openbsd/src/lib/libcrypto/ec, branch OPENBSD_7

openbsd/src/lib/libcrypto/ec, branch OPENBSD_7_2 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_7_2 2022-08-29T06:08:03+00:00 static const, not const static 2022-08-29T06:08:03+00:00 jsg 2022-08-29T06:08:03+00:00 urn:sha1:59c198b86e1865225a9669c36bf92d25ff2252eb c99 6.11.5: "The placement of a storage-class specifier other than at the beginning of the declaration specifiers in a declaration is an obsolescent feature." ok miod@ tb@ Remove mkerr.pl remnants from LibreSSL 2022-07-12T14:42:50+00:00 kn 2022-07-12T14:42:50+00:00 urn:sha1:89e42d5857196a8071fbafb5565388d0e20ec32b This script is not used at all and files are edited by hand instead. Thus remove misleading comments incl. the obsolete script/config. Feedback OK jsing tb Replace obj_mac.h with object.h 2022-06-30T11:14:47+00:00 tb 2022-06-30T11:14:47+00:00 urn:sha1:b9750dad90805ab9064b083f792c0c680759708a Pointed out by and ok jsing Prepare to provide EVP_PKEY_security_bits() 2022-06-27T12:36:06+00:00 tb 2022-06-27T12:36:06+00:00 urn:sha1:3a9b1012fb6b57946e4cf3ee7b795a4bdcb905cc This also provides a pkey_security_bits member to the PKEY ASN.1 methods and a corresponding setter EVP_PKEY_asn1_set_security_bits(). ok beck jsing Simplify ec_asn1_group2curve() 2022-05-24T20:06:32+00:00 tb 2022-05-24T20:06:32+00:00 urn:sha1:435fb6426e62f7bb0b466ce6432633cd40849810 Don't try to reuse curve->seed to avoid an allocation. Free it unconditionally and copy over the group->seed if it's available. Use asn1_abs_set_unused_bits() instead of inlining it. ok jsing Straightforward conversion of ecdh_cms_encrypt() to 2022-05-24T20:00:15+00:00 tb 2022-05-24T20:00:15+00:00 urn:sha1:ec1bdf8bd3305af29424a61ce4b3f36852f88a35 asn1_abs_set_unused_bits() ok jsing Avoid infinite loop for custom curves of order 1 2022-04-07T17:37:25+00:00 tb 2022-04-07T17:37:25+00:00 urn:sha1:1061feec63ce8eec5e559ca2697b80bc73044484 If a private key encoded with EC parameters happens to have order 1 and is used for ECDSA signatures, this causes an infinite loop since a random integer x in the interval [0,1) will be 0, so do ... while (x == 0); will loop indefinitely. Found and reported with a reproducer by Hanno Boeck. Helpful comments and analysis from David Benjamin. ok beck jsing Simplify priv_key handling in d2i_ECPrivateKey() 2022-03-31T13:00:58+00:00 tb 2022-03-31T13:00:58+00:00 urn:sha1:91087446015ebb4341a9f7c6accff0e586a0ba5d d2i_EC_PRIVATEKEY() can handle the allocation of priv_key internally, no need to do this up front and reach it through the dangerous reuse mechanism. There's also no point in freeing a variable we know to be NULL. ok jsing Bound cofactor in EC_GROUP_set_generator() 2022-03-29T14:03:12+00:00 tb 2022-03-29T14:03:12+00:00 urn:sha1:89475160d42bc14609305f5d10c30b9f6042c4b0 Instead of bounding only bounding the group order, also bound the cofactor using Hasse's theorem. This could probably be made a lot tighter since all curves of cryptographic interest have small cofactors, but for now this is good enough. A timeout found by oss-fuzz creates a "group" with insane parameters over a 40-bit field: the order is 14464, and the cofactor has 4196223 bits (which is obviously impossible by Hasse's theorem). These led to running an expensive loop in ec_GFp_simple_mul_ct() millions of times. Fixes oss-fuzz #46056 Diagnosed and fix joint with jsing ok inoguchi jsing (previous version) Do not zero cofactor on ec_guess_cofactor() success 2022-03-29T13:48:40+00:00 tb 2022-03-29T13:48:40+00:00 urn:sha1:5c5a9e687c0eb72164516557865831f499cc3e04 The cofactor we tried to calculate should only be zeroed if we failed to compute it. ok inoguchi jsing