1 /*
2 * Elliptic curve DSA
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 /*
21 * References:
22 *
23 * SEC1 http://www.secg.org/index.php?action=secg,docs_secg
24 */
25
26 #include "common.h"
27
28 #if defined(MBEDTLS_ECDSA_C)
29
30 #include "mbedtls/ecdsa.h"
31 #include "mbedtls/asn1write.h"
32
33 #include <string.h>
34
35 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
36 #include "mbedtls/hmac_drbg.h"
37 #endif
38
39 #if defined(MBEDTLS_PLATFORM_C)
40 #include "mbedtls/platform.h"
41 #else
42 #include <stdlib.h>
43 #define mbedtls_calloc calloc
44 #define mbedtls_free free
45 #endif
46
47 #include "mbedtls/platform_util.h"
48 #include "mbedtls/error.h"
49
50 /* Parameter validation macros based on platform_util.h */
51 #define ECDSA_VALIDATE_RET( cond ) \
52 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
53 #define ECDSA_VALIDATE( cond ) \
54 MBEDTLS_INTERNAL_VALIDATE( cond )
55
56 #if defined(MBEDTLS_ECP_RESTARTABLE)
57
58 /*
59 * Sub-context for ecdsa_verify()
60 */
61 struct mbedtls_ecdsa_restart_ver
62 {
63 mbedtls_mpi u1, u2; /* intermediate values */
64 enum { /* what to do next? */
65 ecdsa_ver_init = 0, /* getting started */
66 ecdsa_ver_muladd, /* muladd step */
67 } state;
68 };
69
70 /*
71 * Init verify restart sub-context
72 */
ecdsa_restart_ver_init(mbedtls_ecdsa_restart_ver_ctx * ctx)73 static void ecdsa_restart_ver_init( mbedtls_ecdsa_restart_ver_ctx *ctx )
74 {
75 mbedtls_mpi_init( &ctx->u1 );
76 mbedtls_mpi_init( &ctx->u2 );
77 ctx->state = ecdsa_ver_init;
78 }
79
80 /*
81 * Free the components of a verify restart sub-context
82 */
ecdsa_restart_ver_free(mbedtls_ecdsa_restart_ver_ctx * ctx)83 static void ecdsa_restart_ver_free( mbedtls_ecdsa_restart_ver_ctx *ctx )
84 {
85 if( ctx == NULL )
86 return;
87
88 mbedtls_mpi_free( &ctx->u1 );
89 mbedtls_mpi_free( &ctx->u2 );
90
91 ecdsa_restart_ver_init( ctx );
92 }
93
94 /*
95 * Sub-context for ecdsa_sign()
96 */
97 struct mbedtls_ecdsa_restart_sig
98 {
99 int sign_tries;
100 int key_tries;
101 mbedtls_mpi k; /* per-signature random */
102 mbedtls_mpi r; /* r value */
103 enum { /* what to do next? */
104 ecdsa_sig_init = 0, /* getting started */
105 ecdsa_sig_mul, /* doing ecp_mul() */
106 ecdsa_sig_modn, /* mod N computations */
107 } state;
108 };
109
110 /*
111 * Init verify sign sub-context
112 */
ecdsa_restart_sig_init(mbedtls_ecdsa_restart_sig_ctx * ctx)113 static void ecdsa_restart_sig_init( mbedtls_ecdsa_restart_sig_ctx *ctx )
114 {
115 ctx->sign_tries = 0;
116 ctx->key_tries = 0;
117 mbedtls_mpi_init( &ctx->k );
118 mbedtls_mpi_init( &ctx->r );
119 ctx->state = ecdsa_sig_init;
120 }
121
122 /*
123 * Free the components of a sign restart sub-context
124 */
ecdsa_restart_sig_free(mbedtls_ecdsa_restart_sig_ctx * ctx)125 static void ecdsa_restart_sig_free( mbedtls_ecdsa_restart_sig_ctx *ctx )
126 {
127 if( ctx == NULL )
128 return;
129
130 mbedtls_mpi_free( &ctx->k );
131 mbedtls_mpi_free( &ctx->r );
132 }
133
134 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
135 /*
136 * Sub-context for ecdsa_sign_det()
137 */
138 struct mbedtls_ecdsa_restart_det
139 {
140 mbedtls_hmac_drbg_context rng_ctx; /* DRBG state */
141 enum { /* what to do next? */
142 ecdsa_det_init = 0, /* getting started */
143 ecdsa_det_sign, /* make signature */
144 } state;
145 };
146
147 /*
148 * Init verify sign_det sub-context
149 */
ecdsa_restart_det_init(mbedtls_ecdsa_restart_det_ctx * ctx)150 static void ecdsa_restart_det_init( mbedtls_ecdsa_restart_det_ctx *ctx )
151 {
152 mbedtls_hmac_drbg_init( &ctx->rng_ctx );
153 ctx->state = ecdsa_det_init;
154 }
155
156 /*
157 * Free the components of a sign_det restart sub-context
158 */
ecdsa_restart_det_free(mbedtls_ecdsa_restart_det_ctx * ctx)159 static void ecdsa_restart_det_free( mbedtls_ecdsa_restart_det_ctx *ctx )
160 {
161 if( ctx == NULL )
162 return;
163
164 mbedtls_hmac_drbg_free( &ctx->rng_ctx );
165
166 ecdsa_restart_det_init( ctx );
167 }
168 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
169
170 #define ECDSA_RS_ECP ( rs_ctx == NULL ? NULL : &rs_ctx->ecp )
171
172 /* Utility macro for checking and updating ops budget */
173 #define ECDSA_BUDGET( ops ) \
174 MBEDTLS_MPI_CHK( mbedtls_ecp_check_budget( grp, ECDSA_RS_ECP, ops ) );
175
176 /* Call this when entering a function that needs its own sub-context */
177 #define ECDSA_RS_ENTER( SUB ) do { \
178 /* reset ops count for this call if top-level */ \
179 if( rs_ctx != NULL && rs_ctx->ecp.depth++ == 0 ) \
180 rs_ctx->ecp.ops_done = 0; \
181 \
182 /* set up our own sub-context if needed */ \
183 if( mbedtls_ecp_restart_is_enabled() && \
184 rs_ctx != NULL && rs_ctx->SUB == NULL ) \
185 { \
186 rs_ctx->SUB = mbedtls_calloc( 1, sizeof( *rs_ctx->SUB ) ); \
187 if( rs_ctx->SUB == NULL ) \
188 return( MBEDTLS_ERR_ECP_ALLOC_FAILED ); \
189 \
190 ecdsa_restart_## SUB ##_init( rs_ctx->SUB ); \
191 } \
192 } while( 0 )
193
194 /* Call this when leaving a function that needs its own sub-context */
195 #define ECDSA_RS_LEAVE( SUB ) do { \
196 /* clear our sub-context when not in progress (done or error) */ \
197 if( rs_ctx != NULL && rs_ctx->SUB != NULL && \
198 ret != MBEDTLS_ERR_ECP_IN_PROGRESS ) \
199 { \
200 ecdsa_restart_## SUB ##_free( rs_ctx->SUB ); \
201 mbedtls_free( rs_ctx->SUB ); \
202 rs_ctx->SUB = NULL; \
203 } \
204 \
205 if( rs_ctx != NULL ) \
206 rs_ctx->ecp.depth--; \
207 } while( 0 )
208
209 #else /* MBEDTLS_ECP_RESTARTABLE */
210
211 #define ECDSA_RS_ECP NULL
212
213 #define ECDSA_BUDGET( ops ) /* no-op; for compatibility */
214
215 #define ECDSA_RS_ENTER( SUB ) (void) rs_ctx
216 #define ECDSA_RS_LEAVE( SUB ) (void) rs_ctx
217
218 #endif /* MBEDTLS_ECP_RESTARTABLE */
219
220 /*
221 * Derive a suitable integer for group grp from a buffer of length len
222 * SEC1 4.1.3 step 5 aka SEC1 4.1.4 step 3
223 */
derive_mpi(const mbedtls_ecp_group * grp,mbedtls_mpi * x,const unsigned char * buf,size_t blen)224 static int derive_mpi( const mbedtls_ecp_group *grp, mbedtls_mpi *x,
225 const unsigned char *buf, size_t blen )
226 {
227 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
228 size_t n_size = ( grp->nbits + 7 ) / 8;
229 size_t use_size = blen > n_size ? n_size : blen;
230
231 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( x, buf, use_size ) );
232 if( use_size * 8 > grp->nbits )
233 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( x, use_size * 8 - grp->nbits ) );
234
235 /* While at it, reduce modulo N */
236 if( mbedtls_mpi_cmp_mpi( x, &grp->N ) >= 0 )
237 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( x, x, &grp->N ) );
238
239 cleanup:
240 return( ret );
241 }
242
243 #if !defined(MBEDTLS_ECDSA_SIGN_ALT)
244 /*
245 * Compute ECDSA signature of a hashed message (SEC1 4.1.3)
246 * Obviously, compared to SEC1 4.1.3, we skip step 4 (hash message)
247 */
ecdsa_sign_restartable(mbedtls_ecp_group * grp,mbedtls_mpi * r,mbedtls_mpi * s,const mbedtls_mpi * d,const unsigned char * buf,size_t blen,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int (* f_rng_blind)(void *,unsigned char *,size_t),void * p_rng_blind,mbedtls_ecdsa_restart_ctx * rs_ctx)248 static int ecdsa_sign_restartable( mbedtls_ecp_group *grp,
249 mbedtls_mpi *r, mbedtls_mpi *s,
250 const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
251 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
252 int (*f_rng_blind)(void *, unsigned char *, size_t),
253 void *p_rng_blind,
254 mbedtls_ecdsa_restart_ctx *rs_ctx )
255 {
256 int ret, key_tries, sign_tries;
257 int *p_sign_tries = &sign_tries, *p_key_tries = &key_tries;
258 mbedtls_ecp_point R;
259 mbedtls_mpi k, e, t;
260 mbedtls_mpi *pk = &k, *pr = r;
261
262 /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
263 if( ! mbedtls_ecdsa_can_do( grp->id ) || grp->N.p == NULL )
264 return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
265
266 /* Make sure d is in range 1..n-1 */
267 if( mbedtls_mpi_cmp_int( d, 1 ) < 0 || mbedtls_mpi_cmp_mpi( d, &grp->N ) >= 0 )
268 return( MBEDTLS_ERR_ECP_INVALID_KEY );
269
270 mbedtls_ecp_point_init( &R );
271 mbedtls_mpi_init( &k ); mbedtls_mpi_init( &e ); mbedtls_mpi_init( &t );
272
273 ECDSA_RS_ENTER( sig );
274
275 #if defined(MBEDTLS_ECP_RESTARTABLE)
276 if( rs_ctx != NULL && rs_ctx->sig != NULL )
277 {
278 /* redirect to our context */
279 p_sign_tries = &rs_ctx->sig->sign_tries;
280 p_key_tries = &rs_ctx->sig->key_tries;
281 pk = &rs_ctx->sig->k;
282 pr = &rs_ctx->sig->r;
283
284 /* jump to current step */
285 if( rs_ctx->sig->state == ecdsa_sig_mul )
286 goto mul;
287 if( rs_ctx->sig->state == ecdsa_sig_modn )
288 goto modn;
289 }
290 #endif /* MBEDTLS_ECP_RESTARTABLE */
291
292 *p_sign_tries = 0;
293 do
294 {
295 if( (*p_sign_tries)++ > 10 )
296 {
297 ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
298 goto cleanup;
299 }
300
301 /*
302 * Steps 1-3: generate a suitable ephemeral keypair
303 * and set r = xR mod n
304 */
305 *p_key_tries = 0;
306 do
307 {
308 if( (*p_key_tries)++ > 10 )
309 {
310 ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
311 goto cleanup;
312 }
313
314 MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, pk, f_rng, p_rng ) );
315
316 #if defined(MBEDTLS_ECP_RESTARTABLE)
317 if( rs_ctx != NULL && rs_ctx->sig != NULL )
318 rs_ctx->sig->state = ecdsa_sig_mul;
319
320 mul:
321 #endif
322 MBEDTLS_MPI_CHK( mbedtls_ecp_mul_restartable( grp, &R, pk, &grp->G,
323 f_rng_blind,
324 p_rng_blind,
325 ECDSA_RS_ECP ) );
326 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pr, &R.X, &grp->N ) );
327 }
328 while( mbedtls_mpi_cmp_int( pr, 0 ) == 0 );
329
330 #if defined(MBEDTLS_ECP_RESTARTABLE)
331 if( rs_ctx != NULL && rs_ctx->sig != NULL )
332 rs_ctx->sig->state = ecdsa_sig_modn;
333
334 modn:
335 #endif
336 /*
337 * Accounting for everything up to the end of the loop
338 * (step 6, but checking now avoids saving e and t)
339 */
340 ECDSA_BUDGET( MBEDTLS_ECP_OPS_INV + 4 );
341
342 /*
343 * Step 5: derive MPI from hashed message
344 */
345 MBEDTLS_MPI_CHK( derive_mpi( grp, &e, buf, blen ) );
346
347 /*
348 * Generate a random value to blind inv_mod in next step,
349 * avoiding a potential timing leak.
350 */
351 MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, &t, f_rng_blind,
352 p_rng_blind ) );
353
354 /*
355 * Step 6: compute s = (e + r * d) / k = t (e + rd) / (kt) mod n
356 */
357 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, pr, d ) );
358 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &e, &e, s ) );
359 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &e, &e, &t ) );
360 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pk, pk, &t ) );
361 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pk, pk, &grp->N ) );
362 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, pk, &grp->N ) );
363 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) );
364 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) );
365 }
366 while( mbedtls_mpi_cmp_int( s, 0 ) == 0 );
367
368 #if defined(MBEDTLS_ECP_RESTARTABLE)
369 if( rs_ctx != NULL && rs_ctx->sig != NULL )
370 mbedtls_mpi_copy( r, pr );
371 #endif
372
373 cleanup:
374 mbedtls_ecp_point_free( &R );
375 mbedtls_mpi_free( &k ); mbedtls_mpi_free( &e ); mbedtls_mpi_free( &t );
376
377 ECDSA_RS_LEAVE( sig );
378
379 return( ret );
380 }
381
mbedtls_ecdsa_can_do(mbedtls_ecp_group_id gid)382 int mbedtls_ecdsa_can_do( mbedtls_ecp_group_id gid )
383 {
384 switch( gid )
385 {
386 #ifdef MBEDTLS_ECP_DP_CURVE25519_ENABLED
387 case MBEDTLS_ECP_DP_CURVE25519: return 0;
388 #endif
389 #ifdef MBEDTLS_ECP_DP_CURVE448_ENABLED
390 case MBEDTLS_ECP_DP_CURVE448: return 0;
391 #endif
392 default: return 1;
393 }
394 }
395
396 /*
397 * Compute ECDSA signature of a hashed message
398 */
mbedtls_ecdsa_sign(mbedtls_ecp_group * grp,mbedtls_mpi * r,mbedtls_mpi * s,const mbedtls_mpi * d,const unsigned char * buf,size_t blen,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)399 int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
400 const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
401 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
402 {
403 ECDSA_VALIDATE_RET( grp != NULL );
404 ECDSA_VALIDATE_RET( r != NULL );
405 ECDSA_VALIDATE_RET( s != NULL );
406 ECDSA_VALIDATE_RET( d != NULL );
407 ECDSA_VALIDATE_RET( f_rng != NULL );
408 ECDSA_VALIDATE_RET( buf != NULL || blen == 0 );
409
410 /* Use the same RNG for both blinding and ephemeral key generation */
411 return( ecdsa_sign_restartable( grp, r, s, d, buf, blen,
412 f_rng, p_rng, f_rng, p_rng, NULL ) );
413 }
414 #endif /* !MBEDTLS_ECDSA_SIGN_ALT */
415
416 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
417 /*
418 * Deterministic signature wrapper
419 */
ecdsa_sign_det_restartable(mbedtls_ecp_group * grp,mbedtls_mpi * r,mbedtls_mpi * s,const mbedtls_mpi * d,const unsigned char * buf,size_t blen,mbedtls_md_type_t md_alg,int (* f_rng_blind)(void *,unsigned char *,size_t),void * p_rng_blind,mbedtls_ecdsa_restart_ctx * rs_ctx)420 static int ecdsa_sign_det_restartable( mbedtls_ecp_group *grp,
421 mbedtls_mpi *r, mbedtls_mpi *s,
422 const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
423 mbedtls_md_type_t md_alg,
424 int (*f_rng_blind)(void *, unsigned char *, size_t),
425 void *p_rng_blind,
426 mbedtls_ecdsa_restart_ctx *rs_ctx )
427 {
428 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
429 mbedtls_hmac_drbg_context rng_ctx;
430 mbedtls_hmac_drbg_context *p_rng = &rng_ctx;
431 unsigned char data[2 * MBEDTLS_ECP_MAX_BYTES];
432 size_t grp_len = ( grp->nbits + 7 ) / 8;
433 const mbedtls_md_info_t *md_info;
434 mbedtls_mpi h;
435
436 if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
437 return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
438
439 mbedtls_mpi_init( &h );
440 mbedtls_hmac_drbg_init( &rng_ctx );
441
442 ECDSA_RS_ENTER( det );
443
444 #if defined(MBEDTLS_ECP_RESTARTABLE)
445 if( rs_ctx != NULL && rs_ctx->det != NULL )
446 {
447 /* redirect to our context */
448 p_rng = &rs_ctx->det->rng_ctx;
449
450 /* jump to current step */
451 if( rs_ctx->det->state == ecdsa_det_sign )
452 goto sign;
453 }
454 #endif /* MBEDTLS_ECP_RESTARTABLE */
455
456 /* Use private key and message hash (reduced) to initialize HMAC_DRBG */
457 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( d, data, grp_len ) );
458 MBEDTLS_MPI_CHK( derive_mpi( grp, &h, buf, blen ) );
459 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &h, data + grp_len, grp_len ) );
460 mbedtls_hmac_drbg_seed_buf( p_rng, md_info, data, 2 * grp_len );
461
462 #if defined(MBEDTLS_ECP_RESTARTABLE)
463 if( rs_ctx != NULL && rs_ctx->det != NULL )
464 rs_ctx->det->state = ecdsa_det_sign;
465
466 sign:
467 #endif
468 #if defined(MBEDTLS_ECDSA_SIGN_ALT)
469 ret = mbedtls_ecdsa_sign( grp, r, s, d, buf, blen,
470 mbedtls_hmac_drbg_random, p_rng );
471 #else
472 if( f_rng_blind != NULL )
473 ret = ecdsa_sign_restartable( grp, r, s, d, buf, blen,
474 mbedtls_hmac_drbg_random, p_rng,
475 f_rng_blind, p_rng_blind, rs_ctx );
476 else
477 {
478 mbedtls_hmac_drbg_context *p_rng_blind_det;
479
480 #if !defined(MBEDTLS_ECP_RESTARTABLE)
481 /*
482 * To avoid reusing rng_ctx and risking incorrect behavior we seed a
483 * second HMAC-DRBG with the same seed. We also apply a label to avoid
484 * reusing the bits of the ephemeral key for blinding and eliminate the
485 * risk that they leak this way.
486 */
487 const char* blind_label = "BLINDING CONTEXT";
488 mbedtls_hmac_drbg_context rng_ctx_blind;
489
490 mbedtls_hmac_drbg_init( &rng_ctx_blind );
491 p_rng_blind_det = &rng_ctx_blind;
492 mbedtls_hmac_drbg_seed_buf( p_rng_blind_det, md_info,
493 data, 2 * grp_len );
494 ret = mbedtls_hmac_drbg_update_ret( p_rng_blind_det,
495 (const unsigned char*) blind_label,
496 strlen( blind_label ) );
497 if( ret != 0 )
498 {
499 mbedtls_hmac_drbg_free( &rng_ctx_blind );
500 goto cleanup;
501 }
502 #else
503 /*
504 * In the case of restartable computations we would either need to store
505 * the second RNG in the restart context too or set it up at every
506 * restart. The first option would penalize the correct application of
507 * the function and the second would defeat the purpose of the
508 * restartable feature.
509 *
510 * Therefore in this case we reuse the original RNG. This comes with the
511 * price that the resulting signature might not be a valid deterministic
512 * ECDSA signature with a very low probability (same magnitude as
513 * successfully guessing the private key). However even then it is still
514 * a valid ECDSA signature.
515 */
516 p_rng_blind_det = p_rng;
517 #endif /* MBEDTLS_ECP_RESTARTABLE */
518
519 /*
520 * Since the output of the RNGs is always the same for the same key and
521 * message, this limits the efficiency of blinding and leaks information
522 * through side channels. After mbedtls_ecdsa_sign_det() is removed NULL
523 * won't be a valid value for f_rng_blind anymore. Therefore it should
524 * be checked by the caller and this branch and check can be removed.
525 */
526 ret = ecdsa_sign_restartable( grp, r, s, d, buf, blen,
527 mbedtls_hmac_drbg_random, p_rng,
528 mbedtls_hmac_drbg_random, p_rng_blind_det,
529 rs_ctx );
530
531 #if !defined(MBEDTLS_ECP_RESTARTABLE)
532 mbedtls_hmac_drbg_free( &rng_ctx_blind );
533 #endif
534 }
535 #endif /* MBEDTLS_ECDSA_SIGN_ALT */
536
537 cleanup:
538 mbedtls_hmac_drbg_free( &rng_ctx );
539 mbedtls_mpi_free( &h );
540
541 ECDSA_RS_LEAVE( det );
542
543 return( ret );
544 }
545
546 /*
547 * Deterministic signature wrappers
548 */
549
550 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_ecdsa_sign_det(mbedtls_ecp_group * grp,mbedtls_mpi * r,mbedtls_mpi * s,const mbedtls_mpi * d,const unsigned char * buf,size_t blen,mbedtls_md_type_t md_alg)551 int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r,
552 mbedtls_mpi *s, const mbedtls_mpi *d,
553 const unsigned char *buf, size_t blen,
554 mbedtls_md_type_t md_alg )
555 {
556 ECDSA_VALIDATE_RET( grp != NULL );
557 ECDSA_VALIDATE_RET( r != NULL );
558 ECDSA_VALIDATE_RET( s != NULL );
559 ECDSA_VALIDATE_RET( d != NULL );
560 ECDSA_VALIDATE_RET( buf != NULL || blen == 0 );
561
562 return( ecdsa_sign_det_restartable( grp, r, s, d, buf, blen, md_alg,
563 NULL, NULL, NULL ) );
564 }
565 #endif /* MBEDTLS_DEPRECATED_REMOVED */
566
mbedtls_ecdsa_sign_det_ext(mbedtls_ecp_group * grp,mbedtls_mpi * r,mbedtls_mpi * s,const mbedtls_mpi * d,const unsigned char * buf,size_t blen,mbedtls_md_type_t md_alg,int (* f_rng_blind)(void *,unsigned char *,size_t),void * p_rng_blind)567 int mbedtls_ecdsa_sign_det_ext( mbedtls_ecp_group *grp, mbedtls_mpi *r,
568 mbedtls_mpi *s, const mbedtls_mpi *d,
569 const unsigned char *buf, size_t blen,
570 mbedtls_md_type_t md_alg,
571 int (*f_rng_blind)(void *, unsigned char *,
572 size_t),
573 void *p_rng_blind )
574 {
575 ECDSA_VALIDATE_RET( grp != NULL );
576 ECDSA_VALIDATE_RET( r != NULL );
577 ECDSA_VALIDATE_RET( s != NULL );
578 ECDSA_VALIDATE_RET( d != NULL );
579 ECDSA_VALIDATE_RET( buf != NULL || blen == 0 );
580 ECDSA_VALIDATE_RET( f_rng_blind != NULL );
581
582 return( ecdsa_sign_det_restartable( grp, r, s, d, buf, blen, md_alg,
583 f_rng_blind, p_rng_blind, NULL ) );
584 }
585 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
586
587 #if !defined(MBEDTLS_ECDSA_VERIFY_ALT)
588 /*
589 * Verify ECDSA signature of hashed message (SEC1 4.1.4)
590 * Obviously, compared to SEC1 4.1.3, we skip step 2 (hash message)
591 */
ecdsa_verify_restartable(mbedtls_ecp_group * grp,const unsigned char * buf,size_t blen,const mbedtls_ecp_point * Q,const mbedtls_mpi * r,const mbedtls_mpi * s,mbedtls_ecdsa_restart_ctx * rs_ctx)592 static int ecdsa_verify_restartable( mbedtls_ecp_group *grp,
593 const unsigned char *buf, size_t blen,
594 const mbedtls_ecp_point *Q,
595 const mbedtls_mpi *r, const mbedtls_mpi *s,
596 mbedtls_ecdsa_restart_ctx *rs_ctx )
597 {
598 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
599 mbedtls_mpi e, s_inv, u1, u2;
600 mbedtls_ecp_point R;
601 mbedtls_mpi *pu1 = &u1, *pu2 = &u2;
602
603 mbedtls_ecp_point_init( &R );
604 mbedtls_mpi_init( &e ); mbedtls_mpi_init( &s_inv );
605 mbedtls_mpi_init( &u1 ); mbedtls_mpi_init( &u2 );
606
607 /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
608 if( ! mbedtls_ecdsa_can_do( grp->id ) || grp->N.p == NULL )
609 return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
610
611 ECDSA_RS_ENTER( ver );
612
613 #if defined(MBEDTLS_ECP_RESTARTABLE)
614 if( rs_ctx != NULL && rs_ctx->ver != NULL )
615 {
616 /* redirect to our context */
617 pu1 = &rs_ctx->ver->u1;
618 pu2 = &rs_ctx->ver->u2;
619
620 /* jump to current step */
621 if( rs_ctx->ver->state == ecdsa_ver_muladd )
622 goto muladd;
623 }
624 #endif /* MBEDTLS_ECP_RESTARTABLE */
625
626 /*
627 * Step 1: make sure r and s are in range 1..n-1
628 */
629 if( mbedtls_mpi_cmp_int( r, 1 ) < 0 || mbedtls_mpi_cmp_mpi( r, &grp->N ) >= 0 ||
630 mbedtls_mpi_cmp_int( s, 1 ) < 0 || mbedtls_mpi_cmp_mpi( s, &grp->N ) >= 0 )
631 {
632 ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
633 goto cleanup;
634 }
635
636 /*
637 * Step 3: derive MPI from hashed message
638 */
639 MBEDTLS_MPI_CHK( derive_mpi( grp, &e, buf, blen ) );
640
641 /*
642 * Step 4: u1 = e / s mod n, u2 = r / s mod n
643 */
644 ECDSA_BUDGET( MBEDTLS_ECP_OPS_CHK + MBEDTLS_ECP_OPS_INV + 2 );
645
646 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &s_inv, s, &grp->N ) );
647
648 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pu1, &e, &s_inv ) );
649 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pu1, pu1, &grp->N ) );
650
651 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pu2, r, &s_inv ) );
652 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pu2, pu2, &grp->N ) );
653
654 #if defined(MBEDTLS_ECP_RESTARTABLE)
655 if( rs_ctx != NULL && rs_ctx->ver != NULL )
656 rs_ctx->ver->state = ecdsa_ver_muladd;
657
658 muladd:
659 #endif
660 /*
661 * Step 5: R = u1 G + u2 Q
662 */
663 MBEDTLS_MPI_CHK( mbedtls_ecp_muladd_restartable( grp,
664 &R, pu1, &grp->G, pu2, Q, ECDSA_RS_ECP ) );
665
666 if( mbedtls_ecp_is_zero( &R ) )
667 {
668 ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
669 goto cleanup;
670 }
671
672 /*
673 * Step 6: convert xR to an integer (no-op)
674 * Step 7: reduce xR mod n (gives v)
675 */
676 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &R.X, &R.X, &grp->N ) );
677
678 /*
679 * Step 8: check if v (that is, R.X) is equal to r
680 */
681 if( mbedtls_mpi_cmp_mpi( &R.X, r ) != 0 )
682 {
683 ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
684 goto cleanup;
685 }
686
687 cleanup:
688 mbedtls_ecp_point_free( &R );
689 mbedtls_mpi_free( &e ); mbedtls_mpi_free( &s_inv );
690 mbedtls_mpi_free( &u1 ); mbedtls_mpi_free( &u2 );
691
692 ECDSA_RS_LEAVE( ver );
693
694 return( ret );
695 }
696
697 /*
698 * Verify ECDSA signature of hashed message
699 */
mbedtls_ecdsa_verify(mbedtls_ecp_group * grp,const unsigned char * buf,size_t blen,const mbedtls_ecp_point * Q,const mbedtls_mpi * r,const mbedtls_mpi * s)700 int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
701 const unsigned char *buf, size_t blen,
702 const mbedtls_ecp_point *Q,
703 const mbedtls_mpi *r,
704 const mbedtls_mpi *s)
705 {
706 ECDSA_VALIDATE_RET( grp != NULL );
707 ECDSA_VALIDATE_RET( Q != NULL );
708 ECDSA_VALIDATE_RET( r != NULL );
709 ECDSA_VALIDATE_RET( s != NULL );
710 ECDSA_VALIDATE_RET( buf != NULL || blen == 0 );
711
712 return( ecdsa_verify_restartable( grp, buf, blen, Q, r, s, NULL ) );
713 }
714 #endif /* !MBEDTLS_ECDSA_VERIFY_ALT */
715
716 /*
717 * Convert a signature (given by context) to ASN.1
718 */
ecdsa_signature_to_asn1(const mbedtls_mpi * r,const mbedtls_mpi * s,unsigned char * sig,size_t * slen)719 static int ecdsa_signature_to_asn1( const mbedtls_mpi *r, const mbedtls_mpi *s,
720 unsigned char *sig, size_t *slen )
721 {
722 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
723 unsigned char buf[MBEDTLS_ECDSA_MAX_LEN];
724 unsigned char *p = buf + sizeof( buf );
725 size_t len = 0;
726
727 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &p, buf, s ) );
728 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &p, buf, r ) );
729
730 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &p, buf, len ) );
731 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &p, buf,
732 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
733
734 memcpy( sig, p, len );
735 *slen = len;
736
737 return( 0 );
738 }
739
740 /*
741 * Compute and write signature
742 */
mbedtls_ecdsa_write_signature_restartable(mbedtls_ecdsa_context * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hlen,unsigned char * sig,size_t * slen,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,mbedtls_ecdsa_restart_ctx * rs_ctx)743 int mbedtls_ecdsa_write_signature_restartable( mbedtls_ecdsa_context *ctx,
744 mbedtls_md_type_t md_alg,
745 const unsigned char *hash, size_t hlen,
746 unsigned char *sig, size_t *slen,
747 int (*f_rng)(void *, unsigned char *, size_t),
748 void *p_rng,
749 mbedtls_ecdsa_restart_ctx *rs_ctx )
750 {
751 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
752 mbedtls_mpi r, s;
753 ECDSA_VALIDATE_RET( ctx != NULL );
754 ECDSA_VALIDATE_RET( hash != NULL );
755 ECDSA_VALIDATE_RET( sig != NULL );
756 ECDSA_VALIDATE_RET( slen != NULL );
757
758 mbedtls_mpi_init( &r );
759 mbedtls_mpi_init( &s );
760
761 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
762 MBEDTLS_MPI_CHK( ecdsa_sign_det_restartable( &ctx->grp, &r, &s, &ctx->d,
763 hash, hlen, md_alg, f_rng,
764 p_rng, rs_ctx ) );
765 #else
766 (void) md_alg;
767
768 #if defined(MBEDTLS_ECDSA_SIGN_ALT)
769 MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign( &ctx->grp, &r, &s, &ctx->d,
770 hash, hlen, f_rng, p_rng ) );
771 #else
772 /* Use the same RNG for both blinding and ephemeral key generation */
773 MBEDTLS_MPI_CHK( ecdsa_sign_restartable( &ctx->grp, &r, &s, &ctx->d,
774 hash, hlen, f_rng, p_rng, f_rng,
775 p_rng, rs_ctx ) );
776 #endif /* MBEDTLS_ECDSA_SIGN_ALT */
777 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
778
779 MBEDTLS_MPI_CHK( ecdsa_signature_to_asn1( &r, &s, sig, slen ) );
780
781 cleanup:
782 mbedtls_mpi_free( &r );
783 mbedtls_mpi_free( &s );
784
785 return( ret );
786 }
787
788 /*
789 * Compute and write signature
790 */
mbedtls_ecdsa_write_signature(mbedtls_ecdsa_context * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hlen,unsigned char * sig,size_t * slen,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)791 int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx,
792 mbedtls_md_type_t md_alg,
793 const unsigned char *hash, size_t hlen,
794 unsigned char *sig, size_t *slen,
795 int (*f_rng)(void *, unsigned char *, size_t),
796 void *p_rng )
797 {
798 ECDSA_VALIDATE_RET( ctx != NULL );
799 ECDSA_VALIDATE_RET( hash != NULL );
800 ECDSA_VALIDATE_RET( sig != NULL );
801 ECDSA_VALIDATE_RET( slen != NULL );
802 return( mbedtls_ecdsa_write_signature_restartable(
803 ctx, md_alg, hash, hlen, sig, slen, f_rng, p_rng, NULL ) );
804 }
805
806 #if !defined(MBEDTLS_DEPRECATED_REMOVED) && \
807 defined(MBEDTLS_ECDSA_DETERMINISTIC)
mbedtls_ecdsa_write_signature_det(mbedtls_ecdsa_context * ctx,const unsigned char * hash,size_t hlen,unsigned char * sig,size_t * slen,mbedtls_md_type_t md_alg)808 int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
809 const unsigned char *hash, size_t hlen,
810 unsigned char *sig, size_t *slen,
811 mbedtls_md_type_t md_alg )
812 {
813 ECDSA_VALIDATE_RET( ctx != NULL );
814 ECDSA_VALIDATE_RET( hash != NULL );
815 ECDSA_VALIDATE_RET( sig != NULL );
816 ECDSA_VALIDATE_RET( slen != NULL );
817 return( mbedtls_ecdsa_write_signature( ctx, md_alg, hash, hlen, sig, slen,
818 NULL, NULL ) );
819 }
820 #endif
821
822 /*
823 * Read and check signature
824 */
mbedtls_ecdsa_read_signature(mbedtls_ecdsa_context * ctx,const unsigned char * hash,size_t hlen,const unsigned char * sig,size_t slen)825 int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx,
826 const unsigned char *hash, size_t hlen,
827 const unsigned char *sig, size_t slen )
828 {
829 ECDSA_VALIDATE_RET( ctx != NULL );
830 ECDSA_VALIDATE_RET( hash != NULL );
831 ECDSA_VALIDATE_RET( sig != NULL );
832 return( mbedtls_ecdsa_read_signature_restartable(
833 ctx, hash, hlen, sig, slen, NULL ) );
834 }
835
836 /*
837 * Restartable read and check signature
838 */
mbedtls_ecdsa_read_signature_restartable(mbedtls_ecdsa_context * ctx,const unsigned char * hash,size_t hlen,const unsigned char * sig,size_t slen,mbedtls_ecdsa_restart_ctx * rs_ctx)839 int mbedtls_ecdsa_read_signature_restartable( mbedtls_ecdsa_context *ctx,
840 const unsigned char *hash, size_t hlen,
841 const unsigned char *sig, size_t slen,
842 mbedtls_ecdsa_restart_ctx *rs_ctx )
843 {
844 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
845 unsigned char *p = (unsigned char *) sig;
846 const unsigned char *end = sig + slen;
847 size_t len;
848 mbedtls_mpi r, s;
849 ECDSA_VALIDATE_RET( ctx != NULL );
850 ECDSA_VALIDATE_RET( hash != NULL );
851 ECDSA_VALIDATE_RET( sig != NULL );
852
853 mbedtls_mpi_init( &r );
854 mbedtls_mpi_init( &s );
855
856 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
857 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
858 {
859 ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
860 goto cleanup;
861 }
862
863 if( p + len != end )
864 {
865 ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA +
866 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
867 goto cleanup;
868 }
869
870 if( ( ret = mbedtls_asn1_get_mpi( &p, end, &r ) ) != 0 ||
871 ( ret = mbedtls_asn1_get_mpi( &p, end, &s ) ) != 0 )
872 {
873 ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
874 goto cleanup;
875 }
876 #if defined(MBEDTLS_ECDSA_VERIFY_ALT)
877 if( ( ret = mbedtls_ecdsa_verify( &ctx->grp, hash, hlen,
878 &ctx->Q, &r, &s ) ) != 0 )
879 goto cleanup;
880 #else
881 if( ( ret = ecdsa_verify_restartable( &ctx->grp, hash, hlen,
882 &ctx->Q, &r, &s, rs_ctx ) ) != 0 )
883 goto cleanup;
884 #endif /* MBEDTLS_ECDSA_VERIFY_ALT */
885
886 /* At this point we know that the buffer starts with a valid signature.
887 * Return 0 if the buffer just contains the signature, and a specific
888 * error code if the valid signature is followed by more data. */
889 if( p != end )
890 ret = MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH;
891
892 cleanup:
893 mbedtls_mpi_free( &r );
894 mbedtls_mpi_free( &s );
895
896 return( ret );
897 }
898
899 #if !defined(MBEDTLS_ECDSA_GENKEY_ALT)
900 /*
901 * Generate key pair
902 */
mbedtls_ecdsa_genkey(mbedtls_ecdsa_context * ctx,mbedtls_ecp_group_id gid,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)903 int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
904 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
905 {
906 int ret = 0;
907 ECDSA_VALIDATE_RET( ctx != NULL );
908 ECDSA_VALIDATE_RET( f_rng != NULL );
909
910 ret = mbedtls_ecp_group_load( &ctx->grp, gid );
911 if( ret != 0 )
912 return( ret );
913
914 return( mbedtls_ecp_gen_keypair( &ctx->grp, &ctx->d,
915 &ctx->Q, f_rng, p_rng ) );
916 }
917 #endif /* !MBEDTLS_ECDSA_GENKEY_ALT */
918
919 /*
920 * Set context from an mbedtls_ecp_keypair
921 */
mbedtls_ecdsa_from_keypair(mbedtls_ecdsa_context * ctx,const mbedtls_ecp_keypair * key)922 int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key )
923 {
924 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
925 ECDSA_VALIDATE_RET( ctx != NULL );
926 ECDSA_VALIDATE_RET( key != NULL );
927
928 if( ( ret = mbedtls_ecp_group_copy( &ctx->grp, &key->grp ) ) != 0 ||
929 ( ret = mbedtls_mpi_copy( &ctx->d, &key->d ) ) != 0 ||
930 ( ret = mbedtls_ecp_copy( &ctx->Q, &key->Q ) ) != 0 )
931 {
932 mbedtls_ecdsa_free( ctx );
933 }
934
935 return( ret );
936 }
937
938 /*
939 * Initialize context
940 */
mbedtls_ecdsa_init(mbedtls_ecdsa_context * ctx)941 void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx )
942 {
943 ECDSA_VALIDATE( ctx != NULL );
944
945 mbedtls_ecp_keypair_init( ctx );
946 }
947
948 /*
949 * Free context
950 */
mbedtls_ecdsa_free(mbedtls_ecdsa_context * ctx)951 void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx )
952 {
953 if( ctx == NULL )
954 return;
955
956 mbedtls_ecp_keypair_free( ctx );
957 }
958
959 #if defined(MBEDTLS_ECP_RESTARTABLE)
960 /*
961 * Initialize a restart context
962 */
mbedtls_ecdsa_restart_init(mbedtls_ecdsa_restart_ctx * ctx)963 void mbedtls_ecdsa_restart_init( mbedtls_ecdsa_restart_ctx *ctx )
964 {
965 ECDSA_VALIDATE( ctx != NULL );
966
967 mbedtls_ecp_restart_init( &ctx->ecp );
968
969 ctx->ver = NULL;
970 ctx->sig = NULL;
971 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
972 ctx->det = NULL;
973 #endif
974 }
975
976 /*
977 * Free the components of a restart context
978 */
mbedtls_ecdsa_restart_free(mbedtls_ecdsa_restart_ctx * ctx)979 void mbedtls_ecdsa_restart_free( mbedtls_ecdsa_restart_ctx *ctx )
980 {
981 if( ctx == NULL )
982 return;
983
984 mbedtls_ecp_restart_free( &ctx->ecp );
985
986 ecdsa_restart_ver_free( ctx->ver );
987 mbedtls_free( ctx->ver );
988 ctx->ver = NULL;
989
990 ecdsa_restart_sig_free( ctx->sig );
991 mbedtls_free( ctx->sig );
992 ctx->sig = NULL;
993
994 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
995 ecdsa_restart_det_free( ctx->det );
996 mbedtls_free( ctx->det );
997 ctx->det = NULL;
998 #endif
999 }
1000 #endif /* MBEDTLS_ECP_RESTARTABLE */
1001
1002 #endif /* MBEDTLS_ECDSA_C */
1003
