/* * Copyright (C) 2017 - This file is part of libecc project * * Authors: * Ryad BENADJILA * Arnaud EBALARD * Jean-Pierre FLORI * * Contributors: * Nicolas VIVET * Karim KHALFALLAH * * This software is licensed under a dual BSD and GPL v2 license. * See LICENSE file at the root folder of the project. */ #include #ifdef WITH_SIG_ECKCDSA #include #include #include #include #include #ifdef VERBOSE_INNER_VALUES #define EC_SIG_ALG "ECKCDSA" #endif #include /* * Initialize public key 'out_pub' from input private key 'in_priv'. The * function returns 0 on success, -1 on error. */ int eckcdsa_init_pub_key(ec_pub_key *out_pub, const ec_priv_key *in_priv) { prj_pt_src_t G; int ret, cmp; nn xinv; nn_src_t q; xinv.magic = WORD(0); MUST_HAVE((out_pub != NULL), ret, err); ret = priv_key_check_initialized_and_type(in_priv, ECKCDSA); EG(ret, err); /* For readability in the remaining of the function */ q = &(in_priv->params->ec_gen_order); /* Zero init public key to be generated */ ret = local_memset(out_pub, 0, sizeof(ec_pub_key)); EG(ret, err); /* Sanity check on key */ MUST_HAVE((!nn_cmp(&(in_priv->x), q, &cmp)) && (cmp < 0), ret, err); /* Y = (x^-1)G */ G = &(in_priv->params->ec_gen); /* NOTE: we use Fermat's little theorem inversion for * constant time here. This is possible since q is prime. */ ret = nn_modinv_fermat(&xinv, &(in_priv->x), q); EG(ret, err); /* Use blinding when computing point scalar multiplication */ ret = prj_pt_mul_blind(&(out_pub->y), &xinv, G); EG(ret, err); out_pub->key_type = ECKCDSA; out_pub->params = in_priv->params; out_pub->magic = PUB_KEY_MAGIC; err: nn_uninit(&xinv); return ret; } /* * Helper providing ECKCDSA signature length when exported to a buffer based on * hash algorithm digest and block size, generator point order bit length, and * underlying prime field order bit length. The function returns 0 on success, * -1 on error. On success, signature length is provided via 'siglen' out * parameter. */ int eckcdsa_siglen(u16 p_bit_len, u16 q_bit_len, u8 hsize, u8 blocksize, u8 *siglen) { int ret; MUST_HAVE((siglen != NULL), ret, err); MUST_HAVE((p_bit_len <= CURVES_MAX_P_BIT_LEN) && (q_bit_len <= CURVES_MAX_Q_BIT_LEN) && (hsize <= MAX_DIGEST_SIZE) && (blocksize <= MAX_BLOCK_SIZE), ret, err); (*siglen) = (u8)ECKCDSA_SIGLEN(hsize, q_bit_len); ret = 0; err: return ret; } /* * ISO 14888-3:2016 has some insane specific case when the digest size * (gamma) is larger than beta, the bit length of q (i.e. hsize > * bitlen(q), i.e. gamma > beta). In that case, both the values of h * (= H(z||m)) and r (= H(FE2OS(W_x))) must be post-processed/mangled * in the following way: * * - h = I2BS(beta', (BS2I(gamma, h))) mod 2^beta' * - r = I2BS(beta', (BS2I(gamma, r))) mod 2^beta' * * where beta' = 8 * ceil(beta / 8) * * There are two things to consider before implementing those steps * using various conversions to/from nn, shifting and masking: * * - the expected post-processing work is simply clearing the first * (gamma - beta') bits at the beginning of h and r to keep only * last beta ones unmodified. * - In the library, we do not work on bitstring but byte strings in * all cases * - In EC-KCDSA sig/verif, the result (h and then r) are then XORed * together and then converted to an integer (the buffer being * considered in big endian order) * * For that reason, this function simply takes a buffer 'buf' of * 'buflen' bytes and shifts it 'shift' bytes to the left, clearing * the trailing 'shift' bytes at the end of the buffer. The function * is expected to be used with 'shift' parameter set to * (gamma - beta') / 8. * * This is better presented on an example: * * shift = (gamma - beta') / 8 = 4 * before: buf = { 0xff, 0xff, 0xff, 0x12, 0x34, 0x56, 0x78} * after : buf = { 0x34, 0x56, 0x78, 0x00, 0x00, 0x00, 0x00} */ ATTRIBUTE_WARN_UNUSED_RET static int buf_lshift(u8 *buf, u8 buflen, u8 shift) { u8 i; int ret; MUST_HAVE((buf != NULL), ret, err); if (shift > buflen) { shift = buflen; } /* Start by shifting all trailing bytes to the left ... */ for (i = shift; i < buflen; i++) { buf[i - shift] = buf[i]; } /* Let's now zeroize the end of the buffer ... */ for (i = 1; i <= shift; i++) { buf[buflen - i] = 0; } ret = 0; err: return ret; } /* * Generic *internal* EC-KCDSA signature functions (init, update and finalize). * Their purpose is to allow passing a specific hash function (along with * its output size) and the random ephemeral key k, so that compliance * tests against test vectors can be made without ugly hack in the code * itself. * * Global EC-KCDSA signature process is as follows (I,U,F provides * information in which function(s) (init(), update() or finalize()) * a specific step is performed): * *| IUF - EC-KCDSA signature *| *| IUF 1. Compute h = H(z||m) *| F 2. If |H| > bitlen(q), set h to beta' rightmost bits of *| bitstring h (w/ beta' = 8 * ceil(bitlen(q) / 8)), i.e. *| set h to I2BS(beta', BS2I(|H|, h) mod 2^beta') *| F 3. Get a random value k in ]0,q[ *| F 4. Compute W = (W_x,W_y) = kG *| F 5. Compute r = H(FE2OS(W_x)). *| F 6. If |H| > bitlen(q), set r to beta' rightmost bits of *| bitstring r (w/ beta' = 8 * ceil(bitlen(q) / 8)), i.e. *| set r to I2BS(beta', BS2I(|H|, r) mod 2^beta') *| F 7. Compute e = OS2I(r XOR h) mod q *| F 8. Compute s = x(k - e) mod q *| F 9. if s == 0, restart at step 3. *| F 10. return (r,s) * */ #define ECKCDSA_SIGN_MAGIC ((word_t)(0x45503fcf5114bf1eULL)) #define ECKCDSA_SIGN_CHECK_INITIALIZED(A, ret, err) \ MUST_HAVE((((void *)(A)) != NULL) && \ ((A)->magic == ECKCDSA_SIGN_MAGIC), ret, err) /* * ECKCDSA signature initialization function. Returns 0 on success, -1 on * error. */ int _eckcdsa_sign_init(struct ec_sign_context *ctx) { u8 tmp_buf[LOCAL_MAX(2 * BYTECEIL(CURVES_MAX_P_BIT_LEN), MAX_BLOCK_SIZE)]; const ec_pub_key *pub_key; aff_pt y_aff; u8 p_len; u16 z_len; int ret; y_aff.magic = WORD(0); /* First, verify context has been initialized */ ret = sig_sign_check_initialized(ctx); EG(ret, err); /* Additional sanity checks on input params from context */ ret = key_pair_check_initialized_and_type(ctx->key_pair, ECKCDSA); EG(ret, err); MUST_HAVE((ctx->h != NULL) && (ctx->h->digest_size <= MAX_DIGEST_SIZE) && (ctx->h->block_size <= MAX_BLOCK_SIZE), ret, err); /* Make things more readable */ pub_key = &(ctx->key_pair->pub_key); p_len = (u8)BYTECEIL(pub_key->params->ec_fp.p_bitlen); z_len = ctx->h->block_size; /* * 1. Compute h = H(z||m) * * We first need to compute z, the certificate data that will be * prepended to the message m prior to hashing. In ISO-14888-3:2016, * z is basically the concatenation of Yx and Yy (the affine coordinates * of the public key Y) up to the block size of the hash function. * If the concatenation of those coordinates is smaller than blocksize, * 0 are appended. * * So, we convert the public key point to its affine representation and * concatenate the two coordinates in a temporary (zeroized) buffer, of * which the first z_len (i.e. blocksize) bytes are exported to z. * * Message m will be handled during following update() calls. */ ret = prj_pt_to_aff(&y_aff, &(pub_key->y)); EG(ret, err); ret = local_memset(tmp_buf, 0, sizeof(tmp_buf)); EG(ret, err); ret = fp_export_to_buf(tmp_buf, p_len, &(y_aff.x)); EG(ret, err); ret = fp_export_to_buf(tmp_buf + p_len, p_len, &(y_aff.y)); EG(ret, err); dbg_pub_key_print("Y", pub_key); /* Since we call a callback, sanity check our mapping */ ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); ret = ctx->h->hfunc_init(&(ctx->sign_data.eckcdsa.h_ctx)); EG(ret, err); ret = ctx->h->hfunc_update(&(ctx->sign_data.eckcdsa.h_ctx), tmp_buf, z_len); EG(ret, err); ret = local_memset(tmp_buf, 0, sizeof(tmp_buf)); EG(ret, err); /* Initialize data part of the context */ ctx->sign_data.eckcdsa.magic = ECKCDSA_SIGN_MAGIC; err: aff_pt_uninit(&y_aff); VAR_ZEROIFY(p_len); VAR_ZEROIFY(z_len); PTR_NULLIFY(pub_key); return ret; } /* ECKCDSA signature update function. Returns 0 on success, -1 on error. */ int _eckcdsa_sign_update(struct ec_sign_context *ctx, const u8 *chunk, u32 chunklen) { int ret; /* * First, verify context has been initialized and private * part too. This guarantees the context is an EC-KCDSA * signature one and we do not update() or finalize() * before init(). */ ret = sig_sign_check_initialized(ctx); EG(ret, err); ECKCDSA_SIGN_CHECK_INITIALIZED(&(ctx->sign_data.eckcdsa), ret, err); /* 1. Compute h = H(z||m) */ /* Since we call a callback, sanity check our mapping */ ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); ret = ctx->h->hfunc_update(&(ctx->sign_data.eckcdsa.h_ctx), chunk, chunklen); err: return ret; } /* * ECKCDSA signature finalization function. Returns 0 on success, -1 on * error. */ int _eckcdsa_sign_finalize(struct ec_sign_context *ctx, u8 *sig, u8 siglen) { prj_pt_src_t G; nn_src_t q, x; prj_pt kG; unsigned int i; nn e, tmp, s, k; u8 hzm[MAX_DIGEST_SIZE]; u8 r[MAX_DIGEST_SIZE]; u8 tmp_buf[BYTECEIL(CURVES_MAX_P_BIT_LEN)]; hash_context r_ctx; const ec_priv_key *priv_key; u8 p_len, r_len, s_len, hsize, shift; bitcnt_t q_bit_len; int ret, iszero, cmp; #ifdef USE_SIG_BLINDING /* b is the blinding mask */ nn b, binv; b.magic = binv.magic = WORD(0); #endif /* USE_SIG_BLINDING */ kG.magic = WORD(0); e.magic = tmp.magic = s.magic = k.magic = WORD(0); /* * First, verify context has been initialized and private * part too. This guarantees the context is an EC-KCDSA * signature one and we do not finalize() before init(). */ ret = sig_sign_check_initialized(ctx); EG(ret, err); ECKCDSA_SIGN_CHECK_INITIALIZED(&(ctx->sign_data.eckcdsa), ret, err); MUST_HAVE((sig != NULL), ret, err); /* Zero init points */ ret = local_memset(&kG, 0, sizeof(prj_pt)); EG(ret, err); /* Make things more readable */ priv_key = &(ctx->key_pair->priv_key); G = &(priv_key->params->ec_gen); q = &(priv_key->params->ec_gen_order); hsize = ctx->h->digest_size; p_len = (u8)BYTECEIL(priv_key->params->ec_fp.p_bitlen); q_bit_len = priv_key->params->ec_gen_order_bitlen; r_len = (u8)ECKCDSA_R_LEN(hsize, q_bit_len); s_len = (u8)ECKCDSA_S_LEN(q_bit_len); x = &(priv_key->x); /* Sanity check */ ret = nn_cmp(x, q, &cmp); EG(ret, err); /* This should not happen and means that our * private key is not compliant! */ MUST_HAVE((cmp < 0), ret, err); MUST_HAVE((siglen == ECKCDSA_SIGLEN(hsize, q_bit_len)), ret, err); dbg_nn_print("p", &(priv_key->params->ec_fp.p)); dbg_nn_print("q", q); dbg_priv_key_print("x", priv_key); dbg_ec_point_print("G", G); /* 1. Compute h = H(z||m) */ /* Since we call a callback, sanity check our mapping */ ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); ret = ctx->h->hfunc_finalize(&(ctx->sign_data.eckcdsa.h_ctx), hzm); EG(ret, err); dbg_buf_print("h = H(z||m) pre-mask", hzm, hsize); /* * 2. If |H| > bitlen(q), set h to beta' rightmost bits of * bitstring h (w/ beta' = 8 * ceil(bitlen(q) / 8)), i.e. * set h to I2BS(beta', BS2I(|H|, h) mod 2^beta') */ shift = (u8)((hsize > r_len) ? (hsize - r_len) : 0); MUST_HAVE((hsize <= sizeof(hzm)), ret, err); ret = buf_lshift(hzm, hsize, shift); EG(ret, err); dbg_buf_print("h = H(z||m) post-mask", hzm, r_len); restart: /* 3. Get a random value k in ]0,q[ */ #ifdef NO_KNOWN_VECTORS /* NOTE: when we do not need self tests for known vectors, * we can be strict about random function handler! * This allows us to avoid the corruption of such a pointer. */ /* Sanity check on the handler before calling it */ MUST_HAVE((ctx->rand == nn_get_random_mod), ret, err); #endif MUST_HAVE((ctx->rand != NULL), ret, err); ret = ctx->rand(&k, q); EG(ret, err); dbg_nn_print("k", &k); #ifdef USE_SIG_BLINDING /* Note: if we use blinding, k and e are multiplied by * a random value b in ]0,q[ */ ret = nn_get_random_mod(&b, q); EG(ret, err); dbg_nn_print("b", &b); #endif /* USE_SIG_BLINDING */ /* 4. Compute W = (W_x,W_y) = kG */ #ifdef USE_SIG_BLINDING /* We use blinding for the scalar multiplication */ ret = prj_pt_mul_blind(&kG, &k, G); EG(ret, err); #else ret = prj_pt_mul(&kG, &k, G); EG(ret, err); #endif /* USE_SIG_BLINDING */ ret = prj_pt_unique(&kG, &kG); EG(ret, err); dbg_nn_print("W_x", &(kG.X.fp_val)); dbg_nn_print("W_y", &(kG.Y.fp_val)); /* 5 Compute r = h(FE2OS(W_x)). */ ret = local_memset(tmp_buf, 0, sizeof(tmp_buf)); EG(ret, err); ret = fp_export_to_buf(tmp_buf, p_len, &(kG.X)); EG(ret, err); /* Since we call a callback, sanity check our mapping */ ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); ret = ctx->h->hfunc_init(&r_ctx); EG(ret, err); ret = ctx->h->hfunc_update(&r_ctx, tmp_buf, p_len); EG(ret, err); ret = ctx->h->hfunc_finalize(&r_ctx, r); EG(ret, err); ret = local_memset(tmp_buf, 0, p_len); EG(ret, err); ret = local_memset(&r_ctx, 0, sizeof(hash_context)); EG(ret, err); /* * 6. If |H| > bitlen(q), set r to beta' rightmost bits of * bitstring r (w/ beta' = 8 * ceil(bitlen(q) / 8)), i.e. * set r to I2BS(beta', BS2I(|H|, r) mod 2^beta') */ dbg_buf_print("r pre-mask", r, hsize); MUST_HAVE((hsize <= sizeof(r)), ret, err); ret = buf_lshift(r, hsize, shift); EG(ret, err); dbg_buf_print("r post-mask", r, r_len); /* 7. Compute e = OS2I(r XOR h) mod q */ for (i = 0; i < r_len; i++) { hzm[i] ^= r[i]; } ret = nn_init_from_buf(&tmp, hzm, r_len); EG(ret, err); ret = local_memset(hzm, 0, r_len); EG(ret, err); ret = nn_mod(&e, &tmp, q); EG(ret, err); dbg_nn_print("e", &e); #ifdef USE_SIG_BLINDING /* In case of blinding, we compute (k*b - e*b) * x * b^-1 */ ret = nn_mod_mul(&k, &k, &b, q); EG(ret, err); ret = nn_mod_mul(&e, &e, &b, q); EG(ret, err); /* NOTE: we use Fermat's little theorem inversion for * constant time here. This is possible since q is prime. */ ret = nn_modinv_fermat(&binv, &b, q); EG(ret, err); #endif /* USE_SIG_BLINDING */ /* * 8. Compute s = x(k - e) mod q * * This is equivalent to computing s = x(k + (q - e)) mod q. * This second version avoids checking if k < e before the * subtraction, because e has already been reduced mod q */ ret = nn_mod_neg(&tmp, &e, q); EG(ret, err); ret = nn_mod_add(&tmp, &k, &tmp, q); EG(ret, err); ret = nn_mod_mul(&s, x, &tmp, q); EG(ret, err); #ifdef USE_SIG_BLINDING /* Unblind s with b^-1 */ ret = nn_mod_mul(&s, &s, &binv, q); EG(ret, err); #endif /* USE_SIG_BLINDING */ /* 9. if s == 0, restart at step 3. */ ret = nn_iszero(&s, &iszero); EG(ret, err); if (iszero) { goto restart; } dbg_nn_print("s", &s); /* 10. return (r,s) */ ret = local_memcpy(sig, r, r_len); EG(ret, err); ret = local_memset(r, 0, r_len); EG(ret, err); ret = nn_export_to_buf(sig + r_len, s_len, &s); err: prj_pt_uninit(&kG); nn_uninit(&e); nn_uninit(&tmp); nn_uninit(&s); nn_uninit(&k); #ifdef USE_SIG_BLINDING nn_uninit(&b); nn_uninit(&binv); #endif /* USE_SIG_BLINDING */ /* * We can now clear data part of the context. This will clear * magic and avoid further reuse of the whole context. */ if(ctx != NULL){ IGNORE_RET_VAL(local_memset(&(ctx->sign_data.eckcdsa), 0, sizeof(eckcdsa_sign_data))); } PTR_NULLIFY(G); PTR_NULLIFY(q); PTR_NULLIFY(x); VAR_ZEROIFY(i); PTR_NULLIFY(priv_key); VAR_ZEROIFY(p_len); VAR_ZEROIFY(r_len); VAR_ZEROIFY(s_len); VAR_ZEROIFY(q_bit_len); VAR_ZEROIFY(hsize); return ret; } /* * Generic *internal* EC-KCDSA verification functions (init, update and * finalize). Their purpose is to allow passing a specific hash function * (along with its output size) and the random ephemeral key k, so that * compliance tests against test vectors can be made without ugly hack * in the code itself. * * Global EC-CKDSA verification process is as follows (I,U,F provides * information in which function(s) (init(), update() or finalize()) * a specific step is performed): * *| IUF - EC-KCDSA verification *| *| I 1. Check the length of r: *| - if |H| > bitlen(q), r must be of length *| beta' = 8 * ceil(bitlen(q) / 8) *| - if |H| <= bitlen(q), r must be of length hsize *| I 2. Check that s is in ]0,q[ *| IUF 3. Compute h = H(z||m) *| F 4. If |H| > bitlen(q), set h to beta' rightmost bits of *| bitstring h (w/ beta' = 8 * ceil(bitlen(q) / 8)), i.e. *| set h to I2BS(beta', BS2I(|H|, h) mod 2^beta') *| F 5. Compute e = OS2I(r XOR h) mod q *| F 6. Compute W' = sY + eG, where Y is the public key *| F 7. Compute r' = h(W'x) *| F 8. If |H| > bitlen(q), set r' to beta' rightmost bits of *| bitstring r' (w/ beta' = 8 * ceil(bitlen(q) / 8)), i.e. *| set r' to I2BS(beta', BS2I(|H|, r') mod 2^beta') *| F 9. Check if r == r' * */ #define ECKCDSA_VERIFY_MAGIC ((word_t)(0xa836a75de66643aaULL)) #define ECKCDSA_VERIFY_CHECK_INITIALIZED(A, ret, err) \ MUST_HAVE((((void *)(A)) != NULL) && \ ((A)->magic == ECKCDSA_VERIFY_MAGIC), ret, err) /* * ECKCDSA verification finalization function. Returns 0 on success, -1 on error. */ int _eckcdsa_verify_init(struct ec_verify_context *ctx, const u8 *sig, u8 siglen) { u8 tmp_buf[LOCAL_MAX(2 * BYTECEIL(CURVES_MAX_P_BIT_LEN), MAX_BLOCK_SIZE)]; u8 p_len, r_len, s_len, z_len; bitcnt_t q_bit_len; const ec_pub_key *pub_key; aff_pt y_aff; nn_src_t q; u8 hsize; int ret, iszero, cmp; nn s; y_aff.magic = s.magic = WORD(0); /* First, verify context has been initialized */ ret = sig_verify_check_initialized(ctx); EG(ret, err); MUST_HAVE((sig != NULL), ret, err); /* Do some sanity checks on input params */ ret = pub_key_check_initialized_and_type(ctx->pub_key, ECKCDSA); EG(ret, err); MUST_HAVE((ctx->h != NULL) && (ctx->h->digest_size <= MAX_DIGEST_SIZE) && (ctx->h->block_size <= MAX_BLOCK_SIZE), ret, err); MUST_HAVE((sig != NULL), ret, err); /* Make things more readable */ pub_key = ctx->pub_key; p_len = (u8)BYTECEIL(pub_key->params->ec_fp.p_bitlen); q_bit_len = pub_key->params->ec_gen_order_bitlen; q = &(pub_key->params->ec_gen_order); hsize = ctx->h->digest_size; r_len = (u8)ECKCDSA_R_LEN(hsize, q_bit_len); s_len = (u8)ECKCDSA_S_LEN(q_bit_len); z_len = ctx->h->block_size; /* * 1. Check the length of r: * - if |H| > bitlen(q), r must be of length * beta' = 8 * ceil(bitlen(q) / 8) * - if |H| <= bitlen(q), r must be of length hsize * * As we expect the signature as the concatenation of r and s, the check * is done by verifying the length of the signature is the expected one. */ MUST_HAVE((siglen == ECKCDSA_SIGLEN(hsize, q_bit_len)), ret, err); /* 2. Check that s is in ]0,q[ */ ret = nn_init_from_buf(&s, sig + r_len, s_len); EG(ret, err); ret = nn_iszero(&s, &iszero); EG(ret, err); ret = nn_cmp(&s, q, &cmp); EG(ret, err); MUST_HAVE((!iszero) && (cmp < 0), ret, err); dbg_nn_print("s", &s); /* * 3. Compute h = H(z||m) * * We first need to compute z, the certificate data that will be * prepended to the message m prior to hashing. In ISO-14888-3:2016, * z is basically the concatenation of Yx and Yy (the affine coordinates * of the public key Y) up to the block size of the hash function. * If the concatenation of those coordinates is smaller than blocksize, * 0 are appended. * * So, we convert the public key point to its affine representation and * concatenate the two coordinates in a temporary (zeroized) buffer, of * which the first z_len (i.e. blocksize) bytes are exported to z. * * Message m will be handled during following update() calls. */ ret = prj_pt_to_aff(&y_aff, &(pub_key->y)); EG(ret, err); ret = local_memset(tmp_buf, 0, sizeof(tmp_buf)); EG(ret, err); ret = fp_export_to_buf(tmp_buf, p_len, &(y_aff.x)); EG(ret, err); ret = fp_export_to_buf(tmp_buf + p_len, p_len, &(y_aff.y)); EG(ret, err); dbg_pub_key_print("Y", pub_key); /* Since we call a callback, sanity check our mapping */ ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); ret = ctx->h->hfunc_init(&(ctx->verify_data.eckcdsa.h_ctx)); EG(ret, err); ret = ctx->h->hfunc_update(&(ctx->verify_data.eckcdsa.h_ctx), tmp_buf, z_len); EG(ret, err); ret = local_memset(tmp_buf, 0, sizeof(tmp_buf)); EG(ret, err); /* * Initialize the verify context by storing r and s as imported * from the signature */ ret = local_memcpy(ctx->verify_data.eckcdsa.r, sig, r_len); EG(ret, err); ret = nn_copy(&(ctx->verify_data.eckcdsa.s), &s); EG(ret, err); ctx->verify_data.eckcdsa.magic = ECKCDSA_VERIFY_MAGIC; err: aff_pt_uninit(&y_aff); nn_uninit(&s); if (ret && (ctx != NULL)) { /* * Signature is invalid. Clear data part of the context. * This will clear magic and avoid further reuse of the * whole context. */ IGNORE_RET_VAL(local_memset(&(ctx->verify_data.eckcdsa), 0, sizeof(eckcdsa_verify_data))); } /* Let's also clear what remains on the stack */ PTR_NULLIFY(q); PTR_NULLIFY(pub_key); VAR_ZEROIFY(p_len); VAR_ZEROIFY(r_len); VAR_ZEROIFY(s_len); VAR_ZEROIFY(z_len); VAR_ZEROIFY(q_bit_len); VAR_ZEROIFY(hsize); return ret; } /* ECKCDSA verification update function. Returns 0 on success, -1 on error. */ int _eckcdsa_verify_update(struct ec_verify_context *ctx, const u8 *chunk, u32 chunklen) { int ret; /* * First, verify context has been initialized and public * part too. This guarantees the context is an EC-KCDSA * verification one and we do not update() or finalize() * before init(). */ ret = sig_verify_check_initialized(ctx); EG(ret, err); ECKCDSA_VERIFY_CHECK_INITIALIZED(&(ctx->verify_data.eckcdsa), ret, err); /* 3. Compute h = H(z||m) */ /* Since we call a callback, sanity check our mapping */ ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); ret = ctx->h->hfunc_update(&(ctx->verify_data.eckcdsa.h_ctx), chunk, chunklen); err: return ret; } /* * ECKCDSA verification finalization function. Returns 0 on success, -1 on error. */ int _eckcdsa_verify_finalize(struct ec_verify_context *ctx) { u8 tmp_buf[BYTECEIL(CURVES_MAX_P_BIT_LEN)]; bitcnt_t q_bit_len, p_bit_len; u8 p_len, r_len; prj_pt sY, eG; prj_pt_t Wprime; prj_pt_src_t G, Y; u8 r_prime[MAX_DIGEST_SIZE]; const ec_pub_key *pub_key; hash_context r_prime_ctx; u8 hzm[MAX_DIGEST_SIZE]; unsigned int i; nn_src_t q; nn e, tmp; u8 hsize, shift; int ret, check; u8 *r; nn *s; sY.magic = eG.magic = WORD(0); e.magic = tmp.magic = WORD(0); /* NOTE: we reuse eG for Wprime to optimize local variables */ Wprime = &eG; /* * First, verify context has been initialized and public * part too. This guarantees the context is an EC-KCDSA * verification one and we do not finalize() before init(). */ ret = sig_verify_check_initialized(ctx); EG(ret, err); ECKCDSA_VERIFY_CHECK_INITIALIZED(&(ctx->verify_data.eckcdsa), ret, err); /* Zero init points */ ret = local_memset(&sY, 0, sizeof(prj_pt)); EG(ret, err); ret = local_memset(&eG, 0, sizeof(prj_pt)); EG(ret, err); /* Make things more readable */ pub_key = ctx->pub_key; G = &(pub_key->params->ec_gen); Y = &(pub_key->y); q = &(pub_key->params->ec_gen_order); p_bit_len = pub_key->params->ec_fp.p_bitlen; q_bit_len = pub_key->params->ec_gen_order_bitlen; p_len = (u8)BYTECEIL(p_bit_len); hsize = ctx->h->digest_size; r_len = (u8)ECKCDSA_R_LEN(hsize, q_bit_len); r = ctx->verify_data.eckcdsa.r; s = &(ctx->verify_data.eckcdsa.s); /* 3. Compute h = H(z||m) */ /* Since we call a callback, sanity check our mapping */ ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); ret = ctx->h->hfunc_finalize(&(ctx->verify_data.eckcdsa.h_ctx), hzm); EG(ret, err); dbg_buf_print("h = H(z||m) pre-mask", hzm, hsize); /* * 4. If |H| > bitlen(q), set h to beta' rightmost bits of * bitstring h (w/ beta' = 8 * ceil(bitlen(q) / 8)), i.e. * set h to I2BS(beta', BS2I(|H|, h) mod 2^beta') */ shift = (u8)((hsize > r_len) ? (hsize - r_len) : 0); MUST_HAVE(hsize <= sizeof(hzm), ret, err); ret = buf_lshift(hzm, hsize, shift); EG(ret, err); dbg_buf_print("h = H(z||m) post-mask", hzm, r_len); /* 5. Compute e = OS2I(r XOR h) mod q */ for (i = 0; i < r_len; i++) { hzm[i] ^= r[i]; } ret = nn_init_from_buf(&tmp, hzm, r_len); EG(ret, err); ret = local_memset(hzm, 0, hsize); EG(ret, err); ret = nn_mod(&e, &tmp, q); EG(ret, err); dbg_nn_print("e", &e); /* 6. Compute W' = sY + eG, where Y is the public key */ ret = prj_pt_mul(&sY, s, Y); EG(ret, err); ret = prj_pt_mul(&eG, &e, G); EG(ret, err); ret = prj_pt_add(Wprime, &sY, &eG); EG(ret, err); ret = prj_pt_unique(Wprime, Wprime); EG(ret, err); dbg_nn_print("W'_x", &(Wprime->X.fp_val)); dbg_nn_print("W'_y", &(Wprime->Y.fp_val)); /* 7. Compute r' = h(W'x) */ ret = local_memset(tmp_buf, 0, sizeof(tmp_buf)); EG(ret, err); ret = fp_export_to_buf(tmp_buf, p_len, &(Wprime->X)); EG(ret, err); /* Since we call a callback, sanity check our mapping */ ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); ret = ctx->h->hfunc_init(&r_prime_ctx); EG(ret, err); ret = ctx->h->hfunc_update(&r_prime_ctx, tmp_buf, p_len); EG(ret, err); ret = ctx->h->hfunc_finalize(&r_prime_ctx, r_prime); EG(ret, err); ret = local_memset(tmp_buf, 0, p_len); EG(ret, err); ret = local_memset(&r_prime_ctx, 0, sizeof(hash_context)); EG(ret, err); /* * 8. If |H| > bitlen(q), set r' to beta' rightmost bits of * bitstring r' (w/ beta' = 8 * ceil(bitlen(q) / 8)), i.e. * set r' to I2BS(beta', BS2I(|H|, r') mod 2^beta') */ dbg_buf_print("r' pre-mask", r_prime, hsize); ret = buf_lshift(r_prime, hsize, shift); EG(ret, err); dbg_buf_print("r' post-mask", r_prime, r_len); dbg_buf_print("r", r, r_len); /* 9. Check if r == r' */ ret = are_equal(r, r_prime, r_len, &check); EG(ret, err); ret = check ? 0 : -1; err: prj_pt_uninit(&sY); prj_pt_uninit(&eG); nn_uninit(&e); nn_uninit(&tmp); /* * We can now clear data part of the context. This will clear * magic and avoid further reuse of the whole context. */ if(ctx != NULL){ IGNORE_RET_VAL(local_memset(&(ctx->verify_data.eckcdsa), 0, sizeof(eckcdsa_verify_data))); } /* Let's also clear what remains on the stack */ VAR_ZEROIFY(i); PTR_NULLIFY(Wprime); PTR_NULLIFY(G); PTR_NULLIFY(Y); PTR_NULLIFY(q); VAR_ZEROIFY(p_len); VAR_ZEROIFY(r_len); VAR_ZEROIFY(q_bit_len); VAR_ZEROIFY(p_bit_len); PTR_NULLIFY(pub_key); VAR_ZEROIFY(hsize); PTR_NULLIFY(r); PTR_NULLIFY(s); return ret; } #else /* WITH_SIG_ECKCDSA */ /* * Dummy definition to avoid the empty translation unit ISO C warning */ typedef int dummy; #endif /* WITH_SIG_ECKCDSA */