authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-06-19 09:25:56 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-06-19 09:25:56 +0000
commit018c4950b9406055dec02ef0fb52f132e2bb1e2c (patch)
treea835ebdf2088ef88fa681f8fad45f09922c1ae9a /vendor/ecdsa
parentAdding debian version 1.75.0+dfsg1-5. (diff)
Merging upstream version 1.76.0+dfsg1.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'vendor/ecdsa')
-rw-r--r--vendor/ecdsa/.cargo-checksum.json2
-rw-r--r--vendor/ecdsa/CHANGELOG.md17
-rw-r--r--vendor/ecdsa/Cargo.toml8
-rw-r--r--vendor/ecdsa/src/hazmat.rs146
-rw-r--r--vendor/ecdsa/src/lib.rs46
-rw-r--r--vendor/ecdsa/src/normalized.rs11
6 files changed, 158 insertions, 72 deletions
diff --git a/vendor/ecdsa/.cargo-checksum.json b/vendor/ecdsa/.cargo-checksum.json
index 0bb212096..640ce7fcc 100644
--- a/vendor/ecdsa/.cargo-checksum.json
+++ b/vendor/ecdsa/.cargo-checksum.json
@@ -1 +1 @@
-{"files":{"CHANGELOG.md":"4279491bdaea14ba337058cfa381685d13f79cf38e806e8dfb3acb969f29d204","Cargo.toml":"c202563302268fd4423282cac188151281fe6b20baba52231bd62648e5fc6a1d","LICENSE-APACHE":"78779d420019e6b4630376af8e86b6b335ee8a2f89ede6e0411e0469a326aaa4","LICENSE-MIT":"bdebaf9156a298f8fdab56dd26cb5144673de522d80f4c0d88e0039145f147f9","README.md":"f99485065d3d5541ef1814ea8d3f75718f08cb78eb5626f9d34941799655b4b9","src/der.rs":"12d336b65d1a9d45a44809746c572084d512812e4a8baad23158127a67c583b6","src/dev.rs":"75d56ac79f04efc018b37eca752c7861579772a758cac94874ccf85aa880602a","src/hazmat.rs":"6d888d3389ac9d0431beed24b865260f0554271cdbb9aa24a6ca9341717fdfc7","src/lib.rs":"83449168dc7e3c9777291900b1c8e470d9c9701a705091a1a9aa3ff0862dacbe","src/recovery.rs":"41141f9f4ffbd155c5167fbe749299496077c55e6b64ed83f65ced1372205623","src/signing.rs":"11842af046b43fe53add72a7fdc78a9555a1dbc37fe6bb0d1139e8b25491538f","src/verifying.rs":"c7441025d4ddcfce2c7701813d84c032364da4bd38bd28895a75d09eaca53ee3","tests/lib.rs":"68922b3fb793f7f64a6fdf8aa59b6fb9432d4706d7ad1d82129a8337c5cf6568"},"package":"0997c976637b606099b9985693efa3581e84e41f5c11ba5255f88711058ad428"} \ No newline at end of file
+{"files":{"CHANGELOG.md":"a6b49a96975d94d85d698369e5e1fc3cea7022c381c0ebe741efcc7a2879ba3c","Cargo.toml":"a1e1f54de247dd373355a433e3f45c657ea9a127a56154efc285a05b0a82ef52","LICENSE-APACHE":"78779d420019e6b4630376af8e86b6b335ee8a2f89ede6e0411e0469a326aaa4","LICENSE-MIT":"bdebaf9156a298f8fdab56dd26cb5144673de522d80f4c0d88e0039145f147f9","README.md":"f99485065d3d5541ef1814ea8d3f75718f08cb78eb5626f9d34941799655b4b9","src/der.rs":"12d336b65d1a9d45a44809746c572084d512812e4a8baad23158127a67c583b6","src/dev.rs":"75d56ac79f04efc018b37eca752c7861579772a758cac94874ccf85aa880602a","src/hazmat.rs":"230f3b337e826188825f76eb26ffc2fa19ce8b2bd45cc7b80f87c34f33cfe13d","src/lib.rs":"aeda83d19f5088920a814f9331f45fd0f1026e18bae384ebfaaaeb00b814cb47","src/normalized.rs":"57d6f3c00fa603a42b6351d29f4cb4a101b79277b3217c2bfa963f289fc475c9","src/recovery.rs":"41141f9f4ffbd155c5167fbe749299496077c55e6b64ed83f65ced1372205623","src/signing.rs":"11842af046b43fe53add72a7fdc78a9555a1dbc37fe6bb0d1139e8b25491538f","src/verifying.rs":"c7441025d4ddcfce2c7701813d84c032364da4bd38bd28895a75d09eaca53ee3","tests/lib.rs":"68922b3fb793f7f64a6fdf8aa59b6fb9432d4706d7ad1d82129a8337c5cf6568"},"package":"ee27f32b5c5292967d2d4a9d7f1e0b0aed2c15daded5a60300e4abb9d8020bca"} \ No newline at end of file
diff --git a/vendor/ecdsa/CHANGELOG.md b/vendor/ecdsa/CHANGELOG.md
index 675eecc2a..77609d8f6 100644
--- a/vendor/ecdsa/CHANGELOG.md
+++ b/vendor/ecdsa/CHANGELOG.md
@@ -4,8 +4,23 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
-## 0.16.7 (2023-05-11)
+## 0.16.9 (2023-11-16)
+### Changed
+- Loosen `signature` bound to `2.0, <2.3` ([#756])
+
+[#756]: https://github.com/RustCrypto/signatures/pull/756
+
+## 0.16.8 (2023-07-20)
+### Added
+- `hazmat::{sign_prehashed, verify_prehashed}` ([#731])
+### Changed
+- Refactor `Signature` constructors and improve docs ([#730])
+
+[#730]: https://github.com/RustCrypto/signatures/pull/730
+[#731]: https://github.com/RustCrypto/signatures/pull/731
+
+## 0.16.7 (2023-05-11)
### Added
- RFC5480 citation for `der::Signature` ([#710])
- support for the `SignatureBitStringEncoding` trait ([#716])
diff --git a/vendor/ecdsa/Cargo.toml b/vendor/ecdsa/Cargo.toml
index 6e0c75aba..482299de2 100644
--- a/vendor/ecdsa/Cargo.toml
+++ b/vendor/ecdsa/Cargo.toml
@@ -13,7 +13,7 @@
edition = "2021"
rust-version = "1.65"
name = "ecdsa"
-version = "0.16.7"
+version = "0.16.9"
authors = ["RustCrypto Developers"]
description = """
Pure Rust implementation of the Elliptic Curve Digital Signature Algorithm
@@ -47,13 +47,13 @@ version = "0.7"
optional = true
[dependencies.digest]
-version = "0.10.6"
+version = "0.10.7"
features = ["oid"]
optional = true
default-features = false
[dependencies.elliptic-curve]
-version = "0.13.4"
+version = "0.13.6"
features = [
"digest",
"sec1",
@@ -77,7 +77,7 @@ optional = true
default-features = false
[dependencies.signature]
-version = "2.0, <2.2"
+version = "2.0, <2.3"
features = ["rand_core"]
default-features = false
diff --git a/vendor/ecdsa/src/hazmat.rs b/vendor/ecdsa/src/hazmat.rs
index 6e59f2e2e..0f7ddbf2a 100644
--- a/vendor/ecdsa/src/hazmat.rs
+++ b/vendor/ecdsa/src/hazmat.rs
@@ -18,7 +18,7 @@ use elliptic_curve::{generic_array::typenum::Unsigned, FieldBytes, PrimeCurve};
use {
crate::{RecoveryId, SignatureSize},
elliptic_curve::{
- ff::PrimeField,
+ ff::{Field, PrimeField},
group::{Curve as _, Group},
ops::{Invert, LinearCombination, MulByGenerator, Reduce},
point::AffineCoordinates,
@@ -56,7 +56,7 @@ pub trait SignPrimitive<C>:
+ Reduce<C::Uint, Bytes = FieldBytes<C>>
+ Sized
where
- C: PrimeCurve + CurveArithmetic + CurveArithmetic<Scalar = Self>,
+ C: PrimeCurve + CurveArithmetic<Scalar = Self>,
SignatureSize<C>: ArrayLength<u8>,
{
/// Try to sign the prehashed message.
@@ -71,7 +71,6 @@ where
///
/// ECDSA [`Signature`] and, when possible/desired, a [`RecoveryId`]
/// which can be used to recover the verifying key for a given signature.
- #[allow(non_snake_case)]
fn try_sign_prehashed<K>(
&self,
k: K,
@@ -80,33 +79,7 @@ where
where
K: AsRef<Self> + Invert<Output = CtOption<Self>>,
{
- if k.as_ref().is_zero().into() {
- return Err(Error::new());
- }
-
- let z = <Self as Reduce<C::Uint>>::reduce_bytes(z);
-
- // Compute scalar inversion of 𝑘
- let k_inv = Option::<Scalar<C>>::from(k.invert()).ok_or_else(Error::new)?;
-
- // Compute 𝑹 = 𝑘×𝑮
- let R = ProjectivePoint::<C>::mul_by_generator(k.as_ref()).to_affine();
-
- // Lift x-coordinate of 𝑹 (element of base field) into a serialized big
- // integer, then reduce it into an element of the scalar field
- let r = Self::reduce_bytes(&R.x());
- let x_is_reduced = r.to_repr() != R.x();
-
- // Compute 𝒔 as a signature over 𝒓 and 𝒛.
- let s = k_inv * (z + (r * self));
-
- if s.is_zero().into() {
- return Err(Error::new());
- }
-
- let signature = Signature::from_scalars(r, s)?;
- let recovery_id = RecoveryId::new(R.y_is_odd().into(), x_is_reduced);
- Ok((signature, Some(recovery_id)))
+ sign_prehashed(self, k, z).map(|(sig, recid)| (sig, (Some(recid))))
}
/// Try to sign the given message digest deterministically using the method
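Review bot: The added delegation line wraps the second tuple element in a redundant pair of parentheses, `(sig, (Some(recid)))`, which reads as if something were being grouped; `sign_prehashed(self, k, z).map(|(sig, recid)| (sig, Some(recid)))` is the same expression without the noise. The enclosing `try_sign_prehashed` starts in the previous hunk, so its signature and the `K` bound are outside this one.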
@@ -117,7 +90,7 @@ where
/// - `ad`: optional additional data, e.g. added entropy from an RNG
///
/// [RFC6979]: https://datatracker.ietf.org/doc/html/rfc6979
- #[cfg(all(feature = "rfc6979"))]
+ #[cfg(feature = "rfc6979")]
fn try_sign_prehashed_rfc6979<D>(
&self,
z: &FieldBytes<C>,
@@ -147,10 +120,10 @@ where
#[cfg(feature = "arithmetic")]
pub trait VerifyPrimitive<C>: AffineCoordinates<FieldRepr = FieldBytes<C>> + Copy + Sized
where
- C: PrimeCurve + CurveArithmetic<AffinePoint = Self> + CurveArithmetic,
+ C: PrimeCurve + CurveArithmetic<AffinePoint = Self>,
SignatureSize<C>: ArrayLength<u8>,
{
- /// Verify the prehashed message against the provided signature
+ /// Verify the prehashed message against the provided ECDSA signature.
///
/// Accepts the following arguments:
///
@@ -158,25 +131,7 @@ where
/// CRYPTOGRAPHICALLY SECURE DIGEST ALGORITHM!!!
/// - `sig`: signature to be verified against the key and message
fn verify_prehashed(&self, z: &FieldBytes<C>, sig: &Signature<C>) -> Result<()> {
- let z = Scalar::<C>::reduce_bytes(z);
- let (r, s) = sig.split_scalars();
- let s_inv = *s.invert_vartime();
- let u1 = z * s_inv;
- let u2 = *r * s_inv;
- let x = ProjectivePoint::<C>::lincomb(
- &ProjectivePoint::<C>::generator(),
- &u1,
- &ProjectivePoint::<C>::from(*self),
- &u2,
- )
- .to_affine()
- .x();
-
- if *r == Scalar::<C>::reduce_bytes(&x) {
- Ok(())
- } else {
- Err(Error::new())
- }
+ verify_prehashed(&ProjectivePoint::<C>::from(*self), z, sig)
}
/// Verify message digest against the provided signature.
@@ -250,6 +205,93 @@ pub fn bits2field<C: PrimeCurve>(bits: &[u8]) -> Result<FieldBytes<C>> {
Ok(field_bytes)
}
+/// Sign a prehashed message digest using the provided secret scalar and
+/// ephemeral scalar, returning an ECDSA signature.
+///
+/// Accepts the following arguments:
+///
+/// - `d`: signing key. MUST BE UNIFORMLY RANDOM!!!
+/// - `k`: ephemeral scalar value. MUST BE UNIFORMLY RANDOM!!!
+/// - `z`: message digest to be signed. MUST BE OUTPUT OF A CRYPTOGRAPHICALLY
+/// SECURE DIGEST ALGORITHM!!!
+///
+/// # Returns
+///
+/// ECDSA [`Signature`] and, when possible/desired, a [`RecoveryId`]
+/// which can be used to recover the verifying key for a given signature.
+#[cfg(feature = "arithmetic")]
+#[allow(non_snake_case)]
+pub fn sign_prehashed<C, K>(
+ d: &Scalar<C>,
+ k: K,
+ z: &FieldBytes<C>,
+) -> Result<(Signature<C>, RecoveryId)>
+where
+ C: PrimeCurve + CurveArithmetic,
+ K: AsRef<Scalar<C>> + Invert<Output = CtOption<Scalar<C>>>,
+ SignatureSize<C>: ArrayLength<u8>,
+{
+ // TODO(tarcieri): use `NonZeroScalar<C>` for `k`.
+ if k.as_ref().is_zero().into() {
+ return Err(Error::new());
+ }
+
+ let z = <Scalar<C> as Reduce<C::Uint>>::reduce_bytes(z);
+
+ // Compute scalar inversion of 𝑘
+ let k_inv = Option::<Scalar<C>>::from(k.invert()).ok_or_else(Error::new)?;
+
+ // Compute 𝑹 = 𝑘×𝑮
+ let R = ProjectivePoint::<C>::mul_by_generator(k.as_ref()).to_affine();
+
+ // Lift x-coordinate of 𝑹 (element of base field) into a serialized big
+ // integer, then reduce it into an element of the scalar field
+ let r = Scalar::<C>::reduce_bytes(&R.x());
+ let x_is_reduced = r.to_repr() != R.x();
+
+ // Compute 𝒔 as a signature over 𝒓 and 𝒛.
+ let s = k_inv * (z + (r * d));
+
+ // NOTE: `Signature::from_scalars` checks that both `r` and `s` are non-zero.
+ let signature = Signature::from_scalars(r, s)?;
+ let recovery_id = RecoveryId::new(R.y_is_odd().into(), x_is_reduced);
+ Ok((signature, recovery_id))
+}
+
+/// Verify the prehashed message against the provided ECDSA signature.
+///
+/// Accepts the following arguments:
+///
+/// - `q`: public key with which to verify the signature.
+/// - `z`: message digest to be verified. MUST BE OUTPUT OF A
+/// CRYPTOGRAPHICALLY SECURE DIGEST ALGORITHM!!!
+/// - `sig`: signature to be verified against the key and message.
+#[cfg(feature = "arithmetic")]
+pub fn verify_prehashed<C>(
+ q: &ProjectivePoint<C>,
+ z: &FieldBytes<C>,
+ sig: &Signature<C>,
+) -> Result<()>
+where
+ C: PrimeCurve + CurveArithmetic,
+ SignatureSize<C>: ArrayLength<u8>,
+{
+ let z = Scalar::<C>::reduce_bytes(z);
+ let (r, s) = sig.split_scalars();
+ let s_inv = *s.invert_vartime();
+ let u1 = z * s_inv;
+ let u2 = *r * s_inv;
+ let x = ProjectivePoint::<C>::lincomb(&ProjectivePoint::<C>::generator(), &u1, q, &u2)
+ .to_affine()
+ .x();
+
+ if *r == Scalar::<C>::reduce_bytes(&x) {
+ Ok(())
+ } else {
+ Err(Error::new())
+ }
+}
+
#[cfg(test)]
mod tests {
use super::bits2field;
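Review bot: The `# Returns` section of the new `sign_prehashed` still says "ECDSA [`Signature`] and, when possible/desired, a [`RecoveryId`]", wording carried over from the trait method, but this function's return type is `Result<(Signature<C>, RecoveryId)>`, so the recovery id is always present; suggest `/// ECDSA [`Signature`] together with the [`RecoveryId`] needed to recover the verifying key.`. In `verify_prehashed`, `q` is accepted as a bare `ProjectivePoint<C>` and nothing in the body rejects the identity point or otherwise checks that it is a valid public key, whereas callers going through `VerifyPrimitive` presumably arrive with an already-validated affine point; the doc bullet for `q` should state the precondition, e.g. `/// - `q`: public key with which to verify the signature. MUST be a valid, non-identity curve point; this function performs no validation of it.`. The old in-body `s.is_zero()` check now relies on `Signature::from_scalars`, as the added NOTE says, which is consistent with the `from_scalars` change in `lib.rs`.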
diff --git a/vendor/ecdsa/src/lib.rs b/vendor/ecdsa/src/lib.rs
index 96f1a16e5..a449829b5 100644
--- a/vendor/ecdsa/src/lib.rs
+++ b/vendor/ecdsa/src/lib.rs
@@ -57,6 +57,7 @@
#[cfg(feature = "alloc")]
extern crate alloc;
+mod normalized;
mod recovery;
#[cfg(feature = "der")]
@@ -70,7 +71,7 @@ mod signing;
#[cfg(feature = "verifying")]
mod verifying;
-pub use crate::recovery::RecoveryId;
+pub use crate::{normalized::NormalizedSignature, recovery::RecoveryId};
// Re-export the `elliptic-curve` crate (and select types)
pub use elliptic_curve::{self, sec1::EncodedPoint, PrimeCurve};
@@ -85,7 +86,7 @@ pub use crate::verifying::VerifyingKey;
use core::{fmt, ops::Add};
use elliptic_curve::{
- generic_array::{sequence::Concat, typenum::Unsigned, ArrayLength, GenericArray},
+ generic_array::{typenum::Unsigned, ArrayLength, GenericArray},
FieldBytes, FieldBytesSize, ScalarPrimitive,
};
@@ -176,9 +177,11 @@ pub type SignatureBytes<C> = GenericArray<u8, SignatureSize<C>>;
/// - `r`: field element size for the given curve, big-endian
/// - `s`: field element size for the given curve, big-endian
///
+/// Both `r` and `s` MUST be non-zero.
+///
/// For example, in a curve with a 256-bit modulus like NIST P-256 or
-/// secp256k1, `r` and `s` will both be 32-bytes, resulting in a signature
-/// with a total of 64-bytes.
+/// secp256k1, `r` and `s` will both be 32-bytes and serialized as big endian,
+/// resulting in a signature with a total of 64-bytes.
///
/// ASN.1 DER-encoded signatures also supported via the
/// [`Signature::from_der`] and [`Signature::to_der`] methods.
@@ -202,17 +205,19 @@ where
C: PrimeCurve,
SignatureSize<C>: ArrayLength<u8>,
{
- /// Parse a signature from fixed-with bytes.
+ /// Parse a signature from fixed-width bytes, i.e. 2 * the size of
+ /// [`FieldBytes`] for a particular curve.
+ ///
+ /// # Returns
+ /// - `Ok(signature)` if the `r` and `s` components are both in the valid
+ /// range `1..n` when serialized as concatenated big endian integers.
+ /// - `Err(err)` if the `r` and/or `s` component of the signature is
+ /// out-of-range when interpreted as a big endian integer.
pub fn from_bytes(bytes: &SignatureBytes<C>) -> Result<Self> {
let (r_bytes, s_bytes) = bytes.split_at(C::FieldBytesSize::USIZE);
- let r = ScalarPrimitive::from_slice(r_bytes).map_err(|_| Error::new())?;
- let s = ScalarPrimitive::from_slice(s_bytes).map_err(|_| Error::new())?;
-
- if r.is_zero().into() || s.is_zero().into() {
- return Err(Error::new());
- }
-
- Ok(Self { r, s })
+ let r = FieldBytes::<C>::clone_from_slice(r_bytes);
+ let s = FieldBytes::<C>::clone_from_slice(s_bytes);
+ Self::from_scalars(r, s)
}
/// Parse a signature from a byte slice.
@@ -236,8 +241,21 @@ where
/// Create a [`Signature`] from the serialized `r` and `s` scalar values
/// which comprise the signature.
+ ///
+ /// # Returns
+ /// - `Ok(signature)` if the `r` and `s` components are both in the valid
+ /// range `1..n` when serialized as concatenated big endian integers.
+ /// - `Err(err)` if the `r` and/or `s` component of the signature is
+ /// out-of-range when interpreted as a big endian integer.
pub fn from_scalars(r: impl Into<FieldBytes<C>>, s: impl Into<FieldBytes<C>>) -> Result<Self> {
- Self::try_from(r.into().concat(s.into()).as_slice())
+ let r = ScalarPrimitive::from_slice(&r.into()).map_err(|_| Error::new())?;
+ let s = ScalarPrimitive::from_slice(&s.into()).map_err(|_| Error::new())?;
+
+ if r.is_zero().into() || s.is_zero().into() {
+ return Err(Error::new());
+ }
+
+ Ok(Self { r, s })
}
/// Split the signature into its `r` and `s` components, represented as bytes.
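Review bot: The new `# Returns` doc on `from_scalars` says the components must be in range "when serialized as concatenated big endian integers", but this constructor takes `r` and `s` as two separate `FieldBytes<C>` values and never concatenates them; the sentence was copied from `from_bytes`, where it does apply. Suggest `/// range `1..n` when interpreted as big endian integers.` for this function.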
diff --git a/vendor/ecdsa/src/normalized.rs b/vendor/ecdsa/src/normalized.rs
new file mode 100644
index 000000000..6a66a4b74
--- /dev/null
+++ b/vendor/ecdsa/src/normalized.rs
@@ -0,0 +1,11 @@
+//! Support for ECDSA signatures with low-S normalization.
+
+use crate::Signature;
+use elliptic_curve::PrimeCurve;
+
+/// ECDSA signature with low-S normalization applied.
+#[derive(Clone, Eq, PartialEq)]
+#[repr(transparent)]
+pub struct NormalizedSignature<C: PrimeCurve> {
+ inner: Signature<C>,
+}