A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_7_7 2025-03-24T13:07:04+00:00 2025-03-24T13:07:04+00:00 jsing 2025-03-24T13:07:04+00:00 urn:sha1:865465694bb9f7950a0710e8d7667d2540779602 EC_POINT_mul() has a complex multi-use interface - there are effectively three different ways it will behave, depending on which arguments are NULL. In the case where we compute g_scalar * generator + p_scalar * point, the mul_double_nonct() function pointer is called, however only g_scalar, p_scalar and point are passed - it is expected that the lower level implementation (in this case ec_wnaf_mul()) will use the generator from the group. Change mul_double_nonct(), ec_mul_double_nonct() and ec_wnaf_mul() so that they take scalar1, point1, scalar2 and point2. This removes all knowledge of g_scalar and the generator from the multiplication code, keeping it limited to EC_POINT_mul(). While here also consistently pass scalar then point, rather than a mix of scalar/point and point/scalar. ok tb@ 2025-03-24T12:49:13+00:00 jsing 2025-03-24T12:49:13+00:00 urn:sha1:572b48cb49edaff7e25c2a2130a6715142745223 When a non-NULL generator scalar is passed to EC_POINT_mul(), the group's generator will be used in multiplication. Add a check that ensures that the group generator is non-NULL, in order to avoid needing to handle this elsewhere (currently in the lower level point multiplication code). ok tb@ 2025-03-13T10:39:51+00:00 tb 2025-03-13T10:39:51+00:00 urn:sha1:496f9bc849b86c6d78029441fca5894a030c1798 The last argument is a pointer to the KDF, so use NULL, not 0. 2025-03-13T10:31:12+00:00 tb 2025-03-13T10:31:12+00:00 urn:sha1:a8dfe0e93a8dd087c97360014c85b4a5b706ac43 Reach into the group (p and order are always available) and use BN_num_bytes() rather than using clumsy and badly named API. It's shorter and more readable. ok jsing 2025-03-10T08:38:11+00:00 tb 2025-03-10T08:38:11+00:00 urn:sha1:fa5bb46ab31f9e9a8c9ba86cd323f062d73fbfa7 With the removal of the EC_POINTs_* API, this header features no arrays anymore, so this noise can go away. ok miod 2025-03-09T17:53:11+00:00 tb 2025-03-09T17:53:11+00:00 urn:sha1:c7dcb1bd37246960fb73fc82d90f6ccf1543d70b There are three "X9.62 curve over a 239 bit prime field" and the Brainpool curves are a pair for each field size thanks to their characteristic twist. Just include the curve name for each of the curves. discussed with jsing 2025-03-09T15:42:19+00:00 tb 2025-03-09T15:42:19+00:00 urn:sha1:4be808e28680e2a2170b30eec229c60cf8d921ec And another one... Completely overengineered for the sake of academic credentials and only Ruby ever picked this garbage up. Fortunately, it's no longer used with LibreSSL since we defanged this in 2018. The latest version of ruby/openssl has completely removed this as part of their post 1.0.x cleanup. ok jsing 2025-03-09T15:39:39+00:00 tb 2025-03-09T15:39:39+00:00 urn:sha1:56f34fa2487d9426eeedabbd78842094c36f8c8c There goes another implementation detail that should never have been leaked out of the library. ok jsing 2025-03-09T15:37:31+00:00 tb 2025-03-09T15:37:31+00:00 urn:sha1:6bee4b83725b153b6d7208954ada4af2402d16da These have been noops for a while and as usual some Perl module was the only thing "using" it. ok jsing 2025-03-09T15:35:40+00:00 tb 2025-03-09T15:35:40+00:00 urn:sha1:4ddad434176a7ad7ea0ce3b49407fb745e911351 Without EC_GROUP_new(), this API is useless. There's EC_GROUP_dup(). ok jsing