kris
/
boringssl
1
0
複製 0
程式碼 問題 0 合併請求 0 版本發佈 0 Wiki 活動
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
153 提交
12 分支
38 MiB
 
 
 
 
 
 
目錄樹: 389110ae89
分支列表 標籤
${ item.name }
建立分支 ${ searchTerm }
從 '389110ae89'
${ noResults }
boringssl/crypto/ecdsa/ecdsa.c

481 line
14 KiB
原始文件 Blame 歷史記錄 

  1. /* ====================================================================

  2.  * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.

  3.  *

  4.  * Redistribution and use in source and binary forms, with or without

  5.  * modification, are permitted provided that the following conditions

  6.  * are met:

  7.  *

  8.  * 1. Redistributions of source code must retain the above copyright

  9.  *    notice, this list of conditions and the following disclaimer.

  10.  *

  11.  * 2. Redistributions in binary form must reproduce the above copyright

  12.  *    notice, this list of conditions and the following disclaimer in

  13.  *    the documentation and/or other materials provided with the

  14.  *    distribution.

  15.  *

  16.  * 3. All advertising materials mentioning features or use of this

  17.  *    software must display the following acknowledgment:

  18.  *    "This product includes software developed by the OpenSSL Project

  19.  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

  20.  *

  21.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  22.  *    endorse or promote products derived from this software without

  23.  *    prior written permission. For written permission, please contact

  24.  *    openssl-core@OpenSSL.org.

  25.  *

  26.  * 5. Products derived from this software may not be called "OpenSSL"

  27.  *    nor may "OpenSSL" appear in their names without prior written

  28.  *    permission of the OpenSSL Project.

  29.  *

  30.  * 6. Redistributions of any form whatsoever must retain the following

  31.  *    acknowledgment:

  32.  *    "This product includes software developed by the OpenSSL Project

  33.  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

  34.  *

  35.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  36.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  37.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  38.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  39.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  40.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  41.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  42.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  43.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  44.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  45.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  46.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  47.  * ====================================================================

  48.  *

  49.  * This product includes cryptographic software written by Eric Young

  50.  * (eay@cryptsoft.com).  This product includes software written by Tim

  51.  * Hudson (tjh@cryptsoft.com). */

  52. 

  53. #include <openssl/ecdsa.h>

  54. 

  55. #include <openssl/bn.h>

  56. #include <openssl/err.h>

  57. #include <openssl/mem.h>

  58. #include <openssl/thread.h>

  59. 

  60. #include "../ec/internal.h"

  61. 

  62. 

  63. int ECDSA_sign(int type, const uint8_t *digest, size_t digest_len, uint8_t *sig,

  64.                unsigned int *sig_len, EC_KEY *eckey) {

  65.   if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) {

  66.     return eckey->ecdsa_meth->sign(digest, digest_len, sig, sig_len, eckey);

  67.   }

  68. 

  69.   return ECDSA_sign_ex(type, digest, digest_len, sig, sig_len, NULL, NULL,

  70.                        eckey);

  71. }

  72. 

  73. int ECDSA_verify(int type, const uint8_t *digest, size_t digest_len,

  74.                  const uint8_t *sig, size_t sig_len, EC_KEY *eckey) {

  75.   ECDSA_SIG *s;

  76.   int ret = -1;

  77. 

  78.   if (eckey->ecdsa_meth && eckey->ecdsa_meth->verify) {

  79.     return eckey->ecdsa_meth->verify(digest, digest_len, sig, sig_len, eckey);

  80.   }

  81. 

  82.   s = ECDSA_SIG_new();

  83.   if (s == NULL || d2i_ECDSA_SIG(&s, &sig, sig_len) == NULL) {

  84.     goto err;

  85.   }

  86.   ret = ECDSA_do_verify(digest, digest_len, s, eckey);

  87. 

  88. err:

  89.   if (s != NULL) {

  90.     ECDSA_SIG_free(s);

  91.   }

  92.   return ret;

  93. }

  94. 

  95. /* digest_to_bn interprets |digest_len| bytes from |digest| as a big-endian

  96.  * number and sets |out| to that value. It then truncates |out| so that it's,

  97.  * at most, as long as |order|. It returns one on success and zero otherwise. */

  98. static int digest_to_bn(BIGNUM *out, const uint8_t *digest, size_t digest_len,

  99.                         const BIGNUM *order) {

  100.   size_t num_bits;

  101. 

  102.   num_bits = BN_num_bits(order);

  103.   /* Need to truncate digest if it is too long: first truncate whole

  104.    * bytes. */

  105.   if (8 * digest_len > num_bits) {

  106.     digest_len = (num_bits + 7) / 8;

  107.   }

  108.   if (!BN_bin2bn(digest, digest_len, out)) {

  109.     OPENSSL_PUT_ERROR(ECDSA, digest_to_bn, ERR_R_BN_LIB);

  110.     return 0;

  111.   }

  112. 

  113.   /* If still too long truncate remaining bits with a shift */

  114.   if ((8 * digest_len > num_bits) &&

  115.       !BN_rshift(out, out, 8 - (num_bits & 0x7))) {

  116.     OPENSSL_PUT_ERROR(ECDSA, digest_to_bn, ERR_R_BN_LIB);

  117.     return 0;

  118.   }

  119. 

  120.   return 1;

  121. }

  122. 

  123. ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest, size_t digest_len,

  124.                          EC_KEY *key) {

  125.   return ECDSA_do_sign_ex(digest, digest_len, NULL, NULL, key);

  126. }

  127. 

  128. int ECDSA_do_verify(const uint8_t *digest, size_t digest_len,

  129.                     const ECDSA_SIG *sig, EC_KEY *eckey) {

  130.   int ret = -1;

  131.   BN_CTX *ctx;

  132.   BIGNUM *order, *u1, *u2, *m, *X;

  133.   EC_POINT *point = NULL;

  134.   const EC_GROUP *group;

  135.   const EC_POINT *pub_key;

  136. 

  137.   if (eckey->ecdsa_meth && eckey->ecdsa_meth->verify) {

  138.     OPENSSL_PUT_ERROR(ECDSA, ECDSA_sign_ex, ECDSA_R_NOT_IMPLEMENTED);

  139.     return -1;

  140.   }

  141. 

  142.   /* check input values */

  143.   if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||

  144.       (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {

  145.     OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_verify, ECDSA_R_MISSING_PARAMETERS);

  146.     return -1;

  147.   }

  148. 

  149.   ctx = BN_CTX_new();

  150.   if (!ctx) {

  151.     OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_verify, ERR_R_MALLOC_FAILURE);

  152.     return -1;

  153.   }

  154.   BN_CTX_start(ctx);

  155.   order = BN_CTX_get(ctx);

  156.   u1 = BN_CTX_get(ctx);

  157.   u2 = BN_CTX_get(ctx);

  158.   m = BN_CTX_get(ctx);

  159.   X = BN_CTX_get(ctx);

  160.   if (!X) {

  161.     OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_verify, ERR_R_BN_LIB);

  162.     goto err;

  163.   }

  164. 

  165.   if (!EC_GROUP_get_order(group, order, ctx)) {

  166.     OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_verify, ERR_R_EC_LIB);

  167.     goto err;

  168.   }

  169. 

  170.   if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||

  171.       BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) ||

  172.       BN_is_negative(sig->s) || BN_ucmp(sig->s, order) >= 0) {

  173.     OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_verify, ECDSA_R_BAD_SIGNATURE);

  174.     ret = 0; /* signature is invalid */

  175.     goto err;

  176.   }

  177.   /* calculate tmp1 = inv(S) mod order */

  178.   if (!BN_mod_inverse(u2, sig->s, order, ctx)) {

  179.     OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_verify, ERR_R_BN_LIB);

  180.     goto err;

  181.   }

  182.   if (!digest_to_bn(m, digest, digest_len, order)) {

  183.     goto err;

  184.   }

  185.   /* u1 = m * tmp mod order */

  186.   if (!BN_mod_mul(u1, m, u2, order, ctx)) {

  187.     OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_verify, ERR_R_BN_LIB);

  188.     goto err;

  189.   }

  190.   /* u2 = r * w mod q */

  191.   if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) {

  192.     OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_verify, ERR_R_BN_LIB);

  193.     goto err;

  194.   }

  195. 

  196.   point = EC_POINT_new(group);

  197.   if (point == NULL) {

  198.     OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_verify, ERR_R_MALLOC_FAILURE);

  199.     goto err;

  200.   }

  201.   if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx)) {

  202.     OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_verify, ERR_R_EC_LIB);

  203.     goto err;

  204.   }

  205.   if (!EC_POINT_get_affine_coordinates_GFp(group, point, X, NULL, ctx)) {

  206.     OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_verify, ERR_R_EC_LIB);

  207.     goto err;

  208.   }

  209.   if (!BN_nnmod(u1, X, order, ctx)) {

  210.     OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_verify, ERR_R_BN_LIB);

  211.     goto err;

  212.   }

  213.   /* if the signature is correct u1 is equal to sig->r */

  214.   ret = (BN_ucmp(u1, sig->r) == 0);

  215. 

  216. err:

  217.   BN_CTX_end(ctx);

  218.   BN_CTX_free(ctx);

  219.   if (point) {

  220.     EC_POINT_free(point);

  221.   }

  222.   return ret;

  223. }

  224. 

  225. static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,

  226.                             BIGNUM **rp, const uint8_t *digest,

  227.                             size_t digest_len) {

  228.   BN_CTX *ctx = NULL;

  229.   BIGNUM *k = NULL, *r = NULL, *order = NULL, *X = NULL;

  230.   EC_POINT *tmp_point = NULL;

  231.   const EC_GROUP *group;

  232.   int ret = 0;

  233. 

  234.   if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {

  235.     OPENSSL_PUT_ERROR(ECDSA, ecdsa_sign_setup, ERR_R_PASSED_NULL_PARAMETER);

  236.     return 0;

  237.   }

  238. 

  239.   if (ctx_in == NULL) {

  240.     if ((ctx = BN_CTX_new()) == NULL) {

  241.       OPENSSL_PUT_ERROR(ECDSA, ecdsa_sign_setup, ERR_R_MALLOC_FAILURE);

  242.       return 0;

  243.     }

  244.   } else {

  245.     ctx = ctx_in;

  246.   }

  247. 

  248.   k = BN_new(); /* this value is later returned in *kinvp */

  249.   r = BN_new(); /* this value is later returned in *rp    */

  250.   order = BN_new();

  251.   X = BN_new();

  252.   if (!k || !r || !order || !X) {

  253.     OPENSSL_PUT_ERROR(ECDSA, ecdsa_sign_setup, ERR_R_MALLOC_FAILURE);

  254.     goto err;

  255.   }

  256.   tmp_point = EC_POINT_new(group);

  257.   if (tmp_point == NULL) {

  258.     OPENSSL_PUT_ERROR(ECDSA, ecdsa_sign_setup, ERR_R_EC_LIB);

  259.     goto err;

  260.   }

  261.   if (!EC_GROUP_get_order(group, order, ctx)) {

  262.     OPENSSL_PUT_ERROR(ECDSA, ecdsa_sign_setup, ERR_R_EC_LIB);

  263.     goto err;

  264.   }

  265. 

  266.   do {

  267.     /* If possible, we'll include the private key and message digest in the k

  268.      * generation. The |digest| argument is only empty if |ECDSA_sign_setup| is

  269.      * being used. */

  270.     do {

  271.       int ok;

  272. 

  273.       if (digest_len > 0) {

  274.         ok = BN_generate_dsa_nonce(k, order, EC_KEY_get0_private_key(eckey),

  275.                                    digest, digest_len, ctx);

  276.       } else {

  277.         ok = BN_rand_range(k, order);

  278.       }

  279.       if (!ok) {

  280.         OPENSSL_PUT_ERROR(ECDSA, ecdsa_sign_setup,

  281.                           ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);

  282.         goto err;

  283.       }

  284.     } while (BN_is_zero(k));

  285. 

  286.     /* We do not want timing information to leak the length of k,

  287.      * so we compute G*k using an equivalent scalar of fixed

  288.      * bit-length. */

  289. 

  290.     if (!BN_add(k, k, order)) {

  291.       goto err;

  292.     }

  293.     if (BN_num_bits(k) <= BN_num_bits(order)) {

  294.       if (!BN_add(k, k, order)) {

  295.         goto err;

  296.       }

  297.     }

  298. 

  299.     /* compute r the x-coordinate of generator * k */

  300.     if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {

  301.       OPENSSL_PUT_ERROR(ECDSA, ecdsa_sign_setup, ERR_R_EC_LIB);

  302.       goto err;

  303.     }

  304.     if (!EC_POINT_get_affine_coordinates_GFp(group, tmp_point, X, NULL, ctx)) {

  305.       OPENSSL_PUT_ERROR(ECDSA, ecdsa_sign_setup, ERR_R_EC_LIB);

  306.       goto err;

  307.     }

  308. 

  309.     if (!BN_nnmod(r, X, order, ctx)) {

  310.       OPENSSL_PUT_ERROR(ECDSA, ecdsa_sign_setup, ERR_R_BN_LIB);

  311.       goto err;

  312.     }

  313.   } while (BN_is_zero(r));

  314. 

  315.   /* compute the inverse of k */

  316.   if (!BN_mod_inverse(k, k, order, ctx)) {

  317.     OPENSSL_PUT_ERROR(ECDSA, ecdsa_sign_setup, ERR_R_BN_LIB);

  318.     goto err;

  319.   }

  320.   /* clear old values if necessary */

  321.   if (*rp != NULL) {

  322.     BN_clear_free(*rp);

  323.   }

  324.   if (*kinvp != NULL) {

  325.     BN_clear_free(*kinvp);

  326.   }

  327. 

  328.   /* save the pre-computed values  */

  329.   *rp = r;

  330.   *kinvp = k;

  331.   ret = 1;

  332. 

  333. err:

  334.   if (!ret) {

  335.     if (k != NULL) {

  336.       BN_clear_free(k);

  337.     }

  338.     if (r != NULL) {

  339.       BN_clear_free(r);

  340.     }

  341.   }

  342.   if (ctx_in == NULL)

  343.     BN_CTX_free(ctx);

  344.   if (order != NULL)

  345.     BN_free(order);

  346.   if (tmp_point != NULL)

  347.     EC_POINT_free(tmp_point);

  348.   if (X)

  349.     BN_clear_free(X);

  350.   return ret;

  351. }

  352. 

  353. int ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv, BIGNUM **rp) {

  354.   return ecdsa_sign_setup(eckey, ctx, kinv, rp, NULL, 0);

  355. }

  356. 

  357. ECDSA_SIG *ECDSA_do_sign_ex(const uint8_t *digest, size_t digest_len,

  358.                             const BIGNUM *in_kinv, const BIGNUM *in_r,

  359.                             EC_KEY *eckey) {

  360.   int ok = 0;

  361.   BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *order = NULL;

  362.   const BIGNUM *ckinv;

  363.   BN_CTX *ctx = NULL;

  364.   const EC_GROUP *group;

  365.   ECDSA_SIG *ret;

  366.   const BIGNUM *priv_key;

  367. 

  368.   if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) {

  369.     OPENSSL_PUT_ERROR(ECDSA, ECDSA_sign_ex, ECDSA_R_NOT_IMPLEMENTED);

  370.     return NULL;

  371.   }

  372. 

  373.   group = EC_KEY_get0_group(eckey);

  374.   priv_key = EC_KEY_get0_private_key(eckey);

  375. 

  376.   if (group == NULL || priv_key == NULL) {

  377.     OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_sign_ex, ERR_R_PASSED_NULL_PARAMETER);

  378.     return NULL;

  379.   }

  380. 

  381.   ret = ECDSA_SIG_new();

  382.   if (!ret) {

  383.     OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_sign_ex, ERR_R_MALLOC_FAILURE);

  384.     return NULL;

  385.   }

  386.   s = ret->s;

  387. 

  388.   if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL ||

  389.       (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) {

  390.     OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_sign_ex, ERR_R_MALLOC_FAILURE);

  391.     goto err;

  392.   }

  393. 

  394.   if (!EC_GROUP_get_order(group, order, ctx)) {

  395.     OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_sign_ex, ERR_R_EC_LIB);

  396.     goto err;

  397.   }

  398.   if (!digest_to_bn(m, digest, digest_len, order)) {

  399.     goto err;

  400.   }

  401.   for (;;) {

  402.     if (in_kinv == NULL || in_r == NULL) {

  403.       if (!ecdsa_sign_setup(eckey, ctx, &kinv, &ret->r, digest, digest_len)) {

  404.         OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_sign_ex, ERR_R_ECDSA_LIB);

  405.         goto err;

  406.       }

  407.       ckinv = kinv;

  408.     } else {

  409.       ckinv = in_kinv;

  410.       if (BN_copy(ret->r, in_r) == NULL) {

  411.         OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_sign_ex, ERR_R_MALLOC_FAILURE);

  412.         goto err;

  413.       }

  414.     }

  415. 

  416.     if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) {

  417.       OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_sign_ex, ERR_R_BN_LIB);

  418.       goto err;

  419.     }

  420.     if (!BN_mod_add_quick(s, tmp, m, order)) {

  421.       OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_sign_ex, ERR_R_BN_LIB);

  422.       goto err;

  423.     }

  424.     if (!BN_mod_mul(s, s, ckinv, order, ctx)) {

  425.       OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_sign_ex, ERR_R_BN_LIB);

  426.       goto err;

  427.     }

  428.     if (BN_is_zero(s)) {

  429.       /* if kinv and r have been supplied by the caller

  430.        * don't to generate new kinv and r values */

  431.       if (in_kinv != NULL && in_r != NULL) {

  432.         OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_sign_ex, ECDSA_R_NEED_NEW_SETUP_VALUES);

  433.         goto err;

  434.       }

  435.     } else {

  436.       /* s != 0 => we have a valid signature */

  437.       break;

  438.     }

  439.   }

  440. 

  441.   ok = 1;

  442. 

  443. err:

  444.   if (!ok) {

  445.     ECDSA_SIG_free(ret);

  446.     ret = NULL;

  447.   }

  448.   if (ctx)

  449.     BN_CTX_free(ctx);

  450.   if (m)

  451.     BN_clear_free(m);

  452.   if (tmp)

  453.     BN_clear_free(tmp);

  454.   if (order)

  455.     BN_free(order);

  456.   if (kinv)

  457.     BN_clear_free(kinv);

  458.   return ret;

  459. }

  460. 

  461. int ECDSA_sign_ex(int type, const uint8_t *digest, size_t digest_len,

  462.                   uint8_t *sig, unsigned int *sig_len, const BIGNUM *kinv,

  463.                   const BIGNUM *r, EC_KEY *eckey) {

  464.   ECDSA_SIG *s = NULL;

  465. 

  466.   if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) {

  467.     OPENSSL_PUT_ERROR(ECDSA, ECDSA_sign_ex, ECDSA_R_NOT_IMPLEMENTED);

  468.     *sig_len = 0;

  469.     return 0;

  470.   }

  471. 

  472.   s = ECDSA_do_sign_ex(digest, digest_len, kinv, r, eckey);

  473.   if (s == NULL) {

  474.     *sig_len = 0;

  475.     return 0;

  476.   }

  477.   *sig_len = i2d_ECDSA_SIG(s, &sig);

  478.   ECDSA_SIG_free(s);

  479.   return 1;

  480. }