openbsd/src/lib/libcrypto/ecdsa, branch libressl-v2.9.2 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v2.9.2 2019-01-19T01:17:41+00:00 Partial port of EC_KEY_METHOD from OpenSSL 1.1. 2019-01-19T01:17:41+00:00 tb 2019-01-19T01:17:41+00:00 urn:sha1:e703f4ea1718542db072958b64181b462187d8ba Pass const method to EC_KEY_METHOD_get_*() to get rid of an XXX. from markus Partial port of EC_KEY_METHOD from OpenSSL 1.1. 2019-01-19T01:12:48+00:00 tb 2019-01-19T01:12:48+00:00 urn:sha1:a8a1d0862b279d5f1d505fa305718acb94730824 This commit adds missing API for ECDH/ECDSA_verify. from markus Partial port of EC_KEY_METHOD from OpenSSL 1.1. 2019-01-19T01:07:00+00:00 tb 2019-01-19T01:07:00+00:00 urn:sha1:aa769d92fad41004606a446424dde716784d7854 This commit adds init/free, support for signing, setting and getting the method, engine support as well as extra data. from markus Factor out a bit of ugly code that truncates the digest to the order_bits 2018-07-10T21:36:02+00:00 tb 2018-07-10T21:36:02+00:00 urn:sha1:1160f4fd0218eb9c7787e1e38bb7f7e10e73e6bc leftmost bits of a longer digest, according to FIPS 183-6, 6.4. Eliminate a microoptimization that only converts the relevant part of the digest to a bignum. ok beck, jsing Tiny tweak to the blinding comment. 2018-06-16T08:11:33+00:00 tb 2018-06-16T08:11:33+00:00 urn:sha1:5f165a6af7d0904da0c24e42868d1d9802b35c06 Basic cleanup. Handle the possibly NULL ctx_in in ecdsa_sign_setup() with 2018-06-15T19:24:13+00:00 tb 2018-06-15T19:24:13+00:00 urn:sha1:37a490a3eb5e6f687e99e269bbb85a8a39b124db the usual idiom. All the allocations are now handled inside conditionals as is usually done in this part of the tree. Turn a few comments into actual sentences and remove a few self-evident ones. Change outdated or cryptic comments into more helpful annotations. In ecdsa_do_verify(), start calculating only after properly truncating the message digest. More consistent variable names: prefer 'order_bits' and 'point' over 'i' and 'tmp_point'. ok jsing Clean up some whitespace and polish a few comments. Reduces noise in 2018-06-15T05:00:41+00:00 tb 2018-06-15T05:00:41+00:00 urn:sha1:51d162df4fc8b5327e3235d2baef79ffbaf42258 an upcoming diff. Use a blinding value when generating an ECDSA signature, in order to 2018-06-14T18:51:01+00:00 tb 2018-06-14T18:51:01+00:00 urn:sha1:685cc27d67759afe790d85e2f16a4eea7624758f reduce the possibility of a side-channel attack leaking the private key. Suggested by Keegan Ryan at NCC Group. With input from and ok jsing Avoid a timing side-channel leak when generating DSA and ECDSA signatures. 2018-06-13T15:05:04+00:00 jsing 2018-06-13T15:05:04+00:00 urn:sha1:70f6c28ec4997461a2ea714457e95ada1c2287ef This is caused by an attempt to do fast modular arithmetic, which introduces branches that leak information regarding secret values. Issue identified and reported by Keegan Ryan of NCC Group. ok beck@ tb@ Fix a small timing side channel in ecdsa_sign_setup(). Up to whitespace 2018-04-28T14:17:56+00:00 tb 2018-04-28T14:17:56+00:00 urn:sha1:14f45f5c33b8fb98a6fccb34d3a680c55fbf306b this is OpennSSL commit 4a089bbdf11f9e231cc68f42bba934c954d81a49. ok beck, jsing Original commit message: commit 4a089bbdf11f9e231cc68f42bba934c954d81a49 Author: Pauli <paul.dale@oracle.com> Date: Wed Nov 1 06:58:39 2017 +1000 Address a timing side channel whereby it is possible to determine some information about the length of the scalar used in ECDSA operations from a large number (2^32) of signatures. This doesn't rate as a CVE because: * For the non-constant time code, there are easier ways to extract more information. * For the constant time code, it requires a significant number of signatures to leak a small amount of information. Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for reporting this issue. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4576)]