summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Document behavior change of EC_POINTs_mul() again.tb2018-07-161-4/+22
|
* Recommit Billy Brumley's ECC constant time patch with a fix for sparc64tb2018-07-166-47/+341
| | | | | | | from Nicola Tuveri (who spotted the omission of ecp_nist.c from the PR). discussed with jsing tested by jsg
* re-commit the removal of the EC_POINTs_mul() regression tests with num > 1tb2018-07-151-161/+27
|
* recommit label indentation part of the backout; clearly unrelated to thetb2018-07-1519-91/+93
| | | | breakage.
* $OpenBSD$tb2018-07-151-0/+1
|
* Also revert regression tests so that EC_POINTs_mul() with longer vectorstb2018-07-151-26/+160
| | | | gets exercised again.
* back out ecc constant time changesjsg2018-07-1521-448/+137
| | | | | | | | after the constant time commits various regress tests started failing on sparc64 ssh t9, libcrypto ec ecdh ecdsa and trying to ssh out resulted in 'invalid elliptic curve value' ok tb@
* openssl app timers: TM_START -> TM_RESET, TM_STOP -> TM_GETcheloha2018-07-134-15/+15
| | | | | | | | Much more apt than the current operation names. Names suggested by jca@ ages ago. ok jca, jsing
* Eliminate the weird condition in the BN_swap_ct() API that at most one bittb2018-07-131-3/+3
| | | | | | | | be set in condition. This makes the constant time bit-twiddling a bit trickier, but it's not too bad. Thanks to halex for an extensive rubber ducking session over a non-spicy spicy tabouleh falafel.. ok jsing, kn
* Sync commentkn2018-07-111-3/+5
| | | | | | Makes it a tad easier to read through and compare with BN_swap_ct(). OK tb
* Document behavior change of EC_POINTs_mul(3) from EC constant time changes.tb2018-07-111-4/+22
| | | | ok beck on earlier version, markup help from Schwarze.
* Turn yesterday's optimistic ! in an XXX comment into a more cautious ?tb2018-07-111-2/+2
|
* Update EC regression tests.tb2018-07-111-160/+26
| | | | | | | Part of https://github.com/libressl-portable/openbsd/pull/94 from Billy Brumley and his team. ok jsing
* Indent labels by a space so they don't obliterate function names in diffs.tb2018-07-1019-91/+93
|
* ECC constant time scalar multiplication support. First step in overhaulingtb2018-07-105-46/+337
| | | | | | | | | | | the EC module. From Billy Brumley and his team, via https://github.com/libressl-portable/openbsd/pull/94 With tweaks from jsing and me. ok jsing
* Provide BN_swap_ct(), a constant time function that conditionally swapstb2018-07-102-2/+53
| | | | | | | | | | two bignums. It's saner and substantially less ugly than the existing public BN_constantime_swap() function and will be used in forthcoming work on constant time ECC code. From Billy Brumley and his team. Thanks! ok jsing
* Factor out a bit of ugly code that truncates the digest to the order_bitstb2018-07-101-32/+32
| | | | | | | | leftmost bits of a longer digest, according to FIPS 183-6, 6.4. Eliminate a microoptimization that only converts the relevant part of the digest to a bignum. ok beck, jsing
* $OpenBSD$tb2018-07-102-1/+2
|
* Now that all *_free() functions are NULL safe, we can generate thetb2018-07-105-239/+123
| | | | | | freenull test from Symbols.list. Suggested by jsing, discussed with beck and bluhm.
* +addsubtb2018-07-101-1/+2
|
* Add simple regression tests for BN_{,u}{add,sub}(3). With input from jcatb2018-07-102-0/+248
|
* Move a detail on tls_connect(3) to its documentation and be a bit moretb2018-07-091-5/+7
| | | | | | explicit about the servername argument of tls_connect_servername(3). input & ok jsing, input & ok schwarze on earlier version
* wording tweak for tls_init() from jsingtb2018-07-091-4/+4
| | | | ok jsing, schwarze
* sync with const changes in x509.h r1.68.tb2018-07-091-4/+4
|
* sync with const changes in evp.h r1.64.tb2018-07-091-3/+3
|
* sync with const changes in bio.h r1.44.tb2018-07-091-3/+3
|
* sync with const changes in bio.h r1.45.tb2018-07-091-10/+10
|
* import the relevant parts of a new ASN1_INTEGER_get(3) manual pageschwarze2018-07-082-1/+240
| | | | from OpenSSL, fixing many bugs and polishing many details
* Simplify and shorten the description of tls_init(3),schwarze2018-07-081-4/+4
| | | | | fixing an awkward wording noticed by tb@. OK tb@
* This code is already painful enough to look at. Putting the braces at thetb2018-06-161-74/+64
| | | | right spot helps this a bit. Other whitespace and typo fixes while there.
* Tiny tweak to the blinding comment.tb2018-06-161-2/+4
|
* Basic cleanup. Handle the possibly NULL ctx_in in ecdsa_sign_setup() withtb2018-06-151-67/+62
| | | | | | | | | | | | the usual idiom. All the allocations are now handled inside conditionals as is usually done in this part of the tree. Turn a few comments into actual sentences and remove a few self-evident ones. Change outdated or cryptic comments into more helpful annotations. In ecdsa_do_verify(), start calculating only after properly truncating the message digest. More consistent variable names: prefer 'order_bits' and 'point' over 'i' and 'tmp_point'. ok jsing
* Clean up some whitespace and polish a few comments. Reduces noise intb2018-06-151-24/+21
| | | | an upcoming diff.
* Use a blinding value when generating an ECDSA signature, in order totb2018-06-141-14/+65
| | | | | | | | reduce the possibility of a side-channel attack leaking the private key. Suggested by Keegan Ryan at NCC Group. With input from and ok jsing
* Use a blinding value when generating a DSA signature, in order to reducejsing2018-06-141-9/+39
| | | | | | | | the possibility of a side-channel attack leaking the private key. Suggested by Keegan Ryan at NCC Group. With input from and ok tb@
* Clarify the digest truncation comment in DSA signature generation.jsing2018-06-141-3/+4
| | | | Requested by and ok tb@
* Pull up the code that converts the digest to a BIGNUM - this only needsjsing2018-06-141-10/+10
| | | | | | | to occur once and not be repeated if the signature generation has to be repeated. ok tb@
* Fix a potential leak/incorrect return value in DSA signature generation.jsing2018-06-141-4/+6
| | | | | | | | | | In the very unlikely case where we have to repeat the signature generation, the DSA_SIG return value has already been allocated. This will either result in a leak when we allocate again on the next iteration, or it will give a false success (with missing signature values) if any error occurs on the next iteration. ok tb@
* Call DSA_SIG_new() instead of hand rolling the same.jsing2018-06-141-5/+2
| | | | ok beck@ tb@
* DSA_SIG_new() amounts to a single calloc() call.jsing2018-06-141-10/+3
| | | | ok beck@ tb@
* style(9), comments and whitespace.jsing2018-06-131-30/+32
|
* Avoid a timing side-channel leak when generating DSA and ECDSA signatures.jsing2018-06-132-7/+4
| | | | | | | | | This is caused by an attempt to do fast modular arithmetic, which introduces branches that leak information regarding secret values. Issue identified and reported by Keegan Ryan of NCC Group. ok beck@ tb@
* zap stray tabsthen2018-06-121-2/+2
|
* Reject excessively large primes in DH key generation. Problem reportedsthen2018-06-121-1/+6
| | | | | | | | | | | by Guido Vranken to OpenSSL (https://github.com/openssl/openssl/pull/6457) and based on his diff. suggestions from tb@, ok tb@ jsing@ "During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack."
* fix odd whitespacetb2018-06-101-3/+3
|
* Remove a handrolled GOST_le2bn().jsing2018-06-101-8/+4
| | | | From Dmitry Eremin-Solenikov <dbaryshkov at gmail dot com>.
* Now that all of the server-side client key exchange processing functionsjsing2018-06-101-53/+40
| | | | | | have been converted to CBS, pull it up a level. ok inoguchi@ tb@
* Allocate a dedicated buffer for use when deriving a shared key duringjsing2018-06-031-10/+18
| | | | | | | client KEX DHE processing, rather than reusing the buffer that is used to send/receive handshake messages. ok beck@ inoguchi@
* Check the return value from DH_size() in ssl3_send_client_kex_dhe().jsing2018-06-031-4/+6
| | | | ok beck@ inoguchi@
* Convert ssl3_get_client_kex_ecdhe_ecp() to CBS.jsing2018-06-021-44/+42
| | | | | | | Also allocate a dedicated buffer to hold the shared secret, rather than reusing init_buf. ok inoguchi@ tb@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-01 04:56:09 +0000