openbsd - A mirror of https://github.com/libressl/openbsd.git

	Commit message (Collapse)	Author	Age	Files	Lines
*	Implement coordinate blinding for EC_POINT.	tb	2018-11-05	1	-1/+2
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Based on OpenSSL commit 875ba8b21ecc65ad9a6bdc66971e50 by Billy Brumley, Sohaib ul Hassan and Nicola Tuveri. ok beck jsing commit 875ba8b21ecc65ad9a6bdc66971e50461660fcbb Author: Sohaib ul Hassan <soh.19.hassan@gmail.com> Date: Sat Jun 16 17:07:40 2018 +0300 Implement coordinate blinding for EC_POINT This commit implements coordinate blinding, i.e., it randomizes the representative of an elliptic curve point in its equivalence class, for prime curves implemented through EC_GFp_simple_method, EC_GFp_mont_method, and EC_GFp_nist_method. This commit is derived from the patch https://marc.info/?l=openssl-dev&m=131194808413635 by Billy Brumley. Coordinate blinding is a generally useful side-channel countermeasure and is (mostly) free. The function itself takes a few field multiplicationss, but is usually only necessary at the beginning of a scalar multiplication (as implemented in the patch). When used this way, it makes the values that variables take (i.e., field elements in an algorithm state) unpredictable. For instance, this mitigates chosen EC point side-channel attacks for settings such as ECDH and EC private key decryption, for the aforementioned curves. For EC_METHODs using different coordinate representations this commit does nothing, but the corresponding coordinate blinding function can be easily added in the future to extend these changes to such curves. Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com> Co-authored-by: Billy Brumley <bbrumley@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6526)
*	Recommit Billy Brumley's ECC constant time patch with a fix for sparc64	tb	2018-07-16	1	-8/+4
\| \| \| \| \| \| \|	from Nicola Tuveri (who spotted the omission of ecp_nist.c from the PR). discussed with jsing tested by jsg
*	recommit label indentation part of the backout; clearly unrelated to the	tb	2018-07-15	1	-10/+10
\| \| \| \|	breakage.
*	back out ecc constant time changes	jsg	2018-07-15	1	-13/+17
\| \| \| \| \| \| \| \|	after the constant time commits various regress tests started failing on sparc64 ssh t9, libcrypto ec ecdh ecdsa and trying to ssh out resulted in 'invalid elliptic curve value' ok tb@
*	Indent labels by a space so they don't obliterate function names in diffs.	tb	2018-07-10	1	-10/+10
\|
*	ECC constant time scalar multiplication support. First step in overhauling	tb	2018-07-10	1	-8/+4
\| \| \| \| \| \| \| \| \| \| \|	the EC module. From Billy Brumley and his team, via https://github.com/libressl-portable/openbsd/pull/94 With tweaks from jsing and me. ok jsing
*	Send the function codes from the error functions to the bit bucket,	beck	2017-01-29	1	-6/+6
\| \| \| \| \| \|	as was done earlier in libssl. Thanks inoguchi@ for noticing libssl had more reacharounds into this. ok jsing@ inoguchi@
*	BN_CTX_get() can fail - consistently check its return value.	jsing	2015-02-09	1	-24/+32
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	There are currently cases where the return from each call is checked, the return from only the last call is checked and cases where it is not checked at all (including code in bn, ec and engine). Checking the last return value is valid as once the function fails it will continue to return NULL. However, in order to be consistent check each call with the same idiom. This makes it easy to verify. Note there are still a handful of cases that do not follow the idiom - these will be handled separately. ok beck@ doug@
*	Use `> 0' instead of `!= 0' as a successful condition for	miod	2015-02-08	1	-10/+10
\| \| \| \| \| \|	EC_POINT_is_at_infinity() and EC_POINT_is_on_curve(), for they may return -1 should an error arise. ok doug@ jsing@
*	if (x) FOO_free(x) -> FOO_free(x).	miod	2014-07-12	1	-11/+6
\| \| \| \| \| \| \|	Improves readability, keeps the code smaller so that it is warmer in your cache. review & ok deraadt@
*	Explicitly include <openssl/opensslconf.h> in every file that references	jsing	2014-07-10	1	-1/+3
\| \| \| \| \| \| \| \| \|	an OPENSSL_NO_* define. This avoids relying on something else pulling it in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is never going to do anything, since OPENSSL_NO_XYZ will never defined, due to the fact that opensslconf.h has not been included. This also includes some miscellaneous sorting/tidying of headers.
*	tags as requested by miod and tedu	deraadt	2014-06-12	1	-1/+1
\|
*	knf approximation	tedu	2014-05-06	1	-297/+370
\|
*	Use C99 initializers for the various FOO_METHOD structs. More readable, and	miod	2014-04-27	1	-40/+39
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	avoid unreadable/unmaintainable constructs like that: const EVP_PKEY_ASN1_METHOD cmac_asn1_meth = { EVP_PKEY_CMAC, EVP_PKEY_CMAC, 0, "CMAC", "OpenSSL CMAC method", 0,0,0,0, 0,0,0, cmac_size, 0, 0,0,0,0,0,0,0, cmac_key_free, 0, 0,0 }; ok matthew@ deraadt@
*	remove FIPS mode support. people who require FIPS can buy something that	tedu	2014-04-15	1	-9/+0
\| \| \| \| \|	meets their needs, but dumping it in here only penalizes the rest of us. ok beck deraadt
*	resolve conflicts	djm	2012-10-13	1	-337/+14
\|
*	OpenSSL 1.0.0f: merge	djm	2012-01-05	1	-1/+1
\|
*	openssl-1.0.0e: resolve conflicts	djm	2011-11-03	1	-0/+3
\|
*	resolve conflicts, fix local changes	djm	2010-10-01	1	-23/+89
\|
*	cherrypick patch from OpenSSL 0.9.8m:	djm	2010-03-04	1	-4/+6
\| \| \| \| \|	*) Always check bn_wexpend() return values for failure. (CVE-2009-3245) [Martin Olsson, Neel Mehta]
*	import of OpenSSL 0.9.8h	djm	2008-09-06	1	-0/+971