diff options
| author | tb <> | 2018-06-15 05:00:41 +0000 |
|---|---|---|
| committer | tb <> | 2018-06-15 05:00:41 +0000 |
| commit | 2c25c4b4c61884af3b090e7db459cc826945c359 (patch) | |
| tree | 1e5f44dcbb1c94f1a2e3d51a23f7458936a1a7f7 /src/lib/libcrypto/ecdsa | |
| parent | 419cc2003a828092974570e1c645b732b8908228 (diff) | |
| download | openbsd-2c25c4b4c61884af3b090e7db459cc826945c359.tar.gz openbsd-2c25c4b4c61884af3b090e7db459cc826945c359.tar.bz2 openbsd-2c25c4b4c61884af3b090e7db459cc826945c359.zip | |
Clean up some whitespace and polish a few comments. Reduces noise in
an upcoming diff.
Diffstat (limited to 'src/lib/libcrypto/ecdsa')
| -rw-r--r-- | src/lib/libcrypto/ecdsa/ecs_ossl.c | 45 |
1 files changed, 21 insertions, 24 deletions
diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c index 3939d7c8c1..be279b34b6 100644 --- a/src/lib/libcrypto/ecdsa/ecs_ossl.c +++ b/src/lib/libcrypto/ecdsa/ecs_ossl.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ecs_ossl.c,v 1.12 2018/06/14 18:51:01 tb Exp $ */ | 1 | /* $OpenBSD: ecs_ossl.c,v 1.13 2018/06/15 05:00:41 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Written by Nils Larsch for the OpenSSL project | 3 | * Written by Nils Larsch for the OpenSSL project |
| 4 | */ | 4 | */ |
| @@ -92,7 +92,7 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) | |||
| 92 | BIGNUM *k = NULL, *r = NULL, *order = NULL, *X = NULL; | 92 | BIGNUM *k = NULL, *r = NULL, *order = NULL, *X = NULL; |
| 93 | EC_POINT *tmp_point = NULL; | 93 | EC_POINT *tmp_point = NULL; |
| 94 | const EC_GROUP *group; | 94 | const EC_GROUP *group; |
| 95 | int order_bits, ret = 0; | 95 | int order_bits, ret = 0; |
| 96 | 96 | ||
| 97 | if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) { | 97 | if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) { |
| 98 | ECDSAerror(ERR_R_PASSED_NULL_PARAMETER); | 98 | ECDSAerror(ERR_R_PASSED_NULL_PARAMETER); |
| @@ -124,7 +124,7 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) | |||
| 124 | goto err; | 124 | goto err; |
| 125 | } | 125 | } |
| 126 | 126 | ||
| 127 | /* Preallocate space */ | 127 | /* Preallocate space. */ |
| 128 | order_bits = BN_num_bits(order); | 128 | order_bits = BN_num_bits(order); |
| 129 | if (!BN_set_bit(k, order_bits) || | 129 | if (!BN_set_bit(k, order_bits) || |
| 130 | !BN_set_bit(r, order_bits) || | 130 | !BN_set_bit(r, order_bits) || |
| @@ -135,16 +135,17 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) | |||
| 135 | /* get random k */ | 135 | /* get random k */ |
| 136 | do | 136 | do |
| 137 | if (!BN_rand_range(k, order)) { | 137 | if (!BN_rand_range(k, order)) { |
| 138 | ECDSAerror(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED); | 138 | ECDSAerror( |
| 139 | ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED); | ||
| 139 | goto err; | 140 | goto err; |
| 140 | } | 141 | } |
| 141 | while (BN_is_zero(k)); | 142 | while (BN_is_zero(k)); |
| 142 | 143 | ||
| 143 | /* | 144 | /* |
| 144 | * We do not want timing information to leak the length of k, | 145 | * We do not want timing information to leak the length of k, |
| 145 | * so we compute G*k using an equivalent scalar of fixed | 146 | * so we compute G * k using an equivalent scalar of fixed |
| 146 | * bit-length. | 147 | * bit-length. |
| 147 | * | 148 | * |
| 148 | * We unconditionally perform both of these additions to prevent | 149 | * We unconditionally perform both of these additions to prevent |
| 149 | * a small timing information leakage. We then choose the sum | 150 | * a small timing information leakage. We then choose the sum |
| 150 | * that is one bit longer than the order. This guarantees the | 151 | * that is one bit longer than the order. This guarantees the |
| @@ -175,8 +176,7 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) | |||
| 175 | } | 176 | } |
| 176 | } | 177 | } |
| 177 | #ifndef OPENSSL_NO_EC2M | 178 | #ifndef OPENSSL_NO_EC2M |
| 178 | else /* NID_X9_62_characteristic_two_field */ | 179 | else { /* NID_X9_62_characteristic_two_field */ |
| 179 | { | ||
| 180 | if (!EC_POINT_get_affine_coordinates_GF2m(group, | 180 | if (!EC_POINT_get_affine_coordinates_GF2m(group, |
| 181 | tmp_point, X, NULL, ctx)) { | 181 | tmp_point, X, NULL, ctx)) { |
| 182 | ECDSAerror(ERR_R_EC_LIB); | 182 | ECDSAerror(ERR_R_EC_LIB); |
| @@ -203,8 +203,8 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) | |||
| 203 | *kinvp = k; | 203 | *kinvp = k; |
| 204 | ret = 1; | 204 | ret = 1; |
| 205 | 205 | ||
| 206 | err: | 206 | err: |
| 207 | if (!ret) { | 207 | if (ret == 0) { |
| 208 | BN_clear_free(k); | 208 | BN_clear_free(k); |
| 209 | BN_clear_free(r); | 209 | BN_clear_free(r); |
| 210 | } | 210 | } |
| @@ -259,20 +259,19 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, | |||
| 259 | goto err; | 259 | goto err; |
| 260 | } | 260 | } |
| 261 | i = BN_num_bits(order); | 261 | i = BN_num_bits(order); |
| 262 | /* Need to truncate digest if it is too long: first truncate whole | 262 | /* Truncate digest if it is too long: first truncate whole bytes. */ |
| 263 | * bytes. | ||
| 264 | */ | ||
| 265 | if (8 * dgst_len > i) | 263 | if (8 * dgst_len > i) |
| 266 | dgst_len = (i + 7)/8; | 264 | dgst_len = (i + 7)/8; |
| 267 | if (!BN_bin2bn(dgst, dgst_len, m)) { | 265 | if (!BN_bin2bn(dgst, dgst_len, m)) { |
| 268 | ECDSAerror(ERR_R_BN_LIB); | 266 | ECDSAerror(ERR_R_BN_LIB); |
| 269 | goto err; | 267 | goto err; |
| 270 | } | 268 | } |
| 271 | /* If still too long truncate remaining bits with a shift */ | 269 | /* If it is still too long, truncate the remaining bits with a shift. */ |
| 272 | if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) { | 270 | if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) { |
| 273 | ECDSAerror(ERR_R_BN_LIB); | 271 | ECDSAerror(ERR_R_BN_LIB); |
| 274 | goto err; | 272 | goto err; |
| 275 | } | 273 | } |
| 274 | |||
| 276 | do { | 275 | do { |
| 277 | if (in_kinv == NULL || in_r == NULL) { | 276 | if (in_kinv == NULL || in_r == NULL) { |
| 278 | if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r)) { | 277 | if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r)) { |
| @@ -298,7 +297,7 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, | |||
| 298 | * | 297 | * |
| 299 | * where b is a random value in the range [1, order-1]. | 298 | * where b is a random value in the range [1, order-1]. |
| 300 | */ | 299 | */ |
| 301 | 300 | ||
| 302 | /* Generate b in range [1, order-1]. */ | 301 | /* Generate b in range [1, order-1]. */ |
| 303 | if (!BN_sub(range, order, BN_value_one())) { | 302 | if (!BN_sub(range, order, BN_value_one())) { |
| 304 | ECDSAerror(ERR_R_BN_LIB); | 303 | ECDSAerror(ERR_R_BN_LIB); |
| @@ -359,7 +358,7 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, | |||
| 359 | 358 | ||
| 360 | ok = 1; | 359 | ok = 1; |
| 361 | 360 | ||
| 362 | err: | 361 | err: |
| 363 | if (!ok) { | 362 | if (!ok) { |
| 364 | ECDSA_SIG_free(ret); | 363 | ECDSA_SIG_free(ret); |
| 365 | ret = NULL; | 364 | ret = NULL; |
| @@ -429,16 +428,14 @@ ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, | |||
| 429 | } | 428 | } |
| 430 | /* digest -> m */ | 429 | /* digest -> m */ |
| 431 | i = BN_num_bits(order); | 430 | i = BN_num_bits(order); |
| 432 | /* Need to truncate digest if it is too long: first truncate whole | 431 | /* Truncate digest if it is too long: first truncate whole bytes. */ |
| 433 | * bytes. | ||
| 434 | */ | ||
| 435 | if (8 * dgst_len > i) | 432 | if (8 * dgst_len > i) |
| 436 | dgst_len = (i + 7)/8; | 433 | dgst_len = (i + 7)/8; |
| 437 | if (!BN_bin2bn(dgst, dgst_len, m)) { | 434 | if (!BN_bin2bn(dgst, dgst_len, m)) { |
| 438 | ECDSAerror(ERR_R_BN_LIB); | 435 | ECDSAerror(ERR_R_BN_LIB); |
| 439 | goto err; | 436 | goto err; |
| 440 | } | 437 | } |
| 441 | /* If still too long truncate remaining bits with a shift */ | 438 | /* If it is still too long, truncate the remaining bits with a shift. */ |
| 442 | if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) { | 439 | if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) { |
| 443 | ECDSAerror(ERR_R_BN_LIB); | 440 | ECDSAerror(ERR_R_BN_LIB); |
| 444 | goto err; | 441 | goto err; |
| @@ -471,8 +468,7 @@ ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, | |||
| 471 | } | 468 | } |
| 472 | } | 469 | } |
| 473 | #ifndef OPENSSL_NO_EC2M | 470 | #ifndef OPENSSL_NO_EC2M |
| 474 | else /* NID_X9_62_characteristic_two_field */ | 471 | else { /* NID_X9_62_characteristic_two_field */ |
| 475 | { | ||
| 476 | if (!EC_POINT_get_affine_coordinates_GF2m(group, | 472 | if (!EC_POINT_get_affine_coordinates_GF2m(group, |
| 477 | point, X, NULL, ctx)) { | 473 | point, X, NULL, ctx)) { |
| 478 | ECDSAerror(ERR_R_EC_LIB); | 474 | ECDSAerror(ERR_R_EC_LIB); |
| @@ -484,10 +480,11 @@ ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, | |||
| 484 | ECDSAerror(ERR_R_BN_LIB); | 480 | ECDSAerror(ERR_R_BN_LIB); |
| 485 | goto err; | 481 | goto err; |
| 486 | } | 482 | } |
| 487 | /* if the signature is correct u1 is equal to sig->r */ | 483 | |
| 484 | /* If the signature is correct, then u1 is equal to sig->r. */ | ||
| 488 | ret = (BN_ucmp(u1, sig->r) == 0); | 485 | ret = (BN_ucmp(u1, sig->r) == 0); |
| 489 | 486 | ||
| 490 | err: | 487 | err: |
| 491 | BN_CTX_end(ctx); | 488 | BN_CTX_end(ctx); |
| 492 | BN_CTX_free(ctx); | 489 | BN_CTX_free(ctx); |
| 493 | EC_POINT_free(point); | 490 | EC_POINT_free(point); |