authortb <>2023-07-04 10:06:36 +0000
committertb <>2023-07-04 10:06:36 +0000
commit86d9e2671a60a6d38eb68893276182e4e22b3828 (patch)
treea4245e3ae608d2686fca1dcca8110f07d8c23920 /src/lib
parentaa6ae09c992307573b17674b1e762095dfd12da6 (diff)
Rework ecdsa_prepare_digest()
Make it take an EC_KEY instead of a group order in preparation for further cleanup. Rename m into e to match the standard better. Also buy some vowels for jsing. ok beck jsing
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libcrypto/ecdsa/ecs_ossl.c70
1 files changed, 35 insertions, 35 deletions
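diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c
index 5b5013d631..be74d3b95c 100644
--- a/src/lib/libcrypto/ecdsa/ecs_ossl.c
+++ b/src/lib/libcrypto/ecdsa/ecs_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecs_ossl.c,v 1.62 2023/07/04 07:38:31 tb Exp $ */
+/* $OpenBSD: ecs_ossl.c,v 1.63 2023/07/04 10:06:36 tb Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project
  */
@@ -69,31 +69,31 @@
 #include "ec_local.h"
 #include "ecs_local.h"
 
-static int ecdsa_prepare_digest(const unsigned char *dgst, int dgst_len,
- const BIGNUM *order, BIGNUM *ret);
-
+/*
+ * FIPS 186-5, section 6.4.1, step 2: convert hashed message into an integer.
+ * Use the order_bits leftmost bits if it exceeds the group order.
+ */
 static int
-ecdsa_prepare_digest(const unsigned char *dgst, int dgst_len,
- const BIGNUM *order, BIGNUM *ret)
+ecdsa_prepare_digest(const unsigned char *digest, int digest_len,
+ const EC_KEY *key, BIGNUM *e)
 {
- int dgst_bits, order_bits;
+ const EC_GROUP *group;
+ int digest_bits, order_bits;
 
- if (!BN_bin2bn(dgst, dgst_len, ret)) {
+ if (!BN_bin2bn(digest, digest_len, e)) {
  ECDSAerror(ERR_R_BN_LIB);
  return 0;
  }
 
- /* FIPS 186-3 6.4: Use order_bits leftmost bits if digest is too long */
- dgst_bits = 8 * dgst_len;
- order_bits = BN_num_bits(order);
- if (dgst_bits > order_bits) {
- if (!BN_rshift(ret, ret, dgst_bits - order_bits)) {
- ECDSAerror(ERR_R_BN_LIB);
- return 0;
- }
- }
+ if ((group = EC_KEY_get0_group(key)) == NULL)
+ return 0;
+ order_bits = EC_GROUP_order_bits(group);
+
+ digest_bits = 8 * digest_len;
+ if (digest_bits <= order_bits)
+ return 1;
 
- return 1;
+ return BN_rshift(e, e, digest_bits - order_bits);
 }
 
 int
@@ -260,17 +260,17 @@ ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *in_ctx, BIGNUM **out_kinv,
 }
 
 /*
- * FIPS 186-5, section 6.4.1, step 9: compute s = inv(k)(m + xr) mod order.
+ * FIPS 186-5, section 6.4.1, step 9: compute s = inv(k)(e + xr) mod order.
  * In order to reduce the possibility of a side-channel attack, the following
  * is calculated using a random blinding value b in [1, order):
- * s = inv(b)(bm + bxr)inv(k) mod order.
+ * s = inv(b)(be + bxr)inv(k) mod order.
  */
 
 static int
-ecdsa_compute_s(BIGNUM **out_s, const BIGNUM *m, const BIGNUM *kinv,
+ecdsa_compute_s(BIGNUM **out_s, const BIGNUM *e, const BIGNUM *kinv,
  const BIGNUM *r, const BIGNUM *priv_key, const BIGNUM *order, BN_CTX *ctx)
 {
- BIGNUM *b, *binv, *bm, *bxr;
+ BIGNUM *b, *binv, *be, *bxr;
  BIGNUM *s = NULL;
  int ret = 0;
 
@@ -282,7 +282,7 @@ ecdsa_compute_s(BIGNUM **out_s, const BIGNUM *m, const BIGNUM *kinv,
  goto err;
  if ((binv = BN_CTX_get(ctx)) == NULL)
  goto err;
- if ((bm = BN_CTX_get(ctx)) == NULL)
+ if ((be = BN_CTX_get(ctx)) == NULL)
  goto err;
  if ((bxr = BN_CTX_get(ctx)) == NULL)
  goto err;
@@ -308,20 +308,20 @@ ecdsa_compute_s(BIGNUM **out_s, const BIGNUM *m, const BIGNUM *kinv,
  ECDSAerror(ERR_R_BN_LIB);
  goto err;
  }
- if (!BN_mod_mul(bm, b, m, order, ctx)) {
+ if (!BN_mod_mul(be, b, e, order, ctx)) {
  ECDSAerror(ERR_R_BN_LIB);
  goto err;
  }
- if (!BN_mod_add(s, bm, bxr, order, ctx)) {
+ if (!BN_mod_add(s, be, bxr, order, ctx)) {
  ECDSAerror(ERR_R_BN_LIB);
  goto err;
  }
- /* s = b(m + xr)k^-1 */
+ /* s = b(e + xr)k^-1 */
  if (!BN_mod_mul(s, s, kinv, order, ctx)) {
  ECDSAerror(ERR_R_BN_LIB);
  goto err;
  }
- /* s = (m + xr)k^-1 */
+ /* s = (e + xr)k^-1 */
  if (!BN_mod_mul(s, s, binv, order, ctx)) {
  ECDSAerror(ERR_R_BN_LIB);
  goto err;
@@ -355,7 +355,7 @@ ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
  const EC_GROUP *group;
  BN_CTX *ctx = NULL;
  BIGNUM *kinv = NULL, *r = NULL, *s = NULL;
- BIGNUM *m;
+ BIGNUM *e;
  const BIGNUM *order, *priv_key;
  int caller_supplied_values = 0;
  int attempts = 0;
@@ -377,7 +377,7 @@ ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
 
  BN_CTX_start(ctx);
 
- if ((m = BN_CTX_get(ctx)) == NULL)
+ if ((e = BN_CTX_get(ctx)) == NULL)
  goto err;
 
  if ((order = EC_GROUP_get0_order(group)) == NULL) {
@@ -385,7 +385,7 @@ ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
  goto err;
  }
 
- if (!ecdsa_prepare_digest(dgst, dgst_len, order, m))
+ if (!ecdsa_prepare_digest(dgst, dgst_len, eckey, e))
  goto err;
 
  if (in_kinv != NULL && in_r != NULL) {
@@ -415,7 +415,7 @@ ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
  }
 
  /* If s is non-NULL, we have a valid signature. */
- if (!ecdsa_compute_s(&s, m, kinv, r, priv_key, order, ctx))
+ if (!ecdsa_compute_s(&s, e, kinv, r, priv_key, order, ctx))
  goto err;
  if (s != NULL)
  break;
@@ -493,7 +493,7 @@ ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *
  EC_POINT *point = NULL;
  const BIGNUM *order;
  BN_CTX *ctx = NULL;
- BIGNUM *u1, *u2, *m, *x;
+ BIGNUM *u1, *u2, *e, *x;
  int ret = -1;
 
  if (eckey == NULL || sig == NULL) {
@@ -520,7 +520,7 @@ ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *
  goto err;
  if ((u2 = BN_CTX_get(ctx)) == NULL)
  goto err;
- if ((m = BN_CTX_get(ctx)) == NULL)
+ if ((e = BN_CTX_get(ctx)) == NULL)
  goto err;
  if ((x = BN_CTX_get(ctx)) == NULL)
  goto err;
@@ -542,14 +542,14 @@ ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *
  goto err;
  }
 
- if (!ecdsa_prepare_digest(dgst, dgst_len, order, m))
+ if (!ecdsa_prepare_digest(dgst, dgst_len, eckey, e))
  goto err;
 
  if (BN_mod_inverse_ct(u2, sig->s, order, ctx) == NULL) { /* w = inv(s) */
  ECDSAerror(ERR_R_BN_LIB);
  goto err;
  }
- if (!BN_mod_mul(u1, m, u2, order, ctx)) { /* u1 = mw */
+ if (!BN_mod_mul(u1, e, u2, order, ctx)) { /* u1 = ew */
  ECDSAerror(ERR_R_BN_LIB);
  goto err;
  }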
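Review bot: The reworked ecdsa_prepare_digest() in the second hunk no longer queues an error on two of its three failure paths: `return BN_rshift(e, e, digest_bits - order_bits);` drops the ECDSAerror(ERR_R_BN_LIB) the old code pushed when the shift failed, and the new `if ((group = EC_KEY_get0_group(key)) == NULL) return 0;` returns without any ECDSAerror() at all, so sign and verify callers that hit either path now fail with an empty error stack while the BN_bin2bn() check just above still reports. Restoring the old shape for the shift, `if (!BN_rshift(e, e, digest_bits - order_bits)) { ECDSAerror(ERR_R_BN_LIB); return 0; }`, and pushing a suitable reason on the NULL-group branch keeps the helper's error reporting consistent with the rest of this file. Separately, if EC_GROUP_order_bits() can report 0 for a group whose order is not set, `digest_bits <= order_bits` is false for any non-empty digest and e is shifted right by all of its bits, silently becoming 0 instead of failing; both callers fetch and NULL-check the order themselves before calling, so this is presumably unreachable today, but an `if (order_bits <= 0) return 0;` guard after the EC_GROUP_order_bits() call would make the helper self-contained.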