path: root/src/lib/libcrypto/ec

Commit log. Each entry lists the commit message, then author, date, number of files changed and lines removed/added.
* Fix an EC_GROUP_clear_free() that snuck through.
  Author: jsing | Date: 2023-03-08 | Files: 1 | Lines: -2/+2

  Thanks to Mark Patruck for reporting.

* Fix previous.
  Author: jsing | Date: 2023-03-08 | Files: 1 | Lines: -5/+5

* Always clear EC groups and points on free.
  Author: jsing | Date: 2023-03-08 | Files: 10 | Lines: -114/+35

  Rather than sometimes clearing, turn the free functions into ones that always clear (as we've done elsewhere). Turn the EC_GROUP_clear_free() and EC_POINT_clear_free() functions into wrappers that call the *_free() version. Do similar for the EC_METHOD implementations, removing the group_clear_finish() and point_clear_finish() hooks in the process.

  ok tb@
* Stop trying to use EC_GFp_nist_method().
  Author: jsing | Date: 2023-03-08 | Files: 1 | Lines: -76/+20

  Currently, if compiled without OPENSSL_BN_ASM_MONT, EC_GROUP_new_curve_GFp() tries to use EC_GFp_nist_method(), falling back to EC_GFp_mont_method() if it is not a NIST curve (if OPENSSL_BN_ASM_MONT is defined we use EC_GFp_mont_method() unconditionally).

  Now that we have a reasonable non-assembly Montgomery implementation, the performance of EC_GFp_nist_method() is either similar to or slower than EC_GFp_mont_method() (the exception being P-521, however if you're using that you're not doing it for performance reasons anyway). The EC_GFp_nist_method() uses rather scary BN NIST code (which would probably already be removed, if not for the BN and EC public APIs), it uses code paths that are currently less constant time, and there is additional overhead in checking to see if the curve is actually supported.

  Stop trying to use EC_GFp_nist_method() and unconditionally use EC_GFp_mont_method() in all cases. While here, factor out the common setup code and call it from both EC_GROUP_new_curve_GFp() and EC_GROUP_new_curve_GF2m().

  ok beck@ tb@

* Remove EC_FLAGS_DEFAULT_OCT.
  Author: jsing | Date: 2023-03-08 | Files: 6 | Lines: -79/+27

  The EC code has an amazing array of function pointer hooks, such that a method can hook into almost any operation... and then there is the EC_FLAGS_DEFAULT_OCT flag, which adds a bunch of complex code and #ifdef so you can avoid setting three of those function pointers!

  Remove EC_FLAGS_DEFAULT_OCT, the now unused flags field from EC_METHOD, along with the various code that was wrapped in EC_FLAGS_DEFAULT_OCT, setting the three function pointers that need to be set in each of the EC_METHODs.

  ok beck@ tb@
* Call BN_free() instead of BN_clear_free().
  Author: jsing | Date: 2023-03-07 | Files: 5 | Lines: -22/+22

  BN_clear_free() is a wrapper that calls BN_free() - call BN_free() directly instead.

  ok tb@

* Fix another return value check for CMS_SharedInfo_encode()
  Author: tb | Date: 2023-03-07 | Files: 1 | Lines: -2/+2

  This should have been included in a previous diff/commit...

* Move EC_GFp_simple_method() to the bottom of the file.
  Author: jsing | Date: 2023-03-07 | Files: 1 | Lines: -75/+51

  Most of the implementation functions for EC_GFp_simple_method() are reused by other code, hence they cannot be made static. However, this keeps the pattern consistent.

  ok tb@
* Use static functions for EC_GF2m_simple_method() implementation.
  Author: jsing | Date: 2023-03-07 | Files: 2 | Lines: -131/+74

  Move the EC_METHOD to the bottom of the file, which allows implementation functions to become static. Remove unneeded prototypes.

  ok tb@

* Use static functions for EC_GFp_nist_method() implementation.
  Author: jsing | Date: 2023-03-07 | Files: 2 | Lines: -63/+53

  Move the EC_METHOD to the bottom of the file, which allows implementation functions to become static. Remove unneeded prototypes.

  ok tb@

* Use static functions for EC_GFp_mont_method() implementation.
  Author: jsing | Date: 2023-03-07 | Files: 2 | Lines: -86/+62

  Move the EC_METHOD to the bottom of the file, which allows all implementation functions to become static. Remove unneeded prototypes.

  ok tb@

* Fix formatting of comments.
  Author: jsing | Date: 2023-03-07 | Files: 1 | Lines: -14/+27

* Consolidate clear code for EC_GFp_mont_method.
  Author: jsing | Date: 2023-03-07 | Files: 1 | Lines: -23/+18

  Use a fang dangled thing (known as a function) to avoid duplicating the same code in five places.

  ok tb@
* Fix some return checks in ecdh_cms_encrypt()
  Author: tb | Date: 2023-03-06 | Files: 1 | Lines: -3/+3

  i2d functions return <= 0 on error, so check for that instead of == 0.

  The issue with CMS_SharedInfo_encode() was found by Niels Dossche. OpenSSL review overlooked that they had turned penclen into a size_t.

  In principle the issue with i2d_X509_ALGOR() is purely cosmetic. Why do a strange check when there is an idiomatic check? Then again this is CMS...

  ok jsing

* Remove #ifndef OPENSSL_EC_NISTP_64_GCC_128.
  Author: jsing | Date: 2023-03-05 | Files: 1 | Lines: -5/+1

  This was presumably intended to be OPENSSL_NO_EC_NISTP_64_GCC_128, however generic code has ended up inside the ifdef (and none of the NISTP code or prototypes now remain).

* Remove ec_GFp_nistp.* prototypes.
  Author: jsing | Date: 2023-03-05 | Files: 1 | Lines: -40/+1

  This code has been deleted, however the prototypes managed to hang around.

* Remove duplicate function prototypes.
  Author: jsing | Date: 2023-03-05 | Files: 1 | Lines: -8/+1
* Mop up ECP_NISTZ256_ASM and OPENSSL_NO_EC_NISTP_64_GCC_128 leftovers.
  Author: jsing | Date: 2023-03-04 | Files: 2 | Lines: -22/+3

  This is `unifdef -m -DOPENSSL_NO_EC_NISTP_64_GCC_128 -UECP_NISTZ256_ASM` and some manual tidy up.

* Rename field_data1 and field_data2.
  Author: jsing | Date: 2023-03-04 | Files: 2 | Lines: -48/+50

  Rather than pretending that these "generic" variables are used for multiple things, rename them to reflect their actual usage and use appropriate types instead of void *.

  ok tb@

* libcrypto/ec: another missing point-on-curve check
  Author: tb | Date: 2023-02-07 | Files: 1 | Lines: -3/+9

  Unlike in the affine/compressed/... cases, when setting projective coordinates of an elliptic curve point, there is no check whether the point is actually on the curve.

  Pointed out by Guido Vranken

  ok beck miod

* Remove unused Elliptic Curve code.
  Author: jsing | Date: 2023-01-14 | Files: 10 | Lines: -25329/+0

  For various reasons, the ecp_nistp* and ecp_nistz* code is unused. While ecp_nistp* was being compiled, it is disabled due to OPENSSL_NO_EC_NISTP_64_GCC_128 being defined. On the other hand, ecp_nistz* was not even being built.

  We will bring in new versions or alternative versions of such code, if we end up enabling it in the future. For now it is just causing complexity (and grep noise) while trying to improve the EC code.

  Discussed with tb@
* Clean up and simplify EC_KEY handling, mostly from a BN_CTX perspective.
  Author: jsing | Date: 2023-01-14 | Files: 1 | Lines: -59/+80

  If we have a BN_CTX available, make use of it rather than calling BN_new(). Always allocate a new priv_key and pub_key, rather than having complex reuse dances on entry and exit. Add missing BN_CTX_start()/BN_CTX_end() calls.

  ok tb@

* spelling fixes; from paul tagliamonte
  Author: jmc | Date: 2022-12-26 | Files: 6 | Lines: -42/+42

  i removed the arithmetics -> arithmetic changes, as i felt they were not clearly correct

  ok tb

* Make internal header file names consistent
  Author: tb | Date: 2022-11-26 | Files: 26 | Lines: -65/+65

  Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special.

  Adjust all .c files in libcrypto, libssl and regress.

  The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually.

  discussed with jsing, no objection bcook
* Merge the second y_bit check into the first one where it belongs
  Author: tb | Date: 2022-11-24 | Files: 1 | Lines: -5/+5

  suggested by jsing

* Simplify y_bit handling in compressed coordinates
  Author: tb | Date: 2022-11-24 | Files: 1 | Lines: -15/+2

  If y_bit is set for a zero y, something is wrong and we can error directly. No need to run the non-trivial BN_kronecker() to check if BN_mod_sqrt() lied or not, only to set a more specific error code.

  ok jsing

* Clean up EC_METHOD and EC_GROUP definitions
  Author: tb | Date: 2022-11-24 | Files: 1 | Lines: -102/+111

  Remove obvious comments, wrap long lines and general KNF cleanup. Format and rephrase the more important comments.

  Discussed with jsing

* Change bn_expand()/bn_wexpand() to indicate failure/success via 0/1.
  Author: jsing | Date: 2022-11-24 | Files: 3 | Lines: -16/+16

  Currently bn_expand()/bn_wexpand() return a BIGNUM *, however none of the callers use this (and many already treat it as a true/false value). Change these functions to return 0 on failure and 1 on success, revising callers that test against NULL in the process.

  ok tb@

* Call bn_expand() rather than handrolling an equivalent.
  Author: jsing | Date: 2022-11-24 | Files: 1 | Lines: -5/+5

  The current code manually calculates words from bits and then calls bn_wexpand() - call bn_expand() with bits instead.

  ok tb@
* Fix leaks in ecx_set_{priv,pub}_key()
  Author: tb | Date: 2022-11-23 | Files: 1 | Lines: -9/+9

  When ecx_key_set_{priv,pub}() fails, ecx_key is leaked.

  CID 377014

  From jsing

* Remove bn_* defines/prototypes.
  Author: jsing | Date: 2022-11-23 | Files: 1 | Lines: -4/+1

  These now come directly via bn_lcl.h.

  ok tb@

* Fix some whitespace and comment formatting
  Author: tb | Date: 2022-11-22 | Files: 1 | Lines: -37/+45

* Fix an annoying quirk in the EC code
  Author: tb | Date: 2022-11-19 | Files: 20 | Lines: -243/+243

  Dealing with elliptic curves makes some people think that it would be kind of neat to multiply types with variable names. Sometimes. Only in function definitions.

* whitespace
  Author: tb | Date: 2022-11-19 | Files: 16 | Lines: -134/+134
* Implement EVP interfaces for Ed25519 and X25519.
  Author: jsing | Date: 2022-11-10 | Files: 3 | Lines: -2/+868

  ok beck@ tb@

* Fix a few more leaks in *_print() functions.
  Author: tobhe | Date: 2022-11-10 | Files: 1 | Lines: -9/+19

  ok jsing@

* static const, not const static
  Author: jsg | Date: 2022-08-29 | Files: 1 | Lines: -3/+3

  c99 6.11.5: "The placement of a storage-class specifier other than at the beginning of the declaration specifiers in a declaration is an obsolescent feature."

  ok miod@ tb@

* Remove mkerr.pl remnants from LibreSSL
  Author: kn | Date: 2022-07-12 | Files: 2 | Lines: -12/+2

  This script is not used at all and files are edited by hand instead. Thus remove misleading comments incl. the obsolete script/config.

  Feedback OK jsing tb

* Replace obj_mac.h with object.h
  Author: tb | Date: 2022-06-30 | Files: 3 | Lines: -8/+10

  Pointed out by and ok jsing
* Prepare to provide EVP_PKEY_security_bits()
  Author: tb | Date: 2022-06-27 | Files: 1 | Lines: -1/+21

  This also provides a pkey_security_bits member to the PKEY ASN.1 methods and a corresponding setter EVP_PKEY_asn1_set_security_bits().

  ok beck jsing

* Simplify ec_asn1_group2curve()
  Author: tb | Date: 2022-05-24 | Files: 1 | Lines: -18/+21

  Don't try to reuse curve->seed to avoid an allocation. Free it unconditionally and copy over the group->seed if it's available. Use asn1_abs_set_unused_bits() instead of inlining it.

  ok jsing

* Straightforward conversion of ecdh_cms_encrypt() to
  Author: tb | Date: 2022-05-24 | Files: 1 | Lines: -3/+3

  asn1_abs_set_unused_bits()

  ok jsing

* Avoid infinite loop for custom curves of order 1
  Author: tb | Date: 2022-04-07 | Files: 1 | Lines: -3/+3

  If a private key encoded with EC parameters happens to have order 1 and is used for ECDSA signatures, this causes an infinite loop since a random integer x in the interval [0,1) will be 0, so do ... while (x == 0); will loop indefinitely.

  Found and reported with a reproducer by Hanno Boeck. Helpful comments and analysis from David Benjamin.

  ok beck jsing

* Simplify priv_key handling in d2i_ECPrivateKey()
  Author: tb | Date: 2022-03-31 | Files: 1 | Lines: -8/+3

  d2i_EC_PRIVATEKEY() can handle the allocation of priv_key internally, no need to do this up front and reach it through the dangerous reuse mechanism. There's also no point in freeing a variable we know to be NULL.

  ok jsing
* Bound cofactor in EC_GROUP_set_generator()
  Author: tb | Date: 2022-03-29 | Files: 1 | Lines: -1/+7

  Instead of only bounding the group order, also bound the cofactor using Hasse's theorem. This could probably be made a lot tighter since all curves of cryptographic interest have small cofactors, but for now this is good enough.

  A timeout found by oss-fuzz creates a "group" with insane parameters over a 40-bit field: the order is 14464, and the cofactor has 4196223 bits (which is obviously impossible by Hasse's theorem). These led to running an expensive loop in ec_GFp_simple_mul_ct() millions of times.

  Fixes oss-fuzz #46056

  Diagnosed and fix joint with jsing

  ok inoguchi jsing (previous version)

* Do not zero cofactor on ec_guess_cofactor() success
  Author: tb | Date: 2022-03-29 | Files: 1 | Lines: -2/+6

  The cofactor we tried to calculate should only be zeroed if we failed to compute it.

  ok inoguchi jsing

* Zap trailing whitespace
  Author: tb | Date: 2022-03-29 | Files: 1 | Lines: -46/+46
* Fix check for BN_mod_inverse_ct return value
  Author: inoguchi | Date: 2022-01-20 | Files: 1 | Lines: -3/+3

  ok jsing@ millert@ tb@

* Garbage collect the app_items field of ASN1_ADB
  Author: tb | Date: 2022-01-14 | Files: 1 | Lines: -3/+1

  This is unused and was removed in OpenSSL 5b70372d when it was replaced with an ASN.1 ADB callback (which we don't support).

  ok inoguchi jsing

* Prepare to provide EVP_PKEY_{public,param}_check
  Author: tb | Date: 2022-01-10 | Files: 1 | Lines: -1/+25

  This implements checking of a public key and of key generation parameters for DH and EC keys. With the same logic and setters and const quirks as for EVP_PKEY_check().

  There are a couple of quirks: For DH no default EVP_PKEY_check() is implemented, instead EVP_PKEY_param_check() calls DH_check_ex() even though DH_param_check_ex() was added for this purpose. EVP_PKEY_public_check() for EC curves also checks the private key if present.

  ok inoguchi jsing