- Jul 26, 2018
-
-
Billy Brumley authored
This commit leverages the Montgomery ladder scaffold introduced in #6690 (alongside a specialized Lopez-Dahab ladder for binary curves) to provide a specialized differential addition-and-double implementation to speedup prime curves, while keeping all the features of `ec_scalar_mul_ladder` against SCA attacks. The arithmetic in ladder_pre, ladder_step and ladder_post is auto generated with tooling, from the following formulae: - `ladder_pre`: Formula 3 for doubling from Izu-Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", as described at https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2 - `ladder_step`: differential addition-and-doubling Eq. (8) and (10) from Izu-Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", as described at https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-3 - `ladder_post`: y-coordinate recovery using Eq. (8) from Brier-Joye "Weierstrass Elliptic Curves and Side-Channel Attacks", modified to work in projective coordinates. Co-authored-by:
Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by:
Andy Polyakov <appro@openssl.org> Reviewed-by:
Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6772)
-
Andy Polyakov authored
Reviewed-by:
Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6782)
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
New implementation failed to correctly reset r->neg flag. Spotted by OSSFuzz. Reviewed-by:
-
Andy Polyakov authored
Reviewed-by: -
Kurt Roeckx authored
Reviewed-by:Tim Hudson <tjh@openssl.org> GH: #6794
-
Paul Yang authored
Reviewed-by:
Kurt Roeckx <kurt@roeckx.be> Reviewed-by:
-
Kurt Roeckx authored
The old numbers where all generated for an 80 bit security level. But the number should depend on security level you want to reach. For bigger primes we want a higher security level and so need to do more tests. Reviewed-by:
Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by:
Paul Dale <paul.dale@oracle.com> GH: #6075 Fixes: #6012
-
Kurt Roeckx authored
This changes the security level from 100 to 128 bit. We only have 1 define, this sets it to the highest level supported for DSA, and needed for keys larger than 3072 bit. Reviewed-by:
-
- Jul 25, 2018
-
-
Shane Lontis authored
Reviewed-by:
-
Rich Salz authored
Thanks to Jiecheng Wu, Zuxing Gu for the report. Reviewed-by:
-
Andy Polyakov authored
Problem was that Windows threads that were terminating before libcrypto was initialized were referencing uninitialized or possibly even unrelated thread local storage index. Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
|ctx| recently became unconditionally non-NULL and is already dereferenced earlier. Reviewed-by: -
Andy Polyakov authored
Reviewed-by:
-
- Jul 24, 2018
-
-
Richard Levitte authored
This is done by calling die again, just make sure to reset the __DIE__ handler first. Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
David Benjamin authored
A number intended to treat the base as secret should not be branching on whether it is zero. Test-wise, this is covered by existing tests in bnmod.txt. Reviewed-by:
-
Richard Levitte authored
On the same note, change the 'NASM not found' message to give specific advice on how to handle the failure. Fixes #6765 Reviewed-by:
-
neighbads authored
asn1_encode : x, y => 0 | x,0 | y (because of DER encoding rules when x and y have high bit set) CLA: Trivial Reviewed-by:
-
Richard Levitte authored
If there's anything in the |biosk| stack, the first element is always the input BIO. It should never be freed in this function, so we must take careful steps not to do so inadvertently when freeing the stack. Reviewed-by:
-
- Jul 23, 2018
-
-
Andy Polyakov authored
Build jobs keep timing out initializing... Reviewed-by: -
Richard Levitte authored
The result is that we don't have to produce different names on different platforms, and we won't have confusion on Windows depending on if the script was built with mingw or with MSVC. Partial fix for #3254 Reviewed-by:
Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6764)
-
Matt Caswell authored
In some circumstances it is possible for a client to have a session reporting a max early data value that is greater than the server will support. In such cases the client could encounter an aborted connection. Fixes #6735 Reviewed-by:
-
- Jul 22, 2018
-
-
Andy Polyakov authored
ecp_nistz256_set_from_affine is called when application attempts to use custom generator, i.e. rarely. Even though it was wrong, it didn't affect point operations, they were just not as fast as expected. Reviewed-by:
-
Andy Polyakov authored
The ecp_nistz256_scatter_w7 function is called when application attempts to use custom generator, i.e. rarely. Even though non-x86_64 versions were wrong, it didn't affect point operations, they were just not as fast as expected. Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
Richard Levitte authored
Fixes #6755 Reviewed-by:
-
Richard Levitte authored
As per RFC 7292. Fixes #6665 Reviewed-by:
-
- Jul 20, 2018
-
-
Benjamin Kaduk authored
The API used to set what SNI value to send in the ClientHello can also be used on server SSL objects, with undocumented and un-useful behavior. Unfortunately, when generic SSL_METHODs are used, s->server is still set, prior to the start of the handshake, so we cannot prevent this nonsensical usage at the present time. Leave a note to revisit this when ABI-breaking changes are permitted. Reviewed-by:
-
Benjamin Kaduk authored
In particular, adhere to the rule that we must not modify any property of an SSL_SESSION object once it is (or might be) in a session cache. Such modifications are thread-unsafe and have been observed to cause crashes at runtime. To effect this change, standardize on the property that SSL_SESSION->ext.hostname is set only when that SNI value has been negotiated by both parties for use with that session. For session resumption this is trivially the case, so only new handshakes are affected. On the client, the new semantics are that the SSL->ext.hostname is for storing the value configured by the caller, and this value is used when constructing the ClientHello. On the server, SSL->ext.hostname is used to hold the value received from the client. Only if the SNI negotiation is successful will the hostname be stored into the session object; the server can do this after it sends the ServerHello, and the client after it has received and processed the ServerHello. This obviates the need to remove the hostname from the session object in case of failed negotiation (a change that was introduced in commit 9fb6cb81 in order to allow TLS 1.3 early data when SNI was present in the ClientHello but not the session being resumed), which was modifying cached sessions in certain cases. (In TLS 1.3 we always produce a new SSL_SESSION object for new connections, even in the case of resumption, so no TLS 1.3 handshakes were affected.) Reviewed-by:
-
Benjamin Kaduk authored
These tiny functions only read from the input SSL, and we are about to use them from functions that only have a const SSL* available, so propagate const a bit further. Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
