| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
| |
This helper will be needed in a subsequent commit.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
Contrary to domain parameters and public key, the private key most be
part of the DER. Convert that to a BIGNUM and set it on the EC_KEY.
Use the dedicated setter for this (which will possibly call the handler
of the EC_KEY_METHOD) rather than doing this by hand.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to decode a private key, the group must be known in some way.
Typically, the group is encoded in the EC domain parameters, preferably
as a named curve (this is mandatory in PKIX per RFC 5480).
However, the group could be absent because the domain parameters are
OPTIONAL in the ECPrivateKey SEQUENCE. In that case the code falls
back to the group that may already be set on the EC_KEY. Now there is
no way to tell whether that group is the right one...
In any case. Split this thing out of the body of d2i_ECPrivateKey()
to make that function a bit less of an eyesore.
ok jsing
|
| | |
|
| | |
|
| |
|
|
| |
It doesn't currently need ec_local.h, but it will soon, so leave it there.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Reduces an upcoming diff which is hard enough to review without these
distractions.
|
| | |
|
| | |
|
| |
|
|
|
| |
This can't be perfectly symmetric, but the logic is now roughly the same
in both these functions.
|
| | |
|
| |
|
|
|
| |
No need to guard free() with a NULL check, check explicitly against 0
and rename p to seed.
|
| | |
|
| |
|
|
| |
CID 511280
|
| |
|
|
|
|
|
|
| |
This is annoying since it undoes some polishing done before commit and
reintroduces an unpleasant asymmetry.
found by anton via openssl-ruby tests
ok jsing
|
| |
|
|
| |
... is obviously r.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Factor ad-hoc inline code into helper functions. Use CBB and
BN_bn2binpad() instead of batshit crazy skip loops and pointer
banging. With all this done, the function becomes relatively
streamlined and pretty much symmetric with the new oct2point()
implementation.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
Transform the spaghetti in here into something more readable. Factor
various inline checks into helper functions to make the logic clearer.
This is a bit longer but a lot safer and simpler. It accepts exactly
the same input as the original version.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The SEC 1 standard defines various ways of encoding an elliptic curve
point as ASN.1 octet string. It's also used for the public key, which
isn't an octet string but a bit string for whatever historic reason.
The public API is incomplete and inconvenient, so we need to jump
through a few hoops to support it and to preserve our own sanity.
Split a small helper function out of ec_GFp_simple_point2oct() that
checks that a uint8_t represents a valid point conversion form. It
supports exactly the four possible variants and helps translating
from point_conversion_form_t at the API boundary.
Reject the form for the point at infinity since the function has
historically done that even for the case that the point actually is
the point at infinity.
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
| |
All internal uses of EC_METHOD_get_field_type() and EC_GROUP_method_of()
are chained together. Implement this as a single API call that takes a
group and use it throughout. Gets rid of another eyesore in this part of
the tree. Not that there will be a shortage of eyesores anytime soon...
ok jsing
|
| |
|
|
|
|
|
|
| |
We can just reach into the group to obtain its EC_GROUP_METHOD. After all
ec_local.h has to be in scope. This will permit marking this ugly API as
unused internally after the next commit.
ok jsing
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
This makes the thing a bit easier on the eyes and improves greppability.
ok joshua jsing
|
| | |
|
| |
|
|
| |
EC_GROUP_check() is quite simple. It doesn't need to use its own file.
|
| |
|
|
|
| |
When determining the minimum of nitems and EC_CURVE_LIST_LENGTH
we need neither an extra variable nor a ternary operator.
|
| |
|
|
|
|
|
| |
Rename struct ec_list_element into struct ec_curve. Accordingly, curve_list
becomes struct ec_curve ec_curve_list[]. Adjust internal API to match.
suggested by jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
EC parameters are very general. While there are some minimal sanity checks,
for the parameters due to DoS risks found in the last decade, the elliptic
curve code is poorly written and a target rich environment for NULL
dereferences, busy loops, expensive computations and whatever other
nastiness you can think of. It is not too hard to come up with parameters
that reach very ugly code. While we have removed for the worst of it (the
"fast" nist code and GF2m come to mind), the code very much resembles the
Augean Stables.
Unfortunately, curve parameters are still in use - even mandatory in some
contexts - for example in machine-readable travel documents signed by ICAO
country signing certification authorities (see ICAO Doc 9303).
To avoid many of these DoS vectors, start enforcing that we know what the
curve parameters are about, namely that they correspond to a builtin curve.
This way we know that the parameters are at least as good as the standards
we implement and checking this is cheap:
Translate curve parameters into the ad hoc representation in the builtin
curve code and check there's a match. That's very cheap since most curves
are distinguished by cofactor and parameter length and we need to use an
actual parameter comparison for at most half a dozen curves, usually only
one or two.
ok jsing
|
| |
|
|
| |
Another single-function file goes away.
|
| |
|
|
|
|
| |
The latter was used for EC_GROUP_new_curve_GF2m() and is now pointless.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This becomes a simple wrapper function that currently does three checks:
1. ensure the fieldID is for a prime field
2. check that the purported prime is of reasonable size, extract and
set curve coefficients and point conversion form
3. extract and set generator, order, cofactor and seed.
Sanity checks such as the Hasse bound are dealt with in the EC_GROUP API,
so need not be repeated here. They will become redundant once we enforce
that the parameters represent a builtin curve anyway.
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
| |
These are more ergonomic, result in more readable code, avoid a copy and
we no longer ignore a possible memory allocation error due to API misdesign
and bad code.
ok jsing
|
| |
|
|
|
|
| |
While this is public API in OpenSSL, there are no plans to expose it.
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
SEC 1, section 2.3.5, is explicit that the encoding of an element of the
field of definition for an elliptic curve needs to be a zero-padded octet
string whose length matches the byte size of the field's degree. So use
BN_bn2binpad() to fix this. Factor things into a simple helper to avoid
copy-pasting.
This gets rid of some of the most grotesque code in this file.
ok jsing
|
| |
|
|
|
|
| |
Also remove a pointless cast.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
No idea how anyone would think that tmp_1 and tmp_2 are better suited for
this.
ok jsing
|
| |
|
|
|
|
|
|
| |
This drops some unnecessary freeing that was turned into a double free
reachable via public API in OpenSSL 1.1. Other than that it unindents
code and uses better variable names.
ok jsing
|
