The existence of the public get_rfc*() API is a historic curiosity that may
soon be corrected. We inherited its use and it survived in libssl until now.
Switch to the better named BN_get_rfc*() wrappers.
ok jsing
This code is unreachable since binary curve support was removed.
There is a lot more to clean up in here...
ok jsing
This was needed for defining the multiplication over binary fields. Since
that code is gone, this is no longer needed.
ok jsing
The remaining EC_METHODs in libcrypto all have a field type of
NID_X9_62_prime_field, so this function always returns 0. Make
that more obvious.
ok jsing
For some reason there is no NULL check on setting the HKDF key for p2 like
in the other cases in the switch; instead OpenSSL fails in memdup, nulling
out the key but leaving the key_len at the old value. This looks accidental
but our behavior makes some haproxy regress tests segfault. So mimic weird
OpenSSL semantics but in addition set the key_len to 0.
Reported by Ilya Shipitsin
ok jsing
These were accidentally left behind in a previous commit.
In anticipation of merging ecdh/ and ecdsa/ into ec/, move the last
remaining thing in ech_local.h where it will soon belong.
This way the public ECDH API that will remain in libcrypto is in one file
and the public ECDH API that will go is in the other one.
No other file uses this anymore
Now that they no longer use static methods, they can move where they
belong. Also make the static method const, as it should have been all
along.
With the ecdh_check() and ecdsa_check() abominations gone, we can finally
get rid of EC_EXTRA_DATA and EC_KEY_{get,insert}_key_method_data(). The
EC_EX_DATA_*() handlers, (which fortunately have always had "'package'
level visibility") join the ride to the great bit bucket in the sky.
Thanks to op for making this possible.
ok jsing
This is now unused code. Removing it will free us up to remove some
other ugliness in the ec directory.
ok jsing
Now that it is no longer possible to set a custom {ECDH,ECDSA}_METHOD,
EC_KEY_METHOD can just call the relevant method directly without the
need for this extra contortion.
ok jsing
ok jsing
They will be removed in the next major bump. No port uses them. They use
code that is in the way of upcoming surgery. Only libtls and smtpd used
to use the ECDSA version.
ok jsing
They will be removed in the next major bump. No port uses them. They use
code that is in the way of upcoming surgery. Only libtls used the ECDSA
version, but thankfully op cleaned that up.
ok jsing
Per RFC 5280, 4.2: A certificate MUST NOT include more than one instance
of a particular extension.
This implements such a check in x509v3_cache_extensions() by sorting the
list of extensions and looking for duplicate neighbors. This sidesteps
complications from extensions we do not know about and keeps algorithmic
complexity reasonable. If the check fails, EXFLAG_INVALID is set on the
certificate, which means that the verifier will not validate it.
ok jsing
On BN_ULLONG architectures, the C compiler can usually do a decent job
of optimising primitives, however it struggles to see through primitive
calls due to type narrowing. As such, providing explicit versions of
compound primitives can result in the production of more optimal code.
For example, on arm the bn_mulw_addw_addw() primitive can be replaced
with a single umaal instruction, which provides significant performance
gains.
Rather than intermingling #ifdef/#else throughout the header, the
BN_ULLONG defines are pulled up above the normal functions. This also
allows complex compound primitives to be reused. The conditionals have also
been changed from BN_LLONG to BN_ULLONG, since that is what really matters.
ok tb@
These are no longer in use - stub EC_GROUP_precompute_mult() and
EC_GROUP_have_precompute_mult() to match their existing behaviour.
ok tb@
Since there are now no EC implementations that perform pre-computation at
the EC_GROUP level, remove all of the precomp machinery, including the
extra_data EC_GROUP member.
The ec_wNAF_mul() code is horrific - simply cut out the precomp code,
rather than trying to rewrite it (that's a project for another day).
ok tb@
These were previously called by GF2m code and are no longer used.
Also remove ec_pre_comp_new(), since it is only called by
ec_wNAF_precompute_mult() and is now unused.
ok tb@
At least one of our bn_mul_words() assembly implementations fails to handle
n = 0 correctly... *sigh*
This removes a data dependent timing path from BN_sqr().
ok tb@
Rework bn_sqr()/bn_sqr_normal() so that it is less convoluted and more
readable. Instead of recomputing values that the caller has already
computed, pass it as an argument. Avoid branching and remove duplication
of variables. Consistently use a_len and r_len naming for lengths.
ok tb@
Historically (and currently in OpenSSL), BN_asc2bn() could be called with
NULL, but only for positive numbers. So BN_asc2bn(NULL, "1") would succeed
but BN_asc2bn(NULL, "-1"), would crash. The other *2bn functions return a
length, so accepting a NULL makes some sense since it allows callers to
skip over part of the string just parsed (atoi-style).
For BN_asc2bn() a NULL bn makes no sense because it returns a boolean. The
recent CBS rewrite makes BN_asc2bn(NULL, *) always crash which in turn made
Coverity throw a fit.
Another change of behavior from that rewrite pertains to accidents (or is
it madness?) like -0x-11 and 0x-11 being parsed as decimal -17 (which Ingo
of course spotted and diligently documented). This will be addressed later.
ok jsing
Purely cosmetic change taking into account the fact that this function
returns a length rather than a boolean. This is the last offender in the
library.
ok jsing
It returns a length, not a Boolean, so check for 0 explicitly. This is
purely cosmetic.
ok jsing
This file is already enough of an eyesore without them.
__builtin_return_address(a) with a != 0.
ok deraadt@
On some architectures, we can provide an optimised (often single
instruction) count-leading-zero implementation. In order to do this
effectively, provide bn_clzw() as a static inline that can be replaced
by an architecture specific version. The default implementation defers
to the bn_word_clz() function (which may also be architecture specific).
ok tb@
Provide bn_bitsize(), which performs a constant time scan of a BN in order
to determine the bit size of the BN value. Use this for BN_num_bits() such
that it is no longer dependent on the bn->top value.
ok tb@
Test BN_sqr() with a newly allocated BN, a BN explicitly set to zero and
small values that fit in a single BN_ULONG.