Adam Langley
a90b1e32d2
Add volatile qualifications to two blocks of inline asm to stop GCC from
eliminating them as dead code.
Both volatile and "memory" are used because of some concern that the compiler
may still cache values across the asm block without it, and because this was
such a painful debugging session that I wanted to ensure that it's never
repeated.
(cherry picked from commit 7753a3a684)
Conflicts:
crypto/bn/asm/x86_64-gcc.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-08-19 17:09:27 +02:00
Matt Caswell
72370164c3
Fixed valgrind complaint due to BN_consttime_swap reading uninitialised data.
This is actually ok for this function, but initialised to zero anyway if
PURIFY defined.
This does have the impact of masking any *real* uninitialised data reads in bn though.
Patch based on approach suggested by Rich Salz.
PR#3415
(cherry picked from commit 77747e2d9a5573b1dbc15e247ce18c03374c760c)
2014-07-13 22:23:10 +01:00
Andy Polyakov
e432336433
bn_exp.c: fix x86_64-specific crash with one-word modulus.
PR: #3397
(cherry picked from commit eca441b2b4)
2014-07-02 21:21:02 +02:00
Huzaifa Sidhpurwala
fef58ce79e
Make sure BN_sqr can never return a negative value.
PR#3410
(cherry picked from commit e14e764c0d5d469da63d0819c6ffc0e1e9e7f0bb)
2014-06-26 23:50:36 +01:00
Geoff Thorpe
d8afda60a9
bignum: allow concurrent BN_MONT_CTX_set_locked()
The lazy-initialisation of BN_MONT_CTX was serialising all threads, as
noted by Daniel Sands and co at Sandia. This was to handle the case that
2 or more threads race to lazy-init the same context, but stunted all
scalability in the case where 2 or more threads are doing unrelated
things! We favour the latter case by punishing the former. The init work
gets done by each thread that finds the context to be uninitialised, and
we then lock the "set" logic after that work is done - the winning
thread's work gets used, the losing threads throw away what they've done.
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
2014-05-06 18:10:21 -04:00
Dr. Stephen Henson
4b7a4ba29c
Fix for CVE-2014-0076
Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140
Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix.
(cherry picked from commit 2198be3483)
Conflicts:
CHANGES
2014-03-12 14:19:54 +00:00
Dr. Stephen Henson
c776a3f398
make update
2014-01-06 13:33:27 +00:00
Dr. Stephen Henson
60df657b3a
make update
2013-12-08 13:23:14 +00:00
Andy Polyakov
accb3007ac
bn/asm/x86_64-mont5.pl: comply with Win64 ABI.
PR: 3189
Submitted by: Oscar Ciurana
(cherry picked from commit c5d5f5bd0f)
2013-12-04 00:03:46 +01:00
Andy Polyakov
7ed244a0b3
Make Makefiles OSF-make-friendly.
PR: 3165
(cherry picked from commit d1cf23ac86)
2013-11-12 22:01:20 +01:00
Andy Polyakov
68dd8512b7
MIPS assembly pack: get rid of deprecated instructions.
Latest MIPS ISA specification declared 'branch likely' instructions
obsolete. To make code future-proof replace them with equivalent.
(cherry picked from commit 0c2adb0a9b)
2013-10-13 13:19:12 +02:00
Andy Polyakov
cd2693862b
PA-RISC assembler pack: switch to bve in 64-bit builds.
PR: 3074
(cherry picked from commit 02450ec69d)
2013-06-30 23:15:53 +02:00
Andy Polyakov
bca0d7fdb5
x86_64-gf2m.pl: fix typo.
(cherry picked from commit 342dbbbe4e)
2013-03-01 22:38:11 +01:00
Andy Polyakov
bc4ae2cb0b
x86_64-gf2m.pl: add missing Windows build fix for #2963.
PR: 3004
(cherry picked from commit 7c43601d44)
2013-03-01 21:58:08 +01:00
Andy Polyakov
ef4b9f001a
bn_nist.c: cumulative update from master.
PR: 2981, 2837
2013-02-16 11:40:35 +01:00
Andy Polyakov
b2226c6c83
bn_word.c: fix overflow bug in BN_add_word.
(cherry picked from commit 134c00659a)
2013-02-02 22:39:00 +01:00
Andy Polyakov
024de2174b
x86_64 assembly pack: keep making Windows build more robust.
PR: 2963 and a number of others
(cherry picked from commit 4568182a8b)
2013-02-02 22:26:20 +01:00
Andy Polyakov
b286a96811
x86_64 assembly pack: make Windows build more robust [from master].
PR: 2963 and a number of others
2013-01-22 22:54:04 +01:00
Andy Polyakov
2a2df2e9f2
bn/asm/mips.pl: hardwire local call to bn_div_words.
2013-01-22 21:16:51 +01:00
Andy Polyakov
554cf97f03
bn_lcl.h: gcc removed support for "h" constraint, which broke inline
assembler [from HEAD].
2012-09-01 13:23:05 +00:00
Andy Polyakov
e1e882a368
x86_64 assembly pack: make it possible to compile with Perl located
on path with spaces [from HEAD].
PR: 2835
2012-06-27 12:58:03 +00:00
Ben Laurie
af454b5bb0
Reduce version skew.
2012-06-08 09:18:47 +00:00
Andy Polyakov
0a5575f3f6
bn/bn_gf2m.c: make new BN_GF2m_mod_inv work with BN_DEBUG_RAND [from HEAD].
2012-03-30 17:40:52 +00:00
Andy Polyakov
d06f047b04
bn_nist.c: make new optimized code dependent on BN_LLONG [from HEAD].
2012-02-02 07:46:19 +00:00
Dr. Stephen Henson
7b23c126e6
undef some symbols that cause problems with make depend for fips builds
2012-01-18 01:40:36 +00:00
Andy Polyakov
7b467c6b81
modexp512-x86_64.pl: Solaris portability fix [from HEAD].
PR: 2656
2011-12-12 15:12:09 +00:00
Andy Polyakov
8ee0591f28
x86-mont.pl: fix bug in integer-only squaring path.
PR: 2648
2011-12-09 14:26:28 +00:00
Ben Laurie
825e1a7c56
Fix warnings.
2011-12-02 14:39:41 +00:00
Andy Polyakov
62f685a9cd
bn/asm/mips.pl: fix typos [from HEAD].
2011-12-01 12:17:20 +00:00
Andy Polyakov
2357ae17e7
x86 assembler pack update from HEAD.
2011-11-14 21:06:50 +00:00
Andy Polyakov
9f1c5491d2
BN update from HEAD.
2011-11-14 21:05:42 +00:00
Andy Polyakov
70b52222f5
x86_64 assembler pack update from HEAD.
2011-11-14 21:01:21 +00:00
Andy Polyakov
88cb59727c
ARM assembler pack update from HEAD.
2011-11-14 20:58:01 +00:00
Andy Polyakov
b66723b23e
MIPS assembler pack update from HEAD.
2011-11-14 20:55:24 +00:00
Andy Polyakov
cf96d71c22
PPC assembler pack update from HEAD.
2011-11-14 20:54:17 +00:00
Andy Polyakov
1a111921da
PA-RISC assembler pack update from HEAD.
2011-11-14 20:50:15 +00:00
Andy Polyakov
9833757b5d
s390x assembler pack update from HEAD.
2011-11-14 20:47:22 +00:00
Andy Polyakov
4195343c0d
IA64 assembler pack update from HEAD.
2011-11-14 20:45:57 +00:00
Andy Polyakov
4afba1f3d9
Makefiles updates to accommodate assembler update from HEAD.
2011-11-14 20:42:22 +00:00
Andy Polyakov
02597f2885
ppc.pl: fix bug in bn_mul_comba4 [from HEAD].
PR: 2636
Submitted by: Charles Bryant
2011-11-05 10:16:30 +00:00
Bodo Möller
2d95ceedc5
BN_BLINDING multi-threading fix.
Submitted by: Emilia Kasper (Google)
2011-10-19 14:58:59 +00:00
Andy Polyakov
2bfb23f102
modexp512-x86_64.pl: make it work with ml64 [from HEAD].
2011-08-19 06:31:27 +00:00
Andy Polyakov
8ff5c8874f
Alpha assembler fixed from HEAD.
PR: 2577
2011-08-12 12:31:08 +00:00
Andy Polyakov
1190d3f442
Add RSAX builtin engine [from HEAD].
2011-07-20 21:51:33 +00:00
Dr. Stephen Henson
dcbe723bc5
PR: 2540
Submitted by: emmanuel.azencot@bull.net
Reviewed by: steve
Prevent infinite loop in BN_GF2m_mod_inv().
2011-06-22 15:23:40 +00:00
Dr. Stephen Henson
f610a516a0
Backport from HEAD:
New option to disable characteristic two fields in EC code.
Make no-ec2m work on Win32 build.
2011-06-06 11:49:36 +00:00
Richard Levitte
9f427a52cb
make update (1.0.1-stable)
This meant a slight renumbering in util/libeay.num due to symbols
appearing in 1.0.0-stable. However, since there's been no release on
this branch yet, it should be harmless.
2011-03-23 00:06:04 +00:00
Richard Levitte
01d2e27a2b
Apply all the changes submitted by Steven M. Schweda <sms@antinode.info>
2011-03-19 09:47:47 +00:00
Andy Polyakov
2bbd82cf24
s390x-mont.pl: optimize for z196.
2011-03-04 13:13:04 +00:00
Dr. Stephen Henson
d5654d2b20
Move BN_options function to bn_print.c to remove dependency for BIO printf
routines from bn_lib.c
2011-01-25 17:10:42 +00:00
Dr. Stephen Henson
8ed8454115
add X9.31 prime generation routines from 0.9.8 branch
2011-01-09 13:22:47 +00:00
Andy Polyakov
7665b436f0
s390x.S: fix typo in bn_mul_words [from HEAD].
PR: 2380
2010-11-22 21:57:29 +00:00
Dr. Stephen Henson
7770da4b41
PR: 2295
Submitted by: Alexei Khlebnikov <alexei.khlebnikov@opera.com>
Reviewed by: steve
OOM checking. Leak in OOM fix. Fall-through comment. Duplicate code
elimination.
2010-10-11 23:25:23 +00:00
Andy Polyakov
9e15cc606e
Alpha assembler pack: adapt for Linux [from HEAD].
PR: 2335
2010-09-13 20:32:53 +00:00
Andy Polyakov
9447da5065
crypto/bn/asm/s390x.S: drop redundant instructions [from HEAD].
2010-09-10 14:55:34 +00:00
Dr. Stephen Henson
e97359435e
Fix warnings (From HEAD, original patch by Ben).
2010-06-15 17:25:15 +00:00
Andy Polyakov
b620447dcc
alpha-mont.pl: comply with stack alignment requirement [from HEAD].
2010-04-10 13:33:46 +00:00
Andy Polyakov
1244d5b713
ARMv4 assembler: [unconfirmed] fix for compilation failure [from HEAD].
2010-03-29 09:59:58 +00:00
Ben Laurie
bcd9d12a8d
Fix warning.
2010-02-28 13:38:16 +00:00
Bodo Möller
7fe747d1eb
Always check bn_wexpand() return values for failure (CVE-2009-3245).
(The CHANGES entry covers the change from PR #2111 as well, submitted by
Martin Olsson.)
Submitted by: Neel Mehta
2010-02-23 10:36:30 +00:00
Dr. Stephen Henson
7b1856e5a1
PR: 2111
Submitted by: Martin Olsson <molsson@opera.com>
Check for bn_wexpand errors in bn_mul.c
2009-12-02 15:28:05 +00:00
Dr. Stephen Henson
50d70c01d6
PR: 2062
Submitted by: Julia Lawall <julia@diku.dk>
Approved by: steve@openssl.org
Correct BN_rand error handling in bntest.c
2009-10-01 00:21:55 +00:00
Dr. Stephen Henson
27713e3fc2
Check t too.
2009-06-17 11:47:54 +00:00
Dr. Stephen Henson
8280b43a62
Update from HEAD.
2009-06-17 11:26:09 +00:00
Ben Laurie
7de819237d
Two digits is not wide enough.
2009-06-14 10:23:29 +00:00
Dr. Stephen Henson
477fd4596f
PR: 1835
Submitted by: Damien Miller <djm@mindrot.org>
Approved by: steve@openssl.org
Fix various typos.
2009-02-14 21:49:38 +00:00
Andy Polyakov
0f529cbdc3
s390x-mont.pl: optimize prologue.
2009-02-10 08:46:48 +00:00
Andy Polyakov
8626230a02
s390x assembler pack update.
2009-02-09 15:42:04 +00:00
Dr. Stephen Henson
41b7619596
Fix missing prototype warnings then fix different prototype warnings ;-)
2009-01-11 16:17:26 +00:00
Andy Polyakov
a68c7b9171
bn_lib.c: [re-]fix Win64 compiler warning.
2008-12-29 12:44:33 +00:00
Andy Polyakov
5cabcf96e7
Fix "possible loss of data" Win64 compiler warnings.
2008-12-29 12:35:49 +00:00
Andy Polyakov
be01f79d3d
x86_64 assembler pack: add support for Win64 SEH.
2008-12-19 11:17:29 +00:00
Andy Polyakov
3ebbe8853f
Bring C bn_mul_mont template closer to assembler.
2008-12-16 07:28:38 +00:00
Andy Polyakov
93c4ba07d7
x86_64-xlate.pl update, engage x86_64 assembler in mingw64.
2008-11-14 16:40:37 +00:00
Andy Polyakov
1416aec60d
Update make rules for x86_64 assembler pack.
2008-11-12 08:19:04 +00:00
Andy Polyakov
aa8f38e49b
x86_64 assembler pack to comply with updated styling x86_64-xlate.pl rules.
2008-11-12 08:15:52 +00:00
Andy Polyakov
2fbc8a2aad
Revert commit #17603, it should have been part of #17617.
2008-11-12 07:27:36 +00:00
Geoff Thorpe
6343829a39
Revert the size_t modifications from HEAD that had led to more
knock-on work than expected - they've been extracted into a patch
series that can be completed elsewhere, or in a different branch,
before merging back to HEAD.
2008-11-12 03:58:08 +00:00
Bodo Möller
0a8c9f7de1
symbol deobnoxification
2008-11-11 07:08:59 +00:00
Dr. Stephen Henson
0afc9f5bc0
PR: 1777
Submitted by: "Alon Bar-Lev" <alon.barlev@gmail.com>
Approved by: steve@openssl.org
Fix some size_t issues.
2008-11-05 23:14:32 +00:00
Dr. Stephen Henson
e6e0c9018c
Fix prototypes.
2008-11-02 18:12:36 +00:00
Dr. Stephen Henson
9619b730b4
Use stddef.h to pick up size_t def.
2008-11-02 16:56:13 +00:00
Dr. Stephen Henson
c76fd290be
Fix warnings about mismatched prototypes, undefined size_t and value computed
not used.
2008-11-02 12:50:48 +00:00
Ben Laurie
4d6e1e4f29
size_tification.
2008-11-01 14:37:00 +00:00
Andy Polyakov
122396f2db
Fix SHA512 and optimize BN for mingw64.
2008-11-01 12:46:18 +00:00
Andy Polyakov
f1455b3063
Minor clean-up in bn_lib.c: constification and optimization.
2008-10-28 13:52:51 +00:00
Andy Polyakov
b764f82c64
Fix crash in BN_rshift.
PR: 1663
2008-10-28 13:46:14 +00:00
Geoff Thorpe
ae7ec4c71d
Apparently '__top' is also risky, obfuscate further. (All this to
avoid inlines...)
2008-10-22 12:00:15 +00:00
Geoff Thorpe
3fdc6c11aa
Use of a 'top' var creates "shadow variable" warnings.
2008-10-22 01:25:45 +00:00
Ben Laurie
0d6f9c7181
Constification.
2008-10-19 22:51:27 +00:00
Andy Polyakov
aff8259510
Fix argument order in BN_nnmod call and implement rigorous boundary
condition check.
2008-10-16 07:54:41 +00:00
Andy Polyakov
256b3e9c5f
Optimize bn_correct_top.
2008-10-15 10:48:52 +00:00
Andy Polyakov
762a2e3cab
Remove redundant BN_ucmp, fix boundary condition in BN_nist_mod_224 and
reimplement BN_nist_mod_521.
2008-10-15 10:47:48 +00:00
Geoff Thorpe
fa0f834c20
Fix build warnings.
2008-09-15 04:02:37 +00:00
Bodo Möller
f8d6be3f81
Some precautions to avoid potential security-relevant problems.
2008-09-14 13:42:34 +00:00
Andy Polyakov
492279f6f3
AIX build updates.
2008-09-12 14:45:54 +00:00
Geoff Thorpe
4c3296960d
Remove the dual-callback scheme for numeric and pointer thread IDs,
deprecate the original (numeric-only) scheme, and replace with the
CRYPTO_THREADID object. This hides the platform-specifics and should reduce
the possibility for programming errors (where failing to explicitly check
both thread ID forms could create subtle, platform-specific bugs).
Thanks to Bodo, for invaluable review and feedback.
2008-08-06 15:54:15 +00:00
Geoff Thorpe
5f834ab123
Revert my earlier CRYPTO_THREADID commit, I will commit a reworked
version some time soon.
2008-07-03 19:59:25 +00:00
Bodo Möller
8228fd89fc
avoid potential infinite loop in final reduction round of BN_GF2m_mod_arr()
Submitted by: Huang Ying
Reviewed by: Douglas Stebila
2008-06-23 20:46:24 +00:00
Bodo Möller
fabe640f5e
Clarifying comment.
2008-05-02 18:47:48 +00:00