And here go {,EC}DSA_SIG_it

ok jsing

Remove ECDSA nonce padding kludge

This was a workaround due to the historically non-constant time scalar
multiplication in the EC code. Since Brumley and Tuveri implemented the
Montgomery ladder, this is no longer useful and should have been removed
a long time ago, as it now does more harm than good.

Keep the preallocations as they still help hiding some timing info.

ok jsing

Make the bn_rand_interval() API a bit more ergonomic

Provide bn_rand_in_range() which is a slightly tweaked version of what was
previously called bn_rand_range().

The way bn_rand_range() is called in libcrypto, the lower bound is always
expressible as a word. In fact, most of the time it is 1, the DH code uses
a 2, the MR tests in BPSW use 3 and an exceptinally high number appears in
the Tonelli-Shanks implementation where we use 32. Converting these lower
bounds to BIGNUMs on the call site is annoying so let bn_rand_interval()
do that internally and route that through bn_rand_in_range(). This way we
can avoid using BN_sub_word().

Adjust the bn_isqrt() test to use bn_rand_in_range() since that's the
only caller that uses actual BIGNUMs as lower bounds.

ok jsing

Remove some unneeded includes from ecdsa.h

Place public ECDSA API next to the internal methods

It is hard to remember that ECDSA_do_{sign,verify}() call ecdsa_sign_sig().
Especially since the distinction to ECDSA_{sign,verify}() isn't clear from
the names. To add to the confusion, the public API is ordered differently
than the methods they call. So in this case it seems tidier to place the
public API next to the methods.

ok jsing

Remove ECDSA_{do_,}sign_ex()

There is no reason to keep these. It is cleaner to keep ECDSA_sign_setup()
but remove the logic for passed-in kinv and r.

Refuse to cooperate as far as possible. Someone could still implement
their own versions of ECDSA_{do_,}_sign_ex() and ECDSA_sign_setup() by
leveraging EC_KEY_METHOD_get_sign() and building their own wrappers.
We can't make such an implementation of ECDSA_sign_setup() fail, but we
make the actual signing fail since we no longer "do the right thing".

ok jsing

Make extended ECDSA signing routines internal

ECDSA_sign_setup() permits precomputing the values of the inverse of the
random k and the corresponding r. These can then be fed into the signing
routines ECDSA_{do_,}sign_ex() multiple times if needed. This is not a
great idea and the interface adds a lot of unwanted complexity.

Not to mention that nothing ever used this correctly - if s works out to
0, a special error code is thrown requesting that the caller provide new
kinv and r values. Unsurprisingly, nobody ever checked for that special
error code.

ok jsing

This commit marks the start of a libcrypto major bump. Do not build the
tree until I bumped the shlib_version and synced file sets (in about 35
commits).

Rename EC_KEY from r to key like in the rest of the file

Hide symbols in hkdf, evp, err, ecdsa, and ec

(part 2 of commit)

ok jsing@

Mop up last uses of ECDHerror() and ECDSAerror()

ok jsing

One more ECDSAerror goes.

ECDHerror() and ECDSAerror will go away

Move some trivial ones to ECerror().

discussed with jsing

Drop an incorrect part from a comment

Missing . in comment

Fix #includes

Remove local prototypes for public API (?!)

Improve BN_bn2bin() error check for readability

Move ECDSA_size() to a more sensible place in this file

Merge ECDSA code that will stay into ecdsa.c

discussed with jsing

Remove ECDSA nonce padding kludge

This was a workaround due to the historically non-constant time scalar
multiplication in the EC code. Since Brumley and Tuveri implemented the
Montgomery ladder, this is no longer useful and should have been removed
a long time ago, as it now does more harm than good.

Keep the preallocations as they still help hiding some timing info.

ok jsing

Make the bn_rand_interval() API a bit more ergonomic

Provide bn_rand_in_range() which is a slightly tweaked version of what was
previously called bn_rand_range().

The way bn_rand_range() is called in libcrypto, the lower bound is always
expressible as a word. In fact, most of the time it is 1, the DH code uses
a 2, the MR tests in BPSW use 3 and an exceptinally high number appears in
the Tonelli-Shanks implementation where we use 32. Converting these lower
bounds to BIGNUMs on the call site is annoying so let bn_rand_interval()
do that internally and route that through bn_rand_in_range(). This way we
can avoid using BN_sub_word().

Adjust the bn_isqrt() test to use bn_rand_in_range() since that's the
only caller that uses actual BIGNUMs as lower bounds.

ok jsing

Remove some unneeded includes from ecdsa.h

Place public ECDSA API next to the internal methods

It is hard to remember that ECDSA_do_{sign,verify}() call ecdsa_sign_sig().
Especially since the distinction to ECDSA_{sign,verify}() isn't clear from
the names. To add to the confusion, the public API is ordered differently
than the methods they call. So in this case it seems tidier to place the
public API next to the methods.

ok jsing

Remove ECDSA_{do_,}sign_ex()

There is no reason to keep these. It is cleaner to keep ECDSA_sign_setup()
but remove the logic for passed-in kinv and r.

Refuse to cooperate as far as possible. Someone could still implement
their own versions of ECDSA_{do_,}_sign_ex() and ECDSA_sign_setup() by
leveraging EC_KEY_METHOD_get_sign() and building their own wrappers.
We can't make such an implementation of ECDSA_sign_setup() fail, but we
make the actual signing fail since we no longer "do the right thing".

ok jsing

Make extended ECDSA signing routines internal

ECDSA_sign_setup() permits precomputing the values of the inverse of the
random k and the corresponding r. These can then be fed into the signing
routines ECDSA_{do_,}sign_ex() multiple times if needed. This is not a
great idea and the interface adds a lot of unwanted complexity.

Not to mention that nothing ever used this correctly - if s works out to
0, a special error code is thrown requesting that the caller provide new
kinv and r values. Unsurprisingly, nobody ever checked for that special
error code.

ok jsing

This commit marks the start of a libcrypto major bump. Do not build the
tree until I bumped the shlib_version and synced file sets (in about 35
commits).

Rename EC_KEY from r to key like in the rest of the file

Hide symbols in hkdf, evp, err, ecdsa, and ec

(part 2 of commit)

ok jsing@

Mop up last uses of ECDHerror() and ECDSAerror()

ok jsing

One more ECDSAerror goes.

ECDHerror() and ECDSAerror will go away

Move some trivial ones to ECerror().

discussed with jsing

Drop an incorrect part from a comment

Missing . in comment

Fix #includes

Remove local prototypes for public API (?!)

Improve BN_bn2bin() error check for readability

Move ECDSA_size() to a more sensible place in this file

Merge ECDSA code that will stay into ecdsa.c

discussed with jsing

Make the bn_rand_interval() API a bit more ergonomic

Provide bn_rand_in_range() which is a slightly tweaked version of what was
previously called bn_rand_range().

The way bn_rand_range() is called in libcrypto, the lower bound is always
expressible as a word. In fact, most of the time it is 1, the DH code uses
a 2, the MR tests in BPSW use 3 and an exceptinally high number appears in
the Tonelli-Shanks implementation where we use 32. Converting these lower
bounds to BIGNUMs on the call site is annoying so let bn_rand_interval()
do that internally and route that through bn_rand_in_range(). This way we
can avoid using BN_sub_word().

Adjust the bn_isqrt() test to use bn_rand_in_range() since that's the
only caller that uses actual BIGNUMs as lower bounds.

ok jsing

Remove some unneeded includes from ecdsa.h

Place public ECDSA API next to the internal methods

It is hard to remember that ECDSA_do_{sign,verify}() call ecdsa_sign_sig().
Especially since the distinction to ECDSA_{sign,verify}() isn't clear from
the names. To add to the confusion, the public API is ordered differently
than the methods they call. So in this case it seems tidier to place the
public API next to the methods.

ok jsing

Remove ECDSA_{do_,}sign_ex()

There is no reason to keep these. It is cleaner to keep ECDSA_sign_setup()
but remove the logic for passed-in kinv and r.

Refuse to cooperate as far as possible. Someone could still implement
their own versions of ECDSA_{do_,}_sign_ex() and ECDSA_sign_setup() by
leveraging EC_KEY_METHOD_get_sign() and building their own wrappers.
We can't make such an implementation of ECDSA_sign_setup() fail, but we
make the actual signing fail since we no longer "do the right thing".

ok jsing

Make extended ECDSA signing routines internal

ECDSA_sign_setup() permits precomputing the values of the inverse of the
random k and the corresponding r. These can then be fed into the signing
routines ECDSA_{do_,}sign_ex() multiple times if needed. This is not a
great idea and the interface adds a lot of unwanted complexity.

Not to mention that nothing ever used this correctly - if s works out to
0, a special error code is thrown requesting that the caller provide new
kinv and r values. Unsurprisingly, nobody ever checked for that special
error code.

ok jsing

This commit marks the start of a libcrypto major bump. Do not build the
tree until I bumped the shlib_version and synced file sets (in about 35
commits).

Rename EC_KEY from r to key like in the rest of the file

Hide symbols in hkdf, evp, err, ecdsa, and ec

(part 2 of commit)

ok jsing@

Mop up last uses of ECDHerror() and ECDSAerror()

ok jsing

One more ECDSAerror goes.

ECDHerror() and ECDSAerror will go away

Move some trivial ones to ECerror().

discussed with jsing

Drop an incorrect part from a comment

Missing . in comment

Fix #includes

Remove local prototypes for public API (?!)

Improve BN_bn2bin() error check for readability

Move ECDSA_size() to a more sensible place in this file

Merge ECDSA code that will stay into ecdsa.c

discussed with jsing

Remove some unneeded includes from ecdsa.h

Place public ECDSA API next to the internal methods

It is hard to remember that ECDSA_do_{sign,verify}() call ecdsa_sign_sig().
Especially since the distinction to ECDSA_{sign,verify}() isn't clear from
the names. To add to the confusion, the public API is ordered differently
than the methods they call. So in this case it seems tidier to place the
public API next to the methods.

ok jsing

Remove ECDSA_{do_,}sign_ex()

There is no reason to keep these. It is cleaner to keep ECDSA_sign_setup()
but remove the logic for passed-in kinv and r.

Refuse to cooperate as far as possible. Someone could still implement
their own versions of ECDSA_{do_,}_sign_ex() and ECDSA_sign_setup() by
leveraging EC_KEY_METHOD_get_sign() and building their own wrappers.
We can't make such an implementation of ECDSA_sign_setup() fail, but we
make the actual signing fail since we no longer "do the right thing".

ok jsing

Make extended ECDSA signing routines internal

ECDSA_sign_setup() permits precomputing the values of the inverse of the
random k and the corresponding r. These can then be fed into the signing
routines ECDSA_{do_,}sign_ex() multiple times if needed. This is not a
great idea and the interface adds a lot of unwanted complexity.

Not to mention that nothing ever used this correctly - if s works out to
0, a special error code is thrown requesting that the caller provide new
kinv and r values. Unsurprisingly, nobody ever checked for that special
error code.

ok jsing

This commit marks the start of a libcrypto major bump. Do not build the
tree until I bumped the shlib_version and synced file sets (in about 35
commits).

Rename EC_KEY from r to key like in the rest of the file

Hide symbols in hkdf, evp, err, ecdsa, and ec

(part 2 of commit)

ok jsing@

Mop up last uses of ECDHerror() and ECDSAerror()

ok jsing

One more ECDSAerror goes.

ECDHerror() and ECDSAerror will go away

Move some trivial ones to ECerror().

discussed with jsing

Drop an incorrect part from a comment

Missing . in comment

Fix #includes

Remove local prototypes for public API (?!)

Improve BN_bn2bin() error check for readability

Move ECDSA_size() to a more sensible place in this file

Merge ECDSA code that will stay into ecdsa.c

discussed with jsing

Rename EC_KEY from r to key like in the rest of the file

Hide symbols in hkdf, evp, err, ecdsa, and ec

(part 2 of commit)

ok jsing@

Mop up last uses of ECDHerror() and ECDSAerror()

ok jsing

One more ECDSAerror goes.

ECDHerror() and ECDSAerror will go away

Move some trivial ones to ECerror().

discussed with jsing

Drop an incorrect part from a comment

Missing . in comment

Fix #includes

Remove local prototypes for public API (?!)

Improve BN_bn2bin() error check for readability

Move ECDSA_size() to a more sensible place in this file

Merge ECDSA code that will stay into ecdsa.c

discussed with jsing

Hide symbols in hkdf, evp, err, ecdsa, and ec

(part 2 of commit)

ok jsing@

Mop up last uses of ECDHerror() and ECDSAerror()

ok jsing

One more ECDSAerror goes.

ECDHerror() and ECDSAerror will go away

Move some trivial ones to ECerror().

discussed with jsing

Drop an incorrect part from a comment

Missing . in comment

Fix #includes

Remove local prototypes for public API (?!)

Improve BN_bn2bin() error check for readability

Move ECDSA_size() to a more sensible place in this file

Merge ECDSA code that will stay into ecdsa.c

discussed with jsing