History log of /openbsd-src/lib/libcrypto/ecdsa/ecdsa.c (Results 1 – 19 of 19)
Revision Date Author Comments
# 6454157e 15-Apr-2024 tb <tb@openbsd.org>

And here go {,EC}DSA_SIG_it

ok jsing


# 34663717 08-Aug-2023 tb <tb@openbsd.org>

Remove ECDSA nonce padding kludge

This was a workaround due to the historically non-constant time scalar
multiplication in the EC code. Since Brumley and Tuveri implemented the
Montgomery ladder, this is no longer useful and should have been removed
a long time ago, as it now does more harm than good.

Keep the preallocations as they still help hiding some timing info.

ok jsing


# 12347e81 03-Aug-2023 tb <tb@openbsd.org>

Make the bn_rand_interval() API a bit more ergonomic

Provide bn_rand_in_range() which is a slightly tweaked version of what was
previously called bn_rand_range().

The way bn_rand_range() is called in libcrypto, the lower bound is always
expressible as a word. In fact, most of the time it is 1, the DH code uses
a 2, the MR tests in BPSW use 3 and an exceptionally high number appears in
the Tonelli-Shanks implementation where we use 32. Converting these lower
bounds to BIGNUMs on the call site is annoying so let bn_rand_interval()
do that internally and route that through bn_rand_in_range(). This way we
can avoid using BN_sub_word().

Adjust the bn_isqrt() test to use bn_rand_in_range() since that's the
only caller that uses actual BIGNUMs as lower bounds.

ok jsing


# 91b97d20 28-Jul-2023 tb <tb@openbsd.org>

Remove some unneeded includes from ecdsa.h


# 218661de 28-Jul-2023 tb <tb@openbsd.org>

Place public ECDSA API next to the internal methods

It is hard to remember that ECDSA_do_{sign,verify}() call ecdsa_sign_sig().
Especially since the distinction to ECDSA_{sign,verify}() isn't clear from
the names. To add to the confusion, the public API is ordered differently
than the methods they call. So in this case it seems tidier to place the
public API next to the methods.

ok jsing


# 29f18d75 28-Jul-2023 tb <tb@openbsd.org>

Remove ECDSA_{do_,}sign_ex()

There is no reason to keep these. It is cleaner to keep ECDSA_sign_setup()
but remove the logic for passed-in kinv and r.

Refuse to cooperate as far as possible. Someone could still implement
their own versions of ECDSA_{do_,}_sign_ex() and ECDSA_sign_setup() by
leveraging EC_KEY_METHOD_get_sign() and building their own wrappers.
We can't make such an implementation of ECDSA_sign_setup() fail, but we
make the actual signing fail since we no longer "do the right thing".

ok jsing


# 5fa15055 28-Jul-2023 tb <tb@openbsd.org>

Make extended ECDSA signing routines internal

ECDSA_sign_setup() permits precomputing the values of the inverse of the
random k and the corresponding r. These can then be fed into the signing
routines ECDSA_{do_,}sign_ex() multiple times if needed. This is not a
great idea and the interface adds a lot of unwanted complexity.

Not to mention that nothing ever used this correctly - if s works out to
0, a special error code is thrown requesting that the caller provide new
kinv and r values. Unsurprisingly, nobody ever checked for that special
error code.

ok jsing

This commit marks the start of a libcrypto major bump. Do not build the
tree until I bumped the shlib_version and synced file sets (in about 35
commits).


# e8c98450 10-Jul-2023 tb <tb@openbsd.org>

Rename EC_KEY from r to key like in the rest of the file


# ea2baf45 07-Jul-2023 beck <beck@openbsd.org>

Hide symbols in hkdf, evp, err, ecdsa, and ec

(part 2 of commit)

ok jsing@


# 1c55417b 05-Jul-2023 tb <tb@openbsd.org>

Mop up last uses of ECDHerror() and ECDSAerror()

ok jsing


# 70458be1 05-Jul-2023 tb <tb@openbsd.org>

One more ECDSAerror goes.


# 4f33f08f 05-Jul-2023 tb <tb@openbsd.org>

ECDHerror() and ECDSAerror will go away

Move some trivial ones to ECerror().

discussed with jsing


# 682ba1ec 05-Jul-2023 tb <tb@openbsd.org>

Drop an incorrect part from a comment


# 2979b3a0 05-Jul-2023 tb <tb@openbsd.org>

Missing . in comment


# 5e179de8 05-Jul-2023 tb <tb@openbsd.org>

Fix #includes


# 7dc32419 05-Jul-2023 tb <tb@openbsd.org>

Remove local prototypes for public API (?!)


# bd6cba7c 05-Jul-2023 tb <tb@openbsd.org>

Improve BN_bn2bin() error check for readability


# c0ee283e 05-Jul-2023 tb <tb@openbsd.org>

Move ECDSA_size() to a more sensible place in this file


# b4a65d29 05-Jul-2023 tb <tb@openbsd.org>

Merge ECDSA code that will stay into ecdsa.c

discussed with jsing