| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
Reach into the group (p and order are always available) and use
BN_num_bytes() rather than using clumsy and badly named API.
It's shorter and more readable.
ok jsing
|
| |
|
|
|
|
|
| |
The field_type is always NID_X9_62_prime_field, no need to encode and
retrieve this from the group method.
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We match curve parameters against the builtin curves and only accept
them if they're encoding a curve known to us. After getting rid of the
wtls curves, some of which used to coincide with secp curves (sometimes
the wrong ones), the nid is unambiguous. Setting the nid has no direct
implications on the encoding.
This helps ssh avoid doing ugly computations during the key exchange
for PEM keys using this encoding.
ok djm joshua jsing
|
| | |
|
| |
|
|
|
|
|
|
|
| |
jsing rightly points out that this has nothing to do with ASN.1, but
ec_lib.c has no EC_KEY knowledge otherwise (it's about groups and points)
and moving it to ec_key.c is also not satisfactory since the weird
d2i/i2d for ECParameters don't belong there either.
no objection from jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use a few local variables to make the checks at the start slightly less
unappealing. Use those to simplify the conditionals a bit and avoid a
particularly silly exit code. ok is set unless ret is 0, so what do you
think 'return (ok ? ret : 0);' returns? By the way, ret < 0 is an error
as well.
While most of the stuff in this file could use a lot more cleanup, I think
the first layer of cockroaches has been exterminated and there's even some
faint golden glimmer between the turds.
Let's shelve the biohazard warnings for now.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
a is a stupid name for an EC_key, so is ret. Pull apart the tests at the
start and check the length for negativity (long is always the wrong type).
Switch to ec_point_from_octets() and let it determine the point conversion
form rather than having yet another copy of the same ugly stanza.
Set the form on the key using EC_KEY_set_conv_form() (which also affects
the group on the key, so this is a slight change of behavior). Why on earth
this function returns the EC_KEY passed in, I'll never know.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Turn the function into single exit and use ec_point_to_octets() to avoid
the point2oct dance. Ensure that the buf_len size_t doesn't get truncated
by the int return.
While we could avoid an allocation in case out == NULL, we don't do so.
In case out != NULL and *out != NULL this API assumes *out has sufficient
room, copies the result into it and advances *out past it. This is just
asking for trouble (of course, i2d has the same misfeature). Don't use
this if you can help it.
Unfortunately, OpenSSH couldn't help it in at least one spot (that one's
on BoringSSL's allocator not returning an allocated pointer that you can
pass to free). We had to do it lest people run RedHat patches of dubious
quality. For: FIPS the monkey must be pleased at all cost.
ok jsing
|
| |
|
|
|
|
|
| |
This is inverse to ec_point_to_asn1_bit_string(). Use it to simplify the
ec_key_set_public_key() helper.
ok jsing
|
| |
|
|
|
|
|
| |
This is inverse to ec_point_to_asn1_octet_string() but again a lot
simpler. Simplify ec_asn1_set_group_parameters() by using it.
ok jsing
|
| |
|
|
|
| |
Garbage collect the ok variable and some comments from captain obvious,
wrap a long line and tidy up the exit path.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
This adds a specialized helper for creating an ASN.1 bit string
out of an elliptic curve point (the public key) and use it in
i2d_ECPrivateKey().
ok jsing
|
| |
|
|
|
|
|
|
| |
This adds a specialized helper for creating an ASN.1 octet string
out of an elliptic curve point (the generator). Use this to simplify
ec_asn1_group2parameters().
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The private key is a random integer between 1 and order - 1. As such it
requires at most as many bytes as the order to encode. SEC 1, Section C.4
is very explicit about padding it to this length:
The component privateKey is the private key defined to be the octet
string of length [ceil(log_2 n/8)] (where n is the order of the curve)
obtained from the unsigned integer via the encoding of Section 2.3.7.
Fix this by generalizing a similar fix for field elements.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the public key is not part of the ECPrivateKey, it needs to be
computed. Rather than doing this ad hoc inline, use the function
from the ameth that already does this.
If it is present, decode it after checking that its unused bits octet
is zero. Again use the dedicated setter API to honor an eventual
EC_KEY_METHOD.
There remains a gross bit reading the point point conversion form out of
the first octet of the bit string. This will go away in a later commit.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
Contrary to domain parameters and public key, the private key most be
part of the DER. Convert that to a BIGNUM and set it on the EC_KEY.
Use the dedicated setter for this (which will possibly call the handler
of the EC_KEY_METHOD) rather than doing this by hand.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to decode a private key, the group must be known in some way.
Typically, the group is encoded in the EC domain parameters, preferably
as a named curve (this is mandatory in PKIX per RFC 5480).
However, the group could be absent because the domain parameters are
OPTIONAL in the ECPrivateKey SEQUENCE. In that case the code falls
back to the group that may already be set on the EC_KEY. Now there is
no way to tell whether that group is the right one...
In any case. Split this thing out of the body of d2i_ECPrivateKey()
to make that function a bit less of an eyesore.
ok jsing
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Reduces an upcoming diff which is hard enough to review without these
distractions.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
All internal uses of EC_METHOD_get_field_type() and EC_GROUP_method_of()
are chained together. Implement this as a single API call that takes a
group and use it throughout. Gets rid of another eyesore in this part of
the tree. Not that there will be a shortage of eyesores anytime soon...
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
EC parameters are very general. While there are some minimal sanity checks,
for the parameters due to DoS risks found in the last decade, the elliptic
curve code is poorly written and a target rich environment for NULL
dereferences, busy loops, expensive computations and whatever other
nastiness you can think of. It is not too hard to come up with parameters
that reach very ugly code. While we have removed for the worst of it (the
"fast" nist code and GF2m come to mind), the code very much resembles the
Augean Stables.
Unfortunately, curve parameters are still in use - even mandatory in some
contexts - for example in machine-readable travel documents signed by ICAO
country signing certification authorities (see ICAO Doc 9303).
To avoid many of these DoS vectors, start enforcing that we know what the
curve parameters are about, namely that they correspond to a builtin curve.
This way we know that the parameters are at least as good as the standards
we implement and checking this is cheap:
Translate curve parameters into the ad hoc representation in the builtin
curve code and check there's a match. That's very cheap since most curves
are distinguished by cofactor and parameter length and we need to use an
actual parameter comparison for at most half a dozen curves, usually only
one or two.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This becomes a simple wrapper function that currently does three checks:
1. ensure the fieldID is for a prime field
2. check that the purported prime is of reasonable size, extract and
set curve coefficients and point conversion form
3. extract and set generator, order, cofactor and seed.
Sanity checks such as the Hasse bound are dealt with in the EC_GROUP API,
so need not be repeated here. They will become redundant once we enforce
that the parameters represent a builtin curve anyway.
ok jsing
|
| |
|
|
|
|
|
|
| |
These are more ergonomic, result in more readable code, avoid a copy and
we no longer ignore a possible memory allocation error due to API misdesign
and bad code.
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
SEC 1, section 2.3.5, is explicit that the encoding of an element of the
field of definition for an elliptic curve needs to be a zero-padded octet
string whose length matches the byte size of the field's degree. So use
BN_bn2binpad() to fix this. Factor things into a simple helper to avoid
copy-pasting.
This gets rid of some of the most grotesque code in this file.
ok jsing
|
| |
|
|
|
|
| |
Also remove a pointless cast.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
No idea how anyone would think that tmp_1 and tmp_2 are better suited for
this.
ok jsing
|
| |
|
|
|
|
|
|
| |
This drops some unnecessary freeing that was turned into a double free
reachable via public API in OpenSSL 1.1. Other than that it unindents
code and uses better variable names.
ok jsing
|
| |
|
|
|
|
|
| |
Only check for the OPENSSL_EC_NAMED_CURVE being set to treat the curve
parameters as named curve parameters.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
| |
The callers already ensure that params != NULL.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
Use better variable names and do things in a slightly more sensible order.
This way the code becomes almost self-documenting.
ok jsing
|
