1*f0865ec9SKyle Evans /* 2*f0865ec9SKyle Evans * Copyright (C) 2017 - This file is part of libecc project 3*f0865ec9SKyle Evans * 4*f0865ec9SKyle Evans * Authors: 5*f0865ec9SKyle Evans * Ryad BENADJILA <ryadbenadjila@gmail.com> 6*f0865ec9SKyle Evans * Arnaud EBALARD <arnaud.ebalard@ssi.gouv.fr> 7*f0865ec9SKyle Evans * Jean-Pierre FLORI <jean-pierre.flori@ssi.gouv.fr> 8*f0865ec9SKyle Evans * 9*f0865ec9SKyle Evans * Contributors: 10*f0865ec9SKyle Evans * Nicolas VIVET <nicolas.vivet@ssi.gouv.fr> 11*f0865ec9SKyle Evans * Karim KHALFALLAH <karim.khalfallah@ssi.gouv.fr> 12*f0865ec9SKyle Evans * 13*f0865ec9SKyle Evans * This software is licensed under a dual BSD and GPL v2 license. 14*f0865ec9SKyle Evans * See LICENSE file at the root folder of the project. 15*f0865ec9SKyle Evans */ 16*f0865ec9SKyle Evans #include <libecc/lib_ecc_config.h> 17*f0865ec9SKyle Evans #if defined(WITH_SIG_ECDSA) || defined(WITH_SIG_DECDSA) 18*f0865ec9SKyle Evans 19*f0865ec9SKyle Evans #include <libecc/nn/nn_rand.h> 20*f0865ec9SKyle Evans #include <libecc/nn/nn_mul_public.h> 21*f0865ec9SKyle Evans #include <libecc/nn/nn_logical.h> 22*f0865ec9SKyle Evans 23*f0865ec9SKyle Evans #include <libecc/sig/sig_algs_internal.h> 24*f0865ec9SKyle Evans #include <libecc/sig/ec_key.h> 25*f0865ec9SKyle Evans #include <libecc/utils/utils.h> 26*f0865ec9SKyle Evans #ifdef VERBOSE_INNER_VALUES 27*f0865ec9SKyle Evans #define EC_SIG_ALG "ECDSA" 28*f0865ec9SKyle Evans #endif 29*f0865ec9SKyle Evans #include <libecc/utils/dbg_sig.h> 30*f0865ec9SKyle Evans 31*f0865ec9SKyle Evans 32*f0865ec9SKyle Evans #if defined(WITH_SIG_DECDSA) 33*f0865ec9SKyle Evans #include <libecc/hash/hmac.h> 34*f0865ec9SKyle Evans 35*f0865ec9SKyle Evans /* 36*f0865ec9SKyle Evans * Deterministic nonce generation function for deterministic ECDSA, as 37*f0865ec9SKyle Evans * described in RFC6979. 38*f0865ec9SKyle Evans * NOTE: Deterministic nonce generation for ECDSA is useful against attackers 39*f0865ec9SKyle Evans * in contexts where only poor RNG/entropy are available, or when nonce bits 40*f0865ec9SKyle Evans * leaking can be possible through side-channel attacks. 41*f0865ec9SKyle Evans * However, in contexts where fault attacks are easy to mount, deterministic 42*f0865ec9SKyle Evans * ECDSA can bring more security risks than regular ECDSA. 43*f0865ec9SKyle Evans * 44*f0865ec9SKyle Evans * Depending on the context where you use the library, choose carefully if 45*f0865ec9SKyle Evans * you want to use the deterministic version or not. 46*f0865ec9SKyle Evans * 47*f0865ec9SKyle Evans */ 48*f0865ec9SKyle Evans ATTRIBUTE_WARN_UNUSED_RET static int __ecdsa_rfc6979_nonce(nn_t k, nn_src_t q, bitcnt_t q_bit_len, 49*f0865ec9SKyle Evans nn_src_t x, const u8 *hash, u8 hsize, 50*f0865ec9SKyle Evans hash_alg_type hash_type) 51*f0865ec9SKyle Evans { 52*f0865ec9SKyle Evans int ret, cmp; 53*f0865ec9SKyle Evans u8 V[MAX_DIGEST_SIZE]; 54*f0865ec9SKyle Evans u8 K[MAX_DIGEST_SIZE]; 55*f0865ec9SKyle Evans u8 T[BYTECEIL(CURVES_MAX_Q_BIT_LEN) + MAX_DIGEST_SIZE]; 56*f0865ec9SKyle Evans u8 priv_key_buff[EC_PRIV_KEY_MAX_SIZE]; 57*f0865ec9SKyle Evans hmac_context hmac_ctx; 58*f0865ec9SKyle Evans bitcnt_t t_bit_len; 59*f0865ec9SKyle Evans u8 q_len; 60*f0865ec9SKyle Evans u8 hmac_size; 61*f0865ec9SKyle Evans u8 tmp; 62*f0865ec9SKyle Evans 63*f0865ec9SKyle Evans /* Sanity checks */ 64*f0865ec9SKyle Evans MUST_HAVE((k != NULL), ret, err); 65*f0865ec9SKyle Evans MUST_HAVE((hash != NULL), ret, err); 66*f0865ec9SKyle Evans ret = nn_check_initialized(q); EG(ret, err); 67*f0865ec9SKyle Evans ret = nn_check_initialized(x); EG(ret, err); 68*f0865ec9SKyle Evans 69*f0865ec9SKyle Evans q_len = (u8)BYTECEIL(q_bit_len); 70*f0865ec9SKyle Evans 71*f0865ec9SKyle Evans MUST_HAVE((q_len <= EC_PRIV_KEY_MAX_SIZE) && (hsize <= MAX_BLOCK_SIZE), ret, err); 72*f0865ec9SKyle Evans 73*f0865ec9SKyle Evans /* Steps b. and c.: set V = 0x01 ... 0x01 and K = 0x00 ... 0x00 */ 74*f0865ec9SKyle Evans ret = local_memset(V, 0x01, hsize); EG(ret, err); 75*f0865ec9SKyle Evans ret = local_memset(K, 0x00, hsize); EG(ret, err); 76*f0865ec9SKyle Evans /* Export our private key in a buffer */ 77*f0865ec9SKyle Evans ret = nn_export_to_buf(priv_key_buff, q_len, x); EG(ret, err); 78*f0865ec9SKyle Evans /* Step d.: set K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1)) 79*f0865ec9SKyle Evans * where x is the private key and h1 the message hash. 80*f0865ec9SKyle Evans */ 81*f0865ec9SKyle Evans ret = hmac_init(&hmac_ctx, K, hsize, hash_type); EG(ret, err); 82*f0865ec9SKyle Evans ret = hmac_update(&hmac_ctx, V, hsize); EG(ret, err); 83*f0865ec9SKyle Evans 84*f0865ec9SKyle Evans tmp = 0x00; 85*f0865ec9SKyle Evans ret = hmac_update(&hmac_ctx, &tmp, 1); EG(ret, err); 86*f0865ec9SKyle Evans ret = hmac_update(&hmac_ctx, priv_key_buff, q_len); EG(ret, err); 87*f0865ec9SKyle Evans 88*f0865ec9SKyle Evans /* We compute bits2octets(hash) here */ 89*f0865ec9SKyle Evans ret = nn_init_from_buf(k, hash, hsize); EG(ret, err); 90*f0865ec9SKyle Evans if((8 * hsize) > q_bit_len){ 91*f0865ec9SKyle Evans ret = nn_rshift(k, k, (bitcnt_t)((8 * hsize) - q_bit_len)); EG(ret, err); 92*f0865ec9SKyle Evans } 93*f0865ec9SKyle Evans ret = nn_mod(k, k, q); EG(ret, err); 94*f0865ec9SKyle Evans ret = nn_export_to_buf(T, q_len, k); EG(ret, err); 95*f0865ec9SKyle Evans ret = hmac_update(&hmac_ctx, T, q_len); EG(ret, err); 96*f0865ec9SKyle Evans hmac_size = sizeof(K); 97*f0865ec9SKyle Evans ret = hmac_finalize(&hmac_ctx, K, &hmac_size); EG(ret, err); 98*f0865ec9SKyle Evans 99*f0865ec9SKyle Evans /* Step e.: set V = HMAC_K(V) */ 100*f0865ec9SKyle Evans hmac_size = sizeof(V); 101*f0865ec9SKyle Evans ret = hmac(K, hsize, hash_type, V, hsize, V, &hmac_size); EG(ret, err); 102*f0865ec9SKyle Evans /* Step f.: K = HMAC_K(V || 0x01 || int2octets(x) || bits2octets(h1)) */ 103*f0865ec9SKyle Evans ret = hmac_init(&hmac_ctx, K, hsize, hash_type); EG(ret, err); 104*f0865ec9SKyle Evans ret = hmac_update(&hmac_ctx, V, hsize); EG(ret, err); 105*f0865ec9SKyle Evans 106*f0865ec9SKyle Evans tmp = 0x01; 107*f0865ec9SKyle Evans ret = hmac_update(&hmac_ctx, &tmp, 1); EG(ret, err); 108*f0865ec9SKyle Evans ret = hmac_update(&hmac_ctx, priv_key_buff, q_len); EG(ret, err); 109*f0865ec9SKyle Evans 110*f0865ec9SKyle Evans /* We compute bits2octets(hash) here */ 111*f0865ec9SKyle Evans ret = hmac_update(&hmac_ctx, T, q_len); EG(ret, err); 112*f0865ec9SKyle Evans hmac_size = sizeof(K); 113*f0865ec9SKyle Evans ret = hmac_finalize(&hmac_ctx, K, &hmac_size); EG(ret, err); 114*f0865ec9SKyle Evans /* Step g.: set V = HMAC_K(V)*/ 115*f0865ec9SKyle Evans hmac_size = sizeof(V); 116*f0865ec9SKyle Evans ret = hmac(K, hsize, hash_type, V, hsize, V, &hmac_size); EG(ret, err); 117*f0865ec9SKyle Evans 118*f0865ec9SKyle Evans /* Step h. now apply the generation algorithm until we get 119*f0865ec9SKyle Evans * a proper nonce value: 120*f0865ec9SKyle Evans * 1. Set T to the empty sequence. The length of T (in bits) is 121*f0865ec9SKyle Evans * denoted tlen; thus, at that point, tlen = 0. 122*f0865ec9SKyle Evans * 2. While tlen < qlen, do the following: 123*f0865ec9SKyle Evans * V = HMAC_K(V) 124*f0865ec9SKyle Evans * T = T || V 125*f0865ec9SKyle Evans * 3. Compute: 126*f0865ec9SKyle Evans * k = bits2int(T) 127*f0865ec9SKyle Evans * If that value of k is within the [1,q-1] range, and is 128*f0865ec9SKyle Evans * suitable for DSA or ECDSA (i.e., it results in an r value 129*f0865ec9SKyle Evans * that is not 0; see Section 3.4), then the generation of k is 130*f0865ec9SKyle Evans * finished. The obtained value of k is used in DSA or ECDSA. 131*f0865ec9SKyle Evans * Otherwise, compute: 132*f0865ec9SKyle Evans * K = HMAC_K(V || 0x00) 133*f0865ec9SKyle Evans * V = HMAC_K(V) 134*f0865ec9SKyle Evans * and loop (try to generate a new T, and so on). 135*f0865ec9SKyle Evans */ 136*f0865ec9SKyle Evans restart: 137*f0865ec9SKyle Evans t_bit_len = 0; 138*f0865ec9SKyle Evans while(t_bit_len < q_bit_len){ 139*f0865ec9SKyle Evans /* V = HMAC_K(V) */ 140*f0865ec9SKyle Evans hmac_size = sizeof(V); 141*f0865ec9SKyle Evans ret = hmac(K, hsize, hash_type, V, hsize, V, &hmac_size); EG(ret, err); 142*f0865ec9SKyle Evans ret = local_memcpy(&T[BYTECEIL(t_bit_len)], V, hmac_size); EG(ret, err); 143*f0865ec9SKyle Evans t_bit_len = (bitcnt_t)(t_bit_len + (8 * hmac_size)); 144*f0865ec9SKyle Evans } 145*f0865ec9SKyle Evans ret = nn_init_from_buf(k, T, q_len); EG(ret, err); 146*f0865ec9SKyle Evans if((8 * q_len) > q_bit_len){ 147*f0865ec9SKyle Evans ret = nn_rshift(k, k, (bitcnt_t)((8 * q_len) - q_bit_len)); EG(ret, err); 148*f0865ec9SKyle Evans } 149*f0865ec9SKyle Evans ret = nn_cmp(k, q, &cmp); EG(ret, err); 150*f0865ec9SKyle Evans if(cmp >= 0){ 151*f0865ec9SKyle Evans /* K = HMAC_K(V || 0x00) */ 152*f0865ec9SKyle Evans ret = hmac_init(&hmac_ctx, K, hsize, hash_type); EG(ret, err); 153*f0865ec9SKyle Evans ret = hmac_update(&hmac_ctx, V, hsize); EG(ret, err); 154*f0865ec9SKyle Evans 155*f0865ec9SKyle Evans tmp = 0x00; 156*f0865ec9SKyle Evans ret = hmac_update(&hmac_ctx, &tmp, 1); EG(ret, err); 157*f0865ec9SKyle Evans 158*f0865ec9SKyle Evans hmac_size = sizeof(K); 159*f0865ec9SKyle Evans ret = hmac_finalize(&hmac_ctx, K, &hmac_size); EG(ret, err); 160*f0865ec9SKyle Evans /* V = HMAC_K(V) */ 161*f0865ec9SKyle Evans hmac_size = sizeof(V); 162*f0865ec9SKyle Evans ret = hmac(K, hsize, hash_type, V, hsize, V, &hmac_size); EG(ret, err); 163*f0865ec9SKyle Evans 164*f0865ec9SKyle Evans goto restart; 165*f0865ec9SKyle Evans } 166*f0865ec9SKyle Evans 167*f0865ec9SKyle Evans err: 168*f0865ec9SKyle Evans return ret; 169*f0865ec9SKyle Evans } 170*f0865ec9SKyle Evans #endif 171*f0865ec9SKyle Evans 172*f0865ec9SKyle Evans int __ecdsa_init_pub_key(ec_pub_key *out_pub, const ec_priv_key *in_priv, 173*f0865ec9SKyle Evans ec_alg_type key_type) 174*f0865ec9SKyle Evans { 175*f0865ec9SKyle Evans prj_pt_src_t G; 176*f0865ec9SKyle Evans int ret, cmp; 177*f0865ec9SKyle Evans nn_src_t q; 178*f0865ec9SKyle Evans 179*f0865ec9SKyle Evans MUST_HAVE((out_pub != NULL), ret, err); 180*f0865ec9SKyle Evans 181*f0865ec9SKyle Evans /* Zero init public key to be generated */ 182*f0865ec9SKyle Evans ret = local_memset(out_pub, 0, sizeof(ec_pub_key)); EG(ret, err); 183*f0865ec9SKyle Evans 184*f0865ec9SKyle Evans ret = priv_key_check_initialized_and_type(in_priv, key_type); EG(ret, err); 185*f0865ec9SKyle Evans q = &(in_priv->params->ec_gen_order); 186*f0865ec9SKyle Evans 187*f0865ec9SKyle Evans /* Sanity check on key compliance */ 188*f0865ec9SKyle Evans MUST_HAVE((!nn_cmp(&(in_priv->x), q, &cmp)) && (cmp < 0), ret, err); 189*f0865ec9SKyle Evans 190*f0865ec9SKyle Evans /* Y = xG */ 191*f0865ec9SKyle Evans G = &(in_priv->params->ec_gen); 192*f0865ec9SKyle Evans /* Use blinding when computing point scalar multiplication */ 193*f0865ec9SKyle Evans ret = prj_pt_mul_blind(&(out_pub->y), &(in_priv->x), G); EG(ret, err); 194*f0865ec9SKyle Evans 195*f0865ec9SKyle Evans out_pub->key_type = key_type; 196*f0865ec9SKyle Evans out_pub->params = in_priv->params; 197*f0865ec9SKyle Evans out_pub->magic = PUB_KEY_MAGIC; 198*f0865ec9SKyle Evans 199*f0865ec9SKyle Evans err: 200*f0865ec9SKyle Evans return ret; 201*f0865ec9SKyle Evans } 202*f0865ec9SKyle Evans 203*f0865ec9SKyle Evans int __ecdsa_siglen(u16 p_bit_len, u16 q_bit_len, u8 hsize, u8 blocksize, u8 *siglen) 204*f0865ec9SKyle Evans { 205*f0865ec9SKyle Evans int ret; 206*f0865ec9SKyle Evans 207*f0865ec9SKyle Evans MUST_HAVE(siglen != NULL, ret, err); 208*f0865ec9SKyle Evans MUST_HAVE((p_bit_len <= CURVES_MAX_P_BIT_LEN) && 209*f0865ec9SKyle Evans (q_bit_len <= CURVES_MAX_Q_BIT_LEN) && 210*f0865ec9SKyle Evans (hsize <= MAX_DIGEST_SIZE) && (blocksize <= MAX_BLOCK_SIZE), ret, err); 211*f0865ec9SKyle Evans (*siglen) = (u8)ECDSA_SIGLEN(q_bit_len); 212*f0865ec9SKyle Evans ret = 0; 213*f0865ec9SKyle Evans 214*f0865ec9SKyle Evans err: 215*f0865ec9SKyle Evans return ret; 216*f0865ec9SKyle Evans } 217*f0865ec9SKyle Evans 218*f0865ec9SKyle Evans /* 219*f0865ec9SKyle Evans * Generic *internal* ECDSA signature functions (init, update and finalize). 220*f0865ec9SKyle Evans * Their purpose is to allow passing a specific hash function (along with 221*f0865ec9SKyle Evans * its output size) and the random ephemeral key k, so that compliance 222*f0865ec9SKyle Evans * tests against test vectors can be made without ugly hack in the code 223*f0865ec9SKyle Evans * itself. 224*f0865ec9SKyle Evans * 225*f0865ec9SKyle Evans * Global EC-DSA signature process is as follows (I,U,F provides 226*f0865ec9SKyle Evans * information in which function(s) (init(), update() or finalize()) 227*f0865ec9SKyle Evans * a specific step is performed): 228*f0865ec9SKyle Evans * 229*f0865ec9SKyle Evans *| IUF - ECDSA signature 230*f0865ec9SKyle Evans *| 231*f0865ec9SKyle Evans *| UF 1. Compute h = H(m) 232*f0865ec9SKyle Evans *| F 2. If |h| > bitlen(q), set h to bitlen(q) 233*f0865ec9SKyle Evans *| leftmost (most significant) bits of h 234*f0865ec9SKyle Evans *| F 3. e = OS2I(h) mod q 235*f0865ec9SKyle Evans *| F 4. Get a random value k in ]0,q[ 236*f0865ec9SKyle Evans *| F 5. Compute W = (W_x,W_y) = kG 237*f0865ec9SKyle Evans *| F 6. Compute r = W_x mod q 238*f0865ec9SKyle Evans *| F 7. If r is 0, restart the process at step 4. 239*f0865ec9SKyle Evans *| F 8. If e == rx, restart the process at step 4. 240*f0865ec9SKyle Evans *| F 9. Compute s = k^-1 * (xr + e) mod q 241*f0865ec9SKyle Evans *| F 10. If s is 0, restart the process at step 4. 242*f0865ec9SKyle Evans *| F 11. Return (r,s) 243*f0865ec9SKyle Evans * 244*f0865ec9SKyle Evans * Implementation notes: 245*f0865ec9SKyle Evans * 246*f0865ec9SKyle Evans * a) Usually (this is for instance the case in ISO 14888-3 and X9.62), the 247*f0865ec9SKyle Evans * process starts with steps 4 to 7 and is followed by steps 1 to 3. 248*f0865ec9SKyle Evans * The order is modified here w/o impact on the result and the security 249*f0865ec9SKyle Evans * in order to allow the algorithm to be compatible with an 250*f0865ec9SKyle Evans * init/update/finish API. More explicitly, the generation of k, which 251*f0865ec9SKyle Evans * may later result in a (unlikely) restart of the whole process is 252*f0865ec9SKyle Evans * postponed until the hash of the message has been computed. 253*f0865ec9SKyle Evans * b) sig is built as the concatenation of r and s. Both r and s are 254*f0865ec9SKyle Evans * encoded on ceil(bitlen(q)/8) bytes. 255*f0865ec9SKyle Evans * c) in EC-DSA, the public part of the key is not needed per se during the 256*f0865ec9SKyle Evans * signature but - as it is needed in other signature algs implemented 257*f0865ec9SKyle Evans * in the library - the whole key pair is passed instead of just the 258*f0865ec9SKyle Evans * private key. 259*f0865ec9SKyle Evans */ 260*f0865ec9SKyle Evans 261*f0865ec9SKyle Evans #define ECDSA_SIGN_MAGIC ((word_t)(0x80299a2bf630945bULL)) 262*f0865ec9SKyle Evans #define ECDSA_SIGN_CHECK_INITIALIZED(A, ret, err) \ 263*f0865ec9SKyle Evans MUST_HAVE((((void *)(A)) != NULL) && ((A)->magic == ECDSA_SIGN_MAGIC), ret, err) 264*f0865ec9SKyle Evans 265*f0865ec9SKyle Evans int __ecdsa_sign_init(struct ec_sign_context *ctx, ec_alg_type key_type) 266*f0865ec9SKyle Evans { 267*f0865ec9SKyle Evans int ret; 268*f0865ec9SKyle Evans 269*f0865ec9SKyle Evans /* First, verify context has been initialized */ 270*f0865ec9SKyle Evans ret = sig_sign_check_initialized(ctx); EG(ret, err); 271*f0865ec9SKyle Evans 272*f0865ec9SKyle Evans /* Additional sanity checks on input params from context */ 273*f0865ec9SKyle Evans ret = key_pair_check_initialized_and_type(ctx->key_pair, key_type); EG(ret, err); 274*f0865ec9SKyle Evans 275*f0865ec9SKyle Evans MUST_HAVE((ctx->h != NULL) && (ctx->h->digest_size <= MAX_DIGEST_SIZE) && 276*f0865ec9SKyle Evans (ctx->h->block_size <= MAX_BLOCK_SIZE), ret, err); 277*f0865ec9SKyle Evans 278*f0865ec9SKyle Evans /* 279*f0865ec9SKyle Evans * Initialize hash context stored in our private part of context 280*f0865ec9SKyle Evans * and record data init has been done 281*f0865ec9SKyle Evans */ 282*f0865ec9SKyle Evans /* Since we call a callback, sanity check our mapping */ 283*f0865ec9SKyle Evans ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); 284*f0865ec9SKyle Evans ret = ctx->h->hfunc_init(&(ctx->sign_data.ecdsa.h_ctx)); EG(ret, err); 285*f0865ec9SKyle Evans 286*f0865ec9SKyle Evans ctx->sign_data.ecdsa.magic = ECDSA_SIGN_MAGIC; 287*f0865ec9SKyle Evans 288*f0865ec9SKyle Evans err: 289*f0865ec9SKyle Evans return ret; 290*f0865ec9SKyle Evans } 291*f0865ec9SKyle Evans 292*f0865ec9SKyle Evans int __ecdsa_sign_update(struct ec_sign_context *ctx, 293*f0865ec9SKyle Evans const u8 *chunk, u32 chunklen, ec_alg_type key_type) 294*f0865ec9SKyle Evans { 295*f0865ec9SKyle Evans int ret; 296*f0865ec9SKyle Evans 297*f0865ec9SKyle Evans /* 298*f0865ec9SKyle Evans * First, verify context has been initialized and private 299*f0865ec9SKyle Evans * part too. This guarantees the context is an ECDSA 300*f0865ec9SKyle Evans * signature one and we do not update() or finalize() 301*f0865ec9SKyle Evans * before init(). 302*f0865ec9SKyle Evans */ 303*f0865ec9SKyle Evans ret = sig_sign_check_initialized(ctx); EG(ret, err); 304*f0865ec9SKyle Evans ECDSA_SIGN_CHECK_INITIALIZED(&(ctx->sign_data.ecdsa), ret, err); 305*f0865ec9SKyle Evans 306*f0865ec9SKyle Evans /* Additional sanity checks on input params from context */ 307*f0865ec9SKyle Evans ret = key_pair_check_initialized_and_type(ctx->key_pair, key_type); EG(ret, err); 308*f0865ec9SKyle Evans 309*f0865ec9SKyle Evans /* 1. Compute h = H(m) */ 310*f0865ec9SKyle Evans /* Since we call a callback, sanity check our mapping */ 311*f0865ec9SKyle Evans ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); 312*f0865ec9SKyle Evans ret = ctx->h->hfunc_update(&(ctx->sign_data.ecdsa.h_ctx), chunk, chunklen); 313*f0865ec9SKyle Evans 314*f0865ec9SKyle Evans err: 315*f0865ec9SKyle Evans return ret; 316*f0865ec9SKyle Evans } 317*f0865ec9SKyle Evans 318*f0865ec9SKyle Evans int __ecdsa_sign_finalize(struct ec_sign_context *ctx, u8 *sig, u8 siglen, 319*f0865ec9SKyle Evans ec_alg_type key_type) 320*f0865ec9SKyle Evans { 321*f0865ec9SKyle Evans int ret, iszero, cmp; 322*f0865ec9SKyle Evans const ec_priv_key *priv_key; 323*f0865ec9SKyle Evans prj_pt_src_t G; 324*f0865ec9SKyle Evans u8 hash[MAX_DIGEST_SIZE]; 325*f0865ec9SKyle Evans bitcnt_t rshift, q_bit_len; 326*f0865ec9SKyle Evans prj_pt kG; 327*f0865ec9SKyle Evans nn_src_t q, x; 328*f0865ec9SKyle Evans u8 hsize, q_len; 329*f0865ec9SKyle Evans nn k, r, e, tmp, s, kinv; 330*f0865ec9SKyle Evans #ifdef USE_SIG_BLINDING 331*f0865ec9SKyle Evans /* b is the blinding mask */ 332*f0865ec9SKyle Evans nn b; 333*f0865ec9SKyle Evans b.magic = WORD(0); 334*f0865ec9SKyle Evans #endif 335*f0865ec9SKyle Evans 336*f0865ec9SKyle Evans k.magic = r.magic = e.magic = WORD(0); 337*f0865ec9SKyle Evans tmp.magic = s.magic = kinv.magic = WORD(0); 338*f0865ec9SKyle Evans kG.magic = WORD(0); 339*f0865ec9SKyle Evans 340*f0865ec9SKyle Evans /* 341*f0865ec9SKyle Evans * First, verify context has been initialized and private 342*f0865ec9SKyle Evans * part too. This guarantees the context is an ECDSA 343*f0865ec9SKyle Evans * signature one and we do not finalize() before init(). 344*f0865ec9SKyle Evans */ 345*f0865ec9SKyle Evans ret = sig_sign_check_initialized(ctx); EG(ret, err); 346*f0865ec9SKyle Evans ECDSA_SIGN_CHECK_INITIALIZED(&(ctx->sign_data.ecdsa), ret, err); 347*f0865ec9SKyle Evans MUST_HAVE((sig != NULL), ret, err); 348*f0865ec9SKyle Evans 349*f0865ec9SKyle Evans /* Additional sanity checks on input params from context */ 350*f0865ec9SKyle Evans ret = key_pair_check_initialized_and_type(ctx->key_pair, key_type); EG(ret, err); 351*f0865ec9SKyle Evans 352*f0865ec9SKyle Evans /* Zero init out point */ 353*f0865ec9SKyle Evans ret = local_memset(&kG, 0, sizeof(prj_pt)); EG(ret, err); 354*f0865ec9SKyle Evans 355*f0865ec9SKyle Evans /* Make things more readable */ 356*f0865ec9SKyle Evans priv_key = &(ctx->key_pair->priv_key); 357*f0865ec9SKyle Evans q = &(priv_key->params->ec_gen_order); 358*f0865ec9SKyle Evans q_bit_len = priv_key->params->ec_gen_order_bitlen; 359*f0865ec9SKyle Evans G = &(priv_key->params->ec_gen); 360*f0865ec9SKyle Evans q_len = (u8)BYTECEIL(q_bit_len); 361*f0865ec9SKyle Evans x = &(priv_key->x); 362*f0865ec9SKyle Evans hsize = ctx->h->digest_size; 363*f0865ec9SKyle Evans 364*f0865ec9SKyle Evans MUST_HAVE((priv_key->key_type == key_type), ret, err); 365*f0865ec9SKyle Evans 366*f0865ec9SKyle Evans /* Sanity check */ 367*f0865ec9SKyle Evans ret = nn_cmp(x, q, &cmp); EG(ret, err); 368*f0865ec9SKyle Evans /* This should not happen and means that our 369*f0865ec9SKyle Evans * private key is not compliant! 370*f0865ec9SKyle Evans */ 371*f0865ec9SKyle Evans MUST_HAVE((cmp < 0), ret, err); 372*f0865ec9SKyle Evans 373*f0865ec9SKyle Evans dbg_nn_print("p", &(priv_key->params->ec_fp.p)); 374*f0865ec9SKyle Evans dbg_nn_print("q", &(priv_key->params->ec_gen_order)); 375*f0865ec9SKyle Evans dbg_priv_key_print("x", priv_key); 376*f0865ec9SKyle Evans dbg_ec_point_print("G", &(priv_key->params->ec_gen)); 377*f0865ec9SKyle Evans dbg_pub_key_print("Y", &(ctx->key_pair->pub_key)); 378*f0865ec9SKyle Evans 379*f0865ec9SKyle Evans /* Check given signature buffer length has the expected size */ 380*f0865ec9SKyle Evans MUST_HAVE((siglen == ECDSA_SIGLEN(q_bit_len)), ret, err); 381*f0865ec9SKyle Evans 382*f0865ec9SKyle Evans /* 1. Compute h = H(m) */ 383*f0865ec9SKyle Evans ret = local_memset(hash, 0, hsize); EG(ret, err); 384*f0865ec9SKyle Evans /* Since we call a callback, sanity check our mapping */ 385*f0865ec9SKyle Evans ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); 386*f0865ec9SKyle Evans ret = ctx->h->hfunc_finalize(&(ctx->sign_data.ecdsa.h_ctx), hash); EG(ret, err); 387*f0865ec9SKyle Evans dbg_buf_print("h", hash, hsize); 388*f0865ec9SKyle Evans 389*f0865ec9SKyle Evans /* 390*f0865ec9SKyle Evans * 2. If |h| > bitlen(q), set h to bitlen(q) 391*f0865ec9SKyle Evans * leftmost bits of h. 392*f0865ec9SKyle Evans * 393*f0865ec9SKyle Evans * Note that it's easier to check if the truncation has 394*f0865ec9SKyle Evans * to be done here but only implement it using a logical 395*f0865ec9SKyle Evans * shift at the beginning of step 3. below once the hash 396*f0865ec9SKyle Evans * has been converted to an integer. 397*f0865ec9SKyle Evans */ 398*f0865ec9SKyle Evans rshift = 0; 399*f0865ec9SKyle Evans if ((hsize * 8) > q_bit_len) { 400*f0865ec9SKyle Evans rshift = (bitcnt_t)((hsize * 8) - q_bit_len); 401*f0865ec9SKyle Evans } 402*f0865ec9SKyle Evans 403*f0865ec9SKyle Evans /* 404*f0865ec9SKyle Evans * 3. Compute e = OS2I(h) mod q, i.e. by converting h to an 405*f0865ec9SKyle Evans * integer and reducing it mod q 406*f0865ec9SKyle Evans */ 407*f0865ec9SKyle Evans ret = nn_init_from_buf(&e, hash, hsize); EG(ret, err); 408*f0865ec9SKyle Evans dbg_nn_print("h initial import as nn", &e); 409*f0865ec9SKyle Evans if (rshift) { 410*f0865ec9SKyle Evans ret = nn_rshift_fixedlen(&e, &e, rshift); EG(ret, err); 411*f0865ec9SKyle Evans } 412*f0865ec9SKyle Evans dbg_nn_print("h final import as nn", &e); 413*f0865ec9SKyle Evans ret = nn_mod(&e, &e, q); EG(ret, err); 414*f0865ec9SKyle Evans dbg_nn_print("e", &e); 415*f0865ec9SKyle Evans 416*f0865ec9SKyle Evans restart: 417*f0865ec9SKyle Evans /* 4. get a random value k in ]0,q[ */ 418*f0865ec9SKyle Evans #ifdef NO_KNOWN_VECTORS 419*f0865ec9SKyle Evans /* NOTE: when we do not need self tests for known vectors, 420*f0865ec9SKyle Evans * we can be strict about random function handler! 421*f0865ec9SKyle Evans * This allows us to avoid the corruption of such a pointer. 422*f0865ec9SKyle Evans */ 423*f0865ec9SKyle Evans /* Sanity check on the handler before calling it */ 424*f0865ec9SKyle Evans if(ctx->rand != nn_get_random_mod){ 425*f0865ec9SKyle Evans #ifdef WITH_SIG_DECDSA 426*f0865ec9SKyle Evans /* In deterministic ECDSA, nevermind! */ 427*f0865ec9SKyle Evans if(key_type != DECDSA) 428*f0865ec9SKyle Evans #endif 429*f0865ec9SKyle Evans { 430*f0865ec9SKyle Evans ret = -1; 431*f0865ec9SKyle Evans goto err; 432*f0865ec9SKyle Evans } 433*f0865ec9SKyle Evans } 434*f0865ec9SKyle Evans #endif 435*f0865ec9SKyle Evans if(ctx->rand != NULL){ 436*f0865ec9SKyle Evans /* Non-deterministic generation, or deterministic with 437*f0865ec9SKyle Evans * test vectors. 438*f0865ec9SKyle Evans */ 439*f0865ec9SKyle Evans ret = ctx->rand(&k, q); 440*f0865ec9SKyle Evans } 441*f0865ec9SKyle Evans else 442*f0865ec9SKyle Evans #if defined(WITH_SIG_DECDSA) 443*f0865ec9SKyle Evans { 444*f0865ec9SKyle Evans /* Only applies for DETERMINISTIC ECDSA */ 445*f0865ec9SKyle Evans if(key_type != DECDSA){ 446*f0865ec9SKyle Evans ret = -1; 447*f0865ec9SKyle Evans goto err; 448*f0865ec9SKyle Evans } 449*f0865ec9SKyle Evans /* Deterministically generate k as RFC6979 mandates */ 450*f0865ec9SKyle Evans ret = __ecdsa_rfc6979_nonce(&k, q, q_bit_len, &(priv_key->x), 451*f0865ec9SKyle Evans hash, hsize, ctx->h->type); 452*f0865ec9SKyle Evans } 453*f0865ec9SKyle Evans #else 454*f0865ec9SKyle Evans { 455*f0865ec9SKyle Evans /* NULL rand function is not accepted for regular ECDSA */ 456*f0865ec9SKyle Evans ret = -1; 457*f0865ec9SKyle Evans goto err; 458*f0865ec9SKyle Evans } 459*f0865ec9SKyle Evans #endif 460*f0865ec9SKyle Evans if (ret) { 461*f0865ec9SKyle Evans ret = -1; 462*f0865ec9SKyle Evans goto err; 463*f0865ec9SKyle Evans } 464*f0865ec9SKyle Evans dbg_nn_print("k", &k); 465*f0865ec9SKyle Evans 466*f0865ec9SKyle Evans #ifdef USE_SIG_BLINDING 467*f0865ec9SKyle Evans /* Note: if we use blinding, r and e are multiplied by 468*f0865ec9SKyle Evans * a random value b in ]0,q[ */ 469*f0865ec9SKyle Evans ret = nn_get_random_mod(&b, q); EG(ret, err); 470*f0865ec9SKyle Evans 471*f0865ec9SKyle Evans dbg_nn_print("b", &b); 472*f0865ec9SKyle Evans #endif /* USE_SIG_BLINDING */ 473*f0865ec9SKyle Evans 474*f0865ec9SKyle Evans 475*f0865ec9SKyle Evans /* 5. Compute W = (W_x,W_y) = kG */ 476*f0865ec9SKyle Evans #ifdef USE_SIG_BLINDING 477*f0865ec9SKyle Evans ret = prj_pt_mul_blind(&kG, &k, G); EG(ret, err); 478*f0865ec9SKyle Evans #else 479*f0865ec9SKyle Evans ret = prj_pt_mul(&kG, &k, G); EG(ret, err); 480*f0865ec9SKyle Evans #endif /* USE_SIG_BLINDING */ 481*f0865ec9SKyle Evans ret = prj_pt_unique(&kG, &kG); EG(ret, err); 482*f0865ec9SKyle Evans 483*f0865ec9SKyle Evans dbg_nn_print("W_x", &(kG.X.fp_val)); 484*f0865ec9SKyle Evans dbg_nn_print("W_y", &(kG.Y.fp_val)); 485*f0865ec9SKyle Evans 486*f0865ec9SKyle Evans /* 6. Compute r = W_x mod q */ 487*f0865ec9SKyle Evans ret = nn_mod(&r, &(kG.X.fp_val), q); EG(ret, err); 488*f0865ec9SKyle Evans dbg_nn_print("r", &r); 489*f0865ec9SKyle Evans 490*f0865ec9SKyle Evans /* 7. If r is 0, restart the process at step 4. */ 491*f0865ec9SKyle Evans ret = nn_iszero(&r, &iszero); EG(ret, err); 492*f0865ec9SKyle Evans if (iszero) { 493*f0865ec9SKyle Evans goto restart; 494*f0865ec9SKyle Evans } 495*f0865ec9SKyle Evans 496*f0865ec9SKyle Evans /* Clean hash buffer as we do not need it anymore */ 497*f0865ec9SKyle Evans ret = local_memset(hash, 0, hsize); EG(ret, err); 498*f0865ec9SKyle Evans 499*f0865ec9SKyle Evans /* Export r */ 500*f0865ec9SKyle Evans ret = nn_export_to_buf(sig, q_len, &r); EG(ret, err); 501*f0865ec9SKyle Evans 502*f0865ec9SKyle Evans #ifdef USE_SIG_BLINDING 503*f0865ec9SKyle Evans /* Blind r with b */ 504*f0865ec9SKyle Evans ret = nn_mod_mul(&r, &r, &b, q); EG(ret, err); 505*f0865ec9SKyle Evans 506*f0865ec9SKyle Evans /* Blind the message e */ 507*f0865ec9SKyle Evans ret = nn_mod_mul(&e, &e, &b, q); EG(ret, err); 508*f0865ec9SKyle Evans #endif /* USE_SIG_BLINDING */ 509*f0865ec9SKyle Evans 510*f0865ec9SKyle Evans /* tmp = xr mod q */ 511*f0865ec9SKyle Evans ret = nn_mod_mul(&tmp, x, &r, q); EG(ret, err); 512*f0865ec9SKyle Evans dbg_nn_print("x*r mod q", &tmp); 513*f0865ec9SKyle Evans 514*f0865ec9SKyle Evans /* 8. If e == rx, restart the process at step 4. */ 515*f0865ec9SKyle Evans ret = nn_cmp(&e, &tmp, &cmp); EG(ret, err); 516*f0865ec9SKyle Evans if (!cmp) { 517*f0865ec9SKyle Evans goto restart; 518*f0865ec9SKyle Evans } 519*f0865ec9SKyle Evans 520*f0865ec9SKyle Evans /* 9. Compute s = k^-1 * (xr + e) mod q */ 521*f0865ec9SKyle Evans 522*f0865ec9SKyle Evans /* tmp = (e + xr) mod q */ 523*f0865ec9SKyle Evans ret = nn_mod_add(&tmp, &tmp, &e, q); EG(ret, err); 524*f0865ec9SKyle Evans dbg_nn_print("(xr + e) mod q", &tmp); 525*f0865ec9SKyle Evans 526*f0865ec9SKyle Evans #ifdef USE_SIG_BLINDING 527*f0865ec9SKyle Evans /* 528*f0865ec9SKyle Evans * In case of blinding, we compute (b*k)^-1, and b^-1 will 529*f0865ec9SKyle Evans * automatically unblind (r*x) in the following. 530*f0865ec9SKyle Evans */ 531*f0865ec9SKyle Evans ret = nn_mod_mul(&k, &k, &b, q); EG(ret, err); 532*f0865ec9SKyle Evans #endif 533*f0865ec9SKyle Evans /* Compute k^-1 mod q */ 534*f0865ec9SKyle Evans /* NOTE: we use Fermat's little theorem inversion for 535*f0865ec9SKyle Evans * constant time here. This is possible since q is prime. 536*f0865ec9SKyle Evans */ 537*f0865ec9SKyle Evans ret = nn_modinv_fermat(&kinv, &k, q); EG(ret, err); 538*f0865ec9SKyle Evans 539*f0865ec9SKyle Evans dbg_nn_print("k^-1 mod q", &kinv); 540*f0865ec9SKyle Evans 541*f0865ec9SKyle Evans /* s = k^-1 * tmp2 mod q */ 542*f0865ec9SKyle Evans ret = nn_mod_mul(&s, &tmp, &kinv, q); EG(ret, err); 543*f0865ec9SKyle Evans 544*f0865ec9SKyle Evans dbg_nn_print("s", &s); 545*f0865ec9SKyle Evans 546*f0865ec9SKyle Evans /* 10. If s is 0, restart the process at step 4. */ 547*f0865ec9SKyle Evans ret = nn_iszero(&s, &iszero); EG(ret, err); 548*f0865ec9SKyle Evans if (iszero) { 549*f0865ec9SKyle Evans goto restart; 550*f0865ec9SKyle Evans } 551*f0865ec9SKyle Evans 552*f0865ec9SKyle Evans /* 11. return (r,s) */ 553*f0865ec9SKyle Evans ret = nn_export_to_buf(sig + q_len, q_len, &s); 554*f0865ec9SKyle Evans 555*f0865ec9SKyle Evans err: 556*f0865ec9SKyle Evans nn_uninit(&k); 557*f0865ec9SKyle Evans nn_uninit(&r); 558*f0865ec9SKyle Evans nn_uninit(&e); 559*f0865ec9SKyle Evans nn_uninit(&tmp); 560*f0865ec9SKyle Evans nn_uninit(&s); 561*f0865ec9SKyle Evans nn_uninit(&kinv); 562*f0865ec9SKyle Evans prj_pt_uninit(&kG); 563*f0865ec9SKyle Evans #ifdef USE_SIG_BLINDING 564*f0865ec9SKyle Evans nn_uninit(&b); 565*f0865ec9SKyle Evans #endif 566*f0865ec9SKyle Evans 567*f0865ec9SKyle Evans /* 568*f0865ec9SKyle Evans * We can now clear data part of the context. This will clear 569*f0865ec9SKyle Evans * magic and avoid further reuse of the whole context. 570*f0865ec9SKyle Evans */ 571*f0865ec9SKyle Evans if(ctx != NULL){ 572*f0865ec9SKyle Evans IGNORE_RET_VAL(local_memset(&(ctx->sign_data.ecdsa), 0, sizeof(ecdsa_sign_data))); 573*f0865ec9SKyle Evans } 574*f0865ec9SKyle Evans 575*f0865ec9SKyle Evans /* Clean what remains on the stack */ 576*f0865ec9SKyle Evans PTR_NULLIFY(priv_key); 577*f0865ec9SKyle Evans PTR_NULLIFY(G); 578*f0865ec9SKyle Evans PTR_NULLIFY(q); 579*f0865ec9SKyle Evans PTR_NULLIFY(x); 580*f0865ec9SKyle Evans VAR_ZEROIFY(q_len); 581*f0865ec9SKyle Evans VAR_ZEROIFY(q_bit_len); 582*f0865ec9SKyle Evans VAR_ZEROIFY(rshift); 583*f0865ec9SKyle Evans VAR_ZEROIFY(hsize); 584*f0865ec9SKyle Evans 585*f0865ec9SKyle Evans return ret; 586*f0865ec9SKyle Evans } 587*f0865ec9SKyle Evans 588*f0865ec9SKyle Evans /* 589*f0865ec9SKyle Evans * Generic *internal* ECDSA verification functions (init, update and finalize). 590*f0865ec9SKyle Evans * Their purpose is to allow passing a specific hash function (along with 591*f0865ec9SKyle Evans * its output size) and the random ephemeral key k, so that compliance 592*f0865ec9SKyle Evans * tests against test vectors can be made without ugly hack in the code 593*f0865ec9SKyle Evans * itself. 594*f0865ec9SKyle Evans * 595*f0865ec9SKyle Evans * Global ECDSA verification process is as follows (I,U,F provides 596*f0865ec9SKyle Evans * information in which function(s) (init(), update() or finalize()) 597*f0865ec9SKyle Evans * a specific step is performed): 598*f0865ec9SKyle Evans * 599*f0865ec9SKyle Evans *| IUF - ECDSA verification 600*f0865ec9SKyle Evans *| 601*f0865ec9SKyle Evans *| I 1. Reject the signature if r or s is 0. 602*f0865ec9SKyle Evans *| UF 2. Compute h = H(m) 603*f0865ec9SKyle Evans *| F 3. If |h| > bitlen(q), set h to bitlen(q) 604*f0865ec9SKyle Evans *| leftmost (most significant) bits of h 605*f0865ec9SKyle Evans *| F 4. Compute e = OS2I(h) mod q 606*f0865ec9SKyle Evans *| F 5. Compute u = (s^-1)e mod q 607*f0865ec9SKyle Evans *| F 6. Compute v = (s^-1)r mod q 608*f0865ec9SKyle Evans *| F 7. Compute W' = uG + vY 609*f0865ec9SKyle Evans *| F 8. If W' is the point at infinity, reject the signature. 610*f0865ec9SKyle Evans *| F 9. Compute r' = W'_x mod q 611*f0865ec9SKyle Evans *| F 10. Accept the signature if and only if r equals r' 612*f0865ec9SKyle Evans * 613*f0865ec9SKyle Evans */ 614*f0865ec9SKyle Evans 615*f0865ec9SKyle Evans #define ECDSA_VERIFY_MAGIC ((word_t)(0x5155fe73e7fd51beULL)) 616*f0865ec9SKyle Evans #define ECDSA_VERIFY_CHECK_INITIALIZED(A, ret, err) \ 617*f0865ec9SKyle Evans MUST_HAVE((((void *)(A)) != NULL) && ((A)->magic == ECDSA_VERIFY_MAGIC), ret, err) 618*f0865ec9SKyle Evans 619*f0865ec9SKyle Evans int __ecdsa_verify_init(struct ec_verify_context *ctx, const u8 *sig, u8 siglen, 620*f0865ec9SKyle Evans ec_alg_type key_type) 621*f0865ec9SKyle Evans { 622*f0865ec9SKyle Evans bitcnt_t q_bit_len; 623*f0865ec9SKyle Evans u8 q_len; 624*f0865ec9SKyle Evans nn_src_t q; 625*f0865ec9SKyle Evans nn *r, *s; 626*f0865ec9SKyle Evans int ret, cmp1, cmp2, iszero1, iszero2; 627*f0865ec9SKyle Evans 628*f0865ec9SKyle Evans /* First, verify context has been initialized */ 629*f0865ec9SKyle Evans ret = sig_verify_check_initialized(ctx); EG(ret, err); 630*f0865ec9SKyle Evans 631*f0865ec9SKyle Evans /* Do some sanity checks on input params */ 632*f0865ec9SKyle Evans ret = pub_key_check_initialized_and_type(ctx->pub_key, key_type); EG(ret, err); 633*f0865ec9SKyle Evans MUST_HAVE((ctx->h != NULL) && (ctx->h->digest_size <= MAX_DIGEST_SIZE) && 634*f0865ec9SKyle Evans (ctx->h->block_size <= MAX_BLOCK_SIZE), ret, err); 635*f0865ec9SKyle Evans MUST_HAVE((sig != NULL), ret, err); 636*f0865ec9SKyle Evans 637*f0865ec9SKyle Evans /* Make things more readable */ 638*f0865ec9SKyle Evans q = &(ctx->pub_key->params->ec_gen_order); 639*f0865ec9SKyle Evans q_bit_len = ctx->pub_key->params->ec_gen_order_bitlen; 640*f0865ec9SKyle Evans q_len = (u8)BYTECEIL(q_bit_len); 641*f0865ec9SKyle Evans r = &(ctx->verify_data.ecdsa.r); 642*f0865ec9SKyle Evans s = &(ctx->verify_data.ecdsa.s); 643*f0865ec9SKyle Evans 644*f0865ec9SKyle Evans /* Check given signature length is the expected one */ 645*f0865ec9SKyle Evans MUST_HAVE((siglen == ECDSA_SIGLEN(q_bit_len)), ret, err); 646*f0865ec9SKyle Evans 647*f0865ec9SKyle Evans /* Import r and s values from signature buffer */ 648*f0865ec9SKyle Evans ret = nn_init_from_buf(r, sig, q_len); EG(ret, err); 649*f0865ec9SKyle Evans ret = nn_init_from_buf(s, sig + q_len, q_len); EG(ret, err); 650*f0865ec9SKyle Evans dbg_nn_print("r", r); 651*f0865ec9SKyle Evans dbg_nn_print("s", s); 652*f0865ec9SKyle Evans 653*f0865ec9SKyle Evans /* 1. Reject the signature if r or s is 0. */ 654*f0865ec9SKyle Evans ret = nn_iszero(r, &iszero1); EG(ret, err); 655*f0865ec9SKyle Evans ret = nn_iszero(s, &iszero2); EG(ret, err); 656*f0865ec9SKyle Evans ret = nn_cmp(r, q, &cmp1); EG(ret, err); 657*f0865ec9SKyle Evans ret = nn_cmp(s, q, &cmp2); EG(ret, err); 658*f0865ec9SKyle Evans MUST_HAVE(((!iszero1) && (cmp1 < 0) && !iszero2 && (cmp2 < 0)), ret, err); 659*f0865ec9SKyle Evans 660*f0865ec9SKyle Evans /* Initialize the remaining of verify context. */ 661*f0865ec9SKyle Evans /* Since we call a callback, sanity check our mapping */ 662*f0865ec9SKyle Evans ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); 663*f0865ec9SKyle Evans ret = ctx->h->hfunc_init(&(ctx->verify_data.ecdsa.h_ctx)); EG(ret, err); 664*f0865ec9SKyle Evans 665*f0865ec9SKyle Evans ctx->verify_data.ecdsa.magic = ECDSA_VERIFY_MAGIC; 666*f0865ec9SKyle Evans 667*f0865ec9SKyle Evans err: 668*f0865ec9SKyle Evans VAR_ZEROIFY(q_len); 669*f0865ec9SKyle Evans VAR_ZEROIFY(q_bit_len); 670*f0865ec9SKyle Evans PTR_NULLIFY(q); 671*f0865ec9SKyle Evans PTR_NULLIFY(r); 672*f0865ec9SKyle Evans PTR_NULLIFY(s); 673*f0865ec9SKyle Evans 674*f0865ec9SKyle Evans return ret; 675*f0865ec9SKyle Evans } 676*f0865ec9SKyle Evans 677*f0865ec9SKyle Evans int __ecdsa_verify_update(struct ec_verify_context *ctx, 678*f0865ec9SKyle Evans const u8 *chunk, u32 chunklen, ec_alg_type key_type) 679*f0865ec9SKyle Evans { 680*f0865ec9SKyle Evans int ret; 681*f0865ec9SKyle Evans 682*f0865ec9SKyle Evans /* 683*f0865ec9SKyle Evans * First, verify context has been initialized and public 684*f0865ec9SKyle Evans * part too. This guarantees the context is an ECDSA 685*f0865ec9SKyle Evans * verification one and we do not update() or finalize() 686*f0865ec9SKyle Evans * before init(). 687*f0865ec9SKyle Evans */ 688*f0865ec9SKyle Evans ret = sig_verify_check_initialized(ctx); EG(ret, err); 689*f0865ec9SKyle Evans ECDSA_VERIFY_CHECK_INITIALIZED(&(ctx->verify_data.ecdsa), ret, err); 690*f0865ec9SKyle Evans /* Do some sanity checks on input params */ 691*f0865ec9SKyle Evans ret = pub_key_check_initialized_and_type(ctx->pub_key, key_type); EG(ret, err); 692*f0865ec9SKyle Evans 693*f0865ec9SKyle Evans /* 2. Compute h = H(m) */ 694*f0865ec9SKyle Evans /* Since we call a callback, sanity check our mapping */ 695*f0865ec9SKyle Evans ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); 696*f0865ec9SKyle Evans ret = ctx->h->hfunc_update(&(ctx->verify_data.ecdsa.h_ctx), chunk, chunklen); 697*f0865ec9SKyle Evans 698*f0865ec9SKyle Evans err: 699*f0865ec9SKyle Evans return ret; 700*f0865ec9SKyle Evans } 701*f0865ec9SKyle Evans 702*f0865ec9SKyle Evans int __ecdsa_verify_finalize(struct ec_verify_context *ctx, 703*f0865ec9SKyle Evans ec_alg_type key_type) 704*f0865ec9SKyle Evans { 705*f0865ec9SKyle Evans prj_pt uG, vY; 706*f0865ec9SKyle Evans prj_pt_t W_prime; 707*f0865ec9SKyle Evans nn e, sinv, uv, r_prime; 708*f0865ec9SKyle Evans prj_pt_src_t G, Y; 709*f0865ec9SKyle Evans u8 hash[MAX_DIGEST_SIZE]; 710*f0865ec9SKyle Evans bitcnt_t rshift, q_bit_len; 711*f0865ec9SKyle Evans nn_src_t q; 712*f0865ec9SKyle Evans nn *s, *r; 713*f0865ec9SKyle Evans u8 hsize; 714*f0865ec9SKyle Evans int ret, iszero, cmp; 715*f0865ec9SKyle Evans 716*f0865ec9SKyle Evans uG.magic = vY.magic = WORD(0); 717*f0865ec9SKyle Evans e.magic = sinv.magic = uv.magic = r_prime.magic = WORD(0); 718*f0865ec9SKyle Evans 719*f0865ec9SKyle Evans /* NOTE: we reuse uG for W_prime to optimize local variables */ 720*f0865ec9SKyle Evans W_prime = &uG; 721*f0865ec9SKyle Evans 722*f0865ec9SKyle Evans /* 723*f0865ec9SKyle Evans * First, verify context has been initialized and public 724*f0865ec9SKyle Evans * part too. This guarantees the context is an ECDSA 725*f0865ec9SKyle Evans * verification one and we do not finalize() before init(). 726*f0865ec9SKyle Evans */ 727*f0865ec9SKyle Evans ret = sig_verify_check_initialized(ctx); EG(ret, err); 728*f0865ec9SKyle Evans ECDSA_VERIFY_CHECK_INITIALIZED(&(ctx->verify_data.ecdsa), ret, err); 729*f0865ec9SKyle Evans /* Do some sanity checks on input params */ 730*f0865ec9SKyle Evans ret = pub_key_check_initialized_and_type(ctx->pub_key, key_type); EG(ret, err); 731*f0865ec9SKyle Evans 732*f0865ec9SKyle Evans /* Zero init points */ 733*f0865ec9SKyle Evans ret = local_memset(&uG, 0, sizeof(prj_pt)); EG(ret, err); 734*f0865ec9SKyle Evans ret = local_memset(&vY, 0, sizeof(prj_pt)); EG(ret, err); 735*f0865ec9SKyle Evans 736*f0865ec9SKyle Evans /* Make things more readable */ 737*f0865ec9SKyle Evans G = &(ctx->pub_key->params->ec_gen); 738*f0865ec9SKyle Evans Y = &(ctx->pub_key->y); 739*f0865ec9SKyle Evans q = &(ctx->pub_key->params->ec_gen_order); 740*f0865ec9SKyle Evans q_bit_len = ctx->pub_key->params->ec_gen_order_bitlen; 741*f0865ec9SKyle Evans hsize = ctx->h->digest_size; 742*f0865ec9SKyle Evans r = &(ctx->verify_data.ecdsa.r); 743*f0865ec9SKyle Evans s = &(ctx->verify_data.ecdsa.s); 744*f0865ec9SKyle Evans 745*f0865ec9SKyle Evans /* 2. Compute h = H(m) */ 746*f0865ec9SKyle Evans /* Since we call a callback, sanity check our mapping */ 747*f0865ec9SKyle Evans ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); 748*f0865ec9SKyle Evans ret = ctx->h->hfunc_finalize(&(ctx->verify_data.ecdsa.h_ctx), hash); EG(ret, err); 749*f0865ec9SKyle Evans dbg_buf_print("h = H(m)", hash, hsize); 750*f0865ec9SKyle Evans 751*f0865ec9SKyle Evans /* 752*f0865ec9SKyle Evans * 3. If |h| > bitlen(q), set h to bitlen(q) 753*f0865ec9SKyle Evans * leftmost bits of h. 754*f0865ec9SKyle Evans * 755*f0865ec9SKyle Evans * Note that it's easier to check here if the truncation 756*f0865ec9SKyle Evans * needs to be done but implement it using a logical 757*f0865ec9SKyle Evans * shift at the beginning of step 3. below once the hash 758*f0865ec9SKyle Evans * has been converted to an integer. 759*f0865ec9SKyle Evans */ 760*f0865ec9SKyle Evans rshift = 0; 761*f0865ec9SKyle Evans if ((hsize * 8) > q_bit_len) { 762*f0865ec9SKyle Evans rshift = (bitcnt_t)((hsize * 8) - q_bit_len); 763*f0865ec9SKyle Evans } 764*f0865ec9SKyle Evans 765*f0865ec9SKyle Evans /* 766*f0865ec9SKyle Evans * 4. Compute e = OS2I(h) mod q, by converting h to an integer 767*f0865ec9SKyle Evans * and reducing it mod q 768*f0865ec9SKyle Evans */ 769*f0865ec9SKyle Evans ret = nn_init_from_buf(&e, hash, hsize); EG(ret, err); 770*f0865ec9SKyle Evans ret = local_memset(hash, 0, hsize); EG(ret, err); 771*f0865ec9SKyle Evans dbg_nn_print("h initial import as nn", &e); 772*f0865ec9SKyle Evans if (rshift) { 773*f0865ec9SKyle Evans ret = nn_rshift_fixedlen(&e, &e, rshift); EG(ret, err); 774*f0865ec9SKyle Evans } 775*f0865ec9SKyle Evans dbg_nn_print("h final import as nn", &e); 776*f0865ec9SKyle Evans 777*f0865ec9SKyle Evans ret = nn_mod(&e, &e, q); EG(ret, err); 778*f0865ec9SKyle Evans dbg_nn_print("e", &e); 779*f0865ec9SKyle Evans 780*f0865ec9SKyle Evans /* Compute s^-1 mod q */ 781*f0865ec9SKyle Evans ret = nn_modinv(&sinv, s, q); EG(ret, err); 782*f0865ec9SKyle Evans dbg_nn_print("s", s); 783*f0865ec9SKyle Evans dbg_nn_print("sinv", &sinv); 784*f0865ec9SKyle Evans 785*f0865ec9SKyle Evans /* 5. Compute u = (s^-1)e mod q */ 786*f0865ec9SKyle Evans ret = nn_mod_mul(&uv, &e, &sinv, q); EG(ret, err); 787*f0865ec9SKyle Evans dbg_nn_print("u = (s^-1)e mod q", &uv); 788*f0865ec9SKyle Evans ret = prj_pt_mul(&uG, &uv, G); EG(ret, err); 789*f0865ec9SKyle Evans 790*f0865ec9SKyle Evans /* 6. Compute v = (s^-1)r mod q */ 791*f0865ec9SKyle Evans ret = nn_mod_mul(&uv, r, &sinv, q); EG(ret, err); 792*f0865ec9SKyle Evans dbg_nn_print("v = (s^-1)r mod q", &uv); 793*f0865ec9SKyle Evans ret = prj_pt_mul(&vY, &uv, Y); EG(ret, err); 794*f0865ec9SKyle Evans 795*f0865ec9SKyle Evans /* 7. Compute W' = uG + vY */ 796*f0865ec9SKyle Evans ret = prj_pt_add(W_prime, &uG, &vY); EG(ret, err); 797*f0865ec9SKyle Evans 798*f0865ec9SKyle Evans /* 8. If W' is the point at infinity, reject the signature. */ 799*f0865ec9SKyle Evans ret = prj_pt_iszero(W_prime, &iszero); EG(ret, err); 800*f0865ec9SKyle Evans MUST_HAVE(!iszero, ret, err); 801*f0865ec9SKyle Evans 802*f0865ec9SKyle Evans /* 9. Compute r' = W'_x mod q */ 803*f0865ec9SKyle Evans ret = prj_pt_unique(W_prime, W_prime); EG(ret, err); 804*f0865ec9SKyle Evans dbg_nn_print("W'_x", &(W_prime->X.fp_val)); 805*f0865ec9SKyle Evans dbg_nn_print("W'_y", &(W_prime->Y.fp_val)); 806*f0865ec9SKyle Evans ret = nn_mod(&r_prime, &(W_prime->X.fp_val), q); EG(ret, err); 807*f0865ec9SKyle Evans 808*f0865ec9SKyle Evans /* 10. Accept the signature if and only if r equals r' */ 809*f0865ec9SKyle Evans ret = nn_cmp(&r_prime, r, &cmp); EG(ret, err); 810*f0865ec9SKyle Evans ret = (cmp != 0) ? -1 : 0; 811*f0865ec9SKyle Evans 812*f0865ec9SKyle Evans err: 813*f0865ec9SKyle Evans prj_pt_uninit(&uG); 814*f0865ec9SKyle Evans prj_pt_uninit(&vY); 815*f0865ec9SKyle Evans nn_uninit(&e); 816*f0865ec9SKyle Evans nn_uninit(&sinv); 817*f0865ec9SKyle Evans nn_uninit(&uv); 818*f0865ec9SKyle Evans nn_uninit(&r_prime); 819*f0865ec9SKyle Evans 820*f0865ec9SKyle Evans /* 821*f0865ec9SKyle Evans * We can now clear data part of the context. This will clear 822*f0865ec9SKyle Evans * magic and avoid further reuse of the whole context. 823*f0865ec9SKyle Evans */ 824*f0865ec9SKyle Evans if(ctx != NULL){ 825*f0865ec9SKyle Evans IGNORE_RET_VAL(local_memset(&(ctx->verify_data.ecdsa), 0, sizeof(ecdsa_verify_data))); 826*f0865ec9SKyle Evans } 827*f0865ec9SKyle Evans 828*f0865ec9SKyle Evans /* Clean what remains on the stack */ 829*f0865ec9SKyle Evans PTR_NULLIFY(W_prime); 830*f0865ec9SKyle Evans PTR_NULLIFY(G); 831*f0865ec9SKyle Evans PTR_NULLIFY(Y); 832*f0865ec9SKyle Evans VAR_ZEROIFY(rshift); 833*f0865ec9SKyle Evans VAR_ZEROIFY(q_bit_len); 834*f0865ec9SKyle Evans PTR_NULLIFY(q); 835*f0865ec9SKyle Evans PTR_NULLIFY(s); 836*f0865ec9SKyle Evans PTR_NULLIFY(r); 837*f0865ec9SKyle Evans VAR_ZEROIFY(hsize); 838*f0865ec9SKyle Evans 839*f0865ec9SKyle Evans return ret; 840*f0865ec9SKyle Evans } 841*f0865ec9SKyle Evans 842*f0865ec9SKyle Evans /* Public key recovery from a signature. 843*f0865ec9SKyle Evans * For ECDSA, it is possible to recover two possible public keys from 844*f0865ec9SKyle Evans * a signature and a digest. 845*f0865ec9SKyle Evans * 846*f0865ec9SKyle Evans * Please note that this recovery is not perfect as some information is 847*f0865ec9SKyle Evans * lost when reducing Rx modulo the order q during the signature. Hence, 848*f0865ec9SKyle Evans * a few possible R points can provide the same r. The following algorithm 849*f0865ec9SKyle Evans * assumes that Rx == r, i.e. Rx is < q and already reduced. This should 850*f0865ec9SKyle Evans * happen with a probability q / p, and "bad" cases with probability 851*f0865ec9SKyle Evans * (p - q) / p. Actually, some small multiples of r are also tested, 852*f0865ec9SKyle Evans * but we give up after 10 tries as this can be very time consuming. 853*f0865ec9SKyle Evans * 854*f0865ec9SKyle Evans * With usual curve parameters, this last probability is negligible if 855*f0865ec9SKyle Evans * everything is random (which should be the case for a "regular" signature 856*f0865ec9SKyle Evans * algorithm) for curves with cofactor = 1. However, an adversary could 857*f0865ec9SKyle Evans * willingly choose a Rx > q and the following algorithm will most certainly 858*f0865ec9SKyle Evans * fail. 859*f0865ec9SKyle Evans * 860*f0865ec9SKyle Evans * For curves with cofactor > 1, q is usually some orders of magnitudes 861*f0865ec9SKyle Evans * smaller than p and this function will certainly fail. 862*f0865ec9SKyle Evans * 863*f0865ec9SKyle Evans * Please use the resulting public keys with care and with all these 864*f0865ec9SKyle Evans * warnings in mind! 865*f0865ec9SKyle Evans * 866*f0865ec9SKyle Evans */ 867*f0865ec9SKyle Evans int __ecdsa_public_key_from_sig(ec_pub_key *out_pub1, ec_pub_key *out_pub2, const ec_params *params, 868*f0865ec9SKyle Evans const u8 *sig, u8 siglen, const u8 *hash, u8 hsize, 869*f0865ec9SKyle Evans ec_alg_type key_type) 870*f0865ec9SKyle Evans { 871*f0865ec9SKyle Evans int ret, iszero1, iszero2, cmp1, cmp2; 872*f0865ec9SKyle Evans prj_pt uG; 873*f0865ec9SKyle Evans prj_pt_t Y1, Y2; 874*f0865ec9SKyle Evans prj_pt_src_t G; 875*f0865ec9SKyle Evans nn u, v, e, r, s; 876*f0865ec9SKyle Evans nn_src_t q, p; 877*f0865ec9SKyle Evans bitcnt_t rshift, q_bit_len; 878*f0865ec9SKyle Evans u8 q_len; 879*f0865ec9SKyle Evans word_t order_multiplier = WORD(1); 880*f0865ec9SKyle Evans 881*f0865ec9SKyle Evans uG.magic = WORD(0); 882*f0865ec9SKyle Evans u.magic = v.magic = e.magic = r.magic = s.magic = WORD(0); 883*f0865ec9SKyle Evans 884*f0865ec9SKyle Evans /* Zero init points */ 885*f0865ec9SKyle Evans ret = local_memset(&uG, 0, sizeof(prj_pt)); EG(ret, err); 886*f0865ec9SKyle Evans 887*f0865ec9SKyle Evans /* Sanity checks */ 888*f0865ec9SKyle Evans MUST_HAVE((params != NULL) && (sig != NULL) && (hash != NULL) && (out_pub1 != NULL) && (out_pub2 != NULL), ret, err); 889*f0865ec9SKyle Evans 890*f0865ec9SKyle Evans /* Import our params */ 891*f0865ec9SKyle Evans G = &(params->ec_gen); 892*f0865ec9SKyle Evans p = &(params->ec_fp.p); 893*f0865ec9SKyle Evans q = &(params->ec_gen_order); 894*f0865ec9SKyle Evans q_bit_len = params->ec_gen_order_bitlen; 895*f0865ec9SKyle Evans q_len = (u8)BYTECEIL(q_bit_len); 896*f0865ec9SKyle Evans Y1 = &(out_pub1->y); 897*f0865ec9SKyle Evans Y2 = &(out_pub2->y); 898*f0865ec9SKyle Evans 899*f0865ec9SKyle Evans /* Check given signature length is the expected one */ 900*f0865ec9SKyle Evans MUST_HAVE((siglen == ECDSA_SIGLEN(q_bit_len)), ret, err); 901*f0865ec9SKyle Evans 902*f0865ec9SKyle Evans restart: 903*f0865ec9SKyle Evans /* Import r and s values from signature buffer */ 904*f0865ec9SKyle Evans ret = nn_init_from_buf(&r, sig, q_len); EG(ret, err); 905*f0865ec9SKyle Evans ret = nn_init_from_buf(&s, sig + q_len, q_len); EG(ret, err); 906*f0865ec9SKyle Evans 907*f0865ec9SKyle Evans /* Reject the signature if r or s is 0. */ 908*f0865ec9SKyle Evans ret = nn_iszero(&r, &iszero1); EG(ret, err); 909*f0865ec9SKyle Evans ret = nn_iszero(&s, &iszero2); EG(ret, err); 910*f0865ec9SKyle Evans ret = nn_cmp(&r, q, &cmp1); EG(ret, err); 911*f0865ec9SKyle Evans ret = nn_cmp(&s, q, &cmp2); EG(ret, err); 912*f0865ec9SKyle Evans MUST_HAVE(((!iszero1) && (cmp1 < 0) && !iszero2 && (cmp2 < 0)), ret, err); 913*f0865ec9SKyle Evans 914*f0865ec9SKyle Evans /* Add a multiple of the order to r using our current order multiplier */ 915*f0865ec9SKyle Evans if(order_multiplier > 1){ 916*f0865ec9SKyle Evans int cmp; 917*f0865ec9SKyle Evans ret = nn_init(&u, 0); 918*f0865ec9SKyle Evans ret = nn_mul_word(&u, q, order_multiplier); EG(ret, err); 919*f0865ec9SKyle Evans ret = nn_add(&r, &r, &u); EG(ret, err); 920*f0865ec9SKyle Evans /* If we have reached > p, leave with an error */ 921*f0865ec9SKyle Evans ret = nn_cmp(&r, p, &cmp); EG(ret, err); 922*f0865ec9SKyle Evans /* NOTE: we do not use a MUST_HAVE macro here since 923*f0865ec9SKyle Evans * this condition can nominally happen, and we do not want 924*f0865ec9SKyle Evans * a MUST_HAVE in debug mode (i.e. with an assert) to break 925*f0865ec9SKyle Evans * the execution flow. 926*f0865ec9SKyle Evans */ 927*f0865ec9SKyle Evans if(cmp < 0){ 928*f0865ec9SKyle Evans ret = -1; 929*f0865ec9SKyle Evans goto err; 930*f0865ec9SKyle Evans } 931*f0865ec9SKyle Evans } 932*f0865ec9SKyle Evans 933*f0865ec9SKyle Evans /* 934*f0865ec9SKyle Evans * Compute e. 935*f0865ec9SKyle Evans * If |h| > bitlen(q), set h to bitlen(q) 936*f0865ec9SKyle Evans * leftmost bits of h. 937*f0865ec9SKyle Evans * 938*f0865ec9SKyle Evans * Note that it's easier to check here if the truncation 939*f0865ec9SKyle Evans * needs to be done but implement it using a logical 940*f0865ec9SKyle Evans * shift. 941*f0865ec9SKyle Evans */ 942*f0865ec9SKyle Evans rshift = 0; 943*f0865ec9SKyle Evans if ((hsize * 8) > q_bit_len) { 944*f0865ec9SKyle Evans rshift = (bitcnt_t)((hsize * 8) - q_bit_len); 945*f0865ec9SKyle Evans } 946*f0865ec9SKyle Evans ret = nn_init_from_buf(&e, hash, hsize); EG(ret, err); 947*f0865ec9SKyle Evans if (rshift) { 948*f0865ec9SKyle Evans ret = nn_rshift_fixedlen(&e, &e, rshift); EG(ret, err); 949*f0865ec9SKyle Evans } 950*f0865ec9SKyle Evans ret = nn_mod(&e, &e, q); EG(ret, err); 951*f0865ec9SKyle Evans 952*f0865ec9SKyle Evans /* Now to find the y coordinate by solving the curve equation. 953*f0865ec9SKyle Evans * NOTE: we use uG as temporary storage. 954*f0865ec9SKyle Evans */ 955*f0865ec9SKyle Evans ret = fp_init(&(uG.X), &(params->ec_fp)); EG(ret, err); 956*f0865ec9SKyle Evans ret = fp_init(&(uG.Y), &(params->ec_fp)); EG(ret, err); 957*f0865ec9SKyle Evans ret = fp_init(&(uG.Z), &(params->ec_fp)); EG(ret, err); 958*f0865ec9SKyle Evans ret = fp_set_nn(&(uG.Z), &r); EG(ret, err); 959*f0865ec9SKyle Evans ret = aff_pt_y_from_x(&(uG.X), &(uG.Y), &(uG.Z), &(params->ec_curve)); 960*f0865ec9SKyle Evans if(ret){ 961*f0865ec9SKyle Evans /* If we have failed here, this means that our r has certainly been 962*f0865ec9SKyle Evans * reduced. Increment our multiplier and restart the process. 963*f0865ec9SKyle Evans */ 964*f0865ec9SKyle Evans order_multiplier = (word_t)(order_multiplier + 1); 965*f0865ec9SKyle Evans if(order_multiplier > 10){ 966*f0865ec9SKyle Evans /* Too much tries, leave ... */ 967*f0865ec9SKyle Evans ret = -1; 968*f0865ec9SKyle Evans goto err; 969*f0865ec9SKyle Evans } 970*f0865ec9SKyle Evans goto restart; 971*f0865ec9SKyle Evans } 972*f0865ec9SKyle Evans 973*f0865ec9SKyle Evans /* Initialize Y1 and Y2 */ 974*f0865ec9SKyle Evans ret = fp_init(&(Y2->Z), &(params->ec_fp)); EG(ret, err); 975*f0865ec9SKyle Evans ret = fp_one(&(Y2->Z)); EG(ret, err); 976*f0865ec9SKyle Evans /* Y1 */ 977*f0865ec9SKyle Evans ret = prj_pt_init_from_coords(Y1, &(params->ec_curve), &(uG.Z), &(uG.X), &(Y2->Z)); EG(ret, err); 978*f0865ec9SKyle Evans /* Y2 */ 979*f0865ec9SKyle Evans ret = prj_pt_init_from_coords(Y2, &(params->ec_curve), &(uG.Z), &(uG.Y), &(Y1->Z)); EG(ret, err); 980*f0865ec9SKyle Evans 981*f0865ec9SKyle Evans /* Now compute u = (-e r^-1) mod q, and v = (s r^-1) mod q */ 982*f0865ec9SKyle Evans ret = nn_init(&u, 0); EG(ret, err); 983*f0865ec9SKyle Evans ret = nn_init(&v, 0); EG(ret, err); 984*f0865ec9SKyle Evans ret = nn_modinv(&r, &r, q); EG(ret, err); 985*f0865ec9SKyle Evans /* u */ 986*f0865ec9SKyle Evans ret = nn_mod_mul(&u, &e, &r, q); EG(ret, err); 987*f0865ec9SKyle Evans /* NOTE: -x mod q is (q - x) mod q, i.e. (q - x) when x is reduced, except for 0 */ 988*f0865ec9SKyle Evans ret = nn_mod_neg(&u, &u, q); EG(ret, err); 989*f0865ec9SKyle Evans /* v */ 990*f0865ec9SKyle Evans ret = nn_mod_mul(&v, &s, &r, q); EG(ret, err); 991*f0865ec9SKyle Evans 992*f0865ec9SKyle Evans /* Compute uG */ 993*f0865ec9SKyle Evans ret = prj_pt_mul(&uG, &u, G); EG(ret, err); 994*f0865ec9SKyle Evans /* Compute vR1 and possible Y1 */ 995*f0865ec9SKyle Evans ret = prj_pt_mul(Y1, &v, Y1); EG(ret, err); 996*f0865ec9SKyle Evans ret = prj_pt_add(Y1, Y1, &uG); EG(ret, err); 997*f0865ec9SKyle Evans /* Compute vR2 and possible Y2 */ 998*f0865ec9SKyle Evans ret = prj_pt_mul(Y2, &v, Y2); EG(ret, err); 999*f0865ec9SKyle Evans ret = prj_pt_add(Y2, Y2, &uG); EG(ret, err); 1000*f0865ec9SKyle Evans 1001*f0865ec9SKyle Evans /* Now initialize our two public keys */ 1002*f0865ec9SKyle Evans /* out_pub1 */ 1003*f0865ec9SKyle Evans out_pub1->key_type = key_type; 1004*f0865ec9SKyle Evans out_pub1->params = params; 1005*f0865ec9SKyle Evans out_pub1->magic = PUB_KEY_MAGIC; 1006*f0865ec9SKyle Evans /* out_pub2 */ 1007*f0865ec9SKyle Evans out_pub2->key_type = key_type; 1008*f0865ec9SKyle Evans out_pub2->params = params; 1009*f0865ec9SKyle Evans out_pub2->magic = PUB_KEY_MAGIC; 1010*f0865ec9SKyle Evans 1011*f0865ec9SKyle Evans ret = 0; 1012*f0865ec9SKyle Evans 1013*f0865ec9SKyle Evans err: 1014*f0865ec9SKyle Evans prj_pt_uninit(&uG); 1015*f0865ec9SKyle Evans nn_uninit(&r); 1016*f0865ec9SKyle Evans nn_uninit(&s); 1017*f0865ec9SKyle Evans nn_uninit(&u); 1018*f0865ec9SKyle Evans nn_uninit(&v); 1019*f0865ec9SKyle Evans nn_uninit(&e); 1020*f0865ec9SKyle Evans 1021*f0865ec9SKyle Evans /* Clean what remains on the stack */ 1022*f0865ec9SKyle Evans PTR_NULLIFY(G); 1023*f0865ec9SKyle Evans PTR_NULLIFY(Y1); 1024*f0865ec9SKyle Evans PTR_NULLIFY(Y2); 1025*f0865ec9SKyle Evans VAR_ZEROIFY(rshift); 1026*f0865ec9SKyle Evans VAR_ZEROIFY(q_bit_len); 1027*f0865ec9SKyle Evans PTR_NULLIFY(q); 1028*f0865ec9SKyle Evans PTR_NULLIFY(p); 1029*f0865ec9SKyle Evans 1030*f0865ec9SKyle Evans return ret; 1031*f0865ec9SKyle Evans } 1032*f0865ec9SKyle Evans 1033*f0865ec9SKyle Evans #else /* defined(WITH_SIG_ECDSA) || defined(WITH_SIG_DECDSA) */ 1034*f0865ec9SKyle Evans 1035*f0865ec9SKyle Evans /* 1036*f0865ec9SKyle Evans * Dummy definition to avoid the empty translation unit ISO C warning 1037*f0865ec9SKyle Evans */ 1038*f0865ec9SKyle Evans typedef int dummy; 1039*f0865ec9SKyle Evans #endif /* WITH_SIG_ECDSA */ 1040