spotted by jsing
These functions are no longer shared between multiple files, so they can
be static in ecp_methods.c and the long list of prototypes can go away.
While not the greatest of names, ecp_methods.c is better than ecp_smpl.c.
It matches the naming ecx_methods.c and in a subsequent commit it will
become the new home of the stuff in ecp_mont.c as well.
discussed with jsing
It is impossible to use EVP_DigestInit_ex(3) for CMAC.
Besides, EVP_PKEY_CTX_new_id(3) does not produce an EVP_MD_CTX object.
Instead, mention the easiest way to actually get the job done
using EVP_PKEY_new_CMAC_key(3) and EVP_DigestSignInit(3).
OK tb@
This is relevant because EVP_EncryptInit(3) takes a "key" argument,
and users need to consider the size of that argument.
While here, also mention whether ciphers are stream ciphers
or block ciphers and what the block size is.
function EVP_MD_CTX_init(3) and talk about EVP_MD_CTX_new(3) instead.
This is similar in spirit to OpenSSL commit 25191fff (Dec 1, 2015),
but I'm also mentioning EVP_MD_CTX_reset(3), slightly reordering some
sentences in a more systematic way, and improving some related wordings
to be more precise and read better.
This calls init() with the default method, so EC_KEY_copy() gets a chance
to call finish() if the source's method doesn't match. But no init() call
is made in EC_KEY_copy(). Of course the source method's copy() needs to be
able to cope. The great news is that ssh uses this. Sigh.
ok beck jsing
This is a special snowflake. Its logic is such that it only overwrites
things on the target that are available in the source. So if the source
has no group (yes, that's possible), the destination's group will remain.
Even better: if you copy a public key over what was previously a private
key, the private scalar will remain. That's almost never going to result
in a valid key. If you copy from a larger group to a smaller group the
private scalar will most likely be out of range [1, order).
Use dup functions instead of reimplementing badly and add a snarky comment
courtesy of beck to one of those silly const annotations (there's a small
addendum by me).
ok beck jsing
r is a silly name for an EC_KEY and it is silly to assign the refcount
to a variable i (short for uninspired) when you can check the function
return directly. Tweak sizeof in freezero to jsing's liking.
ok beck jsing
Use a better variable name, simpler error handling. This could be
simplified further if we decide to have an ec_key_set0_group() that
avoids a copy.
ok beck jsing
mentioned in NAME and described in DESCRIPTION and RETURN VALUES.
Replace the perlasm generated SHA-256 assembly implementation with one that
is actually readable. Call the assembly implementation from a C wrapper
that can, in the future, dispatch to alternate implementations. Performance
is similar (or even better) on modern CPUs, while somewhat slower on older
CPUs (this is in part due to the wrapper, the impact of which is more
noticeable with small block sizes).
Thanks to gkoehler@ and tb@ for testing.
ok tb@
Rewrite bn2binpad, removing some OpenSSL specific behaviour and unnecessary
complexity. Our BN_num_bytes() does not return bogus lengths, so we don't
need to see if things work out with nominated outputs. Swipe away some
endianness_t, but continue to ignore negatives and don't dare give away
padded zeroes.
Implement a more readable constant time conversion. In particular, the
little endian is the less common use case, which we can implement by
reversing the padded output in place, rather than complicating all of the
conversion code.
ok beck@ tb@
These will be used in an upcoming change.
ok beck@ tb@
jsing rightly points out that this has nothing to do with ASN.1, but
ec_lib.c has no EC_KEY knowledge otherwise (it's about groups and points)
and moving it to ec_key.c is also not satisfactory since the weird
d2i/i2d for ECParameters don't belong there either.
no objection from jsing
Replace the aarch64 CPU detection code with a version that parses ISAR0,
avoiding signal handling and SIGILL. This gets ISAR0 via sysctl(), but this
can be adapted to other mechanisms for other platforms (or alternatively
the same can be achieved via HWCAP).
This now follows the same naming/design as used by amd64 and i386, hence
define HAVE_CRYPTO_CPU_CAPS_INIT for aarch64.
ok kettenis@ tb@
CID 514612
the important manual page EVP_EncryptInit(3). Belatedly adjust some
cross references.
requested by jsing
This was about as unreadable as four lines of code doing a trivial thing
can get...
ok jsing
Switch from artistic free reinterpretations of public API in the same file
to calling the real thing if possible.
This means that we need to copy the group's coefficients first instead of
last, so that we can call EC_GROUP_set_generator() to set - yes - all three
of generator, order, and cofactor of the group.
However, we may not have a generator yet since for some reason it is an
optional field and some code relies on that. In that case simply copy over
order and cofactor and punt on sanity checking for now (since this API
never did that anyway).
Finally set the seed using EC_GROUP_set_seed() instead of using a custom
reimplementation.
ok jsing
Use a single cleanup path, use calloc rather than setting several members
to 0/NULL. This has the side effect that finished can be called even when
init() wasn't called, but this isn't an issue with our EC_GROUP_METHODs.
ok jsing
Apparently it's important that five trivial one-line wrappers remain in a
file with the ISC license. So instead of cleaning the root directory of our
favorite pigsty further by squashing all the useless legacy garbage into a
single file, rename the oddly-named malloc-wrapper.c into crypto_memory.c.
discussed with beck, jsing
It is a bit sad, because cpt is such an apt abbreviation for crypto that
everybody immediately understands.
discussed with jsing
discussed with jsing
discussed with jsing
The correct spelling is explicit_bzero() and it doesn't need its own file.
discussed with jsing
discussed with jsing
discussed with jsing
discussed with jsing
This may have been different at some point in the past, but it may also
have been a confusion with EC_POINT_is_on_curve() which, like any great
API with a name implying a boolean return, actually has three possible
return values.
ok jsing
It is gross that an internal detail leaked into a public header, but,
hey, it's openssl. No hack is too terrible to appear in this library.
opensslconf.h needs major pruning but the day that happens is not today.
ok jsing
Like most of the code in this file that hasn't been overhauled, these are
just terrible. As jsing points out, we will need to ensure that finish()
works on a not fully initialized point. That's currently safe.
ok jsing
So... zap the now redundant check. Should have been committed along with
ec_lib.c -r1.77
Since we only consider standard affine coordinates, the point at infinity
must be excluded. Check at the API boundary that the point isn't the point
at infinity rather than hiding this check somewhere in a method.
ok jsing