1 /* 2 * Elliptic curve DSA 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 20 /* 21 * References: 22 * 23 * SEC1 http://www.secg.org/index.php?action=secg,docs_secg 24 */ 25 26 #include "common.h" 27 28 #if defined(MBEDTLS_ECDSA_C) 29 30 #include "mbedtls/ecdsa.h" 31 #include "mbedtls/asn1write.h" 32 33 #include <string.h> 34 35 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) 36 #include "mbedtls/hmac_drbg.h" 37 #endif 38 39 #if defined(MBEDTLS_PLATFORM_C) 40 #include "mbedtls/platform.h" 41 #else 42 #include <stdlib.h> 43 #define mbedtls_calloc calloc 44 #define mbedtls_free free 45 #endif 46 47 #include "mbedtls/platform_util.h" 48 #include "mbedtls/error.h" 49 50 /* Parameter validation macros based on platform_util.h */ 51 #define ECDSA_VALIDATE_RET( cond ) \ 52 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA ) 53 #define ECDSA_VALIDATE( cond ) \ 54 MBEDTLS_INTERNAL_VALIDATE( cond ) 55 56 #if defined(MBEDTLS_ECP_RESTARTABLE) 57 58 /* 59 * Sub-context for ecdsa_verify() 60 */ 61 struct mbedtls_ecdsa_restart_ver 62 { 63 mbedtls_mpi u1, u2; /* intermediate values */ 64 enum { /* what to do next? */ 65 ecdsa_ver_init = 0, /* getting started */ 66 ecdsa_ver_muladd, /* muladd step */ 67 } state; 68 }; 69 70 /* 71 * Init verify restart sub-context 72 */ 73 static void ecdsa_restart_ver_init( mbedtls_ecdsa_restart_ver_ctx *ctx ) 74 { 75 mbedtls_mpi_init( &ctx->u1 ); 76 mbedtls_mpi_init( &ctx->u2 ); 77 ctx->state = ecdsa_ver_init; 78 } 79 80 /* 81 * Free the components of a verify restart sub-context 82 */ 83 static void ecdsa_restart_ver_free( mbedtls_ecdsa_restart_ver_ctx *ctx ) 84 { 85 if( ctx == NULL ) 86 return; 87 88 mbedtls_mpi_free( &ctx->u1 ); 89 mbedtls_mpi_free( &ctx->u2 ); 90 91 ecdsa_restart_ver_init( ctx ); 92 } 93 94 /* 95 * Sub-context for ecdsa_sign() 96 */ 97 struct mbedtls_ecdsa_restart_sig 98 { 99 int sign_tries; 100 int key_tries; 101 mbedtls_mpi k; /* per-signature random */ 102 mbedtls_mpi r; /* r value */ 103 enum { /* what to do next? */ 104 ecdsa_sig_init = 0, /* getting started */ 105 ecdsa_sig_mul, /* doing ecp_mul() */ 106 ecdsa_sig_modn, /* mod N computations */ 107 } state; 108 }; 109 110 /* 111 * Init verify sign sub-context 112 */ 113 static void ecdsa_restart_sig_init( mbedtls_ecdsa_restart_sig_ctx *ctx ) 114 { 115 ctx->sign_tries = 0; 116 ctx->key_tries = 0; 117 mbedtls_mpi_init( &ctx->k ); 118 mbedtls_mpi_init( &ctx->r ); 119 ctx->state = ecdsa_sig_init; 120 } 121 122 /* 123 * Free the components of a sign restart sub-context 124 */ 125 static void ecdsa_restart_sig_free( mbedtls_ecdsa_restart_sig_ctx *ctx ) 126 { 127 if( ctx == NULL ) 128 return; 129 130 mbedtls_mpi_free( &ctx->k ); 131 mbedtls_mpi_free( &ctx->r ); 132 } 133 134 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) 135 /* 136 * Sub-context for ecdsa_sign_det() 137 */ 138 struct mbedtls_ecdsa_restart_det 139 { 140 mbedtls_hmac_drbg_context rng_ctx; /* DRBG state */ 141 enum { /* what to do next? */ 142 ecdsa_det_init = 0, /* getting started */ 143 ecdsa_det_sign, /* make signature */ 144 } state; 145 }; 146 147 /* 148 * Init verify sign_det sub-context 149 */ 150 static void ecdsa_restart_det_init( mbedtls_ecdsa_restart_det_ctx *ctx ) 151 { 152 mbedtls_hmac_drbg_init( &ctx->rng_ctx ); 153 ctx->state = ecdsa_det_init; 154 } 155 156 /* 157 * Free the components of a sign_det restart sub-context 158 */ 159 static void ecdsa_restart_det_free( mbedtls_ecdsa_restart_det_ctx *ctx ) 160 { 161 if( ctx == NULL ) 162 return; 163 164 mbedtls_hmac_drbg_free( &ctx->rng_ctx ); 165 166 ecdsa_restart_det_init( ctx ); 167 } 168 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ 169 170 #define ECDSA_RS_ECP ( rs_ctx == NULL ? NULL : &rs_ctx->ecp ) 171 172 /* Utility macro for checking and updating ops budget */ 173 #define ECDSA_BUDGET( ops ) \ 174 MBEDTLS_MPI_CHK( mbedtls_ecp_check_budget( grp, ECDSA_RS_ECP, ops ) ); 175 176 /* Call this when entering a function that needs its own sub-context */ 177 #define ECDSA_RS_ENTER( SUB ) do { \ 178 /* reset ops count for this call if top-level */ \ 179 if( rs_ctx != NULL && rs_ctx->ecp.depth++ == 0 ) \ 180 rs_ctx->ecp.ops_done = 0; \ 181 \ 182 /* set up our own sub-context if needed */ \ 183 if( mbedtls_ecp_restart_is_enabled() && \ 184 rs_ctx != NULL && rs_ctx->SUB == NULL ) \ 185 { \ 186 rs_ctx->SUB = mbedtls_calloc( 1, sizeof( *rs_ctx->SUB ) ); \ 187 if( rs_ctx->SUB == NULL ) \ 188 return( MBEDTLS_ERR_ECP_ALLOC_FAILED ); \ 189 \ 190 ecdsa_restart_## SUB ##_init( rs_ctx->SUB ); \ 191 } \ 192 } while( 0 ) 193 194 /* Call this when leaving a function that needs its own sub-context */ 195 #define ECDSA_RS_LEAVE( SUB ) do { \ 196 /* clear our sub-context when not in progress (done or error) */ \ 197 if( rs_ctx != NULL && rs_ctx->SUB != NULL && \ 198 ret != MBEDTLS_ERR_ECP_IN_PROGRESS ) \ 199 { \ 200 ecdsa_restart_## SUB ##_free( rs_ctx->SUB ); \ 201 mbedtls_free( rs_ctx->SUB ); \ 202 rs_ctx->SUB = NULL; \ 203 } \ 204 \ 205 if( rs_ctx != NULL ) \ 206 rs_ctx->ecp.depth--; \ 207 } while( 0 ) 208 209 #else /* MBEDTLS_ECP_RESTARTABLE */ 210 211 #define ECDSA_RS_ECP NULL 212 213 #define ECDSA_BUDGET( ops ) /* no-op; for compatibility */ 214 215 #define ECDSA_RS_ENTER( SUB ) (void) rs_ctx 216 #define ECDSA_RS_LEAVE( SUB ) (void) rs_ctx 217 218 #endif /* MBEDTLS_ECP_RESTARTABLE */ 219 220 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) || \ 221 !defined(MBEDTLS_ECDSA_SIGN_ALT) || \ 222 !defined(MBEDTLS_ECDSA_VERIFY_ALT) 223 /* 224 * Derive a suitable integer for group grp from a buffer of length len 225 * SEC1 4.1.3 step 5 aka SEC1 4.1.4 step 3 226 */ 227 static int derive_mpi( const mbedtls_ecp_group *grp, mbedtls_mpi *x, 228 const unsigned char *buf, size_t blen ) 229 { 230 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 231 size_t n_size = ( grp->nbits + 7 ) / 8; 232 size_t use_size = blen > n_size ? n_size : blen; 233 234 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( x, buf, use_size ) ); 235 if( use_size * 8 > grp->nbits ) 236 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( x, use_size * 8 - grp->nbits ) ); 237 238 /* While at it, reduce modulo N */ 239 if( mbedtls_mpi_cmp_mpi( x, &grp->N ) >= 0 ) 240 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( x, x, &grp->N ) ); 241 242 cleanup: 243 return( ret ); 244 } 245 #endif /* ECDSA_DETERMINISTIC || !ECDSA_SIGN_ALT || !ECDSA_VERIFY_ALT */ 246 247 #if !defined(MBEDTLS_ECDSA_SIGN_ALT) 248 /* 249 * Compute ECDSA signature of a hashed message (SEC1 4.1.3) 250 * Obviously, compared to SEC1 4.1.3, we skip step 4 (hash message) 251 */ 252 static int ecdsa_sign_restartable( mbedtls_ecp_group *grp, 253 mbedtls_mpi *r, mbedtls_mpi *s, 254 const mbedtls_mpi *d, const unsigned char *buf, size_t blen, 255 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, 256 int (*f_rng_blind)(void *, unsigned char *, size_t), 257 void *p_rng_blind, 258 mbedtls_ecdsa_restart_ctx *rs_ctx ) 259 { 260 int ret, key_tries, sign_tries; 261 int *p_sign_tries = &sign_tries, *p_key_tries = &key_tries; 262 mbedtls_ecp_point R; 263 mbedtls_mpi k, e, t; 264 mbedtls_mpi *pk = &k, *pr = r; 265 266 /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */ 267 if( ! mbedtls_ecdsa_can_do( grp->id ) || grp->N.p == NULL ) 268 return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); 269 270 /* Make sure d is in range 1..n-1 */ 271 if( mbedtls_mpi_cmp_int( d, 1 ) < 0 || mbedtls_mpi_cmp_mpi( d, &grp->N ) >= 0 ) 272 return( MBEDTLS_ERR_ECP_INVALID_KEY ); 273 274 mbedtls_ecp_point_init( &R ); 275 mbedtls_mpi_init( &k ); mbedtls_mpi_init( &e ); mbedtls_mpi_init( &t ); 276 277 ECDSA_RS_ENTER( sig ); 278 279 #if defined(MBEDTLS_ECP_RESTARTABLE) 280 if( rs_ctx != NULL && rs_ctx->sig != NULL ) 281 { 282 /* redirect to our context */ 283 p_sign_tries = &rs_ctx->sig->sign_tries; 284 p_key_tries = &rs_ctx->sig->key_tries; 285 pk = &rs_ctx->sig->k; 286 pr = &rs_ctx->sig->r; 287 288 /* jump to current step */ 289 if( rs_ctx->sig->state == ecdsa_sig_mul ) 290 goto mul; 291 if( rs_ctx->sig->state == ecdsa_sig_modn ) 292 goto modn; 293 } 294 #endif /* MBEDTLS_ECP_RESTARTABLE */ 295 296 *p_sign_tries = 0; 297 do 298 { 299 if( (*p_sign_tries)++ > 10 ) 300 { 301 ret = MBEDTLS_ERR_ECP_RANDOM_FAILED; 302 goto cleanup; 303 } 304 305 /* 306 * Steps 1-3: generate a suitable ephemeral keypair 307 * and set r = xR mod n 308 */ 309 *p_key_tries = 0; 310 do 311 { 312 if( (*p_key_tries)++ > 10 ) 313 { 314 ret = MBEDTLS_ERR_ECP_RANDOM_FAILED; 315 goto cleanup; 316 } 317 318 MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, pk, f_rng, p_rng ) ); 319 320 #if defined(MBEDTLS_ECP_RESTARTABLE) 321 if( rs_ctx != NULL && rs_ctx->sig != NULL ) 322 rs_ctx->sig->state = ecdsa_sig_mul; 323 324 mul: 325 #endif 326 MBEDTLS_MPI_CHK( mbedtls_ecp_mul_restartable( grp, &R, pk, &grp->G, 327 f_rng_blind, 328 p_rng_blind, 329 ECDSA_RS_ECP ) ); 330 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pr, &R.X, &grp->N ) ); 331 } 332 while( mbedtls_mpi_cmp_int( pr, 0 ) == 0 ); 333 334 #if defined(MBEDTLS_ECP_RESTARTABLE) 335 if( rs_ctx != NULL && rs_ctx->sig != NULL ) 336 rs_ctx->sig->state = ecdsa_sig_modn; 337 338 modn: 339 #endif 340 /* 341 * Accounting for everything up to the end of the loop 342 * (step 6, but checking now avoids saving e and t) 343 */ 344 ECDSA_BUDGET( MBEDTLS_ECP_OPS_INV + 4 ); 345 346 /* 347 * Step 5: derive MPI from hashed message 348 */ 349 MBEDTLS_MPI_CHK( derive_mpi( grp, &e, buf, blen ) ); 350 351 /* 352 * Generate a random value to blind inv_mod in next step, 353 * avoiding a potential timing leak. 354 */ 355 MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, &t, f_rng_blind, 356 p_rng_blind ) ); 357 358 /* 359 * Step 6: compute s = (e + r * d) / k = t (e + rd) / (kt) mod n 360 */ 361 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, pr, d ) ); 362 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &e, &e, s ) ); 363 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &e, &e, &t ) ); 364 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pk, pk, &t ) ); 365 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pk, pk, &grp->N ) ); 366 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, pk, &grp->N ) ); 367 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) ); 368 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) ); 369 } 370 while( mbedtls_mpi_cmp_int( s, 0 ) == 0 ); 371 372 #if defined(MBEDTLS_ECP_RESTARTABLE) 373 if( rs_ctx != NULL && rs_ctx->sig != NULL ) 374 mbedtls_mpi_copy( r, pr ); 375 #endif 376 377 cleanup: 378 mbedtls_ecp_point_free( &R ); 379 mbedtls_mpi_free( &k ); mbedtls_mpi_free( &e ); mbedtls_mpi_free( &t ); 380 381 ECDSA_RS_LEAVE( sig ); 382 383 return( ret ); 384 } 385 386 int mbedtls_ecdsa_can_do( mbedtls_ecp_group_id gid ) 387 { 388 switch( gid ) 389 { 390 #ifdef MBEDTLS_ECP_DP_CURVE25519_ENABLED 391 case MBEDTLS_ECP_DP_CURVE25519: return 0; 392 #endif 393 #ifdef MBEDTLS_ECP_DP_CURVE448_ENABLED 394 case MBEDTLS_ECP_DP_CURVE448: return 0; 395 #endif 396 default: return 1; 397 } 398 } 399 400 /* 401 * Compute ECDSA signature of a hashed message 402 */ 403 int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, 404 const mbedtls_mpi *d, const unsigned char *buf, size_t blen, 405 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 406 { 407 ECDSA_VALIDATE_RET( grp != NULL ); 408 ECDSA_VALIDATE_RET( r != NULL ); 409 ECDSA_VALIDATE_RET( s != NULL ); 410 ECDSA_VALIDATE_RET( d != NULL ); 411 ECDSA_VALIDATE_RET( f_rng != NULL ); 412 ECDSA_VALIDATE_RET( buf != NULL || blen == 0 ); 413 414 /* Use the same RNG for both blinding and ephemeral key generation */ 415 return( ecdsa_sign_restartable( grp, r, s, d, buf, blen, 416 f_rng, p_rng, f_rng, p_rng, NULL ) ); 417 } 418 #endif /* !MBEDTLS_ECDSA_SIGN_ALT */ 419 420 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) 421 /* 422 * Deterministic signature wrapper 423 */ 424 static int ecdsa_sign_det_restartable( mbedtls_ecp_group *grp, 425 mbedtls_mpi *r, mbedtls_mpi *s, 426 const mbedtls_mpi *d, const unsigned char *buf, size_t blen, 427 mbedtls_md_type_t md_alg, 428 int (*f_rng_blind)(void *, unsigned char *, size_t), 429 void *p_rng_blind, 430 mbedtls_ecdsa_restart_ctx *rs_ctx ) 431 { 432 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 433 mbedtls_hmac_drbg_context rng_ctx; 434 mbedtls_hmac_drbg_context *p_rng = &rng_ctx; 435 unsigned char data[2 * MBEDTLS_ECP_MAX_BYTES]; 436 size_t grp_len = ( grp->nbits + 7 ) / 8; 437 const mbedtls_md_info_t *md_info; 438 mbedtls_mpi h; 439 440 if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL ) 441 return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); 442 443 mbedtls_mpi_init( &h ); 444 mbedtls_hmac_drbg_init( &rng_ctx ); 445 446 ECDSA_RS_ENTER( det ); 447 448 #if defined(MBEDTLS_ECP_RESTARTABLE) 449 if( rs_ctx != NULL && rs_ctx->det != NULL ) 450 { 451 /* redirect to our context */ 452 p_rng = &rs_ctx->det->rng_ctx; 453 454 /* jump to current step */ 455 if( rs_ctx->det->state == ecdsa_det_sign ) 456 goto sign; 457 } 458 #endif /* MBEDTLS_ECP_RESTARTABLE */ 459 460 /* Use private key and message hash (reduced) to initialize HMAC_DRBG */ 461 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( d, data, grp_len ) ); 462 MBEDTLS_MPI_CHK( derive_mpi( grp, &h, buf, blen ) ); 463 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &h, data + grp_len, grp_len ) ); 464 mbedtls_hmac_drbg_seed_buf( p_rng, md_info, data, 2 * grp_len ); 465 466 #if defined(MBEDTLS_ECP_RESTARTABLE) 467 if( rs_ctx != NULL && rs_ctx->det != NULL ) 468 rs_ctx->det->state = ecdsa_det_sign; 469 470 sign: 471 #endif 472 #if defined(MBEDTLS_ECDSA_SIGN_ALT) 473 (void) f_rng_blind; 474 (void) p_rng_blind; 475 ret = mbedtls_ecdsa_sign( grp, r, s, d, buf, blen, 476 mbedtls_hmac_drbg_random, p_rng ); 477 #else 478 if( f_rng_blind != NULL ) 479 ret = ecdsa_sign_restartable( grp, r, s, d, buf, blen, 480 mbedtls_hmac_drbg_random, p_rng, 481 f_rng_blind, p_rng_blind, rs_ctx ); 482 else 483 { 484 mbedtls_hmac_drbg_context *p_rng_blind_det; 485 486 #if !defined(MBEDTLS_ECP_RESTARTABLE) 487 /* 488 * To avoid reusing rng_ctx and risking incorrect behavior we seed a 489 * second HMAC-DRBG with the same seed. We also apply a label to avoid 490 * reusing the bits of the ephemeral key for blinding and eliminate the 491 * risk that they leak this way. 492 */ 493 const char* blind_label = "BLINDING CONTEXT"; 494 mbedtls_hmac_drbg_context rng_ctx_blind; 495 496 mbedtls_hmac_drbg_init( &rng_ctx_blind ); 497 p_rng_blind_det = &rng_ctx_blind; 498 mbedtls_hmac_drbg_seed_buf( p_rng_blind_det, md_info, 499 data, 2 * grp_len ); 500 ret = mbedtls_hmac_drbg_update_ret( p_rng_blind_det, 501 (const unsigned char*) blind_label, 502 strlen( blind_label ) ); 503 if( ret != 0 ) 504 { 505 mbedtls_hmac_drbg_free( &rng_ctx_blind ); 506 goto cleanup; 507 } 508 #else 509 /* 510 * In the case of restartable computations we would either need to store 511 * the second RNG in the restart context too or set it up at every 512 * restart. The first option would penalize the correct application of 513 * the function and the second would defeat the purpose of the 514 * restartable feature. 515 * 516 * Therefore in this case we reuse the original RNG. This comes with the 517 * price that the resulting signature might not be a valid deterministic 518 * ECDSA signature with a very low probability (same magnitude as 519 * successfully guessing the private key). However even then it is still 520 * a valid ECDSA signature. 521 */ 522 p_rng_blind_det = p_rng; 523 #endif /* MBEDTLS_ECP_RESTARTABLE */ 524 525 /* 526 * Since the output of the RNGs is always the same for the same key and 527 * message, this limits the efficiency of blinding and leaks information 528 * through side channels. After mbedtls_ecdsa_sign_det() is removed NULL 529 * won't be a valid value for f_rng_blind anymore. Therefore it should 530 * be checked by the caller and this branch and check can be removed. 531 */ 532 ret = ecdsa_sign_restartable( grp, r, s, d, buf, blen, 533 mbedtls_hmac_drbg_random, p_rng, 534 mbedtls_hmac_drbg_random, p_rng_blind_det, 535 rs_ctx ); 536 537 #if !defined(MBEDTLS_ECP_RESTARTABLE) 538 mbedtls_hmac_drbg_free( &rng_ctx_blind ); 539 #endif 540 } 541 #endif /* MBEDTLS_ECDSA_SIGN_ALT */ 542 543 cleanup: 544 mbedtls_hmac_drbg_free( &rng_ctx ); 545 mbedtls_mpi_free( &h ); 546 547 ECDSA_RS_LEAVE( det ); 548 549 return( ret ); 550 } 551 552 /* 553 * Deterministic signature wrappers 554 */ 555 556 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 557 int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, 558 mbedtls_mpi *s, const mbedtls_mpi *d, 559 const unsigned char *buf, size_t blen, 560 mbedtls_md_type_t md_alg ) 561 { 562 ECDSA_VALIDATE_RET( grp != NULL ); 563 ECDSA_VALIDATE_RET( r != NULL ); 564 ECDSA_VALIDATE_RET( s != NULL ); 565 ECDSA_VALIDATE_RET( d != NULL ); 566 ECDSA_VALIDATE_RET( buf != NULL || blen == 0 ); 567 568 return( ecdsa_sign_det_restartable( grp, r, s, d, buf, blen, md_alg, 569 NULL, NULL, NULL ) ); 570 } 571 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 572 573 int mbedtls_ecdsa_sign_det_ext( mbedtls_ecp_group *grp, mbedtls_mpi *r, 574 mbedtls_mpi *s, const mbedtls_mpi *d, 575 const unsigned char *buf, size_t blen, 576 mbedtls_md_type_t md_alg, 577 int (*f_rng_blind)(void *, unsigned char *, 578 size_t), 579 void *p_rng_blind ) 580 { 581 ECDSA_VALIDATE_RET( grp != NULL ); 582 ECDSA_VALIDATE_RET( r != NULL ); 583 ECDSA_VALIDATE_RET( s != NULL ); 584 ECDSA_VALIDATE_RET( d != NULL ); 585 ECDSA_VALIDATE_RET( buf != NULL || blen == 0 ); 586 ECDSA_VALIDATE_RET( f_rng_blind != NULL ); 587 588 return( ecdsa_sign_det_restartable( grp, r, s, d, buf, blen, md_alg, 589 f_rng_blind, p_rng_blind, NULL ) ); 590 } 591 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ 592 593 #if !defined(MBEDTLS_ECDSA_VERIFY_ALT) 594 /* 595 * Verify ECDSA signature of hashed message (SEC1 4.1.4) 596 * Obviously, compared to SEC1 4.1.3, we skip step 2 (hash message) 597 */ 598 static int ecdsa_verify_restartable( mbedtls_ecp_group *grp, 599 const unsigned char *buf, size_t blen, 600 const mbedtls_ecp_point *Q, 601 const mbedtls_mpi *r, const mbedtls_mpi *s, 602 mbedtls_ecdsa_restart_ctx *rs_ctx ) 603 { 604 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 605 mbedtls_mpi e, s_inv, u1, u2; 606 mbedtls_ecp_point R; 607 mbedtls_mpi *pu1 = &u1, *pu2 = &u2; 608 609 mbedtls_ecp_point_init( &R ); 610 mbedtls_mpi_init( &e ); mbedtls_mpi_init( &s_inv ); 611 mbedtls_mpi_init( &u1 ); mbedtls_mpi_init( &u2 ); 612 613 /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */ 614 if( ! mbedtls_ecdsa_can_do( grp->id ) || grp->N.p == NULL ) 615 return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); 616 617 ECDSA_RS_ENTER( ver ); 618 619 #if defined(MBEDTLS_ECP_RESTARTABLE) 620 if( rs_ctx != NULL && rs_ctx->ver != NULL ) 621 { 622 /* redirect to our context */ 623 pu1 = &rs_ctx->ver->u1; 624 pu2 = &rs_ctx->ver->u2; 625 626 /* jump to current step */ 627 if( rs_ctx->ver->state == ecdsa_ver_muladd ) 628 goto muladd; 629 } 630 #endif /* MBEDTLS_ECP_RESTARTABLE */ 631 632 /* 633 * Step 1: make sure r and s are in range 1..n-1 634 */ 635 if( mbedtls_mpi_cmp_int( r, 1 ) < 0 || mbedtls_mpi_cmp_mpi( r, &grp->N ) >= 0 || 636 mbedtls_mpi_cmp_int( s, 1 ) < 0 || mbedtls_mpi_cmp_mpi( s, &grp->N ) >= 0 ) 637 { 638 ret = MBEDTLS_ERR_ECP_VERIFY_FAILED; 639 goto cleanup; 640 } 641 642 /* 643 * Step 3: derive MPI from hashed message 644 */ 645 MBEDTLS_MPI_CHK( derive_mpi( grp, &e, buf, blen ) ); 646 647 /* 648 * Step 4: u1 = e / s mod n, u2 = r / s mod n 649 */ 650 ECDSA_BUDGET( MBEDTLS_ECP_OPS_CHK + MBEDTLS_ECP_OPS_INV + 2 ); 651 652 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &s_inv, s, &grp->N ) ); 653 654 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pu1, &e, &s_inv ) ); 655 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pu1, pu1, &grp->N ) ); 656 657 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pu2, r, &s_inv ) ); 658 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pu2, pu2, &grp->N ) ); 659 660 #if defined(MBEDTLS_ECP_RESTARTABLE) 661 if( rs_ctx != NULL && rs_ctx->ver != NULL ) 662 rs_ctx->ver->state = ecdsa_ver_muladd; 663 664 muladd: 665 #endif 666 /* 667 * Step 5: R = u1 G + u2 Q 668 */ 669 MBEDTLS_MPI_CHK( mbedtls_ecp_muladd_restartable( grp, 670 &R, pu1, &grp->G, pu2, Q, ECDSA_RS_ECP ) ); 671 672 if( mbedtls_ecp_is_zero( &R ) ) 673 { 674 ret = MBEDTLS_ERR_ECP_VERIFY_FAILED; 675 goto cleanup; 676 } 677 678 /* 679 * Step 6: convert xR to an integer (no-op) 680 * Step 7: reduce xR mod n (gives v) 681 */ 682 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &R.X, &R.X, &grp->N ) ); 683 684 /* 685 * Step 8: check if v (that is, R.X) is equal to r 686 */ 687 if( mbedtls_mpi_cmp_mpi( &R.X, r ) != 0 ) 688 { 689 ret = MBEDTLS_ERR_ECP_VERIFY_FAILED; 690 goto cleanup; 691 } 692 693 cleanup: 694 mbedtls_ecp_point_free( &R ); 695 mbedtls_mpi_free( &e ); mbedtls_mpi_free( &s_inv ); 696 mbedtls_mpi_free( &u1 ); mbedtls_mpi_free( &u2 ); 697 698 ECDSA_RS_LEAVE( ver ); 699 700 return( ret ); 701 } 702 703 /* 704 * Verify ECDSA signature of hashed message 705 */ 706 int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp, 707 const unsigned char *buf, size_t blen, 708 const mbedtls_ecp_point *Q, 709 const mbedtls_mpi *r, 710 const mbedtls_mpi *s) 711 { 712 ECDSA_VALIDATE_RET( grp != NULL ); 713 ECDSA_VALIDATE_RET( Q != NULL ); 714 ECDSA_VALIDATE_RET( r != NULL ); 715 ECDSA_VALIDATE_RET( s != NULL ); 716 ECDSA_VALIDATE_RET( buf != NULL || blen == 0 ); 717 718 return( ecdsa_verify_restartable( grp, buf, blen, Q, r, s, NULL ) ); 719 } 720 #endif /* !MBEDTLS_ECDSA_VERIFY_ALT */ 721 722 /* 723 * Convert a signature (given by context) to ASN.1 724 */ 725 static int ecdsa_signature_to_asn1( const mbedtls_mpi *r, const mbedtls_mpi *s, 726 unsigned char *sig, size_t *slen ) 727 { 728 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 729 unsigned char buf[MBEDTLS_ECDSA_MAX_LEN] = {0}; 730 unsigned char *p = buf + sizeof( buf ); 731 size_t len = 0; 732 733 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &p, buf, s ) ); 734 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &p, buf, r ) ); 735 736 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &p, buf, len ) ); 737 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &p, buf, 738 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ); 739 740 memcpy( sig, p, len ); 741 *slen = len; 742 743 return( 0 ); 744 } 745 746 /* 747 * Compute and write signature 748 */ 749 int mbedtls_ecdsa_write_signature_restartable( mbedtls_ecdsa_context *ctx, 750 mbedtls_md_type_t md_alg, 751 const unsigned char *hash, size_t hlen, 752 unsigned char *sig, size_t *slen, 753 int (*f_rng)(void *, unsigned char *, size_t), 754 void *p_rng, 755 mbedtls_ecdsa_restart_ctx *rs_ctx ) 756 { 757 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 758 mbedtls_mpi r, s; 759 ECDSA_VALIDATE_RET( ctx != NULL ); 760 ECDSA_VALIDATE_RET( hash != NULL ); 761 ECDSA_VALIDATE_RET( sig != NULL ); 762 ECDSA_VALIDATE_RET( slen != NULL ); 763 764 mbedtls_mpi_init( &r ); 765 mbedtls_mpi_init( &s ); 766 767 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) 768 MBEDTLS_MPI_CHK( ecdsa_sign_det_restartable( &ctx->grp, &r, &s, &ctx->d, 769 hash, hlen, md_alg, f_rng, 770 p_rng, rs_ctx ) ); 771 #else 772 (void) md_alg; 773 774 #if defined(MBEDTLS_ECDSA_SIGN_ALT) 775 (void) rs_ctx; 776 777 MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign( &ctx->grp, &r, &s, &ctx->d, 778 hash, hlen, f_rng, p_rng ) ); 779 #else 780 /* Use the same RNG for both blinding and ephemeral key generation */ 781 MBEDTLS_MPI_CHK( ecdsa_sign_restartable( &ctx->grp, &r, &s, &ctx->d, 782 hash, hlen, f_rng, p_rng, f_rng, 783 p_rng, rs_ctx ) ); 784 #endif /* MBEDTLS_ECDSA_SIGN_ALT */ 785 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ 786 787 MBEDTLS_MPI_CHK( ecdsa_signature_to_asn1( &r, &s, sig, slen ) ); 788 789 cleanup: 790 mbedtls_mpi_free( &r ); 791 mbedtls_mpi_free( &s ); 792 793 return( ret ); 794 } 795 796 /* 797 * Compute and write signature 798 */ 799 int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, 800 mbedtls_md_type_t md_alg, 801 const unsigned char *hash, size_t hlen, 802 unsigned char *sig, size_t *slen, 803 int (*f_rng)(void *, unsigned char *, size_t), 804 void *p_rng ) 805 { 806 ECDSA_VALIDATE_RET( ctx != NULL ); 807 ECDSA_VALIDATE_RET( hash != NULL ); 808 ECDSA_VALIDATE_RET( sig != NULL ); 809 ECDSA_VALIDATE_RET( slen != NULL ); 810 return( mbedtls_ecdsa_write_signature_restartable( 811 ctx, md_alg, hash, hlen, sig, slen, f_rng, p_rng, NULL ) ); 812 } 813 814 #if !defined(MBEDTLS_DEPRECATED_REMOVED) && \ 815 defined(MBEDTLS_ECDSA_DETERMINISTIC) 816 int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx, 817 const unsigned char *hash, size_t hlen, 818 unsigned char *sig, size_t *slen, 819 mbedtls_md_type_t md_alg ) 820 { 821 ECDSA_VALIDATE_RET( ctx != NULL ); 822 ECDSA_VALIDATE_RET( hash != NULL ); 823 ECDSA_VALIDATE_RET( sig != NULL ); 824 ECDSA_VALIDATE_RET( slen != NULL ); 825 return( mbedtls_ecdsa_write_signature( ctx, md_alg, hash, hlen, sig, slen, 826 NULL, NULL ) ); 827 } 828 #endif 829 830 /* 831 * Read and check signature 832 */ 833 int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx, 834 const unsigned char *hash, size_t hlen, 835 const unsigned char *sig, size_t slen ) 836 { 837 ECDSA_VALIDATE_RET( ctx != NULL ); 838 ECDSA_VALIDATE_RET( hash != NULL ); 839 ECDSA_VALIDATE_RET( sig != NULL ); 840 return( mbedtls_ecdsa_read_signature_restartable( 841 ctx, hash, hlen, sig, slen, NULL ) ); 842 } 843 844 /* 845 * Restartable read and check signature 846 */ 847 int mbedtls_ecdsa_read_signature_restartable( mbedtls_ecdsa_context *ctx, 848 const unsigned char *hash, size_t hlen, 849 const unsigned char *sig, size_t slen, 850 mbedtls_ecdsa_restart_ctx *rs_ctx ) 851 { 852 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 853 unsigned char *p = (unsigned char *) sig; 854 const unsigned char *end = sig + slen; 855 size_t len; 856 mbedtls_mpi r, s; 857 ECDSA_VALIDATE_RET( ctx != NULL ); 858 ECDSA_VALIDATE_RET( hash != NULL ); 859 ECDSA_VALIDATE_RET( sig != NULL ); 860 861 mbedtls_mpi_init( &r ); 862 mbedtls_mpi_init( &s ); 863 864 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 865 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 866 { 867 ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA; 868 goto cleanup; 869 } 870 871 if( p + len != end ) 872 { 873 ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 874 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 875 goto cleanup; 876 } 877 878 if( ( ret = mbedtls_asn1_get_mpi( &p, end, &r ) ) != 0 || 879 ( ret = mbedtls_asn1_get_mpi( &p, end, &s ) ) != 0 ) 880 { 881 ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA; 882 goto cleanup; 883 } 884 #if defined(MBEDTLS_ECDSA_VERIFY_ALT) 885 (void) rs_ctx; 886 887 if( ( ret = mbedtls_ecdsa_verify( &ctx->grp, hash, hlen, 888 &ctx->Q, &r, &s ) ) != 0 ) 889 goto cleanup; 890 #else 891 if( ( ret = ecdsa_verify_restartable( &ctx->grp, hash, hlen, 892 &ctx->Q, &r, &s, rs_ctx ) ) != 0 ) 893 goto cleanup; 894 #endif /* MBEDTLS_ECDSA_VERIFY_ALT */ 895 896 /* At this point we know that the buffer starts with a valid signature. 897 * Return 0 if the buffer just contains the signature, and a specific 898 * error code if the valid signature is followed by more data. */ 899 if( p != end ) 900 ret = MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH; 901 902 cleanup: 903 mbedtls_mpi_free( &r ); 904 mbedtls_mpi_free( &s ); 905 906 return( ret ); 907 } 908 909 #if !defined(MBEDTLS_ECDSA_GENKEY_ALT) 910 /* 911 * Generate key pair 912 */ 913 int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid, 914 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 915 { 916 int ret = 0; 917 ECDSA_VALIDATE_RET( ctx != NULL ); 918 ECDSA_VALIDATE_RET( f_rng != NULL ); 919 920 ret = mbedtls_ecp_group_load( &ctx->grp, gid ); 921 if( ret != 0 ) 922 return( ret ); 923 924 return( mbedtls_ecp_gen_keypair( &ctx->grp, &ctx->d, 925 &ctx->Q, f_rng, p_rng ) ); 926 } 927 #endif /* !MBEDTLS_ECDSA_GENKEY_ALT */ 928 929 /* 930 * Set context from an mbedtls_ecp_keypair 931 */ 932 int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key ) 933 { 934 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 935 ECDSA_VALIDATE_RET( ctx != NULL ); 936 ECDSA_VALIDATE_RET( key != NULL ); 937 938 if( ( ret = mbedtls_ecp_group_copy( &ctx->grp, &key->grp ) ) != 0 || 939 ( ret = mbedtls_mpi_copy( &ctx->d, &key->d ) ) != 0 || 940 ( ret = mbedtls_ecp_copy( &ctx->Q, &key->Q ) ) != 0 ) 941 { 942 mbedtls_ecdsa_free( ctx ); 943 } 944 945 return( ret ); 946 } 947 948 /* 949 * Initialize context 950 */ 951 void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx ) 952 { 953 ECDSA_VALIDATE( ctx != NULL ); 954 955 mbedtls_ecp_keypair_init( ctx ); 956 } 957 958 /* 959 * Free context 960 */ 961 void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx ) 962 { 963 if( ctx == NULL ) 964 return; 965 966 mbedtls_ecp_keypair_free( ctx ); 967 } 968 969 #if defined(MBEDTLS_ECP_RESTARTABLE) 970 /* 971 * Initialize a restart context 972 */ 973 void mbedtls_ecdsa_restart_init( mbedtls_ecdsa_restart_ctx *ctx ) 974 { 975 ECDSA_VALIDATE( ctx != NULL ); 976 977 mbedtls_ecp_restart_init( &ctx->ecp ); 978 979 ctx->ver = NULL; 980 ctx->sig = NULL; 981 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) 982 ctx->det = NULL; 983 #endif 984 } 985 986 /* 987 * Free the components of a restart context 988 */ 989 void mbedtls_ecdsa_restart_free( mbedtls_ecdsa_restart_ctx *ctx ) 990 { 991 if( ctx == NULL ) 992 return; 993 994 mbedtls_ecp_restart_free( &ctx->ecp ); 995 996 ecdsa_restart_ver_free( ctx->ver ); 997 mbedtls_free( ctx->ver ); 998 ctx->ver = NULL; 999 1000 ecdsa_restart_sig_free( ctx->sig ); 1001 mbedtls_free( ctx->sig ); 1002 ctx->sig = NULL; 1003 1004 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) 1005 ecdsa_restart_det_free( ctx->det ); 1006 mbedtls_free( ctx->det ); 1007 ctx->det = NULL; 1008 #endif 1009 } 1010 #endif /* MBEDTLS_ECP_RESTARTABLE */ 1011 1012 #endif /* MBEDTLS_ECDSA_C */ 1013