Hide symbols in rsa

ok tb@

The NBs have been duly noted and ignored. Drop them.

Move RSA_generate_key() from rsa_depr.c to rsa_gen.c

Discussed with jsing

Convert BN_copy() with missing error checks to bn_copy()

ok jsing

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_l

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

show more ...

Fix check for BN_mod_inverse_ct return value

ok jsing@ millert@ tb@

Prepare to make RSA and RSA_METHOD opaque by including rsa_locl.h
where it will be needed in the upcoming bump.

discussed with jsing

Consistently call BN_init() before BN_with_flags()

BN_with_flags() preserves the BN_FLG_MALLOCED flag of the destination
which results in a potential use of an uninitialized bit. In practice
this do

Consistently call BN_init() before BN_with_flags()

BN_with_flags() preserves the BN_FLG_MALLOCED flag of the destination
which results in a potential use of an uninitialized bit. In practice
this doesn't matter since we don't free the cloned BIGNUMs anyway.

As jsing points out, these are mostly pointless noise and should be
garbage collected. I'll leave that for another rainy day.

Coverity flagged one instance BN_gcd_no_branch(), the rest was found by
the ever so helpful grep(1).

CID 345122

ok jsing

show more ...

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

Construct a BN_gcd_nonct, based on BN_mod_inverse_no_branch, as suggested
by Alejandro Cabrera <aldaya@gmail.com> to avoid the possibility of a
sidechannel timing attack during RSA private key genera

Construct a BN_gcd_nonct, based on BN_mod_inverse_no_branch, as suggested
by Alejandro Cabrera <aldaya@gmail.com> to avoid the possibility of a
sidechannel timing attack during RSA private key generation.

Modify BN_gcd to become not visible under LIBRESSL_INTERNAL and force
the use of the _ct or _nonct versions of the function only within
the library.

ok jsing@

show more ...

Add ct and nonct versions of BN_mod_inverse for internal use
ok jsing@

Split out BN_div and BN_mod into ct and nonct versions for Internal use.
ok jsing@

Remove flags for disabling constant-time operations.

This removes support for DSA_FLAG_NO_EXP_CONSTTIME, DH_FLAG_NO_EXP_CONSTTIME,
and RSA_FLAG_NO_CONSTTIME flags, making all of these operations unc

Remove flags for disabling constant-time operations.

This removes support for DSA_FLAG_NO_EXP_CONSTTIME, DH_FLAG_NO_EXP_CONSTTIME,
and RSA_FLAG_NO_CONSTTIME flags, making all of these operations unconditionally
constant-time.

Based on the original patch by César Pereid. ok beck@

show more ...

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

show more ...

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need t

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

show more ...

More KNF.

KNF

tags as requested by miod and tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok beck deraadt

resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

resolve conflicts

resolve conflicts

resolve conflicts