#
1.19 |
|
15-Apr-2024 |
tb |
And here go {,EC}DSA_SIG_it
ok jsing
|
Revision tags: OPENBSD_7_4_BASE OPENBSD_7_5_BASE
|
#
1.18 |
|
08-Aug-2023 |
tb |
Remove ECDSA nonce padding kludge
This was a workaround due to the historically non-constant time scalar multiplication in the EC code. Since Brumley and Tuveri implemented the Montgomery ladder, this is no longer useful and should have been removed a long time ago, as it now does more harm than good.
Keep the preallocations as they still help hiding some timing info.
ok jsing
|
#
1.17 |
|
03-Aug-2023 |
tb |
Make the bn_rand_interval() API a bit more ergonomic
Provide bn_rand_in_range() which is a slightly tweaked version of what was previously called bn_rand_range().
The way bn_rand_range() is called in libcrypto, the lower bound is always expressible as a word. In fact, most of the time it is 1, the DH code uses a 2, the MR tests in BPSW use 3 and an exceptionally high number appears in the Tonelli-Shanks implementation where we use 32. Converting these lower bounds to BIGNUMs on the call site is annoying so let bn_rand_interval() do that internally and route that through bn_rand_in_range(). This way we can avoid using BN_sub_word().
Adjust the bn_isqrt() test to use bn_rand_in_range() since that's the only caller that uses actual BIGNUMs as lower bounds.
ok jsing
|
#
1.16 |
|
28-Jul-2023 |
tb |
Remove some unneeded includes from ecdsa.h
|
#
1.15 |
|
28-Jul-2023 |
tb |
Place public ECDSA API next to the internal methods
It is hard to remember that ECDSA_do_{sign,verify}() call ecdsa_sign_sig(). Especially since the distinction to ECDSA_{sign,verify}() isn't clear from the names. To add to the confusion, the public API is ordered differently than the methods they call. So in this case it seems tidier to place the public API next to the methods.
ok jsing
|
#
1.14 |
|
28-Jul-2023 |
tb |
Remove ECDSA_{do_,}sign_ex()
There is no reason to keep these. It is cleaner to keep ECDSA_sign_setup() but remove the logic for passed-in kinv and r.
Refuse to cooperate as far as possible. Someone could still implement their own versions of ECDSA_{do_,}_sign_ex() and ECDSA_sign_setup() by leveraging EC_KEY_METHOD_get_sign() and building their own wrappers. We can't make such an implementation of ECDSA_sign_setup() fail, but we make the actual signing fail since we no longer "do the right thing".
ok jsing
|
#
1.13 |
|
28-Jul-2023 |
tb |
Make extended ECDSA signing routines internal
ECDSA_sign_setup() permits precomputing the values of the inverse of the random k and the corresponding r. These can then be fed into the signing routines ECDSA_{do_,}sign_ex() multiple times if needed. This is not a great idea and the interface adds a lot of unwanted complexity.
Not to mention that nothing ever used this correctly - if s works out to 0, a special error code is thrown requesting that the caller provide new kinv and r values. Unsurprisingly, nobody ever checked for that special error code.
ok jsing
This commit marks the start of a libcrypto major bump. Do not build the tree until I bumped the shlib_version and synced file sets (in about 35 commits).
|
#
1.12 |
|
10-Jul-2023 |
tb |
Rename EC_KEY from r to key like in the rest of the file
|
#
1.11 |
|
07-Jul-2023 |
beck |
Hide symbols in hkdf, evp, err, ecdsa, and ec
(part 2 of commit)
ok jsing@
|
#
1.10 |
|
05-Jul-2023 |
tb |
Mop up last uses of ECDHerror() and ECDSAerror()
ok jsing
|
#
1.9 |
|
05-Jul-2023 |
tb |
One more ECDSAerror goes.
|
#
1.8 |
|
05-Jul-2023 |
tb |
ECDHerror() and ECDSAerror will go away
Move some trivial ones to ECerror().
discussed with jsing
|
#
1.7 |
|
05-Jul-2023 |
tb |
Drop an incorrect part from a comment
|
#
1.6 |
|
05-Jul-2023 |
tb |
Missing . in comment
|
#
1.5 |
|
05-Jul-2023 |
tb |
Fix #includes
|
#
1.4 |
|
05-Jul-2023 |
tb |
Remove local prototypes for public API (?!)
|
#
1.3 |
|
05-Jul-2023 |
tb |
Improve BN_bn2bin() error check for readability
|
#
1.2 |
|
05-Jul-2023 |
tb |
Move ECDSA_size() to a more sensible place in this file
|
#
1.1 |
|
05-Jul-2023 |
tb |
Merge ECDSA code that will stay into ecdsa.c
discussed with jsing
|