summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/ecdsa (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Move EC_KEY_{insert,set}_key_method_data() to internal-onlytb2023-04-251-2/+4
|
* Bring includes into canonical ordertb2023-04-181-2/+3
| | | | Requested by jsing
* Move some includes out of OPENSSL_NO_DEPRECATEDtb2023-04-181-3/+1
| | | | | | | | | | | | | Some headers were included conditionally on OPENSSL_NO_DEPRECATED in hopes that eventually the mess of everything includes everything will magically resolve itself. Of course everyone would end up building openssl with OPENSSL_NO_DEPRECATED over time... Right. Surprisingly, the ecosystem has come to rely on these implicit inclusions, so about two dozen ports would fail to build because of this. Patching this would be easy but really not worth the effort. ok jsing
* Remove files that definitely contain no code anymoretb2023-04-132-148/+0
| | | | (experts disagree whether they ever did)
* Fold ECDSA sign and verify mess into ecs_ossl.ctb2023-04-133-63/+68
| | | | discussed with jsing
* i2d_ECDSA_SIG() may return a negative value in case of error. Handlebluhm2023-03-301-5/+14
| | | | | this in ossl_ecdsa_sign() and propagate the return code. OK jsing@ tb@
* Replace the remaining BN_copy() with bn_copy()tb2023-03-271-3/+3
| | | | ok jsing
* Convert BN_copy() with explicit comparison against NULL to bn_copy()tb2023-03-271-2/+2
| | | | ok jsing
* BN_free() is defined in <openssl/bn.h>tb2023-03-251-3/+5
| | | | | | This is currently pulled in via dsa.h and ecdsa.h, but only when OPENSSL_NO_DEPRECATED is not defined. We should fix this in the public header, too - let's wait a bit with that.
* Call BN_free() instead of BN_clear_free().jsing2023-03-073-17/+17
| | | | | | | BN_clear_free() is a wrapper that calls BN_free() - call BN_free() directly instead. ok tb@
* Enforce a lower bound of of EC group order so 80 bits for ECDSAtb2023-03-041-2/+7
| | | | | | | | This makes sure that the elliptic curve is not completely stupid. This is conservative enough: the smallest named groups that we support have an order of 112 bits. ok beck jsing
* Cap the number of iterations in ECDSA signingtb2023-03-041-1/+15
| | | | | | | | | | | | ECDSA is essentially the same thing as DSA, except that it is slightly less stupid. Signing specifies an infinite loop, which is only possible with arbitrary ECDSA domain parameters. Fortunately, most use of ECDSA in the wild is based on well-known groups, so it is known a priori that the loop is not infinite. Still, infinite loops are bad. A retry is unlikely, 32 retries have a probability of ~2^-8000. So it's pretty safe to error out. ok beck jsing
* spelling fixes; from paul tagliamontejmc2022-12-261-3/+3
| | | | | | | i removed the arithmetics -> arithmetic changes, as i felt they were not clearly correct ok tb
* Make header guards of internal headers consistenttb2022-11-261-4/+4
| | | | | Not all of them, only those that didn't leak into a public header... Yes.
* Make internal header file names consistenttb2022-11-266-16/+16
| | | | | | | | | | | | | | | | Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special. Adjust all .c files in libcrypto, libssl and regress. The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually. discussed with jsing, no objection bcook
* Stop using CBIGNUM_it internal to libcrypto.jsing2022-09-031-3/+3
| | | | | | | | | CBIGNUM_it is supposed to be the "clear bignum" or "secure" bignum - that is one which zeros its memory after use and ensures that the constant time flags are set... in LibreSSL we always do both of these things for BIGNUMs, so just use BIGNUM_it instead. ok tb@
* Rework DSA_size() and ECDSA_size()tb2022-08-311-25/+22
| | | | | | | | | | | | | | | | | | | DSA_size() and ECDSA_size() have a very special hack. They fudge up an ASN1_INTEGER with a size which is typically > 100 bytes, backed by a buffer of size 4. This was "fine", however, since they set buf[0] = 0xff, where the craziness that was i2c_ASN1_INTEGER() only looks at the first octet (one may then ask why a buffer of size 4 was necessary...). This changed with the rewrite of i2c_ASN1_INTEGER(), which doesn't respect this particular hack and rightly assumes that it is fed an actual ASN1_INTEGER... Instead, create an appropriate signature and use i2d to determine its size. Fixes an out-of-bounds read flagged by ASAN and oss-fuzz. ok jsing
* Remove mkerr.pl remnants from LibreSSLkn2022-07-122-13/+2
| | | | | | | This script is not used at all and files are edited by hand instead. Thus remove misleading comments incl. the obsolete script/config. Feedback OK jsing tb
* Replace obj_mac.h with object.htb2022-06-301-3/+3
| | | | Pointed out by and ok jsing
* Avoid infinite loop for custom curves of order 1tb2022-04-071-1/+6
| | | | | | | | | | | | If a private key encoded with EC parameters happens to have order 1 and is used for ECDSA signatures, this causes an infinite loop since a random integer x in the interval [0,1) will be 0, so do ... while (x == 0); will loop indefinitely. Found and reported with a reproducer by Hanno Boeck. Helpful comments and analysis from David Benjamin. ok beck jsing
* sort includes as usualtb2022-01-271-2/+2
|
* Do not depend on engine.h pulling in err.h and evp.htb2022-01-272-6/+10
|
* Fix check for BN_mod_inverse_ct return valueinoguchi2022-01-201-3/+3
| | | | ok jsing@ millert@ tb@
* Move ECDSA_SIG to ecs_locl.htb2022-01-142-11/+7
| | | | | | We can't make ECDSA_METHOD opaque since it is still used in smtpd(8) ok inoguchi jsing
* Unifdef LIBRESSL_OPAQUE_* and LIBRESSL_NEXT_APItb2022-01-141-3/+1
| | | | | This marks the start of major surgery in libcrypto. Do not attempt to build the tree for a while (~50 commits).
* Prepare to provide ECDSA_SIG_get0_{r,s}()tb2022-01-052-2/+19
| | | | ok inoguchi jsing
* Add #include "bn_lcl.h" to the files that will soon need it.tb2021-12-042-2/+5
| | | | ok inoguchi jsing
* Simplify code after adding EC_POINT_{s,g}et_affine_coordinates()tb2021-04-201-33/+8
| | | | ok jsing
* Prepare to provide EC_POINT_{g,s}et_affine_coordinatestb2021-04-201-5/+5
| | | | | | Similar to part of OpenSSL commit 8e3cced75fb5fee5da59ebef9605d403a999391b ok jsing
* Readability tweak in a comment.tb2019-06-041-2/+2
|
* Remove the blinding later to avoid leaking information on the lengthtb2019-06-041-3/+3
| | | | | | | | of ckinv. Pointed out and fix suggested by David Schrammel and Samuel Weiser ok jsing
* Partial port of EC_KEY_METHOD from OpenSSL 1.1.tb2019-01-191-3/+3
| | | | | | | Pass const method to EC_KEY_METHOD_get_*() to get rid of an XXX. from markus
* Partial port of EC_KEY_METHOD from OpenSSL 1.1.tb2019-01-193-30/+64
| | | | | | This commit adds missing API for ECDH/ECDSA_verify. from markus
* Partial port of EC_KEY_METHOD from OpenSSL 1.1.tb2019-01-194-25/+84
| | | | | | | This commit adds init/free, support for signing, setting and getting the method, engine support as well as extra data. from markus
* Factor out a bit of ugly code that truncates the digest to the order_bitstb2018-07-101-32/+32
| | | | | | | | leftmost bits of a longer digest, according to FIPS 183-6, 6.4. Eliminate a microoptimization that only converts the relevant part of the digest to a bignum. ok beck, jsing
* Tiny tweak to the blinding comment.tb2018-06-161-2/+4
|
* Basic cleanup. Handle the possibly NULL ctx_in in ecdsa_sign_setup() withtb2018-06-151-67/+62
| | | | | | | | | | | | the usual idiom. All the allocations are now handled inside conditionals as is usually done in this part of the tree. Turn a few comments into actual sentences and remove a few self-evident ones. Change outdated or cryptic comments into more helpful annotations. In ecdsa_do_verify(), start calculating only after properly truncating the message digest. More consistent variable names: prefer 'order_bits' and 'point' over 'i' and 'tmp_point'. ok jsing
* Clean up some whitespace and polish a few comments. Reduces noise intb2018-06-151-24/+21
| | | | an upcoming diff.
* Use a blinding value when generating an ECDSA signature, in order totb2018-06-141-14/+65
| | | | | | | | reduce the possibility of a side-channel attack leaking the private key. Suggested by Keegan Ryan at NCC Group. With input from and ok jsing
* Avoid a timing side-channel leak when generating DSA and ECDSA signatures.jsing2018-06-131-2/+2
| | | | | | | | | This is caused by an attempt to do fast modular arithmetic, which introduces branches that leak information regarding secret values. Issue identified and reported by Keegan Ryan of NCC Group. ok beck@ tb@
* Fix a small timing side channel in ecdsa_sign_setup(). Up to whitespacetb2018-04-281-8/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | this is OpennSSL commit 4a089bbdf11f9e231cc68f42bba934c954d81a49. ok beck, jsing Original commit message: commit 4a089bbdf11f9e231cc68f42bba934c954d81a49 Author: Pauli <paul.dale@oracle.com> Date: Wed Nov 1 06:58:39 2017 +1000 Address a timing side channel whereby it is possible to determine some information about the length of the scalar used in ECDSA operations from a large number (2^32) of signatures. This doesn't rate as a CVE because: * For the non-constant time code, there are easier ways to extract more information. * For the constant time code, it requires a significant number of signatures to leak a small amount of information. Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for reporting this issue. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4576)]
* make ENGINE_finish() succeed on NULL and simplify callers as intb2018-04-141-8/+5
| | | | | | | | | | | OpenSSL commit 7c96dbcdab9 by Rich Salz. This cleans up the caller side quite a bit and reduces the number of lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net shows that almost nothing checks the return value of ENGINE_finish(). While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'. ok jsing, tested by & ok inoguchi
* Provide ECDSA_SIG_{g,s}et0().tb2018-03-172-2/+38
| | | | ok jsing
* use freezero() instead of memset/explicit_bzero + free. Substantiallyderaadt2017-05-022-9/+4
| | | | | | | | | | reduces conditional logic (-218, +82). MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH cache alignment calculation bn/bn_exp.c wasn'tt quite right. Two other tricky bits with ASN1_STRING_FLAG_NDEF and BN_FLG_STATIC_DATA where the condition cannot be collapsed completely. Passes regress. ok beck
* Send the function codes from the error functions to the bit bucket,beck2017-01-293-56/+44
| | | | | | as was done earlier in libssl. Thanks inoguchi@ for noticing libssl had more reacharounds into this. ok jsing@ inoguchi@
* Add ct and nonct versions of BN_mod_inverse for internal usebeck2017-01-211-4/+6
| | | | ok jsing@
* Avoid a side-channel cache-timing attack that can leak the ECDSA privatejsing2017-01-051-1/+3
| | | | | | | | | keys when signing. This is due to BN_mod_inverse() being used without the constant time flag being set. This issue was reported by Cesar Pereida Garcia and Billy Brumley (Tampere University of Technology). The fix was developed by Cesar Pereida Garcia.
* Explicitly export a list of symbols from libcrypto.jsing2016-12-211-7/+3
| | | | | | | | | | | | | | | | Move the "internal" BN functions from bn.h to bn_lcl.h and stop exporting the bn_* symbols. These are documented as only being intended for internal use, so why they were placed in a public header is beyond me... This hides 363 previously exported symbols, most of which exist in headers that are not installed and were never intended to be public. This also removes a few crusty old things that should have died long ago (like _ossl_old_des_read_pw). But don't worry... there are still 3451 symbols exported from the library. With input and testing from inoguchi@. ok beck@ inoguchi@
* Remove pointless externs - the structs are declared in the same files ajsing2015-10-161-2/+1
| | | | few lines above.
* Expand DECLARE_ASN1_ALLOC_FUNCTIONS and DECLARE_ASN1_FUNCTIONS_constjsing2015-10-161-2/+6
| | | | macros. The only change in the generated assembly is due to line numbering.
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-05-05 05:38:46 +0000