1 /*
2  *  Elliptic curve DSA
3  *
4  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5  *  SPDX-License-Identifier: GPL-2.0
6  *
7  *  This program is free software; you can redistribute it and/or modify
8  *  it under the terms of the GNU General Public License as published by
9  *  the Free Software Foundation; either version 2 of the License, or
10  *  (at your option) any later version.
11  *
12  *  This program is distributed in the hope that it will be useful,
13  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
14  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15  *  GNU General Public License for more details.
16  *
17  *  You should have received a copy of the GNU General Public License along
18  *  with this program; if not, write to the Free Software Foundation, Inc.,
19  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20  *
21  *  This file is part of mbed TLS (https://tls.mbed.org)
22  */
23 
24 /*
25  * References:
26  *
27  * SEC1 http://www.secg.org/index.php?action=secg,docs_secg
28  */
29 
30 #if !defined(MBEDTLS_CONFIG_FILE)
31 #include "mbedtls/config.h"
32 #else
33 #include MBEDTLS_CONFIG_FILE
34 #endif
35 
36 #if defined(MBEDTLS_ECDSA_C)
37 
38 #include "mbedtls/ecdsa.h"
39 #include "mbedtls/asn1write.h"
40 
41 #include <string.h>
42 
43 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
44 #include "mbedtls/hmac_drbg.h"
45 #endif
46 
/*
 * Turn the leading bytes of a hashed message into an integer suitable for
 * group grp (SEC1 4.1.3 step 5, identical to SEC1 4.1.4 step 3).
 *
 * At most ceil(nbits/8) bytes of buf are read; any low-order bits beyond
 * nbits are shifted out, so only the leftmost nbits of the hash matter.
 * The value is then reduced once modulo N.  A single subtraction is enough
 * here because x < 2^nbits; this assumes nbits is the bit length of N, so
 * that 2^nbits < 2N.
 *
 * Returns 0 on success or an MBEDTLS_ERR_MPI_XXX code.
 */
static int derive_mpi( const mbedtls_ecp_group *grp, mbedtls_mpi *x,
                       const unsigned char *buf, size_t blen )
{
    int ret;
    const size_t n_bytes = ( grp->nbits + 7 ) / 8;
    const size_t take = ( blen < n_bytes ) ? blen : n_bytes;
    const size_t bits_read = take * 8;

    if( ( ret = mbedtls_mpi_read_binary( x, buf, take ) ) != 0 )
        goto cleanup;

    /* Discard the low-order bits that exceed the order's bit length */
    if( bits_read > grp->nbits )
    {
        if( ( ret = mbedtls_mpi_shift_r( x, bits_read - grp->nbits ) ) != 0 )
            goto cleanup;
    }

    /* One conditional subtraction brings x into [0, N), see above */
    if( mbedtls_mpi_cmp_mpi( x, &grp->N ) >= 0 )
        ret = mbedtls_mpi_sub_mpi( x, x, &grp->N );

cleanup:
    return( ret );
}
69 
70 #if !defined(MBEDTLS_ECDSA_SIGN_ALT)
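/*
 * Compute ECDSA signature of a hashed message (SEC1 4.1.3)
 * Obviously, compared to SEC1 4.1.3, we skip step 4 (hash message)
 *
 * grp    the curve; must carry a group order (grp->N) for ECDSA to apply
 * r, s   outputs, initialised by the caller
 * d      private key, must lie in 1..n-1
 * buf    the message hash, blen its length in bytes (only the leftmost
 *        nbits are used, see derive_mpi)
 * f_rng  random generator, used both for the ephemeral key k and for the
 *        blinding value t; p_rng is passed through to it
 *
 * Returns 0 on success, MBEDTLS_ERR_ECP_BAD_INPUT_DATA for a group without
 * an order, MBEDTLS_ERR_ECP_INVALID_KEY for an out-of-range d,
 * MBEDTLS_ERR_ECP_RANDOM_FAILED when the RNG repeatedly yields unusable
 * values, or another MBEDTLS_ERR_ECP_XXX / MBEDTLS_ERR_MPI_XXX code.
 *
 * All error paths go through cleanup so that R, k, e and t are always
 * released (the blinding loop previously returned directly and leaked them).
 */
int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
                const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
    int ret, key_tries, sign_tries, blind_tries;
    mbedtls_ecp_point R;
    mbedtls_mpi k, e, t;
    const size_t n_size = ( grp->nbits + 7 ) / 8;

    /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
    if( grp->N.p == NULL )
        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );

    /* Make sure d is in range 1..n-1 */
    if( mbedtls_mpi_cmp_int( d, 1 ) < 0 || mbedtls_mpi_cmp_mpi( d, &grp->N ) >= 0 )
        return( MBEDTLS_ERR_ECP_INVALID_KEY );

    mbedtls_ecp_point_init( &R );
    mbedtls_mpi_init( &k ); mbedtls_mpi_init( &e ); mbedtls_mpi_init( &t );

    /*
     * The retry limits below are not "try harder" loops: a working RNG
     * essentially never produces r == 0, s == 0 or t outside 1..n-1, so
     * exhausting them indicates a broken RNG and is reported as such.
     */
    sign_tries = 0;
    do
    {
        /*
         * Steps 1-3: generate a suitable ephemeral keypair
         * and set r = xR mod n
         */
        key_tries = 0;
        do
        {
            MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair( grp, &k, &R, f_rng, p_rng ) );
            MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( r, &R.X, &grp->N ) );

            if( key_tries++ > 10 )
            {
                ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
                goto cleanup;
            }
        }
        while( mbedtls_mpi_cmp_int( r, 0 ) == 0 );

        /*
         * Step 5: derive MPI from hashed message.
         * Re-derived on every pass because e is modified in place below.
         */
        MBEDTLS_MPI_CHK( derive_mpi( grp, &e, buf, blen ) );

        /*
         * Generate a random value to blind inv_mod in next step,
         * avoiding a potential timing leak.
         */
        blind_tries = 0;
        do
        {
            MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &t, n_size, f_rng, p_rng ) );
            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &t, 8 * n_size - grp->nbits ) );

            /* See mbedtls_ecp_gen_keypair() */
            if( ++blind_tries > 30 )
            {
                ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
                goto cleanup;
            }
        }
        while( mbedtls_mpi_cmp_int( &t, 1 ) < 0 ||
               mbedtls_mpi_cmp_mpi( &t, &grp->N ) >= 0 );

        /*
         * Step 6: compute s = (e + r * d) / k = t (e + rd) / (kt) mod n
         * inv_mod therefore never sees the secret k on its own, only k*t.
         */
        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, r, d ) );
        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &e, &e, s ) );
        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &e, &e, &t ) );
        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &k, &k, &t ) );
        MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, &k, &grp->N ) );
        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) );
        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) );

        if( sign_tries++ > 10 )
        {
            ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
            goto cleanup;
        }
    }
    while( mbedtls_mpi_cmp_int( s, 0 ) == 0 );

cleanup:
    /* k and t are secret; they are released here on every path */
    mbedtls_ecp_point_free( &R );
    mbedtls_mpi_free( &k ); mbedtls_mpi_free( &e ); mbedtls_mpi_free( &t );

    return( ret );
}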
163 #endif /* MBEDTLS_ECDSA_SIGN_ALT */
164 
165 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
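/*
 * Clear a buffer holding sensitive data.  The volatile access keeps the
 * compiler from dropping the stores as dead (a plain memset before the
 * buffer goes out of scope may be optimised away).
 */
static void ecdsa_zeroize_buf( void *v, size_t n )
{
    volatile unsigned char *p = (volatile unsigned char *) v;

    while( n-- )
        *p++ = 0;
}

/*
 * Deterministic signature wrapper (RFC 6979 style: the per-message nonce
 * comes from an HMAC_DRBG seeded with the private key and the reduced hash
 * rather than from an external RNG).
 *
 * grp, r, s, d, buf, blen   as for mbedtls_ecdsa_sign()
 * md_alg                    hash used inside the HMAC_DRBG
 *
 * Returns 0 on success, MBEDTLS_ERR_ECP_BAD_INPUT_DATA for an unknown md_alg
 * or a group too large for the seed buffer, or whatever
 * mbedtls_ecdsa_sign() / the MPI and DRBG helpers return.
 *
 * Changes versus the previous version: the return value of
 * mbedtls_hmac_drbg_seed_buf() is now checked, the seed buffer (which holds
 * the private key) is wiped before returning, and grp_len is bounded
 * against the buffer size before it is used as a write length.
 */
int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
                    const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
                    mbedtls_md_type_t md_alg )
{
    int ret;
    mbedtls_hmac_drbg_context rng_ctx;
    unsigned char data[2 * MBEDTLS_ECP_MAX_BYTES];
    size_t grp_len = ( grp->nbits + 7 ) / 8;
    const mbedtls_md_info_t *md_info;
    mbedtls_mpi h;

    if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );

    /* data holds two grp_len-byte values; refuse a group that would not fit */
    if( grp_len > MBEDTLS_ECP_MAX_BYTES )
        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );

    mbedtls_mpi_init( &h );
    mbedtls_hmac_drbg_init( &rng_ctx );

    /* Use private key and message hash (reduced) to initialize HMAC_DRBG */
    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( d, data, grp_len ) );
    MBEDTLS_MPI_CHK( derive_mpi( grp, &h, buf, blen ) );
    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &h, data + grp_len, grp_len ) );
    MBEDTLS_MPI_CHK( mbedtls_hmac_drbg_seed_buf( &rng_ctx, md_info, data, 2 * grp_len ) );

    ret = mbedtls_ecdsa_sign( grp, r, s, d, buf, blen,
                      mbedtls_hmac_drbg_random, &rng_ctx );

cleanup:
    /* The seed material includes the private key: wipe it on every path */
    ecdsa_zeroize_buf( data, sizeof( data ) );
    mbedtls_hmac_drbg_free( &rng_ctx );
    mbedtls_mpi_free( &h );

    return( ret );
}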
201 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
202 
203 #if !defined(MBEDTLS_ECDSA_VERIFY_ALT)
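/*
 * Verify ECDSA signature of hashed message (SEC1 4.1.4)
 * Obviously, compared to SEC1 4.1.4, we skip step 2 (hash message)
 *
 * grp    the curve; must carry a group order (grp->N)
 * buf    the message hash, blen its length (only the leftmost nbits are
 *        used, see derive_mpi)
 * Q      public key; validated with mbedtls_ecp_check_pubkey() before use
 * r, s   signature components, each expected in 1..n-1
 *
 * Returns 0 if the signature is valid, MBEDTLS_ERR_ECP_BAD_INPUT_DATA for a
 * group without an order, MBEDTLS_ERR_ECP_VERIFY_FAILED if the signature
 * does not verify, or another MBEDTLS_ERR_ECP_XXX / MBEDTLS_ERR_MPI_XXX code
 * (e.g. from the public-key check).
 *
 * The unusable-curve check is now done before any object is initialised,
 * so its early return bypasses no cleanup, matching mbedtls_ecdsa_sign().
 */
int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
                  const unsigned char *buf, size_t blen,
                  const mbedtls_ecp_point *Q, const mbedtls_mpi *r, const mbedtls_mpi *s)
{
    int ret;
    mbedtls_mpi e, s_inv, u1, u2;
    mbedtls_ecp_point R;

    /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
    if( grp->N.p == NULL )
        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );

    mbedtls_ecp_point_init( &R );
    mbedtls_mpi_init( &e ); mbedtls_mpi_init( &s_inv ); mbedtls_mpi_init( &u1 ); mbedtls_mpi_init( &u2 );

    /*
     * Step 1: make sure r and s are in range 1..n-1
     * (an out-of-range s would also make the inversion below meaningless)
     */
    if( mbedtls_mpi_cmp_int( r, 1 ) < 0 || mbedtls_mpi_cmp_mpi( r, &grp->N ) >= 0 ||
        mbedtls_mpi_cmp_int( s, 1 ) < 0 || mbedtls_mpi_cmp_mpi( s, &grp->N ) >= 0 )
    {
        ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
        goto cleanup;
    }

    /*
     * Additional precaution: make sure Q is valid (on the curve, not the
     * point at infinity) before doing any arithmetic with it
     */
    MBEDTLS_MPI_CHK( mbedtls_ecp_check_pubkey( grp, Q ) );

    /*
     * Step 3: derive MPI from hashed message
     */
    MBEDTLS_MPI_CHK( derive_mpi( grp, &e, buf, blen ) );

    /*
     * Step 4: u1 = e / s mod n, u2 = r / s mod n
     */
    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &s_inv, s, &grp->N ) );

    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &u1, &e, &s_inv ) );
    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &u1, &u1, &grp->N ) );

    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &u2, r, &s_inv ) );
    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &u2, &u2, &grp->N ) );

    /*
     * Step 5: R = u1 G + u2 Q
     *
     * Since we're not using any secret data, no need to pass a RNG to
     * mbedtls_ecp_mul() for countermeasures.
     */
    MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( grp, &R, &u1, &grp->G, &u2, Q ) );

    if( mbedtls_ecp_is_zero( &R ) )
    {
        ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
        goto cleanup;
    }

    /*
     * Step 6: convert xR to an integer (no-op)
     * Step 7: reduce xR mod n (gives v)
     */
    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &R.X, &R.X, &grp->N ) );

    /*
     * Step 8: check if v (that is, R.X) is equal to r
     */
    if( mbedtls_mpi_cmp_mpi( &R.X, r ) != 0 )
    {
        ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
        goto cleanup;
    }

cleanup:
    mbedtls_ecp_point_free( &R );
    mbedtls_mpi_free( &e ); mbedtls_mpi_free( &s_inv ); mbedtls_mpi_free( &u1 ); mbedtls_mpi_free( &u2 );

    return( ret );
}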
289 #endif /* MBEDTLS_ECDSA_VERIFY_ALT */
290 
/*
 * Encode a signature as the DER structure  SEQUENCE { INTEGER r, INTEGER s }.
 *
 * The ASN.1 writer fills a local buffer from its end backwards, so s is
 * written first, then r, then the SEQUENCE length and tag.  The finished
 * encoding is copied to sig and its length stored in *slen.
 *
 * sig is written without a size argument: it must provide at least
 * MBEDTLS_ECDSA_MAX_LEN bytes, the maximum this function can produce.
 *
 * Returns 0 on success or an MBEDTLS_ERR_ASN1_XXX code.
 */
static int ecdsa_signature_to_asn1( const mbedtls_mpi *r, const mbedtls_mpi *s,
                                    unsigned char *sig, size_t *slen )
{
    int ret;
    unsigned char buf[MBEDTLS_ECDSA_MAX_LEN];
    unsigned char *cursor = buf + sizeof( buf );
    size_t total = 0;

    /* Components, innermost first (the writer works backwards) */
    if( ( ret = mbedtls_asn1_write_mpi( &cursor, buf, s ) ) < 0 )
        return( ret );
    total += ret;

    if( ( ret = mbedtls_asn1_write_mpi( &cursor, buf, r ) ) < 0 )
        return( ret );
    total += ret;

    /* Enclosing SEQUENCE header: length, then tag */
    if( ( ret = mbedtls_asn1_write_len( &cursor, buf, total ) ) < 0 )
        return( ret );
    total += ret;

    if( ( ret = mbedtls_asn1_write_tag( &cursor, buf,
                   MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) < 0 )
        return( ret );
    total += ret;

    memcpy( sig, cursor, total );
    *slen = total;

    return( 0 );
}
314 
/*
 * Compute a signature over hash and write it to sig in DER form.
 *
 * ctx     key pair and group to sign with
 * md_alg  only consulted when MBEDTLS_ECDSA_DETERMINISTIC is enabled, where
 *         it selects the HMAC_DRBG hash; otherwise ignored
 * hash    the message digest, hlen its length
 * sig     output buffer, *slen receives the encoded length; sig must be
 *         large enough for the DER encoding (see ecdsa_signature_to_asn1)
 * f_rng   RNG for the non-deterministic build; ignored (and may be NULL)
 *         when MBEDTLS_ECDSA_DETERMINISTIC is enabled
 *
 * Returns 0 on success or an MBEDTLS_ERR_ECP_XXX / MBEDTLS_ERR_MPI_XXX /
 * MBEDTLS_ERR_ASN1_XXX code.
 */
int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, mbedtls_md_type_t md_alg,
                           const unsigned char *hash, size_t hlen,
                           unsigned char *sig, size_t *slen,
                           int (*f_rng)(void *, unsigned char *, size_t),
                           void *p_rng )
{
    int ret;
    mbedtls_mpi sig_r, sig_s;

    mbedtls_mpi_init( &sig_r );
    mbedtls_mpi_init( &sig_s );

#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
    /* Nonce is derived from the key and hash; the external RNG is unused */
    (void) f_rng;
    (void) p_rng;

    ret = mbedtls_ecdsa_sign_det( &ctx->grp, &sig_r, &sig_s, &ctx->d,
                                  hash, hlen, md_alg );
#else
    /* Randomised nonce; the digest type is not needed */
    (void) md_alg;

    ret = mbedtls_ecdsa_sign( &ctx->grp, &sig_r, &sig_s, &ctx->d,
                              hash, hlen, f_rng, p_rng );
#endif
    if( ret != 0 )
        goto cleanup;

    ret = ecdsa_signature_to_asn1( &sig_r, &sig_s, sig, slen );

cleanup:
    mbedtls_mpi_free( &sig_r );
    mbedtls_mpi_free( &sig_s );

    return( ret );
}
351 
352 #if ! defined(MBEDTLS_DEPRECATED_REMOVED) && \
353     defined(MBEDTLS_ECDSA_DETERMINISTIC)
/*
 * Deprecated entry point kept for API compatibility: identical to
 * mbedtls_ecdsa_write_signature() with the RNG arguments set to NULL.
 * Only compiled when MBEDTLS_ECDSA_DETERMINISTIC is on, where the RNG
 * arguments are unused anyway.
 */
int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
                               const unsigned char *hash, size_t hlen,
                               unsigned char *sig, size_t *slen,
                               mbedtls_md_type_t md_alg )
{
    const int ret = mbedtls_ecdsa_write_signature( ctx, md_alg, hash, hlen,
                                                   sig, slen, NULL, NULL );
    return( ret );
}
362 #endif
363 
/*
 * Parse a DER-encoded signature  SEQUENCE { INTEGER r, INTEGER s }  from sig
 * and verify it against hash with the public key in ctx.
 *
 * Returns 0 for a valid signature that exactly fills sig;
 * MBEDTLS_ERR_ECP_BAD_INPUT_DATA combined with the ASN.1 error for a
 * malformed encoding (including a SEQUENCE length that does not match
 * slen); MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH when the signature is valid but
 * trailing bytes follow it; otherwise the mbedtls_ecdsa_verify() result.
 */
int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx,
                          const unsigned char *hash, size_t hlen,
                          const unsigned char *sig, size_t slen )
{
    int ret;
    /* The ASN.1 getters take a non-const cursor; the cast exists only to
     * satisfy their signature (presumably they never write through it). */
    unsigned char *cur = (unsigned char *) sig;
    const unsigned char *const end = sig + slen;
    size_t seq_len;
    mbedtls_mpi r, s;

    mbedtls_mpi_init( &r );
    mbedtls_mpi_init( &s );

    ret = mbedtls_asn1_get_tag( &cur, end, &seq_len,
                                MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE );
    if( ret != 0 )
    {
        ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
        goto cleanup;
    }

    /* The outer SEQUENCE must account for the whole buffer */
    if( cur + seq_len != end )
    {
        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA +
              MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
        goto cleanup;
    }

    ret = mbedtls_asn1_get_mpi( &cur, end, &r );
    if( ret == 0 )
        ret = mbedtls_asn1_get_mpi( &cur, end, &s );
    if( ret != 0 )
    {
        ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
        goto cleanup;
    }

    ret = mbedtls_ecdsa_verify( &ctx->grp, hash, hlen, &ctx->Q, &r, &s );
    if( ret != 0 )
        goto cleanup;

    /* At this point we know that the buffer starts with a valid signature.
     * Return 0 if the buffer just contains the signature, and a specific
     * error code if the valid signature is followed by more data. */
    if( cur != end )
        ret = MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH;

cleanup:
    mbedtls_mpi_free( &r );
    mbedtls_mpi_free( &s );

    return( ret );
}
417 
418 #if !defined(MBEDTLS_ECDSA_GENKEY_ALT)
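/*
 * Generate key pair
 *
 * Loads the group gid into ctx->grp, then draws a fresh private key d and
 * computes the matching public point Q using f_rng/p_rng.
 *
 * Returns 0 on success or the MBEDTLS_ERR_ECP_XXX / MBEDTLS_ERR_MPI_XXX
 * code of the step that failed.  The previous `a || b` form collapsed any
 * failure to the value 1, discarding the actual error code and handing
 * callers a non-standard positive status.
 */
int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
                  int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
    int ret = mbedtls_ecp_group_load( &ctx->grp, gid );

    if( ret != 0 )
        return( ret );

    return( mbedtls_ecp_gen_keypair( &ctx->grp, &ctx->d, &ctx->Q, f_rng, p_rng ) );
}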
428 #endif /* MBEDTLS_ECDSA_GENKEY_ALT */
429 
/*
 * Populate ctx with a deep copy of the group, private key and public point
 * held in key.
 *
 * On any copy failure the context is freed again so the caller is never
 * left with a half-populated ctx.
 *
 * Returns 0 on success or the MBEDTLS_ERR_ECP_XXX / MBEDTLS_ERR_MPI_XXX
 * code of the copy that failed.
 */
int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key )
{
    int ret = mbedtls_ecp_group_copy( &ctx->grp, &key->grp );

    if( ret == 0 )
        ret = mbedtls_mpi_copy( &ctx->d, &key->d );
    if( ret == 0 )
        ret = mbedtls_ecp_copy( &ctx->Q, &key->Q );

    if( ret != 0 )
        mbedtls_ecdsa_free( ctx );

    return( ret );
}
446 
/*
 * Initialise an ECDSA context.  An ECDSA context is an ECP key pair, so
 * this simply defers to the key-pair initialiser; call before any other
 * use of ctx.
 */
void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx )
{
    mbedtls_ecp_keypair_init( ctx );
}
454 
/*
 * Release everything owned by an ECDSA context (group, private key d and
 * public point Q) via the key-pair destructor.  The context object itself
 * is not freed.
 */
void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx )
{
    mbedtls_ecp_keypair_free( ctx );
}
462 
463 #endif /* MBEDTLS_ECDSA_C */
464