path: root/src/lib/libcrypto/ecdsa/ecs_ossl.c
Diffstat (limited to 'src/lib/libcrypto/ecdsa/ecs_ossl.c')
-rw-r--r--src/lib/libcrypto/ecdsa/ecs_ossl.c85
1 files changed, 39 insertions, 46 deletions
diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c
index 637da6535f..c7f4bcbe03 100644
--- a/src/lib/libcrypto/ecdsa/ecs_ossl.c
+++ b/src/lib/libcrypto/ecdsa/ecs_ossl.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ecs_ossl.c,v 1.8 2017/01/21 11:00:47 beck Exp $ */ 1/* $OpenBSD: ecs_ossl.c,v 1.9 2017/01/29 17:49:23 beck Exp $ */
2/* 2/*
3 * Written by Nils Larsch for the OpenSSL project 3 * Written by Nils Larsch for the OpenSSL project
4 */ 4 */
@@ -95,14 +95,13 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
95 int ret = 0; 95 int ret = 0;
96 96
97 if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) { 97 if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {
98 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER); 98 ECDSAerror(ERR_R_PASSED_NULL_PARAMETER);
99 return 0; 99 return 0;
100 } 100 }
101 101
102 if (ctx_in == NULL) { 102 if (ctx_in == NULL) {
103 if ((ctx = BN_CTX_new()) == NULL) { 103 if ((ctx = BN_CTX_new()) == NULL) {
104 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, 104 ECDSAerror(ERR_R_MALLOC_FAILURE);
105 ERR_R_MALLOC_FAILURE);
106 return 0; 105 return 0;
107 } 106 }
108 } else 107 } else
@@ -113,15 +112,15 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
113 order = BN_new(); 112 order = BN_new();
114 X = BN_new(); 113 X = BN_new();
115 if (!k || !r || !order || !X) { 114 if (!k || !r || !order || !X) {
116 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE); 115 ECDSAerror(ERR_R_MALLOC_FAILURE);
117 goto err; 116 goto err;
118 } 117 }
119 if ((tmp_point = EC_POINT_new(group)) == NULL) { 118 if ((tmp_point = EC_POINT_new(group)) == NULL) {
120 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); 119 ECDSAerror(ERR_R_EC_LIB);
121 goto err; 120 goto err;
122 } 121 }
123 if (!EC_GROUP_get_order(group, order, ctx)) { 122 if (!EC_GROUP_get_order(group, order, ctx)) {
124 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); 123 ECDSAerror(ERR_R_EC_LIB);
125 goto err; 124 goto err;
126 } 125 }
127 126
@@ -129,8 +128,7 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
129 /* get random k */ 128 /* get random k */
130 do 129 do
131 if (!BN_rand_range(k, order)) { 130 if (!BN_rand_range(k, order)) {
132 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, 131 ECDSAerror(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
133 ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
134 goto err; 132 goto err;
135 } 133 }
136 while (BN_is_zero(k)); 134 while (BN_is_zero(k));
@@ -148,15 +146,14 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
148 146
149 /* compute r the x-coordinate of generator * k */ 147 /* compute r the x-coordinate of generator * k */
150 if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) { 148 if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
151 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); 149 ECDSAerror(ERR_R_EC_LIB);
152 goto err; 150 goto err;
153 } 151 }
154 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == 152 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
155 NID_X9_62_prime_field) { 153 NID_X9_62_prime_field) {
156 if (!EC_POINT_get_affine_coordinates_GFp(group, 154 if (!EC_POINT_get_affine_coordinates_GFp(group,
157 tmp_point, X, NULL, ctx)) { 155 tmp_point, X, NULL, ctx)) {
158 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, 156 ECDSAerror(ERR_R_EC_LIB);
159 ERR_R_EC_LIB);
160 goto err; 157 goto err;
161 } 158 }
162 } 159 }
@@ -165,21 +162,20 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
165 { 162 {
166 if (!EC_POINT_get_affine_coordinates_GF2m(group, 163 if (!EC_POINT_get_affine_coordinates_GF2m(group,
167 tmp_point, X, NULL, ctx)) { 164 tmp_point, X, NULL, ctx)) {
168 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, 165 ECDSAerror(ERR_R_EC_LIB);
169 ERR_R_EC_LIB);
170 goto err; 166 goto err;
171 } 167 }
172 } 168 }
173#endif 169#endif
174 if (!BN_nnmod(r, X, order, ctx)) { 170 if (!BN_nnmod(r, X, order, ctx)) {
175 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); 171 ECDSAerror(ERR_R_BN_LIB);
176 goto err; 172 goto err;
177 } 173 }
178 } while (BN_is_zero(r)); 174 } while (BN_is_zero(r));
179 175
180 /* compute the inverse of k */ 176 /* compute the inverse of k */
181 if (!BN_mod_inverse_ct(k, k, order, ctx)) { 177 if (!BN_mod_inverse_ct(k, k, order, ctx)) {
182 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); 178 ECDSAerror(ERR_R_BN_LIB);
183 goto err; 179 goto err;
184 } 180 }
185 /* clear old values if necessary */ 181 /* clear old values if necessary */
@@ -222,25 +218,25 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
222 priv_key = EC_KEY_get0_private_key(eckey); 218 priv_key = EC_KEY_get0_private_key(eckey);
223 219
224 if (group == NULL || priv_key == NULL || ecdsa == NULL) { 220 if (group == NULL || priv_key == NULL || ecdsa == NULL) {
225 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_PASSED_NULL_PARAMETER); 221 ECDSAerror(ERR_R_PASSED_NULL_PARAMETER);
226 return NULL; 222 return NULL;
227 } 223 }
228 224
229 ret = ECDSA_SIG_new(); 225 ret = ECDSA_SIG_new();
230 if (!ret) { 226 if (!ret) {
231 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE); 227 ECDSAerror(ERR_R_MALLOC_FAILURE);
232 return NULL; 228 return NULL;
233 } 229 }
234 s = ret->s; 230 s = ret->s;
235 231
236 if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL || 232 if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL ||
237 (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) { 233 (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) {
238 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE); 234 ECDSAerror(ERR_R_MALLOC_FAILURE);
239 goto err; 235 goto err;
240 } 236 }
241 237
242 if (!EC_GROUP_get_order(group, order, ctx)) { 238 if (!EC_GROUP_get_order(group, order, ctx)) {
243 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB); 239 ECDSAerror(ERR_R_EC_LIB);
244 goto err; 240 goto err;
245 } 241 }
246 i = BN_num_bits(order); 242 i = BN_num_bits(order);
@@ -250,49 +246,46 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
250 if (8 * dgst_len > i) 246 if (8 * dgst_len > i)
251 dgst_len = (i + 7)/8; 247 dgst_len = (i + 7)/8;
252 if (!BN_bin2bn(dgst, dgst_len, m)) { 248 if (!BN_bin2bn(dgst, dgst_len, m)) {
253 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); 249 ECDSAerror(ERR_R_BN_LIB);
254 goto err; 250 goto err;
255 } 251 }
256 /* If still too long truncate remaining bits with a shift */ 252 /* If still too long truncate remaining bits with a shift */
257 if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) { 253 if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
258 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); 254 ECDSAerror(ERR_R_BN_LIB);
259 goto err; 255 goto err;
260 } 256 }
261 do { 257 do {
262 if (in_kinv == NULL || in_r == NULL) { 258 if (in_kinv == NULL || in_r == NULL) {
263 if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r)) { 259 if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r)) {
264 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, 260 ECDSAerror(ERR_R_ECDSA_LIB);
265 ERR_R_ECDSA_LIB);
266 goto err; 261 goto err;
267 } 262 }
268 ckinv = kinv; 263 ckinv = kinv;
269 } else { 264 } else {
270 ckinv = in_kinv; 265 ckinv = in_kinv;
271 if (BN_copy(ret->r, in_r) == NULL) { 266 if (BN_copy(ret->r, in_r) == NULL) {
272 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, 267 ECDSAerror(ERR_R_MALLOC_FAILURE);
273 ERR_R_MALLOC_FAILURE);
274 goto err; 268 goto err;
275 } 269 }
276 } 270 }
277 271
278 if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) { 272 if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) {
279 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); 273 ECDSAerror(ERR_R_BN_LIB);
280 goto err; 274 goto err;
281 } 275 }
282 if (!BN_mod_add_quick(s, tmp, m, order)) { 276 if (!BN_mod_add_quick(s, tmp, m, order)) {
283 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); 277 ECDSAerror(ERR_R_BN_LIB);
284 goto err; 278 goto err;
285 } 279 }
286 if (!BN_mod_mul(s, s, ckinv, order, ctx)) { 280 if (!BN_mod_mul(s, s, ckinv, order, ctx)) {
287 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); 281 ECDSAerror(ERR_R_BN_LIB);
288 goto err; 282 goto err;
289 } 283 }
290 if (BN_is_zero(s)) { 284 if (BN_is_zero(s)) {
291 /* if kinv and r have been supplied by the caller 285 /* if kinv and r have been supplied by the caller
292 * don't to generate new kinv and r values */ 286 * don't to generate new kinv and r values */
293 if (in_kinv != NULL && in_r != NULL) { 287 if (in_kinv != NULL && in_r != NULL) {
294 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, 288 ECDSAerror(ECDSA_R_NEED_NEW_SETUP_VALUES);
295 ECDSA_R_NEED_NEW_SETUP_VALUES);
296 goto err; 289 goto err;
297 } 290 }
298 } else 291 } else
@@ -329,13 +322,13 @@ ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig,
329 /* check input values */ 322 /* check input values */
330 if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || 323 if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
331 (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) { 324 (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {
332 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_MISSING_PARAMETERS); 325 ECDSAerror(ECDSA_R_MISSING_PARAMETERS);
333 return -1; 326 return -1;
334 } 327 }
335 328
336 ctx = BN_CTX_new(); 329 ctx = BN_CTX_new();
337 if (!ctx) { 330 if (!ctx) {
338 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE); 331 ECDSAerror(ERR_R_MALLOC_FAILURE);
339 return -1; 332 return -1;
340 } 333 }
341 BN_CTX_start(ctx); 334 BN_CTX_start(ctx);
@@ -345,25 +338,25 @@ ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig,
345 m = BN_CTX_get(ctx); 338 m = BN_CTX_get(ctx);
346 X = BN_CTX_get(ctx); 339 X = BN_CTX_get(ctx);
347 if (!X) { 340 if (!X) {
348 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB); 341 ECDSAerror(ERR_R_BN_LIB);
349 goto err; 342 goto err;
350 } 343 }
351 344
352 if (!EC_GROUP_get_order(group, order, ctx)) { 345 if (!EC_GROUP_get_order(group, order, ctx)) {
353 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB); 346 ECDSAerror(ERR_R_EC_LIB);
354 goto err; 347 goto err;
355 } 348 }
356 349
357 if (BN_is_zero(sig->r) || BN_is_negative(sig->r) || 350 if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
358 BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) || 351 BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) ||
359 BN_is_negative(sig->s) || BN_ucmp(sig->s, order) >= 0) { 352 BN_is_negative(sig->s) || BN_ucmp(sig->s, order) >= 0) {
360 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_BAD_SIGNATURE); 353 ECDSAerror(ECDSA_R_BAD_SIGNATURE);
361 ret = 0; /* signature is invalid */ 354 ret = 0; /* signature is invalid */
362 goto err; 355 goto err;
363 } 356 }
364 /* calculate tmp1 = inv(S) mod order */ 357 /* calculate tmp1 = inv(S) mod order */
365 if (!BN_mod_inverse_ct(u2, sig->s, order, ctx)) { 358 if (!BN_mod_inverse_ct(u2, sig->s, order, ctx)) {
366 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB); 359 ECDSAerror(ERR_R_BN_LIB);
367 goto err; 360 goto err;
368 } 361 }
369 /* digest -> m */ 362 /* digest -> m */
@@ -374,38 +367,38 @@ ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig,
374 if (8 * dgst_len > i) 367 if (8 * dgst_len > i)
375 dgst_len = (i + 7)/8; 368 dgst_len = (i + 7)/8;
376 if (!BN_bin2bn(dgst, dgst_len, m)) { 369 if (!BN_bin2bn(dgst, dgst_len, m)) {
377 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB); 370 ECDSAerror(ERR_R_BN_LIB);
378 goto err; 371 goto err;
379 } 372 }
380 /* If still too long truncate remaining bits with a shift */ 373 /* If still too long truncate remaining bits with a shift */
381 if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) { 374 if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
382 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB); 375 ECDSAerror(ERR_R_BN_LIB);
383 goto err; 376 goto err;
384 } 377 }
385 /* u1 = m * tmp mod order */ 378 /* u1 = m * tmp mod order */
386 if (!BN_mod_mul(u1, m, u2, order, ctx)) { 379 if (!BN_mod_mul(u1, m, u2, order, ctx)) {
387 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB); 380 ECDSAerror(ERR_R_BN_LIB);
388 goto err; 381 goto err;
389 } 382 }
390 /* u2 = r * w mod q */ 383 /* u2 = r * w mod q */
391 if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) { 384 if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) {
392 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB); 385 ECDSAerror(ERR_R_BN_LIB);
393 goto err; 386 goto err;
394 } 387 }
395 388
396 if ((point = EC_POINT_new(group)) == NULL) { 389 if ((point = EC_POINT_new(group)) == NULL) {
397 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE); 390 ECDSAerror(ERR_R_MALLOC_FAILURE);
398 goto err; 391 goto err;
399 } 392 }
400 if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx)) { 393 if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx)) {
401 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB); 394 ECDSAerror(ERR_R_EC_LIB);
402 goto err; 395 goto err;
403 } 396 }
404 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == 397 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
405 NID_X9_62_prime_field) { 398 NID_X9_62_prime_field) {
406 if (!EC_POINT_get_affine_coordinates_GFp(group, 399 if (!EC_POINT_get_affine_coordinates_GFp(group,
407 point, X, NULL, ctx)) { 400 point, X, NULL, ctx)) {
408 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB); 401 ECDSAerror(ERR_R_EC_LIB);
409 goto err; 402 goto err;
410 } 403 }
411 } 404 }
@@ -414,13 +407,13 @@ ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig,
414 { 407 {
415 if (!EC_POINT_get_affine_coordinates_GF2m(group, 408 if (!EC_POINT_get_affine_coordinates_GF2m(group,
416 point, X, NULL, ctx)) { 409 point, X, NULL, ctx)) {
417 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB); 410 ECDSAerror(ERR_R_EC_LIB);
418 goto err; 411 goto err;
419 } 412 }
420 } 413 }
421#endif 414#endif
422 if (!BN_nnmod(u1, X, order, ctx)) { 415 if (!BN_nnmod(u1, X, order, ctx)) {
423 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB); 416 ECDSAerror(ERR_R_BN_LIB);
424 goto err; 417 goto err;
425 } 418 }
426 /* if the signature is correct u1 is equal to sig->r */ 419 /* if the signature is correct u1 is equal to sig->r */
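Review bot: Every `ECDSAerr(ECDSA_F_…, reason)` in this file becomes `ECDSAerror(reason)`, and if that macro expands to `ERR_PUT_error(ERR_LIB_ECDSA, fixed_func_code, reason, __FILE__, __LINE__)` as its single argument suggests, the per-function codes (`ECDSA_F_ECDSA_SIGN_SETUP`, `ECDSA_F_ECDSA_DO_SIGN`, `ECDSA_F_ECDSA_DO_VERIFY`) are no longer recorded, so any caller that inspects `ERR_GET_FUNC()` to tell a setup failure from a verify failure will now see one value for all of them; the reason codes such as `ECDSA_R_BAD_SIGNATURE` and `ECDSA_R_NEED_NEW_SETUP_VALUES` are preserved, so error-reason matching is unaffected. That behavioural change for error-queue consumers is worth a sentence in the commit message, and the header that still declares the `ECDSA_F_*` constants should mark them unused so they are not mistaken for values that can appear in the queue. A separate observation on the unchanged sign path around `BN_mod_mul(tmp, priv_key, ret->r, order, ctx)` and `BN_mod_mul(s, s, ckinv, order, ctx)`: these are the only operations that touch the private key and the nonce inverse, and `BN_mod_mul` is not, as far as I can see from this code base, a constant-time primitive, so its operand-dependent timing is a potential side channel; the fixed-bit-length padding of k that defends the scalar multiplication is presumably in the lines between the `/* get random k */` loop and the `EC_POINT_mul` call, which the hunk omits, so I cannot confirm it is present. The comment `don't to generate new kinv and r values` in ecdsa_do_sign reads `don't generate new kinv and r values`; all three functions begin and end outside the hunks shown.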