#
e26f653d |
| 13-Jan-2019 |
Anna Henningsen |
Fix compilation with `-DREF_PRINT` CLA: trivial Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from ht
Fix compilation with `-DREF_PRINT` CLA: trivial Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/8016)
show more ...
|
#
a7f182b7 |
| 06-Dec-2018 |
Richard Levitte |
Following the license change, modify the boilerplates in crypto/ec/ [skip ci] Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7
Following the license change, modify the boilerplates in crypto/ec/ [skip ci] Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7791)
show more ...
|
Revision tags: OpenSSL_1_0_2q, OpenSSL_1_1_0j, OpenSSL_1_1_1a, OpenSSL_1_1_1, OpenSSL_1_1_1-pre9, OpenSSL_1_0_2p, OpenSSL_1_1_0i |
|
#
7b953da4 |
| 24-Jul-2018 |
Andy Polyakov |
ec/ecp_nistz256.c: fix Coverity nit. |ctx| recently became unconditionally non-NULL and is already dereferenced earlier. Reviewed-by: Rich Salz <rsalz@openssl.org>
|
#
8fc4aeb9 |
| 18-Jul-2018 |
Andy Polyakov |
ec/ecp_nistz256.c: fix ecp_nistz256_set_from_affine. ecp_nistz256_set_from_affine is called when application attempts to use custom generator, i.e. rarely. Even though it was wrong, it d
ec/ecp_nistz256.c: fix ecp_nistz256_set_from_affine. ecp_nistz256_set_from_affine is called when application attempts to use custom generator, i.e. rarely. Even though it was wrong, it didn't affect point operations, they were just not as fast as expected. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6738)
show more ...
|
#
01ad66f8 |
| 08-Jul-2018 |
Nicola Tuveri |
EC2M Lopez-Dahab ladder: use it also for ECDSA verify By default `ec_scalar_mul_ladder` (which uses the Lopez-Dahab ladder implementation) is used only for (k * Generator) or (k * Variab
EC2M Lopez-Dahab ladder: use it also for ECDSA verify By default `ec_scalar_mul_ladder` (which uses the Lopez-Dahab ladder implementation) is used only for (k * Generator) or (k * VariablePoint). ECDSA verification uses (a * Generator + b * VariablePoint): this commit forces the use of `ec_scalar_mul_ladder` also for the ECDSA verification path, while using the default wNAF implementation for any other case. With this commit `ec_scalar_mul_ladder` loses the static attribute, and is added to ec_lcl.h so EC_METHODs can directly use it. While working on a new custom EC_POINTs_mul implementation, I realized that many checks (e.g. all the points being compatible with the given EC_GROUP, creating a temporary BN_CTX if `ctx == NULL`, check for the corner case `scalar == NULL && num == 0`) were duplicated again and again in every single implementation (and actually some implementations lacked some of the tests). I thought that it makes way more sense for those checks that are independent from the actual implementation and should always be done, to be moved in the EC_POINTs_mul wrapper: so this commit also includes these changes. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6690)
show more ...
|
#
37124360 |
| 07-Jul-2018 |
Nicola Tuveri |
EC point multiplication: add `ladder` scaffold for specialized Montgomery ladder implementations PR #6009 and #6070 replaced the default EC point multiplication path for prime and bi
EC point multiplication: add `ladder` scaffold for specialized Montgomery ladder implementations PR #6009 and #6070 replaced the default EC point multiplication path for prime and binary curves with a unified Montgomery ladder implementation with various timing attack defenses (for the common paths when a secret scalar is feed to the point multiplication). The newly introduced default implementation directly used EC_POINT_add/dbl in the main loop. The scaffolding introduced by this commit allows EC_METHODs to define a specialized `ladder_step` function to improve performances by taking advantage of efficient formulas for differential addition-and-doubling and different coordinate systems. - `ladder_pre` is executed before the main loop of the ladder: by default it copies the input point P into S, and doubles it into R. Specialized implementations could, e.g., use this hook to transition to different coordinate systems before copying and doubling; - `ladder_step` is the core of the Montgomery ladder loop: by default it computes `S := R+S; R := 2R;`, but specific implementations could, e.g., implement a more efficient formula for differential addition-and-doubling; - `ladder_post` is executed after the Montgomery ladder loop: by default it's a noop, but specialized implementations could, e.g., use this hook to transition back from the coordinate system used for optimizing the differential addition-and-doubling or recover the y coordinate of the result point. This commit also renames `ec_mul_consttime` to `ec_scalar_mul_ladder`, as it better corresponds to what this function does: nothing can be truly said about the constant-timeness of the overall execution of this function, given that the underlying operations are not necessarily constant-time themselves. What this implementation ensures is that the same fixed sequence of operations is executed for each scalar multiplication (for a given EC_GROUP), with no dependency on the value of the input scalar. Co-authored-by: Sohaib ul Hassan <soh.19.hassan@gmail.com> Co-authored-by: Billy Brumley <bbrumley@gmail.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6690)
show more ...
|
Revision tags: OpenSSL_1_1_1-pre8, OpenSSL_1_1_1-pre7 |
|
#
792546eb |
| 08-May-2018 |
Billy Brumley |
[crypto/ec] default to FLT or error Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6
[crypto/ec] default to FLT or error Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6116)
show more ...
|
#
f667820c |
| 16-Jun-2018 |
Sohaib ul Hassan |
Implement coordinate blinding for EC_POINT This commit implements coordinate blinding, i.e., it randomizes the representative of an elliptic curve point in its equivalence class, for
Implement coordinate blinding for EC_POINT This commit implements coordinate blinding, i.e., it randomizes the representative of an elliptic curve point in its equivalence class, for prime curves implemented through EC_GFp_simple_method, EC_GFp_mont_method, and EC_GFp_nist_method. This commit is derived from the patch https://marc.info/?l=openssl-dev&m=131194808413635 by Billy Brumley. Coordinate blinding is a generally useful side-channel countermeasure and is (mostly) free. The function itself takes a few field multiplicationss, but is usually only necessary at the beginning of a scalar multiplication (as implemented in the patch). When used this way, it makes the values that variables take (i.e., field elements in an algorithm state) unpredictable. For instance, this mitigates chosen EC point side-channel attacks for settings such as ECDH and EC private key decryption, for the aforementioned curves. For EC_METHODs using different coordinate representations this commit does nothing, but the corresponding coordinate blinding function can be easily added in the future to extend these changes to such curves. Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com> Co-authored-by: Billy Brumley <bbrumley@gmail.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6501)
show more ...
|
#
b14e6015 |
| 21-May-2018 |
Matt Caswell |
Improve compatibility of point and curve checks We check that the curve name associated with the point is the same as that for the curve. Fixes #6302 Reviewed-by: Rich
Improve compatibility of point and curve checks We check that the curve name associated with the point is the same as that for the curve. Fixes #6302 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6323)
show more ...
|
Revision tags: OpenSSL_1_1_1-pre6, OpenSSL_1_1_1-pre5, OpenSSL_1_1_1-pre4, OpenSSL_1_0_2o, OpenSSL_1_1_0h, OpenSSL_1_1_1-pre3, OpenSSL_1_1_1-pre2, OpenSSL_1_1_1-pre1 |
|
#
8e403a79 |
| 09-Jan-2018 |
Todd Short |
Fix --strict-warnings with C90 Found with gcc 4.8.4 Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com
Fix --strict-warnings with C90 Found with gcc 4.8.4 Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5045)
show more ...
|
#
3c7d0945 |
| 09-Jan-2018 |
Richard Levitte |
Update copyright years on all files merged since Jan 1st 2018 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5038)
|
#
10bc3409 |
| 30-Dec-2017 |
Andy Polyakov |
ec/ecp_nistz256.c: switch to faster addition chain in scalar inversion. [and improve formatting] Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/opens
ec/ecp_nistz256.c: switch to faster addition chain in scalar inversion. [and improve formatting] Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5001)
show more ...
|
#
ab4f2026 |
| 30-Dec-2017 |
Andy Polyakov |
ec/asm/ecp_nistz256-armv8.pl: add optimized inversion. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5001)
|
#
eb791696 |
| 30-Dec-2017 |
Andy Polyakov |
ec/ecp_nistz256.c: improve ECDSA sign by 30-40%. This is based on RT#3810, which added dedicated modular inversion. ECDSA verify results improves as well, but not as much. Revie
ec/ecp_nistz256.c: improve ECDSA sign by 30-40%. This is based on RT#3810, which added dedicated modular inversion. ECDSA verify results improves as well, but not as much. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5001)
show more ...
|
Revision tags: OpenSSL_1_0_2n, OpenSSL_1_0_2m, OpenSSL_1_1_0g |
|
#
cd420b0b |
| 21-Aug-2017 |
Pauli |
Move the REF_PRINT support from e_os.h to internal/refcount.h. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://
Move the REF_PRINT support from e_os.h to internal/refcount.h. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4188)
show more ...
|
#
677963e5 |
| 18-Aug-2017 |
Pauli |
e_os.h removal from other headers and source files. Removed e_os.h from all bar three headers (apps/apps.h crypto/bio/bio_lcl.h and ssl/ssl_locl.h). Added e_os.h into the files
e_os.h removal from other headers and source files. Removed e_os.h from all bar three headers (apps/apps.h crypto/bio/bio_lcl.h and ssl/ssl_locl.h). Added e_os.h into the files that need it now. Directly reference internal/nelem.h when required. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4188)
show more ...
|
#
dcf6e50f |
| 15-Jun-2017 |
Rich Salz |
Merge Intel copyright notice into standard This is done with the kind permission of Intel. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/open
Merge Intel copyright notice into standard This is done with the kind permission of Intel. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3813)
show more ...
|
Revision tags: OpenSSL_1_0_2l, OpenSSL_1_1_0f, OpenSSL-fips-2_0_16 |
|
#
f44903a4 |
| 14-Apr-2017 |
Benjamin Kaduk |
Address some -Wold-style-declaration warnings gcc's -Wextra pulls in -Wold-style-declaration, which triggers when a declaration has a storage-class specifier as a non-initial qualifier.
Address some -Wold-style-declaration warnings gcc's -Wextra pulls in -Wold-style-declaration, which triggers when a declaration has a storage-class specifier as a non-initial qualifier. The ISO C formal grammar requires the storage-class to be the first component of the declaration, if present. Seeint as the register storage-class specifier does not really have any effect anymore with modern compilers, remove it entirely while we're here, instead of fixing up the order. Interestingly, the gcc devteam warnings do not pull in -Wextra, though the clang ones do. [extended tests] Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3239)
show more ...
|
Revision tags: OpenSSL_1_1_0e, OpenSSL_1_0_2k, OpenSSL_1_1_0d, OpenSSL-fips-2_0_15, OpenSSL-fips-2_0_14, OpenSSL_1_1_0c, OpenSSL_1_0_2j, OpenSSL_1_1_0b, OpenSSL_1_0_1u, OpenSSL_1_0_2i, OpenSSL_1_1_0a |
|
#
2f545ae4 |
| 27-Aug-2016 |
Kurt Roeckx |
Add support for reference counting using C11 atomics Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> GH: #1500
|
#
f3b3d7f0 |
| 30-Aug-2016 |
Rich Salz |
Add -Wswitch-enum Change code so when switching on an enumeration, have case's for all enumeration values. Reviewed-by: Andy Polyakov <appro@openssl.org>
|
Revision tags: OpenSSL_1_1_0 |
|
#
e3057a57 |
| 19-Aug-2016 |
Andy Polyakov |
ec/ecp_nistz256: harmonize is_infinity with ec_GFp_simple_is_at_infinity. RT#4625 Reviewed-by: Rich Salz <rsalz@openssl.org>
|
#
b62b2454 |
| 20-Aug-2016 |
Andy Polyakov |
ec/asm/ecp_nistz256-x86_64.pl: addition to perform stricter reduction. Addition was not preserving inputs' property of being fully reduced. Thanks to Brian Smith for reporting this.
ec/asm/ecp_nistz256-x86_64.pl: addition to perform stricter reduction. Addition was not preserving inputs' property of being fully reduced. Thanks to Brian Smith for reporting this. Reviewed-by: Rich Salz <rsalz@openssl.org>
show more ...
|
#
2e929e53 |
| 18-Aug-2016 |
Andy Polyakov |
ecp_nistz256.c: get is_one on 32-bit platforms right. Thanks to Brian Smith for reporting this. Reviewed-by: Rich Salz <rsalz@openssl.org>
|
Revision tags: OpenSSL_1_1_0-pre6, OpenSSL-fips-2_0_13 |
|
#
aa6bb135 |
| 17-May-2016 |
Rich Salz |
Copyright consolidation 05/10 Reviewed-by: Richard Levitte <levitte@openssl.org>
|
#
dccd20d1 |
| 03-May-2016 |
FdaSilvaYY |
fix tab-space mixed indentation No code change Reviewed-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
|