summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/ecdsa/ecs_ossl.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Factor the computation of ECDSA s into a functiontb2023-07-041-69/+88
| | | | | | | | ossl_ecdsa_sign_sig() is already complicated enough. The math bit is entirely self contained and does not need to obfuscate control flow and logic. with feedback from and ok jsing
* sign_sig: drop ckinvtb2023-07-031-5/+7
| | | | | | | | The only reason ckinv exists is to be able to avoid a copy. This copy leaks some timing info, that will be mitigated in a subsequent step. It is an unused or at least uncommonly used codepath. ok jsing
* Rework the logic in ECDSA sign_sig()tb2023-07-031-24/+30
| | | | | | | | | | | If the caller supplied both kinv and r, we don't loop but rather throw an undocumented error code that no one uses, which is intended to tell the caller to run ECDSA_sign_setup() and try again. Use a boolean that indicates this situation so that the logic becomes a bit more transparent. ok jsing
* sign_sig: test on assignmenttb2023-07-031-5/+6
|
* sign_setup: split another check into twotb2023-07-031-2/+6
|
* Split range checks for ECDSA r and ECDSA stb2023-07-031-3/+8
| | | | requested by jsing
* Switch a couple of test from ucmp to cmptb2023-07-031-4/+4
| | | | | | | | This is confusing, as both sides involved should be unsigned. The ec code is undecided on whether the group order can be negative. It should never be, so lets see what happen with this slightly stricter check. discussed with jsing
* ossl_ecdsa_verify_sig(): simplify range checkstb2023-07-031-6/+4
| | | | | | | The checks whether r and s lie in the interval [1, order) were a bit uglier than necessary. Clean this up. ok beck jsing
* List variables in a somewhat more sensible ordertb2023-07-031-4/+4
|
* In ossl_ecdsa_verify_sig() use BN_CTX more idiomaticallytb2023-07-031-8/+10
| | | | ok beck jsing
* Split a bunch of unrelated checkstb2023-07-031-3/+10
| | | | ok beck jsing
* Make ossl_ecdsa_verify_sig() single exittb2023-07-031-4/+4
| | | | ok beck jsing
* Switch ossl_ecdsa_verify() to timingsafe_memcmp()tb2023-07-031-2/+2
| | | | Requested by jsing
* Streamline ossl_ecdsa_verify()tb2023-07-031-7/+13
| | | | | | | Make it single exit and use API more idiomatically and some other cosmetics. ok beck jsing
* Switch ECDSA code to using EC_GROUP_get0_order()tb2023-07-031-25/+17
| | | | ok jsing
* Another empty line did not want to go intb2023-07-031-1/+2
|
* Trade a pair of extra braces for a missing empty linetb2023-07-031-3/+3
|
* Switch sign_sig() and sign_setup() to using BN_CTXtb2023-07-021-47/+73
| | | | | | | | | | | Both these functions use a BN_CTX internally to deal with the EC API that usually requires one. However, they don't actually make use of it. Get the BIGNUMs from the BN_CTX instead, which simplifies the cleanup. Also defer allocation of the ECDSA_SIG to the very end. Instead of using its internal r and s, use two local r and s variables and transfer those to the ECDSA_SIG on success. ok beck jsing
* Revert hunk accidentally committed in r1.39tb2023-07-021-11/+1
|
* Rework handling of the out_kinv and out_r pointerstb2023-07-021-8/+15
| | | | suggested by jsing
* Rename ctx_in into in_ctx, kinvp into out_kinv and rp into out_rtb2023-07-021-12/+13
|
* Rename a few variables from X to xtb2023-07-021-14/+14
|
* Simplify things by switching to bn_rand_interval()tb2023-07-021-22/+19
| | | | | | | | This avoids some silly dances in ECDSA signature generation by replacing them with a single API call. Also garbage collect the now unnecessary range. ok beck jsing
* ECDSA_size(): move order a few lines downtb2023-07-021-2/+2
|
* Invert method checks to avoid stupid line breakstb2023-07-021-22/+26
|
* Move ECDSA_size() to ecs_ossl.c to match what was done in ecdhtb2023-06-251-1/+33
|
* Move ECDH_OpenSSL() ECDSA_OpenSSL() to *_lib.ctb2023-06-251-14/+1
| | | | | | Now that they no longer use static methods, they can move where they belong. Also make the static method const, as it should have been all along.
* Remove method wrappers that use {ecdh,ecdsa}_check()tb2023-06-251-52/+10
| | | | | | | | Now that it is no longer possible to set a custom {ECDH,ECDSA}_METHOD, EC_KEY_METHOD can just call the relevant method directly without the need for this extra contortion. ok jsing
* ecdsa_do_sign(): remove useless ecdsa_check() calltb2023-06-251-4/+2
| | | | ok jsing
* Fold ECDSA sign and verify mess into ecs_ossl.ctb2023-04-131-1/+66
| | | | discussed with jsing
* i2d_ECDSA_SIG() may return a negative value in case of error. Handlebluhm2023-03-301-5/+14
| | | | | this in ossl_ecdsa_sign() and propagate the return code. OK jsing@ tb@
* Replace the remaining BN_copy() with bn_copy()tb2023-03-271-3/+3
| | | | ok jsing
* Convert BN_copy() with explicit comparison against NULL to bn_copy()tb2023-03-271-2/+2
| | | | ok jsing
* Call BN_free() instead of BN_clear_free().jsing2023-03-071-12/+12
| | | | | | | BN_clear_free() is a wrapper that calls BN_free() - call BN_free() directly instead. ok tb@
* Enforce a lower bound of of EC group order so 80 bits for ECDSAtb2023-03-041-2/+7
| | | | | | | | This makes sure that the elliptic curve is not completely stupid. This is conservative enough: the smallest named groups that we support have an order of 112 bits. ok beck jsing
* Cap the number of iterations in ECDSA signingtb2023-03-041-1/+15
| | | | | | | | | | | | ECDSA is essentially the same thing as DSA, except that it is slightly less stupid. Signing specifies an infinite loop, which is only possible with arbitrary ECDSA domain parameters. Fortunately, most use of ECDSA in the wild is based on well-known groups, so it is known a priori that the loop is not infinite. Still, infinite loops are bad. A retry is unlikely, 32 retries have a probability of ~2^-8000. So it's pretty safe to error out. ok beck jsing
* Make internal header file names consistenttb2022-11-261-3/+3
| | | | | | | | | | | | | | | | Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special. Adjust all .c files in libcrypto, libssl and regress. The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually. discussed with jsing, no objection bcook
* Replace obj_mac.h with object.htb2022-06-301-3/+3
| | | | Pointed out by and ok jsing
* Avoid infinite loop for custom curves of order 1tb2022-04-071-1/+6
| | | | | | | | | | | | If a private key encoded with EC parameters happens to have order 1 and is used for ECDSA signatures, this causes an infinite loop since a random integer x in the interval [0,1) will be 0, so do ... while (x == 0); will loop indefinitely. Found and reported with a reproducer by Hanno Boeck. Helpful comments and analysis from David Benjamin. ok beck jsing
* Fix check for BN_mod_inverse_ct return valueinoguchi2022-01-201-3/+3
| | | | ok jsing@ millert@ tb@
* Simplify code after adding EC_POINT_{s,g}et_affine_coordinates()tb2021-04-201-33/+8
| | | | ok jsing
* Prepare to provide EC_POINT_{g,s}et_affine_coordinatestb2021-04-201-5/+5
| | | | | | Similar to part of OpenSSL commit 8e3cced75fb5fee5da59ebef9605d403a999391b ok jsing
* Readability tweak in a comment.tb2019-06-041-2/+2
|
* Remove the blinding later to avoid leaking information on the lengthtb2019-06-041-3/+3
| | | | | | | | of ckinv. Pointed out and fix suggested by David Schrammel and Samuel Weiser ok jsing
* Partial port of EC_KEY_METHOD from OpenSSL 1.1.tb2019-01-191-1/+41
| | | | | | This commit adds missing API for ECDH/ECDSA_verify. from markus
* Partial port of EC_KEY_METHOD from OpenSSL 1.1.tb2019-01-191-1/+38
| | | | | | | This commit adds init/free, support for signing, setting and getting the method, engine support as well as extra data. from markus
* Factor out a bit of ugly code that truncates the digest to the order_bitstb2018-07-101-32/+32
| | | | | | | | leftmost bits of a longer digest, according to FIPS 183-6, 6.4. Eliminate a microoptimization that only converts the relevant part of the digest to a bignum. ok beck, jsing
* Tiny tweak to the blinding comment.tb2018-06-161-2/+4
|
* Basic cleanup. Handle the possibly NULL ctx_in in ecdsa_sign_setup() withtb2018-06-151-67/+62
| | | | | | | | | | | | the usual idiom. All the allocations are now handled inside conditionals as is usually done in this part of the tree. Turn a few comments into actual sentences and remove a few self-evident ones. Change outdated or cryptic comments into more helpful annotations. In ecdsa_do_verify(), start calculating only after properly truncating the message digest. More consistent variable names: prefer 'order_bits' and 'point' over 'i' and 'tmp_point'. ok jsing
* Clean up some whitespace and polish a few comments. Reduces noise intb2018-06-151-24/+21
| | | | an upcoming diff.
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-09-22 08:55:05 +0000