summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/ecdsa/ecs_ossl.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Avoid infinite loop for custom curves of order 1tb2022-04-071-1/+6
| | | | | | | | | | | | If a private key encoded with EC parameters happens to have order 1 and is used for ECDSA signatures, this causes an infinite loop since a random integer x in the interval [0,1) will be 0, so do ... while (x == 0); will loop indefinitely. Found and reported with a reproducer by Hanno Boeck. Helpful comments and analysis from David Benjamin. ok beck jsing
* Fix check for BN_mod_inverse_ct return valueinoguchi2022-01-201-3/+3
| | | | ok jsing@ millert@ tb@
* Simplify code after adding EC_POINT_{s,g}et_affine_coordinates()tb2021-04-201-33/+8
| | | | ok jsing
* Prepare to provide EC_POINT_{g,s}et_affine_coordinatestb2021-04-201-5/+5
| | | | | | Similar to part of OpenSSL commit 8e3cced75fb5fee5da59ebef9605d403a999391b ok jsing
* Readability tweak in a comment.tb2019-06-041-2/+2
|
* Remove the blinding later to avoid leaking information on the lengthtb2019-06-041-3/+3
| | | | | | | | of ckinv. Pointed out and fix suggested by David Schrammel and Samuel Weiser ok jsing
* Partial port of EC_KEY_METHOD from OpenSSL 1.1.tb2019-01-191-1/+41
| | | | | | This commit adds missing API for ECDH/ECDSA_verify. from markus
* Partial port of EC_KEY_METHOD from OpenSSL 1.1.tb2019-01-191-1/+38
| | | | | | | This commit adds init/free, support for signing, setting and getting the method, engine support as well as extra data. from markus
* Factor out a bit of ugly code that truncates the digest to the order_bitstb2018-07-101-32/+32
| | | | | | | | leftmost bits of a longer digest, according to FIPS 183-6, 6.4. Eliminate a microoptimization that only converts the relevant part of the digest to a bignum. ok beck, jsing
* Tiny tweak to the blinding comment.tb2018-06-161-2/+4
|
* Basic cleanup. Handle the possibly NULL ctx_in in ecdsa_sign_setup() withtb2018-06-151-67/+62
| | | | | | | | | | | | the usual idiom. All the allocations are now handled inside conditionals as is usually done in this part of the tree. Turn a few comments into actual sentences and remove a few self-evident ones. Change outdated or cryptic comments into more helpful annotations. In ecdsa_do_verify(), start calculating only after properly truncating the message digest. More consistent variable names: prefer 'order_bits' and 'point' over 'i' and 'tmp_point'. ok jsing
* Clean up some whitespace and polish a few comments. Reduces noise intb2018-06-151-24/+21
| | | | an upcoming diff.
* Use a blinding value when generating an ECDSA signature, in order totb2018-06-141-14/+65
| | | | | | | | reduce the possibility of a side-channel attack leaking the private key. Suggested by Keegan Ryan at NCC Group. With input from and ok jsing
* Avoid a timing side-channel leak when generating DSA and ECDSA signatures.jsing2018-06-131-2/+2
| | | | | | | | | This is caused by an attempt to do fast modular arithmetic, which introduces branches that leak information regarding secret values. Issue identified and reported by Keegan Ryan of NCC Group. ok beck@ tb@
* Fix a small timing side channel in ecdsa_sign_setup(). Up to whitespacetb2018-04-281-8/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | this is OpennSSL commit 4a089bbdf11f9e231cc68f42bba934c954d81a49. ok beck, jsing Original commit message: commit 4a089bbdf11f9e231cc68f42bba934c954d81a49 Author: Pauli <paul.dale@oracle.com> Date: Wed Nov 1 06:58:39 2017 +1000 Address a timing side channel whereby it is possible to determine some information about the length of the scalar used in ECDSA operations from a large number (2^32) of signatures. This doesn't rate as a CVE because: * For the non-constant time code, there are easier ways to extract more information. * For the constant time code, it requires a significant number of signatures to leak a small amount of information. Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for reporting this issue. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4576)]
* Send the function codes from the error functions to the bit bucket,beck2017-01-291-46/+39
| | | | | | as was done earlier in libssl. Thanks inoguchi@ for noticing libssl had more reacharounds into this. ok jsing@ inoguchi@
* Add ct and nonct versions of BN_mod_inverse for internal usebeck2017-01-211-4/+6
| | | | ok jsing@
* Avoid a side-channel cache-timing attack that can leak the ECDSA privatejsing2017-01-051-1/+3
| | | | | | | | | keys when signing. This is due to BN_mod_inverse() being used without the constant time flag being set. This issue was reported by Cesar Pereida Garcia and Billy Brumley (Tampere University of Technology). The fix was developed by Cesar Pereida Garcia.
* Lob a KNF grenade into the ecdsa code.jsing2015-02-081-151/+114
|
* if (x) FOO_free(x) -> FOO_free(x).miod2014-07-121-27/+15
| | | | | | | Improves readability, keeps the code smaller so that it is warmer in your cache. review & ok deraadt@
* Explicitly include <openssl/opensslconf.h> in every file that referencesjsing2014-07-101-1/+3
| | | | | | | | | an OPENSSL_NO_* define. This avoids relying on something else pulling it in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is never going to do anything, since OPENSSL_NO_XYZ will never defined, due to the fact that opensslconf.h has not been included. This also includes some miscellaneous sorting/tidying of headers.
* tags as requested by miod and teduderaadt2014-06-121-1/+1
|
* Use C99 initializers for the various FOO_METHOD structs. More readable, andmiod2014-04-271-10/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | avoid unreadable/unmaintainable constructs like that: const EVP_PKEY_ASN1_METHOD cmac_asn1_meth = { EVP_PKEY_CMAC, EVP_PKEY_CMAC, 0, "CMAC", "OpenSSL CMAC method", 0,0,0,0, 0,0,0, cmac_size, 0, 0,0,0,0,0,0,0, cmac_key_free, 0, 0,0 }; ok matthew@ deraadt@
* import OpenSSL-1.0.1cdjm2012-10-131-1/+4
|
* import OpenSSL 1.0.0edjm2011-11-031-0/+8
|
* import OpenSSL-1.0.0adjm2010-10-011-30/+24
|
* import of OpenSSL 0.9.8hdjm2008-09-061-0/+478
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-26 05:43:57 +0000