Use NULL, not 0 for pointers and use an explicit comparison against NULL.

Handle BN_CTX at the EC API boundary.

The EC API allows callers to optionally pass in a BN_CTX, which means that
any code needing a BN_CTX has to check if one was provided, allocate one if
not, then free it again. Rather than doing this dance throughout the EC
code, handle the BN_CTX existance at the EC API boundary. This means that
lower level implementation code can simply assume that the BN_CTX is
available.

ok tb@

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Merge the second y_bit check into the first one where it belongs

suggested by jsing

Simplify y_bit handling in compressed coordinates

If y_bit is set for a zero y, something is wrong and we can error directly.
No need to run the non-trivial BN_kronecker() to check if BN_mod_sqrt()
lied or not, only to set a more specific error code.

ok jsing

Fix an annoying quirk in the EC code

Dealing with elliptic curves makes some people think that it would be kind
of neat to multiply types with variable names. Sometimes. Only in function
definitions.

whitespace

Prepare to provide EC_POINT_set_compressed_coordinates

ok jsing

Prepare to provide EC_POINT_{g,s}et_affine_coordinates

Similar to part of OpenSSL commit 8e3cced75fb5fee5da59ebef9605d403a999391b

ok jsing

Move point-on-curve check to set_affine_coordinates

Bad API design makes it possible to set an EC_KEY public key to
a point not on the curve. As a consequence, it was possible to
have bogus ECDSA signatures validated. In practice, all software
uses either EC_POINT_oct2point*() to unmarshal public keys or
issues a call to EC_KEY_check_key() after setting it. This way,
a point on curve check is performed and the problem is mitigated.

In OpenSSL commit 1e2012b7ff4a5f12273446b281775faa5c8a1858, Emilia
Kasper moved the point-on-curve check from EC_POINT_oct2point to
EC_POINT_set_affine_coordinates_*, which results in more checking.
In addition to this commit, we also check in the currently unused
codepath of a user set callback for setting compressed coordinates,
just in case this will be used at some point in the future.

The documentation of EC_KEY_check_key() is very vague on what it
checks and when checks are needed. It could certainly be improved
a lot. It's also strange that EC_KEY_set_key() performs no checks,
while EC_KEY_set_public_key_affine_coordinates() implicitly calls
EC_KEY_check_key().

It's a mess.

Issue found and reported by Guido Vranken who also tested an earlier
version of this fix.

ok jsing

recommit label indentation part of the backout; clearly unrelated to the
breakage.

back out ecc constant time changes

after the constant time commits various regress tests started failing
on sparc64 ssh t9, libcrypto ec ecdh ecdsa and trying to ssh out
resulted in 'invalid elliptic curve value'

ok tb@

Indent labels by a space so they don't obliterate function names in diffs.

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

Use `> 0' instead of `!= 0' as a successful condition for
EC_POINT_is_at_infinity() and EC_POINT_is_on_curve(), for they may return -1
should an error arise.
ok doug@ jsing@

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@

tags as requested by miod and tedu

knf approximation

Cope with the removal of openssl/symhacks.h

branches: 1.1.1;
Initial revision

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Merge the second y_bit check into the first one where it belongs

suggested by jsing

Simplify y_bit handling in compressed coordinates

If y_bit is set for a zero y, something is wrong and we can error directly.
No need to run the non-trivial BN_kronecker() to check if BN_mod_sqrt()
lied or not, only to set a more specific error code.

ok jsing

Fix an annoying quirk in the EC code

Dealing with elliptic curves makes some people think that it would be kind
of neat to multiply types with variable names. Sometimes. Only in function
definitions.

whitespace

Prepare to provide EC_POINT_set_compressed_coordinates

ok jsing

Prepare to provide EC_POINT_{g,s}et_affine_coordinates

Similar to part of OpenSSL commit 8e3cced75fb5fee5da59ebef9605d403a999391b

ok jsing

Move point-on-curve check to set_affine_coordinates

Bad API design makes it possible to set an EC_KEY public key to
a point not on the curve. As a consequence, it was possible to
have bogus ECDSA signatures validated. In practice, all software
uses either EC_POINT_oct2point*() to unmarshal public keys or
issues a call to EC_KEY_check_key() after setting it. This way,
a point on curve check is performed and the problem is mitigated.

In OpenSSL commit 1e2012b7ff4a5f12273446b281775faa5c8a1858, Emilia
Kasper moved the point-on-curve check from EC_POINT_oct2point to
EC_POINT_set_affine_coordinates_*, which results in more checking.
In addition to this commit, we also check in the currently unused
codepath of a user set callback for setting compressed coordinates,
just in case this will be used at some point in the future.

The documentation of EC_KEY_check_key() is very vague on what it
checks and when checks are needed. It could certainly be improved
a lot. It's also strange that EC_KEY_set_key() performs no checks,
while EC_KEY_set_public_key_affine_coordinates() implicitly calls
EC_KEY_check_key().

It's a mess.

Issue found and reported by Guido Vranken who also tested an earlier
version of this fix.

ok jsing

recommit label indentation part of the backout; clearly unrelated to the
breakage.

back out ecc constant time changes

after the constant time commits various regress tests started failing
on sparc64 ssh t9, libcrypto ec ecdh ecdsa and trying to ssh out
resulted in 'invalid elliptic curve value'

ok tb@

Indent labels by a space so they don't obliterate function names in diffs.

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

Use `> 0' instead of `!= 0' as a successful condition for
EC_POINT_is_at_infinity() and EC_POINT_is_on_curve(), for they may return -1
should an error arise.
ok doug@ jsing@

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@

tags as requested by miod and tedu

knf approximation

Cope with the removal of openssl/symhacks.h

branches: 1.1.1;
Initial revision

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Merge the second y_bit check into the first one where it belongs

suggested by jsing

Simplify y_bit handling in compressed coordinates

If y_bit is set for a zero y, something is wrong and we can error directly.
No need to run the non-trivial BN_kronecker() to check if BN_mod_sqrt()
lied or not, only to set a more specific error code.

ok jsing

Fix an annoying quirk in the EC code

Dealing with elliptic curves makes some people think that it would be kind
of neat to multiply types with variable names. Sometimes. Only in function
definitions.

whitespace

Prepare to provide EC_POINT_set_compressed_coordinates

ok jsing

Prepare to provide EC_POINT_{g,s}et_affine_coordinates

Similar to part of OpenSSL commit 8e3cced75fb5fee5da59ebef9605d403a999391b

ok jsing

Move point-on-curve check to set_affine_coordinates

Bad API design makes it possible to set an EC_KEY public key to
a point not on the curve. As a consequence, it was possible to
have bogus ECDSA signatures validated. In practice, all software
uses either EC_POINT_oct2point*() to unmarshal public keys or
issues a call to EC_KEY_check_key() after setting it. This way,
a point on curve check is performed and the problem is mitigated.

In OpenSSL commit 1e2012b7ff4a5f12273446b281775faa5c8a1858, Emilia
Kasper moved the point-on-curve check from EC_POINT_oct2point to
EC_POINT_set_affine_coordinates_*, which results in more checking.
In addition to this commit, we also check in the currently unused
codepath of a user set callback for setting compressed coordinates,
just in case this will be used at some point in the future.

The documentation of EC_KEY_check_key() is very vague on what it
checks and when checks are needed. It could certainly be improved
a lot. It's also strange that EC_KEY_set_key() performs no checks,
while EC_KEY_set_public_key_affine_coordinates() implicitly calls
EC_KEY_check_key().

It's a mess.

Issue found and reported by Guido Vranken who also tested an earlier
version of this fix.

ok jsing

recommit label indentation part of the backout; clearly unrelated to the
breakage.

back out ecc constant time changes

after the constant time commits various regress tests started failing
on sparc64 ssh t9, libcrypto ec ecdh ecdsa and trying to ssh out
resulted in 'invalid elliptic curve value'

ok tb@

Indent labels by a space so they don't obliterate function names in diffs.

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

Use `> 0' instead of `!= 0' as a successful condition for
EC_POINT_is_at_infinity() and EC_POINT_is_on_curve(), for they may return -1
should an error arise.
ok doug@ jsing@

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@

tags as requested by miod and tedu

knf approximation

Cope with the removal of openssl/symhacks.h

branches: 1.1.1;
Initial revision

Fix an annoying quirk in the EC code

Dealing with elliptic curves makes some people think that it would be kind
of neat to multiply types with variable names. Sometimes. Only in function
definitions.

whitespace

Prepare to provide EC_POINT_set_compressed_coordinates

ok jsing

Prepare to provide EC_POINT_{g,s}et_affine_coordinates

Similar to part of OpenSSL commit 8e3cced75fb5fee5da59ebef9605d403a999391b

ok jsing

Move point-on-curve check to set_affine_coordinates

Bad API design makes it possible to set an EC_KEY public key to
a point not on the curve. As a consequence, it was possible to
have bogus ECDSA signatures validated. In practice, all software
uses either EC_POINT_oct2point*() to unmarshal public keys or
issues a call to EC_KEY_check_key() after setting it. This way,
a point on curve check is performed and the problem is mitigated.

In OpenSSL commit 1e2012b7ff4a5f12273446b281775faa5c8a1858, Emilia
Kasper moved the point-on-curve check from EC_POINT_oct2point to
EC_POINT_set_affine_coordinates_*, which results in more checking.
In addition to this commit, we also check in the currently unused
codepath of a user set callback for setting compressed coordinates,
just in case this will be used at some point in the future.

The documentation of EC_KEY_check_key() is very vague on what it
checks and when checks are needed. It could certainly be improved
a lot. It's also strange that EC_KEY_set_key() performs no checks,
while EC_KEY_set_public_key_affine_coordinates() implicitly calls
EC_KEY_check_key().

It's a mess.

Issue found and reported by Guido Vranken who also tested an earlier
version of this fix.

ok jsing

recommit label indentation part of the backout; clearly unrelated to the
breakage.

back out ecc constant time changes

after the constant time commits various regress tests started failing
on sparc64 ssh t9, libcrypto ec ecdh ecdsa and trying to ssh out
resulted in 'invalid elliptic curve value'

ok tb@

Indent labels by a space so they don't obliterate function names in diffs.

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

Use `> 0' instead of `!= 0' as a successful condition for
EC_POINT_is_at_infinity() and EC_POINT_is_on_curve(), for they may return -1
should an error arise.
ok doug@ jsing@

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@

tags as requested by miod and tedu

knf approximation

Cope with the removal of openssl/symhacks.h

branches: 1.1.1;
Initial revision

Prepare to provide EC_POINT_set_compressed_coordinates

ok jsing

Prepare to provide EC_POINT_{g,s}et_affine_coordinates

Similar to part of OpenSSL commit 8e3cced75fb5fee5da59ebef9605d403a999391b

ok jsing

Move point-on-curve check to set_affine_coordinates

Bad API design makes it possible to set an EC_KEY public key to
a point not on the curve. As a consequence, it was possible to
have bogus ECDSA signatures validated. In practice, all software
uses either EC_POINT_oct2point*() to unmarshal public keys or
issues a call to EC_KEY_check_key() after setting it. This way,
a point on curve check is performed and the problem is mitigated.

In OpenSSL commit 1e2012b7ff4a5f12273446b281775faa5c8a1858, Emilia
Kasper moved the point-on-curve check from EC_POINT_oct2point to
EC_POINT_set_affine_coordinates_*, which results in more checking.
In addition to this commit, we also check in the currently unused
codepath of a user set callback for setting compressed coordinates,
just in case this will be used at some point in the future.

The documentation of EC_KEY_check_key() is very vague on what it
checks and when checks are needed. It could certainly be improved
a lot. It's also strange that EC_KEY_set_key() performs no checks,
while EC_KEY_set_public_key_affine_coordinates() implicitly calls
EC_KEY_check_key().

It's a mess.

Issue found and reported by Guido Vranken who also tested an earlier
version of this fix.

ok jsing

recommit label indentation part of the backout; clearly unrelated to the
breakage.

back out ecc constant time changes

after the constant time commits various regress tests started failing
on sparc64 ssh t9, libcrypto ec ecdh ecdsa and trying to ssh out
resulted in 'invalid elliptic curve value'

ok tb@

Indent labels by a space so they don't obliterate function names in diffs.

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

Use `> 0' instead of `!= 0' as a successful condition for
EC_POINT_is_at_infinity() and EC_POINT_is_on_curve(), for they may return -1
should an error arise.
ok doug@ jsing@

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@

tags as requested by miod and tedu

knf approximation

Cope with the removal of openssl/symhacks.h

branches: 1.1.1;
Initial revision

Move point-on-curve check to set_affine_coordinates

Bad API design makes it possible to set an EC_KEY public key to
a point not on the curve. As a consequence, it was possible to
have bogus ECDSA signatures validated. In practice, all software
uses either EC_POINT_oct2point*() to unmarshal public keys or
issues a call to EC_KEY_check_key() after setting it. This way,
a point on curve check is performed and the problem is mitigated.

In OpenSSL commit 1e2012b7ff4a5f12273446b281775faa5c8a1858, Emilia
Kasper moved the point-on-curve check from EC_POINT_oct2point to
EC_POINT_set_affine_coordinates_*, which results in more checking.
In addition to this commit, we also check in the currently unused
codepath of a user set callback for setting compressed coordinates,
just in case this will be used at some point in the future.

The documentation of EC_KEY_check_key() is very vague on what it
checks and when checks are needed. It could certainly be improved
a lot. It's also strange that EC_KEY_set_key() performs no checks,
while EC_KEY_set_public_key_affine_coordinates() implicitly calls
EC_KEY_check_key().

It's a mess.

Issue found and reported by Guido Vranken who also tested an earlier
version of this fix.

ok jsing

recommit label indentation part of the backout; clearly unrelated to the
breakage.

back out ecc constant time changes

after the constant time commits various regress tests started failing
on sparc64 ssh t9, libcrypto ec ecdh ecdsa and trying to ssh out
resulted in 'invalid elliptic curve value'

ok tb@

Indent labels by a space so they don't obliterate function names in diffs.

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

Use `> 0' instead of `!= 0' as a successful condition for
EC_POINT_is_at_infinity() and EC_POINT_is_on_curve(), for they may return -1
should an error arise.
ok doug@ jsing@

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@

tags as requested by miod and tedu

knf approximation

Cope with the removal of openssl/symhacks.h

branches: 1.1.1;
Initial revision

recommit label indentation part of the backout; clearly unrelated to the
breakage.

back out ecc constant time changes

after the constant time commits various regress tests started failing
on sparc64 ssh t9, libcrypto ec ecdh ecdsa and trying to ssh out
resulted in 'invalid elliptic curve value'

ok tb@

Indent labels by a space so they don't obliterate function names in diffs.

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

Use `> 0' instead of `!= 0' as a successful condition for
EC_POINT_is_at_infinity() and EC_POINT_is_on_curve(), for they may return -1
should an error arise.
ok doug@ jsing@

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@

tags as requested by miod and tedu

knf approximation

Cope with the removal of openssl/symhacks.h

branches: 1.1.1;
Initial revision

Indent labels by a space so they don't obliterate function names in diffs.

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

Use `> 0' instead of `!= 0' as a successful condition for
EC_POINT_is_at_infinity() and EC_POINT_is_on_curve(), for they may return -1
should an error arise.
ok doug@ jsing@

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@

tags as requested by miod and tedu

knf approximation

Cope with the removal of openssl/symhacks.h

branches: 1.1.1;
Initial revision

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

BN_CTX_get() can fail - consistently check its return value.

There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).

Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.

Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.

ok beck@ doug@

Use `> 0' instead of `!= 0' as a successful condition for
EC_POINT_is_at_infinity() and EC_POINT_is_on_curve(), for they may return -1
should an error arise.
ok doug@ jsing@

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@

tags as requested by miod and tedu

knf approximation

Cope with the removal of openssl/symhacks.h

branches: 1.1.1;
Initial revision