| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
EC_GROUP_check() is quite simple. It doesn't need to use its own file.
|
| |
|
|
|
| |
When determining the minimum of nitems and EC_CURVE_LIST_LENGTH
we need neither an extra variable nor a ternary operator.
|
| |
|
|
|
|
|
| |
Rename struct ec_list_element into struct ec_curve. Accordingly, curve_list
becomes struct ec_curve ec_curve_list[]. Adjust internal API to match.
suggested by jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
EC parameters are very general. While there are some minimal sanity checks,
for the parameters due to DoS risks found in the last decade, the elliptic
curve code is poorly written and a target rich environment for NULL
dereferences, busy loops, expensive computations and whatever other
nastiness you can think of. It is not too hard to come up with parameters
that reach very ugly code. While we have removed for the worst of it (the
"fast" nist code and GF2m come to mind), the code very much resembles the
Augean Stables.
Unfortunately, curve parameters are still in use - even mandatory in some
contexts - for example in machine-readable travel documents signed by ICAO
country signing certification authorities (see ICAO Doc 9303).
To avoid many of these DoS vectors, start enforcing that we know what the
curve parameters are about, namely that they correspond to a builtin curve.
This way we know that the parameters are at least as good as the standards
we implement and checking this is cheap:
Translate curve parameters into the ad hoc representation in the builtin
curve code and check there's a match. That's very cheap since most curves
are distinguished by cofactor and parameter length and we need to use an
actual parameter comparison for at most half a dozen curves, usually only
one or two.
ok jsing
|
| | |
|
| |
|
|
|
|
|
| |
This is the same CPU capabilities code that is now used for amd64. Like
amd64 we now only populate OPENSSL_ia32cap_P with bits used by perlasm.
Discussed with tb@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
This is a CPU capability detection implementation in C, with minimal
inline assembly (for cpuid and xgetbv). This replaces the assembly
mess generated by x86_64cpuid.pl. Rather than populating OPENSSL_ia32cap_P
directly with CPUID output, just set the bits that the remaining
perlasm checks (namely AESNI, AVX, FXSR, INTEL, HT, MMX, PCLMUL, SSE, SSE2
and SSSE3).
ok joshua@ tb@
|
| |
|
|
|
|
|
| |
This used to be a trivial wrapper of the ASN1_add_oid_module() horror.
It's no longer exported, so it can go away. It moves from the terribly
named file conf_mall.c to the equally terribly named file conf_sap.c.
I have no idea what mall and sap are supposed to mean in this context.
|
| |
|
|
| |
Another single-function file goes away.
|
| |
|
|
|
|
| |
The latter was used for EC_GROUP_new_curve_GF2m() and is now pointless.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This becomes a simple wrapper function that currently does three checks:
1. ensure the fieldID is for a prime field
2. check that the purported prime is of reasonable size, extract and
set curve coefficients and point conversion form
3. extract and set generator, order, cofactor and seed.
Sanity checks such as the Hasse bound are dealt with in the EC_GROUP API,
so need not be repeated here. They will become redundant once we enforce
that the parameters represent a builtin curve anyway.
ok jsing
|
| |
|
|
|
|
|
| |
This can be overridden on a per-architecture basis. The default version
calls OPENSSL_cpuid_setup(), which will be eventually replaced/removed.
ok joshua@ tb@
|
| |
|
|
|
|
|
| |
OPENSSL_cpuid_setup() is no longer exported and is now only ever run under
pthread_once().
ok joshua@ tb@
|
| | |
|
| |
|
|
|
|
|
|
| |
These are more ergonomic, result in more readable code, avoid a copy and
we no longer ignore a possible memory allocation error due to API misdesign
and bad code.
ok jsing
|
| |
|
|
|
|
| |
While this is public API in OpenSSL, there are no plans to expose it.
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
SEC 1, section 2.3.5, is explicit that the encoding of an element of the
field of definition for an elliptic curve needs to be a zero-padded octet
string whose length matches the byte size of the field's degree. So use
BN_bn2binpad() to fix this. Factor things into a simple helper to avoid
copy-pasting.
This gets rid of some of the most grotesque code in this file.
ok jsing
|
| |
|
|
|
|
| |
Also remove a pointless cast.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
No idea how anyone would think that tmp_1 and tmp_2 are better suited for
this.
ok jsing
|
| |
|
|
|
|
|
|
| |
This drops some unnecessary freeing that was turned into a double free
reachable via public API in OpenSSL 1.1. Other than that it unindents
code and uses better variable names.
ok jsing
|
| |
|
|
|
|
|
| |
Only check for the OPENSSL_EC_NAMED_CURVE being set to treat the curve
parameters as named curve parameters.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
| |
The callers already ensure that params != NULL.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
Use better variable names and do things in a slightly more sensible order.
This way the code becomes almost self-documenting.
ok jsing
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
err_build_SYS_str_reasons() is only called during initialisation, under
pthread_once(). As such, there is no need to grab CRYPTO_LOCK_ERR or
check for reentrant calls.
ok tb@
|
| |
|
|
| |
ok tb@
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Provide err_load_const_strings(), which takes a const ERR_STRING_DATA *
and does not perform a library error value fixup. Make ERR_str_*[] tables
const.
ok tb@
|
| |
|
|
|
|
|
|
| |
This is currently added via err_load_strings(), which means
ERR_str_functs[] cannot be made const. Adding ERR_LIB_SYS means the fixup
becomes unnecessary.
ok tb@
|
| |
|
|
|
|
|
| |
Its only caller passes NULL, so we can simplify the entry point and the
exit of this function a bit.
ok jsing
|
| |
|
|
|
|
|
| |
The parameters argument is always NULL, so we can simplify this helper
accordingly.
ok jsing
|
| |
|
|
|
|
|
|
| |
priv_key->parameters is always NULL at this point, since its corresponding
entry in the ASN.1 template has ASN1_TFLG_OPTIONAL set, so there is no point
in pretending to pass it to ec_asn1_group2pkparameters().
ok jsing
|
| |
|
|
|
|
|
|
| |
Use better variable names and turn it into single-exit. This changes the
behavior slightly in that an error is pushed onto the stack also for
i2d_ECPKPARAMETERS() return values < 0.
ok jsing
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
|
|
|
|
| |
This was only used by the NIST method. For all other group methods it's
an uninitialized pointer (as EC_GROUP_new() still uses the malloc + set
all members to 0 idiom).
ok jsing
|
| |
|
|
| |
They aren't used outside of this file.
|
| |
|
|
|
|
|
| |
Same issue/leak as for BN_to_ASN1_INTEGER(). Stop reusing the elliptic
curve parameters a and b for order and cofacter. It's confusing.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
You can either let this API reuse an existing ASN1_INTEGER or you can let
it allocate a new one. If you try to do both at the same time, you'll leak.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
The brilliant idea of installing a fragile non-idempotent cleanup atexit
handler as a library has bitten many people over time. This gets particularly
exciting when you can't control who dlopens the lib first (don't we all love
Python bindings) or if you are in a threaded context. Fake OpenSSL clones
chose not to do this but now get to carry a noop flag since people start
opting out of this madness (there's a good old tradition at work here).
ok beck joshua jsing millert miod
|
| | |
|
| |
|
|
|
| |
Reorder functions so that things are somewhat more logical, moving internal
functions towards the top (and removing now unnecessary prototypes).
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Like all good OpenSSL code, errors was built to be completely extensible.
Thankfully, the ERR_{get,set}_implementation() functions were removed in
r1.127 of err.c, which means that the extensibility can no longer be used.
Take the first of many steps to clean up this code - remove err_fns and
associated machinery, calling functions directly. Rename so that we have
an 'err_' prefix rather than 'int_' (or nothing).
ok joshua@ tb@
|
