path: root/ecdsa.c
Age         Author
            Commit message

2017-03-04  Rob Austein
            Don't use assert() for point-on-curve checks.

            The stock assert() implementation turns out to be problematic in the stm32 environment, due to the lack of an output device, which makes "assert(foo)" equivalent to "if (!foo) abort()", leading to silent hangs. We probably ought to reimplement assert() to do something more useful, but, for now, avoid using it for "impossible" conditions which we do seem to be triggering anyway, like the occasional point-not-on-curve errors we get for points we ourselves have picked when testing multiple ECDSA clients in parallel. This should never happen, and we need to figure out what's causing it, but hanging the HSM when it happens does not help very much. assert() is somewhat problematic in an embedded environment in any case, since anything that can go wrong really should have some kind of recovery action, but in some of the low-probability cases it's far from obvious what sane recovery action we could possibly take.

2017-03-01  Rob Austein
            Compute public key if necessary when loading a private key.

            libhal and PKCS #11 have slightly different models of private keys: in libhal, a "private key" object is really a keypair, while in PKCS #11 a private key really is a naked private key. This was a deliberate design decision in libhal, both for simplicity and to better support user interfaces other than PKCS #11, so we'd rather not change it. This difference doesn't matter very much for RSA keys in PKCS #11, where the private key components are a superset of the public key components anyway, but the PKCS #11 template for ECDSA private keys doesn't allow setting public key components with C_CreateObject(). Fortunately, computing the public components of an ECDSA key pair from the private key is straightforward, so we just do that when needed.

2016-09-20  Paul Selkirk
            Clean up the defines around rpc client, software hash cores, etc.

2016-03-29  Paul Selkirk
            Client-side rsa and ecdsa need to call remote get_random.

2016-03-12  Rob Austein
            Merge branch 'master' into rpc

2016-03-12  Rob Austein
            Disable ECDSA static-test-vectors hack, fix call to hal_get_random() which was using the old (pre-hal_core_t) calling sequence.

2015-12-22  Rob Austein
            Add ASN.1 support for public keys (X.509 SubjectPublicKeyInfo format).

2015-12-21  Rob Austein
            Fix names of private key DER functions.

2015-12-20  Rob Austein
            Consolidating curve names broke the ASN.1 code.

2015-12-20  Rob Austein
            Drop support for the ASN.1-based ECDSA signature format in favor of the simpler format which PKCS #11 uses, since we have to support the latter in any case and it's not worth the complexity of supporting both.

2015-12-20  Rob Austein
            RPC server stuff mostly written. Compiles, not yet tested. RPC public key extraction functions on hold pending ASN.1 cleanup.

2015-12-13  Paul Selkirk
            whack copyrights

2015-11-13  Paul Selkirk
            Merge branch 'config_core_selector'

2015-10-29  Paul Selkirk
            Remove unused includes.

2015-10-04  Rob Austein
            Whack libhal API to use current configure_core_selector mechanism. Compiles, not yet tested.
2015-10-03  Rob Austein
            Use initializers for automatic variables of type fp_int because it's a bit more obvious when we've forgotten to do this than when we've forgotten to call fp_init() or memset(). Convert rsa.c to use the one-element-array idiom so we can stop prefixing every bignum reference with "&".
2015-10-02  Rob Austein
            Impressive how much trouble one can get into with one uninitialized bignum.

2015-10-02  Rob Austein
            Testing shows that signature and verification are both faster with mixed Jacobian-affine addition, so go with that. Minor additional clean-up and comments.

2015-10-02  Rob Austein
            Revise point addition and point scalar multiplication routines to use mixed Jacobian-affine coordinates, per a suggestion from Pavel. Old code still present under compile time conditional for easy comparison, but will probably go away soon along with a bit of minor cleanup.

2015-09-14  Rob Austein
            Fencepost error in hal_ecdas_key_from_ecpoint().

2015-09-11  Rob Austein
            Avoid gratuitous assertion failure if caller gives us a larger buffer than necessary when writing private key to DER.

2015-09-06  Rob Austein
            Add ECPoint I/O functions. ASN.1 cleanup.

2015-09-02  Rob Austein
            Add PKCS11 ECDSA signature format.

2015-09-02  Rob Austein
            Clean up excessively complicated handling of opaque types in hash and RSA code; use simpler model (pointer to incomplete structure) used in ECDSA code. Refactor RSA code to use shared ASN.1 routines.

2015-08-27  Rob Austein
            Add point validation check to hal_ecdsa_verify(). Update README.md and code comments.

2015-08-26  Rob Austein
            Signature works better if we read the entire hash.

2015-08-25  Rob Austein
            More ASN.1 fixes.

2015-08-25  Rob Austein
            Rework RFC 5915 ASN.1.

2015-08-25  Rob Austein
            ASN.1 bugfixes.

2015-08-24  Rob Austein
            First stumblings towards ECDSA test code.

2015-08-22  Rob Austein
            Rework point_scalar_multiply() to avoid a timing leak with small scalars.

2015-08-22  Rob Austein
            Add hal_ecdsa_verify(). Move hashing out of ECDSA routines. Clean up a few bits that didn't pass self-review.

2015-08-21  Rob Austein
            Updated point doubling and addition to use algorithms from the hyperelliptic.org formula database. Compiles, still not tested.

2015-08-21  Rob Austein
            Snapshot along the way to ECDSA. Code mostly written, except for ecdsa_verify(). Untested. Point addition and doubling algorithms are the ones from libtomcrypt, main point of this commit is to save those before replacing them with faster algorithms from hyperelliptic.org.