openbsd/src/lib/libcrypto/ecdsa, branch libressl-v3.9.1

Remove ECDSA nonce padding kludge

2023-08-08T13:09:28+00:00

This was a workaround due to the historically non-constant time scalar multiplication in the EC code. Since Brumley and Tuveri implemented the Montgomery ladder, this is no longer useful and should have been removed a long time ago, as it now does more harm than good. Keep the preallocations as they still help hiding some timing info. ok jsing

Make the bn_rand_interval() API a bit more ergonomic

2023-08-03T18:53:56+00:00

Provide bn_rand_in_range() which is a slightly tweaked version of what was previously called bn_rand_range(). The way bn_rand_range() is called in libcrypto, the lower bound is always expressible as a word. In fact, most of the time it is 1, the DH code uses a 2, the MR tests in BPSW use 3 and an exceptinally high number appears in the Tonelli-Shanks implementation where we use 32. Converting these lower bounds to BIGNUMs on the call site is annoying so let bn_rand_interval() do that internally and route that through bn_rand_in_range(). This way we can avoid using BN_sub_word(). Adjust the bn_isqrt() test to use bn_rand_in_range() since that's the only caller that uses actual BIGNUMs as lower bounds. ok jsing

Stop including ecdsa.h and ecdh.h internally

2023-07-28T15:50:33+00:00

These headers are now reduced to #include and are provided for compatiblity only. There's no point in using them. At the same time garbage collect the last uses of OPENSSL_NO_{ECDSA,ECDH} in our tree. ok jsing

Remove some unneeded includes from ecdsa.h

2023-07-28T09:18:10+00:00

Merge ecdsa.h into ec.h

2023-07-28T09:16:17+00:00

Move the remaining ECDSA API into ec.h to match OpenSSL 1.1's interface better. In particular, the EC_KEY sign and verify method accessors are moved to the right header. Whether the rest of the ECDSA stuff belongs there is debatable, but that was upstream's choice. ok jsing

Remove ECDSA_METHOD

2023-07-28T09:08:31+00:00

After smtpd (in base) and libtls finally switched from ECDSA_METHOD to EC_KEY_METHOD, much of the ECDSA_METHOD code was neutered. Remove the remaining public API as well as numerous tentacles into ENGINE. ok jsing

Remove ecs_err.c

2023-07-28T09:01:25+00:00

These error codes have been unused for a while, so the public API loading them is pointless. ok jsing

Place public ECDSA API next to the internal methods

2023-07-28T08:57:46+00:00

It is hard to remember that ECDSA_do_{sign,verify}() call ecdsa_sign_sig(). Especially since the distinction to ECDSA_{sign,verify}() isn't clear from the names. To add to the confusion, the public API is ordered differently than the methods they call. So in this case it seems tidier to place the public API next to the methods. ok jsing

Remove ECDSA_{do_,}sign_ex()

2023-07-28T08:54:41+00:00

There is no reason to keep these. It is cleaner to keep ECDSA_sign_setup() but remove the logic for passed-in kinv and r. Refuse to cooperate as far as possible. Someone could still implement their own versions of ECDSA_{do_,}_sign_ex() and ECDSA_sign_setup() by leveraging EC_KEY_METHOD_get_sign() and building their own wrappers. We can't make such an implementation of ECDSA_sign_setup() fail, but we make the actual signing fail since we no longer "do the right thing". ok jsing

Make extended ECDSA signing routines internal

2023-07-28T08:49:43+00:00

ECDSA_sign_setup() permits precomputing the values of the inverse of the random k and the corresponding r. These can then be fed into the signing routines ECDSA_{do_,}sign_ex() multiple times if needed. This is not a great idea and the interface adds a lot of unwanted complexity. Not to mention that nothing ever used this correctly - if s works out to 0, a special error code is thrown requesting that the caller provide new kinv and r values. Unsurprisingly, nobody ever checked for that special error code. ok jsing This commit marks the start of a libcrypto major bump. Do not build the tree until I bumped the shlib_version and synced file sets (in about 35 commits).