summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/ec/ecp_nist.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Implement coordinate blinding for EC_POINT.tb2018-11-051-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Based on OpenSSL commit 875ba8b21ecc65ad9a6bdc66971e50 by Billy Brumley, Sohaib ul Hassan and Nicola Tuveri. ok beck jsing commit 875ba8b21ecc65ad9a6bdc66971e50461660fcbb Author: Sohaib ul Hassan <soh.19.hassan@gmail.com> Date: Sat Jun 16 17:07:40 2018 +0300 Implement coordinate blinding for EC_POINT This commit implements coordinate blinding, i.e., it randomizes the representative of an elliptic curve point in its equivalence class, for prime curves implemented through EC_GFp_simple_method, EC_GFp_mont_method, and EC_GFp_nist_method. This commit is derived from the patch https://marc.info/?l=openssl-dev&m=131194808413635 by Billy Brumley. Coordinate blinding is a generally useful side-channel countermeasure and is (mostly) free. The function itself takes a few field multiplicationss, but is usually only necessary at the beginning of a scalar multiplication (as implemented in the patch). When used this way, it makes the values that variables take (i.e., field elements in an algorithm state) unpredictable. For instance, this mitigates chosen EC point side-channel attacks for settings such as ECDH and EC private key decryption, for the aforementioned curves. For EC_METHODs using different coordinate representations this commit does nothing, but the corresponding coordinate blinding function can be easily added in the future to extend these changes to such curves. Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com> Co-authored-by: Billy Brumley <bbrumley@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6526)
* Recommit Billy Brumley's ECC constant time patch with a fix for sparc64tb2018-07-161-1/+4
| | | | | | | from Nicola Tuveri (who spotted the omission of ecp_nist.c from the PR). discussed with jsing tested by jsg
* recommit label indentation part of the backout; clearly unrelated to thetb2018-07-151-4/+4
| | | | breakage.
* back out ecc constant time changesjsg2018-07-151-4/+4
| | | | | | | | after the constant time commits various regress tests started failing on sparc64 ssh t9, libcrypto ec ecdh ecdsa and trying to ssh out resulted in 'invalid elliptic curve value' ok tb@
* Indent labels by a space so they don't obliterate function names in diffs.tb2018-07-101-4/+4
|
* Send the function codes from the error functions to the bit bucket,beck2017-01-291-4/+4
| | | | | | as was done earlier in libssl. Thanks inoguchi@ for noticing libssl had more reacharounds into this. ok jsing@ inoguchi@
* if (x) FOO_free(x) -> FOO_free(x).miod2014-07-121-7/+4
| | | | | | | Improves readability, keeps the code smaller so that it is warmer in your cache. review & ok deraadt@
* tags as requested by miod and teduderaadt2014-06-121-1/+1
|
* knf approximationtedu2014-05-061-44/+51
|
* Use C99 initializers for the various FOO_METHOD structs. More readable, andmiod2014-04-271-40/+39
| | | | | | | | | | | | | | | | | | | | | | | | | | | | avoid unreadable/unmaintainable constructs like that: const EVP_PKEY_ASN1_METHOD cmac_asn1_meth = { EVP_PKEY_CMAC, EVP_PKEY_CMAC, 0, "CMAC", "OpenSSL CMAC method", 0,0,0,0, 0,0,0, cmac_size, 0, 0,0,0,0,0,0,0, cmac_key_free, 0, 0,0 }; ok matthew@ deraadt@
* remove FIPS mode support. people who require FIPS can buy something thattedu2014-04-151-8/+0
| | | | | meets their needs, but dumping it in here only penalizes the rest of us. ok beck deraadt
* resolve conflictsdjm2012-10-131-3/+10
|
* resolve conflicts, fix local changesdjm2010-10-011-26/+0
|
* resolve conflictsdjm2008-09-061-39/+141
|
* OpenSSL 0.9.7 stable 2002 05 08 mergebeck2002-05-151-0/+134
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-12 23:44:01 +0000