authortb <>2023-07-04 14:57:05 +0000
committertb <>2023-07-04 14:57:05 +0000
commit1f34fd05738e4ace8b7be84c9441adc6f601d5f8 (patch)
tree8d28340e2fdc4f731b0441acef2ec02793cd067d
parente29c1d622ce88688738223acc85fde2ebce9b3d8 (diff)
ECDSA signing: annotate code with steps corresponding to FIPS 185-6.
ok jsing
-rw-r--r--src/lib/libcrypto/ecdsa/ecs_ossl.c28
1 files changed, 25 insertions, 3 deletions
diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c
index 4bc77a4920..685ba6e6c7 100644
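--- a/src/lib/libcrypto/ecdsa/ecs_ossl.c
+++ b/src/lib/libcrypto/ecdsa/ecs_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecs_ossl.c,v 1.68 2023/07/04 10:53:42 tb Exp $ */
+/* $OpenBSD: ecs_ossl.c,v 1.69 2023/07/04 14:57:05 tb Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project
  */
@@ -122,6 +122,11 @@ ossl_ecdsa_sign(int type, const unsigned char *digest, int digest_len,
  return ret;
 }
 
+/*
+ * FIPS 186-5, section 6.4.1, steps 3-8 and 11: Generate k, calculate r and
+ * kinv, and clear it. If r == 0, try again with a new random k.
+ */
+
 int
 ossl_ecdsa_sign_setup(EC_KEY *key, BN_CTX *in_ctx, BIGNUM **out_kinv,
  BIGNUM **out_r)
@@ -193,7 +198,9 @@ ossl_ecdsa_sign_setup(EC_KEY *key, BN_CTX *in_ctx, BIGNUM **out_kinv,
  !BN_set_bit(x, order_bits))
  goto err;
 
+ /* Step 11: repeat until r != 0. */
  do {
+ /* Step 3: generate random k. */
  if (!bn_rand_interval(k, BN_value_one(), order)) {
  ECDSAerror(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
  goto err;
@@ -220,22 +227,25 @@ ossl_ecdsa_sign_setup(EC_KEY *key, BN_CTX *in_ctx, BIGNUM **out_kinv,
 
  BN_set_flags(k, BN_FLG_CONSTTIME);
 
- /* Compute r, the x-coordinate of G * k. */
+ /* Step 5: P = k * G. */
  if (!EC_POINT_mul(group, point, k, NULL, NULL, ctx)) {
  ECDSAerror(ERR_R_EC_LIB);
  goto err;
  }
+ /* Steps 6 (and 7): from P = (x, y) retain the x-coordinate. */
  if (!EC_POINT_get_affine_coordinates(group, point, x, NULL,
  ctx)) {
  ECDSAerror(ERR_R_EC_LIB);
  goto err;
  }
+ /* Step 8: r = x (mod order). */
  if (!BN_nnmod(r, x, order, ctx)) {
  ECDSAerror(ERR_R_BN_LIB);
  goto err;
  }
  } while (BN_is_zero(r));
 
+ /* Step 4: calculate kinv. */
  if (BN_mod_inverse_ct(k, k, order, ctx) == NULL) {
  ECDSAerror(ERR_R_BN_LIB);
  goto err;
@@ -343,6 +353,7 @@ ecdsa_compute_s(BIGNUM **out_s, const BIGNUM *e, const BIGNUM *kinv,
  goto err;
  }
 
+ /* Step 11: if s == 0 start over. */
  if (!BN_is_zero(s)) {
  *out_s = s;
  s = NULL;
@@ -364,6 +375,12 @@ ecdsa_compute_s(BIGNUM **out_s, const BIGNUM *e, const BIGNUM *kinv,
  */
 #define ECDSA_MAX_SIGN_ITERATIONS 32
 
+/*
+ * FIPS 186-5: Section 6.4.1: ECDSA signature generation, steps 2-12.
+ * The caller provides the hash of the message, thus performs step 1.
+ * Step 10, zeroing k and kinv, is done by BN_free().
+ */
+
 ECDSA_SIG *
 ossl_ecdsa_sign_sig(const unsigned char *digest, int digest_len,
  const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *key)
@@ -385,6 +402,7 @@ ossl_ecdsa_sign_sig(const unsigned char *digest, int digest_len,
  if ((e = BN_CTX_get(ctx)) == NULL)
  goto err;
 
+ /* Step 2: convert hash into an integer. */
  if (!ecdsa_prepare_digest(digest, digest_len, key, e))
  goto err;
 
@@ -407,6 +425,7 @@ ossl_ecdsa_sign_sig(const unsigned char *digest, int digest_len,
  }
 
  do {
+ /* Steps 3-8: calculate kinv and r. */
  if (!caller_supplied_values) {
  if (!ECDSA_sign_setup(key, ctx, &kinv, &r)) {
  ECDSAerror(ERR_R_ECDSA_LIB);
@@ -414,7 +433,9 @@ ossl_ecdsa_sign_sig(const unsigned char *digest, int digest_len,
  }
  }
 
- /* If s is non-NULL, we have a valid signature. */
+ /*
+ * Steps 9 and 11: if s is non-NULL, we have a valid signature.
+ */
  if (!ecdsa_compute_s(&s, e, kinv, r, key, ctx))
  goto err;
  if (s != NULL)
@@ -431,6 +452,7 @@ ossl_ecdsa_sign_sig(const unsigned char *digest, int digest_len,
  }
  } while (1);
 
+ /* Step 12: output (r, s). */
  if ((sig = ECDSA_SIG_new()) == NULL) {
  ECDSAerror(ERR_R_MALLOC_FAILURE);
  goto err;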
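Review bot: The new header comment on ossl_ecdsa_sign_sig() (new lines 378-382) states that step 10 is covered by BN_free(), but that can only hold for values this function owns, and only if BN_free() clears the limbs, which this page does not show. The signature takes `const BIGNUM *in_kinv`, and the loop skips ECDSA_sign_setup() when `caller_supplied_values` is set, so on that path the nonce inverse presumably stays live in the caller's BIGNUM after the function returns. Since a leaked k or kinv discloses the private key, I would spell the contract out: `Step 10, zeroing k and kinv, is done by BN_free(), which must clear the limbs; caller-supplied in_kinv and in_r have to be cleared by the caller.` The function body starts and ends outside the hunks shown, so the cleanup path itself should be checked against that wording.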