ecdsa.c 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451
  1. /*
  2. * Elliptic curve DSA
  3. *
  4. * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
  5. * SPDX-License-Identifier: GPL-2.0
  6. *
  7. * This program is free software; you can redistribute it and/or modify
  8. * it under the terms of the GNU General Public License as published by
  9. * the Free Software Foundation; either version 2 of the License, or
  10. * (at your option) any later version.
  11. *
  12. * This program is distributed in the hope that it will be useful,
  13. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. * GNU General Public License for more details.
  16. *
  17. * You should have received a copy of the GNU General Public License along
  18. * with this program; if not, write to the Free Software Foundation, Inc.,
  19. * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  20. *
  21. * This file is part of mbed TLS (https://tls.mbed.org)
  22. */
  23. /*
  24. * References:
  25. *
  26. * SEC1 http://www.secg.org/index.php?action=secg,docs_secg
  27. */
  28. #if !defined(MBEDTLS_CONFIG_FILE)
  29. #include "mbedtls/config.h"
  30. #else
  31. #include MBEDTLS_CONFIG_FILE
  32. #endif
  33. #if defined(MBEDTLS_ECDSA_C)
  34. #include "mbedtls/ecdsa.h"
  35. #include "mbedtls/asn1write.h"
  36. #include <string.h>
  37. #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
  38. #include "mbedtls/hmac_drbg.h"
  39. #endif
  40. /*
  41. * Derive a suitable integer for group grp from a buffer of length len
  42. * SEC1 4.1.3 step 5 aka SEC1 4.1.4 step 3
  43. */
  44. static int derive_mpi( const mbedtls_ecp_group *grp, mbedtls_mpi *x,
  45. const unsigned char *buf, size_t blen )
  46. {
  47. int ret;
  48. size_t n_size = ( grp->nbits + 7 ) / 8;
  49. size_t use_size = blen > n_size ? n_size : blen;
  50. MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( x, buf, use_size ) );
  51. if( use_size * 8 > grp->nbits )
  52. MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( x, use_size * 8 - grp->nbits ) );
  53. /* While at it, reduce modulo N */
  54. if( mbedtls_mpi_cmp_mpi( x, &grp->N ) >= 0 )
  55. MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( x, x, &grp->N ) );
  56. cleanup:
  57. return( ret );
  58. }
  59. /*
  60. * Compute ECDSA signature of a hashed message (SEC1 4.1.3)
  61. * Obviously, compared to SEC1 4.1.3, we skip step 4 (hash message)
  62. */
  63. int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
  64. const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
  65. int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
  66. {
  67. int ret, key_tries, sign_tries, blind_tries;
  68. mbedtls_ecp_point R;
  69. mbedtls_mpi k, e, t;
  70. /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
  71. if( grp->N.p == NULL )
  72. return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
  73. mbedtls_ecp_point_init( &R );
  74. mbedtls_mpi_init( &k ); mbedtls_mpi_init( &e ); mbedtls_mpi_init( &t );
  75. sign_tries = 0;
  76. do
  77. {
  78. /*
  79. * Steps 1-3: generate a suitable ephemeral keypair
  80. * and set r = xR mod n
  81. */
  82. key_tries = 0;
  83. do
  84. {
  85. MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair( grp, &k, &R, f_rng, p_rng ) );
  86. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( r, &R.X, &grp->N ) );
  87. if( key_tries++ > 10 )
  88. {
  89. ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
  90. goto cleanup;
  91. }
  92. }
  93. while( mbedtls_mpi_cmp_int( r, 0 ) == 0 );
  94. /*
  95. * Step 5: derive MPI from hashed message
  96. */
  97. MBEDTLS_MPI_CHK( derive_mpi( grp, &e, buf, blen ) );
  98. /*
  99. * Generate a random value to blind inv_mod in next step,
  100. * avoiding a potential timing leak.
  101. */
  102. blind_tries = 0;
  103. do
  104. {
  105. size_t n_size = ( grp->nbits + 7 ) / 8;
  106. MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &t, n_size, f_rng, p_rng ) );
  107. MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &t, 8 * n_size - grp->nbits ) );
  108. /* See mbedtls_ecp_gen_keypair() */
  109. if( ++blind_tries > 30 )
  110. return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
  111. }
  112. while( mbedtls_mpi_cmp_int( &t, 1 ) < 0 ||
  113. mbedtls_mpi_cmp_mpi( &t, &grp->N ) >= 0 );
  114. /*
  115. * Step 6: compute s = (e + r * d) / k = t (e + rd) / (kt) mod n
  116. */
  117. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, r, d ) );
  118. MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &e, &e, s ) );
  119. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &e, &e, &t ) );
  120. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &k, &k, &t ) );
  121. MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, &k, &grp->N ) );
  122. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) );
  123. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) );
  124. if( sign_tries++ > 10 )
  125. {
  126. ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
  127. goto cleanup;
  128. }
  129. }
  130. while( mbedtls_mpi_cmp_int( s, 0 ) == 0 );
  131. cleanup:
  132. mbedtls_ecp_point_free( &R );
  133. mbedtls_mpi_free( &k ); mbedtls_mpi_free( &e ); mbedtls_mpi_free( &t );
  134. return( ret );
  135. }
  136. #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
  137. /*
  138. * Deterministic signature wrapper
  139. */
  140. int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
  141. const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
  142. mbedtls_md_type_t md_alg )
  143. {
  144. int ret;
  145. mbedtls_hmac_drbg_context rng_ctx;
  146. unsigned char data[2 * MBEDTLS_ECP_MAX_BYTES];
  147. size_t grp_len = ( grp->nbits + 7 ) / 8;
  148. const mbedtls_md_info_t *md_info;
  149. mbedtls_mpi h;
  150. if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
  151. return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
  152. mbedtls_mpi_init( &h );
  153. mbedtls_hmac_drbg_init( &rng_ctx );
  154. /* Use private key and message hash (reduced) to initialize HMAC_DRBG */
  155. MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( d, data, grp_len ) );
  156. MBEDTLS_MPI_CHK( derive_mpi( grp, &h, buf, blen ) );
  157. MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &h, data + grp_len, grp_len ) );
  158. mbedtls_hmac_drbg_seed_buf( &rng_ctx, md_info, data, 2 * grp_len );
  159. ret = mbedtls_ecdsa_sign( grp, r, s, d, buf, blen,
  160. mbedtls_hmac_drbg_random, &rng_ctx );
  161. cleanup:
  162. mbedtls_hmac_drbg_free( &rng_ctx );
  163. mbedtls_mpi_free( &h );
  164. return( ret );
  165. }
  166. #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
  167. /*
  168. * Verify ECDSA signature of hashed message (SEC1 4.1.4)
  169. * Obviously, compared to SEC1 4.1.3, we skip step 2 (hash message)
  170. */
  171. int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
  172. const unsigned char *buf, size_t blen,
  173. const mbedtls_ecp_point *Q, const mbedtls_mpi *r, const mbedtls_mpi *s)
  174. {
  175. int ret;
  176. mbedtls_mpi e, s_inv, u1, u2;
  177. mbedtls_ecp_point R;
  178. mbedtls_ecp_point_init( &R );
  179. mbedtls_mpi_init( &e ); mbedtls_mpi_init( &s_inv ); mbedtls_mpi_init( &u1 ); mbedtls_mpi_init( &u2 );
  180. /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
  181. if( grp->N.p == NULL )
  182. return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
  183. /*
  184. * Step 1: make sure r and s are in range 1..n-1
  185. */
  186. if( mbedtls_mpi_cmp_int( r, 1 ) < 0 || mbedtls_mpi_cmp_mpi( r, &grp->N ) >= 0 ||
  187. mbedtls_mpi_cmp_int( s, 1 ) < 0 || mbedtls_mpi_cmp_mpi( s, &grp->N ) >= 0 )
  188. {
  189. ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
  190. goto cleanup;
  191. }
  192. /*
  193. * Additional precaution: make sure Q is valid
  194. */
  195. MBEDTLS_MPI_CHK( mbedtls_ecp_check_pubkey( grp, Q ) );
  196. /*
  197. * Step 3: derive MPI from hashed message
  198. */
  199. MBEDTLS_MPI_CHK( derive_mpi( grp, &e, buf, blen ) );
  200. /*
  201. * Step 4: u1 = e / s mod n, u2 = r / s mod n
  202. */
  203. MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &s_inv, s, &grp->N ) );
  204. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &u1, &e, &s_inv ) );
  205. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &u1, &u1, &grp->N ) );
  206. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &u2, r, &s_inv ) );
  207. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &u2, &u2, &grp->N ) );
  208. /*
  209. * Step 5: R = u1 G + u2 Q
  210. *
  211. * Since we're not using any secret data, no need to pass a RNG to
  212. * mbedtls_ecp_mul() for countermesures.
  213. */
  214. MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( grp, &R, &u1, &grp->G, &u2, Q ) );
  215. if( mbedtls_ecp_is_zero( &R ) )
  216. {
  217. ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
  218. goto cleanup;
  219. }
  220. /*
  221. * Step 6: convert xR to an integer (no-op)
  222. * Step 7: reduce xR mod n (gives v)
  223. */
  224. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &R.X, &R.X, &grp->N ) );
  225. /*
  226. * Step 8: check if v (that is, R.X) is equal to r
  227. */
  228. if( mbedtls_mpi_cmp_mpi( &R.X, r ) != 0 )
  229. {
  230. ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
  231. goto cleanup;
  232. }
  233. cleanup:
  234. mbedtls_ecp_point_free( &R );
  235. mbedtls_mpi_free( &e ); mbedtls_mpi_free( &s_inv ); mbedtls_mpi_free( &u1 ); mbedtls_mpi_free( &u2 );
  236. return( ret );
  237. }
  238. /*
  239. * Convert a signature (given by context) to ASN.1
  240. */
  241. static int ecdsa_signature_to_asn1( const mbedtls_mpi *r, const mbedtls_mpi *s,
  242. unsigned char *sig, size_t *slen )
  243. {
  244. int ret;
  245. unsigned char buf[MBEDTLS_ECDSA_MAX_LEN];
  246. unsigned char *p = buf + sizeof( buf );
  247. size_t len = 0;
  248. MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &p, buf, s ) );
  249. MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &p, buf, r ) );
  250. MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &p, buf, len ) );
  251. MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &p, buf,
  252. MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
  253. memcpy( sig, p, len );
  254. *slen = len;
  255. return( 0 );
  256. }
  257. /*
  258. * Compute and write signature
  259. */
  260. int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, mbedtls_md_type_t md_alg,
  261. const unsigned char *hash, size_t hlen,
  262. unsigned char *sig, size_t *slen,
  263. int (*f_rng)(void *, unsigned char *, size_t),
  264. void *p_rng )
  265. {
  266. int ret;
  267. mbedtls_mpi r, s;
  268. mbedtls_mpi_init( &r );
  269. mbedtls_mpi_init( &s );
  270. #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
  271. (void) f_rng;
  272. (void) p_rng;
  273. MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign_det( &ctx->grp, &r, &s, &ctx->d,
  274. hash, hlen, md_alg ) );
  275. #else
  276. (void) md_alg;
  277. MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign( &ctx->grp, &r, &s, &ctx->d,
  278. hash, hlen, f_rng, p_rng ) );
  279. #endif
  280. MBEDTLS_MPI_CHK( ecdsa_signature_to_asn1( &r, &s, sig, slen ) );
  281. cleanup:
  282. mbedtls_mpi_free( &r );
  283. mbedtls_mpi_free( &s );
  284. return( ret );
  285. }
  286. #if ! defined(MBEDTLS_DEPRECATED_REMOVED) && \
  287. defined(MBEDTLS_ECDSA_DETERMINISTIC)
  288. int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
  289. const unsigned char *hash, size_t hlen,
  290. unsigned char *sig, size_t *slen,
  291. mbedtls_md_type_t md_alg )
  292. {
  293. return( mbedtls_ecdsa_write_signature( ctx, md_alg, hash, hlen, sig, slen,
  294. NULL, NULL ) );
  295. }
  296. #endif
  297. /*
  298. * Read and check signature
  299. */
  300. int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx,
  301. const unsigned char *hash, size_t hlen,
  302. const unsigned char *sig, size_t slen )
  303. {
  304. int ret;
  305. unsigned char *p = (unsigned char *) sig;
  306. const unsigned char *end = sig + slen;
  307. size_t len;
  308. mbedtls_mpi r, s;
  309. mbedtls_mpi_init( &r );
  310. mbedtls_mpi_init( &s );
  311. if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
  312. MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
  313. {
  314. ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
  315. goto cleanup;
  316. }
  317. if( p + len != end )
  318. {
  319. ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA +
  320. MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
  321. goto cleanup;
  322. }
  323. if( ( ret = mbedtls_asn1_get_mpi( &p, end, &r ) ) != 0 ||
  324. ( ret = mbedtls_asn1_get_mpi( &p, end, &s ) ) != 0 )
  325. {
  326. ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
  327. goto cleanup;
  328. }
  329. if( ( ret = mbedtls_ecdsa_verify( &ctx->grp, hash, hlen,
  330. &ctx->Q, &r, &s ) ) != 0 )
  331. goto cleanup;
  332. if( p != end )
  333. ret = MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH;
  334. cleanup:
  335. mbedtls_mpi_free( &r );
  336. mbedtls_mpi_free( &s );
  337. return( ret );
  338. }
  339. /*
  340. * Generate key pair
  341. */
  342. int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
  343. int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
  344. {
  345. return( mbedtls_ecp_group_load( &ctx->grp, gid ) ||
  346. mbedtls_ecp_gen_keypair( &ctx->grp, &ctx->d, &ctx->Q, f_rng, p_rng ) );
  347. }
  348. /*
  349. * Set context from an mbedtls_ecp_keypair
  350. */
  351. int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key )
  352. {
  353. int ret;
  354. if( ( ret = mbedtls_ecp_group_copy( &ctx->grp, &key->grp ) ) != 0 ||
  355. ( ret = mbedtls_mpi_copy( &ctx->d, &key->d ) ) != 0 ||
  356. ( ret = mbedtls_ecp_copy( &ctx->Q, &key->Q ) ) != 0 )
  357. {
  358. mbedtls_ecdsa_free( ctx );
  359. }
  360. return( ret );
  361. }
  362. /*
  363. * Initialize context
  364. */
  365. void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx )
  366. {
  367. mbedtls_ecp_keypair_init( ctx );
  368. }
  369. /*
  370. * Free context
  371. */
  372. void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx )
  373. {
  374. mbedtls_ecp_keypair_free( ctx );
  375. }
  376. #endif /* MBEDTLS_ECDSA_C */