#
e1e93f7a |
| 23-Aug-2022 |
FdaSilvaYY |
nit: fix some pointer comparisons Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19059)
|
#
1567a821 |
| 23-Aug-2022 |
FdaSilvaYY |
crypto: Fix various typos, repeated words, align some spelling to LDP. partially revamped from #16712 - fall thru -> fall through - time stamp -> timestamp - file name -> filename
crypto: Fix various typos, repeated words, align some spelling to LDP. partially revamped from #16712 - fall thru -> fall through - time stamp -> timestamp - file name -> filename - host name -> hostname Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19059)
show more ...
|
#
e077455e |
| 29-Sep-2022 |
Richard Levitte |
Stop raising ERR_R_MALLOC_FAILURE in most places Since OPENSSL_malloc() and friends report ERR_R_MALLOC_FAILURE, and at least handle the file name and line number they are called from,
Stop raising ERR_R_MALLOC_FAILURE in most places Since OPENSSL_malloc() and friends report ERR_R_MALLOC_FAILURE, and at least handle the file name and line number they are called from, there's no need to report ERR_R_MALLOC_FAILURE where they are called directly, or when SSLfatal() and RLAYERfatal() is used, the reason `ERR_R_MALLOC_FAILURE` is changed to `ERR_R_CRYPTO_LIB`. There were a number of places where `ERR_R_MALLOC_FAILURE` was reported even though it was a function from a different sub-system that was called. Those places are changed to report ERR_R_{lib}_LIB, where {lib} is the name of that sub-system. Some of them are tricky to get right, as we have a lot of functions that belong in the ASN1 sub-system, and all the `sk_` calls or from the CRYPTO sub-system. Some extra adaptation was necessary where there were custom OPENSSL_malloc() wrappers, and some bugs are fixed alongside these changes. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19301)
show more ...
|
#
1287dabd |
| 26-Oct-2021 |
x2018 |
fix some code with obvious wrong coding style Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org
fix some code with obvious wrong coding style Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16918)
show more ...
|
#
5cbd2ea3 |
| 28-May-2021 |
Pauli |
add zero strenght arguments to BN and RAND RNG calls Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15513)
|
Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16, openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13 |
|
#
8020d79b |
| 11-Mar-2021 |
Matt Caswell |
Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14512)
|
Revision tags: openssl-3.0.0-alpha12 |
|
#
32ab57cb |
| 18-Feb-2021 |
Shane Lontis |
Fix external symbols related to ec & sm2 keys Partial fix for #12964 This adds ossl_ names for the following symbols: ec_*, ecx_*, ecdh_*, ecdsa_*, sm2_* Reviewed-
Fix external symbols related to ec & sm2 keys Partial fix for #12964 This adds ossl_ names for the following symbols: ec_*, ecx_*, ecdh_*, ecdsa_*, sm2_* Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14231)
show more ...
|
Revision tags: OpenSSL_1_1_1j, openssl-3.0.0-alpha11, openssl-3.0.0-alpha10, OpenSSL_1_1_1i, openssl-3.0.0-alpha9, openssl-3.0.0-alpha8 |
|
#
9311d0c4 |
| 04-Nov-2020 |
Richard Levitte |
Convert all {NAME}err() in crypto/ to their corresponding ERR_raise() call This includes error reporting for libcrypto sub-libraries in surprising places. This was done using ut
Convert all {NAME}err() in crypto/ to their corresponding ERR_raise() call This includes error reporting for libcrypto sub-libraries in surprising places. This was done using util/err-to-raise Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13318)
show more ...
|
Revision tags: openssl-3.0.0-alpha7, OpenSSL_1_1_1h, openssl-3.0.0-alpha6, openssl-3.0.0-alpha5, openssl-3.0.0-alpha4, openssl-3.0.0-alpha3, openssl-3.0.0-alpha2, openssl-3.0.0-alpha1 |
|
#
33388b44 |
| 23-Apr-2020 |
Matt Caswell |
Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11616)
|
Revision tags: OpenSSL_1_1_1g |
|
#
07caec83 |
| 12-Apr-2020 |
Billy Brumley |
[crypto/ec] deprecate Jprojective_coordinates_GFp functions Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.co
[crypto/ec] deprecate Jprojective_coordinates_GFp functions Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11527)
show more ...
|
#
c61ced5e |
| 01-Apr-2020 |
Billy Brumley |
[crypto/ec] blind coordinates in ec_wNAF_mul for robustness Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Nicola Tuveri <nicola.tuveri@ibm.com> (Merged from ht
[crypto/ec] blind coordinates in ec_wNAF_mul for robustness Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Nicola Tuveri <nicola.tuveri@ibm.com> (Merged from https://github.com/openssl/openssl/pull/11439)
show more ...
|
Revision tags: OpenSSL_1_1_1f |
|
#
a4a93bbf |
| 28-Mar-2020 |
Billy Brumley |
[crypto/ec] Ladder tweaks - Convert to affine coords on ladder entry. This lets us use more efficient ladder step formulae. - Convert to affine coords on ladder exit. This pre
[crypto/ec] Ladder tweaks - Convert to affine coords on ladder entry. This lets us use more efficient ladder step formulae. - Convert to affine coords on ladder exit. This prevents the current code awkwardness where conversion happens twice during serialization: first to fetch the buffer size, then again to fetch the coords. - Instead of projectively blinding the input point, blind both accumulators independently. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/11435)
show more ...
|
Revision tags: OpenSSL_1_1_1e |
|
#
579422c8 |
| 28-Jan-2020 |
Pauli |
Deprecate the ECDSA and EV_KEY_METHOD functions. Use of the low level ECDSA and EC_KEY_METHOD functions has been informally discouraged for a long time. We now formally deprecate them.
Deprecate the ECDSA and EV_KEY_METHOD functions. Use of the low level ECDSA and EC_KEY_METHOD functions has been informally discouraged for a long time. We now formally deprecate them. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10960)
show more ...
|
Revision tags: OpenSSL_1_0_2u |
|
#
706457b7 |
| 27-Sep-2019 |
Dr. Matthias St. Pierre |
Reorganize local header files Apart from public and internal header files, there is a third type called local header files, which are located next to source files in the source direc
Reorganize local header files Apart from public and internal header files, there is a third type called local header files, which are located next to source files in the source directory. Currently, they have different suffixes like '*_lcl.h', '*_local.h', or '*_int.h' This commit changes the different suffixes to '*_local.h' uniformly. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9333)
show more ...
|
Revision tags: OpenSSL_1_0_2t, OpenSSL_1_1_0l, OpenSSL_1_1_1d |
|
#
9bf682f6 |
| 11-Jul-2019 |
Patrick Steuer |
Enable curve-spefific ECDSA implementations via EC_METHOD which are already enabled for ECDH. Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Richard
Enable curve-spefific ECDSA implementations via EC_METHOD which are already enabled for ECDH. Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9348)
show more ...
|
#
a9612d6c |
| 03-Jul-2019 |
Matt Caswell |
Make the EC code available from inside the FIPS provider Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/9380)
|
Revision tags: OpenSSL_1_1_1c, OpenSSL_1_1_0k, OpenSSL_1_0_2s |
|
#
ce1415ed |
| 18-Mar-2019 |
Shane Lontis |
Added NULL check to BN_clear() & BN_CTX_end() Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl
Added NULL check to BN_clear() & BN_CTX_end() Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8518)
show more ...
|
Revision tags: OpenSSL_1_0_2r, OpenSSL_1_1_1b |
|
#
e0033efc |
| 02-Feb-2019 |
Billy Brumley |
SCA hardening for mod. field inversion in EC_GROUP This commit adds a dedicated function in `EC_METHOD` to access a modular field inversion implementation suitable for the specifics of t
SCA hardening for mod. field inversion in EC_GROUP This commit adds a dedicated function in `EC_METHOD` to access a modular field inversion implementation suitable for the specifics of the implemented curve, featuring SCA countermeasures. The new pointer is defined as: `int (*field_inv)(const EC_GROUP*, BIGNUM *r, const BIGNUM *a, BN_CTX*)` and computes the multiplicative inverse of `a` in the underlying field, storing the result in `r`. Three implementations are included, each including specific SCA countermeasures: - `ec_GFp_simple_field_inv()`, featuring SCA hardening through blinding. - `ec_GFp_mont_field_inv()`, featuring SCA hardening through Fermat's Little Theorem (FLT) inversion. - `ec_GF2m_simple_field_inv()`, that uses `BN_GF2m_mod_inv()` which already features SCA hardening through blinding. From a security point of view, this also helps addressing a leakage previously affecting conversions from projective to affine coordinates. This commit also adds a new error reason code (i.e., `EC_R_CANNOT_INVERT`) to improve consistency between the three implementations as all of them could fail for the same reason but through different code paths resulting in inconsistent error stack states. Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/8254)
show more ...
|
#
a7f182b7 |
| 06-Dec-2018 |
Richard Levitte |
Following the license change, modify the boilerplates in crypto/ec/ [skip ci] Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7
Following the license change, modify the boilerplates in crypto/ec/ [skip ci] Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7791)
show more ...
|
Revision tags: OpenSSL_1_0_2q, OpenSSL_1_1_0j, OpenSSL_1_1_1a, OpenSSL_1_1_1, OpenSSL_1_1_1-pre9 |
|
#
5d92b853 |
| 17-Aug-2018 |
Nicola Tuveri |
Replace GFp ladder implementation with ladd-2002-it-4 from EFD The EFD database does not state that the "ladd-2002-it-3" algorithm assumes X1 != 0. Consequently the current implement
Replace GFp ladder implementation with ladd-2002-it-4 from EFD The EFD database does not state that the "ladd-2002-it-3" algorithm assumes X1 != 0. Consequently the current implementation, based on it, fails to compute correctly if the affine x coordinate of the scalar multiplication input point is 0. We replace this implementation using the alternative algorithm based on Eq. (9) and (10) from the same paper, which being derived from the additive relation of (6) does not incur in this problem, but costs one extra field multiplication. The EFD entry for this algorithm is at https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-4 and the code to implement it was generated with tooling. Regression tests add one positive test for each named curve that has such a point. The `SharedSecret` was generated independently from the OpenSSL codebase with sage. This bug was originally reported by Dmitry Belyavsky on the openssl-users maling list: https://mta.openssl.org/pipermail/openssl-users/2018-August/008540.html Co-authored-by: Billy Brumley <bbrumley@gmail.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7000)
show more ...
|
Revision tags: OpenSSL_1_0_2p, OpenSSL_1_1_0i |
|
#
9cc570d4 |
| 30-Jul-2018 |
Matt Caswell |
Use the new non-curve type specific EC functions internally Fixes #6646 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6815)
|
#
9d91530d |
| 19-Jul-2018 |
Billy Brumley |
EC GFp ladder This commit leverages the Montgomery ladder scaffold introduced in #6690 (alongside a specialized Lopez-Dahab ladder for binary curves) to provide a specialized differe
EC GFp ladder This commit leverages the Montgomery ladder scaffold introduced in #6690 (alongside a specialized Lopez-Dahab ladder for binary curves) to provide a specialized differential addition-and-double implementation to speedup prime curves, while keeping all the features of `ec_scalar_mul_ladder` against SCA attacks. The arithmetic in ladder_pre, ladder_step and ladder_post is auto generated with tooling, from the following formulae: - `ladder_pre`: Formula 3 for doubling from Izu-Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", as described at https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2 - `ladder_step`: differential addition-and-doubling Eq. (8) and (10) from Izu-Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", as described at https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-3 - `ladder_post`: y-coordinate recovery using Eq. (8) from Brier-Joye "Weierstrass Elliptic Curves and Side-Channel Attacks", modified to work in projective coordinates. Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6772)
show more ...
|
#
37124360 |
| 07-Jul-2018 |
Nicola Tuveri |
EC point multiplication: add `ladder` scaffold for specialized Montgomery ladder implementations PR #6009 and #6070 replaced the default EC point multiplication path for prime and bi
EC point multiplication: add `ladder` scaffold for specialized Montgomery ladder implementations PR #6009 and #6070 replaced the default EC point multiplication path for prime and binary curves with a unified Montgomery ladder implementation with various timing attack defenses (for the common paths when a secret scalar is feed to the point multiplication). The newly introduced default implementation directly used EC_POINT_add/dbl in the main loop. The scaffolding introduced by this commit allows EC_METHODs to define a specialized `ladder_step` function to improve performances by taking advantage of efficient formulas for differential addition-and-doubling and different coordinate systems. - `ladder_pre` is executed before the main loop of the ladder: by default it copies the input point P into S, and doubles it into R. Specialized implementations could, e.g., use this hook to transition to different coordinate systems before copying and doubling; - `ladder_step` is the core of the Montgomery ladder loop: by default it computes `S := R+S; R := 2R;`, but specific implementations could, e.g., implement a more efficient formula for differential addition-and-doubling; - `ladder_post` is executed after the Montgomery ladder loop: by default it's a noop, but specialized implementations could, e.g., use this hook to transition back from the coordinate system used for optimizing the differential addition-and-doubling or recover the y coordinate of the result point. This commit also renames `ec_mul_consttime` to `ec_scalar_mul_ladder`, as it better corresponds to what this function does: nothing can be truly said about the constant-timeness of the overall execution of this function, given that the underlying operations are not necessarily constant-time themselves. What this implementation ensures is that the same fixed sequence of operations is executed for each scalar multiplication (for a given EC_GROUP), with no dependency on the value of the input scalar. Co-authored-by: Sohaib ul Hassan <soh.19.hassan@gmail.com> Co-authored-by: Billy Brumley <bbrumley@gmail.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6690)
show more ...
|
Revision tags: OpenSSL_1_1_1-pre8 |
|
#
f667820c |
| 16-Jun-2018 |
Sohaib ul Hassan |
Implement coordinate blinding for EC_POINT This commit implements coordinate blinding, i.e., it randomizes the representative of an elliptic curve point in its equivalence class, for
Implement coordinate blinding for EC_POINT This commit implements coordinate blinding, i.e., it randomizes the representative of an elliptic curve point in its equivalence class, for prime curves implemented through EC_GFp_simple_method, EC_GFp_mont_method, and EC_GFp_nist_method. This commit is derived from the patch https://marc.info/?l=openssl-dev&m=131194808413635 by Billy Brumley. Coordinate blinding is a generally useful side-channel countermeasure and is (mostly) free. The function itself takes a few field multiplicationss, but is usually only necessary at the beginning of a scalar multiplication (as implemented in the patch). When used this way, it makes the values that variables take (i.e., field elements in an algorithm state) unpredictable. For instance, this mitigates chosen EC point side-channel attacks for settings such as ECDH and EC private key decryption, for the aforementioned curves. For EC_METHODs using different coordinate representations this commit does nothing, but the corresponding coordinate blinding function can be easily added in the future to extend these changes to such curves. Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com> Co-authored-by: Billy Brumley <bbrumley@gmail.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6501)
show more ...
|
Revision tags: OpenSSL_1_1_1-pre7 |
|
#
83cf7abf |
| 29-May-2018 |
Matt Caswell |
Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6371)
|