1 files changed, 0 insertions, 430 deletions
diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c
deleted file mode 100644
index 31102138c0..0000000000
--- a/src/lib/libcrypto/ecdsa/ecs_ossl.c
+++ /dev/null
@@ -1,430 +0,0 @@
-/* $OpenBSD: ecs_ossl.c,v 1.6 2015/02/08 13:35:07 jsing Exp $ */
-/*
- * Written by Nils Larsch for the OpenSSL project
- */
-/* ====================================================================
- * Copyright (c) 1998-2004 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#include <openssl/opensslconf.h>
-#include "ecs_locl.h"
-#include <openssl/err.h>
-#include <openssl/obj_mac.h>
-#include <openssl/bn.h>
-static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen,
-    const BIGNUM *, const BIGNUM *, EC_KEY *eckey);
-static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
-    BIGNUM **rp);
-static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
-    const ECDSA_SIG *sig, EC_KEY *eckey);
-static ECDSA_METHOD openssl_ecdsa_meth = {
-        .name = "OpenSSL ECDSA method",
-        .ecdsa_do_sign = ecdsa_do_sign,
-        .ecdsa_sign_setup = ecdsa_sign_setup,
-        .ecdsa_do_verify = ecdsa_do_verify
-};
-const ECDSA_METHOD *
-ECDSA_OpenSSL(void)
-{
-        return &openssl_ecdsa_meth;
-}
-static int
-ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
-{
-        BN_CTX   *ctx = NULL;
-        BIGNUM   *k = NULL, *r = NULL, *order = NULL, *X = NULL;
-        EC_POINT *tmp_point = NULL;
-        const EC_GROUP *group;
-        int      ret = 0;
-        if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {
-                ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
-                return 0;
-        }
-        if (ctx_in == NULL) {
-                if ((ctx = BN_CTX_new()) == NULL) {
-                        ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
-                            ERR_R_MALLOC_FAILURE);
-                        return 0;
-                }
-        } else
-                ctx = ctx_in;
-        k = BN_new();   /* this value is later returned in *kinvp */
-        r = BN_new();   /* this value is later returned in *rp    */
-        order = BN_new();
-        X = BN_new();
-        if (!k || !r || !order || !X) {
-                ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        if ((tmp_point = EC_POINT_new(group)) == NULL) {
-                ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
-                goto err;
-        }
-        if (!EC_GROUP_get_order(group, order, ctx)) {
-                ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
-                goto err;
-        }
-        do {
-                /* get random k */
-                do
-                        if (!BN_rand_range(k, order)) {
-                                ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
-                                    ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
-                                goto err;
-                        }
-                while (BN_is_zero(k));
-                /* We do not want timing information to leak the length of k,
-                 * so we compute G*k using an equivalent scalar of fixed
-                 * bit-length. */
-                if (!BN_add(k, k, order))
-                        goto err;
-                if (BN_num_bits(k) <= BN_num_bits(order))
-                        if (!BN_add(k, k, order))
-                                goto err;
-                /* compute r the x-coordinate of generator * k */
-                if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
-                        ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
-                        goto err;
-                }
-                if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
-                    NID_X9_62_prime_field) {
-                        if (!EC_POINT_get_affine_coordinates_GFp(group,
-                            tmp_point, X, NULL, ctx)) {
-                                ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
-                                    ERR_R_EC_LIB);
-                                goto err;
-                        }
-                }
-#ifndef OPENSSL_NO_EC2M
-                else /* NID_X9_62_characteristic_two_field */
-                {
-                        if (!EC_POINT_get_affine_coordinates_GF2m(group,
-                            tmp_point, X, NULL, ctx)) {
-                                ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
-                                    ERR_R_EC_LIB);
-                                goto err;
-                        }
-                }
-#endif
-                if (!BN_nnmod(r, X, order, ctx)) {
-                        ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
-                        goto err;
-                }
-        } while (BN_is_zero(r));
-        /* compute the inverse of k */
-        if (!BN_mod_inverse(k, k, order, ctx)) {
-                ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
-                goto err;
-        }
-        /* clear old values if necessary */
-        BN_clear_free(*rp);
-        BN_clear_free(*kinvp);
-        /* save the pre-computed values  */
-        *rp = r;
-        *kinvp = k;
-        ret = 1;
-err:
-        if (!ret) {
-                BN_clear_free(k);
-                BN_clear_free(r);
-        }
-        if (ctx_in == NULL)
-                BN_CTX_free(ctx);
-        BN_free(order);
-        EC_POINT_free(tmp_point);
-        BN_clear_free(X);
-        return (ret);
-}
-static ECDSA_SIG *
-ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
-    const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey)
-{
-        int     ok = 0, i;
-        BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *order = NULL;
-        const BIGNUM *ckinv;
-        BN_CTX     *ctx = NULL;
-        const EC_GROUP   *group;
-        ECDSA_SIG  *ret;
-        ECDSA_DATA *ecdsa;
-        const BIGNUM *priv_key;
-        ecdsa = ecdsa_check(eckey);
-        group = EC_KEY_get0_group(eckey);
-        priv_key = EC_KEY_get0_private_key(eckey);
-        if (group == NULL || priv_key == NULL || ecdsa == NULL) {
-                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_PASSED_NULL_PARAMETER);
-                return NULL;
-        }
-        ret = ECDSA_SIG_new();
-        if (!ret) {
-                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
-                return NULL;
-        }
-        s = ret->s;
-        if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL ||
-            (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) {
-                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        if (!EC_GROUP_get_order(group, order, ctx)) {
-                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
-                goto err;
-        }
-        i = BN_num_bits(order);
-        /* Need to truncate digest if it is too long: first truncate whole
-         * bytes.
-         */
-        if (8 * dgst_len > i)
-                dgst_len = (i + 7)/8;
-        if (!BN_bin2bn(dgst, dgst_len, m)) {
-                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
-                goto err;
-        }
-        /* If still too long truncate remaining bits with a shift */
-        if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
-                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
-                goto err;
-        }
-        do {
-                if (in_kinv == NULL || in_r == NULL) {
-                        if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r)) {
-                                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
-                                    ERR_R_ECDSA_LIB);
-                                goto err;
-                        }
-                        ckinv = kinv;
-                } else {
-                        ckinv = in_kinv;
-                        if (BN_copy(ret->r, in_r) == NULL) {
-                                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
-                                    ERR_R_MALLOC_FAILURE);
-                                goto err;
-                        }
-                }
-                if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) {
-                        ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
-                        goto err;
-                }
-                if (!BN_mod_add_quick(s, tmp, m, order)) {
-                        ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
-                        goto err;
-                }
-                if (!BN_mod_mul(s, s, ckinv, order, ctx)) {
-                        ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
-                        goto err;
-                }
-                if (BN_is_zero(s)) {
-                        /* if kinv and r have been supplied by the caller
-                         * don't to generate new kinv and r values */
-                        if (in_kinv != NULL && in_r != NULL) {
-                                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
-                                    ECDSA_R_NEED_NEW_SETUP_VALUES);
-                                goto err;
-                        }
-                } else
-                        /* s != 0 => we have a valid signature */
-                        break;
-        } while (1);
-        ok = 1;
-err:
-        if (!ok) {
-                ECDSA_SIG_free(ret);
-                ret = NULL;
-        }
-        BN_CTX_free(ctx);
-        BN_clear_free(m);
-        BN_clear_free(tmp);
-        BN_free(order);
-        BN_clear_free(kinv);
-        return ret;
-}
-static int
-ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig,
-    EC_KEY *eckey)
-{
-        int ret = -1, i;
-        BN_CTX   *ctx;
-        BIGNUM   *order, *u1, *u2, *m, *X;
-        EC_POINT *point = NULL;
-        const EC_GROUP *group;
-        const EC_POINT *pub_key;
-        /* check input values */
-        if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
-            (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {
-                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_MISSING_PARAMETERS);
-                return -1;
-        }
-        ctx = BN_CTX_new();
-        if (!ctx) {
-                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
-                return -1;
-        }
-        BN_CTX_start(ctx);
-        order = BN_CTX_get(ctx);
-        u1 = BN_CTX_get(ctx);
-        u2 = BN_CTX_get(ctx);
-        m = BN_CTX_get(ctx);
-        X = BN_CTX_get(ctx);
-        if (!X) {
-                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
-                goto err;
-        }
-        if (!EC_GROUP_get_order(group, order, ctx)) {
-                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
-                goto err;
-        }
-        if (BN_is_zero(sig->r)          || BN_is_negative(sig->r) ||
-            BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s)  ||
-            BN_is_negative(sig->s)      || BN_ucmp(sig->s, order) >= 0) {
-                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_BAD_SIGNATURE);
-                ret = 0;        /* signature is invalid */
-                goto err;
-        }
-        /* calculate tmp1 = inv(S) mod order */
-        if (!BN_mod_inverse(u2, sig->s, order, ctx)) {
-                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
-                goto err;
-        }
-        /* digest -> m */
-        i = BN_num_bits(order);
-        /* Need to truncate digest if it is too long: first truncate whole
-         * bytes.
-         */
-        if (8 * dgst_len > i)
-                dgst_len = (i + 7)/8;
-        if (!BN_bin2bn(dgst, dgst_len, m)) {
-                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
-                goto err;
-        }
-        /* If still too long truncate remaining bits with a shift */
-        if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
-                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
-                goto err;
-        }
-        /* u1 = m * tmp mod order */
-        if (!BN_mod_mul(u1, m, u2, order, ctx)) {
-                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
-                goto err;
-        }
-        /* u2 = r * w mod q */
-        if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) {
-                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
-                goto err;
-        }
-        if ((point = EC_POINT_new(group)) == NULL) {
-                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx)) {
-                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
-                goto err;
-        }
-        if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
-            NID_X9_62_prime_field) {
-                if (!EC_POINT_get_affine_coordinates_GFp(group,
-                    point, X, NULL, ctx)) {
-                        ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
-                        goto err;
-                }
-        }
-#ifndef OPENSSL_NO_EC2M
-        else /* NID_X9_62_characteristic_two_field */
-        {
-                if (!EC_POINT_get_affine_coordinates_GF2m(group,
-                    point, X, NULL, ctx)) {
-                        ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
-                        goto err;
-                }
-        }
-#endif
-        if (!BN_nnmod(u1, X, order, ctx)) {
-                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
-                goto err;
-        }
-        /*  if the signature is correct u1 is equal to sig->r */
-        ret = (BN_ucmp(u1, sig->r) == 0);
-err:
-        BN_CTX_end(ctx);
-        BN_CTX_free(ctx);
-        EC_POINT_free(point);
-        return ret;
-}

diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c deleted file mode 100644 index 31102138c0..0000000000 --- a/src/lib/libcrypto/ecdsa/ecs_ossl.c +++ /dev/null
@@ -1,430 +0,0 @@
1	/* $OpenBSD: ecs_ossl.c,v 1.6 2015/02/08 13:35:07 jsing Exp $ */
2	/*
3	* Written by Nils Larsch for the OpenSSL project
4	*/
5	/* ====================================================================
6	* Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved.
7	*
8	* Redistribution and use in source and binary forms, with or without
9	* modification, are permitted provided that the following conditions
10	* are met:
11	*
12	* 1. Redistributions of source code must retain the above copyright
13	* notice, this list of conditions and the following disclaimer.
14	*
15	* 2. Redistributions in binary form must reproduce the above copyright
16	* notice, this list of conditions and the following disclaimer in
17	* the documentation and/or other materials provided with the
18	* distribution.
19	*
20	* 3. All advertising materials mentioning features or use of this
21	* software must display the following acknowledgment:
22	* "This product includes software developed by the OpenSSL Project
23	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24	*
25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26	* endorse or promote products derived from this software without
27	* prior written permission. For written permission, please contact
28	* openssl-core@OpenSSL.org.
29	*
30	* 5. Products derived from this software may not be called "OpenSSL"
31	* nor may "OpenSSL" appear in their names without prior written
32	* permission of the OpenSSL Project.
33	*
34	* 6. Redistributions of any form whatsoever must retain the following
35	* acknowledgment:
36	* "This product includes software developed by the OpenSSL Project
37	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38	*
39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50	* OF THE POSSIBILITY OF SUCH DAMAGE.
51	* ====================================================================
52	*
53	* This product includes cryptographic software written by Eric Young
54	* (eay@cryptsoft.com). This product includes software written by Tim
55	* Hudson (tjh@cryptsoft.com).
56	*
57	*/
58
59	#include <openssl/opensslconf.h>
60
61	#include "ecs_locl.h"
62	#include <openssl/err.h>
63	#include <openssl/obj_mac.h>
64	#include <openssl/bn.h>
65
66	static ECDSA_SIG ecdsa_do_sign(const unsigned char dgst, int dlen,
67	const BIGNUM , const BIGNUM , EC_KEY *eckey);
68	static int ecdsa_sign_setup(EC_KEY eckey, BN_CTX ctx_in, BIGNUM **kinvp,
69	BIGNUM **rp);
70	static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
71	const ECDSA_SIG sig, EC_KEY eckey);
72
73	static ECDSA_METHOD openssl_ecdsa_meth = {
74	.name = "OpenSSL ECDSA method",
75	.ecdsa_do_sign = ecdsa_do_sign,
76	.ecdsa_sign_setup = ecdsa_sign_setup,
77	.ecdsa_do_verify = ecdsa_do_verify
78	};
79
80	const ECDSA_METHOD *
81	ECDSA_OpenSSL(void)
82	{
83	return &openssl_ecdsa_meth;
84	}
85
86	static int
87	ecdsa_sign_setup(EC_KEY eckey, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)
88	{
89	BN_CTX *ctx = NULL;
90	BIGNUM k = NULL, r = NULL, order = NULL, X = NULL;
91	EC_POINT *tmp_point = NULL;
92	const EC_GROUP *group;
93	int ret = 0;
94
95	if (eckey == NULL \|\| (group = EC_KEY_get0_group(eckey)) == NULL) {
96	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
97	return 0;
98	}
99
100	if (ctx_in == NULL) {
101	if ((ctx = BN_CTX_new()) == NULL) {
102	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
103	ERR_R_MALLOC_FAILURE);
104	return 0;
105	}
106	} else
107	ctx = ctx_in;
108
109	k = BN_new(); /* this value is later returned in kinvp /
110	r = BN_new(); /* this value is later returned in rp /
111	order = BN_new();
112	X = BN_new();
113	if (!k \|\| !r \|\| !order \|\| !X) {
114	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
115	goto err;
116	}
117	if ((tmp_point = EC_POINT_new(group)) == NULL) {
118	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
119	goto err;
120	}
121	if (!EC_GROUP_get_order(group, order, ctx)) {
122	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
123	goto err;
124	}
125
126	do {
127	/* get random k */
128	do
129	if (!BN_rand_range(k, order)) {
130	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
131	ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
132	goto err;
133	}
134	while (BN_is_zero(k));
135
136	/* We do not want timing information to leak the length of k,
137	* so we compute G*k using an equivalent scalar of fixed
138	* bit-length. */
139	if (!BN_add(k, k, order))
140	goto err;
141	if (BN_num_bits(k) <= BN_num_bits(order))
142	if (!BN_add(k, k, order))
143	goto err;
144
145	/* compute r the x-coordinate of generator * k */
146	if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
147	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
148	goto err;
149	}
150	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
151	NID_X9_62_prime_field) {
152	if (!EC_POINT_get_affine_coordinates_GFp(group,
153	tmp_point, X, NULL, ctx)) {
154	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
155	ERR_R_EC_LIB);
156	goto err;
157	}
158	}
159	#ifndef OPENSSL_NO_EC2M
160	else /* NID_X9_62_characteristic_two_field */
161	{
162	if (!EC_POINT_get_affine_coordinates_GF2m(group,
163	tmp_point, X, NULL, ctx)) {
164	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
165	ERR_R_EC_LIB);
166	goto err;
167	}
168	}
169	#endif
170	if (!BN_nnmod(r, X, order, ctx)) {
171	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
172	goto err;
173	}
174	} while (BN_is_zero(r));
175
176	/* compute the inverse of k */
177	if (!BN_mod_inverse(k, k, order, ctx)) {
178	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
179	goto err;
180	}
181	/* clear old values if necessary */
182	BN_clear_free(*rp);
183	BN_clear_free(*kinvp);
184	/* save the pre-computed values */
185	*rp = r;
186	*kinvp = k;
187	ret = 1;
188
189	err:
190	if (!ret) {
191	BN_clear_free(k);
192	BN_clear_free(r);
193	}
194	if (ctx_in == NULL)
195	BN_CTX_free(ctx);
196	BN_free(order);
197	EC_POINT_free(tmp_point);
198	BN_clear_free(X);
199	return (ret);
200	}
201
202
203	static ECDSA_SIG *
204	ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
205	const BIGNUM in_kinv, const BIGNUM in_r, EC_KEY *eckey)
206	{
207	int ok = 0, i;
208	BIGNUM kinv = NULL, s, m = NULL, tmp = NULL, *order = NULL;
209	const BIGNUM *ckinv;
210	BN_CTX *ctx = NULL;
211	const EC_GROUP *group;
212	ECDSA_SIG *ret;
213	ECDSA_DATA *ecdsa;
214	const BIGNUM *priv_key;
215
216	ecdsa = ecdsa_check(eckey);
217	group = EC_KEY_get0_group(eckey);
218	priv_key = EC_KEY_get0_private_key(eckey);
219
220	if (group == NULL \|\| priv_key == NULL \|\| ecdsa == NULL) {
221	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_PASSED_NULL_PARAMETER);
222	return NULL;
223	}
224
225	ret = ECDSA_SIG_new();
226	if (!ret) {
227	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
228	return NULL;
229	}
230	s = ret->s;
231
232	if ((ctx = BN_CTX_new()) == NULL \|\| (order = BN_new()) == NULL \|\|
233	(tmp = BN_new()) == NULL \|\| (m = BN_new()) == NULL) {
234	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
235	goto err;
236	}
237
238	if (!EC_GROUP_get_order(group, order, ctx)) {
239	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
240	goto err;
241	}
242	i = BN_num_bits(order);
243	/* Need to truncate digest if it is too long: first truncate whole
244	* bytes.
245	*/
246	if (8 * dgst_len > i)
247	dgst_len = (i + 7)/8;
248	if (!BN_bin2bn(dgst, dgst_len, m)) {
249	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
250	goto err;
251	}
252	/* If still too long truncate remaining bits with a shift */
253	if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
254	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
255	goto err;
256	}
257	do {
258	if (in_kinv == NULL \|\| in_r == NULL) {
259	if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r)) {
260	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
261	ERR_R_ECDSA_LIB);
262	goto err;
263	}
264	ckinv = kinv;
265	} else {
266	ckinv = in_kinv;
267	if (BN_copy(ret->r, in_r) == NULL) {
268	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
269	ERR_R_MALLOC_FAILURE);
270	goto err;
271	}
272	}
273
274	if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) {
275	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
276	goto err;
277	}
278	if (!BN_mod_add_quick(s, tmp, m, order)) {
279	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
280	goto err;
281	}
282	if (!BN_mod_mul(s, s, ckinv, order, ctx)) {
283	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
284	goto err;
285	}
286	if (BN_is_zero(s)) {
287	/* if kinv and r have been supplied by the caller
288	* don't to generate new kinv and r values */
289	if (in_kinv != NULL && in_r != NULL) {
290	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
291	ECDSA_R_NEED_NEW_SETUP_VALUES);
292	goto err;
293	}
294	} else
295	/* s != 0 => we have a valid signature */
296	break;
297	} while (1);
298
299	ok = 1;
300
301	err:
302	if (!ok) {
303	ECDSA_SIG_free(ret);
304	ret = NULL;
305	}
306	BN_CTX_free(ctx);
307	BN_clear_free(m);
308	BN_clear_free(tmp);
309	BN_free(order);
310	BN_clear_free(kinv);
311	return ret;
312	}
313
314	static int
315	ecdsa_do_verify(const unsigned char dgst, int dgst_len, const ECDSA_SIG sig,
316	EC_KEY *eckey)
317	{
318	int ret = -1, i;
319	BN_CTX *ctx;
320	BIGNUM order, u1, u2, m, *X;
321	EC_POINT *point = NULL;
322	const EC_GROUP *group;
323	const EC_POINT *pub_key;
324
325	/* check input values */
326	if (eckey == NULL \|\| (group = EC_KEY_get0_group(eckey)) == NULL \|\|
327	(pub_key = EC_KEY_get0_public_key(eckey)) == NULL \|\| sig == NULL) {
328	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_MISSING_PARAMETERS);
329	return -1;
330	}
331
332	ctx = BN_CTX_new();
333	if (!ctx) {
334	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
335	return -1;
336	}
337	BN_CTX_start(ctx);
338	order = BN_CTX_get(ctx);
339	u1 = BN_CTX_get(ctx);
340	u2 = BN_CTX_get(ctx);
341	m = BN_CTX_get(ctx);
342	X = BN_CTX_get(ctx);
343	if (!X) {
344	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
345	goto err;
346	}
347
348	if (!EC_GROUP_get_order(group, order, ctx)) {
349	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
350	goto err;
351	}
352
353	if (BN_is_zero(sig->r) \|\| BN_is_negative(sig->r) \|\|
354	BN_ucmp(sig->r, order) >= 0 \|\| BN_is_zero(sig->s) \|\|
355	BN_is_negative(sig->s) \|\| BN_ucmp(sig->s, order) >= 0) {
356	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_BAD_SIGNATURE);
357	ret = 0; /* signature is invalid */
358	goto err;
359	}
360	/* calculate tmp1 = inv(S) mod order */
361	if (!BN_mod_inverse(u2, sig->s, order, ctx)) {
362	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
363	goto err;
364	}
365	/* digest -> m */
366	i = BN_num_bits(order);
367	/* Need to truncate digest if it is too long: first truncate whole
368	* bytes.
369	*/
370	if (8 * dgst_len > i)
371	dgst_len = (i + 7)/8;
372	if (!BN_bin2bn(dgst, dgst_len, m)) {
373	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
374	goto err;
375	}
376	/* If still too long truncate remaining bits with a shift */
377	if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
378	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
379	goto err;
380	}
381	/* u1 = m * tmp mod order */
382	if (!BN_mod_mul(u1, m, u2, order, ctx)) {
383	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
384	goto err;
385	}
386	/* u2 = r * w mod q */
387	if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) {
388	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
389	goto err;
390	}
391
392	if ((point = EC_POINT_new(group)) == NULL) {
393	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
394	goto err;
395	}
396	if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx)) {
397	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
398	goto err;
399	}
400	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
401	NID_X9_62_prime_field) {
402	if (!EC_POINT_get_affine_coordinates_GFp(group,
403	point, X, NULL, ctx)) {
404	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
405	goto err;
406	}
407	}
408	#ifndef OPENSSL_NO_EC2M
409	else /* NID_X9_62_characteristic_two_field */
410	{
411	if (!EC_POINT_get_affine_coordinates_GF2m(group,
412	point, X, NULL, ctx)) {
413	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
414	goto err;
415	}
416	}
417	#endif
418	if (!BN_nnmod(u1, X, order, ctx)) {
419	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
420	goto err;
421	}
422	/* if the signature is correct u1 is equal to sig->r */
423	ret = (BN_ucmp(u1, sig->r) == 0);
424
425	err:
426	BN_CTX_end(ctx);
427	BN_CTX_free(ctx);
428	EC_POINT_free(point);
429	return ret;
430	}