ecdsa_ossl.c 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466
  1. /*
  2. * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * ECDSA low level APIs are deprecated for public use, but still ok for
  11. * internal use.
  12. */
  13. #include "internal/deprecated.h"
  14. #include <string.h>
  15. #include <openssl/err.h>
  16. #include <openssl/obj_mac.h>
  17. #include <openssl/rand.h>
  18. #include "crypto/bn.h"
  19. #include "ec_local.h"
  20. int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
  21. BIGNUM **rp)
  22. {
  23. if (eckey->group->meth->ecdsa_sign_setup == NULL) {
  24. ECerr(EC_F_OSSL_ECDSA_SIGN_SETUP, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA);
  25. return 0;
  26. }
  27. return eckey->group->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp);
  28. }
  29. ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
  30. const BIGNUM *in_kinv, const BIGNUM *in_r,
  31. EC_KEY *eckey)
  32. {
  33. if (eckey->group->meth->ecdsa_sign_sig == NULL) {
  34. ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA);
  35. return NULL;
  36. }
  37. return eckey->group->meth->ecdsa_sign_sig(dgst, dgst_len,
  38. in_kinv, in_r, eckey);
  39. }
  40. int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
  41. const ECDSA_SIG *sig, EC_KEY *eckey)
  42. {
  43. if (eckey->group->meth->ecdsa_verify_sig == NULL) {
  44. ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA);
  45. return 0;
  46. }
  47. return eckey->group->meth->ecdsa_verify_sig(dgst, dgst_len, sig, eckey);
  48. }
  49. int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
  50. unsigned char *sig, unsigned int *siglen,
  51. const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey)
  52. {
  53. ECDSA_SIG *s;
  54. s = ECDSA_do_sign_ex(dgst, dlen, kinv, r, eckey);
  55. if (s == NULL) {
  56. *siglen = 0;
  57. return 0;
  58. }
  59. *siglen = i2d_ECDSA_SIG(s, &sig);
  60. ECDSA_SIG_free(s);
  61. return 1;
  62. }
  63. static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
  64. BIGNUM **kinvp, BIGNUM **rp,
  65. const unsigned char *dgst, int dlen)
  66. {
  67. BN_CTX *ctx = NULL;
  68. BIGNUM *k = NULL, *r = NULL, *X = NULL;
  69. const BIGNUM *order;
  70. EC_POINT *tmp_point = NULL;
  71. const EC_GROUP *group;
  72. int ret = 0;
  73. int order_bits;
  74. const BIGNUM *priv_key;
  75. if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {
  76. ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
  77. return 0;
  78. }
  79. if ((priv_key = EC_KEY_get0_private_key(eckey)) == NULL) {
  80. ECerr(EC_F_ECDSA_SIGN_SETUP, EC_R_MISSING_PRIVATE_KEY);
  81. return 0;
  82. }
  83. if (!EC_KEY_can_sign(eckey)) {
  84. ECerr(EC_F_ECDSA_SIGN_SETUP, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
  85. return 0;
  86. }
  87. if ((ctx = ctx_in) == NULL) {
  88. if ((ctx = BN_CTX_new_ex(eckey->libctx)) == NULL) {
  89. ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
  90. return 0;
  91. }
  92. }
  93. k = BN_secure_new(); /* this value is later returned in *kinvp */
  94. r = BN_new(); /* this value is later returned in *rp */
  95. X = BN_new();
  96. if (k == NULL || r == NULL || X == NULL) {
  97. ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
  98. goto err;
  99. }
  100. if ((tmp_point = EC_POINT_new(group)) == NULL) {
  101. ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
  102. goto err;
  103. }
  104. order = EC_GROUP_get0_order(group);
  105. /* Preallocate space */
  106. order_bits = BN_num_bits(order);
  107. if (!BN_set_bit(k, order_bits)
  108. || !BN_set_bit(r, order_bits)
  109. || !BN_set_bit(X, order_bits))
  110. goto err;
  111. do {
  112. /* get random k */
  113. do {
  114. if (dgst != NULL) {
  115. if (!BN_generate_dsa_nonce(k, order, priv_key,
  116. dgst, dlen, ctx)) {
  117. ECerr(EC_F_ECDSA_SIGN_SETUP,
  118. EC_R_RANDOM_NUMBER_GENERATION_FAILED);
  119. goto err;
  120. }
  121. } else {
  122. if (!BN_priv_rand_range_ex(k, order, ctx)) {
  123. ECerr(EC_F_ECDSA_SIGN_SETUP,
  124. EC_R_RANDOM_NUMBER_GENERATION_FAILED);
  125. goto err;
  126. }
  127. }
  128. } while (BN_is_zero(k));
  129. /* compute r the x-coordinate of generator * k */
  130. if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
  131. ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
  132. goto err;
  133. }
  134. if (!EC_POINT_get_affine_coordinates(group, tmp_point, X, NULL, ctx)) {
  135. ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
  136. goto err;
  137. }
  138. if (!BN_nnmod(r, X, order, ctx)) {
  139. ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
  140. goto err;
  141. }
  142. } while (BN_is_zero(r));
  143. /* compute the inverse of k */
  144. if (!ec_group_do_inverse_ord(group, k, k, ctx)) {
  145. ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
  146. goto err;
  147. }
  148. /* clear old values if necessary */
  149. BN_clear_free(*rp);
  150. BN_clear_free(*kinvp);
  151. /* save the pre-computed values */
  152. *rp = r;
  153. *kinvp = k;
  154. ret = 1;
  155. err:
  156. if (!ret) {
  157. BN_clear_free(k);
  158. BN_clear_free(r);
  159. }
  160. if (ctx != ctx_in)
  161. BN_CTX_free(ctx);
  162. EC_POINT_free(tmp_point);
  163. BN_clear_free(X);
  164. return ret;
  165. }
  166. int ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
  167. BIGNUM **rp)
  168. {
  169. return ecdsa_sign_setup(eckey, ctx_in, kinvp, rp, NULL, 0);
  170. }
  171. ECDSA_SIG *ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len,
  172. const BIGNUM *in_kinv, const BIGNUM *in_r,
  173. EC_KEY *eckey)
  174. {
  175. int ok = 0, i;
  176. BIGNUM *kinv = NULL, *s, *m = NULL;
  177. const BIGNUM *order, *ckinv;
  178. BN_CTX *ctx = NULL;
  179. const EC_GROUP *group;
  180. ECDSA_SIG *ret;
  181. const BIGNUM *priv_key;
  182. group = EC_KEY_get0_group(eckey);
  183. priv_key = EC_KEY_get0_private_key(eckey);
  184. if (group == NULL) {
  185. ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_PASSED_NULL_PARAMETER);
  186. return NULL;
  187. }
  188. if (priv_key == NULL) {
  189. ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, EC_R_MISSING_PRIVATE_KEY);
  190. return NULL;
  191. }
  192. if (!EC_KEY_can_sign(eckey)) {
  193. ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
  194. return NULL;
  195. }
  196. ret = ECDSA_SIG_new();
  197. if (ret == NULL) {
  198. ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_MALLOC_FAILURE);
  199. return NULL;
  200. }
  201. ret->r = BN_new();
  202. ret->s = BN_new();
  203. if (ret->r == NULL || ret->s == NULL) {
  204. ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_MALLOC_FAILURE);
  205. goto err;
  206. }
  207. s = ret->s;
  208. if ((ctx = BN_CTX_new_ex(eckey->libctx)) == NULL
  209. || (m = BN_new()) == NULL) {
  210. ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_MALLOC_FAILURE);
  211. goto err;
  212. }
  213. order = EC_GROUP_get0_order(group);
  214. i = BN_num_bits(order);
  215. /*
  216. * Need to truncate digest if it is too long: first truncate whole bytes.
  217. */
  218. if (8 * dgst_len > i)
  219. dgst_len = (i + 7) / 8;
  220. if (!BN_bin2bn(dgst, dgst_len, m)) {
  221. ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
  222. goto err;
  223. }
  224. /* If still too long, truncate remaining bits with a shift */
  225. if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
  226. ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
  227. goto err;
  228. }
  229. do {
  230. if (in_kinv == NULL || in_r == NULL) {
  231. if (!ecdsa_sign_setup(eckey, ctx, &kinv, &ret->r, dgst, dgst_len)) {
  232. ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_ECDSA_LIB);
  233. goto err;
  234. }
  235. ckinv = kinv;
  236. } else {
  237. ckinv = in_kinv;
  238. if (BN_copy(ret->r, in_r) == NULL) {
  239. ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_MALLOC_FAILURE);
  240. goto err;
  241. }
  242. }
  243. /*
  244. * With only one multiplicant being in Montgomery domain
  245. * multiplication yields real result without post-conversion.
  246. * Also note that all operations but last are performed with
  247. * zero-padded vectors. Last operation, BN_mod_mul_montgomery
  248. * below, returns user-visible value with removed zero padding.
  249. */
  250. if (!bn_to_mont_fixed_top(s, ret->r, group->mont_data, ctx)
  251. || !bn_mul_mont_fixed_top(s, s, priv_key, group->mont_data, ctx)) {
  252. ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
  253. goto err;
  254. }
  255. if (!bn_mod_add_fixed_top(s, s, m, order)) {
  256. ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
  257. goto err;
  258. }
  259. /*
  260. * |s| can still be larger than modulus, because |m| can be. In
  261. * such case we count on Montgomery reduction to tie it up.
  262. */
  263. if (!bn_to_mont_fixed_top(s, s, group->mont_data, ctx)
  264. || !BN_mod_mul_montgomery(s, s, ckinv, group->mont_data, ctx)) {
  265. ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
  266. goto err;
  267. }
  268. if (BN_is_zero(s)) {
  269. /*
  270. * if kinv and r have been supplied by the caller, don't
  271. * generate new kinv and r values
  272. */
  273. if (in_kinv != NULL && in_r != NULL) {
  274. ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, EC_R_NEED_NEW_SETUP_VALUES);
  275. goto err;
  276. }
  277. } else {
  278. /* s != 0 => we have a valid signature */
  279. break;
  280. }
  281. } while (1);
  282. ok = 1;
  283. err:
  284. if (!ok) {
  285. ECDSA_SIG_free(ret);
  286. ret = NULL;
  287. }
  288. BN_CTX_free(ctx);
  289. BN_clear_free(m);
  290. BN_clear_free(kinv);
  291. return ret;
  292. }
  293. /*-
  294. * returns
  295. * 1: correct signature
  296. * 0: incorrect signature
  297. * -1: error
  298. */
  299. int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len,
  300. const unsigned char *sigbuf, int sig_len, EC_KEY *eckey)
  301. {
  302. ECDSA_SIG *s;
  303. const unsigned char *p = sigbuf;
  304. unsigned char *der = NULL;
  305. int derlen = -1;
  306. int ret = -1;
  307. s = ECDSA_SIG_new();
  308. if (s == NULL)
  309. return ret;
  310. if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL)
  311. goto err;
  312. /* Ensure signature uses DER and doesn't have trailing garbage */
  313. derlen = i2d_ECDSA_SIG(s, &der);
  314. if (derlen != sig_len || memcmp(sigbuf, der, derlen) != 0)
  315. goto err;
  316. ret = ECDSA_do_verify(dgst, dgst_len, s, eckey);
  317. err:
  318. OPENSSL_free(der);
  319. ECDSA_SIG_free(s);
  320. return ret;
  321. }
  322. int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len,
  323. const ECDSA_SIG *sig, EC_KEY *eckey)
  324. {
  325. int ret = -1, i;
  326. BN_CTX *ctx;
  327. const BIGNUM *order;
  328. BIGNUM *u1, *u2, *m, *X;
  329. EC_POINT *point = NULL;
  330. const EC_GROUP *group;
  331. const EC_POINT *pub_key;
  332. /* check input values */
  333. if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
  334. (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {
  335. ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, EC_R_MISSING_PARAMETERS);
  336. return -1;
  337. }
  338. if (!EC_KEY_can_sign(eckey)) {
  339. ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
  340. return -1;
  341. }
  342. ctx = BN_CTX_new_ex(eckey->libctx);
  343. if (ctx == NULL) {
  344. ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
  345. return -1;
  346. }
  347. BN_CTX_start(ctx);
  348. u1 = BN_CTX_get(ctx);
  349. u2 = BN_CTX_get(ctx);
  350. m = BN_CTX_get(ctx);
  351. X = BN_CTX_get(ctx);
  352. if (X == NULL) {
  353. ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
  354. goto err;
  355. }
  356. order = EC_GROUP_get0_order(group);
  357. if (order == NULL) {
  358. ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_EC_LIB);
  359. goto err;
  360. }
  361. if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
  362. BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) ||
  363. BN_is_negative(sig->s) || BN_ucmp(sig->s, order) >= 0) {
  364. ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, EC_R_BAD_SIGNATURE);
  365. ret = 0; /* signature is invalid */
  366. goto err;
  367. }
  368. /* calculate tmp1 = inv(S) mod order */
  369. if (!ec_group_do_inverse_ord(group, u2, sig->s, ctx)) {
  370. ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
  371. goto err;
  372. }
  373. /* digest -> m */
  374. i = BN_num_bits(order);
  375. /*
  376. * Need to truncate digest if it is too long: first truncate whole bytes.
  377. */
  378. if (8 * dgst_len > i)
  379. dgst_len = (i + 7) / 8;
  380. if (!BN_bin2bn(dgst, dgst_len, m)) {
  381. ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
  382. goto err;
  383. }
  384. /* If still too long truncate remaining bits with a shift */
  385. if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
  386. ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
  387. goto err;
  388. }
  389. /* u1 = m * tmp mod order */
  390. if (!BN_mod_mul(u1, m, u2, order, ctx)) {
  391. ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
  392. goto err;
  393. }
  394. /* u2 = r * w mod q */
  395. if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) {
  396. ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
  397. goto err;
  398. }
  399. if ((point = EC_POINT_new(group)) == NULL) {
  400. ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
  401. goto err;
  402. }
  403. if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx)) {
  404. ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_EC_LIB);
  405. goto err;
  406. }
  407. if (!EC_POINT_get_affine_coordinates(group, point, X, NULL, ctx)) {
  408. ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_EC_LIB);
  409. goto err;
  410. }
  411. if (!BN_nnmod(u1, X, order, ctx)) {
  412. ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
  413. goto err;
  414. }
  415. /* if the signature is correct u1 is equal to sig->r */
  416. ret = (BN_ucmp(u1, sig->r) == 0);
  417. err:
  418. BN_CTX_end(ctx);
  419. BN_CTX_free(ctx);
  420. EC_POINT_free(point);
  421. return ret;
  422. }