Merge ECDSA code that will stay into ecdsa.c

discussed with jsing
author: tb <> 2023-07-05 12:18:21 +0000
committer: tb <> 2023-07-05 12:18:21 +0000
commit: 26010e9c7baa4f220e97d24329f0c64fc74430dd (patch)
tree: b7f4ae59c723f184139ba5a50306a43fb49194f4 /src/lib/libcrypto/ecdsa/ecs_ossl.c
parent: a71fe1d5846a4f1db4c2478c65f65ca026866e81 (diff)
download: openbsd-26010e9c7baa4f220e97d24329f0c64fc74430dd.tar.gz
openbsd-26010e9c7baa4f220e97d24329f0c64fc74430dd.tar.bz2
openbsd-26010e9c7baa4f220e97d24329f0c64fc74430dd.zip
1 files changed, 0 insertions, 732 deletions
diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c
deleted file mode 100644
index 9886852e0f..0000000000
--- a/src/lib/libcrypto/ecdsa/ecs_ossl.c
+++ /dev/null
@@ -1,732 +0,0 @@
-/* $OpenBSD: ecs_ossl.c,v 1.73 2023/07/05 11:37:46 tb Exp $ */
-/*
- * Written by Nils Larsch for the OpenSSL project
- */
-/* ====================================================================
- * Copyright (c) 1998-2004 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#include <string.h>
-#include <openssl/opensslconf.h>
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include "bn_local.h"
-#include "ec_local.h"
-#include "ecdsa_local.h"
-/*
- * FIPS 186-5, section 6.4.1, step 2: convert hashed message into an integer.
- * Use the order_bits leftmost bits if it exceeds the group order.
- */
-static int
-ecdsa_prepare_digest(const unsigned char *digest, int digest_len,
-    const EC_KEY *key, BIGNUM *e)
-{
-        const EC_GROUP *group;
-        int digest_bits, order_bits;
-        if (!BN_bin2bn(digest, digest_len, e)) {
-                ECDSAerror(ERR_R_BN_LIB);
-                return 0;
-        }
-        if ((group = EC_KEY_get0_group(key)) == NULL)
-                return 0;
-        order_bits = EC_GROUP_order_bits(group);
-        digest_bits = 8 * digest_len;
-        if (digest_bits <= order_bits)
-                return 1;
-        return BN_rshift(e, e, digest_bits - order_bits);
-}
-int
-ecdsa_sign(int type, const unsigned char *digest, int digest_len,
-    unsigned char *signature, unsigned int *signature_len, const BIGNUM *kinv,
-    const BIGNUM *r, EC_KEY *key)
-{
-        ECDSA_SIG *sig;
-        int out_len = 0;
-        int ret = 0;
-        if ((sig = ECDSA_do_sign_ex(digest, digest_len, kinv, r, key)) == NULL)
-                goto err;
-        if ((out_len = i2d_ECDSA_SIG(sig, &signature)) < 0) {
-                out_len = 0;
-                goto err;
-        }
-        ret = 1;
- err:
-        *signature_len = out_len;
-        ECDSA_SIG_free(sig);
-        return ret;
-}
-/*
- * FIPS 186-5, section 6.4.1, steps 3-8 and 11: Generate k, calculate r and
- * kinv, and clear it. If r == 0, try again with a new random k.
- */
-int
-ecdsa_sign_setup(EC_KEY *key, BN_CTX *in_ctx, BIGNUM **out_kinv, BIGNUM **out_r)
-{
-        const EC_GROUP *group;
-        EC_POINT *point = NULL;
-        BN_CTX *ctx = NULL;
-        BIGNUM *k = NULL, *r = NULL;
-        const BIGNUM *order;
-        BIGNUM *x;
-        int order_bits;
-        int ret = 0;
-        BN_free(*out_kinv);
-        *out_kinv = NULL;
-        BN_free(*out_r);
-        *out_r = NULL;
-        if (key == NULL) {
-                ECDSAerror(ERR_R_PASSED_NULL_PARAMETER);
-                goto err;
-        }
-        if ((group = EC_KEY_get0_group(key)) == NULL) {
-                ECDSAerror(ERR_R_PASSED_NULL_PARAMETER);
-                goto err;
-        }
-        if ((k = BN_new()) == NULL)
-                goto err;
-        if ((r = BN_new()) == NULL)
-                goto err;
-        if ((ctx = in_ctx) == NULL)
-                ctx = BN_CTX_new();
-        if (ctx == NULL) {
-                ECDSAerror(ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        BN_CTX_start(ctx);
-        if ((x = BN_CTX_get(ctx)) == NULL)
-                goto err;
-        if ((point = EC_POINT_new(group)) == NULL) {
-                ECDSAerror(ERR_R_EC_LIB);
-                goto err;
-        }
-        if ((order = EC_GROUP_get0_order(group)) == NULL) {
-                ECDSAerror(ERR_R_EC_LIB);
-                goto err;
-        }
-        if (BN_cmp(order, BN_value_one()) <= 0) {
-                ECDSAerror(EC_R_INVALID_GROUP_ORDER);
-                goto err;
-        }
-        /* Reject curves with an order that is smaller than 80 bits. */
-        if ((order_bits = BN_num_bits(order)) < 80) {
-                ECDSAerror(EC_R_INVALID_GROUP_ORDER);
-                goto err;
-        }
-        /* Preallocate space. */
-        if (!BN_set_bit(k, order_bits) ||
-            !BN_set_bit(r, order_bits) ||
-            !BN_set_bit(x, order_bits))
-                goto err;
-        /* Step 11: repeat until r != 0. */
-        do {
-                /* Step 3: generate random k. */
-                if (!bn_rand_interval(k, BN_value_one(), order)) {
-                        ECDSAerror(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
-                        goto err;
-                }
-                /*
-                 * We do not want timing information to leak the length of k,
-                 * so we compute G * k using an equivalent scalar of fixed
-                 * bit-length.
-                 *
-                 * We unconditionally perform both of these additions to prevent
-                 * a small timing information leakage.  We then choose the sum
-                 * that is one bit longer than the order.  This guarantees the
-                 * code path used in the constant time implementations
-                 * elsewhere.
-                 *
-                 * TODO: revisit the bn_copy aiming for a memory access agnostic
-                 * conditional copy.
-                 */
-                if (!BN_add(r, k, order) ||
-                    !BN_add(x, r, order) ||
-                    !bn_copy(k, BN_num_bits(r) > order_bits ? r : x))
-                        goto err;
-                BN_set_flags(k, BN_FLG_CONSTTIME);
-                /* Step 5: P = k * G. */
-                if (!EC_POINT_mul(group, point, k, NULL, NULL, ctx)) {
-                        ECDSAerror(ERR_R_EC_LIB);
-                        goto err;
-                }
-                /* Steps 6 (and 7): from P = (x, y) retain the x-coordinate. */
-                if (!EC_POINT_get_affine_coordinates(group, point, x, NULL,
-                    ctx)) {
-                        ECDSAerror(ERR_R_EC_LIB);
-                        goto err;
-                }
-                /* Step 8: r = x (mod order). */
-                if (!BN_nnmod(r, x, order, ctx)) {
-                        ECDSAerror(ERR_R_BN_LIB);
-                        goto err;
-                }
-        } while (BN_is_zero(r));
-        /* Step 4: calculate kinv. */
-        if (BN_mod_inverse_ct(k, k, order, ctx) == NULL) {
-                ECDSAerror(ERR_R_BN_LIB);
-                goto err;
-        }
-        *out_kinv = k;
-        k = NULL;
-        *out_r = r;
-        r = NULL;
-        ret = 1;
- err:
-        BN_CTX_end(ctx);
-        if (ctx != in_ctx)
-                BN_CTX_free(ctx);
-        BN_free(k);
-        BN_free(r);
-        EC_POINT_free(point);
-        return ret;
-}
-/*
- * FIPS 186-5, section 6.4.1, step 9: compute s = inv(k)(e + xr) mod order.
- * In order to reduce the possibility of a side-channel attack, the following
- * is calculated using a random blinding value b in [1, order):
- * s = inv(b)(be + bxr)inv(k) mod order.
- */
-static int
-ecdsa_compute_s(BIGNUM **out_s, const BIGNUM *e, const BIGNUM *kinv,
-    const BIGNUM *r, const EC_KEY *key, BN_CTX *ctx)
-{
-        const EC_GROUP *group;
-        const BIGNUM *order, *priv_key;
-        BIGNUM *b, *binv, *be, *bxr;
-        BIGNUM *s = NULL;
-        int ret = 0;
-        *out_s = NULL;
-        BN_CTX_start(ctx);
-        if ((group = EC_KEY_get0_group(key)) == NULL) {
-                ECDSAerror(ERR_R_PASSED_NULL_PARAMETER);
-                goto err;
-        }
-        if ((order = EC_GROUP_get0_order(group)) == NULL) {
-                ECDSAerror(ERR_R_EC_LIB);
-                goto err;
-        }
-        if ((priv_key = EC_KEY_get0_private_key(key)) == NULL) {
-                ECDSAerror(ERR_R_PASSED_NULL_PARAMETER);
-                goto err;
-        }
-        if ((b = BN_CTX_get(ctx)) == NULL)
-                goto err;
-        if ((binv = BN_CTX_get(ctx)) == NULL)
-                goto err;
-        if ((be = BN_CTX_get(ctx)) == NULL)
-                goto err;
-        if ((bxr = BN_CTX_get(ctx)) == NULL)
-                goto err;
-        if ((s = BN_new()) == NULL)
-                goto err;
-        /*
-         * In a valid ECDSA signature, r must be in [1, order). Since r can be
-         * caller provided - either directly or by replacing sign_setup() - we
-         * can't rely on this being the case.
-         */
-        if (BN_cmp(r, BN_value_one()) < 0 || BN_cmp(r, order) >= 0) {
-                ECDSAerror(ECDSA_R_BAD_SIGNATURE);
-                goto err;
-        }
-        if (!bn_rand_interval(b, BN_value_one(), order)) {
-                ECDSAerror(ERR_R_BN_LIB);
-                goto err;
-        }
-        if (BN_mod_inverse_ct(binv, b, order, ctx) == NULL) {
-                ECDSAerror(ERR_R_BN_LIB);
-                goto err;
-        }
-        if (!BN_mod_mul(bxr, b, priv_key, order, ctx)) {
-                ECDSAerror(ERR_R_BN_LIB);
-                goto err;
-        }
-        if (!BN_mod_mul(bxr, bxr, r, order, ctx)) {
-                ECDSAerror(ERR_R_BN_LIB);
-                goto err;
-        }
-        if (!BN_mod_mul(be, b, e, order, ctx)) {
-                ECDSAerror(ERR_R_BN_LIB);
-                goto err;
-        }
-        if (!BN_mod_add(s, be, bxr, order, ctx)) {
-                ECDSAerror(ERR_R_BN_LIB);
-                goto err;
-        }
-        /* s = b(e + xr)k^-1 */
-        if (!BN_mod_mul(s, s, kinv, order, ctx)) {
-                ECDSAerror(ERR_R_BN_LIB);
-                goto err;
-        }
-        /* s = (e + xr)k^-1 */
-        if (!BN_mod_mul(s, s, binv, order, ctx)) {
-                ECDSAerror(ERR_R_BN_LIB);
-                goto err;
-        }
-        /* Step 11: if s == 0 start over. */
-        if (!BN_is_zero(s)) {
-                *out_s = s;
-                s = NULL;
-        }
-        ret = 1;
- err:
-        BN_CTX_end(ctx);
-        BN_free(s);
-        return ret;
-}
-/*
- * It is too expensive to check curve parameters on every sign operation.
- * Instead, cap the number of retries. A single retry is very unlikely, so
- * allowing 32 retries is amply enough.
- */
-#define ECDSA_MAX_SIGN_ITERATIONS               32
-/*
- * FIPS 186-5: Section 6.4.1: ECDSA signature generation, steps 2-12.
- * The caller provides the hash of the message, thus performs step 1.
- * Step 10, zeroing k and kinv, is done by BN_free().
- */
-ECDSA_SIG *
-ecdsa_sign_sig(const unsigned char *digest, int digest_len,
-    const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *key)
-{
-        BN_CTX *ctx = NULL;
-        BIGNUM *kinv = NULL, *r = NULL, *s = NULL;
-        BIGNUM *e;
-        int caller_supplied_values = 0;
-        int attempts = 0;
-        ECDSA_SIG *sig = NULL;
-        if ((ctx = BN_CTX_new()) == NULL) {
-                ECDSAerror(ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        BN_CTX_start(ctx);
-        if ((e = BN_CTX_get(ctx)) == NULL)
-                goto err;
-        /* Step 2: convert hash into an integer. */
-        if (!ecdsa_prepare_digest(digest, digest_len, key, e))
-                goto err;
-        if (in_kinv != NULL && in_r != NULL) {
-                /*
-                 * Use the caller's kinv and r. Don't call ECDSA_sign_setup().
-                 * If we're unable to compute a valid signature, the caller
-                 * must provide new values.
-                 */
-                caller_supplied_values = 1;
-                if ((kinv = BN_dup(in_kinv)) == NULL) {
-                        ECDSAerror(ERR_R_MALLOC_FAILURE);
-                        goto err;
-                }
-                if ((r = BN_dup(in_r)) == NULL) {
-                        ECDSAerror(ERR_R_MALLOC_FAILURE);
-                        goto err;
-                }
-        }
-        do {
-                /* Steps 3-8: calculate kinv and r. */
-                if (!caller_supplied_values) {
-                        if (!ECDSA_sign_setup(key, ctx, &kinv, &r)) {
-                                ECDSAerror(ERR_R_ECDSA_LIB);
-                                goto err;
-                        }
-                }
-                /*
-                 * Steps 9 and 11: if s is non-NULL, we have a valid signature.
-                 */
-                if (!ecdsa_compute_s(&s, e, kinv, r, key, ctx))
-                        goto err;
-                if (s != NULL)
-                        break;
-                if (caller_supplied_values) {
-                        ECDSAerror(ECDSA_R_NEED_NEW_SETUP_VALUES);
-                        goto err;
-                }
-                if (++attempts > ECDSA_MAX_SIGN_ITERATIONS) {
-                        ECDSAerror(EC_R_WRONG_CURVE_PARAMETERS);
-                        goto err;
-                }
-        } while (1);
-        /* Step 12: output (r, s). */
-        if ((sig = ECDSA_SIG_new()) == NULL) {
-                ECDSAerror(ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        if (!ECDSA_SIG_set0(sig, r, s)) {
-                ECDSA_SIG_free(sig);
-                goto err;
-        }
-        r = NULL;
-        s = NULL;
- err:
-        BN_CTX_end(ctx);
-        BN_CTX_free(ctx);
-        BN_free(kinv);
-        BN_free(r);
-        BN_free(s);
-        return sig;
-}
-int
-ecdsa_verify(int type, const unsigned char *digest, int digest_len,
-    const unsigned char *sigbuf, int sig_len, EC_KEY *key)
-{
-        ECDSA_SIG *s;
-        unsigned char *der = NULL;
-        const unsigned char *p;
-        int der_len = 0;
-        int ret = -1;
-        if ((s = ECDSA_SIG_new()) == NULL)
-                goto err;
-        p = sigbuf;
-        if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL)
-                goto err;
-        /* Ensure signature uses DER and doesn't have trailing garbage */
-        if ((der_len = i2d_ECDSA_SIG(s, &der)) != sig_len)
-                goto err;
-        if (timingsafe_memcmp(sigbuf, der, der_len))
-                goto err;
-        ret = ECDSA_do_verify(digest, digest_len, s, key);
- err:
-        freezero(der, der_len);
-        ECDSA_SIG_free(s);
-        return ret;
-}
-/*
- * FIPS 186-5, section 6.4.2: ECDSA signature verification.
- * The caller provides us with the hash of the message, so has performed step 2.
- */
-int
-ecdsa_verify_sig(const unsigned char *digest, int digest_len,
-    const ECDSA_SIG *sig, EC_KEY *key)
-{
-        const EC_GROUP *group;
-        const EC_POINT *pub_key;
-        EC_POINT *point = NULL;
-        const BIGNUM *order;
-        BN_CTX *ctx = NULL;
-        BIGNUM *e, *sinv, *u, *v, *x;
-        int ret = -1;
-        if (key == NULL || sig == NULL) {
-                ECDSAerror(ECDSA_R_MISSING_PARAMETERS);
-                goto err;
-        }
-        if ((group = EC_KEY_get0_group(key)) == NULL) {
-                ECDSAerror(ECDSA_R_MISSING_PARAMETERS);
-                goto err;
-        }
-        if ((pub_key = EC_KEY_get0_public_key(key)) == NULL) {
-                ECDSAerror(ECDSA_R_MISSING_PARAMETERS);
-                goto err;
-        }
-        if ((ctx = BN_CTX_new()) == NULL) {
-                ECDSAerror(ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        BN_CTX_start(ctx);
-        if ((e = BN_CTX_get(ctx)) == NULL)
-                goto err;
-        if ((sinv = BN_CTX_get(ctx)) == NULL)
-                goto err;
-        if ((u = BN_CTX_get(ctx)) == NULL)
-                goto err;
-        if ((v = BN_CTX_get(ctx)) == NULL)
-                goto err;
-        if ((x = BN_CTX_get(ctx)) == NULL)
-                goto err;
-        if ((order = EC_GROUP_get0_order(group)) == NULL) {
-                ECDSAerror(ERR_R_EC_LIB);
-                goto err;
-        }
-        /* Step 1: verify that r and s are in the range [1, order). */
-        if (BN_cmp(sig->r, BN_value_one()) < 0 || BN_cmp(sig->r, order) >= 0) {
-                ECDSAerror(ECDSA_R_BAD_SIGNATURE);
-                ret = 0;
-                goto err;
-        }
-        if (BN_cmp(sig->s, BN_value_one()) < 0 || BN_cmp(sig->s, order) >= 0) {
-                ECDSAerror(ECDSA_R_BAD_SIGNATURE);
-                ret = 0;
-                goto err;
-        }
-        /* Step 3: convert the hash into an integer. */
-        if (!ecdsa_prepare_digest(digest, digest_len, key, e))
-                goto err;
-        /* Step 4: compute the inverse of s modulo order. */
-        if (BN_mod_inverse_ct(sinv, sig->s, order, ctx) == NULL) {
-                ECDSAerror(ERR_R_BN_LIB);
-                goto err;
-        }
-        /* Step 5: compute u = s^-1 * e and v = s^-1 * r (modulo order). */
-        if (!BN_mod_mul(u, e, sinv, order, ctx)) {
-                ECDSAerror(ERR_R_BN_LIB);
-                goto err;
-        }
-        if (!BN_mod_mul(v, sig->r, sinv, order, ctx)) {
-                ECDSAerror(ERR_R_BN_LIB);
-                goto err;
-        }
-        /*
-         * Steps 6 and 7: compute R = G * u + pub_key * v = (x, y). Reject if
-         * it's the point at infinity - getting affine coordinates fails. Keep
-         * the x coordinate.
-         */
-        if ((point = EC_POINT_new(group)) == NULL) {
-                ECDSAerror(ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        if (!EC_POINT_mul(group, point, u, pub_key, v, ctx)) {
-                ECDSAerror(ERR_R_EC_LIB);
-                goto err;
-        }
-        if (!EC_POINT_get_affine_coordinates(group, point, x, NULL, ctx)) {
-                ECDSAerror(ERR_R_EC_LIB);
-                goto err;
-        }
-        /* Step 8: convert x to a number in [0, order). */
-        if (!BN_nnmod(x, x, order, ctx)) {
-                ECDSAerror(ERR_R_BN_LIB);
-                goto err;
-        }
-        /* Step 9: the signature is valid iff the x-coordinate is equal to r. */
-        ret = (BN_cmp(x, sig->r) == 0);
- err:
-        BN_CTX_end(ctx);
-        BN_CTX_free(ctx);
-        EC_POINT_free(point);
-        return ret;
-}
-ECDSA_SIG *
-ECDSA_do_sign(const unsigned char *digest, int digest_len, EC_KEY *key)
-{
-        return ECDSA_do_sign_ex(digest, digest_len, NULL, NULL, key);
-}
-ECDSA_SIG *
-ECDSA_do_sign_ex(const unsigned char *digest, int digest_len,
-    const BIGNUM *kinv, const BIGNUM *out_r, EC_KEY *key)
-{
-        if (key->meth->sign_sig == NULL) {
-                ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED);
-                return 0;
-        }
-        return key->meth->sign_sig(digest, digest_len, kinv, out_r, key);
-}
-int
-ECDSA_sign(int type, const unsigned char *digest, int digest_len,
-    unsigned char *signature, unsigned int *signature_len, EC_KEY *key)
-{
-        return ECDSA_sign_ex(type, digest, digest_len, signature, signature_len,
-            NULL, NULL, key);
-}
-int
-ECDSA_sign_ex(int type, const unsigned char *digest, int digest_len,
-    unsigned char *signature, unsigned int *signature_len, const BIGNUM *kinv,
-    const BIGNUM *r, EC_KEY *key)
-{
-        if (key->meth->sign == NULL) {
-                ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED);
-                return 0;
-        }
-        return key->meth->sign(type, digest, digest_len, signature,
-            signature_len, kinv, r, key);
-}
-int
-ECDSA_sign_setup(EC_KEY *key, BN_CTX *in_ctx, BIGNUM **out_kinv,
-    BIGNUM **out_r)
-{
-        if (key->meth->sign_setup == NULL) {
-                ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED);
-                return 0;
-        }
-        return key->meth->sign_setup(key, in_ctx, out_kinv, out_r);
-}
-int
-ECDSA_do_verify(const unsigned char *digest, int digest_len,
-    const ECDSA_SIG *sig, EC_KEY *key)
-{
-        if (key->meth->verify_sig == NULL) {
-                ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED);
-                return 0;
-        }
-        return key->meth->verify_sig(digest, digest_len, sig, key);
-}
-int
-ECDSA_verify(int type, const unsigned char *digest, int digest_len,
-    const unsigned char *sigbuf, int sig_len, EC_KEY *key)
-{
-        if (key->meth->verify == NULL) {
-                ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED);
-                return 0;
-        }
-        return key->meth->verify(type, digest, digest_len, sigbuf, sig_len, key);
-}
-int
-ECDSA_size(const EC_KEY *r)
-{
-        const EC_GROUP *group;
-        const BIGNUM *order = NULL;
-        ECDSA_SIG sig;
-        int ret = 0;
-        if (r == NULL)
-                goto err;
-        if ((group = EC_KEY_get0_group(r)) == NULL)
-                goto err;
-        if ((order = EC_GROUP_get0_order(group)) == NULL)
-                goto err;
-        sig.r = (BIGNUM *)order;
-        sig.s = (BIGNUM *)order;
-        if ((ret = i2d_ECDSA_SIG(&sig, NULL)) < 0)
-                ret = 0;
- err:
-        return ret;
-}
author	tb <>	2023-07-05 12:18:21 +0000
committer	tb <>	2023-07-05 12:18:21 +0000
commit	26010e9c7baa4f220e97d24329f0c64fc74430dd (patch)
tree	b7f4ae59c723f184139ba5a50306a43fb49194f4 /src/lib/libcrypto/ecdsa/ecs_ossl.c
parent	a71fe1d5846a4f1db4c2478c65f65ca026866e81 (diff)
download	openbsd-26010e9c7baa4f220e97d24329f0c64fc74430dd.tar.gz openbsd-26010e9c7baa4f220e97d24329f0c64fc74430dd.tar.bz2 openbsd-26010e9c7baa4f220e97d24329f0c64fc74430dd.zip

diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c deleted file mode 100644 index 9886852e0f..0000000000 --- a/src/lib/libcrypto/ecdsa/ecs_ossl.c +++ /dev/null
@@ -1,732 +0,0 @@
1	/* $OpenBSD: ecs_ossl.c,v 1.73 2023/07/05 11:37:46 tb Exp $ */
2	/*
3	* Written by Nils Larsch for the OpenSSL project
4	*/
5	/* ====================================================================
6	* Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved.
7	*
8	* Redistribution and use in source and binary forms, with or without
9	* modification, are permitted provided that the following conditions
10	* are met:
11	*
12	* 1. Redistributions of source code must retain the above copyright
13	* notice, this list of conditions and the following disclaimer.
14	*
15	* 2. Redistributions in binary form must reproduce the above copyright
16	* notice, this list of conditions and the following disclaimer in
17	* the documentation and/or other materials provided with the
18	* distribution.
19	*
20	* 3. All advertising materials mentioning features or use of this
21	* software must display the following acknowledgment:
22	* "This product includes software developed by the OpenSSL Project
23	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24	*
25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26	* endorse or promote products derived from this software without
27	* prior written permission. For written permission, please contact
28	* openssl-core@OpenSSL.org.
29	*
30	* 5. Products derived from this software may not be called "OpenSSL"
31	* nor may "OpenSSL" appear in their names without prior written
32	* permission of the OpenSSL Project.
33	*
34	* 6. Redistributions of any form whatsoever must retain the following
35	* acknowledgment:
36	* "This product includes software developed by the OpenSSL Project
37	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38	*
39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50	* OF THE POSSIBILITY OF SUCH DAMAGE.
51	* ====================================================================
52	*
53	* This product includes cryptographic software written by Eric Young
54	* (eay@cryptsoft.com). This product includes software written by Tim
55	* Hudson (tjh@cryptsoft.com).
56	*
57	*/
58
59	#include <string.h>
60
61	#include <openssl/opensslconf.h>
62
63	#include <openssl/bn.h>
64	#include <openssl/err.h>
65	#include <openssl/evp.h>
66	#include <openssl/objects.h>
67
68	#include "bn_local.h"
69	#include "ec_local.h"
70	#include "ecdsa_local.h"
71
72	/*
73	* FIPS 186-5, section 6.4.1, step 2: convert hashed message into an integer.
74	* Use the order_bits leftmost bits if it exceeds the group order.
75	*/
76	static int
77	ecdsa_prepare_digest(const unsigned char *digest, int digest_len,
78	const EC_KEY key, BIGNUM e)
79	{
80	const EC_GROUP *group;
81	int digest_bits, order_bits;
82
83	if (!BN_bin2bn(digest, digest_len, e)) {
84	ECDSAerror(ERR_R_BN_LIB);
85	return 0;
86	}
87
88	if ((group = EC_KEY_get0_group(key)) == NULL)
89	return 0;
90	order_bits = EC_GROUP_order_bits(group);
91
92	digest_bits = 8 * digest_len;
93	if (digest_bits <= order_bits)
94	return 1;
95
96	return BN_rshift(e, e, digest_bits - order_bits);
97	}
98
99	int
100	ecdsa_sign(int type, const unsigned char *digest, int digest_len,
101	unsigned char signature, unsigned int signature_len, const BIGNUM *kinv,
102	const BIGNUM r, EC_KEY key)
103	{
104	ECDSA_SIG *sig;
105	int out_len = 0;
106	int ret = 0;
107
108	if ((sig = ECDSA_do_sign_ex(digest, digest_len, kinv, r, key)) == NULL)
109	goto err;
110
111	if ((out_len = i2d_ECDSA_SIG(sig, &signature)) < 0) {
112	out_len = 0;
113	goto err;
114	}
115
116	ret = 1;
117
118	err:
119	*signature_len = out_len;
120	ECDSA_SIG_free(sig);
121
122	return ret;
123	}
124
125	/*
126	* FIPS 186-5, section 6.4.1, steps 3-8 and 11: Generate k, calculate r and
127	* kinv, and clear it. If r == 0, try again with a new random k.
128	*/
129
130	int
131	ecdsa_sign_setup(EC_KEY key, BN_CTX in_ctx, BIGNUM out_kinv, BIGNUM out_r)
132	{
133	const EC_GROUP *group;
134	EC_POINT *point = NULL;
135	BN_CTX *ctx = NULL;
136	BIGNUM k = NULL, r = NULL;
137	const BIGNUM *order;
138	BIGNUM *x;
139	int order_bits;
140	int ret = 0;
141
142	BN_free(*out_kinv);
143	*out_kinv = NULL;
144
145	BN_free(*out_r);
146	*out_r = NULL;
147
148	if (key == NULL) {
149	ECDSAerror(ERR_R_PASSED_NULL_PARAMETER);
150	goto err;
151	}
152	if ((group = EC_KEY_get0_group(key)) == NULL) {
153	ECDSAerror(ERR_R_PASSED_NULL_PARAMETER);
154	goto err;
155	}
156
157	if ((k = BN_new()) == NULL)
158	goto err;
159	if ((r = BN_new()) == NULL)
160	goto err;
161
162	if ((ctx = in_ctx) == NULL)
163	ctx = BN_CTX_new();
164	if (ctx == NULL) {
165	ECDSAerror(ERR_R_MALLOC_FAILURE);
166	goto err;
167	}
168
169	BN_CTX_start(ctx);
170
171	if ((x = BN_CTX_get(ctx)) == NULL)
172	goto err;
173
174	if ((point = EC_POINT_new(group)) == NULL) {
175	ECDSAerror(ERR_R_EC_LIB);
176	goto err;
177	}
178	if ((order = EC_GROUP_get0_order(group)) == NULL) {
179	ECDSAerror(ERR_R_EC_LIB);
180	goto err;
181	}
182
183	if (BN_cmp(order, BN_value_one()) <= 0) {
184	ECDSAerror(EC_R_INVALID_GROUP_ORDER);
185	goto err;
186	}
187
188	/* Reject curves with an order that is smaller than 80 bits. */
189	if ((order_bits = BN_num_bits(order)) < 80) {
190	ECDSAerror(EC_R_INVALID_GROUP_ORDER);
191	goto err;
192	}
193
194	/* Preallocate space. */
195	if (!BN_set_bit(k, order_bits) \|\|
196	!BN_set_bit(r, order_bits) \|\|
197	!BN_set_bit(x, order_bits))
198	goto err;
199
200	/* Step 11: repeat until r != 0. */
201	do {
202	/* Step 3: generate random k. */
203	if (!bn_rand_interval(k, BN_value_one(), order)) {
204	ECDSAerror(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
205	goto err;
206	}
207
208	/*
209	* We do not want timing information to leak the length of k,
210	* so we compute G * k using an equivalent scalar of fixed
211	* bit-length.
212	*
213	* We unconditionally perform both of these additions to prevent
214	* a small timing information leakage. We then choose the sum
215	* that is one bit longer than the order. This guarantees the
216	* code path used in the constant time implementations
217	* elsewhere.
218	*
219	* TODO: revisit the bn_copy aiming for a memory access agnostic
220	* conditional copy.
221	*/
222	if (!BN_add(r, k, order) \|\|
223	!BN_add(x, r, order) \|\|
224	!bn_copy(k, BN_num_bits(r) > order_bits ? r : x))
225	goto err;
226
227	BN_set_flags(k, BN_FLG_CONSTTIME);
228
229	/* Step 5: P = k * G. */
230	if (!EC_POINT_mul(group, point, k, NULL, NULL, ctx)) {
231	ECDSAerror(ERR_R_EC_LIB);
232	goto err;
233	}
234	/* Steps 6 (and 7): from P = (x, y) retain the x-coordinate. */
235	if (!EC_POINT_get_affine_coordinates(group, point, x, NULL,
236	ctx)) {
237	ECDSAerror(ERR_R_EC_LIB);
238	goto err;
239	}
240	/* Step 8: r = x (mod order). */
241	if (!BN_nnmod(r, x, order, ctx)) {
242	ECDSAerror(ERR_R_BN_LIB);
243	goto err;
244	}
245	} while (BN_is_zero(r));
246
247	/* Step 4: calculate kinv. */
248	if (BN_mod_inverse_ct(k, k, order, ctx) == NULL) {
249	ECDSAerror(ERR_R_BN_LIB);
250	goto err;
251	}
252
253	*out_kinv = k;
254	k = NULL;
255
256	*out_r = r;
257	r = NULL;
258
259	ret = 1;
260
261	err:
262	BN_CTX_end(ctx);
263	if (ctx != in_ctx)
264	BN_CTX_free(ctx);
265	BN_free(k);
266	BN_free(r);
267	EC_POINT_free(point);
268
269	return ret;
270	}
271
272	/*
273	* FIPS 186-5, section 6.4.1, step 9: compute s = inv(k)(e + xr) mod order.
274	* In order to reduce the possibility of a side-channel attack, the following
275	* is calculated using a random blinding value b in [1, order):
276	* s = inv(b)(be + bxr)inv(k) mod order.
277	*/
278
279	static int
280	ecdsa_compute_s(BIGNUM *out_s, const BIGNUM e, const BIGNUM *kinv,
281	const BIGNUM r, const EC_KEY key, BN_CTX *ctx)
282	{
283	const EC_GROUP *group;
284	const BIGNUM order, priv_key;
285	BIGNUM b, binv, be, bxr;
286	BIGNUM *s = NULL;
287	int ret = 0;
288
289	*out_s = NULL;
290
291	BN_CTX_start(ctx);
292
293	if ((group = EC_KEY_get0_group(key)) == NULL) {
294	ECDSAerror(ERR_R_PASSED_NULL_PARAMETER);
295	goto err;
296	}
297	if ((order = EC_GROUP_get0_order(group)) == NULL) {
298	ECDSAerror(ERR_R_EC_LIB);
299	goto err;
300	}
301	if ((priv_key = EC_KEY_get0_private_key(key)) == NULL) {
302	ECDSAerror(ERR_R_PASSED_NULL_PARAMETER);
303	goto err;
304	}
305
306	if ((b = BN_CTX_get(ctx)) == NULL)
307	goto err;
308	if ((binv = BN_CTX_get(ctx)) == NULL)
309	goto err;
310	if ((be = BN_CTX_get(ctx)) == NULL)
311	goto err;
312	if ((bxr = BN_CTX_get(ctx)) == NULL)
313	goto err;
314
315	if ((s = BN_new()) == NULL)
316	goto err;
317
318	/*
319	* In a valid ECDSA signature, r must be in [1, order). Since r can be
320	* caller provided - either directly or by replacing sign_setup() - we
321	* can't rely on this being the case.
322	*/
323	if (BN_cmp(r, BN_value_one()) < 0 \|\| BN_cmp(r, order) >= 0) {
324	ECDSAerror(ECDSA_R_BAD_SIGNATURE);
325	goto err;
326	}
327
328	if (!bn_rand_interval(b, BN_value_one(), order)) {
329	ECDSAerror(ERR_R_BN_LIB);
330	goto err;
331	}
332
333	if (BN_mod_inverse_ct(binv, b, order, ctx) == NULL) {
334	ECDSAerror(ERR_R_BN_LIB);
335	goto err;
336	}
337
338	if (!BN_mod_mul(bxr, b, priv_key, order, ctx)) {
339	ECDSAerror(ERR_R_BN_LIB);
340	goto err;
341	}
342	if (!BN_mod_mul(bxr, bxr, r, order, ctx)) {
343	ECDSAerror(ERR_R_BN_LIB);
344	goto err;
345	}
346	if (!BN_mod_mul(be, b, e, order, ctx)) {
347	ECDSAerror(ERR_R_BN_LIB);
348	goto err;
349	}
350	if (!BN_mod_add(s, be, bxr, order, ctx)) {
351	ECDSAerror(ERR_R_BN_LIB);
352	goto err;
353	}
354	/* s = b(e + xr)k^-1 */
355	if (!BN_mod_mul(s, s, kinv, order, ctx)) {
356	ECDSAerror(ERR_R_BN_LIB);
357	goto err;
358	}
359	/* s = (e + xr)k^-1 */
360	if (!BN_mod_mul(s, s, binv, order, ctx)) {
361	ECDSAerror(ERR_R_BN_LIB);
362	goto err;
363	}
364
365	/* Step 11: if s == 0 start over. */
366	if (!BN_is_zero(s)) {
367	*out_s = s;
368	s = NULL;
369	}
370
371	ret = 1;
372
373	err:
374	BN_CTX_end(ctx);
375	BN_free(s);
376
377	return ret;
378	}
379
380	/*
381	* It is too expensive to check curve parameters on every sign operation.
382	* Instead, cap the number of retries. A single retry is very unlikely, so
383	* allowing 32 retries is amply enough.
384	*/
385	#define ECDSA_MAX_SIGN_ITERATIONS 32
386
387	/*
388	* FIPS 186-5: Section 6.4.1: ECDSA signature generation, steps 2-12.
389	* The caller provides the hash of the message, thus performs step 1.
390	* Step 10, zeroing k and kinv, is done by BN_free().
391	*/
392
393	ECDSA_SIG *
394	ecdsa_sign_sig(const unsigned char *digest, int digest_len,
395	const BIGNUM in_kinv, const BIGNUM in_r, EC_KEY *key)
396	{
397	BN_CTX *ctx = NULL;
398	BIGNUM kinv = NULL, r = NULL, *s = NULL;
399	BIGNUM *e;
400	int caller_supplied_values = 0;
401	int attempts = 0;
402	ECDSA_SIG *sig = NULL;
403
404	if ((ctx = BN_CTX_new()) == NULL) {
405	ECDSAerror(ERR_R_MALLOC_FAILURE);
406	goto err;
407	}
408
409	BN_CTX_start(ctx);
410
411	if ((e = BN_CTX_get(ctx)) == NULL)
412	goto err;
413
414	/* Step 2: convert hash into an integer. */
415	if (!ecdsa_prepare_digest(digest, digest_len, key, e))
416	goto err;
417
418	if (in_kinv != NULL && in_r != NULL) {
419	/*
420	* Use the caller's kinv and r. Don't call ECDSA_sign_setup().
421	* If we're unable to compute a valid signature, the caller
422	* must provide new values.
423	*/
424	caller_supplied_values = 1;
425
426	if ((kinv = BN_dup(in_kinv)) == NULL) {
427	ECDSAerror(ERR_R_MALLOC_FAILURE);
428	goto err;
429	}
430	if ((r = BN_dup(in_r)) == NULL) {
431	ECDSAerror(ERR_R_MALLOC_FAILURE);
432	goto err;
433	}
434	}
435
436	do {
437	/* Steps 3-8: calculate kinv and r. */
438	if (!caller_supplied_values) {
439	if (!ECDSA_sign_setup(key, ctx, &kinv, &r)) {
440	ECDSAerror(ERR_R_ECDSA_LIB);
441	goto err;
442	}
443	}
444
445	/*
446	* Steps 9 and 11: if s is non-NULL, we have a valid signature.
447	*/
448	if (!ecdsa_compute_s(&s, e, kinv, r, key, ctx))
449	goto err;
450	if (s != NULL)
451	break;
452
453	if (caller_supplied_values) {
454	ECDSAerror(ECDSA_R_NEED_NEW_SETUP_VALUES);
455	goto err;
456	}
457
458	if (++attempts > ECDSA_MAX_SIGN_ITERATIONS) {
459	ECDSAerror(EC_R_WRONG_CURVE_PARAMETERS);
460	goto err;
461	}
462	} while (1);
463
464	/* Step 12: output (r, s). */
465	if ((sig = ECDSA_SIG_new()) == NULL) {
466	ECDSAerror(ERR_R_MALLOC_FAILURE);
467	goto err;
468	}
469	if (!ECDSA_SIG_set0(sig, r, s)) {
470	ECDSA_SIG_free(sig);
471	goto err;
472	}
473	r = NULL;
474	s = NULL;
475
476	err:
477	BN_CTX_end(ctx);
478	BN_CTX_free(ctx);
479	BN_free(kinv);
480	BN_free(r);
481	BN_free(s);
482
483	return sig;
484	}
485
486	int
487	ecdsa_verify(int type, const unsigned char *digest, int digest_len,
488	const unsigned char sigbuf, int sig_len, EC_KEY key)
489	{
490	ECDSA_SIG *s;
491	unsigned char *der = NULL;
492	const unsigned char *p;
493	int der_len = 0;
494	int ret = -1;
495
496	if ((s = ECDSA_SIG_new()) == NULL)
497	goto err;
498
499	p = sigbuf;
500	if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL)
501	goto err;
502
503	/* Ensure signature uses DER and doesn't have trailing garbage */
504	if ((der_len = i2d_ECDSA_SIG(s, &der)) != sig_len)
505	goto err;
506	if (timingsafe_memcmp(sigbuf, der, der_len))
507	goto err;
508
509	ret = ECDSA_do_verify(digest, digest_len, s, key);
510
511	err:
512	freezero(der, der_len);
513	ECDSA_SIG_free(s);
514
515	return ret;
516	}
517
518	/*
519	* FIPS 186-5, section 6.4.2: ECDSA signature verification.
520	* The caller provides us with the hash of the message, so has performed step 2.
521	*/
522
523	int
524	ecdsa_verify_sig(const unsigned char *digest, int digest_len,
525	const ECDSA_SIG sig, EC_KEY key)
526	{
527	const EC_GROUP *group;
528	const EC_POINT *pub_key;
529	EC_POINT *point = NULL;
530	const BIGNUM *order;
531	BN_CTX *ctx = NULL;
532	BIGNUM e, sinv, u, v, *x;
533	int ret = -1;
534
535	if (key == NULL \|\| sig == NULL) {
536	ECDSAerror(ECDSA_R_MISSING_PARAMETERS);
537	goto err;
538	}
539	if ((group = EC_KEY_get0_group(key)) == NULL) {
540	ECDSAerror(ECDSA_R_MISSING_PARAMETERS);
541	goto err;
542	}
543	if ((pub_key = EC_KEY_get0_public_key(key)) == NULL) {
544	ECDSAerror(ECDSA_R_MISSING_PARAMETERS);
545	goto err;
546	}
547
548	if ((ctx = BN_CTX_new()) == NULL) {
549	ECDSAerror(ERR_R_MALLOC_FAILURE);
550	goto err;
551	}
552
553	BN_CTX_start(ctx);
554
555	if ((e = BN_CTX_get(ctx)) == NULL)
556	goto err;
557	if ((sinv = BN_CTX_get(ctx)) == NULL)
558	goto err;
559	if ((u = BN_CTX_get(ctx)) == NULL)
560	goto err;
561	if ((v = BN_CTX_get(ctx)) == NULL)
562	goto err;
563	if ((x = BN_CTX_get(ctx)) == NULL)
564	goto err;
565
566	if ((order = EC_GROUP_get0_order(group)) == NULL) {
567	ECDSAerror(ERR_R_EC_LIB);
568	goto err;
569	}
570
571	/* Step 1: verify that r and s are in the range [1, order). */
572	if (BN_cmp(sig->r, BN_value_one()) < 0 \|\| BN_cmp(sig->r, order) >= 0) {
573	ECDSAerror(ECDSA_R_BAD_SIGNATURE);
574	ret = 0;
575	goto err;
576	}
577	if (BN_cmp(sig->s, BN_value_one()) < 0 \|\| BN_cmp(sig->s, order) >= 0) {
578	ECDSAerror(ECDSA_R_BAD_SIGNATURE);
579	ret = 0;
580	goto err;
581	}
582
583	/* Step 3: convert the hash into an integer. */
584	if (!ecdsa_prepare_digest(digest, digest_len, key, e))
585	goto err;
586
587	/* Step 4: compute the inverse of s modulo order. */
588	if (BN_mod_inverse_ct(sinv, sig->s, order, ctx) == NULL) {
589	ECDSAerror(ERR_R_BN_LIB);
590	goto err;
591	}
592	/* Step 5: compute u = s^-1 * e and v = s^-1 * r (modulo order). */
593	if (!BN_mod_mul(u, e, sinv, order, ctx)) {
594	ECDSAerror(ERR_R_BN_LIB);
595	goto err;
596	}
597	if (!BN_mod_mul(v, sig->r, sinv, order, ctx)) {
598	ECDSAerror(ERR_R_BN_LIB);
599	goto err;
600	}
601
602	/*
603	* Steps 6 and 7: compute R = G * u + pub_key * v = (x, y). Reject if
604	* it's the point at infinity - getting affine coordinates fails. Keep
605	* the x coordinate.
606	*/
607	if ((point = EC_POINT_new(group)) == NULL) {
608	ECDSAerror(ERR_R_MALLOC_FAILURE);
609	goto err;
610	}
611	if (!EC_POINT_mul(group, point, u, pub_key, v, ctx)) {
612	ECDSAerror(ERR_R_EC_LIB);
613	goto err;
614	}
615	if (!EC_POINT_get_affine_coordinates(group, point, x, NULL, ctx)) {
616	ECDSAerror(ERR_R_EC_LIB);
617	goto err;
618	}
619	/* Step 8: convert x to a number in [0, order). */
620	if (!BN_nnmod(x, x, order, ctx)) {
621	ECDSAerror(ERR_R_BN_LIB);
622	goto err;
623	}
624
625	/* Step 9: the signature is valid iff the x-coordinate is equal to r. */
626	ret = (BN_cmp(x, sig->r) == 0);
627
628	err:
629	BN_CTX_end(ctx);
630	BN_CTX_free(ctx);
631	EC_POINT_free(point);
632
633	return ret;
634	}
635
636	ECDSA_SIG *
637	ECDSA_do_sign(const unsigned char digest, int digest_len, EC_KEY key)
638	{
639	return ECDSA_do_sign_ex(digest, digest_len, NULL, NULL, key);
640	}
641
642	ECDSA_SIG *
643	ECDSA_do_sign_ex(const unsigned char *digest, int digest_len,
644	const BIGNUM kinv, const BIGNUM out_r, EC_KEY *key)
645	{
646	if (key->meth->sign_sig == NULL) {
647	ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED);
648	return 0;
649	}
650	return key->meth->sign_sig(digest, digest_len, kinv, out_r, key);
651	}
652
653	int
654	ECDSA_sign(int type, const unsigned char *digest, int digest_len,
655	unsigned char signature, unsigned int signature_len, EC_KEY *key)
656	{
657	return ECDSA_sign_ex(type, digest, digest_len, signature, signature_len,
658	NULL, NULL, key);
659	}
660
661	int
662	ECDSA_sign_ex(int type, const unsigned char *digest, int digest_len,
663	unsigned char signature, unsigned int signature_len, const BIGNUM *kinv,
664	const BIGNUM r, EC_KEY key)
665	{
666	if (key->meth->sign == NULL) {
667	ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED);
668	return 0;
669	}
670	return key->meth->sign(type, digest, digest_len, signature,
671	signature_len, kinv, r, key);
672	}
673
674	int
675	ECDSA_sign_setup(EC_KEY key, BN_CTX in_ctx, BIGNUM **out_kinv,
676	BIGNUM **out_r)
677	{
678	if (key->meth->sign_setup == NULL) {
679	ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED);
680	return 0;
681	}
682	return key->meth->sign_setup(key, in_ctx, out_kinv, out_r);
683	}
684
685	int
686	ECDSA_do_verify(const unsigned char *digest, int digest_len,
687	const ECDSA_SIG sig, EC_KEY key)
688	{
689	if (key->meth->verify_sig == NULL) {
690	ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED);
691	return 0;
692	}
693	return key->meth->verify_sig(digest, digest_len, sig, key);
694	}
695
696	int
697	ECDSA_verify(int type, const unsigned char *digest, int digest_len,
698	const unsigned char sigbuf, int sig_len, EC_KEY key)
699	{
700	if (key->meth->verify == NULL) {
701	ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED);
702	return 0;
703	}
704	return key->meth->verify(type, digest, digest_len, sigbuf, sig_len, key);
705	}
706
707	int
708	ECDSA_size(const EC_KEY *r)
709	{
710	const EC_GROUP *group;
711	const BIGNUM *order = NULL;
712	ECDSA_SIG sig;
713	int ret = 0;
714
715	if (r == NULL)
716	goto err;
717
718	if ((group = EC_KEY_get0_group(r)) == NULL)
719	goto err;
720
721	if ((order = EC_GROUP_get0_order(group)) == NULL)
722	goto err;
723
724	sig.r = (BIGNUM *)order;
725	sig.s = (BIGNUM *)order;
726
727	if ((ret = i2d_ECDSA_SIG(&sig, NULL)) < 0)
728	ret = 0;
729
730	err:
731	return ret;
732	}