ecdsa_ossl.c revision 1.1.1.6
1/* 2 * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10/* 11 * ECDSA low level APIs are deprecated for public use, but still ok for 12 * internal use. 13 */ 14#include "internal/deprecated.h" 15 16#include <string.h> 17#include <openssl/err.h> 18#include <openssl/obj_mac.h> 19#include <openssl/rand.h> 20#include "crypto/bn.h" 21#include "ec_local.h" 22 23int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, 24 BIGNUM **rp) 25{ 26 if (eckey->group->meth->ecdsa_sign_setup == NULL) { 27 ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA); 28 return 0; 29 } 30 31 return eckey->group->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp); 32} 33 34ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, 35 const BIGNUM *in_kinv, const BIGNUM *in_r, 36 EC_KEY *eckey) 37{ 38 if (eckey->group->meth->ecdsa_sign_sig == NULL) { 39 ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA); 40 return NULL; 41 } 42 43 return eckey->group->meth->ecdsa_sign_sig(dgst, dgst_len, 44 in_kinv, in_r, eckey); 45} 46 47int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, 48 const ECDSA_SIG *sig, EC_KEY *eckey) 49{ 50 if (eckey->group->meth->ecdsa_verify_sig == NULL) { 51 ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA); 52 return 0; 53 } 54 55 return eckey->group->meth->ecdsa_verify_sig(dgst, dgst_len, sig, eckey); 56} 57 58int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen, 59 unsigned char *sig, unsigned int *siglen, 60 const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey) 61{ 62 ECDSA_SIG *s; 63 64 s = ECDSA_do_sign_ex(dgst, dlen, kinv, r, eckey); 65 if (s == NULL) { 66 *siglen = 0; 67 return 0; 68 } 69 *siglen = i2d_ECDSA_SIG(s, &sig); 70 ECDSA_SIG_free(s); 71 return 1; 72} 73 74static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, 75 BIGNUM **kinvp, BIGNUM **rp, 76 const unsigned char *dgst, int dlen) 77{ 78 BN_CTX *ctx = NULL; 79 BIGNUM *k = NULL, *r = NULL, *X = NULL; 80 const BIGNUM *order; 81 EC_POINT *tmp_point = NULL; 82 const EC_GROUP *group; 83 int ret = 0; 84 int order_bits; 85 const BIGNUM *priv_key; 86 87 if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) { 88 ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER); 89 return 0; 90 } 91 if ((priv_key = EC_KEY_get0_private_key(eckey)) == NULL) { 92 ERR_raise(ERR_LIB_EC, EC_R_MISSING_PRIVATE_KEY); 93 return 0; 94 } 95 96 if (!EC_KEY_can_sign(eckey)) { 97 ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING); 98 return 0; 99 } 100 101 if ((ctx = ctx_in) == NULL) { 102 if ((ctx = BN_CTX_new_ex(eckey->libctx)) == NULL) { 103 ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); 104 return 0; 105 } 106 } 107 108 k = BN_secure_new(); /* this value is later returned in *kinvp */ 109 r = BN_new(); /* this value is later returned in *rp */ 110 X = BN_new(); 111 if (k == NULL || r == NULL || X == NULL) { 112 ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); 113 goto err; 114 } 115 if ((tmp_point = EC_POINT_new(group)) == NULL) { 116 ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); 117 goto err; 118 } 119 order = EC_GROUP_get0_order(group); 120 121 /* Preallocate space */ 122 order_bits = BN_num_bits(order); 123 if (!BN_set_bit(k, order_bits) 124 || !BN_set_bit(r, order_bits) 125 || !BN_set_bit(X, order_bits)) 126 goto err; 127 128 do { 129 /* get random k */ 130 do { 131 if (dgst != NULL) { 132 if (!BN_generate_dsa_nonce(k, order, priv_key, 133 dgst, dlen, ctx)) { 134 ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED); 135 goto err; 136 } 137 } else { 138 if (!BN_priv_rand_range_ex(k, order, 0, ctx)) { 139 ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED); 140 goto err; 141 } 142 } 143 } while (BN_is_zero(k)); 144 145 /* compute r the x-coordinate of generator * k */ 146 if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) { 147 ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); 148 goto err; 149 } 150 151 if (!EC_POINT_get_affine_coordinates(group, tmp_point, X, NULL, ctx)) { 152 ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); 153 goto err; 154 } 155 156 if (!BN_nnmod(r, X, order, ctx)) { 157 ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); 158 goto err; 159 } 160 } while (BN_is_zero(r)); 161 162 /* compute the inverse of k */ 163 if (!ossl_ec_group_do_inverse_ord(group, k, k, ctx)) { 164 ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); 165 goto err; 166 } 167 168 /* clear old values if necessary */ 169 BN_clear_free(*rp); 170 BN_clear_free(*kinvp); 171 /* save the pre-computed values */ 172 *rp = r; 173 *kinvp = k; 174 ret = 1; 175 err: 176 if (!ret) { 177 BN_clear_free(k); 178 BN_clear_free(r); 179 } 180 if (ctx != ctx_in) 181 BN_CTX_free(ctx); 182 EC_POINT_free(tmp_point); 183 BN_clear_free(X); 184 return ret; 185} 186 187int ossl_ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, 188 BIGNUM **rp) 189{ 190 return ecdsa_sign_setup(eckey, ctx_in, kinvp, rp, NULL, 0); 191} 192 193ECDSA_SIG *ossl_ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len, 194 const BIGNUM *in_kinv, const BIGNUM *in_r, 195 EC_KEY *eckey) 196{ 197 int ok = 0, i; 198 BIGNUM *kinv = NULL, *s, *m = NULL; 199 const BIGNUM *order, *ckinv; 200 BN_CTX *ctx = NULL; 201 const EC_GROUP *group; 202 ECDSA_SIG *ret; 203 const BIGNUM *priv_key; 204 205 group = EC_KEY_get0_group(eckey); 206 priv_key = EC_KEY_get0_private_key(eckey); 207 208 if (group == NULL) { 209 ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER); 210 return NULL; 211 } 212 if (priv_key == NULL) { 213 ERR_raise(ERR_LIB_EC, EC_R_MISSING_PRIVATE_KEY); 214 return NULL; 215 } 216 217 if (!EC_KEY_can_sign(eckey)) { 218 ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING); 219 return NULL; 220 } 221 222 ret = ECDSA_SIG_new(); 223 if (ret == NULL) { 224 ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); 225 return NULL; 226 } 227 ret->r = BN_new(); 228 ret->s = BN_new(); 229 if (ret->r == NULL || ret->s == NULL) { 230 ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); 231 goto err; 232 } 233 s = ret->s; 234 235 if ((ctx = BN_CTX_new_ex(eckey->libctx)) == NULL 236 || (m = BN_new()) == NULL) { 237 ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); 238 goto err; 239 } 240 241 order = EC_GROUP_get0_order(group); 242 i = BN_num_bits(order); 243 /* 244 * Need to truncate digest if it is too long: first truncate whole bytes. 245 */ 246 if (8 * dgst_len > i) 247 dgst_len = (i + 7) / 8; 248 if (!BN_bin2bn(dgst, dgst_len, m)) { 249 ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); 250 goto err; 251 } 252 /* If still too long, truncate remaining bits with a shift */ 253 if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) { 254 ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); 255 goto err; 256 } 257 do { 258 if (in_kinv == NULL || in_r == NULL) { 259 if (!ecdsa_sign_setup(eckey, ctx, &kinv, &ret->r, dgst, dgst_len)) { 260 ERR_raise(ERR_LIB_EC, ERR_R_ECDSA_LIB); 261 goto err; 262 } 263 ckinv = kinv; 264 } else { 265 ckinv = in_kinv; 266 if (BN_copy(ret->r, in_r) == NULL) { 267 ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); 268 goto err; 269 } 270 } 271 272 /* 273 * With only one multiplicant being in Montgomery domain 274 * multiplication yields real result without post-conversion. 275 * Also note that all operations but last are performed with 276 * zero-padded vectors. Last operation, BN_mod_mul_montgomery 277 * below, returns user-visible value with removed zero padding. 278 */ 279 if (!bn_to_mont_fixed_top(s, ret->r, group->mont_data, ctx) 280 || !bn_mul_mont_fixed_top(s, s, priv_key, group->mont_data, ctx)) { 281 ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); 282 goto err; 283 } 284 if (!bn_mod_add_fixed_top(s, s, m, order)) { 285 ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); 286 goto err; 287 } 288 /* 289 * |s| can still be larger than modulus, because |m| can be. In 290 * such case we count on Montgomery reduction to tie it up. 291 */ 292 if (!bn_to_mont_fixed_top(s, s, group->mont_data, ctx) 293 || !BN_mod_mul_montgomery(s, s, ckinv, group->mont_data, ctx)) { 294 ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); 295 goto err; 296 } 297 298 if (BN_is_zero(s)) { 299 /* 300 * if kinv and r have been supplied by the caller, don't 301 * generate new kinv and r values 302 */ 303 if (in_kinv != NULL && in_r != NULL) { 304 ERR_raise(ERR_LIB_EC, EC_R_NEED_NEW_SETUP_VALUES); 305 goto err; 306 } 307 } else { 308 /* s != 0 => we have a valid signature */ 309 break; 310 } 311 } while (1); 312 313 ok = 1; 314 err: 315 if (!ok) { 316 ECDSA_SIG_free(ret); 317 ret = NULL; 318 } 319 BN_CTX_free(ctx); 320 BN_clear_free(m); 321 BN_clear_free(kinv); 322 return ret; 323} 324 325/*- 326 * returns 327 * 1: correct signature 328 * 0: incorrect signature 329 * -1: error 330 */ 331int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len, 332 const unsigned char *sigbuf, int sig_len, EC_KEY *eckey) 333{ 334 ECDSA_SIG *s; 335 const unsigned char *p = sigbuf; 336 unsigned char *der = NULL; 337 int derlen = -1; 338 int ret = -1; 339 340 s = ECDSA_SIG_new(); 341 if (s == NULL) 342 return ret; 343 if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL) 344 goto err; 345 /* Ensure signature uses DER and doesn't have trailing garbage */ 346 derlen = i2d_ECDSA_SIG(s, &der); 347 if (derlen != sig_len || memcmp(sigbuf, der, derlen) != 0) 348 goto err; 349 ret = ECDSA_do_verify(dgst, dgst_len, s, eckey); 350 err: 351 OPENSSL_free(der); 352 ECDSA_SIG_free(s); 353 return ret; 354} 355 356int ossl_ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len, 357 const ECDSA_SIG *sig, EC_KEY *eckey) 358{ 359 int ret = -1, i; 360 BN_CTX *ctx; 361 const BIGNUM *order; 362 BIGNUM *u1, *u2, *m, *X; 363 EC_POINT *point = NULL; 364 const EC_GROUP *group; 365 const EC_POINT *pub_key; 366 367 /* check input values */ 368 if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || 369 (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) { 370 ERR_raise(ERR_LIB_EC, EC_R_MISSING_PARAMETERS); 371 return -1; 372 } 373 374 if (!EC_KEY_can_sign(eckey)) { 375 ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING); 376 return -1; 377 } 378 379 ctx = BN_CTX_new_ex(eckey->libctx); 380 if (ctx == NULL) { 381 ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); 382 return -1; 383 } 384 BN_CTX_start(ctx); 385 u1 = BN_CTX_get(ctx); 386 u2 = BN_CTX_get(ctx); 387 m = BN_CTX_get(ctx); 388 X = BN_CTX_get(ctx); 389 if (X == NULL) { 390 ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); 391 goto err; 392 } 393 394 order = EC_GROUP_get0_order(group); 395 if (order == NULL) { 396 ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); 397 goto err; 398 } 399 400 if (BN_is_zero(sig->r) || BN_is_negative(sig->r) || 401 BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) || 402 BN_is_negative(sig->s) || BN_ucmp(sig->s, order) >= 0) { 403 ERR_raise(ERR_LIB_EC, EC_R_BAD_SIGNATURE); 404 ret = 0; /* signature is invalid */ 405 goto err; 406 } 407 /* calculate tmp1 = inv(S) mod order */ 408 if (!ossl_ec_group_do_inverse_ord(group, u2, sig->s, ctx)) { 409 ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); 410 goto err; 411 } 412 /* digest -> m */ 413 i = BN_num_bits(order); 414 /* 415 * Need to truncate digest if it is too long: first truncate whole bytes. 416 */ 417 if (8 * dgst_len > i) 418 dgst_len = (i + 7) / 8; 419 if (!BN_bin2bn(dgst, dgst_len, m)) { 420 ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); 421 goto err; 422 } 423 /* If still too long truncate remaining bits with a shift */ 424 if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) { 425 ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); 426 goto err; 427 } 428 /* u1 = m * tmp mod order */ 429 if (!BN_mod_mul(u1, m, u2, order, ctx)) { 430 ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); 431 goto err; 432 } 433 /* u2 = r * w mod q */ 434 if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) { 435 ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); 436 goto err; 437 } 438 439 if ((point = EC_POINT_new(group)) == NULL) { 440 ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); 441 goto err; 442 } 443 if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx)) { 444 ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); 445 goto err; 446 } 447 448 if (!EC_POINT_get_affine_coordinates(group, point, X, NULL, ctx)) { 449 ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); 450 goto err; 451 } 452 453 if (!BN_nnmod(u1, X, order, ctx)) { 454 ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); 455 goto err; 456 } 457 /* if the signature is correct u1 is equal to sig->r */ 458 ret = (BN_ucmp(u1, sig->r) == 0); 459 err: 460 BN_CTX_end(ctx); 461 BN_CTX_free(ctx); 462 EC_POINT_free(point); 463 return ret; 464} 465