2698 Commits

Author SHA1 Message Date
Brian Smith
538a61b205 Remove irrelevant BIGNUM tests.
This is a step towards replacing bn_test.cc with Rust code for tests.
These scenarios are not relevant to *ring* as it deals with only
positive inputs to the tested functions.
2017-03-19 12:07:15 -10:00
Brian Smith
8b026c93f2 Replace C code for serializing Elems with Rust code. 2017-03-19 11:48:57 -10:00
Brian Smith
f7f1fb7773 Remove unused crypto/perlasm/x86masm.pl. 2017-03-18 15:31:16 -10:00
Brian Smith
d46aaf15bd Match output filename more precisely/carefully in sha512-{armv8, x86_64}.pl.
The output path is usually in a directory with a (hex) numerical name, and
it is very possible that that name may contain the substring "512". If so,
the old regex will do the wrong thing, generating the SHA-512 code twice
instead of generating one copy of the SHA-256 code and one copy of the
SHA-512 code. This has actually happened on Travis CI.
2017-03-18 15:31:16 -10:00
Brian Smith
dd659d2994 Improve Perlasm machinery for SHA-2 on X86-64 and ARMv8.
Rename sha-{x86_64, armv8}.pl back to sha512-{x86_64, armv8}.pl. This
will simplify comparisons between BoringSSL and *ring*.

Replace the *ring*-specific hacky logic done in Perl with hacky logic
done in Rust. The purpose of this hack is to deal with the fact that
sha512-{x86_64, armv8}.pl need to be run twice, once with "512" in the
output file path to generate
`GFp_sha512_block_data_order`, and again with "256" in the output file
path to generate `GFp_sha256_block_data_order`.
2017-03-18 15:31:15 -10:00
Brian Smith
ac8999da4d Remove currently-unused crypto/perlasm/ppc-xlate.pl. 2017-03-17 14:29:08 -10:00
Brian Smith
805c8db797 Remove currently-unused PowerPC source files imported from BoringSSL. 2017-03-16 15:45:40 -10:00
Brian Smith
b2ed2666e2 Stop using MSBuild on Windows. 2017-03-05 16:36:01 -10:00
Brian Smith
9f5fc93895 Remove redundant __STDC_CONSTANT_MACROS stuff in bn_test.cc.
This looks like it was probably the result of a bad merge.
2017-03-05 15:10:50 -10:00
Brian Smith
1d16b823a7 Avoid triggering truncation warnings in MSVC in Curve25519 code.
The truncation is intentional so the warnings were false positives.
Still, it is easy to avoid triggering them. The warnings are currently
disabled globally; this is a step towards enabling them.
2017-03-05 15:10:50 -10:00
Brian Smith
4ec664b5af Avoid triggering some MSVC warnings.
The warnings that these trigger are currently disabled globally. This
is a step towards re-enabling the warnings by default.
2017-03-05 15:10:49 -10:00
Brian Smith
ffa901fbbe Implement GFp_bn_add_words in terms of limbs_add. 2017-03-02 16:04:35 -10:00
Brian Smith
3442aa7d6c Implement GFp_bn_sub_words in terms of limbs_sub. 2017-03-02 16:04:32 -10:00
Brian Smith
7ef64a1b0e Rename GFp_DoubleLimb to DoubleLimb.
Match the new naming conventions in the limbs C submodule.
2017-03-02 15:36:41 -10:00
Brian Smith
e0c75358b4 Remove the last, non-x86_64-only, use of GFp_BN_from_mont.
Fix the non-x86_64 build.
2017-03-01 18:33:09 -10:00
Brian Smith
5c2310b20c Replace GFp_BN_from_mont with Rust code. 2017-03-01 17:47:36 -10:00
Brian Smith
a73859e9ef Get rid of BN_MONT_CTX.
This introduces some temporary performance regressions that will be
cleaned up in subsequent commits; they are marked with "XXX" comments.
2017-02-23 17:46:53 -10:00
Brian Smith
8568607a5f Fix macOS build.
`copy_from_prebuf()` and `copy_to_prebuf()` are only used in the
non-x86-64 implementation.
2017-02-16 12:09:35 -10:00
Brian Smith
8e8050caaa Use LIMBS_shl_mod() for P-384 multiplication by 2. 2017-02-16 12:01:15 -10:00
Brian Smith
77a1f935d9 Implement constant-time modular left shift by 1 bit. 2017-02-16 11:57:08 -10:00
Brian Smith
13eaec0bc1 Remove now-unused BIGNUM flag API. 2017-02-16 11:44:18 -10:00
Brian Smith
381f4ae4c2 Move GFp_BN_num_bytes() to test library. 2017-02-16 11:42:56 -10:00
Brian Smith
37349ebe6e Stop using BN_MONT_CTX in multiplication and reduction. 2017-02-16 02:16:42 -10:00
Brian Smith
3c044ea875 Replace GFp_BN_to_mont() with Rust code. 2017-02-16 02:12:38 -10:00
Brian Smith
f1cbc74798 Precompute 1 in the Montgomery domain during RSA keypair setup. 2017-02-16 02:12:37 -10:00
Brian Smith
818870afe8 Simplify implementation dispatching logic for GFp_BN_mod_exp_mont_consttime.
Statically choose the implementation so that the same implementation is always
used on every platform, particularly x86-64.
2017-02-16 02:11:00 -10:00
Brian Smith
4abff4cc4f Have caller do the Montgomery encoding for constant-time exponentiation. 2017-02-16 01:48:21 -10:00
Brian Smith
0b6aed23b8 Implement elem_reduced/GFp_BN_reduce_mont in Rust. 2017-02-16 01:29:20 -10:00
Brian Smith
191fcd2214 Remove now-unused test-only BN_MONT_CTX API. 2017-02-12 01:22:51 -10:00
Brian Smith
5438e43049 Rename RAND_bytes to GFp_RAND_bytes to avoid conflicts with OpenSSL. 2017-02-12 01:06:03 -10:00
Brian Smith
58859d76bf Remove now-unnecessary TestModInvRejectUnreduced test.
The test isn't necessary because we ensure that we pass in properly-
reduced values to `GFp_BN_mod_inverse_odd()`. It needs to be removed
so that we can remove `BN_MONT_CTX`.
2017-02-12 01:02:31 -10:00
Brian Smith
05ed20ccc9 Move modular squaring tests from C to Rust. 2017-02-12 01:02:30 -10:00
Brian Smith
229d859806 Move modular multiplication tests from C to Rust.
Instead of normalizing the inputs during the test to be in range,
the inputs are normalized ahead of time. Also, the tests with even
moduli were removed.
2017-02-12 01:02:29 -10:00
Brian Smith
d2dcd9e660 Remove support for tiny moduli in Montgomery multiplication. 2017-02-12 01:02:29 -10:00
Brian Smith
088af8800f Require GFp_BN_mod_exp_mont_consttime() inputs to be reduced.
Require that the input be reduced (mod n), simplifying the code.

Also, move the tests for `elem_exp_consttime()` to Rust and split the
vectors out into their own file, like was done for the
`elem_exp_vartime()` tests. The test vectors were taken directly from
BoringSSL, filtered as described in the comment at the top of the file.
2017-02-12 01:02:27 -10:00
Brian Smith
2c9807467e Test that into_odd_positive() rejects even inputs.
The tests in bn_tests.cc are now redundant, since the only way to
construct a `Modulus` is to construct a `PositiveInteger` then convert
it to an `OddPositive` and then to a `Modulus`. There were already
tests that conversion to `PositiveInteger` properly rejects zero.
2017-02-11 17:26:50 -10:00
Brian Smith
7d4d649cc5 Add back wrongly-removed prototypes in gfp_p384.c. 2017-02-09 22:25:28 -10:00
Brian Smith
9d70c1daa5 Factor out constant-time modular addition and subtraction. 2017-02-09 17:04:04 -10:00
Brian Smith
1df44861b5 Replace GFp_BN_mod_inverse_blinded with Rust code. 2017-02-09 16:51:11 -10:00
Brian Smith
d6fab2ef19 Simplify GFp_bn_mod_exp_base_2_vartime.
One extra shift is done, but the simplification makes it worthwhile.
2017-02-09 16:45:44 -10:00
Brian Smith
a891756d8d Remove crypto/cipher/asm/chacha20_poly1305_x86_64.pl until it is needed.
This unused file sitting around is making the build system work more
complicated, so just remove it for now.
2017-02-04 16:30:00 -10:00
Mathieu Poumeyrol
5d44d63cab Discard .thumb_func directive in GFp_x25519_NEON on ARMv7 iOS.
The `.thumb_func` directive was cargo-culted from some PerlAsm stuff,
seemingly wrongly.
2017-01-31 09:38:42 -10:00
Brian Smith
6fb8c5b7a0 Take BoringSSL 360a4c2: chacha20_poly1305_x86_64.pl: Use NASM-compatible syntax for |ldea|. 2017-01-27 16:04:25 -10:00
Brian Smith
ed80cbca1c Take BoringSSL 357a9f2: chacha20_poly1305_x86_64.pl: Use |imulq| instead of |imul|. 2017-01-27 16:04:04 -10:00
Brian Smith
d1499078c7 Take BoringSSL 3416d28: chacha20_poly1305_x86_64.pl: Escape command line args like other PerlAsm scripts. 2017-01-27 16:03:45 -10:00
Brian Smith
4c1841a7d5 Take BoringSSL 1da9c67: Use a Perlasm variable rather than an #if to exclude the ChaCha20-Poly1305 asm on Windows. 2017-01-27 15:57:16 -10:00
Brian Smith
360a4c2616 chacha20_poly1305_x86_64.pl: Use NASM-compatible syntax for |ldea|.
Cargo-cult the way other Perlasm scripts do it.

Change-Id: I86aaf725e41b601f24595518a8a6bc481fa0c7fc
Reviewed-on: https://boringssl-review.googlesource.com/13382
Reviewed-by: Adam Langley <agl@google.com>
2017-01-27 23:17:13 +00:00
Brian Smith
357a9f23fe chacha20_poly1305_x86_64.pl: Use |imulq| instead of |imul|.
Perlasm requires the size suffix when targeting NASM and Yasm; without
it, the resulting .asm file has |imu| instead of |imul|.

Change-Id: Icb95b8c0b68cf4f93becdc1930dc217398f56bec
Reviewed-on: https://boringssl-review.googlesource.com/13381
Reviewed-by: Adam Langley <agl@google.com>
2017-01-27 23:16:52 +00:00
Brian Smith
3416d28a57 chacha20_poly1305_x86_64.pl: Escape command line args like other PerlAsm scripts.
Use the same quoting used in other files so that this file can be built
the same way as other files on platforms that require the other kind of
quoting.

Change-Id: I808769bf014fbfe526fedcdc1e1f617b3490d03b
Reviewed-on: https://boringssl-review.googlesource.com/13380
Reviewed-by: Adam Langley <agl@google.com>
2017-01-27 23:16:27 +00:00
Adam Langley
3b3b62f39c X509_parse_from_buffer: reject massive certificates.
Otherwise we could pass a negative value into |d2i_X509|.

Change-Id: I52a35dd9648269094110b69eddd7667a56ec8253
Reviewed-on: https://boringssl-review.googlesource.com/13363
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2017-01-27 16:21:16 +00:00