summaryrefslogtreecommitdiff
path: root/src/lib (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* ECDSA signing: annotate code with steps corresponding to FIPS 185-6.tb2023-07-041-3/+25
| | | | ok jsing
* Extract private key and group order in s computationtb2023-07-041-19/+18
| | | | | | | This pushes a few variables no longer needed in ossl_ecdsa_sign_sig() into ecdsa_compute_s() separating API logic and pure computation a bit more. ok beck
* Use key for the EC_KEY everywheretb2023-07-041-39/+38
|
* Some more consistency in variable namestb2023-07-041-15/+15
|
* Normalize ECDSA_SIG to be sig everywheretb2023-07-041-11/+11
|
* Normalize on digest and digest_len rather than dgst dlen dgstlen, etc.tb2023-07-041-28/+34
|
* Rework ecdsa_prepare_digest()tb2023-07-041-35/+35
| | | | | | | | Make it take an EC_KEY instead of a group order in preparation for further cleanup. Rename m into e to match the standard better. Also buy some vowels for jsing. ok beck jsing
* Factor the computation of ECDSA s into a functiontb2023-07-041-69/+88
| | | | | | | | ossl_ecdsa_sign_sig() is already complicated enough. The math bit is entirely self contained and does not need to obfuscate control flow and logic. with feedback from and ok jsing
* sign_sig: drop ckinvtb2023-07-031-5/+7
| | | | | | | | The only reason ckinv exists is to be able to avoid a copy. This copy leaks some timing info, that will be mitigated in a subsequent step. It is an unused or at least uncommonly used codepath. ok jsing
* Rework the logic in ECDSA sign_sig()tb2023-07-031-24/+30
| | | | | | | | | | | If the caller supplied both kinv and r, we don't loop but rather throw an undocumented error code that no one uses, which is intended to tell the caller to run ECDSA_sign_setup() and try again. Use a boolean that indicates this situation so that the logic becomes a bit more transparent. ok jsing
* Delete some more references to dead policy code.tobhe2023-07-031-12/+1
| | | | | | Fixes -DNAMESPACE ok tb@
* sign_sig: test on assignmenttb2023-07-031-5/+6
|
* sign_setup: split another check into twotb2023-07-031-2/+6
|
* typotobhe2023-07-031-1/+1
|
* Split range checks for ECDSA r and ECDSA stb2023-07-031-3/+8
| | | | requested by jsing
* Switch a couple of test from ucmp to cmptb2023-07-031-4/+4
| | | | | | | | This is confusing, as both sides involved should be unsigned. The ec code is undecided on whether the group order can be negative. It should never be, so lets see what happen with this slightly stricter check. discussed with jsing
* ossl_ecdsa_verify_sig(): simplify range checkstb2023-07-031-6/+4
| | | | | | | The checks whether r and s lie in the interval [1, order) were a bit uglier than necessary. Clean this up. ok beck jsing
* List variables in a somewhat more sensible ordertb2023-07-031-4/+4
|
* In ossl_ecdsa_verify_sig() use BN_CTX more idiomaticallytb2023-07-031-8/+10
| | | | ok beck jsing
* Split a bunch of unrelated checkstb2023-07-031-3/+10
| | | | ok beck jsing
* Make ossl_ecdsa_verify_sig() single exittb2023-07-031-4/+4
| | | | ok beck jsing
* Switch ossl_ecdsa_verify() to timingsafe_memcmp()tb2023-07-031-2/+2
| | | | Requested by jsing
* Streamline ossl_ecdsa_verify()tb2023-07-031-7/+13
| | | | | | | Make it single exit and use API more idiomatically and some other cosmetics. ok beck jsing
* Explicit parameter printing can also use get0_order()tb2023-07-031-5/+6
| | | | ok beck jsing
* Convert ossl_ec_key_gen() and EC_KEY_check_key()tb2023-07-031-23/+6
| | | | | | These also get the EC_GROUP_get0_order() treatment ok beck jsing
* Convert EC_GROUP_check() to EC_GROUP_get0_order()tb2023-07-031-10/+3
| | | | ok beck jsing
* Inline two copies of EC_GROUP_order_bits()tb2023-07-031-22/+6
| | | | | | | This code is way more complicated than it needs to be. Simplify. ec_bits() was particularly stupid. ok beck jsing
* Switch ECDSA code to using EC_GROUP_get0_order()tb2023-07-031-25/+17
| | | | ok jsing
* Provide internal-only EC_GROUP_get0_order()tb2023-07-032-3/+11
| | | | ok jsing
* Another empty line did not want to go intb2023-07-031-1/+2
|
* Trade a pair of extra braces for a missing empty linetb2023-07-031-3/+3
|
* Simplify allocation checkstb2023-07-021-11/+11
| | | | | | | | | | Instead of attempting to allocate a few times and only then check all the returned pointers for NULL, allocate and check one after the othre. This is easier on the eyes and what we usually do. Prompted by a report by Ilya Shipitsin ok beck
* Clean up dynamic tables in OPENSSL_cleanup()tb2023-07-021-1/+10
| | | | | | | | | This is not currently done in OpenSSL, but it looks more like something that was mised rather than desired behavior. There are some thread safety issues here, but those are rife in this codebase anyway (although I heard claims on some versions of this lib being "fully threadsafe"). no objection jsing
* Disable TLS 1.0 and TLS 1.1 in libsslbeck2023-07-022-12/+4
| | | | | | | | | | | | Their time has long since past, and they should not be used. This change restricts ssl to versions 1.2 and 1.3, and changes the regression tests to understand we no longer speak the legacy protocols. For the moment the magical "golden" byte for byte comparison tests of raw handshake values are disabled util jsing fixes them. ok jsing@ tb@
* Convert some tables to C99 initializerstb2023-07-023-42/+249
| | | | ok & "happy pirate day" beck
* Fix return values of ecx methodstb2023-07-021-5/+5
| | | | | | | | | It is hard to get your return values right if you choose them to be a random subset of {-2, ..., 3}. The item_verify() and the digestverify() methods don't return 0 on error, but -1. Here 0 means "failed to verify", obviously. ok jsing
* Demacro SHA-512.jsing2023-07-021-54/+112
| | | | | | | | | | | | | | | Use static inline functions instead of macros to implement SHA-512. At the same time, make two key changes - firstly, rather than trying to outsmart the compiler and shuffle variables around, write the algorithm the way it is documented and actually swap the variable contents. Secondly, instead of interleaving the message schedule update and the round, do the full message schedule update first, then process the round. Overall, we get safer and more readable code. Additionally, the compiler can generate smaller and faster code (with a gain of 5-10% across a range of architectures). ok beck@ tb@
* Fix typo in previoustb2023-07-021-2/+2
|
* Use asprintf() to avoid repetition in string constantstb2023-07-021-6/+13
| | | | | | ... since ASN1_bn_print() is stupid. ok jsing
* Split ECPKParameters_print()tb2023-07-021-121/+150
| | | | | | | | | This function has two entirely independent parts, so instead of a huge if/else just use two functions. In ecpk_print_explicity parameters() do some additional boring cleanup such as switching to actually using the local BN_CTX and shuffling things into a slightly more sensible order. ok jsing
* Switch sign_sig() and sign_setup() to using BN_CTXtb2023-07-021-47/+73
| | | | | | | | | | | Both these functions use a BN_CTX internally to deal with the EC API that usually requires one. However, they don't actually make use of it. Get the BIGNUMs from the BN_CTX instead, which simplifies the cleanup. Also defer allocation of the ECDSA_SIG to the very end. Instead of using its internal r and s, use two local r and s variables and transfer those to the ECDSA_SIG on success. ok beck jsing
* Revert hunk accidentally committed in r1.39tb2023-07-021-11/+1
|
* Rework handling of the out_kinv and out_r pointerstb2023-07-021-8/+15
| | | | suggested by jsing
* Replace bn_sqr_words() with bn_sqr_add_words().jsing2023-07-021-35/+23
| | | | | | | | | | | | | | In order to implement efficient squaring, we compute the sum of products (omitting the squares), double the sum of products and then finally compute and add in the squares. However, for reasons unknown the final calculation was implemented as two separate steps. Replace bn_sqr_words() with bn_sqr_add_words() such that we do the computation in one step, avoid the need for temporary BN and remove needless overhead. This gives us a performance gain across most architectures (even with the loss of sse2 on i386, for example). ok tb@
* Rename ctx_in into in_ctx, kinvp into out_kinv and rp into out_rtb2023-07-021-12/+13
|
* Rename a few variables from X to xtb2023-07-021-14/+14
|
* Simplify things by switching to bn_rand_interval()tb2023-07-021-22/+19
| | | | | | | | This avoids some silly dances in ECDSA signature generation by replacing them with a single API call. Also garbage collect the now unnecessary range. ok beck jsing
* Unconditionally zero the ECDH keytb2023-07-021-6/+3
| | | | | | | While memset() is quite expensive, we can afford zeroing a few extra bytes to make this code more readable. ok beck jsing
* Remove the ability to do tls 1.0 and 1.1 from libtls.beck2023-07-024-24/+18
| | | | | | | | With this change any requests from configurations to request versions of tls before tls 1.2 will use tls 1.2. This prepares us to deprecate tls 1.0 and tls 1.1 support from libssl. ok tb@
* ECDSA_size(): move order a few lines downtb2023-07-021-2/+2
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-01 21:37:49 +0000