Hide symbols in bn

ok tb@

Provide and use various quad word primitives.

This includes bn_qwaddqw(), bn_qwsubqw(), bn_qwmulw_addw() and
bn_qwmulw_addqw_addw(). These can typically be optimised on architectures
that have a reasonable number of general purpose registers.

ok tb@

unifdef BN_RECURSION

This removes a bunch of incomplete and scary code, which potentially leaks
secrets and is not constant time. A performance gain is achieved on arm64
for sizes that we care about, while a minimal decrease in performance is
noted for larger sizes on some other platforms.

While we will potentially reimplement Karatsuba (or Toom-Cook) at a later
date, it will be easier and safer to do it from a clean slate.

ok tb@

Call bn_copy() unconditionally in BN_mul() and BN_sqr()

bn_copy() does the right thing if source and target are the same, so
there is no need for an additional check.

Requested by jsing

Convert BN_copy() with missing error checks to bn_copy()

ok jsing

Replace bn_sub_part_words() with bn_sub().

Now that bn_sub() handles word arrays with potentially different lengths,
we no longer need bn_sub_part_words() - call bn_sub() instead. This allows
us to entirely remove the unnecessarily complex bn_sub_part_words() code.

ok tb@

Place bn_mul_add_words() after bn_mul_words().

Reimplement bn_mul_words(), bn_mul_add_words() and bn_mul_comba{4,8}().

Use bignum primitives rather than the current mess of macros, which also
allows us to remove the essentially duplicate versions of
bn_mul_words() and bn_mul_add_words() for BN_LLONG.

The "mul" macro gets replaced by bn_mulw_addw(), "mul_add" with
bn_mulw_addw_addw() and "mul_add_c" with bn_mulw_addtw() (where 'w'
indicates single word input and 'tw' indicates triple word input).

The variables in the comba functions have also been reordered, so that the
patterns are easier to understand - the compiler can take care of
optimising the inputs and outputs to avoid register moves.

ok tb@

Avoid negative zero.

Whenever setting negative to one (or when it could potentially be one),
always use BN_set_negative() since it checks for a zero valued bignum and
will not permit negative to be set in this case. Since BN_is_zero()
currently relies on top == 0, call BN_set_negative() after top has been
set (or bn_correct_top() has been called).

This fixes a long standing issue where -0 and +0 have been permitted,
however multiple code paths (such as BN_cmp()) fail to treat these as
equivalent.

Prompted by Guido Vranken who is adding negative zero fuzzing to oss-fuzz.

ok tb@

Move bn_mul_add_words() and bn_mul_words() from bn_asm.c to bn_mul.c.

These are wrapped with #ifndef HAVE_BN_ADD_MUL_WORDS/HAVE_BN_MUL_WORDS,
which are defined for architectures that provide their own assembly
versions.

Refactor BN_mul().

This splits BN_mul() into two parts, one of which is a separate bn_mul()
function. This makes the code more readable and managable, while also
providing a better entry point for assembly optimisation. A separate
bn_mul() is provided for the BN_RECURSION implementation, to reduce
complexity.

This also enables bn_mul_comba4() for four word long bignums - this was
disabled for unknown reasons.

ok tb@

Move bn_{mul,sqr}_comba{4,8}() from bn_asm.c to bn_mul.c/bn_sqr.c.

Wrap these in HAVE_BN_{MUL,SQR}_COMBA{4,8} defines. Add these defines to
bn_arch.h where the architecture currently provides its own version.

ok tb@

Remove unused code.

ok tb@

Reorder functions.

No functional change.

Mop up debug code that escaped previously.

This is the result of `unifdef -m -U BN_COUNT'.

Mop up more BN_DEBUG related code.

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Remove BIGNUM consistency macros.

Compiling with BN_DEBUG (and if you want to take it further, BN_DEBUG_RAND)
supposedly adds consistency checks to the BN code. These are rarely if ever
used and introduce a bunch of clutter in the code. Furthermore, there are
hacks in place to undo things that the debugging code does.

Remove all of this mess and instead rely on always enabled checks, more
readable code and proper regress coverage to ensure correct behaviour.

"Good riddance." tb@

Change bn_expand()/bn_wexpand() to indicate failure/success via 0/1.

Currently bn_expand()/bn_wexpand() return a BIGNUM *, however none of the
callers use this (and many already treat it as a true/false value).
Change these functions to return 0 on failure and 1 on success, revising
callers that test against NULL in the process.

ok tb@

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

Stop including standard headers via cryptlib.h - pull in the headers that
are needed in the source files that actually require them.

ok beck@ miod@

tags as requested by miod and tedu

Emergency knfectomie requested by tedu@.

openssl-1.0.0e: resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]

merge 0.9.7b with local changes; crank majors for libssl/libcrypto

merge openssl-0.9.7-beta3, tested on vax by miod@

Merge OpenSSL 0.9.7-stable-20020605,
correctly autogenerate obj_mac.h

Merge openssl-0.9.7-stable-SNAP-20020519

OpenSSL 0.9.7 stable 2002 05 08 merge

openssl-engine-0.9.6 merge

OpenSSL 0.9.5a merge

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

OpenSSL 0.9.4 merge

branches: 1.1.1;
Initial revision

Provide and use various quad word primitives.

This includes bn_qwaddqw(), bn_qwsubqw(), bn_qwmulw_addw() and
bn_qwmulw_addqw_addw(). These can typically be optimised on architectures
that have a reasonable number of general purpose registers.

ok tb@

unifdef BN_RECURSION

This removes a bunch of incomplete and scary code, which potentially leaks
secrets and is not constant time. A performance gain is achieved on arm64
for sizes that we care about, while a minimal decrease in performance is
noted for larger sizes on some other platforms.

While we will potentially reimplement Karatsuba (or Toom-Cook) at a later
date, it will be easier and safer to do it from a clean slate.

ok tb@

Call bn_copy() unconditionally in BN_mul() and BN_sqr()

bn_copy() does the right thing if source and target are the same, so
there is no need for an additional check.

Requested by jsing

Convert BN_copy() with missing error checks to bn_copy()

ok jsing

Replace bn_sub_part_words() with bn_sub().

Now that bn_sub() handles word arrays with potentially different lengths,
we no longer need bn_sub_part_words() - call bn_sub() instead. This allows
us to entirely remove the unnecessarily complex bn_sub_part_words() code.

ok tb@

Place bn_mul_add_words() after bn_mul_words().

Reimplement bn_mul_words(), bn_mul_add_words() and bn_mul_comba{4,8}().

Use bignum primitives rather than the current mess of macros, which also
allows us to remove the essentially duplicate versions of
bn_mul_words() and bn_mul_add_words() for BN_LLONG.

The "mul" macro gets replaced by bn_mulw_addw(), "mul_add" with
bn_mulw_addw_addw() and "mul_add_c" with bn_mulw_addtw() (where 'w'
indicates single word input and 'tw' indicates triple word input).

The variables in the comba functions have also been reordered, so that the
patterns are easier to understand - the compiler can take care of
optimising the inputs and outputs to avoid register moves.

ok tb@

Avoid negative zero.

Whenever setting negative to one (or when it could potentially be one),
always use BN_set_negative() since it checks for a zero valued bignum and
will not permit negative to be set in this case. Since BN_is_zero()
currently relies on top == 0, call BN_set_negative() after top has been
set (or bn_correct_top() has been called).

This fixes a long standing issue where -0 and +0 have been permitted,
however multiple code paths (such as BN_cmp()) fail to treat these as
equivalent.

Prompted by Guido Vranken who is adding negative zero fuzzing to oss-fuzz.

ok tb@

Move bn_mul_add_words() and bn_mul_words() from bn_asm.c to bn_mul.c.

These are wrapped with #ifndef HAVE_BN_ADD_MUL_WORDS/HAVE_BN_MUL_WORDS,
which are defined for architectures that provide their own assembly
versions.

Refactor BN_mul().

This splits BN_mul() into two parts, one of which is a separate bn_mul()
function. This makes the code more readable and managable, while also
providing a better entry point for assembly optimisation. A separate
bn_mul() is provided for the BN_RECURSION implementation, to reduce
complexity.

This also enables bn_mul_comba4() for four word long bignums - this was
disabled for unknown reasons.

ok tb@

Move bn_{mul,sqr}_comba{4,8}() from bn_asm.c to bn_mul.c/bn_sqr.c.

Wrap these in HAVE_BN_{MUL,SQR}_COMBA{4,8} defines. Add these defines to
bn_arch.h where the architecture currently provides its own version.

ok tb@

Remove unused code.

ok tb@

Reorder functions.

No functional change.

Mop up debug code that escaped previously.

This is the result of `unifdef -m -U BN_COUNT'.

Mop up more BN_DEBUG related code.

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Remove BIGNUM consistency macros.

Compiling with BN_DEBUG (and if you want to take it further, BN_DEBUG_RAND)
supposedly adds consistency checks to the BN code. These are rarely if ever
used and introduce a bunch of clutter in the code. Furthermore, there are
hacks in place to undo things that the debugging code does.

Remove all of this mess and instead rely on always enabled checks, more
readable code and proper regress coverage to ensure correct behaviour.

"Good riddance." tb@

Change bn_expand()/bn_wexpand() to indicate failure/success via 0/1.

Currently bn_expand()/bn_wexpand() return a BIGNUM *, however none of the
callers use this (and many already treat it as a true/false value).
Change these functions to return 0 on failure and 1 on success, revising
callers that test against NULL in the process.

ok tb@

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

Stop including standard headers via cryptlib.h - pull in the headers that
are needed in the source files that actually require them.

ok beck@ miod@

tags as requested by miod and tedu

Emergency knfectomie requested by tedu@.

openssl-1.0.0e: resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]

merge 0.9.7b with local changes; crank majors for libssl/libcrypto

merge openssl-0.9.7-beta3, tested on vax by miod@

Merge OpenSSL 0.9.7-stable-20020605,
correctly autogenerate obj_mac.h

Merge openssl-0.9.7-stable-SNAP-20020519

OpenSSL 0.9.7 stable 2002 05 08 merge

openssl-engine-0.9.6 merge

OpenSSL 0.9.5a merge

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

OpenSSL 0.9.4 merge

branches: 1.1.1;
Initial revision

unifdef BN_RECURSION

This removes a bunch of incomplete and scary code, which potentially leaks
secrets and is not constant time. A performance gain is achieved on arm64
for sizes that we care about, while a minimal decrease in performance is
noted for larger sizes on some other platforms.

While we will potentially reimplement Karatsuba (or Toom-Cook) at a later
date, it will be easier and safer to do it from a clean slate.

ok tb@

Call bn_copy() unconditionally in BN_mul() and BN_sqr()

bn_copy() does the right thing if source and target are the same, so
there is no need for an additional check.

Requested by jsing

Convert BN_copy() with missing error checks to bn_copy()

ok jsing

Replace bn_sub_part_words() with bn_sub().

Now that bn_sub() handles word arrays with potentially different lengths,
we no longer need bn_sub_part_words() - call bn_sub() instead. This allows
us to entirely remove the unnecessarily complex bn_sub_part_words() code.

ok tb@

Place bn_mul_add_words() after bn_mul_words().

Reimplement bn_mul_words(), bn_mul_add_words() and bn_mul_comba{4,8}().

Use bignum primitives rather than the current mess of macros, which also
allows us to remove the essentially duplicate versions of
bn_mul_words() and bn_mul_add_words() for BN_LLONG.

The "mul" macro gets replaced by bn_mulw_addw(), "mul_add" with
bn_mulw_addw_addw() and "mul_add_c" with bn_mulw_addtw() (where 'w'
indicates single word input and 'tw' indicates triple word input).

The variables in the comba functions have also been reordered, so that the
patterns are easier to understand - the compiler can take care of
optimising the inputs and outputs to avoid register moves.

ok tb@

Avoid negative zero.

Whenever setting negative to one (or when it could potentially be one),
always use BN_set_negative() since it checks for a zero valued bignum and
will not permit negative to be set in this case. Since BN_is_zero()
currently relies on top == 0, call BN_set_negative() after top has been
set (or bn_correct_top() has been called).

This fixes a long standing issue where -0 and +0 have been permitted,
however multiple code paths (such as BN_cmp()) fail to treat these as
equivalent.

Prompted by Guido Vranken who is adding negative zero fuzzing to oss-fuzz.

ok tb@

Move bn_mul_add_words() and bn_mul_words() from bn_asm.c to bn_mul.c.

These are wrapped with #ifndef HAVE_BN_ADD_MUL_WORDS/HAVE_BN_MUL_WORDS,
which are defined for architectures that provide their own assembly
versions.

Refactor BN_mul().

This splits BN_mul() into two parts, one of which is a separate bn_mul()
function. This makes the code more readable and managable, while also
providing a better entry point for assembly optimisation. A separate
bn_mul() is provided for the BN_RECURSION implementation, to reduce
complexity.

This also enables bn_mul_comba4() for four word long bignums - this was
disabled for unknown reasons.

ok tb@

Move bn_{mul,sqr}_comba{4,8}() from bn_asm.c to bn_mul.c/bn_sqr.c.

Wrap these in HAVE_BN_{MUL,SQR}_COMBA{4,8} defines. Add these defines to
bn_arch.h where the architecture currently provides its own version.

ok tb@

Remove unused code.

ok tb@

Reorder functions.

No functional change.

Mop up debug code that escaped previously.

This is the result of `unifdef -m -U BN_COUNT'.

Mop up more BN_DEBUG related code.

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Remove BIGNUM consistency macros.

Compiling with BN_DEBUG (and if you want to take it further, BN_DEBUG_RAND)
supposedly adds consistency checks to the BN code. These are rarely if ever
used and introduce a bunch of clutter in the code. Furthermore, there are
hacks in place to undo things that the debugging code does.

Remove all of this mess and instead rely on always enabled checks, more
readable code and proper regress coverage to ensure correct behaviour.

"Good riddance." tb@

Change bn_expand()/bn_wexpand() to indicate failure/success via 0/1.

Currently bn_expand()/bn_wexpand() return a BIGNUM *, however none of the
callers use this (and many already treat it as a true/false value).
Change these functions to return 0 on failure and 1 on success, revising
callers that test against NULL in the process.

ok tb@

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

Stop including standard headers via cryptlib.h - pull in the headers that
are needed in the source files that actually require them.

ok beck@ miod@

tags as requested by miod and tedu

Emergency knfectomie requested by tedu@.

openssl-1.0.0e: resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]

merge 0.9.7b with local changes; crank majors for libssl/libcrypto

merge openssl-0.9.7-beta3, tested on vax by miod@

Merge OpenSSL 0.9.7-stable-20020605,
correctly autogenerate obj_mac.h

Merge openssl-0.9.7-stable-SNAP-20020519

OpenSSL 0.9.7 stable 2002 05 08 merge

openssl-engine-0.9.6 merge

OpenSSL 0.9.5a merge

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

OpenSSL 0.9.4 merge

branches: 1.1.1;
Initial revision

Replace bn_sub_part_words() with bn_sub().

Now that bn_sub() handles word arrays with potentially different lengths,
we no longer need bn_sub_part_words() - call bn_sub() instead. This allows
us to entirely remove the unnecessarily complex bn_sub_part_words() code.

ok tb@

Place bn_mul_add_words() after bn_mul_words().

Reimplement bn_mul_words(), bn_mul_add_words() and bn_mul_comba{4,8}().

Use bignum primitives rather than the current mess of macros, which also
allows us to remove the essentially duplicate versions of
bn_mul_words() and bn_mul_add_words() for BN_LLONG.

The "mul" macro gets replaced by bn_mulw_addw(), "mul_add" with
bn_mulw_addw_addw() and "mul_add_c" with bn_mulw_addtw() (where 'w'
indicates single word input and 'tw' indicates triple word input).

The variables in the comba functions have also been reordered, so that the
patterns are easier to understand - the compiler can take care of
optimising the inputs and outputs to avoid register moves.

ok tb@

Avoid negative zero.

Whenever setting negative to one (or when it could potentially be one),
always use BN_set_negative() since it checks for a zero valued bignum and
will not permit negative to be set in this case. Since BN_is_zero()
currently relies on top == 0, call BN_set_negative() after top has been
set (or bn_correct_top() has been called).

This fixes a long standing issue where -0 and +0 have been permitted,
however multiple code paths (such as BN_cmp()) fail to treat these as
equivalent.

Prompted by Guido Vranken who is adding negative zero fuzzing to oss-fuzz.

ok tb@

Move bn_mul_add_words() and bn_mul_words() from bn_asm.c to bn_mul.c.

These are wrapped with #ifndef HAVE_BN_ADD_MUL_WORDS/HAVE_BN_MUL_WORDS,
which are defined for architectures that provide their own assembly
versions.

Refactor BN_mul().

This splits BN_mul() into two parts, one of which is a separate bn_mul()
function. This makes the code more readable and managable, while also
providing a better entry point for assembly optimisation. A separate
bn_mul() is provided for the BN_RECURSION implementation, to reduce
complexity.

This also enables bn_mul_comba4() for four word long bignums - this was
disabled for unknown reasons.

ok tb@

Move bn_{mul,sqr}_comba{4,8}() from bn_asm.c to bn_mul.c/bn_sqr.c.

Wrap these in HAVE_BN_{MUL,SQR}_COMBA{4,8} defines. Add these defines to
bn_arch.h where the architecture currently provides its own version.

ok tb@

Remove unused code.

ok tb@

Reorder functions.

No functional change.

Mop up debug code that escaped previously.

This is the result of `unifdef -m -U BN_COUNT'.

Mop up more BN_DEBUG related code.

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Remove BIGNUM consistency macros.

Compiling with BN_DEBUG (and if you want to take it further, BN_DEBUG_RAND)
supposedly adds consistency checks to the BN code. These are rarely if ever
used and introduce a bunch of clutter in the code. Furthermore, there are
hacks in place to undo things that the debugging code does.

Remove all of this mess and instead rely on always enabled checks, more
readable code and proper regress coverage to ensure correct behaviour.

"Good riddance." tb@

Change bn_expand()/bn_wexpand() to indicate failure/success via 0/1.

Currently bn_expand()/bn_wexpand() return a BIGNUM *, however none of the
callers use this (and many already treat it as a true/false value).
Change these functions to return 0 on failure and 1 on success, revising
callers that test against NULL in the process.

ok tb@

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

Stop including standard headers via cryptlib.h - pull in the headers that
are needed in the source files that actually require them.

ok beck@ miod@

tags as requested by miod and tedu

Emergency knfectomie requested by tedu@.

openssl-1.0.0e: resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]

merge 0.9.7b with local changes; crank majors for libssl/libcrypto

merge openssl-0.9.7-beta3, tested on vax by miod@

Merge OpenSSL 0.9.7-stable-20020605,
correctly autogenerate obj_mac.h

Merge openssl-0.9.7-stable-SNAP-20020519

OpenSSL 0.9.7 stable 2002 05 08 merge

openssl-engine-0.9.6 merge

OpenSSL 0.9.5a merge

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

OpenSSL 0.9.4 merge

branches: 1.1.1;
Initial revision

Place bn_mul_add_words() after bn_mul_words().

Reimplement bn_mul_words(), bn_mul_add_words() and bn_mul_comba{4,8}().

Use bignum primitives rather than the current mess of macros, which also
allows us to remove the essentially duplicate versions of
bn_mul_words() and bn_mul_add_words() for BN_LLONG.

The "mul" macro gets replaced by bn_mulw_addw(), "mul_add" with
bn_mulw_addw_addw() and "mul_add_c" with bn_mulw_addtw() (where 'w'
indicates single word input and 'tw' indicates triple word input).

The variables in the comba functions have also been reordered, so that the
patterns are easier to understand - the compiler can take care of
optimising the inputs and outputs to avoid register moves.

ok tb@

Avoid negative zero.

Whenever setting negative to one (or when it could potentially be one),
always use BN_set_negative() since it checks for a zero valued bignum and
will not permit negative to be set in this case. Since BN_is_zero()
currently relies on top == 0, call BN_set_negative() after top has been
set (or bn_correct_top() has been called).

This fixes a long standing issue where -0 and +0 have been permitted,
however multiple code paths (such as BN_cmp()) fail to treat these as
equivalent.

Prompted by Guido Vranken who is adding negative zero fuzzing to oss-fuzz.

ok tb@

Move bn_mul_add_words() and bn_mul_words() from bn_asm.c to bn_mul.c.

These are wrapped with #ifndef HAVE_BN_ADD_MUL_WORDS/HAVE_BN_MUL_WORDS,
which are defined for architectures that provide their own assembly
versions.

Refactor BN_mul().

This splits BN_mul() into two parts, one of which is a separate bn_mul()
function. This makes the code more readable and managable, while also
providing a better entry point for assembly optimisation. A separate
bn_mul() is provided for the BN_RECURSION implementation, to reduce
complexity.

This also enables bn_mul_comba4() for four word long bignums - this was
disabled for unknown reasons.

ok tb@

Move bn_{mul,sqr}_comba{4,8}() from bn_asm.c to bn_mul.c/bn_sqr.c.

Wrap these in HAVE_BN_{MUL,SQR}_COMBA{4,8} defines. Add these defines to
bn_arch.h where the architecture currently provides its own version.

ok tb@

Remove unused code.

ok tb@

Reorder functions.

No functional change.

Mop up debug code that escaped previously.

This is the result of `unifdef -m -U BN_COUNT'.

Mop up more BN_DEBUG related code.

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Remove BIGNUM consistency macros.

Compiling with BN_DEBUG (and if you want to take it further, BN_DEBUG_RAND)
supposedly adds consistency checks to the BN code. These are rarely if ever
used and introduce a bunch of clutter in the code. Furthermore, there are
hacks in place to undo things that the debugging code does.

Remove all of this mess and instead rely on always enabled checks, more
readable code and proper regress coverage to ensure correct behaviour.

"Good riddance." tb@

Change bn_expand()/bn_wexpand() to indicate failure/success via 0/1.

Currently bn_expand()/bn_wexpand() return a BIGNUM *, however none of the
callers use this (and many already treat it as a true/false value).
Change these functions to return 0 on failure and 1 on success, revising
callers that test against NULL in the process.

ok tb@

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

Stop including standard headers via cryptlib.h - pull in the headers that
are needed in the source files that actually require them.

ok beck@ miod@

tags as requested by miod and tedu

Emergency knfectomie requested by tedu@.

openssl-1.0.0e: resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]

merge 0.9.7b with local changes; crank majors for libssl/libcrypto

merge openssl-0.9.7-beta3, tested on vax by miod@

Merge OpenSSL 0.9.7-stable-20020605,
correctly autogenerate obj_mac.h

Merge openssl-0.9.7-stable-SNAP-20020519

OpenSSL 0.9.7 stable 2002 05 08 merge

openssl-engine-0.9.6 merge

OpenSSL 0.9.5a merge

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

OpenSSL 0.9.4 merge

branches: 1.1.1;
Initial revision

Place bn_mul_add_words() after bn_mul_words().

Reimplement bn_mul_words(), bn_mul_add_words() and bn_mul_comba{4,8}().

Use bignum primitives rather than the current mess of macros, which also
allows us to remove the essentially duplicate versions of
bn_mul_words() and bn_mul_add_words() for BN_LLONG.

The "mul" macro gets replaced by bn_mulw_addw(), "mul_add" with
bn_mulw_addw_addw() and "mul_add_c" with bn_mulw_addtw() (where 'w'
indicates single word input and 'tw' indicates triple word input).

The variables in the comba functions have also been reordered, so that the
patterns are easier to understand - the compiler can take care of
optimising the inputs and outputs to avoid register moves.

ok tb@

Avoid negative zero.

Whenever setting negative to one (or when it could potentially be one),
always use BN_set_negative() since it checks for a zero valued bignum and
will not permit negative to be set in this case. Since BN_is_zero()
currently relies on top == 0, call BN_set_negative() after top has been
set (or bn_correct_top() has been called).

This fixes a long standing issue where -0 and +0 have been permitted,
however multiple code paths (such as BN_cmp()) fail to treat these as
equivalent.

Prompted by Guido Vranken who is adding negative zero fuzzing to oss-fuzz.

ok tb@

Move bn_mul_add_words() and bn_mul_words() from bn_asm.c to bn_mul.c.

These are wrapped with #ifndef HAVE_BN_ADD_MUL_WORDS/HAVE_BN_MUL_WORDS,
which are defined for architectures that provide their own assembly
versions.

Refactor BN_mul().

This splits BN_mul() into two parts, one of which is a separate bn_mul()
function. This makes the code more readable and managable, while also
providing a better entry point for assembly optimisation. A separate
bn_mul() is provided for the BN_RECURSION implementation, to reduce
complexity.

This also enables bn_mul_comba4() for four word long bignums - this was
disabled for unknown reasons.

ok tb@

Move bn_{mul,sqr}_comba{4,8}() from bn_asm.c to bn_mul.c/bn_sqr.c.

Wrap these in HAVE_BN_{MUL,SQR}_COMBA{4,8} defines. Add these defines to
bn_arch.h where the architecture currently provides its own version.

ok tb@

Remove unused code.

ok tb@

Reorder functions.

No functional change.

Mop up debug code that escaped previously.

This is the result of `unifdef -m -U BN_COUNT'.

Mop up more BN_DEBUG related code.

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Remove BIGNUM consistency macros.

Compiling with BN_DEBUG (and if you want to take it further, BN_DEBUG_RAND)
supposedly adds consistency checks to the BN code. These are rarely if ever
used and introduce a bunch of clutter in the code. Furthermore, there are
hacks in place to undo things that the debugging code does.

Remove all of this mess and instead rely on always enabled checks, more
readable code and proper regress coverage to ensure correct behaviour.

"Good riddance." tb@

Change bn_expand()/bn_wexpand() to indicate failure/success via 0/1.

Currently bn_expand()/bn_wexpand() return a BIGNUM *, however none of the
callers use this (and many already treat it as a true/false value).
Change these functions to return 0 on failure and 1 on success, revising
callers that test against NULL in the process.

ok tb@

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

Stop including standard headers via cryptlib.h - pull in the headers that
are needed in the source files that actually require them.

ok beck@ miod@

tags as requested by miod and tedu

Emergency knfectomie requested by tedu@.

openssl-1.0.0e: resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]

merge 0.9.7b with local changes; crank majors for libssl/libcrypto

merge openssl-0.9.7-beta3, tested on vax by miod@

Merge OpenSSL 0.9.7-stable-20020605,
correctly autogenerate obj_mac.h

Merge openssl-0.9.7-stable-SNAP-20020519

OpenSSL 0.9.7 stable 2002 05 08 merge

openssl-engine-0.9.6 merge

OpenSSL 0.9.5a merge

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

OpenSSL 0.9.4 merge

branches: 1.1.1;
Initial revision

Avoid negative zero.

Whenever setting negative to one (or when it could potentially be one),
always use BN_set_negative() since it checks for a zero valued bignum and
will not permit negative to be set in this case. Since BN_is_zero()
currently relies on top == 0, call BN_set_negative() after top has been
set (or bn_correct_top() has been called).

This fixes a long standing issue where -0 and +0 have been permitted,
however multiple code paths (such as BN_cmp()) fail to treat these as
equivalent.

Prompted by Guido Vranken who is adding negative zero fuzzing to oss-fuzz.

ok tb@

Move bn_mul_add_words() and bn_mul_words() from bn_asm.c to bn_mul.c.

These are wrapped with #ifndef HAVE_BN_ADD_MUL_WORDS/HAVE_BN_MUL_WORDS,
which are defined for architectures that provide their own assembly
versions.

Refactor BN_mul().

This splits BN_mul() into two parts, one of which is a separate bn_mul()
function. This makes the code more readable and managable, while also
providing a better entry point for assembly optimisation. A separate
bn_mul() is provided for the BN_RECURSION implementation, to reduce
complexity.

This also enables bn_mul_comba4() for four word long bignums - this was
disabled for unknown reasons.

ok tb@

Move bn_{mul,sqr}_comba{4,8}() from bn_asm.c to bn_mul.c/bn_sqr.c.

Wrap these in HAVE_BN_{MUL,SQR}_COMBA{4,8} defines. Add these defines to
bn_arch.h where the architecture currently provides its own version.

ok tb@

Remove unused code.

ok tb@

Reorder functions.

No functional change.

Mop up debug code that escaped previously.

This is the result of `unifdef -m -U BN_COUNT'.

Mop up more BN_DEBUG related code.

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Remove BIGNUM consistency macros.

Compiling with BN_DEBUG (and if you want to take it further, BN_DEBUG_RAND)
supposedly adds consistency checks to the BN code. These are rarely if ever
used and introduce a bunch of clutter in the code. Furthermore, there are
hacks in place to undo things that the debugging code does.

Remove all of this mess and instead rely on always enabled checks, more
readable code and proper regress coverage to ensure correct behaviour.

"Good riddance." tb@

Change bn_expand()/bn_wexpand() to indicate failure/success via 0/1.

Currently bn_expand()/bn_wexpand() return a BIGNUM *, however none of the
callers use this (and many already treat it as a true/false value).
Change these functions to return 0 on failure and 1 on success, revising
callers that test against NULL in the process.

ok tb@

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

Stop including standard headers via cryptlib.h - pull in the headers that
are needed in the source files that actually require them.

ok beck@ miod@

tags as requested by miod and tedu

Emergency knfectomie requested by tedu@.

openssl-1.0.0e: resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]

merge 0.9.7b with local changes; crank majors for libssl/libcrypto

merge openssl-0.9.7-beta3, tested on vax by miod@

Merge OpenSSL 0.9.7-stable-20020605,
correctly autogenerate obj_mac.h

Merge openssl-0.9.7-stable-SNAP-20020519

OpenSSL 0.9.7 stable 2002 05 08 merge

openssl-engine-0.9.6 merge

OpenSSL 0.9.5a merge

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

OpenSSL 0.9.4 merge

branches: 1.1.1;
Initial revision

Move bn_mul_add_words() and bn_mul_words() from bn_asm.c to bn_mul.c.

These are wrapped with #ifndef HAVE_BN_ADD_MUL_WORDS/HAVE_BN_MUL_WORDS,
which are defined for architectures that provide their own assembly
versions.

Refactor BN_mul().

This splits BN_mul() into two parts, one of which is a separate bn_mul()
function. This makes the code more readable and managable, while also
providing a better entry point for assembly optimisation. A separate
bn_mul() is provided for the BN_RECURSION implementation, to reduce
complexity.

This also enables bn_mul_comba4() for four word long bignums - this was
disabled for unknown reasons.

ok tb@

Move bn_{mul,sqr}_comba{4,8}() from bn_asm.c to bn_mul.c/bn_sqr.c.

Wrap these in HAVE_BN_{MUL,SQR}_COMBA{4,8} defines. Add these defines to
bn_arch.h where the architecture currently provides its own version.

ok tb@

Remove unused code.

ok tb@

Reorder functions.

No functional change.

Mop up debug code that escaped previously.

This is the result of `unifdef -m -U BN_COUNT'.

Mop up more BN_DEBUG related code.

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Remove BIGNUM consistency macros.

Compiling with BN_DEBUG (and if you want to take it further, BN_DEBUG_RAND)
supposedly adds consistency checks to the BN code. These are rarely if ever
used and introduce a bunch of clutter in the code. Furthermore, there are
hacks in place to undo things that the debugging code does.

Remove all of this mess and instead rely on always enabled checks, more
readable code and proper regress coverage to ensure correct behaviour.

"Good riddance." tb@

Change bn_expand()/bn_wexpand() to indicate failure/success via 0/1.

Currently bn_expand()/bn_wexpand() return a BIGNUM *, however none of the
callers use this (and many already treat it as a true/false value).
Change these functions to return 0 on failure and 1 on success, revising
callers that test against NULL in the process.

ok tb@

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

Stop including standard headers via cryptlib.h - pull in the headers that
are needed in the source files that actually require them.

ok beck@ miod@

tags as requested by miod and tedu

Emergency knfectomie requested by tedu@.

openssl-1.0.0e: resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]

merge 0.9.7b with local changes; crank majors for libssl/libcrypto

merge openssl-0.9.7-beta3, tested on vax by miod@

Merge OpenSSL 0.9.7-stable-20020605,
correctly autogenerate obj_mac.h

Merge openssl-0.9.7-stable-SNAP-20020519

OpenSSL 0.9.7 stable 2002 05 08 merge

openssl-engine-0.9.6 merge

OpenSSL 0.9.5a merge

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

OpenSSL 0.9.4 merge

branches: 1.1.1;
Initial revision

Refactor BN_mul().

This splits BN_mul() into two parts, one of which is a separate bn_mul()
function. This makes the code more readable and managable, while also
providing a better entry point for assembly optimisation. A separate
bn_mul() is provided for the BN_RECURSION implementation, to reduce
complexity.

This also enables bn_mul_comba4() for four word long bignums - this was
disabled for unknown reasons.

ok tb@

Move bn_{mul,sqr}_comba{4,8}() from bn_asm.c to bn_mul.c/bn_sqr.c.

Wrap these in HAVE_BN_{MUL,SQR}_COMBA{4,8} defines. Add these defines to
bn_arch.h where the architecture currently provides its own version.

ok tb@

Remove unused code.

ok tb@

Reorder functions.

No functional change.

Mop up debug code that escaped previously.

This is the result of `unifdef -m -U BN_COUNT'.

Mop up more BN_DEBUG related code.

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Remove BIGNUM consistency macros.

Compiling with BN_DEBUG (and if you want to take it further, BN_DEBUG_RAND)
supposedly adds consistency checks to the BN code. These are rarely if ever
used and introduce a bunch of clutter in the code. Furthermore, there are
hacks in place to undo things that the debugging code does.

Remove all of this mess and instead rely on always enabled checks, more
readable code and proper regress coverage to ensure correct behaviour.

"Good riddance." tb@

Change bn_expand()/bn_wexpand() to indicate failure/success via 0/1.

Currently bn_expand()/bn_wexpand() return a BIGNUM *, however none of the
callers use this (and many already treat it as a true/false value).
Change these functions to return 0 on failure and 1 on success, revising
callers that test against NULL in the process.

ok tb@

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

Stop including standard headers via cryptlib.h - pull in the headers that
are needed in the source files that actually require them.

ok beck@ miod@

tags as requested by miod and tedu

Emergency knfectomie requested by tedu@.

openssl-1.0.0e: resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]

merge 0.9.7b with local changes; crank majors for libssl/libcrypto

merge openssl-0.9.7-beta3, tested on vax by miod@

Merge OpenSSL 0.9.7-stable-20020605,
correctly autogenerate obj_mac.h

Merge openssl-0.9.7-stable-SNAP-20020519

OpenSSL 0.9.7 stable 2002 05 08 merge

openssl-engine-0.9.6 merge

OpenSSL 0.9.5a merge

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

OpenSSL 0.9.4 merge

branches: 1.1.1;
Initial revision

Move bn_{mul,sqr}_comba{4,8}() from bn_asm.c to bn_mul.c/bn_sqr.c.

Wrap these in HAVE_BN_{MUL,SQR}_COMBA{4,8} defines. Add these defines to
bn_arch.h where the architecture currently provides its own version.

ok tb@

Remove unused code.

ok tb@

Reorder functions.

No functional change.

Mop up debug code that escaped previously.

This is the result of `unifdef -m -U BN_COUNT'.

Mop up more BN_DEBUG related code.

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Remove BIGNUM consistency macros.

Compiling with BN_DEBUG (and if you want to take it further, BN_DEBUG_RAND)
supposedly adds consistency checks to the BN code. These are rarely if ever
used and introduce a bunch of clutter in the code. Furthermore, there are
hacks in place to undo things that the debugging code does.

Remove all of this mess and instead rely on always enabled checks, more
readable code and proper regress coverage to ensure correct behaviour.

"Good riddance." tb@

Change bn_expand()/bn_wexpand() to indicate failure/success via 0/1.

Currently bn_expand()/bn_wexpand() return a BIGNUM *, however none of the
callers use this (and many already treat it as a true/false value).
Change these functions to return 0 on failure and 1 on success, revising
callers that test against NULL in the process.

ok tb@

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

Stop including standard headers via cryptlib.h - pull in the headers that
are needed in the source files that actually require them.

ok beck@ miod@

tags as requested by miod and tedu

Emergency knfectomie requested by tedu@.

openssl-1.0.0e: resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]

merge 0.9.7b with local changes; crank majors for libssl/libcrypto

merge openssl-0.9.7-beta3, tested on vax by miod@

Merge OpenSSL 0.9.7-stable-20020605,
correctly autogenerate obj_mac.h

Merge openssl-0.9.7-stable-SNAP-20020519

OpenSSL 0.9.7 stable 2002 05 08 merge

openssl-engine-0.9.6 merge

OpenSSL 0.9.5a merge

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

OpenSSL 0.9.4 merge

branches: 1.1.1;
Initial revision

Mop up debug code that escaped previously.

This is the result of `unifdef -m -U BN_COUNT'.

Mop up more BN_DEBUG related code.

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Remove BIGNUM consistency macros.

Compiling with BN_DEBUG (and if you want to take it further, BN_DEBUG_RAND)
supposedly adds consistency checks to the BN code. These are rarely if ever
used and introduce a bunch of clutter in the code. Furthermore, there are
hacks in place to undo things that the debugging code does.

Remove all of this mess and instead rely on always enabled checks, more
readable code and proper regress coverage to ensure correct behaviour.

"Good riddance." tb@

Change bn_expand()/bn_wexpand() to indicate failure/success via 0/1.

Currently bn_expand()/bn_wexpand() return a BIGNUM *, however none of the
callers use this (and many already treat it as a true/false value).
Change these functions to return 0 on failure and 1 on success, revising
callers that test against NULL in the process.

ok tb@

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

Stop including standard headers via cryptlib.h - pull in the headers that
are needed in the source files that actually require them.

ok beck@ miod@

tags as requested by miod and tedu

Emergency knfectomie requested by tedu@.

openssl-1.0.0e: resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]

merge 0.9.7b with local changes; crank majors for libssl/libcrypto

merge openssl-0.9.7-beta3, tested on vax by miod@

Merge OpenSSL 0.9.7-stable-20020605,
correctly autogenerate obj_mac.h

Merge openssl-0.9.7-stable-SNAP-20020519

OpenSSL 0.9.7 stable 2002 05 08 merge

openssl-engine-0.9.6 merge

OpenSSL 0.9.5a merge

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

OpenSSL 0.9.4 merge

branches: 1.1.1;
Initial revision

Mop up more BN_DEBUG related code.

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Remove BIGNUM consistency macros.

Compiling with BN_DEBUG (and if you want to take it further, BN_DEBUG_RAND)
supposedly adds consistency checks to the BN code. These are rarely if ever
used and introduce a bunch of clutter in the code. Furthermore, there are
hacks in place to undo things that the debugging code does.

Remove all of this mess and instead rely on always enabled checks, more
readable code and proper regress coverage to ensure correct behaviour.

"Good riddance." tb@

Change bn_expand()/bn_wexpand() to indicate failure/success via 0/1.

Currently bn_expand()/bn_wexpand() return a BIGNUM *, however none of the
callers use this (and many already treat it as a true/false value).
Change these functions to return 0 on failure and 1 on success, revising
callers that test against NULL in the process.

ok tb@

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

Stop including standard headers via cryptlib.h - pull in the headers that
are needed in the source files that actually require them.

ok beck@ miod@

tags as requested by miod and tedu

Emergency knfectomie requested by tedu@.

openssl-1.0.0e: resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]

merge 0.9.7b with local changes; crank majors for libssl/libcrypto

merge openssl-0.9.7-beta3, tested on vax by miod@

Merge OpenSSL 0.9.7-stable-20020605,
correctly autogenerate obj_mac.h

Merge openssl-0.9.7-stable-SNAP-20020519

OpenSSL 0.9.7 stable 2002 05 08 merge

openssl-engine-0.9.6 merge

OpenSSL 0.9.5a merge

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

OpenSSL 0.9.4 merge

branches: 1.1.1;
Initial revision

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Remove BIGNUM consistency macros.

Compiling with BN_DEBUG (and if you want to take it further, BN_DEBUG_RAND)
supposedly adds consistency checks to the BN code. These are rarely if ever
used and introduce a bunch of clutter in the code. Furthermore, there are
hacks in place to undo things that the debugging code does.

Remove all of this mess and instead rely on always enabled checks, more
readable code and proper regress coverage to ensure correct behaviour.

"Good riddance." tb@

Change bn_expand()/bn_wexpand() to indicate failure/success via 0/1.

Currently bn_expand()/bn_wexpand() return a BIGNUM *, however none of the
callers use this (and many already treat it as a true/false value).
Change these functions to return 0 on failure and 1 on success, revising
callers that test against NULL in the process.

ok tb@

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

Stop including standard headers via cryptlib.h - pull in the headers that
are needed in the source files that actually require them.

ok beck@ miod@

tags as requested by miod and tedu

Emergency knfectomie requested by tedu@.

openssl-1.0.0e: resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]

merge 0.9.7b with local changes; crank majors for libssl/libcrypto

merge openssl-0.9.7-beta3, tested on vax by miod@

Merge OpenSSL 0.9.7-stable-20020605,
correctly autogenerate obj_mac.h

Merge openssl-0.9.7-stable-SNAP-20020519

OpenSSL 0.9.7 stable 2002 05 08 merge

openssl-engine-0.9.6 merge

OpenSSL 0.9.5a merge

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

OpenSSL 0.9.4 merge

branches: 1.1.1;
Initial revision

Change bn_expand()/bn_wexpand() to indicate failure/success via 0/1.

Currently bn_expand()/bn_wexpand() return a BIGNUM *, however none of the
callers use this (and many already treat it as a true/false value).
Change these functions to return 0 on failure and 1 on success, revising
callers that test against NULL in the process.

ok tb@

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

Stop including standard headers via cryptlib.h - pull in the headers that
are needed in the source files that actually require them.

ok beck@ miod@

tags as requested by miod and tedu

Emergency knfectomie requested by tedu@.

openssl-1.0.0e: resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]

merge 0.9.7b with local changes; crank majors for libssl/libcrypto

merge openssl-0.9.7-beta3, tested on vax by miod@

Merge OpenSSL 0.9.7-stable-20020605,
correctly autogenerate obj_mac.h

Merge openssl-0.9.7-stable-SNAP-20020519

OpenSSL 0.9.7 stable 2002 05 08 merge

openssl-engine-0.9.6 merge

OpenSSL 0.9.5a merge

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

OpenSSL 0.9.4 merge

branches: 1.1.1;
Initial revision

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.