Like most other objects, EC_KEYs can be as sparsely and invalidly populated
as imagination permits and the competent designers of EC_KEY_copy() chose
to just copy over what's available (yeah, what kind of copy is that?) and
leave in place what happens to be there. In particular, if the dest EC key
was used with a different group and has a private key, but the source key
doesn't, the dest private key remains intact, as invalid, incompatible and
unusable as it may be. Fix this by clearing said private key.
ok jsing
spotted by jsing
These functions are no longer shared between multiple files, so they can
be static in ecp_methods.c and the long list of prototypes can go away.
While not the greatest of names, ecp_methods.c is better than ecp_smpl.c.
It matches the naming ecx_methods.c and in a subsequent commit it will
become the new home of the stuff in ecp_mont.c as well.
discussed with jsing
This calls init() with the default method, so EC_KEY_copy() gets a chance
to call finish() if the source's method doesn't match. But no init() call
is made in EC_KEY_copy(). Of course the source method's copy() needs to be
able to cope. The great news is that ssh uses this. Sigh.
ok beck jsing
This is a special snowflake. Its logic is such that it only overwrites
things on the target that are available in the source. So if the source
has no group (yes, that's possible), the destination's group will remain.
Even better: if you copy a public key over what was previously a private
key, the private scalar will remain. That's almost never going to result
in a valid key. If you copy from a larger group to a smaller group the
private scalar will most likely be out of range [1, order).
Use dup functions instead of reimplementing badly and add a snarky comment
courtesy of beck to one of those silly const annotations (there's a small
addendum by me).
ok beck jsing
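As an added illustration of the copy semantics this message and the EC_KEY_copy() private-key fix further up describe, here is a constructed C model. It is not LibreSSL code and has no EC_KEY in it: a group is reduced to its order, the private scalar to a 64-bit word, and the two copy routines (toy_key_copy_old, toy_key_copy_new) and the range check (toy_key_check) are hypothetical stand-ins for the "overwrite only what the source has" logic versus a dup-style copy.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins, not libcrypto types. */
struct toy_group {
	uint64_t order;			/* group order n */
};

struct toy_key {
	const struct toy_group *group;	/* NULL: key without a group */
	int has_pub;
	uint64_t pub_x;
	int has_priv;
	uint64_t priv;			/* must lie in [1, order) when set */
};

/* The old logic: only overwrite members that the source actually has. */
static void
toy_key_copy_old(struct toy_key *dest, const struct toy_key *src)
{
	if (src->group != NULL)
		dest->group = src->group;
	if (src->has_pub) {
		dest->has_pub = 1;
		dest->pub_x = src->pub_x;
	}
	if (src->has_priv) {
		dest->has_priv = 1;
		dest->priv = src->priv;
	}
	/* dest->priv and dest->group survive when src lacks them. */
}

/* Dup-style copy: dest becomes an exact image of src, stale members gone. */
static void
toy_key_copy_new(struct toy_key *dest, const struct toy_key *src)
{
	/* Real code wipes the old scalar with explicit_bzero/freezero. */
	memset(dest, 0, sizeof(*dest));
	*dest = *src;
}

/* 1 if the key is usable: it has a group and any scalar is in range. */
static int
toy_key_check(const struct toy_key *k)
{
	if (k->group == NULL)
		return 0;
	if (k->has_priv && (k->priv < 1 || k->priv >= k->group->order))
		return 0;
	return 1;
}

typedef void (*toy_copy_fn)(struct toy_key *, const struct toy_key *);

/*
 * Scenario from the commit message: dest held a private key on a large
 * group, src is a public-only key on a smaller group.  Returns 1 if the
 * result passes toy_key_check().
 */
static int
copy_pub_over_priv_is_valid(toy_copy_fn copy)
{
	static const struct toy_group big = { 1000003 };
	static const struct toy_group small = { 101 };
	struct toy_key dest = { &big, 1, 42, 1, 999999 };
	struct toy_key src = { &small, 1, 7, 0, 0 };

	copy(&dest, &src);
	return toy_key_check(&dest);
}

/* Second scenario: src has no group.  Returns 1 if dest kept its group. */
static int
copy_groupless_keeps_dest_group(toy_copy_fn copy)
{
	static const struct toy_group big = { 1000003 };
	struct toy_key dest = { &big, 1, 42, 1, 5 };
	struct toy_key src = { NULL, 1, 7, 0, 0 };

	copy(&dest, &src);
	return dest.group != NULL;
}

static int old_copy_valid(void) { return copy_pub_over_priv_is_valid(toy_key_copy_old); }
static int new_copy_valid(void) { return copy_pub_over_priv_is_valid(toy_key_copy_new); }
static int old_copy_keeps_stale_group(void) { return copy_groupless_keeps_dest_group(toy_key_copy_old); }
static int new_copy_keeps_stale_group(void) { return copy_groupless_keeps_dest_group(toy_key_copy_new); }
```

With the old logic the first scenario leaves a scalar of 999999 attached to a group of order 101, which is exactly the out-of-range private key the message warns about; the dup-style copy produces a public-only key on the small group. In the second scenario the old logic silently keeps the destination's group, the new one faithfully reproduces a groupless source.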
r is a silly name for an EC_KEY and it is silly to assign the refcount
to a variable i (short for uninspired) when you can check the function
return directly. Tweak sizeof in freezero to jsing's liking.
ok beck jsing
Use a better variable name, simpler error handling. This could be
simplified further if we decide to have an ec_key_set0_group() that
avoids a copy.
ok beck jsing
jsing rightly points out that this has nothing to do with ASN.1, but
ec_lib.c has no EC_KEY knowledge otherwise (it's about groups and points)
and moving it to ec_key.c is also not satisfactory since the weird
d2i/i2d for ECParameters don't belong there either.
no objection from jsing
CID 514612
requested by jsing
This was about as unreadable as four lines of code doing a trivial thing
can get...
ok jsing
Switch from artistic free reinterpretations of public API in the same file
to calling the real thing if possible.
This means that we need to copy the group's coefficients first instead of
last, so that we can call EC_GROUP_set_generator() to set - yes - all three
of generator, order, and cofactor of the group.
However, we may not have a generator yet since for some reason it is an
optional field and some code relies on that. In that case simply copy over
order and cofactor and punt on sanity checking for now (since this API
never did that anyway).
Finally set the seed using EC_GROUP_set_seed() instead of using a custom
reimplementation.
ok jsing
Use a single cleanup path, use calloc rather than setting several members
to 0/NULL. This has the side effect that finish() can be called even when
init() wasn't called, but this isn't an issue with our EC_GROUP_METHODs.
ok jsing
This may have been different at some point in the past, but it may also
have been a confusion with EC_POINT_is_on_curve() which, like any great
API with a name implying a boolean return, actually has three possible
return values.
ok jsing
Like most of the code in this file that hasn't been overhauled, these are
just terrible. As jsing points out, we will need to ensure that finish()
works on a not fully initialized point. That's currently safe.
ok jsing
So... zap the now redundant check. Should have been committed along with
ec_lib.c -r1.77
Since we only consider standard affine coordinates, the point at infinity
must be excluded. Check at the API boundary that the point isn't the point
at infinity rather than hiding this check somewhere in a method.
ok jsing
The reason these were in separate files was FIPS. Not our problem.
The biggest change here is that the computation is now performed in the
Montgomery domain if we have a Montgomery curve. This avoids constant
checking whether we need to use plain field operations or whether we can
use curve-specific ones.
Use a few better variable names and stop attempting to figure out whether
the operation failed due to an error in BN_mod_sqrt() or a bad point. All
in all this only shaves off 10 lines, but it is astounding what a few tweaks
can do to code that looked like Rome in 455 AD.
with/ok jsing
EC_POINT_oct2point() is the only API that needs detailed knowledge about
this incomplete enum. [Arguably, the setters for the EC_KEY and EC_GROUP
member of that type would also need to be able to validate what's being
set, but they can't since they can't fail.] Anyway. Add a helper that lets
EC_POINT_oct2point() translate that enum to its internal representation
at the API boundary and add a check that ensures that we only encode the
point at infinity as the point at infinity.
ok jsing
It was only used by EC2M.
With the functions living in ec_convert now, the oct makes little sense.
And ec_oct_oct2point() was too much for poor jsing to bear.
requested by jsing
Both our remaining EC_METHODs use the methods that used to be called
ec_GFp_simple_{oct2point,point2oct}() so there's no need for the function
pointer indirection. Make the public API call them directly.
ok jsing
Use a few local variables to make the checks at the start slightly less
unappealing. Use those to simplify the conditionals a bit and avoid a
particularly silly exit code. ok is set unless ret is 0, so what do you
think 'return (ok ? ret : 0);' returns? By the way, ret < 0 is an error
as well.
While most of the stuff in this file could use a lot more cleanup, I think
the first layer of cockroaches has been exterminated and there's even some
faint golden glimmer between the turds.
Let's shelve the biohazard warnings for now.
ok jsing
a is a stupid name for an EC_KEY, so is ret. Pull apart the tests at the
start and check the length for negativity (long is always the wrong type).
Switch to ec_point_from_octets() and let it determine the point conversion
form rather than having yet another copy of the same ugly stanza.
Set the form on the key using EC_KEY_set_conv_form() (which also affects
the group on the key, so this is a slight change of behavior). Why on earth
this function returns the EC_KEY passed in, I'll never know.
ok jsing
Turn the function into single exit and use ec_point_to_octets() to avoid
the point2oct dance. Ensure that the buf_len size_t doesn't get truncated
by the int return.
While we could avoid an allocation in case out == NULL, we don't do so.
In case out != NULL and *out != NULL this API assumes *out has sufficient
room, copies the result into it and advances *out past it. This is just
asking for trouble (of course, i2d has the same misfeature). Don't use
this if you can help it.
Unfortunately, OpenSSH couldn't help it in at least one spot (that one's
on BoringSSL's allocator not returning an allocated pointer that you can
pass to free). We had to do it lest people run RedHat patches of dubious
quality. For: FIPS the monkey must be pleased at all cost.
ok jsing
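As an added illustration of the out/*out calling convention and the size_t-to-int guard this message describes, here is a constructed C model. It is not LibreSSL code: toy_pub, toy_i2o_pub and toy_encode_pub_safe are hypothetical stand-ins, the "public key" is just a pair of coordinate byte strings, and the sample coordinates are made up. What it shows is the three calling modes, the pointer advance that makes the caller's original pointer unusable for free(), and the cursor pattern that sidesteps it.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an EC public key (uncompressed point). */
struct toy_pub {
	size_t field_len;
	const unsigned char *x, *y;
};

/*
 * Encode as 0x04 || X || Y with the i2o/i2d calling convention:
 *   out == NULL               -> return the encoded length only
 *   out != NULL, *out == NULL -> allocate, store the buffer in *out
 *   out != NULL, *out != NULL -> write into *out, which the caller promises
 *                                is big enough, then advance *out past it
 * Returns the length, or 0 on error.
 */
static int
toy_i2o_pub(const struct toy_pub *pub, unsigned char **out)
{
	unsigned char *buf;
	size_t buf_len;

	if (pub == NULL || pub->field_len == 0)
		return 0;
	buf_len = 1 + 2 * pub->field_len;
	/* A size_t length must not be truncated by the int return. */
	if (buf_len > INT_MAX)
		return 0;
	if (out == NULL)
		return (int)buf_len;
	if (*out == NULL) {
		if ((buf = malloc(buf_len)) == NULL)
			return 0;
	} else
		buf = *out;
	buf[0] = 0x04;
	memcpy(buf + 1, pub->x, pub->field_len);
	memcpy(buf + 1 + pub->field_len, pub->y, pub->field_len);
	if (*out == NULL)
		*out = buf;
	else
		*out += buf_len;	/* the misfeature: caller's pointer moves */
	return (int)buf_len;
}

/*
 * Safe use: query the length, allocate, and hand the encoder a separate
 * cursor so the pointer later passed to free() is the one malloc returned.
 */
static int
toy_encode_pub_safe(const struct toy_pub *pub, unsigned char **encoded)
{
	unsigned char *buf, *p;
	int len;

	if ((len = toy_i2o_pub(pub, NULL)) <= 0)
		return 0;
	if ((buf = malloc((size_t)len)) == NULL)
		return 0;
	p = buf;
	if (toy_i2o_pub(pub, &p) != len || p != buf + len) {
		free(buf);
		return 0;
	}
	*encoded = buf;
	return len;
}

/* Constructed 2-byte coordinates; a real curve's would be 32 bytes or more. */
static const unsigned char toy_x[2] = { 0x01, 0x02 }, toy_y[2] = { 0x03, 0x04 };
static const struct toy_pub toy_key = { 2, toy_x, toy_y };

/* Caller-supplied buffer: the bytes land in buf, but p is advanced. */
static int
demo_caller_buffer_advances(void)
{
	unsigned char buf[8] = { 0 };
	unsigned char *p = buf;

	if (toy_i2o_pub(&toy_key, &p) != 5)
		return 0;
	return p == buf + 5 && buf[0] == 0x04 && buf[4] == 0x04 && buf[5] == 0;
}

static int
demo_safe_roundtrip(void)
{
	unsigned char *enc = NULL;
	int len, ok;

	len = toy_encode_pub_safe(&toy_key, &enc);
	ok = len == 5 && enc != NULL && enc[0] == 0x04 &&
	    memcmp(enc + 1, "\x01\x02\x03\x04", 4) == 0;
	free(enc);
	return ok;
}

/* A length that would not survive the int return is refused up front. */
static int
demo_oversized_rejected(void)
{
	const struct toy_pub huge = { (size_t)INT_MAX, NULL, NULL };

	return toy_i2o_pub(&huge, NULL) == 0;
}
```

The cursor in toy_encode_pub_safe is the whole point: after the call p is buf + len, so free(p) would be a bug, which is why buf is kept separately and is what gets handed back.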