| Age | Commit message (Collapse) | Author |
|---|
|
ok jsing
|
|
This was a workaround due to the historically non-constant time scalar
multiplication in the EC code. Since Brumley and Tuveri implemented the
Montgomery ladder, this is no longer useful and should have been removed
a long time ago, as it now does more harm than good.
Keep the preallocations as they still help hiding some timing info.
ok jsing
|
|
Provide bn_rand_in_range() which is a slightly tweaked version of what was
previously called bn_rand_range().
The way bn_rand_range() is called in libcrypto, the lower bound is always
expressible as a word. In fact, most of the time it is 1, the DH code uses
a 2, the MR tests in BPSW use 3 and an exceptinally high number appears in
the Tonelli-Shanks implementation where we use 32. Converting these lower
bounds to BIGNUMs on the call site is annoying so let bn_rand_interval()
do that internally and route that through bn_rand_in_range(). This way we
can avoid using BN_sub_word().
Adjust the bn_isqrt() test to use bn_rand_in_range() since that's the
only caller that uses actual BIGNUMs as lower bounds.
ok jsing
|
|
These headers are now reduced to #include <openssl/ec.h> and are provided
for compatiblity only. There's no point in using them. At the same time
garbage collect the last uses of OPENSSL_NO_{ECDSA,ECDH} in our tree.
ok jsing
|
|
|
|
Move the remaining ECDSA API into ec.h to match OpenSSL 1.1's interface
better. In particular, the EC_KEY sign and verify method accessors are
moved to the right header. Whether the rest of the ECDSA stuff belongs
there is debatable, but that was upstream's choice.
ok jsing
|
|
After smtpd (in base) and libtls finally switched from ECDSA_METHOD to
EC_KEY_METHOD, much of the ECDSA_METHOD code was neutered. Remove the
remaining public API as well as numerous tentacles into ENGINE.
ok jsing
|
|
These error codes have been unused for a while, so the public API loading
them is pointless.
ok jsing
|
|
It is hard to remember that ECDSA_do_{sign,verify}() call ecdsa_sign_sig().
Especially since the distinction to ECDSA_{sign,verify}() isn't clear from
the names. To add to the confusion, the public API is ordered differently
than the methods they call. So in this case it seems tidier to place the
public API next to the methods.
ok jsing
|
|
There is no reason to keep these. It is cleaner to keep ECDSA_sign_setup()
but remove the logic for passed-in kinv and r.
Refuse to cooperate as far as possible. Someone could still implement
their own versions of ECDSA_{do_,}_sign_ex() and ECDSA_sign_setup() by
leveraging EC_KEY_METHOD_get_sign() and building their own wrappers.
We can't make such an implementation of ECDSA_sign_setup() fail, but we
make the actual signing fail since we no longer "do the right thing".
ok jsing
|
|
ECDSA_sign_setup() permits precomputing the values of the inverse of the
random k and the corresponding r. These can then be fed into the signing
routines ECDSA_{do_,}sign_ex() multiple times if needed. This is not a
great idea and the interface adds a lot of unwanted complexity.
Not to mention that nothing ever used this correctly - if s works out to
0, a special error code is thrown requesting that the caller provide new
kinv and r values. Unsurprisingly, nobody ever checked for that special
error code.
ok jsing
This commit marks the start of a libcrypto major bump. Do not build the
tree until I bumped the shlib_version and synced file sets (in about 35
commits).
|
|
|
|
(part 2 of commit)
ok jsing@
|
|
ok jsing
|
|
|
|
Move some trivial ones to ECerror().
discussed with jsing
|
|
|
|
|
|
|
|
|
|
|
|
|
|
discussed with jsing
|
|
|
|
|
|
discussed with jsing
|
|
The caller can provide an r which will be added to the ECDSA_SIG unchecked.
This can happen via ECDSA_{,do_}sign_ex() or ECDSA_sign_setup() or else via
a custom sign_sig() handler. Therefore add a check that it is in the bounds
required.
Since k was long thrown away, there's no way to check kinv, so it needs to
be trusted. Misdesigned APIs that will output garbage everywhere...
ok jsing
|
|
Use variable names that correspond more closely to the standard. Use an
additional variable for s^-1 for readability. Annotate the code with
the corresponding steps from FIPS 186-5.
ok jsing
|
|
ok jsing
|
|
This pushes a few variables no longer needed in ossl_ecdsa_sign_sig() into
ecdsa_compute_s() separating API logic and pure computation a bit more.
ok beck
|
|
|
|
|
|
|
|
|
|
Make it take an EC_KEY instead of a group order in preparation for further
cleanup. Rename m into e to match the standard better. Also buy some vowels
for jsing.
ok beck jsing
|
|
ossl_ecdsa_sign_sig() is already complicated enough. The math bit is
entirely self contained and does not need to obfuscate control flow
and logic.
with feedback from and ok jsing
|
|
The only reason ckinv exists is to be able to avoid a copy. This copy
leaks some timing info, that will be mitigated in a subsequent step.
It is an unused or at least uncommonly used codepath.
ok jsing
|
|
If the caller supplied both kinv and r, we don't loop but rather throw
an undocumented error code that no one uses, which is intended to tell
the caller to run ECDSA_sign_setup() and try again.
Use a boolean that indicates this situation so that the logic becomes
a bit more transparent.
ok jsing
|
|
|
|
|
|
requested by jsing
|
|
This is confusing, as both sides involved should be unsigned. The ec
code is undecided on whether the group order can be negative. It should
never be, so lets see what happen with this slightly stricter check.
discussed with jsing
|
|
The checks whether r and s lie in the interval [1, order) were a bit
uglier than necessary. Clean this up.
ok beck jsing
|
|
|
|
ok beck jsing
|
|
ok beck jsing
|
|
ok beck jsing
|
|
Requested by jsing
|
|
Make it single exit and use API more idiomatically and some other
cosmetics.
ok beck jsing
|
|
ok jsing
|
