summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/ec (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Fix some whitespace and comment formattingtb2022-11-221-37/+45
|
* Fix an annoying quirk in the EC codetb2022-11-1920-243/+243
| | | | | | Dealing with elliptic curves makes some people think that it would be kind of neat to multiply types with variable names. Sometimes. Only in function definitions.
* whitespacetb2022-11-1916-134/+134
|
* Implement EVP interfaces for Ed25519 and X25519.jsing2022-11-103-2/+868
| | | | ok beck@ tb@
* Fix a few more leaks in *_print() functions.tobhe2022-11-101-9/+19
| | | | ok jsing@
* static const, not const staticjsg2022-08-291-3/+3
| | | | | | | | | c99 6.11.5: "The placement of a storage-class specifier other than at the beginning of the declaration specifiers in a declaration is an obsolescent feature." ok miod@ tb@
* Remove mkerr.pl remnants from LibreSSLkn2022-07-122-12/+2
| | | | | | | This script is not used at all and files are edited by hand instead. Thus remove misleading comments incl. the obsolete script/config. Feedback OK jsing tb
* Replace obj_mac.h with object.htb2022-06-303-8/+10
| | | | Pointed out by and ok jsing
* Prepare to provide EVP_PKEY_security_bits()tb2022-06-271-1/+21
| | | | | | | This also provides a pkey_security_bits member to the PKEY ASN.1 methods and a corresponding setter EVP_PKEY_asn1_set_security_bits(). ok beck jsing
* Simplify ec_asn1_group2curve()tb2022-05-241-18/+21
| | | | | | | | Don't try to reuse curve->seed to avoid an allocation. Free it unconditionally and copy over the group->seed if it's available. Use asn1_abs_set_unused_bits() instead of inlining it. ok jsing
* Straightforward conversion of ecdh_cms_encrypt() totb2022-05-241-3/+3
| | | | | | asn1_abs_set_unused_bits() ok jsing
* Avoid infinite loop for custom curves of order 1tb2022-04-071-3/+3
| | | | | | | | | | | | If a private key encoded with EC parameters happens to have order 1 and is used for ECDSA signatures, this causes an infinite loop since a random integer x in the interval [0,1) will be 0, so do ... while (x == 0); will loop indefinitely. Found and reported with a reproducer by Hanno Boeck. Helpful comments and analysis from David Benjamin. ok beck jsing
* Simplify priv_key handling in d2i_ECPrivateKey()tb2022-03-311-8/+3
| | | | | | | | | d2i_EC_PRIVATEKEY() can handle the allocation of priv_key internally, no need to do this up front and reach it through the dangerous reuse mechanism. There's also no point in freeing a variable we know to be NULL. ok jsing
* Bound cofactor in EC_GROUP_set_generator()tb2022-03-291-1/+7
| | | | | | | | | | | | | | | | | | Instead of bounding only bounding the group order, also bound the cofactor using Hasse's theorem. This could probably be made a lot tighter since all curves of cryptographic interest have small cofactors, but for now this is good enough. A timeout found by oss-fuzz creates a "group" with insane parameters over a 40-bit field: the order is 14464, and the cofactor has 4196223 bits (which is obviously impossible by Hasse's theorem). These led to running an expensive loop in ec_GFp_simple_mul_ct() millions of times. Fixes oss-fuzz #46056 Diagnosed and fix joint with jsing ok inoguchi jsing (previous version)
* Do not zero cofactor on ec_guess_cofactor() successtb2022-03-291-2/+6
| | | | | | | The cofactor we tried to calculate should only be zeroed if we failed to compute it. ok inoguchi jsing
* Zap trailing whitespacetb2022-03-291-46/+46
|
* Fix check for BN_mod_inverse_ct return valueinoguchi2022-01-201-3/+3
| | | | ok jsing@ millert@ tb@
* Garbage collect the app_items field of ASN1_ADBtb2022-01-141-3/+1
| | | | | | | This is unused and was removed in OpenSSL 5b70372d when it was replaced with an ASN.1 ADB callback (which we don't support). ok inoguchi jsing
* Prepare to provide EVP_PKEY_{public,param}_checktb2022-01-101-1/+25
| | | | | | | | | | | | | | This implements checking of a public key and of key generation parameters for DH and EC keys. With the same logic and setters and const quirks as for EVP_PKEY_check(). There are a couple of quirks: For DH no default EVP_PKEY_check() is implemented, instead EVP_PKEY_param_check() calls DH_check_ex() even though DH_param_check_ex() was added for this purpose. EVP_PKEY_public_check() for EC curves also checks the private key if present. ok inoguchi jsing
* Prepare to provide EVP_PKEY_check()tb2022-01-101-2/+18
| | | | | | | | | | | | | | | | | | This allows checking the validity of an EVP_PKEY. Only RSA and EC keys are supported. If a check function is set the EVP_PKEY_METHOD, it will be used, otherwise the check function on the EVP_PKEY_ASN1_METHOD is used. The default ASN.1 methods wrap RSA_check_key() and EC_KEY_check_key(), respectively. The corresponding setters are EVP_PKEY_{asn1,meth}_set_check(). It is unclear why the PKEY method has no const while the ASN.1 method has const. Requested by tobhe and used by PHP 8.1. Based on OpenSSL commit 2aee35d3 ok inoguchi jsing
* Include evp_locl.h where it will be needed once most structs fromtb2021-12-121-1/+2
| | | | | | evp.h will be moved to evp_locl.h in an upcoming bump. ok inoguchi
* Add #include "bn_lcl.h" to the files that will soon need it.tb2021-12-043-3/+7
| | | | ok inoguchi jsing
* Default to using named curve parameter encodingtb2021-09-122-4/+5
| | | | | | | | | | | | | | | | | | The pre-OpenSSL 1.1.0 default was to use explicit curve parameter encoding. Most applications want to use named curve parameter encoding and have to opt into this explicitly. Stephen Henson changed this default in OpenSSL commit 86f300d3 6 years ago and provided a new OPENSSL_EC_EXPLICIT_CURVE define to opt back into the old default. According to Debian's codesearch, no application currently does this, which indicates that we currently have a bad default. In the future it is more likely that applications expect the new default, so we follow OpenSSL to avoid problems. Prompted by schwarze who noted that OPENSSL_EC_EXPLICIT_CURVE is missing. ok beck inoguchi jsing
* Expose EC_GROUP_order_bits() in <openssl/ec.h>tb2021-09-101-3/+1
| | | | ok beck jsing
* Prepare to provide EC_GROUP_order_bits()tb2021-09-0811-18/+45
| | | | ok jsing
* Remove some dead code that was missed in an earlier cleanup andtb2021-08-311-4/+3
| | | | | | | | fix a stale comment. Found by mortimer with clang 13's -Wunused-but-set-variable. ok beck
* Expose EC_POINT_{get,set}_affine_coordinates(3) andtb2021-05-101-7/+8
| | | | | | EC_POINT_set_compressed_coordinates(3) ok jsing
* Expose EC_GROUP_{get,set}_curve(3)tb2021-05-101-3/+2
| | | | ok jsing
* Fix corner case for compressed points on binary curvestb2021-05-031-1/+5
| | | | | | | | | Per X9.62 4.4.1.b., the compressed representation of a point with zero x coordinate on a binary curve must have y_bit unset. Error out in that case of ec_GF2m_set_compressed_coordinates() instead of ignoring y_bit. ok jsing
* Fix indent of EC_METHODs as requested by jsing.tb2021-04-206-192/+192
| | | | While there zap trailing whitespace from a KNF approximation gone wrong.
* Compare pointer against NULL and fix a KNF issue.tb2021-04-201-3/+3
| | | | ok jsing
* Prepare to provide EC_POINT_set_compressed_coordinatestb2021-04-205-57/+41
| | | | ok jsing
* Compare function pointers against NULL, not 0.tb2021-04-201-3/+3
| | | | ok jsing
* Provide EC_POINT_{g,s}et_Jprojective_coordinates for internal usetb2021-04-2010-77/+97
| | | | ok jsing
* Simplify code after adding EC_POINT_{s,g}et_affine_coordinates()tb2021-04-201-25/+6
| | | | ok jsing
* Compare function pointers against NULL, not 0.tb2021-04-201-3/+3
| | | | ok jsing
* Prepare to provide EC_POINT_{g,s}et_affine_coordinatestb2021-04-2013-71/+72
| | | | | | Similar to part of OpenSSL commit 8e3cced75fb5fee5da59ebef9605d403a999391b ok jsing
* Simplify after EC_POINT_get_curve() additiontb2021-04-202-30/+8
| | | | ok jsing
* Compare function pointers against NULL, not 0.tb2021-04-201-3/+3
| | | | ok jsing
* Prepare to provide EC_GROUP_{get,set}_curve(3)tb2021-04-206-41/+51
| | | | | | | | | | | | | There are numerous functions in ec/ that exist with _GF2m and _GFp variants for no good reason. The code of both variants is the same. The EC_METHODs contain a pointer to the appropriate version. This commit hides the _GF2m and _GFp variants from internal use and provides versions that work for both curve types. These will be made public in an upcoming library bump. Similar to part of OpenSSL commit 8e3cced75fb5fee5da59ebef9605d403a999391b ok jsing
* Avoid division by zero in hybrid point encodingtb2021-04-191-17/+49
| | | | | | | | | | | | | | | In hybrid and compressed point encodings, the form octet contains a bit of information allowing to calculate y from x. For a point on a binary curve, this bit is zero if x is zero, otherwise it must match the rightmost bit of of the field element y / x. The existing code only considers the second possibility. It could thus fail with a division by zero error as found by Guido Vranken's cryptofuzz. This commit adds a few explanatory comments to oct2point and fixes some KNF issues. The only actual code change is in the last hunk which adds a BN_is_zero(x) check to avoid the division by zero. ok jsing
* Move point-on-curve check to set_affine_coordinatestb2020-12-044-18/+50
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bad API design makes it possible to set an EC_KEY public key to a point not on the curve. As a consequence, it was possible to have bogus ECDSA signatures validated. In practice, all software uses either EC_POINT_oct2point*() to unmarshal public keys or issues a call to EC_KEY_check_key() after setting it. This way, a point on curve check is performed and the problem is mitigated. In OpenSSL commit 1e2012b7ff4a5f12273446b281775faa5c8a1858, Emilia Kasper moved the point-on-curve check from EC_POINT_oct2point to EC_POINT_set_affine_coordinates_*, which results in more checking. In addition to this commit, we also check in the currently unused codepath of a user set callback for setting compressed coordinates, just in case this will be used at some point in the future. The documentation of EC_KEY_check_key() is very vague on what it checks and when checks are needed. It could certainly be improved a lot. It's also strange that EC_KEY_set_key() performs no checks, while EC_KEY_set_public_key_affine_coordinates() implicitly calls EC_KEY_check_key(). It's a mess. Issue found and reported by Guido Vranken who also tested an earlier version of this fix. ok jsing
* Add support for additional GOST curves.jsing2020-06-051-5/+163
| | | | | | | | | | | | | These GOST curves are defined in RFC 7836 and draft-deremin-rfc4491-bis. Add aliases for 256-bit GOST curves (see draft-smyshlyaev-tls12-gost-suites) and rename the 512-bit curve ids to follow names defined in tc26 OID registry. Diff from Dmitry Baryshkov <dbaryshkov@gmail.com> Sponsored by ROSA Linux. ok inoguchi@
* If a NULL or zero cofactor is passed to EC_GROUP_set_generator(),tb2019-09-293-11/+113
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | try to compute it using Hasse's bound. This works as long as the cofactor is small enough. Port of Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1 (old license) tests & ok inoguchi input & ok jsing commit 30c22fa8b1d840036b8e203585738df62a03cec8 Author: Billy Brumley <bbrumley@gmail.com> Date: Thu Sep 5 21:25:37 2019 +0300 [crypto/ec] for ECC parameters with NULL or zero cofactor, compute it The cofactor argument to EC_GROUP_set_generator is optional, and SCA mitigations for ECC currently use it. So the library currently falls back to very old SCA-vulnerable code if the cofactor is not present. This PR allows EC_GROUP_set_generator to compute the cofactor for all curves of cryptographic interest. Steering scalar multiplication to more SCA-robust code. This issue affects persisted private keys in explicit parameter form, where the (optional) cofactor field is zero or absent. It also affects curves not built-in to the library, but constructed programatically with explicit parameters, then calling EC_GROUP_set_generator with a nonsensical value (NULL, zero). The very old scalar multiplication code is known to be vulnerable to local uarch attacks, outside of the OpenSSL threat model. New results suggest the code path is also vulnerable to traditional wall clock timing attacks. CVE-2019-1547 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/9781)
* Plug memory leak in error paths. Found while comparing this filetb2019-09-091-5/+5
| | | | | | with OpenSSL 1.1.1's version which contains a similar fix. ok jsing
* Provide EVP_PKEY_CTX_get_signature_md() macro and implement thejsing2019-09-091-1/+5
| | | | | | | | EVP_PKEY_CTRL_GET_MD control for DSA, EC and RSA. This is used by the upcoming RSA CMS code. ok inoguchi@ tb@
* Move #include <openssl/cms.h> to more appropriate location (since it isjsing2019-09-091-3/+2
| | | | now being installed).
* Add CMS ECC support.jsing2019-09-081-2/+370
| | | | | | | | This brings in EC code from OpenSSL 1.1.1b, with style(9) and whitespace cleanups. All of this code is currently under OPENSSL_NO_CMS hence is a no-op. ok inoguchi@
* Add various macros and controls for EC_PKEY_CTX.jsing2019-09-063-27/+314
| | | | | | | | | These are needed for the upcoming EC CMS support (nothing else appears to use them). This largely syncs our ec_pmeth.c with OpenSSL 1.1.1b. With input from inoguchi@ and tb@. ok inoguchi@ tb@
* Initialize EC_KEY_METHOD before use.bcook2019-05-101-2/+2
| | | | | | Fixes COV-186146 ok tb, beck
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-28 12:30:36 +0000