summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/ec (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* spelling fixes; from paul tagliamontejmc2022-12-266-42/+42
| | | | | | | i removed the arithmetics -> arithmetic changes, as i felt they were not clearly correct ok tb
* Make internal header file names consistenttb2022-11-2626-65/+65
| | | | | | | | | | | | | | | | Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special. Adjust all .c files in libcrypto, libssl and regress. The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually. discussed with jsing, no objection bcook
* Merge the second y_bit check into the first one where it belongstb2022-11-241-5/+5
| | | | suggested by jsing
* Simplify y_bit handling in compressed coordinatestb2022-11-241-15/+2
| | | | | | | | If y_bit is set for a zero y, something is wrong and we can error directly. No need to run the non-trivial BN_kronecker() to check if BN_mod_sqrt() lied or not, only to set a more specific error code. ok jsing
* Clean up EC_METHOD and EC_GROUP definitionstb2022-11-241-102/+111
| | | | | | | Remove obvious comments, wrap long lines and general KNF cleanup. Format and rephrase the more important comments. Discussed with jsing
* Change bn_expand()/bn_wexpand() to indicate failure/success via 0/1.jsing2022-11-243-16/+16
| | | | | | | | | Currently bn_expand()/bn_wexpand() return a BIGNUM *, however none of the callers use this (and many already treat it as a true/false value). Change these functions to return 0 on failure and 1 on success, revising callers that test against NULL in the process. ok tb@
* Call bn_expand() rather than handrolling an equivalent.jsing2022-11-241-5/+5
| | | | | | | The current code manually calculates words from bits and then calls bn_wexpand() - call bn_expand() with bits instead. ok tb@
* Fix leaks in ecx_set_{priv,pub}_key()tb2022-11-231-9/+9
| | | | | | | | When ecx_key_set_{priv,pub}() fails, ecx_key is leaked. CID 377014 From jsing
* Remove bn_* defines/prototypes.jsing2022-11-231-4/+1
| | | | | | These now come directly via bn_lcl.h. ok tb@
* Fix some whitespace and comment formattingtb2022-11-221-37/+45
|
* Fix an annoying quirk in the EC codetb2022-11-1920-243/+243
| | | | | | Dealing with elliptic curves makes some people think that it would be kind of neat to multiply types with variable names. Sometimes. Only in function definitions.
* whitespacetb2022-11-1916-134/+134
|
* Implement EVP interfaces for Ed25519 and X25519.jsing2022-11-103-2/+868
| | | | ok beck@ tb@
* Fix a few more leaks in *_print() functions.tobhe2022-11-101-9/+19
| | | | ok jsing@
* static const, not const staticjsg2022-08-291-3/+3
| | | | | | | | | c99 6.11.5: "The placement of a storage-class specifier other than at the beginning of the declaration specifiers in a declaration is an obsolescent feature." ok miod@ tb@
* Remove mkerr.pl remnants from LibreSSLkn2022-07-122-12/+2
| | | | | | | This script is not used at all and files are edited by hand instead. Thus remove misleading comments incl. the obsolete script/config. Feedback OK jsing tb
* Replace obj_mac.h with object.htb2022-06-303-8/+10
| | | | Pointed out by and ok jsing
* Prepare to provide EVP_PKEY_security_bits()tb2022-06-271-1/+21
| | | | | | | This also provides a pkey_security_bits member to the PKEY ASN.1 methods and a corresponding setter EVP_PKEY_asn1_set_security_bits(). ok beck jsing
* Simplify ec_asn1_group2curve()tb2022-05-241-18/+21
| | | | | | | | Don't try to reuse curve->seed to avoid an allocation. Free it unconditionally and copy over the group->seed if it's available. Use asn1_abs_set_unused_bits() instead of inlining it. ok jsing
* Straightforward conversion of ecdh_cms_encrypt() totb2022-05-241-3/+3
| | | | | | asn1_abs_set_unused_bits() ok jsing
* Avoid infinite loop for custom curves of order 1tb2022-04-071-3/+3
| | | | | | | | | | | | If a private key encoded with EC parameters happens to have order 1 and is used for ECDSA signatures, this causes an infinite loop since a random integer x in the interval [0,1) will be 0, so do ... while (x == 0); will loop indefinitely. Found and reported with a reproducer by Hanno Boeck. Helpful comments and analysis from David Benjamin. ok beck jsing
* Simplify priv_key handling in d2i_ECPrivateKey()tb2022-03-311-8/+3
| | | | | | | | | d2i_EC_PRIVATEKEY() can handle the allocation of priv_key internally, no need to do this up front and reach it through the dangerous reuse mechanism. There's also no point in freeing a variable we know to be NULL. ok jsing
* Bound cofactor in EC_GROUP_set_generator()tb2022-03-291-1/+7
| | | | | | | | | | | | | | | | | | Instead of bounding only bounding the group order, also bound the cofactor using Hasse's theorem. This could probably be made a lot tighter since all curves of cryptographic interest have small cofactors, but for now this is good enough. A timeout found by oss-fuzz creates a "group" with insane parameters over a 40-bit field: the order is 14464, and the cofactor has 4196223 bits (which is obviously impossible by Hasse's theorem). These led to running an expensive loop in ec_GFp_simple_mul_ct() millions of times. Fixes oss-fuzz #46056 Diagnosed and fix joint with jsing ok inoguchi jsing (previous version)
* Do not zero cofactor on ec_guess_cofactor() successtb2022-03-291-2/+6
| | | | | | | The cofactor we tried to calculate should only be zeroed if we failed to compute it. ok inoguchi jsing
* Zap trailing whitespacetb2022-03-291-46/+46
|
* Fix check for BN_mod_inverse_ct return valueinoguchi2022-01-201-3/+3
| | | | ok jsing@ millert@ tb@
* Garbage collect the app_items field of ASN1_ADBtb2022-01-141-3/+1
| | | | | | | This is unused and was removed in OpenSSL 5b70372d when it was replaced with an ASN.1 ADB callback (which we don't support). ok inoguchi jsing
* Prepare to provide EVP_PKEY_{public,param}_checktb2022-01-101-1/+25
| | | | | | | | | | | | | | This implements checking of a public key and of key generation parameters for DH and EC keys. With the same logic and setters and const quirks as for EVP_PKEY_check(). There are a couple of quirks: For DH no default EVP_PKEY_check() is implemented, instead EVP_PKEY_param_check() calls DH_check_ex() even though DH_param_check_ex() was added for this purpose. EVP_PKEY_public_check() for EC curves also checks the private key if present. ok inoguchi jsing
* Prepare to provide EVP_PKEY_check()tb2022-01-101-2/+18
| | | | | | | | | | | | | | | | | | This allows checking the validity of an EVP_PKEY. Only RSA and EC keys are supported. If a check function is set the EVP_PKEY_METHOD, it will be used, otherwise the check function on the EVP_PKEY_ASN1_METHOD is used. The default ASN.1 methods wrap RSA_check_key() and EC_KEY_check_key(), respectively. The corresponding setters are EVP_PKEY_{asn1,meth}_set_check(). It is unclear why the PKEY method has no const while the ASN.1 method has const. Requested by tobhe and used by PHP 8.1. Based on OpenSSL commit 2aee35d3 ok inoguchi jsing
* Include evp_locl.h where it will be needed once most structs fromtb2021-12-121-1/+2
| | | | | | evp.h will be moved to evp_locl.h in an upcoming bump. ok inoguchi
* Add #include "bn_lcl.h" to the files that will soon need it.tb2021-12-043-3/+7
| | | | ok inoguchi jsing
* Default to using named curve parameter encodingtb2021-09-122-4/+5
| | | | | | | | | | | | | | | | | | The pre-OpenSSL 1.1.0 default was to use explicit curve parameter encoding. Most applications want to use named curve parameter encoding and have to opt into this explicitly. Stephen Henson changed this default in OpenSSL commit 86f300d3 6 years ago and provided a new OPENSSL_EC_EXPLICIT_CURVE define to opt back into the old default. According to Debian's codesearch, no application currently does this, which indicates that we currently have a bad default. In the future it is more likely that applications expect the new default, so we follow OpenSSL to avoid problems. Prompted by schwarze who noted that OPENSSL_EC_EXPLICIT_CURVE is missing. ok beck inoguchi jsing
* Expose EC_GROUP_order_bits() in <openssl/ec.h>tb2021-09-101-3/+1
| | | | ok beck jsing
* Prepare to provide EC_GROUP_order_bits()tb2021-09-0811-18/+45
| | | | ok jsing
* Remove some dead code that was missed in an earlier cleanup andtb2021-08-311-4/+3
| | | | | | | | fix a stale comment. Found by mortimer with clang 13's -Wunused-but-set-variable. ok beck
* Expose EC_POINT_{get,set}_affine_coordinates(3) andtb2021-05-101-7/+8
| | | | | | EC_POINT_set_compressed_coordinates(3) ok jsing
* Expose EC_GROUP_{get,set}_curve(3)tb2021-05-101-3/+2
| | | | ok jsing
* Fix corner case for compressed points on binary curvestb2021-05-031-1/+5
| | | | | | | | | Per X9.62 4.4.1.b., the compressed representation of a point with zero x coordinate on a binary curve must have y_bit unset. Error out in that case of ec_GF2m_set_compressed_coordinates() instead of ignoring y_bit. ok jsing
* Fix indent of EC_METHODs as requested by jsing.tb2021-04-206-192/+192
| | | | While there zap trailing whitespace from a KNF approximation gone wrong.
* Compare pointer against NULL and fix a KNF issue.tb2021-04-201-3/+3
| | | | ok jsing
* Prepare to provide EC_POINT_set_compressed_coordinatestb2021-04-205-57/+41
| | | | ok jsing
* Compare function pointers against NULL, not 0.tb2021-04-201-3/+3
| | | | ok jsing
* Provide EC_POINT_{g,s}et_Jprojective_coordinates for internal usetb2021-04-2010-77/+97
| | | | ok jsing
* Simplify code after adding EC_POINT_{s,g}et_affine_coordinates()tb2021-04-201-25/+6
| | | | ok jsing
* Compare function pointers against NULL, not 0.tb2021-04-201-3/+3
| | | | ok jsing
* Prepare to provide EC_POINT_{g,s}et_affine_coordinatestb2021-04-2013-71/+72
| | | | | | Similar to part of OpenSSL commit 8e3cced75fb5fee5da59ebef9605d403a999391b ok jsing
* Simplify after EC_POINT_get_curve() additiontb2021-04-202-30/+8
| | | | ok jsing
* Compare function pointers against NULL, not 0.tb2021-04-201-3/+3
| | | | ok jsing
* Prepare to provide EC_GROUP_{get,set}_curve(3)tb2021-04-206-41/+51
| | | | | | | | | | | | | There are numerous functions in ec/ that exist with _GF2m and _GFp variants for no good reason. The code of both variants is the same. The EC_METHODs contain a pointer to the appropriate version. This commit hides the _GF2m and _GFp variants from internal use and provides versions that work for both curve types. These will be made public in an upcoming library bump. Similar to part of OpenSSL commit 8e3cced75fb5fee5da59ebef9605d403a999391b ok jsing
* Avoid division by zero in hybrid point encodingtb2021-04-191-17/+49
| | | | | | | | | | | | | | | In hybrid and compressed point encodings, the form octet contains a bit of information allowing to calculate y from x. For a point on a binary curve, this bit is zero if x is zero, otherwise it must match the rightmost bit of of the field element y / x. The existing code only considers the second possibility. It could thus fail with a division by zero error as found by Guido Vranken's cryptofuzz. This commit adds a few explanatory comments to oct2point and fixes some KNF issues. The only actual code change is in the last hunk which adds a BN_is_zero(x) check to avoid the division by zero. ok jsing
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-25 14:41:34 +0000