xref: /freebsd-src/crypto/libecc/src/sig/eckcdsa.c (revision f0865ec9906d5a18fa2a3b61381f22ce16e606ad)

/*
 *  Copyright (C) 2017 - This file is part of libecc project
 *
 *  Authors:
 *      Ryad BENADJILA <ryadbenadjila@gmail.com>
 *      Arnaud EBALARD <arnaud.ebalard@ssi.gouv.fr>
 *      Jean-Pierre FLORI <jean-pierre.flori@ssi.gouv.fr>
 *
 *  Contributors:
 *      Nicolas VIVET <nicolas.vivet@ssi.gouv.fr>
 *      Karim KHALFALLAH <karim.khalfallah@ssi.gouv.fr>
 *
 *  This software is licensed under a dual BSD and GPL v2 license.
 *  See LICENSE file at the root folder of the project.
 */
#include <libecc/lib_ecc_config.h>
#ifdef WITH_SIG_ECKCDSA

#include <libecc/nn/nn_rand.h>
#include <libecc/nn/nn_mul_public.h>
#include <libecc/nn/nn_logical.h>

#include <libecc/sig/sig_algs_internal.h>
#include <libecc/sig/ec_key.h>
#ifdef VERBOSE_INNER_VALUES
#define EC_SIG_ALG "ECKCDSA"
#endif
#include <libecc/utils/dbg_sig.h>

/*
 * Initialize public key 'out_pub' from input private key 'in_priv'. The
 * function returns 0 on success, -1 on error.
 */
int eckcdsa_init_pub_key(ec_pub_key *out_pub, const ec_priv_key *in_priv)
{
	prj_pt_src_t G;
	int ret, cmp;
	nn xinv;
	nn_src_t q;
	xinv.magic = WORD(0);

	MUST_HAVE((out_pub != NULL), ret, err);

	ret = priv_key_check_initialized_and_type(in_priv, ECKCDSA); EG(ret, err);

	/* For readability in the remaining of the function */
	q = &(in_priv->params->ec_gen_order);

	/* Zero init public key to be generated */
	ret = local_memset(out_pub, 0, sizeof(ec_pub_key)); EG(ret, err);

	/* Sanity check on key */
	MUST_HAVE((!nn_cmp(&(in_priv->x), q, &cmp)) && (cmp < 0), ret, err);

	/* Y = (x^-1)G */
	G = &(in_priv->params->ec_gen);
        /* NOTE: we use Fermat's little theorem inversion for
         * constant time here. This is possible since q is prime.
         */
	ret = nn_modinv_fermat(&xinv, &(in_priv->x), q); EG(ret, err);

	/* Use blinding when computing point scalar multiplication */
	ret = prj_pt_mul_blind(&(out_pub->y), &xinv, G); EG(ret, err);

	out_pub->key_type = ECKCDSA;
	out_pub->params = in_priv->params;
	out_pub->magic = PUB_KEY_MAGIC;

err:
	nn_uninit(&xinv);

	return ret;
}

/*
 * Helper providing ECKCDSA signature length when exported to a buffer based on
 * hash algorithm digest and block size, generator point order bit length, and
 * underlying prime field order bit length. The function returns 0 on success,
 * -1 on error. On success, signature length is provided via 'siglen' out
 * parameter.
 */
int eckcdsa_siglen(u16 p_bit_len, u16 q_bit_len, u8 hsize, u8 blocksize,
		   u8 *siglen)
{
	int ret;

	MUST_HAVE((siglen != NULL), ret, err);
	MUST_HAVE((p_bit_len <= CURVES_MAX_P_BIT_LEN) &&
		  (q_bit_len <= CURVES_MAX_Q_BIT_LEN) &&
		  (hsize <= MAX_DIGEST_SIZE) &&
		  (blocksize <= MAX_BLOCK_SIZE), ret, err);

	(*siglen) = (u8)ECKCDSA_SIGLEN(hsize, q_bit_len);
	ret = 0;

err:
	return ret;
}

/*
 * ISO 14888-3:2016 has some insane specific case when the digest size
 * (gamma) is larger than beta, the bit length of q (i.e. hsize >
 * bitlen(q), i.e. gamma > beta). In that case, both the values of h
 * (= H(z||m)) and r (= H(FE2OS(W_x))) must be post-processed/mangled
 * in the following way:
 *
 *  - h = I2BS(beta', (BS2I(gamma, h))) mod 2^beta'
 *  - r = I2BS(beta', (BS2I(gamma, r))) mod 2^beta'
 *
 * where beta' = 8 * ceil(beta / 8)
 *
 * There are two things to consider before implementing those steps
 * using various conversions to/from nn, shifting and masking:
 *
 *  - the expected post-processing work is simply clearing the first
 *    (gamma - beta') bits at the beginning of h and r to keep only
 *    last beta ones unmodified.
 *  - In the library, we do not work on bitstring but byte strings in
 *    all cases
 *  - In EC-KCDSA sig/verif, the result (h and then r) are then XORed
 *    together and then converted to an integer (the buffer being
 *    considered in big endian order)
 *
 * For that reason, this function simply takes a buffer 'buf' of
 * 'buflen' bytes and shifts it 'shift' bytes to the left, clearing
 * the trailing 'shift' bytes at the end of the buffer. The function
 * is expected to be used with 'shift' parameter set to
 * (gamma - beta') / 8.
 *
 * This is better presented on an example:
 *
 * shift = (gamma - beta') / 8 = 4
 * before: buf = { 0xff, 0xff, 0xff, 0x12, 0x34, 0x56, 0x78}
 * after : buf = { 0x34, 0x56, 0x78, 0x00, 0x00, 0x00, 0x00}
 */
ATTRIBUTE_WARN_UNUSED_RET static int buf_lshift(u8 *buf, u8 buflen, u8 shift)
{
	u8 i;
	int ret;

	MUST_HAVE((buf != NULL), ret, err);

	if (shift > buflen) {
		shift = buflen;
	}

	/* Start by shifting all trailing bytes to the left ... */
	for (i = shift; i < buflen; i++) {
		buf[i - shift] = buf[i];
	}

	/* Let's now zeroize the end of the buffer ... */
	for (i = 1; i <= shift; i++) {
		buf[buflen - i] = 0;
	}

	ret = 0;

err:
	return ret;
}

/*
 * Generic *internal* EC-KCDSA signature functions (init, update and finalize).
 * Their purpose is to allow passing a specific hash function (along with
 * its output size) and the random ephemeral key k, so that compliance
 * tests against test vectors can be made without ugly hack in the code
 * itself.
 *
 * Global EC-KCDSA signature process is as follows (I,U,F provides
 * information in which function(s) (init(), update() or finalize())
 * a specific step is performed):
 *
 *| IUF - EC-KCDSA signature
 *|
 *| IUF  1. Compute h = H(z||m)
 *|   F  2. If |H| > bitlen(q), set h to beta' rightmost bits of
 *|         bitstring h (w/ beta' = 8 * ceil(bitlen(q) / 8)), i.e.
 *|         set h to I2BS(beta', BS2I(|H|, h) mod 2^beta')
 *|   F  3. Get a random value k in ]0,q[
 *|   F  4. Compute W = (W_x,W_y) = kG
 *|   F  5. Compute r = H(FE2OS(W_x)).
 *|   F  6. If |H| > bitlen(q), set r to beta' rightmost bits of
 *|         bitstring r (w/ beta' = 8 * ceil(bitlen(q) / 8)), i.e.
 *|         set r to I2BS(beta', BS2I(|H|, r) mod 2^beta')
 *|   F  7. Compute e = OS2I(r XOR h) mod q
 *|   F  8. Compute s = x(k - e) mod q
 *|   F  9. if s == 0, restart at step 3.
 *|   F 10. return (r,s)
 *
 */

#define ECKCDSA_SIGN_MAGIC ((word_t)(0x45503fcf5114bf1eULL))
#define ECKCDSA_SIGN_CHECK_INITIALIZED(A, ret, err) \
	MUST_HAVE((((void *)(A)) != NULL) && \
		  ((A)->magic == ECKCDSA_SIGN_MAGIC), ret, err)

/*
 * ECKCDSA signature initialization function. Returns 0 on success, -1 on
 * error.
 */
int _eckcdsa_sign_init(struct ec_sign_context *ctx)
{
	u8 tmp_buf[LOCAL_MAX(2 * BYTECEIL(CURVES_MAX_P_BIT_LEN), MAX_BLOCK_SIZE)];
	const ec_pub_key *pub_key;
	aff_pt y_aff;
	u8 p_len;
	u16 z_len;
	int ret;
	y_aff.magic = WORD(0);

	/* First, verify context has been initialized */
	ret = sig_sign_check_initialized(ctx); EG(ret, err);

	/* Additional sanity checks on input params from context */
	ret = key_pair_check_initialized_and_type(ctx->key_pair, ECKCDSA); EG(ret, err);
	MUST_HAVE((ctx->h != NULL) && (ctx->h->digest_size <= MAX_DIGEST_SIZE) &&
		(ctx->h->block_size <= MAX_BLOCK_SIZE), ret, err);

	/* Make things more readable */
	pub_key = &(ctx->key_pair->pub_key);
	p_len = (u8)BYTECEIL(pub_key->params->ec_fp.p_bitlen);
	z_len = ctx->h->block_size;

	/*
	 * 1. Compute h = H(z||m)
	 *
	 * We first need to compute z, the certificate data that will be
	 * prepended to the message m prior to hashing. In ISO-14888-3:2016,
	 * z is basically the concatenation of Yx and Yy (the affine coordinates
	 * of the public key Y) up to the block size of the hash function.
	 * If the concatenation of those coordinates is smaller than blocksize,
	 * 0 are appended.
	 *
	 * So, we convert the public key point to its affine representation and
	 * concatenate the two coordinates in a temporary (zeroized) buffer, of
	 * which the first z_len (i.e. blocksize) bytes are exported to z.
	 *
	 * Message m will be handled during following update() calls.
	 */
	ret = prj_pt_to_aff(&y_aff, &(pub_key->y)); EG(ret, err);
	ret = local_memset(tmp_buf, 0, sizeof(tmp_buf)); EG(ret, err);
	ret = fp_export_to_buf(tmp_buf, p_len, &(y_aff.x)); EG(ret, err);
	ret = fp_export_to_buf(tmp_buf + p_len, p_len, &(y_aff.y)); EG(ret, err);

	dbg_pub_key_print("Y", pub_key);

	/* Since we call a callback, sanity check our mapping */
	ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err);
	ret = ctx->h->hfunc_init(&(ctx->sign_data.eckcdsa.h_ctx)); EG(ret, err);
	ret = ctx->h->hfunc_update(&(ctx->sign_data.eckcdsa.h_ctx), tmp_buf, z_len); EG(ret, err);
	ret = local_memset(tmp_buf, 0, sizeof(tmp_buf)); EG(ret, err);

	/* Initialize data part of the context */
	ctx->sign_data.eckcdsa.magic = ECKCDSA_SIGN_MAGIC;

 err:
	aff_pt_uninit(&y_aff);

	VAR_ZEROIFY(p_len);
	VAR_ZEROIFY(z_len);
	PTR_NULLIFY(pub_key);

	return ret;
}

/* ECKCDSA signature update function. Returns 0 on success, -1 on error. */
int _eckcdsa_sign_update(struct ec_sign_context *ctx,
			 const u8 *chunk, u32 chunklen)
{
	int ret;

	/*
	 * First, verify context has been initialized and private
	 * part too. This guarantees the context is an EC-KCDSA
	 * signature one and we do not update() or finalize()
	 * before init().
	 */
	ret = sig_sign_check_initialized(ctx); EG(ret, err);
	ECKCDSA_SIGN_CHECK_INITIALIZED(&(ctx->sign_data.eckcdsa), ret, err);

	/* 1. Compute h = H(z||m) */
	/* Since we call a callback, sanity check our mapping */
	ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err);
	ret = ctx->h->hfunc_update(&(ctx->sign_data.eckcdsa.h_ctx), chunk, chunklen);

err:
	return ret;
}

/*
 * ECKCDSA signature finalization function. Returns 0 on success, -1 on
 * error.
 */
int _eckcdsa_sign_finalize(struct ec_sign_context *ctx, u8 *sig, u8 siglen)
{
	prj_pt_src_t G;
	nn_src_t q, x;
	prj_pt kG;
	unsigned int i;
	nn e, tmp, s, k;
	u8 hzm[MAX_DIGEST_SIZE];
	u8 r[MAX_DIGEST_SIZE];
	u8 tmp_buf[BYTECEIL(CURVES_MAX_P_BIT_LEN)];
	hash_context r_ctx;
	const ec_priv_key *priv_key;
	u8 p_len, r_len, s_len, hsize, shift;
	bitcnt_t q_bit_len;
	int ret, iszero, cmp;
#ifdef USE_SIG_BLINDING
	/* b is the blinding mask */
	nn b, binv;
	b.magic = binv.magic = WORD(0);
#endif /* USE_SIG_BLINDING */

	kG.magic = WORD(0);
	e.magic = tmp.magic = s.magic = k.magic = WORD(0);

	/*
	 * First, verify context has been initialized and private
	 * part too. This guarantees the context is an EC-KCDSA
	 * signature one and we do not finalize() before init().
	 */
	ret = sig_sign_check_initialized(ctx); EG(ret, err);
	ECKCDSA_SIGN_CHECK_INITIALIZED(&(ctx->sign_data.eckcdsa), ret, err);
	MUST_HAVE((sig != NULL), ret, err);

	/* Zero init points */
	ret = local_memset(&kG, 0, sizeof(prj_pt)); EG(ret, err);

	/* Make things more readable */
	priv_key = &(ctx->key_pair->priv_key);
	G = &(priv_key->params->ec_gen);
	q = &(priv_key->params->ec_gen_order);
	hsize = ctx->h->digest_size;
	p_len = (u8)BYTECEIL(priv_key->params->ec_fp.p_bitlen);
	q_bit_len = priv_key->params->ec_gen_order_bitlen;
	r_len = (u8)ECKCDSA_R_LEN(hsize, q_bit_len);
	s_len = (u8)ECKCDSA_S_LEN(q_bit_len);
	x = &(priv_key->x);

	/* Sanity check */
	ret = nn_cmp(x, q, &cmp); EG(ret, err);
	/* This should not happen and means that our
	 * private key is not compliant!
	 */
	MUST_HAVE((cmp < 0), ret, err);

	MUST_HAVE((siglen == ECKCDSA_SIGLEN(hsize, q_bit_len)), ret, err);

	dbg_nn_print("p", &(priv_key->params->ec_fp.p));
	dbg_nn_print("q", q);
	dbg_priv_key_print("x", priv_key);
	dbg_ec_point_print("G", G);

	/* 1. Compute h = H(z||m) */
	/* Since we call a callback, sanity check our mapping */
	ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err);
	ret = ctx->h->hfunc_finalize(&(ctx->sign_data.eckcdsa.h_ctx), hzm); EG(ret, err);
	dbg_buf_print("h = H(z||m)  pre-mask", hzm, hsize);

	/*
	 * 2. If |H| > bitlen(q), set h to beta' rightmost bits of
	 *    bitstring h (w/ beta' = 8 * ceil(bitlen(q) / 8)), i.e.
	 *    set h to I2BS(beta', BS2I(|H|, h) mod 2^beta')
	 */
	shift = (u8)((hsize > r_len) ? (hsize - r_len) : 0);
	MUST_HAVE((hsize <= sizeof(hzm)), ret, err);

	ret = buf_lshift(hzm, hsize, shift); EG(ret, err);
	dbg_buf_print("h = H(z||m) post-mask", hzm, r_len);

 restart:
	/* 3. Get a random value k in ]0,q[ */
#ifdef NO_KNOWN_VECTORS
	/* NOTE: when we do not need self tests for known vectors,
	 * we can be strict about random function handler!
	 * This allows us to avoid the corruption of such a pointer.
	 */
	/* Sanity check on the handler before calling it */
	MUST_HAVE((ctx->rand == nn_get_random_mod), ret, err);
#endif
	MUST_HAVE((ctx->rand != NULL), ret, err);
	ret = ctx->rand(&k, q); EG(ret, err);
	dbg_nn_print("k", &k);

#ifdef USE_SIG_BLINDING
	/* Note: if we use blinding, k and e are multiplied by
	 * a random value b in ]0,q[ */
	ret = nn_get_random_mod(&b, q); EG(ret, err);
	dbg_nn_print("b", &b);
#endif /* USE_SIG_BLINDING */

	/* 4. Compute W = (W_x,W_y) = kG */
#ifdef USE_SIG_BLINDING
	/* We use blinding for the scalar multiplication */
	ret = prj_pt_mul_blind(&kG, &k, G); EG(ret, err);
#else
	ret = prj_pt_mul(&kG, &k, G); EG(ret, err);
#endif /* USE_SIG_BLINDING */
	ret = prj_pt_unique(&kG, &kG); EG(ret, err);
	dbg_nn_print("W_x", &(kG.X.fp_val));
	dbg_nn_print("W_y", &(kG.Y.fp_val));

	/* 5 Compute r = h(FE2OS(W_x)). */
	ret = local_memset(tmp_buf, 0, sizeof(tmp_buf)); EG(ret, err);
	ret = fp_export_to_buf(tmp_buf, p_len, &(kG.X)); EG(ret, err);
	/* Since we call a callback, sanity check our mapping */
	ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err);
	ret = ctx->h->hfunc_init(&r_ctx); EG(ret, err);
	ret = ctx->h->hfunc_update(&r_ctx, tmp_buf, p_len); EG(ret, err);
	ret = ctx->h->hfunc_finalize(&r_ctx, r); EG(ret, err);
	ret = local_memset(tmp_buf, 0, p_len); EG(ret, err);
	ret = local_memset(&r_ctx, 0, sizeof(hash_context)); EG(ret, err);

	/*
	 * 6. If |H| > bitlen(q), set r to beta' rightmost bits of
	 *    bitstring r (w/ beta' = 8 * ceil(bitlen(q) / 8)), i.e.
	 *    set r to I2BS(beta', BS2I(|H|, r) mod 2^beta')
	 */
	dbg_buf_print("r  pre-mask", r, hsize);
	MUST_HAVE((hsize <= sizeof(r)), ret, err);

	ret = buf_lshift(r, hsize, shift); EG(ret, err);
	dbg_buf_print("r post-mask", r, r_len);

	/* 7. Compute e = OS2I(r XOR h) mod q */
	for (i = 0; i < r_len; i++) {
		hzm[i] ^= r[i];
	}
	ret = nn_init_from_buf(&tmp, hzm, r_len); EG(ret, err);
	ret = local_memset(hzm, 0, r_len); EG(ret, err);
	ret = nn_mod(&e, &tmp, q); EG(ret, err);
	dbg_nn_print("e", &e);

#ifdef USE_SIG_BLINDING
	/* In case of blinding, we compute (k*b - e*b) * x * b^-1 */
	ret = nn_mod_mul(&k, &k, &b, q); EG(ret, err);
	ret = nn_mod_mul(&e, &e, &b, q); EG(ret, err);
        /* NOTE: we use Fermat's little theorem inversion for
         * constant time here. This is possible since q is prime.
         */
	ret = nn_modinv_fermat(&binv, &b, q); EG(ret, err);
#endif /* USE_SIG_BLINDING */
	/*
	 * 8. Compute s = x(k - e) mod q
	 *
	 * This is equivalent to computing s = x(k + (q - e)) mod q.
	 * This second version avoids checking if k < e before the
	 * subtraction, because e has already been reduced mod q
	 */
	ret = nn_mod_neg(&tmp, &e, q); EG(ret, err);
	ret = nn_mod_add(&tmp, &k, &tmp, q); EG(ret, err);
	ret = nn_mod_mul(&s, x, &tmp, q); EG(ret, err);
#ifdef USE_SIG_BLINDING
	/* Unblind s with b^-1 */
	ret = nn_mod_mul(&s, &s, &binv, q); EG(ret, err);
#endif /* USE_SIG_BLINDING */

	/* 9. if s == 0, restart at step 3. */
	ret = nn_iszero(&s, &iszero); EG(ret, err);
	if (iszero) {
		goto restart;
	}

	dbg_nn_print("s", &s);

	/* 10. return (r,s) */
	ret = local_memcpy(sig, r, r_len); EG(ret, err);
	ret = local_memset(r, 0, r_len); EG(ret, err);
	ret = nn_export_to_buf(sig + r_len, s_len, &s);

 err:
	prj_pt_uninit(&kG);
	nn_uninit(&e);
	nn_uninit(&tmp);
	nn_uninit(&s);
	nn_uninit(&k);
#ifdef USE_SIG_BLINDING
	nn_uninit(&b);
	nn_uninit(&binv);
#endif /* USE_SIG_BLINDING */

	/*
	 * We can now clear data part of the context. This will clear
	 * magic and avoid further reuse of the whole context.
	 */
	if(ctx != NULL){
		IGNORE_RET_VAL(local_memset(&(ctx->sign_data.eckcdsa), 0, sizeof(eckcdsa_sign_data)));
	}

	PTR_NULLIFY(G);
	PTR_NULLIFY(q);
	PTR_NULLIFY(x);
	VAR_ZEROIFY(i);
	PTR_NULLIFY(priv_key);
	VAR_ZEROIFY(p_len);
	VAR_ZEROIFY(r_len);
	VAR_ZEROIFY(s_len);
	VAR_ZEROIFY(q_bit_len);
	VAR_ZEROIFY(hsize);

	return ret;
}

/*
 * Generic *internal* EC-KCDSA verification functions (init, update and
 * finalize). Their purpose is to allow passing a specific hash function
 * (along with its output size) and the random ephemeral key k, so that
 * compliance tests against test vectors can be made without ugly hack
 * in the code itself.
 *
 * Global EC-CKDSA verification process is as follows (I,U,F provides
 * information in which function(s) (init(), update() or finalize())
 * a specific step is performed):
 *
 *| IUF - EC-KCDSA verification
 *|
 *| I   1. Check the length of r:
 *|         - if |H| > bitlen(q), r must be of length
 *|           beta' = 8 * ceil(bitlen(q) / 8)
 *|         - if |H| <= bitlen(q), r must be of length hsize
 *| I   2. Check that s is in ]0,q[
 *| IUF 3. Compute h = H(z||m)
 *|   F 4. If |H| > bitlen(q), set h to beta' rightmost bits of
 *|        bitstring h (w/ beta' = 8 * ceil(bitlen(q) / 8)), i.e.
 *|        set h to I2BS(beta', BS2I(|H|, h) mod 2^beta')
 *|   F 5. Compute e = OS2I(r XOR h) mod q
 *|   F 6. Compute W' = sY + eG, where Y is the public key
 *|   F 7. Compute r' = h(W'x)
 *|   F 8. If |H| > bitlen(q), set r' to beta' rightmost bits of
 *|        bitstring r' (w/ beta' = 8 * ceil(bitlen(q) / 8)), i.e.
 *|        set r' to I2BS(beta', BS2I(|H|, r') mod 2^beta')
 *|   F 9. Check if r == r'
 *
 */

#define ECKCDSA_VERIFY_MAGIC ((word_t)(0xa836a75de66643aaULL))
#define ECKCDSA_VERIFY_CHECK_INITIALIZED(A, ret, err) \
	MUST_HAVE((((void *)(A)) != NULL) && \
		  ((A)->magic == ECKCDSA_VERIFY_MAGIC), ret, err)

/*
 * ECKCDSA verification finalization function. Returns 0 on success, -1 on error.
 */
int _eckcdsa_verify_init(struct ec_verify_context *ctx,
			 const u8 *sig, u8 siglen)
{
	u8 tmp_buf[LOCAL_MAX(2 * BYTECEIL(CURVES_MAX_P_BIT_LEN), MAX_BLOCK_SIZE)];
	u8 p_len, r_len, s_len, z_len;
	bitcnt_t q_bit_len;
	const ec_pub_key *pub_key;
	aff_pt y_aff;
	nn_src_t q;
	u8 hsize;
	int ret, iszero, cmp;
	nn s;
	y_aff.magic = s.magic = WORD(0);

	/* First, verify context has been initialized */
	ret = sig_verify_check_initialized(ctx); EG(ret, err);
	MUST_HAVE((sig != NULL), ret, err);

	/* Do some sanity checks on input params */
	ret = pub_key_check_initialized_and_type(ctx->pub_key, ECKCDSA); EG(ret, err);
	MUST_HAVE((ctx->h != NULL) && (ctx->h->digest_size <= MAX_DIGEST_SIZE) &&
		  (ctx->h->block_size <= MAX_BLOCK_SIZE), ret, err);
	MUST_HAVE((sig != NULL), ret, err);

	/* Make things more readable */
	pub_key = ctx->pub_key;
	p_len = (u8)BYTECEIL(pub_key->params->ec_fp.p_bitlen);
	q_bit_len = pub_key->params->ec_gen_order_bitlen;
	q = &(pub_key->params->ec_gen_order);
	hsize = ctx->h->digest_size;
	r_len = (u8)ECKCDSA_R_LEN(hsize, q_bit_len);
	s_len = (u8)ECKCDSA_S_LEN(q_bit_len);
	z_len = ctx->h->block_size;

	/*
	 * 1. Check the length of r:
	 *     - if |H| > bitlen(q), r must be of length
	 *       beta' = 8 * ceil(bitlen(q) / 8)
	 *     - if |H| <= bitlen(q), r must be of length hsize
	 *
	 * As we expect the signature as the concatenation of r and s, the check
	 * is done by verifying the length of the signature is the expected one.
	 */
	MUST_HAVE((siglen == ECKCDSA_SIGLEN(hsize, q_bit_len)), ret, err);

	/* 2. Check that s is in ]0,q[ */
	ret = nn_init_from_buf(&s, sig + r_len, s_len); EG(ret, err);
	ret = nn_iszero(&s, &iszero); EG(ret, err);
	ret = nn_cmp(&s, q, &cmp); EG(ret, err);
	MUST_HAVE((!iszero) && (cmp < 0), ret, err);
	dbg_nn_print("s", &s);

	/*
	 * 3. Compute h = H(z||m)
	 *
	 * We first need to compute z, the certificate data that will be
	 * prepended to the message m prior to hashing. In ISO-14888-3:2016,
	 * z is basically the concatenation of Yx and Yy (the affine coordinates
	 * of the public key Y) up to the block size of the hash function.
	 * If the concatenation of those coordinates is smaller than blocksize,
	 * 0 are appended.
	 *
	 * So, we convert the public key point to its affine representation and
	 * concatenate the two coordinates in a temporary (zeroized) buffer, of
	 * which the first z_len (i.e. blocksize) bytes are exported to z.
	 *
	 * Message m will be handled during following update() calls.
	 */
	ret = prj_pt_to_aff(&y_aff, &(pub_key->y)); EG(ret, err);
	ret = local_memset(tmp_buf, 0, sizeof(tmp_buf)); EG(ret, err);
	ret = fp_export_to_buf(tmp_buf, p_len, &(y_aff.x)); EG(ret, err);
	ret = fp_export_to_buf(tmp_buf + p_len, p_len, &(y_aff.y)); EG(ret, err);

	dbg_pub_key_print("Y", pub_key);

	/* Since we call a callback, sanity check our mapping */
	ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err);
	ret = ctx->h->hfunc_init(&(ctx->verify_data.eckcdsa.h_ctx)); EG(ret, err);
	ret = ctx->h->hfunc_update(&(ctx->verify_data.eckcdsa.h_ctx), tmp_buf,
				   z_len); EG(ret, err);
	ret = local_memset(tmp_buf, 0, sizeof(tmp_buf)); EG(ret, err);

	/*
	 * Initialize the verify context by storing r and s as imported
	 * from the signature
	 */
	ret = local_memcpy(ctx->verify_data.eckcdsa.r, sig, r_len); EG(ret, err);
	ret = nn_copy(&(ctx->verify_data.eckcdsa.s), &s); EG(ret, err);

	ctx->verify_data.eckcdsa.magic = ECKCDSA_VERIFY_MAGIC;

 err:
	aff_pt_uninit(&y_aff);
	nn_uninit(&s);

	if (ret && (ctx != NULL)) {
		/*
		 * Signature is invalid. Clear data part of the context.
		 * This will clear magic and avoid further reuse of the
		 * whole context.
		 */
		IGNORE_RET_VAL(local_memset(&(ctx->verify_data.eckcdsa), 0,
				     sizeof(eckcdsa_verify_data)));
	}

	/* Let's also clear what remains on the stack */
	PTR_NULLIFY(q);
	PTR_NULLIFY(pub_key);
	VAR_ZEROIFY(p_len);
	VAR_ZEROIFY(r_len);
	VAR_ZEROIFY(s_len);
	VAR_ZEROIFY(z_len);
	VAR_ZEROIFY(q_bit_len);
	VAR_ZEROIFY(hsize);

	return ret;
}

/* ECKCDSA verification update function. Returns 0 on success, -1 on error. */
int _eckcdsa_verify_update(struct ec_verify_context *ctx,
			   const u8 *chunk, u32 chunklen)
{
	int ret;

	/*
	 * First, verify context has been initialized and public
	 * part too. This guarantees the context is an EC-KCDSA
	 * verification one and we do not update() or finalize()
	 * before init().
	 */
	ret = sig_verify_check_initialized(ctx); EG(ret, err);
	ECKCDSA_VERIFY_CHECK_INITIALIZED(&(ctx->verify_data.eckcdsa), ret, err);

	/* 3. Compute h = H(z||m) */
	/* Since we call a callback, sanity check our mapping */
	ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err);
	ret = ctx->h->hfunc_update(&(ctx->verify_data.eckcdsa.h_ctx),
				   chunk, chunklen);

err:
	return ret;
}

/*
 * ECKCDSA verification finalization function. Returns 0 on success, -1 on error.
 */
int _eckcdsa_verify_finalize(struct ec_verify_context *ctx)
{
	u8 tmp_buf[BYTECEIL(CURVES_MAX_P_BIT_LEN)];
	bitcnt_t q_bit_len, p_bit_len;
	u8 p_len, r_len;
	prj_pt sY, eG;
	prj_pt_t Wprime;
	prj_pt_src_t G, Y;
	u8 r_prime[MAX_DIGEST_SIZE];
	const ec_pub_key *pub_key;
	hash_context r_prime_ctx;
	u8 hzm[MAX_DIGEST_SIZE];
	unsigned int i;
	nn_src_t q;
	nn e, tmp;
	u8 hsize, shift;
	int ret, check;
	u8 *r;
	nn *s;

	sY.magic = eG.magic = WORD(0);
	e.magic = tmp.magic = WORD(0);

	/* NOTE: we reuse eG for Wprime to optimize local variables */
	Wprime = &eG;

	/*
	 * First, verify context has been initialized and public
	 * part too. This guarantees the context is an EC-KCDSA
	 * verification one and we do not finalize() before init().
	 */
	ret = sig_verify_check_initialized(ctx); EG(ret, err);
	ECKCDSA_VERIFY_CHECK_INITIALIZED(&(ctx->verify_data.eckcdsa), ret, err);

	/* Zero init points */
	ret = local_memset(&sY, 0, sizeof(prj_pt)); EG(ret, err);
	ret = local_memset(&eG, 0, sizeof(prj_pt)); EG(ret, err);

	/* Make things more readable */
	pub_key = ctx->pub_key;
	G = &(pub_key->params->ec_gen);
	Y = &(pub_key->y);
	q = &(pub_key->params->ec_gen_order);
	p_bit_len = pub_key->params->ec_fp.p_bitlen;
	q_bit_len = pub_key->params->ec_gen_order_bitlen;
	p_len = (u8)BYTECEIL(p_bit_len);
	hsize = ctx->h->digest_size;
	r_len = (u8)ECKCDSA_R_LEN(hsize, q_bit_len);
	r = ctx->verify_data.eckcdsa.r;
	s = &(ctx->verify_data.eckcdsa.s);

	/* 3. Compute h = H(z||m) */
	/* Since we call a callback, sanity check our mapping */
	ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err);
	ret = ctx->h->hfunc_finalize(&(ctx->verify_data.eckcdsa.h_ctx), hzm); EG(ret, err);
	dbg_buf_print("h = H(z||m)  pre-mask", hzm, hsize);

	/*
	 * 4. If |H| > bitlen(q), set h to beta' rightmost bits of
	 *    bitstring h (w/ beta' = 8 * ceil(bitlen(q) / 8)), i.e.
	 *    set h to I2BS(beta', BS2I(|H|, h) mod 2^beta')
	 */
	shift = (u8)((hsize > r_len) ? (hsize - r_len) : 0);
	MUST_HAVE(hsize <= sizeof(hzm), ret, err);
	ret = buf_lshift(hzm, hsize, shift); EG(ret, err);
	dbg_buf_print("h = H(z||m) post-mask", hzm, r_len);

	/* 5. Compute e = OS2I(r XOR h) mod q */
	for (i = 0; i < r_len; i++) {
		hzm[i] ^= r[i];
	}
	ret = nn_init_from_buf(&tmp, hzm, r_len); EG(ret, err);
	ret = local_memset(hzm, 0, hsize); EG(ret, err);
	ret = nn_mod(&e, &tmp, q); EG(ret, err);

	dbg_nn_print("e", &e);

	/* 6. Compute W' = sY + eG, where Y is the public key */
	ret = prj_pt_mul(&sY, s, Y); EG(ret, err);
	ret = prj_pt_mul(&eG, &e, G); EG(ret, err);
	ret = prj_pt_add(Wprime, &sY, &eG); EG(ret, err);
	ret = prj_pt_unique(Wprime, Wprime); EG(ret, err);
	dbg_nn_print("W'_x", &(Wprime->X.fp_val));
	dbg_nn_print("W'_y", &(Wprime->Y.fp_val));

	/* 7. Compute r' = h(W'x) */
	ret = local_memset(tmp_buf, 0, sizeof(tmp_buf)); EG(ret, err);
	ret = fp_export_to_buf(tmp_buf, p_len, &(Wprime->X)); EG(ret, err);
	/* Since we call a callback, sanity check our mapping */
	ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err);
	ret = ctx->h->hfunc_init(&r_prime_ctx); EG(ret, err);
	ret = ctx->h->hfunc_update(&r_prime_ctx, tmp_buf, p_len); EG(ret, err);
	ret = ctx->h->hfunc_finalize(&r_prime_ctx, r_prime); EG(ret, err);
	ret = local_memset(tmp_buf, 0, p_len); EG(ret, err);
	ret = local_memset(&r_prime_ctx, 0, sizeof(hash_context)); EG(ret, err);

	/*
	 * 8. If |H| > bitlen(q), set r' to beta' rightmost bits of
	 *    bitstring r' (w/ beta' = 8 * ceil(bitlen(q) / 8)), i.e.
	 *    set r' to I2BS(beta', BS2I(|H|, r') mod 2^beta')
	 */
	dbg_buf_print("r'  pre-mask", r_prime, hsize);
	ret = buf_lshift(r_prime, hsize, shift); EG(ret, err);
	dbg_buf_print("r' post-mask", r_prime, r_len);
	dbg_buf_print("r", r, r_len);

	/* 9. Check if r == r' */
	ret = are_equal(r, r_prime, r_len, &check); EG(ret, err);
	ret = check ? 0 : -1;

err:
	prj_pt_uninit(&sY);
	prj_pt_uninit(&eG);
	nn_uninit(&e);
	nn_uninit(&tmp);

	/*
	 * We can now clear data part of the context. This will clear
	 * magic and avoid further reuse of the whole context.
	 */
	if(ctx != NULL){
		IGNORE_RET_VAL(local_memset(&(ctx->verify_data.eckcdsa), 0,
				     sizeof(eckcdsa_verify_data)));
	}

	/* Let's also clear what remains on the stack */
	VAR_ZEROIFY(i);
	PTR_NULLIFY(Wprime);
	PTR_NULLIFY(G);
	PTR_NULLIFY(Y);
	PTR_NULLIFY(q);
	VAR_ZEROIFY(p_len);
	VAR_ZEROIFY(r_len);
	VAR_ZEROIFY(q_bit_len);
	VAR_ZEROIFY(p_bit_len);
	PTR_NULLIFY(pub_key);
	VAR_ZEROIFY(hsize);
	PTR_NULLIFY(r);
	PTR_NULLIFY(s);

	return ret;
}

#else /* WITH_SIG_ECKCDSA */

/*
 * Dummy definition to avoid the empty translation unit ISO C warning
 */
typedef int dummy;
#endif /* WITH_SIG_ECKCDSA */