Commit message | Author | Age | Files | Lines

This used to be the case until they were given a 'more meaningful name'
about 20 years ago. We can't fix the public API, but I'm tired of being
confused by this nonsense.

Use better variable names (cf. https://jmilne.org/math/tips.html#4) and
avoid the weird style of assigning to r (what does r stand for anyway?)
and short circuiting subsequent tests using if (r || ...). Also, do not
reuse the variables for order and cofactor that were previously used for
the curve coefficients.
ok jsing

jsing rightly points out that this has nothing to do with ASN.1, but
ec_lib.c has no EC_KEY knowledge otherwise (it's about groups and points)
and moving it to ec_key.c is also not satisfactory since the weird
d2i/i2d for ECParameters don't belong there either.
no objection from jsing

CID 514612

requested by jsing

This was about as unreadable as four lines of code doing a trivial thing
can get...
ok jsing

Switch from artistic free reinterpretations of public API in the same file
to calling the real thing if possible.
This means that we need to copy the group's coefficients first instead of
last, so that we can call EC_GROUP_set_generator() to set - yes - all three
of generator, order, and cofactor of the group.
However, we may not have a generator yet since for some reason it is an
optional field and some code relies on that. In that case simply copy over
order and cofactor and punt on sanity checking for now (since this API
never did that anyway).
Finally set the seed using EC_GROUP_set_seed() instead of using a custom
reimplementation.
ok jsing

Use a single cleanup path, use calloc rather than setting several members
to 0/NULL. This has the side effect that finished can be called even when
init() wasn't called, but this isn't an issue with our EC_GROUP_METHODs.
ok jsing

This may have been different at some point in the past, but it may also
have been a confusion with EC_POINT_is_on_curve() which, like any great
API with a name implying a boolean return, actually has three possible
return values.
ok jsing

Like most of the code in this file that hasn't been overhauled, these are
just terrible. As jsing points out, we will need to ensure that finish()
works on a not fully initialized point. That's currently safe.
ok jsing

Since we only consider standard affine coordinates, the point at infinity
must be excluded. Check at the API boundary that the point isn't the point
at infinity rather than hiding this check somewhere in a method.
ok jsing

The reason these were in separate files was FIPS. Not our problem.

No need to guard free() with a NULL check, check explicitly against 0
and rename p to seed.

All internal uses of EC_METHOD_get_field_type() and EC_GROUP_method_of()
are chained together. Implement this as a single API call that takes a
group and use it throughout. Gets rid of another eyesore in this part of
the tree. Not that there will be a shortage of eyesores anytime soon...
ok jsing

EC_GROUP_check() is quite simple. It doesn't need to use its own file.

Another single-function file goes away.

While this is public API in OpenSSL, there are no plans to expose it.
ok jsing

use LCRYPTO_UNUSED and remove the LIBRESSL_INTERNAL guard
ok tb@

ok miod

me aliasing symbols not in the headers I was processing.
This unbreaks the namespace build so it will pass again
ok tb@

(part 2 of commit)
ok jsing@

ok jsing

With the ecdh_check() and ecdsa_check() abominations gone, we can finally
get rid of EC_EXTRA_DATA and EC_KEY_{get,insert}_key_method_data(). The
EC_EX_DATA_*() handlers, (which fortunately have always had "'package'
level visibility") join the ride to the great bit bucket in the sky.
Thanks to op for making this possible.
ok jsing

These are no longer in use - stub EC_GROUP_precompute_mult() and
EC_GROUP_have_precompute_mult() to match their existing behaviour.
ok tb@

Since there are now no EC implementations that perform pre-computation at
the EC_GROUP level, remove all of the precomp machinery, including the
extra_data EC_GROUP member.
The ec_wNAF_mul() code is horrific - simply cut out the precomp code,
rather than trying to rewrite it (that's a project for another day).
ok tb@

The various checks of the cofactor to be set in EC_GROUP_set_generator()
are a bit all over the place. Move them into a single function and clean
things up a little. Instead of calculating directly with the cofactor
member of the group, use a temporary variable and copy this variable only
if all tests passed. In cryptographic contexts the cofactor almost always
fits if not into a single byte then into a word, so copying is cheap.
Also streamline the computations a bit and remove some binary curve
contortions.
ok jsing

This should leak slightly less than the direct expansion of ASN1_dup_of().
Use freezero() since the DER could contain a private key.
ok jsing

A large mechanical diff led to sloppy review and gave coverity an
opportunity to be right for once. First time in a good many weeks.
same diff/ok jsing

The EC API allows callers to optionally pass in a BN_CTX, which means that
any code needing a BN_CTX has to check if one was provided, allocate one if
not, then free it again. Rather than doing this dance throughout the EC
code, handle the BN_CTX existence at the EC API boundary. This means that
lower level implementation code can simply assume that the BN_CTX is
available.
ok tb@

ok jsing

Rather than sometimes clearing, turn the free functions into ones that
always clear (as we've done elsewhere). Turn the EC_GROUP_clear_free() and
EC_POINT_clear_free() functions into wrappers that call the *_free()
version. Do similar for the EC_METHOD implementations, removing the
group_clear_finish() and point_clear_finish() hooks in the process.
ok tb@

BN_clear_free() is a wrapper that calls BN_free() - call BN_free() directly
instead.
ok tb@

Unlike in the affine/compressed/... cases, when setting projective
coordinates of an elliptic curve point, there is no check whether
the point is actually on the curve.
Pointed out by Guido Vranken
ok beck miod

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.
Adjust all .c files in libcrypto, libssl and regress.
The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.
discussed with jsing,
no objection bcook

Dealing with elliptic curves makes some people think that it would be kind
of neat to multiply types with variable names. Sometimes. Only in function
definitions.

If a private key encoded with EC parameters happens to have
order 1 and is used for ECDSA signatures, this causes an
infinite loop since a random integer x in the interval [0,1)
will be 0, so do ... while (x == 0); will loop indefinitely.
Found and reported with a reproducer by Hanno Boeck.
Helpful comments and analysis from David Benjamin.
ok beck jsing

Instead of only bounding the group order, also bound the
cofactor using Hasse's theorem. This could probably be made a lot
tighter since all curves of cryptographic interest have small
cofactors, but for now this is good enough.
A timeout found by oss-fuzz creates a "group" with insane parameters
over a 40-bit field: the order is 14464, and the cofactor has 4196223
bits (which is obviously impossible by Hasse's theorem). These led to
running an expensive loop in ec_GFp_simple_mul_ct() millions of times.
Fixes oss-fuzz #46056
Diagnosed and fix joint with jsing
ok inoguchi jsing (previous version)
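
The two commit messages above (the order-1 infinite loop in ECDSA nonce generation, and the Hasse-theorem bound on the cofactor) both come down to validating caller-supplied group parameters before any expensive or unbounded computation runs on them. The Python below is an added illustration written for this page, not libcrypto code, and the exact bound libcrypto applies is not reproduced here. It rejects an order of 1 outright, applies a cheap bit-length pre-check on the cofactor, then checks the full product order * cofactor against the Hasse interval [p + 1 - 2*sqrt(p), p + 1 + 2*sqrt(p)], which is tighter than a bit-length bound alone. The secp256k1 constants are the standard public values; the 40-bit "group" is constructed to match the numbers quoted in the commit (assumption: the 40-bit modulus is only needed for the arithmetic, so its primality is not checked). The last function shows, with a bounded loop, why the do { k = rand(order) } while (k == 0) idiom cannot terminate when the order is 1.

```python
from math import isqrt

# Constructed sample parameters (added example, not libcrypto code).
# secp256k1 field prime, group order and cofactor: well-known public values.
SECP256K1_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
SECP256K1_H = 1

# Constructed "group" mimicking the oss-fuzz case from the commit message:
# a 40-bit field, order 14464 and a cofactor with 4196223 bits.
FUZZ_P = (1 << 40) - 87          # constructed 40-bit modulus (primality not checked)
FUZZ_N = 14464
FUZZ_H = 1 << 4196222            # FUZZ_H.bit_length() == 4196223


def hasse_bounds(p):
    """Return (lo, hi) such that #E(F_p) lies in [lo, hi] by Hasse's theorem:
    |#E - (p + 1)| <= 2*sqrt(p).  isqrt(4p) is floor(2*sqrt(p)); widen the
    interval by one on each side so integer rounding never rejects a valid curve."""
    t = isqrt(4 * p)
    return p + 1 - t - 1, p + 1 + t + 1


def validate_group_params(p, order, cofactor):
    """Sanity checks a caller-supplied (p, order, cofactor) triple must pass
    before being accepted as an EC group.  Returns a list of problems; an
    empty list means the parameters are at least plausible."""
    problems = []
    if order <= 1:
        # Order 1 makes any "pick random k in [0, order) until k != 0" loop
        # spin forever: the only candidate value is 0.
        problems.append("order must be greater than 1")
    if cofactor <= 0:
        problems.append("cofactor must be positive")
    if problems:
        return problems
    # Cheap pre-check: #E = order * cofactor < 2p for any p > 5, so neither
    # factor can have more than bit_length(p) + 1 bits.  This rejects the
    # 4196223-bit cofactor without touching it arithmetically.
    if cofactor.bit_length() > p.bit_length() + 1:
        problems.append("cofactor has more bits than the field allows")
        return problems
    lo, hi = hasse_bounds(p)
    if not lo <= order * cofactor <= hi:
        problems.append("order * cofactor violates Hasse's theorem")
    return problems


def sample_nonzero_below(order, rand_below, max_tries=64):
    """Bounded version of the do { k = rand(order); } while (k == 0) idiom.
    rand_below(n) must return an integer in [0, n).  With order == 1 every
    draw is 0, so the unbounded original never terminates; here the bound
    turns that into a None return that a caller can treat as an error."""
    for _ in range(max_tries):
        k = rand_below(order)
        if k != 0:
            return k
    return None


if __name__ == "__main__":
    print("secp256k1:", validate_group_params(SECP256K1_P, SECP256K1_N, SECP256K1_H))
    print("fuzz group:", validate_group_params(FUZZ_P, FUZZ_N, FUZZ_H))
    print("order 1:", validate_group_params(SECP256K1_P, 1, 1))
    print("nonce with order 1:", sample_nonzero_below(1, lambda n: 0))
```

The order of the checks matters: the order and cofactor sign checks come first so the Hasse arithmetic is never run on nonsense, and the bit-length check comes before the multiplication so an absurdly large cofactor is refused before it costs anything.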

The cofactor we tried to calculate should only be zeroed if we failed
to compute it.
ok inoguchi jsing

The pre-OpenSSL 1.1.0 default was to use explicit curve parameter
encoding. Most applications want to use named curve parameter encoding
and have to opt into this explicitly.
Stephen Henson changed this default in OpenSSL commit 86f300d3 6 years
ago and provided a new OPENSSL_EC_EXPLICIT_CURVE define to opt back into
the old default. According to Debian's codesearch, no application
currently does this, which indicates that we currently have a bad default.
In the future it is more likely that applications expect the new
default, so we follow OpenSSL to avoid problems.
Prompted by schwarze who noted that OPENSSL_EC_EXPLICIT_CURVE is missing.
ok beck inoguchi jsing

ok jsing

ok jsing