History log of /openbsd-src/lib/libcrypto/rsa/rsa_eay.c (Results 1 – 25 of 65)
Revision Date Author Comments
# 226d4252 09-Aug-2023 tb <tb@openbsd.org>

Rework BN_BLINDING to use pthread_t directly

Instead of CRYPTO_THREADID, which passes pthread_via through unsigned long,
we can use pthread_self() and pthread_equal() directly. This commit keeps
using the awkward 'local' nomenclature as that is used throughout the rsa
code. This will be changed after the blinding code will have been fully
merged into rsa_blinding.c.

ok jsing


# c5ac8393 09-Aug-2023 tb <tb@openbsd.org>

Merge remainder of rsa_crpt.c into rsa_eay.c

Most of these are one line wrappers around methods implemented in rsa_eay.c
by default.


# f0d91b48 02-Aug-2023 tb <tb@openbsd.org>

Drop the _ex from BN_BLINDING_{convert,invert}_ex()


# 1da36015 08-Jul-2023 beck <beck@openbsd.org>

Hide symbols in rsa

ok tb@


# 9c334146 07-Jul-2023 jsing <jsing@openbsd.org>

Rename RSA_eay_* to rsa_*.

Rename all of the RSA_eay_* functions to rsa_*, as well as changing the
method name (and naming). Reorder things slightly so that we can remove
all of the prototypes for static functions.

ok tb@


# 4349b8b3 05-May-2023 tb <tb@openbsd.org>

Add back support for RSA_X931_PADDING

This makes the custom stalt stack work again.

Tested by robert as part of a larger diff
ok jsing


# e0681702 15-Apr-2023 tb <tb@openbsd.org>

Stop supporting the long-retired X9.31 standard

This isolates the three API functions from the library so they can be
easily removed and any attempt to use RSA_X931_PADDING mode will now
result in an error.

ok jsing


# f1428539 05-Apr-2023 tb <tb@openbsd.org>

Add a few missing braces

ok jsing


# ab509611 05-Apr-2023 tb <tb@openbsd.org>

Set up the RSA's _method_mod_n before the initial blinding

As observed by Bernd Edlinger, the main part of the RSA timing leak that was
recently made public is that the initial blinding isn't done with Montgomery
exponentiation but rather with plain exponentiation.

Pull up the initialization of the cached Montgomery context to ensure we use
Montgomery exponentiation. Do this for private_{de,en}crypt(). Interestingly,
the latter was fixed in OpenSSL a while ago by Andy Polyakov as part of the
"smooth CRT-RSA" addition.

If this code was anything but completely insane this would never have been
an issue in the first place. But it's libcrypto...

ok jsing


# 71743258 26-Dec-2022 jmc <jmc@openbsd.org>

spelling fixes; from paul tagliamonte
i removed the arithmetics -> arithmetic changes, as i felt they
were not clearly correct

ok tb


# c9675a23 26-Nov-2022 tb <tb@openbsd.org>

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


# cadd873e 20-Jan-2022 inoguchi <inoguchi@openbsd.org>

Add check for BN_sub return value

CID 24839

ok jsing@ millert@ tb@


# 05cb8c9e 07-Jan-2022 tb <tb@openbsd.org>

Prepare to make RSA and RSA_METHOD opaque by including rsa_locl.h
where it will be needed in the upcoming bump.

discussed with jsing


# 93ee03aa 26-Dec-2021 tb <tb@openbsd.org>

Consistently call BN_init() before BN_with_flags()

BN_with_flags() preserves the BN_FLG_MALLOCED flag of the destination
which results in a potential use of an uninitialized bit. In practice
this doesn't matter since we don't free the cloned BIGNUMs anyway.

As jsing points out, these are mostly pointless noise and should be
garbage collected. I'll leave that for another rainy day.

Coverity flagged one instance BN_gcd_no_branch(), the rest was found by
the ever so helpful grep(1).

CID 345122

ok jsing


# c778c399 02-Nov-2019 jsing <jsing@openbsd.org>

Provide RSA_PKCS1_OpenSSL().

Prompted by inoguchi@


# e60f121c 28-Aug-2017 jsing <jsing@openbsd.org>

Remove RSA_padding_add_SSLv23()/RSA_padding_check_SSLv23() and related
code. We removed SSLv2/SSLv3 a long time ago...

Discussed with doug@


# 7de8a684 02-May-2017 deraadt <deraadt@openbsd.org>

use freezero() instead of memset/explicit_bzero + free. Substantially
reduces conditional logic (-218, +82).

MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH cache alignment calculation bn/bn_exp.c
wasn't quite right. Two other tricky bits with ASN1_STRING_FLAG_NDEF and
BN_FLG_STATIC_DATA where the condition cannot be collapsed completely.

Passes regress. ok beck


# 0a005823 28-Apr-2017 beck <beck@openbsd.org>

revert previous accidental commit


# 70d49ca5 28-Apr-2017 beck <beck@openbsd.org>

*** empty log message ***


# 5067ae9f 29-Jan-2017 beck <beck@openbsd.org>

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@


# 44adc1ea 21-Jan-2017 beck <beck@openbsd.org>

Split out BN_div and BN_mod into ct and nonct versions for Internal use.
ok jsing@


# 3a88f7af 21-Jan-2017 beck <beck@openbsd.org>

Make explicit _ct and _nonct versions of bn_mod_exp functions that
matter for constant time, and make the public interface only used
external to the library.

This moves us to a model where the important things are constant time
versions unless you ask for them not to be, rather than the opposite.
I'll continue with this method by method.

Add regress tests for same.
ok jsing@


# aa684f6c 09-Sep-2016 tb <tb@openbsd.org>

missing space after comma
(this was apparently lost during the repo surgery)

ok bcook


# 546813aa 07-Jul-2016 bcook <bcook@openbsd.org>

call BN_init on temporaries to avoid use-before-set warnings

ok beck@


# 1b2bbd6a 30-Jun-2016 bcook <bcook@openbsd.org>

Remove flags for disabling constant-time operations.

This removes support for DSA_FLAG_NO_EXP_CONSTTIME, DH_FLAG_NO_EXP_CONSTTIME,
and RSA_FLAG_NO_CONSTTIME flags, making all of these operations unconditionally
constant-time.

Based on the original patch by César Pereid. ok beck@

