summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/ecdsa (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Remove ECDSA nonce padding kludgetb2023-08-081-22/+1
| | | | | | | | | | | This was a workaround due to the historically non-constant time scalar multiplication in the EC code. Since Brumley and Tuveri implemented the Montgomery ladder, this is no longer useful and should have been removed a long time ago, as it now does more harm than good. Keep the preallocations as they still help hiding some timing info. ok jsing
* Make the bn_rand_interval() API a bit more ergonomictb2023-08-031-3/+3
| | | | | | | | | | | | | | | | | | Provide bn_rand_in_range() which is a slightly tweaked version of what was previously called bn_rand_range(). The way bn_rand_range() is called in libcrypto, the lower bound is always expressible as a word. In fact, most of the time it is 1, the DH code uses a 2, the MR tests in BPSW use 3 and an exceptinally high number appears in the Tonelli-Shanks implementation where we use 32. Converting these lower bounds to BIGNUMs on the call site is annoying so let bn_rand_interval() do that internally and route that through bn_rand_in_range(). This way we can avoid using BN_sub_word(). Adjust the bn_isqrt() test to use bn_rand_in_range() since that's the only caller that uses actual BIGNUMs as lower bounds. ok jsing
* Stop including ecdsa.h and ecdh.h internallytb2023-07-281-2/+2
| | | | | | | | These headers are now reduced to #include <openssl/ec.h> and are provided for compatiblity only. There's no point in using them. At the same time garbage collect the last uses of OPENSSL_NO_{ECDSA,ECDH} in our tree. ok jsing
* Remove some unneeded includes from ecdsa.htb2023-07-281-5/+1
|
* Merge ecdsa.h into ec.htb2023-07-281-138/+2
| | | | | | | | | Move the remaining ECDSA API into ec.h to match OpenSSL 1.1's interface better. In particular, the EC_KEY sign and verify method accessors are moved to the right header. Whether the rest of the ECDSA stuff belongs there is debatable, but that was upstream's choice. ok jsing
* Remove ECDSA_METHODtb2023-07-282-151/+1
| | | | | | | | After smtpd (in base) and libtls finally switched from ECDSA_METHOD to EC_KEY_METHOD, much of the ECDSA_METHOD code was neutered. Remove the remaining public API as well as numerous tentacles into ENGINE. ok jsing
* Remove ecs_err.ctb2023-07-282-119/+1
| | | | | | | These error codes have been unused for a while, so the public API loading them is pointless. ok jsing
* Place public ECDSA API next to the internal methodstb2023-07-281-51/+48
| | | | | | | | | | It is hard to remember that ECDSA_do_{sign,verify}() call ecdsa_sign_sig(). Especially since the distinction to ECDSA_{sign,verify}() isn't clear from the names. To add to the confusion, the public API is ordered differently than the methods they call. So in this case it seems tidier to place the public API next to the methods. ok jsing
* Remove ECDSA_{do_,}sign_ex()tb2023-07-281-57/+20
| | | | | | | | | | | | | There is no reason to keep these. It is cleaner to keep ECDSA_sign_setup() but remove the logic for passed-in kinv and r. Refuse to cooperate as far as possible. Someone could still implement their own versions of ECDSA_{do_,}_sign_ex() and ECDSA_sign_setup() by leveraging EC_KEY_METHOD_get_sign() and building their own wrappers. We can't make such an implementation of ECDSA_sign_setup() fail, but we make the actual signing fail since we no longer "do the right thing". ok jsing
* Make extended ECDSA signing routines internaltb2023-07-282-15/+13
| | | | | | | | | | | | | | | | | | ECDSA_sign_setup() permits precomputing the values of the inverse of the random k and the corresponding r. These can then be fed into the signing routines ECDSA_{do_,}sign_ex() multiple times if needed. This is not a great idea and the interface adds a lot of unwanted complexity. Not to mention that nothing ever used this correctly - if s works out to 0, a special error code is thrown requesting that the caller provide new kinv and r values. Unsurprisingly, nobody ever checked for that special error code. ok jsing This commit marks the start of a libcrypto major bump. Do not build the tree until I bumped the shlib_version and synced file sets (in about 35 commits).
* Rename EC_KEY from r to key like in the rest of the filetb2023-07-101-4/+4
|
* Hide symbols in hkdf, evp, err, ecdsa, and ecbeck2023-07-073-3/+27
| | | | | | (part 2 of commit) ok jsing@
* Mop up last uses of ECDHerror() and ECDSAerror()tb2023-07-051-17/+15
| | | | ok jsing
* One more ECDSAerror goes.tb2023-07-051-2/+2
|
* ECDHerror() and ECDSAerror will go awaytb2023-07-051-37/+37
| | | | | | Move some trivial ones to ECerror(). discussed with jsing
* Drop an incorrect part from a commenttb2023-07-051-2/+2
|
* Missing . in commenttb2023-07-051-2/+2
|
* Fix #includestb2023-07-051-2/+6
|
* Remove local prototypes for public API (?!)tb2023-07-051-6/+1
|
* Improve BN_bn2bin() error check for readabilitytb2023-07-051-2/+2
|
* Move ECDSA_size() to a more sensible place in this filetb2023-07-051-28/+28
|
* Merge ECDSA code that will stay into ecdsa.ctb2023-07-052-157/+95
| | | | discussed with jsing
* Rename ecs_local.h into ecdsa_local.htb2023-07-054-7/+7
|
* Make variables in prototypes match function declarationstb2023-07-051-6/+6
|
* Drop useless ossl_ prefixestb2023-07-053-15/+14
| | | | discussed with jsing
* Avoid outputting invalid signaturestb2023-07-041-1/+11
| | | | | | | | | | | | The caller can provide an r which will be added to the ECDSA_SIG unchecked. This can happen via ECDSA_{,do_}sign_ex() or ECDSA_sign_setup() or else via a custom sign_sig() handler. Therefore add a check that it is in the bounds required. Since k was long thrown away, there's no way to check kinv, so it needs to be trusted. Misdesigned APIs that will output garbage everywhere... ok jsing
* Clean up ECDSA verificationtb2023-07-041-14/+29
| | | | | | | | Use variable names that correspond more closely to the standard. Use an additional variable for s^-1 for readability. Annotate the code with the corresponding steps from FIPS 186-5. ok jsing
* ECDSA signing: annotate code with steps corresponding to FIPS 185-6.tb2023-07-041-3/+25
| | | | ok jsing
* Extract private key and group order in s computationtb2023-07-041-19/+18
| | | | | | | This pushes a few variables no longer needed in ossl_ecdsa_sign_sig() into ecdsa_compute_s() separating API logic and pure computation a bit more. ok beck
* Use key for the EC_KEY everywheretb2023-07-041-39/+38
|
* Some more consistency in variable namestb2023-07-041-15/+15
|
* Normalize ECDSA_SIG to be sig everywheretb2023-07-041-11/+11
|
* Normalize on digest and digest_len rather than dgst dlen dgstlen, etc.tb2023-07-041-28/+34
|
* Rework ecdsa_prepare_digest()tb2023-07-041-35/+35
| | | | | | | | Make it take an EC_KEY instead of a group order in preparation for further cleanup. Rename m into e to match the standard better. Also buy some vowels for jsing. ok beck jsing
* Factor the computation of ECDSA s into a functiontb2023-07-041-69/+88
| | | | | | | | ossl_ecdsa_sign_sig() is already complicated enough. The math bit is entirely self contained and does not need to obfuscate control flow and logic. with feedback from and ok jsing
* sign_sig: drop ckinvtb2023-07-031-5/+7
| | | | | | | | The only reason ckinv exists is to be able to avoid a copy. This copy leaks some timing info, that will be mitigated in a subsequent step. It is an unused or at least uncommonly used codepath. ok jsing
* Rework the logic in ECDSA sign_sig()tb2023-07-031-24/+30
| | | | | | | | | | | If the caller supplied both kinv and r, we don't loop but rather throw an undocumented error code that no one uses, which is intended to tell the caller to run ECDSA_sign_setup() and try again. Use a boolean that indicates this situation so that the logic becomes a bit more transparent. ok jsing
* sign_sig: test on assignmenttb2023-07-031-5/+6
|
* sign_setup: split another check into twotb2023-07-031-2/+6
|
* Split range checks for ECDSA r and ECDSA stb2023-07-031-3/+8
| | | | requested by jsing
* Switch a couple of test from ucmp to cmptb2023-07-031-4/+4
| | | | | | | | This is confusing, as both sides involved should be unsigned. The ec code is undecided on whether the group order can be negative. It should never be, so lets see what happen with this slightly stricter check. discussed with jsing
* ossl_ecdsa_verify_sig(): simplify range checkstb2023-07-031-6/+4
| | | | | | | The checks whether r and s lie in the interval [1, order) were a bit uglier than necessary. Clean this up. ok beck jsing
* List variables in a somewhat more sensible ordertb2023-07-031-4/+4
|
* In ossl_ecdsa_verify_sig() use BN_CTX more idiomaticallytb2023-07-031-8/+10
| | | | ok beck jsing
* Split a bunch of unrelated checkstb2023-07-031-3/+10
| | | | ok beck jsing
* Make ossl_ecdsa_verify_sig() single exittb2023-07-031-4/+4
| | | | ok beck jsing
* Switch ossl_ecdsa_verify() to timingsafe_memcmp()tb2023-07-031-2/+2
| | | | Requested by jsing
* Streamline ossl_ecdsa_verify()tb2023-07-031-7/+13
| | | | | | | Make it single exit and use API more idiomatically and some other cosmetics. ok beck jsing
* Switch ECDSA code to using EC_GROUP_get0_order()tb2023-07-031-25/+17
| | | | ok jsing
* Another empty line did not want to go intb2023-07-031-1/+2
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-26 12:33:29 +0000