Lines Matching +full:- +full:s
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
11 * SEC1 https://www.secg.org/sec1-v2.pdf
35 * Sub-context for ecdsa_verify()
46 * Init verify restart sub-context
50 mbedtls_mpi_init(&ctx->u1); in ecdsa_restart_ver_init()
51 mbedtls_mpi_init(&ctx->u2); in ecdsa_restart_ver_init()
52 ctx->state = ecdsa_ver_init; in ecdsa_restart_ver_init()
56 * Free the components of a verify restart sub-context
64 mbedtls_mpi_free(&ctx->u1); in ecdsa_restart_ver_free()
65 mbedtls_mpi_free(&ctx->u2); in ecdsa_restart_ver_free()
71 * Sub-context for ecdsa_sign()
76 mbedtls_mpi k; /* per-signature random */
86 * Init sign restart sub-context
90 ctx->sign_tries = 0; in ecdsa_restart_sig_init()
91 ctx->key_tries = 0; in ecdsa_restart_sig_init()
92 mbedtls_mpi_init(&ctx->k); in ecdsa_restart_sig_init()
93 mbedtls_mpi_init(&ctx->r); in ecdsa_restart_sig_init()
94 ctx->state = ecdsa_sig_init; in ecdsa_restart_sig_init()
98 * Free the components of a sign restart sub-context
106 mbedtls_mpi_free(&ctx->k); in ecdsa_restart_sig_free()
107 mbedtls_mpi_free(&ctx->r); in ecdsa_restart_sig_free()
112 * Sub-context for ecdsa_sign_det()
123 * Init sign_det restart sub-context
127 mbedtls_hmac_drbg_init(&ctx->rng_ctx); in ecdsa_restart_det_init()
128 ctx->state = ecdsa_det_init; in ecdsa_restart_det_init()
132 * Free the components of a sign_det restart sub-context
140 mbedtls_hmac_drbg_free(&ctx->rng_ctx); in ecdsa_restart_det_free()
146 #define ECDSA_RS_ECP (rs_ctx == NULL ? NULL : &rs_ctx->ecp)
152 /* Call this when entering a function that needs its own sub-context */
154 /* reset ops count for this call if top-level */ \
155 if (rs_ctx != NULL && rs_ctx->ecp.depth++ == 0) \
156 rs_ctx->ecp.ops_done = 0; \
158 /* set up our own sub-context if needed */ \
160 rs_ctx != NULL && rs_ctx->SUB == NULL) \
162 rs_ctx->SUB = mbedtls_calloc(1, sizeof(*rs_ctx->SUB)); \
163 if (rs_ctx->SUB == NULL) \
166 ecdsa_restart_## SUB ##_init(rs_ctx->SUB); \
170 /* Call this when leaving a function that needs its own sub-context */
172 /* clear our sub-context when not in progress (done or error) */ \
173 if (rs_ctx != NULL && rs_ctx->SUB != NULL && \
176 ecdsa_restart_## SUB ##_free(rs_ctx->SUB); \
177 mbedtls_free(rs_ctx->SUB); \
178 rs_ctx->SUB = NULL; \
182 rs_ctx->ecp.depth--; \
189 #define ECDSA_BUDGET(ops) /* no-op; for compatibility */
207 size_t n_size = (grp->nbits + 7) / 8; in derive_mpi()
211 if (use_size * 8 > grp->nbits) { in derive_mpi()
212 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(x, use_size * 8 - grp->nbits)); in derive_mpi()
216 if (mbedtls_mpi_cmp_mpi(x, &grp->N) >= 0) { in derive_mpi()
217 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(x, x, &grp->N)); in derive_mpi()
244 mbedtls_mpi *r, mbedtls_mpi *s, in mbedtls_ecdsa_sign_restartable() argument
258 if (!mbedtls_ecdsa_can_do(grp->id) || grp->N.p == NULL) { in mbedtls_ecdsa_sign_restartable()
262 /* Make sure d is in range 1..n-1 */ in mbedtls_ecdsa_sign_restartable()
263 if (mbedtls_mpi_cmp_int(d, 1) < 0 || mbedtls_mpi_cmp_mpi(d, &grp->N) >= 0) { in mbedtls_ecdsa_sign_restartable()
273 if (rs_ctx != NULL && rs_ctx->sig != NULL) { in mbedtls_ecdsa_sign_restartable()
275 p_sign_tries = &rs_ctx->sig->sign_tries; in mbedtls_ecdsa_sign_restartable()
276 p_key_tries = &rs_ctx->sig->key_tries; in mbedtls_ecdsa_sign_restartable()
277 pk = &rs_ctx->sig->k; in mbedtls_ecdsa_sign_restartable()
278 pr = &rs_ctx->sig->r; in mbedtls_ecdsa_sign_restartable()
281 if (rs_ctx->sig->state == ecdsa_sig_mul) { in mbedtls_ecdsa_sign_restartable()
284 if (rs_ctx->sig->state == ecdsa_sig_modn) { in mbedtls_ecdsa_sign_restartable()
298 * Steps 1-3: generate a suitable ephemeral keypair in mbedtls_ecdsa_sign_restartable()
311 if (rs_ctx != NULL && rs_ctx->sig != NULL) { in mbedtls_ecdsa_sign_restartable()
312 rs_ctx->sig->state = ecdsa_sig_mul; in mbedtls_ecdsa_sign_restartable()
317 MBEDTLS_MPI_CHK(mbedtls_ecp_mul_restartable(grp, &R, pk, &grp->G, in mbedtls_ecdsa_sign_restartable()
321 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(pr, &R.X, &grp->N)); in mbedtls_ecdsa_sign_restartable()
325 if (rs_ctx != NULL && rs_ctx->sig != NULL) { in mbedtls_ecdsa_sign_restartable()
326 rs_ctx->sig->state = ecdsa_sig_modn; in mbedtls_ecdsa_sign_restartable()
350 * Step 6: compute s = (e + r * d) / k = t (e + rd) / (kt) mod n in mbedtls_ecdsa_sign_restartable()
352 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(s, pr, d)); in mbedtls_ecdsa_sign_restartable()
353 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&e, &e, s)); in mbedtls_ecdsa_sign_restartable()
356 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(pk, pk, &grp->N)); in mbedtls_ecdsa_sign_restartable()
357 MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(s, pk, &grp->N)); in mbedtls_ecdsa_sign_restartable()
358 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(s, s, &e)); in mbedtls_ecdsa_sign_restartable()
359 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(s, s, &grp->N)); in mbedtls_ecdsa_sign_restartable()
360 } while (mbedtls_mpi_cmp_int(s, 0) == 0); in mbedtls_ecdsa_sign_restartable()
363 if (rs_ctx != NULL && rs_ctx->sig != NULL) { in mbedtls_ecdsa_sign_restartable()
380 int mbedtls_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, in mbedtls_ecdsa_sign() argument
385 return mbedtls_ecdsa_sign_restartable(grp, r, s, d, buf, blen, in mbedtls_ecdsa_sign()
398 mbedtls_mpi *r, mbedtls_mpi *s, in mbedtls_ecdsa_sign_det_restartable() argument
409 size_t grp_len = (grp->nbits + 7) / 8; in mbedtls_ecdsa_sign_det_restartable()
423 if (rs_ctx != NULL && rs_ctx->det != NULL) { in mbedtls_ecdsa_sign_det_restartable()
425 p_rng = &rs_ctx->det->rng_ctx; in mbedtls_ecdsa_sign_det_restartable()
428 if (rs_ctx->det->state == ecdsa_det_sign) { in mbedtls_ecdsa_sign_det_restartable()
441 if (rs_ctx != NULL && rs_ctx->det != NULL) { in mbedtls_ecdsa_sign_det_restartable()
442 rs_ctx->det->state = ecdsa_det_sign; in mbedtls_ecdsa_sign_det_restartable()
450 ret = mbedtls_ecdsa_sign(grp, r, s, d, buf, blen, in mbedtls_ecdsa_sign_det_restartable()
453 ret = mbedtls_ecdsa_sign_restartable(grp, r, s, d, buf, blen, in mbedtls_ecdsa_sign_det_restartable()
471 mbedtls_mpi *s, const mbedtls_mpi *d, in mbedtls_ecdsa_sign_det_ext() argument
478 return mbedtls_ecdsa_sign_det_restartable(grp, r, s, d, buf, blen, md_alg, in mbedtls_ecdsa_sign_det_ext()
492 const mbedtls_mpi *s, in mbedtls_ecdsa_verify_restartable() argument
505 if (!mbedtls_ecdsa_can_do(grp->id) || grp->N.p == NULL) { in mbedtls_ecdsa_verify_restartable()
512 if (rs_ctx != NULL && rs_ctx->ver != NULL) { in mbedtls_ecdsa_verify_restartable()
514 pu1 = &rs_ctx->ver->u1; in mbedtls_ecdsa_verify_restartable()
515 pu2 = &rs_ctx->ver->u2; in mbedtls_ecdsa_verify_restartable()
518 if (rs_ctx->ver->state == ecdsa_ver_muladd) { in mbedtls_ecdsa_verify_restartable()
525 * Step 1: make sure r and s are in range 1..n-1 in mbedtls_ecdsa_verify_restartable()
527 if (mbedtls_mpi_cmp_int(r, 1) < 0 || mbedtls_mpi_cmp_mpi(r, &grp->N) >= 0 || in mbedtls_ecdsa_verify_restartable()
528 mbedtls_mpi_cmp_int(s, 1) < 0 || mbedtls_mpi_cmp_mpi(s, &grp->N) >= 0) { in mbedtls_ecdsa_verify_restartable()
539 * Step 4: u1 = e / s mod n, u2 = r / s mod n in mbedtls_ecdsa_verify_restartable()
543 MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&s_inv, s, &grp->N)); in mbedtls_ecdsa_verify_restartable()
546 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(pu1, pu1, &grp->N)); in mbedtls_ecdsa_verify_restartable()
549 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(pu2, pu2, &grp->N)); in mbedtls_ecdsa_verify_restartable()
552 if (rs_ctx != NULL && rs_ctx->ver != NULL) { in mbedtls_ecdsa_verify_restartable()
553 rs_ctx->ver->state = ecdsa_ver_muladd; in mbedtls_ecdsa_verify_restartable()
562 &R, pu1, &grp->G, pu2, Q, ECDSA_RS_ECP)); in mbedtls_ecdsa_verify_restartable()
570 * Step 6: convert xR to an integer (no-op) in mbedtls_ecdsa_verify_restartable()
573 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&R.X, &R.X, &grp->N)); in mbedtls_ecdsa_verify_restartable()
600 const mbedtls_mpi *s) in mbedtls_ecdsa_verify() argument
602 return mbedtls_ecdsa_verify_restartable(grp, buf, blen, Q, r, s, NULL); in mbedtls_ecdsa_verify()
609 static int ecdsa_signature_to_asn1(const mbedtls_mpi *r, const mbedtls_mpi *s, in ecdsa_signature_to_asn1() argument
618 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_mpi(&p, buf, s)); in ecdsa_signature_to_asn1()
648 mbedtls_mpi r, s; in mbedtls_ecdsa_write_signature_restartable() local
654 mbedtls_mpi_init(&s); in mbedtls_ecdsa_write_signature_restartable()
657 MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_det_restartable(&ctx->grp, &r, &s, &ctx->d, in mbedtls_ecdsa_write_signature_restartable()
666 MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign(&ctx->grp, &r, &s, &ctx->d, in mbedtls_ecdsa_write_signature_restartable()
670 MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_restartable(&ctx->grp, &r, &s, &ctx->d, in mbedtls_ecdsa_write_signature_restartable()
676 MBEDTLS_MPI_CHK(ecdsa_signature_to_asn1(&r, &s, sig, sig_size, slen)); in mbedtls_ecdsa_write_signature_restartable()
680 mbedtls_mpi_free(&s); in mbedtls_ecdsa_write_signature_restartable()
723 mbedtls_mpi r, s; in mbedtls_ecdsa_read_signature_restartable() local
725 mbedtls_mpi_init(&s); in mbedtls_ecdsa_read_signature_restartable()
740 (ret = mbedtls_asn1_get_mpi(&p, end, &s)) != 0) { in mbedtls_ecdsa_read_signature_restartable()
747 if ((ret = mbedtls_ecdsa_verify(&ctx->grp, hash, hlen, in mbedtls_ecdsa_read_signature_restartable()
748 &ctx->Q, &r, &s)) != 0) { in mbedtls_ecdsa_read_signature_restartable()
752 if ((ret = mbedtls_ecdsa_verify_restartable(&ctx->grp, hash, hlen, in mbedtls_ecdsa_read_signature_restartable()
753 &ctx->Q, &r, &s, rs_ctx)) != 0) { in mbedtls_ecdsa_read_signature_restartable()
767 mbedtls_mpi_free(&s); in mbedtls_ecdsa_read_signature_restartable()
780 ret = mbedtls_ecp_group_load(&ctx->grp, gid); in mbedtls_ecdsa_genkey()
785 return mbedtls_ecp_gen_keypair(&ctx->grp, &ctx->d, in mbedtls_ecdsa_genkey()
786 &ctx->Q, f_rng, p_rng); in mbedtls_ecdsa_genkey()
796 if ((ret = mbedtls_ecp_group_copy(&ctx->grp, &key->grp)) != 0 || in mbedtls_ecdsa_from_keypair()
797 (ret = mbedtls_mpi_copy(&ctx->d, &key->d)) != 0 || in mbedtls_ecdsa_from_keypair()
798 (ret = mbedtls_ecp_copy(&ctx->Q, &key->Q)) != 0) { in mbedtls_ecdsa_from_keypair()
831 mbedtls_ecp_restart_init(&ctx->ecp); in mbedtls_ecdsa_restart_init()
833 ctx->ver = NULL; in mbedtls_ecdsa_restart_init()
834 ctx->sig = NULL; in mbedtls_ecdsa_restart_init()
836 ctx->det = NULL; in mbedtls_ecdsa_restart_init()
849 mbedtls_ecp_restart_free(&ctx->ecp); in mbedtls_ecdsa_restart_free()
851 ecdsa_restart_ver_free(ctx->ver); in mbedtls_ecdsa_restart_free()
852 mbedtls_free(ctx->ver); in mbedtls_ecdsa_restart_free()
853 ctx->ver = NULL; in mbedtls_ecdsa_restart_free()
855 ecdsa_restart_sig_free(ctx->sig); in mbedtls_ecdsa_restart_free()
856 mbedtls_free(ctx->sig); in mbedtls_ecdsa_restart_free()
857 ctx->sig = NULL; in mbedtls_ecdsa_restart_free()
860 ecdsa_restart_det_free(ctx->det); in mbedtls_ecdsa_restart_free()
861 mbedtls_free(ctx->det); in mbedtls_ecdsa_restart_free()
862 ctx->det = NULL; in mbedtls_ecdsa_restart_free()