| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
| |
It's still horrible, but slightly less so...
ok jsing
|
| |
|
|
|
|
|
|
| |
This streamlines this mess and adapts the API better to its only caller.
Nothing much going on here, except that we drop confusing checks and
unhelpful comment, thereby making the algorithm more cleanly visible.
ok jsing
|
| |
|
|
|
|
| |
This matches the ec_wNAF_mul() API better
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As its name indicates, the first, ec_compute_odd_multiples(), fills
point, 3 * point, 5 * point, ..., (2 * len - 1) * point into row[].
In fact, it first computes doubled = 2 * point and then goes on to
set row[i] = row[i - 1] + doubled. That's straightforward enough. One
change here is that this helper allocates row[i] on the fly rather
than preallocating the entire array of points up front.
The second piece is the actual precomputation, ec_wNAF_precompute().
It first computes the wNAF digits of the two scalars n and m (in this
order for now) with appropriate window size and length. Then the above
mentioned val[] array is allocated and populated with odd multiples
of point and generator. Finally, all points in val[] are made affine
in a single step, which means we only need one modular inversion, and
this then allows us to take fast paths in all the computations in the
one remaining loop in ec_wNAF_mul().
ok jsing
|
| |
|
|
|
|
| |
This used to be the case until they were given a 'more meaningful name'
about 20 years ago. We cant fix the public API, but I'm tired of being
confused by this nonsense.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Again, we know their sizes (always 2), so we can avoid allocating and
freeing them. Also remove the extra "pivot" element. It's not needed.
ok djm
|
| |
|
|
| |
pointed out by jsing
|
| |
|
|
| |
ok djm
|
| |
|
|
|
|
| |
This makes the mess a bit more readable.
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
All the EC_POINT_* API has a fast path for the point at infinity. So we're
not gaining more than a few cycles by making this terrible mess even more
terrible than it already is by avoding calls ot it (it's also incorrect as
it is since we don't know that the point is no longer at infinity when it
is unset). Simplify and add a comment explaining what this mess is doing.
ok jsing
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Use better variable names (cf. https://jmilne.org/math/tips.html#4) and
avoid the weird style of assigning to r (what does r stand for anyway?)
and short circuiting subsequent tests using if (r || ...). Also, do not
reuse the variables for order and cofactor that were previously used for
the curve coefficients.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The only caller passes in num = 1 and is itself called in a path that
ensures that the multiplier of the generator is != NULL. Consequently
we don't need to deal with an array of points and an array of scalars
so rename them accordingly.
In addition, the change implies that numblocks and num_scalar are now
always 1, so inline this information and take a first step towards
disentangling this gordian knot.
ok jsing
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
As most other objects, EC_KEYs can be as sparsely and invalidly populated
as imagination permits and the competent designers of EC_KEY_copy() chose
to just copy over what's available (yeah, what kind of copy is that?) and
leave in place what happens to be there. In particular, if the dest EC key
was used with a different group and has a private key, but the source key
doesn't, the dest private key remains intact, as invalid, incompatible and
unusable as it may be. Fix this by clearing said private key.
ok jsing
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
spotted by jsing
|
| | |
|
| | |
|
| |
|
|
|
| |
These functions are no longer shared between multiple files, so they can
be static in ecp_methods.c and the long list of prototypes can go away.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
While not the greatest of names, ecp_methods.c is better than ecp_smpl.c.
It matches the naming ecx_methods.c and in a subsequent commit it will
become the new home of the stuff in ecp_mont.c as well.
discussed with jsing
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
This calls init() with the default method, so EC_KEY_copy() gets a chance
to call finish() if the source's method doesn't match. But no init() call
is made in EC_KEY_copy(). Of course the source method's copy() needs to be
able to cope. The great news is that ssh uses this. Sigh.
ok beck jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a special snowflake. Its logic is such that it only overwrites
things on the target that are available in the source. So if the source
has no group (yes, that's possible), the destination's group will remain.
Even better: if you copy a public key over what was previously a private
key, the private scalar will remain. That's almost never going to result
in a valid key. If you copy from a larger group to a smaller group the
private scalar will most likely be out of range [1, order).
Use dup functions instead of reimplementing badly and add a snarky comment
courtesy of beck to one of those silly const annotations (there's a small
addendum by me).
ok beck jsing
|
| |
|
|
|
|
|
|
| |
r is a silly name for an EC_KEY and it is silly to assign the refcount
to a variable i (short for uninspired) when you can check the function
return directly. Tweak sizeof in freezero to jsing's liking.
ok beck jsing
|
| |
|
|
|
|
|
|
| |
Use a better variable name, simpler error handling. This could be
simplified further if we decide to have an ec_key_set0_group() that
avoids a copy.
ok beck jsing
|
| |
|
|
|
|
|
|
|
| |
jsing rightly points out that this has nothing to do with ASN.1, but
ec_lib.c has no EC_KEY knowledge otherwise (it's about groups and points)
and moving it to ec_key.c is also not satisfactory since the weird
d2i/i2d for ECParameters don't belong there either.
no objection from jsing
|
| | |
|
| |
|
|
| |
CID 514612
|
| |
|
|
| |
requested by jsing
|
| |
|
|
|
|
|
| |
This was about as unreadable as four lines of code doing a trivial thing
can get...
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Switch from artistic free reinterpretations of public API in the same file
to calling the real thing if possible.
This means that we need to copy the group's coefficients first instead of
last, so that we can call EC_GROUP_set_generator() to set - yes - all three
of generator, order, and cofactor of the group.
However, we may not have a generator yet since for some reason it is an
optional field and some code relies on that. In that case simply copy over
order and cofactor and punt on sanity checking for now (since this API
never did that anyway).
Finally set the seed using EC_GROUP_set_seed() instead of using a custom
reimplementation.
ok jsing
|
| |
|
|
|
|
|
|
| |
Use a single cleanup path, use calloc rather than setting several members
to 0/NULL. This has the side effect that finished can be called even when
init() wasn't called, but this isn't an issue with our EC_GROUP_METHODs.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
This may have been different at some point in the past, but it may also
have been a confusion with EC_POINT_is_on_curve() which, like any great
API with a name implying a boolean return, actually has three possible
return values.
ok jsing
|
