TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / refs/heads/dev/mbed-crypto-0.1.0-alpha / . / library / ecdsa.c
blob: a05cae48887cf853bd84cc52d53d673521affc8e [file] [log] [blame]
Jaeden Ameroe54e6932018-08-06 16:19:58 +0100[diff] [blame]1/*
2 * Elliptic curve DSA
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of Mbed Crypto (https://tls.mbed.org)
20 */
21
22/*
23 * References:
24 *
25 * SEC1 http://www.secg.org/index.php?action=secg,docs_secg
26 */
27
28#if !defined(MBEDCRYPTO_CONFIG_FILE)
29#include "mbedcrypto/config.h"
30#else
31#include MBEDCRYPTO_CONFIG_FILE
32#endif
33
34#if defined(MBEDCRYPTO_ECDSA_C)
35
36#include "mbedcrypto/ecdsa.h"
37#include "mbedcrypto/asn1write.h"
38
39#include <string.h>
40
41#if defined(MBEDCRYPTO_ECDSA_DETERMINISTIC)
42#include "mbedcrypto/hmac_drbg.h"
43#endif
44
45/*
46 * Derive a suitable integer for group grp from a buffer of length len
47 * SEC1 4.1.3 step 5 aka SEC1 4.1.4 step 3
48 */
49static int derive_mpi( const mbedcrypto_ecp_group *grp, mbedcrypto_mpi *x,
50 const unsigned char *buf, size_t blen )
51{
52 int ret;
53 size_t n_size = ( grp->nbits + 7 ) / 8;
54 size_t use_size = blen > n_size ? n_size : blen;
55
56 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_read_binary( x, buf, use_size ) );
57 if( use_size * 8 > grp->nbits )
58 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_shift_r( x, use_size * 8 - grp->nbits ) );
59
60 /* While at it, reduce modulo N */
61 if( mbedcrypto_mpi_cmp_mpi( x, &grp->N ) >= 0 )
62 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_sub_mpi( x, x, &grp->N ) );
63
64cleanup:
65 return( ret );
66}
67
68#if !defined(MBEDCRYPTO_ECDSA_SIGN_ALT)
69/*
70 * Compute ECDSA signature of a hashed message (SEC1 4.1.3)
71 * Obviously, compared to SEC1 4.1.3, we skip step 4 (hash message)
72 */
73int mbedcrypto_ecdsa_sign( mbedcrypto_ecp_group *grp, mbedcrypto_mpi *r, mbedcrypto_mpi *s,
74 const mbedcrypto_mpi *d, const unsigned char *buf, size_t blen,
75 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
76{
77 int ret, key_tries, sign_tries, blind_tries;
78 mbedcrypto_ecp_point R;
79 mbedcrypto_mpi k, e, t;
80
81 /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
82 if( grp->N.p == NULL )
83 return( MBEDCRYPTO_ERR_ECP_BAD_INPUT_DATA );
84
85 /* Make sure d is in range 1..n-1 */
86 if( mbedcrypto_mpi_cmp_int( d, 1 ) < 0 || mbedcrypto_mpi_cmp_mpi( d, &grp->N ) >= 0 )
87 return( MBEDCRYPTO_ERR_ECP_INVALID_KEY );
88
89 mbedcrypto_ecp_point_init( &R );
90 mbedcrypto_mpi_init( &k ); mbedcrypto_mpi_init( &e ); mbedcrypto_mpi_init( &t );
91
92 sign_tries = 0;
93 do
94 {
95 /*
96 * Steps 1-3: generate a suitable ephemeral keypair
97 * and set r = xR mod n
98 */
99 key_tries = 0;
100 do
101 {
102 MBEDCRYPTO_MPI_CHK( mbedcrypto_ecp_gen_keypair( grp, &k, &R, f_rng, p_rng ) );
103 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mod_mpi( r, &R.X, &grp->N ) );
104
105 if( key_tries++ > 10 )
106 {
107 ret = MBEDCRYPTO_ERR_ECP_RANDOM_FAILED;
108 goto cleanup;
109 }
110 }
111 while( mbedcrypto_mpi_cmp_int( r, 0 ) == 0 );
112
113 /*
114 * Step 5: derive MPI from hashed message
115 */
116 MBEDCRYPTO_MPI_CHK( derive_mpi( grp, &e, buf, blen ) );
117
118 /*
119 * Generate a random value to blind inv_mod in next step,
120 * avoiding a potential timing leak.
121 */
122 blind_tries = 0;
123 do
124 {
125 size_t n_size = ( grp->nbits + 7 ) / 8;
126 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_fill_random( &t, n_size, f_rng, p_rng ) );
127 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_shift_r( &t, 8 * n_size - grp->nbits ) );
128
129 /* See mbedcrypto_ecp_gen_keypair() */
130 if( ++blind_tries > 30 )
131 return( MBEDCRYPTO_ERR_ECP_RANDOM_FAILED );
132 }
133 while( mbedcrypto_mpi_cmp_int( &t, 1 ) < 0 ||
134 mbedcrypto_mpi_cmp_mpi( &t, &grp->N ) >= 0 );
135
136 /*
137 * Step 6: compute s = (e + r * d) / k = t (e + rd) / (kt) mod n
138 */
139 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mul_mpi( s, r, d ) );
140 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_add_mpi( &e, &e, s ) );
141 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mul_mpi( &e, &e, &t ) );
142 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mul_mpi( &k, &k, &t ) );
143 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_inv_mod( s, &k, &grp->N ) );
144 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mul_mpi( s, s, &e ) );
145 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mod_mpi( s, s, &grp->N ) );
146
147 if( sign_tries++ > 10 )
148 {
149 ret = MBEDCRYPTO_ERR_ECP_RANDOM_FAILED;
150 goto cleanup;
151 }
152 }
153 while( mbedcrypto_mpi_cmp_int( s, 0 ) == 0 );
154
155cleanup:
156 mbedcrypto_ecp_point_free( &R );
157 mbedcrypto_mpi_free( &k ); mbedcrypto_mpi_free( &e ); mbedcrypto_mpi_free( &t );
158
159 return( ret );
160}
161#endif /* MBEDCRYPTO_ECDSA_SIGN_ALT */
162
163#if defined(MBEDCRYPTO_ECDSA_DETERMINISTIC)
164/*
165 * Deterministic signature wrapper
166 */
167int mbedcrypto_ecdsa_sign_det( mbedcrypto_ecp_group *grp, mbedcrypto_mpi *r, mbedcrypto_mpi *s,
168 const mbedcrypto_mpi *d, const unsigned char *buf, size_t blen,
169 mbedcrypto_md_type_t md_alg )
170{
171 int ret;
172 mbedcrypto_hmac_drbg_context rng_ctx;
173 unsigned char data[2 * MBEDCRYPTO_ECP_MAX_BYTES];
174 size_t grp_len = ( grp->nbits + 7 ) / 8;
175 const mbedcrypto_md_info_t *md_info;
176 mbedcrypto_mpi h;
177
178 if( ( md_info = mbedcrypto_md_info_from_type( md_alg ) ) == NULL )
179 return( MBEDCRYPTO_ERR_ECP_BAD_INPUT_DATA );
180
181 mbedcrypto_mpi_init( &h );
182 mbedcrypto_hmac_drbg_init( &rng_ctx );
183
184 /* Use private key and message hash (reduced) to initialize HMAC_DRBG */
185 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_write_binary( d, data, grp_len ) );
186 MBEDCRYPTO_MPI_CHK( derive_mpi( grp, &h, buf, blen ) );
187 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_write_binary( &h, data + grp_len, grp_len ) );
188 mbedcrypto_hmac_drbg_seed_buf( &rng_ctx, md_info, data, 2 * grp_len );
189
190 ret = mbedcrypto_ecdsa_sign( grp, r, s, d, buf, blen,
191 mbedcrypto_hmac_drbg_random, &rng_ctx );
192
193cleanup:
194 mbedcrypto_hmac_drbg_free( &rng_ctx );
195 mbedcrypto_mpi_free( &h );
196
197 return( ret );
198}
199#endif /* MBEDCRYPTO_ECDSA_DETERMINISTIC */
200
201#if !defined(MBEDCRYPTO_ECDSA_VERIFY_ALT)
202/*
203 * Verify ECDSA signature of hashed message (SEC1 4.1.4)
204 * Obviously, compared to SEC1 4.1.3, we skip step 2 (hash message)
205 */
206int mbedcrypto_ecdsa_verify( mbedcrypto_ecp_group *grp,
207 const unsigned char *buf, size_t blen,
208 const mbedcrypto_ecp_point *Q, const mbedcrypto_mpi *r, const mbedcrypto_mpi *s)
209{
210 int ret;
211 mbedcrypto_mpi e, s_inv, u1, u2;
212 mbedcrypto_ecp_point R;
213
214 mbedcrypto_ecp_point_init( &R );
215 mbedcrypto_mpi_init( &e ); mbedcrypto_mpi_init( &s_inv ); mbedcrypto_mpi_init( &u1 ); mbedcrypto_mpi_init( &u2 );
216
217 /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
218 if( grp->N.p == NULL )
219 return( MBEDCRYPTO_ERR_ECP_BAD_INPUT_DATA );
220
221 /*
222 * Step 1: make sure r and s are in range 1..n-1
223 */
224 if( mbedcrypto_mpi_cmp_int( r, 1 ) < 0 || mbedcrypto_mpi_cmp_mpi( r, &grp->N ) >= 0 ||
225 mbedcrypto_mpi_cmp_int( s, 1 ) < 0 || mbedcrypto_mpi_cmp_mpi( s, &grp->N ) >= 0 )
226 {
227 ret = MBEDCRYPTO_ERR_ECP_VERIFY_FAILED;
228 goto cleanup;
229 }
230
231 /*
232 * Additional precaution: make sure Q is valid
233 */
234 MBEDCRYPTO_MPI_CHK( mbedcrypto_ecp_check_pubkey( grp, Q ) );
235
236 /*
237 * Step 3: derive MPI from hashed message
238 */
239 MBEDCRYPTO_MPI_CHK( derive_mpi( grp, &e, buf, blen ) );
240
241 /*
242 * Step 4: u1 = e / s mod n, u2 = r / s mod n
243 */
244 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_inv_mod( &s_inv, s, &grp->N ) );
245
246 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mul_mpi( &u1, &e, &s_inv ) );
247 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mod_mpi( &u1, &u1, &grp->N ) );
248
249 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mul_mpi( &u2, r, &s_inv ) );
250 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mod_mpi( &u2, &u2, &grp->N ) );
251
252 /*
253 * Step 5: R = u1 G + u2 Q
254 *
255 * Since we're not using any secret data, no need to pass a RNG to
256 * mbedcrypto_ecp_mul() for countermesures.
257 */
258 MBEDCRYPTO_MPI_CHK( mbedcrypto_ecp_muladd( grp, &R, &u1, &grp->G, &u2, Q ) );
259
260 if( mbedcrypto_ecp_is_zero( &R ) )
261 {
262 ret = MBEDCRYPTO_ERR_ECP_VERIFY_FAILED;
263 goto cleanup;
264 }
265
266 /*
267 * Step 6: convert xR to an integer (no-op)
268 * Step 7: reduce xR mod n (gives v)
269 */
270 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mod_mpi( &R.X, &R.X, &grp->N ) );
271
272 /*
273 * Step 8: check if v (that is, R.X) is equal to r
274 */
275 if( mbedcrypto_mpi_cmp_mpi( &R.X, r ) != 0 )
276 {
277 ret = MBEDCRYPTO_ERR_ECP_VERIFY_FAILED;
278 goto cleanup;
279 }
280
281cleanup:
282 mbedcrypto_ecp_point_free( &R );
283 mbedcrypto_mpi_free( &e ); mbedcrypto_mpi_free( &s_inv ); mbedcrypto_mpi_free( &u1 ); mbedcrypto_mpi_free( &u2 );
284
285 return( ret );
286}
287#endif /* MBEDCRYPTO_ECDSA_VERIFY_ALT */
288
289/*
290 * Convert a signature (given by context) to ASN.1
291 */
292static int ecdsa_signature_to_asn1( const mbedcrypto_mpi *r, const mbedcrypto_mpi *s,
293 unsigned char *sig, size_t *slen )
294{
295 int ret;
296 unsigned char buf[MBEDCRYPTO_ECDSA_MAX_LEN];
297 unsigned char *p = buf + sizeof( buf );
298 size_t len = 0;
299
300 MBEDCRYPTO_ASN1_CHK_ADD( len, mbedcrypto_asn1_write_mpi( &p, buf, s ) );
301 MBEDCRYPTO_ASN1_CHK_ADD( len, mbedcrypto_asn1_write_mpi( &p, buf, r ) );
302
303 MBEDCRYPTO_ASN1_CHK_ADD( len, mbedcrypto_asn1_write_len( &p, buf, len ) );
304 MBEDCRYPTO_ASN1_CHK_ADD( len, mbedcrypto_asn1_write_tag( &p, buf,
305 MBEDCRYPTO_ASN1_CONSTRUCTED | MBEDCRYPTO_ASN1_SEQUENCE ) );
306
307 memcpy( sig, p, len );
308 *slen = len;
309
310 return( 0 );
311}
312
313/*
314 * Compute and write signature
315 */
316int mbedcrypto_ecdsa_write_signature( mbedcrypto_ecdsa_context *ctx, mbedcrypto_md_type_t md_alg,
317 const unsigned char *hash, size_t hlen,
318 unsigned char *sig, size_t *slen,
319 int (*f_rng)(void *, unsigned char *, size_t),
320 void *p_rng )
321{
322 int ret;
323 mbedcrypto_mpi r, s;
324
325 mbedcrypto_mpi_init( &r );
326 mbedcrypto_mpi_init( &s );
327
328#if defined(MBEDCRYPTO_ECDSA_DETERMINISTIC)
329 (void) f_rng;
330 (void) p_rng;
331
332 MBEDCRYPTO_MPI_CHK( mbedcrypto_ecdsa_sign_det( &ctx->grp, &r, &s, &ctx->d,
333 hash, hlen, md_alg ) );
334#else
335 (void) md_alg;
336
337 MBEDCRYPTO_MPI_CHK( mbedcrypto_ecdsa_sign( &ctx->grp, &r, &s, &ctx->d,
338 hash, hlen, f_rng, p_rng ) );
339#endif
340
341 MBEDCRYPTO_MPI_CHK( ecdsa_signature_to_asn1( &r, &s, sig, slen ) );
342
343cleanup:
344 mbedcrypto_mpi_free( &r );
345 mbedcrypto_mpi_free( &s );
346
347 return( ret );
348}
349
350#if ! defined(MBEDCRYPTO_DEPRECATED_REMOVED) && \
351 defined(MBEDCRYPTO_ECDSA_DETERMINISTIC)
352int mbedcrypto_ecdsa_write_signature_det( mbedcrypto_ecdsa_context *ctx,
353 const unsigned char *hash, size_t hlen,
354 unsigned char *sig, size_t *slen,
355 mbedcrypto_md_type_t md_alg )
356{
357 return( mbedcrypto_ecdsa_write_signature( ctx, md_alg, hash, hlen, sig, slen,
358 NULL, NULL ) );
359}
360#endif
361
362/*
363 * Read and check signature
364 */
365int mbedcrypto_ecdsa_read_signature( mbedcrypto_ecdsa_context *ctx,
366 const unsigned char *hash, size_t hlen,
367 const unsigned char *sig, size_t slen )
368{
369 int ret;
370 unsigned char *p = (unsigned char *) sig;
371 const unsigned char *end = sig + slen;
372 size_t len;
373 mbedcrypto_mpi r, s;
374
375 mbedcrypto_mpi_init( &r );
376 mbedcrypto_mpi_init( &s );
377
378 if( ( ret = mbedcrypto_asn1_get_tag( &p, end, &len,
379 MBEDCRYPTO_ASN1_CONSTRUCTED | MBEDCRYPTO_ASN1_SEQUENCE ) ) != 0 )
380 {
381 ret += MBEDCRYPTO_ERR_ECP_BAD_INPUT_DATA;
382 goto cleanup;
383 }
384
385 if( p + len != end )
386 {
387 ret = MBEDCRYPTO_ERR_ECP_BAD_INPUT_DATA +
388 MBEDCRYPTO_ERR_ASN1_LENGTH_MISMATCH;
389 goto cleanup;
390 }
391
392 if( ( ret = mbedcrypto_asn1_get_mpi( &p, end, &r ) ) != 0 ||
393 ( ret = mbedcrypto_asn1_get_mpi( &p, end, &s ) ) != 0 )
394 {
395 ret += MBEDCRYPTO_ERR_ECP_BAD_INPUT_DATA;
396 goto cleanup;
397 }
398
399 if( ( ret = mbedcrypto_ecdsa_verify( &ctx->grp, hash, hlen,
400 &ctx->Q, &r, &s ) ) != 0 )
401 goto cleanup;
402
403 /* At this point we know that the buffer starts with a valid signature.
404 * Return 0 if the buffer just contains the signature, and a specific
405 * error code if the valid signature is followed by more data. */
406 if( p != end )
407 ret = MBEDCRYPTO_ERR_ECP_SIG_LEN_MISMATCH;
408
409cleanup:
410 mbedcrypto_mpi_free( &r );
411 mbedcrypto_mpi_free( &s );
412
413 return( ret );
414}
415
416#if !defined(MBEDCRYPTO_ECDSA_GENKEY_ALT)
417/*
418 * Generate key pair
419 */
420int mbedcrypto_ecdsa_genkey( mbedcrypto_ecdsa_context *ctx, mbedcrypto_ecp_group_id gid,
421 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
422{
423 return( mbedcrypto_ecp_group_load( &ctx->grp, gid ) ||
424 mbedcrypto_ecp_gen_keypair( &ctx->grp, &ctx->d, &ctx->Q, f_rng, p_rng ) );
425}
426#endif /* MBEDCRYPTO_ECDSA_GENKEY_ALT */
427
428/*
429 * Set context from an mbedcrypto_ecp_keypair
430 */
431int mbedcrypto_ecdsa_from_keypair( mbedcrypto_ecdsa_context *ctx, const mbedcrypto_ecp_keypair *key )
432{
433 int ret;
434
435 if( ( ret = mbedcrypto_ecp_group_copy( &ctx->grp, &key->grp ) ) != 0 ||
436 ( ret = mbedcrypto_mpi_copy( &ctx->d, &key->d ) ) != 0 ||
437 ( ret = mbedcrypto_ecp_copy( &ctx->Q, &key->Q ) ) != 0 )
438 {
439 mbedcrypto_ecdsa_free( ctx );
440 }
441
442 return( ret );
443}
444
445/*
446 * Initialize context
447 */
448void mbedcrypto_ecdsa_init( mbedcrypto_ecdsa_context *ctx )
449{
450 mbedcrypto_ecp_keypair_init( ctx );
451}
452
453/*
454 * Free context
455 */
456void mbedcrypto_ecdsa_free( mbedcrypto_ecdsa_context *ctx )
457{
458 mbedcrypto_ecp_keypair_free( ctx );
459}
460
461#endif /* MBEDCRYPTO_ECDSA_C */