ecdsa_ossl.c 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530
  1. /*
  2. * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * ECDSA low level APIs are deprecated for public use, but still ok for
  11. * internal use.
  12. */
  13. #include "internal/deprecated.h"
  14. #include <string.h>
  15. #include <openssl/err.h>
  16. #include <openssl/obj_mac.h>
  17. #include <openssl/rand.h>
  18. #include "crypto/bn.h"
  19. #include "ec_local.h"
  20. #include "internal/deterministic_nonce.h"
  21. #define MIN_ECDSA_SIGN_ORDERBITS 64
  22. /*
  23. * It is highly unlikely that a retry will happen,
  24. * Multiple retries would indicate that something is wrong
  25. * with the group parameters (which would normally only happen
  26. * with a bad custom group).
  27. */
  28. #define MAX_ECDSA_SIGN_RETRIES 8
  29. static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
  30. BIGNUM **kinvp, BIGNUM **rp,
  31. const unsigned char *dgst, int dlen,
  32. unsigned int nonce_type, const char *digestname,
  33. OSSL_LIB_CTX *libctx, const char *propq);
  34. int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
  35. BIGNUM **rp)
  36. {
  37. if (eckey->group->meth->ecdsa_sign_setup == NULL) {
  38. ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA);
  39. return 0;
  40. }
  41. return eckey->group->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp);
  42. }
  43. ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
  44. const BIGNUM *in_kinv, const BIGNUM *in_r,
  45. EC_KEY *eckey)
  46. {
  47. if (eckey->group->meth->ecdsa_sign_sig == NULL) {
  48. ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA);
  49. return NULL;
  50. }
  51. return eckey->group->meth->ecdsa_sign_sig(dgst, dgst_len,
  52. in_kinv, in_r, eckey);
  53. }
  54. int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
  55. const ECDSA_SIG *sig, EC_KEY *eckey)
  56. {
  57. if (eckey->group->meth->ecdsa_verify_sig == NULL) {
  58. ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA);
  59. return 0;
  60. }
  61. return eckey->group->meth->ecdsa_verify_sig(dgst, dgst_len, sig, eckey);
  62. }
  63. int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
  64. unsigned char *sig, unsigned int *siglen,
  65. const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey)
  66. {
  67. ECDSA_SIG *s;
  68. s = ECDSA_do_sign_ex(dgst, dlen, kinv, r, eckey);
  69. if (s == NULL) {
  70. *siglen = 0;
  71. return 0;
  72. }
  73. *siglen = i2d_ECDSA_SIG(s, sig != NULL ? &sig : NULL);
  74. ECDSA_SIG_free(s);
  75. return 1;
  76. }
  77. int ossl_ecdsa_deterministic_sign(const unsigned char *dgst, int dlen,
  78. unsigned char *sig, unsigned int *siglen,
  79. EC_KEY *eckey, unsigned int nonce_type,
  80. const char *digestname,
  81. OSSL_LIB_CTX *libctx, const char *propq)
  82. {
  83. ECDSA_SIG *s;
  84. BIGNUM *kinv = NULL, *r = NULL;
  85. int ret = 0;
  86. *siglen = 0;
  87. if (!ecdsa_sign_setup(eckey, NULL, &kinv, &r, dgst, dlen,
  88. nonce_type, digestname, libctx, propq))
  89. return 0;
  90. s = ECDSA_do_sign_ex(dgst, dlen, kinv, r, eckey);
  91. if (s == NULL)
  92. goto end;
  93. *siglen = i2d_ECDSA_SIG(s, sig != NULL ? &sig : NULL);
  94. ECDSA_SIG_free(s);
  95. ret = 1;
  96. end:
  97. BN_clear_free(kinv);
  98. BN_clear_free(r);
  99. return ret;
  100. }
  101. static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
  102. BIGNUM **kinvp, BIGNUM **rp,
  103. const unsigned char *dgst, int dlen,
  104. unsigned int nonce_type, const char *digestname,
  105. OSSL_LIB_CTX *libctx, const char *propq)
  106. {
  107. BN_CTX *ctx = NULL;
  108. BIGNUM *k = NULL, *r = NULL, *X = NULL;
  109. const BIGNUM *order;
  110. EC_POINT *tmp_point = NULL;
  111. const EC_GROUP *group;
  112. int ret = 0;
  113. int order_bits;
  114. const BIGNUM *priv_key;
  115. if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {
  116. ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
  117. return 0;
  118. }
  119. if ((priv_key = EC_KEY_get0_private_key(eckey)) == NULL) {
  120. ERR_raise(ERR_LIB_EC, EC_R_MISSING_PRIVATE_KEY);
  121. return 0;
  122. }
  123. if (!EC_KEY_can_sign(eckey)) {
  124. ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
  125. return 0;
  126. }
  127. if ((ctx = ctx_in) == NULL) {
  128. if ((ctx = BN_CTX_new_ex(eckey->libctx)) == NULL) {
  129. ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
  130. return 0;
  131. }
  132. }
  133. k = BN_secure_new(); /* this value is later returned in *kinvp */
  134. r = BN_new(); /* this value is later returned in *rp */
  135. X = BN_new();
  136. if (k == NULL || r == NULL || X == NULL) {
  137. ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
  138. goto err;
  139. }
  140. if ((tmp_point = EC_POINT_new(group)) == NULL) {
  141. ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
  142. goto err;
  143. }
  144. order = EC_GROUP_get0_order(group);
  145. /* Preallocate space */
  146. order_bits = BN_num_bits(order);
  147. /* Check the number of bits here so that an infinite loop is not possible */
  148. if (order_bits < MIN_ECDSA_SIGN_ORDERBITS
  149. || !BN_set_bit(k, order_bits)
  150. || !BN_set_bit(r, order_bits)
  151. || !BN_set_bit(X, order_bits))
  152. goto err;
  153. do {
  154. /* get random or deterministic value of k */
  155. do {
  156. int res = 0;
  157. if (dgst != NULL) {
  158. if (nonce_type == 1) {
  159. #ifndef FIPS_MODULE
  160. res = ossl_gen_deterministic_nonce_rfc6979(k, order,
  161. priv_key,
  162. dgst, dlen,
  163. digestname,
  164. libctx, propq);
  165. #endif
  166. } else {
  167. res = BN_generate_dsa_nonce(k, order, priv_key, dgst, dlen,
  168. ctx);
  169. }
  170. } else {
  171. res = BN_priv_rand_range_ex(k, order, 0, ctx);
  172. }
  173. if (!res) {
  174. ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED);
  175. goto err;
  176. }
  177. } while (BN_is_zero(k));
  178. /* compute r the x-coordinate of generator * k */
  179. if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
  180. ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
  181. goto err;
  182. }
  183. if (!EC_POINT_get_affine_coordinates(group, tmp_point, X, NULL, ctx)) {
  184. ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
  185. goto err;
  186. }
  187. if (!BN_nnmod(r, X, order, ctx)) {
  188. ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
  189. goto err;
  190. }
  191. } while (BN_is_zero(r));
  192. /* compute the inverse of k */
  193. if (!ossl_ec_group_do_inverse_ord(group, k, k, ctx)) {
  194. ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
  195. goto err;
  196. }
  197. /* clear old values if necessary */
  198. BN_clear_free(*rp);
  199. BN_clear_free(*kinvp);
  200. /* save the pre-computed values */
  201. *rp = r;
  202. *kinvp = k;
  203. ret = 1;
  204. err:
  205. if (!ret) {
  206. BN_clear_free(k);
  207. BN_clear_free(r);
  208. }
  209. if (ctx != ctx_in)
  210. BN_CTX_free(ctx);
  211. EC_POINT_free(tmp_point);
  212. BN_clear_free(X);
  213. return ret;
  214. }
  215. int ossl_ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
  216. BIGNUM **rp)
  217. {
  218. return ecdsa_sign_setup(eckey, ctx_in, kinvp, rp, NULL, 0,
  219. 0, NULL, NULL, NULL);
  220. }
  221. ECDSA_SIG *ossl_ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len,
  222. const BIGNUM *in_kinv, const BIGNUM *in_r,
  223. EC_KEY *eckey)
  224. {
  225. int ok = 0, i;
  226. int retries = 0;
  227. BIGNUM *kinv = NULL, *s, *m = NULL;
  228. const BIGNUM *order, *ckinv;
  229. BN_CTX *ctx = NULL;
  230. const EC_GROUP *group;
  231. ECDSA_SIG *ret;
  232. const BIGNUM *priv_key;
  233. group = EC_KEY_get0_group(eckey);
  234. priv_key = EC_KEY_get0_private_key(eckey);
  235. if (group == NULL) {
  236. ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
  237. return NULL;
  238. }
  239. if (priv_key == NULL) {
  240. ERR_raise(ERR_LIB_EC, EC_R_MISSING_PRIVATE_KEY);
  241. return NULL;
  242. }
  243. if (!EC_KEY_can_sign(eckey)) {
  244. ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
  245. return NULL;
  246. }
  247. ret = ECDSA_SIG_new();
  248. if (ret == NULL) {
  249. ERR_raise(ERR_LIB_EC, ERR_R_ECDSA_LIB);
  250. return NULL;
  251. }
  252. ret->r = BN_new();
  253. ret->s = BN_new();
  254. if (ret->r == NULL || ret->s == NULL) {
  255. ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
  256. goto err;
  257. }
  258. s = ret->s;
  259. if ((ctx = BN_CTX_new_ex(eckey->libctx)) == NULL
  260. || (m = BN_new()) == NULL) {
  261. ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
  262. goto err;
  263. }
  264. order = EC_GROUP_get0_order(group);
  265. i = BN_num_bits(order);
  266. /*
  267. * Need to truncate digest if it is too long: first truncate whole bytes.
  268. */
  269. if (8 * dgst_len > i)
  270. dgst_len = (i + 7) / 8;
  271. if (!BN_bin2bn(dgst, dgst_len, m)) {
  272. ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
  273. goto err;
  274. }
  275. /* If still too long, truncate remaining bits with a shift */
  276. if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
  277. ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
  278. goto err;
  279. }
  280. do {
  281. if (in_kinv == NULL || in_r == NULL) {
  282. if (!ecdsa_sign_setup(eckey, ctx, &kinv, &ret->r, dgst, dgst_len,
  283. 0, NULL, NULL, NULL)) {
  284. ERR_raise(ERR_LIB_EC, ERR_R_ECDSA_LIB);
  285. goto err;
  286. }
  287. ckinv = kinv;
  288. } else {
  289. ckinv = in_kinv;
  290. if (BN_copy(ret->r, in_r) == NULL) {
  291. ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
  292. goto err;
  293. }
  294. }
  295. /*
  296. * With only one multiplicant being in Montgomery domain
  297. * multiplication yields real result without post-conversion.
  298. * Also note that all operations but last are performed with
  299. * zero-padded vectors. Last operation, BN_mod_mul_montgomery
  300. * below, returns user-visible value with removed zero padding.
  301. */
  302. if (!bn_to_mont_fixed_top(s, ret->r, group->mont_data, ctx)
  303. || !bn_mul_mont_fixed_top(s, s, priv_key, group->mont_data, ctx)) {
  304. ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
  305. goto err;
  306. }
  307. if (!bn_mod_add_fixed_top(s, s, m, order)) {
  308. ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
  309. goto err;
  310. }
  311. /*
  312. * |s| can still be larger than modulus, because |m| can be. In
  313. * such case we count on Montgomery reduction to tie it up.
  314. */
  315. if (!bn_to_mont_fixed_top(s, s, group->mont_data, ctx)
  316. || !BN_mod_mul_montgomery(s, s, ckinv, group->mont_data, ctx)) {
  317. ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
  318. goto err;
  319. }
  320. if (BN_is_zero(s)) {
  321. /*
  322. * if kinv and r have been supplied by the caller, don't
  323. * generate new kinv and r values
  324. */
  325. if (in_kinv != NULL && in_r != NULL) {
  326. ERR_raise(ERR_LIB_EC, EC_R_NEED_NEW_SETUP_VALUES);
  327. goto err;
  328. }
  329. /* Avoid infinite loops cause by invalid group parameters */
  330. if (retries++ > MAX_ECDSA_SIGN_RETRIES) {
  331. ERR_raise(ERR_LIB_EC, EC_R_TOO_MANY_RETRIES);
  332. goto err;
  333. }
  334. } else {
  335. /* s != 0 => we have a valid signature */
  336. break;
  337. }
  338. } while (1);
  339. ok = 1;
  340. err:
  341. if (!ok) {
  342. ECDSA_SIG_free(ret);
  343. ret = NULL;
  344. }
  345. BN_CTX_free(ctx);
  346. BN_clear_free(m);
  347. BN_clear_free(kinv);
  348. return ret;
  349. }
  350. /*-
  351. * returns
  352. * 1: correct signature
  353. * 0: incorrect signature
  354. * -1: error
  355. */
  356. int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len,
  357. const unsigned char *sigbuf, int sig_len, EC_KEY *eckey)
  358. {
  359. ECDSA_SIG *s;
  360. const unsigned char *p = sigbuf;
  361. unsigned char *der = NULL;
  362. int derlen = -1;
  363. int ret = -1;
  364. s = ECDSA_SIG_new();
  365. if (s == NULL)
  366. return ret;
  367. if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL)
  368. goto err;
  369. /* Ensure signature uses DER and doesn't have trailing garbage */
  370. derlen = i2d_ECDSA_SIG(s, &der);
  371. if (derlen != sig_len || memcmp(sigbuf, der, derlen) != 0)
  372. goto err;
  373. ret = ECDSA_do_verify(dgst, dgst_len, s, eckey);
  374. err:
  375. OPENSSL_free(der);
  376. ECDSA_SIG_free(s);
  377. return ret;
  378. }
  379. int ossl_ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len,
  380. const ECDSA_SIG *sig, EC_KEY *eckey)
  381. {
  382. int ret = -1, i;
  383. BN_CTX *ctx;
  384. const BIGNUM *order;
  385. BIGNUM *u1, *u2, *m, *X;
  386. EC_POINT *point = NULL;
  387. const EC_GROUP *group;
  388. const EC_POINT *pub_key;
  389. /* check input values */
  390. if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
  391. (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {
  392. ERR_raise(ERR_LIB_EC, EC_R_MISSING_PARAMETERS);
  393. return -1;
  394. }
  395. if (!EC_KEY_can_sign(eckey)) {
  396. ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
  397. return -1;
  398. }
  399. ctx = BN_CTX_new_ex(eckey->libctx);
  400. if (ctx == NULL) {
  401. ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
  402. return -1;
  403. }
  404. BN_CTX_start(ctx);
  405. u1 = BN_CTX_get(ctx);
  406. u2 = BN_CTX_get(ctx);
  407. m = BN_CTX_get(ctx);
  408. X = BN_CTX_get(ctx);
  409. if (X == NULL) {
  410. ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
  411. goto err;
  412. }
  413. order = EC_GROUP_get0_order(group);
  414. if (order == NULL) {
  415. ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
  416. goto err;
  417. }
  418. if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
  419. BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) ||
  420. BN_is_negative(sig->s) || BN_ucmp(sig->s, order) >= 0) {
  421. ERR_raise(ERR_LIB_EC, EC_R_BAD_SIGNATURE);
  422. ret = 0; /* signature is invalid */
  423. goto err;
  424. }
  425. /* calculate tmp1 = inv(S) mod order */
  426. if (!ossl_ec_group_do_inverse_ord(group, u2, sig->s, ctx)) {
  427. ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
  428. goto err;
  429. }
  430. /* digest -> m */
  431. i = BN_num_bits(order);
  432. /*
  433. * Need to truncate digest if it is too long: first truncate whole bytes.
  434. */
  435. if (8 * dgst_len > i)
  436. dgst_len = (i + 7) / 8;
  437. if (!BN_bin2bn(dgst, dgst_len, m)) {
  438. ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
  439. goto err;
  440. }
  441. /* If still too long truncate remaining bits with a shift */
  442. if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
  443. ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
  444. goto err;
  445. }
  446. /* u1 = m * tmp mod order */
  447. if (!BN_mod_mul(u1, m, u2, order, ctx)) {
  448. ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
  449. goto err;
  450. }
  451. /* u2 = r * w mod q */
  452. if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) {
  453. ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
  454. goto err;
  455. }
  456. if ((point = EC_POINT_new(group)) == NULL) {
  457. ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
  458. goto err;
  459. }
  460. if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx)) {
  461. ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
  462. goto err;
  463. }
  464. if (!EC_POINT_get_affine_coordinates(group, point, X, NULL, ctx)) {
  465. ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
  466. goto err;
  467. }
  468. if (!BN_nnmod(u1, X, order, ctx)) {
  469. ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
  470. goto err;
  471. }
  472. /* if the signature is correct u1 is equal to sig->r */
  473. ret = (BN_ucmp(u1, sig->r) == 0);
  474. err:
  475. BN_CTX_end(ctx);
  476. BN_CTX_free(ctx);
  477. EC_POINT_free(point);
  478. return ret;
  479. }