summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/ec (follow)
Commit message (Collapse)AuthorAgeFilesLines
* If a NULL or zero cofactor is passed to EC_GROUP_set_generator(),tb2019-09-293-11/+113
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | try to compute it using Hasse's bound. This works as long as the cofactor is small enough. Port of Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1 (old license) tests & ok inoguchi input & ok jsing commit 30c22fa8b1d840036b8e203585738df62a03cec8 Author: Billy Brumley <bbrumley@gmail.com> Date: Thu Sep 5 21:25:37 2019 +0300 [crypto/ec] for ECC parameters with NULL or zero cofactor, compute it The cofactor argument to EC_GROUP_set_generator is optional, and SCA mitigations for ECC currently use it. So the library currently falls back to very old SCA-vulnerable code if the cofactor is not present. This PR allows EC_GROUP_set_generator to compute the cofactor for all curves of cryptographic interest. Steering scalar multiplication to more SCA-robust code. This issue affects persisted private keys in explicit parameter form, where the (optional) cofactor field is zero or absent. It also affects curves not built-in to the library, but constructed programatically with explicit parameters, then calling EC_GROUP_set_generator with a nonsensical value (NULL, zero). The very old scalar multiplication code is known to be vulnerable to local uarch attacks, outside of the OpenSSL threat model. New results suggest the code path is also vulnerable to traditional wall clock timing attacks. CVE-2019-1547 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/9781)
* Plug memory leak in error paths. Found while comparing this filetb2019-09-091-5/+5
| | | | | | with OpenSSL 1.1.1's version which contains a similar fix. ok jsing
* Provide EVP_PKEY_CTX_get_signature_md() macro and implement thejsing2019-09-091-1/+5
| | | | | | | | EVP_PKEY_CTRL_GET_MD control for DSA, EC and RSA. This is used by the upcoming RSA CMS code. ok inoguchi@ tb@
* Move #include <openssl/cms.h> to more appropriate location (since it isjsing2019-09-091-3/+2
| | | | now being installed).
* Add CMS ECC support.jsing2019-09-081-2/+370
| | | | | | | | This brings in EC code from OpenSSL 1.1.1b, with style(9) and whitespace cleanups. All of this code is currently under OPENSSL_NO_CMS hence is a no-op. ok inoguchi@
* Add various macros and controls for EC_PKEY_CTX.jsing2019-09-063-27/+314
| | | | | | | | | These are needed for the upcoming EC CMS support (nothing else appears to use them). This largely syncs our ec_pmeth.c with OpenSSL 1.1.1b. With input from inoguchi@ and tb@. ok inoguchi@ tb@
* Initialize EC_KEY_METHOD before use.bcook2019-05-101-2/+2
| | | | | | Fixes COV-186146 ok tb, beck
* $OpenBSD$tb2019-01-191-0/+1
|
* Partial port of EC_KEY_METHOD from OpenSSL 1.1.tb2019-01-192-9/+9
| | | | | | | Pass const method to EC_KEY_METHOD_get_*() to get rid of an XXX. from markus
* Partial port of EC_KEY_METHOD from OpenSSL 1.1.tb2019-01-194-29/+125
| | | | | | This commit adds missing API for ECDH/ECDSA_verify. from markus
* Partial port of EC_KEY_METHOD from OpenSSL 1.1.tb2019-01-194-23/+401
| | | | | | | This commit adds init/free, support for signing, setting and getting the method, engine support as well as extra data. from markus
* Port OpenSSL commit 99540ec79491f59ed8b46b4edf130e17dc907f52 -- mitigationtb2018-11-151-4/+4
| | | | | | | | | | for a timing vullnerability in ECDSA signature generation (CVE-2018-0735). Note that the blinding that we introduced back in June for ECDSA and DSA should mitigate this and related issues. This simply adds an additional layer of protection. discussed with jsing
* Avoid dereferencing eckey before checking it for NULL.tb2018-11-091-5/+6
| | | | | | CID 184282 ok beck jsing mestre
* unrevert the use of bn_rand_interval().tb2018-11-063-12/+9
| | | | ok beck jsing
* Unset Z_is_zero after applying coordinate blinding andtb2018-11-061-3/+4
| | | | | | re-enable coordinate blinding. ok jsing
* disable EC_POINT coordinate blinding due to failures in ECDHE and TLStb2018-11-061-1/+3
|
* revert use of bn_rand_interval due to failures with ECDHE and TLStb2018-11-062-7/+10
|
* Make use of bn_rand_interval() where appropriate.tb2018-11-052-10/+7
| | | | ok beck jsing
* Eliminate a few "} else" branches, a few unneeded NULL checks beforetb2018-11-051-16/+12
| | | | | | freeing and indent nearby labels. ok beck jsing
* Implement coordinate blinding for EC_POINT.tb2018-11-0510-18/+110
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Based on OpenSSL commit 875ba8b21ecc65ad9a6bdc66971e50 by Billy Brumley, Sohaib ul Hassan and Nicola Tuveri. ok beck jsing commit 875ba8b21ecc65ad9a6bdc66971e50461660fcbb Author: Sohaib ul Hassan <soh.19.hassan@gmail.com> Date: Sat Jun 16 17:07:40 2018 +0300 Implement coordinate blinding for EC_POINT This commit implements coordinate blinding, i.e., it randomizes the representative of an elliptic curve point in its equivalence class, for prime curves implemented through EC_GFp_simple_method, EC_GFp_mont_method, and EC_GFp_nist_method. This commit is derived from the patch https://marc.info/?l=openssl-dev&m=131194808413635 by Billy Brumley. Coordinate blinding is a generally useful side-channel countermeasure and is (mostly) free. The function itself takes a few field multiplicationss, but is usually only necessary at the beginning of a scalar multiplication (as implemented in the patch). When used this way, it makes the values that variables take (i.e., field elements in an algorithm state) unpredictable. For instance, this mitigates chosen EC point side-channel attacks for settings such as ECDH and EC private key decryption, for the aforementioned curves. For EC_METHODs using different coordinate representations this commit does nothing, but the corresponding coordinate blinding function can be easily added in the future to extend these changes to such curves. Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com> Co-authored-by: Billy Brumley <bbrumley@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6526)
* Tweak comment.tb2018-09-011-5/+2
|
* Add consts to EVP_PKEY_asn1_set_private()tb2018-08-241-2/+2
| | | | | | | | | Requires adding a const to the priv_decode() member of EVP_PKEY_ASN1_METHOD and adjusting all *_priv_decode() functions. All this is already documented this way. tested in a bulk build by sthen ok jsing
* After removing support for broken PKCS#8 formats (it was high time),tb2018-08-241-2/+2
| | | | | | | | we can add const to PKCS8_pkey_get0(). In order for this to work, we need to sprinkle a few consts here and there. tested in a bulk by sthen ok jsing
* Use BN_swap_ct() instead of BN_consttime_swap() intb2018-07-231-5/+10
| | | | | | | | | ec_GF2m_montgomery_point_multiply(). The new BN_swap_ct() API is an improved version of the public BN_consttime_swap() function: it allows error checking, doesn't assert(), and has fewer assumptions on the input. This diff eliminates the last use of BN_consttime_swap() in our tree. ok inoguchi, jsing
* Recommit Billy Brumley's ECC constant time patch with a fix for sparc64tb2018-07-166-47/+341
| | | | | | | from Nicola Tuveri (who spotted the omission of ecp_nist.c from the PR). discussed with jsing tested by jsg
* recommit label indentation part of the backout; clearly unrelated to thetb2018-07-1519-91/+93
| | | | breakage.
* back out ecc constant time changesjsg2018-07-1520-426/+133
| | | | | | | | after the constant time commits various regress tests started failing on sparc64 ssh t9, libcrypto ec ecdh ecdsa and trying to ssh out resulted in 'invalid elliptic curve value' ok tb@
* Indent labels by a space so they don't obliterate function names in diffs.tb2018-07-1019-91/+93
|
* ECC constant time scalar multiplication support. First step in overhaulingtb2018-07-105-46/+337
| | | | | | | | | | | the EC module. From Billy Brumley and his team, via https://github.com/libressl-portable/openbsd/pull/94 With tweaks from jsing and me. ok jsing
* Add a const qualifier to the 'key' argument of i2o_ECPublicKey() andtb2018-05-192-4/+4
| | | | | | | | | one to the last argument of each one of i2s_ASN1_OCTET_STRING(), s2i_ASN1_OCTET_STRING(), i2s_ASN1_INTEGER(), i2s_ASN1_ENUMERATED(), and i2s_ASN1_ENUMERATED_TABLE(). tested in a bulk build by sthen ok jsing
* Convert a handful of X509_*() functions to take const as in OpenSSL.tb2018-05-011-6/+6
| | | | | tested in a bulk by sthen ok jsing
* Make whitespace between functions and structs a bit more consistent.tb2018-04-231-3/+7
|
* Consistently spell "IPsec" in comments and debug outputs.mpi2018-03-161-2/+2
| | | | From Raf Czlonka, ok sthen@
* Fix for processing of EC public keyinoguchi2018-03-122-15/+27
| | | | | | | | | | | | | | Prevents segmentation fault while reading EC private key without public key. Generates missing EC public key when reading EC private key. Refer to these OpenSSL commits: 1f2b943254ce590867717375e4f364860a9b7154 2083f7c465d07867dd9867b8742bb71c03d1f203 Reported on GitHub https://github.com/libressl-portable/portable/issues/395 by Anton Bukov (@k06a) . ok beck@
* Avoid a potential NULL pointer dereference in d2i_ECPrivateKey().jsing2017-05-261-1/+7
| | | | | | Reported by Robert Swiecki, who found the issue using honggfuzz. ok bcook@
* use freezero() instead of memset/explicit_bzero + free. Substantiallyderaadt2017-05-027-30/+17
| | | | | | | | | | reduces conditional logic (-218, +82). MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH cache alignment calculation bn/bn_exp.c wasn'tt quite right. Two other tricky bits with ASN1_STRING_FLAG_NDEF and BN_FLG_STATIC_DATA where the condition cannot be collapsed completely. Passes regress. ok beck
* Send the function codes from the error functions to the bit bucket,beck2017-01-2922-562/+391
| | | | | | as was done earlier in libssl. Thanks inoguchi@ for noticing libssl had more reacharounds into this. ok jsing@ inoguchi@
* Add ct and nonct versions of BN_mod_inverse for internal usebeck2017-01-211-3/+4
| | | | ok jsing@
* Explicitly export a list of symbols from libcrypto.jsing2016-12-212-3/+14
| | | | | | | | | | | | | | | | Move the "internal" BN functions from bn.h to bn_lcl.h and stop exporting the bn_* symbols. These are documented as only being intended for internal use, so why they were placed in a public header is beyond me... This hides 363 previously exported symbols, most of which exist in headers that are not installed and were never intended to be public. This also removes a few crusty old things that should have died long ago (like _ossl_old_des_read_pw). But don't worry... there are still 3451 symbols exported from the library. With input and testing from inoguchi@. ok beck@ inoguchi@
* Add assembler code for the nist 256-bit GFp curve, written initially bymiod2016-11-049-6/+19107
| | | | | | | | | Intel. Obtained from BoringSSL, with some integration work borrowed from OpenSSL 1.0.2; assembler code for arm and sparc64 borrowed from OpenSSL 1.1.0. None of this code is enabled in libcrypto yet. ok beck@ jsing@
* unifdef OPENSSL_NO_CMSjsing2016-10-191-22/+1
|
* remove unused variablebeck2016-09-031-2/+1
|
* Fix some very unnecessary convoultion.beck2016-09-031-16/+6
| | | | ok krw@
* " the the " -> " the ", or in a couple of cases replace the superfluouskrw2016-03-201-2/+2
| | | | | | "the" with the obviously intended word. Started with a "the the" spotted by Mihal Mazurek.
* Add error handling to the remaining calls to bn_wexpand().bcook2016-03-121-12/+16
| | | | | | | Noticed by pascal-cuoq from Github: https://github.com/libressl-portable/openbsd/issues/56 ok beck@
* http -> https for a few more IETF URLs in comments or man pagesmmcc2016-03-101-2/+2
|
* Remove pointless externs - the structs are declared in the same files ajsing2015-10-161-3/+1
| | | | few lines above.
* Expand DECLARE_ASN1_ALLOC_FUNCTIONS and DECLARE_ASN1_FUNCTIONS_constjsing2015-10-161-6/+17
| | | | macros. The only change in the generated assembly is due to line numbering.
* Remove pointless uses of DECLARE_ASN1_ENCODE_FUNCTIONS_const.jsing2015-10-161-3/+3
| | | | | DECLARE_ASN1_FUNCTIONS_const already includes this macro so using both means we end up with duplicate function prototypes and externs.
* Convert ECParameters_dup() from a macro that uses ASN1_dup_of() into anjsing2015-10-132-4/+19
| | | | | | actual function. This removes the last ASN1_dup_of usage from the tree. Feedback from doug@ and miod@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-19 21:41:56 +0000