diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-06-19 09:25:56 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-06-19 09:25:56 +0000 |
commit | 018c4950b9406055dec02ef0fb52f132e2bb1e2c (patch) | |
tree | a835ebdf2088ef88fa681f8fad45f09922c1ae9a /vendor/ecdsa | |
parent | Adding debian version 1.75.0+dfsg1-5. (diff) | |
download | rustc-018c4950b9406055dec02ef0fb52f132e2bb1e2c.tar.xz rustc-018c4950b9406055dec02ef0fb52f132e2bb1e2c.zip |
Merging upstream version 1.76.0+dfsg1.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'vendor/ecdsa')
-rw-r--r-- | vendor/ecdsa/.cargo-checksum.json | 2 | ||||
-rw-r--r-- | vendor/ecdsa/CHANGELOG.md | 17 | ||||
-rw-r--r-- | vendor/ecdsa/Cargo.toml | 8 | ||||
-rw-r--r-- | vendor/ecdsa/src/hazmat.rs | 146 | ||||
-rw-r--r-- | vendor/ecdsa/src/lib.rs | 46 | ||||
-rw-r--r-- | vendor/ecdsa/src/normalized.rs | 11 |
6 files changed, 158 insertions, 72 deletions
diff --git a/vendor/ecdsa/.cargo-checksum.json b/vendor/ecdsa/.cargo-checksum.json index 0bb212096..640ce7fcc 100644 --- a/vendor/ecdsa/.cargo-checksum.json +++ b/vendor/ecdsa/.cargo-checksum.json @@ -1 +1 @@ -{"files":{"CHANGELOG.md":"4279491bdaea14ba337058cfa381685d13f79cf38e806e8dfb3acb969f29d204","Cargo.toml":"c202563302268fd4423282cac188151281fe6b20baba52231bd62648e5fc6a1d","LICENSE-APACHE":"78779d420019e6b4630376af8e86b6b335ee8a2f89ede6e0411e0469a326aaa4","LICENSE-MIT":"bdebaf9156a298f8fdab56dd26cb5144673de522d80f4c0d88e0039145f147f9","README.md":"f99485065d3d5541ef1814ea8d3f75718f08cb78eb5626f9d34941799655b4b9","src/der.rs":"12d336b65d1a9d45a44809746c572084d512812e4a8baad23158127a67c583b6","src/dev.rs":"75d56ac79f04efc018b37eca752c7861579772a758cac94874ccf85aa880602a","src/hazmat.rs":"6d888d3389ac9d0431beed24b865260f0554271cdbb9aa24a6ca9341717fdfc7","src/lib.rs":"83449168dc7e3c9777291900b1c8e470d9c9701a705091a1a9aa3ff0862dacbe","src/recovery.rs":"41141f9f4ffbd155c5167fbe749299496077c55e6b64ed83f65ced1372205623","src/signing.rs":"11842af046b43fe53add72a7fdc78a9555a1dbc37fe6bb0d1139e8b25491538f","src/verifying.rs":"c7441025d4ddcfce2c7701813d84c032364da4bd38bd28895a75d09eaca53ee3","tests/lib.rs":"68922b3fb793f7f64a6fdf8aa59b6fb9432d4706d7ad1d82129a8337c5cf6568"},"package":"0997c976637b606099b9985693efa3581e84e41f5c11ba5255f88711058ad428"}
\ No newline at end of file +{"files":{"CHANGELOG.md":"a6b49a96975d94d85d698369e5e1fc3cea7022c381c0ebe741efcc7a2879ba3c","Cargo.toml":"a1e1f54de247dd373355a433e3f45c657ea9a127a56154efc285a05b0a82ef52","LICENSE-APACHE":"78779d420019e6b4630376af8e86b6b335ee8a2f89ede6e0411e0469a326aaa4","LICENSE-MIT":"bdebaf9156a298f8fdab56dd26cb5144673de522d80f4c0d88e0039145f147f9","README.md":"f99485065d3d5541ef1814ea8d3f75718f08cb78eb5626f9d34941799655b4b9","src/der.rs":"12d336b65d1a9d45a44809746c572084d512812e4a8baad23158127a67c583b6","src/dev.rs":"75d56ac79f04efc018b37eca752c7861579772a758cac94874ccf85aa880602a","src/hazmat.rs":"230f3b337e826188825f76eb26ffc2fa19ce8b2bd45cc7b80f87c34f33cfe13d","src/lib.rs":"aeda83d19f5088920a814f9331f45fd0f1026e18bae384ebfaaaeb00b814cb47","src/normalized.rs":"57d6f3c00fa603a42b6351d29f4cb4a101b79277b3217c2bfa963f289fc475c9","src/recovery.rs":"41141f9f4ffbd155c5167fbe749299496077c55e6b64ed83f65ced1372205623","src/signing.rs":"11842af046b43fe53add72a7fdc78a9555a1dbc37fe6bb0d1139e8b25491538f","src/verifying.rs":"c7441025d4ddcfce2c7701813d84c032364da4bd38bd28895a75d09eaca53ee3","tests/lib.rs":"68922b3fb793f7f64a6fdf8aa59b6fb9432d4706d7ad1d82129a8337c5cf6568"},"package":"ee27f32b5c5292967d2d4a9d7f1e0b0aed2c15daded5a60300e4abb9d8020bca"}
\ No newline at end of file diff --git a/vendor/ecdsa/CHANGELOG.md b/vendor/ecdsa/CHANGELOG.md index 675eecc2a..77609d8f6 100644 --- a/vendor/ecdsa/CHANGELOG.md +++ b/vendor/ecdsa/CHANGELOG.md @@ -4,8 +4,23 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -## 0.16.7 (2023-05-11) +## 0.16.9 (2023-11-16) +### Changed +- Loosen `signature` bound to `2.0, <2.3` ([#756]) + +[#756]: https://github.com/RustCrypto/signatures/pull/756 + +## 0.16.8 (2023-07-20) +### Added +- `hazmat::{sign_prehashed, verify_prehashed}` ([#731]) +### Changed +- Refactor `Signature` constructors and improve docs ([#730]) + +[#730]: https://github.com/RustCrypto/signatures/pull/730 +[#731]: https://github.com/RustCrypto/signatures/pull/731 + +## 0.16.7 (2023-05-11) ### Added - RFC5480 citation for `der::Signature` ([#710]) - support for the `SignatureBitStringEncoding` trait ([#716]) diff --git a/vendor/ecdsa/Cargo.toml b/vendor/ecdsa/Cargo.toml index 6e0c75aba..482299de2 100644 --- a/vendor/ecdsa/Cargo.toml +++ b/vendor/ecdsa/Cargo.toml @@ -13,7 +13,7 @@ edition = "2021" rust-version = "1.65" name = "ecdsa" -version = "0.16.7" +version = "0.16.9" authors = ["RustCrypto Developers"] description = """ Pure Rust implementation of the Elliptic Curve Digital Signature Algorithm @@ -47,13 +47,13 @@ version = "0.7" optional = true [dependencies.digest] -version = "0.10.6" +version = "0.10.7" features = ["oid"] optional = true default-features = false [dependencies.elliptic-curve] -version = "0.13.4" +version = "0.13.6" features = [ "digest", "sec1", @@ -77,7 +77,7 @@ optional = true default-features = false [dependencies.signature] -version = "2.0, <2.2" +version = "2.0, <2.3" features = ["rand_core"] default-features = false diff --git a/vendor/ecdsa/src/hazmat.rs b/vendor/ecdsa/src/hazmat.rs index 6e59f2e2e..0f7ddbf2a 100644 --- a/vendor/ecdsa/src/hazmat.rs +++ b/vendor/ecdsa/src/hazmat.rs @@ -18,7 +18,7 @@ use elliptic_curve::{generic_array::typenum::Unsigned, FieldBytes, PrimeCurve}; use { crate::{RecoveryId, SignatureSize}, elliptic_curve::{ - ff::PrimeField, + ff::{Field, PrimeField}, group::{Curve as _, Group}, ops::{Invert, LinearCombination, MulByGenerator, Reduce}, point::AffineCoordinates, @@ -56,7 +56,7 @@ pub trait SignPrimitive<C>: + Reduce<C::Uint, Bytes = FieldBytes<C>> + Sized where - C: PrimeCurve + CurveArithmetic + CurveArithmetic<Scalar = Self>, + C: PrimeCurve + CurveArithmetic<Scalar = Self>, SignatureSize<C>: ArrayLength<u8>, { /// Try to sign the prehashed message. @@ -71,7 +71,6 @@ where /// /// ECDSA [`Signature`] and, when possible/desired, a [`RecoveryId`] /// which can be used to recover the verifying key for a given signature. - #[allow(non_snake_case)] fn try_sign_prehashed<K>( &self, k: K, @@ -80,33 +79,7 @@ where where K: AsRef<Self> + Invert<Output = CtOption<Self>>, { - if k.as_ref().is_zero().into() { - return Err(Error::new()); - } - - let z = <Self as Reduce<C::Uint>>::reduce_bytes(z); - - // Compute scalar inversion of 𝑘 - let k_inv = Option::<Scalar<C>>::from(k.invert()).ok_or_else(Error::new)?; - - // Compute 𝑹 = 𝑘×𝑮 - let R = ProjectivePoint::<C>::mul_by_generator(k.as_ref()).to_affine(); - - // Lift x-coordinate of 𝑹 (element of base field) into a serialized big - // integer, then reduce it into an element of the scalar field - let r = Self::reduce_bytes(&R.x()); - let x_is_reduced = r.to_repr() != R.x(); - - // Compute 𝒔 as a signature over 𝒓 and 𝒛. - let s = k_inv * (z + (r * self)); - - if s.is_zero().into() { - return Err(Error::new()); - } - - let signature = Signature::from_scalars(r, s)?; - let recovery_id = RecoveryId::new(R.y_is_odd().into(), x_is_reduced); - Ok((signature, Some(recovery_id))) + sign_prehashed(self, k, z).map(|(sig, recid)| (sig, (Some(recid)))) } /// Try to sign the given message digest deterministically using the method @@ -117,7 +90,7 @@ where /// - `ad`: optional additional data, e.g. added entropy from an RNG /// /// [RFC6979]: https://datatracker.ietf.org/doc/html/rfc6979 - #[cfg(all(feature = "rfc6979"))] + #[cfg(feature = "rfc6979")] fn try_sign_prehashed_rfc6979<D>( &self, z: &FieldBytes<C>, @@ -147,10 +120,10 @@ where #[cfg(feature = "arithmetic")] pub trait VerifyPrimitive<C>: AffineCoordinates<FieldRepr = FieldBytes<C>> + Copy + Sized where - C: PrimeCurve + CurveArithmetic<AffinePoint = Self> + CurveArithmetic, + C: PrimeCurve + CurveArithmetic<AffinePoint = Self>, SignatureSize<C>: ArrayLength<u8>, { - /// Verify the prehashed message against the provided signature + /// Verify the prehashed message against the provided ECDSA signature. /// /// Accepts the following arguments: /// @@ -158,25 +131,7 @@ where /// CRYPTOGRAPHICALLY SECURE DIGEST ALGORITHM!!! /// - `sig`: signature to be verified against the key and message fn verify_prehashed(&self, z: &FieldBytes<C>, sig: &Signature<C>) -> Result<()> { - let z = Scalar::<C>::reduce_bytes(z); - let (r, s) = sig.split_scalars(); - let s_inv = *s.invert_vartime(); - let u1 = z * s_inv; - let u2 = *r * s_inv; - let x = ProjectivePoint::<C>::lincomb( - &ProjectivePoint::<C>::generator(), - &u1, - &ProjectivePoint::<C>::from(*self), - &u2, - ) - .to_affine() - .x(); - - if *r == Scalar::<C>::reduce_bytes(&x) { - Ok(()) - } else { - Err(Error::new()) - } + verify_prehashed(&ProjectivePoint::<C>::from(*self), z, sig) } /// Verify message digest against the provided signature. @@ -250,6 +205,93 @@ pub fn bits2field<C: PrimeCurve>(bits: &[u8]) -> Result<FieldBytes<C>> { Ok(field_bytes) } +/// Sign a prehashed message digest using the provided secret scalar and +/// ephemeral scalar, returning an ECDSA signature. +/// +/// Accepts the following arguments: +/// +/// - `d`: signing key. MUST BE UNIFORMLY RANDOM!!! +/// - `k`: ephemeral scalar value. MUST BE UNIFORMLY RANDOM!!! +/// - `z`: message digest to be signed. MUST BE OUTPUT OF A CRYPTOGRAPHICALLY +/// SECURE DIGEST ALGORITHM!!! +/// +/// # Returns +/// +/// ECDSA [`Signature`] and, when possible/desired, a [`RecoveryId`] +/// which can be used to recover the verifying key for a given signature. +#[cfg(feature = "arithmetic")] +#[allow(non_snake_case)] +pub fn sign_prehashed<C, K>( + d: &Scalar<C>, + k: K, + z: &FieldBytes<C>, +) -> Result<(Signature<C>, RecoveryId)> +where + C: PrimeCurve + CurveArithmetic, + K: AsRef<Scalar<C>> + Invert<Output = CtOption<Scalar<C>>>, + SignatureSize<C>: ArrayLength<u8>, +{ + // TODO(tarcieri): use `NonZeroScalar<C>` for `k`. + if k.as_ref().is_zero().into() { + return Err(Error::new()); + } + + let z = <Scalar<C> as Reduce<C::Uint>>::reduce_bytes(z); + + // Compute scalar inversion of 𝑘 + let k_inv = Option::<Scalar<C>>::from(k.invert()).ok_or_else(Error::new)?; + + // Compute 𝑹 = 𝑘×𝑮 + let R = ProjectivePoint::<C>::mul_by_generator(k.as_ref()).to_affine(); + + // Lift x-coordinate of 𝑹 (element of base field) into a serialized big + // integer, then reduce it into an element of the scalar field + let r = Scalar::<C>::reduce_bytes(&R.x()); + let x_is_reduced = r.to_repr() != R.x(); + + // Compute 𝒔 as a signature over 𝒓 and 𝒛. + let s = k_inv * (z + (r * d)); + + // NOTE: `Signature::from_scalars` checks that both `r` and `s` are non-zero. + let signature = Signature::from_scalars(r, s)?; + let recovery_id = RecoveryId::new(R.y_is_odd().into(), x_is_reduced); + Ok((signature, recovery_id)) +} + +/// Verify the prehashed message against the provided ECDSA signature. +/// +/// Accepts the following arguments: +/// +/// - `q`: public key with which to verify the signature. +/// - `z`: message digest to be verified. MUST BE OUTPUT OF A +/// CRYPTOGRAPHICALLY SECURE DIGEST ALGORITHM!!! +/// - `sig`: signature to be verified against the key and message. +#[cfg(feature = "arithmetic")] +pub fn verify_prehashed<C>( + q: &ProjectivePoint<C>, + z: &FieldBytes<C>, + sig: &Signature<C>, +) -> Result<()> +where + C: PrimeCurve + CurveArithmetic, + SignatureSize<C>: ArrayLength<u8>, +{ + let z = Scalar::<C>::reduce_bytes(z); + let (r, s) = sig.split_scalars(); + let s_inv = *s.invert_vartime(); + let u1 = z * s_inv; + let u2 = *r * s_inv; + let x = ProjectivePoint::<C>::lincomb(&ProjectivePoint::<C>::generator(), &u1, q, &u2) + .to_affine() + .x(); + + if *r == Scalar::<C>::reduce_bytes(&x) { + Ok(()) + } else { + Err(Error::new()) + } +} + #[cfg(test)] mod tests { use super::bits2field; diff --git a/vendor/ecdsa/src/lib.rs b/vendor/ecdsa/src/lib.rs index 96f1a16e5..a449829b5 100644 --- a/vendor/ecdsa/src/lib.rs +++ b/vendor/ecdsa/src/lib.rs @@ -57,6 +57,7 @@ #[cfg(feature = "alloc")] extern crate alloc; +mod normalized; mod recovery; #[cfg(feature = "der")] @@ -70,7 +71,7 @@ mod signing; #[cfg(feature = "verifying")] mod verifying; -pub use crate::recovery::RecoveryId; +pub use crate::{normalized::NormalizedSignature, recovery::RecoveryId}; // Re-export the `elliptic-curve` crate (and select types) pub use elliptic_curve::{self, sec1::EncodedPoint, PrimeCurve}; @@ -85,7 +86,7 @@ pub use crate::verifying::VerifyingKey; use core::{fmt, ops::Add}; use elliptic_curve::{ - generic_array::{sequence::Concat, typenum::Unsigned, ArrayLength, GenericArray}, + generic_array::{typenum::Unsigned, ArrayLength, GenericArray}, FieldBytes, FieldBytesSize, ScalarPrimitive, }; @@ -176,9 +177,11 @@ pub type SignatureBytes<C> = GenericArray<u8, SignatureSize<C>>; /// - `r`: field element size for the given curve, big-endian /// - `s`: field element size for the given curve, big-endian /// +/// Both `r` and `s` MUST be non-zero. +/// /// For example, in a curve with a 256-bit modulus like NIST P-256 or -/// secp256k1, `r` and `s` will both be 32-bytes, resulting in a signature -/// with a total of 64-bytes. +/// secp256k1, `r` and `s` will both be 32-bytes and serialized as big endian, +/// resulting in a signature with a total of 64-bytes. /// /// ASN.1 DER-encoded signatures also supported via the /// [`Signature::from_der`] and [`Signature::to_der`] methods. @@ -202,17 +205,19 @@ where C: PrimeCurve, SignatureSize<C>: ArrayLength<u8>, { - /// Parse a signature from fixed-with bytes. + /// Parse a signature from fixed-width bytes, i.e. 2 * the size of + /// [`FieldBytes`] for a particular curve. + /// + /// # Returns + /// - `Ok(signature)` if the `r` and `s` components are both in the valid + /// range `1..n` when serialized as concatenated big endian integers. + /// - `Err(err)` if the `r` and/or `s` component of the signature is + /// out-of-range when interpreted as a big endian integer. pub fn from_bytes(bytes: &SignatureBytes<C>) -> Result<Self> { let (r_bytes, s_bytes) = bytes.split_at(C::FieldBytesSize::USIZE); - let r = ScalarPrimitive::from_slice(r_bytes).map_err(|_| Error::new())?; - let s = ScalarPrimitive::from_slice(s_bytes).map_err(|_| Error::new())?; - - if r.is_zero().into() || s.is_zero().into() { - return Err(Error::new()); - } - - Ok(Self { r, s }) + let r = FieldBytes::<C>::clone_from_slice(r_bytes); + let s = FieldBytes::<C>::clone_from_slice(s_bytes); + Self::from_scalars(r, s) } /// Parse a signature from a byte slice. @@ -236,8 +241,21 @@ where /// Create a [`Signature`] from the serialized `r` and `s` scalar values /// which comprise the signature. + /// + /// # Returns + /// - `Ok(signature)` if the `r` and `s` components are both in the valid + /// range `1..n` when serialized as concatenated big endian integers. + /// - `Err(err)` if the `r` and/or `s` component of the signature is + /// out-of-range when interpreted as a big endian integer. pub fn from_scalars(r: impl Into<FieldBytes<C>>, s: impl Into<FieldBytes<C>>) -> Result<Self> { - Self::try_from(r.into().concat(s.into()).as_slice()) + let r = ScalarPrimitive::from_slice(&r.into()).map_err(|_| Error::new())?; + let s = ScalarPrimitive::from_slice(&s.into()).map_err(|_| Error::new())?; + + if r.is_zero().into() || s.is_zero().into() { + return Err(Error::new()); + } + + Ok(Self { r, s }) } /// Split the signature into its `r` and `s` components, represented as bytes. diff --git a/vendor/ecdsa/src/normalized.rs b/vendor/ecdsa/src/normalized.rs new file mode 100644 index 000000000..6a66a4b74 --- /dev/null +++ b/vendor/ecdsa/src/normalized.rs @@ -0,0 +1,11 @@ +//! Support for ECDSA signatures with low-S normalization. + +use crate::Signature; +use elliptic_curve::PrimeCurve; + +/// ECDSA signature with low-S normalization applied. +#[derive(Clone, Eq, PartialEq)] +#[repr(transparent)] +pub struct NormalizedSignature<C: PrimeCurve> { + inner: Signature<C>, +} |