summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/ec/ec_lib.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Rename curve_name into nidtb2024-11-221-4/+4
| | | | | | This used to be the case until they were given a 'more meaningful name' about 20 years ago. We cant fix the public API, but I'm tired of being confused by this nonsense.
* ec_lib: zap a useless commenttb2024-11-171-3/+1
|
* Rewrite EC_GROUP_cmp()tb2024-11-171-51/+75
| | | | | | | | | | Use better variable names (cf. https://jmilne.org/math/tips.html#4) and avoid the weird style of assigning to r (what does r stand for anyway?) and short circuiting subsequent tests using if (r || ...). Also, do not reuse the variables for order and cofactor that were previously used for the curve coefficients. ok jsing
* Relocate ECParameters_dup() to ec_asn1tb2024-11-081-23/+1
| | | | | | | | | jsing rightly points out that this has nothing to do with ASN.1, but ec_lib.c has no EC_KEY knowledge otherwise (it's about groups and points) and moving it to ec_key.c is also not satisfactory since the weird d2i/i2d for ECParameters don't belong there either. no objection from jsing
* Ugh. Don't return the group after freeing ittb2024-11-081-2/+2
| | | | CID 514612
* EC_GROUP_set_seed(): flip order of seed and len null checkstb2024-11-061-2/+2
| | | | requested by jsing
* Treat the curls in EC_GROUP_dup() with a flatirontb2024-11-061-9/+17
| | | | | | | This was about as unreadable as four lines of code doing a trivial thing can get... ok jsing
* Clean up EC_GROUP_copy()tb2024-11-061-27/+15
| | | | | | | | | | | | | | | | | | | Switch from artistic free reinterpretations of public API in the same file to calling the real thing if possible. This means that we need to copy the group's coefficients first instead of last, so that we can call EC_GROUP_set_generator() to set - yes - all three of generator, order, and cofactor of the group. However, we may not have a generator yet since for some reason it is an optional field and some code relies on that. In that case simply copy over order and cofactor and punt on sanity checking for now (since this API never did that anyway). Finally set the seed using EC_GROUP_set_seed() instead of using a custom reimplementation. ok jsing
* Switch EC_GROUP_new() to calloc()tb2024-11-061-21/+20
| | | | | | | | Use a single cleanup path, use calloc rather than setting several members to 0/NULL. This has the side effect that finished can be called even when init() wasn't called, but this isn't an issue with our EC_GROUP_METHODs. ok jsing
* EC_POINT_is_at_infinity() returns a booleantb2024-11-051-2/+2
| | | | | | | | | This may have been different at some point in the past, but it may also have been a confusion with EC_POINT_is_on_curve() which, like any great API with a name implying a boolean return, actually has three possible return values. ok jsing
* Rewrite EC_POINT_new() and EC_POINT_dup()tb2024-11-041-27/+34
| | | | | | | | Like most of the code in this file that hasn't been overhauled, these are just terrible. As jsing points out, we will need to ensure that finish() works on a not fully initialized point. That's currently safe. ok jsing
* Move point at infinity check to API boundarytb2024-11-031-2/+7
| | | | | | | | Since we only consider standard affine coordinates, the point at infinity must be excluded. Check at the API boundary that the point isn't the point at infinity rather than hiding this check somewhere in a method. ok jsing
* Fix includes in ec_lib and ecp_smpltb2024-11-021-1/+5
|
* Merge compressed coordinate setting back into ecp_smpl and ec_libtb2024-11-021-1/+40
| | | | The reason these were in separate files was FIPS. Not our problem.
* Minor cosmetic tweaks for EC_GROUP_set_seed()tb2024-10-251-9/+8
| | | | | No need to guard free() with a NULL check, check explicitly against 0 and rename p to seed.
* Provide and use ec_group_get_field_type()tb2024-10-221-3/+11
| | | | | | | | | All internal uses of EC_METHOD_get_field_type() and EC_GROUP_method_of() are chained together. Implement this as a single API call that takes a group and use it throughout. Gets rid of another eyesore in this part of the tree. Not that there will be a shortage of eyesores anytime soon... ok jsing
* EC_GROUP_check(): zap useless commentstb2024-10-191-4/+3
|
* Move EC_GROUP_check() to ec_lib.ctb2024-10-191-1/+56
| | | | EC_GROUP_check() is quite simple. It doesn't need to use its own file.
* Move EC_GROUP_new_curve_GFp() into ec_lib.ctb2024-10-181-1/+22
| | | | Another single-function file goes away.
* Unindent error check in EC_GROUP_set_generator()tb2024-10-151-5/+5
|
* Provide EC_GROUP_get0_cofactor() for internal usetb2024-10-151-1/+7
| | | | | | While this is public API in OpenSSL, there are no plans to expose it. ok jsing
* One empty line is enoughtb2024-04-231-18/+1
|
* Hide deprecated functions in ec.hbeck2024-04-101-1/+9
| | | | | | use LCRYPTO_UNUSED and remove the LIBRESSL_INTERNAL guard ok tb@
* EC_POINT_is_on_curve() error is -1, not 0.tb2023-07-251-2/+2
| | | | ok miod
* Unbreak the namespace build after a broken mk.conf and tool misfire hadbeck2023-07-071-9/+1
| | | | | | | | me aliasing symbols not in the headers I was procesing. This unbreaks the namespace build so it will pass again ok tb@
* Hide symbols in hkdf, evp, err, ecdsa, and ecbeck2023-07-071-1/+55
| | | | | | (part 2 of commit) ok jsing@
* Provide internal-only EC_GROUP_get0_order()tb2023-07-031-2/+7
| | | | ok jsing
* Remove EC_EXTRA_DATAtb2023-06-251-153/+1
| | | | | | | | | | | With the ecdh_check() and ecdsa_check() abominations gone, we can finally get rid of EC_EXTRA_DATA and EC_KEY_{get,insert}_key_method_data(). The EC_EX_DATA_*() handlers, (which fortunately have always had "'package' level visibility") join the ride to the great bit bucket in the sky. Thanks to op for making this possible. ok jsing
* Remove precompute_mult/have_precompute_mult from EC_METHOD.jsing2023-06-241-23/+3
| | | | | | | These are no longer in use - stub EC_GROUP_precompute_mult() and EC_GROUP_have_precompute_mult() to match their existing behaviour. ok tb@
* Mop up EC_GROUP precomp machinery.jsing2023-06-241-19/+1
| | | | | | | | | | | Since there are now no EC implementations that perform pre-computation at the EC_GROUP level, remove all of the precomp machinery, including the extra_data EC_GROUP member. The ec_wNAF_mul() code is horrific - simply cut out the precomp code, rather than trying to rewrite it (that's a project for another day). ok tb@
* Consolidate elliptic curve cofactor handlingtb2023-06-201-49/+41
| | | | | | | | | | | | | The various checks of the cofactor to be set in EC_GROUP_set_generator() are a bit all over the place. Move them into a single function and clean things up a little. Instead of calculating directly with the cofactor member of the group, use a temporary variable and copy this variable only if all tests passed. In cryptographic contexts the cofactor almost always fits if not into a single byte then into a word, so copying is cheap. Also streamline the computations a bit and remove some binary curve contortions. ok jsing
* Rewrite ECParameters_dup()tb2023-05-041-7/+12
| | | | | | | This should leak slightly less than the direct expansion of ASN1_dup_of(). Use freezero() since the DER could contain a private key. ok jsing
* GF2m bites the dust. It won't be missed.tb2023-04-251-35/+1
|
* ec_lib.c: fix a few NULL misspellingstb2023-04-131-6/+6
|
* Fix various early return issues spotted by coveritytb2023-04-131-13/+13
| | | | | | | A large mechanical diff led to sloppy review and gave coverity an opportunity to be right for once. First time in a good many weeks. same diff/ok jsing
* Handle BN_CTX at the EC API boundary.jsing2023-04-111-114/+338
| | | | | | | | | | | The EC API allows callers to optionally pass in a BN_CTX, which means that any code needing a BN_CTX has to check if one was provided, allocate one if not, then free it again. Rather than doing this dance throughout the EC code, handle the BN_CTX existance at the EC API boundary. This means that lower level implementation code can simply assume that the BN_CTX is available. ok tb@
* Replace the remaining BN_copy() with bn_copy()tb2023-03-271-8/+8
| | | | ok jsing
* Fix previous.jsing2023-03-081-5/+5
|
* Always clear EC groups and points on free.jsing2023-03-081-40/+13
| | | | | | | | | | Rather than sometimes clearing, turn the free functions into ones that always clear (as we've done elsewhere). Turn the EC_GROUP_clear_free() and EC_POINT_clear_free() functions into wrappers that call the *_free() version. Do similar for the EC_METHOD implementations, removing the group_clear_finish() and point_clear_finish() hooks in the process. ok tb@
* Call BN_free() instead of BN_clear_free().jsing2023-03-071-3/+3
| | | | | | | BN_clear_free() is a wrapper that calls BN_free() - call BN_free() directly instead. ok tb@
* libcrypto/ec: another missing point-on-curve checktb2023-02-071-3/+9
| | | | | | | | | | Unlike in the affine/compressed/... cases, when setting projective coordinates of an elliptic curve point, there is no check whether the point is actually on the curve. Pointed out by Guido Vranken ok beck miod
* Make internal header file names consistenttb2022-11-261-3/+3
| | | | | | | | | | | | | | | | Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special. Adjust all .c files in libcrypto, libssl and regress. The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually. discussed with jsing, no objection bcook
* Fix an annoying quirk in the EC codetb2022-11-191-30/+30
| | | | | | Dealing with elliptic curves makes some people think that it would be kind of neat to multiply types with variable names. Sometimes. Only in function definitions.
* Avoid infinite loop for custom curves of order 1tb2022-04-071-3/+3
| | | | | | | | | | | | If a private key encoded with EC parameters happens to have order 1 and is used for ECDSA signatures, this causes an infinite loop since a random integer x in the interval [0,1) will be 0, so do ... while (x == 0); will loop indefinitely. Found and reported with a reproducer by Hanno Boeck. Helpful comments and analysis from David Benjamin. ok beck jsing
* Bound cofactor in EC_GROUP_set_generator()tb2022-03-291-1/+7
| | | | | | | | | | | | | | | | | | Instead of bounding only bounding the group order, also bound the cofactor using Hasse's theorem. This could probably be made a lot tighter since all curves of cryptographic interest have small cofactors, but for now this is good enough. A timeout found by oss-fuzz creates a "group" with insane parameters over a 40-bit field: the order is 14464, and the cofactor has 4196223 bits (which is obviously impossible by Hasse's theorem). These led to running an expensive loop in ec_GFp_simple_mul_ct() millions of times. Fixes oss-fuzz #46056 Diagnosed and fix joint with jsing ok inoguchi jsing (previous version)
* Do not zero cofactor on ec_guess_cofactor() successtb2022-03-291-2/+6
| | | | | | | The cofactor we tried to calculate should only be zeroed if we failed to compute it. ok inoguchi jsing
* Zap trailing whitespacetb2022-03-291-46/+46
|
* Default to using named curve parameter encodingtb2021-09-121-2/+2
| | | | | | | | | | | | | | | | | | The pre-OpenSSL 1.1.0 default was to use explicit curve parameter encoding. Most applications want to use named curve parameter encoding and have to opt into this explicitly. Stephen Henson changed this default in OpenSSL commit 86f300d3 6 years ago and provided a new OPENSSL_EC_EXPLICIT_CURVE define to opt back into the old default. According to Debian's codesearch, no application currently does this, which indicates that we currently have a bad default. In the future it is more likely that applications expect the new default, so we follow OpenSSL to avoid problems. Prompted by schwarze who noted that OPENSSL_EC_EXPLICIT_CURVE is missing. ok beck inoguchi jsing
* Prepare to provide EC_GROUP_order_bits()tb2021-09-081-1/+17
| | | | ok jsing
* Compare function pointers against NULL, not 0.tb2021-04-201-3/+3
| | | | ok jsing