crypto/ecdsa/ecs_ossl.c

4Srgrimes/* crypto/ecdsa/ecs_ossl.c */
4Srgrimes/*
209371Smav * Written by Nils Larsch for the OpenSSL project
4Srgrimes */
4Srgrimes/* ====================================================================
4Srgrimes * Copyright (c) 1998-2004 The OpenSSL Project.  All rights reserved.
4Srgrimes *
4Srgrimes * Redistribution and use in source and binary forms, with or without
4Srgrimes * modification, are permitted provided that the following conditions
4Srgrimes * are met:
4Srgrimes *
4Srgrimes * 1. Redistributions of source code must retain the above copyright
4Srgrimes *    notice, this list of conditions and the following disclaimer.
4Srgrimes *
4Srgrimes * 2. Redistributions in binary form must reproduce the above copyright
4Srgrimes *    notice, this list of conditions and the following disclaimer in
4Srgrimes *    the documentation and/or other materials provided with the
4Srgrimes *    distribution.
4Srgrimes *
4Srgrimes * 3. All advertising materials mentioning features or use of this
4Srgrimes *    software must display the following acknowledgment:
4Srgrimes *    "This product includes software developed by the OpenSSL Project
4Srgrimes *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
4Srgrimes *
4Srgrimes * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
4Srgrimes *    endorse or promote products derived from this software without
4Srgrimes *    prior written permission. For written permission, please contact
4Srgrimes *    openssl-core@OpenSSL.org.
4Srgrimes *
4Srgrimes * 5. Products derived from this software may not be called "OpenSSL"
4Srgrimes *    nor may "OpenSSL" appear in their names without prior written
4Srgrimes *    permission of the OpenSSL Project.
619Srgrimes *
4Srgrimes * 6. Redistributions of any form whatsoever must retain the following
4Srgrimes *    acknowledgment:
115703Sobrien *    "This product includes software developed by the OpenSSL Project
115703Sobrien *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
115703Sobrien *
3185Ssos * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
19173Sbde * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19173Sbde * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
19173Sbde * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
16299Spst * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
89980Sbde * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
71797Speter * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
13228Swollman * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
2056Swollman * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
2056Swollman * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
61994Smsmith * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
74914Sjhb * OF THE POSSIBILITY OF SUCH DAMAGE.
131938Smarcel * ====================================================================
67356Sjhb *
65557Sjasone * This product includes cryptographic software written by Eric Young
2056Swollman * (eay@cryptsoft.com).  This product includes software written by Tim
129876Sphk * Hudson (tjh@cryptsoft.com).
209371Smav *
153384Speter */
191745Smav
15508Sbde#include "ecs_locl.h"
209371Smav#include <openssl/err.h>
209371Smav#include <openssl/obj_mac.h>
15508Sbde#include <openssl/bn.h>
4180Sbde
153666Sjhbstatic ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen,
121986Sjhb		const BIGNUM *, const BIGNUM *, EC_KEY *eckey);
146211Snyanstatic int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
146211Snyan		BIGNUM **rp);
15508Sbdestatic int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
209979Smav		const ECDSA_SIG *sig, EC_KEY *eckey);
209979Smav
209979Smavstatic ECDSA_METHOD openssl_ecdsa_meth = {
47642Sdfr	"OpenSSL ECDSA method",
209979Smav	ecdsa_do_sign,
89980Sbde	ecdsa_sign_setup,
209979Smav	ecdsa_do_verify,
209979Smav#if 0
209979Smav	NULL, /* init     */
146211Snyan	NULL, /* finish   */
209979Smav#endif
61994Smsmith	0,    /* flags    */
89980Sbde	NULL  /* app_data */
4Srgrimes};
71797Speter
112551Smdoddconst ECDSA_METHOD *ECDSA_OpenSSL(void)
50823Smdodd{
50823Smdodd	return &openssl_ecdsa_meth;
47588Sbde}
33690Sphk
209979Smavstatic int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
209979Smav		BIGNUM **rp)
209979Smav{
33690Sphk	BN_CTX   *ctx = NULL;
33690Sphk	BIGNUM	 *k = NULL, *r = NULL, *order = NULL, *X = NULL;
209979Smav	EC_POINT *tmp_point=NULL;
177631Sphk	const EC_GROUP *group;
177631Sphk	int 	 ret = 0;
177631Sphk
212778Smav	if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL)
1390Ssos	{
178193Sphk		ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
128695Sjhb		return 0;
209371Smav	}
209371Smav
128695Sjhb	if (ctx_in == NULL)
33690Sphk	{
17231Sjoerg		if ((ctx = BN_CTX_new()) == NULL)
209371Smav		{
209371Smav			ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_MALLOC_FAILURE);
209927Smav			return 0;
209927Smav		}
209371Smav	}
209979Smav	else
209979Smav		ctx = ctx_in;
209979Smav
209979Smav	k     = BN_new();	/* this value is later returned in *kinvp */
209371Smav	r     = BN_new();	/* this value is later returned in *rp    */
209371Smav	order = BN_new();
209371Smav	X     = BN_new();
212778Smav	if (!k || !r || !order || !X)
212778Smav	{
212778Smav		ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
212778Smav		goto err;
212778Smav	}
209371Smav	if ((tmp_point = EC_POINT_new(group)) == NULL)
209371Smav	{
209371Smav		ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
212812Smav		goto err;
212812Smav	}
17231Sjoerg	if (!EC_GROUP_get_order(group, order, ctx))
17236Sjoerg	{
17236Sjoerg		ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
17236Sjoerg		goto err;
17236Sjoerg	}
17231Sjoerg
17231Sjoerg	do
4180Sbde	{
92765Salfred		/* get random k */
212778Smav		do
17353Sbde			if (!BN_rand_range(k, order))
166901Spiso			{
209371Smav				ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
2074Swollman				 ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
209371Smav				goto err;
65557Sjasone			}
212778Smav		while (BN_is_zero(k));
72200Sbmilekic
47588Sbde		/* compute r the x-coordinate of generator * k */
39503Sbde		if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
47588Sbde		{
177631Sphk			ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
39503Sbde			goto err;
39503Sbde		}
47588Sbde		if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field)
72200Sbmilekic		{
39503Sbde			if (!EC_POINT_get_affine_coordinates_GFp(group,
179278Sjb				tmp_point, X, NULL, ctx))
212778Smav			{
209990Smav				ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_EC_LIB);
179278Sjb				goto err;
71797Speter			}
50823Smdodd		}
50823Smdodd		else /* NID_X9_62_characteristic_two_field */
50823Smdodd		{
50823Smdodd			if (!EC_POINT_get_affine_coordinates_GF2m(group,
166901Spiso				tmp_point, X, NULL, ctx))
1390Ssos			{
1390Ssos				ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_EC_LIB);
120404Simp				goto err;
177642Sphk			}
1390Ssos		}
177642Sphk		if (!BN_nnmod(r, X, order, ctx))
17231Sjoerg		{
209979Smav			ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
209979Smav			goto err;
209979Smav		}
177642Sphk	}
209979Smav	while (BN_is_zero(r));
177642Sphk
17231Sjoerg	/* compute the inverse of k */
17231Sjoerg	if (!BN_mod_inverse(k, k, order, ctx))
17231Sjoerg	{
17236Sjoerg		ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
17236Sjoerg		goto err;
17236Sjoerg	}
17236Sjoerg	/* clear old values if necessary */
17236Sjoerg	if (*rp != NULL)
17236Sjoerg		BN_clear_free(*rp);
17236Sjoerg	if (*kinvp != NULL)
17236Sjoerg		BN_clear_free(*kinvp);
209979Smav	/* save the pre-computed values  */
209979Smav	*rp    = r;
209979Smav	*kinvp = k;
17236Sjoerg	ret = 1;
209979Smaverr:
177642Sphk	if (!ret)
17231Sjoerg	{
1390Ssos		if (k != NULL) BN_clear_free(k);
1390Ssos		if (r != NULL) BN_clear_free(r);
120404Simp	}
177642Sphk	if (ctx_in == NULL)
1390Ssos		BN_CTX_free(ctx);
17231Sjoerg	if (order != NULL)
17231Sjoerg		BN_free(order);
17231Sjoerg	if (tmp_point != NULL)
17231Sjoerg		EC_POINT_free(tmp_point);
209979Smav	if (X)
209979Smav		BN_clear_free(X);
209979Smav	return(ret);
17236Sjoerg}
209979Smav
177642Sphk
17231Sjoergstatic ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
1390Ssos		const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey)
1390Ssos{
177642Sphk	int     ok = 0;
177642Sphk	BIGNUM *kinv=NULL, *s, *m=NULL,*tmp=NULL,*order=NULL;
177642Sphk	const BIGNUM *ckinv;
177642Sphk	BN_CTX     *ctx = NULL;
177642Sphk	const EC_GROUP   *group;
177642Sphk	ECDSA_SIG  *ret;
209979Smav	ECDSA_DATA *ecdsa;
209979Smav	const BIGNUM *priv_key;
209979Smav
209979Smav	ecdsa    = ecdsa_check(eckey);
177642Sphk	group    = EC_KEY_get0_group(eckey);
177642Sphk	priv_key = EC_KEY_get0_private_key(eckey);
209979Smav
177642Sphk	if (group == NULL || priv_key == NULL || ecdsa == NULL)
177642Sphk	{
177642Sphk		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_PASSED_NULL_PARAMETER);
166901Spiso		return NULL;
10268Sbde	}
1390Ssos
66716Sjhb	ret = ECDSA_SIG_new();
1390Ssos	if (!ret)
131991Smarcel	{
16428Sbde		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
16428Sbde		return NULL;
19173Sbde	}
16428Sbde	s = ret->s;
1390Ssos
1390Ssos	if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL ||
16428Sbde		(tmp = BN_new()) == NULL || (m = BN_new()) == NULL)
131991Smarcel	{
1390Ssos		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
1390Ssos		goto err;
1390Ssos	}
2017Swollman
1390Ssos	if (!EC_GROUP_get_order(group, order, ctx))
177631Sphk	{
1390Ssos		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
1390Ssos		goto err;
1390Ssos	}
1390Ssos	if (dgst_len > BN_num_bytes(order))
1390Ssos	{
22106Sbde		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
1390Ssos			ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
1390Ssos		goto err;
1390Ssos	}
1390Ssos
1390Ssos	if (!BN_bin2bn(dgst, dgst_len, m))
153384Speter	{
1390Ssos		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
153384Speter		goto err;
153384Speter	}
153384Speter	do
153384Speter	{
153384Speter		if (in_kinv == NULL || in_r == NULL)
153384Speter		{
153384Speter			if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r))
175405Sjhb			{
153384Speter				ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,ERR_R_ECDSA_LIB);
153384Speter				goto err;
153384Speter			}
153384Speter			ckinv = kinv;
153384Speter		}
153384Speter		else
1390Ssos		{
1390Ssos			ckinv  = in_kinv;
1390Ssos			if (BN_copy(ret->r, in_r) == NULL)
1390Ssos			{
1390Ssos				ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
1390Ssos				goto err;
1390Ssos			}
1390Ssos		}
1390Ssos
1390Ssos		if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx))
1390Ssos		{
1390Ssos			ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
1390Ssos			goto err;
1390Ssos		}
1390Ssos		if (!BN_mod_add_quick(s, tmp, m, order))
131991Smarcel		{
131991Smarcel			ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
131991Smarcel			goto err;
131991Smarcel		}
131991Smarcel		if (!BN_mod_mul(s, s, ckinv, order, ctx))
1390Ssos		{
131991Smarcel			ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
131991Smarcel			goto err;
131991Smarcel		}
131991Smarcel		if (BN_is_zero(s))
131991Smarcel		{
131991Smarcel			/* if kinv and r have been supplied by the caller
22106Sbde			 * don't to generate new kinv and r values */
1390Ssos			if (in_kinv != NULL && in_r != NULL)
177631Sphk			{
1390Ssos				ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ECDSA_R_NEED_NEW_SETUP_VALUES);
1390Ssos				goto err;
22106Sbde			}
22106Sbde		}
22106Sbde		else
22106Sbde			/* s != 0 => we have a valid signature */
22106Sbde			break;
22106Sbde	}
22106Sbde	while (1);
22106Sbde
22106Sbde	ok = 1;
22106Sbdeerr:
22106Sbde	if (!ok)
22106Sbde	{
22106Sbde		ECDSA_SIG_free(ret);
22106Sbde		ret = NULL;
22106Sbde	}
22106Sbde	if (ctx)
22106Sbde		BN_CTX_free(ctx);
177631Sphk	if (m)
22106Sbde		BN_clear_free(m);
1390Ssos	if (tmp)
1390Ssos		BN_clear_free(tmp);
131991Smarcel	if (order)
131991Smarcel		BN_free(order);
209979Smav	if (kinv)
209979Smav		BN_clear_free(kinv);
209979Smav	return ret;
131991Smarcel}
209979Smav
131991Smarcelstatic int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
131991Smarcel		const ECDSA_SIG *sig, EC_KEY *eckey)
177631Sphk{
131991Smarcel	int ret = -1;
131991Smarcel	BN_CTX   *ctx;
131991Smarcel	BIGNUM   *order, *u1, *u2, *m, *X;
1390Ssos	EC_POINT *point = NULL;
1390Ssos	const EC_GROUP *group;
1390Ssos	const EC_POINT *pub_key;
21783Sbde
1390Ssos	/* check input values */
21783Sbde	if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
177631Sphk	    (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL)
21783Sbde	{
177631Sphk		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_MISSING_PARAMETERS);
21783Sbde		return -1;
177631Sphk	}
21783Sbde
21783Sbde	ctx = BN_CTX_new();
21783Sbde	if (!ctx)
21783Sbde	{
21783Sbde		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
21783Sbde		return -1;
1390Ssos	}
1390Ssos	BN_CTX_start(ctx);
1390Ssos	order = BN_CTX_get(ctx);
1390Ssos	u1    = BN_CTX_get(ctx);
1390Ssos	u2    = BN_CTX_get(ctx);
1390Ssos	m     = BN_CTX_get(ctx);
1390Ssos	X     = BN_CTX_get(ctx);
1390Ssos	if (!X)
15508Sbde	{
212778Smav		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
15508Sbde		goto err;
212812Smav	}
15508Sbde
72200Sbmilekic	if (!EC_GROUP_get_order(group, order, ctx))
212812Smav	{
212812Smav		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
212812Smav		goto err;
212812Smav	}
212812Smav
212812Smav	if (BN_is_zero(sig->r)          || BN_is_negative(sig->r) ||
212812Smav	    BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s)  ||
212812Smav	    BN_is_negative(sig->s)      || BN_ucmp(sig->s, order) >= 0)
212812Smav	{
212812Smav		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_BAD_SIGNATURE);
212812Smav		ret = 0;	/* signature is invalid */
212812Smav		goto err;
212812Smav	}
212812Smav	/* calculate tmp1 = inv(S) mod order */
212778Smav	if (!BN_mod_inverse(u2, sig->s, order, ctx))
212778Smav	{
212778Smav		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
212812Smav		goto err;
212812Smav	}
212778Smav	/* digest -> m */
212778Smav	if (!BN_bin2bn(dgst, dgst_len, m))
147727Sjhb	{
212812Smav		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
212812Smav		goto err;
212778Smav	}
212778Smav	/* u1 = m * tmp mod order */
212778Smav	if (!BN_mod_mul(u1, m, u2, order, ctx))
212812Smav	{
212812Smav		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
212778Smav		goto err;
33309Sbde	}
212812Smav	/* u2 = r * w mod q */
72200Sbmilekic	if (!BN_mod_mul(u2, sig->r, u2, order, ctx))
15508Sbde	{
15508Sbde		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
82971Siwasaki		goto err;
52669Siwasaki	}
52669Siwasaki
52669Siwasaki	if ((point = EC_POINT_new(group)) == NULL)
212812Smav	{
212812Smav		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
212778Smav		goto err;
212778Smav	}
212778Smav	if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx))
52669Siwasaki	{
52669Siwasaki		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
204309Sattilio		goto err;
52669Siwasaki	}
105328Siwasaki	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field)
105328Siwasaki	{
105328Siwasaki		if (!EC_POINT_get_affine_coordinates_GFp(group,
105328Siwasaki			point, X, NULL, ctx))
105328Siwasaki		{
204309Sattilio			ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
204309Sattilio			goto err;
82971Siwasaki		}
82971Siwasaki	}
82971Siwasaki	else /* NID_X9_62_characteristic_two_field */
82971Siwasaki	{
82971Siwasaki		if (!EC_POINT_get_affine_coordinates_GF2m(group,
177631Sphk			point, X, NULL, ctx))
209979Smav		{
178193Sphk			ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
209979Smav			goto err;
82971Siwasaki		}
204309Sattilio	}
82971Siwasaki
166186Sbde	if (!BN_nnmod(u1, X, order, ctx))
1390Ssos	{
166186Sbde		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
166186Sbde		goto err;
166186Sbde	}
166186Sbde	/*  if the signature is correct u1 is equal to sig->r */
209979Smav	ret = (BN_ucmp(u1, sig->r) == 0);
209979Smaverr:
209979Smav	BN_CTX_end(ctx);
209979Smav	BN_CTX_free(ctx);
212778Smav	if (point)
166186Sbde		EC_POINT_free(point);
166186Sbde	return ret;
166186Sbde}
8876Srgrimes