<feed xmlns='http://www.w3.org/2005/Atom'>
<title>openbsd/src/lib/libcrypto/ec, branch libressl-v3.8.2</title>
<subtitle>A mirror of https://github.com/libressl/openbsd.git
</subtitle>
<id>https://git.lua4.win/openbsd/atom?h=libressl-v3.8.2</id>
<link rel='self' href='https://git.lua4.win/openbsd/atom?h=libressl-v3.8.2'/>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/'/>
<updated>2023-09-24T08:08:54+00:00</updated>
<entry>
<title>Break two ridiculously long lines in ec_pub_cmp() and ec_cmp_parameters()</title>
<updated>2023-09-24T08:08:54+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-09-24T08:08:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=f257f15dc71c18de778afce6d4d6b1f8f8a95c17'/>
<id>urn:sha1:f257f15dc71c18de778afce6d4d6b1f8f8a95c17</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Refactor eckey_{param2type,type2param}()</title>
<updated>2023-09-24T07:58:31+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-09-24T07:58:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=b4a6d4206140f6c81e1f9e13b0e660f5f46de2e1'/>
<id>urn:sha1:b4a6d4206140f6c81e1f9e13b0e660f5f46de2e1</id>
<content type='text'>
EC key parameters can be determined by an OID or they can be explicitly
encoded. The confusingly named eckey_{param2type,type2param}() decode a
new EC key from either form of parameters, or they encode a given key's
parameters in the proper way. Signature and semantics are all over the
place. It also features an inlined version of EC_KEY_new_by_curve_name().
This commit brings some order into this mess.

Parameters are given by a pair (ptype, pval), where the ptype is either
V_ASN1_OBJECT for OID encoding or V_ASN1_SEQUENCE for explicit encoding.
Accordingly, the void pointer pval is an ASN1_OBJECT or an ASN1_STRING.
These pairs are abstracted away in the X509_ALGOR object.

The library decides whether a given EC key uses OID or explicit parameter
encoding using the asn1_flag on the EC key's internal EC_GROUP, i.e., the
object representing its curve. If this flag is set, the OID is determined
by the nid returned by EC_GROUP_get_curve_name().

Add 'mutually inverse' pairs of functions eckey_{to,from}_params() which
wrap eckey_{to,from}_object() and eckey_{to,from}_explicit_params(). This
way the EC ameth pub and priv key de/encoding functions can transparently
translate from/to an X509_ALGOR object.

Of course, this is just an intermediate step and if you look closely you
notice const weirdness (due to the fact that the carefully planned and
executed const rampage missed the ECParameters API) and all sorts of other
things that need to be fixed. Who would bat an eyelid? It wouldn't be
visible amid all the twitching anyway.

ok jsing
</content>
</entry>
<entry>
<title>ec_ameth: clean up eckey_{pub,priv}_encode()</title>
<updated>2023-08-21T09:52:30+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-08-21T09:52:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=5da8854a55630a13207388a7ea72fd22707b8355'/>
<id>urn:sha1:5da8854a55630a13207388a7ea72fd22707b8355</id>
<content type='text'>
Factor eckey_param_free() out of eckey_pub_encode(). ASN1_OBJECT_free()
is not actually needed. This will be addressed later.

i2o_ECPublicKey() allocates internally if *out == NULL, so no need to do
the two-call dance. Its return value is documented to be &lt;= 0 on error,
which is wrong in the sense that only 0 is returned. Keep using the same
check for &lt;= 0 as everywhere else.

Set EC_PKEY_NO_PARAMETERS after the poorly named eckey_param2type() to
avoid potential underhanded side effects.

In eckey_priv_encode(), error exits would leak pval a few times.
Avoid this and simplify using i2d's internal allocation. Reinstate the
flags in a single error path.

ok jsing
</content>
</entry>
<entry>
<title>The int_ prefix also leaves the ec_ameth mess</title>
<updated>2023-08-12T08:07:35+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-08-12T08:07:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=d70541cf13039714f8737b63907ee8c4912d935e'/>
<id>urn:sha1:d70541cf13039714f8737b63907ee8c4912d935e</id>
<content type='text'>
The prefixes in here are all over the place... This removes one variety.
</content>
</entry>
<entry>
<title>Move EC_KEY and EC_KEY_METHOD typedefs to ossl_typ.h</title>
<updated>2023-08-11T04:45:27+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-08-11T04:45:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=ee70e07b7195b179ba73fc468125496608d8e72d'/>
<id>urn:sha1:ee70e07b7195b179ba73fc468125496608d8e72d</id>
<content type='text'>
ok jsing
</content>
</entry>
<entry>
<title>Make the bn_rand_interval() API a bit more ergonomic</title>
<updated>2023-08-03T18:53:56+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-08-03T18:53:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=44ff07e01874ea8be0c72bf9d20cb7f13b76cca8'/>
<id>urn:sha1:44ff07e01874ea8be0c72bf9d20cb7f13b76cca8</id>
<content type='text'>
Provide bn_rand_in_range() which is a slightly tweaked version of what was
previously called bn_rand_range().

The way bn_rand_range() is called in libcrypto, the lower bound is always
expressible as a word. In fact, most of the time it is 1, the DH code uses
a 2, the MR tests in BPSW use 3 and an exceptionally high number appears in
the Tonelli-Shanks implementation where we use 32. Converting these lower
bounds to BIGNUMs on the call site is annoying so let bn_rand_interval()
do that internally and route that through bn_rand_in_range(). This way we
can avoid using BN_sub_word().

Adjust the bn_isqrt() test to use bn_rand_in_range() since that's the
only caller that uses actual BIGNUMs as lower bounds.

ok jsing
</content>
</entry>
<entry>
<title>Stop including ecdsa.h and ecdh.h internally</title>
<updated>2023-07-28T15:50:33+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-07-28T15:50:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=dee6ca6302cdbd5982c40288832f1fbe51d045d5'/>
<id>urn:sha1:dee6ca6302cdbd5982c40288832f1fbe51d045d5</id>
<content type='text'>
These headers are now reduced to #include &lt;openssl/ec.h&gt; and are provided
for compatibility only. There's no point in using them. At the same time
garbage collect the last uses of OPENSSL_NO_{ECDSA,ECDH} in our tree.

ok jsing
</content>
</entry>
<entry>
<title>Move KDF handling to ECDH_compute_key()</title>
<updated>2023-07-28T09:28:37+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-07-28T09:28:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=c043ade63ba3d45eacfb953347c00f0988397d9a'/>
<id>urn:sha1:c043ade63ba3d45eacfb953347c00f0988397d9a</id>
<content type='text'>
In OpenSSL e2285d87, the KDF handling was moved from the compute_key()
method into the public API. A consequence of this change is that the
ECDH_compute_key() API no longer returns -1 for some errors. Existing
checks for &lt;= 0 are safe as are those checking for the exact length as
return value, which is all what the ecosystem seems to be doing.

ok jsing
</content>
</entry>
<entry>
<title>Merge ecdh.h into ec.h</title>
<updated>2023-07-28T09:25:12+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-07-28T09:25:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=2d27f5ba745b8f5de6e3e827829699607f11a54f'/>
<id>urn:sha1:2d27f5ba745b8f5de6e3e827829699607f11a54f</id>
<content type='text'>
The remaining two ECDH interfaces are relocated into ec.h. ecdh.h
remains. It does nothing but include ec.h.

ok jsing
</content>
</entry>
<entry>
<title>Merge ecdsa.h into ec.h</title>
<updated>2023-07-28T09:16:17+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-07-28T09:16:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=bf7ee0210d0d1420ed787a79eda0c974f8d15f17'/>
<id>urn:sha1:bf7ee0210d0d1420ed787a79eda0c974f8d15f17</id>
<content type='text'>
Move the remaining ECDSA API into ec.h to match OpenSSL 1.1's interface
better.  In particular, the EC_KEY sign and verify method accessors are
moved to the right header. Whether the rest of the ECDSA stuff belongs
there is debatable, but that was upstream's choice.

ok jsing
</content>
</entry>
</feed>
