Lob a KNF grenade into the ecdsa code.

author: jsing <> 2015-02-08 13:35:07 +0000
committer: jsing <> 2015-02-08 13:35:07 +0000
commit: 726b51738f080413928933335c86b6b01cf96864 (patch)
tree: 5a291cb11bb8d4fde0d4d335440fe8cad504b4c4 /src/lib/libcrypto/ecdsa/ecs_ossl.c
parent: f5656e5948afd96eceeae5f83939965ba96edc28 (diff)
download: openbsd-726b51738f080413928933335c86b6b01cf96864.tar.gz
openbsd-726b51738f080413928933335c86b6b01cf96864.tar.bz2
openbsd-726b51738f080413928933335c86b6b01cf96864.zip
1 files changed, 114 insertions, 151 deletions
diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c
index 0dde5386ff..31102138c0 100644
--- a/src/lib/libcrypto/ecdsa/ecs_ossl.c
+++ b/src/lib/libcrypto/ecdsa/ecs_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecs_ossl.c,v 1.5 2014/07/12 16:03:37 miod Exp $ */
+/* $OpenBSD: ecs_ossl.c,v 1.6 2015/02/08 13:35:07 jsing Exp $ */
 /*
 * Written by Nils Larsch for the OpenSSL project
 */
@@ -10,7 +10,7 @@
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
+ *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
@@ -63,12 +63,12 @@
 #include <openssl/obj_mac.h>
 #include <openssl/bn.h>
-static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen, 
+static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen,
-                const BIGNUM *, const BIGNUM *, EC_KEY *eckey);
+    const BIGNUM *, const BIGNUM *, EC_KEY *eckey);
-static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, 
+static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
-                BIGNUM **rp);
+    BIGNUM **rp);
-static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, 
+static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
-                const ECDSA_SIG *sig, EC_KEY *eckey);
+    const ECDSA_SIG *sig, EC_KEY *eckey);
 static ECDSA_METHOD openssl_ecdsa_meth = {
        .name = "OpenSSL ECDSA method",
@@ -77,65 +77,58 @@ static ECDSA_METHOD openssl_ecdsa_meth = {
        .ecdsa_do_verify = ecdsa_do_verify
 };
-const ECDSA_METHOD *ECDSA_OpenSSL(void)
+const ECDSA_METHOD *
+ECDSA_OpenSSL(void)
 {
        return &openssl_ecdsa_meth;
 }
-static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
+static int
-                BIGNUM **rp)
+ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 {
        BN_CTX   *ctx = NULL;
        BIGNUM   *k = NULL, *r = NULL, *order = NULL, *X = NULL;
-        EC_POINT *tmp_point=NULL;
+        EC_POINT *tmp_point = NULL;
        const EC_GROUP *group;
        int      ret = 0;
-        if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL)
+        if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {
-        {
                ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
                return 0;
        }
-        if (ctx_in == NULL) 
+        if (ctx_in == NULL) {
-        {
+                if ((ctx = BN_CTX_new()) == NULL) {
-                if ((ctx = BN_CTX_new()) == NULL)
+                        ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
-                {
+                            ERR_R_MALLOC_FAILURE);
-                        ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_MALLOC_FAILURE);
                        return 0;
                }
-        }
+        } else
-        else
                ctx = ctx_in;
-        k     = BN_new();       /* this value is later returned in *kinvp */
+        k = BN_new();   /* this value is later returned in *kinvp */
-        r     = BN_new();       /* this value is later returned in *rp    */
+        r = BN_new();   /* this value is later returned in *rp    */
        order = BN_new();
-        X     = BN_new();
+        X = BN_new();
-        if (!k || !r || !order || !X)
+        if (!k || !r || !order || !X) {
-        {
                ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
                goto err;
        }
-        if ((tmp_point = EC_POINT_new(group)) == NULL)
+        if ((tmp_point = EC_POINT_new(group)) == NULL) {
-        {
                ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
                goto err;
        }
-        if (!EC_GROUP_get_order(group, order, ctx))
+        if (!EC_GROUP_get_order(group, order, ctx)) {
-        {
                ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
                goto err;
        }
-        
-        do
+        do {
-        {
+                /* get random k */
-                /* get random k */      
                do
-                        if (!BN_rand_range(k, order))
+                        if (!BN_rand_range(k, order)) {
-                        {
                                ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
-                                 ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);      
+                                    ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
                                goto err;
                        }
                while (BN_is_zero(k));
@@ -143,23 +136,23 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
                /* We do not want timing information to leak the length of k,
                 * so we compute G*k using an equivalent scalar of fixed
                 * bit-length. */
+                if (!BN_add(k, k, order))
-                if (!BN_add(k, k, order)) goto err;
+                        goto err;
                if (BN_num_bits(k) <= BN_num_bits(order))
-                        if (!BN_add(k, k, order)) goto err;
+                        if (!BN_add(k, k, order))
+                                goto err;
                /* compute r the x-coordinate of generator * k */
-                if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
+                if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
-                {
                        ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
                        goto err;
                }
-                if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field)
+                if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
-                {
+                    NID_X9_62_prime_field) {
                        if (!EC_POINT_get_affine_coordinates_GFp(group,
-                                tmp_point, X, NULL, ctx))
+                            tmp_point, X, NULL, ctx)) {
-                        {
+                                ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
-                                ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_EC_LIB);
+                                    ERR_R_EC_LIB);
                                goto err;
                        }
                }
@@ -167,53 +160,52 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
                else /* NID_X9_62_characteristic_two_field */
                {
                        if (!EC_POINT_get_affine_coordinates_GF2m(group,
-                                tmp_point, X, NULL, ctx))
+                            tmp_point, X, NULL, ctx)) {
-                        {
+                                ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
-                                ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_EC_LIB);
+                                    ERR_R_EC_LIB);
                                goto err;
                        }
                }
 #endif
-                if (!BN_nnmod(r, X, order, ctx))
+                if (!BN_nnmod(r, X, order, ctx)) {
-                {
                        ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
                        goto err;
                }
-        }
+        } while (BN_is_zero(r));
-        while (BN_is_zero(r));
        /* compute the inverse of k */
-        if (!BN_mod_inverse(k, k, order, ctx))
+        if (!BN_mod_inverse(k, k, order, ctx)) {
-        {
                ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
-                goto err;       
+                goto err;
        }
        /* clear old values if necessary */
        BN_clear_free(*rp);
        BN_clear_free(*kinvp);
        /* save the pre-computed values  */
-        *rp    = r;
+        *rp = r;
        *kinvp = k;
        ret = 1;
 err:
        if (!ret) {
                BN_clear_free(k);
                BN_clear_free(r);
        }
-        if (ctx_in == NULL) 
+        if (ctx_in == NULL)
                BN_CTX_free(ctx);
        BN_free(order);
        EC_POINT_free(tmp_point);
        BN_clear_free(X);
-        return(ret);
+        return (ret);
 }
-static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, 
+static ECDSA_SIG *
-                const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey)
+ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
+    const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey)
 {
        int     ok = 0, i;
-        BIGNUM *kinv=NULL, *s, *m=NULL,*tmp=NULL,*order=NULL;
+        BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *order = NULL;
        const BIGNUM *ckinv;
        BN_CTX     *ctx = NULL;
        const EC_GROUP   *group;
@@ -221,33 +213,29 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
        ECDSA_DATA *ecdsa;
        const BIGNUM *priv_key;
-        ecdsa    = ecdsa_check(eckey);
+        ecdsa = ecdsa_check(eckey);
-        group    = EC_KEY_get0_group(eckey);
+        group = EC_KEY_get0_group(eckey);
        priv_key = EC_KEY_get0_private_key(eckey);
-        
-        if (group == NULL || priv_key == NULL || ecdsa == NULL)
+        if (group == NULL || priv_key == NULL || ecdsa == NULL) {
-        {
                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_PASSED_NULL_PARAMETER);
                return NULL;
        }
        ret = ECDSA_SIG_new();
-        if (!ret)
+        if (!ret) {
-        {
                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
                return NULL;
        }
        s = ret->s;
        if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL ||
-                (tmp = BN_new()) == NULL || (m = BN_new()) == NULL)
+            (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) {
-        {
                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
                goto err;
        }
-        if (!EC_GROUP_get_order(group, order, ctx))
+        if (!EC_GROUP_get_order(group, order, ctx)) {
-        {
                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
                goto err;
        }
@@ -257,73 +245,61 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
         */
        if (8 * dgst_len > i)
                dgst_len = (i + 7)/8;
-        if (!BN_bin2bn(dgst, dgst_len, m))
+        if (!BN_bin2bn(dgst, dgst_len, m)) {
-        {
                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
                goto err;
        }
        /* If still too long truncate remaining bits with a shift */
-        if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7)))
+        if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
-        {
                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
                goto err;
        }
-        do
+        do {
-        {
+                if (in_kinv == NULL || in_r == NULL) {
-                if (in_kinv == NULL || in_r == NULL)
+                        if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r)) {
-                {
+                                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
-                        if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r))
+                                    ERR_R_ECDSA_LIB);
-                        {
-                                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,ERR_R_ECDSA_LIB);
                                goto err;
                        }
                        ckinv = kinv;
-                }
+                } else {
-                else
+                        ckinv = in_kinv;
-                {
+                        if (BN_copy(ret->r, in_r) == NULL) {
-                        ckinv  = in_kinv;
+                                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
-                        if (BN_copy(ret->r, in_r) == NULL)
+                                    ERR_R_MALLOC_FAILURE);
-                        {
-                                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
                                goto err;
                        }
                }
-                if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx))
+                if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) {
-                {
                        ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
                        goto err;
                }
-                if (!BN_mod_add_quick(s, tmp, m, order))
+                if (!BN_mod_add_quick(s, tmp, m, order)) {
-                {
                        ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
                        goto err;
                }
-                if (!BN_mod_mul(s, s, ckinv, order, ctx))
+                if (!BN_mod_mul(s, s, ckinv, order, ctx)) {
-                {
                        ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
                        goto err;
                }
-                if (BN_is_zero(s))
+                if (BN_is_zero(s)) {
-                {
                        /* if kinv and r have been supplied by the caller
                         * don't to generate new kinv and r values */
-                        if (in_kinv != NULL && in_r != NULL)
+                        if (in_kinv != NULL && in_r != NULL) {
-                        {
+                                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
-                                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ECDSA_R_NEED_NEW_SETUP_VALUES);
+                                    ECDSA_R_NEED_NEW_SETUP_VALUES);
                                goto err;
                        }
-                }
+                } else
-                else
                        /* s != 0 => we have a valid signature */
                        break;
-        }
+        } while (1);
-        while (1);
        ok = 1;
 err:
-        if (!ok)
+        if (!ok) {
-        {
                ECDSA_SIG_free(ret);
                ret = NULL;
        }
@@ -335,8 +311,9 @@ err:
        return ret;
 }
-static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
+static int
-                const ECDSA_SIG *sig, EC_KEY *eckey)
+ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig,
+    EC_KEY *eckey)
 {
        int ret = -1, i;
        BN_CTX   *ctx;
@@ -347,47 +324,41 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
        /* check input values */
        if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
-            (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL)
+            (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {
-        {
                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_MISSING_PARAMETERS);
                return -1;
        }
        ctx = BN_CTX_new();
-        if (!ctx)
+        if (!ctx) {
-        {
                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
                return -1;
        }
        BN_CTX_start(ctx);
-        order = BN_CTX_get(ctx);        
+        order = BN_CTX_get(ctx);
-        u1    = BN_CTX_get(ctx);
+        u1 = BN_CTX_get(ctx);
-        u2    = BN_CTX_get(ctx);
+        u2 = BN_CTX_get(ctx);
-        m     = BN_CTX_get(ctx);
+        m = BN_CTX_get(ctx);
-        X     = BN_CTX_get(ctx);
+        X = BN_CTX_get(ctx);
-        if (!X)
+        if (!X) {
-        {
                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
                goto err;
        }
-        
-        if (!EC_GROUP_get_order(group, order, ctx))
+        if (!EC_GROUP_get_order(group, order, ctx)) {
-        {
                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
                goto err;
        }
-        if (BN_is_zero(sig->r)          || BN_is_negative(sig->r) || 
+        if (BN_is_zero(sig->r)          || BN_is_negative(sig->r) ||
            BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s)  ||
-            BN_is_negative(sig->s)      || BN_ucmp(sig->s, order) >= 0)
+            BN_is_negative(sig->s)      || BN_ucmp(sig->s, order) >= 0) {
-        {
                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_BAD_SIGNATURE);
                ret = 0;        /* signature is invalid */
                goto err;
        }
        /* calculate tmp1 = inv(S) mod order */
-        if (!BN_mod_inverse(u2, sig->s, order, ctx))
+        if (!BN_mod_inverse(u2, sig->s, order, ctx)) {
-        {
                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
                goto err;
        }
@@ -398,45 +369,38 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
         */
        if (8 * dgst_len > i)
                dgst_len = (i + 7)/8;
-        if (!BN_bin2bn(dgst, dgst_len, m))
+        if (!BN_bin2bn(dgst, dgst_len, m)) {
-        {
                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
                goto err;
        }
        /* If still too long truncate remaining bits with a shift */
-        if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7)))
+        if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
-        {
                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
                goto err;
        }
        /* u1 = m * tmp mod order */
-        if (!BN_mod_mul(u1, m, u2, order, ctx))
+        if (!BN_mod_mul(u1, m, u2, order, ctx)) {
-        {
                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
                goto err;
        }
        /* u2 = r * w mod q */
-        if (!BN_mod_mul(u2, sig->r, u2, order, ctx))
+        if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) {
-        {
                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
                goto err;
        }
-        if ((point = EC_POINT_new(group)) == NULL)
+        if ((point = EC_POINT_new(group)) == NULL) {
-        {
                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
                goto err;
        }
-        if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx))
+        if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx)) {
-        {
                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
                goto err;
        }
-        if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field)
+        if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
-        {
+            NID_X9_62_prime_field) {
                if (!EC_POINT_get_affine_coordinates_GFp(group,
-                        point, X, NULL, ctx))
+                    point, X, NULL, ctx)) {
-                {
                        ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
                        goto err;
                }
@@ -445,20 +409,19 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
        else /* NID_X9_62_characteristic_two_field */
        {
                if (!EC_POINT_get_affine_coordinates_GF2m(group,
-                        point, X, NULL, ctx))
+                    point, X, NULL, ctx)) {
-                {
                        ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
                        goto err;
                }
        }
-#endif  
+#endif
-        if (!BN_nnmod(u1, X, order, ctx))
+        if (!BN_nnmod(u1, X, order, ctx)) {
-        {
                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
                goto err;
        }
        /*  if the signature is correct u1 is equal to sig->r */
        ret = (BN_ucmp(u1, sig->r) == 0);
 err:
        BN_CTX_end(ctx);
        BN_CTX_free(ctx);
author	jsing <>	2015-02-08 13:35:07 +0000
committer	jsing <>	2015-02-08 13:35:07 +0000
commit	726b51738f080413928933335c86b6b01cf96864 (patch)
tree	5a291cb11bb8d4fde0d4d335440fe8cad504b4c4 /src/lib/libcrypto/ecdsa/ecs_ossl.c
parent	f5656e5948afd96eceeae5f83939965ba96edc28 (diff)
download	openbsd-726b51738f080413928933335c86b6b01cf96864.tar.gz openbsd-726b51738f080413928933335c86b6b01cf96864.tar.bz2 openbsd-726b51738f080413928933335c86b6b01cf96864.zip

diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c index 0dde5386ff..31102138c0 100644 --- a/src/lib/libcrypto/ecdsa/ecs_ossl.c +++ b/src/lib/libcrypto/ecdsa/ecs_ossl.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ecs_ossl.c,v 1.5 2014/07/12 16:03:37 miod Exp $ */	1	/* $OpenBSD: ecs_ossl.c,v 1.6 2015/02/08 13:35:07 jsing Exp $ */
2	/*	2	/*
3	* Written by Nils Larsch for the OpenSSL project	3	* Written by Nils Larsch for the OpenSSL project
4	*/	4	*/
@@ -10,7 +10,7 @@
10	* are met:	10	* are met:
11	*	11	*
12	* 1. Redistributions of source code must retain the above copyright	12	* 1. Redistributions of source code must retain the above copyright
13	* notice, this list of conditions and the following disclaimer.	13	* notice, this list of conditions and the following disclaimer.
14	*	14	*
15	* 2. Redistributions in binary form must reproduce the above copyright	15	* 2. Redistributions in binary form must reproduce the above copyright
16	* notice, this list of conditions and the following disclaimer in	16	* notice, this list of conditions and the following disclaimer in
@@ -63,12 +63,12 @@
63	#include <openssl/obj_mac.h>	63	#include <openssl/obj_mac.h>
64	#include <openssl/bn.h>	64	#include <openssl/bn.h>
65		65
66	static ECDSA_SIG ecdsa_do_sign(const unsigned char dgst, int dlen,	66	static ECDSA_SIG ecdsa_do_sign(const unsigned char dgst, int dlen,
67	const BIGNUM , const BIGNUM , EC_KEY *eckey);	67	const BIGNUM , const BIGNUM , EC_KEY *eckey);
68	static int ecdsa_sign_setup(EC_KEY eckey, BN_CTX ctx_in, BIGNUM **kinvp,	68	static int ecdsa_sign_setup(EC_KEY eckey, BN_CTX ctx_in, BIGNUM **kinvp,
69	BIGNUM **rp);	69	BIGNUM **rp);
70	static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,	70	static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
71	const ECDSA_SIG sig, EC_KEY eckey);	71	const ECDSA_SIG sig, EC_KEY eckey);
72		72
73	static ECDSA_METHOD openssl_ecdsa_meth = {	73	static ECDSA_METHOD openssl_ecdsa_meth = {
74	.name = "OpenSSL ECDSA method",	74	.name = "OpenSSL ECDSA method",
@@ -77,65 +77,58 @@ static ECDSA_METHOD openssl_ecdsa_meth = {
77	.ecdsa_do_verify = ecdsa_do_verify	77	.ecdsa_do_verify = ecdsa_do_verify
78	};	78	};
79		79
80	const ECDSA_METHOD *ECDSA_OpenSSL(void)	80	const ECDSA_METHOD *
		81	ECDSA_OpenSSL(void)
81	{	82	{
82	return &openssl_ecdsa_meth;	83	return &openssl_ecdsa_meth;
83	}	84	}
84		85
85	static int ecdsa_sign_setup(EC_KEY eckey, BN_CTX ctx_in, BIGNUM **kinvp,	86	static int
86	BIGNUM **rp)	87	ecdsa_sign_setup(EC_KEY eckey, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)
87	{	88	{
88	BN_CTX *ctx = NULL;	89	BN_CTX *ctx = NULL;
89	BIGNUM k = NULL, r = NULL, order = NULL, X = NULL;	90	BIGNUM k = NULL, r = NULL, order = NULL, X = NULL;
90	EC_POINT *tmp_point=NULL;	91	EC_POINT *tmp_point = NULL;
91	const EC_GROUP *group;	92	const EC_GROUP *group;
92	int ret = 0;	93	int ret = 0;
93		94
94	if (eckey == NULL \|\| (group = EC_KEY_get0_group(eckey)) == NULL)	95	if (eckey == NULL \|\| (group = EC_KEY_get0_group(eckey)) == NULL) {
95	{
96	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);	96	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
97	return 0;	97	return 0;
98	}	98	}
99		99
100	if (ctx_in == NULL)	100	if (ctx_in == NULL) {
101	{	101	if ((ctx = BN_CTX_new()) == NULL) {
102	if ((ctx = BN_CTX_new()) == NULL)	102	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
103	{	103	ERR_R_MALLOC_FAILURE);
104	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_MALLOC_FAILURE);
105	return 0;	104	return 0;
106	}	105	}
107	}	106	} else
108	else
109	ctx = ctx_in;	107	ctx = ctx_in;
110		108
111	k = BN_new(); /* this value is later returned in kinvp /	109	k = BN_new(); /* this value is later returned in kinvp /
112	r = BN_new(); /* this value is later returned in rp /	110	r = BN_new(); /* this value is later returned in rp /
113	order = BN_new();	111	order = BN_new();
114	X = BN_new();	112	X = BN_new();
115	if (!k \|\| !r \|\| !order \|\| !X)	113	if (!k \|\| !r \|\| !order \|\| !X) {
116	{
117	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);	114	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
118	goto err;	115	goto err;
119	}	116	}
120	if ((tmp_point = EC_POINT_new(group)) == NULL)	117	if ((tmp_point = EC_POINT_new(group)) == NULL) {
121	{
122	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);	118	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
123	goto err;	119	goto err;
124	}	120	}
125	if (!EC_GROUP_get_order(group, order, ctx))	121	if (!EC_GROUP_get_order(group, order, ctx)) {
126	{
127	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);	122	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
128	goto err;	123	goto err;
129	}	124	}
130		125
131	do	126	do {
132	{	127	/* get random k */
133	/* get random k */
134	do	128	do
135	if (!BN_rand_range(k, order))	129	if (!BN_rand_range(k, order)) {
136	{
137	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,	130	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
138	ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);	131	ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
139	goto err;	132	goto err;
140	}	133	}
141	while (BN_is_zero(k));	134	while (BN_is_zero(k));
@@ -143,23 +136,23 @@ static int ecdsa_sign_setup(EC_KEY eckey, BN_CTX ctx_in, BIGNUM **kinvp,
143	/* We do not want timing information to leak the length of k,	136	/* We do not want timing information to leak the length of k,
144	* so we compute G*k using an equivalent scalar of fixed	137	* so we compute G*k using an equivalent scalar of fixed
145	* bit-length. */	138	* bit-length. */
146		139	if (!BN_add(k, k, order))
147	if (!BN_add(k, k, order)) goto err;	140	goto err;
148	if (BN_num_bits(k) <= BN_num_bits(order))	141	if (BN_num_bits(k) <= BN_num_bits(order))
149	if (!BN_add(k, k, order)) goto err;	142	if (!BN_add(k, k, order))
		143	goto err;
150		144
151	/* compute r the x-coordinate of generator * k */	145	/* compute r the x-coordinate of generator * k */
152	if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))	146	if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
153	{
154	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);	147	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
155	goto err;	148	goto err;
156	}	149	}
157	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field)	150	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
158	{	151	NID_X9_62_prime_field) {
159	if (!EC_POINT_get_affine_coordinates_GFp(group,	152	if (!EC_POINT_get_affine_coordinates_GFp(group,
160	tmp_point, X, NULL, ctx))	153	tmp_point, X, NULL, ctx)) {
161	{	154	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
162	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_EC_LIB);	155	ERR_R_EC_LIB);
163	goto err;	156	goto err;
164	}	157	}
165	}	158	}
@@ -167,53 +160,52 @@ static int ecdsa_sign_setup(EC_KEY eckey, BN_CTX ctx_in, BIGNUM **kinvp,
167	else /* NID_X9_62_characteristic_two_field */	160	else /* NID_X9_62_characteristic_two_field */
168	{	161	{
169	if (!EC_POINT_get_affine_coordinates_GF2m(group,	162	if (!EC_POINT_get_affine_coordinates_GF2m(group,
170	tmp_point, X, NULL, ctx))	163	tmp_point, X, NULL, ctx)) {
171	{	164	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
172	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_EC_LIB);	165	ERR_R_EC_LIB);
173	goto err;	166	goto err;
174	}	167	}
175	}	168	}
176	#endif	169	#endif
177	if (!BN_nnmod(r, X, order, ctx))	170	if (!BN_nnmod(r, X, order, ctx)) {
178	{
179	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);	171	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
180	goto err;	172	goto err;
181	}	173	}
182	}	174	} while (BN_is_zero(r));
183	while (BN_is_zero(r));
184		175
185	/* compute the inverse of k */	176	/* compute the inverse of k */
186	if (!BN_mod_inverse(k, k, order, ctx))	177	if (!BN_mod_inverse(k, k, order, ctx)) {
187	{
188	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);	178	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
189	goto err;	179	goto err;
190	}	180	}
191	/* clear old values if necessary */	181	/* clear old values if necessary */
192	BN_clear_free(*rp);	182	BN_clear_free(*rp);
193	BN_clear_free(*kinvp);	183	BN_clear_free(*kinvp);
194	/* save the pre-computed values */	184	/* save the pre-computed values */
195	*rp = r;	185	*rp = r;
196	*kinvp = k;	186	*kinvp = k;
197	ret = 1;	187	ret = 1;
		188
198	err:	189	err:
199	if (!ret) {	190	if (!ret) {
200	BN_clear_free(k);	191	BN_clear_free(k);
201	BN_clear_free(r);	192	BN_clear_free(r);
202	}	193	}
203	if (ctx_in == NULL)	194	if (ctx_in == NULL)
204	BN_CTX_free(ctx);	195	BN_CTX_free(ctx);
205	BN_free(order);	196	BN_free(order);
206	EC_POINT_free(tmp_point);	197	EC_POINT_free(tmp_point);
207	BN_clear_free(X);	198	BN_clear_free(X);
208	return(ret);	199	return (ret);
209	}	200	}
210		201
211		202
212	static ECDSA_SIG ecdsa_do_sign(const unsigned char dgst, int dgst_len,	203	static ECDSA_SIG *
213	const BIGNUM in_kinv, const BIGNUM in_r, EC_KEY *eckey)	204	ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
		205	const BIGNUM in_kinv, const BIGNUM in_r, EC_KEY *eckey)
214	{	206	{
215	int ok = 0, i;	207	int ok = 0, i;
216	BIGNUM kinv=NULL, s, m=NULL,tmp=NULL,*order=NULL;	208	BIGNUM kinv = NULL, s, m = NULL, tmp = NULL, *order = NULL;
217	const BIGNUM *ckinv;	209	const BIGNUM *ckinv;
218	BN_CTX *ctx = NULL;	210	BN_CTX *ctx = NULL;
219	const EC_GROUP *group;	211	const EC_GROUP *group;
@@ -221,33 +213,29 @@ static ECDSA_SIG ecdsa_do_sign(const unsigned char dgst, int dgst_len,
221	ECDSA_DATA *ecdsa;	213	ECDSA_DATA *ecdsa;
222	const BIGNUM *priv_key;	214	const BIGNUM *priv_key;
223		215
224	ecdsa = ecdsa_check(eckey);	216	ecdsa = ecdsa_check(eckey);
225	group = EC_KEY_get0_group(eckey);	217	group = EC_KEY_get0_group(eckey);
226	priv_key = EC_KEY_get0_private_key(eckey);	218	priv_key = EC_KEY_get0_private_key(eckey);
227		219
228	if (group == NULL \|\| priv_key == NULL \|\| ecdsa == NULL)	220	if (group == NULL \|\| priv_key == NULL \|\| ecdsa == NULL) {
229	{
230	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_PASSED_NULL_PARAMETER);	221	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_PASSED_NULL_PARAMETER);
231	return NULL;	222	return NULL;
232	}	223	}
233		224
234	ret = ECDSA_SIG_new();	225	ret = ECDSA_SIG_new();
235	if (!ret)	226	if (!ret) {
236	{
237	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);	227	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
238	return NULL;	228	return NULL;
239	}	229	}
240	s = ret->s;	230	s = ret->s;
241		231
242	if ((ctx = BN_CTX_new()) == NULL \|\| (order = BN_new()) == NULL \|\|	232	if ((ctx = BN_CTX_new()) == NULL \|\| (order = BN_new()) == NULL \|\|
243	(tmp = BN_new()) == NULL \|\| (m = BN_new()) == NULL)	233	(tmp = BN_new()) == NULL \|\| (m = BN_new()) == NULL) {
244	{
245	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);	234	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
246	goto err;	235	goto err;
247	}	236	}
248		237
249	if (!EC_GROUP_get_order(group, order, ctx))	238	if (!EC_GROUP_get_order(group, order, ctx)) {
250	{
251	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);	239	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
252	goto err;	240	goto err;
253	}	241	}
@@ -257,73 +245,61 @@ static ECDSA_SIG ecdsa_do_sign(const unsigned char dgst, int dgst_len,
257	*/	245	*/
258	if (8 * dgst_len > i)	246	if (8 * dgst_len > i)
259	dgst_len = (i + 7)/8;	247	dgst_len = (i + 7)/8;
260	if (!BN_bin2bn(dgst, dgst_len, m))	248	if (!BN_bin2bn(dgst, dgst_len, m)) {
261	{
262	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);	249	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
263	goto err;	250	goto err;
264	}	251	}
265	/* If still too long truncate remaining bits with a shift */	252	/* If still too long truncate remaining bits with a shift */
266	if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7)))	253	if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
267	{
268	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);	254	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
269	goto err;	255	goto err;
270	}	256	}
271	do	257	do {
272	{	258	if (in_kinv == NULL \|\| in_r == NULL) {
273	if (in_kinv == NULL \|\| in_r == NULL)	259	if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r)) {
274	{	260	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
275	if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r))	261	ERR_R_ECDSA_LIB);
276	{
277	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,ERR_R_ECDSA_LIB);
278	goto err;	262	goto err;
279	}	263	}
280	ckinv = kinv;	264	ckinv = kinv;
281	}	265	} else {
282	else	266	ckinv = in_kinv;
283	{	267	if (BN_copy(ret->r, in_r) == NULL) {
284	ckinv = in_kinv;	268	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
285	if (BN_copy(ret->r, in_r) == NULL)	269	ERR_R_MALLOC_FAILURE);
286	{
287	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
288	goto err;	270	goto err;
289	}	271	}
290	}	272	}
291		273
292	if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx))	274	if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) {
293	{
294	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);	275	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
295	goto err;	276	goto err;
296	}	277	}
297	if (!BN_mod_add_quick(s, tmp, m, order))	278	if (!BN_mod_add_quick(s, tmp, m, order)) {
298	{
299	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);	279	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
300	goto err;	280	goto err;
301	}	281	}
302	if (!BN_mod_mul(s, s, ckinv, order, ctx))	282	if (!BN_mod_mul(s, s, ckinv, order, ctx)) {
303	{
304	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);	283	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
305	goto err;	284	goto err;
306	}	285	}
307	if (BN_is_zero(s))	286	if (BN_is_zero(s)) {
308	{
309	/* if kinv and r have been supplied by the caller	287	/* if kinv and r have been supplied by the caller
310	* don't to generate new kinv and r values */	288	* don't to generate new kinv and r values */
311	if (in_kinv != NULL && in_r != NULL)	289	if (in_kinv != NULL && in_r != NULL) {
312	{	290	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
313	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ECDSA_R_NEED_NEW_SETUP_VALUES);	291	ECDSA_R_NEED_NEW_SETUP_VALUES);
314	goto err;	292	goto err;
315	}	293	}
316	}	294	} else
317	else
318	/* s != 0 => we have a valid signature */	295	/* s != 0 => we have a valid signature */
319	break;	296	break;
320	}	297	} while (1);
321	while (1);
322		298
323	ok = 1;	299	ok = 1;
		300
324	err:	301	err:
325	if (!ok)	302	if (!ok) {
326	{
327	ECDSA_SIG_free(ret);	303	ECDSA_SIG_free(ret);
328	ret = NULL;	304	ret = NULL;
329	}	305	}
@@ -335,8 +311,9 @@ err:
335	return ret;	311	return ret;
336	}	312	}
337		313
338	static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,	314	static int
339	const ECDSA_SIG sig, EC_KEY eckey)	315	ecdsa_do_verify(const unsigned char dgst, int dgst_len, const ECDSA_SIG sig,
		316	EC_KEY *eckey)
340	{	317	{
341	int ret = -1, i;	318	int ret = -1, i;
342	BN_CTX *ctx;	319	BN_CTX *ctx;
@@ -347,47 +324,41 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
347		324
348	/* check input values */	325	/* check input values */
349	if (eckey == NULL \|\| (group = EC_KEY_get0_group(eckey)) == NULL \|\|	326	if (eckey == NULL \|\| (group = EC_KEY_get0_group(eckey)) == NULL \|\|
350	(pub_key = EC_KEY_get0_public_key(eckey)) == NULL \|\| sig == NULL)	327	(pub_key = EC_KEY_get0_public_key(eckey)) == NULL \|\| sig == NULL) {
351	{
352	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_MISSING_PARAMETERS);	328	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_MISSING_PARAMETERS);
353	return -1;	329	return -1;
354	}	330	}
355		331
356	ctx = BN_CTX_new();	332	ctx = BN_CTX_new();
357	if (!ctx)	333	if (!ctx) {
358	{
359	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);	334	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
360	return -1;	335	return -1;
361	}	336	}
362	BN_CTX_start(ctx);	337	BN_CTX_start(ctx);
363	order = BN_CTX_get(ctx);	338	order = BN_CTX_get(ctx);
364	u1 = BN_CTX_get(ctx);	339	u1 = BN_CTX_get(ctx);
365	u2 = BN_CTX_get(ctx);	340	u2 = BN_CTX_get(ctx);
366	m = BN_CTX_get(ctx);	341	m = BN_CTX_get(ctx);
367	X = BN_CTX_get(ctx);	342	X = BN_CTX_get(ctx);
368	if (!X)	343	if (!X) {
369	{
370	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);	344	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
371	goto err;	345	goto err;
372	}	346	}
373		347
374	if (!EC_GROUP_get_order(group, order, ctx))	348	if (!EC_GROUP_get_order(group, order, ctx)) {
375	{
376	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);	349	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
377	goto err;	350	goto err;
378	}	351	}
379		352
380	if (BN_is_zero(sig->r) \|\| BN_is_negative(sig->r) \|\|	353	if (BN_is_zero(sig->r) \|\| BN_is_negative(sig->r) \|\|
381	BN_ucmp(sig->r, order) >= 0 \|\| BN_is_zero(sig->s) \|\|	354	BN_ucmp(sig->r, order) >= 0 \|\| BN_is_zero(sig->s) \|\|
382	BN_is_negative(sig->s) \|\| BN_ucmp(sig->s, order) >= 0)	355	BN_is_negative(sig->s) \|\| BN_ucmp(sig->s, order) >= 0) {
383	{
384	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_BAD_SIGNATURE);	356	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_BAD_SIGNATURE);
385	ret = 0; /* signature is invalid */	357	ret = 0; /* signature is invalid */
386	goto err;	358	goto err;
387	}	359	}
388	/* calculate tmp1 = inv(S) mod order */	360	/* calculate tmp1 = inv(S) mod order */
389	if (!BN_mod_inverse(u2, sig->s, order, ctx))	361	if (!BN_mod_inverse(u2, sig->s, order, ctx)) {
390	{
391	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);	362	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
392	goto err;	363	goto err;
393	}	364	}
@@ -398,45 +369,38 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
398	*/	369	*/
399	if (8 * dgst_len > i)	370	if (8 * dgst_len > i)
400	dgst_len = (i + 7)/8;	371	dgst_len = (i + 7)/8;
401	if (!BN_bin2bn(dgst, dgst_len, m))	372	if (!BN_bin2bn(dgst, dgst_len, m)) {
402	{
403	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);	373	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
404	goto err;	374	goto err;
405	}	375	}
406	/* If still too long truncate remaining bits with a shift */	376	/* If still too long truncate remaining bits with a shift */
407	if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7)))	377	if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
408	{
409	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);	378	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
410	goto err;	379	goto err;
411	}	380	}
412	/* u1 = m * tmp mod order */	381	/* u1 = m * tmp mod order */
413	if (!BN_mod_mul(u1, m, u2, order, ctx))	382	if (!BN_mod_mul(u1, m, u2, order, ctx)) {
414	{
415	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);	383	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
416	goto err;	384	goto err;
417	}	385	}
418	/* u2 = r * w mod q */	386	/* u2 = r * w mod q */
419	if (!BN_mod_mul(u2, sig->r, u2, order, ctx))	387	if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) {
420	{
421	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);	388	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
422	goto err;	389	goto err;
423	}	390	}
424		391
425	if ((point = EC_POINT_new(group)) == NULL)	392	if ((point = EC_POINT_new(group)) == NULL) {
426	{
427	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);	393	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
428	goto err;	394	goto err;
429	}	395	}
430	if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx))	396	if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx)) {
431	{
432	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);	397	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
433	goto err;	398	goto err;
434	}	399	}
435	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field)	400	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
436	{	401	NID_X9_62_prime_field) {
437	if (!EC_POINT_get_affine_coordinates_GFp(group,	402	if (!EC_POINT_get_affine_coordinates_GFp(group,
438	point, X, NULL, ctx))	403	point, X, NULL, ctx)) {
439	{
440	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);	404	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
441	goto err;	405	goto err;
442	}	406	}
@@ -445,20 +409,19 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
445	else /* NID_X9_62_characteristic_two_field */	409	else /* NID_X9_62_characteristic_two_field */
446	{	410	{
447	if (!EC_POINT_get_affine_coordinates_GF2m(group,	411	if (!EC_POINT_get_affine_coordinates_GF2m(group,
448	point, X, NULL, ctx))	412	point, X, NULL, ctx)) {
449	{
450	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);	413	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
451	goto err;	414	goto err;
452	}	415	}
453	}	416	}
454	#endif	417	#endif
455	if (!BN_nnmod(u1, X, order, ctx))	418	if (!BN_nnmod(u1, X, order, ctx)) {
456	{
457	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);	419	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
458	goto err;	420	goto err;
459	}	421	}
460	/* if the signature is correct u1 is equal to sig->r */	422	/* if the signature is correct u1 is equal to sig->r */
461	ret = (BN_ucmp(u1, sig->r) == 0);	423	ret = (BN_ucmp(u1, sig->r) == 0);
		424
462	err:	425	err:
463	BN_CTX_end(ctx);	426	BN_CTX_end(ctx);
464	BN_CTX_free(ctx);	427	BN_CTX_free(ctx);