| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
| |
Now that it is method-agnostic, we can remove the method and move the
implementation to the body of the public API function. And another
method goes away. We're soon down to the ones we really need.
discussed with jsing
|
| |
|
|
|
|
|
|
|
|
| |
While this is nicely done, it is a bit too clever. We can do the
calculation in the normal domain rather than the Montgomery domain
and this way the method becomes method agnostic. This will be a bit
slower but since a couple of field operations are nothing compared
to the cost of BN_mod_sqrt() this isn't a concern.
ok jsing
|
| |
|
|
| |
discussed with jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
EC_POINTs_mul() was only ever used by Ruby and they stopped doing so for
LibreSSL when we incorporated the constant time multiplication work of
Brumley et al and restricted the length of the points array to 1, making
this API effectively useless. The only real reason you want to have an
API to calculate \sum n_i P_i is for ECDSA where you want m * G + n * P.
Whether something like his needs to be in the public API is doubtful.
EC_POINTs_make_affine() is an implementation detail of EC_POINTs_mul().
As such it never really belonged into the public API.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
Whatever the EC_METHOD, this will always be equivalent to getting and
setting the affine coordinates, so this needs no dedicated method.
Also, this is a function that makes no real sense since a caller should
never need to care about this... As always, our favorite language bindings
thought they might have users who care. This time it's Ruby and Perl.
ok jsing
|
| | |
|
| |
|
|
| |
requested by jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
After possibly decoding a and b in EC_GROUP_get_curve(), this is a pure
calculation in GFp and as such doesn't make use of any method-specifics.
Let's perform this calculation directly in the public API implementation
rather than redirecting through the methods and remove yet another method
handler.
ok jsing
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
The degree made some sense when EC2M was a thing in libcrypto. Fortunately
that's not the case anymore. The order handler never made sense.
ok jsing
|
| |
|
|
| |
requested by jsing
|
| |
|
|
| |
requested by jsing
|
| |
|
|
|
|
| |
This is another bit of indirection that makes this code so hard to follow.
ok jsing
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
This is usually method specific, so remove the indirection and call the
appropriate blinding function directly.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This is only used by ec_points_make_affine(), which is only used by the
wNAF multiplication, which is only used by ECDSA. We can afford computing
that one once per ECDSA verification given the cost of the rest of this.
Thus, the field_set_to_one() member disappears from the EC_METHOD and the
mont_one member disappears from EC_GROUP and with it all the complications
when setting/copying/freeing the group.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
That the BN-driven EC code uses Jacobian projective coordinates as an
optimization is an implementation detail. As such this should never have
leaked out of the library as part of the public API. No consumer should
ever care and if they do they're doing it wrong. The only port that cares
is one of those stupid little perl modules that expose all the things and
transform terrible OpenSSL regress tests into similarly horrible Perl.
In practice, only affine coordinates matter (perhaps in compressed form).
This prunes two more function pointers from EC_GROUP and prepares the
removal of the field_set_to_one() method which is now only used in
ec_points_make_affine().
ok jsing sthen
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The only way to get an EC_GROUP or an EC_POINT is by calling the relevant
_new() function and to get rid of it, something must call _free(). Thus we
can establish the invariant that every group has Weierstrass coefficients
p, a, b as well as order and cofactor hanging off it. Similarly, Every
point has allocated BIGNUMs for its Jacobian projective coordinates.
Unfortunately, a group has the generator as an optional component in
addition to seed and montgomery context/one (where optionality makes
more sense).
This is a mostly mechanical diff and only drops a few silly comments and
a couple of unnecessary NULL checks since in our part of the wrold the
word invariant has a meaning.
This should also appease Coverity who likes to throw fits at calling
BN_free() for BIGNUM on the stack (yes, this is actually a thing).
ok jsing
|
| |
|
|
|
|
|
| |
There is only one caller, EC_GROUP_free(), so inline the relevant free
calls there and dispose of a few layers of indirection.
ok jsing
|
| |
|
|
|
|
|
|
| |
For both in-tree methods these are just complicated ways of zeroing part
of the group object. The group is allocated with calloc(), so it's all
entirely pointless.
ok jsing
|
| | |
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
| |
The shift is between 0 and 5 bits, so it doesn't matter, but VS is short
for very st...ubborn as are its users when it comes to reporting non-issues
|
| |
|
|
|
|
|
|
|
|
|
| |
This had an extra dance to allow a NULL output buffer. The plan was to
use this in i2o_ECPublicKey() to preserve the behavior of avoiding an
allocation if out == NULL. However, when I rewrote the latter I punted
on preserving that complication, as it was already batshit crazy enough.
Thus, remove said dance and make ec_point_to_octets() cleaner.
ok jsing
|
| | |
|
| |
|
|
|
|
| |
Now that we only do curves over GF(p) fields, there's no need to use a
weird, confusing name for what we usually call p. Adjust some comments
in the vicinity as well.
|
| | |
|
| | |
|
| |
|
|
| |
discussed with jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This refactors the wNAF multiplication further and introduces a small API
that manages the wNAF digits for bn and the multiples of digit * point in
a single struct that is initialized and freed in two API calls in the main
function, ec_wNAF_mul(). This way the main algorithm is no longer cluttered
with logic to keep various arrays in sync, helper functions calculating the
wNAF splitting of bn and multiples of the point do not need to deal with
memory management, and a pair of accessors obviates previously missing
bounds checking.
At this point we have reached a relatively clean and straightforward wNAF
implementation that fits precisely the purpose needed in libcrypto, i.e.,
ECDSA verification instead of being generalized and optimized to the max
for no good reason apart from endowing the author with an academic degree.
Popper's famous maxim "if you can't say it clearly, keep quiet, and keep
working until you can" very much applies to code as well. In other words,
shut up and hack (and don't pour too much energy into commit messages, tb).
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We match curve parameters against the builtin curves and only accept
them if they're encoding a curve known to us. After getting rid of the
wtls curves, some of which used to coincide with secp curves (sometimes
the wrong ones), the nid is unambiguous. Setting the nid has no direct
implications on the encoding.
This helps ssh avoid doing ugly computations during the key exchange
for PEM keys using this encoding.
ok djm joshua jsing
|
| |
|
|
|
|
|
| |
This should really have been using SECP 160R2, not SECP 160R1. Of course
this means in particular that nobody ever used this curve, at least not
against another implementation than OpenSSL. Quasi-monocultures are
poisonous whether the monopolist is benevolent and competent or not.
|
| |
|
|
|
|
|
|
|
| |
Like most of the "group" methods these are shared between Montgomery
curves and simple curves. There's no point in five methods hanging off
the EC_METHODS struct whne they can just as well be inlined in the
public API. It makes all files involved shorter...
ok jsing
|
| |
|
|
|
|
|
|
| |
While there likely won't be enough BNs already available in the ctx, and
thus it won't greatly reduce the amount of allocated BNs, it simplifies
the exit path quite a bit.
review feedback from jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is unclear how the original code was supposed to work. It clearly
missed a few corner cases (like handling points at infinity correctly)
and the badly mangled comment that was supposed to display a binary
search tree didn't help at all.
Instead do something much more straightforward: multiply all the non-zero
Z coordinates of the points not at infinity together, keeping track of the
intermediate products. Then do a single expensive modular inversion before
working backwards to compute all the inverses. Then the transformation from
Jacobian coordinates to affine coordiantes (x, y, z) -> (x/z^2, y/z^3, 1)
becomes cheap. A little bit of care has to be taken for Montgomery curves
but that's very simple compared to the mess that was there before.
ok jsing
This is a cleaned up version of:
commit 0fe73d6c3641cb175871463bdddbbea3ee0b62ae
Author: Bodo Moeller <bodo@openssl.org>
Date: Fri Aug 1 17:18:14 2014 +0200
Simplify and fix ec_GFp_simple_points_make_affine
(which didn't always handle value 0 correctly).
Reviewed-by: emilia@openssl.org
|
| |
|
|
|
|
|
|
|
|
|
| |
There are only two flag values that libcrypto understands and the default
value is 1 while, helpfully, the undesirable non-default is 0. The few
existing callers set OPENSSL_EC_NAMED_CURVE or OPENSSL_EC_EXPLICIT_CURVE.
Nevertheless, the flag should be checked properly as a flag. The recent
upstream checks for EC_GROUP_get_asn1_flag(group) == OPENSSL_EC_NAMED_CURVE
don't look right either...
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This disables all the curves over fields < 224 bits and a few others.
Specifically:
SECG: 112r1 112r2 128r1 128r2 160k1 160r1 160r2 192k1 192r1 192v{1,2,3}
WTLS: 6 7 8 9 12
Brainpool: P160r1 P160t1 P192r1 P192t1
These are below or at the limit of what is acceptable nowadays. This is
less aggressive than what some enterprise linux distributions are using
in their patched OpenSSL versions where everything over fields < 256 bits
is disabled with the exception of P-224, so interoperability should not
be a problem.
The curves are left in the tree for now and can be re-enabled by compiling
libcrypto with -DENABLE_SMALL_CURVES. They will be fully removed later.
One nice benefit of doing this is that the incorrect parameters for WTLS 7
are fixed (obviously nobody uses this one) and now all the builtin curves
have a unique corresponding OID (nid).
Something like this was suggested a while back by beck, makes sense to sthen
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The big change is that the "rows" are no longer slices of val[] but
that they actually own the points they contain. The price for this
is an extra allocation for val[] and to piece it together from the
two rows. That's ugly, but less ugly than before.
Add a helper for freeing a row of points. It can deal with a NULL
row so, we can remove a couple of complications.
The second change is that the logic for preparing the rows is pulled
back into ec_wNAF_mul[]. This way the m * G + n * P logic is in the
one function that needs to know about it, the rest just deals with
a pair of a point and a scalar.
This starts resembling actual code...
ok jsing
|
| |
|
|
|
|
|
|
| |
This is a corner case that isn't really of interest. We're making a few
calculations that don't really hurt, but it's super cheap, so one more
complication bites the dust.
ok jsing
|
| |
|
|
|
|
|
|
| |
We can now turn the for loop into a proper for loop for which there is
obviously no out of bounds access. The length can be determined up front
and it's easier to explain what's going on, so expand a few comments.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
This is another micro optimization that introduces needless complications
for the sake of saving a few cycles. Specifically, by ditching the rule
defining the wNAF representation (at most one of w+1 consecutive digits
is non-zero) for the topmost digits, one can sometimes save a few digits
at the cost of crazy loop conditions and other weirdness. That's not worth
it.
ok jsing
|
| | |
|
| |
|
|
| |
ok jsing
|
