Always end BN_mod_exp_mont_consttime with normal Montgomery reduction.

This partially fixes a bug where, on x86_64, BN_mod_exp_mont_consttime
would sometimes return m, the modulus, when

Always end BN_mod_exp_mont_consttime with normal Montgomery reduction.

This partially fixes a bug where, on x86_64, BN_mod_exp_mont_consttime
would sometimes return m, the modulus, when it should have returned
zero. Thanks to Guido Vranken for reporting it. It is only a partial fix
because the same bug also exists in the "rsaz" codepath.

The bug only affects zero outputs (with non-zero inputs), so we believe
it has no security impact on our cryptographic functions.

The fx is to delete lowercase bn_from_montgomery altogether, and have the
mont5 path use the same BN_from_montgomery ending as the non-mont5 path.
This only impacts the final step of the whole exponentiation and has no
measurable perf impact.

See the original BoringSSL commit
https://boringssl.googlesource.com/boringssl/+/13c9d5c69d04485a7a8840c12185c832026c8315
for further analysis.

Original-author: David Benjamin <davidben@google.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18510)

show more ...

Update copyright year

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes

Fix Coverity 1201763 uninitialised pointer read

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openss

Fix Coverity 1201763 uninitialised pointer read

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17890)

show more ...

Dual 1536/2048-bit exponentiation optimization for Intel IceLake CPU

It uses AVX512_IFMA + AVX512_VL (with 256-bit wide registers) ISA to
keep lower power license.

Reviewed-by:

Dual 1536/2048-bit exponentiation optimization for Intel IceLake CPU

It uses AVX512_IFMA + AVX512_VL (with 256-bit wide registers) ISA to
keep lower power license.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14908)

show more ...

Split bignum code out of the sparcv9cap.c

Fixes #15978

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16019)

Rework and make DEBUG macros consistent.

Remove unused -DCONF_DEBUG and -DBN_CTX_DEBUG.

Rename REF_PRINT to REF_DEBUG for consistency, and add a new
tracing category and use it

Rework and make DEBUG macros consistent.

Remove unused -DCONF_DEBUG and -DBN_CTX_DEBUG.

Rename REF_PRINT to REF_DEBUG for consistency, and add a new
tracing category and use it for printing reference counts.

Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG

Fix BN_DEBUG_RAND so it compiles and, when set, force DEBUG_RAND to
be set also.

Rename engine_debug_ref to be ENGINE_REF_PRINT also for consistency.

Fixes #15357

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15353)

show more ...

rsa: rename global rsaz_ sumbols so they are in namespace

The symbols renamed are:

RSAZ_amm52x20_x1_256
RSAZ_amm52x20_x2_256
rsaz_avx512ifma_eligible
RSAZ_mod_exp_avx512

rsa: rename global rsaz_ sumbols so they are in namespace

The symbols renamed are:

RSAZ_amm52x20_x1_256
RSAZ_amm52x20_x2_256
rsaz_avx512ifma_eligible
RSAZ_mod_exp_avx512_x2

Additionally, RSAZ_exp52x20_x2_256 was made static

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15445)

show more ...

Update copyright year

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14801)

Dual 1024-bit exponentiation optimization for Intel IceLake CPU
with AVX512_IFMA + AVX512_VL instructions, primarily for RSA CRT private key
operations. It uses 256-bit registers to avoid CPU

Dual 1024-bit exponentiation optimization for Intel IceLake CPU
with AVX512_IFMA + AVX512_VL instructions, primarily for RSA CRT private key
operations. It uses 256-bit registers to avoid CPU frequency scaling issues.
The performance speedup for RSA2k signature on ICL is ~2x.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13750)

show more ...

remove unused assignments

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13577)

Update copyright year

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13533)

Convert all {NAME}err() in crypto/ to their corresponding ERR_raise() call

This includes error reporting for libcrypto sub-libraries in surprising
places.

This was done using ut

Convert all {NAME}err() in crypto/ to their corresponding ERR_raise() call

This includes error reporting for libcrypto sub-libraries in surprising
places.

This was done using util/err-to-raise

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13318)

show more ...

Reorganize local header files

Apart from public and internal header files, there is a third type called
local header files, which are located next to source files in the source
direc

Reorganize local header files

Apart from public and internal header files, there is a third type called
local header files, which are located next to source files in the source
directory. Currently, they have different suffixes like

'*_lcl.h', '*_local.h', or '*_int.h'

This commit changes the different suffixes to '*_local.h' uniformly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9333)

show more ...

Reduce inputs before the RSAZ code.

The RSAZ code requires the input be fully-reduced. To be consistent with the
other codepaths, move the BN_nnmod logic before the RSAZ check.

Reduce inputs before the RSAZ code.

The RSAZ code requires the input be fully-reduced. To be consistent with the
other codepaths, move the BN_nnmod logic before the RSAZ check.

This fixes an oft-reported fuzzer bug.
https://github.com/google/oss-fuzz/issues/1761

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7187)

show more ...

Following the license change, modify the boilerplates in crypto/bn/

[skip ci]

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7

Following the license change, modify the boilerplates in crypto/bn/

[skip ci]

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7777)

show more ...

Fix MSVC warning C4819

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/open

Fix MSVC warning C4819

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7444)

show more ...

Remove zero special-case in BN_mod_exp_mont.

A number intended to treat the base as secret should not be branching on
whether it is zero. Test-wise, this is covered by existing tests in

Remove zero special-case in BN_mod_exp_mont.

A number intended to treat the base as secret should not be branching on
whether it is zero. Test-wise, this is covered by existing tests in bnmod.txt.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6733)

show more ...

bn/bn_{mont|exp}.c: switch to zero-padded intermediate vectors.

Note that exported functions maintain original behaviour, so that
external callers won't observe difference. While interna

bn/bn_{mont|exp}.c: switch to zero-padded intermediate vectors.

Note that exported functions maintain original behaviour, so that
external callers won't observe difference. While internally we can
now perform Montogomery multiplication on fixed-length vectors, fixed
at modulus size. The new functions, bn_to_mont_fixed_top and
bn_mul_mont_fixed_top, are declared in bn_int.h, because one can use
them even outside bn, e.g. in RSA, DSA, ECDSA...

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6662)

show more ...

bn/bn_exp.c: harmonize all code paths with last commit.

848113a30b431c2fe21ae8de2a366b9b6146fb92 added mitigation for a
side-channel attack. This commit extends approach to all code

bn/bn_exp.c: harmonize all code paths with last commit.

848113a30b431c2fe21ae8de2a366b9b6146fb92 added mitigation for a
side-channel attack. This commit extends approach to all code
paths for consistency.

[It also removes redundant white spaces introduced in last commit.]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6480)

show more ...

bn/bn_exp.c: mitigation of the One-and-Done side-channel attack.

The One&Done attack, which is described in a paper to appear in the
USENIX Security'18 conference, uses EM emanations to

bn/bn_exp.c: mitigation of the One-and-Done side-channel attack.

The One&Done attack, which is described in a paper to appear in the
USENIX Security'18 conference, uses EM emanations to recover the values
of the bits that are obtained using BN_is_bit_set while constructing
the value of the window in BN_mod_exp_consttime. The EM signal changes
slightly depending on the value of the bit, and since the lookup of a
bit is surrounded by highly regular execution (constant-time Montgomery
multiplications) the attack is able to isolate the (very brief) part of
the signal that changes depending on the bit. Although the change is
slight, the attack recovers it successfully >90% of the time on several
phones and IoT devices (all with ARM processors with clock rates around
1GHz), so after only one RSA decryption more than 90% of the bits in
d_p and d_q are recovered correctly, which enables rapid recovery of
the full RSA key using an algorithm (also described in the paper) that
modifies the branch-and-prune approach for a situation in which the
exponents' bits are recovered with errors, i.e. where we do not know
a priori which bits are correctly recovered.

The mitigation for the attack is relatively simple - all the bits of
the window are obtained at once, along with other bits so that an
entire integer's worth of bits are obtained together using masking and
shifts, without unnecessarily considering each bit in isolation. This
improves performance somewhat (one call to bn_get_bits is faster than
several calls to BN_is_bit_set), so the attacker now gets one signal
snippet per window (rather than one per bit) in which the signal is
affected by all bits in the integer (rather than just the one bit).

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6276)

show more ...

The result of a ^ 0 mod -1 is 0 not 1

Thanks to Guido Vranken and OSSFuzz for finding this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/open

The result of a ^ 0 mod -1 is 0 not 1

Thanks to Guido Vranken and OSSFuzz for finding this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6355)

show more ...

Update copyright year

Reviewed-by: Richard Levitte <levitte@openssl.org>

Don't leak the exponent bit width in BN_mod_exp_mont_consttime.

The exponent here is one of d, dmp1, or dmq1 for RSA. This value and its
bit length are both secret. The only public upper

Don't leak the exponent bit width in BN_mod_exp_mont_consttime.

The exponent here is one of d, dmp1, or dmq1 for RSA. This value and its
bit length are both secret. The only public upper bound is the bit width
of the corresponding modulus (RSA n, p, and q, respectively).

Although BN_num_bits is constant-time (sort of; see bn_correct_top notes
in preceding patch), this does not fix the root problem, which is that
the windows are based on the minimal bit width, not the upper bound. We
could use BN_num_bits(m), but BN_mod_exp_mont_consttime is public API
and may be called with larger exponents. Instead, use all top*BN_BITS2
bits in the BIGNUM. This is still sensitive to the long-standing
bn_correct_top leak, but we need to fix that regardless.

This may cause us to do a handful of extra multiplications for RSA keys
which are just above a whole number of words, but that is not a standard
RSA key size.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5154)

show more ...

bn/bn_exp.c: harmonize BN_mod_exp_mont_consttime with negative input.

All exponentiation subroutines but BN_mod_exp_mont_consttime produce
non-negative result for negative input, which i

bn/bn_exp.c: harmonize BN_mod_exp_mont_consttime with negative input.

All exponentiation subroutines but BN_mod_exp_mont_consttime produce
non-negative result for negative input, which is confusing for fuzzer.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4676)

show more ...

Remove parentheses of return.

Since return is inconsistent, I removed unnecessary parentheses and
unified them.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt

Remove parentheses of return.

Since return is inconsistent, I removed unnecessary parentheses and
unified them.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4541)

show more ...