. There is no performance impact from
this change as the code still does essentially the same thing. There's
a ton of work still to be done to make the BN code less terrible.
ok jsing, kn
|
|
be set in condition. This makes the constant time bit-twiddling a bit
trickier, but it's not too bad. Thanks to halex for an extensive rubber
ducking session over a non-spicy spicy tabouleh falafel..
ok jsing, kn
|
|
Makes it a tad easier to read through and compare with BN_swap_ct().
OK tb
|
|
|
|
two bignums. It's saner and substantially less ugly than the existing
public BN_constantime_swap() function and will be used in forthcoming work
on constant time ECC code.
From Billy Brumley and his team. Thanks!
ok jsing
|
|
|
|
ok bcook@ tb@
|
|
|
|
|
|
reduces conditional logic (-218, +82).
MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH cache alignment calculation bn/bn_exp.c
wasn'tt quite right. Two other tricky bits with ASN1_STRING_FLAG_NDEF and
BN_FLG_STATIC_DATA where the condition cannot be collapsed completely.
Passes regress. ok beck
|
|
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@
|
|
by Alejandro Cabrera <aldaya@gmail.com> to avoid the possibility of a
sidechannel timing attack during RSA private key generation.
Modify BN_gcd to become not visible under LIBRESSL_INTERNAL and force
the use of the _ct or _nonct versions of the function only within
the library.
ok jsing@
|
|
ok guenther@
|
|
ok jsing@
|
|
ok jsing@
|
|
matter for constant time, and make the public interface only used
external to the library.
This moves us to a model where the important things are constant time
versions unless you ask for them not to be, rather than the opposite.
I'll continue with this method by method.
Add regress tests for same.
ok jsing@
|
|
with some style cleanup after. no binary change
ok jsing@
|
|
about it and it's ok to remove it. This only came up as our clang
is targeted at armv7 which enables the NEON instructions.
ok kettenis@
|
|
Move the "internal" BN functions from bn.h to bn_lcl.h and stop exporting
the bn_* symbols. These are documented as only being intended for internal
use, so why they were placed in a public header is beyond me...
This hides 363 previously exported symbols, most of which exist in headers
that are not installed and were never intended to be public. This also
removes a few crusty old things that should have died long ago (like
_ossl_old_des_read_pw). But don't worry... there are still 3451 symbols
exported from the library.
With input and testing from inoguchi@.
ok beck@ inoguchi@
|
|
ok miod@
|
|
return statement.
ok beck@ jsing@
|
|
meaningful constants in a private header file, so that reviewers can actually
get a chance to figure out what the code is attempting to do without knowing
all cpuid bits.
While there, turn it from an array of two 32-bit ints into a properly aligned
64-bit int.
Use of OPENSSL_ia32_P is now restricted to the assembler parts. C code will
now always use OPENSSL_cpu_caps() and check for the proper bits in the
whole 64-bit word it returns.
i386 tests and ok jsing@
|
|
|
|
fails to reduce the input in the expected space then fail out instead
of overflowing the allocated buffer.
combines openssl commits 28a89639da50b1caed4ff3015508f23173bf3e49 and
3612ff6fcec0e3d1f2a598135fe12177c0419582
ok doug@ beck@
|
|
ok deraadt@
|
|
ok deraadt@
|
|
|
|
from OpenSSL commit 7f98aa7403a1244cf17d1aa489f5bb0f39bae431
CVE-2016-0702
ok beck@
|
|
Patch based on OpenSSL commit d7a854c055ff22fb7da80c3b0e7cb08d248591d0
"Performance penalty varies from platform to platform, and even
key length. For rsa2048 sign it was observed to reach almost 10%."
CVE-2016-0702
ok beck@
|
|
Don't dereference d when top is zero.
Original patch from OpenSSL commit d46e946d2603c64df6e1e4f9db0c70baaf1c4c03
ok jsing@
|
|
Don't dereference d when top is zero.
Original patch from OpenSSL commit d46e946d2603c64df6e1e4f9db0c70baaf1c4c03
ok jsing@
|
|
Found with STACK, originally from OpenSSL, ok @beck
|
|
|
|
|
|
ok beck@
|
|
BN_mod_word() can return incorrect results if the supplied modulus is
too big, so we need to fall back to BN_div_word.
Now that BN_mod_word may fail, handle errors properly update the man page.
Thanks to Brian Smith for pointing out these fixes from BoringSSL:
https://boringssl.googlesource.com/boringssl/+/67cb49d045f04973ddba0f92fe8a8ad483c7da89
https://boringssl.googlesource.com/boringssl/+/44bedc348d9491e63c7ed1438db100a4b8a830be
ok beck@
|
|
Started by diff from Mical Mazurek.
|
|
Noticed by pascal-cuoq from Github:
https://github.com/libressl-portable/openbsd/issues/56
ok beck@
|
|
uses a macro with multiple-evaluations of arguments (different amount
than the previous version..), but doug/bcook's inline version makes
BIGNUM not opaque [problem spotted by naddy]
ok doug
|
|
|
|
Need to make sure i * 4 won't overflow. Based on OpenSSL:
commit 99ba9fd02fd481eb971023a3a0a251a37eb87e4c
input + ok bcook@
ok beck@
|
|
|
|
reported by Ruslan Babayev.
|
|
becoming negative in probable_prime_dh_safe(). Reported by Franck Denis who
noticed `openssl gendh 0' would segfault.
Fix adapted from OpenSSL RT#2701.
ok beck@ jsing@
|
