| Age | Commit message (Collapse) | Author |
|---|
|
BN_is_prime_fasttest_ex begins by rejecting if a <= 1. Then it goes to
set A := abs(a), but a cannot be negative at this point.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3275)
(cherry picked from commit 8b24f94209676bbe9933affd2879a686b1ed044d)
|
|
Factorise multiple bn_get_top(group->field) calls
Add missing checks on some conditional BN_copy return value
Add missing checks on some BN_copy return value
Add missing checks on a few bn_wexpand return value
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1626)
(cherry picked from commit 78e09b53a40729f5e99829ccc733b592bd22fea1)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1429)
|
|
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1264)
|
|
As of 37258dadaa9e36db4b96a3aa54aa6c67136160cc and the corresponding upstream
change, BN_mod_word may fail, like BN_div_word. Handle this properly. Thanks to
Brian Smith for pointing this out. See BoringSSL's
44bedc348d9491e63c7ed1438db100a4b8a830be.
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1251
|
|
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1168)
|
|
Some misc return value checks
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
In BN_generate_prime_ex() we do some sanity checks first and return
with an error if they fail. We should do that *before* allocating any
resources to avoid a memory leak.
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
This fixes clang compilation problem with size_t NUMPRIMES and int
loop counters.
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
Also cleaned up bn_prime.pl to current coding style.
Reviewed-by: Andy Polyakov <appro@openssl.org>
|
|
This was done by the following
find . -name '*.[ch]' | /tmp/pl
where /tmp/pl is the following three-line script:
print unless $. == 1 && m@/\* .*\.[ch] \*/@;
close ARGV if eof; # Close file to reset $.
And then some hand-editing of other files.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
|
|
Use malloc/free instead of big onstack buffers.
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
There are header files in crypto/ that are used by a number of crypto/
submodules. Move those to crypto/include/internal and adapt the
affected source code and Makefiles.
The header files that got moved are:
crypto/cryptolib.h
crypto/md32_common.h
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
This gets BN_.*free:
BN_BLINDING_free BN_CTX_free BN_FLG_FREE BN_GENCB_free
BN_MONT_CTX_free BN_RECP_CTX_free BN_clear_free BN_free BUF_MEM_free
Also fix a call to DSA_SIG_free to ccgost engine and remove some #ifdef'd
dead code in engines/e_ubsec.
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
In the probable_prime() function we behave slightly different if the number
of bits we are interested in is <= BN_BITS2 (the num of bits in a BN_ULONG).
As part of the calculation we work out a size_limit as follows:
size_limit = (((BN_ULONG)1) << bits) - BN_get_word(rnd) - 1;
There is a problem though if bits == BN_BITS2. Shifting by that much causes
undefined behaviour. I did some tests. On my system BN_BITS2 == 64. So I
set bits to 64 and calculated the result of:
(((BN_ULONG)1) << bits)
I was expecting to get the result 0. I actually got 1! Strangely this...
(((BN_ULONG)0) << BN_BITS2)
...does equal 0! This means that, on my system at least, size_limit will be
off by 1 when bits == BN_BITS2.
This commit fixes the behaviour so that we always get consistent results.
Reviewed-by: Andy Polyakov <appro@openssl.org>
|
|
This should be a one off operation (subsequent invokation of the
script should not move them)
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
indent will not alter them when reformatting comments
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
|
|
|
|
|
|
|
|
|
|
Generates a number coprime to 2, 3, 5, 7, 11.
Speed:
Trial div (add) : trial div (retry) : coprime
1 : 0.42 : 0.84
|
|
~2% speed improvement on trial division.
|
|
or 5.
Possibly some reduction in bias, but no speed gains.
|
|
|
|
|
|
requested size. Fixes OpenSSL #2701.
This change does not address the cases of generating safe primes, or
where the |add| parameter is non-NULL.
Conflicts:
crypto/bn/bn.h
crypto/bn/bn_err.c
|
|
|
|
[Problem pointed out by Adam Young <adamy (at) acm.org>]
|
|
PR: 1266
|
|
locally initialising their own.
NB: I've removed the "BN_clear_free()" loops for the exit-paths in some of
these functions, and that may be a major part of the performance
improvements we're seeing. The "free" part can be removed because we're
using BN_CTX. The "clear" part OTOH can be removed because BN_CTX
destruction automatically performs this task, so performing it inside
functions that may be called repeatedly is wasteful. This is currently safe
within openssl due to the fact that BN_CTX objects are never created for
longer than a single high-level operation. However, that is only because
there's currently no mechanism in openssl for thread-local storage. Beyond
that, this might be an issue for applications using the bignum API directly
and caching their own BN_CTX objects. The solution is to introduce a flag
to BN_CTX_start() that allows its variables to be automatically sanitised
on release during BN_CTX_end(). This way any higher-level function (and
perhaps the application) can specify this flag in its own
BN_CTX_start()/BN_CTX_end() pair, and this will cause inner-loop functions
specifying the flag to be ignored so that sanitisation is handled only once
back out at the higher level. I will be implementing this in the near
future.
|
|
is itself experimental, and in addition may cause execution to break on
existing openssl "bugs" that previously were harmless or at least
invisible.
|
|
|
|
PR: 446
|
|
- a patch to fix a memory leak in rsa_gen.c
- a note about compiler warnings with unions
- a note about improving structure element names
This applies his patch and implements a solution to the notes.
|
|
key-generation and prime-checking functions. Rather than explicitly passing
callback functions and caller-defined context data for the callbacks, a new
structure BN_GENCB is defined that encapsulates this; a pointer to the
structure is passed to all such functions instead.
This wrapper structure allows the encapsulation of "old" and "new" style
callbacks - "new" callbacks return a boolean result on the understanding
that returning FALSE should terminate keygen/primality processing. The
BN_GENCB abstraction will allow future callback modifications without
needing to break binary compatibility nor change the API function
prototypes. The new API functions have been given names ending in "_ex" and
the old functions are implemented as wrappers to the new ones. The
OPENSSL_NO_DEPRECATED symbol has been introduced so that, if defined,
declaration of the older functions will be skipped. NB: Some
openssl-internal code will stick with the older callbacks for now, so
appropriate "#undef" logic will be put in place - this is in case the user
is *building* openssl (rather than *including* its headers) with this
symbol defined.
There is another change in the new _ex functions; the key-generation
functions do not return key structures but operate on structures passed by
the caller, the return value is a boolean. This will allow for a smoother
transition to having key-generation as "virtual function" in the various
***_METHOD tables.
|
|
|
|
|
|
(by using new BN_pseudo_rand_range function)
|
|
two functions that did expansion on in parameters (BN_mul() and
BN_sqr()). The problem was solved by making bn_dup_expand() which is
a mix of bn_expand2() and BN_dup().
|
|
temporary BIGNUMs. BN_CTX still uses a fixed number of BIGNUMs, but
the BN_CTX implementation could now easily be changed.
|
|
|
|
|
|
|
|
|
|
|
|
primes (negligible for larger ones).
|
